Bypassing Safe Dog in practice over the years (summary)

Source: Internet
Author: User

I (the original poster) will walk through this again using real examples.
This article is a summary of Safe Dog bypass practice; every example comes from actual experience getting past Safe Dog.
It is divided into:
0x01 Injection
0x02 Upload
0x03 Privilege escalation (a one-stop service for friends)
0x04 Others and summary
0x05 Live Safe Dog bypass example

---------------------------------------------
0x01 Injection
Basic methods:
a. Put aaa=123%00& in front of the real parameter (this works on old versions of the dog, which stop inspecting the query at the null byte).
b. Insert a % into the filtered keyword, e.g. sel%ect (this often works, but the tools do not support it, so it has to be done by hand). It relies on the backend, classic ASP on IIS, silently dropping a % that is not a valid escape, so the keyword reassembles on the server while the WAF's keyword match on the raw request fails.

1.1 A weike (crowdsourcing) site
Everyone is familiar with this kind of site, so let's use it as the example. Let's take a look.

We run into a dog.
Trying the first method first: %00 turns out to be powerless here.


Bring out the second method: instant kill.


 

1.2 Try another site:

Method 2: dump the username and password directly.

As you can see, the second method is still very useful for the time being.

0x02 Upload
Basic methods:
A. Filename truncation breakthroughs (these rely on IIS 6 path parsing: a name is cut at the first ';', and a folder whose name ends in .asp has everything inside it handed to the ASP engine, so the upload check sees an image while IIS runs a script):
A.1 1.asp;1.jpg
A.2 ;1.cer / 1.jpg (semicolon placed in front of the name; see 2.1 below)
A.3 1.cer#.jpg / 1.jpg
A.4 Normal file creation: no ';', no truncation, just create the file directly
B. Getting the file content past the dog:
B.1 Encryption and keyword transformation
B.2 Include the file from another one, for example <!--#include file="1.jpg"-->
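To make the A-series filename tricks concrete, here is an added Python example (not from the original post) that models how IIS 6 chooses a handler for a path, shows why a last-extension blacklist misses 1.asp;1.jpg, and gives the hardened naming rule an upload handler should apply instead. The script-extension set and the whitelist are assumptions, and the IIS 6 behaviour is a model of the documented parsing quirk rather than code from IIS.

```python
import os
import re
import secrets
from typing import Optional

# Extensions IIS 6 hands to the ASP script engine in this model (assumption:
# the default asp.dll mappings; check the server's own script maps).
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}
# Extensions the upload handler is willing to store (assumed whitelist).
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def iis6_effective_extension(url_path: str) -> str:
    """Model of IIS 6 path parsing: each segment is cut at its first ';' and,
    walking from the left, the first segment whose name carries a script
    extension decides the handler, even if more segments such as '/1.jpg'
    follow. This is what makes 1.asp;1.jpg and 1.asp/1.jpg run as ASP."""
    for segment in url_path.split("/"):
        name = segment.split(";", 1)[0]
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTS:
            return ext
    return os.path.splitext(url_path.rsplit("/", 1)[-1])[1].lower()


def naive_extension_check(filename: str) -> bool:
    """Blacklist that only looks at the text after the last dot, which is
    exactly what many upload handlers and WAF rules did. True means 'allowed'."""
    return os.path.splitext(filename)[1].lower() not in SCRIPT_EXTS


def safe_stored_name(filename: str) -> Optional[str]:
    """Hardened upload naming: refuse anything with a path separator, ';',
    '#' or a null byte, require exactly one dot and a whitelisted extension,
    and store the file under a random name so the client never chooses the
    name the server parses. Returns the stored name, or None if rejected."""
    if re.search(r"[\\/;#\x00]", filename):
        return None
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED_EXTS or "." in base or not base:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ("1.jpg", "1.asp;1.jpg", "1.asp.jpg", "1.cer#.jpg"):
        print(name, "| naive allows:", naive_extension_check(name),
              "| IIS 6 runs as:", iis6_effective_extension("/upload/" + name),
              "| stored as:", safe_stored_name(name))
```

Renaming on the server is the part that actually closes the hole: once the stored name is random and single-dotted, none of the A.1 to A.3 shapes can reach IIS in the first place, whatever the WAF does.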

2.1 ASPCMS bypassing Safe Dog:
Https://forum.90sec.org/thread-5093-1-1.html


Go to Interface Styles and add a template.

 

First, follow the usual approach:


 

Bitten by the dog.

 

Let's try the first method, a.1: prepare 1.asp;1.jpg:
 

Nothing is shown, then connect with China Chopper (the "kitchen knife", as in the figure below). It turns out it executed successfully.

Now let's look at the a.2 method: ;1.cer / 1.jpg
First we put the semicolon at the back (this is also a common WAF bypass), and the result was that we got bitten by the dog.

Then we put it in front.
The dog let us through.


Connecting with China Chopper to look at these files: they all exist.

a.3 works the same way as a.2, so I won't repeat it, and I won't repeat the normal file creation of a.4 either.

Next, B.1, file encryption. This method is not only for Safe Dog; it works against other WAFs as well. After all, most of them check the file name and file content by keyword, and once the content is encrypted or the keywords are transformed they have a hard time recognizing it.

Finally, the B.2 method. It is for the cases where B.1 is powerless, or where you don't know how to encrypt the file. From the method itself you can see what is going on: the dog checked the file being accessed but did not check the file it includes.
Let's test it:
First construct an ASP file. Its content is:



After that, change the big shell's upload name to 1.jpg, and then execute the big shell through 1.jpg.
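As an added example (not from the original post), the following Python models the two scanning behaviours this test contrasts: the dog inspecting only the requested file, and a hardened scanner that follows <!--#include --> directives into the included files regardless of their extension. It also covers the 1.txt variant mentioned in the summary. The webshell signature, the sample pages and the one-liner shell bodies are all constructed for the demonstration and are not Safe Dog's rules.

```python
import re

# Server-side include directive, processed by the ASP engine before the script runs.
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Constructed webshell signature for the demo, not the dog's real rule set.
SHELL_SIG = re.compile(
    r"\b(?:eval|execute|executeglobal)\s*\(?\s*request\b", re.IGNORECASE)


def scan_requested_only(site: dict, name: str) -> bool:
    """The behaviour the article describes: only the requested file is inspected."""
    return SHELL_SIG.search(site.get(name, "")) is not None


def scan_with_includes(site: dict, name: str, seen=None) -> bool:
    """Hardened scan: inspect the requested file and, recursively, everything
    it includes, whatever the included file's extension is. 'seen' guards
    against include loops and repeated work."""
    seen = set() if seen is None else seen
    if name in seen or name not in site:
        return False
    seen.add(name)
    body = site[name]
    if SHELL_SIG.search(body):
        return True
    return any(scan_with_includes(site, target, seen)
               for target in INCLUDE_RE.findall(body))


# Constructed site contents: the wrapper page from the test above, the big
# shell uploaded as 1.jpg, the 1.txt variant, a benign page and an include loop.
SITE = {
    "wrap.asp": '<!--#include file="1.jpg"-->',
    "wrap2.asp": '<!-- #include file="1.txt" -->',
    "1.jpg": '<%eval request("cmd")%>',
    "1.txt": '<%Execute(Request("cmd"))%>',
    "index.asp": '<% Response.Write "hello" %>',
    "loop_a.asp": '<!--#include file="loop_b.asp"-->',
    "loop_b.asp": '<!--#include file="loop_a.asp"-->',
}

if __name__ == "__main__":
    for page in ("wrap.asp", "wrap2.asp", "index.asp"):
        print(page, "| requested-only:", scan_requested_only(SITE, page),
              "| with includes:", scan_with_includes(SITE, page))
```

The same idea applies to any server-side include mechanism: a content scanner that stops at the requested file is only as good as the attacker's willingness to put the payload in that file.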

0x03 Privilege escalation
Actually, with some old dogs you can ignore them during privilege escalation, but sometimes they forbid adding users and reverse connections (some remote control tools). 360 does the same.
In that case you can try the following methods:
A. Obtain the plaintext password (no restriction on method, or export the hashes and crack them)
B. Replace Sticky Keys or Magnifier
C. Use net user admin /ad (/ad rather than /add; remember this worked against 360 before as well)
D. DLL hijacking
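Method C works because net.exe accepts an unambiguous prefix of a switch, so a rule that matches the literal string "/add" never fires. As an added example (not from the original post), here is the detection-side counterpart in Python: a normalizer that expands abbreviated net user switches before deciding whether a process command line creates a user. The switch list is hand-built from the documented net user syntax and is an assumption to verify against your own net help user output; the sample command lines are constructed.

```python
# Switches net.exe accepts after 'net user <name> [password]'. Assumption:
# hand-built from the documented 'net user' syntax; compare with 'net help user'.
NET_USER_SWITCHES = (
    "/add", "/delete", "/active", "/domain", "/comment", "/countrycode",
    "/expires", "/fullname", "/homedir", "/passwordchg", "/passwordreq",
    "/profilepath", "/scriptpath", "/times", "/usercomment", "/workstations",
)


def expand_switch(token: str) -> str:
    """net.exe accepts any unambiguous prefix of a switch, so '/ad' means
    '/add' (assumption modelled on the article's observation). Ambiguous or
    unknown prefixes are returned unchanged, lower-cased."""
    base, sep, value = token.lower().partition(":")
    matches = [s for s in NET_USER_SWITCHES if s.startswith(base)]
    if len(matches) == 1:
        base = matches[0]
    return base + sep + value


def is_user_creation(cmdline: str) -> bool:
    """Detection rule: True when a process command line creates a local user
    through net.exe or net1.exe, however the /add switch was abbreviated."""
    toks = cmdline.strip().split()
    if len(toks) < 3:
        return False
    exe = toks[0].lower().rsplit("\\", 1)[-1].strip('"')
    if exe not in ("net", "net.exe", "net1", "net1.exe"):
        return False
    if toks[1].lower() != "user":
        return False
    switches = {expand_switch(t) for t in toks[2:] if t.startswith("/")}
    return "/add" in switches


# Constructed process-creation command lines, as a Sysmon event 1 would carry them.
SAMPLE_CMDLINES = [
    "net user admin Passw0rd! /add",
    "net user admin Passw0rd! /ad",
    r'"C:\Windows\System32\net1.exe" user backup Passw0rd! /AD /y',
    "net user admin",
    "net user admin /active:yes",
    "net localgroup administrators admin /add",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(is_user_creation(line), "|", line)
```

The last sample is deliberately not matched: adding an existing account to a group is a separate event and deserves its own rule rather than being folded into this one.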


0x04 Others and summary
If you want to know other methods, go and read Ghost Brother's (鬼哥) article; he has written some scripts for bypassing the dog and so on. I won't introduce them here.

In short, there are many ways past the dog, so think more and combine the methods above; that often becomes the breakthrough.
For example, what if the included 1.jpg file gets banned (as a friend mentioned)? Simple: change it to 1.txt, and the silly dog is bypassed.

0x05 Live example
While I was writing this article a friend called me for help...... What a coincidence...... A good friend for life......
 

 


 

DedeCMS; took a look at the version, it is not very high.






Annoying: bitten by the dog.

Then I checked: the server is IIS 6.0, so I switched to asp.


Changed the name to pai.myfile.asp;.jpg.


I checked the server and browsed through it all...... High privileges...... Since my friend says he will escalate privileges by himself, I'll stop here......
Ten o'clock...... Posted the article, going back to play a game and then to bed...
