Tips and Solutions

Source: Internet
Author: User

1. If you get the administrator password but cannot find the background, try google. Enter site: xxx.com intext: admin/*, which means to search for all webpages whose URL contains xxx.com text */or site: xxx.com inurl: admin/* query URL containing admin */site: xxx.com intitle: admin/* query link containing admin in tittle */. You can replace admin with some backend keywords you know, such as "Administrator Logon" and "backend. In addition, using maxthon to view page links is also a good method, suitable for hiding web pages visible on background login pages like sa-blog.

2. It is better to use nbsi for sa injection and batch injection, so it is better to look for points such as use of D. Ah d and google are prime combinations of batch injection: "inurl:. asp? Id = "is a standard asp batch injection search keyword. The keyword depends on the module where you find a problem when reviewing a code.

3. A good way to find the keyword of the vulnerability code is to find the special name file under its directory, that is, some uncommon file names. What index. asp is, or google will be mad. Of course, it is best to set up a test platform. by looking at its footer, you can get more accurate keywords. You can get better results by using google's compound keywords.

4. between is a very good function. The rational use of the injection will produce unexpected results.

5. If you cannot confirm that your backdoors can be escaped from the Administrator's many tools, do not put them properly. Sometimes you may want to reinforce the control, pcshare will make your bots lose more quickly. Remember that what comes with the system is the safest. Sqldebugger is a good user. Proper use may make you receive better results than NX backdoors.

6. Do not use the so-called cleanlog software. Many of them are looking for the default directory (my opinion). Some BT administrators will modify the storage address, large companies may even have specialized software and space to protect and transfer logs. Therefore, we still choose some high-intensity deletion software such as WYWZ. If it is a large company, the data of memory, CPU, and other parts should also be wiped out.

7. After talking about how to clean PP, we should also look for a PP that the Administrator has not cleaned. Final date is a good software. We are always used to recording hard-to-remember passwords on the desktop, In the txt files in my documents. Check final date? Maybe you will have a good harvest. Of course, searching for *. txt *. ini will also have good results. Remember to search for hidden files.

8. The 2000 host uses a 2.3/2.1 driver. 2003 using 3.1bate4 is relatively stable. Some people say that the use of arpsnifer will lead to a disconnection from the sniffing party. This is indeed the case. The solution is as follows: do not add the/retset after the first time, add the/retset after the other party is disconnected, execute the task again, and then stop. In this way, it will not be dropped. (Zihuan)

9. tlntadmn config sec =-ntlm exec master. dbo. xp_mongoshell \ 'tlntadmn config sec =-ntlm \ '-- in fact, the tlntadmn command is used. For more information, enter /? Check it out. (This requires administrator permissions.) Do you need to set up the same user to pass ntml verification?

10. VPN connection error 733 resolution: cancel automatic DHCP allocation. In "Routing and Remote Access", right-click the local server, choose "Properties", then "IP", and select "Static address pool" in the IP address assignment area. Enter an address range that is not occupied; to check, ping IP addresses in the same CIDR block from CMD.

11. The address history in Remote Desktop Connection cannot be deleted directly. Open HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default in the Registry, which shows the MRU0 and MRU1 values, and delete the one you want to remove.

12. If the Chinese version of UltraEdit is still displayed in English, move the mouse to "Help", right-click and select "Advanced" to display Chinese characters. If you want the right-click (context menu) entry, create a file with the following content:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UltraEdit-32]
@="{b5eedee0-c06e-11cf-8c56-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}]
@="UltraEdit-32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InProcServer32]
@="D:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\ue32ctmn.dll"
"ThreadingModel"="Apartment"

Replace D:\Program Files\IDM Computer Solutions\UltraEdit-32\ue32ctmn.dll with the location of ue32ctmn.dll in your UE installation directory (inside the .reg file each backslash in the path is written twice), save the file, and import the .reg file into the Registry.

13. When connecting to 3389, the system may report that the maximum number of connections is exceeded. You can log on in console mode and remotely log off the Administrator account (there is a certain risk). Start with mstsc /console, enter the password, and then confirm the dialog box.

14. The sablog page is not displayed normally, is broken, or leaves the upper section blank. Solution: modify two entries in style.css.
1. #right width: XXXpx;
2. #outmain width: YYYpx;
Add 50 to both XXX and YYY (if the problem persists, add more until it displays correctly; you can edit the file with Notepad and use Find to locate the two entries).

15. Vulnerability repair, trace cleaning, and backdoor placement after intrusion:

Basic vulnerabilities must be repaired, such as SU Elevation of Privilege and SA injection. DBO injection can take xp_treelist into account, and xp_regread remembers the web directory on its own. You must remember to clear traces ~ Sqlserver connections are well connected using the Enterprise Manager. Using the query analyzer will leave a record at HKEY_CURRENT_USER \ Software \ Microsoft SQL Server \ 80 \ Tools \ Client \ PrefServers. Delete the IISlog. Do not use AIO tools to directly Delete the log ~ You can select the logcleaner tool to delete only the access records of the specified IP address. If you can get gina to the administrator password, log on to it to clear the logs and clear the last trace through WYWZ. In other words, manual cleanup is safer. Finally, leave a backdoor with no log records. In a single sentence, there are several backdoors, standard backdoors, and cfm backdoors. Time to be modified ~ There is another trick. If this machine is just a normal zombie, put a TXT file on the Administrator's desktop ~ Remind him that you have intruded, placed a backdoor, and added a user ~ (Of course you are not really an important backdoor ~) Ask him to clear it. In this way, you are likely to keep your real backdoors ~

16. Solve the problem of an expired Kaspersky key

360 Security Guard provides free use of Kaspersky 6.0, and the provided key is stored in the KEY value under HKEY_LOCAL_MACHINE\SOFTWARE\360Safe in the registry. After it expires, delete the value and restart 360 Security Guard to obtain a new registration code for further use.

17. More convenient server Trojans

There are too many sites, manual Trojan mounting, and the batch effect is not good. You can try the following method: Start IIS management, right-click the website (or the virtual directory where you want to mount the Trojan) attribute -- document -- enable the Document Footer -- specify the trojan webpage and then OK. He cannot find the file on the WEB (it is best not to put it in a virtual directory)

18. Port 3389 detection

Whether port 3389 is the one in use can be checked in the registry: read PortNumber under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. A value of d3d is port 3389 (convert from hexadecimal). With injection it can be read using xp_regread (DBO permission or other accounts with this stored procedure), or the key can be exported and read with the type command:

regedit /e port.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Then:

type port.reg | find "PortNumber"
Of course, you can also scan all the ports ~
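
For an administrator auditing a host, the export produced by regedit /e can be parsed offline instead of being read by eye. The following is an added example, not code from the original page: it decodes both export formats (REGEDIT4 and version 5.00), converts the PortNumber dword from hexadecimal, and also lists the MRU0/MRU1 entries from tip 11. The function names and sample exports are constructed for illustration.

```python
import codecs
import re

RDP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
           r"\Terminal Server\WinStations\RDP-Tcp")
MRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(raw: bytes) -> dict:
    """Parse a regedit export into {lowercased key: {lowercased name: value}}."""
    # Version 5.00 exports are UTF-16 LE with a BOM; REGEDIT4 exports are ANSI.
    if raw.startswith(codecs.BOM_UTF16_LE):
        text = raw[2:].decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header, blank line or hex continuation line
        name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        data = m.group(2)
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)  # dwords are written in hex
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys

def rdp_port(raw: bytes):
    """Listening port from the RDP-Tcp key as a decimal int, or None if absent."""
    port = parse_reg(raw).get(RDP_KEY.lower(), {}).get("portnumber")
    return port if isinstance(port, int) else None

def rdp_mru(raw: bytes) -> list:
    """Hosts stored as MRU0, MRU1, ... returned in index order."""
    values = parse_reg(raw).get(MRU_KEY.lower(), {})
    names = sorted((n for n in values if re.fullmatch(r"mru\d+", n)),
                   key=lambda n: int(n[3:]))
    return [values[n] for n in names]

# Constructed sample exports (not taken from a real host).
SAMPLE_V5 = codecs.BOM_UTF16_LE + (
    "Windows Registry Editor Version 5.00\r\n\r\n[" + RDP_KEY + "]\r\n"
    '"PortNumber"=dword:00000d3d\r\n').encode("utf-16-le")
SAMPLE_V4 = ("REGEDIT4\r\n\r\n[" + MRU_KEY + "]\r\n"
             '"MRU0"="192.0.2.10"\r\n"MRU1"="192.0.2.77:9999"\r\n').encode("ascii")
```
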

19. VC compilation of small files

The Release build is much smaller than the Debug build. To make the compiled file smaller, do the following: press Alt+F7 to open the Project Settings window, select the Link tab, delete all libs in "Object/library modules" (the "Project Options" edit box below), and enter MSVCRT.LIB kernel32.lib user32.lib.
Then compile.

20. sablog modification Problems

You can set the homepage in templates/default/index.htm (default is the template name; here I use the default template, and for other templates you go to the directory with the corresponding template name). Other settings can be modified in the corresponding files, for example the bottom of the page in footer. Please make changes without infringing the author's copyright. If you want to delete the author's default friend links, go to the include/ directory, modify the link update module in cache.php, and delete the following code (not recommended; some people have asked me for help with this, but I did not respond kindly ~):

$tatol = $DB->num_rows($DB->query("SELECT linkid FROM ".$db_prefix."links WHERE visible = '1' AND (url LIKE '%4ngel.net%' OR url LIKE '%sablog.net%')"));
if (!$tatol) {
    $contents .= "\t'1018' => array(\n\t'name' => '".chr(83).chr(97).chr(98).chr(108).chr(111).chr(103).chr(45).chr(88)."',\n\t\t'url' => '".chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(115).chr(97).chr(98).chr(108).chr(111).chr(103).chr(46).chr(110).chr(101).chr(116)."',\n\t\t'note' => '".chr(83).chr(97).chr(98).chr(108).chr(111).chr(103).chr(45).chr(88).chr(32).chr(83).chr(116).chr(117).chr(100).chr(105).chr(111).chr(115)."',\n\t),\n";
    $contents .= "\t'8717' => array(\n\t'name' => '".chr(97).chr(110).chr(103).chr(101).chr(108).chr(92).chr(39).chr(115).chr(32).chr(98).chr(108).chr(111).chr(103)."',\n\t\t'url' => '".chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(52).chr(110).chr(103).chr(101).chr(108).chr(46).chr(110).chr(101).chr(116).chr(47).chr(98).chr(108).chr(111).chr(103).chr(47).chr(97).chr(110).chr(103).chr(101).chr(108)."',\n\t\t'note' => '".chr(97).chr(110).chr(103).chr(101).chr(108).chr(92).chr(39).chr(115).chr(32).chr(98).chr(108).chr(111).chr(103)."',\n\t),\n";
}
