Friendship intrusion detection Chinese Anonymous

Source: Internet
Author: User
Tags: nslookup

At first I was only looking around.

This site did not look like one where I could reach the server in five minutes. I estimated it would take some effort, and I had no tools at hand beyond IE and cmd, so I poked around a little and left it at that. Fine, I admit I had bad intentions, but it did not seem worth it: why spend half a day on him?

Unfortunately I have not had anywhere to practise for a while... so, back to it.
Is this site really that hard? No leads at all? Well, since it is that hard, I will give it three days. How many days could it take? This site is not going to embarrass me that badly, is it?

Step 1: Footprinting

At the start I was not planning on domain hijacking at all; I just wanted to feel out the environment and see which approach fit the site.
From the web I could see the site's absolute path, D:\phpnow\... if I remember correctly (I probably don't)... forgotten. The CMS is Discuz X2, and an absolute path by itself did not look very useful.
CMS 0-days, weak passwords, bypasses, the C-class neighbourhood... is there anything else? Sorry, I am not that knowledgeable and could not think of much more at the time. Oh, one more family: brute-forcing 3389 (RDP), FTP, MySQL/MSSQL... there are plenty of brute-force and weak-password approaches.

I also saw posts listing the other sites in the same CIDR block and on the same IP segment... all US sites? Strange.
Then I checked the IP on a reverse-IP lookup site: zero results??? I did not yet understand why no other site shared this IP, so I looked at the HTTP headers.
I grabbed a copy of nc, the Swiss army knife, for the moment.
The Server header is cloudflare-nginx: nginx, with Cloudflare in front as a reverse proxy. That explains why no other site shares the IP, and why someone in a post said that going through the server is a non-starter.
So the C-class neighbourhood is useless, web-script attacks against this CMS look inefficient, and going straight at the server is not promising.
A trace (traceroute) might find the real IP, but it did not seem worth the effort. Let's try the domain name instead.
Find a Linux webshell on an edu.cn host and run the following on it:

dig www.nmzhe.com

On Windows the equivalent command is nslookup; personally I find it less convenient than dig. dig followed by a domain name is only the simplest usage; dig has many options, and of course so does nslookup.
A Windows build of dig can be downloaded here: http://bbs.blackbap.org/forum.php?mod=attachment&aid=NjIyfGI3OTMzYTU3fDEzMzEwNzExMTR8Mnw5ODc%3D
As I said, all I had was IE and cmd and I had not downloaded dig, so I used a Linux webshell instead. The other point is that I am not going to explain dig usage on Windows here; Google or Baidu will.

The dig output was as follows:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.nmzhe.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nmzhe.net.                 IN      A

;; AUTHORITY SECTION:
net.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1330945176 1800 900 604800 86400

;; Query time: 995 msec
;; SERVER: 202.194.15.12#53(202.194.15.12)
;; WHEN: Mon Mar  5 18:59:20 2012
;; MSG SIZE  rcvd: 104
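The following Python script is an added example, not code from the write-up: it parses dig's text output the way one would when collecting many lookups through a webshell, and reports whether the queried name exists and what it resolves to. The first embedded sample is constructed to match the NXDOMAIN response above; the second is a made-up NOERROR answer using RFC 5737 documentation addresses (www.example.com, 192.0.2.10, 198.51.100.7). The resolution_changed helper is the check a domain owner would run against a recorded baseline to catch an unauthorised record change of the kind this write-up later performs.

```python
"""Parse BIND-style `dig` output and say whether a name resolves, and to what.

Added example; not code from the original write-up. Standard library only,
runs offline on the constructed samples below.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: the NXDOMAIN response the write-up got from its webshell.
DIG_NXDOMAIN = """\
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.nmzhe.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nmzhe.net.                 IN      A

;; AUTHORITY SECTION:
net.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1330945176 1800 900 604800 86400

;; Query time: 995 msec
;; SERVER: 202.194.15.12#53(202.194.15.12)
;; WHEN: Mon Mar  5 18:59:20 2012
;; MSG SIZE  rcvd: 104
"""

# Constructed sample: a hypothetical successful lookup (RFC 5737 addresses).
DIG_NOERROR = """\
; <<>> DiG 9.3.6 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        300     IN      A       192.0.2.10
www.example.com.        300     IN      A       198.51.100.7
"""

RR = Tuple[str, int, str, str]  # (owner name, TTL, record type, rdata)


@dataclass
class DigResult:
    status: Optional[str] = None                 # NOERROR, NXDOMAIN, SERVFAIL, ...
    flags: List[str] = field(default_factory=list)
    question: Optional[Tuple[str, str]] = None   # (name, type)
    answers: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    server: Optional[str] = None


STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;;\s*flags:\s*([a-z ]*);")
SECTION_RE = re.compile(r"^;;\s*(QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
SERVER_RE = re.compile(r"^;;\s*SERVER:\s*(\S+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text: str) -> DigResult:
    """Walk the output line by line, tracking which section we are in."""
    res = DigResult()
    sections = {"ANSWER": res.answers, "AUTHORITY": res.authority, "ADDITIONAL": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;"):           # header, flags, section markers, footer
            m = STATUS_RE.search(line)
            if m:
                res.status = m.group(1)
            m = FLAGS_RE.match(line)
            if m:
                res.flags = m.group(1).split()
            m = SERVER_RE.match(line)
            if m:
                res.server = m.group(1)
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1)
            continue
        if line.startswith(";"):            # banner line or the question itself
            if current == "QUESTION":
                parts = line[1:].split()
                if len(parts) >= 3:
                    res.question = (parts[0], parts[-1])
            continue
        if current in sections:             # resource records
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                sections[current].append((name, int(ttl), rtype, rdata.strip()))
    return res


def addresses(res: DigResult) -> Set[str]:
    """A/AAAA records from the ANSWER section; empty for NXDOMAIN or no-data replies."""
    return {rdata for _, _, rtype, rdata in res.answers if rtype in ("A", "AAAA")}


def describe(res: DigResult) -> str:
    """One-line verdict of the kind a tester wants from recon output."""
    name = res.question[0] if res.question else "?"
    if res.status == "NXDOMAIN":
        zone = res.authority[0][0] if res.authority else "unknown zone"
        return f"{name} does not exist (NXDOMAIN, authority from {zone}); check the spelling/TLD"
    if res.status != "NOERROR":
        return f"{name}: lookup failed with {res.status}"
    addrs = addresses(res)
    if not addrs:
        return f"{name} exists but has no address records"
    return f"{name} resolves to {', '.join(sorted(addrs))}"


def resolution_changed(expected: Set[str], res: DigResult) -> bool:
    """True when the answer differs from a recorded baseline of addresses."""
    return addresses(res) != set(expected)


if __name__ == "__main__":
    for sample in (DIG_NXDOMAIN, DIG_NOERROR):
        print(describe(parse_dig(sample)))
```

Run it directly to print the verdict for both samples; on live data, capture the output of dig and hand it to parse_dig. Note what the first sample shows: the query was for www.nmzhe.net, and a response with an empty ANSWER section and only the net. zone's SOA in AUTHORITY means that name simply does not exist.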
So this did not reveal the registrar. Who is the domain name service provider?
(Note that the output above is for www.nmzhe.net, not www.nmzhe.com: status NXDOMAIN, an empty ANSWER section and only the SOA of the net. zone in AUTHORITY mean the queried name does not exist, so this response says nothing about nmzhe.com's name servers or registrar.)
Hijack a domain at a service provider I don't even know? Hijack the root servers? I'm not at that level.

What about a whois lookup? If that turns up nothing, I'm out of ideas. The whois record is at:
http://www.whois.net/whois/nmzhe.com
The billing contact turned out to be this person (I changed his whois information for him later):

Billing Contact:
    Xuanyu
    Xuan yu ()
    Shen zhen shi fu tian qu
    Shenzhen
    Guangdong, 518000
    CN
    Tel. +86.075561652929
    Fax. +86.00000000

And the registrant:

Registrant:
    Xuan yu
    Xuan yu ()
    Shen zhen shi fu tian qu
    Shenzhen
    Guangdong, 518000
    CN
    Tel. +086.075561652929
    Fax. +086.00000000


The usual routine for a domain: the registrant record has an email address; search for it to find which other sites he has registered on, break into one of those, dump the database, crack his password, social engineering, and so on.
I searched the two QQ numbers and found many sites he had registered on. The record header also contained:

Registration Service Provided By: SHANGHAI YOVOLE NETWORKS INC

A Shanghai company; www.sundns.com should be the homepage of the service it provides. I first tried logging in at the provider with the two QQ mailboxes, and neither of them was a valid login.
In other words, if the registrant's login email is not one of the known addresses, this route is dead: the login name is unknown.
However.
The main site had no obvious vulnerability (a few minor bugs were useless, not worth mentioning), so I tried the other sites on the same server.
There were indeed several, mostly not enterprise mail portals but assorted admin login pages, all of them unusable. One ran DedeCMS 5.6 GBK, but the known vulnerability had apparently been patched.
This was getting complicated.
To summarise progress so far:
Server intrusion: behind a proxy, no real IP, and the real IP may never be found.

The password was wuerjuan.
This sub-site's backend is also under the /admin/ directory. Its management panel is slightly different from the individual user's panel and seems entirely separate.
Unfortunately this only gave sub-site privileges, not master-site privileges: the sub-site admin is just an "ordinary member" on the master site. To manage the master site you have to log in to the master site's backend.

If the company has administrators like this, it is a large company with privileges spread across many people... which made my head spin.
Going through the backend logs showed that the site divides users into "ordinary registered members", "administrators", "site administrators" and "system administrators".
A site administrator can only manage one site, and an administrator can see the site administrators in the backend. I could not get a system administrator account, but that role should be powerful.

But damn, I went through twenty thousand pages of backend security logs and never once saw a "system administrator" log in; the admin login records were all "ordinary registered member".
So now I was in the main site's backend, with spectator privileges...

nmzhe.com is indeed a hosting reseller, but why was it registered through a technology company? A private arrangement? An agent account?
It had been opened by a Chengdu technology company: more than fourteen thousand domain names under it, with an account balance of over 700,000 yuan.

That is real money, and touching it would be a crime; just look.

Using the administrator account, bypass the password check, log in to the domain agent account, and change the domain management password; that is all it takes.

With the domain management password in hand, changing the domain's DNS records is just as easy, isn't it?

After changing the records I waited about an hour and confirmed with ping. (How long the old answer lingers in resolvers is governed by the TTL of the cached records, not by the registrar.)

On the server the domain now resolves to, configure Apache as follows:

# Three names, one document root (a single block with ServerAlias would do the same)
<VirtualHost *:80>
    ServerName nmzhe.com
    DocumentRoot "C:/xampp/htdocs/hide/"
    DirectoryIndex index.php index.aspx
</VirtualHost>
<VirtualHost *:80>
    ServerName www.nmzhe.com
    DocumentRoot "C:/xampp/htdocs/hide/"
    DirectoryIndex index.php index.aspx
</VirtualHost>
<VirtualHost *:80>
    ServerName bbs.nmzhe.com
    DocumentRoot "C:/xampp/htdocs/hide/"
    DirectoryIndex index.php index.aspx
</VirtualHost>

Then create .htaccess in hide with the following content. (AddType is a mod_mime directive, so the guard names mod_mime.c; the original wrapped it in mod_setenvif.c, under which the block would be silently skipped on a server without that module. The directory also needs AllowOverride FileInfo or All for AddType in .htaccess to take effect.)

<IfModule mod_mime.c>
    # Serve .aspx through the PHP handler as well as .php
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php .aspx
</IfModule>

Then rename the PHP version of the Chrysanthemum chat room to index.aspx and, ha, you have an "ASPX" version of the PHP Chrysanthemum chat room.
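As an added example (not part of the write-up and not the author's code), here is the check a defender would run over .htaccess or httpd.conf files to catch exactly this trick: directives that route extensions other than the usual PHP ones to the PHP handler. The sample configuration embedded in it is constructed; it contains the page's .aspx mapping plus two common variants, a SetHandler inside <FilesMatch> that should be flagged and a legitimate php-fpm proxy handler on .php that should not. The handler-name patterns and the "normal PHP extensions" list are heuristics of mine.

```python
"""Flag Apache directives that make non-PHP file extensions execute as PHP.

Added example, not code from the write-up. Scans configuration text for
AddType/AddHandler lines and SetHandler-inside-<Files*> blocks that hand
anything other than the usual PHP extensions to a PHP handler.
"""
import re
from typing import List, Optional, Tuple

# Extensions one expects PHP to handle; anything else mapped to PHP is suspicious.
NORMAL_PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps"}

# Heuristic: handler/MIME names that hand the request to PHP (mod_php,
# php-cgi/fcgid script handlers, or a php-fpm proxy handler).
PHP_HANDLER_RE = re.compile(r"x-httpd-php|^php\d*-script$|^proxy:(fcgi|unix)", re.IGNORECASE)

ADD_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)
SET_RE = re.compile(r'^\s*SetHandler\s+"?([^"\s]+)"?', re.IGNORECASE)
OPEN_RE = re.compile(r'^\s*<(FilesMatch|Files)\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</(FilesMatch|Files)\s*>", re.IGNORECASE)

# (line number, directive, extension or <Files*> pattern, handler)
Finding = Tuple[int, str, str, str]

# Constructed sample .htaccess: the page's trick plus two common variants.
SAMPLE_HTACCESS = """\
# constructed sample, not a real site's file
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php .aspx
</IfModule>
AddHandler application/x-httpd-php .phtml
<FilesMatch "\\.(jpg|png)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\\.php$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
</FilesMatch>
"""


def _pattern_is_php_only(pattern: str) -> bool:
    """Heuristic: every alphanumeric token in the <Files*> pattern is a normal PHP extension."""
    tokens = set(re.findall(r"[a-z0-9]+", pattern.lower()))
    return bool(tokens) and all("." + t in NORMAL_PHP_EXTS for t in tokens)


def find_php_masquerade(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    scope: Optional[Tuple[int, str]] = None   # enclosing <Files*> block, if any
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = OPEN_RE.match(line)
        if m:
            scope = (lineno, m.group(2))
            continue
        if CLOSE_RE.match(line):
            scope = None
            continue
        m = ADD_RE.match(line)
        if m:
            directive, handler, exts = m.groups()
            if PHP_HANDLER_RE.search(handler):
                for ext in exts.split():
                    ext = ext if ext.startswith(".") else "." + ext
                    if ext.lower() not in NORMAL_PHP_EXTS:
                        findings.append((lineno, directive, ext, handler))
            continue
        m = SET_RE.match(line)
        if m and scope and PHP_HANDLER_RE.search(m.group(1)):
            # SetHandler to PHP inside a <Files*> block: fine for *.php, suspicious otherwise.
            if not _pattern_is_php_only(scope[1]):
                findings.append((lineno, "SetHandler", scope[1], m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, directive, target, handler in find_php_masquerade(SAMPLE_HTACCESS):
        print(f"line {lineno}: {directive} routes {target!r} to {handler}")
```

Point it at every .htaccess under the web root (and the main httpd.conf); any hit on an extension like .aspx, .jpg or .txt is worth a look at the files that carry that extension in the same directory.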

Author: http://gov.com.im
