Using ewebeditor to detect websites in batches


Author: Sad fish Source: IT168

When we talk about security testing methods, the ones we know best are injection, file upload, improper website configuration, or administrator negligence. But more and more intrusions now target third-party plug-ins or files. In this article I will take you into the world of the ewebeditor online text editor and show how an oversight in it can be used to obtain control of a website.

Body:

One day while I was at work, an MSN message suddenly popped up. A friend had paid to have a website built and had bought a domain name and hosting space, and he wanted me to test the security of the website and its server and find out what risks the site had. At my friend's invitation, I began my intrusion detection journey.

From my friend's remarks I learned that the hosting space his website uses is the one year of free use the vendor gave him when he bought the program. In that case, many websites will be deployed on the same server, and they are very likely similar programs. Could I break into one of the websites, learn its configuration, and then use the same method on the other websites on the server? With this idea in mind, I started the intrusion journey.

First I opened the domain name my friend had sent, www.pockxxx.com, a website selling mobile phones and game consoles. An IP138 query showed that the domain resolves to 210.51.22.X, Beijing Netcom, which looked like a server hosted in an IDC. I scanned the server with SuperScan and an IIS scanner and found:

1. The server runs Windows 2003 with IIS 6.0.

2. Ports 80, 1433 and 3389 are open.

3. Connecting with telnet 220.250.64.X 1433 and to port 3389 got nowhere, so the server most likely has firewall or IDS software installed. Since only port 80 is open to the outside world, the web application is the only place to start.

I opened the website: a very pretty site. It was easy to see that it was developed in ASP, so the first thing that came to mind was a SQL injection vulnerability. I opened a link at random, http://www.pockxxx.com/product.asp?id=1294, appended a single quotation mark to the address, and the error returned was:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'productID=1294''.
/product.asp, line 32

From the error message we can see the following:

1. The website uses an Access database and connects to it through ODBC rather than through the JET engine.

2. The program does not check whether the data submitted by the client meets its requirements.

3. The table queried by this SQL statement has a field named productID.

So the website is built on the ASP + Access architecture. Appending and 1=1 and and 1=2 to the address returned different pages, so a SQL injection vulnerability exists. But because the site uses an Access database, the only route to a WEBSHELL is to obtain the password and log on to the backend; with a SQL Server database you could use BACKUP to write out a WEBSHELL.

Having confirmed the injection vulnerability, I began the tedious password-guessing process by appending SQL statements to the injection point:

and (select count(*) from admin)>=0

If the page returns normally, the admin table exists. Knowing the admin table, I went on to guess its fields. In general, the fields used by this kind of program are nothing more than username, password, id, userid, user_password, pwd, name and userpwd, so such fields are easy to guess: copy the statement and try them one by one. After a long while I found that the admin table has three fields: username, password and id. To confirm my guess I also used a SQL injection tool, which likewise found the three fields username, password and id.

Obviously username and password store the administrator's username and password. Continue guessing:

and (select top 1 len(username) from admin)>0

First the principle: if the length of the first username is greater than 0, the condition is true; then we test >1, >2, >3 and so on until the condition becomes false. For example, if >7 is true and >8 is false, then len(username)=8. After manual guessing plus the injection tool, I finally found the administrator's backend credentials: username test, password Catherine.

Some readers may ask: now that we have injection tools, why guess the password by hand? I would say that a tool is, after all, a dead thing; you cannot rely on tools for everything. If one day you are doing a test and no tool can help, what then?
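From the defender's side, the probes described above (the stray quote, the and 1=1 / and 1=2 pair, the count(*) table check and the len() guessing loop) leave a very recognisable trail in the web server log. The following added example (not from the article) scans constructed IIS W3C-style log lines, assumed to hold date, time, client IP, method, URI stem, query and status, and reports which clients are walking through such a sequence:

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (not from the article): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-03-01 10:00:01 203.0.113.5 GET /product.asp id=1294 200
2008-03-01 10:00:02 203.0.113.5 GET /product.asp id=1294' 500
2008-03-01 10:00:03 203.0.113.5 GET /product.asp id=1294+and+1=1 200
2008-03-01 10:00:04 203.0.113.5 GET /product.asp id=1294+and+1=2 200
2008-03-01 10:00:05 203.0.113.5 GET /product.asp id=1294+and+(select+count(*)+from+admin)>=0 200
2008-03-01 10:00:06 203.0.113.5 GET /product.asp id=1294+and+(select+top+1+len(username)+from+admin)>7 200
2008-03-01 10:00:07 203.0.113.5 GET /product.asp id=1294+and+(select+top+1+len(username)+from+admin)>8 200
2008-03-01 10:01:00 198.51.100.9 GET /product.asp id=1300 200
"""

# Each pattern is applied to the URL-decoded, lower-cased query string.
PROBE_PATTERNS = [
    ("error-based probe (unbalanced quote)", re.compile(r"=\d+'\s*$")),
    ("boolean tautology and 1=1 / and 1=2", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("table existence probe (select count(*))", re.compile(r"\band\s*\(\s*select\s+count\(\*\)\s+from\s+\w+\s*\)")),
    ("length-guessing probe (top 1 len())", re.compile(r"\band\s*\(\s*select\s+top\s+1\s+len\(\w+\)\s+from\s+\w+\s*\)\s*[<>=]")),
]

def parse_line(line):
    """Split one W3C line into the fields we need; None for lines that do not fit the assumed layout."""
    fields = line.split(" ")
    if len(fields) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = fields
    return {"ip": ip, "stem": stem, "query": unquote_plus(query).lower(), "status": int(status)}

def scan_iis_log(text):
    """Return (client ip, reason, decoded query) for every request that matches a probe pattern."""
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for reason, pattern in PROBE_PATTERNS:
            if pattern.search(rec["query"]):
                hits.append((rec["ip"], reason, rec["query"]))
                break
    return hits

def probing_clients(text, threshold=3):
    """Client IPs with at least `threshold` probe hits: one quote may be a typo, a series is an injection attempt."""
    counts = {}
    for ip, _reason, _query in scan_iis_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```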

With the administrator's username and password, could I log straight on to the website backend? The injection tool's backend search, however, found nothing: the website has no admin directory. It seems my friend had changed the backend path to protect the site from hackers. But here the paths I had collected came in useful, because I like to collect the backend addresses of websites, so whenever I come across a path I have not seen before, such as asdf/login.asp or dd.asp, I note it down.

So I suggest that readers of this article collect more useful information. A qualified security engineer must have not only outstanding technique but also enough resources to get twice the result with half the effort. I added the paths I had collected to the injection tool and ran its backend address scan again, which successfully found the website's backend address, 10f2c1dd/login.asp (figure 2).


The figure shows how well hidden the backend path is. There is a side story here: the first time I scanned after adding my information, I did not find the backend address. A friend taught me that he generates his own small dictionary, much like a password dictionary, and with it he found the backend address. So in penetration testing and other security work, it is sometimes necessary to use your own information and resources at the right moment.

Now that we know the backend address, we use the credentials we guessed and log on to the backend with the username "test" and password "Catherine".

After entering the backend, I found that it really is very powerful, with many features. The following components are supported:

Component support:

Database (ADO) support: √ (supported)
FSO text read/write: √ (supported)
Stream file: √ (supported)
CDONTS component support: √ (supported)

As we know, as long as the FSO text read/write component is available, the site can be used from the backend, for example by uploading our ASP Trojan to control the website. Figure 3 shows the website's backend functions.

Readers may have noticed that although the backend has many functions, most of them only allow uploading jpg and gif image files, not ASP files directly, and the backend has no database backup function. At that moment I really did not know how to get a WEBSHELL, and without a WEBSHELL, getting into the backend cannot count as success. There was nothing for it but to look for a way to get a WEBSHELL. After half a day of searching I found that the website backend uses something that looks like the ewebeditor online text editor (and it was indeed ewebeditor). To confirm my judgement, I first renamed my ASP Trojan with a .jpg suffix and uploaded it through the backend's document editor. After the image uploaded successfully, right-clicking the image showed the uploaded image address as

/10f2c1dd/inc/edit/previusfile/. Some readers may not know much about the ewebeditor online text editor, so briefly: ewebeditor has its own management backend, and many website administrators who use the program do not know that it has one, so they pay little attention to it. The backend address of the ewebeditor online text editor is admin_login.asp, so I changed the path directly to /10f2c1dd/inc/edit/admin_login.asp and the ewebeditor management backend appeared (figure 4).

The ewebeditor backend's default passwords admin and admin888 did not work; it seems the administrator had changed the default backend password of ewebeditor, so the administrator is at least somewhat security-conscious. That does not matter, though: the administrator password is stored in an Access database, so let us use ewebeditor's default database path, db/ewebeditor.mdb, to see whether the default database can be downloaded. If the database is accessible, we may find the administrator's password in it. Enter the following in the IE address bar:

http://www.pockxxx.com/10f2c1dd/inc/edit/db/ewebeditor.mdb


The database was displayed successfully: the administrator had changed the ewebeditor backend password but had left the database at its default path.
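Everything from the image upload onward rests on three conditions an administrator can check for on the server itself: the editor's admin_login.asp is still at its default location, db/ewebeditor.mdb sits inside the webroot where IIS will serve it as a static file, and the upload directory accepts a script whose only disguise is a .jpg extension. The following added example (not from the article or from ewebeditor) walks a local webroot and reports all three; the site layout it builds is constructed, reusing only the /10f2c1dd/inc/edit/ path from the article, and the file contents are placeholders:

```python
import os
import tempfile

# Leading bytes of genuine image formats; a renamed ASP script starts with none of them.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}

def is_script_disguised_as_image(path):
    """True when an image-named file lacks its format's magic bytes or carries ASP delimiters."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return not head.startswith(IMAGE_MAGIC[ext]) or b"<%" in head

def audit_ewebeditor(webroot):
    """Walk a webroot, find ewebeditor installs (directories holding admin_login.asp) and report the exposures."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        if "admin_login.asp" in {f.lower() for f in files}:
            findings.append(("default backend page reachable", rel + "/admin_login.asp"))
            if os.path.isfile(os.path.join(dirpath, "db", "ewebeditor.mdb")):
                findings.append(("Access database inside webroot (downloadable)", rel + "/db/ewebeditor.mdb"))
        for f in files:
            if is_script_disguised_as_image(os.path.join(dirpath, f)):
                findings.append(("script content behind image extension", rel + "/" + f))
    return sorted(findings)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_site(root):
    """Constructed layout reusing the article's /10f2c1dd/inc/edit/ path; file contents are placeholders."""
    edit = os.path.join(root, "10f2c1dd", "inc", "edit")
    _write(os.path.join(edit, "admin_login.asp"), b"<% ' placeholder login page %>")
    _write(os.path.join(edit, "db", "ewebeditor.mdb"), b"\x00\x01\x00\x00Standard Jet DB")
    _write(os.path.join(edit, "uploads", "phone.jpg"), b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # real JPEG header
    _write(os.path.join(edit, "uploads", "fake.jpg"), b"<% ' asp script renamed to .jpg %>")
    return root

def run_sample_audit():
    """Build the constructed site in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_ewebeditor(build_sample_site(tmp))

if __name__ == "__main__":
    print(*run_sample_audit(), sep="\n")
```

Run against a real IIS webroot, a finding of the second kind is fixed by moving the .mdb outside the webroot (or denying it in IIS), and one of the third kind by checking magic bytes at upload time rather than only the extension.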
