Blog intrusion is too simple four major vulnerabilities intrude into blog

 

Vulnerability 1: database download Vulnerability

Step 1: Search for Attack Targets

Open the search engine and search for "pridentified by Dlog". You can find many blog pages that are created using the "Dlog broken ruins modified version. We are looking for a version 1.2 With a brute-force database vulnerability. Many users ignore the security of the Online Editing database embedded in the eWebEditor in this version, so that hackers can use the default path for download.

Step 2: Obtain the Administrator Password

Select an attack target in the search result list: http: // s * response.

Open the database and view the Administrator's username and password in the "eWebEditor_system" column of the database. Because the passwords are all encrypted by MD5, you can find an MD5 brute force cracking tool for the computer to obtain the password in minutes or days. However, as long as the database can be downloaded, the Administrator may not change the default logon password. If the MD5 password is "7a57a5a743894a0e", the password is the default "admin ". Now, we can go to the online editing page of The eWebEditor background.

Step 3: control the server

Add "eWebEditor/admin_login.asp" to the blog address to open the online editing page of The eWebEditor background. Enter the default username and password "admin" to log on to the background management page of the blog.

Add a new blog style and return to the style management page. Find the style you just added in the style list, and click "set" after the style name to use the new blog style.

Log out of the management page and register and log on to the blog. Then, send a post and Select Upload File. At this time, we can upload an ASP Trojan to control the entire server.

Vulnerability 2: File Upload Vulnerability

Step 1: search for a blog with a vulnerability

After finding any target, you must first test whether the blog administrator has deleted the uploaded webpage program file. If the user has some security awareness, the default uploaded webpage file may be deleted, this will not work.

Select "http://www.88888.net/workingbird" and add"/upfile "to the address. asp "and press Enter. If the prompt message is" Microsoft VBScript runtime error '800a01b6 ', it indicates that the blog website has a file upload vulnerability.

Step 2: launch attacks

Run "website upload utility" and enter upfile in "Submit address. the address of the asp file to be uploaded, and then specify the path to save the uploaded Trojan file in the "Upload path". We generally save it under the root directory of the website. Use the default settings for "path field" and "file field". In "allowed type", enter the image type that the blog system allows to upload. Click "Browse" next to "local files" and select a local ASP Trojan. You can select the top-Ocean Network Trojan.

Click "Submit" to upload the trojan. If the message "1 file had been uploaded!" is displayed !", Indicates that the file is uploaded successfully. Next, we can connect to the uploaded ASP trojan for further penetration attacks to control the entire website server.

Vulnerability 3: SQL Injection Vulnerability

Step 1: scan for injection vulnerabilities in the blog

Use the blog "http: // 202. 112. *. ***/dlog/" as the target. You can use tools such as NBSI 2 SQL automatic injection attacker to perform SQL injection. Run the program, click "website scan" in the toolbar, enter the blog website in "website address", select "Full scan", and click "scan, you can scan all injection vulnerabilities on a blog website.

Step 2: start the attack

Select any target "http: // 202. 112. *. ***/dlog/showlog. asp?" In the scan result list? Log_id = 402, and then click "Injection Analysis" at the bottom of the interface to go to the "Injection Attack" page. Click the "detect" button and the result shows "likes are detected as injection vulnerabilities "!

It doesn't matter. We use 1 = 1. Add "and 1 = 1" and "and 2 = 2" at the end of the address bar of the injection browser to view the differences between the two returned pages. And write down the strings that appear on the "and 1 = 1" page but not in "and 2 = 2, enter the "feature string" on the NBSI 2 interface ".

Click "detect Again". The injection detection result will soon be displayed. Because the database is an Access database, the program automatically guesses the table name and column name in the database. Click "automatically guesses" in the window to guess the possible database table names, the default table name is "user_mdb ". Then, you can automatically obtain the column name and other data information in the table. Then, the user data in the table is automatically guessed, and the Administrator's MD5 and secret code are obtained. Finally, use the MD5 password cracking tool to perform brute force cracking. log on to the background management page to successfully intrude into the system.

Vulnerability 4: Cookie Spoofing Vulnerability

Step 1: Search for the target

Search for the keyword "Powered by L-Blog" and select "http: // ***. ******. ***/blog" as the target of the attack.

Step 2: Query cookies

Here we will use a tool that can modify cookies. Open the program, enter the address of the blog website, and log in to view the current cookie information, which includes our login username and password.

Step 3: "spoofing" Attacks

Now we need to modify the cookies and cheat the blog program so that the identity of the login user is administrator. You can modify the cookies directly.

We only modify "menStatus = SupAdmin", retain other content, and then keep the "Lock" in the toolbar as pressed. Now, exit the current user logon status and re-open the blog homepage. At this time, it will show that we have not logged on, but we already have the administrator privilege.

Postscript: a blog is a good battlefield for connecting with the invasion and supply, and reminds the blog to strengthen its security awareness.