Privilege escalation: preface

After obtaining a WebSHELL, you need to see which patches the target server has installed and, based on the ones that are missing, pick the corresponding Exploit to escalate privileges.

  • POC

systeminfo>liuwx.txt&(for %i in ( KB4013389 KB3199135 KB3186973 KB3178466 KB3164038 KB3143145 KB3143141 KB3136041 K3134228 KB3089656 KB3067505 KB3077657 KB3057839 KB3057191 KB3031432 KB3036220 KB3023266 KB2989935 KB3011780 KB3000061 KB2992611 KB2975684 KB2914368 KB2850851 KB2840221 KB2778930 KB2972621 KB2671387 KB2592799 KB2566454 KB2503665 KB2393802 KB2305420 KB2267960 KB982799 KB2160329 KB977165 KB971468 KB975517 KB970483 KB959454 KB957097 KB958644 KB956803 KB941693 KB921883 KB899588 KB823980 ) do @type liuwx.txt|@find /i "%i"|| @echo %i is Yes)&del /f /q /a liuwx.txt
KB4013389 is Yes
KB3199135 is Yes
KB3186973 is Yes
KB3178466 is Yes
KB3164038 is Yes
KB3143145 is Yes
KB3143141 is Yes
KB3136041 is Yes
K3134228 is Yes
KB3089656 is Yes
KB3067505 is Yes
KB3077657 is Yes
KB3057839 is Yes
KB3057191 is Yes
KB3031432 is Yes
KB3036220 is Yes
KB3023266 is Yes
KB2989935 is Yes
KB3011780 is Yes
KB3000061 is Yes
KB2992611 is Yes
KB2975684 is Yes
KB2914368 is Yes
KB2850851 is Yes
KB2840221 is Yes
KB2778930 is Yes
KB2972621 is Yes
KB2671387 is Yes
KB2592799 is Yes
KB2566454 is Yes
KB2503665 is Yes
KB2393802 is Yes
KB2305420 is Yes
KB2267960 is Yes
KB982799 is Yes
KB2160329 is Yes
KB977165 is Yes
KB971468 is Yes
KB975517 is Yes
KB970483 is Yes
KB959454 is Yes
KB957097 is Yes
KB958644 is Yes
KB956803 is Yes
KB941693 is Yes
KB921883 is Yes
KB899588 is Yes
KB823980 is Yes

[Image]

As the screenshot above shows, many patches have not been installed, so we can pick the matching Exp based on these KB numbers.
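The one-liner above substring-searches the whole systeminfo dump for each KB, and its `K3134228` entry is missing the `KB` prefix, so `find` can never match it and it is always reported as missing. As an added example that is not part of the original post, the Python below does the same patch audit the defensive way: it parses only the Hotfix(s) entries, normalizes the wanted identifiers, and reports which are absent. The systeminfo text is a constructed sample, not a real host.

```python
import re

# Constructed excerpt of `systeminfo` output (not captured from a real host).
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB3143141
                           [02]: KB2992611
                           [03]: KB982799
Network Card(s):           1 NIC(s) Installed.
"""

# A subset of the KB identifiers the page's one-liner checks, including its
# malformed "K3134228" entry to show that normalization handles it.
WANTED_KBS = ["KB4013389", "KB3143141", "K3134228", "KB2992611", "KB982799", "KB2850851"]

# systeminfo lists installed hotfixes as "[NN]: KBnnnnnn" lines under "Hotfix(s):".
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def installed_hotfixes(systeminfo_text):
    """Return the set of KB ids listed in the Hotfix(s) section, upper-cased."""
    return {m.group(1).upper() for m in HOTFIX_RE.finditer(systeminfo_text)}


def normalize_kb(kb):
    """Canonicalize 'kb123', 'K123' or '123' to 'KB123' so a typo in the wanted
    list does not silently report a patch as missing."""
    digits = re.sub(r"^\s*K?B?", "", kb.strip(), flags=re.IGNORECASE)
    return "KB" + digits


def missing_patches(systeminfo_text, wanted):
    """Return the wanted KBs (normalized) that are not installed, in input order."""
    present = installed_hotfixes(systeminfo_text)
    return [normalize_kb(kb) for kb in wanted if normalize_kb(kb) not in present]


if __name__ == "__main__":
    for kb in missing_patches(SAMPLE_SYSTEMINFO, WANTED_KBS):
        print(f"{kb} is missing")
```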

MS16-032 privilege escalation

This is Windows Server 2008, and it happens that the KB3143141 patch is not installed, so I use MS16-032 to escalate privileges:

[Image]

Running ms16-032.exe directly pops up a DOS window, and it is running with system administrator privileges!