Intrude into the server at zero distance.

Source: Internet
Author: User
Many online security tutorials show how to use Baidu and Google to search for vulnerable code and launch attacks. Such articles have little value in practice: we usually need to work against one specified target server, not sweep the network broadly. Only by learning how a fixed-point server is scanned and attacked can we improve enterprise security defense and attack techniques. Today I will start from a real case and walk it168 readers through one-stop scanning and intrusion against a fixed server, so that readers get a zero-distance view of attack and defense.

1. Scan the target site:

Generally, when we set out to target a server, we need to know its IP address, whichever entry point we intend to use. If the target is a website, we can use the NSLookup command that comes with the system to look up its IP address.

On the desktop, click "Start" > "Run", enter cmd and press Enter. In the Command Prompt window that opens, enter "NSLookup domain name" and press Enter; the system then reports the real IP address of the queried site. (Figure 1)

Figure 1


If the target website is hosted on a server cluster, the lookup results may show one domain name corresponding to multiple IP addresses. Of course, each IP address corresponds to one server.

After obtaining the IP address of the target server, we can scan it with a professional vulnerability scanning tool. The author uses the X-SCAN tool. First, all open services and ports on the target IP address are scanned, and the open ports on the server are listed; each port corresponds to a network service. (Figure 2)

Figure 2


Software version: v3.2 (Simplified Chinese version)

Software size: 9188 KB

Software language: Simplified Chinese

License: Free software

Applicable environment: Win9x/WinNT/Win2000/WinXP

Once we know which services are enabled on the target IP address, we can try to access them. For example, the author's scan shows that the target IP address has ports 80 and 8080 open, so we can access it over HTTP. Even if no website is enabled, the error message tells us that the Apache and Tomcat page publishing programs are running on the server. (Figure 3)

Figure 3

Of course, if the target server has the FTP service enabled, we can try to log on with an anonymous account. (Figure 4) For most servers, enabling Remote Desktop on port 3389 makes management easier, but it also greatly reduces the difficulty of intrusion: once intruders know the Administrator account and password, they can easily connect to the target server through the Remote Desktop program and operate it graphically. (Figure 5)

Figure 4

Figure 5

After the X-SCAN scan completes, a security report is generated that records detailed information about the target server, including security prompts and security vulnerabilities. Most users only need to look at the "security vulnerabilities" entries. The findings listed under security prompts and security warnings are generally difficult to exploit and serve mainly for information collection. (Figure 6)

Figure 6

2. Attack using scan results:

Next we can start using the security prompts and security warnings in the scan results to launch attacks. The whole attack process combines data collection with intrusion.

(1) WEB-INF folder accessible vulnerability:

The X-SCAN scan results report a "WEB-INF folder accessible" vulnerability: the relative path /WEB-INF./web.xml can be requested to learn about the server's runtime environment. Following the prompt, I accessed that address and saw the basic information in the server's XML runtime configuration. (Figure 7)

Figure 7

(2) Site directory discovery vulnerability:

The X-SCAN scan results also report a site directory discovery vulnerability, which reveals some of the site's directories on the target server. For example, accessing the manual directory gives further basic information about the Apache publishing tool. (Figure 8)

Figure 8

The directory discovery finding in the scan results also mentions a Status directory. Accessing this directory shows some environment parameters and the running status; from this information we learn that the website is published with Apache + Tomcat. (Figure 9)

Figure 9
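
On the defending side, the web access log shows whether requests for the directories flagged in the scan report were actually served. The following is an added example, not part of the original article: it normalizes request paths (case, URL encoding, the trailing-dot form of WEB-INF) and reports requests answered with a 2xx status. The Common Log Format is an assumption, and the log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Directories the article's scan report flagged: /WEB-INF, /manual, /status.
SENSITIVE = ("web-inf", "manual", "status")
# Common Log Format (assumed): ip - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, directory, status) if the request path contains a
    sensitive directory as one of its segments, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path = target.split("?", 1)[0]
    for _ in range(2):                 # decode twice to catch double encoding
        path = unquote(path)
    for seg in path.replace("\\", "/").split("/"):
        # Windows file systems ignore trailing dots and spaces, so
        # "WEB-INF." resolves to the WEB-INF directory.
        seg = seg.lower().rstrip(". ")
        if seg in SENSITIVE:
            return ip, seg, int(status)
    return None

def exposed_hits(lines):
    """Keep only hits answered with 2xx: the content was really served."""
    hits = [h for h in map(classify, lines) if h]
    return [h for h in hits if 200 <= h[2] < 300]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2009:10:01:02 +0800] "GET /WEB-INF./web.xml HTTP/1.1" 200 1432',
    '203.0.113.7 - - [10/Mar/2009:10:01:05 +0800] "GET /%57EB-INF/web.xml HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Mar/2009:10:01:09 +0800] "GET /manual/ HTTP/1.1" 200 8120',
    '198.51.100.4 - - [10/Mar/2009:10:02:00 +0800] "GET /index.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2009:10:02:11 +0800] "GET /status HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, seg, status in exposed_hits(SAMPLE_LOG):
        print(f"EXPOSED: {seg} served to {ip} (HTTP {status})")
```

Any 2xx hit means the directory should be blocked in the web server configuration; the 403 and 404 hits are still useful as evidence that someone is probing.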

(3) Serious vulnerability: empty database password:

Among the X-SCAN scan results, the only serious vulnerability is that the database password on the server is empty. Because the scan results show that the database on the target server is MySQL, we know that the default administrator account is root and that its password is empty. This is a fatal vulnerability, and it is enough to complete the entire intrusion.

Here I recommend a small tool to it168 readers: MySQL GUI Tools, a visual management console for MySQL databases. It provides four very useful graphical applications for database management and data query. These graphical tools greatly improve the efficiency of database management, backup, migration and query, and can be used freely even by users without a strong SQL background. The four applications are MySQL Migration Toolkit (database migration), MySQL Administrator (management), MySQL Query Browser (graphical client for data queries) and MySQL Workbench (DB design tool).

MySQL GUI tools

Software version: 5.0

Software size: 17.38 MB

Software language: Simplified Chinese

License: Free software

Applicable environment: Win2k/WinXP/Win2003

Step 1: Start the MySQL remote connection tool. Enter the IP address of the target server, enter root as the username, leave the password blank, and click OK to connect. The port is the default 3306; this port can be confirmed from the X-SCAN scan results file. (Figure 10)

Figure 10

Step 2: The connection to the target server succeeds. In the MySQL remote connection console, we can see that the target hostname is the destination IP address and that the server is running MySQL 5.0.27. (Figure 11)

Figure 11


If an error message appears during the connection, first troubleshoot the network and try disabling the local firewall, because the results of an X-SCAN scan are typically not wrong. (Figure 12)

Figure 12

Step 3: In the upper left corner of the MySQL connection tool, select "User Administration". Here you can view the users in the current database, and you can use "Add new user" in the lower right corner to add an account. After making changes, click "Apply changes" to save the configuration. (Figure 13)

Figure 13

Step 4: Use "Server Connections" on the left to check the current connections to the server database. The "Kill thread" button closes a user's connection. (Figure 14)

Figure 14

Step 5: Next we view the content of the database. Click "Catalogs" on the left, and the MySQL remote connection tool shows the databases on the server. Each database contains multiple tables, and each table has fields. All of this information can be queried and modified at will, because we currently have root user permissions. (Figure 15)

Figure 15

Step 6: The remote management tool can also back up the database. Select "Backup" on the left and click "New project" to create a backup job. Then select the database or table you want, use the ">" button to add it to the right, and click the "Execute backup now" button to start the backup. (Figure 16)

Figure 16

Step 7: After you click the "Execute backup now" button, a dialog box asking for the save path appears. The file is saved in the format XXX.sql. You can use related tools to view the database information in this format. (Figure 17)

Figure 17


The simplest way is to open the database file with the remote MySQL management tool described in this article. The same tool can also delete the database on the remote server and overwrite it with a new one: select the "Restore" option on the left and add the corresponding database file. (Figure 18)

Figure 18

3. How to prevent:

This article described several vulnerabilities found by X-SCAN, but in the author's experience and in practice the first two do not pose a fatal threat. The real problem is that no password is set for the root account of the MySQL database. You only need to change the password in the MySQL management tool after installing MySQL, setting it to a sufficiently strong string.
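
To check your own server for the condition described above, audit the MySQL account table. This added example (not from the original article) takes rows as returned by `SELECT User, Host, Password FROM mysql.user` on MySQL 5.0 and flags empty passwords, anonymous accounts and root accounts reachable from remote hosts. The sample rows, hash values and severity labels are constructed.

```python
# Rows come from: SELECT User, Host, Password FROM mysql.user;
# (column names as in MySQL 5.0-5.6; 5.7+ keeps the hash in authentication_string)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_accounts(rows):
    """Return a list of (user, host, finding) tuples for risky accounts."""
    findings = []
    for user, host, pw_hash in rows:
        user = user or ""
        pw_hash = pw_hash or ""          # NULL and '' both mean "no password"
        remote = host not in LOCAL_HOSTS
        if pw_hash == "":
            # An empty password on a network-reachable account is the
            # fatal case the article demonstrates.
            sev = "CRITICAL" if remote else "HIGH"
            findings.append((user, host, f"{sev}: empty password"))
        if user == "":
            findings.append((user, host, "HIGH: anonymous account"))
        if user == "root" and remote:
            findings.append((user, host, "HIGH: root allowed from remote host"))
        if len(pw_hash) == 16:
            findings.append((user, host, "MEDIUM: pre-4.1 (16-char) password hash"))
    return findings

# Constructed sample rows; the hashes are placeholders, not real values.
SAMPLE_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("", "localhost", ""),
    ("webapp", "192.0.2.10", "*" + "0" * 40),
    ("backup", "localhost", "0123456789abcdef"),
]

if __name__ == "__main__":
    for user, host, finding in audit_accounts(SAMPLE_ROWS):
        print(f"'{user}'@'{host}': {finding}")
```

Besides setting a root password, removing the anonymous account and any root entry whose host is not local, and restricting port 3306 at the firewall, closes the remote path the article relies on.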

4. Summary:

So far, we have scanned the target server and carried out attacks based on the scan results. This is the standard sequence: IP scanning, IP analysis, vulnerability analysis, and intrusion by exploiting the vulnerabilities. Of course, a scanning tool is a double-edged sword. On the one hand, it helps us scan our own servers and websites for vulnerabilities and fix them in time; on the other hand, it gives intruders a vulnerability search function that makes it convenient for them to break into the target server. It is worth mentioning that experienced database administrators, when the root password is empty as in this article, can run the mysql -h (SQL address) -u (name) -p (password) command directly in the Command Prompt window, without using any tools, to connect to the remote database and perform the corresponding operations.
