"Combat" a difficult invasion to power, successfully won the server

Source: Internet
Author: User

Preface: This is the 10th article in 51CTO, give everyone to point to the force of HA ~ this intrusion detection in the right rebound connection encountered a lot of problems, let the nest to explain.

Let ' s go!

One, the information collected on the target website.

http://www.XXXXX.cn ip:122.225.xx.xxx [Zhejiang province Jiaxing Telecom]

Server os:microsoft Windows NT 5.2.3790 Service Pack 2 (XP | | Win Server SP1 or SP2)
Server software:microsoft-iis/6.0 Web script: aspx with IP no other site, next note just forget

Second, through the site backstage landing design defects directly admin ' or ' 1 ' = ' 1 won, can also inject, but so simple point, and then login backstage upload aspx webshell. How to take Webshell, later to write.

Three, landing Webshell. There are 3 kinds of Webshell uploaded, which are easy to use. Also confirm the host open port, intranet address, current login account permissions, Remote Desktop Services real port, server version for Windows Server 2003. To do the next step.

1521:oracle database 4899:radmin 3389: The administrator does not pervert the change is the remote Desktop.

650) this.width=650; "title=" 22.jpg "style=" Float:none; "alt=" wkiol1tr2gdjd1ktaagdbf2-wwo193.jpg "src=" http:/ S3.51cto.com/wyfs02/m01/59/d3/wkiol1tr2gdjd1ktaagdbf2-wwo193.jpg "/>

650) this.width=650; "title=" 88.jpg "style=" Float:none; "alt=" wkiol1tr2gby3zizaad0p5jk93e666.jpg "src=" http:/ S3.51cto.com/wyfs02/m01/59/d3/wkiol1tr2gby3zizaad0p5jk93e666.jpg "/>

Four, looks too good to mention the right, the actual is not drip, check the server patch, PR, Brazilian barbecue, server kernel overflow, such as the right to exploit all patched up ... As if iis6 right without patches, try, upload iis6.exe to read-write directory.

650) this.width=650; "title=" 555.jpg "alt=" wkiom1tr3ksrftiiaaexlw6hzdu704.jpg "src=" http://s3.51cto.com/wyfs02/M00 /59/d7/wkiom1tr3ksrftiiaaexlw6hzdu704.jpg "/>

Also turn off port filtering for the host.

650) this.width=650; "title=" 00.jpg "style=" Float:none; "alt=" wkiom1tr2pbascr7aae7fgocpri933.jpg "src=" http:/ S3.51cto.com/wyfs02/m02/59/d7/wkiom1tr2pbascr7aae7fgocpri933.jpg "/>

IIS6 the right to start, until the last moment is very smooth, until ...

650) this.width=650; "title=" 10.jpg "style=" Float:none; "alt=" wkiol1tr2f_yf-v2aafuy3k4_ec628.jpg "src=" http:/ S3.51cto.com/wyfs02/m00/59/d3/wkiol1tr2f_yf-v2aafuy3k4_ec628.jpg "/>

Need Wmiprvse.exe can't find, view process, it exists, but current account permissions too low, no kill this process and restart to find the corresponding PID ... Failed. Another way of thinking.

650) this.width=650; "title=" 11. jpg "style=" float:none; "alt=" wkiol1tr2g6sycmcaabv0_hj2xm136.jpg "src=" http:/ S3.51cto.com/wyfs02/m01/59/d3/wkiol1tr2g6sycmcaabv0_hj2xm136.jpg "/>

Five, there are too few domestic data in Oracle database, but I have tried many ways. The server and database are not detached, find the Web. config download, and then log on remotely to prepare for a trial with Oracle's vulnerability.

650) this.width=650; "title=" 666.jpg "alt=" wkiom1tr30-jc_toaaqkhopdwe0277.jpg "src=" http://s3.51cto.com/wyfs02/M00 /59/d7/wkiom1tr30-jc_toaaqkhopdwe0277.jpg "/>

May be network reasons, the connection is very unstable, can only give up. Then try Metasploit directly, engage the mainframe, make Oracle, or not. Go on.

