Shanda 180-day penetration documentary, Chapter 1: Scan (several exposed admin backends + database information leakage on one site)

Source: Internet
Author: User
Tags: sdo

One day half a year ago, while watching the update progress bar of Adventure Island, I tried testing the event... and half a year later... >_< What follows is a record of those 180 days......

Tips:
· Because a long time has passed, some of the vulnerabilities may have been changed or fixed, so in some places I can only reconstruct the situation as it was back then.
· This penetration may have touched some data, but nothing was ever taken out of any database, and I would rather not be picked up across provinces o (I believe Shanda is not that kind of vendor ~)

Detailed description:

By the usual rules of penetration, you break in from the websites that have vulnerabilities. But looking through the vulnerability history of the Shanda Online and Shanda Networks vendors on WooYun, there are not many security issues left that can still be exploited =_= So I could only look for ideas from Baidu and Google......

After some Baidu-hacking and Google-hacking, I found some Shanda admin backends:

http://home.woool.sdo.com/admin/
http://gui.sdo.com/admin
http://61.129.44.185/admin/
http://home.woool.sdo.com/home/project/hero/admin/
http://coho.sdo.com/
http://home.mir2.sdo.com/Admin/
http://admin.178.sdo.com
http://coho.sdo.com/admin/
http://kk.sdo.com/admin/
http://diaocha.sdo.com/admin/
http://uam.sdo.com/
http://chdlogin31.sdo.com/
http://support.ebs.sdo.com/Admin/PostToPTD.aspx
http://support.ebs.sdo.com/Admin/PostToEBD.aspx
http://admin.shop.sdo.com/
http://pao.sdo.com/admin/
http://admin.abc001.sdo.com/
http://221.231.128.35/web2.0/admin/
http://support.billing.snda.com/bmsweb/
http://support.ebs.sdo.com/
http://support.pt.sdo.com/
http://222.73.12.211/index.php/user/login
http://xy.sdo.com/admin/login.php

I wanted to go in and look at the structure, but I did not expect a unified application management platform...

It seems this is Shanda's general mechanism: Shanda's online websites must first connect to the unified application management platform and be authorized before anyone can log on to a backend, so Internet users cannot reach them... Helpless, I could only approach it from other angles... for example, IP segments? According to what Baidu turned up, Shanda's IP segment allocation is much wider than I imagined. No wonder there are thousands of applications... After scanning and filtering, I got several Shanda IP segments: 222.73.2.0 222.73.2.254115.182.3.0 255.255.255.255.180.96.41.254 (as written in the source). After scanning ports 80, 8000 and 8080, I did not find much...

"Don't be scared off by the unified application management platform. You have to know that no network is absolutely secure." A voice in my head kept reminding me. So I went back over the backends; most of them were Windows 2003 systems. Maybe there is a parsing vulnerability? Or some other unauthorized access? Or lower-level vulnerabilities? For example... FCKeditor? So I configured a dictionary for backend scanning...

http://admin.shop.sdo.com/ : FCKeditor's test file was visible. This is Shanda's prop mall (item shop) management system. (There should be good stuff in it. Wow...) After a burst of excitement I found that an IIS parsing attack was not possible, because uploaded files go to img.dfs.sdg-china.com, a Shanda file server, and execution there is restricted. Although a little disappointed, I suddenly remembered that FCKeditor before 2.6.4 had a traversal vulnerability. I checked the site: 2.6.3. The traversal succeeded. In this way the basic layout of a Shanda server could roughly be made out:

· The Autoup folder on drive C looks like intranet FTP information.
· The DBUpload/Program folder on drive D also seems to hold FTP information; judging by the folder name, it is where database files are uploaded. If that could be obtained, it would be of great help for the next step.
· There are also BackupWEB, BackupDB, WebCodeBackup and other sensitive folders.
· Shanda's websites are generally placed under D:\Website.

Back to the website directory. Because the site code is compiled, even though the web directory could be traversed there was almost no unauthorized-access problem. Shanda did a good job here... After some testing, no aspx program without authentication could be found... Just as I was about to give up, I suddenly saw a PropTransferTool folder under the directory. Then my hand slipped. It seemed there was something in it...... Importing item information and specifications, useless... DataTransformer.exe.config? That looks like something good...? But *.config does not seem to be directly downloadable in .NET... Well... try it anyway... Take http://admin.shop.sdo.com/, add PropTransferTool/DataTransformer.exe.config, and press Enter... What the...! It can be read!! Since *.config can be read, what about *.dll? If a dll can be downloaded and decompiled with a .NET decompiler, more useful information could be obtained... Although *.dll normally cannot be downloaded directly, this site has obvious configuration problems... And then, success... The .config file of SndaShopTools was also found. After downloading it, I found the address of the intranet database, but, for network or other reasons, could not connect to that database from the Internet... =_= As for the dll decompilation results, there was not much of value...

Solution:
· Upgrade FCKeditor to the latest version.
· Strengthen the server security configuration.
· Change the exposed database passwords.
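The two findings above (a *.config / *.dll that the web server hands out, and a directory traversal through an outdated editor component) both leave a clear trace in the web server's access log. The following script is an added example, not part of the original write-up, and is one way a defender could audit IIS W3C extended logs for exactly that trace: successful downloads of file types a .NET site should never serve, ".." path elements in the URI or query string (including double-encoded forms), and requests into backup-style directories. The log field layout and the sample lines are constructed for this example; only the directory and file names (PropTransferTool, DataTransformer.exe.config, SndaShopTools, BackupDB, DBUpload) are borrowed from the text.

```python
"""Audit IIS W3C extended log lines for the exposure pattern in the write-up.

Added example, not from the original post. The #Fields layout and the sample
log lines are constructed; directory and file names come from the write-up.
"""
import re
from urllib.parse import unquote

# File types a .NET web root should never serve over HTTP.
SENSITIVE_EXT = (".config", ".dll", ".bak", ".mdf", ".ldf")
# Directory names from the write-up that indicate backups or upload staging.
BACKUP_DIRS = ("backupweb", "backupdb", "webcodebackup", "dbupload")
# ".." as a complete path element (either slash style, or right after "=" / "&").
TRAVERSAL = re.compile(r"(?:^|[\\/=&])\.\.(?:[\\/]|$)")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Return the list of finding labels for one log row (empty if benign)."""
    # Decode twice so %252e%252e (double-encoded "..") is caught as well.
    stem = unquote(unquote(row.get("cs-uri-stem", "")))
    query = row.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote(unquote(query))
    status = row.get("sc-status", "")
    low = stem.lower()
    findings = []
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        findings.append("traversal")
    # Only a 200 is an actual leak; a 403 means request filtering did its job.
    if low.endswith(SENSITIVE_EXT) and status == "200":
        findings.append("sensitive-file-served")
    # Any request into a backup directory is worth a look, whatever the status.
    if any("/%s/" % d in low or low.endswith("/" + d) for d in BACKUP_DIRS):
        findings.append("backup-dir-access")
    return findings


def audit(text):
    """Return (client ip, uri stem, status, findings) for every flagged row."""
    flagged = []
    for row in parse_w3c(text):
        findings = classify(row)
        if findings:
            flagged.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], findings))
    return flagged


# Constructed sample log: one benign request, two leaked files, one traversal
# attempt, one request that filtering blocked, and one probe of a backup folder.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-01 10:00:01 10.0.0.5 GET /default.aspx - 200
2009-05-01 10:00:07 10.0.0.5 GET /PropTransferTool/DataTransformer.exe.config - 200
2009-05-01 10:00:09 10.0.0.5 GET /bin/SndaShopTools.dll - 200
2009-05-01 10:00:12 10.0.0.5 GET /fckeditor/editor/filemanager/browser/default/browser.html dir=..%2F..%2F 200
2009-05-01 10:00:15 10.0.0.5 GET /web.config - 403
2009-05-01 10:00:20 10.0.0.9 GET /BackupDB/ - 403
"""

if __name__ == "__main__":
    for ip, uri, status, findings in audit(SAMPLE_LOG):
        print(ip, status, uri, ", ".join(findings))
```

On the sample log the script flags the two served files, the traversal attempt and the backup-folder probe, and stays quiet about /web.config because the 403 shows the server refused it; that status check is what separates "someone asked" from "the server leaked it" when triaging a real log.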
