A few days ago some friends in the group gave me the website www.111.com and asked whether I could break into it.
I. Footprinting
Pinging www.111.com times out, which could be a firewall or simply a policy that drops ICMP. Scanning with SuperScan then shows many open ports, so it is probably a software firewall.
II. Injection
Searching the page source for the keyword ASP turns up an injection point. Injecting with NBSI shows that the site logs on to the database as SA, so I added a user and ran commands. Haha, it seems the administrator was too careless. First I uploaded a webshell and a veteran's ASP Trojan. What follows is my usual habit: upload a webshell first, then upgrade the webshell to SYSTEM permissions; once that is done the rest of the intrusion is very convenient. I personally think this method is very good, haha.
III. Privilege Escalation
First, check which ISAPI applications run in-process (and therefore with the privileges of the IIS process itself):
cscript c:\Inetpub\adminscripts\adsutil.vbs get /w3svc/inprocessisapiapps
The output is:
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
Inprocessisapiapps : (list) (5 items)
"C:\winnt\system32\idq.dll"
"C:\winnt\system32\inetsrv\httpext.dll"
"C:\winnt\system32\inetsrv\httpodbc.dll"
"C:\winnt\system32\inetsrv\ssinc.dll"
"C:\winnt\system32\msw3prt.dll"
Add asp.dll to the list:
cscript c:\Inetpub\adminscripts\adsutil.vbs set /w3svc/inprocessisapiapps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
Then I used the ASP Trojan to add a user, and this time the command's output was displayed.
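For the defender's side of this step, here is an added audit script (my own example, not part of the original write-up, and the page itself uses no Python). It parses the adsutil.vbs output format shown above and reports any in-process ISAPI entry that is not in the stock five, which is exactly how the extra asp.dll would surface in a periodic check. The baseline paths and the sample output are constructed from the listing above; run the real adsutil.vbs command and feed its output to audit_inprocess() in practice.

```python
import re

# Baseline: the five in-process ISAPI entries the listing above shows on a stock
# IIS 5 box (normalised to lower case). asp.dll is deliberately NOT in this set.
BASELINE = {
    r"c:\winnt\system32\idq.dll",
    r"c:\winnt\system32\inetsrv\httpext.dll",
    r"c:\winnt\system32\inetsrv\httpodbc.dll",
    r"c:\winnt\system32\inetsrv\ssinc.dll",
    r"c:\winnt\system32\msw3prt.dll",
}

def parse_inprocess_list(output):
    """Return (declared_count, [paths]) from 'adsutil.vbs get /w3svc/inprocessisapiapps' output."""
    declared, paths, in_list = None, [], False
    for line in output.splitlines():
        if not in_list:
            m = re.match(r"\s*inprocessisapiapps\s*:\s*\(list\)\s*\((\d+)\s*items?\)", line, re.I)
            if m:
                declared, in_list = int(m.group(1)), True
            continue
        m = re.match(r'\s*"([^"]+)"\s*$', line)
        if not m:
            break            # first non-quoted line ends the list
        paths.append(m.group(1))
    return declared, paths

def audit_inprocess(output, baseline=BASELINE):
    """Diff the live list against the baseline; any 'added' entry is a finding."""
    declared, paths = parse_inprocess_list(output)
    norm = {p.lower() for p in paths}
    return {
        "added": sorted(norm - baseline),
        "removed": sorted(baseline - norm),
        "count_ok": declared == len(paths),   # header count vs. entries actually parsed
    }

# Constructed sample: what the list looks like after the set command above was run.
SAMPLE_AFTER = r'''Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

inprocessisapiapps              : (LIST) (6 Items)
  "C:\winnt\system32\idq.dll"
  "C:\winnt\system32\inetsrv\httpext.dll"
  "C:\winnt\system32\inetsrv\httpodbc.dll"
  "C:\winnt\system32\inetsrv\ssinc.dll"
  "C:\winnt\system32\msw3prt.dll"
  "C:\winnt\system32\inetsrv\asp.dll"
'''

if __name__ == "__main__":
    print(audit_inprocess(SAMPLE_AFTER))
```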
IV. Terminal Service
The next step is to open 3389. net start shows that the Terminal Services service is already running, but the port is not 3389. I thought the port might have been changed, but in fact it was just misleading me: checking with netstat -an showed 3389 listening. Then, from net start, I found the other party's firewall, which was the culprit. I uploaded a 20cn reverse-connection Trojan with a modified signature, used it to turn off the firewall from the GUI, and then logged on with the 3389 client. I did it this way because I knew the administrator would not be around. In this situation you could also use fpipe for port redirection, or httptunnel as described in the anti-DDoS article, though I have never tried that once; incidentally, I noticed that the anti-DDoS article is exactly the same as one on another site, and I don't know who copied whom. Haha. Another tool is desproxy (a TCP tunnel for HTTP proxies); if you are interested, try it, since it can get through an HTTP proxy. (I have never tried it myself, so don't flame me; I'm only talking about what I know!)
V. Simple backdoor
1. Changed the FSO name so that I can keep it for my own use. This is the Trojan with SYSTEM permission.
2. Put a few rootkits and a few backdoors on the server.
3. I have never liked leaving too many backdoors behind.
VI. Sniffer
1. In the TS session I ran a few sniffers. First I looked at the ArpSniffer graph: ugh, not a single intranet host. I checked another public IP address, and the whole IP segment was empty too; ugh. Haha, it seems I was doing fine anyway. I opened WebDAVScan and found that only two or three IP addresses were running websites, all very small ones. After that there was no motivation left, so I cleaned up after myself and left.