
Title: Summary of ideas and techniques for penetrating sites whose web server and database server are separated


Preface

I saw a discussion about sites where the web server and the database server are separated, and I would like to summarize the tips for information collection.

Text

There is no summary article yet on penetrating sites where the web server and the database server are separated, so I want to try to record the penetration ideas for this kind of site.

For a site with separated web and database servers, there are usually two penetration entry points:

1. The web site

2. The database

The penetration ideas are actually quite conventional; the two entry points are nothing more than two paths.

Path one: break in from the web site, cross the web/database separation, then penetrate the intranet. Path two: break in from the database, cross the separation, then penetrate the intranet. A different penetration test plan is drawn up for each path. The following records the process and the problems that come up easily.

1. Infiltration from the web entrance

From the web entrance, you usually get a shell through various vulnerabilities in the web site, such as file upload, command execution, code execution, and SQL injection file writes (INTO OUTFILE, log backup, etc.).

Once we have web permissions, or a vulnerability such as arbitrary file read, we also read the database configuration file, analyze the database contents, look for database backups, and then penetrate the database server's IP for subsequent operations.

2. Infiltration from the database entrance

The database entry points to mention here are: a database exposed to the Internet with a weak password, and SQL injection in the web site.

Penetration from the database entrance is also mainly aimed at obtaining greater permissions or expanding our results. For example, the passwords, usernames and similar information obtained from the database can effectively help with subsequent intranet penetration.

When the web server and the database are separated, they are not on the same server. In that case you cannot write a one-line webshell through the database and connect to it via the web, because the web path does not exist on the database server. If the SQL injection was found from the web side, you can collect information and obtain permissions through the following methods.

1. MySQL

(1) Locating the web server's IP address

You can check MySQL's current connections by querying PROCESSLIST in the information_schema database. Because the web application keeps issuing queries to the database, the web server's ip:port is returned in the HOST field of the result.

select * from information_schema.PROCESSLIST;

After getting the IP of the web server, we can go on to penetrate the web server.

(2) load_file() to get sensitive information about the server where the database is located

If the secure_file_priv parameter imposes no limit (MySQL below 5.7), we can also use the load_file() function to read file contents.

select load_file('C:/test.txt'); # use forward slashes in the path

You can also obtain network card information, for example by reading:

/etc/udev/rules.d/70-persistent-net.rules to get the network card name;

/etc/sysconfig/network-scripts/ifcfg-<network card name> for a static IP, or /var/lib/dhclient/dhclient--<network card name>.lease if DHCP is used.

2. MSSQL

(1) Determine whether the web and database servers are separated

Get the client host name

select host_name();

Get the server host name

select @@servername;

Judge from the two results: if they are the same, the web and database may be on the same server; if they differ, the web and database servers are separated.

(2) Executing commands through stored procedures

We can execute system commands through MSSQL stored procedures, and can try to escalate privileges directly and penetrate other hosts.

Two commonly used ones:

xp_cmdshell and sp_OACreate. With them you can check whether the database server has outbound Internet access by executing ping or curl. Usually, when we encounter MSSQL, we bring the host online directly through command execution.

Since it is also a database, there is naturally some sensitive information in it. To penetrate further, you can compile a password list or other information from it.
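As an added example (not part of the original post), here is a small Python scanner that runs over constructed MySQL general-log lines and flags the reconnaissance statements from both the MySQL and MSSQL sections above (PROCESSLIST lookup, load_file(), INTO OUTFILE, host_name()/@@servername, xp_cmdshell, sp_OACreate), so a defender can spot this activity in database logs and pivot from the thread id to the client. The log format, thread ids and sample statements are assumed sample data.

```python
"""Flag database-side recon statements in MySQL general-log lines.
The log lines below are constructed sample data, not a real capture."""
import re

# (tag, pattern); loose on case/whitespace so injected variants still match.
RULES = [
    ("mysql_processlist", re.compile(r"information_schema\s*\.\s*processlist", re.I)),
    ("mysql_load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql_into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("mssql_host_check", re.compile(r"\bhost_name\s*\(\s*\)|@@servername", re.I)),
    ("mssql_xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("mssql_sp_oacreate", re.compile(r"\bsp_oacreate\b", re.I)),
]

# MySQL general log "Query" line: <timestamp>\t<thread id> Query\t<sql>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+Query\s+(?P<sql>.*)$")

def classify(sql):
    """Return the recon tags matched by one SQL statement (empty if benign)."""
    return [tag for tag, pat in RULES if pat.search(sql)]

def scan_general_log(lines):
    """Return (thread_id, tags, sql) for every logged query matching a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:  # Connect/Quit lines and malformed lines are skipped
            continue
        tags = classify(m.group("sql"))
        if tags:
            hits.append((int(m.group("tid")), tags, m.group("sql")))
    return hits

def threads_with_recon(hits):
    """Group matched tags by thread id (first-seen order), so the analyst can
    look up that thread's Connect line to find the client user and host."""
    by_thread = {}
    for tid, tags, _sql in hits:
        bucket = by_thread.setdefault(tid, [])
        bucket.extend(t for t in tags if t not in bucket)
    return by_thread

# Constructed sample log: two benign app queries on thread 12, then thread 15
# running the recon steps described above (plus a Connect line to pivot on).
SAMPLE_LOG = [
    "2023-02-02T13:27:19.974Z\t   12 Query\tSELECT id, title FROM posts WHERE id = 42",
    "2023-02-02T13:27:19.981Z\t   12 Query\tUPDATE sessions SET last_seen = NOW() WHERE sid = 'abc'",
    "2023-02-02T13:27:20.102Z\t   15 Query\tselect * from information_schema.PROCESSLIST",
    "2023-02-02T13:27:20.758Z\t   15 Query\tSeLeCt LOAD_FILE('/etc/udev/rules.d/70-persistent-net.rules')",
    "2023-02-02T13:27:21.003Z\t   15 Connect\twebapp@10.0.0.5 on shop",
    "2023-02-02T13:27:21.310Z\t   15 Query\tselect 1 into outfile '/tmp/out.txt'",
]
```

Feeding the same `classify()` the statements from an MSSQL audit or Extended Events export covers the MSSQL section with the same rule table.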
