Windows System Vulnerability Privilege Escalation

Source: Internet
Author: User
Tags: administrator password

Suppose you have already uploaded a webshell to the target server.



To view information about the target server (the screenshots of the user, network and port, and component views are not reproduced here):


Then execute the cmd command and click to execute.

From this you can see that the system's cmd.exe is not available; it may have been deleted or blocked. We need to upload a cmd.exe; note that the upload directory must be a directory that is readable, writable and executable.

We upload a cmd.exe directly to the root directory of the site.




The ASP file upload function is not available, but the server supports ASPX, so we can use the ASP webshell to create a new ASPX webshell file.


When the new file has been created, we visit this ASPX webshell file and click Execute cmd command. ASPX generally runs with relatively broad permissions, so you can execute system cmd directly.

Because the command is executed in ASPX, the web page stops responding, so use this webshell to upload a cmd.exe and then return to the original webshell to execute the command.
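The steps above leave artifacts a defender can look for: a command interpreter or other PE file dropped under the site root, and a script page that spawns processes. The following is an added example (not code from the original post); it walks a site root and reports those findings, using a constructed sample site root so it runs offline.

```python
import tempfile
from pathlib import Path

# File types IIS hands to a script engine; a new one under the site root warrants review.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}
# Command interpreters that have no business under a site root.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Substrings common to ASP/ASPX pages that execute system commands.
SHELL_MARKERS = (b"WScript.Shell", b"Process.Start", b"ProcessStartInfo")

def is_pe(path: Path) -> bool:
    """True if the file carries the 'MZ' DOS header, whatever its extension says."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def audit_webroot(root: str) -> list[tuple[str, str]]:
    """Walk a site root and return sorted (reason, relative path) findings."""
    root_path = Path(root)
    findings = []
    for p in root_path.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root_path).as_posix()
        if p.name.lower() in INTERPRETERS:
            findings.append(("command interpreter in web root", rel))
        elif is_pe(p):
            findings.append(("PE executable in web root", rel))
        if p.suffix.lower() in SCRIPT_EXTS:
            body = p.read_bytes()
            if any(m in body for m in SHELL_MARKERS):
                findings.append(("script page spawns processes", rel))
    return sorted(findings)

def build_sample() -> str:
    """Constructed sample site root (not real data) covering the cases above."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.aspx": b"<%@ Page Language=\"C#\" %><html>hello</html>",
        "upload/cmd.exe": b"MZ\x90\x00" + b"\x00" * 60,       # dropped interpreter
        "upload/logo.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # PE hiding behind .jpg
        "upload/shell.aspx": b"<% System.Diagnostics.Process.Start(\"x\"); %>",
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root
```

Point `audit_webroot` at the real document root; on IIS, the matching mitigation is to deny script execution in upload directories so a dropped .aspx or .exe cannot run from there.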




Next, check the installed system patches, since we want to exploit system vulnerabilities.





We find that many system vulnerability patches have not been installed. We can then choose an exploit tool for the vulnerability according to its number; here we use IIS6.exe for the privilege escalation. First upload IIS6.exe using the ASPX shell.



Then execute IIS6.exe.


At this step the privilege escalation has already succeeded; if you want long-term control of the target host, it is necessary to continue.

1. Modify the admin account password (not advisable: it will be noticed and affects the target host, since the admin can no longer log in)

2. Add an admin account (not advisable: easily discovered)

3. Read the admin account password (requires that the administrator account has not logged off)

4. Read the admin password hash

5. Plant a Trojan for remote control

Here is a possible solution: the system users include a system help account, which is the system's own account and is not easy to detect. We can elevate it to system permissions.




To read the administrator password, first check whether the administrator account has logged off.



The system administrator session is still running, so upload the tool and obtain the admin account password.



After obtaining the account password, connect to port 3389.
