Serv-U.php: a firefly's warning in the dark (Black Bar Safety Net)

Anonymous (佚名), www.myhack58.com (MYHACK58:6220055112)
Dec 05, 2005

These days have been rather boring, with nothing to do, and a friend happened to have just set up a new website and asked me to take a look and test its security.
I first looked at the site's structure and layout. Overall it felt like a whole-site package, and a finer analysis suggested it might be FreePower 3.6, which is still relatively immature. There is also a forum running LeadBBS. "Know your enemy": check this first, and start now!
Tip: information gathering before an intrusion is very important; it helps you decide the course of the intrusion and your approach.
Pinging the target website gave its IP. Opening that IP in IE showed a different page, so I guessed it was a virtual host. Querying the IP at http://whois.webhosting.info showed 78 domain names bound to it. Wow, that's a lot. Most of the other sites are ASP sites, with a small number in PHP. I had thought of going through the other sites for a cross-site attack, but as a newbie my level isn't there and my foundations aren't strong, so no way: time for a change of ideas.
First on the site to find this connection:
http://www.xxxxx.com/Article_Show.asp?ArticleID=7
It felt like there was a problem: adding a semicolon displayed an error page, while replacing it with a dot displayed the page normally, which indicated a likely SQL injection vulnerability, so I used a tool to inject. I opened NBSI2 and filled in the address of the injectable page; it reported that no injection vulnerability was detected for now. I then ran the detection again with the ID set to character type, and it reported a vulnerability found.
Next I cracked the username and the MD5-hashed password; running the MD5 hash through a cracker gave the password kignpl.
Since the homepage had a ready-made back-office management address, I was saved the trouble of looking for it. After going straight into the admin backend I started uploading my ASP Trojan, carefully sifting through each function. The file upload manager could not be used, but the article manager could. Locally I first renamed the Haiyang 2005 ASP Trojan to a GIF file, then uploaded it through the article manager. After the upload succeeded I was told the file's relative address was "uploadfiles/2005-2/2005217193345303.gif". But how do I turn it into an ASP file? This newbie was stuck and depressed! Suddenly I remembered the method Yu Yi introduced in Hacker Defense (黑防) of using database backup and restore to deal with DVBBS not allowing ASP uploads. Just right for me! I immediately found the database management section and restored my uploaded GIF file as an ASP file.
The Trojan address is http://www.xxxxx.com/database/8.asp. Finally a little sense of accomplishment, heh. I immediately logged into my lovely ASP Trojan, got a WebShell, and took a rough look at the host information: IIS 6.0, Windows Server 2003, with FSO supported. I was delighted (you know, it was my first time too!).
Tip: FSO (File System Object) is one of Microsoft ASP's file-operation components. It can read, create, modify and delete directories and files on the server, and is a very useful component in ASP programming.
I originally wanted to stop there, but seeing in the magazine how others escalated their privileges, I went along for the ride. Browsing around in the WebShell for a while, I found that when I browsed the site's C drive, permission restrictions had in fact been applied.
I hadn't expected that the host had only 3 disks; I couldn't browse the root directory, was confined to the website's main directory, and couldn't jump upward either. The administrator had also disabled WSH. Since I was the Internet Guest account with only user permissions, I held on to a glimmer of hope and tried CMD, but it could not be executed. It seemed the administrator had also made Cmd.exe inaccessible. No CMD, no WSH, and no execute permission on the directory. How am I supposed to get anywhere?
In a depressed mood I tried uploading again, thinking: if you won't let me use CMD, I'll bring my own! Still failed! I renamed the local Cmd.exe to 1.gif and uploaded it: no. Changed it to an HTM file: same, no! So it seems that no program can run at all! I really wanted to give up: I couldn't write files, couldn't read files outside the website directory, the methods of earlier masters were dead ends, a reverse connection was useless, let alone Trojans.
By the way, I hadn't checked the ports yet! I quickly ran SuperScan against the ports, and the result left this newbie in despair: only ports 21 and 389 were open, so presumably there is a firewall or TCP/IP filtering on the other side. I'm not familiar with port 389; 21 is the FTP service's default port. Connect and look at the banner? Maybe it's Serv-U?

Judging from the returned information, although the FTP server's banner had been modified, from the sentence "User name okay, need password" I could venture a guess that it was Serv-U! Although I still didn't know the version, this might be the more promising route to success, so try it!
After careful thought, there were two ideas open at this moment. The first was to penetrate through the other sites on the IP; I didn't believe all 77 virtual hosts were that extreme, and some should have somewhat larger user permissions. But that's easy to say and hard to do: hacking every one of them all over again would leave me with two panda eyes by the next day. The second was Serv-U: isn't port 21 open? So I picked up my predecessors' remote overflow attack weapons and bombarded it with each in turn, but port 21 was rock solid. Despair...
Going back and thinking again: doesn't the server support PHP scripts? There are PHP websites on this IP. Although my permissions are tiny, they aren't nothing: EXE uploads won't work, but a PHP file might actually be parsed properly! I quickly uploaded a PHP Trojan; unfortunately the PHP Trojan's permissions were also very low, with hardly any useful permissions, the same as the ASP Trojan. But this gave me an idea: if there were a PHP script that implements Serv-U local privilege escalation, wouldn't that succeed? Say it and do it. I don't know the PHP language, so writing it myself would be the death of me. I searched online and unfortunately found nothing suitable. Later I mentioned the idea to Yu Yi, and he said he happened to have just such a script. I got it and looked at the description: isn't this exactly what I want? Haha, looks like that's the trick.
I hurried to upload it to the Web directory at http://www.xxxxx.com/database/servu.php (here I renamed it to Servu.php) and ran it directly in IE.

All we need is to add a super user in Serv-U! On its use: for host IP, fill in the address of the virtual host service; the host FTP management port should be modified according to the situation; the username and password to add can be modified according to your own preference, the defaults here being wofeiwo with password wrsky; the user home directory is typically C:\. The rest generally does not need to be modified.
Well, for my case I modified the IP, added the username and password, and clicked the Add button. The Serv-U local privilege escalation script is parsed and executed on the server side; it takes some time and is a little slow. Once IE's progress bar had finished it had executed successfully, adding a Serv-U user admim with password admim whose permissions are System. The command execution is echoed back in a block; seeing the following echo basically means it ran successfully:
220 Serv-U FTP Server v5.2 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
230-Switching to SYSTEM MAINTENANCE mode.
230 Version=1
900-Type=Status
900 Server=Online
900-Type=License
900-DaysLeft=0

900 MinorVersion=0
200-User=admim
200 User settings saved

Note that since I had no way to check whether the firewall actually exposed the host's real management port, I simply assumed the local Serv-U management port had not been modified: a bit of a gamble. Ha ha! Success! It's Serv-U 5.2; the version is shown right there in the link! The result was a lucky hit!
Now the situation was clear: log in directly over FTP, change directory to system32, then execute the following command to add the user "mdj": quote site exec net.exe user mdj 123456 /add
What's going on? It told me the execution failed:
ftp> quote site exec net.exe user mdj 123456 /add
501 Cannot EXEC command line (error=0)
After a moment's thought: since it is net.exe that is rejected, the administrator may have set access restrictions on the net file, just as the cmd test showed. So I uploaded net.exe renamed to 200.exe and then executed the add-admin-user command.
The command executed successfully! That means I have System Administrator permissions! You can use Serv-U for remote management, upload AV-evading Trojans, and so on. Everyone here is an expert, so this newbie won't waste more words, and the penetration ends here.
Serv-U.php is a local privilege escalation tool that works universally across Serv-U versions. I still only had small user permissions, so clearly it played a crucial role in this penetration. Now, if the server had allowed programs to execute, a single uploaded EXE for elevating Serv-U permissions would have done it all! But if in a web test you meet the same or a similar situation as mine, you may wish to try this script; there will be surprises! Finally, thanks to brother Yu Yi for his great support!
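For a defender reviewing FTP session transcripts, the sequence the article walks through (entering Serv-U's SYSTEM MAINTENANCE mode, a new user appearing, then SITE EXEC of a renamed net.exe) is a recognizable pattern. The following is an added example written for this page, not code from the article or from Serv-U: a small stateful scanner run over a constructed transcript modelled on the replies quoted above (the success reply for SITE EXEC is a constructed placeholder).

```python
import re
from typing import List, Tuple

# Constructed sample transcript (commands as sent, replies as received),
# modelled on the Serv-U replies quoted in the article; not a real log.
SAMPLE_SESSION = [
    "220 Serv-U FTP Server v5.2 for WinSock ready...",
    "230 User logged in, proceed.",
    "230-Switching to SYSTEM MAINTENANCE mode.",
    "200-User=admim",
    "200 User settings saved",
    "230 User logged in, proceed.",
    "SITE EXEC net.exe user mdj 123456 /add",
    "501 Cannot EXEC command line (error=0)",
    "SITE EXEC 200.exe user mdj 123456 /add",
    "200 EXEC command successful.",  # constructed success reply
]

SITE_EXEC = re.compile(r"^SITE\s+EXEC\s+(\S+)(.*)$", re.IGNORECASE)
NET_USER_ADD = re.compile(r"\buser\b.*\s/add\b", re.IGNORECASE)


def scan_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, reason) for each suspicious line.
    Stateful: a '200-User=' reply is only treated as account creation once
    the session has entered maintenance (administration) mode."""
    findings = []
    in_maintenance = False
    pending_exec = None  # (line_no, binary) of a SITE EXEC awaiting its reply
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if "SYSTEM MAINTENANCE mode" in line:
            in_maintenance = True
            findings.append((n, "medium", "session entered Serv-U maintenance mode"))
            continue
        if in_maintenance and line.startswith("200-User="):
            findings.append((n, "high", f"account created via maintenance mode: {line[9:]}"))
            continue
        m = SITE_EXEC.match(line)
        if m:
            binary, args = m.group(1), m.group(2)
            sev, reason = "high", f"SITE EXEC requested: {binary}"
            # net.exe-style arguments under another name: the renamed-binary trick
            if NET_USER_ADD.search(args) and not binary.lower().startswith("net"):
                sev, reason = "critical", reason + " (net.exe-style 'user ... /add' args under a renamed binary)"
            findings.append((n, sev, reason))
            pending_exec = (n, binary)
            continue
        if pending_exec and line[:3].isdigit():  # reply to the pending SITE EXEC
            exec_line, binary = pending_exec
            status = "succeeded" if line.startswith("2") else "failed"
            findings.append((n, "info", f"SITE EXEC of {binary} at line {exec_line} {status}"))
            pending_exec = None
    return findings
```

Fed real Serv-U logs, only the parsing of command and reply lines would need adapting; the state machine stays the same.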