论坛 › web app渗透测试::『Web App penetration testing』 › 渗透测试百货中国内网纪实

admin 发表于 2018-10-20 20:16:49

渗透测试百货中国内网纪实

<p style="margin:0cm 0cm 0.0001pt;text-align:justify;">
        <br />
</p>
<p style="font-family:等线;font-size:10.5pt;margin:0cm;text-align:justify;text-justify:inter-ideograph;">
        <span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">1</span><span style="background:white;color:#444444;">、网站弱口令</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">getwebshell<br />
</span><span style="background:white;color:#444444;">经过一番手工猜解找到网站后台，习惯性的用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">admin admin</span><span style="background:white;color:#444444;">竟然进去了，浏览一番发现可以配置上传文件类型于是配置上传类型如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<img width="600" height="428" src="https://www.2k8.org/content/uploadfile/202203/17/5d548dc0.png" alt="1.png" style="vertical-align:middle;" /><br />
<br />
<br />
</span><span style="background:white;color:#444444;">然后去找地方上传，上传的时候发现虽然配置了</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">asp</span><span style="background:white;color:#444444;">、</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">aspx</span><span style="background:white;color:#444444;">但是仍然上不上去，还曾经一度用后台的</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">sql</span><span style="background:white;color:#444444;">命令用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">db</span><span style="background:white;color:#444444;">权限备份一个</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">webshell</span><span style="background:white;color:#444444;">，但是由于权限设置问题导致拿</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">webshell</span><span style="background:white;color:#444444;">失败，抽了一支烟，沉思了半会，决定在增加个上传类型</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">cer</span><span style="background:white;color:#444444;">，看看果然可以成功上传，如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<img width="600" height="274" src="https://www.2k8.org/content/uploadfile/202203/17/91b52d31.png" alt="2.png" style="vertical-align:middle;" /><br />
<br />
<br />
2</span><span style="background:white;color:#444444;">、各种方式尝试反弹</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389<br />
</span><span style="background:white;color:#444444;">拿菜刀连接执行</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">ipconfig /all,</span><span style="background:white;color:#444444;">发现是内网，如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<img width="600" height="427" src="https://www.2k8.org/content/uploadfile/202203/17/b23c4981.png" alt="3.png" style="vertical-align:middle;" /><br />
<br />
</span><span style="background:white;color:#444444;">服务器开了</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389</span><span style="background:white;color:#444444;">，下面我们想办法反弹出</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389</span><span style="background:white;color:#444444;">，笔者测试用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">lcx,tunna</span><span style="background:white;color:#444444;">，</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">reDuh</span><span style="background:white;color:#444444;">，均以失败告终，貌似像开了</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">TCP/IP</span><span style="background:white;color:#444444;">筛选限制</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389</span><span style="background:white;color:#444444;">登陆，好吧我们想办法关闭掉这个，方法有两种一种是用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">mt.exe</span><span style="background:white;color:#444444;">执行，笔者这里用修改注册表的方式修改，方法如下：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
TCP/IP</span><span style="background:white;color:#444444;">筛选在注册表里有三处，分别是：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip<br />
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip<br />
&nbsp;<br />
</span><span style="background:white;color:#444444;">导出到自己所指定的目录进行修改：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
regedit -e D:\ </span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\1.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip&nbsp;&nbsp;&nbsp;<br />
regedit -e D:\ </span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip&nbsp;&nbsp;&nbsp;<br />
regedit -e D:\ </span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip&nbsp;&nbsp;<br />
&nbsp;<br />
</span><span style="background:white;color:#444444;">然后再把三个文件里中的：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
“EnableSecurityFilters"=dword:00000001”</span><span style="background:white;color:#444444;">改为：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">“EnableSecurityFilters"=dword:00000000”<br />
</span><span style="background:white;color:#444444;">再将以上三个文件分别导入注册表：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
regedit -s D:\</span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\1.reg<br />
regedit -s D:\</span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\2.reg<br />
regedit -s D:\ </span><span style="background:white;color:#444444;">网站目录</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">\3.reg<br />
</span><span style="background:white;color:#444444;">重启服务器即可！</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
</span><span style="background:white;color:#444444;">但是导出注册表打开看貌似不是</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">TCP/IP</span><span style="background:white;color:#444444;">筛选限制，因为找不到</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">EnableSecurityFilters</span><span style="background:white;color:#444444;">，好吧看来不是筛选限制，那怎么办，据说国外有很好的工具可以正则代理，我分析很有可能是做了安全策略导致的，因为我把防火墙相关的服务都关掉也不行，操家伙，工具名称叫：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">reGeorg-master</span><span style="background:white;color:#444444;">，下面看我操作，先把这个代理脚本</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">tunnel.aspx</span><span style="background:white;color:#444444;">上传然后执行</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<img width="600" height="404" src="https://www.2k8.org/content/uploadfile/202203/17/34e8e1b6.png" alt="4.png" style="vertical-align:middle;" /><br />
