Web server penetration test notes

Guess up to 256 times to get the value

When submitting:

Http://211.***.***.116/list.asp?l_id=1 and exists (select password from admin where left

(password,1) = ' 1 ')

Returns：

Microsoft OLE DB Provider for ODBC Drivers error ' 80004005 '

[Microsoft] The [ODBC Microsoft Access Driver] operation must use an updatable query.

/list.asp, line 145

You can tell that the first place is ' 1 '.

The same can be achieved in order of each of the values, and ultimately a patient attempt to get ' 19a7e9898008f09e '. This step may take some time, but you can also write a script to achieve the goal of automatic acquisition.

OK, now the turn to MD5 "burst" expert DeMd5 out, fill in just get the ' 19a7e9898008f09e ', the following can have a cup of coffee and then wait for the password to come to you!

So is it just waiting before the password is cracked? Of course is negative, I do not want to expect DeMD5 can give me a satisfactory answer, in case this administrator used more than 10 digits, uppercase and lowercase letters and symbols to compose his password, that is not miserable?!

Fortunately there are cookies to cheat this trick available:

Use IECookiesView to find a cookie with the name 211.***.***.116, replace password and username with 19a7e9898008f09e and admin, and, of course, register a user in the forum before this step. Save and then open http://211.***.***.116, is already the identity of the administrator.

Find the admin entrance, http://211.***.***.116/admindefault.asp, and see what you can use.

Damn, there seems to be no function to upload files directly, but you can change the type of files that users upload in the foreground.

I did not hesitate to add the ASP. Run to the forum's main interface by posting the way upload an ASP trojan, success!

Of course, don't forget to delete the post! The rest of the cleanup work can be done later, let's see through this springboard we can get the target host

211.***.***.114 What information!

Scan 211.***.***.114:nmap-v-ss-o on 211.***.***.116 211.***.***.114

Get：

Port State Service

21/TCP Open FTP

22/TCP Open SSH

80/TCP Open http

10000/TCP Open Snet-sensor-mgmt

This result is satisfactory, at least it shows that the 211.***.***.114 firewall on the same network segment of the computer open more services, of course, means more infiltration opportunities!

The first to enter the field of vision is the FTP service, if there is a weak password, and upload permissions, it can not ...

First look at the type of FTP server, on the 211.***.***.116:

FTP 211.***.***.114

Returns：

Connected to 211.***.***.114.

Free FTP Server (Version 6.00LS) ready.

User (211.***.***.114: (none)):

It appears to be FreeBSD's own FTP server.

Then take out the Xscan for the FTP service scan:

Xscan-host 211.***.***.114-ftp

Unfortunately, the results are regrettable: There are no available accounts.

The next 22 and 80 have nothing to take advantage of, and that leaves the tcp10000 port, and if it's not mistaken, this should be the default port for Webmin. Go ahead and try it again, run on the 211.***.***.116:

Fpipe-l 8800-s 8800-r 10000 211.***.***.114

Fpipe is a port redirection tool, which is roughly meant to redirect access to local 8800 ports to the 211.***.***.114 10000 port. So our visit to 211.***.***.116:8800 is tantamount to visiting 211.***.***.114:10000.

Enter in local browser: http://211.***.***.116:8800

A Webmin landing interface appeared. Now the question is: how to get in.

Remember how the first round of Group B was defeated in England? The answer is: luck!

The answer to this webmin question is also, when I am helpless, DeMd5 told me a good news: the 211.***.***.116 on the CPB forum admin password is ' 77889900 ', cracked the password is a part of luck, And the other part is: This password is also 211.***.***.114 on the Webmin service.

Landing into the webmin is equal to control the target host 211.***.***.114, install rootkit or replace the page is only a selective problem.

At this point, the task is completed, the following is to write a lengthy infiltration test report, but before that I have to write a few "if."

If the test forum on the 1:211.***.***.116 host is deleted after the test.

If the forum version on 2:211.***.***.116 is up to date.

If the 3:211.***.***.116 host installed a fire-proof strong, and made strict restrictions.

If the rules of 4:211.***.***.114 's ipfw are stricter, only the administrator's workstation is allowed to log on to Webmin.

If the 5:CPB forum password is not the same as the webmin password.

If the 6:CPB forum password is strong enough.

Did you do all these "if"?