Penetrate Dong Yanni's personal website

Source: Internet
Author: User

By tU Acheng. One day a friend told me that a new singer named "Dong Yanni" sang well, especially her song "Dragon Family", and she sent me the address of her personal website. Out of curiosity, I ran a security check on it. To begin, I telnetted to port 80 of www.dongyanni.com; the returned banner was IIS 6.0, so I guessed the target was running Windows 2003. Thinking it over, Windows 2003 did not seem to have any usable vulnerability at the time, but I still scanned the server with X-Scan 3.3 and found nothing. A second scan with SuperScan 4.0 showed only ports 80 and 21 open, so the intrusion would have to start from the web application. Opening the site, I found that almost every page was static, and the few ASP pages took no parameters. Eventually I found one URL with a parameter and, out of habit, appended "and 1=1" and "and 1=2" to it; the first returned the normal page and the second an error page, which indicated an injection vulnerability. I immediately started injecting with NBSI 3.0, but it guessed only one table, news, as shown in Figure 1. Unwilling to give up, I switched tools and manually tried table names such as "administrator", "administrators", "adminname" and "admin1", without success. The injection idea was dead! If injection would not work, try an upload vulnerability! I scanned with Domain 3.5 and Hunter 2.0, but neither found an upload page; in fact, neither found any page at all. So the upload idea was cut off too. Never mind, let's guess the admin backend first! I scanned for the backend with the Ah-D SQL injection tool and Mingxiaozi Domain 3.5, and again neither found a page; scanning the database with Domain also failed. Since the tools could not guess the backend, I would just have to try by hand!

I tried "admin", which did not work, then "manage", "manager", "admin_login.asp", "login.asp" and "adminlogin.asp", none of which worked either, until one more guess finally succeeded: I had found the backend. At first glance I could operate the backend directly, with no verification at all, which gave me a lot of confidence, as shown in Figure 2. Although the backend is simple, a careful reader will have noticed in Figure 2 that it contains an upload function, which is very likely to be vulnerable! Let's open it and see, as shown in Figure 3. Looking at the interface in Figure 3, I think many readers will recognise the "Dynamic Mall" upload vulnerability. First capture the packets, paste the captured upload address into the Dynamic Mall upload vulnerability function of Domain 3.5, and click "Upload"; the small shell flew onto the server at once, as shown in Figure 4. The next step, uploading the full Trojan shell, is something I believe everyone already knows, so I will not go into detail; if not, see the earlier issue of the magazine. Figure 4 shows that I finally had a WebShell, and the next step was to escalate privileges. Opening the "C:\Progra~1" folder showed a great many directories, as shown in Figure 5. I looked for the usual suspects, "Serv-U" and "PcAnywhere", and the idea was cut off again. While staring blankly at the screen, I suddenly remembered that the SuperScan 4.0 scan had shown port 21 open. Could that be Serv-U? I opened CMD and typed "telnet www.dongyangni.com 21"; the banner said Serv-U 6.0! I searched for the Serv-U directory and found its path in the "Startup" entries, as shown in Figure 6. Opening the Serv-U path immediately prompted "The path is not found", so permissions had evidently been set on it. The idea of modifying the configuration file and cracking the administrator password was cut off as well.

After some thought: if the server's Serv-U administrator password was still the default, I could use golds7n's Serv-U-asp privilege escalation program. I uploaded Serv-U-asp at once, then uploaded a pre-configured Shangxing Trojan, and entered "cmd /c" followed by the path and file name of the uploaded Trojan in the Serv-U escalation program, as shown in Figure 7. After clicking Submit and waiting a moment, I started the remote control Trojan's client and found that the command had executed successfully, as shown in Figure 8. After repeated failures, the server was finally ours! To sum up: the intrusion succeeded without resorting to a side-site (pangzhu) attack; the main site was penetrated all the way, and every time a line of attack was cut off it was a blow, but after failure and a change of approach we finally won the server. Intrusion is a process that tests technique and patience. We must learn to summarise and constantly accumulate experience during intrusions, so that miracles can happen in the process and our technical level can improve faster and better! If there are any omissions in this article, please let me know.
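Every probe in this write-up (the "and 1=1"/"and 1=2" pair, the run of guessed admin paths, and an .asp file appearing inside an upload directory) leaves a trace in the IIS access log. The Python below is an added example, not part of the original article, that flags those traces in a few constructed W3C-format lines; the field order, the regexes and the 404 threshold are my assumptions, not anything taken from the page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in W3C format: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2008-03-01 10:00:01 203.0.113.5 GET /news.asp id=12 200
2008-03-01 10:00:09 203.0.113.5 GET /news.asp id=12%20and%201=1 200
2008-03-01 10:00:12 203.0.113.5 GET /news.asp id=12%20and%201=2 500
2008-03-01 10:01:00 203.0.113.5 GET /admin/ - 404
2008-03-01 10:01:02 203.0.113.5 GET /manage/ - 404
2008-03-01 10:01:04 203.0.113.5 GET /manager/ - 404
2008-03-01 10:01:06 203.0.113.5 GET /admin_login.asp - 404
2008-03-01 10:02:30 203.0.113.5 POST /upfile.asp - 200
2008-03-01 10:02:31 203.0.113.5 GET /upload/20080301.asp - 200
2008-03-01 10:05:00 198.51.100.7 GET /index.htm - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Boolean-blind probes such as "and 1=1" / "and 1=2", or a stray quote in the query.
SQLI_RE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b|'", re.IGNORECASE)
ADMIN_PATH_RE = re.compile(r"admin|manage|login", re.IGNORECASE)
ADMIN_GUESS_THRESHOLD = 3  # assumed: this many 404s on admin-like paths from one IP

def parse(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    return {"ip": ip, "method": method, "stem": stem.lower(),
            "query": "" if query == "-" else unquote_plus(query), "status": int(status)}

def analyse(log_text):
    """Return (category, ip, detail) tuples for each suspicious pattern found."""
    findings, admin_404s = [], defaultdict(int)
    for raw in log_text.splitlines():
        r = parse(raw)
        if r is None:
            continue
        if SQLI_RE.search(r["query"]):
            findings.append(("sqli_probe", r["ip"], f"{r['stem']}?{r['query']}"))
        if r["status"] == 404 and ADMIN_PATH_RE.search(r["stem"]):
            admin_404s[r["ip"]] += 1
        if r["stem"].endswith(".asp") and "/upload" in r["stem"]:
            findings.append(("script_in_upload_dir", r["ip"], r["stem"]))
    for ip, n in admin_404s.items():
        if n >= ADMIN_GUESS_THRESHOLD:
            findings.append(("admin_path_guessing", ip, f"{n} 404s on admin-like paths"))
    return findings
```

The third rule only fires on a script being served from the upload directory; the durable fix is to deny script execution on that directory and to restrict uploads to an allow-list of extensions checked server-side.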
