Some tips and FAQ _ Security Tutorials

1, when you have the administrator password but cannot find the admin backend, try Google. Enter site:xxx.com intext:admin/* to find all pages on xxx.com whose text contains admin, site:xxx.com inurl:admin/* to find links whose address contains admin, or site:xxx.com intitle:admin/* to find pages whose title contains admin. You can swap admin for other backend-related keywords you know, such as "admin login", "Backstage" and so on. Using Maxthon to view a page's links is also a good approach for sites such as Sa-blog, where the backend login page is linked but hidden.

2, SA injection using NBSI better, batch injection, looking for such as the point of use AH D better. Ah D and Google are batch injection of the gold combination: "inurl:.asp?id=" is the standard ASP batch injection search keywords. Keywords are based on the module where you find the problem when you audit a code.
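From the defender's side, the two tips above describe reconnaissance that shows up clearly in web server logs: one client walking admin/login paths, and ".asp?id=" style parameters carrying SQL fragments. The following is an added example (not code from the original page) that runs simple detection logic over constructed IIS W3C-style log lines; the thresholds, regexes and sample addresses are assumptions for illustration.

```python
"""Added example: flag admin-path probing and SQL-injection-looking query
strings in IIS W3C log lines.  All log lines below are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines, field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-05-01 10:00:01 203.0.113.5 GET /admin/login.asp - 200
2007-05-01 10:00:02 203.0.113.5 GET /manage/ - 404
2007-05-01 10:00:03 203.0.113.5 GET /backstage/ - 404
2007-05-01 10:00:09 203.0.113.5 GET /news.asp id=12 200
2007-05-01 10:00:10 203.0.113.5 GET /news.asp id=12'+and+1=1 500
2007-05-01 10:00:11 203.0.113.5 GET /news.asp id=12;exec+master.dbo.xp_cmdshell 500
2007-05-01 10:01:00 198.51.100.7 GET /news.asp id=7 200
2007-05-01 10:01:05 198.51.100.7 GET /index.asp - 200
"""

# Path names the tips above suggest attackers guess (assumed list).
ADMIN_PATHS = re.compile(r"/(admin|manage|backstage|login)\b", re.I)
# Crude markers of SQL fragments in a decoded query string (assumed list).
SQLI_MARKERS = re.compile(
    r"('|\bexec\b|xp_\w+|\bunion\b|\bselect\b|\band\b\s+1=1|--)", re.I)


def parse_line(line):
    """Split one W3C line into the fields this example needs."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts[:7]
    return {
        "ip": ip,
        "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),
        "status": int(status),
    }


def analyze(log_text, probe_threshold=3):
    """Return per-IP findings: admin-path probing count and SQLi-looking queries."""
    admin_hits = Counter()
    sqli_hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ADMIN_PATHS.search(rec["stem"]):
            admin_hits[rec["ip"]] += 1
        if SQLI_MARKERS.search(rec["query"]):
            sqli_hits[rec["ip"]].append(rec["query"])
    findings = {}
    for ip in set(admin_hits) | set(sqli_hits):
        findings[ip] = {
            "admin_probe": admin_hits[ip] >= probe_threshold,
            "admin_path_requests": admin_hits[ip],
            "sqli_queries": sqli_hits.get(ip, []),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Query strings are URL-decoded before matching so that "+" encoded spaces and quotes are seen as the server sees them; a production rule set would add rate limits and whitelists, but the structure stays the same.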

3, the search for vulnerable code keyword good way is to find his directory under the special name files, that is, some unusual file names. Index.asp, or Google will be mad. Of course, set up a test platform is the best, by looking at his footer can get more accurate keywords, through Google to use composite keywords you will get better results.

4, between is a very good function, injection of reasonable use will reap unexpected results.

5, if you do not confirm that your back door can escape the many tools of the administrator that is not good, sometimes you want to strengthen the control of the gray Pigeon, Pcshare will make your broiler lost faster. Remember that the system comes with something that is safest. SQLDebugger is a good user, and proper use may give you a better result than the NX back door.

6, do not use those so-called Cleanlog software, to know that many of them are to find the default directory (my opinion), encountered a little bit of BT administrator will go to modify the address, large companies will even have special software and space to protect and transfer the log. So we still choose some high-strength delete software such as WYWZ, if it is a large company so memory, CPU and other parts of the data will also be wiped out.

7, said the Rub pp, then we also need to look for the administrator did not wipe clean pp. Final date is a good software, we are always accustomed to record some difficult to remember the password in the desktop, my document TXT. Final Date view? Maybe you'll have a good harvest. Of course, to search for *.txt *.ini will also have a good effect. Remember to put the search in the hidden file.

8, 2000 hosts use the 2.3/2.1 version of the driver. 2003 the use of 3.1bate4 is still relatively stable. It is said that the arpsniffer of the Banyan tree will cause the sniffer to drop the line. The solution is as follows: The first time do not join after the/retset, the other side off the line after joining/retset again to execute, and then stop. This will not fall off the line again. (Purple Magic)

9, tlntadmn config sec =-ntlm exec master.dbo.xp_cmdshell \ ' tlntadmn config sec =-ntlm\ '-is actually taking advantage of the tlntadmn command. Want to know more about, enter/? Look at it. (This is the need for Administrator privileges OH) to establish the same user through the Ntml verification does not need me to say?

10, VPN connection error 733 resolution: cancel DHCP auto-assignment. In Routing and Remote Access, right-click the local server, open Properties, and on the IP tab select "Static address pool" under IP address assignment. Enter an address range yourself, using addresses that are not in use; addresses in the same C segment that do not answer a ping from cmd are basically available.

11, Remote Desktop Connection does not let you delete saved addresses directly. Open the registry at HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, where the addresses are shown as MRU0, MRU1 and similar values; delete the ones you want removed.

12, if you are using the Chinese version of UltraEdit and it still displays in English, move the mouse to "Help", right-click and select "Advanced", and the interface will display in Chinese. If you want to add UltraEdit to the right-click (context) menu, write a file with the following contents:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UltraEdit-32]
@="{b5eedee0-c06e-11cf-8c56-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}]
@="UltraEdit-32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InprocServer32]
@="D:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\ue32ctmn.dll"
"ThreadingModel"="Apartment"

Replace D:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\ue32ctmn.dll with the location of ue32ctmn.dll under your UltraEdit installation directory, save the file with a .reg extension, and import it into the registry.

13, when a 3389 connection reports that the maximum number of connections has been exceeded, consider logging in in console mode and remotely logging off the Administrator account (there is some risk). Run mstsc /console from Start, enter the password, and confirm the dialog box.

14, if a Sablog page displays abnormally (broken layout, or a blank area at the top), modify two places in STYLE.CSS:
1. #right width:xxxpx;
2. #outmain width:yyypx;
Add 50 to both xxx and yyy (if the problem persists, keep increasing the values until the layout fits; edit with Notepad and use Find to locate the lines).

15, after the invasion of the leak repair, trace cleaning, back door placement:

The underlying vulnerabilities must be patched, such as Su claim, SA injection, and so on. DBO injection can be considered to kill Xp_treelist,xp_regread self remember web directory; you have to remember to clean the tracks. ~sqlserver connections are better connected using Enterprise Manager, and using Query Analyzer will leave records located in Hkey_current_user\ Software\Microsoft\Microsoft SQL server\80\tools\client\prefservers. Delete; IISLog cleanup do not use the AIO class tool to completely delete the log ~ You can select the Logcleaner class tool to delete only the specified IP access records, if you can Gina to the administrator password by landing him to clean the log and through the WYWZ for the final traces of cleanup. In other words, manual cleanup is more secure. Finally left a back door without logging. A word back door several, standard back door, cfm back door I generally will not be less. To modify the time of the OH ~ There is a more malicious drop, if this machine is just a common broiler, put a txt to the Administrator desktop ~ remind him that you invaded, placed a certain back door, added a user ~ (of course, not your real important back door ~) to his clean off. So you have a great chance of keeping your real back door.

16, Kaspersky Key expired resolution

360 security guards to provide the annual Kabbah 6.0 free use, provided key is located in the registry Hkey_local_machine\software\360safe key value. After expiration, delete the key key value, restart the 360 security defender to obtain the new registration code to continue to use.

17, the more convenient server hanging horse

Too many sites, manual hanging Male, batch effect is not good. You can try the following methods: Start IIS Management, right-click the Web site (or the virtual directory where you want to hang the horse) properties--Document--Enable document footer--Specifies that the horse page is OK. He can't find the file on the web (preferably not in the virtual directory)
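From the defender's side, the IIS document-footer setting described above is a configuration artefact, so it can be audited. The following is an added example (not code from the original page): it scans an IIS 6 MetaBase.xml export for sites or virtual directories with EnableDocFooter enabled and reports the footer file, flagging a footer stored outside the site's own content path. The XML fragment is constructed for the example, and the attribute names used (EnableDocFooter, DefaultDocFooter, Path, Location) are the IIS 6 metabase property names as this example assumes them.

```python
"""Added example: audit an IIS 6 MetaBase.xml export for document footers.
The metabase fragment below is constructed for illustration."""
import xml.etree.ElementTree as ET

SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
     Path="D:\wwwroot"
     EnableDocFooter="TRUE"
     DefaultDocFooter="C:\WINDOWS\Temp\footer.htm" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"
     Path="D:\intranet" />
 </MBProperty>
</configuration>
"""


def find_doc_footers(xml_text):
    """Return every metabase node that has a document footer enabled."""
    root = ET.fromstring(xml_text)
    findings = []
    # Attributes are un-namespaced, so plain names work despite the default xmlns.
    for el in root.iter():
        if el.get("EnableDocFooter", "").upper() == "TRUE":
            findings.append({
                "location": el.get("Location"),
                "path": el.get("Path"),
                "footer": el.get("DefaultDocFooter"),
            })
    return findings


def suspicious(finding):
    """A footer file that lives outside the site's own content directory
    is the pattern worth a second look (heuristic chosen for this example)."""
    footer = (finding["footer"] or "").lower()
    path = (finding["path"] or "").lower()
    return bool(footer) and not footer.startswith(path)


if __name__ == "__main__":
    for f in find_doc_footers(SAMPLE_METABASE):
        flag = "SUSPICIOUS" if suspicious(f) else "ok"
        print(f["location"], f["footer"], flag)
```

Run against a real export, a finding is only a lead: confirm with whoever owns the site that the footer file is expected, and hash and review the footer file itself before removing the setting.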

18, 3389 Port Detection

Whether port 3389 is open can be queried from the registry: the PortNumber value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp holds the port, and D3D (hexadecimal) is 3389. During injection it can be read with xp_regread (requires dbo permissions, or another account that can run the stored procedure), or export it and read the file with the type command:

Regedit /E Port.reg "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal server\winstations\rdp-tcp"

Then: type Port.reg | Find "PortNumber"

Of course, you can also just scan all the ports, brute force ~
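The registry locations named in tips 11, 15 and 18 (the RDP listener port, the Remote Desktop client MRU list, and the SQL Server client tools PrefServers key) are also the artefacts an incident responder collects from a host. The following is an added example (not code from the original page) that parses a regedit /E export, decodes the PortNumber DWORD, and lists the client-side connection traces. The .reg text is constructed for the example; the value names under PrefServers are hypothetical, since only the key path appears on the page.

```python
"""Added example: parse a regedit /E (.reg) export for RDP port and
connection-history artefacts.  The .reg content below is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="192.0.2.10"
"MRU1"="db01.example.test"

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers]
"Server0"="192.0.2.20"
"""
# Note: "Server0" above is a hypothetical value name chosen for the example.

RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
MRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
PREF_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers"
DEFAULT_RDP_PORT = 3389

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)   # hex DWORD -> int
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = data[1:-1].replace("\\\\", "\\")  # un-escape .reg string
            else:
                value = data
            keys[current][name] = value
    return keys


def _lookup(keys, path):
    """Registry paths are case-insensitive; the page writes them in mixed case."""
    return next((keys[k] for k in keys if k.lower() == path.lower()), None)


def rdp_port(keys):
    """Decoded RDP listener port, or None if the key is absent."""
    values = _lookup(keys, RDP_KEY)
    return values.get("PortNumber") if values else None


def client_artefacts(keys):
    """Connection-history values an investigator would record from the host."""
    return {
        "rdp_mru": dict(_lookup(keys, MRU_KEY) or {}),
        "sql_prefservers": dict(_lookup(keys, PREF_KEY) or {}),
    }


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    port = rdp_port(parsed)
    print("RDP port:", port, "(non-default)" if port != DEFAULT_RDP_PORT else "(default)")
    print(client_artefacts(parsed))
```

A real export from regedit /E is UTF-16 with a BOM, so read the file with encoding="utf-16" before handing the text to parse_reg; the parser itself only needs the decoded text.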

19, VC method for compiling a small file

A Release build is much smaller than a Debug build. To make the compiled file even smaller: press Alt+F7 to open the Project Settings window, select the Link tab, delete everything in the Object/library modules edit box, enter MSVCRT.LIB kernel32.lib user32.lib, and compile.

20, Sablog modification problems

Home page settings are in templates/default/index.htm (default is the template name; I use the default template here, so to modify another template enter the corresponding template's directory). Other settings can be changed by entering the corresponding file, for example the footer corresponds to the bottom settings. Please modify on the premise that you do not infringe the author's copyright. If you want to delete the author's default friendship links, enter the include/ directory, find the update-links module in cache.php, and delete the following code (not recommended; one should be a bit kinder. Someone asked me, so I just said it; that does not mean I am not kind ~):
$tatol = $DB->num_rows($DB->query("SELECT LinkId FROM ".$db_prefix."Links WHERE visible='1' AND (URLs LIKE '%4ngel.net%' OR URLs LIKE '%sablog.net%')"));
if (! $tatol) {
                                           $contents. = ' \ t ' 1018 '  => array (\n\t\t ' name '  =>  '. chr (). chr (CHR). chr (108). Chr (a). Chr (a). Chr (a). Chr (a). "', \n\t\t ' url '  =>  '. chr (116). Chr (116). chr (112). chr (CHR). Chr (a). chr (119). chr (119). chr (119). Chr (). chr (+). Chr (a). chr (+). chr (108) . chr (CHR). Chr (a). Chr (a) Chr. chr (116). "', \n\t\t ' note '  =>  '. chr (CHR). chr ( ). chr (108). chr (CHR). Chr (a). Chr (a). Chr (a). Chr (a). chr (116). CHR (117). Chr. chr (111). Chr ("', \n\t\t), \ n";                                          
$contents. = "\ t ' 8717 ' => array (\n\t\t ' name ' => '". Chr (). Chr (a) (a). chr (CHR). Chr (a). 108 (39) . chr (+). chr. chr. chr (108). Chr (a). Chr (the "', \n\t\t ' url ' => '". Chr (). chr (116). chr (116). chr (112) . chr (MB). chr (CHR). chr (119). chr (119). chr (119). Chr (a). Chr (a). Chr (a). chr (CHR). chr (46 ). Chr (a). Chr. chr (116). chr (CHR). 108 (CHR). Chr (a) (a). Chr (a). Chr (a). Chr (a). Chr (). Chr ( ). chr (108). "', \n\t\t ' note ' => '. chr (in). Chr (a). chr (CHR). Chr (a). 108 (a). Chr (The) Chr (a). Chr ( Chr. chr (108). Chr ((a). Chr (a). "', \n\t\t ', \ n";
                      } 
