Author: Tr0jan
Open the home page wlj.com.cn and check the approximate architecture: the language is .NET. Trying the FCK Editor path returns 404, so open WVS to scan the website architecture and sensitive directories in detail.
The scan found that the 2005 directory was a previous ASP site, and, excitingly, it had an upload.
Using kiddies, acquisition was simple; cookies were not captured.
Open connection
Upload ASPX Trojan
The permissions are relatively large, so it is easy to escalate privileges.
Method 1
Find an executable directory and upload public 0day files such as the IIS overflow, MS11080 and other types. Using the files from a forum does not work either. Extremely frustrating, so turn to Method 2.
Method 2
Look for SA or ROOT, or third-party software such as SU.
Port scan, as shown in the figure.
Port 43958 is open. First try SU privilege escalation with the defaults.
Failed to view system service
Go to the SU directory to view servudaemon.ini.
Failed to crack LocalSetupPassword. Modifying it locally is not permitted.
Turn to SA and ROOT, searching various directories.
Finally, sort out the following information:
SA account
Id = sgzsgz Password = sgzadmindsdsdsdswwww
Id = gzwjl2012 Pwd = www. sec120.COM222
Id = ycyy Pwd = www. sec120.COM ??
MySQL account
Root sec120COM2008
With ROOT, upload a UDF script and escalate privileges.
Result: MySQL reports that the shell function does not exist, and it cannot be repaired. Now I think that the UDF has a downloader function, which can download an EXE to the startup directory and then restart the computer using the shut function. Unfortunately, all of them fail; it is preliminarily determined that the ROOT user has been downgraded.
Use the ROOT password and the MSSQL password obtained above to test the SA password. As a result, the SA password fails, and the SU password fails.
The logic is taken. Currently, only these passwords are available. Re-combine several SA and SU, and finally www. sec120.COM.
SU Password