This article describes a security check of the server that hosts a software product. A single detail decides whether a system can be penetrated. After successful penetration ..
I. Reason for the security check
A friend needed to purchase a school OA system and searched online for products. He found a company dedicated to providing such systems and sent me the company's address, asking me to take a look and evaluate how the system works. If it was acceptable, a set could be customized.
Opening the address "http://www.I****.net/products/case.asp" in a browser shows, as in Figure 1, that the company offers many website products.
Figure 1: The company's software products
II. Complete formal detection
1. Information Collection
For this penetration I switched to a different website for querying domain names and related information, http://www.ip866.com. In "IP/Domain Name", enter the company's domain name address "I ****." and then click "query details" to view information about the domain name, as shown in Figure 2. The IP address of the company's official website is "218.16.*.*".
Figure 2: The server IP address of the company's official website
2. Get bound Domain Name Information
On the IP866.com website, click "reverse query domain name" and then "Click here to reverse query all relevant domain names" to obtain the other domain names bound to the server, as shown in Figure 3.
Figure 3: Reverse query of domain name information
3. View website information
In the reverse lookup domain name list, click a website name to open the selected website. One website in the reverse lookup results turned out to have been listed as a Non-list, as shown in Figure 4. I learned through the Firefox security plug-in that the website has been attacked and may be infected with Trojans.
Figure 4: Website security information obtained through the Firefox security plug-in
4. Obtain port opening information
Use sfind to scan the obtained IP address. According to the scan results, ports 21, 80, 1433, and 3389 are open on the server, as shown in Figure 5. Judging from this information, the server's security is not especially strict. A strictly secured server exposes very few ports to the outside, and some open only port 80.
Figure 5: Open ports
5. Weak Password Scanning
During security detection, you can check the programs or look for weak passwords first. Because ports 3389 and 1433 are visible, first scan the FTP and MSSQL passwords and then perform security checks on the website. After the FTP and MSSQL passwords were scanned, a weak password was found on the server: the username is ftp and the password is blank.
6. Use CuteFTP to log on
Create a new site: enter an ID in "Label", enter the server IP address in "Host address" and the obtained user name ftp, leave the password blank, and select "Anonymous" as the login method to log on anonymously.
Figure 6: Configuring the FTP software
After the connection succeeds, as shown in Figure 7, some ASP files can be viewed in CuteFTP, and conn.asp, config.asp and index.asp can be seen in the FTP root directory.
Figure 7: Downloading the files found in the FTP server directory
7. View the code file
Use the UE editor to view the downloaded conn.asp file, as shown in Figure 8. The database is MSSQL. Some of the key code is analyzed below:
Const SystemDatabaseType = "SQL"
Const DBFileName = "databaseRCSchool.mdb"
Const SqlUsername = "sa"
Const SqlPassword = "sh ******"
Const SqlDatabaseName = "RCSchool"
Const SqlHostIP = "(local)"

SystemDatabaseType = "SQL" indicates that the system uses Mysql DATA
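The conn.asp constants quoted above put the sa login and its password in a file that the anonymous FTP account could download. The following audit script is an added example, not part of the original article: it parses such Const declarations and flags those credential problems. The sample input is constructed from the quoted constants with a placeholder password, and the function names are hypothetical.

```python
import re

# Matches VBScript declarations of the form: Const Name = "value".
# Lines commented out with a leading apostrophe do not match.
CONST_RE = re.compile(r'^\s*Const\s+(\w+)\s*=\s*"([^"]*)"',
                      re.IGNORECASE | re.MULTILINE)

# Constructed sample modelled on the conn.asp constants quoted in the article;
# the password is a placeholder, not a real value.
SAMPLE_CONN_ASP = '''
Const SystemDatabaseType = "SQL"
Const DBFileName = "databaseRCSchool.mdb"
Const SqlUsername = "sa"
Const SqlPassword = "PLACEHOLDER-PASSWORD"
Const SqlDatabaseName = "RCSchool"
Const SqlHostIP = "(local)"
'''

def parse_consts(source):
    """Return {lowercased constant name: value} for each Const string declaration."""
    return {name.lower(): value for name, value in CONST_RE.findall(source)}

def audit_conn_file(source):
    """Return a list of credential-hygiene findings for an ASP config file."""
    consts = parse_consts(source)
    findings = []
    if consts.get("sqlusername", "").lower() == "sa":
        findings.append("application connects as 'sa'; use a least-privilege login")
    if "sqlpassword" in consts:
        if consts["sqlpassword"] == "":
            findings.append("SQL password is blank")
        else:
            findings.append("SQL password is hard-coded; anyone who can read the file obtains it")
    db_file = consts.get("dbfilename", "")
    if db_file.lower().endswith(".mdb"):
        # Assumption: a relative .mdb path may resolve inside the web tree.
        findings.append("Access database '%s' referenced by relative path; "
                        "confirm it cannot be downloaded" % db_file)
    return findings

if __name__ == "__main__":
    for finding in audit_conn_file(SAMPLE_CONN_ASP):
        print("[!]", finding)
```

Run it over every configuration file reachable from an FTP or web root; an empty result only means these three patterns are absent.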