Network administrators must see the whole process of penetrating a large information port network.

Every day on the internet, I always see a website hacked. I admire the techniques of those infiltration experts, and admire them as if they were in the water of the river. This afternoon I was chatting with sophia. He asked me to stand up. I agreed when I saw my feelings, and I infiltrated the website with sophia. I have been busy until in the evening, so I want to write something if I have nothing to do. What should I do? I will write down the Penetration Process, hoping to give some inspiration to those who are constantly exploring and moving forward on the black road.
Http://www.xxx.cn/(ip: xx.103.160.22) is a large information port portal. Xxx.cn has the following features: 1. There are at least 20 second-level domain names. Check the ping result. Those second-level domain names are not bound to an ip address, so they are naturally not on one server. 2. Many script languages are supported, and jsp, php, asp.net, asp, and so on are available on the home page. 3. The amount of information is amazing. A lot of things are linked to other websites or second-level domain names, which can turn people out. For such a station, only people who have done it know how tired and painful it is to intrude.
I personally think that the key to this website is to find a suitable starting point and a critical vulnerability. Moved out of the domain and noticed that the server is bound to only one domain name. Let's take a look at the website first ?. After all, you know yourself, know yourself, and know what you want to do! A few cigarettes, a little dizzy at first. Although the main site supports a lot of scripts, but the dynamic page seems to be less pitiful. Others are connected to the second-level domain name! It seems that we can only start with the main site. I will first look at the website's direct vulnerabilities, such as injection and upload vulnerabilities. So we started the slow and long search process. First of all, of course, it's better to get the familiar asp. It's good. After you open the homepage, you will find an asp link, followed by parameters. Haha! Hurry up and 1 = 1. it's not good! This guy used the universal anti-injection program and did not find the injection point again. Try aspx again and return the error of the whole page when submitting everything. No way. The jsp page is correct. The php page is highlighted. Maybe it's 3306 .. Scan the password. Good! Please exit nc ip 3306 and connect quickly. the version 4.0.24 is returned. First, the UNION function is used in the injection query. to log on first .. mysql-hip-uroot. hey, at least let's get a blank password first. I'm not lucky. I failed. By the way, I guessed several common passwords and all of them failed. It seems that speculation is not enough. Come on! Drill into the main site again, start searching for the legendary php injection points, and finally find a page that looks a bit problematic!
Bytes
Because the system filters spaces, it can be replaced by/**/. However, even the number of fields cannot be guessed. It is difficult to guess the table name, so you have to give up.
Find http://gongqiu.xxx.cn/fabuinfo.asp. this is the region where the information is provided. After registration, you can upload images (only in jpg format ). I was preparing to capture packets, but I found that uploading a normal image would not work either. It seems that something wrong with the upload.
Finally, go to http://www.xxx.cn/life/lifehtm/pro_list.aspto find a search box and enter the key word "reverse detection" to return:
Microsoft ole db Provider for ODBC Drivers error '80040e14'
[Microsoft] [odbc SQL Server Driver] [SQL Server] row 1st: There is a syntax error near '%.
/Life/lifehtm/pro_list.asp, row 94
Enter "anti-probe" and 1 = 1 and '%' = '"and" anti-probe "and 1 = 1 and' % '='" To return different results, this proves the injection vulnerability. Manual injection tired people, capture packets sniffing address, such as: http://www.xxx.cn/life/lifehtm/pro_list.asp? Protype = % C6 % E4 % CB % FC % CE % EF % C6 % B7, cannot be injected with nbsi, use the tool ah d to check whether the permission is DB_owner, support multi-sentence execution, although the permission is not big, you can also list directories and search carefully in the three disks, only to find some Database backups, without any website directory, think of database and web separation, I do not know the ip address of this database machine. The idea of backing up the database to obtain webshell is probably no longer feasible. The table names such as admin and manager cannot be found. I searched back to the background on the main site and couldn't find it. it seems that this injection point has little value to use. the C:/Documents and Settings/All Users/Application Data/Symantec/pcAnywhere/directory is listed, but the configuration file cannot be obtained now.
At this time, the scanning result of sophia came out, and the superscan scan speed was really fast. It seems that it was only starting from the Intranet, not necessarily arp sniffing. It depends on luck, spoof errors may occur in. t. I have had a heated discussion, but no one has been able to solve it well. Scan the ports of machines in the same CIDR block.
After carefully analyzing the ports opened by these intranet machines, I found some secrets. Most machines have opened port 21 of ftp. After observation, we found that the connection information is such as xxweb and xxdatabase. In addition, the returned information cannot see what ftp is used, but there is a 220. Good guy! It's not hard to find out what the smart guys mean! Of course it's serv-u .. There is also accumulation, that is, many machines have opened 5631 of the pcanywhere port, an Intranet should be decorated with remote control software to manage the host for convenience? Even several hundred thousand failed. At this time, I felt that 3389 could bring us good luck. So many machine ftp information is regular, and pcanywhere should be somewhat related... social engineering? Gaga! The general idea has come out. First, extract the right from the webshell of several machines or directly download the preparation file of pcanywhere, then we can use social engineering or sniffing to get the target site. OK! When sophia started, we had to get a webshell first.

A webshell has suffered a lot. The content of the website is monotonous and has been visited by unknown people for a long time. It is difficult to build a webshell on the default database of the mobile network on the machine xx.103.160.48. of course, the cif file is stored in C:/Documents and Settings/All Users/Application Data/Symantec/pcAnywhere/. There are two configuration files. download a pcanywhere password viewer and click crack. the cute password appears in front of me like this?
