A typical virtual host invasion
This invasion process is completed by the empty virtual corrosion and network ride, and the article is also written by two people. I hope everyone likes this way. ^ _ ^
Network Ranger
A friend of the school hires a server, be a web server, a big paragraph ...
On a certain day, I don't do anything, so ready to see how the friend's server is. I know that in addition to their own public websites, his server has also put a few sites under construction.
Tap a newly bought domain address, discovering the website is also new, and very beautiful. So I want to see a look. Of course, I have it, but the version is older. In fact, I don't have a problem directly to my friends, but I have a guide idea of "I have to do my own, and I have a good food", I think about our "so-called Hacker" spirit, or take itself, By the way, telling friends this test results and is also compensated. Ha ha
First, download the "virtual host site query tool" of Guilin veterans, see the following websites on the host:
Open the website in turn, there is no vulnerability, there is the following summary:
1. Two novices downloaded from the Internet without modifying the default username and password admin, but the ADMIN of the two programs can only add articles, software, without more permissions, and cannot be utilized.
2, the main procedure passes through manual detection and NBSI V2 test, confirming that there is no SQL Injection vulnerability, so that some accounts can be uploaded.
Fall in a deadlock.
Aerosolic
The website has once before, so if he does not modify the server name and modify the physical path, I now know the physical path of the site, and his machine name. Since I went in last time, I maybe I will come again!
Still you want to spy the information. The contents of the website forum are www.xxxxx.com/bbs, there are / bs, / bbs1, these two are what I know in advance, because he just installed Yuzi, I am afraid that I can't run normally, so I left a mobile network / BBS1 (has already been patch, the back door is not), / BS has always been the site maintenance and does not use it, it looks that the webmaster doesn't plan to use it.
Let's take a look at his permissions, just find a relatively simple station to go in Webshell, and find that the permission setting is more strict, you can't browse other discs. (What? Ask me how to go? Is I negligent - DVBBS 6 database default, After downloading, violent crack password, then change the registration information in the background, just write a stuff to go in - there is no need to use me nonsense?) Now you have to get some information through this WebShell. It is recommended to slash the ASP Trojan, very cattle! (Figure 2) This computer's process table comes out to see what he is running.
Gram files / symantec / pcanywhere / awhost32.exe is a process of pcanywhere
Gram files / symantec_client_security / symantec antivirus / rtvscan.exe This is Symantec AntiVirus anti-virus software
Serv-U - Serv-U FTP Server --2 Gram Files / Serv-U / Servudaemon.exe
SQLServerAgent - SQLSerVERAGENT - 3 OGRA ~ 1 / Micros ~ 1 / MSSQL / BINN / SQLAGENT.EXE
W3SVC - World Wide Web Publishing Service - 2 WinNT / System32 / InetSRV / INETINFO.EXE
Mysql - MySQL - 2 mysql / bin / mysqld-nt.exe
There is no use of other information. Now I want to get system control, or start with MS SQL, X-Scan scans, no weakness. Falling into a deadlock, intend to find another way. Network Ranger
X-scan scan results are very depressed - Mysql password is empty! Typical default installation! (Later I asked the friend of the management server, he said that there was a password, it seems that he is a password of MySQL Admin to make a password). Since getting these, you can connect with the SMYSQL-V1.7 of the east.
Depressed, the sky is not early, ready to sleep, will you still be busy tomorrow!
Aerosolic
With the east of the east, you must get a Web physics path. This is a bit trouble. Last time you get the site path in D: / wwwroot / under D: / wwwroot, but this time I find the site is under G: / user / *****, this is not easy to analyze, then we want Where is the site under the directory? There is only one BBS in that site, and the site domain name is a row of numbers, and still does not dare to determine the site path.
I looked at the site and turned over. I suddenly found "Thank you ** website to provide hosting service when browsing it." This, all understand! " This webmaster, in addition to his own site, put someone else to make money! Then D: / is his own site, while g: / user / just comes to the site to be space, that is, it can be sure, the Dongdong I want is under G: / user / ***** (Please note that this ***** can not mean the same above), I will take a look at the message and extract it.
I have invaded the site from Webshell's message:
-------------------------------------------------- --------
Machine name *** R2MQGH account CUS_X *** Web path g: / user / xi *** /
Get the user with cmdshell (although you can't add it, you can view)
Administrator ASPNET CUS_ ***
CUS _ **** CUS _ ***** CUS _ ** GI
CUS_CHANGAN CUS_CRA ** CUS _ ** Hudie
CUS_FEN ** CUS_HE ** CUS_IMA **
CUS_LB ** CUS_LC ** CUS_L **
CUS_LTGM ** CUS_MAIL CUS_P **
CUS_QUN ** CUS_S ** CUS_S **
CUS_US ** CUS_XI ***
-------------------------------------------------- --------
It can be inferred: No matter which site, the user is the beginning of CUS_ is his application, such as the username, such as the cus_changan, there is no number, but the program is a digital domain name), but his name is "Changan * ** ", so this cus_changan is what I want! According to his habits g: / user / xi *** /, I have to have the path is G: / user / Changan / since getting the path, I will use the eating tutorial Niu family SMYSQL-V1.7 The process is slightly said:
---------------------------------------- Reference Niu family tutorial additional modification
After getting the password, go up with the eada supermysql connector V1.7, then enter:
Use mysql;
Enter the MySQL this database
Create Table Shuangfeng (cmd text)
Select a table called Shuangfeng in the library called MySQL. This table has only one field name called cmd, and the data type is TEXT.
