Author: aweige. Source: Red Army of Chinese Hackers
My friend built a game-equipment trading website and asked me to test whether the server or the program itself has vulnerabilities, because both the server and the program were provided by a network company in Shanghai. My friend also proudly told me that this is the fourth-largest network company in Shanghai, that they have done a good job in every respect, and that he spent more than 30 thousand RMB on it (I'm sweating...... I have built so many websites for free; it seems my business sense is poor). Okay, enough about that. The article everyone is waiting for......
Since it is a test, of course we need to look at it from the intrusion side. Go to his website and take a good look at the interface. The content includes a member center, a trading center, a card sales center, and so on. Out of habit I added /admin after the home page URL and, dizzy, the administrator login page appeared right away (Figure 1).
Figure 1
http://www.***.com/info_show.asp?Id=10000127, followed by "", returns 2
However, I gave up after guessing that the username and password were not right. I went on through the website and saw that his articles and the pages of the various specialty stores all had parameters in their URLs. Naturally I thought of injection, so I tried them one at a time:
Figure 2
Press OK and the current window closes automatically. Dizzy. It seems a script is used to restrict injection, and many pages are redirected to the same result. Searching with NBSI turns up a lot, but without exception they are marked "possibility (extremely low)", so I temporarily gave up on the injection path and changed direction. Visit his forum to see if there is anything there. The forum is the SP2 SQL version of the dynamic network (Dvbbs) forum.
(A side note here. Many people don't know how to tell whether a dynamic network forum is the Access or the SQL version. In fact it's very easy: go to his forum, register a user and log in, then go to the administrator login page admin_index.asp. The login panel honestly shows the version and the database type, as long as you can read the Chinese characters. Due to space limitations I won't include a screenshot.) Back to the story......
I tried Veteran's automatic add-administrator tool for the SQL version. No luck. Checked the upload page again; it was blank, so no upload there either. Depressing......
After a day of being depressed, I thought of the network company's own website. It had injection vulnerabilities, but the server did not return error pages to the client, so I could only see the error information through information redirection; however, I thought it too difficult to work through manually. Besides, I still wouldn't get high permissions from it: the passwords are MD5-encrypted, and I can't set information redirection when using NBSI, so I gave up on injection. I added /admin after his homepage and, dizzy, the back end came out again, with an interface and file structure basically the same as my friend's. It seems this network company also cheats for money: they took more than 30 thousand and did not write a program for him; they took a ready-made one to fool people. Seeing nothing else to make use of, I gave up (don't throw eggs at me saying I lack the hacker spirit; I'm not a hacker, and this is just a test, so don't be so persistent). Depressing again......
Next, let's look at the common path: the side note (going through a neighbouring site on the same server). Take out Veteran's virtual-host site query tool to view the other virtual hosts on the server. In fact the principle of his tool is very simple: through the winsock control it accesses http://whois.webhosting.info to display the site information, so sometimes, when http://whois.webhosting.info asks for a verification code to be entered, the Veteran tool will "hang" for a few minutes.
There are dozens of domain names on this server. I found a website with the "mobile network" upload vulnerability, and everyone knows what comes next: upload a Trojan. I uploaded the Top of the Ocean ASP Trojan 2004. Everything was as expected. The server restricts the Everyone group's permissions on folders using NTFS security. (After I logged on via 3389 I changed it back to "Full Control".) You cannot access other folders, but it doesn't matter. As long as you have a Trojan in hand, I want to open 3389 for him. Follow me......
Upload my privilege-escalation tool bat.exe to the web root directory E:\Companywebsite\***.com (this is a little thing that uses a serv-u vulnerability to escalate permissions), then return to the FSO-free page of the Top of the Ocean shell to see whether the net user command can be used. OK, it can, so he is doomed. Figure 3:
Figure 3
In the command line, enter E:\Companywebsite\***.com\bat.exe "net user aweige 123456 /add". This uses the small tool to run the add-user command, which only an Administrator is allowed to run, right? It adds a user whose username is aweige and whose password is 123456. In fact you could create a hidden account, but because this is a test I didn't bother. It's a bit "straightforward", but after getting in I saw his violent configuration and my attention shifted again: this is a fat chicken, and it can be kept. The result is in Figure 4:
Figure 4
Next, run net user to see whether the aweige user exists:
Figure 5
I won't say any more. Run E:\Companywebsite\***.com\bat.exe "net localgroup administrators aweige /add" to promote myself to administrator, then use aspmu to upload the 3389 tool 3389.exe to the website root directory and run the command E:\Companywebsite\***.com\bat.exe "E:\Companywebsite\***.com\3389.exe".
Okay, he is about to restart; check whether the website can still be accessed:
Figure 6
Does it look strange? Actually nothing is wrong: I was using a Korean proxy, so the "server not found" page shows garbled characters, but you can still make out "the server is not found". Wait a moment. First brew a cup of tea, then chat up a girl on QQ, then go to the anti-DDoS forum and reply to a few posts. Then come back and check again. Haha, the website is accessible again; immediately take out the 3389 client. Username: aweige, password: 123456, OK! No need for a screenshot, right? Because it's a fat chicken, I added a hidden account, left two rootkits, put on a radmin, and modified the terminal port; haha, this one can be used for a while. In addition, because it is a server, I added a hidden virtual directory in IIS as my own web space and opened an FTP for myself.
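The sequence just described (an account created from the web server's context, then added to the local Administrators group a minute later) leaves a clear trail in the Windows Security log. The following is an added defender-side example, not code from the original post or from any tool it mentions: it correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) and flags any account that goes from creation to a privileged group within a short window, or whose creator is not a known administrator. The pipe-separated export format, the account names (IWAM_WEBSRV, backupsvc) and the timestamps are constructed for the example; only the event IDs are real.

```python
"""
Added example (not part of the original post): correlate Windows Security log
events to detect a "create user, then add it to Administrators" chain.

Input is a simplified, constructed export of Security records, one per line:
    timestamp|EventID|SubjectUserName|TargetUserName|TargetGroup
It is not a real .evtx dump; a real pipeline would feed the same fields from
the event XML.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows Security event IDs keyed on by this example.
USER_CREATED = 4720            # "A user account was created."
ADDED_TO_LOCAL_GROUP = 4732    # "A member was added to a security-enabled local group."
PRIVILEGED_GROUPS = {"Administrators"}

# Constructed sample export. The first three lines model the sequence in the
# write-up: an IIS worker identity (constructed name) creates 'aweige' and
# puts it into Administrators 73 seconds later. The last two lines are a
# benign admin task that should not be flagged.
SAMPLE_EXPORT = """\
2005-03-12 21:40:02|4720|IWAM_WEBSRV|aweige|
2005-03-12 21:40:03|4624|aweige||
2005-03-12 21:41:15|4732|IWAM_WEBSRV|aweige|Administrators
2005-03-13 09:05:00|4720|Administrator|backupsvc|
2005-03-13 09:06:10|4732|Administrator|backupsvc|Backup Operators
"""


@dataclass
class Event:
    when: datetime
    event_id: int
    subject: str   # account that performed the action
    target: str    # account acted upon
    group: str     # group name, only meaningful for 4732


def parse_export(text: str) -> list[Event]:
    """Parse the constructed export format into Event records."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), subject, target, group))
    return events


def find_elevation_chains(
    events: list[Event],
    window: timedelta = timedelta(minutes=10),
    known_admins: frozenset[str] = frozenset(),
) -> list[dict]:
    """Return one finding per account that was created (4720) and then added to a
    privileged local group (4732) within `window`. Each finding also records
    whether the creating subject is outside the known-administrator allowlist,
    which is the stronger signal when the creator is a web service identity."""
    created = {e.target: e for e in events if e.event_id == USER_CREATED}
    findings: list[dict] = []
    for e in events:
        if e.event_id != ADDED_TO_LOCAL_GROUP or e.group not in PRIVILEGED_GROUPS:
            continue
        c = created.get(e.target)
        if c is None:
            continue
        gap = e.when - c.when
        if timedelta(0) <= gap <= window:
            findings.append({
                "account": e.target,
                "created_by": c.subject,
                "added_by": e.subject,
                "group": e.group,
                "seconds": int(gap.total_seconds()),
                "unexpected_subject": c.subject not in known_admins,
            })
    return findings


if __name__ == "__main__":
    for f in find_elevation_chains(parse_export(SAMPLE_EXPORT),
                                   known_admins=frozenset({"Administrator"})):
        print(f"ALERT: {f['account']} created by {f['created_by']} and added to "
              f"{f['group']} after {f['seconds']}s (unexpected subject: "
              f"{f['unexpected_subject']})")
```

The allowlist is deliberately a parameter: on an IIS host the useful version of this rule treats any account creation by the web worker identity as a finding on its own, and the time-window correlation then tells you how quickly the new account was promoted.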
To sum up, this network company's server settings and configuration are still acceptable. The defect is that the server set access permissions but no other restrictions, and some dangerous components are enabled, so the script Trojan could run. His current settings can basically stop the vast majority of fast-food hackers, but the server remains vulnerable to real experts. This article also mentions several serious vulnerabilities that could be exploited, but they were not exploited further since this was a test.
I have not mentioned any advanced techniques in this article, so that many newbies (cainiao) can understand it. If you have any questions, contact me directly: Woaili_1@hotmail.com