Source: evil baboons Author: fhod
PS: I have always been doing intrusion work. This time a friend asked me to help test his company's security and to write a report. I have no experience writing reports either, so this is a rough record, unsatisfactory in places, but it should be understandable. The article is very basic; you can skip it. For the security of my friend's company website, the images and URLs in this article have been processed. Please indicate the source when reprinting.
First, the program has an obvious injection vulnerability.
Injection point:
http://www.hu***xx.com/hxgs_csgy_Details.asp?id=6
However, because the program appears to be developed in-house, the table names cannot be guessed and the administrator password cannot be obtained, so this vulnerability could not be exploited directly.
Viewed through the webshell, the source of D:\web\hxgs_csgy_Details.asp:
<%
Set rs = Server.CreateObject("ADODB.Recordset")
' the id parameter is concatenated straight into the SQL text
sql = "select * from csgy where id=" & Request.QueryString("id") & ""
rs.Open sql, conn, 1, 2
%>
This is the vulnerability: the id query-string value goes into the SQL statement unchecked. Solution:
Create no_sql.asp as follows
<%
On Error Resume Next
Dim strTemp, strTempUrl
' rebuild the full request URL so it can be echoed in the log line
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
    strTemp = "http://"
Else
    strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTempUrl = LCase(strTemp)
' keyword blacklist checked against the raw query string
strTemp = Trim(Request.QueryString)
If InStr(strTemp, "'") Or InStr(strTemp, ",") Or InStr(strTemp, "%20and%20") Or InStr(strTemp, "%20or%20") Or InStr(strTemp, "select%20") Or InStr(strTemp, "insert%20") Or InStr(strTemp, "delete%20from") Or InStr(strTemp, "count(") Or InStr(strTemp, "drop%20table") Or InStr(strTemp, "update%20") Or InStr(strTemp, "truncate%20") Or InStr(strTemp, "asc(") Or InStr(strTemp, "mid(") Or InStr(strTemp, "char(") Or InStr(strTemp, "min(") Or InStr(strTemp, "sum(") Or InStr(strTemp, "max(") Or InStr(strTemp, "xp_cmdshell") Or InStr(strTemp, "exec%20master") Or InStr(strTemp, "net%20localgroup%20administrators") Or InStr(strTemp, "cmd") Or InStr(strTemp, "net%20user") Then
    Response.Write strTempUrl & "<br>Your illegal operation has been recorded by the system at: " & CStr(Now())
    Response.Write "<script>alert('The id parameter is incorrect. Do not submit an invalid id parameter~!');</script>"
    Response.Write "<script language=""JavaScript"">location.href='../';</script>"
    Response.End
End If
%>
Then add the following as the first line of conn.asp, as shown in the figure:
<!--#include virtual="no_sql.asp"-->
In this way, any request whose query string matches the blacklist is rejected with the prompt:
"Your illegal operation has been recorded by the system
The id parameter is incorrect. Do not submit an invalid id parameter~!"
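The blacklist above only rejects strings it knows about; the actual defect is that id is concatenated into the query text. As an added example (my code, not the author's or the site's), here is a hardened version of the Details page that accepts id only as a short decimal integer and passes it to the database as a bound parameter through ADODB.Command. It assumes conn is the open ADODB.Connection created in conn.asp and that the csgy table has an id column, as in the original snippet; the column rendered at the end is a placeholder for whatever the original page displays.

```asp
<%
' Hardened hxgs_csgy_Details.asp (added example, not the site's original code).
' Assumes conn is the open ADODB.Connection from conn.asp.
Dim rawId, idValue, re, cmd, rs

' 1. Whitelist the parameter: only 1 to 9 decimal digits are accepted.
'    IsNumeric alone is not enough (it also accepts "1e3", "&H10", " 6 ").
rawId = Trim(Request.QueryString("id"))
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id parameter"
    Response.End
End If
idValue = CLng(rawId)

' 2. Bind the value as a typed parameter instead of concatenating it into
'    the SQL text, so the query shape is fixed regardless of client input.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM csgy WHERE id = ?"
cmd.CommandType = 1                                             ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , idValue) ' adInteger, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such record"
Else
    ' Render the record as the original page does; encode output to avoid
    ' reflecting stored content into the HTML. rs("id") is the only column
    ' known from the original snippet; other columns are placeholders.
    Response.Write Server.HTMLEncode(CStr(rs("id")))
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With this in place the no_sql.asp include can stay as a logging layer, but the page no longer depends on it: a value that is not a plain integer never reaches the database, and a value that is one cannot change the statement.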
http://www.hu***xx.com/admin/login.asp
The management backend address should also be changed, to prevent an attacker who has obtained the administrator password from logging into the backend and uploading a Trojan to get a webshell. It is best to change it to an address you can remember but which is hard to guess, for example:
http://www.hu***xx.com/admin/^%jkhlogin.asp
Through
http://www.hu***xx.com/hx_cs_gy.asp
we get the news address:
http://www.hu***xx.com/hxgs_csgy_Details.asp?id=6
Because the news items contain images, we get an image address:
http://hu******xx.com/admin/newsupload/previusfile/2007512144938165.jpg
Guess:
http://hu*****xx.com/admin/newsupload/upload.asp
It is likely that the page uses an online HTML editor; the most widely used one is eWebEditor.
eWebEditor's default login page:
http://hu*****xx.com/admin/newsupload/admin_login.asp
Default database:
http://hu*****xx.com/admin/newsupload/db/ewebeditor.mdb
Returned result:
Figure 1
The returned information shows that the default database path has not been changed, but IIS does not allow it to be downloaded.
However, the default password has not been changed either.
http://hu*****xx.com/admin/newsupload/admin_login.asp
Username: admin
Password: admin
In the backend style management, copy a new style
and add asa to the Flash file type.
Figure 2
Preview the new style
Upload the Flash animation
Figure 3
Uploaded
Figure 4
ASP Trojan login address:
http://hu******xx.com/admin/newsupload/previusfile/200798165834394.asa?id=login
Figure 5
Solution: change the default database path and the default administrator password of
http://hu*****xx.com/admin/newsupload/admin_login.asp
It is best to change the default login address as well.
D:\web\admin\newsupload\db
Deny write access to this directory, to prevent an attacker who has obtained the password from entering the backend, adding a new style and uploading an ASP Trojan.
D:\web\admin\newsupload\previusfile
Set this directory to deny script execution: remove the asp.dll mapping for it, so that even if an attacker successfully uploads an ASP Trojan it will not be executed and no webshell can be obtained.
After obtaining the webshell, I found that disk permissions had not been set: cross-directory access was possible.
Figures 6 and 7
Read with the webshell:
Current Terminal Service port: 3389
System account for Automatic Logon: adminwindows
Account Password for Automatic Logon: windows! @*
By fhod
2007-09-08