Lessons learned from the practice of intrusion

Tags: mdb, database name, database, vbulletin, open source, cms

1. No matter what kind of site it is and no matter what language it is written in, the first thing I do when I want to penetrate it is scan the directories; the best outcome is to find an upload point and upload the shell directly. Don't laugh: sometimes you spend a long time working on a site and finally discover there was a ready-made upload point all along, and an easy one to guess, but this situation occurs with ASP sites.


2. For ASP (ASPX) + MSSQL, consider injection first. In general, if the injection has dbowner permissions you can write the shell directly; if it cannot be written, or the web server and the database are separated, then guess the data, go in through the backend, and upload or change the configuration file from there.


3. For ASP (ASPX) + Access there are generally only three ways to get a shell: the first is a front-end upload, or injecting your way into the backend and uploading there; the second is injecting into the backend and changing the configuration file; the third is injecting into the backend and backing up the database, or, once database exposure tells you the database is an ASP or ASA file, writing a one-line shell into it directly.


4. For PHP + MySQL it is generally injection into the backend and then upload; occasionally, with better luck, the injection allows select into outfile, and then file inclusion, which comes in local and remote forms. Remote inclusion is not supported on newer PHP versions, so try to upload an image file locally or write to a log instead. If the program has a publicly known vulnerability, with luck you can write the shell directly.


5. For JSP + MySQL, getting access through the database works basically as it does with PHP, and JSP uploads rarely check the file suffix, so as long as there is an injection point and a backend, taking the shell is quite easy. I have not met many JSP + Oracle sites; the ones I did, I got into by guessing the username and password for the backend.


6. At any big site the main site is generally very secure (or has already been worked over), so generally start from the second-level domains: guess some of the main site's usernames and passwords or get the main site's source code, or use a side-site attack to obtain a server on the same network segment and then use Cain or ARP.


7. Ordinary sites rarely use an off-the-shelf CMS, so if you are fortunate enough to find the source code, then you have it made: injection holes, upload holes, file-write holes are all in your hands. Take a look at the newly launched test sub-sites of the big sites; those sites are still under test and you can win them easily.


8. Uploads can have filename truncation, which includes two aspects: one is 00 (null byte) truncation, the other is long-filename truncation (which I once used to get HW); and in many places where files are written, 00 can be used all the time. When uploading, don't forget .asp (and of course .asa, .cer, .cdx all work) and the magic of directory names.
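As an added example (not code from the original post), this is a server-side upload filename check that closes the three gaps item 8 describes from the defender's side: null-byte truncation, over-long names that the filesystem truncates, and the alternative ASP extensions that an `.asp`-only blocklist misses. The endpoint, the allow-list and `MAX_NAME_LEN` are assumptions for an image-upload handler.

```python
# Added example: hardened upload filename handling for an assumed image-upload
# endpoint. The client name is only used to pick the extension; the stored
# name and directory are chosen by the server.
import os
import secrets

# Assumed allow-list for this endpoint.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions the post lists as executable on classic ASP hosts (plus the
# other server-side languages it covers); never accepted anywhere in a name.
SCRIPT_EXT = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".php", ".jsp"}
MAX_NAME_LEN = 100  # assumed limit, well below any filesystem maximum


class UploadRejected(ValueError):
    pass


def safe_upload_name(client_name: str) -> str:
    """Return a server-chosen filename for the upload, or raise UploadRejected."""
    # Null-byte ("00") truncation: C-based file APIs stop at \x00, so a name
    # like "shell.asp\x00.jpg" passes a suffix check but is written as shell.asp.
    if "\x00" in client_name or "%00" in client_name:
        raise UploadRejected("null byte in filename")
    # Long-name truncation: a name padded past the filesystem limit can lose
    # the trailing safe extension, so refuse before anything gets truncated.
    if len(client_name) > MAX_NAME_LEN:
        raise UploadRejected("filename too long")
    # Drop any path component so directory tricks never reach the disk layout.
    base = os.path.basename(client_name.replace("\\", "/"))
    # Check every extension in the chain, e.g. "x.asp.jpg" yields .asp and .jpg.
    parts = base.lower().split(".")
    exts = {"." + p for p in parts[1:]}
    if exts & SCRIPT_EXT:
        raise UploadRejected("script extension in filename")
    final = "." + parts[-1] if len(parts) > 1 else ""
    if final not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    # Random server-generated base name: the client controls nothing stored.
    return secrets.token_hex(8) + final


def is_safe_upload_name(client_name: str) -> bool:
    """Boolean form of the check for callers that only need accept/reject."""
    try:
        safe_upload_name(client_name)
        return True
    except UploadRejected:
        return False
```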


9. PHP sites, whether on Windows or Linux, have the MAGIC_QUOTES_GPC issue. Even when MAGIC_QUOTES_GPC is on, injection through a server variable can still select into outfile; I have worked on a non-open-source CMS where that was the case. In general, do not count on writing files, but if you have the permission don't forget to read file source, because the parameter of load_file can be encoded.


10. Guessing paths or files is necessary in an intrusion; when guessing paths don't forget Google (Baidu is too poor, Google is complete), and consider the site's Robot.txt or robots.txt, there can be surprises.


11. The use of tools is very important; scanning with WVS before the intrusion will help. There are many injection tools, but they do not cover everything; software and hardware firewalls and anti-injection measures are more and more common now, so don't be lazy, more manual work helps you grow.


12. I have met first-class monitoring and other anti-POST firewalls; sometimes a one-line shell cannot be used to transmit the big shell. Then you have to learn to encode and learn to work around it.


13. When going after an ordinary site, remember to check the site's copyright notice, find the company that built it, then work on another site built by that company, get the source code and come back to it. I used this method to win a well-known pharmaceutical company's site.


14. The side-site idea never goes out of date. When you meet a dbowner injection you can very comfortably write the shell onto the site you need and save the trouble of privilege escalation; with bad luck, work step by step from the shell to get what you need.


15. Never forget social engineering: put yourself in the target's place, work from QQ, ID card number, mailbox and so on, and sometimes there are surprises. And don't forget the simple attempts admin,admin; test,test; 123456,123456; of course you can also brute force.


16. Don't neglect XSS and don't neglect cookies. XSS can steal cookies and has a number of other magical uses, learn to understand it; cookies can be forged, cookies can be injected, and cookie injection bypasses the vast majority of firewalls.


17. While working on sites, collect paths, source code and tools to enrich your "weapons" library; it is best to record your intrusion steps, or reflect on them afterwards. I generally note them in a txt file, and also try to generalize from them.


18. On Google, search some keywords such as edit.asp? There are many Korean broilers (compromised hosts), most of them with MSSQL databases!


19. On Google: site:cq.cn inurl:asp


20. Use the Excavator (mining chicken) tool and an ASP trojan. The file name is Login.asp, the path group is /manage/, the keyword is went.asp; log in with ' or ' = ' or '


21. Keywords: Co Net MIB Ver 1.0 website Admin System; account and password are ' or ' = ' or '


22. Dynamic Shopping system: inurl:help.asp, log in, registering as a member if you are not one. Upload_bm1.asp and upload_c1.asp: pick either of the two; administrators have generally ignored these 2 vulnerabilities.


23. Default database address Blogdata/acblog.asa; keyword: acblog


24. Baidu /htdocs: after registering you can upload an ASA file directly!


25. /database/#newasp.mdb; keyword: newasp sitemanagesystem Version


26. With the Excavator, keyword: Powered by Webboy; page: /upfile.asp


27. Search the keyword Ver5.0 Build 0519 in Baidu (an upload vulnerability exists)


28. upfile_article.asp, bbs/upfile.asp; input keyword: powered by Mypower


29. Enter inurl:winnt\system32\inetsrv\ in Google to find a lot of websites.


30. Now search Google for the keyword intitle:website small Assistant inurl:asp


31. Keywords: Home Latest news beginner guide dance music Download Center Classic article player style equipment purchase station Rumors Friendship Connection Site Forum; Excavator keyword: add setup.asp


32. The default database address of the VBulletin forum: /includes/functions.php. Tools: 1. Website Hunter, Baidu, Google. 2. Google keywords: Powered by:vbulletin version 3.0.1, Powered by:vbulletin version 3.0.2, Powered by:vbulletin version 3.0.3; any one of them will do.


33. 1. Open Baidu or Google and search for powered by Comersus ASP Shopping cart open source; this is a mall system. 2. At the bottom of the site there is "comersus Open Technologies LC". Looking at the comersus system, I guessed the database name Comersus.mdb. The database is placed under database/, so try Database/comersus.mdb; replacing comersus_listcategoriestree.asp with Database/comersus.mdb could not be downloaded. Then remove the preceding 'store/' and add Database/comersus.mdb to try again.


34. The official site of the Legend Worry-Free program. 1. Admin address: http://your-domain/MSMIRADMIN/ 2. Default admin account: Msmir 3. Default admin password: Msmirmsmir. The database file is http://your-domain/msmirdata/msmirarticle.MDB; the database connection file is ***********/conn.asp


35. Enter /skins/default/ in Baidu


36. Excavator keyword: Power by Discuz; path: /wish.php; paired with the Discuz! Forum wish.php remote inclusion vulnerability tool.


37. Upload vulnerability. Tools: Domain3.5, Website Hunter version 1.5; keyword: powered by Mypower; detected page or file to insert: upfile_photo.asp


38. New Cloud vulnerability; this vulnerability covers both the ACCESS and SQL editions. Google search keywords "about this site-website help-Advertising cooperation-download statement-Link-Sitemap-manage Login"; submit flash/downfile.asp?url=uploadfile/../../conn.asp to the website root directory. This can download conn.asp and the source code; mostly software and other download sites. People often hit the database: if the name has a # at the front or in the middle, it can be replaced with %23 and then downloaded, e.g. \database\%23newasp.mdb, so #xzws.mdb becomes %23xzws.mdb


39. All-in-one mall + Power upload system. Tools: Mining Chicken v1.1. Ming Boy mall intrusion: keywords: purchase, add to shopping cart, confirm consignee information, select payment method, complete > remittance confirmation, delivery, complete; vulnerability pages: upload.asp, upfile_flash.asp. Power intrusion: keyword: powered by mypower; vulnerability pages: upfile_photo.asp, Upfile_Soft.asp, upfile_adpic.asp, upfile_softpic.asp


40. Easy list: admin_articlerecyclebin.asp; inurl:admin_articlerecyclebin.asp


41. Tools: Website Hunter; keyword: inurl:Went.asp; suffix: manage/login.asp; password: ' or ' = ' or '


42. Intruding Warcraft sites needs these tools: an ASP trojan, Domain3.5; keyword: All right Reserved Design: Game Federation; backend address: admin/login.asp; database address: chngame/#chngame.mdb


43. This vulnerability exploits administrators' IIS configuration errors; with Baidu the keyword is relatively rare. Script names: reloadforumcache.asp; Leadbbs: makealltopanc.asp; BBSXP: admin_fso.asp; Admin_articlerecyclebin.asp


44. Foreign-site database exposure vulnerability; keyword: sad Raven's guestbook; password address: /passwd.dat; backend address: /admin.php


45. Keywords: Channaix; backend path: /system/manage.asp; ASP trojan directly


46. Tool 1: Website Hunter; 2: a big shell; keyword: "do not turn off the Cookies function, otherwise you will not be able to login"; insert diy.asp


47. Keyword: TEAM5 Studio all rights reserved; default database: Data/team.mdb


48. Tools: Excavator, Assistant Database Reader; keyword: Company profile product List; suffix to add: /database/myszw.mdb; backend address: admin/login.asp


49. Keyword: XXX inurl:Nclass.asp; write a trojan in "System Setup" and it will be saved to config.asp.


50. Without going into the backend you can still take a webshell: data.asp?action=backupdata, the default path of the network database backup. Tools: Website Hunter, webshell; keyword: inurl:Went.asp; suffix: manage/login.asp; weak password: ' or ' = ' or '


51. Intrusion of the press release system. Keywords: Leichinews; remove what follows leichinews. Hit: admin/uploadpic.asp?actiontype=mod&picname=xuanran.asp, then upload the shell ..... Access Uppic anran.asp to land on the shell.


52. First, use Google search to find a large number of injection points. Keywords: asp?id=1, gov.jp/asp?id=; pages: 100; language: whichever country you want to invade, fill in that language.


53. Keyword: Powered by:94kkbbs 2005; recover the admin password through the security question: ddddd, answer: DDDDD


54. Keywords: ****** inurl:readnews.asp; change the last / to %5c to expose the database directly, look at the password, go into the backend and casually add a news item with our one-line trojan in the title
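The probes listed in items 20 and 41 (tautology logins), 25 and 38 (direct download of `.mdb` files with `#` encoded as `%23`, and traversal through a download script), 50 (`action=backupdata`), 54 (`%5c` in the path) and 8 (`.asa`/`.cer`/`.cdx` uploads) all leave distinctive traces in web-server access logs. This added example, not from the original post, scans combined-format log lines for them from the defender's side; the log lines are constructed, and the rule names, log format and IP addresses are assumptions.

```python
# Added example: flag the request patterns from the post in access logs.
# Sample log lines are constructed; the rule set is an illustrative minimum.
import re
from urllib.parse import unquote

# Apache/IIS-style combined log: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# (rule name, regex on the raw request target, regex on the decoded lower-cased target)
RULES = [
    ("sqli_tautology",  None,                        re.compile(r"'\s*or\s*'")),
    ("mdb_download",    None,                        re.compile(r"\.mdb(\?|$)")),
    ("hash_encoded",    re.compile(r"%23", re.I),    None),   # '#' never appears in a real path
    ("traversal",       None,                        re.compile(r"(^|/)\.\.(/|\\)")),
    ("backup_abuse",    None,                        re.compile(r"action=backupdata")),
    ("backslash_probe", re.compile(r"%5c", re.I),    None),   # forces a database-path error
    ("alt_asp_ext",     None,                        re.compile(r"\.(asa|cer|cdx)(\?|$)")),
]


def classify(target: str) -> list:
    """Return the names of every rule the request target matches, in RULES order."""
    decoded = unquote(target).lower()
    hits = []
    for name, raw_re, dec_re in RULES:
        if (raw_re and raw_re.search(target)) or (dec_re and dec_re.search(decoded)):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Parse each log line and emit one alert dict per matching rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, _ts, _method, target, status = m.groups()
        for rule in classify(target):
            alerts.append({"ip": ip, "rule": rule, "target": target, "status": int(status)})
    return alerts


SAMPLE_LOG = [  # constructed sample lines; documentation-range IPs
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /manage/login.asp?user=%27%20or%20%27%3D%27&pass=x HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /database/%23newasp.mdb HTTP/1.1" 200 81920',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /flash/downfile.asp?url=uploadfile/../../conn.asp HTTP/1.1" 200 1337',
    '198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /data.asp?action=backupdata HTTP/1.1" 200 210',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /news%5creadnews.asp?id=12 HTTP/1.1" 500 0',
    '192.0.2.9 - - [10/Oct/2023:14:05:30 +0000] "POST /upload.asp?name=x.cer HTTP/1.1" 200 30',
    '192.0.2.10 - - [10/Oct/2023:14:06:00 +0000] "GET /index.asp HTTP/1.1" 200 4096',
]
```

A 200 on `mdb_download` or `traversal` means the file was actually served, which is the case to escalate first.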


55. Tools: a one-line trojan. BBSXP 5.0 SP1: guess the administrator; keywords: Powered by bbsxp5.00; go into the backend and back up a one-line shell!


56. Keywords: Program core: Bjxshop online open shop expert; backend: /admin


This article is from the "My World, I am the director" blog; be sure to keep this provenance: http://biock.blog.51cto.com/4643304/1768757
