Infiltrate a MLM server with file Upload vulnerability


Simeon

This article was submitted to the i春秋 (ichunqiu) forum:

https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=30085&page=1#pid389491

Servers hosting MLM (pyramid-scheme) marketing sites are now fairly well protected, using Safedog and other hardware and software defenses. But because the final product still has to be operated by people, once a webshell has been obtained a number of technical means can bypass the firewall protection, log in, and obtain server permissions. Below I share how a file upload vulnerability was used to obtain a webshell, bypass Safedog protection and obtain server permissions.

1.1 Get Webshell via file upload

1. Find and log in to the backend

The backend address of an MLM site is usually changed from the default; with luck it is still admin, otherwise it can be guessed or obtained through an XSS cross-site attack. In this case I was fortunate: domain name + admin reached the backend directly, and a weak password logged me in, as shown in Figure 1. The backend has multiple modules; each one was visited to see whether it offered an upload page.

Figure 1 Entering the backend

2. Upload a specially constructed file

Choose "Cosmetics" > "Add submenu", as shown in Figure 2. Enter some values for the submenu name and menu sort, and for the menu image select a file named mu.asp;.jpg, the classic IIS file-name parsing vulnerability. Click OK to upload the file to the server.

Figure 2 Uploading a specially constructed file

3. View the newly created submenu record

Back in menu management, Figure 3 shows that a new record has been successfully created under the cosmetics menu.

Figure 3 Viewing the newly created menu record

4. Get the address of the uploaded file

The real address of the uploaded image can be obtained by selecting the picture and opening the image link in a new window, or by viewing the frame page source. As Figure 4 shows, the real address of the uploaded file is filemenu/mu.asp;.jpg: the site does not rename uploaded files and performs no security filtering or detection on them.

Figure 4 Getting the real address of the picture

5. Get Webshell

In China Chopper (中国菜刀, the one-line backdoor management tool), create a new record: script type ASP, address http://www.somesite.com/FileMenu/mu.asp;.jpg, and as password the one-line backdoor's password. Figure 5 shows the webshell obtained successfully.

Figure 5 Getting Webshell
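As an added defensive example (not code from the original article or the site it describes), the following Python shows how the upload step in section 1.1 should have been handled: reject the IIS semicolon and double-extension tricks, check the body really is an image, and replace the uploader's file name with a random one. The allowed image types and script extensions are assumptions for the example.

```python
import os
import re
import secrets
from typing import Optional

# Assumption: menu images are only ever JPEG, PNG or GIF.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Server-side script extensions that must never appear anywhere in a name,
# so that "mu.asp.jpg" style double extensions are caught as well.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "php", "jsp"}
# ';' is the IIS 6 terminator behind "mu.asp;.jpg"; NUL and path separators
# are the classic truncation and traversal characters.
_FORBIDDEN_CHARS = re.compile(r"[;\x00/\\:]")
# Magic bytes of the image types we accept.
_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")


def classify_upload(filename: str, head: bytes) -> str:
    """Return 'ok', or the reason the upload must be rejected.

    'head' is the first few bytes of the uploaded body."""
    base = os.path.basename(filename.replace("\\", "/"))
    if _FORBIDDEN_CHARS.search(base):
        return "forbidden character"
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return "extension not allowed"
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        return "script extension in name"
    if not any(head.startswith(magic) for magic in _MAGIC):
        return "body is not an image"
    return "ok"


def safe_upload_name(filename: str, head: bytes) -> Optional[str]:
    """Validate the upload, then return a fresh random file name.

    The name the uploader chose is discarded entirely, so nothing
    attacker-controlled reaches the filesystem or the served URL; only
    the whitelisted extension survives."""
    if classify_upload(filename, head) != "ok":
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

The magic-byte check alone is not enough (a real JPEG header with script appended still executes once IIS treats the file as ASP), which is why the rename is the decisive control.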

1.2 Information gathering and privilege escalation

1. Information gathering and the privilege-escalation approach

After getting the shell, the website's code files were viewed through the webshell, writable directories were checked, and all information that might be used for privilege escalation was looked for. As Figure 6 shows, the website code revealed that the site currently uses MSSQL and that the database user has sa privileges. Seeing this, the privilege-escalation approach that came to mind was:

(1) Check the SQL Server version; if it is below 2005, then with sa privileges the escalation success rate is 99%.

(2) Re-enable xp_cmdshell by restoring the stored procedure configuration:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

(3) Execute commands directly.

Figure 6 Getting the database configuration in source code

2. Configure MSSQL and execute commands

In China Chopper, configure the database connection information obtained from the webshell and open database management; as shown in Figure 7, the command EXEC master..xp_cmdshell 'set' can be run to see the system's current environment variables.

Figure 7 Executing the command

There are three ways to execute the MSSQL command:

(1) Through an MSSQL query tool such as SQL Server 2000 Query Analyzer: connect to the SQL Server and, once the connection succeeds, execute the command in the query window.

(2) In China Chopper's database management, configure the database connection parameters and then perform database management.

(3) SQL Tools, a SQL Server database connection tool. It is used mainly to connect to MSSQL and execute commands, and serves as an auxiliary tool for MSSQL privilege escalation.

3. Add an administrator user and log in to the server

Execute the following in turn:

EXEC master..xp_cmdshell 'net user hacker [email protected]# /add'
EXEC master..xp_cmdshell 'net localgroup administrators hacker /add'

After the accounts are added successfully, connect directly to the server. As Figure 8 shows, the prompt "The remote session was interrupted because the session was logged off on the remote computer. Your administrator or another user has ended your connection" appears, which indicates that there is protection on the server. By running tasklist /svc | find "TermService" and netstat -ano | find "port number", the real 3389 connection port is found to be 51389. Connecting again, as shown in Figure 9, still produces a connection error.

Figure 8 Error prompt when connecting to 3389

Figure 9 Connection failure after switching ports
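As an added defensive example (not from the original article), the following Python scores captured T-SQL batches per session for the chain used in steps 1 to 3 above: re-enabling xp_cmdshell, running OS commands through it, adding a local account and placing it in the administrators group. The batch log is constructed sample data; in practice it would come from SQL Server audit or extended-events output.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of captured T-SQL batches as (session id, statement);
# illustrative data only, not output of any real audit product.
SAMPLE_BATCHES: List[Tuple[int, str]] = [
    (51, "SELECT name FROM products WHERE category = 3"),
    (52, "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"),
    (52, "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    (52, "EXEC master..xp_cmdshell 'net user hacker Passw0rd /add'"),
    (52, "EXEC master..xp_cmdshell 'net localgroup administrators hacker /add'"),
    (53, "EXEC master..xp_cmdshell 'set'"),
]

# One regex per stage of the chain; whitespace inside the quotes is tolerated
# because the article's own commands are written with padded quotes.
STAGES = [
    ("enable_xp_cmdshell",
     re.compile(r"sp_configure\s*'\s*xp_cmdshell\s*'\s*,\s*1", re.I)),
    ("os_command", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("account_added", re.compile(r"\bnet\s+user\b.*/add\b", re.I)),
    ("admin_group",
     re.compile(r"\bnet\s+localgroup\s+administrators?\b.*/add\b", re.I)),
]


def analyse(batches: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Return, per session, the sorted list of chain stages seen in it.

    Correlating by session matters: a single xp_cmdshell call may be
    legitimate, but enable + account + group in one session is not."""
    per_session: Dict[int, Set[str]] = defaultdict(set)
    for sid, sql in batches:
        for stage, pattern in STAGES:
            if pattern.search(sql):
                per_session[sid].add(stage)
    return {sid: sorted(stages) for sid, stages in per_session.items()}


def severity(stages: List[str]) -> str:
    """Map the stages a session reached to an alert level."""
    if "admin_group" in stages or "account_added" in stages:
        return "critical"
    if "enable_xp_cmdshell" in stages:
        return "high"
    if "os_command" in stages:
        return "medium"
    return "none"
```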

4. Get the Safedog configuration file

Searching Baidu for this issue showed that it is caused by Safedog protection. Through the shell, browse the C drive and, under C:\Program Files\safedog\safedogserver\safedogguardcenter, download its configuration file Proguaddata.ini to the local machine, as shown in Figure 10. Install Safedog locally and then overwrite its configuration file with the downloaded one.

Figure 10 Downloading the Safedog protection configuration file

5. Modify the computer name

As Figure 11 shows, Safedog's Remote Desktop protection allows only three computer names on its whitelist. Seeing this, the way to bypass the firewall is clear: change the PC's name to any of the three names in the whitelist.

Figure 11 Remote Desktop protection whitelist

6. Log in to the server

Log on to the server's Remote Desktop again; as Figure 12 shows, the login succeeds and the server can be seen to host a large number of sites.

Figure 12 Logging in to Remote Desktop

1.3 Summary and improvements

1. Extending the information gathered

On the server a TXT file was found, as shown in Figure 13. Opening it revealed another IP address together with an administrator name and password, and this information was used to log on to that server successfully as well. Presumably the administrator left the information there to make management easier.

Figure 13 Obtaining another account and password

2. Bypassing Safedog's interception of the remote terminal

Get the Safedog configuration file, restore it locally, and change the local machine's name to a whitelisted server name to bypass the interception.
