Win the school attendance SERVER + official website + Security suggestions again

Welcome to www.cnseay.com. Recently, the project was very painful. When I was bored, I played with the internal network of the school. This was the third time I checked the internal network of the school, and there was no domain. I had a server in my hand, if you can't do the project, you can also use it to check data for hundreds of times. There is also a server for the attendance system. All the photo and ID card information of the school's sister paper is on top. You have logged on to the injection and won the information, later, I informed the school that the access was restricted and only the Office was accessible. Which of the following can be accessed before?

10.0.0.2 win2003

10.0.0.4 Gateway

10.0.0.101 linux 2.6

10.0.0.103 win2003

10.0.0.104 win2008

Today, I used nmap to check if I had another server named 10.0.0.253 or win2003. Then I checked it and scanned the ports. There was a suspicious server named 8888 and 8889. I lost my browser to check it. Hey, the previous attendance system

Remember to inject it. Add a single quotation mark and try it. It's not fixed.

 

Run the 'or' = 'statement used last time, prompting that the account has been disabled. It should have been handled since the last time, but it does not matter. continue to use this injection, the query statement for splicing is select count (*) from admin where username = ''and password =''. Enter 'and 1 = (select user_name () as the user name ()); -1 random password,

 

 

DBO, this feeling is good, always like to use sa,

 

I wanted to directly mention the server. I couldn't add the database and my account, but the downgrading was so painful. I couldn't help it. I used the database to execute the cmd command, echo a shell, and found the web. config File, connected to the database, is indeed sa permission, or cannot add account, whoami looked at not system permission, found serv-u, I added an account with serv-u, but I couldn't improve my permissions. It hurt me to get it done with PR.

 

 

I caught the plaintext passwords of the two servers and found that they were different. On the server 253, I found a database connection string with an Internet IP address. I pinged the database connection string to the school website and found it was the same IP address.

 

It is not the sa permission. The website uses Bo CMS, because it has previously performed code auditing for this set of programs, and knows how to use shell. Directly find the administrator username and password. The weak password is egg and shell is used in the background.

 

 

The server permission is too dead. I did not mention it. Www.2cto.com

Then, I captured the plain text passwords of the two server administrators, combined with the passwords of the database and several OA system administrators, and found that there were regular patterns. It should be rewarded to generate a dictionary together, I will leave this school in a few days and don't bother with it.

 

Security suggestions:

Don't beat the world with a single password. It's best not to be regular. Of course, change the weak password on the server and the official website background.

It is better to install some security software on the server.

Do not drop some test programs on the server.

Sorry, we have everything in it. dare not do it safely.