Reposted from: Hilven
Directory
I. Penetration process for this target
1.1 Process
1.2 An episode in the middle
1.3 Penetration completed
II. System problems found during testing and solutions
2.1 Access control
2.2 Security management and practices
2.3 Application and system security
Penetration test case
Target system and software versions
Linux 2.6.18-8.el5PAE
Apache 2.0 Handler
MySQL 5.0.x
Web application: a modified, cut-down version of Joomla (PHP)
Penetration target: web management (administrative) access to the main site; remediation target: the site's application vulnerabilities and system vulnerabilities
Test procedure in this case
1. First, perform a preliminary architecture analysis of the website: a Whois query, and a query for other websites hosted on the same server. Check whether the website has other traffic-distribution servers.
2. View the website's default phpinfo.php and, combined with the Whois information, collect website information to find out which servers serve the website.
3. Use an existing scanner to scan the target system's open ports and software versions.
To eliminate scanner false positives, manually telnet to each port and confirm that only ports 22 and 80 are open.
For example, jsck.exe and WVS, a web security scanning tool, are used to scan the website and the bypass addresses globally.
Tests cover XSS, SQL injection, directory brute force, file checks, file inclusion vulnerabilities, arbitrary download vulnerabilities and backup-file download. You can edit the dictionary based on the collected website name. For example, if the target domain is www.xxx.com, you can add entries such as xxxadmin, xxxwebadmin, adminxxx, xxx.rar, xxxblack.rar and xxx.sql.bak to the scanner dictionary. Scan the target, or search for and analyze known 0day exploits for the website based on its source code information, or check whether an online editor or other components such as phpmyadmin, ewebeditor, /CuteSoft_Client/ or fckeditor exist, and test the corresponding version's 0day.
After manual judgment and scanning with the background-path scanner, it is found that the target is injectable and that /administrator/ exists, but the target's phpmyadmin path is not found. However, because the comment marker is filtered, statement injection cannot be used directly to obtain information; the query needs to be converted.
Rough demonstration
http://www.xxx.com/play.php?song_id=1 and 0=0 and 1=100
The other party filters "and 1=1".
http://www.xxx.com/play.php?song_id=) uNion selEct 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from mysql.user where (1=1
After the injection process, it is found that the target's web server and SQL server are separate hosts and that the MySQL privilege is root.
http://www.xxx.com/play.php?song_id=) uNion selEct 1,2,database(),14,15 from mysql.user where (1=1
xx@localhost
xx@192.168.x.200
http://www.xxx.com/play.php?song_id=) uNion selEct 1,2,load_file(0xxx),6,7,8,9,10,11,12,13,14,15 from mysql.user where (1=1
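A detection-side check for the probe shapes shown above, added here as an example and not part of the original post. It parses constructed Apache combined-log lines (the log lines, IPs and timestamps are made up), URL-decodes and case-folds each query string, and flags the tautology probe, the union/select, the mysql.user read, the load_file call and the comment-free "where (1=1" form regardless of case-mixing or /**/ padding.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not taken from the original post):
# the first three mirror the probe shapes shown above, the last is benign.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /play.php?song_id=1%20and%200=0%20and%201=100 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /play.php?song_id=)%20uNion%20selEct%201,2,database(),4%20from%20mysql.user%20where%20(1=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /play.php?song_id=)%20uNion/**/selEct%201,load_file(0x00)%20from%20mysql.user%20where%20(1=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /play.php?song_id=42 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
'''

# Minimal combined-log parser: client IP, request path (with query) and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')

# Signatures are matched against the normalized query string, so case-mixing
# such as "uNion selEct" and "/**/" padding do not evade them.
SIGNATURES = {
    "tautology_probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),        # and 0=0 / and 1=100
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "mysql_user_read": re.compile(r"\bmysql\.user\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "paren_close_no_comment": re.compile(r"\bwhere\s*\(\s*1\s*=\s*1\b"),  # closes the original paren, needs no comment marker
}

def normalize(query):
    """URL-decode, turn inline comments into spaces, collapse whitespace, lowercase."""
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify(line):
    """Return {ip, path, status, hits} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    norm = normalize(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")), "hits": hits}

def scan_log(text):
    """Return only the parsed lines that triggered at least one signature."""
    rows = (classify(line) for line in text.strip().splitlines())
    return [r for r in rows if r and r["hits"]]
```

A filter that only strips the comment marker sees nothing in the second and third lines, which is why normalizing and inspecting the whole decoded query string matters.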
Use your long-accumulated dictionary to scan the target and find its non-default phpmyadmin path.
Welcome to phpMyAdmin 2.5.7. (You can also search for vulnerability information for the current version.) For example:
www.exploit-db.com and www.milw0rm.com publish vulnerabilities released at home and abroad.
Read the other party's configuration file information through the injection. After logging in to phpmyadmin, the password is displayed.
Because the web server and SQL server are separate, a WebShell cannot be written directly through SQL, so we log on to the background management to continue.
After querying the target's administrator table, it is found that the administrator passwords are stored as SHA-1 hashes, which are hard to crack. (The general principle is not to change the target, but since the administrator password could not be cracked) we entered the background by replacing the other party's administrator password hash with our own SHA-1.
It is found to be a modified version with most functions removed. Continue: return to the main site, log on to a personal management (member) account, and find an avatar upload function. Through a packet-capture upload test it is learned that the other party has disabled php and allows only jpg, gif and bmp, but php3 and php4 can be uploaded because only the file header is checked. We added a header and uploaded a php4 file and obtained its address, but the target did not parse php3 or php4, so this path was abandoned. We returned to phpmyadmin to collect information and queried for confidential information such as possible mailbox passwords or traces left by predecessors; this did not succeed. Looking at the C-class segment, the target has a close relationship with another site whose IP address is in the same segment, and the management accounts are the same. Test the collected passwords to see whether they can be used to penetrate the target. Through careful analysis, some information was obtained. The target was previously analyzed as having high traffic:
its popularity is high and the bandwidth of a single server cannot meet it, so there may be other load-sharing servers in the C segment. The dictionary document edited with the tool was used to scan the C segment. (Because both the target and the C segment have firewall protection, external scanning may be blocked. In this process I successfully obtained a Windows 2003 host; I will explain it in detail later.) I obtained root permission on a host with an SSH client.
Check whether the directory contains anything about the target: backup files, port connection information, configuration files, the commands the administrators use, their management habits, the current OS version and configuration information, and domain information.
Administrators' su habits
Connection to the local MySQL
The overall information indicates that this server is the target's SQL server. The web server address is 192.168.0.100.
I collected the management password information but failed to connect to the web server's SSH. At this point, I need some tools to help me complete the penetration.
fakessh.c and su.c: load them, analyze the administrators' login times, and wait until tomorrow to receive the password.
An episode in the middle
The following is the process for a Windows host in the same C-class environment. (During the previous penetration process, I also got a Linux host with a sniffer installed, but failed to capture the target's packets; the current server may have dual MAC binding configured on the gateway.) The starting point: we noticed that 21 websites on the server use the same management system source code. We found the default online text editor path ewebeditor/db/ewebeditor.asp, obtained and cracked the password, and entered the background to modify the allowed upload types. (The current database did not have permission to change it, but I believe patience and care can always break through; after continuously trying the 21 sites, we finally got a web shell.) With the web shell you can view system configuration information: writable directories, installed software, enabled services and sensitive documentation. Only Remote Desktop, Gent FTP and MSSQL were enabled.
I tried all the MSSQL account and password combinations and failed to find an account with higher permissions (including in the databases), and had no chance of cracking the MD5 Gent FTP password. No suspicious services or Trojan backdoor processes left by predecessors were found. The NTFS C: disk is readable. Connect to the other party's Remote Desktop and call up the magnifier to check whether the popular magnifier backdoor is present. The current Windows version is in English, and sethc is Chinese and not fully displayed. Go to c:\windows\system32\sethc.exe and check its size: it is 45 KB, whereas the normal version should be 30 KB. Use the copy function of the aspx web shell to copy sethc.exe to the shell directory and download it locally. Loading it in OD for debugging shows that the backdoor was packed with ASPack 2.12, so the source could not be properly analyzed with the loading script. The password and the shell's key combination were found, and the system was successfully entered.
Unpack the portable Cain and find that cookie information is reloaded no matter which page of the target is accessed, causing high traffic.
Due to the high popularity, I was unable to accurately identify the management login information. I used the following method (later I found that Cain's HTTP settings can also accomplish it): use the "shark" sniffer together with Cain for surface-level data analysis and set the parameters precisely for the management login information; once the conditions are met, the management information is intercepted successfully.
The above is how the Windows permissions were obtained.
Unfinished business of the continuing revolution (penetration completed)
After loading the rootkit backdoor, we analyzed the management login time periods and found that logins were not very frequent. The time windows in which the administrators use SSH and the web are precious. I decided to use social engineering based on the existing information to work out the password of the web target. The combined dictionary scan and manual tests failed for more than an hour, and then the website encountered a problem, probably because ARP was used today.