The previous part covered how we obtained the intranet server 192.168.1.123.
After obtaining the 192.168.1.123 server, we need to go through a proxy to move around the intranet.
When collecting information with the "kitchen knife" (China Chopper) webshell, we found the privileges were insufficient, so we need to escalate privileges here.
We also found that 192.168.1.123 has ports 3389 and 445 open, so we could escalate privileges with an overflow exploit.
Setting up the proxy, escalating privileges, and attacking port 445 are not described in much detail here; see my previous article:
https://www.cnblogs.com/G-Shadow/p/10965035.html
Here we can use the earlier injection point to add an account and add it to the administrators group.
(The following operations were performed through the proxy.)
Use the proxy to open a remote desktop connection to 192.168.1.123 for information collection:
proxychains rdesktop IP
Logging in with our newly created user, we found a txt file on the Administrator's Desktop; opening it revealed a mail username and password and a router username and password.
Trying to log in to the router's IP without the proxy failed, indicating that the router restricts logins.
Through the proxy we successfully entered the router interface, but only with ordinary privileges.
From the router we discovered another IP network, as well as the server 172.19.23.123 (192.168.1.25 is cached).
From the router we also found that the IP networks can reach each other.
Use nmap through the proxy to scan the ports of 172.19.23.123:
proxychains nmap -vvv -n -sT -PN ip
172.19.23.123 has ports 80, 135, 139 and others open.
Using a browser to access the web service on 172.19.23.123, we found
a U-MAIL mail CMS that requires login; the mail username and password obtained earlier logged in successfully.
We found that the site runs on IIS 7.0, and IIS 7.0 has a parsing vulnerability: appending /.php to a file path (/xx.jpg) causes xx.jpg/.php to be parsed as PHP.
Searching online, we found that U-MAIL has an arbitrary file upload vulnerability.
Here we log in with the account: xgk
Get the currently logged-in user's user_id: 3
http://mail.comingchina.com/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=xgk
Upload a .jpg file and obtain the "file_id" from the upload response:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<FORM name=form1 method=post action="http://mail.comingchina.com/webmail/client/mail/index.php?module=operate&action=attach-upload" enctype=multipart/form-data>
上传文件:<input type="file" name="Filedata" size="30">
<INPUT type=submit value=上传 name=Submit>
</FORM>
"file_id":15598087474
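As an added defensive example (not from the original post), the following Python script flags the IIS 7.0 path-info pattern described above (an image path followed by /.php) and the chain of an attachment upload followed by such a request from the same client, run over constructed IIS W3C log lines. The field layout, client IPs and sample lines are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed IIS W3C log lines (default fields: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status). Not real traffic.
SAMPLE_LOG = """\
2019-06-10 10:01:02 172.19.23.123 GET /webmail/client/mail/index.php module=operate 80 - 192.168.1.50 Mozilla/5.0 200
2019-06-10 10:01:30 172.19.23.123 POST /webmail/client/mail/index.php module=operate&action=attach-upload 80 - 192.168.1.50 Mozilla/5.0 200
2019-06-10 10:02:05 172.19.23.123 GET /webmail/attachments/15598087474.jpg/.php - 80 - 192.168.1.50 Mozilla/5.0 200
2019-06-10 10:03:00 172.19.23.123 GET /images/logo.jpg - 80 - 10.0.0.7 Mozilla/5.0 200
2019-06-10 10:05:00 172.19.23.123 GET /upload/a.jpg/x.php - 80 - 10.0.0.9 curl/7.64 404
"""

# Image/text extension followed by a path segment ending in .php: the IIS 7.0 / PHP
# path-info parsing pattern. A hardened host (cgi.fix_pathinfo=0, request filtering)
# answers these with 404, but the attempt is still worth alerting on.
PATHINFO_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp|txt)/[^/?]*\.php$", re.IGNORECASE)
UPLOAD_ACTION = "action=attach-upload"  # U-MAIL attachment upload action from the post


def parse_line(line: str) -> Dict[str, str]:
    """Split one W3C line into the fields we need (IIS writes UA spaces as '+')."""
    f = line.split(" ")
    return {"method": f[3], "stem": f[4], "query": f[5], "client": f[8], "status": f[10]}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    uploaders = set()  # clients that POSTed to the attachment-upload action earlier
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        r = parse_line(raw)
        if r["method"] == "POST" and UPLOAD_ACTION in r["query"]:
            uploaders.add(r["client"])
            continue
        if PATHINFO_RE.search(r["stem"]):
            kind = "UPLOAD_THEN_PARSE" if r["client"] in uploaders else "PATHINFO_PHP"
            findings.append({"kind": kind, "client": r["client"],
                             "stem": r["stem"], "status": r["status"]})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a PATHINFO hit means the handler actually executed the request, so the server-side fix (not only the alert) is needed.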