I. Technical Summary
With the rapid development of the Internet, websites large and small keep appearing. Among them, dynamic websites have an absolute advantage in usability and variety.
As ASP systems are widely used on the Internet, script attacks against ASP systems have recently become more and more popular. In these attacks, the attacker uses injection, brute-force database (forcing disclosure of the database path), bypasses and cookie spoofing to obtain administrator privileges, then uses direct upload or the background backup function to obtain a webshell on the site and thereby control the entire site. The webshell can then be used to escalate to server management permissions.
What is a webshell? A webshell is written in a scripting language; through it, program files and SQL statements can be edited, deleted, added and executed online. For example, the well-known Veteran (Lao Bing) and Ocean Top are ASP script files of this kind, commonly called the "big horse" (dama) and "small horse" (pony).
--------------------------------------------------
II. Main Intrusion Methods
1. Upload vulnerabilities
i. The typical online upload vulnerability: the upload page can be accessed directly.
ii. Upload a script trojan directly from the website background to obtain a webshell. Some website systems trust the administrator completely, so once you have entered the background you only need to find the upload location and you can upload any script trojan.
iii. Add an upload type. If the system code does not allow .asp files to be uploaded, we can add file types that are allowed to be uploaded, such as .asa or .cer, and rename the trojan's suffix to .asa or .cer to get a webshell.
iv. Restore the .asp suffix through the background backup function. If extensions such as .asp, .asa and .cer cannot be uploaded, we change the script trojan's suffix from .asp to an image suffix such as .jpg or .gif. After the file has been uploaded successfully, use the background database backup function to restore the file's .asp suffix.
v. Packet capture and upload. Capture the real upload address and the administrator's authentication cookie, then upload the script trojan through Ming Xiaozi to obtain a webshell.
In fact there are many more upload methods, but they are all built on this basis; once you have mastered this knowledge, learning them is very simple.
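As an added example (not code from the article), here is a server-side upload check in Python that closes the tricks listed in i to v above: an allowlist instead of a blocklist (so .asa and .cer are refused together with .asp), case-insensitive extension handling, a content check so a script renamed to .jpg or .gif is refused, and a backup routine that never takes its file extension from the request. The names, the .mdb backup extension and the script marker strings are assumptions for this example.

```python
import os
import re

# Allowlist of extensions the handler will store; anything else, including
# .asa, .cer and .asp, is refused. (Constructed for this example.)
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}

# Leading bytes each allowed image type must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Markers of ASP script content; an "image" containing these is a script
# renamed to .jpg/.gif, the case a later backup/rename step would turn back
# into .asp. (Assumed marker set for this example.)
SCRIPT_MARKERS = (b"<%", b"<script")


def validate_upload(filename: str, head: bytes) -> tuple:
    """Return (accepted, reason). `head` is the start of the file body."""
    base = os.path.basename(filename)        # ignore any directory part
    root, ext = os.path.splitext(base)
    ext = ext.lower()                        # .ASA and .asa are the same type
    if not root or ext not in ALLOWED_EXT:
        return False, "extension %s not in allowlist" % (ext or "(none)")
    if any(m in head[:512].lower() for m in SCRIPT_MARKERS):
        return False, "script markers found in file body"
    if not head.startswith(MAGIC[ext]):
        return False, "body does not start with %s magic bytes" % ext
    return True, "ok"


def safe_backup_name(requested: str) -> str:
    """Backup feature: the request may pick a base name, never the extension,
    so 'shell.asp' or 'x.jpg' always becomes <name>.mdb (assumed extension)."""
    root, _ = os.path.splitext(os.path.basename(requested))
    root = re.sub(r"[^A-Za-z0-9_-]", "", root) or "backup"
    return root + ".mdb"
```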
2. Injection vulnerabilities
Among the many attacks against script systems, injection is the most popular. Currently SQL injection is mainly caused by incomplete filtering of special characters when the programmer writes the script that handles accounts.
For example, take a website URL such as http://www.xxx.com/asp?id=1, which ends in the form id=<number>. We append and 1=1 and then and 1=2 to the URL. If the page displays normally with and 1=1 and returns an error with and 1=2, an injection vulnerability exists.
Once a website has an injection vulnerability, how do we use it? First, you can use a tool, for example the Ming Xiaozi or Ah D injection tool, to guess important information such as accounts and passwords. If it is an SQL database and the MD5-encrypted password cannot be decrypted, run the following:
http://<inject URL>;update admin SET Password='new MD5 password' where Password='old MD5 password'--
(admin is the table name.) This changes the administrator password.
3. Cookie spoofing
What is a cookie? A cookie is information that the website sends to your browser when you visit it and that is recorded there, such as IP address, name and password.
How is it spoofed? If we already know the administrator's username (or ID) and MD5 password of a site, but the password cannot be cracked (the MD5 value is the 16-character encrypted form), we can use cookie spoofing: change our ID in the cookie to the administrator's and change the MD5 password in the cookie accordingly. The system then decides that you are the administrator.
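As an added example (not code from the article), a Python sketch of the server-side fix for the scheme just described: instead of trusting an ID and password hash stored in the cookie, the server issues the cookie with an HMAC over its fields and rejects any cookie whose tag does not verify, so editing the ID to the administrator's is detected. The key, the simplified id|role cookie layout and the user IDs are constructed assumptions.

```python
import hmac
import hashlib

# Server-side secret; an assumption for this example, never sent to clients.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def legacy_is_admin(cookie: str) -> bool:
    """The trusting scheme the article describes: the cookie itself says who
    you are ('<id>|<role>') and the server believes it. (Constructed.)"""
    user_id, role = cookie.split("|")
    return role == "admin"


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user_id: str, role: str) -> str:
    """Cookie layout: '<id>|<role>|<hex HMAC-SHA256 over id|role>'."""
    payload = "%s|%s" % (user_id, role)
    return payload + "|" + _tag(payload)


def parse_cookie(cookie: str):
    """Return (user_id, role) only if the tag verifies, otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, role, tag = parts
    # constant-time compare so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, _tag("%s|%s" % (user_id, role))):
        return None
    return user_id, role


def signed_is_admin(cookie: str) -> bool:
    parsed = parse_cookie(cookie)
    return parsed is not None and parsed[1] == "admin"
```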
4. Side note (attacking through a neighbouring site)
If your target website is hard to break into, we intrude into another website on the same virtual host. With system permissions obtained there, you can control your target website. Many websites are stored on the same virtual host, perhaps hundreds on one machine; intrude into one of them and you control all of them. It's that easy!
5. Brute-force database (database path disclosure)
In general, to obtain a website's shell you must first obtain background management permissions on the target, and for that you must of course first obtain the target's administrator username and password! There are many ways to obtain the administrator password; one is to download the database and crack the MD5-encrypted information to obtain the administrator account. However, a website's database is not there for you to download at will. So how can we find the database address? The simplest way is the brute-force database: an error message returned by the server exposes the database address. Whether this counts as a vulnerability I don't know, but in any case exposing the system database is dangerous!
Method of the brute-force database: for example, if a website's address is http://www.xxx.com/xxx.asp?id=1&id=2, replacing the / between com and dispbbs with %5c can directly expose the absolute path of the database, which can then be downloaded with a tool such as Thunder. You can also use the default database path: append conn.asp to http://www.xxx.com/; if the default has not been modified you can obtain the database path this way as well (note: the / here must also be replaced with %5c). The purpose of the brute-force database is to download the database, obtain the administrator account, and then upload a trojan script.
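As an added example (not the article's own code) covering both the injection section and this brute-force database section, a Python scan over constructed IIS-style log lines that flags the and 1=1 / and 1=2 probe pair from one client, an injected UPDATE of the admin table, and a %5c in the request path used to provoke the error message that leaks the database path. The log layout, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in a simplified IIS-style layout:
# time client-ip method uri-stem uri-query status
LOG_LINES = """\
10:00:01 203.0.113.5 GET /show.asp id=1 200
10:00:02 203.0.113.5 GET /show.asp id=1+and+1%3D1 200
10:00:03 203.0.113.5 GET /show.asp id=1+and+1%3D2 500
10:00:04 203.0.113.5 GET /show.asp id=1;update+admin+set+password%3D'x'+where+password%3D'y'-- 200
10:00:05 198.51.100.7 GET /bbs%5cdispbbs.asp id=2 500
10:00:06 192.0.2.9 GET /show.asp id=7 200
"""

# "and 1=1" / "and 1=2" tautology probes and an injected UPDATE ... SET
TAUTOLOGY = re.compile(r"\band\s+1\s*=\s*([12])\b", re.I)
INJECT_UPDATE = re.compile(r"\bupdate\s+\w+\s+set\b", re.I)


def scan(log_text: str) -> dict:
    """Return {client_ip: [finding, ...]}; clients with no finding are absent."""
    findings = defaultdict(list)
    probes = defaultdict(set)      # ip -> which of 1=1 / 1=2 has been seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        t, ip, _method, stem, query, status = parts
        q = unquote_plus(query)    # %3D -> '=', '+' -> ' '
        # %5c in the path (checked raw, before decoding): the backslash trick
        # that makes the server error out with the database's absolute path
        if "%5c" in stem.lower():
            findings[ip].append("%s %%5c in path %s (status %s)" % (t, stem, status))
        if INJECT_UPDATE.search(q):
            findings[ip].append("%s injected UPDATE in query" % t)
        m = TAUTOLOGY.search(q)
        if m:
            probes[ip].add(m.group(1))
            if probes[ip] == {"1", "2"}:   # both halves of the probe seen
                findings[ip].append("%s and 1=1 / and 1=2 probe pair" % t)
                probes[ip].clear()
    return dict(findings)
```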
6. Default vulnerabilities
A single website system may be used by thousands of websites, and each website system of course has its original default installation path, account and password. We search in large batches among millions of websites using that system for sites that have not changed the defaults: the management account, the background login address and the database storage address, and then intrude!
--------------------------------------------------
Everything introduced above is fundamentals. So-called intrusion is just the use of these common small vulnerabilities; there is nothing earth-shattering about it. No hacker intrudes into a website or server without basic principles and methods.
So how do we intrude? We know a great deal. We are more eager than administrators to know where the server is secure and where it can be used. We are more interested than administrators in the latest system vulnerabilities. We are more diligent than administrators in searching for system vulnerabilities. In fact, as long as we learn and practise this basic knowledge, so-called intrusion is actually very simple.
So I hope you will not become self-righteous after learning it. These are only small vulnerabilities, nothing more than administrators' negligence; what does that prove? In fact we do not know much. Even the computer was invented by Edison Aiken in the United States. When we read English code it looks like gibberish to us, while Americans understand the meaning of the code just like reading a novel.
A question: is this the gap between heaven and earth? Perhaps it is entirely a difference in mindset.
--------------------------------------------------
III. Vulnerability Exploitation
How do we intrude into a specified target? The method is very simple: find vulnerabilities. As long as these vulnerabilities exist, we launch an attack. This section describes what we do when exploiting these vulnerabilities!
1. Upload vulnerabilities
Upload vulnerabilities are easy to use: through the upload vulnerability, directly upload our script trojan to obtain the webshell, then control the target website.
2. Injection vulnerabilities
Injection vulnerabilities come in two different types: Access database and MSSQL database. With the former, you can directly guess the administrator account and password, then log on to the background, find the upload point, upload the script trojan from it, and control the target website. With MSSQL, you can also guess the root directory where the website is stored on the server, use differential backup to back up a one-sentence trojan, and then upload the script trojan through a trojan client to control the target website.
3. Cookie spoofing
After obtaining the MD5-encrypted password of the target website's administrator, we cannot decrypt the MD5 password in a short time. What should we do? We directly modify the cookie-related information, that is, put the administrator's account, ID and MD5 password in the corresponding positions. In this way the system considers us an administrator, so we have administrator privileges. At that point we log on to the background, find the upload point, upload the script trojan, and control the target website.
4. Side note
This one is very interesting. Simply put, a website's server is stored in a special place, not operated by a private individual but managed by an enterprise. Of course an enterprise does not manage only one website, so a virtual host may have hundreds of websites stored on it. So, can we control those hundred websites by intruding into this virtual host? Simple: regardless of which of the hundred websites we intrude into, as long as we reach the goal of intruding into and controlling the website server, we have achieved the goal of controlling all one hundred websites on it.
5. Brute-force database
Why do we use the brute-force database vulnerability? As the name suggests, to expose the database address of the target. Everyone will laugh here; I understand. Once the database address is exposed, of course the next step is to download the database, then obtain the administrator account from it, log on to the background with the administrator account, find the upload point, and upload the script trojan. And then? Of course, to completely control the target website's server.
6. Default vulnerabilities
Default vulnerabilities are laughable, low-level errors, but they are widespread on the network. How do we use them? Use the default database to obtain the management account and intrude, or use the default administrator account to log on to the background and intrude. It's that simple.