Enterer Privilege Escalation Tutorial: MSSQL Privilege Escalation from an ASP Shell

Source: Internet
Author: User

Author: enterer
Blog: www.enterer.cn
Reprinted and retained
Discuss this article with the author here: http://bbs.2cto.com/read.php?Tid=120749. Privilege escalation tutorials have been written many times already. I have previously written about MSSQL privilege escalation, but that was done from an aspx shell; this article covers a few things that were not mentioned before, and MSSQL privilege escalation from an asp shell.
I won't explain how to find the SA password. See the screenshot: the CMD command is run directly.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502KM2-0.jpg]


Okay, let's create an account and add it to the administrators group. Once that is done, is the tutorial over and everyone can wash up and sleep? Not quite. In my opinion there are two criteria for a successful privilege escalation: 1. Remote Desktop login; 2. a remote-control trojan running. During information gathering I found antivirus software on the box, so the goal here is 3389 (Remote Desktop) access.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502M3b-1.jpg]
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502M0M-2.jpg]

[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502MR7-3.jpg]


The administrator account is the default one and port 3389 has not been changed. Tragedy: the maximum number of connections has been exceeded.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502K439-4.jpg]


Running CMD commands through the shell is inconvenient, since the SA password has to be pasted in every time. Following an online tutorial, first run sc config tlntsvr start= auto (note the space after the equals sign, which sc requires).
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502G014-5.jpg]


Start telnet (net start telnet).
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502M335-6.jpg]


Log in via telnet: in CMD enter telnet followed by the IP address, then log in with the administrator account created earlier.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502I102-7.jpg]


After a successful login it is just like running CMD on your own computer. In fact, this step can already be counted as a successful privilege escalation, but I still prefer 3389.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502G302-8.jpg]



Here I use another account; the newly created account will be deleted as soon as the escalation is done.
Also, I cloned this account before logging on via telnet. I don't know why. There are many account-cloning tools available online.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502L527-9.jpg]


Use query user to view the users connected to the host, then use logoff with the session name to end a user's login. Ending it may take a while. Now we can log on to Remote Desktop.
[Screenshot: http://www.bkjia.com/uploads/allimg/131121/20502H9E-10.jpg]
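From the defender's side, the chain above (new local account, added to Administrators, Telnet service switched to auto start and started, then a logon with the new account) leaves a recognisable trail in the Windows Security and System logs. The following correlation script is an added example, not code from the original post; the event IDs are the standard Windows ones, while the record field names, host names and timestamps are constructed for this example.

```python
# Added example: correlate Windows event log records into the escalation chain described above.
# Event IDs are standard Windows IDs; the record layout and all sample values are constructed.
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample export; one dict per event
    {"time": "2013-11-21 20:50:01", "id": 4720, "host": "WEB01", "target": "backup$"},
    {"time": "2013-11-21 20:50:02", "id": 4732, "host": "WEB01", "target": "backup$", "group": "Administrators"},
    {"time": "2013-11-21 20:50:40", "id": 7040, "host": "WEB01", "service": "TlntSvr", "new_start": "auto start"},
    {"time": "2013-11-21 20:50:55", "id": 7036, "host": "WEB01", "service": "Telnet", "state": "running"},
    {"time": "2013-11-21 20:51:30", "id": 4624, "host": "WEB01", "target": "backup$", "logon_type": 2},
    {"time": "2013-11-21 09:00:00", "id": 4624, "host": "DB02", "target": "alice", "logon_type": 10},
]

def _stage(ev, new_accounts):
    """Map one event to a stage of the chain, or None if it is not relevant."""
    if ev["id"] == 4720:                       # a user account was created
        return "account_created"
    if ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
        return "added_to_admins"               # member added to the local Administrators group
    if ev["id"] == 7040 and ev.get("service", "").lower() == "tlntsvr":
        return "telnet_set_auto"               # service start type changed (sc config)
    if ev["id"] == 7036 and ev.get("service", "").lower() == "telnet" and ev.get("state") == "running":
        return "telnet_started"                # service entered the running state (net start)
    if ev["id"] == 4624 and ev.get("target") in new_accounts:
        return "new_account_logon"             # logon with an account created in the same log set
    return None

def find_escalation_chains(events, window_minutes=30, min_stages=3):
    """Return one alert per host where at least min_stages distinct stages fall within the window."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        created = {e["target"] for e in evs if e["id"] == 4720}
        stages = {}  # stage name -> time first seen on this host
        for ev in evs:
            st = _stage(ev, created)
            if st and st not in stages:
                stages[st] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if len(stages) >= min_stages:
            first, last = min(stages.values()), max(stages.values())
            if last - first <= timedelta(minutes=window_minutes):
                alerts.append({"host": host, "stages": sorted(stages, key=stages.get),
                               "accounts": sorted(created)})
    return alerts

if __name__ == "__main__":
    for alert in find_escalation_chains(SAMPLE_EVENTS):
        print(alert["host"], "->", " > ".join(alert["stages"]), "accounts:", alert["accounts"])
```

Feeding the same records with a tighter window shows how the time constraint suppresses unrelated administrative activity spread across a day.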



The server is well configured and it sits on a LAN, so there is time to penetrate further. That's the end of the tutorial. Now you can wash up and sleep (just kidding).
