Understand the vulnerabilities of video servers through intrusion examples
Author: Eve Cole
Update Time: 2009-07-24 15:44:39
Video servers host a large number of video resources, and most of them offer online viewing and downloading. Their traffic requirements are relatively high, and the way the server itself is deployed also has some special characteristics. Let's look at the vulnerabilities a video server can expose through an intrusion example.
Looking for vulnerabilities
We pick a target. First, I scanned it with a tool, which reported no injection point. I scanned only the admin backend with Webtool, and no community program was found, so starting from the website looked impossible. Next, the security of the system itself. The IIS write permission scanner showed no IIS write vulnerability. We used Superscan to enumerate the open ports and, as shown in Figure 1, 3389 was actually open. Connecting with a remote terminal showed that the system is Windows 2003. At this point the server architecture can basically be determined: Windows 2003 + IIS 6.0 + MSSQL + ASP.
Next, I ran the extremely fast MsSQL weak password scanner with a dictionary loaded. After a few minutes it found a weak password, which gave a glimmer of hope of taking down the server. I then connected with the MsSQL connector, and the connection succeeded. Using the dir command in MsSQL's CMD, I found the Web directory and executed echo " ”>>c:”program files”viewgoodwebvodwebmediatest.asp to build a one-sentence Trojan. After disconnecting, I connected with the one-sentence client and got in successfully. Almost all files could be browsed, but many directories had no write permission. I checked the system services and ports. Because so little was installed (no Serv-u, PCAnywhere, Radmin, etc.), escalating privileges became a bit difficult.
Successful intrusion
NTpass.dll was found under c:\Inetpub. This is a file written by Goldsun that records system login passwords. The information it records is stored in %systemroot%\system32\eulagold.txt (%systemroot% refers to the system directory, which here should be c:\windows). Opening that file with the permissions just obtained showed that it had recorded the login passwords of many users, including the Guest user. I logged in over port 3389 and obtained desktop permissions.
Deployment details
This intrusion seems to owe a lot to luck, but careful analysis makes it quite valuable, especially as a lesson for users in the secure deployment of servers. Generally speaking, the following points apply:
1. Prevention of weak passwords
2. Routine detection of server files
3. User control: a video server in particular provides a web membership form, so check for abnormal membership situations.
4. Blocking ports as necessary
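Point 2 above, as an added example that is not part of the original article: a Python check that hashes a directory tree, compares it with a saved baseline, and reports new script files (such as the test.asp dropped in this intrusion) and the file names the article mentions, even when they were already present at baseline time. The function names, the finding labels and the SCRIPT_EXTS list are assumptions made for this example.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

KNOWN_ARTIFACTS = {"ntpass.dll", "eulagold.txt"}  # file names from the article
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx"}  # assumption: IIS script maps


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:  # chunked: video files are large
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            except OSError:
                digest = "unreadable"  # locked or denied; still list the path
            digests[os.path.relpath(full, root)] = digest
    return digests


def review(baseline, current):
    """Compare two snapshots; return sorted (path, finding) pairs."""
    findings = [(p, "removed") for p in baseline if p not in current]
    for path, digest in current.items():
        name = os.path.basename(path).lower()
        if name in KNOWN_ARTIFACTS:
            findings.append((path, "known-artifact"))
        elif path not in baseline:
            is_script = os.path.splitext(name)[1] in SCRIPT_EXTS
            findings.append((path, "new-script" if is_script else "new-file"))
        elif baseline[path] != digest:
            findings.append((path, "modified"))
    return sorted(findings)


if __name__ == "__main__":
    root, store = sys.argv[1], Path(sys.argv[2])  # web root, baseline JSON
    if store.exists():
        print(*review(json.loads(store.read_text()), snapshot(root)), sep="\n")
    else:
        store.write_text(json.dumps(snapshot(root)))  # first run: trusted state
```

Run it once on a known-good server to record the baseline, keep the baseline file somewhere the web and database accounts cannot write, and schedule later runs against the same path.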