dinsdag 29 januari 2013

Confidentiality dangers of defaced websites by using shells

In my previous post I explained how you might abuse the DNN hack to modify or upload files on a vulnerable web server. Many hosts, which were reported to be infected by Sejeal and HMei7, have still not taken any action as the evidence is still available. They might reconsider their lack of administration. 

Once a person in able to upload a file to your web server, he will be able to upload a "shell". Many of those shell versions are freely available on the net. eg.: shell ASP
The ASP script aspshell.asp is a simple web application that provides a shell like environment for administering Microsoft IIS web servers. Commands submitted from a web browser are executed on the web server. The output is transferred back and dumped in the browser window. 
This means that the person who can access this shell, is able to manage your complete webserver. 
He can also insert an iframe into your webpage and have a spoofed webpage shown to your customers. Maybe this page asks for personal details, login details, creditcard details, ... and next to keeping the information to itself, it will send the output also to your web server back so nobody gets suspicious.
The scenarios you could build with this idea don't have a limit. 

Sysadmins should monitor their servers and act asap. Otherwise they are playing with the confidentiality of their customers.

NOTE: All this for educational purpose. I am not responsibility for any kind of problems which you cause in careless usage.

Geen opmerkingen:

Een reactie plaatsen