Network penetration of a catering Management Service Company Limited

One day, I went to a Western restaurant with a friend. The restaurant staff introduced us to follow their enterprise's Weibo posts and they could participate in their free lottery. After they came back, they went to their official website and checked them, indeed, I used the DZ forum to build a Lucky Draw Grand turntable plug-in. I spent several times using coupons. I don't know how to secure my website because they do a good job on their website. Take a closer look at their website main site does not know what php cms system, Forum is DZ-X2.5

The main site saw no available places for half a day, and there was no available 0-day forums.

Mountains do not turn into water, and cannot be hanged on a tree. Since the website is not available, you may wish to get up and down from the server, perhaps unexpected gains. The website IP address resolved in ip138.com is our city Telecom IP address. It is preliminarily determined that the server is either hosted in the telecom data center, either it is in the data center of your company (according to their website, there are more than 10 branches and independent servers should be used ), directly with the X-SCAN scan IP server opened port 21, 3389, 1433, etc., this drama casually crack an account password will have the opportunity, the fact is cruel, after scanning all my dictionaries, I did not guess. Brute force cracking is not acceptable. Let's look at our social workers. They used their company name and phone number to combine the dictionary, but they still had no final result. The intrusion was deadlocked.

There is no way to go back and forth. There are new ideas. In general, such medium-and high-grade restaurants are provided by free wifi. They can connect to the intranet of their stores through wifi and then explore useful values. The next day, carrying a notebook and calling for a juice, I asked the waiter for a password, I can't wait to connect to wifi. First, I use this Wi-Fi password to log on to ftp, remote terminal, and MSSQL in sequence, and the system prompts that the password is incorrect, which is not surprising to me. Open the X-SAN to scan the network segment, I own a live host, it should be the network segment isolation. The security awareness of management personnel is good. After drinking the juice, I saw the waiter glance at the operating order system, XX catering system, and Baidu. I downloaded a trial version and installed it to see if there were any vulnerabilities available, the restaurant system uses ODBC data sources to connect to the MSSQL database, which means that the database password is stored in the software or configuration file. You can see an SQL script for creating a database. The password, user name, and database name are clearly displayed.

Decisively using the query analyzer to connect to the website IP address, haha character finally broke out, the connection was successful, or the sysadmin permission was hit by the hot tie using xp_mongoshell to execute the net user command, the user was successfully added.

Log on to the Remote Desktop 2008 System

I saw a UT-VPN management server on the desktop, Baidu it turned out to be an open source
Vpn tool, download a local installation on the customer service end, each branch must communicate with each other through it, if you can get the VPN account password is more conducive to penetration testing, open the Software Directory, see a VPN-SERVER configuration file.

Like these open-source software, the user name and password are stored in the configuration file, and the user name and password are searched for in the file. I don't know how the password is encrypted.

Modify the configuration file in the local vpn-client and change the password field to the encrypted string above. Save and connect to the VPN successfully.

I scanned the VPN CIDR block with a X-SCAN, and scanned a machine (192.168.30.3) with 80, 1433, 3389

Enter 192.168.30.3 in IE

Originally, the remote access system was released by Citrix. The user name is directly referred to in their company's short name, And the password 1234 is used to log on to their internal management system.

Log on to the system using admin.

Clear the newly added users and logs on the server, and close the job. You have time to study them again. To sum up, pay attention to the details of your life and you may have unexpected gains.