<br />
</span><span style="background:white;color:#444444;">然后还需要安装个程序</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">SocksCap</span><span style="background:white;color:#444444;">，然后加载如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<img width="600" height="333" src="https://www.2k8.org/content/uploadfile/202203/17/e159ca03.png" alt="5.png" style="vertical-align:middle;" /><br />
</span><span style="background:white;color:#444444;">下面我们开始用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">mstsc</span><span style="background:white;color:#444444;">连接内网</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">ip,</span><span style="background:white;color:#444444;">首先连接</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">10.177.2.14</span><span style="background:white;color:#444444;">，结果连接不出来，连接另一个内网</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">Ip 10.177.250.1</span><span style="background:white;color:#444444;">也失败，后来干脆</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">netstat –an</span><span style="background:white;color:#444444;">一下发现目标机连接到</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">10.177.2.11</span><span style="background:white;color:#444444;">，端口是</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">1433</span><span style="background:white;color:#444444;">，如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<br />
<img width="600" height="456" src="https://www.2k8.org/content/uploadfile/202203/17/168e9b94.png" alt="6.png" style="vertical-align:middle;" /><br />
<br />
</span><span style="background:white;color:#444444;">既然使用</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">s5</span><span style="background:white;color:#444444;">正向代理，那可以试着连接一下这台数据库服务器</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389</span><span style="background:white;color:#444444;">看看，连了一下果然是可以连通如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<br />
<img width="600" height="436" src="https://www.2k8.org/content/uploadfile/202203/17/e1bf31d6.png" alt="7.png" style="vertical-align:middle;" /><br />
<br />
2</span><span style="background:white;color:#444444;">、数据库提权与</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">ms15-051</span><span style="background:white;color:#444444;">提权双进内网服务器</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
OK</span><span style="background:white;color:#444444;">，现在的思路是翻网站数据库配置文件，找找</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">sa</span><span style="background:white;color:#444444;">密码然后先给</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">10.177.2.11</span><span style="background:white;color:#444444;">提权，然后再在</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">11</span><span style="background:white;color:#444444;">里面连接目标</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">3389</span><span style="background:white;color:#444444;">，没翻到</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">sa</span><span style="background:white;color:#444444;">密码此处略去</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">300</span><span style="background:white;color:#444444;">字，不过翻到一个账号是</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">sa</span><span style="background:white;color:#444444;">权限，连接数据库执行命令如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<img width="600" height="271" src="https://www.2k8.org/content/uploadfile/202203/17/5a14cca7.png" alt="8.png" style="vertical-align:middle;" /><br />
<br />
<br />
</span><span style="background:white;color:#444444;">添加账号密码的过程就不写了，肯定是可以进</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">10.177.2.11</span><span style="background:white;color:#444444;">了，下面我们还的给目标机添加账号密码，经提前测试，发现存在</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">ms15-051</span><span style="background:white;color:#444444;">漏洞，直接上</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;">exp</span><span style="background:white;color:#444444;">执行命令如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<br />
<br />
<img width="600" height="446" src="https://www.2k8.org/content/uploadfile/202203/17/29ea28bd.png" alt="9.png" style="vertical-align:middle;" /><br />
</span><span style="background:white;color:#444444;">同样添加账号密码，终于进了目标站的远程桌面如图：</span><span lang="EN-US" style="font-family:&quot;color:#444444;background:white;"><br />
<img width="546" height="299" src="https://www.2k8.org/content/uploadfile/202203/17/9b858d7e.png" alt="10.png" style="vertical-align:middle;" /></span><span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;"><br />
</span><span style="background:white;color:red;">总结：至此这个网站的漏洞算是测试完了，测试中途有些卡顿，主要技术问题是反弹</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">3389</span><span style="background:white;color:red;">，测试各种反弹工具都失败，后来经验证不是做了</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">TCP/IP</span><span style="background:white;color:red;">筛选，我用远控也无法上线，貌点像通不了外网的样子，但疑惑的是为什么数据库服务器的</span><span lang="EN-US" style="background:white;color:red;font-family:Verdana,sans-serif;">3389</span><span style="background:white;color:red;">却可以代理出来，同样在数据库服务器中远控也无法上线，如果有遇到过这样的朋友，请回贴不吝赐教。。。先在这里谢谢大家了。。。</span><span lang="EN-US"></span>
</p>
<p>
        <br />
</p>

查看完整版本: 渗透测试百货中国内网纪实