The case of raising power (1) infiltrating an asp.net website and sharing the idea of public raising power through SQL Server database

Time:2020-2-24

List the permissions of SQL Server role users first

Describe from the lowest level role (bulkadmin) to the highest level role (sysadmin):
1.bulkadmin: this role can run the bulk insert statement, which allows data to be imported into the SQL Server 2008 database from a text file and is designed for domain accounts that need to perform bulk insert into the database
2. Dbcreator: this role can create, change, delete and restore any database. It is suitable not only for assistant DBA role, but also for developer role
DiskAdmin: this role is used to manage disk files, such as image database and add backup devices. It is suitable for assistant DBA
4. Processadmin: SQL Server 2008 can process multiple processes at the same time. This role can end processes (referred to as “delete” in SQL Server 2008)
5. Public: there are two characteristics: first, there is no permission in the initial state; second, all database users are its members
6. Securityadmin: this role will manage the login name and its properties. You can authorize, deny and revoke server level / database level permissions. You can reset the login name and password
7. Serveradmin: this role can change server wide configuration options and shut down the server
8. Setupadmin: designed for users who need to manage connection servers and control startup stored procedures
9. Sysadmin: this role has the right to perform any operation in SQL Server 2008

First stepFirst, find the news page of the website and judge the basic information through the ending of ASPX suffix. The database may be MSSQL in Windows system

Try id = 1 / 0 to report syntax error. 410 / server error of application type…. it is obvious that MSSQL database and SQL injection exist

The second stepCheck his IP address and website information again. It is found that only local servers do not have cloud servers of major manufacturers. Judge that there is no cloud WAF (if any IP address is blocked, you can change the proxy IP address). You can directly use the tool

The third stepDirect sqlmap running out of table and data role permission very low defined by public continue information collection

The fourth stepFind out that there is no information available at the front desk. Write a script first. The crawler will get the basic directory, resource storage address and some rules of the website. There is no useful information in the upper imperial sword scanning

The fifth stepYou can also use a powerful search engine to search using Google hack syntax. Try site: *. Xxx.com to log in and successfully search the background address

The sixth stepOpen the page address and confirm it is the background address by comparing with the foreground rule. Enter sqlmap to obtain the user name information and log in

The seventh stepLook for the upload point to find the upload function of the select selection box, but only the DB file can be uploaded. The suffix of other files will be automatically modified. Carefully organize his logic on the side before entering the upload point

There is a URL request. Type = dB. The review element finds the option element in the select box  Thus, it can be determined that his logic can be selected to execute the above logic and confirm that the upload format file is directly tampered with ASA (ASPX is forbidden) to upload successfully

The eighth stepIt is found that the path and file name can’t be determined if the upload is successful without echo, but if img type is selected for upload, echo can determine the upload directory. Through the image naming format img201509246518.png, you can guess that the naming rule is img type 2015.. it may be the current time stamp after today’s date. I just need to determine the time stamp of the back door Write a JS script to send 10 requests of uploading Trojan horse and record the request time at the same time. There are ten horses in the time interval obtained by subtracting the first time and the tenth time. After traversing the interval, the corresponding address is obtained successfully

The ninth stepOpen Malaysia to check the components and find that both CMD and net components have been deleted to detect the security dog of background process with server. Upload net through Malaysia, CMD components to the directory with execution authority, such as the current recycle bin. The number of patches obtained by executing systeminfo is only 4. Upload PR without killing. Use memory overflow to directly claim the right to add the password set by guest user to the administrator group

The tenth stepInput netatst – ano, and it is found that port 80 is not the original address with a listening address. Through query, it is found that port 80 is an internal address. You can confirm that port 80 of the internal network is mapped through the external network. Upload LCX for port forwarding. Execute LCX – Listen 3000 3388 listening 3000 on the local machine. Map to port 3388. Execute – slave on the webshell machine. My IP 3000 192.xxx (intranet IP) 3389 is forwarded to my 3000 port. This machine opens the remote connection input 127.0.0.1:3388. Enter the guest user who just modified the password. The machine connecting webshell is under perfect control.

The eleventh stepClear trace exit to submit the vulnerability to the vulnerability platform.

Thoughts on infiltration of this station

1. You can directly use the scanning tool WVS appscan webinspect jsky Aurora, etc

2. Conduct directional penetration test on the results

3. Shell method upload, include, command execution, backup.

4. First of all, it depends on which patch is applied. Then it depends on the installed third-party application. It depends on MS vulnerability and application

5. Using LCX port forwarding to break through the limitation of Intranet with webshell

6. Information collection is very important