Creating the 360 vulnerability from a WebShell and using it for privilege escalation on a server (attachment: 360 vulnerability exploitation tool)

Source: Internet
Author: User

To begin with, most of this post is reposted material; its main purpose is to back up the 360 vulnerability files bregdrv.sys and bregdll.dll.
Related Articles:
Reference 1: Got a WebShell on a server with strict directory permission settings. C:\progra~1\ has no access permission. Fortunately, the C:\Docume~1\AllUse~1\Documents\ directory has write and read permissions.
Ran CMD; it is a 2003 system. Ran the tasklist command to check the running programs, and 360 Security Guard is there. So I tried to check whether the 360 vulnerability that was reported a while ago is usable.
Uploaded the 360 vulnerability exploitation program and it failed! It reported that 360 is not installed.
However, by reading the registry I found that the registry driver with the 360 vulnerability has still not been uninstalled, so it is certainly usable.
PS: Although 360 has an automatic upgrade function and installs the patch automatically, the patch only takes effect after a restart. That is very dangerous for a server that is restarted once every few months!
The problem is that the C:\progra~1\ directory and its subdirectories have no access permission.
The 360 vulnerability exploitation program circulating on the Internet needs the registry operation functions exported by BREGDLL.dll in the C:\Program Files\360safe\deepscan directory (under the 360 installation directory).
I cannot access the dll file in C:\Program Files\360safe\deepscan, but I can upload bregdrv.sys and bregdll to a directory I can access.
So I extracted 360's bregdrv.sys and BREGDLL.dll files from my local machine and uploaded them to C:\Docume~1\AllUse~1\Documents\.
Now a 360 exploitation program has to be written so that it performs registry operations directly through the functions in the BREGDLL.dll we uploaded, as follows:
modBReg := LoadLibraryA('C:\Docume~1\AllUse~1\Documents\BREGDLL.dll');
if (modBReg = 0) then Exit;
InitRegEngine := GetProcAddress(modBReg, 'initregengine');
BRegDeleteKey := GetProcAddress(modBReg, 'bregdeletekey');
BRegOpenKey := GetProcAddress(modBReg, 'bregopenkey');
BRegCloseKey := GetProcAddress(modBReg, 'bregclosekey');
BRegSetValueEx := GetProcAddress(modBReg, 'bregsetvalueex');
BRegCreateKeyEx := GetProcAddress(modBReg, 'bregcreatekeyex');
BRegQueryValueEx := GetProcAddress(modBReg, 'bregqueryvalueex');
I will not go into the rest of the code; there is a lot of information on the Internet.
After compiling, upload and run. It's good. It's successful!
It should have been a shift backdoor.
Log on over 3389, shift!!!

Reference 2:
Got the shell through the uploadfile upload vulnerability and took a rough look at the server structure. Conclusion: port 3389, 143 and serv-u are open. Unfortunately, serv-u is not running. If you do not want to spend half a day looking for the SQL password, you can skip it and look at the disks: the system disk is not readable and disk D has no permission. The website and files on disk G can be viewed or touched. Prepare to use NC to rebound: upload an NC and a CMD file, go to step 2 and execute the CMD command to run the NC rebound to the local machine, step 3 run cmd -- telnet. When connected, the account cannot be added. Even after switching to Brazilian barbecue, access is denied (Churrasco.exe net user hackbase /add). The NC rebound can be skipped again.
I did not want to give up. I went back to the shell to find out what else I could use on the server and found that 360 had been installed. Recently 360 vulnerabilities have been exploited, so I uploaded a 360 vulnerability exploitation tool and executed it, and it showed that it was successful.
360 Antivirus Privilege Escalation Exploit By friddy 2010.2.2
You will get a Shift5 door!
Have not installed 360 !!
When I connected to the server I found that it had not succeeded; the vulnerability must have been patched. I checked a lot of information on the Internet and did not find a good method. This afternoon I had a whim: we could create the vulnerability for him. So I looked into how the 360 vulnerability works, found the vulnerability files bregdrv.sys and bregdll.dll, and uploaded them to the server's writable temporary system folder, C:\WINDOWS\Temp.
The vulnerability was created successfully. Running the 360 vulnerability exploitation tool in C:\WINDOWS\Temp displays the same data.
Connect to the server, shift 5 times, a cute cmd window appears, and create an account to enter the server!!!
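
Seen from the defending side, both references rest on the same conditions: the vulnerable driver is still registered after the product is gone, or copies of bregdrv.sys and bregdll.dll sit outside the 360 installation directory. The check below is an added example, not code from the original post; the inventory format, the sample hosts and the progra~1 alias mapping are assumptions, and the install path is the one reconstructed from the post.

```python
import ntpath

# File names come from the post; EXPECTED_DIR is the 360 install path as
# reconstructed from the post's garbled text (assumption).
WATCHED = {"bregdll.dll", "bregdrv.sys"}
EXPECTED_DIR = r"c:\program files\360safe\deepscan"
# Assumed 8.3 alias, as used in the post (progra~1 for Program Files).
SHORT_NAMES = {"progra~1": "program files"}


def canon(path):
    """Lower-case, normalise and expand known 8.3 components of a Windows path."""
    parts = ntpath.normpath(path).lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def triage(files, driver_images, product_installed):
    """Return sorted (finding, path) pairs for one host's inventory."""
    findings = set()
    for path in files:
        c = canon(path)
        # A watched file anywhere but the install directory is a planted copy.
        if ntpath.basename(c) in WATCHED and ntpath.dirname(c) != EXPECTED_DIR:
            findings.add(("stray-copy", path))
    for image in driver_images:
        # Driver still registered although the product was removed.
        if ntpath.basename(canon(image)) == "bregdrv.sys" and not product_installed:
            findings.add(("orphaned-driver", image))
    return sorted(findings)


# Constructed inventories (not real telemetry).
HOST_A = dict(  # product removed, driver left registered, files copied elsewhere
    files=[r"C:\Docume~1\AllUse~1\Documents\BREGDLL.dll",
           r"C:\WINDOWS\Temp\bregdrv.sys",
           r"C:\WINDOWS\system32\cmd.exe"],
    driver_images=[r"C:\Program Files\360safe\deepscan\bregdrv.sys"],
    product_installed=False,
)
HOST_B = dict(  # normal installation, referenced through the short name
    files=[r"C:\PROGRA~1\360safe\deepscan\BREGDLL.dll",
           r"C:\Program Files\360safe\deepscan\bregdrv.sys"],
    driver_images=[r"C:\Program Files\360safe\deepscan\bregdrv.sys"],
    product_installed=True,
)

if __name__ == "__main__":
    for name, host in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        print(name, triage(**host))
```

A hit on either finding is a reason to examine the host for the shift backdoor both references end with.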
 