{"id":155,"date":"2023-08-15T01:00:00","date_gmt":"2023-08-14T17:00:00","guid":{"rendered":"http:\/\/www.redspear.cn\/index.php\/2023\/08\/15\/%e5%b8%b8%e7%94%a8%e7%ab%af%e5%8f%a3%e5%8f%b7%e5%8f%8a%e5%88%a9%e7%94%a8%e6%96%b9%e5%bc%8f\/"},"modified":"2026-06-01T19:10:52","modified_gmt":"2026-06-01T11:10:52","slug":"%e5%b8%b8%e7%94%a8%e7%ab%af%e5%8f%a3%e5%8f%b7%e5%8f%8a%e5%88%a9%e7%94%a8%e6%96%b9%e5%bc%8f","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2023\/08\/15\/%e5%b8%b8%e7%94%a8%e7%ab%af%e5%8f%a3%e5%8f%b7%e5%8f%8a%e5%88%a9%e7%94%a8%e6%96%b9%e5%bc%8f\/","title":{"rendered":"\u5e38\u7528\u7aef\u53e3\u53f7\u53ca\u5229\u7528\u65b9\u5f0f"},"content":{"rendered":"

\u5e38\u7528\u7aef\u53e3\u53f7\u53ca\u5229\u7528\u65b9\u5f0f<\/h1>\n

\u6982\u8ff0<\/h2>\n

\u5728\u6e17\u900f\u6d4b\u8bd5\u4e2d\uff0c\u4e86\u89e3\u5e38\u89c1\u7aef\u53e3\u5bf9\u5e94\u7684\u670d\u52a1\u53ca\u5176\u5229\u7528\u65b9\u5f0f\u662f\u4fe1\u606f\u6536\u96c6\u7684\u91cd\u8981\u73af\u8282\u3002\u672c\u6587\u6574\u7406\u4e86\u5e38\u7528\u7aef\u53e3\u3001\u5bf9\u5e94\u670d\u52a1\u4ee5\u53ca\u5e38\u89c1\u7684\u653b\u51fb\u5229\u7528\u65b9\u5411\u3002<\/p>\n

\u4e00\u3001\u6587\u4ef6\u5171\u4eab\u670d\u52a1\u7aef\u53e3<\/h2>\n\n\n\n\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
21<\/td>\nFTP<\/td>\n\u533f\u540d\u767b\u5f55\u3001\u7206\u7834\u3001\u55c5\u63a2<\/td>\n<\/tr>\n
22<\/td>\nSSH<\/td>\n\u7206\u7834\u3001\u96a7\u9053\u8f6c\u53d1\u3001\u6587\u4ef6\u4f20\u8f93<\/td>\n<\/tr>\n
69<\/td>\nTFTP<\/td>\n\u533f\u540d\u4e0a\u4f20\u4e0b\u8f7d\u3001\u7206\u7834<\/td>\n<\/tr>\n
139<\/td>\nSamba<\/td>\n\u7206\u7834\u3001\u672a\u6388\u6743\u8bbf\u95ee\u3001\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c<\/td>\n<\/tr>\n
445<\/td>\nSMB<\/td>\n\u5171\u4eab\u6587\u4ef6\u5939\u3001\u6c38\u6052\u4e4b\u84dd\uff08MS17-010\uff09<\/td>\n<\/tr>\n
2049<\/td>\nNFS<\/td>\n\u914d\u7f6e\u4e0d\u5f53\u3001\u6302\u8f7d\u5171\u4eab<\/td>\n<\/tr>\n
389<\/td>\nLDAP<\/td>\n\u6ce8\u5165\u3001\u533f\u540d\u8bbf\u95ee\u3001\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n<\/table>\n

\u91cd\u70b9\u7aef\u53e3\u8be6\u89e3<\/h3>\n

445\u7aef\u53e3\uff08SMB\uff09<\/h4>\n
# \u68c0\u6d4b\u6f0f\u6d1e\nnmap --script smb-vuln* -p 445 target\n\n# \u5e38\u89c1\u6f0f\u6d1e\nMS17-010\uff08\u6c38\u6052\u4e4b\u84dd\uff09\nMS08-067\n\n# \u5229\u7528\u5de5\u5177\nmsfconsole\nuse exploit\/windows\/smb\/ms17_010_eternalblue<\/code><\/pre>\n
\u4e8c\u3001\u8fdc\u7a0b\u8fde\u63a5\u670d\u52a1\u7aef\u53e3<\/h2>\n\n\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
