
Title: Penetration practice against a certain gambling website


I. Preface

Recently I heard that websites built on a certain qipai (card-game gambling) product have SQL injection, and someone happened to send me one.

The usual penetration routine, straight through: information collection - vulnerability detection/exploitation - privilege escalation/persistence - clearing traces.

II. Information collection

Browsing the home page gives a preliminary picture: system Windows Server, middleware IIS 7.5, language ASPX.

Port scan: nmap -sV -T4 -p- 11x.xx.xx.xx.xx

Many ports are open. Among them are several web services: 80, 81, 82, 88 and 47001.
80: the current homepage.
81: the backend of this qipai site.
82: also a backend; I don't know what system it is, and it has a CAPTCHA.
88/47001: access failed.

1433: MSSQL database.

Ports 139 and 445 were also open but filtered. I don't know whether there is a firewall, so I'll look at that later.

Use dirsearch to scan for sensitive directories first. The site language collected earlier is aspx, so add -e to specify the extension:

python dirsearch.py -u http://11x.xx.xxx.xx -e aspx

Then scan again with 7kbscan; after all, its dictionary is the one commonly used by Chinese sites.

/m/ is the user registration page, which may be useful; note it for now.

/test.html is an entry point that launches WeChat; it is useless. It is probably there to lure victims into chatting on their phones.

An IP lookup shows a server of a certain operator in Beijing. It is quite bold to host such a site on a domestic server.

Information summary.

It is probably a small site built by the operator himself. I won't expand the collection further, so as not to waste time.

III. Vulnerability detection

Focus on port 81 found earlier, which is the website's backend management page.

No CAPTCHA; just enter admin/admin as username/password and capture the request.

Putting a quote in the username and sending the request directly returns an error. If nothing unexpected happens, there should be error-based injection or blind injection here.

Working on two fronts: save this request locally as qipai.txt and scan it with sqlmap. It is already known to be an MSSQL database, so add the --dbms parameter to specify the database type and save time:

python sqlmap.py -r qipai.txt --dbms 'Microsoft SQL Server' --dbs

The other way: send the request to the Intruder module to brute-force the password. I tried entering a random username in the browser and the prompt was 'User name does not exist'; when entering admin, the prompt was 'User name or password is wrong', indicating that the admin account exists, so just brute-force the password.
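The two login-page weaknesses used above (a quote in the username reaching the database as syntax, and two different failure messages confirming which accounts exist) side by side with the fixed handler. This is an added example, not code from the original post or from the qipai product; it uses an in-memory SQLite table as a stand-in for the site's MSSQL admin table, and the schema, the admin row and the plain SHA-256 hash are assumptions for illustration.

```python
import hashlib
import hmac
import sqlite3


def _h(password):
    # Assumption: plain SHA-256 stands in for whatever the real site stores.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed admin table; the weak password 888999 is the one from the write-up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)", ("admin", _h("888999")))
    return db


def login_vulnerable(db, username, password):
    """String-concatenated query plus two distinct failure messages.
    A quote in the username becomes SQL syntax and raises a database error
    (the symptom seen above), and the messages reveal whether an account
    exists, which is what made the password brute-force worthwhile."""
    sql = "SELECT pw_hash FROM admins WHERE username = '" + username + "'"
    row = db.execute(sql).fetchone()
    if row is None:
        return "User name does not exist"
    if row[0] != _h(password):
        return "User name or password is wrong"
    return "OK"


def login_hardened(db, username, password):
    """Parameterised query plus one generic message: the quote is just data,
    and an unknown user is indistinguishable from a wrong password."""
    row = db.execute("SELECT pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    # Compare against a dummy hash for unknown users so timing is similar either way.
    stored = row[0] if row else _h("dummy-value-for-unknown-user")
    if not hmac.compare_digest(stored, _h(password)) or row is None:
        return "Invalid credentials"
    return "OK"


def quote_probe(db, login_fn):
    """Regression check for a login handler: True when a single quote in the
    username reaches the database as syntax (the handler raises a DB error)."""
    try:
        login_fn(db, "admin'", "anything")
    except sqlite3.DatabaseError:
        return True
    return False
```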

The password is 888999, a weak password, the eternal god!

Logged into the backend successfully.

There are only 69 registered users; the rest are all bots. These 69 users have deposited 1.43 million? Are all qipai players this rich? I'm happy enough that I can't even bring myself to pay the 6 yuan first recharge.

I can't get involved in gambling; this guy lost 2800 in one day.

After searching the backend for a long time I couldn't find an upload point, so I set that aside for now.

Back to sqlmap on the other side: injection is confirmed, and it is already enumerating database names.

It ran out 16 databases. Judging by the name, the RYPlatformManagerDB database may contain administrator-related information.

Running the table names:

python sqlmap.py -r qipai.txt --tables -D RYPlatformManagerDB

After searching for a long time, I found an administrator account and password, the same one Burp brute-forced earlier, plus some user information; nothing more valuable.

python sqlmap.py -r qipai.txt --is-dba

It is DBA privilege. Try to get a shell; just use sqlmap's os-shell directly against the MSSQL database:

python sqlmap.py -r qipai.txt --os-shell

The blind injection that os-shell relies on is slow; after a long wait I finally got the shell. It looks like a technical job on the surface, but in fact it is manual labour.

The current user's privileges are very limited, just those of the MSSQL database account.


systeminfo: check the system information; the system is 64-bit Windows Server 2008.

Cobalt Strike generates a payload, which is then loaded with PowerShell on the target machine; the target comes online successfully.


net user: view users.

tasklist: view processes; there does not seem to be any antivirus software.


net start to view the running services: the firewall is enabled, which is why the earlier nmap scan showed 445 and other ports as filtered.

Turn off the firewall. Privileges have not been escalated yet.


IV. Privilege escalation / persistence

Having learned earlier that this machine is Windows Server 2008, I tried Potato to escalate privileges (MS16-075).

After executing it I waited a while. I was lucky: the machine was unpatched and privileges were escalated in one go. I got SYSTEM privileges and could do whatever I wanted.

Going into file management, the test.html file seen during information collection is visible.

netstat -ano to check which ports are open; 3389 is not open.


Turn it on manually.

Remote desktop can now be accessed.

I am not very skilled at operating Cobalt Strike, so I'll use Metasploit instead: upload an msf-generated payload through CS, and have msf listen.

Note: CS can spawn the shell to msf directly, but I tried for a long time and never got a session back, so I had no choice but to upload an msf payload as a roundabout way to get there.

msf starts listening.

Run the uploaded payload from CS.

msf successfully gets the shell, which inherits the SYSTEM privileges.

Viewing the password hashes fails, because the msf payload is 32-bit and the system is 64-bit.

ps to view the processes; find a 64-bit process running as SYSTEM, migrate into it, and then get the hashes.

Look up the administrator's hash on an online cracking site. The password is not complicated and is found in a few seconds.

Successfully logged into the remote desktop.

Leave two backdoors: one webshell, and one auto-starting nc for a reverse shell.


V. Clean up traces and withdraw

meterpreter's clearev command clears them with one click.


Or delete the Windows logs manually.

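The defender's side of this step: wiping the event logs with clearev or by hand does not remove the record of the wipe itself, because the Eventlog service writes a new event into the emptied log (ID 1102 in Security, ID 104 in System). Below is an added example, not code from the original post, that runs over constructed event records in the shape a SIEM would hold; the host names, timestamps and the sample rows are assumptions.

```python
# Constructed records from a host after a wipe (WEB01) and an untouched host (DB01).
SAMPLE_EVENTS = [
    {"time": "2021-01-10T03:55:40Z", "computer": "WEB01", "channel": "Security",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 1102},
    {"time": "2021-01-10T03:55:41Z", "computer": "WEB01", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 104},
    {"time": "2021-01-10T03:56:30Z", "computer": "WEB01", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624},
    {"time": "2021-01-10T03:57:02Z", "computer": "WEB01", "channel": "System",
     "provider": "Service Control Manager", "event_id": 7036},
    {"time": "2021-01-09T22:10:00Z", "computer": "DB01", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624},
]

# Events written by the Eventlog service itself when a log is cleared; they survive the clear.
LOG_CLEARED = {
    ("Security", 1102): "audit (Security) log cleared",
    ("System", 104): "event log file cleared",
}


def _is_clear_event(e):
    return (e.get("provider") == "Microsoft-Windows-Eventlog"
            and (e["channel"], e["event_id"]) in LOG_CLEARED)


def find_log_clearing(events):
    """Return clear events, oldest first, as (time, computer, channel, description)."""
    hits = [(e["time"], e["computer"], e["channel"], LOG_CLEARED[(e["channel"], e["event_id"])])
            for e in events if _is_clear_event(e)]
    return sorted(hits)


def history_starts_with_clear(events):
    """Per (computer, channel): True when the earliest surviving record is the clear
    event, meaning everything before it is gone from the host and must be pulled from
    another source (forwarded logs, SIEM copies, IIS or database logs)."""
    earliest = {}
    for e in sorted(events, key=lambda e: e["time"]):
        earliest.setdefault((e["computer"], e["channel"]), e)
    return {key: _is_clear_event(e) for key, e in earliest.items()}
```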

VI. Summary


VII. Recommended lab

Manual injection assisted by sqlmap

https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182015011915533100001pk_campaign=freebuf-wemedia

Through this lab you can get to know sqlmap, master its commonly used commands, and learn to use sqlmap to assist with manual injection.

Reprinted from the original link:

https://www.freebuf.com/articles/network/250744.html
