Text / Figures: II (Still). Reprinted from http://www.xiutai.com/. A good article, reprinted here; it was published in the X File magazine. The author once worked as a sales agent for a hosting provider, mainly responsible for selling hosting space. The hosting operator was very confident in his own servers, saying that an ordinary person could not break into them, and that even if a WebShell were uploaded to one virtual host it would not affect customers in other virtual directories, meaning there was no cross-site intrusion. I just said "oh". Having nothing to do today, let's take a look at how secure your server really is. Anyway, I am just an ordinary person, and I don't mind if I can't break in. ^_^

First, gather server information and plan the intrusion. First see what services he has open: bring out Scanner, set the port range to 1-6000, clear the time field, and scan him (Figure 1). I see only web, FTP and MySQL are open; the last one, port 5921, I didn't recognize. The web server is IIS 5.0, so it should be Windows 2000 with SP4. Never mind, try MySQL first and see whether there is a weakness. Bring out Nongfu's MySQL connection tool, enter the IP 61.xx.xxx.xxx, user root, empty password, and click the connect button. As I expected, the connection failed. Telnetting to MySQL I couldn't tell what version it was, but the hosting operator said it is the latest version with no overflow, and most likely a strong password has been set, so brute-forcing is useless. So MySQL is not the way in. Serv-U is also the latest version with no overflow, and even if there were one you would still need an FTP user and password. IIS goes without saying: the patches are applied, so there is no WebDAV overflow.
Actually, there is another way: build a dictionary of usernames and passwords and load it into X-Scan or another scanning tool for large-scale FTP weak-password scanning. But I know his server has only just been set up and doesn't have many customers yet, so this would be looking for a needle in the ocean, and I won't bother with such hopeless work. The most realistic approach is to get a WebShell on one virtual host on the server and then escalate privileges.

Second, the "difficult" situation after getting a WebShell. First look at how many domains are bound on his server, then find a site with an injection flaw and upload a WebShell.
In this case, bring out Guilin Veteran's virtual-host site query tool, enter the server's IP, then click the "Query domain names" button. After a while the result comes out (see Figure 2): whoa, 8 international domain names. It seems the second-level domain names of trial space are not shown. Take them and check one by one, so I open each web page. Look at this one: it uses DVBBS 7.0, with not even SP2 applied. Never mind, hehe, it looks like a hosting customer testing the space who casually uploaded a DVBBS. See whether he changed the default user and password: enter admin, password admin888, then log in. Haha, I didn't expect to get in. Look at the back-end password change: enter http://www.xxxxx.com/bbs/admin_index.asp, user admin, password admin888, finally enter the verification code and click Login. Unexpectedly it failed badly (as shown in Figure 3); maybe the admin back-end password was changed, or the admin user's administrator privilege was removed. It seems the WebShell has to be obtained through a DVBBS vulnerability. He didn't apply SP2, so those well-known DVBBS bugs should still be there. For convenience I use the DVBBS upload vulnerability to upload a WebShell; here I use Guilin Veteran's exploit tool. In the submission address fill in the address of the Upfile.asp file, generally /upfile.asp; the default uploaded file name can be changed. If the server is IIS 5.0, select protocol version "http/1.0"; if it is IIS 6.0, choose "http/1.1". Click "Browse" to pick the file you want to upload, leave the rest unchanged, then click the upload button. Haha, it really succeeded (Figure 4). But it is too early to celebrate: in the WebShell there is no command execution. Is it not supported?
Impossible: the forum works, so how can FSO not be supported? It seems the permissions are configured very strictly. This WebShell has too few features, so I upload an Ocean ASP trojan to have a look. Uploading... it went up, but the FSO page shows no reaction. Not only that, on the FSO support page I can't even see this directory (as shown in Figure 5); drives C, D and E are all hidden. I really began to doubt whether the space supports the FSO component at all. Forget cross-site intrusion; even changing my own things in my own virtual directory looks hopeless (because you can't see the files and paths in the directory). All I can say is that the hosting operator is really strict; to be honest, servers like this are really rare in China.
What now? I felt a bit unwilling to give up, so should I continue penetrating? How? It was nearly 12 o'clock, and the school cuts power to the dormitory at 12, so I could only keep one light on, and I didn't want to burn out the CPU. Better wait until tomorrow; so the computer went to sleep, and I had a good dream that night, dreaming that I had the highest privilege on the server ^_^. So in the morning I felt very confident that I could break through the permissions. First open QQ: in a QQ group I received an ASP trojan, which turned out to be ASP Webmaster Assistant 6.0, also Guilin Veteran's work. Since the Ocean ASP trojan didn't work yesterday, ASP Webmaster Assistant 6.0 might do a bit better, so I uploaded it to give it a try. I didn't expect it to be better than the Ocean ASP trojan, but at least I could see the files and directories in this directory. Try deleting a file in this virtual directory to check the permissions (as shown in Figure 6): really dizzying, nothing can be deleted. After testing I found I could only add and modify files, and only inside my own virtual directory. For example, the virtual directory I am in is E:/Web/AAA; I can only access files in the AAA directory and have no permission even on the Web directory. Not only that, there is no execute permission in my own virtual directory, which means files uploaded through the WebShell cannot be executed, so even a local overflow program uploaded to my own virtual directory cannot run.
Third, finding the breakthrough point. I did not expect the IIS permissions to be configured like this. Now the only way is to find a directory that both allows execution and allows writing files, but with permissions configured this way that is very hard; maybe there is none. Generally, though, C:/Winnt can be entered and the directories and files inside browsed, because IIS 5.0's Internet Guest account normally belongs to Guests, and the Winnt directory gives Guests permission to read, run, and list folder contents, but not to write. If the Winnt directory did not grant such permissions, the system could not run normally. So the breakthrough point may be found in C:/Winnt, that is, there may be a writable directory there. First try reading files: enter "C:/Winnt" in the "address bar" of ASP Webmaster Assistant, and files and folders can be browsed, though files cannot be written. Now find a directory that is both writable and executable, then upload a local overflow program and run the local overflow to get administrator privileges.
But there are so many folders in the Winnt directory; how to find it? Check them one by one? And what to look for? After a while I suddenly thought of the IIS folder, that is, the C:/WinNT/System32/InetSrv directory. Might there be such a directory there? Because IIS's Internet Guest account is likely to call or load some files in the inetsrv directory, and that requires write permission, I immediately entered the C:/Winnt/System32/Inetsrv directory and found a Data directory. So I tried creating a file inside: click "New Text" on the left of ASP Webmaster Assistant and just create a file. Haha, I didn't expect it to really succeed (as shown in Figure 8); I created the text file serv.txt inside. So it is writable; I don't know whether it allows execution, so I uploaded cmd.exe to the C:/WinNT/System32/InetSrv/Data directory, then clicked the "Command line module", and in "Shell path:" at the bottom filled in C:/Winnt/System32/inetsrv/data/cmd.exe, because I had uploaded a cmd.exe into the Data directory, so the cmd.exe under Data is the one that runs, while C:/Winnt/System32/cmd.exe has no execute permission (the strict hosting operator removed the Guest user's permission on it). In the "execute" field I entered the ipconfig /all command, mainly to see whether it can be executed at all (Figure 9). Haha, really successful; suddenly the dawn of victory appeared before my eyes ^_^.

Fourth, privilege escalation. Now a bug must be used to escalate privileges, but I heard from the hosting operator that the local overflow vulnerabilities of SP4 have all been patched and even some new things added, so there is no need to try those, and social engineering is also unnecessary. Right, try the Serv-U local privilege escalation; it should work, because I heard the Serv-U 5.2 local user and password still haven't changed, so there should still be such a vulnerability.
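The breakthrough above relied on one misconfiguration: a directory under the IIS installation that the anonymous web account could both write to and execute from. The audit below is an added example, not code from the original article, written from the administrator's side for a current Windows host with PowerShell 5 or later; the root paths and the list of low-privilege principal patterns are assumptions to adjust per server.

```powershell
# Added example (not from the original article): report directories where a low-privileged web
# identity holds both write and execute rights, the condition abused via inetsrv\Data above.
# Assumed principal patterns: adjust to the accounts your IIS version actually runs as.
$LowPrivPatterns = @(
    'BUILTIN\Guests', 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\IUSR', '*\IUSR_*',   # IIS 5/6 anonymous account is IUSR_<MACHINE>
    'IIS APPPOOL\*'                    # IIS 7+ application pool identities
)
$FSR       = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl)
$ExecMask  = [int]($FSR::ExecuteFile -bor $FSR::ReadAndExecute -bor $FSR::FullControl)

function Test-LowPrivPrincipal([string]$Name) {
    foreach ($p in $LowPrivPatterns) { if ($Name -like $p) { return $true } }
    return $false
}

# Emits one object per directory where some low-privileged principal has both write and execute.
# Only Allow ACEs are evaluated; a Deny ACE would override them, so treat hits as candidates to review.
function Find-WritableExecutableDirs {
    param([string[]]$Roots = @("$env:SystemRoot\System32\inetsrv", 'C:\inetpub'))   # assumed roots
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            $writers = @(); $execers = @()
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                $who = $rule.IdentityReference.Value
                if (-not (Test-LowPrivPrincipal $who)) { continue }
                $rights = [int]$rule.FileSystemRights
                if ($rights -band $WriteMask) { $writers += $who }
                if ($rights -band $ExecMask)  { $execers += $who }
            }
            $both = $writers | Where-Object { $execers -contains $_ } | Sort-Object -Unique
            if ($both) { [pscustomobject]@{ Path = $dir.FullName; WriteAndExecute = ($both -join ', ') } }
        }
    }
}

# Remediation for a hit: a directory the web identity must write to (uploads, data) should not also
# be executable by it, and only the intended directory should be writable at all, for example:
#   icacls <path> /remove:g "<principal>"               # drop the over-broad grant
#   icacls <path> /grant:r "<principal>:(OI)(CI)(R,W)"  # read/write without execute, if writes are required
Find-WritableExecutableDirs | Format-Table -AutoSize
```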
OK, no more nonsense, try it: use ASP Webmaster Assistant to upload the Serv-U overflow program into the Data directory, then run the overflow. The command is: Serv-u "command to be executed". For example, I want to create a user yibing, so I enter Serv-U "net user yibing /add". Heh, I didn't expect the overflow to really work; I really couldn't believe the latest Serv-U program still has such a bug. Now look at the terminal services port: upload mport.exe and find that port 5921 is the terminal services port. Due to space limits, no more screenshots for these. Then connect to the terminal, and after entering the administrator user's desktop I created a TXT file, wrote a few words, and called it a day.