Summary of simple website intrusion methods

Source: Internet
Author: User
Tags: SQL injection, attack, website, server

First, observe the target website.
Intruding into a specified website requires the following:
First, check whether the website is dynamic or static.
Which types of website can be intruded into? In my view, a dynamic website is one written in server-side code such as ASP, PHP or JSP.
If the site is static (.htm or .html), the attack will not succeed.
If the target website to be intruded into is dynamic, attackers can exploit the vulnerabilities of dynamic websites to intrude into the website.

Quote:
The following are common website intrusion methods:
1. Upload vulnerability
If you see "select the file you want to upload [re-upload]" or "Please log in before using this", 80% of the time there is a vulnerability!
Sometimes the upload does not succeed because the cookies differ; we need to use WSockExpert to obtain the cookie and then upload with Domain.

2. Injection vulnerability
Caused by lax character filtering.

3. Database exposure ("brute-force database"): replace the "/" in front of the second-level directory with "\".

4. 'or'='or' is a string that alters the SQL login query and lets you straight into the backend. I collected similar ones:
'Or ''='" or "A" = "A') or ('A' = 'a ") or ("A" = "A or 1 = 1 -- 'or 'A' = 'a

5. Social engineering. Everyone knows this one; it is guessing.

6. Writing to an ASP database: write the one-line trojan <% execute request("value") %> into the database (the database file must have an .asp or .asa suffix).

7. Source code reuse: some websites use source code downloaded from the Internet, and some webmasters are so lazy that they change nothing,
for example the default database, the default backend address, and the default administrator account and password.

8. Default database paths and webshell paths: many sites keep the defaults, or other people's webshells are left behind.
/Databackup/dvbbs7.mdb
/BBS/databackup/dvbbs7.mdb
/BBS/data/dvbbs7.mdb
/Data/dvbbs7.mdb
/BBS/DIY.asp
/DIY.asp
/BBS/CMD.asp
/BBS/cmd.exe
/BBS/s-u.exe
/BBS/servu.exe
Tool: Station hunter

9. Directory browsing: on some sites you can cut the URL back to a directory and list its contents.
210.37.95.65 images

10. Overflow exploitation with tools
11. Using search engines:

(1) inurl:flasher_list.asp (default database: database/flash.mdb, backend: /manager/)
(2) Finding the website's management backend address:
site:XXXX.com intext:management
site:XXXX.com intitle:management <many keywords; find them yourself>
site:XXXX.com inurl:login
(3) Finding Access database, MSSQL and MySQL connection files:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb

12. Cookie spoofing ("cookie fraud"): change your ID in the cookie to the administrator's and change the MD5 password to another value. The Guilin Veteran cookie tool can be used to modify the cookie.

13. Exploiting common vulnerabilities, e.g. in BBS forums
You can use the Dvbbs privilege-escalation tool to make yourself a front-end administrator.
Then use the Dvbbs sticky-post tool: find a sticky post and obtain the cookie from it. You have to do this yourself; WSockExpert can be used to capture the cookie, or NC to capture the packets.
I will stop here and go over this in my next online tutorials.
Tool: Dvbbs privilege-escalation tool

14. There are also some old vulnerabilities, for example in IIS 3 and 4: viewing source code, deleting files, and so on.
I will not discuss CGI and some old PHP holes... too old, not much use.

#######################################
       

General intrusion ideas

1. Script vulnerabilities
Script injection (ASP, PHP, JSP)
Other script vulnerabilities (such as upload and cross-site scripting vulnerabilities)

2. Side-site attack ("side note")
Domain-name bypass
IP bypass

3. Overflow vulnerabilities
Local overflow
Remote overflow

4. Network eavesdropping
ARP spoofing
IP spoofing

5. Social engineering

Simply put, the above methods can be used to intrude into a website. If the specified website has no vulnerabilities, other methods can be used...
#######################################
〓 There is more than one road in
If the target website's program has no vulnerabilities, follow these steps:
First, determine the IP address of the server hosting the target website; for example, pinging www.baidu.com returns the IP address of Baidu's server. You can also look up the target's server IP with a side-site (bypass) tool...
Next you can try to intrude into the server on which the target website is hosted. The side-site tool can also tell you how many websites are on that server...
If the target website has no vulnerabilities, try the other websites on the same server... If you can get into one of them, you obtain its permissions and can then see whether they can be escalated to the server itself.

You can also intrude into the website's server directly!
For example, use an IP port scanner to see which ports are open on the target server, then attack through the vulnerable open ports; the forum has plenty of material on attacking common vulnerable ports. You can also look up vulnerabilities in the target server, such as Microsoft's latest 0day, and use them to obtain server permissions, or use a trojan to infect the website host. It mainly depends on whether the target website's server system has vulnerabilities.

========================================================== ========================================================== ====

First, which types of website can be intruded into: dynamic websites, such as ASP, PHP and JSP sites. For sites whose pages end in .htm, I advise you not to bother (the probability of success is almost 0).

Overview of intrusion methods: 1. upload vulnerability; 2. database exposure ("brute-force database"); 3. injection; 4. side-site attack; 5. cookie spoofing.

1. The upload vulnerability was the most popular among hackers in the Dvbbs 6.0 era. With an upload vulnerability you can obtain a webshell directly, so its severity is high, and it is still a common vulnerability today.

How to use: append /upfile to the website address in the address bar. If the ASP page responds with "incorrect upload format [re-upload]", the site has the upload vulnerability, and you can find an upload tool to obtain a webshell.

Tool introduction: the Upload tool, Veteran's upload tool and Domain 3.5 can all perform the upload, and it can also be submitted with NC.

What is a webshell: many people did not understand webshell after the brief introduction in the previous lesson, so here it is in detail. A webshell is not esoteric: it is a set of web-level permissions that lets you manage the site and modify the homepage content, but without any special system permissions (that depends on the administrator's settings). This permission is generally what you need to change someone else's homepage. Those familiar with web trojans will know them (for example, Veteran's webmaster assistant and Haiyang 2006 are web trojans); these are what the upload vulnerability finally lets us upload. Sometimes a server with poorly configured permissions gives the highest permission through a webshell.

2. Database exposure ("brute-force database"): this vulnerability is rare today, but many sites can still be exploited through it. Database exposure means submitting crafted characters to obtain the database file; once we have the database file, we have the site's front-end or back-end permissions.

Method: take a site address such as http://www.xxx.com/dispbbs.asp?boardid=7&id=161; replace the "/" between "com" and "dispbbs" with "\". If the vulnerability exists, the error message reveals the absolute path of the database directly, and you can then download it. You can also use the default database path: take http://www.xxx.com/ and append conn.asp; if the default database path was never changed, this reveals the database path (note: here too the "/" must be replaced with "\").

Why does "/" have to be replaced with "\"? Because in ASCII "/" is treated as equivalent to "\". Sometimes the database name is /#abc.mdb; here the "#" must be replaced with its URL-encoded form (%23) before it can be downloaded. What if the exposed database file ends in .asp? Replace .asp with .mdb in the download URL. If it still cannot be downloaded, download protection is probably in place.

3. Injection vulnerability: currently the most widely used and most damaging vulnerability. Even Microsoft's official website has had an injection vulnerability. It is caused by the absence of strict character filtering, and through it you can obtain information such as the administrator's account and password.

How to use: first, how to find the vulnerability. A site such as http://www.xxx.com/dispbbs.asp?boardid=7&id=161 ends in id=<number>. Manually append "and 1=1" to the URL and see whether the page displays normally; then append "and 1=2" and check again. If "and 1=1" returns a normal page and "and 1=2" returns an error, the injection vulnerability exists; if "and 1=1" already returns an error page, there is no vulnerability. Once you know the site is vulnerable, you can guess the data manually or with tools. There are many tools now (such as NBSI, NDSI and Domain) that can guess the account and password; since this was written for beginners, I suggest using tools, because doing it by hand is tedious.

4. Side-site attack: when the station we are attacking is robust and impeccable, we can find another site on the same server, use that site for privilege escalation, sniffing and other methods, and get into the site we want. An analogy: you and I live in the same building. My house is secure, but yours has many loopholes. A thief wants to break into my house; he watches my house (that is, scans it) and finds nothing usable. Then he notices that your house and mine are in the same building and yours is easy to enter, so he first enters your home, then obtains the key to the whole building (system permission) through your home, and thus naturally obtains my key and enters my home (the website).

Tool introduction: Domain 3.5 is a good tool that can detect injection, side-site (bypass) and upload vulnerabilities.

5. Cookie spoofing: many people do not know what cookies are. Cookies record some of your information, such as your IP address and name, and are sent by the website when you visit it.

How to spoof? If we already know the administrator's user number and MD5 password hash for station XX but cannot crack the password (the stored 16-character MD5 hash cannot be reversed directly), we can use cookie spoofing: change our ID to the administrator's and change the MD5 password to another value. Tools can modify the cookie so that the system takes you for the administrator, which achieves the purpose of cookie spoofing.

That is all for today's introduction. These are basic concepts and all my personal understanding; if there are mistakes, I hope you will point them out.
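From the defender's side, every probe the tutorial above describes (the "and 1=1"/"and 1=2" pair, the 'or'='or' login strings, the "/" to "\" path trick, requests for default Dvbbs database files and conn.asp, and hits on the upload page) leaves a distinctive line in the web server's access log. The following Python script is an added example, not code from the original article or any tool it names: it parses Common Log Format lines, URL-decodes the request target so encoded probes are visible, tags each line with the probe it matches, and aggregates per source address, flagging when a default database path was actually served with status 200. The log lines, IP addresses and rule names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); the addresses are documentation
# ranges, not real traffic. They replay the probes the article describes against a fictional forum.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0800] "GET /dispbbs.asp?boardid=7&id=161 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2006:13:55:40 +0800] "GET /dispbbs.asp?boardid=7&id=161%20and%201=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2006:13:55:44 +0800] "GET /dispbbs.asp?boardid=7&id=161%20and%201=2 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2006:13:56:02 +0800] "GET /bbs%5Cdispbbs.asp?boardid=7 HTTP/1.1" 500 280
203.0.113.5 - - [10/Oct/2006:13:56:10 +0800] "GET /bbs/data/dvbbs7.mdb HTTP/1.1" 404 210
203.0.113.5 - - [10/Oct/2006:13:56:15 +0800] "GET /bbs/databackup/dvbbs7.mdb HTTP/1.1" 200 1048576
203.0.113.5 - - [10/Oct/2006:13:57:01 +0800] "GET /upfile.asp HTTP/1.1" 200 120
198.51.100.7 - - [10/Oct/2006:14:02:11 +0800] "GET /admin/login.asp?username=%27+or+%271%27%3D%271&password=x HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2006:14:03:00 +0800] "GET /index.asp HTTP/1.1" 200 4000
"""

# Common Log Format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule names one probe from the article and is matched against the *decoded* request target.
# These are narrow triage signatures, not a substitute for fixing the application.
RULES = [
    ("sqli_boolean_probe", re.compile(r"\b(and|or)\s+1\s*=\s*[12]\b", re.I)),
    ("sqli_login_bypass", re.compile(r"'\s*or\s*'?[^']*'\s*=\s*'|'\s*or\s+1\s*=\s*1\s*--", re.I)),
    ("backslash_in_path", re.compile(r"\\")),
    ("default_db_or_conn_file", re.compile(r"/(dvbbs7\.mdb|conn\.asp)(\?|$)", re.I)),
    ("upload_page_probe", re.compile(r"/upfile(\.asp)?(\?|$)", re.I)),
]


def scan_line(line):
    """Parse one log line; return a record with the probe categories it matches, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding and '+' so that e.g. %20and%201=1 and %5C are seen in clear.
    target = unquote_plus(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(target)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "target": target, "hits": hits}


def scan_log(text):
    """Return the records of all lines that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        rec = scan_line(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Aggregate per source address: categories seen, and whether a database file was actually served
    (a default-path request answered with 200 means the file left the server and must be treated as leaked)."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"categories": set(), "served_db_file": False})
        s["categories"].update(f["hits"])
        if "default_db_or_conn_file" in f["hits"] and f["status"] == 200:
            s["served_db_file"] = True
    return summary


if __name__ == "__main__":
    for ip, s in summarize_by_ip(scan_log(SAMPLE_LOG)).items():
        flag = "  <-- database file served, treat as compromised" if s["served_db_file"] else ""
        print(f"{ip}: {sorted(s['categories'])}{flag}")
```

On the constructed log this reports 203.0.113.5 with four probe categories and the served-database flag set, and 198.51.100.7 with the login-bypass string only; the ordinary visitor 198.51.100.9 does not appear. The useful design point is decoding before matching: the tutorial's probes are typed into an address bar, so they arrive percent-encoded, and a rule written against the raw target would miss most of them.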

Prevent script intrusion

Many of my network-administrator friends are also responsible for developing and maintaining their organisation's website. I think everyone is proficient in web development, but may not be clear about how to write secure script code or how intruders penetrate the server through the web. Many friends mistakenly believe that because the server sits behind a hardware firewall and only port 80 is open, there can be no network security problem. Below I introduce several common script attack methods so that you can find the corresponding protections and improve server security.

1. Simple script attacks

This type of attack is caused by poor filtering of special characters in the web application. Although it cannot seriously threaten server security, intruders can post malicious content containing HTML, disrupt the site and damage its reputation. For example, if a site does not filter special characters at user registration, a malicious user can exploit it. Suppose the forum administrator's ID is webmaster; someone may register a user name that looks identical to webmaster (differing only in whitespace, for instance). The IDs differ, but they display identically on the page, and if the other profile information is made to match the webmaster's, others can hardly tell which of the two is genuine. Many sites also have self-developed message boards that accept HTML, which gives attackers the opportunity to post code that automatically pops up a window and opens a page carrying a trojan, so that anyone browsing the message may be infected. The defence is simple: add a filter function:

<%
' Blacklist filter: strips characters commonly used in SQL injection and HTML injection from user input.
Function sqlcheck(fstring)
fstring = Replace(fstring, "'", "")
fstring = Replace(fstring, """", "")   ' double quote; assumed, since this character was lost in the original listing
fstring = Replace(fstring, ";", "")
fstring = Replace(fstring, "--", "")
fstring = Replace(fstring, ",", "")
fstring = Replace(fstring, "(", "")
fstring = Replace(fstring, ")", "")
fstring = Replace(fstring, "=", "")
fstring = Replace(fstring, "%", "")
fstring = Replace(fstring, "*", "")
fstring = Replace(fstring, "<", "")
fstring = Replace(fstring, ">", "")
sqlcheck = fstring
End Function
%>

In the filter function above, the lines fstring = Replace(fstring, "<", "") and fstring = Replace(fstring, ">", "") remove the "<" and ">" characters from the input, so that submitted HTML code cannot run.

2. SQL injection vulnerability attack

Also called SQL injection attack, this is a common web attack method. By constructing special SQL statements, the attacker runs cross-table queries against the database; in this way an intruder can easily obtain a webshell and then use it for further penetration until system management permissions are obtained, so this attack method is very harmful. We recommend that you scan your own website with injection tools such as NBSI and WED+WIS by Xiao Rong to see whether this vulnerability exists.

There is also a special kind of SQL injection, special in that it spoofs the user identity check by constructing special SQL statements. For example, after an intruder finds the background management portal, they enter strings such as "'or '1' = '1'", "' or'' = '", "' or ('A' = 'a", "" or "A" = "A", "'or 'A' = 'a" or "' or 1 = 1 --" (without the outer quotation marks) in the administrator username and password fields and submit; this may lead straight into the management interface, which again shows how important filtering special characters is. Note also that you should not let others learn the address of the website's background management page: besides the above, this prevents intruders from reaching it and brute-forcing the administrator's username and password.

In addition to the filter function above, the defences against this type of attack include suppressing the website's error messages and tightening IIS execute permissions. Previous issues of the magazine have described these preventive measures in detail, so they are not repeated here.
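The filter function in section 1 and the login-bypass strings in section 2 are two sides of the same problem: a blacklist strips characters from input, which both mangles legitimate data and leaves any character it forgot as an opening, whereas binding query parameters and escaping on output remove the problem at its root. The following Python block is an added illustration, not code from the article: it ports the article's sqlcheck() blacklist for comparison, sets up an in-memory SQLite users table with constructed accounts, shows the concatenated login query that the "' or 1 = 1 --" string defeats beside a parameterized one that treats the same string as a plain user name, and escapes message-board text on output instead of deleting "<" and ">" on input. The table, passwords and the SHA-256 stand-in for the stored hash are assumptions for the demo.

```python
import hashlib
import html
import sqlite3

# Characters from the article's sqlcheck() blacklist (the double quote is assumed; that line was
# garbled in the original listing). Ported only to show how the filter behaves.
BLACKLIST = ["'", '"', ";", "--", ",", "(", ")", "=", "%", "*", "<", ">"]


def sqlcheck(fstring):
    """Python port of the article's VBScript blacklist filter: strips the listed characters."""
    for token in BLACKLIST:
        fstring = fstring.replace(token, "")
    return fstring


def hash_password(password):
    # Constructed stand-in for the password hash a forum stores. SHA-256 keeps the example
    # dependency-free; a real site should use a slow, salted hash such as bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db():
    """In-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("webmaster", hash_password("correct horse")), ("o'brien", hash_password("pw2"))],
    )
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern the article warns about: user input spliced into the SQL text.
    A username of ' or 1=1 -- turns the WHERE clause into "username='' or 1=1" with the rest commented out."""
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND pwhash='" + hash_password(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the values, so quotes and '--' in the input stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND pwhash=?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def render_message(body):
    """Output escaping for the message-board case: the text is shown exactly as typed,
    but '<', '>', '&' and quotes are encoded so it cannot run as HTML."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "' or 1=1 --"
    print("blacklist leaves:", repr(sqlcheck(payload)), "and breaks", repr(sqlcheck("o'brien")))
    print("concatenated login with payload ->", login_concatenated(db, payload, "anything"))
    print("parameterized login with payload ->", login_parameterized(db, payload, "anything"))
    print("parameterized login, real user with apostrophe ->", login_parameterized(db, "o'brien", "pw2"))
    print(render_message("<script>alert(1)</script>"))
```

Two things are worth noticing when running it: the blacklist turns the legitimate user name o'brien into obrien, so it silently corrupts data as well as failing to address the cause, while the parameterized query logs o'brien in normally and returns nothing for the bypass string; and escaping at render time preserves the poster's text exactly, which stripping "<" and ">" on input cannot do.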

3. Attacks on the entire site system and Forum

Many websites use well-known, powerful site systems and forums such as Dvbbs (Dynamic Net) and BBSXP, so security risks are inevitable. Because the code of these systems can be downloaded directly from the Internet and many websites use them, many people study their vulnerabilities, and articles about the latest vulnerabilities in these systems appear online all the time.
