Use phpmyadmin to intrude asp websites

Phpmyadmin handles asp websites.

My high school alma mater used to use the user name and password in the background.

There are no bright spots. You can only say that you must consider multiple aspects.

Let's talk about the process.

Use the user name and password to find the injection point, and use the user name and password.

The super Administrator did not crack the password, but only one common administrator.

Wscan scanning out of the background

Log on to the background

I tried to upload images many times and failed to upload images. I also used nc to upload images. I tried all the methods I could think.

Website Information

Baidu is a bit old and has injection vulnerabilities, but it is useless to me.

Then I got stuck here. For a long time, I asked a friend and asked him to try it.

He scanned the phpmyadmin directory. In fact, I also scanned the directory, but it may not be noticed, or it is too young. He said

This can be done.

Open

Find some commands on the Internet
The http://www.bkjia.com/phpmyadmin/libraries/select_lang.lib.php

 

First, the physical path is exposed:

Create Table ------ insert a sentence in the table ------- write a sentence into the file ----- Delete the table.

CreateTABLEa (required textnotnull );

InsertINTOa (cmd) VALUES ('');

Selectaskfromaintooutfile 'C:/php/AppServ/www/phpMyAdmin/d. php ';

DropTABLEIFEXISTSa;

Connecting a kitchen knife (I'm so excited to use a kitchen knife for the first time)

The article has no highlights, but uses a php horse that is no longer used by phpmyadmin. Asp websites can do the same.

.