
关于 Web 渗透中的一些记录

发布时间: 2012-09-27 11:11:17 作者: rapoo

关于 Web 渗透中的一些记录

1. 当拿到 Linux root shell 时，采用如下语句可以添加管理员账户

写道：

这个比较方便

?

?

3. SSH 端口转发代理，这个作用大家都懂的

第一种可以利用 Windows 下的客户端，例如 SecureCRT 中的

Session Options 中的 Port Forwarding


关于 Web 渗透中的一些记录

第二种就是自己手动敲命令了（ssh 的 -L / -R / -D 参数）

http://7056824.blog.51cto.com/69854/279714

这篇讲得还是蛮细的。

基本上就是下面这个最简 SOCKS5 代理脚本（注意：它不做任何认证，且默认监听所有网卡的 2013 端口，等于一个开放代理；建议只绑定 127.0.0.1，再通过 SSH 端口转发访问）：

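#!/usr/bin/env python3
# coding=utf-8
"""Minimal SOCKS5 (RFC 1928) proxy: CONNECT only, no authentication.

Per connection the handler performs the three protocol steps:
  1. method selection  - the client must offer NO AUTHENTICATION (0x00);
  2. request           - CONNECT to an IPv4, IPv6 or domain-name target;
  3. relay             - bytes are copied both ways until either side closes.

Security note (review): no authentication is offered, so anyone who can reach
the listening port can relay TCP through this host and into the network it
sits on.  main() binds every interface ('') by default; for a pivot, bind
127.0.0.1 and reach the port through an SSH port forward (ssh -L), or
firewall the port to the operator's address.
"""
import select
import socket
import socketserver
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
ATYP_IPV6 = 4
REP_SUCCESS = 0x00
REP_CONNECTION_REFUSED = 0x05       # the original used this for every connect failure
REP_COMMAND_NOT_SUPPORTED = 0x07
REP_ADDRESS_TYPE_NOT_SUPPORTED = 0x08
RELAY_BUFSIZE = 4096
LISTEN_PORT = 2013


class ProtocolError(ValueError):
    """Malformed or unsupported client message.

    `rep` is the SOCKS reply code the handler should still send, or None when
    a reply has already been written (or none is appropriate).
    """

    def __init__(self, message, rep=None):
        super().__init__(message)
        self.rep = rep


class ThreadingTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """One thread per client."""
    # Daemon threads let Ctrl-C stop the server while relays are still open;
    # SO_REUSEADDR lets it restart without waiting out TIME_WAIT.
    daemon_threads = True
    allow_reuse_address = True


def _read_exact(rfile, n):
    """Return exactly n bytes from rfile; raise ProtocolError if the peer closed early."""
    data = rfile.read(n)
    if len(data) != n:
        raise ProtocolError('peer closed mid-message (wanted %d bytes, got %d)'
                            % (n, len(data)))
    return data


def negotiate_method(rfile, wfile):
    """Handle the SOCKS5 method-selection exchange.

    Reads VER NMETHODS METHODS... and answers 05 00 when the client offers
    NO AUTHENTICATION; otherwise answers 05 FF and raises ProtocolError.
    (The original swallowed up to 262 bytes and always answered 05 00, so it
    also "accepted" clients that offered only username/password auth.)
    """
    ver, nmethods = _read_exact(rfile, 2)
    methods = _read_exact(rfile, nmethods)
    if ver != SOCKS_VERSION or METHOD_NO_AUTH not in methods:
        wfile.write(bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE]))
        raise ProtocolError('unsupported SOCKS version %d or auth methods %r'
                            % (ver, methods))
    wfile.write(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))


def read_request(rfile):
    """Parse the SOCKS5 request header and return (cmd, addr, port).

    addr is a dotted IPv4 string, an IPv6 text address or a domain name.
    Raises ProtocolError on a truncated header, wrong version or unknown ATYP
    (the original left `addr` unbound for ATYP 4 and died with NameError).
    """
    ver, cmd, _rsv, atyp = _read_exact(rfile, 4)
    if ver != SOCKS_VERSION:
        raise ProtocolError('bad SOCKS version %d in request' % ver)
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(_read_exact(rfile, 4))
    elif atyp == ATYP_DOMAIN:
        length = _read_exact(rfile, 1)[0]
        # Hostnames on the wire are ASCII; a non-ASCII label raises
        # UnicodeDecodeError (a ValueError) and the handler drops the client.
        addr = _read_exact(rfile, length).decode('ascii')
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, _read_exact(rfile, 16))
    else:
        raise ProtocolError('unsupported address type %d' % atyp,
                            REP_ADDRESS_TYPE_NOT_SUPPORTED)
    port = struct.unpack('!H', _read_exact(rfile, 2))[0]
    return cmd, addr, port


def build_reply(rep, bind_addr=('0.0.0.0', 0)):
    """Build a SOCKS5 reply: VER REP RSV ATYP BND.ADDR BND.PORT.

    bind_addr is the (host, port) of the proxy-side socket for a success
    reply; the all-zero IPv4 default is what error replies carry.  IPv6 hosts
    are encoded with ATYP 4 (the original assumed IPv4 and would have raised
    on a ':' in the address).
    """
    host, port = bind_addr
    host = host.split('%', 1)[0]  # drop a link-local scope id, which inet_pton rejects
    if ':' in host:
        atyp, packed = ATYP_IPV6, socket.inet_pton(socket.AF_INET6, host)
    else:
        atyp, packed = ATYP_IPV4, socket.inet_aton(host)
    return (struct.pack('!BBBB', SOCKS_VERSION, rep, 0, atyp)
            + packed + struct.pack('!H', port))


def relay(sock, remote):
    """Copy bytes between sock and remote until either side closes (recv -> b'').

    sendall() is used so a partial send() cannot silently drop bytes.
    """
    peer = {sock: remote, remote: sock}
    while True:
        readable, _, _ = select.select(list(peer), [], [])
        for src in readable:
            data = src.recv(RELAY_BUFSIZE)
            if not data:
                return
            peer[src].sendall(data)


class Socks5Server(socketserver.StreamRequestHandler):
    """Handle one SOCKS5 client: negotiate, connect, relay."""

    def handle(self):
        print('socks connection from ', self.client_address)
        remote = None
        try:
            try:
                negotiate_method(self.rfile, self.wfile)
                cmd, addr, port = read_request(self.rfile)
            except ValueError as exc:
                rep = getattr(exc, 'rep', None)
                if rep is not None:
                    self.wfile.write(build_reply(rep))
                print('bad request from', self.client_address, exc)
                return
            if cmd != CMD_CONNECT:
                # BIND (2) and UDP ASSOCIATE (3) are not implemented.  The
                # original set this reply but then crashed on an unbound `remote`.
                self.wfile.write(build_reply(REP_COMMAND_NOT_SUPPORTED))
                return
            try:
                remote = socket.create_connection((addr, port))
            except OSError:
                # Any connect failure (refused, unreachable, DNS) is reported as
                # "connection refused", matching the original's single error code.
                self.wfile.write(build_reply(REP_CONNECTION_REFUSED))
                return
            print('Tcp connect to', addr, port)
            self.wfile.write(build_reply(REP_SUCCESS, remote.getsockname()[:2]))
            relay(self.connection, remote)
        except OSError:
            print('socket error')
        finally:
            if remote is not None:
                remote.close()


def main(host='', port=LISTEN_PORT):
    """Serve forever on (host, port).

    '' binds every interface; read the module docstring before exposing an
    unauthenticated proxy that way.
    """
    server = ThreadingTCPServer((host, port), Socks5Server)
    server.serve_forever()


if __name__ == '__main__':
    main()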

?

HTTP 代理（同样没有认证；脚本 __main__ 里 host='' 会监听所有网卡，而 CONNECT 可以打到任意 host:port，包括内网服务，所以只建议绑定本机并放在 SSH 隧道后面使用）

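# -*- coding: utf-8 -*-
# <PythonProxy.py>
#
#Copyright (c) <2009> <Fábio Domingues - fnds3000 in gmail.com>
#
#Permission is hereby granted, free of charge, to any person
#obtaining a copy of this software and associated documentation
#files (the "Software"), to deal in the Software without
#restriction, including without limitation the rights to use,
#copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the
#Software is furnished to do so, subject to the following
#conditions:
#
#The above copyright notice and this permission notice shall be
#included in all copies or substantial portions of the Software.
#
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
#EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
#OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
#NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
#HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
#WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
#FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
#OTHER DEALINGS IN THE SOFTWARE.

"""\
Copyright (c) <2009> <Fábio Domingues - fnds3000 in gmail.com> <MIT Licence>

                  **************************************
                 *** Python Proxy - A Fast HTTP proxy ***
                  **************************************

Right now this proxy behaves as an "elite" proxy: it forwards the client's
headers untouched and adds none of its own, so the origin server is not told a
proxy is in use and never receives the client's IP address.  (A client that
itself sends e.g. "Proxy-Connection" still reveals that it is using a proxy.)

Supported HTTP methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT.

Supports:
 - client connections over IPv4 or IPv6;
 - target connections over IPv4 and IPv6;
 - any TCP stream via CONNECT tunneling, e.g. TLS as used by HTTPS.

Still to do:
 - write an error log file;
 - review the structure and naming;
 - anonymous and transparent proxy modes (only meaningful for non-CONNECT
   requests; CONNECT is always "elite");
 - FTP?

What distinguishes elite, anonymous and transparent proxies?
 - An elite proxy is fully anonymous: the origin cannot tell a proxy exists
   and does not get the client's IP address.
 - With an anonymous proxy the origin knows a proxy is in use but not the
   client's IP address; the "Proxy-agent" header is sent.
 - A transparent proxy gives the origin the client's IP address and says a
   proxy is in use; the "Proxy-agent" and "X-Forwarded-For" headers are sent.

Security note (review): there is no authentication and no destination
allow-list.  Whoever can reach the listening port can send HTTP requests and
open CONNECT tunnels to any host:port reachable from this machine, including
internal services.  start_server() defaults to 'localhost'; the __main__
block below overrides that with '' (all interfaces).  Keep it on 127.0.0.1
and reach it through an SSH port forward unless the port is firewalled.
"""

import select
import socket
import threading

__version__ = '0.1.0 Draft 1'
BUFLEN = 8192
VERSION = 'Python Proxy/' + __version__
HTTPVER = 'HTTP/1.1'
# Methods forwarded with a rewritten request line; CONNECT is tunnelled and
# anything else is dropped without a response (as in the original).
FORWARDED_METHODS = ('OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE')
# Cap on the request line so a client cannot make us buffer without bound.
MAX_REQUEST_LINE = 64 * 1024


def split_host_port(hostport, default_port=80):
    """Split 'host[:port]' into (host, port).

    Bracketed IPv6 literals ('[::1]:3128') are unwrapped; the original used
    the first ':' and so mis-parsed them.  Raises ValueError on an empty host,
    a non-numeric port or a port outside 0..65535.
    """
    if hostport.startswith('['):
        close = hostport.find(']')
        if close == -1:
            raise ValueError('unterminated IPv6 literal: %r' % hostport)
        host, rest = hostport[1:close], hostport[close + 1:]
        if rest and not rest.startswith(':'):
            raise ValueError('unexpected text after IPv6 literal: %r' % hostport)
        port_text = rest[1:]
    else:
        host, sep, port_text = hostport.rpartition(':')
        if not sep:
            host, port_text = hostport, ''
    if not host:
        raise ValueError('empty host in %r' % hostport)
    if not port_text:
        return host, default_port
    port = int(port_text)  # ValueError propagates for non-numeric text
    if not 0 <= port <= 65535:
        raise ValueError('port out of range: %d' % port)
    return host, port


def split_absolute_url(url):
    """Split an absolute-form target 'http://host[:port]/path' into (hostport, path).

    The path defaults to '/' when the client sent none, so the origin gets a
    valid request line.  Raises ValueError for anything that is not an
    http:// URL (the original blindly chopped seven characters off).
    """
    if url[:7].lower() != 'http://':
        raise ValueError('only absolute-form http:// targets are supported: %r' % url)
    hostport, slash, path = url[7:].partition('/')
    return hostport, (slash + path) if slash else '/'


class ConnectionHandler:
    """Serve one client connection: parse the request line, connect to the
    target, then relay bytes both ways until idle or either side closes.

    All work happens in __init__ because start_server() uses the class itself
    as the thread target with (connection, address, timeout); that calling
    convention is kept so custom `handler` callables keep working.  Both
    sockets are always closed on exit — the original leaked the client socket
    on any exception and raised AttributeError on an unknown method.
    """

    def __init__(self, connection, address, timeout):
        self.client = connection
        self.address = address
        self.client_buffer = b''
        self.timeout = timeout
        self.target = None
        try:
            self.method, self.path, self.protocol = self.get_base_header()
            if self.method == 'CONNECT':
                self.method_CONNECT()
            elif self.method in FORWARDED_METHODS:
                self.method_others()
            # Unknown methods fall through: the connection is closed without a
            # response, exactly as before.
        except (OSError, ValueError) as exc:
            # Malformed request line, unresolvable/refused target, or a socket
            # error mid-transfer: log and drop the client.
            print('%s: %s' % (address, exc))  # debug
        finally:
            self.client.close()
            if self.target is not None:
                self.target.close()

    def get_base_header(self):
        """Read the request line and return [method, target, protocol].

        Bytes after the line stay in self.client_buffer (they are the headers
        and body that method_others forwards).  Raises ValueError on EOF
        before a newline, on an over-long line, or on a line without exactly
        three tokens — the original spun forever on a client that closed
        without sending a newline (recv() kept returning b'').
        """
        while True:
            end = self.client_buffer.find(b'\n')
            if end != -1:
                break
            if len(self.client_buffer) >= MAX_REQUEST_LINE:
                raise ValueError('request line longer than %d bytes' % MAX_REQUEST_LINE)
            chunk = self.client.recv(BUFLEN)
            if not chunk:
                raise ValueError('client closed before sending a request line')
            self.client_buffer += chunk
        line = self.client_buffer[:end + 1]
        self.client_buffer = self.client_buffer[end + 1:]
        print(line.rstrip(b'\r\n').decode('latin-1'))  # debug
        parts = line.decode('latin-1').split()  # latin-1 is lossless for raw bytes
        if len(parts) != 3:
            raise ValueError('malformed request line: %r' % line)
        return parts

    def method_CONNECT(self):
        """Open a raw TCP tunnel to the requested host:port (TLS passes through untouched).

        The response uses CRLF line endings as HTTP requires; the original sent
        bare LF, which strict clients may reject.
        """
        self._connect_target(self.path)
        response = ('%s 200 Connection established\r\n'
                    'Proxy-agent: %s\r\n\r\n' % (HTTPVER, VERSION))
        self.client.sendall(response.encode('latin-1'))
        # Whatever followed the CONNECT line (its headers) is discarded, as in
        # the original.  NOTE(review): bytes the client pipelined after the
        # blank line would be lost too; a stricter version should parse up to
        # the blank line and forward the remainder into the tunnel.
        self.client_buffer = b''
        self._read_write()

    def method_others(self):
        """Forward a plain HTTP request: rewrite the absolute-form target to
        origin-form, connect to the named host, and relay from there on.

        The already-buffered header/body bytes are passed through unchanged.
        """
        hostport, path = split_absolute_url(self.path)
        self._connect_target(hostport)
        request_line = '%s %s %s\r\n' % (self.method, path, self.protocol)
        self.target.sendall(request_line.encode('latin-1') + self.client_buffer)
        self.client_buffer = b''
        self._read_write()

    def _connect_target(self, host):
        """Connect self.target to 'host[:port]' (default port 80), IPv4 or IPv6.

        create_connection() tries every resolved address instead of only the
        first getaddrinfo() result and bounds the connect by self.timeout so a
        black-holed target cannot pin the thread forever.  OSError and
        ValueError propagate to __init__.
        """
        hostname, port = split_host_port(host)
        self.target = socket.create_connection((hostname, port), timeout=self.timeout)
        self.target.settimeout(None)  # back to blocking; _read_write uses select for idleness

    def _read_write(self):
        """Relay bytes between client and target until either side closes,
        select() reports an error, or nothing arrives for self.timeout seconds.

        The idle limit is counted as timeout/3 consecutive 3-second select()
        timeouts, as in the original; the comparison is '>=' because with
        true division a timeout not divisible by 3 never hit '=='.  A recv()
        returning b'' (peer closed) ends the relay instead of looping until
        the idle counter expires.
        """
        time_out_max = self.timeout / 3
        socs = [self.client, self.target]
        count = 0
        while True:
            count += 1
            readable, _, errored = select.select(socs, [], socs, 3)
            if errored:
                break
            for in_ in readable:
                data = in_.recv(BUFLEN)
                if not data:
                    return  # peer closed
                out = self.target if in_ is self.client else self.client
                out.sendall(data)  # sendall: a short send() would drop bytes
                count = 0
            if count >= time_out_max:
                break


def start_server(host='localhost', port=8082, IPv6=False, timeout=60,
                 handler=ConnectionHandler):
    """Accept connections forever, one daemon thread per client.

    Security: there is no authentication and no destination allow-list —
    whoever can reach `port` can send HTTP/CONNECT traffic from this host
    (including into its internal network).  Keep the default 'localhost' bind
    and reach it over an SSH port forward; bind '' only behind a firewall.
    """
    soc_type = socket.AF_INET6 if IPv6 else socket.AF_INET
    soc = socket.socket(soc_type)
    soc.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # restart without waiting out TIME_WAIT
    soc.bind((host, port))
    print("Serving on %s:%d." % (host, port))  # debug
    soc.listen(5)  # the original used 0; a small backlog avoids dropping a burst of clients
    while True:
        conn, addr = soc.accept()
        threading.Thread(target=handler, args=(conn, addr, timeout), daemon=True).start()


if __name__ == '__main__':
    # '' = every interface: this exposes an unauthenticated open proxy.  Use
    # host='127.0.0.1' plus an SSH port forward unless the port is firewalled.
    start_server(host='', port=8082)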

?

4. 第四个其实是 MySQL UDF 提权，有空再写吧。

