Webshell privilege escalation: Start Menu leaks

Blog.tosec.cn

From the title, it seems that this start menu (windows system) has a major correlation with our Elevation of Privilege. Nobug32 wrote some recall information about mssql backup last time, the START item in the Start menu is also mentioned, so here we will mention another method.

I have to admit that many methods may not be so useful for you, but this may become a critical process when you need it at a certain time. If you are interested, you can continue to read it.

First, we need to know what information the Start menu contains:

1.90% installation procedure

2. system startup items

3. Others (the third one is not specifically discussed, but only for special purposes)

As mentioned above, we usually use the startup Item for Elevation of Privilege, but we still need to write some permissions. Obviously this is not a very good solution, how can we use shortcuts ?, Let's talk about the next simple case.

Third-party server software such as IIS110 and webmail has been installed on some servers. Of course, not every server is installed. After these software is installed, a shortcut will be created in the Start Menu, this shortcut seems useless to us, but we need to note that most of these third-party programs run for their own normal operation usually with EVERYOEN full control of permission j.

The shortcut cannot be opened directly in webshell. The shortcut is displayed as follows: mz

In this way, we can obtain the address of the directory with full control. This method is used because the host administrator will not set the directory as the default directory for security purposes. Of course, besides information leakage in the Start menu, you can also obtain information from the registry and temporary files.