Updated: 2025-01-19
Shulou(Shulou.com)05/31 Report--
How do you get command execution when the Pagoda panel's disable_functions setting blocks every command-execution function, and how did command execution end up unrestricted on a domain-joined server? Many newcomers are unclear about this, so the walkthrough below explains it in detail. I hope it is useful to anyone who needs it.
Test environment: Windows Server 2008 R2
IIS + Discuz 3.2X site built with Pagoda
Upload the shell manually
Connect with Behinder (Ice Scorpion)
(PS: if Behinder reports that the file exists but the key cannot be obtained, the fix is to use the latest version of Behinder. See the update log for details.)
Download address: https://github.com/rebeyond/Behinder/releases/
After connecting to the shell, I found that commands could not be executed.
Checking phpinfo showed that disable_functions was set. Almost everything usable is disabled.
This seemed strange: the site had only just been built, so these were the default values. Why are the sites I usually test not like this? After looking around, the credit really goes to Pagoda, which is very thorough. A screenshot of some of the default disabled values is below.
Since the functions are disabled, we follow the usual principle: if you cannot solve the problem yourself, search Baidu!
The summary in an article on the Raytheon official account is excellent! Let's go!
The first method, the routine bypass: one look at phpinfo tells you the current situation is not routine.
The second method: sorry, putenv is not available.
The third method: not supported.
I went through all of them from 6 to 12, and the result was the same as above.
I have to say the summary is very good, but none of it can be used here. Pagoda is strong: one stroke and it is over.
Scratching my head.
I asked some more experienced people and got a solution: keep searching Baidu!
Emmm... No, I can't do overflows.
Kept searching and found a bypass "all-in-one" collection on GitHub? Let's take a look.
It immediately showed red.
I tried a few more (after all, the functions were disabled).
At this point an article caught my attention (I have no choice left but you).
The author said
Then we'll do it his way.
But the code left behind doesn't seem to work very well.
Finally, I found the Dark Moon privilege-escalation tool.
It works normally: select the corresponding version and export the udf.dll file.
PS:
For MySQL >= 5.1, the udf.dll file must be placed in the lib\plugin folder under the MySQL installation directory before a custom function can be created.
This directory does not exist by default, so we need to use the webshell to find the MySQL installation directory, create the lib\plugin folder under it, and then export the udf.dll file to that directory.
After that, commands execute successfully.
PS: in my own test, adding an administrator took the database down, so be careful about safety in a real environment.
As you can see, only sys_eval can be run.
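A defender's view of the UDF step above, as an added example that is not part of the original article: it audits rows from mysql.func and scans query-log lines for UDF registrations, flagging libraries outside an allowlist. The allowlist, the sample rows, the simplified log format and the sys_exec name (from the same lib_mysqludf_sys family as sys_eval) are assumptions.

```python
import re

# Statement MySQL uses to register a UDF from a library in the plugin directory.
CREATE_UDF = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)
# sys_eval is the UDF named in this article; sys_exec is assumed here as its
# sibling from the same lib_mysqludf_sys family.
SHELL_UDF_NAMES = {"sys_eval", "sys_exec"}


def classify(name, library, allowed_libs):
    """Return the reasons a registered UDF deserves review (empty if none)."""
    reasons = []
    if name.lower() in SHELL_UDF_NAMES:
        reasons.append("command-execution UDF name")
    if library.lower() not in allowed_libs:
        reasons.append("library not on allowlist")
    return reasons


def audit_func_rows(rows, allowed_libs=frozenset()):
    """rows: (name, dl) pairs as returned by SELECT name, dl FROM mysql.func."""
    found = [(n, dl, classify(n, dl, allowed_libs)) for n, dl in rows]
    return [f for f in found if f[2]]


def scan_query_log(lines, allowed_libs=frozenset()):
    """Flag CREATE FUNCTION ... SONAME statements in general query log lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CREATE_UDF.search(line)
        if m and classify(m.group(1), m.group(2), allowed_libs):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


# Constructed sample data (not taken from the article's server).
SAMPLE_ROWS = [("sys_eval", "udf.dll"), ("metaphon", "udf_example.dll")]
SAMPLE_LOG = [
    "2025-01-19T08:15:01Z  12 Query\tSELECT @@plugin_dir",
    "2025-01-19T08:15:02Z  12 Query\tCREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'",
    "2025-01-19T08:15:09Z  12 Query\tSELECT version()",
]

if __name__ == "__main__":
    print(audit_func_rows(SAMPLE_ROWS, {"udf_example.dll"}))
    print(scan_query_log(SAMPLE_LOG, {"udf_example.dll"}))
```

On a server that has no legitimate UDFs, leave the allowlist empty so that any row in mysql.func or any file appearing under lib\plugin is treated as a finding.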
This had me scratching my head: do I have to go onto the server and turn off the Pagoda settings (and pretend nothing happened)?
I thought about getting a callback with CS and then taking a look.
Executed PowerShell on the server with ordinary administrator privileges.
I accidentally found that commands could be executed without restriction (in fact, this was after fiddling for a long time: the initial 3.13 and 3.14 could not execute, but when I finally tried version 4.1 it worked).
View passwords with Mimikatz
Take a look at the local situation
After the local server joins the domain, users cannot be created directly without the domain administrator password = =
Although this experiment has a lot of contrived conditions (such as knowing the root password and so on), some of the ideas are worth recording.