22<\/td>\nSSH<\/td>\n\u7206\u7834\u3001SSH\u96a7\u9053<\/td>\n<\/tr>\n
23<\/td>\nTelnet<\/td>\n\u7206\u7834\u3001\u55c5\u63a2\u3001\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n
3389<\/td>\nRDP<\/td>\nShift\u540e\u95e8\u3001\u7206\u7834\u3001\u84dd\u5c4f\u6f0f\u6d1e<\/td>\n<\/tr>\n
5900<\/td>\nVNC<\/td>\n\u5f31\u53e3\u4ee4\u7206\u7834<\/td>\n<\/tr>\n
5632<\/td>\nPyAnywhere<\/td>\n\u6293\u5bc6\u7801\u3001\u4ee3\u7801\u6267\u884c<\/td>\n<\/tr>\n<\/table>\n
\u91cd\u70b9\u7aef\u53e3\u8be6\u89e3<\/h3>\n
3389\u7aef\u53e3\uff08RDP\uff09<\/h4>\n
# \u68c0\u6d4b\u6f0f\u6d1e\nnmap --script rdp-vuln* -p 3389 target\n\n# \u5e38\u89c1\u6f0f\u6d1e\nCVE-2019-0708\uff08BlueKeep\uff09\nShift\u540e\u95e8\uff08Win2003\u4ee5\u4e0b\uff09\n\n# \u7206\u7834\u5de5\u5177\nHydra\uff1ahydra -l admin -P pass.txt rdp:\/\/target<\/code><\/pre>\n
\u4e09\u3001Web\u5e94\u7528\u670d\u52a1\u7aef\u53e3<\/h2>\n\n\n\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
80\/443<\/td>\nHTTP\/HTTPS<\/td>\nWeb\u653b\u51fb\u3001\u7206\u7834<\/td>\n<\/tr>\n
8080<\/td>\nTomcat\/JBoss<\/td>\n\u53cd\u5e8f\u5217\u5316\u3001\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n
7001\/7002<\/td>\nWebLogic<\/td>\n\u53cd\u5e8f\u5217\u5316\u3001\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n
8089<\/td>\nJenkins<\/td>\n\u672a\u6388\u6743\u3001\u53cd\u5e8f\u5217\u5316<\/td>\n<\/tr>\n
9090<\/td>\nWebSphere<\/td>\n\u53cd\u5e8f\u5217\u5316\u3001\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n
4848<\/td>\nGlassFish<\/td>\n\u5f31\u53e3\u4ee4<\/td>\n<\/tr>\n<\/table>\n
\u91cd\u70b9\u7aef\u53e3\u8be6\u89e3<\/h3>\n
8080\u7aef\u53e3\uff08Tomcat\uff09<\/h4>\n
# \u9ed8\u8ba4\u540e\u53f0\nhttp:\/\/target:8080\/manager\/html\n\n# \u9ed8\u8ba4\u8d26\u53f7\u5bc6\u7801\ntomcat:tomcat\nadmin:admin\nmanager:manager\n\n# \u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\nPUT\u65b9\u6cd5\u4e0a\u4f20Webshell<\/code><\/pre>\n
7001\u7aef\u53e3\uff08WebLogic\uff09<\/h4>\n
# \u63a7\u5236\u53f0\u5730\u5740\nhttp:\/\/target:7001\/console\n\n# \u5e38\u89c1\u6f0f\u6d1e\nCVE-2019-2890\uff08\u53cd\u5e8f\u5217\u5316\uff09\nCVE-2023-21839\uff08RCE\uff09\n\n# \u68c0\u6d4b\n\u8bbf\u95ee \/_async\/AsyncResponseService<\/code><\/pre>\n
\u56db\u3001\u6570\u636e\u5e93\u670d\u52a1\u7aef\u53e3<\/h2>\n\n\n\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
