Real-combat detection of a local school website of Beida Jade Bird

This paper is a tortuous process of taking Beida Jade Bird a local school website shell.

Before also took a Peking University Jade bird A website article, I once again sprouted I a Peking University bird's website practice practiced hand idea. In fact, I have tried to test a few Peking University Bird Local School website, simple look under no injection of the vulnerability without a weak password to give up. Read the article take the station process, the method is not difficult, so I also decided to find a website to practice practiced hand.

I. SET goals

I first to the Beijing University Bird's main station to see a bit, found that the site is a standalone server, although the server is located in the IP binding 3 domain names, but found that all points to the same site, the official main station, it appears that the next note do not think. A simple look at the next, unsurprisingly there is no simple injection of loopholes, also did not find the site backstage, I one, so give up the idea of the main station shell. The main station can not take, Beida Jade Bird in each province have campus, many of these campuses have their own website, estimated that the security do not better than the main station, perhaps can let me get the shell. Find the site of each campus is very simple, point Beida Jade Bird Master station on the "campus" can be queried by the region to the local campus site, such as the choice of Beijing will be listed in Peking University all the campus, and there are various campus site address links.

I randomly chose a campus site as the goal, for unnecessary trouble, I will not write the website.

Ii. Collection of information

identified the target site, first to collect some basic information of the target site. Open the target site homepage, found that the link on the page is a static page, by looking at the homepage source file, the preliminary determination of the site with the ASPX Web site management system, speculation may be generated through the background of static pages. There are robots.txt files, but no directories and files appear in the file, and no value is used. Through the search "site:xxxaccp.com inurl:.aspx" did not find any link with parameters, injection can not think of, but found the background of the site, with a few weak password to try to log in the background, no success.

Third, start the side note

Based on the information gathered, it is too difficult to get directly from the target site, considering the side note. In the IP query site back up a bit, found that the target site is located on the server has 60 sites (in fact, not only 60, I was negligent here), to meet the conditions of the next note. The remaining 59 sites always have the security to do bad, I do not believe to get a shell. So a site of a site to detect whether there is a low-level vulnerability, whether there is an injection vulnerability, add admin and manage after the website address, see if the background login page, if found backstage with common weak password try to log in. See if the website exists robots.txt this file. In this process encountered a can use a universal password into the background, encountered a admin,admin weak password into the background, but all because the background function too simple can not get webshell. It was hard to find an injection point to guess the Administrator's username and password, but MD5 encrypted password to crack. In short, the rough side-note over, did not get any one of the website shell.

Iv. find any File download vulnerability

After finding no results above, I decided to find out if there is any file download vulnerability in the website. There is a "download" link on a website, there are a lot of files for download when I move the mouse to a download file, I see, I think there is a chance, there may be any file download vulnerability, because the address of the download file is specified by a variable URL, Any file download vulnerability can occur if the URL variable is not filtered or filtered properly. To verify that the construction address is accessed in the browser, a dialog box for downloading the down.asp file appears, stating that any file download vulnerability does exist.

Any file download vulnerability is still very useful, the use of good may download to the Web site database files, find the administrator's user name and password into the background, the background can also take the shell, this is the most ideal situation. To download a database, you first know the path and name of the database. The path and name of the database for the use of the ASP program most commonly stored in the conn.asp file (a small part of the config.asp and other files), conn.asp some directly in the site root directory, and some in the directory under the INC directory, you can first try under the above two directories, if not find To the background log in the file can be downloaded after viewing the source code to find the database connection file and then download the database.

In order to save trouble, first guess. Assume that the database connection file for a Web site that has any file download vulnerability is conn.asp in the root directory of the Web site, and the Access prompt "program is running in error." Contact your system administrator. ", it seems that this file does exist, just direct access to the error.

Re-access result hint "Cannot find this page".

Description "The program ran an error. Contact your system administrator. "It is not the error to find the file, it proves that there is a conn.asp file in the root directory of the website." Download it, construct, access in the browser without accidentally appearing the download conn.asp dialog box.

After downloading the conn.asp, open it with Notepad and find the following code.

Dim Conn

Dim DBPath

Dbpatb=server. MapPath (".. /data/hn_kaitong,asp ")

The description database file is hn_kaitong.asp, in the data directory, know the database path and name to download the database, I first constructed the address after access to the "D:\www\web\xxx.com\wwwroot\data\HN_ Kaitong.aspdoes not exist "error message.

Rename the downloaded hn_kaitong.asp to Hn_ kaitong.mdb, open with Microsoft Office Access, find the administrator's username lawer and password 72ff7fa7b7678b6d in the admin table, Tragedy is 72ff7fa7b7678b6d crack not come out, more tragic is the site of the backstage also did not find. There is still no shell to get even a Web site on the same server.

Discerning eye know my address was constructed incorrectly because conn.asp is in the root directory of the Web site, the database file Hn_ Kaitong.asp relative to Conn in its superior directory under the Data folder, but this time the construction address error also has an unexpected harvest, is burst the absolute path of the website, this has a great effect, the following will be mentioned. The database file was downloaded with the newly constructed address.

