Author: radish head
Copyright: 3EST Information Security Team (www.3est.com)
Target main site: www.huangshengyi.com
First of all, let's use the most basic method. The methods for ASP sites come down to the same few types, and the thinking is what matters most. Let's look for injection points using the browser. After going through the site, I found no injection point.
If no vulnerability is detected, you can use JSKY to scan it.
Since there are no injection points, let's scan the directories to see whether fckeditor, ewebeditor or another editor is present, or whether there are any upload or other vulnerabilities. For this, I bring out WWWSCAN.
All right, the directory scan is done. Haha, the server is IIS 6.0. You may laugh when you see the result: the database is in it. A shell is waving at us. I downloaded the database and looked up the administrator account and password. Both are now known.
Now let's look for the admin back end, but WWWSCAN did not find a back-end directory or anything like an admin directory. Let's take a look around...
I still cannot find the back end, which is a bit depressing at this point. Don't worry. Looking at the website structure, there is a forum, and to me it looks a bit like DVBBS. To verify the guess, let's go to the registration page.
This registration interface will look familiar: it is DVBBS 8.0-8.2. DVBBS 8.0-8.2 has an IIS parsing vulnerability; search Baidu for the details. To save time, I registered. Let's test the vulnerability directly. The toolbar does not seem to have "my homepage", but that does not stop us. Although there is no "my homepage", we can go directly to the personal space management page: URL + userspace.asp?sid=0&act=modifyset, then Edit CSS style, then File management. The vulnerability has been blocked.
This road is a dead end. At this point we can look at the URL and see that the directory is eva_bbs. We downloaded the database just now but did not find the back end, so could the back-end address be eva_admin?
Let's take a look. The back end is indeed there. We try the username and password from the database we just downloaded. --! It seems that the database is fake. This road does not work either. At this point we can guess the forum's database address, get the administrator password and try it in the forum back end: Login Failed!!
I tried guessing for a while and did not get it. Since guessing did not work, let's look at the administrator's ID. Here we must look carefully; this is the key to success. --! PS: the administrator has made a post. The administrator's ID is: Pearl has tears. Try a weak password, or look for information about the administrator online. For reasons of time I will not demonstrate this. In the end, I still failed.
It's really lascivious, so I sent a sticker to wipe it ....
The main site is fruitless! So let's take a look around!!
Check how many websites are on the server and look for a weak one. Well, there are 6 websites and a forum. Check the forum first: it's DVBBS 8.3. I have not found any vulnerability information about DVBBS 8.3.
I don't know where to start. The forum is not very popular either. Let's open a few sections and look around the site.
Suddenly I saw an ID: Pearl with tears
Isn't this the administrator ID of the target website forum? Why is there ....
If we get the password for this ID from the database and try it on the target website, will it succeed? Where there is a chance, we give it a try. How do we get the password? We download the database. The default database address for DVBBS 8.3 is /data/dvbbs83.mdb.
We are in luck: the default address of this database has not been changed. Download it and take a look; I downloaded it beforehand. We have found this ID, Pearl with tears, and cracked the password!
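Seen from the defender's side, the directory scan and the download of the forum database from its default path both leave traces in the IIS log. The sketch below is an added example, not part of the original post: it reads a W3C extended log and reports database files served with status 200 and clients producing many 404s. The log lines, the extension list and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the target's logs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-01-01 10:00:01 203.0.113.5 GET /admin/ 404
2009-01-01 10:00:01 203.0.113.5 GET /manage/ 404
2009-01-01 10:00:02 203.0.113.5 GET /fckeditor/ 404
2009-01-01 10:00:02 203.0.113.5 GET /ewebeditor/ 404
2009-01-01 10:00:03 203.0.113.5 GET /data/dvbbs83.mdb 200
2009-01-01 10:05:00 198.51.100.7 GET /index.asp 200
2009-01-01 10:05:09 198.51.100.7 GET /favicon.ico 404
"""

DB_EXTENSIONS = (".mdb", ".bak", ".sql")  # assumed list of files that should never be served
SCAN_404_THRESHOLD = 4                    # assumed threshold; tune per site


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def analyse(text):
    """Return (database files served with 200, client IPs with many 404s)."""
    downloads, not_found = [], Counter()
    for row in parse_w3c(text):
        path = row["cs-uri-stem"].lower()
        status = row["sc-status"]
        if status == "200" and path.endswith(DB_EXTENSIONS):
            downloads.append((row["c-ip"], row["cs-uri-stem"]))
        elif status == "404":
            not_found[row["c-ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= SCAN_404_THRESHOLD)
    return downloads, scanners


if __name__ == "__main__":
    downloads, scanners = analyse(SAMPLE_LOG)
    for ip, path in downloads:
        print(f"database file served to {ip}: {path}")
    for ip in scanners:
        print(f"probable directory scan from {ip}")
```

Any hit in the first list means a database file sits inside the web root and is served as a static file; moving it out of the web root or denying the extension in IIS removes the exposure regardless of its file name.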
Log on to the target forum and try it... haha, the logon works. It seems that the target site's administrator uses this password, so let's log on to the back end.
Ugh, the back-end password is different. All we have is the front-end password. We try this user's password on the target website's back end, /eva_admin/admin_login.asp. Unfortunately, the password is incorrect.
What should we do now? Didn't we just get the database of another forum? Let's try that forum.
Crack the front-end and back-end passwords and log on to the forum directly. The back end of the DVBBS 8.3 forum is restricted, and for now I have not found a way to get a shell. I would be very grateful for any guidance.
It seems that this road is also dead... but something still feels off. Yes, it's the database. I found that this forum administrator's logon password is the same as the target forum administrator's. Let's look back at the database... now we find many IDs with the same password. Looking further along, we find the registration IP address and the logon IP address. Many accounts share the same IP addresses, or switch back and forth between them. Ah, do you understand now? If not, keep looking with me ---
We found that this ID has the same registration and logon IP addresses as the 8.3 forum administrator. The password is the same too.
We can conclude that the administrator is the same person. So I sorted out several IP addresses commonly used by the forum administrators, together with their passwords, and obtained some passwords the administrators frequently use.