Six, thinking back to the local power to try again. Take advantage of an up-to-date local exploit loophole and fix it! Here began to tangle for a long time, because there is no echo, add not on the administrator. Then the wretched thought came, such as ↓↓↓↓↓↓

650) this.width=650; "title=" 12. jpg "style=" float:none; "alt=" wkiom1tr2qtgaamraada92xt8he750.jpg "src=" http:/ S3.51cto.com/wyfs02/m02/59/d7/wkiom1tr2qtgaamraada92xt8he750.jpg "/> Successfully added administrator account, make sure you have to train your mind.

650) this.width=650; "title=" 13. jpg "style=" float:none; "alt=" wkiol1tr2g3dguz9aahqdck4suu881.jpg "src=" http:/ S3.51cto.com/wyfs02/m00/59/d3/wkiol1tr2g3dguz9aahqdck4suu881.jpg "/>

Seven, remote connection to go up. What the heck. Sure enough to deny my IP connection, nothing, intranet port forwarding try.

650) this.width=650; "title=" 99.jpg "style=" Float:none; "alt=" wkiom1tr2p-gp7jjaaffy4slpyo810.jpg "src=" http:/ S3.51cto.com/wyfs02/m01/59/d7/wkiom1tr2p-gp7jjaaffy4slpyo810.jpg "/>

Eight, LCX walk, result ... Local NC monitor not to bounce the connection, no words I ... Think again for a moment, decided to upload reduh forwarding. How to use the goods, after the time to write. I have written about the usage of LCX,NC and I need to check it myself.

650) this.width=650; "title=" 11.jpg "style=" Float:none; "alt=" wkiom1tr2peshiuuaacjywdvmji477.jpg "src=" http:/ S3.51cto.com/wyfs02/m00/59/d7/wkiom1tr2peshiuuaacjywdvmji477.jpg "/>

The local client connects to the service side while the NC listens on port 1010.

650) this.width=650; "title=" 33.jpg "src=" http://s3.51cto.com/wyfs02/M02/59/D3/wKioL1Tr5_zQnjFsAADtE2jkMm4878.jpg "alt=" Wkiol1tr5_zqnjfsaadte2jkmm4878.jpg "/>

650) this.width=650; "title=" 44.jpg "style=" Float:none; "alt=" wkiol1tr2ghsibwpaacnldfxado206.jpg "src=" http:/ S3.51cto.com/wyfs02/m02/59/d3/wkiol1tr2ghsibwpaacnldfxado206.jpg "/>

OK, it's forwarded.

650) this.width=650; "title=" 77.jpg "style=" Float:none; "alt=" wkiom1tr2p3raz8waaorxy9mi-a377.jpg "src=" http:/ S3.51cto.com/wyfs02/m00/59/d7/wkiom1tr2p3raz8waaorxy9mi-a377.jpg "/>

Nine. Open Remote Desktop to start the connection.

650) this.width=650; "title=" 55.jpg "style=" Float:none; "alt=" wkiom1tr2pqaydk0aafy3obzlqg505.jpg "src=" http:/ S3.51cto.com/wyfs02/m02/59/d7/wkiom1tr2pqaydk0aafy3obzlqg505.jpg "/>

Success, server down, exhausted nest whistling ~ ~ ~

650) this.width=650; "title=" 66.jpg "style=" Float:none; "alt=" wkiol1tr2gpi0ct6aaf6fdmtioo211.jpg "src=" http:/ S3.51cto.com/wyfs02/m00/59/d3/wkiol1tr2gpi0ct6aaf6fdmtioo211.jpg "/>

Ten, enter the administrator account you just created, password login.

TIPS: Why didn't I log in to take a picture of a lot of things ah, a variety of traces to remove the people, we do not have bad motives, learning technology is the key ha ~650) this.width=650; "alt=" J_0037.gif "src="/http Img.baidu.com/hi/jx2/j_0037.gif "/>

This article from the "Night-person" blog, declined to reprint!

"Combat" a difficult invasion to power, successfully won the server

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.