Whole Process of One-Stop penetration

The whole process of one-stop penetration .................................... ............................... 1
 
1. Web site penetration ...... 1
II. twists and turns upload webshell ................................... 2
 
III. dramatic Elevation of Privilege .................................... ............... 3
 
4. simple penetration of the Intranet .................................... ................. 3
 
Target environment:
 
Visual Testing of 2003 + iis6 + asp.net + mssql, but this website program should be developed using a certain asp.net + soap program. At least the vulnerability may occur.
 
1. Web site penetration
 
This penetration did not use any scanning and sniffing tools to detect the target using manual inspection. After a series of tests, a interesting link was found in the source code of the webpage.
 
 
 
The address pulled from the basket caught my attention. Based on the name, this should be used to upload files.
 
After accessing this link, I confirmed my conjecture.
 
 
 
If there is no input stream, try writing a POST form on the local machine:
 
<Form action = "http://www.xx.com/Service.asmx/AjaxUpload" method = "post" enctype = "multipart/form-data">
<Input type = "file" name = "upload"/> <br/>
<Input type = "submit"/>
</Form>
After an image is uploaded, the following content is successfully selected:
 
{"S": 1, "src": '2014/1/xx/c0b62302a79e47bab273f2dc76861f8e.gif ', "pics": [{src: "2012/xx/c0b62302a79e47bab273f2dc76861f8e.gif", icon: "http://img.xx.com/upload/2012/xx/c0b62302a79e47bab273f2dc76861f8e.155x155.gif", wh: "150X150"}]}
 
After the upload path is returned, the result is as follows:
 
{"S": 1, "src": '2017/xx/ac24ed3a0393497bb3d0e9a78f28ef7e. asp ', "pics": [{src: "2012/xx/ac24ed3a0393497bb3d0e9a78f28ef7e. asp ", icon:"/Themes/Default/images/noimage.100x100.jpg ", wh:" "}]}
 
Direct upload Oh, but the tragedy is unable to find the access path, even upload normal pictures can not find the access path, the previous returned http://img.xx.com/upload/2012/xx/c0b62302a79e47bab273f2dc76861f8e.155x155.gif is not accessible, how is this going on? Then I did not find the path for half a day, so I recorded the location and went to bed first.
 
Ii. Tortuous upload webshell
 
Modify the url and then upload an aspxspy directly. However, there was a small accident. The upload form written yesterday could not be used here. Which parameter is missing, so I began to search for upload points on the website, hoping to restore the parameters required for upload. So after registering a member, I found the Avatar modification function in the member, and told me that the required parameters can be restored here. So I started the live http headers of Firefox and started to capture the upload package, however, nothing is tragic. Only the address after the uploaded image is returned:
 
 
 
Depressed, I tried the same result several times, so I tried WSExplorer to catch it, but the same result was returned.
 
Finally, when I used firebug to review the elements, I found some upload parameters: www.2cto.com.
 
 
 
The ghost, that is, the flash upload, cannot be captured by my browser. So I re-open WSExplorer, select the Firefox plug-in process, and then upload it again. · This time there was data, so I immediately modified the next upload form based on the parameters in the data packet and then directly uploaded aspxspy.
 
 




 
(The following content in the form is modified by copying data packets to facilitate modification of the form parameters .)
 
After the submission, I was lucky enough to find the path and get a shell.
 
3. Dramatic Elevation of Privilege
 
It's already aspx, And the permissions are huge, so you can execute commands across directories. However, to make it easier to do some trivial things, several machines on the intranet also need to win the permissions.
 
One by one, a variety of kill tools are broken up. It is worth mentioning that I have put the Privilege Escalation EXP for N years, but none of them have been killed, but what is worth the tragedy is that it has no effect ...... no way to query the configuration file of each website to see if there is any root or sa, and a root port is found and changed to 3307. mssql users with several db permissions have the same port changed, however, if the root account is used, the system prompts that the IP address 192.168.2.1 is rejected during connection, what does the IP address of the machine I won in the Intranet mean by 192.168.2.1 .....
 
OK can't prepare to find a third-party software. An FTP software is found in the C-drive software installation directory and can still be used to escalate permissions. The name is: gene6 FTP Server v3.9.0 (Build 2)
 
It is worth cheering for my character. The management password in this configuration file is md5 encrypted and has not been decrypted yet, but the configuration file of his mother has the permission to modify it. I rely on it. So let alone Replace the connection IP address 127.0.0.1 with the Internet IP address of the machine and then encrypt the admin address and replace the original password ciphertext (the previous ciphertext is recorded on the machine and I will recover it later .) The next step is nothing to worry about. Simply add a system administrator to the server as a zombie (as for how to escalate the privilege of this FTP software, there will be no waste of ink here .)
 
Iii. Simple Intranet penetration
 
After entering the server, combine the password found during the elevation of permission with the password obtained after the system hash is cracked into a document to prepare for the next step,
 
The Intranet machine environment is as follows:
 
192.168.2.1 (Local Machine + website SERVER + 2003)
 
192.168.2.2 (an Intranet website SERVER + 2003)
 
192.168.2.22 (intranet database and Backup Server + 2008)
 
192.168.2.23 (intranet database and Backup Server + 2008)
 
All machines have port 80 and port 21. FTP is open. Gene6 FTP Server v3.9.0 (Build 2) is of little use here. You can only guess the common users, management users cannot be connected.
 
So here my idea is to back up the result meter permission through the mssql user with the db permission to a shell, and the column directory is also. Root cannot be connected. Next, I first guessed 192.168.2.2 through the account password cracked by hash.
 
The two database servers also guessed the ftp password, but they still cannot be obtained.
 
 
 
By: cfking@90sec.org
 
Blog: www.luoyes.com
 
Bbs: www.90sec.org