General idea of using a webshell to break through virtual host permission settings

Source: Internet
Author: User
Tags: pcanywhere
The spread of SQL injection has provided a breeding ground for webshell research. Upload vulnerabilities in ASP systems, especially the widespread dvbbs upload vulnerability, have driven the rapid development of webshells. Downloading the default database, or using the back-end database backup function to obtain a webshell, is another very important means of intrusion, especially given the dv_logs table settings in the dvbbs database, which render the MD5 protection useless.
Escalating webshell privileges has suddenly become a challenge for many web attack enthusiasts. Recently I often see people who have obtained a webshell but, due to various restrictions, cannot obtain privileges or break out of the restrictions.
Remember what a cool man said: as long as there is a webshell, I can get administrator privileges.
I am not that skilled; I am only talking about virtual host permissions based on my own intrusion experience. Please point out errors and shortcomings, and you are welcome to discuss with me on my website (http://www.918x.com). Thanks to hak_ban for help with this article.
The following intrusion situations fall outside our scope:
You can jump to any directory and write and execute files; you can modify C:/program files/Serv-U/servudaemon.ini; you can run "cscript C:/inetpub/adminscripts/adsutil.vbs get w3svc/inprocessisapiapps" to escalate privileges; you can replace related programs or services with look-alike programs bound to a Trojan.
Here the Trojan we mainly use is Veteran's ASP Admin 6.0, assisted by the C/S ASP Trojan. (These two Trojans work better together than the Ocean Trojan.)
Generally, the virtual host is set up as follows: Everyone is denied access to every partition of the system, and each website runs as a specific user, for example iis_www.target.com. The virtual host generally places this user in the Guests group with low permissions, so it can access only specific folders. As a result, you cannot move to other website directories; you can only access the folder where your own website is located.
However, although Everyone is denied access to drive C, most system subfolders of C: do not inherit that restriction from the parent folder. Therefore we can access them by typing the path in manually (note: you must add the path yourself), for example C:/Documents and Settings and C:/program files, which is very important for escalating privileges during an intrusion.
We can access C:/program files/Serv-U/servudaemon.ini, but Serv-U is widely used, and most administrators know to set permissions on the Serv-U folder so that it cannot be modified.
You can also manually access and download the C:/Documents and Settings/all users/Application Data/Symantec/pcAnywhere/*.cif files, then crack the pcAnywhere user name and password to log on remotely. We may not be able to log on while the Administrator is logged on, and the desktop will be locked after the Administrator leaves. Here Veteran (http://www.gxgl.com) provides a solution (http://www.918x.com/showart.asp?Art_id=47&cat_id=5).
If you can manually access C:/PHP, C:/perl, etc., you can use PHP or CGI webshells. In this issue, Angel's article in "xxfile" has already broken through these restrictions successfully, so I will not repeat it here.
Addendum to Angel's article: if you can see C:/program files/Java Web Start/, you can try a JSP webshell. I have met this once, but the permissions were not very high.
With the Trojan we can see that Serv-U is running and know its absolute path, so Serv-U privilege escalation naturally comes to mind. Three points are involved: 1. uploading the overflow program; 2. cmd being available; 3. the IIS user having permission to run the program. For the first point, Veteran's Trojan supports scripting.dictionary (data-stream upload auxiliary component), ADODB.Stream (data-stream upload component), SoftArtisans.FileUp (SA-FileUp upload component), LyfUpload.UploadFile (Liu Yunfeng upload component) and Persits.Upload.1 (AspUpload component), so uploading is generally no problem. (If not, I recommend littlepigp's component-free upload, and hackbase.com's upload.) For the second point, the wscript.Shell component is very important: when we see "Access is denied.", it means the other side does not allow us to use cmd, and we can upload cmd.exe to achieve our goal of using cmd. However, when we see "ActiveX component can't create object", it means we cannot use cmd at all, and the intrusion is in trouble. For the third point there is basically no way around it. The exception is FAT partitions: their permissions are weaker, so programs can easily be run from a FAT partition.
We often say that hackers need divergent thinking and must not get stuck. Other breakthrough methods rely on other content on the host. For example, someone used the FlashFXP configuration file to obtain basic password information. We can also download the CuteFTP configuration file and replace the local one with it.
Let me say a little about the method of "escalating ASP Trojan permissions to the highest level". Generally, even when we can use cmd and the server supports FSO, we do not have permission to access C:/inetpub/, so we naturally cannot use "cscript C:/inetpub/adminscripts/adsutil.vbs get w3svc/inprocessisapiapps" to escalate privileges.


If permissions are set too strictly, the only common method is to write bat, vbs or other Trojans into "C:/Documents and Settings/all users/Start Menu/Programs/Startup". When the host is restarted, or a DDoS forces it to restart, the privilege is escalated.
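As an added defensive check, not part of the original article: a PowerShell audit that lists the folders named above (plus every top-level folder of the drive) where Everyone, Users, Guests or the IIS anonymous account hold Allow-Write rights, which is exactly the inheritance gap the article relies on. The account name IUSR_WWW and the paths are assumptions; adjust them to the host being audited.

```powershell
# Added audit example (not from the original article). Lists folders where the
# low-privilege identities still hold Allow-Write rights, i.e. the subfolders
# that did not inherit the deny on the drive root. $WebUser is an assumed name.
param(
    [string]$WebUser = 'IUSR_WWW',   # assumed placeholder; use the site's real IIS account
    [string]$Root    = 'C:\'
)

# Identities that should never be able to write under system folders.
$Watch = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests', $WebUser)

# Paths the article names as commonly reachable from a webshell.
$Sensitive = @(
    'C:\Documents and Settings',
    'C:\Program Files',
    'C:\Program Files\Serv-U',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'
)

function Test-WeakAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Watch -notcontains $who) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Any of the Write bits (WriteData, AppendData, ...) granted to these
        # identities is the gap that lets a webshell drop files or edit configs here.
        $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false = explicit ACE, not inherited from the root
            }
        }
    }
}

# Audit the named paths plus every top-level folder of the drive.
$topLevel = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    Select-Object -ExpandProperty FullName

($Sensitive + $topLevel) | Sort-Object -Unique |
    ForEach-Object { Test-WeakAcl $_ } |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Any row the script prints is a folder where the root deny is not in effect; the fix is to re-enable inheritance or add an explicit deny for those identities, and to confirm the Startup and Serv-U folders in particular produce no rows.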
Some virtual host settings are unusual. For example, some hosts allow uploading but not modification or deletion; some hosts rename their program files to unusual names; some Serv-U servers run as a user in the Guests group. Some servers are amazing in their anti-virus setup: Trojans that have been re-encrypted N times still cannot escape, and the strictness is taken to the extreme.
There is no absolutely secure software system, so I believe there is no absolutely secure virtual host. Luck is a small part; your thinking is what really matters. Why can some webshell experts not escalate privileges? In my opinion the key is actually a divergent way of thinking, not technology.
I hope you will give me your comments. Rain [918x] is the first!
