General idea using WebShell breakthroughs in virtual host permission settings

xiaoxiao2021-03-06  40

By: rain [918x]
http://www.918x.com

The development of injection attacks has provided fertile ground for research into WebShells. Upload vulnerabilities in ASP systems, especially the widely exploited DVBBS upload vulnerability, lead to a WebShell. Downloading the default database or a backup database and then obtaining a WebShell through the back-end database backup function is also a very important means of intrusion, especially given the settings of the DVBBS database.

Raising the privileges of a WebShell is a problem facing many web attack enthusiasts. Recently I have often seen people who obtained a WebShell but, because of various restrictions, could not gain higher privileges or reach their next goal. I remember an expert saying: as long as there is a WebShell, I will get administrator privileges. I am not that capable; I will just share what I have learned from my actual intrusion experience. Please point out any errors and shortcomings, and you are welcome to discuss them with me on my website (http://www.918x.com). HAK_BAN of the Years League helped with this article; my thanks to him.

The following situations are outside the scope of this article:

1. You can jump to any directory, and the directories are writable.
2. You can modify C:\Program Files\Serv-U\ServUDaemon.ini.
3. You can successfully run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps" to raise privileges.
4. You can replace relevant programs or services with similar programs that have a Trojan bound to them.

The Trojans used here are mainly the veteran's ASP management 6.0 and the auxiliary C/S ASP Trojan. (These two Trojans can be used in conjunction with the ocean.)

A general virtual host is set up like this: every partition of the system denies access to Everyone, and each website uses a separate IIS user, for example IIS_www.target.com.
(Figure: a typical virtual host setting)

This user is a member of the Guests group and has very low permissions: it can access only one specific folder. As a result we cannot jump out of the website directory and can only access the folder where this website is located.

I want to emphasize, however, that although Everyone access to the C drive is prohibited, most folders on the system's C drive do not inherit the restriction from the parent folder. So we can still reach C:\Documents and Settings and C:\Program Files by hand (note: type the path in manually). This is very important to the intrusion.

We may be able to access C:\Program Files\Serv-U\ServUDaemon.ini, but Serv-U is so widely used that most administrators know to set permissions on the Serv-U folder, so the file generally cannot be modified.

We can also manually access and download the *.cif files under C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere, then crack the pcAnywhere username and password and log in remotely. It may also turn out that we cannot get in, because the desktop is locked after the administrator leaves. For that case the veteran (http://www.gxgl.com) gives a solution (http://www.918x.com/showart.asp?art_id=47&cat_id=5).

If we can access C:\PHP, C:\Perl and so on, we can use a PHP or CGI WebShell.
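The point about C-drive folders not inheriting the parent's restriction can be checked from the administrator's side. The following is an added example, not part of the original article: it lists the allow entries that low-privileged identities hold on the paths the article names. The account name WEBHOST01\IIS_www.target.com is a hypothetical placeholder for the per-site IIS user.

```powershell
# Added example, not from the original article. Paths are the ones the
# article names; the per-site account below is a hypothetical placeholder.
$SiteAccount = 'WEBHOST01\IIS_www.target.com'
$LowPriv = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
             'NT AUTHORITY\Authenticated Users', $SiteAccount)
$Paths = @(
    'C:\',
    'C:\Documents and Settings',
    'C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere',
    'C:\Program Files',
    'C:\Program Files\Serv-U\ServUDaemon.ini',
    'C:\PHP',
    'C:\Perl'
)
# Rights that let a low-privileged account list/read, write or execute.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, ExecuteFile'

function Get-LowPrivAccess {
    param([string[]]$Path, [string[]]$Identity)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # path not present on this host
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Identity -notcontains $ace.IdentityReference.Value) { continue }
            $hit = [int]$ace.FileSystemRights -band $Risky
            if ($hit -eq 0) { continue }
            [pscustomobject]@{
                Path               = $p
                Identity           = $ace.IdentityReference.Value
                Rights             = [System.Security.AccessControl.FileSystemRights]$hit
                AceInherited       = $ace.IsInherited
                # True = this object has its own ACL and ignores the parent's
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

Get-LowPrivAccess -Path $Paths -Identity $LowPriv | Format-Table -AutoSize
```

A row with InheritanceBlocked set to True on a folder under C:\ is the situation the article describes: the folder carries its own ACL, so the restriction placed on the drive root does not reach it. Entries that grant only generic rights (inherit-only ACEs) are not decoded by this check.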

Specifically, Angel's article in "Hacker X Files" describes successfully breaking through the restriction this way, so I will not repeat it. One addition to Angel's article: if you can see C:\Program Files\Java Web Start\, you can try a JSP WebShell. I have met this once, but the permissions were not very high.

With the Trojan in place we can see that Serv-U is running and learn its absolute path, which naturally suggests privilege escalation through Serv-U. Three things are needed:

1. Uploading the overflow program.
2. A usable CMD.
3. The site's individual IIS user must have permission to run programs.

For the first point, the veteran's Trojan covers Scripting.Dictionary (data stream upload auxiliary component), ADODB.Stream (data stream upload component), SoftArtisans.FileUp (SA-FileUp file upload component), LyfUpload.UploadFile (Liu Yunfeng's file upload component) and Persits.Upload.1 (AspUpload file upload component), so uploading generally works without problems. (If it still fails, I recommend the component-less upload by LittlePigP, which can be downloaded from Hackbase.com.)

For the second point, the WScript.Shell component is very important. When we see "Access denied", we know that the host's own CMD is not allowed to be accessed, so we can upload a cmd.exe of our own to be able to use CMD. But when we see "ActiveX component can't create object", we cannot use CMD at all, and the intrusion is in trouble.

For the third point there is no way around it. The exception is a FAT partition: permissions there are low, and a program can easily be run from a FAT partition.

We often say that a hacker needs divergent thinking and should not always think along one line. The other ways of breaking through amount to making use of other content on the host. For example, some people use the configuration files of FlashFXP to obtain passwords and other basic information. We can likewise download the CuteFTP profile files and use them to replace our local files to achieve the same purpose.
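The components named above, and the two error cases around WScript.Shell and cmd.exe, can be inventoried on a server being hardened. The following is an added example, not part of the original article: it reports which of the listed ProgIDs are registered, which low-privileged identities can read each registration key, and which of them may execute the system cmd.exe. The account name WEBHOST01\IIS_www.target.com is a hypothetical placeholder.

```powershell
# Added example, not from the original article. ProgIDs are the ones the
# article lists; the per-site account is a hypothetical placeholder.
$SiteAccount = 'WEBHOST01\IIS_www.target.com'
$LowPriv = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
             'NT AUTHORITY\Authenticated Users', $SiteAccount)
$ProgIds = @('WScript.Shell', 'Scripting.Dictionary', 'ADODB.Stream',
             'SoftArtisans.FileUp', 'LyfUpload.UploadFile', 'Persits.Upload.1')

function Get-ComponentExposure {
    param([string[]]$ProgId, [string[]]$Identity)
    $query = [int][System.Security.AccessControl.RegistryRights]::QueryValues
    foreach ($id in $ProgId) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id"
        $registered = Test-Path -LiteralPath $key
        $readers = @()
        if ($registered) {
            # Low-privileged identities allowed to read the registration key
            $readers = @((Get-Acl -LiteralPath $key).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Identity -contains $_.IdentityReference.Value -and
                ([int]$_.RegistryRights -band $query) -ne 0
            } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
        }
        [pscustomobject]@{
            ProgId     = $id
            Registered = $registered
            ReadableBy = $readers -join ', '
        }
    }
}

function Get-CmdExecutors {
    param([string[]]$Identity)
    $exec = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $cmd  = Join-Path $env:SystemRoot 'System32\cmd.exe'
    (Get-Acl -LiteralPath $cmd).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Identity -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $exec) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
}

Get-ComponentExposure -ProgId $ProgIds -Identity $LowPriv | Format-Table -AutoSize
"cmd.exe executable by: " + ((Get-CmdExecutors -Identity $LowPriv) -join ', ')
```

Version-specific ProgIDs such as WScript.Shell.1 and entries that grant only generic rights are not covered by this check.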
Now let us talk again about the method of "raising the ASP Trojan to the highest privileges". In general, even when CMD can be used and the server supports FSO, we have no permission to access C:\Inetpub\, so we naturally cannot use "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps" to raise privileges.

When reprinting, please cite the original address: https://www.9cbs.com/read-60261.html
