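This penetration test had no political purpose; I simply wanted to get an article out of it. The article will probably not include any images, because inserting images is a hassle.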

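  • Purpose of the test
    Writing an article
  • Target
    tnu.edu.vn

  • Getting started
    For this university there was nothing in particular that I had to take, so I did not estimate the target's defenses in advance and went straight into scanning without holding back.
      I first brute-forced subdomains with SubDomainBrute and found that its main network segment is 125.214.0.x, so I started by using MSF's scanner/smb/smb_ms17_010 module to scan for anything exploitable. It found [+] 125.214.0.122:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit), but exploitation never succeeded. My guess is that the target has strong antivirus installed, something of Kaspersky's calibre, which blocked the shellcode. This ended in failure.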


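      Looking at the subdomain results, I went straight for the domain ebook.lrc.tnu.edu.vn. I figured that a name containing "book" was very likely a library or some document-type site, where security is comparatively weaker. I found an injection in an input box on the site, so I captured the request with Burp Suite. After resending it several times I found the request highly suspicious, so I sent it to Repeater for deeper testing. Testing showed that the parameter value in this request has a SQL injection vulnerability.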

    POST /ajaxpro/ElibWeb.Webparts.LRCEBook.ucSimpleSearch,ElibWeb.ashx HTTP/1.1
    Host: ebook.lrc.tnu.edu.vn
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Content-Type: text/plain; charset=utf-8
    X-AjaxPro-Method: getTotalRecord
    Referer: http://ebook.lrc.tnu.edu.vn/Default.aspx?keyword=1%27&page=SimpleSearch
    Content-Length: 14
    Cookie: ASP.NET_SessionId=cigf5jr1awr4gk00h3izktep
    Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"value":"1'"}
    

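    Injection testing showed that stacked queries are not supported, and even after getting into the admin backend there was no way to obtain a webshell. This ended in failure.
      Pulling out Teemo yielded many more domains, which I merged with the earlier results and deduplicated.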


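Because I have a job to do, I could only run large-dictionary password brute forcing against some of the easier services, and obtained the passwords of 3 SQL Server machines. After logging in I found that only one could execute commands normally, but it has Kaspersky on it. Since I am not familiar with the virus-definition update path of this version, I did not rashly charge in with AV-evasion tools, and still wanted to see whether the other two could be broken through.

125.214.0.117 returned the error: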

[42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]An error occurred during the execution of xp_cmdshell. A call to 'CreateProcess' failed with error code: '5'. (15121)

125.214.0.122 returned the error:

[42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online. (15281)
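Read from the defender's side, both errors above record an authenticated login attempting OS command execution through xp_cmdshell, and 15121 additionally shows that the feature is still enabled on that server. The following triage sketch is an added example, not part of the original post; the function names and host labels are assumptions, and the sample input is the two messages quoted above.

```python
import re

# ODBC diagnostic layout: [SQLSTATE] [vendor][driver][SQL Server]text (native error)
DIAG = re.compile(
    r"^\[(?P<sqlstate>[0-9A-Z]{5})\]\s*(?:\[[^\]]*\])*"
    r"(?P<text>.*?)\s*\((?P<native>\d+)\)\s*$", re.S)
CREATEPROCESS = re.compile(r"'CreateProcess' failed with error code: '(\d+)'")
WIN32 = {5: "ERROR_ACCESS_DENIED"}  # only the code that appears in the post

def triage(message):
    """Classify one SQL Server diagnostic; None if it is not about xp_cmdshell."""
    m = DIAG.match(message.strip())
    if not m or "xp_cmdshell" not in m["text"]:
        return None
    native = int(m["native"])
    result = {"sqlstate": m["sqlstate"], "native_error": native,
              "xp_cmdshell_enabled": None, "win32_error": None}
    if native == 15281:
        # Blocked by the server's security configuration: the feature is off.
        result["xp_cmdshell_enabled"] = False
    elif native == 15121:
        # The call reached CreateProcess, so the feature is on; the OS refused it.
        result["xp_cmdshell_enabled"] = True
        cp = CREATEPROCESS.search(m["text"])
        if cp:
            result["win32_error"] = WIN32.get(int(cp.group(1)), cp.group(1))
    return result

def hosts_to_harden(events):
    """events: (host, message) pairs. Returns (hosts where a login attempted
    xp_cmdshell, subset of those where xp_cmdshell is still enabled)."""
    attempted, enabled = [], []
    for host, message in events:
        r = triage(message)
        if r:
            attempted.append(host)
            if r["xp_cmdshell_enabled"]:
                enabled.append(host)
    return attempted, enabled

# Sample input: the two messages quoted in the post; host labels are constructed.
SAMPLE = [
    ("host-A", "[42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]An error occurred during "
               "the execution of xp_cmdshell. A call to 'CreateProcess' failed with error code: '5'. (15121)"),
    ("host-B", "[42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]SQL Server blocked access to "
               "procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off "
               "as part of the security configuration for this server. A system administrator can enable the "
               "use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', "
               "see \"Surface Area Configuration\" in SQL Server Books Online. (15281)"),
]
```

A host in the second returned list still needs xp_cmdshell switched off through sp_configure, and for every host in the first list the login that issued the call should have its password rotated.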
