An important system of Wanda Group, from SQL injection to system command execution to domain roaming

Source: Internet
Author: User
Tags: domain


1. SQL injection

While testing an app of Wanda Group for SQL injection, an injection point was found in the groupCode parameter of the following POST request; it supports both stacked queries and Boolean-based blind injection.
POST /hotelprocess/hotel/hotelList.action HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://app.wandahotels.com/hotelprocess/hotel/hotelList.action
Cookie: JSESSIONID=27C5851C2AB17BA654E8BF2B1FB31B19
Host: app.wandahotels.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

cityCode=BJS&groupCode=1&language=zh
1. sqlmap proof of the injection.

2. Check whether the current database user is sa. It was confirmed to be a DBA.

3. List all databases: 14 in total.

4. List the tables of the current database, ECRS: 493 tables in total.

2. Obtaining local administrator privileges on the server

Since the current database user is sa and a DBA, the next step is to run system commands through the injection and see what privileges they carry. From the injection we already know the environment is Windows + MSSQL 2008 + JSP, so we use sqlmap's --os-shell. On MSSQL this works by enabling xp_cmdshell, creating a temporary table named sqlmapoutput in the current database, storing the output of the executed command in that table, and then reading it back with SQL queries.

One problem: sqlmap can only drive --os-shell through the stacked-query or UNION-query technique. Here only stacked queries are available, not UNION, and when output is read back through the stacked-query technique sqlmap has to extract it character by character using time delays, so results come back very slowly. The workaround: since the parameter is also vulnerable to Boolean-based blind injection, first run the command through the stacked-query technique, then dump the sqlmapoutput table of the current database through the Boolean-based blind technique. This is much faster, because Boolean-based blind extraction does not depend on delays and can be multithreaded.

Command execution (sqlmap):
--os-shell --technique=S
Reading back the result (sqlmap):
--technique=B --threads=10 -D "ECRS" -T "sqlmapoutput" -C "data" --dump
With that in place, the following commands were run.

1. Determine which account the MSSQL service runs as, since that is the account our commands run under. By default the MSSQL service runs as SYSTEM after installation, so commands would carry SYSTEM privileges. A careful administrator, however, drops privileges during installation, for example to Network Service or to a dedicated low-privileged account (such as an IWAM-style account). So we run whoami to find out. The result is wanda\amadmin, which is not a built-in account of the system, so further commands are needed to determine its privileges.

2. To determine the privileges of wanda\amadmin we could run net user amadmin, but that command returns a lot of output, which takes a long time to extract. So I ran net localgroup administrators instead, which directly lists the members of the local Administrators group, and wanda\amadmin is among them. We are therefore already a local administrator of the server and can execute arbitrary commands.

3. Even with the Boolean-based blind technique helping to read back output, executing commands through sqlmap is too slow. I wanted to get a webshell on the box to speed up command execution, but it turned out that this is only the database server: it is separate from the web server and runs no web service. So I switched to looking at the network environment instead, starting with the local IP addresses (ipconfig), which all turned out to be intranet addresses.

I also checked the locally open ports (netstat).

That did not seem useful either. The server is presumably inside the intranet, so neither a reverse connection out nor a direct connection in is possible. Still, the server is fully controlled and any command can be executed.

3. Domain roaming

When listing the members of the local Administrators group, a member named WANDA\Domain Admins appeared, so the server is presumably joined to the WANDA domain. We can therefore run some domain commands to test it. First, list the domain administrators:
net group "domain admins" /domain

We are apparently not a domain administrator. However, as long as a domain administrator has ever logged on to this server, a credential-dumping tool could recover his password from it. That would be slow and painful through this channel, and out of consideration for the enterprise's security I did not go any further. We can also look at our own identity in the domain, the groups we belong to and our privileges:
net user wxadmin /domain
Of course, one could continue to enumerate the domain members:
net user /domain
But there are presumably a great many, and it has already taken a long time. Let's stop here for today, even though much more could be done.