How to improve permissions in win 2003?

  

It is very important to upgrade the permissions in the win 2003 system. Now let's share the experience of the next netizen: I infiltrated a large website a few days ago, excited. After getting WebShell, the first thought was to upgrade the permissions and hang the even dear back door to the system. Skillfully open CMD and enter NET USER.

Not a good sign, then check the WSCRIPT component and execute NET USER again.

The prompt is changed, but the result is the same. Then I even thought of uploading CMD.EXE, but the upload of windows 2003 is limited by default, it can't be bigger than 200K, so I uploaded the classic Serv-U local overflow program, which is invincible when Windows 2000 is not disabled under WSCRIPT. Calling the law of power.

In fact, the path and parameters of the local overflow program are written in the place where the CMD is called. Generally, the success rate of this method is high when the WSCRIPT component is not prohibited. But the result is still "no access", it seems that Windows 2003 by default, security is much stronger than Windows 2000 default. When I was disappointed, I thought about going to the home page and hanging a horse. I am playing PcShare recently. Run to the home page, add the occasional Trojan code, click save, “ no permission & rdquo;, even down! Too BT? Even the permissions to modify the home page are not? The administrator must reduce the IIS user to the GUEST group, or give The IIS directory has a separate user for the GUEST group and has removed the permissions to modify the file. God is too unfair, how to say it is a shell that I have worked so hard, and now I have no use at all!

No way, look at the server for something good. Turning over and over, suddenly it was bright: a congif.aspx file was found in a directory. Written here, everyone thought that I want to use the SA account, execute the system command through SQLROOTKIT? Wrong, I have seen it, the account is not the SA authority, the PU permission, nothing can be done, and it is not within the scope of this article. Even pay attention to the "ASPX" suffix, in the default installation, IIS 6.0 is supported by .net, which is ASPX file, but in IIS 6.0, ASP and ASPX two extensions are used by 2 different users. Role, ASP is the IUSER user, the administrator generally pays attention to this account, afraid to be elevated, so the permissions are reduced to GUEST, so nothing can be done in ASP WebShell. However, the network administrator often ignores ASPX! Because the system account used by .net is ASPNET, by default, this account belongs to the USER group, so we upload a .NET backdoor and execute the command with the user NET group ASPNET. The permissions will be greatly improved, you can lift the rights!

Say it, do upload the back door of an ASPX, open the CMD module and execute NET USER.

Wow, haha, and sure enough, you can finally execute CMD! Look at the permissions and type "net localgroup guests".

Have you seen it? The account we used in AspWebShell is IUSER_WEBSITE, which belongs to the GUESTS group. No wonder what permissions are not available. Let's take a look at the USERS group.

ASPNET is now the account used by our AspxShell, the permissions are USERS, much better than Guest, oh!

In fact, this is not a loophole, but the hidden danger caused by the carelessness of the administrator Only. It is an idea to improve the authority. If the administrator also reduces the permissions of ASPNET, or remove the extension of ASPX, the method of this article does not work, but such an administrator has not encountered this. In short, overall security is the most important. Don't let go of every detail.

With examples, can you see more clearly? In short, if you want to improve the permissions, these details must be grasped. Of course, not everyone is required to do it. As long as you are interested, you can do it. .

Copyright © Windows knowledge All Rights Reserved