
A special experience of taking down a DedeCMS site

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The story begins here.

This is the backend login page of a DedeCMS site that I came across.

The backend path is /dede (the DedeCMS default).

After obtaining the site's admin username and password (how is not covered here), I logged into the backend and, out of habit, opened the file manager.

The administrator was no ordinary one, though: the file manager module had already been removed.

So I looked for another place that could generate PHP files.

PHP script files can be created from "tag source code management", which writes tag-library files for the template engine.

Delete the default code, write in the eval one-liner, click Save, and the file is stored under /include/taglib.

Note: the server runs a WAF, so the PHP script was lightly obfuscated.

Then I connected to it with the China Chopper (菜刀) webshell client.

At first the directories of the other sites on the server were not accessible, so I did not expect to be able to pivot to the neighbouring sites (旁注: attacking other sites hosted on the same server).

Because of a permissions misconfiguration by the administrator, a backup of the MySQL data directory was readable, so I downloaded user.MYD (the MyISAM data file of the mysql.user table, which holds every account's password hash).

Opening it in Notepad showed the hashes of all database users; every one except root's could be looked up on cmd5. (Credit to the webmaster here: never set a weak password on the root account, or the server can be escalated from it.)
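What the cmd5 lookup did with those hashes, as an added example that is not part of the original write-up: mysql_native_password stores `*` followed by SHA1(SHA1(password)) in upper-case hex, so a precomputed table of weak passwords recovers any account that used one, while a strong root password survives. The `SAMPLE_MYD` bytes and the wordlist are constructed stand-ins; only the 41-character hash strings follow the real on-disk format, the rest of the record layout is approximated (in a real user.MYD the space-padded Host and User CHAR columns precede the Password column, which is what the labelling heuristic relies on).

```python
"""Recover mysql_native_password hashes from a MyISAM user.MYD dump and test
them against a small wordlist (offline equivalent of the cmd5 lookup).

Added example, not from the original write-up. SAMPLE_MYD is constructed:
only the '*<40 hex>' hash strings are in the real on-disk format.
"""
from __future__ import annotations

import hashlib
import re


def mysql_native_hash(password: str) -> str:
    """'*' + SHA1(SHA1(password)) in upper-case hex, as stored by mysql_native_password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def _record(host: str, user: str, pw_hash: str) -> bytes:
    # Constructed approximation of one mysql.user row: a header byte,
    # space-padded Host and User fields, the hash, then filler for the
    # remaining columns. Not the exact MyISAM layout.
    return (b"\x01" + host.encode().ljust(20) + user.encode().ljust(16)
            + pw_hash.encode() + b"\x00" * 6)


SAMPLE_MYD = b"".join([
    _record("localhost", "root", mysql_native_hash("k7#Vq!9zLp2$Rw")),  # strong
    _record("%", "shop_db", mysql_native_hash("123456")),             # weak
    _record("localhost", "blog", mysql_native_hash("admin888")),      # weak
])

# Hypothetical wordlist; a real lookup service has billions of entries.
WORDLIST = ["123456", "password", "root", "admin888", "shop_db"]

HASH_RE = re.compile(rb"\*[0-9A-F]{40}")
TOKEN_RE = re.compile(rb"[!-~]+")  # printable runs without spaces


def extract_accounts(myd: bytes) -> list[tuple[str, str]]:
    """Return (label, hash) pairs for every hash found in raw MyISAM data.

    The label is the last printable token before the hash, which in a
    user.MYD row is the space-padded User column.
    """
    accounts = []
    for m in HASH_RE.finditer(myd):
        window = myd[max(0, m.start() - 64):m.start()]
        tokens = TOKEN_RE.findall(window)
        label = tokens[-1].decode("ascii", "replace") if tokens else "?"
        accounts.append((label, m.group().decode("ascii")))
    return accounts


def crack(accounts: list[tuple[str, str]], wordlist: list[str]) -> dict[str, str | None]:
    """Precomputed-table lookup: hash every candidate once, then match."""
    table = {mysql_native_hash(w): w for w in wordlist}
    return {label: table.get(h) for label, h in accounts}


if __name__ == "__main__":
    for user, pw in crack(extract_accounts(SAMPLE_MYD), WORDLIST).items():
        print(f"{user:10s} {'NOT CRACKED' if pw is None else pw}")
```

Run on the constructed sample, root is the only account that survives the lookup, which is exactly the situation described above: a readable backup turns every weak database password into a cleartext one, and only the strength of the root password decides whether that becomes a server compromise.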

As for privilege escalation: the IIS worker account is a low-privileged user, the system is fully patched, and PHP has been locked down in its configuration, so the server itself could not be compromised for the time being.

However, the leak of the database accounts of every neighbouring site (more than 100) makes taking those sites down easy; I will not go into detail here. The general approach: use the webshell to connect to MySQL with the recovered credentials, look for tables named like config, admin, manager or siteconfig, read the domain name, title and similar fields to identify each site, pull the backend administrator's account and password, log in to that site's backend, and from there obtain a webshell.

In the same way I also found an MSSQL 2005 database backup in another directory; I will not elaborate on it here.

Case study:

The administrator's work on this server should not be written off entirely: although the DedeCMS site was taken easily, the server itself had been hardened to a fair degree. When I first got the webshell I found I had no read or write access to the other sites, and many people would give up on pivoting at that point; but if you analyse the server environment carefully you may be pleasantly surprised. The reason the pivot worked is that on Windows Server 2008 R2, after a disk partition is formatted, the root of that partition grants the built-in Users group read (and create/write) permissions by default. Through permission inheritance, every file under the E: partition was readable by Users. Most people assume the permissions on a data partition have no bearing on site security and never look at them. Yet the backups kept on that data disk handed the MySQL passwords of every site on the server to an attacker.
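A quick way to check for the condition described above, added here as an example that is not part of the original write-up: parse the output of `icacls <drive>:\` and flag entries that grant broad groups (Users, Authenticated Users, Everyone) read or write rights that propagate to subfolders and files. `SAMPLE_ICACLS` is constructed text modelled on what `icacls` prints for a freshly formatted NTFS data volume; on a real server run the command and feed its output to `audit_volume_root()`.

```python
"""Audit `icacls` output for a data-volume root whose inheritable ACEs let
every interactive user read (or write) everything stored beneath it.

Added example, not part of the original write-up. SAMPLE_ICACLS is
constructed text modelled on a freshly formatted NTFS data volume.
"""
from __future__ import annotations

import re

SAMPLE_ICACLS = r"""E:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    NT AUTHORITY\Authenticated Users:(M)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    BUILTIN\Users:(RX)
    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls prints "principal:(flag)(flag)..." per ACE; the first ACE shares a
# line with the path, the rest are indented by len(path) + 1 spaces.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")
INHERIT = {"OI", "CI", "IO", "NP", "I"}          # inheritance / propagation flags
READ_RIGHTS = {"F", "M", "RX", "R", "GR"}        # anything that allows reading
WRITE_RIGHTS = {"F", "M", "W", "GW"}
BROAD = ("\\Users", "\\Authenticated Users", "Everyone")


def parse_icacls(output: str) -> list[dict]:
    lines = [l for l in output.splitlines()
             if l.strip() and not l.lstrip().startswith("Successfully")]
    first = lines[0]
    if len(lines) > 1:
        indent = len(lines[1]) - len(lines[1].lstrip(" "))
        path = first[:indent - 1]
        chunks = [first[indent:]] + [l[indent:] for l in lines[1:]]
    else:  # single ACE: path and ACE separated by one space
        path, _, rest = first.partition(" ")
        chunks = [rest]
    aces = []
    for chunk in chunks:
        m = ACE_RE.match(chunk)
        if not m:
            raise ValueError(f"unparsed ACE: {chunk!r}")
        tokens = re.findall(r"\(([A-Z,]+)\)", m.group("flags"))
        aces.append({
            "path": path,
            "principal": m.group("principal"),
            "inherit": [t for t in tokens if t in INHERIT],
            "rights": ",".join(t for t in tokens if t not in INHERIT),
        })
    return aces


def audit_volume_root(output: str) -> list[dict]:
    """Return ACEs that give broad groups read access, noting whether the
    ACE propagates to children (OI/CI) and whether it also allows writing."""
    findings = []
    for ace in parse_icacls(output):
        if not ace["principal"].endswith(BROAD):
            continue
        granted = set(ace["rights"].split(","))
        if not granted & READ_RIGHTS:
            continue
        findings.append({
            "principal": ace["principal"],
            "rights": ace["rights"],
            "propagates": bool({"OI", "CI"} & set(ace["inherit"])),
            "writable": bool(granted & WRITE_RIGHTS),
        })
    return findings


if __name__ == "__main__":
    for f in audit_volume_root(SAMPLE_ICACLS):
        print(f)
```

On the sample both the Authenticated Users Modify entry and the Users read entry carry (OI)(CI), so a backup dropped anywhere on the volume inherits them and is readable by the IIS worker account. The fix is to break inheritance on the backup and site directories and grant only the accounts that need them, for example `icacls E:\backup /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F"`, then re-run the audit on each directory.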

Summary:

Webmasters running DedeCMS should rename the backend directory from the default /dede and make sure that writable site directories are not executable and executable directories are not writable.

When taking a DedeCMS site, do not be discouraged if the administrator has imposed restrictions: there are still many places in DedeCMS where a webshell can be written. With enough patience you can usually get one.

When hardening a server, do not overlook the hidden danger in the permissions of the data disk. At the small end it may reveal the software and runtime environment the server uses; at the large end it can leak database passwords and FTP passwords, enable pivoting to neighbouring sites, and so on. In the worst case it can lead to privilege escalation on the server (in this case, had the administrator chosen a simple root password, the hash downloaded in user.MYD could have been cracked to recover the root password, and that high-privilege account then used to escalate on the server).
