Good, this looks exploitable. Let's post a message: the message title is “@ARGV; #”, the message name is “system”, and the rest is filled in arbitrarily. Now request /gb/data/$username/$num.pl?dir. What happens? It lists the entire contents of the /gb/data/$username/ directory. For now, call this a CGI web shell; the rest follows from it. In fact it is not that easy. The above was done on my own machine, whose IIS maps CGI to perl.exe %s %s, but many virtual hosts today map CGI with perlis.dll instead. To get closer to reality I changed my IIS server's mapping to perlis.dll as well. Now the above method no longer worked; whatever I did, all I got was “…(abbreviated) script produced no output”. It looked as if nothing was executed, but in fact, as long as the CGI program filename is entered correctly, it does execute; it just returns no visible output. If you don't believe it, write system “dir c:\ >a.txt”; into cmd.cgi yourself, request www.xxx.com/cmd.cgi, and check whether a.txt appears under your web root. As long as the syntax is strictly correct, it runs. So I posted a message with title “system “dir >a.txt”; #” and name “system”. Because running this program returns no visible output, we redirect the program's output into the file a.txt. Then run /gb/data/$username/$num.pl and look at /gb/data/$username/a.txt again. Nothing there. What's wrong? After thinking about it for a long time, I suspected the $num at the start of the $num.pl file, because if the Perl script's content is “4 system “dir >a.txt”; ”, that leading 4 is not valid syntax. So I needed a way to make it syntactically valid.
What about writing it like this: “4 && system “dir >a.txt”; ”, or like this: “4; system “dir >a.txt”; ”? Wouldn't that be valid syntax? (Here the meaning is: call the system() function to run the system command dir, and use > to redirect the result of the dir command into the file a.txt. Running “dir >a.txt” at a command prompt does the same thing; try it yourself to see what it does.) After testing, both ways work. Look at /gb/data/$username/a.txt again and you see the directory listing. Next I went to Blue Shield (landun.org), but the above method was basically useless there. I was baffled: it obviously worked on my own machine, so why not here? I could not figure it out. Then I thought: if a legitimate user could upload a CGI web shell and run system commands, how dangerous would that be? They must have put some restriction in place that does not allow the system function to run system commands; that is, the system function cannot be called, or there is no permission to call it. So I tried other functions, starting with rename. I used Perl's built-in rename function, which is different from the DOS rename command. In the guestbook I wrote the title as: “(“.\\.\\user\\day wave.cgi”, “a.txt”); #” and the name as: “&& rename”. That way, $num.pl in the guestbook data should look like: “$num && rename (“.\\.\\user\\day wave.cgi”, “a.txt”); #…(rest omitted)”. Because “\” has a special meaning in Perl, it must be written as “\\” above. Then run /gbook/data/day wave/$num.pl. We do not know $num, but it can be guessed from the message count shown in the guestbook; the range is narrow, and it was found quickly. Now look at /gbook/data/day wave/a.txt.
There is the password. Now we can enter the admin interface via /gbook/admin.cgi. But what use is that? It is only a guestbook. I tried the same password on ftp and the bbs; apparently the passwords differ. What now? Didn't I just manage to run script functions? Fine, so I went back to the guestbook to post a message, but it was broken: I had just renamed “day wave.cgi”, so the user data was gone and messages could no longer be saved. What to do? Some simple functions were no longer usable. No rush: when we entered the admin interface we saw an “edit guestbook template” option, which we can use now. When the template is saved, the guestbook saves the form information into /gb/info/template.cgi. So we can write some simple scripts into it and then run /gb/info/template.cgi. How template.cgi is used is up to your imagination; generally any script that runs fine inside a CGI program runs here. For instance, to see the contents of C:\ you could write “system “dir c:\ >a.txt”; ” and then request http://www.yourtarget.com/gb/info/template.cgi. Once this script had run, I uploaded through the forum's reg_upload.asp. Only a web shell with some directory-viewing and program-execution functions was usable. Then I found that the admin had really locked things down: apart from the landun.org web root, no directory could be viewed; the permissions were really tight. But we still have a way to run cmd.exe with some system commands. First we need to upload our own CMD.EXE. Upload winshell 5.0 (better to compress it with a packer first and see whether it evades antivirus).
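The root cause behind both the guestbook messages above and the template editor is the same: user-supplied fields are written verbatim into a file with a .pl or .cgi extension under the web root, and the server later executes that file, so every field is Perl source. The following Perl is an added example written for this page, not the guestbook's own code; the exact layout of the real $num.pl is not shown on the page, so the unsafe writer below is a reconstruction, and the message directory, file names and JSON::PP serialization (core since Perl 5.14) are assumptions. It shows the unsafe pattern, a hardened writer/reader that treats messages as data only, and a scan that flags stored message files containing the token shapes the article's payloads rely on.

```perl
#!/usr/bin/perl
# Added example (not the guestbook's own code). Assumes a per-user message
# directory like the page's /gb/data/$username/ and a numeric message $num.
use strict;
use warnings;
use JSON::PP qw(encode_json decode_json);
use File::Spec;
use File::Temp qw(tempdir);

# 1. The unsafe pattern, reconstructed from the article's description
#    (assumption: the real guestbook's exact format is not on the page).
#    Fields are interpolated into a .pl file that the server later runs as
#    CGI, so a name like '&& system' and a title ending in '"; #' become code.
sub write_message_unsafe {
    my ($dir, $num, $name, $title) = @_;
    my $path = File::Spec->catfile($dir, "$num.pl");
    open my $fh, '>', $path or die "open $path: $!";
    print $fh "$num $name \"$title\";\n";
    close $fh;
    return $path;
}

# 2. Hardened storage: validate the number, serialize the fields as JSON,
#    use an extension the CGI mapping never executes, and read the file
#    back with decode_json so it is parsed as data, never run.
sub write_message_safe {
    my ($dir, $num, $name, $title) = @_;
    die "bad message number" unless $num =~ /\A\d+\z/;
    my $path = File::Spec->catfile($dir, "$num.dat");
    open my $fh, '>:encoding(UTF-8)', $path or die "open $path: $!";
    print $fh encode_json({ num => $num, name => $name, title => $title });
    close $fh;
    return $path;
}

sub read_message_safe {
    my ($path) = @_;
    open my $fh, '<:encoding(UTF-8)', $path or die "open $path: $!";
    local $/;                      # slurp the whole file
    my $json = <$fh>;
    close $fh;
    return decode_json($json);     # a hashref of data, not executed code
}

# 3. Detection: scan an existing message file for the shapes the article's
#    payloads use (a Perl builtin glued on with && or ;, or @ARGV passed
#    through). A hit means the file should be quarantined and reviewed.
sub suspicious_lines {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my @hits;
    while (my $line = <$fh>) {
        push @hits, $line
            if $line =~ /(?:&&|;)\s*(?:system|rename|unlink|open|exec)\b/
            || $line =~ /\@ARGV/;
    }
    close $fh;
    return @hits;
}

# Constructed sample input mirroring the payload shape described on the page.
my $dir    = tempdir(CLEANUP => 1);
my $unsafe = write_message_unsafe($dir, 4, '&& system', 'dir >a.txt"; #');
print "flagged: $_" for suspicious_lines($unsafe);

my $safe = write_message_safe($dir, 4, '&& system', 'dir >a.txt"; #');
my $msg  = read_message_safe($safe);
print "stored title as data: $msg->{title}\n";
```

The scan in part 3 is a cheap triage aid for files already on disk; the fix is part 2, because no amount of filtering makes it safe to hand user input to the interpreter as source. The same change applies to the template editor: the saved template belongs in a data file rendered by a fixed CGI program, not in /gb/info/template.cgi itself.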
Then run it with the asp shell I mentioned a moment ago, the one that can view directories and execute programs. Then telnet in, run s, and the shell comes up. Actually this shell is the cmd.exe we just uploaded, not the cmd.exe under the system directory \winnt\system32\. That distinction matters. But I did not need to go that far; I only tested this successfully on my own machine. By this point I can say I already controlled the entire landun.org main site: through template.cgi I can call functions and delete arbitrary files on the site. But this virtual host's permissions were set up quite well, so I could not get into another site through this one. Afterwards I uploaded a test page to confirm the vulnerability. Really, it just satisfied my vanity. ^_^