It is understood that uploads on Windows 2003 are limited by default and cannot be larger than 200K, so I uploaded the classic Serv-U local overflow program and used the "great method" of invoking it that was invincible on Windows 2000 when WSCRIPT is disabled.
In fact, this simply means writing the path and parameters of the local overflow program in the place where CMD is called. Generally, the success rate of this method is high when the WSCRIPT component is not prohibited. But the result was still "no access"; it seems that Windows 2003's default security is much stronger than Windows 2000's. Disappointed, I thought of going to the home page and planting a Trojan; I have been playing with PcShare recently. I went to the home page, added the Trojan code and clicked save: "no permission". I was stunned! Is that not too extreme? I do not even have permission to modify the home page? The administrator must have demoted the IIS user to the GUEST group, or given the IIS directory a separate user in the GUEST group and removed its permission to modify files. Heaven is too unfair: this is a shell I worked so hard to get, and now it is of no use at all!
Nothing for it but to look around the server for something useful. After much rummaging, things suddenly brightened: I found a congif.aspx file in a directory. At this point everyone probably thinks I want to use the SA account and execute system commands through SQLROOTKIT. Wrong. I checked: the account does not have SA privileges, only PU permission, so nothing can be done with it, and that is outside the scope of this article. Instead, pay attention to the "ASPX" suffix. In a default installation, IIS 6.0 supports .NET, that is, ASPX files, but in IIS 6.0 the ASP and ASPX extensions run under two different user accounts. ASP runs as the IUSER user; administrators generally pay attention to this account and, for fear of privilege escalation, reduce its permissions to GUEST, so nothing can be done in an ASP WebShell. However, administrators often overlook ASPX! The system account used by .NET is ASPNET, and by default this account belongs to the USERS group, so if we upload a .NET backdoor and execute commands as ASPNET, a member of the USERS group, the permissions are much greater and privilege escalation becomes possible!
No sooner said than done: upload an ASPX backdoor, open its CMD module and execute NET USER.
Wow, haha, sure enough, CMD can finally be executed! To look at the permissions, type "net localgroup guests".
Have you seen it? The account we used in the ASP WebShell is IUSER_WEBSITE, which belongs to the GUESTS group. No wonder it had no permissions at all. Now let's take a look at the USERS group.
ASPNET is the account now used by our ASPX shell; its permissions are those of USERS, much better than Guest!
In fact, this is not a vulnerability, only a hidden danger caused by the administrator's carelessness. It is one approach to raising privileges. If the administrator also reduces the permissions of ASPNET, or removes the ASPX extension, the method in this article does not work, but I have not yet encountered such an administrator. In short, overall security is what matters most. Do not overlook any detail.
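The gap described above, where the ASP identity is confined to Guests while the ASP.NET identity is left in Users, can be checked from the same `net localgroup` output the article inspects. The following is an added example, not part of the original article: the sample output is constructed, and the account-name patterns in `WEB_IDENTITY` are assumptions to adjust per host.

```python
import re

# Constructed, abridged sample `net localgroup <group>` output (not from a real host).
SAMPLE_GUESTS = """Alias name     Guests
Members
-------------------------------------------------------------------------------
Guest
IUSER_WEBSITE
The command completed successfully.
"""
SAMPLE_USERS = """Alias name     Users
Members
-------------------------------------------------------------------------------
ASPNET
NT AUTHORITY\\Authenticated Users
The command completed successfully.
"""

# Assumption: name patterns for accounts that execute web code on this host.
WEB_IDENTITY = re.compile(r"^(IUSE?R_|IWAM_|ASPNET$)", re.IGNORECASE)

def parse_localgroup(text):
    """Return (group_name, [members]) from `net localgroup <group>` output."""
    group, members, in_members = "", [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name"):
            group = line[len("Alias name"):].strip()
        elif line and set(line) == {"-"}:
            in_members = True  # the dashed rule precedes the member list
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return group, members

def audit(outputs, restricted="Guests"):
    """Map each web identity found outside `restricted` to the groups holding it."""
    findings = {}
    for group, members in map(parse_localgroup, outputs):
        for m in members:
            if WEB_IDENTITY.match(m) and group.lower() != restricted.lower():
                findings.setdefault(m, []).append(group)
    return findings

if __name__ == "__main__":
    for account, groups in audit([SAMPLE_GUESTS, SAMPLE_USERS]).items():
        print(f"{account}: in {', '.join(groups)}, not confined to Guests")
```

Any account reported here runs web content with more rights than the restricted ASP identity, which is the condition the article says to close by reducing ASPNET's permissions or removing the ASPX extension.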