I. Introduction
This article and the series that follows are written for beginners (Xiaobai). First, let's be clear about what we are trying to do. Penetration testing includes, but is not limited to, front-end penetration (web security), post-exploitation and intranet penetration. This is an introductory explanation.
II. What is post-exploitation
We understand that front-end security covers SQL injection, arbitrary file upload, XSS, CSRF, logic vulnerabilities, cross-domain vulnerabilities and so on. We know that the goal is to exploit these vulnerabilities, alone or in combination, to getshell. Here we distinguish getshell from webshell. A webshell is more about obtaining front-end permissions: as the name implies, it is generally limited to adding, deleting and modifying front-end content or files. Getshell means obtaining greater permissions. The general idea is to find vulnerabilities, combine or exploit them to obtain a webshell, back-end (admin panel) permissions or higher, and then expand those "fighting results" further until we getshell.
The paths are as follows:
Vulnerability ---> Back end (admin panel) ---> getshell
or
Vulnerability ---> getshell
III. Permission levels in penetration
1) Back-end (admin panel) permissions 2) Shell permissions 3) Server permissions 4) Domain controller permissions
1) and 2) belong to front-end penetration, 3) and 4) belong to intranet penetration, and 2), 3) and 4) belong to post-exploitation.
IV. Trojan classification
Expanding the "fighting results" described above cannot be done without Trojans (webshells). Below we classify them by language and by Trojan type.
1. Classified by language:
We know that the languages are basically divided into the following types: php, jsp, jspx, aspx, ashx, asp, asa, cer, cdx.
Here is the server environment corresponding to each language:
php: Nginx and Apache
jsp, jspx: Tomcat (Java)
aspx, ashx, asp, asa, cer, cdx: IIS
2. Classified by Trojan type:
One-line Trojan (一句话木马): the code can be a single line; tiny.
Small Trojan (小马): strong concealment, small.
Big Trojan (大马): strong functionality, larger.
In actual penetration testing we often run into interception by all kinds of WAFs, and to prevent others from maliciously using our Trojan, we often obfuscate it. Obfuscation is not described in detail here.
V. Know yourself and know your enemy, and you will never be defeated: system permissions (Windows)
Considering the target audience, Windows is introduced first here; the corresponding knowledge for Linux will be covered later in the red-versus-blue confrontation articles.
1. Permission levels:
System: system permissions; Administrator: administrative permissions (the target of privilege escalation); User: guest-level permissions (an administrator can grant additional permissions)
2. User types:
Administrator: the administrator account; Users: ordinary users
3. Permission inheritance:
That is, whatever permissions are used to launch a command or application, that command or application performs its tasks with those same permissions.
4. IIS-specific permissions (below User):
The picture on the left shows the permission settings of the IIS application pool on a Windows host. The picture on the right is the command interface of the simulated Chopper (菜刀) webshell client. In it we can see the following IIS-specific accounts:
iis apppool\defaultapppool
nt authority\local service
nt authority\network service
nt authority\system
VI. Common cmd commands (viewing and adding user permissions) (follow this article; it will be updated continuously):
whoami: show the current user (current permission level)
net user: list the users
net user <username> <password> /add: add a user with the given password (a password is generally letters + numbers + symbols)
net localgroup <group name> <username> /add: add the specified user to the specified user group
tasklist /svc: list the programs currently running on the computer and the services they correspond to
taskkill /f /im <program name>: end the program with the specified name
taskkill /f /pid <PID>: end the process with the specified PID
netstat -ano: show the state of the network connections on the current computer. LISTENING means the port opened by the current computer is in the listening state; ESTABLISHED means the port is in the working (communicating) state
tasklist /svc | find "string": keep only the output lines containing the specified text
systeminfo: show detailed information about the current computer
quser: query which users are currently logged on (online)
logoff <session ID>: log off the specified user session
shutdown -r: restart the current computer
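As an added example (not part of the original article), the following Python script does by program what the `netstat -ano` and `tasklist /svc | find` combination above does by hand: it joins every listening port to the process and service that own it, so a defender can inventory what a host is exposing and spot a listener that does not belong. The netstat and tasklist text embedded in it is constructed sample output, not captured from a real host.

```python
# Constructed sample output (not captured from a real host), in the format of `netstat -ano` and `tasklist /svc`.
NETSTAT_OUTPUT = """
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED     1012
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2244
  UDP    0.0.0.0:123            *:*                                    1100
"""
TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1012 TermService
w3wp.exe                      2244 N/A
svchost.exe                   1100 W32Time
"""

def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each TCP/UDP row of `netstat -ano`."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and "Active Connections" lines
        port = int(parts[1].rsplit(":", 1)[1])  # works for IPv4 and [::]:port forms
        if parts[0] == "UDP":  # UDP rows have no State column
            rows.append(("UDP", port, "", int(parts[3])))
        else:
            rows.append(("TCP", port, parts[3], int(parts[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # image name, PID, services column
        if len(parts) == 3 and parts[1].isdigit():  # skips header and separator rows
            svcs = [] if parts[2].strip() == "N/A" else parts[2].strip().split(", ")
            procs[int(parts[1])] = (parts[0], svcs)
    return procs

def listening_inventory(netstat_text, tasklist_text):
    """Join every listening socket to the process and services that own it."""
    procs = parse_tasklist(tasklist_text)
    inventory = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED and other non-listening states are dropped
        image, svcs = procs.get(pid, ("<unknown>", []))
        inventory.append({"proto": proto, "port": port, "pid": pid, "image": image, "services": svcs})
    return inventory
```

Run `listening_inventory(NETSTAT_OUTPUT, TASKLIST_OUTPUT)` to get one record per exposed port; a PID that is not found in the tasklist output is reported as `<unknown>` rather than dropped.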