Posted April 10Apr 10

Foreword

I saw an article in the middle of the night yesterday.

I thought I would practice my skills, and halfway through the fight, I found that the masters had already traumatized such sites. So I learned from the experience of the masters, and took some exercises and recorded whatever I thought of. So the writing was quite complicated, and I also recorded whether there were any solutions. Then I changed the site and continued to walk.

Information Collection

The front desk is like this

Take a look at other information

Port Query

80 is the main page 8182 is the background login interface 1433 mssql directory scan

Catalogue traversal

Vulnerability Discovery

Go to the backend page first

Enter username: 123 prompts the user not exists Enter username: admin prompts the user or password is incorrect

Confirm the admin account and there is no verification code to verify, you can try to break it

Direct weak password admin 123456 Enter the background

There are not many functions, and there is nothing to use

Go back to the login to perform sql injection

mssql, dba permissions, direct –os-shell

The first machine here did not leave the network and did not echo. I gave up. After searching for several sites, I finally found a website that was released and echoed (it was easy to solve as long as it was released).

CS is online

Try CS here and judge that the network directly generates powershell online

Check the information and check the tasklist

Currently, it is database permissions. I tried to increase the authority, but it was directly disconnected and the website could not be opened. You should use it with caution, collect sufficient information and collect sufficient patch information.