Blog from edevil
Contents
1. The penetration process for this target: 1.1 Process, 1.2 Initial stage, 1.3 Penetration.
2. System problems found during the test and their solutions: 2.1 Access control, 2.2 Security management and practices, 2.3 Application and system security.
Penetration test case, target system and software versions:
Linux 2.6.18-8.el5PAE, Apache 2.0 Handler, MySQL 5.0.x
The web application is a cut-down, modified build of Joomla (PHP). The test covers the web management privileges of the target's main site together with the target's application vulnerabilities and system vulnerabilities.
Test procedure in this case:
1. First, perform a preliminary architecture analysis of the website: a Whois lookup, and enumeration of the other websites hosted on the same server. Check whether the website has additional traffic-distribution (load-sharing) servers.
2. View the website's default phpinfo.php and, combined with the Whois information, work out which servers serve the website.
3. Use an existing scanner to scan the target's open ports and software versions. To rule out scanner false positives, telnet to the ports manually; only ports 22 and 80 are open.
4. Use web security scanning software such as jsck.exe and WVS to scan the website and its bypass (alternate) addresses for:
XSS, SQL injection, directory brute force, file check, file inclusion vulnerabilities, arbitrary file download vulnerabilities, and backup file downloads. The dictionary can be tailored to the collected website name; for example, if the target domain is www.xxx.com, add entries such as xxxadmin, xxxwebadmin, adminxxx, xxx.rar, xxxblack.rar and xxx.sql.bak to the scanner dictionary file. Scan the target, or search for and analyze known 0day exploits for the website based on its source code information, or check whether an online editor or other components such as phpmyadmin, ewebeditor, /CuteSoft_Client/ or fckeditor exist, and test whether the 0day for the corresponding version applies.
After manual judgment and a run of the backend path scanner, an injection point was found in the target. The /administrator/ path was found, but the target's phpmyadmin path was not. Because comment markers are filtered, information cannot be extracted directly with a plain injected statement; the statement has to be rewritten.
Rough demonstration:
http://www.xxx.com/play.php?song_id=1 and 0=0 and 1=100   (the "and 1=1" form is filtered by the other side)
http://www.xxx.com/play.php?song_id=1,1) uNion selEct 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from mysql.user where (1=1
The injection shows that the web and SQL servers are separate and that the MySQL account has root privileges.
http://www.xxx.com/play.php?song_id=1,1) uNion selEct 1,2,database(),4,5,6,7,8,9,10,11,12,13,14,15 from mysql.user where (1=1
Returned: xx@localhost, xx@192.168.x.200
http://www.xxx.com/play.php?song_id=1,1) uNion selEct 1,2,load_file(0xxx),4,5,6,7,8,9,10,11,12,13,14,15 from mysql.user where (1=1
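From the defender's side, the requests above leave a clear trail in the web server's access log. The following is an added example (not part of the original post) that normalises each request path the way the target's filter did not (URL-decoding, case folding, stripping inline comments) and flags the union/select, tautology, load_file and mysql.user patterns; the log lines are constructed to mirror the play.php?song_id= payloads shown.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (constructed sample data).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2010:10:00:01 +0800] "GET /play.php?song_id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2010:10:00:05 +0800] "GET /play.php?song_id=1%20and%200=0%20and%201=100 HTTP/1.1" 200 312
203.0.113.7 - - [01/Jan/2010:10:00:09 +0800] "GET /play.php?song_id=1,1)%20uNion%20selEct%201,2,3,4%20from%20mysql.user%20where%20(1=1 HTTP/1.1" 200 5400
203.0.113.7 - - [01/Jan/2010:10:00:12 +0800] "GET /play.php?song_id=1,1)%20uNion/**/selEct%201,2,load_file(0x2f6574632f706173737764),4%20from%20mysql.user%20where%20(1=1 HTTP/1.1" 200 7000
198.51.100.2 - - [01/Jan/2010:10:01:00 +0800] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 8000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

# Each rule is (name, regex applied to the normalised request path).
RULES = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),
    ("tautology", re.compile(r"\b(?:and|or)\b\s*\d+\s*=\s*\d+")),
    ("load_file", re.compile(r"\bload_file\s*\(")),
    ("mysql_user_table", re.compile(r"\bmysql\.user\b")),
]


def normalise(path: str) -> str:
    """URL-decode, lowercase, remove /* */ comments, collapse whitespace.

    Case folding defeats uNion/selEct; comment removal defeats union/**/select,
    which is why a filter that only strips comment markers is not enough.
    """
    q = unquote_plus(path).lower()
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q)


def scan_log(text: str) -> list:
    """Return a list of (normalised path, matched rule names) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = normalise(m.group("path"))
        names = [name for name, rx in RULES if rx.search(q)]
        if names:
            hits.append((q, names))
    return hits


if __name__ == "__main__":
    for path, names in scan_log(SAMPLE_LOG):
        print(", ".join(names), "<-", path)
```

The same rules, fed the decoded query string at request time, make a reasonable fallback filter; the real fix is parameterised queries in play.php and a MySQL account for the web application that is not root.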
Use a dictionary accumulated over a long time to scan the target for its non-standard phpmyadmin path.
Welcome to phpMyAdmin 2.5.7. (Vulnerability information for the current version can also be found by searching, for example www.exploit-db.com and www.milw0rm.com, as well as other vulnerability disclosures published at home and abroad.) Read the other side's configuration file through the injection, obtain the password, and log in to phpmyadmin.
Because the web and SQL servers are separated, a WebShell cannot be written directly through SQL, so log on to the backend management and continue. Querying the other side's admins table shows that the target administrator passwords use SHA1 hashing, and cracking is troublesome (as a rule the target should not be modified, but the password could not be cracked). We entered the backend by replacing the administrator's SHA1 hash.
It turned out to be a modified version with most functions removed. Continue: return to the main site, log on to a personal account, and find an avatar upload function. Testing the upload with packet capture showed that the other side has blocked php and allows jpg, gif and bmp, but php3 and php4 can be uploaded; the file header is checked. We added a header and uploaded a php4 file and were given its address, but the target did not parse php3 and php4, so this path was abandoned.
We returned to phpmyadmin to collect information: querying for confidential information such as possible mailbox passwords or traces left by predecessors. This did not lead anywhere. Moving to the C-class segment, the target has a close relationship with another site: its IP address in the same segment is adjacent and the management accounts are the same. Test the collected passwords to see whether they allow penetration into the target. Careful analysis yields some information: the target had previously been analysed as high-traffic,
and highly popular, and a single server's bandwidth could not meet that, so there may be other servers sharing the load in the C segment. The C segment was scanned with the dictionary edited with the tool. (Because both the target and the C segment are protected by firewalls, external scanning may be blocked. In this process I also obtained a Windows 2003 host, which I will explain in detail.) Root permission was obtained on one host via SSH.
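The avatar upload described above blocked only ".php" and relied on a file-header check, which is why php3 and php4 files with a forged image header went through. The following added example (not the target site's code) contrasts that deny-list check with an allow-list check in Python; file names and bytes are constructed.

```python
import secrets
from typing import Optional

# Leading bytes of the image formats the site intended to accept.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif", b"BM": "bmp"}
ALLOWED_EXT = {"jpg", "jpeg", "gif", "bmp"}
GIF_MAGIC = b"GIF89a"


def has_image_header(data: bytes) -> bool:
    """True if the upload starts with any known image signature."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def weak_check(filename: str, data: bytes) -> bool:
    """Deny-list check matching the behaviour described in the write-up.

    Blocks only the literal 'php' extension and trusts a valid image header,
    so avatar.php3 / avatar.php4 with a GIF header prepended is accepted.
    Kept here only to show the failure mode.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext != "php" and has_image_header(data)


def strict_check(filename: str, data: bytes) -> Optional[str]:
    """Allow-list check: returns the server-side filename, or None if rejected.

    The final extension must be on the allow-list, the header must agree
    with that extension, and the stored name is regenerated so the client
    never controls it (no double extensions, no unknown handlers).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return None
    kind = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)
    if kind is None or kind != ("jpg" if ext == "jpeg" else ext):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed uploads: a disguised script with a GIF header, and a real GIF.
DISGUISED = ("avatar.php4", GIF_MAGIC + b"<?php /* placeholder */ ?>")
REAL_GIF = ("avatar.gif", GIF_MAGIC + b"\x01\x00\x01\x00")
```

Even with the strict check, the upload directory should be served without script handlers (for Apache, no php/php3/php4 handler mapped there) so that a bypass of the check still cannot execute.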
Check the directories for anything related to the target: backup files, port connection information, configuration files, the administrator's command habits, the current OS version and configuration information, and domain information.
The administrator habitually uses su and connects to the local MySQL.
Taken together, the information indicates that this server is the target's SQL server. The web server's address is 192.168.0.100.
I collected management password information but failed to connect to the web server's SSH. At this point I needed some tools to help complete the penetration.
fakessh.c, su.c. Load them, analyse the administrator's login times, and wait until tomorrow to receive the password.
=
The following is the process for a Windows host in the target's C-segment environment. (During the earlier penetration I also obtained a Linux host and installed a sniffer, but failed to capture the target's packets; the current server may have dual MAC binding configured on the gateway.) Start: we noticed that 21 websites on the server use the same management system source code. Find the default online text editor database path ewebeditor/db/ewebeditor.asp, obtain the password and crack it, enter the backend and modify the allowed upload types (the current database did not have permission to change this, but I believe patience and care will always break through; after trying all 21 sites continuously a Web Shell was finally obtained). With the Web Shell, view the system configuration information: writable directories, installed software, enabled services and sensitive documentation. Only Remote Desktop, gent ftp and MSSQL are enabled.
I tried all the MSSQL account and password combinations and failed to find an account with higher privileges (including the databases), and had no luck cracking the gent ftp MD5 password. No suspicious services or Trojan backdoor processes left by predecessors were found. The C: disk is NTFS and readable, and connections can be made.