1433<\/td>\nMSSQL<\/td>\n\u6ce8\u5165\u3001\u63d0\u6743\u3001\u7206\u7834<\/td>\n<\/tr>\n
1521<\/td>\nOracle<\/td>\nTNS\u7206\u7834\u3001\u6ce8\u5165\u3001\u53cd\u5f39Shell<\/td>\n<\/tr>\n
3306<\/td>\nMySQL<\/td>\n\u6ce8\u5165\u3001\u63d0\u6743\u3001\u7206\u7834\u3001UDF\u63d0\u6743<\/td>\n<\/tr>\n
5432<\/td>\nPostgreSQL<\/td>\n\u7206\u7834\u3001\u6ce8\u5165\u3001\u547d\u4ee4\u6267\u884c<\/td>\n<\/tr>\n
27017\/27018<\/td>\nMongoDB<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee\u3001\u7206\u7834<\/td>\n<\/tr>\n
6379<\/td>\nRedis<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee\u3001\u5199Webshell<\/td>\n<\/tr>\n<\/table>\n
\u91cd\u70b9\u7aef\u53e3\u8be6\u89e3<\/h3>\n
6379\u7aef\u53e3\uff08Redis\uff09<\/h4>\n
# \u68c0\u6d4b\u672a\u6388\u6743\nredis-cli -h target\n\n# \u5229\u7528\u65b9\u5f0f\n1. \u5199Webshell\n2. \u5199SSH\u516c\u94a5\n3. \u5199\u5b9a\u65f6\u4efb\u52a1\u53cd\u5f39Shell\n\n# \u5199Webshell\nconfig set dir \/var\/www\/html\nconfig set dbfilename shell.php\nset x \"\"\nsave<\/code><\/pre>\n
3306\u7aef\u53e3\uff08MySQL\uff09<\/h4>\n
# \u7206\u7834\nhydra -l root -P pass.txt mysql:\/\/target\n\n# UDF\u63d0\u6743\nSELECT @@basedir;\n# \u4e0a\u4f20udf.dll\u5230plugin\u76ee\u5f55\nCREATE FUNCTION sys_exec RETURNS STRING SONAME 'udf.dll';<\/code><\/pre>\n
\u4e94\u3001\u90ae\u4ef6\u670d\u52a1\u7aef\u53e3<\/h2>\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
25<\/td>\nSMTP<\/td>\n\u90ae\u4ef6\u4f2a\u9020\u3001\u4e2d\u7ee7<\/td>\n<\/tr>\n
110<\/td>\nPOP3<\/td>\n\u7206\u7834\u3001\u55c5\u63a2<\/td>\n<\/tr>\n
143<\/td>\nIMAP<\/td>\n\u7206\u7834<\/td>\n<\/tr>\n<\/table>\n
\u516d\u3001\u5176\u4ed6\u5e38\u89c1\u7aef\u53e3<\/h2>\n\n\n\n\n\n\n\n\n\n
\u7aef\u53e3<\/th>\n\u670d\u52a1<\/th>\n\u5229\u7528\u65b9\u5411<\/th>\n<\/tr>\n
2181<\/td>\nZooKeeper<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee<\/td>\n<\/tr>\n
2375<\/td>\nDocker<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee\u3001\u5bb9\u5668\u9003\u9038<\/td>\n<\/tr>\n
5601<\/td>\nKibana<\/td>\n\u6587\u4ef6\u8bfb\u53d6\u3001RCE<\/td>\n<\/tr>\n
8848<\/td>\nNacos<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee\u3001RCE<\/td>\n<\/tr>\n
9200<\/td>\nElasticsearch<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee\u3001\u547d\u4ee4\u6267\u884c<\/td>\n<\/tr>\n
11211<\/td>\nMemcached<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee<\/td>\n<\/tr>\n
