System: Kali 2.0
Tool: sqlmap
Injection point: http://bixxxxx.org.cn/news_detail.php?id=547
Privileges: DBA
Target: Windows Server 2003, port 3389 (RDP) open
Every trick for leaking the web path through error messages failed, so the absolute path could not be obtained: the target site has no test/phpinfo page, and although there is a phpMyAdmin it does not leak the path either.
I read the database, cracked the MD5 hashes and logged into the backend, but found nothing useful there.
C:\boot.ini can be read with sqlmap's --file-read, so file reads do work.
Assuming a default LAMP-style install, the absolute path could be obtained by reading the PHP configuration files. But when reading
C:\windows\php.ini
C:\windows\system32\inetsrv\MetaBase.xml
it turned out these files do not exist at all.
So, a different idea: read the SESSION_VARIABLES table in the INFORMATION_SCHEMA database, which exposes some useful information (basedir, datadir and the like):
From that path you can tell the environment was built with WampServer, which explains why none of the files above could be read.
Next, read WAMP's wampmanager.conf; the path above already shows that WAMP was installed in its default location.
Result:
OK, then read httpd.conf to get the physical path (the DocumentRoot):
Physical path obtained; now the real work can begin.
Just try --os-shell and see whether it works:
Got a shell. To see which patches the system has, run systeminfo in the shell, and also try the --os-cmd way:
Output echoed back successfully.
But the system model in the returned information shows the target is a VMware virtual machine. Damn.
Check what privileges we have:
Very good, SYSTEM privileges; luck is on my side.
Next, look at the user information:
Since we already have SYSTEM, modify the Guest account so it can be used to log in, and then continue.
rem enable the built-in Guest account
net user Guest /active:yes
rem set its password to "hack"
net user Guest hack
rem add it to the local Administrators group
net localgroup Administrators Guest /add
Good, now check the status of the Guest account:
OK, Guest is in the Administrators group, so 3389 could be used now, but RDP use is easy to notice; better to connect only when nobody else is logged on. This account is kept in reserve.
Next the show begins: through the sqlmap shell, upload wget.exe into the C:\Windows\System32 directory, which solves the download problem; very convenient, and it works the same way as on Linux. Terrific, that is the feeling. Then use wget to download pwdump.exe into the System32 directory, rename it to pwd.exe, and dump the hashes:
Crack the hashes:
With the admin password obtained, the rest is easy: enable Telnet and log in.
Take a look at what is on this server and whether there is any useful information.
As you can see, this server has already been compromised before; someone has been here ....
OK, use net view to see the current network:
There are 5 servers. Ping the hostnames to get their IPs, scan them with nmap for open 3389, then try the cracked username and password over 3389.
It turns out they really are virtual machines: three 2003 and two 2008 R2. One of the two 2008 R2 machines should be the real physical host, but the cracked password does not log in there, so for now no result.
Running ipconfig /all to look at the server's IP settings, I noticed something interesting about the routing:
the gateway is a router on a public IP. Interesting; usually a router's login credentials are left at the defaults, so try logging in and see what happens.
Haha, an H3C enterprise router. Try the default admin/admin login and see whether luck holds:
OK, I'm in. Looked at the intranet configuration, but nothing there; it is the same as the server's IP settings, and no intranet was found.
Decisively add a system account.
That's it for now; when there is time, configure a VPN connection for the next step of the intrusion.
Tags: penetration, SQL injection, privilege escalation