Shulou(Shulou.com)06/01 Report--

In the previous blog posts, we have successfully won the template website of Southern Data 2.0. Next, we will change the target website to Southern Data 5.0 template. Download address: http://down.51cto.com/data/553330. The lab environment is the same as before, with target server IP address 192.168.80.129 and *** host IP address 192.168.80.128.

First of all, we still find a page with parameters passed, add "and 1=2" after the URL to test, you can find that these commonly used sql injection commands have been filtered out.

Here we can use a more advanced injection method-cookie injection. The principle of cookie injection is also the same as that of usual injection, just submitting parameters in the form of cookies, and in general injection we mostly use the get method to submit, and the get method to submit is to add the statement that needs to be injected directly after the URL.

Here we use the tool sqlHelper to inject cookies, download http://www.example.com. down.51cto.com/data/1881323

First, open the page with parameter transfer completely, and copy the url: 192.168.80.129/shownews.asp? id=15。

Run the "Injection Transfer" tool in sqlHelper, select "Cookie Injection" and fill in the format shown below. Note that "post submission value" must use the default "jmdcw=", and the "15" after it is the parameter value transmitted by the web page just opened.

After setting, click "Generate ASP," and two asp web files jmCook.asp and jmPost.asp will be generated under sqlHelper software directory.

Below we also install the small cyclone ASP Web server on the *** host to build a Web environment, and copy the jmCook.asp and jmPost.asp files to the website home directory wwwroot.

Open your browser and type "127.0.0.1/jmCook.asp?" in the address bar jmdcw=15"to access the page just generated, which opens the page that was previously visited locally.

In this page, we can use the injection statements to implement the injection.

To simplify the operation, we can also use tools such as Mingzi to inject quickly. Add the address "127.0.0.1/jmCook.asp? jmdcw=15"Copy to Mingzi's SQL injection solution detection, and soon the administrator account and password will be revealed.

The admin password is still "3acdbb255b45d296," which is 0791idc.

Enter "http://192.168.80.129/admin/Login.asp" in the address bar to log in to the background of the website. You can see that although the security of the website has been enhanced, the vulnerability of database backup still exists.

We still upload the webshell in the form of an image first, get the path "http://192.168.80.129/UploadFiles/20141011145142292.jpg", then specify the uploaded image path in the database backup, and change the file suffix after backup to.asp, so that the WebShell is successfully uploaded again.

The follow-up is the process of raising power. For specific operations, please refer to the previous blog post.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.