V. Bold attempt

I don't know what to do at the moment. Calm down to think about it, I also notice that the arbitrary file download Vulnerability and the site of the absolute path burst. Look at that path again D:\www\web\xxx.com\wwwroot\data\HN_kaitong.asp, you can know that there is any file download vulnerability to the root of the Web site on the server absolute path is D:\www\web\ Xxxitalnc.com\wwwroot\. Because it is a virtual host, it is bold to guess the absolute path of most Web sites on the server has a certain regularity, such as the domain name of the www.xxx.com site is the absolute path of D:\www\web\xxx.com\

Wwwroot\. Single know the absolute path of other sites seems to be useless, but if you can traverse all the files under the other Web site to cooperate with any file download vulnerability is very useful, you can download other sites already know the path and file name of any file, you can download the database of the site, find the administrator's user name and password back backstage. To take advantage of the need to meet two conditions.

1, the absolute path of the site has regularity

2, there is a vulnerability to traverse all Web sites

These two conditions I do not know full of unsatisfied, I assume these two conditions meet, to verify my hypothesis. In the IP Site Query page found a website, using the ASP program, the background directory for admin, database connection file for the INC directory conn.asp, construction, access in the browser, the exciting Download file dialog box appears. It proves that the two assumptions I made above are set up!

Download conn.asp after the discovery of the database as a Data/buy#2buy#cndata.asa, constructs, in the browser access to the hint file does not exist, the construction of the address is correct AH, remove the address of the INC directory can download the database (to the # URL encoding, to become%23).

Found in the database administrator user name admin and password 9aof39b2e2b26750, in the MD5 online query site cracked out, the result is 23990588, and then logged in the background. Background add goods where there is ewebeditor, but has been castrated, can not get Webshell.

Six, continue to hit the wall

Use any file download vulnerability to download the database of the Web site to download the database (also downloaded a 289M database file!) ), but also into the backstage of several websites, but the site backstage function is too simple, did not get Webshell. I also tried to take advantage of getting the Site Admin password as FTP password, site domain name as FTP user name log on to the server FTP, but did not succeed.

Seven, the emergence of a turnaround

It seems that I don't know what to do now. Once again, after I have detected the target site listed on the IP query site with the Web site on the server, I find that the following instructions are shown below "Hint: only some domain names are displayed. To view all domain names, click here. "I go, I think show all the domain name, originally only show some domain name AH."

Click to open the link found to see all the content needs to pay money to become a member, no money to it. At this time I think of a good friend passers-by gave me a side note of the site address, because the query speed is relatively slow, usually not how to use, but it can be free to display a server on all domain names, in the search for the target site where the server bound 110 domain names, than in the IP query site display more than 50.

Hope that the more out of the 50 sites have let me get webshell. Continue to note just found out the site, continue to use any file download vulnerability to download the database site, and into a site backstage, in this background to see the long-awaited database backup function, upload a word trojan contains a picture file, through the database backup got a Webshell. This shell allows you to traverse files under the target Web directory.

Originally thought to this step, the target website shell can be handy, write an ASP a word Trojan to the target website root directory, write unsuccessful, tried the target site root directory of several subdirectories, there is no write permission. Think that the permissions of the ASPX file will be larger, perhaps the directory of the target site has write permissions, try to pass a aspxspy to the site directory has been obtained shell, prompted to upload a successful but not found the uploaded files, was killed? Re-uploading an ASPX file, test, or upload is unsuccessful, stating that you have obtained a shell in the site directory that does not allow uploading of. aspx files, blocked.

The target site is an ASPX program, must exist in the site root directory configuration file Web. config, through the already obtained shell download found the target site is also Access database, database file named Accpdb_backup.mdb, in the site root directory App_ Data directory, the administrator's user name and password are found after downloading, and the password is not encrypted. Hang up the VPN after login to the target site backstage, but helpless is in the background upload any files are prompted "Upload directory does not exist." ", you cannot upload a file, or you cannot get the shell of the target website.

Eight, the end of the wish

Although I haven't got the shell yet, I've gathered more and more information. Using one of the Shell's column directory functions of the other websites that have been obtained, we have found a kindeditor folder, an editor, and found the page where the file was uploaded, but still prompted "upload directory does not exist" when uploading the file. ", cannot be uploaded. I found a file in the Myfreetextbox directory ftb.imagegallery.aspx, the file name of FTB attracted me, is this file saved the FTP user name and password? We make a visit to the open page.

Seems to be able to upload files, I uploaded a picture file, no hint and display, do not know if the upload is successful, and can not be used? I found that this page also has the ability to create folders, see if you can use, enter 123, click "Create folder" after the 123 folder actually created successfully.

Through the column directory found in the Myfreetextbox directory more than one folder images, the newly created folder 123 in the images directory, double-click the new 123 folder to 123 directory, upload a picture again, this upload succeeded.

directly upload a. asp format asp A sentence Trojan asp.asp to 123 folder, although not see the thumbnail, but through the column directory to find the file upload success, access to successfully received a long-awaited shell.

Shell has been achieved, the goal has been reached, and the Peking University Jade Bird a local school website contest on the end, right I will not mention. Get the shell back to look at the process of taking the shell, in fact, the last way to take the shell is very simple, but the process of finding this method is twists, very tortuous. Through the shell practiced hand also told me, now if you want to take a website, directly through the injection or through the weak password into the background to get the shell is almost impossible, this time you need to try another way, more find other loopholes, such as any file download vulnerability, and then have patience, Do not encounter a little difficulty to give up, if I give up halfway will not have this article.

Real-combat detection of a local school website of Beida Jade Bird