Winwebmail Elevation of Privilege

 

Collect the default installation path of winwebmail, which is applicable to shortcuts without winwebmail in the Start-program.

 

 

C: \ winwebmail \ web. If you cannot browse, convert it to d: \ winwebmail \ web \

 

 

If no path is found, use the registry to read it.

 

 

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ WinWebMail Server \ imagepath

 

Winwebmail is a better method for Elevation of Privilege, because:

 

Quote:

 

The winwebmail directory requires the uses permission to read and write data.

If you are lucky, the Administrator may set the IIS account permissions to the users group.

You can try to write a trojan in winwebmail and execute it to check that the permission is much higher.

In addition, mysql of earlier versions will generate my. ini in % system % windows during mysql installation.

There is a root account password in it. It seems that version 4. x has this vulnerability.

The 5.x version will generate the my. ini file in the program directory without the root account password.

Try social engineering

If php is an asp php site, the general web server is iis.

Php only has the system permission under apache.

Take a look at the things under x: \ Program Files to see if there is any third-party software.

2. It seems to be installed in: c: \ winwebmail by default.

It can be used to replace the service, and management seldom cares about it.

Process name: emsvr.exe

 

After obtaining the SHELL on the server, if you can jump to the winwebmail directory and write the horse to the files in the winwebmail folder, you will enjoy the system group