Transmission of WebShell text in txt format!

Source: Internet
Author: User

Author: Vic

Today we demonstrate how to convert a webshell to a txt file for transmission. The process is as follows:

Find a host with port 3306 open and a weak MySQL password. We use this one for the demonstration.

We connect to it remotely with MySQL.

The prompt shows that we have connected to the remote host using an empty MySQL password.

When we try to export a file remotely, the system reports that we have insufficient permissions, and we cannot create or execute functions. Many times I would give up at this point and switch to another host. Why not spend some time to see whether there are other methods? Let's do that: we scan the ports again to see whether any others are usable.

The scan shows that the host has port 80 open. Let's open IE to see what the homepage is.

The web root has no default page and no error page is configured, so the server lists every folder in the web directory. Looking through them, we find the phpMyAdmin management tool. I have previously written about a method of using phpMyAdmin for permission escalation, so let's try it. Click the phpMyAdmin directory in IE to open the management page. The "display PHP information" link on the right of the page is critical: we need it to determine the absolute path of the web root. Once we know the absolute path, we can proceed to the next step.

Click "show PHP information" to show all the information about this host. We only need to find the absolute path of the web root; that is enough.

The absolute path of the web root is c:/program files/apache group/apache/htdocs. Now that we have the absolute path, we start the permission escalation through phpMyAdmin. Open the list of databases on the left of the phpMyAdmin management page and select one of them, such as mysql or test.

After selecting the database, click the SQL option at the top of the page, which runs MySQL statements as queries.

Then enter our command in the query box. It creates an nzhack table with a niuzu field, writes a one-sentence PHP webshell into it, and exports the webshell to the web directory as nzhack.php.

Once the input is complete, submit it and wait for the result.

The result is disappointing: the system reports an error and the export is still unsuccessful. Next, use an editing tool to convert a commonly used PHP webshell to hexadecimal code; the converted code is 0x. 3c 3f 0d 0a 2f 2a 0d 0a 2d2d2d2d2b2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2 .... . Copy the code into a TXT file, add the MySQL statement, and make sure the remote host's web path is accurate. The created content is as follows:

Once everything is prepared, open CMD and connect to the remote database. Enter the command \. Nzhack.txt and press Enter.

After the command runs, the file is exported successfully. Now we can open IE and enter the remote host's IP address and the webshell address: http://10.10.10.10/nzhack.php

Well, WEBSHELL has been obtained successfully. Let's create a user.


The user is created successfully. The purpose of this article is a reminder to think more about a problem and keep a wide range of ideas, without limiting yourself to one method. If you try multiple approaches, the chances of success improve greatly. PS: after the test was completed, the previous operations were restored. Do not test hosts in China.
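The walkthrough works only because several server-side conditions hold at once: an account with an empty password that accepts remote connections, the ability to export files, and an export destination inside the web root. The audit below is an added example, not part of the original article; the function names, the sample rows (shaped like mysql.user, with the authentication_string column that older servers call Password) and the sample variable values are constructed assumptions.

```python
from pathlib import PureWindowsPath

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def inside(child, parent):
    """True if `child` equals or lies under `parent` (Windows rules, case-insensitive)."""
    c, p = PureWindowsPath(child), PureWindowsPath(parent)
    return c == p or p in c.parents

def audit(accounts, variables, web_root):
    """Return (subject, issue) pairs for the conditions the walkthrough relied on."""
    findings = []
    for a in accounts:
        who = f"{a['user']}@{a['host']}"
        remote = a["host"] not in LOCAL_HOSTS      # '%' and subnet wildcards count as remote
        if not a["authentication_string"]:
            where = "remote" if remote else "local"
            findings.append((who, f"empty password on a {where} account"))
        if a["File_priv"] == "Y" and remote:
            findings.append((who, "FILE privilege on a remotely reachable account"))
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        # Empty string means no restriction; NULL (None here) disables file import/export.
        findings.append(("server", "secure_file_priv is empty: exports may target any directory"))
    elif sfp is not None and (inside(sfp, web_root) or inside(web_root, sfp)):
        findings.append(("server", "secure_file_priv overlaps the web root"))
    return findings

# Constructed sample data: the root row mirrors the host described in the article.
SAMPLE_ACCOUNTS = [
    {"user": "root", "host": "%", "authentication_string": "", "File_priv": "Y"},
    {"user": "app", "host": "localhost",
     "authentication_string": "*CONSTRUCTED_HASH_PLACEHOLDER", "File_priv": "N"},
]
SAMPLE_VARS = {"secure_file_priv": ""}
WEB_ROOT = "c:/program files/apache group/apache/htdocs"  # path shown on the page

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_ACCOUNTS, SAMPLE_VARS, WEB_ROOT):
        print(f"{subject}: {issue}")
```

A server that passes this audit can still be exposed through the other conditions the article used, namely directory listing on the web server and an openly reachable phpMyAdmin.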

 

First, we need to scan.
