Blog intrusion is too simple! Everyone should pay attention!
Vulnerability 1: Database download vulnerability
Step 1: Search for the target
Open a search engine and search for "Pragram by Dlog". This finds many blog pages that were created with the "Dlog ruined version". The pages we are looking for run version 1.2, which has a database download ("blast library") vulnerability. Many users overlook the security of the online editor database embedded in this version, which allows attackers to download it from its default path.
Step 2: Get the administrator password
Choose an attack target from the search results list: http://s*./blog/. Open this address in a browser, append eWebEditor/db/e/ and press Enter to download the database.
Open this database and you can see the administrator's username and password in the "eWebEditor_system" column of the database. Since the passwords are all hashed with MD5, the password can be recovered in anywhere from minutes to days with an MD5 brute-force cracker. However, experience shows that if this database can be downloaded at all, the administrator has most likely not changed the default login password. If the MD5 password is "7a57a5a743894a0e", then the password is the default "admin". Now we can enter the eWebEditor back-end online editing page.
Step 3: Control the server
Append "eWebEditor/admin_login.asp" to the blog address to open the eWebEditor back-end online editing page. Enter the default username and password "admin" to log in to the blog's back-end management page.
Add a new blog style and return to the style management page. Find the style you just added in the style list and click the "Settings" button after the style name to put the new blog style into use.
After exiting the management page, register and log in to the blog, then write a post and choose to upload a file. At this point, we can upload the ASP * to control the entire server.
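A defender-side audit for the two conditions this section relies on, as an added example that is not part of the original post: a database file stored under the web root, and a stored hash that matches the default password. The function names and the sample directory layout are assumptions made for illustration; the 16-character hash is taken to be the middle 16 hex digits of the full MD5 digest.

```python
import hashlib
import os
import tempfile

# File types that should never be directly servable from a web root.
DB_EXTENSIONS = {".mdb", ".accdb", ".bak", ".sql"}
# Default passwords to test stored hashes against (the page names "admin").
DEFAULT_PASSWORDS = ["admin"]


def md5_16(password: str) -> str:
    """16-character MD5 form: the middle 16 hex digits of the full digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def is_default_credential(stored_hash: str) -> bool:
    """True if a stored 16- or 32-character MD5 matches a default password."""
    h = stored_hash.strip().lower()
    for pw in DEFAULT_PASSWORDS:
        full = hashlib.md5(pw.encode("utf-8")).hexdigest()
        if h in (full, md5_16(pw)):
            return True
    return False


def find_exposed_databases(webroot: str) -> list:
    """Return web-relative paths of database files stored under the web root."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in DB_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed sample layout (file names are made up for this example)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "eWebEditor", "db"))
    for rel in ("index.asp", "eWebEditor/db/sample.mdb"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder")
    return root


if __name__ == "__main__":
    print(find_exposed_databases(build_sample_webroot()))
    print(is_default_credential("7a57a5a743894a0e"))
```

Any path this reports should be moved outside the web root or blocked at the web server, and any account it flags should have its password changed.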
Vulnerability 2: File upload vulnerability
Step 1: Search for blogs with vulnerabilities
After finding a target, you must first test whether the blog administrator has deleted the upload page program file. A user with some security awareness may have deleted the default upload page file, in which case this will not work.
We select "http:///workingbird" and add "/" to the address and press Enter. If the prompt message is "Microsoft VBScript runtime error error '800a01b6'", it means that there is a file upload vulnerability in the blog website.
Step 2: Launch the attack
Run the "Website Upload Utilization Tool", enter the address of the upload file in "Submit Address", and then specify in "Upload Path" the path where the * file is saved after uploading. We generally save it in the root directory of the website. Just use the default settings for "Path Field" and "File Field". Enter an image type that the blog system allows to be uploaded in "Allow Type". Next to "Local File", click "Browse" to select a local ASP *. You can choose the Ocean Top Net *.
Now click the "Submit" button to upload the *. If you see the message "1 file had been uploaded!", the file upload succeeded. Next, we can connect to the uploaded ASP * to carry the attack further, with the aim of controlling the entire website server.
Vulnerability 3: SQL injection vulnerability
Step 1: Scan the blog for injection vulnerabilities
The target is the blog "http://202.112.*.***/dlog/". SQL injection can be performed using tools (such as NBSI 2 SQL Auto Injection Attacker). Run the program, click "Website Scan" in the toolbar, enter the blog URL in "Website Address", check the "Comprehensive Scan" item, and click "Scan" to scan for all injection vulnerabilities in the blog website.
Step 2: Start the attack
Select any target in the scan result list, "http://202.112.*.***/dlog/?log_id=402", and then click "Injection Analysis" at the bottom of the interface to enter the "Injection Attack" page. Click the "Detection" button and the result shows "Like it is detected for injection vulnerability"!
It doesn't matter, we use the 1=1 detection method. Append "and 1=1" and "and 2=2" to the end of the URL in the browser address bar and compare the information returned in the two pages. Note down a string that appears in the "and 1=1" page but not in the "and 2=2" page, and enter it into the "feature string" field of the NBSI 2 interface.
Now click "Redetection" and the injection detection results soon appear. Since the database is an Access database, the program automatically guesses the table names and column names in the database. Click "Auto guess" in the window to guess possible database table names. The default table name is "user_mdb". Then use automatic guessing to obtain the column names in the table, and then the user data in the table, which yields the administrator's MD5-encrypted password. Finally, I used an MD5 password cracking tool to brute-force it, logged in to the back-end management page, and the intrusion succeeded.
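On the defending side, the `log_id` parameter above is numeric, so anything other than digits in it can be rejected and logged. An added example, not part of the original post, that applies this check to constructed access-log lines; the log format, IP addresses and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: "<client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
198.51.100.7 GET /dlog/?log_id=402 200
203.0.113.9 GET /dlog/?log_id=402%20and%201=1 200
203.0.113.9 GET /dlog/?log_id=402%20and%202=2 200
203.0.113.9 GET /dlog/eWebEditor/admin_login.asp 200
198.51.100.7 GET /dlog/?log_id=17 200
"""

NUMERIC_PARAMS = {"log_id"}              # parameters that must be integers
DIGITS = re.compile(r"[0-9]{1,9}")       # ASCII digits only, bounded length


def parse_numeric_param(value: str) -> int:
    """Strict server-side validation: accept digits only, otherwise raise."""
    if not DIGITS.fullmatch(value):
        raise ValueError("non-numeric value for numeric parameter")
    return int(value)


def suspicious_requests(log_text: str) -> dict:
    """Map client IP -> URLs whose numeric parameters fail validation."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                     # skip malformed lines
        ip, _method, url, _status = parts
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for name in NUMERIC_PARAMS & query.keys():
            for value in query[name]:
                try:
                    parse_numeric_param(value)
                except ValueError:
                    findings[ip].append(url)
    return dict(findings)


if __name__ == "__main__":
    for ip, urls in suspicious_requests(SAMPLE_LOG).items():
        print(ip, len(urls), "rejected request(s)")
```

Validation like this complements parameterised queries in the blog code and does not replace them.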
Vulnerability 4: Cookie spoofing vulnerability
Step 1: Search for the target
Search for the keyword "Powered by L-Blog" and select "http://***.*********.***/blog" as the target of attack.
Step 2: Query the cookie information
Here we need a tool that can modify cookie information. Open the program, enter the address of the blog website and log in, then view the current cookie information, which includes information such as our login username and password.
Step 3: "Deception" attack
Now we need to modify the cookie information and deceive the blog program so that it thinks the logged-in user is an administrator. At this point, you can modify the cookie information directly.
We only change the value to "menStatus=SupAdmin", keep everything else, and keep the "lock" button in the toolbar pressed. Now log out of the current user and reopen the blog homepage. It shows that we are not logged in, but we already have administrator permissions.
Postscript: Blogs provide a good battlefield for intrusion, which is also a reminder for blog owners to strengthen their security awareness.
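Why this works, and one way to close it, as an added example that is not part of the original post or L-Blog's code: a role read straight from a client cookie can be set by anyone, whereas a cookie carrying an HMAC computed with a server-side key fails verification once any field is changed. The `menName` field, the key handling and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: kept server-side only


def is_admin_trusting(cookie: dict) -> bool:
    """Vulnerable pattern described above: the role comes from the client."""
    return cookie.get("menStatus") == "SupAdmin"


def _mac(cookie: dict) -> str:
    # Canonical encoding: sorted, length-prefixed fields (signature excluded).
    parts = []
    for key in sorted(k for k in cookie if k != "sig"):
        value = str(cookie[key])
        parts.append(f"{len(key)}:{key}{len(value)}:{value}")
    msg = "".join(parts).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(username: str, status: str) -> dict:
    """Server issues the cookie after login and signs every field."""
    cookie = {"menName": username, "menStatus": status}  # menName: hypothetical
    cookie["sig"] = _mac(cookie)
    return cookie


def is_admin_verified(cookie: dict) -> bool:
    """Hardened check: reject the cookie unless its MAC verifies."""
    sig = str(cookie.get("sig", "")).encode("utf-8")
    if not hmac.compare_digest(sig, _mac(cookie).encode("utf-8")):
        return False
    return cookie.get("menStatus") == "SupAdmin"


def tampered_copy(cookie: dict) -> dict:
    """Constructed test input: the same cookie with the role field edited."""
    edited = dict(cookie)
    edited["menStatus"] = "SupAdmin"
    return edited


if __name__ == "__main__":
    edited = tampered_copy(issue_cookie("alice", "Member"))
    print(is_admin_trusting(edited), is_admin_verified(edited))
```

Keeping the role in a server-side session looked up by a random session identifier removes the field from the client entirely and is the other common fix.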
Miss my wife, hey...