Infiltration, SQL injection, right

System: Kali 2.0

Tool: Sqlmap

Injection point: http://bixxxxx.org.cn/news_detail.php?id=547

Permissions: DBA

Target: Window 2k3 open 3389 port

Through the path of various detonation error invalid, unable to obtain an absolute path, the target site does not have a test pointer, there is phpmyadmin but also can not explode path.

Read database broken MD5 login background found no use of the place.

C:\Boot.ini files are read using Sqlmap's--file-read

Assuming that the lamp environment is installed by default, the absolute path can be obtained by reading the PHP configuration file. But in Reading

C:\windows\php.ini

C:\windows\system32\inetsrv\MetaBase.xml

These files do not exist at all.

Then a different idea, read the INFORMATION_SCHEMA database in the Session_variables table, you can find some useful information::

Well, from this path you can know that the environment is built using Wamp server, which explains the main reason why I can't read the information above.

Then you can read the Wamp wampmanager.conf file, from the above path can be known when the installation of Wamp is the default path installed,

Results

OK, then read the httpd.conf file to get the physical path

OK, get the physical path successfully, then you can do the right thing.

Just use--os-shell to see if it's

Well, get a shell, see what patches the system has played, perform systeminfo in the shell, and try it in--os-cmd way

Successfully echoing data

But the target from the system model in the returned information is a VMware virtual machine, my day.

Check how much permissions you have.

Very good, system authority, personality broke out,

Next look at the user information

is already a system right so say modify guest log in with user's permission and then Dodo.

1 NET user Guest/active:yes

2 Net user Guest hack

3 net localgroup Administrators Guest/add

Good, check the status of the guest user now

OK, Guest has been in the Administrators group, then can use 3389 up, but use 3389 is easy to find, you can not connect when you do not log on. This account will be reserved.
Next, the play began, using Sqlmap shell upload wget.exe to c:\windowns\system32\ directory, so you can solve the download problem, very convenient. Operation is the same as Linux. It's terrific. Yes, that's what it feels like. Use wget to download Pwwdump.exe to system32 directory to rename Pwd.exe get hash value

Crack

Get password for admin next that's good to do, turn on Telnet login up

Take a look at the information in this server and what useful information

As you can see, this server has already been broken, perhaps the chrysanthemum is a place ....

Ok, use net view to view the current network situation.

Well, there are 5 servers, through the ping hostname to get the corresponding IP, using NMAP scanning open 3389 ports, OK try to crack the above to get username and password 3389 up,

Found that the true blue-and-green virtual machine, 3 units of 2003, 2 2008r2, in these two 2008r2 should have a real physical host, but can not use a cracked password to login so temporarily unable to get results

When using Ipconfig-all to view the IP settings of the server, it was interesting to see that the routing

Use the public network IP router, this interesting, the general situation of the router's login account password is unchanged, try to log in to see what is the situation,

Haha, guys, h3c. Enterprise router, using the default admin admin login try Character

OK, go up. Look at the configuration of the intranet, but nothing, just like the server IP settings, and did not find an intranet

Decisively add a System account

Flash first, then have time to configure the VPN connection into the next step of infiltration.

Infiltration, SQL injection, right