The easiest way to get from a webshell to the LeadBBS back end

Source: Internet
Author: User

This article was published in the Hackers' Manual (non-security) magazine and is copyrighted. Please credit the source when reprinting.

Of the ASP forums, LeadBBS is the one I like most. It is stable, fast, and takes up little space; it is much smaller than the huge DVBBS. Its security is also very good. There was a vulnerability in an early version that could change the administrator password (also known as the "Resolution Tree"), but since then its security has been very reassuring. You may say that a cookie spoofing vulnerability was found in the past few days. However, that vulnerability only affects the front end and generally cannot do anything to the back end. That was a digression. Today I am not going to discuss its security in detail. I am going to talk about how, with a webshell on a LeadBBS site, you can easily get into the admin back end. Enough preamble ~~

Someone once asked me about this: they had broken into a website and uploaded an ASP trojan (webshell), but ran into difficulty getting into the LeadBBS back end. You might say: download the database and crack the administrator's MD5 password, or, with higher permissions, modify the database locally and then upload it to overwrite the original. These methods may work, but they are troublesome and not guaranteed to succeed. Is there a simpler way? At that time, I still did not know :(. Later, when I upgraded my forum, I only swapped in the database and a few other things. Of course, I also needed to change the database path and the back-end login path, both of which are set in inc/BBSSetup.asp, as follows:

Const DEF_AccessDatabase = "Data/LeadBBS.mdb" ' database path

Const DEF_ManageDir = "manage" ' default back-end (admin) path

After uploading all the files I tried to log in to the back end, but could not. It displayed that only the administrator can perform the operation. Obviously, I was not the administrator. Later, I turned to the official LeadBBS forum, where I saw this question in an FAQ post:

How do I designate an administrator again?

Open BBSSetup.asp and find

Const DEF_SupervisorUserName = ",Admin,"

Replace Admin with the name of the administrator you want to use. Note that it is case sensitive. Multiple administrators must be separated by commas (,). For example:

Const DEF_SupervisorUserName = ",Admin1,Admin2,"

If you can enter the back end, you can also change it in the forum parameter settings.

Apart from IP address restrictions, administrators can access the back end regardless of how other permissions are restricted (including inactive permissions).

Now I finally understood what was going on. When the forum is reinstalled, the system automatically applies the settings in BBSSetup.asp to the database, and the default administrator list contains only Admin, so my original user could no longer get in. I opened BBSSetup.asp, added my ID, uploaded it to overwrite the old file, and logged in. Problem solved.

From this it should be clear how to enter the back end of a forum site on which you already have a webshell. First register an ID, then use the ASP trojan to find inc/BBSSetup.asp and add your ID as described above. A security-conscious administrator may have renamed the file, but it can still be found: open the home page file Boards.asp (not only this one; many files include it) and the first few lines contain the include directives with the file name, as shown below:

<!-- #include file=inc/BBSsetup.asp --> // that's it.

<!-- #include file=inc/User_Setup.ASP -->

<!-- #include file=inc/Board_Popfun.asp -->

Once the modification is saved, you can easily enter the back end. If the back-end path has been changed, it is easy to find through the ASP trojan. Once in the back end, you can do what you want.

In fact, it is quite simple, but we often do not pay attention when using the program, so we do not notice this tip. Well, that is the end of the article. If you have any questions, go to www.xker.com to discuss them with me ~~ (Xiaoxin Technology Network)
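
Because supervisor status comes from a constant in inc/BBSSetup.asp rather than from the database, that file is worth monitoring. The following is an added example (not from the original article or the LeadBBS project) that parses the constant, compares the names case-sensitively against an approved list, and optionally checks a baseline hash. The sample file content, the name guest01 and the function names are constructed for illustration.

```python
import hashlib
import re

# VBScript keywords are case-insensitive; a line starting with ' is a comment
# and is skipped because the pattern must begin at "Const".
CONST_RE = re.compile(r'^[ \t]*const[ \t]+(\w+)[ \t]*=[ \t]*"([^"]*)"', re.I | re.M)

# Constructed sample of a settings file (not real LeadBBS content).
SAMPLE = '''<%
Const DEF_AccessDatabase = "Data/LeadBBS.mdb"
Const DEF_ManageDir = "manage"
' Const DEF_SupervisorUserName = ",Old,"
Const DEF_SupervisorUserName = ",Admin,guest01,"
%>'''

def parse_consts(text):
    """Map upper-cased constant name -> string value."""
    return {m.group(1).upper(): m.group(2) for m in CONST_RE.finditer(text)}

def supervisor_names(value):
    """Split ",A,B," into ["A", "B"]; names stay case sensitive."""
    return [n.strip() for n in value.split(",") if n.strip()]

def audit_setup(text, approved, baseline_sha256=None):
    """Return a list of findings for one settings file."""
    findings = []
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("file hash differs from baseline")
    raw = parse_consts(text).get("DEF_SUPERVISORUSERNAME")
    if raw is None:
        findings.append("DEF_SupervisorUserName missing")
        return findings
    names = supervisor_names(raw)
    findings += ["unapproved supervisor: " + n for n in names if n not in approved]
    findings += ["approved supervisor absent: " + n
                 for n in sorted(set(approved) - set(names))]
    return findings

if __name__ == "__main__":
    for finding in audit_setup(SAMPLE, {"Admin"}):
        print(finding)
```

In use, the text would be read from the deployed settings file on a schedule and the baseline hash recorded at install time, so that an overwrite of the file shows up even when the supervisor list looks plausible.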
