Author: cast  Blog: http://hi.baidu.com/cast_blog/  When reprinting, please credit www.2cto.com (Red-Black Alliance).
You can discuss this article with the author here: http://bbs.2cto.com/read.php?tid=97714
Search Google for the keyword: inurl:xinwenxq.asp?biaohao=
Admin login address: gonggong/denglu.asp
First, on the admin login page, the classic 'or'='or' string gets you straight past it!
In the verification file (the page's own code, cleaned up; the two request values are pasted straight into the SQL text):
zhanghao = Request("zhanghao")
mima = Request("mima")
quanxian = 1
Session.Timeout = 230
Set rs = Server.CreateObject("ADODB.Recordset")
' account and password go into the statement unescaped; nothing stops quotes or OR from becoming SQL
sql = "select zhanghao, quanxian from guanli where zhanghao='" & zhanghao & "' and mima='" & mima & "' and zhuangtai=1"
rs.Open sql, conn, 1, 1
I wonder whether the author of this program is an idiot: there are no anti-injection measures at all!
Once in the backend, uploading a webshell is even more surprising!
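As an added illustration (my code, not the post's or this CMS's), here is the same login query in Python with sqlite3: the concatenated form the page shows beside a parameterized form. The table, its one row and the password are constructed. SQLite does not reproduce how the Access/Jet engine evaluates the page's 'or'='or' string, so what the example shows is the underlying defect: with concatenation the client's input becomes part of the SQL grammar (a single quote in the account name is enough to break the statement), whereas with bound parameters the same strings are compared as plain data and the bypass string matches no row.

```python
import sqlite3

BYPASS_INPUT = "'or'='or'"   # the "or=or" login string the post refers to


def make_db():
    """Constructed in-memory stand-in for the CMS table guanli
    (zhanghao = account, mima = password, quanxian = privilege, zhuangtai = status)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guanli (zhanghao TEXT, mima TEXT, quanxian INTEGER, zhuangtai INTEGER)")
    conn.execute("INSERT INTO guanli VALUES ('admin', 'constructed-password', 1, 1)")
    conn.commit()
    return conn


def build_sql_concat(zhanghao, mima):
    """The statement the page's ASP code builds: request values pasted into the SQL text."""
    return ("select zhanghao, quanxian from guanli where zhanghao='" + zhanghao
            + "' and mima='" + mima + "' and zhuangtai=1")


def login_concat(conn, zhanghao, mima):
    """Vulnerable: whatever the client sends is parsed as SQL syntax."""
    return conn.execute(build_sql_concat(zhanghao, mima)).fetchone()


def login_param(conn, zhanghao, mima):
    """Hardened: the SQL text is fixed; inputs are bound as values, so quotes and OR are just characters."""
    sql = "select zhanghao, quanxian from guanli where zhanghao=? and mima=? and zhuangtai=1"
    return conn.execute(sql, (zhanghao, mima)).fetchone()


def concat_breaks_on_quote(conn, zhanghao):
    """True if a quote in the account name changes the statement's structure: the syntax
    error here is the same defect that lets injected text rewrite the WHERE clause."""
    try:
        login_concat(conn, zhanghao, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("SQL built by concatenation:", build_sql_concat(BYPASS_INPUT, BYPASS_INPUT))
    print("parameterized login with bypass string:", login_param(conn, BYPASS_INPUT, BYPASS_INPUT))
    print("concatenation breaks on o'brien:", concat_breaks_on_quote(conn, "o'brien"))
```

In classic ASP the equivalent fix is an ADODB.Command with `?` placeholders and parameters created through CreateParameter, so the account and password never touch the statement text.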
Select a forum and add an item, then click Upload and send the Trojan straight up: .asp, .asa and .php are all accepted.
After reading the backend upload code, I found that the program only performs the upload and verifies nothing about the file.
Okay.
It's late. I'm going to bed after writing this!
--------------------------------------------------------------------------
Day 2 (continued)
Today it suddenly occurred to me that since the upload doesn't filter anything, I should be able to reach it directly.
A blank page is shown after the upload; view the page source directly to get the shell address.
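The upload handler described above checks nothing, and the second-day note adds that it can be reached without going through the login. As an added example (my code, not the CMS's), the following Python function models the server-side checks such a handler needs: an authenticated-session check, a strict file-name rule, an allow-list of extensions (rather than a deny-list of .asp/.asa/.php, which is what keeps getting bypassed), a size limit and a magic-byte check against the declared type. It also never stores the file under the client-supplied name. The function names, the policy constants and the sample uploads are constructed.

```python
import os
import re
import secrets

# Server-side allow-list: only the image types the forum actually needs (constructed policy).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes each allowed type must start with (standard file signatures).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def validate_upload(logged_in, client_name, data):
    """Return (accepted, reason) for one upload; every check here is absent from the CMS handler."""
    # 1. The upload page must not be usable without an authenticated backend session.
    if not logged_in:
        return False, "not authenticated"
    # 2. Reduce the client-supplied name to a bare file name: no directory parts,
    #    nothing after a NUL byte, no trailing dots or spaces (Windows/IIS strip them).
    name = os.path.basename(client_name.replace("\\", "/")).split("\x00", 1)[0].rstrip(". ")
    if not name or not SAFE_NAME.fullmatch(name):
        return False, "unsafe file name"
    # 3. Allow-list the final extension instead of blocking known script extensions.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed: %s" % (ext or "(none)")
    # 4. Size limit, then the content must carry the signature of the declared type.
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(client_name):
    """Name the file on disk ourselves: a random token plus the validated extension.
    The client's name never reaches the filesystem, so anything hidden in it has nothing to act on."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads: a valid JPEG header, and a script file dressed up as an image.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_upload(True, "photo.jpg", jpeg), stored_name("photo.jpg"))
    print(validate_upload(True, "page.asp", b"<% placeholder %>"))
    print(validate_upload(True, "page.asp\x00.jpg", jpeg))
    print(validate_upload(False, "photo.jpg", jpeg))
```

These checks belong together with a storage rule: keep the upload directory outside the web root or with script execution disabled, so that even a file that slips through is served as static content rather than run by the server.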
If you find that the uploaded file has been deleted, you can use eWebEditor to upload it instead.
gonggong/ewebsoft/admin_login.asp
That is the address; it uses the default admin password.
Okay.. no further explanation needed.