Winwebmail Elevation of Privilege

Source: Internet
Author: User

 

Collect the default installation path of winwebmail, which is applicable to shortcuts without winwebmail in the Start-program.

 

 

C: \ winwebmail \ web. If you cannot browse, convert it to d: \ winwebmail \ web \

 

 

If no path is found, use the registry to read it.

 

 

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ WinWebMail Server \ imagepath

 

Winwebmail is a better method for Elevation of Privilege, because:

 

Quote:

 

The winwebmail directory requires the uses permission to read and write data.

If you are lucky, the Administrator may set the IIS account permissions to the users group.

You can try to write a trojan in winwebmail and execute it to check that the permission is much higher.

In addition, mysql of earlier versions will generate my. ini in % system % windows during mysql installation.

There is a root account password in it. It seems that version 4. x has this vulnerability.

The 5.x version will generate the my. ini file in the program directory without the root account password.

Try social engineering

If php is an asp php site, the general web server is iis.

Php only has the system permission under apache.

Take a look at the things under x: \ Program Files to see if there is any third-party software.

2. It seems to be installed in: c: \ winwebmail by default.

It can be used to replace the service, and management seldom cares about it.

Process name: emsvr.exe

 

After obtaining the SHELL on the server, if you can jump to the winwebmail directory and write the horse to the files in the winwebmail folder, you will enjoy the system group

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.