Web penetration testing means using every available means to discover and exploit vulnerabilities in a target system, then writing the findings up in a penetration test report for the customer; the customer uses that report to fix the vulnerabilities and weaknesses in the system. The test described here was a supplementary test of an ASPX (ASP.NET) website. The following walks through the whole penetration process and the ideas behind each step, for discussion and sharing; corrections of anything wrong or missing are welcome.
(1) Preliminary penetration test
1. Vulnerability scan
Open the JSky web vulnerability scanner, create a scan task, enter the target address http://www.*****.com and start the scan. The result (Figure 1) shows no high-risk vulnerabilities. Analysing the scan output tells us three things: the site runs on ASP.NET, no injection points were found, and the "admin" and "upload" directories exist. Does a clean scan mean there is no way into this system? In practice the chance that a website is genuinely secure is low: there are systems that are absolutely insecure, but there is no such thing as an absolutely secure system.
Figure 1 Scan results from JSky
2. Test access to the website directories
Open each path returned by the scan (the "admin" and "upload" directories in particular) in the browser and check whether the page actually exists, as shown in Figure 2.
Figure 2 Testing whether the scanned paths exist
Note:
Actually visiting the directories that exist is mainly a way to check whether the system leaks error messages or other prompts. That information is then analysed and reused to support the judgements made in the later stages of the penetration.
3. Login test using social engineering
On the login page from Figure 2, enter admin as the username and try a few common passwords. Luck was on our side: one of them worked, and the back end opened as shown in Figure 3. The back-end page is fairly simple.
Figure 3 Successfully logged into the back end
Note:
This success consists of getting into the back end. In fact, even when the password can be guessed, it is still hard to turn that into permissions on the server. So in a real penetration test every idea is worth trying: any way of getting into the system is a good route towards obtaining some level of permission.
4. Look for a breakthrough point
The system has six modules in total. Going through each one shows that many of them offer the same functions (Figure 4): simple add, delete and modify operations on data.
Figure 4 Browsing the other functional modules
5. Change the administrator password
This system has no user management; the only account function is changing the single administrator's password (Figure 5). Since the current password is very weak, for security you can change it to a complex one directly (in a real engagement only with the customer's prior agreement) and then inform the administrator of the new password.
Figure 5 Changing the administrator password
(2) Indirect penetration test
If a frontal approach does not work during a penetration test, we fall back on roundabout tactics and test from the side, that is, indirect methods such as the side-site attack (旁注): going through another website hosted on the same server.
1. Find the other domain names hosted on the same server
Enter http://www.ip866.com/reverse.aspx?domain=www.rain**.com in the IE address bar to open the reverse domain lookup page, then click "Click here to reverse-query all related domain names". As Figure 6 shows, nine domain names are hosted on this server.
Figure 6 Domain names bound to the server
2. Scan for vulnerabilities
Pick one of the domain names and scan it with JSky. As Figure 7 shows, eight SQL injection points are reported, which is cause for some excitement: nothing pleases a penetration tester more than finding vulnerabilities.
Figure 7 SQL injection points found
3. Manually test the SQL injection
Pick an address from the scan's list of injection points, open it in the browser and append some test input to the parameter. Instead of database output, the anti-injection warning and the logging page shown in Figures 8 and 9 are returned.
Figure 8 The site uses the Flashack anti-injection system
Figure 9 The anti-injection system's logging page
4. Determine the database type
To continue the test, replace the ID value with a value that mixes digits and letters. The database returns an error message (Figure 10) that identifies it as Microsoft SQL Server, which in turn means the server's operating system is Windows.
Figure 10 Database type revealed by the error message
Note:
Many anti-injection systems filter keywords such as and and exec but do not strictly restrict the range of values a parameter may take. A value that is not a valid number therefore passes the filter and reaches the database, and the resulting error message still leaks information.
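The note above is the crux of the whole side-site attempt, so here is an added example (not code from the original article or from the anti-injection product it names) that models it: a keyword blacklist of the kind such systems use, the concatenated query it is supposed to protect, the whitelist-plus-parameters alternative, and a fingerprint of the database engine from the error text a blacklist still lets through. The blacklist contents, the news table, the classify_probe helper and the sample error pages are all constructed for this example; the error fragments themselves are the standard messages the respective engines emit.

```python
"""Added example, not code from the original article: a keyword blacklist in
the style of the anti-injection systems discussed above, the unsafe
concatenated query it is meant to protect, a strict-validation plus
parameter alternative, and a fingerprint of the database engine from the
error text such a filter still lets through.

All names, the blacklist contents and the sample error pages are constructed
for this example; the error fragments are the standard messages the engines emit."""
import re

# Keyword blacklist modelled on typical ASP anti-injection scripts (assumption).
BLACKLIST = ("and", "or", "exec", "select", "union", "insert", "update",
             "delete", "declare", "'", "--", ";")


def blacklist_blocks(value: str) -> bool:
    """True if the filter would reject the raw parameter value."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def build_query_unsafe(id_value: str) -> str:
    """String concatenation: the blacklist is the only thing between the
    request and the database, so anything the list misses reaches SQL Server."""
    return "SELECT title, body FROM news WHERE id=" + id_value


def strict_int(value: str, lo: int = 1, hi: int = 2**31 - 1):
    """Whitelist validation: digits only and within the expected range.
    Returns the int, or None if the value is not acceptable."""
    if not re.fullmatch(r"\d{1,10}", value):
        return None
    number = int(value)
    return number if lo <= number <= hi else None


def build_query_safe(id_value: str):
    """Parameterised query: the SQL text is constant and the value travels
    separately, so no input can change the statement's structure."""
    number = strict_int(id_value)
    if number is None:
        raise ValueError("id must be a positive integer")
    return "SELECT title, body FROM news WHERE id=?", (number,)


# Substrings that identify the engine in a leaked error page (well-known messages).
DB_ERROR_SIGNATURES = {
    "mssql": ("conversion failed when converting",
              "syntax error converting the",
              "unclosed quotation mark",
              "microsoft ole db provider for sql server",
              "[sql server]"),
    "mysql": ("you have an error in your sql syntax",
              "mysql_fetch_array",
              "supplied argument is not a valid mysql"),
    "oracle": ("ora-00933", "ora-01722", "ora-00921"),
    "postgresql": ("invalid input syntax for", "syntax error at or near", "pg_query"),
    "access": ("microsoft jet database engine",),
}


def fingerprint_db(error_page: str) -> str:
    """Return the engine name a leaked error page points to, or 'unknown'."""
    text = error_page.lower()
    for engine, fragments in DB_ERROR_SIGNATURES.items():
        if any(fragment in text for fragment in fragments):
            return engine
    return "unknown"


# Constructed error page of the kind a digit+letter id produces behind such a filter.
SAMPLE_MSSQL_ERROR = (
    "Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
    "Conversion failed when converting the varchar value '12a' to data type int.\n"
    "/news.asp, line 23"
)


def classify_probe(value: str) -> str:
    """How one probe value fares: 'blocked' by the blacklist, 'leaks' (passes
    the blacklist but fails strict validation, so it reaches the database and
    can only produce an error), or 'valid'."""
    if blacklist_blocks(value):
        return "blocked"
    if strict_int(value) is None:
        return "leaks"
    return "valid"


if __name__ == "__main__":
    for probe in ("12", "12a", "1 and 1=1", "1;exec master..xp_cmdshell"):
        print(f"{probe!r:32} {classify_probe(probe):8} {build_query_unsafe(probe)}")
    print("fingerprint:", fingerprint_db(SAMPLE_MSSQL_ERROR))
```

The point of classify_probe is the middle case: "12a" contains none of the blacklisted tokens, so the filter passes it, but it is not an integer, so the concatenated query can only fail, and the failure text names the engine. Validating the type and range first (strict_int) and binding the value as a parameter (build_query_safe) removes that case entirely, which a keyword list can never do.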
5. SQL injection test with Pangolin
In the JSky scan window, select the address with the injection point and choose the penetration test option (Figure 11). Pangolin checks the injection point and tries to enumerate database information, but the anti-injection system is clearly in the way and nothing useful can be guessed out.
Figure 11 Testing SQL injection with Pangolin
So the roundabout route is not feasible and no further permissions can be obtained that way. The only option left is to find a way forward from the access already gained in the back end.
(3) Breakthrough via the CuteEditor upload
Microsoft IIS 6 has a path-parsing vulnerability: when a folder is named like an ASP file (for example "xxx.asp"), IIS treats every file inside that folder as an ASP script and executes it regardless of the file's own extension. An attacker can therefore upload a web shell (Trojan) disguised as an image with a .jpg or .gif extension into such a folder and run it simply by requesting the file.
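As an added example (not code from the original article, CuteEditor or IIS), the following models the IIS 6 behaviour just described and shows the server-side check an upload handler needs so that a user-chosen folder or file name can never produce such a path. It goes one step beyond the text and also covers the semicolon form of the same bug (file.asp;.jpg), which the article does not mention. The upload root is taken from the ImageGalleryPath (~/Uploads) in the configuration quoted below; the allowed extensions and the folder/file names passed in are assumptions.

```python
"""Added example, not code from the original article: a model of the IIS 6
path-parsing behaviour described above and an upload-target check that
defends against it.  It also covers the semicolon form of the same bug
(file.asp;.jpg), which the article does not mention.

The allowed extensions and the caller's folder/file names are assumptions;
the upload root mirrors the editor's ImageGalleryPath (~/Uploads)."""
import posixpath

# Extensions IIS 6 maps to the ASP script engine in a default install.
ASP_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}
# Upload root from the editor configuration; accepted file types are an assumption.
UPLOAD_ROOT = "/Uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}


def iis6_runs_as_asp(url_path: str) -> bool:
    """True if IIS 6 would hand the request to the ASP engine.

    IIS 6 chooses the script engine from the first path segment whose
    extension is mapped, and stops reading a segment at ';'.  So both
    /Uploads/x.asp/shell.jpg (folder form) and /Uploads/shell.asp;.jpg
    (semicolon form) execute as ASP although the request ends in .jpg."""
    for segment in url_path.split("/"):
        if not segment:
            continue
        visible = segment.split(";", 1)[0]
        if posixpath.splitext(visible)[1].lower() in ASP_EXTENSIONS:
            return True
    return False


def safe_upload_path(folder: str, filename: str):
    """Server-side check for a user-chosen folder and file name.

    Returns the final URL path if acceptable, otherwise None.  The rules
    are whitelist-based: no dots in folder segments at all (so no folder
    can look like a script), no traversal, no ';' or NUL anywhere, and
    only image extensions on the file itself."""
    segments = folder.split("/") if folder else []
    for segment in segments:
        if segment in ("", ".", ".."):
            return None
        if any(ch in segment for ch in (".", ";", "\x00", "\\")):
            return None
    if any(ch in filename for ch in ("/", "\\", ";", "\x00")):
        return None
    stem, ext = posixpath.splitext(filename)
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    path = posixpath.join(UPLOAD_ROOT, *segments, filename)
    # Belt and braces: re-check the assembled path against the IIS 6 model.
    return None if iis6_runs_as_asp(path) else path


if __name__ == "__main__":
    for folder, name in (("2010", "photo.jpg"), ("x.asp", "shell.jpg"),
                         ("2010", "shell.asp;.jpg"), ("../admin", "photo.jpg")):
        print(f"{folder!r:12} {name!r:18} -> {safe_upload_path(folder, name)}")
```

Rejecting any dot in a folder segment is deliberately stricter than checking only for ASP extensions: the list of mapped extensions depends on the server's configuration, and a whitelist of shapes the application actually needs does not have to track it.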
Analysis and observation show that the website uses the CuteEditor rich-text editor. The editor has its own security model with three permission levels (Administrator/User/Guest), whose configuration files live in the CuteEditor/Configuration/Security directory. The core security settings in Admin.config are as follows:
<Configuration>
<security name="RestrictUploadedImageDimension">false</security>
<security name="OverWriteExistingUploadedFile">false</security>
<security name="AutoResizeUploadedImages">true</security>
<security name="MaxImageWidth">1024</security>
<security name="MaxImageHeight">768</security>
<security name="MaxImageSize">1000</security>
<security name="MaxMediaSize">100</security>
<security name="MaxFlashSize">100</security>
<security name="MaxDocumentSize">10000</security>
<security name="MaxTemplateSize">1000</security>
<!-- every gallery type except templates uploads into the same ~/Uploads folder -->
<security name="ImageGalleryPath">~/Uploads</security>
<security name="MediaGalleryPath">~/Uploads</security>
<security name="FlashGalleryPath">~/Uploads</security>
<security name="TemplateGalleryPath">~/Templates</security>
<security name="FilesGalleryPath">~/Uploads</security>
<security name="MaxImageFolderSize">102400</security>
<security name="MaxMediaFolderSize">102400</security>
<security name="MaxFlashFolderSize">102400</security>
<security name="MaxDocumentFolderSize">102400</security>
<security name="MaxTemplateFolderSize">102400</security>
<security name="ThumbnailWidth">80</security>
<security name="ThumbnailHeight">80</security>
<security name="ThumbnailColumns">5</security>
<security name="ThumbnailRows">3</security>
<!-- upload, modify, rename and delete are all enabled for this role -->
<security name="AllowUpload">true</security>
<security name="AllowModify">true</security>
<security name="AllowRename">true</security>
<security name="AllowDelete">true</security>