[Original] Successfully broke into a government website: the cleanup work
[color=blue]Today I successfully broke into a government website, and what I saw once inside the webshell was frightening.[/color]
[color=blue]There is a database of about 10MB, all of it personnel (talent) information; one table alone has more than 10,000 records!!![/color]
[color=blue][/color]
[color=blue]The intrusion method is not convenient to describe; the key thing is patching their vulnerabilities.[/color]
[color=blue][/color]
[color=blue]First I patched their injection vulnerability. They had only patched conn.asp,[/color]
[color=blue][/color]
[color=blue]but the database connection file was actually dbconn.asp, so I wrote the following code into it:[/color][code]<%
' Keyword blacklist; the tokens are separated by ※ and split into an array below
Dim flashack_Post,flashack_Get,flashack_In,flashack_Inf,flashack_Xh,flashack_db,flashack_dbstr
flashack_In = "'※;※and※exec※insert※select※delete※update※count※*※%※chr※mid※master※truncate※char※declare"
flashack_Inf = split(flashack_In,"※")
' Check every POST field against every token (case-insensitive substring match)
If Request.Form<>"" Then
  For Each flashack_Post In Request.Form
    For flashack_Xh=0 To Ubound(flashack_Inf)
      If Instr(LCase(Request.Form(flashack_Post)),flashack_Inf(flashack_Xh))<>0 Then
        Response.Write "<Script Language=JavaScript>alert('柔肠寸断[3.A.S.T]提示你↓\n\n请不要在参数中包含非法字符尝试注入,QQ:790653916!\n\nHTTP://WWW.3AST.COM.CN');</Script>"
        Response.Write "非法操作!<br>"
        Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
        Response.Write "操作时间:"&Now&"<br>"
        Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
        Response.Write "提交方式:POST<br>"
        Response.Write "提交参数:"&flashack_Post&"<br>"
        Response.Write "提交数据:"&Request.Form(flashack_Post)
        Response.End
      End If
    Next
  Next
End If
' Same check for every GET (query string) parameter
If Request.QueryString<>"" Then
  For Each flashack_Get In Request.QueryString
    For flashack_Xh=0 To Ubound(flashack_Inf)
      If Instr(LCase(Request.QueryString(flashack_Get)),flashack_Inf(flashack_Xh))<>0 Then
        Response.Write "<Script Language=JavaScript>alert('柔肠寸断[3.A.S.T]提示你↓\n\n请不要在参数中包含非法字符尝试注入,QQ:790653916!\n\nHTTP://WWW.3AST.COM.CN');</Script>"
        Response.Write "非法操作!<br>"
        Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
        Response.Write "操作时间:"&Now&"<br>"
        Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
        Response.Write "提交方式:GET<br>"
        Response.Write "提交参数:"&flashack_Get&"<br>"
        Response.Write "提交数据:"&Request.QueryString(flashack_Get)
        Response.End
      End If
    Next
  Next
End If
%>
[/code]OK, the injection vulnerability is solved.
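To show what a keyword blacklist like the one above does to ordinary data, here is an added example (not from this post) that re-implements the same token list in Python, runs it over a few constructed names, and compares it with a parameterized query against an in-memory SQLite table. The table, the column names and the sample names are all made up for the demonstration.

```python
# Added example, not from the post: the post's keyword blacklist re-implemented
# in Python, run against constructed inputs, beside a parameterized query that
# handles the same inputs without any keyword filtering. Uses sqlite3 in memory.
import sqlite3

# Same token list as the page's flashack_In, split on the ※ separator.
BLACKLIST = ("'※;※and※exec※insert※select※delete※update※count※*※%※chr※mid"
             "※master※truncate※char※declare").split("※")


def blacklist_rejects(value: str) -> bool:
    """Mirror of the page's Instr(LCase(...)) loop: True if any token appears
    anywhere in the lower-cased value, even inside an ordinary word."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'talent' data the post mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE talent (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO talent (name) VALUES (?)",
                     [("Alexander",), ("O'Brien",), ("Charmaine",), ("Li Wei",)])
    return conn


def lookup_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound by the driver, never spliced
    into the SQL text, so quotes and keywords in it are just data."""
    cur = conn.execute("SELECT id, name FROM talent WHERE name = ?", (name,))
    return cur.fetchall()


def compare(names):
    """For each constructed name: (name, rejected_by_blacklist, rows_found).
    Legitimate names containing 'and', 'char' or an apostrophe are rejected by
    the blacklist, while the bound query finds them; a quote-laden string
    simply matches no row."""
    conn = build_demo_db()
    return [(n, blacklist_rejects(n), len(lookup_by_name(conn, n))) for n in names]


if __name__ == "__main__":
    for row in compare(["Alexander", "O'Brien", "Charmaine", "Li Wei", "x' OR 1=1 --"]):
        print(row)
```

Classic ASP offers the same binding through ADODB.Command and its Parameters collection, which removes the need to filter keywords out of user input at all.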
There is also an upload vulnerability. I looked at the ASP code of the upload handling page, and it is not sound at all:[code]<%
set upload=new upload_5xSoft
set file=upload.file("file1")
formPath="../../photo/work/"
' the check below only runs for files larger than 1000 bytes
if file.filesize>1000 then
  ' only the last three characters of the name are compared
  fileExt=lcase(right(file.filename,3))
  if fileExt="asp" then
    ' a message is written, but there is no Response.End, so processing continues
    Response.Write"文件类型非法"
  end if
end if
randomize
ranNum=int(9000000*rnd)+10000