Penetration into the official website

Source: Internet
Author: User

This article only shares an approach; it is not written to show off ~

Www.tvxqlover.com

The story goes that one day a good friend suddenly wanted to deface a TVXQ (Dong Bang Shin Ki) fan page to mourn an old romance that ended with him being dumped...
So he first collected information about the website. The server is at an American IDC: Windows 2003, IIS 6.0, with more than 90 websites hosted on it. The target site itself is a Discuz (DZ) 6.0 forum. The known Discuz exploits had already been tried without success.
The friend then found a neighbouring site on the same server that supported ASPX, got into that site's admin backend, and I obtained a webshell through eWebEditor. So our privilege escalation against a Xingwai (星外) host began ~

The neighbouring site supports ASP, PHP and ASPX.
Directory permissions and component configuration are locked down very tightly, so the webshell runs with very low privileges. This is typical for IDC hosts.
The website directory is readable and writable. Temp is readable and writable but has no execute permission. The wscript.shell component is disabled.


Next, we will sort out the information of the site:

1. The server is known to be built with Xingwai, probably a fairly recent version, and permissions are locked down tightly. DOS commands cannot be executed (no directory with execute permission has been found yet).
2. The usable components are essentially all disabled; ASPXSpy is completely useless. Using the permission-scanning function of the ASP webshell, I scanned the directories quickly: only the Temp directory is readable and writable, and it has no execute permission.
3. The server has 3389 (RDP) enabled. In other words, under normal circumstances you only need to add an administrative account to get 3389 access to the server.
4. MSSQL and MySQL are both installed on the server.

Next, the privilege escalation process. On a Windows 2003 server you can try C:\windows\repair\ to see whether the SAM and system files that the system backs up automatically can be downloaded to your local machine and the passwords cracked. On IDC hosts, however, this generally does not work.

If the C:\Program Files directory is readable, you can check which software is installed on the server; perhaps one of those programs can be used to escalate privileges, such as 360 ~

When server permissions are locked down this tightly, you can try reading the registry directly to find the installation path of each piece of server software. The webshell I used has this function.

Through the registry I read the path of a Xingwai information-filtering directory, which was writable and executable, but that turned out to be useless: I could only use dir to browse the C drive and look at some server information. Server management tools such as Xingwai usually apply patches automatically, so even if you have execute permission, exploits and the like will still fail unless you have a 0day.

By reading the registry I found the FlashFXP directory, went in and downloaded sites.dat, replaced the copy on my local machine with it, and recovered three passwords. I tried them against the server's 3389; all of them were wrong.

I kept reading the registry and obtained the path information for every site on the server. The path of the target site is e:\freehost\tvxqlover*****\web\, and then I found the MySQL path. Since the target site is a Discuz forum, it almost certainly uses MySQL. So the idea at that point was to download the target site's database files directly and crack the admin password, rather than attacking the server itself.

When I found the MySQL directory I passed the information to my friend, and we divided the work: I would crack the admin account of the target site, and he would crack the root password straight from the MySQL user table and then try UDF.

There was a problem downloading the target site's database files: files of a few KB downloaded fine, but once a database file was more than a dozen KB the download prompt would not open. So I copied the database files into the site's web root through the webshell and downloaded them from there.

While I was still downloading, he had already cracked the root password and went straight to UDF privilege escalation... I have to say ~ against IDC hosts, the success rate of UDF is still very high once you have the root password ~

After that, a user was added through UDF, we logged in over 3389, and the page went up.

The one central idea here: if you run into an IDC host whose permissions are locked down tightly, try reading the registry directly to find a usable directory.
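Everything the write-up relied on at the filesystem level is an ACL finding a host owner can audit: a Temp directory that is writable (and, on other hosts, executable) by the web identity, readable SAM/system backups under C:\Windows\repair, and a readable install directory for an FTP client with saved credentials. The following PowerShell script is an added example for the defender's side and is not part of the original post or of any product named in it; the hosting root E:\freehost and the list of web identities are assumptions to adjust for your own server.

```powershell
# Added example (not from the original write-up): audit NTFS ACLs on the
# locations the article relied on, for rights granted to identities that an
# ASP/ASPX/PHP webshell on IIS would run as. Run elevated on the web server.
# The hosting root and identity list below are assumptions; adjust to your host.
$siteRoot = 'E:\freehost'   # assumed virtual-hosting root (taken from the article's path layout)

# Each entry: a path and the rights that should NOT be granted to a web identity there.
$checks = @(
    @{ Path = $siteRoot;                  Bad = @('Write', 'Modify', 'FullControl') },   # site roots: webshell drop / cross-site read
    @{ Path = "$env:SystemRoot\Temp";     Bad = @('ExecuteFile', 'Modify', 'FullControl') }, # Temp: write + execute = staging area
    @{ Path = "$env:SystemRoot\repair";   Bad = @('Read', 'FullControl') },              # SAM/system backups must not be readable
    @{ Path = $env:ProgramFiles;          Bad = @('Write', 'Modify', 'FullControl') }    # installed tools (FTP clients etc.)
)

# Identities a low-privilege IIS 6 webshell typically runs as or belongs to (assumed list).
$webIdentities = @('IUSR_', 'IIS_WPG', 'IIS_IUSRS', 'NETWORK SERVICE', 'Users', 'Everyone', 'Authenticated Users')

function Get-WebAclFindings {
    $findings = @()
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        $acl = Get-Acl -LiteralPath $c.Path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            # Only report ACEs for identities a webshell could use.
            $isWeb = $webIdentities | Where-Object { $who -like "*$_*" }
            if (-not $isWeb) { continue }
            # FileSystemRights.ToString() yields e.g. "Modify, Synchronize"; numeric
            # generic rights (e.g. 268435456) are not matched and are shown raw below.
            $rights = $ace.FileSystemRights.ToString()
            $bad = $c.Bad | Where-Object { $rights -match $_ }
            if ($bad) {
                $findings += New-Object PSObject -Property @{
                    Path     = $c.Path
                    Identity = $who
                    Rights   = $rights
                    Flagged  = ($bad -join '/')
                }
            }
        }
    }
    return $findings
}

# Usage: list every flagged ACE; an empty result means none of the audited
# paths grants the listed rights to a web identity.
Get-WebAclFindings | Format-Table Path, Identity, Rights, Flagged -AutoSize
```

Each flagged row is a candidate for `icacls` cleanup: remove execute from Temp for the web identities, make sure `C:\Windows\repair` is administrators-only, and keep FTP clients with saved site lists off production web servers altogether. The match on `Read` for the repair directory is deliberately broad, since any read right there (ReadData, ReadAndExecute, and so on) is already a finding.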
