[Repost] "White Hat Hacker Growth Diary": Windows Privilege Escalation Fundamentals (Part 1)

https://www.cnblogs.com/ichunqiu/p/10949592.html

We usually assume that a properly configured Windows system is secure, but is that really the case? Today, let's follow the author into the dark corners of the Windows operating system and see whether we can obtain SYSTEM privileges.

The author uses different versions of Windows to highlight any command-line differences that may exist. Keep in mind that differences between operating systems and versions will show up on the command line; the author has tried to structure this tutorial so that it applies to the most common Windows privilege escalation approaches.

Note: this article is fairly long; reading time is about 10 minutes.

Recommended supplementary reading:

Encyclopaedia Of Windows Privilege Escalation (Brett Moore)

Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)

Elevating privileges by exploiting weak folder permissions (Parvez Anwar)

Translator's note: the original author mentions meterpreter; meterpreter can be compared to sqlmap for SQL injection exploitation. After obtaining a meterpreter shell, you can enter the command getsystem, which completes the privilege escalation automatically.

Stages t0-t3: initial information gathering methods

The starting point is a low-privileged shell, which may have been obtained through remote code execution, phishing, or a reverse shell.

In this earliest stage, we want to quickly gather some basic information to assess our environment.

Step one: identify the operating system we are connected to.

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601

Next, we look at the hostname and the user we are connected as.

C:\Windows\system32> hostname
b33f
C:\Windows\system32> echo %username%
user1

Now that we have some basic information, let's list the other user accounts and look at our own user in more detail.

Here we see that user1 is not a member of the local Administrators group.

C:\Windows\system32> net users
User accounts for \\B33F
-------------------------------------------------------------------------------
Administrator b33f Guest
user1
The command completed successfully.
C:\Windows\system32> net user user1
User name user1
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2014 7:47:14 PM
Password expires Never
Password changeable 1/11/2014 7:47:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
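As an added example (not part of the original post), the following Python parses the `net user <name>` output shown above and answers the question the author checks by eye: which local groups the account belongs to, and whether Administrators is among them. The user1 listing is the page's, re-aligned with the column spacing cmd.exe actually prints; the second account (b33f, with several groups wrapped over two lines) is constructed to exercise the multi-line case. On a live host the text would come from subprocess.check_output, which is left out so the block runs offline.

```python
import re

# `net user user1` output as shown on the page, re-aligned with the column
# spacing cmd.exe actually prints (constructed sample, not a live capture).
NET_USER_USER1 = """\
User name                    user1
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/11/2014 7:47:14 PM
Password expires             Never
Password changeable          1/11/2014 7:47:14 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/11/2014 8:05:09 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

# Constructed second account whose group list wraps onto a continuation line.
NET_USER_B33F = """\
User name                    b33f
Account active               Yes
Password required            Yes
Local Group Memberships      *Administrators       *Remote Desktop Users
                             *Users
Global Group memberships     *None
The command completed successfully.
"""

# Field name, then optionally two-or-more spaces of padding and the value.
KEY_VALUE = re.compile(r"^(\S.*?)(?:\s{2,}(.*))?$")


def parse_net_user(text):
    """Return a `net user <name>` listing as {field name: value}.

    Lines that begin with whitespace continue the previous field; group
    memberships wrap that way when an account is in several groups.
    """
    fields, last_key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line[0].isspace():
            if last_key is not None:
                fields[last_key] += " " + line.strip()
            continue
        m = KEY_VALUE.match(line)
        key = m.group(1).strip()
        fields[key] = (m.group(2) or "").strip()
        last_key = key
    return fields


def local_groups(fields):
    """Each group name is prefixed with '*'; splitting on that keeps names with spaces intact."""
    return [g.strip() for g in re.findall(r"\*([^*]+)", fields.get("Local Group Memberships", ""))]


def is_local_admin(fields):
    return "Administrators" in local_groups(fields)


if __name__ == "__main__":
    for listing in (NET_USER_USER1, NET_USER_B33F):
        f = parse_net_user(listing)
        print(f["User name"], local_groups(f), "admin" if is_local_admin(f) else "not admin")
```

Splitting on the `*` prefix rather than on whitespace matters because built-in group names such as "Remote Desktop Users" contain spaces; a whitespace split would silently report three groups where there is one.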

That is all we need to know about users and permissions for now. Next we turn to the network: interfaces, connected devices, and the corresponding firewall rules.

First, look at the available network interfaces and the routing table.

C:\Windows\system32> ipconfig /all
Windows IP Configuration
 Host Name . . . . . . . . . . . . : b33f
 Primary Dns Suffix . . . . . . . :
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Bluetooth Network Connection:
 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
 Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
 Physical Address. . . . . . . . . : 00-0C-29-56-79-35
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
 IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
 Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
 Default Gateway . . . . . . . . . : 192.168.0.1
 DHCP Server . . . . . . . . . . . : 192.168.0.1
 DHCPv6 IAID . . . . . . . . . . . : 234884137
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
 DNS Servers . . . . . . . . . . . : 192.168.0.1
 NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Windows\system32> route print
===========================================================================
Interface List
 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
 1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
 192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
 192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
 192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
 224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
 255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
 None
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination Gateway
 14 58 ::/0 On-link
 1 306 ::1/128 On-link
 14 58 2001::/32 On-link
 14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128 On-link
 11 266 fe80::/64 On-link
 14 306 fe80::/64 On-link
 14 306 fe80::8d2:b4e:3f57:ff97/128 On-link
 11 266 fe80::5cd4:9caf:61c0:ba6e/128 On-link
 1 306 ff00::/8 On-link
 14 306 ff00::/8 On-link
 11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
 None

arp -A displays the ARP (Address Resolution Protocol) cache table for all available interfaces.

C:\Windows\system32> arp -A
Interface: 192.168.0.104 --- 0xb
 Internet Address Physical Address Type
 192.168.0.1 90-94-e4-c5-b0-46 dynamic
 192.168.0.101 ac-22-0b-af-bb-43 dynamic
 192.168.0.255 ff-ff-ff-ff-ff-ff static
 224.0.0.22 01-00-5e-00-00-16 static
 224.0.0.251 01-00-5e-00-00-fb static
 224.0.0.252 01-00-5e-00-00-fc static
 239.255.255.250 01-00-5e-7f-ff-fa static
 255.255.255.255 ff-ff-ff-ff-ff-ff static

Next we look at the active network connections and the firewall rules.

C:\Windows\system32> netstat -ano
Active Connections
 Proto Local Address Foreign Address State PID
 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
 TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
 TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
 TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4
 TCP [::]:135 [::]:0 LISTENING 684
 TCP [::]:445 [::]:0 LISTENING 4
 TCP [::]:5357 [::]:0 LISTENING 4
 UDP 0.0.0.0:5355 *:* 1100
 UDP 0.0.0.0:52282 *:* 976
 UDP 0.0.0.0:55202 *:* 2956
 UDP 0.0.0.0:59797 *:* 1400
 UDP 127.0.0.1:1900 *:* 2956
 UDP 127.0.0.1:65435 *:* 2956
 UDP 192.168.0.104:137 *:* 4
 UDP 192.168.0.104:138 *:* 4
 UDP 192.168.0.104:1900 *:* 2956
 UDP 192.168.0.104:5353 *:* 1400
 UDP 192.168.0.104:65434 *:* 2956
 UDP [::]:5355 *:* 1100
 UDP [::]:52281 *:* 976
 UDP [::]:52283 *:* 976
 UDP [::]:55203 *:* 2956
 UDP [::]:59798 *:* 1400
 UDP [::1]:1900 *:* 2956
 UDP [::1]:5353 *:* 1400
 UDP [::1]:65433 *:* 2956
 UDP [fe80::5cd4:9caf:61c0:ba6e%11]:1900 *:* 2956
 UDP [fe80::5cd4:9caf:61c0:ba6e%11]:65432 *:* 2956

The following two netsh commands are examples of the same command as run on different operating system versions.

The netsh firewall command is only available from XP SP2 onwards.

C:\Windows\system32> netsh firewall show state
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
C:\Windows\system32> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound COMRaider / E:\comraider\comraider.exe
Enable Inbound nc.exe / C:\users\b33f\desktop\nc.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable

Finally, we take a brief look at what is running on this machine: scheduled tasks, running processes, started services, and installed drivers.

This prints detailed output for every scheduled task; below you can see the sample output for a single task.

C:\Windows\system32> schtasks /query /fo LIST /v
Folder: \Microsoft\Windows Defender
HostName: B33F
TaskName: \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time: 1/22/2014 5:11:13 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob
 -WinTask -RestrictPrivilegesScan
Start In: N/A
Comment: Scheduled Scan
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 5:11:13 AM
Start Date: 1/1/2000
End Date: 1/1/2100
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
[..Snip..]
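Added example, not code from the original post: a parser for the `schtasks /query /fo LIST /v` output shown above. The first record is the page's Windows Defender task, written in the aligned key/value layout the real command prints; the second record (\Backup\NightlyBackup running C:\Scripts\backup.bat as SYSTEM) is constructed. Keys such as `Repeat: Every:` contain colons themselves, so fields are split on the first colon that is followed by two or more spaces of column padding. review_tasks applies the first filter a reviewer of such output would use: tasks that run as SYSTEM from outside the Windows and Program Files trees. That is a starting point for checking the executable's and directory's ACLs with icacls, not a finding on its own.

```python
import re

# Constructed sample of `schtasks /query /fo LIST /v` output in the aligned
# layout the real command prints. The first task is the page's Windows Defender
# scan; the second (\Backup\NightlyBackup) is invented for this example.
SCHTASKS_LIST = r"""
Folder: \Microsoft\Windows Defender
HostName:                             B33F
TaskName:                             \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time:                        1/22/2014 5:11:13 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
Start In:                             N/A
Comment:                              Scheduled Scan
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily
Start Time:                           5:11:13 AM
Repeat: Every:                        Disabled

Folder: \Backup
HostName:                             B33F
TaskName:                             \Backup\NightlyBackup
Status:                               Ready
Task To Run:                          C:\Scripts\backup.bat /full
Start In:                             C:\Scripts
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily
"""

# Split on the first colon followed by column padding, since keys like
# "Repeat: Every:" contain colons and values like "5:11:13 AM" do too.
FIELD = re.compile(r"^(.*?):\s{2,}(.*)$")
# Executable part of "Task To Run": a quoted path, or everything up to the
# first binary/script extension that is followed by whitespace or end of line.
EXECUTABLE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|bat|cmd|vbs|ps1))(?:\s|$)', re.IGNORECASE)
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_schtasks_list(text):
    """Return one dict per task; a new task record starts at each HostName: line."""
    tasks, current, folder = [], None, None
    for line in text.splitlines():
        if line.startswith("Folder:"):
            folder = line.split(":", 1)[1].strip()
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "HostName":
            current = {"Folder": folder}
            tasks.append(current)
        if current is not None:
            current[key] = value
    return tasks


def executable_of(task_to_run):
    m = EXECUTABLE.match(task_to_run)
    if m:
        return m.group(1) or m.group(2)
    return task_to_run.split(" ", 1)[0]


def in_protected_dir(path):
    return path.lower().replace("/", "\\").startswith(PROTECTED_DIRS)


def review_tasks(tasks):
    """SYSTEM tasks whose executable lives outside the OS/Program Files trees:
    candidates for an icacls check on the file and its directory, not findings."""
    findings = []
    for t in tasks:
        exe = executable_of(t.get("Task To Run", ""))
        if t.get("Run As User", "").upper() == "SYSTEM" and not in_protected_dir(exe):
            findings.append((t.get("TaskName", "?"), exe))
    return findings


if __name__ == "__main__":
    for name, exe in review_tasks(parse_schtasks_list(SCHTASKS_LIST)):
        print(f"review ACLs: {name} -> {exe}")
```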
# The tasklist command shows the running processes together with the services started inside each of them.
C:\Windows\system32> tasklist /SVC
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 244 N/A
csrss.exe 332 N/A
csrss.exe 372 N/A
wininit.exe 380 N/A
winlogon.exe 428 N/A
services.exe 476 N/A
lsass.exe 484 SamSs
lsm.exe 496 N/A
svchost.exe 588 DcomLaunch, PlugPlay, Power
svchost.exe 668 RpcEptMapper, RpcSs
svchost.exe 760 Audiosrv, Dhcp, eventlog,
 HomeGroupProvider, lmhosts, wscsvc
svchost.exe 800 AudioEndpointBuilder, CscService, Netman,
 SysMain, TrkWks, UxSms, WdiSystemHost,
 wudfsvc
svchost.exe 836 AeLookupSvc, BITS, gpsvc, iphlpsvc,
 LanmanServer, MMCSS, ProfSvc, Schedule,
 seclogon, SENS, ShellHWDetection, Themes,
 Winmgmt, wuauserv
audiodg.exe 916 N/A
svchost.exe 992 EventSystem, fdPHost, netprofm, nsi,
 WdiServiceHost, WinHttpAutoProxySvc
svchost.exe 1104 CryptSvc, Dnscache, LanmanWorkstation,
 NlaSvc
spoolsv.exe 1244 Spooler
svchost.exe 1272 BFE, DPS, MpsSvc
mDNSResponder.exe 1400 Bonjour Service
taskhost.exe 1504 N/A
taskeng.exe 1556 N/A
vmtoolsd.exe 1580 VMTools
dwm.exe 1660 N/A
explorer.exe 1668 N/A
vmware-usbarbitrator.exe 1768 VMUSBArbService
TPAutoConnSvc.exe 1712 TPAutoConnSvc
[..Snip..]
C:\Windows\system32> net start
These Windows services are started:
 Application Experience
 Application Information
 Background Intelligent Transfer Service
 Base Filtering Engine
 Bluetooth Support Service
 Bonjour Service
 COM+ Event System
 COM+ System Application
 Cryptographic Services
 DCOM Server Process Launcher
 Desktop Window Manager Session Manager
 DHCP Client
 Diagnostic Policy Service
 Diagnostic Service Host
 Diagnostic System Host
 Distributed Link Tracking Client
 Distributed Transaction Coordinator
 DNS Client
 Function Discovery Provider Host
 Function Discovery Resource Publication
 Group Policy Client
[..Snip..]
# DRIVERQUERY is sometimes useful, because some third-party drivers, even those from reputable companies, have more holes than Swiss cheese. This is possible because ring0 exploitation is beyond most people's expertise.
C:\Windows\system32> DRIVERQUERY
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 11/20/2010 6:01:11 PM
ACPI Microsoft ACPI Driver Kernel 11/20/2010 4:37:52 PM
AcpiPmi ACPI Power Meter Drive Kernel 11/20/2010 4:47:55 PM
adp94xx adp94xx Kernel 12/6/2008 7:59:55 AM
adpahci adpahci Kernel 5/2/2007 1:29:26 AM
adpu320 adpu320 Kernel 2/28/2007 8:03:08 AM
AFD Ancillary Function Dri Kernel 11/20/2010 4:40:00 PM
agp440 Intel AGP Bus Filter Kernel 7/14/2009 7:25:36 AM
aic78xx aic78xx Kernel 4/12/2006 8:20:11 AM
aliide aliide Kernel 7/14/2009 7:11:17 AM
amdagp AMD AGP Bus Filter Dri Kernel 7/14/2009 7:25:36 AM
amdide amdide Kernel 7/14/2009 7:11:19 AM
AmdK8 AMD K8 Processor Drive Kernel 7/14/2009 7:11:03 AM
AmdPPM AMD Processor Driver Kernel 7/14/2009 7:11:03 AM
amdsata amdsata Kernel 3/19/2010 9:08:27 AM
amdsbs amdsbs Kernel 3/21/2009 2:35:26 AM
amdxata amdxata Kernel 3/20/2010 12:19:01 AM
AppID AppID Driver Kernel 11/20/2010 5:29:48 PM
arc arc Kernel 5/25/2007 5:31:06 AM
[..Snip..]
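The `netstat -ano` listing earlier and the `tasklist /SVC` listing above are meant to be read together: the PID is the join key that tells you which image, and which hosted services, own each listening socket. The following is an added example (not the author's code) that performs that join. Both inputs are constructed samples in the real column layout, with PIDs chosen to be consistent between the two (the page's own captures were taken at different times and do not line up).

```python
import re

# Constructed `netstat -ano` sample in the real column layout: a subset of the
# page's listing plus one ESTABLISHED connection, to show it is filtered out.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.104:49200    192.168.0.101:443      ESTABLISHED     1668
  TCP    [::]:135               [::]:0                 LISTENING       668
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    192.168.0.104:137      *:*                                    4
"""

# Constructed `tasklist /SVC` sample; PIDs chosen to match the netstat sample.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    668 RpcEptMapper, RpcSs
svchost.exe                    760 Audiosrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   1100 Dnscache, NlaSvc
mDNSResponder.exe             1400 Bonjour Service
explorer.exe                  1668 N/A
"""

# image name (may contain spaces), PID, then the service list or N/A
PROCESS_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Map PID -> {"image": name, "services": [...]}; an indented line
    continues the service list of the process on the line above."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = PROCESS_LINE.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = {"image": m.group(1).strip(), "services": _split_services(m.group(3))}
        elif line.startswith(" ") and line.strip() and last_pid is not None:
            procs[last_pid]["services"] += _split_services(line)
    return procs


def parse_netstat_listeners(text):
    """Listening sockets only: TCP rows in LISTENING state and every UDP row (UDP has no state column)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        addr, port = parts[1].rsplit(":", 1)   # rsplit keeps "[::]" intact
        listeners.append({"proto": parts[0], "addr": addr, "port": int(port), "pid": pid})
    return listeners


def map_listeners(netstat_text, tasklist_text):
    """Join on PID: one (proto, addr, port, pid, image, services) row per listening socket."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for sock in parse_netstat_listeners(netstat_text):
        p = procs.get(sock["pid"], {"image": "<pid not in tasklist>", "services": []})
        rows.append((sock["proto"], sock["addr"], sock["port"], sock["pid"], p["image"], p["services"]))
    return rows


def network_reachable(rows):
    """Sockets not bound to loopback: what a neighbour on the LAN can actually reach."""
    return [r for r in rows if r[1] not in ("127.0.0.1", "[::1]")]


if __name__ == "__main__":
    for proto, addr, port, pid, image, services in network_reachable(map_listeners(NETSTAT, TASKLIST)):
        print(f"{proto:3} {addr}:{port:<5} pid={pid:<5} {image:20} {', '.join(services) or '-'}")
```

PID 4 (System) owning 445 and 139 is the kernel-mode SMB server, and an svchost.exe PID resolves to several services at once; the service list is what turns "svchost.exe on port 135" into "RpcEptMapper/RpcSs on port 135".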

Stage t4: the mystic art of WMIC

WMIC (Windows Management Instrumentation Command-Line) is one of the most useful command-line tools in Windows.

WMIC is extremely practical for information gathering and penetration testing, and its output has a great deal to offer. Fully explaining how to use WMIC would require a tutorial of its own, and because of formatting issues some WMIC output is hard to display.

Two articles on WMIC that are well worth reading:

  • Command-Line Ninjitsu (SynJunkie)
  • Windows WMIC Command Line (ComputerHope)

Some default Windows configurations do not allow access to WMIC unless the user is a member of the local Administrators group. Based on testing in virtual machines, a low-privileged user cannot access WMIC on any version of Windows XP. Conversely, default installations of Windows 7 Professional and Windows 8 Enterprise allow low-privileged users to access WMIC and query the operating system.

This is exactly what we need, since we are using WMIC to gather information about the target machine. The available WMIC options are listed in the command-line output below:

C:\Windows\system32> wmic /?
[global switches]
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>] Usage information.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMORYCHIP - Memory chip information.
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RDACCOUNT - Remote Desktop connection permission management.
RDNIC - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS - Permissions to a specific Remote Desktop connection.
RDTOGGLE - Turning Remote Desktop listener on or off remotely.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHADOWCOPY - Shadow copy management.
SHADOWSTORAGE - Shadow copy storage area management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer
 system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and
 peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUME - Local storage volume management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA - Per user storage volume quota management.
WMISET - WMI service operational parameters management.
For more information on a specific alias, type: alias /?
CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

To simplify things, I have created a script that uses WMIC to extract the following information from the target machine: processes, services, user accounts, user groups, network interfaces, hard disk information, network share information, installed Windows patches, programs that run at startup, the list of installed software, the operating system, and time zone information.

Various flags and parameters are used to extract the valuable information; if anyone wants to add to the list, please leave a comment below. Using WMIC's built-in output feature, the script writes all results to a readable HTML file.

Script location:

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

Sample output page:

http://www.fuzzysecurity.com/tutorials/files/Win7.html
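The author's wmic_info script is only linked above, not shown. What follows is an independent, added example of the same idea, not the author's code: one WMIC query per category listed above, run in turn, with the text output wrapped into a single HTML report. The alias and property names are WMIC's own; which properties to pull, the report layout, and the injectable run parameter are this example's choices. The collection step needs wmic.exe and so only executes on a Windows host; the rendering is plain Python and is what the offline test exercises.

```python
import html
import shutil
import socket
import subprocess

# One WMIC query per category the author's script collects. Alias and property
# names are WMIC/WMI's own; the selection of properties is this example's.
WMIC_QUERIES = {
    "Operating system":   'os get Caption,Version,OSArchitecture,LastBootUpTime /format:list',
    "Installed patches":  'qfe get HotFixID,Description,InstalledOn',
    "Services":           'service get Name,DisplayName,PathName,StartMode,StartName',
    "Processes":          'process get Name,ProcessId,ExecutablePath',
    "User accounts":      'useraccount get Name,SID,Disabled,PasswordRequired',
    "Groups":             'group get Name,SID',
    "Network interfaces": 'nicconfig where "IPEnabled=true" get Description,IPAddress,DefaultIPGateway,DHCPEnabled',
    "Logical disks":      'logicaldisk get Caption,FileSystem,FreeSpace,Size',
    "Shares":             'share get Name,Path,Description',
    "Startup programs":   'startup get Caption,Command,User',
    # Win32_Product makes MSI re-verify every installed package: slow, and it
    # writes MsiInstaller entries to the Application event log while it runs.
    "Installed software": 'product get Name,Version,Vendor',
    "Time zone":          'timezone get Caption,Bias',
}


def collect(run=subprocess.run):
    """Run each query and return [(title, text)]. `run` is injectable so the
    report logic can be exercised without wmic.exe (the test does this)."""
    sections = []
    for title, query in WMIC_QUERIES.items():
        # On Windows a plain command string is passed to CreateProcess as-is,
        # so wmic sees its own quoting (needed for the where clause above).
        result = run("wmic " + query, capture_output=True, text=True)
        text = result.stdout if result.returncode == 0 else "error: " + result.stderr.strip()
        sections.append((title, text))
    return sections


def render_report(sections, hostname):
    """Wrap each query's raw output in a <pre>, HTML-escaped so that a value
    such as a service display name cannot inject markup into the report."""
    title = "WMIC report for " + html.escape(hostname)
    parts = ["<html><head><meta charset='utf-8'><title>" + title + "</title></head><body>",
             "<h1>" + title + "</h1>"]
    for name, text in sections:
        parts.append("<h2>" + html.escape(name) + "</h2>")
        parts.append("<pre>" + html.escape(text.strip()) + "</pre>")
    parts.append("</body></html>")
    return "\n".join(parts)


def build_report(hostname, run=subprocess.run):
    return render_report(collect(run), hostname)


if __name__ == "__main__":
    if shutil.which("wmic") is None:
        raise SystemExit("wmic.exe not found; the collection step needs a Windows host")
    with open("wmic_report.html", "w", encoding="utf-8") as fh:
        fh.write(build_report(socket.gethostname()))
    print("wrote wmic_report.html")
```

Two caveats when running this for real: the `product` alias is the slowest query by far for the reason noted in the comment, and WMIC has been deprecated since Windows 10 21H1 and is no longer installed by default on recent Windows 11 builds, where the same classes are reachable through Get-CimInstance in PowerShell.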

That's all for today. Did everyone follow? In the next installment we will continue with the fundamentals of Windows privilege escalation; stay tuned.

Categories: White Hat Life, Tools/Software Sharing, Tutorials/Books Sharing

Original post: https://www.cnblogs.com/jinanxiaolaohu/p/10975626.html

Posted: 2024-09-29 08:55:46
