Once I talked to the dongle about webshells.
0x01 Overview
Target: http://www.xxx.cn
Target IP: xx.xxx.248.48
Server: Microsoft-IIS/6.0
Platform: ASP.NET

Preliminary judgment: no WAF and no CDN. Ports: skipped. After all, we just want a webshell, not the whole server.

0x02 Vulnerability modeling
Since the web container is IIS 6, a webshell can be obtained through the various parsing vulnerabilities. For a site built on Access + IIS 6.0 + ASP, my attack steps are as follows:
0x03 Vulnerability discovery
I will not run a vulnerability scanner. Manually test whether injection exists. It is injectable, so inject it: a union query works directly. I will not test the other vulnerabilities; in a real penetration test they must be tested.

0x04 Vulnerability exploitation
http://www.xxx.cn/newsdisp.asp?id=(260) and 1=2 union select 1,username,password,10 from admin
After decrypting the password, log straight into the back end: http://www.xxx.cn/admin
The back end has an upload feature, the Southern editor, database backup, and a database whose file name ends in .asp. This is obviously the Southern back end, so double-file upload can be used to get a webshell: select a normal image in the first box and the .cer webshell in the second (the web container is IIS 6.0, so a file such as .cer works).
Then the dongle comes out and blocks it. So let's look at the Southern editor: http://www.xxx.cn/admin/southedtior/admin_style.asp. I don't even want to look at that one. Here we can see:
The database ends with .asp.
The message content is written directly into the database, so what does that suggest? If nothing comes to mind, it means you don't fully understand your own one-liner trojan! Yes, you just need to leave a message that lands in the database, and then you can connect to it directly. Like this:
Just submit. The password for the one-liner is "a". The one-liner has to be the form used for inserting into a database.
In this way the dongle is bypassed. Don't write a variant statement like the expert in the group and then back up the database. What if the backup gets corrupted? In addition, this site's database backup automatically appends .asa to the backup name. For example, I enter fuckyou.asp,
.asa is appended automatically, but it will
If you remove the .asa that it appended, the file parses successfully.
Therefore, in practice you must adapt your techniques!!!

0x05 Post-exploitation
After the penetration, the trojan is deleted.
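From the defender's side, the two things worth catching in this write-up are the UNION-based injection against newsdisp.asp and the file names the upload and backup features accepted (.cer, and .asp with .asa appended), both of which IIS 6.0 hands to asp.dll. The following is an added example, not code from the original post or from the site's software: a detector for the injection pattern over IIS W3C log lines and an allowlist check for user-supplied upload or backup names. The W3C field layout, the log lines, and the allowed-extension set are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Extensions IIS 6.0 maps to asp.dll by default. .asp, .asa and .cer are the ones
# the write-up relies on; .cdx is the remaining default mapping.
ASP_MAPPED_EXTENSIONS = {"asp", "asa", "cer", "cdx"}

# Extensions the upload / database-backup features should accept (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mdb"}

# "union select" / "union all select", tolerating comment or whitespace padding.
UNION_INJECTION = re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.IGNORECASE)


def has_asp_mapped_segment(filename: str) -> bool:
    """True if any dot-separated segment after the base name is an ASP-mapped extension.

    Every segment is checked, not only the last one, so 'fuckyou.asp.asa' is rejected
    whether or not a later step strips the appended '.asa'.
    """
    segments = filename.lower().split(".")[1:]
    return any(seg in ASP_MAPPED_EXTENSIONS for seg in segments)


def is_safe_upload_name(filename: str) -> bool:
    """Allowlist check for a user-supplied file or backup name (hardened form)."""
    # Path separators, ';' and NUL never belong in a user-supplied file name.
    if not filename or any(ch in filename for ch in ";/\\\x00"):
        return False
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # Final extension is allowed; still refuse if a script extension hides inside.
    return not has_asp_mapped_segment(filename)


def parse_w3c_line(line: str):
    """Parse one constructed W3C line: date time cs-method cs-uri-stem cs-uri-query sc-status."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time_, method, stem, query, status = parts
    return {
        "timestamp": f"{date} {time_}",
        "method": method,
        "stem": stem,
        # IIS logs '-' for an empty query and '+' for spaces; decode before matching.
        "query": "" if query == "-" else unquote_plus(query),
        "status": int(status),
    }


def scan_iis_log(log_text: str):
    """Return the parsed entries whose decoded query string carries a UNION injection."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_w3c_line(line)
        if entry and UNION_INJECTION.search(entry["query"]):
            hits.append(entry)
    return hits


# Constructed sample: the second line mirrors the injection URL from the write-up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2012-05-01 10:00:01 GET /newsdisp.asp id=260 200
2012-05-01 10:00:07 GET /newsdisp.asp id=(260)+and+1=2+union+select+1,username,password,10+from+admin 200
2012-05-01 10:00:20 GET /admin/login.asp - 200
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['stem']} <- {hit['query']}")
    for name in ("photo.jpg", "shell.cer", "fuckyou.asp.asa", "fuckyou.asp.jpg"):
        print(f"{name}: {'accept' if is_safe_upload_name(name) else 'reject'}")
```

The allowlist check is the part that matters for the backup feature: deciding by the final extension alone is exactly what lets an appended `.asa` be removed later, so the name is judged on every segment and only then on whether the last one is permitted.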