Haha! What are you waiting? Login. login successful. But it seems that there is a problem, the computer is locked. depressed! Social engineering first. two cif passwords were cracked. and then combine the following. it is very painful to start logging in. the error prompt appears again and again. the psychological thief is upset! After dozens of passwords are down, it seems that the road is disconnected. Let's go back to webshell and find a way to raise the right? In the 2000 system, check the components first. All components that can be unloaded are unloaded, such as wscript! Run cmd and no permission is returned. No. How can I get an authorization shell first. after that, I jumped to several directories and all failed. I want to upload a cmd and I have no place to think about it for a while. isn't there a jet Engine Overflow? Although the permission is low. but at least it is also an external shell. download the package. an mdb file was generated smoothly. then the local nc-v-l-p1234 listens to port 1234. return to the webshell database operation. input path, connection! The progress bar is starting. The line of sight is locked in the local nc. A few seconds have passed. Wow! I see the information. Haha! I agree. It's strange that I'm about to lose the command. How can I disconnect it? Go back to webshell and check it out! Catastrophic destruction! Obviously, the server is patched. All hope is shattered. It seems difficult to escalate the privilege.
It is necessary to change his mind. Isn't there many machines on the Intranet that open 5631? Haha! Come on! This will be useful in social engineering. I started logging on to pcanywhere on other machines with the two passwords and said I was lucky. more than 20 computers. almost half of the successful login! Ga ga... but there is another bad message, that is, the machines are locked! You must have a windows login password. So much about it. login to the system requires a password, the administrator password does not exist. the only way is to continue with the password of social engineering. the only information is the two cif documents. click and smoke. connect to xx.103.160.12. send ctrl + alt + del, and soon the familiar login interface appears in front of you. wow! Start to guess the password! Energetic. I guessed more than 20 in one breath. Good guy, I still failed to log on. I changed one, and the three servers are exhausted! A little disappointed! Relax. Find a mm chat first. Open q and read it. Wow! Why is there no mm online? Continue? Let's get to xx.103.160.21!
This time I changed my new password. see the cif password. One of them is cfs1234a. This password is good. It is somewhat regular. "1234" haha! What a note? Then I will come to cfs1234abcd. Enter the password to log on! Strange? Why didn't I receive a Password error prompt? Wow, it succeeded. excited. an administrator password is used to crack the password. qq notified sophia, which is a breakthrough. Please be sure. looking back at the ports opened in xx.103.160.21, only ports 21 and 5631 are available. how is this good? Let's go in and check out his system. I don't know what's going on. This time, the desktop is very friendly and tidy! :
You may have a pcanywhere client? There will be no pc connection to the target station, right? So uncomfortable! Open it and check whether it is found. let's try again. check whether the website is shared with the target site or other sites. net view. check whether the network neighbors are empty. dizzy! What does this mean? Just a few times. The next hop is broken. It seems that this machine is not very useful. Search for information and continue with social engineering! At least you can have more information to guess the passwords of other machine administrators! Query use. Wow .. Is there an administrator online? It is inevitable to check his password. Upload a mt first (I prefer to use mt. There are many features. The size is also small. !). Run cmd and run cd to the mt directory and enter the command mt-findpass. Hey, I got the password from another online administrator. Well! Good! Look at the password. It's really a little tough. It's really an administrator. Haha! I have an extra password. By the way, didn't he open 5631? Can I see if he has another pc administrator? Soon, the C:/Documents and Settings/All Users/Application Data/Symantec/pcAnywhere/directory was opened, and another two configuration files were found. haha. there seems to be an administrator. let alone download the file first .. after that, is it necessary to break the ring locally? This is the case. Is that the password that can be used? How many machines are used? A little unwilling. Flip his disk, right? How many items can be fished back? A little balance can be found in mind. Gaga! Dizzy .. just two. c disks will be browsed in less than a minute. A standard system disk -_-! There is another D disk, hoping to bring me good luck.
Double-click the drive letter. Recently, it's a familiar name! Flashfxp, this is a good thing? I immediately went back to the Local Machine (pc is a little bit of a card). The speed of the Internet cafe is different. In less than 20 minutes, it will be finished. It's no better than the 1 m speed at home. Haha! Don't talk nonsense. Open it and check out what kind of things flashfxp can bring? "The test period is displayed. Enter the registration code." No? What does the Administrator do with this? Not registered! How long does it take to search for a registration code? I did it myself, and soon google arrived. The verification was successful, and I quickly found the historical records in the connection information! The ip address is xx.103.160.22 (the ip address of the target site ). connect to the website directory and upload a file. Then open it in the browser. q notified sophia to successfully intrude into the target site: www. xxx. xn, and cmd can be used. If serv-u overflows, the system permission is obtained.
The next thing is not over yet. You thought I was so close to someone! With the regularity of pcanywhere password and windows Password, coupled with the ftp password, we logged on to most of the key hosts in the intranet. Sophia then planted the gray pigeons without killing them. sophia worked in the internet cafe and had to play them with bots. The machines went online one by one, and planted the dedicated backdoors for the professional brother who owed money.
Although this intrusion is difficult, it is troublesome. The vulnerabilities of some machines lead to the entire internal network being out of service. I cannot figure out why they do not like to use firewalls. If this happens, I have to be busy for at least a few hours. Many times, patience and keen observation are required. Social engineering is also a kind of ability. A bull said that intrusion relies on three-point technology and seven-point thinking. The ability to quickly find the weak links of the target, not to let go of every small vulnerability, and to bring the most critical attack to the target. This is the spirit of hackers.