admin posted on 2018-10-20 20:16:49

A record of penetration testing the Baihuo China intranet

<p>
        1. Weak website password: getting a webshell<br />
        After some manual guessing I found the site's admin backend and, out of habit, tried admin admin, and it actually let me in. Browsing around, I noticed that the allowed upload file types could be configured, so I set the upload types as shown:<br />
        <br />
        <img width="600" height="428" src="https://www.2k8.org/content/uploadfile/202203/17/5d548dc0.png" alt="1.png" style="vertical-align:middle;" /><br />
        <br />
        Then I went looking for somewhere to upload. On uploading I found that even though asp and aspx were now configured, the files still would not go up. At one point I even used the backend's SQL command feature to back up a webshell with db privileges, but permission settings made that webshell attempt fail as well. I smoked a cigarette, thought it over for a while, and decided to add one more upload type, cer; sure enough, the upload succeeded, as shown:<br />
        <img width="600" height="274" src="https://www.2k8.org/content/uploadfile/202203/17/91b52d31.png" alt="2.png" style="vertical-align:middle;" /><br />
</p>
<p>
        2. Trying every way to forward 3389<br />
        I connected with Caidao and ran ipconfig /all, and found the server was on an intranet, as shown:<br />
        <img width="600" height="427" src="https://www.2k8.org/content/uploadfile/202203/17/b23c4981.png" alt="3.png" style="vertical-align:middle;" /><br />
        <br />
        The server had 3389 open, so next we tried to forward 3389 out. I tested lcx, tunna and reDuh, and all of them failed; it looked as if TCP/IP filtering had been enabled to restrict 3389 logins. Fine, let's try to turn that off. There are two methods: one is to run mt.exe; here I used the approach of modifying the registry, as follows:<br />
</p>
<p>
        TCP/IP filtering lives in three places in the registry:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip<br />
        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip<br />
</p>
<p>
        Export them to a directory of your choosing for editing:<br />
        regedit -e D:\&lt;site directory&gt;\1.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip<br />
        regedit -e D:\&lt;site directory&gt;\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip<br />
        regedit -e D:\&lt;site directory&gt;\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip<br />
</p>
<p>
        Then, in all three files, change:<br />
        "EnableSecurityFilters"=dword:00000001<br />
        to:<br />
        "EnableSecurityFilters"=dword:00000000<br />
        Then import the three files back into the registry:<br />
        regedit -s D:\&lt;site directory&gt;\1.reg<br />
        regedit -s D:\&lt;site directory&gt;\2.reg<br />
        regedit -s D:\&lt;site directory&gt;\3.reg<br />
        and reboot the server.<br />
</p>
<p>
        But when I opened the exported registry files, it did not look like TCP/IP filtering after all, because EnableSecurityFilters was nowhere to be found. OK, so it is not the filtering restriction. What now? I had heard there is a good foreign tool for forward proxying. My analysis was that a security policy was most likely the cause, since shutting down all the firewall-related services did not help either. Time to bring out the tool: reGeorg-master. Here is what I did: first upload the proxy script tunnel.aspx and run it:<br />
        <br />
        <img width="600" height="404" src="https://www.2k8.org/content/uploadfile/202203/17/34e8e1b6.png" alt="4.png" style="vertical-align:middle;" /><br />
        <br />
        Then a program called SocksCap also has to be installed and loaded, as shown:<br />
        <br />
        <img width="600" height="333" src="https://www.2k8.org/content/uploadfile/202203/17/e159ca03.png" alt="5.png" style="vertical-align:middle;" /><br />
        Next we started using mstsc to connect to the intranet IPs. I first connected to 10.177.2.14, which failed; connecting to another intranet IP, 10.177.250.1, also failed. Then I simply ran netstat -an and found the target machine was connected to 10.177.2.11 on port 1433, as shown:<br />
        <br />
        <img width="600" height="456" src="https://www.2k8.org/content/uploadfile/202203/17/168e9b94.png" alt="6.png" style="vertical-align:middle;" /><br />
        <br />
        Since we were using a SOCKS5 forward proxy, we could try connecting to 3389 on this database server; I tried it and it connected, as shown:<br />
        <br />
        <img width="600" height="436" src="https://www.2k8.org/content/uploadfile/202203/17/e1bf31d6.png" alt="7.png" style="vertical-align:middle;" /><br />
</p>
<p>
        3. Privilege escalation through the database and through ms15-051: into both intranet servers<br />
        OK, the plan now was to dig through the site's database configuration files for the sa password, escalate on 10.177.2.11 first, and then connect to the target's 3389 from .11. I did not find the sa password (300 words omitted here), but I did find an account with sa privileges; I connected to the database and executed commands, as shown:<br />
        <img width="600" height="271" src="https://www.2k8.org/content/uploadfile/202203/17/5a14cca7.png" alt="8.png" style="vertical-align:middle;" /><br />
        <br />
        I will skip the process of adding an account and password; that was certainly enough to get into 10.177.2.11. Next we still had to add an account and password on the target machine. Earlier testing had shown that the ms15-051 vulnerability was present, so I ran the exp directly to execute commands, as shown:<br />
        <br />
        <img width="600" height="446" src="https://www.2k8.org/content/uploadfile/202203/17/29ea28bd.png" alt="9.png" style="vertical-align:middle;" /><br />
        Likewise I added an account and password, and finally got into the target site's remote desktop, as shown:<br />
        <img width="546" height="299" src="https://www.2k8.org/content/uploadfile/202203/17/9b858d7e.png" alt="10.png" style="vertical-align:middle;" /><br />
</p>
<p style="color:red;">
        Summary: with this, testing of this site's vulnerabilities is done. There were a few snags along the way; the main technical problem was forwarding 3389: every forwarding tool I tested failed, and it was later verified that TCP/IP filtering was not in place. My remote-control tool could not check in either, which looked as though the box could not reach the Internet. What puzzles me is why the database server's 3389 could be proxied out, while the remote-control tool could not check in from the database server either. If anyone has run into this, please reply and share your advice... thanks in advance, everyone...
</p>
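The upload bypass in section 1 worked because the list of allowed upload types was editable from the admin panel and classic IIS hands .cer (like .asa and .cdx) to the same asp.dll engine as .asp. The following is an added example, not code from the original post or from the site under test: a server-side upload policy that keeps the set of server-executable extensions in code, so that an admin-panel setting (or anyone holding a guessed admin/admin password) can narrow the accepted types but never widen them. The names SERVER_EXECUTABLE, DEFAULT_ALLOWED, effective_allowlist and is_upload_allowed are mine, and both lists are constructed for illustration.

```python
"""Server-side upload policy (added example; not code from the original post).

Section 1 of the post got a script onto the server by adding 'cer' to an
admin-editable list of upload types: classic IIS maps .cer (along with .asa
and .cdx) to the same asp.dll engine as .asp. The policy below keeps the set
of server-executable extensions in code, so no admin-panel setting can widen
the accepted types to include them. Names and lists are my own, constructed
for illustration.
"""
import posixpath
import re
from typing import Iterable

# Extensions a Windows/IIS web server may hand to a script engine.
# Constructed from well-known IIS handler mappings; extend for your server.
SERVER_EXECUTABLE = frozenset({
    "asp", "asa", "cer", "cdx",                         # classic ASP (asp.dll)
    "aspx", "ashx", "asmx", "ascx", "asax", "config",   # ASP.NET handlers / config
    "php", "jsp", "cgi", "pl", "exe", "dll", "bat", "cmd",
})

# What the application genuinely needs to accept (constructed sample policy).
DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})

# Conservative file-name character set; anything else is rejected outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def effective_allowlist(configured: Iterable[str]) -> frozenset:
    """Intersect an admin-supplied list with the code-level allowlist.

    An administrator can narrow the accepted types but never widen them,
    so adding 'cer' or 'aspx' in the admin panel has no effect.
    """
    cleaned = {e.strip().lower().lstrip(".") for e in configured}
    return frozenset(cleaned & DEFAULT_ALLOWED)


def normalize_name(filename: str) -> str:
    """Drop client-supplied path components and the trailing dots/spaces that
    NTFS silently strips (so 'shell.cer.' would be stored as 'shell.cer')."""
    name = posixpath.basename(filename.replace("\\", "/"))
    return name.rstrip(". ")


def extension_chain(name: str) -> list:
    """Every dot-separated suffix, lowercased: 'a.cer.jpg' -> ['cer', 'jpg']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_upload_allowed(filename: str, configured: Iterable[str]) -> bool:
    """Accept only when the name is well-formed, no suffix anywhere in the
    chain is server-executable (this also closes double-extension tricks such
    as shell.asp.jpg), and the final suffix is in the effective allowlist."""
    allowed = effective_allowlist(configured)
    name = normalize_name(filename)
    chain = extension_chain(name)
    if not chain or not SAFE_NAME.fullmatch(name):
        return False
    if any(ext in SERVER_EXECUTABLE for ext in chain):
        return False
    return chain[-1] in allowed


if __name__ == "__main__":
    # The kind of list the post describes being set in the admin panel.
    admin_config = ["jpg", "png", "asp", "aspx", "cer"]
    for candidate in ["photo.jpg", "shell.cer", "shell.cer.", "shell.asp.jpg",
                      "..\\..\\evil.aspx", "shell.cer;.jpg"]:
        print(f"{candidate!r:22} -> {is_upload_allowed(candidate, admin_config)}")
```

The point of the intersection in effective_allowlist is that the panel setting becomes a filter over a fixed policy rather than the policy itself; the rest of the checks (path stripping, trailing-dot removal, whole-chain scan) cover the name-mangling variants that typically accompany an extension bypass.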
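Everything the post runs through the webshell in section 2 (ipconfig /all, netstat -an, regedit -e and regedit -s) executes on the host as a child process of the IIS worker, which a normal web application never spawns apart from the ASP.NET compiler. The following detection is an added example, not code from the original post; it runs over a constructed process-creation log whose CSV layout (time, parent image, image, command line) is assumed here and only loosely mirrors the fields of Sysmon Event ID 1 or Windows event 4688. The function and constant names (detect, classify, SAMPLE_LOG, WEB_WORKERS) are mine.

```python
"""Detection of commands spawned by the IIS worker process (added example;
not code from the original post).

Section 2 of the post runs ipconfig /all, netstat -an and regedit -e / -s
through a webshell. On the host each of those is a child process of the IIS
worker (w3wp.exe), something a normal web application never does apart from
the ASP.NET compiler it legitimately launches. This script flags such children
in a constructed process-creation log. The CSV layout is my own and only
loosely mirrors the fields of Sysmon Event ID 1 / Windows 4688.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (fields: time, parent image, image, command line).
SAMPLE_LOG = """\
time,parent_image,image,command_line
2018-10-20T19:58:01,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c ipconfig /all"
2018-10-20T19:58:40,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c netstat -an"
2018-10-20T20:01:12,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\regedit.exe,"regedit -e D:\\site\\1.reg HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"
2018-10-20T20:03:05,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\regedit.exe,"regedit -s D:\\site\\1.reg"
2018-10-20T20:05:00,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c ipconfig /all"
2018-10-20T20:06:30,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe,"csc.exe /t:library /out:App_Web_x.dll"
"""

WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}              # IIS worker / legacy IIS host
BENIGN_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}  # ASP.NET page compilation
RECON_AND_SHELL = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe",
                   "ipconfig.exe", "netstat.exe", "tasklist.exe", "systeminfo.exe"}
REGISTRY_TOOLS = {"regedit.exe", "reg.exe"}
REGISTRY_IO_FLAGS = {"-e", "-s", "/e", "/s", "export", "import"}


@dataclass
class Alert:
    time: str
    severity: str
    reason: str
    command_line: str


def image_name(path: str) -> str:
    """Last path component, lowercased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(time: str, parent: str, image: str, cmdline: str) -> Optional[Alert]:
    """Return an Alert for an unexpected child of the IIS worker, else None."""
    parent_name, child = image_name(parent), image_name(image)
    if parent_name not in WEB_WORKERS or child in BENIGN_CHILDREN:
        return None
    tokens = cmdline.lower().split()
    if child in REGISTRY_TOOLS and REGISTRY_IO_FLAGS & set(tokens[1:]):
        # Registry export/import driven from a web request: the pattern in the post.
        return Alert(time, "high", f"registry export/import by {child} under {parent_name}", cmdline)
    if child in RECON_AND_SHELL:
        return Alert(time, "medium", f"{child} spawned by {parent_name}", cmdline)
    return Alert(time, "low", f"unexpected child {child} of {parent_name}", cmdline)


def detect(log_text: str) -> List[Alert]:
    """Run classify() over every record of a CSV log and collect the alerts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        alert = classify(row["time"], row["parent_image"], row["image"], row["command_line"])
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.time} [{a.severity:6}] {a.reason}: {a.command_line}")
```

The csc.exe row is there on purpose: ASP.NET compiles pages by launching the C# compiler from w3wp.exe, so a rule that fires on every child of the worker drowns in that noise, while a rule that allowlists only the compiler family still catches cmd.exe and regedit.exe. The same parent-child relationship holds for the reGeorg tunnel.aspx step in the post, since an in-process proxy script spawns nothing and is instead visible as a flood of requests to one script in the web logs.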