What is web penetration testing: a hands-on walkthrough

2022-07-06 23:59:00 Java architects must see

Hello everyone, I'm Wang Jun, an architect who can write code and recite poetry. Today let's talk about what web penetration testing is, with a hands-on walkthrough. I hope it helps you make progress!

Working through a complete web penetration test in a lab is very helpful for future testing, so I am writing down how it went in the learning environment, as experience in testing an entire website.

Purpose:
(1) Learn how hackers break into websites through vulnerabilities and obtain server permissions;
(2) Learn the whole process of a penetration test.

Principle: the hacker exploits the website's injection vulnerability, obtains the administrator account and password to get into the admin back end, and gets a webshell through the database backup function; the hacker then logs in to the shell and uses a privilege-escalation exp for the 2003 server to take over the server.

1. Check website security

Open the test website at http://192.168.1.3.

To look for vulnerabilities, first scan with a tool, then pick a link to test. Open this link in the browser: http://192.168.1.3/see.asp?ID=461&titleID=86

Append a single quote (') to the link and the page returns an error.

As the figure above shows, the page displays the database error directly, which suggests that an injection vulnerability may exist. In the browser we enter http://192.168.1.3/see.asp?ID=461&titleID=86 and 1=

Next we enter http://192.168.1.3/see.asp?ID=461&titleID=86 and 1=2 in the browser.

An error page is returned. Appending and 1=1 and and 1=2 to the end of the link returns different pages, from which we can conclude that this site has a SQL injection vulnerability.
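Why the three probes above behave differently, and what the fix looks like, as an added example that is not part of the original post. The table, column names and the SQLite back end are constructed stand-ins, since the post does not show the query behind see.asp.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's article table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER, title_id INTEGER, body TEXT)")
    db.execute("INSERT INTO article VALUES (461, 86, 'constructed sample article')")
    return db

def see_vulnerable(db, id_, title_id):
    # Concatenation: anything after the number becomes part of the statement.
    sql = f"SELECT body FROM article WHERE id = {id_} AND title_id = {title_id}"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return f"database error: {exc}"  # raw error shown to the visitor

def _as_int(value):
    # Accept only a short run of ASCII digits; everything else is rejected.
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        raise ValueError("not a number")
    return int(value)

def see_hardened(db, id_, title_id):
    try:
        params = (_as_int(id_), _as_int(title_id))
    except ValueError:
        return "400 bad request"  # generic response, no database detail
    # Bound parameters are data, never SQL text.
    sql = "SELECT body FROM article WHERE id = ? AND title_id = ?"
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    for probe in ("86", "86'", "86 and 1=1", "86 and 1=2"):
        print(repr(probe), see_vulnerable(db, "461", probe),
              see_hardened(db, "461", probe))
```

With the hardened handler, the quote and both boolean probes get the same generic rejection, so the page no longer gives a differential signal or a database error to read.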

2. Use a tool to crack the administrator user name and password

Open the D injection tool.

Copy the URL of the injection point into the D injection tool, select SQL injection detection on the left and click Detect. The database type is shown at the bottom.

Click Detect tables to detect all table names in the database.

Click the admin table, then click Detect fields.

Select the password and admin fields, then click Detect content. Once the field contents are dumped, the user name and password have been obtained.

3. Use a tool to crack the MD5 password

The password we obtained is stored as an MD5 hash, so we crack it with MD5 cracking software.

This gives us the website administrator's account and password: linhai / 123456

4. Log in to the website's admin back end

We use a tool to find the website's admin back end. Open the Yujian back-end scanning tool.

Enter the website URL http://192.168.1.3 into the tool and click Start scan.

From the scan results, we guess that the back-end login URL is http://192.168.1.3/admin/Login.asp

Using the cracked administrator account linhai and password 123456, we log in to the back end successfully.

5. Get a webshell on the website

Once inside the admin back end, we need to get a webshell. In this example, open System Management, choose Article Management, and open the image upload.

We try uploading an ASP trojan directly.

We change the trojan's file name to mm.jpg.

After the upload succeeds, right-click the image and open its properties to see where it was uploaded, and record the location: http://192.168.1.3/admin/Upfiles/201873091139.jpg

Because what we uploaded is an image, it cannot be parsed as a trojan script. The website happens to have a database backup function, so we can use the backup to rename the file so that it is executed as a script. Click Data Management on the left and choose Backup / Restore Database.

In the backup form, fill in the address of the image we just uploaded in the database path field: ../admin/Upfiles/201873091139.jpg; in the backup database path field, fill in ../db/1.aspx. The purpose is to back up our .jpg trojan as an .aspx file so that it runs normally.

After clicking Backup, http://192.168.1.3/db/1.aspx is the address of our trojan, and the trojan's password is 77169. We now have a webshell on the website.
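The step above works because the backup form trusts both paths it is given. An added example (not from the original post) of the check that closes it: the source must resolve to the site database, and the server chooses the destination directory and extension. The directory layout and the data.mdb file name are hypothetical.

```python
import ntpath
import re

# Hypothetical layout: the admin scripts, the live database, and a backup
# directory outside the web root, so nothing stored in it is ever executed.
ADMIN_DIR = r"D:\site\admin"
DB_FILE = r"D:\site\db\data.mdb"
BACKUP_DIR = r"D:\backups"
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def _resolve(rel_path):
    """Resolve a form value relative to the admin directory, as the form does."""
    full = ntpath.normpath(ntpath.join(ADMIN_DIR, rel_path))
    return ntpath.normcase(full)

def plan_backup(source, backup_name):
    """Return (src, dst) for a permitted backup, else raise ValueError."""
    if _resolve(source) != ntpath.normcase(DB_FILE):
        raise ValueError("source is not the site database")
    if not NAME_RE.fullmatch(backup_name):
        raise ValueError("backup name must be a plain label, no path or extension")
    # The server, not the user, picks the directory and the extension.
    return DB_FILE, ntpath.join(BACKUP_DIR, backup_name + ".bak")

def is_allowed(source, backup_name):
    try:
        plan_backup(source, backup_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(plan_backup("../db/data.mdb", "nightly"))
    # The two values used in the walkthrough are both refused:
    print(is_allowed("../admin/Upfiles/201873091139.jpg", "nightly"))
    print(is_allowed("../db/data.mdb", "../db/1.aspx"))
```

Denying script execution in the upload and backup directories at the web server level covers the same path from the other side.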

6. Get server permissions

After entering the webshell, we need to run DOS commands to add an administrator. Click the command line at the top of the webshell to enter command-execution mode.

Try running the whoami command to check our permissions.

We find that we have network service privileges. An administrator account cannot be added directly at this privilege level: when we try to add an account, the output is blank, which shows that we cannot add users.

Click Port Scan, then click Scan. The system has port 43958 open, i.e. the Serv-U service.

Click SU privilege escalation, enter the command net user aaa 123456 /add in cmdshell, then click Execute.

In cmdshell, enter the command net localgroup administrators aaa /add, then click Execute.

In cmdshell, enter the command net user, then click Execute, to see whether user aaa was added successfully.

In cmdshell, enter the command net user aaa, then click Execute, to confirm that user aaa belongs to the administrators group.

Click Start -> Run -> mstsc -> 192.168.1.3, enter the account aaa and password 123456, and click Log in.
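How the account changes in step 6 look from the monitoring side, as an added example that is not part of the original post: a rule over process-creation records that flags accounts created, or promoted to administrators, by a web or FTP service process. The record fields and the parent process names are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Service processes that should never spawn account changes (assumed names).
SERVICE_PARENTS = {"w3wp.exe", "servudaemon.exe"}
ADD_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
ADD_ADMIN = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)

def find_account_alerts(events, window=timedelta(minutes=10)):
    """Flag accounts created, or promoted to administrators, by a service process."""
    created, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["parent"].lower() not in SERVICE_PARENTS:
            continue  # interactive admin activity is out of scope here
        m = ADD_USER.search(ev["cmd"])
        if m:
            created[m.group(1).lower()] = ev["time"]
            alerts.append(("account-created-by-service", m.group(1), ev["parent"]))
            continue
        m = ADD_ADMIN.search(ev["cmd"])
        if m:
            user = m.group(1).lower()
            fresh = user in created and ev["time"] - created[user] <= window
            rule = "new-account-made-admin" if fresh else "admin-added-by-service"
            alerts.append((rule, m.group(1), ev["parent"]))
    return alerts

# Constructed process-creation records (field names are hypothetical).
T0 = datetime(2022, 7, 6, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "parent": "explorer.exe", "cmd": "net user helpdesk Xy!9 /add"},
    {"time": T0 + timedelta(minutes=1), "parent": "w3wp.exe", "cmd": "cmd.exe /c whoami"},
    {"time": T0 + timedelta(minutes=3), "parent": "ServUDaemon.exe",
     "cmd": "cmd.exe /c net user aaa 123456 /add"},
    {"time": T0 + timedelta(minutes=4), "parent": "ServUDaemon.exe",
     "cmd": "cmd.exe /c net localgroup administrators aaa /add"},
]

if __name__ == "__main__":
    for alert in find_account_alerts(SAMPLE_EVENTS):
        print(alert)
```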

That's the end of today's article. Thank you for reading. Java architects must see wishes you a promotion and a raise, and good luck every year.
