
Aug 06, 2006 - 12:00 a.m.

A refinement on backing up ASP into a picture - bug warning - the black bar safety net


Intended readers: script intrusion enthusiasts
Prerequisite knowledge: SQL injection
A refinement on backing up ASP into a picture
Text and figures: lucky_feng
Backing up a picture or a database file into an ASP or ASA Trojan is a means we often use to get a WebShell; however, when an ASP file is backed up into a picture file, the result is different as well.
Preface: I heard that a friend of a friend had recently set up a server worth 7 million yuan (a script kiddie's reaction: a wealthy one). The only thing that could be seen on the site was dvbbs 7.1 SP1, and I felt there was nowhere to start. Until one day a friend told me that the database of the forum's new blog system was at the default Data/Dvboke.mdb. Many administrators change the Dvbbs forum database path, but few people change the path of the blog database. The intrusion began there.

The blog intrusion fails
A previous Black Anti article described getting a WebShell on Dvbbs 7.1 SP1 by entering the back office through the blog. Since I had the blog database, I started from here first.
I downloaded the blog database and found the administrator password, c45f4399e5a3d1bd. I ran MD5crack and luck was good: in less than ten seconds it gave a seven-digit, purely numeric password. I immediately took this password to dvbbs 7.1 and tried to log in as administrator, but without success. I did not give up: I looked at the management team on the forum, got the other administrators' user names and tried to log in again, still without success. (Many administrators like to use two user names, which you can try out later; this forum did too, only the passwords were different.) Because the Dvbbs blog can only be managed after logging in to the forum, the intrusion through the blog had to be called off.

A small trial of Google hacking
Although this server is not a virtual host, the site should hold more than just a forum? I turned to Google and entered site:www.b***.net

The output ran to several dozen pages, mostly forum sections or post information, but I also found a Fenghua alumni 2.0 multi-user version and a spot from which the river line online shopping system 6.0.

Intrusion into the spot from which the river line shopping system
Fenghua alumni 2.0 is the upgraded version of the earlier temptress alumni; the upload vulnerability has been patched and it now only allows image files to be uploaded. For the moment I could see no method to get a WebShell there, so this also had to be given up. As for the spot from which the river line shopping system 6.0, the latest version at present is 6.0 SP1. At the end of October, neeao released an injection vulnerability, but it did not seem to be usable on this site. However, injection points do not need to be many, one is enough: manual injection found that this site's gongqiu_view.ASP file is vulnerable, with the following results:

http://www.b***.net/shop/gongqiu_view.ASP?gq_id=53%20and%201=1 displays normally,

http://www.b***.net/shop/gongqiu_view.ASP?gq_id=53%20and%201=2 gives an error.

Then I moved on to ? D, and as a result got the MD5-encrypted password 7a57a5a743894a0e. Seeing this password, everyone laughed: isn't this the legendary encrypted form of admin? With account admin and password admin I went directly into the Mall back office, and found that the Mall sits at the next level below Dvbbs.


Backing up a picture generates an ASP Trojan, but it cannot execute
I believe many people would think that, having got this far, a WebShell can certainly be had right away. In fact, when I went into the back office, I thought so too. But reality is often crueller than the ideal: the administrator's extreme (BT) settings made the following methods all fail.
Method one: a normal backup, then backing up to a different directory
First, through “trade information added”, I uploaded an ASP Trojan whose suffix had been changed to that of a picture.

Note that when uploading it is best to use the shortcut key Ctrl+N to open the upload page in a new window and, after a successful upload, not to choose “close the window” in the pop-up; then look at the page source in IE, where you can see the real path of the picture just uploaded. The address of my uploaded picture was bookpic/20061261556516190.JPG. Then I used BACKUP DATABASE to back the uploaded picture up into an ASP file.

The prompt said the backup was successful. Under normal circumstances, accessing databackup/shop.ASP directly would give a WebShell. The specific reason it did not is that the administrator had set the databackup directory to prohibit execution of ASP files. The configuration steps for disallowing ASP and similar files are: IIS Manager → Website name → Properties → Home Directory → Execute Permissions. This operation is simple and the effect is good.
Since the original databackup directory did not work, I changed the BACKUP DATABASE directory to admin and tried again. Unfortunately a “server error when processing the URL” prompt appeared, because the administrator had set this directory to have no write permission. I downloaded the Mall's code to take a look; the result was that every directory either did not allow files to be written or could not execute ASP files. Method one failed.
Method two: capture the upload and submit a modified data packet
Looking at the BJXupfile.ASP code, it does not seem possible to upload an ASP file directly. While uploading a picture I captured the packets with WSockExpert and found that the filepath can be customized. After modifying it I submitted the data with NC; the prompt said the upload was successful, but the file was not found when accessed. Because of certain restrictions, I did not continue with this final step; interested friends can try.

Backing up the Dvbbs conn.ASP into a picture to get the Dvbbs database
Having tried so many methods without success, I was a bit disappointed, watching the Trojan picture I had uploaded and not being able to turn it into an ASP file that executes; it felt like fat at the mouth that cannot be eaten. Then I suddenly thought: since an ASP Trojan file turned into a JPG file displays the original ASP content, the Dvbbs conn.ASP file should behave the same way. I immediately ran the backup again: for the current database path I wrote …/…/conn.ASP, for the BACKUP DATABASE directory I wrote …/bookpic (this directory is definitely writable), and for the backup database name I wrote 1.JPG. The prompt said the backup was successful.

Opening bookpic/1.JPG shows the content of this conn.ASP.

The Dvbbs database address is b***/dvbbs71.ASP. Because the database directory is restricted and the database is now in ASP format, downloading it directly does not work. But once the ASP is backed up into an mdb, it can be downloaded. With the third backup I backed the Dvbbs database up into an mdb file stored in the databackup directory. Then FlashGet was quickly at work; a look at the size showed a database of more than 300 MB, a million users. With this the forum database was successfully obtained.
A winding path to the WebShell
A Dvbbs administrator password had been cracked from the database, but I still had not got a WebShell. The failures above can be summed up: getting a WebShell requires two conditions to be met. First, the directory where the Trojan is placed must be writable; second, the directory must be able to run the ASP Trojan. The next step was to append a 1.ASP to each Dvbbs directory to test these two conditions: if the same prompt as in Figure 6 appears, the directory cannot run ASP; on the contrary, if the prompt is “HTTP error 404 - file or directory not found”, it can run ASP. When I tested the Skins directory, both conditions were met. The rest was the same as the earlier steps: I uploaded the ice Fox prodigal micro ASP Trojan picture and, with the fourth backup, backed the picture up into an ASP file in the Skins directory. I connected with the client and got the familiar interface. Very strangely, none of the large Trojans ran normally after a successful backup.

1. There were several pieces of test code in the Dvbbs directory on the server. From a security standpoint, test code should never be put on a server that is already running. Although the administrator had made fairly extreme (BT) settings, a test program like this and a folder permission problem caused the entire server to be compromised, so the loss outweighs the gain.
2. Sometimes a backup will not necessarily yield a WebShell, but through backups you can see the contents of many important files. The principle is actually somewhat similar to uploading an stm or shtml file to view conn.ASP, except that the picture can be viewed at any time.
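
Every backup described above worked because the backup form accepted whatever source path, destination directory and file name it was given. The following server-side check of those three fields is an added example, written in Python for illustration; it is not code from the article or from the shopping system. The page directory `admin`, the database path `data/shop.mdb`, the `.bak` extension and all function names are assumptions, and the sample requests are constructed.

```python
import posixpath

# Assumed, hypothetical layout: the one database that may be backed up and the
# one directory that may receive backups, as application-root-relative paths.
ALLOWED_SOURCES = {"data/shop.mdb"}
BACKUP_DIR = "databackup"
BACKUP_EXT = ".bak"   # never an extension the web server maps to a script engine


def resolve(page_dir, user_path):
    """Resolve a user-supplied relative path the way the backup page would."""
    p = user_path.replace("\\", "/")
    if p.startswith("/") or ":" in p or "\x00" in p:
        raise ValueError("absolute path, drive letter or NUL byte")
    return posixpath.normpath(posixpath.join(page_dir, p)).lower()


def validate_backup(page_dir, source, dest_dir, dest_name):
    """Return (source, destination) for a safe request, else raise ValueError."""
    src = resolve(page_dir, source)
    if src not in ALLOWED_SOURCES:
        raise ValueError(f"source {src!r} is not the application database")
    dst = resolve(page_dir, dest_dir)
    if dst != BACKUP_DIR:
        raise ValueError(f"destination directory {dst!r} is not {BACKUP_DIR!r}")
    name = dest_name.strip().rstrip(". ").lower()  # Windows drops trailing dots
    stem, ext = posixpath.splitext(name)
    if ext != BACKUP_EXT or not stem or any(c in stem for c in "./\\:"):
        raise ValueError(f"backup name {dest_name!r} must be <name>{BACKUP_EXT}")
    return src, f"{dst}/{name}"


def check(request):
    """Return 'ok' or the rejection reason for one (constructed) request."""
    try:
        validate_backup("admin", *request)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed requests modelled on the three form fields the article describes.
SAMPLES = [
    ("../data/shop.mdb", "../databackup", "shop_20060806.bak"),  # legitimate
    ("../bookpic/20061261556516190.JPG", "../databackup", "shop.asp"),
    ("../../conn.asp", "../bookpic", "1.JPG"),
    ("../data/shop.mdb", "../Skins", "shop.bak"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check(sample))
```

The allow-list complements the per-directory write and execute restrictions the administrator had already set; it does not replace them.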