A penetration test targeting the school OA attendance system server

I am in a software School in XX, Chongqing. The school has a total of four internal servers,

IP address structure: 10.0.0.2, 10.0.0.4, 10.0.0.5, and 10.0.0.103

Last year, because the sa of 10.0.0.103 had a weak password of 123456, it was reported to the school for handling (indeed handled) by Sunday ),

I can't connect to the Intranet, so I am sorry,

Analysis structure:

 

I don't know what the nerves are. I just ran the SQL statement and lost a host named 10.0.0.3 over the connection (the SA password was 123456 last year). The username sa, password 123456, log on directly, and then simply fix an SQL error to take this one, and then sniff the C segment in cain. After several minutes, we found that 10.0.0.4 had 3389 data, and the rest was gone, so I don't care about it (in class). When I finish class, I can see that NND, the server is dead, kiss, 8 cores, so large memory, so easy to die, okay,

Egg ping 10.0.0.5, even can ping through, okay, visit http://seay.sinaapp.com: 8888, it is our goal OA, I forgot to say that several OA files on this server were written by a school teacher. Hey, the vulnerabilities will certainly exist. I did not inject the files when I logged on to the server, and I couldn't log on even if I didn't have an account, move out of the Toolkit you have written, open the sword, and scan NND... Wwwsan cannot be scanned. Okay, don't scan it. There is a link next to the login input box. It seems that the name of the telephone service OA system is incomplete. Click it. It's still a login interface, but I 've lost an 'or' = 'or'. Click login. Okay, an error is reported. Dear, 'the quotation marks are not complete. Various attempts are made, when I was about to give up, a "or" = "login was successful, but Mao duomu had it, and he could not do anything, for example, all the school staff like to use sa users. It is estimated that these OA permissions are also sa permissions. After studying this login injection, we found that only the user name and password can be logged in using 'or "=, the password is saved in plain text. Well, generally, the SQL statements injected during login write "select * from seay where name ='' and pwd = ''", the approximate structure is like this. Okay, construct it.
Select * from seay where name = "or" = "and pwd =" or "="; exec sp_password NULL, '1 ′, 'sa ', we can see that users only need to fill in' or "= 'password 'or" = "; exec sp_password NULL, '1', 'sa' to log on, the sa password can be changed to 1 as long as it is the sa permission. In fact, I didn't guess it was wrong. It was indeed the sa permission, and later it was still an old classic, when connecting to the sa, SQL directly adds a system account to the server and successfully wins the server. The whole process is divided into two classes. Well, it's sa's error. As I said before, www.2cto.com everyone who went out of this school liked to use sa (except me ).

There are two other servers: 10.0.0.4 and 10.0.0.2. It is not difficult to see them. There are three technical maintenance instructors in the school, and two are computer repair engineers... That is to say, there is another network, four servers, two servers, and one that can sniff 3389 of the data. The administrator's plaintext password is directly captured, the other two are estimated to be able to log on with this password.

Comments on the internal network: sa is invincible, you like it, and I like it more. It is best to use 123456 for all passwords.

Is there a login injection system written by the school's boss-level figures? Are you hurt? I told you to install an arpfirewall last year... Okay. In addition, there is a mentally retarded upload on the Internet school official website (also written by the teacher). The upload type is not verified (and I deleted the page for him later.

At the end of this article, our school teachers are all good (many beautiful sister-in-law teachers in their 20 s Wow). They have been running more than 4000 miles from their hometown, and they have been here for a year, there are a lot of things you have learned. You are willing to ask them and want to teach you. Come here anyway, no regrets... It means that the tuition fee is a little expensive. There are only five half-day (two and a half days) courses in one semester, and the next lesson is 6 or 7 cents a minute, I can't afford my tuition... Hello, Headmaster. Is it free of school fees?