Web security in China has been improving, and everyone can see it, but intranet security has stagnated. Back in '08 we were invited to test a Chinese game company; its web security was indeed done well.
But once a single vulnerability led into the intranet, the internal security architecture and the administrators' security awareness fell apart, taking many popular online games down with them....
This penetration, two years on, shows once again that intranet security is still unsatisfactory...
The specific process is as follows:
Host: http://www.bkjia.com (a stand-in for the target's domain; this site was not the target)
Out of habit I requested index.hTml with mixed case, and the page was returned normally, so this is most likely a Windows server (IIS is case-insensitive by default).
Further probing showed the site is built on ASP.NET. Years of penetration experience tell me that going straight at the main site of a large company rarely pays off.
OK, let's look at its sub-sites:
Member server: member.2cto.com
User server (merchant): user.2cto.com
Images Server: pics.2cto.com
Shop server: shop.2cto.com
plus a number of other sub-sites; some of the important ones sit behind DNS-resolved clusters.
The sites are densely distributed and the whole site is statically generated, so the intranet architecture is presumably complex, and the different sites' databases may be stored separately...
We decided to bypass the important sites and probe some of the more remote sub-sites..
Earlier probing showed that most of the sites are ASP.NET. For .NET I personally like to look for special files such as .asmx, which are generally used for a site's web services.
Most administrators in China do not secure this interface when deploying it, which leaves a lot of holes; in the past I got into a Chinese express delivery company ("Home x Express") through its web services.
Large .NET sites usually have a few web services configured...
Search Google with the keywords: site:2cto.com filetype:asmx inurl:webservices|webservice|service|services
After a round of searching, filtering and searching again,
I finally settled on user.2cto.com/userservices as the target.
I built a few dictionaries for the scanner and started scanning for .asmx files.
With some luck I found userservice.asmx; appending ?wsdl to the address brought up a standard web service description...
I tested several parameters and found that the userid parameter is SQL-injectable; I'll skip the details. I obtained a back-end account without trouble.
Next, find the back end.
Since each sub-site is independent, a unified back end is ruled out, so I started scanning user.2cto.com for the back-end path....
The result was predictable...
So I tried various ways to find the back-end login address.
Finally, in a Burp Suite capture, the page loads a js/query.js file from the host useradmin.2cto.com.
Logging in there with the merchant account worked...
Inside, the back end was very simple: mainly product and sales management for certain sellers. In product management I could upload product attachments; with JS disabled I tried uploading xx.aspx and, to my surprise, the upload succeeded,
but the attachment's file name had been forced to 201108042251_wooden.doc.
So the extension is rewritten, but looking closer, the name ends in wooden (the merchant name): when the file is generated,
the merchant's user name is appended.
Back to the web service, inject: update [admin] set username='test.asp;' where username='wooden'
Upload the small webshell ("pony") as a .doc through the back end; the attachment now appears as 201108042367_test.asp;.doc.
IIS parses it as ASP and the pony runs fine. At this point we have a webshell.
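The file-naming flaw above is worth spelling out from the defender's side. The following is an added example (not code from the original write-up or from the site): the naming scheme the write-up infers, a hardened replacement that keeps every user-controlled value out of the stored name, an integrity check for tampered usernames, and an audit check for existing upload directories. The extension whitelist and username rules are assumptions for illustration.

```python
import re
import secrets

# Assumption: the upload feature only needs these document/image types.
ALLOWED_EXTENSIONS = {"doc", "docx", "pdf", "jpg", "png"}
# Server-side script extensions that must never appear anywhere in a stored name.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "ashx", "asmx", "php", "jsp"}
# Assumed registration rule for merchant user names.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def legacy_attachment_name(username: str, stamp: str) -> str:
    """The scheme the write-up infers: <timestamp>_<username>.doc.
    The extension is forced to .doc, but the username is read back from the
    database and concatenated unescaped, so a username rewritten to "test.asp;"
    through the injection ends up inside the stored file name."""
    return f"{stamp}_{username}.doc"

def is_valid_username(username: str) -> bool:
    """Integrity check for values read back from the user table: a username that
    no longer matches the registration rule (e.g. 'test.asp;') indicates the row
    was modified out of band and must not be trusted for anything."""
    return USERNAME_RE.fullmatch(username) is not None

def safe_attachment_name(original_name: str) -> str:
    """Hardened replacement: nothing user-controlled reaches the stored name.
    Only the extension is taken from the request, and only from a whitelist;
    anything containing ';' or extra dots fails the character check."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"

_SUSPICIOUS = re.compile(
    r"\.(" + "|".join(SCRIPT_EXTENSIONS) + r")(?=[.;]|$)", re.IGNORECASE)

def is_suspicious_stored_name(name: str) -> bool:
    """Audit check for an existing upload directory: flag any stored name in which
    a script extension is followed by ';' or another '.', the shape that old IIS
    versions executed as script regardless of the final extension."""
    return _SUSPICIOUS.search(name) is not None
```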
Inside the webshell I found a Windows 2003 server and tried to escalate privileges:
whoami shows the default .NET user, which belongs to the Users group.
Listing the services shows Apache running on the server. Apache on Windows runs with SYSTEM privileges by default, which is good news,
so I immediately copied the PHP files into Apache's web directory.
With SYSTEM, a lot becomes possible. ipconfig /all shows the server sits in an intranet.
net view found several servers.
net time /domain returned:
The domain controller of the WORKGROUP cannot be found.
Type net helpmsg 3913 for more help.
So no domain exists in the current network segment.
Pinging the servers from net view in turn showed that
the following segments exist:
10.10.2.*
10.10.4.*
10.10.10.*
and so on; the intranet structure is fairly complex.
This server's own address is 10.10.10.106.
To make things easier I set up a terminal session, enabled the aspnet user and added it to the Administrators group.
The first thing to do after logging on to the terminal is to look at the system logs...
During a penetration, system logs tell the intruder a great deal, such as the administrator's daily operations and how the servers are managed. From the logs it turned out that 10.10.2.13
frequently connects to this server, using an account named super_user.
Without a domain controller, administrators usually pick one of the following to make terminal management easier:
1. Set a different user on each terminal and keep the credentials in a file
2. Use a central management tool, such as a remote desktop manager, that stores each terminal's account and password
3. Set up one common user with the same account and password on every machine for convenience
Sure enough, the output of net user shows super_user in the Administrators group.
Very likely this super_user is case 3. After dumping the hashes and cracking the super_user password, I tried to log on to 2.13.
After entering the account and password, I found there were already two sessions on that Windows server...
That makes case 3 even more likely, and the administrator is very active...
I tried opening a session to get to the desktop; the result: please wait for System Event Notification Service.
At first I thought the event service was just slow to respond, so I waited. Two cigarettes later it still hadn't come up. I guessed the system event service had crashed and stopped responding...
There are solutions, such as stopping the event service or restarting the machine, but in the current situation these are hard to pull off...
The event service problem is probably caused by super_user's lingering session, so as long as the current user's session is cancelled, the event service should stop misbehaving.
Submit: net use \\10.10.2.13\ipc$ "xxxxxxx" /user:super_user
net share \\10.10.2.13
shows a shared SQL directory.
net use z: \\10.10.2.13\SQL
Create a .bat file on the z: drive with the content command > z:\1.txt and run it through the at command; that gives a basic command shell...
I recommend executing cmd this way. Of course you could also use opentelnet to get a command shell, but through ipc$ the method above inherits SYSTEM privileges,
whereas tools like opentelnet only inherit the Administrators group. On servers deployed with hardened policies, the former has shown its advantages.
After query user, I tried logoff to log super_user out.
But something unexpected happened: the .bat ran logoff 2 > z:\1.txt, and 1.txt was not created, so the statement didn't execute? Logically, logoff returns nothing,
so 1.txt should simply be empty, but it wasn't created at all. That means either logoff failed to run or access was denied...
It seems the administrator has applied a security policy. I then tried the tsdiscon command: tsdiscon 2 > z:\1.txt. After it ran, 1.txt was created, so the command appears to have succeeded.
mstsc /z:10.10.2.13 /console
Logged on smoothly...
On the desktop I found a server administration tool, xxxx cloud management, which lays out the whole intranet structure and the IP addresses of the various services,
for example the web servers at 10.10.10.x and the data servers at 10.10.2.x, plus some application monitoring. Unfortunately the servers cannot be controlled directly from it, but it confirmed the IP addresses of the important servers, such as the main site and the databases...
I then wrote a net use batch script to test super_user against the servers in bulk. Most of them accepted the logon normally, including:
Member.2cto.com
User.2cto.com
Shop.2cto.com
and several database servers...
There is no need to go further. After cleaning up that day's traces I left the administrator an email.
With that, the penetration is complete..
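The final stage, one shared super_user credential accepted by most of the intranet in a single batch, is exactly the pattern a defender can spot in logon records, and the earlier log finding (10.10.2.13 repeatedly connecting as super_user) shows where to look. As an added example, not part of the original write-up, the code below takes constructed logon records in a simple line format (timestamp, target host, account, source IP; not a real Windows event format) and flags any account that reaches several distinct hosts from one source within a short window. The sample records, the 10.10.4.21 host and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful remote logons, one per line:
# "<date> <time> <target_host> <account> <source_ip>". Not real log data.
SAMPLE_LOGONS = """\
2011-08-04 23:02:11 10.10.10.106 super_user 10.10.2.13
2011-08-04 23:40:05 10.10.10.106 super_user 10.10.10.106
2011-08-04 23:41:17 member.2cto.com super_user 10.10.10.106
2011-08-04 23:41:18 user.2cto.com super_user 10.10.10.106
2011-08-04 23:41:20 shop.2cto.com super_user 10.10.10.106
2011-08-04 23:41:22 10.10.4.21 super_user 10.10.10.106
2011-08-04 23:55:00 shop.2cto.com wooden 10.10.2.13
"""

def parse_logons(text):
    """Parse the constructed format into (timestamp, host, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, account, src = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), host, account, src))
    return events

def fan_out_alerts(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag (account, source_ip) pairs that log on to >= min_hosts distinct hosts
    within `window`. One credential fanning out from a single foothold is the
    signature of a shared admin account being replayed across the intranet;
    the same admin working from the usual console stays under the threshold."""
    by_key = defaultdict(list)
    for ts, host, account, src in sorted(events):
        by_key[(account, src)].append((ts, host))
    alerts = defaultdict(set)
    for key, seq in by_key.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits within `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[key].update(hosts)
    return {key: sorted(hosts) for key, hosts in alerts.items()}

if __name__ == "__main__":
    for (account, src), hosts in fan_out_alerts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT {account} from {src} reached {len(hosts)} hosts: {hosts}")
```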
Author: wooden