Record the whole process of an illegal site, from SQL injection to full-site packaging and local rebuilding

Posted by tzul at 2020-03-24


Published on October 1, 2019


Preface: the information gathering that came before is omitted here, since everything that follows was carried out with a SQL injection point already known.

The target is a domestic MLM (pyramid-scheme) site. The general picture: IIS + (one component illegible in the source) + Safe Dog (a host WAF) + Tencent Cloud.

3.1 Fuzz

From the tests above we can see that the application itself does filtering; the error shown comes from the application's own filter. Some symbols can be bypassed through the way IIS handles the % character, for example %0b, or the plus sign %2B in place of a space. Based on those test results, convert() conversion can then be used to extract some information.

Get the following information:

The next step is to get the table information

Because only a plain select ... from works here, I could not get the table names for a long time. If anyone knows other techniques, please enlighten me.

32000 Jinyou

At this point I was stuck. Later I remembered that a Safe Dog bypass article by the 404 bigshot mentioned that comments and line breaks are also valid in MSSQL, so I constructed the following.
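Seen from the defender's side, both tricks used so far (percent-encoded vertical tab or plus sign standing in for a space, and MSSQL inline comments replacing spaces) leave a clear mark in the IIS W3C access log even when the WAF keyed on %20 lets the request through. The following is an added example, not code from the original post: a small IIS W3C log parser with a heuristic that normalises these separator tricks before looking for SQL keywords. The log lines are constructed for the example, and the field list, thresholds and keyword set are assumptions, not anything taken from the target.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the original post). The query strings
# mimic the tricks the post describes: %0b and %2B standing in for a space, and
# MSSQL inline comments (/**/) replacing spaces. The field list is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-10-01 10:00:01 GET /news.aspx id=12 203.0.113.5 200
2019-10-01 10:00:02 GET /news.aspx id=12%0band%0b1=1 203.0.113.5 500
2019-10-01 10:00:03 GET /news.aspx id=12%2Band%2B1=convert(int,1) 203.0.113.5 500
2019-10-01 10:00:04 GET /news.aspx id=12/**/and/**/1=1 203.0.113.5 200
2019-10-01 10:00:05 GET /about.aspx page=2%2Bnews 198.51.100.7 200
"""

# %09..%0d are TAB/LF/VT/FF/CR and %a0 is NBSP: whitespace for IIS and MSSQL, but
# not the %20 a naive WAF rule looks for.
ODD_WHITESPACE = re.compile(r"%(0[9a-d]|a0)", re.I)
PLUS_ENCODED = re.compile(r"%2b", re.I)
SQL_COMMENT = re.compile(r"/\*.*?\*/|--")
SQL_KEYWORD = re.compile(r"\b(select|union|convert|from|where|and|or)\b", re.I)
# Every separator trick above, to be collapsed into a plain space before matching.
SEPARATORS = re.compile(r"[\t\n\x0b\x0c\r\xa0+]|/\*.*?\*/")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: line
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real pipeline would count these
        yield dict(zip(fields, parts))


def score_query(raw_query):
    """Return the list of indicators found in one cs-uri-query value."""
    reasons = []
    if raw_query == "-":  # IIS writes '-' when there is no query string
        return reasons
    decoded = unquote(raw_query)  # a single decoding pass, as IIS applies
    if ODD_WHITESPACE.search(raw_query):
        reasons.append("nonstandard-whitespace")
    if PLUS_ENCODED.search(raw_query):
        reasons.append("encoded-plus")
    if SQL_COMMENT.search(decoded):
        reasons.append("sql-comment")
    # Collapse the separator tricks so 'and' split by %0b, '+' or /**/ is still seen.
    normalised = SEPARATORS.sub(" ", decoded)
    if SQL_KEYWORD.search(normalised):
        reasons.append("sql-keyword")
    return reasons


def is_suspicious(reasons):
    """Heuristic: a SQL keyword plus at least one separator trick (assumed threshold)."""
    return "sql-keyword" in reasons and len(reasons) >= 2


def flag_requests(text):
    """Return (time, client ip, uri stem, reasons) for every suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        reasons = score_query(rec.get("cs-uri-query", "-"))
        if is_suspicious(reasons):
            hits.append((rec["time"], rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The keyword list is deliberately short and the rule requires a separator trick alongside a keyword, so a query such as page=2%2Bnews is not reported; a search term like "cats+and+dogs" still would be, which is the usual price of a log heuristic and a reason to tune it against your own traffic.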

Get the first table name: jsrecord

Because I still could not bypass the single quote and the equals sign, I could not use not in or for xml path to enumerate the remaining table names, which again hit a blind spot in my knowledge, so I had to read a large number of write-ups and finally constructed the following statement.

Now you only need to iterate over the value of top, for example:

Iterating further showed there was still a problem: ranges such as 1-20, 200-209 and 334-345 return the same table name, so the results contain a lot of repetition and are out of order. This can be handled with the intruder -> grep exact feature in Burp. The procedure: first set Intruder to iterate over 001-600 (beyond 600 nothing is returned).

Then extract the table names with grep exact.

Save the results and then remove the duplicates.

It is consistent with the total number of tables obtained previously.

The next step is to get the column names and contents of the memberadmin table, but before that I looked at the page source of the backend login page.

As shown in the figure, the column names were guessed blindly: txt_nickname, nickname, txt_password, password

Logging into the backend

Testing showed that the information management section can publish news and upload images. Removing the double quotes in filename="1.aspx" bypasses Safe Dog, but it does not bypass the application's own check.
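The reason the quote trick works against the WAF but not the application is that a rule which keys on the literal filename="..." never sees the unquoted form, whereas the application parses the parameter properly. The following added example (not code from the original post or from the target) shows what that application-side check looks like: a Content-Disposition parser that accepts both the quoted and the unquoted filename form, discards any path component, and then applies an extension allow-list. The allow-list and the header samples are assumptions constructed for the example.

```python
import posixpath
import re

# Assumed policy for an image-upload endpoint; adjust to the application's needs.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Matches filename=<quoted-string> or filename=<token>. A WAF rule that only
# knows the quoted form misses the second alternative; the application must not.
_FILENAME = re.compile(r'(?i)\bfilename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))')


def extract_filename(content_disposition):
    """Return the base name from a multipart Content-Disposition header, or None."""
    m = _FILENAME.search(content_disposition)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    raw = raw.replace('\\"', '"')  # undo quoted-pair escaping inside quotes
    # Keep only the base name so "..\\x.png" or "/etc/x.png" cannot steer the path.
    return posixpath.basename(raw.replace("\\", "/"))


def upload_allowed(content_disposition):
    """Return (allowed, detail): detail is the safe name or the reason for refusal."""
    name = extract_filename(content_disposition)
    if not name:
        return False, "no filename"
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension %s not allowed" % (ext or "(none)")
    return True, name


if __name__ == "__main__":
    # Constructed header values for the example.
    for header in ('form-data; name="file"; filename="1.aspx"',
                   'form-data; name="file"; filename=1.aspx',
                   'form-data; name="file"; filename="photo.PNG"'):
        print(header, "->", upload_allowed(header))
```

Both spellings of the 1.aspx upload are refused for the same reason, which is the property a WAF signature on its own cannot give you. RFC 5987 filename*= parameters are not handled here; a production parser should reject or decode those explicitly rather than let them fall through.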

However, the upload component is known to be UEditor, and the .NET version has a known upload vulnerability; the POC is as follows

Prepare the shell on your own server (mind the dog, i.e. Safe Dog), name it a.gif, then fill in the shell's address

Submit to get the shell path

With a shell in hand, what needs to be done is clearer: package the source code and the database. Since only these two operations are needed, no higher privileges are required, which also avoids a careless action triggering alerts. So I chose to package through the shell first.

Source code

Here I used an uploaded rar.exe to package the source code as a multi-volume archive. Before that I tried 7z.exe (already installed on the target server) and makecab, but the results were not ideal and the approach was not elegant enough.

In the end the download completed at 100k/s.

Database

Skipped: the backend provides a backup function.

Pitfall: the backup file produced by the backend has a zip suffix, but after downloading it kept reporting that the file was damaged. I assumed for a long time that the backup function was broken; later I found that the file header was that of a tape archive (tar), not a zip....
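The lesson from that pitfall is that a suffix says nothing about a file's real format: a backup routine (or an upload filter) that trusts the extension will misidentify a tar saved as .zip, and an archive tool will refuse to open it. The following added example (not code from the original post) identifies common archive formats from their magic bytes, reports when the suffix disagrees, and opens the archive with the reader its contents actually need. The sample archives are built in memory for the example; the format table is limited to the handful of types named in the post.

```python
import io
import tarfile
import zipfile


def sniff_archive(data):
    """Identify an archive by its header bytes, ignoring whatever suffix it carries."""
    head = data[:8]
    if head[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"
    if head[:6] == b"Rar!\x1a\x07":
        return "rar"
    if head[:6] == b"7z\xbc\xaf\x27\x1c":
        return "7z"
    if head[:2] == b"\x1f\x8b":
        return "gzip"
    # tar ("tape archive") has no leading magic; ustar/pax/GNU write "ustar" at
    # offset 257 of the 512-byte header block.
    if len(data) >= 512 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


# Suffix each sniffed type is expected to carry (assumed mapping for this example).
EXPECTED_SUFFIX = {"zip": "zip", "rar": "rar", "7z": "7z", "gzip": "gz", "tar": "tar"}


def suffix_matches(filename, data):
    """Return (sniffed_type, True/False) telling whether the suffix tells the truth."""
    kind = sniff_archive(data)
    suffix = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind, EXPECTED_SUFFIX.get(kind) == suffix


def list_members(data):
    """Open the archive with the reader its real format needs and list its entries."""
    kind = sniff_archive(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return kind, tf.getnames()
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return kind, zf.namelist()
    raise ValueError("no reader for archive type: %s" % kind)


def build_sample_tar():
    """Constructed sample: a one-file tar, the shape of the 'zip' backup in the post."""
    buf = io.BytesIO()
    payload = b"<html>constructed sample</html>"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("site/index.html")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_zip():
    """Constructed sample: the same file as a real zip, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/index.html", "<html>constructed sample</html>")
    return buf.getvalue()


if __name__ == "__main__":
    mislabelled = build_sample_tar()
    print("backup.zip ->", suffix_matches("backup.zip", mislabelled))
    print(list_members(mislabelled))
    print("backup.zip ->", suffix_matches("backup.zip", build_sample_zip()))
```

On a real server the same check belongs in the upload path as much as in the backup path: an image filter that only inspects the suffix is the mirror image of the broken backup tool, accepting content it never actually looked at.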

The local environment is Windows Server 2012 + IIS 8 + SQL Server 2008; just a brief account 0.0

SQL Server

Installation is skipped; importing the data:

Create a new database and restore the data from the backup file ("from device")

Restore success

IIS and

Installation in one go: tick everything on the left, quick and dirty

Add site

It is best to match the target's version

Modify the configuration file in the source code