Lately the network never seems to be at peace: since the exploit tool for the WebDAV vulnerability was released, the number of potential "broilers" (compromised hosts) online seems to keep growing. The patch has been out for several days, but some people still have no heart for it ...
But what I'm going to talk about today is not a WebDAV overflow attack, but a penetration attack through an ASP page vulnerability.
The night before last, a friend I hadn't seen for days suddenly messaged me on QQ (he is Cantonese, so I had thought he was in hospital, hehe). After chatting for a while he suddenly gave me an address, asked me to take a look, and asked whether I could get the right to publish news ...
Old routine: ping the domain name to get the IP address, then port scan with SuperScan. Hehe, quite a lot was open:
21, 25, 53, 80, 110, 139, 445, 3389, and so on.
Analysis, one by one:
1. FTP is open to make updating the site's information column easier. No weak password ...
2. Port 53 (DNS) suggests this is the domain controller (the RPC overflow could be forced, hehe, violent tendencies).
3. Telnet to the target IP on port 80 and look:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 05 May 2003 14:22:00 GMT
Content-Type: text/html
Content-Length: 87
The parameter is incorrect.
The connection to the host has been lost.
Oh, IIS 5.0 ... Alas, no WebDAV overflow vulnerability. Not bad! The admin is responsible and has applied the patch. Worth praising ...
4. 139, 445
Yes, NetBIOS and IPC$ sharing are open. Prying around, I got the username and the share list.
5. 3389
No Purple input method hole either; it is Windows 2000 + SP3 + w2k_sp4_x86_cn, so don't think about it. Get administrator rights first, then we can talk about that!
So none of these avenues look feasible for now. I opened the site's homepage: it is a certain daily newspaper site, hehe, lots of news! And look, it is an ASP front end. Very good: the method is simple and readable, but there are also plenty of holes, many of them down to programmer carelessness. Fine, let me browse the whole site ...
Where is the admin page? Let's guess (social engineering, elementary application)!
Http://www.target.net/admin/ No, it can't be displayed.
Http://www.target.net/admin.asp No.
Http://www.target.net/manger.asp Huh? Something comes up ...
Http://www.target.net/pass.asp Look back ... Oh? Isn't that the address my friend gave me?
Look at it! It wants a username and password. Well, a hard problem, hehe; that is what he wanted in the first place! Good! Try this: in the password field I entered asp' or '1. Hehe, I'm in! Why? Look at this!
In the ASP program, the username and password check is implemented with an MSSQL statement like this:
mydsn = "select * from user where user='" & user & "' and pwd='" & pwd & "'"
If pwd becomes asp' or '1, what does that mean? Take a look:
mydsn = "select * from user where user='" & user & "' and pwd='asp' or '1'"
Reading left to right, user='" & user & "' and pwd='asp' evaluates to 0, and 0 or 1 is 1. Hehe, so it passes!
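To make the left-to-right reasoning above concrete, here is an added example (not code from the original post) that rebuilds the concatenated query in Python against an in-memory SQLite table standing in for the site's MSSQL user table, next to a parameterized version that keeps the same input as plain data. The table contents, the account and the login helpers are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's user table (assumed columns: user, pwd)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (user text, pwd text)")
    conn.execute("insert into user values ('editor', 's3cret')")  # constructed account
    return conn


def build_query_concat(user, pwd):
    """The page's ASP pattern: the SQL text is assembled by string concatenation."""
    return "select * from user where user='" + user + "' and pwd='" + pwd + "'"


def login_concat(conn, user, pwd):
    """Vulnerable check: whatever the user typed becomes part of the SQL itself.
    With pwd = asp' or '1 the WHERE clause parses as
    (user='...' and pwd='asp') or '1', and the trailing '1' is always true."""
    return conn.execute(build_query_concat(user, pwd)).fetchone() is not None


def login_param(conn, user, pwd):
    """Hardened check: placeholders bind the input as data, so the quote and the
    'or' stay inside the password string and never reach the SQL parser."""
    row = conn.execute(
        "select * from user where user=? and pwd=?", (user, pwd)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    injected = "asp' or '1"  # the value the author typed into the password field
    print(build_query_concat("anything", injected))
    print("concatenated:", login_concat(conn, "anything", injected))  # True
    print("parameterized:", login_param(conn, "anything", injected))  # False
```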
What to do once inside? I noticed that when publishing an article you can also paste a picture attachment, hey! Let me look: the posting page really does have an attachment upload. Looks lucky (don't be happy too early, still don't know what can be uploaded)! Click to attach, and hey heh, there is no extension filter at all; it accepts all files. Meaning what? Ha ha! Of course uploaded files can be of any type!
I uploaded an ASP trojan and the system numbered it automatically: 01090208.asp. Oh, but where did it go? Go look for it ... Big headache! Time to think again. Take a look at his database! So ......
http://www.target.net/data/ Good! "You do not have permission" ... Haha, so it really is here! Try again!
Http://www.target.net/data/database.mdb No file found.
Http://www.target.net/data/target.mdb Yes! Come on, download it and look!
Oh! It's the user list, the article list and the system stats. That's it! Ha! Sure enough, the absolute path of 01090208.asp is inside. OK, type it into the browser and look ... It comes up!
Good! Copy the SAM file to the web root to download it. Enter on the command line:
copy d:\winnt\repair\sam e:\www.target.net\sam._
Http://www.target.net/sam._
Download complete ...
Next? Crack it with LC4? No, no! Log in with smbproxy, a new method! Hehe, something new!
The smbproxy program only recognizes password information in pwdump format, not LC format, so I converted the SAM file I obtained into pwdump format.