This method mainly uses the "backup database" or "restore database" function for the Access database in the backend. Because variables such as the "backup database path" are not filtered, the suffix of any file can be changed to asp to obtain a webshell. The MSSQL edition of the program directly reuses the Access edition's code, so the method still works on the SQL edition. For the specific method and analysis, refer to angel's article "analysis of WebShell obtained by Forum 7.0". As far as I know, many other ASP programs still have backend vulnerabilities that can be used in a similar way.
PHP + MySQL programs
① Use the data query function in the backend
Some programs provide a MySQL data query function in the backend, and we can use it to execute a SELECT ... INTO OUTFILE query that outputs a php file. Because all the data is stored in MySQL, we can insert our webshell code into MySQL by normal means and then export the shell with the SELECT ... INTO OUTFILE statement. Here we will use the ipb forum for a demonstration:
Step 1: Write our webshell code to the database
Find a place where you can write data (note that it must not filter your input). Here we use the backend to create a new forum, write our shell code in the forum description, and submit. This writes our shell into the database.
Step 2: Export the webshell
In "SQL Management" -- "mySQL Toolbox", enter the statement in "Run Query":
SELECT * FROM 123 forums INTO OUTFILE 'd: shell.php'
The table named in the statement is the one where the shell code is stored, and the output file is given as an absolute path in the web directory. If the MySQL query succeeds on the host, we get our webshell:
http://127.0.0.1/test/shell.php?c=dir
② Use MySQL data backup
This combines the two ideas above. Some programs place no restriction on the type of the backup file when backing up the database, so a php file can be exported. We write the webshell code into the database as in ①. This method can be used to obtain a webshell in the vbb forum, which we are all familiar with: we set the user's signature to the webshell code, go to the database backup in the backend, change "back up database to file on server" to shell.php, then submit and save. We can then access our shell in the root directory of the forum. Because the exported file may be large, we can change the webshell code to code that generates a file.
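A defensive counterpart to methods ① and ② above, as an added example that is not part of the original article: it flags SQL that exports to a script-executable path and validates an admin-supplied backup file name. The extension list, function names and sample statements are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions the web server may execute (assumed list; match it to your server config).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".asp", ".asa", ".cer", ".aspx", ".jsp"}

# Export clause of SELECT ... INTO OUTFILE / DUMPFILE '<path>'.
EXPORT_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+(['\"])(.*?)\1", re.I | re.S)

def has_script_ext(path: str) -> bool:
    """True if any dot-separated part of the file name is a script extension,
    so shell.php and shell.php.bak are both caught."""
    name = PureWindowsPath(path.strip()).name.lower()
    return any("." + part in SCRIPT_EXTS for part in name.split(".")[1:])

def exported_script_path(sql: str):
    """Return the OUTFILE/DUMPFILE target if it would create a script file, else None."""
    m = EXPORT_RE.search(sql)
    return m.group(2) if m and has_script_ext(m.group(2)) else None

def safe_backup_name(requested: str) -> str:
    """Accept only a bare file name with a fixed .sql suffix for database backups."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.sql", requested):
        raise ValueError(f"rejected backup name: {requested!r}")
    return requested

# Constructed sample of statements submitted through an admin query form.
SAMPLE_QUERIES = [
    "SELECT id, name FROM forums WHERE id = 3",
    "SELECT * FROM forums INTO OUTFILE 'd:/www/test/shell.php'",
    'select name from members into\n dumpfile "/var/www/html/up/x.PHP.bak"',
    "SELECT * FROM forums INTO OUTFILE '/var/backups/forums.csv'",
]

def audit(queries):
    """Return (index, path) for every statement that would write a script file."""
    hits = []
    for i, sql in enumerate(queries):
        path = exported_script_path(sql)
        if path:
            hits.append((i, path))
    return hits

if __name__ == "__main__":
    for i, path in audit(SAMPLE_QUERIES):
        print(f"ALERT query #{i}: export to script path {path}")
```

String checks like these are a tripwire only. On the MySQL side, setting `secure_file_priv` and not granting the `FILE` privilege to the application account restricts or disables `INTO OUTFILE` itself.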
Additional ideas: use the system settings in the web backend. If the system settings are saved in a php/asp file, we can enter webshell code in the settings so that it is written into the php/asp file that saves them.
Demo: the program sablog. The basic settings of sablog are stored in adminsettings.php. Because the 10 variables submitted in the backend are not filtered, we can write arbitrary code to adminsettings.php.
Go to the backend -- "basic settings" -- "blog name" (other items also work) -- enter the code: sss";phpinfo();"ss -- submit.
In this way, phpinfo() is written into adminsettings.php, and opening adminsettings.php displays the PHP information as normal.