Further exploitation and Security Prevention of hzhost vm in Elevation of Privilege

Source: Internet
Author: User

1. C: There is an ftp logon record left by the hzhost host in windowsemp. Username and password
2. It uses hzhost to obtain the highest permissions of the System host.

The mssql sa password, mysql root Password, and serv-u administrator password of the hzhost host are all stored in the registry. Location in

HKEY_LOCAL_MACHINEsoftwarehzhostconfigsettingsmysqlpass
HKEY_LOCAL_MACHINEsoftwarehzhostconfigsettingsmastersvrpass

After hzhost's own encryption method, like eLVClO4tzsKBf # dee52443a3872cc159

Such a string. However, it can be restored in the hzhost background! If you get the sa password or root password, the highest permission is in sight! If w. s is disabled. Let's upload the aspx Trojan!

After an asp Trojan is uploaded. You can see the database connection string under incsconstr. asp. Connect to the database. Run

SELECT * FROM [hstlst] statement. You can see many host records

The password of h_ftppass is similar to the encrypted string of the hzhost host. That's right. The host management password is encrypted by himself! In the host management area

The plaintext password is displayed. It indicates that he restored it again. Do you understand? We first use the aspx Trojan to export the root and sa Password Encrypted strings of mysql and mssql.

We use this statement to modify the host password of another user.

UPDATE [hstlst] SET h_ftppss = 'apww3j4zmak83lhmbof9fc298b1d3d0a' WHERE h_ID = 10000471

Go back and check the host password. (Converted to plaintext at this time)

The root password is sphil_070921. Note: Due to various restrictions. The screenshot I cut may not be perfect. However, this method is absolutely feasible!

Security Solution:

Don't talk about it separately. Let's take a look at the above description.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.