
Cookie transfer injection

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Target address: www.jzvales.com/jzvales/ProductShow.asp?ID=568. First of all, we append a single quotation mark to test for injection, and the result is as follows.

Friends who are familiar with * * all know that the website uses a general-purpose anti-injection filter, which filters only POST parameters and not cookie parameters. So we continue with the injection transfer tool: open the injection transfer generator and fill in the data.

Then generate the ASP file and open it. (Before using the generated file, make sure an HTTP server is installed locally; a small one is enough.) Then open a browser. The local HTTP server used here listens on port 81, so access http://127.0.0.1:81/jmCook.asp?jndcw=568 and append a single quotation mark to test for injection.

This time the response shows that the input took part in the database query and the query could not return a result. That is to say, it can be injected, so we can use Havij directly for testing. The test results are as follows.

We can see that the account is admin, the password is MD5-encrypted, and it comes out as admin997. It is very simple to add an admin to the backend.

Next, get a webshell on the website. The website forbids uploading files with the .asp suffix, so we modify the website's page template and add php. A typical server hosts many sites, so asp, jsp and php are all possible and may all be supported for parsing. You can give it a try.

Find a place where pictures can be uploaded and upload a PHP webshell (uploads larger than 100k are prohibited).

OK! Look, we have successfully obtained our webshell.

I hope everyone will treat the tools in their hands carefully and not do anything illegal!
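Why the filter described above misses the cookie, and what closing the gap looks like, as an added example that is not code from the original article or from the site: a Python model of classic ASP's `Request("ID")` lookup order (QueryString, then Form, then Cookies). The function names, the `product` table and the sample row are constructed assumptions; the weak filter inspects only POST values, as the article states.

```python
import sqlite3

# Classic ASP's Request("name") searches these collections in this order
# (ClientCertificate and ServerVariables follow and are omitted here).
LOOKUP_ORDER = ("QueryString", "Form", "Cookies")

def request_item(req, name):
    """Model of Request(name): the first collection holding the key wins."""
    for coll in LOOKUP_ORDER:
        if name in req.get(coll, {}):
            return req[coll][name]
    return None

def weak_filter_blocks(req):
    """Filter as the article describes it: only POST (Form) values are checked."""
    return any("'" in v for v in req.get("Form", {}).values())

def make_db():
    """In-memory stand-in for the site's database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO product VALUES (568, 'constructed sample row')")
    return db

def vulnerable_show(db, req):
    """Pattern to avoid: generic lookup plus string-built SQL."""
    if weak_filter_blocks(req):
        return "blocked"
    pid = request_item(req, "ID")  # may silently come from Cookies
    try:
        sql = "SELECT name FROM product WHERE id=" + str(pid)
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "sql-error"  # unfiltered input reached the SQL parser
    return row[0] if row else "not-found"

def hardened_show(db, req):
    """Fix: one explicit input source, strict type check, bound parameter."""
    pid = req.get("QueryString", {}).get("ID", "")
    if not (pid.isascii() and pid.isdigit() and len(pid) <= 9):
        return "rejected"
    row = db.execute("SELECT name FROM product WHERE id=?",
                     (int(pid),)).fetchone()
    return row[0] if row else "not-found"
```

In ASP terms the same fix is to read `Request.QueryString("ID")` explicitly, validate it as an integer, and pass it to the database as a command parameter rather than concatenating it into the SQL string.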