50070<\/td>\nHDFS<\/td>\n\u672a\u6388\u6743\u8bbf\u95ee<\/td>\n<\/tr>\n<\/table>\n
\u4e03\u3001\u7aef\u53e3\u626b\u63cf\u547d\u4ee4<\/h2>\n
Nmap\u626b\u63cf<\/h3>\n
# \u5168\u7aef\u53e3\u626b\u63cf\nnmap -sV -sC -p 1-65535 target\n\n# \u5feb\u901f\u626b\u63cf\u5e38\u7528\u7aef\u53e3\nnmap -sV -top-ports 1000 target\n\n# \u6307\u5b9a\u7aef\u53e3\u626b\u63cf\nnmap -sV -p 22,80,443,3306 target\n\n# UDP\u626b\u63cf\nnmap -sU -top-ports 100 target<\/code><\/pre>\n
Masscan\u5feb\u901f\u626b\u63cf<\/h3>\n
# \u5feb\u901f\u626b\u63cf\u6307\u5b9a\u7aef\u53e3\nmasscan target -p 80,443,8080 --rate=10000\n\n# \u5168\u7aef\u53e3\u626b\u63cf\nmasscan target -p 1-65535 --rate=10000<\/code><\/pre>\n
\u603b\u7ed3<\/h2>\n
\u7aef\u53e3\u5229\u7528\u7684\u5173\u952e\u70b9\uff1a<\/p>\n
    \n
  1. \u8bc6\u522b\u670d\u52a1\uff1a<\/strong>\u786e\u5b9a\u7aef\u53e3\u5bf9\u5e94\u7684\u670d\u52a1\u548c\u7248\u672c<\/li>\n
  2. \u67e5\u627e\u6f0f\u6d1e\uff1a<\/strong>\u6839\u636e\u670d\u52a1\u7248\u672c\u67e5\u627e\u5df2\u77e5\u6f0f\u6d1e<\/li>\n
  3. \u5f31\u53e3\u4ee4\u7206\u7834\uff1a<\/strong>\u5c1d\u8bd5\u9ed8\u8ba4\u8d26\u53f7\u5bc6\u7801<\/li>\n
  4. \u672a\u6388\u6743\u8bbf\u95ee\uff1a<\/strong>\u68c0\u67e5\u662f\u5426\u9700\u8981\u8ba4\u8bc1<\/li>\n
  5. \u5229\u7528\u5de5\u5177\uff1a<\/strong>\u4f7f\u7528Metasploit\u7b49\u5de5\u5177\u5229\u7528\u6f0f\u6d1e<\/li>\n<\/ol>\n
    \n
    \u672c\u6587\u4e3a\u4e2a\u4eba\u5b66\u4e60\u7b14\u8bb0\uff0c\u6574\u7406\u4e86\u5e38\u7528\u7aef\u53e3\u53ca\u5176\u5229\u7528\u65b9\u5f0f\uff0c\u4f9b\u6e17\u900f\u6d4b\u8bd5\u53c2\u8003\u3002<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
    \u5e38\u7528\u7aef\u53e3\u53f7\u53ca\u5229\u7528\u65b9\u5f0f \u6982\u8ff0 \u5728\u6e17\u900f\u6d4b\u8bd5\u4e2d\uff0c\u4e86\u89e3\u5e38\u89c1\u7aef\u53e3\u5bf9\u5e94\u7684\u670d\u52a1\u53ca\u5176\u5229\u7528\u65b9\u5f0f\u662f\u4fe1\u606f\u6536\u96c6\u7684\u91cd\u8981\u73af\u8282\u3002\u672c\u6587\u6574\u7406\u4e86\u5e38 … <\/p>\n","protected":false},"author":3,"featured_media":176,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pentest-basic"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":1,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":160,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/155\/revisions\/160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/176"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}